The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT activity, Malspam, Phishing, Ransomware, Spearphishing, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
(published: May 4, 2020)
Ransomware recovery firm Coveware found that the Phobos, Ryuk, and Sodinokibi ransomware families contributed to sizable increases in ransom payments during the first quarter of 2020. Coveware calculates the average ransom paid in the first quarter of 2020 at $111,605 USD, roughly a third higher than in the final quarter of 2019. According to Coveware's aggregated data, Sodinokibi accounted for over 26% of paid ransomware attacks, likely due to its broad victim demographic, with ransom amounts scaling with the size of the target organization. Ryuk was the second most prevalent family at just over 19%, with average ransom demands of over $1M USD in the first quarter of 2020. The Ryuk average still rose from the fourth quarter of 2019, even though Ryuk has recently been seen targeting smaller organizations than in previous campaigns.
Recommendation: These statistics highlight the need for organizations to do more to protect themselves against crypto-malware infections. It is important to have a comprehensive and tested backup solution and a business continuity plan in place for the unfortunate case of ransomware infection.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Ransomware, Ryuk, Sodinokibi
(published: May 3, 2020)
Two critical vulnerabilities in the SaltStack configuration management framework are being actively exploited in a campaign that has impacted servers belonging to LineageOS, Ghost, and DigiCert. The vulnerabilities, CVE-2020-11651 and CVE-2020-11652, can be chained to execute arbitrary code on remote servers managed by an exposed Salt master. They were fixed in version 3000.2, released on April 29, 2020. LineageOS, an open-source Android distribution, detected the intrusion into its infrastructure on May 2, 2020. Ghost, an open-source blogging platform, and the certificate authority DigiCert both reported compromises on May 3, 2020. According to an alert published by F-Secure, as many as 6,000 Salt masters are exposed to the internet and can be exploited if left unpatched.
Recommendation: Organizations running Salt should update to a patched version immediately and, where possible, configure the Salt packages to update automatically to limit the window for exploitation. Because this campaign is exploiting masters reachable from the internet, the master's publish and request ports (4505 and 4506 by default) should be restricted to the minions that need them rather than exposed publicly. All software used by your organization should be routinely checked for patches and updates, and updated automatically whenever possible. Vulnerabilities are discovered frequently, and it is paramount to install security patches before a malicious actor attempts to exploit them.
Tags: Vulnerability, SaltStack, LineageOS
(published: April 30, 2020)
Security researchers at Group-IB have discovered a spearphishing campaign, dubbed “PerSwaysion,” that abuses Microsoft file sharing services. The campaign primarily targets small and medium-sized financial services firms, law firms, and real estate groups, and is aimed at high-ranking executives within those organizations in order to harvest Office 365 credentials through fake Outlook login pages. The three-phase operation takes a targeted victim from an email with a malicious PDF attachment to a page hosted on a Microsoft file sharing service such as Sway or SharePoint, and from there to a fake Microsoft Outlook login page where the actors collect the victim's credentials. The PerSwaysion campaign is not very sophisticated but has been highly successful, with at least 156 high-ranking officers compromised according to Group-IB. The actors behind the campaign are believed to be based in Nigeria and South Africa, likely use LinkedIn to gather intelligence on executives, and rely on a phishing toolkit developed by Vietnamese programmers.
Recommendation: Group-IB has launched a website where individuals can check whether their email addresses have been compromised by PerSwaysion; anyone who would like to check can do so at https://www.group-ib.com/landing/publicalert.html. Because the campaign's goal is credential theft, multi-factor authentication should be enforced on Office 365 accounts, and any login page reached by following links out of an email should be treated with suspicion even when the intermediate hop is a legitimate Microsoft domain. Files that request that content be enabled in order to view the document are often signs of a phishing attack. Any such attachment sent by an unknown sender should be viewed with the utmost scrutiny, left unopened, and reported to the appropriate personnel.
Tags: PerSwaysion, Campaign, Phishing
(published: April 30, 2020)
Researchers at Barracuda Networks have observed an increase in the malicious use of genuine reCAPTCHA walls in phishing campaigns. Placing a real reCAPTCHA challenge in front of the phishing page prevents automated URL analysis systems from reaching the page content, and also makes the site appear more authentic and believable to the user. According to the research samples, use of the real reCAPTCHA API has become considerably more common than fake reCAPTCHA boxes, because the fakes are easily detected by automated scanners.
Recommendation: Be sure to educate employees on the malicious use of reCAPTCHA in phishing campaigns, and of the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened.
Tags: reCAPTCHA, API, Phishing
(published: April 30, 2020)
In March 2020, the Cybereason Nocturnus team uncovered a new Android mobile banking trojan and infostealer, dubbed “EventBot,” that targets banking and cryptocurrency credentials on the device. EventBot primarily targets financial applications used across the United States and Europe, including Italy, the UK, Spain, Switzerland, France, and Germany, in that order. The malware masquerades as a legitimate Android application, such as Adobe Flash or Microsoft Word, distributed through third-party app stores and malicious websites. Once installed, EventBot abuses Android accessibility services to steal login credentials from financial applications and to read the user's SMS messages in order to bypass SMS-based two-factor authentication (2FA). The malware is still at an early stage of development, but according to Cybereason researchers it already demonstrates a high level of sophistication among mobile malware authors.
Recommendation: Android users should always download applications directly from the Google Play Store and not from unofficial or unauthorized sources. Google Play Protect is built-in malware protection from Android, and users should be certain this feature is turned on. Employers should also consider mobile threat detection solutions to increase security on employee mobile devices.
MITRE ATT&CK: [MITRE ATT&CK] Input Capture - T1417 | [MITRE ATT&CK] Capture SMS Messages - T1412
Tags: EventBot, Banking, Trojan, Android, Malware
(published: April 29, 2020)
A high-severity vulnerability has been discovered in a WordPress plugin installed on thousands of websites. The Wordfence security team found that the Real-Time Find and Replace plugin contains a Cross-Site Request Forgery (CSRF) vulnerability that can be turned into stored Cross-Site Scripting (XSS). According to the researchers, the plugin's far_options_page function fails to perform nonce verification, so an attacker who tricks a logged-in administrator into visiting a crafted page can submit find-and-replace rules on the administrator's behalf. Because the plugin injects the configured replacement content into the site's pages, the attacker can plant malicious JavaScript that executes for every visitor, which could ultimately be used to gain administrative access to the website. The vulnerability has been patched in version 4.0.2 of the plugin.
Recommendation: Users of this plugin should ensure they are running version 4.0.2 or newer, which fixes the vulnerability, and should review the configured find-and-replace rules for unexpected script or markup if the site ran an unpatched version. All website owners, especially those using WordPress, should keep their installations and plugins up to date so that patches are installed as soon as they are available.
Tags: XSS, CSRF, WordPress, Plugin, Vulnerability
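The bug class behind this story is an admin form handler that trusts any POST request, as an added illustration (PHP, since the plugin is WordPress code; this is not the Real-Time Find and Replace plugin's own code, and all `example_far_*` function, option and field names are hypothetical). The first handler reproduces the missing-nonce pattern the page describes; the second is the hardened form using WordPress's nonce and capability APIs:

```php
<?php
/*
 * Added example, not code from the Real-Time Find and Replace plugin.
 * Function, option and field names (example_far_*) are hypothetical.
 * Shows the bug class described above: an options page whose POST handler
 * saves attacker-influenced markup without verifying where the request came from.
 */

/* Vulnerable pattern: any request reaching this page with far_find/far_replace
 * set is trusted. The browser attaches the administrator's WordPress cookies to
 * cross-site requests, so a hidden auto-submitting form on an attacker's site can
 * make a logged-in admin store arbitrary HTML/JavaScript, which the plugin later
 * injects into every rendered page (CSRF turned into stored XSS). */
function example_far_options_page_vulnerable() {
    if ( isset( $_POST['far_find'], $_POST['far_replace'] ) ) {
        update_option( 'example_far_rules', array(
            'find'    => wp_unslash( $_POST['far_find'] ),
            'replace' => wp_unslash( $_POST['far_replace'] ), // origin never verified
        ) );
    }
    $rules = get_option( 'example_far_rules', array( 'find' => '', 'replace' => '' ) );
    ?>
    <form method="post">
        <input type="text" name="far_find" value="<?php echo esc_attr( $rules['find'] ); ?>">
        <textarea name="far_replace"><?php echo esc_textarea( $rules['replace'] ); ?></textarea>
        <?php submit_button( 'Save rules' ); ?>
    </form>
    <?php
}

/* Hardened pattern: the form carries a nonce bound to the current user and to the
 * action "example_far_save_rules". check_admin_referer() stops the request with a
 * 403 page if the nonce is missing, expired, or was issued for another user or
 * action, which is exactly what a cross-site form cannot supply. The capability
 * check is independent of the nonce and guards against lower-privileged users. */
function example_far_options_page_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to manage these settings.', 'example-far' ) );
    }
    if ( isset( $_POST['far_find'], $_POST['far_replace'] ) ) {
        check_admin_referer( 'example_far_save_rules', 'example_far_nonce' );
        update_option( 'example_far_rules', array(
            'find'    => sanitize_text_field( wp_unslash( $_POST['far_find'] ) ),
            // Defence in depth, not something the page attributes to the 4.0.2 fix:
            // strip script and event-handler markup so the rule cannot become
            // stored XSS even if an admin session is abused some other way.
            'replace' => wp_kses_post( wp_unslash( $_POST['far_replace'] ) ),
        ) );
    }
    $rules = get_option( 'example_far_rules', array( 'find' => '', 'replace' => '' ) );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_far_save_rules', 'example_far_nonce' ); ?>
        <input type="text" name="far_find" value="<?php echo esc_attr( $rules['find'] ); ?>">
        <textarea name="far_replace"><?php echo esc_textarea( $rules['replace'] ); ?></textarea>
        <?php submit_button( 'Save rules' ); ?>
    </form>
    <?php
}

/* Register only the hardened page under Settings. */
add_action( 'admin_menu', function () {
    add_options_page(
        'Find and Replace (example)',
        'Find and Replace (example)',
        'manage_options',
        'example-far',
        'example_far_options_page_fixed'
    );
} );
```

The nonce plus the capability check is what closes the CSRF; if a plugin's feature genuinely requires storing raw script, the `wp_kses_post()` filter can be dropped without reopening the cross-site hole. A quick audit for this bug class in any plugin is to look for `update_option()` or database writes in admin handlers that are not preceded by `check_admin_referer()` or `wp_verify_nonce()`, and to confirm the nonce action is specific to that form rather than a generic value shared across the plugin.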
(published: April 29, 2020)
Researchers at Cisco Talos have observed an upgraded, ongoing Aggah malspam campaign that began in January 2020. The campaign distributes malicious Microsoft Office documents that compromise a user's endpoint through a multi-stage infection chain. The final payload is a Remote Access Tool (RAT) from the Agent Tesla, njRAT, or Nanocore RAT families. The updated version uses a .NET binary to disable antivirus and endpoint protection software, and the new campaign leverages freely available Pastebin accounts, together with a Pastebin PRO account, to distribute the attack components and host all of the final RAT payloads.
Recommendation: This campaign is still ongoing as of the time of this writing. This campaign shows that network-based detection software can be evaded by sophisticated threat actors, and should be paired with endpoint protections and system behavior analysis when possible. Furthermore, all employees should be educated on the risks of phishing and spearphishing attacks and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Command-Line Interface - T1059
Tags: RAT, Aggah, Malware, Phishing, Malspam
(published: April 28, 2020)
The Automatic Number-Plate Recognition (ANPR) system operated for Sheffield City Council in the UK has reportedly been exposing records of citizens' road journeys through an unsecured management dashboard accessible online. The ANPR system is a series of traffic enforcement cameras that had been recording vehicle travel data to the dashboard since November 2018. The Register notified Sheffield City Council officials of the exposure, noting that no login details or authentication of any kind were needed to search and view the system, and the dashboard was then taken offline. It contained over eight million records of vehicle movements, including full plate numbers and the location, date, and time at which each identified vehicle passed one of the roughly 100 fixed cameras in the system. According to statements by Britain's Surveillance Camera Commissioner and South Yorkshire Police, an investigation into the exposure is ongoing, and officials have no evidence, as of the time of writing, that harm or detrimental effects resulted from it. However, because no authentication was in place, there is no record of how often unauthorised users accessed and searched the logs for malicious purposes. According to researchers Chris Kubecka and Gerard Janssen, the dashboard could have been used to reconstruct a particular vehicle's journey, or series of journeys, from its number plate, accurate to the minute of travel.
Recommendation: No login details or authentication of any sort were necessary to access this data, showing considerable security negligence by the system's managers. Sensitive data should always sit behind authentication and access control, and management dashboards for such systems should not be reachable from the public internet at all. Individuals travelling through and within the “clean air zone” in Sheffield city centre between November 2018 and April 2020 may have been affected by this lapse. Drivers should be aware of and recognize the signs and symbols of automated surveillance, and should understand their local and national surveillance policies while operating a motor vehicle.
Tags: Data breach, Surveillance, Automotive, UK
(published: April 28, 2020)
Kaspersky researchers have discovered a long-running Android malware campaign dating back to early 2016. The campaign, dubbed PhantomLance, targets Android devices in South Asia using trojanized applications distributed through the Google Play Store and third-party marketplaces. It has been observed targeting devices based primarily in India, Vietnam, Bangladesh, and Indonesia, in that order. The researchers found various overlaps with previous campaigns by the Advanced Persistent Threat (APT) group OceanLotus, believed to be a Vietnam-based cyber espionage actor. The campaign's main payload is a backdoor first observed in July 2019, detected as “Android.Backdoor.736.origin,” of which Kaspersky has found three major versions in the wild. The backdoor allows adversaries to gather call logs, contact lists, geolocation data, and SMS messages, as well as to execute additional malicious payloads as the actors require.
Recommendation: Always exercise caution and scrutiny when installing applications on any device. One practical check is to verify the APK's signature and look up its hash in sources such as VirusTotal before installing it. As this story shows, there are still risks associated with reputable app marketplaces such as the Google Play Store. The malicious PhantomLance apps that were reportedly available on Google Play have been removed by Google; however, the apps remain available on other third-party sites.
Tags: PhantomLance, OceanLotus, APT32