January 22, 2019
Anomali Threat Research

Weekly Threat Briefing: Ex-Employee Hacks WPML WordPress Plugin Site and Spams Users

<div id="weekly"><p id="intro">The intelligence in this weekís iteration discuss the following threats: <strong>Adware, APT, DarkHydrus, Data breach, Emotet, Lazarus group, MageCart, Malvertising, Ransomware, Spearphishing, </strong>and<strong> Vulnerabilities</strong>. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><div id="trending-threats"><h1 id="trendingthreats">Trending Threats</h1><p><a href="https://www.bleepingcomputer.com/news/security/ex-employee-hacks-wpml-wordpress-plugin-site-and-spams-users/" target="_blank"><b>Ex-Employee Hacks WPML WordPress Plugin Site and Spams Users </b></a> (<i>January 20, 2019</i>)<br /> The WordPress Multilingual Plugin (WPML) WordPress plugin inundated users with emails that stated that the plugin suffered several vulnerabilities. The email&#39;s headline said &#39;WPML Updates&#39; and went to explain that users should tighten their security and possibly completely remove the plugin from their sites because there were several unaddressed vulnerabilities in the plugin that WPML allegedly refused to fix, according to the email. The WordPress WPML site even was hacked into to include &#39;Security Holes&#39; in their product feature chart. The developer of WPML stated that the hack and spam emails came from an ex-employee who allegedly put a backdoor into the WPML site after using an old SSH password to gain access. The developer said that the WPML plugin is safe to use and does not contain any vulnerabilities. No user payment information was likely compromised, but suggests users change their passwords.<br /> <a href="https://forum.anomali.com/t/ex-employee-hacks-wpml-wordpress-plugin-site-and-spams-users/3462" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/" target="_blank"><b>DarkHydrus Delivers New Trojan That Can Use Google Drive for C2 Communications</b></a> (<i>January 18, 2019</i>)<br /> Researchers from 360TIC and Palo Alto Networks found that the Iranian Advanced Persistent Threat (APT) group, &#39;DarkHyrus,&#39; has been actively delivering malicious documents that install the trojan, &#39;RogueRobin.&#39; The malicious Excel documents, attached to suspected-spearphishing emails, would request a user to &#39;Enable Content&#39; to properly see the data. If a user allowed it, a function called &#39;New_Macro&#39; would run and create a PowerShell script that ultimately would install the RogueRobin payload onto the infected device. The trojan utilizes DNS tunneling to communicate with the designated Command and Control (C2) server, which in this case, is a legitimate Google Drive API.<br /> <a href="https://forum.anomali.com/t/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/3463" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947176">[MITRE ATT&CK] Regsvr32 (T1117)</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a></p><p><a href="https://threatpost.com/critical-unpatched-cisco-flaw/141010/" target="_blank"><b>Critical, Unpatched Cisco Flaw Leaves Small Business Networks Wide Open</b></a> (<i>January 18, 2019</i>)<br /> A vulnerability in the default configuration for &#39;Cisco Small Business&#39; software, registered as &#39;CVE-2018-15439,&#39; has been identified to be vulnerable to allowing unauthorized administrative privileges over the device. Control over a Cisco Small Business Switch would allow a threat actor administrative control over the entire network. The vulnerability takes shape in the form of a &#39;default, privileged user account that is used for the initial login and cannot be removed from the system.&#39; Cisco has stated that it has yet to issue a patch for this vulnerability, but it is likely that one will be issued in the near future. Devices affected by this vulnerability include: Cisco Small Business 200 Series Smart Switches, 250 Series Smart Switches, 300 Series Managed Switches, 350 Series Managed Switches, Cisco 350X Series Stackable Managed Switches, 500 Series Stackable Managed Switches and 550X Series Stackable Managed Switches.<br /> <a href="https://forum.anomali.com/t/critical-unpatched-cisco-flaw-leaves-small-business-networks-wide-open/3464" target="_blank">Click here for Anomali recommendation</a><strong_password> </strong_password></p><p><a href="https://www.bankinfosecurity.com/emotet-malware-returns-to-work-after-holiday-break-a-11955" target="_blank"><b>Emotet Malware Returns to Work After Holiday Break</b></a> (<i>January 18, 2019</i>)<br /> The threat actors behind the &#39;Emotet&#39; malware, called &#39;Mealybug,&#39; have returned from their apparent holiday break and resumed their malicious activity. Emotet is considered to be one of the most active malwares in the wild and continues to be one of the most capable. Its capability comes from its modular functionality that allows the actors behind it to extend its features. For example, utilize worm capabilities to move laterally through a network, as well as drop a variety of malware payloads. A new feature found in Emotet is in its spam module that now is observed to be able to check if an infected machine&#39;s IP address is located on any blacklist. This feature is used to identify IP addresses that have not been blacklisted to then use the machines to distribute spam.<br /> <a href="https://forum.anomali.com/t/emotet-malware-returns-to-work-after-holiday-break/3465" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.malwarebytes.com/threat-analysis/2019/01/improved-fallout-ek-comes-back-after-short-hiatus/" target="_blank"><b>Improved Fallout EK Comes Back After Short Hiatus</b></a> (<i>January 17, 2019</i>)<br /> Malwarebytes researchers have observed that the &#39;Fallout&#39; Exploit Kit (EK) is active again after being inactive for a short period of time. Beginning on January 15, 2019, researchers observed an increase in malicious activity attributed to Fallout, in addition to new features added by threat actors who utilize the EK. Fallout is primarily distributed via malicious advertising (malvertising) with the objective of infecting machines with the &#39;GandCrab&#39; ransomware. The new features discovered being utilized in Fallout include: HTTPS support, a new landing page, PowerShell to deliver the ransomware payload, and an exploitation of a Flash Player vulnerability that is registered as &#39;CVE-2018-15982.&#39;<br /> <a href="https://forum.anomali.com/t/improved-fallout-ek-comes-back-after-short-hiatus/3466" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947267">[MITRE ATT&CK] Drive-by Compromise (T1189)</a></p><p><a href="https://www.helpnetsecurity.com/2019/01/17/773-million-records-exposed-in-massive-data-breach/" target="_blank"><b>773 Million Records Exposed in Massive Data Breach</b></a> (<i>January 17, 2019</i>)<br /> Security researcher Troy Hunt has obtained a massive trove of compiled credentials, dubbed &#39;Collection #1,&#39; that appear to be from over 2,000 compromised databases. The collection contains emails addresses and plain text passwords consisting of: &#39;2,692,818,238 rows, 1,160,253,228 unique combinations of email addresses and passwords, 772,904,991 unique email addresses, and 21,222,975 unique passwords.&#39; The collection was initially posted on the cloud service &#39;MEGA,&#39; as of this writing it has since been removed, and was also reported to be on an unnamed &#39;popular hacking forum.&#39;<br /> <a href="https://forum.anomali.com/t/773-million-records-exposed-in-massive-data-breach/3467" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bleepingcomputer.com/news/security/over-140-international-airlines-affected-by-major-security-breach/" target="_blank"><b>Over 140 International Airlines Affected by Major Security Breach</b></a> (<i>January 16, 2019</i>)<br /> The &#39;Amadeus&#39; online booking systems, owned by &#39;Amadeus IT Group,&#39; was found to contain a vulnerability that exposed its customers&#39; information, according to Safety Detective researcher, Noam Rotem. The researchers found the vulnerability while attempting to book a flight on the Israeli airline, &#39;EL AL,&#39; which then prompted researchers to visit a URL that contained the Passenger Name Record (PNR). The URL was discovered to be the beginning of identifying the vulnerability, specifically, the PNR number. Researchers found that by changing the PNR in the URL through a brute-force style attack, they could view any customer&#39;s name and flight information. The passenger name and PNR then allowed researchers to login into EL AL&#39;s customer portal to view additional flight data and Personally Identifiable Information (PII). It was also discovered that Amadeus did not have protections in place against brute-force attacks, which allowed researchers to use this method to find PNR numbers and subsequent user data.<br /> <a href="https://forum.anomali.com/t/over-140-international-airlines-affected-by-major-security-breach/3468" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://threatpost.com/voipo-database-exposes-millions-of-texts-call-logs/140898/" target="_blank"><b>VOIPO Database Exposed Millions of Texts, Call Logs</b></a> (<i>January 16, 2019</i>)<br /> Security researcher Justin Paine discovered a publicly accessible &#39;ElasticSearch&#39; database using the internet-scanning tool, &#39;Shodan.&#39; Paine found that the database belonged to the California-based Voice Over Internet Protocol (VOIP) company &#39;VOIPO&#39; and was left publicly-accessible from June 2018 until January 8, 2019. The database contained varying forms of information including 6.7 million call logs (including duration of call, originating number, partial destination number, and timestamp) and six million SMS/MMS logs (consisting of content from sent messages and timestamps dating back to December 2015), according to Paine. Other information stored in the database, which appeared to contain both development and production data, consisted of some logs (approximately one million documents) referencing internal hostnames and plaintext username and associated passwords. Furthermore, approximately one million documents also contained API keys for internal systems. At the time of this writing, VOIPO has since taken the exposed database offline as of January 8, 2019, the same day Paine reached out to the company.<br /> <a href="https://forum.anomali.com/t/voipo-database-exposed-millions-of-texts-call-logs/3469" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-magecart-attack-delivered-through-compromised-advertising-supply-chain/" target="_blank"><b>New Magecart Attack Delivered Through Compromised Advertising Supply Chain</b></a> (<i>January 16, 2019</i>)<br /> MageCart,&#39; an umbrella term used to categorize financially-motivated groups that inject payment skimmer script onto ecommerce sites, has been observed to have increased their malicious activity beginning on January 1, 2019, according to Trend Micro researchers. The significant increase in activity consisted of the group&#39;s known data-stealing (skimming) code identified on 277 ecommerce websites. The websites were found to be associated to flight booking, ticketing, and touring in addition to &#39;self-hosted card websites from prominent cosmetic, healthcare, and apparel brands.&#39; This campaign is different than typical MageCart campaigns where the group would compromise a website and inject malicious skimming code, and instead compromised a third-party JavaScript library operated by the French advertising company &#39;Adverline.&#39; Researchers attribute this campaign to MageCart Group 12 because they, like MageCart Group 5, compromise third-party applications and services used by ecommerce sites. Thus, websites that used Adverline&#39;s &#39;retargeting script&#39; inadvertently launched skimming functionality onto the site.<br /> <a href="https://forum.anomali.com/t/new-magecart-attack-delivered-through-compromised-advertising-supply-chain/3470" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947137">[MITRE ATT&CK] Supply Chain Compromise (T1195)</a> | <a href="https://ui.threatstream.com/ttp/947220">[MITRE ATT&CK] Trusted Relationship (T1199)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a></p><p><a href="https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/" target="_blank"><b>Djvu Ransomware Spreading New .TRO Variant Through Cracks & Adware Bundles </b></a> (<i>January 15, 2019</i>)<br /> A new ransomware, dubbed &#39;Djvu,&#39; has been observed being delivered via &#39;Crack&#39; downloads and adware. Djvu appears to be a variant of the &#39;STOP&#39; malware. It is unclear how the ransomware is distributed, but most victims, according to various forums, state that they became infected following downloading a software crack. Once the ransomware is on a device, the main installer will execute various commands that removes definitions for Windows Defender and disables various functionality. Following this, another executable will download security sites to the Window HOSTS file so victims cannot connect for help following encryption. Djvu will then generate an ID for the machine and sends it to the Command and Control (C2) server to both encrypt (and possibly decrypt) the files. The encrypted files get the file extension &#39;.djvu&#39; or &#39;.tro&#39; added to the end of the file name. The ransom note contains two different emails by which the victim can contact in order to pay and receive their files back.<br /> <a href="https://forum.anomali.com/t/djvu-ransomware-spreading-new-tro-variant-through-cracks-adware-bundles/3471" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/" target="_blank"><b>Disclosure of Chilean Redbanc Intrusion Leads to Lazarus Ties </b></a> (<i>January 15, 2019</i>)<br /> According to researchers at FlashPoint, a recent intrusion at the Chilean interbank network, &#39;Redbanc,&#39; is linked to the Advanced Persistent Threat (APT) group &#39;Lazarus Group.&#39; The organization associated the attack to Lazarus Group because of the malware toolkit, &#39;PowerRatankba,&#39; that is tied to the Democratic People&#39;s Republic of Korea (DPRK). The malware appeared to have been delivered via a Rebanc IT employee who applied for a job opening via social media, and following an interview via Skype, unwittingly deployed the malware payload by downloading the job application form. The fake job application downloads and executes PowerRatankba. The malware will run through a series of processes and will attempt to obtain administrative privileges and then communicate with its Command and Control (C2) to get further instructions.<br /> <a href="https://forum.anomali.com/t/disclosure-of-chilean-redbanc-intrusion-leads-to-lazarus-ties/3472" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947220">[MITRE ATT&CK] Trusted Relationship (T1199)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947127">[MITRE ATT&CK] Scheduled Task (T1053)</a> | <a href="https://ui.threatstream.com/ttp/947077">[MITRE ATT&CK] Windows Management Instrumentation (T1047)</a> | <a href="https://ui.threatstream.com/ttp/947148">[MITRE ATT&CK] New Service (T1050)</a> | <a href="https://ui.threatstream.com/ttp/947135">[MITRE ATT&CK] Data from Local System (T1005)</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&CK] Exfiltration Over Command and Control Channel (T1041)</a> | <a href="https://ui.threatstream.com/ttp/947259">[MITRE ATT&CK] Data Encoding (T1132)</a></p><p><a href="https://www.bleepingcomputer.com/news/security/new-ransomware-bundles-paypal-phishing-into-its-ransom-note/" target="_blank"><b>New Ransomware Bundles PayPal Phishing Into Its Ransom Note </b></a> (<i>January 15, 2019</i>)<br /> A new ransomware campaign has been discovered that encrypts a user&#39;s files as well as attempts to steal PayPal credentials via a phishing PayPal page, according to MalwareHunterTeam. The ransomware encrypts a user&#39;s files and then displays a ransom note that requests Bitcoin in exchange for the files back. Interestingly, the note states that a user could use PayPal to pay the ransom. If the user chooses PayPal as the means of paying the ransom and clicks on the &#39;PayPal Buy Now&#39; button in the note, they will be directed to a phishing site &#39;http://ppyc-ve0rf.890m.com/s2[.]php&#39; that has the appearance of being an authentic PayPal payment page. It requests a user to fill in payment information such as address, card number, CVV, and name. After filling in the information requested, a user will then be redirected to a legitimate PayPal login page that will prompt a user to sign in.<br /> <a href="https://forum.anomali.com/t/new-ransomware-bundles-paypal-phishing-into-its-ransom-note/3473" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947263">[MITRE ATT&CK] Spearphishing via Service (T1194)</a></p><p><a href="https://thehackernews.com/2019/01/scp-software-vulnerabilities.html" target="_blank"><b>36-Year-Old SCP Clients&#39; Implementation Flaws Discovered </b></a> (<i>January 15, 2019</i>)<br /> Harry Sintonen, a Senior Security Consultant from F-Secure, discovered 36-year-old vulnerabilities in the Secure Copy Protocol (SCP) implementation that could allow for potential malicious servers to overwrite arbitrary files in the client target directory. These vulnerabilities are a result of poor validations performed by the SCP clients. The first vulnerability, registered as &#39;CVE-2018-20685,&#39; is an improper directory name validation that could allow a remote SCP server to modify permissions of the target directory by using an empty or dot directory name. The second vulnerability, &#39;CVE-2019-6111,&#39; is a missing received object name validation flaw that could allow a malicious SCP serve to overwrite arbitrary files in the SCP client target directory. Performing a recursive operation with this flaw could allow the malicious server to also manipulate subdirectories. The third vulnerability, &#39;CVE-2019-6109,&#39; is a SCP client spoofing object name flaw that could allow client output to be manipulated using ANSI control sequences to disguise additional file transfers. The late vulnerability discovered is a SCP client spoofing via stderr flaw, registered as &#39;CVE-2019-6110,&#39; that also can allow for a malicious server to manipulate client output. These affect applications such as OpenSSH, PuTTY, and WinSCP.<br /> <a href="https://forum.anomali.com/t/36-year-old-scp-clients-implementation-flaws-discovered/3474" target="_blank">Click here for Anomali recommendation</a></p></div></div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.