June 8, 2020
Anomali Threat Research

Weekly Threat Briefing: Data Breaches, Ransomware, Remote Code Vulnerabilities and More

<div id="weekly"><p id="intro">The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics:<b> Android Bugs, Exposed PII, REvil Ransomware, Trojans, </b> and <b> Vulnerabilities</b>. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. <img src="https://anomali-labs-public.s3.amazonaws.com/img/830709.png " /><br /> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this briefing and provide a glimpse of the threats discussed.</b></p><div id="trending-threats"><h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2><h3 id="article-1" style="margin-bottom:0;"><a href="https://www.zdnet.com/article/google-chinese-and-iranian-hackers-targeted-biden-and-trump-campaign-staffers/" target="_blank"><b>Google: Chinese and Iranian Hackers Targeted Biden and Trump Campaign Staffers</b></a></h3><p>(published: June 4, 2020)</p><p>Google&#39;s Threat Analysis Group (TAG) has determined that campaign staffers for U.S. presidential candidates Donald Trump and Joe Biden are being targeted by state-sponsored Advanced Persistent Threat (APT) groups in China and Iran. The Chinese group APT31 (Zirconium) targeted Joe Biden&#39;s staffers, and the Iranian group APT35 (Newscaster) targeted Donald Trump&#39;s staffers. Both groups are known for spearphishing campaigns used to gain access to targets and gather intelligence. APT35 had previously targeted Trump&#39;s campaign staff in 2019. As of this writing, no attacks against either campaign have reportedly been successful.<br /> <b>Recommendation:</b> Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. 
Furthermore, all employees should be educated on the risks of spearphishing, how to identify such attempts, and whom to report them to.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/2402630">[MITRE PRE-ATT&CK] Conduct social engineering - T1268</a><br /> <b>Tags:</b> U.S. Elections, Donald Trump, Joe Biden, APT31, APT35, Spearphishing</p><h3 id="article-2" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/business-services-giant-conduent-hit-by-maze-ransomware/" target="_blank"><b>Business Services Giant Conduent Hit By Maze Ransomware</b></a></h3><p>(published: June 4, 2020)</p><p>The US-based business services company Conduent has reportedly been compromised by the operators behind the Maze ransomware. The Maze operators leaked 1GB of data from Conduent&#39;s network on their leak site, stating that they had stolen sensitive information and encrypted company devices. The leaked data consisted of commission statements, customer information, and financial records. The group is believed to have gained initial access through a vulnerable Citrix server that provided remote code execution, and then moved laterally across the network, collected information, and encrypted drives.<br /> <b>Recommendation:</b> It is crucial that your company ensures servers are always running the most current software version. Your company should have policies in place regarding the configurations your servers need in order to conduct business safely. Additionally, always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe). 
In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections. Furthermore, a business continuity plan should be in place in the case of a ransomware infection.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a><br /> <b>Tags:</b> Conduent, Maze Ransomware, Data Leak, Citrix Server</p><h3 id="article-3" style="margin-bottom:0;"><a href="https://labs.bitdefender.com/2020/06/banking-trojan-metamorfo-hijacks-trusted-apps-to-run-malware/" target="_blank"><b>Banking Trojan Metamorfo Hijacks Trusted Apps to Run Malware</b></a></h3><p>(published: June 4, 2020)</p><p>Bitdefender researchers have identified a campaign using a new variant of the Metamorfo banking trojan that abuses legitimate software to target systems in Brazil. The malware places itself where software components from genuine vendors, including Avira, AVG, Avast, Daemon Tools, and Steam, will load it in place of an expected DLL (DLL search-order hijacking), so that it executes under a trusted, signed process and evades detection. Once executed, Metamorfo searches for banking-related software and remains dormant until the user accesses the banking resource, at which point it collects keystrokes and screenshots. The malware also disables the browser&#39;s autocomplete feature so that users must type their information manually. Metamorfo communicates with its Command and Control (C2) server to receive commands and exfiltrate the collected banking information.<br /> <b>Recommendation:</b> To protect against these attacks, deploy host- and network-based intrusion detection systems (IDS) throughout your entire network. Integrate these systems using a Security Information and Event Management (SIEM) system or other security manager. 
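</p><p>The DLL search-order hijacking described above leaves a recognisable trace in image-load telemetry. The following script, an added example for this briefing rather than code from Anomali or Bitdefender, runs two narrow heuristics over Sysmon "Image loaded" (Event ID 7) records: a well-known system DLL name resolving outside the Windows system directories, and an unsigned DLL loaded from beside a binary that is itself running out of a user-writable path. The records, vendor name, and paths are constructed for illustration and are not Metamorfo indicators.</p>

```python
"""Heuristic detection of DLL search-order hijacking / side-loading over
Sysmon-style "Image loaded" (Event ID 7) records.

Added example for this briefing, not Anomali's or Bitdefender's code.  The
records below are constructed; the field names follow Sysmon Event ID 7
(Image, ImageLoaded, Signed, Signature, SignatureStatus).  Vendor name and
paths are placeholders, not Metamorfo indicators.
"""
import json
import re
from pathlib import PureWindowsPath

# Windows DLL names frequently planted beside a legitimate EXE so that the
# loader resolves them before the copy in System32.
COMMONLY_HIJACKED = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptsp.dll",
    "userenv.dll", "profapi.dll", "winmm.dll", "msimg32.dll",
}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Locations an unprivileged user can write to; a "trusted" EXE running from
# here has been copied out of its install directory.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)"
    r"|programdata|users\\public|windows\\temp)", re.IGNORECASE)


def _under(path: str, prefixes) -> bool:
    """Case-insensitive 'path is inside one of prefixes' for Windows paths."""
    p = path.lower().rstrip("\\") + "\\"
    return any(p.startswith(x.lower().rstrip("\\") + "\\") for x in prefixes)


def _validly_signed(rec: dict) -> bool:
    return (str(rec.get("Signed", "")).lower() == "true"
            and str(rec.get("SignatureStatus", "")).lower() == "valid")


def assess(rec: dict) -> list:
    """Return the reasons an image-load looks like hijacking (empty list = benign)."""
    proc = PureWindowsPath(rec["Image"])
    dll = PureWindowsPath(rec["ImageLoaded"])
    proc_dir, dll_dir = str(proc.parent), str(dll.parent)
    same_dir = proc_dir.lower() == dll_dir.lower()
    reasons = []
    # 1. A well-known system DLL name resolved anywhere but the system directories.
    if dll.name.lower() in COMMONLY_HIJACKED and not _under(dll_dir, SYSTEM_DIRS):
        reasons.append("system DLL name loaded from outside System32/SysWOW64")
    # 2. An unsigned DLL picked up from the EXE's own directory while that EXE
    #    runs from a user-writable location (relocated-binary side-loading).
    if same_dir and not _validly_signed(rec) and USER_WRITABLE.match(proc_dir):
        reasons.append("unsigned DLL loaded beside a binary running from a user-writable path")
    return reasons


def scan(jsonl: str) -> list:
    """Parse newline-delimited JSON records; return (Image, ImageLoaded, reasons) hits."""
    hits = []
    for line in jsonl.splitlines():
        if line.strip():
            rec = json.loads(line)
            reasons = assess(rec)
            if reasons:
                hits.append((rec["Image"], rec["ImageLoaded"], reasons))
    return hits


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    # Benign: vendor EXE in Program Files loads its own validly signed DLL.
    {"Image": r"C:\Program Files\ExampleAV\scanner.exe",
     "ImageLoaded": r"C:\Program Files\ExampleAV\scancore.dll",
     "Signed": "true", "Signature": "Example AV Ltd", "SignatureStatus": "Valid"},
    # Benign: the same EXE loads version.dll from System32, as expected.
    {"Image": r"C:\Program Files\ExampleAV\scanner.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # Suspicious: a copy of the signed vendor EXE under AppData loads an unsigned
    # DLL carrying a system library's name from its own directory.
    {"Image": r"C:\Users\alice\AppData\Roaming\Updater\scanner.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Updater\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
])

if __name__ == "__main__":
    for image, loaded, why in scan(SAMPLE_EVENTS):
        print(f"{image} -> {loaded}: {'; '.join(why)}")
```

<p>In practice the records would come from a SIEM export of Event ID 7 rather than the inline sample. Both checks are deliberately narrow so that vendor software loading its own signed libraries from Program Files does not fire; a relocated copy of a signed EXE with an unsigned DLL beside it is the pattern worth a look.</p><p>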
In the case of a compromised system, it must be wiped and restored before being reintroduced to your environment. With banking information being stolen in this campaign, users should monitor their credit in order to make sure that nothing out of the ordinary is happening and report any potential cases of identity fraud.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947088">[MITRE ATT&CK] Execution through Module Load - T1129</a> | <a href="https://ui.threatstream.com/ttp/947192">REVOKED - [MITRE ATT&CK] Distributed Component Object Model - T1175</a> | <a href="https://ui.threatstream.com/ttp/947147">[MITRE ATT&CK] DLL Search Order Hijacking - T1038</a> | <a href="https://ui.threatstream.com/ttp/2336969">[MITRE ATT&CK] Registry Run Keys / Startup Folder - T1060</a> | <a href="https://ui.threatstream.com/ttp/947232">[MITRE ATT&CK] DLL Side-Loading - T1073</a> | <a href="https://ui.threatstream.com/ttp/947141">[MITRE ATT&CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/947142">[MITRE ATT&CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947149">[MITRE ATT&CK] Application Window Discovery - T1010</a> | <a href="https://ui.threatstream.com/ttp/947195">[MITRE ATT&CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/2402705">[MITRE PRE-ATT&CK] Obfuscate operational infrastructure - T1318</a> | <a href="https://ui.threatstream.com/ttp/947291">[MITRE ATT&CK] Commonly Used Port - T1043</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041</a><br /> <b>Tags:</b> Metamorfo, Banking Trojan, DLL Hijacking</p><h3 id="article-4" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/netwalker-ransomware-continues-assault-on-us-colleges-hits-ucsf/" target="_blank"><b>Netwalker Ransomware 
Continues Assault on US colleges, Hits UCSF</b></a></h3><p>(published: June 3, 2020)</p><p>The University of California, San Francisco (UCSF) has reportedly been compromised by the threat group behind the Netwalker ransomware, which encrypted computers and stole sensitive information. The group posted screenshots of some of the data stolen during the operation on their leak site, stating that if the ransom was not paid, all of the stolen data would be released publicly. The leaked information consists of student applications that include social security numbers, employee information, and financial records. Last week the group also claimed to have compromised Michigan State University and Columbia College of Chicago in the same way, threatening to release all stolen data if the ransoms were not paid. The group is known for exploiting vulnerable Remote Desktop Services in order to gain access to target systems, steal information, and encrypt them.<br /> <b>Recommendation:</b> Ensure that your servers are always running the most current software version. Additionally, maintaining strong passwords for RDP and other remote access systems is paramount, and such services should sit behind a VPN or gateway rather than be exposed directly to the internet. Intrusion detection systems and intrusion prevention systems can also assist in identifying and preventing attacks against your company&#39;s network. Furthermore, always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe). In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. 
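</p><p>Password guessing against an exposed RDP service shows up in the Windows Security log as a burst of Event ID 4625 failures with LogonType 10 from one address, and the event that matters most is the 4624 success that follows them. The function below, an added example for this briefing and not Anomali's detection content, implements that logic over a sliding window; the event records are constructed and trimmed to the fields the logic needs.</p>

```python
"""Flag RDP password guessing from Windows Security log events: a burst of
4625 (failed logon) events with LogonType 10 (RemoteInteractive) from one
source address, and a 4624 (successful logon) from that address afterwards.

Added example for this briefing, not Anomali's detection content.  The
events are constructed and reduced to the fields the logic uses.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPES = {"10", "7"}  # 10 = RemoteInteractive (RDP), 7 = Unlock/reconnect


def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Scan time-ordered Security events and return a list of alert dicts.

    One alert fires when an address reaches `threshold` failed RDP logons
    inside `window`; a second fires if that address then logs on successfully."""
    recent = defaultdict(deque)  # IpAddress -> deque of (timestamp, username) failures
    alerts = []
    for ev in events:
        if ev.get("LogonType") not in RDP_LOGON_TYPES:
            continue  # console, service and network logons are out of scope here
        ts = datetime.fromisoformat(ev["TimeCreated"])
        ip = ev.get("IpAddress", "-")
        q = recent[ip]
        while q and ts - q[0][0] > window:
            q.popleft()  # age out failures older than the window
        if ev["EventID"] == "4625":
            q.append((ts, ev.get("TargetUserName", "?")))
            if len(q) == threshold:  # fire once at the threshold, not on every later failure
                alerts.append({"type": "rdp_password_guessing", "ip": ip, "at": ev["TimeCreated"],
                               "failures": len(q), "users": sorted({u for _, u in q})})
        elif ev["EventID"] == "4624" and len(q) >= threshold:
            alerts.append({"type": "rdp_success_after_guessing", "ip": ip, "at": ev["TimeCreated"],
                           "user": ev.get("TargetUserName", "?"), "failures": len(q)})
            q.clear()
    return alerts


def _ev(event_id, when, ip, user, logon_type):
    return {"EventID": event_id, "TimeCreated": when, "IpAddress": ip,
            "TargetUserName": user, "LogonType": logon_type}


# Constructed sample events in time order (addresses are documentation ranges).
SAMPLE_EVENTS = [
    _ev("4625", "2020-06-05T02:00:05", "192.0.2.10", "jdoe", "10"),          # single typo, benign
    _ev("4625", "2020-06-05T02:01:00", "203.0.113.7", "administrator", "10"),
    _ev("4625", "2020-06-05T02:01:02", "203.0.113.7", "admin", "10"),
    _ev("4625", "2020-06-05T02:01:04", "203.0.113.7", "backup", "10"),
    _ev("4625", "2020-06-05T02:01:06", "203.0.113.7", "scanner", "10"),
    _ev("4625", "2020-06-05T02:01:08", "203.0.113.7", "helpdesk", "10"),     # 5th failure: alert
    _ev("4625", "2020-06-05T02:01:10", "203.0.113.7", "svc_sql", "10"),
    _ev("4625", "2020-06-05T02:01:30", "203.0.113.7", "jdoe", "2"),          # console type: ignored
    _ev("4624", "2020-06-05T02:01:45", "203.0.113.7", "helpdesk", "10"),     # success after guessing
]

if __name__ == "__main__":
    for alert in detect_rdp_guessing(SAMPLE_EVENTS):
        print(alert)
```

<p>Feeding the events in time order matters because the window is aged from the front of each per-address queue. The threshold would be tuned per environment, and the "success after guessing" alert is the one to route to on-call, since it indicates a working credential in the attacker&#39;s hands rather than just noise.</p><p>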
Other machines on the same network should be scanned for other potential infections.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947156">[MITRE ATT&CK] Remote Desktop Protocol - T1076</a> | <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a><br /> <b>Tags:</b> Netwalker, Ransomware, UCSF, Data Leak, PII</p><h3 id="article-5" style="margin-bottom:0;"><a href="https://securelist.com/cycldek-bridging-the-air-gap/97157/" target="_blank"><b>Cycldek: Bridging The (Air) Gap</b></a></h3><p>(published: June 3, 2020)</p><p>Kaspersky researchers have identified new activity linked to the Chinese-speaking threat group Cycldek targeting governments in Southeast Asia, primarily in Laos, Thailand, and Vietnam. In most of its recent campaigns, the group used politically-themed RTF documents that installed custom, previously unreported tools to move laterally on target networks and collect information. Cycldek used two variants of the NewCore Remote Access Trojan (RAT), "BlueCore" and "RedCore", which the group employs for different operations. The group also leveraged a new tool dubbed "USBCulprit" that relies on removable media to collect data from target systems, which raises the likelihood that Cycldek is now targeting air-gapped systems.<br /> <b>Recommendation:</b> Malware authors are always innovating new methods of moving data in and out of target environments. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe). 
Since the group will potentially be targeting air-gapped systems with USB drives, it is crucial that companies have policies in place that forbid employees from using unknown USB drives, and only a limited number of personnel should have access to such sensitive systems.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947142">[MITRE ATT&CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&CK] Standard Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947232">[MITRE ATT&CK] DLL Side-Loading - T1073</a> | <a href="https://ui.threatstream.com/ttp/947195">[MITRE ATT&CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947134">[MITRE ATT&CK] Replication Through Removable Media - T1091</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&CK] Remote Access Tools - T1219</a><br /> <b>Tags:</b> Cycldek, NewCore RAT, BlueCore, RedCore, USBCulprit</p><h3 id="article-6" style="margin-bottom:0;"><a href="https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/" target="_blank"><b>Ransomware Gang Says it Breached One of NASA&#39;s IT Contractors</b></a></h3><p>(published: June 3, 2020)</p><p>Digital Management Inc. (DMI), an IT contractor for the National Aeronautics and Space Administration (NASA), has had its network compromised by the operators behind the DoppelPaymer ransomware. The group leaked 20 archive files on its dark web portal to prove the legitimacy of the compromise. The NASA-related data includes HR documents, project plans, and employee details. 
The DoppelPaymer group also released a list of over 2,500 servers and workstations within DMI&#39;s internal network that have been encrypted and held to ransom. DoppelPaymer follows the practice of releasing small pieces of stolen information to pressure targets into paying the ransom, and of releasing all files publicly if it is not paid.<br /> <b>Recommendation:</b> Always run antivirus and endpoint protection software to assist in preventing ransomware infection. Maintain secure backups of all your important files to avoid the need to consider paying for the decryption key, and implement a business continuity plan in the unfortunate case of ransomware infection. With the risk of personal information being released, affected individuals should be aware of the risk of being targeted by phishing campaigns.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a><br /> <b>Tags:</b> DoppelPaymer, Ransomware, Digital Management Inc, NASA, Data Leak</p><h3 id="article-7" style="margin-bottom:0;"><a href="https://threatpost.com/two-critical-android-bugs-rce/156216/" target="_blank"><b>Two Critical Android Bugs Open Door to RCE</b></a></h3><p>(published: June 2, 2020)</p><p>Two critical remote code execution (RCE) vulnerabilities, registered as "CVE-2020-0117" and "CVE-2020-8597", have been patched in Google&#39;s most recent Android update. A remote attacker using a specially crafted transmission could execute arbitrary code within the context of a privileged process on a user&#39;s Android phone. Android versions 8 through 10 are affected. 
Google also patched several other vulnerabilities in its June update, including elevation-of-privilege vulnerabilities registered as "CVE-2020-0114" and "CVE-2020-0115" and an information disclosure bug registered as "CVE-2020-0121" in Android version 10.<br /> <b>Recommendation:</b> The security update should be applied as soon as possible because of the critical severity rating of these vulnerabilities and the potential for an actor to take control of an affected device. Additionally, your company should have policies in place to review and apply security updates for software in use to protect against known vulnerabilities that threat actors may exploit.<br /> <b>Tags:</b> Android, RCE, CVE-2020-0117, CVE-2020-8597</p><h3 id="article-8" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-creates-ebay-like-auction-site-for-stolen-data/" target="_blank"><b>REvil Ransomware Creates eBay-like Auction Site for Stolen Data</b></a></h3><p>(published: June 2, 2020)</p><p>The operators behind the REvil ransomware are now selling stolen data on a new auction site to the highest bidder. The auction site appeared soon after REvil began releasing celebrity data from the law firm Grubman Shire Meiselas & Sacks (GSMLaw) because a ransom was not paid. The group then claimed to have sensitive information regarding US President Donald Trump and offered it for sale with a starting price of $1 million. Following this, the group added an auction section to its well-known leak blog, "Happy Blog", where data stolen from victims who refuse to pay the ransom is sold. The group has stated it will begin to auction the personal information of celebrities represented by GSMLaw in the near future. 
Data recently put up for auction includes files from an unnamed US food distributor and a Canadian agricultural company.<br /> <b>Recommendation:</b> The exposure of Personally Identifiable Information (PII) requires affected individuals to take precautionary measures to protect their identity and their finances. Identity theft protection services can help prevent illicit purchases or applications for financial services made by actors using the stolen data. Individuals could also be targeted with blackmail campaigns using information purchased from the auction. Affected individuals should never pay the blackmail and must contact the relevant authorities.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/2402688">[MITRE PRE-ATT&CK] Identify sensitive personnel information - T1274</a> | <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a><br /> <b>Tags:</b> REvil, Ransomware, Data Breach, PII, Auction</p><h3 id="article-9" style="margin-bottom:0;"><a href="https://www.zdnet.com/article/new-cold-boot-attack-affects-seven-years-of-lg-android-smartphones/" target="_blank"><b>New Cold Boot Attack Affects Seven Years of LG Android Smartphones</b></a></h3><p>(published: June 2, 2020)</p><p>LG, the South Korean phone maker, has released a patch for a vulnerability registered as "CVE-2020-12753", which requires physical access to the device and affects LG Android smartphones released in the last seven years. The vulnerability lies in the firmware bootloader, the component executed when a device is turned on to ensure that the phone&#39;s operating system and firmware initialize properly. A flaw in the bootloader&#39;s graphics package allows threat actors to inject their own code when graphics are loaded in specific scenarios, such as when the device boots after its battery has died or when the bootloader is in Download Mode. 
LG addressed the vulnerability in its "LVE-SMP-200006" security update.<br /> <b>Recommendation:</b> It is important that your company has patch-maintenance policies in place, particularly when there are Bring Your Own Device (BYOD) policies in use. Once a vulnerability has been reported on in open sources, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.<br /> <b>Tags:</b> LG, Smart Phones, CVE-2020-12753, Code Injection</p><h3 id="article-10" style="margin-bottom:0;"><a href="https://www.vpnmentor.com/blog/report-8belts-leak/" target="_blank"><b>Report: e-Learning Platform Exposes Private Data of Students Across the Globe</b></a></h3><p>(published: June 1, 2020)</p><p>Researchers at vpnMentor have identified a data exposure at the Spain-based language e-learning platform 8Belts that revealed the Personally Identifiable Information (PII) of its customers. The exposure was the result of a misconfigured Amazon Web Services (AWS) S3 bucket and affected hundreds of thousands of users around the world. User PII data includes<br /> <b>Recommendation:</b> Your company should have protocols in place to ensure that all cloud storage systems are properly configured and patched. Amazon S3 buckets are too often misconfigured, and threat actors actively search for exposed buckets because of the data they can yield. A Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) approach limits the damage when a single control, such as a bucket policy, is misconfigured. 
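</p><p>Whether an S3 bucket is actually reachable by anonymous users depends on three settings evaluated together: the bucket ACL, the bucket policy, and the Public Access Block flags, which can override the other two. The following check, added here as an example and not vpnMentor&#39;s or Anomali&#39;s tooling, evaluates those three offline and contrasts a weak configuration with the corrected one; the bucket name, account ID, and role name are placeholders. The same functions can be pointed at the live responses of the boto3 S3 client calls get_bucket_acl, get_bucket_policy (whose Policy field is a JSON string) and get_public_access_block.</p>

```python
"""Offline check for a publicly readable S3 bucket, from the three controls
that together decide exposure: the bucket ACL, the bucket policy, and the
Public Access Block settings.

Added example for this briefing, not vpnMentor's or Anomali's tooling.  The
two configurations below are constructed; the bucket name, account ID and
role name are placeholders.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Actions that let a principal read object content or list keys.
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:listbucket", "s3:*", "*"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def acl_is_public(acl: dict) -> bool:
    """True if a grant hands READ/FULL_CONTROL to AllUsers or AuthenticatedUsers
    (AuthenticatedUsers means any AWS account at all, so it counts as public)."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            if grant.get("Permission") in ("READ", "FULL_CONTROL"):
                return True
    return False


def _principal_is_anyone(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_allows_public_read(policy: dict) -> bool:
    """True if an unconditioned Allow statement gives an anonymous principal read access."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_anyone(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue  # conditioned grants (e.g. aws:SourceVpce) need a manual review, not an auto-flag
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if actions & READ_ACTIONS:
            return True
    return False


def bucket_is_public(acl: dict, policy: dict, pab: dict) -> dict:
    """Combine the three controls the way S3 does: IgnorePublicAcls neutralises a
    public ACL and RestrictPublicBuckets neutralises a public bucket policy."""
    acl_public = acl_is_public(acl) and not pab.get("IgnorePublicAcls", False)
    policy_public = policy_allows_public_read(policy) and not pab.get("RestrictPublicBuckets", False)
    return {"acl": acl_public, "policy": policy_public, "public": acl_public or policy_public}


# --- Constructed configurations: weak first, corrected second ---------------
WEAK_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-bucket/*"}]
}""")
WEAK_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

FIXED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                         "Permission": "FULL_CONTROL"}]}
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
                 "Action": ["s3:GetObject", "s3:PutObject"],
                 "Resource": "arn:aws:s3:::example-bucket/*"}]
}""")
FIXED_PAB = {k: True for k in WEAK_PAB}

if __name__ == "__main__":
    print("weak      :", bucket_is_public(WEAK_ACL, WEAK_POLICY, WEAK_PAB))
    print("fixed     :", bucket_is_public(FIXED_ACL, FIXED_POLICY, FIXED_PAB))
    # The Public Access Block alone already closes the weak bucket:
    print("weak + PAB:", bucket_is_public(WEAK_ACL, WEAK_POLICY, FIXED_PAB))
```

<p>Turning on all four Public Access Block flags is the quickest fix because it neutralises both a public ACL and a public policy without touching either; the corrected policy then grants access only to the named role. Conditioned public statements are skipped rather than flagged, so they still warrant a manual review.</p><p>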
The exposure of Personally Identifiable Information (PII) requires affected individuals to take precautionary measures to protect their identity and their finances.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/3297611">[MITRE ATT&CK] Data from Cloud Storage Object - T1530</a><br /> <b>Tags:</b> 8Belts, Data Breach, AWS S3 Bucket, PII</p><h3 id="article-11" style="margin-bottom:0;"><a href="https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/" target="_blank"><b>Full Infrastructure Takeover of VMWare Cloud Director (CVE-2020-3956)</b></a></h3><p>(published: June 1, 2020)</p><p>Citadelo penetration testers have discovered a vulnerability in VMware Cloud Director, the platform cloud providers use to deliver public and private clouds, that would allow threat actors to take over the underlying cloud infrastructure. Registered as "CVE-2020-3956", the code injection vulnerability allows an authenticated user, such as a customer holding an ordinary tenant account, to submit malicious traffic to VMware Cloud Director via the web interface or API calls and gain access to the provider&#39;s cloud infrastructure. Threat actors can use this vulnerability to capture user credentials, escalate privileges, and access the personally identifiable information (PII) of other customers. VMware has released patches for this vulnerability and is advising users to update their systems.<br /> <b>Recommendation:</b> Attacks against newly disclosed vulnerabilities can sometimes be detected by less conventional methods, such as behavior analysis and heuristic or machine learning based detection systems. Threat actors are often observed exploiting vulnerabilities long after they have been patched by the affected vendor. 
As this story shows, it is crucial that policies are in place to ensure that administrators apply patches as soon as they are made available in order to prevent exploitation by malicious actors.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&CK] Exploit Public-Facing Application - T1190</a><br /> <b>Tags:</b> VMware Cloud Director, CVE-2020-3956, Remote Code Execution, PII</p></div></div>
