Memos And Briefs
Cyber-attacks against the 2020 US elections - A first analysis
- According to US authorities and security companies, several actors attempted to influence or disrupt the US 2020 presidential elections.
- Four categories of attacks have been identified: influence operations, cyberespionage, cybercrime, and hacktivism.
- US authorities took measures such as dismantling attackers' infrastructure, charging or sanctioning individuals or organisations, and sharing technical alerts.
- Public reports allow a first synthetic analysis of the _state of the art_ for election interference risk mitigation.

Thanos ransomware: criminal and disruptive attacks
- Thanos is a ransomware-as-a-service offer used by different threat actors.
- A variant was used for financial gain against various victims in Europe in June 2020.
- Another variant was used in the Middle East and North Africa in July 2020.
- Israeli researchers believe that the Iranian MuddyWater state-sponsored threat actor may also have used a variant of Thanos against prominent Israeli entities in September.

US DoJ indicts Russia’s Sandworm threat actor
- US authorities charged 6 members of the Russian Military Intelligence unit 74455 (aka Sandworm) threat actor.
- Sandworm is accused of mostly disruptive cyber operations in Ukraine (electric grid), France (political entities), the UK and the Netherlands (chemical laboratories), Georgia (government, media), South Korea (2018 Winter Olympics) and globally (NotPetya).
- This indictment follows sanctions imposed on the same organisation by the EU in July 2020.

CERT-EU Threat Landscape Report for Q3 2020 - Executive Summary
Direct Threats to EU Institutions, Bodies and Agencies

A cryptomining worm that steals AWS credentials
- A new piece of malware targets Amazon Web Services environments and steals credentials from them.
- Furthermore, it uses these credentials to breach and exploit other cloud-based services for cryptomining.
- There is a proliferation of automated cloud attacks, largely based on insufficient security measures on these services.

Insecure S3 buckets can lead to serial exploitation
- Research shows that unsecured cloud-based storage buckets can be scanned for the existence of credentials.
- The process of harvesting credentials and using them to exploit additional services has the potential to become automated.

CERT-EU Threat Landscape Report for Q2 2020 - Executive Summary
Direct Threats to EU Institutions, Bodies, and Agencies

Signed PDF documents vulnerable to manipulation
Key Points
- 15 of the biggest PDF viewers are vulnerable to “Shadow Attack – Hide and Replace”, involving manipulation of documents after signing.
- The attack makes use of hidden layers in the document, invisible to the victim but included in the signed version.
- Adobe, LibreOffice, Foxit and SodaPDF have issued patches for the vulnerability.

Largest ever DDoS in PPS against a European bank
- The largest DDoS attack ever measured in packets per second (PPS) was mitigated by Akamai on June 21.
- The attack reached a peak of 809 million PPS, more than double the previous PPS record.
- The target was an unnamed European bank.

CERT-EU Cyber Brief - July 2020
Cyber Security Briefs are monthly executive reports that aim to present an overview of the most relevant developments in cyber security, based exclusively on open sources, with a view to informing political leadership and senior management in its constituency. Additional information on any item in this Brief can be provided upon request. Cyber Briefs are TLP:WHITE.

Largest ever DDoS attack targeted AWS
- The largest DDoS attack ever recorded targeted AWS last February.
- The attack lasted three days and the traffic reached 2.3 Tbps.
- The attack highly likely targeted a single customer but had implications for the whole cloud services provider.

Recent state-sponsored disinformation operations on Twitter
- Twitter has discovered distinct state-sponsored disinformation operations originating in China, Russia and Turkey.
- In previous months, countries such as Saudi Arabia, UAE, Egypt and Ecuador have also engaged in such campaigns.

- Cybercriminals behind the REvil ransomware are auctioning off sensitive data stolen from their victims.
- The current auction prices range from $50 000 to $200 000.
- The new tactic adopted by REvil operators marks an escalation in methods aimed at coercing victims to pay up.
- As with other recently introduced ransomware extortion schemes, it is likely to be adopted by other cybercriminal groups.

CERT-EU Cyber Brief - June 2020

Massive trading of stolen data
- At least 11 digital services companies, affected by several breaches in the previous period, now see their databases sold on the darknet.
- A single cybercriminal actor is claiming to be in possession of all the data.
- Microsoft's GitHub account was highly likely also breached by the same threat actor.

Corporate Mobile Device Management system breach
- Researchers have discovered a case where a mobile device management (MDM) system has been abused to spread malware to a large number of mobile devices in an enterprise.
- The central role MDMs play in managing mobile devices gives them unique access potential in case they are breached.

CERT-EU Threat Landscape Report for Q1 2020 - Executive Summary
Direct Threats to EU Institutions, Bodies, and Agencies

Key Points
- New IoT botnets are building on Mirai’s success.
- With new features and persistence methods, these new attack tools are formidable threats.
- Most such botnets are created for financial gain and are highly likely available for hire.

Key Points
- Rostelecom, a large Russian telecom provider, carried out a BGP hijack on April 1.
- BGP hijacks are common and often not intentional, although they can be used to obtain a man-in-the-middle position or to capture traffic for later decryption.
- It is unclear if this incident was accidental.
- Rostelecom has worked with one of the security firms reporting the incident on resolving it.

Cryptomining attacks on Docker systems
Key Points
- Insecure instances of the popular Docker virtualisation platform are being targeted in a widespread campaign aiming to abuse them for cryptomining.
- The methodology of the campaign exposes unsecured Docker installations and may also endanger other hosted applications, the hosting server, and adjacent systems.
- The case underlines the dangers of inadequate security configurations resulting in publicly exposed systems.

COVID-19 monitoring technology
Key Points
- According to public reports, at least 33 countries have adopted monitoring technology to curb the COVID-19 pandemic as of April 15, 2020.
- The purpose of this surveillance is to track entire or specific categories of populations, analyse movements, detect, diagnose and quarantine or alert individuals at risk.
- Tracking projects were initially started by governments, but now technology firms are proactively designing solutions.
- Efforts to safeguard privacy vary significantly among countries.

Attacks on Elasticsearch databases
Key Points
- The widely used Elasticsearch data aggregation and analysis service is being targeted by an automated campaign.
- The campaign identifies and wipes internet-exposed databases.
- Elasticsearch services have in the past been repeatedly found accessible due to misconfigurations and bad management, exposing troves of data they were supposed to safekeep.

Mischievous RFC standards – ongoing threat
Key Points
- The long-established and well-documented threat actor IETF (aka APT0) is likely to strike globally today.
- Its historical activity of introducing mischievous standards into internet technology borders on the ridiculous.
- Potential victims should scan their mail traffic for so-called RFC documents issued with today’s date and delete them immediately.

- Healthcare organisations provide interesting targets to cyber criminals.
- Due to the criticality of their function, they are more prone to submit to cyber-extortion.
- The most prevalent type of attack in the sector is ransomware.

Cookiethief allows for social media account takeover
Key Points
- A newly discovered malware steals cookies from social network apps such as Facebook.
- The attacker can then completely take over the victim’s social network account.
- The malware abuses the trusted relationship between the victim’s device and the social network.
- This attack is particularly difficult for the social network to detect.

Coronavirus – Cyber exploitation
- Heightened public interest in the coronavirus spurs cybercriminal and disinformation operations.
- At least six different pieces of malware have been distributed using fraudulent coronavirus-themed emails in several campaigns worldwide.
- At least two likely state-sponsored information operations have been reported.

Credit-card web-skimming infections can last several months
- Infections of e-commerce websites by credit-card web-skimmers can last several months.
- The lack of security monitoring and of reaction to notifications by e-commerce websites’ owners constitutes a major risk factor.
- Online shops with large audiences would typically dedicate more resources to patching security flaws and therefore would likely be less risky.

Russian intelligence officers caught scouting undersea cables
- Russian agents were seen scouting undersea fibre-optic internet cables arriving at the Irish shore.
- Irish police sources link the agents to the Russian military intelligence service GRU.
- It is currently unclear what their exact goal was.

US indicts Chinese military hackers
- The US Department of Justice charged four Chinese members of the People’s Liberation Army for conspiracy and hacking.
- Indictments have been a component of the US cyber diplomatic and juridical toolbox since at least 2014.
- In 2019 US technology firms started to enforce the US government’s sanctions against selected “foreign adversaries”.

State actors targeting mobile phones
- The Amazon CEO’s mobile was highly likely infected by espionage malware that exfiltrated personal information.
- The infection was highly likely caused by messages from Saudi Arabia's rulers.
- Likely candidates for the malware used are a number of espionage platforms marketed to governments.
- Mobile devices continue to be seen as valuable sources of personal and financial information by state and criminal actors.

Executive Summary of CERT-EU's Threat Landscape Report 2019Q4
- A summary of direct threats to EU institutions, bodies and agencies
- An overview of malware used
- Targeted sectors and sectoral threats
- Geographical threats

Ransomware in the transportation sector
- Transportation and logistics are particularly attractive to operators of ransomware.
- Ransomware attacks against transportation operators usually correspond to the following scenarios: opportunistic criminal infections, hybrid attacks perpetrated by state-sponsored attackers, cybercriminal big game hunting.

Free smartphones for low-income households shipped with malware
- Free smartphones being issued in a welfare program contained irremovable malware.
- The company issuing the phones has denied this software is malware, but this is repudiated by public knowledge.
- The inclusion of data leaking malware is on the ri

SHA1 collision attacks shown to be practical
- New research demonstrates the practicality and affordability of attacks against the SHA1 hash function.
- SHA1 has been considered unsafe since 2005.
- The new findings are relevant because SHA1 is still used in multiple applications.

Ransomware now combined with data leakage
- Ransomware extortion cases have started to include (and realise) data leakage threats.
- In a number of cases in December 2019 and January 2020, operators of ransomware released victims' internal data.
- The tactic represents an upscaling of ransomware operations in spite of the technical and logistical requirements.

Lazarus Group financial targeting
- North Korean threat actor Lazarus Group continues to target financial institutions and cryptocurrencies.
- The goal is likely collecting funds for North Korea.
- Lazarus Group continues to be an important asset for the North Korean regime, for both revenue generation and technological cyberespionage.

Waves of ransomware in December 2019
- Several high-profile ransomware attacks were observed in December 2019.
- Public and private organisations in several countries and sectors have been affected.
- In two cases, the ransom note reached $6M, the highest amount reported so far.
- In two cases, cybercriminals have leaked data belonging to their victim in an attempt to force the payment of the ransom.

Major cryptocurrency provider compromised in a supply chain attack
- The official command line interface Monero wallet was compromised and used in a supply chain attack.
- At least one person has reported financial loss due to the compromise.
- Cryptocurrency platforms and software are a high-value target for cyber-thieves.

Major web hosting providers become victims of ransomware
- Outsourcing IT services such as web hosting, managed service providers and cloud service providers could increase the exposure of organisations to ransomware attacks.
- In 2019, over 10 web provider companies have already been victims of targeted ransomware incidents.
- Since the largest known paid ransom was from a web-hosting provider, cybercriminals will likely increase their efforts.

- The Russian-origin cyber-criminal group Silence is attacking banks and financial institutions.
- Starting in 2016, the group has improved its tools and escalated its activities to attack worldwide.
- Its capabilities make it a potentially serious threat currently and in the future.

Coordinated ransomware campaign in Spain
- Ransomware is targeting municipalities in Europe.
- Multiple entities in Spain have seen significant outages because of the threat.
- These attacks can be seen as a continuation of the Big Game Hunting tactics observed elsewhere in the world.

APT groups are exploiting vulnerabilities in various VPN products
- APT groups are reportedly exploiting vulnerabilities in several unpatched VPN products used worldwide.
- US and UK agencies advise consumers to update VPN products from certain producers.
- Affected VPN products were from Fortinet, Palo Alto Networks and Pulse Secure.
- Certain bugs were detailed at Black Hat USA in August, before attacks on Fortinet and Pulse Secure were detected.

Iran’s APT35 targeting individuals tied to US 2020 elections
- An Iranian state-sponsored threat actor reportedly targeted accounts associated with the US presidential campaign.
- The group has also reportedly targeted academic researchers focusing on Iran in France, the US and the Middle East.
- Attempts by state-sponsored threat actors from various countries to compromise business or personal cloud-based email or social media accounts remain a significant threat.
- Even if not technically sophisticated, social-engineering-enabled attempts to compromise cloud-based email or social network accounts remain an efficient method for motivated attackers.

Magecart cybercriminals leveraging public WiFi vulnerabilities
- Cyber-criminal groups dubbed Magecart are exploiting vulnerable e-commerce websites to steal user payment data.
- One Magecart group has tested methods to compromise user devices browsing the internet via public WiFi hotspots.
- The same group is also attempting to compromise code used by mobile app developers and affect a large user base.

Business email compromise on the rise
- In 2018, Business Email Compromise (BEC) overtook ransomware as the main reason behind cyber claims.
- Between June 2016 and July 2019, BEC reportedly accounted for $26.2 billion USD in financial losses worldwide.
- BEC continues to grow, with a 100% increase in identified global exposed losses between May 2018 and July 2019.
- Substantial financial losses due to BEC have been publicly reported in August and September 2019.

Airbus supply chain hacked in a cyberespionage campaign
- According to Agence France Presse (AFP), Airbus has fallen victim to a sophisticated cyber-espionage campaign.
- Attackers reportedly breached the IT systems of several of Airbus’s suppliers and, from there, penetrated Airbus’s IT systems.
- Attackers have been looking for certification documentation, sensitive information related to the A350 and A400M’s engines, as well as avionics details.
- Several of AFP’s sources suspect Chinese hacking groups, but no formal attribution has been made.

SIMjacking – an attack on mobile phones
- A newly published mobile phone SIM exploit, called Simjacker, allows attackers to stealthily spy on mobile users.
- The exploit allows attackers to find the device’s location or fully ‘take over’ the mobile phone.
- The vulnerability exploits a piece of legacy software which is not present in a large number of modern SIM cards.
- The vulnerability is actively being exploited either by a private company or its customers to locate mobile phones and thus their users.

Large scale and powerful cyber surveillance by China
- According to researchers, Chinese authorities are purportedly monitoring Uyghurs, both locally and internationally, through cyber means.
- The threat actors reportedly leveraged several techniques, including multiple exploit chains against Android and iOS, several strategic web compromises, as well as bypassing the two-factor authentication of Google services.
- The wide range of leveraged methods demonstrates the threat actors’ significant capabilities, funds and technical expertise.

Android exploits commanding higher price than ever before
- The price of Android exploits exceeds the price of iOS exploits for the first time.
- This is possibly because Android security is improving relative to iOS.
- The release of Android 10 is also a likely cause for the price hike.

Big Game Hunting in the public sector
- Big Game Hunting extortion campaigns by cybercriminals have become a significant threat to the public sector.
- In the US, several ransomware attacks impacting local governments, cities, and public services were recently observed.
- Cybercriminals are striking victims with greater precision and timing.
- Their attacks are very well coordinated and they are demanding higher ransoms.
- US officials are worried about attacks against the 2020 election.

Corporate IoT – an intrusion path for APT groups
- APT28 reportedly attempted to compromise IoT devices to gain initial access to corporate networks.
- Such attacks are likely to expand as more IoT devices are deployed in corporate environments.

Fighting disinformation on social networks in Hong Kong
- Twitter, Facebook and Google suspended thousands of accounts for “coordinated inauthentic behaviour” in Hong Kong.
- The platforms’ operators claimed that the accounts were associated with state-backed entities.

Russia’s security services against one another
- Since 2014, Russia’s security services have been in competition with each other.
- They act independently and take unnecessary risks in order to gain political influence over their counterparts.
- This has also resulted in an increase in treason allegations aimed at high-ranking Russian officials.

Massive breach at Capital One, purportedly due to a cloud misconfiguration
- A breach at Capital One, a major US bank, compromised data belonging to more than 106 million customers in both the US and Canada.
- The breach was reportedly detected thanks to a vulnerability notification made by an ethical security researcher.
- The alleged hacker, who was arrested, was reportedly an employee of the Amazon Web Services cloud service company, of which Capital One was a customer.
- The breach purportedly exploited a misconfigured web application used to access the cloud infrastructure.

Russian FSB projects leaked by hacktivists
- Russian FSB contractor SyTech was reportedly hacked and 7.5TB of data were leaked.
- This leak contains information about at least 20 FSB digital monitoring projects.
- A Russian-speaking hacktivist group dubbed the DigitalRevolution group is involved in the leak.

China’s Ministry of State Security likely role in cyber attacks
Intrusion Truth, an anonymous entity, says that China’s MSS regional offices are likely involved in APT activities.

Cloud hosting firm iNSYNQ hit by ransomware attack
- Cloud hosting provider iNSYNQ experienced a ransomware attack that has left customers unable to access their data.
- One week after the infection, restoration was not yet completed and iNSYNQ encouraged its customers to rely on local backups.

Extended use of the likely Chinese Winnti malware
- According to media, the Winnti malware has been used for cyber espionage purposes against German industries.
- Initially, the malware was likely developed by cyber-criminals, then repurposed and shared with other actors.

- The Chinese border police extract data from phones belonging to people visiting the Xinjiang region, as they cross the border.
- An Android app is used to find specific content on the devices. iPhones are also impacted.
- These techniques are consistent with China’s overall domestic cyber-surveillance strategy.

Western technology firms targeted by Chinese threat actors
- Chinese hackers breached the networks of several technology firms, globally, from 2010 to 2017.
- The attacks were reportedly conducted by first penetrating the cloud computing service of Hewlett Packard Enterprise.
- Technology companies racing against Chinese firms appear to have been priority targets.

Russian digital services provider targeted by Western intelligence agencies
- Hackers breached the systems of Russian digital services provider Yandex.
- The breach occurred between October and November 2018.
- A private assessment by Kaspersky concluded hackers likely tied to Western intelligence breached Yandex using Regin.
- Previous Regin attacks (Belgacom case publicly uncovered in 2014) were attributed to US and British intelligence agencies.

Global espionage campaign targeting the telecommunications sector
- A global cyber-espionage campaign has targeted telecommunications providers from Africa, the Middle East, and Europe.
- Attackers were looking for call detail records, along with other personal data, credentials and geo-location of specific individuals.
- The interest and resources shown by the attackers denote a highly likely state-sponsored espionage origin.

US & Russia mutually targeting their power grids
- A New York Times report alleges that the US has infiltrated the Russian electrical grid with offensive malware.
- The infiltration is not known to have been linked with any disruption.
- If the report is true, this activity poses risks of escalation and retaliation.
- A separate report by a security company indicates that a Russian threat group is probing US and Asian electrical grids.

Ransomware paralyses European aircraft supplier
- Belgium-based airplane parts and aviation structures business ASCO Industries has been hit by a cyber-attack.
- ASCO confirmed that the breach was allegedly related to a piece of ransomware.
- The company provides components to Airbus, Boeing, Bombardier Aerospace, and Lockheed Martin.
- About 1,000 people (70 percent of employees in Belgium) were sent home on unpaid leave in Zaventem.
- According to media, production was shut down in Belgium and other countries (Canada, Germany, USA, Brazil, and France).

Hardware Security Modules not immune to hacking
- Security researchers released a paper revealing how they managed to hack a Hardware Security Module (HSM).
- HSMs are used to generate, manipulate and store sensitive cryptographic secrets (SIM cards, credit cards, secure boot hardware, disk and database encryption, PKI...).
- HSMs are also used by cloud service providers, such as Google or Amazon, allowing clients to centrally create, manage and use their cryptographic secrets.

High volume of European network traffic re-routed through China Telecom
- A routing incident led to 70 000 routes used for European traffic being redirected through China Telecom for over 2 hours.
- Border Gateway Protocol (BGP) errors are a relatively common issue but usually last just a few minutes.
- China Telecom has still not implemented some basic routing safeguards to detect and remediate them in a timely manner.

Android smartphones supply chain compromise
- Two Android smartphone models have been sold with pre-installed malware, affecting at least 20 000 users in Germany alone.
- For app developers, the introduction of undesirable functions might be the result of poor coding practices, or a deliberate criminal act to maximise the return on their investment.
- Since 2016, several Android-related supply chain compromises have been reported, affecting up to 141 Android smartphone models.

Ransomware extortion affecting local administrations
- In the US, the city of Baltimore’s IT infrastructure suffered a ransomware attack that created disruption in public services.
- The attack was most likely executed with the use of a ransomware dubbed Robbinhood.
- Similar ransomware attacks against local administrations or public services have taken place across the US and globally.

Abuse of access to user information by employees of social media / digital service companies
- Snapchat personnel abused their level of access to user data some years ago.
- Corporate Gmail accounts had their passwords stored in plain text.
- These are the most recent cases of social media platforms exposing user data to insider abuse.

Malware authors increasingly use legitimate certificates to bypass defences
- Malware authors increasingly use legitimate certificates to sign their code.
- Certificate authorities sometimes fail to verify the identities of people applying for code-signing certificates.
- Signing malware with legitimate certificates increases the chance of remaining undetected.

Wireless attacks on aircraft instrument landing systems
- Modern aircraft rely heavily on several wireless technologies for communications, control, and navigation.
- Attackers could potentially change the course of a flight using commercially available equipment.
- The systems used to guide planes could be hijacked by compromising and spoofing the radio signals that are used during landing.

Gothic Panda possibly used DoublePulsar a year before the Shadow Brokers leak
- Gothic Panda may have used an Equation Group tool at least one year before the Shadow Brokers leak.
- It is unknown how the threat group obtained the tool.
- This is a good example of a threat actor re-using cyber weapons that were originally fielded by another group.

Chinese mass surveillance systems: insights and export
- A database containing personal data of Chinese citizens was left unprotected on the Internet.
- These personal data were purportedly collected using smart cities and mass surveillance technologies.
- Human Rights Watch released a report detailing how the Chinese government is using such technologies as a means to invade their citizens’ privacy.
- Chinese companies and start-ups are exporting these technologies to foreign countries.

Hacking groups compete for cryptojacking cloud-based infrastructure
- Two hacking groups associated with large-scale cryptomining campaigns wage war on one another.
- Pacha Group and Rocke Group compete to compromise as much cloud-based infrastructure as possible.
- One group is using techniques to kill any other cryptocurrency malware running on infected machines.
- Cloud infrastructure is quickly becoming a common target for threat actors, particularly on vulnerable Linux servers.

Cyber-attacks lead to conventional military strikes
- Israel Defence Forces destroyed the headquarters of the main cyber unit of the Palestinian organisation Hamas by airstrikes.
- The assault is likely to be the first true example of a physical attack being used as a real-time response to digital aggression.
- Affected entities will likely rebuild their lost capabilities and continue to conduct cyber operations against Israeli targets.

Docker breach exposes a significant number of accounts
- Docker Hub, an open repository of software containers, announced a breach affecting about 190 000 of its users.
- As the breach affects associated development platforms, it may impact several stages of software development workflows.
- Threat actors adopt supply chain attacks as a method to bypass some of the traditional IT security measures.

Cyber enabled espionage in the aviation sector
- A General Electric employee reportedly stole aerospace turbine technology secrets for the benefit of China.
- The spy used several methods such as encryption, exfiltration via USB storage devices, steganography and sending stolen files to his personal email address.
- China has been suspected of conducting cyber-espionage operations in the aviation sector for several years.
- According to researchers, since 2004 a total of 20 active Chinese threat actor groups have been detected targeting aviation as a whole.

Facebook urged to control the spread of US law enforcement fake accounts
- US Immigration and Customs Enforcement used fake accounts on Facebook to identify people committing immigration fraud.
- The agency created social media profiles for a non-existent university and its staff.
- All this activity violates Facebook’s policies but the involved US agencies have shown no concern.
- Facebook is urged to curb the proliferation of undercover law enforcement accounts on the social media platform.

Cyberattacks enabled disinformation in Lithuania
- The Lithuanian Ministry of Defence was targeted by a disinformation campaign.
- The dissemination of disinformation was likely enabled and facilitated by cyberattacks.

- TRITON is a sophisticated malware framework with the capacity to manipulate industrial safety systems, cause physical damage and shut down operations.
- TRITON authors are believed to have ties with a Moscow-based scientific research institute.
- Victims have been identified in the Middle East and in North America.
- A comprehensive analysis of techniques and tools linked to TRITON has recently been published to help detect and hunt related attacks.

A Cryptojacking campaign had disruptive impact
- The systems of a Japanese company were shut down following a first-stage attack suspected to precede a cryptojacking campaign.
- This incident highlights the disruptive nature of cryptojacking attacks and their ability to affect victims' operations.
- In 2018, several cases of disruption caused by cryptojacking attacks were reported.

Airports & Operational Technology: 4 Attack Scenarios
- Security in global aviation is increasingly dependent on vulnerabilities in information technology (IT) and operational technology (OT) systems.
- Airports are using several critical OT systems (e.g. baggage control, runway lights, air conditioning, and power).
- Four important risk vectors have been more specifically identified: Baggage Handling, Aircraft Tugs, De-icing Systems, Fuel Pumps.

WinRAR zero-day exploited in many attacks
- On February 20, a 20-year-old zero-day vulnerability in the archiving software WinRAR was publicly revealed.
- On February 26, a patched version of WinRAR was released; the update must be applied manually.
- More than a hundred unique exploits have been spotted since the publication of proofs of concept and payload creation tools, after the disclosure.

Info
This website is managed by CERT-EU. Find out more about us.
For questions or comments, please contact us at:
email: services@cert.europa.eu
PGP Fingerprint: C9B2 0BAB 2C37 35AD FF79 7949 AFBD 579A 5DDA 8E13
Emergency phone: +32 229 52100