Anomali Cyber Watch: ProxyShell Being Exploited to Install Webshells and Ransomware, Neurevt Trojan Targeting Mexican Users, Secret Terrorist Watchlist Exposed, and More | Anomali

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT37 (InkySquid), BlueLight, Ransomware, T-Mobile Data Breach, Critical Vulnerabilities, IoT, Kalay, Neurevt, and ProxyShell. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the “anomali cyber watch” tag.

Trending Cyber News and Threat Intelligence

Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit

(published: August 23, 2021)

Despite patches a collection of vulnerabilities (ProxyShell) discovered in Microsoft Exchange being available in the July 2021 update, researchers discovered nearly 2,000 of these vulnerabilities have recently been compromised to host webshells. These webshells allow for attackers to retain backdoor access to compromised servers for further exploitation and lateral movement into the affected organizations. Researchers believe that these attacks may be related to the recent LockFile ransomware attacks.
Analyst Comment: Organizations running Microsoft Exchange are strongly encouraged to prioritize updates to prevent ongoing exploitation of these vulnerabilities. In addition, a thorough investigation to discover and remove planted webshells should be undertaken as the patches will not remove planted webshells in their environments. A threat intelligence platform (TIP) such as Anomali Threatstream can be a valuable tool to assist organizations ingesting current indicators of compromise (IOCs) and determine whether their Exchange instances have been compromised.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Web Shell - T1100 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Source - T1153
Tags: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, Exchange, ProxyShell, backdoor

LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers

(published: August 20, 2021)

A new ransomware family, named Lockfile by Symantec researchers, has been observed on the network of a US financial organization. The first known instance of this ransomware was July 20, 2021, and activity is ongoing. This ransomware has been seen largely targeting organizations in a wide range of industries across the US and Asia. The initial access vector remains unknown at this time, but the ransomware leverages the incompletely patched PetitPotam vulnerability (CVE-2021-36942) in Microsoft's Exchange Server to pivot to Domain Controllers (DCs) which are then leveraged to deploy ransomware tools to devices that connect to the DC. The attackers appear to remain resident on the network for several days before deploying the ransomware. This new ransomware has similarities to both LockBit and Conti.
Analyst Comment: Ransomware continues to be one of the most common and disruptive forms of cyber attacks in 2021, resulting in millions of dollars in financial losses and significant disruptions across education, energy, and manufacturing sectors. Having a TIP such as Anomali ThreatStream is increasingly recognized as a vital component of a defense-in-depth program. The capability to easily ingest and correlate threat intelligence as it is disseminated and correlate it against an organization's infrastructure (as provided by Anomali Match) can greatly ease the burden of finding and remediating both vulnerabilities and attacks.
MITRE ATT&CK: [MITRE ATT&CK] PowerShell - T1086 | [MITRE ATT&CK] System Network Configuration Discovery - T1016
Tags: Asia, CVE-2021-36942, LockBit, Ransomware, LockFile, Conti, North America, PetitPotam, Banking and Finance

T-Mobile Says Information of More Than 48 Million Customers Leaked in Breach

(published: August 18, 2021)

A threat actor is selling what they claim to be 30 million T-Mobile customers' Social Security and driver license numbers on an underground forum. T-Mobile confirmed the breach and eliminated the actor's access to the systems, and now claims that the data contains information from approximately eight million current customers (including 800,000 prepaid accounts) and assesses the total number of records stolen to be 40 million, contrasting with the 100 million records claimed by the actor. These records include personally identifiable information (PII), including social security numbers, addresses, International Mobile Equipment Identity (IMEI) numbers and more.
Analyst Comment: The loss of control of customer PII is a large problem, both from a public relations (PR) and legal standpoint, as breached companies scramble to meet reporting requirements and inform the public of the risks associated with such breaches. It is vital for organizations that collect PII to have coordinated defense-in-depth programs. A product such as Anomali Match can be invaluable to rapidly detecting and remediating breaches by correlating, for example, data loss prevention (DLP) information with up-to-date threat intelligence.
Tags: data breach, PII, telco

Neurevt Trojan Takes Aim at Mexican Users

(published: August 17, 2021)

Cisco Talos researchers discovered a campaign using the Neurevt trojan to target customers of Mexican banks. This campaign combines backdoors and information stealers with the Neurevt trojan, allowing for persistent access to victim information systems as well as the capability to capture screenshots, keystrokes, mouse activity and more. Additionally, there are a number of anti-analysis and evasion techniques leveraged by the malware.
Analyst Comment: Neither the Neurevt trojan nor the associated tools used in this campaign were new, meaning that organizations with intelligence-driven security programs that combine network traffic with intelligence about threat actors and their tactics, tools, and procedures (TTPs) would likely be able to rapidly identify and neutralize this activity. Tools like Anomali Threatstream and Anomali Match, which correlate information from security research across the globe with data from sources such as email gateways, endpoint detection and response (EDR) systems, and Security Information and Event Management (SIEM) enable rapid detection aof nd response to new threats while speeding up the search for previously undetected attacks.
MITRE ATT&CK: [MITRE ATT&CK] Launch Daemon - T1160 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Query Registry - T1012 | [MITRE ATT&CK] Disabling Security Tools - T1089 | [MITRE ATT&CK] Security Software Discovery - T1063 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] PowerShell - T1086 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] Accessibility Features - T1015 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Peripheral Device Discovery - T1120 | [MITRE ATT&CK] Software Discovery - T1518 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] File Deletion - T1107 | [MITRE ATT&CK] OS Credential Dumping - T1003
Tags: Neurevt, Banking and Finance, Russia, Trojan, Mexico

Mandiant Discloses Critical Vulnerability Affecting Millions of IoT Devices

(published: August 17, 2021)

A critical vulnerability (CVE-2021-28372) has been identified in ThroughTek's Kalay P2P software development kit (SDK) that could impact at least 83 million Internet of Things (IoT) devices. The Kalay platform allows registered devices to connect to a mobile or desktop application. The vulnerability could allow for an attacker to remotely compromise connected devices.
Analyst Comment: Organizations using the Kalay SDK should upgrade to at least version 3.1.10. The proliferation of IoT devices, combined with their commodity nature and general lack of built-in security continue to plague this space and allow for undiscovered vulnerabilities to be exploited by actors. Both due to the sensitive nature of these devices (e.g. internet connected cameras) and the ability to pivot from a vulnerable IoT system to a broader network means that accurate inventory of IoT devices should be correlated with threat intelligence to allow for rapid detection and patching when vulnerabilities are discovered.
MITRE ATT&CK: [MITRE ATT&CK] Peripheral Device Discovery - T1120 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Audio Capture - T1123
Tags: CVE-2021-28372, IoT, Kalay

BadAlloc Vulnerability Affecting BlackBerry QNX RTOS

(published: August 17, 2021)

The Cybersecurity & Infrastructure Security Agency (CISA) has warned that the IoT and Operational Technology (OT) vulnerabilities collectively known as BadAlloc (CVE-2021-22156) in Blackberry's QNX RTOS affects over 195 million devices worldwide. The affected devices include critical infrastructure, automobiles, and medical devices. CISA is urgently recommending that organizations with affected systems patch their devices.
Analyst Comment: A combination of asset inventory and patch management, along with limiting the ports exposed by these devices to only used ports, are important mitigation measures for vulnerabilities like this. These policies and programs are especially important for organizations involved in critical infrastructure and the medical industry. Organizations that have the tools to connect external threat intelligence, network traffic (endpoint, SIEM, etc.) with their Configuration Management Database (CMDB) and Crown Jewels Assessment (CJA) are in the best position to discover events like this and take appropriate action immediately.
MITRE ATT&CK: [MITRE ATT&CK] Service Execution - T1035 | [MITRE ATT&CK] System Information Discovery - T1082
Tags: CVE-2021-22156, BadAlloc, IoT, Blackberry QNX

North Korean APT InkySquid Infects Victims Using Browser Exploits

(published: August 17, 2021)

A recent strategic web compromise (SWC) of a South Korean online newspaper that primarily focuses on North Korea has been attributed with moderate confidence to North Korean group APT37 (aka InkySquid, ScarCruft). The attackers used an known exploit of Internet Explorer (CVE-2020-1380) to inject malicious JavaScript and later deliver a custom malware known as Bluelight which leveraged the Microsoft Graph API for C2 operations. This activity was observed from at least early March 2021 through June 2021.
Analyst Comment: Exploitation of known vulnerabilities in web browsers is not a new technique, which serves as a reminder that the majority of cyber threats are known and can be prevented or rapidly detected and mitigated when organizations have intelligence integrated into their security operations. Technologies such as Anomali ThreatStream and Anomali Match enable organizations to connect all available external data, information, and intelligence with all internal network traffic to alert network defenders of malicious activity in near-real time.
MITRE ATT&CK: [MITRE ATT&CK] Access Token Manipulation - T1134 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Web Service - T1102 | [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Obfuscated Files or Information - T1027
Tags: APT, APT37, Bluelight, CVE-2020-1380, CVE-2021-26411, North Korea, Strategic Web Compromise

65 Vendors Affected by Severe Vulnerabilities in Realtek Chips

(published: August 16, 2021)

A dozen vulnerabilities have been identified in the Realtek RTL819xD module. These vulnerabilities could allow attackers to gain complete access to the device, installed operating systems and other network devices. While this generally requires an attacker to be on the same Wi-Fi network as the device, misconfigurations can expose these devices directly to the Internet. The chips supplied by Realtek are used by almost all well-known manufacturers and can be found in Voice over Internet Protocol (VoIP) devices, wireless routers, IP cameras, IoT devices, and more. The list of affected hardware manufacturers includes AsusTEK, Belkin, D-Link, Edimax, Hama, Netgear.
Analyst Comment: The proliferation of IoT devices both in corporate spaces and home offices makes it imperative that organizations and home users routinely check for and apply updates. These devices can be exploited and used by malicious actors to pivot to other devices on the network. IoT devices should be included in device inventories for visibility.
Tags: CVE-2021-35393, CVE-2021-35392, CVE-2021-35395, CVE-2021-35394, IoT, Realtek

Secret Terrorist Watchlist with 2 Million Records Exposed Online

(published: August 16, 2021)

A trove of JSON records, which appear to be 1.9M records from the FBI's Terrorist Screening Center (TSC), were discovered in July on a password-less Elasticsearch cluster. These records are utilized by a number of federal agencies as a "no-fly list" consisting of sensitive personal information of suspected terrorists and associates. This data was confirmed to have been indexed by at least two search engines, indicating that this information may have been accessed by others aside from the researcher who reported it. The records include names, citizenry information, and passport IDs, among other data. Interestingly, this data was discovered hosted on a Bahrain IP address, not one based in the US.
Analyst Comment: Aside from the embarrassment this discovery will certainly cause the FBI, the people whose information was exposed could be in danger from vigilantes seeking to do harm to them. Additionally, as these lists can include inaccuracies, or could be manipulated and redistributed, this kind of breach could threaten the careers and reputations of innocent people. Secure development techniques for platforms hosting sensitive information should include validation that such information should not be exposed to the Internet unless absolutely necessary, and then should be properly secured, even for development or staging instances. Security scans, backed by asset inventory and incorporated into a TIP, can help to quickly identify and fix these issues before they are discovered by an external entity.
Tags: Government, Military, North America, Middle East


Anomali Cyber Watch

Related Content

Get the Anomali Newsletter

The latest Anomali updates and cybersecurity news, delivered straight to your inbox each month.