May 29, 2019 - Anomali Threat Research

Weekly Threat Briefing: First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records

<div id="weekly"><p id="intro">The intelligence in this week’s iteration discusses the following threats: <strong>APT, Backdoor, Banking trojan, Data leak, Keylogger, Malspam, Malvertising, Misconfigured database, Phishing, Ransomware, Targeted attacks, </strong>and<strong> Vulnerabilities</strong>. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><p><a href="https://www.infosecurity-magazine.com/news/gandcrab-campaign-attacks-mysql-1/" target="_blank"><b>GandCrab Campaign Attacks MySQL Servers</b></a> (<i>May 28, 2019</i>)<br/> Sophos researchers have discovered that threat actors distributing the “GandCrab” ransomware are targeting “MySQL” servers. Researchers observed that the IP address of the machine hosting GandCrab was located in the US state of Arizona. However, the “user interface of the server software (HFS) running on it was set to simplified Chinese,” which may indicate that the actors behind this campaign are located in China. The attacks scan for port “3306,” which, according to MySQL documentation, is the default TCP/IP listening port of the MySQL database server.<br/> <a href="https://forum.anomali.com/t/gandcrab-campaign-attacks-mysql-servers/3836" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://krebsonsecurity.com/2019/05/first-american-financial-corp-leaked-hundreds-of-millions-of-title-insurance-records/" target="_blank"><b>First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records</b></a> (<i>May 24, 2019</i>)<br/> KrebsOnSecurity was notified that the website of the Fortune 500 real estate title insurance company “First American Financial” was leaking hundreds of millions of financial and Personally Identifiable Information (PII) documents dating back to 2003. 
The leaked data was stored in over 885 million records and consisted of bank account numbers and statements, driver’s license images, mortgage and tax records, Social Security numbers, and wire transaction receipts.<br/> <a href="https://forum.anomali.com/t/first-american-financial-corp-leaked-hundreds-of-millions-of-title-insurance-records/3837" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.ensilo.com/uncovering-new-activity-by-apt10" target="_blank"><b>Uncovering new Activity by APT10</b></a> (<i>May 24, 2019</i>)<br/> The Chinese Advanced Persistent Threat (APT) group “APT10” has added new malware loaders to its arsenal, according to enSilo researchers. In late April 2019, researchers identified two previously unseen malware loader variants, which they attribute to APT10 because of Tactics, Techniques, and Procedures (TTPs) known to be used by the group. The new loaders drop four files: a binary file (svchost.bin), a legitimate executable (jjs.exe), a legitimate Microsoft C Runtime DLL (msvcrt100.dll), and a malicious DLL (jli.dll). 
Researchers also found that the loaders are capable of delivering different payloads, such as the Remote Access Trojans “PlugX” and “Quasar.” The objective of these loaders is to install malware onto target machines, achieve persistence, and then steal data to send back to a Command and Control (C2) server.<br/> <a href="https://forum.anomali.com/t/uncovering-new-activity-by-apt10/3838" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947211">[MITRE ATT&amp;CK] Registry Run Keys / Start Folder (T1060)</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information (T1027)</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery (T1082)</a> | <a href="https://ui.threatstream.com/ttp/947164">[MITRE ATT&amp;CK] File Deletion (T1107)</a></p><p><a href="https://blog.talosintelligence.com/2019/05/sorpresa-jasperloader.html" target="_blank"><b>Sorpresa! JasperLoader Targets Italy with a New Bag of Tricks</b></a> (<i>May 23, 2019</i>)<br/> “JasperLoader,” a malware loader first seen this year, has become increasingly active throughout 2019, according to Cisco Talos researchers. A new phishing campaign distributing JasperLoader has been observed targeting individuals in Italy. The emails, written in Italian and sent through a certified email service, attempt to convince the recipient to follow a URL that returns an “HTTP 302” response redirecting to the website of the China Internet Network Information Center (CNNIC). Researchers believe this tactic is used for “geofencing,” that is, ensuring that only machines located in a specified region are infected. 
JasperLoader first achieves persistence via a scheduled task or a registry run key, and is then used to download arbitrary malware onto the infected machine.<br/> <a href="https://forum.anomali.com/t/sorpresa-jasperloader-targets-italy-with-a-new-bag-of-tricks/3839" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information (T1027)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell (T1086)</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution (T1204)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947211">[MITRE ATT&amp;CK] Registry Run Keys / Start Folder (T1060)</a> | <a href="https://ui.threatstream.com/ttp/947127">[MITRE ATT&amp;CK] Scheduled Task (T1053)</a></p><p><a href="https://www.zdnet.com/article/researcher-publishes-windows-zero-days-for-the-third-day-in-a-row/" target="_blank"><b>Researcher Published Windows Zero-Days for the Third Day in a Row</b></a> (<i>May 23, 2019</i>)<br/> Another zero-day vulnerability for the Windows operating system, with associated Proof-of-Concept (POC) code, has been published to GitHub by the researcher known as “SandboxEscaper.” The vulnerability is a bypass of the patch Microsoft issued for “CVE-2019-0841,” a vulnerability that could allow a low-privileged user “to hijack files that are owned by NT AUTHORITY\SYSTEM by overwriting permissions on the targeted file.” Threat actors could exploit this vulnerability to plant malware in folders they are not authorized to write to.<br/> <a href="https://forum.anomali.com/t/researcher-published-windows-zero-days-for-the-third-day-in-a-row/3840" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank"><b>A 
Journey to Zebrocy Land</b></a> (<i>May 22, 2019</i>)<br/> ESET researchers have published a report on the “Zebrocy” backdoor used by the Russian Advanced Persistent Threat (APT) group “APT28.” The researchers analyzed Zebrocy, which APT28 has used increasingly since August 2018, to identify the commands the malware supports and thereby learn which data types are of most interest to the group. Zebrocy was observed not only stealing credentials from numerous email providers and web browsers, but also deploying, via the command “CME_Execute,” another custom backdoor onto target machines deemed more important than others. Interestingly, as of this writing researchers do not know what this second backdoor is being used for.<br/> <a href="https://forum.anomali.com/t/a-journey-to-zebrocy-land/3841" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link (T1192)</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution (T1204)</a> | <a href="https://ui.threatstream.com/ttp/947170">[MITRE ATT&amp;CK] Rundll32 (T1085)</a> | <a href="https://ui.threatstream.com/ttp/947077">[MITRE ATT&amp;CK] Windows Management Instrumentation (T1047)</a> | <a href="https://ui.threatstream.com/ttp/947127">[MITRE ATT&amp;CK] Scheduled Task (T1053)</a> | <a href="https://ui.threatstream.com/ttp/947211">[MITRE ATT&amp;CK] Registry Run Keys / Start Folder (T1060)</a> | <a href="https://ui.threatstream.com/ttp/947214">[MITRE ATT&amp;CK] Component Object Model Hijacking (T1122)</a> | <a href="https://ui.threatstream.com/ttp/947164">[MITRE ATT&amp;CK] File Deletion (T1107)</a> | <a href="https://ui.threatstream.com/ttp/947115">[MITRE ATT&amp;CK] Disabling Security Tools (T1089)</a> | <a href="https://ui.threatstream.com/ttp/947252">[MITRE ATT&amp;CK] Query Registry (T1012)</a> | <a 
href="https://ui.threatstream.com/ttp/1260109">[MITRE MOBILE-ATT&amp;CK] Process Discovery (MOB-T1027)</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery (T1082)</a> | <a href="https://ui.threatstream.com/ttp/1260082">[MITRE MOBILE-ATT&amp;CK] File and Directory Discovery (MOB-T1023)</a> | <a href="https://ui.threatstream.com/ttp/947135">[MITRE ATT&amp;CK] Data from Local System (T1005)</a> | <a href="https://ui.threatstream.com/ttp/947230">[MITRE ATT&amp;CK] Data from Network Shared Drive (T1039)</a> | <a href="https://ui.threatstream.com/ttp/947100">[MITRE ATT&amp;CK] Data from Removable Media (T1025)</a> | <a href="https://ui.threatstream.com/ttp/947199">[MITRE ATT&amp;CK] Data Staged (T1074)</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&amp;CK] Input Capture (T1056)</a> | <a href="https://ui.threatstream.com/ttp/947079">[MITRE ATT&amp;CK] Screen Capture (T1113)</a> | <a href="https://ui.threatstream.com/ttp/947193">[MITRE ATT&amp;CK] Automated Exfiltration (T1020)</a> | <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&amp;CK] Data Encrypted (T1022)</a></p><p><a href="https://www.tripwire.com/state-of-security/featured/data-millions-instagram-accounts-internet/" target="_blank"><b>Data on Millions of Instagram Accounts Spills Onto the Internet</b></a> (<i>May 22, 2019</i>)<br/> Security researcher Anurag Sen identified an Amazon Web Services (AWS) bucket that was publicly accessible to anyone who navigated to the correct URL. The database contained information associated with millions of Instagram accounts that appeared to have been scraped from the profiles. The information consists of account verification status, account follower count, biography, city, country, email address, and phone number. 
The database is believed to be owned by the Mumbai-based social media marketing firm “Chtrbox.”<br/> <a href="https://forum.anomali.com/t/data-on-millions-of-instagram-accounts-spills-onto-the-internet/3842" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bleepingcomputer.com/news/security/getcrypt-ransomware-brute-forces-credentials-decryptor-released/" target="_blank"><b>GetCrypt Ransomware Brute Forces Credentials, Decryptor Released</b></a> (<i>May 22, 2019</i>)<br/> The exploit kit researchers known as “nao_sec” discovered a new ransomware called “GetCrypt.” The ransomware is delivered through malvertising campaigns that redirect users to the “RIG” Exploit Kit (EK); the campaign was found to be using the “Popcash” advertisement network to distribute the malvertisements. If a user clicks on a malvertisement, they are redirected to a webpage hosting the RIG EK, which attempts to run malicious scripts that exploit vulnerabilities on the host machine. The ransomware checks the default language of the Windows machine and halts the encryption process if it is Belarusian, Kazakh, Russian, or Ukrainian; otherwise GetCrypt encrypts files using the “Salsa20” and “RSA-4096” algorithms. 
The ransomware is also capable of brute-forcing network account credentials in order to propagate through a network.<br/> <a href="https://forum.anomali.com/t/getcrypt-ransomware-brute-forces-credentials-decryptor-released/3843" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947227">[MITRE ATT&amp;CK] Brute Force (T1110)</a> | <a href="https://ui.threatstream.com/ttp/1259935">[MITRE PRE-ATT&amp;CK] Deploy exploit using advertising (PRE-T1157)</a></p><p><a href="https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/" target="_blank"><b>RDP Stands for “Really DO Patch!” – Understanding the Wormable RDP Vulnerability CVE-2019-0708</b></a> (<i>May 21, 2019</i>)<br/> The Remote Code Execution (RCE) vulnerability in Microsoft’s Remote Desktop Services, registered as “CVE-2019-0708,” now has Proof-of-Concept (POC) code associated with it. The vulnerability can be exploited by an actor connecting to the target via Remote Desktop Protocol (RDP) and sending specially crafted requests. The vulnerability affects multiple Windows operating systems, including Windows 2003, Windows XP, Windows 7, Windows Server 2008, and Windows Server 2008 R2. 
CVE-2019-0708 is a wormable vulnerability that could be used to spread to other systems, similar to the global “WannaCry” ransomware campaign that took place in March 2017.<br/> <a href="https://forum.anomali.com/t/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/3844" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.malwarebytes.com/cybercrime/2019/05/skimmer-acts-as-payment-service-provider-via-rogue-iframe/" target="_blank"><b>Skimmer Acts as Payment Service Provider via Rogue Iframe</b></a> (<i>May 21, 2019</i>)<br/> One of the approximately 12 financially motivated groups referred to by the umbrella term “Magecart” has been found using overlay techniques to steal credit card information, according to Malwarebytes Labs researchers. In this campaign the group, potentially Magecart Group 4 given the overlay tactics, injects into a “Magento” ecommerce site an iframe that requests credit card information when a user reaches the checkout page to complete a purchase. These credit card fields do not exist in the normal checkout page prior to the Magecart injection. The stolen data is exfiltrated via a network request.<br/> <a href="https://forum.anomali.com/t/skimmer-acts-as-payment-service-provider-via-rogue-iframe/3845" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://myonlinesecurity.co.uk/hawkeye-keylogger-via-fake-receipt-stolen-data-sent-to-another-keylogger-site/" target="_blank"><b>Hawkeye Keylogger via Fake Receipt. Stolen Data Sent to Another Keylogger Site</b></a> (<i>May 20, 2019</i>)<br/> Security researchers have noticed a decline in malspam campaigns over the past six weeks; however, one low-volume campaign delivering the “Hawkeye” keylogger has been observed. 
The actors behind this campaign are distributing a version of Hawkeye that differs from previous versions in where the stolen data is sent and in the email used to distribute it. The malspam emails claim that the recipient has made a payment and that the receipt is attached; if opened, the attachment prompts the user to enable macros, and the Hawkeye infection process begins once macros are enabled. Interestingly, the actors left the email address that receives the stolen information (chit@spytector[.]com) legible in plain text.<br/> <a href="https://forum.anomali.com/t/hawkeye-keylogger-via-fake-receipt-stolen-data-sent-to-another-keylogger-site/3846" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution (T1204)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting (T1064)</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-watch-arrival-via-redirection-url-in-spam/" target="_blank"><b>Trickbot Watch: Arrival via Redirection URL in Spam</b></a> (<i>May 20, 2019</i>)<br/> Trend Micro researchers have found a variant of the banking trojan “Trickbot” being distributed via spam emails that attempt to trick the recipient into following a malicious URL. The spam email claims that an order has been processed and directs the recipient to a hyperlink for the payment reference; it even adds social media tags to the body of the email in an attempt to appear more authentic. This Trickbot variant was observed using “Google to redirect from the URL hxxps://google[.]dm:443/url?q=&lt;trickbot downloader&gt;,” with the query string being the malicious URL that downloads Trickbot. The downloader page impersonates an order review page that claims the order review will be downloaded in three seconds. 
The download is a .zip file containing a Visual Basic Script (VBS) that is actually the Trickbot downloader. Trickbot has numerous malicious capabilities, such as stealing browser data, credentials, and system information, among other functions.<br/> <a href="https://forum.anomali.com/t/trickbot-watch-arrival-via-redirection-url-in-spam/3847" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution (T1204)</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery (T1082)</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&amp;CK] Exfiltration Over Command and Control Channel (T1041)</a></p><p><a href="https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html" target="_blank"><b>Recent MuddyWater-Associated BlackWater Campaign Shows Signs of New Anti-Detection Techniques</b></a> (<i>May 20, 2019</i>)<br/> The Advanced Persistent Threat (APT) group “MuddyWater” has added new techniques to its arsenal, according to Cisco Talos researchers. MuddyWater has been active since at least 2017 and primarily targets entities located in Middle Eastern countries. Researchers identified malicious documents attributed to MuddyWater, likely delivered via spearphishing emails, that contain a password-protected macro called “BlackWater.bas.” The password protection prevents the macro from being viewed in the Visual Basic editor, serving as an anti-analysis technique and perhaps as an attempt to impersonate a penetration-testing team’s tool. The macro contains a PowerShell script that gains persistence through the “Run” registry key and calls a file that appears to be a stager every 300 seconds. 
The stager then communicates with a MuddyWater-controlled server to “obtain a component of the FruityC2 agent script,” which is an open source, post-exploitation tool.<br/> <a href="https://forum.anomali.com/t/recent-muddywater-associated-blackwater-campaign-shows-signs-of-new-anti-detection-techniques/3848" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell (T1086)</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution (T1204)</a> | <a href="https://ui.threatstream.com/ttp/947211">[MITRE ATT&amp;CK] Registry Run Keys / Start Folder (T1060)</a> | <a href="https://ui.threatstream.com/ttp/947077">[MITRE ATT&amp;CK] Windows Management Instrumentation (T1047)</a></p></div><div id="observed-threats"><h2 id="observedthreats">Observed Threats</h2></div><div id="threat_model"><p>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. <a href="https://www.anomali.com/products" target="_blank">Click here to request a trial</a>.</p><div id="threat_model_actors"><div><a href="https://ui.threatstream.com/actor/1174" target="_blank">APT10</a><p>APT10 is believed to be a China-based group that has been active since at least 2009, and first appeared in public sources in 2013. They gained notoriety by targeting defense contractors around the world, but primarily those located in the U.S. APT10 has evolved from primarily targeting the Defense Industrial Base (DIB) to conducting global cyberespionage campaigns against numerous targets in multiple sectors. 
They are a highly sophisticated group that specializes in acquiring strategic information which researchers believe serves China’s national security objectives. APT10 is believed to have compromised government agencies, as well as public and private organizations around the globe, and to have exfiltrated large amounts of sensitive information.</p></div></div><div id="threat_model_vulnerability"> </div></div></div>
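The GetCrypt entry above notes that the ransomware brute-forces network account credentials to propagate. The defensive counterpart is a detector over authentication logs that flags a source producing many failed logons in a short window, and escalates when a success follows the burst. The following is an added example written for this briefing page; it is not code from Anomali, BleepingComputer or nao_sec. The log line format, hosts, IP addresses and account names are all constructed for the example.

```python
"""Detect credential brute-forcing (and lateral spraying) in authentication logs."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample export: timestamp, target host, source IP, account, result.
# This is not any vendor's real log format.
SAMPLE_LOG = """\
2019-05-22T10:00:01 host=FILESRV01 src=10.0.0.23 user=jsmith result=SUCCESS
2019-05-22T10:00:05 host=FILESRV01 src=10.0.0.77 user=Administrator result=FAILURE
2019-05-22T10:00:06 host=FILESRV01 src=10.0.0.77 user=admin result=FAILURE
2019-05-22T10:00:07 host=FILESRV02 src=10.0.0.77 user=Administrator result=FAILURE
2019-05-22T10:00:08 host=FILESRV02 src=10.0.0.77 user=backup result=FAILURE
2019-05-22T10:00:09 host=APPSRV01 src=10.0.0.77 user=Administrator result=FAILURE
2019-05-22T10:00:10 host=APPSRV01 src=10.0.0.77 user=svc_sql result=FAILURE
2019-05-22T10:00:12 host=APPSRV01 src=10.0.0.77 user=Administrator result=SUCCESS
2019-05-22T10:03:00 host=FILESRV01 src=10.0.0.23 user=jsmith result=FAILURE
2019-05-22T10:09:00 host=FILESRV01 src=10.0.0.23 user=jsmith result=FAILURE
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


@dataclass
class Alert:
    src: str                    # source address of the failed logons
    failures: int               # failures inside the window when the alert last fired
    hosts: int                  # distinct target hosts hit (lateral spread indicator)
    users: int                  # distinct accounts tried (spraying indicator)
    followed_by_success: bool   # a successful logon from the same source after the burst


def parse(lines):
    """Yield parsed events; malformed lines are skipped rather than aborting the run."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        yield ev


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return one Alert per source IP that reaches `threshold` failures within `window`."""
    recent = defaultdict(deque)   # src -> deque of (ts, host, user) for failures in the window
    alerted = {}
    for ev in parse(log_text.splitlines()):
        src = ev["src"]
        if ev["result"] == "FAILURE":
            q = recent[src]
            q.append((ev["ts"], ev["host"], ev["user"]))
            while q and ev["ts"] - q[0][0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                prev = alerted.get(src)
                alerted[src] = Alert(
                    src=src,
                    failures=len(q),
                    hosts=len({h for _ts, h, _u in q}),
                    users=len({u for _ts, _h, u in q}),
                    followed_by_success=prev.followed_by_success if prev else False,
                )
        elif ev["result"] == "SUCCESS" and src in alerted:
            # A success right after a burst of failures is the highest-priority signal:
            # the guessing may have worked and the source should be contained.
            alerted[src].followed_by_success = True
    return list(alerted.values())


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(a)
```

Only 10.0.0.77 trips the detector: six failures in five seconds across three hosts and four accounts, followed by a success. The two failures from 10.0.0.23 are six minutes apart and never accumulate within the 60-second window, which is why the window (and not a raw count) keeps ordinary typos out of the alert queue.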
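The Instagram entry above describes an AWS bucket that anyone with the URL could read. A bucket becomes world-readable either through a bucket policy that allows a wildcard principal or through an ACL grant to the AllUsers or AuthenticatedUsers groups, and both can be caught by inspecting the documents before or after they are applied. The following is an added example written for this briefing page, not code from Anomali, Tripwire or the firm named in the entry; the policy and ACL documents are constructed, and the account ID and role name in them are placeholders.

```python
"""Static audit of S3 bucket policy and ACL documents for public access."""
import json

# Predefined S3 group URIs that make an ACL grant public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed bucket policy: one public read statement, one scoped statement,
# and a Deny that uses "*" for hardening rather than exposure.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-placeholder"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Constructed ACL in the Grants shape returned by GetBucketAcl.
SAMPLE_ACL = {
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ]
}


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for "*" or for any "*" inside {"AWS": ...} style principal maps."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for key in principal for p in _as_list(principal[key]))
    return False


def public_policy_statements(policy_json):
    """Return every Allow statement that grants to a wildcard principal."""
    policy = json.loads(policy_json)
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # a Deny with Principal "*" restricts access, it does not open it
        if _is_wildcard_principal(st.get("Principal")):
            findings.append({
                "sid": st.get("Sid", f"statement[{i}]"),
                "actions": ",".join(_as_list(st.get("Action", []))),
                # A Condition may narrow the grant; still report it so a human reviews it.
                "conditioned": "Condition" in st,
            })
    return findings


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return findings


def is_public(policy_json, acl):
    """Either mechanism alone is enough to expose the bucket contents."""
    return bool(public_policy_statements(policy_json)) or bool(public_acl_grants(acl))


if __name__ == "__main__":
    print(public_policy_statements(SAMPLE_POLICY))
    print(public_acl_grants(SAMPLE_ACL))
    print("PUBLIC" if is_public(SAMPLE_POLICY, SAMPLE_ACL) else "not public")
```

The check deliberately ignores Deny statements and reports conditioned Allow statements rather than suppressing them: a condition can scope a wildcard grant down to a VPC endpoint or a referer, but whether it actually does is a review decision, not something a linter should guess.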
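The Skimmer entry above describes an iframe injected into a Magento checkout page that asks for card details the legitimate page never collected. A cheap control on the merchant side is to record which iframe origins and which card-data input fields the known-good checkout page contains, then diff every later fetch of that page against the baseline and alert on anything new. The following is an added example written for this briefing page; it is not code from Anomali, Malwarebytes or the Magento project. Both HTML documents and the payment-processor hostname are constructed, and the list of attribute hints used to recognise card fields is a heuristic chosen for the example.

```python
"""Baseline comparison of a checkout page's iframe origins and card-data fields."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Substrings in name/id/autocomplete/placeholder that suggest an input collects card data.
# Constructed heuristic list; tune it to the site's own field naming.
CARD_FIELD_HINTS = ("card", "ccnum", "cc_", "cvv", "cvc", "expir")


class CheckoutInventory(HTMLParser):
    """Collect iframe origins and card-like input fields from one page."""

    def __init__(self):
        super().__init__()
        self.iframe_origins = set()
        self.card_fields = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src"):
            u = urlparse(a["src"])
            # Keep only scheme://host so rotating session ids in the path or query
            # do not churn the baseline; relative srcs are kept verbatim.
            self.iframe_origins.add(f"{u.scheme}://{u.netloc}" if u.netloc else a["src"])
        elif tag == "input":
            label = " ".join(a.get(k, "") for k in ("name", "id", "autocomplete", "placeholder")).lower()
            if any(hint in label for hint in CARD_FIELD_HINTS):
                self.card_fields.add(a.get("name") or a.get("id") or label.strip())


def inventory(html_text):
    """Return the set of iframe origins and card-like fields present in a page."""
    p = CheckoutInventory()
    p.feed(html_text)
    p.close()
    return {"iframes": p.iframe_origins, "card_fields": p.card_fields}


def diff_against_baseline(baseline_html, observed_html):
    """Return iframe origins and card fields present in the observed page but not the baseline."""
    base, obs = inventory(baseline_html), inventory(observed_html)
    return {
        "new_iframes": sorted(obs["iframes"] - base["iframes"]),
        "new_card_fields": sorted(obs["card_fields"] - base["card_fields"]),
    }


# Constructed known-good checkout page: card entry is handled entirely inside the
# payment processor's own iframe, so the merchant page has no card fields at all.
BASELINE_HTML = """
<form id="checkout">
  <input name="email" type="email">
  <input name="shipping_address" type="text">
  <iframe src="https://pay.processor.example/frame?session=abc"></iframe>
</form>
"""

# Constructed page as it might look after an injection: a second iframe from an
# unrelated host plus card-number and CVV inputs that the baseline never had.
INJECTED_HTML = """
<form id="checkout">
  <input name="email" type="email">
  <input name="shipping_address" type="text">
  <iframe src="https://pay.processor.example/frame?session=xyz"></iframe>
  <iframe src="https://cdn-static.example.net/pay.html"></iframe>
  <input name="cc_number" placeholder="Card number">
  <input name="cc_cvv" placeholder="CVV">
</form>
"""

if __name__ == "__main__":
    print(diff_against_baseline(BASELINE_HTML, INJECTED_HTML))
```

Because the legitimate processor iframe changes its session parameter on every load, the comparison is made on origin rather than full URL; the baseline itself stays stable across fetches, and any new origin or new card field is exactly the condition the entry describes. Pair this with a `frame-src` / `form-action` Content Security Policy so the injected iframe is blocked as well as detected.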
