The intelligence in this week's iteration discusses the following threats: data theft, banking malware, Magecart, RCE, threat groups, targeted attacks, website compromise, and vulnerabilities. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.
Slack Bug Allows Remote File Hijacking, Malware Injection (May 20, 2019)
Tenable researcher David Wells discovered a vulnerability in the "Slack Desktop" client for Windows. The vulnerability affects Slack Desktop version 3.3.7 and could be exploited by a threat actor who posts a custom hyperlink into a Slack channel or direct message that "changes the document download location path when clicked." A threat actor could use this tactic to point the client's downloads at an actor-controlled SMB server, or to distribute malicious documents. Slack states that it has over 10 million daily users, which makes it a potentially lucrative target from a threat actor's perspective.
MITRE ATT&CK: [MITRE ATT&CK] User Execution (T1204)
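The network-level symptom of the tactic described above is a workstation opening SMB sessions to a host outside the organization. The following is an added example, not code from the briefing, Anomali or Tenable: it scans a constructed firewall/NetFlow-style log for TCP flows to SMB ports on destinations outside an explicitly listed set of internal ranges. The log format (timestamp, source IP, destination IP, protocol, destination port, action) and the internal ranges are assumptions; adapt both to your environment.

```python
"""Added example: flag outbound SMB (445/139) to non-internal hosts in a
constructed log. Not part of the original briefing; format and ranges assumed."""
import csv
import io
import ipaddress

# Constructed sample log (not real data). Assumed columns:
# timestamp,src_ip,dst_ip,proto,dst_port,action
SAMPLE_LOG = """\
2019-05-20T10:01:02Z,10.1.4.23,10.1.4.5,tcp,445,allow
2019-05-20T10:01:07Z,10.1.4.23,203.0.113.45,tcp,445,allow
2019-05-20T10:01:09Z,10.1.4.23,203.0.113.45,tcp,443,allow
2019-05-20T10:02:11Z,10.1.4.77,198.51.100.9,tcp,139,allow
2019-05-20T10:02:15Z,10.1.4.77,192.168.50.2,tcp,445,allow
2019-05-20T10:03:00Z,10.1.4.23,198.51.100.9,tcp,445,deny
"""

SMB_PORTS = {445, 139}

# Explicit internal ranges (assumed for this example). We match against these
# rather than ipaddress.is_private/is_global, because those treat the
# documentation ranges used in the sample log (203.0.113.0/24, 198.51.100.0/24)
# as non-global, and because real estates rarely equal RFC1918 exactly.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def is_internal(ip_text):
    """True if ip_text falls inside one of INTERNAL_NETWORKS (malformed -> False)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETWORKS)


def find_external_smb(log_text):
    """Return (timestamp, src, dst, port, action) for every TCP flow to an SMB
    port whose destination is not internal. Denied flows are kept: a blocked
    attempt still tells you which user clicked the link."""
    hits = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        ts, src, dst, proto, port, action = row
        if proto.lower() != "tcp" or not port.isdigit():
            continue
        if int(port) in SMB_PORTS and not is_internal(dst):
            hits.append((ts, src, dst, int(port), action))
    return hits


def external_smb_by_source(log_text):
    """Map each internal source to the set of external SMB hosts it contacted,
    which is the pivot you would hand to the endpoint team."""
    by_src = {}
    for _, src, dst, _, _ in find_external_smb(log_text):
        by_src.setdefault(src, set()).add(dst)
    return by_src


if __name__ == "__main__":
    for hit in find_external_smb(SAMPLE_LOG):
        print("external SMB:", hit)
    print(external_smb_by_source(SAMPLE_LOG))
```

Port 443 to the same external host is deliberately ignored; only SMB-port flows matter for this hunt. A blocked flow (action "deny") is still reported, since the attempt itself indicates a client whose download path was redirected.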
Over 12,000 MongoDB Databases Deleted by Unistellar Attacks (May 17, 2019)
Researchers have identified a campaign targeting publicly accessible "MongoDB" databases and deleting their contents. The threat actor(s) behind this campaign, called "Unistellar," do not demand a ransom to return the deleted data, as other campaigns targeting MongoDB have been observed to do, and instead leave an email address to communicate with. Researchers estimate that approximately 12,000 misconfigured MongoDB databases have been deleted over the past three weeks. At the time of this writing, it i ..
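The "misconfiguration" that exposes these databases is a mongod instance bound to a non-loopback interface with no access control, so anyone who can reach the port can drop every collection. The following is an added example, not from the briefing or from the MongoDB project: it audits a mongod configuration (represented as the dict PyYAML would produce from mongod.conf, so the example runs without a YAML dependency) for that combination. The sample configurations are constructed; the severity labels are this example's own choice.

```python
"""Added example: audit a mongod.conf-shaped dict for network exposure without
authorization. Not part of the original briefing; sample configs constructed."""
import ipaddress

# Constructed sample configurations (shape of mongod.conf parsed as YAML).
WEAK_CONFIG = {"net": {"port": 27017, "bindIp": "0.0.0.0"}}  # no security section
LOCAL_ONLY_CONFIG = {"net": {"port": 27017, "bindIp": "127.0.0.1,::1"}}
HARDENED_CONFIG = {
    "net": {"port": 27017, "bindIp": "127.0.0.1,10.0.5.12"},
    "security": {"authorization": "enabled"},
}


def bind_addresses(net):
    """Normalize net.bindIp / net.bindIpAll into a list of address strings.
    mongod's default when neither is set is to listen on localhost only."""
    if net.get("bindIpAll"):
        return ["0.0.0.0"]
    raw = net.get("bindIp", "127.0.0.1")
    if isinstance(raw, str):
        raw = raw.split(",")
    return [a.strip() for a in raw if a.strip()]


def is_loopback(addr):
    """Loopback IPs (127.0.0.0/8, ::1) and the literal 'localhost' are safe;
    any other hostname or IP, including 0.0.0.0 and ::, counts as exposed."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"


def audit_mongod_config(cfg):
    """Return a list of (severity, finding) tuples for the config dict."""
    net = cfg.get("net") or {}
    security = cfg.get("security") or {}
    exposed = [a for a in bind_addresses(net) if not is_loopback(a)]
    auth_enabled = security.get("authorization") == "enabled"
    findings = []
    if exposed:
        findings.append((
            "high" if not auth_enabled else "medium",
            "listens on non-loopback address(es): " + ", ".join(exposed),
        ))
    if not auth_enabled:
        findings.append((
            "high" if exposed else "medium",
            "security.authorization is not 'enabled'",
        ))
    if exposed and not auth_enabled:
        findings.append((
            "critical",
            "reachable from the network without authentication: any client that "
            "can connect can read, modify or drop every database",
        ))
    return findings


def is_exposed_unauthenticated(cfg):
    """True when the instance matches the pattern this campaign targets."""
    return any(sev == "critical" for sev, _ in audit_mongod_config(cfg))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("local", LOCAL_ONLY_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        print(name, audit_mongod_config(cfg))
```

Binding to a private address with authorization enabled, as in HARDENED_CONFIG, still produces a medium finding: it is a reasonable deployment, but the listener should then be reachable only from application subnets, which is a network-side control this file cannot prove.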