Weekly Threat Briefing: Iranian Hacking Group Built It's Own VPN Network

The intelligence in this week’s iteration discuss the following threats: APT33, DDoS Attacks, DoppelPaymer, Iran, POS Malware, Medical Equipment, TrickBot, Vulnerabilities. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.<img alt="" src="https://cdn.filestackcontent.com/EHUy2KaBSba0BfyokDgr"/><h2>Trending Threats</h2><a href="https://www.justice.gov/opa/pr/former-operator-illegal-booter-services-sentenced-conspiracy-commit-computer-damage-and-abuse" target="_blank">Former Operator of Illegal Booter Services Sentenced for Conspiracy to Commit Computer Damage and Abuse</a> (November 15, 2019) Sergiy P. Usatyuk, a 21-year old Illinois resident, has been sentenced to 13 months in prison for his involvement in illegal booter services responsible for millions of Distributed Denial-Of-Service (DDoS) attacks between August 2015 and November 2017. According to prosecutors, Usatyuk’s DDoS-for-hire services made him “hundreds of thousands of dollars” developing and operating booter services used to target “the American public. Usatyuk will also have a three year supervised release, must forfeit $542,925 USD in proceeds from illegal activities, and will turn over dozens of servers to the FBI. Special Agent in Charge John Strong of the FBI’s North Carolina Field Office hopes the sentencing of Usatyuk demonstrates the agency’s commitment to “unmasking malicious actors behind these types of egregious cyberattacks.” <a href="https://forum.anomali.com/t/former-operator-of-illegal-booter-services-sentenced-for-conspiracy-to-commit-computer-damage-and-abuse/4369" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/2402529">[MITRE ATT&CK] Endpoint Denial of Service - T1499</a><a href="https://www.itpro.co.uk/bugs/34827/tech-giants-band-together-to-form-the-github-security-lab" target="_blank">Tech Giants Band Together To Form The GitHub Security Lab</a> (November 15, 2019) Thirteen major tech firms are joining forces with GitHub in the launch of GitHub Security Lab, a community-led project designed to expand the value of open source security. According to Jamie Cool, GitHub’s Vice President for Product Management and Security, the GitHub Security Lab “will help identify and report vulnerabilities in open source software, while maintainers and developers use GitHub to create fixes, coordinate disclosure, and update dependent projects to a fixed version." GitHub will dedicate full-time resources to finding and reporting vulnerabilities, and will be providing the newly-developed CodeQL tool for free. Current partner companies include the likes of Google, Intel, LinkedIn, Mozilla, Oracle, and VMware, all which will be donating time and expertise to finding and reporting vulnerabilities. <a href="https://forum.anomali.com/t/tech-giants-band-together-to-form-the-github-security-lab/4370" target="_blank">Click here for Anomali recommendation</a><a href="https://www.zdnet.com/article/iranian-hacking-group-built-its-own-vpn-network/" target="_blank">Iranian Hacking Group Built It’s Own VPN Network</a> (November 14, 2019) Security researchers at Trend Micro have identified a private network of 21 VPN nodes belonging to “APT33,” Iran’s most sophisticated Advanced Persistent Threat (APT) group. Recent findings by the researchers investigating APT33 2019 infections provide greater insight into a layered hacking infrastructure, designed to keep APT33 operators from being identified during a campaign. The “VPN Layer,” one of four layers between the APT33 operator and the target, is a custom built network of VPN nodes used to hide the IP address and location of the operator. What makes this particularly interesting is APT33’s use of a private VPN network, as opposed to commercial VPN servers, as is more common with other APT groups. This made APT33 activity easier to track, as researchers were able to track a small list of specific VPN exit nodes for more than a year. According to Trend Micro, APT33 have used the same private VPN exit nodes for reconnaissance of oil and gas industry networks, specifically targeting an undisclosed oil exploitation company in the Middle East, as well as an undisclosed oil company in the United States. <a href="https://forum.anomali.com/t/iranian-hacking-group-built-it-s-own-vpn-network/4371" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947229">[MITRE ATT&CK] Data Obfuscation - T1001</a><a href="https://latesthackingnews.com/2019/11/14/serious-security-vulnerability-found-in-all-mcafee-antivirus-editions/" target="_blank">Serious Security Vulnerability Found In All McAfee Antivirus Editions</a> (November 14, 2019) SafeBreach Labs researchers reported a security vulnerability found in all versions of McAfee Total Protection (MTP), Anti-Virus Plus (AVP), and McAfee Internet Security (MIS). The lead researcher of the report, Peleg Hadar, explained that a malicious actor could exploit the vulnerability to achieve code execution, allowing the actor to execute malicious payloads while evading security checks. The vulnerability (CVE-2019-3648) was discovered in August 2019, <a href="https://forum.anomali.com/t/serious-security-vulnerability-found-in-all-mcafee-antivirus-editions/4372" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947115">[MITRE ATT&CK] Disabling Security Tools - T1089</a><a href="https://www.infosecurity-magazine.com/news/microsoft-patches-ie-zeroday-bug/" target="_blank">Microsoft Patches IE Zero-Day Bug</a> (November 13, 2019) A fix has been released by Microsoft for a zero-day flaw found in Internet Explorer. According to Microsoft’s vulnerability assessment, “CVE-2019-1429” could be exploited by a malicious actor to remotely gain administrative user rights and take control of an affected system. The actor could then create new accounts and install programs, as well as view, change, and delete data. The vulnerability exists in how the scripting engine handles objects in memory in the browser. Microsoft also released 74 additional fixes for vulnerabilities during the November patch update round, including vulnerabilities in Excel, Adobe, and Trusted Platform Module chipset firmware. <a href="https://forum.anomali.com/t/microsoft-patches-ie-zero-day-bug/4373" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947273">[MITRE ATT&CK] Create Account - T1136</a> | <a href="https://ui.threatstream.com/ttp/947164">[MITRE ATT&CK] File Deletion - T1107</a> | <a href="https://ui.threatstream.com/ttp/2336968">[MITRE ATT&CK] File Permissions Modification - T1222</a><a href="https://nakedsecurity.sophos.com/2019/11/13/us-cert-warns-of-critical-flaws-in-medtronic-equipment/" target="_blank">US-CERT Warns of Critical Flaws in Medtronic Equipment</a> (November 13, 2019) United States Computer Emergency Readiness Team (US-CERT) has issued a warning about security flaws in Medtronic medical equipment used by surgeons during operations. The equipment, Valleylab FT10 and FX8 electrosurgical generators, have four reported flaws, with two of the flaws (“CVE-2019-3464” and “CVE-2019-3463”) being reported as critical in severity. Vulnerable devices often have a remote management utility enabled, and using an unpatched version could give a malicious actor administrative access with the ability to execute code. There are also flaws (“CVE-2019-13539” and “CVE-2019-13543”) caused by reversible password hashes and hard-coded credentials. Patches are available for Valleylab FT10, with the FX8 patches available in early 2020, according to Medtronic. The equipment is used exclusively in hospitals, which means locating vulnerable equipment for patching should be relatively less difficult than more commonly used medical equipment. <a href="https://forum.anomali.com/t/us-cert-warns-of-critical-flaws-in-medtronic-equipment/4374" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947115">[MITRE ATT&CK] Disabling Security Tools - T1089</a> | <a href="https://ui.threatstream.com/ttp/2336968">[MITRE ATT&CK] File Permissions Modification - T1222</a><a href="https://www.bleepingcomputer.com/news/security/mexicos-pemex-oil-suffers-ransomware-attack-49-million-demanded/" target="_blank">Mexico's Pemex Oil Suffers Ransomware Attack, $4.9 Million Demanded</a> (November 12, 2019) Pemex, Mexico’s state-owned oil company, was hit with a “DoppelPaymer” ransomware attack on November 10, 2019, demanding $4.9 million USD to decrypt their files. Pemex reports that the attack affected less than 5% of their computers, and that there was no affect on their fuel production, supply, and inventory. Security researchers at BleepingComputer, MalwareHunterTeam, and Vitali Kremez were able to confirm the DoppelPaymer infection by evaluating the leaked ransom notes and malware sample. The DoppelPaymer group demanded 565 bitcoins, worth approximately $4.9 million USD at the time of this writing, to be paid by the end of November. In a statement made by Pemex, the company will not pay the ransom, and workers at Pemex reported that internal memos stated that all computers were up and running on Monday, November 11, 2019. <a href="https://forum.anomali.com/t/mexicos-pemex-oil-suffers-ransomware-attack-4-9-million-demanded/4375" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&CK] Data Encrypted - T1022</a> | <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a><a href="https://www.bbc.com/news/election-2019-50388879" target="_blank">General Election 2019: Labour Party Hit By Second Cyber-Attack</a> (November 12, 2019) The Labour Party in the United Kingdom have reportedly been victim to an attempted Distributed Denial-of-Service (DDoS) attack. A Labour spokesperson claims the attack to be a “sophisticated” and “large-scale” attack on Labour’s digital platforms. The Labour party also claim the attack failed due to their robust security systems, with no data breach however data breach does not occur during a DDoS attack, as it is not accessing the system. While the Labour Party claim the attack to be sophisticated, DDoS attacks are not sophisticated and not usually large scale. <a href="https://forum.anomali.com/t/general-election-2019-labour-party-hit-by-second-cyber-attack/4376" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/2402529">[MITRE ATT&CK] Endpoint Denial of Service - T1499</a><a href="https://www.bleepingcomputer.com/news/security/trickbot-malware-uses-fake-sexual-harassment-complaints-as-bait/" target="_blank">TrickBot Malware Uses Fake Sexual Harassment Complaints as Bait</a> (November 11, 2019) In a new spearphishing campaign, threat actors are using fake sexual harassment claims to spread the “TrickBot” banking trojan to employees of large, undisclosed companies. The actors behind the campaign are posing as officials from the U.S. Equal Employment Opportunity Commission, customizing the phishing email using the target’s employer information, names, phone numbers, and titles to appear more legitimate. The email contains a malicious document that will infect the victim’s computer with the TrickBot payload. TrickBot has been used to harvest and exfiltrate sensitive banking information from it’s victims, and has evolved into <a href="https://forum.anomali.com/t/trickbot-malware-uses-fake-sexual-harassment-complaints-as-bait/4377" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&CK] Conduct social engineering (PRE-T1056)</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&CK] PowerShell - T1086</a><a href="https://www.bloomberg.com/news/articles/2019-11-11/security-researchers-discover-flaws-in-u-s-cash-machines" target="_blank">Nautilus ATM Flaws Could Allow Hackers Access to Cash</a> (November 11, 2019) Researchers at Red Balloon Security found two vulnerabilities in retail versions of Nautilus ATMs, the largest provider of ATMs in the United States. The vulnerabilities were reported to Nautilus, and patches were developed and released within a week of the report. Red Balloon will not release a detailed breakdown of the vulnerabilities in order to prevent criminals from replicating their efforts. The two vulnerabilities, one found in the machine’s remote management system and one in the ATM’s peripherals software, could allow the remote theft of payment card numbers and PIN keypad inputs during a transaction. Red Balloon researchers and Nautilus executives have no evidence that anyone has taken advantage of the vulnerabilities. While fixes have been made available, it is unclear as to how many ATMs have received the necessary firmware updates. <a href="https://forum.anomali.com/t/nautilus-atm-flaws-could-allow-hackers-access-to-cash/4378" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947278">[MITRE ATT&CK] Remote File Copy - T1105</a>