Weekly Threat Intelligence Digest

September 11, 2020

This week, we digest the CDRThief malware, exploitation of CVE-2020-1472, malvertising campaigns, and more.


Zerologon: Instantly Become Domain Admin by Subverting Netlogon Cryptography

September 11, 2020

Researchers at Secura have published a test tool and white paper detailing CVE-2020-1472 (Zerologon), a vulnerability that stems from a flaw in the cryptographic authentication scheme used by the Netlogon Remote Protocol. Microsoft has patched the vulnerability, and Secura urges every affected organization to install the patch on all domain controllers as soon as possible.
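The flaw Secura describes is that Netlogon's credential computation runs AES in CFB8 mode with an all-zero IV over a client-chosen challenge, so roughly one key in 256 turns an all-zero challenge into an all-zero credential. The following added example (not Secura's tool or code) reproduces that CFB8 property. It assumes a SHA-256 keyed function standing in for the AES block function, which is a safe substitution here because CFB only ever calls the block function's forward direction, and the keys, IVs and challenge bytes are constructed for the demo.

```python
# Added example (not part of the Secura write-up or test tool): why CFB8 with a
# fixed all-zero IV collapses when the plaintext is also all zeros.
import hashlib
import os

BLOCK = 16          # block size in bytes (AES-sized)
CHALLENGE_LEN = 8   # length of the value being encrypted


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Assumption: a keyed PRF built from SHA-256 stands in for the AES block
    # function. CFB never invokes block decryption, so the CFB8 behaviour shown
    # here does not depend on which block function sits underneath.
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CFB8: encrypt the shift register, XOR its first byte into one plaintext
    # byte, then shift the resulting ciphertext byte into the register.
    shift = iv
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, shift)[0]
        out.append(c)
        shift = shift[1:] + bytes([c])
    return bytes(out)


def cfb8_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # Same keystream as encryption; the register is fed ciphertext bytes.
    shift = iv
    out = bytearray()
    for c in ciphertext:
        out.append(c ^ block_encrypt(key, shift)[0])
        shift = shift[1:] + bytes([c])
    return bytes(out)


ZERO_IV = bytes(BLOCK)


def yields_zero_credential(key: bytes) -> bool:
    # With a zero IV and zero plaintext the shift register starts all-zero.
    # If E_k(0)[0] == 0 the first ciphertext byte is 0, the register stays
    # all-zero, and every following byte repeats the same computation: the
    # whole output is zeros. That happens for about 1 key in 256.
    zeros = bytes(CHALLENGE_LEN)
    return cfb8_encrypt(key, ZERO_IV, zeros) == zeros


def count_weak_keys(n: int) -> int:
    # Keys are a deterministic counter so the demo is reproducible; roughly
    # n / 256 of them are expected to satisfy the condition.
    return sum(yields_zero_credential(i.to_bytes(BLOCK, "big")) for i in range(n))


def find_weak_key(max_tries: int = 4096):
    # Returns the first weak key in the counter sequence and how many tries
    # it took; this is the "retry until it works" observation in one loop.
    for i in range(max_tries):
        key = i.to_bytes(BLOCK, "big")
        if yields_zero_credential(key):
            return key, i + 1
    return None, max_tries


def zero_credentials_with_random_iv(key: bytes, trials: int = 1000) -> int:
    # The same weak key with a fresh random IV per message: the all-zero
    # output disappears, which shows the fixed IV, not CFB8 itself, is the bug.
    zeros = bytes(CHALLENGE_LEN)
    return sum(
        cfb8_encrypt(key, os.urandom(BLOCK), zeros) == zeros for _ in range(trials)
    )


if __name__ == "__main__":
    key, tries = find_weak_key()
    print(f"weak key after {tries} tries: {key.hex() if key else None}")
    print(f"weak keys among 8192 candidates: {count_weak_keys(8192)}")
    print(f"zero outputs with random IVs: {zero_credentials_with_random_iv(key)}")
```

In Netlogon the key is the session key derived from the computer account secret and the client picks the challenge, so an attacker who is allowed to retry the handshake will hit the 1-in-256 condition after a few hundred attempts without knowing the secret at all. The practical checks are that every domain controller has the August 2020 (or later) update installed and that, on patched controllers, the new Netlogon events (Event ID 5829 flags vulnerable secure-channel connections that are still being allowed) are being collected and reviewed.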

CVEs of Interest: CVE-2020-1472, CVE-2019-1424

MITRE ATT&CK: Custom Cryptographic Protocol - T1024, Standard Application Layer Protocol - T1071, Brute Force - T1110, Data from Network Shared Drive - T1039, Pass the Hash - T1075, Standard Cryptographic Protocol - T1032

Source: Secura

 


Credential Phishing Attack Performs Real-Time AD Authentication

September 10, 2020

The Armorblox Threat Research Team has identified a phishing campaign that validated submitted credentials in real time against the targeted (undisclosed) organization's Active Directory in order to harvest working Office 365 credentials. The team provides a breakdown of the attack flow and of the infrastructure behind the attack.

MITRE ATT&CK: ATT&CK 01 Initial Access, Source - T1153, Web Service - T1102, System Network Configuration Discovery - T1016

Indicators:
Domain
j.q.zehfsje.com
teenagemoglen.com

Source: Armorblox

 


Equinix Data Center Giant Hit by Netwalker Ransomware, $4.5M Ransom

September 10, 2020

International data center provider Equinix was hit with a Netwalker ransomware attack over Labor Day weekend. The ransom note includes screenshots of data allegedly stolen, suggesting the attackers exfiltrated accounting and financial records, and demands 455 bitcoin.

MITRE ATT&CK: Standard Application Layer Protocol - T1071, Data Encrypted for Impact - T1486, Remote Desktop Protocol - T1076, Multi-hop Proxy - T1188, Screen Capture - T1113, Source - T1153

Source: Bleeping Computer

 


Razer Gaming Fans Caught Up in Data Leak

September 10, 2020

Due to a misconfigured Elasticsearch cloud cluster, an estimated 100K Razer Gaming customers may have had private information exposed to the public. The database contained customer information including full names, phone numbers, email addresses, order details, and more.

MITRE ATT&CK: Insider Threat - Unintentional Bad Users, Data Encrypted for Impact - T1486, ATT&CK 01 Initial Access

Source: Threatpost

 


Who Is Calling? CDRThief Targets Linux VoIP Softswitches

September 10, 2020

ESET researchers have discovered and analyzed new malware they call CDRThief. The malware targets the Linknat VOS2009 and VOS3000 VoIP platforms, which are used by Chinese softswitch operators, with the primary goal of exfiltrating Call Detail Records (CDRs) from a compromised softswitch.

MITRE ATT&CK: Obfuscated Files or Information - T1027, Obfuscated Files or Information: Software Packing - T1027.002, Unsecured Credentials: Credentials in Files - T1552.001, System Information Discovery - T1082, Archive Collected Data: Archive via Custom Method - T1560.003, Exfiltration Over C2 Channel - T1041

Indicators:
File
6B15CF51E4DFF3E25B805173EEF88940DBEB52B2662BD265450E6E54D5BB84D6
3339B8C4A522548B67FCA732C54FA232
8532E858EB24AE38632091D2D790A1299B7BBC87
8E2624DA4D209ABD3364D90F7BC08230F84510DB
CC373D633A16817F7D21372C56955923C9DDA825
FC7CCABB239AD6FD22472E5B7BB6A5773B7A3DAC
IPv4
34.94.199.142
119.29.173.65
35.236.173.187
129.226.134.180
150.109.79.136
129.211.157.244

Source: ESET

 


Malvertising Campaigns Come Back in Full Swing

September 9, 2020

Malwarebytes Labs researchers uncovered a large malvertising campaign targeting the highly trafficked xHamster website. The team provides a deeper look into this campaign and into how modern malvertising operates.

CVEs of Interest: CVE-2018-15982, CVE-2019-0752

MITRE ATT&CK: Standard Application Layer Protocol - T1071, NTFS File Attributes - T1096

Indicators:
Domain
inteca-deco.com
websolvent.me
intica-deco.com
chinadevmonster.top
dkajsdjiqwdwnfj.info
2831ujedkdajsdj.info
928eijdksasnfss.info
einlegesohle.com
adexhangetomatto.space
encelava.com
uneaskie.com
bumblizz.com
canadaversaliska.info
krostaur.com
leiomity.com
surdised.com
File
B289155154642BA8E9B032490A20C4A2C09B925E5B85DDA11FC85D377BAA6A6C
F319264B36CDF0DAEB6174A43AAF4A6684775E6F0FB69AAF2D7DC051A593DE93
23BEF893E3AF7CB49DC5AE0A14452ED781F841DB7397DC3EBB689291FD701B6B
IPv4
34.105.147.92
URL
34.105.147.92/gate/log.php
chinadevmonster.top/gate/log.php
einlegesohle.com/indexx.php
encelava.com/coexo.php
encelava.com/caac
uneaskie.com/ukexo.php
bumblizz.com/auexo.php
bumblizz.com/auflexexo.php
bumblizz.com/caexo.php
bumblizz.com/caflexexo.php
bumblizz.com/usexo.php
bumblizz.com/usflexexo.php
canadaversaliska.info/coflexexo.php
canadaversaliska.info/coflexo.php
canadaversaliska.info/ukflexexo.php
canadaversaliska.info/ukflexo.php
canadaversaliska.info/usflexexo.php
canadaversaliska.info/usflexo.php
krostaur.com/jpexo.php
krostaur.com/jpflexexo.php
krostaur.com/jpflexo.php
leiomity.com/ukexo.php
leiomity.com/ukflexexo.php
leiomity.com/usexo.php
leiomity.com/usflexexo.php
surdised.com/coexo.php
surdised.com/usexo.php

Source: Malwarebytes Labs

 


Java Network Launch Protocol - Another Way For Distributing Java Downloaders

September 9, 2020

Security researchers at Forcepoint X-Labs have identified a feature of the Java Network Launch Protocol (JNLP) that is being actively abused to automate the download and execution of malware: a JNLP launch file tells Java Web Start which remote JARs to fetch and which class to run.
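Because a JNLP file is plain XML, a responder can read off exactly what Java would download and run before detonating anything. The following added example (not Forcepoint's code) parses a launch file, resolves every jar/nativelib href against the codebase, extracts the main class and its arguments, and raises flags for the properties that warrant a closer look. The JNLP content and the example.invalid hosts are constructed for the demo.

```python
# Added example (not Forcepoint's code): static triage of a JNLP launch file.
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

# Constructed sample; example.invalid hosts are placeholders, not real IOCs.
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="https://cdn.example.invalid/app/" href="launch.jnlp">
  <information>
    <title>Invoice Viewer</title>
    <vendor>Example Corp</vendor>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se version="1.8+"/>
    <jar href="viewer.jar" main="true"/>
    <jar href="https://files.example.invalid/bin/loader.jar"/>
  </resources>
  <application-desc main-class="com.example.Viewer">
    <argument>https://files.example.invalid/bin/payload.bin</argument>
  </application-desc>
</jnlp>
"""


def triage_jnlp(text: str) -> dict:
    """Return what the launch file would fetch and run, plus review flags."""
    root = ET.fromstring(text)
    codebase = root.get("codebase", "")
    codebase_host = urlsplit(codebase).hostname

    # Relative hrefs resolve against codebase; absolute hrefs may point anywhere.
    elements = list(root.iter("jar")) + list(root.iter("nativelib"))
    resources = [urljoin(codebase, el.get("href", "")) for el in elements]

    app = root.find("application-desc")
    main_class = app.get("main-class") if app is not None else None
    args = [a.text or "" for a in app.iter("argument")] if app is not None else []

    flags = []
    # all-permissions asks the JVM to run the code outside the sandbox.
    if root.find("security/all-permissions") is not None:
        flags.append("all-permissions")
    # Code pulled from a host other than the codebase is a downloader pattern.
    off_codebase = [u for u in resources if urlsplit(u).hostname != codebase_host]
    if off_codebase:
        flags.append("resource-off-codebase")
    # A URL handed to main() is commonly the next-stage payload location.
    if any(urlsplit(a).scheme in ("http", "https") for a in args):
        flags.append("url-argument")

    return {
        "codebase": codebase,
        "resources": resources,
        "off_codebase": off_codebase,
        "main_class": main_class,
        "arguments": args,
        "hosts": sorted({urlsplit(u).hostname for u in resources if urlsplit(u).hostname}),
        "flags": flags,
    }


if __name__ == "__main__":
    report = triage_jnlp(SAMPLE_JNLP)
    for k, v in report.items():
        print(f"{k}: {v}")
```

The hosts list is what goes into proxy and DNS log searches, and the flags are the triage questions: does the application need full permissions, and why does it load code from somewhere other than its own codebase? Gateways that allow `.jnlp` downloads should be inspecting these files with the same scrutiny as any other executable content.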

MITRE ATT&CK: Source - T1153, Data Compressed - T1002, Standard Application Layer Protocol - T1071, ATT&CK 02 Execution, ATT&CK 10 Command and Control

Indicators:
Domain
social.interactivegood.com
gstat.americansreachingmanyservices.com
social.farfetchedproductions.com
line.campdiy.com
File
0776F05B3DD4D3E64D67F546C96DB8EAEDA43DC0
EB754E01F809B42BCF3675A8BD4E5481EAB8D08F
B8AA4FBBA139B8F783A52C3BA8E8A4091EAF0C05
10C733DA7668D037BD743430523403197641715A
45E2FDC19E91F2264E11A97C70E3BA1D86E8A678
F9419377E43E8E8A911924FACE6C1660C85957C2
CD2FAA0EA08DB2A1C9C430891C4A82304D3ADD57
E525BDE63DFB455358C5F827B409C2BF2BC3CAF6
05E39E5621F3CA78556D9B345B9E3519D066E4BC
8724AAA2CFDBBB2832FFA278C23A11AD04902B5D
40065D1F0BF0B901B339CE476F62295F5E6F8C40
D4E84B7D26BF91C8C5AE104F6467204DF5F069CB
URL
http://gstat.rayzacastillo.com/images/
http://gstat.farmlifesupplements.com/images/
https://payreceipt.top/receipt/
https://transferreceipt.xyz/bin/

Source: Forcepoint

 


GhostDNSbusters

September 8, 2020

Researcher Nick Byers of Team Cymru, in collaboration with Manabu Niseki and CERT.br, takes a dive into GhostDNS infrastructure, its phishing targets, and its victimology.

MITRE ATT&CK: Standard Application Layer Protocol - T1071, DNS Hijacking, ATT&CK 01 Initial Access, Source - T1153, Command-Line Interface - T1059, Commonly Used Port - T1043

Indicators:
IPv4
107.155.132.186
107.155.152.14
164.90.195.195
45.62.198.242
107.155.152.5
149.56.152.185
178.62.211.51
107.155.152.28
107.155.152.27
107.155.152.24
104.215.74.207
107.155.152.21
162.248.164.36
64.225.66.217
45.62.198.74
107.155.152.3
51.81.27.247
80.82.77.163
45.62.198.73
111.90.159.53
192.169.7.38
51.159.71.63
45.62.198.243
107.155.152.15
107.155.152.17
167.172.47.178
107.155.152.13
45.62.198.89
178.62.205.16
35.203.119.123
134.209.194.220
209.61.253.201
161.35.82.213
200.98.134.184
107.155.132.189
107.155.132.188
23.101.189.23

Source: Team Cymru

 


TikTok Spyware

September 8, 2020

Researchers at Zscaler provide a detailed analysis into a spyware application masquerading as TikTok Pro.

MITRE ATT&CK: Standard Application Layer Protocol - T1071, ATT&CK 01 Initial Access, Masquerading - T1036, Data Compressed - T1002, ATT&CK 03 Persistence, External Remote Services - T1133, Commonly Used Port - T1043, ATT&CK 10 Command and Control, Screen Capture - T1113, ATT&CK 02 Execution, Input Prompt - T1141, NTFS File Attributes - T1096

Indicators:
File
9FED52EE7312E217BD10D6A156C8B988
URL
http://tiny.cc/tiktokpro

Source: Zscaler

 