Anomali Weekly Threat Intelligence Briefing - January 9, 2017

<p><b>Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p><h2>Trending Threats</h2><p>This section provide summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.</p><p><a href="http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/" target="_blank"><b>DragonOK Updates Toolset and Targets Multiple Geographic Regions</b></a> (<i>January 5, 2016</i>)<br/> Unit 42 first discussed the DragonOK actor in April 2015 when they witnessed the group targeting a number of organizations in Japan. More recently, multiple new variants of the previously discussed sysget malware family have been observed in use by DragonOK. Sysget malware was delivered both directly via phishing emails, as well as in Rich Text Format (RTF) documents exploiting the CVE-2015-1641 vulnerability (patched in MS15-033) that in turn leveraged a very unique shellcode. Additionally, we have observed instances of the IsSpace and TidePool malware families being delivered via the same techniques. While Japan is still the most heavily targeted geographic region by this particular actor, they've expanded their targets to include Taiwan, Tibet, and Russia.<br/> <b>Recommendation:</b> The DragonOK actor TTPs are very similar to the other big name actors we see today. Educate employees about the dangers of phishing, and the damage that can be caused by a single credential compromise. Provide sane (secure) defaults for employee workstations.<br/> <b>Tags:</b> DragonOK, Japan, Asia, Taiwan, Tibet, Russia, Sysget, Tidepool, IsSpace, CVE-2015-1641, MS15-033</p><p><a href="http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/" target="_blank"><b>2016 Updates to Shifu Banking Trojan</b></a> (<i>January 6, 2016</i>)<br/> Shifu is a Banking Trojan first discovered in 2015. Shifu is based on the Shiz source code which incorporated techniques used by Zeus. Attackers use Shifu to steal credentials for online banking websites around the world, starting in Russia but later including the UK, Italy, and others. Unit 42's latest gives an update to the TTPs used by this group throughout the year of 2016.<br/> <b>Recommendation:</b> Antivirus scanners are a must-have, even decades after their inception. However, antivirus must be supplemented with additional network based detection/prevention mechanisms. Employ defense in depth while building or assessing your security infrastructure - don't rely on single defenses and instead deploy overlapping, redundant, failsafe security infrastructure.<br/> <b>Tags:</b> Shifu, Financial-Services, Zeus, Trojan</p><p><a href="https://blog.fortinet.com/2017/01/05/analysis-of-phpmailer-remote-code-execution-vulnerability-cve-2016-10033" target="_blank"><b>Critical Flaw in widely used PHPMailer</b></a> (<i>January 6, 2016</i>)<br/> This week, a high-level security update was released to fix a remote code execution vulnerability (CVE-2016-10033) in PHPMailer, which is an open source PHP library for sending emails from PHP websites. This critical vulnerability is caused by class.phpmailer.php incorrectly processing user requests. As a result, remote attackers are able to execute code on vulnerable servers. Fortinet researchers have disclosed the details about how the attack scenario works, and how it's exploited.<br/> <b>Recommendation:</b> The phpmailer flaw is a good reminder of how important it is to be aware of all the libraries and software running on business critical systems. Vulnerability scanning is critically important, should be done on a consistent schedule, and built in to your IT alerting system. Cross team cooperation with operations should be established before an incident happens, and policies should be documented so that an action plan exists in the event of a compromise.<br/> <b>Tags:</b> CVE-2016-10033, critical-vulnerability, PHP</p><p><a href="https://blog.opendns.com/2017/01/05/future-assaulting-internet-mirai/" target="_blank"><b>The Future is Here – Assaulting the Internet with Mirai</b></a> (<i>January 5, 2016</i>)<br/> OpenDNS published a concise review of the Mirai botnet's destruction, evolution, and most notably some unnerving prospects for the future. They give an overview of the attack surface used by mirai, and the expansive scope of internet connected devices that could pose similar risks. Though the threat posed by Mirai is dying out, variants and other similar malware families are on the horizon.<br/> <b>Recommendation:</b> First and foremost, be aware of your network, account for every device on your network. Without the ability to monitor your network, including the most obscure devices on it, you will always be at risk the threat posed by Mirai. Have a password rotation policy in place for all devices on your network, and use vulnerability scanning to regularly flush out devices using default credentials.<br/> <b>Tags:</b> Mirai, IoT, botnet DDoS</p><p><a href="https://www.bleepingcomputer.com/news/security/google-dev-finds-serious-flaws-in-kasperskys-https-traffic-inspection-system/" target="_blank"><b>Project Zero (Google) Finds Serious Flaws in Kaspersky's HTTPS Traffic Inspection System</b></a> (<i>January 4, 2016</i>)<br/> Tavis Ormandy, one of Google Project Zero's most proficient security researchers, has identified two issues in the way Kaspersky security products inspect HTTPS traffic for web threats. According to the researcher, the Kaspersky performs this operation by its root certificate (Kaspersky Anti-Virus Personal Root) as a trusted certificate authority (CA) in the operating system's authorized certificate store.<br/> <b>Recommendation:</b> Always keep your software and operating systems up to date with the latest patches. Flaws such as these in security software are inevitable, and don't necessarily mean they provide poor security posture. On the contrary, they demonstrate the importance of source code auditing, and vendor released patches.<br/> <b>Tags:</b> Kaspersky, SSL</p><p><a href="https://www.bleepingcomputer.com/news/government/new-california-law-makes-ransomware-a-standalone-crime/" target="_blank"><b>New Law in California makes ransomware a standalone crime</b></a> (<i>January 5, 2016</i>)<br/> On January 1, 2017, a new law went into effect in California that makes ransomware use a standalone crime. Technically, ransomware usage was an illegal activity before, but all people engaged in such activities were trialed based on state extortion laws or computer hacking and money laundering charges. This new law makes ransomware use a standalone crime, allowing prosecutors to charge suspects much easier, without having to spend time proving the suspect was involved in a money laundering operation.<br/> <b>Recommendation:</b> Ransomware can potentially be blocked by using endpoint protection solutions (HIDS), but as this news shows, new threats are constantly evolving to bypass these protections. Always keep your important files backed up. In the case of ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs.<br/> <b>Tags:</b> ransomware, US, California</p><p><a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-6th-2017-fsociety-mongodb-pseudo-darkleech-and-more/" target="_blank"><b>Ransomware Roundup - January 6</b></a> (<i>January 6, 2016</i>)<br/> 2017 is here and ransomware continues to pump out at a rapid pace. We have a lot of little variants popping up this week (as usual), An attacker going by the name of Harak1r1 hijacking unprotected MongoDB databases, stealing and replacing their content, and asking for a ransom in bitcoin to return the data. Additionally, multiple new FSociety branded ransomware families have emerged, which pokes fun at the TV show Mr Robot.<br/> <b>Recommendation:</b> Always run antivirus and endpoint protection software in order to prevent ransomware before it's too late. Keep secure backups of all your important files, to avoid the need to pay ransomware authors. Never open email attachments or software obtained from untrusted sources. Always keep your systems patched with the latest security fixes. In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.<br/> <b>Tags:</b> Ransomware, mongodb</p><h2>Observed Threats</h2><p>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs.</p><p><a href="https://ui.threatstream.com/tip/8281" target="_blank"><b>NetWire RAT (Windows) Tool Tip</b></a><br/> Netwire is a Remote Access Trojan primarily used for data theft. However, the authors behind NetWire claim it's legitimacy as an espionage tool. The analyzed sample in this case masquerades as a directory, but is actually an executable (.exe) file.<br/> <b>Tags:</b> NetWire, RAT, Windows-Malware</p>