October 10, 2017
Anomali Threat Research

Weekly Threat Briefing: Every Single Yahoo Account Was Hacked 3 Billion In All

<p>The intelligence in this week’s iteration discuss the following threats: <b>Account compromise</b>, <b>Botnet</b>, <b>Data breach</b>, <b>Data theft</b>, <b>Malspam</b>, <b>Phishing</b>, <b>Ransomware</b>, <b>Targeted attacks</b>, and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.</p><h2>Trending Threats</h2><p><a href="https://www.bleepingcomputer.com/news/security/disqus-confirms-2012-data-breach-that-exposed-details-for-17-5-million-users/" target="_blank"><b>Disqus Confirms 2012 Data Breach That Exposed Details for 17.5 Million Users</b></a><b> </b> (<i>October 6, 2017</i>)<br/> Disqus, the U.S.-based blog comment hosting service company, has confirmed that it suffered a data breach in July 2012. Unknown threat actors were able to steal data associated with approximately 17.5 million user accounts. The stolen data consists of emails addresses, Disqus usernames, sign-up dates, and last logins in plaintext, according to the company. This breach appears to affect users who signed up between 2007 and 2012.<br/> <b>Recommendation:</b> Your company should implement security policies on accounts that store any sensitive information. Multi-factor authentication can help protect trade secrets and other forms of sensitive data.<br/> <b>Tags:</b> Data breach, Disqus</p><p><a href="https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/" target="_blank"><b>FreeMilk: A Highly Targeted Spear Phishing Campaign</b></a><b> </b> (<i>October 5, 2017</i>)<br/> A new spear phishing campaign, dubbed "FreeMilk," has been identified to have been ongoing since May 2017, according to Unit 42 researchers. The threat actors behind this campaign are compromising legitimate emails owned by various organization to then conduct the spear phishing attacks. The emails contain malicious documents that leverage the Microsoft Word CVE-2017-0199 vulnerability. Researchers observed that this campaign delivers different malware payloads together with the "PoohMilk" downloader.<br/> <b>Recommendation:</b> Spear phishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromised and used for such emails. Education is the best defense, inform your employees on what to expect for information requests from colleagues, management, and business partners. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack.<br/> <b>Tags:</b> Spear phishing, FreeMilk</p><p><a href="http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/" target="_blank"><b>SYSCON Backdoor Uses FTP as a C&amp;C Channel</b></a><b> </b> (<i>October 5, 2017</i>)<br/> Trend Micro researchers have found a botnet that uses an unusual method for its bots to communicate to a Command and Control (C2) server. A machine infected with the "SYSCON" backdoor has been identified to use an FTP server for communication as well as a C2 server. The SYSCON backdoor is distributed by actors via malicious documents with macros. Researchers note that all the observed documents mention North Korea. The FTP server tactics can potentially allow malicious activity to be overlooked, however, this method will also leave C2 traffic open to being monitored.<br/> <b>Recommendation:</b> All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments, in favor of a cloud file hosting service like Box or Dropbox.<br/> <b>Tags:</b> Phishing, Malware, SYSCON</p><p><a href="https://www.helpnetsecurity.com/2017/10/05/knockknock-campaign/" target="_blank"><b>KnockKnock Campaign Targets Office 365 Corporate Email Accounts</b></a><b> </b> (<i>October 5, 2017</i>)<br/> Researchers have identified a campaign, dubbed "KnockKnock," in which actors from 16 countries are targeting Office 365 corporate email accounts in specific sectors. At the time of this writing, the campaign is ongoing and targets various organizations in multiple sectors such as, financial services, healthcare, and manufacturing around the globe. Researchers note that the actors are not targeting emails accounts owned by individuals, but instead are targeting automated corporate accounts because they may not have the same level of security.<br/> <b>Recommendation:</b> As researchers noted in this story, sometimes automated email accounts represent a potential target to threat actors because the security on such accounts is weaker than one operated by a real person. Your company should institute security policies on all work-related email addresses, and include security measures such as two-factor authentication.<br/> <b>Tags:</b> Email compromise, Office 365, KnockKnock</p><p><a href="http://www.zdnet.com/article/password-leak-put-online-radio-stations-at-risk-of-hijack/" target="_blank"><b>Password Leak Puts Online Radio Stations at Risk of Hijack</b></a><b> </b> (<i>October 4, 2017</i>)<br/> Researchers have discovered that the New York-based broadcast site "SoniXCast" contains a vulnerability that leaks administrator passwords. The issue resides SonixCast's API, which actors can exploit to expose the passwords that are stored in plaintext. The passwords could then potentially be used to gain full control of 50,000 radio stations that SonixCast has on its network. As of this writing, the vulnerability has not been discussed in great detail because of security researchers such as Troy Hunt, who said that this vulnerability is the fourth most critical on the web today.<br/> <b>Recommendation:</b> Store a salted cryptographic hash of the SSN, preferably Bcrypt, and compare the hashes. Bcrypt is based off the Blowfish block cipher, which relies heavily on accesses to an alternating table which is not able to be efficiently implemented on a GPU. In comparison to something like SHA-256 which uses 32-bit logic operations and therefore able to be handled by GPUs much more efficiently giving attackers and edge in calculating hashes. This will reduce the risk of plain text Social Security Numbers from being leaked in the case of a breach, and also makes it difficult for threat actors to brute force the hashes.<br/> <b>Tags:</b> Vulnerability, Radio station, Broadcast, SoniXCast, Password leak,</p><p><a href="http://money.cnn.com/2017/10/03/technology/business/yahoo-breach-3-billion-accounts/index.html" target="_blank"><b>Every Single Yahoo Account Was Hacked 3 Billion In All</b></a><b> </b> (<i>October 4, 2017</i>)<br/> Verizon Wireless, the parent company of the internet services company "Yahoo!," has stated that the Yahoo! Breach of 2013 affected every single customer account that existed at the time. This includes Fantasy, Flickr, and Tumblr accounts. Verizon stated that, "The company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft."<br/> <b>Recommendation:</b> It is important that your company and employees use different passwords for the different accounts that are being used. Previous breaches can allow actors to gain access to other accounts because users frequently use the same username and password combinations for multiple accounts.<br/> <b>Tags:</b> Account compromise</p><p><a href="https://www.alphabot.com/security/blog/2017/java/Apache-Tomcat-RCE-CVE-2017-12617.html" target="_blank"><b>Apache Tomcat RCE if Readonly Set to False (CVE-2017-12617)</b></a> (<i>October 3, 2017</i>)<br/> The team behind the open source Java Servlet Container, "Apache Tomcat," has announced that all version before 9.0.1 (beta), 8.5.23, 8.0.47, and 7.0.82 contain a Remote Code Execution (RCE) vulnerability. This vulnerability, registered as "CVE-2017-12617," can be exploited on all operating systems if the default servlet is configured with the parameter "readonly" set to "false," or if the WebDAV servlet is enabled with the parameter "readonly" set to "false."<br/> <b>Recommendation:</b> Tomcat users who have not set "readonly" to "false" on publicly accessible Tomcat servers should not be affected by this vulnerability. Additionally, administrators should check the default configuration of Tomcat products to ensure that they are not vulnerable to this CVE.<br/> <b>Tags:</b> Vulnerability, Apache Tomcat</p><p><a href="https://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/" target="_blank"><b>The Flusihoc Dynasty, A Long Standing DDoS Botnet</b></a><b> </b> (<i>October 3, 2017</i>)<br/> Arbor Networks researchers have released a report detailing a Distributed Denial-of-Service (DDoS) botnet called "Flusihoc." The botnet has potential origins in China due to geolocations of Command and Control (C2) servers and static attributes. Researchers have identified over 500 unique sample of Fluhisoc since 2015. In addition to conducting DDoS attacks, as of April 2017, Fluhisoc is also capable of downloading and executing a file using the Windows API.<br/> <b>Recommendation:</b> Denial of service attacks can potentially cost your company loss in revenue because severe attacks can shut down online services for extended periods of time. With the leak of the Mirai botnet source code in October, the availability for threat actors to compromise vulnerable devices, and purchase DDoS for hire is a continually evolving threat. Mitigation technique can vary depending on the specifics of the attack. For example, in the case of BlackNurse, which can disrupt enterprise firewalls, ICMP type 3 traffic should be block, or at least rate limited.<br/> <b>Tags:</b> Flusihoc, Botnet, DDoS</p><p><a href="https://www.us-cert.gov/ncas/current-activity/2017/10/03/Tragic-Event-Related-Scams" target="_blank"><b>Tragic-Event-Related Scams</b></a><b> </b> (<i>October 3, 2017</i>)<br/> The U.S. Computer Emergency Readiness Team (CERT) is warning individuals to be aware of potential scams related to the tragic event that took place in Las Vegas, Nevada. The US-CERT warns that the scams will likely be targeting individuals who wish to donate to assist victims, and victims themselves. The malicious activity could take shape in various forms such as calls, door-to-door solicitations, fraudulent websites, phishing emails, social media pleas, and texts.<br/> <b>Recommendation:</b> All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful to inform employees that after a natural disaster or major political event threat actors will theme their malicious activity about what just occurred. Individuals should check for a registered charity number if they wish to donate, and do not enter banking information on dubious looking locations. Furthermore, always be cautious when reading email, particularly if the message urgently requests the recipient to visit a link or open an attachments.<br/> <b>Tags:</b> Tragic event, Scams, Alert</p><p><a href="https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html" target="_blank"><b>Behind the Masq: Yet More DNS, and DCHP, Vulnerabilities</b></a><b> </b> (<i>October 2, 2017</i>)<br/> Google researchers have discovered seven vulnerabilities in the Domain Name Server (DNS) software package, "Dnsmasq." The vulnerabilities initial exploitation vectors are accomplished via DNS and Dynamic Host Configuration Protocol (DCHP), and affect the latest version at the project git server as of September 5, 2017. Furthermore, the vulnerabilities can result in denial of service, information leaks, and remote code execution.<br/> <b>Recommendation:</b> Dnsmasq user should apply the appropriate patches as soon as possible. Additionally, this application usually runs on embedded devices, but only affects the LAN. Therefore, if no updates are available, the device could be disabled to avoid potential exploitation.<br/> <b>Tags:</b> Vulnerabilities, Dnsmasq</p><p><a href="http://www.malware-traffic-analysis.net/2017/10/02/index.html" target="_blank"><b>Necurs Botnet Malspam Still Pushing ".YKCOL" Variant Locky Ransomware</b></a><b> </b> (<i>October 2, 2017</i>)<br/> Researchers have released information discussing the ongoing malspam campaign from actors behind the "Locky" ransomware. This campaign is distributing the ".ykcol" Locky variant in malspam emails, some of which claim than an attached document is an invoice, or simply a new document. The emails are being sent by spoofed email addresses, according to researchers. The actors are requesting 0.6 bitcoins ($1,711.60 USD) for victims to decrypt their files.<br/> <b>Recommendation:</b> Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders.<br/> <b>Tags:</b> Malspam, Ransomware, Locky variant, .ykcol</p><p><a href="https://latesthackingnews.com/2017/10/02/etherparty-ethereum-ico-hijacked/" target="_blank"><b>Etherparty Ethereum ICO Has Been Hijacked</b></a><b> </b> (<i>October 2, 2017</i>)<br/> The smart contract creation tool company, "Etherparty," has announced that their website was breached by unknown actors. The company stated the actors breached the address on their Initial Coin Offering (ICO) website to reroute funds to the actors instead of Etherparty. The actors had control of the website for approximately 95 minutes. Additionally, Etherparty has stated that it will refund any affected contributors with its proprietary FUEL token. As of this writing, it is unknown how many individuals may have inadvertently given funds to malicious actors.<br/> <b>Recommendation:</b> Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.<br/> <b>Tags:</b> Compromise, Website</p><p><a href="https://www.bleepingcomputer.com/news/security/study-concludes-an-additional-2-5-million-americans-affected-by-equifax-breach/" target="_blank"><b>Study Concludes an Additional 2.5 Million Americans Affected by Equifax Breach</b></a><b> </b> (<i>October 2, 2017</i>)<br/> The U.S. credit bureau, "Equifax," has acknowledge that an additional 2.5 million Americans were affected by the breach that was announced on September 7, 2017. The total number of individuals whose Personally Identifiable Information (PII) was exposed from the breach now comprises of approximately 145.5 million. The security firm, "Mandiant," that was hired by Equifax to investigate the breach, also discovered that the amount of affected Canadian citizens is closer to eight thousand rather than 100 thousand.<br/> <b>Recommendation:</b> With nearly half of the U.S. population affected by this breach, it is important for individuals to check to see if they are affected by using the following website "https://www.equifaxsecurity2017.com/potential-impact/". Additionally, individuals should regularly check their credit statements in order to identify potential malicious activity.<br/> <b>Tags:</b> Data Breach, Equifax, PII</p><h2>Observed Threats</h2><p>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. <a href="https://www.anomali.com/products/threatstream" target="_blank">Click here to request a trial.</a></p><p><a href="https://ui.threatstream.com/tip/7064" target="_blank"><b>Locky Tool Tip</b></a><br/> Locky is ransomware that is widely spread via phishing messages. Locky first appeared in early 2016. Locky is strongly correlated with the cyber criminal groups related to the dridex and necurs botnets. Multiple waves of Locky samples are distributed daily. The delivery mechanism has evolved over time. The delivery mechanism has been spam messages with executable attachments, MS Word document attachments using Macros to retrieve then execute Locky, and Zip files that extract JavaScript loaders that retrieve then execute Locky. Hosts compromised by Locky display a ransom-note with instructions on how to decrypt the encrypted files. Encrypted files are renamed .locky or .zepto.<br/> <b>Tags:</b> Locky, Ransomware</p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.