Weekly Threat Briefing: Visa Warns of Targeted PoS Attacks on Gas Station Merchants

<div id="weekly">The intelligence in this week’s iteration discuss the following threats: Backdoor, BlackTech, Data Breach, Ransomware, Snatch, Trickbot, Vega, WaterBear, Zeppelin. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.<img src="https://anomali-labs-public.s3.amazonaws.com/538067.png"/> Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.<div id="trending-threats"><h1 id="trendingthreats">Trending Threats</h1><a href="https://latesthackingnews.com/2019/12/15/apple-patched-airdos-vulnerability-with-ios-13-3-along-with-other-security-fixes/" target="_blank">Apple Patched AirDos Vulnerability With iOS 13.3 Along With Other Security Fixes</a> (December 15, 2019) Apple released iOS 13.3, fixing numerous security bugs affecting Apple iPhones and iPads, including the “AirDos” vulnerability. AirDos, a vulnerability found in the AirDrop feature, has been especially troublesome, in that a potential malicious actor could simply spam a nearby iPhone or iPad with AirDrop share popups, blocking the user interface so the device owner no longer has any functionality on the device. Researcher Kishan Bagaria reported the vulnerability to Apple, even providing a video walkthrough to demonstrate the ease of the attack, and a fix was included in this most recent iOS update. Apple also fixed a Facetime bug and a security-bypass vulnerability affecting the Live Photo feature (CVE-2019-8830 and CVE-2019-8857) in the update. <a href="https://forum.anomali.com/t/apple-patched-airdos-vulnerability-with-ios-13-3-along-with-other-security-fixes/4454" target="_blank">Click here for Anomali recommendation</a><a href="https://www.bleepingcomputer.com/news/security/attackers-steal-credit-cards-in-rooster-teeth-data-breach/" target="_blank">Attackers Steal Credit Cards in Rooster Teeth Data Breach</a> (December 13, 2019) Rooster Teeth Productions, the production company behind popular web series “Red vs. Blue” and “Crunch Time,” have suffered a data breach due to a malicious script injected into the company’s online store, allowing a malicious actor to steal payment card and personal information from shoppers. According to the data breach notification, the malicious script would cause the shopper to be redirected to a fake payment page under the control of the threat actor, allowing the malicious party to steal a customer’s full name and payment card data, as well as email address, home address, and telephone number. The code was discovered on the website on December 2, 2019, and was removed from the store on the same day, and while the number of customers was not included in the statement, those impacted were notified and offered a free 1-year credit monitoring service. <a href="https://forum.anomali.com/t/attackers-steal-credit-cards-in-rooster-teeth-data-breach/4441" target="_blank">Click here for Anomali recommendation</a><a href="https://www.darkreading.com/attacks-breaches/visa-warns-of-targeted-pos-attacks-on-gas-station-merchants/d/d-id/1336619" target="_blank">Visa Warns of Targeted PoS Attacks on Gas Station Merchants</a> (December 13, 2019) Visa's payment fraud division have identified at least three separate attacks targeting Point of Sale (PoS) systems of two gas station merchants and a hospitality chain since August 2019. Telemetry from two of the incidents suggest that the attacks were carried out by FIN8, a cyber crime group previously associated with numerous PoS system attacks. This week, Visa described the actors behind the PoS attacks as “sophisticated cybercrime groups looking to harvest payment card data,” using phishing emails with malicious links to download a Remote Access Trojan (RAT) to access a merchant’s internal network. In one of the attacks, a RAT was used to conduct reconnaissance and move laterally into the PoS environment, after which the actor deployed a RAM memory scraper to harvest payment card data. According to Visa, credit card theft targeting gas station chains are increasing because “many have yet to implement the EMV smartcard standard for payment transactions,” which once implemented should provide significantly better protection against card data theft. <a href="https://forum.anomali.com/t/visa-warns-of-targeted-pos-attacks-on-gas-station-merchants/4442" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947199">[MITRE ATT&CK] Data Staged - T1074</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947117">[MITRE ATT&CK] Automated Collection - T1119</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&CK] Remote Access Tools - T1219</a><a href="https://news.bitcoin.com/15-million-debit-cards-exposed-as-iranian-banks-fall-victim-to-cyber-warfare/" target="_blank">15 Million Debit Cards Exposed as Iranian Banks Fall Victim to Cyber Warfare</a> (December 12, 2019) According to Iranian media reports, the details of approximately 15 million debit cards have been exposed, affecting close to a fifth of the country’s population. According to Mohammad Javad Azari Jahromi, Iran’s Information and Telecommunications Minister, the personal data was stolen by a disgruntled contractor with access to the accounts, for extortion purposes, and exposed on a public Telegram channel. There is speculation as to whether the reported cause of the exposure is true, with cyber security experts suspecting a breach of this magnitude would more likely have been carried out by a state-sponsored intelligence organization. The banks affected were Mellat, Tejarat, and Sarmayeh, the three largest banks in Iran, and the data exposure could have lasting impressions, creating negative reputations of each bank’s security practices. <a href="https://forum.anomali.com/t/15-million-debit-cards-exposed-as-iranian-banks-fall-victim-to-cyber-warfare/4443" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&CK] Identify sensitive personnel information (PRE-T1051)</a><a href="https://www.tripwire.com/state-of-security/security-data-protection/three-men-arrested-in-connection-to-722m-cryptomining-scheme/" target="_blank">Three Men Arrested in Connection to $722M Cryptomining Scheme</a> (December 12, 2019) The U.S. Attorney’s Office for the District of New Jersey announced the arrests of three men in connection with a cryptomining scheme that defrauded investors of $722 million. Matthew Goettsche and Jobadiah Weeks of Colorado and Joseph Abel of California were arrested on suspicion of conspiracy to commit wire fraud, and are accused of having offered and sold unregistered securities. According to court documents, the “BitClub Network” scheme the men operated between April 2014 and December 2019 solicited money from investors for shares in cryptomining pools. The men provided false and misleading earnings figures to deceive investors, and sold BitClub Network securities which were not registered with the U.S. Securities and Exchange Commission. In a statement released by the U.S. Department of Justice, U.S. Attorney Craig Carpenito called the BitClub Network a “modern, high-tech Ponzi scheme” with the intent of defrauding victims of hundreds of millions of dollars. The men face prison time and as much as $500,000 USD in combined fines for the conspiracy and unregistered securities charges. <a href="https://forum.anomali.com/t/three-men-arrested-in-connection-to-722m-cryptomining-scheme/4444" target="_blank">Click here for Anomali recommendation</a><a href="https://www.infosecurity-magazine.com/news/one-billion-email-password-combos/" target="_blank">Over One Billion Email-Password Combos Leaked Online</a> (December 12, 2019) An unsecured Elasticsearch database containing 2.7 billion email addresses and more than a billion plain text passwords was discovered in early December 2019 and publicly available for nine days before being disabled. Security researcher Bob Diachenko discovered the database and notified the ISP hosting the IP address, and worked with Comparitech researchers to conclude that much of the data was harvested from “The Big Asian Leak” of 2017. The leak involved breached credentials from multiple internet companies across Asia, mainly featuring email usernames and passwords used on Chinese sites. The 1.5TB leak may have also contained phone numbers and other identifying numbers where English characters were required for Chinese usernames. It is unclear as of this writing who the owner of the exposed database is, and if it was intentionally set up for credential stuffing campaigns. <a href="https://forum.anomali.com/t/over-one-billion-email-password-combos-leaked-online/4445" target="_blank">Click here for Anomali recommendation</a><a href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank">Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware</a> (December 11, 2019) While monitoring a wave of targeted campaigns against financial, manufacturing, and retail businesses in October 2019, Cybereason researchers observed a new backdoor, dubbed “Anchor,”//big sentence, you could break it here// being used to target Point-of-Sale (PoS) systems of high-profile organizations in the United States and Europe. According to the researchers, Anchor has been in operation since August 2018 and appears to be related to TrickBot, and possibility created by the same individuals. The campaign begins with a phishing email to deliver the TrickBot downloader, masquerading as a Microsoft Word document, that when clicked downloads the TrickBot payload. TrickBot steals data, including the location of the victim and the master key to KeePass, and sends it to a hardcoded C2 server. If the information obtained points to a high value target, Anchor malware is downloaded, an incredibly stealthy backdoor that uses DNS tunneling for C2 communication. While Cybereason did not explicitly discuss attribution, the researchers made observations regarding similarities between techniques and tools used by cyber threat group FIN6 and these PoS campaigns. <a href="https://forum.anomali.com/t/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware/4446" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947173">[MITRE ATT&CK] Hooking - T1179</a> | <a href="https://ui.threatstream.com/ttp/947142">[MITRE ATT&CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947256">[MITRE ATT&CK] Uncommonly Used Port - T1065</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&CK] User Execution - T1204</a><a href="https://threatvector.cylance.com/en_us/home/zeppelin-russian-ransomware-targets-high-profile-users-in-the-us-and-europe.html" target="_blank">Zeppelin Ransomware Targets High Profile Users in the U.S. and Europe</a> (December 11, 2019) A new variant of Vega and VegaLocker Ransomware-as-a-Service (RaaS) have been identified by the Cylance Threat Research Team, leading researchers to believe that the ransomware is now in the hands of new threat actors. “Vega”, a Delphi-based ransomware aimed at Russian-speaking users and delivered via the RIG Exploit Kit (EK), has been redesigned several times throughout 2019, each version bearing a new name. This newest variant, dubbed “Zeppelin,” was first observed in early November 2019, targeting healthcare and tech companies in Europe and the United States. Targeting behaviors suggest that Zeppelin has been bought and sold to a new threat actor, or has been redeveloped using stolen or leaked sources. Zeppelin is highly configurable and can be deployed to targets as EXE, DLL files, or bundled into a PowerShell loader. The malware begins its installation with a temporary folder named “.zeppelin” before spreading and encrypting files. While the amount of the ransom shifts among targeted organizations, all ransom demands are made in a text file and are to be paid in Bitcoin. <a href="https://forum.anomali.com/t/zeppelin-ransomware-targets-high-profile-users-in-the-u-s-and-europe/4447" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947195">[MITRE ATT&CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection/" target="_blank">Waterbear is Back, Uses API Hooking to Evade Security Product Detection</a> (December 11, 2019) Researchers at Trend Micro have observed a new Waterbear campaign that utilizes new evasion capability employing API hooking techniques allowing malicious activities to go undetected by security products. Waterbear, a campaign that is characterized by the use of modular malware and the ability to add and change functionality remotely, has been around for years and has been associated with “BlackTech,” a cyberespionage group that mainly targets technology companies and government agencies in East Asia. According to Trend Micro, the use of API hooking has been implemented to hide network behavior from a specific, unidentified security vendor based in the APAC region, commonly utilized within BlackTech-targeted countries. The researchers highlight that this is the first instance of Waterbear observed attempting to hide backdoor activities, and conclude that the threat actors behind the campaign are “knowledgeable of the victims’ environment and which security products they use.” <a href="https://forum.anomali.com/t/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection/4448" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/947141">[MITRE ATT&CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/947101">[MITRE ATT&CK] Code Signing - T1116</a><a href="https://nakedsecurity.sophos.com/2019/12/10/snatch-ransomware-pwns-security-using-sneaky-safe-mode-reboot/" target="_blank">Snatch Ransomware Pwns Security Using Sneaky ‘Safe Mode’ Reboot</a> (December 10, 2019) Researchers with Sophos’s Managed Threat Response team have identified a ransomware trick that involves encrypting data after rebooting into Safe Mode on Windows PCs. The technique has been observed in “Snatch” ransomware, and can be effective against endpoint security software that does not load when Safe Mode is in operation. The ransomware installs itself as a Windows service called SuperBackupMan. This service has properties that prevent the user from stopping or pausing while it runs, afterwhich it creates a registry key ensuring the target will boot into Safe Mode. This tactic of using Safe Mode to bypass security presents a few complications and challenges to the malicious actors, such as a need to get past the Windows login, and break into domain controls to distribute to targets within the network. Regardless of these challenges, Snatch has been successful in as many as 12 incidents between July and October 2019, according to Coveware, a ransomware settlements firm involved in negotiations, paying bitcoin ransoms between $2,000 and $35,000 USD. <a href="https://forum.anomali.com/t/snatch-ransomware-pwns-security-using-sneaky-safe-mode-reboot/4449" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a><a href="https://www.cpomagazine.com/cyber-security/nypd-fingerprint-database-infected-with-ransomware-by-third-party-contractor/" target="_blank">NYPD Fingerprint Database Target of Ransomware, Result of Third Party Negligence</a> (December 10, 2019) According to the New York Police Department (NYPD) Deputy Commissioner for Information Technology, the NYPD LiveScan fingerprint tracking database was the target of an attempted ransomware attack. The introduction of the malicious ransomware code was inadvertently made by a third-party contractor who was installing video equipment using an infected NUC Mini-PC that was plugged into the network. The ransomware was swiftly detected, and while the ransomware proliferated to 23 endpoint devices, the ransomware was never executed. Public entities like the NYPD have been the target of large-scale ransomware attacks in 2019, likely due to the higher probability of a payout when impacting a highly-essential network. <a href="https://forum.anomali.com/t/nypd-fingerprint-database-target-of-ransomware-result-of-third-party-negligence/4450" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a></div></div>