July 6, 2020
Anomali Threat Research

Weekly Threat Briefing: Critical Vulnerability, Ransomware, APT Group, and More

<div id="weekly"><p id="intro">The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics:<b> APT15, Backdoor, Magecart, Ransomware, ThiefQuest, </b> and <b> Vulnerabilities</b>. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. <img src="https://anomali-labs-public.s3.amazonaws.com/img/873206.png" /><br /> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p><div id="trending-threats"><h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2><h3 id="article-1" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/north-korean-hackers-linked-to-credit-card-stealing-attacks-on-us-stores/" target="_blank"><b>North Korean Hackers Linked to Credit Card Stealing Attacks on US Stores </b></a></h3><p>(published: July 6, 2020)</p><p>Researchers from Sansec have attributed various MageCart attacks to the Lazarus group, a North Korean threat group. Using skimmers, sensitive information such as payment card details were stolen from the checkout pages of multiple stores. These include Claire’s Accessories, Wongs Jewellers, Paper Source, Focus Camera, among others. The group compromised legitimate businesses to dump the stolen data, and attempt to cover their tracks. Sansec believes this activity has been ongoing since at least May 2019.<br /> <b>Recommendation:</b> Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external-facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs. In addition, supply chain attacks are becoming more frequent amongst threat actors as their Tactics, Techniques, and Procedures (TTPs) evolve. Therefore, it is paramount that all applications in use by your company are properly maintained and monitored for potential unusual activity.<br /> <b>MITRE ATT&CK: </b> <a href="https;//ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting - T1064</a><br /> <b>Tags:</b> North Korea, Web Skimmer, Magecart, PII, Payment details</p><h3 id="article-2" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/poc-exploits-released-for-f5-big-ip-vulnerabilities-patch-now/" target="_blank"><b>PoC Exploits Released for F5 BIG-IP Vulnerabilities, Patch Now!</b></a></h3><p>(published: July 5, 2020)</p><p>A vulnerability has been identified in BIG-IP devices that could allow for remote code execution without authentication. Designated as “CVE-2020-5902”, the vulnerability has been given a critical rating. A threat actor exploiting the vulnerability may be able to execute system commands, create/delete files, and execute Java code which could result in a complete system compromise. Multiple security researchers have begun to post proof of concepts displaying how the vulnerability can be exploited.<br /> <b>Recommendation:</b> F5 have released a patch for the vulnerability, that should be applied immediately. Once a vulnerability has been reported on in open sources, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.<br /> <b>Tags:</b> BIG-IP, Critical Vulnerability, CVE-2020-5902, Remote Code Execution, Vulnerability</p><h3 id="article-3" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/goldenspy-backdoor-installed-by-tax-software-gets-remotely-removed/" target="_blank"><b>GoldenSpy Backdoor Installed by Tax Software Gets Remotely Removed</b></a></h3><p>(published: July 2, 2020)</p><p>Security researchers from Trustwave have determined that an unnamed Chinese bank is implanting a backdoor trojan called "GoldenSpy" on target systems that use their official tax software. Post the public disclosure of the backdoor, the attackers have now released an uninstaller tool to remove any trace of the backdoor from the installed machines. The new tool was being distributed via the legitimate tax software Aisino Intelligent Tax product. The GoldenSpy Uninstaller, named "AWX.exe" is silently downloaded to the infected machines from the C2 and it cleans up all the traces of GoldenSpy’s existence.<br /> <b>Recommendation:</b> All applications should be carefully researched prior to installing on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted prior to allowing permissions. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors.<br /> <b>Tags:</b> Backdoor, GoldenSpy</p><h3 id="article-4" style="margin-bottom:0;"><a href="https://www.grahamcluley.com/websites-usa-cities-card-skimming/" target="_blank"><b>Eight US Cities Payment Sites Skimming Card Details</b></a></h3><p>(published: July 2, 2020)</p><p>Trend Micro researchers have reported that eight US cities online payment systems have been compromised by Magecart-style malware. The common denominator is the ‘Click2Gov’ online payment system that the researchers&#39; claim was compromised in April. Malicious JavaScript code was planted on the sites allowing actor(s) to exfiltrate customers&#39; full credit card data, full name, and address. This is increasingly becoming a problem for the Click2Gov system as researchers from Gemini Advisory previously reported that over 350,000 payment records had been compromised in the US and Canada throughout 2018 and 2019.<br /> <b>Recommendation:</b> eCommerce site owners must take every step necessary to secure their data and safeguard their payment card information. A bad experience at a retailer site may mean the loss of revenue as impacted users take their money elsewhere.<br /> <b>MITRE ATT&CK: </b> <a href="https;//ui.threatstream.com/ttp/3297611">[MITRE ATT&CK] Data from Cloud Storage Object - T1530</a> | <a href="https;//ui.threatstream.com/ttp/947203">[MITRE ATT&CK] Web Service - T1102</a> | <a href="https;//ui.threatstream.com/ttp/3297571">[MITRE ATT&CK] Credentials from Web Browsers - T1503</a><br /> <b>Tags:</b> carding, card skimming, online payment, utilities, javascript, local government</p><h3 id="article-5" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/researchers-link-apt15-hackers-to-chinese-military-company/" target="_blank"><b>APT15 Linked to Chinese Military Company</b></a></h3><p>(published: July 2, 2020)</p><p>Researchers from Lookout Threat Intelligence have linked APT15 Android spyware to the Chinese Military company Xi’an Tian He Defense Technology Co. Ltd. APT15 is known for targeted campaigns against the Uyghur minority in China’s Western provinces. Lookout researchers were investigating IP addresses and domains communicating with APT15 malware samples and discovered an unsecured C2 Admin panel. This panel contained IP and GPS location of target devices that were likely mock devices for malware testing before deployment. This GPS data pointed to the Xi’an Tian He Defense Technology company. The company’s blurb says it ‘directs and controls continuous wave radar and photoelectric detection technologies, develops, manufactures and sells control systems,’ however, it would not be the first time a legitimate Chinese company has been found to conspire with APT groups.<br /> <b>Recommendation:</b> Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.<br /> <b>MITRE ATT&CK: </b> <a href="https;//ui.threatstream.com/ttp/947094">[MITRE ATT&CK] External Remote Services - T1133</a> | <a href="https;//ui.threatstream.com/ttp/947210">[MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041</a> | <a href="https;//ui.threatstream.com/ttp/947106">[MITRE ATT&CK] Spearphishing Link - T1192</a><br /> <b>Tags:</b> APT15, China, military contractors, spyware, malicious app, Android</p><h3 id="article-6" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/hundreds-arrested-after-encrypted-messaging-network-takeover/" target="_blank"><b>Hundreds Arrested After Encrypted Messaging Network Takeover</b></a></h3><p>(published: July 2, 2020)</p><p>A number of European Law Enforcement and judicial agencies, led by agencies in France and the Netherlands, coordinated to infiltrate and monitor the encrypted phone platform EncroChat. The EncroChat phones are almost exclusively used by organized crime organizations in Europe. It is estimated that EncroChat had 60,000 users worldwide. They were able to monitor millions of messages that the criminals believed to be secure. This led to hundreds of investigations and the announcement today of the largest U.K. law enforcement action ever. 746 individuals were arrested in the U.K., and large amounts of drugs, cash, guns, and luxury cars and watches were seized. In other countries around Europe, many other arrests and seizures were triggered at the same time on June 13, 2020, when the operators of EncroChat discovered the infiltration and sent out an emergency message to all its users telling them that they should wipe and discard their phones. The investigation into EncroChat was begun in July 2017 by French authorities when they realized that they were increasingly seizing EncroChat devices during arrests believed to be related to organized crime.<br /> <b>Recommendation:</b> No software or hardware can be made fully secure. Additionally, criminal behavior invalidates any expectations of privacy.<br /> <b>Tags:</b> EncroChat, Crime</p><h3 id="article-7" style="margin-bottom:0;"><a href="https://thehackernews.com/2020/07/windows-security-update.html" target="_blank"><b>Microsoft Releases Urgent Windows Update to Patch Two Critical Flaws</b></a></h3><p>(published: July 1, 2020)</p><p>Microsoft released a patch for two vulnerabilities (CVE-2020-1425 and CVE-2020-1457), both vulnerabilities reside in the Windows Codecs Library, an easy attack vector to social engineer victims into running malicious media files downloaded from the Internet. Codecs is a collection of support libraries that help the Windows operating system to play, compress and decompress various audio and video file extensions<br /> <b>Recommendation:</b> Apply patch and keep your software up to date, make sure to not download audio files from unknown sources.<br /> <b>Tags:</b> CVE-2020-1425, CVE-2020-1457</p><h3 id="article-8" style="margin-bottom:0;"><a href="https://www.zdnet.com/article/new-evilquest-ransomware-discovered-targeting-macos-users/" target="_blank"><b>EvilQuest Wiper Uses Ransomware Cover to Steal Files from Macs</b></a></h3><p>(published: June 30, 2020)</p><p>A security researcher named Dinesh Devadoss from K7 labs identified a new data wiper and information-stealing malware disguised as ransomware that targets Macintosh (macOS) operating systems via trojanized installers. The malware is being distributed via pirated apps including, but not limited to, Little Snitch, Ableton, and Mixed in Key on Torrent sites. EvilQuest has capabilities to check if it is being run inside a virtual machine and also checks for installed anti-malware solutions. After the successful installation of the malware, it randomly encrypts the files and displays a ransom instructions text file with a $50 ransom. Researchers from BleepingComputer investigated the malware further and found that the ransomware capability is a decoy and malware’s true intention is to steal certain types of files from the infected computer.<br /> <b>Recommendation:</b> Educate your employees on the risks of downloading and installing software from unknown websites and torrents. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Users can install the free RansomWhere utility from objective-see.com, which detects EvilQuest&#39;s attempts to gain persistence and allows them to terminate it once it starts locking their files.<br /> <b>MITRE ATT&CK: </b> <a href="https;//ui.threatstream.com/ttp/2402531">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a><br /> <b>Tags:</b> EvilQuest,Ransomware,MacOS</p><h3 id="article-9" style="margin-bottom:0;"><a href="https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html" target="_blank"><b>PROMETHIUM Extends Global Reach with StrongPity3 APT</b></a></h3><p>(published: June 29, 2020)</p><p>Researchers at Cisco Talos have reported on a campaign by the threat actor PROMETHIUM. PROMETHIUM is a threat actor focusing on espionage with links to state-sponsored operations. The threat actor has been active since 2012 and was first publicly reported on by Kaspersky Labs. According to Cisco Talos, the threat actor has expanded its targeting to users Colombia, India, Canada and Vietnam. In addition to the increased target scope, PROMETHIUM has also added four new trojanized applications, Firefox, VPNpro, DriverPack, and 5kPlayer, to its arsenal. The researcher could not identify the initial infection vector, but believe it is likely to be the same vectors as reported by Citizen Labs in their 2018 report. Citizen Labs report identified watering hole attack and in-path request interception as the methods for the initial infection vector.<br /> <b>Recommendation:</b> Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.<br /> <b>MITRE ATT&CK: </b> <a href="https;//ui.threatstream.com/ttp/947287">[MITRE ATT&CK] PowerShell - T1086</a> | <a href="https;//ui.threatstream.com/ttp/2336969">[MITRE ATT&CK] Registry Run Keys / Startup Folder - T1060</a> | <a href="https;//ui.threatstream.com/ttp/947148">[MITRE ATT&CK] New Service - T1050</a> | <a href="https;//ui.threatstream.com/ttp/3297596">[MITRE ATT&CK] Software Discovery - T1518</a> | <a href="https;//ui.threatstream.com/ttp/947117">[MITRE ATT&CK] Automated Collection - T1119</a> | <a href="https;//ui.threatstream.com/ttp/947135">[MITRE ATT&CK] Data from Local System - T1005</a> | <a href="https;//ui.threatstream.com/ttp/947199">[MITRE ATT&CK] Data Staged - T1074</a> | <a href="https;//ui.threatstream.com/ttp/947291">[MITRE ATT&CK] Commonly Used Port - T1043</a> | <a href="https;//ui.threatstream.com/ttp/947150">[MITRE ATT&CK] Standard Cryptographic Protocol - T1032</a> | <a href="https;//ui.threatstream.com/ttp/947126">[MITRE ATT&CK] Standard Application Layer Protocol - T1071</a> | <a href="https;//ui.threatstream.com/ttp/947240">[MITRE ATT&CK] Data Compressed - T1002</a> | <a href="https;//ui.threatstream.com/ttp/947193">[MITRE ATT&CK] Automated Exfiltration - T1020</a> | <a href="https;//ui.threatstream.com/ttp/947210">[MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041</a><br /> <b>Tags:</b> APT, PROMETHIUM, StrongPity, Espionage</p><h3 id="article-10" style="margin-bottom:0;"><a href="https://security.paloaltonetworks.com/CVE-2020-2021" target="_blank"><b>CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication</b></a></h3><p>(published: June 29, 2020)</p><p>Palo Alto Networks has released updates to its PAN-OS to address an authentication bypass vulnerability. The affected versions of PAN-OS are: 9.1, prior to 9.1.3; 9.0, prior to 9.0.9; 8.1, prior to 8.1.15; and all versions of 8.0, if Security Assertion Markup Language (SAML) authentication is enabled and “Validate Identity Provider Certificate” option is disabled. The vulnerability allows for an unauthenticated user on the network to gain access to protected resources if exploited. A threat actor can use the vulnerability to access PAN-OS and Panorama’s web interface as an administrator. Palo Alto Networks has rated the vulnerability with a CVSS Base Score of 10.0. If the web interface is only accessible via a restricted network, the vulnerability is rated with a CVSS Base Score of 9.6.<br /> <b>Recommendation:</b> Palo Alto Networks has released updates to PAN-OS with fixes to the vulnerability. If patches at the moment cannot be applied, one mitigation is to disable SAML authentication. If SAML authentication is enabled, ensure “Identity Provider Certificate” is configured. If the “Identity Provider Certificate” is signed by a Certificate Authority, ensure that the “Validate Identity Provider Certificate” option is enabled. If it is not signed by a public Certificate Authority, follow Palo Alto Networks instructions for internal enterprise Certificate Authority.<br /> <b>MITRE ATT&CK: </b> <a href="https;//ui.threatstream.com/ttp/947231">[MITRE ATT&CK] Valid Accounts - T1078</a> | <a href="https;//ui.threatstream.com/ttp/947138">[MITRE ATT&CK] Exploit Public-Facing Application - T1190</a><br /> <b>Tags:</b> CVE-2020-2021</p></div></div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.