WTB: Equifax Breach: Sensitive Info, SSNs of 44% of U.S. Consumers Accessed by Attackers

September 12, 2017 | Gage Mele

The intelligence in this week’s iteration discuss the following threats: APT, Banking trojan, Data breach, Malspam, Misconfigured database, Phishing, and Vulnerability. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Admin Accounts With No Passwords at the Heart of Recent MongoDB Ransom Attacks (September 11, 2017)
The Senior Director of Product Security at MongoDB Inc., Davi Ottenheimer, has released a blog in which he states that the recent MongoDB attacks were because administrators did not set their passwords. The attacks have compromised approximately 26,000 databases with approximately 22,000 of the database owners being held for ransom to retrieve their data. MongoDB plans on hardening their security with the release of the upcoming MongoDB 3.6.x release.
Recommendation: It is crucial that your company institute strong password policies to protect your sensitive data. Databases should not be directly accessible over, or connected to the internet. For web applications that are accessing database data, make sure all user supplied data is sanitized to prevent SQL injections. Additionally, the database should require proper authentication in order to access its information.
Tags: MongoDB, Database, Vulnerability

Equifax Breach: Sensitive Info, SSNs of 44% of U.S. Consumers Accessed by Attackers (September 8, 2017)
One of the largest three American credit agencies, "Equifax," has experienced a significant breach that exposed approximately 143 million U.S. consumers' Personally Identifiable Information. As of this writing, the threat actors who accessed the data are unknown. The data consists of credit card numbers for approximately 209,000 U.S. consumers, dispute documents for approximately 182,000 U.S. individuals, Social Security numbers (SSNs), some instances of driver licenses information, and limited personal information for some Canadian and U.K. individuals. The unauthorized access took place between mid-May and July 2017. The breach was detected on July 29, 2017.
Recommendation: With nearly half of the U.S. population affected by this breach, it is important for individuals to check to see if they are affected by using the following website "https://www.equifaxsecurity2017.com/potential-impact/". Additionally, individuals should regularly check their credit statements in order to identify potential malicious activity.
Tags: Data breach, Credit card data, PII

.UK Domains At Risk of Theft in Enom Blunder (September 7, 2017)
On September 1, 2017, the domain registrar, "Enom," issued a warning to its mailing list regarding a vulnerability that could allow ".uk" domains to be hijacked. The security group, "The M Group," disclosed the vulnerability to Enom on May 2, 2017, and the issue was not resolved until September 2, 2017. The vulnerability allowed .uk domains to be transferred between Enom accounts without authorization, logs, or verification.
Tags: Vulnerability, .uk

EMOTET Returns, Starts Spreading via Spam Botnet (September 7, 2017)
The EMOTET banking trojan, first discovered in 2014, has been identified being distributed via a spam botnet. The spam emails that are delivering EMOTET variants are typically themed as an invoice or payment notification. The emails attempt to lure the recipient into following a provided link that will download a document that contains a malicious macro. A user will be infected with EMOTET if the macro is enabled on the document.
Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders.
Tags: Spam, Banking trojan, EMOTET

Malware Xeroing in on Cloud Accounting Customers (September 6, 2017)
SpiderLabs researchers discovered a phishing campaign that appears to have begun on August, 16, 2017, in which actors are impersonating the New Zealand-based software company, "Xero." The actors are spoofing Xero email addresses and sending phishing emails that contain malicious links. The objective of the emails is to trick recipients into downloading a zip archive that contains a malicious JavaScript file. This will infect a user with a variant of the Dridex banking trojan malware upon execution. Recipients are pointed to a fake Xero domain located at "xeronet[.]org" rather than the authentic site located at "xero[.]com."
Recommendation: It is important that your company institute policies to educate your employees on phishing attacks. Specifically, how to identify such attacks and whom to contact if a phishing email is identified. Furthermore, maintain policies regarding what kind of requests and information your employees can expect to receive from colleagues and management.
Tags: Phishing, Spoofed email, Malware, Dridex

Dragonfly: Western Energy Sector Targeted by Sophisticated Attack Group (September 6, 2017)
The Advanced Persistent Threat (APT) group "Dragonfly" has been actively targeting European and North American energy sectors in a recently discovered campaign, according to Symantec researchers. The campaign, dubbed "Dragonfly 2.0," appears to have begun in December 2015. Researchers have found an increase in Dragonfly activity in 2017, specifically targeting Turkey, the U.S., and Switzerland. The group uses multiple infection vectors including spear phishing emails, trojanized software, and watering hole attacks.
Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of phishing, how to identify such attempts.
Tags: APT, Dragonfly, Spear phishing, Trojan, Watering hole

A360 Drive Abused to Deliver Adwind, Remcos, Netwire RATs (September 5, 2017)
Trend Micro researchers have identified threat actors attacking Autodesk's "A360" cloud project collaboration software and then using it to deliver malware. Researchers believe that this tactic has caused a recent increase in malicious activity for which the cause was previously unknown. A360 accounts are being compromised, and malicious macros in threat actor phishing documents use the URL path that leads to the A360 location to download the malware. Researchers have found multiple forms of malware being delivered using this method such as adware, banking Trojans, and Remote Access Trojans (RATs).
Recommendation: Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe).
Tags: Compromise, Malware

Critical Flaw in Apache Struts2 Lets Hackers Take Over Web Servers (September 5, 2017)
Security researchers have identified a remote code execution vulnerability in the Apache Struts web application framework. The vulnerability, registered as "CVE-2017-9805," resides in the Struts REST plugin when it deserializes XML payloads. Researchers state that all versions of Apache Struts since 2008 are affected by this vulnerability. Thankfully, this vulnerability has been patched with Struts version 2.5.13. Those who are not running the most current Struts version should update as soon as possible.
Recommendation: As this story portrays, it is important that your company institute policies regarding software in use and proper maintenance. New security updates should be applied as soon as possible because they often fix minor bugs and critical vulnerabilities that delay work-flow, or can be exploited by malicious actors.
Tags: Vulnerability, Apache Struts2

Bazinga! Social Network Taringa 'Fesses Up to Data Breach (September 5, 2017)
The Latin American social networking site, "Taringa," has experienced a data breach that resulted in approximately 28 million user records being exposed. The exposed data consists of email addresses, and usernames and associated MD5 hashed passwords. Worryingly, MD5 is relatively weak and can be cracked by threat actors. Taringa has informed its user to change their passwords as soon as possible.
Recommendation: Databases should not be directly accessible over, or connected to the internet. For web applications that are accessing database data, make sure all user supplied data is sanitized to prevent SQL injections. Additionally, Taringa users should change their passwords as soon as possible. Furthermore, if identical passwords were used for Taringa and other accounts, those passwords should also be changed as soon as possible to avoid potential data theft.
Tags: Data breach

Four Million Time Warner Customers Caught in Privacy Snafu (September 5, 2017)
Kromtech researchers have released information regarding their discovery of two misconfigured AWS S3 buckets. The two buckets contain personal information of Time Warner Cable customers consisting of 600 GB of data. The data consists of account numbers, MAC addresses, transaction IDs, serial numbers, and usernames, among other data. Researchers contend that Broadsoft, a communication software and service provider, did not properly configure the databases to restrict public access.
Recommendation: Databases should not be directly accessible over, or connected to the internet. For web applications that are accessing database data, make sure all user supplied data is sanitized to prevent SQL injections. Additionally, the database should require proper authentication in order to access its information.
Tags: Misconfigured database, AWS S3 bucket, Data leak

BankBot Continues Its Evolution as AgressiveX AndroBot (September 5, 2017)
The Android "BankBot" trojan has undergone some changes to their URL paths and Command and Control (C2) infrastructure, according to PhishLabs researchers. The actors behind BankBot are using a new domain titled, "agressivex[.]com," which appears to indicate that the actors may be "re-packaging" the malware to sell under a different name. Researchers note that this version does not appear to the functional, however, this may be a testing phase because BankBot source code has been available to actors since 2016.
Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores.
Tags: Android, BankBot, Trojan, Mobile

Router Flaws Put AT&T Customers at Hacking Risk (September 4, 2017)
Security researcher Joseph Hutchins has reported that thousands of routers that belong to AT&T customers contain five critical vulnerabilities. The affected routers are "Arris NVG589" and "NVG599" with the most current "9.2.2" version. Some of the vulnerabilities can be exploited by threat actors to gain root access to an affected device and full control of the router via a hardcoded credential vulnerability. This could lead to the hijacked router to be part of a botnet. Some researchers speculate that as many as 138,000 routers are vulnerable. Another of the vulnerabilities is a firewall bypass that could allow an attacker to access a machine on a local network.
Recommendation: Routers should be configured to use separate access points behind the router. This can be used to assist in protecting against ISP misconfigured hardware.
Tags: Vulnerability, Router

Thousands of Military Vet's Details Exposed in S3 Privacy Snafu (September 4, 2017)
Upguard researchers have discovered that an AWS S3 bucket was configured for public access, and that the bucket contained sensitive information associated with U.S. military veterans. The bucket was located at the subdomain "tigerswanresumes." TigerSwan is a private security firm located in North Carolina. Overall, approximately 9,402 records were available with nearly are all associated with U.S. veterans. Some of the associated data includes home address, email address, partial social security numbers, phone numbers, and other forms of resume information.
Recommendation: It is crucial for your company to verify that access control is configured correctly prior to adding any sensitive data. As this story portrays, misconfigured databases has the potential to cause significant harm to individuals and a company's reputation.
Tags: Misconfigured database, AWS S3 bucket, Data leak

Massive Wave of MongoDB Attacks Makes 26,000 New Victims (September 4, 2017)
Ransom attacks targeting "MongoDB" databases have increased over the last week in August and first weekend in September, according to security researcher Dylan Katz and Victor Gevers. The researchers state that three new threat groups have emerged and, in total, have compromised approximately 26,000 MongoDB servers. The actors scanned the internet, possibly with "Shodan," and found vulnerable MongoDB databases that allowed external connections. The content of the databases was then wiped and replaced with a ransom note that provides an email address for payment.
Recommendation: Databases should not be directly accessible over, or connected to the internet. For web applications that are accessing database data, make sure all user supplied data is sanitized to prevent SQL injections. Additionally, the database should require proper authentication in order to access its information.
Tags: Vulnerable database, MongoDB, Data leak, Threat group

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. Click here to request a trial.

TrickBot Tool Tip
TrickBot is a modular Bot/Loader malware family which is primarily focused on harvesting banking credentials. It shares heavy code, targeting, and configuration data similarities with Dyreza. It was first observed in September 2016 and both the core bot and modules continue to be actively developed. Both x86 and x64 payloads exist. It has been distributed using traditional malvertising and phishing methods. [Flashpoint](https://www.flashpoint-intel.com/blog/trickbot-targets-us-financials/) recently (2017-07-19) observed TrickBot operators leveraging the NECURS Botnet for distribution. Previously, Anomali Labs released a [Threat Bulletin](https://ui.threatstream.com/tip/17137) detailing the unpacking of this malware family.
Tags: TrickBot, Family-Trickbot, victim-Financial-Services

Gage Mele
About the Author

Gage Mele

Threat Intelligence Analyst

Get the latest threat intelligence news in your email.