A Very Malicious Christmas

In 2017, Americans are projected to spend $906 million on gifts, up from $785 in 2016. A significant chunk of that total will be spent online. As consumers turn to the internet, the number of those looking to exploit them is growing at a similar rate.

Over the last five years, the festive season has seen actors ramping up Christmas-themed campaigns that directly target businesses and consumers. This post outlines a very small number of particularly prolific attacks observed over previous Christmases that will very likely be seen in reworked variants this year.


View details in ThreatStream: fastpos

Despite the increase in ecommerce transactions, in-person retail sales still account for the largest share of the market. Many consumers don’t think twice when they swipe their credit card or enter their PIN to buy that must-have gift. Unfortunately, some of these people might find unwelcome charges on their credit card statements come January if they have used a point-of-sale (POS) device infected with malware.

First seen in June 2016, FastPOS is just one of many malware families that target POS devices. Like other POS families, it captures card data, including Track 2, and logs keystrokes on the infected machine. Notably, the malware communicates with its command and control (C&C) server over an unencrypted HTTP session. It establishes persistence much as other malware does, by creating an autorun key in the Windows registry.

Previously, FastPOS has taken advantage of the increased retail transaction volume in the run-up to Christmas. Various iterations of the FastPOS and other malware families targeting POS systems are likely to follow suit during the 2017 holiday season.
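Because FastPOS sends what it scrapes over plain HTTP, a network sensor or proxy log can be checked for Track 2 data in outbound request bodies. The detector below is an added example written for this post; it is not FastPOS code and not part of ThreatStream. The request bodies, the gateway path and the IP address are constructed samples (not IOCs), and the card number is the standard 4111 1111 1111 1111 test PAN.

```python
import re

# Track 2 layout (ISO/IEC 7813): ';' start sentinel, PAN of up to 19 digits,
# '=' field separator, YYMM expiry, 3-digit service code, discretionary
# data, '?' end sentinel. This is the record a POS memory scraper lifts from
# the payment process and ships out, here unencrypted.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check on a PAN; filters random digit runs that happen to match the regex."""
    total = 0
    for i, digit in enumerate(reversed(pan)):
        n = int(digit)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four so an alert is useful without re-leaking the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(http_body: str) -> list:
    """Return masked PANs for every Luhn-valid Track 2 record in an HTTP body."""
    return [mask_pan(m.group(1)) for m in TRACK2_RE.finditer(http_body)
            if luhn_ok(m.group(1))]


# Constructed sample requests (hypothetical gateway path and IP address).
SAMPLE_REQUESTS = {
    "suspect": ("POST /gate.php HTTP/1.1\r\nHost: 198.51.100.23\r\n\r\n"
                "data=;4111111111111111=2512101123456789?"),
    "benign": ("POST /api/order HTTP/1.1\r\nHost: shop.example\r\n\r\n"
               '{"sku": "XMAS-42", "qty": 1}'),
}


def scan_requests(requests: dict) -> dict:
    """Map each request name to the masked PANs found in it; alert on any non-empty list."""
    return {name: find_track2(body) for name, body in requests.items()}


if __name__ == "__main__":
    for name, hits in scan_requests(SAMPLE_REQUESTS).items():
        print(name, "->", hits or "clean")
```

The Luhn check matters in practice: without it, any 13 to 19 digit run between a semicolon and an equals sign fires, and a busy retail network carries plenty of those. Masking in the alert keeps the sensor itself from becoming a second place card data is stored.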

Protip for retailers: search for indicators of compromise (IOCs) tagged with “retail” in ThreatStream to uncover threats to your operations over Christmas.

Lizard Squad

View details in ThreatStream: lizard squad

In 2014, Lizard Squad performed a distributed denial-of-service (DDoS) attack against the Xbox Live and Sony PlayStation networks over Christmas. As millions of people (myself included) attempted to play the games they had just received as gifts, they were met with errors for the duration of the attack.

Looking through ThreatStream, Lizard Squad is responsible for a number of attacks, with DDoS being their preferred method. Since the group’s inception they have developed increasingly sophisticated DDoS capabilities and now use variants of the Gafgyt botnet malware.

Protip for gaming companies: sync indicators of compromise (IOCs) from ThreatStream with your SIEM to automatically match known threats to your logs, and alert when a match has been found.

Merry X-Mas

View details in ThreatStream: Merry Christmas Ransomware

2017 has been the year of ransomware. From WannaCry to Petya and everything in between, ransomware has wreaked havoc on companies around the world. The NotPetya ransomware will reportedly cost shipping giant Maersk $300 million alone!

The Merry Christmas (or Merry X-Mas) ransomware was spotted for the first time by security researchers in early January 2017, when the malware was distributed through spam campaigns. According to researchers, the latest strains of the ransomware have been delivered together with other pieces of malware, namely DiamondFox, which is used to steal sensitive information from victims’ systems.

Protip for SecOps teams: be alerted immediately when the latest malware hashes, or suspect domains produced by domain generation algorithms (DGAs), are seen inside your network (including on mobile devices) using Anomali Enterprise.

Phishing for gifts

View search in ThreatStream: christmas

A quick search for malicious domains in ThreatStream turns up hundreds of IOCs with the word “christmas.” Phishing campaigns often ramp up over the festive period, taking advantage of the fact people are spending more money in December. I’ve seen campaigns spoofing retailers and financial institutions in greater number this year than in any previous year I can recall.

Protip for everyone: never click a link in an email. For SecOps teams, monitor emails from compromised addresses or with links to known malicious domains before they’re clicked using Anomali Enterprise.

A few free Christmas gifts from Anomali

STAXX gives you an easy way to access any STIX/TAXII feed and is a great tool for those starting to incorporate threat intelligence into their security strategies.

You can download STAXX for free here — our gift to you this Christmas.

Understand your security risk posture with a free customized Recon Report from Anomali Labs. Simply sign up for a free Anomali Enterprise Trial in the month of December.

A December to Remember

Source: Honeypot Tech

WTB: German Spy Agency Warns of Chinese LinkedIn Espionage

The intelligence in this week’s iteration discusses the following threats: APT, Banking trojan, Botnet, Data leak, Malspam, Malvertising, Pre-installed keylogger, Ransomware, Targeted attacks, Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

German Spy Agency Warns of Chinese LinkedIn Espionage (December 10, 2017)
The German intelligence agency, the Federal Office for the Protection of the Constitution (BfV), has stated that Chinese intelligence is using the networking website LinkedIn to target approximately 10,000 Germans. The BfV released information regarding multiple fake LinkedIn profiles it discovered and believes that the accounts are evidence of China’s efforts to spy on, and possibly recruit, German individuals and to subvert German politics.
Tags: Targeted attacks, LinkedIn

Pre-Installed Keylogger Found On Over 460 HP Laptop Models (December 8, 2017)
A security researcher going by the name “ZwClose” has released information regarding a pre-installed keylogger located in the Synaptics touchpad driver. The Synaptics driver is shipped with HP machines, and approximately 460 HP models were observed to contain this keylogging feature. Researchers note that the keylogger feature is disabled by default; however, threat actors could use open source tools for bypassing User Account Control to enable the keylogger “by setting a registry value.”
Tags: Pre-Installed threat, Keylogger, HP

A Peculiar Case of Orcus RAT Targeting Bitcoin Investors (December 7, 2017)
As the value of the Bitcoin cryptocurrency continues to increase (approximately $17,740 USD as of this writing), threat actors are increasing their efforts to target Bitcoin investors. Fortinet researchers have found that actors are targeting Bitcoin investors with a Remote Access Trojan (RAT) called “Orcus” via a phishing campaign. The phishing emails purport to be an announcement of a new, legitimate bitcoin trading bot called “Gunbot.” The email attachment contains a VB script that, when executed, downloads a file impersonating a .jpeg. The .jpeg file is actually a portable executable binary. The executable was found to be a trojanized version of an open source inventory tool called “TTJ-Inventory System.” Inside this malicious version, researchers discovered the presence of the Orcus RAT, which is advertised as a Remote Access Tool created by Orcus Technologies. Orcus has numerous features and commands that it can run; however, researchers note that what separates Orcus is the ability to load custom plugins.
Tags: Targeted attacks, Bitcoin investors, Malspam, Orcus RAT

New Targeted Attack in the Middle East by APT34, A Suspected Iranian Threat Group, Using CVE-2017-11882 (December 7, 2017)
FireEye researchers have published a report regarding a new Advanced Persistent Threat (APT) group they have dubbed “APT34.” The group is believed to be based in Iran and has been observed exploiting a Microsoft Office vulnerability (CVE-2017-11882) that Microsoft patched on November 14, 2017. The vulnerability was exploited while attacking an unnamed government organization in the Middle East. Researchers believe that the APT group has been conducting a long-term cyber espionage campaign to benefit Iranian national interests, and that it has been active since at least 2014. The group was observed using spear phishing emails that attempt to drop public and custom malicious tools, such as the group’s custom PowerShell backdoor, to achieve its goals.
Tags: APT, APT34, Targeted attacks

Master Channel: The Boleto Mestre Campaign Targets Brazil (December 7, 2017)
Palo Alto Unit 42 researchers have discovered a new malspam campaign, dubbed “The Boleto Mestre Campaign” because the links and attachments in the emails masquerade as “Boleto Bancário.” Boleto Bancário is an official payment method that is regulated by the Central Bank of Brazil. Researchers have observed over 260,000 emails that fall under this theme since June 2017. The objective of this campaign is to trick a user into following a malicious link or opening a document that will infect the recipient with an information-stealing trojan.
Tags: Malspam, Boleto Bancario-themed, Data theft

Mailsploit: It’s 2017, and You Can Spoof The “From” in Email to Fool Filters (December 6, 2017)
Penetration tester Sabri Haddouche has discovered that more than 30 email clients are vulnerable to email source spoofing. The vulnerability has been dubbed “Mailsploit.” The email clients are vulnerable to spoofing because of improper implementation of Request For Comments (RFC) 1342 (which dates back to 1992), which can allow source spoofing to bypass spam filters and security features such as Domain-based Message Authentication, Reporting and Conformance (DMARC). RFC 1342 covers the representation of non-ASCII characters in Internet message headers. Haddouche identified that the mail client interfaces do not properly sanitize a non-ASCII string after it is decoded.
Tags: Vulnerability, Mailsploit, Email clients
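A receiving-side check can catch the class of header Mailsploit abuses: decode the encoded-words in the From header (the RFC 1342 mechanism, now specified by RFC 2047 and implemented by Python’s email package) and refuse any message whose decoded display name contains control characters or itself looks like an address. The code below is an added example for this briefing, not Haddouche’s code and not a fix from any mail client; the three headers are constructed samples on example domains.

```python
import base64
import re
from email.header import decode_header

# C0 control characters and DEL have no place in a display name. A NUL or
# line break that only exists after decoding is exactly what lets the
# rendered sender diverge from the address DMARC and the spam filter saw.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def decode_from_header(raw_from: str) -> str:
    """Expand RFC 2047 encoded-words in a raw From header into one string."""
    pieces = []
    for chunk, charset in decode_header(raw_from):
        if isinstance(chunk, bytes):
            pieces.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            pieces.append(chunk)
    return "".join(pieces)


def split_mailbox(decoded: str) -> tuple:
    """Split 'Name <addr>' on the last '<'; without angle brackets the whole
    string is the address."""
    text = decoded.strip()
    if "<" in text and text.endswith(">"):
        name, _, addr = text.rpartition("<")
        return name.strip().strip('"'), addr[:-1].strip()
    return "", text


def from_header_is_suspicious(raw_from: str) -> bool:
    """True when the decoded header could render as a sender other than the
    machine-checked address: a control character anywhere, or a display
    name that carries an '@' or an angle bracket of its own."""
    decoded = decode_from_header(raw_from)
    if CONTROL_CHARS.search(decoded):
        return True
    name, _addr = split_mailbox(decoded)
    return any(c in name for c in "@<>")


def encoded_word(text: str, charset: str = "utf-8") -> str:
    """Build an RFC 2047 'B' encoded-word; used here only to construct samples."""
    b64 = base64.b64encode(text.encode(charset)).decode("ascii")
    return "=?%s?B?%s?=" % (charset, b64)


# Constructed sample headers (example domains, not real senders).
BENIGN_FROM = encoded_word("Søren Kierkegaard") + " <soren@example.org>"
NUL_IN_NAME_FROM = encoded_word("notify@bank.example\x00") + " <other@example.net>"
ADDR_AS_NAME_FROM = encoded_word("notify@bank.example") + " <other@example.net>"

if __name__ == "__main__":
    for label, hdr in [("benign", BENIGN_FROM), ("nul", NUL_IN_NAME_FROM),
                       ("addr-as-name", ADDR_AS_NAME_FROM)]:
        print(label, from_header_is_suspicious(hdr))
```

The check runs on the decoded text, which is the point: the raw header is RFC-clean and DMARC passes on the angle-bracket address, so anything that only inspects the raw bytes, or trusts the client to render safely, misses it. Rejecting or quarantining at the gateway keeps the decision away from the 30-odd clients that render such names differently.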

StorageCrypt Ransomware Infecting NAS Devices Using SambaCry (December 5, 2017)
A new ransomware, dubbed “StorageCrypt,” is targeting Network-Attached Storage (NAS) devices, according to Bleeping Computer researchers. The threat actors behind this campaign are using the Samba vulnerability known as “SambaCry.” Samba is a suite of programs that provides Windows file and print services on Linux and Unix. Exploitation of the vulnerability allows an actor to open a command shell on the affected machine that can be used to download files and execute commands. The actors are demanding a ransom of anywhere between 0.4 (approximately $6,356 USD) and 2 (approximately $31,779 USD) bitcoins for the decryption key.
Tags: Ransomware, StorageCrypt, Vulnerability, SambaCry

Quantize or Capitalize (December 5, 2017)
Forcepoint researchers have found that the “Quant” trojan loader, usually used to distribute “Locky” ransomware and the information-stealing malware “Pony,” has added new features to its malicious capabilities. Quant is now able to steal credentials as well as various cryptocurrencies including Bitcoin, Peercoin, Primecoin, and Terracoin. The credential-stealing feature is accomplished via a Delphi-based library that is capable of stealing operating system and application login credentials.
Tags: Malware, Downloader, Quant, Credential theft

Virtual Keyboard Developer Leaked 31 Million of Client Records (December 5, 2017)
A MongoDB database that appears to belong to the Tel Aviv-based startup company “AI.Type” was configured for public access which exposed approximately 31 million user records, according to the Kromtech Security Center. The company designed a virtual keyboard that works on mobile devices for both Android and iOS. The exposed database contained 557 gigabytes of data that consists of user registration records in addition to information that was entered onto the keyboard.
Tags: Misconfigured database, MongoDB, Data leak

Dridex is Back, Baby! – Necurs Botnet Malspam Pushes Dridex (December 4, 2017)
Researchers have discovered that the “Necurs” botnet has resumed its distribution of the “Dridex” banking malware. Researchers note that the last occurrence of Necurs distributing Dridex was identified in June 2017, and that this Necurs campaign is separate from the “Globeimposter” ransomware campaign. The emails purport to discuss a credit card payment and provide a link to receive confirmation of the payment. If the link is followed, it retrieves a malicious Word document. Inside the document is an embedded object that generates up to four URLs to retrieve the Dridex installer.
Tags: Malspam, Botnet, Necurs, Banking trojan, Dridex

Apache Software Foundation Releases Security Updates (December 4, 2017)
An alert has been released by the United States Computer Emergency Readiness Team (US-CERT) concerning vulnerabilities in Apache products. Specifically, the vulnerabilities are located in Apache Struts versions 2.5 through 2.5.14. The US-CERT states that an actor could exploit one of these vulnerabilities to take control of an affected system. One of the vulnerabilities can be exploited by an actor via a custom JSON request that can be used to conduct a Denial-of-Service (DoS) when using an outdated json-lib with Struts REST plugin. The second vulnerability is located in the Jackson JSON library, however, the impact of the issue is, as of this writing, still being researched further.
Tags: Alert, Vulnerabilities, Apache

Mozilla Releases Security Update for Firefox (December 4, 2017)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding vulnerabilities located in the Mozilla Firefox web browser. The US-CERT states that a remote threat actor could exploit these vulnerabilities to take control of an affected system. The vulnerabilities, registered as “CVE-2017-7843” and “CVE-2017-7844,” involve Private Browsing mode storing data across multiple private browsing sessions. The latter vulnerability involves an external SVG image referenced on one page, where the coloring of anchor links stored within the image can be used to determine which pages a user has in their history.
Tags: Alert, Vulnerabilities, Mozilla, Firefox web browser

Necurs Botnet Malspam Pushed Globeimposter Ransomware (December 4, 2017)
Researchers have observed that the “Necurs” botnet, known for distributing “Locky” ransomware, is currently distributing the “Globeimposter” ransomware. The ransomware is being distributed via malspam that contains malicious attachments. The emails purport that a message is ready to be sent with the following file or link attachments, or that an attached file is a confirmation of a credit card payment per the recipient’s request. Opening the attachment begins the infection process for Globeimposter. The threat actors behind this campaign are demanding 0.088 Bitcoin (approximately $1,037 USD) for the decryption key.
Tags: Malspam, Botnet, Necurs, Ransomware, Globeimposter

Seamless Campaign Serves RIG EK via Punycode (December 4, 2017)
Malwarebytes Labs researchers have published information regarding the history and current activity of the “Seamless” malvertising campaign. The Seamless campaigns are known for almost exclusively distributing the “Ramnit” banking trojan via the RIG exploit kit. Threat actors are currently running two Seamless campaigns simultaneously: one that uses static strings and IP-literal URLs (URLs that skip DNS), and another that uses special characters. In the latter campaign, actors are using a Cyrillic-based domain name that is then transcribed via “Punycode” (the encoding used to convert Unicode characters to ASCII). According to researchers, the malvertisements are typically distributed via adult portals that redirect to malicious domains to begin the infection process for Ramnit.
Tags: Malvertising, Seamless campaign, RIG EK, Trojan, Ramnit
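Both Seamless variants can be screened at the proxy before a redirect is followed: decode each xn-- label back to Unicode and flag labels that mix scripts (a Latin-looking Cyrillic lookalike has to mix scripts to resemble a brand name), and flag IP-literal hosts separately. The function below is an added example for this briefing, not Malwarebytes’ tooling or the campaign’s code; the hostnames are constructed on example TLDs and documentation IP space, and the lookalike swaps one Latin letter for Cyrillic U+0430.

```python
import ipaddress
import unicodedata


def label_to_unicode(label: str) -> str:
    """Decode one DNS label; 'xn--' labels are Punycode, others pass through."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def scripts_in(label: str) -> set:
    """Script names (LATIN, CYRILLIC, GREEK, ...) of the letters in a label,
    taken from the first word of each character's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}


def is_ip_literal(host: str) -> bool:
    """IP-literal hosts skip DNS entirely, the other Seamless variant."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def classify_host(host: str) -> str:
    """Return 'ip-literal', 'mixed-script' (homograph candidate) or 'plain'."""
    if is_ip_literal(host):
        return "ip-literal"
    for label in host.split("."):
        if len(scripts_in(label_to_unicode(label))) > 1:
            return "mixed-script"
    return "plain"


def screen_hosts(hosts) -> dict:
    """Classify a batch of hostnames, e.g. the Host values from a proxy log."""
    return {h: classify_host(h) for h in hosts}


# Constructed samples. The lookalike is 'p' + Cyrillic 'а' + 'ypal'; the
# wholly Cyrillic name ('пример') is a legitimate IDN and must not be flagged.
LOOKALIKE = "p\u0430ypal.example".encode("idna").decode("ascii")
CYRILLIC_ONLY = "\u043f\u0440\u0438\u043c\u0435\u0440.example".encode("idna").decode("ascii")
SAMPLE_HOSTS = [LOOKALIKE, CYRILLIC_ONLY, "paypal.example", "203.0.113.7"]

if __name__ == "__main__":
    for host, verdict in screen_hosts(SAMPLE_HOSTS).items():
        print(host, "->", verdict)
```

The mixed-script rule deliberately leaves a single-script Cyrillic domain alone; a Russian-language site is not a homograph, and blocking all IDNs would be the wrong lesson from this campaign. The decoded form is also what should appear in the alert, since “xn--…” strings are unreadable to the analyst triaging it.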

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. Click here to request a trial.

RIG exploit kit Tool Tip
The RIG exploit kit is a framework used to exploit client-side vulnerabilities in web browsers. It takes advantage of vulnerabilities in Internet Explorer, Adobe Flash, Java and Microsoft Silverlight. RIG was first observed in early 2014. Its objective is to upload malicious code to the target system, and it is known to distribute ransomware, spambots and backdoors. Victims are redirected to the RIG landing page from malvertising or compromised sites.
Tags: RIG, exploitkit


What is Threat Intelligence?

Written by Steve Miller and Payton Bush

Threat intelligence is a subset of intelligence focused on information security. Gartner (sorry, people) defines threat intelligence as “evidence-based knowledge…about an existing or emerging menace or hazard…to inform decisions regarding the subject’s response to that menace or hazard.” In short, threat intelligence is curated information intended to inform you and help you make better decisions about how to stop bad things from happening to you.

There are a few schools of thought and several sets of vernacular used to describe cyber threat intelligence. But there are generally three “levels” of cyber threat intelligence: strategic, operational and tactical. Some of the similarities and differences between these kinds of intelligence are summarized below:

Collecting each flavor of intelligence is important because they serve different functions.

Type | Tagline | Half life of utility (for good guys and bad guys) | Focus | Built on the analysis of | Output data types
Strategic | | Long (multiyear) | Non-technical | Big campaigns, groups, multi-victim intrusions (and operational intel) | Long-form writing about: victimology, YoY methodology, mapping intrusions and campaigns to conflicts, events and geopolitical pressures
Operational | | Medium (one year plus) | Mixed (both really) | Whole malware families, threat groups, human behavior analysis (and tactical intel) | Short-form writing, bulleted lists, about: persistence and comms techniques, victims, group profiles, family profiles, TTP descriptions, triggers, patterns, and methodology rules
Tactical | What? | Short (months) | Technical | Security events, individual malware samples, phishing emails, attacker infrastructure | Atomic and machine-readable indicators such as IPs, domains, IOCs, “signatures”

Analysts deal with a lot of alerts. Alerts enriched with tactical intelligence provide more context and help analysts determine which threats are worth worrying about and which can safely be ignored. These atomic indicators often change quickly, though, making it important to also incorporate operational and strategic intelligence into decisions.

Operational intelligence helps fuel meaningful detection, incident response and hunting programs. For example, it can help identify patterns in attacks from which we can create logical rules in detection systems that catch malicious activity rather than relying on specific indicators.

Strategic intelligence can help with assessing and mitigating current and future risks to organizations. For example, a corporation releasing a new product or completing a merger will want to understand not only the potential impact but also the associated risks. This intelligence is particularly useful for people in leadership roles such as CISOs and executive leadership who must justify budgets and make better informed investment decisions.

The sum of these different kinds of threat intelligence is the ability to make informed decisions on how to proactively and reactively respond to threats. This includes what solutions to use, how they should be leveraged, and even just who to keep tabs on.

Check back in January for a deeper look into what these three kinds of intelligence look like and how they’re used.


WTB: Phishers Target Panicking PayPal Users with Fake “Failed Transaction” Emails

The intelligence in this week’s iteration discusses the following threats: Backdoor, Data breach, Data theft, Malspam, Misconfigured bucket, Phishing, RAT, Spyware, Trackers, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

PayPal Says 1.6 Million Customer Details Stolen in Breach at Canadian Subsidiary (December 3, 2017)
The American online payment company PayPal has confirmed that a Canadian subsidiary suffered a data breach in November 2017. The subsidiary, “TIO Networks,” was purchased by PayPal in July 2017 and is responsible for running a network of over 60,000 utility bill payment kiosks across North America. The unknown threat actors were able to gain access to Personally Identifiable Information (PII) associated with approximately 1.6 million TIO customers and customers of TIO billers. In addition, PayPal stated that some financial details were also likely accessed; however, the specific details of all of the data that was accessed have not yet been released.
Recommendation: The exposure of Personally Identifiable Information (PII) requires affected individuals to take precautionary measures to protect their identity and their finances. Identity theft services can assist in preventing illicit purchases, or applications for financial services, by actors using stolen data. Furthermore, TIO is offering its customers free credit monitoring services, and users should visit TIO’s website for additional details.
Tags: Data breach, Data theft, TIO Networks

Phishers Target Panicking PayPal Users with Fake “Failed Transaction” Emails (December 1, 2017)
A new phishing campaign has been discovered to be targeting PayPal customers, according to Malwarebytes researchers. The emails purport that the recipient’s transaction cannot be verified, or that the recipient’s payment process cannot be completed. The text of the email attempts to scare the recipient by claiming that the account password has been changed, or that changes have been identified that are different than the recipient’s typical selling activities. The emails provide a link that directs a recipient to a fake PayPal landing page which then attempts to direct the user to a “resolution center.” The resolution center page requests various data be entered such as city, country, date of birth, mother’s maiden name, name, street address, and zip code. Other requested information includes credit card data such as expiration code, name, number, and security code.
Recommendation: All employees should be educated on the risks of phishing, specifically how to identify such attempts and whom to contact if a phishing attack is identified. Emails that ask the recipient to follow a link that then asks for credentials to be entered are often an indicator of a phishing attack.
Tags: Data breach, PII, National Credit Federation

Credit Crunch: Detailed Financial Histories Exposed for Thousands (November 30, 2017)
On October 3, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered an Amazon Web Services (AWS) S3 cloud storage bucket containing sensitive information that was configured for public access. The bucket was found to be owned by the United States credit repair service the National Credit Federation (NCF). The data that was publicly available for download consists of addresses, bank account numbers, credit card numbers, credit reports (from Equifax, Experian, and TransUnion), dates of birth, driver’s license images, full names, personalized credit reports, and social security card images. Overall the data amounts to 111 gigabytes and is believed to be associated with approximately 40,000 individuals.
Recommendation: The exposure of Personally Identifiable Information (PII) requires affected individuals to take precautionary measures to protect their identity and their finances. Identity theft services can assist in preventing illicit purchases, or applications for financial services, by actors using stolen data. As of this writing, it is unknown if threat actors downloaded the data; however, appropriate precautions should be taken to assist in mitigating the possibility of malicious activity.
Tags: Misconfigured AWS bucket, Data leak, PII

Uber Breach Affected 2.7 Million UK Users (November 30, 2017)
The global transport company Uber has released additional information regarding a security breach that took place in late 2016. Uber only confirmed that a breach had occurred in late November 2017. After the breach took place in 2016, Uber reportedly paid the threat actors responsible for the breach, which affected approximately 57 million riders and drivers, $100,000 USD to destroy the stolen data instead of contacting the appropriate authorities. The stolen data consists of email addresses, full names, and phone numbers, in addition to approximately 600,000 Uber driver’s license numbers. The new information bodes more bad news for the company, as it now states that approximately 2.7 million U.K. residents are also affected by the breach.
Recommendation: At the time of this writing, Uber has not confirmed whether financial data may have been stolen during this incident. However, as Uber has proven, it is not best to rely on a company that does not inform its users of a breach so that they may take steps to protect themselves. Uber users should change their passwords for their accounts as soon as possible, and any other account that uses the same password (every account should use a different password). Furthermore, regular credit card statement monitoring should be common practice to assist in identifying potentially malicious activity.
Tags: Data breach, Data theft, Uber

Fake Windows Troubleshooting Scam Uploads Screen Shots & Uses PayPal (November 29, 2017)
Researchers have discovered a new technical support scam that is targeting Windows operating system users. Threat actors are distributing this scam via a cracked software installer, according to Malwarebytes researcher Djordje Lukic. The scam begins by showing a Windows user a fake Blue Screen of Death (BSOD), followed by an application that purports to be a Troubleshooter for Windows. The “troubleshooter” application then presents the user with a screen stating that the computer cannot be fixed, and blocks the user from using Windows. Lastly, the actors behind this scam prompt the user to purchase a program via PayPal for $25 USD to fix the “issues” that were detected.
Recommendation: Technical support scams are common threats facing individuals and companies alike. However, this scam is a screen locker rather than the often observed phone number provided to contact an individual to assist in “fixing” the “issue.” Oftentimes there are research blogs that provide instructions to remove malware related to these types of scams from an infected machine. This story also depicts the potential dangers of downloading software installers. All downloads should be carefully vetted prior to installation, particularly free versions.
Tags: Tech support scam, Windows

Cisco Releases Security Updates (November 29, 2017)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding vulnerabilities in Cisco’s online meeting software WebEx, specifically in the WebEx Network Recording Players for Advanced Recording Format (ARF) and WebEx Recording Format (WRF). The US-CERT states that a remote threat actor could exploit these vulnerabilities to take control of an affected system.
Recommendation: The US-CERT recommends that WebEx users and administrators consult Cisco’s security advisory and apply the necessary updates.
Tags: Alert, Vulnerabilities, Cisco

UBoatRAT Navigates East Asia (November 28, 2017)
Palo Alto Networks Unit 42 researchers have identified attacks in which actors are using a new, custom Remote Access Trojan (RAT) dubbed “UBoatRAT.” The first discovery of UBoatRAT occurred in May 2017, and in this iteration the actors behind the malware have added new malicious features. This variant is distributed via links that direct to Google Drive, followed by executables masquerading as a folder, a Microsoft Excel spreadsheet, or Microsoft Word files. While researchers have not yet been able to pinpoint specific targets for this malware, they have discovered that the individuals and organizations targeted are typically associated with South Korea or the video games industry.
Recommendation: Malware authors are always implementing different methods of communicating back to the control servers. Always practice Defense in Depth (do not rely on single security mechanisms – security measures should be layered, redundant, and failsafe).
Tags: Malware, RAT, UBoatRAT, Google Drive

Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection (November 28, 2017)
A newly observed Ursnif variant employs Thread Local Storage (TLS) callbacks in an attempt to avoid sandbox and analyst detection. TLS allows Microsoft Windows to define per-thread data objects that are not placed on the stack; the TLS directory that describes them is stored in the PE header. Ursnif registers TLS callback functions, which nominally initialize and clear TLS data, to execute code before the “start” of the program and unpack DLL files stealthily. The malware is delivered by spear phishing emails containing a link which downloads the malware from a compromised SharePoint account.
Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, or comes with an urgent label. As shown in this story, if the email suggests you access a resource that is meant to be viewed through the browser, but downloads a file instead, delete the file immediately. If the message appears to come from a person within the company, check with them first to make sure they sent the email. Employ email signing techniques for authentication. Because this technique is meant to evade sandboxes and signatures, use up-to-date anti-spam and antivirus protection.
Tags: Malware, Ursnif variant

Pro Tip: You Can Log Into macOS High Sierra as Root With No Password (November 28, 2017)
Developer Lemi Orhan Ergin has released information via Twitter regarding a security issue that affects macOS High Sierra. The issue can be exploited by anyone who has physical access to the machine. An individual simply needs to navigate to System Preferences, Users & Groups, click the lock to make changes, and then use “root” as the username while leaving the password field blank. After clicking “Unlock” several times an individual can gain administrator rights to that machine.
Recommendation: Researchers note that this vulnerability cannot be exploited in High Sierra if a user has set a root password for the machine. Users who have not set a root password are vulnerable. It is crucial that your company has policies in place regarding administrator accounts. All work-related machines should have complex root passwords in place. In addition, employees should be in the habit of putting their work machines into sleep mode when not in use to prevent unauthorized access to potentially sensitive data. Furthermore, Apple has released a patch for this vulnerability that should be applied as soon as possible if it has not been already.
Tags: Vulnerability, macOS, High Sierra

No Patch Available for RCE Bug Affecting Half of the Internet’s Email Servers (November 28, 2017)
The team behind “Exim,” a Mail Transfer Agent (MTA), has issued an alert on their website warning that its product contains two vulnerabilities. The vulnerabilities reside in Exim’s most recent versions, 4.88 and 4.89. The critical vulnerability, registered as “CVE-2017-16943,” is a “use-after-free” (an attempt to access memory after it has been freed) vulnerability and can be exploited to allow arbitrary code execution on affected servers. Security researchers believe that as many as 400,000 email servers may be affected.
Recommendation: The Exim team have released a patch that addresses both of these vulnerabilities. Immediately update to version 4.89.1 or apply the team’s workaround to block the attack: in the main section of the Exim configuration, set “chunking_advertise_hosts=” with an empty value. The empty value disables advertising of the ESMTP CHUNKING extension, so the vulnerable code path is never reached. According to a survey conducted in March 2017, 56% of the entire Internet’s email servers run Exim. Furthermore, public proof-of-concept code for this exploit has been released, which increases the likelihood that threat actors will attempt to exploit this vulnerability.
Tags: Vulnerability, RCE, Email servers, Exim
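To turn the recommendation into something an administrator can check, here is an added Python example (not the Exim project’s code and not taken from the advisory): it reads the version line that `exim -bV` prints and a fragment of the main configuration section, and reports whether the server is outside the affected 4.88 and 4.89 releases, has the advisory workaround in place, or is exposed. The configuration fragments and the `-bV` line are constructed for the example, and the function names are this example’s own.

```python
import re

# Constructed fragments of the main section of an Exim configuration (not a real server's file).
# Weak form: the option is absent, so Exim's compiled-in default of '*' advertises CHUNKING to everyone.
EXPOSED_MAIN_SECTION = """\
primary_hostname = mail.example.net
domainlist local_domains = @ : localhost
# chunking_advertise_hosts is not set here, so the default of '*' applies
"""

# Hardened form: the advisory workaround, an empty host list, stops CHUNKING (BDAT) being advertised.
HARDENED_MAIN_SECTION = """\
primary_hostname = mail.example.net
domainlist local_domains = @ : localhost
# Advisory workaround: empty host list disables advertising ESMTP CHUNKING
chunking_advertise_hosts =
"""

# Constructed first line of `exim -bV` output, in the shape that command prints.
SAMPLE_BV_OUTPUT = "Exim version 4.89 #1 built 05-Jul-2017"

AFFECTED_MIN = (4, 88, 0)   # first release with CHUNKING support, per the advisory's affected list
FIXED_VERSION = (4, 89, 1)  # first release carrying the fix


def parse_exim_version(bv_output):
    """Extract (major, minor, patch) from `exim -bV` output; a missing patch level counts as 0."""
    m = re.search(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output)
    if not m:
        raise ValueError("could not find an Exim version string")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def chunking_advertised(main_section):
    """True if this main section leaves CHUNKING advertised (Exim's default is '*')."""
    value = "*"
    for raw in main_section.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # Exim comments are whole lines beginning with '#'
            continue
        m = re.match(r"chunking_advertise_hosts\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip()
    # Only the advisory's empty-list form is recognised as "off" here; other host lists that
    # happen to match nothing are conservatively reported as still advertising.
    return value != ""


def assess(bv_output, main_section):
    """Classify a server as not_affected_version, workaround_applied or exposed."""
    version = parse_exim_version(bv_output)
    if not (AFFECTED_MIN <= version < FIXED_VERSION):
        return "not_affected_version"
    if not chunking_advertised(main_section):
        return "workaround_applied"
    return "exposed"


if __name__ == "__main__":
    print(assess(SAMPLE_BV_OUTPUT, EXPOSED_MAIN_SECTION))
    print(assess(SAMPLE_BV_OUTPUT, HARDENED_MAIN_SECTION))
```

The workaround result is deliberately second-best: it reports `workaround_applied` rather than `patched`, because disabling CHUNKING removes the attacker’s route to the bug without removing the bug, and the configuration can be changed back by anyone with write access to it.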

Researchers Identify 44 Trackers in More Than 300 Android Apps (November 28, 2017)
Researchers from Yale Privacy Club and Exodus Privacy have released information from their collaborative report regarding third-party tracking in Android mobile applications. The two teams identified tracking scripts in both popular and less popular Android applications, which sometimes track a user without his/her consent. Overall, it was discovered that over 300 Android applications contain 44 different forms of trackers. Researchers note that some applications contain trackers that only collect application crash reports, such as Google’s Crashlytics, while other trackers collect application usage information, some of which was noted to be sensitive in nature.
Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to review the permissions the application will request and comments from others who have downloaded the application. Furthermore, it is paramount that mobile devices be kept up-to-date with the latest security patches and employ trusted antivirus software.
Tags: Android, Mobile, Trackers, Applications

Phishing Scam Cashing in on Water Refunds (November 28, 2017)
A phishing campaign is targeting customers of the Irish water services company “Irish Water,” according to ESET researchers. The actors behind this campaign are attempting to generate illicit revenue by using phishing emails that purport to be Irish Water requesting the recipient to perform account maintenance. The email provides a link for the recipient to “log in” to their Irish Water account. If the link is followed, a prompt will appear that requests a user to “update” their credit and debit card information.
Recommendation: Impersonation of legitimate entities is a tactic commonly used by threat actors in malspam and phishing campaigns. It is important to educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened.
Tags: Phishing, Theft, Irish Water

Tizi: Detecting and Blocking Socially Engineered Spyware on Android (November 27, 2017)
The Google Play Protect security team has discovered a new form of Android malware, dubbed “Tizi,” which was first found in September 2017. Tizi is a fully featured backdoor that is used by threat actors to install other malware designed to steal sensitive information from popular social media applications. Additionally, Tizi is capable of exploiting multiple vulnerabilities to root a device. Worryingly, researchers also found that the malware dates back to at least October 2015, indicating that some users could have been infected with Tizi for nearly two years. The Tizi creator also created a website and social media accounts to advertise malicious applications. This malware primarily targets African countries, specifically Kenya; however, other countries such as the U.S. were also found to have Tizi infections.
Recommendation: Google has since disabled Tizi-infected applications and has stated that it has also notified users of all known affected devices. Users should carefully review all permissions that an application will request prior to installation. In addition, applications should be downloaded from official locations to better avoid potentially malicious applications.
Tags: Android, Mobile, Spyware, Malware, Backdoor, Tizi

Source: Honeypot Tech

Using ThreatStream Indicators of Compromise with AWS GuardDuty

It has been a busy week for AWS at their re:Invent 2017 conference in Las Vegas. One of the new product launches that caught my eye yesterday was GuardDuty, a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help protect AWS accounts and workloads.

One way GuardDuty protects AWS environments is through the use of trusted IP lists and threat lists, the latter being particularly useful from a ThreatStream perspective. GuardDuty identifies suspected attackers by comparing threat lists against VPC Flow Logs, AWS CloudTrail event logs, and DNS logs in an AWS account. When a potential threat is detected, the service delivers a detailed security alert to the GuardDuty console and AWS CloudWatch Events. This makes alerts actionable and easy to integrate into existing event management and workflow systems.

GuardDuty threat lists allow ThreatStream users to import known malicious IP addresses from the ThreatStream platform to generate findings of threats in their AWS account. Let me show you how.

Step One: Select and Export Indicators

Using ThreatStream’s search functions it is possible to isolate specific indicators. For instance, you can use basic and advanced search operators to pick specific indicators based on information such as confidence, indicator type, ASN, or a specific tag. In the screenshot above I’ve used filters to limit the results to known malware IPs recently identified by PhishMe with a high confidence score. Currently GuardDuty only considers IP-based indicators, therefore it is important to use a filter that only returns IP-based indicator types.

After the results are returned you can export them from ThreatStream. GuardDuty accepts either a simple list of IPs in a text file or structured IP lists in STIX 1.x format. As ThreatStream supports STIX 1.2 export, use this option.

Step Two: Upload Indicators to S3

Upload the downloaded XML file of indicators in STIX format to an S3 bucket in your AWS account. I created a new S3 bucket named “threatlists” to manage multiple threat list files. You might want to consider a static filename like “threatstream-indicators.xml” (versus the dynamic one created by the ThreatStream export) so that the S3 URL remains static if you append or modify the list of indicators within the file. Currently GuardDuty can support up to 6 threat lists. As a result it makes sense to update a single file where possible. Make a note of the S3 URL as it will be required during step three.

Step Three: Add the Threat List to GuardDuty

Adding new threat lists can be done simply inside the GuardDuty console under “Lists”. Creating a new threat list from the STIX file in the S3 bucket is simple; give the threat list an appropriate name, paste the S3 URL into the location field (this is why a static URL is recommended), and select “Structured Threat Information Expression (STIX)” as the format.

Once the threat list is added successfully, GuardDuty will begin using the contents of the file in the S3 bucket to compare against events in your AWS environment to deliver “findings” when a threat is observed.
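The three steps above can be rehearsed end to end offline. The Python below is an added example, not Anomali’s or AWS’s code: it pulls the IP indicators out of a STIX 1.x package (the only indicator type GuardDuty considers, so domain indicators in the same export are dropped), writes them in the one-IP-per-line text form that GuardDuty also accepts, and then replays the comparison GuardDuty performs against VPC Flow Logs over a few constructed records. The STIX package, the flow log lines and the account identifier are all constructed; the exact element layout of a ThreatStream export is assumed, and the upload to S3 and the list creation remain console steps as described.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Namespaces used by STIX 1.x / CybOX 2.x documents
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
}

# Constructed STIX 1.x package in the shape a ThreatStream export might take (not a real export).
# Addresses come from the documentation ranges; the domain is a reserved example name.
SAMPLE_STIX = """<?xml version="1.0" encoding="UTF-8"?>
<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType">
      <indicator:Observable><cybox:Object>
        <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
          <AddressObj:Address_Value>198.51.100.23</AddressObj:Address_Value>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
    <stix:Indicator xsi:type="indicator:IndicatorType">
      <indicator:Observable><cybox:Object>
        <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
          <AddressObj:Address_Value>203.0.113.77</AddressObj:Address_Value>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
    <stix:Indicator xsi:type="indicator:IndicatorType">
      <indicator:Observable><cybox:Object>
        <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
          <DomainNameObj:Value>bad.example.net</DomainNameObj:Value>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
"""

# Constructed VPC Flow Log records (version 2 field order), not real traffic:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOW_LOGS = [
    "2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.15 51234 22 6 12 1020 1511900000 1511900060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.77 43210 443 6 30 4120 1511900000 1511900060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.15 192.0.2.8 43211 443 6 30 4120 1511900000 1511900060 ACCEPT OK",
]


def extract_ip_indicators(stix_xml):
    """Return the deduplicated, validated IP addresses from a STIX 1.x package; other observables are skipped."""
    root = ET.fromstring(stix_xml)
    ips = set()
    for props in root.iterfind(".//cybox:Properties", NS):
        if props.get("category") not in ("ipv4-addr", "ipv6-addr"):
            continue  # domains, hashes, URLs: GuardDuty threat lists will not use them
        for val in props.iterfind("AddressObj:Address_Value", NS):
            try:
                ips.add(str(ipaddress.ip_address((val.text or "").strip())))
            except ValueError:
                continue  # malformed value: leave it out rather than upload junk
    return sorted(ips)


def to_guardduty_txt(ips):
    """Plain text threat list format: one IP address per line."""
    return "".join(ip + "\n" for ip in ips)


def match_flow_logs(flow_lines, threat_ips):
    """Replay GuardDuty's threat list comparison over VPC Flow Log records."""
    listed = set(threat_ips)
    hits = []
    for line in flow_lines:
        f = line.split()
        if len(f) < 14 or f[0] != "2":
            continue  # not a complete version 2 record
        for peer, direction in ((f[3], "inbound"), (f[4], "outbound")):
            if peer in listed:
                hits.append({"threat_ip": peer, "direction": direction,
                             "dst_port": int(f[6]), "action": f[12]})
    return hits


if __name__ == "__main__":
    ips = extract_ip_indicators(SAMPLE_STIX)
    print(to_guardduty_txt(ips), end="")
    for hit in match_flow_logs(SAMPLE_FLOW_LOGS, ips):
        print(hit)
```

Note that the rejected inbound connection on port 22 is still a finding: a listed address probing an instance is worth knowing about even when the security group did its job, and the accepted outbound connection to a listed address is the one that needs a host investigation.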

Anomali x AWS

As GuardDuty grows you can expect to see much tighter integration with ThreatStream. If you’re considering using GuardDuty alongside ThreatStream, or any Anomali products, please do send any questions you have my way via email: dgreenwood [-at-] anomali [-dot-] com

Source: Honeypot Tech

FTSE 100 Report: Targeted Brand Attacks and Mass Credential Exposures

The Anomali Labs team conducted research to identify suspicious domain registrations and potentially compromised credentials that could be used as part of an attack against the Financial Times Stock Exchange 100 (FTSE 100). Both methods of attack pose a significant threat not only to corporate brands but also to the corporations themselves. As referenced in Global Finance and Banking Review and Infosecurity, the number of stolen credentials for FTSE 100 employees has nearly tripled since last year’s analysis.

With a deceptive domain malicious actors have the potential to:

  • Orchestrate phishing schemes to collect customer credentials
  • Install malware onto visitor devices
  • Coerce the targeted company into paying for the domain
  • Redirect traffic to competing or malicious sites
  • Embarrass the company by displaying inappropriate messaging

Threat actors with compromised credentials may gain the capability to infiltrate an organization’s defenses. From there they can steal data, damage systems, or orchestrate more complex attacks.

The data from this report spans a three month period within 2017. Below are a few key statistics from the report. 

Malicious Domains

  • Eighty-two percent of FTSE 100 companies had at least one potentially suspicious domain registration and thirteen percent had 10 or more suspicious domains.
  • The vertical hit hardest with suspicious domain registrations was Banking at 83 registrations, which was more than double of the next industry, Energy, at 41 registrations.

Mass Credential Exposures

  • An average of 165.83 exposed credentials were identified across all companies. Of the 77% of companies that had credentials exposed, an average of 218 exposed credentials were found.
  • Five companies had more than 1,000 credential exposures.


Source: Honeypot Tech

WTB: Imgur hackers stole 1.7 million email addresses and passwords

The section below contains summaries of various threat intelligence stories that occurred during the past week. The intelligence in this week’s iteration discusses the following threats: Account Checking, Android Malware, BankBot Trojan, Imgur Database Breach, IRAFAU, Lazarus Group, Microsoft Office Vulnerabilities, Mirai Botnet, Necurs Botnet, Scarab Ransomware, Trickbot Banking Trojan, and WordPress malware. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Imgur hackers stole 1.7 million email addresses and passwords (November 27, 2017)
On November 23, the researcher Troy Hunt notified the popular image-hosting website Imgur that it had suffered a data breach in 2014. The account details of approximately 1,700,000 users were accessed, including emails and passwords. Imgur does not store any other personally identifiable information and has begun the process of resetting passwords. At the time, the passwords were hashed with SHA-256; Imgur switched to bcrypt in 2016.
Recommendation: It is important that you use different passwords for the different accounts that are being used. Previous breaches can allow actors to gain access to other accounts because users frequently use the same username and password combinations for multiple accounts. If you are possibly affected by this breach, immediately change your password.
Tags: Breach, Imgur

Early Warning: A New Mirai Variant is Spreading Quickly on Port 23 and 2323 (November 24, 2017)
Netlab researchers have detected a new Mirai variant after noticing 100,000 new unique scanning IP addresses. The botnet is spreading by abusing two credentials: “admin/CentryL1nk” and “admin/QwestM0dem”. The “CentryL1nk” credential first appeared in an exploit for the ZyXEL PK5001Z modem in exploit-db less than a month ago. Most of the new infections have been detected in Argentina.
Recommendation: The Mirai botnet takes advantage of internet connected devices which have been lazily configured, leaving the door wide open to the world. Any device that connects to the internet must be treated as a security liability, and default usernames/passwords must be disabled. Organizations and defenders should be aware of all their internet facing assets and have them under strict monitoring.
Tags: Mirai, BotNet, Exploit

Necurs botnet malspam delivering a new Ransomware via fake scanner /copier messages (November 23, 2017)
After a short break from distributing the “Locky” ransomware, the Necurs botnet is spamming out a new type of ransomware in time with the Thanksgiving holiday. The emails are being sent from the email “copier@”; it is typical of Necurs to spoof the email of a target organization. The emails have an empty body of text with the subject line “Scanned from “. The names observed being used are “Lexmark”, “Canon”, “HP”, and “Epson”. The new ransomware is being labeled as “Scarab” ransomware.
Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and anti-virus protection. Even if the email appears to come from within the company, still exercise caution as emails are easily spoofed.
Tags: Scarab, Necurs, Ransomware, Malspam

A Hacking Group Is Already Exploiting the Office Equation Editor Bug (November 22, 2017)
Approximately a week after details of a new Microsoft Office vulnerability came to light, at least one threat actor is now exploiting “CVE-2017-11882”. The issue has been present in Office for 17 years. The “Cobalt” hacking group have been using Rich Text Format (RTF) files that exploit the vulnerability to download malware.
Recommendation: Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (don’t rely on single security mechanisms – security measures should be layered, redundant, and failsafe).
Tags: Microsoft Office, Cobalt, RTF

CVE-2017-11826 Exploited in the Wild with Politically Themed RTF Document (November 22, 2017)
Fortinet researchers have discovered new documents, of a political theme, that exploit “CVE-2017-11826”. The Rich Text Format (RTF) documents are themed around the political situations in Saudi Arabia and Rohingya (Myanmar). The exploit executes shellcode which downloads a backdoor dubbed “IRAFAU”. IRAFAU can execute files, create/remove files, download/upload files and execute a remote shell.
Recommendation: Themed malspam emails are a common tactic among threat actors, therefore, it is crucial that users are aware of their institution’s policies regarding electronic communication. Requests to open a document with a sense of urgency, together with poor grammar, are often indicative of malspam or phishing attacks. Said emails should be properly avoided and reported to the appropriate personnel.
Tags: RTF, IRAFAU, Exploit

Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model (November 22, 2017)
According to Flashpoint researchers the Trickbot gang, creators of the Trickbot banking Trojan, have incorporated account checking operations. Account checking utilizes credentials stolen from database breaches and compromises to try to gain unauthorized access to accounts belonging to the same victims. In order to avoid their activities getting automatically blocked by IP address, they use already infected Trickbot hosts as a stream of new and “clean” proxies.
Recommendation: Trickbot heavily targets the financial industry. It is important that your company and employees use different passwords for the different accounts that are being used. As this story portrays, previous breaches can allow actors to gain access to other accounts because users frequently use the same username and password combinations for multiple accounts. Furthermore, policies should be in place that require your employees to change their passwords on a frequent basis. Ensure that your company’s firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network, so that it is easier to spot unusual traffic and connections to and from your network and identify potentially malicious activity.
Tags: Trickbot, Trojan, Account Checking
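The account-checking described above, fed by the credential reuse the Imgur entry warns about, leaves a footprint in authentication logs that the “know what normal traffic looks like” advice can be turned into a detection. The Python below is an added example, not code from the original post or from Flashpoint: it runs two checks over constructed login records, one for a single source trying many accounts, and one for a single account failing from many sources, which is the shape that rotating through “clean” infected-host proxies produces when per-IP blocking is the only control. The record layout, thresholds and function names are this example’s assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login events (not real log data): "ISO-8601 timestamp,source IP,username,result".
# 192.0.2.10 walks through many accounts from one host; "frank" is tried from several hosts
# in quick succession and finally succeeds from yet another one; "grace" is a user who
# mistypes a password once and then logs in from the same host.
SAMPLE_AUTH_LOG = """\
2017-11-22T10:00:01,192.0.2.10,alice,FAIL
2017-11-22T10:00:03,192.0.2.10,bob,FAIL
2017-11-22T10:00:05,192.0.2.10,carol,FAIL
2017-11-22T10:00:07,192.0.2.10,dave,FAIL
2017-11-22T10:00:09,192.0.2.10,erin,FAIL
2017-11-22T10:01:00,198.51.100.1,frank,FAIL
2017-11-22T10:01:10,198.51.100.2,frank,FAIL
2017-11-22T10:01:20,198.51.100.3,frank,FAIL
2017-11-22T10:01:30,198.51.100.4,frank,SUCCESS
2017-11-22T10:02:00,203.0.113.9,grace,FAIL
2017-11-22T10:02:30,203.0.113.9,grace,SUCCESS
"""


def parse_events(text):
    """Parse the CSV-style records into (timestamp, ip, user, result) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split(",")
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)


def detect_account_checking(events, ip_user_threshold=4, ip_window=timedelta(seconds=60),
                            user_ip_threshold=3, user_window=timedelta(minutes=5)):
    """Return findings as (rule, subject, sorted related values, success_seen) tuples."""
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
        by_user[user].append((ts, ip, result))
    findings = []
    # Rule 1: one source trying many distinct accounts inside a short window.
    for ip, evs in by_ip.items():
        for i, (t0, _, _) in enumerate(evs):
            window = [(u, r) for t, u, r in evs[i:] if t - t0 <= ip_window]
            users = {u for u, _ in window}
            if len(users) >= ip_user_threshold:
                success_seen = any(r == "SUCCESS" for _, r in window)
                findings.append(("many_accounts_from_one_ip", ip, sorted(users), success_seen))
                break
    # Rule 2: one account failing from many distinct sources; a success from a source that
    # never failed, right after the failures, is the takeover signal to page on.
    for user, evs in by_user.items():
        for i, (t0, _, _) in enumerate(evs):
            window = [(ip, r) for t, ip, r in evs[i:] if t - t0 <= user_window]
            fail_ips = {ip for ip, r in window if r == "FAIL"}
            if len(fail_ips) >= user_ip_threshold:
                success_ips = {ip for ip, r in window if r == "SUCCESS"}
                findings.append(("one_account_from_many_ips", user,
                                 sorted(fail_ips | success_ips), bool(success_ips)))
                break
    return findings


if __name__ == "__main__":
    for finding in detect_account_checking(parse_events(SAMPLE_AUTH_LOG)):
        print(finding)
```

Rule 2 is the one that matters against the proxy rotation in this story: each infected host contributes only a handful of attempts, so an IP-centric threshold never fires, while the per-account view still sees one user failing from four addresses in thirty seconds and then logging in. Thresholds need tuning per environment (shared NAT addresses inflate rule 1), and the baseline of normal behaviour is what the recommendation asks you to keep.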

Uber suffered massive data breach, then paid hackers to keep quiet (November 21, 2017)
News reports reveal that Uber, the transportation company, suffered a large data breach in October 2016. According to Bloomberg, the data of approximately 57,000,000 drivers and customers was stolen. The leaked data included names, email addresses, and phone numbers. The personal information of 7,000,000 drivers was accessed too, including 600,000 US driver’s license numbers. Uber paid the actors $100,000 to delete the data.
Recommendation: Personal information should be protected with the utmost care, and only used with vendors that you trust to keep your information in compliance with the relevant standards. Always monitor your accounts and use identity theft and fraud prevention services to add an additional layer of security to your accounts. If data has been stolen, never pay any demanded ransom, as there is no guarantee that the data will actually be deleted by the actors.
Tags: Uber, Breach, Ransom

Symantec Releases Security Update (November 21, 2017)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding a vulnerability located in the “Symantec Management Console.” The US-CERT states that a remote threat actor could exploit this vulnerability, registered as “CVE-2017-15527,” to take control of an affected system. Symantec rates this vulnerability as a highest severity issue.
Recommendation: Symantec users should review the security advisory, located at “” and apply the necessary update as soon as possible if it has not been applied already.
Tags: Alert, Vulnerability, Symantec

Mobile Banking Trojan Sneaks Into Google Play Targeting Wells Fargo, Chase and Citibank Customers (November 20, 2017)
A new variant of the mobile banking malware “BankBot” has been identified in applications in the Google Play store, according to a collaborative report by Avast, ESET, and SfyLabs researchers. This version of the BankBot trojan is being hidden in applications that purport to be flashlight applications. Other applications identified to contain BankBot are solitaire games and a cleaner application; researchers note that these applications were observed to distribute other malware besides BankBot. BankBot is targeting the applications associated with banks such as Chase, Diba, Citibank, and Wells Fargo. Google has since removed the malicious applications; however, some of the applications were found to be active until November 17, 2017.
Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to review the permissions the application will request and comments from others who have downloaded the application. Furthermore, it is paramount that mobile devices be kept up-to-date with the latest security patches and employ trusted antivirus software.
Tags: BankBot, Android, Trojan

Wp-Vcd WordPress Malware Campaign Is Back (November 20, 2017)
Researchers are warning “WordPress” website administrators of the malware called “wp-vcd,” which is capable of adding secret administrator users and can allow actors control of the affected websites. The malware was discovered by security researcher Manuel D’Orso in the summer of 2017. Now researchers have discovered a new variant of the malware that, in addition to the features mentioned above, will inject malicious code into the default 2015 and 2016 WordPress themes. Researchers note that even though these default themes are often disabled on a large number of websites, this does not prevent the malicious activity from occurring.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: WordPress, wp-vcd

Operation Blockbuster Goes Mobile (November 20, 2017)
Unit 42 researchers from Palo Alto Networks have discovered new malware samples targeting Samsung devices and Korean language speakers. It is believed the malware comes from the Lazarus Group, from North Korea. The malware samples are backdoors and have the ability to record from the microphone, capture from the camera, download/upload files, record GPS position, read contact information, read texts, and capture WiFi information. It is not currently known how the malware is being delivered.
Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and never install software from unverified sources.
Tags: Lazarus Group, Backdoor, Android

Source: Honeypot Tech

10 Reasons to be Thankful for a Security Analyst

The global number of internet users hit 3.8 billion in 2017, and is expected to reach 6 billion by 2022. We’re rapidly approaching the point where people without access to the internet will be in the minority, and where the internet is not only accessible but also ingrained into daily life. Succinctly stated, this is a pretty exciting time for humans.

However, with these technological advancements also comes the sobering realization that more access for the layman means more access for cyber criminals. These people are responsible for over $5 billion in damages in 2017 alone, as well as countless other non-financially related incidents.

Luckily, we have people out on the front lines already – Security Analysts. The title covers a range of specific job functions, but each one contributes in some way to the defense of individuals, organizations, and nations. This Thanksgiving we’d like to give thanks to these hardworking individuals. There are as many reasons to be thankful for an analyst as there are threat alerts in a day, but for the sake of brevity here are ten of our favorites:

1) They’re incredible detectives – Working as an analyst is a mix of technical research, intelligence analysis, and communicating results. They’re responsible for investigating tiny, seemingly inconsequential clues so they can piece together a larger underlying scheme. All of this depends on a strong foundational core of deductive reasoning and logical rigor. They’re the modern-day Sherlock Holmes.

2) They’re great researchers – Security analysts have a penchant for attention to detail, problem solving, and thorough research. Much of this work may take place on their own time and dime, but it’s critical in helping to spur technological innovations and identifying areas that need improvement. Researchers Billy Rios and Jonathan Butts published findings this year identifying how to weaponize a car wash, proving that even the most unsuspecting of items can be dangerous.

3) They balance between two worlds – Working as an analyst doesn’t just mean understanding what’s going on in the security stack. It also means being able to effectively communicate critical events to executives and security leadership like CISOs. This can be a challenge considering the general lack of understanding not only for security best practices but also for core aspects of the internet and technologies themselves. There’s no Google translate for tech (yet).

4) Their work never, ever ends – One of the key functions of a security analyst is to triage as many alerts as possible in a day to determine whether they’re benign or truly dangerous. Sounds easy enough, right? Perhaps, were it not for the fact that these alerts come in the thousands each and every day. No matter how many tools you deploy and staff you employ, your analysts are volunteering to deal with more red flashing lights than America sees at any given Christmas. Alerts aren’t the end of it though – other tasks include conducting research for customers to determine what’s going on in their infrastructure, hiding in underground forums gathering information, or working to piece together security programs.

5) They operate under pressure – Speaking of triaging events, there’s a constant pressure to catch each and every malicious event. Any deescalated alert may prove to be the one that lets a threat actor in. On the flip side, any false positive may be wasting someone’s time. It’s a constant balancing act. No matter if your organization is large or small, the target or the gateway, or simply collateral damage in a global attack, your analysts know that they’re going to be held accountable for the eventual impact.

6) They work crazy hours – Security analysts aren’t likely to get a lot of sleep. Hours can be painful, particularly if you’re at a security center operating on a 24×7 schedule. Research and requests for information typically have tight turnaround schedules due to the unknown nature of threats. Any investigation is also unlikely to have a clear “end,” because there’s always the possibility that something was missed. More alarming still is the possibility that on any given workday a zero-day exploit could occur, in which case they’re really not going to get to go home and sleep.

7) They’re vocationally oriented – It’s not about the money. Cybersecurity as an industry is vastly underfunded and even more understaffed. Ask an analyst why they’re in the industry and the response will typically be “because they’re passionate about what they’re doing.”

8) They’re crime fighters – Analysts sign up to deal with crazy hours, pressure, and task lists because they’re truly passionate about finding evil and stopping bad guys. Many are responsible for keeping critical infrastructure like our electricity, energy, and public health systems safe. The dangers of these sectors being targeted are very real, and have the potential to seriously harm untold numbers of people.

9) They’re willing to accept risk – The dangers of cyber threats aren’t limited to the masses. Analysts themselves can be targeted by threat actors. Earlier this year a researcher from FireEye was hacked by unknown attackers, who defaced his social media sites and published private data. In a move reminiscent of Richard Connell’s “The Most Dangerous Game,” threat hunters might find themselves the hunted.

10) They’re just plain fun – Despite the ever-present dangers to themselves and the systems they’re responsible for, analysts are an incredibly eclectic and entertaining community. All the proof you need comes from this year’s Derbycon 7.0. A participant by the name of Grifter found a cockroach in his milkshake at a nearby restaurant, later tweeting out a warning to others and naming him Trevor. As the restaurant was fumigated, fellow Derbycon participants created a memorial outside in Trevor’s honor. Trevor was later inducted as a Saint in the Church of WiFi, starred in a commemorative film about himself, and made an appearance on Twitter. Funds have even been raised in his honor for disaster relief in Puerto Rico. RIP Trevor.

#TrevorForget  (Photo credit to Steve Ragan @SteveD3)

Source: Honeypot Tech

WTB: Cobalt Strikes Again: Spam Runs macros and CVE-2017-8759 Exploit Against Russian Banks

The section below contains summaries of various threat intelligence stories that occurred during the past week. The intelligence in this week’s iteration discusses the following threats: APT, Brute force attacks, Holiday scams, Malspam, Phishing, Preinstalled features, Ransomware, Targeted attacks, Threat group, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Cobalt Strikes Again: Spam Runs macros and CVE-2017-8759 Exploit Against Russian Banks (November 20, 2017)
The financially motivated Advanced Persistent Threat (APT) group “Cobalt” is behind a new spear phishing campaign targeting European financial organizations, according to Trend Micro researchers. The group tailors their spear phishing emails for different target banks. Researchers note that Cobalt previously used spam emails to target banking customers, and these new spear phishing emails represent a change in tactics. The emails were observed to exploit a code injection/remote code execution vulnerability, registered as “CVE-2017-8759,” located in Microsoft’s .NET Framework. The RTF file attachment requires a user to enable macros to run a PowerShell command that will eventually download and execute a backdoor from a remote server.
Recommendation: Spear phishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromised and used for such emails. Education is the best defense: inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack.
Tags: Threat group, Cobalt, Spear phishing, Targeted attacks, Financial institutions

0000 Cryptomix Ransomware Variant Released (November 17, 2017)
The security researcher known as “MalwareHunterTeam” has discovered a new variant of the “Cryptomix” ransomware. The new variant is dubbed “0000” because of the extension added to encrypted files. As of this writing, researchers have not published the distribution method used by the actors behind this ransomware; however, they do note that users should be cautious when opening attachments from unverified senders.
Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided from trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution and a business continuity plan in place for the unfortunate case of ransomware infection.
Tags: Ransomware, Cryptomix variant, 0000

Holiday Scams and Malware Campaigns (November 16, 2017)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert to remind user to be vigilant while shopping online this holiday season. The US-CERT warns that threats will come in various forms such as emails and ecards that may contain malicious links, and fake advertisements or shipping notifications that may have attachments infected with malware. In addition, spoofed emails addresses and fake social media posts are also expected to be present during the upcoming holiday season.
Recommendation: Users should be aware that the holiday season gives threat actors an opportunity to generate illicit revenue because of the significant increase in online shopping. The threats mentioned by the US-CERT can result in theft of sensitive data, such as Personally Identifiable Information (PII) and credit card information, as well as identity theft and security breaches. Users should avoid following links or downloading attachments from unknown sources, and should be wary when known email addresses begin sending messages or attachments that do not align with the sender’s typical behavior.
Tags: Alert, Holiday scams, Malware, US-CERT

Ransomware-Spreading Hackers Sneak in Through RDP (November 15, 2017)
Sophos researchers have discovered that threat actors are exploiting weak passwords on Microsoft Windows machines’ Remote Desktop Protocol (RDP) service to install ransomware. RDP is often used by IT staff, who are frequently an outsourced part of a company. Threat actors are using a tool called “NLBrute” to try numerous passwords against an RDP account in a brute-force attack. Actors could also use social media to find likely password components such as a birthday or a pet’s name.
Recommendation: Compromising RDP accounts is by no means a new tactic used by threat actors. Therefore, it is crucial that RDP accounts have strong passwords, and access to the service should be restricted via firewalls and Network Level Authentication.
Tags: Ransomware, Brute force attacks, Microsoft RDP
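A defender-side way to spot the NLBrute-style password guessing described above, as an added example that is not from the original briefing: it assumes Windows Security log events have already been extracted into (timestamp, event ID, logon type, source address, account) records, and the records below are constructed sample data, not real logs.

```python
# Added example (not from the original briefing): flag RDP password guessing
# from Windows Security log records. Event ID 4625 (failed logon) with
# LogonType 10 (RemoteInteractive) is a failed RDP logon; a burst of them from
# one source address is the trace a brute-force tool leaves, and a 4624
# (successful logon) from the same address afterwards is worth an investigation.
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed sample records: (timestamp, event_id, logon_type, source_ip, account)
    ("2017-11-15T03:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2017-11-15T03:00:03", 4625, 10, "203.0.113.7", "admin"),
    ("2017-11-15T03:00:04", 4625, 10, "203.0.113.7", "backup"),
    ("2017-11-15T03:00:06", 4625, 10, "203.0.113.7", "helpdesk"),
    ("2017-11-15T03:00:09", 4625, 10, "203.0.113.7", "it-support"),
    ("2017-11-15T03:00:15", 4624, 10, "203.0.113.7", "it-support"),   # success after the burst
    ("2017-11-15T08:12:30", 4625, 10, "198.51.100.4", "jsmith"),      # one typo, then success: benign
    ("2017-11-15T08:13:02", 4624, 10, "198.51.100.4", "jsmith"),
    ("2017-11-15T08:20:00", 4625, 3, "203.0.113.7", "administrator"),  # network logon, not RDP: ignored
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return (alerts, compromised). alerts maps a source IP to the largest number
    of failed RDP logons it produced inside any sliding `window`; compromised lists
    (source_ip, account) pairs where an RDP logon succeeded after the source was flagged."""
    recent = defaultdict(deque)  # source_ip -> timestamps of failures still inside the window
    alerts = {}
    compromised = []
    for ts, event_id, logon_type, src, account in sorted(events):
        if logon_type != 10:  # only RemoteInteractive (RDP) logons matter here
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            q = recent[src]
            q.append(t)
            while t - q[0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(q))
        elif event_id == 4624 and src in alerts:
            compromised.append((src, account))
    return alerts, compromised


if __name__ == "__main__":
    found, followups = detect_rdp_bruteforce(SAMPLE_EVENTS)
    for src, n in found.items():
        print(f"ALERT {src}: {n} failed RDP logons within 5 minutes")
    for src, acct in followups:
        print(f"FOLLOW UP {src}: RDP logon succeeded as {acct!r} after the burst")
```

The threshold and window are deliberately conservative; tune them against your own baseline of legitimate failed RDP logons before alerting on them.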

New Emotet Hijacks a Windows API, Evades Sandbox and Analysis (November 15, 2017)
A new variant of the banking trojan “Emotet” is being distributed by threat actors via phishing emails, according to Trend Micro researchers. The phishing emails attempt to trick the recipient into following a provided link, which leads to a document with a malicious macro. If the user enables macros, the Emotet infection process begins. Researchers note that this Emotet variant also includes an anti-analysis technique: it checks whether an analysis platform is scanning for malicious activity, in order to evade detection.
Recommendation: All employees should be educated on the risks of phishing, specifically how to identify such attempts and whom to contact if a phishing attack is identified. Emails that ask the recipient to follow a link that then requests credentials are often an indicator of a phishing attack.
Tags: Phishing, Trojan, Emotet

Muddying the Water: Targeted Attacks in the Middle East (November 14, 2017)
A new campaign has been found to be targeting Middle Eastern countries, according to Unit 42 researchers. The malicious activity is attributed to a new threat group dubbed “MuddyWater.” While researchers found that Middle Eastern nations were primarily targeted, other countries such as India and the U.S. were also identified as targets. Researchers discovered that the group’s initial infection vector is a PowerShell-based first-stage backdoor dubbed “PowerStats” that is delivered via malicious documents. The documents are tailored to the targeted country and include images that would be familiar to the recipient, such as those of government branches, which may make a recipient more willing to enable macros.
Recommendation: The impersonation of government agencies continues to be an effective malware distribution tactic. All users should be informed of the threat phishing poses, and how to safely make use of email. In the case of infection, the affected system should be wiped and reformatted. Implement a backup solution for your users to ease the pain of losing sensitive and important data.
Tags: Targeted Attacks, Threat group, MuddyWater

17-Year-Old MS Office Flaw Lets Hackers Install Malware Without User Interaction (November 14, 2017)
Researchers are warning Microsoft Office users to be extra cautious when opening Office file attachments because of a 17-year-old vulnerability. Specifically, the vulnerability is a memory corruption flaw, registered as “CVE-2017-11882,” that resides in “EQNEDT32.exe,” which ships with all versions of Microsoft Office and the Windows operating system released in the past 17 years. EQNEDT32.exe is the Microsoft component responsible for inserting equations (OLE objects) into documents. Threat actors can exploit this vulnerability to remotely install malware on target machines without any user interaction, such as enabling macros, being required.
Recommendation: Always be cautious while reading email, in particular when it has attachments or comes with an urgent label or poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders.
Tags: Vulnerability, Microsoft office

Microsoft November Patch Tuesday Fixes 53 Security Issues (November 14, 2017)
Microsoft has issued security updates as part of its November Patch Tuesday that affects the following products: ASP.NET Core, ChakraCore, Internet Explorer, Microsoft Edge, .NET Core, several Office offerings, and the Windows operating system. Researchers note two vulnerabilities, registered as “CVE-2017-11830” and “CVE-2017-11887,” that stand out in this month’s Patch Tuesday. CVE-2017-11830 can be exploited to allow an actor to bypass Windows Device Guard, and CVE-2017-11887 can be exploited to bypass macro execution protection in Microsoft Excel. The latter is expected to be exploited by actors in the near future because of the frequency of malicious macro documents used in phishing attacks.
Recommendation: Your company should have policies in place to prepare for Patch Tuesday every month because, as this month shows, patched vulnerabilities are sometimes used in common attack vectors.
Tags: Vulnerabilities, Patch Tuesday, Microsoft

Adobe Patches Security Bugs in Flash Player and Eight Other Products (November 14, 2017)
Adobe has released its monthly security updates for November that affect nine products. Overall, Adobe issued patches for 85 vulnerabilities, multiple of which could be exploited to allow remote code execution. The affected products are Adobe Acrobat and Reader, Adobe Connect, Adobe DNG Converter, Adobe Digital Editions, Adobe Experience Manager, Adobe Flash Player, Adobe InDesign, Adobe Photoshop CC, and Adobe Shockwave Player.
Recommendation: Patch Tuesday should be expected every month in order to apply the latest security patches to software utilized by your company. In Adobe’s case, new vulnerabilities are identified quite regularly. Utilizing the automatic update feature in Flash Player is a good mitigation step to ensure that your company is always using the most recent version.
Tags: Vulnerabilities, Patch Tuesday, Adobe

OnePlus Phones Come Preinstalled With a Factory App That Can Root Devices (November 14, 2017)
A mobile security researcher, known by the alias “Elliot Alderson,” discovered an application present on some, if not all, “OnePlus” devices. The application, called “EngineerMode,” is reported to be vulnerable to exploitation by threat actors in a way that could turn it into a backdoor. Researchers believe that the features in EngineerMode are the same ones found in the diagnostic applications engineers use to test phones prior to shipping them. An actor with physical access to a OnePlus device could run a command to take full control of the device. In addition, researchers say that this is only the first batch of information regarding OnePlus devices and that more will be released in the near future.
Recommendation: Preinstalled features like this can escape the notice of even the most cautious users. If the devices affected by this feature are being used by your company, they should be properly inspected and the unwanted feature removed.
Tags: Mobile, Preinstalled threat, OnePlus

XZZX Cryptomix Ransomware Variant Released (November 13, 2017)
A new Cryptomix variant, dubbed “XZZX” after the extension it appends to encrypted files, has been identified in the wild, according to Bleeping Computer researchers. In addition to the change in file extension, this variant has also been updated with new actor email addresses that victims are told to contact for payment information. The ransomware is able to function with no network communication because it embeds 11 RSA-1024 public keys, which are used to encrypt the AES key that in turn encrypts a user’s files.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. If a restorable backup is not available, there may be a decryptor available that can assist in retrieving encrypted files. Furthermore, your company should have a business continuity policy in place in the case of a ransomware infection.
Tags: Ransomware, Cryptomix variant, XZZX

Source: Honeypot Tech

Anomali Provides Threat-Sharing Expertise Before Congress

Cyber Threat Intelligence provider Anomali appeared before the U.S. House of Representatives Homeland Security Committee on Wednesday, November 15th to provide threat-sharing expertise. The purpose of this hearing was to discuss methods for improving the value of cyber threat information shared by the government and increasing private-sector participation in threat sharing.

Anomali was the first company to automatically share threat intelligence with the Department of Homeland Security’s Automated Indicator Sharing program (AIS), and the only cybersecurity vendor invited by the Homeland Security Committee to testify before Congress. Anomali was represented by Patricia Cagliostro, Federal Solutions Architect Manager.

Ms. Cagliostro began by explaining the current state of cyber threat intelligence sharing in the private sector, citing the 2017 Ponemon Institute report, The Value of Threat Intelligence: A Study of North American and United Kingdom Companies, which included over 1000 respondents. According to the report, 80% of organizations use threat intelligence, with 84% identifying threat intelligence as essential to a strong security posture.

Ms. Cagliostro continued by describing two key factors noted within the study that deter cyber threat intelligence sharing: excessive volumes of threat data (70% of respondents) and a lack of threat intelligence expertise. In regard to the first issue, Ms. Cagliostro noted the benefits of utilizing a threat intelligence platform to manage mass quantities of data and streamline the process of sharing. The second issue, a lack of threat intelligence expertise, was identified as the primary reason organizations do not share intelligence. The following statistics from the report detail a concerning trend for government-led initiatives such as the DHS’ AIS.

Organizations that reported sharing intelligence – 62%
Organizations that reported sharing intelligence with trusted security vendors – 50%
Organizations that reported sharing with trusted peer groups – 43%
Organizations that reported sharing with the government – 30%

Organizations are often unaware of what constitutes useful intelligence, Ms. Cagliostro explained, and are afraid of looking immature for sharing irrelevant information. This is especially true in the small and mid-sized market. Many are concerned with providing “net-new indicators,” although providing additional context for existing indicators could prove useful for companies within the same industry verticals. Many organizations already participate in same-industry or region sharing initiatives such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). Anomali acts as the trusted partner for many of these ISACs and Information Sharing and Analysis Organizations (ISAOs).

In regard to the DHS’ sharing program, Ms. Cagliostro explained that “the level of effort to share intelligence within the program and lack of expertise in threat intelligence act as barriers to entry through AIS.”

Organizations connecting to AIS must:

1) Sign a terms of use document
2) Set up a TAXII client
3) Purchase a PKI certificate from a commercial provider
4) Provide their IP address to the DHS
5) Sign an Interconnection Security Agreement

This process can take private organizations weeks to complete due to legal reviews and change control processes. In the public sector this can be even more time consuming because additional processes and requirements can cause delays due to the time required to get new technologies online.

Once connected to AIS, organizations often find it difficult to share intelligence. There are a variety of methods available for sharing within the program, but each adds an additional task for overburdened analysts outside of their typical workflow. Organizations that already struggle with limited resources are not likely to expend further time and effort to stand up additional technology for little perceived gain.

Beyond the operational aspects, these analysts and security personnel such as Chief Information Security Officers (CISOs) must justify sharing intelligence to executives. Ms. Cagliostro explained, “Information sharing is a cost like any other process, new tool, or technique that is brought online. In order for that cost to make sense we have to empower organizations with the answer for the ROI question.”

The answer to that ROI question could be one of the government’s unique advantages: unmatched visibility. This is something that cannot be developed by companies internally, nor bought from a vendor. Up until now, though, the DHS has struggled to supply large quantities of high-quality, high-context indicators. Information is declassified at a slow rate, and the context that would make intelligence actionable is often missing. Ms. Cagliostro offered faster and broader declassification of information as a possible solution for the DHS, as well as converting the process from manual to machine-to-machine. Part of accelerating the declassification process could include aggregating publicly available information to determine which indicators already exist in the public domain. Such intelligence (barring more sensitive information such as the association to an actor and how the information was obtained) could then be released.

Throughout her testimony and responses, Ms. Cagliostro encouraged the DHS to make threat sharing as simple and mutually beneficial a process as possible.

“When I first started at Anomali, people often asked how we forced people to share intelligence.  People assumed that when we talked about sharing, we had to be forcing people because no one would choose to share unless they had to.  Our approach wasn’t to force people to share, but to create an environment where sharing was easy and organizations received value.

The AIS program has come a long way since its inception and, as the barriers to entry are reduced, more organizations will participate and increase the quality of the data provided.”

Source: Honeypot Tech