Anomali Weekly Threat Intelligence Briefing - February 28, 2017

<h2 id="trendingthreats">Trending Threats</h2>This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.<a href="http://thehackernews.com/2017/02/ukraine-russia-hacking_20.html" target="_blank">Malware Hijacks Microphones to Spy On Ukrainian Businesses, Scientists and Media</a> (February 20, 2017) Researchers have discovered that Ukraine has once again been targeted by a highly sophisticated malware campaign called "Operation BugDrop." Threat actors have targeted approximately 70 Ukrainian entities and, as of this writing, have stolen over 600 gigabytes of data. The malware is distributed via spear phishing emails and is capable of turning on the microphone to capture audio as well as capturing screen shots, documents, and passwords. The stolen information and audio is then exfiltrated using Dropbox folders controlled by the attackers. Recommendation: Spear phishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromised and used for such emails. Education is the best defense, inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack. Tags: Spear Phishing, BugDrop<a href="http://www.malware-traffic-analysis.net/2017/02/20/index.html" target="_blank">MalSpam – Subject: Radar Photo Proof 57628324</a> (February 20, 2017) A new malicious spam operation is attempting to trick victims into following a link that is claiming to be a "negligent driving" violation. If the link is followed a malware dropper is downloaded that then downloads and installs a trojan into the system. Researchers contend that this strain may be the Zeus trojan variant, Zeus Panda Banker. Recommendation: This email spam tactic has been used by malicious actors in the past, and police departments in the U.S. have had to inform the public that they will never email them concerning a traffic violation. It could also be useful for employees to get out of the habit of using email attachments in favor of a cloud file hosting service, as well as never following links from vendors attempting to use scare tactics. Tags: Malspam, Zeus trojan<a href="https://heimdalsecurity.com/blog/security-alert-teamspy-turn-teamviewer-into-spying-tool/" target="_blank">TeamSpy Malware Spammers Turn TeamViewer into Spying Tool in Targeted Attacks</a> (February 21, 2017) The threat actor group called "TeamSpy" has been identified to be behind a new spam campaign, according to Heimdal Security researchers. TeamSpy was last reported to be active after it was discovered they were engaged in a 10 yearlong cyber espionage campaign from 2003 to 2013. TeamSpy is using social engineering to trick their targets into installing malware via malicious email attachments. Using DLL hijacking, the attacker adds a VPN and keylogger to the TeamViewer application; the malware will then send stolen data back to a C2. Recommendation: Always be on high alert while reading email, in particular when it has attachments or comes with an urgent label or poor grammar. Use anti-spam and anti-virus protection, and avoid opening email from untrusted or unverified senders. Tags: TeamSpy, Phishing<a href="https://krebsonsecurity.com/2017/02/how-to-bury-a-major-breach-notification/" target="_blank">How to Bury a Major Breach Notification</a> (February 21, 2017) An unnamed software company that provides a popular, and also unnamed, piece of software to major U.S. companies, had their website and update server breached for two weeks in April, 2015, according to RSA researchers. Researcher Brian Krebs believes that the compromised software package was "EVlog," provided by Altair Technologies Ltd. The company provides software designed to assist Windows system administrators better comprehend and parse Windows event logs. Companies that use the service may have automatically downloaded compromised update versions. Entities that downloaded compromised versions include: 24 banks and financial institutions, five defense contractors, approximately 24 Fortune 500 companies, approximately 45 higher educational institutions, over 36 IT product manufacturers or solutions providers, and over 10 western military organizations. Recommendation: Always practice defense in depth - deploy redundant, layered, and failsafe security controls at every level of your network in order to detect early, and prevent attackers before they get deep into your network. Tags: Vulnerability, EVlog<a href="https://blog.malwarebytes.com/threat-analysis/2017/02/rogue-chrome-extension-pushes-tech-support-scam/" target="_blank">Rogue Chrome Extension Pushes Tech Support Scam</a> (February 21, 2017) A new malicious advertising (malvertising) campaign has been identified to be targeting Chrome web browser users. If a user is targeted with malvertising attempts, follows a link provided by the attacker and is directed to a malicious website, the website will detect whether or not the visitor is using Chrome. If Chrome is detected as the web browser via the user agent, a pop up will appear that requests an extension to be installed in order to leave the webpage; during this time the browser is stuck in a perpetual loop of full-screen modes. Once the extension is added, malicious JavaScript will reach out to a C2 and present the infected computer with technical support scams. Recommendation: While web browser extensions can be useful in day-to-day business activities it is possible, as this story describes, for malicious extensions to make their way into legitimate services (Google has since removed the malicious extension). Your company should only use browser extensions and add-ons provided by trusted sources. Tags: Malvertising<a href="http://blog.fortinet.com/2017/02/22/keep-your-account-safe-by-avoiding-dyzap-malware" target="_blank">Keep Your Account Safe by Avoiding Dyzap Malware</a> (February 22, 2017) A new version of the Dyzap trojan virus has been identified in the wild with new features, according to Fortinet researchers. Dyzap targets over 100 applications, is capable of stealing information stored in multiple web browsers, databases, and registries, as well as using keylogger functions. The malware moves the stolen information into packets in binary format before it sends it to a C2. Recommendation: Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (don't rely on single security mechanisms - security measures should be layered, redundant, and failsafe). Tags: Dyzap trojan<a href="https://www.bleepingcomputer.com/news/security/malware-uses-blinking-hard-drive-leds-to-transmit-data-to-nearby-cameras/" target="_blank">Malware Uses Blinking Hard LEDs to Transmit Data to Nearby Cameras</a> (February 23, 2017) Researchers from Ben-Guiron University of the Negev in Israel, have created a custom malware that can gather data from a compromised machine via binary code represented by blinking LED lights. The researchers successfully tested their malware and were able to gather information from a machine by video recording the rapidly blinking LED lights (where the light turned on represents one, and off represents zero). The malware does not need administrator rights to execute, and was designed to steal data from air-gapped systems, albeit at a slow speed of 0.5KBs. Recommendation: While it has not been reported how this malware could be used to infect a computer or system, simple mitigations do exist. Concealing a LED light that is in range of a camera, and covering windows so outsiders cannot peer inside can prevent this style of attack because a special camera is needed to capture the displayed binary code. Tags: Malware<a href="https://www.bleepingcomputer.com/news/security/linux-project-patches-11-year-old-security-flaw-that-gives-attackers-root-access/" target="_blank">Linux Project Patches 11-Year-Old Security Flaw That Gives Attackers Root Access</a> (February 23, 2017) An intern at Google named Andrew Konovalov discovered a vulnerability in the Linux operating system, dubbed "CVE-2017-6074." The vulnerability can be exploited with low-privilege access to gain root code execution rights. The double free vulnerability (occurs when an application frees the same memory address twice) affects all Linux versions beginning with version 2.6.14. Recommendation: Your company should ensure that software and operating systems are always kept up-to-date with the newest version. New vulnerabilities that could potentially cause harm to your company are reported by security researchers quite frequently, even in software and applications previously thought to be secure as this story shows. Tags: Vulnerability, Linux<a href="http://thehackernews.com/2017/02/cloudflare-vulnerability.html" target="_blank">Serious Bug Exposes Sensitive Data From Millions of Sites Sitting Behind CloudFlare</a> (February 23, 2017) There is a buffer overflow issue with edge servers belonging to CloudFlare, a content delivery network and web security provider, according to security researcher Tavis Ormandy. The vulnerability, dubbed “Cloudbleed,” occurs when edge servers were running past the end of a buffer and were returning memory. The returned memory contained sensitive data such as authentication tokens, encryption keys, HTTP cookies, HTTP POST bodies, and passwords; some of the leaked data has already been cached by search engines. Recommendation: Even though Cloudflare mitigated the issue in less than an hour after discovery, your company should consider any data that passed through CloudFlare services to be at risk of having been viewed. Your company and employees should have proper policies in place in regards to changing passwords on a frequent basis.. Tags: Cloudbleed, CloudFlare<a href="https://blog.eset.ie/2017/02/24/new-crypto-ransomware-hits-macos/" target="_blank">New Crypto-ransomware Hits macOS </a> (February 24, 2017) A new ransomware campaign is targeting MacOS users by masquerading itself in BitTorrent distribution websites as an application called "Patcher." The malware is written entirely in the Swift programming language. The malicious torrent contains one zip file in which there are two fake applications, Adobe Premiere Pro and Office 2016 Patcher. If these applications are executed, the ransomware will generate a random 25-character string to use for encrypting files. A ransomware note will be displayed that requests 0.25 bitcoins ($300). This poorly written ransomware is not capable of decrypting any files if the ransom is paid. Recommendation: The best approach to the threat of ransomware is for all users to maintain secured backups of their data, keep their systems fully patched, and practice good security hygiene when browsing the internet. In the case of ransomware infection, the affected system must be wiped and reformatted, other systems on the network should be assessed for similar infection, and the original attack vector must be identified in order to educate the victim and other employees. Tags: Ransomware, MacOS<a href="https://www.helpnetsecurity.com/2017/02/24/wifi-experiment-rsac-2017/" target="_blank">Results of the Rogue Access Point Experiment at RSA Conference 2017</a> (February 24, 2017) Help Net Security researchers once again conducted their rogue Access Point (AP) experiment at this year's RSA conference, with rather surprising results. By using a Pineapple Tetra and listening for Service Set Identifiers (SSIDs) from mobile devices, the researchers were able to capture 8,653 SSIDs and tricked 4,499 Wi-Fi clients to connect to their rogue AP. Recommendation: While this incident was just an experiment, it shows the genuine threat of devices connecting to potentially malicious Wi-Fi networks. Mobile devices should always be kept up-to-date with the latest patches, and Wi-Fi should always be turned off when in public locations. Tags: Rogue Access Point, Experiment<a href="https://www.bleepingcomputer.com/news/security/hacker-group-defaces-hundreds-of-websites-after-hacking-uk-hosting-firm/" target="_blank">Hacker Group Defaces Hundreds of Websites After Hacking UK Hosting Firm </a> (February 25, 2017) A threat actor group calling themselves the "National Hacking Society" (NHA) has defaced approximately 605 websites after compromising the hosting company Mesh Digital (DomainMonster[.]com). NHA has three members known as Benajmin, GeneralEG and R3d HaXoR, according to researchers. The group has compromised over 1.5 million webpages and, in some instances, were able to install backdoors and compromise servers. Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs. Tags: National Hacking Society, Defacements<h2 id="observedthreats">Observed Threats</h2>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs.<a href="https://ui.threatstream.com/tip/7308" target="_blank">EITest Tool Tip</a> The EITest gate or Traffic Direction System (TDS) is a service used by criminals to direct web traffic to Exploit Kits (EKs) to install malware on victim’s computers. In the past EITest has been observed directing traffic to Angler, Neutrino, and the Rig EK. Tags: EITest-gate, EITest