Weekly Threat Briefing: APT Groups, Ransomware, Vulnerabilities, Zero-Day Exploits and More

The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Data breach, CactusPete, FoxKitten, Phishing, Smaug, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. <img src="https://cdn.filestackcontent.com/XGMkNXBFT5Stq6TMAZ3L"/> Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. <h2>Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/canada-suffers-cyberattack-used-to-steal-covid-19-relief-payments/" target="_blank">Canada Suffers Cyberattack Used to Steal COVID-19 Relief Payments</a></h3> (published: August 16, 2020) Canadian government portal “GCKey” used to provide access to services, has been the victim of an attack. GCKey provides the public with access to immigration, tax, pension and benefits. Out of 12 million accounts, 9,041 appear to have been breached in a credential stuffing attack. The affected accounts were cancelled by the government. Recommendation: Never use the same password and username combination, as this can be used in credential stuffing attacks. If you have concerns about your GCKey account, change the password immediately. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947087" target="_blank">[MITRE ATT&CK] Credential Dumping - T1003</a> Tags: Canada, COVID-19, Credential Stuffing, Government sites <h3 id="article-2" style="margin-bottom:0;"><a href="https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF" target="_blank">US Intelligence Exposes Russian Drovodub Malware</a></h3> (published: August 13, 2020) The National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) released a Cybersecurity Advisory disclosing the details of the Russian “Drovorub” malware. Drovorub is a Linux malware toolset that uses an implant coupled with a kernel module rootkit, a port forwarding tool, file transfer and a command and control server (C2). After deployment the malware allows for direct communication with actor-controlled infrastructure and intelligence exfiltration or remote control may begin. Drovorub is believed to have been deployed by APT28 (Fancy Bear, Strontium), an Advanced Persistent Threat (APT) group linked to the Russian General Staff Main Intelligence Directorate (GRU) known for primarily engaging in cyber espionage against a significant amount of Western nations. APT28’s targets in the past have included many industries: from aerospace, military and government to media and hospitality. Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947126" target="_blank">[MITRE ATT&CK] Standard Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947210" target="_blank">[MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/947191" target="_blank">[MITRE ATT&CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947190" target="_blank">[MITRE ATT&CK] Connection Proxy - T1090</a> | <a href="https://ui.threatstream.com/ttp/947092" target="_blank">[MITRE ATT&CK] Rootkit - T1014</a> Tags: Drovodub, GRU, Russian, APT, APT28, Fancy Bear, NSA, FBI <h3 id="article-3" style="margin-bottom:0;"><a href="https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/" target="_blank">CactusPete APT Targets Military in Eastern European</a></h3> (published: August 13, 2020) The Advanced Persistent Threat (APT) group CactusPete (Karma Panda, Tonto Team) has been observed targeting financial and military organizations in Eastern Europe. CactusPete is believed to be a Chinese sponsored group that has been active since 2012, they are known for primarily targeting Asian countries. Researchers from Kaspersky were able to link over 300 Bisonal samples to the group, observed in the wild between March 2019 and April 2020. Bisonal is a backdoor installed on a user’s system that allows the group to covertly gain control over a victim’s computer, CactusPete delivers the payload as a ‘magic’ attachment in spearphishing emails. No victims have been publicly named but Kaspersky believes the APT group was targeting sensitive information held by military and diplomatic organizations. The change in targeted victims could signal a shift within the group and their goals. Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/3297612" target="_blank">[MITRE ATT&CK] Internal Spearphishing - T1534</a> Tags: APT, China, CactusPete, Bisonal, spearphishing, military, backdoor <h3 id="article-4" style="margin-bottom:0;"><a href="https://www.group-ib.com/media/red-curl/" target="_blank">New APT Group Identified</a></h3> (published: August 13, 2020) Researchers from Group-IB have identified a new Advanced Persistent Threat (APT) group believed to have been active since 2018. Dubbed “RedCurl”, the group is thought to have been responsible for 26 targeted corporate espionage attacks throughout Russia, Ukraine, United Kingdom, Germany, Canada, and Norway. RedCurl appeared to be particularly interested in confidential corporate data from a wide range of industries including insurance, retail, law, and banking. Spearphishing was the primary method used to deliver the malicious payload, the emails were so convincing Group-IB commented that the emails resembled red team pen-testing exercises. The RedCurl.Dropper has been the groups favoured trojan; written in PowerShell, it would allow the group access to the victim's computer to begin file extraction. The trojan would remain on the victims network for an average of two to six months as all malicious network communication would be disguised through legitimate cloud services such as Cloudme. Group-IB have not offered any attribution at the time of publishing. Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/3297612" target="_blank">[MITRE ATT&CK] Internal Spearphishing - T1534</a> Tags: APT, espionage, corporate espionage, powershell, trojan, backdoor, spearphishing <h3 id="article-5" style="margin-bottom:0;"><a href="https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/" target="_blank">Internet Explorer and Windows Zero-day Exploits Used in Operation PowerFall</a></h3> (published: August 12, 2020) Researchers from Kaspersky have discovered a new campaign in May 2020 named “Operation PowerFall,” that may have been conducted by North Korea based threat group DarkHotel. In the campaign researchers observed an attack against a South Korean company by a malicious script for Internet Explorer. Analysis revealed that the attack used a previously unknown exploit chain that consisted of two zero-day exploits: a remote code execution exploit for Internet Explorer and an elevation of privilege exploit for Windows. The two vulnerabilities “CVE-2020-1380” and “CVE-2020-0986” used in the campaign have been fixed by Microsoft and patches were released as part of Patch Tuesday. Recommendation: Zero-day based attacks can sometimes be detected by less conventional methods, such as behavior analysis, and heuristic and machine learning based detection systems. Threat actors are often observed to use vulnerabilities even after they have been patched by the affected company. Continued usage of vulnerable applications will increase the likelihood that threat actors will attempt to exploit them, especially with open sources discussing the details of some vulnerabilities. Tags: CVE-2020-1380, CVE-2020-0986, 0day, exploit <h3 id="article-6" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/sans-infosec-training-org-suffers-data-breach-after-phishing-attack/" target="_blank">SANS Infosec Training Org Suffers Data Breach After Phishing Attack</a></h3> (published: August 11, 2020) The Cybersecurity training institute SANS has been breached after one of their employees fell victim to a phishing attack. The incident was discovered by SANS on August 6th as part of a review of their organization's email configuration. After the successful phishing attack, the threat actors proceeded to configure a rule that forwarded all email received in the compromised account to an "unknown external email address" and also installed a malicious Office 365 add-on.The configured rule forwarded a total of 513 emails, with some containing a total of approximately 28,000 records of personal information (PII) of SANS members. The breach did not include any exposed password or credit card information, but it exposed email addresses, full names, phone numbers and physical address. Those affected as part of this breach will be notified by SANS via email. Recommendation: Those who are affected by this information exposure should be vigilant targeted phishing attacks utilizing the stolen information. It is crucial that your company has password policies in place to avoid repetition across accounts and those that be easily brute-force attacked. Education is the best defense. Tags: SANS, Data Breach, PII <h3 id="article-7" style="margin-bottom:0;"><a href="https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/" target="_blank">SBA Phishing Scams: From Malware to Advanced Social Engineering</a></h3> (published: August 10, 2020) Researchers at Malwarebytes Labs have reported on three phishing campaigns using Small Business Administration (SBA) themed lures. The first campaign that was active in April used the theme to spread the malware GuLoader via an attachment named “SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.img”. The second campaign utilized a spoofed email address to trick the receiver to visit a page for credential harvesting. The most recent campaign was more advanced and started in early August. The campaign utilized a spoofed loan application to trick the receiver to give away bank information that the threat actor can use to steal money. The original form from SBA is intended to be printed and sent in the mail to one of the offices while the threat actor instead is requesting the receiver to fill it out electronically and reply back to the email with the filled out form. Recommendation: It is important that your company institute policies to educate your employees on phishing attacks. Specifically, how to identify such attacks and whom to contact if a phishing email is identified. Furthermore, maintain policies regarding what kind of requests and information your employees can expect to receive from colleagues and management to assist in identifying potential malicious communications. Tags: Phishing, SBA, COVID-19 <h3 id="article-8" style="margin-bottom:0;"><a href="https://www.anomali.com/blog/anomali-threat-research-releases-first-public-analysis-of-smaug-ransomware-as-a-service?&web_view=true" target="_blank">Anomali Threat Research Releases First Public Analysis of Smaug Ransomware as a Service</a></h3> (published: August 10, 2020) Anomali Threat Research (ATR) have released an analysis on the ransomware Smaug, a Ransomware-as-a-Service (RaaS). Sold on an onion site, Smaug can be purchased for around $2000 and is available for Linux, macOS and Windows. When the ransomware is purchased, the user is taken to a dashboard which enables them to create and manage campaigns, manage decryption keys, download payloads, and withdraw funds. Smaug is written in Golang and is designed to run offline. In order to encrypt files, a “goroutine” scans the partition for files and compares the extension to a list of file extensions, once identified the files are encrypted with AES. The ransom note is written to all folders with encrypted files and provides a link to an onion site where the victim can buy a decryption key. It is worth noting that the ransomware doesn’t delete backup on Windows systems, enabling file recovery if the feature is enabled. Recommendation: Ransomware can potentially be blocked by using endpoint protection solutions (HIDS). Always keep your important files backed up following the 3-2-1 rule: have at least 3 different copies, on 2 different mediums, with 1 off-site. In the case of ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a> Tags: Linux, macOS, Ransomware, RaaS, Smaug, Windows <h3 id="article-9" style="margin-bottom:0;"><a href="https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/" target="_blank">FBI Says an Iranian Hacking Group is Attacking F5 Networking Devices</a></h3> (published: August 10, 2020) The FBI released a notification to the US private sector last week about the exploitation of F5 BIG-IP devices by Iranian based threat group Fox Kitten (Parisite). Fox Kitten primarily operates by attacking expensive network equipment using exploits for recently disclosed vulnerabilities before companies have time to patch the devices. Once the group gains access to a device, they obtain legitimate credentials and install webshells to maintain access and for lateral movement. The FBI has asked US companies to patch their on-premise BIG-IP devices to prevent successful intrusions. The FBI notification also includes Fox Kitten’s Tactics, Techniques, Procedures (TTPs) and the tools the group frequently uses in their operations, allowing companies to deploy detections and countermeasures for prevention of future intrusions. Recommendation: Organizations should upgrade their BIG-IP software to the corresponding patches for CVE-2020-5902. Ensure detection rules are in place to detect the threat group Fox Kitten’s TTPs. Once a vulnerability has been reported threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity. Tags: BIG-IP, Fox kitten,Iran, CVE-2020-5902, Remote Code Execution, Vulnerability <h3 id="article-10" style="margin-bottom:0;"><a href="https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/" target="_blank">Exploiting vBulletin: “A Tale of a Patch Fail”</a></h3> (published: August 9, 2020) The security researcher “zenofex” has released a by-pass against “CVE-2019-16759”. The vulnerability is a remote code execution (RCE) affecting vBulletin. When the initial patch was released it was noted that the vulnerability was trivially exploited. The “widgetConfig[ code ]” parameter in “ajax/render/widget_php” can allow an attacker their own PHP code to be injected and executed. The new exploit uses the “widget_tabbedcontainer_tab_panel” to inject a template and by-pass the filtering added by the initial security fix. As part of the disclosure, Proof of Concept (PoC) code and a metasploit module was released. Recommendation: Patch is available for vBulletin 5.6.0, 5.6.1, 5.6.2. It is important to apply it as soon as possible. This vulnerability is known to be currently exploited. It is possible to disable PHP rendering or block requests to the vulnerable endpoint using a Web Application Firewall (WAF) until the patch can be applied. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&CK] Exploit Public-Facing Application - T1190</a> Tags: CVE-2019-16759, vBulletin, Exploit, By-pass