Anomali Cyber Watch:  Malware, Phishing, Ransomware and More. | Anomali


The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: BlackKingdom, Chrome Extensions, Microsoft, REvil, PurpleFox, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.


Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Google removes privacy-focused ClearURLs Chrome extension

(published: March 24, 2021)

Analyst Comment: This story illustrates the complexities of technology in modern life, as Google is a monolithic corporation that is integrated into everyone’s daily lives, both personal and business. Whilst many may find it difficult to do much without Google, the cost of using this software can often be your own privacy. Users should be aware that Google’s policies and usage of your data are not malicious and are perfectly legal, but you are giving up your information. If something is free, you are the product.
Tags: Google, Chrome, browser extension, privacy, Firefox, ClearURL

Purple Fox Malware Targets Windows Machines With New Worm Capabilities

(published: March 24, 2021)

Purple Fox, which first appeared in 2018, is an active malware campaign that originally targeted victims through phishing and exploit kits; it required user interaction or some kind of third-party tool to infect Windows machines. However, the attackers behind the campaign have now upped their game and added new functionality that can brute force its way into victims' systems on its own, according to new research from Guardicore Labs. The researchers identified a new infection vector through Server Message Block (SMB) password brute force, together with the addition of a rootkit that allows the actors to hide the malware on a machine, making it more difficult to detect and remove. Purple Fox is believed to have compromised around 3,000 servers, the vast majority of which were old versions of Windows Server with IIS version 7.5. It was very active in Spring and Summer 2020 before going quiet and then ramping up activity in early 2021.
Analyst Comment: Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe).
MITRE ATT&CK: [MITRE ATT&CK] Disabling Security Tools - T1089 | [MITRE ATT&CK] New Service - T1050 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Hidden Files and Directories - T1158
Tags: Purple fox, Windows, Windows Server, worm, rootkit, malware, persistence, campaign

Energy Giant Shell Is Latest Victim of Accellion Attacks

(published: March 23, 2021)

Royal Dutch Shell is the latest victim of a series of attacks on users of Accellion's File Transfer Appliance product. The company acknowledged it had been impacted by a ‘data-security incident’ and that attackers had gained access to ‘various files’; these files are believed to contain personal and company data from both Shell and its stakeholders. According to the company, Shell immediately addressed the vulnerabilities with its service provider and cybersecurity team and started an investigation to better understand the extent of the incident. Shell did not specify how attackers exploited the Accellion appliance, but the incident is most likely related to a series of recently exploited vulnerabilities that Accellion has scrambled to patch. So far four have been found and patched, but the Shell attack indicates there may be more undiscovered exploits. Several of the attacks have been attributed to FIN11 and the Cl0P ransomware gang.
Analyst Comment: Zero-day based attacks can sometimes be detected by less conventional methods, such as behavior analysis, and heuristic and machine learning based detection systems. Threat actors are often observed to use vulnerabilities even after they have been patched by the affected company. Therefore, it is crucial that policies are in place to ensure that all employees install patches as soon as they are made available.
Tags: FIN11, Clop Cl0p, CVE-2021-27103, CVE-2021-27102, CVE-2021-27101, CVE-2021-27104, Shell, energy, oil, vulnerability, Accellion, zero-day

Microsoft warns of phishing attacks bypassing email gateways

(published: March 23, 2021)

An ongoing phishing operation that has stolen an estimated 400,000 OWA and Office 365 credentials since December has now expanded to abuse new legitimate services to bypass secure email gateways. The attacks are part of multiple phishing campaigns collectively dubbed the "Compact" campaign, active since early 2020 and first detected by the WMC Global Threat Intelligence Team. The phishing emails masquerade as notifications from video conference services, security solutions and productivity tools, and are sent from compromised SendGrid and MailGun email delivery accounts; because secure email gateways treat these delivery services as trusted domains, the emails are not filtered out. The emails contain hyperlinks that redirect to phishing landing pages posing as Microsoft login pages, including Office 365 and Outlook. The campaign has now expanded to abuse Amazon Simple Email Service and the Appspot cloud platform to deliver messages and generate URLs. Microsoft and the WMC Global team are taking down the domains and accounts used as soon as they are detected.
Analyst Comment: Ensure that your organisation is using good basic cyber security habits. It is important that organisations and their employees use strong passwords that are not easily guessable, and that they do not use the default administrative passwords provided, because of their typically weak security. Update firewalls and antivirus software to ensure that systems can detect breaches or threats as soon as possible to reduce the severity of consequences. Educate employees on the dangers of phishing emails and teach them how to detect malicious emails. It is also recommended to encrypt any sensitive data at rest and in transit to mitigate the damage of potential breaches.
Tags: Microsoft, phishing, email, outlook, office, Amazon, appspot, spoofing, compact, campaign, credentials, mail delivery

Microsoft Exchange servers now targeted by BlackKingdom ransomware

(published: March 22, 2021)

Microsoft has seen a large rise in attacks targeting its Exchange servers since publishing a report on the actor ‘HAFNIUM.’ Over the weekend, security researcher Marcus Hutchins (MalwareTechBlog) tweeted that a threat actor was compromising Microsoft Exchange servers via ProxyLogon vulnerabilities to deploy ransomware. Based on the logs from his honeypots, Hutchins states that the threat actor used the vulnerability to execute a PowerShell script that downloads the ransomware executable from 'yuuuuu44[.]com' before pushing it out to other computers on the network. Marcus Hutchins noted that whilst claiming to be ‘BlackKingdom’, the ‘ransomware’ did not appear to encrypt files but only dropped a ransom note to every directory.
Analyst Comment: In order to avoid falling victim to cyber attackers exploiting the Microsoft Exchange vulnerabilities, it's recommended that organisations apply the critical updates as quickly as possible, because the longer the patches aren't applied, the more time cyber criminals will have to potentially exploit the vulnerabilities as part of an attack. Even if organisations have already applied the relevant security updates, there's no guarantee they were not compromised by malicious hackers before the patches were applied – so it's important to analyse the network to examine if it has already been accessed by cyber criminals. Tools like Anomali Match can help with retrospective searches for indicators to identify if such accesses were done in the past.
MITRE ATT&CK: [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Web Shell - T1100 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] Credential Dumping - T1003 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] File Deletion - T1107 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] PowerShell - T1086 | [MITRE ATT&CK] Redundant Access - T1108
Tags: BlackKingdom, DearCry, REvil, EU & UK, North America, Russia, Middle East, HAFNIUM, cmd.exe, LemonDuck, dsquery, net.exe, reg.exe, DoejoCrypt, CVE-2021-26855, CVE-2021-27065
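As an added defensive illustration of the retrospective indicator search the analyst comment recommends (example code written for this digest, not Anomali's or Anomali Match's own): it refangs report-style indicators and scans proxy log lines for the download domain named in the BlackKingdom story. The second indicator and the log records are constructed placeholders, not real traffic.

```python
import re
from dataclasses import dataclass

# Indicators as they appear in reports, defanged so they cannot be clicked.
# The first domain is the one named in the BlackKingdom story; the second is
# a constructed placeholder standing in for other entries of an IOC feed.
DEFANGED_IOCS = ["yuuuuu44[.]com", "hxxp://placeholder-ioc[.]example/dropper.exe"]

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into the exact string found in logs."""
    ioc = ioc.strip().lower()
    ioc = ioc.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    ioc = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), ioc)
    return ioc.replace("[:]", ":").replace("[@]", "@")

def ioc_domain(ioc: str) -> str:
    """Extract the host part of a refanged indicator (URL or bare domain)."""
    host = re.sub(r"^[a-z]+://", "", ioc).split("/")[0]
    return host.split(":")[0]

def host_matches(host: str, domain: str) -> bool:
    """True if host is the IOC domain itself or any subdomain of it
    (a plain substring test would also flag unrelated look-alike hosts)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

@dataclass
class Hit:
    line_no: int
    domain: str
    line: str

def retro_search(log_lines, defanged_iocs=DEFANGED_IOCS):
    """Retrospective search: report every log line whose host touches an IOC
    domain. Expects one proxy/DNS record per line with a 'host=' field."""
    domains = {ioc_domain(refang(i)) for i in defanged_iocs}
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r"\bhost=([^\s,]+)", line)
        if not m:
            continue
        for d in domains:
            if host_matches(m.group(1), d):
                hits.append(Hit(n, d, line))
    return hits

# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2021-03-21T02:14:07Z src=10.0.5.23 host=cdn.yuuuuu44.com uri=/x.exe",
    "2021-03-21T02:14:09Z src=10.0.5.23 host=login.microsoftonline.com uri=/",
    "2021-03-21T02:15:41Z src=10.0.7.9 host=notyuuuuu44.com uri=/",
    "2021-03-21T02:16:02Z src=10.0.7.9 host=placeholder-ioc.example uri=/dropper.exe",
]
```

Running `retro_search(SAMPLE_LOG)` flags lines 1 and 4 and ignores the look-alike host on line 3.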

Acer reportedly targeted with $50 million ransomware attack

(published: March 22, 2021)

According to Bleeping Computer, the ransomware gang ‘REvil’ reportedly breached the computer manufacturer Acer; the group shared images of allegedly stolen files as proof on its website over the weekend of March 20 and 21. The leaked images showed documents that included financial spreadsheets, bank balances, and bank communications. REvil demanded $50 million to deactivate the ransomware. It is not confirmed whether Acer has paid the ransomware group, nor has Acer acknowledged any attack. The attack is thought to have used a Microsoft Exchange exploit, but it is currently unknown which one.
Analyst Comment: Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of ransomware infection.
MITRE ATT&CK: [MITRE ATT&CK] Access Token Manipulation - T1134 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Data Destruction - T1485 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Inhibit System Recovery - T1490 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Execution through API - T1106 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Permission Groups Discovery - T1069 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Query Registry - T1012 | [MITRE ATT&CK] Service Stop - T1489 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] System Service Discovery - T1007 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Windows Management Instrumentation - T1047
Tags: REvil, Banking And Finance, ransom, ransomware, Acer, computer manufacturing, manufacturing, North America, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065

CISA Warns of Security Flaws in GE Power Management Devices

(published: March 22, 2021)

The U.S. Cybersecurity & Infrastructure Security Agency is warning of critical-severity security flaws in GE's Universal Relay (UR) family of power management devices. CISA has warned that, if not updated, the affected products could be exploited to access sensitive information, reboot the UR, gain privileged access or cause a denial-of-service condition. GE’s Universal Relay (UR) line is a family of power management devices that monitor and meter power within industrial plant automation.
Analyst Comment: It is important that your company has patch-maintenance policies in place. Once a vulnerability has been reported on in open sources, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Bootkit - T1067 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068
Tags: CVE-2021-27428, CVE-2021-27422, CVE-2021-27426, CVE-2021-27430, North America, General Electric, energy, industrial, manufacturing, utilities, industrial controls

Researchers Discover Two Dozen Malicious Chrome Extensions

(published: March 22, 2021)

Researchers at Cato Networks have discovered two dozen malicious Google Chrome browser extensions and 40 associated malicious domains that were previously unidentified. Some extensions were found to steal users’ names and passwords, whilst others were stealing financial data. Spoofed extensions posing as legitimate ones were common, amongst them a fake ‘Postman’ extension harvesting companies’ API credentials to target company applications. The security vendor discovered the extensions on networks belonging to hundreds of its customers and found that they were not being flagged as malicious by endpoint protection tools and threat intelligence systems. Malicious extensions have been used in earlier campaigns: in 2020, researchers from Awake Security discovered over 100 malicious extensions engaged in a global campaign to steal credentials, take screenshots, and carry out other malicious activity. It was estimated that there were at least 32 million downloads of the malicious extensions.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Browser Extensions - T1176
Tags: CVE-2021-22314, CVE-2021-25917, CVE-2021-25922, CVE-2021-25918, CVE-2021-22321, Chrome, Google, browser extension
