April 4, 2018
Anomali Threat Research

Weekly Threat Briefing: Panera Bread Leaks Millions of Customer Records

<p>The section below contains summaries of various threat intelligence stories that occurred during the past week. The intelligence in this week’s iteration discusses the following threats: <b>APT</b>, <b>Data breach</b>, <b>Credit card theft</b>, <b>Data leak</b>, <b>Malspam</b>, <b>Mobile malware</b>, <b>RAT</b>, <b>Targeted attacks</b>, <b>Threat group</b>, <b>Underground markets</b>, and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.</p><h2>Trending Threats</h2><p><a href="https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/" target="_blank"><b>Panerabread[.]com Leaks Millions of Customer Records</b></a> (<i>April 2, 2018</i>)<br/> The website of the U.S.-based bakery-café restaurant chain “Panera Bread” (panerabread[.]com) was leaking millions of customer records for at least eight months. Any individual who navigated to the correct URL would be able to view the plaintext data. The leaked data consists of birthdays, names, email and physical addresses, and the last four digits of credit card numbers, associated with approximately 37 million customers. The website was taken down on April 2, 2018. The exposed data belongs to customers who registered for an account that is used to order food for pickup or delivery. 
Panera Bread was informed of this data leak by security researcher Dylan Houlihan back in August 2017.<br/> <a href="https://forum.anomali.com/t/panerabread-com-leaks-millions-of-customer-records/2246" target="_blank">Click here for Anomali recommendation</a></p><p><a href="http://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html" target="_blank"><b>Fake AV Investigation Unearths KevDroid, New Android Malware</b></a> (<i>April 2, 2018</i>)<br/> Cisco Talos researchers have discovered two variants of an Android Remote Administration Tool (RAT) dubbed “KevDroid,” and one Windows RAT dubbed “PubNubRAT.” The Android RATs are able to steal device information such as contacts, call history, and SMS messages. In addition, one KevDroid variant was observed to exploit an Android vulnerability (CVE-2015-3636) to gain root access on an infected device. PubNubRAT uses the “PubNub” platform, a global data stream network, as its Command and Control (C2) server.<br/> <a href="https://forum.anomali.com/t/fake-av-investigation-unearths-kevdroid-new-android-malware/2247" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.flashpoint-intel.com/blog/compromised-magento-sites-delivering-malware/" target="_blank"><b>Compromised Magento Sites Delivering Malware</b></a> (<i>April 2, 2018</i>)<br/> Approximately 1,000 “Magento” (open source ecommerce platform) administrator portals have been found to be compromised, according to Flashpoint researchers. The threat actors behind this campaign are brute-forcing, or using common default credentials, to gain access to administrator panels and conduct malicious activity on the Magento websites. The malicious activity consists of scraping credit card numbers and installing cryptocurrency-mining malware. 
The threat actors were observed to use a fake Adobe Flash Player update that was placed on the website in an attempt to trick visitors into downloading the “update.” If this “update” is downloaded, the user will launch malicious JavaScript that downloads malware from actor-controlled servers on GitHub and from other compromised sites onto the user’s machine.<br/> <a href="https://forum.anomali.com/t/compromised-magneto-sites-delivering-malware/2248" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://geminiadvisory.io/fin7-syndicate-hacks-saks-fifth-avenue-and-lord-taylor/" target="_blank"><b>Fin7 Syndicate Hacks Saks Fifth Avenue and Lord &amp; Taylor Stores</b></a> (<i>March 30, 2018</i>)<br/> Gemini Advisory researchers observed that on March 28, 2018, the threat group “Fin7” announced that over five million credit and debit cards would be offered for purchase on the underground carding forum called “Joker’s Stash.” Further research into the posting, in combination with assistance from financial institutions, led to the discovery, with high probability, that the credit and debit card data was stolen from customers of the “Saks Fifth Avenue” and “Lord &amp; Taylor” department stores. Researchers believe that the threat group has had access to the stores’ systems from “May 2017 to present.” At the time of this writing, the offer on Joker’s Stash consists of approximately 125,000 records, and researchers believe that more records will be offered for purchase in the near future.<br/> <b>Recommendation:</b> Bank accounts and credit card numbers should be protected with the utmost care, and only used with vendors that you trust to keep your information in compliance with the relevant standards. 
Regular monitoring of financial accounts, in addition to identity protection and fraud prevention services, can assist in identifying potential theft of data.<br/> <a href="https://forum.anomali.com/t/fin7-syndicate-hacks-saks-fifth-avenue-and-lord-taylor-stores/2249" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://nakedsecurity.sophos.com/2018/03/30/150-million-myfitnesspal-accounts-compromised-heres-what-to-do/" target="_blank"><b>150 million MyFitnessPal accounts compromised – here’s what to do</b></a> (<i>March 30, 2018</i>)<br/> Approximately 150 million user accounts of Under Armour’s fitness tracker “MyFitnessPal” have been compromised. The affected data includes email addresses, usernames, and hashed passwords; the passwords were hashed using “bcrypt.” While the “majority” of account passwords were hashed with bcrypt, which would take significant time to brute force, users could now be targets of spear phishing attacks because user email addresses were exposed.<br/> <a href="https://forum.anomali.com/t/150-million-myfitnesspal-accounts-compromised-here-s-what-to-do/2250" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-issues-out-of-band-security-update-for-windows-7-and-windows-server-2008/" target="_blank"><b>Microsoft Issues Out-Of-Band Update for Windows 7 &amp; Windows Server 2008</b></a> (<i>March 29, 2018</i>)<br/> Microsoft has issued a security update for Windows 7 and Windows Server 2008 R2 outside the company’s typical Patch Tuesday cycle. This indicates that a high-severity problem has been addressed. 
Specifically, this security update fixes a vulnerability, registered as “CVE-2018-1038,” which was discovered by Swedish security expert Ulf Frisk. The vulnerability was caused by an earlier security update that was meant to fix the “Meltdown” vulnerability, registered as “CVE-2017-5754.” The Meltdown update was found to have “accidentally flipped a bit that controlled access permissions to kernel memory.” The bit flip allows any process on the machine to read and write any memory location, including kernel-space memory, without the need for an exploit. A threat actor would need physical access to the machine, or to have previously infected the machine with malware, to exploit this vulnerability.<br/> <a href="https://forum.anomali.com/t/microsoft-issues-out-of-band-update-for-windows-7-windows-server-2008/2251" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://krebsonsecurity.com/2018/03/omitting-the-o-in-com-could-be-costly/" target="_blank"><b>Omitting the “o” in .com Could Be Costly</b></a> (<i>March 29, 2018</i>)<br/> A senior security advisor at “SecureWorks,” an Atlanta-based cybersecurity firm, discovered a domain belonging to a large typosquatting campaign while trying to visit the website “espn[.]com.” Typosquatting is a tactic in which threat actors register domains that impersonate legitimate, and often well-known, domains. The domains were all found to have omitted the “o” in “.com.” Additional research into the typosquatted domain revealed that the IP address (85.25.199[.]30) is hosting thousands of typosquatted domains. 
Furthermore, visiting one of these domains redirects visitors to one of two landing pages, which will sometimes request that the visitor complete a “short survey” in exchange for an opportunity to win gift cards, coupons and “other amazing deals!”<br/> <a href="https://forum.anomali.com/t/omitting-the-o-in-com-could-be-costly/2252" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.drupal.org/sa-core-2018-002" target="_blank"><b>Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002</b></a> (<i>March 28, 2018</i>)<br/> A vulnerability rated “highly critical,” registered as “CVE-2018-7600,” has been found to exist “within multiple subsystems of Drupal 7.x and 8.x.” CVE-2018-7600 is a remote code execution vulnerability that could be exploited by threat actors to take control of a Drupal website and open up other vectors for malicious activity.<br/> <a href="https://forum.anomali.com/t/drupal-core-highly-critical-remote-code-execution-sa-core-2018-002/2253" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-hiddenminer-android-malware-can-potentially-cause-device-failure/" target="_blank"><b>Monero-Mining HiddenMiner Android Malware Can Potentially Cause Device Failure</b></a> (<i>March 28, 2018</i>)<br/> A new Android malware, dubbed “HiddenMiner,” has been discovered infecting mobile devices to mine the “Monero” cryptocurrency, according to Trend Micro researchers. The malware is distributed via malicious applications in third-party application stores. HiddenMiner will use a device’s CPU to continuously mine Monero until the device’s resources are exhausted. This functionality of HiddenMiner could cause a device to overheat, which could possibly lead to device failure. 
At the time of this writing, the malware is primarily targeting individuals located in China and India.<br/> <a href="https://forum.anomali.com/t/monero-mining-hiddenminer-android-malware-can-potentially-cause-device-failure/2254" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.cybereason.com/blog/fauxpersky-credstealer-malware-autohotkey-kaspersky-antivirus" target="_blank"><b>Fauxpersky: Credstealer Malware Written in Autohotkey Masquerades as Kaspersky Antivirus, Spreading Through Infecting USB Drives</b></a> (<i>March 28, 2018</i>)<br/> Cybereason researchers, while conducting an investigation in a customer’s environment, discovered a new credential-stealing malware dubbed “Fauxpersky.” The malware is written in “AutoHotKey,” a scripting language that allows individuals to write keystroke scripts that interact with the Windows operating system. Fauxpersky impersonates “Kaspersky Antivirus” and is distributed via infected USB drives. The researchers discovered four files that masqueraded as legitimate Windows files, named “Explorers.exe,” “Spoolsvc.exe,” “Svhost.exe,” and “Taskhosts.exe,” which the malware uses to gain persistence on a machine. Fauxpersky uses keylogger functionality to steal information and replicates itself to the drives listed on a machine for persistence.<br/> <a href="https://forum.anomali.com/t/fauxpersky-credstealer-malware-written-in-autohotkey-masquerades-as-kaspersky-antivirus-spreading-through-infecting-usb-drives/2255" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.us-cert.gov/ncas/current-activity/2018/03/28/North-Korean-Malicious-Cyber-Activity" target="_blank"><b>North Korean Malicious Cyber Activity</b></a> (<i>March 28, 2018</i>)<br/> The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding new malicious activity attributed to the government of the Democratic People’s Republic of Korea (DPRK). 
The Advanced Persistent Threat (APT) group “HIDDEN COBRA,” the cyber arm of the DPRK, has created a new trojan called “SHARPKNOT.” SHARPKNOT is a “wiper” malware that destroys an infected Windows machine by overwriting the Master Boot Record (MBR) and deleting files on network shares and connected external storage devices.<br/> <a href="https://forum.anomali.com/t/north-korean-malicious-cyber-activity/2256" target="_blank">Click here for Anomali recommendation</a></p><p><a href="http://www.zdnet.com/article/avcrypt-ransomware-attempts-to-eradicate-your-antivirus/" target="_blank"><b>AVCrypt ransomware attempts to eradicate your antivirus</b></a> (<i>March 27, 2018</i>)<br/> The security researcher known as “MalwareHunterTeam” has found a new ransomware, dubbed “AVCrypt,” that attempts to uninstall antivirus software from an infected machine prior to encrypting files. At the time of this writing, it is unknown how AVCrypt targets machines. To remove antivirus software, the ransomware will target “Windows Defender” and “Malwarebytes,” or query for other antivirus software before attempting to remove it. This is followed by deleting Windows services that are needed for the antivirus software to function properly. Researchers note that AVCrypt appears to be in the developmental stages because the ransom note does not contain any instructions or request for payment.<br/> <a href="https://forum.anomali.com/t/avcrypt-ransomware-attempts-to-eradicate-your-antivirus/2257" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/" target="_blank"><b>Panda Banker Zeros in on Japanese Targets</b></a> (<i>March 27, 2018</i>)<br/> Arbor Networks has found that a threat actor is targeting Japanese financial institutions with the “Panda Banker” (PandaBot, Zeus Panda) trojan. Panda Banker is a variant of the notorious Zeus malware family. 
Panda Banker is capable of stealing account numbers and user credentials with the objective of eventually stealing money. This malicious activity is accomplished by exploiting web browser vulnerabilities and web injections. Panda Banker is offered for purchase on underground forums, and researchers note that this is the first observation of the newest variant, version 2.6.6.<br/> <a href="https://forum.anomali.com/t/panda-banking-zeros-in-on-japanese-targets/2258" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.us-cert.gov/ncas/current-activity/2018/03/27/Mozilla-Releases-Security-Updates-Firefox" target="_blank"><b>Mozilla Releases Security Updates for Firefox</b></a> (<i>March 27, 2018</i>)<br/> The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding security updates for a vulnerability in “Firefox” and “Firefox Extended Support Release (ESR).” A threat actor could exploit the vulnerability to “cause a denial-of-service condition.”<br/> <a href="https://forum.anomali.com/t/mozilla-releases-security-updates-for-firefox/2259" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.malware-traffic-analysis.net/2018/03/26/index2.html" target="_blank"><b>Malspam Pushing Sigma Ransomware</b></a> (<i>March 26, 2018</i>)<br/> A malspam campaign has been observed distributing the “Sigma” ransomware, according to security researchers. The email text claims that the attachment is a password-protected receipt, and provides the password to access the document. In addition, the text also reminds the recipient not to open attachments or follow links from unknown senders. If the document is opened and the password is entered, the document then requests that “Enable Content,” “Enable Editing,” or “Enable Macro” be clicked to properly view the document. 
If any of these are enabled, the infection process for Sigma will begin.<br/> <a href="https://forum.anomali.com/t/malspam-pushing-sigma-ransomware/2260" target="_blank">Click here for Anomali recommendation</a></p><p><a href="http://blog.talosintelligence.com/2018/03/goscanssh-analysis.html" target="_blank"><b>Forgot About Default Account? No Worries, GoScanSSH Didn’t</b></a> (<i>March 26, 2018</i>)<br/> Cisco Talos researchers have discovered a new malware family, dubbed “GoScanSSH,” that threat actors are using to compromise Secure Shell (SSH) servers and subsequently target Linux systems. The malware is written in the “Go” programming language and uses the “Tor2Web” proxy service for Command and Control (C2) communication in an attempt to make tracking and potential C2 takedown more difficult. Researchers believe that the initial infection vector for GoScanSSH is “likely an SSH credential brute-force attack against a publicly accessible SSH server that allowed password-based SSH authentication.”<br/> <a href="https://forum.anomali.com/t/forgot-about-default-account-no-worries-goscanssh-didn-t/2261" target="_blank">Click here for Anomali recommendation</a></p>
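<p>The typosquatting item above describes domains that drop the “o” from “.com,” leaving a “.cm” look-alike. The following added example (not from the briefing or from any of the cited researchers) shows how a defender can sweep web proxy logs for requests to such look-alikes of watched brand domains; the watchlist, the log format, and the log lines are all constructed for illustration.</p>

```python
import re
from urllib.parse import urlsplit

# Constructed watchlist of legitimate ".com" domains users are expected to visit.
WATCHLIST = {"espn.com", "panerabread.com", "myfitnesspal.com"}

# Constructed proxy log lines (timestamp, client IP, method, URL); not real traffic.
SAMPLE_LOG = """\
2018-03-29T10:01:12Z 10.0.0.15 GET http://espn.cm/nba/scores
2018-03-29T10:01:40Z 10.0.0.15 GET http://www.espn.com/nba/scores
2018-03-29T10:02:03Z 10.0.0.22 GET https://panerabread.cm/account
2018-03-29T10:03:55Z 10.0.0.31 GET http://example.cm/index.html
2018-03-29T10:04:10Z 10.0.0.31 GET http://ESPN.CM/login
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+)$")


def registrable_name(host):
    """Return (second-level label, TLD) for a host, ignoring a leading 'www.'."""
    labels = host.lower().rstrip(".").split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    if len(labels) < 2:
        return None
    return labels[-2], labels[-1]


def is_dropped_o_typosquat(host, watchlist=WATCHLIST):
    """True if host is a '.cm' look-alike of a watched '.com' domain."""
    parts = registrable_name(host)
    if parts is None:
        return False
    name, tld = parts
    return tld == "cm" and f"{name}.com" in watchlist


def find_typosquat_hits(log_text, watchlist=WATCHLIST):
    """Return (client_ip, host) pairs for requests to '.cm' look-alike domains."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        host = urlsplit(m.group("url")).hostname or ""  # hostname is lowercased
        if is_dropped_o_typosquat(host, watchlist):
            hits.append((m.group("client"), host))
    return hits


if __name__ == "__main__":
    for client, host in find_typosquat_hits(SAMPLE_LOG):
        print(f"typosquat hit: {client} -> {host}")
```

Each hit identifies a client that reached a look-alike domain and is a candidate for a block at the proxy and a follow-up with the user.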
