The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: COVID-19, Data leak, HIDDEN COBRA, Mandrake, RAT and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
(published: May 16, 2020)
The U.S. Secret Service has raised an alert regarding an ongoing fraud operation exploiting the COVID-19 pandemic to target multiple state unemployment programs. The group behind it has been filing unemployment claims using the social security numbers of first responders, government officials, and school employees. Given the number of fraudulent claims being made, the Secret Service believes the threat actors obtained the personally identifiable information (PII) of these individuals through prior database leaks or compromises. Washington has been most affected, along with Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, and Wyoming.
Recommendation: Fraudulent activity themed around recent events such as the COVID-19 pandemic is always prevalent. Controls must be in place to ensure that individuals filing such claims are genuine, and processes must exist to detect fictitious activity. If multiple claims are coming in from the same source, this should be met with suspicion and reported as potential fraud.
MITRE ATT&CK: [MITRE PRE-ATT&CK] Conduct social engineering - T1268
Tags: COVID-19, Unemployment Fraud, Washington
(published: May 15, 2020)
A sophisticated Android spyware framework has been identified by researchers at Bitdefender, and has been used in espionage campaigns since as early as 2016. The threat actors embed the spyware, named "Mandrake", within fully developed applications covering multiple areas including art, finance, media, and the auto industry. Bitdefender identified seven applications on the Google Play Store containing Mandrake. Affected individuals were located in Australia, Canada, Europe, and the U.S. In some cases, the applications have social media accounts related to the application's development to act as a lure. Mandrake's capabilities include collecting SMS messages, the contact list, and the list of installed applications. Mandrake can also send SMS messages, initiate calls, uninstall applications, steal credentials from applications, and enable GPS tracking. Collected information is exfiltrated to the threat actors' Command and Control (C2) server.
Recommendation: All applications should be carefully researched prior to installing on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted prior to allowing permissions. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors.
Tags: Android, Spyware, Mandrake, Google Play Store
(published: May 14, 2020)
A new version of the Remote Access Trojan (RAT) "COMpfun" was observed being used to target diplomatic entities within Europe in the form of fake visa applications, according to Kaspersky researchers. The RAT uses HTTP/HTTPS status codes as part of its Command and Control (C2) to execute remote commands; a status code of 200 notifies the RAT to exfiltrate all target data to the C2. COMpfun is used to monitor the browser activity of targets, capture keystrokes, and take screenshots. This new version of COMpfun identifies any removable USB devices on the system to spread to, and new commands to be executed are then sent in the form of HTTP status codes.
Recommendation: Spearphishing emails represent a significant security risk because the sending email will often appear legitimate to the target. Education is the best defense: inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spearphishing attack. In the situation where a spearphishing campaign was successful, companies must ensure that firewalls block all entry points for unauthorized users and maintain a record of traffic travelling through the network to detect unusual activity.
MITRE ATT&CK: [MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Custom Command and Control Protocol - T1094 | [MITRE ATT&CK] Data Obfuscation - T1001 | [MITRE ATT&CK] Remote Access Tools - T1219 | [MITRE ATT&CK] Clipboard Data - T1115 | [MITRE ATT&CK] Component Object Model Hijacking - T1122
Tags: COMpfun, HTTP status codes, RAT
(published: May 14, 2020)
A collaboration between Welivesecurity and Avast has disclosed a Remote Access Trojan (RAT) named "Mikroceen" being used in campaigns targeting central Asia since 2017. It has been seen targeting private and public entities including gas industries, governments, and telecommunication organisations. The RAT was previously reported under different names by Kaspersky, Palo Alto Networks, and Checkpoint; however, researchers in this joint operation were able to identify these reports as describing the same malware. The link between these reports is the method by which Mikroceen decrypts the configuration file that holds the Command and Control (C2) domain. Targets have included Belarus, Mongolia, and Russia. The RAT is stored in the startup folder of systems to provide persistence on boot and uses a legitimately signed certificate for its C2 connection to the threat actors.
Recommendation: Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. That way, it will be easier to spot unusual traffic and connections to and from your network and to identify potentially malicious activity. Furthermore, ensure that your employees are educated about the risks of opening attachments, particularly from unknown senders and any attachment that requests macros to be enabled.
MITRE ATT&CK: [MITRE ATT&CK] Service Execution - T1035 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Execution through API - T1106 | [MITRE ATT&CK] New Service - T1050 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] AppInit DLLs - T1103 | [MITRE ATT&CK] Standard Cryptographic Protocol - T1032 | [MITRE ATT&CK] Commonly Used Port - T1043 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 | [MITRE ATT&CK] Data Obfuscation - T1001 | [MITRE ATT&CK] Data Transfer Size Limits - T1030 | [MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041 | [MITRE ATT&CK] Screen Capture - T1113
Tags: Mikroceen, Remote Access Trojan, Belarus, Mongolia, Russia
(published: May 14, 2020)
Researchers from Checkpoint have announced that a previously patched vulnerability in Remote Desktop Services, registered as "CVE-2019-0887", is being bypassed to exploit third-party Remote Desktop Protocol (RDP) software in reverse RDP attacks. The initial vulnerability relates to improper validation of file paths for clipboard data, which could be exploited for remote code execution. Checkpoint tested multiple RDP clients, including "rdesktop", "FreeRDP", and Microsoft's built-in client "Mstsc.exe", and found a bypass for this patch in Microsoft's RDP client on Mac devices. The researchers were not only able to bypass the patch but also to get around every form of file path canonicalization currently existing in the software: they deduced that by replacing all backward slashes (\) in their exploits with forward slashes (/), they could get around Microsoft's main method of canonicalization, "PathCchCanonicalize". Microsoft was notified of this new vulnerability and has since released a patch registered as "CVE-2020-0655". Checkpoint reviewed the patch once released and found that it does not rectify the issue with Microsoft's "PathCchCanonicalize" method but only works around it.
Recommendation: It is important that your company has patch-maintenance policies in place, particularly when there are Bring Your Own Device (BYOD) policies in use. Once a vulnerability has been reported on in open sources, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied appropriately as soon as possible to prevent potential malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation of Remote Services - T1210
Tags: Microsoft, RDP, CVE-2019-0887, CVE-2020-0655
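The canonicalization weakness described above, as an added illustration that is not code from Checkpoint, Microsoft, or any RDP client: a model of a backslash-only canonicalizer (which lets forward-slash traversal through) beside a hardened check that unifies separators before resolving the path and then requires the result to stay inside the drop directory. `DROP_DIR` and the sample clipboard entries are constructed values.

```python
import posixpath

# Constructed destination for files pasted over RDP (an assumption, not a
# real client path); every pasted file must resolve below this directory.
DROP_DIR = "C:/Users/victim/Downloads"


def weak_canonicalize(path: str) -> str:
    """Model of a backslash-only canonicalizer: '..' is collapsed only
    when it sits between backslashes, so forward-slash segments survive."""
    parts = []
    for seg in path.split("\\"):
        if seg == "..":
            if parts:
                parts.pop()
        elif seg not in ("", "."):
            parts.append(seg)
    return "\\".join(parts)


def weak_is_safe(name: str) -> bool:
    """Prefix check built on the weak canonicalizer (the flawed pattern)."""
    base = DROP_DIR.replace("/", "\\")
    canon = weak_canonicalize(base + "\\" + name)
    return canon.startswith(base + "\\")


def hardened_is_safe(name: str) -> bool:
    """Hardened check: unify separators first, reject empty, absolute or
    drive-qualified names, resolve, then require a strict prefix match."""
    unified = name.replace("\\", "/")
    if not unified or unified.startswith("/") or ":" in unified:
        return False
    resolved = posixpath.normpath(DROP_DIR + "/" + unified)
    return resolved.startswith(DROP_DIR + "/")


def compare(names):
    """Return {name: (weak_verdict, hardened_verdict)} for each name."""
    return {n: (weak_is_safe(n), hardened_is_safe(n)) for n in names}


if __name__ == "__main__":
    # Constructed sample clipboard entries.
    samples = [
        "report.pdf",
        "sub\\report.pdf",
        "..\\..\\outside.txt",   # backslash traversal: both checks reject
        "../../outside.txt",     # forward-slash traversal: weak check passes
        "sub/../../outside.txt",
    ]
    for name, (weak, hard) in compare(samples).items():
        print(f"{name!r:28} weak={weak!s:5} hardened={hard}")
```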
(published: May 13, 2020)
A new cyber-espionage framework named "Ramsay" has been identified by ESET researchers and is being used to target air-gapped systems. Initial samples related to Ramsay were uploaded to VirusTotal from Japan, which allowed ESET researchers to find additional features and versions of the framework. Ramsay's focus is to collect and exfiltrate sensitive documents from air-gapped systems, and it is believed to still be in development due to its low detection rate. Three versions have been observed, using different methods of distribution. In the first, "version 1", the framework is spread via malicious documents exploiting the vulnerability "CVE-2017-0199" to drop the Ramsay installer onto target systems. The second version, "version 2.a", appears as a legitimate 7zip installer as a lure to install Ramsay and contains improvements in evasion and persistence compared to "version 1". The final version seen, "version 2.b", uses the vulnerability "CVE-2017-11882" in the document to drop the Ramsay installer under the name "lmsch[.]exe".
Recommendation: This framework is being distributed via spearphishing campaigns up to now, which is why all employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. Furthermore, maintain policies regarding what kind of requests and information your employees can expect to receive from colleagues and management to assist in identifying potential malicious communications.
MITRE ATT&CK: [MITRE ATT&CK] Replication Through Removable Media - T1091 | [MITRE ATT&CK] Execution through API - T1106 | [MITRE ATT&CK] Execution through Module Load - T1129 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Service Execution - T1035 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] AppInit DLLs - T1103 | [MITRE ATT&CK] New Service - T1050 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Bypass User Account Control - T1088 | [MITRE ATT&CK] DLL Search Order Hijacking - T1038 | [MITRE ATT&CK] File Deletion - T1107 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Software Packing - T1045 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Network Share Discovery - T1135 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Automated Collection - T1119 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Data from Network Shared Drive - T1039 | [MITRE ATT&CK] Data from Removable Media - T1025 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Communication Through Removable Media - T1092 | [MITRE ATT&CK] Custom Command and Control Protocol - T1094 | [MITRE ATT&CK] Data Compressed - T1002
Tags: Ramsay Framework, Air-gapped, Spearphishing, CVE-2017-0199, CVE-2017-11882
(published: May 12, 2020)
The U.S. government has linked three different malware variants to the North Korea-based Advanced Persistent Threat (APT) group HIDDEN COBRA (aka the Lazarus Group). The malware includes CopperHedge, TaintedScribe, and PebbleDash. CopperHedge is a Remote Access Tool (RAT) seen targeting cryptocurrency exchanges. TaintedScribe is a trojan that masquerades as Microsoft's Narrator and executes modules received from its Command and Control (C2) server. The final one is PebbleDash, a trojan that provides the group command-line interface (CLI) access to target systems to execute, upload, and download files. HIDDEN COBRA is known to target industry sectors in South Korea and the U.S., as well as entertainment organizations, media, and non-government organizations (NGOs), using spearphishing emails as an initial point of intrusion.
Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs like HIDDEN COBRA, including a focus on both network and host-based security. The Cybersecurity and Infrastructure Security Agency (CISA) have released malware analysis reports (MARs) that provide organisations the ability to improve their Defense-in-depth strategies against malware variants. These reports include Indicators of Compromise (IOCs), YARA rules, and SNORT rules which will allow organisations to detect Hidden Cobra activity and reduce the likelihood of being compromised.
MITRE ATT&CK: [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Remote Access Tools - T1219 | [MITRE PRE-ATT&CK] Upload, install, and configure software/tools - T1362
Tags: APT, North Korea, HIDDEN COBRA, CopperHedge, TaintedScribe, PebbleDash
(published: May 12, 2020)
Adobe has released thirty-six patches for Adobe Acrobat, Reader, and the Adobe DNG Software Development Kit (SDK), including fixes for 16 critical vulnerabilities that would allow threat actors to execute remote code and evade security solutions. Among the vulnerabilities patched is "CVE-2020-9615" in Acrobat and Reader, a race condition that gives threat actors a way to evade security products. The release also addresses the vulnerability registered as "CVE-2020-9621", a heap memory overflow that can be exploited to execute arbitrary code.
Recommendation: It is important that your company has patch-maintenance policies in place, particularly when there are Bring Your Own Device (BYOD) policies in use. Once a vulnerability has been reported on in open sources, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation of Remote Services - T1210
Tags: Adobe Acrobat, Adobe Reader, Adobe DNG SDK, Arbitrary Code Execution, Security Bypass
(published: May 12, 2020)
The threat group Shiny Hunters has placed over 164 million user records from 11 different companies onto the dark web for sale. The data being sold includes email addresses, names, phone numbers, password hashes, and other Personally Identifiable Information (PII) of website customers, and has not previously been compromised. The companies affected by this data breach include Tokopedia, a large online store in Indonesia, Chatbooks, a photo printing service, and Zoosk, an online dating app. Shiny Hunters is also the group that allegedly compromised Microsoft's GitHub account; however, this is yet to be denied or confirmed by the company.
Recommendation: Leaks of this sort may put affected individuals at greater risk of phishing attacks. Actors can use this information to craft custom emails to increase the chance that malicious activity is approved by the recipient. Individuals who have accounts associated with these companies should change their passwords as soon as possible, particularly if the passwords for said accounts are the same as those for other online accounts. Individuals should also regularly monitor their credit reports for suspicious activity or consider an identity theft protection service.
MITRE ATT&CK: [MITRE ATT&CK] Steal Application Access Token - T1528
Tags: Data Breach, Dark Web, Tokopedia, Zoosk, Chatbooks, PII, Shiny Hunters
(published: May 11, 2020)
Comparitech researchers have determined that a large number of applications on the Google Play Store developed using the Firebase platform have been misconfigured in a way that exposes the personally identifiable information of users. Firebase is Google's application development platform, used by developers to build and manage applications; 30% of Google Play Store applications use Firebase. Comparitech lead researcher Bob Diachenko has reported an estimated 24,000 applications using Firebase that have exposed customer data. The data was leaked via exposed databases that could be viewed with well-crafted web requests, and includes email addresses, user credentials, phone numbers, IP addresses, credit card data, and street addresses. Games made up 24.71% of the affected applications, with Education second at 14.72%.
Recommendation: The exposure of PII requires affected individuals to take precautionary measures to protect their identity and their finances. Identity theft services can help prevent illicit purchases or applications for financial services by actors using stolen data. Developers using Firebase should have appropriate rules in place to prevent unauthorised access to data, and should not store information in plain text.
MITRE ATT&CK: [MITRE ATT&CK] Cloud Instance Metadata API - T1522 | [MITRE ATT&CK] Data from Cloud Storage Object - T1530
Tags: Google Play Store, Firebase, Android, PII, Data Leak
(published: May 11, 2020)
Björn Ruytenberg, a researcher at the Eindhoven University of Technology, has identified seven hardware vulnerabilities in desktops and laptops that use Thunderbolt USB-C ports, which would allow threat actors to read/write or steal data from memory. The systems affected include all existing Windows, Linux, and Apple MacBooks (except retina versions) sold since 2011 that use versions 1-3 of Thunderbolt. The vulnerabilities are linked to insufficient authentication schemes and configurations which, when physically exploited, allow individuals to perform Direct Memory Access (DMA) attacks and access devices without the need for passwords. These capabilities are available to threat actors because of Thunderbolt's high-privilege, low-level access, which enables peripheral devices to evade operating system security and access system memory.
Recommendation: Since reporting these vulnerabilities, Björn Ruytenberg has released an open-source tool called "SpyCheck" to identify whether a system is vulnerable to these exploits; it can be found at thunderspy[.]io. Once a vulnerability like the ones disclosed here is reported on in open sources, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Hardware Additions - T1200
Tags: Thunderbolt, Thunderspy, USB-C, Direct Memory Access
(published: May 11, 2020)
The "Hangover" threat group (Viceroy Tiger, MONSOON) has recently been seen using an updated version of the BackConfig malware to target government and military organizations in South Asia. Malicious Microsoft Excel documents hosted on a compromised website are used to distribute BackConfig. The documents contain embedded macros that install BackConfig once the user opens them. The malware focuses on gathering system information, keylogging users, and executing additional payloads downloaded from its C2 server. BackConfig has also been distributed in RTF files that leverage the vulnerability registered as "CVE-2017-11882", a flaw in Microsoft Office products that allows threat actors to execute remote code. The documents are crafted to reflect current local and national events. The modular capabilities of the malware make it harder to detect with sandboxes and analysis products, and the payloads use self-signed certificates in the names of Foxit Software Incorporated and the Nvidia Corporation to appear legitimate.
Recommendation: It is crucial that server software be kept up to date with the most current versions and that all external-facing assets are carefully monitored and scanned for unusual activity and vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
MITRE ATT&CK: [MITRE PRE-ATT&CK] Acquire OSINT data sets and information - T1247 | [MITRE PRE-ATT&CK] Conduct social engineering - T1249 | [MITRE PRE-ATT&CK] Compromise 3rd party infrastructure to support delivery - T1312 | [MITRE PRE-ATT&CK] Create custom payloads - T1345 | [MITRE PRE-ATT&CK] Obtain/re-use payloads - T1346 | [MITRE PRE-ATT&CK] Upload, install, and configure software/tools - T1362 | [MITRE ATT&CK] Spearphishing Link - T1192 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Code Signing - T1116 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] BITS Jobs - T1197 | [MITRE ATT&CK] Commonly Used Port - T1043 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 | [MITRE ATT&CK] Standard Cryptographic Protocol - T1032 | [MITRE ATT&CK] Remote File Copy - T1105
Tags: APT, Hangover, BackConfig, Supply-Chain