<div id="weekly"><p id="intro">The intelligence in this week’s iteration discusses the following threats: <strong>APT40, APT28, data-breach, Trickbot, phishing, targeted attacks, JhoneRAT, Pegasus</strong>. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.<br /> <img src="https://anomali-labs-public.s3.amazonaws.com/foo.png" /><br /> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p><div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><p><a href="https://www.bankinfosecurity.com/nsa-uncovers-severe-microsoft-windows-vulnerability-a-13607" target="_blank"><b>NSA Uncovers 'Severe' Microsoft Windows Vulnerability</b></a> (<i>January 14, 2020</i>)<br /> On Tuesday, 13th January, the National Security Agency (NSA) published information on a “severe” vulnerability in Windows 10. The vulnerability, CVE-2020-060, could allow threat actors to spoof the digital certificates used in encrypted communication. This means that devices running Windows 10 could be at risk of man-in-the-middle attacks, and actors could also decrypt data within applications. CryptoAPI spoofing could also make an actor’s malicious code appear legitimate.<br /> <a href="https://forum.anomali.com/t/nsa-uncovers-severe-microsoft-windows-vulnerability/4518" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bankinfosecurity.com/babys-first-breach-app-exposes-baby-photos-videos-a-13603" target="_blank"><b>Baby's First Data Breach: App Exposes Baby Photos, Videos</b></a> (<i>January 14, 2020</i>)<br /> Peekaboo Moments, a mobile phone app designed for capturing special moments of a baby’s development, has been found to have exposed customer information. 
The exposed data include email, device information, and photos and videos. The exposure was caused by an open, unsecured Elasticsearch server. Facebook API keys and the Peekaboo-owned API endpoint were also exposed, which could allow an attacker to upload or exfiltrate data.<br /> <a href="https://forum.anomali.com/t/babys-first-data-breach-app-exposes-baby-photos-videos/4519" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/area-1-security-phishingbarismaholdings-1.pdf" target="_blank"><b>Report: Russian Hackers Targeted Ukrainian Gas Firm Burisma</b></a> (<i>January 14, 2020</i>)<br /> Researchers from Area 1 have detected an attack on a Ukrainian company called Burisma, a holdings company for energy exploration and production companies. The attack appears to have originated from Fancy Bear (APT28), a group attributed to the Main Intelligence Directorate of the General Staff of the Russian Army (GRU). The phishing campaign was designed to harvest credentials from Burisma and its subsidiaries and partners. 
The company has been associated with Hunter Biden, the son of Democratic presidential candidate Joe Biden, who served on Burisma's board.<br /> <a href="https://forum.anomali.com/t/report-russian-hackers-targeted-ukrainian-gas-firm-burisma/4520" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&CK] Conduct social engineering (PRE-T1056)</a> | <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&CK] Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947141">[MITRE ATT&CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&CK] Standard Application Layer Protocol - T1071</a></p><p><a href="https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/" target="_blank"><b>TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection</b></a> (<i>January 16, 2020</i>)<br /> The Trickbot trojan has been updated to include a User Account Control (UAC) bypass. A UAC bypass allows a program to run with administrator privileges without displaying the prompt that asks the user for approval, so the program runs without the user's knowledge. Trickbot first determines whether the operating system is Windows 10 or Windows 7. 
If the machine is running Windows 10, it uses the “Fodhelper UAC Bypass”, a method that modifies a registry key to spawn a shell with the UAC flag turned off.<br /> <a href="https://forum.anomali.com/t/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/4521" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&CK] Input Capture - T1056</a></p><p><a href="https://www.bbc.co.uk/news/technology-51008811" target="_blank"><b>Soleimani: US federal Site Hacked with Pro-Iranian Message</b></a> (<i>January 6, 2020</i>)<br /> A group of pro-Iranian hackers has defaced the U.S. Federal Depository Library Program's website. The defacement contained a picture of President Donald Trump being punched in the face by a fist, with an Islamic Revolutionary Guard Corps (IRGC) emblem visible on the arm. The defacement, although low-level, comes at a time when tensions between the U.S. 
and Iran are extremely heightened.<br /> <a href="https://forum.anomali.com/t/soleimani-us-federal-site-hacked-with-pro-iranian-message/4522" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&CK] Exploit Public-Facing Application - T1190</a></p><p><a href="https://intrusiontruth.wordpress.com/2020/01/16/apt40-is-run-by-the-hainan-department-of-the-chinese-ministry-of-state-security/" target="_blank"><b>APT40 is run by the Hainan department of the Chinese Ministry of State Security</b></a> (<i>January 16, 2020</i>)<br /> IntrusionTruth researchers have investigated previously reported connections between the Chinese Ministry of State Security (MSS) and a number of front companies for APT activity in Hainan. In this new report, the researchers used their investigative techniques to uncover information about an individual called “Ding Xiaoyang”. A particularly damning photo shows the individual wearing a Ministry of State Security uniform with the number 461079 on his chest; IntrusionTruth points out that the first two digits, “46”, denote Hainan. There is also a post on the social media site RenRen from Ding Xiaoyang in which he speaks about going to work for the MSS. Ding Xiaoyang is linked to APT40 through a telephone number used on job adverts for the network of APT40 front companies. 
According to IntrusionTruth, he is the owner of the number under the alias “Mr Chen”.<br /> <a href="https://forum.anomali.com/t/apt40-is-run-by-the-hainan-department-of-the-chinese-ministry-of-state-security/4523" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.infosecurity-magazine.com/news/aussie-bushfires-donation-site/" target="_blank"><b>Australia Bushfire Donation Site Suffered MageCart Attack</b></a> (<i>January 14, 2020</i>)<br /> Malwarebytes researchers have discovered a Magecart attack on the Australia Bushfire donation site. Magecart is an umbrella term for activity that steals credit card information using a specific set of Tactics, Techniques, and Procedures (TTPs). The attack exposed donor credit card information to the attackers. Troy Mursch identified a further 39 sites impacted by the same malicious code, using the keyword “ATMZOW” that appears in the script. Magecart typically injects malicious JavaScript into the payment pages of eCommerce sites to harvest payment information.<br /> <a href="https://forum.anomali.com/t/australia-bushfire-donation-site-suffered-magecart-attack/4524" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&CK] Input Capture - T1056</a></p><p><a href="https://blog.talosintelligence.com/2020/01/jhonerat.html" target="_blank"><b>JhoneRAT: Cloud based python RAT targeting Middle Eastern countries</b></a> (<i>January 16, 2020</i>)<br /> Cisco Talos security researchers have identified a new Remote Access Trojan (RAT) they have named “JhoneRAT”. The RAT appears to specifically target Arabic speakers, which it determines by checking the victim’s keyboard layout. 
Upon investigation, researchers found the following countries are being targeted: Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon. The reconnaissance performed on initial infection uses multiple cloud services before further payloads are downloaded.<br /> <a href="https://forum.anomali.com/t/jhonerat-cloud-based-python-rat-targeting-middle-eastern-countries/4525" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&CK] Conduct social engineering (PRE-T1056)</a> | <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&CK] Web Service - T1102</a> | <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&CK] Standard Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947166">[MITRE ATT&CK] Modify Registry - T1112</a></p><p><a href="https://www.cyberscoop.com/nso-group-export-license-amnesty-international/" target="_blank"><b>Amnesty suit asking Israel to revoke NSO Group's license heads to court</b></a> (<i>January 14, 2020</i>)<br /> Defense-in-depth (layering of security mechanisms, redundancy, and fail-safe defense processes) is the best way to ensure safety from sophisticated threat groups and APTs, including a focus on both network- and host-based security. Prevention and detection capabilities should also be in place. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. 
This makes it easier to spot unusual traffic and connections to and from your network and to identify potentially malicious activity.<br /> <a href="https://forum.anomali.com/t/amnesty-suit-asking-israel-to-revoke-nso-groups-license-heads-to-court/4526" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment - T1193</a></p></div><div id="observed-threats"><h2 id="observedthreats">Observed Threats</h2></div><div id="threat_model"><p>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. <a href="https://www.anomali.com/products" target="_blank">A ThreatStream account is required to view this section.</a></p><div id="threat_model_actors"><div><a href="https://ui.threatstream.com/actor/4494" target="_blank">APT28</a><p>The Advanced Persistent Threat (APT) group “APT28” is believed to be a Russian-sponsored group that has been active since at least 2007. The group displays high levels of sophistication in the multiple campaigns attributed to it, and the various malware and tools used to conduct the operations align with the strategic interests of the Russian government. The group is believed to operate under the Main Intelligence Directorate (GRU), the foreign intelligence agency of the Russian armed forces.</p></div></div></div></div>
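The TrickBot item above says the Fodhelper UAC bypass modifies a registry key to spawn an elevated shell. The following detection logic is an added example, not code from the briefing or from any vendor: it runs over constructed Sysmon-style events and flags writes to the per-user ms-settings handler key that fodhelper.exe consults, plus any process spawned by fodhelper.exe. The log line format and the sample events are constructed for this example.

```python
# Added example (not from the briefing): detection for the Fodhelper UAC bypass
# over constructed Sysmon-style events. The HKCU ms-settings handler key and the
# fodhelper.exe parent check are the documented detection points for this technique.
import re
from dataclasses import dataclass

# fodhelper.exe auto-elevates and consults this per-user key, which does not
# exist on a clean system, so any write to it is worth an alert.
MS_SETTINGS_HANDLER = re.compile(
    r"^hkcu\\software\\classes\\ms-settings\\shell\\open\\command", re.IGNORECASE)

@dataclass
class Finding:
    time: str
    image: str
    reason: str

def parse_event(line):
    """Parse one 'key=value|key=value' line (constructed format)."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))

def detect_fodhelper_bypass(lines):
    """Return findings for registry staging and for fodhelper.exe child processes."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        eid, image = ev.get("EventID"), ev.get("Image", "?")
        if eid == "13":  # Sysmon: registry value set
            target = ev.get("TargetObject", "")
            if MS_SETTINGS_HANDLER.search(target):
                what = ("DelegateExecute" if target.lower().endswith("\\delegateexecute")
                        else "(Default) command")
                findings.append(Finding(ev.get("UtcTime", "?"), image,
                                        f"{what} value written to ms-settings handler key"))
        elif eid == "1":  # Sysmon: process creation
            parent = ev.get("ParentImage", "").lower()
            if parent.endswith("\\fodhelper.exe"):
                findings.append(Finding(ev.get("UtcTime", "?"), image,
                                        "child of auto-elevating fodhelper.exe"))
    return findings

SAMPLE_EVENTS = [  # constructed sample log lines
    "UtcTime=2020-01-16 10:01:02|EventID=13|Image=C:\\Windows\\explorer.exe|TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive|Details=C:\\Users\\u\\OneDrive.exe",
    "UtcTime=2020-01-16 10:02:15|EventID=13|Image=C:\\Users\\u\\AppData\\Local\\Temp\\up.exe|TargetObject=HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command\\DelegateExecute|Details=(Empty)",
    "UtcTime=2020-01-16 10:02:16|EventID=13|Image=C:\\Users\\u\\AppData\\Local\\Temp\\up.exe|TargetObject=HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command\\(Default)|Details=C:\\Users\\u\\AppData\\Local\\Temp\\up.exe",
    "UtcTime=2020-01-16 10:02:18|EventID=1|Image=C:\\Users\\u\\AppData\\Local\\Temp\\up.exe|ParentImage=C:\\Windows\\System32\\fodhelper.exe",
    "UtcTime=2020-01-16 10:05:00|EventID=1|Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe",
]
```

Running `detect_fodhelper_bypass(SAMPLE_EVENTS)` yields three findings: the two handler-key writes and the child process of fodhelper.exe; the benign Run-key write and the notepad launch are ignored.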
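The Magecart item above notes that the related sites were found by the keyword “ATMZOW” in the injected script, and that Magecart works by injecting JavaScript into payment pages. The scanner below is an added example, not code from the briefing or from Malwarebytes: it parses a checkout page, flags inline scripts carrying that marker, and flags external scripts loaded from hosts outside an allowlist. The sample HTML and the allowed-host set are constructed assumptions.

```python
# Added example: flag Magecart-style script injection in a checkout page.
# The HTML is constructed; the allowed-host set is an assumption of this example.
# "ATMZOW" is the marker the briefing quotes as linking the 39 impacted sites.
from html.parser import HTMLParser
from urllib.parse import urlparse

SKIMMER_MARKERS = ("ATMZOW",)

class ScriptCollector(HTMLParser):
    """Collects inline <script> bodies and external script src values."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.inline, self.external = [], []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:                      # inline script: start collecting its body
            self.in_script = True
            self.inline.append("")

    def handle_data(self, data):
        if self.in_script:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self.in_script = False

def scan_page(html, allowed_hosts):
    """Return findings: known skimmer markers inline, or scripts from unexpected hosts."""
    p = ScriptCollector()
    p.feed(html)
    findings = [f"inline script contains skimmer marker {m!r}"
                for body in p.inline for m in SKIMMER_MARKERS if m in body]
    for src in p.external:         # relative src (empty netloc) is same-origin, skip
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            findings.append(f"external script from unexpected host {host!r}: {src}")
    return findings

SAMPLE_HTML = """<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://cdn-assets.example.net/jquery.min.js"></script>
</head><body><form id="payment"></form>
<script>var ATMZOW=function(){/* skimmer stub */};</script>
</body></html>"""                  # constructed page
```

Calling `scan_page(SAMPLE_HTML, {"shop.example"})` reports the inline marker hit and the script pulled from the unlisted host; an allowlist is what turns the second check from noise into a usable alert on a real checkout page.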