July 28, 2020
Anomali Threat Research

Weekly Threat Briefing: Data Breach, APT Group, Cerberus, Malware and More

<p>The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics:<b> APT, Data breach, Colbalt Strike, Lazarus, Misconfigured Tools,</b> and <b> OilRig</b>. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. <img src="https://cdn.filestackcontent.com/zAd4svRQKC2kyilw0qpq"/></p> <p><b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1" style="margin-bottom:0;"><a href="https://www.zdnet.com/article/cerberus-banking-trojan-team-breaks-up-source-code-goes-to-auction/" target="_blank"><b>Cerberus Banking Trojan Team Breaks Up, Source Code Goes to Auction</b></a></h3> <p>(published: July 27, 2020)</p> <p>Android banking trojan, Cerberus has been put up for sale by the malware’s developer. The trojan, which uses overlays to phish banking credentials from users, has been listed with a starting price of $50,000. The operator of Cerberus claims the purchaser will receive the source code, module code, admin panel code, along with the current customer database with a monthly profit of $10,000. The sale of Cerberus is allegedly due to the development team breaking up.<br/> <b>Recommendation:</b> Users should be cautious when downloading Android applications, with malicious apps occasionally bypassing Google Play Store protections. It is crucial that all permissions of an application be examined prior to download.<br/> <b>Tags:</b> Android Malware, Cerberus, Mobile Malware</p> <h3 id="article-2" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/source-code-from-dozens-of-companies-leaked-online/" target="_blank"><b>Source Code from Dozens of Companies Leaked Online</b></a></h3> <p>(published: July 27, 2020)</p> <p>Source code from a wide range of companies have been leaked due to misconfigured tools. Identified by Tillie Kottmann, the companies include Adobe, Disney, Lenovo, Microsoft, Motorola, Nintendo, among many others. Within the source code the developers' names, along with hardcoded credentials have been found.<br/> <b>Recommendation:</b> It is crucial for your company to verify that access control is configured correctly prior to adding any sensitive data. As this story portrays, a misconfigured software can cause leaks of sensitive information, which could be used for further malicious activity, and cause significant harm to a company’s reputation.<br/> <b>Tags:</b> Misconfigured tools, Data breach</p> <h3 id="article-3" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/dave-data-breach-affects-75-million-users-leaked-on-hacker-forum/" target="_blank"><b>Dave Data Breach Affects 7.5 Million Users, Leaked on Hacker Forum</b></a></h3> <p>(published: July 26, 2020)</p> <p>Dave, a fintech company that offers overdraft protection, has suffered a data breach. The breach occurred when threat actors gained access to third-party provider Waydev, which enabled access to user data at Dave. The database contained over seven million user records which included addresses birth dates, email addresses, names, and phone numbers. The actor who stole the database first attempted to sell the breach on a hacker forum, however, they ended up releasing the database for free on another site.<br/> <b>Recommendation:</b> Dave is requiring all users to do a password reset, however, users need to be aware they are still at risk if they are using the same password for other sites as well.<br/> <b>Tags:</b> Data breach, PII, Third party breach</p> <h3 id="article-4" style="margin-bottom:0;"><a href="https://www.wired.com/story/russia-fancy-bear-us-hacking-campaign-government-energy/" target="_blank"><b>Russia's GRU Hackers Hit US Government and Energy Targets</b></a></h3> <p>(published: July 24, 2020)</p> <p>The Federal Bureau of Investigations (FBI) and FireEye both have confirmed a series of campaigns by the Russian GRU associated APT28, aka Fancy Bear. These attacks began in December of 2018 and continued until at least May 2020. The initial vector appears to be spearphishing attacks against a number of US Government, energy, and education organizations. One confirmed victim did not find any evidence of successful phishing but did confirm that attackers had stolen multiple mailboxes from their email servers. Other initial attack vectors include password spaying and brute force. The long term motivation behind these attacks is not clear, but are likely a variation of the past motives of APT28, including US election meddling, and retaliatory attacks against the Olympic Anti-Doping Agency. The broadening of attacks to the US Energy Sector is especially troubling as APT28 is believed to have been behind previous attacks against US and Ukrainian Energy infrastructure and Industry Control Systems (ICS).<br/> <b>Recommendation:</b> Defense in-depth, along with well designed and regular employee training is critical to all businesses but especially important for governments and industries. Entities responsible for ICS systems need to be aware of the security issues and vulnerabilities in these systems, and they should never be connected to the internet.<br/> <b>Tags:</b> APT28, FancyBear, government, energy sector, spear-phishing</p> <h3 id="article-5" style="margin-bottom:0;"><a href="https://thehackernews.com/2020/07/dji-drone-hacking_24.html" target="_blank"><b>Chinese DJI Drones Come With Backdoor</b></a></h3> <p>(published: July 24, 2020)</p> <p>Researchers from Synacktiv and GRIMM have released reports detailing security issues found within the DJI drone app. Developed by Chinese drone manufacturer Da Jiang Innovations, the app comes with an auto-update function that bypasses the Google Play Store, this function could be used to install malicious software on an Android device and send sensitive information directly to DJI’s servers. The app requests significant permissions (contacts, microphone, camera, location, storage, change network connectivity) and collects a user’s IMSI, IMEI and the serial number of the SIM card used, arguably the servers have almost full control of a users phone exhibiting similarities to a malware C&amp;C server. The app also uses auto-debugging and encryption techniques to stop security researchers. DJI has disputed these claims, calling the findings “typical software concerns” and argued that the US DHS had found no evidence of suspicious data transmission.<br/> <b>Recommendation:</b> All applications should be carefully researched prior to installing on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted prior to allowing permissions. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors.<br/> <b>Tags:</b> Android, drone, backdoor</p> <h3 id="article-6" style="margin-bottom:0;"><a href="https://www.cyberscoop.com/garmin-outage-ransomware-wastedlocker/" target="_blank"><b>Garmin Suffers Potential Ransomware Attack</b></a></h3> <p>(published: July 24, 2020)</p> <p>Garmin’s services and applications have been experiencing outages over the previous week and reports of a ransomware attack are beginning to surface. Garmin confirmed that its website and mobile app were both down while also sending notes to its Taiwanese factories that there would be, “two days of planned maintenance.” Researchers from SentinelOne noticed that these outages appeared to correlate with a WastedLocker attack against the company, several employees likewise alleged that Garmin had suffered an attack from WastedLocker. WastedLocker is ransomware believed to have been developed by the Russian group Evil Corp, better known for their Dridex and Bitpaymer attacks. Garmin has currently not commented on a potential attack.<br/> <b>Recommendation:</b> Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of ransomware infection.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> Garmin, ransomware, Evil Corp, WastedLocker, cybercrime,</p> <h3 id="article-7" style="margin-bottom:0;"><a href="https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/" target="_blank"><b>MATA: Multi-platform Targeted Malware Framework</b></a></h3> <p>(published: July 22, 2020)</p> <p>Security researchers from Kaspersky have identified a new malware framework called “MATA” that targets Windows, Linux, and macOS operating systems. Researchers believe the malware framework is linked to North Korea based Lazarus APT group. The framework has been used by the threat actors since April 2018 and targeted entities in Poland, Germany, Turkey, Korea, Japan, and India. The targeted industries include a software company, an e-commerce provider, and an Internet Service Provider (ISP). The actors used MATA to perform various objectives on their victims like distributing VHD ransomware and querying victim databases for acquiring customer lists. Analysis revealed that a variant of Manuscrypt malware distributed by Lazarus also shares a similar configuration structure with MATA.<br/> <b>Recommendation:</b> Defense-in-depth is the best way to ensure safety from APTs. Defense-in-Depth involves the layering of defense mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff, and robust threat intelligence capabilities.<br/> <b>Tags:</b> Lazarus, MATA</p> <h3 id="article-8" style="margin-bottom:0;"><a href="https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/" target="_blank"><b>OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory</b></a></h3> <p>(published: July 22, 2020)</p> <p>Palo Alto's Unit42 discovered a variant of an OilRig-associated tool we call RDAT using a novel email-based command and control (C2) channel that relied on a technique known as steganography to hide commands and data within bitmap images attached to emails.<br/> <b>Recommendation:</b> Defense-in-depth is the best way to ensure safety from APTs. Defense-in-Depth involves the layering of defense mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff, and robust threat intelligence capabilities.<br/> <b>Tags:</b> OilRig, Middle East, Email, C2</p> <h3 id="article-9" style="margin-bottom:0;"><a href="https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/" target="_blank"><b>Chinese APT Targets India and Hong Kong with Updated MgBot</b></a></h3> <p>(published: July 21, 2020)</p> <p>Researchers from Malwarebytes have released a report detailing the targeting of Indian and Hong Kong entities by an unnamed Chinese APT group. A spearphishing campaign spoofing as an email from the Indian Government Information Security Center was observed targeting Indian government personnel. Once the attached .rar file was downloaded, it would inject a Cobalt Strike variant into the system. Other lure documents themed around Hong Kong immigration to the UK were discovered dropping an updated MgBot loader before injecting Remote Access Trojan (RAT) through the AppMgmt Service on Windows. The RAT’s strings are either obfuscated or use XOR encoding making analysis difficult. The targeting by a Chinese APT is likely due to the current climate between China and India as well as the political tensions in Hong Kong. Malwarebytes believes the actor shares TTPs with well-known Chinese groups such as Rancor, KeyBoy, and APT40; while still not offering attribution, the analysts believe this APT group has been active since 2014 continuously using variants of MgBot throughout.<br/> <b>Recommendation:</b> Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402776">[MITRE PRE-ATT&amp;CK] Spearphishing for Information - T1397</a> | <a href="https://ui.threatstream.com/ttp/947269">[MITRE ATT&amp;CK] Access Token Manipulation - T1134</a> | <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947257">[MITRE ATT&amp;CK] BITS Jobs - T1197</a> | <a href="https://ui.threatstream.com/ttp/947191">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947135">[MITRE ATT&amp;CK] Data from Local System - T1005</a> | <a href="https://ui.threatstream.com/ttp/947233">[MITRE ATT&amp;CK] Exploitation for Privilege Escalation - T1068</a> | <a href="https://ui.threatstream.com/ttp/947276">[MITRE ATT&amp;CK] Network Service Scanning - T1046</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a><br/> <b>Tags:</b> China, APT, MgBot, Cobalt Strike, India, Hong Kong, spearphishing, lure</p> <h3 id="article-10" style="margin-bottom:0;"><a href="https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/" target="_blank"><b>Golden Chickens: Evolution Of The MaaS</b></a></h3> <p>(published: July 20, 2020)</p> <p>Researchers from QuoIntelligence observed four new attacks utilizing the tools from e-crime group Golden Chickens who provide Malware-as-a-Service (MaaS) throughout March and April. Researchers attributed each attack with confidence varying from low to moderate to groups GC05, GC06.tmp, and FIN6. During the analysis, it was found that the Golden Chickens group has updated its tools such as TerraLoader, more_eggs, and VenomLNK with new features that incorporate anti-analysis techniques, new string obfuscation and brute force implementation. Golden Chickens MaaS remains as a preferred service provider for top-tier e-crime groups such as FIN6 and Cobalt Group.<br/> <b>Recommendation:</b> Financially themed malspam emails are a common tactic among threat actors, therefore, it is crucial that your employees are aware of their financial institutions’ policies regarding electron communication. If a user is concerned due to the scare tactics often used in such emails, they should contact their financial institution via legitimate email or another form of communication. Requests to open a document in a sense of urgency and poor grammar are often indicative of malspam or phishing attacks. Said emails should be properly avoided and reported to the appropriate personnel.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947176">[MITRE ATT&amp;CK] Regsvr32 - T1117</a> | <a href="https://ui.threatstream.com/ttp/947101">[MITRE ATT&amp;CK] Code Signing - T1116</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947136">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/947127">[MITRE ATT&amp;CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947187">[MITRE ATT&amp;CK] System Network Configuration Discovery - T1016</a> | <a href="https://ui.threatstream.com/ttp/947082">[MITRE ATT&amp;CK] System Owner/User Discovery - T1033</a> | <a href="https://ui.threatstream.com/ttp/947278">[MITRE ATT&amp;CK] Remote File Copy - T1105</a> | <a href="https://ui.threatstream.com/ttp/947291">[MITRE ATT&amp;CK] Commonly Used Port - T1043</a> | <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947150">[MITRE ATT&amp;CK] Standard Cryptographic Protocol - T1032</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&amp;CK] Exfiltration Over Command and Control Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947191">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947197">[MITRE ATT&amp;CK] CMSTP - T1191</a><br/> <b>Tags:</b> Terra loader, Golden chickens</p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.