Addressing Threat Blindness

In just four years since launching Anomali we’ve seen Threat Intelligence become a standard element of enterprise security programs. Last week we published a Ponemon Institute report on “The Value of Threat Intelligence” (our 2nd year sponsoring this research) – in it we found:

  • 80% of enterprises now leverage threat intelligence in their security programs
  • 84% indicated threat intelligence is “essential to a strong security posture”

Despite this rapid adoption we still see organizations struggling to take full advantage of threat intelligence. Fully 68% of Ponemon respondents said threat intelligence is too voluminous and complex. This gets at the real promise of threat intelligence: what matters isn’t the list of threats itself, but which of those threats are active in my environment. Finding that out requires computing the intersection of my threat feeds and my network activity.

New Versus Old Threats

Most organizations subscribe to numerous threat feeds, whether from open source, premium/3rd party, ISACs, government sharing, etc. Security teams will typically collect and accumulate millions of IOCs (indicators of compromise) from their various threat sources. Every day new threats are added to the list. As it turns out, we need to handle newly discovered threats differently than previously known threats. Here’s why:

Previously known threats: All previously known threats need to be monitored daily to make sure we haven’t become a target. It’s like routine health checks – we need to verify that nothing bad happened today from any of these threats.

Newly discovered threats: Newly discovered threats are a different beast altogether. These threats became known today, but they didn’t become bad today. They may have been active for weeks, months or years. Attackers do their best to stay under the radar. When new threats are discovered it’s not enough to be on the lookout for them going forward. Perhaps more importantly, we need to go back in time to see whether we’ve already been targeted by these actors.

Organizations Flying Blind

The challenge for security teams is how to realistically monitor for known threats and assess exposure to new threats on a daily basis.

Consider the previously known threats. It sounds easy enough to simply alert on any match against my threat list. Here’s the issue: if you’re a moderately sized enterprise you’re likely generating 1 billion or more log events per day. If you’ve got a (relatively small) threat list of, say, 1 million indicators then you need to compare 1 billion events against 1 million threats. Done pairwise, that’s 1,000 TRILLION comparisons per day!

Now consider newly discovered threats. Here you might get 10, 100 or 1,000 new threats on a given day. The challenge here isn’t the daily monitoring, it’s going back to assess prior exposure. Given how long attackers often go undetected (200 days or more), it’s important to be able to look back at least 1 year to get a clear picture of possible prior exposure. Let’s do the math: 1 billion events/day × 365 days × 100 new threats/day = 36.5 trillion comparisons.
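To make the two workloads concrete, here is an added example (not code from Anomali or from RTF) of the matching logic a security team would write itself. Observables are extracted from each event once and looked up in a hash set, so daily monitoring costs one lookup per observable rather than one comparison per (event, indicator) pair, and an inverted index of observables kept alongside the logs turns a retro-hunt for a newly published indicator into a single lookup across all retained history. The log lines, indicator values and feed names are constructed for the example, and the regex extractors are a simplification; real events need per-source parsing.

```python
"""Constructed example: daily IOC matching plus retro-hunting of new IOCs.

Not Anomali/RTF code. Log lines, indicators and feed names are made up.
"""
import re
from collections import defaultdict

# One pass of extraction per event. The regexes are deliberately simple;
# they will pick up noise such as "installer.exe" as a domain, which is
# harmless here because only values present in the threat list produce hits.
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
_HASH = re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.IGNORECASE)


def extract_observables(event):
    """Return the normalized set of IPs, domains and file hashes in one event."""
    found = set(_IPV4.findall(event))
    found |= {d.lower() for d in _DOMAIN.findall(event)}
    found |= {h.lower() for h in _HASH.findall(event)}
    return found


class IocMatcher:
    def __init__(self):
        self.indicators = {}            # observable -> feed/source tag
        self.index = defaultdict(list)  # observable -> [(day, event_id), ...]

    def add_indicators(self, iocs):
        for value, source in iocs:
            self.indicators[value.lower()] = source

    def ingest(self, day, event_id, event):
        """Daily monitoring: hits against the current threat list are O(1) per
        observable. Every observable is also recorded in the inverted index;
        that index (not the raw log) is what later retro-hunts touch."""
        hits = []
        for obs in extract_observables(event):
            self.index[obs].append((day, event_id))
            if obs in self.indicators:
                hits.append((obs, self.indicators[obs], day, event_id))
        return hits

    def retro_hunt(self, new_iocs):
        """Newly discovered threats: one index lookup per new indicator over
        all retained history, instead of rescanning every retained event."""
        self.add_indicators(new_iocs)
        return {v.lower(): list(self.index.get(v.lower(), [])) for v, _ in new_iocs}


# Constructed sample events spanning several months of retained history.
SAMPLE_EVENTS = [
    ("2017-06-01", 1, "proxy src=10.1.2.3 dst=198.51.100.23 host=cdn.example.com action=allow"),
    ("2017-06-01", 2, "proxy src=10.1.2.9 dst=203.0.113.50 host=update.bad-vendor.example action=allow"),
    ("2017-08-14", 3, "edr host=ws17 file=installer.exe sha256=" + "a" * 64),
    ("2017-09-11", 4, "fw src=10.1.2.3 dst=203.0.113.50 proto=tcp dport=443"),
]
KNOWN_IOCS = [("198.51.100.23", "feed:known-c2")]          # already on the list
NEW_IOCS = [("203.0.113.50", "feed:2017-09-18"),            # published today
            ("a" * 64, "feed:2017-09-18")]


def run_demo():
    """Run the daily match over the sample events, then retro-hunt today's IOCs."""
    m = IocMatcher()
    m.add_indicators(KNOWN_IOCS)
    daily_hits = [hit for day, eid, ev in SAMPLE_EVENTS for hit in m.ingest(day, eid, ev)]
    retro_hits = m.retro_hunt(NEW_IOCS)
    return daily_hits, retro_hits


if __name__ == "__main__":
    daily, retro = run_demo()
    print("daily hits:", daily)
    for ioc, where in retro.items():
        print("retro-hunt", ioc, "->", where)
```

The point to notice is that the retro-hunt never rereads the events: the June proxy line and the September firewall line for 203.0.113.50 come straight out of the index the moment the indicator is published. That is also why how long you retain the observable index, rather than how long you retain full logs in the SIEM, is what decides how far back you can look.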

The Ponemon survey asked respondents how much historical data they maintain online (e.g., in a SIEM). 72% keep 3 months or less. Plus, running a query over that amount of data would take hours or even days. The end result is organizations are pretty much flying blind with respect to the vast majority of these known threats. Our solution for this is Real Time Forensics.

Real Time Forensics

Anomali developed Real Time Forensics (RTF) to address this fundamental threat visibility issue. RTF is the core technology that powers Anomali Enterprise: a search engine built to run matches over massive amounts of data in seconds rather than hours. In just a few seconds RTF can:

  • Identify all matches for millions of IOCs across billions of events
  • Search years of historical data and return all matches

RTF does this WITHOUT duplicating log storage. It integrates with existing log repositories/sources such as SIEMs, syslog, Netflow/sFlow and AWS S3.

We developed RTF with three key objectives in mind:

  • Visibility: providing complete visibility into all threats, all network activity, for all time
  • Clarity: integrating threat context from ThreatStream to provide a complete picture of the threat and how to respond
  • Automation: automatically evaluating new and existing threats; alerting security teams to real, active threats in their networks

These objectives aren’t new, but RTF’s capabilities give them a whole new meaning. The second an organization gets hold of indicators from the latest publicized breach, it can determine whether or not it was affected. Unmanageable data sets are no longer an obstacle to full threat visibility.

As it turns out, the future of security isn’t the ability to look forward, but the ability to look back.


Source: Honeypot Tech

How Ransomware has become an ‘Ethical’ Dilemma in the Eastern European Underground

By Vitali Kremez, Flashpoint and Travis Farral, Anomali

It’s no secret that the Deep & Dark Web (DDW) is home to illicit marketplaces and forums, as well as an array of cybercriminal communications. Less obvious, however, are the nuances of these communications, the unspoken code of conduct that exists in cybercriminal communities, and the “ethical” dilemma that certain types of attacks can cause.

For example, let’s discuss ransomware.

While monitoring DDW communities in Eastern Europe from early 2014 to early 2016, Flashpoint researchers discovered the forewarnings of a shift in attitude toward ransomware.

Prior to 2016, administrators of the Russian underground stated that ransomware should not be practiced for two reasons:

  • It was a waste of botnet installs and exploit kits;
  • It was “intellectual death” and therefore a low-end maneuver.

These administrators firmly believed that ransomware attracts too much attention, may impede other types of cybercrime, could too easily be turned toward Russian targets, and that an increase in its use may cause the Russian government to take a harsher stance towards DDW communities.

It’s very important to note that underground administrators are incredibly powerful in the DDW. Regardless of whether administrators are revered or reviled, the community respects their decisions. Those who don’t comply with such decisions risk being exiled from the forums or even doxed.

The Ethical Dilemma

Indeed, on Feb. 5, 2016, an ethical dilemma arose following a ransomware incident at Hollywood Presbyterian Medical Center. The attackers demanded that the small hospital pay 40 bitcoin (roughly $17,000 at the time) or risk a shutdown of its lifesaving equipment. While healthcare companies had been hit with cyberattacks before, the attacks had never before gone as far as to threaten human life. While Hollywood Presbyterian’s management claimed that the hospital’s infrastructure was never truly at risk, they chose to avert the perceived risk and pay the ransom.

Although the unspoken code of conduct amongst Eastern European cybercriminals strictly prohibits any malicious activity directed against citizens of the Commonwealth of Independent States (CIS), the targeting and exploitation of Westerners — in particular United States citizens – is highly encouraged. Nevertheless, news of the attack against Hollywood Presbyterian was coldly received by Eastern European cybercriminals, many of whom regarded the incident as reckless and unacceptable. While some in the community supported the attack, the majority condemned the unknown assailants, which created an ethical divide in the underground.

One highly reputable member of a Russian top-tier cybercrime forum expressed his frustration with ransomware, writing “from the bottom of my heart, I sincerely wish that the mothers of all ransomware distributors end up in the hospital, and that the computer responsible for the resuscitation machine gets infected with [the ransomware]…”

In response, a prominent ransomware operator countered that view: “[the attackers] scored. It means everything was done properly.” Rather than adhering to the ethical code imposed by administrators, he proposed that targeting places that were guaranteed to pay was not wrong because, at the end of the day, cybercrime is always about making money.

In the following months ransomware increased a staggering 6000%, earning 2016 the title of “The Year of Ransomware”. Of the businesses affected, 70% chose to pay the ransom, making it one of cybercrime’s most profitable ventures.

The WannaCry Shift

Since the global “WannaCry” (also known as “WanaCry,” “W-cry,” and “Wcry”) ransomware worm attack began on May 12, 2017, notably disrupting healthcare organizations affiliated with the UK’s National Health Service (NHS), criminals have debated the ethics behind the attack. Consequently, Russian-speaking cybercriminals revisited the topic of ransomware and its place within the criminal underground. Previously, ransomware presented cybercriminals with the aforementioned ethical dilemma, as it prevented hospital professionals from providing care. However, Flashpoint’s May 2017 review of cybercriminal discussions on ransomware indicated that many threat actors in the Russian-language underground are moving past their ethical concerns and now view banning ransomware as predominantly a business issue.

One threat actor who suggested banning ransomware cited the following reasons:

  • “It attracts attention to malware and causes companies to introduce measures to increase their security.
  • It increases general awareness of topics related to information security.
  • It kills malware tools predicated on loaders, js (javascript execution), doc macro (payloads) etc., as these get blocked everywhere.
  • It’s a business which is built not on intelligence and mental dexterity, but on brute-force and luck.”

The actor went on to say that by “allowing ransomware operators on the forum, we are digging our own grave. Of course, banning this work on the forum doesn’t stop this type of business, but as a minimum we can use community disapproval to make it more difficult to enter into it.”

The post generated multiple unique responses, almost half (48.5%) of which expressed support for the ban.

Threat actors in favor of the ban echoed concerns that Russian underground administrators shared in 2016: ransomware attracts too much attention, may impede other types of cybercrime, could too easily be turned toward Russia, and may incentivize the government to act more harshly toward underground communities.

Some threat actors, however, suggested that the use of ransomware is still a personal decision — as long as Russia is protected:

“There is only one rule – don’t target Russia. All other cases depend on one’s degree of perversion. Some people take grandma’s last 10k, some encrypt a corporate company and ransom [their files] for 2k, some brute-force WordPress control panels, upload shells and then send spam or host their own malware, some install skimmers.

Everyone has their own thing.”

This one example speaks volumes about how the ethics of cybercrime are constantly evolving, often in unanticipated ways. The culture of underground communities, the power of their administrators, and the ethical dilemmas and other criminal disagreements they face cannot be determined by looking at technical indicators of compromise (IOCs) alone. Tradecraft, language skills, familiarity with the vernacular and culture, and actively listening in to a group are what truly provide the best perspective for defenders to consider as they work to mitigate their organization’s risk. It’s also important to look at these threat actors as individuals, not just as shadowy villains. After all, these problems stem from threat actors, are developed by threat actors, and ultimately can be ended by threat actors.

For now, we know that ransomware is no longer off limits and that cybercriminals are being less selective in their targets.

The cybercriminal ecosystem has been historically and traditionally driven by the value of data on the cyber black markets. Recently, successful attacks have illustrated both a shift in cybercriminals’ business models and a nascent understanding in the cybercriminal community of another way to assign value to data: by assessing the value it presents to its owner.

Protecting Businesses

Organizations seeking to mitigate risks posed by threat actors operating on the DDW must first recognize that these actors are human beings and not faceless, shadowy villains. Defenders should continually establish and/or further develop profiles of relevant threat actors, such as those who have previously attacked, targeted, and/or are seen as a threat to that organization. These profiles shouldn’t simply consist of IOCs; they should also provide insights into the human being represented by the profile. What are their preferences? What types of behaviors do they exhibit?

The combination of monitoring activity in the DDW and closely-monitoring observed attacker behaviors inside the organizational environment yields a much deeper perspective on the actors threatening the organization. This dramatically improves situational awareness and provides needed perspective when developing effective mitigation strategies for defense.

Operationally, processes for collecting and storing this information should be implemented to enhance visibility and limit repetitive, low-value tasks from taking time away from analysts. The following suggestions can help operationalize the necessary components of this collection and processing:

  • Ensure that incident response processes collect needed details for threat intelligence collection
  • Ensure there are mechanisms in place to store collected incident response details along with other observables from the environment such that they can be appropriately processed and searched by analysts
  • DDW collection from a professional, trusted provider with data and analysis made available to internal analysts
  • Provide needed context via automated means where possible (WHOIS data, passive DNS, connection to other observables and historical data, etc.)
  • Ensure that analysts can add their own analysis and notes not only to individual IOCs but also provide the ability to curate and store finished reporting along with associated connections to IOCs and related analysis

Conclusion

Visibility into criminal forums on the DDW is a huge asset for defenders, allowing them to understand the ethics and nuances of the mindsets of cybercriminals. Coupling this information with threat intelligence collections inside an organization helps defensive teams develop deep perspectives and create a “rudder” to guide effective mitigation strategies against current threats. The value this creates is significant for organizations that make investments in these areas versus operating largely in the dark regarding the origins of the attacks seen in the environment every day. As the mindsets and capabilities of cybercriminals change and adapt, so should defenders in how they approach their defensive posture.

This blog post has also been published on Flashpoint’s blog, here.

Want more information?

Learn more with Flashpoint’s paper “An Analysis of Cybercriminal Communication Strategies“.

WTB: CCleanup, A Vast Number of Machines at Risk

The intelligence in this week’s iteration discusses the following threats: Adware, Compromise, Data Breach, Malspam, Malicious Plugin, Phishing, and Vulnerability. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

CCleanup: A Vast Number of Machines at Risk (September 18, 2017)
Version 5.33 of the system maintenance application “CCleaner” has been found to contain malware, according to Cisco Talos researchers. The official CCleaner 5.33 build distributed by the software company “Avast” carried a multi-stage malware payload in addition to the CCleaner application itself; the payload was identified as the “Floxif” trojan. The installation executable was signed with a legitimate digital signature issued to the software company “Piriform,” so the signature check alone would not have revealed the tampering. The affected CCleaner version was released on August 15, and researchers found the malicious version still hosted on the download servers as recently as September 11, 2017.
Recommendation: Threat actors are willing to go to great lengths to abuse trust relationships in supply-chain attacks. If CCleaner version 5.33 was downloaded it is likely that the machine is infected with malware. As of this writing, detection signatures have been made available and should be run against your systems to check for potential malicious activity. Additionally, Piriform suggests that its CCleaner users update to version 5.34 as soon as possible.
Tags: Compromise, CCleaner, Malicious version, Malware

Poisoned WordPress ‘Display Widgets’ Plugin Finally Purged (September 15, 2017)
Since June 2017, approximately 200,000 WordPress sites have been compromised via a plugin called “Display Widgets,” according to Wordfence. Display Widgets was discovered to have been updated with malicious code on multiple occasions. Wordfence CEO Mark Maunder warned customers to remove the Display Widgets plugin as soon as possible because the plugin contains a backdoor, allowing the author to publish content on any site with the plugin installed.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: Compromised websites, Malicious plugin, Display Widgets

Adware Installs InfoStealer Trojan That Loads via Chrome DLL Hijacking (September 15, 2017)
Researchers have discovered that the “AdService” trojan is being distributed by threat actors via adware bundles. AdService is capable of stealing passwords for online accounts such as Facebook and Twitter, and it persists through Dynamic Link Library (DLL) search-order hijacking of the Chrome web browser: it places a malicious “winhttp.dll” in the “C:\Program Files (x86)\Google\Chrome\Application” folder, so that when Chrome starts it loads the attacker’s copy from its own directory instead of the legitimate system DLL.
Recommendation: The AdService Trojan is installed on a victim’s computer via free programs that do not disclose that other software is being installed along with it. All applications should be carefully researched prior to installing on a personal or work machine. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors. If given an option between a “quick/express” installation or a “custom” installation, always choose the custom installation as it is more likely to disclose other applications being installed. If you are installing a desired application, check that you are getting the installer from the author’s website and not a third-party installer. It is also recommended to have trusted antivirus software installed and always kept up-to-date, as AdService is detected by most antivirus vendors.
Tags: Adware, Trojan, AdService, Chrome
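The AdService technique above is detectable from the file system alone: a DLL whose name belongs to a Windows system library has no business sitting next to an application’s executable. The following is an added example, not code from the article or from any AdService analysis, of a check for such shadowing DLLs. The list of system DLL names is a constructed subset, the allowlist of vendor-shipped hashes is an assumed input, and the demo builds a throwaway copy of Chrome’s application folder layout rather than touching a real install.

```python
"""Constructed example: find DLLs that shadow Windows system DLLs inside an
application directory (DLL search-order hijacking, as used by AdService).

Not code from the article. SYSTEM_DLLS is an illustrative subset.
"""
import hashlib
import os
import tempfile

# DLLs that Windows normally resolves from System32. A same-named file in the
# application's own directory wins the search order and is loaded instead,
# which is how AdService plants winhttp.dll next to chrome.exe.
# (Constructed subset for this example, not an exhaustive list.)
SYSTEM_DLLS = {
    "winhttp.dll", "wininet.dll", "version.dll", "cryptbase.dll",
    "dbghelp.dll", "userenv.dll", "profapi.dll", "dwmapi.dll",
}


def find_shadowing_dlls(filenames, system_dlls=SYSTEM_DLLS):
    """Pure check on a directory listing: names that shadow a system DLL."""
    return sorted((f for f in filenames if f.lower() in system_dlls), key=str.lower)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_app_dir(app_dir, allowlist=frozenset()):
    """Walk an application directory and report shadowing DLLs with their
    SHA-256. Hashes in `allowlist` (assumed: digests the vendor is known to
    ship, since some products legitimately bundle e.g. dbghelp.dll) are skipped."""
    findings = []
    for root, _dirs, files in os.walk(app_dir):
        for name in find_shadowing_dlls(files):
            path = os.path.join(root, name)
            digest = sha256_file(path)
            if digest in allowlist:
                continue
            findings.append((os.path.relpath(path, app_dir), digest))
    return findings


def run_demo():
    """Build a temporary Google\\Chrome\\Application layout with a planted
    winhttp.dll (file contents constructed) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        app = os.path.join(tmp, "Google", "Chrome", "Application")
        os.makedirs(app)
        for name in ("chrome.exe", "chrome_elf.dll", "winhttp.dll"):
            with open(os.path.join(app, name), "wb") as fh:
                fh.write(b"MZ constructed sample: " + name.encode())
        return scan_app_dir(app)


if __name__ == "__main__":
    for rel, digest in run_demo():
        print(f"shadowing DLL: {rel} sha256={digest}")
```

Run against real Program Files trees, the hash of each finding is what you would submit to your AV vendor or compare against the indicators attached to this WTB; the name match alone tells you where to look, not whether the file is malicious.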

ExpensiveWall: A Dangerous ‘Packed’ Malware on Google Play That Will Hit Your Wallet (September 14, 2017)
More than 100 applications in the Google Play Store have been found to contain a mobile malware family called “ExpensiveWall,” according to Check Point researchers. The malicious applications are estimated to have been downloaded between 5.9 and 21.1 million times. The malicious code was found to reside within a Software Development Kit (SDK) named “gtk.” ExpensiveWall’s objective is to generate revenue by registering users to premium services and sending premium SMS messages which charge the victim without their knowledge. ExpensiveWall is capable of mimicking clicks through any multi-step procedure as well as hiding confirmation SMS messages. As of this writing, Google has removed the malicious applications from the Google Play Store.
Recommendation: Always keep your mobile device fully patched with the latest security updates and employ trusted antivirus software. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. As this case shows, an official store is no guarantee, so it is also important to review the permissions an application requests and the comments from others who have downloaded it.
Tags: Android, Mobile, Malware, ExpensiveWall

Potential Phishing Scams Related to Equifax Data Breach (September 14, 2017)
The U.S. Federal Trade Commission (FTC) has issued an alert warning individuals to be aware of malicious activity associated with the Equifax breach. The FTC is warning consumers to be aware of potential calls or emails from individuals purporting to be Equifax employees. Equifax representatives will not contact individuals asking to verify their information.
Recommendation: Significant data breaches often result in threat actors attempting to steal information by capitalizing on fear-tactics. Individuals who are concerned about the Equifax breach can check to see if their data may have been affected by using the following website “https://www.equifaxsecurity2017.com/potential-impact/”. Furthermore, it is important that individuals understand, as the FTC stated, that Equifax representatives will not contact consumers to verify their information.
Tags: Scams, Equifax, Data breach

Hangul Word Processor and PostScript Abused Via Malicious Attachments (September 14, 2017)
Trend Micro researchers have discovered a new campaign in which actors are abusing PostScript code in the Hangul Word Processor (HWP) software. Older versions of HWP implemented a restricted subset of PostScript, “Encapsulated PostScript,” incorrectly. Encapsulated PostScript is supposed to limit what code embedded in an HWP document can do; because of the flawed implementation, a malicious document can drop files on the affected machine.
Recommendation: All employees should be educated on the risks of malspam, and how to identify such attempts. Poor grammar and urgent content are often indicators of these type of attacks. Additionally, messages that request a recipient to open a file attachment should also be avoided.
Tags: Vulnerability, HWP

Equifax Confirms Apache Struts Security Flaw It Failed to Patch is to Blame for Hack (September 14, 2017)
The consumer credit reporting agency “Equifax” has confirmed that the breach affecting approximately 143 million individuals was caused by a vulnerability in the Apache Struts web application framework. The vulnerability, registered as CVE-2017-5638, was patched by Apache back in March 2017. The Equifax breach took place from mid-May to July 2017.
Recommendation: Attacks on vulnerabilities with no available patch can sometimes be detected by less conventional methods, such as behavior analysis, and heuristic and machine learning based detection systems. This case, however, is the more common one: threat actors routinely exploit vulnerabilities long after the vendor has released a patch. It is crucial that policies are in place to ensure that patches, especially for internet-facing components such as web frameworks, are installed as soon as they are made available in order to prevent exploitation by malicious actors.
Tags: Vulnerability, Patch

Phishers Targeting LinkedIn Users via Hijacked Accounts (September 13, 2017)
Researchers have identified a phishing campaign in which threat actors are using compromised LinkedIn accounts in attempts to steal credentials. The actors are using LinkedIn’s “InMail” feature to distribute a shortened “Owd[.]ly” link that states that the sender has just shared a document via GoogleDoc/Drive. The link directs recipients to a fake login page for AOL, Gmail, or Yahoo that steals user credentials if entered.
Recommendation: All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. Messages that ask the recipient to follow a link that then asks for credentials to be entered are often an indicator of a phishing attack, regardless of whether the sender’s account appears legitimate.
Tags: Phishing, LinkedIn, Compromised accounts

Immediately Patch Windows 0-Day Flaw That’s Being Used to Spread Spyware (September 13, 2017)
Microsoft’s “Patch Tuesday” for September addresses 81 vulnerabilities that affect all supported Windows operating systems and other Microsoft products. The vulnerabilities affect eight Microsoft products. 27 of the vulnerabilities are rated critical and 54 are rated important. 39 vulnerabilities could allow an actor to remotely execute code on a vulnerable machine.
Recommendation: Your company should regularly check the software you use in everyday business practices to ensure that everything is always up-to-date with the latest security updates. Using the automatic update feature in Windows operating systems is a good mitigation step to ensure that your company is always using the most recent version.
Tags: Vulnerabilities, Windows, Malware

BlueBorne Bluetooth Attack Puts 5 Billion Devices at Risk (September 13, 2017)
A new attack vector has the potential to put billions of Bluetooth-enabled devices at risk of compromise, according to Armis researchers. Threat actors could potentially connect to a Bluetooth-enabled device using zero-day buffer overflow vulnerabilities researchers discovered in devices associated with Apple, Google, Linux, Microsoft, and Samsung. The vulnerabilities were reported to said companies who are currently working on patches.
Recommendation: All devices should be kept up-to-date with the latest software versions to benefit from the security fixes included in each update. Additionally, only trusted devices should be paired via Bluetooth, and Bluetooth should be turned off when not in use.
Tags: Vulnerability, Bluetooth, BlueBorne

Massive ElasticSearch Infected Malware Botnet (September 12, 2017)
Thousands of publicly accessible ElasticSearch nodes have been identified to be hosting variants of Point of Sale (POS) malware, according to Kromtech researchers. Among the ElasticSearch servers, researchers discovered file names that are associated with the AlinaPOS and JackPOS malware families. This discovery coincides with other findings in which new variants of POS malware have been advertised for purchase on various underground forums. As of this writing, approximately 4,000 ElasticSearch servers were found to be infected with POS malware.
Recommendation: This story depicts the potential dangers of publicly accessible services. Any service reachable from the internet should require authentication, including open source components deployed with permissive defaults. Databases and search indexes such as ElasticSearch should not be directly accessible over the internet at all; place them behind a firewall or private network and require authentication to access them.
Tags: Breach, ElasticSearch servers, Malware, Botnet

Multiple Vulnerabilities in FreeXL Library (September 11, 2017)
Cisco Talos researchers have released information regarding two remote code execution vulnerabilities in the “FreeXL” library. FreeXL is an open source library used to extract data from Microsoft Excel spreadsheets. Both vulnerabilities are buffer overflows that could allow a threat actor to execute arbitrary code on a machine that parses a crafted spreadsheet.
Recommendation: Attacks on vulnerabilities with no available patch can sometimes be detected by less conventional methods, such as behavior analysis, and heuristic and machine learning based detection systems. Threat actors are often observed to exploit vulnerabilities long after the vendor has released a patch. Therefore, it is crucial that policies are in place to ensure that patches are installed as soon as they are made available, including for libraries bundled inside other software.
Tags: Vulnerabilities, FreeXL Library

The Second Annual Ponemon Study – The Value of Threat Intelligence

Today we released our findings from the Ponemon Study, “The Value of Threat Intelligence: The Second Annual Study of North American and United Kingdom Companies.” The Ponemon Institute surveyed over a thousand IT security professionals on a range of threat intelligence topics. Results show that organizations are rapidly incorporating threat intelligence into their security programs, with 80% of North American respondents using threat intelligence (up from 65% in 2016). Whether or not their organization currently has a threat intelligence program, 84% of participants agreed that threat intelligence is “essential to a strong security posture.”

Despite increased adoption, many of the challenges of threat intelligence remain the same. 69% of respondents indicated that threat intelligence data is too voluminous and complex to provide actionable intelligence. Other top reasons for threat intelligence ineffectiveness include:

  • 71% Lack of staff expertise
  • 52% Lack of ownership
  • 48% Lack of suitable technologies

Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, commented on these challenges, stating, “It’s abundantly clear that organizations now understand the benefits provided by threat intelligence, but the overwhelming volume of threat data continues to pose a hurdle to truly effective adoption. Threat intelligence programs are often challenging to implement, but when done right, they are a critical element in an organization’s security program. The significant growth in adoption over the past year is encouraging as it indicates widespread recognition of the value threat intelligence provides.”

Respondents identified a few key factors to successfully establishing a threat intelligence program, including:

  • 80% Deploying a threat intelligence platform
  • 65% Integrating SIEM with a threat intelligence platform
  • 54% Having a qualified threat analyst on-staff

Many organizations choose to leverage a threat intelligence platform (TIP) because they are useful for automating tasks, weeding out false positives, adding context, and integrating with existing security solutions. Threat intelligence platforms also prove critical for threat intelligence sharing, which remains a challenging task for security professionals. Only 50% of respondents currently participate in industry-centric sharing initiatives such as Information Sharing & Analysis Centers (ISACs), which provide industry-relevant intelligence, collaboration with peers, and networking with other security teams. Of those organizations, the majority (60%) only receive threat intelligence through ISACs but do not contribute intelligence. The biggest hurdles to outbound intelligence sharing include a lack of expertise (54%) followed by fear of revealing a breach (45%).

The study also uncovered an interesting disparity in threat intelligence sharing between U.K. organisations and their U.S. counterparts:

  • 43% of U.S. respondents are part of an ISAC, while just 33% of UK businesses are, showing a potential lag in cyber security maturity
  • 35% of U.K. organisations share intelligence with government associations, versus 26% of U.S. businesses, demonstrating a willingness to help with attribution of cyber attacks

To learn more, download the free report or listen to a podcast interview with the author of the report, Larry Ponemon.



Source: Honeypot Tech

Hacker Tactics – Part 2: Supply Chain Attacks

Adversaries are constantly changing and improving how they attack us. In this six-part series we’ll explore new or advanced tactics used by threat actors to circumvent even the most cutting-edge defenses.

On June 27th, 2017, the NotPetya malware campaign began in Ukraine and rapidly spread around the globe. NotPetya devastated businesses across all industry verticals as it wiped large numbers of Windows systems. Cisco’s Talos researchers found that the initial infection vector was an automatic update of M.E.Doc, a popular Ukrainian tax accounting software package.

Not long after, researchers at Kaspersky Lab reported that they discovered a backdoor in recently updated versions of NetSarang software. This software is used for managing and administrating server and client machines, but malicious actors found a way to exploit it as a vector for deploying malware. Customers who installed seemingly legitimate updates during this time period instead received malicious binaries, which researchers identified as part of the ShadowPad family of malware.

These two seemingly unrelated instances have one factor in common – both are examples of a supply chain attack.

What are supply chain attacks?

Supply chain attacks attempt to infect software or hardware from a secondary organization that is used by the primary target organization. Supply chain targeted attacks can affect all organizations using the vendor product, or they can be targeted at a single customer of the given vendor. In many cases, vendors will hold other organizations’ sensitive data that can be stolen. This data can then be used to enhance spear phishing attacks against organizations or the vendors they use.

A supply chain security program focuses on the risks that come with dealing with third-party vendors, and on planning the actions to be taken in response to an incident at one of them.

Why are they used?

Supply chain attacks are a versatile and effective option for malicious actors. Organizations are less likely to apply tight security controls to their partners and connected companies, which makes them the last vector one would expect an attack from.

In the case of NotPetya, M.E.Doc was targeted because its software is used by a large number of organizations both within and outside of Ukraine. M.E.Doc was therefore an ideal method for spreading the wiper malware, which could destroy all data and operating systems. This means that the attack on Ukrainian infrastructure was not only highly coordinated but also intended to cause as much damage as possible in as short a time as possible.

By contrast, the malicious software delivered through NetSarang, ShadowPad, was relatively quiet and did not present itself noticeably. It was instead discovered by an organization’s security team who noticed unusual network activity in the background of the applications. At this point the objective of the attack is unknown.

“ShadowPad is an example of how dangerous and wide-scale a successful supply-chain attack can be. Given the opportunities for reach and data collection it gives to the attackers, most likely it will be reproduced again and again with some other widely used software component.” – Kaspersky Lab

How are they advanced?

This attack vector requires an advanced knowledge of the target’s infrastructure. While large organizations likely have several vendors in their supply chain, it is still difficult to successfully target, exploit, and then leverage the access against the primary target. This requires a high skillset to carry out successfully. There is always a risk of detection when attempting to breach these third-party vendors, which puts the entire operation at risk. A failed attack on a third-party vendor is likely to alert all organizations down the line, inevitably strengthening the security of those potential targets.

History

Supply chain attacks are not new or unique to the digital age. Recent history provides many high-profile data breaches that occurred largely because of supply chain vulnerabilities. In December 2013, the retail store Target suffered a data breach of 40 million customers’ debit and credit card accounts. Upon investigation it was found that the breach originated from an HVAC company contracted by Target. The attackers first stole network credentials from the HVAC company, used them to connect to the Target network, and then stole vast amounts of transaction data.

In September 2014, Home Depot announced a data breach that also stemmed from a third-party vendor. This third party had limited access to the Home Depot network that attackers leveraged to further exploit Home Depot and eventually steal data from 56 million credit and debit cards.

How do you defend against supply chain attacks?

For organizations dealing with several supply chain vendors, a robust security program will thoroughly vet every element in the chain. Since third-party vendors are, for the most part, a necessity for organizations as they grow, steps are needed to address the risks associated with each vendor.

The SANS Institute released a whitepaper titled “Combating Cyber Risks in the Supply Chain” that lists four major components for a vendor management program:

1) Define your important vendors

By defining important vendors, organizations are able to properly respond to any affected vendors. If an organization relies heavily on a vendor that suffers an outage they will need a robust response plan for this event.

2) Specify the primary contacts for each vendor

Specifying primary contacts with each vendor allows organizations to respond immediately to threats or other incidents. This will also prove useful if the vendor suffers a data breach and needs to understand the scope of the impact to the organization.

3) Establish guidelines and controls to ensure consistent processes

Establishing guidelines creates a controlled environment for vendors to interface with organizations, and vice versa. This protects both organizations from misuse by employees and hopefully limits the access to important services to reduce attack surface.

4) Integrate with the organization’s assessment and audit practices

Integrating with a vendor’s assessment and audit practices allows the organization to cover all necessary internal audits and assessments that rely on third-party vendors.

The first part of this series covered Domain Generation Algorithms. Up next in the series: Adversarial Machine Learning.



WTB: Equifax Breach: Sensitive Info, SSNs of 44% of U.S. Consumers Accessed by Attackers

The intelligence in this week’s iteration discusses the following threats: APT, Banking trojan, Data breach, Malspam, Misconfigured database, Phishing, and Vulnerability. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Admin Accounts With No Passwords at the Heart of Recent MongoDB Ransom Attacks (September 11, 2017)
The Senior Director of Product Security at MongoDB Inc., Davi Ottenheimer, has released a blog post in which he states that the recent MongoDB attacks succeeded because administrators had not set passwords on their admin accounts. The attacks have compromised approximately 26,000 databases, with approximately 22,000 of the database owners being held for ransom to retrieve their data. MongoDB plans on hardening its security with the upcoming MongoDB 3.6.x release.
Recommendation: It is crucial that your company institute strong password policies to protect your sensitive data. Databases should not be directly accessible over, or connected to the internet. For web applications that are accessing database data, make sure all user supplied data is sanitized to prevent SQL injections. Additionally, the database should require proper authentication in order to access its information.
Tags: MongoDB, Database, Vulnerability

Equifax Breach: Sensitive Info, SSNs of 44% of U.S. Consumers Accessed by Attackers (September 8, 2017)
One of the three largest American credit agencies, “Equifax,” has experienced a significant breach that exposed approximately 143 million U.S. consumers’ Personally Identifiable Information. As of this writing, the threat actors who accessed the data are unknown. The data consists of credit card numbers for approximately 209,000 U.S. consumers, dispute documents for approximately 182,000 U.S. individuals, Social Security numbers (SSNs), some driver’s license information, and limited personal information for some Canadian and U.K. individuals. The unauthorized access took place between mid-May and July 2017. The breach was detected on July 29, 2017.
Recommendation: With nearly half of the U.S. population affected by this breach, it is important for individuals to check to see if they are affected by using the following website “https://www.equifaxsecurity2017.com/potential-impact/”. Additionally, individuals should regularly check their credit statements in order to identify potential malicious activity.
Tags: Data breach, Credit card data, PII

.UK Domains At Risk of Theft in Enom Blunder (September 7, 2017)
On September 1, 2017, the domain registrar, “Enom,” issued a warning to its mailing list regarding a vulnerability that could allow “.uk” domains to be hijacked. The security group, “The M Group,” disclosed the vulnerability to Enom on May 2, 2017, and the issue was not resolved until September 2, 2017. The vulnerability allowed .uk domains to be transferred between Enom accounts without authorization, logs, or verification.
Tags: Vulnerability, .uk

EMOTET Returns, Starts Spreading via Spam Botnet (September 7, 2017)
The EMOTET banking trojan, first discovered in 2014, has been identified being distributed via a spam botnet. The spam emails that are delivering EMOTET variants are typically themed as an invoice or payment notification. The emails attempt to lure the recipient into following a provided link that will download a document that contains a malicious macro. A user will be infected with EMOTET if the macro is enabled on the document.
Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders.
Tags: Spam, Banking trojan, EMOTET

Malware Xeroing in on Cloud Accounting Customers (September 6, 2017)
SpiderLabs researchers discovered a phishing campaign that appears to have begun on August 16, 2017, in which actors are impersonating the New Zealand-based software company, “Xero.” The actors are spoofing Xero email addresses and sending phishing emails that contain malicious links. The objective of the emails is to trick recipients into downloading a zip archive that contains a malicious JavaScript file. This will infect a user with a variant of the Dridex banking trojan malware upon execution. Recipients are pointed to a fake Xero domain located at “xeronet[.]org” rather than the authentic site located at “xero[.]com.”
Recommendation: It is important that your company institute policies to educate your employees on phishing attacks. Specifically, how to identify such attacks and whom to contact if a phishing email is identified. Furthermore, maintain policies regarding what kind of requests and information your employees can expect to receive from colleagues and management.
Tags: Phishing, Spoofed email, Malware, Dridex

Dragonfly: Western Energy Sector Targeted by Sophisticated Attack Group (September 6, 2017)
The Advanced Persistent Threat (APT) group “Dragonfly” has been actively targeting European and North American energy sectors in a recently discovered campaign, according to Symantec researchers. The campaign, dubbed “Dragonfly 2.0,” appears to have begun in December 2015. Researchers have found an increase in Dragonfly activity in 2017, specifically targeting Turkey, the U.S., and Switzerland. The group uses multiple infection vectors including spear phishing emails, trojanized software, and watering hole attacks.
Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of phishing and how to identify such attempts.
Tags: APT, Dragonfly, Spear phishing, Trojan, Watering hole

A360 Drive Abused to Deliver Adwind, Remcos, Netwire RATs (September 5, 2017)
Trend Micro researchers have identified threat actors attacking Autodesk’s “A360” cloud project collaboration software and then using it to deliver malware. Researchers believe that this tactic has caused a recent increase in malicious activity for which the cause was previously unknown. A360 accounts are being compromised, and malicious macros in threat actor phishing documents use the URL path that leads to the A360 location to download the malware. Researchers have found multiple forms of malware being delivered using this method such as adware, banking Trojans, and Remote Access Trojans (RATs).
Recommendation: Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (do not rely on single security mechanisms – security measures should be layered, redundant, and failsafe).
Tags: Compromise, Malware

Critical Flaw in Apache Struts2 Lets Hackers Take Over Web Servers (September 5, 2017)
Security researchers have identified a remote code execution vulnerability in the Apache Struts web application framework. The vulnerability, registered as “CVE-2017-9805,” resides in the Struts REST plugin when it deserializes XML payloads. Researchers state that all versions of Apache Struts since 2008 are affected by this vulnerability. Thankfully, this vulnerability has been patched with Struts version 2.5.13. Those who are not running the most current Struts version should update as soon as possible.
Recommendation: As this story portrays, it is important that your company institute policies regarding software in use and proper maintenance. New security updates should be applied as soon as possible because they often fix minor bugs and critical vulnerabilities that delay work-flow, or can be exploited by malicious actors.
Tags: Vulnerability, Apache Struts2

Bazinga! Social Network Taringa ‘Fesses Up to Data Breach (September 5, 2017)
The Latin American social networking site, “Taringa,” has experienced a data breach that resulted in approximately 28 million user records being exposed. The exposed data consists of email addresses, usernames, and associated MD5 hashed passwords. Worryingly, MD5 is relatively weak and can be cracked by threat actors. Taringa has informed its users to change their passwords as soon as possible.
Recommendation: Databases should not be directly accessible over, or connected to the internet. For web applications that are accessing database data, make sure all user supplied data is sanitized to prevent SQL injections. Additionally, Taringa users should change their passwords as soon as possible. Furthermore, if identical passwords were used for Taringa and other accounts, those passwords should also be changed as soon as possible to avoid potential data theft.
Tags: Data breach
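The Taringa entry turns on the difference between an unsalted MD5 digest and a proper password hash. The Python below is an added example, not Taringa’s code or anything from the original briefing: it places the weak scheme beside a hardened one (a random per-user salt, PBKDF2-HMAC-SHA256, and a constant-time comparison) and shows why an unsalted fast hash lets identical passwords in a leaked table be spotted at a glance. The iteration count and the sample password are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Weak scheme as described in the write-up: one fast, unsalted MD5 digest per user.
# Two users with the same password get the same digest, so a leaked table can be
# matched against precomputed digests of common passwords.
def weak_md5_hash(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Hardened scheme (added example): a random 16-byte salt per user and a slow,
# iterated key derivation. ITERATIONS is an assumption; raise it as hardware allows.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def digests_collide(hash_fn, first_user_pw: str, second_user_pw: str) -> bool:
    """True when two users who chose the same password end up with identical records.
    With weak_md5_hash this is always the case; with hash_password the salts differ."""
    return hash_fn(first_user_pw) == hash_fn(second_user_pw)


if __name__ == "__main__":
    # Constructed sample: two users happen to pick the same password.
    print("MD5 collides:", digests_collide(weak_md5_hash, "Summer2017", "Summer2017"))
    print("PBKDF2 collides:", digests_collide(hash_password, "Summer2017", "Summer2017"))
    record = hash_password("Summer2017")
    print("verify ok:", verify_password("Summer2017", record))
    print("verify wrong:", verify_password("summer2017", record))
```

The stored record carries its own algorithm name and iteration count, so the cost can be raised later and old records re-hashed on the user’s next successful login without a separate migration table.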

Four Million Time Warner Customers Caught in Privacy Snafu (September 5, 2017)
Kromtech researchers have released information regarding their discovery of two misconfigured AWS S3 buckets. The two buckets contain personal information of Time Warner Cable customers consisting of 600 GB of data. The data consists of account numbers, MAC addresses, transaction IDs, serial numbers, and usernames, among other data. Researchers contend that Broadsoft, a communication software and service provider, did not properly configure the databases to restrict public access.
Recommendation: Databases should not be directly accessible over, or connected to the internet. For web applications that are accessing database data, make sure all user supplied data is sanitized to prevent SQL injections. Additionally, the database should require proper authentication in order to access its information.
Tags: Misconfigured database, AWS S3 bucket, Data leak

BankBot Continues Its Evolution as AgressiveX AndroBot (September 5, 2017)
The Android “BankBot” trojan has undergone some changes to its URL paths and Command and Control (C2) infrastructure, according to PhishLabs researchers. The actors behind BankBot are using a new domain, “agressivex[.]com,” which appears to indicate that the actors may be “re-packaging” the malware to sell under a different name. Researchers note that this version does not appear to be functional; however, this may be a testing phase, because BankBot source code has been available to actors since 2016.
Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores.
Tags: Android, BankBot, Trojan, Mobile

Router Flaws Put AT&T Customers at Hacking Risk (September 4, 2017)
Security researcher Joseph Hutchins has reported that thousands of routers that belong to AT&T customers contain five critical vulnerabilities. The affected routers are the “Arris NVG589” and “NVG599” running the most current “9.2.2” firmware version. Some of the vulnerabilities can be exploited by threat actors to gain root access to an affected device and full control of the router via a hardcoded credential vulnerability. This could lead to the hijacked router becoming part of a botnet. Some researchers speculate that as many as 138,000 routers are vulnerable. Another of the vulnerabilities is a firewall bypass that could allow an attacker to access a machine on the local network.
Recommendation: Routers should be configured to use separate access points behind the router. This can be used to assist in protecting against ISP misconfigured hardware.
Tags: Vulnerability, Router

Thousands of Military Vet’s Details Exposed in S3 Privacy Snafu (September 4, 2017)
Upguard researchers have discovered that an AWS S3 bucket was configured for public access, and that the bucket contained sensitive information associated with U.S. military veterans. The bucket was located at the subdomain “tigerswanresumes.” TigerSwan is a private security firm located in North Carolina. Overall, approximately 9,402 records were available, nearly all of them associated with U.S. veterans. Some of the associated data includes home address, email address, partial social security numbers, phone numbers, and other forms of resume information.
Recommendation: It is crucial for your company to verify that access control is configured correctly prior to adding any sensitive data. As this story portrays, misconfigured databases have the potential to cause significant harm to individuals and a company’s reputation.
Tags: Misconfigured database, AWS S3 bucket, Data leak
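Both the Time Warner and TigerSwan entries come down to an S3 bucket whose policy or ACL let anyone read it. The Python below is an added example, not code from the original briefing or from any of the firms named: an offline check that evaluates a bucket policy document and a bucket ACL (in the shapes the AWS API returns them) and reports every grant open to everyone. The two ACL group URIs are AWS’s real identifiers; the bucket names, account ID and owner ID in the samples are constructed placeholders, and the “fixed” policy is one way to scope access, assumed for the example.

```python
import json

# Well-known S3 ACL group URIs (real AWS identifiers).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _as_list(value):
    """Policy documents allow either a single string or a list for several fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anyone(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy: dict) -> list:
    """Return (Sid, actions, note) for every Allow statement open to everyone."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not principal_is_anyone(stmt.get("Principal")):
            continue
        # A Condition (e.g. a source-IP or VPC restriction) may narrow the grant; it
        # still deserves a human look rather than an automatic pass.
        note = ("conditional: review the Condition block" if "Condition" in stmt
                else "unconditional public access")
        findings.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action")), note))
    return findings


def public_acl_grants(acl: dict) -> list:
    """Return (group URI, permission) for ACL grants to AllUsers / AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            found.append((grantee["URI"], grant.get("Permission")))
    return found


def audit_bucket(policy_json: str, acl: dict) -> list:
    """Combine both checks into human-readable findings (empty list means nothing public)."""
    findings = [f"policy statement {sid!r} grants {actions} to everyone ({note})"
                for sid, actions, note in public_policy_statements(json.loads(policy_json))]
    findings += [f"ACL grants {perm} to {uri}" for uri, perm in public_acl_grants(acl)]
    return findings


# Constructed samples (not real buckets). Account and owner IDs are placeholders.
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-resumes/*"}],
})
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "HRServiceOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::000000000000:role/hr-intake-service"},
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::example-resumes/*"}],
})
LEAKY_ACL = {"Owner": {"ID": "placeholder-owner-id"},
             "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "placeholder-owner-id"},
                         "Permission": "FULL_CONTROL"},
                        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
FIXED_ACL = {"Owner": {"ID": "placeholder-owner-id"},
             "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "placeholder-owner-id"},
                         "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    for label, pol, acl in (("leaky", LEAKY_POLICY, LEAKY_ACL), ("fixed", FIXED_POLICY, FIXED_ACL)):
        print(label, audit_bucket(pol, acl) or ["no public access found"])
```

In practice the policy and ACL would be fetched with the AWS CLI or SDK and fed to audit_bucket before any sensitive data is uploaded, which is exactly the pre-check the recommendation above asks for.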

Massive Wave of MongoDB Attacks Makes 26,000 New Victims (September 4, 2017)
Ransom attacks targeting “MongoDB” databases increased over the last week of August and the first weekend of September, according to security researchers Dylan Katz and Victor Gevers. The researchers state that three new threat groups have emerged and, in total, have compromised approximately 26,000 MongoDB servers. The actors scanned the internet, possibly with “Shodan,” and found vulnerable MongoDB databases that allowed external connections. The content of the databases was then wiped and replaced with a ransom note that provides an email address for payment.
Recommendation: Databases should not be directly accessible over, or connected to the internet. For web applications that are accessing database data, make sure all user supplied data is sanitized to prevent SQL injections. Additionally, the database should require proper authentication in order to access its information.
Tags: Vulnerable database, MongoDB, Data leak, Threat group
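Both MongoDB entries in this briefing describe the same two weaknesses: a server listening on every interface and no authorization enabled. The Python below is an added example, not code from the original briefing or from MongoDB Inc.: it reads a mongod.conf fragment (the two configuration keys, net.bindIp and security.authorization, are MongoDB’s real settings) and reports each weak setting beside a hardened version of the same file. Both config fragments are constructed for this example, and the minimal parser only handles the flat “section / indented key: value” subset that these files use.

```python
# Constructed mongod.conf fragments (YAML). Neither is a real deployment's file.
WEAK_CONF = """
# listens on every interface and never turns authorization on
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.20.0.5   # loopback plus the app-tier address only
security:
  authorization: enabled        # every client must authenticate
"""


def parse_mongod_conf(text: str) -> dict:
    """Minimal parser for the two-level 'section:' / '  key: value' YAML subset that
    mongod.conf uses. It deliberately avoids a YAML dependency; anchors, lists and
    deeper nesting are out of scope for this example."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):   # top-level section header
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            conf[section][key.strip()] = value.strip()
    return conf


def audit_mongod_conf(text: str) -> list:
    """Return one finding per weak setting relevant to the ransom attacks above."""
    conf = parse_mongod_conf(text)
    findings = []
    net, security = conf.get("net", {}), conf.get("security", {})

    # Exposure: bindIpAll, a wildcard address, or no bindIp at all (builds before
    # 3.6 listened on all interfaces by default).
    bind = {addr.strip() for addr in net.get("bindIp", "").split(",") if addr.strip()}
    if net.get("bindIpAll", "").lower() == "true" or bind & {"0.0.0.0", "::"} or not bind:
        findings.append("net.bindIp: mongod reachable on all interfaces; "
                        "bind to loopback or the application tier only")

    # Access control: without authorization every connection is an anonymous admin.
    if security.get("authorization", "").lower() != "enabled":
        findings.append("security.authorization: not enabled; anyone who can connect "
                        "can read, wipe or replace the data")
    return findings


if __name__ == "__main__":
    print("weak:", audit_mongod_conf(WEAK_CONF))
    print("hardened:", audit_mongod_conf(HARDENED_CONF))
```

The bindIp finding is the one that makes a server discoverable by the internet-wide scanning the entry describes; the authorization finding is what turns discovery into a wipe. Fixing only one of the two leaves the other exposure in place.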

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

TrickBot Tool Tip
TrickBot is a modular Bot/Loader malware family which is primarily focused on harvesting banking credentials. It shares heavy code, targeting, and configuration data similarities with Dyreza. It was first observed in September 2016 and both the core bot and modules continue to be actively developed. Both x86 and x64 payloads exist. It has been distributed using traditional malvertising and phishing methods. [Flashpoint](https://www.flashpoint-intel.com/blog/trickbot-targets-us-financials/) recently (2017-07-19) observed TrickBot operators leveraging the NECURS Botnet for distribution. Previously, Anomali Labs released a [Threat Bulletin](https://ui.threatstream.com/tip/17137) detailing the unpacking of this malware family.
Tags: TrickBot, Family-Trickbot, victim-Financial-Services



Improve Security Through People in Four Simple Steps

Organizations have an incredible variety of security solutions to choose from to protect their networks. A walk down the showroom floor at RSA or BlackHat can be downright overwhelming (both the product explanations and the swag). Whatever solutions your security team deploys though it’s important to remember that a few missteps from your staff can make all of those investments a moot point (no Joey, not a moo point). There are also strategies you can follow to help your employees, which in turn helps you. Here are a few people practices that will help protect your network:

1. Make a few people’s lives more difficult

Namely, your admins. It’s not at all uncommon for someone to request administrative privileges to complete a task. Afterwards, it’s possible that:

  • They won’t need access again
  • They’ll forget they have admin level privileges
  • The real admin will leave the access in place “just in case”
  • The wrong people could exploit this

It seems fairly innocuous, but it’s one of the simplest ways for a network to be breached. The real life equivalent would be handing over the keys to a bank vault to everyone that worked at the bank rather than the one or two who were responsible for retrieving the money.

The easiest way for an organization to keep money in their metaphorical (or literal) bank is to keep the keys in the right hands. Restrict administrative privileges to those that perform administrative tasks daily. This will mean that admins have to spend more time completing these one-off tasks, but not cutting security corners ensures that organizations can avoid damages to their reputation, property, and personnel. It’s worth it to annoy the few for the benefit of the masses.

2. Avoid people altogether

Cybersecurity gets a bad rap for antisocial people (not entirely off the mark), but this tip isn’t actually aimed at that. There’s a huge increase in threat complexity and quantity, making automation a critical step for saving time and sanity. Automating manual tasks is beneficial to you and your people – projects are simpler, and the saved time means your analysts can focus their attention on more complex problems. It also eliminates the inevitable human error. Our product ThreatStream automates the normalization, validation, and aggregation of data. Combined with analyst-friendly features, the platform helps to prioritize threats and reduce time to detection. And if you find a time where our platform isn’t proving friendly we have a great team to help customers out.

3. Discipline your people

Well, more like teach them some discipline. While the importance of a strong password has been metaphorically beaten into us, many people still fail to enact adequate password measures. Setting up your internal systems to automatically require changing passwords every 30-90 days is an excellent approach, particularly considering that most threats will lurk around for 200 days before wreaking havoc. Another way to deprive potential bad guys entry is to require Multi-Factor Authentication (MFA), where a secondary device is needed to fully access the account in question. Unless your malicious actor has engaged in some serious leg work or intrigue it’s unlikely that they’ll have your credentials and your phone. Most importantly, explain to your employees why these measures are necessary, and demonstrate how quickly someone with the right access and the wrong intentions can do damage.

4. Pay attention to your people

Possibly the best thing you can do for your employees though is to educate them. One of the most common reasons good security practices aren’t followed is simply that people don’t understand why they’re needed. Or they might be a bit distracted, so the automation mentioned above can help (it’s ok, we’re all human). Taking the time to consider how people work and in turn helping people to understand a bit more about good security practices can keep your people engaged and your systems running smoothly.

It’s an unfortunate fact that the biggest threat to an organization can be an unwitting or disgruntled employee. These people are your greatest asset though, and it’s worth it to invest in them beyond just proactive damage control. A little recognition for accomplishments can go a long way in boosting morale and encouraging productivity. In the same vein, paying your people well, providing them with benefits, and showing concern for their welfare can provide amazing security results for everyone.



WTB: US Government Site Was Hosting Ransomware

The intelligence in this week’s iteration discusses the following threats: Bitpaymer, Cobian RAT, KHRAT, Locky Ransomware, Malspam, Sarahah, Turla and WireX. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

US Government Site Was Hosting Ransomware (September 1, 2017)
On Wednesday, August 31, 2017, researcher Ankit Anubhav tweeted that the U.S. Federal Communications Commission’s (FCC) website was hosting a malicious JavaScript downloader. The downloader was contained in a .zip archive that included obfuscated PowerShell, which led to installation of the “Cerber” ransomware. As of this writing, it is uncertain how the website came to host malware, although some researchers contend that it was caused by an issue in the FCC’s API.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: Website, Ransomware

Locky Ransomware Attacks Ramp Up (August 31, 2017)
AppRiver has identified a new, large-scale malspam campaign in which actors are distributing the “Lukitus” variant of the “Locky” ransomware. Researchers state that over a period of 24 hours approximately 23 million spam emails were distributed. The messages were found to use the following subject lines: documents, images, photo, pictures, please print, and scans. The emails come with a zip attachment that contains a Visual Basic Script (VBS) inside a secondary zip file. If the attachment is opened, the VBS file runs a downloader that pulls down Locky.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. In the unfortunate case a reproducible backup is not in place, make sure to check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.
Tags: Malspam, Ransomware, Locky, Lukitus

Cobian RAT – A Backdoored RAT (August 31, 2017)
A new Remote Access Trojan (RAT) called, “Cobian,” is being offered for free on various underground markets, according to Zscaler researchers. Cobian has a backdoor module that allows a threat actor to take full control of all machines that have used the builder kit to create malicious payloads. In this context, an actor could have full control of machines infected with Cobian. The malware is being distributed through a .zip archive that impersonates a Microsoft Excel spreadsheet icon.
Recommendation: Ensure that your company’s firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity.
Tags: RAT, Cobian

Updated KHRAT Malware Used in Cambodia Attacks (August 31, 2017)
An updated version of the KHRAT Remote Access Trojan (RAT) has been identified to be targeting Cambodian citizens, according to Palo Alto Unit 42 researchers. KHRAT is distributed via spear phishing emails that contain a Microsoft Word attachment that requests macros to be enabled because the user’s Office version is not compatible with the document. KHRAT is capable of logging keystrokes, remote shell access, and taking screenshots.
Recommendation: It is important that your company institute policies to educate your employees on phishing attacks. Specifically, how to identify such attacks and whom to contact if a phishing email is identified. Additionally, ensure that your company’s firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity.
Tags: Spear phishing, RAT, KHRAT

Locky Ransomware Adds Anti Sandbox Feature (August 31, 2017)
A new version of the “Locky” ransomware has been discovered to contain an anti-sandbox feature, according to Malwarebytes researcher Marcelo Rivero. Locky is being distributed by spam campaigns that deliver malware-embedded Microsoft Word documents. Interestingly, the malware will not begin its infection until after a user clicks “Enable Content” on the document and then closes it. The text in the document claims that content editing needs to be enabled in order to view it. Actors expect the user to close the document once no other content becomes viewable.
Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. Additionally, it is important to have a comprehensive and tested backup solution in place for the unfortunate case of ransomware infection.
Tags: Spam, Ransomware, Locky
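Several entries across these briefings share one delivery shape: a script or a VBA project wrapped in an archive (EMOTET’s macro document, the Dridex zip carrying a JavaScript file, Lukitus’s VBS inside a nested zip, and the macro-laden Word document above). The Python below is an added example, not code from the original briefing or from any of the vendors cited: a mail-gateway style pre-filter that walks zip attachments recursively, flags script and executable members, and flags Office documents that carry a VBA project (OOXML stores it as word/vbaProject.bin, xl/vbaProject.bin or ppt/vbaProject.bin). The sample attachments are constructed in memory from harmless placeholder bytes, and the depth and size caps are assumptions chosen so a crafted archive cannot exhaust the scanner.

```python
import io
import zipfile

# Extensions that should never arrive as a mail attachment in most environments.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
               ".ps1", ".cmd", ".bat", ".exe", ".scr", ".lnk")
# OOXML stores a document's VBA project as one of these members.
MACRO_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MAX_DEPTH = 3                        # assumption: refuse archives nested deeper than this
MAX_MEMBER_BYTES = 5 * 1024 * 1024   # assumption: skip members larger than this


def scan_attachment(name: str, data: bytes, depth: int = 0) -> list:
    """Return a list of findings for one attachment, descending into nested zips."""
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Plain file: judge it by its (possibly double) extension.
        if name.lower().endswith(SCRIPT_EXTS):
            findings.append(f"{name}: script or executable attachment")
        return findings
    if depth >= MAX_DEPTH:
        findings.append(f"{name}: archive nested deeper than {MAX_DEPTH}, not opened")
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        names = set(archive.namelist())
        if names & set(MACRO_MEMBERS):
            findings.append(f"{name}: Office document carries a VBA project (macro)")
        for info in archive.infolist():
            if info.is_dir():
                continue
            member_name = f"{name}/{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"{member_name}: member too large to inspect")
                continue
            findings.extend(scan_attachment(member_name, archive.read(info), depth + 1))
    return findings


def _zip(entries: dict) -> bytes:
    """Build an in-memory zip from {member_name: bytes} (used for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for member_name, payload in entries.items():
            archive.writestr(member_name, payload)
    return buf.getvalue()


# Constructed samples: the shapes described in the briefing, with placeholder bytes.
NESTED_VBS = _zip({"scans.zip": _zip({"scan_0042.vbs": b"' placeholder, no payload"})})
LOOSE_JS = _zip({"Invoice_XR1234.js": b"// placeholder, no payload"})
MACRO_DOC = _zip({"[Content_Types].xml": b"<Types/>",
                  "word/document.xml": b"<w:document/>",
                  "word/vbaProject.bin": b"placeholder"})
CLEAN_PDF = _zip({"report.pdf": b"%PDF-1.4 placeholder"})

if __name__ == "__main__":
    for label, blob in (("nested vbs", NESTED_VBS), ("loose js", LOOSE_JS),
                        ("macro doc", MACRO_DOC), ("clean", CLEAN_PDF)):
        print(label, scan_attachment("attachment.zip", blob) or ["clean"])
```

The scanner makes no attempt to interpret the scripts or macros it finds; flagging the container type alone is enough to quarantine the lures described above, and it avoids executing anything from the message. A gateway would still pair this with the anti-spam and antivirus layers the recommendation lists, since encrypted or non-zip archives fall outside what this check can see.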

Gazing at Gazer: Turla’s New Second Stage Backdoor (August 30, 2017)
The Advanced Persistent Threat (APT) group, “Turla,” has created a new sophisticated piece of malware, according to ESET researchers. The malware, dubbed “Gazer,” has been discovered inside consulates and embassies throughout Eastern Europe. Gazer has been active since 2016 and specifically targets Windows machines. The malware is distributed via spear phishing emails and operates as a backdoor that is capable of activity monitoring and remote code execution.
Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of phishing and how to identify such attempts.
Tags: APT, Turla, Gazer, Backdoor

Inside the Massive 711 Million Onliner Spambot Dump (August 30, 2017)
Security researcher Troy Hunt has published a report regarding a large, publicly available database. The database contains email addresses numbering in the hundreds of millions, some of them listed with corresponding passwords. According to Hunt and his collaborator, the researcher Benkow moʞuƎq, the addresses are used to send spam from the bot called “Onliner Spambot.”
Recommendation: Always be cautious while reading email, in particular when it has attachments or comes with an urgent label or poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. Additionally, the number of compromised email addresses is cause for concern, and it may be appropriate for your company to change corporate and personal email passwords, especially any password that has been reused across services.
Tags: Onliner Spambot, Compromise, Email addresses

Bitcoin Exchanges in South Korea Hacked and North Korea is the Prime Suspect (August 29, 2017)
South Korea’s Cyber Warfare Research Center has revealed that at least one South Korean Bitcoin exchange was breached. South Korea believes that the Democratic People’s Republic of Korea (DPRK) is likely responsible and that the compromise was accomplished via “a social engineering email campaign.” Researchers contend that the DPRK is targeting Bitcoin exchanges in response to the recent sanctions imposed against it. It may also be possible that financial institutions will become more frequent targets by DPRK actors.
Recommendation: Members of the financial services industry should be aware that they are specifically targeted by malware due to the nature of their business. Never open files from unverified sources, and be aware of other infection vectors such as email attachments and infected websites.
Tags: Threat group, Theft

FBI/IRS-Themed Email Scam Spreads Ransomware (August 29, 2017)
The U.S. Internal Revenue Service (IRS) has issued a warning stating that malicious actors are impersonating them in a new phishing campaign. The email purports that the IRS is sending a Federal Bureau of Investigation (FBI) questionnaire because of changes that were made to American tax laws on June 21, 2017. If the document attachment is downloaded, the email recipient will be infected with ransomware.
Recommendation: The impersonation of government agencies continues to be an effective spear phishing tactic. All users should be informed of the threat phishing poses, and how to safely make use of email. In the case of infection, the affected system should be wiped and reformatted, and if at all possible the ransom should not be paid. Implement a backup solution for your users to ease the pain of losing sensitive and important data.
Tags: Phishing, Ransomware

Beware of Hurricane Harvey Relief Scams (August 29, 2017)
The U.S. Federal Trade Commission (FTC) issued an alert on August 28, 2017, warning consumers to be cautious of an increase in charity scams. The FTC urges individuals who wish to donate, for example in response to Hurricane Harvey, to check that the online location is legitimate by using the charity evaluation websites it recommends. The U.S. Computer Emergency Readiness Team (US-CERT) is also reminding individuals that threat actors often use a natural disaster theme in their phishing campaigns.
Recommendation: All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful to inform employees that after a natural disaster or major political event, threat actors will theme their malicious activity around what just occurred.
Tags: Charity scams, Natural disaster

Jimmy Nukebot: From Neutrino With Love (August 29, 2017)
The actors behind the “NeutrinoPOS” banking trojan have rewritten their malware, according to Kaspersky Lab researchers. The actors restructured the main body by moving its functions into modules. This makes the malware, dubbed “Jimmy,” more difficult to analyze, because identifying which components must be stopped to prevent the theft of financial data is more complicated. The functionality to steal financial information, such as credit card data from the memory of the infected device, has been removed from the main body; the trojan now retrieves the modules it needs for its malicious tasks from a remote node.
Recommendation: Customer-facing companies that store credit card data must actively defend against Point-of-Sale (POS) threats and stay on top of industry compliance requirements and regulations. All POS networks should be aggressively monitored for these types of threats. In the case of a POS malware infection, the affected networks should be repopulated, and customers should be notified and potentially offered fraud protection to avoid negative media coverage and reputational damage.
Tags: Jimmy trojan, POS, Credit card theft

Ransomware Behind NHS Lanarkshire Cyber-Attack (August 28, 2017)
NHS Lanarkshire, the health board responsible for the health care of approximately 650,000 people, has confirmed that it was infected with ransomware on August 25, 2017. As a result, NHS Lanarkshire had to cancel some procedures and appointments as staff worked over the weekend to restore their systems and services. The ransomware was identified to be a variant of “Bitpaymer” and it requested $300 USD per infected machine for the decryption key.
Recommendation: Maintain secure backups of all your important files to avoid the need to consider payment for the decryption key. Emails received from unknown sources should be carefully avoided, and attachments and links should not be followed or opened. Your company should sustain policies to consistently check for new system security patches. In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.
Tags: Cyber-attack, Ransomware

Tech Firms Team Up to Take Down “WireX” Android DDoS Botnet (August 28, 2017)
Multiple security and technology companies have released information regarding their combined work to dismantle a large mobile Distributed Denial-of-Service (DDoS) botnet. The botnet, “WireX,” consisted of tens of thousands of compromised Android devices that were used to launch DDoS attacks against hospitality websites. Google has stated that they have identified approximately 300 applications in the Play Store related to the WireX bot and that they have been blocked. Additionally, Google also stated that they are in the process of removing the applications from all affected devices.
Recommendation: As this story portrays, malicious applications sometimes find their way into official stores, so it is important to be skeptical of all applications, especially free ones. Websites and documents that claim additional software is needed in order to access or properly view their content should be avoided. Additionally, mobile security applications from trusted vendors are recommended.
Tags: Mobile, Malware, WireX, DDoS botnet

Beware! Viral Sarahah App Secretly Steals Your Entire Contact List (August 28, 2017)
Security analyst Zachary Julian has discovered that the recently popular anonymous messaging application “Sarahah” gathers users’ contact lists. The contact lists, including phone numbers and email addresses, are surreptitiously uploaded to the company’s servers. This upload happens when an Android or iOS user first installs and launches the application. The creator of the application claims that the upload was intended for a “find your friends” feature that was delayed and that the issue will be fixed in the next update.
Recommendation: Always keep your mobile device fully patched with the latest security updates, and employ trusted antivirus software. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to review the permissions an application requests and the comments from others who have downloaded it; an application that asks for access to contacts without an obvious need for it deserves scrutiny.
Tags: Mobile, Data theft

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

Locky Tool Tip
Locky is ransomware that is widely spread via phishing messages. Locky first appeared in early 2016 and is strongly correlated with the cybercriminal groups behind the Dridex and Necurs botnets. Multiple waves of Locky samples are distributed daily, and the delivery mechanism has evolved over time: spam messages with executable attachments, Microsoft Word attachments whose macros retrieve and then execute Locky, and Zip files containing JavaScript loaders that retrieve and then execute Locky. Hosts compromised by Locky display a ransom note with instructions on how to decrypt the encrypted files. Encrypted files are renamed with an extension such as .locky or .zepto, depending on the variant.
Tags: Locky, Ransomware


Source: Honeypot Tech

Hacker Tactics – Part 1: Domain Generation Algorithms

DGA Domain Matches in Anomali Enterprise

Coauthored by Evan Wright and Payton Bush

Adversaries are constantly changing and improving how they attack us. In this six-part series we’ll explore new or advanced tactics used by threat actors to circumvent even the most cutting-edge defenses.

What are DGAs?

DGAs are code that programmatically produce a list of domain names. In most cases, the algorithms behind the malware that generate DGA domains vary just two elements when creating domains:

  1. The length of the domain name
  2. The possible top-level domains it can use

These algorithms produce command and control domains which are used to communicate with malware-infected machines. Often these domains are nonsensical, such as sndjfnin.com. In other cases DGAs like Oderoor and Bobax will produce names under services that let third parties register subdomains, typically dynamic DNS providers, so the result looks more like sndjfnin.dyndns.org. Measurements of domains generated by DGAs provide an understanding of a large cross-section of malware targeting nearly all industries, including such well-known categories as exploit kits, crimeware, and ransomware.

Why are they used?

DGAs are a robust way for malicious actors to protect their ability to get data from a compromised computer back to infrastructure that they control. With a network connection between these two computers, malicious actors are able to do things like:

  • Send credit card information from compromised machines to sell elsewhere
  • Coordinate infected machines to attack another computer or system (botnets)
  • Send out spam, which can be monetized
  • Engage in hacktivism by stealing emails and publishing them for all to see

DGAs are advantageous for malicious actors in a number of ways. For one, hard coded lists of domains created by a human may contain a pattern, making detection and extraction from malware easier. An algorithm can instead generate thousands of pseudorandom domains which are difficult for humans to link to one another.

A grossly oversimplified example would be:

bird.com, tiger.com, elephant.com

vs

jsdijiasd.com, neniwehrj.com, asjksrhej.com

The latter obviously look suspicious, but with the former it is easy to identify what connects each domain. Automatically generating domains instead makes malware authors more nimble. DGA domains ultimately serve to make blocklists ineffective: even if you positively identified and blocked one, there are still an unknown number of DGA domains out there. Many DGA implementations will generate hundreds or thousands of domains per day but only make a few of them active. This puts a large burden on the defender, who must stop all of the domains, while minimizing registration effort for the malicious actor, who only registers the few that will actually be used. Some DGA domains could also be pre-registered months in advance of being used, to help bypass controls that block newly registered domains.

After all of this discussion of domains, some of you may be rightfully wondering why an IP wouldn’t still be easily identified as the source of thousands of domains. In the majority of cases DGA domains are not hosted on one IP. Malware authors recognized this issue and began pairing DGAs with another technique that shuffles around IPs by using technologies such as Fast-Flux. How rapidly they could change IPs is a contributing factor for why IP blocklists are an aging tool, and another reason that DGA domains are so difficult to detect. This combination of DGAs with IP shifting proved to be the key to getting past defenses.

How is it advanced?

Domain Generation Algorithms create a constantly moving target that cyber defenders struggle to hit with a blocklist. Part of this is due to how the algorithm is set up and how easy it is to update. All DGAs are based on a static seed combined with a dynamic seed, which ensures that the domains are constantly changing. Nearly all algorithms use different approaches to randomize how they pick the letters in the second-level domain, which is the section of the domain before the “.com”. The dynamic seed could be anything from today’s date to the 8th most popular topic on Twitter. To make matters more complicated, malicious actors could choose to represent the date in different formats, like 8/31/17 or 083117. However it is coded, the software knows what to look for, and anyone reversing the algorithm must recover that detail too.
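The following toy DGA is an added illustration written for this post, not code from the article or from any real malware family. It shows the two elements listed under “What are DGAs?” (label length and TLD varying per domain) together with the static seed plus dynamic seed structure described above, and why the date format matters: the same calendar day produces a completely different list under “%m%d%y” than under “%Y%m%d”. The function names, the seed value and the TLD set are assumptions for the example.

```python
import datetime
import hashlib
import string

# Assumed values for the example: a real family hard-codes its own seed and TLD set.
STATIC_SEED = b"example-family-v1"
TLDS = ("com", "net", "org", "info")


def toy_dga(day, static_seed=STATIC_SEED, count=10, date_fmt="%Y%m%d"):
    """Return `count` pseudo-random domains for `day`.

    The dynamic seed is the date rendered with `date_fmt`; the static seed is
    baked into the binary. Both, plus the per-domain counter, feed a hash whose
    bytes pick the label length, the letters and the TLD.
    """
    dynamic_seed = day.strftime(date_fmt).encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(static_seed + dynamic_seed + i.to_bytes(4, "big")).digest()
        length = 8 + digest[0] % 9                       # label length varies 8..16
        label = "".join(string.ascii_lowercase[b % 26] for b in digest[1:1 + length])
        tld = TLDS[digest[-1] % len(TLDS)]               # TLD varies per domain
        domains.append(f"{label}.{tld}")
    return domains


def precompute_blocklist(start, days, **kwargs):
    """What a defender gains by reversing the algorithm: tomorrow's domains today."""
    block = []
    for offset in range(days):
        block.extend(toy_dga(start + datetime.timedelta(days=offset), **kwargs))
    return block


if __name__ == "__main__":
    today = datetime.date(2017, 8, 31)
    for d in toy_dga(today, count=5):
        print(d)
    # Same day, different date encoding: an entirely different list.
    print(toy_dga(today, count=5, date_fmt="%m%d%y"))
    print(len(precompute_blocklist(today, 7)))           # 70 domains for the week
```

The attacker only registers one or two of each day’s output, but the defender who wants to block ahead of time has to load all of them, which is the asymmetry the next sections describe.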

Some DGA domain names can even be entirely word-based, which creates a significant problem for those trying to identify them. Sdkfjdi.com looks odd, but birddog.com does not. Random-character DGAs are more common than these wordlist-based ones because dictionary-word domains are far more likely to be registered already, complicating the actor’s registration effort. By our count, algorithms that generate entirely word-based domains account for only about 5% of all known DGA-capable malware families.

Malicious actors can also change how long these domain names are active. In the majority of cases they are active for only one to three days, although the potential lifespan of DGA domains appears to be increasing. Five years ago most had a characteristic lifespan of three days or less, but now DGA domains lasting even 40 days are somewhat prevalent, and some may endure beyond that mark. Whatever the lifespan, a blocklist largely proves ineffective because these domains will expire and others will immediately take their place.

History

The evolution of DGAs is a traditional cat-and-mouse game between malware authors and cyber defenders. In the late 1990s, malware began proliferating across the Internet. Its authors noticed that once their malware was installed on a computer, security analysts would simply block the IP addresses of its outbound traffic. Blocking IP addresses was straightforward because it took place on the router, which was required for Internet connectivity. In response, malware authors began to use domain names to identify their infrastructure, and network defenders in turn began filtering domain names at proxies and DNS resolvers. Hard-coded lists of domains proved to be an ineffective measure, so rather than calling a fixed list, authors developed a way to generate domains which could not easily be identified in advance.

In 2008, the Conficker botnet became one of the first, and the best known, malware botnets to use a DGA. Conficker.A generated 250 domains per day in order to deny defenders the ability to discover and block the malware’s communication with its C2 infrastructure.

How are people trying to fight it?

For the past few decades security has been based on signature or indicator based blocking. This proves to be not as effective for something like DGAs, where the indicator is constantly changing. Lists of DGA domains are published by some organizations as a remediation measure, but unlike other indicators will usually expire within 24-48 hours.

One approach that people take is to reverse engineer DGAs. While it can be successful, this method is ultimately inefficient because each family has an almost entirely different algorithm. You would also need to be able to identify every family, which is impossible because new families are developed every day. From an operational standpoint, distributing a new giant list of domains to every enforcement point each day does not scale, and that is before accounting for each malware family and its algorithm producing that many domains per day. It also takes a huge investment of human time and effort to reverse engineer these algorithms, and there simply are not enough trained professionals to operate at scale. Regardless of the technology or expertise applied to the task, the malware can always be changed and updated, effectively cancelling out any reverse engineering effort.

At Anomali, our approach is to focus on detection via pattern matching, where incoming domains are analyzed in real time to find the statistical characteristics of DGA output. This approach does not suffer from the drawbacks listed above, and our product Anomali Enterprise can perform this detection immediately upon deployment.
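To make the statistical approach concrete, here is an added example of character-level DGA scoring run over DNS query logs. It is not Anomali Enterprise’s logic, which is not published in this post; it is a small illustration written for this page. Each queried name is reduced to its registrable label and scored on three cheap features: vowel ratio, longest consonant run, and the fraction of letter bigrams never seen in a benign corpus. The benign corpus, the stand-in public-suffix list, the log lines and the thresholds are all constructed assumptions, and the test domains include the ones used as examples earlier in this post.

```python
from collections import Counter

VOWELS = set("aeiou")

# Constructed benign label corpus (assumption: a real deployment would learn its bigram
# table from a large list of known-good domains). Any bigram absent here is "unknown".
BENIGN_LABELS = [
    "account", "admin", "online", "login", "secure", "service", "update", "mail", "email",
    "news", "shop", "store", "bank", "credit", "payment", "cloud", "file", "share", "photo",
    "video", "music", "travel", "hotel", "book", "tool", "blog", "global", "home", "office",
    "work", "software", "product", "support", "help", "health", "social", "media", "network",
    "market", "mobile", "phone", "design", "learn", "school", "unit", "weather", "sport",
    "game", "search", "portal", "center", "system", "data", "host", "web", "world", "time",
    "money", "card", "order", "ticket", "free", "audio", "good", "note", "password", "and",
]

# Constructed stand-in for a public-suffix list, so sndjfnin.dyndns.org scores "sndjfnin".
MULTI_PART_SUFFIXES = {"co.uk", "dyndns.org"}


def bigrams(s):
    return [s[i:i + 2] for i in range(len(s) - 1)]


KNOWN_BIGRAMS = {bg for word in BENIGN_LABELS for bg in bigrams(word)}


def registrable_label(domain):
    """The label the malware author actually registered: the part before the public suffix."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in MULTI_PART_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def features(label):
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    run = best = 0
    for c in label:                      # longest run of consecutive consonants
        run = run + 1 if c.isalpha() and c not in VOWELS else 0
        best = max(best, run)
    bgs = bigrams(label)
    unknown = sum(bg not in KNOWN_BIGRAMS for bg in bgs) / len(bgs) if bgs else 0.0
    return {"vowel_ratio": vowel_ratio, "consonant_run": best, "unknown_bigrams": unknown}


def looks_like_dga(domain):
    """Assumed thresholds; a production system tunes these on labelled data."""
    f = features(registrable_label(domain))
    return f["unknown_bigrams"] >= 0.4 or (f["vowel_ratio"] < 0.3 and f["consonant_run"] >= 4)


def scan_dns_log(lines):
    """Return (client, qname) for every query whose name looks algorithmically generated."""
    hits = []
    for line in lines:
        _timestamp, client, _qtype, qname = line.split()
        if looks_like_dga(qname):
            hits.append((client, qname))
    return hits


def suspect_clients(lines, min_hits=3):
    """Clients with at least `min_hits` generated-looking lookups: the actionable signal."""
    counts = Counter(client for client, _ in scan_dns_log(lines))
    return {client: n for client, n in counts.items() if n >= min_hits}


# Constructed DNS query log in the form "<timestamp> <client> <qtype> <qname>".
SAMPLE_DNS_LOG = [
    "2017-08-31T09:00:01Z 10.0.0.5 A google.com",
    "2017-08-31T09:00:02Z 10.0.0.5 A anomali.com",
    "2017-08-31T09:00:03Z 10.0.0.9 A sndjfnin.com",
    "2017-08-31T09:00:04Z 10.0.0.9 A jsdijiasd.com",
    "2017-08-31T09:00:05Z 10.0.0.9 A neniwehrj.com",
    "2017-08-31T09:00:06Z 10.0.0.7 A microsoft.com",
    "2017-08-31T09:00:07Z 10.0.0.9 A asjksrhej.com",
    "2017-08-31T09:00:08Z 10.0.0.9 A sndjfnin.dyndns.org",
]

if __name__ == "__main__":
    for client, qname in scan_dns_log(SAMPLE_DNS_LOG):
        print(client, qname, features(registrable_label(qname)))
    print(suspect_clients(SAMPLE_DNS_LOG))
```

Two caveats a practitioner should keep in mind. The word-based DGAs mentioned above (birddog.com) pass straight through character-level features like these, and brand names with unusual spellings will trip them, so a single flagged lookup is weak evidence. The signal worth alerting on is one client resolving many such names in a short window, most of which will not exist, which is what `suspect_clients` surfaces.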

Threat actors are constantly changing their tactics, techniques, and procedures. While we can never exactly predict what these changes might be, we can better equip ourselves to meet these challenges by working collaboratively across industries and areas of expertise.


Source: Honeypot Tech

WTB: US Arrests Chinese Man Involved With Sakula Malware Used in OPM and Anthem Hacks

The intelligence in this week’s iteration discusses the following threats: APTs, Cybercriminals, Data leaks, Exploit kits, Malspam, Malware, Mobile, Ransomware, Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

US Arrests Chinese Man Involved With Sakula Malware Used in OPM and Anthem Hacks (August 26, 2017)
The U.S. Federal Bureau of Investigation has arrested an individual believed to be associated with the Advanced Persistent Threat (APT) group “Deep Panda.” Additionally, the bureau believes that the suspect, Yu Pingan, is associated with the “Sakula” malware that was used in attacks against U.S. companies including the Office of Personnel Management (OPM) and Anthem Health Insurance.
Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of phishing and how to identify such attempts.
Tags: APT, Cybercriminal

New Arena Crysis Ransomware Variant Released (August 25, 2017)
A new variant of the “Crysis” ransomware has been discovered in the wild by security researcher Michael Gillespie. As of this writing, it is unknown how the malware is being distributed, but in previous campaigns threat actors compromised Remote Desktop Services and manually installed Crysis. This variant is capable of encrypting mapped network drives and unmapped network shares and appends “.arena” to each encrypted file.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. In the unfortunate case that a restorable backup is not available, check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies, who are doing their best to track these actors and prevent ransom from being a profitable business for cybercriminals.
Tags: Ransomware, Crysis variant, Arena

New EMPTY CryptoMix Ransomware Variant Released (August 25, 2017)
The security researchers “MalwareHunterTeam” have discovered a new variant of the CryptoMix ransomware called “EMPTY,” named after the text it appends to encrypted files. The file encryption is the same as previous versions, however, there is a new ransom note that contains new email contacts for victims.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. If a restorable backup is not available, there may be a decryptor available that can assist in retrieving encrypted files. Additionally, educate your employees about the dangers of downloading applications that are not offered from the website of the official provider/developer.
Tags: Ransomware, CryptoMix variant, EMPTY

Defray – New Ransomware Targeting Education and Healthcare Verticals (August 24, 2017)
A new ransomware family, dubbed “Defray” has been discovered to be targeting specific sectors in two separate campaigns, according to Proofpoint researchers. In August 2017, actors used the Defray ransomware in phishing emails with malicious Microsoft Word attachments that targeted the education and healthcare sectors in one campaign, and manufacturing and technology sectors in another campaign. The campaigns primarily target entities in the U.K. and U.S., and the ransom note demands $5,000 USD for the decryption key.
Recommendation: Always run antivirus and endpoint protection software to assist in preventing ransomware infection. Maintain secure backups of all your important files to avoid the need to consider payment for the decryption key. Emails received from unknown sources should be carefully avoided, and attachments and links should not be followed or opened. Your company should sustain policies to consistently check for new system security patches. In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.
Tags: Ransomware, Defray

New Multi-Platform Malware/Adware Spreading Via Facebook Messenger (August 24, 2017)
Kaspersky Lab researchers have discovered a new malware campaign that is being spread via “Facebook Messenger.” Researchers note that initial distribution of the malware is conducted through Messenger via links that lead to a Google document. The document purports to be a playable movie and uses an image from the user’s Facebook profile. If the fake movie is clicked, it redirects to a set of websites that fingerprint the user’s browser, operating system, and other information. As of this writing, it is unknown exactly how the malware is spreading via Messenger, but it may be through clickjacking, hijacked browsers, or stolen Facebook credentials.
Recommendation: Messages that attempt to redirect a user to a link should be viewed with scrutiny, especially when they come from individuals with whom you do not typically communicate. Education is the best defense. Inform your employees of the dangers of phishing, specifically how it can take place in different forms of online communication, and whom to contact if a phishing attempt is identified.
Tags: Malware, Adware

WAP-billing Trojan-Clickers on the Rise (August 24, 2017)
Threat actors behind money-stealing mobile trojans have been discovered abusing “WAP-billing” (Wireless Application Protocol), a mobile payment system that charges purchases directly to the victim’s phone bill, according to Kaspersky Lab researchers. Researchers note that other variants of the identified families, “Ubsod” and “Autosus,” were also executing other malicious payloads in addition to stealing money. Additionally, the malware is capable of executing commands in the device shell, sending SMS messages, stealing credentials and credit card data via overlays, and showing advertisements.
Recommendation: Always keep your mobile device fully patched with the latest security updates, and employ trusted antivirus software. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to review the permissions an application requests and the comments from others who have downloaded it; SMS permissions requested by an application with no messaging purpose are a warning sign for this kind of fraud.
Tags: Android, Mobile, Trojan

ziVA: Zimperium’s iOS Video Audio Kernel Exploit (August 23, 2017)
Zimperium researchers have released an iOS kernel exploit targeting the audio/video components that they claim works on all iOS devices running iOS 10.3.1 or earlier. In total, seven memory corruption vulnerabilities were found, some of which can be exploited to gain kernel-level access to a device. Any iOS device running version 10.3.1 or earlier should be updated as soon as possible if it has not been already.
Recommendation: Mobile devices should be kept up-to-date at all times to provide the most recent security patches. In this case, the proof of concept code has been released which increases the likelihood that threat actors will attempt to exploit the vulnerabilities in the wild.
Tags: iOS, Vulnerability

Deep Analysis of New Poison Ivy Variant (August 23, 2017)
Fortinet Labs researchers have identified a phishing campaign that is distributing a new variant of the “Poison Ivy” malware. The actors behind this campaign are using malicious PowerPoint file attachments titled “Payment_Advice.ppsx.” If the file is opened, a prompt will appear that attempts to trick the user into running the external program by purporting that the user is enabling Adobe Flash Player. The malware uses anti-analysis and evasion techniques such as checking registry locations for analysis tools and using legitimate Microsoft processes to conduct malicious activity.
Recommendation: All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments, in favor of a cloud file hosting service like Box or Dropbox.
Tags: Malware, Poison Ivy

BEC Campaigns Target Organizations Across Sectors Using Credential Phishing (August 23, 2017)
According to Flashpoint researchers, a threat actor has been running a Business Email Compromise (BEC) campaign from March 28, 2017 to at least August 8, 2017. Researchers state that this campaign had a low detection rate because of its simplistic tactics. The threat actors sent out approximately 73 PDF documents in phishing emails that purport to be a “secure online document.” If the PDF is opened, the recipient is presented with a prompt to view the secure online document; the prompt leads to a fake webpage impersonating the targeted organization that requests the recipient’s work credentials.
Recommendation: It is important that your company institute policies to educate your employees on phishing attacks. Specifically, how to identify such attacks and whom to contact if a phishing email is identified. Furthermore, maintain policies regarding what kind of requests and information your employees can expect to receive from colleagues and management.
Tags: BEC, Phishing, Credential theft

Bankbot Dropper Hiding on Google Play (August 22, 2017)
An application in the Google Play store called “Earn Real Money Gift Cards” has been identified to contain the “Bankbot” trojan, according to SfyLabs researchers. Another application from the same developer, “Bubble Shooter Wild Life,” was identified as a dropper for the Bankbot trojan. The Bubble Shooter application asks the user to enable it as an Accessibility Service, after which it displays a screen that purports to be a Google update. Researchers note that the dropper application appears to still be in development, because its ability to install malicious APKs is currently disabled in the source code.
Recommendation: Always keep your mobile device fully patched with the latest security updates, and employ trusted antivirus software. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. As this story shows, an official store is not a guarantee, so it is also important to review the permissions an application requests and the comments from others who have downloaded it; a game that asks to be enabled as an Accessibility Service has no legitimate reason to do so.
Tags: Android, Mobile, Bankbot, Trojan

Hiking Club Malvertisements Drop Monero Miners Via Neptune Exploit Kit (August 22, 2017)
Since July 16, 2017, Trend Micro researchers have observed changes in a malvertising campaign that leads users to the Neptune Exploit Kit (EK). The changes consist of new payloads dropped by Neptune, different Uniform Resource Identifier (URI) patterns, and abusing legitimate popup advertisement services that redirect to fake advertisements. The fake advertisements imitate legitimate sources and if clicked, will redirect to Neptune which then checks the Adobe Flash versions and will attempt to exploit vulnerable versions of Flash or Internet Explorer.
Recommendation: Malvertising and exploit kits techniques are often updated by threat actors, therefore, keeping software updated with the latest security patches is critical for users and enterprises. This includes both the operating system and all applications being used. Make sure there is a security system in place that can proactively provide a comprehensive defense against attackers targeting new vulnerabilities.
Tags: Malvertising, Neptune, Exploit kit, Monero, Malware

Igexin Advertising Network Put User Privacy at Risk (August 21, 2017)
The advertising Software Development Kit (SDK) called “Igexin” has the ability to spy on and gather data about Android users who have downloaded applications that contain the kit, according to Lookout researchers. Igexin has been identified in approximately 500 applications in the Google Play store, which have been downloaded approximately 500 million times in total. Researchers note that the malicious activity can be altered at any time by the SDK’s operators, and that the SDK is capable of stealing device information as well as incoming call numbers and call times. Google Play has since removed the applications that contained this feature.
Recommendation: Always keep your mobile device fully patched with the latest security updates, and employ trusted antivirus software. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to review the permissions an application requests and the comments from others who have downloaded it; as this story shows, a bundled third-party SDK can carry behavior the application’s own developer never wrote.
Tags: Mobile, Data theft

Online Hotel Booking Service Allegedly Exposed Sensitive Data (August 21, 2017)
Kromtech researchers have discovered a publicly accessible Amazon Web Services (AWS) database that may be associated with the online group hotel booking service company “Groupize.” The database required no login or password to access data that researchers state shows how “the discount hotel business model works in detail.” Besides business model details, the data included payment information such as credit card numbers, expiration dates, and CVV codes, among other data.
Recommendation: Always make sure your cloud storage is properly configured. Experts have been warning companies that Amazon S3 buckets are too often misconfigured. Leaked data can be used by extortionists in an attempt to make money. Ensure that any cloud storage services you use are properly configured to only allow access to trusted and authorized users. Require multi-factor authentication for access to the most sensitive materials you store.
Tags: Misconfigured database, Data leak
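The misconfiguration behind this entry is usually a bucket policy (or ACL) that grants anonymous principals read access. The check below is an added example, not code from Kromtech, Anomali or the affected company: it walks an S3 bucket policy document and reports every Allow statement that is open to everyone. Both policies are constructed samples; the bucket name "example-bookings", the account id and the role name are placeholders.

```python
"""Flag S3 bucket policy statements that grant anonymous read access.

Added example for this briefing entry; it is not the article's or the
booking service's code. Both policy documents are constructed samples.
"""
import json

# A bucket policy is an IAM policy document: a list of statements that each
# Allow or Deny a set of actions for a set of principals.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True when the statement applies to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy_doc):
    """Return the Sids (or indices) of statements that let anyone read.

    A statement is flagged when it is an Allow, its Principal is anonymous,
    it includes a read/list/wildcard action, and it carries no Condition.
    Conditional grants are skipped here because a Condition (for example
    aws:SourceVpce) normally narrows who can actually use the statement.
    """
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


# Constructed sample: the weak policy, objects readable by the whole internet.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bookings",
                     "arn:aws:s3:::example-bookings/*"],
    }],
}

# Constructed sample: the corrected policy, scoped to one application role
# (placeholder account id) and denying any non-TLS access.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/booking-app"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bookings/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bookings",
                         "arn:aws:s3:::example-bookings/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

if __name__ == "__main__":
    print("weak:", public_read_statements(WEAK_POLICY))          # ['PublicRead']
    print("hardened:", public_read_statements(HARDENED_POLICY))  # []
```

The function deliberately ignores Deny statements with a wildcard principal (the hardened policy's TLS rule is one) so that the finding list only contains grants that actually expose data. Run it against the output of the bucket's policy retrieval in your own tooling; a non-empty list for a bucket that holds customer data is a finding to fix before anything else.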

Malspam Continues Pushing Trickbot Banking Trojan (August 21, 2017)
The Trickbot banking trojan continues to be distributed by threat actors via financially themed malspam, according to researchers. The actors use sender addresses on typosquatted domains that appear to belong to NatWest Bank. The message claims that the recipient's August 2017 financial statement is available in an attached Microsoft Word document. If the attachment is opened and macros are enabled, the macro generates a URL from which the Trickbot binary is retrieved.
Recommendation: All employees should be educated on the risks of malspam and how to identify such attempts. Poor grammar and urgent content are often indicators of these types of attacks. Additionally, messages that ask the recipient to open a file attachment should be treated with suspicion and avoided.
Tags: Malspam, Trickbot trojan, Malware
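The three indicators this entry relies on (a lookalike sender domain, urgent financial wording, and a macro-capable attachment) can be turned into a simple mail-gateway triage score. The code below is an added example written for this briefing, not the researchers' or Anomali's detection logic. It assumes "natwest.com" as the organisation's trusted reference domain; the sender addresses, subjects and attachment names are constructed samples, and the look-alike domains use the reserved ".example" TLD so they do not point at any real host.

```python
"""Score inbound mail for the malspam traits described in the Trickbot entry.

Added example for this briefing; it is not the researchers' or Anomali's
code. All message samples are constructed; natwest.com is the only real
domain and is used purely as the trusted reference.
"""

# Domains the organisation treats as genuine senders (assumption for the example).
TRUSTED_DOMAINS = {"natwest.com"}
# Office attachment types that can carry VBA macros.
MACRO_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm"}
# Wording typical of the lure described above.
URGENCY_WORDS = {"urgent", "immediately", "statement", "overdue", "action required"}


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character look-alike labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registrable_label(domain):
    """Second-level label: 'natwest' from 'mail.natwest.com' (single-label TLDs assumed)."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_domain(sender_domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain that sender_domain imitates, or None.

    The genuine domain and its subdomains are never flagged. Otherwise the
    brand label is compared: same label under another TLD, a label within
    max_distance edits, or a label that embeds the brand name all count.
    """
    sender_domain = sender_domain.lower()
    for good in trusted:
        if sender_domain == good or sender_domain.endswith("." + good):
            return None
    label = _registrable_label(sender_domain)
    for good in trusted:
        good_label = _registrable_label(good)
        if label == good_label or levenshtein(label, good_label) <= max_distance:
            return good
        if good_label in label:
            return good
    return None


def score_message(sender, subject, attachments):
    """Return (score, reasons); each matched heuristic adds one point."""
    reasons = []
    domain = sender.rsplit("@", 1)[-1]
    imitated = lookalike_domain(domain)
    if imitated:
        reasons.append(f"sender domain {domain} resembles {imitated}")
    if any(word in subject.lower() for word in URGENCY_WORDS):
        reasons.append("urgent or financial wording in subject")
    for name in attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in MACRO_EXTENSIONS:
            reasons.append(f"macro-capable attachment {name}")
    return len(reasons), reasons


def triage(messages):
    """Score a batch of (sender, subject, attachments) tuples."""
    return [score_message(*message)[0] for message in messages]


# Constructed samples: a lure like the one described, a genuine statement
# notice, and an unrelated message.
SAMPLE_MESSAGES = [
    ("statements@natwets.example", "Your August 2017 statement", ["Statement_082017.doc"]),
    ("noreply@natwest.com", "Your August 2017 statement", []),
    ("alice@partner.example", "Lunch on Friday?", ["menu.pdf"]),
]

if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        print(message[0], score_message(*message))
```

The genuine NatWest notice still scores 1 because its subject contains "statement"; that is intended. These heuristics are indicators that justify sandboxing or quarantining an attachment, not a verdict on their own, and the domain check is the one that separates the lure from the real notice.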

Seamless Campaign Uses RIG EK to Drop Ramnit Trojan (August 21, 2017)
Researchers have discovered a malvertising campaign that uses the RIG Exploit Kit (EK) to infect users with the Ramnit banking trojan. A user who clicks the malvertisement is redirected to a page hosting a script that in turn points to a RIG EK iframe. The exploit kit then attempts to use an Adobe Flash Player exploit to install the Ramnit payload.
Recommendation: Malvertising and exploit kit techniques are frequently updated by threat actors, so keeping software patched with the latest security updates is critical for users and enterprises. This includes both the operating system and all applications in use. Make sure a security system is in place that can proactively provide comprehensive defense against attackers targeting new vulnerabilities.
Tags: RIG, Exploit kit, Ramnit trojan, Malware

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

CrySiS Tool TIP
CrySiS is a ransomware variant that first appeared in early 2016. The CrySiS ransomware is commoditized and distributed on forums to many actors; distribution and delivery are left to the actor who purchased the malware. In the summer of 2016 Trend Micro reported that CrySiS was delivered to hosts in the Southern Pacific region (Australia and New Zealand) via RDP brute-force attacks. As of mid-2016 the CrySiS builder leaves the PDB path C:\crysis\Release\PDB\payload.pdb as an artifact within the unpacked binary. Additionally, the encrypted files are renamed using the pattern filename.ext.id-UNIQUEID.emailAddr.newext, as described below.
Tags: CrySiS
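Both artifacts in this tip, the rename pattern and the builder's PDB path, are easy to hunt for on file shares and in unpacked samples. The script below is an added example, not Anomali's or Trend Micro's code: it parses the filename.ext.id-UNIQUEID.emailAddr.newext pattern quoted above and checks a byte blob for the PDB path. The directory listing and the byte blob are constructed samples; the victim id, contact address and the ".xtbl" extension are sample values, and the 4 to 16 hex-character length assumed for the id is my assumption, not something the tip states.

```python
"""Hunt for CrySiS artifacts: renamed files and the builder's PDB path.

Added example for this tip; it is not Anomali's or Trend Micro's code.
The directory listing and the byte blob below are constructed samples.
"""
import re

# filename.ext.id-UNIQUEID.emailAddr.newext, as quoted in the tip.
# The hex id length (4-16) is an assumption made for this example.
CRYSIS_NAME = re.compile(
    r"^(?P<original>.+?)"                 # original file name, including extension
    r"\.id-(?P<uid>[A-Fa-f0-9]{4,16})"    # per-victim id
    r"\.(?P<email>[^.\s@]+@\S+?)"         # actor contact e-mail (domain has dots)
    r"\.(?P<newext>[A-Za-z0-9]+)$"        # appended extension
)

# PDB path left by the builder in unpacked binaries (from the tip above).
PDB_ARTIFACT = b"C:\\crysis\\Release\\PDB\\payload.pdb"


def parse_crysis_name(filename):
    """Return the pattern's fields as a dict, or None if the name does not match."""
    match = CRYSIS_NAME.match(filename)
    return match.groupdict() if match else None


def scan_listing(listing):
    """Return (path, victim id, contact e-mail) for every renamed file in a listing."""
    hits = []
    for path in listing:
        name = path.rsplit("/", 1)[-1]
        info = parse_crysis_name(name)
        if info:
            hits.append((path, info["uid"].upper(), info["email"]))
    return hits


def summarise(hits):
    """Group hits so one victim id / contact pair is reported once with a file count."""
    counts = {}
    for _path, uid, email in hits:
        counts[(uid, email)] = counts.get((uid, email), 0) + 1
    return counts


def has_crysis_pdb(blob):
    """True if an unpacked sample carries the builder's PDB path."""
    return PDB_ARTIFACT in blob


# Constructed sample listing: two encrypted files, one clean file and one
# decoy whose name contains ".id-" but not the e-mail segment.
SAMPLE_LISTING = [
    "/srv/share/invoice.docx.id-A1B2C3D4.decrypt@example.com.xtbl",
    "/srv/share/photo.jpg.id-A1B2C3D4.decrypt@example.com.xtbl",
    "/srv/share/report.pdf",
    "/srv/share/notes.id-A1B2C3D4.txt",
]

# Constructed sample: a fragment of an unpacked binary containing the artifact.
SAMPLE_BLOB = b"MZ\x90\x00...\x00C:\\crysis\\Release\\PDB\\payload.pdb\x00RSDS"

if __name__ == "__main__":
    for hit in scan_listing(SAMPLE_LISTING):
        print(hit)
    print(summarise(scan_listing(SAMPLE_LISTING)))
    print("pdb artifact:", has_crysis_pdb(SAMPLE_BLOB))
```

The summary step matters in practice: the id and contact address are the same across every file a single infection touches, so grouping on them tells you how many hosts are affected rather than how many files, and gives a value to pivot on in ThreatStream or your own case notes.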


Source: Honeypot Tech