
Anomali Cyber Watch: GitLab Vulnerability Exploited In The Wild, Mekotio Banking Trojan Returns, Microsoft Exchange Vulnerabilities Exploited Again and More

Anomali Threat Research
November 10, 2021
<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> Babuk, BrakTooth, Linux, Gamaredon, Magecart </b> and <b> Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/jpgn4lGhQqWcRqKkXw6c"/><br/> <em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</em></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://threatpost.com/braktooth-bluetooth-bugs-exploit-poc/176036/" target="_blank">BrakTooth Bluetooth Bugs Bite: Exploit Code, PoC Released</a></h3> <p>(published: November 5, 2021)</p> <p>A proof-of-concept (PoC) tool to test for the recently revealed BrakTooth flaws in Bluetooth devices is now available: the researchers who discovered the flaws have released both the test kit and full exploit code for the bugs. On Thursday, CISA urged manufacturers, vendors and developers to patch or employ workarounds. On Monday, the University of Singapore researchers updated their table of affected devices after the chipset vendors Airoha, Mediatek and Samsung reported that some of their devices are vulnerable.<br/> <b>Analyst Comment:</b> Users are urged to patch or employ workarounds as soon as possible.<br/> <b>Tags:</b> Bluetooth, BrakTooth, Exploit, Vulnerability</p> </div> <div class="trending-threat-article"> <h3 id="article-2"><a href="https://www.sentinelone.com/labs/tipc-remote-linux-kernel-heap-overflow-allows-arbitrary-code-execution/" target="_blank">CVE-2021-43267: Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution</a></h3> <p>(published: November 4, 2021)</p> <p>Researchers at SentinelOne have identified a vulnerability in the TIPC module, part of the Linux kernel.
The Transparent Inter-Process Communication (TIPC) module implements a protocol used for cluster-wide operation and is packaged as part of most major Linux distributions. The vulnerability, designated CVE-2021-43267, is a heap overflow that could be exploited to execute code within the kernel.<br/> <b>Analyst Comment:</b> TIPC users should ensure their Linux kernel version is not between 5.10-rc1 and 5.15.<br/> <b>Tags:</b> Linux, TIPC, Vulnerability</p> </div> <div class="trending-threat-article"> <h3 id="article-3"><a href="https://www.bleepingcomputer.com/news/security/ukraine-links-members-of-gamaredon-hacker-group-to-russian-fsb/" target="_blank">Ukraine Links Members Of Gamaredon Hacker Group To Russian FSB</a></h3> <p>(published: November 4, 2021)</p> <p>The Ukrainian Secret Service claims to have identified five members of the threat group Gamaredon. The group, which Ukraine claims is operated by the Russian Federal Security Service (FSB), is believed to be behind over 5,000 attacks against Ukraine. These attacks usually rely on malicious documents; using a template injection vulnerability, the group has targeted government, public and private entities.<br/> <b>Analyst Comment:</b> Users should confirm that a file was sent by a known and trusted sender, and that individual should be contacted to verify the authenticity of the attachment prior to opening it. Any such file attachment sent by an unknown sender should be viewed with the utmost scrutiny; the attachment should not be opened and should be properly reported to appropriate personnel.
Users should also be careful when viewing documents that ask for macros to be enabled.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a><br/> <b>Tags:</b> Gamaredon, Malicious Documents, Russia, Ukraine, Template Injection</p> </div> <div class="trending-threat-article"> <h3 id="article-4"><a href="https://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimmer-evades-virtual-machines/" target="_blank">Credit Card Skimmer Evades Virtual Machines</a></h3> <p>(published: November 3, 2021)</p> <p>Researchers at Malwarebytes have released research detailing the evolution of credit card skimmers to evade virtual machines. The skimmer, Magecart, uses WebGL, a JavaScript API, to gather user system information. If no virtual machine is detected, the skimmer continues to scrape the victim’s data, including credit card information.<br/> <b>Analyst Comment:</b> The financial information that was disclosed seems to be very comprehensive (credit card numbers, bank accounts, etc.), and victims could have their identity stolen and financial transactions made in their name.
Users who believe they have been impacted by this data breach should monitor their credit cards and bank accounts for unusual activity and, in addition, freeze their credit reports.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/2402543">[MITRE ATT&amp;CK] Virtualization/Sandbox Evasion - T1497</a><br/> <b>Tags:</b> Anti-VM, Credit Card, Magecart, Skimmer</p> </div> <div class="trending-threat-article"> <h3 id="article-5"><a href="https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+feedburner%2FTalos+%28Talos%E2%84%A2+Blog%29" target="_blank">Microsoft Exchange Vulnerabilities Exploited Once Again For Ransomware, This Time With Babuk</a></h3> <p>(published: November 3, 2021)</p> <p>Cisco Talos researchers have identified a campaign spreading Babuk ransomware, attributed to the recently emerged threat group Tortilla. The campaign appears to have primarily targeted US users, with infections also occurring in other countries including Brazil, Finland, Germany, Honduras, Thailand, and the United Kingdom. Vulnerable Microsoft Exchange servers are targeted in an attempt to exploit the ProxyShell vulnerability to deliver Babuk ransomware.<br/> <b>Analyst Comment:</b> Ransomware can potentially be blocked by using endpoint protection solutions (HIDS). Always keep your important files backed up following the 3-2-1 rule: have at least 3 different copies, on 2 different mediums, with 1 off-site. In the case of ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs.
Ransomware should be reported to law enforcement agencies, which are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> Babuk, ChinaChopper, Microsoft Exchange Server, Vulnerability</p> </div> <div class="trending-threat-article"> <h3 id="article-6"><a href="https://research.checkpoint.com/2021/mekotio-banker-returns-with-improved-stealth-and-ancient-encryption/" target="_blank">Mekotio Banker Returns with Improved Stealth and Ancient Encryption</a></h3> <p>(published: November 3, 2021)</p> <p>Check Point researchers have identified a new variant of the “Mekotio” banking trojan, which has previously targeted Latin American countries. The malware is distributed via phishing emails that contain either a link to a zip archive or a zip file as an attachment; the email is crafted to trick the recipient into opening the attachment. If the attachment is opened, the malware downloads a PowerShell script that runs directly in memory, allowing the malware to go undetected by most anti-virus products. The new infection vector contains these unprecedented elements: a stealthier batch file with at least two layers of obfuscation, a new fileless PowerShell script, and use of Themida v3 for packing the payload.<br/> <b>Analyst Comment:</b> Threat actors deliver malware in numerous ways and will consistently update their TTPs to make analysis and discovery more difficult.
Educate your employees on the methods actors use to distribute malware: compromised websites, malicious files, phishing, spearphishing, and vulnerability exploitation, among others.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/3906161">[MITRE ATT&amp;CK] Command and Scripting Interpreter - T1059</a> | <a href="https://ui.threatstream.com/ttp/3905074">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/947142">[MITRE ATT&amp;CK] Process Injection - T1055</a><br/> <b>Tags:</b> Mekotio, PowerShell, Encryption, Latin America, Phishing</p> </div> <div class="trending-threat-article"> <h3 id="article-7"><a href="https://www.bleepingcomputer.com/news/security/trojan-source-attack-method-can-hide-bugs-into-open-source-code/" target="_blank">Trojan Source Attack Method Can Hide Bugs In Source Code</a></h3> <p>(published: November 1, 2021)</p> <p>Researchers from the University of Cambridge have identified an attack method that can be used to inject malicious code into source code. The method, named “Trojan Source”, manipulates source code at the encoding level by embedding text-directionality control characters that reorder how the source code is displayed. The method has been demonstrated to work on multiple languages including C, C++, C#, Java, JavaScript, Go, Python, and Rust.<br/> <b>Analyst Comment:</b> One way to defend against Trojan Source is to reject the use of control characters for text directionality in language specifications and in the compilers that implement those languages.
It is also possible to scan your source code, including third-party libraries, to check whether these control characters have been abused.<br/> <b>Tags:</b> C, C++, C#, Java, JavaScript, Trojan Source, Vulnerability, Exploit</p> </div> <div class="trending-threat-article"> <h3 id="article-8"><a href="https://www.rapid7.com/blog/post/2021/11/01/gitlab-unauthenticated-remote-code-execution-cve-2021-22205-exploited-in-the-wild/" target="_blank">GitLab Unauthenticated Remote Code Execution CVE-2021-22205 Exploited in the Wild</a></h3> <p>(published: November 1, 2021)</p> <p>The GitLab Remote Code Execution (RCE) vulnerability CVE-2021-22205 has been rescored to a CVSSv3 score of 10 after being reclassified from an authenticated to an unauthenticated issue. The vulnerability was first identified in April 2021 and could allow a remote actor to exploit a vulnerability in ExifTool to execute commands as the git user. There have been multiple reports of the vulnerability being exploited in the wild. While a patch has been released, many GitLab instances will still be vulnerable.<br/> <b>Analyst Comment:</b> Users should update to the latest version of GitLab as soon as possible, and where possible GitLab instances should not be internet facing.<br/> <b>Tags:</b> GitLab, RCE, Vulnerability</p> </div>
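For the TIPC item (CVE-2021-43267) above, the analyst comment gives a kernel version range. The script below is an added example, not code from SentinelOne or Anomali: it parses a uname -r style release string, reports whether it falls in the stated range, and reports whether the tipc module is actually loaded, since the bug is only reachable when TIPC is in use. It reads "between 5.10-rc1 and 5.15" as 5.10-rc1 inclusive up to the 5.15 final release exclusive, which is an assumption on our part; the sample /proc/modules text is constructed.

```python
"""Coarse exposure check for CVE-2021-43267 (Linux TIPC heap overflow).

Added example, not code from SentinelOne or Anomali. It encodes the analyst
comment literally (assumption: 5.10-rc1 <= version < 5.15 final). Stable and
distribution kernels may carry a backported fix under a version number inside
this range, so a hit is a prompt to check the vendor advisory, not proof of
exposure.
"""
import os
import platform
import re

# Comparable tuples: (major, minor, patch, is_final, rc_number)
FIRST_AFFECTED = (5, 10, 0, 0, 1)   # 5.10-rc1
FIRST_FIXED = (5, 15, 0, 1, 0)      # 5.15 final release (assumed upper bound)


def parse_kernel_version(release):
    """Turn a `uname -r` string into a comparable tuple.

    A release candidate sorts before the final release of the same number
    because is_final is 0 for an rc and 1 for a final. Distribution suffixes
    such as "-arch1-1" or "-40-generic" are ignored.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel version: {release!r}")
    major, minor, patch, rc = m.groups()
    patch = int(patch) if patch else 0
    if rc:
        return (int(major), int(minor), patch, 0, int(rc))
    return (int(major), int(minor), patch, 1, 0)


def in_affected_range(release):
    """True when the version lies in [5.10-rc1, 5.15) per the analyst comment."""
    return FIRST_AFFECTED <= parse_kernel_version(release) < FIRST_FIXED


def tipc_loaded(proc_modules_text):
    """True if 'tipc' is listed as a module name in /proc/modules content."""
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "tipc":
            return True
    return False


def assess(release, proc_modules_text):
    """Combine both signals into one verdict dictionary."""
    version_hit = in_affected_range(release)
    loaded = tipc_loaded(proc_modules_text)
    return {
        "release": release,
        "version_in_range": version_hit,
        "tipc_loaded": loaded,
        "review_needed": version_hit and loaded,
    }


# Constructed /proc/modules excerpt (not captured from a real host).
SAMPLE_PROC_MODULES = (
    "tipc 200704 0 - Live 0x0000000000000000\n"
    "xt_conntrack 16384 1 - Live 0x0000000000000000\n"
)

if __name__ == "__main__":
    modules = ""
    if os.path.exists("/proc/modules"):
        with open("/proc/modules", encoding="utf-8", errors="replace") as fh:
            modules = fh.read()
    print(assess(platform.release(), modules))
```

Run it on the host in question; a `review_needed` of True means the kernel version string is in the quoted range and TIPC is loaded, which is the case to take to the distribution's advisory for CVE-2021-43267.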
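For the Gamaredon item above, which describes malicious documents that use template injection, the following is an added example of a mail-gateway or triage check; it is not Anomali's code and is not based on any specific Gamaredon sample. Remote template injection gives a .docx an attachedTemplate relationship whose target is a URL, so Word fetches the template (which may carry macros) when the document is opened. The scanner reads the relationships of word/settings.xml and flags any network target. The two sample documents are built in memory and the URL is a placeholder, not an indicator.

```python
"""Flag Word documents whose settings point at a remote (network) template.

Added example, not code from Anomali. Only network targets (http, https, ftp,
UNC) are flagged: a file:/// target pointing at a local .dotm is the normal
case for a document based on a custom template.
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SETTINGS_RELS = "word/_rels/settings.xml.rels"
ATTACHED_TEMPLATE = "/relationships/attachedTemplate"


def is_remote(target):
    """True for URL schemes or UNC paths that would trigger a network fetch."""
    t = target.strip().lower()
    return t.startswith(("http://", "https://", "ftp://", "\\\\"))


def find_remote_templates(docx_bytes):
    """Return [(relationship_label, target)] for network relationships in settings.xml.rels."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return findings          # no settings relationships: nothing to attach
        root = ET.fromstring(zf.read(SETTINGS_RELS))
    for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
        target = rel.get("Target", "")
        if is_remote(target):
            rtype = rel.get("Type", "")
            label = "attachedTemplate" if rtype.endswith(ATTACHED_TEMPLATE) else rtype
            findings.append((label, target))
    return findings


def build_docx(settings_rels_xml=None):
    """Build a minimal .docx in memory (constructed test input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    '<Default Extension="xml" ContentType="application/xml"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        if settings_rels_xml is not None:
            zf.writestr(SETTINGS_RELS, settings_rels_xml)
    return buf.getvalue()


TEMPLATE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006" + ATTACHED_TEMPLATE

# Constructed relationship parts. A local template is attached with a
# file:/// target; the injected variant points at a placeholder host.
BENIGN_RELS = (
    f'<Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId1" Type="{TEMPLATE_TYPE}" '
    'Target="file:///C:/Templates/Corporate.dotm" TargetMode="External"/>'
    '</Relationships>'
)
INJECTED_RELS = (
    f'<Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId1" Type="{TEMPLATE_TYPE}" '
    'Target="http://template-host.example/remote.dotm" TargetMode="External"/>'
    '</Relationships>'
)

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print("benign  :", find_remote_templates(build_docx(BENIGN_RELS)))
        print("injected:", find_remote_templates(build_docx(INJECTED_RELS)))
    for path in paths:
        with open(path, "rb") as fh:
            print(path, find_remote_templates(fh.read()))
```

Pass one or more .docx paths on the command line to scan real attachments; with no arguments it runs against the two constructed samples. A hit is worth correlating with the sender verification the analyst comment recommends, since a remote template is rarely legitimate in mail from outside the organisation.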
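For the Trojan Source item above, the analyst comment suggests scanning source code, including third-party libraries, for the directionality control characters the technique relies on. The scanner below is an added example, not code from Anomali or from the Cambridge researchers: it reports every bidirectional embedding, override and isolate character with its line and column so a reviewer can decide whether each occurrence is legitimate text or an attempt to reorder code. The file extension list and the sample source are ours.

```python
"""Scan source trees for Unicode bidirectional control characters.

Added example, not code from Anomali or the Trojan Source authors. Flags the
nine bidi embedding/override/isolate controls in source files, including
vendored third-party code.
"""
import os
import sys
import unicodedata

BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
)

# Extensions to scan; adjust for the languages in a repository (assumption).
SOURCE_EXTENSIONS = {".c", ".cc", ".cpp", ".h", ".cs", ".java", ".js", ".ts",
                     ".go", ".py", ".rs"}


def find_bidi_controls(text):
    """Return [(line_no, column, unicode_name)] for each bidi control in text.

    Line and column are 1-based so they can be pasted into an editor.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((line_no, col, unicodedata.name(ch)))
    return hits


def scan_file(path):
    """Scan one file; undecodable bytes are replaced so binaries do not abort the scan."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_bidi_controls(fh.read())


def scan_tree(root, extensions=SOURCE_EXTENSIONS):
    """Walk root (vendored directories included) and return {path: hits} for files with findings."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1] in extensions:
                path = os.path.join(dirpath, name)
                hits = scan_file(path)
                if hits:
                    findings[path] = hits
    return findings


# Constructed sample: a comment carrying a RIGHT-TO-LEFT OVERRIDE and the
# matching POP DIRECTIONAL FORMATTING, the characters a Trojan Source
# payload relies on. Not real code from any project.
SAMPLE_SOURCE = (
    "def is_admin(user):\n"
    "    # access check \u202e disabled for testing \u202c\n"
    "    return user.role == 'admin'\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            for line_no, col, name in hits:
                print(f"{path}:{line_no}:{col}: {name}")
    else:
        print(find_bidi_controls(SAMPLE_SOURCE))
```

Point it at a checkout root (vendor directories included) and treat any finding as a review item; bidi controls are legitimate in some string literals and comments written in right-to-left scripts, so the scanner reports rather than fails the build.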
Anomali Threat Research

Anomali's Threat Research team continually tracks security threats to identify when new, highly critical security threats emerge. The Anomali Threat Research team's briefings discuss current threats and risks like botnets, data breaches, misconfigurations, ransomware, threat groups, and various vulnerabilities. The team also creates free and premium threat intelligence feeds for Anomali's industry-leading Threat Intelligence Platform, ThreatStream.


