ApophisSquad activity increases; threat to British entities

Target: Large/government related British corporations, schools and gaming sector.
Attack Vector: Hoax threats, DDoS attacks, data leaks.
Threat Actor: ApophisSquad.
Summary: Since late 2017, increasing activity has been observed from the hacktivist group known as ApophisSquad. The group have been particularly active since March, with the brunt of their activity targeted at British institutions. The group have been observed sending hoax threats, conducting DDoS attacks and carrying out data leaks. These have all been carried out against various high-level targets, some related to government as well as major banks such as Barclays UK. In addition, the group has promised further attacks.
Risk assessment summary: This threat is assessed as 3b MODERATE. The release of open source tools which any threat actor can use is a significant risk in the long term. Many threat actors are prevented from carrying out DDoS attacks or obtaining leaked credentials by insufficient capacity or intelligence; the availability of these tools will enable them to overcome this barrier. The threat actor has also displayed expert execution of DDoS attacks on numerous occasions and appears to prefer targeting big businesses and the gaming industry.

The chance of further attacks is also high, with the group indicating they will continue and also planning to release their DDoS tool, which is still in development. In addition, the group has repeatedly disrupted the same targets, suggesting further repeated attacks are possible. However, there is no indication that the group is state-sponsored, which may reduce the possibility of a tit-for-tat situation developing.

Adobe Flash Player zero-day vulnerability

Target: Middle Eastern markets.
Attack Vector: Adobe’s Flash Player software.
Summary: Security researchers from a number of security firms independently contacted Adobe to report attackers using a previously undisclosed zero-day vulnerability in the wild on a large scale. The vulnerability, CVE-2018-5002, affects Adobe’s Flash Player software with firmware version of and earlier. Adobe released a patch and urged users to install it if they do not have automatic updates activated. This is the second zero-day vulnerability Adobe have patched in 2018, following Korea-based attackers deploying CVE-2018-4878 against Korean targets in January.
Risk assessment summary: The threat is assessed as 3c MODERATE. This zero-day vulnerability has been observed being actively exploited and, although patched, it remains a vulnerability with many systems still unprotected, driving up the likelihood of successful exploitation. This is likely to stay high until organisations update Flash Player across their estate. Flash Player is one of Adobe’s most popular products, raising the likelihood and risk of attack.

Lazarus Subsidiary

Lazarus Subsidiary Seen Directing Attacks Towards South Korea

Target: South Korean corporations and related entities
Attack Vector: Watering hole attacks
Threat Actor: Andariel
Summary: The Lazarus group have been seen carrying out state-sponsored attacks on behalf of the North Korean government for some time. A subsidiary of the group, identified as Andariel Group, has now emerged. They have been observed exploiting a zero-day vulnerability in ActiveX and subsequently infecting South Korean targets with malware or carrying out theft of data.
Andariel are a little-known state-sponsored threat actor and have been active since 2014. The group has historically targeted South Korea, with commercial entities which are widely used within the country also used as an attack vector. The group are known for their use of command and control infrastructure and malware, with the March 2013 DarkSeoul attack a notable example of their work.
Risk assessment summary: This threat is assessed as 3e MODERATE. North Korean threat actors have typically shown a high capability in their actions and Andariel are no different. The ability to exploit vulnerabilities and push out malware together could lead to particularly effective attacks. Currently, North Korean state-sponsored activity is expected to continue at the same level, but recent diplomatic missions in South Korea and the West could change this forecast in the long run.


#OpRussia Resurgence Continues Amidst Ukrainian Tension

Target: Russian governmental and major organisations
Attack Vector: Data leaks; DDoS attacks and site defacement are also likely in the future.
Threat Actor: @AnonyInfo, @SambaCry
Summary: In April, BT Security Threat Intelligence observed the return of the #OpRussia campaign targeting the Russian government and major companies. This is largely in relation to events on the ground, including Russia’s increasingly aggressive foreign policy. The upcoming FIFA World Cup has been touted as a likely factor in the return of the campaign, with diplomatic relations between Russia and the West currently at a low point.
In late May, several attacks were observed by @AnonyInfo_ against various sites. In addition, Russia has been particularly aggressive in recent weeks against Ukraine, a nation which has already had a prickly relationship with Moscow in recent years. With Ukraine becoming increasingly pro-EU, this corrosive relationship could pave the way for further attacks under the #OpRussia banner.
Risk assessment summary: This threat is assessed as 3d MODERATE. Russia has been engaging in increasing cyber espionage campaign activity, with the VPNFilter malware in Ukraine in May a key example which could potentially trigger a response in hacktivist activity. The hacktivist activity observed in May is significant as it signals that the #OpRussia campaign is here to stay after resuming; with the World Cup impending in June, further attacks are likely.
The risk is also at a significant level. @AnonyInfo have been seen to carry out DDoS attacks as well as data leaks, and much of their capability is still to be displayed in this campaign. The high number of threat actors active in this campaign means the use of shared resources could lead to damaging compromises of systems and sites.

BackSwap Banking Trojan

BackSwap Banking Trojan’s New Browser Manipulation Technique

Target: Polish online banking users

Attack Vector: Browser address manipulation

Summary: The banking industry may find itself under a new wave of malware attacks after the discovery of a new, groundbreaking trojan technique. The trojan, dubbed BackSwap, is currently able to evade antivirus detection at browser level.

Risk assessment summary: The threat is assessed as 3d MODERATE. If successful, this backdoor Trojan technique installs BackSwap malware inside infected systems. Due to the new, innovative evasion techniques used, it can be difficult to detect any changes in system behaviour. Therefore, BackSwap malware can lie undetected and enable an attacker to make bank transfers or complete other transactions against a target. The risk is also heightened as BackSwap malware may be expanded further to target other countries and banking organisations.

MnuBot Trojan

New Banking Trojan MnuBot Discovered

Target: Brazilian online banking users

Attack Vector: A two-stage download

Summary: A new banking Trojan malware dubbed MnuBot has been observed in the wild. The malware has a number of unique features, most notably that its command and control server is a Microsoft SQL server, a highly uncommon trait. Additionally, the configuration method used to give the authors the ability to constantly update it is also an unusual feature.

Risk assessment summary: This threat is assessed at 3e MODERATE. As an active banking Trojan, the potential financial loss to a victim is high, as this is the aim of the malware. As this has, to date, only been observed active in Brazil, the risk is reduced, as most Brazilian malware does not tend to leave Latin America. However, this malware is sophisticated and there is nothing to suggest the authors would not be capable of disseminating it geographically.

Stealth Mango malware

Pakistan Based APT Targets Multiple Countries During May

Target: High profile individuals in Asian countries as well as Western nations indirectly.
Attack Vector: Watering-hole attack to download Stealth Mango malware.
Threat Actor: Pakistani state-sponsored threat actors, belonging to the Army.
Summary: As more and more countries increase their cyber capability and arm themselves with cyber weapons, new nations are observed joining the main players on the international stage. One of these nations, Pakistan, has been observed involved in various hacktivist-based attacks over recent months. They appear to have launched a state-sponsored cyber espionage campaign targeting multiple countries in Asia and are believed to have collected data from Western nations such as the US, Australia and Britain.
The campaign utilises malware known as Stealth Mango and Tangelo, used on Android and iOS devices respectively, which has the potential to compromise a target phone. The threat actors appear to belong to the Pakistan Army and have targeted individuals in communication with senior officials in the aforementioned nations in order to collect sensitive data. In addition, it appears the group may be related to Op C Major and Transparent Tribe, also active cyber threat actors operating in, or in relation to, Pakistan.
Risk assessment summary: This threat is assessed as 3d MODERATE. Considering the operation has been running for only a short period of time, a large amount of data has been collected. This displays the capability of Pakistan’s state-sponsored cyber espionage teams, with over 15 GB worth of data stolen, including sensitive documents. In addition, Pakistan’s position in the world and its potential allies in a global conflict, alongside its cyber capability, is a concerning combination of factors for the West. However, the reach is limited, with the Android application appearing to be a third-party program, which can be mitigated against. The iOS app appears to only be a danger to jailbroken iPhones, further limiting the exposure.


#OpIslam Activity Observed in Reaction to Events on the Ground

Target: Governmental sites and major corporations in Muslim majority nations.
Attack Vector: Server targeting, DDoS attacks.
Threat Actor: @EZRA; @BLASTER.
Summary: As predicted, #OpIslam has seen an increase in activity towards the end of May. The rise comes with attacks predominantly originating from Israel, the primary nation with an interest in the campaign, as a counter to the #OpIsrael campaign carried out by many pro-Palestinian and Iranian groups against Jerusalem. Israel has countered the rise of attacks seen in May around Holocaust Remembrance Day, the opening of the US embassy in Israel and the 70th anniversary of the Jewish state. Activity against Israel remained high after this due to Palestinian-Israeli clashes, as well as tensions between Israel and Iran over the uncertainty regarding the Iran nuclear deal and the situation in Syria. The response we have been expecting for some weeks has now materialised, with targets in Palestine and Iran struck by cyber attacks originating from Israel.
Risk assessment summary: The threat is assessed as 4b LOW. While these attacks under the #OpIslam banner do not directly affect business for Western nations, retaliatory attacks could well do so. The more sophisticated operations, such as intelligence gathering, could put data at risk for Western nations, given the volume of communication between the US and Britain and allies such as Israel and Saudi Arabia. Despite this, the likelihood of this is low from a hacktivist perspective, and attacks which affect Western nations are likely to be of a lower sophistication.

Xenotime Hacking Group

US Industrial Safety Systems Targeted by Xenotime Hacking Group

Target: Industries using Triconex safety instrumented systems.
Attack Vector: Multi-stage download.
Summary: Industrial safety systems in the US, used in the oil and electricity industries, have been the victims of a malware attack from a hacker group dubbed Xenotime. This is a new variant of the group’s tailor-made Trisis malware, which was used successfully in attacks against critical infrastructure in the Middle East.

Risk assessment summary: This threat is assessed at 3c MODERATE. Although the malware was not successfully executed, it is believed that organisations are still being targeted. The group are still active and, as they are targeting critical infrastructure and safety systems, the consequences of a successful attack could be serious damage or loss of life. The risk is further raised as the group are seen to be highly sophisticated and possibly state-sponsored, although there is no proof of this yet.

Trickbot Malware

Hidden Desktop Installed by Trickbot Malware

Target: Online banking users.
Attack Vector: Virtual Desktop in Windows.
Summary: Trickbot malware has seen a recent surge in activity, driven by the addition of a new module, making it a very powerful tool. It allows an attacker to compromise and gain full control of a target machine, in some cases without the victim even being aware. This new module uses a technique more commonly associated with RATs (Remote Access Trojans), called “Hidden VNC” (Virtual Network Computing), and allows attackers to gain full user-level access to a target machine. The new module appears to be still in development and could evolve into a fully working RAT module.
Risk assessment summary: The threat is assessed as 3c MODERATE. If successful, this backdoor Trojan technique installs Trickbot malware inside infected systems. Due to the advanced module, it can be difficult to detect any changes in system behaviour. Therefore, the Trickbot malware can lie undetected and enable an attacker to steal documents and gather information on the connected system: server types, network drives, MAC addresses, computer names and IP addresses. The risk is also heightened as the Trickbot malware may be expanded further to have full RAT capabilities.