Global Threat Summary report Second Week December 2017

Here is the Second Week December 2017 Global Threat Summary report, which provides an overview of the current threat landscape from around the world. The report includes a summary of the threats we’ve recently profiled, including:

  • Doppelganging process helps malware go undetected on Windows
  • Microsoft issues out of band patch for Security program flaw
  • TurkHackTeam Hacks And Defaces EU And UN Targets

The Global Threat Summary is designed to provide organizations with an overview of the current threat landscape from across the world. It combines assessment of the strategic picture with a thought leadership approach and is also a collated summary of all the threats that we have profiled each week. The report should be received at a high level within organizations to give an overview of risk and summary of trends.

1. Strategic insight

This section includes a review of significant reports that have been published and provides a strategic viewpoint on identified or high profile trends.

1.1 The Reality of Contemporary Cybercriminal Groups

MalwareBytes’ The New Mafia: Gangs and Vigilantes report illustrates one perception of the strategic state of contemporary cybercrime. Dividing the threat landscape into four crude groups, MalwareBytes seeks to influence CEOs’ and other C-level executives’ understanding of the different business risks posed by cybercriminal groups. In a more academic-styled report, MalwareBytes strikes a tone much supported in industry, namely that as cybercrime becomes more sophisticated, more businesses are vulnerable.

Strategic assessment:

MalwareBytes’ report makes cybercrime a business leader’s priority by exposing a wide contrast between business leaders’ and “technologists’” recognition of the threat landscape. MalwareBytes attributes this contrast to a shared idea that cybercrime is the domain of CIOs and IT departments. The report dubs this a flawed approach: “the extent of cybercrime and the depth of the strategies needed to combat must be central to general business strategy – thus, it must become the domain of chief executives”.

This false belief has converged with intensifying and increasingly frequent cybercrime activity. As the report notes, “in the first 10 months of 2017, the number of attacks had already surpassed the total for all of 2016. The average number of monthly attacks has also increased by 23% in 2017. 2016 itself saw a spectacular rise in business-targeted cybercrime, with a 96% increase in attacks compared to the previous year”.

Therefore, the acknowledgement of divisions within cybercrime is a useful handrail to help identify and recognize part of the contemporary cyber threat landscape at a strategic level. The supposedly “new syndicates of cybercrime” are: traditional gangs, state-sponsored attackers, ideological hackers and hackers-for-hire. These generalized divisions are not as “new” as the report suggests, but they remain a useful framework to unpack the complexities of malicious actors. In BT’s analysis, the divisions are academic only, with current actors not fitting so neatly into such partitions.

MalwareBytes characterize the groups by: the presence of an organizational structure akin to crime families, the sophistication of hacking, the emergence of a highly professional service economy for cybercrime and the co-option of these services by ideological groups and nation-states.

Ideological groups, often referred to as hacktivists outside the report, are characterized by a motivation rooted in perceived moral and ethical duty. Interestingly, MalwareBytes views these groups as attempting to use the threat of classified leaks to coerce governments and individuals to act in their favour. However, WikiLeaks aside, ideologically-motivated groups target a more diverse set of entities than just governments. For example, mid-2017 witnessed cyber divestment campaigns targeted against private businesses as part of anti-fracking demonstrations in Lancashire, UK.

The state-sponsored hackers were also slightly mis-defined in the report, given as “beyond the international espionage that typically comes to mind with state-sponsored activity, these hackers are increasingly interested in corporate theft and sabotage”. However, this definition is hard to substantiate when contrasted against the current APT-Cybercriminal relationship.

Historically, excluding cyberespionage as a motivation, the division between high-end cybercriminal actors and state-orchestrated groups, or APTs, is trivial, as the groups are not mutually exclusive and often share individual actors. It is important to note that groups which fall under this category, because of their geopolitical motivations, do target private enterprise; for example, the Lazarus group’s targeting of Bangladesh banks or APT10’s CloudHopper operation. Although simple categorizations help understand the picture, it is important to understand that such divisions are a slightly distorted reality.


2. Threat Reporting

This section provides a summary of the threats that Security Threat Intelligence has profiled over the past week. These are categorized according to the modules of Threat Reporting: Section 2 covers malware and vulnerability reporting, whilst Section 3 covers Cybercrime and Hacktivism.

2.1 Malware analysis

Doppelganging process helps malware go undetected on Windows systems
Threat rating: 4a LOW
Target: Windows users (currently just a PoC)
Attack Vector: RCE
Summary: A new malware evasion technique has been discovered and unveiled at the Black Hat Europe 2017 security conference in London. The technique, called Process Doppelganging, abuses a built-in Windows NTFS transaction function, allowing malware to be loaded onto a Windows system undetected.

The technique bears many similarities to Process Hollowing, which also replaces the memory of a legitimate process with malicious code. It deceives process monitoring tools and antivirus by replacing code in the original process.

Process Doppelganging differentiates itself through its exploitation of the Windows built-in NTFS Transactions feature. Firstly, Doppelganging uses an NTFS transaction to make changes to an executable file; the modified file is then executed but the transaction is never committed to disk, so the malicious content never becomes visible to security products that scan the file system. Secondly, it relies on undocumented implementation details of the Windows process-loading mechanism, which attackers must obtain. These details are used to load the executable file that was modified inside the transaction, after which the changes are rolled back. The result is a process created from the modified file without triggering any security processes.

Risk Assessment Summary:

The threat is assessed as 4a LOW. This is a Proof of Concept (PoC) and has not been seen in the wild. In order for an attacker to successfully exploit this flaw, they will need prior access to a machine.

If it can be achieved it is very effective; however, the attacker needs a high level of knowledge of Windows systems and components to exploit this flaw. The flaw is not yet publicly disclosed. In a successful attack, any type of malware can be placed on the system, heightening the risk. However, it should be noted that once malware is placed on the system, it is no longer hidden. When the next scheduled security scan of the system runs, the malware will be discovered and most likely removed. Some systems also have real-time monitoring, scanning new files which are dropped on the system. While the malware may be able to get onto the system undetected, once it is there it will not be so easily hidden.

Napoleon Extension Added to Blind Ransomware
Threat rating: 4a (L / M / H)
Target: Standard users (none specific)
Attack Vector: Compromised IIS server
Summary: A new variant of the “Blind” ransomware, named “Napoleon”, has emerged. The original Blind ransomware, Napoleon’s predecessor, was initially discovered in December 2017. When executed, it scans all available drives on a targeted user’s system, determines which files can be encrypted and then proceeds with the encryption of the targeted files, appending the .blind extension. Recently, however, an altered version of Blind has been spotted that uses the extension .napoleon. Attackers deploy the malware in a fairly uncommon way, by manually dropping it onto the targeted machine via a compromised Internet Information Services (IIS) web server. After Napoleon is dropped, it looks through files on the system and adds the .napoleon extension to every file it can encrypt. After the encryption is complete, a ransom note is left in HTA format. Unlike Blind, files encrypted by Napoleon cannot currently be recovered without the attacker’s private key.
Risk Assessment Summary:

The threat is assessed as 4c LOW. As with most ransomware, the threat is the associated cost of losing access to files on the targeted system, with decryption highly unlikely. However, considering it must be manually deployed on a machine via an already compromised IIS server and is not expected to be wide-reaching, the likelihood of an average user being infected is low. Furthermore, actors employing Napoleon are currently using an email address to collect payment for the campaign, suggesting it is not meant to be widespread.
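The summary above describes the two artefacts that Blind and Napoleon leave on a host: encrypted files with the original name plus an appended .blind or .napoleon extension, and a ransom note in HTA format. The following script is an added triage example (not code from the report or from the ransomware authors) that walks a directory tree and inventories those artefacts so an incident responder can size the damage and find the note quickly. The sample tree it creates under a temporary directory, including the note's file name, is constructed for the demonstration; real note names are not stated in the report.

```python
"""Post-incident triage helper for Blind/Napoleon-style ransomware.

Added example (not from the original report). It walks a directory tree and
reports files carrying the .blind or .napoleon extensions described in the
summary, plus any .hta files that may be the ransom note. The sample tree it
builds under a temporary directory is constructed for demonstration only.
"""
import os
import tempfile
from collections import Counter

# Extensions the report associates with the Blind family and its Napoleon variant.
RANSOM_EXTENSIONS = (".blind", ".napoleon")
# Napoleon leaves its note in HTA format; the note's file name is an assumption here.
NOTE_EXTENSION = ".hta"


def triage_tree(root):
    """Return a summary of encrypted files and candidate ransom notes under root."""
    summary = {
        "encrypted_by_extension": Counter(),   # .blind / .napoleon -> count
        "affected_directories": set(),         # directories (relative to root) holding encrypted files
        "ransom_notes": [],                    # .hta files found, relative to root
        "original_extensions": Counter(),      # file types hit, recovered from the inner extension
    }
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()
            full = os.path.join(dirpath, name)
            if lower.endswith(RANSOM_EXTENSIONS):
                ext = os.path.splitext(lower)[1]
                summary["encrypted_by_extension"][ext] += 1
                summary["affected_directories"].add(os.path.relpath(dirpath, root))
                # The ransomware appends its extension, so the original extension is still visible.
                original_ext = os.path.splitext(lower[: -len(ext)])[1]
                summary["original_extensions"][original_ext or "(none)"] += 1
            elif lower.endswith(NOTE_EXTENSION):
                summary["ransom_notes"].append(os.path.relpath(full, root))
    return summary


def build_sample_tree():
    """Create a constructed directory tree that mimics a partially encrypted host."""
    root = tempfile.mkdtemp(prefix="napoleon_triage_")
    layout = {
        "docs/report.docx.napoleon": b"ciphertext",
        "docs/budget.xlsx.napoleon": b"ciphertext",
        "docs/HOW_TO_DECRYPT.hta": b"<html>constructed ransom note</html>",
        "pics/holiday.jpg.blind": b"ciphertext",
        "pics/readme.txt": b"untouched",
        "bin/tool.exe": b"MZ",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    result = triage_tree(sample)
    print("encrypted files:", dict(result["encrypted_by_extension"]))
    print("affected directories:", sorted(result["affected_directories"]))
    print("candidate ransom notes:", result["ransom_notes"])
    print("original file types hit:", dict(result["original_extensions"]))
```

Run it against a mounted image or a copy of the affected volume rather than the live host, and treat the .hta list as candidates only: the script matches on extension, so any legitimate HTA file in the tree will appear alongside the note.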

2.2 Vulnerability reporting


Global Threat Summary report First Week December 2017

Here is the First Week December 2017 Global Threat Summary report, which provides an overview of the current threat landscape from around the world. The report includes a summary of the threats we’ve recently profiled, including:

  • Q3 2017 Akamai State of The Internet report
  • Bitcoin’s exponential value brings increased threats to cryptocurrency
  • Kaspersky boycott crosses into Britain

The Global Threat Summary is designed to provide organizations with an overview of the current threat landscape from across the world. It combines assessment of the strategic picture with a thought leadership approach and is also a collated summary of all the threats that we have profiled each week. The report should be received at a high level within organizations to give an overview of risk and summary of trends.

1. Strategic insight

This section includes a review of significant reports that have been published and provides a strategic viewpoint on identified or high profile trends.

1.1 Q3 2017 Akamai State of The Internet report

Akamai’s State of the Internet Q3 2017 report highlights useful quarterly statistics on threat vector trends. Akamai used data obtained globally from its infrastructure and DDoS solution to detail the current level of network-based attacks. Overall, more attacks were detected, which is expected due to rising technological skill sets, tool availability and sophistication. However, the geographical nature of these threats, as discussed in the report, opens questions about the perceptions of “less risky” cyber security regions.

Strategic assessment:

Comparing Q3 2016 and Q3 2017, several key trends have emerged:

• Web application attacks have increased by 69%

• Attacks sourcing from the US increased by 217% (Q3 2017 Top Source Country)

• The US also bears the brunt of targeting – 11 times as many registered attacks as the second most targeted, Brazil.

Overall, these figures show that US IP addresses are the most likely source of an attack. According to Akamai, 39% of all recorded attacks were attributed to US IP addresses, ahead of Russia with 7%; the Netherlands, Ukraine and Brazil accounted for 6% each. Geographically-based blocking or rule sets may need refining to account for this finding. This is especially prudent for US domestic markets, as the report also details a much higher risk of attack there.

The report also detailed that the emerging market for DDoS activity is Germany with “22% (58,746) of the unique IP addresses used in volumetric DDoS attacks” traced to the country. The report does not say what is driving this increase in unique IPs but, on a strategic level, it suggests that Germany’s technology infrastructure is perhaps neglecting cybersecurity.

The report found that 86% of DDoS attacks targeted gaming customers. However, this statistic may be viewed as more of a reflection of Akamai’s customer base, in which the gaming industry is over-represented. The culture around the gaming industry means the sector is more susceptible to DDoS targeting, as the threat vector is used as a means of score-settling. Nevertheless, every sector should still plan for and mitigate DDoS activity.

2. Threat Reporting

This section provides a summary of the threats that Security Threat Intelligence has profiled over the past week. These are categorised according to the modules of Threat Reporting: Section 2 covers malware and vulnerability reporting, whilst Section 3 covers Cybercrime and Hacktivism.

2.1 Malware analysis

Bitcoin’s exponential value brings increased threats to cryptocurrency
Threat rating: 3e (L / M / H)
Target: Web users
Attack Vector: JavaScript
Summary: In the cybersphere, Bitcoin has featured a great deal in reporting due to its incredible year of trading. Introduced in 2009, Bitcoin saw its value increase greatly in 2017, rising from $1000 at the start of the year to over $11,000 in November. Investors are willing to pay increasing amounts for the asset due to a fear of missing out on potential profit, similar to the dot-com bubble. In addition, the currency is being used at a growing rate, with speculation that it may gain a foothold in the mainstream financial industry. At the moment it cannot be used to pay bills or taxes or to settle debts. However, it can be used for a range of online activities, purchasing items on the dark web for example, as well as many everyday activities such as music downloads or gift cards. The digital currency, existing online, is a virtual token and there is no middleman in a transaction. This peer-to-peer characteristic is something that attracts many to the cryptocurrency market.

The rise of Bitcoin has inevitably also brought about a new wave of threat actors across the cryptocurrency spectrum attempting to reap the rewards of the rising value through the illegal means of spreading malware. To obtain cryptocurrency without actually buying it, coins have to be “mined” using a high volume of computing power and resources. Mining involves performing a very large number of computations and, if successful, a user gains currency. Due to the scale of processing power required, some miners pool several machines together to acquire currency.

This has also resulted in a shortage of affordable graphics cards, with prices rising far above RRP, as they are extremely effective for crypto mining. While they have seen rising demand for many years, more recently their value has increased exponentially. This is because certain types of mining cannot be carried out with specialized application-specific integrated circuit (ASIC) mining hardware, leaving graphics cards, particularly AMD, as the only viable solution. The demand is so great that Nvidia has announced plans to release graphics cards specially designed for crypto mining.

A result of the increase in the value of cryptocurrency is threat actors infecting websites with coin mining code, designed to run in the background of the machine of any visitor to a targeted website. Once this is done, the threat actor can have hundreds, even thousands, of unsuspecting users helping mine for cryptocurrency on their behalf.

However, Bitcoin is notoriously difficult to mine and requires significant processing power, so threat actors have instead put other cryptocurrencies at risk, using victims’ machines to help them in their mining activities.

Risk Assessment Summary: It should be noted that this attack vector offers scope for a user to have their machine used for activities they are unaware of and have not permitted. Although coin-mining does not itself perform any malicious activity, it consumes the victim’s CPU power and RAM without their permission. There are certain websites (detailed in this report) that have had this code injected into their pages, and this is certainly increasing. Therefore a risk exists here, but it is still reasonably low due to the mitigations which can be put in place.
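The summary above describes the injection as JavaScript coin-mining code placed into a website so that every visitor's browser runs it. One of the mitigations it alludes to is checking what scripts a page actually loads. The script below is an added example (not code from the report, and not an authoritative detection signature) that parses a page with Python's standard-library HTML parser and flags two things: external scripts fetched from hosts outside an allowlist, and inline scripts containing strings typical of browser miners. The allowlist, the indicator strings and the sample page are all constructed for this demonstration; the `.test` and `.invalid` hostnames are reserved names, not real sites.

```python
"""Scanner for injected browser coin-mining scripts.

Added example, not from the original report. It parses an HTML page with the
standard library and flags <script> elements that look like miner injections:
external scripts loaded from hosts outside an allowlist, and inline scripts
that instantiate WebAssembly or reference mining pool / worker keywords. The
indicator keywords, the allowlist and the sample page are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately serves scripts from (assumption for this demo).
ALLOWED_SCRIPT_HOSTS = {"www.example-shop.test", "cdn.example-shop.test"}
# Strings commonly present in browser miners; a constructed, non-exhaustive list.
INLINE_INDICATORS = (
    "WebAssembly.instantiate",
    "stratum+tcp://",
    "CryptoNight",
    "hashesPerSecond",
    "new Worker(",
)


class ScriptCollector(HTMLParser):
    """Collects every <script> element with its src attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # list of {"src": str | None, "body": str}
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        # Script bodies arrive through handle_data; concatenate any chunks.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def scan_html(html, page_host, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (reason, detail) findings for suspicious script elements."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for script in collector.scripts:
        src = script["src"]
        if src:
            # A relative src has no hostname and is treated as same-origin.
            host = urlparse(src).hostname
            if host and host != page_host and host not in allowed_hosts:
                findings.append(("external-script-unknown-host", src))
            continue
        hits = [k for k in INLINE_INDICATORS if k in script["body"]]
        if hits:
            findings.append(("inline-miner-indicators", ", ".join(hits)))
    return findings


# Constructed page: two legitimate scripts plus an injected loader and inline miner.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example-shop.test/app.js"></script>
<script src="/static/cart.js"></script>
<script src="https://miner-cdn.invalid/lib.js"></script>
<script>
  var w = new Worker('/worker.js');
  WebAssembly.instantiate(bytes).then(function (m) { start('stratum+tcp://pool.invalid:3333'); });
</script>
</head><body>hello</body></html>"""


def scan_sample():
    """Scan the constructed page as if it were served from www.example-shop.test."""
    return scan_html(SAMPLE_PAGE, "www.example-shop.test")


if __name__ == "__main__":
    for reason, detail in scan_sample():
        print(reason, "->", detail)
```

The allowlist check is the same idea a Content-Security-Policy `script-src` directive enforces in the browser; running it server-side over crawled copies of your own pages gives early warning that an injected script has appeared. The keyword check is a heuristic only, so treat its output as a prompt for manual review of the flagged script rather than as proof of mining.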

3. Cybercrime and hacktivism

3.1 Global geo-political threat analysis

Kaspersky boycott crosses into Britain
Threat rating: 3e (L / M / H)
Target: Businesses using Kaspersky products
Attack Vector: Supply-chain
Summary: Since 2015, Russian anti-virus software company Kaspersky Lab has allegedly been working with the Russian government to aid interference in the 2016 US election and to pass intelligence from the United States government to Moscow. Many professionals within the security industry believe it is probable that Kaspersky software, installed on the machines of NSA employees, helped obtain intelligence for the Russian government. When Israeli hackers breached Kaspersky systems, they uncovered stolen tools belonging to the NSA.

The resulting actions by US Homeland Security caused the removal of all Kaspersky products from all branches of the US Government, damaging the Russian antivirus provider’s market share along with its reputation. This drastic decision led many other Kaspersky customers to review their partnership. In December 2017, Kaspersky began to lose business on this side of the Atlantic. The UK National Cyber Security Centre advised all government departments against using Kaspersky software for systems related to national security. Following this, all anti-virus products from Russia were effectively banned.

In addition, Barclays, who offer Kaspersky products to over 2 million customers, halted their distribution of Kaspersky as a free product and notified 290,000 customers who had taken up the offer.

Risk Assessment Summary: It appears the Russian government has already gained access to the NSA; it may also be exploring access into other organisations. As the NSA, the UK Government and Barclays have all taken steps to limit Kaspersky’s presence in their businesses, this indicates it is considered a tangible threat. Although highly likely, it is not confirmed that the attack vector is via Kaspersky. Since the NSA discovery, Russian government operations have been brought into the spotlight. This mitigates the threat to some degree and affords businesses the opportunity to review their vendors, limiting their attack vectors.