Weekly Threat Briefing: Malicious Document Targets Pyeonchang Olympics

<p>The intelligence in this week’s iteration discuss the following threats: <strong>Banking trojan</strong>, <strong>Botnet</strong>, <strong>Credit card theft</strong>, <strong>Data breach</strong>, <strong>Hardcoded backdoor</strong>, <strong>Malicious applications</strong>, <strong>Phishing</strong>, and <strong>Vulnerabilities</strong>. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.</p><h2>Trending Threats</h2><p><a href="http://www.securityweek.com/hardcoded-backdoor-found-western-digital-storage-devices" target="_blank"><b>Hardcoded Backdoor Found on Western Digital Storage Devices</b></a> (<i>January 8, 2018</i>)<br/> GulfTech researcher James Bercegay discovered vulnerabilities in the company Western Digital’s “WDMyCloud” firmware before version 2.30.165. The unrestricted file upload vulnerabilities affect multiple MyCloud products. In addition to the vulnerabilities, it was also found that some MyCloud products contain a hardcoded administrator account that can function as a backdoor. The vulnerabilities could be exploited to gain remote root code execution on the affected personal cloud storage units by sending a crafted HTTP POST request. Furthermore, the backdoor administrator account, when logged in to, can function as a root shell from which actors to execute arbitrary commands.<br/> <a href="https://forum.anomali.com/t/hardcoded-backdoor-found-on-western-digital-storage-devices/1784" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/" target="_blank"><b>Malicious Document Targets Pyeonchang Olympics</b></a> (<i>January 6, 2018</i>)<br/> A new phishing campaign has been identified to be targeting organizations associated with the Pyeongchang Olympics, according to McAfee researchers. The actors behind this campaign are distributing malicious Microsoft Word documents that have the original file name “Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics.” This campaign is primarily targeting organizations in South Korea. If the Word document is opened, it requests the recipient to “Enable Content” which, if enabled, will launch an obfuscated PowerShell script. The script sets up communication to a Command and Control (C2) server for additional instructions, some of which were found to be executing commands on the infected machine to download additional malware.<br/> <a href="https://forum.anomali.com/t/malicious-document-targets-pyeonchang-olympics/1785" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.infosecurity-magazine.com/news/microsoft-issues-warning-for/" target="_blank"><b>Microsoft Issues Warning for Meltdown Fix</b></a> (<i>January 5, 2018</i>)<br/> Microsoft has issued security updates out-of-cycle of their typical Patch Tuesday in response to a vulnerability dubbed “Meltdown” and registered as “CVE-2017-5754” that affects “Intel CPUs.” The Meltdown vulnerability allows normal applications to access the content of private kernel memory. This could potentially expose sensitive information on machines use cloud-based features. In addition to possibly exposing sensitive data, Meltdown can also cause compatibility issues with some antivirus tools.<br/> <a href="https://forum.anomali.com/t/microsoft-issues-warning-for-meltdown-fix/1786" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.checkpoint.com/2018/01/05/lightsout-shining-light-malicious-flashlight-adware-google-play/" target="_blank"><b>LightsOut: Shining a Light On Malicious Flashlight Apps on Google Play</b></a> (<i>January 5, 2018</i>)<br/> 22 applications inside of the Google Play store were identified contain scripts that override a user’s ability to disable advertisements, and hides the icon of itself in an attempt to prevent it from being removed, according to Check Point researchers. The malware, dubbed “LightsOut,” was found inside of flashlight and utility applications that ranged from 1.5 million to 7.5 million downloads.<br/> <a href="https://forum.anomali.com/t/lightsout-shining-a-light-on-malicious-flashlight-apps-on-google-play/1791" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.digitaldefense.com/blog/zero-day-alerts/avamar-zero-day/" target="_blank"><b>Avamar Zero-day</b></a> (<i>January 4, 2018</i>)<br/> Digital Defense researchers have released information regarding three vulnerabilities, registered as “CVE-2017-15548,” “CVE-2017-15550,” and “CVE-2017-15549” discovered on Dell’s “EMC Data Protection Suite Family” products. The affected products were found to be “Avamar Server” versions 7.1.x, 7.2.x, 7.3.x, 7.4.x, and 7.5.0, NetWorker Virtual Edition versions 0.x, 9.1.x, and 9.2.x, and the Integrated Data Protection Appliance versions 2.0. Exploitation of the vulnerabilities can result in authenticated arbitrary file access and file upload in “UserInputService,” or conduct an authentication bypass in “SecurityService.” All three vulnerabilities can be exploited by an actor to gain root login on an affected machine.<br/> <a href="https://forum.anomali.com/t/avamar-zero-day/1792" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html" target="_blank"><b>Reading Privileged Memory with A Side-Channel</b></a> (<i>January 3, 2018</i>)<br/> Google’s Project Zero team has released a report regarding three vulnerabilities, registered as “CVE-2017-5753,” “CVE-2017-5715,” and “CVE-2017-5754,” that affect some modern processors created by AMD, ARM, and Intel. Exploitation of the vulnerabilities can result in bounds check bypass, branch target injection, or rogue data cache load. These vulnerabilities are also known as “Spectre” (CVE-2017-5753 and CVE-2017-5715) and “Meltdown” (CVE-2017-5754).<br/> <a href="https://forum.anomali.com/t/reading-privileged-memory-with-a-side-channel/1793" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://f5.com/labs/articles/threat-intelligence/malware/new-python-based-crypto-miner-botnet-flying-under-the-radar" target="_blank"><b>New Python-based Crypto-Miner Botnet Flying Under The Radar</b></a> (<i>January 3, 2018</i>)<br/> A new cryptocurrency mining botnet, dubbed “PyCryptoMiner,” has been observed infecting machines via brute forcing credentials for the SSH protocol, according to FS researchers. The Linux botnet malware is written in the Python programming language uses the text-storing website “Pastebin[.]com” under the username “WHATHAPPEN” to receive new Command and Control (C2) to receive commands if the original C2 server is unreachable. Researchers have observed the malware has scanning capabilities that search for JBoss servers vulnerable to “CVE-2017-12149.” The botnet mines “Monero” cryptocurrency on an infected device.<br/> <a href="https://forum.anomali.com/t/new-python-based-crypto-miner-botnet-flying-under-the-radar/1794" target="_blank">Click here for Anomali recommendation</a></p><p><a href="http://www.zdnet.com/article/satori-malware-code-given-away-for-christmas/" target="_blank"><b>Satori IoT Botnet Malware Code Given Away for Christmas</b></a> (<i>January 3, 2018</i>)<br/> An unknown threat actor has publicly released the code for a vulnerability, registered as “CVE-2017-17215,” on “Pastebin[.]com.” The vulnerability affects “Huawei GH532” devices. Prior to the posting, the vulnerability has already been used by two Internet-of-Things (IoT) malware families in “Satori” and “Brickerbot.”<br/> <a href="https://forum.anomali.com/t/satori-iot-botnet-malware-code-given-away-for-christmas/1795" target="_blank">Click here for Anomali recommendation</a></p><p><a href="http://blogs.quickheal.com/android-banking-trojan-targets-232-apps-including-indian-banks/" target="_blank"><b>Android Banking Trojan Targets More Than 232 Apps Including Apps Offered by Indian Banks</b></a> (<i>January 3, 2018</i>)<br/> Researchers from Quick Heal Security Labs have detected an Android Banking Trojan that targets approximately 232 apps. The trojan is being distributed through a fake Flash Player application located on third-party app stores. Once the application is installed it will ask the user to enable administrative rights. Once enabled the Trojan looks for 232 applications on the device, mainly banking and cryptocurrency applications. If a targeted application is found on the device, a notification is shown and if the user clicks on it, a fake login page is displayed which harvests the user's credentials. The Trojan can also exfiltrate contacts, locations, and SMS messages from the device.<br/> <a href="https://forum.anomali.com/t/android-banking-trojan-targets-more-than-232-apps-including-apps-offered-by-indian-banks/1796" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.us-cert.gov/ncas/current-activity/2018/01/02/VMware-Releases-Security-Updates" target="_blank"><b>VMware Releases Security Updates</b></a> (<i>January 2, 2018</i>)<br/> The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding vulnerabilities in “VMware’s” “vSphere Data Protection.” The vSphere Data Protection is a backup and recovery solution created for vSphere environment, according to VMware. In addition, the company ranks the vulnerabilities, registered as “CVE-2017-15548,” “CVE-2017-15549,” and “CVE-2017-15550,” as critical severity. The vulnerabilities could be exploited to allow a threat actor root access to an affected machine.<br/> <a href="https://forum.anomali.com/t/vmware-releases-security-updates/1797" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.infosecurity-magazine.com/news/forever-21-breach-lasted-over/" target="_blank"><b>Forever 21 Breach Lasted Over Seven Months</b></a> (<i>January 2, 2018</i>)<br/> The U.S.-based retail store “Forever 21” has made a statement regarding its investigation into a data breach that was first confirmed in November 2017. At that time, the company said that the breach affected card transactions at its stores from March to October 2017. Now Forever 21 has changed the timeframe in which card transactions were potentially compromised to April through November 2017. The retail company also stated that encryption features for Point of Sale (POS) machines at various locations were turned off during the April through November 2017 timeframe. This could allow threat actors to more easily steal payment data as it was processed. Additionally, the company identified malware “installed on some devices in some U.S. stores at varying times during the period from April 3, 2017 to November 18, 2017.”<br/> <a href="https://forum.anomali.com/t/forever-21-breach-lasted-over-seven-months/1798" target="_blank">Click here for Anomali recommendation</a></p>