May 12, 2020
Anomali Threat Research

Weekly Threat Briefing: APT Group, Linux Malware, Ransomware, and More

<div id="weekly"><p id="intro">The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics:<b> APT, Bugs, Exploit, Healthcare Attacks, Naikon, </b> and <b> Vulnerabilities</b>. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. <img src=""/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p><div id="trending-threats"><h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2><h3 id="article-1" style="margin-bottom:0;"><a href="" target="_blank"><b>Bugs in Two Related WordPress Plugins Together Risked Over 1 Million Websites</b></a></h3><p>(published: May 10, 2020)</p><p>Two critical-severity WordPress plugin vulnerabilities have been identified by the Wordfence security team which could impact over a million WordPress websites. The two plugins affected are Elementor Pro and Ultimate Addons for Elementor, and the researchers have observed active exploitation of the vulnerabilities. Exploiting the Elementor Pro plugin allows for remote code execution attacks, granting a malicious actor the ability to gain full administrative access to WordPress if the site has open user registration. Websites with the “open user registration” option disabled can be exploited using the Ultimate Addons for Elementor registration bypass vulnerability. Developers behind both plugins have patched the flaws in Elementor Pro version 2.9.4 and Ultimate Addons for Elementor version 1.24.2.<br/> <b>Recommendation:</b> Users of these WordPress plugins should ensure they are using Elementor Pro version 2.9.4 and Ultimate Addons for Elementor version 1.24.2 or newer which include fixes to the vulnerabilities. All website owners, especially those using WordPress, should keep their installations and plugins up to date to ensure patches are installed as soon as they are available.<br/> <b>Tags:</b> Vulnerabilities, WordPress, Plugin, Registration bypass, Remote code execution</p><h3 id="article-2" style="margin-bottom:0;"><a href="" target="_blank"><b>Hacker Group Floods Dark Web with Data Stolen From 11 Companies</b></a></h3><p>(published: May 9, 2020)</p><p>The threat group known as Shiny Hunters are selling millions of user records for 11 different companies on an undisclosed dark web marketplace. The databases being sold include a combined total of 164.2 million user records, and have been steadily streamed to the marketplace since the beginning of May 2020. As of the time of this writing, the prices for each database ranges between $500 and $5,000 USD. The first reported database belongs to Tokopedia, an Indonesian online store, with over 90 million user records. The other companies reportedly involved are Bhinneka, ChatBooks, Chronicle Of Higher Education, Ggumim, HomeChef, Mindful, Minted, StarTribune, Styleshare, and Zoosk. The affected companies have been contacted by Bleeping Computer, as the data breaches appear legitimate, despite not being 100% confirmed.<br/> <b>Recommendation:</b> Individuals that have accounts with any of the impacted companies are strongly advised to change their login credentials immediately. Additionally, it is important to not reuse passwords for multiple sites and services. If the same credentials are used on any other sites, it is suggested that those accounts also be updated with new, unique passwords.<br/> <b>Tags:</b> Data breach, Shiny Hunters, Dark web marketplace</p><h3 id="article-3" style="margin-bottom:0;"><a href="" target="_blank"><b>Naikon APT: Cyber Espionage Reloaded</b></a></h3><p>(published: May 7, 2020)</p><p>Check Point Research have discovered evidence that the Advanced Persistent Threat (APT) group known as “Naikon” have been persistently targeting national government agencies in the Asia Pacific region since 2015 as part of a cyber-espionage campaign. Naikon APT has been using a new type of Remote Access Trojan (RAT) called “Aria-body” as a backdoor into government networks, targeting ministries of foreign affairs, science, and technology in Australia, Brunei, Indonesia, Myanmar, Philippines, Thailand, and Vietnam. Aria-body infects the network and servers of one target, and then uses the compromised infrastructure to launch new attacks, exploiting the trust between departments and governments to increase the chances of success, according to the Check Point report. Naikon threat actors use several different infection methods to deliver the Aria-body RAT, including malicious emails containing a Rich Text Format (RTF) file weaponized with “RoyalRoad” exploit builder malware, or directly via a legitimate executable file, which serves as a loader. These methods are aimed at personnel within target organizations to be able to use the compromised servers to more effectively infiltrate new agencies. According to reports by Kaspersky, ThreatConnect, and Defense Group Inc. in 2015, Niakon is believed to be Chinese-speaking and associated with China’s People’s Liberation Army (PLA) intelligence operations.<br/> <b>Recommendation:</b> This Naikon campaign is highly targeted, therefore, it is likely that actors are impersonating government employees or agencies in spearphishing emails. All employees should be educated on the risk of opening attachments or following links received from unknown or unexpected senders. Anti-spam and antivirus protection should be implemented and kept up-to-date with the latest version to better ensure security.<br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="">[MITRE ATT&amp;CK] Security Software Discovery - T1063</a> | <a href="">[MITRE ATT&amp;CK] System Network Configuration Discovery - T1016</a><br/> <b>Tags:</b> Naikon, APT, China, RAT, Aria-body, RoyalRoad, Malware</p><h3 id="article-4" style="margin-bottom:0;"><a href="" target="_blank"><b>Europe's Largest Private Hospital Operator Fresenius Hit by Ransomware</b></a></h3><p>(published: May 6, 2020)</p><p>The private hospital operator Fresenius has been compromised by SNAKE Ransomware. Frentius is the largest European private healthcare provider and has been in high demand for its dialysis service and products used to combat the ongoing COVID-19 pandemic. The SNAKE ransomware is written in Golang and appeared in January 2020, it attempts to identify any processes linked to enterprise management tools and industrial control systems (ICS). This ransomware attack comes after a series of ransomware campaigns targeting health care providers who are attempting to resolve the pandemic.<br/> <b>Recommendation:</b> Ransomware can potentially be blocked by using endpoint protection solutions (HIDS), but as this news shows, new threats are constantly evolving to bypass these protections. Always keep your important files backed up. In the case of ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.<br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> Fresenius, SNAKE, Ransomware, COVID-19</p><h3 id="article-5" style="margin-bottom:0;"><a href="" target="_blank"><b>Microsoft's GitHub Account Hacked, Private Repositories Stolen</b></a></h3><p>(published: May 6, 2020)</p><p>Threat actors claim to have gained full access to Microsoft’s private GitHub account, and have stolen over 500GB of data in private Microsoft projects. According to files released to Bleeping Computer by Shiny Hunters, the threat actors behind the breach, the event likely occurred March 28th, 2020, and Microsoft has stated that they are aware and investigating the claims behind the leak. Analysts at Bleeping Computer and cyber intelligence firm Under the Breach are of the opinion that the stolen data does not appear to contain sensitive code data for Windows or Office, and is mostly samples, test projects, and other generic items. Under the Breach did tweet concerns that private API keys or passwords could have inadvertently been left in the private repositories, as this has been done by developers in the past.<br/> <b>Recommendation:</b> It’s best practice for GitHub and other repository users to not commit personal config files into source control and to use password management tools and multi-factor authentication. While it is currently unknown how Shiny Hunters gained access into Microsoft’s private GitHub account, malicious actors are known to comb the Internet for config files with credentials listed in plain text to gain access to repositories. Avoid committing these files in the future and be sure to discuss best practices with team members.<br/> <b>Tags:</b> Microsoft, GitHub, Shiny Hunters</p><h3 id="article-6" style="margin-bottom:0;"><a href="" target="_blank"><b>Warning: Citrix ShareFile Flaw Could Let Attackers Steal Corporate Secrets</b></a></h3><p>(published: May 5, 2020)</p><p>Three critical vulnerabilities have been identified in Citrix ShareFile customer-managed storage zone controllers. Citrix ShareFile, a file sharing solution for businesses, allows employees to securely access and share proprietary and sensitive business data. According to Citrix, the vulnerabilities (CVE-2020-7473, CVE-2020-8982, CVE-2020-8983) if exploited, would allow an unauthenticated malicious actor access to ShareFile users’ documents and folders. According to Nate Warfield, a Senior Security Program Manager for the Microsoft Security Response Center, a search on Shodan revealed close to 2,800 exposed Citrix ShareFile storage servers. Citrix has released a mitigation tool and updates that include fixes for the three vulnerabilities, which affect ShareFile storage zone Controller 5.9.0, 5.8.0, 5.7.0, 5.5.0, and 5.5.0. Citrix warns that even updated storage zone controllers that were created using vulnerable versions are at risk, and must also run the mitigation tool on primary and secondary storage zone controllers.<br/> <b>Recommendation:</b> Threat actors are consistently looking for new ways to conduct malicious activity, therefore, it is crucial that your company has security and patch-maintenance policies in place. The security update should be applied as soon as possible to avoid potential exploitation. Citrix ShareFile customers that manage the zones themselves should ensure they are running a supported version and have run the mitigation tool (available at, requires login credentials) if necessary.<br/> <b>Tags:</b> CVE-2020-7473, CVE-2020-8982, CVE-2020-8983, Citrix, ShareFile</p><h3 id="article-7" style="margin-bottom:0;"><a href="" target="_blank"><b>APT Groups Target Healthcare and Essential Services</b></a></h3><p>(published: May 5, 2020)</p><p>The US Department of Homeland Security (DHS) and Cybersecurity and Infrastructure Security Agency (CISA) have issued an alert regarding Advanced Persistent Threat (APT) actors targeting COVID-19 response organizations. The targeted entities include: academia, healthcare, local governments, medical research, and pharmaceutical. The unnamed APT groups are using password spraying attacks, which are automated attacks using a list of passwords. The list of passwords could be a combination of previously compromised credentials or common passwords, among others.<br/> <b>Recommendation:</b> It is crucial that your company has password policies in place to avoid repetition across accounts, and mandate a level of password complexity that can resist brute force and password-spray attacks. Educate your employees of the dangers that these styles of attacks impose, and why mitigation must be in place prior to an incident taking place. Threat actors of all levels of sophistication are capable of utilizing brute-force and password-spraying attacks, therefore, it is paramount that all companies take steps to avoid these attacks.<br/> <b>Tags:</b> APT, COVID-19, Password spraying</p><h3 id="article-8" style="margin-bottom:0;"><a href="" target="_blank"><b>Kaiji: New Chinese Linux Malware Turning to Golang</b></a></h3><p>(published: May 4, 2020)</p><p>A new Internet of Things (IoT) botnet called, “Kaiji,” that targets IoT devices and servers with SSH brute-force attacks, according to Intezer researchers. The malware utilizes a custom implant, which was dubbed Kaiji by MalwareMustDie, instead of utilizing some publicly-available ones such as Mirai. Kaiji was built by threat actors in the Golang programming language, which has been increasingly utilized by threat actors. The malware only targets root users while conducting its only method of propagation through SSH brute force, and if Kaiji makes a connection it will launch a bash script to begin the installation process.<br/> <b>Recommendation:</b> Botnet malware typically takes advantage of internet-connected devices that have been misconfigured, or do not have security updates applied, however, as Kaiji shows there are Internet of Things (IoT) botnets that conduct brute-force attacks. Any device that connects to the internet must be treated as a security liability, and default usernames and passwords must be disabled. In addition, changing default port configurations can assist in preventing malware that scans for such configuration. Organizations and defenders should be aware of all their internet facing assets and have them under strict monitoring.<br/> <b>Tags:</b> Botnet, IoT, Kaiji, SSH brute force</p><h3 id="article-9" style="margin-bottom:0;"><a href="" target="_blank"><b>Live Streaming Adult Site Leaves 7 Terabytes of Private Data Exposed</b></a></h3><p>(published: May 4, 2020)</p><p>Researchers at SafetyDetectives have identified an exposed database used by the adult streaming website CAM4[.]com which has leaked over seven terabytes of data related to customers. CAM4 is a website used for livestreaming explicit material to adults and researchers were able to find an unsecured ElasticSearch database containing the personally identifiable information (PII) of the website's customers. The data leaked includes firstname, surname, credit card data, email addresses and sexual orientation. U.S.A, Brazil and Italy were listed as the largest customer base for the platform with 10.88 billion records identified in the leak.<br/> <b>Recommendation:</b> Leaks of this sort may cause affected individuals to be at a greater risk of phishing attacks. Actors can use this information to craft custom emails to increase their chances of malicious activity being approved by the recipient. Individuals who have accounts associated with this incident should change their passwords as soon as possible, particularly if passwords for said accounts are the same to other online accounts. Individuals should also regularly monitor their credit reports for suspicious activity or consider an identity theft protection service.<br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Valid Accounts - T1078</a> | <a href="">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a><br/> <b>Tags:</b> CAM4, Data leak, PII</p><h3 id="article-10" style="margin-bottom:0;"><a href="" target="_blank"><b>Hackers Exploit Critical Flaw in Ghost Platform with Cryptojacking Attack</b></a></h3><p>(published: May 4, 2020)</p><p>Threat actors over the weekend have been targeting the Ghost publishing platform in resource hijacking campaigns to mine cryptocurrency. Ghost is an open-source platform used for publishing and has over two million customers including Mozilla and DuckDuckGo. Threat actors were leveraging the vulnerabilities registered as "CVE-2020-11651" and "CVE-2020-11652", which allow for remote code execution capabilities on servers in data centers and in the cloud. The exploit comes from Ghost's usage of SaltStack, which provides the server management infrastructure of the platform.<br/> <b>Recommendation:</b> Cryptocurrency malwares are becoming increasingly common amongst threat actors. As this story portrays, it is important that your company institute policies regarding software in use and proper maintenance. New security updates should be applied as soon as possible because they often fix minor bugs and critical vulnerabilities that delay work-flow or can be exploited by malicious actors. Third-party software vendors must ensure that their software is secure frequently to avoid customers falling victim to cyber threats due to their own vulnerabilities.<br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Exploitation for Privilege Escalation - T1068</a> | <a href="">[MITRE ATT&amp;CK] Supply Chain Compromise - T1195</a> | <a href="">[MITRE ATT&amp;CK] Resource Hijacking - T1496</a><br/> <b>Tags:</b> Ghost, Resource Hijacking, Cryptocurrency mining, CVE-2020-11651, CVE-2020-11652</p></div></div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.