March 30, 2020
Anomali Threat Research

Weekly Threat Briefing: APT41, Exploits, lightSpy, TA505 and More

<div id="weekly"><p id="intro">The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics:<b> APT Groups, Data Breach, Mobile Malware, Router Vulnerabilities, Remote Access Trojans,</b> and <b> Vulnerabilities</b>. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. <img src="" /><br /> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p><div id="trending-threats"><h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2><h3 style="margin-bottom:0;"><a href="" target="_blank"><b>Group-IB: New Financially Motivated Attacks in Western Europe Traced to Russian-Speaking Threat Actors</b></a></h3><p>(published: March 27, 2020)</p><p>Group-IB researchers have identified successful attacks against Western Europe from January 2020. Attributed to Silence and TA505, the attacks targeted pharmaceutical and manufacturing industries. TA505 have targeted banks, medical retailers, with banks and finance being the targets of Silence. With an apparent connection between the groups, the malware Silence.ProxyBot and Silent.MainModule have been used in this attack, along with Meterpreter stager TinyMet and executables that exploit “CVE-2019-1405” and “CVE-2019-1322”. The current estimated amount of funds stolen by Silence is $4.2 million.<br /> <b>Recommendation:</b> This APT is using legitimate methods to access networks and steal information. Campaigns like this are difficult to detect because they may not be using any malware to achieve their hands-on-objectives. Organisations can use behavioural monitoring capabilities to better detect anomalous behaviour if a malicious actor is using legitimate accounts. Behavioural monitoring capabilities include detecting when files and data are accessed that are outside the normal working hours or job specification of the account holder. Defense-in-depth is the best way to ensure safety from APTs. Defense-in-Depth involves the layering of defence mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff and robust threat intelligence capabilities.<br /> <b>Tags:</b> APT, Banking, CVE-2019-1405, CVE-2019-1322, Finance, Silence, TA505, TinyMet</p><h3 style="margin-bottom:0;"><a href="" target="_blank"><b>Voter Records For the Entire Country of Georgia Published Online</b></a></h3><p>(published: March 27, 2020)</p><p>The voting records of the country of Georgia have been published online. The database contained over 4.9 records, including deceased citizens. The information leaked included addresses, dates of birth, ID numbers, names, and phone numbers. The leaked database was posted on a forum but it is unclear how the breach occurred.<br /> <b>Recommendation:</b> While it is currently unknown how the breach occurred, users should follow the following advice for securing their databases. Databases should not be directly accessible over, or connected to the internet. Protect these services with authentication, do not allow guest or anonymous login. For web applications that are accessing database data, make sure all user-supplied data is sanitized to prevent SQL injections. Actors can use this information to coerce more personal data from the victim. Users should also monitor their credit in order to make sure that nothing out of the ordinary is happening and no identity fraud is being committed.<br /> <b>MITRE ATT&CK: </b> <a href="">REVOKED - [MITRE PRE-ATT&CK] Identify sensitive personnel information (PRE-T1051)</a><br /> <b>Tags:</b> Data breach, Database, Georgia, PII, Voter Records</p><h3 style="margin-bottom:0;"><a href="" target="_blank"><b>New Router DNS Hijacking Attacks Abuse Bitbucket to Host InfoStealer</b></a></h3><p>(published: March 25, 2020)</p><p>Bitdefender researchers have identified threat actors targeting routers to redirect traffic to websites serving malware. Finding vulnerable routers, some by brute-forcing the passwords, the DNS settings are changed to redirect users to a fake WHO COVID-19 related website with instructions to install an application. The file is a .exe that is hosted on Bitbucket, with a payload of Oski, a data-stealing malware. The majority of victims are in France, Germany, and the United States.<br /> <b>Recommendation:</b> Users should maintain the most current, and secure updates be applied to routers. Furthermore, it is crucial that routers have secure passwords to avoid automated attacks that search for default credentials.<br /> <b>MITRE ATT&CK: </b> <a href="">[MITRE ATT&CK] User Execution - T1204</a> | <a href="">[MITRE ATT&CK] Brute Force - T1110</a> | <a href="">[MITRE ATT&CK] Input Capture - T1056</a><br /> <b>Tags:</b> Bitbucket, Brute force, Coronavirus, DNS Hijacking, Oski, Malware</p><h3 style="margin-bottom:0;"><a href="" target="_blank"><b>Chinese Hackers Use Cisco, Citrix, Zoho in Exploits in Targeted Attacks</b></a></h3><p>(published: March 25, 2020)</p><p>A campaign attributed to APT41, a Chinese backed Advanced Persistent Threat (APT) group, has been tracked by FireEye between January and March, exploiting vulnerabilities in Citrix NetScaler/ADC, Cisco routers and Zoho ManageEngine Desktop Central. The group, which generally utilizes phishing emails in attacking target networks, has been exploiting ‘CVE-2019-19781’, a vulnerability that affects Citrix NetScaler ADC and NetScaler servers, with interesting patterns in activity, such as hiatuses during Chinese holidays and during Coronavirus quarantine measures.<br /> <b>Recommendation:</b> This story depicts the importance of policies regarding the importance of applying security patches to network devices when they become available. Users and administrators should reboot the routers and install the necessary update as soon as possible.<br /> <b>MITRE ATT&CK: </b> <a href="">[MITRE ATT&CK] Spearphishing Attachment - T1193</a> | <a href="">[MITRE ATT&CK] Modify Registry - T1112</a> | <a href="">[MITRE ATT&CK] Exploit Public-Facing Application - T1190</a><br /> <b>Tags:</b> APT41, Coronavirus, China, Citrix, CVE-2019-19781, NetScaler</p><h3 style="margin-bottom:0;"><a href="" target="_blank"><b>Operation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links</b></a></h3><p>(published: March 24, 2020)</p><p>A campaign targeting iOS users in Hong Kong has been identified by TrendMicro and Kaspersky. The campaign, dubbed “Operation Poisoned News”, uses news sites posted on forums with a hidden iframe to load and execute malicious code that downloads “lightSpy” malware. lightSpy enables a threat actor to remotely control the victim’s device and can exfiltrate data including contacts, location, hardware information, internet browser history, iOS keychain, phone call history, SMS messages, QQ, Telegram, and WeChat.<br /> <b>Recommendation:</b> It is important that your company has patch-maintenance policies in place, particularly when there are Bring Your Own Device (BYOD) policies in use. Once a vulnerability has been reported on in open sources, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity. iOS users should make sure to keep their iOS up to date.<br /> <b>MITRE ATT&CK: </b> <a href="">[MITRE MOBILE-ATT&CK] Location Tracking - T1430</a> | <a href="">[MITRE MOBILE-ATT&CK] System Information Discovery - T1426</a> | <a href="">[MITRE MOBILE-ATT&CK] Access Contact List - T1432</a> | <a href="">[MITRE MOBILE-ATT&CK] Access Sensitive Data in Device Logs - T1413</a> | <a href="">[MITRE MOBILE-ATT&CK] Access Sensitive Data or Credentials in Files - T1409</a><br /> <b>Tags:</b> Hong Kong, iOS, lightSpy, Mobile Malware, Operation Poisoned News</p><h3 style="margin-bottom:0;"><a href="" target="_blank"><b>WildPressure Targets Industrial In The Middle East</b></a></h3><p>(published: March 24, 2020)</p><p>A new malware, dubbed “Milum” was identified last August by researchers at Kaspersky. Milum, a Remote Access Trojan (RAT) is written in C++ with functionality to execute commands, get file information, remove itself, gain system information, get directory information, and update to a new version. The operation, named “WildPressure” by researchers, has not been able to be attributed to any group, due to the commonality of the code and lack of similarity to samples used in known campaigns. The targets appear to be exclusively Middle Eastern, however, there hasn’t been enough information available to determine if there is a specific target.<br /> <b>Recommendation:</b> It is crucial that your company ensure that servers are always running the most current software version. Your company should have policies in place in regards to the proper configurations needed for your servers to conduct your business needs safely.<br /> <b>MITRE ATT&CK: </b> <a href="">[MITRE ATT&CK] File Deletion - T1107</a> | <a href="">[MITRE ATT&CK] Commonly Used Port - T1043</a> | <a href="">[MITRE ATT&CK] Commonly Used Port - T1043</a> | <a href="">[MITRE ATT&CK] Data Encrypted - T1022</a><br /> <b>Tags:</b> Middle East, Milum, RAT, Trojan, WildPressure</p><h3 style="margin-bottom:0;"><a href="" target="_blank"><b>Hacker Selling Data of 538 Million Weibo Users</b></a></h3><p>(published: March 23, 2020)</p><p>Threat actors are selling the personal details of more than 538 million users of the Chinese social media site “Weibo” on the dark web. Having apparently breached the site sometime mid-2019, the database contained gender, location, name, phone numbers, and usernames. As passwords were not included in the dump, the database is being sold for just $250. Weibo are disputing where the data is coming from, claiming that instead the phone numbers were obtained in 2018 when user accounts were uploading large amounts of phone numbers in an attempt to match accounts, however, this claim does not stand up to scrutiny.<br /> <b>Recommendation:</b> Leaks of this sort may cause affected individuals to be at a greater risk of phishing attacks. Actors can use this information to craft custom emails to increase their chances of malicious activity being approved by the recipient. Individuals who have accounts associated with this incident should change their passwords as soon as possible, particularly if passwords for said accounts are the same to other online accounts. Individuals should also regularly monitor their credit reports for suspicious activity or consider an identity theft protection service.<br /> <b>MITRE ATT&CK: </b> <a href="">REVOKED - [MITRE PRE-ATT&CK] Identify sensitive personnel information (PRE-T1051)</a><br /> <b>Tags:</b> Data breach, China, Database, Social Media, Weibo</p><h3 style="margin-bottom:0;"><a href="" target="_blank"><b>Tech Giant GE Discloses Data Breach After Service Provider Hack</b></a></h3><p>(published: March 23, 2020)</p><p>Technology giant General Electric (GE) has disclosed a data breach of an employees’ email account. An unauthorized party gained access to the email account in early February, gaining access to employee information. The breached information included current and former GE employees, as well as beneficiaries of GE benefits. The information may have included addresses, bank account numbers, birth certificates, dates of birth, death certificates, driver’s license numbers, marriage certificates, passports, Social Security numbers, retirement benefits, and tax forms. GE claims their systems were not affected by the breach and will provide identity protection along with credit monitoring services to affected persons.<br /> <b>Recommendation:</b> Email account security is paramount because many threat actors use brute force attacks that could easily gain access to an account with a weak password. As this incident portrays, a compromised email account could not only cause harm to individuals whose PII was stored in the account but could also put them at further risk of highly-targeted phishing attacks using recipients’ legitimate information.<br /> <b>MITRE ATT&CK: </b> <a href="">REVOKED - [MITRE PRE-ATT&CK] Identify sensitive personnel information (PRE-T1051)</a><br /> <b>Tags:</b> Breached Email, Data breach, General Electric</p><h3 style="margin-bottom:0;"><a href="" target="_blank"><b>Microsoft Warns of Hackers Exploiting Unpatched Windows Bugs</b></a></h3><p>(published: March 23, 2020)</p><p>Microsoft has issued a warning that malicious actors are exploiting two Zero-Day vulnerabilities. The vulnerabilities are in the Adobe Type Manager Library, and if exploited could be used for remote code execution (RCE). In order to exploit the vulnerability, threat actors could use the Windows Preview pane to get users to open malicious documents, in turn allowing them to modify data, install programs and create user accounts.<br /> <b>Recommendation:</b> Microsoft is advising customers to disable the Preview and Details panes in Windows Explorer to prevent malicious files opening in Windows Explorer. In addition, customers are being recommended to disable the WebClient service to protect systems from attempts to exploit the vulnerability, along with renaming the library “ATMFD.DLL”.<br /> <b>MITRE ATT&CK: </b> <a href="">[MITRE ATT&CK] User Execution - T1204</a> | <a href="">[MITRE PRE-ATT&CK] Identify vulnerabilities in third-party software libraries - T1389</a><br /> <b>Tags:</b> Adobe Type Manager, Exploit, Windows, Vulnerabilities, Zero day</p></div></div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.