The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: Data Breach, Lazarus, Spearphishing, Trojan and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. 
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Targeted Attack Leverages India-China Border Dispute to Lure Victims
(published: June 19, 2020)
With recent tensions rising on the India-China border, threat actors are utilizing this as a means to spread malicious documents. The document, titled “India-China border tensions.doc”, contains a PowerShell script that downloads shellcode that in turn extracts Cobalt Strike as the payload. While there has not been any attribution to a threat group, the watermark value found in the beacon configuration has been used previously by the TrickBot Group.
Recommendation: All employees should be educated on the risk of opening attachments from unknown senders. Anti-spam and antivirus protection should be implemented and kept up-to-date with the latest version to better ensure security. Documents that request macros to be enabled should be avoided.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] PowerShell - T1086 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Commonly Used Port - T1043 | [MITRE ATT&CK] Fallback Channels - T1008 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071
Tags: Cobalt Strike, China, India, Malicious Documents
Nation-state Actor Responsible for Attacks, Australia Claims
(published: June 19, 2020)
Australia’s Prime Minister, Scott Morrison, has claimed that a foreign ‘state-based actor’ has been targeting Australian government, businesses, and public services in coordinated cyber-attacks. There has been no attribution put forward, but tensions have been running high recently between Australia and their biggest economic partner, China. This is not the first time the Chinese are thought to have targeted Australia. The Chinese government was enraged in April by Australia’s calls for an investigation into the origins of the COVID-19 virus and accusing the Chinese of engaging in ‘economic coercion.’ Shortly after there was an increase in cyber espionage activity targeting COVID-19 related materials. The previous year the Chinese were believed to have targeted the Australian Parliament and political parties in the lead up to a general election. Australia has generally not chosen to publicly pursue these matters due to the economic relationship.
Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
Tags: Australia, China, APT, Espionage, COVID-19
Cognizant Admits Data Breach Following Ransomware Attack
(published: June 18, 2020)
In April 2020 Cognizant announced it had been compromised by Maze ransomware. The company, one of the largest IT managed service providers in the world, quickly released a statement and contacted customers to let them know threat actors had not accessed customer data and provided IOCs to monitor. Two months later Cognizant has been forced to admit that threat actors did indeed access sensitive customer data. Experts have speculated that actors had in fact gained access to Cognizant’s networks weeks before they began to encrypt files. The data targeted is believed to have contained customer names, social security numbers, financial account information, driver’s licenses, and passports. Estimations of the number of individuals affected have not been given and the company is offering credit and identity theft monitoring services.
Recommendation: It is crucial that your company ensure that servers are always running the most current software version. Your company should have policies in place in regards to the proper configurations needed for your servers in order to conduct your business needs safely. Additionally, always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe). In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections. Furthermore, a business continuity plan should be in place in the case of a ransomware infection.
MITRE ATT&CK: [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Security Software Discovery - T1063 | [MITRE ATT&CK] Peripheral Device Discovery - T1120 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Remote Desktop Protocol - T1076 | [MITRE ATT&CK] File Deletion - T1107 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Hooking - T1179 | [MITRE ATT&CK] Kernel Modules and Extensions - T1215 | [MITRE ATT&CK] Software Packing - T1045
Tags: Cognizant, Ransomware, Finance, Personal Information, Managed Services, Data Breach
COVID-19 and FMLA Campaigns Used To Install New IcedID Banking Malware
(published: June 18, 2020)
Researchers from Juniper Threat Labs have discovered a new campaign that leverages the COVID-19 pandemic to distribute an updated version of the IceID banking trojan. Phishing documents related to COVID-19 and the Family and Medical Leave Act (FMLA) to entice targets into opening the document and executing the trojan. IceID is injected into the "msiexec.exe" process using a self-signed certificate to evade detection and appear as legitimate. It will use full steganography to download additional modules and configure itself. IceID conducts Man-in-the-Browser operations by monitoring several different websites and collects financial information from transactions made.
Recommendation: The use of current events in spearphishing campaigns is yet another aspect of phishing that all users must be aware of. Email attachments should be treated as untrusted regardless of the sender's credibility. Detection and prevention measures should be taken to ensure that users do not fall victim to phishing. In the case of IcedID infection, users must regularly monitor their accounts for unusual activity and are advised to contact fraud prevention services to identify theft of financial data.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Code Signing - T1116 | [MITRE ATT&CK] Man in the Browser - T1185 | [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE PRE-ATT&CK] Upload, install, and configure software/tools - T1362 | [MITRE ATT&CK] Credentials from Web Browsers - T1503 | [MITRE ATT&CK] System Shutdown/Reboot - T1529
Tags: IceID Banking Trojan, COVID-19, FMLA, Spearphishing, Man-in-the-Browser,
Digging up InvisiMole's Hidden Arsenal
(published: June 18, 2020)
The InvisiMole threat group has emerged with an improved toolset targeting several diplomatic and military entities in Eastern Europe, as found by ESET researchers. These campaigns have been ongoing since late 2019 and only targeted entities that had been previously compromised by the Russia-sponsored Gamaredon group. InvisiMole distributed its backdoor payloads using a .NET downloader called "MSIL" or "Pterodo" which was developed by the Gamaredon group. InvisMole leverages the SMB vulnerability EternalBlue (“CVE-2017-0144”) and RDP vulnerability BlueKeep (“CVE-2019-0708”) to spread its infection across compromised networks. InvisiMole was also using documents stolen by Gamaderon and modifying them to act as trojans that would later install their payloads when executed. These campaigns potentially display the beginning of a collaboration between InvisoMole and Gamaredon, where Gamaredon gains initial access to target systems and distributes InvisiMole payloads.
Recommendation: Organisations can use behavioural monitoring capabilities to better detect anomalous behaviour if a malicious actor is using legitimate files. Behavioural monitoring capabilities include detecting when files and data are accessed that are outside the normal working hours or job specification of the account holder. Defense-in-depth is the best way to ensure safety from APTs. Defense-in-Depth involves the layering of defence mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff, and robust threat intelligence capabilities.
MITRE ATT&CK: [MITRE ATT&CK] Control Panel Items - T1196 | [MITRE ATT&CK] Execution through API - T1106 | [MITRE ATT&CK] Execution through Module Load - T1129 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Rundll32 - T1085 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Service Execution - T1035 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] New Service - T1050 | [MITRE ATT&CK] Registry Run Keys / Startup Folder - T1060 | [MITRE ATT&CK] Shortcut Modification - T1023 | [MITRE ATT&CK] Bypass User Account Control - T1088 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Execution Guardrails - T1480 | [MITRE ATT&CK] Hidden Window - T1143 | [MITRE ATT&CK] Indicator Removal from Tools - T1066 | [MITRE ATT&CK] Indirect Command Execution - T1202 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Redundant Access - T1108 | [MITRE ATT&CK] Rundll32 - T1085 | [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Security Software Discovery - T1063 | [MITRE ATT&CK] Timestomp - T1099 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Network Service Scanning - T1046 | [MITRE ATT&CK] Software Discovery - T1518 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] System Time Discovery - T1124 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 | [MITRE ATT&CK] Taint Shared Content - T1080 | [MITRE ATT&CK] Commonly Used Port - T1043 | [MITRE ATT&CK] Connection Proxy - T1090 | [MITRE ATT&CK] Custom Cryptographic Protocol - T1024 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Fallback Channels - T1008 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 | [MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095 | [MITRE ATT&CK] Uncommonly Used Port - T1065 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Access Token Manipulation - T1134 | [MITRE ATT&CK] Disabling Security Tools - T1089 | [MITRE ATT&CK] File Deletion - T1107 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] Application Window Discovery - T1010 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] Query Registry - T1012 | [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] System Service Discovery - T1007 | [MITRE ATT&CK] Audio Capture - T1123 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Video Capture - T1125 | [MITRE ATT&CK] Data Compressed - T1002 | [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041 | [MITRE ATT&CK] Network Share Discovery - T1135 | [MITRE ATT&CK] Data from Removable Media - T1025 | [MITRE ATT&CK] Input Capture - T1056
Tags: InvisiMole, Gamaredon, CVE-2017-0144, CVE-2019-0708, Spearphishing
Operation In(ter)ception: Aerospace and Military Companies In The Crosshairs of Cyberspies
(published: June 17, 2020)
Researchers from ESET have disclosed a new cyberespionage campaign targeted against aerospace and military organizations in Europe and the Middle East. Threat actors have utilized social engineering tactics to create fake LinkedIn user accounts to send messages with malicious attachments or OneDrive link to the targeted individuals. After the successful infection threat actors have deployed their multistage custom malware and made use of living off the land tactics to stay stealthy throughout the operation. The group has also used multiple defense evasion tactics like code signing, renaming executables to well-known binary names, and control-flow flattening. The group used a modified version of the dropbox command-line client to exfiltrate the data collected from the victim. During the investigation, researchers have also found evidence of Business email compromise activity by utilizing the victim’s email address. ESET researchers are suspecting that this campaign could have been performed by North Korea-based Lazarus Group.
Recommendation: This campaign is an example of social engineering tactics that threat actors use to trick users into downloading or installing malicious files on their machines. All social media users should be cautious when accepting unknown user requests, and particularly cautious when receiving communication from unknown users. Even if callers state they are from the bank or another trusted entity, it is best practice to avoid giving any details over the phone and not access unknown websites that are given by the callers. If you are unsure about the legitimacy regarding security modules, contact your security team directly and ask, as well as speak to management to ensure that updates are necessary and genuine.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing via Service - T1194 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Execution through API - T1106 | [MITRE ATT&CK] PowerShell - T1086 | [MITRE ATT&CK] Regsvr32 - T1117 | [MITRE ATT&CK] Rundll32 - T1085 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Service Execution - T1035 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] XSL Script Processing - T1220 | [MITRE ATT&CK] New Service - T1050 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Code Signing - T1116 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Regsvr32 - T1117 | [MITRE ATT&CK] Rundll32 - T1085 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] XSL Script Processing - T1220 | [MITRE ATT&CK] Brute Force - T1110 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] Query Registry - T1012 | [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 | [MITRE ATT&CK] Data Compressed - T1002 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048 | [MITRE ATT&CK] Transfer Data to Cloud Account - T1537
Tags: APT, Lazarus, Social engineering, Spearphishing
More Ad Fraud Apps Found Hiding On Google Play Store
(published: June 17, 2020)
Researchers recently identified a fraud operation that rendered fraudulent advertising in users’ devices. These apps had more than 20 million downloads. 38 apps were associated with this threat, all of which have been taken down by the Play Store.
Recommendation: Only download trusted and known applications from google play store, make sure to check applications permissions before installing.
Tags: Android, Google Play Store, Fraud
Bahrain, Kuwait, and Norway Contact Tracing Apps Among Most Dangerous For Privacy
(published: June 16, 2020)
Amnesty’s Security Lab researchers have reviewed contact tracing applications from different countries and found that the applications for Bahrain, Kuwait, and Norway were the worst in the terms of the user’s privacy. According to the researchers, the applications track the user's whereabouts with GPS in near real-time and store the information in a centralized location. This provides the government with a mass surveillance tool to track its citizens even if the user has not reported being infected by COVID-19. The Norwegian government announced, after being contacted by Amnesty International, that it would stop using its tracing application, Smittestopp, until the issues had been addressed. Many of the applications investigated used a centralized approach for aggregation of the data but the data is only shared with the service.
Recommendation: Many countries have decided to implement their contact tracing application, making them incompatible with each other. Consequently, people that are traveling may have to be forced to use multiple applications. With more applications developed, the chances of issues in them increases. That coupled with the type the data collected, could result in sensitive data being exposed. It also has been reported that threat actors are creating look-alike applications loaded with malware. If the application is required, it is recommended to ensure the correct application is installed from a trusted source.
Tags: COVID-19, Contact-tracing, Android, iOS
Ripple20: 19 Zero-Day Vulnerabilities Amplified by the Supply Chain
(published: June 16, 2020)
Researchers at JSOF lab have released a report of 19 vulnerabilities in Treck’s TCP/IP library. The TCP/IP library is used in embedded systems and Internet of Things (IoT) devices, estimated to affect hundreds of millions of devices. The vulnerabilities discovered range from information disclosures to remote code executions. Currently, 15 vendors have reported that their products are affected. The vendors are B. Braun, Baxter, CareStream, Caterpillar, Cisco, Digi, Green Hills, HCL Tech, HP, HPE, Intel, Maxlinear, Rockwell, Schneider Electric, and Teradici. 10 vendors; Abbot, AMD, GE Healthcare, Laird, NVIDIA, Philips, Sandia National Labs, Texas Instruments, Technicolor, and Zebra Technologies, have reported that their products are not affected while 53 other vendors have still not responded.
Recommendation: Device manufacturers that are using Treck’s TCP/IP library should update to version 6.0.1.67 or later. If a scenario when an update is not possible, consider disabling affected functionality. For users of affected devices, apply patches from the device manufacturer. If patches are not available or can’t be applied, consider preventing the devices from being accessed from external networks. Use network segmentation to isolate and restrict access to the devices. Risks can also be reduced by blocking anomalous network traffic.
Tags: CVE-2020-11896, CVE-2020-11897, CVE-2020-11901, CVE-2020-11898, CVE-2020-11900, CVE-2020-11902, CVE-2020-11904, CVE-2020-11899, CVE-2020-11903, CVE-2020-11905, CVE-2020-11906, CVE-2020-11907, CVE-2020-11909, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912, CVE-2020-11913, CVE-2020-11914, CVE-2020-11908
Cobalt: Tactics and Tools Update
(published: June 16, 2020)
Researchers from PT Security have released a new report on recent activities from Cobalt Group with updated TTPs. Cobalt Group is a financially motivated threat group that primarily attacks financial institutions. According to the researchers, the group has made significant changes to their tools such as CobInt and the dropper COM-DLL. Recent attacks observed by the researchers showed that the group has started using new methods to deliver malware and added multiple malware evasion techniques to their capabilities. For example, the group has used VHD files and Excel 4.0 macros in their recent attacks. The Cobalt group is still actively conducting attacks against financial institutions even after the arrest of the group’s leader in 2018.
Recommendation: Financially themed malspam emails are a common tactic among cybercriminal threat actors, therefore, it is crucial that your employees are aware of their financial institution’s policies regarding electronic communication. If a user is concerned due to the scare tactics often used in such emails, they should contact their financial institution via legitimate email or another form of communication. Requests to open a document in a sense of urgency and poor grammar are often indicative of malspam or phishing attacks. Said emails should be properly avoided and reported to the appropriate personnel.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Link - T1192 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Regsvr32 - T1117 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Logon Scripts - T1037 | [MITRE ATT&CK] New Service - T1050 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Registry Run Keys / Startup Folder - T1060 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] XSL Script Processing - T1220 | [MITRE ATT&CK] Security Software Discovery - T1063 | [MITRE ATT&CK] Remote File Copy - T1105
Tags: Cobalt Gang, CobInt, com-dll,
Oracle E-Business Suite Flaws Let Hackers Hijack Business Operations
(published: June 16, 2020)
Two vulnerabilities found in Oracle's E-Business Suite (EBS), dubbed "BigDebIT" were patched by Oracle in a critical patch update (CPU) pushed out earlier this January. The security flaws could be exploited by bad actors to target accounting tools such as General Ledger in a bid to steal sensitive information and commit financial fraud. Successful exploitation of this vulnerability would allow an attacker to steal financial data and cause delays in any financial reporting related to the company's compliance processes.
Recommendation: If using any of Oracle’s E-business Suite make sure to update your software and apply relevant patches.
Tags: Oracle E-business, BigDebIT, Oracle's E-Business Suite, CVE-2020-2586, CVE-2020-2587
Topics:
Anomali Cyber Watch
