Weekly Threat Briefing: Lenovo Patches Arbitrary Code Execution Flaw

<p>The intelligence in this week’s iteration discuss the following threats: <strong>APT</strong>, <strong>APT28</strong>, <strong>Cryptocurrency miner</strong>, <strong>Malspam</strong>, <strong>Malicious applications</strong>, <strong>Phishing</strong>, <strong>Ransomware</strong>, <strong>Targeted attacks</strong>, and <strong> Vulnerabilities</strong>. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.</p><h2>Trending Threats</h2><p><a href="https://threatpost.com/lenovo-patches-arbitrary-code-execution-flaw/131725/" target="_blank"><b>Lenovo Patches Arbitrary Code Execution Flaw</b></a> (<i>May 7, 2018</i>)<br/> Lenovo has addressed two security updates that address vulnerabilities which affect products in its “ThinkPad” line and “System x” servers. This first vulnerability addressed lies in “Secure Boot,” which is registered as “CVE-2017-3775,” and is rated as high-severity. The second vulnerability, registered as “CVE-2018-9063,” is a buffer overflow vulnerability rated as medium-severity.<br/> <a href="https://forum.anomali.com/t/lenovo-patches-arbitrary-code-execution-flaw/2431" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/" target="_blank"><b>SynAck Targeted Ransomware Uses the Doppelgänging Technique</b></a> (<i>May 7, 2018</i>)<br/> Threat actors are using a bypass technique called “Process Doppelgänging” to distribute a new variant of the “SynAck” ransomware, according to Kaspersky Lab researchers. Process Doppelgänging is a fileless code injection technique that works on all Windows versions by utilizing a built-in Windows function and an undocumented implementation of Windows process loader; the technique was first explained at the 2017 BlackHat conference. Researchers observed this technique first being utilized by actors in April 2018. The ransomware encrypts files with the AES-256-ECb algorithm.<br/> <a href="https://forum.anomali.com/t/synack-targeted-ransomware-uses-the-doppelganging-technique/2432" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.fortinet.com/blog/threat-research/gandcrab-v3-accidentally-locks-systems-with-new--change-wallpape.html" target="_blank"><b>GandCrab V3 Accidentally Locks Systems with New “Change Wallpaper” Feature</b></a> (<i>May 4, 2018</i>)<br/> The threat actors behind the “GandCrab” ransomware have added new features to the malware and spam email distribution, according to Fortinet researchers. In regards to the email spam distribution, the tactics are essentially the same in that the emails ask the recipient to open an attachment and reply as soon as possible. In a change from previous malicious attachments, the current iteration uses Visual Basic Scripts (VBS) instead of JScripts. After the malware has encrypted files it forces a reboot and changes the machine’s desktop image, however, on Windows 7 the malware gets stuck prior to the Windows Shell completely loading. This means that this version of GandCrab could leave the entire machine “seemingly unusable.”<br/> <a href="https://forum.anomali.com/t/gandcrab-v3-accidentally-locks-systems-with-new-change-wallpaper-feature/2433" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://usa.kaspersky.com/about/press-releases/2018_zoopark-new-android-based-malware" target="_blank"><b>Kaspersky Lab Discovers ZooPark, an Android-based Malware Campaign</b></a> (<i>May 3, 2018</i>)<br/> A previously unknown Advanced Persistent Threat, dubbed “ZooPark,” has been identified to be targeting Android users in Middle Eastern countries, according to Kaspersky Lab researchers. The group was discovered when Kaspersky Lab received a sample of an unknown Android malware. Further research into this malware led to the discovery a recent version of the malware contained in the same application as the initial sample. The malicious applications impersonate legitimate applications with names such as “TelegramGroups” and “Alnaharegypt news,” among others that are relevant in some targeted countries. The ZooPark malware is distributed on news and political websites and is capable of stealing various forms of data as well as executing shell commands.<br/> <a href="https://forum.anomali.com/t/kaspersky-lab-discovers-zoopark-an-android-based-malware-campaign/2434" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bleepingcomputer.com/news/security/vulnerabilities-affecting-over-one-million-dasan-gpon-routers-are-now-under-attack/" target="_blank"><b>Vulnerabilities Affecting Over One Million Dasan GPON Routers Are Now Under Attack</b></a> (<i>May 4, 2018</i>)<br/> An authentication bypass vulnerability (CVE-2018-10561) and a remote code execution vulnerability (CVE-2018-10562) that affect Dasan Gigabit Passive Optical Network (GPON) routers are actively being exploited, according to Qihoo 360 Netlab researchers. Specifically, the attacks began on May, several days after an anonymous researcher published information discussing both vulnerabilities. In addition, the researcher said that he/she found over one million vulnerable services via the internet scanning tool Shodan.<br/> <a href="https://forum.anomali.com/t/vulnerabilities-affecting-over-one-million-dasan-gpon-routers-are-now-under-attack/2435" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.incapsula.com/blog/crypto-me0wing-attacks-kitty-cashes-in-on-monero.html" target="_blank"><b>Crypto Me0wing Attacks: Kitty Cashes in on Monero</b></a> (<i>May 2, 2018</i>)<br/> Threat actors are still exploiting the Drupal platform vulnerability, known as “Dupralgeddon2.0” and registered as “CVE-2018-7600,” nearly one month after the vulnerability was addressed. In this instance, actors are exploiting Drupalgeddon2.0 to install a Monero cryptocurrency mining malware called “Kitty,” according to Imperva researchers. The Kitty cryptocurrency malware utilizes a publicly available web browser mining software called “webminerpool” and the “XMRig” CPU miner to mine Monero. In addition to being able to maintain persistence on a web server, Kitty is also capable of infecting visitors to websites hosted on compromised servers.<br/> <a href="https://forum.anomali.com/t/crypto-me0wing-attacks-kitty-cashes-in-on-monero/2436" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.us-cert.gov/ncas/current-activity/2018/05/02/Microsoft-Releases-Security-Update" target="_blank"><b>Microsoft Releases Security Update</b></a> (<i>May 2, 2018</i>)<br/> The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding a vulnerability in the Windows Host Compute Service Shim (hcsshim). A threat actor could exploit this vulnerability, registered as “CVE-2018-8115,” to execute arbitrary code on an affected system.<br/> <a href="https://forum.anomali.com/t/microsoft-releases-security-update/2437" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.eset.ie/2018/05/01/convincing-fake-netflix-page-phishing-for-victims-credit-cards/" target="_blank"><b>Convincing Fake Netflix Page Phishing for Victims’ Credit Cards</b></a> (<i>May 1, 2018</i>)<br/> A well-designed phishing campaign has been found by ESET researchers to be targeting Netflix users in attempts to steal credit card information. The phishing emails purport that Netflix was unable to renew the recipient’s subscription, and thus the email serves as a cancellation notice. The emails contain a link for “restarting” the membership that leads to a webpage that impersonated the authentic Netflix login page. After “logging in&amp;rdqurdquo a page is presented that harvests payment data.<br/> <a href="https://forum.anomali.com/t/convincing-fake-netflix-page-phishing-for-victims-credit-cards/2438" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.alienvault.com/blogs/labs-research/massminer-malware-targeting-web-servers" target="_blank"><b>MassMiner Malware Targeting Web Servers</b></a> (<i>May 1, 2018</i>)<br/> A cryptocurrency mining malware, dubbed “MassMiner,” has been observed to contain more features than a typical mining malware family, according to AlienVault researchers. MassMiner is capable of propagating via the following three vulnerabilities: CVE-2017-10271 (WebLogic vulnerability), CVE-2017-0143 (vulnerability used by EnternalBlue SMB exploit to install DoublePulsar), and CVE-2017-5638 (Apache Struts vulnerability). In addition to exploiting said vulnerabilities, MassMiner is also capable of conducting brute-force attacks against Microsoft SQL Servers via a tool called “SQlck.” Once infection has taken place, the malware will begin mining the “Monero” cryptocurrency.<br/> <a href="https://forum.anomali.com/t/massminer-malware-targeting-web-servers/2439" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://asert.arbornetworks.com/lojack-becomes-a-double-agent/" target="_blank"><b>Lojack Becomes a Double-Agent</b></a> (<i>May 1, 2018</i>)<br/> ASERT researchers have discovered that an anti-theft software tool called “Lojack for Laptops,” is being used for malicious purposes by the Russian state-sponsored Advanced Persistent Threat group “APT28” (Fancy Bear, Pawn Storm). Researchers identified that the software was being used by APT28 actors when hijacked Lojack agents were observed pointing to domains known to be associated with the group. APT28 is using the hijacked Lojak agents to disguise their malicious activity to appear to originate from a legitimate source. At the time of this writing it is unknown how APT28 is initially infecting a target, however, it is known that APT28’s primary infection is typically spear phishing emails.<br/> <a href="https://forum.anomali.com/t/lojack-becomes-a-double-agent/2440" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/legitimate-application-anydesk-bundled-with-new-ransomware-variant/" target="_blank"><b>Legitimate Application AnyDesk Bundles with New Ransomware Variant</b></a> (<i>May 1, 2018</i>)<br/> A new ransomware, dubbed “Blackheart,” was identified bundled together with the legitimate remote desktop application “AnyDesk,” according to Trend Micro researchers. In addition, researchers note that while the initial infection vector is unknown, they have observed cases in which users unknowingly downloaded Blackheart upon visiting a malicious website. Once the ransomware is executed, it will drop and execute two additional files, the ransomware executable and an AnyDesk executable. The threat actors behind this campaign are demanding 0.06164 bitcoins (approximately $50 USD) for the decryption key.<br/> <a href="https://forum.anomali.com/t/legitimate-application-anydesk-bundles-with-new-ransomware-variant/2441" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://threatpost.com/tens-of-thousands-of-malicious-apps-using-facebook-apis/131566/" target="_blank"><b>Tens of Thousands of Malicious Apps Using Facebook APIs</b></a> (<i>May 1, 2018</i>)<br/> Approximately 25,936 malicious applications were found to be using one of Facebook’s APIs to gather information, according to Trustlook researchers. This information includes a variety of data that can be gathered from a Facebook profile such as email address, full name, and location. Some of these applications were found to be capable of taking pictures and capturing audio even when the application is closed.<br/> <a href="https://forum.anomali.com/t/tens-of-thousands-of-malicious-apps-using-facebook-apis/2442" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/facexworm-targets-cryptocurrency-trading-platforms-abuses-facebook-messenger-for-propagation/" target="_blank"><b>FacexWorm Targets Cryptocurrency Trading Platforms, Abuses Facebook Messenger for Propagation</b></a> (<i>April 30, 2018</i>)<br/> Trend Micro researchers have found that the malicious Chrome extension, dubbed “FacexWorm,” has added new features to its malicious capabilities. The malicious extension uses Facebook Messenger for distribution by directing message recipients to a Youtube page that asks the user to install a codec extension; the codec extension is FacexWorm. Installation of the extension results in a request for the privilege to access and change data on a website. These permissions allow FacexWorm to install cryptocurrency miners on web browsers, and hijacks transactions by replacing a user’s wallet with one owned by the threat actor(s) controlling the malware, among other theft techniques.<br/> <a href="https://forum.anomali.com/t/facexworm-targets-cryptocurrency-trading-platforms-abuses-facebook-messenger-for-propagation/2443" target="_blank">Click here for Anomali recommendation</a></p>