Weekly Threat Briefing: Advanced Persistent Threat Activity Targeting Energy and Critical Infrastructure Sectors

The intelligence in this week’s iteration discuss the following threats: APT, Malspam, Malvertising, Malware, Phishing, Targeted attacks, Ransomware, and Underground markets. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.<h2>Trending Threats</h2><a href="https://blog.eset.ie/2017/10/23/osxproton-spreading-again-through-supply-chain-attack/" target="_blank">OSX/Proton Spreading Again Through Supply-Chain Attack</a> (October 23, 2017) ESET researchers discovered that the software development company "Eltima Software" was unknowingly distributing malware on its official website. The website was offering malicious versions of "Elmedia Player" and "Folx" software that contained the "OSX/Proton" backdoor. The OSX/Proton backdoor is capable of stealing various forms of information from an infected machine such as browser information, operating systems details, and SSH private data, among others. Recommendation: Researchers advise that any user who downloaded Elmedia Player or Folx software on October 19, before 3:15 p.m. EDT and ran it, is likely compromised. Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs. Tags: Compromised application, Backdoor, OSX/Proton<a href="https://www.us-cert.gov/ncas/alerts/TA17-293A" target="_blank">Advanced Persistent Threat Activity Targeting Energy and Critical Infrastructure Sectors</a> (October 20, 2017) The U.S. Computer Emergency Readiness Team (CERT) has issued a joint technical alert in collaboration with the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI). The alert discusses Advanced Persistent Threat (APT) group activity that is targeting energy and other critical infrastructure sectors. The threat actors are using open-source reconnaissance, spear phishing emails, watering-hole domains, host-based exploitation, and ongoing credential gathering. The alert points to Symantec's report regarding the APT group "Dragonfly" for additional information concerning this ongoing campaign. Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing, and how to identify such attempts. Tags: Technical Alert, APT, Targeted attacks<a href="https://myonlinesecurity.co.uk/malware-delivered-via-necurs-botnet-by-dde-feature-in-microsoft-word/" target="_blank">Malware Delivered via Necurs Botnet by DDE Feature in Microsoft Word</a> (October 19, 2017) The "Necurs" botnet is actively distributing malspam in attempts to infect recipients with "Locky" ransomware. The emails are randomly generated and purport to be an invoice. This campaign takes advantage of Microsoft's Dynamic Data Exchange (DDE) feature for its malicious documents to contact a C2 server to download the malware. The malicious documents require a user to enable macros to begin the infection process. Researchers state that this Locky version also appears to have wormlike capabilities to infect other users on the same network. Recommendation: All employees should be educated on the risks of malspam, and how to identify such attempts. Poor grammar and urgent content are often indicators of these type of attacks. Additionally, messages that request a recipient to open a file attachment should also be avoided. Tags: Malspam, Ransomware, Locky<a href="https://www.darkreading.com/attacks-breaches/new-locky-ransomware-strain-emerges-/d/d-id/1330168" target="_blank">New Locky Ransomware Strain Emerges</a> (October 19, 2017) A new "Locky" ransomware strain has been found infecting users in the wild. The strain was first found on October 11, and has been dubbed "asasin" because of the ".asisin" the ransomware appends to encrypted files. Interestingly, this Locky variant will gather system information in addition to traditional ransomware functionality. The asasin variant will gather information such as IP address and the infected machine's operating system. Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. In the unfortunate case a reproducible backup is not in place, make sure to check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals. Additionally, this augmented version may allow actors to gather intelligence on a targeted network, and potentially discovered machines which could demand a higher price for the decryption key. Tags: Ransomware, Locky-variant, asasin<a href="http://blog.trendmicro.com/trendlabs-security-intelligence/magnitude-exploit-kit-now-targeting-korea-with-magniber-ransomware/" target="_blank">Magnitude Exploit Kit Now Targeting South Korea With Magniber Ransomware</a> (October 18, 2017) Trend Micro researchers have identified that the "Magnitude" exploit kit is distributing a new ransomware called "Magniber." The threat actors behind this campaign are using malvertisements on actor-owned websites to target South Korean users with ransomware. Magniber will only fully execute if the installed language on the machine is identified to be Korean. Recommendation: Malvertising and exploit kits in general are being developed and improved constantly by cybercriminals, so keeping software updated with the latest security patches is critical for users and enterprises. This includes both the operating system and all applications being used. Make sure there is a security system in place that can proactively provide a comprehensive defense against attackers targeting new vulnerabilities. Furthermore, in the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections. Tags: Malvertising, Magnitude EK, Ransomware, Magniber<a href="https://www.wordfence.com/blog/2017/10/ssh-key-website-scans/" target="_blank">New Attacker Scanning for SSH Private Keys on Websites</a> (October 18, 2017) Threat actors are actively conducting scanning operations that with objecting of finding private SSH keys. Some researchers speculate that this sudden spike in scanning activity could be caused by a bug or perhaps a common operational mistake made by WordPress administrators. Actors are looking for SSH keys in web directories where such a key would be stored, such as "root," "ssh," or "id_rsa." This scanning activity is reported to have begun on October 16, 2017. Recommendation: Ensure that your company stores SSH keys in private locations, and do not copy a private key to the remote server that is being logged in to. SSH keys can also be protected with passwords for another layer of protections. Additionally, WordPress administrators should avoid storing their SSH keys in directories mentioned above to avoid these scanning attacks. Tags: Threat actor, SSH key, Scanning, Theft<a href="https://www.symantec.com/connect/blogs/android-malware-google-play-adds-devices-botnet-and-performs-ddos-attacks" target="_blank">Android Malware on Google Play Adds Devices to Botnet</a> (October 18, 2017) Symantec researchers discovered eight applications in the Google Play store that are infected with "Sockbot" malware. The applications, which are themed around the game "Minecraft," were downloaded between 600,000 to 2.6 million times. The malware appears to be primarily targeting Android users in U.S. Researchers believe that the malware could be used to launch Distributed Denial-of-Service (DDoS), and the flexible proxy topology could be used to exploit network vulnerabilities. Google has since removed the malicious applications. Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to review the permission the application will request and comments from others who have downloaded the application. Furthermore, it is paramount that mobile devices be kept up-to-date with the latest security patches and employ trusted antivirus software. Tags: Mobile, Android, Malware, Malicious applications<a href="http://blog.trendmicro.com/trendlabs-security-intelligence/new-malicious-macro-evasion-tactics-exposed-ursnif-spam-mail/" target="_blank">New Malicious Macro Evasion Tactics Exposed in URSNIF Spam</a> (October 18, 2017) A new malspam campaign is targeting users with "URSNIF" malware, according to Trend Micro researchers. In this campaign, the actors behind the URSNIF malware are using Microsoft Office file attachments with malicious macros to deliver the malware. The attachments are using the "AutoClose" feature will begin when a malspam recipient closes the attachment and run malicious a Powershell script to download and execute the malware. Recommendation: Always be cautious while reading email, in particular when it has attachments or comes with an urgent label or poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. Tags: Malspam, Malware, URSNIF<a href="https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.html" target="_blank">Opening Hacker's Door</a> (October 17, 2017) Cylance researchers have found that the Remote Access Trojan (RAT) called "Hacker's Door" has reappeared in active investigations after being dormant since 2004-2005. The RAT was signed with a stolen certificate that is known to be used by the Advanced Persistent Threat (APT) group "Winnti." The RAT is comprised of a backdoor and rootkit that, once installed, is capable of multiple remote commands including: downloading additional files, extracting Windows credentials from the current session, and gathering system information, among others. Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security. Prevention and detection capabilities should also be in place. Furthermore, ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity. The reappearance of this tool is evident of threat groups going back to previous malicious tools after a period of inactivity. Therefore, it is important to be aware of malicious tools used by threat groups because it can sometimes indicate which actor/group may be responsible for the attack. Tags: Malware, RAT, Hacker's Door, APT, Winnti<a href="https://securelist.com/atm-malware-is-being-sold-on-darknet-market/81871/" target="_blank">ATM Malware is Being Sold on Darknet Market</a> (October 17, 2017) Two strains of ATM malware have been identified to being offered for purchase on an underground forum for $5,000 USD, according to Kaspersky Lab researchers. The malware specifically targets a certain, unnamed vendor's ATM. The offer was discovered on "AlphaBay," and has since been removed by the Federal Bureau of Investigation, however, it is possible that the malware was purchased prior to being removed. The forum post explains what kind of ATM's are affected by the malware, and provides a manual that explains how to force an ATM to empty its cash. Recommendation: ATM security relies on the same type of preventative measures as all others, because they are a unique type of computer. In the case of a confirmed infection, the ATM must be taken offline until it can be completely wiped and restored to its original factory settings. An audit of the transactions performed on the ATM should occur along with a formal incident response investigation. Tags: ATM, Malware, Underground markets<a href="https://blog.eset.ie/2017/10/17/dangerous-ransomware-arriving-as-fraudulent-eir-bill-email/" target="_blank">Dangerous Ransomware Arriving as Fraudulent Eir Bill Email</a> (October 17, 2017) A new phishing has been discovered to be targeting customers of the Irish telecommunications company, "Eir," according to ESET researchers. The emails purport to be from Eir and claims that the recipient's bill is available and provides a link to view the fake invoice. If the link is clicked, it will download what appears to be a zipped file, but is actually an obfuscated JavaScript file. The zipped file will infect a user with the "Filecoder" ransomware if opened. Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. Additionally, it is important to have a comprehensive and tested backup solution in place for the unfortunate case of ransomware infection. Tags: Phishing, Ransomware<a href="https://threatpost.com/lenovo-quietly-patches-massive-bug-impacting-its-android-tablets-and-zuk-vibe-phones/128489/" target="_blank">Lenovo Quietly Patches Massive Bug Impacting Its Android Tablets and Zuk, Vibe Phones</a> (October 17, 2017) On October 5, 2017, Lenovo quietly issued four patches to address vulnerabilities that affect all of their Android tablets, Vibe and Zuk phones, as well as the Moto M and Moto E3 handsets. The vulnerabilities are tied to the "Lenovo Service Framework" (LSF). Successful exploitation could allow a threat actor to execute arbitrary code remotely. Recommendation: Your company should regularly check the software you use in everyday business practices to ensure that everything is always up-to-date with the latest security features. Using the automatic update feature is a good mediation step to ensure that your company is always using the most recent version. Tags: Vulnerabilities, Remote code execution<a href="https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/" target="_blank">BlackOasis APT and New Targeted Attacks Leveraging Zero-day Exploit</a> (October 16, 2017) Kaspersky Lab researchers have discovered that the Advanced Persistent Threat (APT) group, "BlackOasis," is leveraging a zero-day vulnerability (CVE-2017-11292) that affects Adobe Flash. BlackOasis exploited the vulnerability with malicious geopolitically-themed Word documents that contain an ActiveX object, which contains the Flash exploit. Opening of the Word document can lead to successful exploitation and result in the user being infected with "FinSpy" malware. Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing, and how to identify such attempts. Additionally, all employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments, in favor of a cloud file hosting service like Box or Dropbox. Tags: Targeted attacks, APT, BlackOasis<a href="https://baesystemsai.blogspot.co.uk/2017/10/taiwan-heist-lazarus-tools.html" target="_blank">Taiwan Heist: Lazarus Tools and Ransomware</a> (October 16, 2017) BAE researchers have published their findings regarding a cyber theft from a commercial firm in Taiwan of approximately $195,000 USD. The targeted firm, "Far Eastern International Bank" (FEIB) in Taiwan, had its network breached with malware that are known to be used by the Advanced Persistent Threat (APT) group called "Lazarus Group." Researchers believe that Lazarus Group may have used a rare ransomware family called "Hermes" to distract the IT staff of FEIB while the theft of funds was occurring. Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing, and how to identify such attempts. Tags: Breach, Theft, APT, Lazarus Group<h2>Observed Threats</h2>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. <a href="https://www.anomali.com/products/threatstream" target="_blank">Click here to request a trial.</a><a href="https://ui.threatstream.com/tip/7064" target="_blank">Locky Tool Tip</a> Locky is ransomware that is widely spread via phishing messages. Locky first appeared in early 2016. Locky is strongly correlated with the cyber criminal groups related to the dridex and necurs botnets. Multiple waves of Locky samples are distributed daily. The delivery mechanism has evolved over time. The delivery mechanism has been spam messages with executable attachments, MS Word document attachments using Macros to retrieve then execute Locky, and Zip files that extract JavaScript loaders that retrieve then execute Locky. Hosts compromised by Locky display a ransom-note with instructions on how to decrypt the encrypted files. Encrypted files are renamed .locky or .zepto. Tags: Locky, Ransomware