Anomali Weekly Threat Intelligence Briefing - January 16, 2017

Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.<h2>Trending Threats</h2>This section provide summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.<a href="http://blog.trendmicro.com/trendlabs-security-intelligence/eye-storm-look-eyepyramid-malware-supposedly-used-high-profile-hacks-italy/" target="_blank">EyePyramid and High Profile Targeted Attacks in Italy</a> (January 11, 2017) Two Italian citizens were arrested last Tuesday by Italian authorities (in cooperation with the FBI) for exfiltrating sensitive data from high-profile Italian targets. Private and public Italian citizens, including those holding key positions in the state, were the subject of a spear-phishing campaign that reportedly served a malware, codenamed EyePyramid, as a malicious attachment. This malware was used to successfully exfiltrate over 87 gigabytes worth of data including usernames, passwords, browsing data, and filesystem content. Recommendation: All compromises should be reported to the appropriate law enforcement agencies for the benefit of everyone, as collaboration between private and public sector organizations is the most effective way to thwart cybercriminals. Machines infected with the EyePyramid malware must be isolated, wiped, and reformatted before being reintroduced to your network. Tags: EyePyramid, Italy, Europe, Spear-Phishing, Targeted<a href="https://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit--More-like-Error-Exploit-Kit/" target="_blank">Terror Exploit Kit? More like Error Exploit Kit</a> (January 9, 2017) Trustwave is tracking a newly discovered Exploit Kit (EK) dubbed "Terror EK", after identifying a development server presumably in use by the creators to build and test the capabilities. The server was found in a development state with a number of half baked exploits, broken code, and other errors. The Trustwave team produced an informative and interesting writeup examining the entire kit, including the exploits in use, the other mechanics. Recommendation: The Exploit Kit landscape is evolving more quickly than ever before, in turn causing increased pain to network defenders. Always practice defense in depth - deploy redundant, layered, and failsafe security controls at every level of your network in order to detect early, and prevent attackers before they get deep into your network. Tags: Terror-EK, Exploit-Kit<a href="https://security.web.cern.ch/security/venom.shtml" target="_blank">VENOM Linux Rootkit</a> (January 11, 2017) The Linux VENOM rootkit is a two-component malicious software aimed at maintaining unauthorized access on compromised Linux systems. It requires root privileges to be installed, and relies on: A userland binary, providing an encrypted backdoor with remote code execution and proxy functionalities A lightweight Linux Loadable Kernel Module, providing an additional port-knocking service for the userland backdoor VENOM features similar mechanisms to the tools used during the Freenode intrusion in 2014. As the attacker attempts to remove all local traces, it is highly recommended to deploy and use a remote logging service (e.g. remote syslog). Recommendation: The VENOM rootkit relies on overwriting the syslog on the local system. Log aggregation tools like SIEM can really boost their value by acting as remote logging systems, which are much harder for attackers to wipe their tracks and evade detection from. If your organization is not already using a remote logging solution, they can enhance your security posture by providing a more authoritative record than local logging can. Once the attacker has full root access to the system, you can no longer trust any information from that system. Tags: Linux, Rootkit, VENOM<a href="https://blog.opendns.com/2017/01/11/catching-exploit-kit-landers/" target="_blank">Catching Exploit Kit Landers</a> (January 11, 2017) Exploit Kits play an integral role in many of the attacks we see on a daily basis. In this blog post OpenDNS researchers show how they use data collection in a novel way to uncover new components of the attack infrastructure and keep their customers protected against new threats. Recommendation: The techiniques described in this post should be replicated with caution, and all threat hunting work should be done in a lab environment, disconnected from your organization's main network. Proactive threat hunting is a great way to stay on top of the threats in your environment. Tags: Exploit-Kit, Threat-Hunting<a href="http://blog.netlab.360.com/fraudulent-top-sites-an-underground-market-infrastructure-en/" target="_blank">Top Fraudulent Sites: A Look at Dedicated Underground Market Infrastructure in China</a> (January 10, 2017) Netlab has released an investigation on Chinese underground infrastructure. In China, gambling and pornography are illegal, so it is not surprising these business are adopting an underground dedicated infrastructure. In this article, we analyze the peculiar use fraudulent top site domain names in this infrastructure from different perspectives like whois, PassiveDNS, and IP distribution. Netlab concludes it's report with a few interesting conclusions. Recommendation: Deploy network level Intrusion Detection / Prevention Systems to ensure that employees are following the rules layed out by your organization. You should be able to identify the use of illegal websites and educate your users on the hazards of visiting such websites. Utilize policies and procedures to define what your employees can and can not do from their workstations. Tags: China, Underground-Markets<a href="http://blog.talosintel.com/2017/01/shadow-brokers-malware-coverage.html" target="_blank">Shadow Brokers Malware Coverage</a> (January 12, 2017) Talos published a quick post including IOCs for the Shadow Brokers recently released windows rootkit components in a farewell message. The malware included mainly Windows malware files that supposedly all trigger as either equationdrug.generic or equationdrug.k by the Kaspersky security product. The files are signed with the same key used previously for Equation Group malware which indicates that these files came from the same threat actor. Recommendation: Compromised machines must be wiped and restored to factory settings. Attacks coming from the shadow brokers malware could be targeted, and a formal investigation should be initiated by notifying the appropriate law enforcement agencies. Tags: Shadow-Brokers, Equation-Group, Windows-Malware, Rootkit<a href="http://researchcenter.paloaltonetworks.com/2017/01/unit42-second-wave-shamoon-2-attacks-identified/" target="_blank">Second Wave of Shamoon 2 Attacks Identified</a> (January 9, 2017) Unit 42 has published some updates regarding the shamoon / disttrack wiper actors. The writeup includes a deep dive into the malware, including how it has evolved over the past 6 months, and the latest TTPs the actors are using to comrpmise machines and exfil stolen data. Recommendation: In order to secure your infrastructure, first you must be aware of what your assets are, which are publicly facing, and which are the most important to protect. To protect against these attacks, deploy Host and Network based intrusion detections systems (IDS) throughout your entire network. Integrate these systems using a SIEM or other security manager. In the case of a compromised system, it must be wiped and restored before being reintroduced to your environment. Tags: Shamoon, Shamoon-2, Disttrack-Wiper<a href="http://researchcenter.paloaltonetworks.com/2017/01/unit42-campaign-evolution-eitest-october-december-2016/" target="_blank">EITest: Campaign Evolution Oct - Dec 2016</a> (January 12, 2017) Unit 42 has been tracking the EITest exploit kit, and published a writeup on recent updates. The EITest campaign is focused on the Delivery, Exploitation, and Installation phases of the cyber attack lifecycle. The way the attacker executes each of these phases changes over time, and this blog examines the changes during the last quarter of 2016. Two significant changes have occurred during this time, detailed in the blog post. Recommendation: EITest infection can be detected by deploying network detection systems instrumented with threat intelligence related to active attacks and exploitation. These indicators allow network defenders to monitor connections to known bad hosts serving the EITest exploit framework. In the case of a compromise, the infected machine should be wiped and reformatted, and the rest of the network segment should be further examined for similar issues. Tags: EITest, Exploit-Kit<a href="https://www.fireeye.com/blog/threat-research/2017/01/credit_card_dataand.html" target="_blank">Credit Card Data Targeted in Netflix Phishing Campaign</a> (January 9, 2017) FireEye Labs discovered a phishing campaign in the wild targeting the credit card data and other personal information of Netflix users primarily based in the United States. This campaign is interesting because of the evasion techniques that were used by the attackers including phishing pages were hosted on legitimate (but compromised) web servers, Client-side HTML code was obfuscated with AES encryption to evade text-based detection, Phishing pages were not displayed to users from certain IP addresses if its DNS resolved to companies such as Google or PhishTank. Recommendation: Phishing continues to be one of the easiest ways for cyber criminals to make money quickly with a low level of technical expertise. Educate your employees on the dangers of phishing, how the attacks work, and how to avoid them. This includes the safe and proper use of email as well as web browsing activites. Tags: Targeted-Netflix, Phishing, Credit-Card-Stealer<a href="https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html" target="_blank">New Variant of Ploutus ATM Malware Observed in Latin America</a> (January 11, 2017) Ploutus is one of the most advanced ATM malware families FireEye has seen in the last few years. Discovered for the first time in Mexico back in 2013, Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message, a novel technique. FireEye Labs recently identified a previously unobserved version of Ploutus, dubbed Ploutus-D, that interacts with KAL’s Kalignite multivendor ATM platform. The samples we identified target the ATM vendor Diebold. However, minimal code change to Ploutus-D would greatly expand its ATM vendor targets since Kalignite Platform runs on 40 different ATM vendors in 80 countries. Recommendation: ATM/POS/IoT Security relies on the same type of preventative measures as all others, as they are a certain type of computer. In the case of a confirmed Ploutus infection, the ATM must be taken offline until it can be completely wiped and restored to it's original factory settings. An audit of the transactions performed on the ATM should occur along with a formal incident response investigation. Tags: Ploutus, Financial-Services, IoT, ATM<a href="https://www.proofpoint.com/us/threat-insight/post/targeted-threat-leads-to-keylogger-via-fake-silverlight-update" target="_blank">Targeted Threat leads to Keylogger via Fake Microsoft Silverlight Update</a> (January 12, 2017) Proofpoint researchers recently discovered a small email-based campaign attacking a major financial services provider. This attack was notable for a few reasons. The attack was very narrow in scope - a small number of malicious emails appear to have been sent to users in a single organization. The emails included a Microsoft Word attachment that used an embedded object rather than macros to avoid detection; the embedded object was also highly obfuscated. The payload was an unidentified keylogger hardcoded to send logs from infected computers to two Gmail addresses. Recommendation: Windows users being targeted by this threat may be tricked by the attackers trying to imitate microsoft and interfere with an employee workflow that may be essential to their duty in your organization. This type of attack highlights the importance of employee education, and secure defaults. Educate your employees so they know what the warning signs of an attack such as the fake Silverlight update look like, and only allow employees to do tasks on their workstations that are essential for their job. Disable macros and other risky functionality whenever possible, and ensure employees know the risks of allowing these features to operate. Tags: Keylogger, MSWord, Silverlight, Windows-Malware<a href="https://www.bleepingcomputer.com/news/security/researcher-whatsapp-bug-exposes-encrypted-messages/" target="_blank">Researcher: WhatsApp Bug Exposes Encrypted Messages</a> (January 13, 2017) Earlier this week, reports surfaced that the messenger app WhatsApp contained a backdoor. While the coverage was unfortunately fast and loose with the details, the findings of the independent security researcher should not be overlooked. The bug is a serious security defect described by some cryptography experts as an implementation bug, which is not the same as a universal or reliable backdoor. The issue is still a significant finding that impacts the integrity of the WhatsApp messenger platform. Recommendation: The WhatsApp vulnerabililty highlighted in this story is a great example of the complicated times we find ourselves in. WhatsApp is a professionally written piece of software, that we all expect to uphold our privacy and prevent eavesdroppers from reading our conversations. No software is perfect, and one should never expect privacy to be a guarantee. WhatsApp users, along with everyone else, should practice good security by always installing updates as soon as they are available. They often include important security fixes, closing holes such as this one. Tags: Vulnerability, Secure-Communication, WhatsApp, Privacy<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-13th-2017-mongodb-apocalypse-spora-decryptors-and-more/" target="_blank">Ransomware Roundup: Week of January 13</a> (January 13, 2017) The ransomware scourge shows no signs of slowing down. This week we have seen lots of small ransomware infections released as well as a very professional looking payment site from the Spora Ransomware. The big news is the continuing relentless attack on unsecured MongoDB databases, the new attacks on ElasticSearch databases, and a big time ransomware payout by a school. Recommendation: Ransomware can potentially be blocked by using endpoint protection solutions (HIDS), but as this news shows, new threats are constantly evolving to bypass these protections. Always keep your important files backed up. In the case of ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals. Tags: Ransomware, Mongodb, ElasticSearch, Spora<h2>Observed Threats</h2>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs.<a href="https://ui.threatstream.com/tip/8281" target="_blank">NetWire RAT (Windows) Tool Tip</a> Netwire is a Remote Access Trojan primarily used for data theft. However, the authors behind NetWire claim it's legitimacy as an espionage tool. The analyzed sample in this case masquerades as a directory, but is actually an executable (.exe) file. Tags: NetWire, RAT, Windows-Malware