November 16, 2021
Anomali Threat Research

Anomali Cyber Watch: REvil Affiliates Arrested, Electronics Retail Giant Hit By Ransomware, Robinhood Breach, Zero Day In Palo Alto Security Appliance and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> APT, Data breach, Data leak, Malspam, Phishing, </b> and <b> Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src=""/><br/> <em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</em></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer</a></h3> <p>(published: November 8, 2021)</p> <p>US Cybersecurity and Infrastructure Security Agency (CISA) has released an alert about advanced persistent threat (APT) actors exploiting vulnerability in self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus. PaloAlto, Microsoft &amp; Lumen Technologies did a joint effort to track, analyse and mitigate this threat. The attack deployed a webshell and created a registry key for persistence. The actor leveraged leased infrastructure in the US to scan hundreds of organizations and compromised at least nine global organizations across technology, defense, healthcare and education industries.<br/> <b>Analyst Comment:</b> This actor has used some unique techniques in these attacks including: a blockchain based legitimate remote control application, and credential stealing tool which hooks specific functions from the LSASS process. It’s important to make sure your EDR solution is configured to and supports detecting such advanced techniques in order to detect such attacks.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] OS Credential Dumping - T1003</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Valid Accounts - T1078</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Application Layer Protocol - T1071</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Credentials in Files - T1081</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Brute Force - T1110</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Data Staged - T1074</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] External Remote Services - T1133</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Hooking - T1179</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Registry Run Keys / Startup Folder - T1060</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Pass the Hash - T1075</a><br/> <b>Tags:</b> Threat Group 3390, APT27, TG-3390, Emissary Panda, WildFire, NGLite backdoor, Cobalt Strike, Godzilla, PwDump, beacon, ChinaChopper, CVE-2021-40539, Healthcare, Military, North America, China</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">REvil Affiliates Arrested; DOJ Seizes $6.1M in Ransom</a></h3> <p>(published: November 9, 2021)</p> <p>A 22 year old Ukranian national named Yaroslav Vasinskyi, has been charged with conducting ransomware attacks by the U.S Department of Justice (DOJ). These attacks include the ransomware incident affecting the IT management software company called Kaseya attributed to REvil group . The DOJ has seized $6.1 million worth of ransom payments from Vasinskyi. This arrest is part of a global crackdown of REvil affiliates called Operation GoldDust which involves 17 countries, as well as the law enforcement agencies Europol, Eurojust and Interpol. Three decryption tools were also released through the No More Ransom project which saved more than 49,000 systems and more than $69.5 million (USD) (€60 million euros) in unpaid ransom as of this writing.<br/> <b>Analyst Comment:</b> Many ransomware groups have had some setbacks because of increased joint efforts by law enforcement agencies and security companies to both arrest involved personale and simultaneously take down the infrastructure. Nevertheless, many countries like Russia provide safe havens for attackers to operate from, and oftentimes the law enforcement agencies behind these efforts may slow down attackers but it’s not going to stop them completely.<br/> <b>Tags:</b> DarkSide, GoldDust, REvil, REvil/Sodinokibi, James, Sodinokibi, GandCrab, Government, Europe, North America, Russia</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Threat Analysis Report: From Shatak Emails to the Conti Ransomware</a></h3> <p>(published: November 9, 2021)</p> <p>Cybereason’s Global Security Operations Center (GSOC) has released a report regarding recent attacks attributed to the “ITG23” threat group (TrickBot Gang, Wizard Spider). The group is partnering with the TA551 (Shatak) threat group to distribute TrickBot and BazarBackdoor malware that are then used to deploy the Conti ransomware on compromised systems. The Shatak threat group distributes the malware as password-protected archive files attached to phishing emails. The archive files contain malicious documents whose macros download and execute TrickBot or Bazar Backdoor malware. The report found that Conti actors do not deploy ransomware immediately after initial infection, but first conduct other activities such as reconnaissance, credential theft, credential exfiltration, and data exfiltration.<br/> <b>Analyst Comment:</b> Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of ransomware infection.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] OS Credential Dumping - T1003</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Rundll32 - T1085</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Data Encrypted - T1022</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Disabling Security Tools - T1089</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Command and Scripting Interpreter - T1059</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Regsvr32 - T1117</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Modify Registry - T1112</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Network Service Scanning - T1046</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Domain Trust Discovery - T1482</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Account Discovery - T1087</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over Alternative Protocol - T1048</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Remote System Discovery - T1018</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over C2 Channel - T1041</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Scheduled Task - T1053</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Supply Chain Compromise - T1195</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Mshta - T1170</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Remote Desktop Protocol - T1076</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Credentials in Files - T1081</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Windows Management Instrumentation - T1047</a><br/> <b>Tags:</b> ITG23, Wizard Spider, IcedID, Cobalt Strike, Valak, Cobalt Strike beacon, Conti Ransomware, nltest, BazarBackdoor, BazarLoader, Ryuk ransomware, TrickBot, Healthcare, Military Europe, North America</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Cobalt Strike Vulnerability Affects Botnet Servers</a></h3> <p>(published: November 8, 2021)</p> <p>Researchers at SentinelOne have discovered a vulnerability in Cobalt Strike, a security tool used by penetration testers to simulate network attacks, but also used by threat actors to automate their own attacks. The vulnerability, registered as “CVE-2018-06464,” affects botnet servers that are used to send commands to infected computers and receive the data they exfiltrate. Researchers found that the vulnerability can be exploited by a threat actor by creating a machine that has been configured to use specific customizations to maintain persistent contact with the machine running the “Cobalt Strike” Team Server. The server responds to the client with a “reply” that will cause the server to crash if the server is not disabled.<br/> <b>Analyst Comment:</b> This is an ironic instance, where malicious actors are using vulnerable software as patch is only available for licensed users and researchers are in position to use this vulnerability to knock down Cobalt Strike C2 servers.<br/> <b>Tags:</b> Cobalt Strike Beacon, Vulnerability, Botnet</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Electronics retail giant MediaMarkt hit by ransomware attack</a></h3> <p>(published: November 8, 2021)</p> <p>Europe's largest consumer electronics retailer MediaMarkt is hit by Hive Ransomware attack causing IT systems to shut down and disruption of store operations. Hive ransomware gangs are known to seek out and delete any backups to make recovery difficult and they also threaten to make data public on ‘HiveLeaks’ site. Impacted stores are unable to process card payments &amp; customers unable to lookup previous purchases. Initial ransom demand from attackers is an unrealistic amount of $240 million to provide decryptor. MediaMarkt has put up a public statement confirming an attack but exact mechanisms used by the attackers are still unknown.<br/> <b>Analyst Comment:</b> Such attacks when the holiday season is just around the corner could have a huge business impact for retailers which enables the attackers to extort more money.<br/> <b>Tags:</b> Hive Ransomware, Europe</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Robinhood breach leaks information of 7 million people</a></h3> <p>(published: November 8, 2021)</p> <p>Robinhood, a popular financial services company, has suffered a data breach according to a statement released by the company. The company stated that an "unauthorized third party" was able to obtain personal information of approximately seven million customers, including email addresses, names, dates of birth, and zip codes. Robinhood stated that no Social Security numbers, bank account numbers, or debit card numbers were exposed in the breach. However, approximately 310 customers had additional personal information, including name, date of birth and zip code, that was exposed, with a subset of approximately ten customers having more extensive account details revealed.<br/> <b>Analyst Comment:</b> Data breaches in stock applications like Robinhood are damaging because the platform holds a lot of sensitive financial information and such attacks can have financial implications for a lot of people using this platform.<br/> <b>Tags:</b> Banking And Finance, Breach</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">These cybersecurity vulnerabilities could leave millions of connected medical devices open to attack</a></h3> <p>(published: November 9, 2021)</p> <p>Researchers at Forescout and Medigate have identified 13 vulnerabilities dubbed “Nucleus:13” in the Nucleus Net TCP/IP stacks, used in connected devices used in hospital networks, as well as Internet of Things devices that control systems and equipment throughout facilities, such as lighting and ventilation systems. The vulnerabilities could allow for remote code execution, denial-of-service attacks and even leak data, although researchers cannot say for certain if the vulnerabilities have been actively exploited by cyber criminals. Nucleus:13 is the final part of Forescout's Project Memoria, which has worked to uncover and help to patch security vulnerabilities in TCP/IP stack<br/> <b>Analyst Comment:</b> Forescout with their Project Memoria in the past 2 years has identified 97 critical vulnerabilities in network stacks running on millions of devices and played a key role in making TCP/IP stack more secure.<br/> <b>Tags:</b> CVE-2021-31887, CVE-2021-31886, CVE-2021-31888, Healthcare, IoT</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Clop gang exploiting SolarWinds Serv-U flaw in ransomware attacks</a></h3> <p>(published: November 9, 2021)</p> <p>The Clop ransomware gang, also known as TA505 and FIN11, is exploiting a SolarWinds Serv-U vulnerability to breach corporate networks and ultimately encrypt its devices. The vulnerability, “CVE-2021-35211” allows a remote threat actor to execute commands on a vulnerable server with elevated privileges. This facilitates ransomware attack with malware deployment, network reconnaissance, and lateral movement. Researchers have warned that despite SolarWinds providing security updates around 4 months ago, still around 60% of servers are vulnerable.<br/> <b>Analyst Comment:</b> As soon as critical vulnerability is publicly known, adversaries start scanning the internet to look out for vulnerable public facing servers/applications. Important thing is to apply the patch as early as possible. In meantime put security measures in place to minimise the risk and also set up monitoring rules to identify potential exploit attempts.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Modify Registry - T1112</a><br/> <b>Tags:</b> FIN11, FlawedGrace, Cobalt Strike beacon, Clop, CVE-2021-35211, North America, China</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">PhoneSpy: The App-Based Cyberattack Snooping South Korean Citizens</a></h3> <p>(published: November 10, 2021)</p> <p>Researchers from Zimperium zLabs have discovered a new Android spyware called "PhoneSpy" that is similar to the NSO Group’s "Pegasus" spyware. The spyware disguises itself as a legitimate application and gives attackers complete access to data stored on a mobile device and grants full control over the targeted device, according to a report published by the company. PhoneSpy features include stealing data, eavesdropping on messages and viewing images stored on the phone. Researchers said attackers can also gain full remote control of Android phones. The malware first requests permissions and opens a phishing page that imitates the login page of the popular South Korean messaging app "Kakao Talk" to steal credentials.<br/> <b>Analyst Comment:</b> This particular malicious app wasn’t uploaded to Google Play Store, but rather delivered via other means and tricked users to install an untrusted APK. You should always download &amp; install applications from trusted stores &amp; only provide permission for which you intended to use the app for. If an app asks for a lot of mandatory permissions then it’s highly likely to be malware.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a><br/> <b>Tags:</b> NSO Group, RAT, Pegasus spyware, PhoneSpy, Android, South Korea</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Massive Zero Day Hole Found in Palo Alto Security Appliances</a></h3> <p>(published: November 10, 2021)</p> <p>Researchers at Randori identified a critical Remote Code Execution (RCE) vulnerability “CVE-2021-3064” in Palo Alto Networks Firewall where more than 10,000 vulnerable firewalls are exposed on the internet as susceptible to takeover. This vulnerability affects both physical and virtual versions of firewalls and affects multiple versions of PAN-OS 8.1 prior to 8.17. According to researchers, if an attacker successfully exploits the vulnerability, they can gain a shell on the targeted system, access sensitive configuration data, extract credentials and more. As a temporary mitigation, it’s recommended to disable the GlobalProtect VPN portion of the firewall if not used and monitor logs from the Firewall.<br/> <b>Analyst Comment:</b> Since VPN server has to be a public internet component, as soon as exploit code is available there sure are going to be mass exploit attempts by threat actors to leverage this RCE vulnerability. It’s recommended to install the patch as soon as possible.<br/> <b>Tags:</b> CVE-2021-3064, Palo Alto Firewall, RCE</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Lazarus hackers target researchers with trojanized IDA Pro</a></h3> <p>(published: November 10, 2021)</p> <p>The Advanced Persistent Threat (APT) group "Lazarus," also known as Zinc by Microsoft, has been observed to be targeting security researchers with a trojanized pirated version of the popular IDA Pro reverse engineering application, according to ESET researchers. The IDA installer has been modified to include two malicious DLLs named idahelp.dll and win_fw.dll that will be executed when the program is installed. Security researchers commonly use IDA to analyze legitimate software for vulnerabilities and malware to determine what malicious behavior it performs, but since its expensive tool, some researchers download a pirated cracked version instead of purchasing it.<br/> <b>Analyst Comment:</b> Since most researcher laptops don’t have any security monitoring tools enabled, it is highly likely that this infection would stay under the radar for longer. It's recommended not to use pirated tools &amp; properly segregate your analysis machine from your home or office network even if you are not performing dynamic analysis of malicious samples.<br/> <b>Tags:</b> Lazarus, Zinc, NukeSped, IDA Pro</p> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.