April 21, 2020 - Anomali Threat Research

Weekly Threat Briefing: APT41, COVID-19, Government Phishing and More

<div id="weekly"><p id="intro">The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: <b>APT, Mobile Malware, Patching, PoetRAT, Ransomware,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. <img src="https://anomali-labs-public.s3.amazonaws.com/747296.png"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p><div id="trending-threats"><h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2><h3 style="margin-bottom:0;"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/" target="_blank"><b>Gamaredon APT Group Use COVID-19 Lure in Campaigns</b></a></h3><p>(published: April 17, 2020)</p><p>Gamaredon has been found to be among the Advanced Persistent Threat (APT) groups taking advantage of the coronavirus pandemic by using COVID-19 lures in recent campaigns. The targeted emails, with subject lines such as "Coronavirus (2019-nCoV)", contain a .docx file which, when opened, uses a template injection technique to download a template from the internet. The downloaded template then executes a VBScript via malicious macro code. The routines of the VBScript, observed by security company Trend Micro, closely match previously reported scripts attributed to Gamaredon.<br/> <b>Recommendation:</b> This serves as a reminder to avoid documents that request macros to be enabled. All employees should be educated on the risk of opening attachments from unknown senders. Anti-spam and antivirus protection should be implemented and kept up-to-date with the latest version to better ensure security. Detection and prevention measures should be taken to ensure that users do not fall victim to phishing. 
Sophisticated, targeted attacks should be reported to the respective investigative government authorities.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947211">[MITRE ATT&amp;CK] Registry Run Keys / Start Folder (T1060)</a> | <a href="https://ui.threatstream.com/ttp/2402541">[MITRE ATT&amp;CK] Data Destruction - T1485</a> | <a href="https://ui.threatstream.com/ttp/947164">[MITRE ATT&amp;CK] File Deletion - T1107</a> | <a href="https://ui.threatstream.com/ttp/2336976">[MITRE ATT&amp;CK] Template Injection - T1221</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947291">[MITRE ATT&amp;CK] Commonly Used Port - T1043</a> | <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947278">[MITRE ATT&amp;CK] Remote File Copy - T1105</a><br/> <b>Tags:</b> Gamaredon, COVID-19, Phishing, Macros, VBScript</p><h3 style="margin-bottom:0;"><a href="https://techcrunch.com/2020/04/16/clearview-source-code-lapse/" target="_blank"><b>Security Lapse Exposed Clearview AI Source Code</b></a></h3><p>(published: April 16, 2020)</p><p>The source code, internal files, and applications of the controversial face recognition startup Clearview AI were exposed online owing to a misconfigured server. 
Dubai-based cybersecurity firm SpiderSilk found that although the repository was password protected, its settings meant that anyone could register as a new user and gain authenticated access. SpiderSilk opted to report the finding directly to Clearview AI but declined a bug bounty reward, which would have prevented it from disclosing the find publicly.<br/> <b>Recommendation:</b> Always make sure your cloud storage is properly configured. Experts have been warning companies that repositories such as Amazon S3 buckets are too often misconfigured. Leaked data can be used by extortionists in an attempt to make money. Ensure that any cloud storage services you use are properly configured to only allow access to trusted and authorized users. Require multi-factor authentication for access to the most sensitive materials you store.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a><br/> <b>Tags:</b> Clearview AI, Server Misconfiguration, Cloud Storage</p><h3 style="margin-bottom:0;"><a href="https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html" target="_blank"><b>PoetRAT: Python RAT uses COVID-19 Lures to Target Azerbaijan Public and Private Sectors</b></a></h3><p>(published: April 16, 2020)</p><p>A previously unknown Remote Access Trojan (RAT), dubbed "PoetRAT", was discovered by Cisco Talos researchers being used to target organisations in Azerbaijan. The RAT gets its name from references to William Shakespeare in the payload code. The malware shows particular interest in the energy sector and the Supervisory Control and Data Acquisition (SCADA) systems used for wind turbines. The RAT itself is installed onto a victim system when a Word document referencing the COVID-19 pandemic is opened, dropping a Visual Basic script that writes a ZIP file to disk. 
The ZIP file contains a Python interpreter and the RAT, which is executed after an environment check. The linkage between the fake domains and the Word documents is yet to be clarified. The RAT's abilities include password stealing, file collection, screen capture, system information collection, backdoor capabilities and executing further commands requested by the C2 server. All collected files are exfiltrated to PoetRAT's C2 server using FTP.<br/> <b>Recommendation:</b> At the time of this writing, the distribution method for the malicious Word document has not been reported; however, it does serve as a reminder to avoid documents that request macros to be enabled. Education is the best defense: inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack. Anti-spam and antivirus protection should be implemented and kept up-to-date with the latest version to better ensure security.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947079">[MITRE ATT&amp;CK] Screen Capture - T1113</a> | <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947141">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/947166">[MITRE ATT&amp;CK] Modify Registry - T1112</a> | <a href="https://ui.threatstream.com/ttp/947195">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947211">[MITRE ATT&amp;CK] Registry Run Keys / Start Folder (T1060)</a> | <a href="https://ui.threatstream.com/ttp/947224">[MITRE ATT&amp;CK] Exfiltration Over 
Alternative Protocol - T1048</a> | <a href="https://ui.threatstream.com/ttp/947229">[MITRE ATT&amp;CK] Data Obfuscation - T1001</a> | <a href="https://ui.threatstream.com/ttp/947268">[MITRE ATT&amp;CK] Hidden Files and Directories - T1158</a> | <a href="https://ui.threatstream.com/ttp/2402543">[MITRE ATT&amp;CK] Virtualization/Sandbox Evasion - T1497</a><br/> <b>Tags:</b> PoetRAT, Azerbaijan, COVID-19, Government, SCADA Systems</p><h3 style="margin-bottom:0;"><a href="https://blog.avast.com/malvertising-campaign-targeting-internet-explorer-users" target="_blank"><b>Malvertising Campaign Taking Advantage of COVID-19 Targeting Internet Explorer Users to Steal their Information</b></a></h3><p>(published: April 16, 2020)</p><p>Malvertising campaigns emerging in late March 2020 have been leveraging the COVID-19 pandemic to spread information-stealing malware via vulnerable Internet Explorer browsers. Threat actors are purchasing advertising space for fictitious adverts related to the coronavirus pandemic. Once a user has clicked on one of these adverts and visits the malicious domain, the Fallout exploit kit (EK) is used to exploit the Adobe Flash Player vulnerability "CVE-2018-15982" in Internet Explorer. This is done to deploy the information-stealing malware Kpot v2.0. The malware collects information including: computer name, username, password, IP address, and currently installed software. Collected information is exfiltrated to the threat actor’s C2 server. Kpot can also communicate with its C2 server to collect more data from the user, including browser cookies, screen captures, and website credentials.<br/> <b>Recommendation:</b> Users should be cautious when clicking on advertisements because, as this story portrays, malicious advertisements can sometimes appear on legitimate online locations. 
If the advertised product is appealing, it would be safer to search for the product on the authentic website of the company that is selling the product, or on other trusted online shopping locations. The same logic can be applied to advertised news stories: it would be safer to search for the story or headline on trusted media sources instead of following advertisements. It should also be noted that the vulnerability "CVE-2018-15982" was patched in January 2019, and users of Internet Explorer are advised to update their browsers if they haven’t already done so.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947079">[MITRE ATT&amp;CK] Screen Capture - T1113</a> | <a href="https://ui.threatstream.com/ttp/947082">[MITRE ATT&amp;CK] System Owner/User Discovery - T1033</a> | <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&amp;CK] Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947117">[MITRE ATT&amp;CK] Automated Collection - T1119</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947141">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&amp;CK] Exfiltration Over Command and Control Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a><br/> <b>Tags:</b> Malvertising, COVID-19, Internet Explorer, CVE-2018-15982</p><h3 style="margin-bottom:0;"><a href="https://www.helpnetsecurity.com/2020/04/16/cisco-ip-phones-vulnerabilities/" target="_blank"><b>Using Cisco IP Phones? 
Fix These Critical Vulnerabilities</b></a></h3><p>(published: April 16, 2020)</p><p>Developers at Cisco have recently patched vulnerabilities in Cisco IP phones that, if exploited, would allow threat actors to gain root privileges and perform code execution on unauthorised systems. The vulnerabilities, registered as "CVE-2020-3161" and "CVE-2016-1421", were discovered in the affected systems by Tenable engineer Jacob Baines. Tenable had previously reported on "CVE-2016-1421" when it was initially discovered, but at the time did not note the potential for a Denial of Service (DoS) attack or for threat actors gaining root privileges. The vulnerabilities are due to poor validation of user input in HTTP requests. Threat actors can leverage this by crafting HTTP requests that cause a stack buffer overflow. Exploitation of these vulnerabilities could result in Denial of Service (DoS) attacks and grant unauthenticated users root privileges.<br/> <b>Recommendation:</b> The security update should be applied as soon as possible because of the high criticality rating of this vulnerability and the potential for an actor to take control of an affected system. 
Additionally, your company should have policies in place to review and apply security updates for the firmware of systems to prevent compromises through known vulnerabilities that threat actors may exploit.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a><br/> <b>Tags:</b> Cisco IP Phones, CVE-2020-3161, CVE-2016-1421, Patch Management</p><h3 style="margin-bottom:0;"><a href="https://blog.lookout.com/nation-state-mobile-malware-targets-syrians-with-covid-19-lures" target="_blank"><b>Nation-state Mobile Malware Targets Syrians with COVID-19 Lures</b></a></h3><p>(published: April 15, 2020)</p><p>The Syrian Electronic Army (SEA), a Syrian state-sponsored threat group, has been linked to an ongoing surveillance campaign targeting Arabic-speaking citizens in Syria and its surrounding areas. Researchers from Lookout have found 71 malicious Android applications that were connected to a C2 server hosted by Tarassul, an Internet Service Provider (ISP) owned by the Syrian Telecommunications Establishment (STE). STE has a long history of collaborating with the SEA. The applications impersonated legitimate ones using names such as "Covid19", "Telegram Covid_19" and "Threema Arabic", but were in fact SpyNote samples, which are used to collect user input, version numbers, and other system information. As well as SpyNote, the malicious applications included Andoserver and SLRat variants. The malware's capabilities include, but are not limited to, screen capture, tracking, exfiltration of SMS messages and recording audio.<br/> <b>Recommendation:</b> All applications should be carefully researched prior to installing on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted prior to allowing those permissions. 
Additionally, all applications, especially free versions, should only be downloaded from trusted vendors.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947079">[MITRE ATT&amp;CK] Screen Capture - T1113</a> | <a href="https://ui.threatstream.com/ttp/947141">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/1260052">[MITRE MOBILE-ATT&amp;CK] Access Contact List - T1432</a> | <a href="https://ui.threatstream.com/ttp/1260053">[MITRE MOBILE-ATT&amp;CK] Access Sensitive Data in Device Logs - T1413</a> | <a href="https://ui.threatstream.com/ttp/1260054">[MITRE MOBILE-ATT&amp;CK] Access Sensitive Data or Credentials in Files - T1409</a> | <a href="https://ui.threatstream.com/ttp/1260088">[MITRE MOBILE-ATT&amp;CK] Location Tracking - T1430</a> | <a href="https://ui.threatstream.com/ttp/1260119">[MITRE MOBILE-ATT&amp;CK] System Information Discovery - T1426</a><br/> <b>Tags:</b> Syrian Electronic Army, Surveillance, Android, Spyware</p><h3 style="margin-bottom:0;"><a href="https://nakedsecurity.sophos.com/2020/04/15/wordpress-woocommerce-sites-targeted-by-card-skimming-attacks/" target="_blank"><b>WordPress WooCommerce Sites Targeted by Card Swiper Attacks</b></a></h3><p>(published: April 15, 2020)</p><p>Modification of legitimate JavaScript files has allowed threat actors to carry out credit card fraud by targeting WordPress websites using the WooCommerce plugin, as found by web security company Sucuri. The reported incident only came to light after a spate of complaints from victims, which prompted an investigation that involved running an integrity check on system files. It was found that the threat actors had gone so far as to clear the cache on the site in an attempt to evade detection. 
While it remains unclear how the actors got into the site, Sucuri researchers noted that the malicious code was loaded via a PHP file. Incidents targeting eCommerce have increased in recent years, with users of the Magento platform most notably affected.<br/> <b>Recommendation:</b> eCommerce site owners must take every step necessary to secure their data and safeguard payment card information. A bad experience at a retailer's site may mean the loss of revenue as impacted users take their money elsewhere.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a><br/> <b>Tags:</b> WordPress, WooCommerce, JavaScript</p><h3 style="margin-bottom:0;"><a href="https://medium.com/mycrypto/discovering-fake-browser-extensions-that-target-users-of-ledger-trezor-mew-metamask-and-more-e281a2b80ff9" target="_blank"><b>Discovering Fake Browser Extensions That Target Users of Ledger, Trezor, MEW, Metamask, and More</b></a></h3><p>(published: April 14, 2020)</p><p>Bloggers on medium.com have discovered a large number of malicious Chrome extensions being used to target cryptocurrency platforms. These fake extensions have been seen impersonating platforms including Ledger, Trezor, MyEtherWallet and many more. The extensions send a notification to their Command and Control (C2) domain when users enter private keys so that the keys can be collected. The threat actors then use the collected keys to drain users' crypto wallets. This is quite a recent attack, as the majority of the C2 domains used were registered between March and April 2020.<br/> <b>Recommendation:</b> While web browser extensions can be useful in day-to-day business activities, it is possible, as this story describes, for malicious extensions to make their way into legitimate services (Google has since removed the malicious extensions). 
Your company should only use browser extensions and add-ons provided by trusted providers.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a><br/> <b>Tags:</b> Fake Extensions, Cryptocurrency, Ledger, MyEtherWallet, Trezor, Electrum</p><h3 style="margin-bottom:0;"><a href="https://www.darkreading.com/vulnerabilities---threats/vulnerability-management/patch-a-palooza-more-than-560-flaws-fixed-in-a-single-day/d/d-id/1337564" target="_blank"><b>Patch-a-Palooza: More Than 560 Flaws Fixed in a Single Day</b></a></h3><p>(published: April 14, 2020)</p><p>There were 567 patches issued in a mammoth Patch Tuesday release by six enterprise software giants, with Adobe, Intel, VMware, SAP, Microsoft, and Oracle all issuing fixes for software vulnerabilities. As many companies continue to adjust to a majority of their employees working from home, this announcement may cause issues for those companies that are not yet using remote patching. In a breakdown of the patches, Oracle addressed 405 security vulnerabilities across 26 of its products, while Microsoft dealt with 113 issues, the most notable relating to the Windows OS, Microsoft Office, and the Edge browser. SAP released fixes for 33 flaws while Intel, Adobe, and VMware accounted for nine, five, and two of the patches respectively. Microsoft’s release is particularly notable as it includes a patch for a remote code execution vulnerability which, according to Kenna Security, is currently being used in active attacks.<br/> <b>Recommendation:</b> It is important that your company has patch-maintenance policies in place, particularly when there are Bring Your Own Device (BYOD) policies in use. Once a vulnerability has been reported on in open sources, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. 
Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947209">[MITRE ATT&amp;CK] Third-party Software - T1072</a><br/> <b>Tags:</b> Microsoft, Oracle, SAP, Adobe, VMware, Intel, Patch Management, CVE-2020-0796</p><h3 style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/" target="_blank"><b>RagnarLocker Ransomware Hits EDP Energy Giant, Asks for €10M</b></a></h3><p>(published: April 14, 2020)</p><p>The Portuguese energy firm Energias de Portugal (EDP) has been compromised by the Ragnar Locker ransomware, which has encrypted over 10TB of sensitive documentation. When executed, Ragnar enumerates all files and encrypts them using an embedded RSA-248 key. Files are appended with specific extensions depending on the type of file. Ragnar Locker has been seen using the managed service provider (MSP) tool ConnectWise as a method of evasion during deployment. The EDP Group is one of the largest organisations in the energy sector, with over 11 million customers, and is being asked to pay a ransom of 1580 bitcoin (BTC), which equals about €10M at the time of reporting. The encrypted documents relate to billings, contracts, transactions, client information, and group partner information. The operators have leaked images of the encrypted files to prove their legitimacy, and if the ransom is not paid, the documents will be released online.<br/> <b>Recommendation:</b> Ransomware can potentially be blocked by using endpoint protection solutions (HIDS), but as this story of the EDP Group shows, new threats are constantly evolving to bypass these protections. Always keep your important files backed up. In the case of a ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. 
Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies, who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947195">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> RagnarLocker, Ransomware, Data Leak, EDP, Energy</p><h3 style="margin-bottom:0;"><a href="https://www.helpnetsecurity.com/2020/04/14/cve-2020-3952/" target="_blank"><b>VMware Plugs Critical Flaw in vCenter Server, Patch ASAP</b></a></h3><p>(published: April 14, 2020)</p><p>A severe vulnerability registered as "CVE-2020-3952", which is part of VMware’s Directory Service (vmdir), has recently been patched by VMware developers. When exploited, "CVE-2020-3952" could compromise the server management software vCenter Server, which is part of VMware, or other services that use the Directory Service (vmdir). Threat actors would be able to use this vulnerability to gain sensitive information from users' systems. The vulnerability exists in Windows systems and virtual machines that run version 6.7 of vCenter Server and has a CVSSv3 rating of 10.0.<br/> <b>Recommendation:</b> Since the report of this vulnerability, VMware developers have released a patch for it. The security update should be applied as soon as possible because of the high criticality rating of this vulnerability and the potential for an actor to take control of an affected system. 
Additionally, your company should have policies in place to review and apply security updates for software in use to protect against known vulnerabilities that threat actors may exploit.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a><br/> <b>Tags:</b> VMware, CVE-2020-3952, vCenter Server, Data breach</p><h3 style="margin-bottom:0;"><a href="https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/" target="_blank"><b>Malicious Attackers Target Government and Medical Organizations with COVID-19 Themed Phishing Campaigns</b></a></h3><p>(published: April 14, 2020)</p><p>Researchers from Palo Alto Networks have reported the ongoing targeting of healthcare organisations as a result of the COVID-19 pandemic. Cybercriminals are conducting spearphishing campaigns using addresses that masquerade as the World Health Organization (WHO) to deliver the EDA2 ransomware. The emails involved contained a Rich Text Format (RTF) file, "20200323-sitrep-63-covid-19.doc", which when opened would leverage the vulnerability "CVE-2012-0158" to deliver the EDA2 payload to users' systems. The ransomware encrypts files on the system and appends the ".locked20" extension to them.<br/> <b>Recommendation:</b> The COVID-19 pandemic is of great focus in the world today, and cybercriminals are leveraging it to extort individuals. Education is the best defense: inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack. Users who have received suspected malspam should report it to the relevant authorities. Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. If a reproducible backup is not available. 
Employers must educate employees about the dangers of opening attachments or downloading applications that did not come from the official source.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947195">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> COVID-19, Healthcare, EDA2, Ransomware, CVE-2012-0158</p><h3 style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/over-500-000-zoom-accounts-sold-on-hacker-forums-the-dark-web/" target="_blank"><b>Over 500,000 Zoom Accounts Sold On Hacker Forums, The Dark Web</b></a></h3><p>(published: April 13, 2020)</p><p>Zoom credentials are being offered on the dark web for less than a penny, or, in some cases, for free, so that hackers can utilize them for Zoom-bombing pranks and other malicious activities. As early as April 1st, Cyble reported seeing free Zoom login details appearing on hacker forums. It is believed that the details were obtained through credential stuffing attacks using account details that had been leaked in earlier data breaches. Accounts relating to educational institutions such as the University of Colorado, Lafayette, and Dartmouth appear on lists of email address and password combinations shared via text sharing sites. Credentials that appear to relate to high-profile companies such as Citibank and Chase also appear on account lists purchased by Cyble.<br/> <b>Recommendation:</b> It is important that your company and employees use different passwords for the different accounts that are being used. 
As this story portrays, previous breaches can allow actors to gain access to other accounts because users frequently use the same username and password combinations for multiple accounts.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&amp;CK] Credential Dumping - T1003</a><br/> <b>Tags:</b> Zoom, Credential Stuffing, Credential Dumping, Data Breach, Password Reuse</p><h3 style="margin-bottom:0;"><a href="https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/" target="_blank"><b>APT41 Using New Speculoos Backdoor to Target Organizations Globally</b></a></h3><p>(published: April 13, 2020)</p><p>The Chinese Advanced Persistent Threat (APT) group APT41 has recently been seen deploying the Speculoos backdoor on FreeBSD systems. Industry targets include education, government, and healthcare, with Speculoos being spread to systems by leveraging the vulnerability "CVE-2019-19781", which affects Citrix appliances. Once the Speculoos payload is executed on the target system, it enters a loop waiting for commands from its Command and Control (C2) server. The backdoor collects system information and sends it back to its C2 server. Speculoos also has the ability to communicate with its C2 and receive extra functionality, which includes downloading/uploading files, killing processes and command line execution.<br/> <b>Recommendation:</b> Patches have since been released for all affected appliances, but threat actors are known to continue exploiting vulnerabilities even after they have been patched by the affected company. 
As this story portrays, it is crucial that policies are in place to ensure that all employees install patches as soon as they are made available in order to prevent exploitation by malicious actors.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947191">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947195">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&amp;CK] Exfiltration Over Command and Control Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/947291">[MITRE ATT&amp;CK] Commonly Used Port - T1043</a><br/> <b>Tags:</b> APT41, CVE-2019-19781, Speculoos, Backdoor, FreeBSD</p></div></div>
