UNCLASSIFIED

29 July 2020

Table of Contents

Industrial VPN vulnerabilities put critical infrastructure at risk
Ransomware: These free decryption tools have now saved victims over $600m
U.S. cybersecurity firm says Beijing-linked hackers target Vatican ahead of talks
Office 365 phishing baits employees with fake SharePoint alerts
Windows 10: New bug hits popular built-in security features
Emotet malware now steals your email attachments to attack contacts
Cerberus banking Trojan team breaks up, source code goes to auction
North Korean hackers created VHD ransomware for enterprise attacks
OkCupid: Hackers want your data, not a relationship
Feature-rich Ensiko malware can encrypt, targets Windows, macOS, Linux

Industrial VPN vulnerabilities put critical infrastructure at risk

BleepingComputer, 28 Jul 2020: Security researchers analyzing popular remote access solutions used for industrial control systems (ICS) found multiple vulnerabilities that could let unauthenticated attackers execute arbitrary code and breach the environment. The flaws are in virtual private network (VPN) implementations, and adversaries could exploit them to cause physical damage by connecting to field devices and programmable logic controllers (PLCs).

After discovering and reporting a critical vulnerability (CVE-2020-14511) in Moxa EDR-G902 and EDR-G903 series routers (version 5.4 and below), the Claroty Research Team found that products from Secomea and HMS Networks also had severe flaws that could be leveraged to gain full access to the internal network without authentication. Remote access servers like Secomea GateManager manage secure connections from outside the local network. They are critical assets, and attackers with access to them can view internal traffic and reach hosts on the network.

"If carried out successfully, such an attack could result in a complete security breach that grants full access to a customer’s internal network, along with the ability to decrypt all traffic that passes through the VPN."

Claroty created proof-of-concept exploit code to demonstrate that leveraging the vulnerability for root access is possible and prepared a video showing the attack in action. Secomea received a report about the bug and its severity in May and released a patch in July 2020. Organizations using GateManager are strongly advised to prioritize applying the patch.

Another vulnerability that could lead to remote code execution was discovered in eWon VPN. A product from HMS Networks, eWon allows remote clients to connect to it using a proprietary VPN client called eCatcher. Claroty researcher Sharon Brizinov found that a vulnerability in eCatcher could allow unauthenticated remote code execution. Identified as CVE-2020-14498, the bug could be triggered by visiting a malicious website or opening a crafted email containing a specific HTML element. In a scenario demonstrated by Claroty, a threat actor could send a phishing email to a target to trigger the flaw and potentially gain access to the restricted network.

Purpose
Educate recipients of cyber events to aid in protecting electronically stored DoD, corporate proprietary, and/or Personally Identifiable Information from unauthorized access, theft or espionage.

Source
This publication incorporates open source news articles to educate readers on cyber security matters IAW USC Title 17, section 107, Para a. All articles are truncated to avoid the appearance of copyright infringement.

Newsletter Team
* SA Sylvia Romero, Albuquerque FBI
* CI Agent Scott Daughtry, Purple Arrow Founder

Subscription/Questions
Click HERE to request that your employer-provided email address be added to this product’s distribution list.

Purple Arrow Overview
The Purple Arrow Working Group was founded in 2009 to address suspicious reporting originating from New Mexico (NM) cleared companies. Purple Arrow is a subset of the NM CI Working Group.

Purple Arrow Members
Our membership includes representatives from these New Mexico-focused agencies: 902nd MI, AFOSI, DOE, DCSA, DTRA, FBI, HSI and NCIS.

Disclaimer
Viewpoints, company names, or products within this document are not necessarily the opinion of, or an endorsement by, the FBI or any member of the Purple Arrow Working Group or NM CI Working Group.

Distribution
You may freely forward this product to U.S. person co-workers or other U.S. agency / U.S. company managed email accounts.

Personal Email/Foreigners
The FBI will not send Purple Arrow products to a non-United States employer-provided email account (e.g. Hotmail, Gmail).
Ransomware: These free decryption tools have now saved victims over $600m

ZD Net, 27 Jul 2020: Over four million victims of ransomware attacks have now avoided paying over $600 million in extortion demands to cyber criminals in the first four years of Europol's No More Ransom initiative. First launched in 2016 with four founding members, No More Ransom (link) provides free decryption tools for ransomware and has been growing ever since, now consisting of 163 partners across cybersecurity, law enforcement bodies, financial services and more.

Together, they've released free decryption tools for over 140 families of ransomware that have been downloaded a combined total of over 4.2 million times, something that Europol estimates has prevented $632 million from being paid out to cyber criminals. Among the top contributors to the project are Emsisoft, which has provided 54 decryption tools for 45 ransomware families; founding member Kaspersky, which has provided five tools for 32 ransomware families; and Trend Micro, which has provided two decryption tools for 27 ransomware families. Other cybersecurity firms that have provided multiple tools to No More Ransom include Avast, Bitdefender, Check Point, ESET and founding member McAfee.

No More Ransom is now available in 36 languages and has received visitors from 188 countries around the world. The largest number of visitors come from South Korea, the US, Brazil, Russia and India. Despite the best efforts of No More Ransom and other cybersecurity initiatives, ransomware remains a highly effective money-making tool for cyber criminals, who in many cases can make hundreds of thousands or even millions of pounds from a single attack. However, applying security updates and patches to PCs and networks can go a long way to stopping attacks in the first place.

"No More Ransom is like a car seatbelt: it's a critical safety net, but it's best to abide by the rules of the road to lessen the chance of needing to use it. Or, to put it another way, ransomware is definitely a case in which prevention is better than cure," says Brett Callow, threat analyst at Emsisoft.

U.S. cybersecurity firm says Beijing-linked hackers target Vatican ahead of talks

Reuters, 29 Jul 2020: Hackers linked to the Chinese government have infiltrated Vatican computer networks, including the Roman Catholic Church's Hong Kong-based representative, a U.S. firm that tracks state-backed cyber attacks said on Wednesday. It said the attacks began in May. The Vatican and Beijing were expected to engage in talks this year over the renewal of a landmark 2018 deal that stabilised relations between China and the Church.

U.S. cybersecurity firm Recorded Future said in the report that the attacks targeted the Vatican and the Catholic diocese of Hong Kong, including the head of the Hong Kong Study Mission, who is seen as Pope Francis' de facto representative to China. The report said the targets included communications between the Hong Kong diocese and the Vatican, and that the attackers used tools and methods similar to those previously identified with Chinese state-backed hacking groups. Beijing routinely denies it engages in any state-backed hacking attempts, and says it is a victim of such threats. The reported hacking follows an extremely rare meeting between Beijing and the Vatican's foreign minister earlier this year in Germany, marking the highest-level official encounter between the two sides in decades.

Incident Reporting
- Cleared Company: notify your Defense Counterintelligence and Security Agency representative. If the event compromised DoD information, you must also initiate the DIBNET process.
- Financial Scam/Fraud: submit a complaint to the FBI’s Internet Crime Complaint Center (IC3).
- Children: if a child has been targeted via the Internet, contact your state’s Attorney General via their web site. They likely have an Internet Crimes Against Children task force that specializes in this crime category.
Cyber investigations are likely to require the original offending email (to obtain the email headers) and/or log files that are generated/maintained by an IDS, router or firewall. Ensure your IT office preserves this information should law enforcement request it for analysis.

Newsletter Archival
We do not maintain a formal archive of this newsletter. Your company/agency may archive Purple Arrow products on its internal network. This product may NOT be altered in any way.

Cybersecurity Training
All employees must understand cyber threats and think defensively every time they use automated systems. Many intrusions occur because a single employee failed basic cybersecurity practices and clicked on a hostile hyperlink or opened a malicious file attachment. The Defense Counterintelligence and Security Agency (formerly known as DSS) offers free cyber training via its Center for Development of Security Excellence (CDSE) website. Click HERE for info.

Office 365 phishing baits employees with fake SharePoint alerts

BleepingComputer, 27 Jul 2020: Employees using Microsoft Office 365 are targeted in a phishing campaign that makes use of bait messages camouflaged as automated SharePoint notifications to steal their accounts. The phishing emails delivered as part of this campaign are addressed to all employees working at targeted organizations and have so far reached an estimated 50,000 mailboxes, based on stats from email security company Abnormal Security. What makes these phishing messages potentially dangerous is their shotgun approach: the attackers need to trick only one employee, and can then use that employee's credentials to further compromise the employer's systems. The attackers behind this campaign did their best to keep the phishing messages as short and vague as possible, and they also made it a point to include the targeted company's name multiple times within the emails.

"In the email body, the recipient’s company name was also used numerous times to impersonate an internal document shared by this service," Abnormal Security explains. "Recipients may be convinced that the email is safe and coming from their company because of the repetitive inclusion of the company name."

The phishing messages' goal is to make the targets click on an embedded hyperlink that sends them to a SharePoint-themed landing page through a series of redirects. This is where they are required to click on a button to download "important documents" mentioned within the phishing emails, a button that will either download a PDF that sends them to another website or redirect them to a submission form where they are asked to input their credentials. If the targets fall for the phishers' tricks, their Microsoft credentials will give the attackers full control of their Office 365 accounts, with their information stolen and used as part of identity theft and fraud schemes such as Business Email Compromise (BEC).

Windows 10: New bug hits popular built-in security features

ZD Net, 27 Jul 2020: Microsoft says it is working on a fix for an error that prevents Windows Sandbox and Windows Defender Application Guard (WDAG) from opening. The issue affects Windows 10 versions 1903, 1909, and 2004. When the features fail to open, the bug triggers the error message 'ERROR_VSMB_SAVED_STATE_FILE_NOT_FOUND (0xC0370400)' or 'E_PATHNOTFOUND (0x80070003)'. Windows Sandbox is a relatively new feature of Windows 10 Pro and Enterprise editions, available since version 1903, that lets users launch a virtual machine with a basic version of Windows 10 to run potentially suspicious software without the risk of it affecting the main Windows 10 installation. The feature has proved popular with IT pros because of its ability to safely run potentially risky executables in a container, and Microsoft included several improvements to Windows Sandbox in Windows 10 version 2004. WDAG comes into play when users browse to a URL outside the enterprise-defined list of trusted sites: it launches Microsoft Edge in a Hyper-V container to keep the browser isolated from the operating system. Microsoft released WDAG extensions for Chrome and Firefox last year. "To mitigate this issue after receiving one of the above error messages, you will need to restart your
device," Microsoft explains in a support note. Microsoft plans on addressing the bug in an upcoming release of Windows 10. However, it hasn't said when the fix is expected to arrive.

Emotet malware now steals your email attachments to attack contacts

BleepingComputer, 28 Jul 2020: The Emotet malware botnet is now also using stolen attachments to increase the authenticity of the spam emails used to infect targets' systems. This is the first time the botnet has used stolen attachments to add credibility to its emails, Binary Defense threat researcher James Quinn told BleepingComputer. The attachment stealer module code was added around June 13th, according to Marcus 'MalwareTech' Hutchins. This new tactic adds to the Emotet gang's leveraging of hijacked email conversation threads, where a malicious URL or attachment is included in new emails appended to existing conversations as a concealment measure (as first spotted by Minerva Labs in March 2019).

"Emotet seems to be using not only stolen email bodies, but is now including stolen attachments as well," email security firm Cofense said today. "This lends to even more authenticity in their phishing emails. In one example we found 5 benign attachments and a dropper link within the templated portion of the email."

The botnet has been delivering massive amounts of malicious spam emails, camouflaged as payment reports, invoices, employment opportunities, and shipping information, through all its server clusters since July 17, after more than five months of inactivity. Since returning, Emotet first installed the TrickBot trojan on compromised Windows computers, then switched back to heavily spreading QakBot, which has fully replaced the TrickBot payloads. At the moment there is no exact information on QakBot's final payloads, but reports say that it will deploy ProLock ransomware on some of the systems initially infected with Emotet.
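The SharePoint lure above and Emotet's reuse of hijacked threads and stolen attachments both trade on borrowed familiarity. For the SharePoint case the giveaway is mechanical: the mail talks about SharePoint, but its links and sender belong to a host that no Microsoft notification would use. The Python below is an added example, not code from BleepingComputer, Abnormal Security or Cofense. It parses a constructed sample message, extracts every link from the HTML body, flags links and sender domains outside an assumed allowlist of Microsoft notification domains, and counts how often the recipient's own organisation name is repeated in the body, the tell Abnormal Security describes. The allowlist, the repeat threshold and both sample messages are assumptions.

```python
# Added example: gateway-side check for SharePoint-themed lures (constructed samples).
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains a genuine SharePoint/Office 365 notification links to or is sent from.
MICROSOFT_HOSTS = ("sharepoint.com", "sharepointonline.com", "microsoft.com",
                   "office.com", "office365.com", "onedrive.com")
ORG_NAME_REPEATS = 3  # assumed threshold for the "company name repeated" lure signal


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_microsoft_host(host_or_url):
    """True when a bare host, or the host of a URL, is one of the allowlisted domains."""
    host = host_or_url
    if "://" in host_or_url:
        host = urlparse(host_or_url).hostname or ""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_HOSTS)


def analyze_message(raw):
    """Return a list of finding strings; an empty list means no lure indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    subject = str(msg["subject"] or "")
    findings = []

    # Only messages that present themselves as SharePoint traffic are in scope.
    if "sharepoint" not in (subject + " " + body).lower():
        return findings

    _, sender = parseaddr(str(msg["from"] or ""))
    sender_domain = sender.rpartition("@")[2]
    if not is_microsoft_host(sender_domain):
        findings.append(f"sender domain {sender_domain} is not a Microsoft notification domain")

    parser = LinkExtractor()
    parser.feed(body)
    parser.close()
    for href, text in parser.links:
        if href.startswith(("http://", "https://")) and not is_microsoft_host(href):
            findings.append(f"SharePoint-themed mail links to {urlparse(href).hostname}: {href}")
        # Visible text that looks like a Microsoft URL while the href goes elsewhere.
        if text.startswith(("http://", "https://")) and is_microsoft_host(text) \
                and not is_microsoft_host(href):
            findings.append(f"link text {text} masks {href}")

    # The campaign repeats the target company's name to look internal; count it.
    _, recipient = parseaddr(str(msg["to"] or ""))
    org = recipient.rpartition("@")[2].split(".")[0].lower()
    repeats = body.lower().count(org) if org else 0
    if repeats >= ORG_NAME_REPEATS:
        findings.append(f"recipient org name '{org}' repeated {repeats} times in body")
    return findings


# Constructed samples (not real campaign mail): one lure, one legitimate notification.
LURE_MAIL = """\
From: "SharePoint Online" <no-reply@sharepointonline-alerts.example>
To: staff@contoso.example
Subject: Contoso - a document has been shared with you on SharePoint
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Contoso Team,</p>
<p>A Contoso document was shared with you via Contoso SharePoint.</p>
<p><a href="https://files-share.example.net/r/8f3a">Open important documents</a></p>
</body></html>
"""

GENUINE_MAIL = """\
From: "SharePoint Online" <no-reply@sharepointonline.com>
To: staff@contoso.example
Subject: Alice shared a file with you on SharePoint
Content-Type: text/html; charset="utf-8"

<html><body><p>Alice shared a file with you.</p>
<p><a href="https://contoso.sharepoint.com/:x:/r/sites/finance/Q3">Open</a></p></body></html>
"""

if __name__ == "__main__":
    for label, mail in (("lure", LURE_MAIL), ("genuine", GENUINE_MAIL)):
        print(label, analyze_message(mail) or ["clean"])
```

The check only sees the first hop of a link. The campaign above parks its credential form behind a series of redirects, so a lure whose first hop is a trusted redirector or a legitimate file-sharing host would pass the host test and be caught only by the sender and repeated-name signals; pair this with URL detonation or time-of-click rewriting rather than relying on it alone.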
That spam wave put Emotet first in a list of the top 10 malware strains analyzed on the interactive malware analysis platform Any.Run during the last week, head and shoulders above the next entry (the njRAT remote access trojan), with more than double the number of sample uploads submitted for analysis.

Cerberus banking Trojan team breaks up, source code goes to auction

ZD Net, 27 Jul 2020: The source code of the Android-based Cerberus banking Trojan is being auctioned off due to the break-up of the development team. As reported by BleepingComputer, the malware's maintainer recently posted an advert on an underground forum for Russian speakers offering the malware on a bidding basis, in the hope of generating up to $100,000 from the sale. According to the post, spotted by Hudson Rock, the operator is attempting to sell off the full project at a starting price of $50,000, including the Trojan's .APK source code, module code, the code for administrator panels, and servers. In addition, threat actors looking to adopt the malware into their own toolkits are being offered Cerberus' customer base with active licensing and the required installation materials.

The seller says that the project is being sold off due to a "lack of time" and because the "team has broken up", leaving what appears to be a single maintainer to support customers. To lure potential bidders, the seller claims that the Android malware is generating $10,000 in profit per month. Cerberus has been in circulation since 2019 and was spotted earlier this month in the Google Play store, having bypassed Google's app protections. A seemingly legitimate currency converter app designed for Spanish speakers, downloaded over 10,000 times before its removal, deployed the Trojan on Android devices by way of a malicious update performed months after the app passed security inspections.
Once deployed on a device, the malware creates overlays across existing financial service and banking apps in order to steal account credentials, which are then sent to the attacker's command-and-control (C2) server. The Trojan is also able to intercept 2FA mechanisms, such as one-time passcodes (OTP), to obtain the information necessary to pilfer financial accounts. ThreatFabric researchers said in February that test versions of the malware are able to abuse Android Accessibility privileges to steal OTPs from Google Authenticator, software designed to make 2FA more secure than one-time SMS messages.

Cerberus has many of the standard capabilities of Remote Access Trojans (RATs), including data theft modules, keylogging, phone call recording, and SMS grabbing. The malware is also advertised as being able to lock mobile devices, uninstall apps, push notifications, and self-destruct.
North Korean hackers created VHD ransomware for enterprise attacks

BleepingComputer, 28 Jul 2020: North Korean-backed hackers tracked as the Lazarus Group have developed and are actively using VHD ransomware against enterprise targets, according to a report published by Kaspersky researchers today. The researchers found VHD ransomware samples between March and May 2020 during two investigations; the ransomware was deployed over the network with the help of an SMB brute-forcing spreading tool and the MATA malware framework (also known as Dacls).

"Functionally, VHD is a fairly standard ransomware tool. It creeps through the drives connected to a victim’s computer, encrypts files, and deletes all System Volume Information folders (thereby sabotaging System Restore attempts in Windows)," the report reads. "What’s more, it can suspend processes that could potentially protect important files from modification (such as Microsoft Exchange or SQL Server)."

While analyzing the two incidents, Kaspersky's researchers were able to determine the entire VHD ransomware infection chain. It starts with the attackers gaining access to their victims' network by exploiting vulnerable VPN gateways. Next, they escalated their privileges on the compromised devices and installed a backdoor, part of the multi-platform and modular MATA malware framework. Kaspersky linked the MATA framework to the Lazarus hackers based on unique orchestrator filenames used in versions of the Manuscrypt trojan (also known as Volgmer). Once the backdoor was deployed, it allowed the attackers to take control of their victims' Active Directory server, which made it possible to deliver VHD ransomware payloads to all systems on the network within 10 hours with the help of a Python-based loader. Kaspersky attributed the VHD ransomware to the Lazarus Group based on the tools used to deploy the ransomware in the two attacks and on lateral movement tactics also observed in previous Lazarus intrusions.
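The Kaspersky description above gives a defender two host-level signals that appear before files are encrypted: deletion of System Volume Information folders and suspension of processes such as SQL Server or Exchange. The Python below is an added example, not anything from Kaspersky's report or BleepingComputer. It correlates those two signals per host over a constructed log in a simplified, pipe-delimited Sysmon-like layout (timestamp, host, event, acting image, target, detail), treating a ProcessAccess event against a protected image whose granted-access mask includes the Windows PROCESS_SUSPEND_RESUME right (0x0800) as the suspension signal, and a FileDelete under a System Volume Information folder as the other. The log layout, host names, image names and the 30-minute window are assumptions; only the two behaviours and the access-right value are grounded in the text and in Windows itself.

```python
# Added example: correlate two VHD-style precursors per host over a constructed log.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Windows process access right needed to freeze another process (PROCESS_SUSPEND_RESUME).
PROCESS_SUSPEND_RESUME = 0x0800
# Image names of the processes the report names as targets (assumed file names).
PROTECTED_IMAGE = re.compile(
    r"\\(sqlservr|store|Microsoft\.Exchange\.[\w.]+|MSExchange\w*)\.exe$", re.I)
SVI_PATH = re.compile(r"\\System Volume Information(\\|$)", re.I)

# Constructed, simplified log (not a real Sysmon export). Fields:
# timestamp|host|event|acting image|target (file path or target image)|detail
# detail carries the GrantedAccess mask for ProcessAccess events and is empty otherwise.
SAMPLE_LOG = """\
2020-05-02T03:14:05Z|FS01|ProcessCreate|C:\\Users\\Public\\update.exe||
2020-05-02T03:14:09Z|FS01|FileDelete|C:\\Users\\Public\\update.exe|D:\\System Volume Information\\tracking.log|
2020-05-02T03:14:10Z|FS01|FileDelete|C:\\Users\\Public\\update.exe|C:\\System Volume Information\\WPSettings.dat|
2020-05-02T03:15:02Z|FS01|ProcessAccess|C:\\Users\\Public\\update.exe|C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe|0x1FFFFF
2020-05-02T03:20:41Z|WS07|ProcessAccess|C:\\Windows\\System32\\Taskmgr.exe|C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe|0x1000
2020-05-02T04:02:17Z|WS07|FileDelete|C:\\Windows\\System32\\svchost.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\tmp1.dat|
"""


def parse_event(line):
    """Split one pipe-delimited record into a dict with a timezone-aware timestamp."""
    ts, host, event, image, target, detail = line.split("|")
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "host": host,
            "event": event, "image": image, "target": target, "detail": detail}


def classify(event):
    """Map an event to one of the two precursor signals, or None."""
    if event["event"] == "FileDelete" and SVI_PATH.search(event["target"]):
        return "svi_delete"
    if event["event"] == "ProcessAccess" and PROTECTED_IMAGE.search(event["target"]):
        # Full access (0x1FFFFF) includes the suspend right; a query-only mask does not.
        if int(event["detail"], 16) & PROCESS_SUSPEND_RESUME:
            return "suspend_protected"
    return None


def correlate(log_text, window=timedelta(minutes=30)):
    """Alert on hosts where both signals occur within `window` of each other."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        signal = classify(event)
        if signal:
            per_host[event["host"]].append((event["ts"], signal, event["image"]))

    alerts = []
    for host, hits in sorted(per_host.items()):
        kinds = {signal for _, signal, _ in hits}
        if {"svi_delete", "suspend_protected"} <= kinds:
            times = [ts for ts, _, _ in hits]
            span = max(times) - min(times)
            if span <= window:
                alerts.append({
                    "host": host,
                    "images": sorted({image for _, _, image in hits}),
                    "span_seconds": int(span.total_seconds()),
                    "hits": len(hits),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Either signal alone is noisy: backup agents touch System Volume Information, and debuggers and task managers open processes with broad rights, which is why WS07 produces nothing. Requiring both from the same host inside a short window, and surfacing the acting image, is what makes the alert actionable; in the chain described above, that image would be the loader pushed from the compromised Active Directory server.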
OkCupid: Hackers want your data, not a relationship

ZD Net, 29 Jul 2020: Researchers exploring OkCupid for security holes have found a way for hackers to pillage the sensitive data of users. OkCupid has catered to over 50 million registered users since its launch. As one of the most popular options out there for dating, alongside rivals such as Tinder, Plenty of Fish, eHarmony, Match, and Grindr, the online dating platform is used to organize roughly 50,000 dates per week. Dating apps experiencing a surge in users or requests for new features, such as video chats, began changing the way their platforms worked, and OkCupid was no exception. The dating platform has experienced a 20% increase in conversations worldwide and a 10% increase in matches since the beginning of lockdowns imposed due to COVID-19.

On Wednesday, Check Point Research disclosed a set of vulnerabilities in OkCupid that could lead to the exposure of sensitive profile data on the OkCupid app, the hijacking of user accounts to perform various actions without their permission, and the theft of user authentication tokens, IDs, and email addresses. The app in question is OkCupid for Android; version 40.3.1 running on Android 6.0.1 was the test subject. The researchers reverse-engineered the mobile software and discovered "deep link" functionality, which meant that attackers could send custom, malicious links that open the mobile app. Reflected Cross-Site Scripting (XSS) vectors were also discovered due to coding issues in the app's user settings functionality, which opened up a path for injecting JavaScript code. Combined, an attacker could serve an HTTP GET request carrying an XSS payload from their own server, and the injected JavaScript would then execute in the app's WebView.

If a victim clicks on a crafted link, potentially sent personally through the app or posted on a public forum, PII, profile data, user characteristics (such as those submitted when profiles are created), preferences, email addresses, IDs, and authentication tokens could all be compromised and exfiltrated to the attacker's command-and-control (C2) server. As the vulnerabilities could be used to steal IDs and tokens, this could also let attackers execute actions on the victim's behalf, such as sending messages. However, a full account takeover is not possible due to existing cookie protections. Check Point also uncovered a misconfigured Cross-Origin Resource Sharing (CORS) policy on the API server api.OkCupid.com, allowing any origin to send requests to the server and to read the responses. Further attacks could lead to the exfiltration of user data from the profile API endpoint. While the theft of information submitted to a dating app may not seem like such a big deal, the wealth of personal data possibly harvested by attackers could be used in social engineering attempts, leading to far more damaging consequences.

Feature-rich Ensiko malware can encrypt, targets Windows, macOS, Linux

BleepingComputer, 28 Jul 2020: Threat researchers have found a new feature-rich malware that can encrypt files on any system running PHP, making it a high risk for Windows, macOS, and Linux web servers. The malware received the name Ensiko and is a web shell written in PHP. Attackers can use it to remotely control a compromised system and run a host of malicious activities. From Ensiko’s large list of capabilities, the file-encryption component stands out, as it can be used for ransomware attacks against servers. Researchers at Trend Micro analyzed the malware and found that it uses the symmetric Rijndael-128 (AES) cipher in CBC mode to encrypt files; their write-up reproduces the code responsible for locking and unlocking the data.

Ensiko encrypts files in the web shell's directory and its subdirectories and appends the .BAK extension to processed files. The researchers found that the malware can be password protected, so that only its operators can use it and to avoid a takeover like the one Emotet suffered last week, when someone replaced its payloads with memes. Authenticating to this web shell is not straightforward: the developer hid the login form on a “Not Found” page. For the analyzed sample, the
access key is “RaBiitch.” To expand its capabilities, Ensiko can load several tools, which it downloads from Pastebin and stores in a directory named “tools_ensikology.” One of the malware's functions, called Steganologer, can identify image files that have code in their metadata (EXIF headers). The code is then extracted and executed on the compromised server. Trend Micro malware analyst Aliakbar Zahravi discovered that Ensiko can also check whether a web shell from a predefined list is present on a remote host. Another scanning function, called Remote File Check, allows the operator to look for arbitrary files on a remote system. A further function in this malicious tool allows recursive overwriting of all files with a specified extension in the web shell's directory. Ensiko’s capabilities do not stop there: the malware lets threat actors run brute-force attacks on FTP, cPanel, and Telnet, extending their access.
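Steganologer turns image metadata into a code-delivery channel, so the defensive counterpart is to inspect JPEG metadata segments for code before a web server serves or includes the file. The Python below is an added example, not Ensiko's code or Trend Micro's tooling. It walks the length-prefixed segments of a JPEG up to the start-of-scan marker, searches the APP1 (Exif), COM and any other metadata payloads for PHP indicators such as <?php and eval(, reports which segment carries them, and can sweep a directory tree. It does not parse the TIFF structure inside Exif, because the text does not say which tag Ensiko reads, and instead searches the whole segment; the indicator list and the two constructed sample images are assumptions.

```python
# Added example: scan JPEG metadata segments for embedded PHP (constructed samples).
import os
import struct

# Byte sequences that have no business inside image metadata (assumed indicator set).
CODE_MARKERS = [b"<?php", b"eval(", b"base64_decode(", b"system(", b"passthru(", b"shell_exec("]

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
SEGMENT_NAMES = {0xE0: "APP0/JFIF", 0xE1: "APP1/Exif", 0xE2: "APP2", 0xFE: "COM"}


def jpeg_segments(data):
    """Yield (marker, payload) for every length-prefixed segment before the scan data."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"corrupt segment header at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:           # fill byte; the real marker follows
            pos += 1
            continue
        if marker in (SOS, EOI):     # image data starts here; all metadata precedes it
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment length")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        payload = data[pos + 4:pos + 2 + length]
        yield marker, payload
        pos += 2 + length


def find_embedded_code(data):
    """Return [(segment name, indicator, snippet)] for metadata segments that carry code."""
    hits = []
    for marker, payload in jpeg_segments(data):
        for indicator in CODE_MARKERS:
            i = payload.find(indicator)
            if i >= 0:
                name = SEGMENT_NAMES.get(marker, f"0x{marker:02X}")
                hits.append((name, indicator.decode(), payload[i:i + 48].decode("latin-1")))
                break
    return hits


def scan_directory(root):
    """Walk a web root and map each JPEG whose metadata carries code to its hits."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jpg", ".jpeg")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    blob = fh.read()
                try:
                    hits = find_embedded_code(blob)
                except ValueError:
                    continue               # not a parseable JPEG; leave it to other checks
                if hits:
                    report[path] = hits
    return report


def _segment(marker, payload):
    """Build one length-prefixed JPEG segment (the length counts its own two bytes)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples: only the metadata segments matter to the scanner, so the image
# data after SOS is a stub rather than a real picture.
CLEAN_JPEG = (
    bytes([0xFF, SOI])
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xFE, b"Taken with a phone")
    + bytes([0xFF, SOS]) + b"\x00" * 8 + bytes([0xFF, EOI])
)

POISONED_JPEG = (
    bytes([0xFF, SOI])
    + _segment(0xE1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08"
               b"<?php eval(base64_decode($_POST['c'])); ?>")
    + bytes([0xFF, SOS]) + b"\x00" * 8 + bytes([0xFF, EOI])
)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_JPEG), ("poisoned", POISONED_JPEG)):
        print(label, find_embedded_code(blob))
```

Run scan_directory over upload and media directories as a periodic job or as a pre-publish hook. A positive hit is not proof of compromise on its own, since the image only becomes dangerous when something like Ensiko reads and executes the metadata, but an image carrying `<?php` in its Exif block has no legitimate reason to exist on a server and is a strong reason to look for the web shell that would consume it.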