
BROUGHT TO YOU BY

THE VISION
EXPERTISE DELIVERED STRAIGHT FROM THE FRONTLINES OF CYBER ATTACKS

PAGE 3  STATE OF THE NATIONS
A global look at the rise in state-sponsored cyber attacks in 2018

PAGE 4  A FINANCIAL STRONGHOLD
How one bank is winning the war on cyber crime

PAGE 6  WHAT ABOUT THE PLANT FLOOR?
Our six subversive concerns for industrial environments

PAGE 8  FOLLOW THE MONEY
We take a look at the operations of the FIN6 cyber crime group

THE PROTECTIVE STATE
The evolving role of Governments in cybersecurity

POLITICAL

The role of governments as their nations' primary provider of security against all threats is as compelling as ever. Yet few still have difficulty in grasping the rapid increase in interconnectedness and interdependency to determine how best to use a Regulate, Facilitate, Collaborate (RFC) model for the benefit of the private sector in creating a robust environment in which to conduct business and, increasingly, operate critical national infrastructure.

With cybersecurity vital to a properly functioning and prosperous economy, it is critical that governments take the lead, and that this is recognized by their citizens.

So far, the 21st century has seen continued wide-scale deregulation and privatisation, with many nations' critical infrastructure – in sectors such as energy, transport, finance and medicine – now in the hands of the private sector. These sectors are constantly under threat, not least because of the increased globalisation of societies and economies. When these threats transpire, the potentially crippling effects are felt regionally, nationally and even globally.

The difficulty in securing critical infrastructures is due in part to the differing motives of the private and public sectors. The former is corporate efficiency with maximized profit, often leading to the implementation of minimum levels of security. The latter is social order, national security and economic prosperity. Most developed countries have an 'all hazards' approach to address a wide range of threats to their population. Yet in some cases, governments are not even the primary security provider, such as when they don't provide close supervision of, or operational control over, critical infrastructures operated by the private sector.

This changing global landscape shouldn't mean a lesser responsibility for governments as legitimate providers of security, but rather that they should work to understand the changing world and their role within this new environment of increasing interconnectedness.

For governments to be successful in this new environment, their remit must transcend their historical regulatory role. Instead, they must tackle how they can best assist the private sector to invest in security (facilitation), and how the public and private sectors can work together to improve the prevailing state of security (collaboration).

We cannot overstate the importance of developing strategies through a Regulate, Facilitate, Collaborate (RFC) framework, supported by the ability to draw upon lessons learned from other types of threat such as pandemics, war and terrorism.

Because the security environment around us is complex – and different organisations are more receptive to certain measures than others – there's no one-size-fits-all solution. Whilst governments cannot control every aspect of cybersecurity, they can certainly help to shape its future, with the benefit of past lessons learned from other nations and different threats.

THE VISION | FIRST EDITION

THE EDITOR'S VIEW
2017: The worst year in cybersecurity history?

INDUSTRY

The Vision recalls a year that the industry would be happy to consign to history.

You know when a cyber attack has reached a different level when its effects are global and the general public talk about it. Last year, we witnessed not one, but three such incidents.

When WannaCry rampaged across the globe on May 12 2017, it infected more than 300,000 computers in 150 countries. In the UK alone, more than 80 National Health Service hospitals were impacted, resulting in cancelled surgeries and diverted ambulances. President Trump's homeland security adviser Tom Bossert attributed the attack to North Korea, saying: "North Korea has acted especially badly, largely unchecked, for more than a decade... WannaCry was indiscriminately reckless. If ordinary men and women around the world hadn't known the meaning of 'ransomware', they did now."

The following month, the NotPetya virus was launched in Ukraine and rapidly spread across the world. In a way, NotPetya's 'wiper' malware was even worse than WannaCry because affected organisations' data was destroyed, rather than merely held hostage. Consumer goods manufacturers, transport and logistics companies, pharmaceutical firms and utilities suffered reported economic losses of over $1 billion.

The summer of cyber woe peaked in August when Equifax reported the loss of the sensitive personal records of 145 million people. The reaction was swift and severe. Within days, the market cap loss exceeded $5 billion. In the US, the FTC and both houses of Congress launched investigations. Equifax's CIO, CISO and, later, CEO all fell on their swords in the aftermath.

2017: not a year to remember with fondness, nor one that anybody would like to see repeated.

Disturbing attack trends on industrial control systems

Until recently, cyber attacks occurred mainly in digital, rather than physical, environments. But the ability for organisations to control and monitor more of their physical processes online drastically increases their vulnerability. This is being increasingly exploited by nation states who are turning their sights toward chemical facilities, energy platforms, transportation networks, manufacturing plants, pipelines and water systems. Illicit reprogramming of safety instrumented systems in this critical national infrastructure could bring catastrophic ramifications: not only to physical assets, revenues and reputation, but potentially a risk to human life and political stability.

The type of systems in question monitor processes and trigger alarms if hazardous thresholds are reached. Last July, a joint US Department of Homeland Security / FBI bulletin warned that hackers had targeted such systems at the Wolf Creek nuclear power plant in Kansas. And our own investigators recently responded to an incident at a facility where an attacker deployed malware designed to manipulate safety systems. The consequences of emergency shutdown systems at a nuclear plant or chemical facility being manipulated or disabled are unthinkable.

On a similar note, please read our article describing the types of subversive concerns for industrial control systems, Page 6.

STATE OF THE NATIONS
FOUR NEW STATE-SPONSORED APTS COME TO THE FORE

INTERNATIONAL

At FireEye we label attackers as APT groups when we have solid evidence of their sponsoring nation, TTPs, target profile and attack motivations. Last year, four joined the ranks. Unlike many cyber criminals, APT attackers often pursue their targets over months or years, all the while adapting to attempts to remove them from the network and frequently targeting the same victim if their access is lost.

Russia and still top the list of the most sophisticated adversaries, but May last year saw the first APT group attributed to a different nation, and the number is increasing.

APT32 – aka the OceanLotus Group – has been targeting foreign corporations with investments in Vietnam as well as foreign governments, journalists and dissidents since at least 2014. It's also believed that the group has targeted network security and technology infrastructure corporations with connections to foreign investors. It recently used social engineering emails with ActiveMime file attachments to deliver malicious macros downloaded from a remote server. We believe the group may be aligned with the Vietnamese national interest, with recent activity targeting private interests suggesting a threat to companies doing business or preparing to invest in Vietnam.

The Iranian threat group APT33 has been conducting cyber espionage to collect information from defense, aerospace and petrochemical organisations since at least 2013. There's also evidence that suggests targeting of Saudi Arabian and western organisations that provide training, maintenance and support for the country's military and commercial fleets. Whilst being unclear about the group's specific motivation, we believe it could ultimately erode organisations' competitive advantage.

APT34 has been carrying out reconnaissance aligned with Iranian strategic interests since 2014. From monitoring the group's activity, we believe its main targets are Middle East-based financial, government, energy, chemical, telecommunications and other industries. There's strong evidence that the group is acting on behalf of the Iranian government.

APT35 – aka the Newscaster Team – is yet another threat group sponsored by the Iranian government, set up to carry out long-term, resource-heavy operations to collect strategic intelligence. Targets include the US and Middle Eastern military, diplomatic and government personnel and organisations in the media, energy, defense, engineering, business services and telecoms sectors.

BUILD BETTER VISIBILITY INTO YOUR NETWORK
You are not an island - everybody is connected

Whilst today's unprecedented efficiency and speed of communication within organisations, across borders and between governments has brought untold benefits, it is causing headaches for CIOs, CISOs and others responsible for their organisations' cyber security.

Even if they are not a direct target, organisations may be affected indirectly due to connected infrastructure, as amply demonstrated in last year's widespread attacks by EternalPetya, WannaCry and BADRABBIT.

EternalPetya targeted businesses, airports and government departments in Ukraine, but also disrupted the operations of some multinational organisations with ties to the country. Any future cyber attacks on elements of Ukraine's critical infrastructure could cause substantial collateral damage to neighbouring countries and businesses operating in the region.

This serves as a warning of the potential for geopolitically motivated attacks to cause significant economic damage in the immediate and surrounding regions, wherever in the world an organisation is based or has operations. Nobody is in any doubt that, as hostile activity by nation states ramps up, these types of incident will increase, causing significant economic losses and widespread disruption.

Aside from this, organisations will continue to be caught out by more 'everyday' threats because basic precautions which should be regarded as a given are not enforced in many public and private sector organisations. Poor employee education, not updating systems and software, inadequate password control, poor supply chain due diligence and lack of governance are still making it simple for cyber criminals to operate with relative ease.

Industries Investigated By Mandiant in 2017

Below shows the percentage of investigations for each industry carried out by Mandiant on targeted attack activity, conducted between October 1, 2016 and September 30, 2017.

Industry                           Americas   APAC   EMEA   Global
Financial                             17%      39%    24%     20%
Business & Professional Services      18%      10%    12%     16%
Other                                 12%      20%    22%     15%
Entertainment and Media               11%       7%     5%     10%
Healthcare                            12%       2%     2%      9%
Government                             6%       7%    18%      8%
High Tech                              9%      10%     7%      8%
Retail and Hospitality                10%       2%     4%      8%
Energy                                 5%       2%     7%      5%

Source: M-Trends 2018 report

THE VOICE OF THE CLIENT

A FINANCIAL STRONGHOLD
HOW ONE BANK IS WINNING THE CYBER WAR WITH FIREEYE

Jed Lumain, Chief Technology Officer, Rizal Commercial Banking Corporation, summarizes the benefits of partnering with FireEye.

"RCBC is one of the top universal banks in the . We are fourth to eighth, depending on the metric that you want to use. We pride ourselves in being very innovative. We have the courage to go and try out new things.

"We are entrusted with the very precious personal information of our clients and we have to be very careful about that … our business is trusted. In the last two or three years, crime suddenly took notice of the fact that you don't have to go to the bank to steal anything … you can do it from wherever, and so that became a problem.

"We now have to worry about third party connections as well. We sort of prioritize what we call ingress points, where these are potential areas where you could be breached. We knew that email is the easiest source, so we started with FireEye ES PX, which would actually mimic the person clicking on that link or that attachment, but safely, because they do it in a sandbox and they observe what happens to that payload. We also have the NX, which actually guards our internet traffic or our HTTP traffic. It guards the browsing capabilities of all our employees and it guards our applications to where it connects to one of my favourite applications, the HX. We have several thousand endpoints and it's really impossible to monitor each one of them. HX gave me a way to protect all these endpoints even when they are travelling or outside the bank.

"You get to learn about the problems that others – probably across the globe – have encountered so you don't get to suffer the consequences. You cannot have a solution that works for a problem in the past; you have to have a solution that works for a problem for today. So far, we have had that kind of solution with FireEye.

"One of our basic strategies is to work with very few and select partners. We have viewed FireEye as one of those strategic partners … both the people and the technology in FireEye are very reliable to us. FireEye is one of the main security companies out there, but it's probably the only one that comes up with innovations that are really relevant."

"It was the Mandiant Incident Response services from FireEye that enabled us to understand the extent of the breach, reverse engineer all of the malware, and block further attempts."
— Spokesperson for Financial Services Provider

CASE STUDY

FireEye's expertise recently helped one of Asia's oldest and most profitable financial services providers to block a sustained cyber attack and prevent further breaches.

The attack first became apparent when bank staff were unable to access a domain controller — a server that responds to security authentication requests within a Windows Server domain. An internal investigation discovered a suspicious login account with domain administrator privileges, enabling unrestricted access to thousands of Windows servers and clients across the organisation. The potential for many host systems to have been compromised became quickly apparent.

The bank immediately retained our Mandiant Incident Response services to assist with an enterprise-wide investigation. Initial findings revealed that the breach followed a very familiar pattern: initial compromise, establishment of a foothold, escalation of privileges, internal reconnaissance and completion of mission. The attackers had established their presence in the Microsoft Windows environment during the first month of the attack, but evaded detection by the bank's security infrastructure by using encryption, anti-forensics and other sophisticated techniques.

The drawn-out campaign was uncovered before the attackers managed to accomplish their final goal. However, our team found that 96 systems had been breached, including 30 which had active malware running at the time of investigation. These included many advanced malware samples that were named to blend in with commonly-installed utilities on the bank's systems.

The attackers had planted backdoor and data loading programs before using screen grabbing and key logging to capture passwords from authenticated users.

On the Mandiant team's advice, the bank put in measures that successfully blocked the attackers' infrastructure access. It also blocked comms between the bank and an infected subsidiary to halt any further lateral movement attempts, as well as removing compromised access control lists which had been fraudulently set up between the bank and the subsidiary.

The attackers withdrew on realizing that the bank was committed to tracking their activity. An aggressive remediation plan was drawn up covering short, medium and long-term time frames, as guidance and supervision for several external vendors involved in executing the plan.

As is always the case, the profiles and characteristics used in the attack were uploaded to Mandiant Advanced Threat Response Centers around the world to further enhance our industry-leading global threat intelligence.

26 servers & 70 workstations compromised
20 IP addresses & 5 fully qualified domain names associated with attackers' infrastructure
30 hosts identified with screen grabber malware artefacts
50+ user profiles infiltrated with key logging software

Malware identified: WITCHCOVEN, Upatre, XtremeRAT, Ruskill, Gh0stRAT, Zeus (aka Zbot), CANNONFODDER, Jenxcus, Hussarini, Fareit

VISION IS THE ABILITY TO ACT ON WHAT YOU CAN SEE

ANALYSIS

CURRENT CYBER THREATS TO INSURANCE AND FSI
OUR FRONTLINE INTELLIGENCE IS YOUR GREATEST ALLY

The volume of sensitive data, high worth of client bases and prominent profiles of organisations in the financial services and insurance sectors make them continued key targets for attackers. Here, we look at the three most likely types of attackers, and their motives.

Cybercriminals
Consumer services and mobile apps for personal financial management are key targets for credential theft. Existing infections such as bots can provide a way to gain access to large networks of high value victims.

Hacktivists
Hacktivists focusing on economic, social or political issues will seize the chance to disrupt and/or embarrass organisations they view as responsible, or at the very least as having some involvement. Alternatively, they may draw attention to an unrelated issue using this highly visible platform.

APT groups
APT groups sponsored by or otherwise associated with a country may conduct disruptive or destructive attacks to give their government leverage over an adversary.

We investigated a situation at a bank that had discovered criminals using fraudulent debit cards to make unauthorized ATM withdrawals in Eastern Europe. They had breached the bank's card management system and software, and then stolen, or attempted to steal, $150,000 from customer accounts.

The breach had been made possible by an employee inadvertently visiting a website hosting a browser-based exploit that installed a backdoor on his or her system. This enabled the attackers to use the employee's legitimate credentials to gain access to the card management system and increase recorded balances and withdrawal limits for several customer accounts. They then changed the accounts' PINs, which allowed them to take the maximum amount from these accounts using seemingly legitimate credentials.

WHAT ABOUT THE PLANT FLOOR?
6 SUBVERSIVE CONCERNS FOR INDUSTRIAL ENVIRONMENTS

MANUFACTURING FEATURE

Industrial enterprises including electric utilities, petroleum companies, and manufacturing organisations invest heavily in industrial control systems (ICS). Without the technology operating the plant floor, their business doesn't exist. Board members, executives, and security officers are often unaware that the technology operating the economic engine of their enterprise invites undetected subversion. Here are the six key weaknesses that an adversary can use to undermine a plant's operation.

A GREAT REPUTATION CAN TAKE A LIFETIME TO BUILD. LOSING IT CAN TAKE SECONDS.

1. UNAUTHENTICATED PROTOCOLS

Many industrial control systems (ICS) protocols operate without authentication and therefore lack the ability to ensure that data comes from a trusted source. This enables any computer on the network to send commands that alter the physical process, such as changing the set point or sending an inaccurate measurement value to the Human Machine Interface (HMI).

This may in turn lead to incorrect process operation, with a number of potentially catastrophic results including damaged goods, damage or destruction of plant equipment, risk to personnel and environmental damage. Source authentication is normally achieved by verification and use of cryptographic keys.

2. OUTDATED HARDWARE

Because ICS hardware can be quietly running away in the background for decades, it may operate too simplistically or lack the processing power and memory to handle the threat environment present in modern network technology. We're referring to PLCs, RTUs, VFDs, protective relays, flow computers and gateway communicators.

Both these and software assets may also not be viable for monitoring or testing, and the older systems become, the fewer people possess detailed technical knowledge of their operation and of how to resolve problems. Not only that, but the effect of system changes could also be difficult to predict, bringing its own risks.

3. WEAK USER AUTHENTICATION

User authentication is the ability to ensure that only intended individuals can access a computer or use its programs. With ICS, this is commonly done by means of passwords, and here lies a problem. User authentication weaknesses in legacy systems often include passwords that are hard-coded, easily cracked or guessed, stored in easily recoverable formats or sent in clear text.

Any attacker who obtains these passwords may be able to interact with the controlled process at will. It's also not uncommon for users to not be included within corporate IT governance strategies, nor made aware of the implications of poor practice.

4. WEAK FILE INTEGRITY CHECKS

Integrity checking means being able to verify the integrity and origin of data or code, normally achieved by cryptographic verification. Unfortunately, this is deficient in ICS under the following circumstances:

Weak software signing: allows attackers to either mislead users into installing software that didn't originate from the vendor, or replace legitimate files with malicious ones.

Weak firmware integrity checks: an attacker who can upload firmware – which is normally more difficult to change or update than software – can control the entire operation of the device.

Weak control logic integrity checks: inadequate checks mean that a PLC will accept the logic without verifying it, enabling unauthorized users to alter set points and take control of the equipment.

5. VULNERABLE WINDOWS OS

Engineering workstations and HMIs often run outdated and unpatched Microsoft Windows operating systems, leaving them exposed to known vulnerabilities when connected to the internet. In some cases, this means that attackers can access systems without needing specific knowledge, purely by using kits that incorporate exploits for older and non-updated systems.

This can happen even if patches are available (it's not difficult for attackers to obtain exploit code for vulnerabilities affecting supported Windows operating systems, let alone Microsoft Windows XP, for which support ceased in 2014, and Windows Server 2003 and Small Business Server 2003, support for which ended in 2015).

6. UNDOCUMENTED THIRD-PARTY RELATIONSHIPS

In our experience, organisations running ICS seldom document and track third-party dependencies in the ICS software that they operate. Indeed, many vendors themselves may not immediately be able to lay their hands on what third-party components they use, making it difficult for them to share information about vulnerabilities with their customers.

An attacker who understands these dependencies can target ICS software that an organisation may not even know it has. Numerous vulnerabilities in ICS systems produced by global vendors have gone undetected – sometimes for years – for this very reason.
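The following is an added example written for this page (not code from the article, FireEye or any ICS vendor) illustrating the two points above about source authentication with cryptographic keys and control-logic integrity checks. It uses a constructed, hypothetical frame layout: a sequence number, a command kind, the payload, and an HMAC-SHA256 tag under a device-provisioned key; the key, commands and set-point values are assumptions. An unauthenticated parser is shown beside the authenticated receiver, which rejects forged, tampered and replayed frames before anything reaches the process.

```python
"""Authenticating ICS commands and control-logic uploads (added example).

Frame layout (constructed for this example, not a real ICS protocol):
    seq (8 bytes, big-endian) || kind (1 byte) || payload || tag (32 bytes)
    tag = HMAC-SHA256(device_key, seq || kind || payload)
"""
import hashlib
import hmac
import struct

TAG_LEN = 32
HDR_LEN = 9                      # 8-byte sequence number + 1-byte kind
KIND_SETPOINT = 0x01             # change a process set point
KIND_LOGIC = 0x02                # upload new control logic to the PLC


def parse_unauthenticated(frame: bytes):
    """What an unauthenticated protocol does: act on whatever arrives."""
    seq, kind = struct.unpack(">QB", frame[:HDR_LEN])
    return True, "accepted without checks", kind, frame[HDR_LEN:]


class AuthenticatedReceiver:
    """Receiver-side check run before any command reaches the process."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key
        self.last_seq = -1        # highest sequence number acted upon

    def verify(self, frame: bytes):
        """Return (accepted, reason, kind, payload)."""
        if len(frame) < HDR_LEN + TAG_LEN:
            return False, "truncated frame", None, None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.device_key, body, hashlib.sha256).digest()
        # Constant-time comparison; a plain == would leak timing information.
        if not hmac.compare_digest(expected, tag):
            return False, "tag mismatch: unsigned or tampered", None, None
        seq, kind = struct.unpack(">QB", body[:HDR_LEN])
        # Monotonic counter: a captured frame cannot be replayed later.
        if seq <= self.last_seq:
            return False, "replayed sequence number", None, None
        if kind not in (KIND_SETPOINT, KIND_LOGIC):
            return False, "unknown command kind", None, None
        self.last_seq = seq
        return True, "ok", kind, body[HDR_LEN:]


def sign_frame(device_key: bytes, seq: int, kind: int, payload: bytes) -> bytes:
    """Sender side (engineering workstation or SCADA server): build and tag a frame."""
    body = struct.pack(">QB", seq, kind) + payload
    return body + hmac.new(device_key, body, hashlib.sha256).digest()


def run_scenarios(device_key: bytes = b"constructed-32-byte-device-key!!") -> dict:
    """Exercise the receiver with constructed good, forged, tampered and replayed frames."""
    rx = AuthenticatedReceiver(device_key)
    setpoint = struct.pack(">f", 72.5)                    # e.g. 72.5 degrees C
    good = sign_frame(device_key, 1, KIND_SETPOINT, setpoint)

    # 1. Forged frame from a host that does not hold the device key.
    forged = sign_frame(b"wrong-key", 2, KIND_SETPOINT, struct.pack(">f", 400.0))
    # 2. Genuine frame with one payload byte altered in transit (set point changed).
    tampered = bytearray(good)
    tampered[HDR_LEN] ^= 0xFF
    tampered = bytes(tampered)
    # 3. Genuine control-logic upload from the holder of the key.
    logic = sign_frame(device_key, 3, KIND_LOGIC, b"LD I0.0\nST Q0.0\n")

    return {
        "unauthenticated_accepts_forgery": parse_unauthenticated(forged)[0],
        "good": rx.verify(good)[1],
        "forged": rx.verify(forged)[1],
        "tampered": rx.verify(tampered)[1],
        "replay": rx.verify(good)[1],                     # same frame sent again
        "logic_upload": rx.verify(logic)[1],
        "accepted_setpoint": struct.unpack(">f", rx.verify(
            sign_frame(device_key, 4, KIND_SETPOINT, setpoint))[3])[0],
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:32s} {outcome}")
```

In a real deployment the key would be provisioned per device and the sequence counter persisted across restarts; a shared symmetric key also means any host holding it can sign, which is why the text pairs this with user authentication and governance.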

FOLLOW THE MONEY
DISSECTING THE OPERATIONS OF THE CYBER CRIME GROUP FIN6

FINANCIAL

FireEye Threat Intelligence and our subsidiary iSIGHT Partners recently got together to illuminate the activities of a financial threat group known as FIN6. This unique combined insight provided extensive visibility into its operations, from initial intrusion to navigating victims' networks, and the sale of the stolen card data.

FIN6's METHODS
Email phishing / credential theft -> Lateral movement on the network -> Grab new malware -> POS malware -> Payment card data to the cyber criminals -> Card shop
(INDISCRIMINATE -> TARGETED -> CASH OUT)

Frustratingly, reports on payment card intrusions and theft are often fragmentary, concerning individual elements of the attack rather than capturing the end-to-end cycle of compromise, data theft, illicit sale and use. This is due to the full scope of attacker activity traditionally occurring beyond the view of any one investigation team.

FireEye Threat Intelligence and iSIGHT Partners (part of FireEye) recently combined our research to illuminate the activities of one particular financial threat group. This combined insight has provided unique and extensive visibility into its operations – from initial intrusion to the methods used to navigate victims' networks to the sale of the stolen payment card data.

From tracking sophisticated FIN groups, we know that they employ a high level of planning, organisation and task management to accomplish their goals. They generally target a particular demographic or type of organisation, and their unwavering goal is financial gain from the data they steal. They profit from the direct sale of stolen data (as is the case with FIN6), unauthorized transfer of funds or, sometimes, insider trading.

Three years ago, FireEye Threat Intelligence supported several Mandiant Consulting investigations in the hospitality and retail sectors where criminals had aggressively targeted point-of-sale (POS) systems, stealing millions of payment card numbers.

Benefiting from iSIGHT Partners' collected intelligence, we ascertained that the stolen payment card data was sold in an underground card 'shop' which is advertised on multiple underground cyber crime forums and offers millions of stolen payment card records. This closes the loop on the 'lifecycle' of cyber criminal activity and personifies one of the final stages of cyber crime: monetizing the stolen data.

Having identified that data stolen from several of FIN6's victims was being sold by this shop as far back as 2014, we can safely conclude that it has almost certainly ended up in the hands of fraud operators across the world. In each case, the data began appearing in the shop within six months of the FIN6 breach and, in turn, was invariably purchased very soon afterwards. The volume of data through the shop varies according to the breach, but in some cases more than 10 million cards associated with a specific FIN6-linked breach have been identified. The same shop has sold data from millions of other cards, potentially linked to breaches perpetrated by other attackers.

Good threat intelligence comes from a combination of factors, requiring visibility into the threat landscape including both a broad view (the ability to identify activity across a range of countries, industries and organisations) and a deep view (the ability to gather detailed information about how cyber criminals operate). And, of course, it requires skilled analysts who are able to review, fuse and understand the collected data.

In this case, the combined intelligence from our teams was able to not only identify malicious activity aimed at stealing payment card data, but provide a detailed account of the operational lifecycle from compromise through monetization of that stolen data.

The account of FIN6 has shed valuable light on how real-world threat actors operate, not only in technical terms but also in the human factor. It has identified interactions between different criminals or groups, and how it is not just data being bartered or sold in the underground, but also tools, credentials and access.

Why do organisations keep failing at IR?
What makes an incident response team work?
How do I maximise the efficiency of my resources?

Join us for a 3-part on demand webinar series on state-of-the-art incident investigation techniques and breach response strategies.

Watch online now at www.fireeye.com

We hope you enjoyed your first edition of The Vision. Get in touch to find out how our security solutions can help protect your organisation.

T +442036087538
T +353216019160
[email protected]
www.fireeye.com