Anomali Weekly Threat Intelligence Briefing – May 23, 2017

Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Threats

This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.

Meet EternalRocks, WannaCry’s Scarier Successor (May 21, 2017)
Security researchers have discovered a new malware dubbed “EternalRocks,” that uses the same vulnerabilities exploited by the “WannaCry” ransomware. In total, the EternalRocks worm uses seven leaked NSA tools to propagate itself. The malware targets Windows operating systems and is capable of receiving remote commands to install additional malware onto an affected machine.
Recommendation: It is paramount that your company stays up-to-date on the latest security patches Microsoft has issued in response to the leaked NSA tools.
Tags: EternalRocks, Worm, Vulnerability

WannaCry Ransomware Decryption Tool Released; Unlock Your Files Without Paying Ransom (May 18, 2017)
Quarkslab security researcher Adrien Guinet has discovered a process that can be used to decrypt files that have been encrypted by the WannaCry ransomware. Guinet released a tool called “WannaKey” that will attempt to retrieve the decryption key left in memory by WannaCry. Guinet notes that the affected machine must not have been rebooted post-infection for WannaKey to work properly, in addition to associated memory not having been allocated and erased by other processes.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. If a reproducible backup is not available, there may a decryptor available that can assist in retrieving encrypted files. Additionally, educate your employees about the dangers of downloading applications when they are not offered from the website of the official provider/developer.
Tags: WannaCry, Decryption tool

HookAds Malvertising Campaign Leads to RIG EK, Drops LatenBot (May 18, 2017)
Researchers have discovered a malvertising campaign that is redirecting users to a malicious website that attempts to infect the visitor with LatenBot malware. The malicious websites use the RIG Exploit Kit which then uses injected iframes to attempt to drop malicious payloads in the “%Temp%” directory.
Recommendation: Malvertising and exploit kits in general are being developed and improved constantly by cybercriminals, thus keeping software updated with the latest security patches is critical for users and enterprises. This includes both the operating system and all applications being used. Make sure there is a security system in place that can proactively provide a comprehensive defense against attackers targeting new vulnerabilities.
Tags: Malvertising

New Loki Variant Being Spread via PDF File (May 17, 2017)
A new variant of the information stealing malware “Loki Bot” has been discovered being distributed via phishing emails, according to Fortinet researchers. The emails contain a PDF attachment which, if opened, attempts to impersonate Dropbox and claims that the file could not be opened. A link is provided to download the file in order to, purportedly, view the PDF in a web browser but will actually begin downloading Loki Bot. This variant is capable of stealing user credentials for email client software, file management software, gaming software, notes software, and SSH/VNC client software.
Recommendation: The impersonation of legitimate services continues to be an effective phishing tactic to deliver malware. All employees should be informed of the threat phishing poses, how to identify such attempts, and inform the appropriate personnel when they are identified. In the case of Loki Bot infection, the affected system should be wiped and reformatted.
Tags: Phishing

Zomato Hacked; Hacker Puts Up 17 Million Users’ Emails and Passwords on Sale (May 17, 2017)
The restaurant search and discovery service “Zomato,” has acknowledged that unknown threat actors have stolen 17 million out of their 120 million user accounts and hashed passwords. Zomato is assuring its customers that no financial data was stolen because it is stored in a separate database. Researchers have discovered that the 17 million user accounts are being offered for sale for 0.5521 Bitcoins ($1,001 USD).
Recommendation: Even though Zomato claims that the passwords would be difficult to crack, it is recommendation that passwords used on Zomato be changed; as should other passwords if the same password is used for multiple online accounts. Additionally, phishing attacks are likely to follow because of the large amount of emails addresses that have become available to threat actors. This incident represents the importance to educate your employees about the dangers of phishing, how to identify such attempts, and whom to contact if such an email is identified.
Tags: Breach, Credentials, Underground market

Malware Uses Fake WordPress API Domain to Steal Sensitive Cookies (May 17, 2017)
Sucuri security researchers have discovered compromised WordPress websites that are infected with malware designed to steal administrator credentials. The malware will steal cookies and then send them to a fake domain whenever the user accessed the site and loaded the JavaScript code. WordPress has released version 4.7.5 to address this vulnerability, among others.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: Compromised websites, Credential theft

1.9 Million Bell Canada Customer Account Details Stolen, Leaked (May 17, 2017)
The Canadian telecommunications and media company, Bell Canada, has issued a statement regarding unauthorized access to customer information. Overall, unknown threat actor(s) gained access to approximately 1.9 million active customer email addresses and approximately 1,700 names and active phone numbers. The company has informed its customers to be alert for phishing emails and also states that there is no indication that any financial data, passwords, or “other sensitive personal information was accessed.”
Recommendation: It is important that your company institute policies to educate your employees on phishing attacks. Specifically, how to identify such attacks and whom to contact if a phishing email is identified.
Tags: Breach, Leak

DocuSign Breached, Stolen Info Used for Targeted Phishing Campaign (May 16, 2017)
Researchers have discovered a new phishing camping that is specifically targeting customers of the electronic signature and digital transaction management provider, DocuSign. The phishing campaign has taken place because threat actors were able to gain access to a “non-core system” which was used by the company to communicate service-related content to its customers via email. Cybercriminals were able to steal the list of emails and, as of this writing, are distributing targeted phishing emails to those addresses.
Recommendation: The impersonation of legitimate services continues to be an effective phishing tactic to deliver malware. All employees should be informed of the threat phishing poses, how to identify such attempts, and inform the appropriate personnel when they are identified.
Tags: Breach, Phishing

Chrome Browser Hack Opens Door to Credential Theft (May 16, 2017)
Bosko Stankovic, an information security engineer, has discovered a vulnerability in Google Chrome on the latest version of Windows 10 that can be exploited to conduct Server Message Block (SMB) relay attacks, download malicious files, and steal user credentials. Actors would first need to a user to visit a malicious location for this attack to work. This attack could allow an actor to gain access to a Microsoft LAN Manager password hash on Microsoft Windows 10, which actors could then attempt to crack.
Recommendation: It is critical that the latest security patches be applied as soon as possible to the web browser used by your company. Vulnerabilities are discovered relatively frequently, and it is paramount to install the security patches because the vulnerabilities are often posted to open sources where any malicious actor could attempt to mimic the techniques that are described. Additionally, Chrome settings can be changed to ask the user to save a file before downloading, and SMB signing can be used to mitigate SMB relay attacks.
Tags: Vulnerability, Web Browser

Shadow Brokers, Who Leaked WannaCry SMB Exploit, Are Back With More 0-Days (May 16, 2017)
The Shadow Brokers, the group responsible for leaking U.S. National Security Agency (NSA) tools that led to the global WannaCry ransomware campaign, has pledged to release more malicious tools. This time the group is claiming to be opening a subscription-based group called the “Wine of the Month Club” that will be granted access to exploits and malicious tools.
Recommendation: Compromised machines must be wiped and restored to factory settings. Attacks coming from the Shadow Brokers malware could be targeted, and a formal investigation should be initiated by notifying the appropriate law enforcement agencies. Based on the group’s record, it is likely they will release more malicious tools, therefore, staying up-to-date on the latest security patches is crucial.
Tags: Shadow Brokers

Google Researcher Finds Link Between WannaCry Attacks and North Korea (May 15, 2017)
Security researcher Neel Mehta claims to have discovered evidence that the global WannaCry ransomware campaign that began on May 12 has connections to North Korea. Mehta suggests that the WannaCry code contains clues that it was a North Korean state-sponsored group responsible for the attacks. Mehta claims that parts of the source code for WannaCry is nearly identical to the code in the backdoor called “Cantopee” used by the North Korean group called the “Lazarus Group.” Researchers note that even though WannaCry was contained, this is by no means the end of the ransomware.
Recommendation: Always run antivirus and endpoint protection software to assist in preventing ransomware infection. Maintain secure backups of all your important files to avoid the need to even consider payment for the decryption key. Emails received from unknown sources should be carefully avoided, and attachments and links should not be followed or opened. Your company should sustain policies to consistently check for new system security patches. In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.
Tags: WannaCry, Ransomware

Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations (May 15, 2017)
FireEye researchers have identified a new Advanced Persistent Threat (APT) dubbed “APT32,” and “OceanLotus.” The group is believed to have been conducting cyberespionage activities since at least 2014 targeting private sector companies primarily in Southeast Asia with a focus on entities with ties to Vietnam. OceanLotus uses their own specific malware to steal information as well as using phishing emails, the latter of which has been discovered in a new campaign.
Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of phishing, how to identify such attempts.
Tags: APT, Cyberespionage

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. Click here to request a trial.

EternalRocks Worm Uses Leaked NSA Toolbox
EternalRocks is a worm that uses the SMB exploits from the leaked NSA toolbox to infect unpatched Windows machines. During the first stage of the infection, the malware downloads .NET libraries and Tor from api.nuget.org and archive.torproject.org respectively. EternalRocks uses Tor to communicate with the C2 server at the address ubgdgno5eswkhmpy[.]onion.

The second stage of the malware is downloaded from https://ubgdgno5eswkhmpy[.]onion/updates/download?id=PC 24 hours after the initial infection. During this stage, the NSA tools are extracted and are used to infect other machine by random scanning for port 445. ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY are being used along with DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH to find other targets to infect. It is possible the malware authors are controlling the spread by using the 24 hour delay between the two stages. .
Tags: EternalRocks, Exploitation, EternalBlue, SMB


Source: Honeypot Tech