Weekly Threat Briefing: Planet Hollywood Owner Suffers Major POS Data Breach

<div id="weekly">The intelligence in this weekís iteration discuss the following threats: Cryptocurrency, Data breach, Elfin, Emotet, Gustuff, Lazarus, Magento, Malware, Misconfigured databases, Ransomware, Trojans, and Vulnerabilities. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.<div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><a href="https://www.infosecurity-magazine.com/news/planet-hollywood-owner-major-pos-1/" target="_blank">Planet Hollywood Owner Suffers Major POS Data Breach</a> (April 1, 2019) Earl Enterprises, the parent company of several restaurants including Planet Hollywood and Buca di Beppo, announced that they have suffered a data breach. The company stated that their Point-of-Sales system was affected and that customer payment card data was breached for over 10 months between May 23, 2018, and March 18, 2019. Allegedly, online orders and transactions conducted via third-party applications or platforms were not affected. At the time of this writing, it is unclear how many customers have been affected, but it is suspected to be over two million. Many of the breached card credentials were discovered on the card forum, "Joker's Stash." <a href="https://forum.anomali.com/t/planet-hollywood-owner-suffers-major-pos-data-breach/3688" target="_blank">Click here for Anomali recommendation</a><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-distributed-ransomware-loader-for-nozelesn-found-via-managed-detection-and-response/" target="_blank">Emotet-Distributed Ransomware Loader for Nozelesn Found via Managed Detection and Response</a> (March 29, 2019) The banking trojan, "Emotet," has been observed distributing the "Nymaim" malware onto infected devices, according to researchers from Trend Micro. Emotet is distributed through phishing emails containing a malicious Word document that is downloaded via a web browser, in the observed instance, Google Chrome. Once opened, it will run a PowerShell script that ultimately downloads Emotet. It will then connect to the Command and Control (C2) server to obtain instructions to download more malware, specifically Nymaim, to execute on the system. <a href="https://forum.anomali.com/t/emotet-distributed-ransomware-loader-for-nozelesn-found-via-managed-detection-and-response/3689" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&CK] PowerShell (T1086)</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a><a href="https://thehackernews.com/2019/03/magento-website-security.html" target="_blank">Critical Magento SQL Injection Vulnerability Discovered ñ Patch Your Sites</a> (March 29, 2019) Magento released new versions of its content management software to address 37 security vulnerabilities in it. Most of the vulnerabilities could only be exploited by authenticated users, but one vulnerability could allow for a SQL injection by an unauthenticated remote threat actor. The vulnerability, labeled as "PRODSECBUG-2198" by Magento, could allow a threat actor to obtain sensitive information from databases of vulnerable e-commerce sites including administrative sessions and password hashes. The affected versions of Magento include Magento Open Source prior to 1.9.4.1, Magento Commerce prior to 1.14.4.1, Magento Commerce 2.1 prior to 2.1.17, Magento Commerce 2.2 prior to 2.2.8, and Magento Commerce 2.3 prior to 2.3.1. <a href="https://forum.anomali.com/t/critical-magento-sql-injection-vulnerability-discovered-patch-your-sites/3690" target="_blank">Click here for Anomali recommendation</a><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/desktop-mobile-phishing-campaign-targets-south-korean-websites-steals-credentials-via-watering-hole/" target="_blank">Desktop, Mobile Phishing Campaign Targets South Korean Websites, Steals Credentials Via Watering Hole</a> (March 28, 2019) Researchers from Trend Micro discovered a phishing campaign targeting South Korean websites via watering holes on those compromised sites. The campaign, dubbed "Soula," collects information from a spoofed login screen of a popular South Korean search engine to obtain credentials of a user. That information is sent to the threat actor's Command and Control (C2) server. At the time of the article's writing, it appears that the threat actors are just storing the data to gather information and research, likely before conducting a further campaign using the obtained information. <a href="https://forum.anomali.com/t/desktop-mobile-phishing-campaign-targets-south-korean-websites-steals-credentials-via-watering-hole/3691" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947263">[MITRE ATT&CK] Spearphishing via Service (T1194)</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&CK] Exfiltration Over Command and Control Channel (T1041)</a><a href="https://www.bleepingcomputer.com/news/security/unnam3d-ransomware-locks-files-in-protected-archives-demands-gift-cards/" target="_blank">UNNAM3D Ransomware Locks Files in Protected Archives, Demands Gift Cards</a> (March 28, 2019) BleepingComputer became aware of a new ransomware called "Unnam3d R@nsomware," that is encrypting a user's files into a password-protected RAR archive file and demands a $50 USD Amazon gift card code to decrypt the files. The ransomware is distributed via fake Adobe Flash Player update phishing emails, and once it gets onto a system it will begin moving files in the Documents, Pictures, and Desktop folders of a drive into individual RAR archives. A ransom note will pop up stating that a user needs to purchase an Amazon gift card code before receiving their files back. According to the unknown threat actors, they request the gift card code to then sell to other customers. <a href="https://forum.anomali.com/t/unnam3d-ransomware-locks-files-in-protected-archives-demands-gift-cards/3692" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&CK] Spearphishing Link (T1192)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a><a href="https://www.scmagazineuk.com/android-trojan-exploits-accessibility-services-disabled-autofill-forms/article/1580437" target="_blank">Android Trojan Exploits Accessibility Services for the Disabled to Autofill Forms</a> (March 28, 2019) A new Android trojan, "Gustuff," has been discovered by researchers from Group-IB that utilises a mobile phone's Accessibility Services to autofill banking applications amongst others. It is initially distributed via a text message with a link to a malicious Android Package file (APK) and if clicked, it installs the trojan and interacts with the user's Accessibility Services to communicate with other applications. The trojan targets banking applications, cryptocurrency, fintech, marketplaces, online stores, and payment systems such as PayPal and eBay. Gustuff can display fake notifications with the legitimate icons of an application that allows for either a fake pop-up window for the user to enter the requested personal or payment details, or the legitimate application opens and auto fills the payment field using Accessibility Services to make illicit transactions. Gustuff can also send information about the infected device to a Command and Control (C2) server, read and send text messages, send USSD requests, launch SOCKS5 Proxy, follow links, transfer files to the C2, and reset the device to factory settings. <a href="https://forum.anomali.com/t/android-trojan-exploits-accessibility-services-for-the-disabled-to-autofill-forms/3693" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/1260092">[MITRE MOBILE-ATT&CK] Malicious SMS Message (MOB-T1057)</a> | <a href="https://ui.threatstream.com/ttp/1260052">[MITRE MOBILE-ATT&CK] Access Contact List (MOB-T1035)</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&CK] Exfiltration Over Command and Control Channel (T1041)</a><a href="https://www.zdnet.com/article/cisco-bungled-rv320rv325-patches-routers-still-exposed-to-hacks/" target="_blank">Cisco Bungled RV320/RV325 Patches, Routers Still Exposed to Hacks</a> (March 28, 2019) Cisco recently released patches for two registered router vulnerabilities, "CVE-2019-1652" and "CVE-2019-1653," did not properly fix the vulnerabilities and can still allow threat actors to exploit them. The two vulnerabilities, which have been exploited in the wild, could allow an unauthorised remote actor to obtain sensitive router configuration information in models "RV320" and "RV325," as well as execute code without a password. The patch Cisco released only blacklisted "curl," a command-line tool for transferring data online, but still could allow an actor to use non-curl scanners and exploit tools to manipulate the vulnerabilities. The company has acknowledged the problem, but has yet to announce a timeline for the new patch. <a href="https://forum.anomali.com/t/cisco-bungled-rv320-rv325-patches-routers-still-exposed-to-hacks/3694" target="_blank">Click here for Anomali recommendation</a><a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank">Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.</a> (March 27, 2019) Researchers from Symantec observed the Iranian Advanced Persistent Threat (APT) group, "Elfin," (also known as APT33) to be exploiting a registered vulnerability (CVE-2018-20250) in "WinRAR" to attack various organisations. Elfin is known to target Middle Eastern countries, specifically Saudi Arabia, as well as the United States, and sectors such as chemical, consulting, engineering, finance, governmental, manufacturing, research, telecoms, and several others. The attack with the WinRAR vulnerability targeted Saudi Arabian chemical organisations through phishing emails that allowed remote code execution on the infected computer once opened. The APT group is known for utilising both custom and open-sourced malware tools, and was linked to the malware, "Shamoon." <a href="https://forum.anomali.com/t/elfin-relentless-espionage-group-targets-multiple-organizations-in-saudi-arabia-and-u-s/3695" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&CK] Remote Access Tools (T1219)</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&CK] User Execution (T1204)</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947121">[MITRE ATT&CK] Network Sniffing (T1040)</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&CK] System Information Discovery (T1082)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947127">[MITRE ATT&CK] Scheduled Task (T1053)</a> | <a href="https://ui.threatstream.com/ttp/947224">[MITRE ATT&CK] Exfiltration Over Alternative Protocol (T1048)</a><a href="https://www.zdnet.com/article/hackers-abuse-magento-paypal-integration-to-test-validity-of-stolen-credit-cards/" target="_blank">Hackers Abuse Magento PayPal Integration to Test Validity of Stolen Credit Cards</a> (March 27, 2019) Threat actors have been observed to be exploiting a feature in Magento-supported PayPal "Payflow Pro" integration that is used in online stores to test the validity of stolen payment card numbers. Threat actors test the cards by attempting numerous transactions of $0 USD to see if the transactions are approved. This has been exploited in the wild, and affects stores using the PayPal Payflow Pro integration in Magento versions 2.1.x and 2.2.x. <a href="https://forum.anomali.com/t/hackers-abuse-magento-paypal-integration-to-test-validity-of-stolen-credit-cards/3696" target="_blank">Click here for Anomali recommendation</a><a href="https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/" target="_blank">Cryptocurrency Businesses Still Being Targeted by Lazarus</a> (March 26, 2019) Researchers at Kaspersky Lab discovered a new phishing campaign conducted by Advanced Persistent Threat (APT) group, "Lazarus Group," that has been targeting South Korean cryptocurrency professionals. The phishing Korean Hangul Word Processor (HWP) document purported to be either a "Sample document for business plan evaluation of venture company" or a business overview from the Chinese technology consulting organisation, "LAFIZ." Both documents requested macros to be enabled to be viewed properly, and if allowed, would install malware on the user's machine. The malware is suited for both Windows operating systems and Mac operating systems. <a href="https://forum.anomali.com/t/cryptocurrency-businesses-still-being-targeted-by-lazarus/3697" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&CK] System Information Discovery (T1082)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&CK] PowerShell (T1086)</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&CK] User Execution (T1204)</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&CK] Exfiltration Over Command and Control Channel (T1041)</a><a href="https://nakedsecurity.sophos.com/2019/03/26/journalist-researchers-shut-down-record-spewing-location-tracking-database/" target="_blank">Family Tracking App Spilled Pics, Names and Real-time Location Data</a> (March 26, 2019) The geolocation tracking application, "Family Locator," was discovered to have an unsecured and unencrypted MongoDB database that could allow anyone to view all the data every registered member stored in the application. Sanyam Jain, a researcher for the GDI Foundation found that the database stored information including user's real-time location, email address, name, password, profile photo, as well as the name of the places that were geofenced according to their account which were all publicly accessible. 238,000 users were impacted by this. Microsoft, who hosted the database, took it offline after being notified. <a href="https://forum.anomali.com/t/family-tracking-app-spilled-pics-names-and-real-time-location-data/3698" target="_blank">Click here for Anomali recommendation</a><a href="https://www.helpnetsecurity.com/2019/03/26/apple-march-2018-security-updates/" target="_blank">Apple Fixed Some Interesting Bugs in iOS and macOS</a> (March 26, 2019) Apple has released security updates for several applications including iCloud, iTunes, iOS, macOS, Safari, tvOS, and Xcode. Over eleven different registered vulnerabilities were patched in this update. Registered vulnerability, "CVE-2018-4461," which allowed for kernel-level memory corruption, was fixed in the Xcode software. The new iOS 12.2 update fixed seven different registered vulnerabilities such as flaws that allowed for malicious applications/websites to access a device's microphone without indication (CVE-2019-8566 and CVE-2019-6222), two flaws that could allow a malicious application to obtain root privileges (CVE-2019-8565) or overwrite arbitrary files (CVE-2019-8521), a flaw in the GeoServices component (CVE-2019-8553) that could lead to arbitrary code execution, a vulnerability in Mail, (CVE-2019-7284) that could lead to signature spoofing, and a vulnerability in Safari (CVE-2019-8554) that would allow a website to access sensor information without user consent. This update patched over 14 different registered vulnerabilities in total. <a href="https://forum.anomali.com/t/apple-fixed-some-interesting-bugs-in-ios-and-macos/3699" target="_blank">Click here for Anomali recommendation</a><a href="https://www.bankinfosecurity.com/fema-exposed-23-million-disaster-victims-private-data-a-12236" target="_blank">FEMA Exposed 2.3 Million Disaster Victims' Private Data </a> (March 25, 2019) The US Federal Emergency Management Agency (FEMA) inadvertently shared 2.3 million records of disaster survivors' Personally Identifiable Information (PII) with an unnamed contractor, according to the Department of Homeland Security OIG report released on March 15, 2019. At the time of this writing, FEMA's Joint Assessment Team and the Office of the Chief Information Officer are currently auditing the contractor to assess if the data was further exposed. Thus far, FEMA's investigators have found that the contractor only held their network logs for 30 days of which investigators found no evidence of a breach. However, investigators did identify that the contractor's network contained 11 unspecified vulnerabilities of which four have been mitigated. The exposed records contained information such as: bank transit number, city name, electronic funds transfer number, financial institution name, street address, and zip code. Other information such as birth dates, names, and the last four digits of Social Security Numbers is data that FEMA is allowed to share with contractors. <a href="https://forum.anomali.com/t/fema-exposed-2-3-million-disaster-victims-private-data/3700" target="_blank">Click here for Anomali recommendation</a><a href="https://threatpost.com/grandstream-bugs-smbs-attacks/143141/" target="_blank">Bugs in Grandstream Gear Lay Open SMBs to Range of Attacks</a> (March 25, 2019) Several vulnerabilities have been discovered in various network products from Grandstream that could allow for remote code execution (RCE) by unauthorised users, the installation of malware, and eavesdropping on the devices. If a threat actor is able to compromise a device such as an IP PBX, conferencing gear, or an IP phone, via one of the vulnerabilities, they could then scan the device and the network it is on, install Remote Access Trojans (RATs), access the microphone or camera on said device, and spread within the network. This has the potential to be extremely dangerous for organisations, as an actor could use the vulnerabilities to spy on confidential company calls in boardrooms, record conversations in office rooms, take photos via the camera, and others. <a href="https://forum.anomali.com/t/bugs-in-grandstream-gear-lay-open-smbs-to-range-of-attacks/3701" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/1259990">[MITRE PRE-ATT&CK] Install and configure hardware, network, and systems (PRE-T1113)</a> | <a href="https://ui.threatstream.com/ttp/1260045">[MITRE PRE-ATT&CK] Upload, install, and configure software/tools (PRE-T1139)</a></div></div>