<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, Cryptojacking, Downloaders, Malspam, RATs,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/qDfP0wvjR2mKouEgQhfs"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://nakedsecurity.sophos.com/2021/07/26/windows-petitpotam-network-attack-how-to-protect-against-it/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29" target="_blank">Windows “PetitPotam” Network Attack – How to Protect Against It</a></h3> <p>(published: July 21, 2021)</p> <p>Microsoft has released mitigations for a new Windows vulnerability called PetitPotam. Security researcher, Gilles Lionel, created a proof-of-concept script that abuses Microsoft’s NT Lan Manager (NTLM) protocol called MS-EFSRPC (encrypting file system remote protocol). PetitPotam can only work if certain system functions that are enabled if the following conditions are met: NTLM authentication is enabled on domain, active directory certificate services (AD CS) is being used, certificate authority web enrollment or certificate enrollment web service are enabled. Exploitation can result in a NTLM relay attack, which is a type of man-in-the-middle attack.<br/> <b>Analyst Comment:</b> Microsoft has provided mitigation steps to this attack which includes disabling NTLM on a potentially affected domain, in addition to others.<br/> <b>Tags:</b> Vulnerability, Microsoft, PetitPotam, Man-in-the-middle</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003/" target="_blank">APT31 Modus Operandi Attack Campaign Targeting France</a></h3> <p>(published: July 21, 2021)</p> <p>The French cybersecurity watchdog, ANSSII issued an alert via France computer emergency response team (CERT) discussing attacks targeting multiple French entities. The China-sponsored, advanced persistent threat (APT) group APT31 (Judgment Panda, Zirconium) has been attributed to this ongoing activity. The group was observed using “a network of compromised home routers as operational relay boxes in order to perform stealth reconnaissance as well as attacks.”<br/> <b>Analyst Comment:</b> Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.<br/> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/2402525" target="_blank">[MITRE ATT&CK] Resource Hijacking - T1496</a><br/> <b>Tags:</b> APT, APT31, Judgment Panda, Zirconium, Home routers</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.trendmicro.com/en_us/research/21/g/strongpity-apt-group-deploys-android-malware-for-the-first-time.html" target="_blank">StrongPity APT Group Deploys Android Malware for the First Time</a></h3> <p>(published: July 21, 2021)</p> <p>Trend Micro researchers conducted analysis on a malicious APK sample shared on Twitter by MalwareHunterTeam. The shared sample was discussed as being a trojanized version of an Android app offered on the authentic Syrian E-Gov website, potentially via a watering-hole attack. Researchers took this information and pivoted further to analyze the backdoor functionality of the trojanized app (which is no longer being distributed on the official Syrian E-Gov website). Additional samples were identified to be contacting URLs that are identical to or following previous reporting on the advanced persistent threat (APT) group StrongPity in 2019 and 2020. The group is believed to be actively developing new backdoors for Android operating systems, as is evident by new modules for stealing different types of messages from infected devices.<br/> <b>Analyst Comment:</b> Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to review the permissions that the application will request, and comments from others who have downloaded the application. Furthermore, it is paramount that mobile devices be kept up-to-date with the latest security patches and employ trusted antivirus software.<br/> <b>Tags:</b> APT, StrongPity, Android</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://research.checkpoint.com/2021/top-prevalent-malware-with-a-thousand-campaigns-migrates-to-macos/" target="_blank">Top Prevalent Malware with a Thousand Campaigns Migrates to macOS</a></h3> <p>(published: July 21, 2021)</p> <p>The notorious Formbook information-stealing malware has once again undergone changes, according to Check Point researchers. The malware started as a simple keylogger over five years ago (later became known as XLoader in February 2020,) and now can steal data from machines running macOS or Windows. XLoader is offered for purchase on multiple forums from prices ranging from $69 (USD) to $139 depending on the site and additional malware features. Formbook/XLoader is capable of keylogging, stealing credentials from web browsers, taking screenshots, and downloading and executing additional files per communication from a command and control server.<br/> <b>Analyst Comment:</b> Information stealing is a common and prevalent threat facing individuals and organizations around the world. Education on frequently-used delivery methods such as malspam and phishing emails can help prevent infection. In addition, maintain efficient log management policies to identify potentially abnormal network activity.<br/> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947209" target="_blank">[MITRE ATT&CK] Third-party Software - T1072</a><br/> <b>Tags:</b> Info stealer, Formbook, XLoader, Windows, macOS</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934" target="_blank">Windows Elevation of Privilege Vulnerability</a></h3> <p>(published: July 20, 2021)</p> <p>A new Windows 10 vulnerability, assigned CVE-2021-36934 and referred to as HiveNightmare/SeriousSAM, has been found to affect all Windows 10 versions beginning with build 1809. The issue arises from non-admin users being granted read access to any file in the %windir%\system32\config directory that can allow for local privilege escalation. If a virtual shadow copy [service] (VSS), which is a Microsoft Windows feature that can create backups or snapshots of files or volumes, of the system is available, a non-admin user can abuse these files for malicious activity.<br/> <b>Analyst Comment:</b> Microsoft has issued workarounds for CVE-2021-36934, specifically, to run a command “icacls %windir%\system32\config\*.* /inheritance:e” to delete VSS shadow copies. However, deleting shadow copies could negatively impact restoring operations for Microsoft and third-party services. Microsoft stated, “You must restrict access and delete shadow copies to prevent exploitation of this vulnerability.”<br/> <b>Tags:</b> Vulnerability, Windows 10, CVE-2021-36934, Privilege escalation</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.intezer.com/blog/container-security/new-attacks-on-kubernetes-via-misconfigured-argo-workflows/?utm_content=173663376&utm_medium=social&utm_source=twitter&hss_channel=tw-3315266420" target="_blank">New Attacks on Kubernetes via Misconfigured Argo Workflow</a></h3> <p>(published: July 20, 2021)</p> <p>A new attack vector has been discovered targeting Kubernetes (K8s) clusters through misconfigured Argo Workflows instances, according to Intezer researchers. Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes, according to its documentation. One misconfigured Argo Workflows cluster was found to running a kannix/monero cryptocurrency miner.<br/> <b>Analyst Comment:</b> As any system that stores potentially sensitive information, cloud containers need to be configured properly to avoid threat actors from targeting them. Ensure that environments have security policies in place, such as the principle of least privilege, to ensure that permissions are only granted to those on a need-access basis.<br/> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947231" target="_blank">[MITRE ATT&CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/2402525" target="_blank">[MITRE ATT&CK] Resource Hijacking - T1496</a><br/> <b>Tags:</b> Argo Worklows, Kubernetes, Misconfigured, Cryptomining</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf" target="_blank">Debugging MosaicLoader, One Step at a Time</a></h3> <p>(published: July 20, 2021)</p> <p>Bitdefender researchers have reported their findings on a new malware family dubbed MosaicLoader. The malware was discovered when researchers noticed “processes that add local exclusions in Windows Defender for specific file names (prun.exe, appsetup.exe, etc.), that all reside in the same folder, called \PublicGaming\.” The malware is delivered through archives masquerading as cracked software installers. That threat actors are then purchasing Google search engine results to boost their malicious archives’ visibility and potential delivery. MosaicLoader can deliver any other kind of malware and utilizes a unique obfuscation technique that shuffles code chunks creating a mosaic-like structure.<br/> <b>Analyst Comment:</b> Cracked software is a well-known and common delivery method for malicious payloads or first-stage infections. Always check to ensure that you are downloading software from the legitimate website for the desired product.<br/> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/3297596" target="_blank">[MITRE ATT&CK] Software Discovery - T1518</a> | <a href="https://ui.threatstream.com/ttp/947162" target="_blank">[MITRE ATT&CK] Remote Services - T1021</a> | <a href="https://ui.threatstream.com/ttp/947191" target="_blank">[MITRE ATT&CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947126" target="_blank">[MITRE ATT&CK] Standard Application Layer Protocol - T1071</a><br/> <b>Tags:</b> Malware loader, MosaicLoader, Cracked software</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://labs.sentinelone.com/cve-2021-3438-16-years-in-hiding-millions-of-printers-worldwide-vulnerable/" target="_blank">CVE-2021-3438: 16 Years in Hiding – Millions of Printers Worldwide Vulnerable</a></h3> <p>(published: July 20, 2021)</p> <p>A high-severity vulnerability, registered as CVE-2021-3438, has been identified by SentinelLabs researchers that affects HP, Samsung, and Xerox printers. The vulnerability has resided in the printers’ driver software since 2005. The number of printers created by HP, Samsung, and Xerox during the last 16 years amounts to over 380 different models by HP and Samsung and at least 12 Xerox models. Exploitation of CVE-2021-3438, which is a kernel driver vulnerability, can result in an unprivileged user account changing to “SYSTEM account and run code in kernel mode (since the vulnerable driver is locally available to anyone).” Researchers note that they have not seen this vulnerability actively-exploited in the wild.<br/> <b>Analyst Comment:</b> The potential scope of this vulnerability is significant. Users should follow Security Advisories from both HP (HPSBPI03724) and Xerox (XRX21K) and apply the necessary patches as soon as possible. The list of affected HP and Samsung printer models can be found here, and the list of affected Xerox printers models can be found here.<br/> <b>Tags:</b> Vulnerability, CVE-2021-3438, Printer driver software, HP, Samsung, Xerox</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/" target="_blank">Remcos RAT Delivered via Visual Basic</a></h3> <p>(published: July 19, 2021)</p> <p>Malwarebytes researchers have discovered a financially-themed malspam campaign that distributed the remote access tool (RAT) Remcos. All of the malspam email subject lines are typical for malspam delivering a commodity tool like Remcos. Some of these subject lines include: Appraisal Report for you Loan Application-1100788392210, FWD: Reminder: Your July Appointment-11002214991. The emails refer recipients to an attached archive that, if downloaded, will enable a Visual Basic script to download and execute a Remcos payload. Researchers found metadata inside the archive inside a .hta file that included “demo” in its code which researchers suggest may indicate that threat actors are testing new code.<br/> <b>Analyst Comment:</b> Financially-themed malspam emails are a common tactic among threat actors, therefore, it is crucial that your employees are aware of their financial institutions policies regarding electronic communication. If a user is concerned due to the scare tactics often used in such emails, they should contact their financial institution via legitimate email or another form of communication. Requests to open a document in a sense of urgency and poor grammar are often indicative of malspam or phishing attacks. Said emails should be properly avoided and reported to the appropriate personnel.<br/> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947191" target="_blank">[MITRE ATT&CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/2336968" target="_blank">REVOKED - [MITRE ATT&CK] File Permissions Modification - T1222</a><br/> <b>Tags:</b> Malspam, VB Script, Remcos RAT</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://thehackernews.com/2021/07/researchers-warn-of-linux-cryptojacking.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Cyber+Security+Blog%29" target="_blank">Researchers Warn of Linux Cryptojacking Attackers Operating from Romania</a></h3> <p>(published: July 19, 2021)</p> <p>A new cryptojacking threat group, which is likely based in Romania and has been active since at least 2020, is actively attacking Linux-based machines with weak SSH passwords, according to Bitdefender researchers. The group uses a previously-unknown SSH brute force attack tool written in Go, dubbed “Diicot brute,” that is reportedly being sold as a software-as-a-service (SaaS). In addition, the unnamed group is also involved in distributed denial-of-service (DDoS), which involves a variant of the DDoS botnet malware Demonbot called “chernobyl.” The group is primarily-motivated by mining Monero cryptocurrency via XMRig through access gained by conducting SSH brute force attacks.<br/> <b>Analyst Comment:</b> A secure password policy is crucial to taking a proactive step to mitigate password brute force attacks. Cybersecurity frameworks such as NIST offer guidelines and best practices for a variety of subjects. For passwords, it is helpful to institute at least an eight-character limit, allow use of special characters, and restrict sequential and repetitive characters.<br/> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947227" target="_blank">[MITRE ATT&CK] Brute Force - T1110</a> | <a href="https://ui.threatstream.com/ttp/947267" target="_blank">[MITRE ATT&CK] Drive-by Compromise - T1189</a> | <a href="https://ui.threatstream.com/ttp/947231" target="_blank">[MITRE ATT&CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/947222" target="_blank">[MITRE ATT&CK] Account Manipulation - T1098</a> | <a href="https://ui.threatstream.com/ttp/947273" target="_blank">[MITRE ATT&CK] Create Account - T1136</a> | <a href="https://ui.threatstream.com/ttp/947094" target="_blank">[MITRE ATT&CK] External Remote Services - T1133</a> | <a href="https://ui.threatstream.com/ttp/947194" target="_blank">[MITRE ATT&CK] Indicator Removal on Host - T1070</a> | <a href="https://ui.threatstream.com/ttp/947203" target="_blank">[MITRE ATT&CK] Web Service - T1102</a> | <a href="https://ui.threatstream.com/ttp/2402525" target="_blank">[MITRE ATT&CK] Resource Hijacking - T1496</a><br/> <b>Tags:</b> Threat Group, Cryptojacking, Monero mining, DDoS</p> </div>