May 30, 2018 - Anomali Threat Research

Weekly Threat Briefing: FBI Asks Users to Reboot Their Routers Due to Russian Malware

<p>The intelligence in this week’s iteration discusses the following threats: <strong>APT</strong>, <strong>Banking trojan</strong>, <strong>Botnet</strong>, <strong>Data leak</strong>, <strong>Phishing</strong>, <strong>Ransomware</strong>, <strong>Scams</strong>, <strong>Vehicles</strong>, <strong>Vulnerabilities</strong>, and <strong>Zero-day</strong>. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.</p>
<h2>Trending Threats</h2>
<p><a href="https://latesthackingnews.com/2018/05/29/fbi-asks-users-to-reboot-their-routers-due-to-russian-malware/" target="_blank"><b>FBI Asks Users to Reboot Their Routers Due to Russian Malware</b></a> (<i>May 29, 2018</i>)<br/> The United States’ Federal Bureau of Investigation (FBI) has issued a statement regarding a botnet consisting of home routers infected with the “VPNFilter” malware. The FBI attributes the botnet and malware to the Advanced Persistent Threat (APT) group “APT28,” which is believed to be sponsored by the Russian Federation government.<br/> <a href="https://forum.anomali.com/t/fbi-askes-users-to-reboot-their-routers-due-to-russian-malware/2508" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/" target="_blank"><b>Despite Ringleader’s Arrest, Cobalt Group Still Active</b></a> (<i>May 28, 2018</i>)<br/> The financially motivated threat group “Cobalt Group,” known for targeting banks and ATMs, may be responsible for a phishing campaign observed in mid-May by Positive Technologies researchers. Analysis of the phishing campaign revealed tactics that bear resemblance to previous Cobalt Group campaigns. The May phishing campaign was found to be distributing a backdoor that can be loaded with different malicious functions, including detecting antivirus software, launching programs, self-updating, and self-removal. These abilities mirror previously identified Cobalt Group backdoor capabilities, according to researchers.<br/> <a href="https://forum.anomali.com/t/despite-ringleader-s-arrest-cobalt-group-still-active/2509" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/" target="_blank"><b>BackSwap Malware Finds Innovative Ways to Empty Bank Accounts</b></a> (<i>May 25, 2018</i>)<br/> ESET researchers have discovered a new banking malware, dubbed “BackSwap,” that is capable of stealing banking credentials from web browsers. The threat group behind the malware is distributing it via spam emails that contain a malicious attachment. The attachment contains a hidden JavaScript downloader called “Nemucod.” Once the malware has infected a machine, it waits until it detects web browser banking activity and then injects malicious JavaScript into the page via the browser’s JavaScript console or the address bar. The malware then begins the process of stealing funds from the individual’s bank account.<br/> <a href="https://forum.anomali.com/t/backswap-malware-finds-innovative-ways-to-empty-bank-accounts/2510" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://www.infosecurity-magazine.com/news/bmw-fixes-14-vulnerabilities-in/" target="_blank"><b>BMW Fixes 14 Vulnerabilities in Connected Cars</b></a> (<i>May 25, 2018</i>)<br/> The BMW automobile company has addressed 14 vulnerabilities in its vehicles that were found by Tencent’s Keen Security Lab. The researchers tested several car models over a year, consisting of the following: I Series, X1 sDrive, 5 Series, and 7 Series. Researchers discovered it was possible for an actor “to gain remote control to the CAN buses of a vulnerable BMW car by utilizing a complex chain of several vulnerabilities existing in different vehicle components.” Successful exploitation could allow an actor to manipulate the accelerator, brakes, and steering, among other systems.<br/> <a href="https://forum.anomali.com/t/bmw-fixes-14-vulnerabilities-in-connected-cars/2511" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://blog.avast.com/android-devices-ship-with-pre-installed-malware" target="_blank"><b>Avast Threat Labs Analyzed Malware That Has Affected Thousands of Users Around The World</b></a> (<i>May 24, 2018</i>)<br/> Approximately three hundred Android device models and versions have been identified to contain pre-installed malware, according to Avast Threat Lab researchers. Researchers note that the majority of affected devices are not certified by Google. The malware found on the affected devices is an advertising malware (adware) called “Cosiloon.” Cosiloon displays overlays over a webpage in a user’s browser that advertise malicious applications. At the time of this writing, approximately 18,000 Android users are believed to be affected by this campaign.<br/> <a href="https://forum.anomali.com/t/avast-threat-labs-analyzed-malware-that-has-affected-thousands-of-users-around-the-world/2512" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://www.engadget.com/2018/05/24/fbi-seizes-domain-russian-botnet/" target="_blank"><b>FBI Seized Domain Behind Major Russian Botnet</b></a> (<i>May 24, 2018</i>)<br/> The U.S. Department of Justice (DOJ) announced that the Federal Bureau of Investigation (FBI) was able to take down the botnet created via the “VPNFilter” malware. The botnet consisted of approximately 500,000 routers located around the world. The DOJ attributes this campaign to the Advanced Persistent Threat (APT) group “APT28,” which is believed to be sponsored by the Russian Federation government. The FBI was able to take control of a Command and Control (C2) domain (ToKnowAll[.]com) that VPNFilter beacons out to upon successful infection. This takeover is reported to severely limit the malware’s malicious capabilities.<br/> <a href="https://forum.anomali.com/t/fbi-seized-domain-behind-major-russian-botnet/2513" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://blog.talosintelligence.com/2018/05/VPNFilter.html" target="_blank"><b>New VPNFilter Malware Targets At Least 500k Networking Devices Worldwide</b></a> (<i>May 23, 2018</i>)<br/> Cisco Talos researchers discovered that a new malware, dubbed “VPNFilter,” is actively infecting hosts in Ukraine at “an alarming rate.” The malware has different modules that are used at different stages of infection to accomplish different tasks. These include maintaining persistence after reboot (stage 1), receiving commands and stealing files (stage 2), and providing additional functionality (stage 3). As of this writing, VPNFilter has infected approximately 500,000 network devices in at least 54 countries.<br/> <a href="https://forum.anomali.com/t/new-vpnfilter-malware-targets-at-least-500k-networking-devices-worldwide/2514" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://www.bleepingcomputer.com/news/security/crypton-ransomware-installed-using-hacked-remote-desktop-services/" target="_blank"><b>CryptON Ransomware Installed Using Hacked Remote Desktop Services</b></a> (<i>May 23, 2018</i>)<br/> Threat actors have been observed distributing the “CryptON” ransomware by compromising systems with publicly accessible Remote Desktop Services (RDP) running, according to the Malwarebytes security researcher known as “S!Ri.” At the time of this writing, there is no way to recover encrypted files except to pay for the decryption key or to restore the files from a backup.<br/> <a href="https://forum.anomali.com/t/crypton-ransomware-installed-using-hacked-remote-desktop-services/2515" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2018/05/new-mac-cryptominer-uses-xmrig/" target="_blank"><b>New Mac Cryptominer Uses XMRig</b></a> (<i>May 22, 2018</i>)<br/> Malwarebytes Labs researchers have published information regarding a new cryptocurrency miner that affects Apple Mac users. The miner was first identified when users began reporting an issue regarding a process called “mshelper” on Apple’s discussion forums. As of this writing, it is unknown how the miner gets onto a machine, i.e. the dropper, yet the researchers do note that it is not a sophisticated piece of malware. Researchers found that the mshelper process, which is installed in the “tmp” folder, is an older version of the open source mining software “XMRig.”<br/> <a href="https://forum.anomali.com/t/new-mac-crytpominer-uses-xmrig/2516" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://www.bleepingcomputer.com/news/security/google-and-microsoft-reveal-new-spectre-attack/" target="_blank"><b>Google and Microsoft Reveal New Spectre Attack</b></a> (<i>May 22, 2018</i>)<br/> Google and Microsoft researchers have discovered two new variants of the “Spectre” attack, registered as “CVE-2018-3640” and “CVE-2018-3639,” that affect processors made by AMD, ARM, IBM, and Intel. Exploitation of CVE-2018-3640 can result in an actor being able to “read privileged data across trust boundaries,” according to Microsoft.<br/> <a href="https://forum.anomali.com/t/google-and-microsoft-reveal-new-spectre-attack/2517" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://www.zdnet.com/article/comcast-bug-leaks-xfinity-home-addresses-wireless-passwords/" target="_blank"><b>Comcast Website Bug Leaks Xfinity Customer Data</b></a> (<i>May 21, 2018</i>)<br/> Security researchers Karan Sini and Ryan Stevenson found that the website of the Internet Service Provider “Comcast” had a bug that resulted in the leaking of sensitive customer information. The affected website (https://register.be.xfinity.com/activate) is used to activate Xfinity routers. A threat actor could use previously acquired names and billing addresses to access a customer’s account, and from there retrieve the customer’s Wi-Fi network information and password in plaintext. This bug only affected customers who use an Xfinity router.<br/> <a href="https://forum.anomali.com/t/comcast-website-bug-leaks-xfinity-customer-data/2518" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://www.theregister.co.uk/2018/05/21/draytek_routers_security_vulnerability/" target="_blank"><b>High-end Router Flinger DrayTek Admits to Zero Day in Bunch of Vigor Kit</b></a> (<i>May 21, 2018</i>)<br/> The customer premises equipment manufacturer “DrayTek” has issued updates for a vulnerability that affects a large number of its “Vigor” model routers. The vulnerability, if exploited, could allow threat actors to manipulate DNS settings on 28 of its Vigor routers. Users on the forum “AbuseIPDB” reported that exploitation of a zero-day vulnerability had infected their servers and workstations. DrayTek has since issued a patch for this vulnerability.<br/> <a href="https://forum.anomali.com/t/high-end-router-flinger-draytek-admits-to-zero-day-in-bunch-of-vigor-kit/2519" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://www.us-cert.gov/ncas/current-activity/2018/05/21/Tragedy-Related-Scams" target="_blank"><b>Tragedy-Related Scams</b></a> (<i>May 21, 2018</i>)<br/> The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding threat actors attempting to use the tragic school shooting in Texas to conduct malicious activity. Emails and social media posts discussing this event should be viewed with caution. In addition, users should also be aware of fraudulent charitable donation scams, both online and in-person, related to the event.<br/> <a href="https://forum.anomali.com/t/tragedy-related-scams/2520" target="_blank">Click here for Anomali recommendation</a></p>
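The briefing says its IOCs can be used to check your logs; as an added example that is not part of the original briefing, the script below refangs a defanged indicator (the VPNFilter C2 domain named above) and matches it against DNS query-log lines, counting subdomains as hits but not look-alike suffixes. The log lines are constructed here in BIND query-log style, not real traffic.

```python
import re
from typing import Dict, Iterable, List

# Defanged indicators as published in threat briefings. The only real entry is the
# VPNFilter C2 domain named in the briefing text.
DEFANGED_IOCS = ["ToKnowAll[.]com"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator (x[.]y, hxxp://) back into a matchable domain."""
    ioc = ioc.strip().lower()
    ioc = ioc.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxps?://", "", ioc)


def domain_matches(query: str, ioc_domain: str) -> bool:
    """True if query is the IOC domain itself or any subdomain of it.

    Normalises case and a trailing root dot; 'nottoknowall.com' must NOT match.
    """
    q = query.lower().rstrip(".")
    return q == ioc_domain or q.endswith("." + ioc_domain)


# BIND-style query log line; the optional "(name)" group covers newer BIND formats.
DNS_LOG_RE = re.compile(r"client (?P<src>[\d.]+)#\d+(?: \([^)]*\))?: query: (?P<qname>\S+) IN")


def scan_dns_log(lines: Iterable[str], defanged_iocs: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose queried name matches an IOC domain."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in lines:
        m = DNS_LOG_RE.search(line)
        if not m:
            continue  # not a query line; skip
        for ioc in iocs:
            if domain_matches(m["qname"], ioc):
                hits.append({"src": m["src"], "qname": m["qname"], "ioc": ioc, "line": line})
    return hits


# Constructed sample lines (hypothetical clients; no real traffic).
SAMPLE_LOG = [
    "30-May-2018 10:01:02.123 client 192.168.1.20#51234: query: toknowall.com IN A + (192.168.1.1)",
    "30-May-2018 10:01:05.456 client 192.168.1.21#51235: query: www.example.com IN A + (192.168.1.1)",
    "30-May-2018 10:02:11.789 client 192.168.1.22#51236: query: update.ToKnowAll.com. IN A + (192.168.1.1)",
    "30-May-2018 10:03:00.000 client 192.168.1.23#51237: query: nottoknowall.com IN A + (192.168.1.1)",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG, DEFANGED_IOCS):
        print(f"{hit['src']} queried {hit['qname']} (matches {hit['ioc']})")
```

A hit on the C2 domain identifies the querying client as a device to isolate and re-image or reboot per the FBI guidance, rather than only as a log line to note.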
