TLP-AMBER
Threat Landscape Report – 1st Quarter 2018
(FINAL) V1.0 – 10/04/2018
This quarterly report summarises the most significant direct cyber threats to EU institutions, bodies, and agencies (EU-I or 'Constituents') in Part I, the development of cyber-threats on a broader scale in Part II, and recent technical trends in Part III.
KEY FINDINGS Direct Threats • In Europe, APT28 / Sofacy threat actor (likely affiliated to Russia military intelligence GRU) targeted government institutions related to foreign affairs and attendees of a military conference. Another threat actor, Turla (likely affiliated to Russia’s security service FSB) executed a cyber-operation against foreign affairs entities in a European country. • A spear-phishing campaign that targeted European foreign ministries in the end of 2017 was attributed to a China-based threat actor (Ke3chang) which has a long track record of targeting EU institutions (since 2011). As regards cyber-criminality against EU institutions, attempts to deliver banking trojans are stable, ransomware activities are still in decline and cryptojacking on the rise. Phishing lures involve generic matters (’invoice’, ‘payment’, ‘purchase’, ‘wire transfer’, ‘personal banking’, ‘job application’) and more specific ones (foreign affairs issues, European think tanks matters, energy contracts, EU delegation, EU watch keeper). Almost all EU-I are affected by credential leaks (email address | password) on pastebin-like websites. Several credential- harvesting attempts have also been detected. Attackers keep attempting to lure EU-I staff by employing custom methods such as spoofed EU-I email addresses or weaponisation of EU-I documents. Broader Threats • Critical infrastructure. In the energy sector, the US authorities have accused Russian actors of targeting critical infrastructure (including nuclear) for several years and are expecting this to continue in 2018. The transportation sector has been subject to targeted intrusions (aviation and maritime companies), while the risk of disruption by devastating attack malware (e.g NotPetya) has proven to be real (large shipping company, airport). In the health sector, data breaches keep exposing patient data while more medical devices are reportedly vulnerable to cyber-attacks. In the banking sector, customers have been impacted by denial of service attacks against financial institutions. • Digital infrastructure and services. Vulnerabilities affect digital infrastructure software. Ethical hackers and service providers contribute to resolving security issues related to browsers, web hosting, cloud storage, social media platform and peer-to-peer software. • Defence and foreign affairs. The European defence (military data) and foreign affairs (embassy, think tanks) sectors were targeted by several actors likely based in Russia or China (see direct threats above). • Geopolitical. China exhibits new cyber capabilities and reserves high value vulnerabilities for offensive operations. Chinese threat actors executed targeted intrusions against several countries (US, Europe, Asia) and sectors (maritime, engineering, military, IT, think tanks, activists). Russia reinforces its internet sovereignty and internet surveillance capabilities. Russian actors employ sophisticated false-flag and false-front tactics for hybrid warfare and execute targeted intrusions in the military, defence, and foreign affairs sectors. The US have deployed an unprecedented set of diplomatic responses to cyber-attacks: finger pointing respectively North Korea and Russia for the destructive attacks; economic sanctions against Russian entities (including the FSB, GRU and Internet Research Agency) for cyber information operations; publicly naming Russian hackers for targeting critical infrastructures; indicting Iranian hackers for intellectual property theft. Additionally, the US NSA has reportedly monitored other nations’ offensive cyber operations with advanced custom tools. Iranian threat actors have recently exhibited improved capacities while attacking entities in Asia and the Middle East. North Korean actors keep targeting the finance sector to steal funds for the regime, but they also attempt targeted intrusions in several additional sectors (chemicals, manufacturing, electronics, aerospace, automotive, telecom). • Data protection. Data breaches can have severe political (Cambridge Analytica & Facebook) and regulatory (energy company facing fines) implications. Data breaches affect public (citizen biometrics, public service employees) and private entities (social media platform, energy, retail, bank, telecom, sport, travel, cloud services, online forum). • Techniques. “Living off the land” malwareless intrusion techniques are increasingly used by attackers who use native or legitimate tools present on a compromised system to accomplish malicious objectives and evade detection.
Page 1 of 33
TLP-AMBER
10 selected attacks
1. Russia-based DragonFly has targeted organisations in the energy, nuclear, water, aviation, and critical manufacturing sectors since at least March 2016 (page 13).
2. An Iran-linked threat actor dubbed OilRig has attempted to compromise critical infrastructure, banks, airlines, and government entities in the Middle East and the US since 2015 (page 14).
3. In February, a phishing attack by Sofacy (APT28) targeted two government institutions related to Foreign Affairs (page 17).
4. Turla (Snake) attacked several Foreign Affairs entities in an EU country (page 17).
5. According to recent public reporting China-based Ke3chang targeted UK government departments and military technology in the UK in May 2017 (page 17).
6. Since early 2018, a wave of intrusions has targeted US engineering and maritime entities, especially those connected to South China Sea issues (page 20).
7. Likely Russia-based hackers employed advanced false-flag techniques to deceive attribution of OlympicDestroyer malware attack against the winter Olympic Games (page 21).
8. An Iran-based threat actor (MuddyWater, Temp.Zagros) exhibited advanced obfuscation techniques while attacking entities in Asia and the Middle East (page 22).
9. The NSA has employed a tool (Territorial Dispute) to track cyber-operations executed by other nation-state hackers (page 24).
10. A targeted intrusion exploited a zero-day vulnerability of an industrial safety control system (page 28).
Page 2 of 33 TLP-AMBER
Contents PART I: DIRECT THREATS AGAINST EU-I ...... 7 TARGETED INTRUSIONS ...... 7 RANSOMWARE ...... 7 BANKING TROJANS ...... 8 MINERS & CRYPTOCURRENCIES ...... 8 EXPLOIT KITS ...... 8 Trojans / Bots / Tools...... 9 DENIAL OF SERVICE AND DEFACEMENT ...... 10 PHISHING & DELIVERY LURES ...... 10 CREDENTIAL LEAKAGE AND HARVESTING ...... 11 VULNERABILITIES ...... 11 METHODS ...... 12 PART II: BROADER THREAT LANDSCAPE ...... 13 SECTOR: ENERGY ...... 13 Regulation – Protection ...... 13 Events ...... 13 SECTOR: TRANSPORTATION ...... 14 Government – administration ...... 14 Civil Aviation ...... 14 Maritime ...... 14 Automotive ...... 14 SECTOR: BANKING & FINANCIAL MARKET INFRASTRUCTURE ...... 15 Banking Trojans ...... 15 SWIFT payment system ...... 15 Banking DoS ...... 15 Carding ...... 15 SECTOR: HEALTH ...... 16 Targeted intrusions ...... 16 Data breaches ...... 16 Vulnerabilities ...... 16 Ransomware ...... 16 DDoS ...... 16 SECTOR: DEFENCE AND FOREIGN AFFAIRS ...... 17 Foreign Affairs ...... 17 Defence ...... 17 SECTOR: DIGITAL INFRASTRUCTURE ...... 18 Internet Service Providers ...... 18 BGP ...... 18 DHCP ...... 18 SECTOR: DIGITAL SERVICES...... 19 Social media ...... 19 Browsers ...... 19 Cloud services ...... 19
Page 3 of 33 TLP-AMBER
VPN ...... 19 Web Hosting ...... 19 Peer-to-peer ...... 19 Secure messaging ...... 19 GEOGRAPHIC: CHINA ...... 20 Policy and capabilities ...... 20 Targeted intrusions ...... 20 Supply Chain Attacks ...... 20 GEOGRAPHIC: RUSSIA...... 21 Policy ...... 21 Cyber war ...... 21 Cyber-crime and Underground ...... 21 Espionage...... 21 GEOGRAPHIC: IRAN ...... 22 Domestic ...... 22 Targeted attacks ...... 22 Ransomware & Iran ...... 22 GEOGRAPHIC: NORTH KOREA...... 23 Capabilities ...... 23 Operations ...... 23 MOTIVE: CYBER-WAR ...... 24 Attribution & False-flag ...... 24 Sanctions ...... 24 Lethal cyber-weapon ...... 24 Proxy-war in Ukraine ...... 24 MOTIVE: CYBER ESPIONAGE ...... 25 Russian threat groups attributed by the Estonian foreign intelligence service ...... 25 Likely Chinese actor targeting entities in Kazakhstan ...... 25 Kaspersky exposes Slingshot, a likely counter-ISIS US cyber-espionage operation ...... 25 APT28 targets military conference ...... 25 Windows Defender can now spot FinFisher government spyware ...... 25 Likely Turla campaign in Germany ...... 25 MOTIVE: HACKTIVISM ...... 26 Hacktivists ...... 26 Hacktivists-Nationalists ...... 26 ASSET: DATA BREACH AND EXPOSURE ...... 27 General ...... 27 Breaches ...... 27 ASSET: INDUSTRIAL CONTROL SYSTEMS ...... 28 New vulnerabilities ...... 28 Analysis ...... 28 Trends ...... 28 ASSET: CRYPTOCURRENCY ...... 29 Trend – Cryptominers ...... 29 Attacks against cryptocurrency systems ...... 29
Page 4 of 33 TLP-AMBER
PART III: TECHNIQUES, TACTICS AND PROCEDURES ...... 30 TECHNIQUES and TOOLS ...... 30 Techniques ...... 30 Living off the land ...... 30 EXPLOITS and VULNERABILITIES ...... 31 GrayKey iPhone unlocker ...... 31 CPU – AMD ...... 31 Samba Servers – password reset and DoS vulnerabilities ...... 31 Critical Apache Solr bug – cryptocurrency mining ...... 31 Cisco– SSH exploitation ...... 31 Exim Email Platform ...... 31 Combojack targets cryptocurrencies ...... 31 4G LTE networks spy and spoof vulnerabilities...... 31 Remotely Exploitable Flaws Patched in DHCP ...... 31 Microsoft partly patches a copy/overwrite vulnerability ...... 31 BGP Flaws Patched in Quagga Routing Software ...... 32 [Zero Day] Telegram ...... 32 WordPress websites DoS flaw ...... 32 Adobe Flash ...... 32 DCShadow...... 32 Oracle MICROS PoS system ...... 32 Cisco (SSL) VPN ...... 32 10 new VM escape vulnerabilities discovered in VirtualBox ...... 32 Web application writing platform...... 32 Oracle WebLogic Exploit – Cryptocurrency Mining Campaign...... 32 Microsoft Office Zero-Day ...... 32 JBoss Deserialisation vulnerability ...... 32 MALWARE ...... 33 Olympic Destroyer attacks the Olympic games ...... 33 Slingshot ...... 33 HeaderDropper ...... 33
Page 5 of 33 TLP-AMBER
NOTICE REGARDING DISTRIBUTION
This report is based on information from public and non-public sources. It is labelled TLP-AMBER and therefore it should NOT be distributed beyond the intended recipients before obtaining prior approval from CERT-EU.
NOTICE FOR THE READER
Cyber-threats are multifaceted and can therefore be described from several perspectives. This is illustrated in the figure below.
A given threat can be described with its geographical origin (who is behind it?), the motive of the actor (what is the intention?), the sector targeted (what is impacted?), the asset affected (what informational or non-informational asset is being leveraged to create the intended effect?), the techniques, tactics, and procedures used (what tools, malware, infrastructure, modus operandi is being used by the attacker?). In most cases, it is possible to determine a dominant factor for a given threat (origin / motive / targeted sectors / impacted asset / methods), often because information is simply missing or incomplete for the other factors. The dominant factor determines the chapter the threat will be described in this report.
REPORTING AND FEEDBACK
If you want to provide feedback to CERT-EU on this report, or if you want to inform us on a particular threat, you may contact us at: Email: [email protected] PGP Key ID: 0xCC97325F PGP Fingerprint: 4ECF 7FBF 0569 8DCE F417 7B49 53C1 0B4F CC97 325F
Page 6 of 33 TLP-AMBER
PART I: DIRECT THREATS AGAINST EU-I
In this Direct Threats part, all malicious activities reported are Interpretation of tables: attempts. CERT-EU will not disclose if these attempts were means ‘Observed activities for this TTP’ successful or not. means ‘No observed activities for this TTP’ ‘no symbol’ means ‘No monitoring in place for this TTP’ TARGETED INTRUSIONS
Note: In the ‘Targeted Intrusions’ chapter, CERT-EU is institutions related to foreign affairs and attendees of a reporting on activities of advanced threat actors observed military conference. not just against EU institutions / bodies / agencies (EU-I) but Turla (likely affiliated to Russia security service FSB) also in Europe. Indeed, targeted intrusions are difficult to executed a cyber-operation against foreign affairs detect, and enlarging the scope of the monitoring (to include entities in a European country. activities with a ‘European nexus’) allows us to better assess See also Russia (21). the level of threat. Therefore the table below ‘Targeted intrusions’ reflects observed activities in Europe. Additionally, a spear-phishing campaign that targeted European foreign ministries in the end of 2017 in Europe No successful targeted intrusions were detected with EU-I was recently attributed to a China-based threat actor in the past three months, based on the information (Ke3chang) which as a long track record of targeting EU reported to CERT-EU. institutions (since 2011). In Europe, activities from two likely Russia-based threat The same actor had allegedly targeted military technology actor were observed: in a European country in May 2017. APT28 / Sofacy threat actor (likely affiliated to Russia See also China (20). military intelligence GRU) targeted government
Targeted intrusion 2017 2017 2017 2018 Trend Name Description Q2 Q3 Q4 Q1 3 months Turla Snake, Uroburos, Venomous Bear, Sofacy Fancy Bear, APT28, Pawn Storm Ke3Chang Apt15, Mirage, Metushy Lazarus BlueNoroff
RANSOMWARE
In this quarter, formerly active threat actors using popular unsuccessful. GandCrab (ransomware delivered via ransomware (CERBER, Torrentlocker and Jaff) did not malvertising) emerged in 2018Q1 and the JS ransomware re- attempt attacks against EU-I. Wannacry attempts remained appeared. Ransomware 2017 2017 2017 2018 Trend Q2 Q3 Q4 Q1 3 months Locky CERBER Torrentlocker Jaff Wannacry Nymaim GandCrab JS Ransomware
Page 7 of 33 TLP-AMBER
BANKING TROJANS
Attempts to infect our constituents’ workstations via emerged in mid-2014 and the criminal operators soon popular banking Trojans decreased with the exception of added new trojan capabilities. Emotet is currently the Emotet which was observed in at least 8 EU-I. Emotet first most observed banking trojan in Europe. Banking Trojans 2017 2017 2017 2017 Trend Name Q1 Q2 Q3 Q4 3 months Dridex Emotet Possible SWIFT malware
MINERS & CRYPTOCURRENCIES
Since the last quarter of 2017, EU-I are victims of crypto- make money, similarly to ransomware that emerged a miners. Especially in the past quarter, in-browser few years ago. cryptojacking has been observed. Cryptojacking can be seen as a new technique employed by cyber-criminals to
Miners & Cryptocurrencies Name 2017 2017 2017 2018 Trend Q2 Q3 Q4 Q1 3 months Monero miner Bitcoin miner Cryptojacking Browser cryptojacking suspicious .bit DNS query
EXPLOIT KITS
New individual vulnerability exploitation attempts were detected (e.g. CVE-2017-11882) while the use of exploit kits seems to be in decline.
Exploit Kit & Exploits Name 2017 2017 2017 2018 Trend Q2 Q3 Q4 Q1 3 months Rig Dotkachef Struts 2 Fiesta Nailed Magnitude SambaCry ETERNALBLUE DOUBLEPULSAR CVE-2017-11882 CVE-2010-3333 Exploit_ObfsStrm_RTF Taskkill WebLogic vulnerability exploitation Java Deserialisation Exploit Microsoft IE meta tag double free Multiple exploit kits malicious pdf
Page 8 of 33 TLP-AMBER
Trojans / Bots / Tools
CERT-EU observes recurring attempts of popular, generic countered by technical security controls or thanks to user trojans, bots and attack tools trying to penetrate EU-I vigilance. infrastructure. These malware are accessible to a wide range of cyber-criminals. Most infection attempts are appropriately
Trojans / Bots / Tools 2017 2017 2017 2018 Trend Name Q2 Q3 Q4 Q1 3 months Houdini Kovter Fareit Kbot Java/Jrat LuminosityLink Loki bot Adwind MSIL_malware Necurs Ursnif Trickbot Artemis Pony stealer ISR stealer ZippyLoader CKOG Valyria Nymeria Nanocore ShadowPad O97M/Donoff!sc MindSpark Imminent Monitor HanaRat Elirks Kemoge Havex Lightweight Backdoor 10 Gh0st REDLEAVES FinSpy Mobile (iOS) Pmabot Tdrop2 Trojan.VBA Trojan.Maljava Trojan.Mdropper Trojan.Gen.NPE Trojan/Win32.VBKrypt Trojan.Win32.Generic!BT Trojan-Downloader.VBA.Agent W97M.Downloader Trojan.Mdropper Malware-gen [Trj] PasswordStealer Winnti Eldorado Ukpa Camelot Panda Zeus Generic backdoor Andromeda Trojan/VB script Trojan Razy NanoRat
Page 9 of 33 TLP-AMBER DENIAL OF SERVICE AND DEFACEMENT
No network-based denial of service (DoS) attacks have been CERT-EU observed defacements of EU-I websites by highly reported by the EU institutions in the past three months likely Turkish hacktivists. The issues were quickly resolved. with the exception of a recently appeared OpenSSL SSLv3 DOS.
Denial Of Service and Defacement 2017 2017 2017 2018 Trend Name Q2 Q3 Q4 Q1 3 months DDoS OpenSSL SSLv3 DoS Email bombing DDoS extortion Defacement
PHISHING & DELIVERY LURES
The usual phishing themes are generic and concern cloud more specific are also used to lure EU-I staff: European services (e.g. Microsoft 365), shipping orders or tracking think tanks matters, foreign affairs matters, spoofed (e.g. FedEx), personal banking, insurance, job application, delegations. invoices, tax and payment. Interestingly, themes that are
Phishing & Delivery Lures 2017 2017 2017 2018 Trend Name Q2 Q3 Q4 Q1 3 months SWIFT IT Service – Cloud (MICROSOFT 365, OneDrive) IT Service – Spoofed EUI IT desk IT Service – (Oracle,Adobe, ...) Apple.com impersonation Shipping (UPS, FedEx, Bpost, DHL, ...) Invoice Tax Payment Purchase / Sale order Wire Transfert (Western Union, etc) Job application Insurance Personal Banking Foreign Affairs matters European Think Tanks matters Energy contract The Google Foundation Grant Award Scam Spoofed EEAS EU WATCHKEEPER Spoofed EEAS Delegation
Page 10 of 33 TLP-AMBER CREDENTIAL LEAKAGE AND HARVESTING
EU institutions, bodies and agencies (EU-I) have seen stolen email account credentials is an ideal way of some of their staff members’ email addresses and launching spear-phishing attacks. credentials leaked on Pastebin-like sites. This trend Additionally, attempts to harvest credentials used for affects almost all EU-I. It is difficult to say if this data has cloud services are increasing. been exploited by attackers in email account takeovers or phishing. This represents a serious threat since the use of
CREDENTIAL LEAKAGE AND HARVESTING 2017 2017 2017 2018 Trend Q2 Q3 Q4 Q1 3 months Credentials and Data leak Admin Credentials leak Credentials harvesting / stealer Cloud Credentials harvesting (OneDrive/Office365, SharePoint)
VULNERABILITIES
Web applications vulnerable to Cross-Site Scripting (XSS) EU Institutions, Agencies, and Bodies by reporting attacks remain the most reported vulnerability. security issues and vulnerabilities discovered. Several new types of vulnerabilities have been reported, (https://cert.europa.eu/cert/newsletter/en/latest_HallO thanks to contributions of external individual researchers fFame_.html ). who participate in the Hall of Fame programme of CERT- EU. This programme helps improving the security of the
VULNERABILITIES 2017 2017 2017 2018 Trend Name Q2 Q3 Q4 Q1 3 months XSS HTML injection Time Based SQL İnjection Open Redirection & Authentication Bypass Email Flooding Attack Directory Listing Text injection Full Path Disclosure (FPD) Citrix login screen open to the outside network Insecure SSL and No Captcha URL redirection vulnerability Open directory (full disclosure) File path traversal Clickjacking Tab nabbing Lucky 13 cryptographic timing TLS attack Host Header Injection Exposed Cisco Adaptive Security Appliance
Page 11 of 33 TLP-AMBER METHODS
CERT-EU reports on noteworthy methods used by Therefore, this chapter includes a significant number of attackers. For this quarter, CERT-EU has made a more new techniques. exhaustive review of alerts raised by its sensors.
METHODS 2017 2017 2017 2018 Trend Name Q2 Q3 Q4 Q1 3 months Fake EU-I website Spoofed EU-I email address Weaponised / lure EU-I official document Request to fake Apple webform Brute force attack on Europass Typosquatting Malicious use as network proxy Fake Outlook Web App (OWA) to harvest credentials Javascript obfuscation technique Embedded iframe redirection ISDN lines abuse Impersonation of EU-I employee SQL related attacks Apache Tomcat remote JSP file upload attempt Apache Struts remote code execution scanning D-Link vulnerability scanning Joomla! vulnerability scanning Acrobat dll-load exploit attempt Windows SMB possible leak of kernel heap memory SMB Exploit Recon – Trans2 SESSION_SETUP client request JBoss JMXInvokerServlet access attempt Adobe ColdFusion vulnerability scanning Siemens IP-Camera credential disclosure attempt Java XML deserialisation remote code execution attempt WordPress config access via directory traversal attempt WordPress vulnerability scanning HTTP Tunnel Lite Initial Request B64 3 Netgear ReadyNAS Surveillance command injection attempt Avtech IP Camera unauthenticated config access attempt Shellshock vulnerability scanning Malware installed via bitsadmin Obfuscated PowerShell scripts Acunetix Scanner potential inbound request header Bash CGI environment variable injection attempt J Powershell RevSlider information disclosure attempt CKnife penetration testing tool attempt Microsoft emf file download request SMB2 Create PSEXESVC.EXE SAP ConfigServlet command execution attempt Javascript dropper Connection to TOR hidden service
Page 12 of 33 TLP-AMBER
PART II: BROADER THREAT LANDSCAPE
TH SECTOR: ENERGY
TAKE AWAY The NIS Directive dictates stricter critical infrastructure protection safeguards The US Department of Energy establishes specialised energy cybersecurity office Russia is conducting operations targeting critical infrastructure; expected to continue in 2018
Regulation – Protection admitted nor denied violating Critical Infrastructure Protection (CIP) NERC reliability standards. NIS Directive: the UK Government pushes cyber security boost for critical industries US nuclear power regulator asked to reject limiting the The EU Directive on Security of Network and Information scope of cyber defence measures Systems (commonly known as the NIS Directive) is to come Since June 2014 the US Nuclear Energy Institute industry into force in May 2018. The NIS Directive obliges operators group has requested the Nuclear Regulatory Commission to of essential services to “take appropriate and proportionate limit the scope of the agency’s cyber-protection safeguards technical and organisational measures to manage the risks only to systems with a direct impact on safety. The Union of posed to the security of network and information systems Concerned Scientists has characterised the request as which they use in their operation”. The security posture “dangerous”. should regard the “state of the art”. The British Department for Digital, Culture, Media & Sport Events (DCMS) has issued a new advisory for organisations in industries such as water, health, energy, and transport. Russian government cyber activity targeting energy and These organisations could be fined as much as £17 million if other critical infrastructure sectors they do not follow industry standards when it comes to On March 15, 2018, the US-CERT (under the Department of cybersecurity. The advisory also establishes the role of Homeland Security), together with the Federal Bureau of regulators, who will assess critical industries, making sure Investigation issued a joint Technical Alert (TA) that provided cybersecurity setups are as “robust as possible”. information on Russian threat actor (DragonFly) targeting US The regulator will have the power to create legally binding government entities as well as organisations in the energy, instructions to improve security, and even (as a “last resort”) nuclear, commercial facilities, water, aviation, and critical issue fines. manufacturing sectors, since at least March 2016. The alert characterised this activity as a multi-stage intrusion US DOE introduces new cybersecurity office to protect the campaign that first targeted small commercial facilities’ energy sector networks and then gained remote access into energy sector The US Department of Energy (DOE) has announced the networks. The exploitation behaviour (using SMB) has been establishing of a new cybersecurity office to help protect the associated with the Dragonfly threat actor. After obtaining energy sector, including the oil and gas industry. access, the intruders conducted network reconnaissance, Named the Office of Cybersecurity, Energy Security, and moved laterally, and collected information pertaining to Emergency Response, or CESER, the new office received Industrial Control Systems (ICS). See also Russia (21). nearly $96 million in funding for the 2019 fiscal year. The (CERT-EU MEMO-0321-2018) new CESER office will be led by an Assistant Secretary that will focus on energy infrastructure security, support the US National Intelligence chief predicts Russia's bolder expanded national security responsibilities assigned to the cyber-attacks on Ukraine in 2018, esp. in the energy sector Department and report to the Undersecretary of Energy. The The US Director of National Intelligence (DNI), Daniel Coats, creation of the CESER office is expected to elevate the has prepared a statement for the US Senate Armed Services Department’s focus on energy infrastructure protection and Committee, titled "Worldwide Threat Assessment of the US will enable more coordinated preparedness and response to Intelligence Community". In this document, he expresses his threats. concern that Russia will conduct bolder and more disruptive cyber operations during 2018, most likely using new US energy firm fined $2.7 million over data security incident capabilities against Ukraine. The Russian government is likely The North American Electric Reliability Corporation (NERC) to build upon the wide range of operations it is already revealed in February 2018 that an energy firm in the United conducting, including disruption of Ukrainian energy States was fined $2,7 million over a data security incident distribution, hack-and-leak influence operations, distributed that resulted in the exposure of critical cyber assets. The denial of service attacks, and false flag operations. Russian incident, which got a risk rating “serious,” involved a third- intelligence and security services are also expected to party contractor that improperly copied data from the continue to probe US and allied critical infrastructure. See energy firm to its own network. The power company (not also Russia (21). named) agreed to pay the massive penalty but neither
Page 13 of 33
TLP-AMBER SECTOR: TRANSPORTATION
TAKE AWAY Targeted intrusions affect major transportation infrastructure Ransomware attacks are feared by critical transportation infrastructure (e.g. Airport, Shipping) for their disruption potential Credit card details of airlines customers are attractive assets for criminals Connected cars expose personal data of users
Government – administration Maritime Ransomware – According to industry reporting, the US Targeted intrusion – China – Since early 2018, security Colorado Department of Transportation fell victim to a researchers have been tracking an ongoing wave of ransomware incident by Samas (a.k.a. SamSam or SamSa). intrusions targeting engineering and maritime entities, The incident, which occurred on 21 February 2018, especially those connected to South China Sea issues. The reportedly infected more than 2,000 of the department’s campaign is linked to a group of suspected Chinese cyber computers. espionage actors active since at least 2013 and dubbed Leviathan (TEMP.Periscope). Civil Aviation Targeted intrusion – Iran – In January, Erel Margalit, who Targeted intrusion – An Iran-linked threat actor dubbed served in an Israeli cybersecurity task force for the country’s OilRig has attempted to compromise critical infrastructure, parliament (Knesset), stated at a cybersecurity conference banks, airlines and government entities since 2015 in a in Israel that blueprints for Israeli submarines, built by range of countries, including Saudi Arabia, Qatar, United Germany-based industrial conglomerate ThyssenKrupp, Arab Emirates, Turkey, Kuwait, Israel, Lebanon and the were copied by an Iranian cyber operative. Margalit stated United States. The results of an investigation published in that an Iranian hacker used an unspecified trojan to access March indicate that the attacks were focused on a number and steal secret information from the German company. of organisations across the Middle East and show that the group has significantly evolved its tactics, techniques and NotPetya impact – Maersk – the Danish transport and procedures to include more stealthy malware and data logistics conglomerate – has revealed that the NotPetya exfiltration methods. 2017 devastating ransomware attack required close to a "complete infrastructure" overhaul and the reinstallation of Ransomware – Atlanta’s airport has taken down its Wi-Fi thousands of machines (4000 servers, 45000 PCs). network and disabled parts of its website “out of an abundance of caution” following a ransomware cyberattack Automotive on the city’s computer network. A spokesman for the Airport, said that they were not affected by the attack that Cryptojacking – Researchers discovered that Tesla's AWS hit the City, but “We don’t want to open up the airport to cloud systems were compromised for the purpose of any possible cyberattack.” cryptomining. Tesla's AWS system also contained sensitive data including vehicle telemetry, which was exposed due to Scam/Phishing – Norwegian Air and Ryanair have warned credentials theft. A Tesla spokesperson told "We maintain customers to watch out for a fake competitions claiming to a bug bounty program to encourage this type of research, offer winners two free flights to a destination of their and we addressed this vulnerability within hours of learning choice. The scam is being shared on Facebook. Singapore about it.” Airlines customers have been warned of two convincing new phishing and vishing campaigns designed to harvest Targeted intrusion – A North Korea based threat actor their credit card details. Fraudsters are tricking recipients (APT37) lately expanded the scope and sophistication of its into believing they’ve been selected for a draw or have won campaigns to include organisations in several areas, air tickets. including the automotive sector, in an effort to collect information. Cyberattack simulator – Boeing received a US patent in December 2017 for a system that simulates a cyberattack Connected cars and personal data – Recent smart and within an airplane to detect pilot response and realistically connected cars are collecting all kinds of information about determine how that response affects the airplane’s users. A Canadian Senate committee last month flagged operations, with the ultimate aim of strengthening an privacy and security as major issues of the coming internet- aircraft's defences against cyberattacks. connected automotive revolution.
Page 14 of 33 TLP-AMBER SECTOR: BANKING & FINANCIAL MARKET INFRASTRUCTURE
TAKE AWAY Banking trojans such as Bankbot and TrickBot include new capabilities The SWIFT international payment messaging system is subject to abuse DDOS attacks against banks impacted mobile / online banking applications Criminals develop new carding malware to attack ATM and Point of Sales (POS)
Banking Trojans Banking DoS Bankbot Anubis banking trojan evolved to a new version In January, open sources reported multiple DDoS attacks that includes ransomware, key logging abilities, remote that occurred over the course of several days against Dutch access trojan functions, SMS interception, call forwarding, financial institutions including ABN Amro, ING, Rabobank, and lock screen functionality. The malware masquerades as and the Dutch tax office Belastingdienst. The Dutch single popular mobile applications (like Adobe Flash Player). This sign-on service, DigiD, and the Ministry of Infrastructure, signals a general trend where Android banking malware Rijkswaterstaat, were also disclosed as victims of these evolve to include more functionality, with Lokibot being the attacks. first to include ransomware capabilities. New functionality According to industry sources, the DDoS attacks caused for Bankbot is highly likely linked with the public leak of its temporary disruptions to financial websites and mobile source code, which is also related to the wider use of the applications. ABN Amro was impacted for several hours at a malware by multiple threat actors. time due to multiple iterations of attacks. Attacks against another bank lasted approximately an hour each and TrickBot – A cyber-criminal group is behind the core impacted their mobile banking, online banking, and iDeal development and distribution of the TrickBot banking Trojan payment applications. (first observed in September 2016). This group aims to conduct credential theft and wire fraud. Victims are widespread internationally, and the malware affects Carding multiple business sectors as well as the general public. The European carding threats have been decreasing over the group initially uses a lure document with a “Paypal theme” years. One of the source of future carding activities is Although the TrickBot malware is fairly simple in its advanced malware from Brazilian cybergangs. Fraud functionality, it is well-developed, which demonstrates that statistics show that Brazil ranks third in credit card fraud, this group is well-versed in what is required to succeed in the behind Mexico and the US. Brazilian cyber criminals use well criminal market. known tactics for stealing money which include ATM The malware is split into group tags (gtags) suggesting that skimming, Point of Sale (PoS) compromise or even hardware this actor operates an affiliate model, but at this stage it modifications for massive credit and debit cards collection. remains unclear how each of the gtags is operated and by Illicit activities also include credit card cloning as well as whom. The TrickBot malware is not openly advertised on active manipulation of chip enabled cards that will render criminal forums indicating that the group likely only sells them valid in most point of sale systems. access to, or works alongside, trusted criminal groups. There is a special malware though that attracted IT security experts’ attention. It is called Prilex and is a complete SWIFT payment system malware suite which includes a graphical user interface able to support criminal-to-criminal business model. The group According to the local central bank, a Russian private bank behind Prilex initially used a device with a mobile data lost 339.5 million roubles ($6 million) in an attack that modem able to remotely control ATMs and command them leveraged the SWIFT international payments messaging to dispense money. Their malware evolved to include system. This adds to a series of SWIFT heists over the last cloning capabilities for traditional magnetic stripe cards. years, like the ones that hit the Bangladesh Bank, Taiwan’s Even though the group hasn’t displayed advanced technical Far Eastern International Bank and Nepal’s NIC Asia Bank. capabilities, the integrity of their business model makes SWIFT has been constantly updating its customers about Prilex a serious threat for the financial industry. malicious activities against the SWIFT network. However, protection of the systems is difficult due to use of legacy installations with limited security features.
Page 15 of 33
TLP-AMBER SECTOR: HEALTH
TAKE AWAY Companies in the heath sector are victims of targeted intrusions Breaches of sensitive health data affect several organisations in the US and Europe Researches indicate that medical devices – some of them critical for patients’ health – are highly vulnerable to cyber attacks Ransomware attacks caused disruption of hospital operations
Targeted intrusions managed to meet the government-backed Cyber Essentials Plus recommendations. US – A US company in the health sector was reportedly one of the victims of the Iranian hackers who targeted several UK – Cybersecurity researchers found that Medical Imaging critical sectors, universities, companies and government Devices (MIDs), such as Magnetic Resonance Imaging (MRI) bodies. See Iran (22). or Computed Tomography (CT) systems, are under biggest risk of being targeted and are becoming increasingly Asia – According to researchers, a Chinese-speaking threat vulnerable to cyberattacks. Vulnerable MIDs may result in actor executed cyber-espionage operations against attacks which "target the devices' infrastructure and pharmaceutical organisations in South East Asia. components, which can disrupt digital patient records, and Asia & Middle East – North Korean hacking Group APT37 potentially jeopardise patients' health". The research team expanded their list of targets to organisations in several new believes that attacks on MIDs are going to increase as sectors including healthcare. See North Korea (23). vulnerabilities are uncovered in more and more medical devices, and as we've already seen, attackers have no Data breaches qualms when it comes to targeting hospitals.
US – A US department for aging and disability services accidentally shared personal data and health information in Ransomware an unauthorised email to business associates. US – Allscripts, a provider of electronic health record (EHR)
US – The health system of the university of Virginia (US) technology to hospitals, was hit by Samsam ransomware, notified patients of a cyberattack that gave a hacker access provoking an outage that affected thousands of physicians’ to over 1,800 medical records. practices and healthcare providers across the US. Allscripts reportedly handles data for 180,000 physicians, 100,000 US – On 8 January 2018, open sources reported a potential electronically prescribing physicians, 40,000 in-home breach of 30,000 medical records belonging to Florida clinicians, 2,700 hospitals, 13,000 extended care Medicaid recipients. Stolen data included name, date of organisations and 7 million patients across the country. birth, address, medical history, Social Security numbers, and Besides electronic health record (EHR) tools, it develops and Medicaid ID numbers. The breach was reportedly triggered sells solutions for patient engagement and care by a phishing email and initiated on 15 November 2017. coordination, as well as financial and analytics technology. In Norway – Hackers breached the systems of the Southern and one of the affected hospitals, the attacker gained access via Eastern Norway Regional Health Authority, and possibly the hospital’s remote access portal and used stolen third- made off with personal information and health records of party vendor credentials to gain access. some 2.9 million Norwegians. Norway’s police, military intelligence and its National Security Authority are DDoS investigating the breach, but it is unknown if the attackers Latvia – On 16 January the Latvian National Health Service IT managed to access and exfiltrate patient data. system and the 'e-health' system used by doctors to write prescriptions and sick leaves came under cyber attack, Vulnerabilities according to the Latvian Ministry of Health. The Lattelecom UK – The UK National Health Service (NHS) completed 200 IT company, which maintains the system, cooperated with on-site cyber-security assessments, and no Trusts had the authorities to bring it back online.
Page 16 of 33 TLP-AMBER SECTOR: DEFENCE AND FOREIGN AFFAIRS
TAKE AWAY Russia-based threat actor Sofacy (APT28) has been particularly active against foreign policy making and military entities Russia-based threat actor Turla (Snake) targeted foreign policy entities and diplomats China based Ke3chang (Mirage) targeted UK military in 2017 Russian hacktivist proxy groups target defence conglomerate in Ukraine
Foreign Affairs Mirage, Metushy, Vixen Panda) is a threat actor that is believed to be of Chinese origin. Its main motive is Sofacy vs Embassy – In February, a phishing attack by espionage and it has been operating since at least 2010, Sofacy targeted two government institutions related to seeing continuous technical development along the way. foreign affairs. One organisation is an EU Member State See also chapter Direct Threats (7). embassy in Moscow and the other is located in North America. The attack targeted potential attendees of Sofacy vs Czech Military – On 10 January 2018, the Deputy Defence, Military and Intelligence events (CITAR-Flash- Commander of the 43rd Airborne Battalion of the Czech 2018-004). military, Ivo Zelinka, claimed that his Twitter account was targeted by an unidentified entity based in St. Petersburg, Sofacy vs Foreign Policy Think Tanks – A CERT-EU partner Russia. Zelinka received a prompt to click a link to reset his has learned of a new implant likely used by the APT28 password. These alerts mirror fake password resets threat actor. The newfound implant had been in previously used by FANCY BEAR. This possibly indicates development since at least August 2016. In December 2016, Russia-based targeted intrusion activity against Zelinka. it was used against several foreign policy think tanks in With approximately 1,200 followers on Twitter, Zelinka is Germany (CITAR-Flash-2018-003). known for his opposition to pro-Russians. See also Russia Turla vs Foreign Ministry – Officials in an EU country are (21). investigating a computer security incident that concerns Sofacy vs Defence Conference – In February and March, several federal organisations. The attackers first government entities in at least three European countries compromised a government administration in order to have been targeted by a spear-phishing campaign executed install malware that then served as a hop point to carry out by the threat actor APT28 (Sofacy, Fancy Bear). Repeated the attack against the Foreign Ministry. Technical details attempts to target the same individual were observed in indicate that the malware in use was likely ComRAT. This one of these countries. One phishing email used the subject remote access tool has been previously linked to Turla line of “Underwater Defence & Security 2018 Conference (Snake, Venomous Bear) with high confidence. The Estonian Agenda” as a lure (CITAR-Flash-2018-008). Foreign Intelligence Service (Välisluureamet) has linked this group to Russia’s Federal Security Service (FSB) (CITAR- See also chapter Direct Threats (7).
Flash-2018-005). Russia – On 22 March 2018, Russian media reported that See also chapter Direct Threats (7). the Russian Ministry of Defence website was subject to DDoS attacks during a national contest to select names for Turla vs Eastern European Diplomats – Security firm ESET the new suite of weapons announced by President Putin. identified and analysed new malware used by Turla to According to news reports, which cited an unidentified target high-value political organisations in Eastern Europe. Ministry of Defence source, a total of seven DDoS attacks This new tool, ESET reveals, attempts to trick victims into targeted the site on 22 March (the final day of voting). The installing malware from what appears to be Adobe’s reports stated that the attacks originated from identified, website, with the goal of extracting sensitive information but unnamed, states in Western Europe, North America, from targets. While the Turla group has in the past too and Ukraine. The reports went on to suggest that the utilised fake Flash installers to dupe users to install one of attacks were neutralised by the Ministry of Defence. their backdoors, this is the first time that the malicious program is downloaded from legitimate Adobe URLs and IP Korea – North Korean group APT37 (Reaper, Group123, addresses. Nevertheless, the researchers are confident that ScarCruft) has reportedly been targeting South Korean Turla’s malware has not compromised any legitimate Flash military since at least 2012. See also North Korea (23).
Player updates, nor is it associated with any known Adobe False Front & Ukraine – The pro-Russia hacktivist front product vulnerabilities. group CyberBerkut resurfaced with a narrative claiming a Defence secret arms sales deal between German defence wholesale company—Waffen Schumacher GmbH Großhandel—and Ke3chang vs UK military – According to recent public SpetsTechnoExport, a subsidiary of Ukraine’s defence reporting, Ke3chang was active in the UK in May 2017. A sector conglomerate, UkrOboronProm. CyberBerkut is number of sensitive documents were stolen by the believed to be one of the longest running hacktivist front attackers during the incident as Ke3chang was reportedly groups operating in support of Russian information targeting information related to UK government operations (IO). See also Russia (21) and Cyber War (24). departments and military technology. Ke3chang (APT15,
Page 17 of 33 TLP-AMBER SECTOR: DIGITAL INFRASTRUCTURE
TAKE AWAY North Korea gets a new internet connection through Russia Türk Telekom customers were redirected to nation-state spyware Several vulnerabilities reported in BGP routing software A vulnerability was discovered reported in DHCP client software
Internet Service Providers of Sandvine’s PacketLogic deep packet inspection (DPI) devices. When anyone using a target IP address on Türk DPRK gets a new internet connection through Russia. Telekom's network attempted to download legitimate According to open sources, the Democratic People’s software such as security tools Avast and CCleaner or the Republic of Korea (DPRK) has acquired a new Russia-based Opera browser and file archiver 7-Zip, their connections internet connection, provided by the Russian state-run were intercepted by the PacketLogic tool and redirected to Transtelecom. Reportedly, this is the second link from websites serving malware-laden versions of the software. DPRK to the outside world. Up until October 2017, North The same happened when potential victims in Turkey and Korea was served by a single connection to the outside Syria attempted to download specific applications from world, provided by China’s Unicom. Download.com. Malware served in these cases was Comment: For the DPRK, the new connection presents FinFisher and StrongPity. several advantages. It offers them greater resistance against DDoS attacks. Also, a single point on connection may go down for a technical or political reason. Spreading BGP out digital infrastructure helps to mitigate this threat. BGP Flaws Patched in Quagga Routing Software. Several Improved connectivity allows them to better perform vulnerabilities that could lead to denial-of-service, offensive online operations from their own territory. information disclosure, and remote code execution have For Russia, the new connection is a political win and offers been patched in the Quagga routing software suite. See leverage over both North Korea and its opponents. There is also Exploits and Vulnerabilities (31). also a possibility of increasing cooperation between Russia and DPRK. Sharing a connection, the two countries may DHCP also share technical know-how and plausibly even conduct Remotely exploitable flaws patched in DHCP. A security joint cyber operations. researcher at Google discovered that the ubiquitous
Dynamic Host Configuration Protocol (DHCP) client has a Sandvine’s PacketLogic used to deploy government buffer overflow vulnerability that in some cases can spyware in Turkey plausibly lead to remote code execution. In some cases, a According to open sources, hundreds of Türk Telekom malicious server can cause a client to crash. A patch has users were redirected to nation-state spyware when they been released to address these issues. attempted to download certain legitimate Windows applications. The redirection likely happened with the help
Page 18 of 33 TLP-AMBER SECTOR: DIGITAL SERVICES
TAKE AWAY Facebook leaked personal data of about 50 million users Google made takes action to improve Chrome and Cloud services security Serious vulnerabilities found in major VPNs, secure messaging and peer-to-peer services Web hosting software infected in a supply chain attack
Social media Cloud services Facebook leaked personal data of 87 million users. Google Cloud Security Command Center. Google will According to open sources, the US Federal Trade create a Cloud Security Command Center to help Commission is investigating Facebook after allegations that enterprises gather data, identify threats, and act on them 50 million users’ private information was misused by before they result in business damage or loss. Cloud Cambridge Analytica (CA), a political consultancy firm. CA Security Command Center will reportedly consolidate was hired by the Trump campaign in the 2016 election. The visibility into cloud assets across App Engine, Compute data was collected by a psychology professor, Aleksandr Engine, Cloud Storage, and Cloud Datastore. Kogan, to create a Facebook personality quiz that harvested information not only about its own users but also their VPN friends. Kogan amassed records of about 50 million users VPN IP leaks found on 3 major VPNs. Ethical hackers and turned it over to CA for a fee. This data was then used randomly selected and tested popular VPNs (Hotspot in the pro-Trump campaign in the 2016 US elections. The Shield, PureVPN, and Zenmate) and found vulnerabilities: data was also possibly used in the pro-Brexit campaign. all VPNs suffer from IP leaks. The leaks could allow Facebook co-founder and CEO Mark Zuckerberg apologised governments, hostile organisations, or individuals to for data breaches that affected 87 million users. Following identify the actual IP address of a user, even with the use of the reports of the data breach, Facebook’s value has the VPNs. plunged by 80-100 billion dollars, depending on the source.
Comment: The breach will possibly influence the amount of Web Hosting data people are sharing with Facebook. There is also a “Delete Facebook” social media campaign, encouraging WordPress, Joomla and CodeIgniter sites infected. people to remove their Facebook profiles and joined most Hundreds of websites have been infected with malware famously by Elon Musk and his Tesla plus SpaceX that masquerades as legitimate ionCube-encoded files. companies. A more serious threat to the company is the ionCube is an old and powerful PHP obfuscation technology possible loss of big advertising money. Facebook and its two that can be used to scramble text-based PHP files to hide billion users are desirable targets for advertisers. Loss of the intellectual property. Due to licensing costs, ionCube trust can possibly mean withdrawal of at least some isn’t usually used for malicious purposes. Malicious advertising contracts. attackers, however, found a way to pack their malware in a manner that resembles that of ionCube-encoded files, and Browsers started targeting various websites. WordPress, Joomla and CodeIgniter sites have been infected. Chrome & cryptojacking. According to Google, Chrome
Web Store will no longer accept extensions that mine Peer-to-peer cryptocurrency. Existing extensions that mine cryptocurrency will be delisted from the Chrome Web Store Critical vulnerabilities in uTorrent clients. White hat in late June. Extensions with blockchain-related purposes hackers at Google Project Zero discovered two critical other than mining will continue to be permitted in the Web remote code execution vulnerabilities in versions of Store. BitTorrent’s web-based uTorrent Web client and uTorrent Classic desktop client. The flaws are tied to the way the Chrome Google & URL Homograph (Unicode) Attacks. The web-based apps handle JavaScript Object Notations (JSON) team from Phish.ai has released a Chrome extension that as they relate to the company’s remote procedure call (RPC) can detect when users are accessing domains spelled using servers. The issue can allow an attacker to trigger a flaw in non-standard Unicode characters and warn the users about the clients by hiding commands inside web pages that the potential of a homograph attack. Hackers often use interact with uTorrent’s RPC servers. such intentionally misspelled domains to lure users on phishing sites, where they collect user credentials or trick Secure messaging victims into downloading files laced with malware. Zero-Day Attack on Bitmessage Client. An emergency Edge web browser vulnerability. Google Project Zero has update was released for the PyBitmessage application to fix made public the details of an unpatched vulnerability a critical remote code execution vulnerability that has been affecting the Edge web browser after Microsoft failed to exploited in attacks. Bitmessage has become increasingly release a patch within a 90-day deadline. An attacker could popular in the past years. While the protocol is often used bypass Arbitrary Code Guard (ACG), a feature added by by people looking to protect their privacy, it has also been Microsoft to Edge in Windows 10 Creators Update leveraged by cybercriminals, including in ransomware alongside Code Integrity Guard (CIG). The features, attacks for communications between victims and the introduced in February 2017, are designed to prevent hackers. browser exploits from executing malicious code.
Page 19 of 33 TLP-AMBER GEOGRAPHIC: CHINA
TAKE AWAY China exhibits new cyber capabilities and reserves high value vulnerabilities for offensive operations Chinese threat actors conducted targeted intrusions against several countries and multiple sectors China is involved in large supply chain based attacks
Policy and capabilities stealing proprietary source code from the company. Prosecutors said the proprietary computer code the Sigint – According to satellite imagery, a substantial number engineer stole was related to a so-called clustered file of new radar facilities have been installed on South China Sea system, which facilitates faster computer performance. (SCS) islands for the purposes of communication, aircraft navigation, and improved command and control. Most UK – Some UK think tanks were hacked by China-based relevant to cyber are enhanced capabilities of People’s groups last year, according to Crowdstrike cyber-security Liberation Army Strategic Support Force (PLASSF) for company, who also said it investigated the breaches. This reconnaissance, as well as for monitoring maritime campaign, targeting think tanks specialising in international operations in the SCS. See also Transportation (14). security and defence issues, began in April 2017.
National Vulnerability Database – Researchers identified Mongolia – A new Chinese-speaking actor has been China’s National Vulnerability Database (CNNVD) as a shell targeting Mongolian military-related entities, Russian for the China Information Technical Security Evaluation defence contractors, and finances-related from summer Center (CNITSEC), which is controlled by the Ministry of State 2017 until present time. During the campaign, the actor Security (MSS). MSS likely reserved high-value vulnerabilities changed their tactics from the original exploit to leveraging for use in offensive operations. Furthermore, the operators the CVE-2017-11882 (Microsoft Office Equation Editor) of the CNNVD appear to be systematically delaying vulnerability. publishing information on certain highly effective South-Eastern Asia – A campaign using the Microsoft Office vulnerabilities so the MSS can assess them for use in vulnerability CVE-2018-0802 (see Exploit Chapter) targeted intelligence operations. Finally, public reporting indicated Southeast Asia-based targets. The dropped first-stage that several prominent, domestic Chinese cybersecurity implant, as well as the connected command-and-control (C2) companies were prevented from competing in global infrastructure, have been previously associated with the Capture the Flag (CTF) and hacking competitions; instead, Goblin Panda (Hellsing) Chinese group. these companies would be required to provide vulnerability information to the CNITSEC. Asia-Pacific – ShaggyPanther is a cluster of malicious activity focused in the APAC region (Malaysia, Taiwan), active since Cloud – Apple will hand over the operation of iCloud services at least 2008 and targeting governmental entities using an for Chinese users to a local Chinese company as part of the unusual backdoor family. Attackers managed to stay below company's efforts to comply with Chinese law. the radar of researchers all this time even when the Crypto-currencies – The Central Bank of China announced a backdoors used were individually detected. further measure to limit or fully eliminate Chinese citizens’ Tibet – For just over $1,000, a phishing operation interaction with cryptocurrencies. The new regulation successfully spied on members of the Tibetan community for impedes online access to foreign cryptocurrency exchanges 19 months, Citizen Lab found. The sloppiness of the and similar entities by utilising the internet-filtering tool campaign suggests the threat actors were operating with known as the Great Firewall to block all search results and little fear of getting caught. The profile of the operator related advertising from search engines and social media. suggests it may be a low-level contractor.
Exploit Research – Google awarded a record $112,500 bug Multi-sector – A security firm reported on operation bounty to a Chinese security researcher after he submitted “PZChao” that targeted entities in education, government, the first working Android remote exploit chain since the telecommunications, and technology sectors to gather company’s Android Security Rewards program raised top intelligence and intellectual property. Chinese group pay-out levels. Emissary Panda (APT27, Iron Tiger) is possibly responsible for it. Targeted intrusions US, maritime, engineering – Since early 2018, a wave of Supply Chain Attacks intrusions has targeted US engineering and maritime Further investigations showed that a malware attributed to entities, especially those connected to South China Sea the China-based threat actor Axiom (aka APT17, Aurora issues. The campaign is linked to a group of suspected Panda) was used in the CCleaner supply chain attacks last Chinese cyber espionage actors tracked since 2013, dubbed year. TEMP.Periscope (Leviathan). Additional known targets of this group include research institutes, academic In February, US intelligence agencies warn Americans organisations, and private firms in the United States. See also against buying Chinese smartphones by Huawei, ZTE or
Transportation (14). others on the grounds that they pose a security threat to American customers. US – A former software engineer for IBM in China was sentenced to five years in prison after he pleaded guilty to
Page 20 of 33 TLP-AMBER
GEOGRAPHIC: RUSSIA
TAKE AWAY Russia reinforces its internet sovereignty and internet surveillance capacities Russian actors employ sophisticated false-flag and false-front tactics for hybrid warfare Russian actors attempted targeted intrusions in the military, defence, and foreign affairs sectors The Russian cybercriminal underground is dynamic
Policy hacktivist entity may constitute a false front for APT28 (Sofacy, Fancy Bear). Infoforum 2018, the Russian National Forum on Information Security, took place in February and addressed the digital False Front & Ukraine – The pro-Russia hacktivist front group economy; artificial intelligence; the future of data security; CyberBerkut resurfaced in Ukraine. See Defence and Foreign and quantum technologies in information security. Affairs (17) and Cyber War (24).
Internet sovereignty – The Russian Presidential Advisor on Elections – In February, the US Department of Justice Internet Development stated that Russia is prepared should publicly released an indictment accusing Russian companies the nation be cut off from the global internet. He cited and citizens of influence operations targeting the political cybersecurity and privacy among the major concerns in his process of the United States. In March the US Department of advocacy for growing Russian government desire to control Treasure sanctioned 19 individuals and 5 entities. See Cyber access to and regulate the Russian domestic internet. War (24).
Domestic surveillance – The “Yarovaya Law”, a data storage Netherlands – Dutch media reports indicated that the and decryption effort planned to enter into force on 1 July General Intelligence and Security Service of the Netherlands 2018, will be delayed. The Russian internet watchdog (AIVD) tracked and identified Russia-based threat actor Cozy agency, Roskomnadzor (RKN), is planning to conduct Bear operatives as they conducted targeted intrusions “supervisory activities” within some social networks of US against the US Democratic National Committee. origin in the latter half of 2018, which it claims are in line NotPetya – UK, US, Canada, Australia, New Zealand and with compliance with a Russian law governing the protection Denmark publicly attribute the destructive NotPetya cyber- of citizens’ data. attack to Russia. Domestic surveillance – The Russian Federal Security Service (FSB) obtained Universal Forensic Extraction Device (UFED) Cyber-crime and Underground Cellebrite Cloud Analyzer software and hardware. Cellebrite A Russian man accused of operating a network of infected claims to allow access to mobile device backups on systems, computers has been extradited to the United States by and impacts devices running iOS and Android. These types of Spain. Peter Levashov ran the Kelihos botnet, a network of platforms pose a risk to mobile devices, as they not only more than 100,000 infected devices used by cyber criminals allow access to the data, but can also purportedly enable to distribute viruses, ransomware, phishing emails and other state-affiliated entities to defeat two-factor authentication. spam attacks. Bug bounty program – The Russian government plans to Experts discovered a new ransomware-as-a-service dubbed launch an 800 million rouble program that would pay GandCrab advertised in the Russian dark web. As is individuals or companies to identify vulnerabilities in becoming a pattern for Russian malware, the ransomware systems and software. The program will likely provide the cannot infect systems in countries of the Commonwealth of Russian government with a virtual treasure trove of Independent States. vulnerabilities. Russian law enforcement investigated fraudulent activities Cyber war involving gas-station payment systems. Dozens of gas- station employees installed malicious programs on False Flags are becoming a standard part of the toolkit for electronic gas pumps to trick customers into paying for more nation-state hackers. Instead of simply hiding their identity, fuel than they pumped into their vehicles. they paste a new one over it, invented or borrowed. Russia's hackers, in particular, have lately experimented with that In January 2018, sensitive sources identified an exploit for digital mask-swapping with increasingly deceptive tactics. CVE-2018-0802 circulating in the Russian underground. See in Malware (33). According to the vendor of the tool, it is capable of exploiting a vulnerability in Microsoft Office. See in Exploits (31). Front group – In January, the pro-Russia hacktivist front group known as Fancy Bears’ International Hack Team Espionage (FBIHT) resurfaced with claims of Olympic-themed data leaks under a new post titled “WADA vs. IOC: Fight for Clean Sport APT28 (Fancy Bear, Sofacy) shifts focus. In late 2017 their or Fight for Power?”. interest likely has shifted from NATO member countries and Ukraine to the Middle East and Central Asia. This observation False Front – After 1 August 2016, an entity that used the was made by Kaspersky Lab. Anonymous Poland name and Twitter handles @anpoland For other targeted intrusion activities by Russian groups and @opanon_pl conducted Information Operations (IO) in (Sofacy, Turla), see chapter Direct Threats (7) and Defence support of the goals of Russia-based adversaries. This and Foreign Affairs (17)
Page 21 of 33
TLP-AMBER GEOGRAPHIC: IRAN
TAKE AWAY The Iranian government tries to limit domestic use of foreign IT technologies Iranian threat actors are accused of targeted intrusions against universities and technology companies in the US, UK, and other countries An Iran-based threat actor exhibited advanced obfuscation techniques while attacking entities in Asia and the Middle East
Domestic From January 2018 to March 2018, a highly likely Iranian threat actor dubbed TEMP.Zagros (MuddyWater) conducted In January, Brigadier General Gholamreza Jalali, the leader of attacks leveraging the latest code execution and persistence Iran’s Passive Defence Organisation (responsible for techniques to distribute malicious macro-based documents countering threats to Iranian cyber networks), claimed that to individuals in Asia and the Middle East. One of the more Iranian user data retrieved by the Telegram messaging interesting observations during the analysis of these files application is mined and sold to enemies of the Islamic was the re-use of the latest AppLocker bypass, and lateral Republic—most notably the US and Israeli governments. This movement techniques for the purpose of indirect code activity is part a broader effort displayed by many members execution. The IP address in the lateral movement of Iran’s security and conservative establishment to ban techniques was substituted with the local machine IP Telegram. address to achieve code execution on the system. This
activity shows us that TEMP.Zagros stays up-to-date with the Targeted attacks latest techniques and that they can quickly leverage these On 23 March 2018, the US government released an practices to update their malware. By combining multiple indictment against nine Iran-based hackers-for-hire who layers of obfuscation, they deter the process of reverse operated for an Iranian entity called the Mabna Institute. engineering and also attempt to evade security products. The indictment specifies that the group stole almost 31.5 terabytes (TB) of information from at least 320 universities Ransomware & Iran around the world, with 144 of them located in the US. The Recently, new ransomware called Black Ruby was discovered hacker-for-hire outfit also reportedly targeted 36 US-based by security researchers. This malware will encrypt files on a private sector companies and 11 others around the world as computer, scramble the file name, and then append the they expanded their operations beyond the academic sector. BlackRuby extension. To make matters worse, Black Ruby Targeted entities include the Federal Energy Regulatory will also install a Monero miner on the computer that utilises Commission (FERC), which houses sensitive information tied as much of the CPU capacity as it can. Black Ruby will only to the energy and power grid. encrypt files if the victim is not from Iran.
Page 22 of 33 TLP-AMBER GEOGRAPHIC: NORTH KOREA
TAKE AWAY Recent investigations detail the capabilities of North Korea’s threat actors Beyond the financial sector (which remains the most targeted), North Korea actors also attack entities in the chemicals, manufacturing, electronics, aerospace, automotive, telecom sectors, as well as defectors and journalists
Capabilities defence industrial base; however, they have expanded to other international targets in the last year. Since early 2017, North Korea has reportedly been targeting Other reporting indicated that malicious Flash files targeting South Korea’s cryptocurrency industry. Some industry this vulnerability were distributed through a Korean- reporting indicated that the Reconnaissance General Bureau language social networking platform (likely KakaoTalk), as (RGB) may be at the centre of these financially motivated well as through targeted email attacks. cyberattacks. Bureau 121 (under the Reconnaissance General Bureau/RGB) is likely the most important cyber Finance – McAfee discovered an aggressive Bitcoin-stealing security organisation in North Korea. The bureau reportedly phishing campaign, dubbed HaoBao, by Lazarus group that comprises approximately 6,000 to 7,000 cyber soldiers. uses sophisticated malware with long-term impact. This new Bureau 121’s operational scope encompasses both military campaign targets Bitcoin users and global financial operations (espionage, targeted intrusion, GPS jamming, organisations. When victims open malicious documents etc.) and currency generation. attached to emails, the malware scans for Bitcoin activity and then establishes an implant for long-term data- A North Korean group dubbed APT37 (Reaper, Group123, gathering. ScarCruft) has been active since at least 2012, but it has not been analysed as much as the North Korea-linked Lazarus Defectors / journalists – In January, South Korean media group. APT37 only started making headlines in early wrote about North Korean refugees and journalists being February when researchers revealed that it had been using a targeted by unknown actors using KakaoTalk (a popular chat zero-day vulnerability in Adobe Flash Player to deliver app in South Korea) and other social network services (such malware to South Korean users. APT37, whose goals appear as Facebook) to send links to install malware on victims’ to align with North Korea’s military, political, and economic devices. This method shows that attackers are always interests, has mainly focused on targeting public and private looking for different ways to deliver malware. Analysis of entities in South Korea, including government, defence, malicious APK files that were used in the targeted attacks military and media organisations. However, according to shows that Google-shortened URLs were used to spread FireEye, the group expanded its attacks to Japan, Vietnam malware. and even the Middle East last year. The list of targets Canada – In January, Ontario transit agency Metrolinx said it includes organisations in the chemicals, manufacturing, had been the target of a cyber attack that originated in North electronics, aerospace, healthcare, and automotive sectors. Korea, but no personal information was compromised and See also chapter Defence (17), Transportation (14), Health systems that operate its trains and buses were not affected. (16). Spokeswoman Anne Marie Aikins said that the cyber attack happened recently, but would not give a date or what Operations specifically was targeted because of security concerns.
Finance – The state-sponsored North Korean Lazarus Group Egypt – Telecom – Open-source reporting indicated that (Hidden Cobra) targeted Turkish financial institutions in a Egyptian telecom company Orascom suffered a network spear phishing campaign in early March, attempting to intrusion attack by North Korean actors. Orascom maintains deliver its Bankshot malware. The phishing emails included a business interest in North Korea. In 2008, the Egyptian an attached Microsoft Word document containing an exploit telecom giant established a mobile phone unit called for CVE-2018-4878, a recently patched Adobe Flash Player Koryolink in the country, in a partnership with the then- vulnerability that was used in a zero-day campaign against supreme leader KIM Jong-il, the late father of KIM Jong-un. South Korean targets late last year (See Exploits and Orascom is credited with helping build the regime’s mobile Vulnerabilities (31)). An analyst assessed that “the attackers communication networks. The business began experiencing may plan a future heist against these targets by using financial difficulties when KIM Jong-un approved the launch Bankshot to gather information.” of the state-run mobile phone service called Byol in 2015 to Another report stated that CVE-2018-4878 was leveraged by compete with Koryolink. The motive of the attack may have North Korean hackers, dubbed TEMP.Reaper (Group 123, been to collect intelligence on the regime’s business Scarcruft). Historically, the majority of their targeting has competitor in order to gain an upper hand in the market. been focused on the South Korean government, military, and
Page 23 of 33 TLP-AMBER MOTIVE: CYBER-WAR
TAKE AWAY Russian actors employ false flag and false front tactics in hybrid wars The US NSA developed tools to monitor operations of other advanced threat actors The US employ sanction against Russian hackers as a cyber-diplomatic tool Researcher found that cyber operations could be designed to cause death Russia and the US are engaged in a proxy cyber war in Ukraine
Attribution & False-flag • The Internet Research Agency (IRA). The IRA allegedly created a vast number of fake online personas and posted Olympic Destroyer – Several independent researchers thousands of ads that reached millions of people online. supported the conclusion that the wiping component • The Federal Security Service (FSB), which is suspected to deployed in these Olympic Destroyer attacks was designed be the real-world organisation behind the front group as a “false flag” tool, aiming to imitate tools deployed by Turla (Snake, Uroburos). North Korean threat actors and perhaps to implicate the • The Main Intelligence Directorate (GRU), which is North Korea in the reported disruptions during the opening suspected to be the real-world organisation behind the ceremony of the games. See in Malware (33). front group APT28 (Fancy Bear, Sofacy). NotPetya – UK, US, Canada, Australia, New Zealand and • Concord Management and Consulting LLC and Concord Denmark publicly attribute the destructive NotPetya cyber Catering, accused of providing material assistance and attack to Russia. Kremlin spokesman Dmitry Peskov said that funding to the IRA. the claims were "groundless". He pointed out that Russian Russia & SWIFT – Discussions of cutting Russia off from businesses were among those whose systems were affected. SWIFT have been heightened surrounding the release of the Comment: Technically, it is very difficult to provide US Department of Treasury's extensive list of influential irrefutable proof to implicate a state actor. Accordingly, this Russians for possible further sanctions. Russian Deputy kind of “finger-pointing” is likely employed as a useful Prime Minister Arkady Dvorkovich stated that while it would instrument in the cyber diplomacy tool box to exert pressure not be as fast or efficient, the Russian banking system could on the offending country. nonetheless function without SWIFT. This is likely due to NSA leaks – spy vs spy – A researcher at a Hungarian firm Russia’s alternative Financial Message Transfer System, discovered that scripts and scanning tools known as which the Central Bank launched in December 2014 as a Territorial Dispute and dumped by Shadow Brokers, were response to initial demands to disconnect the country after created by an NSA team and were designed to track cyber- the annexation of Crimea. operations executed by other nation-state hackers. The NSA Lethal cyber-weapon likely established the team after hackers, believed to be from China, stole designs for the military’s Joint Strike Fighter In August 2017, a petrochemical company with a plant in plane from US defence contractors in 2007. The team was Saudi Arabia was hit by a new kind of cyber attack. According supposed to detect and counter sophisticated nation-state to investigators’ findings that surfaced in 2018, the attack attackers more quickly. was not designed to simply destroy data or shut down the plant. It was meant to sabotage the firm’s operations and US cyber-war against jihadists– Open sources reported that trigger an explosion. The attackers compromised Schneider’s a US-led counterterrorism cyber-espionage operation Triconex controllers, which keep equipment operating safely targeting ISIS and al-Qaeda members was exposed by by performing tasks like regulating voltage, pressure and Kaspersky as a campaign dubbed Slingshot. According to temperatures. See ICS (28). Kaspersky, Slingshot compromised thousands of devices through breached routers in various African and Middle Proxy-war in Ukraine Eastern countries, including Afghanistan, Iraq, Kenya, Sudan, The US Congress is discussing a legislation to reinforce Somalia, Turkey and Yemen. Kaspersky did not attribute cybersecurity cooperation and information sharing with Slingshot to any single country or government in its public Ukraine and prevent Russia from continuing its cyber report, describing it only as an advanced persistent threat assaults on Ukraine. In recent years, the Russian government (APT). US officials fear the exposure may cause the US to lose has disrupted Ukraine’s critical infrastructure via access to a valuable, long-running surveillance program and cyberattacks (e.g. 2015 compromise of Ukraine’s put soldiers’ lives at risk. See also Espionage (25). Prykarpattyaoblenergo power utility).
Sanctions The pro-Russia hacktivist front group CyberBerkut has resurfaced with a narrative supposedly exposing a secret Russia & US Elections – In the context of investigation for arms sale deal between a German defence wholesale interferences in the 2016 presidential election, US company and a subsidiary of Ukraine’s defence sector authorities sanctioned Russian entities and individuals for conglomerate, UkrOboronProm. CyberBerkut is believed to engaging in significant malicious cyber-enabled activities. be one of the longest running hacktivist front groups Sanctioned entities are: operating in support of Russian IO. See Defence and Foreign Affairs (17).
Page 24 of 33 TLP-AMBER MOTIVE: CYBER ESPIONAGE
TAKE AWAY Russian APT actors attributed by a government agency Kaspersky Lab exposes Slingshot, a likely US cyber espionage program APT28 targets entities related to a military conference Likely Turla campaign discovered in Germany
Russian threat groups attributed by the Estonian avoid further exposure. This means that the Kaspersky foreign intelligence service paper describing the Slingshot operation likely ended up Estonian Välisluureamet, which also serves as the Estonian being very costly for the US administration. foreign intelligence service and national communications APT28 targets military conference security authority, stated in their yearly security In February and March, government entities in at least three environment assessment that APT28 (Sofacy/Fancy Bear) European countries were targeted by a spear-phishing was associated with the Russian military intelligence GRU; campaign likely conducted by APT28 (Sofacy, Fancy Bear). Snake (Turla) tied to the federal security service FSB; and Repeated attempts to target the same individual were APT29 (Cozy Bear, the Dukes) associated with the FSB and observed. One phishing email used the subject line of the foreign intelligence service SVR. While these “Underwater Defence & Security 2018 Conference Agenda” associations have been treated as facts for a long time by which likely refers to an event that takes place in March the cyber threat research community, no official state 2018 in Portsmouth, UK. It focusses on topics related to institution seems to have taken on the burden of submarines and the danger posed by mines. Attribution to attribution. See also Russia (21). APT28 was made by one of the targeted countries as the Comment: officially sanctioned acts of finger-pointing are of DealersChoice tool used in this attack is uniquely attributed great help to private cyber threat intelligence companies. to APT28. See also Russia (21). They now have a point of reference and can speak more The group has a history of targeting attendees of military directly about Russian intelligence agencies-related threat conferences (for example the Cyber Conflict US conference actors, associating various cyber operations to particular organised by the NATO Cooperative Cyber Defence Centre intelligence agencies with a higher degree of confidence. of Excellence, see CITAR-Flash-2017-020). Likely Chinese actor targeting entities in Kazakhstan Comment: APT28 is a GRU-associated Russian-speaking Recently, a Russian-language lure document exploiting the attack group active since at least 2004. It has a history of CVE-2017-11882 vulnerability was observed by cyber targeting EU institutions. security researchers. Reportedly, the targeted organisations Windows Defender can now spot FinFisher were in Kazakhstan and the threat actor is likely Chinese. government spyware Kaspersky exposes Slingshot, a likely counter-ISIS US The espionage software, which is sold exclusively to cyber-espionage operation government entities, was notoriously hard to detect and A report from Moscow-based Kaspersky Lab describes a defend against. Windows Defender now has the capability cyber espionage operation called Slingshot, which has been to detect FinFisher intrusions. collecting a wide variety of data and exfiltrating it in a covert Comment: the improving Windows built-in anti-FinFisher fashion. According to open sources, Slingshot is associated capabilities is bad news for governments that use it for with a U.S. military program run by Joint Special Operations lawful interception and combating cybercrime. However, Command (JSOC), a component of Special Operations there are indications that several authoritarian Command (SOCOM). The campaign compromised governments are using FinFisher to monitor dissidents and thousands of devices through breached MikroTik routers in opposition. various African and Middle Eastern countries and seems to Likely Turla campaign in Germany have been targeted against ISIS and al-Qaeda members. There is conflicting open source reporting that multiple Comment: Kaspersky Lab has a history of working to German federal institutions were targeted by what appears uncover likely US-associated cyber threats, such as Stuxnet, to be a Turla campaign. Sensitive sources suggest that Flame, Duqu, and the Equation group. The company is attackers first compromised a federal administration in accused of playing a part in leaking the Equation group tools order to install malware that then served as a hop point to which paved a way to the devastating WannaCry attack carry out the attack against the Foreign Ministry. The (TLR2017Q2 p.25). Apparent intentional or forced officials say that the incident has been isolated and brought participation in espionage against the US caused Kaspersky under control. software to be banished from government systems there The Turla group is a sophisticated and stealthy Russian FSB- (TLR2017Q3 p.27). Kaspersky has sued US Department of associated adversary with a long track record of attacking Homeland Security over blacklisting. Uncovering the government institutions. Slingshot operation is likely not going to help the Russian company in overturning the ban. According to open sources, the standard operating procedure in case a cyber espionage program gets exposed is to “burn”, or get rid of all associated infrastructure to
Page 25 of 33 TLP-AMBER MOTIVE: HACKTIVISM
TAKE AWAY Hacktivists report vulnerabilities to help solving industrial control system (ICS) issues In the US several hacktivist campaigns support political causes The Winter Olympics were targeted by a disruptive cyber operation Turkish nationalist hacktivists react to reports perceived as hostile to Turkey and support Turkish military activities in Syria Russian nationalist hacktivists release sensitive files concerning the sports sector
Hacktivists German magazine, Der Spiegel; India’s envoy to the United Nations (U.N.); and the president of the World Economic SCADA/ICS – The hacktivist known as GhostShell reported Forum (WEF). vulnerabilities in Indian Industrial Control Systems to several Attacks were incited by news reports or statements that the national CERTs. GhostShell, who claims to be a Romanian hacktivists perceived as hostile to Turkey. These cyber hacker and leader of Team GhostShell, reported the IP activities are also part of the group’s campaign supporting addresses and port numbers of more than 46 vulnerable Turkish military operations in northern Syria. SCADA systems, as well as information on remediation to Ayyildiz Tim members claim that the entity dates back to CERT India. GhostShell says the motivation behind reporting 2002. The collective is both relatively large and organised. It these SCADA/ICS vulnerabilities is that he currently works in operates a web forum and classifies much of its membership the cybersecurity industry. based on function. For example, some members self-identify US – Hackers affiliated to Anonymous took down the as “social media experts”, while others focus on offensive websites of AT&T and of the US Army, as part of the #OpUSA operations. Group members maintain affiliations with other campaign. AT&T recently made comments that many known Turkish hacktivist collectives, such as the Turk Hack members of Anonymous viewed the company as being Team. While these associations often claim to directly against net neutrality. support the Turkish government, it is currently unclear #OpUSA targeted government and financial sectors of the US whether a direct relationship between the two exists. to protest current policies. Lithuania & Russia – In January, Lithuanian activists wishing In the wake of the US nationwide discussion on gun to remain anonymous launched an online project called regulation an IP address of the National Rifle Association was “Vatnikas”, a slur against supporters of Russia or the Soviet reportedly targeted with Memcached DDoS attacks Union. This activity was purposed to tribute Freedom Spain – The feminist hacktivist group known as La Nueve de Defender's Day, which honours Lithuania's independence Anonymous compromised the official website of the Bishop from the Soviet Union. The Vatnikas project will likely serve of the Basque city of Donostia (San Sebastián), in retaliation to expose some Russian influence operations. to anti-feminist statements he made earlier. Russia vs US election – According to US media, Guccifer 2.0, Olympics – The Winter Olympics that took place in the hacker provided WikiLeaks with stolen emails from the Pyeongchang, South Korea, were targeted by a malware Democratic National Committee, was an officer of Russia’s attack (wiper) that caused damage on non-critical systems. military intelligence (GRU). Disruption of services included the Olympic website being Russia vs Sports – In January, the pro-Russia hacktivist front offline, meaning individuals could not print their tickets. The group Fancy Bears’ Hack Team released new data that the opening ceremony reporting was degraded due to WiFi group claimed was taken from the International Luge failing for reporters on site. See in Malware (33). Federation (FIL). The release, titled “The FIL Files: Scandinavian Asthmatics, Missed Athletes and Berlinger Hacktivists-Nationalists Bottles,” targets the FIL for Therapeutic Use Exemption (TUE) approvals of prohibited medications, such as salbutamol. Turkey – In January, the Turkish nationalist hacktivist group, Fancy Bears’ Hack Team had previously targeted athletes of Ayyildiz Tim, compromised the social media accounts of two the 2016 Summer Olympics seeking TUE approvals who were former Fox News commentators. In March, Ayyildiz Tim also included in a six-part World Anti-Doping Agency (WADA) the Twitter account of a British Labour Member of database release throughout September 2016. Parliament. This hacktivist group plays an active role in Russian The account compromises are part of an ongoing campaign information operations against sports organisations with the conducted by Ayyildiz Tim that has been active since at least aim to discredit against other athletes and organisations. 14 January 2018. High-profile social media accounts also compromised by the group include that of the editor of the
Page 26 of 33
TLP-AMBER ASSET: DATA BREACH AND EXPOSURE
TAKE AWAY Data breaches can have severe political implications (Cambridge Analytica & Facebook) An energy company faces fines for a data security incident New high profile data breaches affect public and private entities
General Forum – Approximately 685,000 user profiles were affected when the HardwareZone (HWZ) Forum website was hit by a Data breach aficionado Troy Hunt has significantly updated security breach – a senior moderator’s account compromise. his "Have I Been Pwned?" website, adding a data set of 2,844 breach incidents involving 80 million stolen records, and Bank (India) – The embattled Punjab National Bank has introducing version two of his Pwned Passwords service. The reported a data breach affecting 10,000 credit and debit card new data set comes from an online hacking forum. customers. Breached data has been available for purchase through a website for at least three months.
Breaches Telecom (Swisscom) – Swisscom has revealed its customer Facebook – Cambridge Analytica, a U.K.-based data firm that data systems were compromised and information belonging worked for the Trump campaign, harvested the data of 87 to roughly 800,000 customers has been stolen. million Facebook users. In response, Facebook announced it Sports (Olympic Games) – The hacking group “Fancy Bears’ had suspended both Cambridge Analytica for violating user Hack Team” leaked data purportedly taken from the data policies. However, Facebook allegedly knew about their International Olympics Committee (IOC). See in Hacktivism data harvesting for 2 years prior to his revelations. (26). According to media outlets, Facebook acknowledged that Cambridge Analytica may have obtained the data of some Telecom (OnePlus) – Chinese OnePlus smartphone company 2.7m EU-based users of the social network. was breached and up to 40,000 customers’ payment details were likely impacted. Accounting (Equifax) – Equifax announced that the number of affected individuals in last year’s major data breach was Travel – Travel website Orbitz (owned by Expedia) disclosed higher by 2.4 million people and reaches 147.9 million in a possible breach that likely resulted in hackers making away total. with personal information on 880,000 customer payment cards. Energy – A US energy firm has been fined $2.7 million over a data security incident. The unnamed power company had Leaked source – The man behind LeakedSource was arrested agreed to pay the massive penalty and take action to avoid by Canadian authorities. LeakedSource.com is a major future leaks. The incident involved a third-party contractor repository that compiled public data breaches and sold that improperly copied data from the energy firm to its own access to the data. Launched in late 2015, LeakedSource had network. The contractor allowed anyone to access the more collected around 3 billion records from some massive data breaches (LinkedIn, MySpace, Twitter, Weebly, etc.). than 30,000 records. The information was available online for 70 days. Third-party email provider – The email provider Mailgun,
Retails – A misconfigured Amazon (S3) Simple Storage one of the mail services used by the forum site Reddit, was breached. Stolen data included Bitcoin Cash tip accounts. Service bucket, managed by a Walmart jewellery partner, left personal data of 1.3 million customers exposed to the India biometric – India’s biometric database, called Aadhaar public internet. and containing more than 1 billion citizens’ data, was
Cloud – Amazon AWS S3 cloud storage servers might soon reportedly sold on social media for 500 rupees fall victims to ransom attacks, similarly to how hacker groups (approximately USD $7.89). Aadhaar, faced criticism by held tens of thousands of MongoDB databases for ransom Indian privacy activists over its lack of security multiple times throughout 2017, according to a security researcher. in 2017, with breaches reported in May and November. Amazon AWS S3 storage servers have been leaking data all Aadhaar data for sale includes names, telephone numbers, 2017 (NSA, US Army, analytics providers, etc.). and home addresses, but not the database's biometric data, which includes fingerprints. Aadhaar has been increasingly Telecom (BSNL) – French security researcher Baptiste connected to India’s financial system as institutions have Robert, has unearthed loopholes in Bharat Sanchar Nigam integrated their identity verification systems through the Limited (BSNL) website and databases with passwords of database. Such endeavours have created an even greater 47,000 employees. BSNL Mobile (formerly CellOne) is an target for criminal adversaries. Indian state-owned mobile network operator. US DHS – On 3 January, some Department of Homeland Digital services (Certificates) – Digital certificate reseller Security’s (DHS) employees received notification letters that Trustico is sparring with certificate authority DigiCert, which they may have been impacted by a privacy incident. The recently took over Symantec's digital certificate business, privacy incident did not stem from a cyber-attack by external over a serious security incident. Both companies accuse the actors, and the evidence indicates that affected individual’s other of substandard procedures regarding 23,000 digital personal information was not the primary target of the certificates issued by Trustico. The private keys of those unauthorised transfer of data. certificates have been leaked.
Page 27 of 33
TLP-AMBER ASSET: INDUSTRIAL CONTROL SYSTEMS
TAKE AWAY New vulnerabilities steadily appearing in ICS Triton attack on Schneider Electric equipment revealed first-ever RAT on safety-instrumented systems Continuous increase in the number of ICS components accessible over the Internet
New vulnerabilities systems and ensure they are operating within acceptable safety thresholds. Eventually, the malware accidentally 147 Security vulnerabilities found in ICS mobile applications triggered emergency system shutdowns that gave it away. A report from security firms IOActive and Embedi reveals See also Cyber War (24). that flaws in mobile industrial control applications could be exposing industrial IT systems to risks. These are mobile Trends applications used with supervisory control and data acquisition (SCADA) systems deployed in industrial Cryptojacking in water utility company environments around the world. The researchers found 147 Cryptojacking, the relatively new trend of commandeering different security vulnerabilities spread across 34 mobile ICS computing resources for digital currency mining, has found a applications. It is not clear if attackers have exploited any of new target in the infrastructure sector. Recently, a water the reported vulnerabilities against ICS infrastructure. utility in Europe was compromised with Monero mining malware. Siemens fixed three flaws in TeleControl plant Comment: this seems to be the first public discovery of an management product unauthorised cryptocurrency miner impacting Industrial On Feb. 1, 2018 Siemens released patches for three security Control (ICS) or Supervisory Control and Data Acquisition vulnerabilities in its Plant Management Product, the Siemens (SCADA) systems. TeleControl Basic system. The system is utilised in water treatment facilities, traffic monitoring systems, and energy Number of Internet-accessible ICS components is distribution plants. The vulnerabilities are: increasing every year • CVE-2018-4835. Bypass of the authentication mechanism In its review of the year 2017, security company Positive to access TeleControl Server information. Technologies, found that the number of industrial control • CVE-2018-4836. Privilege escalation up to administrative system (ICS) components left open to internet access, is operations. increasing every year. Of the 175.632 internet-accessible ICS • CVE-2018-4837. TeleControl webserver can cause a denial- components detected, approximately 42% were in the, of-service DoS condition disabling the device. representing a 10% increase over the previous year (from Siemens also provided some workarounds to mitigate the 50.795 to 64.287). Germany followed for the second year risk of attacks. with 13.242 components discovered. The Positive Technologies research team also noted that ICS products affected by a critical flaw in CODESYS WebVisu more and more Internet-accessible ICS components are A security researcher from the company IOT discovered a actually network devices, such as Lantronix and Moxa critical stack-based buffer overflow vulnerability in the web interface converters, which represented 12,86% of detected server component of 3S-Smart Software Solutions’ CODESYS components in 2017, up from 5,06% in 2016. Although these WebVisu. The product allows users to view human-machine converters are often regarded as relatively unimportant, interfaces (HMIs) for programmable logic controllers (PLCs) they can be quite useful for hackers. in a web browser. The vulnerability is identified as CVE-2018- 5440 and is quite easy to exploit. The WebVisu product is Risks to ICS environments from Spectre and Meltdown currently used in 116 PLCs and HMIs from many vendors, attacks including Schneider Electric, Hitachi, Advantech, Berghof The Spectre and Meltdown vulnerabilities affect hardware Automation, Hans Turck, and NEXCOM. An attacker can running in the majority of the world’s computing devices. remotely trigger the flaw to cause a DoS condition or remote Spectre comprises two vulnerabilities: CVE-2017-5753 command execution. (bounds check bypass) and CVE-2017-5715 (branch target injection), while Meltdown consists of CVE-2017-5754 Analysis (rogue data cache load). Many HMIs, panels, and displays utilise the affected chips. Some PLC manufacturers are still Schneider Electric: the Triton/Trisis attack assessing the threat. Many systems that support industrial Industrial control systems manufacturer Schneider Electric controllers such as automation systems, batch control presented how hackers gained control of the emergency systems, production control servers, printers, OPC Systems, shutdown system in a targeted attack on one of its SCADA systems, peripheral devices, and IIoT devices customers. Initially, the malware was introduced into the including cameras, sensors, etc., are likely vulnerable. plant through flaws in security procedures that allowed However, Spectre and Meltdown vulnerabilities in these access to some stations, as well as the safety control systems does not necessarily mean industrial control devices network. A zero-day privilege-escalation vulnerability in the are at risk. Triconex Tricon safety-controller firmware was next On 18 of January 2018, seven vendors in the market were exploited to allow the attackers gain control. Via this still “investigating” the impact of Spectre and Meltdown: vulnerability the attackers also introduced the first-ever ABB, Abbott, Johnson & Johnson, Philips, Schneider Electric, remote access Trojan (RAT) to infect safety-instrumented and Siemens. More information on Meltdown and Spectre systems (SIS) equipment. Industrial sites such as oil and gas can be found in CITAR-Flash-2018-001. and water utilities typically use SISes to monitor critical
Page 28 of 33
TLP-AMBER
ASSET: CRYPTOCURRENCY
TAKE AWAY Cryptominers become one of the favourite profit tools for cybercriminals Cryptomining activity is done either via malware or by insiders using an organisation computing resources Most types of computing resources can be abused for this purpose The first case of a cryptocurrency miner affecting industrial control systems was discovered; indicates an ongoing trend of cryptominers on ICS
Trend – Cryptominers Oracle WebLogic exploit used in cryptocurrency mining Cryptocurrency miners become an advancing threat campaign A March 2018 report by Microsoft notes that cybercriminals In January 2018, it was found that attackers had installed and are starting to shift from ransomware to cryptocurrency utilised a cryptominer in vulnerable Oracle Weblogic miners as a source of illegal income. Established malware installations worldwide. The attackers were using a critical families have started to include coin mining routines in vulnerability in the WebLogic app server, known since recent versions. Exploit kits have evolved from spreading December 2017. Cryptominers were installed on PeopleSoft banking trojans to ransomware. Now they are being used to and WebLogic app servers as well as Oracle and Amazon distribute coin miners. cloud environments that were tied to WebLogic app servers. Still, there are additional threats. Browser-based coin miners The crypto mining operation was discovered after several are hosted on websites. When accessed, the malicious servers crashed due to overuse of processing resources. The scripts mine cryptocurrency using the visiting device’s total financial gain of the attackers is estimated at $226.000. computing power (with or without consent). Enterprises face the threat of another form of cryptocurrency miners: It is possible to inject cryptomining software via WiFi legitimate but unauthorised miners that employees and hacking other parties sneak in to take advantage of the sizable Following similar real-world attacks of December 2017 and processing power in enterprise environments. The report using a tool called Coffeeminer researchers have remarks that in such environments blocked unwanted demonstrated how a man-in-the-middle (MITM) attack on a applications of this type increased from 2% in September common access WiFi network (e.g. in a café) can inject 2017, to 6% in January 2018. javascript in html pages, to force all the devices on that network to mine a cryptocurrency for the attacker. Malware targeted mobile devices to mine Monero cryptocurrency tokens Attacks against cryptocurrency systems On February 3, 2018, industry sources disclosed a rapidly expanding botnet called ADB.Miner affecting Android IOTA cryptocurrency users lose $4 million in wallet attack phones and smart TVs in China and South Korea. Since Starting August 2017, an attacker implemented a web site January 31, this worm-like infection has affected supposedly to help IOTA users generate the unique random approximately 5,000 Android smartphones and TVs. string that plays the role of wallet's private key, also named ADB.Miner is a mining botnet based on code from the Mirai a seed. The code that was offered generated a fixed seed and malware. It attempts to mine Monero (XMR) tokens with registered the users. Starting January 19 2018, the attackers infected Android-based devices. The threat actors are likely used the logs to access IOTA accounts with the private keys, seeking to expand mineware operations to other mobile and then collected and started transferring funds out of owners' smart devices. wallets. At the same time IOTA network nodes suffered a DDoS preventing IOTA developers from investigating the Water Utility in Europe hit by cryptocurrency malware suspicious transactions. mining attack, emphasising the trend of abusing ICS Security firm Radiflow, discovered cryptocurrency mining Malware attacks clipboards to steal cryptocurrency malware in the network of a water utility provider in Europe. Since cryptocurrencies use complex strings for identifying The attack was the first public discovery of an unauthorised wallets, users are sure to copy-paste them. Malware cryptocurrency miner affecting industrial control systems ComboJack, discovered by Paloalto first infects users using (ICS) or supervisory control and data acquisition (SCADA) classic phishing techniques and then constantly checks the servers. user’s clipboard. Every time it finds that a sting resembling a The Kaspersky Lab ICS-CERT has reported that wallet is on the clipboard, it replaces it with the attacker’s cryptocurrency miners, between February 2017 and wallet ID aiming to hijack and direct any user fund transfer February 2018, targeted 3.3 percent of the industrial control there. systems it monitors. There has been an increasing trend since September 2017. Security company Darktrace has More on cryptojacking can be found in CITAR-Flash-2018- identified more than 20 cryptocurrency miner attacks over 002. the past six months in the energy and utilities sectors. See also ICS (28).
Page 29 of 33 TLP-AMBER
PART III: TECHNIQUES, TACTICS AND PROCEDURES
TECHNIQUES and TOOLS
TAKE AWAY Memcached reflective DDoS attacks recorded as biggest ever Living off the land – malwareless adversary techniques and tools Slingshot used MikroTik routers to compromise workstations
turning them into microphones by exploiting a feature in the Techniques audio chip. This allows for data exfiltration even if the Memcached servers exploited in biggest DDoS attacks ever computers do not have microphones. Recently, several security firms detected a new technique of Living off the land UDP amplification attacks that takes advantage of exposed Memcached servers. Memcached is a widely used open- The technique of “living off the land” has come to denote the source tool for distributed memory object caching. It is used use of native or other legitimate tools already present on a to speed up queries for frequently accessed data on servers. compromised system to accomplish malicious objectives. It DDoS attacks based on Memcached were first publicly is a so-called “malwareless” technique as there is usually no reported on Feb 27. On February 28, 2018 a record high virus, worm, or any other sort of malicious code involved and traffic of 1,35 Terabits per second hit the software therefore signature-based antivirus software have nothing development hosting site GitHub. On March 5, 2018 a new to detect. The following is a quick overview of native or other record of 1,7Tbps reflection/amplification attack targeted a legitimate tools and what can be achieved with them. customer of a US based internet service provider. This can be Windows PowerShell is the star of fileless attacks. It is considered the world’s largest DDoS attack, a title previously present on any modern Windows computer and allows full held by the Mirai botnet (1,2Tbps). computer management via its own scripting language. The Memcached protocol was never intended to be exposed Virtually any task can be performed using PowerShell. to the internet and therefore does not have sufficient Remote Desktop Protocol, RDP, can be brute forced for security controls. The method utilised is to send “forged” initial attack. request packets to the unprotected Memcached servers. There are examples of BITS, Microsoft Background These requests are spoofed to look as if they come from the Intelligent Transfer Service misuse. Attackers can create addresses to be attacked – flooded with traffic. The self-contained BITS tasks with no registry traces and very Memcached servers respond as expected for legitimate limited footprints. These tasks can be used to download requests but the information they provide (multiplied in malware or malicious PowerShell scripts from a remote volume by several orders of magnitude to the original server, running an installation script, and cleaning up after request) is directed towards the victim, producing what is the malicious tasks have been completed. called a “reflection” DDoS attack. PsExec is a Windows command line based remote Comment: while reflection DDoS is nothing new, the administration tool and allows for the remote execution of exploitation of Memcached has taken it to a new level of processes on other systems. As such, it can be used to efficiency and effectiveness. accomplish a number of malicious tasks, such as starting a Slingshot espionage malware propagated by MikroTik backdoor on a remote computer or running any malicious routers via their management software scripts there. A novel technique was used by the Slingshot APT campaign Wget and cURL can be used for downloading malware files, that distributed the eponymous campaign to its likely ISIS or malicious scripts or new commands from an external al-Qaeda associated victims. The campaign targeted location. It can also be used to download new legitimate MikroTik routers and had its management software, WinBox, tools such as Netcat. download an infected DLL from the router. For more Netcat is a computer networking utility for reading from and information, please see chapter writing to network connections. It can be used by other See also Malware (33). applications and it can work in a “listen” mode for incoming connections. It can be used for port scanning and file transfer. It can even be set up to forward connections and Mosquito attack allows air-gapped computers to exchange act as a proxy. All these features are very useful for system data administrators. Unfortunately, they’re just as useful for Security researchers have demonstrated how two or more cyber attackers. unconnected computers placed in the same room can share data via ultrasound. The new technique, dubbed Mosquito, works by reversing the function of computer speakers and
Page 30 of 33 TLP-AMBER EXPLOITS and VULNERABILITIES
TAKE AWAY Serious vulnerabilities affect many types of IT assets (CPU, servers, routers, VPNs, messaging, virtualisation, web hosting, etc.) Several of the exploits are used for crypto mining
GrayKey iPhone unlocker gained, the attacker could elevate to root privileges and take full control of the device. Cisco Bug IDs: CSCvc82982. In late 2017, word of a new iPhone unlocker device started to circulate: a device called GrayKey, made by a company Exim Email Platform named Grayshift. Based in Atlanta, Georgia, Grayshift was CVE-2018-6789 founded in 2016, and is a privately-held company with fewer An issue was discovered in the base64d function in the SMTP than 50 employees. The GrayKey iPhone unlocker device is listener in the open-source Exim email platform before marketed for in-house use at law enforcement offices or 4.90.1. By sending a handcrafted message, buffer overflow labs. This is drastically different from Cellebrite’s business may happen. This can be used to execute code remotely. model, in that it puts complete control of the process in the 400,000 servers are likely vulnerable. hands of law enforcement while Cellebrite asks the devices to be sent to their lab. Combojack targets cryptocurrencies
CPU – AMD CVE-2017-8579, CVE-2017-8579 Researchers discovered a new asset stealer which targets Israeli hardware security company CTS-Labs published a cryptocurrencies and online wallets. “CryptoJack” functions high-level report on 13 critical vulnerabilities in Advanced by replacing clipboard addresses with an attacker-controlled Micro Devices (AMD) Zen processors. In its analysis, CTS-Labs address which sends funds into the attacker’s wallet. This divided these vulnerabilities into four classes: technique relies on victims not checking the destination MASTERKEY, requires Re-flashing of system BIOS, results in wallet prior to finalising a transaction. In contrast to that Bypass Hardware Validation Boot and code execution in one, which focused on Bitcoin, ComboJack targets a range of AMD’s Platform Secure Processor. cryptocurrencies in addition to Bitcoin, including Litecoin, RYZENFALL, requires SYSTEM level privileges and vendor Monero, and Ethereum. supplied driver, results in code execution in AMD’s Platform Secure Processor. 4G LTE networks spy and spoof vulnerabilities FALLOUT, requires SYSTEM level privileges and vendor Researchers discovered a number of weaknesses in the 4G supplied driver, results in access to BIOS protected memory LTE networks that could be exploited by attackers to regions and code execution in AMD’s Platform Secure eavesdrop on phone calls and text messages, knock devices Processor. offline, track location, and spoof emergency alerts. CHIMERA, requires SYSTEM level privileges and additional Researchers highlighted that defence against the attacks unknown resources, results in code execution. may be difficult without a significant overhaul of the current Samba Servers – password reset and DoS vulnerabilities 4G LTE infrastructure. The vulnerabilities are most worrying and once again raise concerns about the security of the cell CVE-2018-1050, CVE-2018-1057 standards in the real world, potentially having an industry- In March, Samba maintainers released urgent patches for wide impact. two critical vulnerabilities that could allow unprivileged remote attackers to launch DoS attacks against servers and Remotely Exploitable Flaws Patched in DHCP change any users' passwords, including admin's. CVE-2018-5732
Critical Apache Solr bug – cryptocurrency mining Updates released by the Internet Systems Consortium (ISC) for the Dynamic Host Configuration Protocol (DHCP) CVE-2017-12629 software patch two remotely exploitable vulnerabilities Hackers hit over 1,400 Apache Solr servers in order to install discovered by a researcher at Google. A malicious client a cryptocurrency miner. The attack on Apache Solr servers which is allowed to send very large amounts of traffic bears some resemblance to a campaign which exploited (billions of packets) to a DHCP server can eventually overflow unpatched Oracle WebLogic instances to install a mining a 32-bit reference counter, potentially causing dhcpd to script and earn attackers the bitcoin-alternative Monero. crash. The security hole is rated high severity. ISC said there
Cisco– SSH exploitation was no evidence that the vulnerabilities had been exploited for malicious purposes. CVE-2018-0141 A vulnerability in Cisco Prime Collaboration Provisioning Microsoft partly patches a copy/overwrite vulnerability (PCP) Software 11.6 could allow an unauthenticated, local CVE-2018-0826 attacker to log in to the underlying Linux operating system. The vulnerability allows an attacker to copy or overwrite files The vulnerability is due to a hard-coded account password to locations it normally shouldn't, such as the \Windows on the system. An attacker could exploit this vulnerability by folder. Since files located in that and other folders are connecting to the affected system via Secure Shell (SSH) sometimes automatically executed by various trusted using the hard-coded credentials. A successful exploit could applications and even the OS itself, this bug is a good and allow the attacker to access the underlying operating system simple way of gaining admin-level privileges on a Windows as a low-privileged user. After low-level privileges are system. The researcher that uncovered the vulnerability
Page 31 of 33
TLP-AMBER specifically filed two distinctive bug reports with Microsoft Researchers disclosed a vulnerability in the Oracle MICROS so its engineers would understand there are two ways of PoS system. There are more than 300,000 potentially exploiting this vulnerability. Despite his efforts, the affected systems worldwide, mainly in the hospitality researcher was unpleasantly surprised when Microsoft only industry (food, beverage, hotels). The personal data of patched the first method, but not the second. customers—including credit and debit card information— and confidential business information are at risk. BGP Flaws Patched in Quagga Routing Software Cisco (SSL) VPN CVE-2018-5379, CVE-2018-5381, CVE-2018-5378 CVE-2018-0101 Several vulnerabilities that could lead to denial-of-service, Cisco released a security advisory regarding a vulnerability in information disclosure, and remote code execution have the SSL VPN functionality of the Cisco Adaptive Security been patched in the Quagga routing software suite. Quagga Appliance (ASA) software. Cisco stated that this vulnerability implements the Open Shortest Path First (OSPF), Routing could allow unauthenticated actors to remotely execute Information Protocol (RIP), Border Gateway Protocol (BGP) code. This vulnerability is rated 10 out of 10 (Critical). and Intermediate System to Intermediate System (IS-IS) protocols for Unix-like platforms, particularly Linux, Solaris, 10 new VM escape vulnerabilities discovered in VirtualBox FreeBSD and NetBSD. See Digital Infrastructure (18). CVE-2018-2676, CVE-2018-2685, CVE-2018-2686, CVE-2018-
2687, CVE-2018-2688, CVE-2018-2689, CVE-2018-2690, CVE- [Zero Day] Telegram 2018-2693, CVE-2018-2694 Oracle has released patches for ten vulnerabilities in A zero-day vulnerability was discovered in the desktop VirtualBox – its virtualisation platform – which allow version for end-to-end encrypted Telegram messaging app. attackers to break out of guest operating systems and attack It was being exploited in the wild in order to spread malware the host operating system that VirtualBox runs on. that mines cryptocurrencies such as Monero and ZCash. The Telegram vulnerability was uncovered by security researcher Web application writing platform Alexey Firsh from Kaspersky Lab last October and affects only CVE-2018-1000006 the Windows client of Telegram. Electron, a popular web application writing platform WordPress websites DoS flaw underlying some extremely widespread software including Skype and Slack, is vulnerable to a critical remote code CVE-2018-6389 execution vulnerability. A security researcher exposed a vulnerability tracked as CVE- 2018-6389 that could be exploited to trigger DoS condition Oracle WebLogic Exploit – Cryptocurrency Mining of WordPress websites. The expert explained that the CVE- Campaign 2018-6389 flaw is an application-level DoS issue that affects CVE-2017-10271 the WordPress CMS and could be exploited by an attacker A security researcher found attackers had mined 611 even without a massive amount of malicious traffic. An Monero coins, which carries a current value of $226,070, by attacker with a good bandwidth or a limited number of bots exploiting the WebLogic Flaw in vulnerable servers around can trigger the CVE-2018-6389 vulnerability to target the globe. The attackers were using a proof-of-concept popular WordPress websites. The researcher reported this exploit released in late December by Chinese researcher Lian DoS vulnerability to the WordPress team through HackerOne Zhang that uses a critical vulnerability in the WebLogic app platform, but the company refused to acknowledge the flaw. server; Oracle issued a patch for the flaw in October. In this Adobe Flash recent case, the attackers were using the exploit solely to launch crypto miners on PeopleSoft and WebLogic app CVE-2018-4878 servers as well as Oracle and Amazon cloud environments The Flash vulnerability is a use-after-free vulnerability that that were tied to WebLogic app servers. allows remote code execution. It was spotted targeting Windows users via emails with Office documents that Microsoft Office Zero-Day contain embedded and malware-laden Flash content. CVE-2018-0802 Successful exploitation could potentially allow an attacker to The zero-day vulnerability is a memory corruption flaw in MS take control of the affected system. It has been exploited in Office. In the past few months it had been actively exploited the wild, especially by North Korea based threat actors. See by multiple attackers in the wild. The vulnerability can be also North Korea (23). exploited for remote code execution by tricking the victim
into opening a specially crafted malicious Word file in MS DCShadow Office or WordPad. A tool targeting the vulnerability was observed circulating in the Russian underground. It was Two researchers demonstrated an attack, dubbed allegedly exploited by China-based actors for targeted DCShadow, on Microsoft's Active Directory software that let intrusions operations in Asia. them insert their own domain controller into an existing enterprise setup. Benjamin Delpy, the Mimikatz creator, and JBoss Deserialisation vulnerability Vincent Le Toux presented their technique at the Windows' CVE-2017-12149 Blue Hat conference in Israel. DCShadow allows an attacker Security experts discovered a new Linux Monero crypto- to create a rogue domain controller in an Active Directory miner botnet dubbed PyCryptoMiner spreading over the SSH environment, and use it to push malicious objects. protocol. The botnet is actively being developed and Oracle MICROS PoS system operators have added scanner functionality hunting for vulnerable JBoss servers (exploiting CVE-2017-12149). CVE-2018-2636
Page 32 of 33 TLP-AMBER
MALWARE
TAKE AWAY Olympic Destroyer destructive malware was used in false flag operation Slingshot cyber espionage tool uses MikroTik routers to infect victims
Olympic Destroyer attacks the Olympic games Slingshot The website for the PyeongChang 2018 Winter Olympics Slingshot is the general name of a likely US-cyber espionage suffered a denial of service attack and went down just before software suite as well as the operation conducted with the the opening ceremony. The site stayed down for about help of this toolset. It has a unique infection mechanism that twelve hours. Users were unable to view information about targets its victims via the MikroTik routers. WinBox, the the Games and print tickets to Olympic events. Sung Baik- router management software, downloads a DLL straight you, the Olympic Games organising committee spokesman from the router. The attackers compromised this DLL and confirmed, that the problems were caused by a cyber attack. added the Slingshot loader. The compromised file proceeds He also said that a decision has been made not to reveal the to download various modules, including a kernel module and source of the denial of service attack. The attack is likely a user-mode module. These modules are designed to collect related to credential harvesting campaigns noticed in the and steal data and keep the system compromised. As some sports sector in November and December 2017. of the code runs with kernel privileges, it has full control over The malware associated with the incidents is the system and can conceal itself from anti-virus software. OlympicDestroyer. It does not try to steal data from The malware collects screenshots, keyboard data, network compromised systems or hold files for ransom. Instead, it data, passwords, USB connections, desktop activity, the tries to spread laterally from computer to computer and contents of the clipboard. It also disables the defragmenting render them unusable. It deletes Windows volume shadow the hard drive because it uses its own encrypted file system copies, system backup folder, disables Windows pre-boot that can be in an unused part of the hard drive, so recovery console, deletes event logs, disables all services and defragmenting can overwrite the Slingshot file system. shuts down the computer. The result is a crippled Windows See also Cyber Espionage (Error! Bookmark not defined.). system that is unable to start up. Comment: The malware was designed to spread aggressively HeaderDropper and render computers unusable. This suggests that Olympic HeaderDropper is a custom malware dropper that has been Destroyer is truly what the name says – malware designed to in development since 2015. This malware is used to deliver sabotage the Olympic Games. an embedded payload. HeaderDropper is uniquely There has been no clear attribution of the attacks. Some attributed to the Russian GRU-associated Fancy Bear researchers point out North Korea’s potential involvement. (Sofacy, APT28) and has been used to deploy other tools Others highlight technical similarities to NotPetya and such as DownRage and X-Agent. It is likely that Fancy Bear BadRabbit Russian-associated attacks. Yet other researchers uses this malware in espionage operations against foreign point out that the malware code is similar to multiple governments and government-related entities. The likely Chinese cyber tools. However, open sources predominantly propagation technique is spear phishing. attribute the destructive attack to Russia. See also false-flag attacks. See also Cyber War (24).
Page 33 of 33