Memos And Briefs

CERT-EU Cyber Brief - May 2022

Cyber Security Briefs are monthly executive reports that aim to present an overview of the most relevant developments in cyber security, based exclusively on open sources, with a view to informing political leadership and senior management in its constituency. Additional information on any item in this Brief can be provided upon request. Cyber Briefs are TLP:WHITE.

  Wednesday, June 1, 2022 2:08:00 PM CEST

CERT-EU Threat Landscape Report for Q1 2022 - Executive Summary

  Wednesday, May 25, 2022 5:57:00 PM CEST

CERT-EU Threat Landscape Report for Q4 2021 - Executive Summary

  Tuesday, February 1, 2022 10:01:00 AM CET

CERT-EU Threat Landscape Report for Q3 2021 - Executive Summary

  Friday, October 29, 2021 1:42:00 PM CEST

CERT-EU Threat Landscape Report for Q2 2021 - Executive Summary

  Friday, July 30, 2021 2:23:00 PM CEST

CERT-EU Threat Landscape Report - Volume 1

This document presents a consolidated overview of the principal cyber threats to which the EU institutions, bodies and agencies are currently exposed or are likely to face in the foreseeable future.

  Monday, June 14, 2021 10:46:00 AM CEST

CERT-EU Threat Landscape Report for Q1 2021 - Executive Summary

Direct Threats to EU Institutions, Bodies, and Agencies

  Wednesday, May 12, 2021 4:23:00 PM CEST

Cyber-attacks against the 2020 US elections - A first analysis

- According to US authorities and security companies, several actors attempted to influence or disrupt the US 2020 presidential elections.
- Four categories of attacks have been identified: influence operations, cyberespionage, cybercrime, and hacktivism.
- US authorities took measures such as dismantling attackers' infrastructure, charging or sanctioning individuals or organisations, and sharing technical alerts.
- Public reports allow a first consolidated analysis of the _state of the art_ in election interference risk mitigation.

  Thursday, November 5, 2020 9:43:00 AM CET

Thanos ransomware: criminal and disruptive attacks

- Thanos is a ransomware-as-a-service offer used by different threat actors.
- A variant was used for financial gain against various victims in Europe in June 2020.
- Another variant was used in the Middle East and North Africa in July 2020.
- Israeli researchers believe that the Iranian MuddyWater state-sponsored threat actor may also have used a variant of Thanos against prominent Israeli entities in September.

  Tuesday, October 20, 2020 3:25:00 PM CEST

US DoJ indicts Russia's Sandworm threat actor

- US authorities charged 6 members of the Russian Military Intelligence unit 74455 (aka Sandworm) threat actor.
- Sandworm is accused of (mostly disruptive) cyber operations in Ukraine (electric grid), France (political entities), the UK and the Netherlands (chemical laboratories), Georgia (government, media), South Korea (2018 Winter Olympics) and globally (NotPetya).
- This indictment follows sanctions imposed on the same organisation by the EU in July 2020.

  Tuesday, October 20, 2020 1:14:00 PM CEST

CERT-EU Threat Landscape Report for Q3 2020 - Executive Summary

Direct Threats to EU Institutions, Bodies and Agencies

  Monday, October 19, 2020 5:51:00 PM CEST

A cryptomining worm that steals AWS credentials

- A new piece of malware targets Amazon Web Services deployments and steals credentials from them.
- It then uses these credentials to breach and exploit other cloud-based services for cryptomining.
- There is a proliferation of automated cloud attacks, largely enabled by insufficient security measures on these services.

  Wednesday, August 19, 2020 6:01:00 PM CEST

Insecure S3 buckets can lead to serial exploitation

- Research shows that unsecured cloud-based storage buckets can be scanned for the existence of credentials.
- The process of harvesting credentials and using them to exploit additional services has the potential to become automated.

  Wednesday, August 19, 2020 6:00:00 PM CEST

CERT-EU Threat Landscape Report for Q2 2020 - Executive Summary

Direct Threats to EU Institutions, Bodies, and Agencies

  Friday, July 31, 2020 4:36:00 PM CEST

Signed PDF documents vulnerable to manipulation

Key Points
- 15 of the biggest PDF viewers are vulnerable to "Shadow Attack - Hide and Replace", involving manipulation of documents after signing.
- The attack makes use of hidden layers in the document, invisible to the victim but included in the signed version.
- Adobe, LibreOffice, Foxit and SodaPDF have issued patches for the vulnerability.

  Tuesday, July 28, 2020 3:45:00 PM CEST

Largest ever DDoS in PPS against a European bank

- The largest DDoS attack ever measured in packets per second (PPS) was mitigated by Akamai on June 21.
- The attack reached a peak of 809 million PPS, more than double the previous PPS record.
- The target was an unnamed European bank.

  Saturday, July 4, 2020 1:02:00 PM CEST

CERT-EU Cyber Brief - July 2020

Cyber Security Briefs are monthly executive reports that aim to present an overview of the most relevant developments in cyber security, based exclusively on open sources, with a view to informing political leadership and senior management in its constituency. Additional information on any item in this Brief can be provided upon request. Cyber Briefs are TLP:WHITE.

  Friday, July 3, 2020 11:05:00 AM CEST

Largest ever DDoS attack targeted AWS

- The largest DDoS attack ever recorded targeted AWS last February.
- The attack lasted three days and the traffic reached 2.3 Tbps.
- The attack highly likely targeted a single customer but had implications for the whole cloud services provider.

  Thursday, June 18, 2020 4:11:00 PM CEST

Recent state-sponsored disinformation operations on Twitter

- Twitter has discovered distinct state-sponsored disinformation operations originating in China, Russia and Turkey.
- In previous months, countries such as Saudi Arabia, UAE, Egypt and Ecuador have also engaged in such campaigns.

  Tuesday, June 16, 2020 12:24:00 PM CEST

Ransomware and auctions

- Cybercriminals behind the REvil ransomware are auctioning off sensitive data stolen from their victims.
- The current auction prices range from $50 000 to $200 000.
- The new tactic adopted by REvil operators marks an escalation in methods aimed at coercing victims to pay up.
- As with other recently introduced ransomware extortion schemes, it is likely to be adopted by other cybercriminal groups.

  Friday, June 5, 2020 11:26:00 AM CEST

CERT-EU Cyber Brief - June 2020

Cyber Security Briefs are monthly executive reports that aim to present an overview of the most relevant developments in cyber security, based exclusively on open sources, with a view to informing political leadership and senior management in its constituency. Additional information on any item in this Brief can be provided upon request. Cyber Briefs are TLP:WHITE.

  Tuesday, June 2, 2020 7:30:00 PM CEST

Massive trading of stolen data

- At least 11 digital services companies, affected by several breaches in the previous period, now see their databases sold on the darknet.
- A single cybercriminal actor is claiming to be in possession of all the data.
- Microsoft's GitHub account was highly likely also breached by the same threat actor.

  Wednesday, May 13, 2020 10:06:00 AM CEST

Corporate Mobile Device Management system breach

- Researchers have discovered a case where a mobile device management (MDM) system has been abused to spread malware to a large number of mobile devices in an enterprise.
- The central role MDMs play in managing mobile devices gives them unique access potential in case they are breached.

  Tuesday, May 12, 2020 9:57:00 AM CEST

CERT-EU Threat Landscape Report for Q1 2020 - Executive Summary

Direct Threats to EU Institutions, Bodies, and Agencies

  Tuesday, April 21, 2020 11:20:00 AM CEST

Children of Mirai

Key Points
- New IoT botnets are building on Mirai's success.
- With new features and persistence methods, these new attack tools are formidable threats.
- Most such botnets are created for financial gain and are highly likely available for hire.

  Monday, April 20, 2020 10:49:00 PM CEST

BGP hijacking by Rostelecom

Key Points
- Rostelecom, a large Russian telecom provider, carried out a BGP hijack on April 1.
- BGP hijacks are numerous and often not intentional, although they can be used to obtain a man-in-the-middle position or to capture traffic for later decryption.
- It is unclear if this incident was accidental.
- Rostelecom has worked with one of the security firms reporting the incident on resolving it.

  Monday, April 20, 2020 10:47:00 PM CEST

Cryptomining attacks on Docker systems

Key Points
- Insecure instances of the popular Docker virtualisation platform are being targeted in a widespread campaign aiming to abuse them for cryptomining.
- The methodology of the campaign exposes unsecured Docker installations and may also endanger other hosted applications, the hosting server, and adjacent systems.
- The case underlines the dangers of inadequate security configurations resulting in publicly exposed systems.

  Wednesday, April 15, 2020 2:12:00 PM CEST

COVID-19 monitoring technology

Key Points
- According to public reports, at least 33 countries have adopted monitoring technology to curb the COVID-19 pandemic as of April 15, 2020.
- The purpose of this surveillance is to track entire or specific categories of populations, analyse movements, detect, diagnose and quarantine or alert individuals at risk.
- Tracking projects were initially started by governments, but now technology firms are proactively designing solutions.
- Efforts to safeguard privacy vary significantly among countries.

  Wednesday, April 15, 2020 2:06:00 PM CEST

Attacks on Elasticsearch databases

Key Points
- The widely used Elasticsearch data aggregation and analysis service is being targeted by an automated campaign.
- The campaign identifies and wipes internet-exposed databases.
- Elasticsearch services have in the past been repeatedly found accessible due to misconfigurations and bad management, exposing troves of data they were supposed to safeguard.

  Monday, April 6, 2020 4:58:00 PM CEST

Mischievous RFC standards - ongoing threat

Key Points
- The long-established and well-documented threat actor IETF (aka APT0) is likely to strike globally today.
- Its historical activity of introducing mischievous standards into internet technology borders on the ridiculous.
- Potential victims should scan their mail traffic for so-called RFC documents issued with today's date and delete them immediately.

  Wednesday, April 1, 2020 9:24:00 AM CEST

Attacks on Healthcare

- Healthcare organisations provide interesting targets to cyber criminals.
- Due to the criticality of their function, they are more prone to submit to cyber-extortion.
- The most prevalent type of attack in the sector is ransomware.

  Monday, March 23, 2020 6:38:00 PM CET

Cookiethief allows for social media account takeover

Key Points
- A newly discovered malware steals cookies from social network apps such as Facebook.
- The attacker can then completely take over the victim's social network account.
- The malware abuses the trusted relationship between the victim's device and the social network.
- This attack is particularly difficult for the social network to detect.

  Tuesday, March 17, 2020 10:24:00 AM CET

Coronavirus - Cyber exploitation

- Heightened public interest in the coronavirus spurs cybercriminal and disinformation operations.
- At least six different pieces of malware have been distributed using fraudulent coronavirus-themed emails in several campaigns worldwide.
- At least two likely state-sponsored information operations have been reported.

  Friday, March 6, 2020 3:18:00 PM CET

Credit-card web-skimming infections can last several months

- Infections of e-commerce websites by credit-card web-skimmers can last several months.
- The lack of security monitoring and of reaction to notifications by e-commerce websites' owners constitutes a major risk factor.
- Online shops with large audiences would typically dedicate more resources to patching security flaws and would therefore likely be less risky.

  Friday, February 28, 2020 2:00:00 PM CET

Russian intelligence officers caught scouting undersea cables

- Russian agents were seen scouting undersea fibre-optic internet cables arriving at the Irish shore.
- Irish police sources link the agents to the Russian military intelligence service GRU.
- It is currently unclear what their exact goal was.

  Wednesday, February 26, 2020 1:18:00 PM CET

US indicts Chinese military hackers

- The US Department of Justice charged four Chinese members of the People's Liberation Army for conspiracy and hacking.
- Indictments have been a component of the US cyber diplomatic and juridical toolbox since at least 2014.
- In 2019 US technology firms started to enforce the US government's sanctions against selected "foreign adversaries".

  Monday, February 24, 2020 1:39:00 PM CET

State actors targeting mobile phones

- The Amazon CEO's mobile phone was highly likely infected by espionage malware that exfiltrated personal information.
- The infection was highly likely caused by messages from Saudi Arabia's rulers.
- Likely candidates for the malware used are a number of espionage platforms marketed to governments.
- Mobile devices continue to be seen as valuable sources of personal and financial information by state and criminal actors.

  Monday, February 24, 2020 1:38:00 PM CET

Executive Summary of CERT-EU's Threat Landscape Report 2019Q4

- A summary of direct threats to EU institutions, bodies and agencies
- An overview of malware used
- Targeted sectors and sectoral threats
- Geographical threats

  Friday, January 24, 2020 2:50:00 PM CET

Ransomware in the transportation sector

- Transportation and logistics are particularly attractive to operators of ransomware.
- Ransomware attacks against transportation operators usually correspond to the following scenarios: opportunistic criminal infections, hybrid attacks perpetrated by state-sponsored attackers, and cybercriminal big game hunting.

  Wednesday, January 22, 2020 2:31:00 PM CET

Free smartphones for low-income households shipped with malware

- Free smartphones being issued in a welfare program contained irremovable malware.
- The company issuing the phones has denied this software is malware, but this is contradicted by public knowledge.
- The inclusion of data leaking malware is on the ri

  Wednesday, January 22, 2020 2:31:00 PM CET

SHA1 collision attacks shown to be practical

- New research demonstrates the practicality and affordability of attacks against the SHA1 hash function.
- SHA1 has been considered unsafe since 2005.
- The new findings are relevant because SHA1 is still used in multiple applications.

  Wednesday, January 22, 2020 2:30:00 PM CET

Ransomware now combined with data leakage

- Ransomware extortion cases have started to include (and realise) data leakage threats.
- In a number of cases in December 2019 and January 2020, operators of ransomware released victims' internal data.
- The tactic represents an upscaling of ransomware operations in spite of the technical and logistical requirements.

  Wednesday, January 22, 2020 2:30:00 PM CET

Lazarus Group financial targeting

- The North Korean threat actor Lazarus Group continues to target financial institutions and cryptocurrencies.
- The goal is likely collecting funds for North Korea.
- Lazarus Group continues to be an important asset for the North Korean regime, for both revenue generation and technological cyberespionage.

  Wednesday, January 22, 2020 2:28:00 PM CET

Waves of ransomware in December 2019

- Several high-profile ransomware attacks were observed in December 2019.
- Public and private organisations in several countries and sectors have been affected.
- In two cases, the ransom note reached $6M, the highest amount reported so far.
- In two cases, cybercriminals have leaked data belonging to their victim in an attempt to force the payment of the ransom.

  Tuesday, January 7, 2020 11:13:00 AM CET

Major cryptocurrency provider compromised in a supply chain attack

- The official command line interface Monero wallet was compromised and used in a supply chain attack.
- At least one person has reported financial loss due to the compromise.
- Cryptocurrency platforms and software are a high-value target for cyber-thieves.

  Tuesday, January 7, 2020 11:10:00 AM CET

Major web hosting providers become victims of ransomware

- Outsourcing IT services such as web hosting, managed service providers and cloud service providers could increase the exposure of organisations to ransomware attacks.
- In 2019, over 10 web hosting companies have already been victims of targeted ransomware incidents.
- Since the largest known paid ransom was from a web-hosting provider, cybercriminals will likely increase their efforts.

  Monday, November 25, 2019 12:54:00 PM CET

The Silence group

- The Russian-origin cyber-criminal group Silence is attacking banks and financial institutions.
- Starting in 2016, the group has improved its tools and escalated its activities to attack worldwide.
- Its capabilities make it a potentially serious threat currently and in the future.

  Monday, November 25, 2019 12:53:00 PM CET

Coordinated ransomware campaign in Spain

- Ransomware is targeting municipalities in Europe.
- Multiple entities in Spain have seen significant outages because of the threat.
- These attacks can be seen as a continuation of the Big Game Hunting tactics observed elsewhere in the world.

  Monday, November 25, 2019 12:52:00 PM CET

APT groups are exploiting vulnerabilities in various VPN products

- APT groups are reportedly exploiting vulnerabilities in several unpatched VPN products used worldwide.
- US and UK agencies advise consumers to update VPN products from certain producers.
- Affected VPN products were from Fortinet, Palo Alto Networks and Pulse Secure.
- Certain bugs were detailed at Black Hat USA in August, before attacks on Fortinet and Pulse Secure were detected.

  Monday, November 25, 2019 12:51:00 PM CET

Iran's APT35 targeting individuals tied to US 2020 elections

- An Iranian state-sponsored threat actor reportedly targeted accounts associated with the US presidential campaign.
- The group has also reportedly targeted academic researchers focusing on Iran in France, the US and the Middle East.
- Attempts by state-sponsored threat actors from various countries to compromise business or personal cloud-based email or social media accounts remain a significant threat.
- Even if not technically sophisticated, social-engineering-enabled attempts to compromise cloud-based email or social network accounts remain an efficient method for motivated attackers.

  Monday, November 25, 2019 12:50:00 PM CET

Magecart cybercriminals leveraging public WiFi vulnerabilities

- Cyber-criminal groups dubbed Magecart are exploiting vulnerable e-commerce websites to steal user payment data.
- One Magecart group has tested methods to compromise user devices browsing the internet via public WiFi hotspots.
- The same group is also attempting to compromise code used by mobile app developers and affect a large user base.

  Monday, November 25, 2019 12:45:00 PM CET

Business email compromise on the rise

- In 2018, Business Email Compromise (BEC) overtook ransomware as the main reason behind cyber insurance claims.
- Between June 2016 and July 2019, BEC reportedly accounted for $26.2 billion in financial losses worldwide.
- BEC continues to grow, with a 100% increase in identified global exposed losses between May 2018 and July 2019.
- Substantial financial losses due to BEC were publicly reported in August and September 2019.

  Wednesday, October 2, 2019 1:44:00 PM CEST

Airbus supply chain hacked in a cyberespionage campaign

- According to Agence France Presse (AFP), Airbus has fallen victim to a sophisticated cyber-espionage campaign.
- Attackers reportedly breached the IT systems of several Airbus suppliers and, from there, penetrated Airbus's IT systems.
- Attackers were looking for certification documentation, sensitive information related to the A350 and A400M engines, as well as avionics details.
- Several of AFP's sources suspect Chinese hacking groups, but no formal attribution has been made.

  Wednesday, October 2, 2019 1:43:00 PM CEST

SIMjacking - an attack on mobile phones

- A newly published mobile phone SIM exploit, called Simjacker, allows attackers to stealthily spy on mobile users.
- The exploit allows attackers to find the device's location or fully 'take over' the mobile phone.
- The vulnerability exploits a piece of legacy software which is not present in a large number of modern SIM cards.
- The vulnerability is actively being exploited, either by a private company or its customers, to locate mobile phones and thus their users.

  Wednesday, October 2, 2019 1:41:00 PM CEST

Large scale and powerful cyber surveillance by China

- According to researchers, Chinese authorities are purportedly monitoring Uyghurs, both locally and internationally, through cyber means.
- The threat actors reportedly leveraged several techniques including multiple exploit chains against Android and iOS, several strategic web compromises, as well as bypassing the two-factor authentication of Google services.
- The wide range of leveraged methods demonstrates the threat actors' significant capabilities, funds and technical expertise.

  Wednesday, October 2, 2019 1:40:00 PM CEST

Android exploits commanding higher price than ever before

- The price of Android exploits exceeds the price of iOS exploits for the first time.
- This is possibly because Android security is improving relative to iOS.
- The release of Android 10 is also a likely cause for the price hike.

  Wednesday, October 2, 2019 1:36:00 PM CEST

Big Game Hunting in the public sector

- Big Game Hunting extortion campaigns by cybercriminals have become a significant threat to the public sector.
- In the US, several ransomware attacks impacting local governments, cities, and public services were recently observed.
- Cybercriminals are striking victims with greater precision and timing.
- Their attacks are very well coordinated and they are demanding higher ransoms.
- US officials are worried about attacks against the 2020 election.

  Wednesday, October 2, 2019 1:38:00 PM CEST

Corporate IoT - an intrusion path for APT groups

- APT28 reportedly attempted to compromise IoT devices to gain initial access to corporate networks.
- Such attacks are likely to expand as more IoT devices are deployed in corporate environments.

  Wednesday, October 2, 2019 1:31:00 PM CEST

Fighting disinformation on social networks in Hong Kong

- Twitter, Facebook and Google suspended thousands of accounts for "coordinated inauthentic behaviour" in Hong Kong.
- The platforms' operators claimed that the accounts were associated with state-backed entities.

  Wednesday, August 28, 2019 11:47:00 AM CEST

Russia's security services against one another

- Since 2014, Russia's security services have been in competition with each other.
- They act independently and take unnecessary risks in order to gain political influence over their counterparts.
- This has also resulted in an increase of treason allegations aimed at high-ranking Russian officials.

  Wednesday, August 14, 2019 4:17:00 PM CEST

Massive breach at Capital One, purportedly due to a cloud misconfiguration

- A breach at Capital One, a major US bank, compromised data belonging to more than 106 million customers in both the US and Canada.
- The breach was reportedly detected thanks to a vulnerability notification made by an ethical security researcher.
- The alleged hacker, who was arrested, was reportedly an employee of the Amazon Web Services cloud service company, of which Capital One was a customer.
- The breach purportedly exploited a misconfigured web application used to access the cloud infrastructure.

  Friday, August 2, 2019 9:55:00 AM CEST

Russian FSB projects leaked by hacktivists

- The Russian FSB contractor SyTech was reportedly hacked and 7.5 TB of data were leaked.
- The leak contains information about at least 20 FSB digital monitoring projects.
- A Russian-speaking hacktivist group dubbed DigitalRevolution is involved in the leak.

  Tuesday, July 30, 2019 10:06:00 AM CEST

China's Ministry of State Security and its likely role in cyber attacks

Intrusion Truth, an anonymous entity, says that China's MSS regional offices are likely involved in APT activities.

  Monday, July 29, 2019 4:16:00 PM CEST

Cloud hosting firm iNSYNQ hit by ransomware attack

- Cloud hosting provider iNSYNQ experienced a ransomware attack that has left customers unable to access their data.
- One week after the infection, restoration was not yet completed and iNSYNQ encouraged its customers to rely on local backups.

  Monday, July 29, 2019 9:51:00 AM CEST

Extended use of the likely Chinese Winnti malware

- According to media, the Winnti malware has been used for cyber espionage purposes against German industries.
- Initially, the malware was likely developed by cyber-criminals, then repurposed and shared with other actors.

  Thursday, July 25, 2019 2:09:00 PM CEST

Chinese surveillance app

- The Chinese border police extracts data from phones belonging to people visiting the Xinjiang region, as they cross the border.
- An Android app is used to find specific content on the devices. iPhones are also impacted.
- These techniques are consistent with China's overall domestic cyber-surveillance strategy.

  Wednesday, July 24, 2019 11:45:00 AM CEST

Western technology firms targeted by Chinese threat actors

- Chinese hackers breached the networks of several technology firms, globally, from 2010 to 2017.
- The attacks were reportedly conducted by first penetrating the cloud computing service of Hewlett Packard Enterprise.
- Technology companies racing against Chinese firms appear to have been priority targets.

  Wednesday, July 24, 2019 11:45:00 AM CEST

Russian digital services provider targeted by Western intelligence agencies

- Hackers breached the systems of Russian digital services provider Yandex.
- The breach occurred between October and November 2018.
- A private assessment by Kaspersky concluded that hackers likely tied to Western intelligence breached Yandex using Regin.
- Previous Regin attacks (the Belgacom case, publicly uncovered in 2014) were attributed to US and British intelligence agencies.

  Wednesday, July 24, 2019 11:44:00 AM CEST

Global espionage campaign targeting the telecommunications sector

- A global cyber-espionage campaign has targeted telecommunications providers from Africa, the Middle East, and Europe.
- Attackers were looking for call detail records, along with other personal data, credentials and geo-location of specific individuals.
- The interest and resources shown by the attackers denote a highly likely state-sponsored espionage origin.

  Wednesday, July 24, 2019 11:44:00 AM CEST

US & Russia mutually targeting their power grids

- A New York Times report alleges that the US has infiltrated the Russian electrical grid with offensive malware.
- The infiltration is not known to have been linked with any disruption.
- If the report is true, this activity poses risks of escalation and retaliation.
- A separate report by a security company indicates that a Russian threat group is probing US and Asian electrical grids.

  Wednesday, July 24, 2019 11:42:00 AM CEST

Ransomware paralyses European aircraft supplier

- Belgium-based airplane parts and aviation structuring business ASCO Industries has been hit by a cyber-attack.
- ASCO confirmed the breach, which was reportedly related to a piece of ransomware.
- The company provides components to Airbus, Boeing, Bombardier Aerospace, and Lockheed Martin.
- About 1,000 people (70 percent of employees in Belgium) were sent home on unpaid leave in Zaventem.
- According to media, production was shut down in Belgium and other countries (Canada, Germany, USA, Brazil, and France).

  Wednesday, July 24, 2019 11:41:00 AM CEST

Hardware Security Modules not immune to hacking

- Security researchers released a paper revealing how they managed to hack a Hardware Security Module (HSM).
- HSMs are used to generate, manipulate and store sensitive cryptographic secrets (SIM cards, credit cards, secure boot hardware, disk and database encryption, PKI...).
- HSMs are also used by cloud service providers, such as Google or Amazon, allowing clients to centrally create, manage and use their cryptographic secrets.

  Wednesday, July 24, 2019 11:41:00 AM CEST

High volume of European network traffic re-routed through China Telecom

- A routing incident led to 70 000 routes used for European traffic being redirected through China Telecom for over 2 hours.
- Border Gateway Protocol (BGP) errors are a relatively common issue but usually last just a few minutes.
- China Telecom has still not implemented some basic routing safeguards to detect and remediate them in a timely manner.

  Wednesday, July 24, 2019 11:40:00 AM CEST

Android smartphones supply chain compromise

- Two Android smartphone models have been sold with pre-installed malware affecting at least 20 000 users in Germany alone.
- For app developers, the introduction of undesirable functions might be the result of poor coding practices, or a deliberate criminal act to maximise the return on their investment.
- Since 2016, several Android-related supply chain compromises have been reported, affecting up to 141 Android smartphone models.

  Wednesday, July 24, 2019 11:39:00 AM CEST

Ransomware extortion affecting local administrations

- In the US, the city of Baltimore's IT infrastructure suffered a ransomware attack that created disruption in public services.
- The attack was most likely executed with the use of a ransomware dubbed Robbinhood.
- Similar ransomware attacks against local administrations or public services have taken place across the US and globally.

  Wednesday, July 24, 2019 11:36:00 AM CEST

Abuse of access to user information by employees of social media / digital service companies

- Snapchat personnel abused their level of access to user data some years ago.
- Corporate Gmail accounts had their passwords stored in plain text.
- These are the most recent cases of social media platforms exposing user data to insider abuse.

  Wednesday, July 24, 2019 11:36:00 AM CEST

Malware authors increasingly use legitimate certificates to bypass defences External link

- Malware authors increasingly sign their code with legitimate certificates. - Certificate authorities sometimes fail to verify the identity of applicants for code-signing certificates. - Signing malware with a legitimate certificate increases its chance of remaining undetected, because many defences treat validly signed code as trusted; a valid signature only proves that the code has not been altered since signing, not that the signer is benign.

  Wednesday, July 24, 2019 11:35:00 AM CEST

Wireless attacks on aircraft instrument landing systems External link

- Modern aircraft rely heavily on several wireless technologies for communications, control and navigation. - Attackers could potentially alter the course of a flight using commercially available radio equipment. - The instrument landing systems used to guide planes could be hijacked by spoofing the radio signals relied upon during landing.

  Wednesday, July 24, 2019 11:35:00 AM CEST

Gothic Panda possibly used DoublePulsar a year before the Shadow Brokers leak External link

- Gothic Panda may have used an Equation Group tool (DoublePulsar) at least one year before the Shadow Brokers leak. - It is unknown how the threat group obtained the tool. - This is a good example of a threat actor re-using cyber weapons originally fielded by another group.

  Wednesday, July 24, 2019 11:34:00 AM CEST

Chinese mass surveillance systems: insights and export External link

- A database containing the personal data of Chinese citizens was left exposed on the Internet. - The data were purportedly collected through smart city and mass surveillance technologies. - Human Rights Watch released a report detailing how the Chinese government uses such technologies to invade its citizens' privacy. - Chinese companies and start-ups are exporting these technologies to other countries.

  Wednesday, July 24, 2019 11:34:00 AM CEST

Hacking groups compete for cryptojacking cloud-based infrastructure External link

- Two hacking groups associated with large-scale cryptomining campaigns are waging war on one another. - The Pacha Group and the Rocke Group compete to compromise as much cloud-based infrastructure as possible. - One of the groups uses techniques to kill any other cryptocurrency-mining malware running on the machines it infects. - Cloud infrastructure is quickly becoming a common target for threat actors, particularly vulnerable Linux servers.
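A triage check for the kind of infection described above, as an added example that is not part of the original brief and not code from either group: it scans a process listing for miner command-line markers, binaries executing from world-writable directories, and system daemon names used from the wrong path, while deliberately not reporting high CPU on its own. The `ps` output, marker strings, directory lists and CPU threshold are constructed assumptions for the example.

```python
"""Added example: triage a process listing for cryptomining indicators.
Detection logic only; the 'ps' output below is constructed, and the marker
strings, directories and CPU threshold are the author's assumptions."""

# Command-line fragments typical of CPU miners (pool protocol, miner options).
MINER_MARKERS = ("stratum+tcp://", "stratum+ssl://", "--donate-level",
                 "xmrig", "minerd", "cryptonight", "nicehash")
# World-writable locations that legitimate daemons do not execute from.
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# Names that commodity miners borrow to blend in with system processes.
KNOWN_DAEMONS = {"crond", "sshd", "kworker", "kthreadd", "systemd"}
SYSTEM_DIRS = ("/usr/", "/bin/", "/sbin/", "/lib/")


def scan_ps(ps_text, cpu_threshold=80.0):
    """Map suspicious PIDs to the list of rules they triggered.
    High CPU on its own is not reported (a busy database looks the same)."""
    hits = {}
    for line in ps_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4 or parts[0] == "PID":
            continue                      # header or malformed line
        pid, cpu, cmd = int(parts[0]), float(parts[1]), parts[3]
        exe = cmd.split()[0]              # first token is the executable
        reasons = []
        if any(marker in cmd for marker in MINER_MARKERS):
            reasons.append("miner-cmdline")
        if exe.startswith(SUSPECT_DIRS):
            reasons.append("runs-from-tmp")
        if (exe.startswith("/") and exe.rsplit("/", 1)[-1] in KNOWN_DAEMONS
                and not exe.startswith(SYSTEM_DIRS)):
            reasons.append("masquerade")
        if cpu >= cpu_threshold:
            reasons.append("high-cpu")
        if [r for r in reasons if r != "high-cpu"]:
            hits[pid] = reasons
    return hits


# Constructed 'ps -eo pid,pcpu,user,args' output: a busy but legitimate
# database, and two miners that imitate daemon names from /tmp and /dev/shm.
PS_OUTPUT = """\
  PID %CPU USER     COMMAND
    1  0.0 root     /sbin/init
  812 97.0 postgres postgres: checkpointer
 2201  0.1 www-data nginx: worker process
 3417 97.5 www-data /tmp/.x/kworkerds -o stratum+tcp://pool.example:3333 -u wallet --donate-level=1
 3422 95.8 root     /dev/shm/.s/crond
 3901  2.0 root     sshd: root@pts/0
"""

if __name__ == "__main__":
    for pid, reasons in scan_ps(PS_OUTPUT).items():
        print(pid, ", ".join(reasons))
```

On the sample, PID 3417 triggers the miner, location and CPU rules and PID 3422 the location, masquerade and CPU rules; the PostgreSQL checkpointer at 97 % CPU is left alone. On a real host, pair this with a look at cron entries and at outbound connections to mining-pool ports, since a miner that has just been killed by a competitor will usually be re-downloaded by its persistence mechanism.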

  Wednesday, July 24, 2019 11:33:00 AM CEST

Cyber-attacks lead to conventional military strikes External link

- The Israel Defence Forces destroyed the headquarters of the main cyber unit of the Palestinian organisation Hamas in an airstrike. - The strike is likely to be the first true example of a physical attack used as a real-time response to digital aggression. - The affected entities will likely rebuild their lost capabilities and continue to conduct cyber operations against Israeli targets.

  Wednesday, July 24, 2019 11:32:00 AM CEST

Docker breach exposes a significant number of accounts External link

- Docker Hub, the public repository of container images, announced a breach affecting about 190 000 of its users. - Because the breach also affects linked source-code platforms used for automated builds, it may impact several stages of the software development workflow. - Threat actors adopt supply chain attacks as a way to bypass traditional IT security measures.
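One concrete control against the downstream effect of a registry breach, as an added example that is not part of the original brief or of Docker's own tooling: a build that names its base image by a mutable tag (`golang:1.12`) will silently pick up whatever that tag points to after the registry is tampered with, while a content digest (`@sha256:...`) names exactly one image. The script audits the `FROM` lines of a Dockerfile and reports the ones a supply-chain policy should reject. The Dockerfile text is constructed for the example and its digest value is a placeholder.

```python
"""Added example: audit a Dockerfile for base images not pinned by digest.
A mutable tag can be re-pointed at a trojaned image after a registry
compromise; '@sha256:<digest>' cannot. The Dockerfile text below is
constructed and its digest value is a placeholder, not a real image."""
import re

# '@sha256:' followed by 64 hex characters, at the end of the image reference.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# FROM [--platform=<p>] <image> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE)


def audit_dockerfile(text):
    """Return (line_no, image_ref, verdict) for every FROM instruction.
    Verdicts: 'digest' (immutable pin), 'tag' (mutable tag), 'latest'
    (no tag at all), 'stage' (earlier build stage) and 'scratch'."""
    stages, findings = set(), []
    for line_no, raw in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(raw)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        if alias:
            stages.add(alias.lower())
        if ref.lower() == "scratch":
            verdict = "scratch"
        elif ref.lower() in stages:
            verdict = "stage"
        elif DIGEST_RE.search(ref):
            verdict = "digest"
        else:
            # Look for ':' only in the last path component, so that a
            # registry host with a port ('host:5000/img') is not read as a tag.
            verdict = "tag" if ":" in ref.rsplit("/", 1)[-1] else "latest"
        findings.append((line_no, ref, verdict))
    return findings


def unpinned(findings):
    """The findings that a supply-chain policy should reject."""
    return [f for f in findings if f[2] in ("tag", "latest")]


DOCKERFILE = """\
# constructed multi-stage build for the example
FROM golang:1.12 AS builder
WORKDIR /src
COPY . .
RUN go build -o app .

FROM --platform=linux/amd64 registry.example.com:5000/team/base:1.2
COPY --from=builder /src/app /usr/local/bin/app

FROM alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS runtime
COPY --from=builder /src/app /app

FROM ubuntu
FROM builder
FROM scratch
"""

if __name__ == "__main__":
    for line_no, ref, verdict in unpinned(audit_dockerfile(DOCKERFILE)):
        print(f"line {line_no}: {ref} is not pinned ({verdict})")
```

The digest to pin against can be read from a locally pulled image with `docker image inspect --format '{{index .RepoDigests 0}}' <image>:<tag>`. Pinning is only half of the response to a registry breach: any registry credentials and linked source-control tokens that a CI pipeline stored for automated builds should be rotated as well.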

  Wednesday, July 24, 2019 11:31:00 AM CEST

Cyber enabled espionage in the aviation sector External link

- A General Electric employee reportedly stole aerospace turbine technology secrets for the benefit of China. - The spy used several methods, including encryption, exfiltration via USB storage devices, steganography and sending stolen files to his personal e-mail address. - China has been suspected of conducting cyber-espionage operations in the aviation sector for several years. - According to researchers, since 2004 a total of 20 active Chinese threat actor groups have been detected targeting aviation as a whole.

  Wednesday, July 24, 2019 11:30:00 AM CEST

Facebook urged to control the spread of US law enforcement fake accounts External link

- US Immigration and Customs Enforcement used fake Facebook accounts to identify people committing immigration fraud. - The agency created social media profiles for a non-existent university and its staff. - This activity violates Facebook's policies, but the US agencies involved have shown no concern. - Facebook is urged to curb the proliferation of undercover law enforcement accounts on its platform.

  Wednesday, July 24, 2019 11:30:00 AM CEST

Cyberattacks enabled disinformation in Lithuania External link

- The Lithuanian Ministry of Defence was targeted by a disinformation campaign. - The dissemination of the disinformation was likely enabled by cyber-attacks.

  Wednesday, July 24, 2019 11:29:00 AM CEST

New TRITON attack External link

- TRITON is a sophisticated malware framework capable of manipulating industrial safety systems, causing physical damage and shutting down operations. - The TRITON authors are believed to have ties with a Moscow-based scientific research institute. - Victims have been identified in the Middle East and in North America. - A comprehensive analysis of the techniques and tools linked to TRITON has recently been published to help detect and hunt related attacks.

  Wednesday, July 24, 2019 11:29:00 AM CEST

A Cryptojacking campaign had disruptive impact External link

- The systems of a Japanese company were shut down following a first-stage attack suspected of preceding a cryptojacking campaign. - This incident highlights the disruptive nature of cryptojacking attacks and their ability to affect victims' operations. - In 2018, several cases of disruption caused by cryptojacking attacks were reported.

  Wednesday, July 24, 2019 11:28:00 AM CEST

Airports & Operational Technology: 4 Attack Scenarios External link

- Security in global aviation is increasingly exposed to vulnerabilities in information technology (IT) and operational technology (OT) systems. - Airports operate several critical OT systems (e.g. baggage control, runway lights, air conditioning and power). - Four risk vectors have been identified more specifically: baggage handling, aircraft tugs, de-icing systems and fuel pumps.

  Wednesday, July 24, 2019 11:27:00 AM CEST

WinRAR zero-day exploited in many attacks External link

- On February 20, a 20-year-old zero-day vulnerability in the WinRAR archiving software was publicly disclosed. - On February 26, a patched version of WinRAR was released; as WinRAR has no automatic update mechanism, the update must be applied manually. - More than a hundred unique exploits have been observed since proofs of concept and payload creation tools were published following the disclosure.

  Wednesday, July 24, 2019 11:26:00 AM CEST


This website is managed by CERT-EU.

For questions or comments, please contact us at:

PGP Fingerprint:  C9B2 0BAB 2C37 35AD FF79 7949 AFBD 579A 5DDA 8E13

Emergency phone: +32 229 52100




Edition: 1, Saturday, June 25, 2022 6:06:00 PM CEST