Anomali Weekly Threat Intelligence Briefing - February 21, 2017

February 21, 2017 | Gage Mele

Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Threats

This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.

New Android Trojan Downloads Dangerous Malware (February 14, 2017)
Android users are being targeted in a new campaign that is being distributed via compromised websites. According to researchers, the compromised website requests a fake Adobe Flash update to be installed. If installed, a pop-up appears asking the user to turn on "Saving Battery." The fake service requests multiple permissions to an infected device. If the permissions are granted, the malicious Flash Player will communicate with its C2 in order to download additional malware of the cyber criminal's choosing such as adware, banking trojans, or spyware.
Recommendation: Mobile applications should only be downloaded from official locations such as the Google Play Store and the Apple App Store. Websites or documents that request additional software or updates to fully work should be avoided. Additionally, mobile security applications provided from trusted vendors are recommended.
Tags: Android, Malware, Adobe Flash, Saving Battery

Researchers Create PoC Ransomware That Targets ICS/SCADA Systems (February 14, 2017)
A proof of concept ransomware that targets Programmable Logic Controllers (PLC) has been created by researchers from the Georgia Institute of Technology (GIT). PLCs are essential parts of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks. This is reportedly the first time PLC ransomware has been seen. GIT researchers contend that it is only a matter of time before threat actors begin to develop their own PLC ransomware in order to hide state sponsored attacks.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. In the unfortunate case a reproducible backup is not in place, make sure to check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.
Tags: Ransomware, PLC, ICS, SCADA

Operation Kingphish: Uncovering a Campaign of Cyber Attacks against Civil Society in Qatar and Nepal (February 14, 2017)
A new phishing campaign dubbed "Operation Kingphish" has been discovered to be targeting human rights activists in Qatar and Nepal. According to Amnesty Insights' researchers, the campaign is operating under the alias "Safeena Malik," for which multiple social media accounts (Facebook, LinkedIn, and Twitter) have been created to lend credibility to her authenticity. Malik has been active since at least 2014. Currently, the female persona is distributing information stealing malware via invitations on Google Drive, Facebook Messenger, and Google Hangouts.
Recommendation: This story serves as an example that your employees should be properly informed on the potential risks associated with phishing attacks, and taught how to identify possible phishing attempts.
Tags: Phishing

XAgentOSX: Sofacy's XAgent macOS Tool (February 14, 2017)
Palo Alto Networks researchers believe that they have discovered a new backdoor trojan that is being used by the Russian Advanced Persistent Threat (APT) group Sofacy (also known as APT28, among others). The backdoor is called "XAgentOSX," and is currently being used by Sofacy to target individuals running MacOS. This malware steals information from compromised machines, and sends data back to a C2 using RC4 encryption.
Recommendation: Defending against APTs requires a defense in depth approach. Layering of security mechanisms, redundancy, and fail safe defense processes will provide a robust safety-net against malicious actors. Network and host based tools should be used in tandem to provide prevention and detection capabilities to your network.
Tags: Sofacy, APT28, APT, Backdoor

What's In Shodan? Analyzing Exposed Cyber Assets in the United States (February 15, 2017)
Trend Micro researchers recently conducted a study on exposed cyber assets using Shodan, an open source search engine that aggregates devices and systems connected to the internet. Information gathered from Shodan could potentially be used by threat actors to target and attack these devices. The study's report revealed millions of potentially vulnerable cyber assets in some of the largest cities in the U.S. The cities ranked from most to least are: Los Angeles, Houston, Chicago, Dallas, Phoenix, San Jose, New York, San Antonio, San Diego, and Philadelphia.
Recommendation: Your company should ensure that all internet-connected devices and systems are properly patched, and carefully monitored for suspicious activity. Additionally, internet-of-things (IoT) devices such as smart phones and tablets that are brought in by your employees need to be viewed as a potential risk. Employees should be properly educated on how to keep their professional and personal devices properly secured.
Tags: Shodan

Russian Speaking Hacker Breaches Over 60 Universities and Government Agencies (February 15, 2017)
A Russian threat actor called "Rasputin" has been identified to be selling access to over 60 government agency and university databases on underground markets. Rasputin compromised the databases using a custom SQL injection tool, a method that the actor has been using for at least the past 15 years. Rasputin has been primarily targeting North American government agencies and universities, but similar Western European entities have also been targeted, according to researchers.
Recommendation: Properly implementing SQL databases is the first step to prevent injection attacks. Using prepared statements and stored procedures, implementing escape schemes, properly limiting privileged accounts, and using input validation are some steps you can take to better protect your company from SQL injection attacks.
Tags: SQL injection
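
The prepared-statement and input-validation steps from the recommendation above, shown beside the weak pattern they replace. This is an added example, not code from the briefing or the reported incident; the table, function names and sample rows are constructed for illustration.

```python
import re
import sqlite3

def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, email TEXT)")
    db.executemany("INSERT INTO students (email) VALUES (?)",
                   [("amy@example.edu",), ("bob@example.edu",)])
    return db

def lookup_vulnerable(db, email):
    # Weak: the input is concatenated into the SQL text, so a quote
    # character in `email` changes the structure of the query.
    sql = "SELECT id, email FROM students WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, email):
    # Prepared statement: the value is bound as data and never parsed as SQL.
    sql = "SELECT id, email FROM students WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()

# Assumed validation rule for this example: a simple address shape.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def lookup_hardened(db, email):
    # Input validation in front of the prepared statement (two layers).
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("invalid email")
    return lookup_parameterized(db, email)

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed test input containing quotes
    print("concatenated :", lookup_vulnerable(db, crafted))
    print("parameterized:", lookup_parameterized(db, crafted))
    print("legitimate   :", lookup_hardened(db, "amy@example.edu"))
```
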

Yahoo Hacked Once Again! Quietly Warns Affected Users About New Attack (February 15, 2017)
Yahoo began rolling out notifications this week to its email-service customers after they disclosed a notice about a breach that took place in December, 2016. Interestingly, said notification was somewhat overlooked because that same statement also provided additional details concerning the 2013 breach which compromised over one billion email accounts. In this incident, attackers forged cookies to trick the email provider into thinking that a user was already logged into their account. At the time of this writing, it is unknown how many email accounts may have been compromised.
Recommendation: Yahoo's rather lackadaisical disclosure of yet another security incident may cause many of its users to search for a different email provider. Yahoo email users should check their inboxes for the notification sent by the company, and monitor credit card statements if a Yahoo account is associated with filing taxes or with a bank account, especially during tax season when threat actors attempt to file fraudulent tax returns.
Tags: Breach

PharmaNet Breach Compromises Personal Information of 7,500 British Columbians (February 16, 2017)
The Ministry of Health has warned 7,500 British Columbians that their Personally Identifiable Information (PII) may have been stolen via a breach in the provincial government's PharmaNet system. An unknown actor was able to gain access to the PharmaNet system via an unnamed physician's login credentials. Investigations are currently underway, encompassing 14 physicians and their offices.
Recommendation: Monitoring financial records should be a habitual process, and your employees should be reminded to do so as a means to detect and prevent possible identity theft attempts.
Tags: Breach

Hermes Ransomware Decrypted in Live Video (February 16, 2017)
A new ransomware, dubbed "Hermes" by its discoverer Karsten Hahn, has been successfully decrypted by Emsisoft CTO Fabian Wosar. Wosar showed viewers, in a live demonstration, that the seed which is used to encrypt data can be recovered and used to create a decryptor. If a user is infected with the ransomware, Hermes will use a User Account Control (UAC) to delete Shadow Volume Copies as well as backup files and images. It also targets files with certain extensions to be encrypted and held for ransom.
Recommendation: Ransomware is an evolving threat, and the most fundamental defense is having proper backup processes in place. Follow the 1-2-3 rule: 3 copies, 2 devices, and 1 stored in a secure location. Data loss is manageable as long as regular backups are maintained.
Tags: Hermes, Ransomware

menuPass Return with New Malware and New Attacks Against Japanese Academics and Organizations (February 16, 2017)
Unit 42 researchers report that an Advanced Persistent Threat (APT) campaign known as "menuPass" (also known as Stone Panda and APT10) was targeting Japanese academics and organizations from September to November, 2016. Japan's Computer Emergency Response Team has also discovered a new trojan used by the group that they have dubbed "ChChes." The menuPass group used spear phishing emails that spoofed public addresses associated with the Sasakawa Peace Foundation and The White House as one way to distribute multiple forms of malware.
Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security, as well as having prevention and detection capabilities in place. Furthermore, all employees should be educated on the risks of phishing, and how to identify such attempts.
Tags: Stone Panda, APT10, APT, ChChes, Phishing

'Secure' Trump Website Defaced by Hacker Claiming to be from Iraq (February 19, 2017)
A threat actor calling him/herself 'Pro_Mast3r' defaced a server that was associated with President Donald Trump's presidential fundraising campaign. It does not appear that the server is directly linked from President Trump's and Vice President Pence's home page, according to researchers. No malicious code was found on the server, but rather an animation script and a link to a Google Code account (masterendi) were identified. The Google Code account is associated with at least three other website defacements.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: Compromised Website, Defacement

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs.

Locky Tool Tip
Locky is ransomware that is widely spread via phishing messages. It first appeared in early 2016 and is strongly correlated with the cyber criminal groups related to the Dridex and Necurs botnets. Multiple waves of Locky samples are distributed daily. The delivery mechanism has evolved over time: spam messages with executable attachments, MS Word document attachments using macros to retrieve and then execute Locky, and Zip files that extract JavaScript loaders that retrieve and then execute Locky. Hosts compromised by Locky display a ransom note with instructions on how to decrypt the encrypted files. Encrypted files are renamed .locky or .zepto.
Tags: Locky, Ransomware
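
One way to turn the renaming behaviour described above into a detection: flag hosts that rename several files to a .locky or .zepto name within a short window. This is an added example, not part of the briefing; the audit-log line format, host names, threshold and window are assumptions, and the events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the briefing says Locky gives encrypted files.
LOCKY_EXTS = (".locky", ".zepto")

# Constructed sample events in a hypothetical audit format:
# <ISO time> <host> RENAME <old path> -> <new path>
SAMPLE_EVENTS = r"""
2017-02-21T09:14:02 ws-042 RENAME C:\Users\amy\Docs\q1.xlsx -> C:\Users\amy\Docs\A1B2C3.locky
2017-02-21T09:14:03 ws-042 RENAME C:\Users\amy\Docs\plan.docx -> C:\Users\amy\Docs\D4E5F6.locky
2017-02-21T09:14:03 ws-042 RENAME C:\Users\amy\Docs\old.txt -> C:\Users\amy\Docs\new.txt
2017-02-21T09:14:05 ws-042 RENAME C:\Users\amy\Pics\a.jpg -> C:\Users\amy\Pics\0718AB.LOCKY
2017-02-21T09:14:09 ws-042 RENAME C:\Users\amy\Pics\b.jpg -> C:\Users\amy\Pics\9C2D11.locky
2017-02-21T10:00:00 ws-017 RENAME C:\Temp\sample.bin -> C:\Temp\sample.zepto
2017-02-21T11:00:00 fs-003 RENAME D:\Share\a.pdf -> D:\Share\11AA.zepto
2017-02-21T11:20:00 fs-003 RENAME D:\Share\b.pdf -> D:\Share\22BB.zepto
2017-02-21T11:40:00 fs-003 RENAME D:\Share\c.pdf -> D:\Share\33CC.zepto
"""

EVENT_RE = re.compile(r"^(\S+) (\S+) RENAME (.+?) -> (.+)$")

def parse_events(text):
    """Yield (time, host, old_path, new_path) for each well-formed line."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ts, host, old, new = m.groups()
            yield datetime.fromisoformat(ts), host, old, new

def flag_hosts(text, threshold=3, window=timedelta(seconds=60)):
    """Return {host: peak count} for hosts with at least `threshold`
    renames to a Locky extension inside any `window`-long span."""
    hits = defaultdict(list)
    for ts, host, old, new in parse_events(text):
        # Count only files that gain the extension in this rename.
        if new.lower().endswith(LOCKY_EXTS) and not old.lower().endswith(LOCKY_EXTS):
            hits[host].append(ts)
    flagged = {}
    for host, times in hits.items():
        times.sort()
        start = best = 0
        for end in range(len(times)):  # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[host] = best
    return flagged
```

The burst threshold keeps a single renamed file, such as an analyst's sample, from raising an alert; widening the window catches slower encryption at the cost of more noise.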

About the Author

Gage Mele

Threat Intelligence Analyst