March 17, 2020
Anomali Threat Research

Weekly Threat Briefing: Russian APT, Microsoft SMB Vulnerability, Virgin Media Data Leak, and More

<div id="weekly"><p id="intro">The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics:<b> APT, Turla, Data leak, NSO, CVE, Phishing, </b> and <b> Vulnerabilities</b>. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.<br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p><div id="trending-threats"><h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>Tracking Turla: New backdoor delivered via Armenian watering holes</b></a></h3> <span>(published: March 12, 2020)</span></div> The Turla APT group, attributed to Russia, has been identified targeting the Armenian embassy. According to CyberScoop, the malware family is using new code. In this campaign Turla has been targeting think tanks and government websites, using watering-hole attacks to lure victims. Watering-hole attacks use sites that the target trusts but that have been compromised to infect visitors arriving from selected IP addresses. The attacks are likely conducted for espionage and political purposes.<br/> <b>Recommendation:</b> Security and system/IT administrators must practice due diligence in protecting their websites and web-based applications from threats that can undermine their security and hijack them to deliver malware to their visitors. Malicious web injections, for instance, leverage exploits that enable attackers to gain a foothold on the system. An organization’s best defense is to regularly apply the latest patches, as well as routinely scan and examine traffic that goes through the enterprise’s network, which enables prompt incident response and remediation. 
Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.<br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Drive-by Compromise - T1189</a> | <a href="">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="">[MITRE ATT&amp;CK] Scheduled Task - T1053</a> | <a href="">[MITRE ATT&amp;CK] System Network Connections Discovery - T1049</a> | <a href="">[MITRE MOBILE-ATT&amp;CK] Process Discovery - T1424</a> | <a href="">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="">[MITRE ATT&amp;CK] Standard Cryptographic Protocol - T1032</a> | <a href="">[MITRE ATT&amp;CK] Commonly Used Port - T1043</a> | <a href="">[MITRE ATT&amp;CK] Uncommonly Used Port - T1065</a> | <a href="">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a> | <a href="">[MITRE ATT&amp;CK] Exfiltration Over Alternative Protocol - T1048</a><br/> <b>Tags:</b> Turla, Russia, Armenia, APT, Embassy<p> </p><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>New CoronaVirus Ransomware Acts as Cover for Kpot Infostealer</b></a></h3> <span>(published: March 12, 2020)</span></div> A newly discovered ransomware called “CoronaVirus” is being distributed through a spoof website which purports to offer WiseCleaner; an optimization and utilities software. The victim is infected with two payloads; the CoronaVirus ransomware and Kpot infostealer. The site is distributing the file “WSHSetup.exe” which when executed acts as a downloader to CoronaVirus ransomware and Kpot infostealer. Kpot is downloaded as “file1.exe” and it attempts to steal cookies and login credentials. 
It can harvest login information from web browsers, messaging programs, VPNs, FTP clients, email accounts and gaming accounts such as Steam, among other services. CoronaVirus ransomware is downloaded as “file2.exe” and then encrypts all the files on the system. The file names are changed to the attacker's email address and the C: drive name is changed to “CoronaVirus”. A ransom note called CoronaVirus.txt demands 0.008 bitcoin (~$50) be sent to the following bitcoin address: bc1qkk6nwhsxvtp2akunhkke3tjcy2wv2zkk00xa3j. BleepingComputer's theory is that the ransomware is a distraction intended to keep the victim from realising that Kpot has stolen data.<br/> <b>Recommendation:</b> More often than not, infections take place through phishing emails, but in this case the victims are being duped by a fake website fraudulently spoofing a legitimate system maintenance service. Organisations should take care to educate their employees on the risks of downloading software from unknown and unverified sites. When malware is sent via email, employees should be trained to be on high alert while reading it, particularly when a message has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. 
Additionally, it is important to have a comprehensive and tested backup solution in place for the unfortunate case of ransomware infection.<br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> Coronavirus, Ransomware, Kpot, Infostealer, Phishing<p> </p><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>Israeli spyware company accused of WhatsApp hack: Facebook lied in lawsuit</b></a></h3> <span>(published: March 11, 2020)</span></div> According to Facebook, NSO has been spying on smartphone users through the widely used WhatsApp messaging application, and Facebook is now suing the company. NSO is an Israeli firm previously reported to sell malware to governments and law enforcement agencies. Facebook is seeking to have NSO barred from accessing or attempting to access WhatsApp and Facebook’s services, and is seeking unspecified damages.<br/> <b>Recommendation:</b> Governments should be cautious about using malware-as-a-service. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. 
Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts.<br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="">[MITRE ATT&amp;CK] Spearphishing via Service - T1194</a><br/> <b>Tags:</b> Facebook, WhatsApp, Pegasus malware, Lawsuit, NSO, Israel<p> </p><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>Flaw in popular VPN service may have exposed customer data</b></a></h3> <span>(published: March 11, 2020)</span></div> NordVPN has fixed a security flaw which exposed customer email addresses and other sensitive information. The flaw was reported through a popular bug bounty platform called HackerOne by a researcher called “dakitu” in February. The flaw is linked to the payment platforms Momo, Gocardless, and Coinpayments and was discovered in December 2019 and fixed within two days. The researcher dakitu received $1000 for the discovery.<br/> <b>Recommendation:</b> Update NordVPN if you haven't already. It is important that your company has patch-maintenance policies in place, particularly when there are Bring Your Own Device (BYOD) policies in use. Once a vulnerability has been reported on in open sources, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.<br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a><br/> <b>Tags:</b> NordVPN, dakitu, patch, bug<p> </p><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>Microsoft Disrupts Necurs Botnet</b></a></h3> <span>(published: March 10, 2020)</span></div> Microsoft has preempted future infrastructure for the Necurs botnet, and blocked related domains in an effort to thwart criminal activity. 
The effort included people from 35 countries, involving law enforcement, government and industry specialists. According to the blog post from Microsoft, the investigation’s algorithm detected over six million possible domains that would have been created over the next 25 months. Necurs was first seen in 2012 and is believed to be operated by criminals originating from Russia. Necurs has been seen dropping Dridex banking malware among other financially motivated malware and ransomware, and has a Distributed Denial of Service capability.<br/> <b>Recommendation:</b> Microsoft and partners have successfully helped to mitigate a substantial threat from one of the largest botnets infecting victims around the world. The algorithm has served a fantastic purpose. The difficulty in reflecting on this success lies in the weakness of relying on algorithms to detect and prevent harm. The underlying patterns for domain creation that Necurs uses may be changed to create a new wave of infrastructure for future infections. The same approach that produced this algorithm can hopefully be replicated to counter such changes. Even so, this disruption is likely to dramatically decrease the number of ongoing victims, even if the criminals make efforts to adapt. If the botnet is permanently disrupted, the criminal activity is likely to migrate to other available botnets and services. Botnet malware takes advantage of internet-connected devices which have been misconfigured or do not have security updates applied. Any device that connects to the internet must be treated as a security liability, and default usernames and passwords must be disabled. In addition, changing default port configurations can assist in preventing malware that scans for such configurations. 
Organizations and defenders should be aware of all their internet-facing assets and have them under strict monitoring.<br/> <b>Tags:</b> Necurs, Microsoft, Banking malware, DDoS, Algorithm<p> </p><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>Microsoft Leaks Info on Wormable Windows SMBv3 CVE-2020-0796 Flaw</b></a></h3> <span>(published: March 10, 2020)</span></div> Information has been leaked regarding a new vulnerability tracked as “CVE-2020-0796”. The vulnerability was found in the Server Message Block 3.0 (SMBv3) network communication protocol. According to the report by BleepingComputer, there has been no official communication regarding why the vulnerability was not disclosed as part of Patch Tuesday. The vulnerability allows remote, unauthenticated attackers to execute arbitrary code within the context of the application and can lead to a “wormable” attack. According to the report, people are likening the vulnerability to EternalBlue, NotPetya and WannaCry. Microsoft released an advisory on how to disable SMBv3 compression to protect systems from exploitation. SMBv3 compression can be disabled with the following PowerShell command: <code>Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force</code>. Microsoft released the KB4551762 security update for the vulnerability two days after the information was publicised.<br/> <b>Recommendation:</b> Zero-day based attacks can sometimes be detected by less conventional methods, such as behavior analysis, and heuristic and machine learning based detection systems. Threat actors are often observed to use vulnerabilities even after they have been patched by the affected company. 
Therefore, it is crucial that policies are in place to ensure that all employees install patches as soon as they are made available.<br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="">[MITRE ATT&amp;CK] Data Compressed - T1002</a><br/> <b>Tags:</b> CVE-2020-0796, Microsoft, SMBv3<p> </p><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>Cyber Command was worried that WikiLeaks dump would burn Operation Aurora intel, document shows</b></a></h3> <span>(published: March 9, 2020)</span></div> CyberScoop has received information through the Freedom of Information Act, from George Washington University’s National Security Archive, that reveals concerns within U.S. Cyber Command. The concerns were regarding the then recent WikiLeaks release of information to the public, and how it could give adversaries the upper hand. In particular, the U.S. Cyber Command’s tracking of the Chinese espionage activities attributed in Operation Aurora. The worry was that the adversary may attempt to change their tactics and make it more difficult to gather intelligence.<br/> <b>Recommendation:</b> The concern highlighted in this report should not be shocking to anybody in industry. There is a legitimate requirement to keep information like this confidential in order to track and mitigate future activity or harm. On the other hand, the disclosure of the information has not prevented an enormous effort from the Chinese, among other cyber-offensively capable adversaries, to continue conducting attacks. China has been the most reported country in cyber intelligence and not least because some of their activities have displayed poor operational security. The disclosures have therefore not stopped creative threat intelligence professionals from hunting this activity down. Defense-in-depth is the best way to ensure safety from APTs. Defense-in-Depth involves the layering of defence mechanisms. 
This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff, and robust threat intelligence capabilities.<br/> <b>Tags:</b> WikiLeaks, Operation Aurora, U.S. Cyber Command<p> </p><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>European power grid organization says its IT network was hacked</b></a></h3> <span>(published: March 9, 2020)</span></div> The European Network of Transmission System Operators for Electricity (ENTSO-E) has admitted that its network was compromised by a cyber attack. The intrusion did not impact any critical controls and was restricted to an office network. ENTSO-E oversees 42 grid operators across 35 European countries and serves as a coordinating mechanism for utilities delivering electricity to the EU.<br/> <b>Recommendation:</b> Infiltrating an organisation like ENTSO-E can lay the groundwork for lateral movement to further compromise individual electricity providers, as Joe Slowik, adversary hunter at industrial cybersecurity company Dragos, points out in the CyberScoop article. As the report points out, there are 42 European grids across 35 European countries that could be the ultimate target. There has been no attribution made, so the motivation is unknown. Because the attack has been called an “intrusion”, and the systems do not appear to have suffered from ransomware (for example), the attack may be part of an APT espionage campaign. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. 
Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts.<br/> <b>Tags:</b> EU, ENTSO-E, Electricity, Utilities, Espionage<p> </p><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>Virgin Media data leak exposes details of almost 1 million people</b></a></h3> <span>(published: March 9, 2020)</span></div> A data leak has been disclosed at Virgin Media exposing the personal information of approximately 900,000 people. The leak was due to a misconfigured database that was used for marketing purposes. Around 15% of the British company’s fixed-line customer base has been impacted. The exposed information includes contact details such as home addresses, email addresses and phone numbers.<br/> <b>Recommendation:</b> Despite efforts to secure an enterprise environment, a single human error (such as a misconfigured database) can lead to organisational exposure. Data breaches such as this one serve to remind businesses that cyber security is a constant effort: monitoring, detecting, securing, preventing and responding to threats. Organisations should regularly review and audit their security controls to detect and remediate accidental as well as malicious risk, especially where personally identifiable information (PII) is concerned. 
Any storage of customer data should be checked for confidentiality, availability and integrity of that data.<br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a><br/> <b>Tags:</b> Virgin Media, Data Leak<p> </p></div><div id="observed-threats"><h2 id="observedthreats">Observed Threats</h2></div><div id="threat_model"><p>Additional information regarding the threats discussed in this week's Weekly Threat Briefing can be found below:</p><div id="threat_model_actors"><div><a href="" target="_blank">Turla</a><p>The Advanced Persistent Threat (APT) group “Turla” is believed to be a Russian based group that has been active since at least 2007. Turla conducts cyber espionage against government entities around the world. The group is connected to the “Epic” cyber espionage campaign that targets government agencies around the globe, and is also connected to the Agent.btz worm that infected the network of the U.S. Department of Justice in 2008.</p></div></div></div></div>
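For the CVE-2020-0796 item above, a defender will want to confirm on each Windows host that either the KB4551762 update is installed or the advisory's DisableCompression workaround is in place. The following script is an added example written for this briefing; it is not code from Anomali or Microsoft. It reads the same registry value the quoted command sets and uses Get-HotFix to look for the KB named in the item; the function names and the -ApplyWorkaround switch are this example's own and are assumptions, not anything from the advisory.

```powershell
# Added example, not from the Anomali briefing or from Microsoft: audit one Windows host for
# the two CVE-2020-0796 remediations named in the SMBv3 item (the DisableCompression
# workaround and the KB4551762 update). Run in an elevated PowerShell session.
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-SmbCompressionDisabled {
    # $true only when DisableCompression exists and equals 1, which is what the workaround sets.
    $props = Get-ItemProperty -Path $LanmanParams -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.DisableCompression) { return $false }
    return ([int]$props.DisableCompression -eq 1)
}

function Test-Kb4551762Installed {
    # Get-HotFix returns nothing (with a suppressed non-terminating error) when the KB is absent.
    return [bool](Get-HotFix -Id 'KB4551762' -ErrorAction SilentlyContinue)
}

function Disable-SmbCompression {
    # The advisory workaround itself, the same command the briefing quotes.
    Set-ItemProperty -Path $LanmanParams -Name DisableCompression -Type DWORD -Value 1 -Force
}

function Get-Cve20200796Status {
    # -ApplyWorkaround is a hypothetical switch of this example: apply the registry workaround
    # only when the host is neither patched nor already mitigated.
    param([switch]$ApplyWorkaround)

    $patched   = Test-Kb4551762Installed
    $mitigated = Test-SmbCompressionDisabled

    if (-not $patched -and -not $mitigated -and $ApplyWorkaround) {
        Disable-SmbCompression
        $mitigated = Test-SmbCompressionDisabled
    }

    $action = if ($patched) { 'Patched: KB4551762 present' }
              elseif ($mitigated) { 'Workaround in place; still install KB4551762' }
              else { 'EXPOSED: apply workaround and install KB4551762' }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        KB4551762Installed  = $patched
        CompressionDisabled = $mitigated
        Action              = $action
    }
}

# Report only by default; add -ApplyWorkaround to set DisableCompression on an exposed host.
Get-Cve20200796Status
```

Run it as-is to get a one-row status object per host, or pipe the output from many hosts into Export-Csv for an inventory. The registry workaround only changes the server-side service (LanmanServer), so a host that reports "Workaround in place" still needs KB4551762 for its SMB client side; that is why the Action column keeps pointing at the update until Get-HotFix finds it.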
