Threat intelligence

  • Cyber-attacks against the 2020 US elections - A first analysis

    Thursday, November 05, 2020 08:43:00 AM CET

    - According to US authorities and security companies, several actors attempted to influence or disrupt the US 2020 presidential elections.
    - Four categories of attacks have been identified: influence operations, cyberespionage, cybercrime, and hacktivism.
    - US authorities took measures such as dismantling attackers' infrastructure, charging or sanctioning individuals or organisations, and sharing technical alerts.
    - Public reports allow to draw a first synthetic analysis on the _state of the art_ for election interference risk mitigation.

  • Thanos ransomware: criminal and disruptive attacks

    Tuesday, October 20, 2020 03:25:00 PM CEST

    - Thanos is a ransomware-as-a-service offer used by different threat actors.
    - A variant was used for financial gain against various victims in Europe in June 2020.
    - Another variant was used in the Middle East and North Africa in July 2020.
    - Israeli researchers believe that the Iranian MuddyWater state-sponsored threat actor may also have used a variant of Thanos against prominent Israeli entities in September.

  • US DoJ indicts Russia’s Sandworm threat actor

    Tuesday, October 20, 2020 01:14:00 PM CEST

    - US authorities charged 6 members of the Russian Military Intelligence unit 74455 (aka Sandworm) threat actor.
    - Sandworm is accused of - mostly disruptive - cyberoperations in Ukraine (electric grid), France (political entities), UK and the Netherlands (chemical laboratories), Georgia (government, media), South Korea (2018 Winter Olympics) and globally (NotPetya).
    - This indictment follows sanctions imposed on the same organisation by the EU in July 2020.

  • Threat Landscape Report for Q3 2020 - Executive Summary

    Monday, October 19, 2020 05:51:00 PM CEST

    Direct Threats to EU Institutions, Bodies and Agencies

  • A cryptomining worm that steals AWS credentials

    Wednesday, August 19, 2020 06:01:00 PM CEST

    - A new piece of malware is targeting Amazon Web Services and steals credentials from them.
    - Furthermore it uses these credentials to breach and exploit other cloud-based services for cryptomining.
    - There is a proliferation of automated cloud attacks, largely based on insufficient security measures on these services.

  • Insecure S3 buckets can lead to serial exploitation

    Wednesday, August 19, 2020 06:00:00 PM CEST

    - Research shows that unsecured cloud-based storage buckets can be scanned for the existence of credentials.
    - The process of harvesting credentials and using them to exploit additional services has the potential to become automated.

  • Threat Landscape Report for Q2 2020 - Executive Summary

    Friday, July 31, 2020 04:36:00 PM CEST

    Direct Threats to EU Institutions, Bodies, and Agencies

  • Signed PDF documents vulnerable to manipulation

    Tuesday, July 28, 2020 03:45:00 PM CEST

    Key Points
    - 15 of the biggest PDF viewers are vulnerable to “Shadow Attack – Hide and Replace” involving manipulation of documents after signing.
    - The attack takes use of hidden layers in the document, invisible to the victim but included in the signed version.
    - Adobe, LibreOffice, Foxit and SodaPDF have issued patches for the vulnerability.

  • Largest ever DDoS in PPS against a European bank

    Saturday, July 04, 2020 01:02:00 PM CEST

    - The largest DDoS attack ever measured in packets per second (PPS) was mitigated by Akamai on June 21.
    - The attack reached a peak of 809 million PPS, more than double the previous PPS record.
    - The target was an unnamed European bank.

  • CERT-EU Cyber Brief - July 2020

    Friday, July 03, 2020 11:05:00 AM CEST

    Cyber Briefs are monthly executive reports that aim to present an overview of the most relevant developments in cyber security, based exclusively on open sources, with a view to inform political leadership and senior management in its constituency. Additional information on any item in this Brief can be provided upon request. Cyber Briefs are TLP:WHITE.

  • Largest ever DDoS attack targeted AWS

    Thursday, June 18, 2020 04:11:00 PM CEST

    - The largest DDoS attack ever recorded targeted AWS last February.
    - The attack lasted three days and the traffic reached 2,3 Tbps.
    - The attack highly likely targeted a single customer but had implications for the whole cloud services provider.

  • Recent state-sponsored disinformation operations on Twitter

    Tuesday, June 16, 2020 12:24:00 PM CEST

    - Twitter has discovered distinct state-sponsored disinformation operations originating in China, Russia and Turkey.
    - In previous months, countries such as Saudi Arabia, UAE, Egypt and Ecuador have also engaged in such campaigns.

  • Ransomware and auctions

    Friday, June 05, 2020 11:26:00 AM CEST

    - Cybercriminals behind the REvil ransomware are auctioning off sensitive data stolen from their victims.
    - The current auction prices range from $50 000 to $200 000.
    - The new tactic adopted by REvil operators marks an escalation in methods aimed at coercing victims to pay up.
    - Like for other recently introduced ransomware extortion schemes, it is likely to be adopted by other cybercriminal groups.

  • CERT-EU Cyber Brief - June 2020

    Tuesday, June 02, 2020 07:30:00 PM CEST

    Cyber Briefs are monthly executive reports that aim to present an overview of the most relevant developments in cyber security, based exclusively on open sources, with a view to inform political leadership and senior management in its constituency. Additional information on any item in this Brief can be provided upon request. Cyber Briefs are TLP:WHITE.

  • Massive trading of stolen data

    Wednesday, May 13, 2020 10:06:00 AM CEST

    - At least 11 digital services companies affected by several breaches in the previous period, now see their databases sold on the darknet.
    - A single cybercriminal actor is claiming to be in possession of all the data.
    - Microsoft΄s GitHub account was highly likely also breached by the same threat actor.

  • Corporate Mobile Device Management system breach

    Tuesday, May 12, 2020 09:57:00 AM CEST

    - Researchers have discovered a case where a mobile device management (MDM) system has been abused to spread malware to a large number of mobile devices in an enterprise.
    - The central role MDMs play in managing mobile devices gives them unique access potential in case they are breached.

  • Threat Landscape Report for Q1 2020 - Executive Summary

    Tuesday, April 21, 2020 11:20:00 AM CEST

    Direct Threats to EU Institutions, Bodies, and Agencies

  • Children of Mirai

    Monday, April 20, 2020 10:49:00 PM CEST

    Key Points
    - New IoT botnets are building on Mirai’s success.
    - With new features and persistence methods, these new attack tools are formidable threats.
    - Most such botnets are created for financial gain and are highly likely available for hire.

  • BGP hijacking by Rostelecom

    Monday, April 20, 2020 10:47:00 PM CEST

    Key Points
    - Rostelecom, a large Russian telecom provider, has committed a BGP hijacking on April 1.
    - BGP hijackings are myriad and often not intentional, although they can be used to obtain a man-in-the-middle position or to capture traffic for later decryption.
    - It is unclear if this incident was accidental.
    - Rostelecom has worked with one of the security firms reporting the incident on resolving it.

  • Cryptomining attacks on Docker systems

    Wednesday, April 15, 2020 02:12:00 PM CEST

    Key Points
    - Insecure instances of the popular Docker virtualisation platform are being targeted in a wide spread campaign aiming to abuse them for cryptomining.
    - The methodology of the campaign exposes unsecured Docker installations and may also endanger other hosted applications, the hosting server, and adjacent systems.
    - The case underlines the dangers of inadequate security configurations resulting in publicly exposed systems.

  • COVID-19 monitoring technology

    Wednesday, April 15, 2020 02:06:00 PM CEST

    Key Points
    - According to public reports, at least 33 countries have adopted monitoring technology to curb the COVID-19 pandemic as of April 15, 2020.
    - The purpose of this surveillance is to track entire or specific categories of populations, analyse movements, detect, diagnose and quarantine or alert individuals at risk.
    - Tracking projects have initially been started by governments, but now technology firms are proactively designing solutions.
    - Efforts to safeguard privacy vary significantly among countries.

  • Attacks on Elasticsearch databases

    Monday, April 06, 2020 04:58:00 PM CEST

    Key Points
    - The widely used Elasticsearch data aggregation and analysis service is being targeted by an automated campaign.
    - The campaign identifies and wipes internet exposed databases.
    - Elasticsearch services have in the past been repeatedly found accessible due to misconfigurations and bad management, exposing troves of data they were supposed to safekeep.

  • Mischievous RFC standards – ongoing threat

    Wednesday, April 01, 2020 09:24:00 AM CEST

    Key Points
    - The long-existingestablished and well- documented threat actor IETF (aka APT0) is likely to strike globally today.
    - Its historical activity of introducing mischievous standards into internet technology borders on the ridiculous.
    - Potential victims should scan their mail traffic for so-called RFC documents issued with today’s date and delete them immediately.

  • Attacks on Healthcare

    Monday, March 23, 2020 05:38:00 PM CET

    - Healthcare organisations provide interesting targets to cyber criminals.
    - Due to the criticality of their function, they are more prone to submit to cyber-extortion.
    - The most prevalent type of attack in the sector is ransomware.

  • Cookiethief allows for social media account takeover

    Tuesday, March 17, 2020 09:24:00 AM CET

    Key Points
    - A newly discovered malware steals cookies from social network apps such as Facebook.
    - The attacker can then completely take over the victim’s social network account.
    - The malware abuses the trusted relationship between the victim’s device and the social network.
    - This attack is particularly difficult for the social network to detect.

  • Coronavirus – Cyber exploitation

    Friday, March 06, 2020 02:18:00 PM CET

    - Heightened public interest on the coronavirus spurs cybercriminal and disinformation operations.
    - At least six different pieces of malware have been distributed using fraudulent coronavirus-themed emails in several campaigns worldwide.
    - At least two likely state-sponsored information operations have been reported.

  • Credit-card web-skimming infections can last several months

    Friday, February 28, 2020 01:00:00 PM CET

    - E-commerce websites infections by credit-card web-skimmers can last several months.
    - The lack of security monitoring and reaction to notifications by e-commerce websites’ owners constitutes a major risk factor.
    - Online shops with large audiences would typically dedicate more resources in patching security flaws and therefore would likely be less risky.

  • Russian intelligence officers caught scouting undersea cables

    Wednesday, February 26, 2020 12:18:00 PM CET

    - Russian agents were seen scouting undersea fibre-optic internet cables arriving at the Irish shore.
    - Irish police sources link the agents to Russian military intelligence service GRU.
    - It is currently unclear what their exact goal was.

  • US indicts Chinese military hackers

    Monday, February 24, 2020 12:39:00 PM CET

    - The US Department of Justice charged four Chinese members of the People’s Liberation Army for conspiracy and hacking.
    - Indictments have been a component of the US cyber diplomatic and juridical toolbox since at least 2014.
    - In 2019 US technology firms started to enforce the US government’s sanctions against selected “foreign adversaries”.

  • State actors targeting mobile phones

    Monday, February 24, 2020 12:38:00 PM CET

    - Amazon CEO’s mobile was highly likely infected by espionage malware, that exfiltrated personal information.
    - The infection was highly likely caused by Saudi Arabia rulers’ messages.
    - Likely candidates for the malware used are a number of espionage platforms marketed to governments.
    - Mobile devices continuously seen as valuable resources of personal and financial information by state and criminal actors.

  • Executive Summary of CERT-EU's Threat Landscape Report 2019Q4

    Friday, January 24, 2020 01:50:00 PM CET

    - A summary of direct threats to EU institutions, bodies and agencies
    - An overview of malware used
    - Targeted sectors and sectoral threats
    - Geographical threats

  • Ransomware in the transportation sector

    Wednesday, January 22, 2020 01:31:00 PM CET

    - Transportation and logistics are particularly attractive to operators of ransomware.
    - Ransomware attacks against transportation operators usually correspond to the following scenarios: opportunistic criminal infections, hybrid attacks perpetrated by state-sponsored attacks, cybercriminal big game hunting.

  • Free smartphones for low-income households shipped with malware

    Wednesday, January 22, 2020 01:31:00 PM CET

    - Free smartphones being issued in a welfare program contained irremovable malware.
    - The company issuing the phones has denied this software is malware, but this is repudiated by public knowledge.
    - The inclusion of data leaking malware is on the ri

  • SHA1 collision attacks shown to be practical

    Wednesday, January 22, 2020 01:30:00 PM CET

    - A new research demonstrates the practicality and affordability of attacks against the SHA1 hash1 function.
    - SHA1 has been considered unsafe since 2005.
    - The new findings are relevant because SHA1 is still used in multiple applications.

  • Ransomware now combined with data leakage

    Wednesday, January 22, 2020 01:30:00 PM CET

    - Ransomware extortion cases have started to include (and realise) data leakage threats.
    - In a number of cases in December 2019 and January 2020 operators of ransomware released victim's internal data.
    - The tactic represents an upscaling of ransomware operations in spite of the technical and logistical requirements.

  • Lazarus Group financial targeting

    Wednesday, January 22, 2020 01:28:00 PM CET

    - North Korean threat actor Lazarus Group continues to target financial institutions and cryptocurrencies.
    - The goal is likely collecting funds for North Korea.
    - Lazarus Group continues to be an important asset for the North Korean regime for both revenue generation, but also technological cyberespionage.

  • Waves of ransomware in December 2019

    Tuesday, January 07, 2020 10:13:00 AM CET

    - Several high-profile ransomware attacks were observed in December 2019.
    - Public and private organisations in several countries and sectors have been affected.
    - In two cases, the ransom note reached $6M, the highest amount reported so far.
    - In two cases, cybercriminals have leaked data belonging to their victim in an attempt to force the payment of the ransom.

  • Major cryptocurrency provider compromised in a supply chain attack

    Tuesday, January 07, 2020 10:10:00 AM CET

    - The official command line interface Monero wallet was compromised and used in a supply chain attack.
    - At least one person has reported financial loss due to the compromise.
    - Cryptocurrency platforms and software are a high-value target for cyber-thieves.

We got cookies

We only use cookies that are necessary for the technical functioning of our website. Find out more on here.