Weekly Threat Briefing: Google Researchers Discover Malicious Websites Hacking iPhones for Years

<div id="weekly"><p id="intro">The intelligence in this week’s iteration discuss the following threats: <strong>CamScanner, Data Breaches, FIN6, iPhone Hacking, Quasar RAT, Retadup Botnet, REvil Ransomware, TA505, </strong>and<strong> TrickBot</strong>. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><p><a href="https://www.reuters.com/article/us-capital-one-fin-cyber/u-s-jury-indicts-suspected-capital-one-hacker-on-wire-fraud-data-theft-charges-idUSKCN1VJ0DL" target="_blank"><b>U.S. Jury Indicts Suspected Capital One Hacker on Wire Fraud, Data Theft Charges</b></a> (<i>August 29, 2019</i>)<br/> Following the conclusion of a federal grand jury investigation, formal charges have been filed against Paige Thompson, the suspected threat actor who obtained personal information of over 100 million people in a Capital One data breach between March and July 2019. Thompson, a former Amazon Web Services (AWS) software engineer, is charged with wire fraud and computer data theft. In late March 2019, Thompson created a program that scanned cloud customers for a specific web application firewall misconfiguration, ultimately exploiting the misconfiguration to extract account credentials for more than 30 victim databases, one of which was Capital One. The Department of Justice has not identified the other companies or agencies breached by Thompson. According to Capital One, approximately 140,000 Social Security numbers and 80,000 associated bank account numbers were compromised in the data breach.<br/> <a href="https://forum.anomali.com/t/u-s-jury-indicts-suspected-capital-one-hacker-on-wire-fraud-data-theft-charges/4141" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a></p><p><a href="https://www.vice.com/en_us/article/bjwne5/malicious-websites-hacked-iphones-for-years" target="_blank"><b>Google Researchers Discover Malicious Websites Hacking iPhones for Years</b></a> (<i>August 29, 2019</i>)<br/> Researchers at Google’s Treat Analyst Group (TAG) and Project Zero have discovered a series of hacked websites that have been delivering attacks to iPhones for a period of at least two years. “Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” said Ian Beer, a security researcher at Project Zero. TAG was able to collect five distinct iPhone exploit chains based on 14 vulnerabilities. These exploit chains covered versions from iOS 10 up to the latest iteration of iOS 12. The attack chains allowed a threat actor to gain root access to the device, and gain access to the victim’s keychain, as well as steal files and upload live location data. The implant does not have persistence on a device, but the potentially stolen authentication tokens from user keychains could allow the actor to gain access to various accounts.<br/> <a href="https://forum.anomali.com/t/google-researchers-discover-malicious-websites-hacking-iphones-for-years/4142" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1260054">[MITRE MOBILE-ATT&amp;CK] Access Sensitive Data or Credentials in Files - T1409</a> | <a href="https://ui.threatstream.com/ttp/1260053">[MITRE MOBILE-ATT&amp;CK] Access Sensitive Data in Device Logs - T1413</a> | <a href="https://ui.threatstream.com/ttp/947269">[MITRE ATT&amp;CK] Access Token Manipulation - T1134</a> | <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a></p><p><a href="https://www.zdnet.com/article/ransomware-hits-hundreds-of-dentist-offices-in-the-us/" target="_blank"><b>REvil Ransomware Impacts Hundred of Dental Practices Across US.</b></a> (<i>August 29, 2019</i>)<br/> An unidentified threat group breached the infrastructure of the medical records software “DDS Safe” to deploy ransomware in hundreds of dental offices across the United States. The breach was discovered on August 26, 2019, when dental staff at impacted offices could not access patient information. The software providers, The Digital Dental Record and PerCSoft, appear to have opted to pay the ransom, and have begun to distribute a decypher to dental offices. The variety of ransomware, known as “REvil,” is considered one of the most active and widespread ransomware strains of 2019, according to a Fidelis Security report.<br/> <a href="https://forum.anomali.com/t/revil-ransomware-impacts-hundred-of-dental-practices-across-us/4143" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&amp;CK] Data Encrypted - T1022</a></p><p><a href="https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/" target="_blank"><b>Threat Actor FIN6 Targeting E-Commerce Using More_eggs Backdoor</b></a> (<i>August 29, 2019</i>)<br/> Researchers at IBM have identified a series of attacks targeting e-commerce websites as being perpetrated by the threat group dubbed ”ITG08,” or more commonly known as FIN6. The group has been observed injecting malicious code into online checkout pages of compromised websites, thereby stealing payment card data of customers attempting to make a purchase. This new FIN6 activity demonstrates many of the same established tactics, techniques and procedures (TTPs) of the group, but in this new e-commerce environment. FIN6 is targeting multinational organizations via spearphising emails, advertising fake job advertisements to targeted employees. The emails contain a link that leads the targeted individual to download a ZIP file containing a malicious Windows Script File (WSF) that initiates the infection routine of the “More_eggs” JScript backdoor malware. Threat actors can then use the More_eggs backdoor to gain a foothold and infect additional devices.<br/> <a href="https://forum.anomali.com/t/threat-actor-fin6-targeting-e-commerce-using-more-eggs-backdoor/4144" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell - T1086</a> | <a href="https://ui.threatstream.com/ttp/947259">[MITRE ATT&amp;CK] Data Encoding - T1132</a> | <a href="https://ui.threatstream.com/ttp/947077">[MITRE ATT&amp;CK] Windows Management Instrumentation - T1047</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a></p><p><a href="https://www.bleepingcomputer.com/news/security/malware-operation-making-millions-defeated-by-design-flaw/" target="_blank"><b>Retadup Botnet Defeated by Design Flaw</b></a> (<i>August 28, 2019</i>)<br/> Over 850,000 unique infections of the Retadup cryptojacking botnet have been neutralized after a Command and Control (C2) server was taken down in Paris, France. Bringing down the Redatup infrastructure was possible due to a design flaw that researchers found in the botnet's communication protocol. The Cybercrime Fighting Center (C3N) of the French National Gendarmerie replaced the malicious C2 server with a version that made connected instances of Retadup self-destruct. The botnet was used primarily for Monero cryptojacking, and according to officials at C3N, Retadup operators have earned an estimated “several million” euros every year starting in 2016.<br/> <a href="https://forum.anomali.com/t/retadup-botnet-defeated-by-design-flaw/4145" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947079">[MITRE ATT&amp;CK] Screen Capture - T1113</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947207">[MITRE ATT&amp;CK] Process Discovery - T1057</a></p><p><a href="https://securelist.com/dropper-in-google-play/92496/" target="_blank"><b>CamScanner Advertising Dropper in Google Play</b></a> (<i>August 27, 2019</i>)<br/> Security researchers at Kaspersky have discovered malicious code in an Android application that has over 100 million downloads on Google Play. The app, a mobile PDF creator application called CamScanner, contains within the advertising library a malicious dropper component. Detected as Trojan-Dropper.AndroidOS.Necro.n, the module functions to download and launch a payload of malicious servers. According to researchers at Kaspersky, owners of the module can manipulate an infected device to show intrusive advertisements and to steal money by charging mobile accounts for paid subscriptions. These findings were reported to Google, and the app was removed from the Google Play marketplace.<br/> <a href="https://forum.anomali.com/t/camscanner-advertising-dropper-in-google-play/4146" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947136">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a></p><p><a href="https://threatpost.com/imperva-firewall-breach-api-keys-ssl-certificates/147743/" target="_blank"><b>Imperva Firewall Breach Exposes Customer API Keys, SSL Certificates</b></a> (<i>August 27, 2019</i>)<br/> Cybersecurity firm Imperva has announced a security breach, impacting customers of Imperva’s Cloud Web Application Firewall (WAF) product previously known as ‘Incapsula’. The company learned of the incident from a third party, and has verified that the affected customer database contained old Incapsula records that go up to September 15, 2017 only. The exposed information from the database includes email addresses, hashed, and salted passwords, as well as some customer API keys and SSL certificates. Imperva has informed customers affected by the incident regarding the breach, and has implemented password resets and 90-day password expiration for the product in the wake of the incident.<br/> <a href="https://forum.anomali.com/t/imperva-firewall-breach-exposes-customer-api-keys-ssl-certificates/4147" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a> | <a href="https://ui.threatstream.com/ttp/947209">[MITRE ATT&amp;CK] Third-party Software - T1072</a></p><p><a href="https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users" target="_blank"><b>TrickBot Modifications to Target U.S. Mobile Users</b></a> (<i>August 27, 2019</i>)<br/> In August 2019, researchers observed “TrickBot” malware using dynamic web injection attacks on legitimate websites for U.S.-based mobile carriers Sprint, T-Mobile, and Verizon Wireless. The malware leverages a new module that manipulates web sessions for already-infected systems. When a victim navigates to one of the sites on the infected system, the modified website requests the account PIN, which is normally not required by the legitimate site’s login procedure. TrickBot’s record functionality allows the PIN, as well as the victim’s username and password, to be transmitted to the TrickBot Command and Control (C2) server. Threat actors utilizing TrickBot can use the PIN and associated account information to take over the victim account via SIM swapping attacks, allowing the actor to assume control of the telephone number, including text and voice communications.<br/> <a href="https://forum.anomali.com/t/trickbot-modifications-to-target-u-s-mobile-users/4148" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/" target="_blank"><b>TA505 Active: Updates to ServHelper and FlawedAmmyy Malware</b></a> (<i>August 27, 2019</i>)<br/> According to researchers at TrendMicro, threat actor “TA505” is actively targeting banks in Turkey, Serbia, Romania, Korea, Canada, the Czech Republic, and Hungary, utilizing phishing techniques to compromise systems. The group is targeting the banks with emails that have ISO file attachments as an initial infection vector. As in previous operations, TA505 is using either “FlawedAmmy” remote access trojan (RAT) or ServHelper as payloads, and continues to make a combination of small adjustments to their deployment techniques. According to researchers at TrendMicro, the adjustments and updates made to the FlawedAmmyy RAT and ServHelper may indicate that the group is evaluating which forms of obfuscation can bypass detections and yield more financial returns.<br/> <a href="https://forum.anomali.com/t/ta505-active-updates-to-servhelper-and-flawedammyy-malware/4149" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947259">[MITRE ATT&amp;CK] Data Encoding - T1132</a> | <a href="https://ui.threatstream.com/ttp/947232">[MITRE ATT&amp;CK] DLL Side-Loading - T1073</a></p><p><a href="https://cofense.com/advanced-phishing-campaign-delivers-quasar-rat/" target="_blank"><b>Advanced Phishing Campaign Delivers Quasar RAT</b></a> (<i>August 26, 2019</i>)<br/> A new phishing campaign has been identified by researchers at Cofense Intelligence that delivers the “Quasar” Remote Access Tool (RAT) while employing multiple measures to deter detection. The phishing email, written to appear as though sent from a job seeker, includes an attached “resume” document file that delivers the malware. The document is password protected to bypass automated phishing software, loaded with more than 1200 lines of garbage code strings to overload and crash analysis systems, and the payload URL is hidden as metadata for embedded images. Finally, to avoid discovery, a Microsoft Self Extracting executable is downloaded that unpacks the RAT that is 401MB, an artificially-large file size that can crash an automated-detection system. These sophisticated techniques are used to delay detection and can provide the threat actor with enough time to gather information and additional malware before being detected or removed.<br/> <a href="https://forum.anomali.com/t/advanced-phishing-campaign-delivers-quasar-rat/4150" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a></p><p><a href="https://threatpost.com/hostinger-data-breach-14m-passwords/147681/" target="_blank"><b>Hostinger Data Breach Impacts 14 Million Customers</b></a> (<i>August 26, 2019</i>)<br/> Hostinger, a popular web hosting provider, has announced that an unauthorized third party has breached one of their servers, impacting about 14 million Hostinger users. According to Hostinger, “This server contained an authorization token, which was used to obtain further access and escalate privileges to our system RESTful API server.” The unauthorized third party had access to emails, first names, hashed passwords, IP addresses, and usernames. Hostinger client financial data was not impacted in the breach. Following the incident, all Hostinger user passwords have been reset using SHA-256 hashing algorithm to increase security for customers.<br/> <a href="https://forum.anomali.com/t/hostinger-data-breach-impacts-14-million-customers/4151" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947269">[MITRE ATT&amp;CK] Access Token Manipulation - T1134</a> | <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a></p></div><div id="observed-threats"><h2 id="observedthreats">Observed Threats</h2><p>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. <a href="https://www.anomali.com/products" target="_blank">Click here to request a trial</a>.</p></div><div id="threat_model"><div id="threat_model_actors"><div><a href="https://ui.threatstream.com/actor/26092" target="_blank">TA505</a><br/> The financially-motivated threat group called, “TA505,” was first reported on by Proofpoint researchers in December 2017. Malicious activity attributed to the Russian-speaking group dates back to at least 2014, and the campaigns conducted by TA505 have targeted entities and individuals around the world. The group distributes a variety of malware, both well-known strains (Dridex banking trojan, Locky ransomware), custom-created (Jaff ransomware, tRAT), and variants of legitimate remote access tools (Remote Manipulator System). The group primarily distributes malware and tools via large scale and indiscriminately-distributed malspam campaigns, often through the “Necurs” botnet, with malicious attachments or links. Incorporation of new malware, creating custom malware and the use of advanced tactics, such as the removal of malware artifacts, indicate that this group is a sophisticated threat and likely well-funded. The group is innovative and shows the flexibility to pivot to other techniques and malware trends on a global scale. </div><div><a href="https://ui.threatstream.com/actor/1929" target="_blank">FIN6</a><br/> FIN6 is a financially motivated threat actor shown active as early as 2014. Public information on this group is limited, but reports from FireEye contend that FIN6 is focused on theft of credit card data that is then offered for sale on underground marketplaces. Researchers report that the group has successfully stolen payment data from more than 10 million credit cards. Public visibility of FIN6 intrusions is limited, thus the group’s initial attack vectors are largely unknown. FireEye researchers believe that the group purchases previously stolen account credentials and access to compromised victim systems on underground forums. Otherwise, like many other threat actors, the group may employ typical phishing schemes to harvest credentials and deploy malware.</div></div></div></div>