The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Turla, Data leak, NSO, CVE, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Tracking Turla: New backdoor delivered via Armenian watering holes (published: March 12, 2020)
Recommendation: Security and system/IT administrators must practice due diligence in protecting their websites and web-based applications from threats that can undermine their security and hijack them to do the attackers' bidding by delivering malware to their visitors. Malicious web injections, for instance, leverage exploits that enable attackers to gain a foothold on the system. An organization's best defense is to regularly apply the latest patches, as well as routinely scan and examine traffic that passes through the enterprise network, which enables prompt incident response and remediation. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Network Connections Discovery - T1049 | [MITRE MOBILE-ATT&CK] Process Discovery - T1424 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Standard Cryptographic Protocol - T1032 | [MITRE ATT&CK] Commonly Used Port - T1043 | [MITRE ATT&CK] Uncommonly Used Port - T1065 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048
Tags: Turla, Russia, Armenia, APT, Embassy
New CoronaVirus Ransomware Acts as Cover for Kpot Infostealer (published: March 12, 2020)
Recommendation: More often than not, infections take place via phishing emails, but in this case the victims are being duped by a fake website fraudulently spoofing a legitimate system maintenance service. Organisations should take care to educate their employees on the risks of downloading software from unknown and unverified sites. Malware is also commonly delivered via email, so employees should be trained to be on high alert while reading email, particularly when a message has attachments, attempts to redirect to a URL, carries an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. Additionally, it is important to have a comprehensive and tested backup solution in place for the unfortunate case of a ransomware infection.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Coronavirus, Ransomware, Kpot, Infostealer, Phishing
Israeli spyware company accused of WhatsApp hack: Facebook lied in lawsuit (published: March 11, 2020)
Recommendation: Governments should exercise caution before using malware-as-a-service offerings. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Link - T1192 | [MITRE ATT&CK] Spearphishing via Service - T1194
Tags: Facebook, WhatsApp, Pegasus malware, Lawsuit, NSO, Israel
Flaw in popular VPN service may have exposed customer data (published: March 11, 2020)
Recommendation: Update NordVPN if you haven't already. It is important that your company has patch-maintenance policies in place, particularly when there are Bring Your Own Device (BYOD) policies in use. Once a vulnerability has been reported on in open sources, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190
Tags: NordVPN, dakitu, patch, bug
Microsoft Disrupts Necurs Botnet (published: March 10, 2020)
Recommendation: Microsoft and partners have successfully helped to mitigate a substantial threat from one of the largest botnets, which has infected victims around the world. The algorithm has served a fantastic purpose. The difficulty in reflecting on this success lies in the weakness of relying on algorithms to detect and prevent harm: the underlying patterns for domain creation that Necurs is using may be changed to create a new wave of infrastructure for future infections. The same mechanisms that led to this algorithm can hopefully be replicated to deter such changes. This disruption is nonetheless likely to dramatically decrease the ongoing number of victims, even if the criminals make efforts to adapt. If the botnet is permanently disrupted, the criminal activity is likely to migrate to other available botnets and services. Botnet malware takes advantage of internet-connected devices which have been misconfigured or do not have security updates applied. Any device that connects to the internet must be treated as a security liability, and default usernames and passwords must be disabled. In addition, changing default port configurations can assist in preventing malware that scans for such configurations. Organizations and defenders should be aware of all their internet-facing assets and have them under strict monitoring.
Tags: Necurs, Microsoft, Banking malware, DDoS, Algorithm
Microsoft Leaks Info on Wormable Windows SMBv3 CVE-2020-0796 Flaw (published: March 10, 2020)
Recommendation: Zero-day based attacks can sometimes be detected by less conventional methods, such as behavior analysis, and heuristic and machine learning based detection systems. Threat actors are often observed to use vulnerabilities even after they have been patched by the affected company. Therefore, it is crucial that policies are in place to ensure that all employees install patches as soon as they are made available.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Data Compressed - T1002
Tags: CVE-2020-0796, Microsoft, SMBv3
Cyber Command was worried that WikiLeaks dump would burn Operation Aurora intel, document shows (published: March 9, 2020)
Recommendation: The concern highlighted in this report should not be shocking to anybody in the industry. There is a legitimate requirement to keep information like this confidential in order to track and mitigate future activity or harm. On the other hand, the disclosure of the information has not prevented an enormous effort from the Chinese, among other cyber-offensively capable adversaries, to continue conducting attacks. China has been the most reported country in cyber intelligence, not least because some of its activities have displayed poor operational security. The disclosures have therefore not stopped creative threat intelligence professionals from hunting this activity down. Defense-in-depth is the best way to ensure safety from APTs. Defense-in-depth involves the layering of defence mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help staff detect phishing emails) and robust threat intelligence capabilities.
Tags: WikiLeaks, Operation Aurora, U.S. Cyber Command
European power grid organization says its IT network was hacked (published: March 9, 2020)
Recommendation: Infiltrating an organisation like ENTSO-E can lay the groundwork for lateral movement to further compromise individual electricity providers, as Joe Slowik, adversary hunter at industrial cybersecurity company Dragos, points out in the CyberScoop blog. As the report points out, there are 42 European grids across 35 European countries that could be the ultimate target. There has been no attribution made, so the motivation is unknown. Because the attack has been called an "intrusion", and the systems don't appear to have suffered from ransomware (for example), the attack may be part of an APT espionage campaign. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts.
Tags: EU, ENTSO-E, Electricity, Utilities, Espionage
Virgin Media data leak exposes details of almost 1 million people (published: March 9, 2020)
Recommendation: Despite efforts to secure an enterprise environment, a single human error (such as a misconfigured database) can lead to organisational exposure. Data breaches such as this one serve to remind businesses that cyber security is a constant effort of monitoring, detecting, securing, preventing and responding to threats. Organisations should regularly review and audit their security controls to detect and remediate accidental as well as malicious risk, especially where personally identifiable information (PII) is concerned. Any storage of customer data should be checked for the confidentiality, availability and integrity of that data.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190
Tags: Virgin Media, Data Leak
Additional information regarding the threats discussed in this week's Weekly Threat Briefing can be found below:
The Advanced Persistent Threat (APT) group “Turla” is believed to be a Russian based group that has been active since at least 2007. Turla conducts cyber espionage against government entities around the world. The group is connected to the “Epic” cyber espionage campaign that targets government agencies around the globe, and is also connected to the Agent.btz worm that infected the network of the U.S. Department of Justice in 2008.
Topics: Anomali Cyber Watch