Week 40

Weekly Intelligence Bulletin

Date: 05 October 2018 | Reading Time: 25-30 min | Type: Intelligence Bulletin | Sub-Type: Weekly Bulletin | Audience-Role: Management | Audience-Industry: Cross Industry | Reporting Period: 27-09-2018 to 04-10-2018 | TLP: AMBER

TABLE OF CONTENTS

CYBER (p. 3)
  CURRENT THREAT: GhostDNS Used to Hijack Over 100,000 Routers (p. 3)
  VULNERABILITIES: Multiple Critical RCE Vulnerabilities in Adobe Reader and Acrobat (p. 4)
  THREAT ACTOR ACTIVITY: APT28: New UEFI Rootkit Discovered, LoJax (p. 4)
  REPORTED INCIDENTS: Facebook and Uber Facing Large Fines Due to Separate Data Breach Incidents (p. 5)
  ROLLUP (p. 6)

CRYPTOCURRENCY (p. 8)
  Cryptocurrency Market Capitalization Increases Slightly (p. 8)
  Italy Becomes Member of the European Blockchain Partnership (p. 8)
  ROLLUP (p. 9)

GEOPOLITICS (p. 10)
  NATO Member States Accuse Russian Government of Global Cyberattacks (p. 10)
  Diplomatic Relations between the U.S., Israel and Iran Further Worsen (p. 11)
  ROLLUP (p. 12)

OUTLOOK (p. 13)
  Annual Meetings of the International Monetary Fund and World Bank Group (p. 13)
  Patch Tuesday (p. 13)
  it-sa 2018 (p. 13)
  RuhrSummit 2018 (p. 13)

About this Intelligence Product (p. 14)

ABOUT US (p. 16)

CONTACTS (p. 17)

Industry: Consumer Discretionary, Information Technology, Government, Financials | Sentiment: Positive (crypto only); Development | Companies: Adobe, NATO, Facebook, Uber | Locations: Israel, Asia, North Korea, Italy, United Kingdom, Germany, Europe, Africa, South America, Russia, Iran | Article Type: Hot Topic, Spotlight | TLP: AMBER | Intelligence Bulletin

SUMMARY

CYBER

Current Threat (Industry Impacted: ANY, Consumer Discretionary, Financials, Information Technology). Researchers uncovered a diverse and scalable campaign dubbed GhostDNS that hijacks home routers and changes their DNS settings so that traffic to targeted sites is resolved by attacker-controlled DNS servers and redirected to phishing pages that steal credentials.

Vulnerabilities (Industry Impacted: ANY). Adobe released an out-of-band security update covering 86 vulnerabilities in Adobe Acrobat and Reader for Windows and macOS. Of the 86, 47 are rated critical and 39 important. They allow arbitrary code execution, information disclosure and privilege escalation.

Threat Actor Activity (Industry Impacted: Government). Researchers discovered a targeted malware campaign linked to the threat actor group APT28 that successfully deployed a malicious Unified Extensible Firmware Interface (UEFI) rootkit module onto systems of targeted government entities, mostly located in the Balkans and Central/Eastern Europe.

Reported Incidents (Industry Impacted: ANY). Both Facebook and Uber face fines for data incidents that together affected about 107 million customers worldwide.

CRYPTOCURRENCY
During the week the total market capitalization of cryptocurrencies rose by less than 1 percent to EUR 188 billion. On 27 September Italy became a member of the European Blockchain Partnership (EBP). The EBP was established in April to create a European Blockchain Services Infrastructure (EBSI) for the delivery of cross-border digital public services.

GEOPOLITICS
On 4 October several European countries and the U.S. publicly accused Russia's government of sponsoring malicious cyber operations targeting citizens, governments, companies and international organizations worldwide. Israel's Prime Minister Netanyahu said Israel had detected a warehouse in which Iran secretly stores nuclear-related material.

OUTLOOK
08 October: Annual Meetings of the International Monetary Fund and World Bank Group
09 October: Patch Tuesday
09 October: it-sa 2018
11 October: RuhrSummit 2018

QuoScient- Intelligence Operations (Quoint)- [email protected] 1|Page TLP: AMBER Intelligence Bullen

ZUSAMMENFASSUNG (German-language summary, translated)

CYBER

Current Threats (Industry Impacted: ANY, Consumer Discretionary, Financials, Information Technology). Security researchers discovered a versatile and scalable malware campaign named GhostDNS that aims to compromise routers and change their DNS settings. Internet traffic is routed through an attacker-controlled server to phishing websites in order to intercept and steal user data.

Vulnerabilities (Industry Impacted: ANY). Adobe published an out-of-band security update covering 86 vulnerabilities affecting Adobe Acrobat and Reader for Windows and macOS. Of the 86, 47 are rated critical and 39 important. They allow execution of arbitrary code, information disclosure and privilege escalation.

Threat Actor Activity (Industry Impacted: Government). Security researchers discovered a targeted malware campaign linked to the threat group APT28 that successfully placed a malicious Unified Extensible Firmware Interface (UEFI) rootkit module on systems of targeted government entities in the Balkans and Central/Eastern Europe.

Reported Incidents (Industry Impacted: ANY). Both Facebook and Uber face fines for data incidents affecting 107 million customers worldwide.

CRYPTOCURRENCIES
In the past week the total market capitalization of cryptocurrencies rose by less than 1 percent to EUR 188 billion. On 27 September Italy became a member of the European Blockchain Partnership (EBP). The EBP was founded in April to create a European Blockchain Services Infrastructure (EBSI) for the delivery of cross-border digital public services.

GEOPOLITICS
On 4 October several European countries and the U.S. publicly accused the Russian government of supporting alleged cyber operations directed at citizens, governments, companies and international organizations worldwide. Israel's Prime Minister Netanyahu said Israel had discovered a warehouse in which Iran secretly stores nuclear material.

OUTLOOK
08 October: Annual Meetings of the International Monetary Fund and World Bank Group
09 October: Patch Tuesday
09 October: it-sa 2018
11 October: RuhrSummit 2018


CYBER CURRENT THREAT

GhostDNS Used to Hijack Over 100,000 Routers
Attack Vector: Application Exploitation | Industry Impacted: ANY, Information Technology, Financials, Consumer Discretionary

Researchers uncovered1 a diverse and scalable malware campaign dubbed GhostDNS designed to hijack routers and modify their DNS settings so that internet traffic is resolved through attacker-controlled servers and redirected to phishing sites that steal information. The threat actors scan IP ranges for routers with weak or no passwords, log in to the susceptible routers and replace the configured DNS servers with the IP addresses of DNS servers under their control. Every DNS query from a client behind a compromised router is then answered by the attacker-controlled resolver; if the requested site is on the target list, the user is sent to a fake page that phishes credentials, while other queries are answered as usual, so the victim notices nothing. GhostDNS is a system of modules and sub-modules that together perform information collection, exploitation, IP scanning, brute-force attempts and DNS hijacking. The current campaign has infected over 100,000 routers (counted by IP address), the majority located in Brazil, and targets over 50 domains of various entities, including the financial and entertainment industries. The router brands targeted and the known attack vectors primarily affect devices intended for home and personal use.

Analyst Comment: In August 2018, researchers at Radware reported2 details of a DNSChanger attack, active since June 2018, that targeted customers of Brazilian banks in order to redirect them to a fake bank page and steal their credentials. The current reporting on the continuing campaign shows a more sophisticated and scalable attack, with the focus remaining on devices in Brazil. Compromised devices were also identified in Bolivia, Argentina, Saint Maarten, Mexico, Venezuela, the U.S., Russia and several other countries. DNSChanger malware is not new, and as in earlier campaigns the operation changes the DNS settings of an infected device either by automated password brute-forcing against the router's web authentication page or by exploiting a dnscfg.cgi vulnerability published in 2015 that bypasses authentication. GhostDNS differs from previous DNSChanger campaigns in that it adds three submodules, Shell DNSChanger, Js DNSChanger and PyPhp DNSChanger, each written in a different programming language and targeting different routers with its own set of attack scripts. Collectively, the three submodules contain over 100 scripts for compromising more than 70 router models. Note that the financial institutions on the campaign's target list were themselves neither attacked nor breached, but stolen customer credentials can be used for fraudulent account activity. The ISPs that unknowingly hosted the campaign's infrastructure have been notified and have taken down the known malicious IP addresses.
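The two symptoms described above are testable from any client on the affected LAN: the resolver addresses the router hands out are not the ones the network should be using, and a targeted domain resolves to an address that an independent resolver does not know. The following is an added example by the editor, not code from the Netlab, Radware or QuoScient reports. It assumes an allow-list of resolver networks, a watch-list of domains and, for the offline demo, constructed answers in documentation address ranges; none of these values come from the bulletin.

```python
"""Checks for GhostDNS-style router DNS hijacking (editor's added example).

Assumptions (not in the bulletin): the allow-list of resolver networks, the
watch-list of domains, and the constructed answers used in the demo. The
addresses below are private/documentation ranges, not real infrastructure.
"""
import ipaddress
import socket
import struct
from typing import Callable, Dict, Iterable, List, Set, Tuple

Lookup = Callable[[str], Set[str]]


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver IPs from resolv.conf-style text (comments ignored)."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(fields[1])))
            except ValueError:
                continue  # malformed address, skip it
    return servers


def rogue_resolvers(in_use: Iterable[str], allowed: Iterable[str]) -> List[str]:
    """Resolvers in use that fall outside every allowed network (CIDR strings)."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    return [ip for ip in in_use if not any(ipaddress.ip_address(ip) in n for n in nets)]


def build_query(domain: str, txid: int) -> bytes:
    """Minimal DNS A query: 12-byte header with RD set, QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a (possibly compressed) DNS name starting at buf[off]."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_a_records(resp: bytes) -> Set[str]:
    """Extract IPv4 addresses from the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", resp[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    answers: Set[str] = set()
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.add(str(ipaddress.IPv4Address(resp[off:off + 4])))
        off += rdlen
    return answers


def query_a(resolver: str, domain: str, timeout: float = 2.0) -> Set[str]:
    """Ask one specific resolver (UDP/53) for the A records of domain."""
    txid = 0x5A5A  # a fixed ID is acceptable for a one-shot diagnostic query
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(domain, txid), (resolver, 53))
        resp, _ = s.recvfrom(512)
    if resp[:2] != struct.pack("!H", txid):
        return set()
    return parse_a_records(resp)


def hijacked_domains(domains: Iterable[str], lan: Lookup,
                     trusted: Lookup) -> Dict[str, Tuple[List[str], List[str]]]:
    """Domains where the LAN resolver's answer shares no address with the trusted one."""
    flagged = {}
    for d in domains:
        a, b = lan(d), trusted(d)
        if a and b and a.isdisjoint(b):
            flagged[d] = (sorted(a), sorted(b))
    return flagged


if __name__ == "__main__":
    # Constructed demo data standing in for a live router and a trusted resolver.
    resolv = "nameserver 192.168.1.1\n# pushed by DHCP\nnameserver 203.0.113.9\n"
    print("rogue resolvers:", rogue_resolvers(parse_resolv_conf(resolv), ["192.168.0.0/16"]))
    lan_answers = {"bank.example": {"203.0.113.7"}, "news.example": {"198.51.100.4"}}
    trusted_answers = {"bank.example": {"192.0.2.10", "192.0.2.11"},
                       "news.example": {"198.51.100.4"}}
    print("hijacked:", hijacked_domains(lan_answers, lambda d: lan_answers.get(d, set()),
                                        lambda d: trusted_answers.get(d, set())))
    # Live use: hijacked_domains(watchlist, lambda d: query_a("192.168.1.1", d),
    #                            lambda d: query_a("<trusted resolver IP>", d))
```

A disjoint answer set is a lead, not proof: domains fronted by a CDN legitimately return different addresses to different resolvers, so confirm a hit by checking whether the LAN answer belongs to the brand's own netblocks or its CDN before raising an incident. The resolver allow-list check is the more reliable signal for this campaign, since GhostDNS works precisely by replacing the router's configured DNS servers.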

1 Netlab, F2, 29 September, 70+ different types of home routers (all together 100,000+) are being hijacked by GhostDNS
2 Radware, F2, 10 August, IoT Trick Brazilian Bank Customers into Providing Sensitive Information


VULNERABILITIES

Multiple Critical RCE Vulnerabilities in Adobe Reader and Acrobat
Industry Impacted: ANY

Adobe released an out-of-band security update3 covering 86 vulnerabilities that affect Adobe Acrobat and Reader for Windows and macOS. Of the 86 vulnerabilities, 47 are rated critical and 39 important. They allow arbitrary code execution, information disclosure and privilege escalation.

Analyst Comment: A further breakdown of the release lists 46 of the 47 critical vulnerabilities as remote code execution (RCE) flaws, with the remaining one allowing privilege escalation. Given that these RCE vulnerabilities affect widely deployed Adobe products, that a malicious PDF is a routine delivery vehicle, and the ease of exploitation, administrators should prioritise applying the patches. Those who cannot patch immediately can use the applicable Snort rules to detect exploitation attempts against these vulnerabilities.4 At the time of writing, no proof-of-concept (PoC) code is available for any of the reported vulnerabilities, and there is no indication of exploitation in the wild. QuoINT will continue to monitor for developments and will provide updates as needed.

3 Adobe, A1, 01 October, Security bulletin for Adobe Acrobat and Reader | APSB18-30
4 Snort Blog, C2, 4 October, Snort rule blog post for Oct. 4, 2018; Oct. 2, 2018

THREAT ACTOR ACTIVITY

APT28: New UEFI Rootkit Discovered, LoJax
Motivation: Political / Military | Capability: Advanced | Industry Impacted: Government | Indicators: QuoLab

Researchers discovered5 a targeted malware campaign linked to the threat actor group APT28 that successfully deployed a malicious Unified Extensible Firmware Interface (UEFI) rootkit6 module onto systems of targeted government entities, mostly located in the Balkans and Central/Eastern Europe. Well-known APT28 attack tools were identified on the compromised systems, corroborating the link to the group. Although the initial intrusion vector for this activity is not confirmed, APT28 often uses spear-phishing emails to deliver malicious payloads to its targets. In early 2018, researchers observed7 a trojanized version of the commercial anti-theft software LoJack (previously named Computrace) being used in targeted attacks. In an earlier weekly report8, QuoINT noted that three of the four C2 server domains mentioned were associated with previous APT28 operations. The malicious use of LoJack in the current campaign led to the name LoJax. Reportedly, LoJax is the first UEFI rootkit observed in use by a threat actor in the wild. Notably, the report highlights that all recovered trojanized versions originate from the same legitimate LoJack sample and share the same compilation timestamp. The legitimate LoJack software is implemented as a UEFI/BIOS module in firmware so that it persists on a system and survives OS reinstalls or hard drive replacement. APT28 relies on the same persistence mechanism: the LoJax rootkit resides in the UEFI firmware and re-infects a compromised system before the operating system boots. The module drops and executes malware on disk during the boot process. In combination with the detection and prevention approaches highlighted in the ESET report, QuoINT recommends the following monitoring steps, based on our preliminary analysis, to improve identification and mitigation of the threat. They should be applied with respect to both the known malicious artifacts and the network indicators of compromise:

Use Sysmon to monitor registry keys (event IDs 12, 13 and 14 cover key creation and deletion, value writes and renames) and forward the logs to a SIEM for alerting; boot-time persistence locations deserve dedicated alert rules

Monitor driver load events (Sysmon event ID 6 records the loaded driver image and its signature status)

Monitor the certificates trusted by the system and the signers of loaded drivers

Enable Secure Boot, which requires UEFI drivers and boot loaders to carry a valid digital signature

Apply updated UEFI firmware from the vendor

Use a modern chipset with a Platform Controller Hub (PCH)

Monitor for the execution of files on the system (e.g. using Prefetch files, Shims, Amcache) to identify known artifacts
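The monitoring steps above are OS-level: they catch what the firmware module drops onto the disk and whether the platform would have accepted an unsigned module in the first place, not the flashed module itself. The following is an added example by the editor, not code from the ESET or QuoScient reports. Its pure functions take the raw evidence (a registry value, a file list, the bytes of an EFI variable) so they can be run against artifacts exported from a suspect host, and live_findings() reads the live values on Windows or Linux. The stock BootExecute value, the dropped file names (autoche.exe and rpcnetp.exe, as described in ESET's public write-up) and the constructed sample data are the editor's assumptions; the bulletin does not state them.

```python
"""Host-side checks for LoJax-style UEFI persistence (editor's added example).

Assumptions not stated in the bulletin: the stock BootExecute value, the
user-land file names LoJax drops (per ESET's public write-up), and the
constructed sample data in the demo at the bottom.
"""
import ntpath
import os
import sys
from typing import Iterable, List, Optional

# Stock value of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute.
DEFAULT_BOOT_EXECUTE = "autocheck autochk *"
# File names associated with the LoJax user-land agent (editor's assumption, per ESET).
LOJAX_DROPPED_NAMES = {"autoche.exe", "rpcnetp.exe", "rpcnetp.dll"}
# efivarfs path of the firmware Secure Boot flag (EFI global variable GUID).
SECURE_BOOT_EFIVAR = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"


def boot_execute_findings(entries: Iterable[str]) -> List[str]:
    """BootExecute entries other than the stock chkdsk invocation.

    Anything listed here runs at boot before logon; LoJax pointed this value
    at its own autoche.exe to launch its agent. Whitespace is normalised so
    a padded but otherwise stock value is not flagged."""
    return [e for e in entries if " ".join(e.split()).lower() != DEFAULT_BOOT_EXECUTE]


def suspicious_files(paths: Iterable[str]) -> List[str]:
    """Paths whose file name matches a known LoJax artifact name (Windows or POSIX paths)."""
    return sorted(p for p in paths if ntpath.basename(p).lower() in LOJAX_DROPPED_NAMES)


def secure_boot_from_efivar(raw: bytes) -> Optional[bool]:
    """Decode the SecureBoot EFI variable as exposed by Linux efivarfs.

    The file is 4 bytes of variable attributes followed by the data; the data
    for SecureBoot is one byte, 1 when the firmware enforces signatures."""
    if len(raw) < 5:
        return None
    return raw[4] == 1


def live_findings() -> dict:
    """Run the checks against the running host (Windows registry or Linux efivarfs)."""
    out = {"secure_boot": None, "boot_execute": [], "artifacts": []}
    if sys.platform == "win32":
        import winreg
        sm = r"SYSTEM\CurrentControlSet\Control\Session Manager"
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sm) as key:
            entries, _ = winreg.QueryValueEx(key, "BootExecute")  # REG_MULTI_SZ -> list
        out["boot_execute"] = boot_execute_findings(entries)
        try:
            sb = r"SYSTEM\CurrentControlSet\Control\SecureBoot\State"
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sb) as key:
                out["secure_boot"] = winreg.QueryValueEx(key, "UEFISecureBootEnabled")[0] == 1
        except OSError:
            pass  # key is absent on legacy-BIOS systems
        system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
        out["artifacts"] = suspicious_files(os.path.join(system32, n) for n in os.listdir(system32))
    else:
        try:
            with open(SECURE_BOOT_EFIVAR, "rb") as f:
                out["secure_boot"] = secure_boot_from_efivar(f.read())
        except OSError:
            pass  # not an EFI boot, or efivarfs not mounted
    return out


if __name__ == "__main__":
    # Constructed sample evidence, as it might be exported from a suspect host.
    print(boot_execute_findings(["autocheck autoche *"]))
    print(suspicious_files([r"C:\Windows\System32\autochk.exe", r"C:\Windows\System32\autoche.exe"]))
    print(secure_boot_from_efivar(b"\x06\x00\x00\x00\x00"))
    print(live_findings())
```

Two caveats for triage. A non-stock BootExecute entry is not automatically malicious: a scheduled disk check legitimately adds an autochk invocation with extra arguments, so review the entry rather than blocking on it. And a clean result from these checks does not clear the host: the rootkit lives in the SPI flash and survives an OS reinstall, so a suspected machine needs its firmware image dumped and compared against the vendor's release, or the board reflashed, before it goes back into service.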

REPORTED INCIDENTS

Facebook and Uber Facing Large Fines Due to Separate Data Breach Incidents
Attack Vector: Application Exploitation | Industry Impacted: ANY

On 28 September, Facebook reported9 a security incident that affected almost 50 million accounts. Facebook stated that the attackers combined multiple bugs to exploit a vulnerability in Facebook's code affecting the "View As" feature. Exploiting this flaw enabled the attackers to steal Facebook access tokens (the digital keys that grant access to an account), which they could then use for account takeover. In addition to the tokens, the attackers tried to harvest people's private information, including name, sex and hometown.10 Facebook patched the vulnerability, reset the access tokens of the known affected users and temporarily disabled the "View As" feature. As a precaution, the company also reset a further 40 million access tokens for accounts that had been subject to a "View As" look-up in the past year. Because the attackers only obtained access tokens, user passwords were not exposed. Nothing is known about the attackers at this time. There are reports11 that the fine resulting from this breach could be as large as EUR 1.42 billion. Reportedly12, data stolen from compromised Facebook accounts is already being sold on the dark web for as little as EUR 2.61.

Similarly, Uber reached a settlement13 late last month and will pay EUR 128.5 million in fines over its mishandling of a data breach in 201614. In that attack, cyber criminals obtained the personal information of over 50 million customers and drivers and held the data for ransom. Instead of reporting the incident when it occurred, the company hid the evidence and paid EUR 86,841 in ransom for the stolen information to be destroyed. The company only acknowledged15 the breach a year later.

7 ESET, B2, 27 September, LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group
8 ASERT, F1, 1 May, Lojack Becomes a Double-Agent

Analyst Comment: Both incidents demonstrate that cyber criminals are not the only threat to a business: regulators are a looming threat to any organization that suffers a data breach. The two incidents are very different, yet both companies face hefty fines. With regard to Facebook, two questions determine whether the company faces a fine and how large it would be: (a) whether Facebook reported the incident within the 72-hour window required under GDPR, which it did, and (b) whether Facebook did enough to protect users' data. On the latter, Facebook's lead privacy regulator in the European Union, Ireland's Data Protection Commission, stated that it is "awaiting from Facebook further urgent details of the security breach impacting some 50m users, including details of EU users which have been affected, so that we can properly assess the nature of the breach and risk to users".16 Under GDPR, companies that fail to sufficiently protect user data face a maximum fine of EUR 20 million or 4 percent of global annual turnover from the prior year, whichever is higher; in Facebook's case that could reach EUR 1.42 billion. Uber's incident, by contrast, occurred before GDPR came into effect, but the company faced similar scrutiny under U.S. law, which requires companies to notify authorities as soon as a data breach is identified, and was found non-compliant. In addition to paying the USD 148 million (EUR 128.5 million) settlement, the company is required to establish methods to protect user data stored on third-party platforms and to create password protection policies.

ROLLUP

Hidden Cobra Targets Retail Payment Systems in the FASTCash Campaign
The U.S. CERT published an alert17 regarding the threat actor group Hidden Cobra18 (also tracked by QuoINT as Lazarus), which has been targeting retail payment systems in Africa and Asia in what the alert calls the FASTCash campaign. The attack vector is unknown, but the alert highlights that the compromised systems were all application servers running unsupported versions of the IBM Advanced Interactive eXecutive (AIX) operating system beyond the end of their service pack support dates.

APT37 Threat Group uses NOKKI Malware to Deploy RAT
The research team at Unit 42 reported that the North Korean espionage group APT3719 (Reaper) is using the newly identified NOKKI malware family20 to target Russian- and Cambodian-speaking organisations, using World Cup themed lures to entice victims. The malware collects system information, drops and executes a payload and opens a decoy document.

New IoT Botnet Uncovered, More Sophisticated than Mirai
Researchers discovered21 a new IoT botnet called Torii that has more capabilities than previously known Mirai variants. Unlike botnets built to carry out cryptomining and DDoS attacks, Torii is capable of deleting information and executing malicious code on compromised devices. Torii has a wide reach and can infect many architectures, including MIPS, ARM, x86, x64, PowerPC and SuperH.

10 Facebook, A1, 28 September, Security Update
11 New York Times, C3, 28 September, Facebook Security Breach Exposes Accounts of 50 Million Users
12 Nasdaq, F2, 1 October, Facebook's Big Data Breach Could Cost It Over $1 Billion
13 The Guardian, C3, 26 September, Uber fined $148m for failing to notify drivers they had been hacked
14 The Guardian, C3, November 2017, Uber concealed massive hack that exposed data of 57m users and drivers
15 Independent, C3, 5 October, Facebook hack: People's Accounts Appear for Sale on Dark Web
17 US-CERT, 2 October, Alert (TA18-275A) HIDDEN COBRA – FASTCash Campaign
18 MITRE ATT&CK, Group: HIDDEN COBRA
19 MITRE ATT&CK, Group: APT37
20 Palo Alto Unit 42, 27 September, New KONNI Malware attacking Eurasia and Southeast Asia

21 Avast, B1, 27 September, Torii botnet - Not another Mirai variant


CRYPTOCURRENCY

Cryptocurrency Market Capitalization Increases Slightly Crypto Entity Impacted: Bitcoin, Ethereum

Figure 1: Total Market Capitalization

Analyst Comment: During the previous week, the total market capitalization of cryptocurrencies increased by less than 1 percent to EUR 188 billion. The market was nevertheless considerably volatile during the week. The price of Bitcoin spiked on 28 September to EUR 6,780 as the market capitalization temporarily rose by EUR 5 billion, then dropped sharply in the following days. The price of Ethereum behaved similarly, falling 35 percent from its weekly peak to EUR 191. There are no clear indicators that explain this volatility. One possible explanation for the sudden rise is increased investment in cryptocurrencies while their prices were low in previous weeks. In addition, growing interest from banks and other traditional financial institutions might reassure investors in the longer term.

Italy Becomes Member of the European Blockchain Partnership
Crypto Entity Impacted: E.U. Commission, European Blockchain Partnership

On 27 September, Italy became the 27th member of the European Blockchain Partnership (EBP).22 The EBP was established in April by E.U. member states to cooperate on creating a European Blockchain Services Infrastructure (EBSI) for the delivery of cross-border digital public services. The EBP aims to identify an initial set of public sector services that could be deployed through the EBSI by the end of 2018. It further aims to unify the member states' approaches to using blockchain technology so that several platforms are not built for the same services.

Analyst Comment: The EBP could streamline the E.U.'s delivery of cross-border digital services, ease current obstacles and facilitate cooperation. The more E.U. members join, the more efficiently the system is likely to work. However, using blockchain technology also presents risks: a platform carrying public services is an attractive target, and incidents involving vulnerabilities in blockchain implementations and the applications built on them are common. An E.U.-wide blockchain could be a target for attackers attempting to sabotage services provided to E.U. citizens.

22 European Commission, A1, 27 September, Italy joins European partnership on blockchain supporting the delivery of cross-border digital public services


The use of blockchain by governments is another development that highlights how the technology can be applied across many sectors, not solely to cryptocurrencies. QuoINT previously reported on private companies using it to support their supply chains, and banks are starting to use it for international transfers. Increasingly, governments are turning to blockchain to provide services to citizens, and QuoINT expects this trend to continue.

ROLLUP

Two Men Arrested After Stealing Cryptocurrency Worth EUR 12 million
According to reports,23 two men were arrested in Missouri on suspicion of stealing EUR 12 million worth of cryptocurrency through SIM swapping. The suspects allegedly stole Crowd Machine Compute Tokens (CMCT) from an employee of the cryptocurrency startup Crowd Machine. In September, the company confirmed a theft from its platform.24 QuoINT has observed a trend of SIM swapping being used to steal cryptocurrency and reported on a similar incident in August.25

U.K. Exchange Launches GBP-Pegged Cryptocurrency
London Block Exchange (LBX), a British over-the-counter trader and crypto asset exchange, announced the launch of LBXPeg, a cryptocurrency pegged to the pound sterling.26 LBX is working with an unnamed bank, which will hold the reserves backing the stablecoin. LBX is reportedly the first company to offer a stablecoin in the U.K.

23 ZD Net, 1 October, Two SIM swappers arrested for CMCT hack 24 Crowd Machine, 24 September, Crowd Machine responds to CMCT price drop 25 QuoScient, 3 August, QuoINT Weekly Intelligence Bulletin 31 26 Business Insider, 29 September, A UK startup is planning to develop a 'crypto pound' as the sector goes crazy for 'stablecoins'


GEOPOLITICS

NATO Member States Accuse Russian Government of Global Cyberattacks

On 4 October, several European countries and the U.S. publicly accused Russia's government of sponsoring malicious cyber operations targeting citizens, governments, companies and international organizations worldwide. The Dutch Ministry of Defence (MoD) reported the expulsion of four alleged officers of the Russian military intelligence agency (GRU).27 The suspects reportedly attempted to launch a cyberattack against the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague. The Dutch MoD pointed to evidence recovered from the suspects' rental car, which included specialized equipment such as a WiFi antenna, laptops and mobile devices. At the same time, the British National Cyber Security Centre (NCSC) released a statement accusing the GRU of being behind recent "reckless and indiscriminate cyber-attacks."28 The statement lists twelve threat actor names (e.g. APT28 and Sofacy) that are allegedly controlled by the GRU. The NCSC also said the GRU was responsible for the BadRabbit ransomware, the attack on the World Anti-Doping Agency (WADA) and the hacking of the Democratic National Committee (DNC) in 2016. The NCSC further states that by conducting these cyber operations, Russia violates international law, undermines international institutions, affects citizens globally and imposes huge costs on national economies. Following the U.K., the U.S. Department of Justice (DoJ) charged seven GRU officers, including the four expelled from the Netherlands, with "International Hacking and Related Influence and Disinformation Operations."29 According to the indictment, the defendants began cyber operations around December 2014 targeting citizens, companies and international organizations. The U.S.
DoJ further alleges that GRU officers disguised themselves as the hacktivist group "Fancy Bear's Hack Team" which released data stolen in the cyberattacks on WADA, FIFA, the nuclear energy company Westinghouse, and other organisations. Other states, including Canada, Australia and New Zealand, also accused the Russian government of malicious operations.30 NATO’s Secretary General Stoltenberg voiced his support for the Netherlands and the U.K and urged Russia to halt its malicious cyber campaigns.31 The Russian government denies these accusations and the spokeswoman for the Russian Foreign Ministry said they are the product of a "rich imagination."32

Analyst Comment: The coordinated accusations by Western states against the Russian government highlight the further deterioration of their diplomatic relationship. Cyber operations are an additional area of conflict between Russia and Western states, alongside the war in Syria, disputes over Ukraine and the attempted poisoning of former agent Skripal, among others. Additionally, the accusations coincide with NATO's largest cyber security conference, NIAS, taking place on 16 October. It is expected that NATO member states will discuss the use of offensive cyber weapons during the conference. Their use might be easier to defend if they are directed against an active cyber adversary, as Russia is presented to be. The allegations also emphasize the integral place that cyber operations occupy in foreign policy. States around the world use them frequently because they offer governments a degree of obfuscation and deniability. Public attribution might change this, as governments become less able to conduct cyber operations covertly and risk being exposed more regularly than before. By publicly accusing Russia, the U.S. and European states hope to deter future state-funded cyber operations. However, an increasing number of states are introducing cyber strategies that include offensive cyber operations as a means of reacting to adversaries.33 If states can more easily use cyber operations to respond to provocations that previously fell below the threshold of retaliation, the risk of cyber conflict escalating, and possibly spilling over into kinetic warfare, increases.

27 U.K. Government, F1, 4 October, UK exposes Russian cyber attacks
28 Ministry of Defence, F1, 4 October, Netherlands Defence Intelligence and Security Service disrupts Russian cyber operation targeting OPCW
29 Prime Minister of Australia, F1, 4 October, Attribution of a pattern of malicious cyber activity to Russia
30 NATO, F1, 4 October, Statement by NATO Secretary General Jens Stoltenberg on Russian cyber attacks
31 The United States Department of Justice, F1, 4 October, U.S. Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations
32 Russia Today, C4, 5 October, US & allies hit Russia with coordinated avalanche of hacking accusations. Here are the allegations

Diplomatic Relations between the U.S., Israel and Iran Further Worsen

During his speech at the U.N. General Assembly on 27 September, Israel's Prime Minister Netanyahu said Israel had detected a warehouse in which Iran secretly stores nuclear-related material.34 According to Netanyahu, this shows that Iran continues to develop nuclear weapons despite its agreement to limit its nuclear programme under the Joint Comprehensive Plan of Action (JCPOA). However, an unnamed U.S. official said Netanyahu's claims were misleading, as the U.S. is reportedly aware of the warehouse and it mainly stores paper records. In addition, even if nuclear-related material were stored in the warehouse, this is not necessarily a violation of the JCPOA, which does not specify where material has to be stored.35 Netanyahu opposes the JCPOA and criticized European states for continuing to implement it after the U.S. administration withdrew. Last week, the Iranian government accused the U.S. and Saudi Arabia of supporting the "foreign mercenaries" Tehran holds responsible for the attack on a military parade in Ahvaz on 22 September.36 On 1 October, Iran targeted these militants with a missile strike in Syria; the missiles landed within three miles of U.S. troops.37

Analyst Comment: Tensions between Iran and its adversaries continue to deteriorate. In the past, Israel and the U.S. have reportedly used cyberattacks to interfere with Iran's nuclear development. In 2010, researchers discovered the Stuxnet worm, attributed to Israel and the U.S., which targeted Iranian nuclear facilities and destroyed uranium enrichment centrifuges. This suggests that the U.S. and allied states may again resort to cyberattacks against Iran as diplomatic relations worsen. In addition, alleged Iranian cyber operations targeting the U.S. and Europe have increased over recent months.38 The estrangement might also lead to more fighting in Syria, where Iran is aligned against the U.S. and Israel. With President Trump and President Rouhani having rejected a meeting, an improvement in relations is unlikely in the short term, which risks a further escalation of tensions.

33 QuoScient, N/A, 28 September, QuoINT Weekly Intelligence Bulletin 39 34 United Nations, A6, 27 September, Israel - Prime Minister Addresses General Debate, 73rd Session (video) 35 The Guardian, C3, 27 September, Netanyahu claims Israel has found Iran's 'secret atomic warehouse' 36 CNN, C3, 1 October, Iran missiles in Syria land 'within three miles' of US troops 37 QuoScient, N/A, 28 September, QuoINT Weekly Intelligence Bulletin 39 38 QuoScient, N/A, 24 August, QuoINT Weekly Intelligence Bulletin 34

QuoScient - Intelligence Operations (QuoINT) - [email protected] | 11|Page | TLP: AMBER | Intelligence Bulletin

ROLLUP

Mike Pence to warn against Chinese ’intimidation’ in South China Sea
U.S. Vice President Pence will criticize China’s foreign policy, including its behavior in the South China Sea, in an upcoming speech.39 This comes after U.S. and Chinese warships almost collided in the disputed waters of the South China Sea while a U.S. destroyer was conducting freedom-of-navigation operations. Pence said the U.S. will not be "intimidated" by China’s "reckless harassment." Beijing claims sovereignty over the South China Sea islands and their surrounding waters, competing with claims by Vietnam, Indonesia and Taiwan. The diplomatic relationship between the U.S. and China has continually worsened since President Trump imposed tariffs on Chinese imports and accused China of attempting to meddle in the U.S. election.

Pompeo backs away from North Korea denuclearisation timeline
U.S. Secretary of State Pompeo retreated from the 2021 deadline set for North Korea’s denuclearisation.40 President Trump told Pompeo to avoid setting a timeline for denuclearisation at the meeting between Pompeo and Kim scheduled for 7 October. At the same time, North Korea reportedly continues its cyber operations, as activity by the alleged government-backed APT38 threat group continues (see Cyber Rollup section).

39 Reuters, 4 October, Pence to tell China: We will not be intimidated in South China Sea
40 The Guardian, 4 October, Pompeo backs away from North Korea denuclearisation timeline


OUTLOOK

Date (October)   Event
08               Annual Meetings of the International Monetary Fund and World Bank Group
09               Patch Tuesday
09               it-sa 2018
11               RuhrSummit 2018

Annual Meetings of the International Monetary Fund and World Bank Group
Location: Indonesia | Industry Impacted: Financials
The Annual Meetings of the International Monetary Fund (IMF) and the Boards of Governors of the World Bank Group (WBG) will take place in Indonesia. Representatives from central banks and ministries of finance, as well as the private and public sector, will discuss issues of global concern, such as the world economic outlook and economic developments.41

Patch Tuesday
Industry Impacted: ANY
Microsoft and third-party security patches are released on Patch Tuesday, the second Tuesday of each month.42

it-sa 2018
Location: Germany | Industry Impacted: Information Technology
it-sa is one of Europe’s leading trade fairs for IT security.43 It provides a platform for C-level experts and security officers to meet developers and providers of security solutions for cloud computing, mobile and cyber security, data, and network security. QuoScient will be attending the fair.

RuhrSummit 2018
Location: Germany
RuhrSummit is the largest startup event in the Ruhr region and combines a conference with the opportunity for startups to meet investors.44 QuoScient will be in attendance.

41 International Monetary Fund and World Bank Group, F1, October 2018, Annual meetings 2018 Indonesia
42 Microsoft, 4 September, Microsoft Security Updates
43 it-sa 2018, October 2018, Die it-sa auf einen Blick (it-sa at a glance)
44 Ruhr Summit, October 2018, RuhrSummit - About Us


About this Intelligence Product

Product spectrum (from data driven to concept driven): Bulletins, Briefs, Assessments, Estimates

Intelligence Bulletins include descriptive analysis that aims at giving an overview of current happenings and answering the Who? What? When? Where? How? questions. When applicable, the bulletin includes analyst comments that highlight patterns, identify trends, and provide further insights. Drafting and disseminating bulletins is our first step in informing customers about specific happenings, as quick notifications on current threats are imperative for awareness and possible mitigation of those threats. When applicable, threats covered in bulletins are then analyzed in more depth and distributed via other analytical products (e.g. Briefs, Assessments or Estimates). As stated, Intelligence Bulletins may contain analyst comments, which should not be confused with judgments. Analyst comments are based on the analyst’s opinion of the happening and are provided after a quick review and analysis of the discussed topic. By contrast, judgments follow only an extensive analysis performed to our high analytic standards.

Weekly Bulletins contain the information that executives in different industry sectors should be aware of. The weeklies cover notable events in the Cyber, Cryptocurrency and Geopolitics fields that occurred in the last seven calendar days, as well as highlighting events scheduled for the following seven calendar days. This intelligence product covers both open source (OSINT) findings and QuoINT internal investigations. The collected and reported OSINT is processed, validated, and reviewed by our analysts, who then provide their comment reporting their opinion-based findings.

Admiralty Code Scoring System

Source Reliability
A  Reliable. No doubt about the source’s authenticity, trustworthiness, or competency. History of complete reliability.
B  Usually reliable. Generally a reliable source that provides a degree of analysis to reports. Has consistently provided accurate information.
C  Fairly reliable. Fairly reliable and provides valid information, but generally does not provide in-depth analysis.
D  Not usually reliable. Significant gaps within information provided. Provided valid information in the past.
E  Unreliable. Unconfirmed information provided, and competency cannot be assessed. History of invalid information.
F  Cannot be judged. Insufficient information to evaluate reliability. May or may not be reliable.

Information Reliability
1  Confirmed. Logical, consistent with other relevant information, confirmed by independent sources.
2  Probably true. Relevant information, not confirmed. Logical, consistent with other relevant information, not confirmed.
3  Possibly true. Reasonably logical, agrees with some relevant information, not confirmed.
4  Doubtfully true. Not logical, but possible; no other information on the subject, not confirmed.
5  Improbable. Not logical, contradicted by other relevant information.
6  Cannot be judged. The validity of the information cannot be determined.


Admiralty Code

All sources QuoINT collects undergo a source and information reliability assessment. The result is expressed using the Admiralty Code scoring system, which is composed of two elements: source reliability and information reliability. QuoINT rates the reliability of each source by first assigning each piece of information it provides a reliability score (1-5) based on our analysis and then, on a monthly basis, averaging the scores of all information collected from that source. The source is then assigned the corresponding source reliability letter (where A=1, B=2, C=3, D=4, E=5 and F=6¹). Our Admiralty Code is therefore influenced by (a) the number of articles we process from each source and (b) the score QuoINT analysts apply to each article². The assigned Admiralty Code is shown on every article citation, apart from the rollup and outlook items.

Weekly Article Titles

Figure: annotated sample article header, keyed 1-3 to the list below, using the example title "COBALT: New spear-phishing attacks spoofing Interkassa" with the tags "Capability: High | Industry Impacted: Financials | Indicators: QuoLab".

1. Title of the article. Title of the article provided by the analyst.
2. Icons. Quick visualization of what is treated in the article, especially the entities impacted, such as countries, industry sectors, and companies. Every Weekly Bulletin includes a legend after the table of contents that explains the significance of every icon used in the report.
3. Additional tags. This section quickly highlights the most relevant metadata of the article. The fields vary depending on the category of the article and include:
   Attack Vector. If known, what means was used to perform the attack.
   Threat Actor Type. Which category the threat actor belongs to.
   Threat Actor Motivation. The threat actor’s main motivation.
   Threat Actor Capability. The threat actor’s current capability as estimated by QuoINT.
   QuoLab indicators. Hyperlink to the QuoLab case. All technical indicators are extracted, enriched, tagged, and validated by QuoINT analysts within QuoScient’s Collaborative Analysis and Incident Response Platform, QuoLab. Access to this platform requires a VPN connection to our external network, which is granted only to QuoScient’s clients.

References

Figure: annotated sample reference line, keyed 1-4 to the list below; the example entry reads "SourceXYZ, B2, June 19th" followed by the hyperlinked title.

1. Source. Name of the information source.
2. Admiralty Score. Admiralty score provided by the analyst.
3. Publication Time. Date (day and month) when the information was published.
4. Publication Title. Title of the publication, hyperlinked to the original Internet source.

1 Sources that were analyzed fewer than four times have a default ranking score of ’F’.
2 Although QuoINT analysts are trained to enforce the highest quality-control standards, our analysis does not cover all information ever published by each source, and thus we cannot guarantee 100% accuracy in our evaluation.
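The monthly source-rating procedure described above, worked through in code. This is an added illustration, not QuoScient’s own tooling: it takes per-article information scores for one month, rates a source with fewer than four judged articles as ’F’ as footnote 1 requires, and maps the average of the remaining scores to a letter on the A=1 … F=6 scale. Two details the text does not state are assumed here: averages are rounded to the nearest whole score, and a ’6’ (cannot be judged) is left out of the average because it carries no evidence either way. The sample sources, dates and titles are constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Letter scale as given in the bulletin: A=1, B=2, C=3, D=4, E=5, F=6.
SOURCE_LETTERS = "ABCDEF"
# Footnote 1: fewer than four analyzed articles -> default rating 'F'.
MIN_ARTICLES = 4
CANNOT_BE_JUDGED = 6


def letter_for_average(avg):
    """Map an averaged information score (1.0..6.0) to a source letter.
    Rounds to the nearest whole score (assumed rule; the bulletin does not say)."""
    idx = int(avg + 0.5)                      # nearest integer, halves rounded up
    idx = min(max(idx, 1), len(SOURCE_LETTERS))
    return SOURCE_LETTERS[idx - 1]


def source_reliability(scored_articles, year, month):
    """Monthly source-reliability letters.
    scored_articles: iterable of (source, published_date, info_score, title).
    Returns {source: letter} for every source seen in the given month."""
    judged = defaultdict(list)
    seen = set()
    for source, published, info_score, _title in scored_articles:
        if (published.year, published.month) != (year, month):
            continue                          # other months are rated separately
        seen.add(source)
        if info_score == CANNOT_BE_JUDGED:
            continue                          # assumption: a '6' carries no evidence
        judged[source].append(info_score)
    ratings = {}
    for source in seen:
        vals = judged[source]
        if len(vals) < MIN_ARTICLES:
            ratings[source] = "F"             # too few judged articles to rate
        else:
            ratings[source] = letter_for_average(sum(vals) / len(vals))
    return ratings


def citation(source, letter, info_score, published, title):
    """Render a reference line in the bulletin's 'Source, A1, day Month, Title' form."""
    return f"{source}, {letter}{info_score}, {published.day} {published:%B}, {title}"


# Constructed sample: one month of per-article information scores (not real ratings).
SAMPLE_ARTICLES = [
    ("The Guardian", date(2018, 9, 3), 3, "constructed title 1"),
    ("The Guardian", date(2018, 9, 10), 3, "constructed title 2"),
    ("The Guardian", date(2018, 9, 17), 2, "constructed title 3"),
    ("The Guardian", date(2018, 9, 24), 3, "constructed title 4"),
    ("The Guardian", date(2018, 9, 27), 3, "constructed title 5"),
    ("CNN", date(2018, 9, 5), 3, "constructed title 6"),
    ("CNN", date(2018, 9, 12), 3, "constructed title 7"),
    ("CNN", date(2018, 9, 19), 3, "constructed title 8"),
    ("CNN", date(2018, 9, 26), 2, "constructed title 9"),
    ("United Nations", date(2018, 9, 4), 1, "constructed title 10"),
    ("United Nations", date(2018, 9, 11), 1, "constructed title 11"),
    ("United Nations", date(2018, 9, 18), 1, "constructed title 12"),
    ("United Nations", date(2018, 9, 25), 1, "constructed title 13"),
    ("United Nations", date(2018, 9, 27), 2, "constructed title 14"),
    ("Reuters", date(2018, 9, 6), 2, "constructed title 15"),     # only three this month
    ("Reuters", date(2018, 9, 13), 2, "constructed title 16"),
    ("Reuters", date(2018, 9, 20), 2, "constructed title 17"),
    ("SourceXYZ", date(2018, 9, 7), 2, "constructed title 18"),   # one '6' -> three judged
    ("SourceXYZ", date(2018, 9, 14), 2, "constructed title 19"),
    ("SourceXYZ", date(2018, 9, 21), 6, "constructed title 20"),
    ("SourceXYZ", date(2018, 9, 28), 2, "constructed title 21"),
    ("Reuters", date(2018, 8, 30), 1, "constructed title 22"),    # previous month: ignored
]


def sample_citation():
    """Reference line for the Guardian article cited in this bulletin (footnote 35)."""
    ratings = source_reliability(SAMPLE_ARTICLES, 2018, 9)
    return citation("The Guardian", ratings["The Guardian"], 3, date(2018, 9, 27),
                    "Netanyahu claims Israel has found Iran's 'secret atomic warehouse'")


if __name__ == "__main__":
    for src, letter in sorted(source_reliability(SAMPLE_ARTICLES, 2018, 9).items()):
        print(f"{src}: {letter}")
    print(sample_citation())
```

With the constructed scores, The Guardian (average 2.8) and CNN (2.75) come out as C, United Nations (1.2) as A, and both Reuters (three articles) and SourceXYZ (four articles but only three judged) fall to the ’F’ default, which is the footnote 1 case worth checking whenever a source is cited with a confident-looking letter early in its coverage.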


ABOUT US

QuoScient is Digital Active Defense

We unite people, resources and technology in digital active defense to protect organizations from digital threats. We call this approach Digital Active Defense, and it is the core focus of our products and services.

QuoScient provides Digital Active Defense as a Platform

Intelligence Operations: Inform decision makers
  Targeted Intelligence
  Digital Risk Protection
  Special Operations

Security Operations: Respond to digital threats
  Incident Management Support
  Forensic & Incident Response
  Reverse Engineering Analysis

Defense Technology: Empower security teams
  Security Operations Platform
  Unified Threat Intelligence Platform
  Security Operations Workflow Management


CONTACTS

Digital Active Defense

Radilostrasse 43
60489 Frankfurt
Germany
+49 69 33 99 79 38
[email protected]
www.quoscient.io

Disclaimer: This product is issued by QuoScient. While all reasonable care was taken in preparing this product, no responsibility or liability is accepted for any errors of fact, omission or opinion expressed herein. Readers are advised to exercise their own independent judgement, or to seek support from their own professional advisor(s) as necessary, with respect to the risks and consequences of any material contained in this product. QuoScient expressly disclaims liability and responsibility for any issues arising from the use to which this communication is put and for any errors or omissions in this product.
