New OpNicaragua campaign observed in protest at governmental policies

Target: Nicaraguan governmental sites as well as companies important to the running of the country

Attack Vector: Mostly DDoS attacks and website leaks but also website defacement

Threat Actor: Various, including @SHARPSHOOTER, @MinionGhost and @AnonymousNicaragua

Summary: Threat Intelligence has observed a new hacktivist campaign currently known as #OpNicaragua. While not the only factor, the campaign seems to have been triggered by unpopular governmental policies, and is also a response to the alleged corruption and oppression carried out by the administration in Managua. This has sparked widespread protests and rioting in the Caribbean state, and the hacktivist campaign appears to be related to the protests on the ground, as its attacks seem to be carried out in support of the citizens of Nicaragua.

Risk assessment summary: This threat is assessed as 3d MODERATE. While civilians in Nicaragua have long been silenced by the oppression of the Ortega administration, the mass protests observed could be a landmark moment in which the oppressed begin to show their frustration more actively. This is even more likely given the violence with which the government has responded, driving more and more people to protest. All of this gives hacktivist groups more incentive to target the Nicaraguan administration, whose oppressive policies and corruption they oppose.

The risk is also greater than for most hacktivist operations, with a higher proportion of the attacks seen being DDoS (Distributed Denial of Service) attacks and data leaks rather than simple website defacements. These require a deeper level of sophistication, indicating that the threat actors involved have a more advanced capability. The risk is raised further by the potential for Nicaragua to respond to the cyberattacks by utilising the resources of its allies in Moscow. Such a response could increase political tension between East and West as well as draw Central American countries into the dispute. Were it not for the fact that Nicaragua is not particularly notorious for cyber-hacktivism, the risk would be raised even further.

Energetic Bear / Crouching Yeti

Kaspersky Labs report on Energetic Bear/Crouching Yeti

Target: Various Sectors across several countries

Attack Vector: Watering hole attack

Summary: Kaspersky released details of a phishing campaign, attributed to Energetic Bear (also known as Crouching Yeti), that sought to infect various servers. This follows recent public US and UK advisories on Russian APT activity.

The activity, dating back to 2010, has affected the manufacturing, health, construction, education and technology sectors in at least 7 countries. Kaspersky’s report gives an overview of the threat vector, which uses a watering hole attack followed by stages of reconnaissance and network intrusion. The aims of the group’s activity are varied. There is evidence to suggest the compromised machines were part of a staging phase for further malicious activity, and given some of the industries targeted, other compromises are likely to be motivated by cyberespionage.

Risk assessment summary: Although the campaign is basic in terms of tools, it has been effective. Energetic Bear are a highly capable and skilled group, but the campaign outlined by Kaspersky does little to demonstrate their technical skill.

It is likely that the large majority of compromised servers were leveraged for the purposes of multi-faceted attacks, seen in the spam components of the two dropped .php files. The compromises would provide some anonymity to a subsequent spam campaign, for example. The impact to business is therefore moderate, although this is highly dependent on the server compromised.

Using low-attribution, open-source tools, the actors have demonstrated an attack which could be leveraged by many other, less skilled actors. This trend is highly likely to become more apparent in the mid to long term, with Energetic Bear among the first state-sponsored actors to be attributed to such attacks.

Oracle WebLogic Vulnerability

Work-around discovered for a previously patched vulnerability in Oracle’s WebLogic server

Target: Oracle WebLogic servers

Attack Vector: Accessing the WebLogic servers through a T3 connection when they are running on port 7001

Summary: A workaround has been released for the vulnerability tracked as CVE-2018-2628. The vulnerability lies in Oracle’s WebLogic servers and gives an attacker the opportunity to execute code remotely on the server. After the patch was released, a researcher found that rather than fully fixing the vulnerability, Oracle developers had only blacklisted certain commands, leaving one or two still available.

Risk assessment summary: This threat is assessed at 3d MODERATE. The threat from this vulnerability is heightened as a fully weaponised proof of concept is available on GitHub. This means that anyone who uses Oracle WebLogic servers and has not blocked incoming traffic on port 7001 is vulnerable to this attack, and with the rise in scans for port 7001, it is becoming more likely that an attack will take place. The threat is heightened further because a successful attack results in the attacker gaining complete control of the server.
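One way to check whether a WebLogic connection filter leaves T3 on port 7001 open to the world, as an added example that is not from the advisory or from Oracle: the constructed, simplified evaluator below models ConnectionFilterImpl-style rules under the documented first-match-wins, default-allow semantics (an assumption of this example), and contrasts an empty filter with a two-rule set that confines T3/T3S on 7001 to an internal range.

```python
"""Simplified evaluator for WebLogic ConnectionFilterImpl-style rules (constructed
re-implementation for illustration, not Oracle's code).
Rule: <target> <localAddress> <localPort> <action> [protocols...]
target is a remote IP/CIDR or '*'; localAddress/localPort are '*' or exact;
protocols omitted means all. First matching rule wins; no match means allow."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    target: str
    local_addr: str
    local_port: str
    action: str
    protocols: frozenset

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[3] not in ("allow", "deny"):
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(Rule(parts[0], parts[1], parts[2], parts[3],
                          frozenset(p.lower() for p in parts[4:])))
    return rules

def evaluate(rules, remote_ip, local_addr, local_port, protocol):
    """Return 'allow' or 'deny' for one inbound connection attempt."""
    for r in rules:
        if r.target != "*" and ipaddress.ip_address(remote_ip) not in \
                ipaddress.ip_network(r.target, strict=False):
            continue
        if r.local_addr not in ("*", local_addr) or r.local_port not in ("*", str(local_port)):
            continue
        if r.protocols and protocol.lower() not in r.protocols:
            continue
        return r.action
    return "allow"  # no rule matched: the filter lets the connection through

# Constructed rule sets: an empty filter (the exposed state the advisory warns
# about) versus one confining T3/T3S on 7001 to an internal range.
EXPOSED_RULES = parse_rules("")
HARDENED_RULES = parse_rules("""
10.0.0.0/8 * 7001 allow t3 t3s   # internal clients may still use T3
*          * 7001 deny  t3 t3s   # everyone else: T3/T3S refused, HTTP untouched
""")
```

With the hardened set, an external source is refused T3 and T3S on 7001 while its HTTP traffic to the same port is unaffected; a network-level block on 7001, as the advisory recommends, is the stronger control where T3 is not needed at all.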


GravityRAT evolution

Target: India predominantly

Attack Vector: Backdoor Trojan installs GravityRAT

Summary: In August 2017 the NIC-Cert Team (National Informatics Centre for managing cyber security incidents) in India released advisory notice NIC-CERT/2017-08/013 on a then little-known piece of malware called GravityRAT (a Remote Access Tool), which was not known to be specifically targeting any individuals. GravityRAT has been gradually developed through four revisions over the last 18 months, with many more tools added to its arsenal, including file exfiltration, remote command execution and anti-virus avoidance techniques. The constant and determined evolution of this malware beyond standard remote access features indicates that it is now a highly advanced piece of malware, and it has been suggested that this is the work of an APT group.

Risk assessment summary: The threat is assessed as 3e MODERATE. If successful, this backdoor Trojan technique installs GravityRAT malware on infected systems. Due to its advanced persistence and anti-virus avoidance techniques, it can be difficult to detect any changes in system behaviour. The GravityRAT malware can therefore lie undetected while stealing documents in .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf and .pdf formats. GravityRAT also gathers information on system types, network drives, MAC addresses, computer names and IP addresses.

The risk is also heightened as the GravityRAT malware is suspected of being used by an APT group in a targeted attack against India and may be expanded or exploited by other actors in future.


Necurs, the world’s largest botnet, seen using new evasion techniques

Target: Worldwide

Attack Vector: A two-stage download from a remote server

Summary: The latest spam distribution campaign by Necurs, the world’s largest botnet, sees a number of different evasion techniques implemented by the authors, the main one being an evolved download method for the final malware payload. The malware now uses a two-step download method to retrieve the new final payload.

Risk assessment summary: This threat is assessed at 3d MODERATE. With these new evasion techniques, the risk of infection is raised as anti-virus software is less likely to detect new and unknown variants of Necurs and any other malware it may download.

The risk is also heightened as the malware the botnet drops is constantly changing, dependent on what the authors want to use the victims’ devices for.


OpIcarus Activity Observed In April With OpUK Newly Active

Target: Banking and financial institutions, as well as the British Government for #OpUK

Attack Vector: DDoS attack, website defacements, data leaks

Threat Actor: Various, including @SHARPSHOOTER and @Manwe for OpIcarus and @AnonySec_ and @UnitedSecTeam for #OpUK

Summary: After a lull in activity during the early months of 2018, #OpIcarus has shown indications of a resurgence in April. Threat Intelligence has observed attacks from @SHARPSHOOTER as well as @Manwe against the banking industry, the prime target of the campaign. In addition, events on the ground have indicated that further activity may be imminent and linked to the crisis in Syria. Another campaign linked to the ongoing situation in Syria is #OpUK, with @AnonySec_ and @UnitedSecTeam both observed to be active.

Risk assessment summary: The threat is assessed as 3d MODERATE. It is highly likely that we will continue to see activity in Syria which may prove incendiary to hacktivist groups. However, #OpIcarus is not as heavily linked to events on the ground as other campaigns. The newly created #OpUK appears to be very reactive to events on the ground, and while it is in its early stages, there is a high probability it will continue to be active. The risk from both campaigns can be defined as significant, with several high-capability threat actors committed to both.


Brainjacking
Target: Medical Devices

Attack Vector: Wireless Signal Interception

Summary: Brainjacking is the term for the compromise of an internet-connected medical device. A number of medical devices are connected to the internet and therefore have the capacity to be compromised, such as pacemakers, defibrillators and intravenous drug delivery systems. Hacking the brain of a patient fitted with a medically implanted stimulation device has now been demonstrated as a potential attack. Threat actors could change the voltage delivered by the device, which could easily cause sensory changes or sensory denial, other disabilities or, in extreme circumstances, death.

The devices use wireless protocols for programming updates and to receive medical data from the patient. This makes radio-based attacks a real possibility. Additionally, leakage of patient data, such as names and dates of birth, from compromised wireless signalling is a real possibility.

In the current political climate, there could be a variety of reasons why a bad actor may wish to carry out a brainjacking attack. These include political, cyber warfare, extortion, blackmail, revenge or even perverted amusement.

Currently, it is not possible to use this technology to inject inferences into the patient’s brain. Further developments and enhanced software will enable patients’ brainwave behaviour to be analysed to facilitate more precise care delivery. Therefore, if these signals were able to be intercepted and reverse engineered, it has been theorised that future attacks could be used to inject an inference into the patient’s brain.

Risk assessment summary: This threat has been assessed as 3f MODERATE. This kind of attack is unlikely, due to the extremely limited number of actors who could potentially look to exploit this weakness. In addition, the specialist nature of the equipment, and the fact that the target is an extremely small section of Internet of Things connected devices, also reduce the risk. However, given current political tensions, if this type of vulnerability could be exploited or developed further, it could potentially have extremely serious consequences. Any such incident could pose a critical threat to life.

Cisco Flaws Discovered

Cisco Flaws Discovered On Hardware Products As Well As Cisco Software

Target: Networking devices which have not rolled out Cisco patches, unpatched Cisco consumer software

Attack Vector: Exploitation of numerous detailed vulnerabilities

Summary: American industrial automation and information products supplier Rockwell Automation has recently disclosed the existence of a number of flaws within a range of switches it produces. Upon investigation, Rockwell discovered that the actual flaws were due to the switches’ use of Cisco software, which allows secure communications with enterprise networks; the vulnerabilities therefore reside within Cisco’s software.

These flaws, while reported on specific devices, are due to the software those devices rely on and are therefore relevant to any routers which utilise Cisco software. Furthermore, three other flaws have been reported in Cisco client products which open up further attack vectors.

Risk assessment summary: The threat is assessed as 3d MODERATE. Whilst the threat to some Rockwell devices has been mitigated with patching, the patches will take time to roll out across enterprise networks. These devices still present a danger, given that some of these vulnerabilities, CVE-2018-0171 in particular, have proved popular attack vectors and carry a high risk through their ability to cause downtime on a system. Further vulnerabilities, such as CVE-2018-0151, have the potential to cause damage to an organisation through the opportunity they provide to leak data, further increasing the risk.

In addition, it is probable that we will find other routers with similar vulnerabilities, as they are also dependent on Cisco software. However, these devices will also have updates available; it is simply down to the organisation to roll out the patches Cisco supplies. The risk of attack on Cisco products is reduced once all patches have been applied.


Adwind Discovered in Two New Malware Packages Being Dropped via Spam Campaigns

Target: Various

Attack Vector: Phishing / Data Theft

Summary: Two new malware strains delivering Adwind have resulted in a number of different final payloads including Loki, XTRAT and DUNIHI. Both campaigns have been designed to avoid detection whilst attempting to steal information. Both campaigns have been observed making use of a previously patched vulnerability, CVE-2017-11882.

Risk assessment summary: This threat is assessed at 3e MODERATE. A large number of infections has been observed even though the attack methods abuse a vulnerability for which patches are available. There is a risk that an infection could spread across a network. In addition to detection avoidance, both strains come with new information-stealing malware payloads, increasing the risk of loss of personal data and intellectual property.


#OpUSA active in early months of 2018

Target: Businesses within America or contributing to the country economically/politically

Attack Vector: DDoS attacks, Data breaches, website defacement, doxing

Threat Actor: Various, including @UnitedSecTeam, Phoenix420 and @Anonymous

Summary: Security Intelligence outlined the prospect of a reboot of the #OpUSA hacktivist campaign. This campaign focuses on the United States and is mainly driven by anti-American sentiment, in protest at US involvement in foreign wars, perceived corruption of the media, alleged war crimes and the creation of the financial crisis. Now, in April 2018, further hacktivist activity has been observed, with @Phoenix420 delivering effective DDoS attacks against targets and hacks and data leaks being carried out by @UnitedSecTeam.

Risk assessment summary: The threat is assessed as 3d MODERATE. This is one of a number of campaigns currently active and comes at a time of heightened diplomatic tension between the US, its allies and Russia. These tensions seem set to continue due to East and West involvement in the war in Syria and the investigations into Russian influence on Western elections, raising the threat level.

The USA is set to continue its involvement in Syria, giving threat actors further motivation to continue campaigns against the West, including #OpUSA, #OpUK and #OpPeaceForSyria. The US also seems bound to continue to support Israel, with President Trump congratulating the nation on its 70th birthday on the 18th of April, declaring that the US had “no better friends anywhere”. This declaration of the close bond between the US and Israel is a provocative move likely to antagonise other nations in the Middle East, including allies of Russia such as Iran. This raises the possibility that some hacktivist activity may be used as cover for state-sponsored entities.