Weekly Threat Briefing: Hackers Could Read Your Hotmail, MSN, and Outlook Emails by Abusing Microsoft Support

<div id="weekly">The intelligence in this week’s iteration discuss the following threats: APT, APT platform, Banking trojan, Botnet, Malspam, Phishing, Spear phishing, Targeted attacks, Vulnerabilities, and Zero day. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.<div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><a href="https://thehackernews.com/2019/04/apache-tomcat-security-flaw.html" target="_blank">Apache Tomcat Patches Important Remote Code Execution Flaw</a> (April 15, 2019) The Apache Software Foundation’s open source Java servlet container “Apache Tomcat” has released new versions to address a Remote Code Execution (RCE) vulnerability, registered as “CVE-2019-0232.” The affected Tomcat versions are the following: 9.0.0M1 to 9.0.17, 8.5.0 to 8.5.39, 7.0.0 to 7.0.93. The RCE vulnerability is located in the “Common Gateway Interface” (CGI) Servlet when it is running on the Windows operating system if “enableCmdLineArguments” is enabled. The issue is the way that Java Runtime Environment (JRE) passes command line arguments to Windows. Exploitation of CVE-2019-0232 could allow a threat actor the ability to execute an arbitrary command on a Windows server using an affected Tomcat version. <a href="https://forum.anomali.com/t/apache-tomcat-patches-important-remote-code-execution-flaw/3731" target="_blank">Click here for Anomali recommendation</a><a href="https://motherboard.vice.com/en_us/article/ywyz3x/hackers-could-read-your-hotmail-msn-outlook-microsoft-customer-support" target="_blank">Hackers Could Read Your Hotmail, MSN, and Outlook Emails by Abusing Microsoft Support</a> (April 14, 2019) Microsoft has confirmed that an unknown threat actor (or threat group) was able to compromise one of its customer support agent’s accounts. The actor was then able to use that account to access Microsoft customer email information from Hotmail, MSN, and Outlook accounts. Data that the actor would have been able to collect consist of, at least, who the account communicated with and the email subject lines. In Addition, an unnamed source informed Motherboard reporters that in March 2019, “this abuse of a customer support portal” granted the actor the ability to access any Microsoft-owned email account except those that are corporate accounts. The source also gave reporters details of the attack which those details were later shared again by the source along with screenshots and additional information. However, this incident regarding the ability to access multiple accounts has only been reported on by Motherboard, and it is unclear if the source’s allegations are accurate, at the time of this writing. Furthermore, Microsoft stated in its breach notification email this incident only affected a limited number of its customer accounts, and those customers were notified in a separate email. <a href="https://forum.anomali.com/t/hackers-could-read-your-hotmail-msn-and-outlook-emails-by-abusing-microsoft-support/3732" target="_blank">Click here for Anomali recommendation</a><a href="https://www.darkreading.com/vulnerabilities---threats/us-cert-cisa-warn-of-vuln-in-at-least-4-major-vpns/d/d-id/1334413" target="_blank">US-CERT, CISA Warn of Vuln in At Least 4 Major VPNs</a> (April 12, 2019) The Cybersecurity and Infrastructure Security Agency (CISA) has published an alert regarding the United States Computer Emergency Readiness Team (US-CERT) identifying vulnerabilities in Virtual Private Network (VPN) products. The VPN products affected by the vulnerability, tracked as “VU#192371,” include Cisco, F5 Networks, Palo Alto Networks, and Pulse Secure. The vulnerability consists of the VPN products storing “authentication and/or session cookies insecurely in memory and/or log files.” A threat actor could exploit this vulnerability by first having acquired access to a VPN endpoint, or having stolen the cookie in another way, to bypass authentication methods to subsequently acquire access to all of the applications granted to a user in that VPN session. <a href="https://forum.anomali.com/t/us-cert-cisa-warn-of-vuln-in-at-least-4-major-vpns/3733" target="_blank">Click here for Anomali recommendation</a><a href="https://www.us-cert.gov/ncas/analysis-reports/AR19-100A" target="_blank">Malware Analysis Report (AR19-100A) MAR-10135536-8 – North Korean Trojan: HOPLIGHT</a> (April 10, 2019) The United States Computer Emergency Readiness Team (US-CERT) released a report on a new malware variant, dubbed “HOPLIGHT.” The malware has been attributed to the North Korean Advanced Persistent Threat (APT) group “Lazarus” (also known as HIDDEN COBRA). The malware files act as a proxy application to mask traffic between the malware and operator to create fake TLS handshake sessions using a valid and public SSL certificate. <a href="https://forum.anomali.com/t/malware-analysis-report-ar19-100a-mar-10135536-8-north-korean-trojan-hoplight/3734" target="_blank">Click here for Anomali recommendation</a><a href="https://www.microsoft.com/security/blog/2019/04/10/analysis-of-a-targeted-attack-exploiting-the-winrar-cve-2018-20250-vulnerability/" target="_blank">Analysis of A Targeted Attack Exploiting the WinRAR CVE-2018-20250 Vulnerability</a> (April 10, 2019) A spear phishing campaign utilizing the vulnerability in the archiving tool “WinRAR,” registered as “CVE-2018-20250,” was found to have begun in early March, according to the Microsoft Office 365 ATP Research team. The emails purport to be from the Ministry of Foreign Affairs of the Islamic Republic of Afghanistan were distributed to “very specific targets” that contained a Microsoft Word attachment. The document, if opened, asks the recipient to download another document from a OneDrive URL. It is the second document that is malicious, which is a tactic used by threat actors to avoid identification of a malicious document directly attached to an email. The second document was observed to contain a malicious macro that, if enabled, will download a PowerShell script backdoor that is capable of exploiting CVE-2018-20250. Researchers believe that the politically motivated, Arabic-speaking threat group “MuddyWater” may be responsible for this campaign. <a href="https://forum.anomali.com/t/analysis-of-a-targeted-attack-exploiting-the-winrar-cve-2018-20250-vulnerability/3735" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&CK] Spearphishing Link (T1192)</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&CK] User Execution (T1204)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&CK] PowerShell (T1086)</a><a href="https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/" target="_blank">Gaza Cybergang Group1, Operation SneakyPastes </a> (April 10, 2019) Kaspersky Lab researchers have observed a new wave of attacks being conducted by threat group “Gaza Cybergang Group1,” targeting embassies and political personnel. The group distributed phishing emails with political-themed lures containing either a link to a malware-hosting domain, or the first-stage malware was attached to the email itself. If a user clicked on the link, they would be prompted to download a RAR file that contained the first stage of the malware. The first stage aims to obtain persistence in the system via the Startup folder and AppData folder. Once persistence is achieved, the malware will beacon to the Command and Control (C2) server to install a Remote Access Trojan (RAT) onto the infected device. The RAT then searches for specific file extensions to compress into a RAR file and upload to the C2. The countries with the most infections by this threat group were Egypt, Israel, Jordan, Lebanon, Palestinian Territories, Saudi Arabia, Syria, and the UAE. <a href="https://forum.anomali.com/t/gaza-cybergang-group1-operation-sneakypastes/3736" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&CK] User Execution (T1204)</a> | <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&CK] Spearphishing Link (T1192)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&CK] PowerShell (T1086)</a> | <a href="https://ui.threatstream.com/ttp/947240">[MITRE ATT&CK] Data Compressed (T1002)</a> | <a href="https://ui.threatstream.com/ttp/947259">[MITRE ATT&CK] Data Encoding (T1132)</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&CK] Exfiltration Over Command and Control Channel (T1041)</a> | <a href="https://ui.threatstream.com/ttp/947113">[MITRE ATT&CK] Startup Items (T1165)</a> | <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&CK] Data Encrypted (T1022)</a><a href="https://www.kaspersky.com/blog/taj-mahal-apt/26370/" target="_blank">Another Taj Mahal (Between Tokyo and Yokohama) </a> (April 9, 2019) In late 2018, researchers from Kaspersky Lab observed an unspecified attack on an unnamed diplomatic entity in a Central Asian country and discovered a previously unknown Advanced Persistent Threat (APT) platform tool, called “TajMahal.” This spyware framework contains at least 80 different malicious module plugins and has been in operation for at least the past five years. The platform is made up of two parts: “Tokyo” and “Yokohama,” where Tokyo acts as the main backdoor into an infected computer and delivers second-stage malware. Yokohama is the payload delivered in the second stage and creates a virtual file system with plugins, third-party libraries, and configuration files. It has only been confirmed to have infected one victim, leading researchers to believe more will be identified in the future. <a href="https://forum.anomali.com/t/another-taj-mahal-between-tokyo-and-yokohama/3737" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&CK] System Information Discovery (T1082)</a> | <a href="https://ui.threatstream.com/ttp/947113">[MITRE ATT&CK] Startup Items (T1165)</a><a href="https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" target="_blank">Gustuff Banking Botnet Targets Australia </a> (April 9, 2019) Cisco Talos researchers have published a report regarding a new Android-based campaign that has been targeting Australian financial institutions. The campaign is associated to the "ChristinaMorrow" text message-based spam campaign that sends a URL in a text message which initiates the dropping of the malware if it is clicked upon. The actors behind this campaign are also using SMS messages to distribute malware, in this case, the banking trojan, “Gustuff.” If a user installs the malware via SMS, the malware will access the infected device’s contact list and send malicious SMS to those contacts. Gustuff can also connect to a Command and Control (C2) server to obtain commands to harvest for credentials from targeted applications, and steal personal information on the device. The malware is packed to break a standard debugger and obfuscated to make detection and analysis more difficult. <a href="https://forum.anomali.com/t/gustuff-banking-botnet-targets-australia/3738" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&CK] User Execution (T1204)</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&CK] Obfuscated Files or Information (T1027)</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&CK] Exfiltration Over Command and Control Channel (T1041)</a> | <a href="https://ui.threatstream.com/ttp/1260092">[MITRE MOBILE-ATT&CK] Malicious SMS Message (MOB-T1057)</a> | <a href="https://ui.threatstream.com/ttp/1260052">[MITRE MOBILE-ATT&CK] Access Contact List (MOB-T1035)</a> | <a href="https://ui.threatstream.com/ttp/1260108">[MITRE MOBILE-ATT&CK] Premium SMS Toll Fraud (MOB-T1051)</a><a href="https://blog.eset.ie/2019/04/09/oceanlotus-macos-malware-update/" target="_blank">OceanLotus: macOS Malware Update</a> (April 9, 2019) The Advanced Persistent Threat (APT) group, “OceanLotus,” has been observed to have expanded their toolset to include macOS malware, according to ESET researchers. It is unclear how the malware initially infects a user to install the backdoor malware, as of this writing. The malware sample is packed with UPX to make it more difficult for sandboxes and debuggers to detect it. The backdoor commands in this malware are similar to older backdoors used by the APT, but the Command and Control (C2) servers are more recent. <a href="https://forum.anomali.com/t/oceanlotus-macos-malware-update/3739" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947268">[MITRE ATT&CK] Hidden Files and Directories (T1158)</a> | <a href="https://ui.threatstream.com/ttp/947164">[MITRE ATT&CK] File Deletion (T1107)</a> | <a href="https://ui.threatstream.com/ttp/2336968">[MITRE ATT&CK] File Permissions Modification (T1222)</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&CK] Obfuscated Files or Information (T1027)</a> | <a href="https://ui.threatstream.com/ttp/947096">[MITRE ATT&CK] Timestomp (T1099)</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&CK] System Information Discovery (T1082)</a> | <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&CK] Data Encrypted (T1022)</a> | <a href="https://ui.threatstream.com/ttp/947289">[MITRE ATT&CK] Custom Command and Control Protocol (T1094)</a><a href="https://threatpost.com/tp-link-routers-vulnerable-to-zero-day-buffer-overflow-attack/143575/" target="_blank">TP-Link Routers Vulnerable to Zero-Day Buffer Overflow Attack</a> (March 8, 2019) IBM Security researchers have identified that two models of TP-Link’s routers, “TL-WR940N” and “TL-WR941ND,” have zero-day vulnerabilities that could allow a remote threat actors to take control of the device. The vulnerabilities lie in the web-based control panel that users utilize to configure the routers. “When a user sends ping requests, a message is displayed on the device’s console referring to native code compiled to the firmware’s binary,” which can allow a threat actor to create a buffer overflow attack. Despite the routers being discontinued, they are still available to purchase in stores like Walmart and Target. <a href="https://forum.anomali.com/t/tp-link-routers-vulnerable-to-zero-day-buffer-overflow-attack/3740" target="_blank">Click here for Anomali recommendation</a><a href="https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/" target="_blank">Mirai Compiled for New Processors Surfaces in the Wild</a> (April 8, 2019) Researchers from Palo Alto Networks discovered new samples of the “Mirai” botnet malware that are compiled for additional processor architectures. The new samples were developed for Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors. This means that the number of affected devices has increased substantially so Mirai-using actors have more capabilities to conduct Distributed-Denial-of-Service (DDoS) attacks. The samples contained several new features that highlights the continual evolution and usage of the botnet. The new features are a modified version of the standard Mirai encryption algorithm, a new DDoS attack option, and the exploitation of five registered vulnerabilities. The vulnerabilities include “CVE-2014-8361” and “CVE-2017-17215” Remote Code Execution (RCE) vulnerabilities, alongside two other RCE vulnerabilities and one command injection vulnerability. <a href="https://forum.anomali.com/t/mirai-compiled-for-new-processors-surfaces-in-the-wild/3741" target="_blank">Click here for Anomali recommendation</a></div><div id="observed-threats"><h2 id="observedthreats">Observed Threats</h2></div><div id="threat_model">Additional information regarding the threats discussed in this week’s Community Threat Briefing can be found below:<div id="threat_model_actors"><div><a href="https://ui.threatstream.com/actor/281" target="_blank">Lazarus Group</a>The Advanced Persistent Threat group (APT) “Lazarus Group” is believed to be based in the Democratic People's Republic of Korea (DPRK) and has been active since at least 2009. Lazarus Group is believed to be composed of operatives from “Bureau 121” (121?), the cyber warfare division of North Korea’s Reconnaissance General Bureau. The Reconnaissance General Bureau was formed due to a reorganization in 2009 but its exact structure is not known due to North Korea’s denial and deception tactics. Bureau 121 is North Korea’s most important cyber unit that is used for both offensive and defensive operations. Bureau 121 are referred, in South Korean open-source media, as the “Electronic Reconnaissance Bureau’s Cyber Warfare Guidance Bureau” (????? ???????). The term “guidance” in the context of North Korea often denotes that an organization is personally overseen by the head of state of North Korea as a strategically significant entity. Lazarus Group has targeted financial organizations since at least July 2009, The group is well known for their tendency to engage in data destruction/disk wiping attacks, and network traffic Distributed Denial-of-Service (DDoS) attacks, typically against the Republic of Korea (South Korea). The group targets various industries and sectors including South Korean and US government organizations, Non-Governmental Organizations (NGO), media and entertainment organizations, as well as shipping and transportation organizations, Korean hydro and nuclear power, and jamming of South Korean GPS.</div></div></div></div>