February 19, 2019
Anomali Threat Research

Weekly Threat Briefing: Chinese Facial Recognition Database Exposes 2.5m People

<div id="weekly"><p id="intro">The intelligence in this week’s iteration discuss the following threats: <strong>APT, Data-theft, Malspam, Malware, Phishing, targeted attacks, Trojan,</strong> and <strong>Vulnerabilities.</strong> The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><div id="trending-threats"><h1 id="trendingthreats">Trending Threats</h1><p><a href="https://www.securityweek.com/australia-says-state-actor-hacked-parties-parliament" target="_blank"><b>Australia Says “State Actor” Hacked Parties, Parliament</b></a> (<i>February 18, 2019</i>)<br /> Australian Prime Minister Scott Morrison has issued a statement regarding state-sponsored cyber attacks targeting Australian political party networks. The malicious activity was identified as a result of security researchers investigating a different incident regarding a compromise affecting lawmakers. The affected political parties were noted as “Liberal, Labor and Nationals.” Morrison said the country’s “cyber experts believe that a sophisticated state actor is responsible for this malicious activity,” however, he did not name potentially culpable country. The malicious activity was identified as a result of security researchers investigating a different incident regarding a compromise affecting lawmakers. This malicious comes several months prior to the Australian federal elections that takes place on May 18, 2019.<br /> <a href="https://forum.anomali.com/t/australia-says-state-actor-hacked-parties-parliament/3553" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://finance.yahoo.com/news/major-crypto-brokerage-coinmama-reports-113800910.html" target="_blank"><b>Major Crypto Brokerage Coinmama Reports 450,000 Users Affected by Data Breach </b></a> (<i>February 16, 2019</i>)<br /> The Israel-based cryptocurrency brokerage, “Coinmama,” suffered a data breach that affected 450,000 of its users, according to an official announcement by the company on February 15, 2019. The company stated that 450,000 email addresses and hashed passwords of users who registered with the platform prior to August 5, 2017, were stolen and posted on a Dark Web registry for sale. This breach is believed to be a part of a larger hack that affected 24 different organisations and over 747 million records.<br /> <a href="https://forum.anomali.com/t/major-crypto-brokerage-coinmama-reports-450-000-users-affected-by-data-breach/3554" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://nakedsecurity.sophos.com/2019/02/15/chinese-facial-recognition-database-exposes-25m-people/" target="_blank"><b>Chinese Facial Recognition Database Exposes 2.5m People</b></a> (<i>February 15, 2019</i>)<br /> Security researchers, Victor Gevers, discovered Chinese company, “SenseNets,” has misconfigured a database that stored customer data to be publicly-accessible and in plain-text. SenseNets is a facial recognition artificial intelligence company that uses a mass network of cameras to track people and log their movements. The misconfigured database contained records of over 2.5 million people and included information such as address, date of birth, employer, gender, national ID card number, nationality, and photo. The database also leaked where tracking devices were installed in an abandoned location in Keriya. Following Gevers disclosure on Twitter regarding the database, SenseNets blocked access to the public database.<br /> <a href="https://forum.anomali.com/t/chinese-facial-recognition-database-exposes-2-5m-people/3555" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://latesthackingnews.com/2019/02/14/credential-stuffing-scammer-lists-620-million-records-on-the-dark-web/" target="_blank"><b>Credential Stuffing Scammer Lists 620 Million Records on the Dark Web </b></a> (<i>February 14, 2019</i>)<br /> The underground marketplace, ”Dream Market,” has been selling 617 million stolen database credentials since Monday February 11, 2019. The stolen information was allegedly obtained by credential stuffing, which is using credential taken from one site and tries them for others, and includes email addresses, passwords, and usernames, and also may include first and last names of users. The affected sites are: 8fit, 500px, Animoto, Armor Games, Artsy, BookMate, CoffeeMeetsBagel, DataCamp, Dubsmash, EyeEm, Fotolog, HauteLook, MyFitnessPal, MyHeritage, Share This, and Whitepages. At least one person has apparently bought records from Dubsmash, according to the unnamed threat actor behind the credential sales. The threat actor stated they man have as many as 20 different database credentials, but is keeping them for their own private use.<br /> <a href="https://forum.anomali.com/t/credential-stuffing-scammer-lists-620-million-records-on-the-dark-web/3556" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&CK] Credential Dumping (T1003)</a></p><p><a href="https://www.menlosecurity.com/blog/emotet-a-small-change-in-tactics-leads-to-a-spike-in-attacks" target="_blank"><b>Emotet: A Small Change in Tactics Leads to a Spike in Attacks</b></a> (<i>February 14, 2019</i>)<br /> Threat actors utilising the “Emotet” trojan appear to be using a distribution method via a malicious document that then delivers the malware “via a URL hosted on attacker-controlled infrastructure,” according to Menlo Security researchers. The malicious document was found to be an XML file, which contain malicious macros, that impersonate a Microsoft Word document. The infection process for Emotet begins if the macro is enabled. Researchers believe that this tactic may be being used to avoid sandbox detection. The objective of Emotet, which began solely as a banking trojan in 2014, is steal various forms of information from an infected machine and send it back to an actor-controlled location.<br /> <a href="https://forum.anomali.com/t/emotet-a-small-change-in-tactics-leads-to-a-spike-in-attacks/3557" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a></p><p><a href="https://www.timesofmalta.com/articles/view/20190213/local/bank-of-valletta-goes-dark-after-detecting-cyber-attack.701896" target="_blank"><b>BOV Goes Dark After Hackers Go After 13m </b></a> (<i>February 13, 2019</i>)<br /> Bank of Valletta, a major bank in Malta, suspended all bank functions on February 13, 2019 following 13 million euros being fraudulently transferred by threat actors. Threat actors attempted to make fraudulent international transfers to various banks in the Czech Republic, Hong Kong, the UK, and the US, but were blocked within 30 minutes of the transactions. It is unclear how the threat actors were able to initiate the transactions, and the bank states that no customer funds were compromised in this attack. The shutdown of services affected Maltese companies that used BOV-operated point-of-sales (PoS) equipment and customers with BOV-issued bank cards’ transactions could not be processed by non-BOV PoS card processors. On Thursday, February 14, the bank’s mobile application was up and running again. The bank is in the process of reversing the transactions back after tracing them.<br /> <a href="https://forum.anomali.com/t/bov-goes-dark-after-hackers-go-after-13m/3558" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://securelist.com/dns-manipulation-in-venezuela/89592/" target="_blank"><b>DNS Manipulation in Venezuela in regards to the Humanitarian Aid Campaign</b></a> (<i>February 13, 2019</i>)<br /> The self-proclaimed interim President of Venezuela, Juan Guaidó, made a public announcement asking for citizen volunteers to help international organisations to deliver humanitarian aid to the country. To volunteer, people would need to register with a website “voluntariosxvenezuela.com” and input their full name, location where they live, personal ID, phone number, and if they have a medical degree, car and/or smartphone. Shortly following the original site appearing on February 6, 2019, a malicious site that mirrored the legitimate site was registered by unknown threat actors on February 11th. The fake website looked identical to the real on and had a very similar domain name and structure. The fake website resolves to the same IP address as the legitimate site, but the IP address both the authentic and malicious sites resolve to is owned by the person who created the malicious site. So even if a user visits the legitimate website, they will still be directed to the fake website.<br /> <a href="https://forum.anomali.com/t/dns-manipulation-in-venezuela-in-regards-to-the-humanitarian-aid-campaign/3559" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil" target="_blank"><b>Astaroth Malware Uses Legitimate OS and Antivirus Processes to Steal Passwords and Personal Data</b></a> (<i>February 13, 2019</i>)<br /> A new version of the “Astaroth” trojan, which has been active since at least late 2017, has been observed targeting entities primarily located in Brazil and Europe, according to Cybereason researchers. Astaroth is distributed via spam campaigns containing a malicious .7zip file that, if clicked, will begin the infection process. The trojan will use the Windows command line tool “BITSAdmin” and “Windows Management Instrumentation” (WMIC) to download the payload and communicate with a Command and Control (C2) server. Researchers also observed that this version is will check to see if “Avast” antivirus software is installed on a machine and, if found, is capable of injecting a module into one of Avast’s processes in attempts to conceal itself. The objective of the trojan is to remain undetected while it steals various information such as clipboard data, passwords via keylogging, and intercepting operating system calls, among others, by loading modules for different malicious purposes.<br /> <a href="https://forum.anomali.com/t/astaroth-malware-uses-legitimate-os-and-antivirus-processes-to-steal-passwords-and-personal-data/3560" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&CK] Input Capture (T1056)</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947077">[MITRE ATT&CK] Windows Management Instrumentation (T1047)</a></p><p><a href="https://www.zdnet.com/article/dirty-sock-vulnerability-lets-attackers-gain-root-access-on-linux-systems/" target="_blank"><b>Dirty Sock Vulnerability Lets Attackers Gain Root Access on Linux Systems</b></a> (<i>February 12, 2019</i>)<br /> A security researcher for “The Missing Link” IT company, Chris Moberly, discovered a vulnerability, registered as “CVE-2019-7304,” in the Linux distribution “Ubuntu” that can allow a threat actor root access. The vulnerability, dubbed “Dirty Sock,” is located in the “Snapd” daemon that is included in Ubuntu versions which manages the application packaging format. The Snapd exposes a local REST API server, and threat actors could bypass the access control restrictions by exploiting this vulnerability to escalate privileges and create root-level accounts. Snapd versions 2.28 though 2.37 are affected by this vulnerability.<br /> <a href="https://forum.anomali.com/t/dirty-sock-vulnerability-lets-attackers-gain-root-access-on-linux-systems/3561" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947258">[MITRE ATT&CK] Bypass User Account Control (T1088)</a></p><p><a href="https://threatpost.com/siemens-critical-remote-code-execution/141768/" target="_blank"><b>Siemens Warns of Critical Remote-Code Execution ICS Flaw </b></a> (<i>February 12, 2019</i>)<br /> The industrial manufacturing company, Siemens, has released 16 security advisories regarding vulnerabilities in their industrial control and utility products, including two “critical”-rated vulnerabilities in their SICAM 230 process control system. The first critical vulnerability is registered as “CVE-2018-3991,” and could allow a specially created TCP packet that is sent to port 22347/tcp to cause heap-overflow, leading to remote code execution. The second critical-ranked vulnerability, registered as”CVE-2018-3990,” could allow for privilege escalation via a I/O request that causes buffer overflow and corrupt kernel memory. The other 14 flaws users were notified about include three denial-of-service vulnerabilities that are ranked as “important.”<br /> <a href="https://forum.anomali.com/t/siemens-warns-of-critical-remote-code-execution-ics-flaw/3562" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/" target="_blank"><b>New macOS Malware Variant of Shlayer (OSX) Discovered </b></a> (<i>February 12, 2019</i>)<br /> A new variant of a family of macOS malware, called “Shlayer,” has been observed by researchers from Carbon Black that infects macOS via malicious downloads of legitimate software. Most commonly, the download appears to be a fake Adobe Flash software update originating at hijacked domains that used to be legitimate sites or malvertisement redirects. The fake software update will run, and the initial DMG files are signed with a legitimate Apple developer ID and uses legitimate system applications to install which helps make the user think the update is authentic. The first payload will run and obtain system information and downloads a .zip file from a URL that is generated by the initial malware script. This then downloads and installs the second payload that attempts to elevate privileges to administrative level, and disables the built-in filter “Gatekeeper.” The macOS versions affected by this malware are 10.10.5 to 10.14.3.<br /> <a href="https://forum.anomali.com/t/new-macos-malware-variant-of-shlayer-osx-discovered/3563" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&CK] User Execution (T1204)</a> | <a href="https://ui.threatstream.com/ttp/947268">[MITRE ATT&CK] Hidden Files and Directories (T1158)</a> | <a href="https://ui.threatstream.com/ttp/947136">[MITRE ATT&CK] Deobfuscate/Decode Files or Information (T1140)</a> | <a href="https://ui.threatstream.com/ttp/947218">[MITRE ATT&CK] Keychain (T1142)</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&CK] System Information Discovery (T1082)</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/" target="_blank"><b>Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire</b></a> (<i>February 12, 2019</i>)<br /> Trend Micro researchers have identified that threat actors utilising the “Trickbot” trojan have added a new capability to the malware. The new feature is a remote application credential-stealing module that has been added to the credential-stealing module which was first discovered in November 2018. Threat actors are distributing this updated Trickbot version via malspam emails purporting to be from the “Deloitte” financial company regarding a tax incentive. The email attempts to convince a recipient to open an attached Microsoft Excel spreadsheet for further information. The Excel sheet contains a malicious macro that, if enabled, will begin the infection process for Trickbot. The malware is now capable of stealing credentials for different remote applications including: PuTTy (open source SSH and telnet Windows client), Remote Desktop Protocol (RDP), and Virtual Network Computing (VNC).<br /> <a href="https://forum.anomali.com/t/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/3564" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a></p><p><a href="https://thehackernews.com/2019/02/linux-container-runc-docker.html" target="_blank"><b>RunC Flaw Lets Attackers Escape Linux Containers to Gain Root</b></a> (<i>February 12, 2019</i>)<br /> A vulnerability, registered as “CVE-2019-5736,” has been identified to affect the command line tool “runC,” according to security researchers Adam Iwaniuk and Borys Poplawski. The vulnerability was publicly disclosed by runC maintainer Aleksa Sarai. CVE-2019-5736 resides “in the way runC handled system file descriptors when running containers” and can be exploited by a threat actor by utilising a custom container or by having/gaining root access to container to gain root access to the host machine. This vulnerability affects Debian and Ubuntu Linux distributions and containers using “Linux Containers” (LXC) and “Apache Mesos.”<br /> <a href="https://forum.anomali.com/t/runc-flaw-lets-attackers-escape-linux-containers-to-gain-root/3565" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947191">[MITRE ATT&CK] Command-Line Interface (T1059)</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/" target="_blank"><b>Windows App Runs on Mac, Downloads Info Stealer and Adware </b></a> (<i>February 11, 2019</i>)<br /> A malicious installation file for the popular firewall application, “Little Snitch,” has been observed to be infecting macOS users with malware that is able to bypass the machine’s built-in security mechanism, “Gatekeeper.” The countries with the most observed infections include Armenia, Australia, Luxembourg, South Africa, the United Kingdom, and the United States. The malware masquerades as the “Little Snitch” installer on torrent websites, and once downloaded, it executes an .exe file, which is more typically seen in Windows systems. The malware obtains device information such as: bootROM version, model name, model identifier, processor speed, processor details, number of processors, number of cores, memory, SMC version, serial number, and UUID and sends that information to the Command and Control (C2) server. Interesting with this malware, although .exe files and malware are more commonly seen on Windows and can execute on any system, this specific type of malware is targeted specifically at Mac users and will display an error notification if attempted to run on a Windows machine.<br /> <a href="https://forum.anomali.com/t/windows-app-runs-on-mac-downloads-info-stealer-and-adware/3566" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947263">[MITRE ATT&CK] Spearphishing via Service (T1194)</a></p></div></div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.