February 4, 2020 - Anomali Threat Research

Weekly Threat Briefing: Government Spyware Company Spied On Hundreds Of Innocent People

<div id="weekly"><p>The various threat intelligence stories in this iteration of the Weekly Threat Briefing (WTB) discuss the following topics: <strong>APT, Backdoor, Data leak, Emotet, Malspam, Spyware, Winnti, </strong>and<strong> Vulnerabilities</strong>. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.</p><p id="intro"><img src="https://anomali-labs-public.s3.amazonaws.com/020320.png"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p><div id="trending-threats"><h1 id="trendingthreats">Trending Threats</h1><p><a href="https://thehackernews.com/2020/02/sudo-linux-vulnerability.html" target="_blank"><b>Sudo Bug Lets Non-Privileged Linux and macOS Users Run Commands as Root</b></a> (<i>February 3, 2020</i>)<br/> A vulnerability in the “sudo” utility used on Linux and macOS systems has been identified that would give non-root (low-privileged) users the ability to execute administrative commands. The vulnerability is registered as “CVE-2019-18634” and affects sudo versions before 1.8.26. Apple security researcher Joe Vennix found that it can be exploited when the “pwfeedback” option is set in the sudo configuration file.
“pwfeedback” provides the visual asterisk (*) feedback when users type passwords at the console. It is not enabled by default in most upstream versions of sudo, but certain distributions, including Linux Mint and Elementary OS, do enable it.<br/> <a href="https://forum.anomali.com/t/sudo-bug-lets-non-privileged-linux-and-macos-users-run-commands-as-root/4555" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a></p><p><a href="https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/" target="_blank"><b>Winnti Group Targeting Universities In Hong Kong</b></a> (<i>January 31, 2020</i>)<br/> The Advanced Persistent Threat (APT) group Winnti has been identified targeting several unnamed Hong Kong-based universities, according to ESET researchers. The Winnti group has been active since 2012 and is attributed with supply chain compromises such as those affecting ASUS, CCleaner, and LiveUpdate. The ShadowPad backdoor has been a well-known tool of the Winnti Group in its operations.
ESET observed malicious files on computers owned by the universities that overlap with variants of the ShadowPad backdoor launcher, which is commonly used by the Winnti Group.<br/> <a href="https://forum.anomali.com/t/winnti-group-targeting-universities-in-hong-kong/4556" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947079">[MITRE ATT&amp;CK] Screen Capture - T1113</a> | <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947133">[MITRE ATT&amp;CK] Custom Cryptographic Protocol - T1024</a> | <a href="https://ui.threatstream.com/ttp/947136">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/947148">[MITRE ATT&amp;CK] New Service - T1050</a> | <a href="https://ui.threatstream.com/ttp/947195">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947207">[MITRE ATT&amp;CK] Process Discovery - T1057</a> | <a href="https://ui.threatstream.com/ttp/947232">[MITRE ATT&amp;CK] DLL Side-Loading - T1073</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947256">[MITRE ATT&amp;CK] Uncommonly Used Port - T1065</a> | <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&amp;CK] Data Encrypted - T1022</a> | <a href="https://ui.threatstream.com/ttp/947291">[MITRE ATT&amp;CK] Commonly Used Port - T1043</a></p><p><a href="https://thehackernews.com/2020/01/microsoft-azure-vulnerabilities.html" target="_blank"><b>Microsoft Azure Flaws Could Have Let Hackers Take Over Cloud Servers</b></a> (<i>January 30, 2020</i>)<br/> Check Point researchers have found two vulnerabilities
in Microsoft’s Azure services that would allow threat actors remote access to an organisation's Azure servers, with the ability to execute and manipulate company code remotely. The first vulnerability is registered as “CVE-2019-1234”, a spoofing issue that affects all Azure Stack versions and, if exploited, allows threat actors to make special requests for Azure Stack resources, such as screenshots and sensitive data. The second vulnerability is registered as “CVE-2019-1372”, a remote code execution vulnerability caused by Azure Stack not checking the length of a buffer before copying memory to it. Threat actors can use this to gain escalated privileges over the end user’s Azure server and control of their source code.<br/> <a href="https://forum.anomali.com/t/microsoft-azure-flaws-could-have-let-hackers-take-over-cloud-servers/4557" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947079">[MITRE ATT&amp;CK] Screen Capture - T1113</a> | <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a></p><p><a href="https://nakedsecurity.sophos.com/2020/01/30/government-spyware-company-spied-on-hundreds-of-innocent-people/" target="_blank"><b>Government Spyware Company Spied On Hundreds Of Innocent People</b></a> (<i>January 30, 2020</i>)<br/> Security Without Borders researchers have analyzed more than 20 apps on the Google Play Store targeting Italian individuals that contained Exodus malware variants. Exodus is an Android spyware capable of collecting the list of installed apps on the end user’s phone, browsing history, contact lists, text messages (including encrypted ones), location data and Wi-Fi passwords. The malware is distributed by malicious apps that masquerade as network tools.
The apps were being used by law enforcement for surveillance of select individuals in espionage-focused operations; however, eSurv has reportedly been using the spyware against law-abiding individuals, for reasons that have not yet been clarified.<br/> <a href="https://forum.anomali.com/t/government-spyware-company-spied-on-hundreds-of-innocent-people/4558" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947079">[MITRE ATT&amp;CK] Screen Capture - T1113</a> | <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&amp;CK] Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947141">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/947195">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a> | <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a> | <a href="https://ui.threatstream.com/ttp/1260052">[MITRE MOBILE-ATT&amp;CK] Access Contact List - T1432</a> | <a href="https://ui.threatstream.com/ttp/1260053">[MITRE MOBILE-ATT&amp;CK] Access Sensitive Data in Device Logs - T1413</a> | <a href="https://ui.threatstream.com/ttp/1260054">[MITRE MOBILE-ATT&amp;CK] Access Sensitive Data or Credentials in Files - T1409</a> | <a href="https://ui.threatstream.com/ttp/1260088">[MITRE MOBILE-ATT&amp;CK] Location Tracking - T1430</a></p><p><a href="https://eclypsium.com/2020/01/30/direct-memory-access-attacks/" target="_blank"><b>Direct Memory Access Attacks - A Walk Down Memory Lane</b></a> (<i>January 30, 2020</i>)<br/> Eclypsium researchers have released reports that disclose vulnerabilities in Dell and HP laptops that allow threat actors to exploit the Direct
Memory Access (DMA) capabilities of an end user’s machine. This would allow threat actors to read and write the machine’s memory while bypassing the main Central Processing Unit (CPU) and Operating System (OS). The ability to overwrite memory potentially gives threat actors control of kernel execution and privilege escalation to carry out additional malicious activity. To demonstrate this, Eclypsium tested recently released laptops, including the Dell XPS 13 7390 2-in-1 and the HP ProBook 640 G4, both of which were found to be affected by different vulnerabilities.<br/> <a href="https://forum.anomali.com/t/direct-memory-access-attacks-a-walk-down-memory-lane/4559" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a></p><p><a href="https://www.bleepingcomputer.com/news/security/emotet-uses-coronavirus-scare-to-infect-japanese-targets/" target="_blank"><b>Emotet Uses Coronavirus Scare To Infect Japanese Targets</b></a> (<i>January 29, 2020</i>)<br/> The Emotet botnet has been observed distributing malspam campaigns targeting individuals in Japan with information-stealing malware such as TrickBot. The campaign uses Coronavirus-themed content to exploit the fear surrounding the outbreak. The email claims that the attachment contains health warnings and measures in place to deal with potential coronavirus infections in Japan, such as hospital locations in certain Japanese cities. The emails contain a malicious Microsoft Word document attachment that asks users to enable its content for viewing.
Once macros are enabled, a malicious payload (information-stealing malware) is installed using PowerShell commands.<br/> <a href="https://forum.anomali.com/t/emotet-uses-coronavirus-scare-to-infect-japanese-targets/4560" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947121">[MITRE ATT&amp;CK] Network Sniffing - T1040</a> | <a href="https://ui.threatstream.com/ttp/947141">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell - T1086</a> | <a href="https://ui.threatstream.com/ttp/1260045">[MITRE PRE-ATT&amp;CK] Upload, install, and configure software/tools (PRE-T1139)</a></p><p><a href="https://www.zdnet.com/article/rce-in-opensmtpd-library-impacts-bsd-and-linux-distros/" target="_blank"><b>RCE In OpenSMTPD Library Impacts BSD And Linux Distros</b></a> (<i>January 29, 2020</i>)<br/> A vulnerability disclosed as “CVE-2020-7247” gives threat actors the ability to exploit the OpenSMTPD daemon for privilege escalation and remote code execution, according to Qualys researchers. OpenSMTPD is an open-source implementation of the SMTP protocol used for email transmission and is included in various Berkeley Software Distribution (BSD) and Linux distributions. Threat actors are able to exploit this vulnerability by sending malformed SMTP messages to servers that have not been patched for “CVE-2020-7247”.
Since the report, OpenSMTPD developers have released patches in version 6.6.2p1, and users are advised to update their systems to prevent exploitation.<br/> <a href="https://forum.anomali.com/t/rce-in-opensmtpd-library-impacts-bsd-and-linux-distros/4561" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947142">[MITRE ATT&amp;CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a></p><p><a href="https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/" target="_blank"><b>Stopping The Press: New York Times Journalist Targeted By Saudi-Linked Pegasus Spyware Operator</b></a> (<i>January 28, 2020</i>)<br/> Ben Hubbard, the Beirut Bureau Chief for the New York Times, has been targeted with Pegasus, mobile spyware developed by the Israel-based company NSO Group. The targeting of journalists using NSO-developed spyware is an ongoing threat around the world, with journalists, activists and dissidents being targeted for surveillance. There have been reported cases in Mexico and Saudi Arabia of journalists being targeted with Pegasus spyware, including the most well-known case, the murder of Washington Post columnist Jamal Khashoggi in 2018.
In Hubbard's case, he was sent a text in Arabic saying “Ben Hubbard and the story of the Saudi Royal Family” with a link to arabnews365[.]com, a domain known to be used in Pegasus infrastructure for downloading the spyware.<br/> <a href="https://forum.anomali.com/t/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/4562" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a> | <a href="https://ui.threatstream.com/ttp/1260054">[MITRE MOBILE-ATT&amp;CK] Access Sensitive Data or Credentials in Files - T1409</a> | <a href="https://ui.threatstream.com/ttp/1260088">[MITRE MOBILE-ATT&amp;CK] Location Tracking - T1430</a> | <a href="https://ui.threatstream.com/ttp/1260119">[MITRE MOBILE-ATT&amp;CK] System Information Discovery - T1426</a></p><p><a href="https://thehackernews.com/2020/01/new-cacheout-attack-leaks-data-from.html" target="_blank"><b>New 'CacheOut' Attack Leaks Data From Intel CPUs, VMs, And SGX Enclave</b></a> (<i>January 28, 2020</i>)<br/> A vulnerability registered as “CVE-2020-0549” and named “CacheOut” has been discovered by researchers from the universities of Adelaide and Michigan. The vulnerability would allow threat actors to choose what data to leak from the L1 cache of the end user’s CPU belonging to running processes and extract it for exfiltration. Intel CPUs built prior to October 2018 are known to be vulnerable, which would enable actors to leak sensitive data from the user’s OS kernel, co-resident VMs and Intel’s SGX enclave. The researchers have clarified that CacheOut does not leave any traces in log files, so it is unlikely that exploitation of the vulnerability could be identified.
CacheOut cannot be exploited remotely from web browsers and currently does not affect AMD processors.<br/> <a href="https://forum.anomali.com/t/new-cacheout-attack-leaks-data-from-intel-cpus-vms-and-sgx-enclave/4563" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947193">[MITRE ATT&amp;CK] Automated Exfiltration - T1020</a></p><p><a href="https://techcrunch.com/2020/01/28/labcorp-website-bug-medical-data-exposed/" target="_blank"><b>LabCorp Website Bug Exposed Thousands Of Medical Documents</b></a> (<i>January 28, 2020</i>)<br/> The US-based healthcare company LabCorp, which operates networks of large clinical laboratories across Pan America, exposed approximately 10,000 medical documents affecting an unspecified number of people. The part of the website that pulls from the back end was left exposed, with web addresses viewable in search engines and cached by Google. Any user could view each document by incrementing the document number in the web address. The documents relate to cancer patients being monitored by the laboratory’s integrated oncology testing unit and contained other information such as Date of Birth (DOB), lab test results, names, social security numbers and other Personally Identifiable Information (PII). LabCorp has since disabled access to the system, and Google links no longer resolve to patients’ documents. This puts many patients at risk of phishing campaigns using their legitimate medical history as a lure, as well as identity fraud and extortion.<br/> <a href="https://forum.anomali.com/t/labcorp-website-bug-exposed-thousands-of-medical-documents/4564" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a></p></div></div>
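The sudo item above names two preconditions for CVE-2019-18634: a sudo version below 1.8.26 and the "pwfeedback" option set in the sudoers policy. The following audit script is an added example written for this briefing, not code from Anomali or from the sudo project; the sudoers snippets and version strings in it are constructed samples, and the function names are our own.

```shell
#!/bin/sh
# Added example (not from the briefing or the sudo project): check a host for
# the two preconditions of CVE-2019-18634 quoted above, a sudo version below
# 1.8.26 and "pwfeedback" enabled in the sudoers policy.

# Exit 0 when the supplied sudoers text enables pwfeedback: a "Defaults" line
# (including per-user forms such as "Defaults:alice") that lists "pwfeedback"
# without a negating "!". Comments are stripped first, so a commented-out
# "# Defaults pwfeedback" does not count.
sudoers_has_pwfeedback() {
    printf '%s\n' "$1" |
        sed 's/#.*//' |
        grep -E '^[[:space:]]*Defaults' |
        tr ',' '\n' |
        grep -Eq '(^|[[:space:]])pwfeedback([[:space:]]|$)'
}

# Exit 0 when a sudo version string such as "1.8.21p2" (the form printed by
# `sudo -V`) is below the 1.8.26 threshold quoted in the briefing. The "pN"
# patch suffix is dropped because the threshold does not depend on it.
sudo_version_below_fix() {
    v=$(printf '%s' "$1" | sed 's/p[0-9]*$//')
    printf '%s\n1.8.26\n' "$v" | awk -F. '
        NR == 1 { a = $1 + 0; b = $2 + 0; c = $3 + 0 }
        NR == 2 { exit (a < $1 || (a == $1 && (b < $2 || (b == $2 && c < $3)))) ? 0 : 1 }'
}

# Both conditions must hold for the host to be exposed. Prints "at-risk" or "ok".
# Usage: sudo_cve_2019_18634_verdict VERSION SUDOERS_TEXT
sudo_cve_2019_18634_verdict() {
    if sudo_version_below_fix "$1" && sudoers_has_pwfeedback "$2"; then
        echo at-risk
    else
        echo ok
    fi
}

# Constructed samples: the first resembles a distribution policy that turns
# pwfeedback on (as the briefing says Linux Mint does), the second a stock
# policy that leaves it off.
SAMPLE_VULN='Defaults env_reset, pwfeedback
# Defaults !pwfeedback
root ALL=(ALL:ALL) ALL'
SAMPLE_SAFE='Defaults env_reset
Defaults !pwfeedback
root ALL=(ALL:ALL) ALL'

echo "1.8.21p2 + pwfeedback:    $(sudo_cve_2019_18634_verdict 1.8.21p2 "$SAMPLE_VULN")"  # at-risk
echo "1.8.31   + pwfeedback:    $(sudo_cve_2019_18634_verdict 1.8.31 "$SAMPLE_VULN")"    # ok
echo "1.8.21p2 + no pwfeedback: $(sudo_cve_2019_18634_verdict 1.8.21p2 "$SAMPLE_SAFE")"  # ok
```

On a live host, pass the version from the first line of `sudo -V` and the concatenated contents of /etc/sudoers and /etc/sudoers.d/* (readable only as root); the verdict says nothing about whether the vendor has backported a fix, so treat "at-risk" as a prompt to check the distribution's advisory.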
