Weekly Threat Briefing: APT Group, Malware, Ransomware, and Vulnerabilities

<div id="weekly"> The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Conti Ransomware, Cryptominers, Emotet, Linux, US Election, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. <img src="https://cdn.filestackcontent.com/wOmkBZjBSXmst5LcONYD"/> Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. <div id="trending-threats"> <h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1" style="margin-bottom:0;"><a href="https://www.abc.net.au/news/2020-09-14/chinese-data-leak-linked-to-military-names-australians/12656668" target="_blank">China’s ‘Hybrid War’: Beijing’s Mass Surveillance of Australia and the World for Secrets and Scandal</a></h3> (published: September 14, 2020) A database containing 2.4 million people has been leaked from a Shenzhen company, Zhenhua Data, believed to have ties to the Chinese intelligence service. The database contains personal information on over 35,000 Australians and prominent figures, and 52,000 Americans. This includes addresses, bank information, birth dates, criminal records, job applications, psychological profiles, and social media. Politicians, lawyers, journalists, military officers, media figures, and Natalie Imbruglia are among the records of Australians contained in the database. While a lot of the information is public, there is also non-public information contributing to claims that China is developing a mass surveillance system. Recommendation: Users should always remain vigilant about the information they are putting out into the public, and avoid posting personal or sensitive information online. Tags: China, spying <h3 id="article-2" style="margin-bottom:0;"><a href="https://www.hackread.com/us-criminal-court-hit-by-conti-ransomware/" target="_blank">US Criminal Court Hit by Conti Ransomware; Critical Data at Risk</a></h3> (published: September 11, 2020) The Fourth District Court of Louisiana, part of the US criminal court system, appears to have become the latest victim of the Conti ransomware. The court's website was attacked and used to steal numerous court documents related to defendants, jurors, and witnesses, and then install the Conti ransomware. Evidence of the data theft was posted to the dark web. Analysis of the malware by Emsisoft’s threat analyst, Brett Callow, indicates that the ransomware deployed in the attack was Conti, which has code similarity to another ransomware strain, Ryuk. The Conti group, believed to be behind this ransomware as a service, is sophisticated and due to the fact that they receive a large portion of the ransoms paid, they are motivated to avoid detections and continue to develop advanced attacking tools. This attack also used the Trickbot malware in its exploit chain, similar to that used by Ryuk campaigns. Recommendation: Defense in Depth, including vulnerability remediation and scanning, monitoring, endpoint protection, backups, etc. is key to thwarting increasingly sophisticated attacks. Ransomware attacks are particularly attractive to attackers due to the fact that each successful ransomware attack allows for multiple streams of income. The attackers can not only extort a ransom to decrypt the victim's files (especially in cases where the victim finds they do not have appropriate disaster recovery plans), but they can also monetize the exfiltrated data directly and/or use the data to aid in future attacks. This technique is increasingly used in supply chain compromises to build difficult to detect spearphishing attacks. Tags: conti, ryuk, ransomware <h3 id="article-3" style="margin-bottom:0;"><a href="https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/" target="_blank">Microsoft Detail APT Attacks Against US Presidential Campaign</a></h3> (published: September 11, 2020) Microsoft has released a blog detailing the efforts of Russian, Chinese, and Iranian hackers targeting the 2020 US Presidential Election. Microsoft observed an escalation of efforts by APT groups with attacks focused on people and groups associated with both campaigns, however, they do state that Microsoft’s security tools were able to detect and prevent the majority of attacks. The attacks are believed to have been conducted by the usual suspects including APT28 (Fancy Bear), APT31 (Zirconiumn), and APT35 (Charming Kitten, Phosphorus). The Russian APT28 appears to be targeting both campaigns, whilst the Chinese APT31 is focusing on the Biden campaign and the Iranian APT35 is targeting the Trump campaign. Many of the attacks are attempts to harvest people of interest’s log-in credentials and compromise their accounts in an attempt to gather intelligence or disrupt operations. Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Tags: APT, apt28, apt31, apt35, fancy bear, charming kitten, phosphorus, China, Iran, Russia, US election, presidential election <h3 id="article-4" style="margin-bottom:0;"><a href="https://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/" target="_blank">Who Is Calling? CDRThief Targets Linux VoIP Softswitches</a></h3> (published: September 10, 2020) A new malware named “CDRThief” has been identified by ESET researchers. Targeting VoIP softswitches Linknat VOS2009 and VOS3000, the malware exfiltrates call data such as caller, call duration, call fee, callee IP address among other information. The call information is stolen from an internal MySQL database which is accessed using credentials taken from the softswitch config files. While the passwords are encrypted, CDRThief is able to decrypt them for use. Recommendation: It is crucial that your company ensure that servers are always running the most current software version. Your company should have policies in place in regards to the proper configurations needed for your servers to conduct your business needs safely. In addition, policies should be in place in regards to Bring-Your-Own-Device (BYOD) to consider every device as a potential security liability. Furthermore, always practice Defense-in-Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe). MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041</a> Tags: CDRThief, Linux, VoIP <h3 id="article-5" style="margin-bottom:0;"><a href="https://www.zdnet.com/article/blurtooth-vulnerability-lets-attackers-overwrite-bluetooth-authentication-keys/" target="_blank">Bluetooth Vulnerability Allows Attackers to Overwrite Authentication Keys</a></h3> (published: September 9, 2020) A vulnerability dubbed “BLURtooth” has been discovered in Bluetooth devices that target the Cross-Transport Key Derivation” (CTKD). The CTKD is used for setting up authentication keys when pairing Bluetooth devices and can now be overridden, granting attacker access to other Bluetooth-capable apps and services on a device. In some versions of the attack, the authentication keys are completely overridden, while in others they are downgraded. All devices using standard Bluetooth versions 4.0 and 5.0 are vulnerable. Patches are currently not available but are expected to be developed in response to the CVE-2020-15802 identifier. Recommendation: Users can keep track if their device has received a patch for the BLURtooth attacks by checking firmware and OS release notes for CVE-2020-15802, the bug identifier of the BLURtooth vulnerability. Tags: Bluetooth, blurtooth, vulnerability <h3 id="article-6" style="margin-bottom:0;"><a href="https://www.intezer.com/blog/cloud-workload-protection/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/" target="_blank">Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks</a></h3> (published: September 8, 2020) The threat actor group named “TeamTNT” is using an open source tool called Weave Scope to install cryptominers on Linux containers, according to researchers at Intezer. The threat actor group, who were recently accused of stealing AWS credentials have now expanded their attack technique. Access to the cluster environment is achieved via exposed Docker API sockets. A privileged container is deployed with access to the host’s filesystem. A local user named “hilde” is created to allow the group access to the environment via SSH. Once they have gained access, Weave Scope is installed to allow the threat actor to install their cryptominers in the containers running on the cluster. Recommendation: To ensure an organisation does not become a victim of these resource hijacking attacks, they are advised to make certain that endpoints are secure with the latest patches. It is also suggested that users be given standard user accounts and not have unnecessary escalated privileges as well as use endpoint antimalware tools to protect the docker containers. Organisations should also ensure that applications are appropriately configured to ensure that they cannot be abused by threat actors and in this case, prevent threat actors from using docker containers for cryptomining. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/2402525">[MITRE ATT&CK] Resource Hijacking - T1496</a> Tags: TeamTNT, Docker, cryptomining <h3 id="article-7" style="margin-bottom:0;"><a href="https://www.cert.govt.nz/it-specialists/advisories/emotet-malware-being-spread-via-email/" target="_blank">Emotet Malware Being Spread via Email</a></h3> (published: September 8, 2020) CERT NZ has released an advisory for increased Emotet phishing emails. According to the CERT, the emails include malicious attachments or links made to look like genuine invoices, financial documents, shipping information, resumes, scanned documents, or information on COVID-19. Emotet is designed to steal credentials but can also be used to install other malware. Recommendation: Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel. Tags: Emotet, phishing <h3 id="article-8" style="margin-bottom:0;"><a href="https://thehackernews.com/2020/09/emv-payment-card-pin-hacking.html" target="_blank">New PIN Verification Bypass Flaw Affects Visa Contactless Payments</a></h3> (published: September 7, 2020) Researchers from ETH Zurich published a new flaw in Visa’s EMV enabled cards that would allow the adversaries to bypass the PIN protection while making high-value purchases. EMV is an acronym of the three main credit card companies involved in the development of "smart" or chip cards, Europay, Mastercard, and Visa. This is a PIN bypass attack that allows the criminals to get hold of a victim’s stolen or lost credit card for making high-value purchases even without knowing the card’s PIN, and also trick a point of sale (PoS) terminal into accepting an unauthentic offline card transaction. All contactless cards that use the Visa protocol, including Visa Credit, Visa Debit, Visa Electron, and V Pay cards, are affected by the security flaw. The flaw does not affect Mastercard, American Express, and JCB. Recommendation: Researchers have notified Visa of the flaws, and they have also proposed three software fixes to the protocol to prevent PIN bypass and offline attacks, including using Dynamic Data Authentication (DDA) to secure high-value online transactions and requiring the use of online cryptogram in all PoS terminals, which causes offline transactions to be processed online. Tags: VISA, PIN bypass <h3 id="article-9" style="margin-bottom:0;"><a href="https://www.securityweek.com/microsoft-patches-129-vulnerabilities-september-2020-security-updates?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29" target="_blank">Microsoft Patches 129 Vulnerabilities With September 2020 Security Updates</a></h3> (published: September 8, 2020) Microsoft has released patches for 129 security bugs in its September Patch Tuesday update. These include 23 critical flaws, 105 that are important in severity, and one moderate bug. According to Microsoft none of these vulnerabilities are publicly exploited by threat actors. Out of these vulnerabilities, the “CVE-2020-16875” is more noticeable and severe according to researchers. CVE-2020-16875 is a Microsoft Exchange Memory Corruption Vulnerability that can allow a remote attacker to perform remote code execution by simply sending a specially crafted email to an Exchange server. Recommendation: Organizations should have patch-maintenance policies in place to expect Microsoft’s Patch Tuesday every month. Continuing usage of vulnerability applications will increase the likelihood that threat actors will attempt to exploit them, especially with open sources discussing the details of some vulnerabilities. These sources could allow some actors to create exploits for vulnerable software with malicious intent. Tags: Patch Tuesday, vulnerabilities </div> </div>