Paul Scott
on July 3, 2019

Threat Report Wednesday July 3rd 2019

PCM customer impacted by Office 365 business email compromise

Perch now has Office 365 log collection in beta testing, and the timing is good: a breach at PCM Inc., a large solution provider, allowed hackers to access the Microsoft Office 365 email and file-sharing systems of some of the company’s clients. California-based PCM had more than 2,000 customers in 2018. According to Krebs’ sources, attackers stole the administrative credentials that PCM uses to manage client accounts within Office 365, Microsoft’s cloud-based email and file-sharing service.

Business email compromise is becoming increasingly common, and companies are moving to Microsoft’s cloud email and office suite, Office 365. This is why Perch prioritized support for Office 365 logging in the Perch SIEM. Perch customers will soon be able to aggregate their Office 365 logs and build visualizations that surface suspicious Office 365 activity.
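As an added example (not Perch’s code, and not the actual PCM logs), the following detector runs over constructed Office 365 audit records shaped like Management Activity API entries and flags the patterns a business email compromise investigation looks for: a privileged account signing in from an IP outside the provider’s known management range, a mailbox forwarded to an external address, and an inbox rule that deletes mail. The privileged-account set, known admin IPs and internal domains are assumptions for the example.

```python
# Constructed sample audit records shaped like Office 365 Management Activity
# API entries (real field names; every value here is made up for this example).
SAMPLE_LOG = [
    {"CreationTime": "2019-07-01T08:02:11", "Workload": "AzureActiveDirectory",
     "Operation": "UserLoggedIn", "UserId": "msp-admin@example-msp.com",
     "ClientIP": "203.0.113.7", "ResultStatus": "Succeeded"},
    {"CreationTime": "2019-07-01T08:03:40", "Workload": "Exchange",
     "Operation": "Set-Mailbox", "UserId": "msp-admin@example-msp.com",
     "ClientIP": "203.0.113.7", "ObjectId": "cfo@client-a.example",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:drop@mailbox.example.net"}]},
    {"CreationTime": "2019-07-01T08:05:02", "Workload": "Exchange",
     "Operation": "New-InboxRule", "UserId": "cfo@client-a.example",
     "ClientIP": "203.0.113.7", "ObjectId": "cfo@client-a.example",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2019-07-01T09:15:00", "Workload": "AzureActiveDirectory",
     "Operation": "UserLoggedIn", "UserId": "alice@client-a.example",
     "ClientIP": "198.51.100.22", "ResultStatus": "Succeeded"},
]

# Assumed tenant knowledge: accounts holding admin roles, the IPs the provider
# normally manages from, and the domains that count as internal.
PRIVILEGED = {"msp-admin@example-msp.com"}
KNOWN_ADMIN_IPS = {"192.0.2.10"}
INTERNAL_DOMAINS = {"example-msp.com", "client-a.example"}


def params(rec):
    # Flatten the Exchange "Parameters" list into a {Name: Value} dict.
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def is_external(addr):
    # Forwarding targets may carry an "smtp:" prefix; compare the domain only.
    return addr.replace("smtp:", "").split("@")[-1].lower() not in INTERNAL_DOMAINS


def detect(records):
    # Return (rule, acting user, detail) tuples for records matching BEC patterns.
    alerts = []
    for r in records:
        op, user, p = r.get("Operation"), r.get("UserId", ""), params(r)
        if op == "UserLoggedIn" and user in PRIVILEGED and r.get("ClientIP") not in KNOWN_ADMIN_IPS:
            alerts.append(("admin_login_unknown_ip", user, r.get("ClientIP")))
        for key in ("ForwardingSmtpAddress", "ForwardTo", "RedirectTo"):
            target = p.get(key)
            if target and is_external(target):
                alerts.append(("external_forwarding", user, f"{r.get('ObjectId')} -> {target}"))
        if op in ("New-InboxRule", "Set-InboxRule") and p.get("DeleteMessage") == "True":
            alerts.append(("rule_deletes_mail", user, p.get("SubjectContainsWords", "")))
    return alerts
```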

In a statement shared with Krebs, PCM said it “recently experienced a cyber incident that impacted certain of its systems.” The statement further explains, “From its investigation, impact to its systems was limited and the matter has been remediated.” As expected, the company downplayed the incident, stating, “The incident did not impact all of PCM customers; in fact, investigation has revealed minimal-to-no impact to PCM customers. To the extent any PCM customers were potentially impacted by the incident, those PCM customers have been made aware of the incident and PCM worked with them to address any concerns they had.” The full story can be read at KrebsOnSecurity.

The PCM breach is the latest example of threat actors increasingly targeting cloud data providers and technology consultancies that manage vast IT resources for many clients, similar to the Cloud Hopper campaign.

Cloud Hopper breached world’s largest service providers

A U.S. indictment in December outlined an elaborate operation to steal Western intellectual property in order to advance China’s economic interests.

Based on details from the indictment, hackers working for China’s Ministry of State Security broke into networks for eight of the world’s largest technology service providers in an effort to steal commercial secrets from their clients.

Those companies’ names have now been published by Reuters. The list of eight includes five of the 10 largest enterprise technology service providers in the world. Here is the rundown: Hewlett Packard Enterprise, IBM, Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation, and DXC Technology (HP’s enterprise services).

According to the indictment, the Cloud Hopper campaign used its long-term access to these companies to collect and steal data from the providers’ customers. Customer data was exfiltrated through the service provider’s network or, in some cases, through the end customer’s network.

The Chinese government has consistently denied all accusations of involvement in hacking. The Chinese Foreign Ministry said Beijing opposed cyber-enabled industrial espionage. “The Chinese government has never in any form participated in or supported any person to carry out the theft of commercial secrets,” according to a statement to Reuters.

In related news, the U.S. Executive Office has lifted bans on the use of Huawei technology in the United States.

Crypto-curious infected with njRAT through YouTube

According to researchers, scammers are leveraging YouTube to lure the crypto-curious into infecting themselves with njRAT, a remote access trojan (RAT) with infostealer capabilities.

These YouTube videos pretend to offer hack scripts, giveaways, or games that let you win free cryptocurrency such as Bitcoin. The video links to a bit.ly URL, which prompts a VBS file download. The VBS script carries an embedded executable, which is detected as Bladabindi or njRAT.

When launched, the dropped Windows.exe connects to a command and control server and sends a variety of information, such as the PC name, user name, and more. It then waits for commands from the attacker and executes them.

Because this malware can steal browser passwords and log keystrokes, you should assume that your login names and passwords have been compromised if you were infected by this scam.

Heaven’s Gate leveraged in malspam campaign

Researchers recently discovered a campaign delivering the HawkEye Reborn keylogger and other malware families. In this campaign, the attackers built a complex loader to ensure antivirus systems do not detect the payload malware. Among its features is the infamous “Heaven’s Gate” technique, a trick that allows 32-bit malware running on 64-bit systems to hide API calls by switching into the 64-bit environment.

These malware campaigns demonstrate how advanced techniques such as Heaven’s Gate can be quickly integrated across malware families. The cybercriminals behind these kits lack the experience to implement this functionality natively, but they use readily available loaders to achieve the same goal.

The infection starts with attackers sending malspam to victims disguised as invoices, banking statements, and other financial-related topics. The emails contain documents that leverage CVE-2017-11882, a vulnerability affecting Microsoft Equation Editor. When opened by victims, these malicious documents function as malware downloaders, reaching out to Web servers on which the attacker is hosting their malware payload.


Miami police department loses 1TB of office body cam footage

A cache of police body camera footage was left open to the world and subsequently posted to the dark Web. Researchers identified about a terabyte of officer body cam videos stored in an unprotected, internet-facing CouchDB database, with data belonging to the Miami Police Department, police in other U.S. cities, and cities abroad. The operators of these databases are service providers for various police departments. The footage reportedly dates from 2018 to the present.

“Vendors that provide services to police departments are insecure,” said Tate, who posted a sample body cam video to his Twitter account. The Twitter conversation included a list of all the databases, which covered other police departments including the City of Boulder, City of Pearland, City of Fort Worth, Indianapolis, and more.

Police department body cam footage exposed

Although it is unknown who the service providers are, one company, Axon, has a near monopoly on police body cameras and is known to work with Miami PD and other impacted police departments.

This story is similar to our recent coverage of video footage leaked by service providers for U.S. Customs and Border Patrol. Government groups should practice better due diligence when selecting vendors to store sensitive information, including an understanding of how the data is stored.


We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com
