Weekly Threat Briefing: Iranian Hackers Have Been ”˜Password-Spraying' the US Grid

<div id="weekly">The intelligence in this week’s iteration discuss the following threats: APTs, Credential theft, Iran, Malware, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.<img src="https://anomali-labs-public.s3.amazonaws.com/589660.png"/> Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.<div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><a href="https://www.bleepingcomputer.com/news/security/android-trojan-kills-google-play-protect-spews-fake-app-reviews/" target="_blank">Android Trojan Kills Google Play Protect, Spews Fake App Reviews</a> (January 11, 2019) An Android malware strain has been identified by researchers at Kaspersky Lab. “Trojan-Dropper.AndroidOS.Shopper.a” is being used by threat actors to increase application installations and ratings to fool advertisers with false metrics. The trojan is a malicious app that is likely distributed through third-party app stores and is disguised as a legitimate system application for obfuscation. A malicious actor can disable the Google Play Protect service once the device is infected, and abuses the Accessibility Service, a known Android malware tactic, to conduct activities without needing user interaction. The actor can steal information from the device, such as email addresses, International Mobile Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI), network type, and smartphone model, for exfiltration back to the actors’ servers. A series of commands is sent to infected devices with the intent to generate fake reviews, install apps onto the device, and register social media accounts to apps. According to Kaspersky Lab researcher Igor Golovin, the trojan is most widespread in Russia, Brazil, and India, accounting for over 61% of infected users. <a href="https://forum.anomali.com/t/android-trojan-kills-google-play-protect-spews-fake-app-reviews/4494" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/1260054">[MITRE MOBILE-ATT&CK] Access Sensitive Data or Credentials in Files - T1409</a> | <a href="https://ui.threatstream.com/ttp/947117">[MITRE ATT&CK] Automated Collection - T1119</a> | <a href="https://ui.threatstream.com/ttp/947193">[MITRE ATT&CK] Automated Exfiltration - T1020</a> | <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&CK] Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947115">[MITRE ATT&CK] Disabling Security Tools - T1089</a> | <a href="https://ui.threatstream.com/ttp/947141">[MITRE ATT&CK] Masquerading - T1036</a><a href="https://www.forbes.com/sites/daveywinder/2020/01/10/paypal-confirms-high-severity-password-security-vulnerability/#4ee17e261b50" target="_blank">PayPal Confirms ‘High-Severity’ Password Security Vulnerability</a> (January 10, 2019) A critical security vulnerability has been confirmed by PayPal that could have potentially exposed user passwords to malicious actors. The researcher that discovered the vulnerability, Alex Birsan, reported their findings to PayPal on November 18, 2019, and a patch was released 18 days later. According to PayPal, "sensitive, unique tokens were being leaked in a JS file used by the recaptcha implementation," using Cross-Site Script Inclusion (XSSI) attacks. Birsan explained that while a malicious party would need to convince the targeted user to visit a malicious website prior to logging into their PayPal account, plain text credentials could be retrieved from the prior Google CAPTCHA validation request session data and displayed on the page. Phishing and social engineering could assist a highly-motivated actor in fooling a user into visiting a malicious site and enacting this credential-theft strategy. The PayPal patch resolved the vulnerability, and “implemented additional controls on the security challenge request to prevent token reuse, which resolved the issue, and no evidence of abuse was found,” according to the company. <a href="https://forum.anomali.com/t/paypal-confirms-high-severity-password-security-vulnerability/4495" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&CK] Conduct social engineering (PRE-T1056)</a> | <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&CK] Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947209">[MITRE ATT&CK] Third-party Software - T1072</a><a href="https://www.zdnet.com/article/hundreds-of-millions-of-cable-modems-are-vulnerable-to-new-cable-haunt-vulnerability/" target="_blank">Hundreds of Millions of Cable Modems Vulnerable to New “Cable Haunt” Vulnerability</a> (January 10, 2019) Security research group Lyrebirds from Denmark, have disclosed a vulnerability in cable modems using Broadcom chips with a spectrum analyzer component. The vulnerability has been dubbed “Cable Haunt,” and is believed to impact an estimated 200 million cable modems in Europe, with a possibility of impacting users across the globe. According to the researchers, the spectrum analyzer lacks protection against DNS rebinding attacks and uses default credentials, and also contains a programming error in its firmware. At the time of this writing, the researchers have yet to test all of the cable modem models that may be vulnerable, and have created a website dedicated to informing as many affected users and providers as possible. Exploiting Cable Haunt is extremely complex, as the vulnerable spectrum analyzer component is only available on the cable modem’s internal network, and not exposed directly to the internet. While challenging, a determined threat actor could trick a target user into accessing a malicious page through their browser, and could then exploit the vulnerable component to execute commands on the device. A successful actor could conduct remote man-in-the-middle attacks, change config files and settings, and disable ISP firmware upgrades. <a href="https://forum.anomali.com/t/hundreds-of-millions-of-cable-modems-vulnerable-to-new-cable-haunt-vulnerability/4496" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting - T1064</a><a href="https://googleprojectzero.blogspot.com/2020/01/remote-iphone-exploitation-part-1.html?m=1" target="_blank">Remote iPhone Exploitation Part 1: Poking Memory via iMessage and CVE-2019-8641</a> (January 9, 2019) The Project Zero team at Google have detailed a vulnerability in iMessage that can be exploited remotely to activate the camera and microphone, as well as steal emails, passwords, and text messages. The vulnerability (CVE-2019-8641) affects iOS 12.4, allowing a remote actor to cause unexpected application termination or arbitrary code execution. A patch was issued by Apple in August 2019, but users that are still running iOS 12.4 remain vulnerable to this type of attack. Researcher Samuel Gross demonstrated the weaknesses in a data-randomizing security feature called ASLR in the iPhone operating system, abusing the “receipts” feature in iMessages to accomplish remote code execution. <a href="https://forum.anomali.com/t/remote-iphone-exploitation-part-1-poking-memory-via-imessage-and-cve-2019-8641/4497" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/1260054">[MITRE MOBILE-ATT&CK] Access Sensitive Data or Credentials in Files - T1409</a> | <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&CK] Exploitation for Client Execution - T1203</a><a href="https://www.zdnet.com/article/new-iranian-data-wiper-malware-hits-bapco-bahrains-national-oil-company/" target="_blank">New Iranian Data Wiper Malware Hits Bapco, Bahrain's National Oil Company</a> (January 9, 2019) On December 29, 2019, Iran-sponsored threat actors deployed a strain of new data-wiping malware, known as “Dustman,” on the network of the Bahraini national oil company, Bapco. The details of the attack are provided in a security alert published by Saudi Arabia’s National Cybersecurity Authority (CNA), which was sent to local companies involved in the energy market to warn of impending attacks. The incident demonstrates Iran’s advanced capabilities in launching cyberattacks, which has been of great international interest due to U.S. and Iranian political tension. The Dustman data-wiper is designed to delete data on infected computers when executed, and appears to be an upgraded and more advanced version of “ZeroCleare” malware that was first discovered in September 2019. The two important differences in Dustman are that all necessary drivers and loaders are delivered in one executable, and Dustman has the ability to completely overwrite the volume. The CNA believes with "moderate confidence" that the initial attack vector was a Virtual Private Network (VPN) server containing a remote code execution vulnerability that had been disclosed in the summer of 2019. This could potentially be referring to VPN servers from Fortinet or Pulse Secure. Bapco officials learned of the incident the day following the attack, as employee workstations that were in “Sleep Mode” during the attack sent antivirus detections of the malware attempting to execute when they were turned on the morning of December 30, as the antivirus was no longer disabled from the attack. <a href="https://forum.anomali.com/t/new-iranian-data-wiper-malware-hits-bapco-bahrains-national-oil-company/4498" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947164">[MITRE ATT&CK] File Deletion - T1107</a><a href="https://www.wired.com/story/iran-apt33-us-electric-grid/amp" target="_blank">Iranian Hackers Have Been ‘Password-Spraying’ the US Grid</a> (January 9, 2019) The Iran-sponsored Advanced Persistent Threat (APT) group “APT33” have been working to exploit American electric and gas utilities, according to a report by security firm Dragos. Researchers at Dragos have observed APT33 carrying out password-spraying attacks targeting US utilities and oil and gas firms, guessing a set of common passwords for thousands of different accounts. APT33 appears to have been cooperating with another threat group, dubbed “Parasite” by Dragos, who were attempting to exploit vulnerabilities in VPN software of the same US electric utilities and oil and gas firms. According to the research, the intrusion campaign ran throughout all of 2019, and continues as of this writing. Dragos has not commented on whether or not any activities by APT33 and Parasite have resulted in an actual breach. <a href="https://forum.anomali.com/t/iranian-hackers-have-been-password-spraying-the-us-grid/4499" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947227">[MITRE ATT&CK] Brute Force - T1110</a><a href="https://blog.talosintelligence.com/2020/01/mideast-tensions-preparations.html" target="_blank">What The Continued Escalation of Tensions in the Middle East Means For Security</a> (January 8, 2019) Researchers at Cisco Talos are working to evaluate potential Iranian threats and attack vectors, especially those impacting critical infrastructure and high-profile businesses. In a blog post, the Cisco Talos team discusses the aspects and indicators of prior campaigns in the Middle East, and more specifically, Iranian-attributed campaigns, and shines some light on likely tactics of future campaigns. Iran has been an active cyber adversary to the U.S. since 2011, with attribution in large-scale denial-of-service attacks and campaigns with “Shamoon” and “ZeroCleare” data-wiper malware. They are believed to have conducted espionage campaigns against universities and companies to steal research and intellectual property, and attack DNS infrastructures using social engineering and watering hole techniques against target organizations. Talos highlights the willingness of threat actors in the region to attack critical components of the Internet, most notably DNS, and elaborates that the heightened political tensions can make for a very dangerous adversary. <a href="https://forum.anomali.com/t/what-the-continued-escalation-of-tensions-in-the-middle-east-means-for-security/4500" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&CK] Conduct social engineering (PRE-T1056)</a> | <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&CK] Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947136">[MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/947240">[MITRE ATT&CK] Data Compressed - T1002</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&CK] PowerShell - T1086</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947211">[MITRE ATT&CK] Registry Run Keys / Start Folder (T1060)</a> | <a href="https://ui.threatstream.com/ttp/947278">[MITRE ATT&CK] Remote File Copy - T1105</a> | <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment - T1193</a><a href="https://securelist.com/operation-applejeus-sequel/95596/" target="_blank">Operation AppleJeus Sequel: Lazarus Continues to Attack the Cryptocurrency Business with Enhanced Capabilities</a> (January 8, 2019) According to Kaspersky Lab researchers, “Lazarus” Advanced Persistent Threat (APT) group has continued to target cryptocurrency businesses using macOS malware similar to the “Operation AppleJeus” attacks that took place in 2018, calling this new campaign the “Sequel” to Operation AppleJeus. The threat group leveraged public source code to build macOS installers, using similar post installer scripts, as well as the same command-line argument to execute the second-stage as the Operation AppleJeus macOS “Lazarus Loader” malware. The researchers suspect that the installer is delivered via Telegram messenger, due to the discovery of the threat actor’s Telegram group. Sequel modifications include the use of a malicious application called “UnionCryptoTrader” that executes from the Telegram messenger download folder. Other modifications include the use of GitHub to host the malware, using Object-C instead of the QT framework, and the use of a significantly different post-install script of macOS malware. Lazarus appears to have created fake cryptocurrency-themed websites for this campaign, but the pages did not work as intended, as most links that the researchers observed were not functional. While the identity of targeted victim organizations of the Operation AppleJeus Sequel campaign are undisclosed, the targeted victims were located in China, Poland, Russia, and the UK and were linked to cryptocurrency business entities. <a href="https://forum.anomali.com/t/operation-applejeus-sequel-lazarus-continues-to-attack-the-cryptocurrency-business-with-enhanced-capabilities/4501" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting - T1064</a><a href="https://www.theverge.com/2020/1/8/21050589/tiktok-patched-vulnerability-hackers-videos-china-bytedance-checkpoint" target="_blank">TikTok Vulnerability Could Have Let Hackers Access Users’ Videos</a> (January 8, 2019) Vulnerabilities have been discovered within the popular video sharing app “TikTok,” allowing app users to receive spoofed text messages from malicious actors that appear to come from the company. Researchers at Check Point found that it is possible to send links via SMS text messages to TikTok users that appear to be sent directly from TikTok. Once a user clicks the fake link within the text, the malicious actor has access to parts of the user’s TikTok account, allowing the actor to change public and private sharing settings, as well as upload and delete videos. The infrastructure allowed a malicious actor to redirect the user to a malicious website designed to look like TikTok’s homepage, which could have been combined with cross-site scripting and other attacks on the user account. Check Point notified TikTok about the security vulnerabilities in November, and TikTok has since fixed the vulnerabilities in it’s latest version of the app released January 3, 2020. TikTok has close to 1.5 billion global users, and could be highly targeted due to the amount of potentially private information being transferred through the app. <a href="https://forum.anomali.com/t/tiktok-vulnerability-could-have-let-hackers-access-users-videos/4502" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&CK] Conduct social engineering (PRE-T1056)</a><a href="www.tomshardware.com/amp/news/clop-ransomware-terminates-663-processes" target="_blank">CLOP Ransomware Now Terminates 663 Processes Before Encrypting Your Files</a> (January 7, 2019) “CLOP” ransomware has recently evolved into a more sophisticated trojan, reportedly terminating a total of 663 processes before encrypting any files. CLOP ransomware, reportedly used by Russian cyber threat group “TA505,” has been in circulation since February 2019 and is a CryptoMix ransomware variant, with similar features seen within this family of ransomware since 2017. According to MalwareHunterTeam and reverse engineer Vitali Kremez, this new version of CLOP disables processes like Adobe Acrobat, Microsoft Office applications, notepad and notepad++, among others, allowing CLOP to encrypt more popular file types. In December 2019, CLOP had infected the University of Maastricht in the Netherlands, disabling all Windows systems. The university is investigating the attack, trying to determine whether actors were able to gain access to scientific data. It is suspected that TA505 is behind the attack, as they have adopted CLOP ransomware as their final payload of choice in other attributed attacks. <a href="https://forum.anomali.com/t/clop-ransomware-now-terminates-663-processes-before-encrypting-your-files/4503" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947115">[MITRE ATT&CK] Disabling Security Tools - T1089</a></div><div id="observed-threats"><h2 id="observedthreats">Observed Threats</h2></div><div id="threat_model">This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. <a href="http://https://www.anomali.com/products" target="_blank">A ThreatStream account is required to view this section</a>.<div id="threat_model_actors"><div><a href="https://ui.threatstream.com/actor/2433" target="_blank">APT33</a>The Advanced Persistent Threat (APT) group “APT33” is believed to be an Iranian-based group that has been active since at least 2013. APT33 conducts cyber espionage campaigns and deploys destructive malware on an organizations primarily situated in Saudi Arabia but have also targeted firms in South Korea and the United States. They are believed to be a state-sponsored group, because their campaigns target firms that would align to Iranian government and military interests. They have heavily targeted the aviation industry in Saudi Arabia, which may suggest that they are attempting to acquire knowledge on Saudi Arabia’s military aviation capabilities in order to enhance their domestic aviation abilities and to support strategic decisions. Their targeting of the South Korean petrochemical industry may been to gain insight into South Korea’s partnerships with Iran’s petrochemical industry as well as their relationships with Saudi Arabian petrochemical companies. Possibly in an attempt to help gain information needed to expand Iran’s petrochemical production and competitiveness in the Middle East.</div><div><a href="https://ui.threatstream.com/actor/281" target="_blank">Lazarus Group</a>The Advanced Persistent Threat group (APT) “Lazarus Group” is believed to be based in the Democratic People's Republic of Korea (DPRK) and has been active since at least 2009. Lazarus Group is believed to be composed of operatives from “Bureau 121” (121?), the cyber warfare division of North Korea’s Reconnaissance General Bureau. The Reconnaissance General Bureau was formed due to a reorganization in 2009 but its exact structure is not known due to North Korea’s denial and deception tactics. Bureau 121 is North Korea’s most important cyber unit that is used for both offensive and defensive operations. Bureau 121 are referred, in South Korean open-source media, as the “Electronic Reconnaissance Bureau’s Cyber Warfare Guidance Bureau”. The term “guidance” in the context of North Korea often denotes that an organization is personally overseen by the head of state of North Korea as a strategically significant entity. Lazarus Group has targeted financial organizations since at least July 2009, The group is well known for their tendency to engage in data destruction/disk wiping attacks, and network traffic Distributed Denial-of-Service (DDoS) attacks, typically against the Republic of Korea (South Korea). The group targets various industries and sectors including South Korean and US government organizations, Non-Governmental Organizations (NGO), media and entertainment organizations, as well as shipping and transportation organizations, Korean hydro and nuclear power, and jamming of South Korean GPS.</div><div><a href="https://ui.threatstream.com/actor/26092" target="_blank">TA505</a>The financially-motivated threat group called, “TA505,” was first reported on by Proofpoint researchers in December 2017.[1] Malicious activity attributed to the Russian-speaking group dates back to at least 2014, and the campaigns conducted by TA505 have targeted entities and individuals around the world. The group distributes a variety of malware, both well-known strains (Dridex banking trojan, Locky ransomware), custom-created (Jaff ransomware, tRAT), and variants of legitimate remote access tools (Remote Manipulator System). The group primarily distributes malware and tools via large scale and indiscriminately-distributed malspam campaigns, often through the “Necurs” botnet, with malicious attachments or links. Incorporation of new malware, creating custom malware and the use of advanced tactics, such as the removal of malware artifacts, indicate that this group is a sophisticated threat and likely well-funded. The group is innovative and shows the flexibility to pivot to other techniques and malware trends on a global scale. </div></div></div></div>