Weekly Threat Briefing: Iranian APTs, Airport Cybersecurity, Phishing Attack on Puerto Rican Government, Ransomware, and More

<style type="text/css"></style><p>The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics:<b> APT, Malware, Phishing, Remote Access Trojans, Viruses, </b> and <b> Vulnerabilities</b>. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. <img src="https://anomali-labs-public.s3.amazonaws.com/629716.png"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p><div id="“weekly”"><div id="“trending-threats”"><h2 id="“trendingthreats”">Trending Cyber News and Threat Intelligence</h2><div><h3 style="display: inline-block;"><b><a href="“https://www.zdnet.com/article/iranian-hackers-have-been-hacking-vpn-servers-to-plant-backdoors-in-companies-around-the-world/”" target="“_blank”">Iranian Hackers Have Been Hacking VPN Servers to Plant Backdoors in Companies Around the World</a> </b></h3> <span>(published February 16, 2020)</span></div><p>Iranian-sponsored Advanced Persistent Threat (APT) groups are prioritizing the exploitation of vulnerabilities found in enterprise VPN servers, such as those sold by Palo Alto Networks and Forinet, according to a report published by researchers at security firm ClearSky. The report highlights the technical offensive capabilities of Iranian APT groups, and suggests a considerable interest in exploiting brand new VPN vulnerabilities in order to plant backdoors in companies internationally. According to ClearSky, in 2019, Iranian groups exploited VPN vulnerabilities disclosed by Pulse Secure, Fortinet, and Palo Alto Networks (CVE-2019-11510, CVE-2018-13379, and CVE-2019-1579), and attacks are continuing into 2020. The attacks appear to be the work of at least three Iranian APT groups working collectively (APT33, APT34, and APT39) and are likely surveillance and reconnaissance-based. However, infected networks could be weaponized to take down business operations in the future, as data-wiping malware have been linked back to Iranian activity since 2019.<br/> <a href="https://forum.anomali.com/t/iranian-hackers-have-been-hacking-vpn-servers-to-plant-backdoors-in-companies-around-the-world/4585" target="_blank">Click here for Anomali recommendation</a></p><p> </p><div><h3 style="display: inline-block;"><b><a href="“https://www.zdnet.com/article/loda-trojan-leaves-infancy-with-revamped-obfuscation-exploits/”" target="“_blank”">Loda Trojan Revitalized with Stealthy Upgrade, New Exploits</a> </b></h3> <span>(published February 13, 2020)</span></div> Researchers at Cisco Talos have identified a new version of “Loda,” an AutoIT-based Remote Access Trojan (RAT), being used in a malware campaign targeting countries in Central and South America, as well as the United States. The Loda RAT was first observed in 2016, but the new version of Loda has improved obfuscation techniques and can maintain persistence on a system after shutdown. The victim receives a phishing email that contains the first-stage document as an attachment. If downloaded, a second document will attempt to exploit a memory corruption vulnerability in Microsoft Office (CVE-2017-11882) that permits the execution of arbitrary code. According to Talos researcher Chris Neal, if this exploit is successful, the trojan is delivered with a malicious MSI file, which has credential-stealing capabilities and can lead to “significant financial loss or a potential data breach.” These new persistence and obfuscation mechanisms show that the functionality of Loda is actively improving.<br/> <a href="https://forum.anomali.com/t/loda-trojan-revitalized-with-stealthy-upgrade-new-exploits/4586" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947229">[MITRE ATT&amp;CK] Data Obfuscation - T1001</a> | <a href="https://ui.threatstream.com/ttp/2336968">[MITRE ATT&amp;CK] File Permissions Modification - T1222</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a><p> </p><div><h3 style="display: inline-block;"><b><a href="“https://nakedsecurity.sophos.com/2020/02/13/dell-fixes-privilege-elevation-bug-in-support-software/”" target="“_blank”">Dell Fixes Privilege Elevation Bug in Support Software</a> </b></h3> <span>(published February 13, 2020)</span></div> An arbitrary code execution vulnerability has been identified in Dell SupportAssist, a software that comes preinstalled on most Windows-based endpoint devices. According to the advisory released by Dell, the high-severity vulnerability (CVE-2020-5316) is in an uncontrolled search vulnerability, and a malicious actor can use a low-privilege user account to load arbitrary Dynamic-Link Libraries (DDLs) in order to elevate privileges. A fix has been released by Dell and is available in the latest version of the software (Home PCs 3.4.1, and Business PCs 2.1.4).<br/> <a href="https://forum.anomali.com/t/dell-fixes-privilege-elevation-bug-in-support-software/4587" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2336968">[MITRE ATT&amp;CK] File Permissions Modification - T1222</a><p> </p><div><h3 style="display: inline-block;"><b><a href="“https://www.infosecurity-magazine.com/news/puerto-rico-government-loses-26m/”" target="“_blank”">Puerto Rico Government Loses $2.6m in Phishing Scam</a> </b></h3> <span>(published February 13, 2020)</span></div> The Puerto Rican government has confirmed that $2.6 Million USD has been unintentionally paid to cyber criminals after an email-based phishing scam targeted Puerto Rico’s Industrial Development Company (IDC). The IDC is a government-owned corporation that works with local and foreign investors to improve economic development in Puerto Rico. According to the police filing and agency executives, an IDC employee transferred the funds on January 17, 2020 after receiving an email regarding a change to remittance payment methods. It is unknown if Puerto Rican officials have been able to recover any of the money paid.<br/> <a href="https://forum.anomali.com/t/puerto-rico-government-loses-2-6m-in-phishing-scam/4588" target="_blank">Click here for Anomali recommendation</a><p> </p><div><h3 style="display: inline-block;"><b><a href="“https://www.securitymagazine.com/articles/91726-out-of-100-of-worlds-largest-airports-have-cybersecurity-vulnerabilities”" target="“_blank”">97 out of 100 of World's Largest Airports Have Cybersecurity Vulnerabilities</a> </b></h3> <span>(published February 13, 2020)</span></div> Application security company ImmuniWeb published research findings regarding cybersecurity, compliance, and privacy of the world’s largest airports, shedding light onto the vulnerabilities within the aviation transportation industry. The ImmuniWeb research covered 100 of the largest airports in the world, and conducted analysis on main website security, mobile application security, and dark web exposure. 97% of the websites contained outdated web software, 100% of mobile apps contained at least two vulnerabilities, and 87% of the airports have data leaks on public code repositories. Of the 100 airports, only three successfully passed all the tests without any single major issues detected: Amsterdam Airport Schiphol, Dublin Airport, and Helsinki-Vantaa Airport. CEO of ImmuniWeb, Ilia Kolochenko, commented that the results were “quite alarming,” and that attacks aimed at airports can directly disrupt critical infrastructure internationally.<br/> <a href="https://forum.anomali.com/t/97-out-of-100-of-worlds-largest-airports-have-cybersecurity-vulnerabilities/4589" target="_blank">Click here for Anomali recommendation</a><p> </p><div><h3 style="display: inline-block;"><b><a href="“https://www.zdnet.com/article/emotet-trojan-evolves-to-spread-via-a-wifi-connection/”" target="“_blank”">Emotet Trojan Evolves to Spread Via WiFi Connections</a> </b></h3> <span>(published February 11, 2020)</span></div> Security researchers at BinaryDefense have discovered a new attack vector for Emotet, a “WiFi spreader” module that can jump from one infected network to another using weak passwords in WiFi networks. The module is installed onto the initial Emotet victim network and works through a series of brute-force attacks to attempt to connect to locally reachable WiFi networks. This means that close physical proximity to an Emotet-infected network, coupled with an overly-simple network password, could allow Emotet to infect a neighboring network. WiFi has not been a traditional attack vector for malware strains like Emotet, and this newly discovered module shows an increase in attack capabilities for the authors of Emotet.<br/> <a href="https://forum.anomali.com/t/emotet-trojan-evolves-to-spread-via-wifi-connections/4590" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947276">[MITRE ATT&amp;CK] Network Service Scanning - T1046</a><p> </p><div><h3 style="display: inline-block;"><b><a href="“https://securelist.com/kbot-sometimes-they-come-back/96157/”" target="“_blank”">KBOT: Sometimes They Come Back</a> </b></h3> <span>(published February 10, 2020)</span></div> Kaspersky Labs have discovered a new malware that is spread through injecting malicious code into Windows executable files. According to the researchers, the malware, dubbed “KBOT,” is one of the first “living’ viruses observed in the wild in recent years. KBOT can be spread through local networks, removable drives, and web-facing systems. The virus is able to spread quickly in the system and on the local network by infecting executable files without the possibility of recovery. The actor behind the virus can enable “remote desktop sessions, steal personal data, and perform web injects for the purpose of stealing users’ bank data,” according to the Kaspersky Labs team.<br/> <a href="https://forum.anomali.com/t/kbot-sometimes-they-come-back/4591" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&amp;CK] Exfiltration Over Command and Control Channel - T1041</a><p> </p><div><h3 style="display: inline-block;"><b><a href="“https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-targets-msp-enterprise-support-tools/”" target="“_blank”">Ragnar Locker Ransomware Targets MSP Enterprise Support Tools</a> </b></h3> <span>(published February 10, 2020)</span></div> A new ransomware has been found targeting Remote Monitoring and Management (RMM) software used by Managed Service Providers (MSPs). Discovered in late December 2019, the ransomware, dubbed “Ragnar Locker” by its creators, has been analyzed by researchers at BleepingComputer, Huntress Labs, and SentinelLabs, and has been observed encrypting files and terminating processes and services for remote support applications that assist undisclosed MSPs in managing clients. The threat actors behind Ragnar Locker ransomware perform reconnaissance tasks before execution, and customize the ransom note and ransom amount accordingly. BleepingComputer has observed ransom requests of various amounts between $200,000 and $600,000 USD. According to the ransomware creators, pre-deployment tasks include stealing victim’s files and threatening to post private information publicly if ransoms are not paid.<br/> <a href="https://forum.anomali.com/t/ragnar-locker-ransomware-targets-msp-enterprise-support-tools/4592" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/947115">[MITRE ATT&amp;CK] Disabling Security Tools - T1089</a><p> </p><div><h3 style="display: inline-block;"><b><a href="“https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/”" target="“_blank”">FBI Warns About Ongoing Attacks Against Software Supply Chain Companies</a> </b></h3> <span>(published February 10, 2020)</span></div><p>The U.S. Federal Bureau of Investigation (FBI) has released a security alert to the private sector regarding an ongoing cyber campaign targeting supply chain software providers supporting energy sector Industrial Control Systems (ICS). According to the FBI, threat actors behind the campaign are attempting to infect victim companies with a Remote Access Trojan (RAT) known as “Kwampirs” in order to gain access to strategic partner and customer networks. The FBI believes Kwampirs was also deployed in attacks against companies in the energy, financial, and healthcare sectors. The FBI claims that comparative forensic analysis reveals “numerous similarities” between Kwampirs and Shamoon malware, developed by Iranian state-sponsored Advanced Persistent Threat (APT) group “APT33.” The alert did not identify any targeted companies or victims, and urges business to scan networks for any signs of Kwampirs infections.<br/> <a href="https://forum.anomali.com/t/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/4593" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947137">[MITRE ATT&amp;CK] Supply Chain Compromise - T1195</a></p><p> </p></div></div>