Cyber Threat Intelligence Briefing: 9 October 2020

The S-RM Cyber Threat Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.

OVERVIEW

• Iranian state-sponsored hackers are back. The Zerologon vulnerability which we have discussed in previous weeks is now being exploited by Iranian state-sponsored hackers.

• US Treasury threatens sanctions for ransomware payments. This comes amid increasing pressure on cyber insurers and bankers to not facilitate ransom payments.

• In other stories this week, dozens of cryptocurrency leaders had their mobiles compromised and Emotet is back… again.

Security Round-up

Iranian nation state hackers exploit Zerologon vulnerability

• Microsoft have identified state-sponsored hackers (Mercury) that are currently exploiting the Zerologon vulnerability, which would allow hackers to take over domain controllers – the keys to the kingdom of any organisation.^[1]
• The threat group is understood to be contractors working for the Iranian government under orders from Iran’s intelligence service.
• While attacks predominantly need to be carried out from internal networks, if the domain controller is publicly exposed, the attacks can be carried out remotely.

So what for security teams? We have seen attacks which exploit this vulnerability dramatically rise in the last few weeks and this has culminated with nation state actors using this exploit to action their objectives. This underscores the importance of applying patches to your critical infrastructure in a timely manner. Waiting weeks to take any action on your publicly exposed infrastructure can have devastating consequences. Monitoring the audit logs of your domain controllers for suspicious activity should be a high priority for those teams that are still testing patches.

Sanctions threatened for ransomware payments

• Two warnings against facilitating ransomware payments were issued by the US Treasury and the Financial Crimes Enforcement Network (FinCEN) last week.^[2] This places many businesses in a difficult position, since we are currently observing a trend in ransomware which results not only in the encryption of data, but also in the exfiltration of sensitive data. If a business is not permitted to pay the ransom, this could result in the disclosure of sensitive customer data.
• Traditionally, businesses have been relying on their cyber insurance to protect themselves against these types of threats. The advisories are, in part, an attempt to up the pressure on insurers that are currently enabling payments, sometimes worth millions of dollars, to ransomware groups. Without the support of insurance, businesses may be unable to afford a ransom and so prevent public exposure of stolen data, which can result in lawsuits, regulatory fines, and reputational damage.
• These advisories are aimed at restricting the cash flow to organised cybercrime and state-sponsored attackers.

So what? The ransomware problem is an ever-increasing threat: victims are more numerous by the day and the ransoms demanded are getting ever more exorbitant. Cyber insurance plays a part in the vicious cycle of ransomware – they enable payment and indeed are used by some insureds to compensate for a lack of investment in a solid information security programme. The US government’s attempts to restrict payments to the cybercrime groups behind ransomware attacks aim to break the cycle of ransomware payments funding crime groups and so facilitating further attacks. Whether this approach will effectively reduce the incentive for ransomware attacks is yet to be seen.

Emotet strikes again

• After lying dormant for almost six months, Emotet, a sophisticated Trojan that acts as a dropper for other malware, made a resurgence in July.^[3] The Cybersecurity Infrastructure Security Agency (CISA) issued an advisory this week stating the agency had seen a dramatic increase since August in threat actors targeting state and local governments with Emotet phishing emails.
• The surges of Emotet have resulted in the compromise of accounts in Canada, France, Japan, New Zealand, Italy and the Netherlands.^[4]
• New tactics employed in the Emotet campaign include attaching password-protected archive files, such as Zip files, to emails to bypass email security gateways. Additionally, thread hijacking has been observed, which involves stealing an existing email chain from an infected host to reply to the chain, and attaching a malicious document to the chain to compromise further contacts.

So what for security teams? Emotet has a long history of compromising user accounts. Since it doesn’t appear to be going anywhere soon, now is the time to be strengthening email security. The most important control to protect against phishing emails is user awareness; raising awareness of these campaigns and the importance of verifying out-of-band with the sender of an email if users see a suspicious attachment. Secondly, blocking email attachments commonly associated with malware, such as dynamic link libraries (.dll) and (.exe) provides an additional layer of security. Finally, blocking email attachments which cannot be scanned by antivirus software, such as zip files, mitigates against these forms of attacks.

CrypTocurrency executives’ phones hacked

• Around 20 Israeli cryptocurrency executives had their mobile devices hacked and their identity stolen during a one-of-a-kind attack at the beginning of September.^[5]
• The attack was carried out by a sophisticated group, which displayed nation state capabilities – they managed to compromise the Telegram and WhatsApp accounts of their targets and send messages to their contact book asking for cyptocurrency payments. The 20 or so victims were all executives who worked for different cryptocurrency companies.
• It turns out that the threat group were able to hijack SMS messages that were sent by the victims’ telecommunications provider when a password reset was requested. Consequently, the threat actors are likely working for a nation state and managed to hack into the cellular network of another country, in this case, Israel.
• It is understood that none of the victims transferred any money to the hackers and as such, the attack failed.

So what for leadership? This type of attack underscores the value that hackers place on company executives and senior leadership, who are considered lucrative targets. While the attacks in this case were unsuccessful, they could have caused significant financial damage. Leadership teams should be looking to raise user awareness, particularly when it comes to financial payments. Every suspicious request for payment should be challenged and communication made with the recipient out-of-band.

The election is coming, and so are the information operations

• As the US heads towards its November election, disinformation actors are stepping up activity, while gatekeepers are looking to defend the democratic process against information operations.
• This week saw the US Department of Justice announcing it had seized 92 domains tied to disinformation run by Iran's Revolutionary Guard Corps.^[6] While Iran is less often associated with disinformation campaigns, it is not unheard of. Four of the domains were used to host fake news outlets – an age-old active measures tactic, sowing disinformation by manipulating a key gatekeeper: the media.
• In other disinformation news, this week Twitter tested how to make its misinformation labels more obvious (a key approach the tech giant has taken to combat the spread of false information),^[7] and Facebook took the step to delete a post by US President Trump claiming that COVID-19 is “less lethal” than the flu.^[8]

So what? Disinformation has been part of the nation state playbook well before the internet age. However, Iranian information operations are more nascent and a clear sign of Tehran looking to expand the levers it uses to advance its agenda.

Indicators of compromise

The Indicators of Compromise (IOCs) below offer a snapshot of the forensic artefacts currently known to be associated with some of the campaigns discussed in this week's set of stories.

Emotet heightened spam activity

Talos Intelligence maintain an up-to-date repository of the latest Emotet IOCs:

Latest Command and Control IPs:

186[.]4[.]172[.]5:443

201[.]212[.]57[.]109:80

104[.]131[.]11[.]150:8080

178[.]32[.]255[.]133:443

93[.]78[.]205[.]196:443

176[.]58[.]93[.]123:8080

104[.]131[.]58[.]132:8080

216[.]154[.]222[.]52:7080

89[.]188[.]124[.]145:443

179[.]62[.]18[.]56:443

143[.]0[.]245[.]169:8080

190[.]92[.]103[.]7:80

159[.]65[.]241[.]220:8080

203[.]130[.]0[.]67:80

151[.]80[.]142[.]33:80

185[.]187[.]198[.]4:8080

186[.]4[.]172[.]5:8080

181[.]230[.]126[.]152:8090

201[.]250[.]11[.]236:50000

182[.]76[.]6[.]2:8080

179[.]12[.]170[.]88:8080

104[.]236[.]185[.]25:8080

User Agent:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR

References

[1] ‘Microsoft says Iranian hackers are exploiting the Zerologon vulnerability’, ZDNet, 05 October 2020.

[2] ‘US Treasury threatens sanctions for Ransomware payments’, Enterprise Times, 05 October 2020.

[3] ‘Emotet Malware’, CISA, 06 October 2020.

[4] ‘France, Japan, New Zealand warn of sudden spike in Emotet attakcs’, ZDNet, 08 September 2020.

[5] ‘Exclusive: Intricate Hack Against Israeli Crypto Leaders; 'Mossad Investigating’, Haaretz, 06 October 2020.

[6] ‘United States Seizes Domain Names Used by Iran’s Islamic Revolutionary Guard Corps’, US Department of Justice, 07 October 2020.

[7] ‘Twitter is testing how its misinformation labels can be more obvious, direct’, Reuters, 06 October 2020.

[8] ‘Trump Covid post deleted by Facebook and hidden by Twitter’, , 06 October 2020.