<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, Data breach, Phishing, Ransomware</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/x5ft19MToyuua4o1tLpw"/><br/> <em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</em></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.tripwire.com/state-of-security/featured/attack-misuses-google-docs-comments-to-spew-out-malicious-links/" target="_blank">Attack Misuses Google Docs Comments to Spew Out “Massive Wave” of Malicious Links</a></h3> <p>(published: January 7, 2022)</p> <p>Security researchers have seen a very large number of attacks leveraging the comment features of Google Docs to send emails to users containing malicious content. The attackers can create a document, sheet, or slides and add comments tagging any user's email address. Google then sends an email to the tagged user account. These emails come from Google itself and are more likely to be trusted than some other phishing avenues.<br/> <b>Analyst Comment:</b> Phishing education can often help users identify and prevent phishing attacks. Specific to this attack method, users should verify that any unsolicited comments that are received come from the user indicated, and if unsure, reach out separately to the user that appears to have sent the comment to verify that it is real. Links in email should be treated with caution.<br/> <b>MITRE ATT&CK:</b><a href="https://ui.threatstream.com/ttp/947141">[MITRE ATT&CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/3905074">[MITRE ATT&CK] Phishing - T1156</a><br/> <b>Tags:</b> Google, Impersonation, Phishing</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://techcrunch.com/2022/01/07/finalsite-ransomware-school-websites-offline/" target="_blank">Finalsite Ransomware Attack Forces 5,000 School Websites Offline</a></h3> <p>(published: January 7, 2022)</p> <p>Finalsite, a firm used by schools for website content management, design, and hosting, has been hit by an unknown strain of ransomware that affected approximately 5,000 of their 8,000 customers. The company has said in a statement that many of the affected sites were preemptively shut down to protect user's data, that there is no evidence of that data was breached (although they did not confirm that they had the needed telemetry in place to detect that), and that most of the sites and services have been restored.<br/> <b>Analyst Comment:</b> Verified backup and disaster recovery processes are an important aspect of protecting organizations and allowing for remediation of successful attacks. Monitoring and telemetry can aid in detection and prevention from attacks, and provide evidence as to whether data has been exfiltrated.<br/> <b>MITRE ATT&CK:</b><a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&CK] Web Service - T1102</a> | <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> Education, Finalsite, Ransomware, Web hosting</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.f5.com/labs/articles/threat-intelligence/flubots-authors-employ-creative-and-sophisticated-techniques-to-achieve-their-goals-in-version-50-and-beyond" target="_blank">FluBot’s Authors Employ Creative and Sophisticated Techniques to Achieve Their Goals in Version 5.0 and Beyond</a></h3> <p>(published: January 6, 2022)</p> <p>Security researchers have analyzed a new and more sophisticated version of the FluBot Android malware first detected in early 2020. Once installed on a device, the malware can fully take over infected devices, including keylogging, stealing one-time passcodes, send/receive and hide SMS messages, and use the device's contact list to spread. Initial infection is often performed by a SMS message that contains a link to either a compromised app or website. The new version of FluBot (version 5.2) contains an updated domain generation algorithm (DGA) that includes new code allowing the C2 to send a new seed used to generate and find C2 domains. The malware also includes multiple techniques to make detection and analysis difficult.<br/> <b>Analyst Comment:</b> Users should never install applications from unknown sources, and even applications found on known sources should be audited for the permissions they get. Links received via text message should be carefully checked before interaction with them.<br/> <b>MITRE ATT&CK:</b><a href="https://ui.threatstream.com/ttp/3904494">[MITRE ATT&CK] Exfiltration Over C2 Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947194">[MITRE ATT&CK] Indicator Removal on Host - T1070</a> | <a href="https://ui.threatstream.com/ttp/3905071">[MITRE ATT&CK] Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947136">[MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/3905040">[MITRE ATT&CK] Create or Modify System Process - T1543</a> | <a href="https://ui.threatstream.com/ttp/3905778">[MITRE ATT&CK] Impair Defenses - T1562</a><br/> <b>Tags:</b> Android, DGA, Flubot, Keylogger, Smishing</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/" target="_blank">Can You Trust a File’s Digital Signature? New Zloader Campaign Exploits Microsoft’s Signature Verification Putting Users at Risk</a></h3> <p>(published: January 5, 2022)</p> <p>A new Zloader banking malware campaign has been detected as of November 2021 that leverages both a supply chain attack as well as injecting the malware into a verified signed system DLL to evade security measures. This infection begins with an installation of Altera, a legitimate enterprise remote monitoring and management software. The malware then leverages the free trial of Altera to run two .bat files, one to disable Windows Defender, the second to finish the install of the Zloader malware which then contacts a C2 server to download and execute additional files. The malware injects a script into a validly signed Microsoft DLL as an additional step to avoid system defenses. While the initial infection vector for this campaign is not known, previous Zloader campaigns have used malicious documents, ads, and compromised adult websites to infect victims.<br/> <b>Analyst Comment:</b> Any application not approved by IT/SecOPS should be blocked even if it is a legitimate application. Suspicious command line parameters & process activity should be monitored for legitimate scripting binaries/DLLs to know if they are being used for nefarious purposes. Additionally, Anomali ThreatStream can help blocking known C2 server connections via downstream integrations to protect your environment.<br/> <b>MITRE ATT&CK:</b><a href="https://ui.threatstream.com/ttp/3905348">[MITRE ATT&CK] OS Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947142">[MITRE ATT&CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/3904527">[MITRE ATT&CK] Ingress Tool Transfer - T1105</a> | <a href="https://ui.threatstream.com/ttp/3905768">[MITRE ATT&CK] Boot or Logon Autostart Execution - T1547</a><br/> <b>Tags:</b> CVE-2012-0151, CVE-2013-3900, CVE-2020-1599, Banking and finance, Malsmoke, North America, Zloader</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://blog.malwarebytes.com/trojans/2022/01/purple-fox-rootkit-now-bundled-with-telegram-installer/" target="_blank">Purple Fox Rootkit Now Bundled With Telegram Installer</a></h3> <p>(published: January 4, 2022)</p> <p>The Purple Fox rootkit has been detected using a valid Telegram installer as part of its infection chain. It furthermore utilizes multiple small files that are downloaded during infection to make it harder to detect and prevent. The rootkit also performs tasks to disable User Access Controls (UAC) and anti-virus products, which require a reboot of the victim device to attain persistence. Purple Fox was first detected in 2018 and has been under continual development since.<br/> <b>Analyst Comment:</b> User education regarding the common threats of malspam and awareness of common infection vectors from the internet remain the best tool to protect and prevent malware infections. Setting up alerts & blocking attempts by applications to disable security controls or modify system files is important to detect such attacks.<br/> <b>MITRE ATT&CK:</b><a href="https://ui.threatstream.com/ttp/947092">[MITRE ATT&CK] Rootkit - T1014</a> | <a href="https://ui.threatstream.com/ttp/3297596">[MITRE ATT&CK] Software Discovery - T1518</a><br/> <b>Tags:</b> Purplefox, Rootkit, Telegram</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/ftc-warns-companies-to-secure-consumer-data-from-log4j-attacks/" target="_blank">FTC Warns Companies to Secure Consumer Data from Log4J Attacks</a></h3> <p>(published: January 4, 2022)</p> <p>The ongoing series of attacks and vulnerabilities leveraging Log4J has spurred the Federal Trade Commision (FTC) to issue a warning to organizations to update Log4J installations that have been exploited by malicious actors or face possible action if the consumer data is breached. This has been a particularly difficult flaw to address both due to the sheer install base of Log4J as well as the multiple patches that have been released by the Apache organization to address methods by which attackers can use the package to infect victims.<br/> <b>Analyst Comment:</b> This series of vulnerabilities has highlighted the need for organizations to have an accurate and up to date asset inventory and vulnerability management program as a critical component of protecting data that they are in control of. It is also important to remember that attackers often leverage known periods of vacation and low staffing levels to make their attacks more effective.<br/> <b>MITRE ATT&CK:</b><a href="https://ui.threatstream.com/ttp/3905348">[MITRE ATT&CK] OS Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947162">[MITRE ATT&CK] Remote Services - T1021</a> | <a href="https://ui.threatstream.com/ttp/3906161">[MITRE ATT&CK] Command and Scripting Interpreter - T1059</a> | <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/2402525">[MITRE ATT&CK] Resource Hijacking - T1496</a> | <a href="https://ui.threatstream.com/ttp/2402530">[MITRE ATT&CK] Network Denial of Service - T1498</a><br/> <b>Tags:</b> CVE-2021-45105, CVE-2021-45046, CVE-2021-44228, Log4j</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://unit42.paloaltonetworks.com/web-skimmer-video-distribution/" target="_blank">A New Web Skimmer Campaign Targets Real Estate Websites Through Attacking Cloud Video Distribution Supply Chain</a></h3> <p>(published: January 3, 2022)</p> <p>A new formjacking attack has been discovered targeting at least 100 real estate websites via a cloud video distribution supply chain attack. These attacks inject malicious javascript into videos which when imported can take over web forms to skim data, including credit card numbers. All the organizations in this campaign belong to a single parent company. Personal information filled out on the compromised websites would be hijacked by the malicious javascript, potentially to be used in further attacks.<br/> <b>Analyst Comment:</b> Organizations that collect personal and credit card information via web forms should routinely audit their sites for evidence of compromise as part of their defense operations. Utilization of a frequently updated list of known malware and indicators of compromise (IOCs) can be invaluable in detecting compromise.<br/> <b>MITRE ATT&CK:</b><a href="https://ui.threatstream.com/ttp/3905348">[MITRE ATT&CK] OS Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947136">[MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&CK] Web Service - T1102</a><br/> <b>Tags:</b> Formjacking, Skimmer, Real estate</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/apple-ios-vulnerable-to-homekit-doorlock-denial-of-service-bug/" target="_blank">Apple iOS Vulnerable to HomeKit 'doorLock' Denial of Service Bug</a></h3> <p>(published: January 3, 2022)</p> <p>A vulnerability in Apple's HomeKit smart device framework has been disclosed that allows for an attacker to perform a persistent denial of service (DOS) attack against iOS devices. The attack involves renaming or adding a HomeKit device with a very long name (> 500,000 characters). When the malicious device name is created, it will send affected iOS devices into a denial of service state where a device reset is required. All data on the affected device will be deleted upon reset unless it had been previously backed up. Additionally if the device then attempts to contact the HomeKit device name, the DOS will be triggered again. This vulnerability was reported to Apple in August 2021, but has not yet been addressed, leading the researcher to publicly disclose it.<br/> <b>Analyst Comment:</b> The proliferation of internet of things (IOT) devices and the software to manage them continues to be exploited by malicious actors for a variety of purposes, including data harvesting, distributed denial of service attacks, and DOS against vulnerable devices. These devices should be audited by organizations and updated regularly. Home users should be aware of the additional attack surface that IOT devices present.<br/> <b>MITRE ATT&CK:</b><a href="https://ui.threatstream.com/ttp/2402529">[MITRE ATT&CK] Endpoint Denial of Service - T1499</a><br/> <b>Tags:</b> doorLock, DOS, Homekit, iOS</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.zdnet.com/article/broward-health-warns-1-3-million-patients-staff-of-medical-identity-theft-after-data-breach/#ftag=RSSbaffb68" target="_blank">Data breach: Broward Health Warns 1.3 Million Patients, Staff of 'Medical Identity Theft'</a></h3> <p>(published: January 3, 2022)</p> <p>A data breach involving over 1.3 million users and staff of the Broward Health hospital system has been disclosed. The breach apparently started on October 15, 2021, and notifications were sent out over the weekend of January 01, 2022. The initial access was gained by a third-party provider that had permitted access to Broward health. The delay in notification was at the request of the Department of Justice (DOJ), which was notified of the breach on October 19th. The breached data includes a wide range of personally identifiable information (PII), including drivers license numbers, social security numbers (SSNs) and medical history information, which has been shown to be very valuable for sale and use for fraud.<br/> <b>Analyst Comment:</b> Organizations should be routinely auditing and verifying trusted third-parties, their supply chain, and monitor for unusual activity. Affected users could take advantage of the identity theft protection service offered by Broward Health.<br/> <b>MITRE ATT&CK:</b><a href="https://ui.threatstream.com/ttp/947220">[MITRE ATT&CK] Trusted Relationship - T1199</a><br/> <b>Tags:</b> Data Breach, Healthcare, PII</p> </div> <h3>Observed Threats</h3> <p>Additional information regarding the threats discussed in this week's Weekly Threat Briefing can be found below:</p> <p><a href="https://ui.threatstream.com/tip/3271732" target="_blank">Apache Log4j 2 Vulnerability Affects Numerous Companies, Millions of Users</a></p> <p>A critical vulnerability, registered as CVE-2021-44228 (Log4Shell), has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in. The vulnerability was discovered by Chen Zhaojun of Alibaba in late November 2021, reported to Apache, and subsequently released to the public on December 9, 2021.</p>