September 28, 2021 - Anomali Threat Research

Anomali Cyber Watch: Microsoft Exchange Autodiscover Bugs Leak 100K Windows Credentials, REvil Ransomware Reemerges After Shutdown, New Mac Malware Masquerades As iTerm2 and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> APT, BlackMatter, Phishing, Malicious PowerPoint, Microsoft Exchange, REvil </b> and <b> Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/ZYeJkymQCqmPvlEyfQKo"/><br/> <em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</em></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malicious-powerpoint-documents-on-the-rise/" target="_blank">Malicious PowerPoint Documents On The Rise</a></h3> <p>(published: September 22, 2021)</p> <p>McAfee Labs researchers have observed a new phishing campaign that abuses the macro capabilities of Microsoft PowerPoint. The lures use finance-related themes such as purchase orders. In this campaign, the spam email carries a PowerPoint file as an attachment. Upon opening the malicious attachment, the VBA macro executes to deliver variants of AgentTesla, a well-known password stealer. Attackers use this remote access trojan (RAT) as Malware-as-a-Service (MaaS) to steal user credentials and other information from victims through screenshots, keylogging, and clipboard captures.<br/> <b>Analyst Comment:</b> Files that ask for content to be enabled in order to view the document properly are often a sign of a phishing attack. If such a file arrives from a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment before it is opened. 
Any such file attachment sent by an unknown sender should be viewed with the utmost scrutiny; the attachment should not be opened and should be reported to the appropriate personnel.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947243" target="_blank">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947139" target="_blank">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a><br/> <b>Tags:</b> AgentTesla, RAT, MaaS, Malware-as-a-Service, VBA macro, Banking And Finance</p> </div> <div class="trending-threat-article"> <h3 id="article-2"><a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-autodiscover-bugs-leak-100k-windows-credentials/" target="_blank">Microsoft Exchange Autodiscover Bugs Leak 100K Windows Credentials</a></h3> <p>(published: September 22, 2021)</p> <p>Researchers from Guardicore have found a bug in the implementation of the “Autodiscover” protocol, the Microsoft Exchange feature that automatically configures a user's mail client, such as Microsoft Outlook, with the organization's predefined mail settings. The flaw causes Windows credentials to be sent to untrusted third-party websites. The researchers determined that this incorrect implementation has leaked approximately 100,000 login names and passwords for Windows domains worldwide.<br/> <b>Analyst Comment:</b> Administrators are advised to block the Autodiscover top-level domains listed by the researchers on GitHub (<a href="https://github.com/guardicore/labs_campaigns/tree/master/Autodiscover" target="_blank">https://github.com/guardicore/labs_campaigns/tree/master/Autodiscover</a>). Even though most of these domains may not currently be malicious, adversaries can easily register and take them over. 
Organizations are also advised to disable basic authentication.<br/> <b>Tags:</b> EU &amp; UK, China</p> </div> <div class="trending-threat-article"> <h3 id="article-3"><a href="https://threatpost.com/netgear-soho-security-bug-rce/174921/" target="_blank">Netgear SOHO Security Bug Allows RCE, Corporate Attacks</a></h3> <p>(published: September 22, 2021)</p> <p>Researchers at Grimm discovered a high-severity security bug affecting several Netgear small office/home office (SOHO) routers that could allow remote code execution (RCE): an attacker in a man-in-the-middle (MiTM) position can spoof the update server and inject their own code into the update process. The vulnerability, registered as CVE-2021-40847, exists in a third-party component called “Circle” that Netgear includes in its firmware to handle parental controls for the devices. Exploiting this vulnerability provides root access to the router, which can then be misused to inject malicious code into traffic and steal sensitive information.<br/> <b>Analyst Comment:</b> Protecting routers is critically important for small office and home setups. Owners need to ensure that they purchase routers from reputable vendors that provide security updates, and that updates are installed as soon as they become available. To reduce the attack surface, the router's management console should only be accessible from a few trusted devices on the network. 
A separate VLAN should be set up for guest users or contractors to restrict access to critical machines on corporate/home networks.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947142" target="_blank">[MITRE ATT&amp;CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/2402541" target="_blank">[MITRE ATT&amp;CK] Data Destruction - T1485</a> | <a href="https://ui.threatstream.com/ttp/3905071" target="_blank">[MITRE ATT&amp;CK] Application Layer Protocol - T1071</a><br/> <b>Tags:</b> Grimm, CVE-2021-40847</p> </div> <div class="trending-threat-article"> <h3 id="article-4"><a href="https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released" target="_blank">REvil Ransomware Reemerges After Shutdown; Universal Decryptor Released</a></h3> <p>(published: September 22, 2021)</p> <p>The threat group "GOLD SOUTHFIELD" has resumed operations after two months of inactivity that followed law enforcement actions, according to Secureworks researchers. The group's "REvil" ransomware-as-a-service (RaaS) has returned to the underground forum exploit[.]in after being shut down on July 13, 2019. Researchers observed that the group's ransom payment site and victim leak site had resumed responding to web requests after abruptly going offline. On September 9, 2019, a newly created “REvil” persona posted messages to underground forums explaining that the shutdown occurred because the spokesperson “UNKN” (also known as Unknown) may have been arrested and the clearnet ransom payment servers were compromised.<br/> <b>Analyst Comment:</b> Law enforcement agencies have recently been cracking down on ransomware-affiliated hackers and their infrastructure. But it is much easier for hackers to spin up new infrastructure in different locations and recruit new affiliates, because the rewards are high. 
It is also ironic that this group kept backups of its ransomware code and could restore operations in a short period of time, while unfortunately most of its victims did not have backups of their essential data.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947207" target="_blank">[MITRE ATT&amp;CK] Process Discovery - T1057</a> | <a href="https://ui.threatstream.com/ttp/947096" target="_blank">[MITRE ATT&amp;CK] Timestomp - T1099</a> | <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947166" target="_blank">[MITRE ATT&amp;CK] Modify Registry - T1112</a><br/> <b>Tags:</b> UNKN, GOLD SOUTHFIELD, Tor, REvil, Government, North America, Russia</p> </div> <div class="trending-threat-article"> <h3 id="article-5"><a href="https://www.microsoft.com/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/" target="_blank">Catching The Big Fish: Analyzing a Large-Scale Phishing-As-A-Service Operation</a></h3> <p>(published: September 21, 2021)</p> <p>Microsoft researchers have discovered a large-scale phishing-as-a-service operation called “BulletProofLink,” which sells phishing kits, email templates, hosting, and automated services at a relatively low cost. The BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today. It is used by multiple actor groups under either one-off or monthly subscription-based business models, which creates a steady revenue stream for its operators. The operation has over 100 available phishing templates that mimic known brands and services, with over 100 of the templates being used in phishing attacks. 
Researchers discovered a campaign that used a rather high volume of newly created and unique subdomains, over 300,000 in a single run.<br/> <b>Analyst Comment:</b> It is important to keep a watchful eye on suspicious domain registration activity related to your brand and to companies in your supply chain. The Anomali Targeted Threat Monitoring service can help you detect and block such suspicious domain registrations.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905071" target="_blank">[MITRE ATT&amp;CK] Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/3905348" target="_blank">[MITRE ATT&amp;CK] OS Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/947106" target="_blank">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/947164" target="_blank">[MITRE ATT&amp;CK] File Deletion - T1107</a> | <a href="https://ui.threatstream.com/ttp/947180" target="_blank">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947148" target="_blank">[MITRE ATT&amp;CK] New Service - T1050</a><br/> <b>Tags:</b> CVE-2021-40444, Phishing</p> </div> <div class="trending-threat-article"> <h3 id="article-6"><a href="https://blog.malwarebytes.com/malwarebytes-news/2021/09/new-mac-malware-masquerades-as-iterm2-remote-desktop-and-other-apps/" target="_blank">New Mac Malware Masquerades As iTerm2, Remote Desktop and Other Apps</a></h3> <p>(published: September 21, 2021)</p> <p>Security researcher Patrick Wardle released details of a new piece of malware masquerading as the legitimate app iTerm2. iTerm2 is a legitimate terminal emulator for macOS, frequently used by power users as a replacement for the built-in Terminal app because it offers some powerful features that Terminal does not. 
The trojanized version was apparently being distributed via iTerm2[.]net, a very convincing duplicate of the legitimate site iTerm2[.]com. The malware appears to be a Cobalt Strike beacon, which can provide comprehensive backdoor access to the attacker, and it appears to be distributed primarily in China and other Southeast Asian countries.<br/> <b>Analyst Comment:</b> Developers and analysts in organizations need to use a variety of tools and code libraries, which often have elevated access to the system. There needs to be a SecOps-approved list of development tools and libraries, and it should be enforced. Application control policies should be set to allow installation only of applications signed with approved vendor certificates, in order to block such masquerading attacks.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947106" target="_blank">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/947156" target="_blank">[MITRE ATT&amp;CK] Remote Desktop Protocol - T1076</a><br/> <b>Tags:</b> beacon, Cobalt Strike, China</p> </div> <div class="trending-threat-article"> <h3 id="article-7"><a href="https://blog.talosintelligence.com/2021/09/tinyturla.html" target="_blank">TinyTurla - Turla Deploys New Malware To Keep a Secret Backdoor On Victim Machines</a></h3> <p>(published: September 21, 2021)</p> <p>Researchers at Cisco Talos identified a previously undiscovered backdoor from the Turla APT. This new backdoor is either a second-chance backdoor that maintains access to the system in case the primary backdoor is detected and removed, or a second-stage dropper that infects the system with additional malware. The adversaries installed the backdoor as a service on the infected machine. The backdoor tries to stay under the radar by naming the service "Windows Time Service", like the existing Windows service. The backdoor can upload and execute files or exfiltrate files from the infected system. 
Researchers found that the backdoor contacted the command and control (C2) server over an HTTPS-encrypted channel every five seconds to check whether there were new commands from the operator.<br/> <b>Analyst Comment:</b> Adversaries use multiple tactics to stay under the radar on infected systems, in this case posing as a legitimate Windows service. But they still have to connect regularly to their C2 servers to receive commands. Anomali Match can help you detect, as well as retrospectively search for, these malicious C2 connections to identify patient zero.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947166" target="_blank">[MITRE ATT&amp;CK] Modify Registry - T1112</a> | <a href="https://ui.threatstream.com/ttp/947148" target="_blank">[MITRE ATT&amp;CK] New Service - T1050</a> | <a href="https://ui.threatstream.com/ttp/947135" target="_blank">[MITRE ATT&amp;CK] Data from Local System - T1005</a><br/> <b>Tags:</b> TinyTurla, Turla, Uroburos, WhiteBear, Venomous Bear, Backdoor, Russia, APT</p> </div> <div class="trending-threat-article"> <h3 id="article-8"><a href="https://www.bleepingcomputer.com/news/security/us-farmer-cooperative-hit-by-59m-blackmatter-ransomware-attack/" target="_blank">US Farmer Cooperative Hit By $5.9M BlackMatter Ransomware Attack</a></h3> <p>(published: September 20, 2021)</p> <p>The U.S. farmers' cooperative NEW Cooperative has suffered a BlackMatter ransomware attack; the attackers claim to have stolen 1000 GB of data containing R&amp;D results, sensitive employee information, financial documents, and an exported database from the KeePass password manager. The attackers are demanding a $5.9 million (USD) ransom, which will increase to $11.8 million if the ransom is not paid within five days. The ransomware is believed to be a rebrand of the DarkSide ransomware that disappeared after the attack on Colonial Pipeline. NEW Cooperative is a farmers' feed and grain cooperative with over sixty locations throughout Iowa. 
Researchers first discovered the attack after a ransomware sample was uploaded to a public malware analysis site early on the morning of September 20. This sample gave access to the ransom note, the ransomware negotiation page, and a non-public data leak page containing screenshots of stolen data.<br/> <b>Analyst Comment:</b> Ransomware attacks on critical infrastructure are on the rise. Internal systems need to be patched, and strong passwords should be used to limit lateral movement. Data backup solutions should be in place so that encrypted data can be recovered quickly. EDR and network traffic monitoring tools should help detect suspicious endpoint activity, such as the sudden modification of large numbers of files, and suspicious network activity such as data exfiltration.<br/> <b>Tags:</b> BlackMatter, DarkSide Ransomware, Government, North America</p> </div> <div class="trending-threat-article"> <h3 id="article-9"><a href="https://www.infosecurity-magazine.com/news/payment-api-vulnerabilities/" target="_blank">Payment API Vulnerabilities Exposed "Millions" Of Users</a></h3> <p>(published: September 20, 2021)</p> <p>Researchers from CloudSEK have discovered that approximately 5% of the 13,000 applications uploaded to their BeVigil "security search engine" for mobile applications that use the Razorpay API to facilitate financial transactions are potentially affected. The vulnerability is not a flaw in Razorpay; it is caused by developers mishandling the API and embedding the API key in their source code. The embedded API key can be used to obtain user information such as phone numbers and email addresses, transaction IDs and amounts, and order and refund details. Razorpay has fixed all 10 APIs to prevent misuse.<br/> <b>Analyst Comment:</b> Developers should never hardcode API keys or credentials in code; they should instead be stored in encrypted storage. 
Adversaries can easily extract all hardcoded plaintext data from applications using free utilities such as strings.exe. Mitigations are covered under MITRE CWE-798.<br/> <b>Tags:</b> Banking And Finance</p> </div> <div class="trending-threat-article"> <h3 id="article-10"><a href="https://www.bleepingcomputer.com/news/security/new-elon-musk-club-crypto-giveaway-scam-promoted-via-email/" target="_blank">New "Elon Musk Club" Crypto Giveaway Scam Promoted Via Email</a></h3> <p>(published: September 19, 2021)</p> <p>A new cryptocurrency giveaway scam called the "Elon Musk Club" is being promoted through spam email campaigns that started over the past few weeks. The phishing emails themselves are low effort and have strange, non-descriptive subjects and messages; however, they include an HTML attachment named simply "Get Free Bitcoin - [id].htm." The attachment contains a single line of code that uses JavaScript to redirect the browser to the https://msto.me/elonmusk/ webpage. The website pretends to be an Elon Musk Mutual Aid Fund that promises to send 0.001 to 0.055 bitcoins to all users who participate. BleepingComputer has seen two bitcoin addresses associated with these scams, which have received around 100 transactions.<br/> <b>Analyst Comment:</b> This is a small part of a larger crypto giveaway scam. Because Elon Musk is a very famous public figure and a strong proponent of bitcoin, his name is frequently used to carry out crypto giveaway phishing scams via email and fake Twitter profiles. Be aware that any cryptocurrency you send to such a "giveaway" will not produce anything in return.<br/> <b>Tags:</b> Phishing, Bitcoin</p> </div>
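<p>The malicious PowerPoint story above turns on one fact: the attachment only becomes dangerous once its VBA macro runs. Macro-enabled OOXML files (.pptm, .docm, .xlsm) are ZIP containers that store the macro code in a <code>vbaProject.bin</code> part, so a mail gateway can screen an attachment for that part without ever opening it in Office. The following is an added example of such a check, not code from McAfee, Anomali or any gateway product; the sample decks it builds in memory are constructed placeholders (only the container layout and the part name are real), and the attachment filenames are invented.</p>

```python
"""Mail-gateway style triage of Office attachments for embedded VBA projects.

Added example for the malicious PowerPoint story; not McAfee's or Anomali's code.
Macro-enabled OOXML files are ZIP containers whose macro code lives in a
vbaProject.bin part, so an attachment can be screened without opening it in Office.
The sample files built below are constructed in memory: only the container layout
and the part name are real, the part contents are placeholders.
"""
import io
import zipfile
from typing import List

MACRO_PART_SUFFIX = "vbaproject.bin"
OOXML_EXTENSIONS = {".pptx", ".pptm", ".docx", ".docm", ".xlsx", ".xlsm"}


def build_sample_deck(with_macro: bool) -> bytes:
    """Construct a minimal PowerPoint-like ZIP container for the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")          # placeholder, not a real part body
        z.writestr("ppt/presentation.xml", "<presentation/>")   # placeholder, not a real part body
        if with_macro:
            # Real macro-enabled decks store the VBA project at ppt/vbaProject.bin
            z.writestr("ppt/vbaProject.bin", b"placeholder VBA project bytes")
    return buf.getvalue()


def macro_parts(data: bytes) -> List[str]:
    """Names of VBA project parts inside an OOXML container (empty list if none)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return [n for n in z.namelist() if n.lower().endswith(MACRO_PART_SUFFIX)]
    except zipfile.BadZipFile:
        return []


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment as 'quarantine', 'allow' or 'unsupported'.

    Legacy binary formats (.ppt/.doc/.xls) are OLE files, not ZIPs, and need a
    different parser; they are reported as 'unsupported' rather than silently allowed.
    """
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in OOXML_EXTENSIONS or not zipfile.is_zipfile(io.BytesIO(data)):
        return "unsupported"
    if macro_parts(data):
        # A VBA project inside a file whose extension claims "no macros" (.pptx) is
        # doubly suspicious; either way the attachment should not reach the user unreviewed.
        return "quarantine"
    return "allow"


if __name__ == "__main__":
    # Constructed attachment names; the purchase-order theme matches the campaign's lures.
    for name, deck in [("PO-4471.pptm", build_sample_deck(True)),
                       ("PO-4471.pptx", build_sample_deck(False))]:
        print(name, "->", triage_attachment(name, deck))
```

<p>The check is deliberately independent of the file extension: a <code>.pptx</code> that carries a <code>vbaProject.bin</code> is still quarantined. Legacy <code>.ppt</code> attachments fall through as unsupported so that a gap in the parser shows up in the gateway's metrics instead of being mistaken for a clean file.</p>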
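<p>The Guardicore Autodiscover story above comes down to a mail client posting its Autodiscover request, credentials included, to a host the organization does not control. Beyond blocking the listed domains, a defender wants to know whether that already happened. The following is an added example of that check over proxy logs, not code from Guardicore, Microsoft or Anomali. The log format, the client addresses, the organization domain (<code>example.com</code>) and the external host (<code>autodiscover.example.net</code>) are all constructed for the example; a request to <code>/autodiscover/</code> on an external host is the condition the researchers describe, and one that also carries HTTP Basic credentials means the credentials have left the organization.</p>

```python
"""Spot Autodiscover requests that leave the organisation's own mail infrastructure.

Added example for the Guardicore Autodiscover story; not Guardicore's, Microsoft's
or Anomali's code. The log format, addresses, organisation domain and external host
below are constructed. An Autodiscover request to a host the organisation does not
control is the reported condition; with Basic credentials attached it is the leak.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Constructed proxy log, one request per line:
#   time  client  method  host  path  status  auth-scheme ('-' = no Authorization header)
SAMPLE_LOG = """\
2021-09-22T08:01:03Z 10.0.5.17 POST autodiscover.example.com /autodiscover/autodiscover.xml 200 NTLM
2021-09-22T08:01:09Z 10.0.5.17 POST example.com /autodiscover/autodiscover.xml 404 -
2021-09-22T08:01:11Z 10.0.5.17 POST autodiscover.example.net /autodiscover/autodiscover.xml 401 -
2021-09-22T08:01:12Z 10.0.5.17 POST autodiscover.example.net /autodiscover/autodiscover.xml 200 Basic
2021-09-22T08:02:40Z 10.0.7.3 GET www.example.com /index.html 200 -
"""

ORG_DOMAINS = frozenset({"example.com"})  # assumption: domains the organisation controls


@dataclass(frozen=True)
class Finding:
    time: str
    client: str
    host: str
    severity: str
    reason: str


def host_is_internal(host: str, org_domains: Iterable[str] = ORG_DOMAINS) -> bool:
    """True if host is one of the organisation's domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in org_domains)


def scan_autodiscover(log_text: str, org_domains: Iterable[str] = ORG_DOMAINS) -> List[Finding]:
    """One Finding per Autodiscover request that went to a host outside the organisation."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # malformed line; a real pipeline would count these
        time, client, _method, host, path, _status, auth = fields
        if "/autodiscover/" not in path.lower():
            continue
        if host_is_internal(host, org_domains):
            continue
        if auth.lower() == "basic":
            findings.append(Finding(time, client, host, "high",
                                    "Basic credentials sent to external Autodiscover host"))
        else:
            findings.append(Finding(time, client, host, "medium",
                                    "Autodiscover request to a host outside the organisation"))
    return findings


def leaked_credential_clients(log_text: str, org_domains: Iterable[str] = ORG_DOMAINS) -> List[str]:
    """Clients whose credentials should be treated as compromised and reset."""
    return sorted({f.client for f in scan_autodiscover(log_text, org_domains)
                   if f.severity == "high"})


if __name__ == "__main__":
    for f in scan_autodiscover(SAMPLE_LOG):
        print(f"{f.time} {f.client} -> {f.host} [{f.severity}] {f.reason}")
    print("reset credentials for:", leaked_credential_clients(SAMPLE_LOG))
```

<p>The medium-severity hits (an Autodiscover request to an external host with no credentials) are the early warning; the high-severity hit is the one that turns into a password reset. The same walk over the logs, run after basic authentication is disabled as the analyst comment recommends, should produce no further high-severity findings.</p>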
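<p>The TinyTurla story above notes that the backdoor polls its C2 server over HTTPS every five seconds. The analyst comment's point is that this regularity is exactly what gives an otherwise quiet implant away: a timer fires at fixed intervals, a human does not. The following is an added example of that beaconing detection, not code from Cisco Talos or Anomali. Its connection records (timestamp, source address, destination host) are constructed: one host polls <code>c2.invalid</code> every five seconds with small jitter while another browses <code>www.example.com</code> at irregular times. Real input would come from proxy, DNS or NetFlow logs; the logic only needs timestamps per (source, destination) pair.</p>

```python
"""Flag periodic outbound connections like the five-second C2 polling described for TinyTurla.

Added example for the TinyTurla story; not Cisco Talos's or Anomali's code. The
connection records are constructed: 10.0.2.9 polls c2.invalid every five seconds
with small jitter, 10.0.2.10 browses www.example.com at irregular times.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Connection = Tuple[datetime, str, str]  # (timestamp, source address, destination host)


def build_sample_connections() -> List[Connection]:
    """Construct the sample traffic described in the module docstring."""
    base = datetime(2021, 9, 21, 12, 0, 0)
    jitter = [0.0, 0.1, -0.1, 0.2, 0.0, -0.2, 0.1, 0.0, -0.1, 0.2, 0.0, 0.1]
    beacon = [(base + timedelta(seconds=5 * i + j), "10.0.2.9", "c2.invalid")
              for i, j in enumerate(jitter)]
    noise_offsets = [0, 3, 40, 41, 300, 301, 900, 2400]
    noise = [(base + timedelta(seconds=s), "10.0.2.10", "www.example.com")
             for s in noise_offsets]
    return sorted(beacon + noise)


def detect_beacons(conns: List[Connection], min_hits: int = 6,
                   max_cv: float = 0.1) -> List[Dict]:
    """Return (src, dst) pairs whose inter-connection intervals are suspiciously regular.

    cv is the coefficient of variation (stdev / mean) of the intervals: human-driven
    traffic has a high cv, a timer-driven implant a low one. min_hits suppresses
    pairs seen too few times to judge.
    """
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, src, dst in conns:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(intervals)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "hits": len(times),
                         "period_s": round(statistics.median(intervals), 1),
                         "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in detect_beacons(build_sample_connections()):
        print(f"{hit['src']} -> {hit['dst']}: {hit['hits']} connections, "
              f"period {hit['period_s']}s, cv {hit['cv']}")
```

<p>The thresholds are the tuning knobs: <code>max_cv</code> sets how much jitter still counts as a timer, and <code>min_hits</code> is what keeps a pair of coincidental requests from firing the rule. Against real logs, the pairs this surfaces are the starting point for the retrospective search the analyst comment describes, working back from the first regular connection to patient zero.</p>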
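<p>The Razorpay story above and its analyst comment make two points: an API key compiled into an application is recoverable with a strings utility, and the mitigation (CWE-798) is to keep the credential out of the artifact altogether. The following is an added example that shows both sides, not code from CloudSEK, Razorpay or Anomali. The "binary" it scans is a constructed byte blob standing in for an app package; the key value, the vendor prefix <code>pay_live_</code> and the environment variable name <code>PAYMENT_API_KEY</code> are all invented for the example. <code>extract_strings()</code> does what the strings utility does, so running <code>scan_artifact()</code> over a release build before it ships shows what anyone inspecting the shipped package would see.</p>

```python
"""A hardcoded API key is not secret: the pre-release check that catches it, and the fix.

Added example for the Razorpay/CloudSEK story; not CloudSEK's, Razorpay's or Anomali's
code. SAMPLE_BINARY is a constructed stand-in for an app package; the key, the
'pay_live_' prefix and the PAYMENT_API_KEY variable name are invented.
"""
import math
import os
import re
from collections import Counter
from typing import List, Mapping, Tuple

# Constructed stand-in for a compiled app: ELF-like header, some code bytes, string data.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"\x48\x89\xe5\x48\x83\xec\x90"
    + b"Order checkout v2\x00"
    + b"api_key=pay_live_9fK3xQ7LmZ2vT8wR1cD\x00"   # the mistake under test
    + b"\x01\x02\x03\x04"
    + b"https://api.payment.invalid/v1/orders\x00"
)

# name = value / name: value, optionally quoted; names are the usual credential words
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[=:]\s*['\"]?([^\s'\"]+)")


def extract_strings(blob: bytes, min_len: int = 8) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, like the strings utility."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score well above ordinary words."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secret_candidates(strings: List[str], min_entropy: float = 3.0) -> List[Tuple[str, str]]:
    """(name, value) pairs that look like a credential assigned to a literal."""
    found = []
    for s in strings:
        m = SECRET_ASSIGNMENT.search(s)
        if m and shannon_entropy(m.group(2)) >= min_entropy:
            found.append((m.group(1), m.group(2)))
    return found


def scan_artifact(blob: bytes) -> List[Tuple[str, str]]:
    """The release gate: anything returned here means the build must not ship."""
    return find_secret_candidates(extract_strings(blob))


def load_api_key(env: Mapping[str, str] = os.environ, name: str = "PAYMENT_API_KEY") -> str:
    """Hardened alternative: the key comes from the deployment environment, never the artifact.

    The environment itself is populated at deploy time from a secret store; the
    application refuses to start rather than fall back to a built-in default.
    """
    value = env.get(name, "").strip()
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to start without a credential source")
    return value


if __name__ == "__main__":
    for name, value in scan_artifact(SAMPLE_BINARY):
        print(f"hardcoded credential: {name} = {value[:9]}... (release blocked)")
    print("runtime key source:", load_api_key({"PAYMENT_API_KEY": "from-secret-store"}))
```

<p>The entropy threshold is there to skip benign assignments such as <code>password=changeme</code> in help text; anything that looks random enough to be a real key is reported. On a mobile app the same scan applies to the unpacked APK or IPA contents, where the key would otherwise sit in plain text exactly as the researchers found it.</p>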
