September 10, 2019 - Anomali Threat Research

Weekly Threat Briefing: A Huge Database of Facebook Users' Phone Numbers Found Online

<div id="weekly"><p id="intro">The intelligence in this week’s iteration discusses the following threats: <strong>APT, malspam, phishing, targeted attacks, underground markets, </strong>and<strong> vulnerabilities.</strong> The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><p><a href="https://www.welivesecurity.com/2019/09/09/backdoor-stealth-falcon-group/" target="_blank"><b>ESET Discovered an Undocumented Backdoor Used by the Infamous Stealth Falcon Group</b></a> (<i>September 9, 2019</i>)<br/> A newly discovered backdoor has been attributed to the Stealth Falcon threat group, which has been known for targeting political activists, dissidents and journalists since at least 2012, according to ESET researchers. The binary backdoor analyzed by ESET was found to be similar to “the PowerShell script with backdoor capabilities attributed to the Stealth Falcon group.” The distribution method of the backdoor, dubbed “Win32/StealthFalcon,” was not reported; however, it may be distributed in the same way as Stealth Falcon’s PowerShell script, via a spearphishing email carrying a weaponized document attachment. 
The Win32/StealthFalcon backdoor gives an actor full remote control of an infected machine.<br/> <a href="https://forum.anomali.com/t/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group/4158" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947191">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947130">[MITRE ATT&amp;CK] Execution through API - T1106</a> | <a href="https://ui.threatstream.com/ttp/947170">[MITRE ATT&amp;CK] Rundll32 - T1085</a> | <a href="https://ui.threatstream.com/ttp/947127">[MITRE ATT&amp;CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/947257">[MITRE ATT&amp;CK] BITS Jobs - T1197</a> | <a href="https://ui.threatstream.com/ttp/947141">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/947109">[MITRE ATT&amp;CK] Security Software Discovery - T1063</a> | <a href="https://ui.threatstream.com/ttp/947193">[MITRE ATT&amp;CK] Automated Exfiltration - T1020</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&amp;CK] Exfiltration Over Command and Control Channel - T1041</a></p><p><a href="https://research.checkpoint.com/upsynergy/" target="_blank"><b>UPSynergy: Chinese-American Spy vs Spy Story</b></a> (<i>September 5, 2019</i>)<br/> Check Point researchers analyzed the “Bemstour” exploitation tool used by the China-based Advanced Persistent Threat (APT) group “APT3” and were able to confirm that the group “recreated its own version of an Equation group exploit using captured network traffic.” This possibility was first raised by Symantec, and Check Point now assesses that APT3 already had access to a network that was attacked by the Equation Group, which is how it was able to capture the exploit traffic. The Equation Group is believed to be a US-based group; variants of its tools were publicly released by a group called “The Shadow Brokers” in 2017. 
APT3 incorporated its re-created version of the exploit, found to be equivalent to EternalRomance, into Bemstour and then attempted to extend it to additional Windows versions, which “required looking for an additional 0-day that provided them with a kernel information leak.” Such analysis shows the sophistication of APT3 and the lengths APT groups will go to in order to acquire new tools for malicious activity.<br/> <a href="https://forum.anomali.com/t/upsynergy-chinese-american-spy-vs-spy-story/4159" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947121">[MITRE ATT&amp;CK] Network Sniffing - T1040</a> | <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947191">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947141">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/947207">[MITRE ATT&amp;CK] Process Discovery - T1057</a> | <a href="https://ui.threatstream.com/ttp/947142">[MITRE ATT&amp;CK] Process Injection - T1055</a></p><p><a href="https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf" target="_blank"><b>Southeast Asia: An Evolving Cyber Threat Landscape</b></a> (<i>September 5, 2019</i>)<br/> FireEye analysts have published their findings on malicious activity attributed to a Chinese state-sponsored group called “APT5.” The Advanced Persistent Threat (APT) group name APT5 is an umbrella term that refers to activity conducted by several subgroups that sometimes use “distinct tactics and infrastructure.” The APT5 attacks began in August 2019 and involved scanning the internet for Fortinet and Pulse Secure VPN servers. The objective of this activity was to exploit two vulnerabilities in those products: CVE-2018-13379 in the Fortinet FortiOS SSL VPN and CVE-2019-11510 in Pulse Connect Secure. Both vulnerabilities are “pre-auth file reads,” meaning an actor can exploit them to read files from the VPN server without authenticating.<br/> <a href="https://forum.anomali.com/t/southeast-asia-an-evolving-cyber-threat-landscape/4160" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947195">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947137">[MITRE ATT&amp;CK] Supply Chain Compromise - T1195</a></p><p><a href="https://techcrunch.com/2019/09/04/facebook-phone-numbers-exposed/" target="_blank"><b>A Huge Database of Facebook Users’ Phone Numbers Found Online</b></a> (<i>September 4, 2019</i>)<br/> Security researcher Sanyam Jain discovered a publicly accessible server containing multiple databases that held hundreds of millions of phone numbers, according to TechCrunch. The databases contained approximately 419 million records, confirmed to be phone numbers linked to Facebook accounts of users from all around the world. Some of the records also contained the user’s name, gender, and location. 
The geographic breakdown of the affected accounts includes 133 million US-based accounts, 18 million UK-based accounts, and more than 50 million Vietnam-based accounts.<br/> <a href="https://forum.anomali.com/t/a-huge-database-of-facebook-users-phone-numbers-found-online/4161" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/" target="_blank"><b>Glupteba Campaign Hits Network Routers and Updates C&amp;C Servers with Data from Bitcoin Transactions</b></a> (<i>September 4, 2019</i>)<br/> Threat actors are distributing the “Glupteba” trojan through malvertisements, operating it as a pay-per-install adware service, according to Trend Micro researchers. The actors behind Glupteba conduct various malicious activities, such as providing proxy services, using the EternalBlue exploit to propagate through networks, and mining Monero cryptocurrency. The Glupteba variant analyzed in this campaign downloads two additional components: a browser stealer that collects account names and passwords, browsing history, and website cookies, and a MikroTik router attack module that exploits the CVE-2018-14847 vulnerability. 
The Glupteba dropper was also found to be able to retrieve updated Command and Control (C2) domains from data embedded in Bitcoin transactions, so the actors can change C2 infrastructure without pushing a new binary.<br/> <a href="https://forum.anomali.com/t/glupteba-campaign-hits-network-routers-and-updates-c-c-servers-with-data-from-bitcoin-transactions/4162" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a> | <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a></p><p><a href="https://www.vpnmentor.com/blog/report-aliznet-leak/" target="_blank"><b>Report: Aliznet Data Breach Exposes Data for Millions of Canadian Customers</b></a> (<i>September 3, 2019</i>)<br/> Aliznet, a French consulting company, suffered a data breach that exposed Personally Identifiable Information (PII) and other sensitive data belonging to its client Yves Rocher, an international cosmetics and beauty company. Researchers were able to view the full PII of approximately 2.5 million Yves Rocher customers, around six million order records, and private internal records, including client business data such as turnover and order volumes. 
A vulnerability in an Elasticsearch server API interface was also identified that could be abused by anyone in possession of an employee ID, such as those exposed in the leak.<br/> <a href="https://forum.anomali.com/t/report-aliznet-data-breach-exposes-data-for-millions-of-canadian-customers/4163" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://eclypsium.com/2019/09/03/usbanywhere-bmc-vulnerability-opens-servers-to-remote-attack/" target="_blank"><b>Virtual Media Vulnerability in BMC Opens Servers to Remote Attack</b></a> (<i>September 3, 2019</i>)<br/> Eclypsium researchers have published research on a set of vulnerabilities, dubbed “USBAnywhere,” that affect the Baseboard Management Controllers (BMCs) of Supermicro X9, X10 and X11 server platforms. A BMC is a dedicated processor used to monitor and manage the physical state of server hardware. USBAnywhere takes advantage of several problems in the way these BMCs handle access to virtual media, which is normally driven by a Java application that connects to a virtual media service on TCP port 623. The weaknesses researchers found in that service are: authentication bypass, plaintext authentication, unencrypted network traffic, and weak encryption. 
Exploitation allows an attacker “to easily connect to a server and virtually mount any USB device of their choosing to the server, remotely over any network including the Internet.” At the time of writing, researchers found approximately 47,000 systems with BMCs exposed to the internet.<br/> <a href="https://forum.anomali.com/t/virtual-media-vulnerability-in-bmc-opens-servers-to-remote-attack/4164" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947134">[MITRE ATT&amp;CK] Replication Through Removable Media - T1091</a> | <a href="https://ui.threatstream.com/ttp/947172">[MITRE ATT&amp;CK] Communication Through Removable Media - T1092</a></p><p><a href="https://www.zdnet.com/article/german-bank-loses-eur1-5-million-in-mysterious-cashout-of-emv-cards/" target="_blank"><b>German Bank Loses €1.5 Million in Mysterious Cashout of EMV Cards</b></a> (<i>September 3, 2019</i>)<br/> A financially motivated threat group, believed to be operating from Brazil, used cloned debit cards to carry out fraudulent transactions and steal approximately €1.5 million ($1.65 million USD). The funds were taken from the accounts of about 2,000 customers of the Germany-based bank Oldenburgische Landesbank AG (OLB). The group, which remains unidentified as of this writing, used only cloned Mastercard debit cards in the theft. This has prompted some security researchers to ask why only Mastercard debit cards, which use chip-and-PIN (EMV) technology, were affected and what that implies from a security perspective. 
OLB has stated that the incident was the result of “organized cybercrime involving counterfeit cards and terminals,” that no security breach of the bank’s systems occurred, and that all affected customers have been refunded.<br/> <a href="https://forum.anomali.com/t/german-bank-loses-1-5-million-in-mysterious-cashout-of-emv-cards/4165" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/" target="_blank"><b>Digital Crackdown: Large-Scale Surveillance and Exploitation of Uyghurs</b></a> (<i>September 2, 2019</i>)<br/> Volexity analysts have identified approximately “11 Uyghur and East Turkistan related websites that have been compromised and leveraged for surveillance and exploitation.” Researchers note that while this number is smaller than the extensive website-compromise surveillance campaign conducted by the Vietnam-linked Advanced Persistent Threat (APT) group “OceanLotus” in 2018, these 11 sites were compromised specifically to be used against their visitors. At least two Chinese APT groups, one tracked as “Evil Eye” and the other not yet attributed, are using the compromised websites to target Android users. 
The websites were found to host malicious code that uses an exploit to download an executable payload, which steals device information and sends it back to the actors via an HTTP POST request.<br/> <a href="https://forum.anomali.com/t/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/4166" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1260117">[MITRE MOBILE-ATT&amp;CK] Standard Application Layer Protocol - T1437</a> | <a href="https://ui.threatstream.com/ttp/1260095">[MITRE MOBILE-ATT&amp;CK] Malicious Web Content (MOB-T1059)</a> | <a href="https://ui.threatstream.com/ttp/1260119">[MITRE MOBILE-ATT&amp;CK] System Information Discovery - T1426</a></p><p><a href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-009.pdf" target="_blank"><b>Credentials Gathering Campaign</b></a> (<i>September 2, 2019</i>)<br/> The French Agence nationale de la sécurité des systèmes d'information (ANSSI) has identified “several clusters of malicious activity, including domain names, subdomains and email addresses, used in a large attack campaign with traces going back to 2017.” The malicious infrastructure follows naming conventions that reveal which organizations are being targeted, and the objective of the campaign is to steal credentials. The targets are government-related organizations, such as the French and South African ministries of foreign affairs. The credential-stealing activity was grouped into five distinct clusters. 
The scale and consistency of the targeting indicate a well-organized and strategic actor, which suggests that this activity is likely APT-related.<br/> <a href="https://forum.anomali.com/t/credentials-gathering-campaign/4167" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a></p></div></div>
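The APT5 item above describes internet-wide scanning for Fortinet and Pulse Secure VPN servers in order to exploit pre-auth file reads (CVE-2018-13379 and CVE-2019-11510). The check a defender wants is whether requests of that shape reached their own appliances and, worse, came back with a 200. The Python below is an added example, not code from Anomali, FireEye or either vendor: it parses common-format access log lines, normalises the request path (repeated URL-decoding so double-encoded traversal becomes visible, backslashes to slashes, lowercase), and flags dot-dot traversal, null bytes and references to sensitive files. The log lines, the `/vpn/...` endpoints and the sensitive-file list are constructed for the example; the exact request paths used by the real exploits are not on this page, so the detector keys on the traversal pattern rather than on vendor-specific URLs, which also makes it catch the same class of bug on other appliances.

```python
"""Added example: flag pre-auth file-read / path-traversal attempts in appliance access logs."""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import unquote

# Common Log Format: client ident user [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)
# ".." as a whole path segment after normalisation (so "jquery.min.js" does not match)
TRAVERSAL_RE = re.compile(r"(?:^|[/?=&;])\.\.(?:/|$|[?&;])")
# Files a file-read exploit typically goes after. Generic list, an assumption of this
# example; these are not the paths used by the real CVE-2018-13379 / CVE-2019-11510 exploits.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/proc/self", "id_rsa", ".pem", ".key", "win.ini")


@dataclass
class Finding:
    src: str
    ts: str
    path: str
    status: str
    reasons: List[str] = field(default_factory=list)

    @property
    def served(self) -> bool:
        """A 200 on a traversal request means the appliance may actually have returned the file."""
        return self.status == "200"


def normalise(path: str) -> str:
    """URL-decode until stable (max 3 rounds) so %252e%252e shows up as "..", then unify slashes and case."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/").lower()


def analyse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious request line, None for a benign or unparseable one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group("path")
    norm = normalise(raw)
    reasons = []
    if TRAVERSAL_RE.search(norm):
        reasons.append("dot-dot traversal")
    if unquote(raw) != unquote(unquote(raw)):
        reasons.append("double-encoded")          # a second decode still changes the path
    if "\x00" in norm:
        reasons.append("null byte")               # classic extension-check bypass
    if any(s in norm for s in SENSITIVE):
        reasons.append("sensitive file reference")
    if not reasons:
        return None
    return Finding(m.group("src"), m.group("ts"), raw, m.group("status"), reasons)


def scan(lines: List[str]) -> List[Finding]:
    return [f for f in (analyse_line(ln) for ln in lines) if f is not None]


# Constructed sample log (documentation IP ranges; the /vpn/... endpoints are made up for the example).
SAMPLE_LOG = [
    '198.51.100.5 - - [05/Sep/2019:10:00:01 +0000] "GET /vpn/login?lang=en HTTP/1.1" 200 4521',
    '198.51.100.5 - - [05/Sep/2019:10:00:02 +0000] "GET /vpn/static/jquery.min.js HTTP/1.1" 200 89012',
    '203.0.113.10 - - [05/Sep/2019:10:00:07 +0000] "GET /vpn/lang?file=../../../../etc/passwd HTTP/1.1" 200 2345',
    '203.0.113.10 - - [05/Sep/2019:10:00:09 +0000] "GET /vpn/lang?file=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 404 0',
    '203.0.113.77 - - [05/Sep/2019:10:01:13 +0000] "GET /vpn/lang?file=..%5c..%5cwindows%5cwin.ini HTTP/1.1" 200 402',
    '203.0.113.77 - - [05/Sep/2019:10:01:15 +0000] "GET /vpn/download?name=config.txt%00.jpg HTTP/1.1" 200 1820',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        state = "SERVED" if f.served else "blocked"
        print(f"{f.src} {f.status} {state} {f.path} -> {', '.join(f.reasons)}")
```

A flagged request that returned 200 with a non-zero body should be treated as a probable successful file read and that appliance investigated, rather than waiting for a vendor advisory; the 404 in the sample is a scanner probing, which is still worth recording as a source IP.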
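The Glupteba item above notes that the dropper retrieves C2 domains from Bitcoin transactions. One way to do that, and the one used here, is the data field of an OP_RETURN output: the actor publishes a transaction carrying the hostname, and the malware, which only needs to know the wallet to watch, reads it back from any node or block explorer. The Python below is an added example, not Trend Micro's or the malware's code. It serialises a constructed legacy transaction with an OP_RETURN output, then parses raw transaction bytes to pull the pushed data back out and accept it only if it decodes as a hostname. The encoding Glupteba layers on top of the raw data is not on this page; the example assumes the payload is the plain ASCII hostname, and `panel.example.com` is a constructed value.

```python
"""Added example: dead-drop resolver that pulls a C2 hostname out of a Bitcoin OP_RETURN output."""
import re
import struct
from typing import List, Optional, Tuple

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Bitcoin CompactSize integer; returns (value, position after it)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def encode_varint(n: int) -> bytes:
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def parse_outputs(raw_tx: bytes) -> List[Tuple[int, bytes]]:
    """Walk a legacy (non-SegWit) serialized transaction; return (value_satoshi, scriptPubKey) per output."""
    pos = 4                                      # version
    n_in, pos = read_varint(raw_tx, pos)
    for _ in range(n_in):
        pos += 32 + 4                            # previous txid + output index
        script_len, pos = read_varint(raw_tx, pos)
        pos += script_len + 4                    # scriptSig + sequence
    n_out, pos = read_varint(raw_tx, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw_tx, pos)[0]
        pos += 8
        script_len, pos = read_varint(raw_tx, pos)
        outputs.append((value, raw_tx[pos:pos + script_len]))
        pos += script_len
    return outputs


def op_return_payload(script: bytes) -> Optional[bytes]:
    """Return the pushed data of an 'OP_RETURN <push>' script, or None for any other script."""
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    op, pos = script[1], 2
    if op <= 75:                                 # direct push: the opcode is the length
        length = op
    elif op == OP_PUSHDATA1:                     # 76..255 bytes: one length byte follows
        length, pos = script[2], 3
    elif op == OP_PUSHDATA2:
        length, pos = struct.unpack_from("<H", script, 2)[0], 4
    else:
        return None
    data = script[pos:pos + length]
    return data if len(data) == length else None # truncated push: reject rather than trust it


def extract_c2_domains(raw_tx_hex: str) -> List[str]:
    """Hostnames found in OP_RETURN outputs. Assumption: the payload is the plain ASCII hostname."""
    domains = []
    for _value, script in parse_outputs(bytes.fromhex(raw_tx_hex)):
        payload = op_return_payload(script)
        if payload is None:
            continue
        try:
            text = payload.decode("ascii").strip().lower()
        except UnicodeDecodeError:
            continue
        if HOSTNAME_RE.match(text):              # ignore unrelated OP_RETURN data on the chain
            domains.append(text)
    return domains


def build_sample_tx(payload: bytes) -> str:
    """Constructed sample (not a real on-chain transaction): dummy input, OP_RETURN output, P2PKH output."""
    push = bytes([len(payload)]) if len(payload) <= 75 else bytes([OP_PUSHDATA1, len(payload)])
    op_return_script = bytes([OP_RETURN]) + push + payload
    p2pkh_script = b"\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac"   # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    tx = struct.pack("<i", 1)                                     # version
    tx += encode_varint(1) + b"\x00" * 32 + struct.pack("<I", 0)  # one input spending a dummy outpoint
    tx += encode_varint(0) + struct.pack("<I", 0xFFFFFFFF)        # empty scriptSig, sequence
    tx += encode_varint(2)
    tx += struct.pack("<q", 0) + encode_varint(len(op_return_script)) + op_return_script
    tx += struct.pack("<q", 1000) + encode_varint(len(p2pkh_script)) + p2pkh_script
    tx += struct.pack("<I", 0)                                    # locktime
    return tx.hex()


SAMPLE_TX_HEX = build_sample_tx(b"panel.example.com")

if __name__ == "__main__":
    print(extract_c2_domains(SAMPLE_TX_HEX))   # ['panel.example.com']
```

For detection the same parser runs in reverse: a process that is not a wallet yet fetches transactions for a fixed address from a block explorer, then resolves a hostname that appeared nowhere in its binary, is exactly the pattern this mechanism produces.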
