February 11, 2019
Anomali Threat Research

Weekly Threat Briefing: Google Spots Attacks Exploiting iOS Zero-Day Flaws

<div id="weekly"><p id="intro">The intelligence in this weekís iteration discuss the following threats: <strong>Cryptominers, Data breach, ExileRAT, Malware, NanoCore, RATs, Remote code execution, Spear phishing, </strong>and<strong> Vulnerabilities</strong>. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><p><a href="https://latesthackingnews.com/2019/02/10/mumsnet-data-leak-baffled-parents-as-cloud-migration-exposed-users-personal-data/" target="_blank"><b>Mumsnet Data Leak Baffled Parents As Cloud Migration Exposed Users&#39; Personal Data </b></a> (<i>February 10, 2019</i>)<br /> The parenting forum website, "Mumsnet," suffered a data breach following migrating their services to the cloud. Between 2 pm on February 5 and 9 am on February 7, 2019, users that attempted to log into the website could have accessed another user&#39;s account information if two users were logging into the site simultaneously. Because of the software change that was occurring at that time, users could view the details of other users including account details, email addresses, personal messages, and posting history. Mumsnet was notified by a user to the issue, and they promptly fixed the issue.<br /> <a href="https://forum.anomali.com/t/mumsnet-data-leak-baffled-parents-as-cloud-migration-exposed-users-personal-data/3532" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/linux-coin-miner-copied-scripts-from-korkerds-removes-all-other-malware-and-miners/" target="_blank"><b>Linux Coin Miner Copied Scripts From KORKERDS, Removes All Other Malware and Miners</b></a> (<i>February 8, 2019</i>)<br /> Researchers from Trend Micro found a script on one of their honeypots that was downloading and installing a cryptocurrency mining malware onto a Linux system. The script is capable of killing and/or deleting a number of known Linux malware, cryptominers, and connections to other miner services and ports, and after installing its own malware, it implants itself into the machine&#39;s system to survive rebooting and deletion. The script appears to be similar to the "KORKERDS" malware, but is notably different in that this malware does not install a rootkit or uninstall antivirus software, as well as this new malware has KORKERDS in its kill list. The observed script downloads a modified version of the "XMR-Stak" cryptominer that mines for Cryptonight cryptocurrency. The infection source appears to have started from some IP cameras and web services via TCP port 8161.<br /> <a href="https://forum.anomali.com/t/linux-coin-miner-copied-scripts-from-korkerds-removes-all-other-malware-and-miners/3533" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947256">[MITRE ATT&CK] Uncommonly Used Port (T1065)</a></p><p><a href="https://www.securityweek.com/google-spots-attacks-exploiting-ios-zero-day-flaws" target="_blank"><b>Google Spots Attacks Exploiting iOS Zero-Day Flaws </b></a> (<i>February 8, 2019</i>)<br /> Apple released a new software update to their iOS that addressed four vulnerabilities, including two privilege escalation vulnerabilities observed to be exploited in the wild. The first vulnerability patched in this update, registered as "CVE-2019-7286," affects the Foundation component in iOS and could potentially allow a malicious application elevated privileges. The other vulnerability observed in the wild that has been patched, "CVE-2019-7287," impacts the IOKit and could potentially allow a malicious application to execute arbitrary code with kernel-level privileges. The other two vulnerabilities addressed in the new software update, fix the flaws that are related to the FaceTime bug that allowed the caller to see the recipient before they accepted the phone call.<br /> <a href="https://forum.anomali.com/t/google-spots-attacks-exploiting-ios-zero-day-flaws/3534" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.zdnet.com/article/opening-this-image-file-grants-hackers-access-to-your-android-phone/" target="_blank"><b>Opening This Image File Grants Hackers Access to your Android Phone</b></a> (<i>February 7, 2019</i>)<br /> Google noted a critical vulnerability in the Android operating system framework that could allow a threat actor to execute arbitrary code and obtain privileged access. To exploit this vulnerability, a threat actor would need to send a malicious Portable Network Graphic (.PNG) file to a user&#39;s Android device, and would be triggered upon opening the file. This vulnerability has not been observed in the wild yet. Android versions 7.0 to 9.0 are affected.<br /> <a href="https://forum.anomali.com/t/opening-this-image-file-grants-hackers-access-to-your-android-phone/3535" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a></p><p><a href="https://www.tripwire.com/state-of-security/security-data-protection/phishers-leveraging-google-translate-to-target-google-and-facebook-users/" target="_blank"><b>Phishers Leveraging Google Translate to Target Google and Facebook Users</b></a> (<i>February 7, 2019</i>)<br /> Larry Cashdollar, a member of Akamai&#39;s Security Intelligence Response Team (SIRT), received a phishing email that said his Google account had been accessed on an unknown Windows device. The email&#39;s content appeared very similar to a legitimate Google notification, however, the email purported to be from "facebook_secur@hotmail[dot]com." If the target clicked the "view activity" button, they were redirected to a fake Google login that used Google Translate to load the malicious domain to trick users into thinking the domain was legitimate, though the domain being translated in the search bar was completely different from a Google page. This phishing attack had two phishing attempts as if a user did enter in their Google account information, they would then be redirected to a Facebook page in an attempt to also steal those credentials.<br /> <a href="https://forum.anomali.com/t/phishers-leveraging-google-translate-to-target-google-and-facebook-users/3536" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&CK] Spearphishing Link (T1192)</a></p><p><a href="https://threatpost.com/microsoft-confirms-serious-privexchange-vulnerability/141553/" target="_blank"><b>Microsoft Confirms Serious ëPrivExchange&#39; Vulnerability</b></a> (<i>February 6, 2019</i>)<br /> A high-severity privilege escalation flaw in Microsoft&#39;s Exchange Server has been confirmed to exist by the company. Both Microsoft and the US-CERT released official warnings regarding the flaw, called "PrivExchange." The flaw is a result of the default setting in the Microsoft Exchange Server and the mail and calendar server that could allow a threat actor with a basic mailbox account to execute a Man-in-the-Middle (MITM) attack utilising one of two python-based tools: "privexchange.py" and "ntlmrelayx.py." These tools would forward an authentication request to a Microsoft Exchange Server that could allow impersonation of another Exchange user, and allow the threat actor to obtain domain administrator privileges. Domain administrator privileges allow the user access to the full Exchange Server and the ability to perform almost any task on the server. Only users with "OnPrem" deployments are at risk; Exchange Online is not affected. Microsoft is currently developing a patch.<br /> <a href="https://forum.anomali.com/t/microsoft-confirms-serious-privexchange-vulnerability/3537" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.zdnet.com/article/hackers-reveal-data-leak-at-south-africas-main-electricity-provider-on-twitter/" target="_blank"><b>Researcher Reveals Data Leak at South Africa&#39;s Main Electricity Provider </b></a> (<i>February 6, 2019</i>)<br /> The South African, state-owned electricity company, "Eskom," appears to have suffered a data breach due to their billing software database being left exposed, without having a password to protect the database. Cybersecurity researcher Devin Stokes publicly tweeted screenshots of the customer and service-related information that was accessible on the database including: account IDs, meter information, and start and end service dates. The breach appeared to have escalated when Stokes found that some database entries also contained financial data of customers such as CVV numbers, names, payment card types, and partial payment card numbers. This issue appears to have been further exacerbated by an unnamed employee possibly accidentally installing a trojan onto the corporate machines by downloading a fake "SIMS 4" gaming installer. Despite Eskom remaining fairly quiet on the matter, they did state that they "investigated the potential trojan infection and have taken necessary actions."<br /> <a href="https://forum.anomali.com/t/researcher-reveals-data-leak-at-south-africas-main-electricity-provider/3538" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://thehackernews.com/2019/02/hacking-libreoffice-openoffice.html" target="_blank"><b>Severe RCE Flaw Disclosed in Popular LibreOffice and OpenOffice Software</b></a> (<i>February 5, 2019</i>)<br /> Security researcher, Alex Inf¸hr, discovered a severe Remote Code Execution (RCE) vulnerability in open-source office suites "LibreOffice" and "Apache OpenOffice." This vulnerability could be triggered by opening a malicious OpenDocument Text (ODT) file and exploiting a directory traversal flaw, "CVE-2018-16858," that executes a specific python library in the software. The python file "pydoc.py," that is included in LibreOffice&#39;s python interpreter, will accept arbitrary commands that allows a threat actor to trick the interpreter into executing a malicious payload. This vulnerability affects both Windows and Linux operating systems.<br /> <a href="https://forum.anomali.com/t/severe-rce-flaw-disclosed-in-popular-libreoffice-and-openoffice-software/3539" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a></p><p><a href="https://www.itpro.co.uk/phishing/32915/sophisticated-new-phishing-campaign-targets-the-c-suite" target="_blank"><b>Sophisticated New Phishing Campaign Targets the C-Suite</b></a> (<i>February 5, 2019</i>)<br /> A new phishing campaign attempting to steal login credentials has been observed to be specifically targeting C-levels and executives in organisations, according to researchers from GreatHorn. The phishing emails appeared as requests to reschedule a meeting and provides a URL link to a page that looks similar to a "Doodle" poll site to then rearrange for a suitable time. The webpage is a phishing site designed to steal Office 365 credentials. Interestingly, if the phishing email is viewed on a mobile device, the sender of the email is changed to "Note to Self" which is a new feature in Microsoft Outlook that activates when a person emails their self something. Because of this, the likelihood of the user falling victim to the attempt increases. Depending on the email client used, the phishing email could be filtered and put into the "Spam" folder, though this does not inhibit users from continuing to interact with the email.<br /> <a href="https://forum.anomali.com/t/sophisticated-new-phishing-campaign-targets-the-c-suite/3540" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&CK] Spearphishing Link (T1192)</a> | <a href="https://ui.threatstream.com/ttp/947220">[MITRE ATT&CK] Trusted Relationship (T1199)</a></p><p><a href="https://latesthackingnews.com/2019/02/05/hackers-now-exploit-google-sheets-to-spread-csv-malware/" target="_blank"><b>Hackers Now Exploit Google Sheets To Spread CSV Malware</b></a> (<i>February 5, 2019</i>)<br /> Threat actors have been observed utilising Google Sheets to distribute malware. Researcher Marco Ramilli received a phishing email that bypassed Google&#39;s spam filters by using a Google Sheets document, and found "a series of empty fields preceding a final and fake formula piping a CMD.exe command. By using the bitsadmin technique the attacker downloads a file called now.exe and stores it into a temporary system folder for later execution." This then installs a variant of the "NanoCore" Remote Access Trojan (RAT). The malware is able to install itself onto the device whether it is opened in Google Sheets or downloaded and opened locally in Microsoft Excel.<br /> <a href="https://forum.anomali.com/t/hackers-now-exploit-google-sheets-to-spread-csv-malware/3541" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&CK] Remote Access Tools (T1219)</a></p><p><a href="https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html" target="_blank"><b>ExileRAT Shares C2 with LuckyCat, Targets Tibet</b></a> (<i>February 4, 2019</i>)<br /> Researchers from Cisco Talos discovered a spear phishing campaign targeting individuals in Tibet that installs the "ExileRAT" Android Remote Access Trojan. The phishing email targets subscribers to the organisation, "Central Tibetan Administration," which represents the Tibetan government-in-exile, and uses a malicious attachment pretending to be the document "Tibet-was-never-a-part-of-China" to trick users into opening it. The installation process begins by first by exploiting a registered Microsoft Office code execution vulnerability, "CVE-2017-0199," and then establishing a connection to the Command and Control (C2) server. The C2 then delivers a script that downloads the payload that install the RAT. The RAT is capable of obtaining system information including computer name, listing drives, network adapter, process name, and username, as well as using get/push files and execute/terminate processes. The C2 infrastructure is similar to that of the malware, "LuckyCat," that has been observed to target Tibetan activists in the past and is attributed to Chinese threat groups.<br /> <a href="https://forum.anomali.com/t/exilerat-shares-c2-with-luckycat-targets-tibet/3542" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&CK] Remote Access Tools (T1219)</a></p></div></div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.