Commonwealth hacktivism

Commonwealth Heads State meeting presents attractive hacktivism target

Target: Commonwealth governments and their partners.

Attack Vector: Potentially phishing emails, doxing, data breach, DDoS.

Threat Actor: Various, potential nation states include Russia and Iran. Potential groups include Anonymous.

Summary: On the 19th and 20th of April, heads of the Commonwealth states will be convening in London for the Commonwealth Heads of Government Meeting 2018 (CHOGM 2018). The summit has historically been an opportunity for heads of states to agree on policy for current events, issues such as apartheid in South Africa or others affecting member states of the Commonwealth. With the large concentration of heads of state, media and guests in one location, the summit has proved a prime opportunity for protests and potentially hacktivism.

Risk assessment summary: The threat is assessed as 3e MODERATE. The a large number of heads of state in one location, in addition to the intense media attention such a gathering provides, presents an opportunity for a high profile cyber-attack. This would invariably cause much embarrassment to the Commonwealth and Theresa May, Chair of the summit. As it is a member only summit, excluding nations with whom cold relations are maintained, this further raises the hacktivist threat, particularly in the current political climate. The fact that member states of the bloc have previously been targeted by hacktivist campaigns, such as #OpIsrael and #Africa, provides further motive for hacktivists.


Formbook Being Exported Without Use of Macros

Target: Windows systems.

Attack Vector: Malicious email or IM and malicious links on websites.

Summary: A new, previously unseen, type of document attack is now possible and is in use to deliver the previously observed FormBook malware. The attack does not require the enablement of macros for the infection to be carried out. The attacks began in March and have been seen in the financial and information sectors of companies in the US and the Middle East. It is notable in its infection technique, which is compiled of multiple stages. This new method also includes techniques to render security solutions obsolete. Risk assessment summary: The threat is assessed as 3e MODERATE. This threat has been reported in the wild and could continue as it currently does not trigger on security products. However, this can be limited through the implementation of good security practices, particularly with regard to emails and IM communications. This has recently has become a high priority in companies, with compliance improving, lessening the likelihood. While the initial malware does not harm the target system directly, the downloading of FormBook does. The ability to steal data from a target system is an issue, as the data can be used to facilitate further attacks, or sold to criminal gangs. In addition, using the C2 server to execute code on the target machine brings further attack vectors, increasing the risk.

LockCrypt Ransomware

LockCrypt Ransomware Introduces Weaknesses Leading to Data Recovery

Target: Systems with weak security.

Attack Vector: Encryption.

Summary: LockCrypt ransomware has been lying low since June 2017 with updates making an appearance every couple of months. Researchers have recently discovered a weakness in the code, along with the possibility to recover data in some cases. The ransomware is often used by amateur attackers as the code is created for manual distribution so they are focused on a fast and easy gain in to the victims system.

Risk assessment summary: The threat is assessed as 4d LOW and the likelihood has been rated as POSSIBLE. Although the LockCrypt code has several weaknesses, if successful, it is able to encrypt files, resulting in data loss and the potential to pay a ransom to retrieve the files. LockCrypt has been manually created and therefore contains faults in the encryption process and the exploitation of the malware.

Chemical attack Syria

Chemical attack in Syria provokes increased international tensions

Target: Government/Defense/Multiple Sectors


Attack Vector: Phishing Campaign/Vulnerability Exploits

Threat Actor: APT28 / APT29

Summary: On Saturday 7th April 2018, the White Helmets organization claimed that a chemical weapon attack had been

carried out against civilians in the Islamist rebel held town of Douma in Eastern Ghouta located just outside the Syrian capital Damascus. Unconfirmed reports suggest that at least 40 civilians were killed in the alleged attack with hundreds more affected. The incident has resulted in international condemnation against President Assad and his Russian ally President Putin. At the time of reporting, retaliatory airstrikes have been carried out against the Syrian T4 airbase near the city of Homs which have reportedly killed 14 people including Iranian personnel. Russia have claimed that two Israeli Air Force F15’s were responsible for firing eight guided missiles at the base during the attack and also stated that five of the missiles were shot down by air defense systems.

These latest incidents have markedly increased already strained international tensions, following the attempted murder of Sergei Skripal and his daughter Yulia on 4th March 2018 in Salisbury. The situation also mirrors the April 2017 chemical attacks in Syria, which provoked a number of retaliatory cruise missile strikes by the United States. This in turn led to the pro Russian actors The ShadowBrokers dumping a large number of NSA hacking tools into the public domain. This included the ETERNALBLUE malware, which led directly to the highly damaging WannaCry and NotPetya ransomware outbreaks.

Risk assessment summary: Given the current dynamic geo political climate, it continues to be assessed that a 2b HIGH threat of state sponsored activity exists to a broad spectrum of sectors although government and defense organizations remain

the most likely targets. The parallels between April 2017 and April 2018 are worrying and it should be expected that any nation which

participates in punitive military action against Syria will become a target for retaliatory cyber-attacks. Although harvesting and weaponisation of data continues to be the most likely current threat, if military conflict escalates in the region, it should be expected that critical infrastructure may also be targeted for disruptive attacks, especially those organizations which provide telecommunication services to the government or military sectors, however, the energy, health and finance sectors would also prove attractive targets to APT actors.

The Cisco vulnerability situation serves to illustrate that APT groups continue to be active in seeking to exploit any system flaws and is reminiscent of the way that ETERNALBLUE was used by North Korean actors to leverage the SMB vulnerability in order enable their WannaCry ransomware campaign, as did malicious Russian actors with their subsequent NotPetya outbreak. Given the direct correlation between military action in Syria in 2017 and these major cyber incidents, it should be anticipated that a similar situation may develop over the short to medium term in 2018 and it is strongly advised that all software patches and updates are applied.

System administrators should also anticipate cyber-attacks if the United States joins Israel in carrying out air strikes and move onto heightened awareness if military action reaches this point. Previous threat assessments regarding the Skripal situation remain valid and monitoring of the geo-political threat will continue in order to identify further actionable intelligence.


OpIsrael prepares for key event amongst constant activity

Target: Israeli government as well as state-owned and affiliated groups


Attack Vector: DDoS attacks, site defacement/hacking, data leaks

Threat Actor: Various, particularly @MCADDoSTeam as well as @LorianSynaro

Summary: BT has continued to observe steady activity in the #OpIsrael campaign, most notably originating from @MCADDoSTeam as well as @LorianSynaro. Attacks on the Israeli government have been observed and this type of operation can be expected to peak with Holocaust Remembrance Day period. The most recent incarnation has been dubbed #OpIsrael2018 and is expected to carry on through to the 14th of April. Risk assessment summary: The threat is assessed as 3d MODERATE. While there have been instances of governmental affiliated organisations being targeted, much of the focus is on the government itself. However, there has been evidence of medical organisations in particular being targeted, raising the risk in that sector. There is a high chance these attacks will continue, even after the end of #OpIsrael2018, with events on the ground contributing to increased cyber activity as well as the potential for tit-for-tat attacks between Israel and Arab league countries, particularly under the #OpIslam banner.

Microsoft Malware Protection Engine

Microsoft issued out-of-band patch to fix Malware Protection Engine flaw

Target: Users with Microsoft Malware Protection Engine

Attack Vector: Email and websites

Summary: Microsoft Malware Protection Engine is the core component for malware detection and cleaning for several Microsoft anti-malware products. Microsoft released an emergency security update via Windows Update that fixes CVE-2018-0986, a flaw that could be exploited by attackers to execute malicious code on a Windows system with system privileges to gain the full control of the vulnerable machine.

Risk assessment summary: The threat is assessed as 3e MODERATE and the likelihood has been rated as possible. Successful exploitation of the vulnerability can allow the attacker to take control of the victim’s machine permitting them to install programs; view, change, or delete data and create new accounts with full user rights. However, Microsoft have released an emergency patch to mitigate this flaw which can silently deliver the necessary patches without needing user interaction as Microsoft decoupled MMPE component updates from OS updates.

NetSupport Manager RAT

NetSupport Manager RAT used as part of malicious malware campaign

Target: Users of infected sites

Attack Vector: Malicious links and adverts on compromised sites

Summary: Over the past few months, security analysts have observed a campaign utilizing the disguise of fake updates to spread malware. These appear on compromised websites which the threat actors now use to spread their malware. The final payload installed was in most cases NetSupport Manager RAT (Remote Access Trojan), which-despite being a commercially available software with legitimate uses-has previously been seen to be used for malicious cyber-activities and allows threat actors access to a victim’s machine.

Risk assessment summary: The threat is assessed as 3d MODERATE. The RAT is commercially available for threat actors to use, and this attack vector has been exploited in the wild. Certain variants of the malware are observed to feature persistence mechanism, which may make removal of the RAT once it is present on a system more difficult. This in tandem with the way it removes any trace of itself as well as adding itself to a target systems firewalls trusted programmers help to increase the likelihood of further infections. As well as this the risk of this RAT being used maliciously is significant, particularly the fact a remote attacker could take control of a system and theoretically carry out any operations a user would be able to.


OpIsrael2018 to Commence 7th April 2018

Target: Israeli Linked Targets

Attack Vector: DDoS/Defacement/Hack & Data Leak

Threat Actor: @Anonymous Affiliated Actors

Summary: The @Anonymous hacktivist collective has announced it will be commencing a series of coordinated cyber-attacks against Israeli linked targets commencing Saturday 7th April 2018. The operation has been dubbed #OpIsrael2018 and is expected to last until 14th April 2018.

Risk assessment summary: It is assessed that #OpIsrael2018 presents a 3d MODERATE threat to organisations with links to Israel. Whilst the published target lists are likely to be the primary focus for hacktivists, organisations and individuals across the globe may also be considered legitimate targets. There is also a high likelihood that Israel state-sponsored actors will pre-empt or retaliate against hacktivists during this period, which could result in collateral damage. Although occurring annually on 7th April annually, the 2018 operation may have particular significance as a result of recent attempted Palestinian incursions on the Israeli border fence. This has resulted in a number of deaths among rioters at the hands of the Israeli Defence Forces.

The ongoing Anti-Semitism controversy in the UK regarding the Labour Party may also act as a driver for UK centric activity. Some left-wing hacktivists consider the recent negative publicity as part of a “Zionist Plot” aimed at discrediting the pro-Palestinian leadership of the party. This may have implications for media organisations deemed to display a pro-Israel bias in the reporting of the issue. Additionally, UK based organisations which trade with or operate in Israel, may also be targeted. Taking into account @Anonymous statements, this is likely to include the communications sector. Whilst DDoS is likely to be the main attack vector, website defacement and hacks/ data leaks are also likely to be utilised against targets. It is recommended that increased vigilance is maintained in Israeli linked organisations between the 7th and 14th of April. Monitoring of the threat environment will continue in order to identify further actionable intelligence.

Russian NATO Alliance

Russian Envoy To NATO Claims Alliance Has Crossed A Red Line

Target: UK Government & Private Sector

Attack Vector: Phishing Campaign

Threat Actor: APT28/29

Summary: Aleksandr Grushko, the Russian envoy to NATO, has stated that the increasing military build-up on Russia’s doorstep cannot be justified and the NATO alliance have crossed a line with recent activity. In a meeting on 3rd April 2018 of the Russian think-tank the “Valdai Discussion Club” Grushko claimed that Russia have never developed a military dimension with neighbouring states, even when in dispute with them and stated “Now, thanks to NATO, we have a military dimension, it was their choice, they crossed the red line.”

The statement comes at a time when the diplomatic relationship between Russia, the UK, and its NATO allies are at breaking point as a result of the March assassination attempt on Sergei Skripal. Recently, Russia have continued to vehemently deny any involvement in the suspected nerve agent attack and claim that the incident was a ‘false flag’ carried out by MI6 as a means of isolating Russia internationally. The situation has been further complicated by a statement from Porton Down scientists admitting they were unable to positively identify the chemical agent used against Skripal as having originated from Russia. This is certain to be seized on by Moscow as another means of undermining the UK government narrative.

Risk assessment summary: Given the ongoing tensions between Russia and the UK it continues to be assessed that a 2b HIGH threat exists to a broad spectrum of UK sectors. There are clear indicators that Russian state-sponsored actors are actively probing UK organisations in both the government and private sector. This reconnaissance type activity is a strong indicator of a clear intent to target these entities for subsequent cyber-attacks. Whilst it continues to be assessed that harvesting and weaponisation of data for use in influence operations remains the most likely scenario, disruptive, service affecting attacks cannot be ruled out.

The Grushko statement is of particular concern as this suggests Russia may place its forces into a more aggressive defence posture in response to what it sees as NATO expansion into its ‘near abroad’. This would almost certainly include increased ‘hybrid warfare’ activity from the cyber defence elements of the Russian military and intelligence agencies. Additionally, the combination of factors which have occurred during the past week, such as the Aeroflot search, the accusations against diplomats stationed in Canada, the expulsions of diplomats, the extradition of the hacker Nikulin and the Porton Down Novichok statement, are all likely promote an ‘under siege’ mentality in Moscow. Whilst the forthcoming World Cup may act as a restraining factor for any overt cyber-attacks, Moscow is likely to be preparing for subsequent retaliation against the West, commencing with the probing of potential targets. All previous recommendations and threat assessments remain valid and monitoring of the threat environment will continue in order to identify further actionable intelligence.


Input Validation issue unearthed in Drupal

Target: Sites utilizing insufficiently patched versions of Drupal and site users

Attack Vector: RCE using CVE-2018-7600

Summary: The developers of the open source software Drupal have announced the existence of a major, high severity vulnerability, CVE-2018-7600. This vulnerability affects Drupal versions 7.x. and 8.x. along with certain legacy iterations of the software. The vulnerability allows for several attack vectors to be exploited using remote code execution (RCE), with any webpage utilising Drupal software vulnerable. It is estimated that over 1 million sites are vulnerable. Risk assessment summary: The threat is assessed as 3c MODERATE. There is a significant risk from this vulnerability. A threat actor could access sensitive information without any authentication, as well as modify and delete system data. However, despite all of this, the flaw has not been exploited in the wild, nor is there any exploit code publicly available. In addition, a patch is available, with relevant sites pre-notified to prepare, all mitigating.