
Anomali Weekly Threat Intelligence Briefing - April 4, 2017

Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Threats

This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.

Tech Support Scams Persist with Increasingly Crafty Techniques (April 3, 2017)
Microsoft researchers report that the U.S. was the most targeted country for technical support scams in 2016. The researchers also note that their data indicates that three million Microsoft customers are targeted with these types of attacks every month. Users are primarily targeted with these attacks while visiting websites that offer various forms of software and copies of popular applications. Actors then use a variety of techniques in attempts to trick users into following directions that are claimed to be needed to fix broken parts of a machine, but that actually download malware.
Recommendation: Technical support scams are common threats facing individuals and companies alike. Any image that appears and requests that a phone number be called in order to receive assistance in repairing a machine is likely fake. Oftentimes there are research blogs that provide instructions to remove malware related to these types of scams from an infected machine. Policies should also be in place to educate your employees on the proper steps to avoid these scams, and whom to inform if such an instance occurs.
Tags: Tech support scam

Skype Malvertising Campaign Pushes Fake Flash Player (March 31, 2017)
Researchers discovered that a new malicious advertising (malvertising) campaign was being distributed to Skype users for at least one day. This campaign was discovered after Twitter and Reddit users posted complaints discussing how Skype was trying to force them to download a new Adobe Flash Player update. Domains have been identified that were registered by the same email address used to push fake Flash updates to Skype users, which may indicate that they too will be used for malicious advertising.
Recommendation: Malvertising campaigns are constantly being developed and improved by cybercriminals, so keeping software updated with the latest security patches is critical for users and enterprises. This includes both the operating system and all applications being used. Make sure there is a security system in place that can proactively provide a comprehensive defense against attackers targeting new vulnerabilities.
Tags: Malvertising, Flash Player

Raging Sysadmin Shuts Down Company Servers, Deletes System Files (March 31, 2017)
Joe Vito Venzor, a former system administrator for the boot-making company Lucchese Bootmaker, is facing significant prison time and a large fine after actions he took after being fired. On September 1, 2016, Venzor was terminated from his position, and later that day he used a hidden account to shut down the company's email and application servers. Authorities discovered that the account Venzor used to access Lucchese's network after his termination had been previously accessed from his work computer.
Recommendation: Your company should ensure that employee account privileges only allow what is necessary for an employee's daily activities. This story also serves as a reminder that accounts and all points of access a former employee had should be blocked/deleted as soon as possible, especially after a termination.
Tags: Disgruntled, Employee

Compromised Websites Using Terror Exploit Kit to Exploit Silverlight Vulnerability (March 30, 2017)
A new malware campaign has been identified using the Terror Exploit Kit (EK) (also called Blaze EK and possibly Neptune EK) to download malware. Actors behind the campaign are compromising websites and then using the Terror EK Silverlight exploit to attempt to download additional malware.
Recommendation: The Exploit Kit landscape is evolving more quickly than ever before, in turn causing increased pain to network defenders. Always practice defense in depth - deploy redundant, layered, and failsafe security controls at every level of your network in order to detect early, and prevent attackers before they get deep into your network.
Tags: Exploit Kit

IIS 6.0 Vulnerability Leads to Code Execution (March 29, 2017)
Microsoft Internet Information Services (IIS) 6.0 has been discovered to contain a buffer overflow vulnerability registered as "CVE-2017-7269." The vulnerability is caused by an incorrect validation of an "IF" header in a PROPFIND request. Researchers discovered this vulnerability being actively exploited in the wild in July and August of 2016, and it was publicly disclosed on March 27.
Recommendation: Zero day based attacks can sometimes be detected by less conventional methods, such as behavior analysis, and heuristic and machine learning based detection systems. Threat actors are often observed to use vulnerabilities even after they have been patched by the affected company. Therefore it is crucial that policies are in place to ensure that all employees install patches as soon as they are made available.
Tags: Vulnerability

"Seamless" Campaign Delivers Ramnit via Rig Exploit Kit (March 29, 2017)
A new malware campaign has been identified infecting users in the wild with the Ramnit banking trojan distributed via the Rig exploit kit, according to Cisco researchers. The campaign is dubbed "Seamless" because of the now deprecated seamless iframe attribute. The actors behind this campaign are compromising websites in order to inject a malicious iframe that will attempt to deliver malware to unsuspecting visitors.
Recommendation: Exploit kits have become one of the most common types of crimeware currently available to the less than sophisticated threat actor. The kits, put together by skilled actors, are then sold to criminal groups as easily deployable exploitation frameworks. The best protection from exploit kits is through employee education in combination with keeping web browsing software (including extensions such as Flash and Java) up to date at all times, as well as operating system software. Users should be educated on how to browse the web as safely as possible, and to report any suspicious symptoms observed on their devices to IT/secops immediately. In the case of a compromise by Rig, the infected system must be wiped and reformatted.
Tags: Exploit kit, Trojan
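
For site owners checking their own pages for the kind of injected iframe described above, the following is an added example (not part of the original briefing or the Cisco research) that audits HTML for iframes carrying the seamless attribute or loading from a host outside an allowlist. The site name, allowlist, and sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: two legitimate frames plus one injected frame.
SAMPLE_PAGE = """<html><body>
<h1>Shop</h1>
<iframe src="/widgets/cart.html"></iframe>
<iframe src="https://video.example.com/embed/1" width="560"></iframe>
<iframe seamless src="http://gate.example.net/signup.php"></iframe>
</body></html>"""


class IframeAuditor(HTMLParser):
    """Records every <iframe> that is seamless or loads from an unlisted host."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.site_host = site_host.lower()
        self.allowed = {h.lower() for h in allowed_hosts} | {self.site_host}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; valueless attributes
        # such as a bare `seamless` arrive with the value None.
        if tag != "iframe":
            return
        attr = {name: (value or "") for name, value in attrs}
        src = attr.get("src", "").strip()
        reasons = []
        if "seamless" in attr:
            reasons.append("seamless attribute")
        # Relative URLs have no hostname and therefore stay on the audited site.
        host = (urlparse(src).hostname or self.site_host).lower()
        if host not in self.allowed:
            reasons.append("off-site src: " + host)
        if reasons:
            line, _column = self.getpos()
            self.findings.append({"line": line, "src": src, "reasons": reasons})


def audit_html(html, site_host, allowed_hosts=()):
    """Return one finding per suspicious iframe in the given HTML text."""
    auditor = IframeAuditor(site_host, allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for finding in audit_html(SAMPLE_PAGE, "shop.example.com", ["video.example.com"]):
        print(finding)
```

Run it against templates and rendered pages after any CMS or plugin change; a finding means the frame should be traced to a known, intended embed before the page stays live.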

New Mirai Variant Launches 54 Hour DDoS Attack Against U.S. College (March 29, 2017)
Imperva researchers have discovered a new Mirai malware variant that was used in a Distributed Denial-of-Service (DDoS) attack against one of their customers on February 28. The DDoS attack targeted an unnamed U.S. college for approximately 54 hours straight and peaked at approximately 37,000 Requests per Second (RPS). Overall the attack generated more than 2.8 billion requests from compromised devices such as CCTV cameras, DVRs, and routers from IP addresses around the globe.
Recommendation: Denial-of-service attacks can potentially cost your company revenue because severe attacks can shut down online services for extended periods of time. With the leak of the Mirai botnet source code in October, the ability of threat actors to compromise vulnerable devices and purchase DDoS-for-hire services is a continually evolving threat. Mitigation techniques can vary depending on the specifics of the attack.
Tags: DDoS, Malware

The NukeBot Trojan, a Bruised Ego and a Surprising Source Code Leak (March 28, 2017)
The creator of the Nuclear Bot (NukeBot) banking trojan (also known as TinyNuke) has decided to release the source code for his malware on a GitHub repository. IBM researchers discovered that the actor behind NukeBot, called "Gosya," was having difficulties selling his malware because he did not follow the proper procedures of having the malware vetted by the underground community. Instead, Gosya immediately began advertising NukeBot, which caused other members to distrust him. Researchers contend that the open availability of the trojan will spawn more variants, similar to what occurred with the leaked Zeus trojan in 2011.
Recommendation: Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (don't rely on single security mechanisms - security measures should be layered, redundant, and failsafe).
Tags: Trojan

Cerber Starts Evading Machine Learning (March 28, 2017)
A new variant of the Cerber ransomware has been discovered that is using a loader which was created to avoid detection by machine learning methods, according to Trend Micro researchers. The current variant is being distributed via phishing emails masquerading as legitimate services that contain a link to a self-extracting archive. The archive contains a Visual Basic script, a DLL, and a binary file that appears to be a configuration file. The binary file contains an encrypted loader that will check the affected machine for the presence of a variety of analysis tools and antivirus vendors. If any of these tools or vendors are identified, the malware will stop running.
Recommendation: Always run antivirus and endpoint protection software to assist in preventing ransomware infection. Maintain secure backups of all your important files to avoid the need to even consider payment for the decryption key. Emails received from unknown sources should be carefully avoided, and attachments and links should not be followed or opened. Your company should sustain policies to consistently check for new system security patches. In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.
Tags: Ransomware

Dimnie: Hiding in Plain Sight (March 28, 2017)
A new phishing campaign is targeting GitHub repository users, according to Unit 42 researchers. The message claims that the sender has "saw you GitHub repo and I'm pretty amazed. The point is that i have an open position in my company and looks like you are a good fit." The phishing emails contain malicious .doc file attachments. The malicious attachment requires macros in order to use the PowerShell downloader that will drop the malicious binary payload typically called "Dimnie." The malware disguises its traffic to imitate normal activity to assist in avoiding detection, and is capable of stealing information from an affected machine.
Recommendation: Education is the best defense against phishing attacks. Poor grammar, urgent subject lines, and various forms of offers are often signs of phishing attempts. Employees should be aware of whom to contact when they suspect they are the target of a possible spear phishing attack.
Tags: Phishing, Malware

Apple iCloud Hack Threat Gets Worse: Here's What We’ve Learned (March 28, 2017)
Researchers have gathered more evidence that the group blackmailing Apple for Bitcoin and gift cards may actually have access to some iCloud accounts. The London-based group called the "Turkish Crime Family" appears to have acquired this access by gathering passwords from other breaches, such as LinkedIn, according to ZDNet researchers. While the number of breached accounts is still unknown, the number of accounts does appear to be increasing.
Recommendation: It is important that your company and employees use different passwords for the different accounts that are being used. As this story portrays, previous breaches can allow actors to gain access to other accounts because users frequently use the same username and password combinations for multiple accounts. Furthermore, policies should be in place that require your employees to change their passwords on a frequent basis.
Tags: iCloud

New Clues Surface on Shamoon 2’s Destructive Behavior (March 27, 2017)
Researchers have discovered new information about the Shamoon 2 campaign regarding the distribution of the Disttrack malware. Actors behind Shamoon 2 pivot within the target network by searching for hostnames and IP addresses, then, with stolen user credentials, gain access to the machines. The actors then use batch scripts and various legitimate tools to install Disttrack malware.
Recommendation: In order to secure your infrastructure, first you must be aware of what your assets are, which are publicly facing, and which are the most important to protect. To protect against these attacks, deploy host- and network-based intrusion detection systems (IDS) throughout your entire network. Integrate these systems using a SIEM or other security manager. In the case of a compromised system, it must be wiped and restored before being reintroduced to your environment.
Tags: Shamoon

PyCL Ransomware Delivered via RIG EK in Distribution Test (March 28, 2017)
A new ransomware called "PyCL" has been identified as having been distributed for just one day, according to researchers. This ransomware was being distributed via the EITest exploit kit campaign which was redirecting visitors to compromised websites using the Rig exploit kit. Researchers contend that this Python-based ransomware may be in the beginning stages of a Ransomware as a Service (RaaS). The actors behind the ransomware were demanding $239.20 (0.25 Bitcoins) for the decryption key.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. If a reproducible backup is not available, there may be a decryptor available that can assist in retrieving encrypted files. Additionally, educate your employees about the dangers of downloading applications when they are not offered from the website of the official provider/developer.
Tags: Ransomware

LastPass Scrambles to Fix Another Major Flaw – Once Again Spotted by Google's Bugfinders (March 27, 2017)
Google researcher Tavis Ormandy has discovered another vulnerability in the password management application LastPass. LastPass has confirmed that the code execution vulnerability does exist, and that it is highly sophisticated and unlikely to be used in attacks in the wild.
Recommendation: Web browser extensions are useful applications in everyday activities; however, they should be used with caution, and updates should always be applied as soon as they are offered. This story serves as a reminder that it may be best for your company to turn off extensions until all of the flaws have been addressed. Additionally, policies should be in place regarding the proper use and download of extensions that have been vetted by the appropriate personnel.
Tags: Vulnerability, Browser extensions

Researcher Says API Flaw Exposed Symantec Certificate Including Private Keys (March 27, 2017)
Security researcher Chris Byrne disclosed a vulnerability in Symantec's customer-facing API. The flaw was discovered approximately two years ago, but it is only being discussed now because Symantec reported that the vulnerability would take two years to fix. The flaw in the API could allow unauthenticated access to another customer's certificate details by manipulating one of the parameters in the email links. An actor could have conducted automated attacks to scrape information from Symantec customers.
Recommendation: Your company should have policies in place that ensure that all software in use is always running the most current version. This story serves as a reminder of the importance of constantly being aware of new product versions as soon as they become available.
Tags: Vulnerability

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

Cerber Ransomware Tool Tip
Cerber is ransomware that surfaced in January of 2016. Cerber is sold on hacking forums and criminal bulletin board systems. Cerber has been in constant development, with version 4 being released around October of 2016. Cerber has been distributed through phishing lures, exploit kits and malvertising.
Tags: cerber, ransomware

About the Author

Anomali Labs
