
Weekly Threat Briefing: New dark_nexus Botnet, Pegasus Spyware, SFO Airport Data Breach, and More

The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Botnet, Data breach, Malware, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.

Anomali Threat Research
April 14, 2020
<p><img src="https://anomali-labs-public.s3.amazonaws.com/734087.png"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p><h2>Trending Cyber News and Threat Intelligence</h2><h3 style="margin-bottom:0;"><a href="https://www.databreaches.net/san-francisco-intl-airport-discloses-data-breach-after-hack/" target="_blank">San Francisco International Airport Discloses Data Breach After Hack</a></h3><p>(published: April 11, 2020)</p><p>San Francisco International Airport was the victim of a cyber attack in March 2020. The actors injected malicious code into the websites SFOConnect[.]com and SFOConstruction[.]com. The attack is likely to have impacted users connecting to these sites from outside the airport network, and attackers may have accessed usernames and passwords. According to the "Notice of Data Breach" sent by the airport, it forced a reset of all SFO-related email and network passwords on March 23, 2020.<br/> <b>Recommendation:</b> The exposure of Personally Identifiable Information (PII) requires affected individuals to take precautionary measures to protect their identity and their finances. Identity theft protection services can help prevent actors using stolen data from making illicit purchases or applying for financial services. There are a number of ways to conduct login security maintenance to mitigate this risk. Users must make sure they are not reusing the same credentials across multiple sites. 
Criminals are likely to test this common mistake by taking a stolen credential and using it against another service to see if they can access it. To boost login security, users can implement two-factor authentication and make sure the secondary authentication mechanism uses something in their possession, such as a mobile phone. Using a password manager will also help to generate longer and more secure passwords without the need to remember them.<br/> <b>Tags:</b> Data breach, SFO, San Francisco, Airport</p><h3 style="margin-bottom:0;"><a href="https://www.databreaches.net/suspecting-cyber-attack-mediterranean-shipping-company-reports-network-outage-update/" target="_blank">Suspecting Cyber Attack, Mediterranean Shipping Company Reports Network Outage</a></h3><p>(published: April 11, 2020)</p><p>The Mediterranean Shipping Company has announced that its network outage may have been the result of a cyber attack. The outage began in one of its data centers in Geneva, Switzerland, and the company has stated that the issue has only impacted its headquarters in Geneva. The company chose to shut down its servers as a safety precaution. The Mediterranean Shipping Company is the world’s second largest container shipping line.<br/> <b>Recommendation:</b> Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from attacks such as these, including a focus on both network and host-based security. 
Prevention and detection capabilities should also be in place.<br/> <b>Tags:</b> Mediterranean Shipping Company, Geneva</p><h3 style="margin-bottom:0;"><a href="https://www.theregister.co.uk/2020/04/10/lockheed_martin_spacex_ransomware_leak/" target="_blank">Ransomware Operators Leak Boeing, Lockheed Martin, SpaceX Documents After Contractor Refuses to Pay</a></h3><p>(published: April 10, 2020)</p><p>The aerospace defense contractor Visser Precision was targeted with DoppelPaymer ransomware this month and, after refusing to pay the ransom demand, has had some of its data leaked online. The data includes information from clients such as Lockheed Martin, SpaceX, Tesla, Boeing, and Honeywell (among others), with a particular focus on Tesla, Lockheed Martin, Boeing, and SpaceX.<br/> <b>Recommendation:</b> Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications from trusted vendors should also be employed. Emails received from unknown senders should be treated with caution, and attachments from such senders should not be opened.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> DoppelPaymer, Ransomware, Visser Precision</p><h3 style="margin-bottom:0;"><a href="https://www.darkreading.com/threat-intelligence/criminals-selling-videoconferencing-credentials-on-dark-web/d/d-id/1337539" target="_blank">Criminals Selling Video Conferencing Credentials on Dark Web</a></h3><p>(published: April 10, 2020)</p><p>Cyber criminals have been selling video conferencing credentials in underground markets, offering hundreds and in some cases thousands of Zoom usernames and passwords. 
This trend comes at a time when many employees are working from home.<br/> <b>Recommendation:</b> There are a number of ways to conduct login security maintenance to mitigate this risk. Users must make sure they are not reusing the same credentials across multiple sites. Criminals are likely to test this common mistake by taking a stolen credential and using it against another service to see if they can access it. To boost login security, users can implement two-factor authentication and make sure the secondary authentication mechanism uses something in their possession, such as a mobile phone. Using a password manager will also help to generate longer and more secure passwords without the need to remember them.<br/> <b>Tags:</b> Zoom, Credentials, Data breach</p><h3 style="margin-bottom:0;"><a href="https://latesthackingnews.com/2020/04/09/nso-group-disclose-facebooks-secret-attempt-to-buy-their-pegasus-spyware/" target="_blank">NSO Group Disclose Facebook’s Secret Attempt To Buy Their Pegasus Spyware</a></h3><p>(published: April 9, 2020)</p><p>The Israeli surveillance technology firm NSO Group, widely reported to sell spyware to multiple governments, has been sued by Facebook. However, it has emerged that in 2017 Facebook approached NSO Group to buy its software. According to a statement delivered to the U.S. Federal District Court by NSO Group CEO Shalev Hulio, Facebook wanted help with its mobile app Onavo Protect, a VPN service later found to have been harvesting user data and discontinued in May 2019. In order to track users on iOS devices more successfully, Facebook requested technology from NSO Group.<br/> <b>Recommendation:</b> Defense-in-depth is the best way to ensure safety from APTs. Defense-in-Depth involves the layering of defense mechanisms. 
This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff, and robust threat intelligence capabilities.<br/> <b>Tags:</b> NSO, Facebook, Surveillance</p><h3 style="margin-bottom:0;"><a href="https://labs.bitdefender.com/2020/04/new-dark_nexus-iot-botnet-puts-others-to-shame/" target="_blank">New dark_nexus IoT Botnet Puts Others to Shame</a></h3><p>(published: April 8, 2020)</p><p>Researchers at BitDefender have detected a new Internet of Things (IoT) botnet they have named "dark_nexus", after the user agent string observed during exploitation attempts over HTTP: "dark_NeXus_Qbot/4.0". The string also suggests the botnet is influenced by Qbot. BitDefender analysts have determined that dark_nexus reuses code from the Qbot and Mirai botnets, but also contains a great deal of unique code. Payloads have been compiled for 12 different CPU architectures, boasting increased potency. The botnet appears to have been developed by the known botnet author "greek.helios", who is known for IoT malware.<br/> <b>Recommendation:</b> Botnet malware takes advantage of internet-connected devices which have been misconfigured or do not have security updates applied. Any device that connects to the internet must be treated as a security liability, and default usernames and passwords must be disabled. In addition, changing default port configurations can assist in preventing malware that scans for such configurations. 
Organizations and defenders should be aware of all their internet-facing assets and keep them under strict monitoring.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a><br/> <b>Tags:</b> BitDefender, Botnet, dark nexus, malware, Qbot</p><h3 style="margin-bottom:0;"><a href="https://www.zdnet.com/article/this-is-why-the-vicious-xhelper-malware-resists-factory-wipes-and-reboots/" target="_blank">This is Why the Vicious xHelper Malware Resists Factory Wipes and Reboots</a></h3><p>(published: April 8, 2020)</p><p>The xHelper Android malware has been called "dangerous" and "unkillable" by media reports due to its persistence compared to other Android malware. xHelper is an infostealer but can also operate as a downloader for other malware. Once the malware has root access, it is able to install malware directly into the system partition. Using a script called "forever.sh", the malware launches from that partition at startup. xHelper also removes root access from control applications such as Superuser, making it even more difficult for victims to regain control of the device.<br/> <b>Recommendation:</b> It is important to only use the Google Play Store to obtain software (for Android users) and to avoid installing software from unverified sources, because it is easier for malicious applications to get into third-party stores. Applications that ask for additional permissions outside of their normal functionality should be treated with suspicion, and the normal functionality of an application should be reviewed carefully prior to installation. 
Antivirus applications, if available, should be deployed on devices, particularly those that could contain sensitive information.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1260053">[MITRE MOBILE-ATT&amp;CK] Access Sensitive Data in Device Logs - T1413</a><br/> <b>Tags:</b> Mobile, Android, Malware, xHelper</p><h3 style="margin-bottom:0;"><a href="https://www.scmagazineuk.com/darkhotel-exploits-zero-day-vpn-attack-china-assets/article/1679607" target="_blank">DarkHotel APT is Exploiting SangFor VPN Vulnerability to Target Chinese Institutions, Claims Chinese Security Firm</a></h3><p>(published: April 8, 2020)</p><p>Qihoo 360 researchers have detected the DarkHotel APT targeting Chinese institutions by exploiting a vulnerability in the SangFor Virtual Private Network (VPN). The campaign began in March 2020, and over 200 SangFor SSL VPN servers have been compromised. The attacks have targeted Chinese organisations all over the world, including in the UK and Italy. The vulnerability exists in the update file which is downloaded from the VPN server: the only security check that is performed appears to be the version number, so attackers can tamper with the file and infect the target machine. Researchers pointed out that VPN services have been increasingly targeted in recent campaigns due to more people working from home during the coronavirus pandemic.<br/> <b>Recommendation:</b> Defense-in-depth is the best way to ensure safety from APTs. Defense-in-Depth involves the layering of defense mechanisms. 
This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff, and robust threat intelligence capabilities.<br/> <b>Tags:</b> APT, SangFor, VPN, Vulnerability, China</p><h3 style="margin-bottom:0;"><a href="https://go.recordedfuture.com/hubfs/reports/cta-2020-0408.pdf" target="_blank">Intent to Infekt: ‘Operation Pinball’ Tactics Reminiscent of ‘Operation Secondary Infektion’</a></h3><p>(published: April 8, 2020)</p><p>Recorded Future have published a report detailing a concerted effort by Russia to undermine the relationship between Estonia and the EU. In the campaign, called "Operation Pinball", researchers uncovered a number of fraudulently generated documents and letters purporting to be from ministry officials. Researchers pointed out that the themes of the letters were likely intended to undermine the EU-Estonian relationship, cause internal strife at the political level in Estonia, undermine confidence in the Estonian government, and influence perceptions on migration.<br/> <b>Recommendation:</b> Defense-in-depth is the best way to ensure safety from APTs. Defense-in-Depth involves the layering of defense mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff, and robust threat intelligence capabilities.<br/> <b>Tags:</b> Russia, US, Documentation, Operation Pinball</p>
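The SFO and Zoom credential stories above both recommend a second factor tied to something the user carries, such as a mobile phone. The following is an added example, not code from the briefing or from any vendor it names, showing how a phone-app second factor (RFC 6238 TOTP over RFC 4226 HOTP) is generated and verified using only the Python standard library. The demo secret is the RFC 6238 reference secret and is constructed for illustration; a real deployment generates a random secret per user.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret in the base32 form authenticator apps accept.
# It is the RFC 6238 reference secret ("12345678901234567890"), not a real one.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step.
    This is what the phone app computes and displays."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, int(for_time // step), digits)


def verify_totp(secret_b32: str, submitted: str, now: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the code for the current time step and for
    `window` steps either side to tolerate clock drift, comparing in constant
    time so a wrong guess leaks nothing through timing."""
    now = time.time() if now is None else now
    secret = base64.b32decode(secret_b32, casefold=True)
    counter = int(now // step)
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    code = totp(DEMO_SECRET_B32, time.time())
    print("current code:", code, "accepted:", verify_totp(DEMO_SECRET_B32, code))
```

A production verifier also records the last accepted counter per user and refuses to accept the same or an older counter again, so that a code observed by a phishing page cannot be replayed within the drift window.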
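The dark_nexus story above gives one concrete, defender-usable artefact: the user agent string "dark_NeXus_Qbot/4.0" sent during its HTTP exploitation attempts. The following is an added example, not code from the briefing or from BitDefender, that scans web-server access logs in combined log format for that indicator and summarises the source addresses, which is the kind of check the "strict monitoring of internet-facing assets" recommendation implies. The log lines are constructed sample data using RFC 5737 documentation addresses, and the indicator list is an assumption built from the single string the story reports.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample access log in Apache/nginx combined format (not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [08/Apr/2020:10:12:01 +0000] "GET /cgi-bin/ HTTP/1.1" 404 512 "-" "dark_NeXus_Qbot/4.0"
198.51.100.23 - - [08/Apr/2020:10:12:05 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [08/Apr/2020:10:12:09 +0000] "POST /setup.cgi HTTP/1.1" 401 0 "-" "dark_NeXus_Qbot/4.0"
192.0.2.45 - - [08/Apr/2020:10:13:17 +0000] "GET /login.htm HTTP/1.1" 200 880 "-" "DARK_NEXUS_QBOT/4.0"
"""

# Combined log format: ip ident user [timestamp] "request" status size "referer" "user-agent"
COMBINED_LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-agent substrings to flag. The only one the story supplies is the
# dark_nexus string "dark_NeXus_Qbot/4.0"; matching is case-insensitive
# because operators can change capitalisation cheaply.
UA_INDICATORS = ("dark_nexus_qbot",)


def parse_combined_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it
    does not parse (malformed lines are skipped rather than crashing the scan)."""
    match = COMBINED_LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def is_botnet_ua(user_agent: str) -> bool:
    """True if the user agent contains any known botnet indicator."""
    lowered = user_agent.lower()
    return any(indicator in lowered for indicator in UA_INDICATORS)


def find_botnet_hits(log_text: str) -> List[Dict[str, str]]:
    """Scan a whole log and return every parsed entry whose UA matched."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_combined_line(line)
        if entry and is_botnet_ua(entry["ua"]):
            hits.append(entry)
    return hits


def sources_by_hits(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count matched requests per source IP, e.g. to feed a block list or alert."""
    return dict(Counter(hit["ip"] for hit in hits))


if __name__ == "__main__":
    found = find_botnet_hits(SAMPLE_ACCESS_LOG)
    for hit in found:
        print(f"{hit['ts']} {hit['ip']} {hit['request']!r} ua={hit['ua']!r}")
    print("sources:", sources_by_hits(found))
```

A user agent is attacker-controlled and trivially changed, so treat a match as a high-confidence but incomplete signal: the absence of the string says nothing, and the same scanning pattern (probes for CGI and setup endpoints from many addresses) is worth alerting on regardless of the UA presented.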
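The SangFor VPN story above describes an update mechanism whose only check on the downloaded file is its version number, so a file served by a compromised or impersonated server is installed as long as it claims to be newer. The following is an added example, not code from the briefing, from Qihoo 360 or from SangFor, and the package layout is constructed for illustration rather than the real update format. It places the weak version-only check beside a hardened check that also requires the whole package to match a hash listed in a manifest obtained from the vendor out of band (in practice a manifest signed with the vendor's key, fetched over a channel independent of the appliance serving the download).

```python
import hashlib
import hmac
from typing import Dict, Tuple

INSTALLED_VERSION = "6.9"


def build_update(version: str, payload: bytes) -> bytes:
    """Constructed package layout: one ASCII header line 'version=<a.b>'
    followed by the payload bytes. Not the real SangFor format."""
    return f"version={version}\n".encode("ascii") + payload


def parse_update(blob: bytes) -> Tuple[str, bytes]:
    """Split a package into (version, payload); raise on a malformed header."""
    header, sep, payload = blob.partition(b"\n")
    if not sep or not header.startswith(b"version="):
        raise ValueError("malformed update header")
    return header[len(b"version="):].decode("ascii"), payload


def version_tuple(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def version_only_check(blob: bytes, installed: str = INSTALLED_VERSION) -> bool:
    """The weak check the story describes: install anything whose header
    merely claims to be newer than the running version."""
    version, _ = parse_update(blob)
    return version_tuple(version) > version_tuple(installed)


# Trusted manifest: version -> SHA-256 of the complete package. Constructed here
# from a stand-in 'genuine' package; in production it comes from the vendor,
# signed, via a channel the update server cannot influence.
GENUINE_UPDATE = build_update("7.0", b"genuine client binary 7.0 (constructed)")
TRUSTED_MANIFEST: Dict[str, str] = {"7.0": hashlib.sha256(GENUINE_UPDATE).hexdigest()}


def manifest_check(blob: bytes, manifest: Dict[str, str] = TRUSTED_MANIFEST,
                   installed: str = INSTALLED_VERSION) -> bool:
    """Hardened check: the version must be newer than what is installed AND the
    whole package must hash to the value the trusted manifest lists for it."""
    try:
        version, _ = parse_update(blob)
    except ValueError:
        return False
    if version_tuple(version) <= version_tuple(installed):
        return False  # refuse downgrades and replays of older packages
    expected = manifest.get(version)
    if expected is None:
        return False  # unknown version: nothing trusted to compare against
    actual = hashlib.sha256(blob).hexdigest()
    return hmac.compare_digest(actual, expected)


# What a tampered download looks like: a plausible header, a different payload.
TAMPERED_UPDATE = build_update("7.0", b"modified client binary (constructed)")

if __name__ == "__main__":
    for name, pkg in (("genuine", GENUINE_UPDATE), ("tampered", TAMPERED_UPDATE)):
        print(f"{name}: version-only={version_only_check(pkg)} "
              f"manifest={manifest_check(pkg)}")
```

The hash must cover the version header as well as the payload, otherwise an attacker can re-label an old, vulnerable package with a newer version number; keeping the version comparison separately still matters so that a genuine but older package in the manifest cannot be used to roll a client back.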
Anomali Threat Research

Anomali's Threat Research team continually tracks security threats to identify when new, highly critical security threats emerge. The Anomali Threat Research team's briefings discuss current threats and risks like botnets, data breaches, misconfigurations, ransomware, threat groups, and various vulnerabilities. The team also creates free and premium threat intelligence feeds for Anomali's industry-leading Threat Intelligence Platform, ThreatStream.
