Weekly Threat Briefing: Jenkins Miner: One of the Biggest Mining Operations Ever Discovered

The intelligence in this week’s iteration discuss the following threats: AWS Leaks, Breaches, Cryptominers, Exit Scams, Google AdWords, Jenkins server vulnerabilities, Lazarus Group, Rapid Ransomware and Telegram Messenger vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.<h2>Trending Threats</h2><a href="https://research.checkpoint.com/jenkins-miner-one-biggest-mining-operations-ever-discovered/" target="_blank">Jenkins Miner: One of the Biggest Mining Operations Ever Discovered</a> (February 15, 2018) An actor, purportedly of Chinese origin, who has already secured over $3 million USD worth of Monero by running miners on Windows, has upped the scope of their operation by targeting Jenkins CI servers. To deliver the miner to servers, the actor exploits the vulnerability registered as "CVE-20171000353". The vulnerability exploits the Jenkins Java deserialization implementation, that allows any serialized object to be accepted. The requests are sent to the command line interface (CLI). The request contains two serialized objects with the injected PowerShell code to download and execute the "JenkinsMiner". <a href="https://forum.anomali.com/t/jenkins-miner-one-of-the-biggest-mining-operations-ever-discovered/" target="_blank">Click here for Anomali recommendation</a><a href="https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html" target="_blank">CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining</a> (February 15, 2018) The vulnerability, registered as "CVE-2017-10271", is being exploited in the wild according the FireEye researchers. The vulnerability exists in the WebLogic Server Security Service (WLS Security) in Oracle WebLogic Server versions 12.2.1.2.0 and prior, leading to arbitrary code execution. Tactics observed involving the vulnerability have been distributing scripts that deliver cryptocurrency miners onto victim systems on both Windows and Linux systems. <a href="https://forum.anomali.com/t/cve-2017-10271-used-to-deliver-cryptominers-an-overview-of-techniques-used-post-exploitation-and-pre-mining/" target="_blank">Click here for Anomali recommendation</a><a href="https://mackeepersecurity.com/post/fedex-customer-records-exposed" target="_blank">FedEx Customer Records Exposed</a> (February 15, 2018) Security researchers from Kromtech discovered an Amazon S3 bucket set for public access that contained the personal data of more than 199,000 customers of FedEx. The data consisted of scanned documents such as passports, driving licenses and security IDs. The information was accompanied by scanned "Applications for Delivery of Mail Through Agent" forms, that contained details such as home addresses, phone numbers and zip codes. The customers range from all over the world. The bucket has now been removed by FedEx. <a href="https://forum.anomali.com/t/fedex-customer-records-exposed/" target="_blank">Click here for Anomali recommendation</a><a href="https://www.bleepingcomputer.com/news/security/group-makes-50-million-by-phishing-bitcoin-users-using-google-adwords/" target="_blank">Group Makes $50 Million by Phishing Bitcoin Users Using Google AdWords</a> (February 15, 2018) A Ukrainian cybercrime operation has made approximately $50 million USD by utilising Google AdWords to lure users to Bitcoin phishing sites. The group, dubbed "Coinhorder" has been active for multiple years, and purchases typosquatted domains that imitate the legitimate site "Blockchain[.]info," a Bitcoin wallet management service. The group then buys adverts on the Google AdWords platform that puts their results to the top of the page in Bitcoin related Google search results. The pages stole login information from users attempting to log into their accounts. It is estimated tens of millions of users were lured to the phishing websites. <a href="https://forum.anomali.com/t/group-makes-50-million-by-phishing-bitcoin-users-using-google-adwords/" target="_blank">Click here for Anomali recommendation</a><a href="https://www.trustwave.com/Resources/SpiderLabs-Blog/Multi-Stage-Email-Word-Attack-without-Macros/?page=1&year=0&month=0&LangType=1033" target="_blank">Multi-Stage Email Word Attack without Macros</a> (February 14, 2018) Researchers from Trustwave have detailed a new macro-less Microsoft Word document attack in a recent blog post. The emails, distributed from the Necurs botnet, have Word attachments that exploit the ability to access remote OLE objects referenced in the "document.xml.rels" file. The file used in this attack downloads a Rich Text Format (RTF) file that exploits "CVE-2017-11882" to execute a MSHTA command to download and execute a remote HTA file. The HTA file uses VBScript to run a PowerShell script to download and execute the final password stealer payload. The stolen passwords are sent to a Command and Control server via HTTP POST requests. <a href="https://forum.anomali.com/t/multi-stage-email-word-attack-without-macros/" target="_blank">Click here for Anomali recommendation</a><a href="https://nakedsecurity.sophos.com/2018/02/14/cryptocurrency-startup-loopx-exit-scams-with-4-5m-in-ico/" target="_blank">Cryptocurrency startup LoopX exit scams with $4.5M in ICO</a> (February 14, 2018) The cryptocurrency startup "LoopX" has pulled an exit scam, making off with $4.5 million USD worth of investors money. There was signs that LoopX was suspicious because there was a lack of information and transparency around their proprietary trading algorithm. Investors pledged an approximate total of 276 bitcoin and 2,446 Ethereum into LoopX's ICO according to a cached version of the now scrapped website. <a href="https://forum.anomali.com/t/cryptocurrency-startup-loopx-exit-scams-with-4-5m-in-ico/" target="_blank">Click here for Anomali recommendation</a><a href="https://www.welivesecurity.com/2018/02/14/patch-microsoft-security-flaws/" target="_blank">Patch now! Microsoft fixes over 50 serious security flaws</a> (February 14, 2018) Microsoft's "Patch Tuesday" has released a bundle of security patches for multiple products including Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office, and Adobe Flash Player, among others. This instance of Patch Tuesday addresses over 50 security vulnerabilities. One such vulnerability was the critically rated vulnerability, registered as "CVE-2018-0852," that is located in Microsoft Outlook and can result in arbitrary code execution. <a href="https://forum.anomali.com/t/patch-now-microsoft-fixes-over-50-serious-security-flaws/" target="_blank">Click here for Anomali recommendation</a><a href="https://securelist.com/zero-day-vulnerability-in-telegram/83800/" target="_blank">Zero-day vulnerability in Telegram</a> (February 13, 2018) Kaspersky Lab researchers have discovered a vulnerability in "Telegram Messenger's" Windows client that is being exploited by actors in the wild. The vulnerability involves the use of the right-to-left override unicode attack when a user sends files over the messenger service. A special character is used to reverse the order of the characters that come after in the string. This is usually used for languages that read from right-to-left. Using this unicode character a threat actor can send a file with a different looking file extension to a victim. This could possibly fool a target into downloading a malicious file or executable. <a href="https://forum.anomali.com/t/zero-day-vulnerability-in-telegram/" target="_blank">Click here for Anomali recommendation</a><a href="https://www.bleepingcomputer.com/news/security/rapid-ransomware-being-spread-using-fake-irs-malspam/" target="_blank">Rapid Ransomware Being Spread Using Fake IRS Malspam</a> (February 12, 2018) A new variant of the "Rapid" ransomware is being distributed using malspam that purports to be from the Internal Revenue Service (IRS). The email claims that the recipient is behind on payments for real estate taxes and asks the recipient to open the attachment to view a report of the owed taxes. The macro enabled Microsoft Word attachment drops the Rapid ransomware and requests to contact them via email for decryption instructions. <a href="https://forum.anomali.com/t/rapid-ransomware-being-spread-using-fake-irs-malspam/" target="_blank">Click here for Anomali recommendation</a><a href="https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank">Lazarus Resurfaces, Targets Global Banks and Bitcoin Users</a> (February 12, 2018) The North Korean Advanced Persistent Threat (APT) group "Lazarus Group" are targeting cryptocurrency users and exchanges in a new campaign, dubbed "HaoBao" by McAfee researchers. Individuals are targeted with spear phishing emails impersonating job recruiters that contain malicious macro-enabled Microsoft Word files. When macros are enabled, the Visual Basic script decrypts an embedded executable payload that is run via the command prompt. For persistence it used the startup folder. The malware unwraps a Dynamic-Link Library (DLL) into memory and calls its one import using Reflective DLL injection. The implant gathers data on the victim's system and sends this to the Command and Control server using HTTP. <a href="https://forum.anomali.com/t/lazarus-resurfaces-targets-global-banks-and-bitcoin-users/2032" target="_blank">Click here for Anomali recommendation</a><a href="https://www.theverge.com/2018/2/11/17001046/equifax-hack-personal-data-tax-identification-numbers-email-addresses-drivers-licenses-cybersecurity" target="_blank">Hackers accessed more personal data from Equifax than previously disclosed</a> (February 11, 2018) Following the announcement last year that hackers had stolen the personal information of 143 million US customers of Equifax, a document submitted to the Senate Banking Committee says that hackers accessed additional information beyond what was initially reported. This additional information included tax identification numbers, credit card information, and driver's license information. The company sent notifications to those whose credit card information was affected. <a href="https://forum.anomali.com/t/hackers-accessed-more-personal-data-from-equifax-than-previously-disclosed/" target="_blank">Click here for Anomali recommendation</a>