May 20, 2019
Anomali Threat Research

Weekly Threat Briefing: Slack Bug Allows Remote File Hijacking, Malware Injection

<div id="weekly"><p id="intro">The intelligence in this week’s iteration discuss the following threats: <strong>Data theft, Banking malware, Magecart, RCE, Threat group, targeted attacks, Website compromise</strong>, and <strong>Vulnerabilities</strong>. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><p><a href="" target="_blank"><b>Slack Bug Allows Remote File Hijacking, Malware Injection</b></a> (<i>May 20, 2019</i>)<br /> Tenable researcher David Wells discovered a vulnerability in the collaboration software, “Slack Desktop” client for Windows. The vulnerability is located in Slack Desktop version 3.3.7 and could be exploited by a threat actor by posting a custom hyperlink into a Slack channel or direct message that “changes the document download location path when clicked.” Threat actors could use this tactic to direct users to actor-controlled SMB servers, or to distribute malicious documents. Slack states that it has over 10 million daily users which makes it a potentially lucrative target from the perspective of a threat actor.<br /> <a href="" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="">[MITRE ATT&CK] User Execution (T1204)</a></p><p><a href="" target="_blank"><b>Over 12,000 MongoDB Databases Deleted by Unistellar Attacks</b></a> (<i>May 17, 2019</i>)<br /> Researchers have identified a campaign targeting publicly-accessible “MongoDB” databases and deleting their contents. The threat actor(s) behind this campaign, called “Unistellar,” is not demanding a ransom to give back the deleted data, as other campaigns targeting MongoDB have been observed to do, and instead provides an email address to communicate with. Researchers estimate that approximately 12,000 misconfigured MongoDB databases have been deleted over the past three weeks. At the time of this writing, it is unknown if affected database administrators have been paying Unistellar to restore database contents.<br /> <a href="" target="_blank">Click here for Anomali recommendation</a></p><p><a href="" target="_blank"><b>Feds Charge "GozNym" Members for 2015-2016 Cyber Heists</b></a> (<i>May 16, 2019</i>)<br /> Law enforcement agencies in the United States and Europe have formally charged 11 men for their involvement in the “GozNym” malware heists carried out between October 2015 and December 2016. GozNym, an international cybercriminal malware network, is suspected of stealing $100 million from approximately 41,000 victims utilizing the stealthy GozNym banking trojan. According to the indictment, the defendants advertised their specialized technical skills and services on online criminal forums to provide “cybercrime as a service.” The GozNym malware gets its name because it combined both stealth and power with the Nymaim malware strain and the Gozi banking trojan. The five Russian nationals charged in the case remain at large, and The Justice Department is working with authorities in Georgia, Ukraine, and Moldova to build prosecutions against defendants in those countries.<br /> <a href="" target="_blank">Click here for Anomali recommendation</a></p><p><a href="" target="_blank"><b>Compromised by Magecart: Forbes Magazine Subscription</b></a> (<i>May 16, 2019</i>)<br /> The “Forbes” media company has confirmed that it’s website was compromised by the financially-motivated threat actors referred to by the umbrella term, “Magecart.”. The Forbes magazine subscription website was infected with malicious code designed to siphon credit card information while users attempted to sign up for Forbes paper edition. The information gathered includes: addresses, CVV/CVC security numbers, expiration dates, names, payment card numbers, and phone numbers of users attempting to subscribe. Attackers planted their malicious code on a third-party website with a name related to a legitimate website icon service. This may have been done in an attempt to fool someone examining the source code of Forbes magazine’s website. Fortunately, the domain hosting the malicious code was taken down quickly, neutralizing the attack. A spokesperson for the company stated that it was not aware of any credit card information stolen by the criminals, although an investigation is currently taking place.<br /> <a href="" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="">[MITRE ATT&CK] Template Injection (T1221)</a></p><p><a href="" target="_blank"><b>Microsoft Tech Support Scams Moving Towards Azure Cloud Services for Deployment</b></a> (<i>May 16, 2019</i>)<br /> Security researchers have found tech support scams in the wild that are themed around the Microsoft Azure cloud platform for ease of deployment and inexpensive web hosting. The Microsoft Azure feature “App Services” allows quick, mass deployable web sites in the cloud. One of the advantages of using Azure to host your site is that every web site is secured using an SSL certificate from Microsoft. This can make some users think that they are on a legitimate site owned and operated by Microsoft. This apparent legitimacy helps to further the success of the scams, pretending to be support sites for Microsoft, insisting the computer is infected with spyware or a virus. Once reported, links can stay active for 4-5 days before shutdown, giving threat actors time to create new Azure accounts and mass deploy another batch of websites to display scams. In addition to tech support scams, phishing sites are also moving to Azure cloud services to take advantage of Microsoft SSL certificates. Scammers are also utilizing Azure Blob Storage to store their phishing scams.<br /> <a href="" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="">[MITRE ATT&CK] User Execution (T1204)</a></p><p><a href="" target="_blank"><b>Adobe May Patch Update Resolves Security Issues in Flash, Acrobat, and Reader</b></a> (<i>May 15, 2019</i>)<br /> Adobe resolved 84 critical or important vulnerabilities in its’ May patch update, the largest of which were related to “Adobe Acrobat” and “Reader DC” on Windows and Mac machines. The patch update has resolved severe security issues which may lead to information disclosure or arbitrary code execution. 36 bugs were repaired in Acrobat and Reader specific to out-of-bounds read problems which could be exploited to leak information. One critical update to Flash is a use-after-free problem that can be abused in order to perform arbitrary code execution in the context of the current user. Two updates were also included for Adobe Media Encoder, as well as six out-of-bounds write problems, a type confusion error, two heap overflow bugs, a buffer error, a double free issue, one security bypass, and 36 use-after-free vulnerabilities. It is recommended that users allow automatic updates and bring their software builds up to the latest version available to mitigate the risk of exploit.<br /> <a href="" target="_blank">Click here for Anomali recommendation</a></p><p><a href="" target="_blank"><b>Critical Remote "Wormable" Windows Vulnerability</b></a> (<i>May 15, 2019</i>)<br /> Microsoft has issued a patch for vulnerability CVE-2019-0708, a vulnerability in its Remote Desktop Services that can be remotely exploited via RDP, without authentication. An attacker who successfully exploits this vulnerability could execute arbitrary code on the target system, and then install programs, change data, and even create new accounts with full user rights.<br /> <a href="" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="">[MITRE ATT&CK] Remote Desktop Protocol (T1076)</a></p><p><a href="" target="_blank"><b>Over 25,000 Linksys Smart Wi-Fi Routers Believed Vulnerable to Remote Exploit</b></a> (<i>May 14, 2019</i>)<br /> As part of Microsoft’s most recent Patch Tuesday, fixes are included for versions of Windows 7 and Windows 2008, and have also been made available for versions of Windows XP and Windows 2003. The flaw is considered ‘wormable’, meaning that it has the potential to be used in malware that spreads by itself across and between networks. Since Windows XP and 2003 entered the end-of-life period five years ago, Microsoft stated that, “Given the potential impact to customers and their businesses, we made the decision to make security updates available for platforms that are no longer in mainstream support … We recommend that customers running one of these operating systems download and install the update as soon as possible.”<br /> <a href="" target="_blank">Click here for Anomali recommendation</a></p><p><a href="" target="_blank"><b>Cisco Vulnerability: Exposes Enterprise Routers to Remote Hacking</b></a> (<i>May 14, 2019</i>)<br /> Two vulnerabilities have been discovered in Cisco’s most popular enterprise routers. The vulnerability can be exploited by actor to remotely control Cisco’s enterprise 1001-X kit, can be exploited by the two interoperating vulnerabilities. The first vulnerability is in Cisco’s IOS XE operating system, allowing hackers to gain root access to a device remotely, and the second vulnerability, called “Thrangrycat,” allows actors to bypass Cisco’s Trust Anchor module (TAm) via Field Programmable Gate Array (FPGA) bitstream manipulation. The TAm is a core security provision in nearly every Cisco product, and attackers can quietly assume control of a device and into a network, while the device continues to report itself as “trustworthy.” Red Balloon Security provided a summary report on the vulnerabilities, and stated that “since the flaws reside within the hardware design, it is unlikely that any software patch will fully resolve the fundamental security vulnerability.” Cisco is currently working on a software fix for all the affected products and of those that are vulnerable, some have estimated patch dates as far away as October 2019. According to Cisco, customers will in most cases have to perform a physical, on-prem repair when the relevant patch is released.<br /> <a href="" target="_blank">Click here for Anomali recommendation</a></p><p><a href="" target="_blank"><b>Cybercrime: Groups Behind “Banload” Banking Malware Implement New Techniques</b></a> (<i>May 13, 2019</i>)<br /> The threat group behind the “Banload” banking malware, which is believed to be based in Brazil, have been found to have added some new features to their malware, according to SentinelOne researchers and security researcher(s) “MalwareHunterTeam.” The new feature is a driver component called “FileDelete” that is used to locate and subsequently remove drives and executables associated to antivirus and “banking protection” programs. Once Banload is installed on a machine, it uses the “Golang” loader which uses PowerShell to install the FileDelete driver to the local directory. FileDelete is capable of removing packages belonging to multiple security products such as: Avast, AVG, Rapport, Trusteer, and the Bradesco software “scpbrad.” The threat actors attempt to conceal their malicious activity by digitally signing FileDelete with a “Thawte Code Signing Certificate” to make the malicious activity appear legitimate.<br /> <a href="" target="_blank">Click here for Anomali recommendation</a><br /> <b>MITRE ATT&CK: </b> <a href="">[MITRE ATT&CK] File Deletion (T1107)</a> | <a href="">[MITRE ATT&CK] PowerShell (T1086)</a> | <a href="">[MITRE ATT&CK] Security Software Discovery (T1063)</a> | <a href="">[MITRE ATT&CK] Code Signing (T1116)</a></p><p><a href="" target="_blank"><b>WhatsApp Flaw Helped Send Spyware With a Voice Call</b></a> (<i>May 13, 2019</i>)<br /> The Facebook-owned messaging application, “WhatsApp,” has confirmed that it was affected by a vulnerability that affects Android, iOS, and Windows phone operating systems. The vulnerability was identified after compromised parties informed WhatsApp that spyware, believed to be created by the Israeli firm “NSO Group,” was found their phones. Threat actors could exploit the vulnerability residing in the Voice Over IP (VOIP) function by sending custom-created packets to manipulate WhatsApp’s memory to allow for remote code execution.<br /> <a href="" target="_blank">Click here for Anomali recommendation</a></p></div><div id="observed-threats"><h2 id="observedthreats">Observed Threats</h2></div><div id="threat_model"><p>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. <a href="" target="_blank">Click here to request a trial</a>. </p><div id="threat_model_tipreport"><div><a href="" target="_blank">MageCart Timeline of Malicious Activity</a><p>MageCart is a particularly interesting threat group because of the sheer amount of sites, approximately 100,000, they have either compromised or successfully skimmed card credentials from since being first identified in 2015. The name MageCart refers to multiple groups, according to RiskIQ. It appears that MageCart is a collective term used to track payment information-stealing activity from at least 12 separate groups. Researchers also point out that Group 9 was interfering Group 3’s skimmer by manipulating the last credit or debit card number, which appears to indicate that MageCart is indeed an umbrella term used to track malicious activity. It may be difficult for individuals to determine separate groups because some of the groups use similar and common data-stealing methods, however, RiskIQ does note their methodology in their joint paper with Flashpoint on how they identify the different groups.</p></div></div></div></div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.