Weekly Threat Briefing: Ensiko Ransomware, Lazarus, Vulnerabilities and More

The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Data breach, Data leak, Malware, Nemty, Ransomware, Twitter Hack, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. <img src="https://cdn.filestackcontent.com/PkLCuu25TluotQjqHvtw"/> Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. <h2>Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/havenly-discloses-data-breach-after-13m-accounts-leaked-online/" target="_blank">Havenly Discloses Data Breach After 1.3M Accounts Leaked Online</a></h3> (published: August 2, 2020) Interior design website Havenly has been breached, exposing 1.3 million user records. The database has been posted on a hacking forum for free, following the leak of 386 million user records from 18 companies. The Havenly breach includes email addresses, names, phone numbers, zip code and MD5 hashed passwords. Havenly claim they do not store full credit card numbers, and that only the last four digits could be exposed. Recommendation: Havenly have implemented a mandatory password change, make sure to use a strong and unique password for all accounts. Threat actors may try to use cracked passwords for other sites which users may have an account with the same login details. Tags: Data breach, Leaked Database, PII <h3 id="article-2" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/us-government-sites-abused-to-redirect-users-to-porn-sites/" target="_blank">US Government Sites Abused to Redirect Users to Porn Sites </a></h3> (published: July 31, 2020) In an ongoing Search Engine Optimization (SEO) campaign, blackhat scammers are using open redirects found on US government websites to create links that redirect users to porn sites while the URL appears to be a trusted US government website. The scammers are not actually hacking the websites, merely searching for vulnerable pages to use for a redirect. The resulting links appear in search engine results to be part of the official website, and many of the redirects are silent, meaning that when the user clicks the link, they never even see the government website and are taken directly to the porn site. The means the scammers are using to get their links published into the search engines are not currently known, and the links discovered to date have only been to porn sites, not directly malicious or phishing sites. However, due to the prevalence of malware and malvertising found on these types of sites, the risk of following these links is definitely non zero. Recommendation: Any website should be thoroughly validated for security flaws, including open redirects, as part of the regular development and maintenance of the site. Corporate and government reputations can be significantly harmed by the publication of these links. All users of the internet should evaluate the actual destinations of links wherever possible. Browser vendors could also be updated such that a user could enable a warning for a link that is redirecting to a different site than the original domain. Tags: SEO, US government <h3 id="article-3" style="margin-bottom:0;"><a href="https://thehackernews.com/2020/07/twitter-hacker-arrested.html" target="_blank">17-Year-Old 'Mastermind', 2 Others Behind the Biggest Twitter Hack Arrested</a></h3> (published: July 31, 2020) Three people, including the "mastermind" behind the scam, a Florida juvenile, were arrested today on multiple charges. The other two individuals are a 22 year old Florida resident and a 19 year old from the United Kingdom. A total of 130 Twitter accounts were hijacked via an internal admin tool available to some Twitter employees. Access to the tool was accomplished by a social engineering phone call where the attacker managed to get access to the internal tool. Of the 130 total accounts accessed, much of the media focus has been around 45 high profile, verified twitter accounts, including those of Elon Musk and former president Barack Obama. These accounts, once compromised, were used to send out a bitcoin scam promising to send followers of these accounts an immediate two fold return of any money sent to a specific bitcoin wallet. Research indicates that approximately $120,000 worth of bitcoin was deposited before the attack was shut down, and another almost $300,000 would have been transferred if not rapidly blocked by one of the bitcoin exchanges. Additionally, the Direct Message (DM) inboxes for 36 accounts were accessed and 8 accounts had their twitter activity downloaded using the "Your Twitter Data" archive tool. Recommendation: Employees need to be educated to the risks associated with social engineering, as well as phishing and other ways that malicious actors access internal systems. Additionally, companies, especially those collecting sensitive personal information, place adequate security and audit controls around any type of tool that allows extensive access to user data. These tools should be very tightly access controlled as well as leveraging other security controls like network segmentation, account separation, and Multiple Factor Authentication (MFA). Tags: social engineering, Twitter <h3 id="article-4" style="margin-bottom:0;"><a href="https://www.infosecurity-magazine.com/news/dussman-group-data-leaked/" target="_blank">Dussmann Group Suffers Data Breach Following Ransomware Attack</a></h3> (published: July 30, 2020) The German multinational, Dussmann, specialising in facilities management, has suffered a data breach after threat actors posted over 16,000 internal Dussmann files on an onion site. The actors behind the breach were able to obtain the files after Dussmann was subjected to an attack by the “Netfilm” ransomware variant; this variant is relatively new and shares many characteristics with the Nemty family. Researchers from Trend Micro believe that Netfilm is likely spread via Remote Desktop Protocol (RDP), possibly through the purchasing of breached RDP credentials online. Dussmann have issued a statement acknowledging the attack and revealed that their refrigeration subsidiary Dresdner Kühlanlagenbau was the target. Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of ransomware infection. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947162" target="_blank">[MITRE ATT&CK] Remote Services - T1021</a> | <a href="https://ui.threatstream.com/ttp/947141" target="_blank">[MITRE ATT&CK] Masquerading - T1036</a> Tags: ransomware, Netilm, Nemty, dark web, RDP, remote desktop protocol <h3 id="article-5" style="margin-bottom:0;"><a href="https://securityaffairs.co/wordpress/106541/hacking/boothole-issue.html?utm_source=rss&utm_medium=rss&utm_campaign=boothole-issue" target="_blank">BootHole Vulnerability Allows for Malware Installation</a></h3> (published: July 30, 2020) A serious GRUB2 bootloader vulnerability is leaving billions of Windows and Linux devices open to potential malware attacks. Researchers from Eclypsium discovered the vulnerability, now tracked as “CVE-2020-10713”, stating that it will affect any system that uses GRUB2 with Secure Boot and could allow an attacker to elevate privileges within a system and achieve persistence. BootHole is a buffer overlow vulnerability that relates to the way the GRUB2 parses the gru.cfg configuration file. This config file is a text file that is generally not signed, potentially allowing an attacker to execute arbitrary code to modify the content of the GRUB2 config file and execute malicious code before the operating system has loaded. The Canonical security team have recommended that bootloaders be signed and deployed, revoking vulnerable bootloaders. Recommendation: It is important that code-booting policies for machines in use by your company are in place. Many malware families begin their malicious activity at start up, therefore, monitoring this sort of traffic may give potential insight into suspicious behavior. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947233" target="_blank">[MITRE ATT&CK] Exploitation for Privilege Escalation - T1068</a> Tags: BootHole, GRUB2, bootloader, Windows, Linux, config, persistence, privilege escalation <h3 id="article-6" style="margin-bottom:0;"><a href="https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/" target="_blank">Lazarus on the Hunt for Big Game</a></h3> (published: July 28, 2020) Researchers from Kaspersky Labs have attributed the VHD ransomware to the North Korean Advanced Persistent Threat (APT) actor, Lazarus. Lazarus is known for both being focused on nation state activity and financially-motivated crimes. They have been attributed to targeting crypto currency markets and banks in the past. The use of ransomware indicates that Lazarus is following the cyber criminal trend to obtain money. It is not clear if the group will expand on this approach or not. Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place in addition to a business continuity policy in place. In the unfortunate case a reproducible backup is not in place, make sure to check for a decryptor before considering payment; avoid payment at all costs. North Korea is under US sanctions and paying the ransom may violate the sanctions. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for threat actors. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947094" target="_blank">[MITRE ATT&CK] External Remote Services - T1133</a> | <a href="https://ui.threatstream.com/ttp/947191" target="_blank">[MITRE ATT&CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947077" target="_blank">[MITRE ATT&CK] Windows Management Instrumentation - T1047</a> | <a href="https://ui.threatstream.com/ttp/947231" target="_blank">[MITRE ATT&CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/947227" target="_blank">[MITRE ATT&CK] Brute Force - T1110</a> | <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a> Tags: APT, Lazarus, North Korea, Ransomware, VHD <h3 id="article-7" style="margin-bottom:0;"><a href="https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/" target="_blank">Watch Your Containers: Doki Infecting Docker Servers in the Cloud</a></h3> (published: July 28, 2020) Researchers from Intezer discovered a new campaign launched by the Ngrok mining botnet. The campaign is primarily focused on taking control over the misconfigured Docker servers and exploiting them to install crypto miners and uses the infected victims to scan for additional vulnerable cloud servers. In the new campaign the Ngrok botnet delivers a new linux malware named “Doki” and it has not been detected by any antivirus vendors as of January 14, 2020 and it exploits previously undocumented technique to stay under the radar. The Doki malware abuses Dogecoin cryptocurrency blockchain to dynamically generate C2 domains to communicate with the malware operator. Recommendation: Organizations and individuals who own container servers in the cloud must immediately fix misconfigurations to prevent exposure. Check for any exposed ports, verify there are no foregin or unknown containers among the existing containers, and monitor for excessive use of resources. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947101" target="_blank">[MITRE ATT&CK] Code Signing - T1116</a> | <a href="https://ui.threatstream.com/ttp/947164" target="_blank">[MITRE ATT&CK] File Deletion - T1107</a> | <a href="https://ui.threatstream.com/ttp/947187" target="_blank">[MITRE ATT&CK] System Network Configuration Discovery - T1016</a> | <a href="https://ui.threatstream.com/ttp/947245" target="_blank">[MITRE ATT&CK] Local Job Scheduling - T1168</a> | <a href="https://ui.threatstream.com/ttp/947276" target="_blank">[MITRE ATT&CK] Network Service Scanning - T1046</a> | <a href="https://ui.threatstream.com/ttp/947291" target="_blank">[MITRE ATT&CK] Commonly Used Port - T1043</a> | <a href="https://ui.threatstream.com/ttp/2402536" target="_blank">[MITRE ATT&CK] Domain Generation Algorithms - T1483</a> Tags: Cryptominer, ngrok, docker <h3 id="article-8" style="margin-bottom:0;"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshell-with-ransomware-capabilities" target="_blank">Ensiko: A Webshell With Ransomware Capabilities</a></h3> (published: July 27, 2020) Researchers at Trend Micro have identified a new webshell for web servers running PHP. What is unique about this new backdoor is its built-in ransomware functionality. In addition to common webshell functionality, the webshell can also perform as a ransomware. Webshells are used by threat actors to maintain persistence on a compromised host and can be used to launch other malware. Having the ransomware part of the webshell component allows threat actors to encrypt the compromised machine without uploading a separate malware that might get detected by an endpoint protection or endpoint detection and response solution. Recommendation: Ransomware can potentially be blocked by using endpoint protection solutions (HIDS). Always keep your important files backed up following the 3-2-1 rule: have at least 3 different copies, on 2 different mediums, with 1 off-site. In the case of ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947191" target="_blank">[MITRE ATT&CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/3297595" target="_blank">[MITRE ATT&CK] Server Software Component - T1505</a> | <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a> Tags: Ensiko, Webshell, Ransomware, PHP <h3 id="article-9" style="margin-bottom:0;"><a href="https://www.bankinfosecurity.com/us-uk-agencies-warn-qnap-nas-devices-vulnerable-a-14719" target="_blank">US, UK Agencies Warn: QNAP NAS Devices Vulnerable</a></h3> (published: July 27, 2020) The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre (NCSC) issued a joint warning about the risks of running vulnerable QNAP NAS devices. The vulnerable devices are targeted by QSsnatch (or Derek) malware, and according to the report there are currently over 62,000 infected devices worldwide. All QNAP NAS devices are potentially vulnerable to the QSnatch malware if not updated with the latest security updates. The latest version of QSnatch malware has features such as CGI password logger, Credential scraper, SSH backdoor, Exfiltrating predetermined list of files and WebShell. Recommendation: Organizations that are still running a vulnerable version must run a full factory reset on the device prior to completing the firmware upgrade to ensure the device is not left vulnerable. Block external connections when the device is intended to be used strictly for internal storage. Verify that the purchased QNAP devices are from reputable sources and if not perform a full factory reset on the device prior to updating the firmware. MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947124" target="_blank">[MITRE ATT&CK] Peripheral Device Discovery - T1120</a> | <a href="https://ui.threatstream.com/ttp/947126" target="_blank">[MITRE ATT&CK] Standard Application Layer Protocol - T1071</a> Tags: Qsnatch, QNAP