Anomali Cyber Watch: Microsoft Office SharePoint Servers Targeted with Ransomware, New Commodity Crypto-Stealer and RAT, Linux Backdoor Targeting Users for Years, and More
<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>Data Theft, Backdoor, Ransomware, Targeted Ransomware Attacks</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/UvBgV3sTLOsJiUN2Qpgm"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/python-also-impacted-by-critical-ip-address-validation-vulnerability/" target="_blank">Python Also Impacted by Critical IP Address Validation Vulnerability</a></h3> <p>(published: May 1, 2021)</p> <p>Researchers have recently discovered that a bug previously discovered in netmask (a tool to assist with IP address scoping) is also present in recent versions of Python 3. The bug involves the handling of leading zeroes in decimal represented IP addresses. Instead of interpreting these as octal notation as specified in the standard, the python ipaddress library strips these and interprets the initial zero and interprets the rest as a decimal. This could allow unauthenticated remote attackers to perform a number of attacks against programs that rely on python's stdlib ipdaddress library, including Server-Side Request Forgery (SSRF), Remote File Inclusion (RFI), and Local File Inclusion (LFI).<br/> <b>Analyst Comment:</b> Best practices for developers include input validation and sanitization, which in this case would avoid this bug by validating or rejecting IP addresses. Additionally regular patch and update schedules will allow for rapid addressing of bugs as they are discovered and patches delivered. Proper network monitoring and policies are also an important part of protecting against these types of attacks.<br/> <b>Tags:</b> CVE-2021-29921, python</p> </div> <div class="trending-threat-article"> <h3 id="article-2"><a href="https://www.bleepingcomputer.com/news/security/codecov-begins-notifying-affected-customers-discloses-iocs/" target="_blank">Codecov Begins Notifying Affected Customers, Discloses IOCs</a></h3> <p>(published: April 30, 2021)</p> <p>Codecov has disclosed multiple IP addresses as IOCs that were used by the threat actors to collect sensitive information (environment variables) from the affected customers. The company disclosed a supply-chain breach on April 15, 2021, and has now begun notifying customers. The breach went undiscovered for 2 months, and leveraged the Codecov Bash Uploader scripts used by a large number of projects.<br/> <b>Analyst Comment:</b> In light of the increasing frequency and sophistication of supply chain attacks, companies should carefully audit, examine, and include in their threat modelling means of mitigating and detecting third party compromises. A resilient and tested backup and restore policy is an important part of the overall security strategy.<br/> <b>Tags:</b> North America, Codecov, supply chain</p> </div> <div class="trending-threat-article"> <h3 id="article-3"><a href="https://blog.eset.ie/2021/04/30/fbi-teams-up-with-have-i-been-pwned-to-alert-emotet-victims/" target="_blank">FBI Teams up with ‘Have I Been Pwned’ to Alert Emotet Victims</a></h3> <p>(published: April 30, 2021)</p> <p>The FBI has shared more than 4.3 million email addresses with data breach tracking site Have I Been Pwned. The data breach notification site allows you to check if your login credentials may have been compromised by Emotet. In total, 4,324,770 email addresses were provided which span a wide range of countries and domains. The addresses are actually sourced from 2 separate corpuses of data obtained by the agencies.<br/> <b>Analyst Comment:</b> Frequently updated endpoint detection policies as well as network security are part of the mitigation strategy for malware in general. Organizations should check to ensure that their employee emails have not been compromised and change passwords and monitor any accounts that may have been compromised.<br/> <b>Tags:</b> Troy Hunt, Emotet, MilitaryEU & UK, North America</p> </div> <div class="trending-threat-article"> <h3 id="article-4"><a href="https://www.zdnet.com/article/microsoft-finds-memory-allocation-holes-in-range-of-iot-and-industrial-technology/#ftag=RSSbaffb68" target="_blank">Microsoft Finds Memory Allocation Holes in Range of IoT and Industrial Technology</a></h3> <p>(published: April 30, 2021)</p> <p>The security research group for Azure Defender for IoT, dubbed Section 52, has found a batch of bad memory allocation operations that could lead to malicious code execution. The use of these functions gets problematic when passed external input that can cause an integer overflow or wraparound as values to the functions. The list of affected products in the advisory includes devices from Google Cloud, Arm, Amazon, Red Hat, Texas Instruments and Samsung Tizen.<br/> <b>Analyst Comment:</b> IoT devices within an organization should be carefully considered, and where allowed need to be properly managed and segmented from sensitive networks. Considering the prevalence of IoT devices that employees doing remote work are exposed to, increased user education and endpoint monitoring is an important part of the overall security strategy.<br/> <b>Tags:</b> Bad Memory Allocation, Malicious code execution</p> </div> <div class="trending-threat-article"> <h3 id="article-5"><a href="https://unit42.paloaltonetworks.com/westeal/" target="_blank">New Shameless Commodity Cryptocurrency Stealer (WeSteal) and Commodity RAT (WeControl)</a></h3> <p>(published: April 29, 2021)</p> <p>CVE-2019-0604 is a high-severity CVE that can lead to remote code execution. Microsoft patched the flaw in March 2019, but there seems to be no end to the attacks that have used it to penetrate unpatched servers since then. There are various tactics to help alert users to possible attacks, such as setting up each SharePoint server to use a familiar background or image for users to ensure that they only input credentials on legitimate sites.<br/> <b>Analyst Comment:</b> CVE-2019-0604 is a high-severity CVE that can lead to remote code execution. Microsoft patched the flaw in March 2019, but there seems to be no end to the attacks that have used it to penetrate unpatched servers since then. There are various tactics to help alert users to possible attacks, such as setting up each SharePoint server to use a familiar background or image for users to ensure that they only input credentials on legitimate sites.<br/> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947243" target="_blank">[MITRE ATT&CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947201" target="_blank">[MITRE ATT&CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947139" target="_blank">[MITRE ATT&CK] Remote Access Tools - T1219</a><br/> <b>Tags:</b> WeSteal, WeControl, Cryptocurrency</p> </div> <div class="trending-threat-article"> <h3 id="article-6"><a href="https://www.fireeye.com/blog/threat-research/2021/04/abusing-replication-stealing-adfs-secrets-over-the-network.html" target="_blank">Abusing Replication: Stealing AD FS Secrets Over the Network | FireEye Inc</a></h3> <p>(published: April 28, 2021)</p> <p>FireEye analysts have observed an increased focus on long-term persistent access to Microsoft 365 as one of the threat group UNC24452's primary objectives. One of this group's key TTPs was to steal the Token Signing Certificate from an organization's AD FS server to enable them to bypass MFA and access cloud services as any user.<br/> <b>Analyst Comment:</b> Network mitigations combined with certificate and key rotation policies remain the best mitigations for these attacks.<br/> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947269" target="_blank">[MITRE ATT&CK] Access Token Manipulation - T1134</a> | <a href="https://ui.threatstream.com/ttp/947231" target="_blank">[MITRE ATT&CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/947097" target="_blank">[MITRE ATT&CK] Permission Groups Discovery - T1069</a> | <a href="https://ui.threatstream.com/ttp/947166" target="_blank">[MITRE ATT&CK] Modify Registry - T1112</a><br/> <b>Tags:</b> UNC2452,</p> </div> <div class="trending-threat-article"> <h3 id="article-7"><a href="https://www.bleepingcomputer.com/news/security/new-stealthy-linux-malware-used-to-backdoor-systems-for-years/" target="_blank">New stealthy Linux Malware Used to Backdoor Systems for Years</a></h3> <p>(published: April 28, 2021)</p> <p>The backdoor, dubbed RotaJakiro by researchers at Qihoo 360's Network Security Research Lab, remains undetected by VirusTotal's anti-malware engines. It is designed to operate as stealthy as possible, encrypting its communication channels using ZLIB compression and AES, XOR, ROTATE encryption. It also does its best to block malware analysts from dissecting it. RotaJakiro shares multiple functional similarities with the Torii IoT botnet first spotted in 2018.<br/> <b>Analyst Comment:</b> Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to protect against the constantly evolving threat landscape, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place, as well as patching and backup policies.<br/> <b>Tags:</b> Torii, RotaJakiro backdoor,</p> </div> <div class="trending-threat-article"> <h3 id="article-8"><a href="https://threatpost.com/sharepoint-phish-ransomware-attacks/165671/" target="_blank">Microsoft Office SharePoint Targeted With High-Risk Phish, Ransomware Attacks</a></h3> <p>(published: April 28, 2021)</p> <p>A phishing campaign, discovered by researchers at Cofense, is draping itself in a Microsoft Office SharePoint theme. The phish is targeting Office 365 users with a legitimate-looking SharePoint document that claims to urgently need an email signature. The campaign cropped up in a spot that's supposed to be protected by Microsoft's own Secure Email Gateway (SEG). This isn't the first time that we've seen the SEG sanctuary get polluted.<br/> <b>Analyst Comment:</b> Phishing education and good vulnerability management policies, combined with the recommendations within the article are all key parts of the best practices for securing organizations.<br/> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947247" target="_blank">[MITRE ATT&CK] Web Shell - T1100</a><br/> <b>Tags:</b> DKIM, Net, Cobalt Strike, Pings, CVE-2019-0604,</p> </div> <div class="trending-threat-article"> <h3 id="article-9"><a href="https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/" target="_blank">UK Rail Network Merseyrail Likely Hit by Lockbit Ransomware</a></h3> <p>(published: April 28, 2021)</p> <p>UK rail network Merseyrail has confirmed a cyberattack after a ransomware gang used their email system to email employees and journalists about the attack. "A full investigation has been launched and is continuing," the rail network told BleepingComputer. "We have notified the relevant authorities in the meantime," the network said yesterday. "It would be inappropriate" to comment further while the investigation is underway. Lockbit is a relatively new strain of ransomware (first seen in 2019), that rapidly exploits common protocols like SMB, ICMP, and Powershell to propagate through a victim's network.<br/> <b>Analyst Comment:</b> A combination of EDR, patch management, and validated backup policies are critical elements in a defense in depth strategy for asset protection. Backup policies should include mitigations to prevent compromise of the backups.<br/> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947106" target="_blank">[MITRE ATT&CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> Lockbit, Merseyrail, EU & UK</p> </div> <div class="trending-threat-article"> <h3 id="article-10"><a href="https://threatpost.com/babuk-ransomware-washington-dc-police/165616/" target="_blank">Babuk Ransomware Gang Targets Washington DC Police</a></h3> <p>(published: April 27, 2021)</p> <p>The Babuk gang of threat actors claims to have stolen more than 250 gigabytes of data from the Washington D.C. Metropolitan Police Department (MPD) on Monday, including police reports, internal memos, and arrested people's mug shots and personal details. According to Vice, the attackers published the claim and the data on the official Babuk site. An MPD spokesperson acknowledged in an email sent to Threatpost Tuesday morning that the department's systems had been breached and that it had contacted the FBI. "We are aware of unauthorized access on our server," the spokesperson said.<br/> <b>Analyst Comment:</b> EDR solutions can help tracking suspicious command line arguments and process creations to potentially detect such attacks. Customers should use backup solutions to be able recover encrypted files, as well as a well defined defense in depth strategy.<br/> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> Babuk, ThreatConnect, Government, Healthcare, Military</p> </div>
Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox
Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.