
Weekly Threat Briefing: Olympic Destroyer Takes Aim At Winter Olympics

Anomali Threat Research
February 13, 2018
<p>The intelligence in this week’s iteration discusses the following threats: <b>Compromised server</b>, <b>Cryptocurrency miner</b>, <b>Data theft</b>, <b>Malspam</b>, <b>Phishing</b>, <b>Targeted attacks</b>, <b>Underground markets</b>, and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.</p>
<h2>Trending Threats</h2>
<p><a href="http://blog.talosintelligence.com/2018/02/olympic-destroyer.html" target="_blank"><b>Olympic Destroyer Takes Aim At Winter Olympics</b></a> (<i>February 12, 2018</i>)<br/> On February 11, 2018, Winter Olympic officials confirmed that the games were struck by a cyber-attack shortly before the opening ceremony on February 9. The target was the official Pyeongchang 2018 website, which was inaccessible for approximately 12 hours. In addition, the internet and televisions stopped working in the main press center, as did the Wi-Fi in the Pyeongchang Olympic stadium, according to the U.K. newspaper The Guardian. Cisco Talos researchers believe with moderate confidence that they have identified malware samples used in this attack. The malware, dubbed “Olympic Destroyer,” appears to have been used with the objective of disrupting the games by rendering affected machines “unusable by deleting shadow copies, event logs and trying to use PSExec &amp; WMI to further move through the environment.”<br/> <a href="https://forum.anomali.com/t/olympic-destroyer-takes-aim-at-winter-olympics/" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://www.helpnetsecurity.com/2018/02/12/websites-found-serving-crypto-mining-script/" target="_blank"><b>Thousands of Government, Orgs’ Websites Found Serving Crypto Mining Script</b></a> (<i>February 12, 2018</i>)<br/> Security researcher Scott Helme discovered that the website of the U.K.’s Information Commissioner’s Office (ICO) was serving a crypto miner. Further investigation led Helme to discover that the cause of this incident was the compromise of the “Browsealoud” service run by U.K. firm Texthelp; the service uses a JavaScript file that “adds speech, reading, and translation to websites.” Texthelp’s script server was compromised, and threat actors added an obfuscated script to the Browsealoud one that limited the processing power used by the crypto miner to help it stay hidden. Researchers believe that approximately 4,200 websites were infected as a result of this incident.<br/> <a href="https://forum.anomali.com/t/thousands-of-government-orgs-websites-found-serving-crypto-mining-script/" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://threatpost.com/lenovo-warns-critical-wifi-vulnerability-impacts-dozens-of-thinkpad-models/129860/" target="_blank"><b>Lenovo Warns Critical Wi-Fi Vulnerability Impacts Dozens of ThinkPad Models</b></a> (<i>February 9, 2018</i>)<br/> Lenovo has released a security advisory stating that 24 of its ThinkPad models are affected by firmware vulnerabilities registered as “CVE-2017-11120” and “CVE-2017-11121.” These are the same firmware vulnerabilities that Apple and Google patched in their products in September 2017. The vulnerabilities are buffer overflows associated with controllers used by Broadcom’s wireless LAN driver. The buffer overflow can be exploited by threat actors to achieve arbitrary code execution on the adapter.<br/> <a href="https://forum.anomali.com/t/lenovo-warns-critical-wi-fi-vulnerability-impacts-dozens-of-thinkpad-models/" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://krebsonsecurity.com/2018/02/u-s-arrests-13-charges-36-in-infraud-cybercrime-forum-bust/" target="_blank"><b>U.S. Arrests 13, Charges 36 in “Infraud” Cybercrime Forum Bust</b></a> (<i>February 8, 2018</i>)<br/> The U.S. Department of Justice (DOJ) has announced that it has filed charges against 36 individuals for “Alleged Roles in Transnational Criminal Organization Responsible for More than $530 Million in Losses from Cybercrimes.” The DOJ worked with Asian, Australian, and European officials during this takedown, called “Operation Shadow Web.” The individuals are believed to be influential members of an underground cybercrime forum called “Infraud.” The forum, which began in October 2010, had approximately 11,000 members prior to the takedown, who bought, sold, and traded data, tools, and services including ATM skimmers, botnet hosting, credit card accounts, and malware.<br/> <a href="https://forum.anomali.com/t/u-s-arrests-13-charges-36-in-infraud-cybercrime-forum-bust/" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns" target="_blank"><b>UDPOS – Exfiltrating Credit Card Data via DNS</b></a> (<i>February 8, 2018</i>)<br/> A Point-of-Sale (POS) malware, dubbed “UDPOS,” is being distributed by threat actors impersonating a service pack provided by “LogMeIn.” According to Forcepoint researchers, one sample of UDPOS has been observed in the wild, and there is evidence suggesting it is being used; the evidence consists of LogMeIn file names and Command and Control (C2) URLs. If the fake package is downloaded and the file named “update.exe” is executed, the content of the file is automatically launched with 7-Zip’s “RunProgram” feature. The malware then creates a new service to maintain persistence on the affected system. UDPOS is designed to steal magnetic stripe data (Track 1 and Track 2) from debit and credit cards by scraping the memory of running processes.<br/> <a href="https://forum.anomali.com/t/udpos-exfiltrating-credit-card-data-via-dns/" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html" target="_blank"><b>Targeted Attacks In The Middle East</b></a> (<i>February 7, 2018</i>)<br/> Cisco Talos researchers have published their research regarding a new campaign consisting of targeted attacks against the Middle East. The threat actor(s) behind this campaign are using lure documents that purport to be “written by the Jordanian publishing and research house, Dar El-Jaleel.” Dar El-Jaleel is an organization known for its research and publications regarding the Palestinian-Israeli and Sunni-Shia conflicts. The campaign begins with a VBScript file titled “From inside Iran’s secret war in Syria.vbs” that generates a PowerShell script, which in turn creates a Microsoft Office document called “Report.doc” and opens it. The document contains a macro capable of creating a Windows Script File (WSF) and executing it to register the infected machine with the Command and Control (C2) server. The script then loops to continually contact the C2 and download additional payloads. The payloads are designed to steal information from the affected machine such as architecture, IP address, operating system, and username, in addition to maintaining persistence on the host.<br/> <a href="https://forum.anomali.com/t/targeted-attacks-in-the-middle-east/" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="http://www.zdnet.com/article/cisco-you-need-to-patch-our-security-devices-again-for-dangerous-asa-vpn-bug/" target="_blank"><b>Cisco: You Need to Patch Our Security Devices Again for Dangerous ASA VPN Bug</b></a> (<i>February 6, 2018</i>)<br/> Cisco has stated that its Adaptive Security Appliance (ASA) software is vulnerable to a new attack vector that its engineers identified. This means that the update Cisco issued for ASA in late January does not cover this scenario. According to Cisco, the vulnerability can be exploited by a remote actor “to cause a reload of the affected system or to remote execute code.”<br/> <a href="https://forum.anomali.com/t/cisco-you-need-to-patch-our-security-devices-again-for-dangerous-asa-vpn-bug/" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://motherboard.vice.com/en_us/article/gy8bxy/t-mobile-text-warning-phone-hijacking-number-port-out-scam" target="_blank"><b>T-Mobile Is Sending a Mass Text Warning of “Industry-Wide” Phone Hijacking Scam</b></a> (<i>February 5, 2018</i>)<br/> T-Mobile has distributed text messages en masse to its cell phone customers warning them of potential hijacking activity. The threat actor’s objective in this campaign is to gain control over a T-Mobile customer’s phone number. This can be accomplished by an actor calling T-Mobile, impersonating a legitimate customer, and requesting a new SIM card for the customer’s phone number; a SIM card associated with an authentic customer’s phone number gives the actor control over that number. An actor could also, again via social engineering, call T-Mobile and request that the phone number be moved to another provider. Once an actor has control over a phone number, he/she can pivot to other malicious activities to gain illicit revenue. This activity could include resetting passwords for financial accounts by asking a bank to send a reset link via text, and receiving text-based two-factor authentication codes.<br/> <a href="https://forum.anomali.com/t/t-mobile-is-sending-a-mass-text-warning-of-industry-wide-phone-hijacking-scam/" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://thehackernews.com/2018/02/grammar-checking-software.html" target="_blank"><b>Critical Flaw in Grammarly Spell Checker Could Let Attackers Steal Your Data</b></a> (<i>February 5, 2018</i>)<br/> Google Project Zero researcher Tavis Ormandy discovered a vulnerability in the “Grammarly” spell-checking extension for Chrome and Firefox. The vulnerability affects approximately 22 million Grammarly users by exposing authentication tokens to all websites that a user visits. A threat actor exploiting this vulnerability could steal said authentication tokens with a measly four lines of code, according to researchers.<br/> <a href="https://forum.anomali.com/t/critical-flaw-in-grammarly-spell-checker-could-let-attackers-steal-your-data/" target="_blank">Click here for Anomali recommendation</a></p>
<p><a href="https://myonlinesecurity.co.uk/dridex-delivered-by-fake-scan-pdf-attachment-via-link-hidden-behind-fake-recaptcha/" target="_blank"><b>Malspam Using PDF Attachments to Push Dridex since 2018-01-30</b></a> (<i>February 5, 2018</i>)<br/> Security researchers have observed a malspam campaign that is distributing the “Dridex” banking trojan via PDF file attachments. The PDF attachment contains a fake Google reCaptcha image that, when clicked, directs the user to a location that prompts for a 7-Zip (.7z) file to be downloaded. Downloading and extracting the 7-Zip file unarchives a VBScript file that, when run, results in a Dridex infection.<br/> <a href="https://forum.anomali.com/t/malspam-using-pdf-attachments-to-push-dridex-since-2018-01-30/" target="_blank">Click here for Anomali recommendation</a></p>
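A defender-side check for the behaviours the Olympic Destroyer story above attributes to the malware (shadow-copy deletion, event-log clearing, and PsExec/WMI lateral movement), written as an added example rather than Talos or Anomali code. It assumes the generic Windows command-line patterns for those behaviours (not the sample's exact commands, which the briefing does not give) and a simplified "user|parent|command" process-creation log format; the log lines are constructed.

```python
"""Flag process-creation events matching the destructive behaviours
described for Olympic Destroyer, then correlate them per parent process.
Command-line patterns are generic Windows ones (an assumption), and the
sample log is constructed for this example."""
import re
from dataclasses import dataclass

# Constructed process-creation records: user|parent process|command line.
SAMPLE_LOGS = """\
SYSTEM|services.exe|C:\\Windows\\System32\\svchost.exe -k netsvcs
alice|explorer.exe|C:\\Program Files\\Office\\WINWORD.EXE /n
SYSTEM|unknown.exe|vssadmin.exe delete shadows /all /quiet
SYSTEM|unknown.exe|wevtutil.exe cl System
SYSTEM|unknown.exe|wevtutil.exe cl Security
alice|cmd.exe|wevtutil.exe qe Application /c:5
SYSTEM|unknown.exe|C:\\Windows\\System32\\cmd.exe /c psexec.exe \\\\10.0.0.7 -s cmd.exe
SYSTEM|unknown.exe|wmic.exe /node:10.0.0.8 process call create "cmd.exe /c dir"
"""

# Each rule maps one behaviour from the briefing to a command-line pattern.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("event_log_cleared", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("psexec_lateral_movement", re.compile(r"\bpsexec(64)?(\.exe)?\b.*\\\\", re.I)),
    ("wmi_remote_process",
     re.compile(r"\bwmic(\.exe)?\s+/node:\S+\s+process\s+call\s+create", re.I)),
]


@dataclass
class Alert:
    rule: str
    user: str
    parent: str
    command: str


def parse_line(line: str):
    """Split one 'user|parent|command' record; the command may contain '|'."""
    user, parent, command = line.split("|", 2)
    return user, parent, command


def scan(log_text: str):
    """Return one Alert per (record, rule) match."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, parent, command = parse_line(line)
        for name, pattern in RULES:
            if pattern.search(command):
                alerts.append(Alert(name, user, parent, command))
    return alerts


def correlate(alerts, min_rules: int = 2):
    """Group alerts by parent process and keep parents that trip at least
    min_rules distinct rules: a lone 'wevtutil cl' may be an admin clearing
    a log, but one parent deleting shadow copies, clearing logs and pushing
    commands to other hosts is the destructive pattern described above."""
    by_parent = {}
    for a in alerts:
        by_parent.setdefault(a.parent, set()).add(a.rule)
    return {p: sorted(r) for p, r in by_parent.items() if len(r) >= min_rules}


if __name__ == "__main__":
    for parent, rules in correlate(scan(SAMPLE_LOGS)).items():
        print(f"{parent}: {', '.join(rules)}")
```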
