Weekly Threat Briefing: APT Group, Election Security, Emotet, Remote Access Trojans, and More

The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Data breach, Data leak, Malspam, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. <img src="https://cdn.filestackcontent.com/BupFBMARwS5Oqrje7cNQ"/> Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. <h2>Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1" style="margin-bottom:0;"><a href="https://www.zdnet.com/article/emotet-botnet-returns-after-a-five-month-absence/" target="_blank">Emotet Botnet Returns After a Five-month Absence</a></h3> (published: July 17, 2020) The most prolific and sophisticated malware botnet group, Emotet, has resumed campaigns after not being active for five months. The current spam campaigns that started July 17th, 2020, have resulted in at least 80,000 distributed emails to date. These emails contain either a Word doc containing a malicious macro or a malicious URL to download the maldoc. The current campaign appears to be largely targeting the US and UK, and the lures are in the English language. As the Emotet gang has been known to work with ransomware groups, security professionals tend to consider Emotet with the same urgency. Recommendation: It is important for businesses and individuals to educate themselves on email security to avoid falling for spam and phishing campaigns. In addition to education, businesses should have spam and malware protections around email, as well as defense in depth in general. Tags: Email, Emotet, Malicious Macros, Spam <h3 id="article-2" style="margin-bottom:0;"><a href="https://blog.talosintelligence.com/2020/07/what-to-expect-when-youre-electing.html" target="_blank">What To Expect When You’re Electing: Talos’ 2020 Election Security Primer</a></h3> (published: July 16, 2020) Security researchers with Cisco's Talos have concluded four year's worth of research into the 2016 election and the current state of election security around the upcoming 2020 election. The U.S. election system encompasses all levels of government, from federal funding and intelligence to states which largely control their own election systems and laws, to the local governments that largely rely on volunteers to run much of the voting systems. This stands in stark contrast to the coordinated state actors that are attempting to disrupt and infiltrate these systems. In what is to be a series of publications, Talos has begun to detail what we have learned about direct and social media directed election meddling in 2016, as well as ongoing and future actions that can be taken to ensure a fair and trusted 2020 election cycle. Recommendation: There remains much that needs to be done to properly secure the U.S. elections. One of the major issues appears to be a lack of transparency at many levels, especially regarding the security of both the hardware and software involved in voting. This includes touch screen voting machines, optical scanning ballot readers, local and centralized tabulation devices, etc. As an individual or organization, the best recommendation is to pay attention to your local election planning and possibly getting involved, especially from a security standpoint, as local elections boards are severely underfunded. Tags: Election Security, National Election, US Election <h3 id="article-3" style="margin-bottom:0;"><a href="https://www.securityweek.com/uk-us-canada-accuse-russia-hacking-virus-vaccine-trials?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29" target="_blank">Russia Accused of Hacking COVID-19 Virus Trials</a></h3> (published: July 16, 2020) The UK, US, and Canada have publicly accused Russian hackers of targeting coronavirus research activity. APT29 (aka Cozy Bear) has been singled out as the likely culprit for attacks targeting academic and pharmaceutical research groups attempting to develop a coronavirus vaccine. While currently unclear, the UK does not believe that any critical information was stolen. Long believed to be linked to the Russian SVR, APT29 has a history of stealing information from the energy sector, think tanks and various Government departments. The UK’s NCSC, US DHS, and Canada’s Communication Security Establishment were unanimous in their assertion of Russian hacker’s role in the attack, however, Russia has rejected these claims. Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts. Tags: APT29, Cozy Bear, Russia, SVR, COVID-19, coronavirus, pharmaceutical, academic, information stealing, <h3 id="article-4" style="margin-bottom:0;"><a href="https://www.securityweek.com/iran-linked-hackers-accidentally-exposed-40-gb-their-files?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29" target="_blank">Iranian Hackers Expose Training Videos in Blunder</a></h3> (published: July 16, 2020) Iranian hackers have exposed 40gb worth of their own training videos online in a massive op-sec blunder. Researchers in IBMs X-Force Incident Response Intelligence Services was able to capture five hours of footage from the APT35 group (aka Charming Kitten, Phosphorous, ITG18) used to train their operators. The videos were found in a virtual private cloud that was left unsecured due to misconfigured security settings. This server was known to actively host APT35 domains in early 2020. The videos show APT35’s spearphishing methods in action, in particular, compromising Google accounts and exfiltrating all relevant data, including location history from associated laptops and android devices. Other clips showed APT35 using dummy Yahoo! accounts to send phishing emails, these emails included the Iranian Country code +98 further strengthening the belief that APT35 operates out of Iran. Targets in the videos include the personal accounts of US and Greek Navy serving personnel and attempts to phish US State Department Officials. Importantly, APT35 simply passed on accounts that were secured with two-factor authentication, highlighting the strengths of enabling it on systems. Recommendation: It is crucial for your company to verify that access control is configured correctly prior to adding any sensitive data. A misconfigured cloud setting can cause leaks of sensitive information, which could be used for further malicious activity, and cause significant harm to a company’s reputation, or if you are a hacker, could be incredibly embarrassing. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/2402776">[MITRE PRE-ATT&CK] Spearphishing for Information - T1397</a> Tags: Iran, APT35, spearphishing, Charming Kitten, op-sec <h3 id="article-5" style="margin-bottom:0;"><a href="https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/" target="_blank">Turla / Venomous Bear Updates Its Arsenal: “Newpass” Appears On The Apt Threat Scene</a></h3> (published: July 14, 2020) Researchers from Telsy uncovered a new malware dubbed as “NewPass” is being utilized by the Russia based Advanced persistent threat (APT) group Venomous Bear aka Turla in June 2020. Researchers suspect that the implant has been used to target at least one European Union country in the sector of diplomacy and foreign affairs. NewPass is a complex piece of malware that is comprised of three main components such as a dropper, loader, and an agent that is responsible for communicating to the Command and Control (C2). The malware uses scheduled tasks, the creation of new services, or adding registry keys to achieve persistence on the victim host. NewPass uses a custom encryption mechanism to encrypt the HTTP header values during C2 communication. Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/2336969">[MITRE ATT&CK] Registry Run Keys / Startup Folder - T1060</a> | <a href="https://ui.threatstream.com/ttp/947127">[MITRE ATT&CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/947232">[MITRE ATT&CK] DLL Side-Loading - T1073</a> | <a href="https://ui.threatstream.com/ttp/947259">[MITRE ATT&CK] Data Encoding - T1132</a> | <a href="https://ui.threatstream.com/ttp/947229">[MITRE ATT&CK] Data Obfuscation - T1001</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041</a> Tags: APT, Encrypted, Turla <h3 id="article-6" style="margin-bottom:0;"><a href="https://www.zdnet.com/article/dhs-cisa-tells-government-agencies-to-patch-windows-server-dns-bug-within-24h/" target="_blank">SIGRed – Resolving Your Way into Domain Admin: Exploiting a 17 Year-old Bug in Windows DNS Servers</a></h3> (published: July 16, 2020) Security researcher Sagi Tzaik from Checkpoint discovered a 17-year old critical remote code execution vulnerability dubbed as “SigRed” that affects Windows Server versions 2003 to 2019. The vulnerability is tracked under “CVE-2020-1350” could allow an unauthenticated attacker to gain domain administrator privileges over the server if exploited successfully. To exploit this vulnerability the attacker has to send a crafted malicious DNS queries to the Windows DNS server and achieve arbitrary code execution which enables the attackers to intercept and manipulate user’s emails and network traffic, harvest user credentials, and more. The vulnerability is wormable meaning the infection could spread across servers without any human interaction. The code execution vulnerability exists due to the way Windows DNS server parses an incoming and forwarded DNS queries are handled. Recommendation: Researchers believe that the exploitation of the vulnerability is high and successful exploitation will result in an attacker gaining domain administrator privileges. It is highly recommended to patch the vulnerability CVE-2020-1350 in the Windows DNS server and as a temporary workaround, the maximum length of a DNS message (over TCP) can be set to "0xFF00" to eliminate the chances of a buffer overflow. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&CK] Exploitation for Client Execution - T1203</a> Tags: Bug, Remote Code Execution, SIGRed, Windows Server <h3 id="article-7" style="margin-bottom:0;"><a href="https://www.computerweekly.com/news/252486162/Patch-Tuesday-Microsoft-fixes-123-bugs-in-July-2020-update" target="_blank">Patch Tuesday: Microsoft Fixes 123 Bugs in July 2020 Update</a></h3> (published: July 15, 2020) Microsoft has issued its monthly Patch Tuesday initiative for July, and this month’s iteration addressed 123 fixes for 13 products. One of the most severe vulnerabilities, registered as “CVE-2020-1350,” affects Windows DNS and could be exploited by threat actors to create self-propagating (wormable) malware. Out of the 123 fixes, 31 of them addressed Remote Code Execution (RCE) vulnerabilities. Recommendation: Your company should have patch-maintenance policies in place to expect Microsoft’s Patch Tuesday every month. Continuing usage of vulnerability applications will increase the likelihood that threat actors will attempt to exploit them, especially with open sources discussing the details of some vulnerabilities. These sources could allow some actors to create exploits for vulnerable software with malicious intent. Tags: Vulnerabilities, Patch Tuesday, Wormable, RCE <h3 id="article-8" style="margin-bottom:0;"><a href="https://threatpost.com/brazils-banking-trojans-global/157452/" target="_blank">The Tetrade: Brazilian Banking Malware Goes Global</a></h3> (published: July 15, 2020) The sophistication level of the banking trojan landscape in South America has steadily been evolving, and Kaspersky researchers have analyzed four malware families that are prominent in the continent. This malware includes Astaroth, El Gran Grandoreiro, Javali, and Melcoz. In November 2019, Astorath actors began attaching HTML files to phishing emails that use JavaScript to download a malicious file instead of attaching a file to the email. El Gran Grandoreiro is the most widespread of the four and is distributed typically using compromised websites and Google Ads to download the malicious installer. Javali primarily targets financial entities in Brazil and Mexico, distributed through emails with a Microsoft Installer (MSI) file, uses DLL side-loading, and utilizes multiple layers of obfuscation. Melcoz threat actors are observed to operate with sophistication in their operations and have taken their campaigns around the world since at least 2018 using AutoIt or VBScripts added into MSI files for propagation; these files use DLL-hijacking to bypass security. Recommendation: Members of the financial services industry should be aware they are specifically-targeted by malware due to the nature of their business. Threat actors are consistently updating their Tactics, Techniques, and Procedures (TTPs), therefore, it is crucial that your employees are educated on commonly-used infection vectors, such as phishing and malicious attachments. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947191">[MITRE ATT&CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947216">[MITRE ATT&CK] Exploitation for Credential Access - T1212</a> | <a href="https://ui.threatstream.com/ttp/947142">[MITRE ATT&CK] Process Injection - T1055</a> Tags: Astaroth, DLL Sideloading, MSI, Phishing <h3 id="article-9" style="margin-bottom:0;"><a href="https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/" target="_blank">RATicate Upgrades “RATs as a Service” Attacks with Commercial “Decryptor”</a></h3> (published: July 14, 2020) The “RATicate” threat group, named after their distribution of Remote Access Tools (RATs), has offered to purchase approximately 14 unique RATs, according to Sophos researchers. RATicate has incorporated a different distribution method as of March 2020, around the time the group began using COVID-19 themed phishing emails. The malware delivery mechanism used by the group was found to be CloudEyE, which is “a multi-stage ‘loader’ with a wrapper written in Visual Basic.” Interestingly, CloudEyE creators’ original software, called DarkEyE Protector, was planned to be a tool for developers to enforce software licenses. However, threat actors saw the tool to be useful for malicious activity and began offering cracked versions on forums as a service. Recommendation: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioral analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity. Furthermore, ensure that your employees are educated about the risks of opening attachments, particularly from unknown senders and any attachment that requests macros to be enabled. Tags: RATs, MaaS <h3 id="article-10" style="margin-bottom:0;"><a href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/" target="_blank">GoldenSpy Chapter 4: GoldenHelper Malware Embedded in Official Golden Tax Software</a></h3> (published: July 14, 2020) Trustwave SpiderLabs researchers discovered a campaign in which threat actors embedded a new malware, dubbed “GoldenHelper,” into an Official Chinese Golden Tax Invoicing Software produced by Aisino. GoldenHelper is very similar to its predecessor GoldenSpy backdoor in that they both seek to gain persistence for subsequent malicious stages. At the time of this writing, the final payload, called “taxver.exe,” has not yet been acquired. This campaign was active in January 2018 and July 2019, and researchers contend that the progressively higher detection engine hits on GoldenHelper contributed to its self-deletion and end. The GoldenSpy malware campaign subsequently began in April 2020. Recommendation: This story portrays the risk of malware-embedded applications and how they can affect a company’s supply chain infrastructure. Threat actors are willing to go to great lengths to abuse trust relationships in supply-chain attacks. Therefore, it is paramount that your company has a cybersecurity framework in place that identifies all machines and devices that may have access to sensitive networks. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a> Tags: Embedded malware, Data theft <h3 id="article-11" style="margin-bottom:0;"><a href="https://nakedsecurity.sophos.com/2020/07/13/digicert-revokes-a-raft-of-web-security-certificates/" target="_blank">Digicert Revokes a Raft of Web Security Certificates</a></h3> (published: July 13, 2020) DigiCert has identified an issue where some of the intermediate CAs (ICAs) were not listed as part of Digicert most recent WebTrust EV audit. To resolve the issue, Digicert replaced the affected ICAs for EV only. OV and DV certificates are unaffected by these changes. Recommendation: Digicert recommended these actions for affected users Sign in to your account and locate if your certificate(s) are affected. Reissue ("Replace" if you are still managing certificates on the MSSL/CWS portals) and re-install affected certificates before July 11. Tags: Certificates, DigiCert