Weekly Threat Briefing: Computer Virus Cripples iPhone Chipmaker TSMC Plants

<div id="weekly">The intelligence in this week’s iteration discuss the following threats: Breach, Cryptojacking, GandCrab, malspam, phishing, Ransomware, targeted attacks and WannaCry. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.<div id="trending-threats"><h2>Trending Threats</h2><a href="https://twitter.com/haveibeenpwned/status/1026391987094573056" target="_blank">Have I Been Pwned: New Sensitive Breach</a> (August 6, 2018) Adult-FanFiction.org disclosed that they suffered a breach in May 2018. At least 186,000 records were compromised. Data such as names, dates of birth, email addresses and passwords were stored in both MD5 and plain text, which made them easily accessible by threat actors. <a href="https://forum.anomali.com/t/have-i-been-pwned-new-sensitive-breach/2762" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/have-i-been-pwned-new-sensitive-breach/2762" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/have-i-been-pwned-new-sensitive-breach/2762" target="_blank"> recommendation</a> <a href="https://www-bloomberg-com.cdn.ampproject.org/c/s/www.bloomberg.com/amp/news/articles/2018-08-04/tsmc-takes-emergency-steps-as-operations-hit-by-computer-virus" target="_blank">Computer Virus Cripples iPhone Chipmaker TSMC Plants</a> (August 4, 2018) A computer virus halted production for the company, Taiwan Semiconductor Manufacturing Co., who manufacture parts for the iPhone. The company reported that a number of its fabrication tools were infected. The virus was reportedly contained and the company was able to resume some production, however, several of its factories will not be able to resume production until at least Sunday the 5th of August 2018. The company did not disclose what computer virus affected their organization, though it is speculated that it was a version of WannaCry, or how the virus infected their network, but did say that it was not initiated by a hacker. <a href="https://forum.anomali.com/t/computer-virus-cripples-iphone-chipmaker-tsmc-plants/2763" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/computer-virus-cripples-iphone-chipmaker-tsmc-plants/2763" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/computer-virus-cripples-iphone-chipmaker-tsmc-plants/2763" target="_blank"> recommendation</a><a href="https://krebsonsecurity.com/2018/08/credit-card-issuer-tcm-bank-leaked-applicant-data-for-16-months/" target="_blank">Credit Card Issuer TCM Bank Leaked Applicant Data For 16 Months </a> (August 3, 2018) TCM Bank released a statement that a due to a third-party vendor's website misconfiguration, names, addresses, dates of birth and Social Security numbers of thousands of people who applied for cards between early March 2017 and mid-July 2018 were exposed. TCM Bank was notified of the breach, and the leak was fixed the next day. TCM Bank stated that fewer than 10,000 consumers who applied for cards were affected in the breach, but they have been notified. While the third-party vendor was not publicly announced, TCM Bank said that they will require the vendor to look at their technologies and procedures to detect and prevent similar issues going forward. <a href="https://forum.anomali.com/t/credit-card-issuer-tcm-bank-leaked-applicant-data-for-16-months/2764" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/credit-card-issuer-tcm-bank-leaked-applicant-data-for-16-months/2764" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/credit-card-issuer-tcm-bank-leaked-applicant-data-for-16-months/2764" target="_blank"> recommendation</a><a href="https://www.theregister.co.uk/2018/08/03/alaskan_town_has_entire_network_owned_by_ransomware_crims/" target="_blank">Alaskan Borough Dusts Off The Typewriters After Ransomware Crims Pwn Entire Network </a> (August 3, 2018) The Alaskan borough of Matanuska-Susitna or Mat-Su was hit by a ransomware attack that infected nearly all of the local government's servers and network. The attack was spearheaded by the BitPaymer ransomware, but also appears as though another threat actor was able to log into the borough's network to drop other malicious items like the Emotet banking trojan. The threat actors were able to gain Active Directory access which inhibited the controller's ability to reconfigure its security setting. The borough resorted to using typewriters and handwriting receipts to continue conducting business until the systems were cleared and up-and-running again. The local government admitted that the recovery servers were also infected, meaning that data such as email were lost for good unless the decryption key is accessed. <a href="https://forum.anomali.com/t/alaskan-borough-dusts-off-the-typewriters-after-ransomware-crims-pwn-entire-network/2765" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/alaskan-borough-dusts-off-the-typewriters-after-ransomware-crims-pwn-entire-network/2765" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/alaskan-borough-dusts-off-the-typewriters-after-ransomware-crims-pwn-entire-network/2765" target="_blank"> recommendation</a><a href="https://www.theregister.co.uk/2018/08/03/icliniq_cloud_breach/" target="_blank">Web Doc iCliniq Plugs Leaky S3 Bucket Full Of Medical Files </a> (August 3, 2018) An India-based online medical consultation service left thousands of medical documents and information available to public viewing after it accidentally left them in a public Amazon Simple Storage Service (S3) storage bucket. Their consultation services allow users to ask medical questions in private and they can attach private medical info, to be answered by doctors, which were some of the documents stored in the AWS S3 bucket. The bucket contained over 20,000 medical records. iCliniq failed to double-check their web application's permissions, meaning that users could access anyone's responses to the medical questionnaire by just guessing the ID number related to the question. Once aware of the scale of the breach, iCliniq promptly restricted access to that data and made it private. However, this leaves many patients vulnerable as their confidential medical and personal information could be accessed by unauthorized users. <a href="https://forum.anomali.com/t/web-doc-icliniq-plugs-leaky-s3-bucket-full-of-medical-files/2766" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/web-doc-icliniq-plugs-leaky-s3-bucket-full-of-medical-files/2766" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/web-doc-icliniq-plugs-leaky-s3-bucket-full-of-medical-files/2766" target="_blank"> recommendation</a><a href="https://isc.sans.edu/forums/diary/DHLthemed+malspam+reveals+embedded+malware+in+animated+gif/23944/" target="_blank">DHL-themed Malspam Reveals Embedded Malware In Animated Gif </a> (August 2, 2018) A phishing campaign to launch malware is parading as a DHL tracking email to evoke users to click on the link. The phishing email is formatted poorly, but can still get users to click on it. If a user clicks the "Track Shipment" link, a zip file is downloaded and directs traffic to an HTTP request that returns an animated GIF that contains malware binaries. This phishing campaign pushes malware using the Agent Tesla keystroke logger. <a href="https://forum.anomali.com/t/dhl-themed-malspam-reveals-embedded-malware-in-animated-gif/2767" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/dhl-themed-malspam-reveals-embedded-malware-in-animated-gif/2767" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/dhl-themed-malspam-reveals-embedded-malware-in-animated-gif/2767" target="_blank"> recommendation</a><a href="https://www.scmp.com/news/hong-kong/hong-kong-law-and-crime/article/2158023/after-singapore-medical-data-hack-hong-kongs" target="_blank">After Singapore Medical Data Hack, Hong Kong's Department Of Health Becomes Latest Cyber-attack Victim</a> (August 2, 2018) Three computers belonging to Hong Kong's Infection Control Branch, Clinical Genetic Service and Drug Office were infected with ransomware. The ransomware encrypted the computers' files and gave an email address to contact for a decryption key though no ransom amount was initially declared. According to the department's spokesperson, none of the computers contained sensitive personal information and no data was leaked. An investigation is ongoing into how the attack began and the motive, but officials theorize that it probably was initiated by using unsafe websites or opening links and/or attachments in emails. <a href="https://forum.anomali.com/t/after-singapore-medical-data-hack-hong-kongs-department-of-health-becomes-latest-cyber-attack-victim/2768" target="_blank">Click here fo </a><a href="https://forum.anomali.com/t/after-singapore-medical-data-hack-hong-kongs-department-of-health-becomes-latest-cyber-attack-victim/2768" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/after-singapore-medical-data-hack-hong-kongs-department-of-health-becomes-latest-cyber-attack-victim/2768" target="_blank"> recommendation</a><a href="https://www.trustwave.com/Resources/SpiderLabs-Blog/Mass-MikroTik-Router-Infection-%E2%80%93-First-we-cryptojack-Brazil,-then-we-take-the-World-/" target="_blank">Mass MikroTik Router Infection – First We Cryptojack Brazil, Then We Take The World? </a> (August 1, 2018) MikroTik routers in Brazil sustained a mass infection, utilizing CoinHive to mine for cryptocurrency. The infection took advantage of a vulnerability in the devices that target Winbox allowing the attacker full remote administrative access to the files on the device. While this vulnerability was immediately patched by MikroTik, numerous devices were never updated to apply the fix. The attacker used the device's functionality in order to inject the CoinHive script into every unencrypted HTTP web page that a user visited. This allows the threat actor to covertly miner cryptocurrency over long periods of time and is more difficult to uncover. <a href="https://forum.anomali.com/t/mass-mikrotik-router-infection-first-we-cryptojack-brazil-then-we-take-the-world/2769" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/mass-mikrotik-router-infection-first-we-cryptojack-brazil-then-we-take-the-world/2769" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/mass-mikrotik-router-infection-first-we-cryptojack-brazil-then-we-take-the-world/2769" target="_blank"> recommendation</a><a href="https://www.wired.com/story/reddit-hacked-thanks-to-woefully-insecure-two-factor-setup/" target="_blank">Reddit Got Hacked Thanks To A Woefully Insecure Two-Factor Setup</a> (August 1, 2018) In a blog post, Reddit notified users that it had suffered a data breach that compromised user emails, source code, and internal files along with all Reddit data from 2007 and earlier. The breach occurred when a threat actor compromised some of Reddit's employee administrative accounts with cloud and source code hosting providers by intercepting text messages two-factor authentication verification codes. Logs from June 3 to June 17, 2018, for the platform's "email digests" also were exposed in the breach. This information could allow threat actors to see the usernames connected to each email address. Reddit stated that all the passwords used for Reddit from 2007 and earlier should be changed to stronger passwords. Text message two-factor authentication (2FA) is known to not be as secure of a 2FA method since threat actors can copy SIM cards to intercept messages. <a href="https://forum.anomali.com/t/reddit-got-hacked-thanks-to-a-woefully-insecure-two-factor-setup/2770" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/reddit-got-hacked-thanks-to-a-woefully-insecure-two-factor-setup/2770" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/reddit-got-hacked-thanks-to-a-woefully-insecure-two-factor-setup/2770" target="_blank"> recommendation</a><a href="https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/" target="_blank">Attacks On Industrial Enterprises Using RMS And TeamViewer</a> (August 1, 2018) Russian-based industrial production companies have been the targets of a recent phishing campaign. The phishing emails pretend to be legitimate finance-based commercial offers to the industrial companies, and each email is intelligently tailored to the target company and the recipient of the email. If the malicious attachment is opened, legitimate remote administration software, either TeamViewer or Remote Manipulator System/Remote Utilities (RMS), is installed onto the machine. The goal of this malware campaign is to steal money from the targeted organization. This specific campaign not only steals money from the target organization, but also searches the correspondence of the employees to then launch attacks on partner companies. <a href="https://forum.anomali.com/t/attacks-on-industrial-enterprises-using-rms-and-teamviewer/2771" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/attacks-on-industrial-enterprises-using-rms-and-teamviewer/2771" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/attacks-on-industrial-enterprises-using-rms-and-teamviewer/2771" target="_blank"> recommendation</a><a href="https://securingtomorrow.mcafee.com/mcafee-labs/gandcrab-ransomware-puts-the-pinch-on-victims/" target="_blank">GandCrab Ransomware Puts The Pinch On Victims </a> (July 31, 2018) GandCrab is a quickly evolving malware that is currently in its fourth version of development. Threat actors developing this piece of malware has quickly improved its code since its first version, and now is adding comments in it to mock law enforcement, security researchers, as well as "NoMoreRansom.com" which had previously been able to decrypt the GandCrab's encryption keys. The malware uses one of four initial attack vectors: 1. Remote desktop connections that have weak security 2. Phishing emails with malicious links or attachments 3. Legitimate programs that contain malicious trojans with the malware 4. Exploit kits such as RigEK and others The goal of this ransomware it to gain an illicit profit, mainly in the form of the cryptocurrency DASH, though Bitcoin is also used. The newest version of the malware uses Salsa20 to encrypt the infected machine's files instead of RSA and AES. Like many other malwares, this malware checks the machine's operating language, and will not drop the malicious payload if the system operates in Russian or certain former Soviet languages. <a href="https://forum.anomali.com/t/gandcrab-ransomware-puts-the-pinch-on-victims/2772" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/gandcrab-ransomware-puts-the-pinch-on-victims/2772" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/gandcrab-ransomware-puts-the-pinch-on-victims/2772" target="_blank"> recommendation</a><a href="https://securityintelligence.com/news/new-crypto-mining-malware-zombieboy-exploits-multiple-cves-for-maximum-impact/" target="_blank">New Crypto-Mining Malware ZombieBoy Exploits Multiple CVEs For Maximum Impact </a> (July 31, 2018) A new family of crypto-mining malware has been uncovered by a security researcher, dubbed "ZombieBoy." It leverages multiple Windows vulnerabilities to compromise networks and create backdoors. The malware drops a Dynamic Link Library (DLL) file into the system and uses WinEggDrop to infect the systems. The binary is encrypted with Themida and does not run on virtual machines so it is difficult to reverse engineer the malware. Because the malware contains a double-backdoor, it leaves the machine vulnerable to ransomware, keyloggers, and other malicious tools. This "ZombieBoy" toolkit is linked to other Chinese-based malware like IRON TIGER APT. <a href="https://forum.anomali.com/t/new-crypto-mining-malware-zombieboy-exploits-multiple-cves-for-maximum-impact/2773" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/new-crypto-mining-malware-zombieboy-exploits-multiple-cves-for-maximum-impact/2773" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/new-crypto-mining-malware-zombieboy-exploits-multiple-cves-for-maximum-impact/2773" target="_blank"> recommendation</a><a href="https://citizenlab.ca/2018/07/nso-spyware-targeting-amnesty-international/" target="_blank">NSO Group Infrastructure Linked To Targeting Of Amnesty International And Saudi Dissident </a> (July 31, 2018) Amnesty International and Saudi activists abroad have been receiving suspicious WhatsApp and text messages since June 2018. Security researchers at The Citizen Lab discovered that these suspicious messages were phishing attempts to infect the target's phone with the "Pegasus" spyware that is linked to the Israeli company, NSO Group. If a target is successfully infected with the Pegasus spyware, a threat actor can spy on their activity by using the camera and microphone, recording calls, logging messages from mobile chat applications, and tracking the device's location. These specific text messages appear to be a part of the NSO Group's infrastructure that has a focus on Saudi Arabia, which coincides with the fact that the newest targets are Saudi Arabian dissidents and an NGO that is focused on human rights' violations. <a href="https://forum.anomali.com/t/nso-group-infrastructure-linked-to-targeting-of-amnesty-international-and-saudi-dissident/2774" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/nso-group-infrastructure-linked-to-targeting-of-amnesty-international-and-saudi-dissident/2774" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/nso-group-infrastructure-linked-to-targeting-of-amnesty-international-and-saudi-dissident/2774" target="_blank"> recommendation</a></div><div id="threat_model"><div id="threat_model_actors"> </div><div id="threat_model_campaign"> </div><div id="threat_model_incident"> </div><div id="threat_model_tipreport"> </div><div id="threat_model_ttp"> </div><div id="threat_model_vulnerability"> </div></div></div>