WTB: Apple “chaiOS” Flaw Can Crash Your iPhone and macOS with A Single Text Message

The intelligence in this week’s iteration discusses the following threats: APT, Banking trojan, Data breach, Data theft, Malspam, Phishing, Spyware, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Half of Norway’s Population May Have Been Breached (January 22, 2018)
On January 8, 2018, the security team (HelseCert) for Norway’s healthcare provider “Helse Sør-Øst RHF” (Health South-East RHF) notified Helse IT delivery partner “Sykehuspartner HF” of “abnormal activity.” On January 15, 2017, Helse released a statement in which the company confirmed that it had suffered a data breach by an “advanced and professional” threat actor or group. Helse provides healthcare for the most-populous section of Norway that includes approximately three million people out of a country with a population of approximately five million. At the time of this writing, it is unknown if the actor/group managed to steal any Personally Identifiable Information (PII), and authorities are continuing their investigation of this incident.
Click here for Anomali recommendation

Apple “chaiOS” Flaw Can Crash Your iPhone and macOS with A Single Text Message (January 21, 2018)
Security researcher Abraham Masri discovered a vulnerability, dubbed “chaiOS Text Bomb,” in Apple’s iOS and macOS operating systems. The vulnerability can be exploited to freeze or force a crash on an iPhone, iPad, or Mac. An actor exploits it by sending a text message containing a link to a webpage that hosts JavaScript code. Apple’s iMessage application cannot handle the JavaScript code, which leads to a crash or a perpetual reboot loop of the application.
Click here for Anomali recommendation

OnePlus Confirms Hack Exposed Credit Cards of Phone Buyers (January 19, 2018)
The China-based smartphone manufacturing company “OnePlus” has confirmed that its systems were breached by an unknown actor(s). On January 19, 2017, the company began emailing its customers to warn them about the incident after multiple individuals who had purchased a OnePlus phone reported fraudulent credit card transactions. The company discovered that a malicious script had been inserted into the company’s payment pages and would steal any data that was entered. The affected data consists of credit card numbers, expiry dates, and security codes.
Click here for Anomali recommendation

New Year, New Look – Dridex via Compromised FTP (January 18, 2018)
A new malspam campaign has been identified distributing a variant of the “Dridex” banking trojan, according to Forcepoint researchers. The actors behind this campaign are using compromised File Transfer Protocol (FTP) servers to host the malicious documents linked from the malspam emails. Two different types of malicious documents were observed in this campaign. One is a DOC file that abuses Microsoft’s Dynamic Data Exchange (DDE) feature to execute a shell command that downloads Dridex. The second is an XLS file with a malicious macro that downloads Dridex from an actor-controlled domain.
Click here for Anomali recommendation

Researchers Uncover Government-Sponsored Mobile Hacking Group Operating Since 2012 (January 18, 2018)
Lookout and Electronic Frontier Foundation (EFF) have released a joint report discussing the discovery of an Advanced Persistent Threat (APT) they have dubbed “Dark Caracal.” The researchers believe that the group has been active since at least January 2012 and is believed to be operating out of a building that belongs to the Lebanese General Security Directorate (GDGS). The group appears to be primarily focused on malicious activity associated with mobile devices and is believed to have conducted a global campaign called “Operation Manul” with their custom malware called “Pallas.” Dark Caracal distributes their malware via malicious applications located in third-party application stores. The group has targeted defense contractors, financial institutions, governments, manufacturing companies, militaries, and utilities around the world.
Click here for Anomali recommendation

Downloaders on Google Play Spreading Malware to Steal Facebook Login Details (January 18, 2018)
Numerous malicious applications have been identified on the Google Play store, according to Avast researchers. The applications are capable of downloading additional applications that masquerade as Android system applications. Some of the applications were observed to be capable of stealing user credentials, specifically for Facebook. The malicious applications purport to be various legitimate applications such as barcode scanners, a chess game, and voice recorders, and target English- and Vietnamese-speaking Android users. After installing one of the applications, the user is asked to enable “Google Play services”; if this is not granted, the application perpetually displays fake crash popups. If the fake Google Play services component is enabled, the user is shown dialog boxes claiming there is an error with their Facebook account and asking them to enter their credentials to fix the issue.
Click here for Anomali recommendation

Exobot Author Calls It Quits and Sells Off Banking Trojan Source Code (January 17, 2018)
Security researchers have observed that the creator of a sophisticated Android banking trojan, called “Exobot,” is offering the source code of his/her malware for purchase on an underground forum. Exobot dates back to June 2016, and prior to this sale offer the malware author never gave actors access to the source, but instead rented access to it. Actors would pay a fee to gain access to configuration panels to create malicious applications with custom settings, which would then be distributed to infect users with Exobot. Exobot has been one of the more active Android mobile trojans for the past two years. Now that actors can purchase the code, and potentially leak it to open sources, malicious activity associated with Exobot will likely increase.
Click here for Anomali recommendation

A Coin Miner with A “Heaven’s Gate” (January 17, 2018)
Malwarebytes Labs researchers have published information regarding a technique being used by threat actors to steal cryptocurrency. The technique itself, called “Heaven’s Gate,” is not new, as it dates back to 2009; however, its use in cryptocurrency theft appears to be new. Heaven’s Gate allows software to call 64-bit code from a 32-bit process, which can bypass the API hooks often used by detection software. The actors’ objective in this campaign is to change the miner’s wallet location to one they control in order to steal cryptocurrency.
Click here for Anomali recommendation

Cisco Releases Security Updates (January 17, 2018)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding vulnerabilities in multiple Cisco products. The US-CERT states that a threat actor could exploit one of these vulnerabilities to take control of an affected system. The vulnerabilities are listed as follows: Email and Content Security Management Appliance Privilege Escalation, NX-OS Software Pong Packet Denial of Service, and Unified Customer Voice Portal Denial of Service.
Click here for Anomali recommendation

Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign (January 17, 2018)
FireEye researchers have discovered a new malicious campaign in which threat actors are distributing the open-source “Zyklon” malware via spam emails. The spam emails were observed to contain zip file attachments containing a malicious lure DOC file that exploits vulnerabilities in Microsoft Office registered as CVE-2017-11882 and CVE-2017-8759; the attachment was also observed using Office’s Dynamic Data Exchange (DDE) feature to begin the download of a Zyklon payload. Zyklon is a backdoor with multiple malicious capabilities, including conducting Distributed Denial-of-Service (DDoS) attacks, downloading and executing additional plugins, keylogging, stealing passwords, self-updating, and self-removal.
Click here for Anomali recommendation

Skygofree: Following in the Footsteps of Hacking Team (January 16, 2018)
A new family of malware, dubbed “Skygofree,” has been identified in the wild and is primarily targeting individuals located in Italy, according to Kaspersky Lab researchers. The malware is capable of infecting Android and Windows devices. The researchers first discovered the malware in October 2017 and identified that the first variants of Skygofree were created in 2014. The actors behind the malware appear to have been updating Skygofree since then; however, the oldest domains associated with this campaign date back to 2015. The malware is distributed via landing pages that load the malware implant onto a visiting Android device. Researchers note that Skygofree is one of the most powerful spyware tools they have observed. Its capabilities include complex payload structures, never-before-seen surveillance features, the use of multiple exploits, and recording of surrounding audio.
Click here for Anomali recommendation

Phishers Target Netflix Users, Ask for Info and Photo of Their ID (January 16, 2018)
Researchers have observed yet another phishing campaign targeting Netflix users. The actors behind this campaign are distributing emails that purport to be from Netflix; however, closer inspection of the email subject line reveals that Netflix is spelled with the Greek letter chi, which looks similar to a larger “X.” The content of the message claims that the Netflix user needs to update their billing information and provides a link for the recipient to follow. If the link is followed, the user is taken to a compromised HTTPS website that has been redesigned to impersonate Netflix’s login page. The “login” page requests a billing address, Netflix credentials, payment card information, and a picture of the user holding an identification card.
Click here for Anomali recommendation
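The chi-for-X substitution described above is a homoglyph attack, and it can be caught before a user ever sees the message. The following is an added example (not code from the original post or from Anomali) of a mail-filter check that flags subject-line words mixing Unicode scripts or whose confusable-folded form matches a protected brand; the confusables map, brand list and sample subjects are constructed for illustration.

```python
import unicodedata

# Constructed, deliberately small confusables map: non-Latin letters that render
# like Latin ones. A production filter should use the full Unicode confusables table.
CONFUSABLES = {
    "\u03c7": "x",  # GREEK SMALL LETTER CHI   (the character used in the Netflix lure)
    "\u03a7": "X",  # GREEK CAPITAL LETTER CHI
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}

# Brands the filter protects (assumed list for this example).
BRANDS = {"netflix", "paypal", "apple"}


def script_of(ch):
    """Return the script family of a letter, taken from its Unicode character name
    (e.g. 'LATIN SMALL LETTER A' -> 'LATIN', 'GREEK SMALL LETTER CHI' -> 'GREEK')."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def skeleton(word):
    """Simplified Unicode 'skeleton': compatibility-normalise, then replace each
    confusable character with the Latin letter it imitates, lower-cased."""
    folded = unicodedata.normalize("NFKC", word)
    return "".join(CONFUSABLES.get(c, c) for c in folded).lower()


def analyze_token(token):
    """Describe one word: which scripts it mixes and whether it spoofs a brand."""
    scripts = {script_of(c) for c in token if c.isalpha()}
    mixed = "LATIN" in scripts and bool(scripts - {"LATIN"})
    skel = skeleton(token)
    # A brand name is only "spoofed" if the folded form matches but the raw text does not.
    spoofed = skel in BRANDS and skel != token.lower()
    return {
        "token": token,
        "scripts": sorted(scripts),
        "mixed_script": mixed,
        "spoofed_brand": skel if spoofed else None,
    }


def scan_subject(subject):
    """Return findings for every word in a subject line that is mixed-script or
    whose skeleton matches a protected brand while its raw spelling does not."""
    findings = []
    for raw in subject.split():
        word = raw.strip(".,:;!?()[]\"'")
        if not word:
            continue
        result = analyze_token(word)
        if result["mixed_script"] or result["spoofed_brand"]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    # Constructed sample subjects: a benign one and one using Greek chi for the final X.
    samples = [
        "Your Netflix billing information needs an update",
        "Your Netfli\u03c7 account is on hold: update your payment details",
    ]
    for subject in samples:
        print(repr(subject), "->", scan_subject(subject) or "clean")
```

The same skeleton comparison applies to sender display names and to the hostnames of links in the message body, which is where the lure in this campaign actually leads.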

Source: Honeypot Tech

Introducing Anomali ThreatStream Integrator 6.3.5

Anomali ThreatStream Integrator is a small-footprint software component that lets you integrate the threat intelligence of Anomali ThreatStream with your existing security tools. Today I’m excited to announce the latest version of Integrator.

In addition to the SIEMs, endpoints and numerous other security solutions (e.g. IDS, DNS, and DHCP tools) that Integrator can already sync threat intelligence data with, the release of Integrator 6.3.5 adds another destination to the growing list of best-of-breed firewall integrations: Cisco ASA devices.

Introducing Cisco ASA Support

Syncing threat intelligence from ThreatStream to Cisco ASA devices using Integrator enables you to automatically blacklist known malicious indicators of compromise (IOCs) on your Cisco firewalls, and either monitor/alert on or block matching incoming or outgoing traffic. Cisco ASA Firepower currently supports syncing domain, IP, and URL IOCs from ThreatStream.

In some cases, Anomali customers have thousands of Cisco ASA devices in their environments. Syncing threat intelligence to multiple Cisco ASA destinations is a simple and efficient process with Integrator because of its flexible user interface, which is designed to give you an easy way to add and edit new configurations.

Once threat intelligence connection points and data flows are established, customers can use the Integrator confidence filter to ensure that only the most current and highest-scoring, and therefore most malicious, threats are synced to Cisco ASA devices. Integrator also supports a number of other useful filters, including indicator type (e.g. malware domains, phishing domains, etc.) and intelligence source. New IOCs are automatically synced to Cisco ASA devices to keep the blacklists up to date and to both detect and protect your network from newly identified, potentially hostile activity.


Further, the combined usage of the Integrator filter plus the Firepower user interface can help you maintain agile, yet complete control of the blacklists under the Security Intelligence tab. As you can see in the example above, you can create a number of categories for each threat type for easy administration and ongoing management.

Where can I download the latest version of Anomali ThreatStream Integrator?

Anomali ThreatStream Integrator 6.3.5 is now available to download via the ThreatStream Platform.

It doesn’t stop there…

In addition to adding threat intelligence to Cisco ASA devices, Integrator supports many other solutions including Splunk, ArcSight, QRadar, Carbon Black, and Tanium (to name but a few).

If you’re not already an Anomali customer, view a handful of the hundreds of other products Anomali ThreatStream Integrator can sync intelligence with, and register for Anomali ThreatStream today.

Source: Honeypot Tech

WTB: New Mirai Variant Targets Billions of ARC-Based Endpoints

The intelligence in this week’s iteration discusses the following threats: APT, Disk-wiper, DNS hijacking, Malicious extensions, Malicious application, Malvertising, Targeted attacks, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

New Mirai Variant Targets Billions of ARC-Based Endpoints (January 16, 2018)
Security researchers are discussing a new variant of the Internet-of-Things (IoT) malware “Mirai” dubbed “Okiru.” The new malware was first observed by MalwareMustDie researcher “@unixfreaxjp.” Researchers now believe that Okiru is the first malware designed to target “Argonaut RISC Core” (ARC) processors. In addition, researchers also believe that there are over 1.5 billion devices that have ARC processors such as cameras, cars, cell phones, and televisions (among others). At the time of this writing, it is unknown how many devices have been infected with Okiru, however, researchers state that the malware is specifically targeting ARC Linux devices.
Click here for Anomali recommendation

New KillDisk Variant Hits Financial Organizations in Latin America (January 15, 2018)
A new variant of the disk-wiping malware “KillDisk” is targeting financial organizations in Latin America, according to Trend Micro researchers. The malware appears to be dropped by another process rather than being directly installed. This KillDisk variant changes its file name to “c:windows23456789” while it is running. It then iterates through all logical drives, randomly renaming each file before deleting it. It is also capable of reading the Master Boot Record (MBR) and overwriting the Extended Boot Record (EBR).
Click here for Anomali recommendation

Malicious Chrome Extensions Enable Criminals to Impact Over Half a Million Users and Global Businesses (January 15, 2018)
Researchers from U.S.-based cyber security firm “ICEBRG” have discovered four malicious Chrome browser extensions that were available for download on the official Chrome Web Store. The four extensions, titled “Change HTTP Request Header,” “Nyoogle – Custom Logo for Google,” “Lite Bookmarks,” and “Stickies – Chrome’s Post-it Notes,” were found to have been downloaded approximately 500,000 times. The extensions were designed so that a threat actor could send commands to an affected user’s browser via JavaScript code. Researchers discovered that the actors behind this campaign were using the extensions to conduct click fraud by loading a website in the background and clicking on advertisements.
Click here for Anomali recommendation

Warning: New Undetectable DNS Hijacking Malware Targeting Apple macOS Users (January 12, 2018)
A security researcher has published information regarding what may be the first reported macOS-specific malware of 2018. The malware was first identified via a post on a Malwarebytes forum. The malware, dubbed “OSX/MaMi,” is an unsigned Mach-O 64-bit executable that is reported to be similar to another malware family called “DNSChanger.” In 2012, DNSChanger infected millions of machines around the globe. DNSChanger would change Domain Name System (DNS) server settings to route traffic through actor-controlled servers, which allowed the actors to intercept potentially sensitive data. OSX/MaMi appears to do the same thing, and in addition installs a new root certificate in an attempt to intercept encrypted communications.
Click here for Anomali recommendation

Update on Pawn Storm: New Targets and Politically Motivated Campaigns (January 12, 2018)
The Advanced Persistent Threat (APT) group “APT28” has added new targets in its cyber espionage campaign “Operation Pawn Storm,” according to Trend Micro researchers. Researchers note that the group’s tactics in this campaign have remained the same. APT28 uses well prepared, politically-themed spear phishing emails to target political organizations around the world. The group has been conducting this campaign since 2015. Now researchers have observed the group distributing phishing emails that attempt to steal user credentials. In October and November APT28 distributed emails that purported to be a message from the recipient’s Microsoft Exchange server regarding an expired password, and another that purported that there is a new file on the recipient company’s OneDrive system.
Click here for Anomali recommendation

Hackers Make Whopping $226K Installing Monero Miners on Oracle WebLogic Server (January 11, 2018)
Researchers Johannes B. Ullrich (SANS) and Renato Marinho (Morphus Labs) have discovered that threat actors are actively exploiting a vulnerability in Oracle WebLogic servers. The vulnerability, registered as “CVE-2017-10271,” was patched by Oracle in October 2017. However, the proof-of-concept code released for the vulnerability is likely a driving force behind the current malicious activity. Actors have been able to compromise enterprise-owned WebLogic servers and gain access to corporate networks. Interestingly, instead of stealing information, the actors installed a “Monero” cryptocurrency miner. As of this writing, the actors have mined approximately 611 Monero, valued at approximately $226,000 USD.
Click here for Anomali recommendation

Adobe Patches Information Leak Vulnerability (January 10, 2018)
As part of Patch Tuesday, Adobe has issued a security patch to address a vulnerability registered as “CVE-2018-4871.” The vulnerability could be exploited by threat actors to leak sensitive data. This vulnerability affects Adobe Flash Player on Mac, Linux, and Windows machines. In addition, Adobe Flash Player for the Chrome, Edge, and Internet Explorer web browsers, versions and earlier, is also affected.
Click here for Anomali recommendation

Microsoft Releases Patches for 16 Critical Flaws, Including a Zero-day (January 9, 2018)
In Microsoft’s first Patch Tuesday of 2018, the company addressed 56 CVE-registered vulnerabilities that affect multiple products including ASP.NET, ChakraCore, Edge, Internet Explorer, and the .NET framework. Microsoft issued a patch for a zero-day vulnerability, registered as “CVE-2018-0802,” in Office that was observed to have been exploited by threat actors in the wild.
Click here for Anomali recommendation

Diplomats in Eastern Europe Bitten by a Turla Mosquito (January 9, 2018)
Researchers from the IT security company ESET have released a report discussing new malicious activity attributed to the Advanced Persistent Threat (APT) group “Turla.” Researchers discovered that a custom backdoor used by the group, called “Mosquito,” was packaged with the legitimate Flash installer and appeared to have been downloaded from adobe[.]com. Turla has been observed using a fake Adobe Flash installer in previous campaigns. The group was also observed using their “Gazer” malware to primarily target consulates and embassies in Eastern Europe, although some private companies were also infected.
Click here for Anomali recommendation

RIG Exploit Kit Campaign Gets Deep Into Crypto Craze (January 9, 2018)
As cryptocurrencies continue to become more popular, due in part to the significant rise in value of Bitcoin, so too are malicious campaigns designed to mine cryptocurrency. Researchers have discovered such a campaign, dubbed “Ngay,” is distributing the RIG exploit kit via malicious advertisements (malvertising). If a malvertisement is followed, a user is infected with RIG, which then downloads a “Monero” or “Electroneum” cryptocurrency miner on to the affected machine.
Click here for Anomali recommendation

First Kotlin-Developed Malicious App Signs User Up for Premium SMS Services (January 9, 2018)
Trend Micro researchers have identified a malicious application on the Google Play store that impersonated the Android utility cleaning tool “Swift Cleaner.” The application was written in the “Kotlin” programming language, which Google announced in May 2017 as a language for creating Android applications. The fake application was observed to have been downloaded between 1,000 and 5,000 times. The malicious application is capable of click advertisement fraud, data theft, remote code execution, URL forwarding, and signing users up for paid SMS subscription services without their permission.
Click here for Anomali recommendation

Apple Releases Multiple Security Updates (January 8, 2018)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding vulnerabilities in multiple Apple products. The affected Operating Systems (OS) are macOS High Sierra 10.13.2, macOS Sierra 10.12.6, and OS X El Capitan 10.11.6. The devices affected are the iPhone 5s and later, iPad Air and later, and iPod touch 6th generation. A threat actor could exploit these vulnerabilities to gain access to sensitive information.
Click here for Anomali recommendation

A North Korean Monero Cryptocurrency Miner (January 8, 2018)
A new application, identified as having been compiled on December 24, 2017, is being used to mine “Monero” cryptocurrency, according to AlienVault Labs researchers. The mined currency is sent to “Kim Il Sung University” in Pyongyang, North Korea. Researchers believe it is likely that the installer is associated with the open source Monero mining software “XMRig.” Interestingly, the actors behind this campaign used a hostname that no longer resolves, which means XMRig cannot send the mined currency to the actors on most networks. Researchers believe that this fact, in addition to the use of a North Korean server, may indicate that this is a testing phase of a potential malicious campaign, or that it may be a genuine Monero mining operation. However, the use of a North Korean server may indicate that actors within the country are mining cryptocurrencies as a way to bypass United Nations sanctions. Lastly, the observation of Monero being sent to Kim Il Sung University does not necessarily attribute this activity to a North Korean citizen, because the university is “unusually open” and analysis of the code samples reveals French text.
Click here for Anomali recommendation

Source: Honeypot Tech

Anomali Raises $40 Million in Series D Funding

Today I’m pleased to share the news of our latest fundraising efforts, and the addition of Lumia Capital, Deutsche Telekom Capital Partners, Telstra Ventures and Sozo Ventures to the Anomali family. With this funding, we’ll continue to invest in developing innovative threat management and collaboration solutions and expand our global reach.

This milestone comes on the heels of a very exciting 2017 at Anomali – a year in which we:

On the Products and Engineering side we kept the teams very busy, rolling out release after release with tons of new capabilities and functionality to help organizations stay ahead of threats and react more quickly and efficiently. Here’s a sampling of the updates:

  • ThreatStream: added Phishing Indicator extraction, bi-directional STIX/TAXII 2.0 support, multi-analyst collaboration on threat bulletins, powerful new rules engine that can trigger automated actions
  • Anomali Enterprise: launched AE 3.0 including updated UI with streamlined workflows and new dashboards; released Real Time Forensics for automatic threat indicator detection, and added Malware family attribution for DGA domains
  • STAXX: released STAXX 2.0 (and, more recently 3.0) including bidirectional threat sharing, support for STIX/TAXII 2.0, threat indicator expansion on STAXX portal, Anomali Limo feed integration, and STIX/TAXII “bridge” translator between v1.0 and 2.0
  • Limo: launched a free collection of threat intelligence feeds, curated by the Anomali Intelligence Acquisition Team, and fully integrated with STAXX.

The best news of all is the growth in our relationship with you. In 2017 we saw record customer growth and added many new ISACs, ISAOs and other threat sharing communities to the Anomali platform. 2018 is already off to a fast start and we are looking forward to another exciting year working closely with our customers and partners.

Hope to see you at our Detect ’18 Conference!

Source: Honeypot Tech

The Rise of Malware Using Legitimate Services for Communications

Malware often includes the ability to communicate with attacker controlled systems on the Internet from within compromised networks. This gives the attacker several important capabilities.

Some examples of this communication include:

  • Receive “heartbeats” to maintain an inventory of compromised systems
  • Send Remote control commands and receive the results of those commands
  • Exfiltrate data from inside compromised networks
  • Send updates or new capabilities to already compromised hosts

This communication between malware and attacker controlled servers on the Internet is often referred to as “command and control.” This is also a primary area of focus for detection of malware infections in security software outside of detecting the malware itself.

As defenders have gotten better at detecting Internet hosts and domains used for malware command and control, attackers have had to develop their own countermeasures to try to stay ahead of detection and blocking efforts. Techniques such as Domain Generation Algorithms (DGAs) have been employed to evade the traditional detection mechanisms put in place by defenders.

One of the new evolutions in malware capabilities is the use of legitimate services as a conduit for command and control communications. Imagine malware that uses GitHub, or Google Docs, or Facebook to communicate with attackers. Defenders are left trying to discern between legitimate traffic and malicious traffic that is all encrypted and going to the same popular and entirely legitimate services on the Internet. The dominant way to refer to this technique is “Legit Services C2.”

A variety of legitimate services seen abused for C2

There are many possible services available across the Internet that could be used for malware command and control. As new services are constantly popping up, there is essentially an unlimited supply of options for using legit services for malware command and control.

We did some detailed research into malware that uses legit services for C2. We identified a number of malware families that have been observed taking advantage of legit services. We also dug into how malware uses legit services for C2. Finally, we offered some suggestions for potentially sifting out malware usage vs. legitimate usage of these services. We packed all this research into a white paper titled, Rise of Legit Services for Backdoor Command and Control, which can be downloaded here without registration. Please feel free to use this research; we hope that others will expand on it.
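Because the destination of legit-services C2 is, by design, indistinguishable from a developer’s or an application’s own traffic, the practical signal is usually in the timing rather than the endpoint: a backdoor polls its dead-drop on a fixed schedule, a human does not. The following is an added example (not code from the original post or from the white paper) that parses constructed proxy log lines and flags client/host pairs whose inter-request gaps to a watched service are machine-regular; the log format, hosts and thresholds are assumptions for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not from the original post). One line per request:
# "<ISO timestamp> <client-ip> <destination-host> <bytes-out> <user-agent>"
# 10.0.0.5 polls api.github.com every ~5 minutes with a fixed-size request;
# 10.0.0.9 is a developer using GitHub and Pastebin interactively.
SAMPLE_LOG = """\
2018-01-15T09:00:00 10.0.0.5 api.github.com 412 python-requests/2.18.4
2018-01-15T09:01:10 10.0.0.9 api.github.com 1893 Mozilla/5.0
2018-01-15T09:01:14 10.0.0.9 api.github.com 2210 Mozilla/5.0
2018-01-15T09:03:40 10.0.0.9 api.github.com 640 Mozilla/5.0
2018-01-15T09:05:02 10.0.0.5 api.github.com 412 python-requests/2.18.4
2018-01-15T09:09:58 10.0.0.5 api.github.com 412 python-requests/2.18.4
2018-01-15T09:12:21 10.0.0.9 pastebin.com 5120 Mozilla/5.0
2018-01-15T09:15:01 10.0.0.5 api.github.com 412 python-requests/2.18.4
2018-01-15T09:17:05 10.0.0.9 api.github.com 1320 Mozilla/5.0
2018-01-15T09:17:06 10.0.0.9 api.github.com 980 Mozilla/5.0
2018-01-15T09:20:00 10.0.0.5 api.github.com 412 python-requests/2.18.4
2018-01-15T09:24:59 10.0.0.5 api.github.com 412 python-requests/2.18.4
2018-01-15T09:30:03 10.0.0.5 api.github.com 412 python-requests/2.18.4
2018-01-15T09:35:00 10.0.0.5 api.github.com 412 python-requests/2.18.4
2018-01-15T09:42:30 10.0.0.9 api.github.com 3015 Mozilla/5.0
2018-01-15T09:44:02 10.0.0.9 pastebin.com 770 Mozilla/5.0
"""

# Services the page discusses as C2 conduits (assumed watch list for this example).
WATCHED_HOSTS = {"api.github.com", "docs.google.com", "pastebin.com"}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, nbytes, agent = line.split(maxsplit=4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "client": client,
            "host": host,
            "bytes": int(nbytes),
            "agent": agent,
        })
    return events


def beacon_stats(times):
    """Inter-arrival statistics for one client/host pair: mean gap in seconds and
    the coefficient of variation (stdev / mean). A low CV means the gaps are
    nearly identical, i.e. scheduled polling rather than human activity."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return {"count": len(times), "mean_gap": gaps[0] if gaps else 0.0, "cv": float("inf")}
    mean = statistics.mean(gaps)
    cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
    return {"count": len(times), "mean_gap": mean, "cv": cv}


def find_beacons(events, watched_hosts=WATCHED_HOSTS, min_events=6, max_cv=0.15):
    """Return {(client, host): stats} for pairs talking to a watched service with at
    least min_events requests whose timing regularity is at or below max_cv."""
    by_pair = defaultdict(list)
    for e in events:
        if e["host"] in watched_hosts:
            by_pair[(e["client"], e["host"])].append(e["ts"])
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue  # too few requests to judge periodicity
        st = beacon_stats(times)
        if st["cv"] <= max_cv:
            hits[pair] = st
    return hits


if __name__ == "__main__":
    for (client, host), st in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: {st['count']} requests, "
              f"mean gap {st['mean_gap']:.0f}s, CV {st['cv']:.3f}")
```

Legitimate schedulers (CI runners, package managers, monitoring agents) beacon just as regularly, so this is a triage filter to be combined with the user agent, request size and the asset’s role, not a verdict on its own.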

Source: Honeypot Tech

WTB: Malicious Document Targets Pyeongchang Olympics

The intelligence in this week’s iteration discusses the following threats: Banking trojan, Botnet, Credit card theft, Data breach, Hardcoded backdoor, Malicious applications, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Hardcoded Backdoor Found on Western Digital Storage Devices (January 8, 2018)
GulfTech researcher James Bercegay discovered vulnerabilities in Western Digital’s “WDMyCloud” firmware before version 2.30.165. The unrestricted file upload vulnerabilities affect multiple MyCloud products. In addition to the vulnerabilities, it was also found that some MyCloud products contain a hardcoded administrator account that can function as a backdoor. The vulnerabilities could be exploited to gain remote root code execution on the affected personal cloud storage units by sending a crafted HTTP POST request. Furthermore, the backdoor administrator account, once logged in, can function as a root shell from which actors can execute arbitrary commands.
Click here for Anomali recommendation

Malicious Document Targets Pyeongchang Olympics (January 6, 2018)
A new phishing campaign has been identified to be targeting organizations associated with the Pyeongchang Olympics, according to McAfee researchers. The actors behind this campaign are distributing malicious Microsoft Word documents that have the original file name “Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics.” This campaign is primarily targeting organizations in South Korea. If the Word document is opened, it requests the recipient to “Enable Content” which, if enabled, will launch an obfuscated PowerShell script. The script sets up communication to a Command and Control (C2) server for additional instructions, some of which were found to be executing commands on the infected machine to download additional malware.
Click here for Anomali recommendation

Microsoft Issues Warning for Meltdown Fix (January 5, 2018)
Microsoft has issued security updates outside its typical Patch Tuesday cycle in response to a vulnerability dubbed “Meltdown,” registered as “CVE-2017-5754,” that affects Intel CPUs. The Meltdown vulnerability allows normal applications to read the contents of private kernel memory. This could potentially expose sensitive information on machines that use cloud-based features. In addition to possibly exposing sensitive data, the Meltdown fix can also cause compatibility issues with some antivirus tools.
Click here for Anomali recommendation

LightsOut: Shining a Light On Malicious Flashlight Apps on Google Play (January 5, 2018)
22 applications in the Google Play store were identified that contain scripts which override a user’s ability to disable advertisements and hide the application’s own icon in an attempt to prevent it from being removed, according to Check Point researchers. The malware, dubbed “LightsOut,” was found inside flashlight and utility applications that had between 1.5 million and 7.5 million downloads.
Click here for Anomali recommendation

Avamar Zero-day (January 4, 2018)
Digital Defense researchers have released information regarding three vulnerabilities, registered as “CVE-2017-15548,” “CVE-2017-15550,” and “CVE-2017-15549,” discovered in Dell’s “EMC Data Protection Suite Family” products. The affected products are “Avamar Server” versions 7.1.x, 7.2.x, 7.3.x, 7.4.x, and 7.5.0, NetWorker Virtual Edition versions 0.x, 9.1.x, and 9.2.x, and the Integrated Data Protection Appliance version 2.0. Exploitation of the vulnerabilities allows authenticated arbitrary file access and file upload in “UserInputService,” or an authentication bypass in “SecurityService.” Together, the three vulnerabilities can be exploited by an actor to gain root login on an affected machine.
Click here for Anomali recommendation

Reading Privileged Memory with A Side-Channel (January 3, 2018)
Google’s Project Zero team has released a report regarding three vulnerabilities, registered as “CVE-2017-5753,” “CVE-2017-5715,” and “CVE-2017-5754,” that affect some modern processors created by AMD, ARM, and Intel. Exploitation of the vulnerabilities can result in bounds check bypass, branch target injection, or rogue data cache load. These vulnerabilities are also known as “Spectre” (CVE-2017-5753 and CVE-2017-5715) and “Meltdown” (CVE-2017-5754).
Click here for Anomali recommendation

New Python-based Crypto-Miner Botnet Flying Under The Radar (January 3, 2018)
A new cryptocurrency mining botnet, dubbed “PyCryptoMiner,” has been observed infecting machines by brute forcing SSH credentials, according to F5 researchers. The Linux botnet malware is written in Python and uses the text-storing website “Pastebin[.]com,” under the username “WHATHAPPEN,” to retrieve a new Command and Control (C2) address from which to receive commands if the original C2 server is unreachable. Researchers also observed that the malware has scanning capabilities that search for JBoss servers vulnerable to “CVE-2017-12149.” The botnet mines “Monero” cryptocurrency on infected devices.
Click here for Anomali recommendation
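
Because the initial access described above is plain SSH password guessing, the defender’s first signal is in the sshd authentication log: a burst of failures from one source, and, worse, a password login from that source that then succeeds. The following is an added example (not code from the original post, F5, or Anomali) that applies a per-source sliding window to syslog-style sshd lines. The sample lines, host name, and IP addresses are constructed placeholders, and because syslog timestamps carry no year, the year is assumed to be 2018.

```python
"""Detect SSH password brute forcing, and a login that succeeds after it.

Added example, not code from the original post or from F5/Anomali. It reads
syslog-style sshd lines; the sample lines are constructed for this demo, the
host name and IPs are placeholders, and because syslog timestamps carry no year
the year is assumed to be 2018.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional, Tuple

ASSUMED_YEAR = 2018
AUTH_RX = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str, str]]:
    """Return (timestamp, result, method, user, ip), or None for unrelated lines."""
    m = AUTH_RX.search(line)
    if not m:
        return None
    month, day, clock = line.split()[:3]        # syslog prefix, e.g. "Jan  3 10:15:01"
    ts = datetime.strptime(f"{ASSUMED_YEAR} {month} {day} {clock}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["method"], m["user"], m["ip"]


def detect_ssh_bruteforce(lines: List[str], threshold: int = 10,
                          window_seconds: int = 300,
                          success_min_failures: int = 3) -> List[Dict]:
    """Sliding-window count of password failures per source IP.

    A source is reported once when it reaches `threshold` failures inside the
    window, and again (at high severity) if a password login from that source
    then succeeds after at least `success_min_failures` recent failures, which
    is the signal that a guessed credential actually worked.
    """
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e[0])
    recent = defaultdict(deque)     # ip -> timestamps of password failures in window
    reported = set()
    findings: List[Dict] = []
    for ts, result, method, user, ip in events:
        window = recent[ip]
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if result == "Failed" and method == "password":
            window.append(ts)
            if len(window) >= threshold and ip not in reported:
                reported.add(ip)
                findings.append({"ip": ip, "type": "password brute force",
                                 "failures": len(window), "severity": "medium"})
        elif (result == "Accepted" and method == "password"
              and len(window) >= success_min_failures):
            findings.append({"ip": ip, "type": "success after repeated failures",
                             "user": user, "failures": len(window), "severity": "high"})
    return findings


# Constructed sample: twelve rapid failures from one source followed by a
# successful root password login, a key-based login from elsewhere, and a user
# who mistypes a password twice (below the threshold, so not reported).
_GUESSED = ["root", "admin", "ubuntu", "pi", "oracle", "test"]
SAMPLE_LOG = [
    f"Jan  3 10:15:{i * 4:02d} bastion sshd[{4000 + i}]: Failed password for "
    f"{'' if _GUESSED[i % 6] == 'root' else 'invalid user '}{_GUESSED[i % 6]} "
    f"from 203.0.113.7 port {50000 + i} ssh2"
    for i in range(12)
] + [
    "Jan  3 10:16:05 bastion sshd[4100]: Accepted password for root from 203.0.113.7 port 50100 ssh2",
    "Jan  3 10:16:20 bastion sshd[4101]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2",
    "Jan  3 10:16:30 bastion sshd[4102]: Failed password for bob from 198.51.100.9 port 41000 ssh2",
    "Jan  3 10:16:40 bastion sshd[4103]: Failed password for bob from 198.51.100.9 port 41001 ssh2",
    "Jan  3 10:16:50 bastion sshd[4104]: Accepted password for bob from 198.51.100.9 port 41002 ssh2",
]

if __name__ == "__main__":
    for finding in detect_ssh_bruteforce(SAMPLE_LOG):
        print(finding)
```

Two findings come out of the sample: the guessing source is reported at its tenth failure, and again at high severity when its root password login succeeds. The user who fails twice and then logs in is never reported, which is the point of the success threshold: a typo is not a compromise. Key-based logins are ignored entirely, since the botnet described above only guesses passwords.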

Satori IoT Botnet Malware Code Given Away for Christmas (January 3, 2018)
An unknown threat actor has publicly released exploit code for a vulnerability, registered as “CVE-2017-17215,” on “Pastebin[.]com.” The vulnerability affects “Huawei HG532” devices. Prior to the posting, the vulnerability had already been used by two Internet-of-Things (IoT) malware families, “Satori” and “Brickerbot.”
Click here for Anomali recommendation

Android Banking Trojan Targets More Than 232 Apps Including Apps Offered by Indian Banks (January 3, 2018)
Researchers from Quick Heal Security Labs have detected an Android banking trojan that targets approximately 232 apps. The trojan is being distributed through a fake Flash Player application located on third-party app stores. Once the application is installed, it asks the user to enable administrative rights. Once enabled, the trojan looks for 232 applications on the device, mainly banking and cryptocurrency applications. If a targeted application is found on the device, a notification is shown and, if the user clicks on it, a fake login page is displayed which harvests the user’s credentials. The trojan can also exfiltrate contacts, locations, and SMS messages from the device.
Click here for Anomali recommendation

VMware Releases Security Updates (January 2, 2018)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding vulnerabilities in VMware’s “vSphere Data Protection.” vSphere Data Protection is a backup and recovery solution created for vSphere environments, according to VMware. The company ranks the vulnerabilities, registered as “CVE-2017-15548,” “CVE-2017-15549,” and “CVE-2017-15550,” as critical severity. The vulnerabilities could be exploited to give a threat actor root access to an affected machine.
Click here for Anomali recommendation

Forever 21 Breach Lasted Over Seven Months (January 2, 2018)
The U.S.-based retail store “Forever 21” has made a statement regarding its investigation into a data breach that was first confirmed in November 2017. At that time, the company said that the breach affected card transactions at its stores from March to October 2017. Now Forever 21 has changed the timeframe in which card transactions were potentially compromised to April through November 2017. The retail company also stated that encryption features for Point of Sale (POS) machines at various locations were turned off during the April through November 2017 timeframe. This could allow threat actors to more easily steal payment data as it was processed. Additionally, the company identified malware “installed on some devices in some U.S. stores at varying times during the period from April 3, 2017 to November 18, 2017.”
Click here for Anomali recommendation

Source: Honeypot Tech

What is Strategic Threat Intelligence?

This is the second blog in a series called “What is Threat Intelligence?” The first blog in the series can be found here. Stay tuned for future installments in this series.

Maintaining a strong security posture requires developing and answering many questions specific to the organization. Many of these questions must be answered continually as situations and environments evolve. Will bringing in additional security solutions really provide that much more additional protection? Is it worth the cost to update each and every legacy system? Who are my adversaries and how might they attack me? Many organizations choose to tackle these questions and make more informed decisions with context from threat intelligence. This curated information is generally divided into three subsets:

  • Strategic intelligence – who/why
  • Operational intelligence – how/where
  • Tactical intelligence – what

Strategic intelligence (who/why) is the 100,000-foot view, providing a big-picture look at how threats and attacks are changing over time. Strategic intel may identify historical trends, motivations, or attribution of who is behind an attack. Who is attacking you and why? Who might attack organizations in your sector? Why are you within scope for an attack? What are the major trends happening? What do you need to do to reduce your risk profile? Knowing the who and why of your adversaries also provides clues to their future operations and tactics. This makes strategic intelligence a solid starting point for deciding which defensive measures will be most effective.

Strategic intelligence might include information on the following topic areas:

  • Attribution for intrusions and data breaches
  • Actor group trends
  • Targeting trends for industry sectors and geographies
  • Mapping cyber attacks to geopolitical conflicts and events (South China Sea, Arab Spring, Russia-Ukraine)
  • Global statistics on breaches, malware and information theft
  • Major attacker TTP changes over time

For example, if you are in the education sector, you may wonder which nation states and which groups you should be concerned about. Where do you need to focus your resources to reduce the risk of an intrusion and theft of intellectual property? Or perhaps you know you are in an industry or region that is frequently targeted by the actor APT29. The two sections that follow give an example of strategic intelligence for each case.

Strategic Intelligence for the Education Sector

Academic networks typically possess diverse infrastructure with a relatively large volume of connected devices and high bandwidth, but are notoriously challenging to adequately secure and monitor, making them prime targets for actors interested in exploiting them. A variety of actors routinely target these networks, including Advanced Persistent Threat (APT) groups conducting cyber espionage and likely using institutions’ networks to launch attacks against third parties, financially motivated actors seeking to steal information and monetize it, and hacktivists and similar groups seeking to promote their messages and causes. We assess with high confidence that actors will continue to target the education sector for the foreseeable future due to the perceived value of the information stored on school networks, demonstrated ease of using network infrastructure for launching further operations, and the inherent difficulties administrators face in securing them.

  • Cyber espionage continues to pose the greatest threat to the education industry. China, Russia, Iran and South Korea have demonstrated the capability and willingness to conduct extensive reconnaissance activity and espionage against educational entities.
    • Motivations include strategic and business intelligence, economic advantage, regional interests, and monitoring citizens abroad.
    • China-based groups and campaigns include APT22, Menupass Team, and unnamed groups.
    • APT29, a cyber espionage actor with a Russia nexus.
    • Beanie Team, a cyber espionage actor with an Iran nexus.
    • Fallout Team, a cyber espionage actor with a South Korea nexus.
    • We have also observed unknown cyber espionage actors targeting the education industry.

Strategic Intelligence for APT29

  • APT29 engages in cyber espionage operations where the primary goal appears to be data theft. APT29’s targets include Western governments, foreign affairs and policy-making bodies, government contractors, universities, and media outlets. Based on available data, we assess with high confidence that APT29 is a nation-state sponsored group located in Russia.
  • APT29 appears to have formidable capabilities, including a range of custom-developed tools, extensive command-and-control (C2) infrastructure that includes compromised and satellite infrastructure (via satellite service providers), and savvy operational know-how. Unlike many other Russian attack groups, APT29 continues to operate after it has been detected. APT29 has demonstrated a high regard for OPSEC, and is aggressive in continuing operations and in its efforts to evade investigators and remediation attempts.
  • APT29 appears highly interested in European government and foreign policy issues, with a significant emphasis on the Russia-Ukraine conflict. APT29 has targeted several Western national government and foreign policy entities, defense and government contractors, and academic institutions.

Using Strategic Intelligence

Strategic threat intelligence is built upon a huge body of knowledge and includes expert opinions and insights that are based on aggregating both operational and tactical intelligence from known cyber attacks.

There are many uses for strategic intel including, but not limited to, the following:

  • Inform your executive leadership about high risk threat actors, relevant risk scenarios, and threat exposure in the public-facing technology sphere and criminal underground.
  • Perform a thorough risk analysis and review of the entire technology supply chain.
  • Learn which commercial ventures, vendors, partner companies, and technology products are most likely to increase or decrease risk to your enterprise environment.

Next up – What is Operational Threat Intelligence?

Source: Honeypot Tech

WTB: macOS Exploit Published on the Last Day of 2017

The intelligence in this week’s iteration discusses the following threats: Data leak, Information stealing malware, Malspam, Misconfigured Database, Phishing, RAT, Vulnerabilities, and Zero-day. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

macOS Exploit Published on the Last Day of 2017 (January 2, 2017)
A security researcher going by the alias “Siguza” has published a zero-day vulnerability that affects all versions of the Mac operating system (macOS) since at least 2002. Siguza did not notify Apple prior to publishing a report on the vulnerability, which is located in the “IOHIDFamily” macOS kernel driver. According to Siguza, the vulnerability is a Local Privilege Escalation (LPE) flaw that an actor can only exploit with local access to, or a prior malware infection on, the affected machine.
Click here for Anomali recommendation

Resume-Themed Malspam Pushing Dreambot Banking Trojan (December 29, 2017)
Researchers have observed a new malspam campaign that is distributing the “Dreambot” banking trojan. In the emails, the actors behind this campaign purport to be sending the recipient a resume to consider. The actors also include “Happy New Year” in the email in an attempt to stay relevant to the current timeframe and to attempt to add legitimacy to the emails. The “resume” attachment is a zip file that, if opened, will extract a JSE file (JScript) and begin the infection process for Dreambot.
Click here for Anomali recommendation

Flaws in Sonos and Bose Smart Speakers Let Hackers Play Pranks on Users (December 27, 2017)
Trend Micro researcher Stephen Hill has discovered that some “Bose” and “Sonos” smart speakers are affected by vulnerabilities that could allow a threat actor to take over the device. In addition, the vulnerabilities can be exploited by actors who are performing reconnaissance and trying to gain access to a corporate network, or who want to gather information stored on the device to conduct potentially more effective phishing attacks. Researchers report that the affected smart speakers are the “Sonos Play:1” and “Bose SoundTouch”; however, it is possible that more models are also affected.
Click here for Anomali recommendation

Mozilla Releases Security Update for Thunderbird (December 25, 2017)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding multiple vulnerabilities in Mozilla’s “Thunderbird” platform. Mozilla’s security advisory lists five vulnerabilities that affect Thunderbird 52.5.2. Out of the vulnerabilities, two are listed as critical, two as high, and one as low. Some of the vulnerabilities allow remote code execution.
Click here for Anomali recommendation

Vulnerability Affects Hundreds of Thousands of IoT Devices (December 25, 2017)
Researchers have discovered a vulnerability, registered as “CVE-2017-1756,” in a web server package called “GoAhead” created by the company “Embedthis Software.” GoAhead is embedded in hundreds of thousands of IoT devices and is also deployed inside products from Comcast, Oracle, and HP, among others. Elttam researchers identified a method by which they could remotely execute malicious code on any device that used the GoAhead web server package.
Click here for Anomali recommendation

Malspam Uses CVE-2017-0199 To Distribute Remcos RAT (December 22, 2017)
Researchers have discovered that threat actors are exploiting the Microsoft Office/WordPad remote code execution vulnerability registered as “CVE-2017-0199” to distribute the “Remcos” Remote Access Trojan (RAT). The malspam emails claim that the attached invoice is incorrect and ask the recipient to make an amendment so that the sender, “Helen Rowe” of the “Purchasing Department,” can process the payment. The attachment is an RTF file which, if opened, presents a prompt asking the user to update the document with data from linked files. Clicking “Yes” and subsequently running the executable infects the user’s machine with Remcos.
Click here for Anomali recommendation

Huawei Home Routers in Botnet Recruitment (December 21, 2017)
An updated variant of the notorious denial-of-service “Mirai” malware, called “Satori,” is being used to target a zero-day vulnerability in “Huawei” routers, according to Check Point researchers. A threat actor is exploiting a vulnerability, registered as “CVE-2017-17215,” that affects Huawei routers. The threat actor behind this campaign is believed to operate under the alias “Nexus Zeta.”
Click here for Anomali recommendation

Digmine Cryptocurrency Miner Spreading via Facebook Messenger (December 21, 2017)
Trend Micro researchers have discovered that threat actors are distributing cryptocurrency miner malware, dubbed “Digmine,” via Facebook Messenger. The malware only affects Messenger’s desktop/web browser version on Chrome. Digmine installs an auto-start mechanism on infected machines and then uses Messenger from those machines to attempt to infect others, building a cryptocurrency mining botnet. Digmine is capable of mining the “Monero” cryptocurrency. The threat actors send zip files to the victim’s “friends” that begin the infection process if opened.
Click here for Anomali recommendation

CVE-2017-11882 Exploited to Deliver a Cracked Version of the Loki Infostealer (December 20, 2017)
A new campaign has been found to be delivering a “cracked” version of the “Loki” information stealing malware, according to Trend Micro researchers. Threat actors are using a pirated version of Loki that is being distributed via spam emails that masquerade as an Australian shipping company with an attached receipt. The emails contain a malicious .docx file that then drops a Rich Text Format (RTF) file. The RTF file exploits the Microsoft Office vulnerability registered as “CVE-2017-11882” to download an HTML Application (HTA) dropper that then downloads the Loki payload.
Click here for Anomali recommendation

Home Economics: How Life in 123 Million American Households Was Exposed Online (December 20, 2017)
The UpGuard Cyber Risk Team has discovered that a cloud-based repository belonging to the California-based data analytics firm “Alteryx” was configured for public access. Specifically, the repository was an Amazon Web Services (AWS) S3 cloud storage bucket located on an Alteryx subdomain. The exposed data consists of Personally Identifiable Information (PII) such as financial history and mortgage ownership, in addition to 248 categories of specific data types within the AWS bucket.
Click here for Anomali recommendation

Hidden Backdoor Found In WordPress Captcha Plugin Affects Over 300,000 Sites (December 19, 2017)
Researchers have found that a plugin available for WordPress websites created by the developer “BestWebSoft” was modified by the buyer. The plugin was a Captcha that was modified in such a way that it operated as a backdoor that had the ability to affect approximately 300,000 WordPress websites. An actor could use the backdoor to gain administrator privileges on the affected website.
Click here for Anomali recommendation

Cyberespionage Campaign Sphinx Goes Mobile With AnubisSpy (December 19, 2017)
Trend Micro researchers have discovered malicious applications that made their way into the Google Play store. The applications were identified to contain malware dubbed “AnubisSpy” and are believed to be linked to a cyber espionage campaign called “Sphinx.” Researchers attribute this campaign to the Advanced Persistent Threat group “APT-C-15.” The AnubisSpy malware is capable of stealing various forms of data from an infected device in addition to recording and stealing audio.
Click here for Anomali recommendation

TelegramRAT Evades Traditional Defenses via the Cloud (December 18, 2017)
The Remote Access Trojan (RAT) called “TelegramRAT” is being distributed by threat actors via a malicious Microsoft Office document, according to Netskope Threat Research Labs. TelegramRAT exploits the Microsoft vulnerability registered as “CVE-2017-11882.” Additionally, the malicious Office document uses the “” URL shortening service to hide TelegramRAT which is hosted on Dropbox. The RAT uses the messaging service “Telegram’s” BOT API to send and receive commands. TelegramRAT is capable of numerous malicious functions, including stealing various forms of data and deleting evidence of its presence.
Click here for Anomali recommendation

CHM Badness Delivers a Banking Trojan (December 18, 2017)
SpiderLabs researchers have discovered a malspam campaign that is targeting Brazilian institutions with the “Bancos” banking trojan. The threat actors behind this campaign are distributing the trojan via malspam emails that utilize Compiled HTML (CHM) file attachments. This tactic allows actors to conceal malicious downloader code in files and make them more difficult to detect. If the CHM is opened and subsequently decompressed by its default application, “Microsoft Help Viewer”, the HTML objects will run a JavaScript function that begins the Bancos infection process.
Click here for Anomali recommendation

Source: Honeypot Tech

12 Days of Threats

On the first day of Christmas a hacker stole from me,
Thousands in my favorite cryptocurrency…
On the second day of Christmas a hacker stole from me,
Two plain-text passwords and thousands in my favorite cryptocurrency…

We’re sure by now you’ve heard too much Christmas music, so we’ll spare you a full rendition. However, as we approach the end of the year, we’d like to reflect on some of the year’s most notable cyber events.

Freedom Hosting II

Threat description: February 2017 – A first-time hacker from Anonymous took down approximately 20% of all Dark Web traffic this year by breaching Freedom Hosting II (FH2), a Dark Web hosting provider. Anonymous posted messages on all of these sites explaining they did this because FH2 provided services to child pornography and scamming sites. The hackers initially tried to ransom the Freedom Hosting II database for 0.1 Bitcoin (a little over $100), but later released the information publicly. This information included plain-text emails and passwords, site users, personal information about site administrators, and a write-up of how they breached the systems.

Holiday gift: Bad guys get empty stockings and empty sites

Cloudflare Data Leak

Threat description: February 17th, 2017 – Internet infrastructure and security company Cloudflare wasn’t directly targeted by a malicious attack, but likely felt its fair share of panic this year. A security bug affected Cloudflare’s reverse proxies, unwittingly leaking data from Cloudflare customers to other customers. Personally Identifiable Information (PII) was downloaded by crawlers and users during everyday activity. This data included full HTTPS requests and responses, client IP addresses, cookies, and passwords. Tavis Ormandy of Google Project Zero, who first identified the issue, was able to get Cloudflare servers to return private messages from dating sites, full messages from chat services, online hotel bookings, and online password manager data. Cloudflare has since reported on the potential impact of the bug.

Holiday gift: Proof that collaboration can identify and fix issues before a malicious actor takes advantage

Wikileaks CIA Vault 7

Threat description: March 7th, 2017 – This year Wikileaks released thousands of pages of CIA software tools and techniques allegedly created in collaboration with British intelligence. This trove of documents, titled Vault 7, serves as a catalogue of advanced tactics for surveillance and cyber warfare, including how to hack into smartphones, computers, and Internet-connected TVs. The CIA has not confirmed the authenticity of these documents, but officials speaking anonymously have indicated that the information from Vault 7 is genuine. Wikileaks has not identified the source of the information. The existence of such documents is not necessarily surprising, but the scope of tools and procedures is alarming. Instructions are also available for compromising Skype, Wi-Fi networks, documents in PDF format, commercial antivirus programs, WhatsApp, Signal, and Telegram.

Holiday gift: The CIA is there to listen when we have a long day. Now we can be a good friend and hear a bit about theirs as well.

Shadow Brokers

Threat description: The Shadow Brokers first came to public attention with an announcement offering tools stolen from the NSA’s hacking division, officially called Tailored Access Operations and colloquially called the Equation Group. Few people took the bait, so The Shadow Brokers chose to publicly release some of the information – all unredacted. The exploits they have released are older and often already patched, but still have significant potential for damage. For example, the NSA backdoor used in the WannaCry ransomware, DOUBLEPULSAR, came from one of the Shadow Brokers’ leaks. As of yet it’s unknown exactly who the Shadow Brokers are.

Holiday gift: Catalogues more interesting than SkyMall.

WannaCry

Threat description: May 12th, 2017 – The WannaCry ransomware outbreak serves as evidence that weapons-grade cyber attacks developed by nation states are now being used for profit. WannaCry was one of the first examples of ransomware that had the ability to spread to other (Windows) computers on its own, similar to malware of the past like Conficker. The ransomware was able to spread on its own by scanning for systems vulnerable to MS17-010, exploiting them, and then using a recently leaked NSA backdoor to install the ransomware on the system. Both the exploit, called ETERNALBLUE, and the backdoor, DOUBLEPULSAR, came from the recent “Lost in Translation” dump leaked by the Shadow Brokers. The United States government has officially blamed North Korea for WannaCry.

Holiday gift: Some tissue for those impacted by WannaCry.

Petya / NotPetya

Threat description: June 27th, 2017 – The Petya malware rapidly spread across Europe and North America and infected tens of thousands of systems in more than 65 countries. The Petya ransomware trojan is speculated to be part of a Ransomware-as-a-Service (RaaS) malware family that was first advertised by Janus Cybercrime Solutions as a RaaS in late 2015. The initial infection vector is believed to be contaminated software updates from Ukrainian financial tech company MeDoc. Anton Geraschenko, an aide to the Ukrainian Interior Minister, has stated that this infection was “the biggest in Ukraine’s history.” The estimated damages associated with NotPetya reached into the millions for companies like French construction group Saint-Gobain, which lost an estimated $387 million.

Holiday gift: Nothing. Ransomware still sucks 🙁

Hackers Target Nuclear Facilities

Threat description: July 2017 – Critical infrastructure such as nuclear and energy facilities are frequently targeted by advanced persistent threat actors. Early this year the Department of Homeland Security and the Federal Bureau of Investigation released a joint report indicating that companies such as the Wolf Creek Nuclear Operating Corporation had been targeted by hackers. The various attack methods included targeted emails with malicious Word docs, man-in-the-middle attacks (redirecting internet traffic through malicious machines), and watering hole attacks (compromising legitimate websites). Evidence points to Russian hacking group “Energetic Bear” as the culprit. Luckily, no real damage was done.

Holiday gift: Energy sector > energetic adversaries

Ethereum Hacks

Threat description: July 2017 – Popular computer platform Ethereum was the victim of multiple hacks in 2017. On separate occasions cyber criminals stole more than $1 million, $7.4 million, and later $32 million worth of “ether” tokens, the second most widely-used cryptocurrency. During the latter hack, white hat hackers (the good guys) drained $75 million worth of ether from other accounts to protect it from thieves by exploiting the same vulnerability. Ethereum’s problems didn’t end there: a glitch later in the year caused $300 million to be frozen in Parity multi-signature wallets. Parity Technologies suggested a fork (think hard reset) to “unlock” the funds, like the one enacted after the DAO hack.

Holiday gift: We’ve identified a better solution than Nutcrackers for a tough nut to crack – white hat hackers.

MongoDB Ransom Attacks

Threat description: September 2017 – Open-source document database MongoDB had over 27,000 databases wiped and ransomed for their restoration. The targeted databases were running with default settings, making it easy for attackers to find and exploit them. Unfortunately, many of the companies that paid the ransom were never given back their data. Without proper management of permissions and settings, services like MongoDB present an easy opportunity for attackers.

Holiday gift: Security best practices from MongoDB, and a reminder of their importance. This holiday season try to look at security not as the often-ignored fruitcake, but as the delicious frosting keeping your internet gingerbread house together.

Campaign Hacks

Threat description: 2017 – After the direct foreign influence in the 2016 U.S. presidential election, many were left wondering if the numerous European elections of 2017 would encounter the same challenges. In the Netherlands’ March election, concerns over security were so great that every vote was counted by hand. Interior Minister Ronald Plasterk directly cited Russia as a factor in this decision, along with insecure and outdated counting software. The Macron campaign of France, knowing that a targeted attack was inevitable, engaged in a “cyber-blurring” strategy. Fake email accounts were seeded with false documents to slow down hackers. The French government cyber security agency ANSSI later confirmed attacks on the Macron campaign, but did not officially name Russia as the culprit. The German election did not encounter any direct interference, but they did have a bit of a scare – IT specialists Thorsten Schröder, Linus Neumann and Martin Tschirsich analyzed German voting count software and found numerous security flaws. Overall, it appears that most of the elections were carried out relatively unscathed.

Holiday gift: Putin snuck his way onto the nice list last year and got a bald eagle as an early Christmas gift. This year the EU got him for Secret Santa and gave him nada.

Equifax Data Breach

Threat description: September 7th, 2017 – Equifax announced a major data breach of its systems, exposing data associated with approximately 143 million Americans, 400,000 Britons, and 100,000 Canadians. The exposed data contained a host of Personally Identifiable Information (PII), including addresses, Date of Birth (DOB), full names, dispute documents, and of course Social Security Numbers (SSNs). The exploited vulnerability, “CVE-2017-5638,” was issued a patch in March of 2017, which Equifax failed to apply. With the information of half the population of the United States now exposed, many are calling into question the viability of the Social Security Number system. People should stay alert for fraud.

Holiday gift: Free credit report monitoring from the same company that lost your information in the first place

Bad Rabbit

Threat description: October 24th, 2017 – Yet another large ransomware campaign targeted entities in Russia and Eastern Europe and affected predominantly news and media websites. The initial infection vector is believed to have been drive-by downloads from compromised Russian websites and a fake Adobe Flash Player installer. The ransomware was able to propagate itself through networks via Server Message Block (SMB). Bad Rabbit bears similarities to the WannaCry and Petya ransomware outbreaks earlier in the year.

Holiday gift: A reminder of the movie Donnie Darko. That’s about it.

Source: Honeypot Tech

WTB: New GnatSpy Mobile Malware Family Discovered

This section contains summaries of various threat intelligence stories that occurred during the past week. The intelligence in this week’s iteration discusses the following threats: ATM-theft, Data leak, Malspam, Mobile malware, Phishing, Targeted attacks, Threat group, Underground markets, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Jack of All Trades (December 18, 2017)
A new mobile malware is targeting Android devices, according to Kaspersky Lab researchers. The malware, called “Loapi,” is being called a “jack of all trades” because of the numerous malicious capabilities that have been observed. Its modular architecture allows it to perform different malicious actions such as displaying advertisements, conducting Distributed Denial-of-Service (DDoS) attacks, mining cryptocurrency, sending SMS messages, and subscribing to paid services, among others. Researchers note that the modular architecture could allow the actors behind the malware to add new features at any time. The malware was observed impersonating antivirus and adult-related applications.
Click here for Anomali Recommendation

New GnatSpy Mobile Malware Family Discovered (December 18, 2017)
In early 2017, researchers discovered that a threat group, dubbed “Two-tailed Scorpion/APT-C-23,” was targeting Middle Eastern organizations with the “Vamp” and later the “FrozenCell” malware. Now Trend Micro researchers have discovered a new mobile malware family, dubbed “GnatSpy,” that is believed to be a new variant of “Vamp.” As of this writing, researchers do not know how the threat group is distributing the malware to Android devices. It is possible that the actors sent it directly to the targeted devices; researchers note the distribution method is uncertain because few Android applications were found to contain GnatSpy. The complexity of GnatSpy indicates that the group is increasing its engineering efforts to steal information from Android devices.
Click here for Anomali Recommendation

Microsoft Disables DDE Feature in Word to Prevent Further Malware Attacks (December 15, 2017)
Microsoft has released an Office update that disables the Dynamic Data Exchange (DDE) protocol in Word applications as part of December’s Patch Tuesday. The DDE feature allows an Office application to load data from other applications. DDE has been used by threat actors to distribute malware, and this update is Microsoft’s attempt to help mitigate such malicious activity.
Click here for Anomali Recommendation

Ngay Campaign Rig EK Pushes Quant Loader & Monero CPU Miner (December 14, 2017)
Nao-sec researchers discovered a drive-by download attack campaign, dubbed “ngay,” that appears to be targeting Vietnamese-speaking individuals. The actors behind this campaign previously used drive-by download attacks to redirect website visitors to the “Disdain” Exploit Kit (EK). Researchers identified that this campaign is now using the “RIG” EK to distribute the “Quant” loader malware and a “Monero” cryptocurrency miner.
Click here for Anomali Recommendation

Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure (December 14, 2017)
While responding to a security incident, FireEye Mandiant researchers discovered that an unnamed company was infected with an attack framework malware called “TRITON.” The malware is designed to interact with Triconex Safety Instrumented System (SIS) controllers. Researchers state that TRITON is one of the publicly identified malware families that target Industrial Control Systems (ICS), alongside the “Stuxnet” and “Industroyer” malware. The malware was found on a SIS workstation running the Microsoft Windows operating system, where it impersonated the legitimate Triconex Trilog application.
Click here for Anomali Recommendation

Apple Releases Security Updates (December 13, 2017)
The U.S. Computer Emergency Readiness Team (US-CERT) has issued an alert regarding vulnerabilities located in multiple Apple products. The vulnerabilities could be exploited by a remote threat actor to alter the application state on iOS and tvOS. Apple’s iCloud for Windows 7.2 is vulnerable to an actor in a privileged network position tracking a user on the same network.
Click here for Anomali Recommendation

WORK Cryptomix Ransomware Variant Released (December 13, 2017)
A new variant of the “Cryptomix” ransomware, dubbed “WORK” because the malware appends the .WORK extension to encrypted files, has been discovered in the wild, according to BleepingComputer researchers. This new variant uses the same encryption methods as previous Cryptomix versions; the changes consist of the .WORK extension appended to encrypted files and new email addresses to contact for the decryption key. While the distribution method of this ransomware has not been reported, malspam is a common method of distributing malware.
Click here for Anomali Recommendation

The ROBOT Attack (December 12, 2017)
A vulnerability first identified in 1998 by researcher Daniel Bleichenbacher, dubbed “Return Of Bleichenbacher’s Oracle Threat” (ROBOT), has resurfaced, according to researchers Hanno Böck and Craig Young. Other researchers believe that this vulnerability is in fact the original “Padding Oracle Attack.” Daniel Bleichenbacher discovered that “the error messages given by SSL server for errors in the PKCS #1 1.5 padding allowed an adaptive-chosen ciphertext attack; this attack fully breaks the confidentiality of TLS when used with RSA encryption.” This vulnerability could allow a threat actor to record Internet traffic to a vulnerable host that only supports RSA encryption and decrypt it later. Researchers found that 27 of the top 100 domains, ranked by Alexa, had vulnerable subdomains.
Click here for Anomali Recommendation
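What turns a PKCS#1 v1.5 padding check into an oracle is that the server’s reaction differs by failure mode; the TLS countermeasure (RFC 5246, section 7.4.7.1) is to make every failure look the same. The following is an added example, not code from the Anomali report or the ROBOT researchers. RSA itself is left out: the oracle concerns the check applied to the block after RSA decryption, so the functions take that block directly, and the modulus size, exception names and sample blocks are all constructed for illustration.

```python
"""Added example (not from the Anomali report or the ROBOT paper): a leaky
PKCS#1 v1.5 unpadding routine beside the RFC 5246 7.4.7.1 behaviour.
Constructed values throughout; no real RSA key is involved."""
import os

K = 64                 # constructed: RSA modulus size in bytes (real keys: 256+)
PREMASTER_LEN = 48     # TLS premaster secret length
TLS12 = b"\x03\x03"    # client_version as sent in ClientHello (TLS 1.2)


class PaddingError(Exception):
    """Base class; the distinct subclasses are what an oracle keys on."""

class BadFirstByte(PaddingError):
    pass

class BadBlockType(PaddingError):
    pass

class NoSeparator(PaddingError):
    pass

class ShortPadding(PaddingError):
    pass


def pkcs1_v15_pad(premaster: bytes, k: int = K) -> bytes:
    """EME-PKCS1-v1_5 encoding: 0x00 0x02 <non-zero random bytes> 0x00 <message>."""
    ps_len = k - 3 - len(premaster)
    if ps_len < 8:
        raise ValueError("message too long for modulus")
    ps = bytes(b or 1 for b in os.urandom(ps_len))   # padding string has no 0x00
    return b"\x00\x02" + ps + b"\x00" + premaster


def leaky_unpad(block: bytes, k: int = K) -> bytes:
    """Textbook unpadding that reports *why* a block is malformed. Each distinct
    error (message, alert type or timing) is one bit about the RSA plaintext,
    which is exactly what Bleichenbacher's adaptive attack consumes."""
    if len(block) != k or block[0] != 0x00:
        raise BadFirstByte()
    if block[1] != 0x02:
        raise BadBlockType()
    sep = block.find(b"\x00", 2)
    if sep == -1:
        raise NoSeparator()
    if sep < 10:                         # fewer than 8 padding bytes
        raise ShortPadding()
    return block[sep + 1:]


def tls_safe_unpad(block: bytes, client_version: bytes, k: int = K) -> bytes:
    """RFC 5246 7.4.7.1 behaviour: whatever goes wrong, return a 48-byte value.
    On any failure the random fallback is used, the handshake continues, and the
    only visible symptom is a failed Finished MAC, identical for every failure
    mode. (Python cannot promise constant time; what is shown is the uniform
    outcome, not the timing side of the countermeasure.)"""
    fallback = os.urandom(PREMASTER_LEN)          # generated before any check
    sep = block.find(b"\x00", 2)
    premaster = block[sep + 1:] if sep != -1 else b""
    ok = (
        len(block) == k
        and block[0] == 0x00
        and block[1] == 0x02
        and sep >= 10
        and len(premaster) == PREMASTER_LEN
        and premaster[:2] == client_version        # version mismatch: same treatment
    )
    return premaster if ok else fallback


def observable_outcomes(unpad, blocks, *args) -> set:
    """Label what a network peer could distinguish for each block."""
    outcomes = set()
    for block in blocks:
        try:
            result = unpad(block, *args)
        except PaddingError as exc:
            outcomes.add(type(exc).__name__)
        else:
            outcomes.add(f"{len(result)}-byte premaster")
    return outcomes


# Constructed sample blocks: one valid, three malformed in different ways.
PREMASTER = TLS12 + b"\x42" * (PREMASTER_LEN - 2)
VALID = pkcs1_v15_pad(PREMASTER)
SAMPLE_BLOCKS = [
    VALID,
    b"\x01" + VALID[1:],                   # wrong first byte
    VALID[:1] + b"\x03" + VALID[2:],       # wrong block type
    b"\x00\x02" + b"\x01" * (K - 2),       # no 0x00 separator
]

if __name__ == "__main__":
    print("leaky :", sorted(observable_outcomes(leaky_unpad, SAMPLE_BLOCKS)))
    print("tls   :", sorted(observable_outcomes(tls_safe_unpad, SAMPLE_BLOCKS, TLS12)))
```

Run stand-alone, the leaky routine exposes four distinguishable outcomes for the four sample blocks while the RFC-style routine exposes one. The practical defences the report implies follow from this: disable RSA key exchange in favour of (EC)DHE suites where possible, and where RSA key exchange must stay, make sure the TLS stack applies the uniform-outcome treatment to every padding and version failure.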

Database of 1.4 Billion Credentials Found on Dark Web (December 11, 2017)
4iQ researchers have discovered a large, interactive database that contains an aggregated list of compromised credentials from approximately 252 previous breaches. The discovery was made on December 5, 2017. The advertised data consists of 1,400,533,869 usernames with associated clear-text passwords. The structure of the database makes it simple for anyone to download and interact with it, and the search feature is fast enough to return a result in one second. After additional analysis of the data, researchers found that the number of compromised credentials is lower because not all of the usernames are listed with an associated password. While some sources state that the data was located on underground forums, which is likely, the data was also found in open-source locations such as “Reddit.”
Click here for Anomali Recommendation

Hacker’s Delight: Mobile Bank App Security Flaw Could Have Smacked Millions (December 11, 2017)
University of Birmingham researchers have published information regarding vulnerabilities located in popular banking applications. The researchers used a custom tool called “Spinner” to conduct semi-automated security tests on 400 security-critical applications. Through this testing, it was discovered that many banking applications use a technique called “Certificate Pinning” to improve connection security, but the use of this technique also made it more difficult for penetration testers to find a more serious vulnerability hidden behind it. Researchers found that many popular banking applications did not perform proper hostname verification. This flaw could have allowed a threat actor on the same network as an individual using an affected application to conduct Man-in-The-Middle (MiTM) attacks to steal user credentials.
Click here for Anomali Recommendation
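The flaw described above is easy to misread as “pinning is bad”; the actual lesson is that pinning decides who may issue a certificate while hostname verification decides for whom it was issued, and an app needs both. The following added example (not code from the Spinner paper or from any bank’s app) models certificates as dicts in the shape `ssl.SSLSocket.getpeercert()` returns and puts the pin-only check beside the combined one. The `ca_spki_sha256` field, the CA key bytes and all hostnames are constructed stand-ins.

```python
"""Added example (not from the Spinner paper or any bank's app): certificate
pinning and hostname verification as two separate checks. Certificates are dicts
in the shape ssl.SSLSocket.getpeercert() returns; 'ca_spki_sha256' is a
constructed stand-in for the pin an app ships with."""
import hashlib


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName matching: case-insensitive; a wildcard is allowed
    only as the entire left-most label, only when at least two labels follow it,
    and it matches exactly one label (so '*.example' never covers 'a.b.example')."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_dns_names(cert: dict) -> list:
    """dNSName SAN entries; fall back to the subject CN only when there are none."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def verify_hostname(cert: dict, hostname: str) -> bool:
    return any(hostname_matches(p, hostname) for p in cert_dns_names(cert))


def pin_of(public_key_der: bytes) -> str:
    """SHA-256 over the CA's SubjectPublicKeyInfo, as a pinning app would store it."""
    return hashlib.sha256(public_key_der).hexdigest()


def pin_only_check(cert: dict, pinned: str) -> bool:
    """The flawed pattern: the chain is anchored to the pinned key and nothing
    else is asked. Any certificate issued under that key, for any host, passes."""
    return cert["ca_spki_sha256"] == pinned


def pin_and_hostname_check(cert: dict, pinned: str, hostname: str) -> bool:
    """Pinning narrows *who* may issue; hostname verification still decides
    *for whom* the certificate was issued. Both are required."""
    return cert["ca_spki_sha256"] == pinned and verify_hostname(cert, hostname)


# Constructed data: one CA that issues to many unrelated customers.
CA_KEY = b"constructed-public-ca-spki-bytes"
PINNED = pin_of(CA_KEY)
BANK_HOST = "api.example-bank.test"

GENUINE_CERT = {
    "subject": ((("commonName", BANK_HOST),),),
    "subjectAltName": (("DNS", BANK_HOST), ("DNS", "*.example-bank.test")),
    "ca_spki_sha256": PINNED,
}
# A perfectly valid certificate from the same CA, issued to a different site.
OTHER_SITE_CERT = {
    "subject": ((("commonName", "www.other-merchant.test"),),),
    "subjectAltName": (("DNS", "www.other-merchant.test"),),
    "ca_spki_sha256": PINNED,
}

if __name__ == "__main__":
    print("pin only, other site's cert   :", pin_only_check(OTHER_SITE_CERT, PINNED))
    print("pin + hostname, other site    :", pin_and_hostname_check(OTHER_SITE_CERT, PINNED, BANK_HOST))
    print("pin + hostname, genuine cert  :", pin_and_hostname_check(GENUINE_CERT, PINNED, BANK_HOST))
```

The pin-only check accepts the other customer’s certificate because it chains to the pinned CA; the combined check rejects it. In a real client the hostname step should be the TLS library’s own (for example, `check_hostname=True` on a Python `ssl.SSLContext`), with pinning layered on top rather than replacing it.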

Phishing Attacks on Bitcoin Wallets Intensify as Price Goes Higher and Higher (December 11, 2017)
With the significant increase in the monetary value of Bitcoin, approximately $16,180 USD per bitcoin as of this writing, threat actors are increasingly targeting Bitcoin-related websites and Bitcoin users. In addition to phishing emails, “CheckPhish” researchers also identified five phishing domains targeting the “Blockchain” wallet service. Other security researchers found that the “LocalBitcoins” Bitcoin exchange brand was also used in phishing websites. Threat actors are attempting to steal wallet files and empty accounts of their bitcoins.
Click here for Anomali Recommendation

Hackers Hit U.S., Russian Banks In ATM Robbery Scam: Report (December 11, 2017)
A previously unknown, Russian-speaking threat group, dubbed “MoneyTaker,” is responsible for the theft of approximately $10 million USD from around 18 banks, according to Group-IB researchers. The actors targeted ATMs operated by banks primarily located in the U.S. and Russia. The malicious activity is ongoing and is believed to have begun approximately 18 months ago. Researchers identified that the first attacks took place in the spring of 2016 against banks using the payment technology company First Data’s “STAR” network; STAR is a debit card processing and payment network. First Data has stated that “a number” of financial institutions on the STAR network had their credentials for administering debit cards compromised. The actors used custom malware called MoneyTaker, from which the group takes its name, to manipulate payment orders and then used “money mules” to cash out funds from ATMs.
Click here for Anomali Recommendation

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. Click here to request a trial.

Locky Tool Tip
Locky is ransomware that is widely spread via phishing messages. Locky first appeared in early 2016 and is strongly correlated with the cyber criminal groups behind the Dridex and Necurs botnets. Multiple waves of Locky samples are distributed daily, and the delivery mechanism has evolved over time: spam messages with executable attachments, MS Word document attachments using macros to retrieve and then execute Locky, and ZIP files containing JavaScript loaders that retrieve and then execute Locky. Hosts compromised by Locky display a ransom note with instructions on how to decrypt the encrypted files. Encrypted files are renamed with a .locky or .zepto extension.
Tags: Locky, Ransomware

Source: Honeypot Tech
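The two extensions named in the tool tip are a usable host-side detection signal: a single rename to .locky is noise, a burst of them on one host within a minute is encryption in progress. The following added example (not Anomali’s detection logic) runs that check over a constructed file-event log. The line format, every event, and the window and threshold values are constructed or assumed, not figures from the report.

```python
"""Added example (not Anomali's detection logic): flag a per-host burst of
renames to the .locky / .zepto extensions named in the tool tip, inside a
sliding time window. Log format, events, window and threshold are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

RANSOM_EXTENSIONS = {".locky", ".zepto"}   # extensions named in the tool tip
WINDOW_SECONDS = 60                        # assumed tuning value
THRESHOLD = 5                              # assumed: renames per host per window

# Constructed line format: ISO timestamp, then key=value pairs, paths quoted.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) '
    r'src="(?P<src>[^"]*)" dst="(?P<dst>[^"]*)"$'
)
EXT_RE = re.compile(r'\.[^.\\/]+$')        # last extension, Windows or POSIX paths


def parse_event(line: str):
    """Return a dict for a well-formed line, None otherwise (never raise on junk)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    try:
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    except ValueError:
        return None
    return ev


def extension_of(path: str) -> str:
    m = EXT_RE.search(path)
    return m.group(0).lower() if m else ""


def detect_ransomware_renames(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """One alert per host, raised the first time `threshold` renames to a ransom
    extension land inside `window` seconds. Returns [(host, user, count), ...]."""
    recent = defaultdict(deque)     # host -> timestamps of suspicious renames
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["op"] != "RENAME":
            continue
        if extension_of(ev["dst"]) not in RANSOM_EXTENSIONS:
            continue
        q = recent[ev["host"]]
        q.append(ev["ts"])
        while q and (ev["ts"] - q[0]).total_seconds() > window:
            q.popleft()                 # drop renames older than the window
        if len(q) >= threshold and ev["host"] not in alerted:
            alerted.add(ev["host"])
            alerts.append((ev["host"], ev["user"], len(q)))
    return alerts


# Constructed events: WS01 shows a burst, WS02 one rename, WS03 benign renames,
# plus a non-rename event and one malformed line the parser must survive.
SAMPLE_EVENTS = [
    r'2017-12-13T10:00:00Z host=WS01 user=alice op=RENAME src="C:\Users\alice\Documents\budget.xlsx" dst="C:\Users\alice\Documents\A1B2C3D4E5F60718.locky"',
    r'2017-12-13T10:00:02Z host=WS03 user=carol op=RENAME src="C:\Users\carol\report.docx" dst="C:\Users\carol\report.docx.bak"',
    r'2017-12-13T10:00:03Z host=WS01 user=alice op=RENAME src="C:\Users\alice\Documents\notes.txt" dst="C:\Users\alice\Documents\A1B2C3D4E5F60719.locky"',
    r'2017-12-13T10:00:04Z host=WS02 user=bob op=RENAME src="C:\Users\bob\Pictures\photo.jpg" dst="C:\Users\bob\Pictures\0000000000000001.zepto"',
    r'2017-12-13T10:00:06Z host=WS01 user=alice op=RENAME src="C:\Users\alice\Documents\plan.pptx" dst="C:\Users\alice\Documents\A1B2C3D4E5F6071A.locky"',
    r'2017-12-13T10:00:07Z host=WS01 user=alice op=CREATE src="" dst="C:\Users\alice\Desktop\readme.txt"',
    r'2017-12-13T10:00:09Z host=WS01 user=alice op=RENAME src="C:\Users\alice\Documents\q3.pdf" dst="C:\Users\alice\Documents\A1B2C3D4E5F6071B.locky"',
    'malformed line from a noisy forwarder',
    r'2017-12-13T10:00:12Z host=WS01 user=alice op=RENAME src="C:\Users\alice\Documents\draft.doc" dst="C:\Users\alice\Documents\A1B2C3D4E5F6071C.locky"',
    r'2017-12-13T10:00:15Z host=WS01 user=alice op=RENAME src="C:\Users\alice\Documents\invoice.xls" dst="C:\Users\alice\Documents\A1B2C3D4E5F6071D.locky"',
]

if __name__ == "__main__":
    for host, user, count in detect_ransomware_renames(SAMPLE_EVENTS):
        print(f"ALERT host={host} user={user} ransom-extension renames in window={count}")
```

Against the sample, only WS01 trips the threshold, on its fifth rename, and it is reported once even though renames continue. The extension set is deliberately small and taken from the tool tip; in production the same loop would be fed from a file-integrity or EDR rename feed and the set extended as new variants are documented.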