January 7, 2020
Anomali Threat Research

Weekly Threat Briefing: Colorado Town Wires Over $1 Million To BEC Scammers

<div id="weekly"><p id="intro">The intelligence in this week’s iteration discusses the following threats: <strong>BabyShark, Fraud, Maze Ransomware, North Korea, POS malware, Ransomware, Rowhammer, Ryuk Ransomware, Thallium</strong>. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p>
<p><img src="https://anomali-labs-public.s3.amazonaws.com/img/581981.png"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p>
<div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2>
<p><a href="https://www.bleepingcomputer.com/news/security/colorado-town-wires-over-1-million-to-bec-scammers/" target="_blank"><b>Colorado Town Wires Over $1 Million To BEC Scammers</b></a> (<i>January 3, 2020</i>)<br/> The Colorado town of Erie has paid over one million dollars to a Business Email Compromise (BEC) scam. Using social engineering, the scammers contacted the town through its website contact form, requesting that payment for the Erie Parkway Bridge be changed from cheque to electronic transfer. Town staff accepted the form without verifying the authenticity of the request with the construction company and wired one million dollars to the scammers’ account. The contact form has been removed from the town’s website, and local police are working with the FBI to investigate the incident and attempt to recover the funds.<br/> <a href="https://forum.anomali.com/t/colorado-town-wires-over-1-million-to-bec-scammers/4480" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://www.zdnet.com/article/landrys-restaurant-chain-disclose-pos-malware-incident/" target="_blank"><b>Landry's Restaurant Chain Discloses POS Malware Incident</b></a> (<i>January 2, 2020</i>)<br/> An infection of Point-of-Sale (POS) malware has been found on Landry’s network. Landry’s, a company that owns many US restaurants, stated that it found malware on 63 bar and restaurant networks and that the malware had been active for at least six months. The company believes only a small number of customers were impacted, owing to security features implemented after a 2016 attack. Customers are advised to review their bank statements and look for any suspicious activity.<br/> <a href="https://forum.anomali.com/t/landrys-restaurant-chain-discloses-pos-malware-incident/4481" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a></p>
<p><a href="https://www.zdnet.com/article/fpga-cards-can-be-abused-for-faster-and-more-reliable-rowhammer-attacks/" target="_blank"><b>FPGA Cards Can Be Abused For Faster And More Reliable Rowhammer Attacks</b></a> (<i>January 2, 2020</i>)<br/> A team of US and German academics has released a research paper detailing how Field-Programmable Gate Array (FPGA) cards can be exploited in “Rowhammer” attacks. Rowhammer attacks, first noted in 2014, exploit a design flaw in Random Access Memory (RAM) modules: repeatedly reading the same memory rows at high speed can flip bits in adjacent rows, a method referred to as “row hammering”. While RAM manufacturers have put mitigations in place to prevent such attacks, the academics identified ways around those mitigations and expanded the ways Rowhammer can be used. These include, but are not limited to, taking over Linux computers, Windows computers and Android devices, remote attacks, and data exfiltration.<br/> <a href="https://forum.anomali.com/t/fpga-cards-can-be-abused-for-faster-and-more-reliable-rowhammer-attacks/4482" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947137">[MITRE ATT&amp;CK] Supply Chain Compromise - T1195</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947164">[MITRE ATT&amp;CK] File Deletion - T1107</a></p>
<p><a href="https://www.bleepingcomputer.com/news/security/maze-ransomware-sued-for-publishing-victims-stolen-data/" target="_blank"><b>Maze Ransomware Sued For Publishing Victim's Stolen Data</b></a> (<i>January 2, 2020</i>)<br/> Southwire, a wire and cable manufacturing company located in Georgia, is suing the anonymous operators behind the “Maze” ransomware. The company was attacked in December 2019; 120GB of data was stolen and then published when Southwire did not pay a ransom of six million dollars. The lawsuit seeks damages against the Maze operators for encrypting and publishing the company’s data. Although the operators are unknown, should the government recover monetary damages, Southwire could be entitled to a share. The lawsuit also seeks injunctions against websites such as World Hosting Farm Limited, an Irish web hosting company that hosted the Maze news site and the published Southwire data.<br/> <a href="https://forum.anomali.com/t/maze-ransomware-sued-for-publishing-victims-stolen-data/4483" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a></p>
<p><a href="https://www.zdnet.com/article/chrome-extension-caught-stealing-crypto-wallet-private-keys/" target="_blank"><b>Chrome Extension Caught Stealing Crypto-Wallet Private Keys</b></a> (<i>January 1, 2020</i>)<br/> A Chrome extension named “Shitcoin Wallet” has been caught stealing passwords and private keys from cryptocurrency wallets. The recently launched extension claims to let users manage Ether and Ethereum-based coins, but it contains malicious code. When users visit cryptocurrency management platforms, the extension injects JavaScript that steals login credentials and private keys and sends the stolen information to a third-party website. It is not known whether the malicious code was implanted by the Shitcoin Team or whether they were compromised by a third party; at the time of writing, the extension is still available for download from the Google Chrome Web Store.<br/> <a href="https://forum.anomali.com/t/chrome-extension-caught-stealing-crypto-wallet-private-keys/4484" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947229">[MITRE ATT&amp;CK] Data Obfuscation - T1001</a></p>
<p><a href="https://www.zdnet.com/article/us-coast-guard-discloses-ryuk-ransomware-infection-at-maritime-facility/" target="_blank"><b>US Coast Guard Discloses Ryuk Ransomware Infection at Maritime Facility</b></a> (<i>December 30, 2019</i>)<br/> The United States Coast Guard (USCG) has disclosed that a Ryuk ransomware infection took down a maritime facility. In the security bulletin it issued, the USCG states it believes a malicious email containing a link was opened, giving the attackers access to files on the IT network, which were then encrypted. The attack disrupted the corporate IT network, the camera and physical access control systems, and the process control monitoring systems. The unnamed port had to halt operations for over 30 hours.<br/> <a href="https://forum.anomali.com/t/us-coast-guard-discloses-ryuk-ransomware-infection-at-maritime-facility/4485" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a></p>
<p><a href="https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/" target="_blank"><b>Microsoft Takes Court Action Against Fourth Nation-State Cybercrime Group</b></a> (<i>December 30, 2019</i>)<br/> Microsoft has filed a court case against the suspected North Korean group “Thallium”. The group typically uses spear phishing to compromise victim accounts, giving it access to the victims’ calendars, contacts, and emails. The court's ruling has enabled Microsoft to take control of 50 domains the group has been using, so the group can no longer use these sites in attacks. Thallium, a suspected North Korean Advanced Persistent Threat (APT) group, has been active since at least 2010, targeting government, non-governmental organization (NGO) and university employees who use legitimate services such as Gmail, Hotmail and Yahoo. In addition to stealing sensitive data, the group uses the malware ‘BabyShark’ and ‘KimJongRAT’ in its attacks.<br/> <a href="https://forum.anomali.com/t/microsoft-takes-court-action-against-fourth-nation-state-cybercrime-group/4486" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/947191">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947278">[MITRE ATT&amp;CK] Remote File Copy - T1105</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery - T1082</a></p>
<p><a href="https://www.bleepingcomputer.com/news/security/special-olympics-new-york-hacked-to-send-phishing-emails/" target="_blank"><b>Special Olympics New York Hacked to Send Phishing Emails</b></a> (<i>December 30, 2019</i>)<br/> During the Christmas holiday, Special Olympics of New York, a nonprofit that provides athletic competition for people with disabilities, had its email server breached. An email was sent to donors of the Special Olympics claiming that over one million dollars would be taken from their account, and directing them to a PDF of the supposed transaction statement. The Special Olympics states that only the communications system was affected, and not any financial data.<br/> <a href="https://forum.anomali.com/t/special-olympics-new-york-hacked-to-send-phishing-emails/4487" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a></p></div></div>
