
WTB: New Mirai Variant Targets Billions of ARC-Based Endpoints

The intelligence in this week’s iteration discusses the following threats: APT, Disk-wiper, DNS hijacking, Malicious extensions, Malicious application, Malvertising, Targeted attacks, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

New Mirai Variant Targets Billions of ARC-Based Endpoints (January 16, 2018)
Security researchers are discussing a new variant of the Internet-of-Things (IoT) malware “Mirai” dubbed “Okiru.” The variant was first observed by MalwareMustDie researcher “@unixfreaxjp.” Researchers believe that Okiru is the first malware designed to target “Argonaut RISC Core” (ARC) processors, which are estimated to ship in over 1.5 billion devices such as cameras, cars, cell phones, and televisions, among others. At the time of this writing, the number of infected devices is unknown; researchers state that the malware specifically targets ARC-based Linux devices.

New KillDisk Variant Hits Financial Organizations in Latin America (January 15, 2018)
A new variant of the disk-wiping malware “KillDisk” is targeting financial organizations in Latin America, according to Trend Micro researchers. The malware appears to be dropped by another process rather than being directly installed. While running, this KillDisk variant renames its own file to “c:windows23456789.” It then walks every logical drive and randomly renames each file before deleting it. It is also capable of reading the Master Boot Record (MBR) and overwriting the Extended Boot Record (EBR).

Malicious Chrome Extensions Enable Criminals to Impact Over Half a Million Users and Global Businesses (January 15, 2018)
Researchers from the U.S.-based cyber security firm “ICEBRG” have discovered four malicious Chrome browser extensions that were available for download from the official Chrome Web Store. The four extensions, titled “Change HTTP Request Header,” “Nyoogle – Custom Logo for Google,” “Lite Bookmarks,” and “Stickies – Chrome’s Post-it Notes,” had been downloaded approximately 500,000 times in total. The extensions were designed so that a threat actor could push JavaScript code to an affected user’s browser and have it executed there. Researchers found that the actors behind this campaign used this capability for click fraud, loading a website in the background and clicking on its advertisements.

Warning: New Undetectable DNS Hijacking Malware Targeting Apple macOS Users (January 12, 2018)
A security researcher has published information regarding what may be the first reported macOS-specific malware of 2018. The malware was first identified via a post on a Malwarebytes forum. The malware, dubbed “OSX/MaMi,” is an unsigned 64-bit Mach-O executable that is reported to be similar to another malware family called “DNSChanger,” which by 2012 had infected millions of machines around the globe. DNSChanger changed a machine’s Domain Name System (DNS) server settings to route traffic through actor-controlled servers, which allowed the actors to intercept potentially sensitive data. OSX/MaMi appears to do the same thing, and in addition installs a new root certificate in an attempt to intercept encrypted communications.

Update on Pawn Storm: New Targets and Politically Motivated Campaigns (January 12, 2018)
The Advanced Persistent Threat (APT) group “APT28” has added new targets to its cyber espionage campaign “Operation Pawn Storm,” according to Trend Micro researchers. Researchers note that the group’s tactics in this campaign have remained the same: APT28 uses well-prepared, politically-themed spear phishing emails to target political organizations around the world, and has been conducting this campaign since 2015. Researchers have now observed the group distributing phishing emails that attempt to steal user credentials. In October and November 2017, APT28 sent emails purporting to be a message from the recipient’s Microsoft Exchange server regarding an expired password, and others claiming that a new file was available on the recipient company’s OneDrive system.

Hackers Make Whopping $226K Installing Monero Miners on Oracle WebLogic Server (January 11, 2018)
Researchers Johannes B. Ullrich (SANS) and Renato Marinho (Morphus Labs) have found that threat actors are actively exploiting a vulnerability in Oracle WebLogic servers. The vulnerability, registered as “CVE-2017-10271,” was patched by Oracle in October 2017; the proof-of-concept code released for it since then is likely a driving force behind the current malicious activity. Actors have been able to compromise enterprise-owned WebLogic servers and gain access to corporate networks. Interestingly, instead of stealing information, the actors installed a “Monero” cryptocurrency miner. As of this writing, they have mined approximately 611 Monero, valued at approximately $226,000 USD.

Adobe Patches Information Leak Vulnerability (January 10, 2018)
As part of Patch Tuesday, Adobe has issued a security patch for a vulnerability registered as “CVE-2018-4871,” which threat actors could exploit to leak sensitive data. The vulnerability affects Adobe Flash Player on Mac, Linux, and Windows, as well as Adobe Flash Player for the Chrome, Edge, and Internet Explorer browsers, in versions 28.0.0.126 and earlier.

Microsoft Releases Patches for 16 Critical Flaws, Including a Zero-day (January 9, 2018)
In Microsoft’s first Patch Tuesday of 2018, the company addressed 56 CVE-registered vulnerabilities across multiple products including ASP.NET, ChakraCore, Edge, Internet Explorer, and the .NET Framework. Among them is a patch for a zero-day vulnerability in Office, registered as “CVE-2018-0802,” that was observed being exploited by threat actors in the wild.

Diplomats in Eastern Europe Bitten by a Turla Mosquito (January 9, 2018)
Researchers from the IT security company ESET have released a report discussing new malicious activity attributed to the Advanced Persistent Threat (APT) group “Turla.” Researchers discovered that a custom backdoor used by the group, called “Mosquito,” was bundled with a legitimate Flash installer that appeared to have been downloaded from adobe[.]com. Turla has used fake Adobe Flash installers in previous campaigns. The group was also observed using its “Gazer” malware to target primarily consulates and embassies in Eastern Europe, although some private companies were also infected.

RIG Exploit Kit Campaign Gets Deep Into Crypto Craze (January 9, 2018)
As cryptocurrencies grow more popular, due in part to the significant rise in the value of Bitcoin, so do malicious campaigns designed to mine them. Researchers have discovered one such campaign, dubbed “Ngay,” that directs victims to the RIG exploit kit via malicious advertisements (malvertising). If a malvertisement is followed, the user’s browser is sent to RIG, which exploits it and downloads a “Monero” or “Electroneum” cryptocurrency miner onto the affected machine.

First Kotlin-Developed Malicious App Signs User Up for Premium SMS Services (January 9, 2018)
Trend Micro researchers have identified a malicious application on the Google Play store that impersonated the Android utility cleaning tool “Swift Cleaner.” The application was written in “Kotlin,” a programming language that Google announced as officially supported for Android development in May 2017. The fake application was downloaded between 1,000 and 5,000 times. It is capable of click advertisement fraud, data theft, remote code execution, URL forwarding, and signing users up for paid SMS subscription services without their permission.

Apple Releases Multiple Security Updates (January 8, 2018)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding vulnerabilities in multiple Apple products. The affected operating systems are macOS High Sierra 10.13.2, macOS Sierra 10.12.6, and OS X El Capitan 10.11.6, and the affected devices are the iPhone 5s and later, iPad Air and later, and iPod touch 6th generation. A threat actor could exploit these vulnerabilities to gain access to sensitive information.

A North Korean Monero Cryptocurrency Miner (January 8, 2018)
A new application, compiled on December 24, 2017, is being used to mine “Monero” cryptocurrency, according to AlienVault Labs researchers. The mined currency is sent to “Kim Il Sung University” in Pyongyang, North Korea. Researchers believe that the installer most likely bundles the open source Monero mining software “XMRig.” Interestingly, the hostname the miner is configured to report to no longer resolves, so on most networks XMRig cannot deliver the mined currency to the actors. Researchers believe that this, together with the use of a North Korean server, may indicate either a testing phase of a potential malicious campaign or a genuine Monero mining operation. The use of a North Korean server may also indicate that actors within the country are mining cryptocurrencies as a way to bypass United Nations sanctions. Lastly, the fact that Monero is sent to Kim Il Sung University does not necessarily attribute this activity to a North Korean citizen, because the university is “unusually open” and analysis of the code samples reveals French text.


Source: Honeypot Tech

Anomali Raises $40 Million in Series D Funding

Today I’m pleased to share the news of our latest fundraising efforts, and the addition of Lumia Capital, Deutsche Telekom Capital Partners, Telstra Ventures and Sozo Ventures to the Anomali family. With this funding, we’ll continue to invest in developing innovative threat management and collaboration solutions and expand our global reach.

This milestone comes on the heels of a very exciting 2017 at Anomali – a year in which we:

On the Products and Engineering side we kept the teams very busy, rolling out release after release with tons of new capabilities and functionality to help organizations stay ahead of threats and react more quickly and efficiently. Here’s a sampling of the updates:

  • ThreatStream: added Phishing Indicator extraction, bi-directional STIX/TAXII 2.0 support, multi-analyst collaboration on threat bulletins, powerful new rules engine that can trigger automated actions
  • Anomali Enterprise: launched AE 3.0 including updated UI with streamlined workflows and new dashboards; released Real Time Forensics for automatic threat indicator detection, and added malware family attribution for DGA domains
  • STAXX: released STAXX 2.0 (and, more recently 3.0) including bidirectional threat sharing, support for STIX/TAXII 2.0, threat indicator expansion on STAXX portal, Anomali Limo feed integration, and STIX/TAXII “bridge” translator between v1.0 and 2.0
  • Limo: launched a free collection of threat intelligence feeds, curated by the Anomali Intelligence Acquisition Team, and fully integrated with STAXX.

The best news of all is the growth in our relationship with you. In 2017 we saw record customer growth and added many new ISACs, ISAOs and other threat sharing communities to the Anomali platform. 2018 is already off to a fast start and we are looking forward to another exciting year working closely with our customers and partners.

Hope to see you at our Detect ’18 Conference!



The Rise of Malware Using Legitimate Services for Communications

Malware often includes the ability to communicate with attacker-controlled systems on the Internet from inside compromised networks. This gives the attacker several important capabilities.

Some examples of this communication include:

  • Receive “heartbeats” to maintain an inventory of compromised systems
  • Send remote-control commands and receive the results of those commands
  • Exfiltrate data from inside compromised networks
  • Send updates or new capabilities to already compromised hosts

This communication between malware and attacker-controlled servers on the Internet is commonly referred to as “command and control” (C2). Outside of detecting the malware itself, C2 traffic is also a primary area of focus for security software trying to detect infections.

As defenders have gotten better at detecting Internet hosts and domains used for malware command and control, attackers have had to develop countermeasures to stay ahead of detection and blocking efforts. Techniques such as Domain Generation Algorithms (DGAs) have been employed to evade the traditional blocklist-based detection defenders put in place.

One of the newer evolutions in malware capabilities is the use of legitimate services as a conduit for command and control. Imagine malware that uses GitHub, Google Docs, or Facebook to communicate with its operators. Defenders are left trying to discern legitimate traffic from malicious traffic when both are encrypted and both go to the same popular, entirely legitimate services on the Internet. The common name for this technique is “Legit Services C2.”

A variety of legitimate services seen abused for C2

There are many services across the Internet that could be used for malware command and control, and because new services are constantly appearing, there is essentially an unlimited supply of options for legit-services C2.

We did some detailed research into malware that uses legit services for C2. We identified a number of malware families that have been observed taking advantage of legit services, and we dig into how that malware uses the services for C2. Finally, we offer some suggestions for sifting malware usage from legitimate usage of these services. We packed all of this research into a white paper titled “Rise of Legit Services for Backdoor Command and Control,” which can be downloaded here without registration. Please feel free to use this research; we hope that others will expand on it.
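One practical way to start sifting malware traffic from legitimate use of these services, as an added example that is not part of the original post or the white paper: score each (client, service) pair seen in proxy logs on two signals a backdoor rarely hides, periodic polling and a non-browser client. The proxy log layout, the watched service list, the thresholds and the sample traffic are all constructed assumptions made for this example, not any real product’s format or data.

```python
"""Heuristics for spotting legit-services C2 in web-proxy logs.

Added example for this post, not code from the Anomali white paper.
A backdoor that relays through GitHub, Google Docs, Pastebin or similar still
has to poll that service, and the polling usually differs from a person in two
observable ways: requests arrive at a near-fixed interval, and the client is a
script (python-requests, curl, PowerShell) rather than a browser. The log layout
'timestamp|src_ip|host|method|user_agent', the host list and the thresholds are
assumptions made for this example, not those of any real product.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Services commonly abused as C2 relays (assumption: adapt to your environment).
LEGIT_C2_HOSTS = {
    "api.github.com", "raw.githubusercontent.com",
    "docs.google.com", "pastebin.com", "graph.facebook.com",
}
# Substrings a real browser User-Agent carries; scripted clients usually lack all of them.
BROWSER_UA_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/", "Edge/")


def parse_line(line):
    """Split one proxy line (constructed format) into a dict; timestamp is ISO-8601."""
    ts, src, host, method, ua = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "host": host, "method": method, "ua": ua}


def interval_cv(timestamps):
    """Coefficient of variation of the gaps between successive requests.

    0.0 is perfectly periodic; bursty human browsing scores much higher.
    Returns None when fewer than three requests make the measure meaningless.
    """
    if len(timestamps) < 3:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return statistics.pstdev(gaps) / mean


def score_pairs(lines, min_hits=5, max_cv=0.25):
    """Return {(src_ip, host): [reasons]} for pairs that look like C2 beaconing."""
    by_pair = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec["host"] in LEGIT_C2_HOSTS:
            by_pair[(rec["src"], rec["host"])].append(rec)

    findings = {}
    for pair, recs in by_pair.items():
        reasons = []
        cv = interval_cv([r["ts"] for r in recs])
        if len(recs) >= min_hits and cv is not None and cv <= max_cv:
            reasons.append(f"periodic polling: {len(recs)} hits, interval CV={cv:.2f}")
        scripted = sorted({r["ua"] for r in recs
                           if not any(m in r["ua"] for m in BROWSER_UA_MARKERS)})
        if scripted:
            reasons.append("non-browser User-Agent: " + ", ".join(scripted))
        if reasons:
            findings[pair] = reasons
    return findings


# Constructed sample traffic for the example (not real logs).
SAMPLE_LOG = [
    # 10.0.0.5 polls api.github.com about once a minute from a Python script.
    "2018-01-16T09:00:00|10.0.0.5|api.github.com|GET|python-requests/2.18.4",
    "2018-01-16T09:01:01|10.0.0.5|api.github.com|GET|python-requests/2.18.4",
    "2018-01-16T09:02:00|10.0.0.5|api.github.com|GET|python-requests/2.18.4",
    "2018-01-16T09:03:02|10.0.0.5|api.github.com|GET|python-requests/2.18.4",
    "2018-01-16T09:03:59|10.0.0.5|api.github.com|GET|python-requests/2.18.4",
    "2018-01-16T09:05:00|10.0.0.5|api.github.com|GET|python-requests/2.18.4",
    # 10.0.0.7 is a person editing a document: bursty timing, browser User-Agent.
    "2018-01-16T09:00:00|10.0.0.7|docs.google.com|GET|Mozilla/5.0 (Windows NT 10.0) Chrome/63.0",
    "2018-01-16T09:00:20|10.0.0.7|docs.google.com|POST|Mozilla/5.0 (Windows NT 10.0) Chrome/63.0",
    "2018-01-16T09:07:45|10.0.0.7|docs.google.com|POST|Mozilla/5.0 (Windows NT 10.0) Chrome/63.0",
    "2018-01-16T09:30:10|10.0.0.7|docs.google.com|GET|Mozilla/5.0 (Windows NT 10.0) Chrome/63.0",
    # 10.0.0.9 fetches a single paste with curl: too few hits to time, but not a browser.
    "2018-01-16T09:12:33|10.0.0.9|pastebin.com|GET|curl/7.55.1",
    # Traffic to a host outside the watch list is ignored.
    "2018-01-16T09:13:00|10.0.0.7|www.example.com|GET|Mozilla/5.0 (Windows NT 10.0) Chrome/63.0",
]


if __name__ == "__main__":
    for (src, host), reasons in sorted(score_pairs(SAMPLE_LOG).items()):
        print(f"{src} -> {host}")
        for reason in reasons:
            print("   ", reason)
```

Real backdoors frequently add jitter or long sleeps between polls, so treat the CV threshold as a starting point and pair it with per-host volume and time-of-day baselines. Legitimate automation (CI runners polling GitHub, monitoring scripts) will also trip the User-Agent check, so the output is a triage queue for an analyst rather than a verdict.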



WTB: Malicious Document Targets Pyeongchang Olympics

The intelligence in this week’s iteration discusses the following threats: Banking trojan, Botnet, Credit card theft, Data breach, Hardcoded backdoor, Malicious applications, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Hardcoded Backdoor Found on Western Digital Storage Devices (January 8, 2018)
GulfTech researcher James Bercegay discovered vulnerabilities in Western Digital’s “WDMyCloud” firmware prior to version 2.30.165. The unrestricted file upload vulnerabilities affect multiple MyCloud products. In addition, some MyCloud products were found to contain a hardcoded administrator account that can function as a backdoor. The upload vulnerabilities can be exploited to gain remote root code execution on the affected personal cloud storage units by sending a crafted HTTP POST request. Furthermore, once logged in to, the backdoor administrator account can function as a root shell from which actors can execute arbitrary commands.

Malicious Document Targets Pyeongchang Olympics (January 6, 2018)
A new phishing campaign has been identified targeting organizations associated with the Pyeongchang Olympics, according to McAfee researchers. The actors behind this campaign are distributing malicious Microsoft Word documents whose original file name is “Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics.” The campaign primarily targets organizations in South Korea. If the Word document is opened, it asks the recipient to “Enable Content,” which, if enabled, launches an obfuscated PowerShell script. The script sets up communication with a Command and Control (C2) server for additional instructions, some of which were observed to execute commands on the infected machine to download additional malware.

Microsoft Issues Warning for Meltdown Fix (January 5, 2018)
Microsoft has issued security updates outside of its typical Patch Tuesday cycle in response to a vulnerability dubbed “Meltdown,” registered as “CVE-2017-5754,” that affects Intel CPUs. The Meltdown vulnerability allows normal applications to read the content of private kernel memory. This could expose sensitive information, especially on machines running cloud-based workloads. In addition, the Meltdown fix itself, rather than the vulnerability, can cause compatibility issues with some antivirus tools.

LightsOut: Shining a Light On Malicious Flashlight Apps on Google Play (January 5, 2018)
22 applications in the Google Play store were identified that contain scripts which override a user’s ability to disable advertisements and hide the application’s own icon in an attempt to prevent removal, according to Check Point researchers. The malware, dubbed “LightsOut,” was found inside flashlight and utility applications that together had between 1.5 million and 7.5 million downloads.

Avamar Zero-day (January 4, 2018)
Digital Defense researchers have released information regarding three vulnerabilities, registered as “CVE-2017-15548,” “CVE-2017-15549,” and “CVE-2017-15550,” in Dell EMC’s “Data Protection Suite Family” products. The affected products are “Avamar Server” versions 7.1.x, 7.2.x, 7.3.x, 7.4.x, and 7.5.0; NetWorker Virtual Edition versions 9.0.x, 9.1.x, and 9.2.x; and Integrated Data Protection Appliance version 2.0. The vulnerabilities allow authenticated arbitrary file access and file upload in “UserInputService,” and an authentication bypass in “SecurityService.” Combined, the three vulnerabilities can be exploited by an actor to obtain root access on an affected machine.

Reading Privileged Memory with A Side-Channel (January 3, 2018)
Google’s Project Zero team has released a report regarding three vulnerabilities, registered as “CVE-2017-5753,” “CVE-2017-5715,” and “CVE-2017-5754,” that affect modern processors from AMD, ARM, and Intel. The three variants are known as bounds check bypass (CVE-2017-5753), branch target injection (CVE-2017-5715), and rogue data cache load (CVE-2017-5754); exploiting them lets an unprivileged process read memory it should not have access to via a side channel. The first two are collectively known as “Spectre” and the third as “Meltdown.”

New Python-based Crypto-Miner Botnet Flying Under The Radar (January 3, 2018)
A new cryptocurrency mining botnet, dubbed “PyCryptoMiner,” has been observed infecting machines by brute forcing SSH credentials, according to F5 researchers. The Linux botnet malware is written in Python and uses the text-storing website “Pastebin[.]com,” under the username “WHATHAPPEN,” to retrieve a new Command and Control (C2) address if the original C2 server is unreachable. Researchers have also observed that the malware has scanning capabilities that search for JBoss servers vulnerable to “CVE-2017-12149.” The botnet mines “Monero” cryptocurrency on infected devices.

Satori IoT Botnet Malware Code Given Away for Christmas (January 3, 2018)
An unknown threat actor has publicly posted exploit code for a vulnerability, registered as “CVE-2017-17215,” on “Pastebin[.]com.” The vulnerability affects “Huawei HG532” routers. Prior to the posting, the vulnerability had already been used by two Internet-of-Things (IoT) malware families, “Satori” and “Brickerbot.”

Android Banking Trojan Targets More Than 232 Apps Including Apps Offered by Indian Banks (January 3, 2018)
Researchers from Quick Heal Security Labs have detected an Android banking trojan that targets approximately 232 apps. The trojan is distributed through a fake Flash Player application hosted on third-party app stores. Once installed, the application asks the user to grant it device administrator rights. It then looks for the 232 targeted applications on the device, mainly banking and cryptocurrency apps; if one is found, a notification is shown and, if the user taps it, a fake login page is displayed that harvests the user’s credentials. The trojan can also exfiltrate contacts, location, and SMS messages from the device.

VMware Releases Security Updates (January 2, 2018)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding vulnerabilities in VMware’s “vSphere Data Protection.” vSphere Data Protection is a backup and recovery solution for vSphere environments, according to VMware, and is built on Avamar, so the vulnerabilities, registered as “CVE-2017-15548,” “CVE-2017-15549,” and “CVE-2017-15550,” are the same issues described in the Avamar entry above. The company ranks them as critical severity; they could be exploited to give a threat actor root access to an affected machine.

Forever 21 Breach Lasted Over Seven Months (January 2, 2018)
The U.S.-based retail store “Forever 21” has made a statement regarding its investigation into a data breach that was first confirmed in November 2017. At that time, the company said that the breach affected card transactions at its stores from March to October 2017. Now Forever 21 has changed the timeframe in which card transactions were potentially compromised to April through November 2017. The retail company also stated that encryption features for Point of Sale (POS) machines at various locations were turned off during the April through November 2017 timeframe. This could allow threat actors to more easily steal payment data as it was processed. Additionally, the company identified malware “installed on some devices in some U.S. stores at varying times during the period from April 3, 2017 to November 18, 2017.”



What is Strategic Threat Intelligence?

This is the second blog in a series called, “What is Threat Intelligence?”  The first blog in the series can be found here.  Stay tuned for future installments in this series.

Maintaining a strong security posture requires developing and answering many questions specific to the organization. Many of these questions must be answered continually as situations and environments evolve. Will bringing in additional security solutions really provide that much more additional protection? Is it worth the cost to update each and every legacy system? Who are my adversaries and how might they attack me? Many organizations choose to tackle these questions and make more informed decisions with context from threat intelligence. This curated information is generally divided into three subsets:

  • Strategic intelligence – who/why
  • Operational intelligence – how/where
  • Tactical intelligence – what

Strategic intelligence (who/why) is the 100,000-foot view, providing a big-picture look at how threats and attacks are changing over time. Strategic intel may be able to identify historical trends, motivations, or attributions as to who is behind an attack. Who is attacking you and why? Who might attack organizations in your sector? Why are you within scope for an attack? What are the major trends happening? What kinds of things do you need to do to reduce your risk profile? Knowing the who and why of your adversaries also provides clues to their future operations and tactics. This makes strategic intelligence a solid starting point for deciding which defensive measures will be most effective.

Strategic intelligence might include information on the following topic areas:

  • Attribution for intrusions and data breaches
  • Actor group trends
  • Targeting trends for industry sectors and geographies
  • Mapping cyber attacks to geopolitical conflicts and events (South China Sea, Arab Spring, Russia-Ukraine)
  • Global statistics on breaches, malware and information theft
  • Major attacker TTP changes over time

For example, if you are in the education sector, you may wonder which nation states and which groups you should be concerned about, and where you need to focus your resources to reduce the risk of an intrusion and theft of intellectual property. Or perhaps you know you are in an industry or region that is frequently targeted by the actor APT29 and want to understand that group. The two profiles below illustrate both cases.

Strategic Intelligence for the Education Sector

Academic networks typically possess diverse infrastructure with a relatively large volume of connected devices and high bandwidth, but are notoriously challenging to adequately secure and monitor, making them prime targets for actors interested in exploiting them. A variety of actors routinely target these networks, including Advanced Persistent Threat (APT) groups conducting cyber espionage and likely using institutions’ networks to launch attacks against third parties, financially motivated actors seeking to steal information and monetize it, and hacktivists and similar groups seeking to promote their messages and causes. We assess with high confidence that actors will continue to target the education sector for the foreseeable future due to the perceived value of the information stored on school networks, demonstrated ease of using network infrastructure for launching further operations, and the inherent difficulties administrators face in securing them.

  • Cyber espionage continues to pose the greatest threat to the education industry. China, Russia, Iran and South Korea have demonstrated the capability and willingness to conduct extensive reconnaissance activity and espionage against educational entities.
    • Motivations include strategic and business intelligence, economic advantage, regional interests, and monitoring citizens abroad.
    • China–based groups and campaigns include APT22, Menupass Team, and unnamed groups.
    • APT29, a cyber espionage actor with a Russia nexus.
    • Beanie Team, a cyber espionage actor with an Iran nexus.
    • Fallout Team, a cyber espionage actor with a South Korea nexus.
    • We have also observed unknown cyber espionage actors targeting the education industry.

Strategic Intelligence for APT29

  • APT29 engages in cyber espionage operations where the primary goal appears to be data theft. APT29’s targets include Western governments, foreign affairs and policy making bodies, government contractors, universities, and media outlets. Based on available data, we assess with high confidence that APT29 is a nation-state sponsored group located in Russia.
  • APT29 appears to have formidable capabilities, including a range of custom developed tools, extensive command-and-control (C2) infrastructure that includes compromised and satellite infrastructure (via satellite service providers), and savvy operational know-how. Unlike many other Russian attack groups, APT29 continues to operate after it has been detected. APT29 has demonstrated a high regard for OPSEC, and is aggressive in continuing operations and in its efforts to evade investigators and remediation attempts.
  • APT29 appears highly interested in European government and foreign policy issues, with a significant emphasis on the Russia-Ukraine conflict. APT29 has targeted several Western national government and foreign policy entities, defense and government contractors, and academic institutions.

Using Strategic Intelligence

Strategic threat intelligence is built upon a huge body of knowledge and includes expert opinions and insights that are based on aggregating both operational and tactical intelligence from known cyber attacks.

There are many uses for strategic intel including, but not limited to, the following:

  • Inform your executive leadership about high risk threat actors, relevant risk scenarios, and threat exposure in the public-facing technology sphere and criminal underground.
  • Perform a thorough risk analysis and review of the entire technology supply chain.
  • Learn which commercial ventures, vendors, partner companies, and technology products are most likely to increase or decrease risk to your enterprise environment.

Next up – What is Operational Threat Intelligence?



WTB: macOS Exploit Published on the Last Day of 2017

The intelligence in this week’s iteration discusses the following threats: Data leak, Information stealing malware, Malspam, Misconfigured Database, Phishing, RAT, Vulnerabilities, and Zero-day. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

macOS Exploit Published on the Last Day of 2017 (January 2, 2018)
A security researcher going by the alias “Siguza” has published a zero-day vulnerability that affects all versions of the Mac operating system (macOS) since at least 2002. Siguza did not notify Apple prior to publishing a write-up of the vulnerability, which lies in the “IOHIDFamily” macOS kernel extension. According to Siguza, the vulnerability is a Local Privilege Escalation (LPE) flaw that an actor can exploit only with local access to, or a prior malware infection of, the affected machine.

Resume-Themed Malspam Pushing Dreambot Banking Trojan (December 29, 2017)
Researchers have observed a new malspam campaign that is distributing the “Dreambot” banking trojan. In the emails, the actors behind this campaign purport to be sending the recipient a resume to consider. The actors also include “Happy New Year” in the email in an attempt to stay relevant to the current timeframe and to attempt to add legitimacy to the emails. The “resume” attachment is a zip file that, if opened, will extract a JSE file (JScript) and begin the infection process for Dreambot.

Flaws in Sonos and Bose Smart Speakers Let Hackers Play Pranks on Users (December 27, 2017)
Trend Micro researcher Stephen Hilt has discovered that some “Bose” and “Sonos” smart speakers are affected by vulnerabilities that could allow a threat actor to take over the device. The vulnerabilities can also be exploited by actors performing reconnaissance against a corporate network, or to gather information stored on the device for use in more convincing phishing attacks. Researchers report that the affected smart speakers are the “Sonos Play:1” and “Bose SoundTouch,” although it is possible that more models are also affected.

Mozilla Releases Security Update for Thunderbird (December 25, 2017)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding multiple vulnerabilities in Mozilla’s “Thunderbird” platform. Mozilla’s security advisory lists five vulnerabilities that affect Thunderbird 52.5.2. Out of the vulnerabilities, two are listed as critical, two as high, and one as low. Some of the vulnerabilities allow remote code execution.
Click here for Anomali recommendation

Vulnerability Affects Hundreds of Thousands of IoT Devices (December 25, 2017)
Researchers have discovered a vulnerability, registered as “CVE-2017-1756,” in a web server package called “GoAhead” created by the company “Embedthis Software.” GoAhead is embedded in hundreds of thousands of IoT devices and is also deployed inside products from vendors such as Comcast, Oracle, and HP, among others. Elttam researchers identified a method in which they could execute malicious code remotely on any device that used the GoAhead web server package.
Click here for Anomali recommendation

Malspam Uses CVE-2017-0199 To Distribute Remcos RAT (December 22, 2017)
Researchers have discovered that threat actors are exploiting the Microsoft Office/WordPad remote code execution vulnerability registered as “CVE-2017-0199” to distribute the “Remcos” Remote Access Trojan (RAT). The malspam emails claim that the attached invoice is incorrect, and request that the recipient make an amendment so that the sender, “Helen Rowe” of the “Purchasing Department,” can process the payment. The attachment is an RTF file which, if opened, will present a prompt that requests the user to update the document with data from linked files. Clicking yes, and subsequently running the executable, will infect the user with Remcos.
Click here for Anomali recommendation

Huawei Home Routers in Botnet Recruitment (December 21, 2017)
An updated variant of the notorious denial-of-service “Mirai” malware called “Satori” is being used to target a zero-day vulnerability in “Huawei” routers, according to Check Point researchers. A threat actor is exploiting a vulnerability, registered as “CVE-2017-17215,” that affects Huawei routers. The threat actor behind this campaign is believed to go by the alias “Nexus Zeta.”
Click here for Anomali recommendation

Digmine Cryptocurrency Miner Spreading via Facebook Messenger (December 21, 2017)
Trend Micro researchers have discovered that threat actors are distributing cryptocurrency miner malware, dubbed “Digmine,” via Facebook Messenger. The malware only affects Messenger’s desktop/web browser version on Chrome. Digmine is being propagated to build a cryptocurrency mining botnet: it installs an auto-start mechanism on infected machines and then uses Messenger again to attempt to infect further machines. Digmine is capable of mining the “Monero” cryptocurrency. The threat actors are sending zip files to the victims’ “friends” that will begin the infection process if opened.
Click here for Anomali recommendation

CVE-2017-11882 Exploited to Deliver a Cracked Version of the Loki Infostealer (December 20, 2017)
A new campaign has been found to be delivering a “cracked” version of the “Loki” information stealing malware, according to Trend Micro researchers. Threat actors are using a pirated version of Loki that is being distributed via spam emails that masquerade as an Australian shipping company with an attached receipt. The emails contain a malicious .docx file that then drops a Rich Text Format (RTF) file. The RTF file exploits the Microsoft Office vulnerability registered as “CVE-2017-11882” to download an HTML Application (HTA) dropper that then downloads the Loki payload.
Click here for Anomali recommendation

Home Economics: How Life in 123 Million American Households Was Exposed Online (December 20, 2017)
The UpGuard Cyber Risk Team has discovered that a cloud-based repository belonging to the California-based data analytics firm “Alteryx” was configured for public access. Specifically, the repository was an Amazon Web Services (AWS) S3 cloud storage bucket located on an Alteryx subdomain. The exposed data consists of Personally Identifiable Information (PII) such as financial history and mortgage ownership, in addition to 248 categories of specific data types within the AWS bucket.
Click here for Anomali recommendation
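The Alteryx exposure above came down to a storage bucket whose access settings allowed anyone to read it. One way to catch that class of misconfiguration before it ships is to scan bucket policies for Allow statements that grant read actions to an anonymous principal. The following is an added example, not code from Anomali or UpGuard; the bucket policies and account ID in it are constructed, and the only assumption is the standard AWS policy document shape (`Statement`, `Effect`, `Principal`, `Action`, `Condition`).

```python
import json

# Constructed sample policies for illustration; not taken from any real incident.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",                       # anyone on the internet
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-analytics-bucket",
                     "arn:aws:s3:::example-analytics-bucket/*"],
    }],
})

CONDITIONAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CorpRangeOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},              # also anonymous, but restricted by a condition
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-analytics-bucket/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
})

PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnalystsOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/analyst"},  # constructed account id
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-analytics-bucket/*",
    }],
})

# Actions that let a caller enumerate or download objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:list*", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (and any other service/federated wildcard)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_read_statements(policy_json):
    """Return (Sid, has_condition) for every Allow statement that grants read
    actions to an anonymous principal. Statements with a Condition are still
    reported, flagged True, because the condition needs a human to judge."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            findings.append((stmt.get("Sid", "<no Sid>"), bool(stmt.get("Condition"))))
    return findings


if __name__ == "__main__":
    for name, doc in [("public", PUBLIC_READ_POLICY),
                      ("conditional", CONDITIONAL_POLICY),
                      ("private", PRIVATE_POLICY)]:
        print(name, public_read_statements(doc))
```

This checks only the bucket policy. A bucket can also be opened up through its ACL (the older “public-read” canned grants), and an explicit Deny elsewhere in the policy can override an Allow, so treat a hit here as a lead for review rather than the whole picture.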

Hidden Backdoor Found In WordPress Captcha Plugin Affects Over 300,000 Sites (December 19, 2017)
Researchers have found that a plugin available for WordPress websites created by the developer “BestWebSoft” was modified by the buyer. The plugin was a Captcha that was modified in such a way that it operated as a backdoor that had the ability to affect approximately 300,000 WordPress websites. An actor could use the backdoor to gain administrator privileges on the affected website.
Click here for Anomali recommendation

Cyberespionage Campaign Sphinx Goes Mobile With AnubisSpy (December 19, 2017)
Trend Micro researchers have discovered malicious applications that made their way into the Google Play store. The applications were identified to contain malware dubbed “AnubisSpy” and are believed to be linked to a cyber espionage campaign called “Sphinx.” Researchers attribute this campaign to the Advanced Persistent Threat group “APT-C-15.” The AnubisSpy malware is capable of stealing various forms of data from an infected device, in addition to recording and stealing audio.
Click here for Anomali recommendation

TelegramRAT Evades Traditional Defenses via the Cloud (December 18, 2017)
The Remote Access Trojan (RAT) called “TelegramRAT” is being distributed by threat actors via a malicious Microsoft Office document, according to Netskope Threat Research Labs. TelegramRAT exploits the Microsoft vulnerability registered as “CVE-2017-11882.” Additionally, the malicious Office document uses the “Bit.ly” URL shortening service to hide TelegramRAT which is hosted on Dropbox. The RAT uses the messaging service “Telegram’s” BOT API to send and receive commands. TelegramRAT is capable of numerous malicious functions, including stealing various forms of data and deleting evidence of its presence.
Click here for Anomali recommendation

CHM Badness Delivers a Banking Trojan (December 18, 2017)
SpiderLabs researchers have discovered a malspam campaign that is targeting Brazilian institutions with the “Bancos” banking trojan. The threat actors behind this campaign are distributing the trojan via malspam emails that utilize Compiled HTML (CHM) file attachments. This tactic allows actors to conceal malicious downloader code in files and make them more difficult to detect. If the CHM is opened and subsequently decompressed by its default application, “Microsoft Help Viewer”, the HTML objects will run a JavaScript function that begins the Bancos infection process.
Click here for Anomali recommendation


Source: Honeypot Tech

12 Days of Threats

On the first day of Christmas a hacker stole from me,
Thousands in my favorite cryptocurrency…
On the second day of Christmas a hacker stole from me,
Two plain-text passwords and thousands in my favorite cryptocurrency…

We’re sure by now you’ve heard too much Christmas music, so we’ll spare you a full rendition. However, as we approach the end of the year, we’d like to reflect on some of the year’s most notable cyber events.

Freedom Hosting II

Threat description: February 2017 – A first-time hacker from Anonymous took down approximately 20% of all Dark Web traffic this year by breaching Freedom Hosting II (FH2), a Dark Web hosting provider. Anonymous posted messages on all of these sites explaining they did this because FH2 provided services to child pornography and scamming sites. The hackers initially tried to ransom the Freedom Hosting II database for .1 Bitcoin (a little over $100), but later released the information publicly. This information included plain-text emails and passwords, site users, personal information about site administrators, and a write-up of how they breached the systems.

Holiday gift: Bad guys get empty stockings and empty sites

Cloudbleed

Threat description: February 17th, 2017 – Internet infrastructure and security company Cloudflare wasn’t directly targeted by a malicious attack, but likely felt their fair share of panic this year. A security bug affected Cloudflare’s reverse proxies, unwittingly leaking data from Cloudflare customers to other customers. Personally Identifiable Information (PII) was downloaded by crawlers and users during everyday activity. This data included full HTTPS requests and responses, client IP addresses, cookies, and passwords. Tavis Ormandy of Google Project Zero, who first identified the issue, was able to get Cloudflare servers to return private messages from dating sites, full messages from chat services, online hotel bookings, and online password manager data. Cloudflare has since reported on the potential impact of the bug.

Holiday gift: Proof that collaboration can identify and fix issues before a malicious actor takes advantage

Wikileaks CIA Vault 7

Threat description: March 7th, 2017 – This year Wikileaks released thousands of pages of CIA software tools and techniques allegedly created in collaboration with British intelligence. This trove of documents, titled Vault 7, serves as a catalogue of advanced tactics for surveillance and cyber warfare, including how to hack into smartphones, computers, and Internet-connected TVs. The CIA has not confirmed the authenticity of these documents, but officials speaking anonymously have indicated that the information from Vault 7 is genuine. Wikileaks has not identified the source of the information. The existence of such documents is not necessarily surprising, but the scope of tools and procedures is alarming. Instructions are also available for compromising Skype, Wi-Fi networks, PDF documents, commercial antivirus programs, WhatsApp, Signal, and Telegram.

Holiday gift: The CIA is there to listen when we have a long day. Now we can be a good friend and hear a bit about theirs as well.

Shadow Brokers

Threat description: The Shadow Brokers first came to public attention with an announcement on Pastebin.com offering tools stolen from the NSA’s hacking division, officially called Tailored Access Operations and colloquially called the Equation Group. Few people offered to take the bait, so The Shadow Brokers chose to publicly release some of the information – all unredacted. The exploits they have released are older and often already patched, but still have significant potential for damage. For example, the NSA backdoor used in the WannaCry ransomware, DOUBLEPULSAR, came from one of the Shadow Brokers’ leaks. As of yet it’s unknown exactly who the Shadow Brokers are.

Holiday gift: Catalogues more interesting than SkyMall.

WannaCry

Threat description: May 12th, 2017 – The WannaCry ransomware outbreak serves as evidence that weapons-grade cyber attacks developed by nation states are now being used for profit. WannaCry was one of the first examples of ransomware that had the ability to spread to other (Windows) computers on its own, similar to malware of the past like Conficker. The ransomware was able to spread on its own by scanning for systems vulnerable to MS17-010, exploiting them, and then using a recently leaked NSA backdoor to install the ransomware on the system. Both the exploit, called ETERNALBLUE, and the backdoor, DOUBLEPULSAR, came from the recent “Lost in Translation” dump leaked by the Shadow Brokers. The United States government has officially blamed North Korea for WannaCry.

Holiday gift: Some tissue for those impacted by WannaCry.

Petya/NotPetya/Nyetya/PetrWrap

Threat description: June 27th, 2017 – The Petya malware rapidly spread across Europe and North America and infected tens of thousands of systems in more than 65 countries. The Petya ransomware trojan is speculated to be a part of a Ransomware-as-a-Service (RaaS) malware family that was first advertised by Janus Cybercrime Solutions as a RaaS in late 2015. The initial infection vector is believed to be contaminated software updates from Ukrainian financial tech company MeDoc. Anton Geraschenko, an aide to the Ukrainian Interior Minister, has stated that this infection was “the biggest in Ukraine’s history.” The estimated damages associated with NotPetya reached into the millions for companies like French construction group Saint-Gobain, who lost an estimated $387 million.

Holiday gift: Nothing. Ransomware still sucks 🙁

Hackers Target Nuclear Facilities

Threat description: July 2017 – Critical infrastructure such as nuclear and energy facilities are frequently targeted by advanced persistent threat actors. Early this year the Department of Homeland Security and the Federal Bureau of Investigation released a joint report indicating that companies such as the Wolf Creek Nuclear Operating Corporation had been targeted by hackers. The various attack methods included targeted emails with malicious Word docs, man-in-the-middle attacks (redirecting internet traffic through malicious machines), and watering hole attacks (compromising legitimate websites). Evidence points to Russian hacking group “Energetic Bear” as the culprit. Luckily, no real damage was done.

Holiday gift: Energy sector > energetic adversaries

Ethereum

Threat description: July 2017 – Popular computer platform Ethereum was victim to multiple hacks in 2017. On separate occasions cyber criminals stole more than $1 million, $7.4 million, and later $32 million worth of “ether” tokens, the second most widely-used cryptocurrency. For the latter hack, white hat hackers (the good guys) drained $75 million worth of ether from other accounts to protect it from thieves by exploiting the same vulnerability. Ethereum’s problems didn’t end there: a glitch later in the year caused $300 million to be frozen in Parity multi-signature wallets. Parity Technologies suggested a fork (think hard reset) to “unlock” the funds, like the one enacted after the DAO hack.

Holiday gift: We’ve identified a better solution than Nutcrackers for a tough nut to crack – white hat hackers.

MongoDB

Threat description: September 2017 – Open-source document database MongoDB had over 27,000 databases wiped and ransomed for their restoration. The targeted databases were running with default settings, making it easy for attackers to find and exploit them. Unfortunately, many of the companies that paid the ransom were never given back their data. Without proper management of permissions and settings, services like MongoDB present an easy opportunity for attackers.

Holiday gift: Security best practices from MongoDB, and a reminder of their importance. This holiday season try to look at security not as the often-ignored fruitcake, but as the delicious frosting keeping your internet gingerbread house together.

Campaign Hacks

Threat description: 2017 – After the direct foreign influence in the 2016 U.S. presidential election, many were left wondering if the numerous European elections of 2017 would encounter the same challenges. In the Netherlands’ March election, concerns over security were so great that every vote was counted by hand. Interior Minister Ronald Plasterk directly cited Russia as a factor in this decision, along with insecure and outdated counting software. The Macron campaign of France, knowing that a targeted attack was inevitable, engaged in a “cyber-blurring” strategy. Fake email accounts were seeded with false documents to slow down hackers. The French government cyber security agency ANSSI later confirmed attacks on the Macron campaign, but did not officially name Russia as the culprit. The German election did not encounter any direct interference, but they did have a bit of a scare – IT specialists Thorsten Schröder, Linus Neumann and Martin Tschirsich analyzed German voting count software and found numerous security flaws. Overall, it appears that most of the elections were carried out relatively unscathed.

Holiday gift: Putin snuck his way onto the nice list last year and got a bald eagle as an early Christmas gift. This year the EU got him for Secret Santa and gave him nada.

Equifax Data Breach

Threat description: September 7th, 2017 – Equifax announced a major data breach to their systems, exposing data associated with approximately 143 million Americans, 400,000 Britons, and 100,000 Canadians. The exposed data contained a host of Personally Identifiable Information (PII), including addresses, Date of Birth (DOB), full names, dispute documents, and of course Social Security Numbers (SSNs). The exploited vulnerability, “CVE-2017-5638,” was issued a patch in March of 2017, which Equifax failed to apply. With half the population of the United States’ information now exposed, many are calling into question the viability of the Social Security Number system. People should keep on alert for fraud.

Holiday gift: Free credit report monitoring from the same company that lost your information in the first place

BadRabbit

Threat description: October 24th, 2017 – Yet another large ransomware campaign targeted entities in Russia and Eastern Europe and affected predominantly news and media websites. The initial infection was believed to occur via compromised Russian websites (drive-by downloads) serving a fake Adobe Flash Player installer. The ransomware was able to propagate itself through networks via Server Message Block (SMB). Bad Rabbit bears similarities to the WannaCry and Petya ransomware outbreaks earlier in the year.

Holiday gift: A reminder of the movie Donnie Darko. That’s about it.



WTB: New GnatSpy Mobile Malware Family Discovered

The section below contains summaries of various threat intelligence stories that occurred during the past week. The intelligence in this week’s iteration discusses the following threats: ATM theft, Data leak, Malspam, Mobile malware, Phishing, Targeted attacks, Threat group, Underground markets, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Jack of All Trades (December 18, 2017)
A new mobile malware is targeting Android devices, according to Kaspersky Lab researchers. The malware, called “Loapi,” is being called a “jack of all trades” malware because of the numerous malicious capabilities that have been observed. The modular architecture of the malware allows it to perform different malicious actions such as displaying advertisements, launching Distributed Denial-of-Service (DDoS) attacks, mining cryptocurrency, sending SMS messages, and subscribing to paid services, among others. Researchers note that the modular architecture could allow the actors behind the malware to add new features at any time. The malware was observed to impersonate antivirus and adult-related applications.
Click here for Anomali Recommendation

New GnatSpy Mobile Malware Family Discovered (December 18, 2017)
In early 2017, researchers discovered that a threat group, dubbed “Two-tailed Scorpion/APT-C-23,” was targeting Middle Eastern organizations with the “Vamp” and later the “FrozenCell” malware. Now Trend Micro researchers have discovered a new mobile malware family, dubbed “GnatSpy,” that is believed to be a new variant of “Vamp.” As of this writing, researchers do not know how the threat group is distributing the malware to Android devices. However, it is possible that the actors sent the applications directly to targeted devices; researchers note the distribution method is in question because few Android applications were found to contain GnatSpy. The complexity of GnatSpy indicates that the group is increasing its malicious engineering efforts to steal information from Android devices.
Click here for Anomali Recommendation

Microsoft Disables DDE Feature in Word to Prevent Further Malware Attacks (December 15, 2017)
Microsoft has released an Office update that disables the Dynamic Data Exchange (DDE) protocol in Word applications as part of December’s Patch Tuesday. The DDE feature allows an Office application to load data from other applications. DDE has been used by threat actors to distribute malware, and this update is Microsoft’s attempt to help mitigate such malicious activity.
Click here for Anomali Recommendation

Ngay Campaign Rig EK Pushes Quant Loader & Monero CPU Miner (December 14, 2017)
Nao-sec researchers discovered a drive-by download attack campaign, dubbed “ngay,” that appears to be targeting Vietnamese-speaking individuals. The actors behind this campaign previously used drive-by download attacks to redirect website visitors to the “Disdain” Exploit Kit (EK). Researchers identified that this campaign is now using the “RIG” EK to distribute the “Quant” loader malware and a “Monero” cryptocurrency miner.
Click here for Anomali Recommendation

Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure (December 14, 2017)
While responding to a security incident, FireEye Mandiant researchers discovered that an unnamed company was infected with an attack framework malware called “TRITON.” The malware is designed to interact with Triconex Safety Instrumented System (SIS) controllers. Researchers state that TRITON is one of the few publicly identified malware families that target Industrial Control Systems (ICS), in the same category as the “Stuxnet” and “Industroyer” malware. The malware was found on a SIS workstation running the Microsoft Windows operating system, where it impersonated the legitimate Triconex Trilog application.
Click here for Anomali Recommendation

Apple Releases Security Updates (December 13, 2017)
The U.S. Computer Emergency Readiness Team (US-CERT) has issued an alert regarding vulnerabilities located in multiple Apple products. The vulnerabilities could be exploited by a remote threat actor to alter application state on iOS and tvOS. Apple’s iCloud for Windows 7.2 is vulnerable to an actor in a privileged network position tracking a user on the same network.
Click here for Anomali Recommendation

WORK Cryptomix Ransomware Variant Released (December 13, 2017)
A new variant of the “Cryptomix” ransomware, dubbed “WORK” because the malware appends the .WORK extension to the files it encrypts, has been discovered in the wild, according to BleepingComputer researchers. This new variant uses the same encryption methods as previous Cryptomix versions, with the changes being the .WORK extension appended to encrypted files and new email addresses to contact for the decryption key. While the distribution method of this ransomware has not been reported, malspam is a common method of distributing malware.
Click here for Anomali Recommendation

The ROBOT Attack (December 12, 2017)
A vulnerability first identified in 1998 by researcher Daniel Bleichenbacher, dubbed “Return Of Bleichenbacher’s Oracle Threat” (ROBOT), has resurfaced, according to researchers Hanno Böck and Craig Young. Other researchers believe that this vulnerability is in fact the original “Padding Oracle Attack.” Daniel Bleichenbacher discovered that “the error messages given by an SSL server for errors in the PKCS #1 1.5 padding allowed an adaptive-chosen ciphertext attack; this attack fully breaks the confidentiality of TLS when used with RSA encryption.” This vulnerability could allow a threat actor to record Internet traffic and later decrypt it against a vulnerable host that only supports RSA encryption. Researchers found that 27 of the top 100 domains, ranked by Alexa, had vulnerable subdomains.
Click here for Anomali Recommendation
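ROBOT only works against sessions whose key exchange is plain RSA (the client encrypts the pre-master secret with the server’s RSA key, which is exactly what the padding oracle decrypts). The durable fix on a server is therefore to stop offering RSA key exchange at all and rely on (EC)DHE suites, which use RSA only for signatures. Below is an added example, not from the ROBOT researchers or from Anomali, showing how to build a TLS server context in Python’s standard `ssl` module with RSA key exchange removed, and how to audit a context for any remaining `kx-rsa` suites. It assumes Python 3.7+ linked against OpenSSL 1.1 or later, which is where `get_ciphers()` reports the `kea` field.

```python
import ssl


def hardened_server_context():
    """Server-side TLS context that never offers RSA key exchange.

    OpenSSL cipher-string syntax: keep forward-secret (EC)DHE AEAD suites and
    explicitly exclude kRSA (RSA key exchange) and anonymous/null suites.
    TLS 1.3 suites are unaffected by set_ciphers() and never use RSA key exchange.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!kRSA:!aNULL:!eNULL")
    # In real use: ctx.load_cert_chain("server.pem", "server.key")  (paths are placeholders)
    return ctx


def legacy_server_context():
    """Context that still allows RSA key exchange, for comparison in an audit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL:!aNULL:!eNULL")
    return ctx


def rsa_kx_suites(ctx):
    """Names of enabled TLS <= 1.2 suites whose key exchange is plain RSA.

    get_ciphers() returns one dict per enabled suite; 'kea' is the OpenSSL
    key-exchange name ('kx-rsa', 'kx-ecdhe', 'kx-dhe', 'kx-any' for TLS 1.3).
    """
    return [c["name"] for c in ctx.get_ciphers() if c.get("kea") == "kx-rsa"]


def audit(ctx):
    """Summarise whether a context is exposed to RSA-key-exchange attacks like ROBOT."""
    weak = rsa_kx_suites(ctx)
    return {"rsa_kx_offered": bool(weak), "suite_count": len(ctx.get_ciphers()), "rsa_kx_suites": weak}


if __name__ == "__main__":
    print("hardened:", audit(hardened_server_context()))
    print("legacy:  ", audit(legacy_server_context()))
```

The same `rsa_kx_suites` check is useful in CI for any service that constructs its own `SSLContext`: if it ever returns a non-empty list, someone has re-enabled a suite such as `AES128-GCM-SHA256` (no key-exchange prefix in the OpenSSL name means RSA key exchange). Note that disabling these suites is also what the ROBOT authors recommend; merely patching the padding-check timing is fragile and has been broken repeatedly since 1998.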

Database of 1.4 Billion Credentials Found on Dark Web (December 11, 2017)
4iQ researchers have discovered a large, interactive database that contains an aggregated list of compromised credentials from approximately 252 previous breaches. The discovery was made on December 5, 2017. The advertised data consists of 1,400,533,869 usernames with associated clear-text passwords. The structure of the database makes it simple for anyone to download and interact with it, and the search feature is fast enough to return a result in one second. After additional analysis of the data, researchers found that the number of compromised credentials is lower because not all of the usernames are listed with an associated password. While some sources state that the data was located on underground forums, and this is likely, the data was also found in open locations such as “Reddit.”
Click here for Anomali Recommendation

Hacker’s Delight: Mobile Bank App Security Flaw Could Have Smacked Millions (December 11, 2017)
University of Birmingham researchers have published information regarding vulnerabilities located in popular banking applications. The researchers used a custom tool called “Spinner” to conduct semi-automated security tests on 400 applications that heavily rely on security. Through this testing, it was discovered that many banking applications use a technique called “Certificate Pinning” to improve connection security, but use of this technique made it more difficult for penetration testers to find a more serious vulnerability. Researchers found that the vulnerability located in many popular banking applications was that they did not have a proper hostname verification. This flaw could have allowed a threat actor, on the same network of an individual using an affected application, to conduct Man-in-The-Middle (MiTM) attacks to steal user credentials.
Click here for Anomali Recommendation
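The flaw described above is worth spelling out: certificate pinning (or chain validation) answers “was this certificate issued by a key I trust?”, while hostname verification answers “was it issued for the host I am talking to?”. Skipping the second check means any certificate chaining to the pinned CA is accepted for any hostname. The following is an added example, not from the University of Birmingham researchers or the Spinner tool, in Python: a minimal RFC 6125-style hostname matcher over a certificate in the shape returned by `ssl.SSLSocket.getpeercert()`, beside a weak and a hardened client context. The certificates and host names are constructed.

```python
import ssl


def match_dns_name(pattern, hostname):
    """RFC 6125-style match: case-insensitive; a single '*' is allowed only as the
    entire left-most label, it must not be the only label before the TLD, and it
    matches exactly one label (so '*.example.test' does not match 'a.b.example.test')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False            # partial wildcards such as 'f*o.example.test' are rejected
    if len(p_labels) < 3:
        return False            # '*.test' would match every host under the TLD
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert, hostname):
    """cert is a dict in getpeercert() shape. Subject Alternative Name dNSName
    entries are authoritative; the subject commonName is consulted only when
    the certificate carries no dNSName at all."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(match_dns_name(s, hostname) for s in sans)
    cns = [value for rdn in cert.get("subject", ()) for (key, value) in rdn if key == "commonName"]
    return any(match_dns_name(cn, hostname) for cn in cns)


def weak_client_context():
    """The bug class from the article: the chain is validated, but the hostname is
    never compared, so a valid certificate for any site is accepted for the bank."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def hardened_client_context():
    """Chain validation plus hostname verification; the ssl module then applies
    the same SAN/CN rules as above during the handshake."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


# Constructed certificates (not real), in getpeercert() shape.
BANK_CERT = {
    "subject": ((("commonName", "mobile.examplebank.test"),),),
    "subjectAltName": (("DNS", "mobile.examplebank.test"), ("DNS", "*.api.examplebank.test")),
}
# CN claims the bank, but the SAN, which is what verifiers must use, says otherwise.
MISMATCHED_CERT = {
    "subject": ((("commonName", "mobile.examplebank.test"),),),
    "subjectAltName": (("DNS", "other.example.test"),),
}

if __name__ == "__main__":
    for host in ("mobile.examplebank.test", "login.api.examplebank.test", "a.b.api.examplebank.test"):
        print(host, cert_matches_hostname(BANK_CERT, host))
    print("mismatched:", cert_matches_hostname(MISMATCHED_CERT, "mobile.examplebank.test"))
```

Pinning on top of this is fine, but it must be in addition to, not instead of, the hostname check; a test suite for a mobile banking client should include a case where a certificate for an unrelated name, issued by the pinned CA, is presented and rejected.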

Phishing Attacks on Bitcoin Wallets Intensify as Price Goes Higher and Higher (December 11, 2017)
With the significant increase in monetary value of the Bitcoin currency, approximately $16,180 USD per bitcoin as of this writing, threat actors are increasingly targeting Bitcoin-related websites and Bitcoin users. In addition to phishing emails, “CheckPhish” researchers also identified five phishing domains targeting the “Blockchain” wallet service. Other security researchers found that the Bitcoin exchange “LocalBitcoins” brand was also used in phishing websites. Threat actors are attempting to steal wallet files and empty accounts of their bitcoins.
Click here for Anomali Recommendation

Hackers Hit U.S., Russian Banks In ATM Robbery Scam: Report (December 11, 2017)
A previously unknown, Russian-speaking threat group, dubbed “MoneyTaker,” is responsible for the theft of approximately $10 million USD from around 18 banks, according to Group-IB researchers. The actors targeted ATMs operated by banks primarily located in the U.S. and Russia. The malicious activity is ongoing and is believed to have begun approximately 18 months ago. Researchers identified that the first attacks took place in the spring of 2016 against banks using the payment technology company “First Data’s” “STAR” network; STAR is a debit card processing and payment network. First Data has stated that “a number” of financial institutions on the STAR network had their credentials for administering debit cards compromised. The actors used custom malware called MoneyTaker, from which the group takes its name, to manipulate payment orders and then used “money mules” to cash out funds from ATMs.
Click here for Anomali Recommendation

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. Click here to request a trial.

Locky Tool Tip
Locky is ransomware that is widely spread via phishing messages. Locky first appeared in early 2016. Locky is strongly correlated with the cyber criminal groups related to the Dridex and Necurs botnets. Multiple waves of Locky samples are distributed daily. The delivery mechanism has evolved over time: it has included spam messages with executable attachments, MS Word document attachments using macros to retrieve and then execute Locky, and zip files that extract JavaScript loaders that retrieve and then execute Locky. Hosts compromised by Locky display a ransom note with instructions on how to decrypt the encrypted files. Encrypted files are renamed with a .locky or .zepto extension.
Tags: Locky, Ransomware
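The rename behaviour in the tool tip (encrypted files get a .locky or .zepto extension) is a usable host-side detection: a single such rename is noise, but a burst of them from one host within a short window is a ransomware run in progress. The following added example, which is not Anomali code, parses constructed file-activity log lines (the `ts host= user= op= src= dst=` format is an assumption for the example, not a real product format) and raises one alert per host when the rename rate crosses a threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-activity log (not from a real incident); backslashes are escaped for Python.
SAMPLE_LOG = """\
2016-03-01T10:02:11Z host=WS01 user=alice op=RENAME src=C:\\Users\\alice\\Docs\\q1.xlsx dst=C:\\Users\\alice\\Docs\\F1A2B3C4D5E6F7A8.locky
2016-03-01T10:02:12Z host=WS01 user=alice op=RENAME src=C:\\Users\\alice\\Docs\\q2.xlsx dst=C:\\Users\\alice\\Docs\\0011223344556677.locky
2016-03-01T10:02:13Z host=WS01 user=alice op=RENAME src=C:\\Users\\alice\\Docs\\plan.docx dst=C:\\Users\\alice\\Docs\\8899AABBCCDDEEFF.locky
2016-03-01T10:02:14Z host=WS01 user=alice op=WRITE dst=C:\\Users\\alice\\Docs\\readme.html
2016-03-01T10:02:15Z host=WS01 user=alice op=RENAME src=C:\\Users\\alice\\Docs\\notes.txt dst=C:\\Users\\alice\\Docs\\1234567890ABCDEF.locky
2016-03-01T10:30:00Z host=WS02 user=bob op=RENAME src=C:\\Users\\bob\\old.txt dst=C:\\Users\\bob\\archive.zepto
2016-03-01T11:00:00Z host=WS03 user=carol op=WRITE dst=C:\\Users\\carol\\report.pdf
"""

# Extensions named in the tool tip; extend as new variants appear.
RANSOM_EXTS = (".locky", ".zepto")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+)"
    r"(?: src=(?P<src>\S+))? dst=(?P<dst>\S+)$"
)


def ransomware_renames(log_text):
    """Return every RENAME whose destination carries a known ransomware extension."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["op"] != "RENAME":
            continue
        if m["dst"].lower().endswith(RANSOM_EXTS):
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "host": m["host"], "user": m["user"], "dst": m["dst"],
            })
    return events


def burst_alerts(events, threshold=3, window=timedelta(seconds=60)):
    """One alert per host once `threshold` suspicious renames land inside `window`.

    A sliding window (deque) per host keeps the check O(n) over sorted events."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        recent = deque()
        for ev in evs:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            if len(recent) >= threshold:
                alerts.append({"host": host, "user": ev["user"], "count": len(recent),
                               "first": recent[0]["ts"], "last": ev["ts"]})
                break  # first crossing is enough for triage; later events only add noise
    return alerts


if __name__ == "__main__":
    evs = ransomware_renames(SAMPLE_LOG)
    for alert in burst_alerts(evs):
        print(f"ALERT {alert['host']} ({alert['user']}): {alert['count']} renames "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

WS02’s single .zepto rename stays below the threshold by design; it is the kind of event that should land in a hunting query rather than page an on-call analyst. When feeding this from a real source (Sysmon, an EDR file-event stream, or a file-server audit log), keep the window short: Locky-class encryption runs rename files far faster than once per second, and a short window limits how much gets encrypted before isolation.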



A Very Malicious Christmas

In 2017, Americans are projected to spend $906 million on gifts, up from $785 million in 2016. A significant chunk of that total will be spent online. As consumers turn to the internet, those looking to exploit them are increasing at a similar rate.

Over the last 5 years, the festive season has seen actors ramping up Christmas themed campaigns to directly target businesses and consumers. This post outlines a very small number of particularly prolific attacks that have been observed over previous Christmases that will very likely be seen in reworked variants this year.

FastPOS

View details in ThreatStream: https://ui.threatstream.com/search?status=active&multiSearchResults=true&value__re=.*fastpos.*

Despite the increase in ecommerce transactions, in-person retail sales still account for the largest share of the market. Many consumers don’t think twice when they swipe their credit card or enter their PIN when buying that must-have gift. Unfortunately, some of these people might receive unwelcome expenses on their credit card statements come January if they’ve fallen victim to using a point-of-sale (POS) device infected with malware.

First seen in June 2016, FastPOS is just one piece of malware that targets POS devices. It is much like other POS families in that it will capture credit card data (Track 2) and log keystrokes on the infected machine. Notably, the malware communicates with its command and control (C&C) over an unencrypted HTTP session. The POS malware establishes persistence much like other malware, by creating an auto-run key in the Windows registry.

Previously, FastPOS has taken advantage of the increased retail transaction volume in the run-up to Christmas. Various iterations of the FastPOS and other malware families targeting POS systems are likely to follow suit during the 2017 holiday season.

Protip for retailers: search for indicators of compromise (IOCs) tagged with “retail” in ThreatStream to uncover threats to your operations over Christmas.

Lizard Squad

View details in ThreatStream: https://ui.threatstream.com/search?status=active&multiSearchResults=true&value__re=.*lizard%20squad.*

In 2014, Lizard Squad performed a distributed denial-of-service (DDoS) attack against the Xbox Live and Sony Playstation networks over Christmas. As millions (including myself) attempted to play the games they’d just received as gifts they were met with errors. This occurred for the duration of the attack. 

Looking through ThreatStream, Lizard Squad are responsible for a number of attacks, with DDoS being their preferred method. Since the group’s inception they have developed increasingly sophisticated DDoS capabilities and are now using variations of the botnet malware GafGyt.

Protip for gaming companies: sync indicators of compromise (IOCs) from ThreatStream with your SIEM to automatically match known threats to your logs, and alert when a match has been found.

Merry X-Mas

View details in ThreatStream: https://ui.threatstream.com/search?status=active&multiSearchResults=true&value__re=.*Merry%20Christmas%20Ransomware.*

2017 has been the year of ransomware. From WannaCry to Petya and everything else in between, ransomware has brought havoc to companies around the world. The NotPetya ransomware will reportedly cost shipping giant Maersk $300 million alone!

The Merry Christmas (or Merry X-Mas) ransomware was spotted for the first time by security researchers in early January 2017, when the malware was distributed through spam campaigns. According to researchers, the latest strains of the ransomware have been delivered together with other pieces of malware, namely DiamondFox, which is used to steal sensitive information from victims’ systems.

Protip for SecOps teams: be immediately alerted when the latest malware hashes or suspect domain generation algorithm (DGA) domains are seen inside your network (including on mobile devices) using Anomali Enterprise.

Phishing for gifts

View search in ThreatStream: https://ui.threatstream.com/search?value__re=.*christmas.*

A quick search for malicious domains in ThreatStream turns up hundreds of IOCs with the word “christmas.” Phishing campaigns often ramp up over the festive period, taking advantage of the fact people are spending more money in December. I’ve seen campaigns spoofing retailers and financial institutions in greater number this year than in any previous year I can recall.

Protip for everyone: never click a link in an email. For SecOps teams, use Anomali Enterprise to monitor emails from compromised addresses, or containing links to known malicious domains, before they’re clicked.

A few free Christmas gifts from Anomali

STAXX gives you an easy way to access any STIX/TAXII feed and is a great tool for those starting to incorporate threat intelligence into their security strategies. 

You can download STAXX for free here — our gift to you this Christmas.

Understand your security risk posture with a free customized Recon Report from Anomali Labs. Simply sign up for a free Anomali Enterprise Trial in the month of December.

A December to Remember


Source: Honeypot Tech

WTB: German Spy Agency Warns of Chinese LinkedIn Espionage

The intelligence in this week’s iteration discusses the following threats: APT, Banking trojan, Botnet, Data leak, Malspam, Malvertising, Pre-installed keylogger, Ransomware, Targeted attacks, Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

German Spy Agency Warns of Chinese LinkedIn Espionage (December 10, 2017)
The German intelligence agency, the Federal Office for the Protection of the Constitution (BfV), has stated that Chinese intelligence is using the networking website “LinkedIn” to target approximately 10,000 Germans. The BfV released information regarding multiple fake LinkedIn profiles it discovered and believes that the accounts are evidence of China’s efforts to spy on, and possibly recruit, German individuals, and to subvert German politics.
Tags: Targeted attacks, LinkedIn
Click here for Anomali Recommendation

Pre-Installed Keylogger Found On Over 460 HP Laptop Models (December 8, 2017)
A security researcher going by the name “ZwClose” has released information regarding a pre-installed keylogger located in the “Synaptics” touchpad driver. The Synaptics driver is shipped with HP machines, and approximately 460 HP models were observed to contain this keylogging feature. Researchers note that the keylogger feature is disabled by default; however, threat actors could use open source tools for bypassing User Account Control (UAC) to enable the keylogger “by setting a registry value.”
Tags: Pre-Installed threat, Keylogger, HP
Click here for Anomali Recommendation

A Peculiar Case of Orcus RAT Targeting Bitcoin Investors (December 7, 2017)
As the value of the “Bitcoin” cryptocurrency continues to increase (approximately $17,740 USD as of this writing), threat actors are correspondingly increasing their efforts to target Bitcoin investors. Fortinet researchers have found that actors are targeting Bitcoin investors with a Remote Access Trojan (RAT) called “Orcus” via a phishing campaign. The phishing emails purport to be an announcement of a new, legitimate bitcoin trading bot called “Gunbot.” The email attachment contains a VB script that, when executed, will download a file impersonating a .jpeg. The .jpeg file is actually a portable executable binary. The executable was found to be a trojanized version of an open source inventory tool called “TTJ-Inventory System.” Inside this malicious version, researchers discovered the presence of the “Orcus” RAT, which is advertised as a Remote Access Tool created by Orcus Technologies. Orcus has numerous features and commands that it can run; however, researchers note that what separates Orcus is its ability to load custom plugins.
Tags: Targeted attacks, Bitcoin investors, Malspam, Orcus RAT
Click here for Anomali Recommendation

New Targeted Attack in the Middle East by APT34, A Suspected Iranian Threat Group, Using CVE-2017-11882 (December 7, 2017)
FireEye researchers have published a report regarding a new Advanced Persistent Threat (APT) group they have dubbed “APT34.” The group is believed to be based in Iran, and has been observed exploiting a Microsoft Office vulnerability (CVE-2017-11882) that Microsoft patched on November 14, 2017. The vulnerability was exploited while attacking an unnamed government organization in the Middle East. Researchers believe that the APT group has been conducting a long-term cyber espionage campaign to benefit Iranian national interests. The group is believed to have been active since at least 2014. The group was observed using spear phishing emails that attempt to drop public and custom malicious tools, such as the group’s custom PowerShell backdoor, to achieve its goals.
Tags: APT, APT34, Targeted attacks
Click here for Anomali Recommendation

Master Channel: The Boleto Mestre Campaign Targets Brazil (December 7, 2017)
Palo Alto Unit 42 researchers have discovered a new malspam campaign, dubbed “The Boleto Mestre Campaign” because the links and attachments in the emails masquerade as “Boleto Bancário.” Boleto Bancário is an official payment method that is regulated by the Central Bank of Brazil. Researchers have observed over 260,000 emails that fall under this theme since June 2017. The objective of this campaign is to trick a user into following a malicious link or opening a document that will infect the recipient with an information stealing trojan.
Tags: Malspam, Boleto Bancario-themed, Data theft
Click here for Anomali Recommendation

Mailsploit: It’s 2017, and You Can Spoof The “From” in Email to Fool Filters (December 6, 2017)
Penetration tester Sabri Haddouche has discovered that more than 30 email clients are vulnerable to email source spoofing. The vulnerability has been dubbed “Mailsploit.” The email clients are vulnerable to spoofing because of improper implementation of Request For Comments (RFC) 1342 (which dates back to 1992), which can allow source spoofing to bypass spam filters and security features such as Domain-based Message Authentication, Reporting and Conformance (DMARC). RFC 1342 deals with the representation of non-ASCII characters in Internet message headers. Haddouche identified that the mail client interfaces do not properly sanitize a non-ASCII string after it is decoded.
Tags: Vulnerability, Mailsploit, Email clients
Click here for Anomali Recommendation
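The sanitization gap described above can be checked on the receiving side: decode the encoded-words in a From header first, then validate the decoded text rather than the encoded form. The following check is an added example, not code from the original article or from Haddouche; the two sample headers are constructed for illustration and the finding strings are arbitrary.

```python
import re
from email.header import decode_header

# Anything below U+0020 (NUL, CR, LF, ...) or DEL has no business in a display name
# once the encoded-word has been decoded.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# A loose "looks like an address" pattern for spotting addresses smuggled into the display name.
ADDR_IN_TEXT = re.compile(r"[\w.+-]+@[\w.-]+")


def decode_display_name(raw_from: str) -> str:
    """Decode RFC 1342/2047 encoded-words in the display-name part of a From header."""
    display, _sep, _addr = raw_from.rpartition("<")
    parts = []
    for chunk, charset in decode_header(display.strip()):
        # decode_header yields bytes for headers that contain encoded-words,
        # and a plain str when nothing was encoded.
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def check_from_header(raw_from: str) -> list:
    """Return a list of findings for a From header; an empty list means it passed."""
    findings = []
    display = decode_display_name(raw_from)
    real_addr = raw_from.rpartition("<")[2].rstrip(">").strip()
    if CONTROL_CHARS.search(display):
        findings.append("control character in decoded display name")
    for embedded in ADDR_IN_TEXT.findall(display):
        # A display name that shows one address while the angle-bracket address is
        # another is the classic spoofing shape; report it even without control characters.
        if embedded.lower() != real_addr.lower():
            findings.append(f"display name embeds a different address: {embedded}")
    return findings


# Constructed sample headers (not from any real message).
BENIGN_FROM = "=?utf-8?Q?J=C3=B6rg_M=C3=BCller?= <joerg@example.org>"
SUSPECT_FROM = "=?utf-8?Q?ceo=40example.com=00?= <attacker@example.net>"

if __name__ == "__main__":
    for header in (BENIGN_FROM, SUSPECT_FROM):
        print(repr(decode_display_name(header)), check_from_header(header))
```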

StorageCrypt Ransomware Infecting NAS Devices Using SambaCry (December 5, 2017)
A new ransomware, dubbed “StorageCrypt,” is targeting Network-Attached Storage (NAS) devices, according to Bleeping Computer researchers. The threat actors behind this campaign are using the Linux Samba vulnerability “SambaCry.” Samba is a suite of programs that provides Windows file and print services on Linux and Unix. Exploitation of the vulnerability allows an actor to open a command shell on the affected machine that can be used to download files and execute commands. The actors are demanding a ransom of anywhere between 0.4 (approximately $6,356 USD) and 2 (approximately $31,779 USD) bitcoins for the decryption key.
Tags: Ransomware, StorageCrypt, Vulnerability, SambaCry
Click here for Anomali Recommendation

Quantize or Capitalize (December 5, 2017)
Forcepoint researchers have found that the “Quant” trojan loader, usually used to distribute “Locky” ransomware and the information stealing malware “Pony,” has added new features to its malicious capabilities. Quant is now able to steal credentials as well as various cryptocurrencies including Bitcoin, Peercoin, Primecoin, and Terracoin. The credential stealing feature is accomplished via a Delphi-based library that is capable of stealing operating system and application login credentials.
Tags: Malware, Downloader, Quant, Credential theft
Click here for Anomali Recommendation

Virtual Keyboard Developer Leaked 31 Million of Client Records (December 5, 2017)
A MongoDB database that appears to belong to the Tel Aviv-based startup company “AI.Type” was configured for public access, which exposed approximately 31 million user records, according to the Kromtech Security Center. The company designed a virtual keyboard that works on mobile devices for both Android and iOS. The exposed database contained 557 gigabytes of data, consisting of user registration records in addition to information that was entered through the keyboard.
Tags: Misconfigured database, MongoDB, Data leak
Click here for Anomali Recommendation

Dridex is Back, Baby! – Necurs Botnet Malspam Pushes Dridex (December 4, 2017)
Researchers have discovered that the “Necurs” botnet has resumed its distribution of the “Dridex” banking malware. Researchers note that the last occurrence of Necurs Dridex distribution was identified in June 2017, and that this Necurs campaign is separate from the “Globeimposter” ransomware campaign. The emails purport to be discussing a credit card payment and provide a link to receive the confirmation of the payment. If the link is followed, it will retrieve a malicious Word document. Inside the document is an embedded object that generates up to four URLs to retrieve the Dridex installer.
Tags: Malspam, Botnet, Necurs, Banking trojan, Dridex
Click here for Anomali Recommendation

Apache Software Foundation Releases Security Updates (December 4, 2017)
An alert has been released by the United States Computer Emergency Readiness Team (US-CERT) concerning vulnerabilities in Apache products. Specifically, the vulnerabilities are located in Apache Struts versions 2.5 through 2.5.14. US-CERT states that an actor could exploit one of these vulnerabilities to take control of an affected system. One of the vulnerabilities can be exploited by an actor via a custom JSON request that can be used to conduct a Denial-of-Service (DoS) when using an outdated json-lib with the Struts REST plugin. The second vulnerability is located in the Jackson JSON library; however, the impact of the issue is, as of this writing, still being researched further.
Tags: Alert, Vulnerabilities, Apache
Click here for Anomali Recommendation

Mozilla Releases Security Update for Firefox (December 4, 2017)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding vulnerabilities located in the Mozilla Firefox web browser. US-CERT states that a remote threat actor could exploit these vulnerabilities to take control of an affected system. The vulnerabilities, registered as “CVE-2017-7843” and “CVE-2017-7844,” involve, respectively, Private Browsing mode storing data across multiple private browsing sessions, and an external SVG image referenced on a page whose anchor links are colored according to the user’s history, which can be used to determine which pages the user has visited.
Tags: Alert, Vulnerabilities, Mozilla, Firefox web browser
Click here for Anomali Recommendation

Necurs Botnet Malspam Pushed Globeimposter Ransomware (December 4, 2017)
Researchers have observed that the “Necurs” botnet, known for distributing “Locky” ransomware, is currently distributing the “Globeimposter” ransomware. The ransomware is being distributed via malspam that contains malicious attachments. The emails purport that a message is ready to be sent with the following file or link attachments, or that an attached file is a confirmation of a credit card payment per the recipient’s request. Opening the attachment will begin the infection process for Globeimposter. The threat actors behind this campaign are demanding 0.088 Bitcoin (approximately $1,037 USD) for the decryption key.
Tags: Malspam, Botnet, Necurs, Ransomware, Globeimposter
Click here for Anomali Recommendation

Seamless Campaign Serves RIG EK via Punycode (December 4, 2017)
Malwarebytes Labs researchers have published information regarding the history and current activity of the “Seamless” malvertising campaign. The Seamless campaigns are known for almost exclusively distributing the “Ramnit” banking trojan via the RIG exploit kit. Threat actors are currently running two Seamless campaigns simultaneously: one that uses static strings and IP literal URLs (URLs that skip DNS), and another that uses special characters. In the latter campaign, actors are using a Cyrillic-based domain name that is then transcribed via “Punycode” (the encoding used to convert Unicode domain labels to ASCII). According to researchers, the malvertisements are typically distributed via adult portals that redirect to malicious domains to begin the infection process for Ramnit.
Tags: Malvertising, Seamless campaign, RIG EK, Trojan, Ramnit
Click here for Anomali Recommendation
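Punycode domains show up in DNS and proxy logs in their ASCII (xn--) form, so a log check has to decode them before it can see the Cyrillic letters. The following triage helper is an added example, not code from the original post or from Malwarebytes Labs; the lookalike table is a constructed, illustrative subset, and the sample hostnames are constructed except for the well-known пример.рф.

```python
import unicodedata
from typing import Optional

# Cyrillic letters that render almost identically to Latin ones in common fonts.
# Constructed subset for illustration; a production filter would use the full
# Unicode confusables data (UTS #39) instead.
CYRILLIC_LOOKALIKES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y",
    "х": "x", "і": "i", "ј": "j", "ѕ": "s", "һ": "h",
}


def decode_idna(hostname: str) -> str:
    """Return the Unicode form of a logged hostname; xn-- labels are decoded, ASCII labels are unchanged."""
    return hostname.encode("ascii").decode("idna")


def script_of(ch: str) -> str:
    """First word of the Unicode character name, e.g. 'LATIN' or 'CYRILLIC'."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def classify_label(label: str) -> Optional[str]:
    """Return a finding for one hostname label, or None if it looks benign."""
    letters = [ch for ch in label if ch.isalpha()]
    scripts = {script_of(ch) for ch in letters}
    if len(scripts) > 1:
        return f"mixed scripts {sorted(scripts)}"
    lookalikes = [ch for ch in letters if ch in CYRILLIC_LOOKALIKES]
    # An all-Cyrillic label is only suspicious when every letter has a Latin twin;
    # ordinary Cyrillic words (пример, рф) contain letters with no lookalike and pass.
    if scripts == {"CYRILLIC"} and letters and len(lookalikes) == len(letters):
        skeleton = "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)
        return f"all-lookalike Cyrillic label, renders like {skeleton!r}"
    return None


def classify_hostname(punycode_host: str) -> dict:
    """Decode a logged hostname and report homograph indicators per label."""
    unicode_host = decode_idna(punycode_host)
    findings = {}
    for label in unicode_host.split("."):
        finding = classify_label(label)
        if finding:
            findings[label] = finding
    return {"host": punycode_host, "unicode": unicode_host, "findings": findings}


# Constructed sample hostnames in the ASCII form a DNS or proxy log would carry.
SAMPLE_HOSTS = [
    "example.com",                                # plain ASCII
    "xn--e1afmkfd.xn--p1ai",                      # пример.рф, legitimate all-Cyrillic
    "рау.com".encode("idna").decode("ascii"),     # all-lookalike Cyrillic, renders like "pay.com"
    "pаypal.com".encode("idna").decode("ascii"),  # Latin with one Cyrillic "а"
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(classify_hostname(host))
```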

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. Click here to request a trial.

RIG exploit kit Tool Tip
The RIG exploit kit is a framework used to exploit client-side vulnerabilities in web browsers. The RIG exploit kit takes advantage of vulnerabilities in Internet Explorer, Adobe Flash, Java and Microsoft Silverlight. The RIG exploit kit was first observed in early 2014. The RIG exploit kit’s objective is to deliver malicious code to the target system. The RIG exploit kit is known to distribute ransomware, spambots and backdoors. Victims are redirected to the RIG exploit kit’s landing page from malvertising or compromised sites.
Tags: RIG, exploitkit


Source: Honeypot Tech