August 31, 2021
Anomali Threat Research

Anomali Cyber Watch: Ransomware Group Activity, Credential Phishing with Trusted Redirects, F5 BIG-IP Bugs, and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> Android, Backdoor, FIN8, iPhone, Phishing, Vulnerabilities,</b> and <b> XSS</b> . The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src=""/><br/> <em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the <a href=";limit=50">"Anomali Cyber Watch"</a> tag.</em></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Widespread Credential Phishing Campaign Abuses Open Redirector Links</a></h3> <p>(published: August 26, 2021)</p> <p>Microsoft has identified a phishing campaign that utilizes trusted domains combined with domain-generating algorithms and CAPTCHA portals that redirect users to malicious websites. These sites will prompt users to “re-enter” their credentials, scraping the login data. Since the initial domains are trusted, standard measures such as mousing over the link will only show the trusted site, and email filters have been allowing the traffic.<br/> <b>Analyst Comment:</b> Because of the nature of these types of phishing attacks, only reset your password going through the official domain website and not through any emailed links. Be sure to check the URL address if going through a link to verify the site if asked to enter any credential information.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] OS Credential Dumping - T1003</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Domain Trust Discovery - T1482</a><br/> <b>Tags:</b> Phishing, Microsoft, North America, Anomali Cyber Watch</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">FIN8 Cybercrime Gang Backdoors US Orgs with New Sardonic Malware</a></h3> <p>(published: August 25, 2021)</p> <p>FIN8, the financially-motivated threat group known for targeting retail, restaurant, and healthcare industries, is using a new malware variant with the end goal of stealing payment card data from POS systems. "Sardonic" is a new C++-based backdoor deployed on targets' systems likely via social engineering or spear-phishing. While the malware is still under development, its functionality includes system enumeration, code execution, persistence and DLL-loading capabilities.<br/> <b>Analyst Comment:</b> Ensure that your organization is using good basic cyber security habits. It is important that organizations and their employees use strong passwords that are not easily-guessable and do not use the default administrative passwords provided because of their typically weak security. Update firewalls and antivirus software to ensure that systems can detect breaches or threats as soon as possible to reduce the severity of consequences. Educate employees on the dangers of phishing emails and teach them how to detect malicious emails. It is also recommended to encrypt any sensitive data at rest and in transit to mitigate damage of potential breaches.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Exploitation for Privilege Escalation - T1068</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Scripting - T1064</a><br/> <b>Tags:</b> Sardonic, FIN8, Backdoor, US, Banking And Finance, Healthcare</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Critical F5 BIG-IP Bugs And Priority Patches</a></h3> <p>(published: August 25, 2021)</p> <p>F5 is releasing patches and updates for more than 30 known vulnerabilities. These affect the following BIG-IP modules: Advanced WAF (Firewall), Application Security Manager (ASM), DNS, and Traffic Management User Interface (TMUI). These vulnerabilities can lead to privilege escalation, remote code execution, denial of service, and XSS attacks.<br/> <b>Analyst Comment:</b> Some threat actors go to great lengths to created sophisticated exploits and malware for targeted attacks. However, sometimes proof-of-concept code for exploits exist on open source locations and quickly incorporated by actors in the timeframe prior to and post patch release. Ensure that your company has a patch policy in place to react quickly to sudden vulnerabilities. If the equipment is unable to be updated, F5 recommends limiting configuration capabilities to trusted users only.<br/> <b>Tags:</b> F5, CVE-2021-23037, CVE-2021-23036, CVE-2021-23028, CVE-2021-23029, CVE-2021-23035, CVE-2021-23034, CVE-2021-23033, CVE-2021-23032, CVE-2021-23031, CVE-2021-23030, CVE-2021-23025, CVE-2021-23026, CVE-2021-23027, North America</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Emerging Threats From Ransomware Groups</a></h3> <p>(published: August 24, 2021)</p> <p>New activity amongst multiple ransomware-as-a-service (RaaS) groups has been observed per Unit42. AvosLocker, Hive, HelloKitty, and LockBit have been running new campaigns and recruiting fresh talent to expand operations. This is due in large part to other ransomware groups taking a backseat to avoid law enforcement engagement while changing tools and techniques.<br/> <b>Analyst Comment:</b> Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. Additionally, it is important to have a comprehensive and tested backup solution in place for the unfortunate case of ransomware infection.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Software Packing - T1045</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Multi-hop Proxy - T1188</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Permission Groups Discovery - T1069</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a><br/> <b>Tags:</b> AvosLocker, Hive, HelloKitty, LockBit, Ransomware, EU &amp; UK, North America, Russia, Middle East, Banking And Finance, Healthcare</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">WhatsApp Mod Found With Triada Trojan</a></h3> <p>(published: August 24, 2021)</p> <p>A modified version of WhatsApp (FMWhatsApp 16.80.0) has been bundled with the Triada trojan. The malware gathers unique device identifiers, Subscriber IDs, MAC addresses, and the name of the app package where they're deployed. The information they collect is sent to a remote server to register the device, and the SMS service is used to sign the victim up for premium subscriptions.<br/> <b>Analyst Comment:</b> Mobile applications should only be downloaded from official locations such as the Google Play Store and the Apple App Store. Websites and documents that request additional software is needed in order to access, or properly view content should be properly avoided. Additionally, mobile security applications provided from trusted vendors are recommended.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over C2 Channel - T1041</a><br/> <b>Tags:</b> Triada, WhatsApp, Android</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">New Zero-Click iPhone Exploit Used to Deploy NSO Spyware</a></h3> <p>(published: August 24, 2021)</p> <p>Researchers have discovered that Pegasus spyware has been deployed to the phones of Bahraini activists. This was linked with high confidence to the government of Bahrain by Citizen Lab. The spyware was deployed on their devices after being compromised using two zero-click iMessage exploits: the 2020 KISMET exploit and a new never-before-seen exploit dubbed FORCEDENTRY. These exploits bypass the iOS BlastDoor security feature and will run on iOS 14.4 and 14.6.<br/> <b>Analyst Comment:</b> Threat actors and governments can and do make use of exploit kits, malware, and other methods to target specific individuals. These methods eventually make their way to more commercial uses. Keep your devices up to date with the latest patches from software and hardware manufacturers.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Exploitation of Remote Services - T1210</a><br/> <b>Tags:</b> Pegasus, iMessage, FORCEDENTRY, NSO Group, Middle East, Government</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Realtek-based Routers, Smart Devices Are Being Targeted By Mirai</a></h3> <p>(published: August 24, 2021)</p> <p>Mirai, a malware family used to create botnets, is utilizing new avenues to infect routers and IoT devices, which can then be used to launch huge Distributed Denial of Service (DDoS) attacks. The Realtek RTL819xD chipset is the hardware currently being exploited, with at least 65 vendors affected. The vulnerabilities, which deal with buffer overflows, allow Mirai to escalate privileges and execute arbitrary code.<br/> <b>Analyst Comment:</b> This story depicts the importance of policies regarding the importance of applying security patches to network devices when they become available. Users and administrators should reboot the routers and install the necessary updates as soon as possible.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Exploitation for Privilege Escalation - T1068</a><br/> <b>Tags:</b> Mirai, CVE-2021-20090, CVE-2021-35395</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Phishing Campaign Uses XSS Vuln to Distribute Malware</a></h3> <p>(published: August 23, 2021)</p> <p>Using a cross-site scripting (XSS) vulnerability in to modify the site's regular page to look like a legitimate download page, a malicious Word document was sent to customers claiming a package had an “exception” and needed to physically be picked up. This tactic will likely cause the victims to open the Invoice with less suspicion, thinking it is a real file from UPS. As of this writing, the malicious domain is no longer active.<br/> <b>Analyst Comment:</b> Messages that attempt to redirect a user to link should be viewed with scrutiny, especially when they come from individuals with whom you do not typically communicate. Education is the best defense. Learn about the dangers of phishing, specifically, how they can take place in different forms of online communications, and whom to contact if a phishing attempt is identified.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a><br/> <b>Tags:</b> XSS, Phishing</p> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.