October 8, 2019
-
Anomali Threat Research
,

Weekly Threat Briefing: Iran Caught Targeting US Presidential Campaign Accounts

<p>This section listed below contains summaries on various threat intelligence stories that occurred during the past week. The intelligence in this week’s iteration discuss the following threats: <b>Adwind, Casbanerio, Data Breach, Iran, PII, Phosphorus, Ransomware, Remote Access Trojan, RevengeRat</b>. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><h2>Trending Threats</h2><p><a href="https://www.darkreading.com/endpoint/iran-caught-targeting-us-presidential-campaign-accounts/d/d-id/1336007" target="_blank"><b>Iran Caught Targeting US Presidential Campaign Accounts</b></a> (<i>October 4, 2019</i>)<br/> Phosphorus, an Iranian state attack group, have been targeting the accounts of 241 users connected to a US Presidential campaign. Between August and September, Microsoft observed over 2,700 attempts to identify email accounts associated with customers involved in a US Presidential campaign, along with journalists covering politics. The group gathered publicly-available information to attempt to reset the passwords of the accounts, as well as accessing phone numbers associated with the accounts. The customers affected have been notified by Microsoft.<br/> <a href="https://forum.anomali.com/t/iran-caught-targeting-us-presidential-campaign-accounts/4237" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a></p><p><a href="https://www.bleepingcomputer.com/news/security/lost-files-data-wiper-poses-as-a-windows-security-scanner/" target="_blank"><b>‘Lost Files’ Data Wiper Poses as a Windows Security Scanner</b></a><b> </b> (<i>October 3, 2019</i>)<br/> Malware posing as a Windows Security Scanner is being circulated by email spam, which claims a trojan has been found on the user’s computer. The link leads the user to a “security scanner”, that if downloaded presents a ransom screen demanding $500 in Bitcoins to decrypt the user’s files. While the screen claims to have encrypted the files, in actuality the binary data is corrupt, with the first line removed. It is not known whether the attacker has done this on purpose or not, but has also included weird messages such as ‘Donald Trumps Hair Line’, and messages about Kim Kardashian.<br/> <a href="https://forum.anomali.com/t/lost-files-data-wiper-poses-as-a-windows-security-scanner/4238" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&amp;CK] Data Encrypted - T1022</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a></p><p><a href="https://www.infosecurity-magazine.com/news/zendesk-breach-hits-10000/" target="_blank"><b>Zendesk Breach Hits 10,000 Corporate Accounts</b></a> (<i>October 3, 2019</i>)<br/> Zendesk has disclosed a breach going back to 2016, affecting 10,000 corporate accounts. These accounts, accessed by an unauthorized third party, include high profile clients such as Airbnb, OpenTable, and Uber. The information accessed includes email addresses, end-user passwords, names, and phone numbers, along with configuration settings for apps installed via Zendesk marketplace. Users who haven’t updated their passwords since 2016 will be required to upon signing in. No information was provided on how the breach occurred.<br/> <a href="https://forum.anomali.com/t/zendesk-breach-hits-10-000-corporate-accounts/4239" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a></p><p><a href="https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/" target="_blank"><b>Windows Activator Bundles Banker in Youtube Description</b></a> (<i>October 2, 2019</i>)<br/> Attackers spreading a banking trojan, “Casbanerio”, are using YouTube video descriptions in an attempt to hide Command and Control (C2) addresses. Casbanerio is distributed through ReLoader, a tool used to illegally activate Windows and Microsoft Office, with prevalence in Latin America. Other methods used to conceal C2 addresses for Casbanerio is embedding the address in a Google Docs file amongst random text and encoded in hexadecimal. Using Youtube enables the address to be disguised as it raises no flags due to being regular traffic. The malware is then able to steal banking information, and cryptocurrency, along with distributing other malware.<br/> <a href="https://forum.anomali.com/t/windows-activator-bundles-banker-in-youtube-description/4240" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell - T1086</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/1260045">[MITRE PRE-ATT&amp;CK] Upload, install, and configure software/tools (PRE-T1139)</a> | <a href="https://ui.threatstream.com/ttp/947263">[MITRE ATT&amp;CK] Spearphishing via Service - T1194</a></p><p><a href="https://www.zdnet.com/article/academics-find-eight-vulnerabilities-in-androids-voip-components/" target="_blank"><b>Academics Find Eight Vulnerabilties in Android's VoIP Components</b></a> (<i>October 1, 2019</i>)<br/> Research conducted by academics has identified eight vulnerabilities in the Android operating system’s VoIP (Voice over IP). Focusing on fuzzing, the technique of sending random data through software to see how it will react, the academics were able to discover nine bugs. These bugs include five high severity and one critical vulnerability with the ability for remote code execution, caller ID spoofing, and spam calls. These vulnerabilities were only tested in recent Android versions 7.0 ‘Nougat’, to 9.0 ‘Pie’, and have been reported to Google.<br/> <a href="https://forum.anomali.com/t/academics-find-eight-vulnerabilties-in-androids-voip-components/4241" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/1260052">[MITRE MOBILE-ATT&amp;CK] Access Contact List - T1432</a></p><p><a href="https://www.bleepingcomputer.com/news/security/comodo-forums-breached-data-of-over-170-000-users-up-for-grabs/" target="_blank"><b>Comodo Forums Breach, Data of Over 170,000 Users Up For Grabs</b></a> (<i>October 1, 2019</i>)<br/> A breach in Comodo Forums has over half of the forums’ users data to be stolen and up for sale. Comodo, a cybersecurity firm, used vBulletin software that has a critical vulnerability, which may have resulted in the breach. With a user base of around 245,000 registered users, the data of 170,000 is being sold including birth date, email addresses, IP addresses, passwords, security questions and usernames. An investigation is currently being conducted.<br/> <a href="https://forum.anomali.com/t/comodo-forums-breach-data-of-over-170-000-users-up-for-grabs/4242" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a> | <a href="https://ui.threatstream.com/ttp/947209">[MITRE ATT&amp;CK] Third-party Software - T1072</a> | <a href="https://ui.threatstream.com/ttp/2402693">[MITRE PRE-ATT&amp;CK] Identify vulnerabilities in third-party software libraries - T1389</a></p><p><a href="https://www.netskope.com/blog/new-adwind-campaign-targets-us-petroleum-industry-2" target="_blank"><b>New Adwind Campaign Targets US Petroleum Industry</b></a> (<i>October 1, 2019</i>)<br/> Threat actors utilizing the “Adwind” Remote Access Trojan (RAT) are targeting organizations in the US petroleum industry, according to Netskope researchers. Adwind was found in the wild being hosted on a serving domain for this campaign. The malware is capable of conducting process injection, stealing data, terminating security services (firewall, anti-virus), and achieving persistence by manipulating the registry. New capabilities observed in Adwind for this campaign is the obfuscation technique “wherein multiple embedded JAR archives are used before unpacking the actual payload.”<br/> <a href="https://forum.anomali.com/t/new-adwind-campaign-targets-us-petroleum-industry/4243" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947229">[MITRE ATT&amp;CK] Data Obfuscation - T1001</a> | <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&amp;CK] Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947211">[MITRE ATT&amp;CK] Registry Run Keys / Start Folder (T1060)</a> | <a href="https://ui.threatstream.com/ttp/947077">[MITRE ATT&amp;CK] Windows Management Instrumentation - T1047</a> | <a href="https://ui.threatstream.com/ttp/947109">[MITRE ATT&amp;CK] Security Software Discovery - T1063</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&amp;CK] Data Encrypted - T1022</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&amp;CK] Exfiltration Over Command and Control Channel - T1041</a></p><p><a href="https://www.vic.gov.au/cyber-health-incident" target="_blank"><b>Cyber Health Incident</b></a> (<i>October 1, 2019</i>)<br/> The systems of hospitals and health services in Gippsland and south-west Victoria have been affected by a cybersecurity incident. While the full impact isn’t currently known, multiple systems were blocked due to ransomware leading to systems being disconnected to stop further infection. It appears as though no patient information was accessed or stolen, however, the shutdown has led hospitals to be without patient data such as x-rays and charts. An investigation is currently underway.<br/> <a href="https://forum.anomali.com/t/cyber-health-incident/4244" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a> | <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&amp;CK] Data Encrypted - T1022</a></p><p><a href="https://blog.talosintelligence.com/2019/09/odt-malware-twist.html" target="_blank"><b>Open Document Creates Twist In Maldoc Landscape</b></a> (<i>September 30, 2019</i>)<br/> Cisco Talos researchers have identified attackers attempting to dodge antivirus software by changing the file formats. Using an OpenDocument (ODT) file format, for a Microsoft Office application can evade detection as certain antivirus software don’t apply the same rules to ODT files as standard Office files. While most attackers are using Microsoft Office for malicious documents, using an ODT file may be more successful. In one observed campaign, an embedded OLE object was contained in an ODT document, requiring user interaction. Executing two HTA scripts, RevengeRat was the payload in the English version of the campaign.<br/> <a href="https://forum.anomali.com/t/open-document-creates-twist-in-maldoc-landscape/4245" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell - T1086</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a></p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.