July 2, 2019
Anomali Threat Research

Weekly Threat Briefing: Georgia Court System Hit in Ransomware Attack

<div id="weekly"><p id="intro">The intelligence in this week’s iteration discusses the following threats: <strong>APT, Banking malware, Cryptocurrency miner, Data leak, Exploit kit, Malvertising, Ransomware, Targeted attacks, </strong>and<strong> Vulnerabilities.</strong> The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><p><a href="https://www.darkreading.com/document.asp?doc_id=1335099" target="_blank"><b>Georgia Court System Hit in Ransomware Attack</b></a> (<i>July 1, 2019</i>)<br/> The U.S. State of Georgia Court Systems have been targeted with a ransomware attack, resulting in IT systems being taken offline. While it remains unclear how many systems were compromised, a spokesman for the Administrative Office of the Courts has confirmed that not all court systems have been affected. Officials stressed that they do not store private information that is not a public document in these systems, and that no social security numbers or other such sensitive information would be compromised. As a precaution, the network was taken offline while trying to determine the attack’s extent.<br/> <a href="https://forum.anomali.com/t/georgia-court-system-hit-in-ransomware-attack/3940" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.avast.com/europol-operation-arrests-six-in-crypto-scam" target="_blank"><b>Europol coordinates arrests of six in $28 million crypto scam</b></a> (<i>June 29, 2019</i>)<br/> Europol coordinated the arrest of five men and one woman accused of running a cryptocurrency ring that stole at least $28 million USD in Bitcoin. The suspects were arrested in the United Kingdom and the Netherlands, and the theft is believed to have affected at least 4,000 victims in 12 countries.
Europol released a cybercrime report that notes the widening trouble law enforcement agencies face with cryptocurrency scams and ransomware, and Europol intends to continue treating these types of investigations very seriously. The Europol report notes that there is a need for “greater and enhanced cooperation between international law enforcement agencies,” and that “we do not make the difference between online and real-world investigations. For us, they are interlinked. Every investigation nowadays has a cyber component.”<br/> <a href="https://forum.anomali.com/t/europol-coordinates-arrests-of-six-in-28-million-crypto-scam/3941" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&amp;CK] Web Service - T1102</a> | <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/golang-based-spreader-used-in-a-cryptocurrency-mining-malware-campaign/" target="_blank"><b>Golang Spreader Used in Cryptocurrency-Mining Malware Campaign</b></a> (<i>June 28, 2019</i>)<br/> Trend Micro researchers have identified a Golang-based spreader being used in a campaign that drops a cryptocurrency miner payload. Golang is an open-source programming language that has recently been associated with malware activity. The spreader used in this campaign scans for machines running vulnerable web applications, particularly ThinkPHP and Drupal, in order to propagate. Cybercriminals are possibly turning to Golang to make the analysis of their malware more difficult, as it is not as commonly used for malware as other languages.
Trend Micro has been detecting the use of the spreader since May 2019 and observed it again in a campaign in June 2019.<br/> <a href="https://forum.anomali.com/t/golang-spreader-used-in-cryptocurrency-mining-malware-campaign/3942" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/947115">[MITRE ATT&amp;CK] Disabling Security Tools - T1089</a> | <a href="https://ui.threatstream.com/ttp/947262">[MITRE ATT&amp;CK] Clear Command History - T1146</a> | <a href="https://ui.threatstream.com/ttp/947207">[MITRE ATT&amp;CK] Process Discovery - T1057</a></p><p><a href="https://www.infosecurity-magazine.com/news/client-data-at-ford-td-bank-1/" target="_blank"><b>Client Data at Ford, TD Bank Exposed by Attunity</b></a> (<i>June 28, 2019</i>)<br/> Attunity, a data integration and data management company, left client data files exposed on the internet, according to a June 27 report from UpGuard. The security issue stems from the misconfiguration of three Amazon S3 buckets used by Attunity, which the company has now secured. The incident involves two high-profile impacted clients, Ford and TD Bank, with exposed data related to internal business functions, as well as information technology architecture and solutions related to Attunity. Researchers at UpGuard stated that while the total size of the database is uncertain, “The researcher downloaded a sample of about a terabyte in size, including 750 gigabytes of compressed email backups.
Backups of employees’ OneDrive accounts were also present and spanned the wide range of information that employees need to perform their jobs: email correspondence, system passwords, sales and marketing contact information, project specifications, and more.”<br/> <a href="https://forum.anomali.com/t/client-data-at-ford-td-bank-exposed-by-attunity/3943" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a></p><p><a href="https://www.infosecurity-magazine.com/news/new-dridex-variant-evading-1/" target="_blank"><b>New Dridex Variant Evading Traditional Antivirus</b></a> (<i>June 28, 2019</i>)<br/> A new variant of “Dridex” malware has been discovered, according to an eSentire Threat Intelligence report from June 27, 2019. Dridex malware has been known to target Windows users who open email attachments in Word or Excel, causing macros to activate and download Dridex, infecting the computer and opening the victim to banking theft. The new variation that has been identified allows the macros to respond to different levels of employee engagement. The eSentire report explains that as of the morning of June 27, only 16 antivirus solutions of about 60 detected the suspicious behavior. 
Researchers believe that actors behind this variant of Dridex will continue to change up indicators throughout the current campaign, given the “tendency to utilize randomly generated variables and URL directories.”<br/> <a href="https://forum.anomali.com/t/new-dridex-variant-evading-traditional-antivirus/3944" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&amp;CK] Web Service - T1102</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a></p><p><a href="https://www.zdnet.com/article/new-cisco-critical-bugs-9-810-severity-nexus-security-flaws-need-urgent-update/" target="_blank"><b>New Highly-Critical Cisco Nexus Security Flaws - Require Urgent Update</b></a> (<i>June 27, 2019</i>)<br/> Admins using Cisco's automation software or Nexus kit are being urged by Cisco to patch core network-management software. The two security bugs are considered highly critical, and affect Cisco’s Data Center Network Manager (DCNM) software in its web-based management interface. The first flaw, “CVE-2019-1619,” is an authentication bypass that allows an attacker to take a valid session cookie without knowing the admin user password. The second vulnerability, “CVE-2019-1620,” would allow anyone on the internet to upload malicious files on the DCNM filesystem on affected devices. 
According to Cisco, the vulnerability is due to incorrect permission settings, which could be exploited to gain root privileges on the affected device.<br/> <a href="https://forum.anomali.com/t/new-highly-critical-cisco-nexus-security-flaws-require-urgent-update/3945" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&amp;CK] Web Service - T1102</a> | <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a></p><p><a href="https://www.recordedfuture.com/iranian-cyber-operations-infrastructure/" target="_blank"><b>Iranian Threat Actor “APT33” Targets Saudi Organizations</b></a> (<i>June 26, 2019</i>)<br/> Insikt Group and Recorded Future researchers suspect that the Iranian state-sponsored threat group “APT33,” also known as “Elfin,” or a closely aligned threat actor, continues to conduct and prepare for a widespread cyberespionage campaign. Since March 28, 2019, over 1,200 domains have been used to target mainly Saudi Arabian organizations across a variety of industries. There appears to be a strong emphasis on using commodity malware, which is an attractive option for nation-state threat actors who wish to hinder attribution efforts. Historically, APT33 targeting has focused on the aerospace and defense industries, as well as the oil and gas industry, with a strong focus on companies based in Saudi Arabia.
According to the Recorded Future researchers, a preliminary analysis identified 1,252 unique, correlated domains likely administered by the same attackers behind an APT33 campaign documented by Symantec in March 2019.<br/> <a href="https://forum.anomali.com/t/iranian-threat-actor-apt33-targets-saudi-organizations/3946" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/947233">[MITRE ATT&amp;CK] Exploitation for Privilege Escalation - T1068</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell - T1086</a> | <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/947121">[MITRE ATT&amp;CK] Network Sniffing - T1040</a> | <a href="https://ui.threatstream.com/ttp/947127">[MITRE ATT&amp;CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a></p><p><a href="https://blog.malwarebytes.com/threat-analysis/2019/06/greenflash-sundown-exploit-kit-expands-via-large-malvertising-campaign/" target="_blank"><b>Malvertising Campaign by “ShadowGate” Utilizes GreenFlash Sundown EK</b></a> (<i>June 26, 2019</i>)<br/> A recent global malvertising campaign has been associated with the cybercriminal group “ShadowGate” utilizing the “GreenFlash Sundown” exploit kit. ShadowGate is known for its elusive and stealthy tactics, and has not been associated with a large-scale incident since 2016. The campaign is responsible for pushing “SEON” ransomware, a cryptominer, and the “Pony” credential-stealer.
Users that navigate to a popular online video conversion site, OnlineVideoConverter&lt;.&gt;com, are redirected to the exploit kit if they interact with a fake GIF image that contains the launching piece of JavaScript. A careful pre-check process using PowerShell identifies whether or not the environment is ideal before deciding to drop the payload. Based on telemetry data from Malwarebytes, this campaign is active in North America and Europe, which is new territory for the ShadowGate group, which had previously been observed only in East Asian countries.<br/> <a href="https://forum.anomali.com/t/malvertising-campaign-by-shadowgate-utilizes-greenflash-sundown-ek/3947" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell - T1086</a> | <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a></p><p><a href="https://www.bleepingcomputer.com/news/security/bluestacks-flaw-lets-attackers-remotely-control-android-emulator/" target="_blank"><b>BlueStacks Flaw Lets Attackers Remotely Control Android Emulator</b></a> (<i>June 25, 2019</i>)<br/> A DNS rebinding vulnerability was identified in the BlueStacks Android Emulator by security researcher Nick Cano in April 2019. BlueStacks Android Emulator is the most widely used Android emulator globally, allowing Windows PC and Mac OS users to run Android applications. The DNS rebinding flaw allowed attackers to gain access to the emulator’s interprocess communication (IPC) functions. DNS rebinding takes advantage of the ability to set low TTLs on DNS responses so that the attacker can constantly rotate the mapped IPs, allowing the script to bypass the Same Origin Policy (SOP) and access the local host.
The vulnerability was discovered and reported to BlueStacks, and was fixed in the newest release of BlueStacks on May 27th, 2019.<br/> <a href="https://forum.anomali.com/t/bluestacks-flaw-lets-attackers-remotely-control-android-emulator/3948" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&amp;CK] Web Service - T1102</a> | <a href="https://ui.threatstream.com/ttp/947224">[MITRE ATT&amp;CK] Exfiltration Over Alternative Protocol - T1048</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery - T1082</a></p><p><a href="https://securelist.com/mobile-banker-riltok/91374/" target="_blank"><b>Riltok Mobile Banking Trojan Identified by Kaspersky Lab</b></a> (<i>June 25, 2019</i>)<br/> Kaspersky Lab researchers have identified a new variant of the Riltok mobile banking trojan that has been in operation since March 2018. The actors distributing Riltok have primarily focused on targeting individuals that reside in Russia, but versions for markets in France, Italy, Ukraine, and the United Kingdom have been detected in 2019. The trojan is distributed via SMS with a malicious link pointing to a fake website that simulates an ad-free version of one of the following popular mobile apps: Avito, Youla, Gumtree, Leboncoin, or Subito. During installation of the imitated app, Riltok asks the user for permission to use special features within the AccessibilityService, which then allows Riltok to prompt users with fake payment screens requesting bank card information. Once Riltok performs basic validation on the bank card details, the information is directed back to the criminal's Command and Control (C2) server. 
Additionally, the trojan can hide notifications from certain banking apps installed on the device.<br/> <a href="https://forum.anomali.com/t/riltok-mobile-banking-trojan-identified-by-kaspersky-lab/3949" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1260047">[MITRE MOBILE-ATT&amp;CK] Abuse Accessibility Features - T1453</a></p><p><a href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank"><b>Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers</b></a> (<i>June 25, 2019</i>)<br/> An advanced, persistent attack has been targeting telecommunication providers since at least 2012, according to Cybereason researchers. The attack, dubbed Operation Soft Cell, was aiming to obtain all data stored in the Active Directory of a large telecommunications provider, compromising usernames and passwords within the organization, as well as billing information, call detail records, credentials, email servers, and personally identifiable information. The attack consisted of customized and highly-modified versions of the China Chopper web shell, the Poison Ivy RAT, and “mimikatz” to ultimately obtain credentials. The attackers worked in waves, abandoning one thread of the attack when it was detected and stopped, but returning months later with new techniques. Cybereason believes with a high level of certainty that the threat actor is affiliated with China and is likely state-sponsored.
The tools and techniques used throughout these attacks are consistent with several Chinese actors believed to operate on behalf of the Chinese Ministry of State Security.<br/> <a href="https://forum.anomali.com/t/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers/3950" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947191">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947077">[MITRE ATT&amp;CK] Windows Management Instrumentation - T1047</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell - T1086</a> | <a href="https://ui.threatstream.com/ttp/947273">[MITRE ATT&amp;CK] Create Account - T1136</a> | <a href="https://ui.threatstream.com/ttp/947231">[MITRE ATT&amp;CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/947247">[MITRE ATT&amp;CK] Web Shell - T1100</a> | <a href="https://ui.threatstream.com/ttp/947232">[MITRE ATT&amp;CK] DLL Side-Loading - T1073</a> | <a href="https://ui.threatstream.com/ttp/947076">[MITRE ATT&amp;CK] Indicator Removal from Tools - T1066</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/1850">Credential Dumping (ATT&amp;CK T1003)</a></p><p><a href="https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-now-pushed-by-exploit-kits-and-malvertising/" target="_blank"><b>Sodinokibi Ransomware Now Pushed by Exploit Kits and Malvertising</b></a> (<i>June 24, 2019</i>)<br/> Exploit kit researcher nao_sec has discovered that “Sodinokibi” ransomware is now being distributed through malvertising that leads to the RIG exploit kit.
Sodinokibi has been making news since the “GandCrab” family of ransomware retired, so far by compromising download sites to replace legitimate software with ransomware, and by hacking into the backends of Managed Service Providers (MSPs). The new use of exploit kits shows Sodinokibi is widening its stream of vectors to infect victims with ransomware. According to ID-Ransomware, Sodinokibi has been growing and continues to use tactics similar to those GandCrab used in the past.<br/> <a href="https://forum.anomali.com/t/sodinokibi-ransomware-now-pushed-by-exploit-kits-and-malvertising/3951" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&amp;CK] Web Service - T1102</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a></p></div><div id="observed-threats"><h2 id="observedthreats">Observed Threats</h2></div><div id="threat_model"><p>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. <a href="https://www.anomali.com/products" target="_blank">Click here to request a trial</a>.</p><div id="threat_model_actors"><a href="https://ui.threatstream.com/actor/2433" target="_blank">APT33</a><br/> The Advanced Persistent Threat (APT) group “APT33” is believed to be an Iranian-based group that has been active since at least 2013. APT33 conducts cyber espionage campaigns and deploys destructive malware against organizations primarily situated in Saudi Arabia, but has also targeted firms in South Korea and the United States. They are believed to be a state-sponsored group, because their campaigns target firms that would align with Iranian government and military interests.
They have heavily targeted the aviation industry in Saudi Arabia, which may suggest that they are attempting to acquire knowledge on Saudi Arabia’s military aviation capabilities in order to enhance their domestic aviation abilities and to support strategic decisions. Their targeting of the South Korean petrochemical industry may have been to gain insight into South Korea’s partnerships with Iran’s petrochemical industry as well as its relationships with Saudi Arabian petrochemical companies, possibly in an attempt to gain the information needed to expand Iran’s petrochemical production and competitiveness in the Middle East.</div></div></div>
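The BlueStacks item above describes DNS rebinding: a page from the attacker's origin keeps issuing requests to an attacker-controlled hostname whose low-TTL answer is switched from a public address to the victim's own loopback address, so the browser's Same Origin Policy no longer protects the local listener. The two standard defences are shown in the added Python example below, which is not code from the briefing, from BlueStacks, or from the researcher cited: a client-side resolver that pins the first answer for the session and refuses answers in internal address space, and a server-side Host header check for a local service. The hostnames, the answer sequence and the allowlist are constructed for the demonstration.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed sample zone: the attacker-controlled name first answers with a
# public address and then, once its very short TTL expires, with the victim's
# own loopback address (the rebinding step). The hostname is made up.
REBINDING_ANSWERS: Dict[str, List[str]] = {
    "rebind.attacker.example": ["203.0.113.10", "127.0.0.1"],
}

def make_fake_resolver(answers: Dict[str, List[str]]) -> Callable[[str], str]:
    """Stand-in for a real DNS lookup: returns each name's answers in order and
    repeats the last one once the list is exhausted."""
    seen: Dict[str, int] = {}
    def resolve(name: str) -> str:
        seq = answers[name]
        i = seen.get(name, 0)
        seen[name] = i + 1
        return seq[min(i, len(seq) - 1)]
    return resolve

# Address space that a request triggered by a remote web page must never reach.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

def is_internal_address(ip: str) -> bool:
    """True for loopback, RFC 1918, link-local and unspecified addresses.
    IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped so it cannot slip past."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in INTERNAL_NETWORKS)

class PinnedResolver:
    """Client-side defence: resolve each hostname once per session and keep that
    answer whatever TTL the zone advertised (DNS pinning), and refuse any answer
    that points into internal address space."""
    def __init__(self, resolve: Callable[[str], str]) -> None:
        self._resolve = resolve
        self._pins: Dict[str, str] = {}

    def lookup(self, name: str) -> Optional[str]:
        if name in self._pins:
            return self._pins[name]
        ip = self._resolve(name)
        try:
            if is_internal_address(ip):
                return None  # blocked: would let the page reach localhost
        except ValueError:
            return None  # malformed answer, treat as hostile
        self._pins[name] = ip
        return ip

def host_header_allowed(host_header: str, allowed: List[str]) -> bool:
    """Server-side defence for a local IPC/HTTP listener: answer only requests
    whose Host header names this service. A rebinding page's requests still carry
    the attacker's hostname in Host, so they are rejected even after DNS changes."""
    host = host_header.strip().lower()
    if host.count(":") == 1:  # drop ":port" from the host:port form
        host = host.split(":", 1)[0]
    return host in {h.lower() for h in allowed}
```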
