July 14, 2020
Anomali Threat Research

Weekly Threat Briefing: China, Credit Card Skimmers, Mirai Botnet, Zoom Zero-Day Vulnerability and More

<p>The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics:<b> Citrix Vulnerabilities, Conti Ransomware, Joker Malware, Magecart, </b> and <b> Vulnerabilities</b>. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.</p> <p><img src="https://anomali-labs-public.s3.amazonaws.com/img/890869.png" /></p> <p><b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1" style="margin-bottom:0;"><a href="https://www.zdnet.com/article/backdoor-accounts-discovered-in-29-ftth-devices-from-chinese-vendor-c-data/" target="_blank"><b>Backdoor Accounts Discovered in 29 FTTH Devices from Chinese Vendor C-Data</b></a></h3> <p>(published: July 10, 2020)</p> <p>Security researchers have recently discovered what appears to be an intentional backdoor in 29 Fiber To The Home (FTTH) models sold by the popular Chinese company C-DATA. These devices serve to terminate fiber optic networks and convert the signals to conventional ethernet data. These devices are deployed globally into ISP&#39;s networks and reside all over data centers, due to their critical role. The vulnerabilities and backdoor were found analyzing two devices running the latest firmware, but they are confident that these same seven vulnerabilities impact 27 other models due to the firmware similarities. While the vulnerabilities themselves are quite severe, it is the backdoor that is truly troubling. The backdoor consists of four hardcoded telnet accounts encoded in the device firmware that if accessed gives the user full administrative control of the devices from the external network side of the devices.<br /> <b>Recommendation:</b> As of the time of this writing, there has been no comment from the manufacturer and no patches are currently available. In light of this, along with the trivial nature of exploiting the backdoor and vulnerabilities, the recommendation would be, if at all possible to replace the affected devices as soon as possible.<br /> <b>Tags:</b> Backdoor, China, Espionage, ISPs, Remote Access, Vulnerabilities</p> <h3 id="article-2" style="margin-bottom:0;"><a href="https://www.geekwire.com/2020/amazon-bans-tiktok-employees-phones-citing-security-risks/" target="_blank"><b>Amazon Bans TikTok From Employees’ Phones Citing Security Risks</b></a></h3> <p>(published: July 10, 2020)</p> <p>Amazon today has joined a growing list of companies and governmental agencies that have banned the use of the popular social media app TikTok. This is due to the increasing scrutiny of the Chinese-owned company. This scrutiny has greatly increased since Apple release developer previews of its upcoming iOS software, iOS 14. A new security feature in the Operating System (OS) revealed the TikTok, as well as many other iOS applications, were unknowingly accessing the clipboard, in some cases after every keystroke.<br /> <b>Recommendation:</b> In general, work and personal devices should be separate whenever possible, and work devices should have device management and application whitelists. Since the publication of this story, Amazon has reversed its decision to ban the use of TikTok. However, due to ongoing security issues with TikTok and its unnecessary access to personal data, users should be very cautious about using Tiktok.<br /> <b>Tags:</b> Amazon, China, Chinese spying, Espionage, TikTok</p> <h3 id="article-3" style="margin-bottom:0;"><a href="https://blog.malwarebytes.com/threat-analysis/2020/07/credit-card-skimmer-targets-asp-net-sites/" target="_blank"><b>Credit Card Skimmer Targets ASP.NET Sites</b></a></h3> <p>(published: July 9, 2020)</p> <p>Researchers at Malwarebytes Labs have identified credit card skimmers on compromised websites running ASP.NET. With regard to web skimmers, e-commerce applications written in PHP have been the major target by threat actors. This finding indicates that threat actors may be in the process of expanding their target scope. The researchers couldn’t identify a specific library that was being compromised by the threat actors. What all the compromised sites have in common was the version of ASP.NET, version 4.0.30319. This version of ASP has reached its end of life and is not maintained any longer. The researcher at Malwarebytes believes that the campaign has been active since mid-April this year.<br /> <b>Recommendation:</b> It is recommended that website owners keep their installations up-to-date, along with any additional plug-ins. Organizations using ASP.NET version 4.0.40419 and having a “cart” functionality on their website, should ensure that the site has not been compromised. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external-facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs. In addition, supply chain attacks are becoming more frequent amongst threat actors as their Tactics, Techniques, and Procedures (TTPs) evolve. Therefore, it is paramount that all applications in use by your company are properly maintained and monitored for potential unusual activity.<br /> <b>Tags:</b> ASP.NET, Compromised site, Skimmer, PHP</p> <h3 id="article-4" style="margin-bottom:0;"><a href="https://www.cyberscoop.com/zoom-zero-day-windows-7-acros/" target="_blank"><b>Zoom Zero-day Discovered in Windows 7</b></a></h3> <p>(published: July 9, 2020)</p> <p>Researchers from ACROS Security have disclosed a zero-day vulnerability in Zoom on the Windows 7 operating system. Attackers leveraging the vulnerability are able to access files on affected systems, if the user is a local administrator the attacker could access the entire computer. Full details of the exploit will not be available until Windows patches the issue. Microsoft has attempted to phase out technical support for this older operating system to encourage users to upgrade, however, this is not always possible leaving many organizations vulnerable to attack.<br /> <b>Recommendation:</b> Zero-day based attacks can sometimes be detected by less conventional methods, such as behavior analysis, and heuristic and machine learning-based detection systems. Threat actors are often observed to use vulnerabilities even after they have been patched by the affected company. Therefore, it is crucial that policies are in place to ensure that all employees install patches as soon as they are made available.<br /> <b>Tags:</b> Zero-day, Windows 7, Zoom, Teleconferencing</p> <h3 id="article-5" style="margin-bottom:0;"><a href="https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/" target="_blank"><b>New Joker Variant Hits Google Play with an Old Trick</b></a></h3> <p>(published: July 9, 2020)</p> <p>A new variant of the Android dropper malware, “Joker,” has been found located inside of apps in the Google Play Store, according to CheckPoint researchers. This Joker variant is capable of downloading other malware and will subscribe an infected device to premium services. This kind of technique is not new, but it is interesting to see it applied to mobile devices for the objective of monetary theft. Joker uses the Notification Listener service and a dynamic def file that is loaded from a Command and Control server which is used to subscribe users to premium services.<br /> <b>Recommendation:</b> Always keep your mobile phone fully patched with the latest security updates. As this story portrays, sometimes malicious apps make it into official mobile stores, therefore, it is important to carefully review the permission an app will request upon installation.<br /> <b>Tags:</b> Mobile malware, Joker Dropper</p> <h3 id="article-6" style="margin-bottom:0;"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Anti-MalwareBlog+%28Trendlabs+Security+Intelligence+Blog%29" target="_blank"><b>New Mirai Variant Expands Arsenal, Exploits CVE-2020-10173</b></a></h3> <p>(published: July 8, 2020)</p> <p>Trend Micro researchers have identified that a new variant of the well-known Mirai Botnet has incorporated an exploit for the vulnerability registered as “CVE-2020-10173.” The vulnerability is a multiple authenticated command injection vulnerability that affects Comtrend VR-3033 routers. This Mirai variant has been observed using nine vulnerabilities in the analyzed campaign that affect certain IP camera, router, and smart TV versions, among others. Other capabilities of Mirai remain similar to previous versions, with brute-force capabilities, credential-theft, and Distributed Denial-of-Service (DDoS).<br /> <b>Recommendation:</b> The Mirai botnet takes advantage of internet-connected devices that have been lazily configured, leaving the door wide open to the world. Any device that connects to the internet must be treated as a security liability, and default usernames/passwords must be disabled. Organizations and defenders should be aware of all their internet-facing assets and have them under strict monitoring.<br /> <b>Tags:</b> Botnet, Mirai, CVE-2020-10173, Brute force, Credential theft</p> <h3 id="article-7" style="margin-bottom:0;"><a href="https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/" target="_blank"><b>TAU Threat Discovery: Conti Ransomware</b></a></h3> <p>(published: July 8, 2020)</p> <p>A new ransomware family, dubbed “Conti,” is active in the wild, according to the Carbon Black Threat Analysis Unit. Conti is unique ransomware as it is one of few that is capable of direct command-line control. This allows a threat actor to control how Conti iterates over files to encrypt, such as local files, SMB shares, IPs inputted by an actor. In addition, Conti can also utilize the Windows Restart Manager so that it can encrypt all files. Furthermore, the ransomware encrypts files quickly, approximately 32 simultaneous encryption attempts, using AES-256 encryption.<br /> <b>Recommendation:</b> Always run antivirus and endpoint protection software to assist in preventing ransomware infection. Maintain secure backups of all your important files to avoid the need to consider payment for the decryption key, and implement a business continuity plan in the unfortunate case of ransomware infection. Emails received from unknown sources should be carefully avoided, and attachments and links should not be followed or opened. Your company should sustain policies to consistently check for new system security patches. In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a><br /> <b>Tags:</b> Ransomware, Conti</p> <h3 id="article-8" style="margin-bottom:0;"><a href="https://support.citrix.com/article/CTX276688" target="_blank"><b>Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP Appliance Security Update</b></a></h3> <p>(published: July 7, 2020)</p> <p>Citrix has released a security update addressing several vulnerabilities in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) , and Citrix SD-WAN WANOP appliances. The affected models are 4000-WO, 4100-WO, 5000-WO, and 5100-WO. The vulnerabilities, if exploited, can lead to system compromise, denial-of-service (DoS), and remote port scanning of the internal network.<br /> <b>Recommendation:</b> Citrix has released updates to the affected appliances. Organizations should ensure that fixed versions or later are used. The fixed versions are: Citrix ADC and Citrix Gateway 13.0-58.30, Citrix ADC and NetScaler Gateway 12.1-57.18, Citrix ADC and NetScaler Gateway 12.0-63.21, Citrix ADC and NetScaler Gateway 11.1-64.14, NetScaler ADC and NetScaler Gateway 10.5-70.18, Citrix SD-WAN WANOP 11.1.1a, Citrix SD-WAN WANOP 11.0.3d, Citrix SD-WAN WANOP 10.2.7, Citrix Gateway Plug-in for Linux<br /> <b>Tags:</b> Vulnerability, Citrix, NetScaler, CVE-2019-18177, CVE-2020-8187, CVE-2020-8190, CVE-2020-8191, CVE-2020-8193, CVE-2020-8194, CVE-2020-8195, CVE-2020-8196, CVE-2020-8197, CVE-2020-8198, CVE-2020-8199</p> <h3 id="article-9" style="margin-bottom:0;"><a href="https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/" target="_blank"><b>“Keeper” Magecart Group Infects 570 Sites</b></a></h3> <p>(published: July 7, 2020)</p> <p>Researchers from Gemini Advisory discovered that the “Keeper” Magecart group, also known as Group8, has successfully breached more than 570 online e-commerce shopping websites since 2017. Researchers identified the group consists of an interconnected network of 64 attacker domains to deliver malicious JS payloads, 73 exfiltration domains, and the victims were spread across 55 different countries. The analysis shows that over 85% of the victims operate on Magento CMS, which is commonly exploited by the Magecart groups. Researchers also uncovered an unsecured access_log file on an exfiltration server with 184,000 compromised cards with time stamps ranging from July 2018 to April 2019. The Keeper group has gained approximately $7 million over the past 3 years of its continuous operation while improving its technical sophistication<br /> <b>Recommendation:</b> eCommerce site owners must take every step necessary to secure their data and safeguard their payment card information. Ensure the content management systems and plugins are updated to the recent version. Websites, much like personal workstations, require constant maintenance and upkeep to adapt to the latest threats. Understanding what TTPs threat actors use to target certain types of websites or companies can assist in creating a more proactive approach before something malicious takes place.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947202">[MITRE ATT&CK] Shared Webroot - T1051</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&CK] Web Service - T1102</a><br /> <b>Tags:</b> Magecart, Group8, Keeper</p> <h3 id="article-10" style="margin-bottom:0;"><a href="https://news.softpedia.com/news/hackers-take-control-of-russian-ministry-s-twitter-account-530465.shtml" target="_blank"><b>Hackers Hijack Russian Foreign Ministry Twitter</b></a></h3> <p>(published: July 6, 2020)</p> <p>Independent researcher Graham Cluley reported that on July 2nd an unnamed group successfully targeted a Russian Foreign Ministry Twitter account. Taking control of the Crisis Management Center account, @MID_travel, the attackers used the account to post an ad in a Tweet, claiming they were looking to sell personal data for 66 Bitcoins (approximately $500,000 USD). The alleged data in question was from tourist payments made in June 2020 through Russia’s Public Services Portal. Russian authorities quickly recovered the account and removed the Tweet stating that cybercriminals had hijacked the account but that the account was now working as normal. No group has claimed responsibility for the attack.<br /> <b>Recommendation:</b> Your company should implement security policies on accounts that store any sensitive information. Multi-factor authentication and frequent password changes can help protect trade secrets and other forms of sensitive data.<br /> <b>Tags:</b> Foreign Ministry, Russia, Twitter</p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.