Weekly Threat Briefing: NASA Jira Server Leaked Internal Project And Employee Data

<div id="weekly">The intelligence in this week's iteration discuss the following threats: Adware, Backdoor, CryptoMix, Data breaches, DNS hijacking, FlawedGrace, ICEPick-3PC, MageCart, Malware, Phishing, Ransomware, ServHelper, Side-channel attack, TA505, TEMP.MixMaster, and Vulnerabilities. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.<div id="trending-threats"><h2 id="trendingthreats">Trending Threats </h2><a href="https://latesthackingnews.com/2019/01/13/nasa-jira-server-leaked-internal-project-and-employee-data/" target="_blank">NASA Jira Server Leaked Internal Project And Employee Data </a> (January 13, 2019) The JIRA server for NASA reportedly was misconfigured, causing sensitive internal data to be leaked. According to an unnamed security researcher, he found that the misconfigured JIRA server could allow an unauthorised user to access internal data and share it via the internet. The permission settings were not properly set up, so an anonymous user could access the "user picker functionality" which allows for extracting usernames and passwords of all users. The JIRA filter settings were also not properly configured and thus allowed for anyone to get a general understanding of the types of projects NASA was undertaking. Whilst NASA received notice of this issue in September 2018, they did not fix the problem for over three weeks. <a href="https://forum.anomali.com/t/nasa-jira-server-leaked-internal-project-and-employee-data/3431" target="_blank">Click here for Anomali recommendation</a> <a href="https://www.zdnet.com/article/cvs-containing-sensitive-info-of-over-202-million-chinese-users-left-exposed-online/" target="_blank">CVs Containing Sensitive Info of Over 202 Million Chinese Users Left Exposed Online </a> (January 10, 2019) Bob Diachenko, a researcher from Hacken Proof, discovered an unsecured MongoDB database server that contained detailed CVs of over 202 million Chinese persons. The server contained 845 gigabytes (GB) of data, approximately equating to 202,730,434 records. Personally Identifiable Information (PII) exposed in this breach include: body measurements like height and weight, education, emails, full names, home addresses, literacy level, marital status, number of children, past jobs, phone numbers, political affiliations, salary expectations, amongst other information. At the time of the article's publication, it is unclear to whom the administrator of the unsecured server is that allowed for the breach of data. A popular Chinese job portal, "bj.58[.]com" is one of the primary sources of the leaked data, but disclosed that the data in the unsecured server was from a data scraper that likely scrapes several different job portal sites. The unknown owner of the server appeared to have secured the server and removed the GitHub repository a few days following Diachenko's public request on Twitter to find the owner and fix the issue. <a href="https://forum.anomali.com/t/cvs-containing-sensitive-info-of-over-202-million-chinese-users-left-exposed-online/3432" target="_blank">Click here for Anomali recommendation</a><a href="https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" target="_blank">A Nasty Trick: From Credential Theft Malware to Business Disruption </a> (January 10, 2019) Researchers from FireEye have been tracking an interactive deployment of both the "Ryuk" ransomware and the "Trickbot" malware, dubbed "TEMP.MixMaster." TEMP.MixMaster is not attributed to any one group at the time of the article's publication, and references to the deployment of Ryuk ransomware following a Trickbot infection. In several cases of TEMP.MixMaster, threat actors utilised a payroll-themed phishing email to coax users to open an XLS attachment that delivered Trickbot if macros were enabled in the document. Trickbot would then create scheduled tasks on the infected machine to execute itself and obtain persistence following a reboot. Once the unknown threat actors utilising Trickbot gained a foothold in a system network, a period of inactivity would follow before the Ryuk ransomware would be distributed. These campaigns that have been observed using both Trickbot and Ryuk appear to be fairly indiscriminately targeted as the group have impacted organisations in government, financial services, manufacturing, service providers, and many others. <a href="https://forum.anomali.com/t/a-nasty-trick-from-credential-theft-malware-to-business-disruption/3433" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947127">[MITRE ATT&CK] Scheduled Task (T1053)</a><a href="https://threatpost.com/intel-patches-privilege-escalation-bugs/140665/" target="_blank">Intel Patches High-Severity Privilege-Escalation Bugs </a> (January 9, 2019) Intel released patches for five vulnerabilities, three of which were deemed "high-severity." The three high-severity flaws include a privilege escalation vulnerability in Intel's wireless connection management tool, "PROset/Wireless Wi-Fi software," that is registered as "CVE-2018-12177," a vulnerability in the System Support Utility for Windows that also allows unauthorised privilege escalation, registered as "CVE-2019-0088", and a flaw in its Software Guard Extensions (SGX) platform, registered as "CVE-2018-18098." The other two vulnerabilities fixed in this update include a medium-severity vulnerability in the SGX that could allow an unprivileged user to cause information disclosure via local access, registered as "CVE-2018-12155," and another medium-severity privilege escalation vulnerability in the SSD data-centre tool for Windows. <a href="https://forum.anomali.com/t/intel-patches-high-severity-privilege-escalation-bugs/3434" target="_blank">Click here for Anomali recommendation</a><a href="https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" target="_blank">ServHelper and FlawedGrace - New Malware Introduced by TA505 </a> (January 9, 2019) A phishing email campaign has been observed dropping a new backdoor named "ServHelper" and the Remote Access Trojan (RAT) malware "FlawedGrace," according to researchers at Proofpoint. The email campaign has been targeting financial institutions, retail businesses, and restaurants, and is currently attributed the to known threat group, "TA505." The phishing email contained a message purporting to be regarding bank information that contained an attachment with the details. If the document was opened, it would request macros to be enabled (if it was a Word document) or would have URLs in a PDF directing users to a "PDF plugin." Allowing macros or clicking the link would execute the ServHelper downloader and well as execute FlawedGrace. ServHelper has two variants: a tunnel variant and a downloader variant. The tunnel variant has more features such as setting up reverse SSH tunnels to give TA505 access to an infected machine via Remote Desktop Protocol (RDP). The downloader does not contain this tunnelling feature and is utilised as a basic downloader. <a href="https://forum.anomali.com/t/servhelper-and-flawedgrace-new-malware-introduced-by-ta505/3435" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&CK] Spearphishing Link (T1192)</a> | <a href="https://ui.threatstream.com/ttp/947156">[MITRE ATT&CK] Remote Desktop Protocol (T1076)</a><a href="https://www.businessinsider.com/apple-phone-number-logo-shows-up-on-iphones-in-scam-calls-2019-1?r=US&IR=T" target="_blank">A Scary Type of Scam Call Causes Apple's Logo and Phone Number to Pop Up on Your iPhone Lock Screen, But There's a Way to Protect Yourself</a> (January 9, 2019) A new scam has been targeting Apple users that makes calls under the official Apple Help Line number to try to social engineer people into giving the threat actors their Personally Identifiable Information (PII) and financial information. The threat actors spoof Apple's official phone number and input their logo as the caller ID to encourage victims to pick up the phone. They then attempt to get the user to share their credentials, likely to utilise them for the threat actors own financial gain. <a href="https://forum.anomali.com/t/a-scary-type-of-scam-call-causes-apples-logo-and-phone-number-to-pop-up-on-your-iphone-lock-screen-but-theres-a-way-to-protect-yourself/3436" target="_blank">Click here for Anomali recommendation</a><a href="https://mediatrust.com/blog/icepick-3pc-new-malware-steals-device-ip-en-masse" target="_blank">ICEPick-3PC: New Malware Steals Device IP En Masse</a> (January 9, 2019) The Media Trust's Digital Security & Operations security research team discovered a malware strain, dubbed "ICEPick-3PC," that executes following the threat actor hijacking the third-party tools on a website. It is distributed via malicious code being injected into libraries used by third party advertisers. This malware will run checks on the device to see battery level, device motion, orientation, device type, if anti-malware software in on the device, and user agent. The malware probably targets Android devices specifically due to the open-source specific vulnerabilities they have. Once all the checks have been conducted, the malware will establish an RTC peer connection between the infected device and remote peer and send the infected device's IP to the remote device. The malware is able to bypass Virtual Private Networks (VPN) to obtain the device's IP address, as it makes a peer-to-peer connection, which can allow the unknown threat actors to identify a device's own vulnerabilities for future campaigns. <a href="https://forum.anomali.com/t/icepick-3pc-new-malware-steals-device-ip-en-masse/3437" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947137">[MITRE ATT&CK] Supply Chain Compromise (T1195)</a><a href="https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html" target="_blank">Global DNS Hijacking Campaign: DNS Record Manipulation at Scale </a> (January 9, 2019) FireEye researchers have observed a new wave of Domain Name System (DNS) hijacking campaigns targeting government, internet, and telecommunications entities in Europe, the Middle East, North Africa, and North America. Whilst no specific threat group has been attributed to the campaign, it appears that the attacks are originating from Iranian IPs. The ways in which the unknown threat actors attack a targeted DNS are by either altering "DNS A Records," altering "DNS NS (Name Server) Records," or using a DNS Redirector. To alter the DNS A Records, the threat actor will log into a proxy box to browse without specific attribution, then log into the DNS provider's administrative panel using previously compromised credentials. They will change the A record and point it to one of the actor-controlled IP addresses. Here, a "Let's Encrypt" Certificate is set up for each domain to make the malicious domain appear legitimate, and eventually the username, password, and domain credentials are all harvested and stored from the hijacked domain. The DNS NS Record technique, changes the name server record which will redirect user to the threat actor's IP address when a specific domain name is visited. This will also harvest all credentials entered in a specific domain. It is currently unclear how the threat actors are obtaining the credentials for initial access to the targeted domains. <a href="https://forum.anomali.com/t/global-dns-hijacking-campaign-dns-record-manipulation-at-scale/3438" target="_blank">Click here for Anomali recommendation</a><a href="https://www.zdnet.com/article/adobe-fixes-vulnerabilities-in-connect-and-digital-editions-flash-left-in-the-cold/" target="_blank">Adobe Fixes Vulnerabilities in Connect and Digital Editions, Flash Left in the Cold </a> (January 9, 2019) Adobe released a security update for January 2019 that issued patches for vulnerabilities in Adobe Connect, a conferencing and training software, and Digital Editions. The first flaw addressed in Adobe Connect, registered as "CVE-2018-19718," was ranked as "important" and was a session token exposure problem that revealed to anyone the privileges granted to a specific session. "CVE-2018-12817" was an out-of-bounds read vulnerability in Digital Editions that could lead to information disclosure if exploited. <a href="https://forum.anomali.com/t/adobe-fixes-vulnerabilities-in-connect-and-digital-editions-flash-left-in-the-cold/3439" target="_blank">Click here for Anomali recommendation</a><a href="https://www.securityweek.com/new-side-channel-attack-targets-os-page-cache" target="_blank">New Side-Channel Attack Targets OS Page Cache</a> (January 8, 2019) A new side-channel attack method has been discovered by researchers from CrowdStrike, NetApp, Boston University, Intel, and Graz University of Technology that targets an operating system's page cache. This type of attack vector works with both Windows and Linux operating systems, where malware can leverage the page cache to conduct various activities such as creating high-speed covert channels to bypass sandboxes, placing phishing windows over a legitimate application, keylogging, and reconstruct temporary passwords generated by frameworks that use UNIX timestamps to generate random numbers. It is also possible for remote page cache attacks to affect systems, though these are not hardware agnostic, and can be used to build a covert channel to exfiltrate information over a network from a protected network. It is unclear to researchers at the time, whether the attack could also work on macOS. Linux and Microsoft are aware of the vulnerability and are developing mitigations currently. <a href="https://forum.anomali.com/t/new-side-channel-attack-targets-os-page-cache/3440" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&CK] Input Capture (T1056)</a><a href="https://www.zdnet.com/article/this-old-ransomware-is-using-an-unpleasant-new-trick-to-try-and-make-you-pay-up/" target="_blank">This Old Ransomware is Using an Unpleasant New Trick to Try and Make You Pay Up</a> (January 8, 2019) The old ransomware family, "CryptoMix," has been observed in a new campaign recently by researchers from Coveware. This campaign begins by attempting to brute force weak passwords on RDP ports, and if they successfully gain access, the threat actors with then harvest administrative credentials in order to laterally move inside the network. All the servers on a network will be encrypted and backup files will be wiped, then a ransom note will notify users of what they will have to do in order to get their files back. This campaign varies a bit from most ransomware campaigns in that the threat actors request two or three Bitcoins, but say that the money will be donated to children's charities, to manipulate the victims to pay the ransom. The actors behind CryptoMix appear to have stolen information about real children from crowdfunding and local news sites to give the appearance that the children's charity donation claim is legitimate. <a href="https://forum.anomali.com/t/this-old-ransomware-is-using-an-unpleasant-new-trick-to-try-and-make-you-pay-up/3441" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947227">[MITRE ATT&CK] Brute Force (T1110)</a> | <a href="https://ui.threatstream.com/ttp/947156">[MITRE ATT&CK] Remote Desktop Protocol (T1076)</a><a href="https://www.imperva.com/blog/scapy-sploit-python-network-tool-is-vulnerable-to-denial-of-service-dos-attack-cve-pending/" target="_blank">Scapy-sploit: Python Network Tool is Vulnerable to Denial of Service (DoS) Attack CVE pending </a> (January 8, 2019) Researchers from Imperva discovered a vulnerability in the new version, 2.4.0, of the packet manipulation tool used by cyber security researchers and network engineers, "Scapy," that can allow for a Denial-of-Service (DoS) state. The tool utilises a heuristic algorithm that relies on port numbers to determine the type of network packet, and those packet types can be easily faked. The vulnerability is from a lack of input validation when reading the length field in the "RADIUS" packet's Attribute Value Pairs (AVP) that causes an infinite loop if a particular byte is set to zero. This infinite loop then results in a DoS state in Scapy, leading Scapy to crash. <a href="https://forum.anomali.com/t/scapy-sploit-python-network-tool-is-vulnerable-to-denial-of-service-dos-attack-cve-pending/3442" target="_blank">Click here for Anomali recommendation</a><a href="https://thehackernews.com/2019/01/android-adware-malware.html" target="_blank">Google Removes 85 Adware Apps That Infect 9 Million Android Users </a> (January 8, 2019) Google removed over 80 applications from its Google Play Store after being notified that they were pushing aggressive, full-screen adware. The applications were feigned to be games, tv streaming applications, and remote control simulators, and had been downloaded by approximately nine million users. Some of the malicious applications include: Easy Universal TV Remote, Police Chase Extreme City 3D Game, Prado Parking City 3D Game, Moto Racing, Parking Game, TV WORLD, SPORT TV, A/C Air Conditioner Remote, Garage Door Remote Control, and several more. The applications came from different developers but shared similar code and names. The applications will uncontrollably run advertisements, including in the background when the user is not in the application, and garner the threat actors a profit every time. Google had removed the applications from the Google Play Store, however users who had already downloaded the application, have to manually remove it, which can be difficult with ads constantly popping up as soon as the phone is unlocked. <a href="https://forum.anomali.com/t/google-removes-85-adware-apps-that-infect-9-million-android-users/3443" target="_blank">Click here for Anomali recommendation</a><a href="https://nakedsecurity.sophos.com/2019/01/08/hacker-uses-aussie-early-warning-system-for-fake-message-campaign/" target="_blank">Hacker Uses Early Warning System for Fake Message Campaign </a> (January 8, 2019) An unknown threat actor obtained illegal access to the Australian emergency warning notification service, "Early Warning Network," on January 5, 2019, and sent out fake messages to people all over the continent. The unknown actor sent a message headlined as "EWM Hacked ñ Privacy Alert," via email, landline telephone, and text message that stated: "EWM has been hacked. Your personal data stored with us is not safe. We are trying to fix the security issues. Please email support@ewn.com.au if you wish to subscribe. ewn.com.au ASX AER/." The organisation was able to detect the fraudulent message, and shut down the system, however, some tens of thousands of people still received the message. According to the organisation, the threat actor was able to access a legitimate account login to send out the fake message, and the link in the message appeared to not be malicious. <a href="https://forum.anomali.com/t/hacker-uses-early-warning-system-for-fake-message-campaign/3444" target="_blank">Click here for Anomali recommendation</a><a href="https://www.zdnet.com/article/coinbase-suspends-ethereum-classic-etc-trading-after-double-spend-attacks/" target="_blank">Coinbase Suspends Ethereum Classic (ETC) Trading After Double-spend Attacks </a> (January 7, 2019) Coinbase, a cryptocurrency trading portal, removed the "Ethereum Classic" (ETC) currency from its portal after noticing several days of double-spend attacks. A double-spend attack is where a threat actor will engage in unauthorised transactions over legitimate ones that are occurring. The double-spend attacks occurred from January 5, 2019 until January 8, 2019 when Coinbase suspended ETC on their portal. Since the suspension of ETC, the unknown threat actor behind the attacks has conducted at least 11 double-spend attacks where they moved funds from legitimate accounts to their own, which equates to approximately 88,500 ETC ($460,000) in transactions. According to Coinbase, the attacks are still ongoing, but it is unclear if attackers are attempting to move money from a different trading portal. <a href="https://forum.anomali.com/t/coinbase-suspends-ethereum-classic-etc-trading-after-double-spend-attacks/3445" target="_blank">Click here for Anomali recommendation</a><a href="https://www.bleepingcomputer.com/news/security/oxo-discloses-magecart-attack-that-targeted-customer-data-on-oxocom/" target="_blank">OXO Discloses MageCart Attack That Targeted Customer Data on Oxo.com </a> (January 7, 2019) US-based kitchen utensil manufacturing company, OXO International, announced that they had suffered a data breach that occurred during several time periods over two years. Between June 9, 2017 to November 28, 2017, June 8, 2018 to June 9, 2018, and July 20, 2018 to October 16, 2018, their servers were compromised, by a suspected MageCart, in an attempt to obtain customer credentials and payment information. Any data entered into their website, "https://www.oxo[.]com," is believed to have been compromised, but the organisation does not think that the actors were successful in obtaining any data. <a href="https://forum.anomali.com/t/oxo-discloses-magecart-attack-that-targeted-customer-data-on-oxo-com/3446" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&CK] Scripting (T1064)</a></div></div>