This section provide summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.
Let It Ride: The Sofacy Group‚Äôs DealersChoice Attacks Continue (December 15, 2016)
Recently, Palo Alto Networks Unit 42 uncovered and published about the DealersChoice exploitation platform. In their blog post, they analyze the latest malware being used by the Sofacy actors. Unit 42 has been able to collect additional samples of the weaponized documents that the DealersChoice exploitation platform generates. Two of these samples were found to have operational command and control servers which allowed us to collect and analyze additional artifacts associated with the attack.
Recommendation: The DealersChoice platform continues to be a very advanced threat facing the modern organiaztion. 0days, and similarly exclusive attacks are the most challenging to detect. Practice defense in depth - use multiple overlapping security controls that don't rely on a single point of failure to assure your security. Put policies in place so you have an action plan in the event of a compromise, educate your users, and force them to keep their software up to date with the latest security patches.
Tags: Unit42, DealersChoice, FancyBear, Sofacy
Mirai and IoT: Understanding DDoS Impact Means Accurately Analyzing the Past (December 15, 2016)
Flashpoint Intel released a high level analysis of the DDoS landscape and a post mortem of the Mirai botnet as they encountered it. Mirai has been making headlines over the past couple of months, but this family of malware is a very new part in the larger history of the abuse of vulnerable Internet of Things (IoT) devices. When the record-breaking DDoS attacks happened against Brian Krebs and OVH in September 2016, this was seen as a major moment, but the factors that made this possible had been quietly building up for years before this.
Recommendation: The mirai botnet continues to evolve in new ways, and the source code leak will continue to be a pain point for anyone with IoT devices on their networks. Network security monitoring is a prudent step to take to detect malicious traffic on your network. Ensure that your network detection / prevention systems have your entire network covered, not just the primary ingress / egress points.
Tags: Mirai, DDoS, botnet, IoT
Home Routers Under Attack via Malvertising Attack on Windows and Android (December 13, 2016)
Despite a decrease in popularity, Exploit Kits (EK's), are still vital components of malvertising operations, exposing large numbers of users to malware via malicious ads. Since the end of October, Proofpoint researchers observed an improved version of the ‚ÄúDNSChanger EK‚Äù used in ongoing malvertising campaigns. DNSChanger attacks internet routers via potential victims‚Äô web browsers; the EK does not rely on browser or device vulnerabilities but rather vulnerabilities in the victims' home or small office (SOHO) routers. Most often, DNSChanger works through the Chrome browser on Windows desktops and Android devices. However, once routers are compromised, all users connecting to the router, regardless of their operating system or browser, are vulnerable to attack and further malvertising.
Recommendation: Much like the Mirai botnet, this attack takes advantage of internet connected devices which have been lazily configured, leaving the door wide open to the world. Any device that connects to the internet must be treated as a security liability, and default usernames / passwords must be disabled. Organizations and defenders should be aware of all their internet facing assets and have them under strict monitoring.
Tags: exploit-kit, malvertising
Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware (December 16, 2016)
Macro malware attacks have been around for a long time, mainly because they are very effective at social engineering schemes. Over time, they have become more aggressive and creative in evading detections for themselves and their payloads, and this current example is another advance developmentthat we will surely start to see in other variants. It was not long ago when security researchers presented a POC of this UAC bypass. Sharing this kind of information to the public always has its pros and cons. For the security community, it can serve as a good heads-up to plan and mitigate its bad effects. However, as the good guys become aware of it, there‚Äôs a good chance that the bad guys are aware of it too. In their latest, Fortinet researchers provide in depth analysis of a new malware sample found in the wild with a novel User Access Control (UAC) bypass.
Recommendation: Fortinet provides the following recommendations to prevent such attacks: disable execution of Macros, change the default setting of UAC to Always Notify, and be vigilant while opening emails from unknown sources - in particular attachments and external URLs.
Tags: UAC-bypass, Windows, Malicious-macro
Skype for Mac Backdoor Found (December 12, 2016)
Trustwave recently reported a locally exploitable issue in the Skype Desktop API Mac OS-X which provides an API to local programs/plugins executing on the local machine. The API is formally known as the Desktop API and it enables third-party applications to communicate with Skype. As described in the Trustwave advisory, the issue is an authentication by-pass discovered in the API whereby a local program could by-pass authentication if they identified themselves as the program responsible for interfacing with the Desktop API on behalf of the Skype Dashboard widget program.
Recommendation: Software often contains vulnerabilities, highlighting the importance of keeping your software up to date. All employees within your organization should know the risk using outdated software poses to not just themselves, but to the company at large. When vulnerabilities such as this are disclosed, the vendors are typically quick to respond, and their updates should be deployed immediately. This includes everything on employee laptops, even software that is not used as a critical business tool.
Tags: Skype, Vulnerability
MiKey - Analysis of a New Linux Keylogger (December 14, 2016)
Linux malware is slowly becoming more popular. Within the past couple years there were several major incidents that cited the use of Windows backdoors being ported to Linux. Through our research on the Windows KLRD keylogger from the Odinaff report, we were able to discover several new keyloggers. The focus of Morphick's latest blog post is MiKey, a little-known and poorly detected Linux keylogger.
Recommendation: MiKey is a good reminder that Windows isn't the only platform targeted by malware. It's essential to provide the same security safeguards to devices and machines of all operating systems in order to maintain the integrity of your network. Keyloggers rely on transmitting the data back to the attacker, and can often easily be detected using a network detection / prevention system with a premium ruleset.
Tags: MiKey, Keylogger, Linux-Malware
New Mirai DGA Seed 0x91 Defeated by Researchers (December 16, 2016)
Netlab published an update on their coverage of the Mirai botnet, including the Domain Generation Algorithm domains for the coming few weeks. The update also included some troubling speculations, however, a new Mirai variant and new DGA seed is likely emerging. This is based on their in depth tracking of the malware family over the past few months.
Recommendation: Domain Generation Algorithms (DGA) have become common among actors who want to evade the law. These algorithms use math and other complex logic loops to generate a pre-determined domain name that the actor will use for a short period of time. When these algorithms are reverse engineered, the list of domains to be used are high fidelity indicators of compromise. Watch for these on your network to identify malicious activity, such as Mirai.
Tags: dga, Mirai, botnet
Ransomware Roundup - Week of December 12 (December 16, 2016)
Lots of small little updates with no big news from any major Ransomware distributions. Of particular note is the fact that the Samas gang has made $450,000 from their operation, which may not be that big compared to some of the others, but has a much lower distribution as well. Another item to watch out for the holidays when people are buying presents is that Cerber is now sending spam pretending to be credit card purchase notifications. Last, but not least, Emsisoft, Bitdefender, Check Point, and Trend Micro have been added as associated partners to the No More Ransom organization.
Recommendation: Ransomware is one of the hottest crimeware tactics on the web right now, and isn't going to stop anytime soon. Advanced endpoint protection solutions can be a good protection as they can actively block ransomware when it lands on the network. However, it is not wise to rely on a single solution for your security and you should practice defense in depth - use multiple, overlapping, and failsafe security controls on your network.
Tags: Ransomware, Samas, Cerber
This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs.
NJRat Tool TIP
NJrat is a widely available Remote Access Tool. The tool was originally developed in 2013 by a freelance coder with the alias of `njq8`. NJRat is commonly used as general spyware and to facilitate computer intrusions. NJRAT is often delivered via drive-by downloads and phishing emails. NJRat is most commonly used to target organizations in the middle east.
Tags: njrat, Remote Access Tool, RAT