Weekly Threat Briefing: 50,000 Enterprise Firms Running SAP Software Vulnerable to Attack

<div id="weekly">The intelligence in this week’s iteration discuss the following threats: APT, Backdoor, BEC, Data breach, Data leak, Malspam, Malvertisements, Phishing, Ransomware, targeted attacks, and Vulnerabilities. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.<div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><a href="https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/" target="_blank">“MegaCortex” Ransomware Wants to be The One</a> (May 3, 2019) A new ransomware family, called “MegaCortex”, may have a relationship with threat actors distributing the “Emotet” and Qakbot” trojans, according to SophosLabs Uncut researchers. MegaCortex is distributed via a “convoluted infection methodology” that “leverages both automated and manual components”. Researchers found MegaCortex primarily uses automated attacks conducted through an unnamed “common red-team attack tool script” that then creates a “Meterpreter” reverse shell. The reverse shell uses batch files from remote servers, commands to only instruct the malware to drop second payloads, and PowerShell scripts on infected machines. Researchers found that in at least one instance, the ransomware attack began with a domain controller inside the target network, which may indicate an inside job, and in other incidents MegaCortex was found on the same systems as Emotet and Qakbot. Since MegaCortex was first found in a VirusTotal submission in January 2019, the new ransomware may have connections with the actors behind Emotet and Qakbot, but as of this writing it is unconfirmed. Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place in addition to a business continuity policy in place. In the unfortunate case a reproducible backup is not in place, make sure to check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for threat actors. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&CK] PowerShell (T1086)</a> | <a href="https://ui.threatstream.com/ttp/947077">[MITRE ATT&CK] Windows Management Instrumentation (T1047)</a> Tags: Ransomware, MegaCortex<a href="https://www.zdnet.com/article/50000-enterprise-firms-running-sap-software-vulnerable-to-attack/" target="_blank">50,000 Enterprise Firms Running SAP Software Vulnerable to Attack</a> (May 2, 2019) Researchers from Onapsis Research Labs have identified potential vulnerabilities in SAP software. The exploit tool, named “10KBlaze”, utilizes errors in the SAP NetWeaver installation configuration, allowing attackers to gain unrestricted access to SAP systems. This could lead to compromises of the software such as theft of sensitive information, and deletion of application data. Business transactions including creating vendors, releasing shipments, generating reports, and payments can be carried out with this exploit. It is estimated that 50,000 enterprises are vulnerable to this attack. Recommendation: Threat actors are consistently looking for new ways to conduct malicious activity, therefore, it is crucial that your company has security and patch-maintenance policies in place. SAP is recommending users to follow SAP Security Note #821875, #1408081, #1421005. The security update should be applied as soon as possible to avoid potential exploitation by this new tool. Tags: Vulnerability, SAP systems, Exploit tool, 10KBlaze<a href="https://www.sentinelone.com/blog/formbook-yet-another-stealer-malware/" target="_blank">Formbook | Yet Another Stealer Malware</a> (May 2, 2019) SentinelOne researchers have detected a malspam campaign spreading the financial malware, “Formbook”. The malware has been spread with an RTF file containing malicious code to exploit the vulnerability, registered as “CVE-2017-8570”, which is a remote code execution vulnerability in Microsoft Office. Formbook itemizes the processes on the victim’s system, with the payload ceased from infecting if a blacklisted process, primarily virtual machine software, is detected. Once the payload is loaded into the system, legitimate processes are infected with malicious code with the ability to avoid detection. The malware then will likely be used to inject code into browsers to exfiltrate data from the browser. Recommendation: Always be on high alert while reading email, in particular when it contains attachments, attempts to redirect to a URL, contains an urgent label, or uses poor grammar. Use anti-spam and antivirus protection and avoid opening email from untrusted or unverified senders. Additionally, it is important to have a comprehensive and tested backup solution in place for the unfortunate case of ransomware infection. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&CK] User Execution (T1204)</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a> Tags: Malware, Information-stealer, Formbook<a href="https://www.tripwire.com/state-of-security/security-data-protection/unprotected-database-exposed-13-7m-users-employment-information/" target="_blank">Unprotected Database Exposes 13.7m Users' Employment Information</a> (May 2, 2019) Security researcher, Sanyam Jain has discovered an unprotected database of personal and employment information of 13.7 million individuals. The database that is viewable by anyone online, contains information belonging to a New-York job recruitment site, “Ladders.” The database includes email addresses, employment history, IP addresses, names, postal addresses, phone numbers, and security clearances. The database was an Amazon Web Service (AWS) managed ElasticSearch that was not password protected. Ladders has responded by taking the database offline. Recommendation: Due to the risk of phishing attacks, Ladders users should change their account passwords, along with other online accounts that share the same password. It is crucial for companies working with personal information to have adequate authentication and security to avoid customer data from becoming public. Tags: Database, Data breach<a href="https://www.riskiq.com/blog/labs/magecart-beyond-magento/" target="_blank">Not All Roads Lead to Magento: All Payment Platforms are Targets for Magecart</a> (May 1, 2019) RiskQ has identified a significant Magecart attack focused on Magento, a popular e-commerce platform. The attackers, known as Group 12, have been targeting multiple e-commerce platforms including Magento and OpenCart. Using a similar URL, the group injects a skimmer into the checkout page to steal payment details from customers. A common method of the group is to exploit vulnerabilities in online stores that are using outdated versions of e-commerce platforms. While the current attacks are focused on payment information, the attacks could likely expand to other information such as login credentials. Recommendation: Websites require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping software up to date, it is essential that all external facing assets are monitored and scanned for vulnerabilities. Tags: CVE-2017-8570, Financial malware<a href="https://www.bleepingcomputer.com/news/security/dell-computers-exposed-to-rce-attacks-by-supportassist-flaws/" target="_blank">Dell Computers Exposed to RCE Attacks by SupportAssist Flaws</a> (May 1, 2019) The preinstalled software in Dell devices running Windows, “SupportAssist Client,” was disclosed to suffer two high-severity vulnerabilities, registered as “CVE-2019-3719” and “CVE-2019-3718,” that could both allow for remote code execution. Dell stated that “An unauthenticated attacker, sharing the network access layer with the vulnerable system, can compromise the vulnerable system by tricking a victim user into downloading and executing arbitrary executables via SupportAssist client from attacker hosted sites.” Dell has issued a patched for these vulnerabilities. Recommendation: As a patch has been released, users with versions prior to 3.2.0.90 and later are recommended to update their system immediately due to the high severity rating of these vulnerabilities and the potential for an actor to take control of an affected system. Additionally, your company should have policies in place to review and apply security updates for software in use to protect against known vulnerabilities that threat actors may exploit. Tags: Vulnerability, Dell, SupportAssist, CVE-2019-3719, CVE-2019-3718<a href="https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/" target="_blank">New “Sodinokibi” Ransomware Exploits Critical Oracle WebLogic Flaw</a> (May 1, 2019) A critical-rated vulnerability, registered as “CVE-2019-2725,” in Oracle WebLogic server has been disclosed that allows for deserialisation and is being actively exploited in the wild to deliver a new ransomware called, “Sodinokibi.” The vulnerability allows a threat actor to make an HTTP connection to a WebLogic server and execute remote code without any authentication. In the campaign observed in the wild, threat actors will send an HTTP POST request to the vulnerable server, which contains a PowerShell command that downloads a file. That file, which contains the ransomware, is then saved locally and is executed on the computer. The ransom requests $2500 USD in Bitcoin to be sent to the threat actor’s specified wallet address. The malicious file also executes a legitimate Windows utility to manage shadow copies, allowing the threat actors to delete backup files on the machine. Recommendation: This vulnerability has been patched with an updated released on April 26, 2019. Because of the critical severity of this vulnerability, it is highly encouraged that users update their systems immediately to prevent exploitation. Your company should have policies in place in regards to maintaining server software in such a way that new security updates are applied as soon as possible. Threat actors will often use vulnerabilities that have already been issued patches because information and proof-of-concept code of an exploit sometimes become available on public sources once a patch has been issued. Actors of all levels of sophistication are known to exploit such vulnerabilities because as this story shows, many users and administrators do not apply security updates. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/1852">Exploitation of Vulnerability (ATT&CK T1068)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&CK] PowerShell (T1086)</a> | <a href="https://ui.threatstream.com/ttp/947233">[MITRE ATT&CK] Exploitation for Privilege Escalation (T1068)</a> Tags: Vulnerability, Oracle, WebLogic, Ransomware, Sodinokibi, CVE-2019-2725<a href="https://thehackernews.com/2019/04/electrum-bitcoin-wallet-botnet.html" target="_blank">Rapidly Growing Electrum Botnet Infects Over 152,000 Users; Steals $4.6 Million</a> (April 30, 2019) An ongoing attack against Electrum Bitcoin wallets has been observed to have been occurring since December 2018. Unknown threat actors exploited a vulnerability in Electrum’s infrastructure to phish users with a malicious software update download from an unofficial GitHub repository. Following the phishing campaign being noticed by the Electrum developers, an update was released to protect users, which the threat actors then responded by conducting Distributed-Denial-of-Services (DDoS) attacks on the legitimate servers to force users into connecting to the malicious GitHub nodes since the legitimate ones were overwhelmed. The DDoS attacks were conducted following the threat actors distributing a botnet, dubbed “ElectrumDoSMiner,” via the Smoke Loader RIG exploit kit. This campaign allowed the threat actors to garner an illicit profit of over $4.6 million in Bitcoin. Recommendation: The most recent version of Electrum are not susceptible to phishing attacks so users are encouraged to update their software to version 3.3.4 via the official Electrum site. It is also encouraged that users disable the auto-connect feature in the wallet application and manually select a server to prevent DDoS attacks. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&CK] Spearphishing Link (T1192)</a> Tags: DDoS, Phishing, Electrum Bitcoin, ElectrumDoSMiner<a href="https://unit42.paloaltonetworks.com/behind-the-scenes-with-oilrig/" target="_blank">Behind the Scenes with OilRig</a> (April 30, 2019) Iranian-based threat actors, “LabDookhtegan,” recently leaked a massive amount of information about an Iranian Ministry of Intelligence-linked Advanced Persistent Threat (APT) group, “OilRig” (also known as APT34 and HELIX KITTEN). The group released a data dump that included OilRig’s backdoors, Command and Control (C2) server components, credential dumps, and webshells amongst several other files of interest. According to Palo Alto researchers, they “identified nearly 13,000 stolen credentials, over 100 deployed webshells, and roughly a dozen backdoor sessions into compromised hosts across 27 countries, 97 organizations, and 18 industries.” Recommendation: The leak of APT data and tools increases the likelihood that other threat actors will utilize sophisticated malware for malicious purposes. The leak of OilRig information may also make attribution amongst different threat groups more difficult due to previously private malware having become publicly available. Defence-in-depth (layering of security mechanisms, redundancy, fail-safe defence processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts. Tags: APT, OilRig, APT34, Poison frog, OopsIE<a href="https://blog.eset.ie/2019/04/30/buhtrap-backdoor-and-ransomware-distributed-via-major-advertising-platform/" target="_blank">Buhtrap Backdoor and Ransomware Distributed via Major Advertising Platform</a> (April 30, 2019) Researchers from ESET have discovered a campaign that has been ongoing since October 2018 and utilises malicious advertisements posted through “Yandex.Direct” to target organisations in Russia to infect them with the backdoors “Buhtrap” and “RTM.” The advertisements were reported to be related to accounting or legal aid services, and appeared as a banner on several legitimate websites, tricking users into thinking it was also legitimate. Many of the searches in the malicious fake website were for examples and template of claims, contracts, invoices, and other legal documents. If a user downloads any of the “templates,” they are then infected with Buhtrap, which acts as a ransomware, and the RTM backdoor, that acts as a banking trojan in the machine. Recommendation: This campaign is a good example of how legitimate advertisement services can be abused to distribute malware. Users should always make sure the source from where they download software is a well-known, reputable software distributor, to avoid being caught by such a scam. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&CK] User Execution (T1204)</a> | <a href="https://ui.threatstream.com/ttp/947101">[MITRE ATT&CK] Code Signing (T1116)</a> | <a href="https://ui.threatstream.com/ttp/947136">[MITRE ATT&CK] Deobfuscate/Decode Files or Information (T1140)</a> | <a href="https://ui.threatstream.com/ttp/947195">[MITRE ATT&CK] File and Directory Discovery (T1083)</a> | <a href="https://ui.threatstream.com/ttp/947123">[MITRE ATT&CK] Network Share Discovery (T1135)</a> | <a href="https://ui.threatstream.com/ttp/947154">[MITRE ATT&CK] Winlogon Helper DLL (T1004)</a> | <a href="https://ui.threatstream.com/ttp/947268">[MITRE ATT&CK] Hidden Files and Directories (T1158)</a> | <a href="https://ui.threatstream.com/ttp/947118">[MITRE ATT&CK] Clipboard Data (T1115)</a> | <a href="https://ui.threatstream.com/ttp/947193">[MITRE ATT&CK] Automated Exfiltration (T1020)</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&CK] Exfiltration Over Command and Control Channel (T1041)</a> | <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&CK] Web Service (T1102)</a> | <a href="https://ui.threatstream.com/ttp/947291">[MITRE ATT&CK] Commonly Used Port (T1043)</a> | <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&CK] Standard Application Layer Protocol (T1071)</a> | <a href="https://ui.threatstream.com/ttp/947130">[MITRE ATT&CK] Execution through API (T1106)</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&CK] Input Capture (T1056)</a> | <a href="https://ui.threatstream.com/ttp/947271">[MITRE ATT&CK] Two-Factor Authentication Interception (T1111)</a> | <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&CK] Data Encrypted (T1022)</a> | <a href="https://ui.threatstream.com/ttp/947278">[MITRE ATT&CK] Remote File Copy (T1105)</a> Tags: Malvertisment, Yandex, Backdoor, Ransomware, Buhtrap, RTM<a href="https://thehackernews.com/2019/04/america-personal-data.html" target="_blank">Unprotected Database Exposes Personal Info of 80 Million American Households</a> (April 30, 2019) A publicly-accessible database, containing 24 GB of information on US households, has been identified by VPNMentor’s research team. The unsecure information contains addresses, birth dates, gender, income, marital status, and names on over 80 million households. Hosted on a Microsoft Cloud server, the database was found while the research team scanned IP blocks looking for holes in web systems. The owner of the database is currently unknown as the researchers have appealed to the public to help them in identifying the owner. The database was available publicly without password access for at least several years, has now been taken offline. Recommendation: It is crucial for your company to verify that access control is configured correctly prior to adding any sensitive data. As this story portrays, a misconfigured database has the potential to cause significant harm to individuals and a company’s reputation. Leaks of this sort causes individuals to be at a large risk of phishing attacks. Actors can use this information to coerce more personal data from the victim. Users should also monitor their credit in order to make sure that nothing out of the ordinary is happening and no identity fraud is being committed. Tags: Data breach, Misconfigured server, PII<a href="https://www.bleepingcomputer.com/news/security/175-million-stolen-by-crooks-in-church-bec-attack/" target="_blank">$1.75 Million Stolen by Crooks in Church BEC Attack</a> (April 29, 2019) The Saint Ambrose Catholic Parish in Brunswick, Ohio fell victim to a Business Email Compromise (BEC) scam that resulted in a loss of $1.75 million USD. The parish released a statement that they had received an email from their contractor, “Marous Brothers,” regarding being behind in payments for the church’s “Vision 2020 project” that the contractor is working on. The email the church received stated that they were two months behind and owed $1.75 million dollars, and the church resubmitted payment to the purportedly new bank account number for the contractor. Following an investigation, law enforcement found that threat actors compromised the parish’s email system somehow, though no other IT asset was compromised in the attack. Recommendation: It is helpful for your business to use a company domain for email accounts, and maintain policies to educate employees to identify BEC attempts. Corporate email accounts should also employ two-factor authentication to add another layer of protection to email accounts that contain sensitive information. Email account security is paramount because many threat actors use brute force attacks that could easily gain access to an account with a weak password. As this incident portrays, it is best practice to directly verify the information in the email via other means to ensure that the request for money or other things is legitimate prior to sending anything. Tags: BEC, Church, Phishing</div><div id="observed-threats"><h1 id="observedthreats">Observed Threats</h1></div><div id="threat_model">This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. <a href="https://www.anomali.com/products" target="_blank">Click here to request a trial</a>.<h3><a href="https://ui.threatstream.com/actor/4411">OilRig</a></h3> The Advanced Persistent Threat (APT) group “OilRig” is believed to be an Iranian-based group that has been active since at least 2014. OilRig conducts cyber espionage operations focused on reconnaissance that benefits Iranian nation-state interests. OilRig uses a mix of public and custom tools to primarily target entities located in the Middle East.</div></div>