June 29, 2021
Anomali Threat Research

Anomali Cyber Watch: Microsoft Signs Malicious Netfilter Rootkit, Ransomware Attackers Using VMs, Fertility Clinic Hit With Data Breach and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>China, NetFilter, Ransomware, QBot, Wizard Spider,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/APwpSM0Q6y3b07kHAHbX"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-rootkit" target="_blank">Microsoft Signed a Malicious Netfilter Rootkit</a></h3> <p>(published: June 25, 2021)</p> <p>Security researchers recently discovered a malicious netfilter driver that is signed by a valid Microsoft signing certificate. The files were initially thought to be a false positive due to the valid signing, but further inspection revealed that the malicious driver called out to a Chinese IP. Further research has analyzed the malware, dropper, and Command and Control (C2) commands. Microsoft is still investigating this incident, but has clarified that they did approve the signing of the driver.<br/> <b>Analyst Comment:</b> Malware signed by a trusted source is a threat vector that can be easily missed, as organizations may be tempted to not inspect files from a trusted source. It is important for organizations to have network monitoring as part of their defenses. 
Additionally, the signing certificate used was quite old, so review and/or expiration of old certificates could prevent this malware from running.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947101" target="_blank">[MITRE ATT&amp;CK] Code Signing - T1116</a> | <a href="https://ui.threatstream.com/ttp/947265" target="_blank">[MITRE ATT&amp;CK] Install Root Certificate - T1130</a><br/> <b>Tags:</b> Netfilter, China</p> </div> <div class="trending-threat-article"> <h3 id="article-2"><a href="https://searchsecurity.techtarget.com/news/252502924/Dell-BIOSConnect-flaws-affect-30-million-devices" target="_blank">Dell BIOSConnect Flaws Affect 30 Million Devices</a></h3> <p>(published: June 24, 2021)</p> <p>Four vulnerabilities have been identified in the BIOSConnect tool distributed by Dell as part of SupportAssist. The core vulnerability is due to insecure/faulty handling of TLS, specifically accepting any valid wildcard certificate. The flaws in this software affect over 30 million Dell devices across 128 models, and could be used for Remote Code Execution (RCE). Dell has released patches for these vulnerabilities and currently there are no known actors scanning or exploiting these flaws.<br/> <b>Analyst Comment:</b> Any business or customer using Dell hardware should patch this vulnerability to prevent malicious actors from being able to exploit it. The good news is that Dell has addressed the issue. 
Patch management and asset inventories are critical portions of a good defense in depth security program.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947244" target="_blank">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/947233" target="_blank">[MITRE ATT&amp;CK] Exploitation for Privilege Escalation - T1068</a> | <a href="https://ui.threatstream.com/ttp/947124" target="_blank">[MITRE ATT&amp;CK] Peripheral Device Discovery - T1120</a><br/> <b>Tags:</b> CVE-2021-21571, CVE-2021-21572, CVE-2021-21573, CVE-2021-21574, Dell, BIOSConnect</p> </div> <div class="trending-threat-article"> <h3 id="article-3"><a href="https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917/" target="_blank">Malicious Spam Campaigns Delivering Banking Trojans</a></h3> <p>(published: June 24, 2021)</p> <p>Analysis from two mid-March 2021 spam campaigns revealed that they were delivering banking trojans via either zip files or links to zip files. These campaigns were largely delivering the common trojan IcedID, which consists of a downloader and the main malware, which is hidden in a .png file and decrypted by the downloader. Variants of another banking trojan, Qbot, were also detected during analysis. The version of IcedID in these campaigns used a new version of the downloader.<br/> <b>Analyst Comment:</b> User training and email security policies remain among the best defenses from phishing attacks. 
Vulnerability and asset management to prevent exploitation of patched flaws are critical parts of an effective security program, as much malware relies on vulnerabilities that have already been fixed.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947092" target="_blank">[MITRE ATT&amp;CK] Rootkit - T1014</a> | <a href="https://ui.threatstream.com/ttp/947082" target="_blank">[MITRE ATT&amp;CK] System Owner/User Discovery - T1033</a> | <a href="https://ui.threatstream.com/ttp/947136" target="_blank">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/947186" target="_blank">[MITRE ATT&amp;CK] Software Packing - T1045</a><br/> <b>Tags:</b> IcedID, Qbot, Ligooc, Banking, Trojan</p> </div> <div class="trending-threat-article"> <h3 id="article-4"><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines" target="_blank">Ransomware: Growing Number of Attackers Using Virtual Machines</a></h3> <p>(published: June 23, 2021)</p> <p>There has been an increase in the number of ransomware attacks utilizing virtual machines. This technique is used to evade security controls on the host system while a virtual machine leverages the shared folder feature of virtualization to mount and encrypt the host machine's drives, potentially including shared network volumes.<br/> <b>Analyst Comment:</b> This type of threat is specifically crafted to avoid common security controls on the host system. Security controls and policies regarding the use of hypervisors, especially not allowing virtual machines to mount shared storage from the host, may be advised for organizations and teams that do not need virtualization. 
Alternatively, specific monitoring around virtual machine activities could be used to detect and thwart these types of attacks.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947080" target="_blank">[MITRE ATT&amp;CK] Bootkit - T1067</a> | <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a><br/> <b>Tags:</b> Mountlocker, Mount Locker, Conti, RagnarLocker, Russia</p> </div> <div class="trending-threat-article"> <h3 id="article-5"><a href="https://threatpost.com/bec-losses-top-18b/167148/" target="_blank">BEC Losses Top $1.8B as Tactics Evolve</a></h3> <p>(published: June 22, 2021)</p> <p>Business Email Compromise (BEC) attacks continued to increase in frequency in 2020, with the use of gift card lures responsible for the most attacks seen in the wild. These campaigns generally rely on volume over targeted crafting of the lure and leverage free email providers for delivery. Another class of BEC attack utilizes impersonation of either an internal employee or a partner/vendor of the target organization. While these emails are often recognized as a scam by users, the low cost for large-scale campaigns means attackers can be quite profitable even with a very low rate of success.<br/> <b>Analyst Comment:</b> BEC attacks continue to rely on human errors. 
While email security software and policies can reduce the number of fraudulent emails that reach people, the only effective counter-measures for BEC attacks remain adequate and repeated training of personnel along with a culture and processes that empower any employee to question an executive demand that involves transfer of funds or payment of any kind.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947106" target="_blank">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/947180" target="_blank">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a><br/> <b>Tags:</b> Banking, Finance, EU, UK, North America</p> </div> <div class="trending-threat-article"> <h3 id="article-6"><a href="https://www.crowdstrike.com/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/" target="_blank">Response When Minutes Matter: Falcon Complete Disrupts WIZARD SPIDER eCrime Operators</a></h3> <p>(published: June 22, 2021)</p> <p>Several recent incident responses have involved the use of Remote Desktop Protocol (RDP) as an initial infection vector. These attacks have used compromised credentials to access a target via RDP. After gaining an initial foothold into an organization, the actors will proceed to running reconnaissance commands, as well as Cobalt Strike and other tools. The authors attribute these particular attacks as likely to be WIZARD SPIDER, a suspected Russian APT criminal group.<br/> <b>Analyst Comment:</b> Compromises of RDP continue to be a valuable tactic for malicious cyber actors who can use that access to elevate their privileges, leave backdoors for future re-entry, gain control of part of a victim network, and deploy ransomware. 
Locking down RDP behind a VPN, reducing the number of people who have legitimate access to RDP, and keeping current on patching related to this protocol can all greatly reduce the risk this kind of compromise represents.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947278" target="_blank">[MITRE ATT&amp;CK] Remote File Copy - T1105</a> | <a href="https://ui.threatstream.com/ttp/2402537" target="_blank">[MITRE ATT&amp;CK] Domain Trust Discovery - T1482</a> | <a href="https://ui.threatstream.com/ttp/947156" target="_blank">[MITRE ATT&amp;CK] Remote Desktop Protocol - T1076</a> | <a href="https://ui.threatstream.com/ttp/947215" target="_blank">[MITRE ATT&amp;CK] Accessibility Features - T1015</a> | <a href="https://ui.threatstream.com/ttp/947207" target="_blank">[MITRE ATT&amp;CK] Process Discovery - T1057</a> | <a href="https://ui.threatstream.com/ttp/947087" target="_blank">[MITRE ATT&amp;CK] Credential Dumping - T1003</a><br/> <b>Tags:</b> WIZARD SPIDER, Cobalt Strike, AnyDesk, Ryuk, Conti, nltest, Trickbot, BazarLoader, Banking, Finance</p> </div> <div class="trending-threat-article"> <h3 id="article-7"><a href="https://www.zdnet.com/article/only-50-of-wa-government-entities-get-a-pass-mark-for-infosec/#ftag=RSSbaffb68" target="_blank">Only 50% of Western Australia's Government Entities Get a Pass Mark for Infosec</a></h3> <p>(published: June 21, 2021)</p> <p>Western Australia's auditor-general recently reported that only half of the 59 government agencies reviewed had achieved their cybersecurity benchmarks in the 2019 - 2020 period. Worse yet, 42% of the security findings in this most recent report had been included in the previous year's report as well. The 13th report from the Office of the Auditor-General (OAG) said, "We continue to find a large number of weaknesses that could compromise the confidentiality, integrity and availability of information systems. 
Information security remains our biggest area of concern."<br/> <b>Analyst Comment:</b> This report highlights both the importance and difficulty of good information security policy and controls. Vulnerability reports are only useful as part of an overall patch and asset management program. Regular, independent audits can identify where more resources or updated policies are required in order to achieve compliance, but if those reports are not acted upon - and those actions maintained - security postures are unlikely to improve.<br/> <b>Tags:</b> Naikon, Government, China</p> </div> <div class="trending-threat-article"> <h3 id="article-8"><a href="https://www.infosecurity-magazine.com:443/news/30000-fertility-clinic-patients/" target="_blank">Over 30,000 Fertility Clinic Patients Hit by Ransomware Data Breach</a></h3> <p>(published: June 21, 2021)</p> <p>Reproductive Biology Associates (RBA) confirmed that private information belonging to over 30,000 patients was stolen in a breach which was detected when a file server was found to be encrypted with ransomware. The company has regained access to the encrypted data and has been assured that the actor has since deleted their copy of all exposed data, which includes patient full names, addresses, Social Security numbers, lab results, and some data related to human tissue handling. However, those assurances from the ransomware actors could not be validated.<br/> <b>Analyst Comment:</b> Defense in depth is critically important, especially for organizations in control of Personally Identifiable Information (PII). Paying ransomware demands has frequently been shown to be an ineffective means of protection. A recent study showed that around 80% of ransomware victims who paid the ransom were subsequently re-infected with ransomware. 
There have also been multiple instances of organizations being assured that stolen data was deleted by an actor only to have their data leaked anyway.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/947227" target="_blank">[MITRE ATT&amp;CK] Brute Force - T1110</a><br/> <b>Tags:</b> Ransomware</p> </div>
