February 11, 2020 - Anomali Threat Research

Weekly Threat Briefing: Charming Kitten Hackers Impersonate Journalist in Phishing Attacks

<div id="weekly"><p id="intro">The threat intelligence stories in this iteration of the Weekly Threat Briefing (WTB) discuss the following topics: <strong>APT, Data Leak, Phishing, PII, Ransomware, TA505, Targeted Attacks, </strong>and<strong> Vulnerability</strong>. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.</p><p><img src="https://anomali-labs-public.s3.amazonaws.com/021020.png"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p><div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><p><a href="https://www.zdnet.com/article/netanyahus-party-exposes-data-on-over-6-4-million-israelis/" target="_blank"><b>Netanyahu's party exposes data on over 6.4 million Israelis</b></a> (<i>February 10, 2020</i>)<br/> Verizon Media researcher Ran Bar-Zik found that a misconfiguration in an election-related application leaked the Personally Identifiable Information (PII) of approximately 6.5 million Israeli citizens. The data was exposed through an API endpoint that was left reachable without any authentication. The application, called “Elector”, was created by the party of Israeli prime minister Benjamin Netanyahu. The exposed fields included age, full name, gender, home address, ID card number, and political preferences.
As of this writing, it is unknown whether the data was illicitly accessed.<br/> <a href="https://forum.anomali.com/t/netanyahus-party-exposes-data-on-over-6-4-million-israelis/4570" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.cyberscoop.com/china-malaysia-fireeye-kaspersky/" target="_blank"><b>China-linked hackers have targeted Malaysian government, officials warn</b></a> (<i>February 6, 2020</i>)<br/> The Malaysia Computer Emergency Response Team (MyCERT) has observed increased targeting of Malaysian government departments. The advisory mentions APT40 but, as of this writing, does not attribute the activity to that group. The activity has been described as a data-stealing espionage campaign. APT40 has been active since at least 2013 and has conducted cyber-espionage campaigns against multiple targets relevant to China's Belt and Road Initiative.<br/> <a href="https://forum.anomali.com/t/china-linked-hackers-have-targeted-malaysian-government-officials-warn/4579" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947141">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/947240">[MITRE ATT&amp;CK] Data Compressed - T1002</a></p><p><a
href="https://blog.checkpoint.com/2020/02/05/the-dark-side-of-smart-lighting-check-point-research-shows-how-business-and-home-networks-can-be-hacked-from-a-lightbulb/" target="_blank"><b>Bug in Philips Smart Light Allows Hopping to Devices on the Network </b></a> (<i>February 5, 2020</i>)<br/> Researchers at Check Point have disclosed a vulnerability, tracked as CVE-2020-6007, in the Philips Hue Bridge's implementation of the ZigBee wireless protocol used by smart home devices. The vulnerability is a heap buffer overflow in Hue Bridge model 2.x that can be triggered over the air from an attacker-controlled bulb. The researchers point out that once the bridge is compromised, actors can use known exploits such as EternalBlue to move laterally to other systems on the network and deploy further malware. The vulnerability is fixed in bridge firmware version 1935144040; owners should confirm their bridge runs this version or later and keep automatic updates enabled.<br/> <a href="https://forum.anomali.com/t/bug-in-philips-smart-light-allows-hopping-to-devices-on-the-network/4572" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/" target="_blank"><b>Mailto (NetWalker) Ransomware Targets Enterprise Networks </b></a> (<i>February 5, 2020</i>)<br/> A ransomware family first identified in 2019, called “Mailto” and also known as NetWalker, recently hit the Australian transportation and logistics company Toll Group. One sample was seen masquerading as the “Sticky Password” software. On execution it reads an embedded configuration that contains the ransom note and the extension to append to encrypted files, which follows the format .mailto[{mail1}].{id}.
Coveware, an incident response company specializing in ransomware, found a decryptor that names the ransomware NetWalker.<br/> <a href="https://forum.anomali.com/t/mailto-netwalker-ransomware-targets-enterprise-networks/4573" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a></p><p><a href="https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware" target="_blank"><b>The Hole In The Bucket: Attackers Abuse BitBucket to Deliver an Arsenal of Malware</b></a> (<i>February 5, 2020</i>)<br/> Threat actors are using the code hosting service Bitbucket to stage several malware families. According to Cybereason researchers, the operation has infected more than 500,000 victims. The technique is not new: actors have previously used services such as Dropbox, GitHub and Google Drive to host malicious code. Traffic to well-known legitimate services is less likely to be blocked or scrutinized by network defenses, which helps the downloads blend in.
Payloads delivered to victim systems include infostealers (Predator the Thief, Azorult, Vidar), cryptocurrency miners and stealers (Monero Miner, IntelRapid), ransomware (STOP) and a reconnaissance bot (Amadey bot).<br/> <a href="https://forum.anomali.com/t/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware/4574" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a></p><p><a href="https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/" target="_blank"><b>Charming Kitten Hackers Impersonate Journalist in Phishing Attacks </b></a> (<i>February 5, 2020</i>)<br/> Researchers at the London-based cybersecurity company Certfa have detected a new campaign by the Iranian cyber-espionage group Charming Kitten. The campaign used fake interview requests as a lure, impersonating Farnaz Fassihi, a prominent New York Times journalist who previously worked for the Wall Street Journal and has over 17 years' experience covering the Middle East. The lure contained a tell: the request purported to come from the Wall Street Journal, where Fassihi no longer works. The email asks the target to download the interview questions; the link leads to a site hosting a phishing kit built to capture login credentials and two-factor authentication (2FA) codes. Researchers also detected new Charming Kitten malware, using the filename “pdfreader.exe”, that serves as a backdoor.
The campaign has targeted journalists, academics, activists and Iranian citizens living outside Iran.<br/> <a href="https://forum.anomali.com/t/charming-kitten-hackers-impersonate-journalist-in-phishing-attacks/4575" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a></p><p><a href="https://krebsonsecurity.com/2020/02/booter-boss-busted-by-bacon-pizza-buy/" target="_blank"><b>Booter Boss Busted By Bacon Pizza Buy</b></a> (<i>February 4, 2020</i>)<br/> David Bukoski has pleaded guilty to running Quantum Stresser, one of the longest-running attack-for-hire “booter” services. The booter enabled paying customers to launch Distributed Denial-of-Service (DDoS) attacks that knocked web sites and network providers offline. The FBI identified the operator's real address from an old pizza receipt found in one of the email accounts associated with Quantum Stresser.
The receipt listed David Bukoski's home address as the delivery address.<br/> <a href="https://forum.anomali.com/t/booter-boss-busted-by-bacon-pizza-buy/4576" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402529">[MITRE ATT&amp;CK] Endpoint Denial of Service - T1499</a> | <a href="https://ui.threatstream.com/ttp/2402530">[MITRE ATT&amp;CK] Network Denial of Service - T1498</a></p><p><a href="https://www.bleepingcomputer.com/news/security/fbi-warns-of-ddos-attack-on-state-voter-registration-site/" target="_blank"><b>FBI Warns of DDoS Attack on State Voter Registration Site </b></a> (<i>February 4, 2020</i>)<br/> An FBI advisory, reported on by BleepingComputer, details a Distributed Denial-of-Service (DDoS) attack against a state-level voter registration and information site. The DDoS was a Pseudo Random Subdomain (PRSD) attack, in which actors “disrupt DNS record lookups by flooding a DNS server with large amounts of DNS queries against non-existing subdomains”.
The attack traffic was observed “over a month, in intervals of approximately two hours, with request frequency peaking around 200,000 DNS requests during a period of time when less than 15,000 requests were typical for the targeted website”.<br/> <a href="https://forum.anomali.com/t/fbi-warns-of-ddos-attack-on-state-voter-registration-site/4577" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402529">[MITRE ATT&amp;CK] Endpoint Denial of Service - T1499</a> | <a href="https://ui.threatstream.com/ttp/2402530">[MITRE ATT&amp;CK] Network Denial of Service - T1498</a></p><p><a href="https://www.bankinfosecurity.com/ta505-apt-group-returns-new-techniques-report-a-13678" target="_blank"><b>TA505 APT Group Returns With New Techniques: Report</b></a> (<i>February 3, 2020</i>)<br/> Microsoft has observed TA505 returning with a new campaign that uses new tactics, techniques and procedures (TTPs), including HTML redirector files attached to emails. Despite the changes, Microsoft notes that TA505 still relies on the previously reported GraceWire infostealer.<br/> <a href="https://forum.anomali.com/t/ta505-apt-group-returns-with-new-techniques-report/4578" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a></p></div><div id="observed-threats"><h2 id="observedthreats">Observed Threats</h2></div><div id="threat_model"><p>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs.
<a href="https://www.anomali.com/products" target="_blank">A ThreatStream account is required to view this section.</a></p><div id="threat_model_actors"><div><a href="https://ui.threatstream.com/actor/26092" target="_blank">TA505</a><p>The financially-motivated threat group “TA505” was first reported on by Proofpoint researchers in December 2017.[1] Malicious activity attributed to the Russian-speaking group dates back to at least 2014, and its campaigns have targeted entities and individuals around the world. The group distributes a variety of malware: well-known strains (the Dridex banking trojan, Locky ransomware), custom-built tools (Jaff ransomware, tRAT), and variants of legitimate remote access tools (Remote Manipulator System). It primarily delivers malware and tools through large-scale, indiscriminate malspam campaigns, often via the “Necurs” botnet, using malicious attachments or links. The incorporation of new malware, the creation of custom malware and the use of advanced tradecraft such as the removal of malware artifacts indicate a sophisticated and likely well-funded threat. The group is innovative and has shown the flexibility to pivot to other techniques and malware trends on a global scale.</p></div></div></div></div>
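The Pseudo Random Subdomain (PRSD) flood described in the FBI advisory item above is easy to spot once resolver logs are bucketed by time window and zone: query volume jumps well above the baseline (the advisory cites peaks around 200,000 requests against a norm under 15,000), nearly every answer is NXDOMAIN, and almost no queried name repeats. The following Python detector is an added example written for this briefing, not code from the FBI, BleepingComputer or Anomali; the log line format, the thresholds, the zone names and the sample records are constructed for illustration and would need to be adapted to a real resolver's log format.

```python
"""Flag Pseudo Random Subdomain (PRSD) floods in resolver query logs.

Added example for this briefing, not code from the FBI advisory or from
Anomali. The log format, the thresholds and the sample records are
constructed for illustration. A PRSD flood queries thousands of
never-before-seen subdomains of the victim zone, so the signals are:
query volume far above baseline, a high share of NXDOMAIN answers, and
almost every queried name being unique.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log line format: "<ISO-8601 timestamp> <client-ip> <qname> <rcode>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")
EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Return (timestamp, client, qname, rcode), or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode


def zone_of(qname, labels=2):
    """Assume the attacked zone is the last two labels (e.g. vote.example)."""
    return ".".join(qname.split(".")[-labels:])


def window_start(ts, window):
    """Align a timestamp to the start of its fixed-size window."""
    secs = (ts - EPOCH).total_seconds()
    return EPOCH + timedelta(seconds=secs - secs % window.total_seconds())


def detect_prsd(lines, window=timedelta(minutes=5), baseline=10,
                spike_factor=10, nx_ratio=0.8, unique_ratio=0.9):
    """Return (window_start, zone, total, nxdomain, unique_names) per suspicious window.

    A window is flagged when one zone receives at least spike_factor times the
    baseline query count, most answers are NXDOMAIN, and nearly every queried
    name is unique, which is the hallmark of randomly generated labels.
    """
    buckets = defaultdict(lambda: {"total": 0, "nx": 0, "names": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        ts, _client, qname, rcode = rec
        b = buckets[(window_start(ts, window), zone_of(qname))]
        b["total"] += 1
        if rcode == "NXDOMAIN":
            b["nx"] += 1
        b["names"].add(qname)

    hits = []
    for (wstart, zone), b in sorted(buckets.items()):
        total, nx, unique = b["total"], b["nx"], len(b["names"])
        if (total >= spike_factor * baseline
                and nx / total >= nx_ratio
                and unique / total >= unique_ratio):
            hits.append((wstart, zone, total, nx, unique))
    return hits


def sample_log():
    """Constructed log: quiet traffic, then a PRSD burst against vote.example."""
    lines = []
    # Normal traffic: repeated lookups of a real name, answered NOERROR.
    for i in range(8):
        lines.append(f"2020-01-15T10:0{i}:00 10.0.0.{i + 1} www.vote.example NOERROR")
    # Attack burst: 120 unique pseudo-random labels inside one 5-minute window.
    for i in range(120):
        label = f"{(i * 2654435761) % 2**32:08x}"  # deterministic stand-in for random labels
        lines.append(f"2020-01-15T12:0{i % 5}:{i % 60:02d} "
                     f"198.51.100.{i % 250 + 1} {label}.vote.example NXDOMAIN")
    # An unrelated zone in the same window stays below every threshold.
    lines.append("2020-01-15T12:01:00 10.0.0.9 mail.other.example NOERROR")
    return lines


if __name__ == "__main__":
    for wstart, zone, total, nx, unique in detect_prsd(sample_log()):
        print(f"{wstart:%Y-%m-%d %H:%M} {zone}: {total} queries, {nx} NXDOMAIN, "
              f"{unique} unique names -> possible PRSD flood")
```

The three conditions are deliberately combined: a volume spike alone also matches a legitimate traffic surge, and a high NXDOMAIN share alone matches a misconfigured client hammering one bad name; only the random-label flood shows both together with near-total uniqueness. The baseline should come from the resolver's own history rather than the constant used here.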
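The HTML redirector attachments attributed to TA505 in the Microsoft report summarised above work by sending the recipient straight on to a download as soon as the file is opened. The Python triage routine below is an added example written for this briefing, not code from Microsoft or Anomali; it extracts redirect targets from an HTML attachment using the two most common idioms (an HTML meta refresh and a JavaScript location assignment) and flags the file when a target host is outside an allow-list. The detection patterns, the sample attachment, the file name and the domain names are constructed assumptions; obfuscated or base64-encoded redirect logic would evade these regular expressions and belongs in a sandbox instead.

```python
"""Triage HTML e-mail attachments for redirector behaviour.

Added example for this briefing, not code from Microsoft's report or from
Anomali. An HTML redirector sends the recipient on to a download the moment
the attachment is opened. This routine pulls the redirect targets out of
such a file so an analyst can block or detonate them. The patterns, the
sample attachment and the domain names below are constructed assumptions.
"""
import html
import re
from urllib.parse import urlparse

# <meta http-equiv="refresh" content="0;url=https://...">
META_REFRESH_RE = re.compile(
    r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*"
    r"content\s*=\s*[\"']?\s*\d+\s*;\s*url=([^\"'>\s]+)",
    re.IGNORECASE,
)
# window.location = "...", location.href = "...", location.replace("...")
JS_LOCATION_RE = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href|\.replace|\.assign)?"
    r"\s*(?:=|\()\s*[\"']([^\"']+)[\"']",
    re.IGNORECASE,
)


def extract_redirects(html_text):
    """Return ordered, de-duplicated (indicator, url) pairs for http(s) redirect targets."""
    text = html.unescape(html_text)
    found = []
    for indicator, rx in (("meta-refresh", META_REFRESH_RE), ("js-location", JS_LOCATION_RE)):
        for url in rx.findall(text):
            url = url.strip()
            if urlparse(url).scheme in ("http", "https") and (indicator, url) not in found:
                found.append((indicator, url))
    return found


def triage(html_text, trusted_hosts=()):
    """Classify an HTML attachment.

    Returns (verdict, indicators, external_targets). The verdict is
    "redirector" when the page automatically sends the user to a host that
    is not in trusted_hosts, otherwise "clean".
    """
    pairs = extract_redirects(html_text)
    indicators = sorted({ind for ind, _ in pairs})
    external = []
    for _ind, url in pairs:
        host = (urlparse(url).hostname or "").lower()
        if host not in trusted_hosts and url not in external:
            external.append(url)
    verdict = "redirector" if external else "clean"
    return verdict, indicators, external


# Constructed sample attachment modelled on the redirector technique; the
# domain and file name are invented for this example.
SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="0;url=https://files.invoice-portal.example/dl/Invoice_4471.xls">
<script>
  setTimeout(function () {
    window.location.href = "https://files.invoice-portal.example/dl/Invoice_4471.xls";
  }, 200);
</script>
</head><body>Loading your document&hellip;</body></html>"""

# Constructed benign attachment: a plain link is not an automatic redirect.
BENIGN_ATTACHMENT = """<html><body><p>Office hours are 9 to 5.</p>
<a href="https://intranet.corp.example/hours">Details</a></body></html>"""


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        verdict, indicators, external = triage(doc, trusted_hosts=("intranet.corp.example",))
        print(f"{name}: {verdict} indicators={indicators} targets={external}")
```

Run over a mail gateway's quarantined .html/.htm attachments, the returned targets are the useful output: they can be fed to URL reputation lookups or a detonation sandbox, and the host can be blocked before the next recipient opens the file. Keeping the allow-list of trusted hosts small matters, since a redirect to a legitimate file-sharing service is exactly what the Bitbucket item above describes.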
