Weekly Threat Briefing: China, Ransomware, Phishing, Vulnerabilities and More

The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Capitol One, Data breach, LockBit, Phishing, RAT, TAIDOOR, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. <img src="https://cdn.filestackcontent.com/Gdg0FrTVQmu5NWSOi122"/> Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. <h2>Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/fake-security-advisory-used-in-clever-cpanel-phishing-attack/" target="_blank">Fake Security Advisory Used in Clever cPanel Phishing Attack</a></h3> (published: August 8, 2020) User of cPanel, an administrative software, are being targeted by a phishing scam. Pretending to be a security alert, users are receiving emails urging the users of an urgent update sent from a legitimate looking email. The email prompts the user to enter their credentials to install the “security update”. Recommendation: Make sure all emails are coming from the legitimate source. If you have received a similar email recently, immediately change your password, and any other account that may have the same password. Tags: cPanel, Phishing, Scam <h3 id="article-2" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/bugs-in-hdl-automation-expose-iot-devices-to-remote-hijacking/" target="_blank">Bugs in HDL Automation Expose IoT Devices to Remote Hijacking</a></h3> (published: August 8, 2020) During this year's DEF CON conference, security researcher Barak Sternberg has shown how vulnerabilities in IoT devices could be compromised. When a user registers a new account on the mobile application, another account is automatically created for applying the settings, which can have its password changed without changing the password of the main account. Additionally, an endpoint was found to be vulnerable to SQL injection, which could enable extraction of email address, user list and passwords. Recommendation: If the device is IoT, it is recommended that it is placed behind a firewall or network address translation and placed within a Virtual Local Area Network (VLAN). Change the default password of IoT devices such as routers and printers to something that is difficult for threat actors to guess, but memorable for you. It is crucial to stay up-to-date with security patches and updates. Tags: IoT, Remote Hijacking, Vulnerabilities <h3 id="article-3" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/teamviewer-fixes-bug-that-lets-attackers-access-your-pc/" target="_blank">TeamViewer Fixes Bug That Lets Attackers Access Your PC </a></h3> (published: August 7, 2020) TeamViewer, a popular remote access program, has released an update to a number of versions of their software due to a vulnerability in how Uniform Resource Indicators (URI) are handled. The vulnerability has been assigned “CVE-2020-13699”, which is labeled as severe. It is a member of the class of vulnerabilities collectively known as Unquoted Search Path or Element (CWE-428). This particular vulnerability relates to how arguments are passed to the TeamViewer application as it is launched by a URI link. The elements in the URI were not properly quoted, allowing for an attacker to craft a malicious URI that is interpreted as a direct command, for example launching a machine-authenticated connection to a remote Server Message Block (SMB) server. The fix simply properly quotes the elements in the URI to prevent command injection. Recommendation: Users and companies that leverage TeamViewer should upgrade these applications as soon as possible. Software updates, especially OS, browsers, and software that can be leveraged for remote access, should be part of every user and company's regular update activities. Users should also be cautious with their browsing activities and only visit trusted sites. However, as this vulnerability can also be launched via an invisible iFrame embedded into a legitimate, but compromised, webserver, URL inspection would be insufficient to detect this. Tags: CVE-2020-13699, teamviewer, CWE-428, "severity: high" <h3 id="article-4" style="margin-bottom:0;"><a href="https://www.zdnet.com/article/bulgarian-police-arrest-hacker-instakilla/#ftag=RSSbaffb68" target="_blank">Bulgarian Police Arrest Hacker Instakilla </a></h3> (published: August 7, 2020) Bulgarian law enforcement arrested a resident of Plovdiv Bulgaria, who is also known as the actor known as Instakilla. He has been active in underground hacker forums since 2017, and rose to notoriety due to his involvement in publishing databases from the Bulgarian National Revenue Agency (Национална агенция за приходите). He is not believed to have been part of the initial breach, but did offer the data for sale. Additionally, he was known to run a "hacker-for-hire" service website and regularly posted user data breaches for sale. He was known to target vBulletin forum vulnerabilities to acquire user accounts. The authorities searched two of his residences and confiscated numerous electronic devices and cryptocurrency. Recommendation: All companies that maintain user login data must ensure that they take adequate precautions to protect that data. This includes the standard defence in depth measures, patch management, and security measures. User data, indeed all PII or sensitive data needs to be further secured by limiting access, network separation, and encryption. Audits of access to these data should also be regularly performed and issues addressed. This is especially vital for cloud services and publicly accessible websites. Tags: InstaKilla <h3 id="article-5" style="margin-bottom:0;"><a href="https://www.zdnet.com/article/intel-investigating-breach-after-20gb-of-internal-documents-leak-online/" target="_blank">Intel Investigates 20GB Document Breach</a></h3> (published: August 6, 2020) The US chip manufacturing giant Intel is currently investigating a security breach after 20GB of internal documents were uploaded to a file sharing site. Independent researcher Till Kottman published the findings after receiving the files from an anonymous source who claimed to have breached Intel in early 2020. Kottman noted that many of the files were marked as “confidential” and “restricted secret,” this is supported by analysts from ZDNet who reviewed these files and have reported they contained Intel intellectual property related to various chipset designs dating back to 2016. It should be noted that none of the documents reviewed contained data on Intel customers or employees. Intel believes the breach came from their “Intel Resource and Design Center” portal and that the attacker had not compromised their systems, however, the anonymous source claims to have obtained the data via an unsecured server hosted on the Akamai CDN. The source also noted that many of the files were password-protected, however a guess of ‘intel123’ was able to open most of them. Recommendation: Ensure that your server is always running the most current software version. Additionally, maintaining secure passwords for RDP and other remote access systems is paramount. Intrusion detection systems and intrusion prevention systems can also assist in identifying and preventing attacks against your company's network. Furthermore, always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe). In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947227">[MITRE ATT&CK] Brute Force - T1110</a> | <a href="https://ui.threatstream.com/ttp/947190">[MITRE ATT&CK] Connection Proxy - T1090</a> Tags: intel, chipset, data leak, <h3 id="article-6" style="margin-bottom:0;"><a href="https://www.cbronline.com/news/capital-one-data-breach" target="_blank">Capital One Fined $80 Millon for Data Breach</a></h3> (published: August 6, 2020) Capital One Financial Corp have been hit with a $80 million fine after suffering a large data breach in 2019. The banking regulator, Office for the Comptroller of the Currency (OCC), issued the fine after determining that Capital One did not carry out an appropriate risk assessment after migrating its data to the AWS cloud. This negligence led to the leaking of over 100 million customer’s details online, including over 140,00 social security numbers and 80,000 linked bank account numbers. The actor responsible is believed to be a former employee of AWS and was able to gain access by exploiting a misconfigured application firewall. Recommendation: Always make sure your cloud storage is properly configured. Experts have been warning companies that Amazon S3 buckets are too often misconfigured. Leaked data can be used by extortionists in an attempt to make money. Ensure that any cloud storage services you use are properly configured to only allow access to trusted and authorized users. Require multi-factor authentication for access to the most sensitive materials you store. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/3297611">[MITRE ATT&CK] Data from Cloud Storage Object - T1530</a> Tags: Capital One, finance, banking, data leak, misconfigured, AWS <h3 id="article-7" style="margin-bottom:0;"><a href="https://www.inky.com/blog/zoom-doom-how-inky-unraveled-a-credential-harvesting-phishing-scam" target="_blank">Zoom & Doom: How INKY Unraveled A Credential Harvesting Phishing Scam</a></h3> (published: August 5, 2020) Researchers from INKY discovered a new phishing campaign that targets zoom users across the globe. The campaign uses convincing lures such as zoom meeting invitations, file attachments with details about meeting invitations and malicious links. The phishing emails appear to be originating from hijacked accounts and newly created domains that impersonate Zoom. Once the user clicks on either malicious links or HTM/HTML attachments were directed to spoofed Office365 and Outlook login page for credential harvesting. The attackers have encoded the HTML, JavaScript, and PHP code and they are unreadable to humans and automated security tools. The obfuscation makes the phishing pages undetectable and evade URL reputation checkers. Recommendation: All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. Users should always be cautious of individuals or organizations that ask for personal information. Most companies will not ask for sensitive data from their customers. If in doubt, users should verify with the company itself to avoid any potential issues. Tags: Zoom, Phishing <h3 id="article-8" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/interpol-lockbit-ransomware-attacks-affecting-american-smbs/" target="_blank">Interpol: Lockbit Ransomware Attacks Affecting American SMBs</a></h3> (published: August 4, 2020) Companies in the United States are currently being targeted by LockBit ransomware operators. In a report by Interpol’s Cybercrime Directorate, an increase in ransomware attacks was noted, specifically in relation to COVID-19. The affected companies are not named but are mentioned as “medium-sized” companies. LockBit is a Ransomware-as-a-Service (RaaS) and has previously targeted Microsoft and healthcare services with the use of the pen testing tool CrackMapExec. Recommendation: Interpol is recommending organizations to keep all software and hardware up to date, applying any relevant patches. Organizations are also advised to keep multiple backups of data, with offline storage, and be aware of phishing attacks. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a> Tags: American Industry, Interpol, LockBit, Ransomware <h3 id="article-9" style="margin-bottom:0;"><a href="https://www.zdnet.com/article/iranian-hacker-group-becomes-first-known-apt-to-weaponize-dns-over-https-doh/" target="_blank">Iranian Hacker Group Becomes First Known APT to Weaponize DNS-over-HTTPS (DoH) </a></h3> (published: August 4, 2020) Iran based Advanced Persistent Threat group OilRig (APT34) has been observed using DNS-over-HTTPS (DoH) in their recent campaigns. The activity was first identified by the researchers from Kaspersky and presented as part of the APT trends report Q2 2020 webinar. According to the researchers, OilRig included this new TTP in their arsenal in May 2020. The group incorporated a publicly available utility called DNSExfiltrator that creates a covert communication channel. OilRig has been using DNSExfiltrator to move data laterally across internal networks, and then exfiltrate it to the group controlled servers. The group uses DoH as an exfiltration mechanism to avoid detection and monitoring while transferring stolen data. Recommendation: Organizations should block direct DoH traffic between internal IP addresses and DNS servers on the internet. This will help you maintain control by ensuring that end-users still use your DNS infrastructure and be subject to IT DNS policies. SOC’s can maintain visibility by installing custom security certificates on endpoints and routing browser traffic via a proxy. This would enable setting up a network traffic inspection solution that understands DoH, can conduct HTTPS inspection for inline decryption, inspection, logging, etc., and forward any events to an EDR tool for further analysis. Tags: oilrig, APT, DOH <h3 id="article-10" style="margin-bottom:0;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a" target="_blank">MAR-10292089-1.v1 – Chinese Remote Access Trojan: TAIDOOR</a></h3> (published: August 3, 2020) The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) have released a malware analysis report on the Remote Access Trojan (RAT) named TAIDOOR. TAIDOOR has been attributed to be used by Chinese state-sponsored threat actors. The threat actors are using the malware in conjunction with proxy servers to maintain persistence and access to compromised networks. The malware consists of two parts, a loader and the RAT module. The RAT module is executed as a Windows service Dynamic Link Library (DLL). The reasoning behind CISA’s release of the report is to allow network administrators to better defend and reduce exposure to the China-sponsored threat actor activity. Recommendation: The MAR-10292089-1.v1 report includes both Snort and Yara signatures for detecting TAIDOOR activity. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947136">[MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140</a> Tags: TAIDOOR, RAT, APT, China