November 15, 2016 - Anomali Threat Research

Anomali Weekly Threat Briefing - November 14, 2016

<p><b>Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this briefing and provide a glimpse of the threats discussed.</b></p><h1>Trending Threats</h1><p>This section provides summaries of and links to the top threat intelligence stories from the past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.</p><p><a href="http://www.threatgeek.com/2016/11/down-the-h-w0rm-hole-with-houdinis-rat.html" target="_blank"><b>Down the H-W0rm Hole with Houdini's RAT</b></a> (<i>November 9, 2016</i>)<br/> There have been recent reports about a new version of a commodity Remote Access Trojan (RAT) called H-W0rm (Hworm) and the various campaigns in which it is being used. Telemetry collected by Fidelis shows that H-W0rm is one of the most active RATs we've seen, with infections observed across virtually all enterprise verticals and geographies in which Fidelis Cybersecurity products are deployed. In their post, Fidelis details the infrastructure and payloads associated with the H-W0rm RAT.<br/> <b>Recommendation:</b> The Financial Services industry has been one of the most popular targets since the digital ecommerce economy began, and there is no reason to believe that attackers will ever cease. RATs are often detectable from the host-based artifacts they leave behind (persistence entries, dropped scripts and executables) and from the network traffic the attacker needs for command and control and data exfiltration. Both endpoints and the network should be covered by detection and prevention measures. 
In the case of H-W0rm infection, the affected device should be wiped and reformatted, and all devices across the network should be assessed for similar compromise.<br/> <b>Tags:</b> Hworm, RAT</p><p><a href="http://www.bleepingcomputer.com/news/security/heimdall-open-source-php-ransomware-targets-web-servers/" target="_blank"><b>Heimdall Open-Source PHP Ransomware Targets Web Servers</b></a> (<i>November 9, 2016</i>)<br/> A Brazilian developer named Lenon Leite has released proof-of-concept ransomware written in PHP that allows an attacker to encrypt the contents of a web server. The ransomware is named Heimdall and is currently available on GitHub under an MIT license. Its interface lets the attacker enter a password that is used to lock the victim's files with the AES-128-CBC encryption algorithm.<br/> <b>Recommendation:</b> Open-source ransomware projects such as Heimdall are widely considered harmful, as they lower the bar to entry and contribute to the growing popularity of this type of attack. Ransomware can be prevented by Host-based Intrusion Detection Systems (HIDS) and other endpoint security solutions such as antivirus. Users with devices that are not configured for automatic backups are at serious risk of losing intellectual property and personal data. Note that Heimdall runs as a PHP script on the server itself, so an attacker must first gain the ability to upload and execute PHP there; hardening the web application against file upload and code execution flaws, and running the web server process with only the file permissions it actually needs, limits both the chance of deployment and the scope of what can be encrypted. The best defense against ransomware is for all users to maintain secured backups that an infected host cannot overwrite, keep their systems fully patched, and practice good security hygiene when browsing the internet. 
In the case of ransomware infection, the affected system must be wiped and reformatted, other systems on the network should be assessed for similar infection, and the original attack vector must be identified in order to educate the victim and other employees.<br/> <b>Tags:</b> ransomware, Heimdall</p><p><a href="https://securelist.com/blog/research/76558/the-first-cryptor-to-exploit-telegram/" target="_blank"><b>The First Cryptor to exploit Telegram for Command and Control</b></a> (<i>November 8, 2016</i>)<br/> Earlier this month, Kaspersky's global threat research team discovered an interesting piece of encryption malware targeting Russian users. One of its peculiarities is that it uses Telegram Messenger’s communication protocol to send the decryption key to the threat actor. To our knowledge, this is the first cryptor to use the Telegram protocol in an encryption malware case.<br/> <b>Recommendation:</b> Telecrypt is yet another example of the constant game of cat and mouse that criminals and defenders play. Network Intrusion Detection Systems (NIDS) are a crucial component of a secured network, and they are precisely what motivates tactics such as hiding command and control traffic inside popular messenger services such as Telegram, whose traffic is both encrypted and expected on most networks. A useful hunting lead for this kind of abuse is any process other than the messenger client itself making requests to Telegram's API (api.telegram.org). Modern organizations should practice defense in depth: multiple, layered, redundant security controls. Relying upon a single solution is no longer sufficient to be fully protected.<br/> <b>Tags:</b> Telecrypt</p><p><a href="https://blog.malwarebytes.com/cybercrime/exploits/2016/11/exploit-kits-fall-2016-review/" target="_blank"><b>Exploit Kits - Fall 2016 Review</b></a> (<i>November 9, 2016</i>)<br/> There have been interesting developments with exploit kits in the past few months, to say the least, with the disappearance of some and the birth of others. However, one thing we noticed is that the new kits aren’t new per se, but rather variants or VIP versions of their predecessors. 
The hottest exploit kits of fall 2016 are RIG-v EK, RIG EK (standard), RIG-E (Empire Pack), Sundown EK, Bizarro Sundown EK, Magnitude EK, and Neutrino-v EK.<br/> <b>Recommendation:</b> Exploit kits have become one of the most common types of crimeware available to less sophisticated threat actors. The kits, put together by skilled developers, are sold or rented to criminal groups as easily deployable exploitation frameworks. The best protection from exploit kits is employee education combined with keeping browsers, browser plugins such as Flash and Java, and the operating system fully patched at all times; the kits overwhelmingly rely on vulnerabilities that already have fixes available, so removing or disabling plugins that are not required (Flash and Java in particular) cuts off most of their exploit paths. Users should be educated on how to browse the web as safely as possible, and to report any suspicious symptoms observed on their devices to IT/secops immediately. In the case of compromise by RIG, Neutrino, or any other kit, the infected system must be wiped and reformatted.<br/> <b>Tags:</b> RigEK, Magnitude, Sundown, Neutrino, ExploitKit</p><p><a href="http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-ramps-up-spear-phishing-before-zero-days-get-patched/" target="_blank"><b>Pawn Storm Ramps Up Spear-phishing Before Zero-Days Get Patched</b></a> (<i>November 9, 2016</i>)<br/> In late October and early November 2016, Pawn Storm (aka Fancy Bear, APT28, Sofacy, etc.) ramped up its spear-phishing campaigns against various governments and embassies around the world. In these campaigns, Pawn Storm used a previously unknown zero-day in Adobe Flash (CVE-2016-7855, fixed on October 26, 2016 with an emergency update) in combination with a privilege escalation vulnerability in Microsoft Windows (CVE-2016-7255), which was fixed on November 8, 2016.<br/> <b>Recommendation:</b> Attacks such as those used by Pawn Storm are among the most evasive and professional attacks facing the modern organization. 
Attacks that rely on zero-day exploits can still be detected by less conventional methods, such as behavior analysis and heuristic or machine learning based detection systems. All of these attacks begin with spearphishing, which is the best place to focus your energy: employee education can stop them before exploitation is ever attempted. All users should be aware of the threats they face when doing something as simple as checking their email. In the case of compromise, the entire network must be assessed to identify the initial infection, and all affected systems must be fully wiped and reformatted to ensure the network is restored to a safe state. It is notable that Pawn Storm continued to use these exploits after they were patched and were no longer zero-days; the Flash fix had been available for nearly two weeks by the time the Windows fix shipped. Put policies in place to ensure all employees install patches as soon as they are available.<br/> <b>Tags:</b> Sofacy, FancyBear, CVE-2016-7855, CVE-2016-7255, FlashExploit, MS16-135, APT28, SpearPhishing</p><p><a href="https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" target="_blank"><b>PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs</b></a> (<i>November 9, 2016</i>)<br/> Very soon after the US Presidential election, the APT group behind the PowerDuke backdoor launched a series of coordinated and well-planned spear phishing campaigns. Volexity observed five different attack waves with a heavy focus on U.S.-based think tanks and non-governmental organizations (NGOs). These e-mails came from a mix of attacker-created Google Gmail accounts and what appear to be compromised e-mail accounts at Harvard’s Faculty of Arts and Sciences (FAS). The e-mails were sent in large quantities to individuals across many organizations, focusing on national security, defense, international affairs, public policy, and European and Asian studies. 
Two of the attacks purported to be messages forwarded from the Clinton Foundation giving insight into, and perhaps a postmortem analysis of, the election. Two of the other attacks purported to be eFax links or documents claiming that the election’s outcome was being revised or was rigged.<br/> <b>Recommendation:</b> Spearphishing is the most common type of threat facing targeted sectors such as NGOs. Everyone at an NGO is a potential target and should be educated on how to recognize and avoid phishing. Email attachments and links should be treated as untrusted regardless of the sender's apparent credibility; the sending accounts in this campaign were either attacker-created or legitimate accounts that had been compromised. Detection and prevention measures should be in place so that a single user's mistake does not lead to compromise. In the case of PowerDuke compromise, the entire network should be scanned for infection, and an incident response process should begin to identify the initial infection vector and the scope of the compromise. Sophisticated, targeted attacks should be reported to the appropriate law enforcement authorities.<br/> <b>Tags:</b> PowerDuke, APT, Spearphishing</p><p><a href="https://www.anomali.com/blog/hacking-an-election-is-not-a-walk-in-the-park" target="_blank"><b>Hacking an Election is Not a Walk in the Park</b></a> (<i>November 10, 2016</i>)<br/> In this post, Senior Security Researcher Josh Gomez examines the election, voting machines, and the threat landscape surrounding US elections, discussing the attack vectors, the potential for sabotage, and how lessons learned in the infosec industry could help establish a path towards more secure elections in the future.<br/> <b>Recommendation:</b> Electronic voting machines are merely computers, and all computers are potential victims in the modern world. Even those which are air-gapped (not connected to the internet) can be compromised, for example through the removable media used to load ballot definitions and collect results, and the organizations responsible for operating these systems should be accountable for their security. 
All machines should be assessed for security vulnerabilities regardless of how they will be deployed. In the case of a compromised voting machine, the machine should be removed from circulation and its results deemed invalid and recounted.<br/> <b>Tags:</b> Election2016</p><p><a href="https://blog.fortinet.com/2016/11/10/unmasking-the-bonasira-cyperine-author" target="_blank"><b>Unmasking the Bonasira Cyperine Author</b></a> (<i>November 10, 2016</i>)<br/> Following Fortinet's research on Cyperine 2.0 and Next Man History Stealer, the malware author rebranded their info stealer as Medusa. While it has essentially the same features as Cyperine, a valid account is now needed to access the builder. Fortinet's post compares Cyperine and Medusa side by side. Using OSINT investigative techniques, the Fortinet team was able to uncover the identity of the author, hopefully driving her back into the shadows...<br/> <b>Recommendation:</b> Cyperine and other info stealers often leave behind artifacts on the infected system that can be used as indicators of compromise. All systems within your organization should be monitored and protected with preventative measures wherever possible. In the case of Cyperine infection, the affected device must be wiped, any credentials stored or entered on it should be treated as stolen and reset, and an incident response (IR) investigation should take place to identify any other affected systems.<br/> <b>Tags:</b> Cyperine</p><p><a href="http://soc.tdc.dk/blacknurse/blacknurse.pdf" target="_blank"><b>The BlackNurse Attack</b></a> (<i>November 8, 2016</i>)<br/> BlackNurse is a low-bandwidth ICMP-based Denial of Service (DoS) attack that is capable of taking down firewalls, including the widely deployed Cisco ASA, by flooding them with ICMP Type 3 Code 3 (Destination Unreachable, Port Unreachable) packets. In their published report, TDC SOC details the attack as well as mitigation techniques.<br/> <b>Recommendation:</b> BlackNurse and denial of service attacks like it can cause great damage to an organization's operations and negatively impact its reputation. 
Put incident response policies in place before an attack happens. Mitigation techniques vary with the specifics of the attack; in the case of BlackNurse, ICMP Type 3 Code 3 traffic to the firewall's outside interface should be blocked or, at a minimum, rate limited. Be precise about the filter: dropping all ICMP Type 3 messages also drops Code 4 (Fragmentation Needed), which breaks Path MTU Discovery for traffic passing through the firewall.<br/> <b>Tags:</b> DDoS, CiscoASA, ICMP</p><p><a href="http://phishme.com/unscrupulous-locky-threat-actors-impersonate-us-office-personnel-management-deliver-ransomware/" target="_blank"><b>Unscrupulous Locky Threat Actors Impersonate US Office of Personnel Management to Deliver Ransomware</b></a> (<i>November 8, 2016</i>)<br/> A continuing truth about the Locky encryption ransomware is that its operators will take advantage of any avenue they believe will secure them a higher infection rate, while still relying on predictable themes. This time, the threat actors have chosen to impersonate the US Office of Personnel Management in one of their latest attempts to infect people with this ransomware. Locky has set the tone for 2016 with its outstanding success as an encryption ransomware utility. As we approach the end of the year, this ransomware continues to be a fixture on the phishing threat landscape.<br/> <b>Recommendation:</b> The impersonation of government agencies continues to be an effective spearphishing tactic. All users should be informed of the threat phishing poses and how to use email safely. In the case of Locky infection, the affected system should be wiped and reformatted, and if at all possible the ransom should not be paid. 
Implement a backup solution for your users to ease the pain of losing sensitive and important data.<br/> <b>Tags:</b> Locky, Ransomware, OPM, Spearphishing</p><p><a href="http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-11th-2016-noobcrypt-fsociety-gingerbread-and-more/" target="_blank"><b>Ransomware Roundup week of November 7-11</b></a> (<i>November 11, 2016</i>)<br/> This week's ransomware roundup features a new version of Cerber (v4.1.4) being distributed via malspam containing MS Word documents with malicious macros that download and install the ransomware. The Word documents are sent as zipped email attachments in emails with subjects like "RE : Invoice 257224". Also noted is an uptick in fake ransomware (scareware) that does not actually encrypt anything, but instead relies on scaring users into believing they have been infected with real ransomware.<br/> <b>Recommendation:</b> The ransomware landscape continues to evolve and become a bigger problem. The use of endpoint prevention systems can make all the difference between infection and no infection. In the case of any ransomware infection, the victim should avoid paying the ransom, and the infected system should be wiped and reformatted. Before wiping, confirm whether anything was actually encrypted: scareware of the kind noted this week leaves files intact, so check a sample of the affected files rather than assuming they are lost.<br/> <b>Tags:</b> ransomware, Cerber4, NoobCrypt, CLock, CerberTear, JigSaw, FSociety, AiraCrop, iRansom, Heimdall, Telecrypt, Gingerbread</p><p><a href="https://labsblog.f-secure.com/2016/11/10/a-rat-for-the-us-presidential-elections/" target="_blank"><b>A RAT For The US Presidential Elections</b></a> (<i>November 10, 2016</i>)<br/> A day before the controversial United States Presidential election, an email was distributed warning recipients of a possible attack on election day, as mentioned in a manifesto allegedly from the ISIS terrorist group entitled "The Murtadd Vote". The email was supposedly sent by the head of a US-based terrorist monitoring group. 
The message body was a snippet from a USA Today article, and the email carried a ZIP archive called "The Murtadd Vote.zip". The archive contains a copy of jRat, a relatively old Remote Access Trojan (RAT). However, F-Secure researchers discovered that the sample is platform independent, which is a notable improvement over the old jRat.<br/> <b>Recommendation:</b> The use of current events as lures in spearphishing campaigns is yet another aspect of phishing that all users must be aware of. In the case of jRat infection, the affected system must be wiped and reformatted. Incident response should begin with identifying the infection vector, and all other users who received the email should be checked for similar infection; the attachment name and the sender address are useful pivots for searching mail logs.<br/> <b>Tags:</b> jRat, spearphishing</p><p><a href="https://iranthreats.github.io/resources/webrtc-deanonymization/" target="_blank"><b>Fictitious Profiles and WebRTC’s Privacy Leaks Used to Identify Iranian Activists</b></a> (<i>November 11, 2016</i>)<br/> A group of researchers found indications that Iranian actors have used a privacy weakness in a common web protocol (WebRTC) to obtain the real IP addresses of Internet users without their awareness, for investigatory purposes. Combined with the state’s power to force Internet service providers to disclose customer details from stored records, these campaigns can enable the de-anonymization of pseudonymous users. The potential real-world use of these known technical issues to obtain private information about at-risk communities demonstrates the social impact of protocol design, and should provoke broader discussion about protecting users by default.<br/> <b>Recommendation:</b> Anonymity on the web is critically important, especially for those living under repressive regimes. All users of anonymization technology must be aware of the ways in which traffic can be deanonymized, and should never risk their personal safety by assuming they are 100% anonymous. 
Users can educate themselves by studying known attacks on anonymity, and can further protect themselves by layering anonymization tools rather than relying on a single one. For WebRTC specifically, the leak happens because the browser sends its STUN requests directly over UDP, bypassing any HTTP or SOCKS proxy, so the user's real address appears in the ICE candidates the page can read; disabling WebRTC in the browser (or using a browser that disables it by default, as Tor Browser does) closes that path. When installing such technology, always verify the integrity of the installer by checking its checksum or signature against the value published by the project, and keep software as up to date as possible.<br/> <b>Tags:</b> WebRTC, Iran</p><p><a href="http://www.threatgeek.com/2016/11/vawtrak-dga-round-2.html" target="_blank"><b>Vawtrak DGA Round 2</b></a> (<i>November 12, 2016</i>)<br/> Vawtrak has been a very successful banking trojan, delivered both via mass spam campaigns and through exploit kits. The developers appear willing to invest time and resources into protecting their bots and C2 infrastructure, and security teams, researchers and the banking industry should take note. In this post, researchers from Fidelis discuss the new Domain Generation Algorithm (DGA) the actors behind Vawtrak are using.<br/> <b>Recommendation:</b> The best defense against malware like Vawtrak starts with an educated organization that empowers users to use the web safely. Policies should be in place to prevent malicious code from reaching devices, both at the network level and on the devices themselves. Multiple overlapping layers of security (defense in depth) should be practiced in order to prevent attacks at all levels. Because Vawtrak now rotates through algorithmically generated domains, blocking individual C2 domains has a short shelf life; monitoring DNS for bursts of lookups to newly registered or non-resolving domains from a single host is a more durable detection. In the case of Vawtrak infection, the affected system must be wiped and restored, and all information contained on that device should be considered compromised. Passwords should be reset, and all accounts should be monitored for fraud.<br/> <b>Tags:</b> FinancialServices, Vawtrak, Pony, Hancitor, MacroDoc</p><h1>Observed Threats</h1><p>This section includes the top threats observed from the Anomali Community user base as well as from sensors deployed by Anomali Labs.</p><p><a href="https://ui.threatstream.com/tip/7064" target="_blank"><b>Locky Tool Tip</b></a><br/> Locky is ransomware that is widely spread via phishing messages. Locky first appeared in early 2016. 
Locky is strongly correlated with the cyber criminal groups behind the Dridex and Necurs botnets. Multiple waves of Locky samples are distributed daily. The delivery mechanism has evolved over time: spam messages with executable attachments, MS Word document attachments using macros to retrieve and then execute Locky, and Zip files that extract JavaScript loaders that retrieve and then execute Locky. Hosts compromised by Locky display a ransom note with instructions on how to decrypt the encrypted files. Encrypted files are renamed with a .locky or .zepto extension.<br/> <b>Tags:</b> Locky, Ransomware</p><p><a href="https://ui.threatstream.com/tip/7855" target="_blank"><b>Mirai Tool Tip</b></a><br/> Mirai is a self-propagating (wormable) DDoS bot that rose to prominence in 2016. The source code for Mirai was released in October 2016. Mirai includes a "scanner" component that attempts to brute-force logins on open telnet prompts using a list of 61 username/password combinations. The Mirai source code includes comments in Russian and English. Before the release of the source code, Mirai is believed to have been behind the DDoS of Brian Krebs' Akamai-protected website, and partially responsible for the DDoS of Dyn's DNS infrastructure. Since the release of the source code, dozens of Mirai botnets have been created. Because the scanner only ever tries factory-default credentials over telnet, the effective check for any IoT device is simple: confirm that telnet (TCP 23 and 2323, the ports Mirai scans) is not reachable from the internet and that the default password has been changed.<br/> <b>Tags:</b> Mirai, IoT</p>
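<p>The BlackNurse entry above says to block or rate limit ICMP Type 3 Code 3 at the firewall. The Python below is an added example written for this briefing, not code from TDC SOC's report: it parses raw IPv4/ICMP packets, counts only the Type 3 Code 3 messages per source in one-second buckets, and flags any source over a threshold, while leaving Type 3 Code 4 (Fragmentation Needed) alone so Path MTU Discovery keeps working. The packet capture, the addresses (RFC 5737 documentation ranges) and the 1000 pps threshold are all constructed for the demo; the real attack runs at tens of thousands of packets per second.</p>

```python
"""Classify raw IPv4/ICMP packets and flag a BlackNurse-style Type 3 Code 3 flood.

Added example for this briefing; not code from TDC SOC's report. Packets and
addresses are constructed here (RFC 5737 documentation ranges), and the
1000 pps threshold is an assumption chosen for the demo.
"""
import struct
from collections import Counter, defaultdict

ICMP_DEST_UNREACHABLE = 3
CODE_PORT_UNREACHABLE = 3   # what BlackNurse floods with
CODE_FRAG_NEEDED = 4        # carries Path MTU Discovery; must not be dropped

IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def parse_ipv4_icmp(packet: bytes):
    """Return (src_ip, icmp_type, icmp_code) for an IPv4/ICMP packet, else None."""
    if len(packet) < 20:
        return None
    ver_ihl, _tos, _length, _ident, _frag, _ttl, proto, _csum, src, _dst = struct.unpack(
        IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4 or proto != 1:      # not IPv4, or not ICMP (protocol 1)
        return None
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes, honours IP options
    if len(packet) < ihl + 4:
        return None
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    return ".".join(str(b) for b in src), icmp_type, icmp_code


def should_rate_limit(icmp_type: int, icmp_code: int) -> bool:
    """Only the Type 3 Code 3 messages BlackNurse abuses are rate limited.

    Type 3 Code 4 (Fragmentation Needed) is deliberately left alone: dropping it
    silently breaks Path MTU Discovery for everything behind the firewall.
    """
    return icmp_type == ICMP_DEST_UNREACHABLE and icmp_code == CODE_PORT_UNREACHABLE


def detect_blacknurse(packets, threshold_pps: int = 1000) -> dict:
    """packets: iterable of (timestamp_seconds, raw_bytes).

    Returns {source_ip: peak_packets_per_second} for every source whose Type 3
    Code 3 rate reached threshold_pps in at least one one-second bucket.
    """
    per_second = defaultdict(Counter)        # int(ts) -> Counter(src_ip)
    for ts, raw in packets:
        parsed = parse_ipv4_icmp(raw)
        if parsed is None:
            continue
        src, icmp_type, icmp_code = parsed
        if should_rate_limit(icmp_type, icmp_code):
            per_second[int(ts)][src] += 1
    peak = Counter()
    for counts in per_second.values():
        for src, n in counts.items():
            peak[src] = max(peak[src], n)
    return {src: n for src, n in peak.items() if n >= threshold_pps}


def build_icmp_packet(src_ip: str, icmp_type: int, icmp_code: int) -> bytes:
    """Construct a minimal IPv4/ICMP packet for the demo (checksums left as zero)."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes([192, 0, 2, 1])              # constructed firewall address (TEST-NET-1)
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + bytes(8)
    ip = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, src, dst)
    return ip + icmp


def constructed_capture():
    """A made-up one-second window: one flooding host plus normal ICMP chatter."""
    flood = [(10.0 + i / 1500, build_icmp_packet("198.51.100.7", 3, 3)) for i in range(1500)]
    pmtud = [(10.2, build_icmp_packet("203.0.113.9", 3, 4)) for _ in range(5)]
    echo = [(10.5, build_icmp_packet("203.0.113.20", 8, 0)) for _ in range(20)]
    return flood + pmtud + echo


if __name__ == "__main__":
    for src, pps in detect_blacknurse(constructed_capture()).items():
        print(f"BlackNurse candidate: {src} sent {pps} ICMP 3/3 packets in one second")
```

<p>The same selectivity belongs in the firewall rule: on a Linux perimeter, for example, an iptables rule matching "-p icmp --icmp-type 3/3" with the limit match to accept a modest rate, followed by a drop for the identical match, limits the flood without touching Code 4. On the Cisco ASA the equivalent is to restrict ICMP to the outside interface with an icmp access rule, which is the mitigation TDC SOC describes.</p>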
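<p>The WebRTC entry above describes the real-IP leak without showing where the address actually surfaces. As an added example (not code from the researchers' report or from this briefing), the Python below parses ICE candidate lines in the a=candidate format of RFC 5245 and sorts the addresses by what they reveal: host candidates give the machine's own interface addresses, server-reflexive (srflx) candidates give the public address the STUN server saw (the browser sends that STUN request straight over UDP, not through the proxy, which is the leak), and relay candidates belong to the TURN server. The candidate set and addresses are constructed; it goes slightly beyond the page by also recognising the mDNS ".local" host candidates that current browsers use to hide LAN addresses.</p>

```python
"""Show what a WebRTC ICE candidate set reveals about a user's network position.

Added example for this briefing; not code from the researchers' report. The
candidate lines below are constructed SDP in the a=candidate format of RFC 5245
(foundation, component, transport, priority, address, port, typ, optional
raddr/rport); every address is made up.
"""
import ipaddress
import re

CANDIDATE_RE = re.compile(
    r"^(?:a=)?candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<address>\S+) (?P<port>\d+) typ (?P<type>host|srflx|prflx|relay)"
    r"(?: raddr (?P<raddr>\S+) rport (?P<rport>\d+))?"
)


def parse_candidate(line: str):
    """Parse one candidate line into a dict, or return None if it is not a candidate."""
    m = CANDIDATE_RE.match(line.strip())
    return m.groupdict() if m else None


def what_leaks(candidate_lines) -> dict:
    """Classify every address in the candidate set by what it tells an observer.

    - host candidates expose the machine's own interface addresses (LAN IPs behind
      NAT, or the real public IP when there is no NAT);
    - srflx/prflx candidates are the public address a STUN server or peer saw; the
      browser sends that STUN request over UDP directly, not via the HTTP/SOCKS
      proxy, so a proxied user's real address shows up here. raddr on an srflx
      candidate is the local base address it was sent from;
    - relay candidates belong to the TURN server, not the user;
    - '.local' host candidates are mDNS names used by modern browsers to hide LAN
      addresses and reveal nothing by themselves.
    """
    result = {"local_ips": set(), "public_ips": set(), "relay_ips": set(), "mdns_hidden": 0}
    for line in candidate_lines:
        cand = parse_candidate(line)
        if cand is None:
            continue
        addr = cand["address"]
        if addr.endswith(".local"):
            result["mdns_hidden"] += 1
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                          # other hostnames: nothing to classify
        if cand["type"] == "host":
            bucket = "local_ips" if (ip.is_private or ip.is_link_local) else "public_ips"
            result[bucket].add(addr)
        elif cand["type"] in ("srflx", "prflx"):
            result["public_ips"].add(addr)
            raddr = cand["raddr"]
            if raddr and raddr not in ("0.0.0.0", "::"):   # browsers zero it when hiding the base
                result["local_ips"].add(raddr)
        else:                                  # relay
            result["relay_ips"].add(addr)
    return result


# Constructed candidate set: a laptop on a home LAN whose STUN request escaped the proxy.
CONSTRUCTED_SDP = [
    "a=candidate:1 1 udp 2122260223 192.168.1.23 50100 typ host generation 0",
    "a=candidate:2 1 udp 1686052607 203.0.113.45 50100 typ srflx raddr 192.168.1.23 rport 50100",
    "a=candidate:3 1 udp 41885439 198.51.100.200 3478 typ relay raddr 203.0.113.45 rport 50100",
    "a=candidate:4 1 udp 2122260223 7a2c1d0e-3b4f-4f1c-9a12-0123456789ab.local 50101 typ host",
    "a=end-of-candidates",
]

if __name__ == "__main__":
    for key, value in what_leaks(CONSTRUCTED_SDP).items():
        print(key, sorted(value) if isinstance(value, set) else value)
```

<p>A page only needs to create an RTCPeerConnection with a STUN server and read the candidates it gathers to collect exactly these values in JavaScript; the parser above is what that collection amounts to once the candidate strings are in hand, and it is the same data a network observer sees if the signaling channel is in the clear.</p>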
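<p>The Locky tool tip above lists the delivery chains seen this year (executable attachments, Word documents with macros, and zip files carrying JavaScript loaders), and the ransomware roundup notes the "RE : Invoice 257224" zipped lures. The Python below is an added example written for this briefing, not Anomali's or any vendor's detection code: it triages an attachment against those chains, looking inside zip archives, flagging script loaders, executables and "invoice.pdf.js" style double extensions, and checking macro-enabled Office files for an embedded VBA project, plus a helper that recognises the .locky/.zepto renames left on a victim host. The extension lists are this example's own choices and the sample archive is built in memory with inert placeholder contents.</p>

```python
"""Triage an e-mail attachment against the Locky delivery chains listed above.

Added example for this briefing; not Anomali's or any vendor's detection code.
The extension lists are this example's own choices, and the sample archive is
constructed in memory (the loader is an inert placeholder, not real malware).
"""
import io
import os
import zipfile

SCRIPT_LOADER_EXT = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".cmd", ".bat", ".ps1"}
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif"}
OOXML_MACRO_EXT = {".docm", ".xlsm", ".dotm", ".pptm"}      # zip containers; VBA is a member file
LEGACY_DOC_EXT = {".doc", ".xls", ".rtf"}                   # OLE/RTF: can carry macros or exploits
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg", ".png"}  # as in "invoice.pdf.js"
RANSOMED_EXT = {".locky", ".zepto"}


def _ext(name: str) -> str:
    return os.path.splitext(name)[1].lower()


def _has_vba_project(data: bytes) -> bool:
    """OOXML documents are zip files; an embedded VBA project is stored as vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(name.lower().endswith("vbaproject.bin") for name in doc.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> list:
    """Return a list of findings for one attachment; an empty list means nothing matched."""
    findings = []
    name = os.path.basename(filename)
    ext = _ext(name)
    inner_ext = _ext(os.path.splitext(name)[0])            # ".pdf" for "invoice.pdf.js"

    if ext in SCRIPT_LOADER_EXT:
        findings.append(f"{name}: script loader ({ext})")
    if ext in EXECUTABLE_EXT:
        findings.append(f"{name}: executable attachment ({ext})")
    if ext in SCRIPT_LOADER_EXT | EXECUTABLE_EXT and inner_ext in DECOY_EXT:
        findings.append(f"{name}: double extension {inner_ext}{ext}")
    if ext in OOXML_MACRO_EXT and _has_vba_project(data):
        findings.append(f"{name}: Office document with embedded VBA project")
    if ext in LEGACY_DOC_EXT:
        findings.append(f"{name}: legacy Office/RTF format, detonate in a sandbox before delivery")
    if ext == ".zip":                                       # the zipped-loader chain: look inside
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for info in archive.infolist():
                    if not info.is_dir():
                        findings.extend(triage_attachment(info.filename, archive.read(info)))
        except zipfile.BadZipFile:
            findings.append(f"{name}: .zip that is not a valid archive")
    return findings


def is_ransomed_name(path: str) -> bool:
    """True for a file renamed the way Locky leaves victims' files."""
    return _ext(path) in RANSOMED_EXT


def build_constructed_sample() -> bytes:
    """Mimic a 'RE : Invoice 257224' style zip: JS loader plus macro-enabled document."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as d:
        d.writestr("[Content_Types].xml", "<Types/>")
        d.writestr("word/vbaProject.bin", b"constructed placeholder, not a real VBA project")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice_257224.pdf.js", "// constructed placeholder, no downloader logic\n")
        z.writestr("Invoice_257224.docm", docm.getvalue())
        z.writestr("readme.txt", "benign text")
    return outer.getvalue()


if __name__ == "__main__":
    for finding in triage_attachment("RE_Invoice_257224.zip", build_constructed_sample()):
        print(finding)
```

<p>This belongs at the mail gateway, where a script loader or a macro-bearing document inside a zip is reason enough to quarantine the message; legacy .doc files cannot be inspected this way because they are OLE containers rather than zips, which is why the example only flags them for sandboxing. The is_ransomed_name check is the host-side counterpart during incident response, when scoping which files and shares a Locky infection reached.</p>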
