April 13, 2021
Anomali Threat Research

Anomali Cyber Watch: Android Malware, Government, Middle East and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, Cobalt Group, FIN6, NetWalker, OilRig, Rocke Group,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/2Pev3iFxSZGGydWSp7wO"/><br/> <em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</em></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/" target="_blank">Iran’s APT34 Returns with an Updated Arsenal</a></h3> <p>(published: April 8, 2021)</p> <p>Check Point Research discovered evidence of a new campaign by the Iranian threat group APT34. The threat group has been actively retooling and updating its payload arsenal to try and avoid detection. They have created several different malware variants whose ultimate purpose remained the same, to gain the initial foothold on the targeted device.<br/> <b>Analyst Comment:</b> Threat actors are always innovating new methods and update tools used to carry out attacks. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe).<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947191" target="_blank">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947217" target="_blank">[MITRE ATT&amp;CK] Exploitation of Remote Services - T1210</a> | <a href="https://ui.threatstream.com/ttp/947180" target="_blank">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947133" target="_blank">[MITRE ATT&amp;CK] Custom Cryptographic Protocol - T1024</a> | <a href="https://ui.threatstream.com/ttp/947203" target="_blank">[MITRE ATT&amp;CK] Web Service - T1102</a> | <a href="https://ui.threatstream.com/ttp/947278" target="_blank">[MITRE ATT&amp;CK] Remote File Copy - T1105</a> | <a href="https://ui.threatstream.com/ttp/947201" target="_blank">[MITRE ATT&amp;CK] Scripting - T1064</a><br/> <b>Tags:</b> OilRig, APT34, DNSpionage, Lab Dookhtegan, TONEDEAF, Dookhtegan, Karkoff, DNSpionage, Government, Middle East</p> </div> <div class="trending-threat-article"> <h3 id="article-2"><a href="https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/" target="_blank">New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp</a></h3> <p>(published: April 7, 2021)</p> <p>Check Point Research recently discovered Android malware on Google Play hidden in a fake application that is capable of spreading itself via users’ WhatsApp messages. The malware is capable of automatically replying to victim’s incoming WhatsApp messages with a payload received from a command-and-control (C2) server. This unique method could have enabled threat actors to distribute phishing attacks, spread false information or steal credentials and data from users’ WhatsApp accounts, and more.<br/> <b>Analyst Comment:</b> Users’ personal mobile has many enterprise applications installed like Multifactor Authenticator, Email Client, etc which increases the risk for the enterprise even further. Users should be wary of download links or attachments that they receive via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups. The latest security patches should be installed for both applications and the operating system.<br/> <b>Tags:</b> Android, FlixOnline, WhatsApp</p> </div> <div class="trending-threat-article"> <h3 id="article-3"><a href="https://www.bleepingcomputer.com/news/security/new-cring-ransomware-hits-unpatched-fortinet-vpn-devices/" target="_blank">New Cring ransomware hits unpatched Fortinet VPN devices</a></h3> <p>(published: April 7, 2021)</p> <p>A new human-operated ransomware strain known as Cring is being exploited by Cring to breach and encrypt industrial sector companies' networks. The attackers exploit Fortinet SSL VPN servers unpatched against the “CVE-2018-13379” vulnerability. The Cring operators drop customized Mimikatz samples, followed by CobaltStrike after gaining initial access and deploying the ransomware payloads.<br/> <b>Analyst Comment:</b> Malicious actors continuously monitor the internet exposed system for known vulnerabilities. It’s important to install patches on those systems as soon as they are available. If possible internet access to such systems needs to be restricted to avoid exposure. Forensic analysis needs to be performed using tools such as Anomali Match to check if any attacks took place before patches were available.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947201" target="_blank">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947231" target="_blank">[MITRE ATT&amp;CK] Valid Accounts - T1078</a><br/> <b>Tags:</b> Ghost, CertUtil, Cobalt Strike, Mimikatz, CobaltStrike, CVE-2019-5591, CVE-2020-12812, CVE-2018-13379, Government, Military, EU, UK, North America</p> </div> <div class="trending-threat-article"> <h3 id="article-4"><a href="https://www.intezer.com/blog/cloud-security/rocke-group-actively-targeting-the-cloud-wants-your-ssh-keys/" target="_blank">Rocke Group Actively Targeting the Cloud: Wants Your SSH Keys</a></h3> <p>(published: April 6, 2021)</p> <p>Rocke Group is a Chinese-based threat actor most known for running cryptojacking malware on Linux machines. The group has been active since 2018 and continues to evolve by modifying its tools and techniques to stay evasive. In 2019, Intezer reported Rocke Group was competing with Pacha Group for cryptomining positioning on Linux-based servers in the cloud.<br/> <b>Analyst Comment:</b> Use strong passwords for SSH, Jenkins, and Redis services. It is also highly recommended to use TLS authentication. Don’t reuse ssh keys. Restrict access to critical internal machines. Enable IPS to detect network scanning and password brute-forcing attempts<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947276" target="_blank">[MITRE ATT&amp;CK] Network Service Scanning - T1046</a> | <a href="https://ui.threatstream.com/ttp/947097" target="_blank">[MITRE ATT&amp;CK] Permission Groups Discovery - T1069</a> | <a href="https://ui.threatstream.com/ttp/947127" target="_blank">[MITRE ATT&amp;CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/947096" target="_blank">[MITRE ATT&amp;CK] Timestomp - T1099</a> | <a href="https://ui.threatstream.com/ttp/947227" target="_blank">[MITRE ATT&amp;CK] Brute Force - T1110</a> | <a href="https://ui.threatstream.com/ttp/947141" target="_blank">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/947186" target="_blank">[MITRE ATT&amp;CK] Software Packing - T1045</a><br/> <b>Tags:</b> kerberods, Pacha Group, Rocke Group, ROCKE GROUP, XMRig, CVE-2018-1000861, CVE-2019-1003000, CVE-2016-3088, China, Middle East</p> </div> <div class="trending-threat-article"> <h3 id="article-5"><a href="https://threatpost.com/sap-bugs-cyberattack-compromise/165265/" target="_blank">SAP Bugs Under Active Cyberattack, Causing Widespread Compromise</a></h3> <p>(published: April 6, 2021)</p> <p>From mid-2020 until today, Onapsis researchers have recorded more than 300 successful exploit attempts on unprotected SAP instances. The activity originates from all over the world, including Hong Kong, India, Japan, the Netherlands, Singapore, South Korea, Taiwan, United States, Vietnam and Yemen. Actors are using the vulnerabilities to establish persistence, for privilege escalation, evasion and, ultimately, complete control of SAP systems, including financial, human capital management and supply-chain applications.<br/> <b>Analyst Comment:</b> SAP is the most widely used enterprise application and it also hosts critical business &amp; user data. According to data, SAP vulnerabilities are being weaponized in less than 72 hours since the release of patches, and new unprotected SAP applications provisioned in cloud (IaaS) environments being discovered and compromised in less than three hours.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947231" target="_blank">[MITRE ATT&amp;CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/947126" target="_blank">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947125" target="_blank">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947191" target="_blank">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a><br/> <b>Tags:</b> CRM, CVE-2010-5326, CVE-2020-6287, CVE-2018-2380, CVE-2016-3976, CVE-2016-9563, CVE-2020-6207, Banking And Finance, Government, Healthcare, EU, UK, North America, Middle East, SAP</p> </div> <div class="trending-threat-article"> <h3 id="article-6"><a href="https://threatpost.com/conti-40m-ransom-florida-school/165258/" target="_blank">Conti Gang Demands $40M Ransom from Florida School District</a></h3> <p>(published: April 6, 2021)</p> <p>The Conti Gang has demanded a $40 million ransom from a Fort Lauderdale, Fla., school district. Attackers stole personal information from students and teachers, disrupted the district's networks, and caused some services to be unavailable. The incident that was discovered on March 7 at Broward County Public Schools drew limited attention at the time of the attack. But new details have emerged on DataBreaches.net, which recently posted a screenshot of a chat between attackers and a school district official.<br/> <b>Analyst Comment:</b> Educational institutions are among the public entities that have been compromised by ransomware gangs. In the case of schools, there’s little to no discretionary budget, and even core resources are underfunded. That’s usually a catch-22 situation for them as they can’t invest enough in their security &amp; can’t afford to pay up a huge ransom in case they get attacked.<br/> <b>Tags:</b> Conti Gang, money, Conti, Maze gang, NetWalker, Banking And Finance, Education, North America</p> </div> <div class="trending-threat-article"> <h3 id="article-7"><a href="https://threatpost.com/apple-mail-zero-click-security-vulnerability/165238/" target="_blank">Apple Mail Zero-Click Security Vulnerability Allows Email Snooping</a></h3> <p>(published: April 5, 2021)</p> <p>A zero-click security vulnerability in Apple's macOS Mail would allow a cyberattacker to add or modify any arbitrary file inside Mail's sandbox environment. The bug could lead to unauthorized disclosure of sensitive information to a third party; the ability to modify a victim’s Mail configuration, including mail redirects which enables takeover of victim’s other accounts via password resets; and the ability to change the victim’s configuration so that the attack can propagate to correspondents in a worm-like fashion.<br/> <b>Analyst Comment:</b> Vulnerabilities, where the exploit is possible without any user action, are more dangerous as they enable large-scale exploits. This vulnerability has been given a medium severity score as it only allows manipulation of files in $HOME/Library/Mail directory.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947098" target="_blank">[MITRE ATT&amp;CK] Email Collection - T1114</a><br/> <b>Tags:</b> CVE-2020-9922, Apple, macOS, vulnerability</p> </div> <div class="trending-threat-article"> <h3 id="article-8"><a href="https://threatpost.com/linkedin-spear-phishing-job-hunters/165240/" target="_blank">LinkedIn Spear-Phishing Campaign Targets Job Hunters</a></h3> <p>(published: April 5, 2021)</p> <p>A threat group called Golden Chickens is delivering the fileless backdoor more_eggs through a spear-phishing campaign targeting professionals on LinkedIn with fake job offers, according to researchers at eSentire. The phishing emails try to trick a victim into clicking on a malicious ZIP file by picking up the victim's current job title and adding the word 'position' at the end, making it appear like a legitimate offer. The group is also selling more_eggs as malware-as-a-service to other cybercriminals, who use it to gain a foothold in victim's systems to install other types of malware, including banking malware and ransomware.<br/> <b>Analyst Comment:</b> The goal of this spearphishing campaign seems to be targeting people looking for job change rather than people who lost their job. During the work-from-home state we are in, personal and organization devices coexist on the same network. Compromising such user devices can enable access to critical organization data &amp; infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947106" target="_blank">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/947097" target="_blank">[MITRE ATT&amp;CK] Permission Groups Discovery - T1069</a> | <a href="https://ui.threatstream.com/ttp/947278" target="_blank">[MITRE ATT&amp;CK] Remote File Copy - T1105</a> | <a href="https://ui.threatstream.com/ttp/947231" target="_blank">[MITRE ATT&amp;CK] Valid Accounts - T1078</a><br/> <b>Tags:</b> Cobalt Group, Golden Chickens, FIN6, More_Eggs, Evilnum, Banking And Finance, Healthcare</p> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.