Weekly Threat Briefing: Imgur Hackers Stole 1.7 Million Email Addresses and Passwords

This section listed below contains summaries on various threat intelligence stories that occurred during the past week. The intelligence in this week’s iteration discuss the following threats: Account Checking, Android Malware, BankBot Trojan, Imgur Database Breach, IRAFAU, Lazrus Group, Microsoft Office Vulnerabilities, Mirai Botnet, Necurs Botnet, Scarab Ransomware, Trickbot Banking Trojan, and Wordpress malware. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.<h2>Trending Threats</h2><a href="https://www.welivesecurity.com/2017/11/27/imgur-hackers-stole-email-addresses-passwords/" target="_blank">Imgur hackers stole 1.7 million email addresses and passwords</a> (November 27, 2017) On November 23, the researcher Troy Hunt notified the popular image-hosting website Imgur that it suffered a data breach in 2014. The account details of approximately 1,700,000 users was accessed including emails and passwords. Imgur does not store any other personally identifiable information and has begun the process of resetting passwords. At the time the passwords were hashed with SHA-256, but in 2016 they switched over to using bcrypt. Recommendation: It is important that you use different passwords for the different accounts that are being used. Previous breaches can allow actors to gain access to other accounts because users frequently use the same username and password combinations for multiple accounts. If you are possibly affected by this breach, immediately change your password. Tags: Breach, Imgur<a href="http://blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickly-on-port-23-and-2323-en/" target="_blank">Early Warning: A New Mirai Variant is Spreading Quickly on Port 23 and 2323</a> (November 24, 2017) Netlab researchers have detected a new Mirai variant after noticing 100,000 new unique scanning IP addresses. The botnet is spreading by abusing two credentials: "admin/CentryL1nk" and "admin/QwestM0dem". The "CentryL1nk" credential first appeared in an exploit for the ZyXEL PK5001Z modem in exploit-db less than a month ago. Most of the new infections have been detected in Argentina. Recommendation: The Mirai botnet takes advantage of internet connected devices which have been lazily configured, leaving the door wide open to the world. Any device that connects to the internet must be treated as a security liability, and default usernames/passwords must be disabled. Organizations and defenders should be aware of all their internet facing assets and have them under strict monitoring. Tags: Mirai, BotNet, Exploit<a href="https://myonlinesecurity.co.uk/necurs-botnet-malspam-delivering-a-new-ransomware-via-fake-scanner-copier-messages/" target="_blank">Necurs botnet malspam delivering a new Ransomware via fake scanner /copier messages</a> (November 23, 2017) After a short break from distributing the "Locky" ransomware, the Necurs botnet is spamming out a new type of ransomware in time with the Thanksgiving holiday. The emails are being sent from the email "copier@<company_domain>"; it is typical of Necurs to spoof the email of a target organization. The emails have an empty body of text with the subject line "Scanned from <company name="">". The names observed being used are "Lexmark", "Canon", "HP", and "Epson". The new ransomware is being labeled as "Scarab" ransomware. Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and anti-virus protection. Even if the email appears to come from within the company, still exercise caution as emails are easily spoofed. Tags: Scarab, Necurs, Ransomware, Malspam </company></company_domain><a href="https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html" target="_blank">A Hacking Group Is Already Exploiting the Office Equation Editor Bug</a> (November 22, 2017) Approximately a week after details of a new Microsoft Office vulnerability came to light, at least one threat actor is now exploiting "CVE-2017-11882". The issue has been present in Office for 17 years. The "Cobalt" hacking group have been using Rich Text Format (RTF) files that exploit the vulnerability to download malware. Recommendation: Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (don't rely on single security mechanisms - security measures should be layered, redundant, and failsafe). Tags: Microsoft Office, Cobalt, RTF<a href="https://blog.fortinet.com/2017/11/22/cve-2017-11826-exploited-in-the-wild-with-politically-themed-rtf-document" target="_blank">CVE-2017-11826 Exploited in the Wild with Politically Themed RTF Document</a> (November 22, 2017) Fortinet researchers have discovered new documents, of a political theme, that exploit "CVE-2017-11826". The Rich Text Format (RTF) documents are themed around the political situations in Saudi Arabia and Rohingya (Myanmar). The exploit executes shellcode which downloads a backdoor dubbed "IRAFAU". IRAFAU can execute files, create/remove files, download/upload files and execute a remote shell. Recommendation: Themed malspam emails are a common tactic among threat actors, therefore, it is crucial that users are aware of their institution's policies regarding electronic communication. Requests to open a document in a sense of urgency and poor grammar are often indicative of malspam or phishing attacks. Said emails should be properly avoided and reported to the appropriate personnel. Tags: RTF, IRAFAU, Exploit<a href="https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/" target="_blank">Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model</a> (November 22, 2017) According to Flashpoint researchers the Trickbot gang, creators of the Trickbot banking Trojan, have incorporated account checking operations. Account checking utilizes credentials stolen from database breaches and compromises to try to gain unauthorized access to accounts belonging to the same victims. In order to avoid their activities getting automatically blocked by IP address, they use already infected Trickbot hosts as a stream of new and "clean" proxies. Recommendation: Trickbot heavily targets the financial industry. It is important that your company and employees use different passwords for the different accounts that are being used. As this story portrays, previous breaches can allow actors to gain access to other accounts because users frequently use the same username and password combinations for multiple accounts. Furthermore, policies should be in place that require your employees to change their passwords on a frequent basis. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity. Tags: Trickbot, Trojan, Account Checking<a href="https://nakedsecurity.sophos.com/2017/11/22/uber-suffered-massive-data-breach-then-paid-hackers-to-keep-quiet/" target="_blank">Uber suffered massive data breach, then paid hackers to keep quiet</a> (November 21, 2017) New news reveals that Uber, the transportation company, suffered a large data breach in October 2016. According to Bloomberg, the data of approximately 57,000,000 drivers and customers was stolen. The leaked data included names, email addresses, and phone numbers. The personal information of 7,000,000 drivers was accessed too, including 600,000 US driver's license numbers. Uber paid the actors $100,000 to delete the data. Recommendation: Personal should be protected with the utmost care, and only used with vendors that you trust to keep your information in compliance with the relevant standards. Always monitor your accounts and use identity prevention/fraud prevention services to add an additional layer of security to your accounts. If data has been stolen, never pay any demanded ransom, as there is no guarantee that the data will actually be deleted by the actors. Tags: Uber, Breach, Ransom<a href="https://www.us-cert.gov/ncas/current-activity/2017/11/21/Symantec-Releases-Security-Update" target="_blank">Symantec Releases Security Update</a> (November 21, 2017) The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding a vulnerability located in the "Symantec Management Console." The US-CERT states that a remote threat actor could exploit this vulnerability, registered as "CVE-2017-15527," to take control of an affected system. Symantec rates this vulnerability as a highest severity issue. Recommendation: Symantec users should review the security advisory, located at "https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20171120_00" and apply the necessary update as soon as possible if it has not been applied already. Tags: Alert, Vulnerability, Symantec<a href="https://blog.avast.com/mobile-banking-trojan-sneaks-into-google-play-targeting-wells-fargo-chase-and-citibank-customers" target="_blank">Mobile Banking Trojan Sneaks Into Google Play Targeting Wells Fargo, Chase and Citibank Customers</a> (November 20, 2017) A new variant of the mobile banking malware "BankBot" has been identified to be located in applications in the Google Play store, according to collaboration report by Avast, ESET, and SfyLabs researchers. This version of the BankBot trojan is being hidden in applications that purport to be flashlight applications. Other applications identified to contain BankBot are solitaire games and a cleaner application; researchers note that these applications were observed to distribute other malware besides BankBot. BankBot is targeting the applications associated with banks such as Chase, Diba, Citibank, and WellsFargo. In addition, Google has since removed the malicious applications, however, some of the applications were found to be active until November 17, 2017. Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to review the permission the application will request and comments from others who have downloaded the application. Furthermore, it is paramount that mobile devices be kept up-to-date with the latest security patches and employ trusted antivirus software. Tags: BankBot, Android, Trojan<a href="https://www.bleepingcomputer.com/news/security/wp-vcd-wordpress-malware-campaign-is-back/" target="_blank">Wp-Vcd WordPress Malware Campaign Is Back</a> (November 20, 2017) Researchers are warning "WordPress" website administrators of the malware called "wp-vcd," which is capable of adding secret administrator users and can allow actors control of the affected websites. The malware was discovered by security researcher, Manuel D'Orso, in the summer of 2017. Now researchers have discovered a new variant of the malware that, in addition to features mentioned above, will inject malicious code into the default themes in WordPress CMS 2015 and 2016. Researchers note that even though said default themes are often disabled on a large amount of websites, this does not affect the potential malicious activity that can still occur. Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs. Tags: Wordpress, wp-vcd<a href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-operation-blockbuster-goes-mobile/" target="_blank">Operation Blockbuster Goes Mobile</a> (November 20, 2017) Unit 42 researchers from Palo Alto Networks have discovered new malware samples targeting Samsung devices and Korean language speakers. It is believed the malware comes from the Lazarus Group, from North Korea. The malware samples are backdoors and have the ability to record microphone, capture from camera, download/upload files, record GPS, read contact information, read texts, and capture WiFi information. It is not currently known how the malware is being delivered. Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and never install software from unverified sources. Tags: Lazarus Group, Backdoor, Android