May 9, 2017 - Anomali Threat Research

Anomali Weekly Threat Intelligence Briefing - May 9, 2017

<p><b>Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p>
<h2>Trending Threats</h2>
<p>This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.</p>
<p><a href="https://blog.eset.ie/2017/05/08/malware-warning-for-mac-users-after-handbrake-mirror-download-server-hacked/" target="_blank"><b>Malware Warning for Mac Users, after HandBrake Mirror Download Server Hacked</b></a> (<i>May 8, 2017</i>)<br/> Researchers have discovered that the macOS video transcoder application "HandBrake" has been compromised. Users who downloaded the application between May 2 and May 6, 2017 may be infected with the "Proton" malware. Proton is capable of keylogging, stealing files, and taking screenshots. The compromised HandBrake application displays dialog boxes requesting additional access, prompting the user to authenticate by entering a password.<br/> <b>Recommendation:</b> HandBrake is advising users who downloaded new versions from its mirror website to check the SHA checksum of the download to determine whether the compromised version was installed. As this story shows, it is important to understand what permissions an application requests from its users, because unusual requests can indicate malicious activity.<br/> <b>Tags:</b> Compromise</p>
<p><a href="https://www.bleepingcomputer.com/news/security/hackers-use-flaws-in-telephony-core-protocol-to-bypass-2fa-on-bank-accounts/" target="_blank"><b>Hackers Use Flaws in Telephony Core Protocol to Bypass 2FA on Bank Accounts</b></a> (<i>May 5, 2017</i>)<br/> The German newspaper Süddeutsche Zeitung published an article describing how threat actors exploited vulnerabilities in the mobile network protocol Signaling System No. 7 (SS7). SS7 was first developed in 1975 and is used to route phone calls between different mobile providers. Cybercriminals were identified exploiting the protocol by using an SS7 hacking rig to interact with other telephony providers in order to intercept SMS messages. The intercepted messages were used to steal money from individuals' bank accounts.<br/> <b>Recommendation:</b> Accounts protected by SMS-based authentication, including SMS two-factor authentication, are potentially at risk of interception by actors using this method. Organizations should therefore take the necessary steps to adopt authentication methods that do not rely on text messages, such as an authenticator mobile application provided by a trusted vendor, to avoid this weakness.<br/> <b>Tags:</b> Vulnerability, Mobile</p>
<p><a href="https://www.bleepingcomputer.com/news/security/new-fatboy-ransomware-as-a-service-advertised-on-russian-hacking-forum/" target="_blank"><b>New Fatboy Ransomware-as-a-Service Advertised on Russian Hacking Forum</b></a> (<i>May 5, 2017</i>)<br/> A ransomware called "Fatboy" has been identified being advertised on Russian-speaking forums as a Ransomware-as-a-Service (RaaS). Interestingly, the RaaS calculates the payment for the decryption key using the Big Mac Index (McDonald's Index) combined with the victim's IP address and country of origin. Fatboy uses AES-256 to encrypt all files on a Windows machine with individual keys and then encrypts each key with RSA-2048.<br/> <b>Recommendation:</b> Always run antivirus and endpoint protection software to help prevent ransomware infection. Maintain secure backups of all your important files so that paying for the decryption key never needs to be considered. Emails from unknown sources should be treated with caution, and their attachments and links should not be opened or followed. Your company should maintain policies to consistently check for and apply new security patches. In the case of a ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for additional infections.<br/> <b>Tags:</b> Ransomware, RaaS</p>
<p><a href="https://www.fireeye.com/blog/threat-research/2017/05/dridex_and_lockyret.html" target="_blank"><b>Dridex and Locky Return Via PDF Attachments in Latest Campaigns</b></a> (<i>May 4, 2017</i>)<br/> The Dridex banking trojan and Locky ransomware have resumed their large-scale spam distribution campaigns after declining in late 2016, according to FireEye researchers. Both malware families are being distributed via malspam emails containing a PDF file purporting to be a payment receipt, primarily targeting the insurance sector in the U.S. A second malspam campaign was also identified distributing Dridex and Locky using PDF attachments claiming to be a printer alert for a scanned document. This campaign primarily targets government entities in Japan, the Middle East, and the U.S.<br/> <b>Recommendation:</b> All employees should be educated on the risks of malspam and how to identify such attempts. Poor grammar and urgent content are often indicators of these types of attacks. Additionally, messages that request the recipient to open a file attachment should be treated with suspicion.<br/> <b>Tags:</b> Malspam, Malware</p>
<p><a href="https://www.helpnetsecurity.com/2017/05/04/wordpress-password-reset-vulnerabilities/" target="_blank"><b>WordPress Admins Take Note: RCE and Password Reset Vulnerabilities Revealed</b></a> (<i>May 4, 2017</i>)<br/> Security researcher Dawid Golunski has published his findings on two vulnerabilities that affect WordPress websites. The first, CVE-2016-10033, can be exploited to achieve remote code execution. The second, CVE-2017-8295, can be exploited to reset the password of a WordPress account. At the time of this writing, WordPress has not confirmed that CVE-2017-8295 has been patched.<br/> <b>Recommendation:</b> Webmasters sometimes discover that one of their sites was compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external-facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, an incident response plan, and customer communication channels should all be established before a breach occurs.<br/> <b>Tags:</b> Vulnerability, Website</p>
<p><a href="https://www.ptsecurity.com/ww-en/about/news/240117/" target="_blank"><b>Positive Technologies Discovers Vulnerability in ATM Security Software</b></a> (<i>May 3, 2017</i>)<br/> A vulnerability has been identified in the technology company GMV's Check ATM security software, according to Positive Technologies researchers. The vulnerability can be exploited by an actor posing as the ATM's control server, which could be accomplished via ARP poisoning. Then, during the ATM's process of generating a public key for traffic encryption, the attacker can trigger a buffer overflow that could allow full remote control over the ATM.<br/> <b>Recommendation:</b> Although ATMs are a specialized type of computer, securing them relies on the same preventative measures as any other system. In the case of a confirmed infection, the ATM must be taken offline until it can be completely wiped and restored to its original factory settings. An audit of the transactions performed on the ATM should be conducted alongside a formal incident response investigation. Additionally, the latest security patches should be applied as soon as they become available.<br/> <b>Tags:</b> Vulnerability, ATM</p>
<p><a href="https://arstechnica.com/security/2017/05/google-docs-phish-worm-grabs-your-google-app-permissions-contacts/" target="_blank"><b>All Your Googles are Belong to Us: Look Out for the Google Docs Phishing Worm</b></a> (<i>May 3, 2017</i>)<br/> A widely circulated email claiming to invite the recipient to share access to a Google Docs document was identified to be distributing a worm. The phishing attack directs the recipient to a fake web page impersonating the Google sign-in page. If a user enters their credentials, the worm steals all of the user's contacts and sends phishing emails to them as well. Google has since shut down the domains associated with this phishing campaign.<br/> <b>Recommendation:</b> It is important that your company institute policies to educate employees on phishing attacks, specifically how to identify such attacks and whom to contact when a phishing email is identified.<br/> <b>Tags:</b> Phishing</p>
<p><a href="http://blogs.rsa.com/supercmd-rat/" target="_blank"><b>SuperCMD RAT</b></a> (<i>May 3, 2017</i>)<br/> RSA researchers have discovered a new Remote Access Trojan (RAT) dubbed "SuperCMD" that is capable of installing legitimate Novell Client drivers into the Windows kernel. The RAT does so by first installing the drivers in the "C:\Windows\System32" directory</p>
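<p>As an added example (not code from the briefing or from the HandBrake project), the check the HandBrake entry above recommends: verifying a download's SHA-256 against a published sha256sum-style checksum line. The installer bytes and file name below are constructed for the demo.</p>

```python
import hashlib
import hmac
import os
import tempfile

# Added example, not HandBrake's own tooling: verify a downloaded file
# against a published line of the form "<hex digest>  <filename>", the
# format produced by `sha256sum` and `shasum -a 256`.

def parse_checksum_line(line: str) -> tuple:
    """Return (hex_digest, filename) from a sha256sum-style line.
    A leading '*' on the filename marks binary mode and is dropped."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2 or len(parts[0]) != 64:
        raise ValueError("malformed checksum line: %r" % line)
    return parts[0].lower(), parts[1].lstrip("*")

def sha256_of_file(path: str) -> str:
    """Stream the file in 1 MiB chunks so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path: str, checksum_line: str) -> bool:
    """True only if the file's SHA-256 equals the published digest.
    compare_digest keeps the comparison constant-time."""
    expected, _name = parse_checksum_line(checksum_line)
    return hmac.compare_digest(sha256_of_file(path), expected)

def demo() -> bool:
    # Constructed sample: a stand-in "installer" plus its known-good digest,
    # checked once against the right line and once against a tampered one.
    payload = b"constructed installer bytes for the example\n"
    good = hashlib.sha256(payload).hexdigest()
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(payload)
        path = tmp.name
    try:
        ok = verify_download(path, "%s  HandBrake-example.dmg" % good)
        bad = verify_download(path, "00" * 32 + "  HandBrake-example.dmg")
        return ok and not bad
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print("checksum verification works:", demo())
```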
