Threat Intelligence Posts

METHOD – Law Office Credentials on the Dark Web

August 5, 2018

CNBC has reported that access to various law firms' files and networks is being sold on the Dark Web. In one example, access to a New York City law firm was being sold for $3,500, and the individual or group offering the access stated they could provide screenshots as evidence of the break-in.

According to cybersecurity service provider Q6, beyond the New York firm, access to law firms across the United States, including multiple firms in Beverly Hills, is being advertised for sale on the Dark Web. The information in the New York example was identified on a Russian-speaking forum.

The credentials most commonly advertised on this site were IT admin credentials with high privileges, and these accounts appeared to fetch the highest prices. Part of the value of such credentials is the ability to access multiple users' email accounts to obtain sensitive information.

The sanitized screenshots provided by CNBC on where the information was being sold detailed a robust web platform that included support, a balance for purchases, and website sections such as "FAQ", "Invoices" and "Settings."

Proficio Threat Intelligence Recommendations:

  • Employ additional controls around privileged users within the organization.

  • Assess working with partners to perform dark web sweeps or dark web monitoring.

  • Have a continuous monitoring program in place to detect suspicious access for public facing remote authentication services.

CNBC Article - Click Here

ATTACKER – Leafminer Expanding Operations to Target United States ICS Entities

August 2, 2018

In July of 2018, the threat actor Leafminer was detailed by Symantec as having targeted a list of government organizations and business verticals in the Middle East since at least early 2017. The article also detailed several aspects of how the attacker attempted to breach targets. One method detailed was the use of "file://" URLs embedded on websites used as watering holes; these prompted Windows users who visited the site to enter their SMB credentials. When a user provided input, the user's NTLM hash was transmitted to the attackers to be cracked offline.

The article also observed more traditional attack methods, including brute force / dictionary attacks against public facing services, EternalBlue for lateral movement, and common attack software such as Mimikatz, PsExec, and THC Hydra.
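As an added example (not from the original post, Symantec or Dragos), the two places a defender can catch the "file://" lure described above: file:// references to outside hosts in fetched web content, and SMB sessions (ports 139/445) from workstations to internet addresses, which is what a Windows client opens when such a link is rendered. The log format, the sample HTML, the internal address ranges and the internal DNS suffix are constructed assumptions for the demo.

```python
import ipaddress
import re

# Address ranges treated as internal (assumption: RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
INTERNAL_DOMAIN_SUFFIX = ".corp.example"  # assumed internal DNS suffix
SMB_PORTS = {139, 445}
FIELD_RE = re.compile(r"(\w+)=(\S+)")
# Host part of "file://host/share" or the UNC-style "file:////host/share".
FILE_URL_RE = re.compile(r"file:/{2,}([^/\\\s\"'<>]+)", re.IGNORECASE)

# Constructed firewall export (key=value per line) and constructed web page.
SAMPLE_FW_LOG = """\
ts=2018-07-29T09:12:01Z src=10.20.4.15 dst=10.20.1.7 dport=445 proto=tcp action=allow
ts=2018-07-29T09:12:05Z src=10.20.4.15 dst=203.0.113.44 dport=445 proto=tcp action=allow
ts=2018-07-29T09:12:09Z src=10.20.4.21 dst=198.51.100.9 dport=443 proto=tcp action=allow
ts=2018-07-29T09:13:30Z src=10.20.4.33 dst=198.51.100.9 dport=139 proto=tcp action=allow
ts=2018-07-29T09:14:02Z src=10.20.4.33 dst=192.168.5.5 dport=445 proto=tcp action=allow
"""
SAMPLE_HTML = """\
<img src="file://203.0.113.44/share/logo.png" width="1" height="1">
<a href="file://fileserver.corp.example/docs/policy.pdf">intranet copy</a>
<a href="https://www.example.org/news">news</a>
"""

def is_external(ip_text):
    """True for an IP literal outside INTERNAL_NETS; raises ValueError for hostnames."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)

def find_external_smb(log_text):
    """(src, dst, dport) for SMB sessions leaving the organisation: the
    network-level symptom of a file:// lure, as Windows tries NTLM auth there."""
    hits = []
    for line in log_text.splitlines():
        rec = dict(FIELD_RE.findall(line))
        if rec and int(rec["dport"]) in SMB_PORTS and is_external(rec["dst"]):
            hits.append((rec["src"], rec["dst"], int(rec["dport"])))
    return hits

def find_external_file_links(html):
    """Hosts referenced by file:// URLs that are neither internal IPs nor names."""
    flagged = []
    for host in FILE_URL_RE.findall(html):
        try:
            external = is_external(host)
        except ValueError:  # a hostname rather than an IP literal
            external = not host.lower().endswith(INTERNAL_DOMAIN_SUFFIX)
        if external:
            flagged.append(host)
    return flagged

if __name__ == "__main__":
    for src, dst, port in find_external_smb(SAMPLE_FW_LOG):
        print(f"ALERT outbound SMB {src} -> {dst}:{port}")
    for host in find_external_file_links(SAMPLE_HTML):
        print(f"ALERT file:// link to external host {host}")
```

Blocking outbound 139/445 at the perimeter removes the leak entirely; the log check above is for finding the hosts that already tried.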

After this article had been released, Dragos, a cybersecurity vendor that specializes in ICS incident response, reported that it had discovered Leafminer targeting US entities in the utility vertical. Dragos suggested that the threat actor uses embedded links that prompt for SMB credentials as well, indicating that US entities might face watering hole attacks similar to those seen in the Middle East. Dragos named this threat actor "RASPITE."

Dragos stated in the blog that it has not seen any evidence that the attackers have gained the ability to infiltrate ICS systems once a foothold has been gained in a utility entity, but that the attackers are likely trying to gain access to organizations to prepare for a later ICS attack.

Proficio Threat Intelligence Recommendations:

  • Place two factor authentication on any public facing services where users authenticate.

  • Make sure Windows servers inside the network are up-to-date and patched, especially against ETERNALBLUE and other related recent SMB vulnerabilities.

  • Enforce password policies for Windows credentials such as complex passwords or periodic changes of passwords by users.

Symantec findings for Leafminer - Click Here
Dragos details on RASPITE - Click Here

Target: Valve Game in Marketplace Distributed Cryptocurrency Miner

July 30, 2018

Valve pulled the game "Abstractism" from the Steam store after several sources on the internet stated the game was suspected to contain a cryptocurrency-mining bot. YouTube user SidAlpha and other bloggers flagged the game for very suspicious behavior: the game package being flagged by antivirus software, the authors stating that the game should be left running in the background for extended periods of time, and the game taking up an extraordinary amount of GPU and CPU resources at run time.

Steam is a digital distribution platform owned by the Valve Corporation that allows video game developers to publish to the platform. In this instance, it looks like a group of developers was able to compromise the platform's supply chain and release a bogus game that performs cryptomining.

When the developers of the game were confronted with the findings that the game mines Bitcoin, the developer "Okalu Union" stated "Bitcoin is outdated, we currently use Abstractism to mine only Monero coins." The developer then went on to contradict the prior statement with "Abstractism does not mine any of cryptocurrency. Probably, you are playing on high graphic settings."

Something very important to note is that in this case, the developers exploited a lack of controls in the software supply chain of the Valve platform to perform cybercriminal activity. All organizations depend on a variety of software supply chains to deliver legitimate software downloads and updates. The software supply chain will likely remain a target for cybercriminal threat actors, and this trend will likely increase as the threat landscape evolves.

Proficio Threat Intelligence Recommendations:

  • Make sure your organization has an acceptable use policy that bans the usage of applications that introduce risk to your organization such as gaming applications.

  • Keep endpoint security controls such as antivirus and EDR (endpoint detection and response) up to date and validate that they work as a preventative control.

  • Assess whether your organization has MDM (mobile device management) software and whether it allows the installation of unauthorized applications that may introduce risk to the organization.

General Information - Click Here

Method: SIM Swapping Used to Target Cryptocurrency Entrepreneurs

Police in California arrested a 20-year-old from Boston at Los Angeles International Airport on his way to Europe. The individual, Joel Ortiz, was accused of targeting cryptocurrency entrepreneurs by compromising the two factor authentication tied to their mobile phone numbers using a method called SIM swapping. His activities are rumored to have resulted in the theft of five million dollars and the hijacking of forty phone numbers.

According to multiple sources, it is suspected that Joel, along with a group of accomplices, was able to socially engineer cell phone providers into sending them replacement SIM cards for victims, which enabled them to move the victim's phone number to a device of their choice. Once this is in place, the attackers are able to receive the text messages used for two factor authentication and account resets.

In some instances the attacker took obvious actions that tipped his hand that he had hijacked the number. One victim's daughter got a text message requesting to "TELL YOUR DAD TO GIVE US BITCOIN."

Given that the attacker group was led by a 20-year-old who was careless both in his actions against victims and on his social media regarding his spending habits, it is possible that this method of attack could be used by more sophisticated threat actors against organizations that use two factor authentication with mobile devices.

Proficio Threat Intelligence Recommendations:

  • For personal and corporate devices, work with the cell phone provider to add an extra layer of security against SIM swapping (e.g., T-Mobile's "care password").

  • Assess and secure any two factor authentication used by the organization around text messages or phone call verification procedures.

General Information - Click Here

Attacker: Corporate iPhones Attacked in MDM Campaign

July 25, 2018

This month security organizations and researchers discovered an attack that utilizes Apple's popular and open source Mobile Device Management (MDM) system for iPhones. The MDM suite allows enterprises to conveniently deploy and manage employees' iPhones remotely. The attackers in this campaign appear to have used social engineering to persuade unsuspecting users to enroll in MDM on their iPhones. From there, the attackers used MDM to remotely deploy Trojan spyware applications. Furthermore, they remained undetected for the past three years, while launching multiple successful attacks against targeted corporate employees in India.

The attackers, who are also believed to be operating within India, were able to coax their victims into installing unverified certificates for MDM. The unverified certificates used deceptive naming such as hxxp://ios-certificate-update[.]com and allowed unchecked administrative privileges once installed. Following the initial compromise, the attacker was able to deploy the Trojan spyware applications onto the mobile devices of the affected users. While the applications appeared to be legitimate software such as Telegram or WhatsApp, they were in fact modified versions of the legitimate software, which granted the attackers access to the target's photos, contacts, real-time location, SMS messages, and application chat logs.

Proficio Threat Intelligence Recommendations:

  • Assess the authenticity of MDM certificates currently in use by your mobile fleet. Apple has already revoked several certifications that were linked to this malicious MDM campaign, but there are likely other malicious certificates that have yet to be canceled.

  • As MDM becomes more popular with large organizations, users should be made aware that installing additional certificates onto their mobile devices may allow unauthorized and/or malicious remote management activity.

  • Update IDS/IPS devices to blacklist certificates and/or traffic made towards the following malicious servers that have been identified thus far: Ios-certificate-update[.]com; www[.]wpitcher[.]com; techwach[.]com; and voguextra[.]com.

  • Update IDS/IPS devices to take appropriate actions when observing the following malicious application hashes: 329e025866bc6e88184af0b633eb3334b2e8b1c0817437c03fcd922987c5cf04 (AppsSLoader.ipa); aef046b67871076d507019cd87afdaeef602d1d2924b434ec1c165097b781242 (MyApp.ipa); 4be31095e5f010cc71cf8961f8fe3fc3ed27f8d8788124888a1e90cb90b2bef1 (PrayTime.ipa); 624689a1fd67891be1399811d6008524a506e7e0b262f549f5aa16a119369aef (Telegram.ipa); e3872bb33d8a4629846539eb859340940d14fdcf5b1c002b57c7dfe2adf52f08 (Wplus.ipa).

General Information - Click Here
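An added example, not from the original post or from the researchers it cites: a small matcher that checks a DNS resolver log against the domains listed above and a sha256sum-style inventory of .ipa files against the hashes listed above. The indicators are the ones in the post; the log format, client addresses and inventory paths are constructed for the demo.

```python
# Indicators exactly as listed in the recommendations above (defanged form).
MDM_DOMAINS = ["ios-certificate-update[.]com", "www[.]wpitcher[.]com",
               "techwach[.]com", "voguextra[.]com"]
MDM_HASHES = {
    "329e025866bc6e88184af0b633eb3334b2e8b1c0817437c03fcd922987c5cf04": "AppsSLoader.ipa",
    "aef046b67871076d507019cd87afdaeef602d1d2924b434ec1c165097b781242": "MyApp.ipa",
    "4be31095e5f010cc71cf8961f8fe3fc3ed27f8d8788124888a1e90cb90b2bef1": "PrayTime.ipa",
    "624689a1fd67891be1399811d6008524a506e7e0b262f549f5aa16a119369aef": "Telegram.ipa",
    "e3872bb33d8a4629846539eb859340940d14fdcf5b1c002b57c7dfe2adf52f08": "Wplus.ipa",
}

# Constructed DNS resolver log and constructed "sha256sum" output for .ipa files
# pulled from an MDM server; only the tg.ipa line reuses a hash from the post.
SAMPLE_DNS_LOG = """\
2018-07-25T10:00:01Z client=10.1.1.5 query=www.apple.com
2018-07-25T10:00:04Z client=10.1.1.5 query=ios-certificate-update.com
2018-07-25T10:00:09Z client=10.1.1.8 query=mdm.techwach.com
2018-07-25T10:00:12Z client=10.1.1.9 query=notwpitcher.com
"""
SAMPLE_INVENTORY = """\
5d41402abc4b2a76b9719d911017c592ab5a1b2c3d4e5f60718293a4b5c6d7e8  /var/mdm/uploads/notes.ipa
624689a1fd67891be1399811d6008524a506e7e0b262f549f5aa16a119369aef  /var/mdm/uploads/tg.ipa
"""

def refang(domain):
    """Turn the defanged 'a[.]b' form into a resolvable lowercase name."""
    return domain.replace("[.]", ".").lower()

BLOCKED_DOMAINS = {refang(d) for d in MDM_DOMAINS}

def domain_matches(query):
    """True when the query is a listed domain or any subdomain of one."""
    q = query.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in BLOCKED_DOMAINS)

def find_domain_hits(log_text):
    """(client, query) pairs in the DNS log that hit the indicator list."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if "query" in fields and domain_matches(fields["query"]):
            hits.append((fields["client"], fields["query"]))
    return hits

def hash_hits(inventory_text):
    """(path, known_name) for inventory entries whose SHA-256 is on the list."""
    hits = []
    for line in inventory_text.splitlines():
        digest, path = line.split(None, 1)
        name = MDM_HASHES.get(digest.lower())
        if name:
            hits.append((path, name))
    return hits

if __name__ == "__main__":
    for client, query in find_domain_hits(SAMPLE_DNS_LOG):
        print(f"ALERT {client} resolved listed domain {query}")
    for path, name in hash_hits(SAMPLE_INVENTORY):
        print(f"ALERT {path} matches known sample {name}")
```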

VULNERABILITY: New Bluetooth Hack Affects Millions of Devices from Major Vendors

A Bluetooth vulnerability tracked as CVE-2018-5383 has been found affecting Bluetooth implementations; it could allow an unauthenticated, remote attacker in physical proximity of targeted devices to intercept, monitor or manipulate the traffic they exchange. The vulnerability affects firmware or operating system software drivers from major vendors like Apple, Broadcom, Intel and Qualcomm, while the implication of the bug for Google, Android and Linux is still unknown. Microsoft products are not vulnerable.

The vulnerability is related to two Bluetooth features - BR/EDR implementations of Secure Simple Pairing in device firmware and Bluetooth low energy (LE) implementations of Secure Connections Pairing in operating system software.

Apple and Intel have already released patches for this vulnerability. Broadcom claims to have already made fixes available to its OEM customers, who are now responsible for providing them to end users of products supporting Bluetooth 2.1 or newer technology. Qualcomm has not released any statement regarding the vulnerability.

“Currently there is no evidence of the bug being exploited maliciously and it is not aware of any devices implementing the attack being developed, including by the researchers who identified the vulnerability” – as stated by the Bluetooth SIG. It should also be noted that in order to carry out an attack, the attacker would have to be in range of both of the targeted devices during the pairing process, and both devices would need to be vulnerable to the attack.

Proficio Threat Intelligence Recommendations:

  • Check with the device vendor for the availability of software and firmware updates.

  • Ensure that all software and firmware are updated to the latest version.

General Information - Click Here

METHOD: Scammers Use Breached Personal Data in Phishing Campaigns

Scammers often use a wide spectrum of social engineering methods when persuading potential victims to follow the desired course of action. Recent campaigns are using details gathered in mass breaches such as passwords, email addresses, and other personal information gained from past data compromises. Examples of such scams include:

1) Personalized Porn Extortion Scam

This campaign involves the sender claiming to have evidence of the recipient’s porn viewing activities, and then demanding payment in exchange for “suppressing” the evidence. The scammer is also observed utilising personal information about the recipient beyond just the name, such as a real password the recipient used that was discovered in a data breach dump. Attackers have also been observed claiming to have RDP (remote desktop protocol) access to the recipient's computer as a means to watch them while they browse pornography sites. The scam often demands payment via hard-to-trace cryptocurrency like Bitcoin and calls this a “privacy fee.” The real user password used in the scam was likely obtained from one of the mass data breaches that include email addresses, passwords, and other personal information.

2) Data Breach Lawsuit Case

In this case, the scammer utilizes the victim’s phone number to prove that the victim has sensitive data that was leaked. The scammer poses as an entity that is preparing to sue the company that allegedly leaked the data:

“Your data is compromised. We are preparing a lawsuit against the company that allowed a big data leak. If all our clients win a case, we plan to get a large amount of compensation and all the data and photos that were stolen from the company. For example, we write to your email and include part your number ****** from a large leak.”

The sender’s objective is to solicit additional personal information from the victim under the guise of preparing the lawsuit, possibly requesting the social security number, banking account details, etc.

Proficio Threat Intelligence Recommendations:

  • Enable spam filters that recognize and block emails from suspicious sources before they reach employees' inboxes.

  • Do not email or reply to the scammers.

  • Do not pay; paying only signals that you are vulnerable, and you may be targeted by the scammers again.

General Information on Campaigns - Click Here

Target: SingHealth Patient Data Breach

July 20, 2018

Singapore authorities reported on a cyber-attack affecting SingHealth, the largest group of healthcare institutions in Singapore. This is the largest known cyber-attack targeting organizations based in Singapore that has been reported by Singapore news media. The cyber-attack appears to have resulted in a data breach affecting around 1.5 million patients who visited SingHealth between May 1, 2015 and July 4, 2018. The data breach included personally identifiable information such as names, NRIC, address, gender and race. Around 160,000 of these patients also had their outpatient prescriptions stolen. The Prime Minister of Singapore's personal information was targeted as part of the attack.

The attack was first identified by database administrators from the Integrated Health Information System (IHIS) on July 4, 2018, when they identified anomalous activity on one of SingHealth's IT databases. By July 10th, investigators confirmed it was a cyber-attack, with data stolen between June 27 and July 4.

Although attribution to the exact party that performed the attack is speculative with the data that is publicly available, a statement by the Singapore Health Ministry stated that "It [the attack] was not the work of casual hackers or criminal gangs.” We expect to be able to understand more about the attackers once more technical data is available.

Proficio Threat Intelligence Recommendations:

  • Ensure that any sensitive data is encrypted, and limit access of employees and other stakeholders by their roles using the principle of least privilege. Passwords that are stored should be encrypted, and strong password policies should be enforced.

  • Review the organization's data retention policies on the duration and the types of PII that should be stored. To further limit data exposure, companies are advised to purge customers' PII when it is not needed for business purposes and is no longer required by law to be retained.

  • Any potential victim can check if their data has been compromised by accessing the following website: https://datacheck.singhealth.com.sg.

General Information - Click Here

Target: Labcorp Ransomware Attack

July 17, 2018

LabCorp, one of the largest clinical laboratory networks in the US, reported to the SEC that many of its assets had been infected with ransomware. The attack, which began at midnight on July 13th and lasted 50 minutes, is suspected to have started with the attackers brute forcing a public facing RDP service and then spreading a variant of SamSam ransomware. Although the attack was contained within 50 minutes, according to CSO Online the attackers were able to infect 7,000 systems, 1,900 servers, and 350 production servers. The attack is thought to have compromised only Windows servers on the LabCorp network.

The attackers behind the RDP brute force attacks leading to SamSam ransomware used the same methods that led to many successful attacks within the last year on multiple healthcare organizations, government entities, and schools. The best known of the recent victims was the City of Atlanta.

This is another major corporate breach in which public facing RDP was likely overlooked and enabled massive damage to the organization.

Proficio Threat Intelligence Recommendations:

  • Implement two-factor authentication to any public facing RDP services required for business

  • Implement monitoring use cases to look for any newly detected public RDP services open to the internet and take appropriate action to mitigate each new detection

  • Implement and test rapid responses that can contain spreading ransomware attacks through MDR services or an EDR platform.

  • Validate any public facing Windows servers are up-to-date on patching and endpoint security controls

General Information - Click Here

ATTACKER: Actors Behind Blackgear Campaign Update C2 Methods

On July 17th, new activity from the actors behind the Blackgear campaign was reported by Trend Micro. The Blackgear campaign is an ongoing targeted attack against organizations mainly in Japan, South Korea, and Taiwan. It has been ongoing since at least 2008, when Protux, a malware used in the Blackgear campaign, was discovered in spear phishing emails against Tibetan activists. The campaign mainly consists of spear phishing for delivery and multiple stages of malware (binder, downloader, backdoor) for infection.

In the most recent Trend Micro report, the malware used by the threat actors behind Blackgear (Protux and Marade) advanced its command and control methods by downloading its configuration from posts on legitimate social media sites. The Trend Micro article included screenshots of Facebook posts containing strings made to look like magnet links that actually contained the command and control data. The data was disguised as magnet links to avoid antivirus detection. Once the "magnet link" is downloaded, the malware decrypts the string to recover its command and control configuration.
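An added example (not the page's or Trend Micro's code): a triage heuristic for the magnet-link disguise described above. A genuine magnet link carries a 40-character hex or 32-character base32 BitTorrent info-hash, so a string that wears the magnet prefix but carries something else in that slot, or an oversized parameter, is worth pulling for analysis. The sample post text and the size threshold are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

MAGNET_RE = re.compile(r"magnet:\?[^\s\"'<>]+", re.IGNORECASE)
BTIH_HEX = re.compile(r"^[0-9a-fA-F]{40}$")  # 20-byte info-hash as hex
BTIH_B32 = re.compile(r"^[A-Z2-7]{32}$")     # same info-hash as base32
MAX_PARAM_LEN = 200  # assumed threshold; tune it to your own traffic

# Constructed social-media post text: one ordinary link and one whose
# "info-hash" is an 84-character base64-looking blob standing in for a
# smuggled C2 configuration.
GOOD_LINK = "magnet:?xt=urn:btih:" + "a1b2c3d4e5" * 4 + "&dn=ubuntu-18.04-desktop-amd64.iso"
BAD_LINK = "magnet:?xt=urn:btih:" + "Q2FzZSBzdHVkeQ" * 6 + "&dn=update"
SAMPLE_POSTS = f"Great release, grab it here: {GOOD_LINK}\nMirror: {BAD_LINK}\n"

def triage_magnet(link):
    """Return the reasons a magnet link looks abnormal (empty list = well-formed)."""
    reasons = []
    params = parse_qs(urlsplit(link).query, keep_blank_values=True)
    xts = params.get("xt", [])
    if not xts:
        reasons.append("no xt parameter")
    for xt in xts:
        if not xt.startswith("urn:btih:"):
            reasons.append(f"unexpected urn type: {xt[:20]}")
            continue
        digest = xt[len("urn:btih:"):]
        if not (BTIH_HEX.match(digest) or BTIH_B32.match(digest)):
            reasons.append(f"info-hash is not 40 hex / 32 base32 chars ({len(digest)} chars)")
    for key, values in params.items():
        for value in values:
            if len(value) > MAX_PARAM_LEN:
                reasons.append(f"oversized {key} value ({len(value)} chars)")
    return reasons

def find_suspicious_magnets(text):
    """(link, reasons) for every magnet-looking string in text that fails triage."""
    results = []
    for link in MAGNET_RE.findall(text):
        reasons = triage_magnet(link)
        if reasons:
            results.append((link, reasons))
    return results

if __name__ == "__main__":
    for link, reasons in find_suspicious_magnets(SAMPLE_POSTS):
        print(f"SUSPECT {link[:60]}... -> {'; '.join(reasons)}")
```

Run it over text captured at the proxy for the social networks you cannot block outright; a hit is a reason to look at the endpoint that fetched the post, not proof of infection.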

Trend Micro also posted the command interface of the Protux malware used to control an infected host. The tool appeared to have several capabilities it could perform on the remote host, including screen capture, shell access, and access to the registry / process / service configuration of the system.

Trend Micro also gave details around sample phishing used in the attack chain. In it, at least one phish required a user to enable macros on an Excel file to perform infection via VBScript.

Proficio Threat Intelligence Recommendations:

  • Train users not to enable any type of Microsoft Office Macros delivered in email attachments.

  • Assess blocking well-known social networks that do not have business use to potentially reduce future channels of command and control.

  • Make sure all systems from which users access email have up-to-date endpoint security controls.

  • In your Windows GPO (group policy), enable the policy that blocks macros from running in Office files downloaded from the internet.

Trend Micro latest entry on Blackgear Campaign - Click Here
Trend Micro previous intel on Blackgear Campaign - Click Here