Weekly Threat Briefing: Cryptominers, Phishing, APT Group, and More

<div id="weekly"> The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Backdoor, GoldenSpy, Phishing, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. <img src="https://cdn.filestackcontent.com/atrqeJLTeaIXa1ZiNhgk"/> Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. <div id="trending-threats"> <h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/iranian-hackers-attack-exposed-rdp-to-deploy-dharma-ransomware/" target="_blank">Iranian Hackers Attack Exposed RDP to Deploy Dharma Ransomware</a></h3> (published: August 24, 2020) A new group of threat actors have been targeting businesses with Dharma ransomware. The group, likely from Iran, have been targeting China, India, Japan, and Russia. Using Masscan, a port scanner, the group scans IP ranges for exposed remote desktop connections (RDP). Once an IP is identified, NLBrute is used to brute force a list of RDP passwords until finding one that works. The ransomware demand is between $11,700 - $59,000. Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. If a reproducible backup is not available, there may a decryptor available that can assist in retrieving encrypted files. Additionally, educate your employees about the dangers of downloading applications when they are not offered from the website of the official provider/developer. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947094">[MITRE ATT&CK] External Remote Services - T1133</a> | <a href="https://ui.threatstream.com/ttp/947231">[MITRE ATT&CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/947233">[MITRE ATT&CK] Exploitation for Privilege Escalation - T1068</a> | <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&CK] Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947227">[MITRE ATT&CK] Brute Force - T1110</a> | <a href="https://ui.threatstream.com/ttp/947276">[MITRE ATT&CK] Network Service Scanning - T1046</a> | <a href="https://ui.threatstream.com/ttp/947123">[MITRE ATT&CK] Network Share Discovery - T1135</a> | <a href="https://ui.threatstream.com/ttp/947275">[MITRE ATT&CK] Remote System Discovery - T1018</a> | <a href="https://ui.threatstream.com/ttp/947162">[MITRE ATT&CK] Remote Services - T1021</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/3297598">[MITRE ATT&CK] Account Access Removal - T1531</a> | <a href="https://ui.threatstream.com/ttp/2402525">[MITRE ATT&CK] Resource Hijacking - T1496</a> | <a href="https://ui.threatstream.com/ttp/2402534">[MITRE ATT&CK] Inhibit System Recovery - T1490</a> | <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a> Tags: Brute Force, CVE-2017-0213, Dharma, Iran, Ransomware <h3 id="article-2" style="margin-bottom:0;"><a href="https://www.darkreading.com/cloud/cryptominer-found-embedded-in-aws-community-ami/d/d-id/1338713?" target="_blank">Cryptominer Found Embedded in AWS Community AMI</a></h3> (published: August 21, 2020) Security researchers from Mitiga have announced their findings into an Amazon Web Services (AWS) community submitted Application Machine Image (AMI) that has been found to contain an embedded Monero cryptominer. The AMI was uploaded to the AWS Community about 5 years ago, and unlike official AWS AMIs that undergo rigorous security evaluations, community submissions are not subjected to this type of audit by AWS. There are thousands of community submitted AMIs, with many different OS and software combinations. The attractiveness of community AMIs vs. official AMIs is that in order to use an official AMI, one needs to purchase it, as well as pay for the storage and compute resources used. However, most community AMIs are free to use, and one only pays for the computer and storage needed. However, in this case, the researched AMI was preconfigured to launch a Monero cryptomining service that would generate bitcoin at the user's expense and forward the proceeds to the person who created the AMI. The researchers state that they have done no broad analysis of community AMIs, so the relative prevalence of this type of unwanted software or service included in an AMI is unknown. Recommendation: As is the case with all third party services, applications, and libraries, it is vital for organizations and individuals to perform due diligence into these items. Best practice is to only include libraries or services from a known organization with good auditing and security practices. Additionally, organizations need to be aware of this type of risk in all build vs. buy decisions and perform the appropriate risk analysis. Tags: AWS, cryptomining <h3 id="article-3" style="margin-bottom:0;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a" target="_blank">New RAT Linked to Lazarus Group</a></h3> (published: August 21, 2020) The US Department of Homeland Security, in conjunction with the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), have released a report detailing a new Remote Access Trojan (RAT) used by the Lazarus Group. The RAT, dubbed “BLINDINGCAN,” was discovered in early 2020 targeting government contractors to extract intelligence on military and energy technologies. The Lazarus Group would spearphish high-value targets whilst posing as job recruiters on LinkedIn before then sending the victim a malicious document disguised as job advertisement; these documents were loaded with BLINDINGCAN. Once loaded onto the victims device, BLINGINGCAN is able to execute files, create and start processes, change directories and retrieve information about the installed disks. Researchers from Trend Micro have postulated that Lazarus also collects intelligence on companies' financial affairs and may use this to steal money directly from them. The Lazarus Group is a North Korean backed APT that is believed to include several groupings such as Silent Chollima and Stardust Chollima, active from 2009, they primarily focus on cyber espionage and are believed to have been involved with the 2017 WannaCry attacks. Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts. Tags: RAT, Lazarus, North Korea, APT, spearphishing <h3 id="article-4" style="margin-bottom:0;"><a href="https://www.netscout.com/blog/asert/lucifers-spawn" target="_blank">Lucifer Cryptomining DDOS Malware Targets Linux</a></h3> (published: August 21, 2020) A DDoS botnet known for targeting Windows systems and turning them into Monero cryptomining bots is now targeting Linux systems. Security researchers have named this new variant “Lucifer” to distinguish it from the original “Satan DDoS'' that only targets Windows systems. Researchers from NETSCOUT have released a report detailing the Linux bot, noting it functions similarly to the Windows version, including modules for cryptojacking and launching TCP, UCP and ICMP flooding attacks. The researchers note that the Linux version can also perform HTTP DDoS attacks. The original “Satan DDoS '' variant was discovered in May by Unit 42 researchers whilst it was deploying an XMRig miner on vulnerable Windows systems. Recommendation: Cryptocurrency miners cause a high CPU usage, therefore, if fans seem to be always running on a machine, the activity/task manager should be checked to see if miners are running unknowingly. In addition, it is not uncommon for cryptocurrency mining malware to be distributed via malicious plugins/add-ons that impersonate legitimate software. Therefore, it is important that your employees are educated about such tactics and that policies regarding which software are allowed on work machines are in place. Tags: Cryptomining, DDOS, Linux, bots, XMRig <h3 id="article-5" style="margin-bottom:0;"><a href="https://www.zdnet.com/article/google-fixes-major-gmail-bug-seven-hours-after-exploit-details-go-public/?&web_view=true" target="_blank">Google Fixes Major Gmail Bug Seven Hours After Exploit Details Go Public</a></h3> (published: August 20, 2020) Google recently fixed a flaw in Gmail and Gsuite that would have allowed actors to generate emails that pass both Sender Permitted From (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) validations. The flaw was uncovered and notified to Google by security researcher Allison Husain on April 3rd. Google had initially planned to fix this flaw (actually a combination of two different flaws in the Gmail backend) sometime in September, but after the disclosure period had ended, the security researcher published details about the flaw as well as Proof of Concept (POC) code. Seven hours after the public disclosure of this flaw, Gmail and Gsuite backends have been updated and no user intervention is needed. The nature of the flaw would allow phishing emails to be sent to any user that allows email from Gmail that appears to have come from a valid email address and mail server. Furthermore, due to the fact that this flaw exploits the Gmail backend, the sent emails would likely have been rated lower for spam and filtering algorithms. Recommendation: Phishing remains one of the most prevalent attacks in the wild, and user diligence and training remains the best protection against phishing attacks. Additionally, companies should always apply defense-in-depth practices regarding email delivery, and not rely on a single vendor/technology for protection from email spam and phishing. Tags: phishing, gmail <h3 id="article-6" style="margin-bottom:0;"><a href="https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/" target="_blank">Fritzfrog: A New Generation Of Peer-to-peer Botnets</a></h3> (published: August 19, 2020) A new botnet named “Fritzfrog” has been discovered by the researchers from Guardicore breaching SSH servers around the world since January 2020. The malware is written in Golang and is modular, multi-threaded, and fileless leaving no traces on the infected machine’s disk. The botnet is actively targeting government, education, and financial institutions. The botnet spreads by brute forcing millions of IP addresses and to this date, it has successfully breached more than 500 servers. Fritzfrog uses a proprietary P2P implementation written from scratch for its network infrastructure. Researchers were unable to attribute the botnet to a specific group, though there is some resemblance to a previously known P2P botnet named Rakos. Recommendation: Weak passwords are the immediate enabler of FritzFrog’s attacks. We recommend choosing strong passwords and using public-key authentication, which is much safer. Routers and IoT devices often expose SSH and are thus vulnerable to FritzFrog; consider changing their SSH port or completely disabling SSH access to them if the service is not in use. Tags: FritzFrog, botnet, golang, malware <h3 id="article-7" style="margin-bottom:0;"><a href="https://www.menlosecurity.com/blog/new-attack-alert-duri" target="_blank">New Attack Alert: Duri</a></h3> (published: August 18, 2020) Menlo Security discovered a campaign dubbed as “Duri” that leverages HTML smuggling to deliver malicious files to the users’ endpoints. This technique evades network security solutions such as sandboxes and legacy proxies. The goal of HTML smuggling is to make use of HTML5 or JavaScript features to deliver file downloads. According to the researchers, the Duri campaign started in early July and is currently ongoing. Once the user clicks on a malicious link the page invokes a JavaScript “Onload” function to dynamically construct a ZIP file from a bae64 encoded data blob and downloaded into the user endpoint. The malware that Duri downloads is not new, according to Cisco it has previously been delivered via Dropbox. Recommendation: Attackers are constantly tweaking their tactics in an effort to evade and bypass security solutions—forcing tools that rely on a detect-and-respond approach to always play catch-up. We believe HTML smuggling is one such technique that will be incorporated into the attackers’ arsenal and used more often to deliver the payload to the endpoint without network solutions blocking it. It is recommended to disable JavaScript on web browsers where possible and educate users not to execute programs that are downloaded from unknown websites. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947191">[MITRE ATT&CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947145">[MITRE ATT&CK] Signed Binary Proxy Execution - T1218</a> Tags: HTML smuggling, Duri <h3 id="article-8" style="margin-bottom:0;"><a href="https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html" target="_blank">WellMess Malware: Analysis of Its Command and Control (C2) Server</a></h3> (published: August 17, 2020) Analysts at PwC have analyzed a new tool used by the threat actor behind the WellMess malware. In July, the National Cyber Security Centre released a report attributing the malware to the Russian state-sponsored threat actor APT21 (Cozy Bear/Dukes). The report did not include any information proving the attribution claims and the threat intelligence industry has been trying to confirm or refute the claim. Weak attributions to a China-based threat actor, APT28 (Fancy Bear/Sofacy), and Dark Hotel have been reported. The report released by PwC may answer the difference seen by different vendors. The tool identified by PwC is used as a first-stage Command and Control (C2) server for the malware. It is designed to act as an intermediary between the malware and the operator without exposing the operator’s true location. According to PwC, the way the malware store requests from the operator and replies from the malware is similar to the SeaDuke malware; a malware attributed to APT21. If WellMess uses encrypted transport, the tool cannot decrypt or encrypt the payloads making the tool suitable for running on compromised machines without leaking information to the owner of the compromised system. Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947199">[MITRE ATT&CK] Data Staged - T1074</a> | <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&CK] Standard Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947259">[MITRE ATT&CK] Data Encoding - T1132</a> | <a href="https://ui.threatstream.com/ttp/947229">[MITRE ATT&CK] Data Obfuscation - T1001</a> | <a href="https://ui.threatstream.com/ttp/947253">[MITRE ATT&CK] Data Transfer Size Limits - T1030</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041</a> Tags: WellMess, APT, APT21, Dukes <h3 id="article-9" style="margin-bottom:0;"><a href="https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials" target="_blank">TEAM TNT – The First Crypto-Mining Worm to Steal AWS Credentials</a></h3> (published: August 17, 2020) Researchers at Cado Security have discovered changes to the mining worm used by the threat actor “Team TNT”. The new version of the worm has received an update to allow it to steal AWS credentials on the compromised host. The worm looks for the credentials stored in both the root users and all the normal users’ home folder. If it finds the correct file, it uploads it to a server controlled by the threat actor using cURL. The current version of the malware has a bug in it that only will extract the credentials stored for the root user and a hardcoded username. The goal for the malware is to compromise servers running Docker or Kubernetes and install cryptomining software. Recommendation: To ensure an organisation does not become a victim of these resource hijacking attacks, they are advised to make certain that endpoints are secure with the latest patches. It is also suggested that users be given standard user accounts and not have unnecessary escalated privileges as well as use endpoint antimalware tools to protect the docker containers. Organisations should also ensure that applications are appropriately configured to ensure that they cannot be abused by threat actors and in this case, prevent threat actors from using docker containers for cryptomining. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/2402525">[MITRE ATT&CK] Resource Hijacking - T1496</a> Tags: TeamTNT, Cryptomining, Docker, Kubernetes <h3 id="article-10" style="margin-bottom:0;"><a href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-5-multiple-goldenspy-uninstaller-variants-discovered/" target="_blank">GoldenSpy Chapter 5 : Multiple GoldenSpy Uninstaller Variants Discovered</a></h3> (published: August 17, 2020) Researchers from Trustwave exposed a backdoor, known as GoldenSpy, in late June 2020, on mandatory tax invoice software, which is required to conduct business in China. After the discovery was made public, actors behind the campaign started pushing an uninstaller to erase the traces of the backdoor from the infected systems. In a recent analysis researchers have found that the actors are continuing to push new variants of GoldenSpy uninstallers. So far researchers have identified five variants of the uninstaller binaries totaling 24 unique samples. The recently identified samples have the same behaviour, but utilizes different execution flow, string obfuscation, and size to evade detection by security technologies. Recommendation: It is strongly recommended to follow best software practices when it comes to 3rd party software installations. No matter where an organization operates, extra vigilance needs to be taken when adopting mandatory software (or any 3rd party software) in order to conduct business. GoldenSpy and what we have seen in terms of its continuous activities is a prime example. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947195">[MITRE ATT&CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947207">[MITRE ATT&CK] Process Discovery - T1057</a> | <a href="https://ui.threatstream.com/ttp/947252">[MITRE ATT&CK] Query Registry - T1012</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/2402543">[MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497</a> Tags: GoldenSpy, backdoor </div> </div>