September 22, 2020
Anomali Threat Research

Weekly Threat Briefing: Android Malware, APT Groups, Election Apps, Ransomware and More

<div id="weekly"> <p id="intro">The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: <b>APT, Cerberus Source Code Leak, Chinese APT, Mrbminer Malware, </b>and <b> Vulnerabilities</b>. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. <img src=""/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <div id="trending-threats"> <h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1" style="margin-bottom:0;"><a href="" target="_blank"><b>US 2020 Presidential Apps Riddled with Tracking and Security Flaws</b></a></h3> <p>(published: September 17, 2020)</p> <p>The Vote Joe 2020 application has been found to be potentially leaking personal data about voters. The app is used by the Joe Biden campaign to engage with voters and get supporters to send out promotional text messages. Using TargetSmart, an intelligence service, the app receives their predictions via API endpoint which has been found to be returning additional data. Voter preference and voter prediction could be seen, while voter preference is publically accessible, the information for TargetSmart was not meant to be publicly available. The app also let users from outside of the United States download, allowing for non-US citizens to have access to the data, as there was no email verification. Vote Joe isn’t the only campaign app with security issues, as the Donald Trump application exposed hardcoded secret keys in the APK.<br/> <b>Recommendation:</b> The exposure of Personally Identifiable Information (PII) requires affected individuals to take precautionary measures to protect their identity and their finances. Identity theft services can assist in preventing illicit purchases, or applying for financial services from taking place by actors using stolen data.<br/> <b>Tags:</b> APK, Android, Campaign, Election, Joe Biden, PII</p> <h3 id="article-2" style="margin-bottom:0;"><a href="" target="_blank"><b>German Hospital Attacked, Patient Taken to Another City Dies</b></a></h3> <p>(published: September 17, 2020)</p> <p>A failure in IT systems at Duesseldorf University Hospital in Germany has led to the death of a woman. In an apparent ransomware attack, the hospital’s systems crashed with staff unable to access data. While there was no apparent ransom note, 30 servers at the hospital had been encrypted last week, with a ransom note left on one server addressed to Heinrich Heine University. Duesseldorf police contacted the perpetrators to inform them they had attacked the hospital instead of the university, with the perpetrators providing decryption keys, however patients had to be rerouted to other hospitals and therefore a long time before being treated by doctors.<br/> <b>Recommendation:</b> Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of ransomware infection.<br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> Germany, Healthcare, Hospital, Ransomware</p> <h3 id="article-3" style="margin-bottom:0;"><a href="" target="_blank"><b>Seven International Cyber Defendants Including APT41 Actors Charged In Connection with Computer Intrusion Campaigns Against More than 100 Victims Globally</b></a></h3> <p>(published: September 17, 2020)</p> <p>The United States Department of Justice announced it was bringing a further indictment against five Chinese nationals who are believed to be members of the cyber-espionage group APT41 (Winnti, Wicked Panda, Wicked Spider, Barium). In 2019 and now 2020, a federal grand jury announced two separate indictments against APT41, the myriad of charges includes: facilitating theft of source code, software code signing certificates, customer data, identity theft, wire fraud, money laundering, abuse of the Computer Fraud and Abuse Act (CFAA), and many others. The 2019 indictment charged Zhang Haoran, 35, and Tan Dailin, 35, with carrying out cyber-attacks on video game companies and other high technology organisations. The 2020 indictment charges Jiang Lizhi, 35, Qian Chuan, 39, and Fu Qiang 37, who allegedly operated within a Chinese company named Chendgu 404 Network Technology. APT41 are a notorious hacking group responsible for targeting a wide range of entities, from video game companies, telecom providers to governments, nonprofits, and even pro-democracy activists in Hong Kong. The US District Court for DC has seized hundreds of accounts, Command and Control (C2) servers and domain names that the accused used in their operations.<br/> <b>Recommendation:</b> Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.<br/> <b>Tags:</b> APT41, China, APT, espionage, Wicked Spider, Wicked Panda, Winnti</p> <h3 id="article-4" style="margin-bottom:0;"><a href=";web_view=true" target="_blank"><b>Cerberus Banking Trojan Source Code Released for Free to Cyberattackers</b></a></h3> <p>(published: September 17, 2020)</p> <p>The source code of the banking Trojan Cerberus has been leaked on an underground forum after an auction failed to reach $100,000. Cerberus was a Russian designed mobile banking Remote Access Trojan (RAT) for the Android operating system. It is believed to have been in circulation since at least July 2019. Once Cerberus is active on a device it is able to intercept communication, steal banking credentials, and other data through creating overlays across banking and social network apps. In late July, researchers from Hudson Rock observed Cerberus going to auction as the development team was breaking up and a new owner was being sought. The price started at $50,000 for the Android Package Kit (APK) source code, client list, servers and code for admin panels, the auctioneer claimed the malware netted $10,000 per month in revenue. The auction failed to reach the developers goal of $100,000 leading them to walk away and drop the code for free on an underground forum. It is likely there will not only be a rise in adoption of Cerberus attacks but also new variants being developed from the code.<br/> <b>Recommendation:</b> Mobile applications should only be downloaded from official locations such as the Google Play Store and the Apple App Store. Websites and documents that request additional software are needed in order to access, or properly view content should be properly avoided. Additionally, mobile security applications provided by trusted vendors are recommended.<br/> <b>Tags:</b> Android malware, Cerberus, mobile malware, banking malware</p> <h3 id="article-5" style="margin-bottom:0;"><a href="" target="_blank"><b>New Mrbminer Malware Has Infected Thousands Of Mssql Databases</b></a></h3> <p>(published: September 16, 2020)</p> <p>Researchers from Tencent discovered a new malware named “MrbMiner” that infects Microsoft SQL Servers (MSSQL) and installs a crypto-miner. According to the researchers, more than thousands of MSSQL servers have been infected with the MrbMiner malware. Threat actors behind the malware launched an internet-wide scan for MSSQL servers and performed brute-force attacks to spread the malware. After a successful infection, the threat actors downloaded and installed a file named “assm.exe” to establish persistence. During the investigation on the Command and Control (C2) server, researchers have also discovered Linux and ARM variants of the MrbMiner malware.<br/> <b>Recommendation:</b> It is recommended to use a strong password and limit the exposure of the MSSQL server to the internet. For this malware, administrators are advised to scan the MSSQL servers for the presence of the Default/@fg125kjnhn987 backdoor account.<br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Brute Force - T1110</a> | <a href="">[MITRE ATT&amp;CK] Valid Accounts - T1078</a><br/> <b>Tags:</b> MrbMiner,bruteforce, MSSQL</p> <h3 id="article-6" style="margin-bottom:0;"><a href="" target="_blank"><b>Alert (AA20-258A): Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity</b></a></h3> <p>(published: September 14, 2020)</p> <p>Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory around threat actors affiliated to the Chinese Ministry of State Security (MSS). According to CISA, the threat actors commonly use open-source intelligence gathering when planning their cyber operations. They use readily available exploits and exploit toolkits against known vulnerabilities. In the last 12 months, MSS threat actors have been observed exploiting vulnerabilities in F5 Big-IP (CVE-2020-5902), Citrix Virtual Private Network (VPN) Appliances (CVE-2019-19781), Pulse Secure VPN Servers (CVE-2019-11510), and Microsoft Exchange Server (CVE-2020-0688). Common tools used by the threat actors are Cobalt Strike, China Chopper Web Shell, and Mimikatz.<br/> <b>Recommendation:</b> Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Having a rigorous patching policy is the best defense against the most frequently used attacks.<br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE PRE-ATT&amp;CK] Determine approach/attack vector - T1245</a> | <a href="">[MITRE PRE-ATT&amp;CK] Acquire OSINT data sets and information - T1247</a> | <a href="">[MITRE PRE-ATT&amp;CK] Conduct active scanning - T1254</a> | <a href="/ttp/2402594">[MITRE PRE-ATT&amp;CK] Analyze architecture and configuration posture - T1288</a> | <a href="">[MITRE PRE-ATT&amp;CK] Research relevant vulnerabilities/CVEs - T1291</a> | <a href="">[MITRE PRE-ATT&amp;CK] C2 protocol development - T1352</a> | <a href="">[MITRE PRE-ATT&amp;CK] Buy domain name - T1328</a> | <a href="/ttp/2402588">[MITRE PRE-ATT&amp;CK] Acquire and/or use 3rd party infrastructure services - T1329</a> | <a href="">[MITRE PRE-ATT&amp;CK] Obtain/re-use payloads - T1346</a> | <a href="">[MITRE PRE-ATT&amp;CK] Build or acquire exploits - T1349</a> | <a href="">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="">[MITRE ATT&amp;CK] Third-party Software - T1072</a> | <a href="">[MITRE ATT&amp;CK] Credential Dumping - T1003</a> | <a href="">[MITRE ATT&amp;CK] Brute Force - T1110</a> | <a href="">[MITRE ATT&amp;CK] Network Service Scanning - T1046</a> | <a href="">[MITRE ATT&amp;CK] Email Collection - T1114</a> | <a href="">[MITRE ATT&amp;CK] Connection Proxy - T1090</a><br/> <b>Tags:</b> APT, China, MSS, CISA, CVE-2020-5902, CVE-2019-19781, CVE-2019-11510, CVE-2020-0688</p> <h3 id="article-7" style="margin-bottom:0;"><a href="" target="_blank"><b>Zerologon: Unauthenticated Domain Controller Compromise by Subverting Netlogon Cryptography (CVE-2020-1472)</b></a></h3> <p>(published: September 11, 2020)</p> <p>Tom Tervoort, a security researcher at Secura has released a whitepaper describing an attack against Windows Active Directory (AD) servers that can give an attacker domain admin privileges. The vulnerability stems from a flawed implementation of AES-CFB8 that is used to produce the response to the challenge sent by a server when the client is proving it knows the credentials. The flaw used 16 static zero bytes as the initialization vector (IV). If the password consists of just zero bytes, there is one in 256 keys used that will result in an encrypted text of just zero bytes. This can be used to change the computers (AD) password. If performed on an AD server, the attacker can use the new password to dump all the user hashes via the Domain Replication Service (DRS) protocol. From the hashes, the attacker can generate a Golden Ticket and perform pass-the-hash attacks to become domain admin.<br/> <b>Recommendation:</b> Always practice Defense in Depth. An attack needs to be able to send network packets to the active directory server to exploit this vulnerability, either via already having compromised the network or the server being accessed externally. As part of the August patch Tuesday, Microsoft released fixes that address the issues. It is highly recommended to apply the patches as soon as possible.<br/> <b>Tags:</b> CVE-2020-1472, Zerologon</p> </div> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.