Weekly Threat Briefing: Contract Management Company Evisort Accidentally Exposed Sensitive Documents Publicly

<div id="weekly">The intelligence in this week's iteration discuss the following threats: AZORult, Backdoor, Data breach, Malware, Phishing, Supply Chain, Targeted attacks, Trojans, and Vulnerabilities. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.<div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><a href="https://latesthackingnews.com/2019/04/29/contract-management-company-evisort-exposed-sensitive-documents-publicly/" target="_blank">Contract Management Company Evisort Accidentally Exposed Sensitive Documents Publicly</a> (April 29, 2019) The contract management company, "Evisort," suffered a data breach following a misconfiguration of an Elasticsearch database. The database was not password-protected and was publicly accessible via the internet, so any person could have accessed the database which stored sensitive documents including employee contracts, loan agreements, Non-Disclosure Agreements, and resumes. The company released a statement that the database was intended for testing purposes during ongoing audits, and said that they will contact the impacted customers. The database was removed an hour following disclosure of the leak. <a href="https://forum.anomali.com/t/contract-management-company-evisort-accidentally-exposed-sensitive-documents-publicly/3774" target="_blank">Click here for Anomali recommendation</a><a href="https://www.bleepingcomputer.com/news/security/fake-windows-pc-cleaner-drops-azorult-info-stealing-trojan/" target="_blank">Fake Windows PC Cleaner Drops AZORult Info-Stealing Trojan</a> (April 27, 2019) A fake PC cleaner has been discovered by researchers that installs the information-stealing trojan, "AZORult." The tool was found to have its own website that purported to be a Windows junk-cleaner tool called "G-Cleaner" that appears to be legitimate. If a user downloaded and ran the fake tool, it looks like any other PC cleaner tool and pretends to scan the computer for junk files. In the background, the AZORult malware will run and steal the device's cryptocurrency wallet information, data, passwords, amongst other information. It will then communicate with the Command and Control (C2) server to encrypt and send the stolen information to the C2 before it removes itself from the machine. <a href="https://forum.anomali.com/t/fake-windows-pc-cleaner-drops-azorult-info-stealing-trojan/3775" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947263">[MITRE ATT&CK] Spearphishing via Service (T1194)</a> | <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&CK] Data Encrypted (T1022)</a><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/aesddos-botnet-malware-exploits-cve-2019-3396-to-perform-remote-code-execution-ddos-attacks-and-cryptocurrency-mining/" target="_blank">AESDDoS Botnet Malware Exploits CVE-2019-3396 to Perform Remote Code Execution, DDoS Attacks and Cryptocurrency Mining</a> (April 26, 2019) An "AESDDoS" botnet malware has been identified exploiting a server-side template injection vulnerability, registered as "CVE-2019-3396," according to Trend Micro researchers. The vulnerability resides in the Widget Connector macro located in the project management software, Atlassian Confluence Server. In exploiting this vulnerability, an attacker was able to infect machines with AESDDoS botnet malware using a remotely executed shell script to download multiple shell scripts to download the malware. This malware has the ability to send and receive remote shell commands that can be used to load cryptocurrency miners to affected machines, launch various types of Distributed-Denial-of-Service (DDoS) attacks, and steal system data. <a href="https://forum.anomali.com/t/aesddos-botnet-malware-exploits-cve-2019-3396-to-perform-remote-code-execution-ddos-attacks-and-cryptocurrency-mining/3776" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&CK] Exploit Public-Facing Application (T1190)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&CK] PowerShell (T1086)</a><a href="https://thehackernews.com/2019/04/wordpress-woocommerce-security.html" target="_blank">Critical Unpatched Flaw Disclosed in WordPress WooCommerce Extension</a> (April 26, 2019) A vulnerability in the "WooCommerce" plugin has been identified by Plugin Vulnerabilities. WooCommerce Checkout Manager, is a plugin used by WordPress e-commerce sites for customised checkout forms. The "Categorize Uploaded Files" option in WooCommerce Checkout Manager is where the vulnerability lies. Using this file uploader, remote attackers could execute server-side scripts to gain entry and modify data or gain admin privileges. WooCommerce Checkout Manager is currently being used by more than 60,000 websites, with the latest plugin, 4.2.6, being vulnerable. <a href="https://forum.anomali.com/t/critical-unpatched-flaw-disclosed-in-wordpress-woocommerce-extension/3777" target="_blank">Click here for Anomali recommendation</a><a href="https://www.zdnet.com/article/amnesty-international-says-state-sponsored-hackers-targeted-hong-kong-base/" target="_blank">Amnesty International Says ëState Sponsored' Hackers Targeted Hong Kong Base</a> (April 26, 2019) Amnesty International, a non-governmental organisation focused on human rights, has revealed it was the latest victim of a state-sponsored cyberattack, detected on March 15, 2019. The attack has been attributed to supporters of the Chinese government due to an analysis of the methods and tactics observed in previous campaigns. While the investigation is still underway, Amnesty International claims that the motive of the attack was to steal information and obstruct their human rights work. Contact information, Hong Kong identity card numbers, and supporters names were among the compromised data, however financial data remains safe. Immediate action was taken by Amnesty International and affected individuals were contacted. <a href="https://forum.anomali.com/t/amnesty-international-says-state-sponsored-hackers-targeted-hong-kong-base/3778" target="_blank">Click here for Anomali recommendation</a><a href="https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html" target="_blank">JasperLoader Emerges, Targets Italy with Gootkit Banking Trojan</a> (April 25, 2019) Various phishing campaigns were observed to be targeting specific European countries in order to install the banking trojan "Gootkit" through a new loader called "JasperLoader," according to Cisco Talos researchers. Each campaign was written in the specific language of the targeted country, specifically German and Italian, with lures such as payment invoices that were signed by a legitimate certified email service provider, "Posta Elettronica Certificata (PEC)." The attachment is either a ZIP file or a Word document that requests macros to be enabled. If the file is unzipped, and contents executed, or macros are enabled, JasperLoader is dropped onto the device and executed. JasperLoader checks the geolocation of the infected computer to ensure it is not in Belarus, China, Russia, or Ukraine, and then achieves persistence via the Startup folder. Once it establishes a connection to the Command and Control (C2) server, it then installs the banking trojan, Gootkit. <a href="https://forum.anomali.com/t/jasperloader-emerges-targets-italy-with-gootkit-banking-trojan/3779" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&CK] PowerShell (T1086)</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&CK] Obfuscated Files or Information (T1027)</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947211">[MITRE ATT&CK] Registry Run Keys / Start Folder (T1060)</a><a href="https://www.bleepingcomputer.com/news/security/eternalblue-exploit-serves-beapy-cryptojacking-campaign/" target="_blank">EternalBlue Exploit Serves Beapy Cryptojacking Campaign </a> (April 25, 2019) A file-based cryptojacking campaign, dubbed "Beapy," has been discovered by Symantec researchers that utilises the US National Security Agency's (NSA) leaked "EternalBlue" exploit and "DoublePulsar" backdoor. The campaign has impacted mainly enterprises in China, Japan, South Korea, and Vietnam. The campaign is initiated via phishing emails that contain a malicious Microsoft Excel spreadsheet. If the document is opened, the DoublePulsar backdoor is downloaded, allowing the threat actors to exploit the EternalBlue vulnerability to spread laterally in the network and enables arbitrary code execution. Following the backdoor being installed, a connection is established with the Command and Control (C2) server to run PowerShell script to install the coinminer. Beapy also uses open source credential-stealing tool "Mimikatz," to obtain Windows passwords so the actors can also infect patched machines. <a href="https://forum.anomali.com/t/eternalblue-exploit-serves-beapy-cryptojacking-campaign/3780" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&CK] Remote Access Tools (T1219)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&CK] PowerShell (T1086)</a> | <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&CK] Credential Dumping (T1003)</a> | <a href="https://ui.threatstream.com/ttp/947241">[MITRE ATT&CK] Credentials in Files (T1081)</a><a href="https://nakedsecurity.sophos.com/2019/04/25/atlanta-hawks-fall-prey-to-magecart-credit-card-skimming-group/" target="_blank">Atlanta Hawks Fall Prey to Magecart Credit Card Skimming Group</a> (April 25, 2019) Researchers at Sanguine Security have identified payment skimming code on the Atlanta Hawks merchandise site, on or after April 20, 2019. Customer information including name, address and credit card details were stolen using keylogger malware. MageCart, an umbrella term that refers to groups that specialise in stealing payment information from e-commerce sites, specifically sites using Magento, are reportedly behind the attack. Using a skimmer, the group logged visitor keystrokes and sent the information to the domain "imagesengines[.]com." Researchers believe they may have gained access through a third-party component on the website. The Atlanta Hawks site disabled all payments to prevent further information from being stolen in response. <a href="https://forum.anomali.com/t/atlanta-hawks-fall-prey-to-magecart-credit-card-skimming-group/3781" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a><a href="https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware" target="_blank">Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware</a> (April 25, 2019) Researchers at Cybereason have uncovered a highly-organised attack against a financial institution in April 2019. The attack is attributed to the threat group "TA505," and features a targeted phishing campaign with the objective of installing a backdoor called "ServHelper." The group distributed emails containing a Microsoft Excel spreadsheet posing as "work orders" that requests macros to be enabled. If enabled, a Windows process called "msiexec.exe" is triggered and connects to a server to download the first payload. With the malware on the system, the ServHelper backdoor gathers information about the target computer including the users SID, an Admin group identifier, the machine's date and time, and additional information related to the machine's system. In using legitimate Windows processes, the malware is able to avoid detection. It appears the goal of this campaign is reconnaissance and information gathering. <a href="https://forum.anomali.com/t/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware/3782" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&CK] PowerShell (T1086)</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&CK] Remote Access Tools (T1219)</a> | <a href="https://ui.threatstream.com/ttp/947232">[MITRE ATT&CK] DLL Side-Loading (T1073)</a> | <a href="https://ui.threatstream.com/ttp/947101">[MITRE ATT&CK] Code Signing (T1116)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947077">[MITRE ATT&CK] Windows Management Instrumentation (T1047)</a><a href="https://www.bleepingcomputer.com/news/security/qbot-malware-dropped-via-context-aware-phishing-campaign/" target="_blank">Qbot Malware Dropped via Context-Aware Phishing Campaign</a> (April 24, 2019) A phishing campaign has been observed by researchers from JASK that drops the banking trojan, "Qbot." The phishing email purports to be a reply to a pre-existing email thread that also contains a link to an online document. The link takes the user to a VBScript-based dropper that appears as a ZIP archive to get the user to open and unzip the file. If so, the Qbot payload is dropped onto the machine. The malware will brute-force network accounts on the compromised host to move laterally. Qbot steals financial information by hooking API calls/searches for banking strings in the system hooking API calls/searches for banking strings in the system, keylogging, and searching for saved credentials in browser cookies. <a href="https://forum.anomali.com/t/qbot-malware-dropped-via-context-aware-phishing-campaign/3783" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&CK] Spearphishing Link (T1192)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&CK] PowerShell (T1086)</a> | <a href="https://ui.threatstream.com/ttp/947257">[MITRE ATT&CK] BITS Jobs (T1197)</a> | <a href="https://ui.threatstream.com/ttp/947211">[MITRE ATT&CK] Registry Run Keys / Start Folder (T1060)</a> | <a href="https://ui.threatstream.com/ttp/947227">[MITRE ATT&CK] Brute Force (T1110)</a> | <a href="https://ui.threatstream.com/ttp/947127">[MITRE ATT&CK] Scheduled Task (T1053)</a><a href="https://threatpost.com/gamers-pointblank-backdoor-malware/144088/" target="_blank">Point Blank Gamers Targeted with Backdoor Malware</a> (April 24, 2019) The first-person shooter game, "Point Blank," appears to have suffered a supply-chain attack, causing users to be infected with a backdoor upon downloading the official game, according to Kaspersky Lab researchers. The researchers discovered that several executable files for the game were injected with a backdoor. The files were signed with a legitimate and unrevoked certificate from the company, Zepetto Co. The backdoor can download additional data or malware to the machine, after running through checks to determine the machine it is installed onto does not have the system language set to Chinese or Russian and ensures it obtains administrative privileges. Researchers believe this supply-chain attack may be linked to a past campaign called "Operation ShadowHammer," which involved compromising an ASUS update with malicious code, due to the technical similarities. Kaspersky Lab believes that the Advanced Persistent Threat group "Barium" (APT17, Axiom, Deputy Dog) was behind Operation ShadowHammer, therefore, it is possible that the group is also behind this incident. <a href="https://forum.anomali.com/t/point-blank-gamers-targeted-with-backdoor-malware/3784" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&CK] Remote Access Tools (T1219)</a> | <a href="https://ui.threatstream.com/ttp/947137">[MITRE ATT&CK] Supply Chain Compromise (T1195)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&CK] PowerShell (T1086)</a><a href="https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html" target="_blank">DNSpionage Brings Out the Karkoff </a> (April 23, 2019) A new campaign distributing a malware called, "Kirkoff," has been found to have similarities to the campaign targeting Middle Eastern entities that began in November 2018, called "DNSpionage." DNSpionage utilised a new Remote Administration Tool (RAT) capable of supporting HTTP and DNS communication with the threat actors' Command and Control (C2) server. The new campaign utilises a phishing email with an Excel document attached, and requests macros to be enabled to view properly. If macros are enabled, a payload is dropped that establishes a connection to the C2 server which mimics the GitHub platform to hide its activity. Kirkoff, similar to DNSpionage techniques, supports both HTTP and DNS communication, and this campaign has also added a reconnaissance phase into it to ensure that the payload is dropped on specific targets rather than indiscriminately infect any machine. <a href="https://forum.anomali.com/t/dnspionage-brings-out-the-karkoff/3785" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947127">[MITRE ATT&CK] Scheduled Task (T1053)</a> | <a href="https://ui.threatstream.com/ttp/947224">[MITRE ATT&CK] Exfiltration Over Alternative Protocol (T1048)</a> | <a href="https://ui.threatstream.com/ttp/947077">[MITRE ATT&CK] Windows Management Instrumentation (T1047)</a> | <a href="https://ui.threatstream.com/ttp/86759">DNS Tunneling</a><a href="https://nakedsecurity.sophos.com/2019/04/23/hotspot-finder-app-blabs-2-million-wi-fi-network-passwords/" target="_blank">Hotspot Finder App Blabs 2 Million Wi-Fi Network Passwords </a> (April 23, 2019) Security researcher, Sanyam Jain, discovered that the popular WiFi finding application, "WiFi Finder," was leaking users' information due to an insecured database. The database stored users' network passwords and geolocation data, although no user contact information was accessible. Over two million passwords were discovered on this unprotected database, though it is unclear whether it was accessed by unauthorised users or not. The security researchers were unable to contact the developer of the application, however, the database was pulled offline after communication with the host. <a href="https://forum.anomali.com/t/hotspot-finder-app-blabs-2-million-wi-fi-network-passwords/3786" target="_blank">Click here for Anomali recommendation</a><a href="https://www.bleepingcomputer.com/news/security/malware-hosted-in-google-sites-sends-data-to-mysql-server/" target="_blank">Malware Hosted in Google Sites Sends Data to MySQL Server </a> (April 23, 2019) An information-stealing malware called, "LoadPCBanker," has been discovered to be hosted on the "Google Sites" platform to build websites according to security researchers. The malware is disguised as a PDF file that holds "guest house reservation information" that is stored in "File Cabinet," a storage space for Google Sites, that the threat actor sends a URL link to potential victims. If a user launches the file, a typosquatted program, "Otlook.exe," is installed to trick the user into thinking it is the legitimate Microsoft Outlook, when it actually functions as an information stealer that steals login credentials, logs keystrokes, record data saved in the clipboard, and take screenshots. The information is then uploaded to a SQL database that is controlled by the threat actor. <a href="https://forum.anomali.com/t/malware-hosted-in-google-sites-sends-data-to-mysql-server/3787" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947118">[MITRE ATT&CK] Clipboard Data (T1115)</a> | <a href="https://ui.threatstream.com/ttp/947079">[MITRE ATT&CK] Screen Capture (T1113)</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&CK] Exfiltration Over Command and Control Channel (T1041)</a><a href="https://research.checkpoint.com/finteam-trojanized-teamviewer-against-government-targets/" target="_blank">FINTEAM: Trojanized TeamViewer Against Government Targets</a> (April 22, 2019) Researchers from Check Point discovered a spear phishing campaign targeting government officials at embassies around the world to install the Remote Administration Tool (RAT) "TeamViewer." The malicious attachment pretends to be a top secret US document related to "Military Financing Program" and requests macros to be enabled to view the full content. If macros are enabled, AutoHotKey scripts are run that ultimately load the TeamViewer RAT after connecting to the threat actor's Command and Control (C2) server. The RAT is capable of credentials harvesting, taking screenshots of the user's computer, sending device information to the C2, and transferring and executing additional EXE or DLL files. Some of the affected countries include Bermuda, Guyana, Italy, Kenya, Liberia, Lebanon, and Nepal. <a href="https://forum.anomali.com/t/finteam-trojanized-teamviewer-against-government-targets/3788" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947232">[MITRE ATT&CK] DLL Side-Loading (T1073)</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&CK] Remote Access Tools (T1219)</a> | <a href="https://ui.threatstream.com/ttp/947173">[MITRE ATT&CK] Hooking (T1179)</a> | <a href="https://ui.threatstream.com/ttp/947118">[MITRE ATT&CK] Clipboard Data (T1115)</a> | <a href="https://ui.threatstream.com/ttp/947079">[MITRE ATT&CK] Screen Capture (T1113)</a><a href="https://www.securityweek.com/source-code-iran-linked-hacking-tools-posted-online" target="_blank">Source Code of Iran-Linked Hacking Tools Posted Online</a> (April 22, 2019) A group of threat actors, believed to be Iranian, called "Lab Dookhtegan" allegedly leaked information and tools of an Iranian Ministry of Intelligence-linked Advanced Persistent Threat (APT) group, "APT34," also known as "OilRig." Lab Dookhtegan began leaking tools, domain names, IP addresses, and information obtained from APT34 victims since March 26, 2019. The group behind the leak stated that they were wanting to destroy OilRig for unknown reasons, which included allegedly erasing the servers of the APT group. <a href="https://forum.anomali.com/t/source-code-of-iran-linked-hacking-tools-posted-online/3789" target="_blank">Click here for Anomali recommendation</a></div></div>