March 10, 2020
Anomali Threat Research

Weekly Threat Briefing: PwndLocker Ransomware, Key Fob Cloning, Analyzing Trojans, U.S. Primary Election Interference, and More

<p>The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics:<b> Data breach, Phishing, Ransomware, Trojans, </b> and <b> Vulnerabilities</b>. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.<br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this briefing and provide a glimpse of the threats discussed.</b></p><div id="trending-threats"><h2>Trending Cyber News and Threat Intelligence</h2><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>APT Groups Attack Exchange Servers Via Patched Flaw</b></a></h3> <span>(published: March 9, 2020)</span></div> Threat researchers at Volexity have discovered in-the-wild exploitation of a Microsoft Exchange Control Panel (ECP) vulnerability, approximately two weeks after Microsoft released a patch for it. The ECP vulnerability (CVE-2020-0688) is a result of the “Exchange Server failing to properly create unique cryptographic keys at the time of installation,” according to Trend Micro’s Zero Day Initiative. Because every installation shares the same ASP.NET validation and decryption keys, an authenticated user can forge serialized ViewState that the ECP deserializes, yielding code execution on the server as SYSTEM.
The exploit therefore requires valid (typically compromised) credentials for a mailbox user, and Volexity has observed threat actors exploiting the vulnerability to conduct reconnaissance, deploy webshell backdoors, and execute in-memory post-exploitation frameworks, leading the researchers to believe that state-sponsored Advanced Persistent Threat (APT) groups may be behind the detected attacks.<br/> <a href="" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Brute Force - T1110</a> | <a href="">[MITRE ATT&amp;CK] Web Shell - T1100</a> | <a href="">[MITRE ATT&amp;CK] Process Injection - T1055</a><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>Encryption Flaws Leave Millions of Toyota, Kia, and Hyundai Cars Vulnerable to Key Cloning</b></a></h3> <span>(published: March 5, 2020)</span></div> A study published by the University of Birmingham and KU Leuven in Belgium claims that millions of cars with radio-enabled keys made by Toyota, Hyundai, and Kia may be vulnerable to RFID fob cloning. According to the research, a car thief within close proximity of a legitimate key fob could use an RFID reader to interrogate it. The vulnerable fob transmits enough information to determine its encryption key, which can then be used to clone the fob and defeat the immobilizer, the in-vehicle system that prevents the engine from starting unless a valid key is present. According to the researchers, the encryption keys used by the cars were easily discovered by reverse engineering the firmware.
According to Wired, Toyota and Hyundai have both issued statements describing the “low risk” posed by the configuration of older model vehicles and how they intend to stay ahead of threats.<br/> <a href="" target="_blank">Click here for Anomali recommendation</a><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>Dissecting Geost: Exposing the Anatomy of the Android Trojan Targeting Russian Banks</b></a></h3> <span>(published: March 5, 2020)</span></div> Researchers at Trend Micro have analyzed the Android Trojan “Geost,” following the release of their 2020 Security Predictions report, which highlighted the continued proliferation of mobile malware families. Geost was first identified in October 2019 targeting Russian banks, with more than 800,000 victims when first detected. According to Trend Micro, “The trojan employed several layers of obfuscation, encryption, reflection, and injection of non-functional code segments that made it more difficult to reverse engineer.” The Geost botnet consists of infected Android phones, which are recruited through fake banking and social network applications.
Once infected, the phones connect to the botnet and can be remotely controlled.<br/> <a href="" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE MOBILE-ATT&amp;CK] Access Sensitive Data or Credentials in Files - T1409</a> | <a href="">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="">[MITRE ATT&amp;CK] Data Obfuscation - T1001</a> | <a href="">[MITRE MOBILE-ATT&amp;CK] Standard Application Layer Protocol - T1437</a><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>Cruise Operator Carnival Corporation Discloses Cyber Attack</b></a></h3> <span>(published: March 5, 2020)</span></div> Holland America Line and Princess Cruises, two cruise lines belonging to Carnival Corporation, have revealed that, following an investigation, an unauthorized third party had access to Personally Identifiable Information (PII) and financial information of some guests and employees. Carnival Corp. stated that the cyber attack was identified in May 2019 and that actions were taken at that time to prevent further unauthorized access. At the time of this writing, the number of individuals that may be impacted by the breach is unknown. The unauthorized third party had access to credit card information, email addresses, names, and Social Security numbers of guests and employees.<br/> <a href="" target="_blank">Click here for Anomali recommendation</a><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>Cathay Pacific Airlines Fined Over Data Breach</b></a></h3> <span>(published: March 5, 2020)</span></div> International airline Cathay Pacific Airways has been fined £500,000 by the United Kingdom’s Information Commissioner’s Office (ICO) for failing to protect the personal data of 9.4 million customers between 2014 and 2018.
The ICO found that the airline lacked appropriate security controls, including unencrypted backups and administrative consoles reachable from the open internet, leading to millions of records being exposed. The data breach exposed addresses (both physical and email), birth dates, historical travel information, names, passport information, and phone numbers. The fine is the largest the ICO could impose, as the breach took place before the EU’s General Data Protection Regulation came into effect in May 2018 and was therefore handled under the Data Protection Act 1998.<br/> <a href="" target="_blank">Click here for Anomali recommendation</a><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>Casinos in Las Vegas Hit by Suspected Ransomware Attack</b></a></h3> <span>(published: March 3, 2020)</span></div> The Nevada Gaming Control Board is currently investigating a ransomware attack affecting two Las Vegas casinos. According to reports, the incident occurred at the Four Queens Hotel and Casino and Binion’s Casino on February 27, 2020, and impacts ATMs, credit card processing, hotel reservations, player loyalty programs, and slot machines within the casinos. Both casinos are owned by TLC Casino Enterprises, Inc., and are located on Fremont Street in Las Vegas. The casinos were open for business at the time of this writing, but both continue to experience technical issues with slot machines on the casino floors and with their websites, and at times accept cash only. It is unknown at this time whether a ransom has been paid to the actors behind the attack.<br/> <a href="" target="_blank">Click here for Anomali recommendation</a><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>Android Security: Google Patches a Dangerous Flaw in These Phones</b></a></h3> <span>(published: March 3, 2020)</span></div> Google has reported a severe vulnerability affecting Android devices built on MediaTek chipsets, which malicious apps have been exploiting since January 2020.
The vulnerability (CVE-2020-0069) is an Elevation of Privilege (EoP) flaw affecting MediaTek devices running Linux kernel versions 3.18, 4.4, 4.9, or 4.14 with Android versions 7, 8, or 9. The “MediaTek-su” exploit grants temporary root access in a shell, and several unnamed malicious apps (all since removed from the Google Play Store) have used it to collect files, location data, and screenshots from infected devices, as well as data from the Chrome, Facebook, Gmail, Outlook, Twitter, and WeChat applications. Google has released a fix in its most recent monthly Android security update.<br/> <a href="" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="">REVOKED - [MITRE ATT&amp;CK] File Permissions Modification - T1222</a> | <a href="">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="">[MITRE ATT&amp;CK] Automated Collection - T1119</a><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>U.S. Government Warns of Continuous Election Meddling Efforts</b></a></h3> <span>(published: March 3, 2020)</span></div> In preparation for the presidential primaries, multiple United States government agencies and departments issued a joint statement regarding foreign actors attempting to interfere with the election process. The statement reads that Americans should “...remain aware that foreign actors continue to try to influence public sentiment and shape voter perceptions.” It warns of foreign actors using social media to spread false information about candidates and processes, causing confusion and sowing doubt among voters. The agencies and departments are committed to working together to thwart any threat actors looking to undermine the democratic process in the 2020 elections.
The agencies and departments include the Department of State, Department of Defense, Department of Justice, Department of Homeland Security, Office of the Director of National Intelligence, Federal Bureau of Investigation, National Security Agency, and Cybersecurity and Infrastructure Security Agency, and they will be working closely with state and local governments throughout the election season.<br/> <a href="" target="_blank">Click here for Anomali recommendation</a><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>New PwndLocker Ransomware Targeting U.S. Cities, Enterprises</b></a></h3> <span>(published: March 2, 2020)</span></div> A new ransomware family has been found targeting businesses and local governments within the United States. Discovered in late December 2019, the ransomware, dubbed “PwndLocker” by its creators, attempts to disable Windows services using the ‘net stop’ command and terminates processes it detects, such as security software and backup applications, before encrypting files. BleepingComputer reports ransom demands ranging from $175,000 to $660,000 USD, payable in bitcoin for the decryptor. There is one publicly named victim, LaSalle County, Illinois, and as of the time of this writing it is not known whether any victims have paid a ransom.<br/> <a href="" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a> | <a href="">[MITRE ATT&amp;CK] Disabling Security Tools - T1089</a><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>French Firms Rocked by Kasbah Hacker?</b></a></h3> <span>(published: March 2, 2020)</span></div><p>A malware campaign targeting French critical infrastructure firms has been discovered by security researchers at HYAS.
The malware network was first uncovered in 2018 and was identified as a version of “njRAT,” a .NET-based Remote Access Trojan (RAT) commonly known for targeting victims in the Middle East. In a summary of their findings, HYAS researchers stated that “twelve sectors of critical importance across four key areas of responsibility” were targeted in the campaign, including an automobile manufacturer, an electrical power company, a French bank, a hospital system, multiple nuclear research facilities, postal and transportation systems, and a railway company. The researchers believe these entities were compromised in a coordinated phishing campaign specifically targeting French infrastructure firms, and that the campaign is likely controlled by a group of adversaries based in Morocco. HYAS notified French authorities and asked the dynamic Domain Name System (DNS) provider to “sinkhole” the malware network’s domains, redirecting any traffic to the researchers’ control server. According to the dynamic DNS provider, the email addresses used to register the malware network were associated with the domain of a legitimate business in Morocco, although at the time of this writing it is unclear whether any malicious activity is attributable to this business.<br/> <a href="" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a></p><p> </p></div>
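The CVE-2020-0688 story above describes exploitation that needs valid credentials and leaves webshells behind; the request itself is also visible in the Exchange server's IIS logs. The following Python is an added example, not code from Volexity, Microsoft or Anomali: it parses IIS W3C extended logs and flags requests to /ecp/ that carry __VIEWSTATE and __VIEWSTATEGENERATOR in the query string, the shape a forged-ViewState request takes. The log lines, host names, addresses and user names are constructed.

```python
"""Hunt IIS W3C logs for CVE-2020-0688-style requests to the Exchange Control Panel.

Added example (not Volexity's, Microsoft's or Anomali's code); the log lines,
hosts, addresses and user names are constructed. Exploitation sends a forged,
serialized __VIEWSTATE (plus __VIEWSTATEGENERATOR) in the query string of an
authenticated GET to /ecp/default.aspx. A legitimate ECP page carries ViewState
as a hidden form field in a POST body, so ViewState parameters in a GET query
string under /ecp/ are anomalous, and deserialization of the forged payload
normally leaves an HTTP 500 in the log whether or not the payload ran.
"""
from collections import Counter
from typing import Dict, Iterable, List
from urllib.parse import parse_qs

# Constructed sample in IIS W3C extended format; the #Fields header names the columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2020-03-02 14:03:11 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.test%2fowa%2f 443 - 198.51.100.23 Mozilla/5.0 200 0 0 120
2020-03-02 14:05:42 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=ABCDEF01&__VIEWSTATE=%2FwEyAAAAAAAAAAAAAAAA 443 EXAMPLE\\jdoe 198.51.100.23 python-requests/2.22.0 500 0 0 31
2020-03-02 14:06:01 10.0.0.5 POST /ecp/default.aspx - 443 EXAMPLE\\asmith 10.0.0.77 Mozilla/5.0 200 0 0 88
2020-03-02 14:07:19 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=ABCDEF01&__VIEWSTATE=%2FwEyBBBBBBBBBBBBBBBB 443 EXAMPLE\\jdoe 198.51.100.23 python-requests/2.22.0 500 0 0 27
2020-03-02 14:09:03 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=ABCDEF01&__VIEWSTATE=%2FwEyCCCCCCCCCCCCCCCC 443 - 203.0.113.9 curl/7.68.0 401 2 5 3
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Map each data line onto the column names declared by the #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the directive repeats when IIS rolls the log
            continue
        if line.startswith("#"):
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # no header yet, or a column count we cannot trust
        records.append(dict(zip(fields, values)))
    return records


def is_viewstate_in_query(rec: Dict[str, str]) -> bool:
    """True for an /ecp/ request whose query string carries ASP.NET ViewState."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "-")
    if not stem.startswith("/ecp/") or query == "-":
        return False
    names = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
    return "__viewstate" in names and "__viewstategenerator" in names


def find_suspicious_ecp_requests(log_text: str) -> List[Dict[str, object]]:
    """Return the flagged requests in log order with the fields an analyst triages."""
    hits: List[Dict[str, object]] = []
    for rec in parse_w3c(log_text.splitlines()):
        if is_viewstate_in_query(rec):
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec.get("c-ip"),
                "user": rec.get("cs-username"),
                # The exploit needs a valid account; "-" means the attempt never authenticated.
                "authenticated": rec.get("cs-username", "-") != "-",
                "status": rec.get("sc-status"),
                "user_agent": rec.get("cs(User-Agent)"),
            })
    return hits


def summarize_by_source(hits: List[Dict[str, object]]) -> Counter:
    """Repeated flagged requests from one client/account pair is the exploitation pattern."""
    return Counter((h["client"], h["user"]) for h in hits)


if __name__ == "__main__":
    found = find_suspicious_ecp_requests(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(summarize_by_source(found))
```

Point it at the exported W3C files from the Exchange server's IIS log directory (by default under %SystemDrive%\inetpub\logs\LogFiles). A 500 is logged whether or not the payload executed, so every authenticated hit warrants a hunt for webshells and new processes spawned by the IIS worker process, and a password reset for the account involved; unauthenticated hits (cs-username "-") show someone probing but, because the flaw needs valid credentials, are not by themselves evidence of compromise.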
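The PwndLocker story above notes that the ransomware runs ‘net stop’ against Windows services and terminates security and backup processes before encrypting. That staging is detectable in process-creation telemetry, and the following Python is an added example (not analysis code from BleepingComputer or Anomali) of how: it reads Sysmon-style Event ID 1 records exported as JSON lines and alerts when one host issues three or more distinct service or process kills within a minute. The events, host names, the parent image stage2.exe and the AcmeBackup names are constructed, and SENSITIVE_HINTS is an illustrative watch list, not anything the ransomware is known to target.

```python
"""Flag bursts of service- and process-termination commands typical of ransomware staging.

Added example, not PwndLocker analysis code from BleepingComputer or Anomali. The
events are constructed in the shape of Sysmon Event ID 1 (process creation) records
exported as JSON lines; host names, the parent image stage2.exe and the AcmeBackup
names are invented, and SENSITIVE_HINTS is an illustrative watch list to be tuned to
the backup and security products actually deployed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

SAMPLE_EVENTS = r"""
{"UtcTime": "2020-02-27 03:12:01", "Computer": "WS-FIN-07", "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net  stop \"VSS\" /y", "ParentImage": "C:\\Users\\Public\\stage2.exe"}
{"UtcTime": "2020-02-27 03:12:01", "Computer": "WS-FIN-07", "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net  stop \"SQLWriter\" /y", "ParentImage": "C:\\Users\\Public\\stage2.exe"}
{"UtcTime": "2020-02-27 03:12:02", "Computer": "WS-FIN-07", "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net  stop \"AcmeBackupSvc\" /y", "ParentImage": "C:\\Users\\Public\\stage2.exe"}
{"UtcTime": "2020-02-27 03:12:03", "Computer": "WS-FIN-07", "Image": "C:\\Windows\\System32\\taskkill.exe", "CommandLine": "taskkill /F /IM acmebackup.exe", "ParentImage": "C:\\Users\\Public\\stage2.exe"}
{"UtcTime": "2020-02-27 03:12:04", "Computer": "WS-FIN-07", "Image": "C:\\Windows\\System32\\taskkill.exe", "CommandLine": "taskkill /F /IM sqlservr.exe", "ParentImage": "C:\\Users\\Public\\stage2.exe"}
{"UtcTime": "2020-02-27 09:41:12", "Computer": "SRV-PRINT-01", "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net stop spooler", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"UtcTime": "2020-02-27 09:45:00", "Computer": "SRV-PRINT-01", "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net start spooler", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
"""

# "net stop <svc>" / "net1 stop <svc>" and "taskkill ... /IM <image>"; quotes are optional.
STOP_RE = re.compile(r'\bstop\s+"?([^"\s]+)', re.IGNORECASE)
TASKKILL_IM_RE = re.compile(r'/IM\s+"?([^"\s]+)', re.IGNORECASE)
SENSITIVE_HINTS = ("backup", "vss", "sql", "defend", "endpoint", "antivirus")  # illustrative


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_kill(ev: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Normalize a process-creation event into a kill record, or None if it is not one."""
    image = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    if image in ("net.exe", "net1.exe"):  # net.exe hands off to net1.exe; both may be logged
        match, kind = STOP_RE.search(cmd), "service"
    elif image == "taskkill.exe":
        match, kind = TASKKILL_IM_RE.search(cmd), "process"
    else:
        return None
    if not match:
        return None
    return {
        "time": datetime.fromisoformat(ev["UtcTime"]),  # also accepts Sysmon's .fff millis
        "kind": kind,
        "target": match.group(1).lower(),
        "parent": basename(ev.get("ParentImage", "")),
    }


def load_events(jsonl: str) -> List[Dict[str, str]]:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect_kill_bursts(events, window_seconds: int = 60, threshold: int = 3):
    """Alert when one host kills >= threshold distinct targets within window_seconds.

    Counting distinct targets (a set) makes net.exe/net1.exe double-logging harmless.
    """
    by_host: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for ev in events:
        kill = classify_kill(ev)
        if kill:
            by_host[ev["Computer"]].append(kill)
    alerts = []
    for host, kills in by_host.items():
        kills.sort(key=lambda k: k["time"])
        i = 0
        while i < len(kills):
            j = i
            while (j + 1 < len(kills)
                   and (kills[j + 1]["time"] - kills[i]["time"]).total_seconds() <= window_seconds):
                j += 1
            burst = kills[i:j + 1]
            targets = sorted({k["target"] for k in burst})
            if len(targets) >= threshold:
                alerts.append({
                    "host": host,
                    "start": kills[i]["time"].isoformat(sep=" "),
                    "targets": targets,
                    "sensitive_targets": [t for t in targets if any(h in t for h in SENSITIVE_HINTS)],
                    "parents": sorted({k["parent"] for k in burst}),
                })
                i = j + 1  # one alert per burst
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_kill_bursts(load_events(SAMPLE_EVENTS)):
        print(alert)
```

The burst count, not the service names, carries the detection: an administrator stopping one service from cmd.exe (the SRV-PRINT-01 events) stays below the threshold, while a staging binary in a user-writable path stopping several services and killing their processes in a few seconds trips it. The parent image in the alert is what to pivot on next, since the same parent typically goes on to delete shadow copies and start encryption.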
