October 28, 2019
Anomali Threat Research

Weekly Threat Briefing: AWS Left Reeling After Eight-Hour DDoS

<div id="weekly"><p id="intro">The intelligence in this week’s iteration discusses the following threats: <strong>China, Iran, Magecart, Nautilus, Neuron, NordVPN, Spidey Bot, Turla, Waterbug, </strong>and<strong> Winnti Group</strong>. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><p><a href="https://www.infosecurity-magazine.com/news/aws-customers-hit-by-eighthour-ddos/" target="_blank"><b>AWS Left Reeling After Eight-Hour DDoS</b></a> (<i>October 24, 2019</i>)<br /> Amazon was hit by a Distributed Denial of Service (DDoS) attack this week which took service offline for up to eight hours. The DDoS targeted the Amazon Web Services (AWS) Route 53 DNS web service, which in turn affected other services. The success of the attack calls into question the DDoS-mitigation platform Shield Advanced, which AWS used during the attack.<br /> <a href="https://forum.anomali.com/t/aws-left-reeling-after-eight-hour-ddos/4307" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/2402529">[MITRE ATT&CK] Endpoint Denial of Service - T1499</a></p><p><a href="https://nakedsecurity.sophos.com/2019/10/23/facebook-pulls-fake-news-networks-linked-to-russia-and-iran/" target="_blank"><b>Facebook Pulls Fake News Networks Linked to Russia and Iran</b></a> (<i>October 23, 2019</i>)<br /> Facebook has detected and taken down four networks of accounts that it says are linked to Iran and Russia. These accounts are believed to have been designed to interfere in elections. One of the networks was targeting the 2020 United States presidential election and appears to be linked to the Russian organisation known as the Internet Research Agency (IRA). Other networks targeted North Africa and Latin America. 
Facebook has taken action under its policy on misrepresentation. 93 Facebook accounts, 17 Facebook pages and 4 Instagram accounts were removed for violating this policy; these were linked to efforts originating in Iran that targeted the United States and North Africa. Other accounts originating in Iran were focusing on countries in Latin America. Graphika, a social media analysis company, dubbed the activity that originates in Russia “IRACopyPasta”. Graphika has observed efforts by the Russia-based accounts to avoid the linguistic mistakes that were made in the previous 2016 posts.<br /> <a href="https://forum.anomali.com/t/facebook-pulls-fake-news-networks-linked-to-russia-and-iran/4308" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bleepingcomputer.com/news/security/discord-turned-into-an-info-stealing-backdoor-by-new-malware/ " target="_blank"><b>Discord Turned Into an Info-Stealing Backdoor by New Malware</b></a> (<i>October 23, 2019</i>)<br /> Discord users are being targeted by a new Trojan that MalwareHunterTeam researchers have called “Spidey Bot”. This malware modifies the Windows Discord client so that it can act as a backdoor and steal information such as the user’s email address, IP address, payment information, phone number, timezone, Windows clipboard contents, and username. The Windows Discord client is an Electron application, a framework using JavaScript, which enables the malware to modify its core files. This allows the malware to execute malicious behaviour on startup. Researchers believe that the malware may be delivered through Discord chats, disguised as cheats for games such as Roblox. 
Victims have to uninstall and reinstall the Discord app to remove the modified core files.<br /> <a href="https://forum.anomali.com/t/discord-turned-into-an-info-stealing-backdoor-by-new-malware/4309" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947209">[MITRE ATT&CK] Third-party Software - T1072</a></p><p><a href="https://blog.malwarebytes.com/threat-analysis/2019/10/the-forgotten-domain-exploring-a-link-between-magecart-group-5-and-the-carbanak-apt/" target="_blank"><b>The Forgotten Domain: Exploring A Link Between Magecart Group 5 And The Carbanak APT</b></a> (<i>October 22, 2019</i>)<br /> Malwarebytes has previously observed a possible overlap between Magecart Group 4 and the Cobalt gang. It has recently discovered new information in historical Whois data for domains used by Magecart Group 5. The same registrant information also appears on domains used in Dridex phishing campaigns. Magecart Group 5 is known for targeting and compromising the supply chain used by ecommerce merchants.<br /> <a href="https://forum.anomali.com/t/the-forgotten-domain-exploring-a-link-between-magecart-group-5-and-the-carbanak-apt/4310" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&CK] Exploit Public-Facing Application - T1190</a></p><p><a href="https://www.zdnet.com/article/czech-authorities-dismantle-alleged-russian-cyber-espionage-network/" target="_blank"><b>Czech Authorities Dismantle Alleged Russian Cyber-Espionage Network </b></a> (<i>October 22, 2019</i>)<br /> Czech authorities have uncovered and dismantled a Russian cyber-espionage network operating from within the country. The Russian network was set up through several hardware and software companies to launch cyber attacks, and was being funded from the Russian embassy in Prague. 
The server infrastructure was intended to be used for cyber attacks against the Czech Republic as well as EU and NATO allies. The network was dismantled in March 2019, but this has only now been officially confirmed.<br /> <a href="https://forum.anomali.com/t/czech-authorities-dismantle-alleged-russian-cyber-espionage-network/4311" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&CK] Exploit Public-Facing Application - T1190</a></p><p><a href="https://krebsonsecurity.com/2019/10/ransomware-hits-b2b-payments-firm-billtrust/" target="_blank"><b>Ransomware Hits B2B Payments Firm Billtrust</b></a> (<i>October 22, 2019</i>)<br /> The business-to-business (B2B) payments provider Billtrust was hit with a ransomware attack last week and is still recovering. It has stopped the attack and is dealing with remediation, having restored most of its systems. Billtrust has not declared whether it paid the ransom, and is still consulting with law enforcement to determine the extent of the breach.<br /> <a href="https://forum.anomali.com/t/ransomware-hits-b2b-payments-firm-billtrust/4312" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.eset.ie/2019/10/21/winnti-groups-skip%E2%80%912-0-a-microsoft-sql-server-backdoor/" target="_blank"><b>Winnti Group’s Skip‑2.0: A Microsoft SQL Server Backdoor</b></a> (<i>October 21, 2019</i>)<br /> ESET researchers tracking the China-based Winnti Group have observed a previously unreported backdoor being used by the threat actors. Winnti Group, which has been active since 2012, is targeting Microsoft SQL (MSSQL) Server versions 11 and 12. The backdoor, called “skip-2.0”, allows the attacker to connect to any MSSQL account by using a magic password while hiding those connections from the logs. 
The backdoor means that the Winnti Group can copy, modify or delete information in the databases.<br /> <a href="https://forum.anomali.com/t/winnti-group-s-skip-2-0-a-microsoft-sql-server-backdoor/4313" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.cyberscoop.com/nordvpn-data-breach/" target="_blank"><b>NordVPN Admits &#39;Isolated&#39; Data Breach Was Discovered Last Year</b></a> (<i>October 21, 2019</i>)<br /> NordVPN was impacted by an attack on a Finnish data centre in 2018. NordVPN has now admitted to the intrusion, but states that usernames, passwords and user activity logs are all safe. It may have been possible for the attacker to manipulate site traffic and to monitor some user activity. NordVPN ended its contract with the data centre in question and affirms that no other data centre providers have been affected. According to Cyberscoop, it was the hosting provider Creanova that was breached. However, Creanova blames NordVPN.<br /> <a href="https://forum.anomali.com/t/nordvpn-admits-isolated-data-breach-was-discovered-last-year/4314" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947137">[MITRE ATT&CK] Supply Chain Compromise - T1195</a></p><p><a href="https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims" target="_blank"><b>Advisory: Turla Group Exploits Iranian APT to Expand Coverage of Victims</b></a> (<i>October 21, 2019</i>)<br /> The Russia-based Turla group has been reported to have scanned victims for Iranian APT backdoors with the intention of using them to gain a further foothold in the target environment. The U.K. National Cyber Security Centre (NCSC) has discerned that the Neuron and Nautilus tools were being exploited by the Turla group, but that the group’s scanning reveals a lack of insight into where the backdoors have already been deployed. 
An overlap in infrastructure revealed that in some cases an Iranian IP address had been used to first deploy the implant, while Turla-associated infrastructure accessed the same implant later. The Turla group appears to exfiltrate directory listings and keylogger output, which included operational activity from Iranian actors.<br /> <a href="https://forum.anomali.com/t/advisory-turla-group-exploits-iranian-apt-to-expand-coverage-of-victims/4315" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/1260054">[MITRE MOBILE-ATT&CK] Access Sensitive Data or Credentials in Files - T1409</a></p><p><a href="https://latesthackingnews.com/2019/10/20/hackers-now-employ-steganography-to-wav-audio-files-for-hiding-malware/" target="_blank"><b>Hackers Now Employ Steganography To WAV Audio Files For Hiding Malware</b></a> (<i>October 20, 2019</i>)<br /> Symantec researchers reported in June this year that the Waterbug APT (the Russia-based Turla Group) was using steganography in WAV audio files. Cylance researchers have now discovered a campaign using a similar technique to deliver cryptominers. Using steganography, attackers can execute malicious code hidden inside a benign-looking file, evading detection. In this instance, some of the WAV files contain code associated with the Monero CPU miner, while others contain Metasploit code.<br /> <a href="https://forum.anomali.com/t/hackers-now-employ-steganography-to-wav-audio-files-for-hiding-malware/4316" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a></p></div></div>
