Memos And Briefs
Executive Summary of CERT-EU's Threat Landscape Report 2019Q4
- A summary of direct threats to EU institutions, bodies and agencies - An overview of malware used - Targeted sectors and sectoral threats - Geographical threats
Ransomware in the transportation sector
- Transportation and logistics are particularly attractive to operators of ransomware. - Ransomware attacks against transportation operators usually follow one of three scenarios: opportunistic criminal infections, hybrid attacks perpetrated by state-sponsored actors, and cybercriminal big game hunting.
Free smartphones for low-income households shipped with malware
- Free smartphones issued under a welfare programme contained irremovable malware. - The company issuing the phones has denied that this software is malware, but publicly available analysis contradicts this. - The inclusion of data leaking malware is on the ri
SHA1 collision attacks shown to be practical
- New research demonstrates the practicality and affordability of collision attacks against the SHA-1 hash function. - SHA-1 has been considered unsafe since 2005. - The new findings matter because SHA-1 is still used in multiple applications.
Ransomware now combined with data leakage
- Ransomware extortion cases have started to include (and carry out) data leakage threats. - In a number of cases in December 2019 and January 2020, operators of ransomware released victims' internal data. - The tactic represents an upscaling of ransomware operations despite the additional technical and logistical requirements.
Lazarus Group financial targeting
- North Korean threat actor Lazarus Group continues to target financial institutions and cryptocurrencies. - The goal is likely to collect funds for North Korea. - Lazarus Group remains an important asset for the North Korean regime, for both revenue generation and technological cyber-espionage.
Waves of ransomware in December 2019
- Several high-profile ransomware attacks were observed in December 2019. - Public and private organisations in several countries and sectors have been affected. - In two cases, the ransom demanded reached $6M, the highest amount reported so far. - In two cases, cybercriminals leaked data belonging to their victims in an attempt to force payment of the ransom.
Major cryptocurrency provider compromised in a supply chain attack
- The official command line interface Monero wallet was compromised and used in a supply chain attack. - At least one person has reported financial loss due to the compromise. - Cryptocurrency platforms and software are a high-value target for cyber-thieves.
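The integrity check a user performs on a download such as the Monero command line wallet only helps if the published digests use a hash function without a practical collision attack and if the digest list itself is authenticated. The following Python is an added example, not code from CERT-EU, the Monero project or the SHA-1 collision research summarised above; the manifest format (`<algorithm>  <hex digest>  <filename>`), the artifact names and the byte strings are constructed for illustration. It parses a digest manifest, refuses entries that rely on MD5 or SHA-1 (a collision-prone hash lets an attacker ship a different file with the same digest), and compares digests in constant time.

```python
import hashlib
import hmac

# Hash functions with practical collision attacks: a manifest entry using one
# of these cannot distinguish a legitimate artifact from a colliding one.
WEAK_ALGORITHMS = {"md5", "sha1"}

# Constructed sample artifacts (stand-ins for real release binaries).
GOOD_BINARY = b"monero-wallet-cli: constructed stand-in for a release binary\n"
TAMPERED_BINARY = GOOD_BINARY.replace(b"release", b"trojanised")
OLD_TOOL = b"old-tool: constructed stand-in for a tool whose page lists only SHA-1\n"


def build_sample_manifest():
    """Constructed manifest: one SHA-256 entry and one SHA-1-only entry."""
    return (
        "# constructed manifest for this example\n"
        f"sha256  {hashlib.sha256(GOOD_BINARY).hexdigest()}  monero-wallet-cli\n"
        f"sha1  {hashlib.sha1(OLD_TOOL).hexdigest()}  old-tool\n"
    )


def parse_manifest(text):
    """Map filename -> (algorithm, expected hex digest); reject malformed lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed manifest line: {raw!r}")
        algo, digest, name = parts
        entries[name] = (algo.lower(), digest.lower())
    return entries


def verify_artifact(name, data, manifest):
    """Return (accepted, reason) for a downloaded artifact.

    The manifest itself must come from an authenticated source (for example a
    detached signature checked against the publisher's long-lived key); a
    digest list served from the same compromised host as the binary proves
    nothing, which is exactly the supply chain scenario described above.
    """
    if name not in manifest:
        return False, "no manifest entry"
    algo, expected = manifest[name]
    if algo in WEAK_ALGORITHMS:
        return False, f"manifest relies on collision-prone {algo}"
    if algo not in hashlib.algorithms_available:
        return False, f"unsupported algorithm {algo}"
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    manifest = parse_manifest(build_sample_manifest())
    for name, data in [("monero-wallet-cli", GOOD_BINARY),
                       ("monero-wallet-cli", TAMPERED_BINARY),
                       ("old-tool", OLD_TOOL),
                       ("unknown-file", b"")]:
        print(name, verify_artifact(name, data, manifest))
```

The SHA-1-only entry is rejected even when the digest would match: with a practical collision attack, a matching SHA-1 no longer says anything about which of two colliding files was downloaded.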
Major web hosting providers become victims of ransomware
- Outsourcing IT services such as web hosting, managed service providers and cloud service providers can increase an organisation's exposure to ransomware attacks. - In 2019, over 10 web hosting companies have already been victims of targeted ransomware incidents. - Since the largest known paid ransom came from a web hosting provider, cybercriminals will likely increase their efforts against this sector.
Silence cybercriminal group escalating attacks on banks
- The Russian-origin cybercriminal group Silence is attacking banks and financial institutions. - Since 2016, the group has improved its tools and escalated its activities to attack targets worldwide. - Its capabilities make it a potentially serious threat now and in the future.
Coordinated ransomware campaign in Spain
- Ransomware is targeting municipalities in Europe. - Multiple entities in Spain have seen significant outages because of the threat. - These attacks can be seen as a continuation of the Big Game Hunting tactics observed elsewhere in the world.
APT groups are exploiting vulnerabilities in various VPN products
- APT groups are reportedly exploiting vulnerabilities in several unpatched VPN products used worldwide. - US and UK agencies advise users to update VPN products from the affected vendors. - Affected VPN products were from Fortinet, Palo Alto Networks and Pulse Secure. - Some of the bugs were detailed at Black Hat USA in August, before attacks on Fortinet and Pulse Secure products were detected.
Iran’s APT35 targeting individuals tied to US 2020 elections
- An Iranian state-sponsored threat actor reportedly targeted accounts associated with a US presidential campaign. - The group has also reportedly targeted academic researchers focusing on Iran in France, the US and the Middle East. - Attempts by state-sponsored threat actors from various countries to compromise business or personal cloud-based email or social media accounts remain a significant threat. - Even if not technically sophisticated, social-engineering-enabled attempts to compromise cloud-based email or social network accounts remain an efficient method for motivated attackers.
Magecart cybercriminals leveraging public WiFi vulnerabilities
- Cyber-criminal groups dubbed Magecart are exploiting vulnerable e-commerce websites to steal user payment data. - One Magecart group has tested methods to compromise user devices browsing the internet via public WiFi hotspots. - The same group is also attempting to compromise code used by mobile app developers and affect a large user base.
Business email compromise on the rise
- In 2018, Business Email Compromise (BEC) overtook ransomware as the main cause of cyber-insurance claims. - Between June 2016 and July 2019, BEC reportedly accounted for $26.2 billion in financial losses worldwide. - BEC continues to grow, with a 100% increase in identified global exposed losses between May 2018 and July 2019. - Substantial financial losses due to BEC were publicly reported in August and September 2019.
Airbus supply chain hacked in a cyberespionage campaign
- According to Agence France-Presse (AFP), Airbus has fallen victim to a sophisticated cyber-espionage campaign. - Attackers reportedly breached the IT systems of several Airbus suppliers and, from there, penetrated Airbus's own IT systems. - Attackers were looking for certification documentation, sensitive information related to the engines of the A350 and A400M, and avionics details. - Several of AFP's sources suspect Chinese hacking groups, but no formal attribution has been made.
SIMjacking – an attack on mobile phones
- A newly published mobile phone SIM exploit, called Simjacker, allows attackers to stealthily spy on mobile users. - The exploit allows attackers to find the device’s location or fully ‘take over’ the mobile phone. - The vulnerability exploits a piece of legacy software which is not present in a large number of modern SIM cards. - The vulnerability is actively being exploited either by a private company or its customers to locate mobile phones and thus their users.
Large scale and powerful cyber surveillance by China
- According to researchers, Chinese authorities are purportedly monitoring Uyghurs, both locally and internationally, through cyber means. - The threat actors reportedly leveraged several techniques including multiple exploit chains against Android and iOS, several strategic web compromises, as well as bypassing the two-factor authentication of Google services. - The wide range of leveraged methods demonstrates the threat actors’ significant capabilities, funds and technical expertise.
Android exploits commanding higher price than ever before
- The price of Android exploits exceeds the price of iOS exploits for the first time. - This is possibly because Android security is improving relative to iOS. - The release of Android 10 is also a likely cause of the price increase.
Big Game Hunting in the public sector
- Big Game Hunting extortion campaigns by cybercriminals have become a significant threat to the public sector. - In the US, several ransomware attacks impacting local governments, cities and public services were recently observed. - Cybercriminals are striking victims with greater precision and timing. - Their attacks are well coordinated and they are demanding higher ransoms. - US officials are worried about attacks on the 2020 elections.
Corporate IoT – an intrusion path for APT groups
- APT28 reportedly attempted to compromise IoT devices to gain initial access to corporate networks. - Such attacks are likely to expand as more IoT devices are deployed in corporate environments.
Fighting disinformation on social networks in Hong Kong
- Twitter, Facebook and Google suspended thousands of accounts for “coordinated inauthentic behaviour” in Hong Kong. - The platforms’ operators claimed that accounts were associated with state-backed entities.
Russia’s security services against one another
- Since 2014, Russia's security services have been competing with each other. - They act independently and take unnecessary risks in order to gain political influence over their counterparts. - This has also resulted in an increase in treason allegations against high-ranking Russian officials.
Massive breach at Capital One, purportedly due to a cloud misconfiguration
- A breach at Capital One, a major US bank, compromised data belonging to more than 106 million customers in the US and Canada. - The breach was reportedly detected thanks to a vulnerability notification from an ethical security researcher. - The alleged hacker, who was arrested, was reportedly a former employee of Amazon Web Services, the cloud service provider of which Capital One was a customer. - The breach purportedly exploited a misconfigured web application used to access the cloud infrastructure.
Russian FSB projects leaked by hacktivists
- Russian FSB contractor SyTech was reportedly hacked and 7.5TB of data were leaked. - The leak contains information about at least 20 FSB digital monitoring projects. - A Russian-speaking hacktivist group dubbed DigitalRevolution is involved in the leak.
China’s Ministry of State Security likely role in cyber attacks
- Intrusion Truth, an anonymous entity, says that China’s MSS regional offices are likely involved in APT activities.
Cloud hosting firm iNSYNQ hit by ransomware attack
- Cloud hosting provider iNSYNQ experienced a ransomware attack that has left customers unable to access their data. - One week after the infection, restoration was not yet completed and iNSYNQ encouraged its customers to rely on local backups.
Extended use of the likely Chinese Winnti malware
- According to media, the Winnti malware has been used for cyber espionage purposes against German industries. - Initially, the malware was likely developed by cyber-criminals, then repurposed and shared with other actors.
Chinese border police extracting data from travellers' phones in Xinjiang
- Chinese border police extract data from the phones of people visiting the Xinjiang region as they cross the border. - An Android app is used to search the devices for specific content; iPhones are also affected. - These techniques are consistent with China’s overall domestic cyber-surveillance strategy.
Western technology firms targeted by Chinese threat actors
- Chinese hackers breached the networks of several technology firms globally from 2010 to 2017. - The attacks were reportedly conducted by first penetrating the cloud computing service of Hewlett Packard Enterprise. - Technology companies competing with Chinese firms appear to have been priority targets.
Russian digital services provider targeted by Western intelligence agencies
- Hackers breached the systems of Russian digital services provider Yandex. - The breach occurred between October and November 2018. - A private assessment by Kaspersky concluded hackers likely tied to Western intelligence breached Yandex using Regin. - Previous Regin attacks (Belgacom case publicly uncovered in 2014) were attributed to US and British intelligence agencies.
Global espionage campaign targeting the telecommunications sector
- A global cyber-espionage campaign has targeted telecommunications providers in Africa, the Middle East and Europe. - Attackers were looking for call detail records, along with other personal data, credentials and the geo-location of specific individuals. - The interest and resources shown by the attackers indicate a highly likely state-sponsored espionage origin.
US & Russia mutually targeting their power grids
- A New York Times report alleges that the US has infiltrated the Russian electrical grid with offensive malware. - The infiltration is not known to have been linked with any disruption. - If the report is true, this activity poses risks of escalation and retaliation. - A separate report by a security company indicates that a Russian threat group is probing US and Asian electrical grids.
Ransomware paralyses European aircraft supplier
- Belgium-based airplane parts and aerostructures business ASCO Industries has been hit by a cyber-attack. - ASCO confirmed the incident, which was reportedly caused by ransomware. - The company provides components to Airbus, Boeing, Bombardier Aerospace and Lockheed Martin. - About 1,000 people (70 percent of employees in Belgium) were sent home on unpaid leave in Zaventem. - According to media, production was shut down in Belgium and in other countries (Canada, Germany, USA, Brazil and France).
Hardware Security Modules not immune to hacking
- Security researchers released a paper revealing how they managed to hack a Hardware Security Module (HSM). - HSMs are used to generate, manipulate and store sensitive cryptographic secrets (SIM cards, credit cards, secure boot hardware, disk and database encryption, PKI...). - HSMs are also used by cloud service providers, such as Google or Amazon, allowing clients to centrally create, manage and use their cryptographic secrets.
High volume of European network traffic re-routed through China Telecom
- A routing incident led to 70 000 routes used for European traffic being redirected through China Telecom for over 2 hours. - Border Gateway Protocol (BGP) errors are a relatively common issue but usually last just a few minutes. - China Telecom has still not implemented some basic routing safeguards to detect and remediate such errors in a timely manner.
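The basic safeguards referred to above are the checks a transit provider applies to what a neighbour announces: accept from a customer only the prefixes that customer is registered to originate, tear the session down if the number of prefixes suddenly exceeds a configured maximum (which bounds a leak of tens of thousands of routes to minutes), and drop announcements whose origin AS contradicts the RPKI Route Origin Authorisations (ROAs). The Python below is an added example, not code from CERT-EU or any operator; it models these three checks over a ROA table, a customer session and announcements constructed from documentation prefixes (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 2001:db8::/32) and documentation AS numbers (64496 to 64511), none of which is real routing data. The origin check follows the RFC 6811 states (valid, invalid, not-found).

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """RPKI Route Origin Authorisation: origin_asn may announce prefix
    and its sub-prefixes down to max_length."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    origin_asn: int


@dataclass
class Session:
    """A BGP session with a customer: the prefixes it is registered to
    announce (from IRR/ROA data) and the max-prefix limit configured on it."""
    peer_asn: int
    allowed_prefixes: tuple
    max_prefix: int


def net(text):
    return ipaddress.ip_network(text, strict=True)


def covers(container, prefix):
    return container.version == prefix.version and prefix.subnet_of(container)


def rov_state(prefix, origin_asn, roas):
    """RFC 6811 origin validation: valid / invalid / not-found."""
    covering = [r for r in roas if covers(r.prefix, prefix)]
    if not covering:
        return "not-found"
    if any(r.origin_asn == origin_asn and prefix.prefixlen <= r.max_length
           for r in covering):
        return "valid"
    return "invalid"


def filter_announcements(session, announcements, roas):
    """Apply ingress filtering to (prefix, as_path) announcements from a customer.

    Returns {"accepted": [...], "rejected": [(prefix, reason), ...],
             "session_shutdown": bool}.  Announcements that are RPKI not-found
    are accepted, as most deployments do today.
    """
    accepted, rejected = [], []
    for prefix_text, as_path in announcements:
        prefix = net(prefix_text)
        if as_path[0] != session.peer_asn:
            rejected.append((prefix_text, "first AS in path is not the peer"))
            continue
        if not any(covers(a, prefix) for a in session.allowed_prefixes):
            # A prefix learned from elsewhere and re-announced: the leak case.
            rejected.append((prefix_text, "outside peer's registered prefixes"))
            continue
        state = rov_state(prefix, as_path[-1], roas)
        if state == "invalid":
            rejected.append((prefix_text, f"RPKI invalid for origin AS{as_path[-1]}"))
            continue
        accepted.append(prefix_text)
    # Max-prefix: a flood beyond the configured limit shuts the session down,
    # withdrawing everything learned from it.
    shutdown = len(accepted) > session.max_prefix
    if shutdown:
        rejected.extend((p, "max-prefix exceeded, session shut down") for p in accepted)
        accepted = []
    return {"accepted": accepted, "rejected": rejected, "session_shutdown": shutdown}


# Constructed ROA table and customer session (documentation ranges only).
SAMPLE_ROAS = (
    Roa(net("192.0.2.0/24"), 24, 64496),
    Roa(net("198.51.100.0/24"), 24, 64500),
    Roa(net("2001:db8::/32"), 48, 64496),
)
CUSTOMER = Session(peer_asn=64496,
                   allowed_prefixes=(net("192.0.2.0/24"), net("2001:db8::/32")),
                   max_prefix=3)
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", (64496,)),            # registered, RPKI valid
    ("192.0.2.128/25", (64496,)),          # more specific than ROA max length
    ("198.51.100.0/24", (64496, 64500)),   # someone else's prefix leaked via the customer
    ("2001:db8:1::/48", (64496,)),         # registered, within max length
    ("203.0.113.0/24", (64497, 64496)),    # AS path does not start with the peer
]

if __name__ == "__main__":
    result = filter_announcements(CUSTOMER, SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS)
    for p in result["accepted"]:
        print("accept", p)
    for p, why in result["rejected"]:
        print("reject", p, "-", why)
    leak = [(f"2001:db8:{i}::/48", (64496,)) for i in range(10)]
    print("flood of valid /48s shuts session:",
          filter_announcements(CUSTOMER, leak, SAMPLE_ROAS)["session_shutdown"])
```

Origin validation alone would not have stopped a leak in which the original origin AS is preserved along the path; that is why the per-peer prefix list and the max-prefix limit are the first two checks, with RPKI as a third line of defence against announcements from an unauthorised origin.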
Android smartphones supply chain compromise
- Two Android smartphone models have been sold with pre-installed malware, affecting at least 20 000 users in Germany alone. - On the app developers' side, the introduction of undesirable functions might be the result of poor coding practices or a deliberate criminal act to maximise return on investment. - Since 2016, several Android-related supply chain compromises have been reported, affecting up to 141 Android smartphone models.
Ransomware extortion affecting local administrations
- In the US, the city of Baltimore’s IT infrastructure suffered a ransomware attack that created disruption in public services. - The attack was most likely executed with the use of a ransomware dubbed Robbinhood. - Similar ransomware attacks against local administrations or public services have taken place across the US and globally.
Abuse of access to user information by employees of social media / digital service companies
- Snapchat personnel abused their level of access to user data some years ago. - Corporate Gmail accounts had their passwords stored in plain text. - These are the most recent cases of social media platforms exposing user data to insider abuse.
Malware authors increasingly use legitimate certificates to bypass defences
- Malware authors increasingly use legitimate certificates to sign their code. - Certificate authorities sometimes fail to verify the identities of people applying for code-signing certificates. - Signing malware with legitimate certificates increases the chance of remaining undetected.
Wireless attacks on aircraft instrument landing systems
- Modern aircraft rely heavily on several wireless technologies for communications, control, and navigation. - Attackers could potentially change the course of a flight using commercially available equipment. - The systems used to guide planes could be hijacked by compromising and spoofing the radio signals that are used during landing.
Gothic Panda possibly used DoublePulsar a year before the Shadow Brokers leak
- Gothic Panda may have used an Equation Group tool at least one year before the Shadow Brokers leak. - It is unknown how the threat group obtained the tool. - This is a good example of a threat actor re-using cyber weapons that were originally fielded by another group.
Chinese mass surveillance systems: insights and export
- A database containing personal data of Chinese citizens was left unprotected on the Internet. - These personal data were purportedly collected using smart city and mass surveillance technologies. - Human Rights Watch released a report detailing how the Chinese government is using such technologies as a means to invade its citizens’ privacy. - Chinese companies and start-ups are exporting these technologies to foreign countries.
Hacking groups compete for cryptojacking cloud-based infrastructure
- Two hacking groups associated with large-scale cryptomining campaigns wage war on one another. - Pacha Group and Rocke Group compete to compromise as much cloud-based infrastructure as possible. - One group is using techniques to kill any other cryptocurrency malware running on infected machines. - Cloud infrastructure is quickly becoming a common target for threat actors, particularly on vulnerable Linux servers.
Cyber-attacks lead to conventional military strikes
- Israel Defence Forces destroyed the headquarters of the main cyber unit of the Palestinian organisation Hamas by airstrikes. - The assault is likely to be the first true example of a physical attack being used as a real-time response to digital aggression. - Affected entities will likely rebuild their lost capabilities and continue to conduct cyber operations against Israeli targets.
Docker breach exposes a significant number of accounts
- Docker Hub, an open repository of container images, announced a breach affecting about 190 000 of its users. - As the breach affects associated development platforms, it may impact several stages of software development workflows. - Threat actors adopt supply chain attacks as a method to bypass some traditional IT security measures.
Cyber enabled espionage in the aviation sector
- A General Electric employee reportedly stole aerospace turbine technology secrets for the benefit of China. - The spy used several methods, such as encryption, exfiltration via USB storage devices, steganography and sending stolen files to his personal email address. - China has been suspected of conducting cyber-espionage operations in the aviation sector for several years. - According to researchers, since 2004 a total of 20 active Chinese threat actor groups have been detected targeting aviation as a whole.
Facebook urged to control the spread of US law enforcement fake accounts
- US Immigration and Customs Enforcement used fake accounts on Facebook to identify people committing immigration fraud. - The agency created social media profiles for a non-existent university and its staff. - All this activity violates Facebook’s policies but the involved US agencies have shown no concern. - Facebook is urged to curb the proliferation of undercover law enforcement accounts on the social media platform.
Cyberattacks enabled disinformation in Lithuania
- The Lithuanian Ministry of Defence was targeted by a disinformation campaign. - The dissemination of disinformation was likely enabled and facilitated by cyberattacks.
TRITON malware framework targeting industrial safety systems
- TRITON is a sophisticated malware framework with the capacity to manipulate industrial safety systems, cause physical damage and shut down operations. - TRITON's authors are believed to have ties with a Moscow-based scientific research institute. - Victims have been identified in the Middle East and in North America. - A comprehensive analysis of techniques and tools linked to TRITON has recently been published to help detect and hunt related attacks.
A Cryptojacking campaign had disruptive impact
- The systems of a Japanese company were shut down following a first-stage attack suspected to precede a cryptojacking campaign. - This incident highlights the disruptive nature of cryptojacking attacks and their ability to affect victims' operations. - In 2018, several cases of disruption caused by cryptojacking attacks were reported.
Airports & Operational Technology: 4 Attack Scenarios
- Security in global aviation is increasingly exposed to vulnerabilities in information technology (IT) and operational technology (OT) systems. - Airports rely on several critical OT systems (e.g. baggage control, runway lights, air conditioning and power). - Four important risk vectors have been more specifically identified: baggage handling, aircraft tugs, de-icing systems and fuel pumps.
WinRAR zero-day exploited in many attacks
- On February 20, a vulnerability that had been present in the archiving software WinRAR for about 20 years was publicly revealed. - On February 26, a patched version of WinRAR was released; the update must be done manually. - More than a hundred unique exploits have been spotted since the publication of proofs of concept and payload creation tools following the disclosure.
Info
This website is managed by CERT-EU.
For questions or comments, please contact us at:
email: services@cert.europa.eu
PGP Fingerprint: CBD6 07BA 59AC 4462 B98F 8DB2 32AB 2903 830D ACB8
Emergency phone: +3222990005
Thursday, February 6, 2020
4:26:00 PM CET