Threat Intelligence Report

PDF, 16 pages, 1020 KB

Threat Intelligence Report, August 2019
Manufacturing / Public Sector

IN THIS ISSUE
• New records in fines, ransomware demands
• Magecart exploits Amazon Cloud S3 buckets
• Can hackers sit in on your next teleconference?
• Think twice before scanning QR codes on mobile devices
• “What you gonna do, phone the [London] police?”

About this report
Fusing a range of public and proprietary information feeds, including DXC’s global network of security operations centers and cyber intelligence services, this report delivers an overview of major incidents, insights into key trends and strategic threat awareness. This report is a part of DXC Labs | Security, which provides insights and thought leadership to the security industry.
Intelligence cutoff date: 24 July 2019

Mark Hughes, Senior Vice President and General Manager of Security, DXC Technology
The cost of cyber incidents is growing, as evidenced by recent substantial fines for data breaches and increasing ransomware demands. In addition to immediate financial losses from business disruption, victims face longer-term reputational damage, such as the recent takeover of the London police Twitter account by hacktivists.
This month it’s clear that the threat landscape is continuing to evolve. For example, we’re seeing new twists on familiar threats, such as phishing campaigns that use Quick Response (QR) codes to target mobile devices, and the latest Magecart exploit of using poorly configured cloud buckets to inject the group’s notorious card-skimming code.

Table of Contents
Threat updates
• Ransom payments nearly double in second quarter (Multi-industry)
• QR codes used to evade mailbox protections (Multi-industry)
• Magecart card skimmer hits thousands of Amazon Web Services S3 buckets (Multi-industry)
• Suspected malware developer arrested by Dutch National Police Unit (Multi-industry)
Nation state & geopolitical updates
• DNS infrastructure hijacking campaigns continue (Public Sector, Energy)
• Linux desktop malware has suspected Russian links
Vulnerability updates
• Substantial vulnerabilities in Zoom videoconferencing application (Multi-industry)
• Critical vulnerability discovered in ProFTPD (Multi-industry)
Incidents/Breaches
• Huge fines and settlements follow British Airways and Equifax breaches (Travel and Transportation, Financial Services)
• London police suffer social media hijacking (Public Sector)

Threat updates

Ransom demands nearly double in second quarter
The average payment demand related to a ransomware infection has almost doubled, largely as a result of several organizations, including two Florida cities, falling victim to the Ryuk and Sodinokibi ransomware strains.

Ryuk ransomware
Who? Sole operation by Eastern European cybercriminal group Grim Spider
What? “Big game hunting” ransomware campaigns, which focus on the largest enterprise environments
How? A combination of automated infection with manual privilege escalation and expansion of access, typically using TrickBot or Emotet trojans via malspam for initial access
Notable example? Gained more than $1 million in ransom from Riviera Beach and Lake City in Florida during attacks in May

Impact
Data from ransomware incident response company Coveware shows that in the second quarter of 2019 the average ransom payment increased by 184 percent to $36,295. The analysis also showed that, although public and private sector entities were targeted, public sector victims paid an average of 10 times more in ransom. This dynamic is possibly fueled by increased media scrutiny of public sector entities and their requirement for system availability.
Increasing ransom demands are likely due to threat actors focusing deployment of Ryuk and Sodinokibi in large enterprise environments. This trend is seen in other prominent strands of ransomware, including LockerGoga, MegaCortex and GandCrab.
Deployment methods for these strains vary. Ryuk’s operators use common banking Trojans to gain initial access to corporate environments before expanding network access and deploying the ransomware binary, normally exploiting Active Directory. Sodinokibi has focused on compromising managed services providers (MSPs) and deploying ransomware to managed endpoints to maximize the scale of the infection.

DXC perspective
The widely reported decline in ransomware since 2017 is deceptive. The ransomware threat is evolving. There may be fewer total events, but those that occur are often more serious. For example, Ryuk ransomware garnered more than $1 million in ransom from Riviera Beach and Lake City in Florida during attacks in May. Increased sophistication in deployment tactics and a renewed focus on “big game hunting” means the threat has never been greater to enterprise environments. Attacks now seek to infect entire organizations in a single incident rather than a handful of hosts or individual network segments.
Denial of initial access is key to prevention. Effective identity and access management controls, network access controls, phishing mail protections and training, and next-generation endpoint solutions can all help prevent account compromise and the delivery of malware.
Source: Bleeping Computer

QR codes used to evade mailbox protections
Among the June 2019 Windows updates, Microsoft released patches for CVE-2019-1040, a vulnerability in the NT LAN Manager (NTLM) message integrity code (MIC) protection mechanism.

Impact
A phishing campaign was detected using QR codes to avoid detection by URL analysis. Individuals received spam emails posing as a SharePoint notification with an embedded QR code to scan and view an associated document.
Using a QR code successfully bypasses most traditional mailbox protections and avoids URL sandboxing. The phishing site is optimized for mobile browsers, highlighting the focus on mobile devices. This targeting enables adversaries to bypass the corporate security zone while retaining a high likelihood of obtaining user credentials. Stolen credentials will subsequently be used to achieve initial access to corporate networks by the phishing actor or may be sold to third-party criminal groups for use in further campaigns.

Most-attacked industries in July
• Financial services
• Professional services/consulting
• Telecommunications
• Manufacturing
• Insurance

DXC perspective
The prevalence of bring-your-own-device (BYOD) policies provides adversaries with an expanded attack surface. Credential phishing remains a prominent attack vector for a range of sophisticated criminal- and state-sponsored actors. We are likely to witness continued efforts to achieve credential compromise outside of the traditional corporate security zone. Targeting of mobile devices is on the increase beyond credential phishing, with several campaigns deploying new mobile-specific malware.
The innovative use of QR codes to bypass protections demonstrates the importance of layered security and visibility into access of cloud applications. A well-configured cloud access security broker (CASB) can enable security analysts to highlight suspicious login activity in the event of Office 365 credential theft, enabling swift response and remediation. The use of multifactor authentication is also an effective method of mitigating credential-phishing risk.
Source: Cofense

Magecart card skimmer hits thousands of Amazon Web Services S3 buckets
The notorious payment-card skimming tool Magecart has hit another 17,000 websites, according to RiskIQ. The latest twist is the exploitation of improperly configured Amazon Simple Storage Services (S3).

Notable Magecart groups
Groups 1 and 2: Use extensive automation to breach and skim sites. Include a wide target array and complex, bespoke reshipping infrastructure for monetization.
Group 3: Focuses on high-volume targeting, often in Latin America, using unique skimmers to check web pages to display payment change information.
Group 4: Sophisticatedly blends into “normal” web traffic by mimicking ad providers, analytic modules or victim domains. Realized 3,000+ possible compromises.
Group 5: Targets third-party suppliers to compromise multiple websites. Was implicated in 2017 Ticketmaster breach.
Group 6: Only focuses on largest organizations to secure high number of transactions. Responsible for 2018 British Airways and Newegg breaches.
Group 11: Adds skimmer capabilities for credential or sensitive information theft. Responsible for December 2018 Vision Direct breach.
Group 12: Targets third parties to inject card-skimming

Impact
Magecart is divided into groups that focus on different targets and employ different tactics. The latest campaign is a new spin on a familiar tactic. Card details are still stolen by malicious JavaScript skimming code, but this time the injection occurs via storage buckets for open public hosting sites with “write” access enabled.
Magecart uses open source web-scanning tools, such as Shodan, to identify vulnerable buckets. Once attackers find a misconfigured bucket, they scan it for any JavaScript files, append their skimming code and overwrite the script on the bucket. If these files are loaded onto a payment-processing page, card details will be copied and sent to a system under Magecart control. This scattershot approach to the injection is likely to return a low success rate, which suggests a degree of automation, differing from some of the highly targeted Magecart campaigns of 2018.

DXC perspective
Visibility and secure configuration in the cloud are essential to mitigating a range of threats. For this Magecart threat, simply disabling public access to sensitive cloud
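Two defender-side checks for the S3 technique described in the Magecart item, as an added example that is not from the DXC report or from RiskIQ: an audit of bucket ACL grants for the public “write” access the campaign relied on, and Subresource Integrity (SRI) pinning so a browser refuses a hosted script whose bytes were changed. The ACL dicts are constructed in the shape boto3’s get_bucket_acl() returns, the script contents and the example-bucket URL are constructed too, and no AWS calls are made.

```python
"""Audit S3 ACL grants for public write access and verify hosted
JavaScript against a pinned Subresource Integrity (SRI) value.

Added example, not code from the DXC report or RiskIQ. The ACLs below
are constructed in the shape boto3's get_bucket_acl() returns; nothing
here contacts AWS, so it runs offline.
"""
import base64
import hashlib

# Predefined S3 group grantees. A write-type grant to either lets anyone
# (or any AWS account holder) overwrite objects, which is the
# misconfiguration the card-skimming campaign relied on.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
# WRITE_ACP is included because it lets a caller grant themselves WRITE.
RISKY_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def public_write_grants(acl):
    """Return (grantee URI, permission) for every grant that allows
    public writes to the bucket; an empty list means none were found."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser grants name one specific account
        uri = grantee.get("URI", "")
        permission = grant.get("Permission", "")
        if uri in PUBLIC_GROUPS and permission in RISKY_PERMISSIONS:
            findings.append((uri, permission))
    return findings


def sri_hash(content, algo="sha384"):
    """Subresource Integrity value ("<algo>-<base64 digest>") for content."""
    digest = hashlib.new(algo, content).digest()
    return algo + "-" + base64.b64encode(digest).decode("ascii")


def script_matches(content, pinned_integrity):
    """True if content still matches the pinned SRI value. A browser given
    <script integrity="..."> makes the same comparison and refuses to run
    a script whose bytes changed, e.g. one with code appended to it."""
    algo = pinned_integrity.split("-", 1)[0]
    return sri_hash(content, algo) == pinned_integrity


def script_tag(src, content):
    """HTML script tag pinning the hosted file to its current digest."""
    return ('<script src="%s" integrity="%s" crossorigin="anonymous"></script>'
            % (src, sri_hash(content)))


# Constructed sample data (not real buckets, accounts or scripts) --------
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-id"}
SAFE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
OPEN_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
    ],
}
ORIGINAL_JS = (b"function submitOrder(f){return fetch('/pay',"
               b"{method:'POST',body:new FormData(f)});}\n")
PINNED = sri_hash(ORIGINAL_JS)  # recorded when the page was published
# Any bytes appended to the hosted file change its digest; a harmless
# comment stands in for appended code here.
MODIFIED_JS = ORIGINAL_JS + b"/* appended by someone else */\n"


def audit(acl, hosted_js, pinned_integrity):
    """Combine both checks the way a scheduled job might."""
    return {
        "public_write": public_write_grants(acl),
        "script_unchanged": script_matches(hosted_js, pinned_integrity),
    }


if __name__ == "__main__":
    print(audit(SAFE_ACL, ORIGINAL_JS, PINNED))
    print(audit(OPEN_ACL, MODIFIED_JS, PINNED))
    # Hypothetical bucket hostname, constructed for illustration only.
    print(script_tag("https://example-bucket.s3.amazonaws.com/checkout.js",
                     ORIGINAL_JS))
```

A real audit should also read the bucket policy and the S3 Block Public Access settings, since public access can be granted or blocked there independently of ACL grants.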