January 28, 2020 - Anomali Threat Research

Weekly Threat Briefing: Over Half of Organisations Were Successfully Phished In 2019

<div id="weekly"><p id="intro">The various threat intelligence stories in this iteration of the Weekly Threat Briefing (WTB) discuss the following topics: <strong>BitPyLock, Business Email Compromise, Data Breaches, Konni Group, Phishing, </strong>and<strong> Zero-Day.</strong> The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.</p><p><img src="https://cdn.filestackcontent.com/PKcDRUMTS92dRu3I5Ovc"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this briefing and provide a glimpse of the threats discussed.</b></p><div id="trending-threats"><h1 id="trendingthreats">Trending Threats</h1><p><a href="https://www.bleepingcomputer.com/news/security/paypal-american-express-phishing-kits-added-to-16shop-service/" target="_blank"><b>Paypal, American Express Phishing Kits Added to 16Shop Service</b></a> (<i>January 25, 2020</i>)<br/> The phishing distribution network 16Shop has started circulating phishing templates specifically targeting PayPal and American Express users. 16Shop validates its licenses in real time and blocks web crawlers from security vendors so that the phishing pages can stay online longer. Kits for the PayPal and Amazon templates have been distributed in various languages, including but not limited to English, German, Japanese, Spanish and Thai. The phishing pages focus on capturing login credentials, card details, personal addresses and other Personally Identifiable Information (PII). Researchers from ZeroFOX have found that 16Shop has incorporated several techniques to ensure the longevity of its phishing campaigns. 
These include bot detection, blacklisting of security vendor products, and the use of web crawler detection software.<br/> <a href="https://forum.anomali.com/t/paypal-american-express-phishing-kits-added-to-16shop-service/4533" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&amp;CK] Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&amp;CK] Exfiltration Over Command and Control Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a> | <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a></p><p><a href="https://www.bankinfosecurity.com/hackers-target-european-energy-firm-researchers-a-13645" target="_blank"><b>Hackers Target European Energy Firm</b></a> (<i>January 24, 2020</i>)<br/> A report from Recorded Future analysts details a targeted campaign by several Iranian-backed threat groups against several unnamed U.S. and European energy sector businesses. The threat actors behind the operations used several open source tools, including the Remote Access Tool (RAT) Pupy, which can be downloaded from GitHub. 
This use of Pupy and other open source tools has given Recorded Future reason to believe that the group conducting these attacks is the Advanced Persistent Threat (APT) group APT33, aka Elfin, Refined Kitten, Magnallium, and Holmium.<br/> <a href="https://forum.anomali.com/t/hackers-target-european-energy-firm/4534" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947137">[MITRE ATT&amp;CK] Supply Chain Compromise - T1195</a> | <a href="https://ui.threatstream.com/ttp/947289">[MITRE ATT&amp;CK] Custom Command and Control Protocol - T1094</a> | <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a></p><p><a href="https://www.zdnet.com/article/hackers-target-unpatched-citrix-servers-to-deploy-ransomware/" target="_blank"><b>Hackers Target Unpatched Citrix Servers to Deploy Ransomware</b></a> (<i>January 24, 2020</i>)<br/> Threat actors distributing the Sodinokibi ransomware are exploiting the vulnerability “CVE-2019-19781” on unpatched Citrix servers to deploy ransomware on them. The vulnerability, “CVE-2019-19781”, if exploited, enables threat actors to perform arbitrary code execution on affected systems, which include the Citrix Application Delivery Controller (ADC), Citrix Gateway and two older versions of the Citrix SD-WAN WANOP. 
The vulnerability was first announced on December 17, 2019, and at the time of writing, 11,732 vulnerable Citrix servers remain unpatched.<br/> <a href="https://forum.anomali.com/t/hackers-target-unpatched-citrix-servers-to-deploy-ransomware/4535" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a></p><p><a href="https://www.helpnetsecurity.com/2020/01/24/phishing-attacks-2019/" target="_blank"><b>Over Half of Organisations Were Successfully Phished In 2019</b></a> (<i>January 24, 2020</i>)<br/> Eighty-eight percent of organisations worldwide recorded spearphishing attempts in 2019, and fifty-five percent of them were compromised. The true figures are likely higher, since companies prefer not to disclose compromises that could affect company value. Reports of suspicious emails rose by sixty-seven percent in 2019 compared to 2018. 
Most compromises stem from a lack of security awareness among employees: forty-five percent of surveyed employees admitted to password reuse, and more than half do not password-protect their home networks.<br/> <a href="https://forum.anomali.com/t/over-half-of-organisations-were-successfully-phished-in-2019/4536" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a></p><p><a href="https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/" target="_blank"><b>The Fractured Statue Campaign: U.S. Government Targeted in Spearphishing Attacks</b></a> (<i>January 23, 2020</i>)<br/> Unit 42 researchers have identified malware families related to the Konni group targeting US government agencies, leveraging the socio-geopolitical tensions between North Korea and the US to lure targets into opening malicious email attachments. Konni originally referred to a Remote Access Trojan (RAT) linked to targeted campaigns from North Korea; later campaigns showed large overlaps in TTPs without using the RAT itself, so researchers from Unit 42 now refer to the group behind these operations as “Konni Group”, with activity first cited in July 2019. The group is using a new downloader called “CARROTBALL” in its campaigns. Each malicious document was sent from Russian email addresses, with the lures written in Russian. 
The documents consistently used the newly named second-stage downloader CARROTBALL, primarily to download SYSCON payloads.<br/> <a href="https://forum.anomali.com/t/the-fractured-statue-campaign-u-s-government-targeted-in-spearphishing-attacks/4537" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a></p><p><a href="https://securelist.com/shlayer-for-macos/95724/" target="_blank"><b>Shlayer Trojan Attacks One in Ten macOS Users</b></a> (<i>January 23, 2020</i>)<br/> Active since May 2018, the Shlayer trojan downloader has now been encountered by one in ten macOS users and accounts for 30% of all malware detections on Mac systems. Shlayer is distributed by posing as other content, such as live streams of sports events or downloads of tools such as Adobe Flash Player. Users are redirected to legitimate-looking web pages that encourage them to download Shlayer believing it is something else; such links have been seen in YouTube videos and Wikipedia articles. Once the malware’s DMG image is mounted, the user is asked to run an installer, which actually contains several Python scripts, one of which collects the user ID, system ID and other details about the macOS version. Once Shlayer has carried out all its tasks, the trojan deletes the downloaded archive and any of its unpacked contents to remove indications of infection. 
The US is the primary target, accounting for 31% of attacks, with Germany second at 14%.<br/> <a href="https://forum.anomali.com/t/shlayer-trojan-attacks-one-in-ten-macos-users/4538" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947164">[MITRE ATT&amp;CK] File Deletion - T1107</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a></p><p><a href="https://www.vpnmentor.com/blog/report-thsuite-breach/" target="_blank"><b>Cannabis Users' Sensitive Data Exposed in Data Breach</b></a> (<i>January 22, 2020</i>)<br/> THSuite, a point-of-sale system used in the cannabis industry, has suffered a data leak that exposed the Personally Identifiable Information (PII) of over 30,000 individuals. Exposed details include, but are not limited to, cannabis purchased, date of birth, dispensary sales, email addresses, full names, medical ID numbers, phone numbers and street addresses. Researchers from vpnMentor found unsecured and unencrypted Amazon S3 buckets owned by THSuite, which exposed sensitive data from multiple marijuana dispensaries. Affected dispensaries include Amedicanna Dispensary, a medical dispensary based in Maryland, and Bloom Medicinals, a medical dispensary with locations in Akron, Columbus, Maumee, Painesville and Seven Mile. 
The recreational dispensary Colorado Grow Company, based in Durango, Colorado, was also affected.<br/> <a href="https://forum.anomali.com/t/cannabis-users-sensitive-data-exposed-in-data-breach/4540" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a></p><p><a href="https://www.comparitech.com/blog/information-security/microsoft-customer-service-data-leak/" target="_blank"><b>250 Million Microsoft Customer Service and Support Records Exposed on the Web</b></a> (<i>January 22, 2020</i>)<br/> Comparitech researchers discovered the exposure of nearly 250 million Customer Service and Support (CSS) records on five vulnerable Elasticsearch servers. Personally Identifiable Information (PII) such as contract numbers, email aliases and payment information had been removed from the records. However, a large number of records contained plain-text data including: case numbers, CSS claims and cases, customer email addresses, internal notes, IP addresses, locations, and Microsoft support agent emails, among others.<br/> <a href="https://forum.anomali.com/t/250-million-microsoft-customer-service-and-support-records-exposed-on-the-web/4541" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a></p><p><a href="https://www.helpnetsecurity.com/2020/01/21/mitsubishi-electric-data-breach/" target="_blank"><b>Mitsubishi Electric discloses data breach, possible data leak</b></a> (<i>January 21, 2020</i>)<br/> The Japanese manufacturing company Mitsubishi Electric has released details of a data breach that occurred six months ago, in June 2019. 
The affected information includes Personally Identifiable Information (PII) of customers and corporate confidential information. Allegedly, the threat actors behind the compromise gained access to the systems of an affiliated company in China and conducted a supply-chain compromise to breach Mitsubishi computer networks with hijacked accounts. The leaked data includes addresses, dates of birth, employment history, names, telephone numbers, and more. The suspected threat group behind the breach is the Chinese group TICK (aka BRONZE BUTLER or REDBALDKNIGHT).<br/> <a href="https://forum.anomali.com/t/mitsubishi-electric-discloses-data-breach-possible-data-leak/4542" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947209">[MITRE ATT&amp;CK] Third-party Software - T1072</a> | <a href="https://ui.threatstream.com/ttp/947137">[MITRE ATT&amp;CK] Supply Chain Compromise - T1195</a> | <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a></p><p><a href="https://www.infosecurity-magazine.com/news/zero-ie-bug-exploited/" target="_blank"><b>Zero-Day IE Bug is Being Exploited in the Wild</b></a> (<i>January 21, 2020</i>)<br/> The US Government and Microsoft have issued warnings about a Remote Code Execution (RCE) vulnerability in Internet Explorer (IE) that is currently being exploited by threat actors. The zero-day has been registered as “CVE-2020-0674”, and exploitation gives threat actors the ability to execute code on the user’s system by corrupting memory. A successful exploit could grant threat actors the same rights as the legitimate user, which in turn could allow malicious programs to be deployed and personal files to be deleted, encrypted or exfiltrated. 
CVE-2020-0674 affects IE versions 9, 10, and 11 on Windows systems.<br/> <a href="https://forum.anomali.com/t/zero-day-ie-bug-is-being-exploited-in-the-wild/4543" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a></p><p><a href="https://www.bleepingcomputer.com/news/security/bitpylock-ransomware-now-threatens-to-publish-stolen-data/" target="_blank"><b>BitPyLock Ransomware Now Threatens to Publish Stolen Data</b></a> (<i>January 21, 2020</i>)<br/> A new ransomware called “BitPyLock” has been discovered by the researchers known as MalwareHunterTeam. This ransomware is capable of stealing information prior to encrypting data. Once executed, BitPyLock tries to stop any processes whose names contain strings relating to security software, and closes any files used by databases, user backups, virtual machines and web server daemons so that they can be encrypted for ransom. BitPyLock targets 346 file extensions for encryption. The ransomware also creates a ransom note called “HELP_TO_DECRYT_YOUR_FILES.html” that details how victims can send the bitcoin ransom to the specified bitcoin address.<br/> <a href="https://forum.anomali.com/t/bitpylock-ransomware-now-threatens-to-publish-stolen-data/4544" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947195">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a> | <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a></p></div></div>
