Anomali Weekly Threat Intelligence Briefing - March 21, 2017

Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.<h2>Trending Threats</h2>This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.<a href="https://www.theregister.co.uk/2017/03/19/mcdonalds_india_data_leak/" target="_blank">McDonalds India's App Was a Golden Honeypot</a> (March 19, 2017) McDonalds India has released that approximately 2.2 million users of its mobile application have had their Personally Identifiable Information (PII) leaked through a misconfigured server, according to researchers. The PII consists of email address, full name, home address and coordinates, phone number, and social profile links. Recommendation: Identity theft is always a risk when user information is entered into any kind of account. Therefore, information should only be entered into services provided by trusted vendors, and careful monitoring of financial statements should always be practiced. Tags: Data leak, PII<a href="https://krebsonsecurity.com/2017/03/google-points-to-another-pos-vendor-breach/" target="_blank">Google Points to Another POS Vendor Breach</a> (March 17, 2017) Security researcher Brian Krebs discovered that the organization Select Restaurants Inc., which owns multiple restaurants around the continental U.S., appears to have been compromised with Point of Sale (POS) malware. KrebsOnSecurity was contacted by financial institutions' anti-fraud teams who were attempting to identify the source of numerous instances of fraudulent transactions. This prompted a quick Google search by Krebs which revealed that Select Restaurants' website "may be hacked." As of this writing, the company has not commented on the purported breach. Recommendation: POS systems need to be carefully maintained, and kept up-to-date with the newest software patches because they are frequent target of threat actors. Especially in the U.S. where chip and pin technology has taken longer to become commonplace in comparison to other countries and regions around the world. In the case of POS infection, all systems that process financial data should be taken offline and reformatted to ensure the malware has been properly removed before reconnecting to the network. Tags: POS malware, Credit card theft<a href="https://www.bleepingcomputer.com/news/security/star-trek-themed-kirk-ransomware-brings-us-monero-and-a-spock-decryptor/" target="_blank">Star Trek Themed Kirk Ransomware Brings us Monero and a Spock Decryptor!</a> (March 16, 2017) An Avast malware researcher has discovered a new Star Trek themed malware dubbed "Kirk Ransomware." The Kirk Ransomware is written in Python and uses Monero, which is similar to the Bitcoin system, for its victims to submit payments for decryption. Researchers note that this malware may be the first of its kind to use Monero currency for payment. Kirk Ransomware increases the ransom payment the longer a victim waits. At the time of this writing, one Monero (XMR) is equivalent to $23.27; the first ransom demand is 50 XMR ($1,163.84). Recommendation: Always keep your important files backed up. In the case of ransomware infection, the affected system must be wiped and reformatted, and other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors, and prevent ransom from being a profitable business for cyber criminals. Tags: Ransomware<a href="https://www.bleepingcomputer.com/news/security/trend-ransomware-hidden-in-nsis-installers-harder-to-detect/" target="_blank">Trend: Ransomware Hidden in NSIS Installers Harder to Detect</a> (March 16, 2017) Researchers have discovered a trend among ransomware threat actors in that they are beginning to pack their malware inside a Nullsoft Scriptable Install System (NSIS). Actors are using the legitimate service, combined with encryption, to hide their malicious code. The malware will load into a Windows computer's memory, decrypt, and then execute. NSIS ransomware is primarily being distributed through spam campaigns that contain JavaScript downloaders (some are also contained inside ZIP files), malicious Office documents, and .LNK files that contain PowerShell scripts which all lead to downloads of malicious NSIS installers. Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. If a reproducible backup is not available, there may a decryptor available that can assist in retrieving encrypted files. Additionally, educate your employees about the dangers of downloading applications when they are not offered from the official website of the provider/developer. Tags: Ransomware, NSIS Installers<a href="https://documents.trendmicro.com/assets/majikpos-combines-pos-malware-and-rats-to-pull-off-its-malicious-tricks.pdf" target="_blank">MajikPOS Combines PoS Malware and RATs to Pull Off its Malicious Tricks</a> (March 15, 2017) A new Point of Sale (POS) malware dubbed "MajikPOS" has been observed attacking targets in the wild with unique features, according to Trend Micro researchers. MajikPOS is capable of using Remote Access Trojans (RATs) to attack its target endpoints. The malware has been identified attacking Remote Desktop Protocols (RDPs) and Virtual Network Computing (VNC) by testing generic credentials, and brute force attacking accounts. MajickPOS scrapes Random Access memory for the presence of credit card data by multiple vendors, which is then sent to a C2 and posted for sale on underground markets. Recommendation: POS security relies on the same type of preventative measures as all others, as they are a specific type of computer. In the case of a confirmed MajickPOS infection, the POS system should be taken offline until it can be completely wiped and restored to its original factory settings. Tags: MajickPOS, Malware, Credit card theft, RATs<a href="http://www.malware-traffic-analysis.net/2017/03/15/index5.html" target="_blank">Blank Slate Malspam Campaign Spreading Cerber Ransomware</a> (March 15, 2017) A spam campaign dubbed "Blank Slate" because of the lack email subject lines, has increased its botnet activity to primarily deliver Cerber ransomware; Sage 2.0 and Locky ransomware were also observed. The emails contain malicious Word documents that warns the recipient to enables macros to properly view the document. If a user enable macros, or opens a .js file, the Word macro or .js file will reach out to web server to receive the malware and begin the infection process. Recommendation: Your company should have policies in place that remind your employees to be meticulous and skeptical while reading emails. Anti-spam and antivirus protection should always be employed, and employees should always observe failed financial transactions, poor grammar, and urgent label subject lines with the utmost caution. Tags: Malspam, Cerber, Ransomware, Phishing<a href="http://researchcenter.paloaltonetworks.com/2017/03/unit42-nexuslogger-new-cloud-based-keylogger-enters-market/" target="_blank">NexusLogger: A New Cloud-based Keylogger Enters the Market</a> (March 15, 2017) A new keylogger malware dubbed "NexusLogger," that was first discovered in late 2016, has been identified to be currently targeting individuals via phishing attacks, according to Unit 42 researchers. NexusLogger masquerades as a "Parental Monitoring Software Solution," and is offered for purchase on underground markets for prices ranging from $7 to $199 depending on the length of subscription. Interestingly, the ransomware also specifically targets online game credentials for Minecraft, Origin, Steam, and UPlay. Recommendation: The impersonation of legitimate services continues to be an effective phishing tactic to deliver malware. All employees should be informed of the threat phishing poses, how to identify such attempts, and inform the appropriate personnel when they are identified. In the case of NexusLogger infection, the affected systems should be wiped and reformatted. Tags: Keylogger, Malware, Phishing<a href="http://thehackernews.com/2017/03/yahoo-russian-hacker.html" target="_blank">U.S. Charges Two Russian Spies and Two Hackers for Hacking 500 million Yahoo Accounts</a> (March 15, 2017) U.S. prosecutors claim that approximately 30 million yahoo email accounts were targeted in a massive spam campaign in order to gather information on their owners. The targeted individuals consist of journalists, government officials, and technology company employees. Yahoo had previously reported in 2016 that they believed that the 2014 incident that compromised over 500 million Yahoo accounts was conducted by a state-sponsored group. The four defendants include two officers from the Russian Security Service (FSB), and two threat actors identified as Alexesey Alexseyvich Belan and Karim Baratov. Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security, as well as having prevention and detection capabilities in place. Furthermore, all employees should be educated on the risks of phishing, and how to identify such attempts. Tags: Malspam, Yahoo, APT<a href="https://www.scmagazineuk.com/massive-data-leak-in-us-air-force-exposes-details-of-4000-officers/article/644225/" target="_blank">Massive Data Leak in the U.S. Air Force Exposes Details of Over 4,000 Officers</a> (March 15, 2017) Researchers have discovered than an unnamed U.S. Air Force (USAF) Lieutenant Colonel's backup drive was misconfigured in a way that could allow anyone to access sensitive information it contained. An unspecified amount of gigabytes was found to be accessible that included Personally Identifiable Information (PII) of over 4,000 USAF officers consisting of full names, home addresses, list of security clearances, phone numbers and contact information of staff and their spouses, and social security numbers. Recommendation: Identity theft and fraud risks are always present for individuals who do not carefully monitor their credit card statements and online banking activity. Bank accounts and credit card numbers should be protected with the utmost care, and only used with vendors that you trust to keep your information in compliance with the relevant standards. Always monitor your accounts and use identity prevention / fraud prevention services to add an additional layer of security to your accounts. Tags: Compromise, PII, Identity theft<a href="https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/" target="_blank">PetrWrap: The New Petya-Based Ransomware Used in Targeted Attacks</a> (March 14, 2017) A new campaign has been discovered to be targeting organizations networks in order to download ransomware, according to Kaspersky researchers. The threat actors are targeting servers with unprotected Remote Desktop Protocol (RDP) access. The actors have created a trojan dubbed Petrwrap that is written in C and compiled in MS Visual Studio and carries version three of Petya ransomware inside. The PetrWap trojan waits approximately 90 minutes before decrypting the Dynamic Link Library (DLL) of Petya calling the function that prepares the ransomware for further instructions. Recommendation: Ensuring that your server is always running the most current software version is vitally important. Additionally, maintaining secure passwords for RDP and other remote access systems is paramount, and passwords should be changed on a frequent basis. Furthermore, always practice Defense in Depth (don't rely on single security mechanisms - security measures should be layered, redundant, and failsafe). In the case of ransomware infection, the affected systems should be wiped and reformatted, and other machines on the same network should be scanned for other potential infections. Tags: PetrWrap, Ransomware, Trojan<a href="https://threatpost.com/adobe-fixes-six-code-execution-bugs-in-flash/124302/" target="_blank">Adobe Fixes Six Code Execution Bugs in Flash</a> (March 14, 2017) Adobe has once again released patches for vulnerabilities found in their Flash Player on "Patch Tuesday." Seven vulnerabilities were patched, six of which could be exploited by threat actors to execute malicious code. The patch covered the following vulnerabilities: one regarding buffer overflow, two concerning memory corruption, and three that could be used after initial exploitation that can trigger code execution. Recommendation: Patch Tuesday should be observed every week in order to apply the latest security updates to software used by your company. In Adobe's case, it is common for new vulnerabilities to be identified quite regularly. Utilizing the automatic update feature in Flash Player is a good mediation step to ensure that your company is always using the most recent version. Tags: Adobe, Vulnerabilities<a href="http://www.securityweek.com/actively-exploited-struts-flaw-affects-cisco-products" target="_blank">Actively Exploited Struts Flaw Affects Cisco Products</a> (March 13, 2017) Cisco products have been identified to affected by a newly discovered vulnerability dubbed "CVE-2017-5638." The vulnerability affects Cisco Identity Services Engine (ISE), specifically Apache Struts versions 2.3.5 through 2.3.31, 2.5 through 2.5.10, as well as 2.3.32 and 2.5.10. CVE-2017-5638 is a remote code execution vulnerability that has been actively exploited by threat actors in the wild, however Cisco researchers report that they have not seen attackers specifically target their products. Recommendation: Zero day based attacked can sometimes be detected by less conventional methods, such as behavior analysis, and heuristic and machine learning based detection systems. Threat actors are often observed to attack with vulnerabilities even after they have been patched by the affected company. Therefore it is crucial that policies are in place to ensure that all employees install patches as soon as they are made available. Tags: Vulnerabilities<a href="http://cyberwarzone.com/turkish-cyberattack-dutch-companies-erdogan-speech/" target="_blank">Cyberattacks Hits The Dutch After Erdogan Speech</a> (March 13, 2017) Websites based in the Netherlands have been defaced by a team of threat actors identifying themselves as "PrivateHackers." These defacements appear to have occurred because of tensions between the Dutch and Turkish governments. The tension has arisen because of the Dutch government barring Turkish officials from holding rallies in Rotterdam. Turkish President Recep Tayyip Erdoğan then accused the Dutch of contributing to the Srebrenica massacre in Bosnia, 1995, in regards to Dutch United Nations' peacekeepers failure to protect Muslim men who were killed. Recommendation: This story represents potential threats and attacks that can arise based on current political developments. Therefore, awareness of tension between countries and governments can potentially grant some insight as to where attacks may originate. It is crucial that server software be kept up-to-date with the most current versions, and that all external facing assets are carefully monitored and scanned for unusual activity and vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs. Tags: Defacements<h2>Observed Threats</h2>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. Click <a href="https://www.anomali.com/products/threatstream">here</a> to request a trial.<a href="https://ui.threatstream.com/tip/7453" target="_blank">Cerber Ransomware Tool Tip</a> Cerber is ransomware that surfaced in January of 2016. Cerber is sold on hacking forums and criminal bulletin board systems. Cerber has been in constant development with version 4 being released around the month of October of 2016. Cerber has been distributed through phishing lures, exploit kits and malvertisement. Tags: cerber, ransomware