Anomali Cyber Watch: Criminals Target Would-Be Hackers for Cryptocurrency Theft, A Zero-Day Vulnerability in Windows Desktop Window Manager is in the Wild, US Blames Russia for SolarWinds, and More
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android Malware, Dependency Confusion, Ransomware, Russia, Saint Bot and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
HackBoss Malware Poses as Hacker Tools on Telegram to Steal Digital Coins
(published: April 16, 2021)
The authors of a cryptocurrency-stealing malware are distributing it over Telegram to aspiring cybercriminals under the guise of free malicious applications. Researchers have named the malware HackBoss and say that its operators likely stole more than $500,000 from would-be hackers who fell for the trick. The malware does one simple thing: it checks the clipboard for a cryptocurrency wallet address and replaces it with one belonging to the attacker, so that a payment the victim pastes into a wallet application goes to the operators instead.
Analyst Comment: Tools, cracks and “hacking kits” offered for free in Telegram channels and forums should be treated as malware until proven otherwise; the lure here is the promise of a free attack tool rather than a link to click. Because HackBoss acts only at paste time, the practical check is to compare the destination address in the wallet application with the address that was copied, character by character, before sending any funds; a mismatch indicates clipboard tampering. More generally, messages that attempt to get a user to open a file or click a link should be viewed with scrutiny, especially when they come from individuals with whom you do not typically communicate. Education is the best defense. Users should be educated on the dangers of phishing, specifically how it can take place in different forms of online communication, and whom to contact if a phishing attempt is identified.
MITRE ATT&CK: [MITRE ATT&CK] Clipboard Data – T1115 | [MITRE ATT&CK] Software Packing – T1045
Tags: Dogecoin, Cryptocurrency, Cryptostealer, Telegram, HackBoss
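The clipboard swap described above leaves an observable trace: a clipboard snapshot that held one wallet address and, milliseconds later, holds a different address of the same coin type with no new copy action in between. The following is an added example written for this editorial pass, not code from the Anomali write-up or from the HackBoss sample; the address patterns are the common public formats, the two-second window is an assumption, and every address and timestamp in the constructed timeline is made up for the demo.

```javascript
// Added example (not from the Anomali write-up and not HackBoss code): the core
// of a clipboard-swap detector. HackBoss watches the clipboard for a wallet
// address and replaces it with the operator's, so the observable symptom is a
// snapshot that held one address and, milliseconds later, holds a *different*
// address of the same coin with no new copy action in between. Address formats
// are the common public ones; every address below is constructed for the demo
// and is not an indicator from the report.
'use strict';

const ADDRESS_PATTERNS = {
  // Bitcoin: base58 legacy (1... / 3...) or bech32 (bc1...)
  btc: /^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,59})$/,
  // Ethereum: 0x followed by 40 hex digits
  eth: /^0x[0-9a-fA-F]{40}$/,
  // Dogecoin: base58, 34 characters, starting with D
  doge: /^D[1-9A-HJ-NP-Za-km-z]{33}$/,
};

// Returns which coin a string looks like an address for, or null.
function classifyAddress(text) {
  const s = text.trim();
  for (const [coin, re] of Object.entries(ADDRESS_PATTERNS)) {
    if (re.test(s)) return coin;
  }
  return null;
}

// Walks consecutive clipboard snapshots ({t: ms, text}) and reports a swap
// when two snapshots within windowMs both hold an address of the same coin
// but the address changed. A person copying a second address normally takes
// seconds; a hijacker rewrites the clipboard within milliseconds of the copy.
// windowMs = 2000 is an assumption to tune against real clipboard telemetry.
function detectSwaps(snapshots, windowMs = 2000) {
  const alerts = [];
  for (let i = 1; i < snapshots.length; i++) {
    const prev = snapshots[i - 1];
    const cur = snapshots[i];
    const prevCoin = classifyAddress(prev.text);
    const curCoin = classifyAddress(cur.text);
    if (prevCoin !== null && prevCoin === curCoin &&
        prev.text.trim() !== cur.text.trim() &&
        cur.t - prev.t <= windowMs) {
      alerts.push({ coin: curCoin, from: prev.text.trim(), to: cur.text.trim(), at: cur.t });
    }
  }
  return alerts;
}

// Constructed clipboard timeline: the user copies their own BTC address at
// t=1000 and the clipboard is rewritten 12 ms later; the later Dogecoin and
// Ethereum copies are ordinary user actions seconds apart.
const VICTIM_BTC = '1VictimAddrConstructedForDemoABC1';
const ATTACKER_BTC = '1AttackerAddrConstructedFakeXYZ12';
const SAMPLE_SNAPSHOTS = [
  { t: 0, text: 'agenda for monday' },
  { t: 1000, text: VICTIM_BTC },
  { t: 1012, text: ATTACKER_BTC },
  { t: 8000, text: 'DFabcdefghijkmnopqrstuvwxyz1234567' },
  { t: 30000, text: 'DGabcdefghijkmnopqrstuvwxyz7654321' },
  { t: 31000, text: '0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' },
];

console.log(JSON.stringify(detectSwaps(SAMPLE_SNAPSHOTS), null, 2));
```

Feeding the detector requires a clipboard poller on the endpoint (an OS-specific piece that is deliberately left out here); the timing rule is what separates a hijacker from a user who legitimately copies two different addresses in a row, so the window should be tuned against real telemetry rather than the constructed timeline.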
Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials
(published: April 15, 2021)
The recently discovered and patched Microsoft Exchange Server vulnerabilities have garnered considerable attention because of their mass exploitation and the severity of the impact on each affected organization. On March 6, 2021, an unknown actor exploited these vulnerabilities to install a webshell on a server at a financial institution in the EMEA (Europe, the Middle East and Africa) region. The actor then compressed the output of its information gathering and credential harvesting into an archive, staging it for later retrieval.
Analyst Comment: Once a vulnerability has been reported on in open sources, threat actors will likely attempt to incorporate its exploitation into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity. Patching does not remove a webshell that is already in place, so servers that were exposed before the patch was applied should also be checked for webshells and for unexpected archive files in web-accessible or temporary directories.
MITRE ATT&CK: [MITRE ATT&CK] Data Compressed – T1002 | [MITRE ATT&CK] Exploit Public-Facing Application – T1190 | [MITRE ATT&CK] Data Encoding – T1132 | [MITRE ATT&CK] Account Discovery – T1087 | [MITRE ATT&CK] Web Shell – T1100 | [MITRE ATT&CK] PowerShell – T1086 | [MITRE ATT&CK] Remote File Copy – T1105 | [MITRE ATT&CK] Scripting – T1064 | [MITRE ATT&CK] Process Discovery – T1057 | [MITRE ATT&CK] Exploitation for Client Execution – T1203 | [MITRE ATT&CK] Standard Application Layer Protocol – T1071 | [MITRE ATT&CK] Data Staged – T1074 | [MITRE ATT&CK] Automated Collection – T1119 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Data from Local System – T1005
Tags: Credential Harvesting, Microsoft Exchange, Vulnerabilities
US Government Confirms Russian SVR Behind the SolarWinds Hack
(published: April 15, 2021)
The United States government is formally accusing the Russian government of the SolarWinds supply-chain attack that gave the attackers access to the networks of multiple U.S. agencies and private sector tech companies. In early January, the Cyber Unified Coordination Group attributed the attack to a Russian-backed hacker group without naming it. On April 15, the White House officially blamed the SVR for carrying out ‘the broad-scope cyber espionage campaign’.
Analyst Comment: Officially blaming Russia for this attack will likely increase tensions between the US and Russia, but the step also sends a message to other would-be attackers that the US is willing to make such attributions publicly and likely follow them with sanctions. This change in posture may serve as a temporary deterrent against future attacks while simultaneously setting the foundation for escalating response actions by the US should Russia be caught again in the near future.
Tags: Russia, North America, SolarWinds
New Linux, macOS Malware Hidden in Fake Browserify npm Package
(published: April 13, 2021)
A new malicious package has been spotted on the npm registry that targets Node.js developers using Linux and Apple macOS. The malicious package is called “web-browserify” and imitates the popular Browserify npm component, which has been downloaded over 160 million times over its lifetime. The package consists of a manifest file, a script, and an ELF executable called “run” shipped inside a compressed archive within the npm component. The component was detected by Sonatype’s automated malware detection system, Release Integrity.
Analyst Comment: This story highlights the growing issue of threat actors seeding public registries with malicious packages whose names imitate popular ones, a close relative of dependency confusion, in which a public package is substituted for a private one of the same name. To mitigate substitution attacks, configure the package manager to use a single registry for each scope rather than several feeds that it searches without priority; in npm, publishing internal packages under a scope and pinning that scope to the internal registry in .npmrc prevents a public package from being resolved in its place. Scoping does not address look-alike names such as “web-browserify”, so new dependencies should be reviewed, including any install-time scripts they declare, before they are installed.
Tags: Dependency confusion, npm, Package Manager, Linux, macOS, Node.js
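The two controls in the analyst comment, pinning a private scope to one registry and screening new names against popular packages, can be checked mechanically against a lock file. The following is an added example written for this editorial pass; it is not Sonatype's Release Integrity and not code from the Anomali write-up. The scope `@acme`, the registry host `npm.acme.example`, the short popular-package list and the lock file contents are all constructed for the demo, and the install-script check goes slightly beyond the story (it is a generalisation of where such a package gets to execute at install time).

```javascript
// Added example (not Sonatype's Release Integrity and not from the Anomali
// write-up): a lock-file audit applying the two controls from the analyst
// comment. 1) Packages under the organisation's private scope must resolve
// from the organisation's registry, otherwise a same-named public package may
// have been substituted (dependency confusion). 2) Unscoped names that imitate
// a popular package (web-browserify vs browserify, or a couple of typos away)
// are flagged as possible look-alikes. Packages that declare an install script
// are listed too, because that is where such a package gets to run code at
// install time. The scope, registry host, popular-package list and lock file
// below are constructed for the demo.
'use strict';

const PRIVATE_SCOPE = '@acme';                            // assumption
const PRIVATE_REGISTRY = 'https://npm.acme.example/';     // assumption
const POPULAR = ['browserify', 'express', 'lodash', 'react'];

// Plain Levenshtein distance; package names are short so O(n*m) is fine.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Strips decorations squatters bolt onto a real name ("web-browserify",
// "browserify-js", "node-lodash").
function stem(name) {
  return name.replace(/^(?:web|node|js)-/, '').replace(/-(?:js|node)$/, '');
}

// Derives the package name from a lockfile v2/v3 "packages" key such as
// "node_modules/foo/node_modules/@acme/bar".
function nameFromPath(path) {
  const marker = 'node_modules/';
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue;                      // the root project entry
    const name = meta.name || nameFromPath(path);
    const resolved = meta.resolved || '';

    if (name.startsWith(PRIVATE_SCOPE + '/') && !resolved.startsWith(PRIVATE_REGISTRY)) {
      findings.push({ kind: 'wrong-registry', name, resolved });
    }
    if (!name.startsWith('@') && !POPULAR.includes(name)) {
      const lookalike = POPULAR.find(p => stem(name) === p || editDistance(name, p) <= 2);
      if (lookalike) findings.push({ kind: 'possible-typosquat', name, lookalike });
    }
    if (meta.hasInstallScript) {
      findings.push({ kind: 'install-script', name });
    }
  }
  return findings;
}

// Constructed package-lock.json (lockfileVersion 2 layout). The "resolved"
// URLs and versions are made up for the demo.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/browserify': {
      version: '17.0.0',
      resolved: 'https://registry.npmjs.org/browserify/-/browserify-17.0.0.tgz' },
    'node_modules/web-browserify': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/web-browserify/-/web-browserify-1.0.0.tgz',
      hasInstallScript: true },
    'node_modules/expresss': {
      version: '0.0.1',
      resolved: 'https://registry.npmjs.org/expresss/-/expresss-0.0.1.tgz' },
    'node_modules/@acme/auth-client': {
      version: '2.3.1',
      resolved: 'https://registry.npmjs.org/@acme/auth-client/-/auth-client-2.3.1.tgz' },
    'node_modules/@acme/logger': {
      version: '1.1.0',
      resolved: 'https://npm.acme.example/@acme/logger/-/logger-1.1.0.tgz' },
  },
};

console.log(auditLock(SAMPLE_LOCK));
```

With `@acme:registry=https://npm.acme.example/` in the project's `.npmrc`, the wrong-registry finding should never appear; if it does, the lock file was generated under a different configuration and the `@acme/auth-client` entry is exactly the substitution the analyst comment warns about. The look-alike check is a heuristic and will need a longer popular-package list and an allowlist for legitimate forks in real use.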
Zero-day Vulnerability in Desktop Window Manager (CVE-2021-28310) Used in the Wild
(published: April 13, 2021)
A zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) has been used in the wild. It is an escalation of privilege (EoP) exploit that is likely chained with browser exploits to escape sandboxes or obtain SYSTEM privileges for further access. Microsoft released a patch for this vulnerability as part of its April security updates.
Analyst Comment: Once a vulnerability has been reported in open sources, threat actors will likely attempt to incorporate its exploitation into their malicious operations; a vulnerability that was already being exploited before the patch shipped deserves the highest priority. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Privilege Escalation – T1068
Tags: Zero Day, Vulnerability, Desktop Window Manager, Escalation of Privilege
BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain
(published: April 12, 2021)
The McAfee Mobile Research Team uncovered several new variants of the Android malware family BRATA being distributed in Google Play, ironically posing as app security scanners. These malicious apps urge users to update Chrome, WhatsApp, or a PDF reader, yet instead of updating the app in question, they take full control of the device.
Analyst Comment: Websites and documents that claim additional software is needed in order to access or properly view content should be avoided. Additionally, mobile security applications from trusted vendors are recommended. Furthermore, this story shows that malicious applications can bypass the security measures of application stores, so it is crucial that the permissions an application requests be examined before it is installed. Avoid granting ‘always allow’ access to unknown apps; instead choose ‘ask every time’ or ‘allow only while using the app’ to minimise the potential risk.
Tags: Mobile malware, Android, BRATA, Backdoor, Google Play
Criminals Spread Malware Using Website Contact Forms with Google URLs
(published: April 12, 2021)
Threat actors are using website contact forms to send employees messages containing legitimate Google URLs that require users to sign in with their Google username and password. The Google URLs are useful to the attackers because they pass email security filters that judge a link by its domain. The attackers also appear to have bypassed the CAPTCHA challenges that are meant to test whether the contact submission comes from a human. The messages consistently allege a copyright infringement by a photographer, illustrator or designer. The links take victims to a sites.google.com page, which asks them to sign in. Once a person signs in, the page automatically downloads a malicious file, which when unpacked contains a heavily obfuscated .JS file.
Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis and social engineering training. Because the link itself sits on a legitimate Google domain, URL reputation alone will not catch this; the pattern to look for is a copyright-infringement complaint arriving through the contact form together with a demand to sign in before the “evidence” can be viewed. Companies that restrict entry points for unauthorized users and maintain records of how normal traffic appears on their network will more easily identify unusual traffic and connections to and from their network and potentially identify malicious activity. Furthermore, employees should remain vigilant for suspicious messages, especially those alleging copyright infringement.
MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy – T1105 | [MITRE ATT&CK] Spearphishing via Service – T1194 | [MITRE ATT&CK] Web Service – T1102
Tags: Phishing, Google, Javascript, CAPTCHA
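The combination described above, a copyright-infringement complaint submitted through a contact form, a link on a user-publishable Google host, and a request to sign in, can be scored at the point where the form submission is received, before it reaches an employee's inbox. The following is an added example written for this editorial pass, not code from the Anomali write-up or the underlying report. The lure terms come from the description and sites.google.com is the host it names; the second host, the weights, the threshold and the three sample submissions are constructed for the demo.

```javascript
// Added example (not from the Anomali write-up or the underlying report): a
// triage filter for inbound website contact-form submissions that scores the
// pattern described above, a copyright-infringement complaint carrying a link
// on a legitimate Google host where anyone can publish. The lure terms come
// from the description; sites.google.com is the host named in it, and the
// second host, the weights, the threshold and the sample submissions are
// constructed for the demo.
'use strict';

const URL_RE = /https?:\/\/[^\s<>"')]+/gi;

// Google-owned hosts serving user-published content, so a link there carries
// Google's domain reputation past URL filters.
const USER_PUBLISHABLE_HOSTS = new Set([
  'sites.google.com',      // from the report
  'drive.google.com',      // assumption: generalisation to another such host
]);

// Wording the campaign consistently uses, per the description above.
const LURE_TERMS = [/copyright/i, /infringement/i, /photographer/i, /illustrator/i, /designer/i];

function extractUrls(text) {
  return text.match(URL_RE) || [];
}

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Scores one submission {id, subject, message}; a score of 4 or more is held
// for review instead of being forwarded to staff. Weights are assumptions.
function triageSubmission(sub) {
  const text = `${sub.subject || ''}\n${sub.message || ''}`;
  const urls = extractUrls(text);
  const reasons = [];
  let score = 0;

  const lureHits = LURE_TERMS.filter(re => re.test(text)).length;
  if (lureHits >= 2) {
    score += 2;
    reasons.push(`copyright-infringement lure (${lureHits} terms)`);
  }
  const hosted = urls.filter(u => USER_PUBLISHABLE_HOSTS.has(hostOf(u)));
  if (hosted.length > 0) {
    score += 3;
    reasons.push(`link on user-publishable Google host: ${hosted.join(', ')}`);
  }
  // The sign-in demand is what turns the lure into credential theft or a download.
  if (urls.length > 0 && /\b(?:sign|log)\s?in\b/i.test(text)) {
    score += 1;
    reasons.push('asks the reader to sign in');
  }
  return { id: sub.id, score, verdict: score >= 4 ? 'hold' : 'deliver', reasons };
}

// Constructed submissions: one matching the campaign, one ordinary customer
// question, and one legitimate message that happens to link a Google Site.
const SAMPLE_SUBMISSIONS = [
  { id: 1, subject: 'Copyright infringement notice',
    message: 'Hi, I am a professional photographer and designer. You are using my photos ' +
             'without permission. See the evidence at https://sites.google.com/view/evidence-demo ' +
             'and sign in to view the files.' },
  { id: 2, subject: 'Shipping question',
    message: 'Does the blue model ship to Spain? Thanks.' },
  { id: 3, subject: 'Design partnership',
    message: 'Our designer portfolio is at https://sites.google.com/view/agency-portfolio-demo ' +
             'if you would like to work together.' },
];

console.log(SAMPLE_SUBMISSIONS.map(triageSubmission));
```

The third sample shows why the Google-hosted link alone is not enough to hold a message: legitimate senders use Google Sites too, and it is the co-occurrence with the copyright lure and the sign-in demand that pushes the first sample over the threshold.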
Dutch Supermarkets Run Out of Cheese After Ransomware Attack
(published: April 12, 2021)
Bakker Logistiek suffered a ransomware attack that encrypted devices on its network and disrupted food transportation and fulfillment operations. The disruption led to a shortage of certain food products, especially cheese, at the Netherlands’ largest supermarket chain, Albert Heijn. The logistics service provider has said that it was able to restore affected systems from backups and has begun coordinating with customers to resume deliveries.
Analyst Comment: This story highlights the impact that ransomware can have on operations, as well as the importance of having backups. Ransomware can potentially be blocked by endpoint protection solutions such as host-based intrusion detection (HIDS), but, as this news shows, new threats are constantly evolving to bypass these protections. Always keep your important files backed up, and keep at least one copy offline or otherwise out of reach of a compromised account, since ransomware operators commonly try to encrypt or delete any backups they can reach before triggering encryption. In the case of a ransomware infection, the affected system must be wiped and reformatted, so keeping important files backed up is essential to rapid recovery with limited loss. Other devices on the network should also be checked for similar infections. Ransomware should be reported to law enforcement agencies, who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals. Law enforcement continues to strongly discourage the payment of ransoms, which likely encourages more attacks, funds illicit activities, and often does not result in the restoration of lost data.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486
Tags: Ransomware, Netherlands, Data Encrypted
New Malware Downloader Spotted in Targeted Campaigns
(published: April 12, 2021)
A new dropper named “Saint Bot” has been discovered by researchers at Malwarebytes. Saint Bot is being used as part of the infection chain in targeted campaigns against government institutions in the country of Georgia, and has been observed dropping the Taurus information stealer. According to Malwarebytes, it is likely used by a few different threat actors, so there are likely other victims.
Analyst Comment: Spearphishing emails represent a significant security risk because the sending address will often appear legitimate to the target; sometimes a target company’s email account is compromised and used to send such emails. Education is the best defense: inform your employees what to expect when managers and colleagues request information, and make sure they know whom to contact when they suspect they are the target of a possible spearphishing attack.
MITRE ATT&CK: [MITRE ATT&CK] Credentials in Files – T1081
Tags: Phishing, Saint Bot, Dropper, Taurus, Info Stealer, Government