Weekly Threat Briefing: Faulty Patch for Oracle WebLogic Flaw Opens Updated Servers to Hackers Again

The intelligence in this week’s iteration discuss the following threats: APT, Banking trojan, Data leak, Malspam, Phishing, Ransomware, Targeted attacks, Threat group, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.<h2>Trending Threats</h2><a href="https://thehackernews.com/2018/04/oracle-weblogic-rce-exploit.html" target="_blank">Faulty Patch for Oracle WebLogic Flaw Opens Updated Servers to Hackers Again</a> (April 30, 2018) A security researcher with the Twitter name “@pyn3rd,” who claims to be part of the Alibaba security team, discovered that a recently patched Oracle WebLogic Server remote code vulnerability can still be exploited due to a faulty blacklist type patch, by swapping out a interface parameter. The vulnerability, registered as “CVE-2018-2628,” affects WebLogic Server versions 10.3.6.0, 12.1.3.0, 12.2.1.2, and 12.2.1.3. <a href="https://forum.anomali.com/t/faulty-patch-for-oracle-weblogic-flaw-opens-updated-servers-to-hackers-again/2400/1" target="_blank">Click here for Anomali recommendation</a><a href="https://congnghe.tuoitre.vn/lo-thong-tin-hang-tram-trieu-tai-khoan-khach-hang-vng-xin-loi-20180427225719109.htm" target="_blank">Hundreds of Millions of Customer Accounts, Sorry VNG</a> (April 27, 2018) The Vietnamese newspaper “Tu?i Tr?” found that an information-sharing forum called “Raid Forums” posted a thread on April 24 that discussed a data leak of 163,666,400 Zing ID accounts for the technology company “VNG Corporation.” On April 27, VNG acknowledged that over 163 million Zing IDs are at risk dating back to 2015. The company also stated that 99% of Zing ID accounts have not generated any activity for more than a year, and that the extent of users affected by this problem is not large. However, the scale of this leak is too large to not be taken seriously. The leaked data consists of the following: address, city, country of residence, date of birth, email, full name, game code, and IP. <a href="https://forum.anomali.com/t/hundreds-of-millions-of-customer-accounts-sorry-vng/2401" target="_blank">Click here for Anomali recommendation</a><a href="https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html?m=1" target="_blank">GravityRAT – The Two-year Evolution of an APT Targeting India</a> (April 26, 2018) Cisco Talos researchers have identified a new malware, dubbed “GravityRAT,” that has been under development for at least 18 months. Researchers note that while information about this Remote Access Trojan (RAT) has not yet been published, the National Computer Emergency Response Team of India did describe a RAT that was being used in targeted attacks in their country. The primary initial infection vector for GravityRAT is accomplished via malicious Microsoft Word documents. The documents request that a user enable macros to properly view the document and, if enabled, will begin the infection process for GravityRAT. The malware is capable of stealing basic system information of an infected machine as well as files with certain extensions. <a href="https://forum.anomali.com/t/gravityrat-the-two-year-evolution-of-an-apt-targeting-india/2402" target="_blank">Click here for Anomali recommendation</a><a href="https://www.vadesecure.com/en/phishing-attack-targets-550-million/" target="_blank">Vade Secure Discovered New Phishing Attack Targeting 550 Million Email Users Globally</a> (April 26, 2018) A new, large-scale phishing campaign has distributed more than 550 million emails since it was first detected in early January 2018, according to Vade Secure researchers. this campaign is targeting people around the world, but the highest concentration of targets are located in France, Germany, the Netherlands, the U.K., and the U.S. The threat actors behind this campaign are attempting to steal banking credentials by pretending to offer a coupon or discount for partaking in a quiz for an online event. <a href="https://forum.anomali.com/t/vade-secure-discovered-new-phishing-attack-targeting-550-million-email-users-globally/2403" target="_blank">Click here for Anomali recommendation</a><a href="https://www.securityweek.com/authorities-take-down-largest-ddos-services-marketplace" target="_blank">Authorities Take Down Largest DDoS Services Marketplace</a> (April 25, 2018) The Dutch police, the U.K.’s National Crime Agency, Europol, and other authorities around the world collaborated on the take-down of a large Distributed Denial-of-Service (DDoS) for service website. The website “Webstresser[.]org” offered DDoS services for approximately $14.99 USD a month. At the time the website was taken down, Webstresser boasted over 136,000 registered users and is believed to have been responsible for approximately four million DDoS attacks as of April 2018. <a href="https://forum.anomali.com/t/authorities-take-down-largest-ddos-services-marketplace/2404" target="_blank">Click here for Anomali recommendation</a><a href="https://research.checkpoint.com/a-phishing-kit-investigative-report/" target="_blank">A New Phishing Kit on the Dark Net</a> (April 24, 2018) Check Point and CyberInt researchers worked in collaboration to identify a new “phishing kit” that is being advertised on underground forums. A phishing kit is a collection of tools, and in this case infrastructure, that allows even the most non-technical individuals to simply conduct phishing attacks. Features in this kit include an administrator panel, the ability to use legitimate URLs of retail company’s product page to add a layer of legitimacy, and force these pages to leave credit card information fields empty to steal said information, among others. An actor going by the alias “[A]pache” claims to be the creator of the kit is offering his work for purchase for between $100 and $300 USD (depending on features). This phishing kit targets Brazilian retailers and includes: Americanas, Casa Bahia, Extra, Ponto Frio, Shoptime, Submarino, and Walmar <a href="https://forum.anomali.com/t/a-new-phishing-kit-on-the-dark-net/2405" target="_blank">Click here for Anomali recommendation</a><a href="https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/" target="_blank">Sednit Update: Analysis of Zebrocy</a> (April 24, 2018) ESET researchers have published new information regarding a new malware component used by the Advanced Persistent Threat group called “Sednit” (APT28, Fancy Bear, Sofacy, Strontium). The malware component, called “Zebrocy,” was first reported on by Kaspersky researchers in March 2018. ESET researchers delved deeper into the malware and found that Zebrocy may be taking steps to replace their custom first-stage malware “Seduploader,” or use the Zebrocy first-stage loader in tandem with Seduploader. Zebrocy is primarily delivered via malicious email attachments. The documents were found contain a Visual Basic for Applications (VBA) macro, or abuse Microsoft’s Dynamic Data Exchange (DDE). Once on a machine, Zebrocy will download other APT28 malware such as the AutoIT downloader, Delphi downloader, and the Delphi backdoor. <a href="https://forum.anomali.com/t/sednit-update-analysis-of-zebrocy/2406" target="_blank">Click here for Anomali recommendation</a><a href="https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html" target="_blank">Metamorfo Campaigns Targeting Brazilian Users</a> (April 24, 2018) Several malspam campaigns, dubbed “Metamorfo,” have been targeting Brazilian companies with the objective of delivering banking trojans, according to FireEye researchers. The malspam emails were found to contain HTML attachments which the content of the email purports is some sort of data. If the URL inside the HTML attachment is loaded, it redirects a malspam recipient to a legitimate cloud storage website such as Dropbox, GitHub, or Google Drive. The recipient is redirected to attempt to trick them into downloading a ZIP file. If the ZIP file is opened and the executable file inside is run, a user will have begun the infection process for a banking trojan. Other tactics in this campaign include malspam emails that contain links to legitimate or compromised domains with shortened URLs that also redirect to cloud storage sites to download a ZIP file. The trojan steals banking credentials by displaying fake forms over the top of banking websites in addition to having keylogger functionality. <a href="https://forum.anomali.com/t/metamorfo-campaigns-targeting-brazilian-users/2407" target="_blank">Click here for Anomali recommendation</a><a href="https://threatpost.com/ransomware-attack-hits-ukrainian-energy-ministry-exploiting-drupalgeddon2/131373/" target="_blank">Ransomware Attack Hits Ukrainian Energy Ministry, Exploiting Drupalageddon2</a> (April 24, 2018) The website of Ukraine’s energy ministry was compromised and had its files encrypted by threat actors. AlientVault researchers believe that the attack was conducted in two phases. First, a threat actor with the alias “X-zakaria” was able to deface said website. Second, a different, unknown actor used X-zakaria’s backdoor that was left on the website for access and subsequently encrypted the website’s files. A ransom note was left on the website demanding 0.1 bitcoins (approximately $928 USD) to decrypt the files. Researchers believe that the actors exploited a vulnerability called “Drupalgeddon2,” which is a remote code execution vulnerability that affects most Drupal-run websites. <a href="https://forum.anomali.com/t/ransomware-attack-hits-ukrainian-energy-ministry-exploiting-drupalageddon2/2408" target="_blank">Click here for Anomali recommendation</a><a href="https://blog.roysolberg.com/2018/04/hotel-leak" target="_blank">Case #15: Leaked Hotel Reservations</a> (April 23, 2018) Ariane Systems, a provider of self-guest check-in and check-out technology, was found to have a leak in one of its newsletter software installations. This leak exposed more than 1.5 million hotel reservation information records dating back to at least 2016, and also include future hotel bookings. The exposed data consisted of: date of arrival and departure, email address, full name, hotel name, reservation number, and hotel room. Most of the affected hotels are located in France and Germany, according to Ariane. <a href="https://forum.anomali.com/t/case-15-leaked-hotel-reservations/2409" target="_blank">Click here for Anomali recommendation</a><a href="https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia" target="_blank">New Orangeworm Attack Group Targets the Healthcare Sector in the U.S., Europe, and Asia</a> (April 23, 2018) A newly identified threat group, dubbed “Orangeworm,” that is targeting organizations in the healthcare industry in Asia, Europe, and the U.S. Malicious activity associated with the group was first observed in January 2015; in this timeframe the group targeted healthcare providers, IT solution providers for healthcare and equipment manufacturers, and pharmaceuticals. In recent malicious activity, Orangeworm has been observed installing a custom backdoor called “Kwampirs.” The group’s objective is to gain access to a target’s network, and install Kwampirs to grant remote access to a compromised machine. To propagate itself, the backdoor copies itself across open network shares. <a href="https://forum.anomali.com/t/new-orangeworm-attack-group-targets-the-healthcare-sector-in-the-u-s-europe-and-asia/2410" target="_blank">Click here for Anomali recommendation</a>