Weekly Threat Briefing: Federal Agency Breach, Exploits, Malware, and Spyware

<div id="weekly"> <p id="intro">The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics:<b> APT, Cyber Espionage, FinSpy, Magento, Taurus Project </b> and <b> Vulnerabilities</b>. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. <img src="https://cdn.filestackcontent.com/qqxEl58GQyCeSCYldutB"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <div id="trending-threats"> <h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1" style="margin-bottom:0;"><a href="https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/" target="_blank"><b>German-made FinSpy Spyware Found in Egypt, and Mac and Linux Versions Revealed </b></a></h3> <p>(published: September 25, 2020)</p> <p>Security Researchers from Amnesty International have identified new variants of FinSpy, spyware that can access private data and record audio/video. While used as a law enforcement tool, authoritarian governments have been using FinSpy to spy on activists and dissidents. Spreading through fake Flash Player updates, the malware is installed as root with use of exploits, and persistence is gained by creating a logind.pslist file. Once a system is infected with the malware, it has the ability to run shell scripts, record audio, keylogging, view network information, and list files. Samples have been found of FinSpy for macOS, Windows, Android, and Linux.<br/> <b>Recommendation:</b> Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from threat actors, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947081">[MITRE ATT&amp;CK] Logon Scripts - T1037</a> | <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a><br/> <b>Tags:</b> Amnesty, Android, Backdoor, Linux, macOS, FinSpy, Spyware</p> <h3 id="article-2" style="margin-bottom:0;"><a href="https://blog.sucuri.net/2020/09/magento-credit-card-stealing-malware-gstaticapi.html" target="_blank"><b>Magento Credit Card Stealing Malware: gstaticapi</b></a></h3> <p>(published: September 25, 2020)</p> <p>Security researchers, at Sucuri, have identified a malicious script, dubbed “gstaticapi,” that is designed to steal payment information from Magento-based websites. The script first attempts to find the “checkout” string in a web browser URL and, if found, will create an element to the web pages header. This allows the JavaScript to handle external code-loading capabilities that are used to process the theft of billing and payment card information.<br/> <b>Recommendation:</b> Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external-facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947191">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947259">[MITRE ATT&amp;CK] Data Encoding - T1132</a><br/> <b>Tags:</b> Credit Card, Javascript, Magento</p> <h3 id="article-3" style="margin-bottom:0;"><a href="https://blog.malwarebytes.com/malwarebytes-news/2020/09/taurus-project-stealer-now-spreading-via-malvertising-campaign/" target="_blank"><b>Taurus Project Stealer Now Spreading via Malvertising Campaign </b></a></h3> <p>(published: September 24, 2020)</p> <p>Security Researchers from Malwarebytes have identified a new malspam campaign utilising the Taurus Project, targeting users of adult websites, primarily in the US but also in the UK and Australia. A user’s internet traffic will be routed through the Fallout exploit kit, which will in turn download Taurus on systems with unpatched versions of Internet Explorer or Flash Player. The Taurus Project is a stealer that was first observed in Spring 2020 being distributed via malspam campaigns targeting users in the US. The infection begins with a user opening a macro-laden document, kickstarting a Powershell script that in turn downloads the Taurus binary. Once installed on a device, Taurus has the ability to steal credentials from browsers, VPNs, FTP, email clients as well as cryptocurrency wallets. Taurus is believed to share a developer with the stealer “Predator the Thief” with which it shares many similarities, many security products will detect Taurus as Predator the Thief.<br/> <b>Recommendation:</b> Always keep your browser and operating system up to date, including any browser add-ons you may need (Flash, Java). Employ network as well as host-based detection and prevention systems where possible. In the case of infection, the affected system must be wiped and reformatted, and other devices on the network should be checked for similar infections.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947173">[MITRE ATT&amp;CK] Hooking - T1179</a> | <a href="https://ui.threatstream.com/ttp/947181">[MITRE ATT&amp;CK] Kernel Modules and Extensions - T1215</a> | <a href="https://ui.threatstream.com/ttp/947173">[MITRE ATT&amp;CK] Hooking - T1179</a> | <a href="https://ui.threatstream.com/ttp/947142">[MITRE ATT&amp;CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/947164">[MITRE ATT&amp;CK] File Deletion - T1107</a> | <a href="https://ui.threatstream.com/ttp/947142">[MITRE ATT&amp;CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/947166">[MITRE ATT&amp;CK] Modify Registry - T1112</a> | <a href="https://ui.threatstream.com/ttp/947173">[MITRE ATT&amp;CK] Hooking - T1179</a> | <a href="https://ui.threatstream.com/ttp/947252">[MITRE ATT&amp;CK] Query Registry - T1012</a> | <a href="https://ui.threatstream.com/ttp/947149">[MITRE ATT&amp;CK] Application Window Discovery - T1010</a> | <a href="https://ui.threatstream.com/ttp/947124">[MITRE ATT&amp;CK] Peripheral Device Discovery - T1120</a> | <a href="https://ui.threatstream.com/ttp/947156">[MITRE ATT&amp;CK] Remote Desktop Protocol - T1076</a> | <a href="https://ui.threatstream.com/ttp/947240">[MITRE ATT&amp;CK] Data Compressed - T1002</a><br/> <b>Tags:</b> Taurus Project, Predator the Thief, malspam, fallout exploit,</p> <h3 id="article-4" style="margin-bottom:0;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a" target="_blank"><b>Federal Agency Compromised by Malicious Cyber Actor </b></a></h3> <p>(published: September 24, 2020)</p> <p>A federal agency has been the victim of a successful cyber-espionage attack according to the US Cybersecurity and Infrastructure Security Agency (CISA), whilst not naming the victim, the CISA provided technical details of the attack. CISA believes the attackers gained initial access through an employee’s legitimate Office 365 login credentials, using these to log on to the computer remotely. From there, the attacker browsed pages on a SharePoint site, downloaded a file, and connected to the victim’s virtual private network server (VPN). The agency believes the attacker exploited an unpatched vulnerability, CVE-2019-11510, which allows for a remote unauthenticated retrieval of files. Once VPN access was secured a command-and-control (C2) server was contacted and “inetinfo.exe” was downloaded, this custom malware dropper allowed for a second unnamed malware to be deployed to the system. Once persistence was achieved, the attacker browsed and copied files from directories before exfiltrating them using Windows Terminal Services client. CISA has not commented on the files taken but has said that the attack has been remediated.<br/> <b>Recommendation:</b> Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947231">[MITRE ATT&amp;CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947216">[MITRE ATT&amp;CK] Exploitation for Credential Access - T1212</a> | <a href="https://ui.threatstream.com/ttp/947098">[MITRE ATT&amp;CK] Email Collection - T1114</a> | <a href="https://ui.threatstream.com/ttp/947094">[MITRE ATT&amp;CK] External Remote Services - T1133</a> | <a href="https://ui.threatstream.com/ttp/947222">[MITRE ATT&amp;CK] Account Manipulation - T1098</a> | <a href="https://ui.threatstream.com/ttp/947191">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947187">[MITRE ATT&amp;CK] System Network Configuration Discovery - T1016</a> | <a href="https://ui.threatstream.com/ttp/947191">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947190">[MITRE ATT&amp;CK] Connection Proxy - T1090</a> | <a href="https://ui.threatstream.com/ttp/947273">[MITRE ATT&amp;CK] Create Account - T1136</a> | <a href="https://ui.threatstream.com/ttp/947199">[MITRE ATT&amp;CK] Data Staged - T1074</a> | <a href="https://ui.threatstream.com/ttp/947190">[MITRE ATT&amp;CK] Connection Proxy - T1090</a> | <a href="https://ui.threatstream.com/ttp/947135">[MITRE ATT&amp;CK] Data from Local System - T1005</a> | <a href="https://ui.threatstream.com/ttp/947230">[MITRE ATT&amp;CK] Data from Network Shared Drive - T1039</a> | <a href="https://ui.threatstream.com/ttp/947127">[MITRE ATT&amp;CK] Scheduled Task - T1053</a><br/> <b>Tags:</b> cyber-espionage, government, APT, vulnerability</p> <h3 id="article-5" style="margin-bottom:0;"><a href="https://www.databreachtoday.com/exclusive-hackers-hit-virgin-mobile-in-saudi-arabia-a-15018" target="_blank"><b>Hackers Hit Virgin Mobile in Saudi Arabia</b></a></h3> <p>(published: September 21, 2020)</p> <p>According to Data Breach Today, an attacker has breached Virgin Mobile's office network in Saudi Arabia. The attack managed to gain access both to the email system and Active Directory (AD). After gaining access to the AD server, the attacker dumped the credential hashes used in the domain. The data was later advertised to be for sale on a dark web forum. It appears that the attacker exploited a vulnerability in Microsoft Exchange that was patched by Microsoft back in February. It is not known how long the threat actor was inside Virgin’s network but the exfiltrated data appears to have been exfiltrated on July 7. Cybersecurity and Infrastructure Security Agency (CISA) released an advisory on March 10 that Microsoft Exchange servers vulnerable to CVE-2020-0688 were being targeted by threat actors. A follow-up advisory was released on September 14.<br/> <b>Recommendation:</b> It is important that your company has patch-maintenance policies in place, particularly when there are Bring Your Own Device (BYOD) policies in use. Once a vulnerability has been reported on in open sources, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947094">[MITRE ATT&amp;CK] External Remote Services - T1133</a><br/> <b>Tags:</b> CVE-2020-0688, Data breach, Virgin Mobile</p> <h3 id="article-6" style="margin-bottom:0;"><a href="https://us-cert.cisa.gov/ncas/current-activity/2020/09/21/samba-releases-security-update-cve-2020-1472" target="_blank"><b>Samba Releases Security Update for CVE-2020-1472</b></a></h3> <p>(published: September 21, 2020)</p> <p>Cybersecurity and Infrastructure Security Agency (CISA) has released a bulletin about Samba addressing “CVE-2020-1472”. The bulletin urges administrators to apply the patches or workaround as soon as possible. According to Samba’s advisory, Samba is vulnerable to CVE-2020-1472 (ZeroLogon) if it is used as a domain controller. Version 4.8 (released in March 2018) and newer enforces secure logon and is not affected if the default setting is used.<br/> <b>Recommendation:</b> Update to either Samba 4.10.18, 4.11.13, or 4.12.7 to fix the issue. For workarounds, users of Samba earlier versions than 4.8 should ensure “server schannel = yes” is added to the “smb.conf” file. Users of later versions should ensure no “server schannel” line exist in the configuration file or add "server schannel = yes" to it.<br/> <b>Tags:</b> CVE-2020-1472, Samba, ZeroLogon</p> </div> </div>