February 25, 2020
Anomali Threat Research

Weekly Threat Briefing: Data Breaches, Malware, Ransomware, Vulnerabilities and More

<p>The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: <b>Android Malware, Data Breach, Hardware Vulnerabilities, Ransomware, Phishing,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.</p><p><img alt="" src="https://cdn.filestackcontent.com/Vi4Q1E5kTjCZKByIfAWo"/><br/> <em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</em></p><h2>Trending Cyber News and Threat Intelligence</h2><h3 style="margin-bottom:0"><a href="https://www.zdnet.com/article/lte-security-flaw-can-be-abused-to-take-out-subscriptions-at-your-expense/" target="_blank">Attacker Can Impersonate Other Mobile Phone Users</a></h3><p>(published: February 24, 2020)</p><p>Researchers at Ruhr-Universität Bochum have identified a vulnerability in 4G that allows for user impersonation. This enables purchases to be made without the user’s knowledge such as streaming services, that are sent to the victim’s mobile phone bill. The vulnerability affects all devices that connect to 4G, which includes mobile phones, tablets and even some household appliances. In order for an attack to occur, the perpetrator must be within the vicinity of a victim where they can modify data packets. The modification can make the phone and base station decrypt or encrypt messages into plain text, along with sending commands to the phone that are encrypted and forwarded to the phone provider.<br/> <a href="https://forum.anomali.com/t/attacker-can-impersonate-other-mobile-phone-users/4605" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947266" target="_blank">[MITRE ATT&amp;CK] Data Encrypted - T1022</a> | <a href="https://ui.threatstream.com/ttp/2402527" target="_blank">[MITRE ATT&amp;CK] Transmitted Data Manipulation - T1493</a></p><h3 style="margin-bottom:0"><a href="https://www.zdnet.com/article/new-obliquerat-malware-linked-to-crimsonrat-group-striking-government-targets/" target="_blank"><b>ObliqueRAT Linked To Threat Group Launching Attacks Against Government Targets</b></a></h3><p>(published: February 21, 2020)</p><p>Cisco Talos researchers have identified a new Remote Access Trojan (RAT) that is targeting Southeast Asia. The malware, named “ObliqueRAT”, started in January 2020 and is currently ongoing. Using phishing emails, Microsoft Office documents pretending to be employer-related documents are being sent to diplomatic and government personale. A malicious Visual Basic script that extracts a binary and drops an executable will run if the user inputs the provided credentials into the password protected document. The RAT can exfiltrate files and system data, communicate with a Command-and-Control (C2) server, gain persistence through startup process, avoids detection by checking for sandbox use, ability to download additional payloads and terminate processes.<br/> <a href="https://forum.anomali.com/t/obliquerat-linked-to-threat-group-launching-attacks-against-government-targets/4606" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180" target="_blank">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947125" target="_blank">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947201" target="_blank">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947224" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over Alternative Protocol - T1048</a> | <a href="https://ui.threatstream.com/ttp/947211" target="_blank">[MITRE ATT&amp;CK] Registry Run Keys / Start Folder (T1060)</a> | <a href="https://ui.threatstream.com/ttp/947205" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a></p><h3 style="margin-bottom:0"><a href="https://www.bleepingcomputer.com/news/security/slickwraps-data-breach-exposes-financial-and-customer-info/" target="_blank"><b>Slickwraps Data Breach Exposes Financial And Customer Info</b></a></h3><p>(published: February 21, 2020)</p><p>Slickwraps, a mobile device case retailer, has had a data breach exposing customer information. The company claims the data breach includes addresses, email addresses and names of customers. Security researcher Lynx was able to gain access to API credentials, customer photographs, email addresses, employee personal information, passwords, phone numbers, transactions and ZenDesk tickets. Discovering the vulnerability in January, Lynx alerted Slickwraps to the findings, however they were allegedly blocked and did not heed any advice, as the breach occurred after the vulnerability was disclosed.<br/> <a href="https://forum.anomali.com/t/slickwraps-data-breach-exposes-financial-and-customer-info/4607" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259983" target="_blank">REVOKED - [MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a></p><h3 style="margin-bottom:0"><a href="https://www.bleepingcomputer.com/news/security/android-malware-joker-still-fools-googles-defense-new-clicker-found/" target="_blank"><b>Android Malware: Joker Still Fools Google's Defense, New Clicker Found</b></a></h3><p>(published: February 21, 2020)</p><p>Developers of the Android Malware, “Joker”, are continuing to update and evolve the malware’s capabilities. The malware, which has been around since 2017, is a spyware that can read and send texts, allowing the malware to subscribe victims to premium services without their knowledge. Joker continues to bypass Google’s Defense, allowing it to continually be on the Google Play Store. Nearly everyday new Joker samples are added to the Google Play Store, due to the malware developers using a range of obfuscation techniques to bypass Google’s security. In recent samples of Joker, a clicker has been added allowing for fraudulent ads click to be generated.<br/> <a href="https://forum.anomali.com/t/android-malware-joker-still-fools-googles-defense-new-clicker-found/4608" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a></p><h3 style="margin-bottom:0"><a href="https://www.bleepingcomputer.com/news/security/tesla-pays-10k-for-microsoft-sql-server-reporting-services-bug/" target="_blank"><b>Tesla Pays $10K For Microsoft SQL Server Reporting Services Bug</b></a></h3><p>(published: February 20, 2020)</p><p>Tesla has paid a $10,000 bounty for a vulnerability found in a Tesla server. The vulnerability, designated as “CVE-2020-0618”, is in Microsoft SQL Server Reporting Services (SSRS), that can allow for a server-side injection that could be used for remote code execution. A patch for the vulnerability was released four days before a German bug hunter “parzel” discovered the vulnerability and reported it on Bugcrowd.<br/> <a href="https://forum.anomali.com/t/tesla-pays-10k-for-microsoft-sql-server-reporting-services-bug/4609" target="_blank">Click here for Anomali recommendation</a><br/> <br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947287" target="_blank">[MITRE ATT&amp;CK] PowerShell - T1086</a></p><h3 style="margin-bottom:0"><a href="https://www.zdnet.com/article/exclusive-details-of-10-6-million-of-mgm-hotel-guests-posted-on-a-hacking-forum/" target="_blank"><b>Exclusive: Details Of 10.6 Million MGM Hotel Guests Posted On A Hacking Forum</b></a></h3><p>(published: February 19, 2020)</p><p>The Personal Identifiable Information (PII) of over 10.6 million guests from MGM Resorts hotels has been published on a forum. The leak, which occurred last summer, exposed dates of birth, email addresses, home addresses and phone numbers of guests. These guests include celebrities, CEOs, journalists, and government officials. MGM claim no financial or password data was in the leak, and claim to have notified guests affected by the leak.<br/> <a href="https://forum.anomali.com/t/exclusive-details-of-10-6-million-mgm-hotel-guests-posted-on-a-hacking-forum/4610" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259983" target="_blank">REVOKED - [MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a></p><h3 style="margin-bottom:0"><a href="https://www.zdnet.com/article/dhs-says-ransomware-hit-us-gas-pipeline-operator/" target="_blank"><b>DHS Says Ransomware Hit US Gas Pipeline Operator</b></a></h3><p>(published: February 18, 2020)</p><p>The United States Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory about a ransomware attack targeting a US based natural gas compression facility. Using a spearphishing link, an unnamed threat actor was able to gain access to the IT network, which was then used to gain access to it’s operational network (OT) to deploy ransomware. This ransomware encrypted data on the IT and OT networks. The gas operator shut down operations as a precautionary measure as a result. The ransomware used in the attack was not named, and the actor had no control over physical operations.<br/> <a href="https://forum.anomali.com/t/dhs-says-ransomware-hit-us-gas-pipeline-operator/4611" target="_blank">Click here for Anomali recommendation</a><br/> <br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a></p><h3 style="margin-bottom:0"><a href="https://www.bleepingcomputer.com/news/security/windows-linux-devices-at-risk-due-to-unsigned-peripheral-firmware/" target="_blank"><b>Windows, Linux Devices at Risk Due to Unsigned Peripheral Firmware</b></a></h3><p>(published: February 18, 2020)</p><p>Eclypsium researchers have identified unsigned firmware in computer peripherals that can be abused by threat actors to attack Linux and Windows machines. These peripherals include cameras, trackpads, USB hubs, and Wifi adapters found in multiple popular machines. Abusing the firmware of a hard drive can enable an attacker to drop and run malicious code, bypassing security checks. As macOS has checks in place to check for firmware signatures when they are every time they are loaded, Linux and Windows only verify during the initial installation.<br/> <a href="https://forum.anomali.com/t/windows-linux-devices-at-risk-due-to-unsigned-peripheral-firmware/4612" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947121" target="_blank">[MITRE ATT&amp;CK] Network Sniffing - T1040</a> | <a href="https://ui.threatstream.com/ttp/947243" target="_blank">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/1259961" target="_blank">REVOKED - [MITRE PRE-ATT&amp;CK] Enumerate externally facing software applications technologies, languages, and dependencies (PRE-T1038)</a></p><h3 style="margin-bottom:0"><a href="https://www.bleepingcomputer.com/news/security/world-health-organization-warns-of-coronavirus-phishing-attacks/" target="_blank"><b>World Health Organization Warns of Coronavirus Phishing Attacks</b></a></h3><p>(published: February 17, 2020)</p><p>The World Health Organization (WHO) is warning of Coronavirus-themed phishing attacks pretending to be sent from WHO officials. The email contains malicious attachments and request sensitive information such as usernames and passwords. The email advises the user to click on a link, supposedly containing a document about Coronavirus. Once the user clicks on the link, the WHO website with a pop-up requesting the users’ credentials appears, and if input, sent to a server controlled by actors.<br/> <a href="https://forum.anomali.com/t/world-health-organization-warns-of-coronavirus-phishing-attacks/4613" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259923" target="_blank">REVOKED - [MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a> | <a href="https://ui.threatstream.com/ttp/947180" target="_blank">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947106" target="_blank">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/947224" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over Alternative Protocol - T1048</a></p><h3 style="margin-bottom:0"><a href="https://www.webarxsecurity.com/critical-issue-in-themegrill-demo-importer/" target="_blank"><b>Critical Issue In ThemeGrill Demo Importer Leads to Database Wipe and Auth Bypass</b></a></h3><p>(published: February 17, 2020)</p><p>ThemeGrill Demo Importer, a WordPress plugin used to automatically import other plugins with over 200,000 active installations, has a critical vulnerability. The vulnerability allows unauthenticated users to wipe the entire site that has a ThemeGrill theme installed on. Once the plugin detects a ThemeGrill theme, a script is run that requires no authentication to be automatically logged in as an admin. As firewalls won’t protect against this type of vulnerability, a lot of damage can be done.<br/> <a href="https://forum.anomali.com/t/critical-issue-in-themegrill-demo-importer-leads-to-database-wipe-and-auth-bypass/4614" target="_blank">Click here for Anomali recommendation</a></p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.