The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Android, Malware, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
(published: May 14, 2021)
A new method of fingerprinting users has been developed using any browser. Using URL schemes, certain applications can be launched from the browser. With this knowledge, an attacker can flood a client with multiple URL schemes to determine installed applications and create a fingerprint. Google Chrome has certain protections against this attack, but a workaround exists when using the built-in PDF viewer; this resets a flag used for flood protection. The only known protection against scheme flooding is to use browsers across multiple devices.
Analyst Comment: It is critical that the latest security patches be applied as soon as possible to the web browser used by your company. Vulnerabilities are discovered relatively frequently, and it is paramount to install the security patches because the vulnerabilities are often posted to open sources where any malicious actor could attempt to mimic the techniques that are described.
Tags: Scheme Flooding, Vulnerability, Chrome, Firefox, Edge
(published: May 13, 2021)
Anomali Threat Research has identified a campaign in which threat actors are using MSBuild project files to deliver malware. The project files contain a payload, either Remcos RAT, RedLine, or QuasarRAT, along with shellcode used to inject that payload into memory. Using this technique, the malware is delivered filelessly, allowing it to evade detection.
Analyst Comment: Threat actors are always looking for new ways to evade detection. Users should make use of a runtime protection solution that can detect memory-based attacks.
MITRE ATT&CK: [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Trusted Developer Utilities - T1127 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Software Discovery - T1518 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] System Time Discovery - T1124 | [MITRE ATT&CK] Audio Capture - T1123 | [MITRE ATT&CK] Clipboard Data - T1115 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Video Capture - T1125 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Connection Proxy - T1090 | [MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041
Tags: Remcos RAT, RedLine, QuasarRAT, Fileless Malware, MSBuild, Process Injection
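As an added defender-side example (not code from the Anomali report), the scanner below applies simple heuristics to MSBuild project files and flags inline-code tasks that embed long byte arrays or base64 blobs, or that call native APIs through P/Invoke. The inline task factory names are real MSBuild features; the thresholds, the sample project files and the idea of scoring on these three signals are assumptions made for this illustration.

```python
"""Heuristic scan of MSBuild project files for inline tasks carrying embedded payloads."""
import re
import xml.etree.ElementTree as ET

# Assumed heuristics (not from the Anomali report): inline-code task factories, a long
# hex byte array or base64 blob inside the task body, and P/Invoke from build code.
INLINE_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}
HEX_BYTE = re.compile(r"0x[0-9A-Fa-f]{2}\b")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
MIN_HEX_BYTES = 32  # assumed threshold; real shellcode arrays run to hundreds of bytes


def _local(tag):
    """Strip the MSBuild XML namespace so old and new project formats parse alike."""
    return tag.rsplit("}", 1)[-1]


def scan_project(xml_text):
    """Return indicator strings for one project file; an empty list means nothing flagged."""
    findings = []
    for task in ET.fromstring(xml_text).iter():
        if _local(task.tag) != "UsingTask":
            continue
        factory = task.get("TaskFactory", "")
        if factory not in INLINE_FACTORIES:
            continue  # references to compiled task assemblies are normal in legitimate builds
        name = task.get("TaskName", "?")
        findings.append(f"inline task '{name}' compiled by {factory}")
        code = "".join(c.text or "" for c in task.iter() if _local(c.tag) == "Code")
        hex_count = len(HEX_BYTE.findall(code))
        if hex_count >= MIN_HEX_BYTES:
            findings.append(f"'{name}' embeds a {hex_count}-byte hex array")
        if B64_BLOB.search(code):
            findings.append(f"'{name}' embeds a long base64 blob")
        if "DllImport" in code:
            findings.append(f"'{name}' calls native APIs via DllImport")
    return findings


# Constructed sample (not a real artifact): inline C# task with a 40-byte NOP array and P/Invoke.
SUSPICIOUS_PROJECT = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build"><Run /></Target>
  <UsingTask TaskName="Run" TaskFactory="CodeTaskFactory" AssemblyFile="Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Class" Language="cs"><![CDATA[
      using System.Runtime.InteropServices;
      public class Run : Microsoft.Build.Utilities.Task {
        [DllImport("kernel32")] static extern uint GetCurrentProcessId();
        public override bool Execute() { byte[] buf = new byte[] { @BYTES@ }; return true; }
      } ]]></Code></Task>
  </UsingTask>
</Project>""".replace("@BYTES@", ",".join(["0x90"] * 40))

# Constructed benign sample: an ordinary project that only references a compiled task assembly.
BENIGN_PROJECT = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <UsingTask TaskName="Zip" AssemblyFile="MyTasks.dll" />
  <Target Name="Build"><Message Text="hello" /></Target>
</Project>"""

if __name__ == "__main__":
    for label, proj in (("suspicious", SUSPICIOUS_PROJECT), ("benign", BENIGN_PROJECT)):
        print(label, scan_project(proj) or "clean")
```

Run it over a directory of .proj/.csproj files pulled from endpoints or a file share; a hit on any two of the three signals is worth a manual look, since legitimate build scripts rarely combine inline C# with large byte literals.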
(published: May 13, 2021)
Transparent Tribe (APT36) continues to create fake domains and use phishing techniques to target military, government and diplomatic groups, as well as research organizations. The phishing emails contain documents with malicious VBA macros that deliver either CrimsonRAT or ObliqueRAT. These documents masquerade as resumes, awards, diplomatic communications, and military operations documents for the Indian Armed Forces. The main targets have been in India, Pakistan, Iran and Afghanistan.
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] Security Software Discovery - T1063 | [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] Data Compressed - T1002 | [MITRE ATT&CK] Permission Groups Discovery - T1069 | [MITRE ATT&CK] Masquerading - T1036
Tags: CrimsonRAT, ObliqueRAT, Mythic Leopard, Transparent Tribe, APT36, North America, Pakistan, Middle East, Government, Military
(published: May 12, 2021)
A new DARKSIDE Ransomware as a Service (RaaS) campaign is being waged with multiple partnered threat groups, including Babuk and Sodinokibi. Network infrastructure is breached using a combination of stolen credentials and phishing. Cobalt Strike BEACON, mimikatz, and local tools (PsExec, cmd, etc.) are used to harvest and exfiltrate data. As these groups are working in concert, operations are expected to grow, with the unfortunate side effect that TTPs will vary per group.
Analyst Comment: This type of attack has been increasing in both volume and frequency against private companies and public entities, such as city governments. The need for comprehensive recovery solutions will likewise become greater in order to prevent ransom payouts, thus fueling further malicious attacks.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Link - T1192 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Credential Dumping - T1003 | [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Bypass User Account Control - T1088 | [MITRE ATT&CK] Local Job Scheduling - T1168 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Web Service - T1102 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] New Service - T1050 | [MITRE ATT&CK] Disabling Security Tools - T1089 | [MITRE ATT&CK] Network Share Discovery - T1135 | [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] Registry Run Keys / Startup Folder - T1060 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Scheduled Transfer - T1029 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Command-Line Interface - T1059
Tags: DarkSide Ransomware, NetWalker, Sodinokibi, AnyDesk, Cobalt Strike Beacon, Mimikatz, PsExec, Empire, REvil, Darkside 2.0, Babuk, Darksupp, CVE-2021-20016, North America, Russia, Middle East, Banking And Finance, Healthcare
(published: May 12, 2021)
Microsoft has disclosed a new vulnerability in the Windows-only HTTP server, which is responsible for handling HTTP network requests. Exploitation of this vulnerability will lead to a BSOD (Blue Screen of Death) at a minimum and could theoretically lead to remote code execution in a worst-case scenario. Fortunately, there is no exploit in the wild at present.
Analyst Comment: Per https://kc.mcafee.com/corporate/index?page=content&id=KB94510, apply the following Network Security Signature Set 10.8.21.2: CVE-2021-31166 - 0x4528f000. Threat actors are often observed to use vulnerabilities even after they have been patched by the affected company. Therefore, it is crucial that policies are in place to ensure that all employees install patches as soon as they are made available.
Tags: CVE-2021-31166, CVE-2015-1635
(published: May 11, 2021)
A vulnerability has been identified in the Microsoft Azure VM extension in which a malicious actor could access private data and potentially escalate privileges. Using a combination of Transport Key and Transport Certificate flaws, an attacker could craft their own certificate to leak sensitive data held in VM extension files as they are transmitted to and from a wire server. This includes, but is not limited to, credentials, network configurations, and installed applications. Attackers can use this to perform lateral movement and further infiltration.
Analyst Comment: The security update should be applied as soon as possible because of the high criticality rating of this vulnerability and the potential for an actor to take control of an affected system. Additionally, your company should have policies in place to review and apply security updates for software in use to protect against known vulnerabilities that threat actors may exploit.
MITRE ATT&CK: [MITRE ATT&CK] Install Root Certificate - T1130
(published: May 11, 2021)
Avaddon ransomware groups are actively targeting healthcare, manufacturing, government, information technology, energy, and other sectors per the FBI and the Australian Cyber Security Center. At present, twenty-one countries have seen attacks with increasing frequency. Avaddon operates as RaaS, meaning that participating threat actors are responsible for multiple aspects of operations (initial infection, data exfiltration, TOR payment portal maintenance, etc.). There have also been threats of DDoS attacks as additional leverage, but as of yet no such attacks have been observed.
Analyst Comment: Always run antivirus and endpoint protection software to assist in preventing ransomware infection. Maintain secure backups of all your important files to avoid the need to consider payment for the decryption key, and implement a business continuity plan in the unfortunate case of ransomware infection. Emails received from unknown sources should be carefully avoided, and attachments and links should not be followed or opened. Your company should sustain policies to consistently check for new system security patches. In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.
MITRE ATT&CK: [MITRE ATT&CK] Clipboard Data - T1115 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Avaddon Ransomware, SunCrypt, RagnarLocker
(published: May 11, 2021)
Android users are at risk of a new attack involving SMS phishing. Targets receive a text about a ‘customs fee’ to release a package; clicking the link prompts what appears to be an update to Google Chrome but is in fact the malicious payload. Once installed, the victim is redirected to a page and asked to pay several dollars (thus harvesting the credit card data for future fraud). The malware then uses the newly infected device to spread, sending upwards of 300 texts per day. The campaign currently focuses on credential/credit card harvesting, but may utilize additional forms of theft in the future.
Analyst Comment: Always be sure to install apps from a trusted source and developer to lower the possibility of downloading malware.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Masquerading - T1036
Tags: SMSishing, Android, Credential Harvesting, Bank Fraud