The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APTs, COVID-19, Data breach, Malware, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
(published: April 4, 2020)
Two critical Firefox browser zero-day vulnerabilities have fixes available now and should be patched immediately. According to Mozilla, the vulnerabilities (CVE-2020-6819 and CVE-2020-6820) have been used in targeted attacks in the wild; however, Mozilla has not provided details on how they are being exploited. The vulnerabilities allow remote attackers to execute arbitrary code and trigger crashes on machines running Firefox versions older than 74.0.1 and Firefox Extended Support Release versions older than 68.6.1. According to the Center for Internet Security, the impact depends on the privileges of the targeted user account: an account with administrative rights could be used to install programs and to view, change, and delete data on a victim's system, whereas a more restricted account limits what the vulnerabilities can affect.
Recommendation: It is critical that the latest security patches be applied as soon as possible to Firefox and all other web browsers used by your company. Vulnerabilities are discovered relatively frequently, and it is paramount to install the security patches because the vulnerabilities are often posted to open sources where any malicious actor could attempt to mimic the techniques that are described.
MITRE ATT&CK: [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] File Deletion - T1107
Tags: Firefox, Zero day, Vulnerabilities, CVE-2020-6819, CVE-2020-6820
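As an added defender-side check (not part of the briefing, Mozilla's tooling, or CIS guidance), the following Python compares reported Firefox version strings against the fixed releases named above, telling the ESR channel apart by its `esr` suffix so that a 68.6.x ESR build is judged against 68.6.1 rather than 74.0.1. The inventory rows are constructed samples in the shape of `firefox --version` output.

```python
"""Flag Firefox installs older than the fixed releases named in the briefing:
74.0.1 on the release channel and 68.6.1 on Extended Support Release (ESR).
Added example; the inventory below is constructed sample data."""
import re
from typing import List, Tuple

FIXED_RELEASE = (74, 0, 1)   # first release-channel build with the fix
FIXED_ESR = (68, 6, 1)       # first ESR build with the fix

# Matches '73.0.1', '68.6.0esr' or 'Mozilla Firefox 74.0.1' style strings.
VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)\s*(esr)?", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Extract (major, minor, patch) and an ESR flag from a version string.
    Missing components count as 0, so '74.0' equals '74.0.0'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Firefox version found in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts = (parts + [0, 0, 0])[:3]
    return (parts[0], parts[1], parts[2]), m.group(2) is not None


def is_vulnerable(text: str) -> bool:
    """True if the build predates the fixed version for its channel."""
    version, esr = parse_version(text)
    return version < (FIXED_ESR if esr else FIXED_RELEASE)


def triage_inventory(rows: List[Tuple[str, str]]) -> List[str]:
    """Return hostnames whose Firefox build still needs the update.
    Each row is (hostname, version string as printed by `firefox --version`)."""
    return [host for host, ver in rows if is_vulnerable(ver)]


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("ws-101", "Mozilla Firefox 73.0.1"),     # release channel, unpatched
    ("ws-102", "Mozilla Firefox 74.0.1"),     # patched
    ("ws-103", "Mozilla Firefox 68.6.0esr"),  # ESR, unpatched
    ("ws-104", "Mozilla Firefox 68.6.1esr"),  # ESR, patched
    ("ws-105", "Mozilla Firefox 75.0"),       # newer than the fix
]

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: update Firefox")
```

Feeding the output of an endpoint management query into `triage_inventory` gives the list of hosts to chase; a release-channel build numbered 68.x without the `esr` suffix is correctly treated as far behind 74.0.1 rather than as a patched ESR.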
(published: April 2, 2020)
Researchers at Avast Threat Labs have identified a new COVID-19 themed wiper malware family masquerading as a file related to the virus. The wiper malware, dubbed "CoViper" by the researchers, rewrites the Master Boot Record (MBR), breaking the infected device's boot process and rendering the device non-functional until the MBR can be restored. While MBR wiper malware is often used in combination with ransomware, CoViper simply destroys the MBR, leading analysts to believe that CoViper may be an early version of malware that will later be turned into ransomware. CoViper is distributed as an installer and drops the "coronavirus.bat" stager, which installs the malware, establishes persistence on the computer, and restarts it. After the first reboot, three files are executed that start an infinite run loop and rewrite the computer's MBR.
Recommendation: Avoiding malware like CoViper should begin with employee education; it is vital that everyone understands the risks of interacting with suspicious emails and attachments, as this is a likely mechanism for delivering malware of this kind. Educate your employees on the dangers of phishing, how the attacks work, and how to avoid them. This includes the safe and proper use of email as well as web browsing activities. In case of infection, removal instructions are available online at https://www.pcrisk.com/removal-guides/17488-coviper-malware.
MITRE ATT&CK: [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] Spearphishing Link - T1192
Tags: CoViper, Coronavirus, MBR wiper, Malware
(published: April 2, 2020)
A technical analysis report has been released by Kaspersky on "Loncom," a malware packer that uses Nullsoft Scriptable Install System (NSIS) software for packing and loading shellcode, and has been seen loading malware used by Advanced Persistent Threat (APT) groups. Packers are often used by threat actors to disguise malware programs that would otherwise be detected by anti-virus, which makes analysis of the Loncom packer particularly useful when researching threat actor behavior. With Loncom, the shellcode unpacks itself as it runs, eventually decrypting the final payload. According to the research, possible payloads include the "REvil" ransomware and the "DarkVNC" backdoor. Analysts also found evidence of Cobalt Strike, a legitimate pentesting utility that is often used by threat actors, associated with the Loncom packer.
Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
Tags: Loncom, Cobalt Strike, Backdoor, Ransomware, Trojan, Dropper
(published: April 2, 2020)
An MS-SQL server campaign active since May 2018 has been discovered by threat researchers at Guardicore Labs, affecting organizations in the United States, China, South Korea, India, and Turkey. The threat actors, dubbed "Vollgar" by the researchers, are operating from China, installing backdoors and Remote Access Trojans (RATs) on internet-exposed servers that have weak credentials. Vollgar scans the internet for MS-SQL database servers with port 1433 open and brute-forces credentials to gain access. Once the machine is compromised and the actors have elevated privileges, they hunt for and remove any other malware on the server, and finally install cryptominers for the Monero and VDS cryptocurrencies. There is no evidence of specific targeting, and according to the researchers, Vollgar threat actors have infected as many as 3,000 servers a day since beginning the campaign.
Recommendation: This campaign strategy has been highly effective due to a large number of MS-SQL Server instances exposed to the internet with weak credentials. Port 1433 should not be open to the public internet, as this is a major security risk. Additionally, credentials should always be complex and secure in order to avoid the success of a brute-force credential attack.
MITRE ATT&CK: [MITRE ATT&CK] Brute Force - T1110
Tags: Microsoft, MS SQL
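The campaign above relies on guessing passwords for exposed SQL Server instances, which leaves a distinctive trail in the server's own ERRORLOG. The following Python is an added detection example (not from the briefing or Guardicore's research) that reads ERRORLOG login entries, raises an alert when one client address accumulates a threshold of failed logins inside a sliding window, and raises a second alert when a login from that address then succeeds, the sequence a successful guess produces. The log lines are constructed and use documentation IP ranges; their layout follows the ERRORLOG format for error 18456 failures and "Login succeeded" entries.

```python
"""Detect password brute-forcing against SQL Server from its ERRORLOG lines.
Added example, not from the briefing or Guardicore's research. The log
lines below are constructed; they follow the ERRORLOG layout for login
events (error 18456 failures and 'Login succeeded' entries)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})"
FAIL_RE = re.compile(TS + r" Logon\s+Login failed for user '(?P<user>[^']*)'"
                     r".*\[CLIENT: (?P<ip>[^\]]+)\]")
OK_RE = re.compile(TS + r" Logon\s+Login succeeded for user '(?P<user>[^']*)'"
                   r".*\[CLIENT: (?P<ip>[^\]]+)\]")


def parse_ts(value: str) -> datetime:
    """ERRORLOG timestamps carry two fractional digits; %f accepts 1-6."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> List[Dict]:
    """Return alerts for (a) a client IP reaching `threshold` failed logins
    inside `window` and (b) a successful login from an IP that still has
    failures inside the window, which is what a guessed password looks like."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # ip -> failure times
    flagged = set()
    alerts: List[Dict] = []

    def prune(ip: str, now: datetime) -> Deque[datetime]:
        """Drop failures older than the window and return what remains."""
        q = recent[ip]
        while q and now - q[0] > window:
            q.popleft()
        return q

    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            now, ip = parse_ts(m["ts"]), m["ip"]
            q = prune(ip, now)
            q.append(now)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)  # one alert per source, not one per extra failure
                alerts.append({"type": "bruteforce", "ip": ip, "user": m["user"],
                               "count": len(q), "at": now})
            continue
        m = OK_RE.match(line)
        if m:
            now, ip = parse_ts(m["ts"]), m["ip"]
            if prune(ip, now):
                alerts.append({"type": "success_after_failures", "ip": ip,
                               "user": m["user"], "at": now})
    return alerts


# Constructed sample ERRORLOG excerpt (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
2020-04-01 10:15:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2020-04-01 10:15:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-01 10:15:03.22 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-01 10:15:05.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-01 10:15:07.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-01 10:15:09.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-01 10:15:12.50 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-01 10:15:14.90 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2020-04-01 10:20:30.00 Logon       Login failed for user 'report_svc'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2020-04-01 10:20:35.00 Logon       Login failed for user 'report_svc'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2020-04-01 10:21:00.00 Logon       Login succeeded for user 'app_user'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.4]
"""

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, the `sa` guessing from 203.0.113.5 trips the threshold on its fifth failure and the following success is reported separately; the two failures from 198.51.100.7 stay below the threshold and the clean `app_user` login produces nothing. The thresholds are deliberately low for illustration; tune them to the normal failure rate of the instance, and treat any hit on an internet-facing 1433 listener as a reason to close the port rather than only to block the source.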
(published: April 2, 2020)
Researchers at VpnMentor discovered a breached database belonging to cloud backup provider SOS Online Backup, containing data related to approximately 135 million customer records. The breached database was left unsecured and unencrypted and contained nearly 70GB of metadata related to user accounts, and also contained customers’ personal information, including full names and contact details. VpnMentor discovered the breach in November 2019, disclosed their findings to the company on 9 December 2019, and SOS Online Backup closed the breach in mid-December 2019. There is the potential that California-based SOS Online Backup will face legal action from regulatory bodies in the countries and states it operates in as the details of the breach develop.
Recommendation: The exposure of customer information requires affected individuals to take precautionary measures to protect their identity. Additionally, breaches of this sort may cause impacted individuals to be at a greater risk of phishing attacks. Actors can use this information to craft custom emails to increase their chances of malicious activity being approved by the recipient.
Tags: SOS Online Backup, Data breach
(published: April 1, 2020)
Two new bugs in Zoom video conferencing software have been discovered by a Jamf security researcher, Patrick Wardle. Both bugs can be exploited by a local malicious actor, allowing them to gain and maintain persistent access to the computer starting from a low-privilege user account. The first vulnerability allows the actor to escalate to root privileges, and the second allows the actor to gain access to the webcam and microphone on the computer. Wardle, previously an employee of the National Security Agency (NSA), disclosed the flaws on his blog and to TechCrunch, but Zoom has not yet provided a fix or responded regarding the vulnerabilities. Zoom has been under heavy scrutiny since the beginning of the coronavirus pandemic, due to the increase in daily users and a perceived lack of privacy and security practices by the company.
Recommendation: Zoom, and all other software used by your organization, should be routinely checked for software patches and updates, and automatically updated whenever possible. It is critical that the latest security patches be applied as soon as possible. Vulnerabilities are discovered relatively frequently, and it is paramount to install the security patches before a malicious actor could attempt to mimic the techniques that are described.
MITRE ATT&CK: [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] User Execution - T1204
Tags: Zero day, Zoom, Vulnerabilities
(published: March 31, 2020)
Threat researchers at Volexity have identified a fake Flash campaign targeting Tibetan individuals and organizations. The campaign activity appears to have started in mid-2019 by "Storm Cloud," a Chinese Advanced Persistent Threat (APT) group known to target Tibetan organizations since 2018. The actors entice targeted users into installing a fake Adobe Flash update when the user visits a legitimate site that has been compromised by Storm Cloud. There appears to be a wide variety of payloads distributed using this technique, with the actors frequently changing the malware used in the attacks, including simple downloaders, "PLUGDAT," "Stitch," "GOSLU," and "BrainDamage" malware. The researchers at Volexity believe that these attacks against the Tibetan community are a continuation of digital surveillance by China to impede any formation of an independent Tibet.
Recommendation: This story represents potential threats and attacks that can arise based on current geopolitical developments. Therefore, awareness of tension between countries and governments can potentially grant some insight as to where attacks may originate. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] Spearphishing Link - T1192
Tags: Adobe Flash, Tibet, China, APT
(published: March 30, 2020)
In the ‘Stories from the SOC’ blog series, AT&T SOC analysts describe a recent real-world security incident and investigation involving the RIG Exploit Kit against an undisclosed customer. The RIG Exploit Kit has been used to distribute ransomware to companies across many industries, and in this detailed customer investigation, SOC analysts were able to match indicators for a new ransomware attack. The team was initially alerted by a Domain Name System (DNS) request to a domain indicator associated with the first stage of the cyber kill chain. During the investigation, the researchers discovered twelve firewall events egressing to the malicious domain, with six endpoint devices that had established connections to the domain. The team credits the success of the investigation and response to the opportunity to interact swiftly with the victimized customer.
Recommendation: The ransomware landscape continues to evolve and become a bigger problem. The use of endpoint prevention systems can make all the difference between an infection being blocked and one taking hold. In this case, having a SOC team properly alerted to malicious traffic thwarted any further infection. In the case of any ransomware infection, the victim should avoid paying the ransom, and the infected system should be wiped and reformatted.
Tags: RIG, Exploit kit, Ransomware
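The investigation above started from one DNS request matching a domain indicator and widened to the firewall events and endpoints behind it, which is also the "check your logs against the attached IOCs" use the briefing opens with. The following Python is an added example of that correlation step, not code from the AT&T post: it matches DNS queries against a domain indicator (including subdomains of it, a generalization of exact matching), learns the resolved address from the DNS answer, and then attributes outbound firewall events to that address so that the event count and the set of affected endpoints fall out directly. The indicator, the `key=value` log schema, and all hosts and addresses are constructed placeholders; the real IOCs are in the briefing's attachment.

```python
"""Correlate DNS and firewall logs against domain indicators.
Added example, not from the briefing or the AT&T post. The indicator,
log schema ('TIMESTAMP key=value ...') and every host/address below are
constructed placeholders."""
from collections import Counter
from typing import Dict, Iterable, List, Set

# Placeholder indicator; substitute the domains from the IOC attachment.
IOC_DOMAINS: Set[str] = {"malicious-domain.example"}


def parse_kv(line: str) -> Dict[str, str]:
    """Parse 'TIMESTAMP key=value key=value ...' into a dict with a 'ts' key."""
    ts, _, rest = line.partition(" ")
    fields: Dict[str, str] = {}
    for tok in rest.split():
        key, sep, value = tok.partition("=")
        if sep:  # ignore stray tokens that are not key=value
            fields[key] = value
    fields["ts"] = ts
    return fields


def domain_matches(qname: str, iocs: Set[str]) -> bool:
    """True if qname equals an indicator domain or is a subdomain of one."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in iocs)


def correlate(dns_lines: Iterable[str], fw_lines: Iterable[str],
              ioc_domains: Set[str], ioc_ips: Set[str] = frozenset()) -> Dict:
    """Tie DNS hits on indicator domains to outbound firewall events.

    Addresses learned from the DNS answers (rdata) of matching queries are
    added to the bad-address set, so firewall events to a resolved address
    count as traffic to the malicious domain."""
    resolved: Dict[str, str] = {}   # ip -> indicator domain it was resolved for
    dns_hits: List[Dict[str, str]] = []
    for f in (parse_kv(l) for l in dns_lines):
        if domain_matches(f.get("qname", ""), ioc_domains):
            dns_hits.append(f)
            if f.get("rdata"):
                resolved[f["rdata"]] = f["qname"]
    bad_ips = set(ioc_ips) | set(resolved)
    fw_hits = [f for f in (parse_kv(l) for l in fw_lines)
               if f.get("dir") == "out" and f.get("dst") in bad_ips]
    endpoints = sorted({f["src"] for f in dns_hits} | {f["src"] for f in fw_hits})
    all_hits = dns_hits + fw_hits
    return {
        "dns_hits": len(dns_hits),
        "fw_events": len(fw_hits),
        "fw_events_by_endpoint": dict(Counter(f["src"] for f in fw_hits)),
        "endpoints": endpoints,
        "resolved": resolved,
        "first_seen": min(f["ts"] for f in all_hits) if all_hits else None,
    }


# Constructed sample logs (documentation IP ranges, placeholder hostnames).
DNS_LOG = """\
2020-03-27T14:02:11Z host=WS-0412 src=10.1.4.12 qname=cdn.malicious-domain.example qtype=A rdata=192.0.2.44
2020-03-27T14:02:15Z host=WS-0412 src=10.1.4.12 qname=www.example.org qtype=A rdata=198.51.100.80
2020-03-27T14:03:40Z host=WS-0430 src=10.1.4.30 qname=cdn.malicious-domain.example qtype=A rdata=192.0.2.44
""".splitlines()

FW_LOG = """\
2020-03-27T14:02:12Z action=allow dir=out src=10.1.4.12 dst=192.0.2.44 dport=443
2020-03-27T14:02:16Z action=allow dir=out src=10.1.4.12 dst=198.51.100.80 dport=443
2020-03-27T14:03:41Z action=allow dir=out src=10.1.4.30 dst=192.0.2.44 dport=443
2020-03-27T14:05:02Z action=allow dir=out src=10.1.4.12 dst=192.0.2.44 dport=443
2020-03-27T14:06:00Z action=deny dir=in src=192.0.2.44 dst=10.1.4.55 dport=445
""".splitlines()

if __name__ == "__main__":
    for key, value in correlate(DNS_LOG, FW_LOG, IOC_DOMAINS).items():
        print(f"{key}: {value}")
```

On the sample, the two endpoints that resolved the indicator account for three outbound firewall events to the resolved address, while the benign lookup and the inbound denied packet are left out. The `first_seen` value is what gives the investigation its starting point on the timeline; the per-endpoint counts tell the responder which hosts to isolate first.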