The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Chinese state hackers, data leaks, ransomware, RATs, botnets, and vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
(published: August 7, 2021)
Juniper Threat Labs researchers discovered ongoing attacks exploiting the recently disclosed vulnerability CVE-2021-20090, a critical path traversal flaw in the web interface of routers running Arcadyan firmware that allows unauthenticated remote attackers to bypass authentication. The total number of exposed devices likely reaches millions of routers. The attacks, which the researchers traced to China, deploy a Mirai botnet variant on vulnerable routers.
Analyst Comment: Attackers run continuous, automated scans for publicly accessible vulnerable routers and exploit them as soon as an exploit is made public. To reduce the attack surface, the router management console should only be reachable from specific trusted IP addresses, and ideally not exposed to the internet at all. Default passwords should be changed and the remaining security settings hardened.
Tags: CVE-2021-20090, Mirai, China
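As an added illustration that is not part of the Anomali bulletin or the Juniper report, the following Python snippet shows the check a defender would run over web-server access logs for encoded path traversal attempts of the kind described above. The log lines, IP addresses and URIs are constructed samples and are not the actual CVE-2021-20090 exploit request. The practical point is that decoding has to happen before matching: a literal `../` check on the raw request misses `..%2f` and the double-encoded `..%252f`.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (Combined Log Format style). The URIs are
# illustrative traversal attempts, not the real CVE-2021-20090 request.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Aug/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.11 - - [07/Aug/2021:10:01:05 +0000] "GET /images/..%2fadmin.cgi HTTP/1.1" 200 88
192.0.2.12 - - [07/Aug/2021:10:01:09 +0000] "POST /images/..%252f..%252fapply.cgi HTTP/1.1" 200 40
192.0.2.13 - - [07/Aug/2021:10:01:12 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
192.0.2.14 - - [07/Aug/2021:10:01:15 +0000] "GET /..\\..\\etc/passwd HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(raw_uri: str, max_rounds: int = 3) -> str:
    """Strip the query string, URL-decode repeatedly until the result is stable
    (this collapses %252f -> %2f -> /), then fold backslashes to slashes and
    lowercase so the traversal check sees one canonical form."""
    path = raw_uri.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()


def is_traversal(raw_uri: str) -> bool:
    """True if any path segment is exactly '..' after normalization."""
    return any(seg == ".." for seg in normalize_path(raw_uri).split("/"))


def find_traversal(log_text: str):
    """Return (client_ip, raw_uri, status) for every request that attempts
    to traverse out of its directory, regardless of how it was encoded."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m["uri"]):
            hits.append((m["ip"], m["uri"], m["status"]))
    return hits


if __name__ == "__main__":
    for ip, uri, status in find_traversal(SAMPLE_LOG):
        print(f"possible path traversal from {ip}: {uri} (HTTP {status})")
```

A 200 response to a traversal request against a router's management interface is the line worth escalating; a 404 means the device refused it. Because these routers sit on home and small-office links, the more reliable control is the one in the analyst comment: keep the management interface off the WAN so the log never records the attempt in the first place.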
(published: August 7, 2021)
The attack occurred late Tuesday night into Wednesday and forced the company to shut down its systems in Taiwan. The incident also affected several of the company's websites, including its support site and portions of its Taiwanese website. The attackers have threatened to publish 112GB of stolen data, which they claim includes documents under NDA (Non-Disclosure Agreement) from companies including Intel, AMD and American Megatrends, unless a ransom is paid.
Analyst Comment: At this point there is no official confirmation from GIGABYTE of the attack, and no clarity yet on the vulnerabilities or attack vectors used to carry it out.
Tags: RansomEXX, Defray, Ransomware, Taiwan
(published: August 6, 2021)
Researchers discovered a misconfigured Amazon S3 bucket owned by the Senior Advisor website, which hosts ratings and reviews for senior care services across the US and Canada. The bucket contained more than one million files and 182 GB of data, including the names, email addresses and phone numbers of senior citizens in North America. The exposed data was not encrypted and could be accessed without a password or login credentials.
Analyst Comment: Senior citizens are at high risk of online fraud. Leaked personal information and context about appointments can lead to targeted phishing scams.
Tags: Data Leak, Phishing, North America, AWS
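The following Python example is added here and is not code from the Anomali bulletin or from the researchers who found the bucket. It shows the offline check a cloud security engineer runs to decide whether a bucket is world-readable: inspect the bucket policy for unconditional `Allow` statements granted to the anonymous principal, inspect the ACL for grants to the AllUsers or AuthenticatedUsers groups, and compare against the Block Public Access settings that would have prevented the exposure. The bucket name, the VPC endpoint ID and both documents are constructed samples.

```python
import json

# Constructed bucket policy for a hypothetical bucket. The first statement is
# the classic mistake: anonymous read plus ListBucket, which is what lets anyone
# enumerate every object. The second grants "*" too, but only through a named
# VPC endpoint, so it is not internet-public.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reviews-bucket",
                  "arn:aws:s3:::example-reviews-bucket/*"]},
    {"Sid": "VpceRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-reviews-bucket/public/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}
  ]
}""")

# Constructed ACL: owner has full control, plus a READ grant to everyone.
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def policy_allows_public(policy: dict) -> list:
    """Return the Sid (or index) of each Allow statement whose principal is
    anonymous ("*" or {"AWS": "*"}) and that carries no Condition block.
    Conditioned statements are reported separately by a human review, since
    a condition may or may not actually restrict the audience."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"])
        )
        if anonymous and not st.get("Condition"):
            findings.append(st.get("Sid", f"statement[{i}]"))
    return findings


def acl_public_grants(acl: dict) -> list:
    """Return (group_name, permission) for every grant to a public group."""
    out = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            out.append((grantee["URI"].rsplit("/", 1)[-1], g.get("Permission")))
    return out


def hardened_public_access_block() -> dict:
    """S3 Block Public Access configuration. With all four flags true, the
    PublicRead statement above is rejected at PutBucketPolicy time and the
    AllUsers ACL grant is ignored, so the data never becomes reachable."""
    return {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": True,
        "RestrictPublicBuckets": True,
    }


if __name__ == "__main__":
    print("public policy statements:", policy_allows_public(WEAK_POLICY))
    print("public ACL grants:", acl_public_grants(WEAK_ACL))
    print("required Block Public Access settings:", hardened_public_access_block())
```

The check is deliberately run on the policy and ACL documents rather than by probing the bucket, so it can be applied to every bucket in an account from exported configuration. Note that `ListBucket` granted to `*` is what turns a single leaked object URL into a full inventory of a million files.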
(published: August 5, 2021)
Researchers at Nozomi Networks Labs discovered five vulnerabilities in Mitsubishi safety PLCs that relate to the authentication implementation of the MELSOFT communication protocol. The vulnerabilities enable username and password brute-forcing, leak secrets, and stem from incorrect session token management. Patches for these vulnerabilities are not available yet, but the vendor has provided a series of mitigations, which are described in the advisory.
Analyst Comment: Network access between OT and IT networks should be restricted to the bare minimum required for operations, and traffic between them should be monitored for suspicious activity. If remote access is required, encrypt the communication path with a VPN that is kept updated to the most current version available.
MITRE ATT&CK: [MITRE ATT&CK] Network Sniffing - T1040 | [MITRE ATT&CK] Access Token Manipulation - T1134
Tags: CVE-2020-5594, ICS
(published: August 5, 2021)
Four critical infrastructure organizations in an unnamed South East Asian country were targeted in an intelligence-gathering campaign that continued for several months. The impacted organizations are from the water, power, communications and defense sectors. The attacks were ongoing from at least November 2020 to March 2021. The attackers made extensive use of living-off-the-land tools to evade detection, stole credentials, moved laterally, and deployed keyloggers.
Analyst Comment: Cyber espionage attacks that rely on living-off-the-land tools remain hidden for long periods of time. It is important to monitor suspicious network and user activity in order to detect such attacks. Tools like Anomali Match can also help you perform retrospective analysis to identify patient zero faster.
MITRE ATT&CK: [MITRE ATT&CK] DLL Search Order Hijacking - T1038 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Credential Dumping - T1003 | [MITRE ATT&CK] Scheduled Task - T1053
Tags: SCADA, Espionage, MimiKatz, PsExec, PAExec, South East Asia, Defense, Power, Communication
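The Python block below is an added example, not code from the bulletin or from the report it summarizes. It shows what "monitoring suspicious user activity" looks like in practice for the tooling tagged above: a small set of rules over process-creation telemetry (Sysmon event 1 or Windows 4688 style) that flag the PsExec and PAExec service binaries landing on a host, an LSASS minidump through comsvcs.dll, Mimikatz module names on a command line, and a scheduled task whose action lives in a user-writable directory. The hostnames, users and events are constructed; the rule set is a generic heuristic, not a signature from the report.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str      # full path of the created process
    cmdline: str    # its command line


# Constructed process-creation events for a hypothetical CORP domain.
EVENTS = [
    ProcEvent("srv-hmi01", "CORP\\svc_ops", r"C:\Windows\PSEXESVC.exe",
              "PSEXESVC.exe"),
    ProcEvent("ws-eng07", "CORP\\jdoe", r"C:\Program Files\App\app.exe",
              "app.exe"),
    ProcEvent("dc01", "CORP\\Administrator", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Windows\Temp\l.dmp full"),
    ProcEvent("srv-fw02", "CORP\\svc_ops", r"C:\Windows\PAExec-4412-SRV-FW02.exe",
              "PAExec-4412-SRV-FW02.exe -service"),
    ProcEvent("ws-eng07", "CORP\\jdoe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc minute /mo 5 /tn "Updater" /tr "C:\Users\jdoe\AppData\Roaming\u.exe"'),
    ProcEvent("dc01", "CORP\\Administrator", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\bk.exe"'),
    ProcEvent("ws-eng07", "CORP\\jdoe", r"C:\Users\jdoe\AppData\Local\Temp\m.exe",
              'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit'),
]

# (rule name, compiled pattern, event field the pattern is applied to)
RULES = [
    # PsExec drops PSEXESVC.exe; PAExec drops PAExec-<pid>-<host>.exe. Either
    # appearing as a new process is a remote-execution service starting.
    ("remote_exec_service",
     re.compile(r"(?:^|\\)(?:psexesvc|paexec-\d+-[^\\]+)\.exe$", re.I), "image"),
    # Built-in LSASS dump via comsvcs.dll MiniDump (no Mimikatz binary needed).
    ("lsass_minidump",
     re.compile(r"comsvcs\.dll\s*,\s*MiniDump", re.I), "cmdline"),
    # Mimikatz module syntax on a command line, whatever the binary is called.
    ("mimikatz_module",
     re.compile(r"\bsekurlsa::|\blsadump::", re.I), "cmdline"),
    # schtasks /create whose /tr action points into a user-writable location.
    ("schtask_user_writable",
     re.compile(r'schtasks.*?/create.*?/tr\s+"?[^"]*\\(?:AppData|Temp|Downloads|Public)\\', re.I),
     "cmdline"),
]


def match_rules(ev: ProcEvent) -> list:
    """Names of every rule that fires on one event."""
    return [name for name, pattern, field in RULES if pattern.search(getattr(ev, field))]


def detect(events) -> list:
    """(host, rule) pairs for all events, in input order."""
    return [(ev.host, rule) for ev in events for rule in match_rules(ev)]


if __name__ == "__main__":
    for host, rule in detect(EVENTS):
        print(f"{host}: {rule}")
```

Every one of these binaries is legitimate in an administrator's hands, which is exactly why living-off-the-land intrusions stay hidden; the rules are a triage feed, and the decision comes from correlating the hit with who ran it, from where, and whether that account and host pair has ever done it before.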
(published: August 3, 2021)
At the beginning of 2021, Cybereason researchers investigated clusters of intrusions targeting the telecommunications industry across Southeast Asia. Three clusters of activity were identified, all showing significant connections to known threat actors suspected of operating on behalf of Chinese state interests. Similar to the HAFNIUM attacks, the threat actors exploited recently disclosed vulnerabilities in Microsoft Exchange Server to gain access to the targeted networks. Potential targets include corporations, dissident factions, government officials, law enforcement agencies, and political activists and figures of interest to the Chinese government.
Analyst Comment: Make sure your patch policy installs Microsoft security patches automatically. Some cyber espionage intrusions remain dormant for long periods, so you need retrospective forensic capabilities to search past activity for newly discovered APT indicators.
MITRE ATT&CK: [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Web Shell - T1100 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Windows Admin Shares - T1077 | [MITRE ATT&CK] Credential Dumping - T1003 | [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] Data Compressed - T1002 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Indicator Removal from Tools - T1066 | [MITRE ATT&CK] Pass the Hash - T1075 | [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041 | [MITRE ATT&CK] PowerShell - T1086 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Permission Groups Discovery - T1069 | [MITRE ATT&CK] DLL Side-Loading - T1073 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Network Sniffing - T1040 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140
Tags: Leafminer, Winnti group, HAFNIUM, Tropic Trooper, Naikon, APT27, APT41, APT3, Winnti, Operation Soft Cell, Soft Cell, Emissary Panda, Naikon APT, Iron Tiger, REAKDOWN, China Chopper, Shadowpad, Cobalt Strike, PsExec, Valak, ChipShot, PowerShell Empire, Mimikatz, PcShare, tasklist, Ramnit, Government, China, Asia
(published: August 3, 2021)
Researchers from JFrog and Forescout disclosed 14 vulnerabilities affecting a commonly used TCP/IP stack found in millions of Operational Technology (OT) devices manufactured by no fewer than 200 vendors and deployed in manufacturing plants, power generation, water treatment, and other critical infrastructure sectors. The vulnerability set, named "INFRA:HALT," enables an attacker to achieve remote code execution, denial of service, information leaks, TCP spoofing, and even DNS cache poisoning. As of March 2021, around 6,400 vulnerable OT devices were exposed online, most of them in Canada, the U.S., Spain, Sweden, and Italy.
Analyst Comment: Having thousands of critical OT devices exposed to the internet enormously increases the risk to public safety. Such devices should only be reachable via VPN and must be kept up to date. Strict access control rules should govern OT-IT network communication, and that channel needs to be continuously monitored for suspicious traffic and command behaviour.
Tags: CVE-2020-25928, CVE-2021-31226, CVE-2020-25927, CVE-2020-25767, CVE-2021-31227, CVE-2021-31400, CVE-2021-31401, CVE-2020-35683, CVE-2020-35684, CVE-2020-35685, CVE-2021-27565, CVE-2021-36762, CVE-2020-25926, CVE-2021-31228, URGENT/11, Ripple20, AMNESIA:33, NUMBER:JACK, NAME:WRECK, ICS, North America, Europe
(published: August 2, 2021)
Researchers at Armis discovered a series of bugs in Swisslog Healthcare's Translogic pneumatic tube system (PTS), including hard-coded passwords, unencrypted connections and an insecure firmware update mechanism that could lead to remote code execution. The flaws could give an unauthenticated attacker root control and let attackers take over control stations. Because the pneumatic tube system sits at the heart of other hospital workflows, attackers who tamper with its operation can disrupt those as well. The latest patched version mitigates the majority of the vulnerabilities; one remaining vulnerability, CVE-2021-37160, is due to be patched in a future release.
Analyst Comment: Healthcare devices should not be reachable remotely unless absolutely necessary. If they are exposed to the internet, they should be protected by a Web Application Firewall. Patient data and patient PII should be stored separately to minimise risk.
Tags: CVE-2021-37160, CVE-2021-37161, CVE-2021-37162, CVE-2021-37163, CVE-2021-37164, CVE-2021-37165, CVE-2021-37166, CVE-2021-37167, HealthCare, North America
(published: August 2, 2021)
AT&T Alien Labs researchers have identified a new malware family, FatalRAT, in their threat analysis systems. FatalRAT is a Remote Access Trojan (RAT) with a wide set of capabilities that an attacker can trigger remotely. The malware appears to be distributed via forums and Telegram channels, hidden in download links that lure the user with software or media articles. FatalRAT collects the IP address, usernames, and other information about the victim and exfiltrates it over an encrypted command and control channel.
Analyst Comment: Do not click links or install software from unknown sources. Make sure your EDR is configured to automatically scan all files downloaded from the internet. To detect RAT infections effectively, keep an eye on C2 traffic and look out for suspicious high-volume data uploads to unknown IP addresses.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Automated Collection - T1119 | [MITRE ATT&CK] Automated Exfiltration - T1020
Tags: FatalRat, AnyDesk, C2, Keylogger
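Since FatalRAT's C2 channel is encrypted, payload inspection will not reveal what is being sent, so the practical signal is the one the analyst comment names: how much each internal host uploads to each external destination, and whether that destination is known. The Python below is an added example, not code from the bulletin or from AT&T Alien Labs; it aggregates constructed flow records per (source, destination, port), drops internal-to-internal and allow-listed traffic, and alerts above a byte threshold. The IP ranges in the allow list and the threshold are assumptions to be tuned per environment.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_sent_by_src).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real C2.
FLOWS = [
    ("10.1.4.23", "10.1.0.5",     445,    120_000),    # internal file share, ignored
    ("10.1.4.23", "203.0.113.40", 443, 48_000_000),    # unknown external host
    ("10.1.4.23", "203.0.113.40", 443, 35_000_000),    # same host, later in window
    ("10.1.4.23", "198.51.100.7", 443,    900_000),    # allow-listed SaaS endpoint
    ("10.1.4.31", "198.51.100.7", 443,  2_500_000),    # allow-listed SaaS endpoint
    ("10.1.4.31", "203.0.113.9", 8443, 61_000_000),    # unknown external host
    ("10.1.4.40", "203.0.113.77", 443,  4_000_000),    # unknown but below threshold
]

INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Hypothetical allow list of known external destinations (backup, SaaS, CDN).
KNOWN_EXTERNAL = {ip_address("198.51.100.7")}

# Bytes uploaded per (src, dst, port) within the aggregation window that
# triggers an alert; 50 MB is an assumed starting point, not a universal value.
THRESHOLD_BYTES = 50_000_000


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_by_pair(flows) -> dict:
    """Sum bytes for every internal -> external (src, dst, port) triple."""
    totals = defaultdict(int)
    for src, dst, port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, dst, port)] += nbytes
    return dict(totals)


def suspicious_uploads(flows, threshold: int = THRESHOLD_BYTES) -> list:
    """Alerts for unknown external destinations that received at least
    `threshold` bytes from one internal host, largest first."""
    alerts = []
    for (src, dst, port), total in egress_by_pair(flows).items():
        if ip_address(dst) in KNOWN_EXTERNAL:
            continue
        if total >= threshold:
            alerts.append({"src": src, "dst": dst, "port": port, "bytes": total})
    return sorted(alerts, key=lambda a: -a["bytes"])


if __name__ == "__main__":
    for a in suspicious_uploads(FLOWS):
        print(f"{a['src']} uploaded {a['bytes']:,} bytes to {a['dst']}:{a['port']}")
```

Two knobs decide whether this catches a real RAT: the aggregation window (a long window catches low-and-slow exfiltration that a per-flow threshold misses) and the allow list (an attacker using a popular cloud service as a relay will sit inside it, so the allow list should be per destination and reviewed, not a blanket "all of provider X").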
Topics: Anomali Cyber Watch