December 3, 2019 - Anomali Threat Research

Weekly Threat Briefing: Millions of Americans at Risk After Huge Data and SMS Leak

<div id="weekly"><p>The intelligence in this week’s iteration discusses the following threats: <strong>Black Friday, Data breach, Emotet, Monero, Remote Access Trojan, RevengeHotels, Ryuk, Scam, Spearphishing, </strong>and<strong> XMRIG</strong>. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><p id="intro"><img src="https://cdn.filestackcontent.com/7Hk2bI0ORp6GNNKruMvc"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p><div id="trending-threats"><h1 id="trendingthreats">Trending Threats</h1><p><a href="https://www.bankinfosecurity.com/mixcloud-breach-affects-21-million-accounts-a-13461" target="_blank"><b>Mixcloud Breach Affects 21 Million Accounts</b></a> (<i>December 2, 2019</i>)<br/> The music streaming service Mixcloud has suffered a data breach: a threat actor using the handle “A_W_S” distributed personal data of Mixcloud users to media outlets including Vice and ZDNet. The leaked data includes email and IP addresses, hashed passwords, registration dates, last login dates and users’ country of origin. The data has since been offered for sale on dark web marketplaces for between $2,000 and $3,700. This is not the first time A_W_S has put personal data up for sale on underground marketplaces. 
The same actor previously sold data taken from Canva, an online graphic design tool, Chegg, an education platform, and StockX, an online clothing marketplace.<br/> <a href="https://forum.anomali.com/t/mixcloud-breach-affects-21-million-accounts/4404" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&amp;CK] Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a></p><p><a href="https://www.vpnmentor.com/blog/report-truedialog-leak/" target="_blank"><b>Millions of Americans at Risk After Huge Data and SMS Leak</b></a> (<i>December 2, 2019</i>)<br/> The private text messages of hundreds of millions of people have been found unprotected, in cleartext, on the internet. vpnMentor researchers discovered an internet-exposed database, hosted on Microsoft Azure and running on the Oracle Marketing Cloud, containing the private text messages of TrueDialog customers. TrueDialog is an American communications company that provides text messaging solutions to businesses and reaches nearly five billion subscribers worldwide. The exposed information includes phone numbers, university financing applications, messages to online medical services, usernames and passwords for Google and Facebook accounts, and other confidential information. 
TrueDialog has since closed off access to the exposed database.<br/> <a href="https://forum.anomali.com/t/millions-of-americans-at-risk-after-huge-data-and-sms-leak/4405" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a></p><p><a href="https://www.bleepingcomputer.com/news/security/fake-steam-skin-giveaway-site-steals-your-login-credentials/" target="_blank"><b>Fake Steam Skin Giveaway Site Steals Your Login Credentials</b></a> (<i>December 1, 2019</i>)<br/> The researcher “nullcookies” reported on Twitter a fake Steam gun skin giveaway site that steals users’ credentials. Steam is a PC video game platform used by third-party publishers to distribute their games and by users to play them. The phishing pages are promoted by leaving comments on legitimate Steam profiles telling the owner they are the “winner” of a giveaway and must visit “giveavvay[.]com” (note the “vv” standing in for a “w”) to claim it. Users must then enter their Steam credentials on the site to receive the supposed skins. The campaign uses several techniques to make the page appear legitimate: it includes a fake chat box imitating the legitimate site’s, but the “chat” consists of hard-coded messages in a JavaScript script, worded so that the conversation appears relevant to the visitor. 
The threat actor(s) behind this campaign also present a fake Steam Guard request in a further attempt to make the login flow look legitimate.<br/> <a href="https://forum.anomali.com/t/fake-steam-skin-giveaway-site-steals-your-login-credentials/4406" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a></p><p><a href="https://thehackernews.com/2019/11/europol-imminent-monitor-rat.html" target="_blank"><b>Europol Shuts Down 'Imminent Monitor' RAT Operations With 13 Arrests</b></a> (<i>November 29, 2019</i>)<br/> Europol has announced that the cybercrime network behind the Imminent Monitor Remote Access Trojan (IM-RAT) and its operations have been taken down. IM-RAT was marketed as a remote administration framework but gave threat actors full remote control of a victim’s system: it could disable anti-virus and anti-malware software, download and execute files, record keystrokes, spy through webcams, steal data and passwords from browsers, and terminate running processes, among other capabilities. The operation, carried out by international law enforcement agencies, seized the RAT’s infrastructure, rendering it inoperative for its 14,000+ users around the world. 
Europol also arrested high-level customers of IM-RAT and its developers in Australia, Colombia, the Czech Republic, the Netherlands, Poland, Spain, Sweden and the United Kingdom.<br/> <a href="https://forum.anomali.com/t/europol-shuts-down-imminent-monitor-rat-operations-with-13-arrests/4407" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947079">[MITRE ATT&amp;CK] Screen Capture - T1113</a> | <a href="https://ui.threatstream.com/ttp/947115">[MITRE ATT&amp;CK] Disabling Security Tools - T1089</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&amp;CK] Input Capture - T1056</a></p><p><a href="https://www.bleepingcomputer.com/news/security/beware-of-thanksgiving-ecard-emails-distributing-malware/" target="_blank"><b>Beware of Thanksgiving eCard Emails Distributing Malware</b></a> (<i>November 28, 2019</i>)<br/> With Thanksgiving being celebrated across the US, threat actors have been circulating themed spearphishing emails that deploy the Emotet Trojan and, through it, other malware. The emails masquerade as Thanksgiving greeting e-cards and carry an attached Word document. When the user opens the attachment to view the “greeting”, the document tells them they must click “Enable Content” or “Enable Editing” to view it properly. Doing so executes macros that install the modular malware Emotet. 
Emotet is then used to download further malware that can steal cached passwords, give the threat actor remote access to the user’s machine or deploy ransomware.<br/> <a href="https://forum.anomali.com/t/beware-of-thanksgiving-ecard-emails-distributing-malware/4408" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a></p><p><a href="https://securelist.com/revengehotels/95229/" target="_blank"><b>RevengeHotels: Cybercrime Targeting Hotel Front Desks Worldwide</b></a> (<i>November 28, 2019</i>)<br/> A cybercrime campaign dubbed “RevengeHotels” has been targeting hospitality and tourism companies, hotels and hostels, with the majority of activity focused on Brazil. Other targeted countries include Argentina, Bolivia, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand and Turkey. The threat actors send well-worded emails carrying Word, Excel or PDF attachments. Some samples exploit CVE-2017-0199, a Microsoft Office vulnerability patched in April 2017 (a zero-day when it was disclosed, but long since fixed) that lets a crafted document fetch and execute a remote script through a linked OLE object; the campaign uses it to run malicious VB scripts on the victim’s system. The operators’ aim is to collect credit card data belonging to guests and travellers staying at these hotels and hostels, which they do by infecting front desk machines and capturing card data and credentials from the hotel administration software in use. 
In some cases, the threat actors sell the captured credentials, giving other actors remote access to these systems to carry out their own malicious campaigns.<br/> <a href="https://forum.anomali.com/t/revengehosts-cybercrime-targeting-hotel-front-desks-worldwide/4409" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947079">[MITRE ATT&amp;CK] Screen Capture - T1113</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947224">[MITRE ATT&amp;CK] Exfiltration Over Alternative Protocol - T1048</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell - T1086</a> | <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a></p><p><a href="https://www.zdnet.com/article/adobe-discloses-security-breach-impacting-magento-marketplace-users/" target="_blank"><b>Adobe Discloses Security Breach Impacting Magento Marketplace Users</b></a> (<i>November 27, 2019</i>)<br/> Adobe’s Magento Marketplace has suffered a security breach that exposed the personal information of its registered users. The marketplace is where customers buy, sell and download themes and plugins for Magento-based stores; Magento powers more than 20% of the top 1,000 e-retailers in the United States and Canada. Threat actors exploited a vulnerability in the marketplace website that allowed unauthorised third parties to access Magento customers’ account information. Once the breach was discovered, the marketplace was taken offline so that the vulnerability could be addressed. 
Adobe states that no passwords or financial information were exposed in the breach.<br/> <a href="https://forum.anomali.com/t/adobe-discloses-security-breach-impacting-magento-marketplace-users/4410" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a></p><p><a href="https://www.bleepingcomputer.com/news/security/ryuk-ransomware-forces-prosegur-security-firm-to-shut-down-network/" target="_blank"><b>Ryuk Ransomware Forces Prosegur Security Firm to Shut Down Network</b></a> (<i>November 27, 2019</i>)<br/> The Spain-based multinational security company Prosegur has announced disruptions to its telecommunications platform as the result of a cyberattack. The malware used in the attack is “Ryuk”, a ransomware that specifically targets enterprises and is typically delivered via Emotet. To prevent the ransomware spreading further, Prosegur restricted communications with its customers and will continue to do so until it can confirm that its systems are clean of the infection. Prosegur has stated that once the investigation is complete, affected systems will be restored to full functionality.<br/> <a href="https://forum.anomali.com/t/ryuk-ransomware-forces-prosegur-security-firm-to-shut-down-network/4411" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a></p><p><a href="https://krebsonsecurity.com/2019/11/sale-of-4-million-stolen-cards-tied-to-breaches-at-4-restaurant-chains/" target="_blank"><b>Sale of 4 Million Stolen Cards Tied to Breaches at 4 Restaurant Chains</b></a> (<i>November 26, 2019</i>)<br/> Four million stolen payment cards have recently been put up for sale on the underground carding bazaar Joker’s Stash. 
The cards were traced to four sources: Krystal, Moe’s, McAlister’s Deli and Schlotzsky’s, restaurant chains concentrated in the midwestern and eastern United States. Focus Brands, the parent company of Moe’s, McAlister’s and Schlotzsky’s, was breached between April and July 2019, and Krystal disclosed a separate intrusion between July and September 2019. Such attacks are commonly carried out by remotely installing point-of-sale (POS) malware that harvests card data as customers pay at a compromised payment terminal.<br/> <a href="https://forum.anomali.com/t/sale-of-4-million-stolen-cards-tied-to-breaches-at-4-restaurant-chains/4412" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947209">[MITRE ATT&amp;CK] Third-party Software - T1072</a></p><p><a href="https://threatpost.com/black-friday-shoppers-scams-fake-domains/150593/" target="_blank"><b>Black Friday Shoppers Targeted By Scams and Fake Domains</b></a> (<i>November 26, 2019</i>)<br/> The annual Black Friday and Cyber Monday sales have started, and actors are taking advantage of them to lure shoppers into handing over payment data. Researchers from ZeroFOX observed scammers using several tactics to drive their spam and malware campaigns, including domain impersonation, social media giveaway scams and malicious Chrome extensions. Actors typically use social media ads to lure people into clicking links that ask for personal information such as credit card details or email addresses; the same links can also harvest user credentials and push further malware onto the victim’s system. The links impersonate genuine domains such as Apple or Amazon to make the request for personal details look legitimate. 
On these fake domains, users are also tricked into installing malicious Chrome extensions presented as a requirement for viewing the page. The actors behind one such extension use it to extort victims for their social security numbers under threat of further compromise of their system.<br/> <a href="https://forum.anomali.com/t/black-friday-shoppers-targeted-by-scams-and-fake-domains/4413" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a></p><p><a href="https://www.zdnet.com/article/a-hacking-group-is-hijacking-docker-systems-with-exposed-api-endpoints/" target="_blank"><b>A Hacking Group is Hijacking Docker Systems with Exposed API Endpoints</b></a> (<i>November 26, 2019</i>)<br/> Troy Mursch, Chief Research Officer (CRO) of Bad Packets LLC, discovered a campaign targeting Docker hosts: a threat group is mass-scanning for Docker platforms whose API endpoints are exposed to the internet, then deploying a cryptocurrency miner on each exposed Docker instance to generate profit for the group. At the time of the report the actors were scanning more than 59,000 IP networks for exposed Docker instances. Once an exposed instance is identified, the group uses the API endpoint to run a command that installs the XMRig cryptocurrency miner. The malware also includes self-defence measures that uninstall monitoring agents and kill processes, with the scripts for these downloaded from the group’s C2. 
Docker hosts have also drawn attention in 2019 following the disclosure of CVE-2019-5736, a runC vulnerability that lets a malicious container overwrite the host’s runc binary and gain root on the host; this campaign, however, needs no exploit, since an internet-exposed, unauthenticated Docker API already hands a remote attacker root-equivalent command execution on the host.<br/> <a href="https://forum.anomali.com/t/a-hacking-group-is-hijacking-docker-systems-with-exposed-api-endpoints/4414" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947115">[MITRE ATT&amp;CK] Disabling Security Tools - T1089</a> | <a href="https://ui.threatstream.com/ttp/947276">[MITRE ATT&amp;CK] Network Service Scanning - T1046</a> | <a href="https://ui.threatstream.com/ttp/947224">[MITRE ATT&amp;CK] Exfiltration Over Alternative Protocol - T1048</a></p></div></div>
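The Thanksgiving e-card Emotet lure and the RevengeHotels CVE-2017-0199 samples above share a delivery vector: an Office attachment that either asks the user to enable macros or silently reaches out for a remote object. The Python below is an added example, not code from Anomali or from the cited researchers, of a mail-gateway triage check that covers both indicators. It flags a VBA project in OOXML packages (`vbaProject.bin`) or in legacy OLE2 files, and flags OOXML relationships that point an OLE object at an external URL, the shape CVE-2017-0199 document variants take. The sample documents are constructed inside the script and are not real malware; the OLE2 check is a byte-level heuristic rather than a compound-file parser, and the `203.0.113.10` address is a documentation-range placeholder.

```python
"""Triage Office attachments for VBA projects and external OLE links.
Added example: all inputs are constructed here; no real malware is involved."""
import io
import zipfile
import xml.etree.ElementTree as ET

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls compound-file header
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
# Stream name present in every VBA project; OLE2 directory names are UTF-16LE.
VBA_STREAM_MARK = "_VBA_PROJECT".encode("utf-16-le")


def triage_office(data: bytes) -> dict:
    """Return the container format, whether a VBA project is present, any
    external OLE targets, and a verdict. Heuristic, intended for gateway triage."""
    f = {"format": "unknown", "vba_macros": False, "external_ole": [], "verdict": "clean"}
    if data.startswith(OLE_MAGIC):
        f["format"] = "ole2"
        f["vba_macros"] = VBA_STREAM_MARK in data      # byte heuristic, not a CFB parse
    elif data.startswith(b"PK\x03\x04"):
        f["format"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # .docm/.xlsm (or a macro file renamed to .docx) carries the VBA project
            # as a binary part; the extension on the wire proves nothing.
            f["vba_macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
            for n in names:
                if not n.lower().endswith(".rels"):
                    continue
                root = ET.fromstring(zf.read(n))
                for rel in root.iter(REL_NS + "Relationship"):
                    # An oleObject relationship with TargetMode="External" makes Office
                    # fetch the object from that URL on open (CVE-2017-0199 shape).
                    if rel.get("TargetMode") == "External" and rel.get("Type") == OLE_REL_TYPE:
                        f["external_ole"].append(rel.get("Target"))
    if f["vba_macros"] or f["external_ole"]:
        f["verdict"] = "quarantine"
    return f


def build_sample_docx(with_macro=False, external_target=None) -> bytes:
    """Constructed minimal OOXML package for demonstration; not a real document."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">',
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
            '2006/relationships/styles" Target="styles.xml"/>']
    if external_target:
        rels.append('<Relationship Id="rId9" Type="%s" Target="%s" TargetMode="External"/>'
                    % (OLE_REL_TYPE, external_target))
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", "\n".join(rels))
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)   # placeholder for the VBA part
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "ecard (Enable Content lure)": build_sample_docx(with_macro=True),
        "reservation.docx (external OLE)": build_sample_docx(
            external_target="http://203.0.113.10/invoice.hta"),
        "benign.docx": build_sample_docx(),
        "legacy.doc with VBA": OLE_MAGIC + b"\x00" * 64 + VBA_STREAM_MARK,
    }
    for name, blob in samples.items():
        print(f"{name:34} -> {triage_office(blob)}")
```

Two caveats for production use: a positive result on the OLE2 heuristic should hand the file to a real compound-file parser before anyone acts on it, and a clean result here says nothing about RTF, which CVE-2017-0199 was originally weaponised through.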
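The Steam lure ("giveavvay[.]com", two v's for a w) and the Black Friday domains impersonating Apple or Amazon are the same trick at the registrar level. The following Python is an added example, not Anomali's or ZeroFOX's tooling, of a watchlist check you can run over newly registered domains, proxy logs or certificate-transparency feeds: it folds common confusable character pairs, looks for a watched label embedded in a longer one, and catches single-edit typosquats. The watchlist, the confusable table and the input domains are constructed for the demonstration; it assumes no public-suffix list, so the "registrable label" it extracts is wrong for two-level suffixes such as `.co.uk`.

```python
"""Lookalike-domain check against a brand/lure watchlist.
Added example with a constructed watchlist and constructed inputs."""
import re

# Character sequences commonly swapped in to imitate a watched label.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]
# Brand labels plus one lure keyword. An exact label match is treated as the genuine
# owner's domain, which is an assumption (brand.com yes, brand.<odd tld> maybe not).
WATCHLIST = ["steamcommunity", "steampowered", "apple", "amazon", "giveaway"]


def registrable_label(domain: str) -> str:
    """Strip defanging, scheme, port and path; return the label left of the TLD.
    Assumption: no public-suffix list, so example.co.uk yields 'co'."""
    d = domain.strip().lower().replace("[.]", ".").replace("(.)", ".")
    d = re.sub(r"^hxxps?://|^https?://", "", d).split("/")[0].split(":")[0].rstrip(".")
    labels = d.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label: str) -> str:
    """Fold confusable sequences so 'giveavvay' and 'amaz0n' compare as intended."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_domain(domain: str, watchlist=WATCHLIST) -> list:
    """Return (watch_word, reason) pairs; an empty list means nothing suspicious."""
    label = registrable_label(domain)
    norm = normalize(label)
    hits = []
    for word in watchlist:
        if label == word:
            continue                                   # exact label: assumed genuine
        if norm == word:
            hits.append((word, "confusable characters"))
        elif word in norm:
            hits.append((word, "brand embedded in longer label"))
        elif edit_distance(norm, word) == 1:
            hits.append((word, "one edit away (typosquat)"))
    return hits


if __name__ == "__main__":
    # Constructed inputs; the first mirrors the Steam lure domain reported above.
    for d in ["giveavvay[.]com", "hxxp://amaz0n-blackfriday-deals.com/login",
              "aple.com", "www.steamcommunity.com", "amazon.com"]:
        print(f"{d:45} {check_domain(d) or 'ok'}")
```

Tune the edit-distance threshold to label length before deploying this: one edit is the right bar for "apple" but too loose for very short labels and too strict for long ones, and a real deployment would also score the TLD and the registration date.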
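The Docker campaign above needs nothing more than a daemon answering its REST API on a public address. The Python below is an added example, not code from Anomali or Bad Packets, of checking your own estate from both ends: a read-only `GET /version` probe against the conventional API ports on hosts you administer, and an audit of `/etc/docker/daemon.json` for a `tcp://` listener configured without `tlsverify`. The `hosts` and `tlsverify` keys, the 2375/2376 port convention and the `ApiVersion`/`Version` fields are real Docker Engine settings and response fields; the sample response body is constructed here in that shape, and the probe deliberately bypasses any proxy so the result reflects the target, not the proxy. Run the scanner only against ranges you own.

```python
"""Find Docker Engine APIs reachable without authentication, the exposure the
campaign above mass-scans for. Added example; probe only hosts you own."""
import json
import socket
import urllib.error
import urllib.request

DOCKER_API_PORTS = (2375, 2376)   # conventional plaintext and TLS API ports
# Never route a scan through an environment proxy; we want the target's answer.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def classify_docker_response(status: int, body: bytes) -> str:
    """'exposed' if the body is a Docker GET /version document, 'auth-required'
    on 401/403 (TLS client-cert or reverse-proxy auth in front), else 'not-docker'."""
    if status in (401, 403):
        return "auth-required"
    try:
        doc = json.loads(body.decode("utf-8", "replace"))
    except ValueError:
        return "not-docker"
    if isinstance(doc, dict) and "ApiVersion" in doc and "Version" in doc:
        return "exposed"
    return "not-docker"


def probe_docker_api(host: str, port: int = 2375, timeout: float = 3.0):
    """GET /version: read-only, and unauthenticated on an open daemon. Returns a
    classification string, or None when nothing speaks HTTP on the port."""
    url = f"http://{host}:{port}/version"
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            return classify_docker_response(resp.status, resp.read())
    except urllib.error.HTTPError as e:          # something answered with an error code
        return classify_docker_response(e.code, e.read())
    except (urllib.error.URLError, socket.timeout, OSError):
        return None                              # closed, filtered, or not HTTP


def scan(hosts, ports=DOCKER_API_PORTS, timeout: float = 3.0) -> dict:
    """Map host -> {port: classification} for every port that answered."""
    results = {}
    for host in hosts:
        found = {}
        for port in ports:
            verdict = probe_docker_api(host, port, timeout)
            if verdict is not None:
                found[port] = verdict
        if found:
            results[host] = found
    return results


def daemon_config_issues(daemon_json: str) -> list:
    """Audit the 'hosts' entries of /etc/docker/daemon.json. A tcp:// listener
    without tlsverify is unauthenticated, root-equivalent access to the host."""
    cfg = json.loads(daemon_json)
    issues = []
    for h in cfg.get("hosts", []):
        if not h.startswith("tcp://"):
            continue                                  # unix:// / fd:// sockets are local
        if not cfg.get("tlsverify"):
            issues.append(f"{h}: TCP API listener without tlsverify")
        elif h.startswith(("tcp://0.0.0.0", "tcp://[::]")):
            issues.append(f"{h}: TLS-verified but bound to all interfaces; prefer a management address")
    return issues


# Constructed body in the shape of Docker's GET /version reply (field names are real).
SAMPLE_VERSION_BODY = json.dumps({
    "Platform": {"Name": "Docker Engine - Community"}, "Version": "19.03.5",
    "ApiVersion": "1.40", "MinAPIVersion": "1.12", "Os": "linux", "Arch": "amd64",
}).encode()

if __name__ == "__main__":
    print(classify_docker_response(200, SAMPLE_VERSION_BODY))
    print(scan(["127.0.0.1"], timeout=1.0))      # empty dict on a host with no API listener
    print(daemon_config_issues('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'))
```

The fix for an "exposed" result is configuration, not patching: drop the `tcp://` entry from `hosts` (or keep it only with `tlsverify` and a CA-issued client certificate, bound to a management address), and treat any host that was exposed as compromised until its containers, cron entries and running processes have been reviewed, since the campaign's payload removes monitoring agents first.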
