June 2, 2020 - Anomali Threat Research

Weekly Threat Briefing: Backdoors, iOS Vulnerability, Remote Access Trojans, TrickBot Update, and More

<div id="weekly"><p id="intro">The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: <b>Android Vulnerability, Data Breach, COVID-19, Ransomware, Russia,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. <img src="https://cdn.filestackcontent.com/FpzC0fHQ5e2VABOMpnuG"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this briefing and provide a glimpse of the threats discussed.</b></p><div id="trending-threats"><h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2><h3 id="article-1" style="margin-bottom:0;"><a href="https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain" target="_blank"><b>The Octopus Scanner Malware: Attacking The Open Source Supply Chain</b></a></h3><p>(published: May 29, 2020)</p><p>GitHub has issued an alert about malware found in Java projects that can run on Linux, macOS, and Windows. The malware, named “Octopus Scanner”, has been found in 26 repositories that are managed using NetBeans, a Java Integrated Development Environment (IDE). Once a user downloads an infected repository, the malware infects the local machine and, after scanning for a local install of NetBeans, spreads into other Java projects. The malware then downloads a Remote Access Trojan (RAT) and looks for confidential information, including proprietary source code.<br/> <b>Recommendation:</b> It is important for organizations to ensure that they have defense in depth. This assists with detecting supply chain attacks as well as many other types of attacks. 
Specifically for developers, it is recommended that all third-party libraries and repositories are audited and obtained from a reliable source, and that unnecessary libraries are removed from projects.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947137">[MITRE ATT&amp;CK] Supply Chain Compromise - T1195</a><br/> <b>Tags:</b> GitHub, Java, Malware, Octopus Scanner, RAT</p><h3 id="article-2" style="margin-bottom:0;"><a href="https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/" target="_blank"><b>Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module</b></a></h3><p>(published: May 28, 2020)</p><p>The information stealer TrickBot has updated one of its propagation modules from “mworm” to “nworm”. Whereas the earlier module retrieved an unencrypted executable, the new nworm module retrieves an encrypted binary; the module is then run from system RAM and is more likely to evade detection. When nworm is used to infect a machine, TrickBot does not persist, as it is run from memory and leaves no artifacts.<br/> <b>Recommendation:</b> Apply patches and run up-to-date versions of your operating system. 
A defense-in-depth approach (layering of security mechanisms, redundancy, fail-safe defense processes) is a good mitigation step to help prevent a TrickBot infection.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947135">[MITRE ATT&amp;CK] Data from Local System - T1005</a> | <a href="https://ui.threatstream.com/ttp/947136">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/947120">[MITRE ATT&amp;CK] System Service Discovery - T1007</a> | <a href="https://ui.threatstream.com/ttp/947186">[MITRE ATT&amp;CK] Software Packing - T1045</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947278">[MITRE ATT&amp;CK] Remote File Copy - T1105</a><br/> <b>Tags:</b> Propagation, mWorm, nWorm, TrickBot</p><h3 id="article-3" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/nsa-russian-govt-hackers-exploiting-critical-exim-flaw-since-2019/" target="_blank"><b>NSA: Russian Govt Hackers Exploiting Critical Exim Flaw Since 2019</b></a></h3><p>(published: May 28, 2020)</p><p>The Russian cyberespionage group Sandworm Team has been exploiting a vulnerability in the Exim mail transfer agent (MTA) since August 2019, according to the National Security Agency (NSA). Registered as "CVE-2019-10149" ("The Return of the WIZard"), the vulnerability allows threat groups like Sandworm to execute arbitrary commands with root privileges by sending specially crafted emails. Sandworm is using the exploit to download a shell script that provides escalated privileges on vulnerable MTAs. The group has also used the vulnerability to modify SSH configuration to provide its members with remote access.<br/> <b>Recommendation:</b> A patch for this Exim vulnerability was released on June 5th, 2019, yet many devices remain exposed on the internet. 
Users are advised to update Exim to version 4.93 or later. Once a vulnerability has been reported in open sources, threat actors will likely attempt to incorporate its exploitation into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.<br/> <b>Tags:</b> CVE-2019-10149, Escalated Privileges, Exim, Exploit, Russia, NSA, Sandworm, SSH, Vulnerability</p><h3 id="article-4" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/microsoft-iis-servers-hacked-by-blue-mockingbird-to-mine-monero/" target="_blank"><b>Microsoft IIS Servers Hacked By Blue Mockingbird To Mine Monero</b></a></h3><p>(published: May 28, 2020)</p><p>The threat group Blue Mockingbird has been exploiting a critical vulnerability on Microsoft IIS servers to host a Monero cryptominer. The vulnerability, designated "CVE-2019-18935", is a .NET deserialization vulnerability in Progress Telerik UI that enables attackers to gain backdoor and web shell access. Exploitation takes two steps. First, the threat actor crafts a POST request to the asynchronous upload file handler that specifies a custom target directory path and carries a malicious file. Second, the threat actor makes another request to the same handler referencing the path of the uploaded file; once processed, the file is loaded and its code executes remotely.<br/> <b>Recommendation:</b> It is important that your company has patch-maintenance policies in place, particularly when there are Bring Your Own Device (BYOD) policies in use. Once a vulnerability has been reported in open sources, threat actors will likely attempt to incorporate its exploitation into their malicious operations. 
Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402525">[MITRE ATT&amp;CK] Resource Hijacking - T1496</a> | <a href="https://ui.threatstream.com/ttp/947150">[MITRE ATT&amp;CK] Standard Cryptographic Protocol - T1032</a> | <a href="https://ui.threatstream.com/ttp/947165">[MITRE ATT&amp;CK] Private Keys - T1145</a><br/> <b>Tags:</b> Blue Mockingbird, CVE-2019-18935, Cryptominer, Microsoft, Monero, Vulnerability</p><h3 id="article-5" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/german-govt-urges-ios-users-to-patch-critical-mail-app-flaws/" target="_blank"><b>German Govt Urges iOS Users To Patch Critical Mail App Flaws</b></a></h3><p>(published: May 27, 2020)</p><p>The German federal cybersecurity agency, the Bundesamt für Sicherheit in der Informationstechnik (BSI), is advising Apple users to install the recent updates released for iOS and iPadOS. These updates patch two zero-click vulnerabilities, registered as "CVE-2020-9819" and "CVE-2020-9818", that affect Apple's default email application. Threat actors could exploit CVE-2020-9819 to corrupt heap memory and CVE-2020-9818 to modify memory or terminate applications. All devices running iOS versions 3.1.3 up to 13.4.1 are vulnerable to these exploits, which could allow threat actors to execute code remotely on compromised systems. The vulnerabilities were patched by Apple with the release of iOS 13.5 and iPadOS 13.5, and affected Apple users are advised to update their devices as soon as possible.<br/> <b>Recommendation:</b> It is important that your company has patch-maintenance policies in place, particularly when there are Bring Your Own Device (BYOD) policies in use. 
Once a vulnerability has been reported in open sources, threat actors will likely attempt to incorporate its exploitation into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.<br/> <b>Tags:</b> Apple, CVE-2020-9818, CVE-2020-9819, iPhone, iPad, Remote Code Execution</p><h3 id="article-6" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/hacking-group-builds-new-ketrum-malware-from-recycled-backdoors/" target="_blank"><b>Hacking Group Builds New Ketrum Malware From Recycled Backdoors</b></a></h3><p>(published: May 26, 2020)</p><p>The China-based threat group Ke3chang (APT15) has developed new malware named "Ketrum", based on the source code of the group's Ketrican and Okrum backdoors. Ketrum reuses Tactics, Techniques, and Procedures (TTPs) similar to those of the other backdoors leveraged by Ke3chang. Two variants of Ketrum have been discovered, called Ketrum 1 and Ketrum 2. Ketrum 1 leverages the user's proxy server, if present, to make HTTP requests and uses the Cookie and Set-Cookie headers of those requests to hide Command and Control (C2) communications. A feature of Ketrum 1 not previously seen in Ke3chang malware is the ability to capture the screen of target systems. Ketrum 2 is a more minimalist version than Ketrum 1; it focuses on C2 communication and command execution without using HTTP headers to hide its traffic.<br/> <b>Recommendation:</b> Malware authors are always innovating new methods of communicating back to their control servers. 
Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe).<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947191">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/2336969">[MITRE ATT&amp;CK] Registry Run Keys / Startup Folder - T1060</a> | <a href="https://ui.threatstream.com/ttp/947190">[MITRE ATT&amp;CK] Connection Proxy - T1090</a> | <a href="https://ui.threatstream.com/ttp/947289">[MITRE ATT&amp;CK] Custom Command and Control Protocol - T1094</a> | <a href="https://ui.threatstream.com/ttp/947079">[MITRE ATT&amp;CK] Screen Capture - T1113</a> | <a href="https://ui.threatstream.com/ttp/2402791">[MITRE PRE-ATT&amp;CK] Upload, install, and configure software/tools - T1362</a><br/> <b>Tags:</b> Ke3chang, Backdoor, Ketrum, Ketrican, Okrum</p><h3 id="article-7" style="margin-bottom:0;"><a href="https://www.eset.com/int/about/newsroom/press-releases/research/cyber-espionage-group-turla-aka-snake-now-uses-gmail-web-interface-for-command-and-control-ese-2/" target="_blank"><b>Cyber-Espionage Group Turla (a.k.a. Snake) Now Uses Gmail Web Interface For Command And Control, ESET Discovers</b></a></h3><p>(published: May 26, 2020)</p><p>A new version of the ComRAT backdoor has been identified by security researchers at ESET. ComRAT is an older malware family used by the Turla group to steal confidential documents, mainly targeting governmental institutions. In the most recent version of this backdoor, the group has been seen using the Gmail web interface for Command and Control (C2), to receive commands and exfiltrate data. 
The latest version of ComRAT also includes additional functionality that enables it to execute other programs.<br/> <b>Recommendation:</b> Always practice Defense-in-Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe).<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947289">[MITRE ATT&amp;CK] Custom Command and Control Protocol - T1094</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell - T1086</a><br/> <b>Tags:</b> Command and Control, ComRAT, Gmail, Russia, Snake, Trojan, Turla</p><h3 id="article-8" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/critical-android-bug-lets-malicious-apps-hide-in-plain-sight/" target="_blank"><b>Critical Android Bug Lets Malicious Apps Hide in Plain Sight</b></a></h3><p>(published: May 26, 2020)</p><p>Promon security researchers have identified a new vulnerability in devices running Android 9.0 and below, registered as "CVE-2020-0096" (StrandHogg 2.0). Threat actors can create malicious applications that masquerade as legitimate ones to exploit this vulnerability and spy on users and steal sensitive information without root permissions. StrandHogg 2.0 allows threat actors to access users' private messages, steal login credentials, track GPS movements, record conversations, and spy through the camera.<br/> <b>Recommendation:</b> Always keep your mobile phone fully patched with the latest security updates. Only use official locations such as the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. 
Since this vulnerability was reported, Google has released patches for Android versions 8.0, 8.1, and 9, and users are advised to update their phones. Threat actors are often observed to use vulnerabilities even after they have been patched by the affected company. Therefore, it is crucial that policies are in place to ensure that all employees install patches as soon as they are made available.<br/> <b>Tags:</b> Android, CVE-2020-0096, StrandHogg 2.0</p><h3 id="article-9" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/new-f-unicorn-ransomware-hits-italy-via-fake-covid-19-infection-map/" target="_blank"><b>New [F]Unicorn Ransomware Hits Italy via Fake Covid 19 Infection Map</b></a></h3><p>(published: May 26, 2020)</p><p>A new ransomware, named [F]Unicorn, has been targeting Italy using a fake COVID-19 contact tracing application. Emails pretending to be from the Italian Pharmacist Federation (FOFI), stating that a beta release of Immuni for PC is available, are sent to medical targets including doctors, pharmacies, and universities. The emails include download links; the downloaded file displays a COVID-19 dashboard while the ransomware encrypts data on the system. The ransom note, written in Italian, demands 300 euros, or the data will be lost.<br/> <b>Recommendation:</b> The impersonation of legitimate agencies continues to be an effective spearphishing tactic. All users should be informed of the threat phishing poses, and how to safely make use of email. In the case of [F]Unicorn ransomware, the affected system should be wiped and reformatted, and if at all possible the ransom should not be paid. 
Implement a backup solution for your users to ease the pain of losing sensitive and important data.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/2402630">[MITRE PRE-ATT&amp;CK] Conduct social engineering - T1268</a> | <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a><br/> <b>Tags:</b> Covid-19, Italy, Ransomware</p><h3 id="article-10" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/26-million-livejournal-accounts-being-shared-on-hacker-forums/" target="_blank"><b>26 Million Livejournal Accounts Being Shared On Hacker Forums</b></a></h3><p>(published: May 26, 2020)</p><p>A database containing over 26 million LiveJournal user accounts has been leaked on multiple hacker forums. The database contains email addresses, passwords, profile URLs, and usernames. LiveJournal has not made a disclosure; however, it is assessed that the credentials come from a breach that took place in 2017, with another breach having occurred in 2014.<br/> <b>Recommendation:</b> Users should immediately change their LiveJournal passwords and should not reuse their passwords for any other accounts. Furthermore, users should be aware of phishing and credential stuffing attacks that may occur as a result of this breach.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947231">[MITRE ATT&amp;CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&amp;CK] Credential Dumping - T1003</a><br/> <b>Tags:</b> Data Breach, Leaked Database, LiveJournal</p></div></div>
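The Blue Mockingbird item above describes CVE-2019-18935 exploitation as two requests to the asynchronous upload handler in quick succession: one that uploads the file, one that makes the handler load it. The Python below is an added example, not code from the briefing or from any vendor, showing how a defender can look for that two-request pattern in IIS access logs. It assumes the handler is reachable at the RadAsyncUpload path `Telerik.Web.UI.WebResource.axd` with the query parameter `type=rau` (the briefing does not name the path), and the log excerpt is constructed with a simplified W3C field order.

```python
from collections import defaultdict
from datetime import datetime

# Constructed IIS W3C log excerpt (not a real capture). The #Fields line fixes the
# column order used by parse_iis(); a production log usually carries more columns.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2020-05-28 10:00:01 GET /Default.aspx - 203.0.113.5 200
2020-05-28 10:00:07 POST /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.23 200
2020-05-28 10:00:09 POST /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.23 200
2020-05-28 10:30:00 POST /Telerik.Web.UI.WebResource.axd type=rau 192.0.2.77 200
2020-05-28 11:15:00 POST /Telerik.Web.UI.WebResource.axd type=rau 192.0.2.77 500
2020-05-28 11:16:00 GET /Telerik.Web.UI.WebResource.axd type=rau 192.0.2.77 200
"""

# Assumption: RadAsyncUpload handler path and query marker as commonly deployed.
# Check the application's actual routing before running this over real logs.
UPLOAD_HANDLER = "/telerik.web.ui.webresource.axd"
UPLOAD_QUERY_MARKER = "type=rau"
WINDOW_SECONDS = 120  # the two exploitation requests arrive seconds apart, not hours


def parse_iis(text):
    """Parse the simplified W3C lines into dicts; skips directive and blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time, method, stem, query, client, status = line.split()
        events.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "method": method.upper(),
            "stem": stem.lower(),
            "query": query.lower(),
            "client": client,
            "status": int(status),
        })
    return events


def is_async_upload(event):
    """True for a POST to the asynchronous upload handler."""
    return (event["method"] == "POST"
            and event["stem"] == UPLOAD_HANDLER
            and UPLOAD_QUERY_MARKER in event["query"])


def upload_handler_clients(text):
    """Every client that POSTed to the upload handler (low confidence, for triage)."""
    return sorted({e["client"] for e in parse_iis(text) if is_async_upload(e)})


def find_two_step_uploads(text, window=WINDOW_SECONDS):
    """Clients with two upload-handler POSTs within `window` seconds of each other.

    Returns {client_ip: (first_ts, second_ts)} for the first matching pair per client.
    """
    stamps_by_client = defaultdict(list)
    for event in parse_iis(text):
        if is_async_upload(event):
            stamps_by_client[event["client"]].append(event["ts"])

    flagged = {}
    for client, stamps in stamps_by_client.items():
        stamps.sort()
        for earlier, later in zip(stamps, stamps[1:]):
            if (later - earlier).total_seconds() <= window:
                flagged[client] = (earlier, later)
                break
    return flagged


if __name__ == "__main__":
    print("upload handler clients:", upload_handler_clients(SAMPLE_LOG))
    for ip, (a, b) in find_two_step_uploads(SAMPLE_LOG).items():
        print(f"ALERT two-step upload pattern from {ip}: {a} -> {b}")
```

Legitimate users of the upload control also POST to this handler, so the single-request list is only a triage aid; the paired-request rule is the stronger signal, and it should be corroborated with what the briefing says the attacker leaves behind (new files under the web root, a web shell, child processes of the IIS worker).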
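Ketrum 1, in the Ke3chang item above, hides its C2 traffic in the Cookie and Set-Cookie headers of otherwise ordinary HTTP requests. The Python below is an added illustration and not code from the briefing, from Ke3chang's analysts or from any product: it scores the cookie pairs in a header by length and Shannon entropy, which is one way to surface cookie values carrying far more data than a session identifier would. The header samples are constructed, the pseudo-random payload stands in for encoded C2 data, and the thresholds are assumptions to be tuned against a baseline of your own proxy logs.

```python
import base64
import hashlib
import math

# Cookie attributes that may follow a Set-Cookie pair; they are not cookie data.
COOKIE_ATTRIBUTES = {"path", "domain", "expires", "max-age", "secure", "httponly", "samesite"}


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty or single-symbol input)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_cookie_pairs(header_value):
    """Split a Cookie or Set-Cookie header value into (name, value) pairs, dropping attributes."""
    pairs = []
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip()
        if name.lower() in COOKIE_ATTRIBUTES:
            continue
        pairs.append((name, value.strip()))
    return pairs


def suspicious_cookie_values(header_value, min_length=128, min_entropy=4.5):
    """Return names of cookies whose values are both long and high-entropy.

    Thresholds are assumptions: a 32-character hex session id has at most 4 bits
    of entropy per character and is well under min_length, while hundreds of
    characters of base64-encoded payload sit above both limits.
    """
    return [
        name for name, value in parse_cookie_pairs(header_value)
        if len(value) >= min_length and shannon_entropy(value) >= min_entropy
    ]


def _constructed_blob(nbytes):
    """Deterministic pseudo-random bytes (SHA-256 chain), base64-encoded, standing in for C2 data."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(counter.to_bytes(4, "big")).digest()
        counter += 1
    return base64.b64encode(out[:nbytes]).decode()


# Constructed header samples, not captured traffic.
BENIGN_COOKIE = "PHPSESSID=3f0a9c7b2e1d4a6b8c9d0e1f2a3b4c5d; lang=en; consent=1"
BENIGN_SET_COOKIE = "SID=3f0a9c7b2e1d4a6b8c9d0e1f2a3b4c5d; Path=/; HttpOnly; SameSite=Lax"
SUSPECT_COOKIE = f"lang=en; ASPSESSIONIDQA={_constructed_blob(192)}"
SUSPECT_SET_COOKIE = f"SID={_constructed_blob(240)}; Path=/; Secure"


if __name__ == "__main__":
    samples = [("benign Cookie", BENIGN_COOKIE), ("benign Set-Cookie", BENIGN_SET_COOKIE),
               ("suspect Cookie", SUSPECT_COOKIE), ("suspect Set-Cookie", SUSPECT_SET_COOKIE)]
    for label, header in samples:
        print(f"{label}: flagged {suspicious_cookie_values(header)}")
```

Signed tokens such as JWTs are also long and high-entropy, so a bare entropy rule will fire on some legitimate applications; in practice the score is keyed by destination host and cookie name against a learned baseline, and a hit is weighed together with the other Ketrum 1 trait the briefing notes, traffic routed through the user's configured proxy to a host the user never browses.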
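The LiveJournal item above warns that leaked credentials feed credential stuffing. As an added example (not from the briefing, and not LiveJournal's own tooling), the Python below separates credential stuffing, where one source replays many different usernames, from plain brute force, where one source hammers a single account, over a constructed authentication log in a simple key=value format. The thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log lines (not real data). Source 203.0.113.9 cycles
# through many usernames with mostly failures, which is what replaying a leaked
# credential list looks like; 198.51.100.4 fails repeatedly against one account.
SAMPLE_AUTH_LOG = """\
2020-05-26T12:00:01Z login user=alice ip=203.0.113.9 result=fail
2020-05-26T12:00:02Z login user=bob ip=203.0.113.9 result=fail
2020-05-26T12:00:02Z login user=carol ip=203.0.113.9 result=fail
2020-05-26T12:00:03Z login user=dave ip=203.0.113.9 result=success
2020-05-26T12:00:03Z login user=erin ip=203.0.113.9 result=fail
2020-05-26T12:00:04Z login user=frank ip=203.0.113.9 result=fail
2020-05-26T12:00:10Z login user=grace ip=198.51.100.4 result=fail
2020-05-26T12:00:11Z login user=grace ip=198.51.100.4 result=fail
2020-05-26T12:00:12Z login user=grace ip=198.51.100.4 result=fail
2020-05-26T12:00:13Z login user=grace ip=198.51.100.4 result=fail
2020-05-26T12:05:00Z login user=heidi ip=192.0.2.10 result=success
2020-05-26T12:06:00Z login user=heidi ip=192.0.2.10 result=fail
"""


def parse_auth_log(text):
    """Parse 'timestamp login key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, _action, *fields = line.split()
        record = dict(f.split("=", 1) for f in fields)
        record["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        events.append(record)
    return events


def detect_credential_stuffing(text, min_users=5, min_fail_ratio=0.7, window=timedelta(minutes=10)):
    """Flag source IPs that try many distinct usernames, mostly failing, within `window`.

    Returns {ip: {"users": n, "attempts": n, "fail_ratio": r}} for flagged sources.
    Thresholds are assumptions; tune them to the login volume of the application.
    """
    per_ip = defaultdict(list)
    for e in parse_auth_log(text):
        per_ip[e["ip"]].append(e)

    flagged = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["ts"])
        # Slide a window over this source's attempts; stop at the first window that qualifies.
        for i, start in enumerate(events):
            in_window = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in in_window}
            fails = sum(1 for e in in_window if e["result"] != "success")
            ratio = fails / len(in_window)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                flagged[ip] = {"users": len(users), "attempts": len(in_window), "fail_ratio": ratio}
                break
    return flagged


def detect_single_account_brute_force(text, min_fails=4):
    """Contrast rule: sources repeatedly failing against one account (brute force, not stuffing)."""
    fails = defaultdict(int)
    for e in parse_auth_log(text):
        if e["result"] != "success":
            fails[(e["ip"], e["user"])] += 1
    return {key: n for key, n in fails.items() if n >= min_fails}


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_AUTH_LOG).items():
        print(f"credential stuffing suspected from {ip}: {stats}")
    for (ip, user), n in detect_single_account_brute_force(SAMPLE_AUTH_LOG).items():
        print(f"brute force suspected from {ip} against {user}: {n} failures")
```

The distinction matters for response: a per-account lockout counters the brute-force case but does nothing against stuffing, where each account sees only one attempt, so the stuffing rule keys on the source and on the success among the failures (the `dave` login above is the one worth investigating).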
