Development Bank Of Kenya Attacked Under OpIcarus

Target: Development Bank Of Kenya

Attack Vector: Hack & Data Leak

Threat Actor: @UnitedSecTeam

Summary: The Anonymous-affiliated group @unitedsecteam has claimed responsibility for a hack and data leak against the Development Bank of Kenya (devbank[.]com) on 11th March 2018. The claim was accompanied by the hashtag #OpIcarus and is consistent with the group's previous attacks against banks during 2018.

Risk assessment summary: It is currently assessed that #OpIcarus presents a 3e MODERATE threat to the finance sector. However, the operation has also been directly linked to the energy sector and the Syrian civil war. Anonymous accused Genie Oil and Gas of precipitating the Syrian conflict in order to exploit Golan Heights oil reserves. They also accused the business of having an interest in a pipeline planned from Qatar to Europe and indicated that telecom, energy and government sector companies would be targeted.

Although @unitedsecteam has not released large amounts of data, it is likely that other hacktivists will also support #OpIcarus when not engaged in Catalonia- and Yemen-centric activity, presenting a greater threat to the targeted sectors. Although activity will remain at a relatively low level into the medium term, the release of even small amounts of data could still prove damaging to targeted organizations and have a disproportionate effect on reputation. Monitoring of the threat environment will continue in order to identify further actionable intelligence.


Vulnerability Exposed in Windows Devices via Cortana

Target: Windows systems with Cortana enabled.


Attack Vector: Intercepting web sessions or connecting a target machine to a network controlled by a threat actor.

Summary: While passwords are generally seen to protect computers and limit any threat unless the password can be bypassed, two Israeli researchers have found this is not the case with Windows devices. Using the Windows voice assistant Cortana, similar to Siri and Google Assistant, threat actors can carry out operations even while the target machine is locked. What is notable is that the other voice assistants, made by Apple and Google, offer only limited functionality when the machine is locked. Cortana offers far greater functionality on the lock screen than the others, leaving Windows systems exposed.

Risk assessment summary: This threat is assessed as 4C LOW. The flaw is very easy to exploit, so less skilled threat actors may also be able to carry out a successful attack. There are multiple threat vectors, which offer a threat actor a wide range of further attack options. Threat actors are also able to choose what type of malware they drop on a target machine, increasing the risk. However, threat actors would generally need physical access to a machine, lowering the likelihood of the initial attack.

FormGrabber Malware

Multiple Attack Vectors used to spread FormGrabber Malware

Target: Unpatched machines for two software vulnerabilities or victims of social engineering.

Attack Vector: Two buffer overflow exploits and social engineering.

Summary: FormGrabber is a piece of malware which, when present on a system, acts as a particularly effective piece of spyware. Screenshots, keystrokes and login details are captured and sent back to a threat actor. More recently it has been observed being delivered through an attack that is distinctive in following the growing trend of using multiple attack vectors to achieve its end goal.

Two vulnerabilities are exploited in this incident. The first is a historic buffer overflow vulnerability in Microsoft Equation Editor (CVE-2017-11882) and the second is a similar vulnerability (CVE-2018-0802) that exists because the patch for the former was not fully effective. In addition, social engineering techniques are employed in an attempt to deliver the payload to the target machine. This is only triggered as a final effort to deliver the payload and is not used if either of the initial attack vectors is successful.

Risk assessment summary: This threat is assessed as 3e MODERATE. The flaw is not particularly easy to exploit, as a threat actor would need to be skilled in compiling and executing remote .hta files. In addition, once in action the attack leaves a note that alerts the victim to the attack. This could limit the amount of time a threat actor has to snoop credentials and record keystrokes, lessening the risk. However, the fact that there are three separate attack methods increases the likelihood of a successful exploit, particularly as it has been observed being exploited in the wild.

Slingshot Malware

Slingshot Malware Found Infecting Machines via Compromised Routers

Target: The current targets for this malware are “sysadmin” users who use MikroTik routers.

Attack Vector: Zero-day vulnerability in MikroTik routers and data leaks.

Summary: An APT malware, dubbed Slingshot, has been discovered in MikroTik routers. It is currently unknown how the initial infection of the routers takes place; however, once transferred on to a device, it is able to load a number of different modules providing the attackers with the ability to steal a variety of information. The malware has been active since at least 2012 but was only detected in February of this year.

Risk assessment summary: The campaign is still live and the threat from information-stealing malware is direct. The risk is dependent on the information held on the infected device, and is heightened because this malware attempts to infiltrate “sysadmin” machines. Although the malware has so far been seen to have infected only a small number of victims, it is highly likely that the number is much more substantial, with the information gained being used in retaliation against the suspected nation-state actors.

MAC Malware

A macro view of MAC Malware

Malwarebytes has published a report detailing malware targeting Apple Macs. Tackling the fallacy that Mac users aren’t targeted by malware authors, the report gives several examples of Mac malware that have appeared in 2018. The headline figure is a 270% increase in Mac malware between 2016 and 2017, which has a clear business impact, particularly at companies employing a bring-your-own-device policy. According to Malwarebytes, most Mac users lack adequate protection against malware, adware or PUPs, which could leave businesses open to increased, unaccounted-for risk.

Strategic assessment:

This threat vector often gets overlooked, but as the Malwarebytes report makes clear, the trend of Mac-targeted malware is increasing. Already in 2018 several malware variants, using a wide range of techniques, have been witnessed. Several threat actors are also apparent, and they appear to be doing more than simply trying their hand at a traditionally under-targeted platform.

From man-in-the-middle attacks, such as the capable OSX.MaMi malware used to phish credentials, to the crude OSX.Coldroot backdoor, which could only affect older versions of macOS, the threat is varied and wide. Additionally, most of the standard macOS security features can be bypassed by the newer malware highlighted by Malwarebytes. The report makes clear that not only is the threat viable, but it is becoming more substantial.

The actors behind the attacks are as varied as the techniques used. The CrossRAT malware was linked to the resourceful @DarkCaracal group, who used the code in a targeted campaign. Another group compromised MacUpdate to carry out a supply chain attack, with the subsequently distributed Monero cryptominer dubbed OSX.CreativeUpdate. This is a stark contrast to OSX.Coldroot, which was likely either written by amateurs or deployed as a proof of concept. CrossRAT and CreativeUpdate demonstrate that there are technically capable actors already designing Mac-specific threats.

The risk to businesses depends on the number of Macs on the corporate estate and how frequently they are used. As the Malwarebytes report makes clear, the gap in malware protection between Mac and Windows users is concerning, with businesses potentially exposed to risks of which they have little to no oversight.

Customer Records

2.4 Customer Records

Target, the major retailer, was hacked on Black Friday in 2013. Over 40 million debit card accounts were scooped up. The data was not encrypted. Groups of Target customers filed suit claiming that “Target failed to implement and maintain reasonable security procedures and practices.” Roll forward to 2015, when Target paid out $10 million to customers as a result of the lawsuits. This $10 million does not include notification costs, legal costs, loss of goodwill among existing customers, or the effect on Target’s reputation in the marketplace.


Human Resources Records

2.3 Human Resources (HR) Records

The largest HR or personnel records breach (a break-in with theft or manipulation of data) in history occurred in 2015 at the United States Office of Personnel Management, or OPM for short. The breach involved the theft of 21.5 million US government employee records along with 5.6 million fingerprint records. Keep in mind that these records contain the contents of the SF86, a questionnaire completed when applying for a security clearance, and include information not only about the applicant but also about their extended families and neighbours. It is rumoured that the Chinese are using the information from these records to put together a “Facebook” of US government and military personnel that can be used to put pressure on them or co-opt them.

This breach was a classic case of risk versus reward. Enough golden eggs (records) existed in one place with the potential for enough damage that they were highly sought after and justified the expenditure of almost any effort to obtain them.

Access was obtained through a breach of a US Government contractor who had access to the records and, unfortunately, weaker security to get through. We, the defensive team (the good guys), failed to encrypt the records, disperse the records (so they are not all in one place), and keep non-current records offline. To make matters worse, the intrusion was not detected for a long period of time.


Medical Records

2.2 Medical Records

Medical records are worth about ten times what credit card numbers are on the black market. “Why?” you ask. Because medical records can be used to file fraudulent claims. It takes much longer to realize your medical records have been compromised than to notice a problem with your credit card number. This time differential, combined with the relatively poor cyber security of hospitals, provides hackers with a very lucrative market.

Note that medical records fall under HIPAA. HIPAA is the Health Insurance Portability and Accountability Act—you probably signed a form at your doctor’s office. Health providers are legally obligated to take reasonable steps to protect your healthcare information. Penalties are based on the level of negligence and can range from $100 to $50,000 per violation. This is capped at $1.5 million per year for violations of each HIPAA provision.


Exim software Vulnerability

Vulnerability in Exim software allows hackers to gain control of your mail server

Target: Exim users

Attack Vector: Remote code execution


A new critical vulnerability has been discovered in Exim, a widely deployed mail transfer agent (MTA) used on Unix-based operating systems. An attacker can trigger an off-by-one buffer overflow with a precisely constructed mail message. Because the flaw lies in how SMTP transactions are handled, it can be exploited remotely without any authentication.

Risk assessment summary:

The threat is assessed as 3e MODERATE and the likelihood has been rated as POSSIBLE. By sending specially manipulated input to a server running Exim, attackers may be able to remotely execute code and take control of the mail server. Although a patch has been released, it may take weeks or even months for the vulnerability to be fully mitigated, as users may not update their servers, leaving them at risk.
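To make the bug class concrete for defenders reviewing their own parsing code, the following is an added example written for this digest; it is not Exim's code and does not reproduce the Exim flaw. It shows a generic off-by-one in a fixed-size line buffer of the kind an SMTP parser might use: a length check that allows an input of exactly the buffer size, so the terminating NUL lands one byte past the end. A canary byte placed directly after the logical buffer (inside the same backing array, so the demonstration itself stays well defined) records whether the overflow happened. The buffer size, the canary value and the input are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: LINE_MAX is the logical size of a line buffer
 * such as an SMTP parser might use. The Exim flaw is not reproduced. */
#define LINE_MAX 16
#define CANARY   0xAA

/* Backing storage is one byte larger than the logical buffer. The extra
 * byte holds a canary, so a one-byte overrun lands on the canary and
 * stays inside the array instead of corrupting unrelated memory. */
struct line_buf {
    unsigned char data[LINE_MAX + 1];
};

static void line_buf_init(struct line_buf *b)
{
    memset(b->data, 0, sizeof b->data);
    b->data[LINE_MAX] = CANARY;
}

/* Buggy variant: the check permits len == LINE_MAX, after which the
 * terminating NUL is written at data[LINE_MAX], one past the logical
 * buffer. This is the off-by-one pattern. */
static int copy_line_buggy(struct line_buf *b, const char *src, size_t len)
{
    if (len > LINE_MAX)            /* should be >= to leave room for NUL */
        return -1;
    memcpy(b->data, src, len);
    b->data[len] = '\0';
    return 0;
}

/* Fixed variant: reserve one byte for the NUL terminator. */
static int copy_line_fixed(struct line_buf *b, const char *src, size_t len)
{
    if (len >= LINE_MAX)
        return -1;
    memcpy(b->data, src, len);
    b->data[len] = '\0';
    return 0;
}

/* Returns 1 if the canary was overwritten, i.e. the copy overflowed. */
static int canary_clobbered(const struct line_buf *b)
{
    return b->data[LINE_MAX] != CANARY;
}

/* Exercises a copy routine on the boundary case: an input of exactly
 * LINE_MAX bytes with no terminator. Stores the routine's return code
 * in *rc and returns whether the canary was clobbered. */
static int boundary_case(int (*copy)(struct line_buf *, const char *, size_t),
                         int *rc)
{
    struct line_buf b;
    char input[LINE_MAX];
    memset(input, 'A', sizeof input);   /* constructed input */
    line_buf_init(&b);
    *rc = copy(&b, input, sizeof input);
    return canary_clobbered(&b);
}

/* 1 if the buggy routine accepts the boundary input and overflows. */
static int buggy_overflows(void)
{
    int rc;
    int clobbered = boundary_case(copy_line_buggy, &rc);
    return clobbered && rc == 0;
}

/* 1 if the fixed routine rejects the boundary input and leaves the canary intact. */
static int fixed_rejects(void)
{
    int rc;
    int clobbered = boundary_case(copy_line_fixed, &rc);
    return !clobbered && rc == -1;
}

int main(void)
{
    printf("buggy copy overflows on boundary input: %d\n", buggy_overflows());
    printf("fixed copy rejects boundary input:      %d\n", fixed_rejects());
    return 0;
}
```

The check to look for in code review is the comparison against the buffer size: any `len > SIZE` guard before a copy that also appends a terminator is one byte too permissive, and the boundary input (exactly SIZE bytes) is the test case that exposes it.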

Annabelle Ransomware

New Annabelle Ransomware discovered

Target: Potentially high profile companies, as the threat actor primarily wants to advertise their skills

Attack Vector: Ransomware tool which first disables processes that may interfere with its actions


During March 2018 a new type of ransomware was observed. Discovered by security researcher @bartblaze, the tool is themed on the horror movie Annabelle and seems designed to show off the skill and capability of the threat actor behind it rather than to be used maliciously. The ransomware has extensive capabilities which combine many different features usually observed individually in separate ransomware tools.

In addition, Annabelle carries out several preparatory operations which make it easier to achieve its goals, a tactic observed increasingly often in ransomware tools.

Risk assessment summary:

The threat is assessed as 4d LOW. There are clear risks, such as theft of sensitive information or inaccessibility of important files. The malware has not yet been observed in any mass distribution campaigns, and its infrequent use lowers this possibility.

Additionally, the ransomware can be decrypted by a user following the correct process, which suggests there may not be any long-term damage. However, the fact that it can disable interfering programs and configure a target system to make a ransomware attack easier does mean Annabelle remains a plausible threat.