Weekly Threat Briefing: Hackers Are Going After Cisco RV320/RV325 Routers Using a New Exploit

<div id="weekly"><p id="intro">The intelligence in this week’s iteration discuss the following threats: <strong>Alert, Data leak, DNS tampering, Misconfigured database, Phishing, Ransomware, Trojan, Vulnerabilities, Website compromise </strong>and<strong> Zero-day.</strong> The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><p><a href="https://www.zdnet.com/article/hackers-are-going-after-cisco-rv320rv325-routers-using-a-new-exploit/" target="_blank"><b>Hackers Are Going After Cisco RV320/RV325 Routers Using A New Exploit</b></a> (<i>January 27, 2019</i>)<br/> On January 25, 2019, RedTeam Pentesting found that threat actors were scanning the internet in attempts to discover vulnerabilities associated with Proof-of-Concept (PoC) code posted to GitHub on the same day. The vulnerabilities, registered as “CVE-2019-1653” and “CVE-2019-1652,” affect Cisco “RV320” and “RV325” WAN VPN routers. CVE-2019-1653 can be exploited by an actor to steal device configuration data, and CVE-2019-1652 can allow a remote actor to inject and run administrator commands on an affected device. Both of the vulnerabilities can be exploited without acquiring the device password.<br/> <a href="https://forum.anomali.com/t/hackers-are-going-after-cisco-rv320-rv325-routers-using-a-new-exploit/3489" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947142">[MITRE ATT&amp;CK] Process Injection (T1055)</a></p><p><a href="https://threatpost.com/phishing-gandcrab-ursnif/141182/" target="_blank"><b>Phishing Campaign Delivers Nasty Ransomware, Credential-Theft Two-Punch</b></a> (<i>January 25, 2019</i>)<br/> A phishing campaign has been discovered to be distributing the “GandCrab” ransomware and the information-stealing malware “Ursnif.” Carbon Black researchers published their findings on the campaign and also note that other researchers have also observed this malicious activity which is believed to have begun on December 17, 2018. The initial infection vector is accomplished through phishing emails distributing Microsoft Word documents with embedded macros. If the macro is enabled, it will call a PowerShell script that begins the infection process for both GandCrab and Ursnif. Researchers has identified approximately 180 variants of Word documents in the wild associated with this campaign.<br/> <a href="https://forum.anomali.com/t/phishing-campaign-delivers-nasty-ransomware-credential-theft-two-punch/3490" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell (T1086)</a></p><p><a href="https://www.us-cert.gov/ncas/current-activity/2019/01/24/Tax-Identity-Theft-Awareness-Week" target="_blank"><b>Tax Identity Theft Awareness Week</b></a> (<i>January 24, 2019</i>)<br/> The United States Computer Emergency Readiness Team (US-CERT) has published an alert to bring attention to “Tax Identity Theft Awareness Week.” The week of awareness takes place from January 28 to February 1, 2019. The US-CERT encourages everyone to be aware of identity theft schemes that will be taking place, as they do every year, during the US tax season. Threat actors will often try to steal individual’s information by impersonating the Internal Revenue Service (IRS) or other government-related or private organizations. Actors will be attempting to steal Personally Identifiable Information (PII) to abuse for their own malicious purposes or sell on underground forums. Threat actors will also attempt to steal PII to file an individual’s taxes to steal his/her tax return.<br/> <a href="https://forum.anomali.com/t/tax-identity-theft-awareness-week-2019/3499" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html" target="_blank"><b>AMP Tracks New Campaign That Delivers Ursnif</b></a> (<i>January 24, 2019</i>)<br/> The information-stealing malware “Ursnif” has been observed being distributed by threat actors via a Microsoft Word document containing a malicious Visual Basic for Applications (VBS) macro, according to Cisco Talos researchers. A user who receives the Word document, likely through phishing or malspam, will be asked to enable macros to view the document if macros are disabled, otherwise the macro will automatically launch. The objective of the macro is to execute a PowerShell to begin the downloading process for Ursnif. The malware in this campaign uses Cabinet file format (CAB) to compress the stolen data before sending it to an actor-controlled Command and Control (C2) server. In addition, researchers note that “Ursnif is a fan of ‘fileless’ persistence which makes it difficult for traditional anti-virus techniques to filter out the C2 traffic from normal traffic.”<br/> <a href="https://forum.anomali.com/t/amp-tracks-new-campaign-that-delivers-ursnif/3491" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell (T1086)</a> | <a href="https://ui.threatstream.com/ttp/947077">[MITRE ATT&amp;CK] Windows Management Instrumentation (T1047)</a></p><p><a href="https://techcrunch.com/2019/01/23/financial-files/" target="_blank"><b>Millions of Bank Loan and Mortgage Documents Have Leaked Online</b></a> (<i>January 23, 2019</i>)<br/> A server running an “Elasticsearch” database was found to be leaking financial-related Personally Identifiable Information (PII) for approximately two weeks, according to security researcher Bob Diachenko. The publicly accessible database was taken down on January 15, 2019 and was found to be owned the financial data and analytics company “Ascension.” The leak was caused by a “server configuration error that may have led to exposure of some mortgage-related documents,” according general counsel of Ascension’s parent company Rocktop Partners, Sandy Campbell. The information dates back to 2008 and consists of addresses, bank account number, checking account number, date of birth, details of loan agreements, and Social Security numbers. Other information notes if an individual has declared bankruptcy, and has filed tax documents such as W-2 forms.<br/> <a href="https://forum.anomali.com/t/millions-of-bank-loan-and-mortgage-documents-have-leaked-online/3492" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.tripwire.com/state-of-security/government/dhs-issues-emergency-directive-on-dns-infrastructure-tampering/" target="_blank"><b>DHS Issues Emergency Directive on DNS Infrastructure Tampering</b></a> (<i>January 23, 2019</i>)<br/> The United States Department of Homeland Security (DHS) issued an emergency alert, “Emergency Directive 19-01,” regarding the threat to Domain Name System (DNS) infrastructure manipulation. In the directive, the DHS discusses how they have been collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) to analyze DNS tampering campaigns. The DHS and CISA have found that “multiple executive branch agency domains” were affected “by the tampering campaign and has notified the agencies that maintain them.” Threat actors involved in this kind of malicious activity use various techniques. However, their objective is typically to intercept and redirect web and mail traffic. Some of the techniques used include compromising target credentials to change DNS records, replacing DNS addresses with an actor-controlled one, and stealing authentic encryption certificates.<br/> <a href="https://forum.anomali.com/t/dhs-issues-emergency-directive-on-dns-infrastructure-tampering/3493" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://thehackernews.com/2019/01/php-pear-hacked.html" target="_blank"><b>Someone Hacked PHP PEAR Site and Replaced the Official Package Manager</b></a> (<i>January 23, 2019</i>)<br/> The administrators for the “PHP Extension and Application Repository” (PEAR) framework and package manager have confirmed that its official website was compromised by unknown threat actors. PEAR issued a security announcement on January 19, 2019, where the developers confirmed that its website was compromised, and that the “PEAR website itself has been disabled until a known clean site can be rebuilt,” according to the official PEAR announcement. The actors were found to have replaced the legitimate PHP PEAR package manager (go-pear.phar) with an altered version that contained malicious code. The malicious package manager was available for download from the PEAR website for at least six months. The code was found to be a module that has the ability to “spawn a reverse shell via Perl IP 104.131.154[.]154” which would allow actors complete control over an infected server. Those who downloaded PEAR prior to December 20, 2018, are likely affected by this incident.<br/> <a href="https://forum.anomali.com/t/someone-hacked-php-pear-site-and-replaced-the-official-package-manager/3494" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947137">[MITRE ATT&amp;CK] Supply Chain Compromise (T1195)</a></p><p><a href="https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/happy-new-year-2019-anatova-is-here/" target="_blank"><b>Happy New Year 2019! Anatova is Here!</b></a> (<i>January 22, 2019</i>)<br/> New ransomware family, dubbed “Anatova” after the name of the ransom note, has been identified in a private Peer-to-Peer (P2P) network, according to McAfee researchers. The ransomware was found to avoid infecting users in certain countries by checking the first installed language setting on the machine. This allows the ransomware to avoid conducting malicious activity on machines located in the following countries: all Commonwealth of Independent States (CIS) countries, Egypt, India, Iraq, and Syria. The exclusion of these countries is a potential indicator that the threat actors behind Anatova reside in one of those countries.<br/> <a href="https://forum.anomali.com/t/happy-new-year-2019-anatova-is-here/3495" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947147">[MITRE ATT&amp;CK] DLL Search Order Hijacking (T1038)</a> | <a href="https://ui.threatstream.com/ttp/947262">[MITRE ATT&amp;CK] Clear Command History (T1146)</a><br/> <b>Tags:</b> Ransomware, Anatova</p><p><a href="https://www.us-cert.gov/ncas/current-activity/2019/01/22/Apple-Releases-Multiple-Security-Updates" target="_blank"><b>Apple Releases Multiple Security Updates</b></a> (<i>January 22, 2019</i>)<br/> The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding vulnerabilities in multiple “Apple” products. Some of the vulnerabilities that have been issued patches could be exploited by threat actors to gain control of an affected system. In total, six patches were issued that affect iCloud for Windows, iOS, macOS (Mojave and High Sierra), Safari, and watchOS.<br/> <a href="https://forum.anomali.com/t/apple-releases-multiple-security-updates-1-22-19/3500" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bleepingcomputer.com/news/security/malware-user-privacy-failures-found-in-top-free-vpn-android-apps/" target="_blank"><b>Malware, User Privacy Failures Found in Top Free VPN Android Apps</b></a> (<i>January 21, 2019</i>)<br/> Metric Labs Top10VPN researchers have published their analysis of the most popular 150 free Android VPN applications that produced some interesting results. Researchers discovered that one in five of the 150 tested applications were potential sources of malware. This brings the count to 25 of the top 150 free VPN applications being detected as possible malware sources according to VirusTotal. In addition, 25% of the 150 applications were identified to be affected by a DNS security flaw that leaks “browsing history data to their ISP and any third-party DNS server operator that it may use.” The permissions in free VPN applications put users at risk of leaking data that was supposed to be hidden by the application. The applications that present a security-risk were observed to have been downloaded approximately 260 million times, according to statistics from the Google Play Store.<br/> <a href="https://forum.anomali.com/t/malware-user-privacy-failures-found-in-top-free-vpn-android-apps/3496" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bleepingcomputer.com/news/security/mysql-design-flaw-allows-malicious-servers-to-steal-files-from-clients/" target="_blank"><b>MySQL Design Flaw Allows Malicious Servers to Steal Files from Clients</b></a> (<i>January 21, 2019</i>)<br/> The file interaction feature of a “MySQL” database and a client-host is known and documented to contain a design flaw that could allow a threat actor to gain access to all information that the connected client “has read access to.” The MySQL documentation explains that the issue resides in the way clients receive fine-transfer requests from a MySQL server. If a request is made, the client responds with a “LOAD DATA” statement. A malicious server controlled by a threat actor could then respond with “LOAD DATA LOCAL” statement and request any data the client has read-permissions access. Actors could abuse this known flaw with publicly available code for malicious MYSQL servers.<br/> <a href="https://forum.anomali.com/t/mysql-design-flaw-allows-malicious-servers-to-steal-files-from-clients/3497" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bleepingcomputer.com/news/security/windows-zero-day-bug-that-lets-attackers-read-any-file-gets-micropatch/" target="_blank"><b>Windows Zero-Day Bug Lets Attackers Read Any File Gets Micropatch</b></a> (<i>January 21, 2019</i>)<br/> The Proof-of-Concept (PoC) code for a Microsoft zero-day vulnerability that was published on GitHub approximately one month ago has been issued a micropatch by the Slovenia-based company, “Acros Security.” At the time of this writing, the vulnerability does not have a registered Common Vulnerabilities and Exposures (CVE) number nor a patch, however, this is likely because the patch is a complex fix. The United States Computer Emergency Readiness Team (US-CERT) issued a joint alert with Carnegie Mellon University that stated the “Microsoft Windows MsiAdvertiseProduct function contains a race-condition vulnerability, which can allow an authentication attacker to elevate privileges to read protected files.” The alert also notes that they are “unaware of a practical solution to this problem” as of the publication of the article (December 20, 2018).<br/> <a href="https://forum.anomali.com/t/windows-zero-day-bug-lets-attackers-read-any-file-gets-micropatch/3498" target="_blank">Click here for Anomali recommendation</a></p></div></div>