Category:Anomali Cyber Watch
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: BazarCall, DarkSide, Data breach, Malware, Phishing, Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
(published: May 23, 2021)
Adding to the growing body of knowledge related to the March 2021 breach of SITA, a multinational information technology company providing IT and telecommunication services to the air transport industry, Air India announced over the weekend that the personal information of 4.5 million customers was compromised. According to the airline, the stolen information included passengers’ name, credit card details, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data. The compromise included data for passengers who registered with Indian Airlines between 26 August 2011 and 3 February 2021; nearly a decade. Air India adds to the growing list of SITA clients impacted by their data breach, including Malaysia Airlines, Finnair, Singapore Airlines, Jeju Air, Cathay Pacific, Air New Zealand, and Lufthansa.
Analyst Comment: Unfortunately, breaches like this are commonplace. While customers have no control over their information being included in such a breach, they can and should take appropriate actions once notified they may be impacted, Those actions can include changing passwords and credit cards associated with the breached accounts, engaging with credit reporting agencies for enhanced credit monitoring or freezing of credit inquiries without permission, and reaching out to companies that have reportedly been breached to learn what protections they may be offering their clients.
Tags: Data Breach, Airline, PII
(published: May 19, 2021)
Researchers from PaloAlto’s Unit42 released a breakdown of a new infection method for the BazarLoader malware. Once installed, BazarLoader provides backdoor access to an infected Windows host which criminals can use to scan the environment, send follow-up malware, and exploit other vulnerable hosts on the network. In early February 2021, researchers began to report a “call center” method of distributing BazarLoader. Actors would send phishing emails with trial subscription-based themes encouraging victims to phone a number to unsubscribe. If a victim called, the actor would answer the phone and direct the victim through a process to infect the computer with BazarLoader. Analysts dubbed this method of infection “BazarCall.”
Analyst Comment: This exemplifies social engineering tactics threat actors employ to trick users into installing malware on their machines. All social media users should be cautious when accepting unknown requests to connect, and particularly cautious when receiving communication from unknown users. Even if callers state they are from the bank or another trusted entity, it is best practice to avoid giving any details over the phone and not to access unknown websites that are given by the callers. Those who are unsure about the legitimacy regarding security modules should contact their bank directly and speak to management to ensure that updates are necessary and genuine.
MITRE ATT&CK: [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 | [MITRE ATT&CK] BITS Jobs - T1197 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Domain Trust Discovery - T1482 | [MITRE ATT&CK] Fallback Channels - T1008 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Multi-Stage Channels - T1104 | [MITRE ATT&CK] Execution through API - T1106 | [MITRE ATT&CK] Network Share Discovery - T1135 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Query Registry - T1012 | [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Software Discovery - T1518 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] System Time Discovery - T1124 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Web Service - T1102 | [MITRE ATT&CK] Windows Management Instrumentation - T1047
Tags: Cobalt Strike, cmd.exe, Ryuk, certutil, BazaLoader, Ryuk ransomware, BazarCall, Anchor, North America
(published: May 18, 2021)
On May 12th, the North American student health insurance provider Guard.me took their website offline after discovering a vulnerability had allowed a threat actor to access their customers' policy and personal information. When visiting the site, visitors were automatically redirected to a maintenance page warning that the site was down while the insurance provider increased security on the site. The insurance carrier also stated that they were instituting new policies for increased security, including database segmentation and two-factor authentication. The threat actor was believed to have accessed policyholder data including encrypted password, date of birth, gender, email address, mailing address and phone numbers. Guard.me stated that they have fixed the vulnerability.
Analyst Comment: Despite efforts to secure an enterprise environment, a single human error (such as a misconfigured database) can lead to organisational exposure. Data breaches such as this one serve to remind businesses that cyber security is a constant effort; monitoring, detecting, securing, preventing and responding to threats. Organisations should regularly review and audit their security controls to detect and remediate both accidental and malicious risks, particularly when related to personally identifiable information (PII). Any storage of customer data should be checked for confidentiality, availability and integrity of that data.
Tags: insurance, North America, USA, Canada, student, data breach, data leak
(published: May 18, 2021)
The online workflow management platform Monday.com disclosed that it was impacted by the Codecov supply chain attack. The Codecov attack, which began in January, went undetected for two months whilst threat actors were able to modify the Codecov Bash Uploader tool to exfiltrate environment variables (keys, tokens, credentials) from Codecov customers' environments. Whilst investigating the breach, Monday.com discovered actors had gained access to a read-only copy of their source code. The company does not believe that the code has been tampered with or any products impacted. Given the similarities to the SolarWinds supply chain attack, US federal investigators have stepped in to investigate the wider impact.
Analyst Comment: Websites, much like personal workstations, require constant maintenance and upkeep to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs. In addition, supply chain attacks are becoming more frequent amongst threat actors as their Tactics, Techniques, and Procedures (TTPs) evolve. Therefore, it is paramount that all applications in use are properly maintained and monitored for potential unusual activity.
Tags: codecov, breach, data breach, supply chain, supply chain attack, source code
(published: May 17, 2021)
Researchers from SecureList (Kaspersky) observed the Brazilian banking trojan “Bizarro” targeting users in Europe. Previously confined to South America, Bizarro has recently been seen targeting users in Spain, Portugal, France and Italy. The group behind Bizarro relies on phishing emails to deliver the trojan, as well as social engineering attacks to convince users to download malicious smartphone apps. This group has attempted to steal credentials from customers of 70 banks across Europe and South America.
Analyst Comment: Threat actors continuously adapt to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Organizations that ensure their firewalls block blocks all entry points for unauthorized users and maintain records of how normal traffic appears on your network will be better positioned to spot unusual traffic and connections to and from their network;potentially identifying malicious activity. Furthermore, ensure that employees are educated about the risks of opening attachments, particularly from unknown senders and any attachment that requests macros be enabled, is a vital component of ongoing security training
MITRE ATT&CK: [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Credential Dumping - T1003 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Clipboard Data - T1115 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Disabling Security Tools - T1089 | [MITRE ATT&CK] Spearphishing Link - T1192 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Application Window Discovery - T1010 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] System Network Configuration Discovery - T1016
Tags: Bizarro, ipconfig, Amavaldo, Guildma, Banking And Finance, EU & UK, North America, Brazil, South America, trojan, malware, social engineering
(published: May 17, 2021)
Scammers are increasingly using faked Windows Push Notifications to trick users into installing malicious applications posing as Windows Defender updates, these toaster pop-ups are customised browser push notifications. Once a user activates the pop up, they will be directed to install a signed ms-appinstaller (MSIX) package from “Publisher: Microsoft.” The malicious download will appear to act as a normal Defender update whilst downloading a data stealing trojan, Eversible.exe. This trojan will begin to search the computer for RAM, serial number, Chrome, Ethereum wallets and credit cards amongst other things.
Analyst Comment: All system updates should be done through the correct channels, in this case the Defender application itself. Adversaries are very adept at creating convincing programs and only updates from verified, legitimate sources should be trusted.
Tags: Windows, Windows Defender, trojan, data stealing, updates,
(published: May 17, 2021)
Toshiba Tec Corporation - a Toshiba subsidiary known for making printing, scanning and other office equipment - stated on Friday 5/14/21 that they had been a victim of Darkside ransomware. The firm contacted the relevant authorities in Europe, where the attackers struck, and is working with third-party cyber experts to find out exactly what happened. Toshiba did not confirm if any customer data had been stolen but did admit that “it is possible that some information and data may have been leaked by the criminal gang.” The report claimed over 740GB of data had been stolen, including passport scans and other personal information. There are believed to be around 30 groups working within Darkside, but further investigations into the group have been hampered by the removal of the Darkside Tor site. It is currently unclear if law enforcement removed it or the group did themselves in an attempt to lie low after the Colonial Pipeline attack.
Analyst Comment: Corporate security training programs should educate employees on the risks of opening attachments from unknown senders. It is also best practice to employ anti-spam and antivirus applications provided by trusted vendors.Emails that are received from unknown senders should be carefully considered, and attachments from such senders not opened unless in a controlled environment or by security personnel. Furthermore, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of ransomware infection.
Tags: DarkSide, DarkSide ransomware, EU & UK, Toshiba, techonolgy, ransomware, manufacturing
(published: May 17, 2021)
The well-known Russian cybercrime forum “XSS” announced that it has banned all ransomware activity on its site due to the ideological differences and concerns over the publicity of recent high-profile incidents. In the past, XSS has been a focal point for ransomware vendors, allowing groups such as Netfilm, REvil, Darkside and Babuk to operate on the site to recruit new affiliates. According to the post from a forum admin, recent attacks such as the Colonial Pipeline breach by DarkSide are generating too much publicity and are increasing geopolitical and law enforcement risk to an unacceptable level.
Analyst Comment: It is possible that XSS is becoming increasingly concerned that Russian officials may crack down on the forums given the international issues they are causing. Researchers across the industry, including Flashpoint and Digital Shadows, do not expect this to hamper the ransomware industry, as threat actors will continue to operate in private or advertise for new affiliates from their own sites.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] File Deletion - T1107
Tags: LockBit, Conti, DarkSide, Avaddon, REvil, EU & UK, North America, Russia, XSS, forum, dark web, babuk, Netfilm
(published: May 17, 2021)
Threat actors impersonated Truist, the new entity formed by the merger of SunTrust and BB&T that represents the sixth-largest US commercial bank, in a spearphishing campaign attempting to infect recipients with what appeared to be a remote access trojan (RAT) malware. The FBI stated the actors tailored the phishing campaign “to spoof the financial institution through registered domains, email subjects and an application, all appearing to be related to the institution.” In an attack targeting a renewable energy company in February 2021, the phishing emails instructed the target to download a malicious Windows application that mimicked the legitimate Truist Financial SecureBank App and supposedly needed to complete the process behind a $62 million loan, an amount consistent with the company’s business model. Once a victim downloaded the currently unknown RAT, the malware would be able to communicate over the UDP network, escalate privileges, download files and inject code amongst many other activities.
Analyst Comment: Spearphishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromised and used for such emails. Education is the best defense, inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack.
MITRE ATT&CK: [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] Valid Accounts - T1078
Tags: Banking And Finance, EU & UK, spearphishing, spear-phishing, phishing, banking, finance, RAT, malware, app,