June 5, 2018 - Anomali Threat Research

Weekly Threat Briefing: Sigrun Ransomware Author Decrypting Russian Victims for Free

<p>This section contains summaries of threat intelligence stories from the past week. The intelligence in this week’s iteration discusses the following threats: <b>APT</b>, <b>Banking trojan</b>, <b>Backdoor trojan</b>, <b>Data leak</b>, <b>Malspam</b>, <b>Misconfigured databases</b>, <b>Ransomware</b>, <b>SMB worm</b>, <b>Spear phishing</b>, <b>Threat group</b>, <b>Vulnerabilities</b>, and <b>Zero-day</b>. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.</p><h2>Trending Threats</h2><p><a href="https://www.kennasecurity.com/widespread-google-groups-misconfiguration-exposes-sensitive-information/" target="_blank"><b>Widespread Google Groups Misconfiguration Exposes Sensitive Information</b></a> (<i>June 1, 2018</i>)<br/> Numerous organizations using Google’s “G Suite,” which provides cloud services and collaboration tools, are leaking sensitive data through misconfigured Google Groups, according to Kenna Security researchers. The researchers found that of approximately 9,600 organizations using G Suite, around 3,000 (31%) were leaking some form of information via emails posted to groups whose sharing settings left the mailing-list archive readable by anyone on the internet. 
The affected organizations include Fortune 500 companies, hospitals, newspapers and television stations, universities and colleges, and United States government agencies.<br/> <a href="https://forum.anomali.com/t/widespread-google-groups-misconfiguration-exposes-sensitive-information/2537" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.us-cert.gov/ncas/current-activity/2018/06/01/Apple-Releases-Security-Updates" target="_blank"><b>Apple Releases Security Updates</b></a> (<i>June 1, 2018</i>)<br/> The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding vulnerabilities in macOS “High Sierra.” Apple has released a security update for High Sierra and supplemental updates for macOS “Sierra” and “El Capitan.” A remote attacker could exploit some of these vulnerabilities to take control of an affected system, according to US-CERT.</p><p><a href="https://www.bleepingcomputer.com/news/security/sigrun-ransomware-author-decrypting-russian-victims-for-free/" target="_blank"><b>Sigrun Ransomware Author Decrypting Russian Victims for Free</b></a> (<i>June 1, 2018</i>)<br/> Security researcher Alex Svirid, known for analyzing ransomware, discovered that the author of the “Sigrun” ransomware is decrypting files for free for victims located in Russia. From all other victims, the actor demands $2,500 USD in Bitcoin or Dash for the decryption key. In addition, Sigrun checks the default keyboard layout on an infected machine and, if a Russian layout is detected, deletes itself. 
The distribution method for this malware is not mentioned; however, email attachments are a common tactic used to propagate ransomware.<br/> <a href="https://forum.anomali.com/t/sigrun-ransomware-author-decrypting-russian-victims-for-free/2538" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.talosintelligence.com/2018/05/navrat.html?m=1" target="_blank"><b>NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea</b></a> (<i>May 31, 2018</i>)<br/> A new campaign is targeting South Korean users with a malicious Hangul Word Processor (HWP) document that installs a Remote Access Trojan (RAT) called “NavRAT,” according to Cisco Talos researchers. Researchers believe that the threat group “Group123,” which is based in the Democratic People’s Republic of Korea (DPRK), may be responsible for this spear phishing campaign. The emails are themed around the potential summit between United States and DPRK leaders, with the document titled “Prospects for US-North Korea Summit.hwp” (translated). The document contains an embedded Encapsulated PostScript (EPS) object that executes shellcode to download the NavRAT payload. 
NavRAT uses the free Korean email service “Naver” for Command and Control (C2) communication and is capable of downloading and uploading files, executing commands, and logging keystrokes.<br/> <a href="https://forum.anomali.com/t/navrat-uses-us-north-korea-summit-as-decoy-for-attacks-in-south-korea/2539" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/rig-exploit-kit-now-using-cve-2018-8174-to-deliver-monero-miner/" target="_blank"><b>Rig Exploit Kit Now Using CVE-2018-8174 to Deliver Monero Miner</b></a> (<i>May 31, 2018</i>)<br/> Trend Micro researchers have found that the RIG exploit kit is using a remote code execution vulnerability registered as “CVE-2018-8174,” a flaw in the Windows VBScript engine that Microsoft patched in its May 2018 security updates. The vulnerability affects Windows 7 and later via the Internet Explorer web browser and Microsoft Office documents that invoke the vulnerable VBScript engine. RIG is being served via malicious advertisements (malvertising) containing hidden iframes that redirect to RIG’s landing page. Once on the landing page, RIG exploits CVE-2018-8174 to execute obfuscated shellcode that retrieves a second-stage downloader, found to be a variant of “SmokeLoader.” SmokeLoader then downloads a “Monero” cryptocurrency miner as the final payload.<br/> <a href="https://forum.anomali.com/t/rig-exploit-kit-now-using-cve-2018-8174-to-deliver-monero-miner/2540" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bleepingcomputer.com/news/security/activex-zero-day-discovered-in-recent-north-korean-hacks/" target="_blank"><b>ActiveX Zero-Day Discovered in Recent North Korean Hacks</b></a> (<i>May 31, 2018</i>)<br/> A cyberespionage group called “Andariel Group” has been observed exploiting a zero-day vulnerability in “ActiveX,” according to AhnLab researchers. 
ActiveX is a Microsoft framework that adapts the earlier Component Object Model (COM) and Object Linking and Embedding (OLE) technologies for content downloaded from a network; although largely abandoned elsewhere, it remains widely used by South Korean websites and applications. Andariel Group is believed to be a small faction within the Advanced Persistent Threat (APT) group “Lazarus Group” (Hidden Cobra), which is attributed to the Democratic People’s Republic of Korea (DPRK).<br/> <a href="https://forum.anomali.com/t/activex-zero-day-discovered-in-recent-north-korean-hacks/2541" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://asert.arbornetworks.com/omg-mirai-minions-are-wicked/" target="_blank"><b>OMG – Mirai Minions Are Wicked</b></a> (<i>May 31, 2018</i>)<br/> Arbor Networks ASERT team researchers have released information regarding four variants of the notorious “Mirai” Internet of Things (IoT) Distributed Denial-of-Service (DDoS) malware. Mirai’s source code was released back in 2016 and has since spawned multiple variants that borrow its malicious capabilities. The four variants discussed are called “JenX,” “OMG,” “Satori,” and “Wicked.” The actors behind these variants added new features and expanded upon the Mirai source code. 
New features include remote code injection exploits, HTTP and SOCKS proxy functionality, and expanded scanning capabilities.<br/> <a href="https://forum.anomali.com/t/omg-mirai-minions-are-wicked/2542" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bleepingcomputer.com/news/security/valve-patches-security-bug-that-existed-in-steam-client-for-the-past-ten-years/" target="_blank"><b>Valve Patches Security Bug That Existed in Steam Client for the Past Ten Years</b></a> (<i>May 31, 2018</i>)<br/> Context Information Security researcher Tom Court found a remote code execution vulnerability in Valve’s “Steam” gaming client that could be exploited by a threat actor “to execute malicious code on any of Steam’s 15 million gaming clients.” To exploit the vulnerability, a threat actor would need to send malformed UDP packets to a target machine. The malformed UDP packets cause a buffer overflow in one of Steam’s internal libraries that reassembles fragmented UDP packets. Researchers note that this vulnerability was accidentally half-patched in July 2017 by an update that added a new security feature: with that update applied, exploitation crashes Steam rather than allowing remote code execution, although the underlying bug remained until Valve’s 2018 fix.<br/> <a href="https://forum.anomali.com/t/valve-patches-security-bug-that-existed-in-steam-client-for-the-past-ten-years/2543" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.databreaches.net/hackers-threaten-to-reveal-personal-data-of-90000-canadians-caught-in-bank-hack/" target="_blank"><b>Hackers Threaten to Reveal Personal Data of 90,000 Canadians Caught in Bank Hack</b></a> (<i>May 31, 2018</i>)<br/> Threat actors are threatening two Canadian banks with the release of Personally Identifiable Information (PII) if their demand of a one-million-dollar ransom is not met. 
The threat actors are threatening to release data belonging to customers of the “Bank of Montreal” (BMO) and the online bank “Simplii Financial” (which is owned by the Canadian Imperial Bank of Commerce). BMO and Simplii Financial issued a statement on May 28, 2018, in which they confirmed that after an investigation they discovered that the actors had stolen account holder information related to approximately 90,000 individuals; 40,000 account holders for Simplii Financial and 50,000 for BMO.<br/> <a href="https://forum.anomali.com/t/hackers-threaten-to-reveal-personal-data-of-90-000-canadians-caught-in-bank-hack/2544" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.flashpoint-intel.com/blog/trickbot-icedid-collaborate-increase-impact/" target="_blank"><b>TrickBot and IcedID Botnet Operators Collaborate to Increase Impact</b></a> (<i>May 30, 2018</i>)<br/> Instead of competing for potential victims and monetary theft, the threat actors behind the “IcedID” and “TrickBot” banking trojans are collaborating, according to Flashpoint researchers. The researchers believe that the actors are collaborating because analysis conducted on malware samples revealed that machines infected with IcedID were also downloading TrickBot. Sometimes malware will search for other malware on a machine and even remove the “competing” malware; so observing a machine infected with one banking trojan downloading a different banking trojan is an interesting observation. 
In this campaign, the IcedID trojan is functioning as a TrickBot downloader, and IcedID itself is being distributed via spam emails.<br/> <a href="https://forum.anomali.com/t/trickbot-and-icedid-botnet-operators-collaborate-to-increase-impact/2545" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://mackeepersecurity.com/post/honda-leaked-personal-information-from-its-honda-connect-app/" target="_blank"><b>Honda Leaked Personal Information From Its Honda Connect App</b></a> (<i>May 30, 2018</i>)<br/> Kromtech Security Center researchers found that two Amazon Web Services (AWS) S3 buckets owned by “Honda Car India” were configured for public access. Inside the buckets, researchers discovered databases containing Personally Identifiable Information (PII) belonging to users of the “Honda Connect App.” Overall, this leak affects approximately 50,000 Honda Connect App users. The data consists of the following: account password, email address (for users and their trusted contacts), full name, phone number (for users and their trusted contacts), and car information such as VIN and Connect IDs, among others.<br/> <a href="https://forum.anomali.com/t/honda-leaked-personal-information-from-its-honda-connect-app/2546" target="_blank">Click here for Anomali recommendation</a></p><p><a href="http://seclists.org/fulldisclosure/2018/May/54" target="_blank"><b>[CVE-2018-1418] IBM QRadar SIEM Unauthenticated Remote Code Execution as Root</b></a> (<i>May 28, 2018</i>)<br/> Security researcher Pedro Ribeiro has published a report regarding his discovery of three vulnerabilities in IBM’s “QRadar Security Information and Event Management (SIEM)” software. QRadar SIEM is used to collect log data and other forms of information to assist in detecting anomalous or malicious behavior. Ribeiro identified three distinct vulnerabilities; however, IBM has attributed them all to a single identifier, CVE-2018-1418, and unauthenticated remote code execution depends on chaining all three. 
Two of the vulnerabilities are “logical bugs,” located in the forensics application, that can be exploited to bypass authentication. Overall, the full chain can be exploited with two HTTP requests.<br/> <a href="https://forum.anomali.com/t/cve-2018-1418-ibm-qradar-siem-unauthenticated-remote-code-execution-as-root/2547" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blogs.msdn.microsoft.com/devops/2018/05/29/announcing-the-may-2018-git-security-vulnerability/" target="_blank"><b>Announcing the May 2018 Git Security Vulnerability</b></a> (<i>May 29, 2018</i>)<br/> A vulnerability in “Git,” the open source version control system, has been disclosed by the Git community. The vulnerability, registered as “CVE-2018-11235,” can result in the execution of arbitrary code if exploited. Ordinarily, “git clone” deliberately does not copy configuration data, including hooks, from the server, so that a remote repository cannot make the client run code. A repository’s submodule configuration, however, is committed into the repository itself, and Git did not sufficiently validate the submodule names it contains. Git derives the on-disk location of a submodule’s git directory under .git/modules from that name, so a name containing “..” path components could make a recursive clone use a repository-supplied directory, hook scripts included, which Git would then execute; as the announcement puts it, “a remote server could provide you code that you would then execute on your computer.” Git 2.17.1 and the corresponding maintenance releases reject such submodule names.<br/> <a href="https://forum.anomali.com/t/announcing-the-may-2018-git-security-vulnerability/2548" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.us-cert.gov/ncas/alerts/TA18-149A" target="_blank"><b>HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm</b></a> (<i>May 29, 2018</i>)<br/> The United States Computer Emergency Readiness Team (US-CERT), along with its partners in the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI), has issued a joint technical alert. The alert provides information regarding the Advanced Persistent Threat (APT) group “HIDDEN COBRA,” which is attributed to the North Korean government. 
Researchers discovered that the group has been using the “Joanap” Remote Access Trojan (RAT) and the “Brambul” Server Message Block (SMB) worm to target entities around the world since at least 2009. Targeted sectors include the following: aerospace, critical infrastructure, financial, and media.<br/> <a href="https://forum.anomali.com/t/hidden-cobra-joanap-backdoor-trojan-and-brambul-server-message-block-worm/2549" target="_blank">Click here for Anomali recommendation</a></p>
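The Honda Connect leak summarized above is a case of S3 buckets whose access configuration granted read access to the public. As an added example, not Kromtech’s tooling or anything from Honda, the following Python inspects the two places an S3 bucket can be opened up: the bucket ACL, in the shape the S3 GetBucketAcl API returns, and the bucket policy document. Both inputs are constructed samples; the owner ID, account ID, bucket name and role name are placeholders.

```python
import json

# Well-known group grantees in S3 ACLs. AllUsers makes a grant reachable with
# no credentials at all; AuthenticatedUsers makes it reachable by any AWS
# account in the world, which is public for practical purposes.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed sample, shaped like the response of the S3 GetBucketAcl API
# (placeholder IDs; not the Honda buckets' real configuration).
SAMPLE_ACL = {
    "Owner": {"ID": "0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Constructed sample bucket policy: one statement lets anyone (Principal "*")
# list the bucket and fetch every object; the other is a normal app role grant.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})


def public_acl_grants(acl):
    """Return (grantee URI, permission) pairs granted to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            found.append((grantee["URI"], grant.get("Permission")))
    return found


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (the "*" may sit inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return the Sids of Allow statements that apply to any principal and
    carry no Condition block; those are reachable without credentials."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in statements
        if stmt.get("Effect") == "Allow"
        and _principal_is_public(stmt.get("Principal"))
        and not stmt.get("Condition")
    ]


def bucket_is_public(acl, policy_json):
    """Overall verdict combining both configuration sources."""
    return bool(public_acl_grants(acl)) or bool(public_policy_statements(policy_json))


if __name__ == "__main__":
    print("ACL public grants:", public_acl_grants(SAMPLE_ACL))
    print("Public policy statements:", public_policy_statements(SAMPLE_POLICY))
    print("Bucket public:", bucket_is_public(SAMPLE_ACL, SAMPLE_POLICY))
```

In practice, feed it the output of `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` (the latter returns the policy as a JSON string under the `Policy` key). Statements that carry a `Condition` are skipped here and deserve a manual look, since a condition such as a source-IP restriction may or may not genuinely limit exposure, and object-level ACLs can make individual keys public even when the bucket-level configuration is clean.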
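The CVE-2018-11235 item above turns on where a recursive clone puts a submodule’s git directory: Git derives that location from the submodule name recorded in the repository’s own .gitmodules, so a name with “..” components steers it out of .git/modules/ and onto a directory the attacker ships inside the repository, hooks included. The following Python is an added illustration, not Git’s code or material from the Git announcement: it reads a constructed .gitmodules, shows the git-directory path each name resolves to, and ports the name validation rule that patched Git versions apply. The sample submodule names, paths and URLs are made up.

```python
import posixpath
import re

# Constructed sample .gitmodules (not from any real repository). The second
# entry carries a submodule name with ".." components, the pattern that
# CVE-2018-11235 abused: the name decides where the submodule's git directory
# is written, so ".." steers it out of .git/modules/ and into a directory that
# is itself checked in to the superproject, hooks included.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "../../modules/evil"]
\tpath = vendor/evil
\turl = https://example.invalid/evil.git
"""

_SECTION = re.compile(r'^\s*\[submodule\s+"(.*)"\]\s*$')
_KEYVAL = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text):
    """Minimal .gitmodules reader: list of (name, {key: value}) in file order."""
    entries = []
    current = None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            current = (m.group(1), {})
            entries.append(current)
            continue
        m = _KEYVAL.match(line)
        if m and current is not None:
            current[1][m.group(1).lower()] = m.group(2)
    return entries


def submodule_name_is_safe(name):
    """Python port of the rule patched Git applies to submodule names: the
    name must be non-empty and no path component, split on either '/' or '\\'
    regardless of platform, may be '..'."""
    if not name:
        return False
    return all(component != ".." for component in re.split(r"[/\\]", name))


def gitdir_for_submodule(name):
    """Where a recursive clone stores the submodule's git directory, relative
    to the superproject's working tree (POSIX paths, for illustration)."""
    return posixpath.normpath(posixpath.join(".git/modules", name))


def escapes_modules_dir(name):
    """True if the computed git directory lands outside .git/modules/."""
    gitdir = gitdir_for_submodule(name)
    return not (gitdir == ".git/modules" or gitdir.startswith(".git/modules/"))


def unsafe_submodules(text):
    """Submodule names in a .gitmodules blob that patched Git would reject."""
    return [name for name, _ in parse_gitmodules(text)
            if not submodule_name_is_safe(name)]


if __name__ == "__main__":
    for name, keys in parse_gitmodules(SAMPLE_GITMODULES):
        print(f"{name!r}: path={keys.get('path')} "
              f"gitdir={gitdir_for_submodule(name)} "
              f"safe={submodule_name_is_safe(name)} "
              f"escapes={escapes_modules_dir(name)}")
```

For the made-up “../../modules/evil” entry the git directory resolves to modules/evil, a path inside the superproject’s working tree and therefore under the remote repository’s control, which is exactly what lets committed hook scripts run during the clone. The real fix is upgrading every client to a patched Git release; a check like this one, run server-side over .gitmodules in pushed trees, only protects repositories that pass through your own infrastructure.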
