Weekly Intelligence Summary | 24 April 2020
Updated: Jun 11
In the spotlight this week:
COVID-19 remains in the spotlight, according to Google.
Other items that should attract attention:
All VPN vulnerabilities, including those in Pulse Connect Secure, give adversaries ways to launch stealthy attacks during the COVID-19 period, as organizations allow their employees to work from home.
Ransomware attackers are no longer looking for only a few hundred USD; they are now aggressively demanding more money. DoppelPaymer and Nightwalker ransomware will publish their victims' data if payment is not provided.
Threatpost reported on April 21, 2020 that the IBM Data Risk Manager 0-days are still unpatched. This incident is a reminder of the June 2019 Reuters report about China being able to hack eight major MSSPs in a years-long attack.
FireEye claims that the Vietnamese threat actor APT32 is targeting the Wuhan government.
Source: Orange Tsai’s blog post. Retrieved from https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html
The Cybersecurity and Infrastructure Security Agency. Retrieved from https://www.us-cert.gov/APTs-Targeting-IT-Service-Provider-Customers
April 21, 2020 | Inside the West's Failed Fight Against China's 'Cloud Hopper' Hackers
Security researcher Pedro Ribeiro, Director of Research at Agile Information Security, has published details about four zero-day vulnerabilities affecting the IBM Data Risk Manager (IDRM) after the company refused to address the issues. The IBM Data Risk Manager is an enterprise security product that aggregates feeds from vulnerability scanners and other risk management tools, allowing analysis of security events and data-related business risks. IBM weighed in on the problem this week: after the researcher went public with the bugs, one of which may end up being a zero-day issue, Big Blue is still investigating.
Source: Reuters. Retrieved from https://www.reuters.com/investigates/special-report/china-cyber-cloudhopper/
Threatpost. Retrieved from https://threatpost.com/rce-exploit-ibm-data-risk-manager-no-patch/154986/
April 21, 2020 | DoppelPaymer Ransomware Hits Los Angeles County City, Leaks Files
The City of Torrance, in the Los Angeles metropolitan area of California, has allegedly been attacked by the DoppelPaymer ransomware, which encrypted its devices and stole unencrypted data. The attackers are demanding a 100 bitcoin (USD 689,147) ransom for a decryptor, to take down files that have already been publicly leaked, and to not release more stolen files. In February 2020, DoppelPaymer created a site called 'Dopple Leaks' that it uses to publish the stolen data of victims who refuse to pay. According to ZDNet, ransomware gangs are getting more aggressive about pursuing payments and have begun stealing sensitive documents and threatening to leak them if victims do not pay the requested ransom.
Source: Bleeping Computer. Retrieved from https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-hits-los-angeles-county-city-leaks-files/
April 21, 2020 | Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage
From January to April 2020, suspected Vietnamese actors, APT32, carried out intrusion campaigns against Chinese targets which Mandiant Threat Intelligence believes were designed to collect intelligence on the COVID-19 crisis. APT32 sent spear-phishing messages to China's Ministry of Emergency Management and the Government of Wuhan province, where COVID-19 was first identified. Although East Asia has been the consistent target of this activity, previous reports on APT32, this current incident, and other publicly reported intrusions are all part of a global increase in cyber espionage related to the crisis, carried out by states desperately seeking solutions and non-public information.
Source: FireEye Threat Research. Retrieved from https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html
April 21, 2020 | Zoom Malware Can Record Meetings; Attack Simulation Shows How
Over the past few weeks, Morphisec Labs researchers have identified a flaw in the Zoom application that allows threat actors to covertly record Zoom sessions and capture chat messages without any of the meeting participants' knowledge. The Zoom malware can do this even when the host has disabled recording for participants. The trigger is malware that injects its code into a Zoom process without any user interaction, regardless of whether the host has enabled the recording feature.
Source: Morphisec. Retrieved from https://blog.morphisec.com/zoom-malware-can-record-meetings-attack-simulation-shows-how
April 21, 2020 | IR Case: The Florentine Banker Group
The alarming scenario behind the threat group "The Florentine Banker", which conducts various types of Business Email Compromise (BEC), is similar to a case investigated by the Check Point Incident Response Team (CPIRT). The case CPIRT examined was an incident in which attackers were able to divert USD 1M worth of funds that were supposed to be transferred from a Chinese venture capital firm.
Source: Check Point Research. Retrieved from https://research.checkpoint.com/2020/ir-case-the-florentine-banker-group/
April 23, 2020 | Pulse Connect Secure Severe Vulnerabilities
On April 6, 2020, three issues were discovered in Host Checker policy enforcement on Pulse Connect Secure (PCS). These vulnerabilities were assigned CVE-2020-11580 (no certificate validation), CVE-2020-11581 (command injection) and CVE-2020-11582 (DNS rebinding). Together they could allow a man-in-the-middle (MITM) attacker to perform a remote code execution (RCE) attack. CERT-EU is not aware of any malicious exploitation of these vulnerabilities, but it should be noted that the file in which they reside (tncc.jar) is not obfuscated in any way, so its original source code can be recovered with almost any Java decompiler and customized in a malicious manner. Separately, CrowdStrike discovered two distinct vulnerabilities in the Windows, Linux and macOS versions of the Palo Alto Networks GlobalProtect VPN client.
Source: CERT-EU. Retrieved from https://media.cert.europa.eu/static/SecurityAdvisories/2020/CERT-EU-SA2020-023.pdf
CrowdStrike. Retrieved from https://www.crowdstrike.com/blog/exploiting-escalation-of-privileges-via-globalprotect-part-1/