Week 39

Weekly Intelligence Bulletin

Date: 28 September 2018
Reading Time: 25-30 min
Type: Intelligence Bulletin
Sub-Type: Weekly Bulletin
Audience-Role: Management
Audience-Industry: Cross Industry
Reporting Period: 20-09-2018 to 27-09-2018
TLP: AMBER

TABLE OF CONTENTS

CYBER ...... 3
  VULNERABILITIES ...... 3
    Linux Kernel IP Fragment Reassembly Vulnerability impacting multiple Cisco Products ...... 3
    New Exploit Variation of Recent VBScript Engine Vulnerability in the Wild ...... 3
    Zero Day Initiative Reports Remote Code Execution Vulnerability in Microsoft Windows Jet Database Engine ...... 4
  THREAT ACTOR ACTIVITY ...... 5
    COBALT: Latest campaign activity spoofing Oracle ...... 5
  REPORTED INCIDENTS ...... 5
    The United Nations Experiences Data Incidents on Third Party Platforms ...... 5
    Energy Company RWE Suffers DDoS Attack ...... 6
  ROLLUP ...... 7

CRYPTOCURRENCY ...... 8
  Total Market Capitalization Declines ...... 8
  German Cryptoasset Exchange Launches First Bank Account ...... 8
  French Government Reportedly Creating Legal Framework for Cryptoasset Providers ...... 9
  ROLLUP ...... 9

GEOPOLITICS ...... 11
  Deutsche Telekom and German Armed Forces Cooperate on Cyber Defense ...... 11
  U.N. General Assembly Annual Session ...... 11
  President Trump Presents National Cyber Strategy ...... 12
  ROLLUP ...... 12

OUTLOOK ...... 14
  Macedonia Holds Referendum on Name Change ...... 14

About this Intelligence Product 15

CONTACTS 17

Information Consumer Industry: Energy, Financials, Technology, Discretionary, Government
QuoINT Article Type: Spotlight investigation
Locations: Syria, Germany, Republic of Macedonia, United Kingdom, Europe, USA, China
Sentiment: Negative Development; Positive Development (crypto only)
Companies: Microsoft, United Nations, Cisco, RWE, Telekom

2|Page QuoScient - Intelligence Operations (QuoINT) - [email protected] TLP: AMBER Intelligence Bulletin

SUMMARY

CYBER

Vulnerabilities
Industry Impacted: Information Technology, ANY

On 24 September, Cisco released an updated security advisory as they continue to investigate their products using the affected Linux Kernel version to determine and mitigate susceptibility to a Denial-of-Service (DoS) vulnerability known as FragmentSmack. Based on Microsoft's latest Patch Tuesday release, Linux-based products are not exclusively affected by FragmentSmack. Microsoft states that various Windows systems are affected, including servers.

Researchers identified a new variation of earlier exploit code targeting a previously patched remote code execution vulnerability in the Internet Explorer (IE) VBScript Engine. The variant code is being used in at least one campaign ongoing since at least July 2018, distributing Quasar, a Remote Administration Tool (RAT), as the final payload.

A security researcher publicly disclosed an unpatched zero-day vulnerability in the Microsoft JET (Joint Engine Technology) Database Engine, affecting at least the Windows 7 operating system. In accordance with the Zero Day Initiative (ZDI) 120-day deadline, this vulnerability was disclosed publicly without a patch.

Threat Actor Activity
Industry Impacted: Financials

On 25 September, QuoINT detected a new Cobalt spear-phishing attack imitating Oracle.

Reported Incidents
Industry Impacted: Energy, Government

A security researcher discovered sensitive internal documents and technical details for websites of the United Nations (U.N.) accessible online due to misconfigurations in the U.N.'s project management service Trello, issue ticketing tool Jira and office suite Google Docs. Separately, another researcher found both a path disclosure and an information disclosure vulnerability in the United Nations WordPress site that has exposed the CVs of thousands of job applicants since 2016.

The website for the German energy company RWE reportedly suffered a Distributed Denial of Service (DDoS) attack earlier this week that caused the site to be "sometimes difficult or sometimes not reachable in some places". The attack is reportedly due to the company's involvement in the deforestation efforts in west Cologne in order to continue mining lignite.

CRYPTOCURRENCY

The German cryptoasset exchange Bitwala announced it completed its latest funding round to launch a fully regulated bank account based on the blockchain. The French National Assembly will reportedly discuss an amendment to French legislation to regulate all service providers in the cryptoasset industry. The total crypto asset market capitalization decreased by 1.6 percent in the previous week to EUR 184 billion.

GEOPOLITICS

Deutsche Telekom announced a cooperation with the German Armed Forces (Bundeswehr) on cyber defense. The conflict between the U.S. and Iran was one of the dominating issues during the annual U.N. General Assembly session. The U.S. administration released its National Cyber Strategy, in which it outlines priority actions to protect U.S. citizens.

OUTLOOK

30 September: Macedonia Holds Referendum on Name Change


SUMMARY (German version, translated)

CYBER

Vulnerabilities
Industry Impacted: Information Technology, ANY

On 24 September, Cisco published an updated security advisory as it continues to examine its products with the affected Linux Kernel version in order to find and mitigate susceptibility to a Denial-of-Service vulnerability known as FragmentSmack. Based on Microsoft's latest Patch Tuesday, not only Linux-based products are affected by FragmentSmack. Microsoft has stated that various Microsoft systems, including servers, are also affected.

Security researchers have identified a new variant of earlier exploit code that targets a previously patched remote code execution vulnerability in the Internet Explorer (IE) VBScript Engine. The malicious code is being used in at least one campaign running since at least July 2018, which distributes Quasar, a Remote Access Trojan, as the final malware.

A security researcher published an unpatched zero-day vulnerability that exists in the Microsoft JET (Joint Engine Technology) Database Engine and affects at least the Windows 7 operating system. In accordance with the 120-day deadline of the Zero Day Initiative (ZDI), this vulnerability was publicly disclosed without a patch.

Threat Actor Activity
Industry Impacted: Financials

On 25 September, QuoINT detected a new spear-phishing attack by Cobalt that imitates Oracle.

Reported Incidents
Industry Impacted: Energy, Government

A security researcher discovered sensitive internal documents and technical details for websites of the United Nations (UN) that were accessible online due to misconfigurations in the UN's project management service Trello, the issue ticketing tool Jira and the office suite Google Docs. In addition, another researcher found both a path disclosure and an information disclosure vulnerability on the United Nations WordPress site, which has exposed the CVs of thousands of applicants since 2016.

The website of the German energy company RWE is said to have suffered a Distributed Denial of Service (DDoS) attack at the beginning of this week, which caused the website to be "sometimes difficult or sometimes not reachable in some places". The attack is allegedly attributable to the company's involvement in the clearing work in the west of Cologne in order to continue lignite mining.

CRYPTOCURRENCIES

The German cryptoasset exchange Bitwala announced that it has completed its latest funding round to open a fully regulated bank account based on the blockchain. The French National Assembly will reportedly discuss an amendment to French legislation to regulate all service providers in the cryptoasset industry. The total market capitalization of crypto assets fell by 1.6 percent in the previous week to EUR 184 billion.

GEOPOLITICS

Deutsche Telekom announced a cooperation with the Bundeswehr on cyber defense. The conflict between the USA and Iran was one of the dominant topics during the annual session of the UN General Assembly. The US government has published its National Cyber Strategy, in which it sets out priority measures to protect US citizens.


CYBER

VULNERABILITIES

Linux Kernel IP Fragment Reassembly Vulnerability impacting multiple Cisco Products
Attack Vector: DDoS | Industry Impacted: Information Technology, ANY

On 24 September, Cisco released an updated security advisory [1] as they continue to investigate their products using the affected Linux Kernel version 3.9 and later, to determine and mitigate susceptibility to a Denial-of-Service (DoS) vulnerability (CVE-2018-5391) known as FragmentSmack. The initial vulnerability disclosure from the CERT Coordination Center [2] on 14 August states the issue is in the IP stack used by the Linux Kernel. To exploit it, an unauthenticated, remote attacker would need to send a stream of specially crafted fragmented IPv4 or IPv6 packets designed to trigger the vulnerability in a vulnerable device, allowing the attacker to cause a DoS condition. Based on Microsoft's latest Patch Tuesday release [3], Linux-based products are not exclusively affected by FragmentSmack. Microsoft states that various Windows systems are affected, including servers. For Cisco, the vulnerability affects over 80 products, such as web conferencing systems and IP phones. Patches are available from various vendors with affected products to address the vulnerability.

Analyst Comment: For situations where it is not possible to apply a vendor patch, various mitigations/workarounds exist; however, Carnegie Mellon's CERT notes that at least the workaround provided by them is not fully reliable against a sufficiently strong attack, which would still result in a denial of service condition. At this time, QuoINT is not aware of any Proof of Concept (PoC) code or exploits used in the wild but, in our estimation, creating a script capable of exploiting this vulnerability would require little technical ability.
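The advisory above describes the attack pattern as a stream of fragmented packets that the target cannot reassemble. The following Python script is an added detection example (not from the bulletin, Cisco or CERT) that scans constructed tcpdump-style capture lines for sources holding many IP reassembly queues open without ever completing them, which is what such a flood looks like from the defender's side; the line format, addresses and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not a real capture). The "(frag ID:LEN@OFF+)"
# suffix mirrors tcpdump's notation: OFF is the byte offset of the fragment and a
# trailing "+" means "more fragments follow". Two lines without a frag suffix are
# included to show that the parser ignores unfragmented traffic.
SAMPLE_LINES = [
    # 198.51.100.7: one datagram, two fragments, reassembles cleanly
    "10:00:00.000100 IP 198.51.100.7 > 192.0.2.10: ip-proto-17 (frag 7001:1480@0+)",
    "10:00:00.000200 IP 198.51.100.7 > 192.0.2.10: ip-proto-17 (frag 7001:520@1480)",
    # 203.0.113.5: four datagrams, each left with a gap and no final fragment
    "10:00:01.000100 IP 203.0.113.5 > 192.0.2.10: ip-proto-17 (frag 4001:8@0+)",
    "10:00:01.000200 IP 203.0.113.5 > 192.0.2.10: ip-proto-17 (frag 4001:8@16+)",
    "10:00:01.000300 IP 203.0.113.5 > 192.0.2.10: ip-proto-17 (frag 4002:8@0+)",
    "10:00:01.000400 IP 203.0.113.5 > 192.0.2.10: ip-proto-17 (frag 4002:8@16+)",
    "10:00:01.000500 IP 203.0.113.5 > 192.0.2.10: ip-proto-17 (frag 4003:8@0+)",
    "10:00:01.000600 IP 203.0.113.5 > 192.0.2.10: ip-proto-17 (frag 4003:8@16+)",
    "10:00:01.000700 IP 203.0.113.5 > 192.0.2.10: ip-proto-17 (frag 4004:8@0+)",
    "10:00:01.000800 IP 203.0.113.5 > 192.0.2.10: ip-proto-17 (frag 4004:8@16+)",
    # 198.51.100.9: a single lost fragment (ordinary packet loss) plus unfragmented traffic
    "10:00:02.000100 IP 198.51.100.9 > 192.0.2.10: ip-proto-17 (frag 9001:1480@0+)",
    "10:00:02.500000 IP 198.51.100.9 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64",
    "10:00:02.600000 IP 198.51.100.7.40000 > 192.0.2.10.53: UDP, length 40",
]

FRAG_RE = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+) > (?P<dst>\S+): .*"
    r"\(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<more>\+?)\)$"
)


def parse_fragments(lines):
    """Yield (src, dst, frag_id, offset, length, more) for every fragment line."""
    for line in lines:
        m = FRAG_RE.match(line)
        if m is None:
            continue  # unfragmented packet: nothing to reassemble
        yield (m["src"], m["dst"], int(m["id"]),
               int(m["off"]), int(m["len"]), m["more"] == "+")


def is_complete(frags):
    """True when fragments cover offset 0..end contiguously and the last fragment
    (no "more fragments" flag) was seen; gaps or overlaps keep the queue open."""
    if not any(not more for _off, _len, more in frags):
        return False
    expected = 0
    for off, length, _more in sorted(frags):
        if off != expected:
            return False  # gap (off > expected) or overlap (off < expected)
        expected = off + length
    return True


def analyze(lines, incomplete_threshold=3):
    """Group fragments into reassembly queues keyed by (src, dst, ID) and flag
    sources holding at least `incomplete_threshold` queues that never complete."""
    queues = defaultdict(list)     # (src, dst, id) -> [(off, len, more), ...]
    frag_count = defaultdict(int)  # src -> fragments seen
    for src, dst, fid, off, length, more in parse_fragments(lines):
        queues[(src, dst, fid)].append((off, length, more))
        frag_count[src] += 1

    report = {}
    for (src, _dst, _fid), frags in queues.items():
        entry = report.setdefault(
            src, {"fragments": frag_count[src], "complete": 0,
                  "incomplete": 0, "flagged": False})
        entry["complete" if is_complete(frags) else "incomplete"] += 1
    for entry in report.values():
        entry["flagged"] = entry["incomplete"] >= incomplete_threshold
    return report


def flagged_sources(lines, incomplete_threshold=3):
    """Sorted list of sources whose open reassembly queues reached the threshold."""
    return sorted(src for src, e in analyze(lines, incomplete_threshold).items()
                  if e["flagged"])


if __name__ == "__main__":
    for src, e in sorted(analyze(SAMPLE_LINES).items()):
        print(f"{src:15} fragments={e['fragments']:2} complete={e['complete']} "
              f"incomplete={e['incomplete']} flagged={e['flagged']}")
```

A single unfinished queue (198.51.100.9) is ordinary packet loss and is not flagged; only the source that keeps several queues open at once crosses the threshold.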

New Exploit Variation of Recent VBScript Engine Vulnerability in the Wild
Attack Vector: Drive-by Download | Industry Impacted: ANY

Researchers identified [4] a new variation of earlier exploit code targeting a previously patched remote code execution vulnerability (CVE-2018-8373) in the Internet Explorer (IE) VBScript Engine. Although the exploit code variant is being used in the wild by at least one campaign, it is reported that it will not work against the latest version of IE (11), or against supported and patched versions of IE. Separate reporting [5] indicates the campaign utilizing the variant exploit code has been ongoing since at least July 2018, and the known final payload is a modified version of Quasar, an open source Remote Administration Tool (RAT) that can be used for cyber crime or cyber espionage. In addition to the CVE-2018-8373 variant exploit code, the campaign is also attempting to exploit another previously patched remote code execution vulnerability (CVE-2018-8174) in the IE VBScript Engine.

Analyst Comment: Malwarebytes researchers report that the variant exploit code for CVE-2018-8373 has implementation issues, causing an error when attempting to invoke an embedded PowerShell script. They add that the exploit code for the other VBScript vulnerability (CVE-2018-8174) works without issue. Regardless, the public availability of the PoC code will give threat actors a basis that they can improve to work as needed. Noteworthy, both vulnerabilities were previously exploited in limited targeted campaigns by the APT threat actor known as Darkhotel. As mentioned earlier, both vulnerabilities were addressed by earlier patches from Microsoft, so considering this newly observed exploitation activity, if patching has not been achieved yet, prioritization is encouraged. At this time, the overall campaign is detected by AV vendors at a moderate to high rate.

[1] CISCO, B1, 24 September, Linux Kernel IP Fragment Reassembly Denial of Service Vulnerability Affecting Cisco Products
[2] Carnegie Mellon CERT, F1, 14 August, Linux kernel IP Fragment Re-assembly Vulnerable to Denial of Service
[3] Microsoft, B1, 11 September, ADV180022 | Windows Denial of Service Vulnerability
[4] TrendMicro, B1, 25 September, New CVE-2018-8373 Exploit Spotted
[5] Malwarebytes, B1, 26 September, Buggy implementation of CVE-2018-8373 vulnerability used to deliver Quasar RAT

Zero Day Initiative Reports Remote Code Execution Vulnerability in Microsoft Windows Jet Database Engine
Attack Vector: Email (Attachment) | Industry Impacted: ANY

A security researcher publicly disclosed [6] an unpatched zero-day vulnerability in the Microsoft Joint Engine Technology (JET) Database Engine, affecting at least the Windows 7 operating system. JET is a database engine integrated into Microsoft products such as Access and Visual Basic. Successful exploitation could allow a remote attacker to execute arbitrary code. To exploit it, an attacker would need to convince a user to open a specially crafted JET database file on a vulnerable machine. In accordance with the Zero Day Initiative (ZDI) 120-day deadline, this vulnerability was disclosed publicly without a patch [7]. Proof of Concept (PoC) code is publicly available [8]. Currently, no CVE is assigned to this vulnerability.

Analyst Comment: The ZDI 120-day deadline covers the time from the initial vulnerability disclosure to the vendor until a patch is released to address the vulnerability; if the vendor fails to provide a patch in the allotted 120-day time frame, ZDI releases the vulnerability details publicly. QuoINT is unaware of any related exploitation activity. Even though Microsoft has not publicly acknowledged the vulnerability, ZDI highlights that the vendor successfully reproduced the vulnerability and experienced an issue with the fix for the September Patch Tuesday release. The patch may potentially be prepared for the October release. QuoINT confirms that the PoC does work on Windows 7 x64 systems with Microsoft Access 2016. AV detection for the exploit file is relatively low at this time. The initial researcher confirmed the vulnerability exists in Windows 7; however, it may potentially affect all supported Windows versions, including servers. As well, users of vulnerable systems need to restrict interaction with the affected applications to trusted files [9].

[6] Zero Day Initiative, B1, 20 September, ZDI-CAN-6135: A Remote Code Execution Vulnerability In The Microsoft Windows Jet Database Engine
[7] Zero Day Initiative, B1, 20 September, (0Day) Microsoft Windows Jet Database Engine Out-Of-Bounds Write Remote Code Execution Vulnerability
[8] Github, B1, 20 September, thezdi
[9] Zero Day Initiative, B1, 20 September, (0Day) Microsoft Windows Jet Database Engine Out-Of-Bounds Write Remote Code Execution Vulnerability


THREAT ACTOR ACTIVITY

COBALT: Latest campaign activity spoofing Oracle
Attack Vector: Email (Attachment) | Motivation: Financial Gain | Capability: Advanced | Industry Impacted: Financials

On 25 September, QuoINT detected a new Cobalt spear-phishing attack imitating Oracle. The emails used in the attack had different subjects about a new vulnerability/notification from Oracle, with both the email's subject line and body written in English. The malicious email included the malware as an attachment that is exploited when opened. The TTPs observed in this attack overlap with those previously observed and reported by QuoINT over the last months and attributed to the Cobalt threat actor group. In this latest attack, the attackers used the malware building kit ThreadKit, which Cobalt last used in spear-phishing attacks targeting English and Russian speakers in August. Malicious RTF files created by ThreadKit are normally detected by major AV vendors because of the use of old exploits, many of which are from 2017. Companies running updated AV scanners on their endpoints, or having the latest Microsoft patches installed, were likely protected from this attack. The malicious RTF ultimately dropped a Cobalt Strike reverse-HTTPS beacon; this is also one of the typical techniques used by the Cobalt threat actor group for establishing communications between the compromised host and the C2 server. Further, the domain impersonating Oracle in this latest campaign resolved to an IP address that was also associated with a domain used in the activity observed in early September. As in recent campaigns, the attackers reused part of the same infrastructure that was already used to conduct previous attacks. The reuse of known malicious C2 servers indicates that companies that blacklisted the network indicators of compromise previously shared by QuoINT were almost certainly protected.

Separately, last week we detected another campaign that was likely executed at the beginning of September, which instead finally executed the custom backdoor Cobint on the victim system. However, we were not able to uncover the original email used as the attack vector, so we are not aware at this time which company the Cobalt group impersonated. From our observations, the malicious email likely used a "Fraud Notification" related theme, since the malicious file, a Microsoft Word document exploiting CVE-2017-0199, was named "Fraud Transaction.doc".

REPORTED INCIDENTS

The United Nations Experiences Data Incidents on Third Party Platforms
Attack Vector: N/A | Industry Impacted: Government

A security researcher discovered [10] sensitive internal documents and technical details for websites of the United Nations (U.N.) accessible online due to misconfigurations in the U.N.'s project management service Trello, issue ticketing tool Jira and office suite Google Docs. The leak exposed credentials for a U.N. file server, a video conferencing system at the U.N. language school, a web development environment for the U.N.'s Office for the Coordination of Humanitarian Affairs, and more. The researcher claims that the public Trello pages, some of which link to Google Docs and Jira, can be accessed with a specific URL, or even by searching Google. However, the researcher notified the U.N. of the data leak and confirms much of the material is no longer available as a result. Separately, another researcher found [11] both a path disclosure and an information disclosure vulnerability in the United Nations WordPress site that has exposed the CVs of thousands of job applicants since 2016. According to the researcher, the web application where users submit their resume is misconfigured, allowing for a potential Man-in-the-Middle (MITM) attack. Further, this misconfiguration also allows open access to a directory index of sensitive documents, which are supposedly CVs of individuals looking for a job. The researcher first notified the U.N. of the vulnerabilities in August; however, the U.N. responded to the researcher in early September to claim the information belongs to the United Nations Development Programme (UNDP) and not the United Nations Secretariat. The vulnerabilities are still reportedly present on the WordPress site.

[10] The Intercept, F2, 24 September, United Nations Accidentally Exposed Passwords and Sensitive Information
[11] Seekurity, F2, 24 September, A tail of Leaking Thousands of Job Applicants CVs and documents online, Path Disclosure and Information Disclosure Vulnerabilities

Analyst Comment: The second highlighted incident involving WordPress is potentially an ongoing threat. Now that the vulnerabilities are disclosed, along with a supposed video on how to access the sensitive data, it is likely the said data will be accessed more frequently, potentially leading to an increase in fraud attempts against the compromised applicants. Worth noting, while the researcher has listed a video describing how the sensitive information can be accessed, QuoINT has not confirmed the validity of the video. As such, we cannot confirm the researcher's claims that the information is still available to the public. Both reported incidents represent a common threat when hosting sensitive information on misconfigured, third party platforms. In most cases, ensuring robust authentication on third party platforms mitigates such information disclosure threats. Additionally, as new security vulnerabilities for various platforms are identified monthly, it is imperative for administrators to continuously update the software and plugins to protect against such threats.

Energy Company RWE Suffers DDoS Attack
Attack Vector: DDoS | Industry Impacted: Energy

The website for the German energy company RWE reportedly suffered a Distributed Denial of Service (DDoS) attack on Monday, 24 September, that caused the site to be "sometimes difficult or sometimes not reachable in some places" [12], according to an RWE spokesman. The attack is reportedly due to the company's involvement in the deforestation efforts in west Cologne in order to continue mining lignite. In a video titled Anonymous Operation: RWE Shutdown, a group claiming to be associated with the hacktivism collective Anonymous states: "Hello world, hello RWE. If you do not immediately stop clearing the Hambacher Forst, we will attack your servers and shut down your sites until your corporation bears any economic damage that you will not recover." [13] Reportedly, the attack did not impact company safety equipment.

Analyst Comment: Since 2017, we have reported 13 attacks from hacktivist groups in which the most used attack vector was DDoS. As DDoS attacks are the preferred method of attack used by hacktivists, companies are encouraged to engage with anti-DDoS providers as soon as intelligence teams determine that threat actors motivated by hacktivism are a credible threat, especially when those actors publicly advertise a new Anonymous operation. The YouTube and Twitter users "Anonymous Deutsch" that originally disseminated the threatening video were both created on 20 September, four days before RWE's website experienced the DDoS attack. Our analysis revealed that the attacked website likely migrated to the German anti-DDoS provider Link11 after the attack on 24 September. According to the public DDoS monitoring service "DDoS Mon" [14], the website experienced two separate DDoS attacks on 25 September, with a third attack documented on 26 September after said migration. The two attacks on the 25th were over the protocols UDP and TCP, respectively, while the third attack on the 26th was over UDP, with a significantly lower volume of traffic. While the attack on Monday, 24 September is not registered on DDoS Mon, it is likely the attackers used either an amplification attack or a SYN flood attack, as these were the types of attack used in the following days. Demonstrators set up tree houses in Hambacher Forst, an ancient forest near Cologne, six years ago to block RWE's plans to clear the woodland to expand coal mining [15]. In September, police began clearing the tree houses but briefly halted operations after a journalist fell to his death. As protests are expected to continue, similar hacktivism attempts are likely to continue as well. In fact, after the death of the journalist, it is possible for hacktivism attempts to escalate even further as a result of the casualty. Anonymous operations historically are tracked via operation hashtags, and this operation is using the hashtag #OpRWEabschalten. QuoINT is monitoring this hashtag for new planned activity and developments.

[12] Handelsblatt, C3, 24 September, Hackers paralyze RWE website - clearing work in Hambacher Forst continues
[13] YouTube, Anonymous Deutsch, F1, 20 September, Anonymous Operation: RWE Abschalten

ROLLUP

Apache HTTP Server vulnerability
On 25 September, a vulnerability impacting the widely used Apache HTTP Server versions 2.4.17 to 2.4.34 [16] was publicly released. The vulnerability, which is remotely exploitable, allows an attacker to send continuous SETTINGS frames of maximum value to an ongoing HTTP/2 connection. This keeps the server busy and prevents the connection from ever timing out, so exploitation could lead to a denial of service (DoS) condition.

Data breach at U.S. retailer Shein impacts over six million users
On 21 September [17], the U.S. fashion retailer Shein reported that on 22 August personally identifiable information of approximately 6.42 million customers was stolen during a criminal cyberattack. Shein procured the help of a forensic cybersecurity firm and an international law firm to conduct the investigation. So far, the investigation confirmed that the perpetrators accessed email addresses and encrypted password credentials of customers who registered on the company website.

[14] DDoS Mon, C2, 27 September, Attack Time Line
[15] Deutsche Welle, C3, 25 September, Hackers attack RWE website amid Hambach Forest evictions
[16] Apache, 25 September, Apache HTTP Server 2.4 vulnerabilities
[17] Shein, 21 September, Online statement by Shein


CRYPTOCURRENCY

Cryptocurrency Total Market Capitalization Declines

The total crypto asset market capitalization decreased by 1.6 percent in the previous week to EUR 184 billion. The price for temporarily increased by 2.4 percent, however declined to EUR 5.764 by the end of the week. behaved similarly: while its price reached a peak of EUR 212 early in the week, it declined to EUR 193 by the end. The price of Ripple fell by 17 percent, after its market capitalization temporarily overtook Ethereum's for the first time [18]. There are several reasons which might have influenced this surge in Ripple's price. One potential reason was the announcement that Ripple would launch its xRapid system this month, which aims to facilitate cross-border payments [19]. Additionally, the U.S. bank PNC announced it will start using Ripple's xCurrent software to process international payments [20]. According to the Wall Street Journal [21], the fall in Ripple's price was potentially caused by McCaleb, a co-founder of Ripple, selling his holdings of Ripple. McCaleb left Ripple and co-founded a rival crypto company, Stellar. However, McCaleb denied selling any more than what was agreed upon with Ripple. The market was considerably volatile during the previous week and it is difficult to determine if any events had a particular impact on its development. However, a recent report [22] by the Bank for International Settlements (BIS) confirmed that the cryptoasset market is influenced by regulatory announcements, especially on the legality of and ICOs. This includes regulation on Anti-Money Laundering (AML), Know Your Customer (KYC) and Countering Financing of Terrorism (CFT).

Figure 1: Total Market Capitalization

German Cryptoasset Exchange Launches First Blockchain Bank Account
Crypto Entity Impacted: Bitwala

The German cryptoasset exchange Bitwala announced it completed its latest funding round to launch a fully regulated bank account based on the blockchain [26]. The launch is scheduled for November and would be the first of its kind worldwide. The bank account is supervised by Germany's banking supervisor BaFin and the central bank, the Bundesbank. Bitwala's bank accounts combine traditional fiat accounts with an integrated wallet for cryptocurrencies. Bitwala has partnered with a German bank which offers SEPA transactions and debit cards. According to Bitwala, more than 30,000 people have registered for their bank account so far.

[21] Bloomberg, C3, 25 September, Crypto Coins Retreat as XRP Hangover Proves to Be Painful
[22] CNBC, C3, 17 September, Ripple hints its cryptocurrency product will go live 'in the next month or so'
[23] Twitter, F1, 19 September, Ripple (@Ripple)
[24] The Wall Street Journal, C3, 24 September, Ripple Co-Founder's Token Selloff Accelerates
[25] Bank of International Settlement, F1, 23 September, Regulating cryptocurrencies: assessing market reactions
[26] Bitwala, F1, 25 September, Announcing our new €4 million funding round

Analyst Comment: Bitwala is the first cryptocurrency exchange to offer a bank account based on the blockchain which combines fiat and cryptocurrencies; however, other exchanges will very likely follow soon. In fact, the Swiss SEBA Crypto AG recently raised approximately EUR 88 million to also create a regulated bank that combines crypto and traditional currencies [27]. As cryptocurrencies are increasingly accepted among institutional and private investors, governments will have to create more regulatory frameworks. This will in turn further increase investors' confidence and might lead to a stabilization of prices. Although connecting cryptocurrencies to banks is the opposite of what blockchain creators attempted to achieve, it might boost investment into them. However, in previous cases in which companies promised customers to facilitate SEPA payments, their claims were misleading. For example, the British Fintech Revolut had to end fiat currency withdrawals from several cryptoasset exchanges as they were not compliant with British financial regulations. In addition, Revolut only accepted cryptocurrencies bought through its brokers [28].

French Government Reportedly Creating Legal Framework for Cryptoasset Providers
Crypto Entity Impacted: Autorité des Marchés Financiers (AMF)

The French National Assembly will reportedly discuss an amendment to French legislation to regulate all service providers in the cryptoasset industry [29]. The proposed amendment will extend the existing legal framework to include cryptoasset providers and enable them to receive approval from the stock market regulator, the Autorité des Marchés Financiers (AMF). However, obtaining the approval is voluntary. Earlier in September, France's Finance Minister Le Maire announced the AMF had created a regulatory framework for ICO companies [30].

Analyst Comment: France is another European state that aims to become an inviting destination for cryptoasset companies by extending regulations to incorporate cryptoasset providers. In order to attract cryptoasset companies, France's government has already launched a blockchain accelerator program, as well as lowered taxes on cryptocurrencies [31]. These developments might incite additional European investors to enter the market, as they are reassured by the regulations. Europe is one of the largest markets for cryptocurrencies, behind Asia and the U.S. However, as several Asian countries are strictly regulating and even prohibiting cryptoasset companies, Europe's favorable legislation has already led to Asian cryptoasset companies moving, especially to Malta and Switzerland.

ROLLUP

Bleutrade Cryptocurrency Exchange Set to Begin Operations in Malta
The Brazilian cryptoasset exchange Bleutrade announced its move to Malta [32]. Bleutrade is the 159th largest cryptoasset exchange with an adjusted daily trading volume of EUR 113,000. Malta continues to attract cryptoasset companies due to its favorable legislation.

Cryptoasset Exchange Reportedly Planning Expansion to the U.K.
The cryptocurrency exchange Gemini Trust Company is reportedly planning an expansion to the U.K. [33] Gemini is the 50th largest cryptocurrency exchange with a daily trading volume of almost EUR 20 million. Europe is becoming an interesting destination for cryptoasset companies, especially due to Malta's push to attract companies, as well as France's latest incentives (see above).

[27] SEBA, F1, 27 September, SEBA Crypto AG raises CHF100 million to build a FINMA licensed Bank and Securities Dealer
[28] QuoScient, N/A, 18 May, QuoINT Weekly Intelligence Bulletin 20
[29] Les Echos, F3, 21 September, Crypto-actifs : la France veut créer un cadre juridique pour tous les acteurs
[30] Twitter, F1, 12 September, Bruno Le Maire (@BrunoLeMaire)
[31] QuoScient, N/A, 22 June, QuoINT Weekly Intelligence Bulletin 25
[32] Twitter, F1, 22 September, Bleutrade (@BLEUTRADE)

33 Financial Times, C3, 24 September, Winklevoss crypto exchange explores UK market


GEOPOLITICS

Deutsche Telekom and German Armed Forces Cooperate on Cyber Defense
Deutsche Telekom announced a cooperation with the German Armed Forces (Bundeswehr) on cyber defense.34 According to Telekom, the cooperation will center around regular information exchanges, job visits by both organisations, and collaboration on training IT security experts. This comes after the German government released its cyber strategy, in which it calls for greater cooperation between the public sector and industry.

Analyst Comment: Countries are strengthening their national cyber security strategies as the threat of cyberattacks targeting states’ critical infrastructure remains, possibly exacerbated by the current tense geopolitical situation. The cooperation between Telekom, the largest network operator in Germany, and the Bundeswehr comes as the U.S. also released its first cyber strategy in 15 years. Information sharing, especially between the private and public sectors, between critical infrastructure providers, and between telecommunication providers, on which the Internet relies, is essential to protect against cyber threats. This enables companies and the government to remain up to date on current threats and campaigns which might target the public sector and companies across industries. However, information sharing between private companies and the public sector also raises privacy concerns. For example, The Intercept35 has reported on how the U.S. National Security Agency (NSA) cooperates with the telecommunications provider AT&T to covertly monitor calls, emails, and online chats that pass through AT&T’s networks.

U.N. General Assembly Annual Session
The United Nations General Assembly is the main policy-making organ of the U.N., in which all 193 member states are equally represented. During its annual session, member states discuss international issues covered by the U.N. charter. This year, the conflict between the U.S. and Iran was one of the dominating issues during the assembly, as the U.S. and Iranian administrations exchanged threats during their respective speeches. President Trump accused Iran’s "corrupt dictatorship" of spreading "mayhem".36 Secretary of State Pompeo further warned Iran it will have "hell to pay" if it continues lying, cheating and deceiving.37 During his speech, Iran’s President Rouhani blamed the U.S. for inciting discord in the region. This was further highlighted after Iranian military personnel accused the U.S. of financing the terrorists responsible for the attack on a military parade last weekend (see Rollup section). Rouhani also said Iran will retaliate against the U.S. if it continues threatening Iran, and called Trump’s re-imposed sanctions "economic terrorism."38 Regarding the sanctions, the remaining parties of the Iran nuclear deal, the E.U., Russia, and China, agreed to create a Special Purpose Vehicle (SPV) to continue trading with Iran and avoid the sanctions imposed by the U.S.39 This was again criticized by Pompeo, who said cooperation with Iran was "detrimental to regional and global peace."40 Other issues discussed were Trump accusing China of meddling in the upcoming U.S. elections, the conflicts in Syria and Yemen, and the improved relationship between North Korea and the U.S.

34 Deutsche Telekom, F1, 25 September, Deutsche Telekom and Bundeswehr (German Armed Forces) cooperate in cyber defense
35 The Intercept, F3, June 2018, The Wiretap Rooms
36 United Nations, F1, 25 September, Donald Trump - United States - President Addresses General Debate, 73rd Session (video)
37 The Washington Post, C3, 25 September, The Latest: US to warn Iran of ‘hell to pay’ for defiance
38 United Nations, F1, 25 September, Iran - President Addresses General Debate, 73rd Session (video)
39 Deutsche Welle, C3, 25 September, EU and Iran create 'special vehicle' for trade despite US sanctions
40 The Guardian, C3, 26 September, EU, China and Russia in move to sidestep US sanctions on Iran


Analyst Comment: The U.N. General Assembly session generally mirrors the sentiment of international relations. For example, last year, while the U.S. and North Korea exchanged threats over their ability to destroy each other, President Trump called Kim Jong Un "Rocket Man."41 This year, by contrast, the diplomatic reconciliation between the two states was reflected in Trump thanking Kim for "the steps he has taken."42 However, the conflict between the U.S. and Iran dominated both Presidents’ speeches. Although the speeches are influenced by ongoing conflicts, they might at the same time negatively impact those conflicts. For example, as a result of Trump’s and Rouhani’s rhetoric, the war in Syria could further escalate, as both states are fighting on opposite sides. Cyber campaigns targeting the other country could also increase, since such operations are easier to obfuscate. This comes as the U.S. released a new National Cyber Strategy, which paves the way for the use of offensive cyber weapons (see below).

President Trump Presents National Cyber Strategy
The U.S. administration released its National Cyber Strategy, in which it outlines priority actions to protect U.S. citizens.43 The strategy is structured around the National Security Strategy, so that cyber is integrated in all elements of U.S. national defense. The strategy consists of four pillars:
1. securing critical infrastructure and federal networks, and fighting cybercrime;
2. promoting the digital economy, protecting American innovation, and training cybersecurity experts;
3. encouraging cyber norms to identify and deter malicious activity;
4. cooperating with allied states to increase international cyber security.
The Department of Defense’s Cyber Strategy 2018,44 which implements the priorities outlined in the National Security Strategy, stresses the need to "defend forward, shape the day-to-day competition, and prepare for war." It aims to achieve this by building a more lethal joint force to compete with and deter competitors in cyberspace.

Analyst Comment: The new National Cyber Strategy provides the U.S. with a comprehensive strategy on how to defend against cyber threats, as well as on how cyber operations will be used against adversaries in conflict. As the Department of Defense outlines, the U.S. administration will use offensive cyber capabilities in conflict, as well as "defend forward" to disrupt malicious cyber operations which fall below the level of armed conflict. As a result of this strategy, cyberweapons might be used more frequently, which might cause conflicts to escalate, especially as there is still no international regulatory framework on the use of cyber capabilities.

ROLLUP

Facebook, Google and Twitter Commit to E.U. Code of Practice on Disinformation
Several online platforms, including large social media networks and advertisers, signed a self-regulatory Code of Practice designed by the E.U. Commission to address online disinformation and fake news.45 The code outlines several commitments, including transparency in political advertisement and the closing of fake accounts. The signatories include Facebook, Twitter, Google and Mozilla.

Russia to Send Newer S-300 Missile Defense Systems to Syria
Russia’s Ministry of Defence (MOD) announced it will provide Syria with advanced anti-aircraft missile systems after Syrian systems accidentally shot down a Russian surveillance plane last week.46 The Russian MOD will also provide additional measures, such as automated control systems, in order to improve Syria’s ability to identify Russian airplanes. It further said the measures are taken to protect Russian soldiers, as well as to "cool the ‘hot heads’ and keep from rash actions." The U.S. and Israel criticized this, as they say it will further worsen tensions in the region, as "any additional weapons going in to support Assad right now keeps him in a position of threat to the region."47

Several People Killed in Terror Attack on Military Parade in Iran
On 22 September, 25 people were killed and 60 injured in an attack on a military parade in Ahvaz, Iran.48 Shortly after the attack, Iranian officials said the U.S. and Gulf states were behind the attack, and Foreign Minister Zarif said that he held the U.S. accountable for sponsoring regional terror groups.49 Iran’s Revolutionary Guard further said the operators behind the attack will face a "deadly and unforgiving revenge in the near future."50

41 The Washington Post, C3, September 2017, 'Rocket Man' enters Trump's U.N. speech — and the president's universe of belittling nicknames
42 The Guardian, C3, 25 September, Rouhani condemns 'recklessness of some states for international values'
43 President of the United States, F1, 20 September, National Cyber Strategy of the United States of America
44 Department of Defense, F1, 20 September, Summary Department of Defense Cyber Strategy 2018
45 European Commission, F1, 26 September, Code of Practice on Disinformation
46 Twitter, F1, 24 September, Ministry of Defence of Russia (@mod_russia)
47 Bloomberg, C3, 24 September, Russia Hardens Line With Israel, Sends Air Defenses to Syria
48 Al Jazeera, C3, 23 September, Iran's Revolutionary Guard vows to avenge Ahvaz attack
49 Twitter, F1, 22 September, Javad Zarif (@JZarif)
50 AP News, C3, 24 September, The Latest: Boy wounded in Iran parade attack has died


OUTLOOK

Date    Events
30      Macedonia Holds Referendum on Name Change

Macedonia Holds Referendum on Name Change
Location: Republic of Macedonia | Industry Impacted: Government
Macedonia will hold a referendum on changing its name from Republic of Macedonia to North Macedonia, which would enable the country to apply for E.U. and NATO membership.51 Greece has previously vetoed Macedonia’s applications, as it argued Macedonia’s name implies a territorial claim to a Greek region of the same name. In the run-up to the referendum, the U.S. has accused Russia of financing influence campaigns to defeat it.

51 Stratfor, C3, February 2018, Macedonia: A Name Worth Fighting For

About this Intelligence Product

Intelligence Bulletins include descriptive analysis that aims at overviewing and describing current happenings, and answering the Who? What? When? Where? How? questions. When applicable, the bulletin will include analyst comments that highlight patterns, identify trends, and offer further insights. Bulletin redaction and dissemination is our first step for informing customers on specific happenings, as quick notifications on current threats are imperative for awareness and possible mitigation against those threats. When applicable, threats covered in bulletins will then be analyzed more in depth and distributed via other analytical products (e.g. Briefs, Assessments or Estimates). As stated, Intelligence Bulletins might contain analyst comments, which should not be confused with judgments. Analyst comments are based on the analyst’s opinion of the happening, which is provided after a quick review and analysis of the discussed topic. Judgments, by contrast, only follow an extensive analysis performed to our high analytic standards.

Weekly Bulletins contain the information that Executives in different industry sectors should be aware of. The weeklies cover notable events in the Cyber, Cryptocurrency and Geopolitics fields which occurred in the last seven calendar days, and highlight events scheduled for the following seven calendar days. This intelligence product covers both open source (OSINT) findings and QuoINT internal investigations. The collected and reported OSINT is processed, validated, and reviewed by our analysts, who then provide their comment reporting their opinion-based findings.

Admiralty Code Scoring System

Source Reliability
Code  Definition
A     Reliable. No doubt about the source’s authenticity, trustworthiness, or competency. History of complete reliability.
B     Usually reliable. Generally a reliable source that provides a degree of analysis to reports. Has consistently provided accurate information.
C     Fairly reliable. Fairly reliable and provides valid information, but generally does not provide in-depth analysis.
D     Not usually reliable. Significant gaps within information provided. Provided valid information in the past.
E     Unreliable. Unconfirmed information provided, and competency cannot be assessed. History of invalid information.
F     Cannot be judged. Insufficient information to evaluate reliability. May or may not be reliable.

Information Reliability
Code  Definition
1     Confirmed. Logical, consistent with other relevant information, confirmed by independent sources.
2     Probably true. Relevant information, not confirmed. Logical, consistent with other relevant information, not confirmed.
3     Possibly true. Reasonably logical, agrees with some relevant information, not confirmed.
4     Doubtfully true. Not logical, but possible, no other information on the subject but confirmed.
5     Improbable. Not logical, contradicted by other relevant information.
6     Cannot be judged. The validity of the information cannot be determined.

Admiralty Code
All sources QuoINT collects undergo a source and information reliability assessment. The returned assessment is expressed using the Admiralty Code scoring system, which is composed of two elements: source reliability and information reliability. QuoINT rates the reliability of each source by initially assigning the provided information a reliability score (1-5) based on our analysis, and then, on a monthly basis, averaging the score of all the collected information provided by said source. Once completed, the source is assigned the corresponding source reliability letter (where A=1, B=2, C=3, D=4, E=5 and F=6¹). Our Admiralty Code is biased based on (a) the number of articles we process from each source; and (b) the score QuoINT analysts apply to the article². The assigned Admiralty Code is shown on every article citation, apart from the rollup and outlook items.

Weekly Article Titles

1. Title of the article. Title of the article provided by the analyst.
2. Icons. Quick visualization of what is treated in the article, especially the entities impacted, such as countries, industry sectors, and companies. Every Weekly Bulletin includes a legend after the table of contents that explains the significance of every icon used in the report.
3. Additional tags. This section is dedicated to quickly highlighting the most relevant metadata of the article. The fields vary depending on the category of the article, and include:
   Attack Vector. If known, what means was used to perform the attack.
   Threat Actor Type. Which category the threat actor belongs to.
   Threat Actor Motivation. What the TA’s main motivation is.
   Threat Actor Capability. The TA’s current capability as estimated by QuoINT.
   QuoLab indicators. Hyperlink to the QuoLab case. All the technical indicators are extracted, enriched, tagged, and validated by QuoINT analysts within QuoScient’s Collaborative Analysis and Incident Response Platform QuoLab. Access to this platform requires a VPN connection to our external network, which is only granted to QuoScient’s clients.

References

1. Source. Name of the information source.
2. Admiralty Score. Admiralty Score provided by the analyst.
3. Publication Time. Month and year when the information was published.
4. Publication Title. Title of the publication, hyperlinked to the original Internet source.

¹ Sources that were analyzed less than four times will have a default ranking score of ’F’.
² Although QuoINT analysts are trained to enforce the highest quality-control standards, our analysis does not encompass all information ever publicized by each source, and thus we cannot guarantee 100% accuracy in our evaluation.


CONTACTS

Digital Active Defense

Radilostrasse 43 60489 Frankfurt

Germany +49 69 33 99 79 38 [email protected] www.quoscient.io

Disclaimer: This product is issued by QuoScient. While all reasonable care was taken in preparing this product, no responsibility or liability for any errors of fact, omission or opinion expressed herein. Readers are advised to exercise their own independent judgement or with support from our own professional advisor/s as necessary with respect to the risks and consequences of any material contained in this product. QuoScient expressly disclaims liability and responsibility for any issues arising from the use to which this communication is put and for any errors or omissions in this product.
