Threat intelligence
Major web hosting providers become victims of ransomware
Monday, November 25, 2019 11:54:00 AM CET- Outsourcing IT services to web hosting, managed service and cloud service providers could increase organisations' exposure to ransomware attacks.
- In 2019, more than 10 web-hosting companies have already been victims of targeted ransomware incidents.
- Since the largest known ransom was paid by a web-hosting provider, cybercriminals will likely increase their efforts against this sector. -
The Silence group
Monday, November 25, 2019 11:53:00 AM CET- The cybercriminal group Silence, of Russian origin, is attacking banks and financial institutions.
- Starting in 2016, the group has improved its tools and escalated its activities to attack worldwide.
- Its capabilities make it a potentially serious threat currently and in the future. -
Coordinated ransomware campaign in Spain
Monday, November 25, 2019 11:52:00 AM CET- Ransomware is targeting municipalities in Europe.
- Multiple entities in Spain have seen significant outages because of the threat.
- These attacks can be seen as a continuation of the Big Game Hunting tactics observed elsewhere in the world. -
APT groups are exploiting vulnerabilities in various VPN products
Monday, November 25, 2019 11:51:00 AM CET- APT groups are reportedly exploiting vulnerabilities in several unpatched VPN products used worldwide.
- US and UK agencies (CISA and the NCSC) advise organisations to patch VPN products from the affected vendors.
- The affected products are Fortinet FortiOS SSL VPN (CVE-2018-13379), Palo Alto Networks GlobalProtect (CVE-2019-1579) and Pulse Secure Pulse Connect Secure (CVE-2019-11510).
- Several of these bugs were detailed at Black Hat USA in August, before attacks against Fortinet and Pulse Secure devices were detected. -
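As an added example that is not part of the original digest, the Python script below shows the check a defender would run over a VPN appliance's HTTP access log for the two flaws that public advisories reported as exploited in the wild: the Pulse Connect Secure pre-authentication file read (CVE-2019-11510) and the FortiOS SSL VPN path traversal (CVE-2018-13379). The request shapes come from the public advisories and proof-of-concept write-ups; the log lines are constructed for this example and the client addresses are documentation ranges.

```python
import re
from urllib.parse import unquote

# Endpoints of the two VPN flaws that public advisories reported as exploited
# in the wild. Identifiers and request shapes are public, not from the digest:
#   Pulse Connect Secure, CVE-2019-11510:
#     GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/
#   FortiOS SSL VPN, CVE-2018-13379:
#     GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession
VPN_PREFIXES = ("/dana-na/", "/dana/", "/remote/")
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Common/combined log format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def decode_target(target: str) -> str:
    """Percent-decode until stable, so %2e%2e/ and double-encoded %252e%252e/ both surface."""
    prev = None
    while target != prev:
        prev, target = target, unquote(target)
    return target


def classify(target: str):
    """Name the exploit a request matches, or None for benign VPN traffic."""
    path, _, query = decode_target(target).partition("?")
    if not path.startswith(VPN_PREFIXES):
        return None
    if not (TRAVERSAL.search(path) or TRAVERSAL.search(query)):
        return None
    if path.startswith("/remote/fgt_lang"):
        return "CVE-2018-13379 FortiOS SSL VPN credential file read"
    if path.startswith("/dana-na/") or "/dana/html5acc/guacamole/" in path:
        return "CVE-2019-11510 Pulse Secure pre-auth file read"
    return "directory traversal against a VPN endpoint"


def scan(lines):
    """Return (client_ip, status, verdict) for each request that matches an exploit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m.group("target"))
        if verdict:
            hits.append((m.group("ip"), m.group("status"), verdict))
    return hits


# Constructed sample log: two exploit attempts per flaw plus two benign requests.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Aug/2019:10:01:02 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1723
203.0.113.7 - - [24/Aug/2019:10:01:05 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ HTTP/1.1" 200 81920
198.51.100.9 - - [24/Aug/2019:10:02:11 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 4096
198.51.100.9 - - [24/Aug/2019:10:02:30 +0000] "GET /remote/fgt_lang?lang=%2f..%2f..%2f..%2f..%2f%2f%2f%2f%2f%2f%2f%2f%2f%2fdev%2fcmdb%2fsslvpn_websession HTTP/1.1" 200 4096
192.0.2.1 - - [24/Aug/2019:10:03:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
192.0.2.1 - - [24/Aug/2019:10:03:10 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 3000
""".splitlines()

if __name__ == "__main__":
    for ip, status, verdict in scan(SAMPLE_LOG):
        print(f"{ip} {status} {verdict}")
```

A 200 with a non-trivial response size on one of these requests means the file was actually served, so the next step is to treat the appliance's session database and cached credentials as exposed and rotate them, not just to patch.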
Iran’s APT35 targeting individuals tied to US 2020 elections
Monday, November 25, 2019 11:50:00 AM CET- An Iranian state-sponsored threat actor reportedly targeted accounts associated with a US presidential campaign.
- The group has also reportedly targeted academic researchers focusing on Iran in France, the US and the Middle East.
- Attempts by state-sponsored threat actors from various countries to compromise business or personal cloud-based email or social media accounts remain a significant threat.
- Even when not technically sophisticated, social-engineering-based attempts to compromise cloud-based email or social network accounts remain an effective method for motivated attackers. -
Magecart cybercriminals leveraging public WiFi vulnerabilities
Monday, November 25, 2019 11:45:00 AM CET- Cybercriminal groups collectively dubbed Magecart are compromising vulnerable e-commerce websites to steal customers' payment card data.
- One Magecart group has tested methods to compromise user devices browsing the internet via public WiFi hotspots.
- The same group is also attempting to compromise code used by mobile app developers and affect a large user base. -
Business email compromise on the rise
Wednesday, October 02, 2019 01:44:00 PM CEST- In 2018, Business Email Compromise (BEC) overtook ransomware as the main cause of cyber insurance claims.
- Between June 2016 and July 2019, BEC reportedly accounted for USD 26.2 billion in financial losses worldwide.
- BEC continues to grow with a 100% increase in identified global exposed losses between May 2018 and July 2019.
- Substantial financial losses due to BEC have been publicly reported in August and September 2019. -
Airbus supply chain hacked in a cyberespionage campaign
Wednesday, October 02, 2019 01:43:00 PM CEST- According to Agence France-Presse (AFP), Airbus has fallen victim to a sophisticated cyber-espionage campaign.
- Attackers reportedly breached the IT systems of several Airbus suppliers and, from there, penetrated Airbus's own IT systems.
- Attackers were looking for certification documentation, sensitive information related to the A350 and A400M engines, as well as avionics details.
- Several of AFP's sources suspect Chinese hacking groups, but no formal attribution has been made. -
SIMjacking – an attack on mobile phones
Wednesday, October 02, 2019 01:41:00 PM CEST- A newly published mobile phone SIM exploit, called Simjacker, allows attackers to stealthily spy on mobile users.
- The exploit allows attackers to find the device’s location or fully ‘take over’ the mobile phone.
- The attack abuses a piece of legacy software (the S@T Browser) that many modern SIM cards no longer include.
- The vulnerability is actively being exploited, either by a private company or by its customers, to locate mobile phones and thus their users. -
Large scale and powerful cyber surveillance by China
Wednesday, October 02, 2019 01:40:00 PM CEST- According to researchers, Chinese authorities are purportedly monitoring Uyghurs, both locally and internationally, through cyber means.
- The threat actors reportedly leveraged several techniques including multiple exploit chains against Android and iOS, several strategic web compromises, as well as bypassing the two-factor authentication of Google services.
- The wide range of leveraged methods demonstrates the threat actors’ significant capabilities, funds and technical expertise. -
Big Game Hunting in the public sector
Wednesday, October 02, 2019 01:38:00 PM CEST- Big Game Hunting extortion campaigns by cybercriminals have become a significant threat to the public sector.
- In the US, several ransomware attacks impacting local governments, cities, and public services were recently observed.
- Cybercriminals are striking victims with greater precision and timing.
- Their attacks are very well coordinated and they are demanding higher ransoms.
- US officials are worried about attacks against the 2020 election. -
Android exploits commanding higher price than ever before
Wednesday, October 02, 2019 01:36:00 PM CEST- The price of Android exploits exceeds the price of iOS exploits for the first time.
- This is possibly because Android security has improved relative to iOS.
- The release of Android 10 is also a likely cause for the price hike. -
Corporate IoT – an intrusion path for APT groups
Wednesday, October 02, 2019 01:31:00 PM CEST- APT28 reportedly attempted to compromise IoT devices to gain initial access to corporate networks.
- Such attacks are likely to expand as more IoT devices are deployed in corporate environments. -
Fighting disinformation on social networks in Hong Kong
Wednesday, August 28, 2019 11:47:00 AM CEST- Twitter, Facebook and Google suspended thousands of accounts for “coordinated inauthentic behaviour” in Hong Kong.
- The platforms’ operators claimed that accounts were associated with state-backed entities. -
Russia’s security services against one another
Wednesday, August 14, 2019 04:17:00 PM CEST- Since 2014, Russia's security services have been competing with each other.
- They act independently and take unnecessary risks in order to gain political influence over their counterparts.
- This has also resulted in an increase of treason allegations aimed at high-ranking Russian officials. -
Massive breach at Capital One, purportedly due to a cloud misconfiguration
Friday, August 02, 2019 09:55:00 AM CEST- A breach at Capital One, a major US bank, compromised data belonging to more than 106 million customers in the US and Canada.
- The breach was reportedly detected thanks to a vulnerability notification from an ethical security researcher.
- The alleged hacker, who was arrested, was reportedly a former employee of Amazon Web Services, the cloud provider of which Capital One was a customer.
- The breach purportedly exploited a misconfigured web application firewall (WAF) deployed in front of the cloud infrastructure. -
Russian FSB projects leaked by hacktivists
Tuesday, July 30, 2019 10:06:00 AM CEST- Russian FSB contractor SyTech was reportedly hacked and 7.5 TB of data were leaked.
- The leak contains information about at least 20 FSB digital monitoring projects.
- A Russian-speaking hacktivist group dubbed Digital Revolution is involved in the leak. -
China’s Ministry of State Security likely role in cyber attacks
Monday, July 29, 2019 04:16:00 PM CEST- Intrusion Truth, an anonymous entity, says that China's MSS regional offices are likely involved in APT activities. -
Cloud hosting firm iNSYNQ hit by ransomware attack
Monday, July 29, 2019 09:51:00 AM CEST- Cloud hosting provider iNSYNQ experienced a ransomware attack that has left customers unable to access their data.
- One week after the infection, restoration was not yet completed and iNSYNQ encouraged its customers to rely on local backups. -
Extended use of the likely Chinese Winnti malware
Thursday, July 25, 2019 02:09:00 PM CEST- According to media, the Winnti malware has been used for cyber espionage purposes against German industries.
- Initially, the malware was likely developed by cyber-criminals, then repurposed and shared with other actors. -
Chinese surveillance app
Wednesday, July 24, 2019 11:45:00 AM CEST- The Chinese border police extract data from the phones of people visiting the Xinjiang region as they cross the border.
- An Android app is used to find specific content on the devices. iPhones are also impacted.
- These techniques are consistent with China’s overall domestic cyber-surveillance strategy. -
Western technology firms targeted by Chinese threat actors
Wednesday, July 24, 2019 11:45:00 AM CEST- Chinese hackers breached the networks of several technology firms, globally, from 2010 to 2017.
- The attacks were reportedly conducted by first penetrating the cloud computing service of Hewlett Packard Enterprise.
- Technology companies competing with Chinese firms appear to have been priority targets. -
Russian digital services provider targeted by Western intelligence agencies
Wednesday, July 24, 2019 11:44:00 AM CEST- Hackers breached the systems of Russian digital services provider Yandex.
- The breach occurred between October and November 2018.
- A private assessment by Kaspersky concluded hackers likely tied to Western intelligence breached Yandex using Regin.
- Previous Regin attacks (Belgacom case publicly uncovered in 2014) were attributed to US and British intelligence agencies. -
Global espionage campaign targeting the telecommunications sector
Wednesday, July 24, 2019 11:44:00 AM CEST- A global cyber-espionage campaign has targeted telecommunications providers from Africa, the Middle East, and Europe.
- Attackers were looking for call detail records, along with other personal data, credentials and the geo-location of specific individuals.
- The interest and resources shown by the attackers denote a highly likely state-sponsored espionage origin. -
US & Russia mutually targeting their power grids
Wednesday, July 24, 2019 11:42:00 AM CEST- A New York Times report alleges that the US has infiltrated the Russian electrical grid with offensive malware.
- The infiltration is not known to have been linked with any disruption.
- If the report is true, this activity poses risks of escalation and retaliation.
- A separate report by a security company indicates that a Russian threat group is probing US and Asian electrical grids. -
Ransomware paralyses European aircraft supplier
Wednesday, July 24, 2019 11:41:00 AM CEST- Belgium-based aircraft parts and aerostructures manufacturer ASCO Industries has been hit by a cyber-attack.
- ASCO confirmed the incident, which was reportedly caused by ransomware.
- The company supplies components to Airbus, Boeing, Bombardier Aerospace and Lockheed Martin.
- About 1,000 people (70 percent of the employees in Belgium) were sent home on unpaid leave at the Zaventem site.
- According to media, production was shut down in Belgium and in other countries (Canada, Germany, the USA, Brazil and France). -
Hardware Security Modules not immune to hacking
Wednesday, July 24, 2019 11:41:00 AM CEST- Security researchers released a paper revealing how they managed to compromise a Hardware Security Module (HSM).
- HSMs are used to generate, manipulate and store sensitive cryptographic secrets (SIM cards, credit cards, secure boot hardware, disk and database encryption, PKI...).
- HSMs are also used by cloud service providers, such as Google or Amazon, allowing clients to centrally create, manage and use their cryptographic secrets. -
High volume of European network traffic re-routed through China Telecom
Wednesday, July 24, 2019 11:40:00 AM CEST- A routing incident led to 70 000 routes carrying European traffic being redirected through China Telecom for over two hours.
- Border Gateway Protocol (BGP) route leaks and misconfigurations are relatively common, but they usually last only a few minutes.
- China Telecom has still not implemented basic routing safeguards, such as filtering the routes it accepts from customers and validating route origins, that would detect and remediate such incidents in a timely manner. -
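The safeguards in question are route origin validation (RPKI/ROV) and filtering of routes learned from unexpected neighbours. As an added example that is not part of the original digest, the Python below performs ROA-style origin validation over a constructed table of announcements and also flags routes whose origin is correct but which arrive through an upstream the origin does not normally use, which is what a leak of this kind looks like to a monitoring system. The prefixes and AS numbers are documentation and private-use values, not those of the operators involved.

```python
import ipaddress

# Constructed ROA table: (prefix, maxLength, authorised origin AS).
# Documentation prefixes and private-use ASNs; none belong to a real operator.
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
    ("2001:db8::/32", 48, 64502),
]

# Constructed view of which neighbour each origin normally announces through.
# A route leak keeps the legitimate origin but arrives via a path it should not.
EXPECTED_UPSTREAMS = {64500: {64497}, 64501: {64497}, 64502: {64497, 64498}}


def validate_origin(prefix, origin_asn, roas=ROAS):
    """Route origin validation in the RFC 6483 sense: valid / invalid / not-found."""
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa = ipaddress.ip_network(roa_prefix)
        if roa.version != net.version or not net.subnet_of(roa):
            continue
        covered = True                      # some ROA covers this prefix
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def audit(announcements, roas=ROAS, upstreams=EXPECTED_UPSTREAMS):
    """Return (prefix, origin, [issues]) for every announcement worth alerting on."""
    findings = []
    for prefix, as_path in announcements:
        origin = as_path[-1]
        issues = []
        state = validate_origin(prefix, origin, roas)
        if state == "invalid":
            issues.append("ROV invalid: wrong origin or more-specific beyond maxLength")
        elif state == "not-found":
            issues.append("no ROA covers this prefix; origin cannot be verified")
        if len(as_path) >= 2 and origin in upstreams and as_path[-2] not in upstreams[origin]:
            issues.append(f"unexpected upstream AS{as_path[-2]} (possible route leak)")
        if issues:
            findings.append((prefix, origin, issues))
    return findings


# Constructed announcements as (prefix, AS_PATH with the origin last).
ANNOUNCEMENTS = [
    ("192.0.2.0/24",    [64496, 64497, 64500]),   # normal
    ("192.0.2.0/25",    [64496, 64497, 64500]),   # right origin, more-specific than maxLength allows
    ("198.51.100.0/22", [64496, 64510]),          # wrong origin: hijack
    ("203.0.113.0/24",  [64496, 64499]),          # no ROA at all
    ("2001:db8:1::/48", [64496, 64520, 64502]),   # right origin, unexpected upstream: leak
]

if __name__ == "__main__":
    for prefix, origin, issues in audit(ANNOUNCEMENTS):
        print(f"{prefix} via AS{origin}: " + "; ".join(issues))
```

The last case is the important one for incidents like the China Telecom one: origin validation alone passes it, because the origin AS is legitimate; only a check on who is announcing the route catches the leak.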
Android smartphones supply chain compromise
Wednesday, July 24, 2019 11:39:00 AM CEST- Two Android smartphone models have been sold with pre-installed malware, affecting at least 20 000 users in Germany alone.
- For app developers the introduction of undesirable functions might be the result of poor coding practices, or a deliberate criminal act to maximise the return on their investment.
- Since 2016, several Android-related supply chain compromises have been reported, affecting up to 141 Android smartphone models. -
Ransomware extortion affecting local administrations
Wednesday, July 24, 2019 11:36:00 AM CEST- In the US, the city of Baltimore’s IT infrastructure suffered a ransomware attack that created disruption in public services.
- The attack was most likely executed with the use of a ransomware dubbed Robbinhood.
- Similar ransomware attacks against local administrations or public services have taken place across the US and globally. -
Abuse of access to user information by employees of social media / digital service companies
Wednesday, July 24, 2019 11:36:00 AM CEST- Snapchat personnel abused their level of access to user data some years ago.
- Corporate Gmail accounts had their passwords stored in plain text.
- These are the most recent cases of social media platforms exposing user data to insider abuse. -
Malware authors increasingly use legitimate certificates to bypass defences
Wednesday, July 24, 2019 11:35:00 AM CEST- Malware authors increasingly use legitimate certificates to sign their code.
- Certificate authorities sometimes fail to verify the identities of people applying for code-signing certificates.
- Signing malware with legitimate certificates increases the chance of remaining undetected. -
Wireless attacks on aircraft instrument landing systems
Wednesday, July 24, 2019 11:35:00 AM CEST- Modern aircraft rely heavily on several wireless technologies for communications, control, and navigation.
- Attackers could potentially change the course of a flight using commercially available equipment.
- The systems used to guide planes could be hijacked by spoofing the radio signals that are used during landing. -
Gothic Panda possibly used DoublePulsar a year before the Shadow Brokers leak
Wednesday, July 24, 2019 11:34:00 AM CEST- Gothic Panda may have used an Equation Group tool at least one year before the Shadow Brokers leak.
- It is unknown how the threat group obtained the tool.
- This is a good example of a threat actor re-using cyber weapons that were originally fielded by another group. -
Chinese mass surveillance systems: insights and export
Wednesday, July 24, 2019 11:34:00 AM CEST- A database containing personal data of Chinese citizens was left unprotected on the Internet.
- These personal data were purportedly collected using smart cities and mass surveillance technologies.
- Human Rights Watch released a report detailing how the Chinese government is using such technologies as a means to invade their citizens’ privacy.
- Chinese companies and start-ups are exporting these technologies to foreign countries. -
Hacking groups compete for cryptojacking cloud-based infrastructure
Wednesday, July 24, 2019 11:33:00 AM CEST- Two hacking groups associated with large-scale cryptomining campaigns wage war on one another.
- Pacha Group and Rocke Group compete to compromise as much cloud-based infrastructure as possible.
- One group is using techniques to kill any other cryptocurrency malware running on infected machines.
- Cloud infrastructure is quickly becoming a common target for threat actors, particularly on vulnerable Linux servers. -
Cyber-attacks lead to conventional military strikes
Wednesday, July 24, 2019 11:32:00 AM CEST- Israel Defence Forces destroyed the headquarters of the main cyber unit of the Palestinian organisation Hamas by airstrikes.
- The assault is likely to be the first true example of a physical attack being used as a real-time response to digital aggression.
- Affected entities will likely rebuild their lost capabilities and continue to conduct cyber operations against Israeli targets. -
Docker breach exposes a significant number of accounts
Wednesday, July 24, 2019 11:31:00 AM CEST- Docker Hub, the public registry of container images, announced a breach affecting about 190 000 of its users.
- As the exposed data included tokens linking accounts to development platforms such as GitHub and Bitbucket, the breach may impact several stages of software development workflows.
- Threat actors adopt supply chain attacks as a method to bypass some traditional IT security measures. -
Cyber enabled espionage in the aviation sector
Wednesday, July 24, 2019 11:30:00 AM CEST- A General Electric employee reportedly stole aerospace turbine technology secrets for the benefit of China.
- The spy used several methods such as encryption, exfiltration via USB storage devices, steganography and sending stolen files to his personal email address.
- China has been suspected to conduct cyber-espionage operations in the aviation sector for several years.
- According to researchers, since 2004, a total of 20 active Chinese threat actor groups have been detected targeting aviation as a whole. -
Facebook urged to control the spread of US law enforcement fake accounts
Wednesday, July 24, 2019 11:30:00 AM CEST- US Immigration and Customs Enforcement used fake accounts on Facebook to identify people committing immigration fraud.
- The agency created social media profiles for a non-existent university and its staff.
- All this activity violates Facebook’s policies but the involved US agencies have shown no concern.
- Facebook is urged to curb the proliferation of undercover law enforcement accounts on the social media platform. -
Cyberattacks enabled disinformation in Lithuania
Wednesday, July 24, 2019 11:29:00 AM CEST- The Lithuanian Ministry of Defence was targeted by a disinformation campaign.
- The dissemination of disinformation was likely enabled and facilitated by cyberattacks. -
New TRITON attack
Wednesday, July 24, 2019 11:29:00 AM CEST- TRITON is a sophisticated malware framework with the capacity to manipulate industrial safety systems, cause physical damage and shut down operations.
- TRITON authors are believed to have ties with a Moscow-based scientific research institute.
- Victims have been identified in the Middle East and in North America.
- A comprehensive analysis of the techniques and tools linked to TRITON has recently been published to help detect and hunt for related attacks. -
A Cryptojacking campaign had disruptive impact
Wednesday, July 24, 2019 11:28:00 AM CEST- The systems of a Japanese company were shut down following a first-stage attack suspected to precede a cryptojacking campaign.
- This incident highlights the disruptive nature of cryptojacking attacks and their ability to affect victims' operations.
- In 2018, several cases of disruption caused by cryptojacking attacks were reported. -
Airports & Operational Technology: 4 Attack Scenarios
Wednesday, July 24, 2019 11:27:00 AM CEST- Security in global aviation increasingly depends on information technology (IT) and operational technology (OT) systems, and is exposed to vulnerabilities in both.
- Airports are using several critical OT systems (e.g. baggage control, runway lights, air conditioning, and power).
- Four important risk vectors have been more specifically identified: Baggage Handling, Aircraft Tugs, De-icing Systems, Fuel Pumps. -
WinRAR zero-day exploited in many attacks
Wednesday, July 24, 2019 11:26:00 AM CEST- On February 20, a zero-day vulnerability in the archiving software WinRAR, present in its code for about 19 years, was publicly revealed.
- On February 26, a patched version of WinRAR (5.70, which drops support for the affected ACE format) was released; WinRAR has no automatic update mechanism, so the update must be applied manually.
- More than a hundred unique exploits have been spotted since the publication of proofs of concept and payload creation tools following the disclosure.
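The flaw lay in WinRAR's bundled UNACEV2.DLL, which handled ACE archives regardless of file extension and let a crafted file name escape the extraction directory (CVE-2018-20250, as documented by Check Point Research). As an added example that is not part of the original digest, the Python below identifies ACE content by its header signature, walks the file headers and flags names that point outside the extraction directory. The archive bytes are constructed in the script, the header layout follows the public ACE format description, and header CRCs are not verified.

```python
import re
import struct

ACE_SIGN = b"**ACE**"
HEAD_MAIN, HEAD_FILE = 0, 1


def is_ace(blob: bytes) -> bool:
    """ACE content carries '**ACE**' at offset 7 of the main header; WinRAR
    dispatched to UNACEV2.DLL on this signature, not on the '.ace' extension."""
    return len(blob) >= 14 and blob[7:14] == ACE_SIGN


def ace_filenames(blob: bytes):
    """Walk the header chain and yield stored file names.
    Every block: HEAD_CRC(2) HEAD_SIZE(2) HEAD_TYPE(1) HEAD_FLAGS(2) ...; HEAD_SIZE
    counts the bytes after itself, and a file block is followed by PACK_SIZE bytes
    of packed data. Header CRCs are not verified (this is a triage scanner)."""
    pos = 0
    while pos + 5 <= len(blob):
        head_size, head_type = struct.unpack_from("<xxHB", blob, pos)
        if head_size < 3:
            break  # malformed; stop rather than loop forever
        body = blob[pos + 4 : pos + 4 + head_size]
        data_len = 0
        if head_type == HEAD_FILE and len(body) >= 31:
            # body[3:] = PACK_SIZE(4) ORIG_SIZE(4) FTIME(4) FILE_ATTR(4) CRC32(4)
            #            TECH_INFO(4) RESERVED(2) FNAME_SIZE(2) FNAME(FNAME_SIZE)
            data_len, name_len = struct.unpack_from("<I22xH", body, 3)
            yield body[31 : 31 + name_len].decode("utf-8", errors="replace")
        pos += 4 + head_size + data_len


def suspicious_paths(names):
    """Flag names that would land outside the extraction directory."""
    findings = []
    for name in names:
        reasons = []
        if re.match(r"^[A-Za-z]:[\\/]", name) or name[:1] in ("\\", "/"):
            reasons.append("absolute path")
        if re.search(r"(^|[\\/:])\.\.([\\/]|$)", name):
            reasons.append("parent-directory traversal")
        if re.search(r"[A-Za-z]:[\\/][A-Za-z]:", name):
            reasons.append("stacked drive prefixes (shape of the published CVE-2018-20250 exploit)")
        if reasons:
            findings.append((name, reasons))
    return findings


# --- constructed sample archive (no real ACE compressor involved) -------------
def _block(head_type, payload):
    body = struct.pack("<BH", head_type, 0) + payload      # flags = 0
    return struct.pack("<HH", 0, len(body)) + body          # CRC left at 0


def build_ace(entries):
    """Minimal archive: main header, then one stored file per (name, data)."""
    main = _block(HEAD_MAIN, ACE_SIGN + bytes(16))          # version/host/time fields zeroed
    out = [main]
    for name, data in entries:
        raw = name.encode()
        hdr = struct.pack("<IIIIIIHH", len(data), len(data), 0, 0, 0, 0, 0, len(raw)) + raw
        out.append(_block(HEAD_FILE, hdr) + data)
    return b"".join(out)


SAMPLE = build_ace([
    ("readme.txt", b"hello"),
    ("docs/notes.txt", b""),
    (r"C:\C:C:../AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe", b"MZ"),
    ("../../../../etc/cron.d/job", b""),
])

if __name__ == "__main__":
    print("ACE content:", is_ace(SAMPLE))
    for name, reasons in suspicious_paths(ace_filenames(SAMPLE)):
        print(f"{name!r}: {', '.join(reasons)}")
```

The third entry mirrors the shape of the published exploit: a name that starts with a drive letter, repeats the drive prefix and then climbs into the user's Startup folder, so the payload runs at next logon. Checking the signature rather than the extension matters because the malicious samples were distributed as `.rar` files.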