April 9, 2018
Anomali Threat Research

WTB: Cisco Protocol Abused by Nation State Hackers

<p>The intelligence in this week’s iteration discuss the following threats: <strong>APT</strong>, <strong>Botnet</strong>, <strong>Breach</strong>, <strong>Credit card theft</strong>, <strong>Cryptocurrency-miner</strong>, <strong>Data leak</strong>, <strong>Data theft</strong>, <strong>DDoS</strong>, <strong>Fake updates</strong>, <strong>Malicious extensions</strong>, <strong>Phishing</strong>, <strong>Spear phishing</strong>, <strong>Ransomware</strong>, <strong>Targeted attacks</strong>, and <strong>Vulnerabilities</strong>. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.</p><h2>Trending Threats</h2><p><a href="https://www.infosecurity-magazine.com/news/cisco-protocol-abused-by-kremlin/" target="_blank"><b>Cisco Protocol Abused by Nation State Hackers</b></a> (<i>April 9, 2018</i>)<br /> A “protocol misuse” flaw in Cisco’s “Smart Install Client” has been observed being abused by threat actors and Advanced Persistent Threat (APT) groups who are primarily targeting “the Russian-speaking segment of the internet.” Cisco addressed this issue in February 2017. The protocol misuse can be taken advantage of by threat actors because after installation of Smart Install, the feature remains enabled without security protocols. This can allow actors to modify Trivial File Transfer Protocol (TFTP) server settings, steal configuration files via TFTP, replace an IOS image, set up new accounts, and allows for executions of IOS commands.<br /> <a href="https://forum.anomali.com/t/cisco-protocol-abused-by-nation-state-hackers/2284" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://threatpost.com/impact-of-chat-service-breach-expands-to-best-buy-kmart/131062/" target="_blank"><b>Impact of Chat Service Breach Expands to Best Buy, Kmart</b></a> (<i>April 9, 2018</i>)<br /> The software service provider [24]7.ai, which provides online chat services, announced last week that its platform had been compromised in 2017. Specifically, the company said that the attacks took place between September 26, 2017 through October 12, 2017. The threat actors were able to use the access to [24]7.ai’s platform to steal payment card information from [24]7.ai client websites. At the time of this writing, Best Buy, Delta Airlines, Kmart, and Sears have announced that they have been impacted by the breach. Affected companies are working with federal law enforcement to discern how much of their client’s payment data was affected.<br /> <a href="https://forum.anomali.com/t/impact-of-chat-service-breach-expands-to-best-buy-kmart/2285" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bleepingcomputer.com/news/security/new-matrix-ransomware-variants-installed-via-hacked-remote-desktop-services/" target="_blank"><b>New Matrix Ransomware Variants Installed Via Hacked Remote Desktop Services</b></a> (<i>April 7, 2018</i>)<br /> The security researcher known as “MalwareHunterTeam” has discovered two new variants of the “Matrix” ransomware. One of the variants was found to be able to have debugging capabilities and using a cipher to wipe free space. Threat actors are distributing this ransomware via compromised Remote Desktop services. At the time of this writing, a decryptor for both Matrix variants is not available.<br /> <a href="https://forum.anomali.com/t/new-matrix-ransomware-variants-installed-via-hacked-remote-desktop-services/2286" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://go.recordedfuture.com/hubfs/reports/cta-2018-0405.pdf" target="_blank"><b>Mirai-Variant IoT Botnet Used to Target Financial Sector in January 2018</b></a> (<i>April 5, 2018</i>)<br /> A variant of the “Mirai” Distributed Denial-of-Service (DDoS) malware called “IoTroop” (Reaper) may be responsible for the DDoS attacks that targeted financial institutions between January 27 and January 28, 2018. IoTroop was first reported on in October 2017 and is capable of infecting multiple types of Internet-of-Things (IoT) devices such as CCTVs and televisions. Recorded Future researchers note that this malware can be updated easily because it was created with “a flexible Lua engine and scripts, which means that instead of being limited to static, pre-programmed attacks or previous exploits, its code can be easily updated on the fly, allowing massive in-place botnets to run new and more malicious attacks as soon as they become available.”<br /> <a href="https://forum.anomali.com/t/mirai-variant-iot-botnet-used-to-target-financial-sector-in-january-2018/2287" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://info.phishlabs.com/blog/silent-librarian-university-attacks-continue-unabated-in-days-following-indictment" target="_blank"><b>Silent Librarian University Attacks Continue Unabated in Days Following Indictment</b></a> (<i>April 5, 2018</i>)<br /> Following the indictment of nine Iranian threat actors on March for stealing significant amounts of data from business, governments, and universities around the globe, Phish Labs researchers have discovered that the information-theft campaign is still ongoing. The group responsible for the campaign, dubbed “Silent Librarian,” have been observed to have conducted 18 phishing attacks targeting 14 universities located in Australia, Canada, France, the U.K., and the U.S. Researchers note that the phishing campaigns have specifically targeted universities and organizations with robust research departments with a focus on technology and medicine.<br /> <a href="https://forum.anomali.com/t/silent-librarian-university-attacks-continue-unabated-in-days-following-indictment/2288" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.theregister.co.uk/2018/04/05/billions_files_exposed_aws_ftp_wide_open/" target="_blank"><b>1.5 BEEELLION Sensitive Files Found Exposed Online Dwarf Pana Papers Leak</b></a> (<i>April 5, 2018</i>)<br /> Threat Intelligence firm “Digital Shadows” detected over 1.5 billion publicly available files during the first months of 2018. The data was found to be exposed on multiple file storage systems including Amazon’s S3 buckets, File Transfer Protocol (FTP) servers, misconfigured websites, Network Attached Storage (NAT) drives, rsync, and Server Message Blocks (SMBs). The exposed data amounts to over 12 petabytes (12,000 terabytes) and consist of the following data: credit card information, intellectual property, medical records, payroll data, and tax returns.<br /> <a href="https://forum.anomali.com/t/1-5-beeellion-sensitive-files-found-exposed-online-dwarf-pana-papers-leak/2289" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.fireeye.com/blog/threat-research/2018/04/fake-software-update-abuses-netsupport-remote-access-tool.html" target="_blank"><b>Fake Software Update Abuses NetSupport Remote Access Tool</b></a> (<i>April 5, 2018</i>)<br /> FireEye researchers have discovered a new campaign that is distributing the “NetSupport Manager” Remote Access Tool (RAT) via compromised websites. NetSupport Manager is a legitimate RAT that can be used by system administrators for remotely accessing colleague and client machines, however, the tool can also be used by threat actors for malicious purposes. The infections vector for this campaign is accomplished by threat actors by first compromising a website, which in turn offers fake updates impersonating Adobe Flash, Chrome, and Firefox. If a user visits one of the websites, a malicious JavaScript file is downloaded, typically from a DropBox link. The Javascript retrieves and subsequently send basic system information to a C2 before downloading the NetSupport Manager payload.<br /> <a href="https://forum.anomali.com/t/fake-software-update-abuses-netsupport-remote-access-tool/2290" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/" target="_blank"><b>New MacOS Backdoor Linked to OceanLotus</b></a> (<i>April 4, 2018</i>)<br /> A new backdoor has been discovered and attributed to the Advanced Persistent Threat (APT) group OceanLotus (APT32, APT-C-00, SeaLotus, Cobalt Kitty), according to Trend Micro researchers. The backdoor, dubbed “OSX_OCEANLOTUS.D,” is distributed via a malicious Word document which itself is likely distributed via email. Once the document is opened, it requests the user to enable macros to “activate the compatibility mode for older version.”<br /> <a href="https://forum.anomali.com/t/new-macos-backdoor-linked-to-oceanlotus/2291" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://researchcenter.paloaltonetworks.com/2018/04/unit42-smoking-rarog-mining-trojan/" target="_blank"><b>Smoking Out the Rarog Cryptocurrency Mining Trojan</b></a> (<i>April 4, 2018</i>)<br /> Palo Alto Unit 42 researchers have published a report discussing a new cryptocurrency-mining trojan called “Rarog.” The trojan has been offered for purchase on various underground forums since June 2017, and at the time of this writing, can be purchased for approximately $104 USD. The malware is primarily used to mine “Monero” but is capable of mining other cryptocurrencies. In addition to mining, Rarog can also configure different processor loads, download Dynamic Link Libraries (DLLs), infect USB drives, and provide mining statistics.<br /> <a href="https://forum.anomali.com/t/smoking-out-the-rarog-cryptocurrency-mining-trojan/2292" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://threatpost.com/googles-april-android-security-bulletin-warns-of-9-critical-bugs/130936/" target="_blank"><b>Google’s April Android Security Bulletin Warns of 9 Critical Bugs</b></a> (<i>April 3, 2018</i>)<br /> Google has issued its April Security Bulletin in which 29 vulnerabilities were addressed. Overall, nine of the vulnerabilities were rated as critical, and 19 were rated as high. Google issued updates for four Remote Code Execution (RCE) vulnerabilities and one privilege escalation vulnerability.<br /> <a href="https://forum.anomali.com/t/google-s-april-android-security-bulletin-warns-of-9-critical-bugs/2293" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.malwarebytes.com/cybercrime/2018/04/malicious-gaming-extensions-a-childs-play-to-infection/" target="_blank"><b>Malicious Gaming Extensions: A Child’s Play to Infection</b></a> (<i>April 2, 2018</i>)<br /> A malicious web browser extension campaign themed around video games is infecting users with advertising malware (adware), according to Malwarebytes researchers. The extensions offer purported assistance in various video games and in some cases the individual extensions have been downloaded over one millions times, over 150,000 times, and over 100,000, among others. While adware can be harmful because it could slow down a machine and lead to potential malicious locations, this campaign’s extensions also request overly intrusive permissions upon download. The malicious extensions were found primarily in Chrome, but others were found in Firefox and Safari as well. The names of the extensions are the following listed in order from most to least installs: Search Web, ArcadeFrontier Ads, GamesChill Ads, PlayZiz Advertisements, Gamerscan Ad, ArcadeGala Advertising Offers, and VideoGameHub Advertising.<br /> <a href="https://forum.anomali.com/t/malicious-gaming-extensions-a-child-s-play-to-infection/2294" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.trustlook.com/2018/04/02/a-trojan-with-hidden-malicious-code-steals-users-messenger-app-information/" target="_blank"><b>A Trojan with Hidden Malicious Code Steals User’s Messenger App Information</b></a> (<i>April 2, 2018</i>)<br /> TrustLook Labs researchers have discovered an Android trojan that is capable of stealing information from a device’s installed messaging applications. The malware is distributed via malicious Chinese applications called “Cloud Module” (in Chinese) that has the package name “com.android.boxa.” The malware gains persistence by attempting to modify the “/system/etc/install-recovery.sh” file that can allow the trojan to execute every time the device boots. While the malware is capable of stealing information from 14 different messaging applications, the most interesting feature of the trojan is the sophisticated evasion techniques via an anti-emulator and debugger detection techniques.<br /> <a href="https://forum.anomali.com/t/a-trojan-with-hidden-malicious-code-steals-user-s-messenger-app-information/2295" target="_blank">Click here for Anomali recommendation</a></p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.