August 20, 2019 - Anomali Threat Research

Weekly Threat Briefing: ECB Shuts Down Compromised BIRD Website

<div id="weekly"><p id="intro">The intelligence in this week’s iteration discusses the following threats: <strong>BEC, Botnet malware, Data breach, Data leak, Pre-installed threats, </strong>and<strong> Vulnerabilities.</strong> The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p>
<div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2>
<p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-a-mykings-variant-with-bootloader-persistence-via-managed-detection-and-response/" target="_blank"><b>Uncovering a MyKings Variant with Bootloader Persistence via Managed Detection and Response</b></a> (<i>August 19, 2019</i>)<br/> Trend Micro researchers were on-site with an unnamed electronics company in the Asia-Pacific region when they identified malicious activity within the company’s network. The activity appeared to be related to the “EternalBlue” exploit, notoriously used in the global WannaCry ransomware attack of May 2017. Further investigation revealed that one of the company’s machines was communicating with a Command and Control (C2) server identified by the string “mykings,” which is associated with a botnet first reported in August 2017. Registry changes on the machine indicated that it had been infected with the malware, and had remained undetected, since 2017. MyKings is a botnet malware that is also capable of downloading additional payloads, most likely a cryptominer, since the botnet had mined cryptocurrency worth approximately $2.3 million USD as of 2018.<br/> <a href="https://forum.anomali.com/t/uncovering-a-mykings-variant-with-bootloader-persistence-via-managed-detection-and-response/4097" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947211">[MITRE ATT&amp;CK] Registry Run Keys / Start Folder (T1060)</a> | <a href="https://ui.threatstream.com/ttp/947077">[MITRE ATT&amp;CK] Windows Management Instrumentation - T1047</a></p>
<p><a href="https://thehackernews.com/2019/08/european-central-bank-hack.html" target="_blank"><b>ECB Shuts Down Compromised BIRD Website</b></a> (<i>August 15, 2019</i>)<br/> Unknown threat actors compromised a website owned by the European Central Bank (ECB), according to a statement released by the ECB on August 15, 2019. The Germany-based bank, which “is the central bank of the 19 European Union countries,” confirmed that threat actors gained unauthorized access to its Banks’ Integrated Reporting Dictionary (BIRD) website. The breach of the third-party hosted website potentially exposed information associated with 481 BIRD newsletter subscribers, consisting of email addresses, names, and position titles. In addition, the actors were able to inject “malware onto the external server to aid phishing activities,” according to the ECB press release.<br/> <a href="https://forum.anomali.com/t/ecb-shuts-down-compromised-bird-website/4098" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947137">[MITRE ATT&amp;CK] Supply Chain Compromise - T1195</a> | <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a></p>
<p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/analysis-new-remcos-rat-arrives-via-phishing-email/" target="_blank"><b>Analysis: New Remcos RAT Arrives via Phishing Email</b></a> (<i>August 15, 2019</i>)<br/> Trend Micro researchers have published a blog post describing a phishing campaign distributing a new variant of the “Remcos” Remote Access Trojan (RAT). The emails, which masquerade as a new order notification, carry an ACE-compressed attachment containing a loader/wrapper called “Boom.ex.” Converting this loader/wrapper back to its AutoIt script shows that, once executed, it establishes persistence, performs anti-analysis checks, and drops and executes Remcos.<br/> <a href="https://forum.anomali.com/t/analysis-new-remcos-rat-arrives-via-phishing-email/4099" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947166">[MITRE ATT&amp;CK] Modify Registry - T1112</a> | <a href="https://ui.threatstream.com/ttp/947211">[MITRE ATT&amp;CK] Registry Run Keys / Start Folder (T1060)</a> | <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&amp;CK] Data Encrypted - T1022</a> | <a href="https://ui.threatstream.com/ttp/947259">[MITRE ATT&amp;CK] Data Encoding - T1132</a> | <a href="https://ui.threatstream.com/ttp/947258">[MITRE ATT&amp;CK] Bypass User Account Control - T1088</a></p>
<p><a href="https://www.helpnetsecurity.com/2019/08/14/biometric-data-leak/" target="_blank"><b>Huge Database Found Leaking Biometric, Personal Info of Millions</b></a> (<i>August 14, 2019</i>)<br/> The South Korea-based biometric company Suprema was identified as the owner of an Elasticsearch database that stored data related to the company’s BioStar 2 product. BioStar 2 is described on the Suprema website as a web-based, open, integrated platform, and is used by companies around the world. The Elasticsearch database, which held part of the BioStar 2 data, was “unprotected and unencrypted.” The roughly 23 gigabytes of exposed data included biometric data (facial and fingerprint), backend controls, email addresses, employee records, and security levels and clearances, among other items.<br/> <a href="https://forum.anomali.com/t/huge-database-found-leaking-biometric-personal-info-of-millions/4100" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a></p>
<p><a href="https://www.bankinfosecurity.com/microsoft-issues-patches-for-bluekeep-like-vulnerabilities-a-12915" target="_blank"><b>Microsoft Issues Patches for BlueKeep-Like Vulnerabilities</b></a> (<i>August 14, 2019</i>)<br/> Microsoft has issued patches for Remote Desktop Services, including two for critical-rated Remote Code Execution (RCE) vulnerabilities registered as “CVE-2019-1181” and “CVE-2019-1182.” Like the well-known BlueKeep vulnerability (CVE-2019-0708), these two flaws are wormable: malware exploiting them can propagate to other vulnerable machines with no user action required. Unlike BlueKeep, they also affect current Windows 10 builds. Affected Windows versions are: “Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions,” according to Microsoft. As with BlueKeep, enabling Network Level Authentication (NLA) is only a partial mitigation; applying the patches remains the fix.<br/> <a href="https://forum.anomali.com/t/microsoft-issues-patches-for-bluekeep-like-vulnerabilities/4101" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://www.itpro.co.uk/cyber-security/34207/british-airways-check-in-vulnerability-exposes-passenger-information" target="_blank"><b>British Airways Check-in Vulnerability Exposes Passenger Information</b></a> (<i>August 14, 2019</i>)<br/> Wandera researchers found that British Airways was leaking its customers’ Personally Identifiable Information (PII) as part of its online check-in e-ticketing process. According to Wandera researchers, “…passenger details are included in the URL parameters that direct the passenger from the email to the British Airways website where they are logged in automatically so they can view their itinerary and check-in for their flight. The passenger details included in the URL parameters are the booking reference and surname, both of which are exposed because the link is unencrypted.” Handling customer data this way, in an unencrypted URL parameter that also logs the user in without any further authentication, puts other data at risk, such as email address, first and last name, and phone number, among others.<br/> <a href="https://forum.anomali.com/t/british-airways-check-in-vulnerability-exposes-passenger-information/4102" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a> | <a href="https://ui.threatstream.com/ttp/947121">[MITRE ATT&amp;CK] Network Sniffing - T1040</a></p>
<p><a href="https://www.agari.com/email-security-blog/how-bec-scammers-validate-new-targets-blank-emails/" target="_blank"><b>The “I’s” Have It: How BEC Scammers Validate New Targets with Blank Emails</b></a> (<i>August 13, 2019</i>)<br/> Threat groups that focus on Business Email Compromise (BEC) use a variety of techniques in their operations. Agari researchers have observed such groups, including London Blue, sending benign, blank emails to check whether a target email account is live. This technique is the second of the four stages of a BEC attack: target generation, lead and validation processing, pre-attack testing, and the BEC attack itself. The blank email belongs to lead and validation processing, in which threat actors send the message to validate that the address receives it. Actors can then launch the actual BEC attack knowing that the target account will receive the malicious email.<br/> <a href="https://forum.anomali.com/t/the-i-s-have-it-how-bec-scammers-validate-new-targets-with-blank-emails/4103" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/back-to-back-campaigns-neko-mirai-and-bashlite-malware-variants-use-various-exploits-to-target-several-routers-devices/" target="_blank"><b>Back-to-Back Campaigns: Neko, Mirai, and Bashlite Malware Variants Use Various Exploits to Target Several Routers, Devices</b></a> (<i>August 13, 2019</i>)<br/> Over a span of three weeks, Trend Micro researchers observed malware in the wild identified as variants of the botnet malware families Bashlite, Mirai, and Neko. The Bashlite variant is called “Ayedz,” the Mirai variant is called “Asher,” and the Neko variant retains its name. Asher and Neko are equipped with exploit functionality and brute-force capabilities targeting specific router models. Ayedz’s primary purpose is to conduct Denial-of-Service (DoS) attacks.<br/> <a href="https://forum.anomali.com/t/back-to-back-campaigns-neko-mirai-and-bashlite-malware-variants-use-various-exploits-to-target-several-routers-devices/4104" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/2402530">[MITRE ATT&amp;CK] Network Denial of Service - T1498</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell - T1086</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a></p>
<p><a href="https://nakedsecurity.sophos.com/2019/08/13/android-users-menaced-by-pre-installed-malware/" target="_blank"><b>Android Users Menaced by Pre-Installed Malware</b></a> (<i>August 13, 2019</i>)<br/> Google Project Zero researcher Maddie Stone presented research at the annual Black Hat security conference in Las Vegas on the threat posed by pre-installed applications. Android devices ship with approximately 100-400 pre-installed applications, and threat actors can take advantage of that large number. Only one of these applications needs to be compromised to potentially affect millions of Android devices. Stone found that “an SMS and click fraud botnet called Chamois” infected approximately 21 million devices from 2016 onwards, and that one manipulated application alone accounted for 7.4 million of those devices because it came pre-installed.<br/> <a href="https://forum.anomali.com/t/android-users-menaced-by-pre-installed-malware/4105" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402574">[MITRE MOBILE-ATT&amp;CK] Supply Chain Compromise - T1474</a> | <a href="https://ui.threatstream.com/ttp/2402693">[MITRE PRE-ATT&amp;CK] Identify vulnerabilities in third-party software libraries - T1389</a></p>
<p><a href="https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" target="_blank"><b>Cerberus – A New Banking Trojan from The Underworld</b></a> (<i>August 12, 2019</i>)<br/> A newly discovered Android malware, dubbed “Cerberus,” is being offered for rent on underground forums; its creators claim the malware had already been operating in the wild for two years, according to ThreatFabric researchers. The threat actors behind Cerberus also claim that they wrote the malware from scratch and that no leaked banking trojan source code was used. Analysis conducted by ThreatFabric confirmed that the malware is not based on the Anubis banking trojan. The Cerberus actor(s) appear to use the Twitter account @AndroidCerberus to post campaign advertisements. Cerberus is capable of contact list and credential theft, keylogging, overlay attacks, and SMS control, among other functions. 
The primary target list includes banking applications for French, US, and Japanese banks as well as 15 other non-banking applications.<br/> <a href="https://forum.anomali.com/t/cerberus-a-new-banking-trojan-from-the-underworld/4106" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/1260064">[MITRE MOBILE-ATT&amp;CK] Capture SMS Messages - T1412</a> | <a href="https://ui.threatstream.com/ttp/1260098">[MITRE MOBILE-ATT&amp;CK] Manipulate Device Communication - T1463</a> | <a href="https://ui.threatstream.com/ttp/1260048">[MITRE MOBILE-ATT&amp;CK] Abuse Device Administrator Access to Prevent Removal - T1401</a> | <a href="https://ui.threatstream.com/ttp/1260088">[MITRE MOBILE-ATT&amp;CK] Location Tracking - T1430</a> | <a href="https://ui.threatstream.com/ttp/1260117">[MITRE MOBILE-ATT&amp;CK] Standard Application Layer Protocol - T1437</a></p></div></div>
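The British Airways item above describes check-in links in which the booking reference and surname travel in the URL query string and log the passenger in automatically. The Python example below is added here for illustration and is not code from the briefing, from Wandera or from British Airways. It places that leaky pattern beside a link that carries only an opaque, single-use, expiring token resolved server-side; the host name, booking references and surnames are constructed placeholders.

```python
"""Added example: PII-bearing auto-login links versus opaque single-use tokens.

Not code from the briefing, Wandera or British Airways. The host, booking
references and surnames below are constructed placeholders.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder host; not a real airline endpoint.
CHECKIN_URL = "https://checkin.example-airline.test/itinerary"


def insecure_link(booking_ref, surname):
    """The leaky pattern: the identifiers themselves act as the credential
    and travel in the query string of the emailed link."""
    return CHECKIN_URL + "?" + urlencode({"ref": booking_ref, "surname": surname})


def visible_parameters(url):
    """What anyone holding the URL (mail relays, proxy logs, browser history,
    a Referer header sent to third-party content) can read out of it."""
    return {key: values[0] for key, values in parse_qs(urlsplit(url).query).items()}


class CheckinTokenIssuer:
    """Hardened pattern: the link carries only a random token. The mapping
    from token to booking stays server-side, is single-use and expires."""

    def __init__(self, ttl_seconds=24 * 3600):
        self.ttl = ttl_seconds
        self._store = {}  # token -> (booking_ref, surname, expiry timestamp)

    def issue(self, booking_ref, surname, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._store[token] = (booking_ref, surname, now + self.ttl)
        return CHECKIN_URL + "?" + urlencode({"t": token})

    def redeem(self, url, now=None):
        """Resolve a link to (booking_ref, surname) exactly once.
        Returns None for unknown, already-used or expired tokens."""
        now = time.time() if now is None else now
        token = parse_qs(urlsplit(url).query).get("t", [None])[0]
        if token is None:
            return None
        entry = self._store.pop(token, None)  # pop: a token is never valid twice
        if entry is None:
            return None
        booking_ref, surname, expiry = entry
        if now > expiry:
            return None
        return booking_ref, surname


if __name__ == "__main__":
    leaky = insecure_link("ABC123", "Smith")
    print("leaky link exposes:", visible_parameters(leaky))
    issuer = CheckinTokenIssuer(ttl_seconds=3600)
    link = issuer.issue("ABC123", "Smith")
    print("tokenised link exposes:", list(visible_parameters(link)))
    print("first redemption:", issuer.redeem(link))
    print("replayed redemption:", issuer.redeem(link))
```

Everything that can observe a URL sees both forms of link; only the second reveals nothing about the passenger, and replaying it after redemption or after expiry yields nothing. In a real deployment the token store would be a database rather than an in-memory dictionary, and the page the token lands on should still demand the usual authentication before exposing anything beyond the itinerary.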
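The BEC item above describes actors sending blank emails to confirm that a target mailbox is live before the real lure goes out. The Python example below is added here as illustration and is not code from the briefing or from Agari. It runs a simple detection over a few constructed inbound messages, flagging blank-subject, blank-body mail from senders the organisation has never corresponded with and grouping hits by sender so that one actor probing several mailboxes stands out; the known-correspondent set and the mail samples are constructed.

```python
"""Added detection example: blank "validation probe" emails from unknown senders.

Not code from the briefing or from Agari. The known-correspondent set and the
inbound mail samples are constructed for the example.
"""
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Constructed set of addresses the organisation has corresponded with before;
# in practice derive it from mail-flow history.
KNOWN_SENDERS = {"partner@supplier.example", "alice@example.com"}

# Constructed inbound messages in RFC 5322 form (headers, blank line, body).
SAMPLE_MAILS = [
    # Two blank probes from the same unknown sender to two finance mailboxes.
    "From: Accounts <ar.dept@finance-notices.example>\nTo: cfo@example.com\n"
    "Subject: \nMessage-ID: <probe1@finance-notices.example>\n\n",
    "From: Accounts <ar.dept@finance-notices.example>\nTo: controller@example.com\n"
    "Subject: \nMessage-ID: <probe2@finance-notices.example>\n\n \n",
    # Blank mail from a known correspondent: a mis-send, not a probe.
    "From: partner@supplier.example\nTo: cfo@example.com\nSubject: \n"
    "Message-ID: <oops@supplier.example>\n\n",
    # Ordinary first contact with a subject and a body.
    "From: bob@newclient.example\nTo: sales@example.com\nSubject: Quote request\n"
    "Message-ID: <q1@newclient.example>\n\nHi, could you send pricing for 50 units?\n",
]


def body_text(msg):
    """Decoded text of the message's text/plain parts ('' when there are none).
    walk() yields the message itself first, so single-part mail is covered too."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        raw = part.get_payload(decode=True)
        if raw:
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "".join(chunks)


def sender_of(msg):
    """Bare, lower-cased address from the From header ('' if absent)."""
    return parseaddr(msg.get("From", ""))[1].lower()


def is_validation_probe(raw_mail, known_senders=KNOWN_SENDERS):
    """True for a blank-subject, blank-body message from a sender never seen before."""
    msg = message_from_string(raw_mail)
    sender = sender_of(msg)
    if not sender or sender in known_senders:
        return False
    subject_blank = not (msg.get("Subject") or "").strip()
    return subject_blank and not body_text(msg).strip()


def probe_report(raw_mails, known_senders=KNOWN_SENDERS):
    """Map each probing sender to the sorted internal recipients it targeted;
    one sender hitting several mailboxes is the strongest signal."""
    hits = defaultdict(set)
    for raw_mail in raw_mails:
        if is_validation_probe(raw_mail, known_senders):
            msg = message_from_string(raw_mail)
            hits[sender_of(msg)].add(parseaddr(msg.get("To", ""))[1].lower())
    return {sender: sorted(recipients) for sender, recipients in hits.items()}


if __name__ == "__main__":
    for sender, recipients in probe_report(SAMPLE_MAILS).items():
        print(f"probe from {sender} -> {', '.join(recipients)}")
```

The probe only tells the actor anything because a non-existent mailbox bounces, so the blank messages themselves are harmless; the value of the detection is in putting the flagged sender addresses and domains on a watch-list before the follow-on BEC message arrives.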
