Anomali Detect

September 20 - 22, 2017

Anomali Weekly Threat Intelligence Briefing - May 16, 2017

May 16, 2017 | Gage Mele

Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Threats

This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.

"Patched" WannaCry Ransomware Has No Kill-Switch (May 15, 2017)
A new version of the WannaCry (WCry, WannaCrypt0r) ransomware, which first began infecting various companies and individuals around the globe on May 12, has been identified, according to researchers. This version reportedly does not have the kill-switch feature discovered by a security researcher called "MalwareTech." The researcher identified the feature which involves the malware calling out to a domain, and then halt its processes if a connection was made. MalwareTech was able to register the domain and prevented many infections from installing and propagating further.
Recommendation: This global ransomware outbreak uses U.S. National Security Agency (NSA) tools that were leaked by the threat group "Shadow Brokers" to distribute WCry; Microsoft issued patches that would prevent these exploitations with MS17-010 on March 14, 2017. These crucial security updates should be employed as soon as possible if they have been already.
Tags: Ransomware, WannaCry

NHS Hospitals Across England Hit by Large-Scale Cyberattack (May 12, 2017)
The U.K.'s National Health Service (NHS) has been breached with a strain a ransomware named "Wanna Decrptor," causing hospital systems across England to be inaccessible. The actors behind this incident are unknown, and are demanding a payment $300 USD worth of Bitcoins for the decryption key. Interestingly, the Bitcoin address that was provided has already received a payment of $266 and, as of this writing, it is unknown who paid the sum. NHS Digital has reached out to the National Cyber Security Centre to assist in mitigation.
Recommendation: The proper implementation and upkeep of backup files is further reiterated in this story, additionally, all servers and software applications should be kept up-to-date with the latest security patches. In the case of ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should also be checked for similar infections.
Tags: Ransomware, Breach

Telefonica Tells Employees to Shut Down Computers Amid Massive Ransomware Outbreak (May 12, 2017)
The Spanish telecommunications company Telefonica has been infected with the WCry (WannaCry, WannaCrypt0r) ransomware. This ransomware outbreak mostly affects Spain, but other countries including Germany, Indonesia, Japan, Kazakhstan, the Philippines, Russia, Taiwan, and Vietnam have also been affected with the same strain of malware. Telefonica employees have been instructed to shut down computers and VPN connections in attempts to prohibit the ransomware infections reach. Researchers believe that the malware is being distributed via U.S. National Security Agency (NSA) tools leaked by the threat group called "Shadow Brokers."
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. In the unfortunate case a reproducible backup is not in place, make sure to check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.
Tags: Ransomware, Breach

Jaff – New Ransomware From the Actors Behind the Distribution of Dridex, Locky, and Bart (May 11, 2017)
A new ransomware, dubbed "Jaff," has been discovered to be being distributed by a large-scale malspam campaign that is delivering tens of millions of messages. The messages contain PDF attachments with embedded Word documents that will download the Jaff ransomware if macros are enabled. The ransomware demands 1.79 bitcoins ($3,186 USD) for the decryption key.
Recommendation: Always run antivirus and endpoint protection software to assist in preventing ransomware infection. Maintain secure backups of all your important files to avoid the need to consider payment for the decryption key. Emails received from unknown sources should be carefully avoided, and attachments and links should not be followed or opened. Your company should sustain policies to consistently check for new system security patches. In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.
Tags: Ransomware, Malspam

Unpatched 0-Days In Vanilla Forums Let Remote Attackers Hack Websites (May 11, 2017)
Security researcher Dawid Golunksi has discovered two vulnerabilities in the open source forum software Vanilla Forums. One is a remote code execution vulnerability registered as "CVE-2016-10033," and the other is a host header injection vulnerability registered as "CVE-2016-10073." Golunksi claims that the vulnerabilities exist because Vanilla Forums is using a vulnerable version of a PHP library used to send emails called "PHPMailer." These vulnerabilities could allow actors to take complete remote control of a website. Currently approximately 500,000 websites are vulnerable to these attacks.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: Vulnerability, Website

Keylogger Found in Audio Driver of HP Laptops (May 11, 2017)
Multiple versions of HP laptops have been identified to contain a driver "feature" that functions as a keylogger and then saves the data in a local file, according to modzero researchers. The feature was discovered in version 1.0.0.46 and earlier of the Conexant HD Audio Driver Package. The preinstalled driver "monitors all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkeys" and stores the data in a local file located at "C:\users\public\MicTray.log."
Recommendation: The threat of preinstalled features has the ability of hiding from even the most cautious of users. If the machines affected by this feature are being used by your company, they should be properly inspected and the unwanted file that stores the gathered data removed.
Tags: Preintalled risk

Practice Makes Perfect: Nemucod Evolves Delivery and Obfuscation Techniques to Harvest Credentials (May 11, 2017)
The Unit 42 research team has discovered a new malspam phishing campaign that is distributing the Nemucod downloader malware via weaponized document attachments. The objective of this campaign is steal information and user credentials from an infected machine. Researchers discovered that the malicious documents in this campaign have underwent numerous revisions, with one such document being revised approximately 192 times. Many of the revisions not only updated malicious capabilities, but are also used to stay up-to-date with current media.
Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. It is important that your company institute policies to educate your employees on phishing attacks. Specifically, how to identify such attacks and whom to contact if a phishing email is identified.
Tags: Phishing, Malspam, Credential theft

Adobe Patches Critical Vulnerabilities in Flash, OEM (May 10, 2017)
Adobe has released patches for eight critical vulnerabilities in Flash Player and Adobe Experience Manager (AEM). Seven of the vulnerabilities affect Adobe Flash and CVE-2017-3067 affects AEM. Six of the vulnerabilities involve memory corruption, one is a user-after-free vulnerability (class of memory corruption), and one can allow actors to breach the pre-population service in AEM forums.
Recommendation: Patch Tuesday should be expected every month in order to apply the latest security patches to software utilized by your company. In Adobe's case, it is common for new vulnerabilities to be identified quite regularly. Utilizing the automatic update feature in Flash Player is a good mediation step to ensure that your company is always using the most recent version.
Tags: Vulnerability

Sednit Adds Two Zero-day Exploits Using 'Trump's Attack on Syria' As A Decoy (May 10, 2017)
The Advanced Persistent Threat (APT) group called "Sednit" (APT28, Fancy Bear, and Sofacy) has been identified to be behind a new phishing campaign, according to ESET researchers. This campaign is politically-themed with the subject lines of one of the emails titled "Trump's Political Report." Additionally, the emails contain a malicious Word document attachment titled "Trump's Attack on Syria" that uses two exploits, CVE-2017-0261 and CVE-2017-0263, to install the malware dropper "Seduploader."
Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of phishing, how to identify such attempts.
Tags: Phishing, Zero-day, APT

RIG EK at 92.53.119.66 Drops Dreambot (May 9, 2017)
Researchers have discovered that an iframe on a fake website is returning a landing page that is distributing the Dreambot banking trojan. The pre-landing page is using a script that fingerprints the visiting system and prepares the URL for the RIG Exploit Kit. The next step is to attempt to use Adobe Flash to drop a Dreambot payload and execute it in the "%Temp%" directory.
Recommendation: Exploit kits have become one of the most common types of crimeware currently available to the less than sophisticated threat actor. The kits, put together by skilled actors, are then sold to criminal groups as easily deployable exploitation frameworks. The best protection from exploit kits is through employee education in combination with keeping web browsing software (including extensions such as flash and java) up to date at all times, as well as operating system software. Users should be educated on how to browse the web as safely as possible, and to report any suspicious symptoms observed on their devices to IT/secops immediately. In the case of a compromise by RIG, the infected system must be wiped and reformatted.
Tags: Malspam

Persirai: New Internet of Things (IoT) Botnet Targets IP Cameras (May 9, 2017)
A new IoT botnet called "Persirai," has been discovered to be actively targeting Internet Protocol (IP) camera models, according to Trend Micro researchers. Approximately 120,000 IP cameras have been detected to be vulnerable to this botnet. A significant amount of vulnerable cameras that were identified are using the Universal Plug and Play (UPnP) protocol that allows devices to open a port on a router and act like a server.
Recommendation: Your company should ensure that all internet-connected devices and systems are properly patched and carefully monitored for suspicious activity. Additionally, internet-of-things (IoT) devices such as smart phones and tablets that are brought it by your employees need to be viewed as a potential risk. Employees should be properly educated on how to keep their professional and personal devices properly secured.
Tags: IoT Botnet

Microsoft Releases Emergency Patch for 'Crazy Bad' Windows Zero-Day Bug (May 9, 2017)
The severe Windows remote code execution vulnerability, registered as CVE-2017-0290, discovered by Google Security researcher Tavis Ormandy has been issued a patch by Microsoft. The vulnerability can allow threat actors to worm into the LocalSystem account and take over the entire system if the Microsoft Malware Protection Engine scans a malicious file.
Recommendation: Patch Tuesday should be expected every month in order to apply the latest security patches to software utilized by your company. In this instance, Microsoft will be issuing the patch automatically to vendors over the next 48 hours beginning on May 9.
Tags: Vulnerability

Thousands of Devices Hacked by Rakos Botnet (May 8, 2017)
Additional information on the Linux malware called "Rakos," first identified in December 2016, has been published by Morphus Labs researchers. Researchers used fake nodes, honeypots, and web crawlers to determine the amount of compromised devices to be at approximately 25,000, or approximately 8,300 infections per day throughout 178 countries. Rakos is a peer-to-peer botnet with each infect host receiving IP addresses from a C2 to further target.
Recommendation: This botnet takes advantage of internet connected devices which have been misconfigured, leaving the door wide open to the world. Any device that connects to the internet must be treated as a security liability, and default usernames and passwords must be disabled. Organizations and defenders should be aware of all their internet facing assets and have them under strict monitoring.
Tags: Botnet

BitKangoroo Ransomware Deletes Your Files If You Do Not Pay (May 8, 2017)
A new strain of ransomware called "BitKangoroo," has been identified to use an interesting tactic, that is, deleting one file every 60 minutes. The malware demands one Bitcoin (currently $1,755 USD) to decrypt all of the files that have been encrypted. At the time of this writing, the malware still appears to be in the developmental stages because it will only encrypt files located on the desktop.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. If a reproducible backup is not available, there may a decryptor available that can assist in retrieving encrypted files. Additionally, educate your employees about the dangers of downloading applications when they are not offered from the website of the official provider/developer.
Tags: Ransomware

FBI Reports Business Email Compromise Scams Result in $5 Billion + Losses Worldwide (May 8, 2017)
The United States' Federal Bureau of Investigation (FBI) has published a public service announcement discussing the scale and dangers posed by Business Email Compromise (BEC). This type of attack takes place when a threat actor compromises an email account of a targeted company that is then used to conduct unauthorized transfers of funds or to send phishing emails to other employees and targeted entities. The FBI reports that between October 2013 and December 2016 more than 40,000 BEC incidents took place around the world, and between January 2015 and December 2016 there was a 2,379% increase in "identified exposed losses."
Recommendation: It is important for your business to use a company domain for email accounts, and maintain policies to educate employees to identify BEC attempts. Corporate email accounts should also employ two-factor authentication to add another layer of protection to email accounts that contain sensitive information.
Tags: BEC

Spectacular Phishing Attack Pushes Google to Improve Defenses (May 8, 2017)
Researchers claim that the Google-themed phishing campaign which took advantage of OAuth interface in the first week of May has potential to occur again. Researchers believe this because warnings about OAuth date back to 2011, and were then reiterated again in 2014. The issue arises because the OAuth interface only shows a user the Google Drive icon, which was the same tactic used in this phishing campaign. Google claims they are working on new security features to protect users and impersonation of their services.
Recommendation: The impersonation of legitimate services continues to be an effective phishing tactic to deliver malware. All employees should be informed of the threat phishing poses, how to identify such attempts, and inform the appropriate personnel when they are identified. In the case of infection, the affected system should be wiped and reformatted; avoiding paying the cyber criminals is paramount. Implement a backup solution for your users to ease the pain of losing sensitive and important data.
Tags: Phishing

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. Click here to request a trial.

RIG exploit kit Tool Tip
The RIG exploit kit is a framework used to exploit client side vulnerabilities in web browsers. The RIG exploit kit takes advantage of vulnerabilities in Internet Explorer, Adobe flash, Java and Microsoft Silverlight. The RIG exploit kit was first observed in early 2014. The RIG exploit kit's objective is to upload malicious code to the target system. The RIG exploit kit is known to distribute ransomware, spambots and backdoors. Victims are redirected to the RIG exploit kit with a landing page coming from malvertising or compromised sites.
Tags: RIG, exploitkit

Gage Mele
About the Author

Gage Mele

Threat Intelligence Analyst

Get the latest threat intelligence news in your email.