Microsoft BugFixes April

Microsoft Fixes 66 Bugs in April Patch Tuesday Release

Target: Users using the affected software.

Attack Vector: Various methods of delivery.

Summary: Microsoft Patch Tuesday updates have been released for April, covering 66 CVE-listed vulnerabilities, 24 of which are rated critical. The count of patches is lower than recently observed; however, the number of vulnerabilities rated critical has increased by almost 50 percent, the majority of these being in browsers and browser-related technologies. The security updates were rolled out across numerous pieces of software, with elevation of privilege, security feature bypass and remote code execution vulnerabilities making up a large portion of this month’s release.

One of the most notable flaws Microsoft addressed is an elevation of privilege bug, CVE-2018-1034, which could allow an authenticated attacker to install programs, access stored data or create new accounts with full user rights on Windows 7 and Server 2008 R2 machines. Five font-based flaws were also a major focus for Microsoft this month; these could allow attackers to take control of the victim’s system through specially crafted websites and fonts. Furthermore, a Microsoft Wireless Keyboard 850 Security Feature Bypass Vulnerability, CVE-2018-8117, has also been observed, which could allow an attacker to log keystrokes.

Risk assessment summary: The threat is assessed as 4c LOW. Although there are several vulnerabilities in this release which could potentially be exploited by actors, and an increase in critical vulnerabilities compared to last month, there is only one zero-day flaw. This flaw is identified as CVE-2018-1034, which is most likely used for cross-site scripting attacks. The elevation of privilege vulnerability leaves at risk those users who installed the security updates in January, and can only be fixed by the user installing the new service updates. The Microsoft Wireless Keyboard 850 Security Feature Bypass Vulnerability has been patched by Microsoft, which has enhanced the security by mandating unique AES encryption keys. The last vulnerability detailed is the remote code execution flaw in the Microsoft Malware Protection Engine; Microsoft released an emergency patch to mitigate this flaw earlier in the week.

Commonwealth hacktivism

Commonwealth Heads of State meeting presents attractive hacktivism target

Target: Commonwealth governments and their partners.

Attack Vector: Potentially phishing emails, doxing, data breach, DDoS.

Threat Actor: Various, potential nation states include Russia and Iran. Potential groups include Anonymous.

Summary: On the 19th and 20th of April, heads of the Commonwealth states will be convening in London for the Commonwealth Heads of Government Meeting 2018 (CHOGM 2018). The summit has historically been an opportunity for heads of state to agree on policy for current events, such as apartheid in South Africa or other issues affecting member states of the Commonwealth. With the large concentration of heads of state, media and guests in one location, the summit has proved a prime opportunity for protests and, potentially, hacktivism.

Risk assessment summary: The threat is assessed as 3e MODERATE. The large number of heads of state in one location, in addition to the intense media attention such a gathering attracts, presents an opportunity for a high-profile cyber-attack. This would invariably cause much embarrassment to the Commonwealth and to Theresa May, Chair of the summit. As it is a members-only summit, excluding nations with whom cold relations are maintained, this further raises the hacktivist threat, particularly in the current political climate. The fact that member states of the bloc have previously been targeted by hacktivist campaigns, such as #OpIsrael and #Africa, provides further motive for hacktivists.


Formbook Being Exported Without Use of Macros

Target: Windows systems.

Attack Vector: Malicious email or IM and malicious links on websites.

Summary: A new, previously unseen type of document attack is now possible and is in use to deliver the previously observed FormBook malware. The attack does not require macros to be enabled for the infection to be carried out. The attacks began in March and have been seen in the financial and information sectors of companies in the US and the Middle East. It is notable for its infection technique, which comprises multiple stages. This new method also includes techniques to render security solutions ineffective.

Risk assessment summary: The threat is assessed as 3e MODERATE. This threat has been reported in the wild and could continue, as it currently does not trigger on security products. However, this can be limited through the implementation of good security practices, particularly with regard to email and IM communications. This has recently become a high priority in companies, with compliance improving, lessening the likelihood. While the initial malware does not harm the target system directly, the downloading of FormBook does. The ability to steal data from a target system is an issue, as the data can be used to facilitate further attacks or sold to criminal gangs. In addition, using the C2 server to execute code on the target machine brings further attack vectors, increasing the risk.

LockCrypt Ransomware

LockCrypt Ransomware Introduces Weaknesses Leading to Data Recovery

Target: Systems with weak security.

Attack Vector: Encryption.

Summary: LockCrypt ransomware has been lying low since June 2017, with updates making an appearance every couple of months. Researchers have recently discovered a weakness in the code, along with the possibility of recovering data in some cases. The ransomware is often used by amateur attackers, as the code is created for manual distribution and they are focused on a fast and easy gain of access into the victim’s system.

Risk assessment summary: The threat is assessed as 4d LOW and the likelihood has been rated as POSSIBLE. Although the LockCrypt code has several weaknesses, if successful it is able to encrypt files, resulting in data loss and the potential need to pay a ransom to retrieve the files. LockCrypt has been manually created and therefore contains faults in both the encryption process and the deployment of the malware.

Chemical attack Syria

Chemical attack in Syria provokes increased international tensions

Target: Government/Defense/Multiple Sectors

Attack Vector: Phishing Campaign/Vulnerability Exploits

Threat Actor: APT28 / APT29

Summary: On Saturday 7th April 2018, the White Helmets organization claimed that a chemical weapon attack had been carried out against civilians in the Islamist rebel-held town of Douma in Eastern Ghouta, located just outside the Syrian capital Damascus. Unconfirmed reports suggest that at least 40 civilians were killed in the alleged attack, with hundreds more affected. The incident has resulted in international condemnation of President Assad and his Russian ally President Putin. At the time of reporting, retaliatory airstrikes have been carried out against the Syrian T4 airbase near the city of Homs, which have reportedly killed 14 people including Iranian personnel. Russia has claimed that two Israeli Air Force F15s were responsible for firing eight guided missiles at the base during the attack, and also stated that five of the missiles were shot down by air defense systems.

These latest incidents have markedly increased already strained international tensions, following the attempted murder of Sergei Skripal and his daughter Yulia on 4th March 2018 in Salisbury. The situation also mirrors the April 2017 chemical attacks in Syria, which provoked a number of retaliatory cruise missile strikes by the United States. This in turn led to the pro-Russian actors The ShadowBrokers dumping a large number of NSA hacking tools into the public domain. This included the ETERNALBLUE exploit, which led directly to the highly damaging WannaCry and NotPetya ransomware outbreaks.

Risk assessment summary: Given the current dynamic geopolitical climate, it continues to be assessed that a 2b HIGH threat of state-sponsored activity exists to a broad spectrum of sectors, although government and defense organizations remain the most likely targets. The parallels between April 2017 and April 2018 are worrying, and it should be expected that any nation which participates in punitive military action against Syria will become a target for retaliatory cyber-attacks. Although harvesting and weaponisation of data continues to be the most likely current threat, if military conflict escalates in the region it should be expected that critical infrastructure may also be targeted for disruptive attacks, especially those organizations which provide telecommunication services to the government or military sectors; however, the energy, health and finance sectors would also prove attractive targets to APT actors.

The Cisco vulnerability situation serves to illustrate that APT groups continue to be active in seeking to exploit any system flaws, and is reminiscent of the way that ETERNALBLUE was used by North Korean actors to leverage the SMB vulnerability in order to enable their WannaCry ransomware campaign, as did malicious Russian actors with their subsequent NotPetya outbreak. Given the direct correlation between military action in Syria in 2017 and these major cyber incidents, it should be anticipated that a similar situation may develop over the short to medium term in 2018, and it is strongly advised that all software patches and updates are applied.

System administrators should also anticipate cyber-attacks if the United States joins Israel in carrying out air strikes and move onto heightened awareness if military action reaches this point. Previous threat assessments regarding the Skripal situation remain valid and monitoring of the geo-political threat will continue in order to identify further actionable intelligence.

OpIsrael prepares for key event amongst constant activity

Target: Israeli government as well as state-owned and affiliated groups

Attack Vector: DDoS attacks, site defacement/hacking, data leaks

Threat Actor: Various, particularly @MCADDoSTeam as well as @LorianSynaro

Summary: BT has continued to observe steady activity in the #OpIsrael campaign, most notably originating from @MCADDoSTeam as well as @LorianSynaro. Attacks on the Israeli government have been observed, and this type of operation can be expected to peak around the Holocaust Remembrance Day period. The most recent incarnation has been dubbed #OpIsrael2018 and is expected to carry on through to the 14th of April.

Risk assessment summary: The threat is assessed as 3d MODERATE. While there have been instances of government-affiliated organisations being targeted, much of the focus is on the government itself. However, there has been evidence of medical organisations in particular being targeted, raising the risk in that sector. There is a high chance these attacks will continue, even after the end of #OpIsrael2018, with events on the ground contributing to increased cyber activity as well as the potential for tit-for-tat attacks between Israel and Arab League countries, particularly under the #OpIslam banner.

Microsoft Malware Protection Engine

Microsoft issued out-of-band patch to fix Malware Protection Engine flaw

Target: Users with Microsoft Malware Protection Engine

Attack Vector: Email and websites

Summary: Microsoft Malware Protection Engine is the core component for malware detection and cleaning in several Microsoft anti-malware products. Microsoft released an emergency security update via Windows Update that fixes CVE-2018-0986, a flaw that could be exploited by attackers to execute malicious code on a Windows system with SYSTEM privileges, gaining full control of the vulnerable machine.

Risk assessment summary: The threat is assessed as 3e MODERATE and the likelihood has been rated as POSSIBLE. Successful exploitation of the vulnerability can allow the attacker to take control of the victim’s machine, permitting them to install programs; view, change or delete data; and create new accounts with full user rights. However, Microsoft has released an emergency patch to mitigate this flaw, which can be silently delivered without user interaction because Microsoft decoupled MMPE component updates from OS updates.

NetSupport Manager RAT

NetSupport Manager RAT used as part of malicious malware campaign

Target: Users of infected sites

Attack Vector: Malicious links and adverts on compromised sites

Summary: Over the past few months, security analysts have observed a campaign using fake update prompts as a disguise to spread malware. These appear on compromised websites which the threat actors now use to spread their malware. The final payload installed was in most cases NetSupport Manager RAT (Remote Access Trojan), which, despite being commercially available software with legitimate uses, has previously been seen used for malicious cyber-activities and allows threat actors access to a victim’s machine.

Risk assessment summary: The threat is assessed as 3d MODERATE. The RAT is commercially available for threat actors to use, and this attack vector has been exploited in the wild. Certain variants of the malware are observed to feature a persistence mechanism, which may make removal of the RAT more difficult once it is present on a system. This, in tandem with the way it removes any trace of itself and adds itself to the target system’s firewall trusted programs list, helps to increase the likelihood of further infections. In addition, the risk of this RAT being used maliciously is significant, particularly as a remote attacker could take control of a system and theoretically carry out any operation the user would be able to.

FireEye M-Trends Report 2018

The M-Trends 2018 report covers incidents and investigations undertaken by Mandiant, a FireEye subsidiary, from 1st October 2016 to 30th September 2017. The wide-ranging report highlights dwell time, given as the number of days between evidence of an attack and its discovery; the rise of Iranian APT groups; the problems associated with legacy systems; and the re-attack rate, defined as the proportion of companies that were successfully attacked again within a year of a previous significant attack. The figures are given by region and industry, which gives some useful insights; however, the report does suffer from the limitation that it is solely reliant on Mandiant’s industry view, which is acknowledged in the report.

Strategic assessment:

Dwell time statistics give a concerning view of the threats seen by Mandiant, and are perhaps useful in their marketing. The dwell time statistics show that although a significant number of threats are detected within 30 days, there are spikes of activity at the three-month and one-year marks. Globally, the median dwell time for 2017 was 101 days, which is the first yearly increase since Mandiant began releasing figures in 2011. This suggests a global detection issue.

The report also details the strategic overview of new APT activity discovered by FireEye, with high-level TTPs covered. APT32 through to APT35 are mentioned, with a separate focus on Iranian actors and APT35.

According to Mandiant, the number of attacks originating from threat actors sponsored by Iran has significantly increased. The group is thought to leverage strategic web compromises (SWC) to ensnare more victims, maintaining persistence across multiple organisations for months and sometimes years. Home-grown custom malware is used in both destructive attacks and espionage campaigns. With reference to PUPYRAT, the report details an attack methodology used by the group to steal credentials, which even showed a level of adaptation to accommodate cloud migration trends as companies moved to off-premises email solutions.

In a segment titled “Once a target, always a target”, FireEye quantify the subsequent risk of a follow-up significant cyberattack, taken to mean activity that may include data theft, compromised accounts, credential harvesting, lateral movement and spear phishing. Nearly half of customers with at least one significant attack were successfully attacked again within one year. However, there is a big geographical divide in this statistic: over 91% of Mandiant’s APAC customers with at least one significant attack will see attacker activity within the next year, compared to 44% in the Americas and 47% in EMEA.

High tech, telecommunications and education top the charts for the number of attack groups and the number of significant attacks by different threat actors, although the financial, high tech and healthcare sectors saw the highest number of significant attacks. Although the industry preference identified could to some extent reflect Mandiant’s customer base rather than pure attacker preferences, it supports similar findings by other vendors.
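The two metrics this section leans on, dwell time (days from first evidence of an attack to its discovery) and the re-attack rate (share of organisations hit again within a year of a previous significant attack), are easy to misread unless you see how they are computed. The following is an added example, not code from the M-Trends report or from FireEye; it implements both definitions as given above over a small set of constructed incident records (customer, region, first-evidence date, discovery date), plus the 30-day / 90-day / one-year bucketing the dwell-time discussion refers to. The record layout and the `INCIDENTS` sample are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample incident records (not figures from the report).
# Each tuple: (customer_id, region, first_evidence_date, discovery_date)
INCIDENTS = [
    ("cust-A", "APAC",     date(2016, 11, 1),  date(2017, 8, 15)),  # dwell 287 days
    ("cust-A", "APAC",     date(2017, 9, 1),   date(2017, 9, 20)),  # re-attack within a year
    ("cust-B", "APAC",     date(2016, 12, 10), date(2017, 2, 1)),
    ("cust-C", "Americas", date(2017, 1, 5),   date(2017, 1, 25)),
    ("cust-C", "Americas", date(2017, 3, 1),   date(2017, 4, 1)),   # re-attack within a year
    ("cust-D", "Americas", date(2016, 10, 15), date(2016, 12, 1)),
    ("cust-D", "Americas", date(2017, 11, 1),  date(2017, 11, 4)),  # 382 days later: NOT a re-attack
    ("cust-E", "EMEA",     date(2016, 10, 3),  date(2017, 1, 11)),
    ("cust-E", "EMEA",     date(2017, 4, 1),   date(2017, 4, 9)),   # re-attack within a year
    ("cust-F", "EMEA",     date(2017, 6, 1),   date(2017, 6, 5)),
    ("cust-G", "EMEA",     date(2017, 7, 1),   date(2017, 10, 15)),
]


def dwell_days(first_evidence, discovery):
    """Dwell time: days between first evidence of the attack and its discovery."""
    return (discovery - first_evidence).days


def _select(incidents, region):
    return [rec for rec in incidents if region is None or rec[1] == region]


def median_dwell(incidents, region=None):
    """Median dwell time, globally or for one region; None if no records."""
    vals = [dwell_days(e, d) for _, _, e, d in _select(incidents, region)]
    return median(vals) if vals else None


def dwell_histogram(incidents, bounds=(30, 90, 365)):
    """Count incidents by dwell-time bucket: <=30, <=90, <=365 and >365 days."""
    labels = [f"<={b}" for b in bounds] + [f">{bounds[-1]}"]
    counts = dict.fromkeys(labels, 0)
    for _, _, evidence, discovery in incidents:
        d = dwell_days(evidence, discovery)
        for bound, label in zip(bounds, labels):
            if d <= bound:
                counts[label] += 1
                break
        else:  # fell through every bound
            counts[labels[-1]] += 1
    return counts


def reattack_rate(incidents, window_days=365, region=None):
    """Fraction of customers with a further attack starting within `window_days`
    of an earlier one (measured between first-evidence dates)."""
    by_customer = defaultdict(list)
    for cust, _, evidence, _ in _select(incidents, region):
        by_customer[cust].append(evidence)
    if not by_customer:
        return None
    reattacked = 0
    for dates in by_customer.values():
        dates.sort()
        if any((later - earlier).days <= window_days
               for earlier, later in zip(dates, dates[1:])):
            reattacked += 1
    return reattacked / len(by_customer)


def regional_summary(incidents, window_days=365):
    """Per-region median dwell and re-attack rate, in the shape a report table would use."""
    regions = sorted({rec[1] for rec in incidents})
    return {
        r: {"median_dwell": median_dwell(incidents, r),
            "reattack_rate": reattack_rate(incidents, window_days, r)}
        for r in regions
    }


if __name__ == "__main__":
    print("global median dwell:", median_dwell(INCIDENTS))
    print("dwell buckets:", dwell_histogram(INCIDENTS))
    print("global re-attack rate:", round(reattack_rate(INCIDENTS), 3))
    for region, stats in regional_summary(INCIDENTS).items():
        print(region, stats)
```

The re-attack check is deliberately anchored on first-evidence dates rather than discovery dates, so an organisation whose second intrusion began within the window still counts even if it was found late; `cust-D` shows the opposite edge, a second incident that falls just outside the 365-day window and is therefore not counted. When reproducing a vendor's figures, confirm which of the two anchors they use, as it changes the rate.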

OpIsrael2018 to Commence 7th April 2018

Target: Israeli Linked Targets

Attack Vector: DDoS/Defacement/Hack & Data Leak

Threat Actor: @Anonymous Affiliated Actors

Summary: The @Anonymous hacktivist collective has announced it will be commencing a series of coordinated cyber-attacks against Israeli linked targets commencing Saturday 7th April 2018. The operation has been dubbed #OpIsrael2018 and is expected to last until 14th April 2018.

Risk assessment summary: It is assessed that #OpIsrael2018 presents a 3d MODERATE threat to organisations with links to Israel. Whilst the published target lists are likely to be the primary focus for hacktivists, organisations and individuals across the globe may also be considered legitimate targets. There is also a high likelihood that Israeli state-sponsored actors will pre-empt or retaliate against hacktivists during this period, which could result in collateral damage. Although the operation occurs annually on 7th April, the 2018 operation may have particular significance as a result of recent attempted Palestinian incursions on the Israeli border fence, which have resulted in a number of deaths among rioters at the hands of the Israeli Defence Forces.

The ongoing anti-Semitism controversy in the UK regarding the Labour Party may also act as a driver for UK-centric activity. Some left-wing hacktivists consider the recent negative publicity as part of a “Zionist Plot” aimed at discrediting the pro-Palestinian leadership of the party. This may have implications for media organisations deemed to display a pro-Israel bias in their reporting of the issue. Additionally, UK-based organisations which trade with or operate in Israel may also be targeted; taking into account @Anonymous statements, this is likely to include the communications sector. Whilst DDoS is likely to be the main attack vector, website defacement and hacks/data leaks are also likely to be utilised against targets. It is recommended that increased vigilance is maintained in Israeli-linked organisations between the 7th and 14th of April. Monitoring of the threat environment will continue in order to identify further actionable intelligence.