Weekly Threat Briefing: New Pervasive Worm Exploiting Linux Exim Server Vulnerability

<h1 id="trendingthreats">Trending Threats</h1>This section listed below contains summaries on various threat intelligence stories that occurred during the past week. The intelligence in this week’s iteration discuss the following threats: Dofloo Trojan, EternalBlue, FIN8, MuddyWater, ShellTea, and Vim Vulnerabilities. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.<a href="https://www.bleepingcomputer.com/news/security/exposed-docker-apis-abused-by-ddos-cryptojacking-botnet-malware/" target="_blank">Exposed Docker APIs Abused DDoS, Cryptojacking Botnet Malware</a> (June 14, 2019) Exposed Docker containers are being used to drop the “Dofloo” Trojan, malware used to create large scale botnets. First detected in 2014, the malware enables threat actors to create botnets to launch Denial-of-Service (DDoS) attacks and spread cryptocurrency miners. Using port 2375, the threat actors search for vulnerable Dockers, containers that have been misconfigured to allow external access. All vulnerable containers then receive the “Dofloo” malware, enabling the ability for DDoS attacks to be carried out. The trojan also collects system information for later decisions to be made on. <a href="https://forum.anomali.com/t/checkers-restaurant-chain-discloses-card-breach/3851" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://forum.anomali.com/t/exposed-docker-apis-abused-ddos-cryptojacking-botnet-malware/3899">[MITRE ATT&CK] Exfiltration Over Command and Control Channel (T1041)</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&CK] System Information Discovery (T1082)</a> | <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&CK] Web Service (T1102)</a> | <a href="https://ui.threatstream.com/ttp/947224">[MITRE ATT&CK] Exfiltration Over Alternative Protocol (T1048)</a><a href="https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability" target="_blank">New Pervasive Worm Exploiting Linux Exim Server Vulnerability</a> (June 13, 2019) A new vulnerability, CVE-2019-10149, has been identified by CyberReason that exploits Linux email servers. Discovered on June 5, the campaign seeks to gain remote command execution using an RSA key installed on the SSH server for root authentication, then deploying a port scanner to find more vulnerable servers. Once carried out, any existing coin miners are removed, and then installing a coin miners. Due to the number of vulnerable Exim servers, 3,683,029, many servers can quickly be infected. <a href="https://forum.anomali.com/t/checkers-restaurant-chain-discloses-card-breach/3851" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://forum.anomali.com/t/new-pervasive-worm-exploiting-linux-exim-server-vulnerability/3900">[MITRE ATT&CK] File Deletion (T1107)</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&CK] Exfiltration Over Command and Control Channel (T1041)</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&CK] Remote Access Tools (T1219)</a> | <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&CK] Web Service (T1102)</a><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/advanced-targeted-attack-tools-used-to-distribute-cryptocurrency-miners/" target="_blank">Advanced Targeted Attack Tools Being Used to Distribute Cryptocurrency Miners</a> (June 13, 2019) Trend Micro researchers have identified a cryptojacking campaign that infects unpatched computers with XMRig variants. While it is unknown who is behind the campaign, the threat actors have been using the EternalBlue and EternalChampion exploits to target unpatched Windows systems. Both exploits, EternalBlue and EternalChampion were leaked in April 2017, are alleged NSA tools that exploit vulnerabilities in Microsoft’s SMB protocol. Once the threat actors gain access to the system, a cryptominer binary is dropped in the “system32” or in the “SysWOW64” folder. The reported targets of the campaign include China and India, along with businesses in various sectors; communications, education, finance, media and technology. <a href="https://forum.anomali.com/t/advanced-targeted-attack-tools-being-used-to-distribute-cryptocurrency-miners/3901" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&CK] Remote Access Tools (T1219)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947224">[MITRE ATT&CK] Exfiltration Over Alternative Protocol (T1048)</a><a href="https://nakedsecurity.sophos.com/2019/06/12/june-patch-tuesday-sees-critical-adobe-flash-player-bug-fix/" target="_blank">Critical Adobe Flash Player Bug and More in June’s Patch Tuesday</a> (June 12, 2019) Adobe has issued patches for 88 vulnerabilities for the June 2019 Patch Tuesday. 21 of the vulnerabilities were rated as critical. One was a Remote Code Execution (RCE) vulnerability, registered as “CVE-2019-7845,” in Adobe Flash Player (versions 32.0.0.192 and earlier) that could be exploited by a threat actor to run arbitrary code on an affected machine. Other vulnerabilities issued patches were located in ColdFusion, bypassing file extension blacklist while uploading a file (CVE-2019-7838), command injection (CVE-2019-7839), and deserialization of untrusted data (CVE-2019-7840). <a href="https://forum.anomali.com/t/critical-adobe-flash-player-bug-and-more-in-june-s-patch-tuesday/3902" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&CK] Web Service (T1102)</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&CK] Remote Access Tools (T1219)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&CK] PowerShell (T1086)</a><a href="https://www.bleepingcomputer.com/news/security/mybb-forum-patches-vulnerabilities-that-allow-site-takeover/" target="_blank">MyBB Forum Patches Vulnerabilities That Allow Site Takeover</a> (June 11, 2019) Researchers at RIPS Technologies identified a vulnerability in MyBB forum allowing for remote code execution. By creating a PHP backdoor from chaining a Stored XSS vulnerability with a File Write vulnerability, an attacker can gain access under any name, researchers discovered they could upload a PHP shell to gain access to the server. In order to trigger an attack, a malicious message containing an XSS exploit could be sent and opened by an administrator prompting the PHP backdoor to be created, giving the attacker full access. After the vulnerability was reported to MyBB by RIPS Technologies, MyBB released a patch on June 10th fixing the vulnerabilities. <a href="https://forum.anomali.com/t/mybb-forum-patches-vulnerabilities-that-allow-site-takeover/3903" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&CK] Remote Access Tools (T1219)</a> | <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&CK] Web Service (T1102)</a> | <a href="https://ui.threatstream.com/ttp/1260045">[MITRE PRE-ATT&CK] Upload, install, and configure software/tools (PRE-T1139)</a><a href="https://threatpost.com/microsoft-patches-four-publicly-known-vulnerabilities/145594/" target="_blank">Microsoft Patches Four Publicly-Known Vulnerabilities</a> (June 11, 2019) This month, Microsoft has released patches for 88 vulnerabilities including four previously known bugs. Out of the 88 patches, 21 were rated critical, 66 important, and one moderate. While there no reports of exploitation of the vulnerabilities, they include bugs such as allowing Elevation of Privilege on an affected machine. Two patches included for remote code execution vulnerability in Microsoft Word on both Windows and Mac. Other vulnerabilities patched affect SharePoint that could enable an attacker to change permissions, delete content, place malicious content and read unauthorized content. <a href="https://forum.anomali.com/t/microsoft-patches-four-publicly-known-vulnerabilities/3904" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&CK] Exploitation for Client Execution (T1203)</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&CK] Remote Access Tools (T1219)</a> | <a href="https://ui.threatstream.com/ttp/947127">[MITRE ATT&CK] Scheduled Task (T1053)</a> | <a href="https://ui.threatstream.com/ttp/1260045">[MITRE PRE-ATT&CK] Upload, install, and configure software/tools (PRE-T1139)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a><a href="https://cyware.com/news/personal-information-of-nearly-900000-banking-customers-of-three-major-russian-banks-leaked-online-54e078f9" target="_blank">Personal Information of Nearly 900,000 Banking Customer of Three Major Russian Banks Leaked Online</a> (June 11, 2019) Three Russian banks, Alfa Bank, HCF Bank, and OTP Bank, have confirmed that financial data and Personally Identifiable Information (PII) associated with approximately 900,000 clients was publicly accessible on four different databases. Approximately 800,000 records belonged to customers of OTP Bank dating back to 2013 were found in a file in a database that the bank stated to have no knowledge of its origins. The file contained information including: addresses, approved credit limit, names, passport details, and phone numbers. DeviceLock researchers discovered two databases containing data of Alfa Bank associated with 55,000 customers in one (dating back to 2014-2015), and 504 records in the second (dating back to 2018-2019) consisting of: addresses, names, place of work, and phone numbers in one database, and account balance (limited to 130,000-160,000 rubles ($2,500-$3,000 USD)). The database that contained customer data of HFC Bank consisted of 24,4000 records that consisted of addresses, credit limit, names, passport details, and phone numbers. <a href="https://forum.anomali.com/t/personal-information-of-nearly-900-000-banking-customer-of-three-major-russian-banks-leaked-online/3905" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&CK] Exfiltration Over Command and Control Channel (T1041)</a> | <a href="https://ui.threatstream.com/ttp/947259">[MITRE ATT&CK] Data Encoding (T1132)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&CK] PowerShell (T1086)</a> | <a href="https://ui.threatstream.com/ttp/947211">[MITRE ATT&CK] Registry Run Keys / Start Folder (T1060)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&CK] System Information Discovery (T1082)</a><a href="http://blog.morphisec.com/security-alert-fin8-is-back" target="_blank">Security Alert: FIN8 is Back in Business, Targeting The Hospitality Industry</a> (June 10, 2019) The financially-motivated threat group, “FIN8,” has been found to have implemented a new variant of the “ShellTea” (PunchPuggy) backdoor, according to Morphisec researchers. FIN8 was observed utilizing this Point-of-Sale (POS) malware while targeting an unnamed company in the hotel-entertainment industry. While the infection vector is unknown for this instance, it is believed that it was delivered via phishing emails. ShellTea is a sophisticated piece of malware that creates a registry entry for persistence, hashes its functions to evade analysis, utilizes a fileless dropper, and has virtual environment and sandbox detection. The malware will collect system information and will receive commands from a Command and Control (C2) server for additional malicious activity. <a href="https://forum.anomali.com/t/security-alert-fin8-is-back-in-business-targeting-the-hospitality-industry/3906" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947164">[MITRE ATT&CK] File Deletion (T1107)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&CK] PowerShell (T1086)</a> | <a href="https://ui.threatstream.com/ttp/947166">[MITRE ATT&CK] Modify Registry (T1112)</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&CK] System Information Discovery (T1082)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/" target="_blank">MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools </a> (June 10, 2019) Trend Micro researchers have identified an unspecified number of malicious campaigns believed to be conducted by the Advanced Persistent Threat (APT) group, “MuddyWater.” One of the campaigns was found to consist of spearphishing emails being distributed “to a university in Jordan and the Turkish government.” The emails were distributed from authentic accounts that were compromised by the group to increase the chances that a recipient would open the attached Microsoft Word document. Researchers found that the objective of the email was to convince recipients to open the attachment that contains an embedded macro that, if enabled, will begin the infection process for a new backdoor dubbed “POWERSTATS v3.” <a href="https://forum.anomali.com/t/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/3907" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947259">[MITRE ATT&CK] Data Encoding (T1132)</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&CK] Obfuscated Files or Information (T1027)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&CK] PowerShell (T1086)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&CK] System Information Discovery (T1082)</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&CK] User Execution (T1204)</a><a href="https://thehackernews.com/2019/06/linux-vim-vulnerability.html" target="_blank">Your Linux Can Get Hacked Just by Opening a File in Vim or Neovim Editor </a> (June 10, 2019) Security researcher Armin Razmjou has discovered a vulnerability in Vim and Neovim, two preinstalled Linux command-line text editors. While Vim uses sandbox protection, and limited allowed options in modelines, using the “:source!” command can bypass the sandbox. This leaves the potential for an attacker to send a malicious file to a victim while secretly executing commands. The maintainers of Vim and Neovim have released patches for the vulnerabilities. <a href="https://forum.anomali.com/t/your-linux-can-get-hacked-just-by-opening-a-file-in-vim-or-neovim-editor/3908" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&CK] Remote Access Tools (T1219)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/1260045">[MITRE PRE-ATT&CK] Upload, install, and configure software/tools (PRE-T1139)</a><h2>Observed Threats</h2>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. <a href="https://www.anomali.com/products" target="_blank">Click here to request a trial.</a><a href="https://ui.threatstream.com/actor/14723" target="_blank">MuddyWater</a> MuddyWater is an espionage-focused Iranian group that targets a variety of sectors to conduct reconnaissance and steal information for military, security, and diplomatic reasons. When the group was initially observed, they engaged in financially-motivated activity prior to cyber espionage-oriented activity.