
Weekly Threat Briefing: Iranian APTs, Airport Cybersecurity, Phishing Attack on Puerto Rican Government, Ransomware, and More

February 19, 2020 | Anomali Threat Research Team

The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Malware, Phishing, Remote Access Trojans, Viruses, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Iranian state-sponsored Advanced Persistent Threat (APT) groups are prioritizing the exploitation of vulnerabilities in enterprise VPN servers, such as those sold by Pulse Secure, Fortinet, and Palo Alto Networks, according to a report published by researchers at security firm ClearSky. The report highlights the technical offensive capabilities of Iranian APT groups and points to a considerable interest in exploiting newly disclosed VPN vulnerabilities in order to plant backdoors in companies internationally. According to ClearSky, in 2019 Iranian groups exploited VPN vulnerabilities disclosed by Pulse Secure, Fortinet, and Palo Alto Networks (CVE-2019-11510, CVE-2018-13379, and CVE-2019-1579, respectively), and the attacks are continuing into 2020. The activity appears to be the work of at least three Iranian APT groups working collectively (APT33, APT34, and APT39) and is most likely aimed at surveillance and reconnaissance. However, compromised networks could later be weaponized to disrupt business operations, as data-wiping malware has been linked to Iranian activity since 2019.
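The briefing's advice is to check your logs for the attached IOCs. Two of the three VPN bugs named above are path-traversal flaws that are exploited with a single crafted HTTP request, so their exploitation is visible in ordinary web-style access logs. The following scanner is an added example written for this briefing; it is not code from ClearSky or Anomali. It assumes combined-format access logs (nginx/Apache style, as produced by a reverse proxy in front of the appliance or by a log export), and the request shapes it matches are the ones from the public proof-of-concept write-ups for CVE-2019-11510 and CVE-2018-13379, not patterns taken from the report. The Palo Alto bug (CVE-2019-1579) is a format-string flaw whose payload travels in the request body rather than the URL, so a URL rule cannot catch it and it is deliberately left out. The sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request shapes from the public write-ups of the two path-traversal bugs.
# These are assumptions of this example, not signatures from the ClearSky
# report; tune them against your own appliance's URL space.
RULES = {
    # Pulse Secure: traversal out of /dana-na/ with the guacamole query suffix
    # that makes the handler serve an arbitrary file (e.g. /etc/passwd).
    "CVE-2019-11510": re.compile(
        r"/dana-na/\.\./dana/html5acc/guacamole/(?:\.\./)+[^?\s]*\?/dana/html5acc/guacamole/"
    ),
    # FortiOS SSL VPN: lang= traversal that reads the session-cache file,
    # which holds plaintext credentials of logged-in users.
    "CVE-2018-13379": re.compile(
        r"/remote/fgt_lang\?lang=[^\s]*\.\.[^\s]*sslvpn_websession"
    ),
}

# Combined log format: client, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def normalise(target: str) -> str:
    """Decode percent-encoding twice so encoded '..' (or double-encoded
    '%252e%252e') cannot slip past the rules."""
    return unquote(unquote(target))


def match_vpn_exploit(target: str):
    """Return the CVE id whose request shape matches this URL target, or None."""
    decoded = normalise(target)
    for cve, rule in RULES.items():
        if rule.search(decoded):
            return cve
    return None


def scan_lines(lines):
    """Return one finding per log line that matches a rule.

    A 200 on the traversal request means the appliance served the file; any
    other status is still a probe worth knowing about, but not a confirmed read.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        cve = match_vpn_exploit(m["target"])
        if cve is None:
            continue
        findings.append({
            "cve": cve,
            "src": m["src"],
            "timestamp": m["ts"],
            "status": int(m["status"]),
            "file_served": m["status"] == "200",
        })
    return findings


# Constructed sample lines for illustration; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Feb/2020:03:14:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Feb/2020:03:14:02 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 2031 "-" "python-requests/2.22.0"',
    '198.51.100.23 - - [11/Feb/2020:03:20:17 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 404 0 "-" "curl/7.64.0"',
    '198.51.100.23 - - [11/Feb/2020:03:20:18 +0000] "GET /remote/fgt_lang?lang=%2F..%2F..%2F..%2F..%2F%2F%2F%2F%2F%2F%2F%2F%2F%2Fdev%2Fcmdb%2Fsslvpn_websession HTTP/1.1" 200 1488 "-" "curl/7.64.0"',
    '192.0.2.9 - - [11/Feb/2020:03:25:00 +0000] "POST /remote/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LOG):
        print(finding)
```

Two points worth carrying into a production rule: decode the URL before matching, because the fourth sample line is the same FortiOS read with the traversal percent-encoded and would otherwise be missed; and treat the status code as the severity signal, since a 200 on either request means the file was served and the affected credentials or session cache should be considered exposed.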

Researchers at Cisco Talos have identified a new version of “Loda,” an AutoIT-based Remote Access Trojan (RAT), being used in a malware campaign targeting countries in Central and South America as well as the United States. Loda was first observed in 2016, but the new version has improved obfuscation techniques and can maintain persistence on a system across reboots. The victim receives a phishing email carrying the first-stage document as an attachment. If the attachment is opened, a second document attempts to exploit a memory corruption vulnerability in Microsoft Office (CVE-2017-11882) that permits the execution of arbitrary code. According to Talos researcher Chris Neal, if the exploit succeeds, the trojan is delivered via a malicious MSI file; its credential-stealing capabilities can lead to “significant financial loss or a potential data breach.” These new persistence and obfuscation mechanisms show that Loda's functionality is being actively improved.
MITRE ATT&CK: [MITRE ATT&CK] Data Obfuscation - T1001 | [MITRE ATT&CK] File Permissions Modification - T1222 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] User Execution - T1204


An arbitrary code execution vulnerability has been identified in Dell SupportAssist, software that comes preinstalled on most Dell Windows-based endpoint devices. According to the advisory released by Dell, the high-severity vulnerability (CVE-2020-5316) is an uncontrolled search path issue: a malicious actor with a low-privilege user account can place a Dynamic-Link Library (DLL) where SupportAssist will find it first, causing the privileged process to load arbitrary code and thereby elevate privileges. A fix has been released by Dell and is available in the latest version of the software (Home PCs 3.4.1, Business PCs 2.1.4).
MITRE ATT&CK: [MITRE ATT&CK] File Permissions Modification - T1222


The Puerto Rican government has confirmed that $2.6 million USD was unintentionally paid to cyber criminals after an email-based phishing scam targeted Puerto Rico's Industrial Development Company (IDC). The IDC is a government-owned corporation that works with local and foreign investors to improve economic development in Puerto Rico. According to the police filing and agency executives, an IDC employee transferred the funds on January 17, 2020 after receiving an email claiming that the recipient's remittance payment method had changed. It is unknown whether Puerto Rican officials have been able to recover any of the money.

Application security company ImmuniWeb published research findings on the cybersecurity, compliance, and privacy posture of the world's largest airports, shedding light on vulnerabilities within the aviation transportation industry. The research covered 100 of the largest airports in the world and analyzed main website security, mobile application security, and dark web exposure. 97% of the websites ran outdated web software, 100% of the mobile apps contained at least two vulnerabilities, and 87% of the airports had data leaks in public code repositories. Of the 100 airports, only three passed all the tests without a single major issue detected: Amsterdam Airport Schiphol, Dublin Airport, and Helsinki-Vantaa Airport. ImmuniWeb CEO Ilia Kolochenko commented that the results were “quite alarming,” and that attacks aimed at airports can directly disrupt critical infrastructure internationally.

Security researchers at Binary Defense have discovered a new attack vector for Emotet: a “WiFi spreader” module that can jump from one infected network to another by abusing weakly protected WiFi networks. The module runs on the initial Emotet victim and brute-forces the passwords of WiFi networks within radio range in order to connect to them. This means that physical proximity to an Emotet-infected network, coupled with an overly simple WiFi password, could allow Emotet to infect a neighboring network. WiFi has not been a traditional propagation vector for malware strains like Emotet, and this newly discovered module shows an increase in the attack capabilities of Emotet's authors.
MITRE ATT&CK: [MITRE ATT&CK] Network Service Scanning - T1046


KBOT: Sometimes They Come Back 

(published February 10, 2020)
Kaspersky Lab has discovered a new malware that spreads by injecting malicious code into Windows executable files. According to the researchers, the malware, dubbed “KBOT,” is one of the first “living” viruses observed in the wild in recent years. KBOT can spread through local networks, removable drives, and web-facing systems. The virus is able to spread quickly on the system and across the local network by infecting executable files, which cannot be recovered once infected. The actor behind the virus can enable “remote desktop sessions, steal personal data, and perform web injects for the purpose of stealing users' bank data,” according to the Kaspersky Lab team.
MITRE ATT&CK: [MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041


A new ransomware has been found targeting Remote Monitoring and Management (RMM) software used by Managed Service Providers (MSPs). Discovered in late December 2019, the ransomware, dubbed “Ragnar Locker” by its creators, has been analyzed by researchers at BleepingComputer, Huntress Labs, and SentinelLabs. It has been observed encrypting files and terminating processes and services belonging to the remote support applications that undisclosed MSPs use to manage their clients. The threat actors behind Ragnar Locker perform reconnaissance before execution and customize the ransom note and ransom amount accordingly; BleepingComputer has observed ransom demands ranging from $200,000 to $600,000 USD. According to the ransomware's creators, pre-deployment tasks include stealing victims' files, which are then used to threaten public release of private information if the ransom is not paid.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Disabling Security Tools - T1089


The U.S. Federal Bureau of Investigation (FBI) has released a security alert to the private sector regarding an ongoing cyber campaign targeting software supply chain providers that support energy sector Industrial Control Systems (ICS). According to the FBI, the threat actors behind the campaign are attempting to infect victim companies with a Remote Access Trojan (RAT) known as “Kwampirs” in order to gain access to the networks of their strategic partners and customers. The FBI believes Kwampirs has also been deployed in attacks against companies in the energy, financial, and healthcare sectors. The FBI states that comparative forensic analysis reveals “numerous similarities” between Kwampirs and Shamoon, the data-wiping malware attributed to the Iranian state-sponsored Advanced Persistent Threat (APT) group “APT33.” The alert did not identify any targeted companies or victims, and urges businesses to scan their networks for any signs of Kwampirs infection.
MITRE ATT&CK: [MITRE ATT&CK] Supply Chain Compromise - T1195


About the Author

Anomali Threat Research Team
