Weekly Threat Briefing: Massive Botnet Chews Through 20,000 WordPress Sites

<div id="weekly">The intelligence in this week’s iteration discuss the following threats: APT, Banking trojan, Botnet, BEC, Data theft, Malspam, Phishing, Targeted attacks, Threat group, Vulnerabilities and Website compromise. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.<div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><a href="https://nakedsecurity.sophos.com/2018/12/10/massive-botnet-chews-through-20000-wordpress-sites/" target="_blank">Massive Botnet Chews Through 20,000 WordPress Sites </a> (December 10, 2018) The WordPress security company, “Wordfence,” found that unknown threat actors had managed to compromise approximately 20,000 WordPress websites. The actors compromised the websites by brute force-attacking administrator account credentials and were observed using the websites to create a large-scale botnet. The botnet was observed utilizing the remote procedure protocol “XML-RPC” which functions as an interface “that lets one piece of software make requests to another by sending it remote procedure calls (RPCs) written in the extensible markup language (XML).” The actors created a script that utilized XML-RPC in its brute force attacks to automatically generate username and password combinations. If a weak password is compromised and grants an actor access to the website, the actor then uses that website to target other WordPress website with brute force attacks. <a href="https://forum.anomali.com/t/massive-botnet-chews-through-20-000-wordpress-sites/3319" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/massive-botnet-chews-through-20-000-wordpress-sites/3319" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/massive-botnet-chews-through-20-000-wordpress-sites/3319" target="_blank"> recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947227">[MITRE ATT&CK] Brute Force (T1110)</a> | <a href="https://ui.threatstream.com/ttp/947190">[MITRE ATT&CK] Connection Proxy (T1090)</a><a href="https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/" target="_blank">DanaBot Evolves Beyond Banking Trojan with New Spam-Sending Capability </a> (December 6, 2018) The threat actors behind the “DanaBot” banking trojan have been testing out some new features in the malware, according to ESET researchers. The actors have been trying some new email address-stealing and malspam distribution techniques while targeting individuals located in Italy. The malspam technique is interesting in that the malware, once it has infected a machine, is capable of using the email accounts to propagate itself. DanaBot will look at an infected user’s email account and reply to existing emails with malspam. ESET researchers also believe that the actors behind DanaBot are cooperating with the group behind the “GootKit” trojan due to a VBS file found on a DanaBot Command and Control (C2) server that pointed to a GootKit downloader module. <a href="https://forum.anomali.com/t/danabot-evolves-beyond-banking-trojan-with-new-spam-sending-capability/3320" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/danabot-evolves-beyond-banking-trojan-with-new-spam-sending-capability/3320" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/danabot-evolves-beyond-banking-trojan-with-new-spam-sending-capability/3320" target="_blank"> recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&CK] PowerShell (T1086)</a><a href="https://nakedsecurity.sophos.com/2018/12/06/patch-now-if-you-can-latest-android-update-fixes-clutch-of-rce-flaws/" target="_blank">Patch Now (If You Can!): Latest Android Update Fixes Clutch of RCE Flaws </a> (December 6, 2018) Android has released its December security bulletin to address 53 vulnerabilities, 11 of which are rated as “critical.” Out of those 11 critical vulnerabilities, five are Remote Code Execution (RCE) vulnerabilities. Google notes that, as of this writing, it has not observed that any of these vulnerabilities have been exploited in the wild. The vulnerabilities could be exploited by a remote actor by “using a specially crafted file to execute arbitrary code within the context of a privileged process.” <a href="https://forum.anomali.com/t/patch-now-if-you-can-latest-android-update-fixes-clutch-of-rce-flaws/3321" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/patch-now-if-you-can-latest-android-update-fixes-clutch-of-rce-flaws/3321" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/patch-now-if-you-can-latest-android-update-fixes-clutch-of-rce-flaws/3321" target="_blank"> recommendation</a><a href="https://www.theregister.co.uk/2018/12/06/email_scammers_use_business_intelligence_services/" target="_blank">More Data Joy: Email Scammers Are Buying Mark’s Info from Legit Biz Intelligence Firms </a> (December 6, 2018) Agari researchers have published a report in which they discuss their findings on a Business Email Compromise (BEC) campaign primarily targeting C-suite level executives, specifically, chief financial officers. The group behind this BEC campaign, dubbed “London Blue” because one of its members tagged himself in locations on Instagram, is believed to be a well-organized Nigerian group. Researchers believe that London Blue is separated into distinct groups, each of which have certain responsibilities such as: distributing the BEC emails, making the illicit bank transactions, and passing the money up the ladder to the primary actors. The group uses a database to store records for which they use “legitimate sales leads services” to find potential targets. <a href="https://forum.anomali.com/t/more-data-joy-email-scammers-are-buying-mark-s-info-from-legit-biz-intelligence-firms/3322" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/more-data-joy-email-scammers-are-buying-mark-s-info-from-legit-biz-intelligence-firms/3322" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/more-data-joy-email-scammers-are-buying-mark-s-info-from-legit-biz-intelligence-firms/3322" target="_blank"> recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947263">[MITRE ATT&CK] Spearphishing via Service (T1194)</a><a href="https://www.bleepingcomputer.com/news/security/adobe-fixes-zero-day-flash-player-vulnerability-used-in-apt-attack-on-russia/" target="_blank">Adobe Fixes Zero-Day Flash Player Vulnerability Used in APT Attack on Russia</a> (December 5, 2018) A vulnerability in Adobe’s “Flash Player” is reported to have been exploited in part of an Advanced Persistent Threat (APT) attack against Russia’s FSBI “Polyclinic #2,” according to Qihoo 360 researchers. The vulnerability, registered as “CVE-2018-15982,” was used to target the medical and cosmetic clinic by distributing, likely via email but the specific method is not mentioned, a malicious Word document with an embedded Flash object that poses as an employee questionnaire. A user is shown a warning when the exploit is triggered that states “The embedded content contained in this document may be harmful to your computer.” If the recipient agrees to the prompt, a file called “backup.exe” runs and infects the user with a backdoor that impersonates the “Nvidia Control Panel” application that uses a stolen certificate named “IKB SERVICE UK LTD.” <a href="https://forum.anomali.com/t/adobe-fixes-zero-day-flash-player-vulnerability-used-in-apt-attack-on-russia/3323" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/adobe-fixes-zero-day-flash-player-vulnerability-used-in-apt-attack-on-russia/3323" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/adobe-fixes-zero-day-flash-player-vulnerability-used-in-apt-attack-on-russia/3323" target="_blank"> recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947137">[MITRE ATT&CK] Supply Chain Compromise (T1195)</a><a href="https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/" target="_blank">Stolen Pencil Campaign Targets Academia </a> (December 5, 2018) A new spear phishing campaign, potentially attributed to the Democratic People’s Republic of Korea (DPRK), has been discovered to be targeting academic institutions since at least May 2018, according to ASERT researchers. The campaign, dubbed “STOLEN PENCIL,” consists of actors distributing spear phishing emails that contain a link to one of multiple domains controlled by the actors. Visiting the domain, a user would be prompted to download a “Font Manager” extension from the Chrome web store. The extensions had five star reviews from Google+ accounts compromised by the actors that were copied over from other reviews, some of which were negative but still gave five stars. The objective of the campaign is to use the extensions to steal data from the user when using various websites, and after gaining access to a system, using Microsoft’s Remote Desktop Protocol (RDP) to maintain persistence. <a href="https://forum.anomali.com/t/stolen-pencil-campaign-targets-academia/3324" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/stolen-pencil-campaign-targets-academia/3324" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/stolen-pencil-campaign-targets-academia/3324" target="_blank"> recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&CK] Spearphishing Link (T1192)</a> | <a href="https://ui.threatstream.com/ttp/947156">[MITRE ATT&CK] Remote Desktop Protocol (T1076)</a><a href="https://www.scmagazine.com/home/security-news/bloom-is-off-the-rose-canadian-1-800-flowers-operation-discloses-four-year-breach/" target="_blank">Bloom is off the Rose: Canadian 1-800-FLOWERS Operation Discloses Four-Year Breach </a> (December 4, 2018) The Canadian company “1873349 Ontario, Inc.” has stated that the website for its retail operations “1-800-FLOWERS,” had its website compromised for at four least years. The website, “1800Flowers[.]ca,” was infected with information-stealing malware by unknown threat actors from August 15, 2014 to September 15, 2018. Any individuals who made purchases during this time may have had the information entered on the website stolen. The compromise was confirmed on October 30, 2018 when the company identified suspicious activity on its website. The information that could have stolen from the website customers includes: card security code, expiration date, name, and payment card number. <a href="https://forum.anomali.com/t/bloom-is-off-the-rose-canadian-1-800-flowers-operation-discloses-four-year-breach/3325" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/bloom-is-off-the-rose-canadian-1-800-flowers-operation-discloses-four-year-breach/3325" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/bloom-is-off-the-rose-canadian-1-800-flowers-operation-discloses-four-year-breach/3325" target="_blank"> recommendation</a><a href="https://thehackernews.com/2018/12/china-ransomware-wechat.html" target="_blank">New Ransomware Spreading Rapidly in China Infected Over 100,000 PCs </a> (December 4, 2018) Velvet Security researchers have found a previously unknown ransomware with password-stealing capabilities is targeting individuals located in China. The malware, as of this writing, has infected approximately 100,00 users who have downloaded applications that use the “EasyLanguage” programming language. The actors behind this campaign were able to add malicious code into the EasyLanguage programming software that was created to inject ransomware code “into every application and software product compiled through it.” Thus, any user who downloaded an affected application would be infected with ransomware that demands 110 yuan ($16 USD) to be sent to the actor’s “WeChat” account in three days for the decryption key. <a href="https://forum.anomali.com/t/new-ransomware-spreading-rapidly-in-china-infected-over-100-000-pcs/3326" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/new-ransomware-spreading-rapidly-in-china-infected-over-100-000-pcs/3326" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/new-ransomware-spreading-rapidly-in-china-infected-over-100-000-pcs/3326" target="_blank"> recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947137">[MITRE ATT&CK] Supply Chain Compromise (T1195)</a><a href="https://www.databreaches.net/california-based-professional-employer-organization-hacked-by-thedarkoverlord-thousands-of-employees-files-stolen/" target="_blank">California-Based Professional Employer Organization Hacked by TheDarkOverlord; Thousands of Employees’ Files Stolen </a> (December 4, 2018) The threat group “TheDarkOverlord” (TDO), has claimed responsibility for compromising the professional employer organization “Prime Staff Inc,” according to the data breach website databreaches[.]net. The website reports that it received an email from an email address from Prime Staff, Inc. stating “HELP” above bodies of text that appeared to be from TDO. Databreaches attempted to find a way to communicate safely with the email sender and received a reply that said “There’s no safe way to contact Shields.” This response appears to indicate that TDO had gained complete control over Prime Staff’s systems. TDO engaged in tactics known for them: stealing company data and blackmailing the company into paying for their files back or risk them being destroyed. In addition, TDO also included some incentives by offering gradual decreases from the original ransom amount of $50,000, for referring other TDO victims to pay the group. <a href="https://forum.anomali.com/t/california-based-professional-employer-organization-hacked-by-thedarkoverlord-thousands-of-employees-files-stolen/3327" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/california-based-professional-employer-organization-hacked-by-thedarkoverlord-thousands-of-employees-files-stolen/3327" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/california-based-professional-employer-organization-hacked-by-thedarkoverlord-thousands-of-employees-files-stolen/3327" target="_blank"> recommendation</a><a href="https://securelist.com/koffeymaker-notebook-vs-atm/89161/" target="_blank">KoffeyMaker: Notebook vs. ATM </a> (December 4, 2018) Kaspersky Lab researchers have published a report regarding and ATM-stealing toolkit, dubbed “KoffeyMaker,” after unnamed banks in Eastern Europe found their ATMs were attacked. KoffeyMaker utilizes a “black box” attack tactic, using a physical device connected to the machine, where the actor connects a laptop to the ATM. The actor was found to have opened the ATM, connected the laptop with ATM dispenser drivers installed on it along with a patched KDIAG tool, and closed the ATM. Remote access to the laptop was accomplished via “a connection to a USB GPRS modem” that was used to instruct the KDIAG tool to force the ATM to dispense cash. <a href="https://forum.anomali.com/t/koffeymaker-notebook-vs-atm/3328" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/koffeymaker-notebook-vs-atm/3328" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/koffeymaker-notebook-vs-atm/3328" target="_blank"> recommendation</a><a href="https://latesthackingnews.com/2018/12/04/ibm-db2-vulnerabilities-left-ibm-database-installations-at-risk-of-hacks/" target="_blank">IBM Db2 Vulnerabilities Left IBM Database Installations at Risk of Hacks </a> (December 4, 2018) Two vulnerabilities have been addressed in IBM products. One vulnerability, registered as “CVE-2018-1987,” has been identified in IBM’s “IBM Db2” management software, according to researcher Eddie Zhu. This vulnerability could be exploited by a threat actor who has first obtained local user access to elevate privileges by running custom-crafted applications. Another vulnerability, registered as “CVE-2018-1723,” was found in IBM’s “Spectrum Scale” and “could allow a GPFS command line utility allows an unprivileged, authenticated user with access to GPFS node to read arbitrary files on this mode,” according to IBM’s advisory. <a href="https://forum.anomali.com/t/ibm-db2-vulnerabilities-left-ibm-database-installations-at-risk-of-hacks/3329" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/ibm-db2-vulnerabilities-left-ibm-database-installations-at-risk-of-hacks/3329" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/ibm-db2-vulnerabilities-left-ibm-database-installations-at-risk-of-hacks/3329" target="_blank"> recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947258">[MITRE ATT&CK] Bypass User Account Control (T1088)</a><a href="https://research.checkpoint.com/the-evolution-of-backswap/" target="_blank">The Evolution of BackSwap </a> (December 3, 2018) The threat actors behind the “BackSwap” banking trojan have regularly made changes to the malware over the past few months, according to Check Point researchers. BackSwap is written in assembly and was first discovered in May 2018 by Polish CERT researchers and Michal Poslusny from ESET. The malware is primarily distributed via legitimate programs such as FileZilla, Notepad++, and 7-Zip in which the actors have bundled the malicious code. If a malicious application is downloaded and run, only the BackSwap code will be executed and any legitimate code in the application will not. Researchers found that actors have been modifying BackSwap’s event interception techniques in regards to identifying URLs, to which the malware decrypts “a resource from its .rsrc section which turns out to be its web-injects.” The retrieved code checks the URL to see if it matches any banks that it targets and if so, uses the web injections to steal banking credentials. <a href="https://forum.anomali.com/t/the-evolution-of-backswap/3330" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/the-evolution-of-backswap/3330" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/the-evolution-of-backswap/3330" target="_blank"> recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947173">[MITRE ATT&CK] Hooking (T1179)</a> | <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&CK] Web Service (T1102)</a><a href="https://www.theregister.co.uk/2018/12/03/kubernetes_flaw_cve_2018_1002105/" target="_blank">Container Code Cluster-Fact: There’s a Hole in Kubernetes That Lets Miscreants Cause Havoc </a> (December 3, 2018) Co-founder of Rancher Labs, Darren Shepherd, found a privilege escalation vulnerability in the open source container orchestration software, “Kubernetes,” registered as “CVE-2018-1002105.” This vulnerability is rated as “critical” because a threat actor could exploit it remotely without any user interaction or specific privileges. Exploitation of the vulnerability could allow an actor to use the “Kubernetes API server to connect to a backend server to send arbitrary requests.” This could then allow actors to inject code, steal data, or shut down applications inside a target’s firewall. <a href="https://forum.anomali.com/t/container-code-cluster-fact-there-s-a-hole-in-kubernetes-that-lets-miscreants-cause-havoc/3331" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/container-code-cluster-fact-there-s-a-hole-in-kubernetes-that-lets-miscreants-cause-havoc/3331" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/container-code-cluster-fact-there-s-a-hole-in-kubernetes-that-lets-miscreants-cause-havoc/3331" target="_blank"> recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947233">[MITRE ATT&CK] Exploitation for Privilege Escalation (T1068)</a><a href="https://krebsonsecurity.com/2018/12/jared-kay-jewelers-parent-fixes-data-leak/" target="_blank">Jared, Kay Jewelers Parent Fixes Data Leak </a> (December 3, 2018) “Signet Jewelers,” the parent firm of the jewelry stores “Jared” and “Kay Jewelers,” has fixed a bug in its subsidiaries’ websites (jared[.]com and kay[.]com). The bug, identified in mid-November by web designer Brandon Sheehy, exposed Jared and Kay customer order information that was conducted through their respective websites. Sheehy discovered that he could alter the link sent in the confirmation email and paste it in a web browser which he found exposed a different customer’s order information. The exposed data consists of: billing address, customer order, delivery date, email address, items and total amount purchased, last name, and tracking link. Sheehy reached out to Signet about this issue but did not hear anything back for several weeks after which he reached out to KrebsOnSecurity. Signet chief information security officer, Scott Lancaster, has stated that this issue has now been fixed. <a href="https://forum.anomali.com/t/jared-kay-jewelers-parent-fixes-data-leak/3332" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/jared-kay-jewelers-parent-fixes-data-leak/3332" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/jared-kay-jewelers-parent-fixes-data-leak/3332" target="_blank"> recommendation</a><a href="https://www.bleepingcomputer.com/news/security/quora-hacked-100-million-users-data-exposed/" target="_blank">Quora Hacked – 100 Million User’s Data Exposed </a> (December 3, 2018) The question and answer website “Quora” has issued a statement in which it confirms that its website was compromised. The website is reported to be the “95th largest website in the world” with approximately “700 million visits per month.” Quora discovered that the breach had occurred on November 30, 2018, and it is unknown at the time of this writing if the breach took place on that date or sometime prior. Regardless, this incident affects approximately 100 million of its users by threat actors accessing user data consisting of: data imported from linked networks (when authorized by users), email addresses, encrypted passwords, and names. Other exposed data includes public content and actions, as well as non-public content and actions such as direct messages. As of this writing, Quora does not know how threat actors gain unauthorized access to their systems. <a href="https://forum.anomali.com/t/quora-hacked-100-million-user-s-data-exposed/3333" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/quora-hacked-100-million-user-s-data-exposed/3333" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/quora-hacked-100-million-user-s-data-exposed/3333" target="_blank"> recommendation</a></div><div id="observed-threats"><h2 id="observedthreats">Observed Threats</h2>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. <a href="https://www.anomali.com/products" target="_blank">Click here to request a trial.</a> Additional information regarding the threats discussed in this week’s Community Threat Briefing can be found below:</div><div id="threat_model"><div id="threat_model_actors"><a href="https://ui.threatstream.com/actor/1528" target="_blank">TheDarkOverlord</a> TheDarkOverlord is a threat group that has been active since at least June 2016 when they started to list dumps for sale on the forum called “Real Deal Marketplace.” The group engages in extortion and data leaks of company data and Personally Identifiable Information (PII). The first incidents the group was involved in revolved around gaining access to healthcare organization servers, stealing information, and then demanding payment for not releasing the data. The data typically consists of PII and Protected Health Information (PHI). The group later expanded from solely targeting the healthcare industry to others such as education and finance, however, the group’s tactics remained the same; steal data and demand payment for not releasing it to open source locations.</div></div></div>