Weekly Threat Briefing: Magecart Skimmers Found on Amazon CloudFront CDN

<div id="weekly">The intelligence in this week’s iteration discuss the following threats: Botnet, Data breach, Misconfigurations, Ransomware, Threat groups, and Vulnerabilities. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.<div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><a href="https://nakedsecurity.sophos.com/2019/06/10/the-goldbrute-botnet-is-trying-to-crack-open-1-5-million-rdp-servers/" target="_blank">Aggressive Brute Force Campaign “GoldBrute” Trying to Access 1.5M RDP Servers</a> (June 10, 2019) Morphus Labs announced the discovery of a new brute force campaign against 1.5 million Remote Desktop Protocol (RDP) servers by a botnet called “GoldBrute.” The campaign targets the problem of RDP servers left exposed to the Internet by the BlueKeep vulnerability (CVE-2019-0708) in Windows XP and 7’s Remote Desktop Services (RDS) which use RDP. According to Morphus, 1,596,571 servers have been subjected to an attempted brute-force attacks targeting RDP accounts. While limiting the number of times a password can be guessed is a vital practice, “GoldBrute” is trying to fly under the radar by limiting itself to one attempt per compromised host. <a href="https://forum.anomali.com/t/aggressive-brute-force-campaign-goldbrute-trying-to-access-1-5m-rdp-servers/3878" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947227">[MITRE ATT&CK] Brute Force (T1110)</a> | <a href="https://ui.threatstream.com/ttp/947156">[MITRE ATT&CK] Remote Desktop Protocol (T1076)</a><a href="https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/" target="_blank">Magecart Skimmers Found on Amazon CloudFront CDN</a> (June 8, 2019) Malwarebytes researchers discovered a number of web properties on Amazon CloudFront compromised by the financially-motivated threat actors referred to by the umbrella term, “Magecart.”. Hosted JavaScirpt libraries within the Contect Delivery Network (CDN) were tampered with and injected with web skimmers. Upon analyzing the breaches, it was found that they were a continuation of a campaign from Magecart threat actors attempting to affect a large number of web properties at once. The sites identified had nothing in common other than the fact that they were all using their own custom CDN to load libraries. The victims identified in this campaign were contacted by Malwarebytes, and some have remediated the breach. Additionally, abuse reports were filed directly with Amazon. <a href="https://forum.anomali.com/t/magecart-skimmers-found-on-amazon-cloudfront-cdn/3879" target="_blank">Click here for Anomali recommendation</a><a href="https://www.darkreading.com/vulnerabilities---threats/vulnerability-found-in-millions-of-email-systems/d/d-id/1334913" target="_blank">Vulnerability Found in MTA Exim, Could Impact More Than 4.1M Email Systems</a> (June 7, 2019) The remote command execution vulnerability, registered as “CVE-2019-10149,” has been discovered in older versions of mail transfer agent (MTA) Exim, a critical, open source piece of the email infrastructure in many organizations. Present in Exim version 4.87 through 4.91, the vulnerability could allow an attacker to execute commands as root, with no privilege escalation required. Researchers at Qualys have found more than 4.1 million systems are potentially vulnerable to the flaw. According to researchers at Tenable, no exploits have been seen in the wild, though they expect at least proof-of-concept exploits to appear in the near future. A patch has since been released for the vulnerability. <a href="https://forum.anomali.com/t/vulnerability-found-in-mta-exim-could-impact-more-than-4-1m-email-systems/3880" target="_blank">Click here for Anomali recommendation</a><a href="https://www.zdnet.com/article/veteran-fortune-500-company-leaked-264gb-in-client-payment-data/" target="_blank">Tech Data Leaked 264GB in Client and Business Data </a> (June 7, 2019) IT infrastructure company Tech Data was the source of a data leak that exposed 264GB in client and business data to the public. According to vpnMentor researchers, a log management server was leaking system-wide information, exposing “payment information, PII, and full company and account details for end-users and MSPs.” Client API keys, bank and payment information, and usernames and unencrypted passwords were exposed, as well as employee Personally Identifiable Information, including full names, phone numbers, and physical addresses. The exposed database was discovered on June 2, 2019 and was fixed within 48 hours. <a href="https://forum.anomali.com/t/tech-data-leaked-264gb-in-client-and-business-data/3881" target="_blank">Click here for Anomali recommendation</a><a href="https://www.bleepingcomputer.com/news/security/the-rig-exploit-kit-is-now-pushing-the-buran-ransomware/" target="_blank">RIG Exploit Kit is Now Pushing the Buran Ransomware</a> (June 6, 2019) The RIG exploit kit is currently distributing a new variant of VegaLocker ransomware, called Buran. The malicious campaign is attempting to exploit vulnerabilities via Internet Explorer. If successful, a series of commands would download the ransomware and then execute it. Exploit Kit researcher nao_sec spotted a malvertising campaign redirecting users to the RIG exploit kit, which then drops the Buran ransomware as a payload. Being a new variant of VegaLocker ransomware, Buran ransomware uses a similar encryption process. While there is no known way to decrypt this ransomware for free as of yet, it is currently being researched. <a href="https://forum.anomali.com/t/rig-exploit-kit-is-now-pushing-the-buran-ransomware/3882" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&CK] User Execution (T1204)</a> | <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&CK] Exploitation for Client Execution (T1203)</a><a href="https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html" target="_blank">New HAWKBALL Backdoor Targets Government Sector in Central Asia</a> (June 5, 2019) A newly-discovered backdoor called HAWKBALL was recently observed in a campaign targeting Russian-speaking government entities in Central Asia. According to FireEye researchers, upon successful infection, HAWKBALL offers the attackers a range of malicious capabilities, including creating, deleting, and uploading files, delivering additional payloads,and surveying the host to collect victim information. To deliver the backdoor, attackers send a malicious document claiming to be from an anti-terrorist organization. The file uses an OLE object “that uses Equation Editor to drop the embedded shellcode in %TEMP%” and exploits two Microsoft Office vulnerabilities, “CVE-2017-11882” and “CVE-2018-0802” to infect a target machine. HAWKBALL communicates with a hard-coded C2 server over HTTP to exfiltrate the victim’s information, to include computer name, IP address, OS version, and user name, and performs actions to check if it is being debugged. <a href="https://forum.anomali.com/t/new-hawkball-backdoor-targets-government-sector-in-central-asia/3883" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&CK] User Execution (T1204)</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&CK] System Information Discovery (T1082)</a> | <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&CK] Data Encrypted (T1022)</a> | <a href="https://ui.threatstream.com/ttp/947164">[MITRE ATT&CK] File Deletion (T1107)</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&CK] Obfuscated Files or Information (T1027)</a> | <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&CK] Exploitation for Client Execution (T1203)</a> | <a href="https://ui.threatstream.com/ttp/947224">[MITRE ATT&CK] Exfiltration Over Alternative Protocol (T1048)</a><a href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank">Threat Actors Build “Frankenstein” Campaign Using Open-Source Tools</a> (June 4, 2019) Cisco Talos researchers have recently identified a series of credential-harvesting malware attacks spanning from January to April 2019. The campaign was named “Frankenstein,” referring to the actor’s ability to piece together and leverage four different open-source techniques to build the malicious tools. The campaign used components of an article to detect when a sample is being run in a VM, leverages MSbuild to execute a PowerShell command, uses “Fruityc2” to build a stager, and utilizes the GitHub project “PowerShell Empire” for their agents. As the Cisco Talos research team concluded, the use of open source and publicly available components for building the tools allowed the threat actors to avoid standing out, making it difficult for experts to attribute attacks to a particular actor. <a href="https://forum.anomali.com/t/threat-actors-build-frankenstein-campaign-using-open-source-tools/3884" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&CK] User Execution (T1204)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&CK] PowerShell (T1086)</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&CK] Obfuscated Files or Information (T1027)</a> | <a href="https://ui.threatstream.com/ttp/947127">[MITRE ATT&CK] Scheduled Task (T1053)</a> | <a href="https://ui.threatstream.com/ttp/947077">[MITRE ATT&CK] Windows Management Instrumentation (T1047)</a> | <a href="https://ui.threatstream.com/ttp/947289">[MITRE ATT&CK] Custom Command and Control Protocol (T1094)</a> | <a href="https://ui.threatstream.com/ttp/947224">[MITRE ATT&CK] Exfiltration Over Alternative Protocol (T1048)</a><a href="https://www.bleepingcomputer.com/news/security/private-info-of-over-15m-donors-leaked-by-uchicago-medicine/" target="_blank">Over 1.6M Personal Donor Records Exposed by UChicago Medicine</a> (June 4, 2019) In late May 2019, a security researcher for Security Discovery discovered a publicly accessible ElasticSearch instance that was exposing potential and existing University of Chicago Medicine donor records. The misconfigured ElasticSearch server contained over 1.6 million individual donor records, and was left unprotected on the Internet without a password. The records contained personal information, such as birth dates, full names and addresses, phone numbers, and wealth information and status. At the time of this writing, the exposed server has been taken down. According to the official statement made by University of Chicago Medicine, the university is conducting a forensic investigation, “...and have determined that no unauthorized parties – beyond this security researcher – accessed the information in the database.” <a href="https://forum.anomali.com/t/over-1-6m-personal-donor-records-exposed-by-uchicago-medicine/3885" target="_blank">Click here for Anomali recommendation</a><a href="https://www.itpro.co.uk/cyber-security/33766/anu-confirms-mass-data-breach-spanning-19-years" target="_blank">Australian National University Data Breach Exposes 19 Years of Student Data</a> (June 4, 2019) The Australian National University has disclosed a massive breach on the university’s systems, involving the unauthorized access to significant amounts of personal staff, student, and visitor data extending back 19 years. Student academic records were accessed, as well as information provided to the university for administrative purposes. This additional information may include addresses, bank account details, dates of birth, emergency contact details, names, passport details, payroll information, personal email addresses, phone numbers, and tax file numbers. The university’s Vice Chancellor Brian Schmidt stated that systems involving research work were not impacted in the breach. At this stage of the investigation, the university has not been able to attribute the attack to any known actor, and have referred the data breach to the Australian authorities. <a href="https://forum.anomali.com/t/australian-national-university-data-breach-exposes-19-years-of-student-data/3886" target="_blank">Click here for Anomali recommendation</a><a href="https://www.helpnetsecurity.com/2019/06/04/quest-diagnostics-data-breach/" target="_blank">Nearly 12M Quest Diagnostics Patients Affected by AMCA Data Breach</a> (June 4, 2019) Diagnostic testing provider, Quest Diagnostics, has announced that a third-party billing collections company they use has been hit by a data breach, affecting 11.9 million of Quest’s customers. The potentially compromised information includes patient financial information and personal information, including Social Security numbers. The billings collection service provider, American Medical Collection Agency (AMCA), informed Quest Diagnostics that an unauthorized user had access to AMCA systems containing personal information received from Quest. The SEC filing filed by Quest Diagnostics reveals that the attackers had access to the AMCA’s system between August 1, 2018 and March 30, 2019. An AMCA spokesperson said that they have taken down their web payments page and are investigating the security breach with the help of a third-party forensics firm. Quest Diagnostics have suspended sending collection requests to AMCA for the moment. <a href="https://forum.anomali.com/t/nearly-12m-quest-diagnostics-patients-affected-by-amca-data-breach/3887" target="_blank">Click here for Anomali recommendation</a><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/blacksquid-slithers-into-servers-and-drives-with-8-notorious-exploits-to-drop-xmrig-miner/" target="_blank">New “BlackSquid” Malware Utilizes Eight Notorious Exploits to Drop XMRig Miner</a> (June 3, 2019) A new malware family dubbed, “BlackSquid,” has been discovered by Trend Micro researchers. The malware targets web servers, network drives, and removable drives using multiple web server exploits and dictionary attacks. BlackSquid is named after its registries and component file names and uses some of the most notorious exploits today including: EternalBlue; DoublePulsar (the exploits for CVE-2014-6287, CVE-2017-12615, and CVE-2017-8464), and three ThinkPHP exploits for multiple versions. If successful, this malware may enable an attacker to escalate unauthorized access and privileges, launch attacks on an organization, render hardware and software useless, or steal proprietary information. However, all of the exploited vulnerabilities have patches that have been available for years, so organizations following updated and proper patching procedures are unlikely to be affected. <a href="https://forum.anomali.com/t/new-blacksquid-malware-utilizes-eight-notorious-exploits-to-drop-xmrig-miner/3888" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947230">[MITRE ATT&CK] Data from Network Shared Drive (T1039)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947233">[MITRE ATT&CK] Exploitation for Privilege Escalation (T1068)</a> | <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&CK] Exploitation for Client Execution (T1203)</a> | <a href="https://ui.threatstream.com/ttp/947224">[MITRE ATT&CK] Exfiltration Over Alternative Protocol (T1048)</a><a href="https://www.bleepingcomputer.com/news/security/new-email-hacking-tool-from-oilrig-apt-group-leaked-online/" target="_blank">Brute-force Email Hacking Tool from OilRig ATP Group Leaked Online</a> (June 3, 2019) A brute-force attack tool for hijacking Microsoft Exchange email accounts allegedly used by the Advanced Persistent Threat (APT) OilRig threat group has been leaked online. OilRig, also known as APT34 and HelixKitten, is a group linked to the Iranian government. The tool is called “Jason” and is not detected by antivirus engines on VirusTotal, at the time of this writing. The tool works by trying various email account passwords until it finds the correct one. The brute-force activity is aided by a list with password samples and four text files containing numerical patterns. This utility is the seventh tool associated with the OilRig group that has been made publicly available. As of this writing, it is unknown who is responsible for exposing some of the APT group’s malware and tools, it is possible it was done so in hopes that publishing the tools will be a disruption to future operations by the threat group. <a href="https://forum.anomali.com/t/brute-force-email-hacking-tool-from-oilrig-atp-group-leaked-online/3889" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947227">[MITRE ATT&CK] Brute Force (T1110)</a></div><div id="observed-threats"><h2 id="observedthreats">Observed Threats</h2></div><div id="threat_model">This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. <a href="https://www.anomali.com/products" target="_blank">Click here to request a trial.</a><div id="threat_model_actors"><div><a href="https://ui.threatstream.com/actor/4411" target="_blank">OilRig</a> The Advanced Persistent Threat (APT) group “OilRig” is believed to be an Iranian-based group that has been active since at least 2014. OilRig conducts cyber espionage operations focused on reconnaissance that benefits Iranian nation-state interests. OilRig uses a mix of public and custom tools to primarily target entities located in the Middle East.</div></div><div id="threat_model_incident"> </div><div id="threat_model_tipreport"><a href="https://ui.threatstream.com/tip/256529" target="_blank">MageCart Timeline of Malicious Activity</a> MageCart is a particularly interesting threat group because of the sheer amount of sites, approximately 100,000, they have either compromised or successfully skimmed card credentials from since being first identified in 2015. The name MageCart refers to multiple groups, according to RiskIQ. It appears that MageCart is a collective term used to track payment information-stealing activity from at least 12 separate groups. Researchers also point out that Group 9 was interfering Group 3’s skimmer by manipulating the last credit or debit card number, which appears to indicate that MageCart is indeed an umbrella term used to track malicious activity. It may be difficult for individuals to determine separate groups because some of the groups use similar and common data-stealing methods, however, RiskIQ does note their methodology in their joint paper with Flashpoint on how they identify the different groups.[1]</div><div id="threat_model_ttp"> </div><div id="threat_model_vulnerability"> </div></div></div>