1.3 Offensive

Think football. This is the other team. The one wanting your data or wanting to do damage to you. The offensive has different plays that it can run such as distributed denial of service (DDos) attacks, phishing and spear phishing, malware, social engineering, software and hardware flaws, and insider threat. We’ll be calling the offensive “bad actors” or “hackers” throughout this article.


Go back

SgxSpectre attack

SgxSpectre attack can extract data from Intel SGX Enclaves

Target: Intel SGX

Attack Vector: Repetitive code execution patterns

Summary: A new variation of the Spectre attack named SgxSpectre that can extract information from Intel SGX enclaves has been revealed this week. The new variant can allow an attacker to completely compromise the confidentiality of SGX enclaves and learn the content of the enclaves memory.

Risk assessment summary: The threat is assessed as 3e MODERATE and the likelihood has been rated as POSSIBLE. If successful, attackers can potentially compromise the confidentiality of SGX enclaves and retract sensitive information held in the enclaves. Although the original variants of Spectre have been mitigated the new variant is not expecting mitigations until 16th March 2018 so companies are still at risk of exposure.

New malicious app found harvesting Facebook data

Target: Android devices/Facebook users

Attack Vector: Malicious app which steals credentials before using them to harvest more info

Summary: Throughout 2017 and into this year, malicious applications on Android devices have been a continuous, notable threat which we have reported on multiple times. Now in March 2018, a new malicious application “FakeApp” has been detected.

This application is notable in its aggressive methods, as it logs into its victim’s Facebook accounts and harvests account details from devices. It also uses the search functionality on Facebook to amass further data. The abilities it has shown to crawl Facebook, scrolling and taking content is something that has not previously been observed on Android malware.

Risk assessment summary: The threat is assessed as 3e MODERATE. While the threat is mainly limited to the Asia-Pacific region currently, the capability it shows is significant and in some cases never seen before. This could indicate a new trend which we may see more of in the future. The harvesting of such a wide range of personal data is also significant as it could be used to help facilitate a future attack or open up attack vectors on friends of the victim, who would also have information harvested during this attack. Furthermore, information could also be sold on the Dark Web, where there is no guarantee of a buyer’s intentions.

Hackers Targets

1.2 Targets

The target is what the attack is directed against. The primary target is whatever the main objective is think data, data, data. The intermediate target is the hacker’s means to achieving the primary target. Intermediate targets include a network or network appliance, server, workstation, and mobile device (tablet, laptop, phone). Also included are infrastructure devices such as network connected thermostats, circuit boards, and the software applications that run them. Many different types of devices are now connected to the Internet and controlled using webpage based interfaces. These devices can be particularly susceptible targets unless proper investment is made to produce secure programming code.

Data is the end goal of attacking a target. Data can take many forms. A few examples are records in a database containing customer data or health records, data files such as word processing documents or drawings of intellectual property, your GPS location, the words being said in a conference room, your personal credit card information or that of your customers, and even video information.

Go back

The Hacker’s Objectives

1.1 The Hacker’s Objectives

There are many reasons why people hack computer powered devices, but they all boil down to data. Steal data! Change data! Destroy data!

The motivations and objectives of hackers vary widely. Motivations range from idle curiosity to criminal intent. Perhaps the hacker just wants to brag that he or she can do it proving one’s cyber manhood (or womanhood). Perhaps the hacker was paid by a nation state for political and military benefit. Maybe the hacker was hired as an industrial spy for competitive and personal gain.

Objectives can be as simple as proving that the hacker could “log in” or as complex as stealing information from someone’s network for years without being noticed. Most of the time, the motivation has nothing to do with you personally, except that your data was valuable enough to merit the risk.

As examples, objectives might include:

  1. Denial of data access (blocking someone from accessing a storage device).
  2. Intellectual Property (IP) theft (stealing the top secret formula for a soft drink).
  3. Inflicting loss of reputation through exposure of sensitive information (revealing a political candidate’s tax returns or medical records).
  4. Creating loss of trust in a corporation (exposing a bank or credit card institution’s security weakness).
  5. Extortion (demanding a ransom payment in return for restoring one’s data access or keeping sensitive data from becoming public).
  6. Kinetic effect (having something happen in the real world—such as shutting off a power grid, controlling a patient drug infusion device, or controlling an airplane).

Go back

What is Cyber Security?

Computer and data security is broadly divided into physical security and logical security. Physical security (sometimes referred to as just “security”) includes building and personnel security. Logical security is focused on the data—both in storage and in transit on the network—and is sometimes called cyber security. Cyber comes from the word cybernetics which means the science of communications and automatic control systems. The military uses “cyber” to refer to computers or computer networking.

The general perception that cyber security is a relatively new field is false. Only the current emphasis in the media is new. Cyber security has existed for years; however, it previously received minimal funding and attention due to the costs of cyber defense. It also lacked visibility, because you don’t see attacks that were deflected—nor do organizations want you to be aware of how many times they have been attacked.

This article is a broad overview of cyber security. There are several sub-areas of cyber security, but not all experts classify cyber security the same way. There is not, as of yet, an agreed upon division or taxonomy of the subject. But, relax. This article does not cover all these sub-areas and their sub-areas in detail. There are just enough highlights to make you an informed consumer, employee, or manager.

Cyber security tends to employ military terms like defense in depth, target, attack, offensive, and defensive. The various areas of cyber security use lots of terms that may be foreign to you. Included at the back of this book is a glossary of terms.

The decision of a hacker (or the hacker’s sponsor) to mount an attack is based on the perceived reward versus the risk—in other words, the ability to obtain or manipulate data without negative consequence. A defensive investment in cyber security—or how much you are willing to spend to defend against hacking—is driven by the value of the data versus the perceived risk of it being stolen, changed, or destroyed. As an example of low cost security, I used to have a large dog that accompanied me on trips. To create the illusion of high risk, I would leave a two inch chewed-through bone on the front porch while I was gone. It never failed to work.

So, what reward is worth the risk for a hacker?

Go back

RIG Exploit Kit

RIG Exploit Kit (EK)

Analysis conducted by Palo Alto compared activity levels, malware payloads and network traffic characteristics from the RIG Exploit Kit (EK) between January 2017 and January 2018. RIG EK was the most prominent and popular EK across 2016, but has since seen a significant decline in its use. The decline in itself is interesting, but the identification by Palo Alto of recent developments in its use has much more business impact.

Strategic assessment:

RIG EK’s decline has been observed since April 2017. Palo Alto views this as the result of arrests and “vendor efforts to fortify browsers and browser-based applications”. Additionally, malicious actors shifted their focus to other types of exploits, with the example of various Microsoft Office vulnerabilities evident. Similarly, actors also began using the phishing attack vector.

Firstly, the decline in RIG is not related to obfuscation or anti-detection techniques, although efforts had been made by the authors to include such components. Domain shadowing was removed and replaced with IP addresses. Base64-encoded strings were also used where the exploit kit had previously used English text in domains. The move from domain shadowing was forced upon the malware’s authors. In June 2017 a coordinated effort, documented by RSA Research, took down associated domain shadowing infrastructure.

The payload of RIG has also adapted. Analysis by Palo Alto highlighted that 36 out of 39 previous campaigns linked to RIG were used to send different types of ransomware, such as Locky, CryptoMix, CryptoShield and Spora. This has since changed to incorporate the ‘malware of the moment’, crypto miners. Specifically, Ramnit, Remcos RAT, coin miners and GandCrab ransomware were identified.

The threat from RIG EK has somewhat diminished but remains significant. As previously reported, crypto miners in themselves are on the lower end of the malware spectrum when comparing impact to business. The initial infection method however, still requires remediation to prevent subsequent infections. In the profile by Palo Alto, evidence of the exploit kit switching from crypto miner to an infostealer was presented. Although the frequency of attacks has changed and is likely to remain low, the payload’s change is likely only temporary in nature.


APT28 FancyBear Targeted Germany’s Interior Ministry Throughout 2017

Target: German Interior Ministry Network

Attack Vector: Possible Phishing E mail

Threat Actor: FancyBear

Summary: It has been reported by German security sources that a serious cyber-attack has been carried out against the servers of the country’s Interior Ministry throughout 2017, which was only discovered in December of the same year. It is believed that large quantities of data may have been obtained by the actors and authorities have suggested that APT28 (aka FancyBear, Pawn Storm, Sednit, Tsar Team and Sofacy) may be responsible.

Risk assessment summary: It is currently assessed that state-sponsored Russian actors continue to present an ongoing 2c HIGH threat to a broad spectrum of sectors. Although specific technical details of the latest breach have not been released at present, investigators have positively identified the presence of an unspecified malware on the affected servers.

The fact that investigators have stated Russian actors may be responsible for the attack, suggests the malware concerned may be one of the tools commonly used by APT28. The targeting of German political and intelligence entities is entirely compatible with the group’s previous activity in the country. The ability to covertly obtain intelligence from such a major player in the EU and, by implication, the Ukraine conflict would be highly attractive to Moscow.

It is likely that the attack was initiated via a phishing email which may have contained a specifically tailored lure. Now that APT28 may be in possession of personal details of German interior ministry personnel means they might be able to refine future phishing campaigns to mimic subject lines copied from genuine email exchanges, increasing the likelihood of subsequent breaches.

The incident does serve to illustrate that the APT threat remains constant and that the tempo of such attacks is not necessarily bound to geopolitical effects on the ground. Although increased military or political tensions often act as a driver for the subsequent release of hacked data.

It is recommended that all organizations ensure that system users receive sufficient training in order to understand and identify phishing emails. Additionally, the timely implementation of updates and patches cannot be over-emphasized and should always be treated as a matter of urgency, irrespective of any threat level. Monitoring of the threat environment will continue in order to identify further actionable intelligence.


OpSpain New Phase To Commence 1st March 2018

Target: Spanish Organizations

Attack Vector: DDoS/Defacement/Hack & Data Leak

Summary: Following the arrest of the hacktivist Xelijomuo by Spanish authorities in relation to #OpCatalunya linked activity, a number of @Anonymous affiliated actors and groups have announced their intention to retaliate against a number of Spanish linked organizations commencing 1st March 2018.

Risk assessment summary: It is currently assessed that #OpSpain and affiliated operations present a 3b MODERATE threat to Spanish linked entities. Although hacktivists have released a target list, this is likely to expand as the operations develop and it should be anticipated that this threat will extend into the medium term.

Although @Anonymous have announced 1st March 2018 as the start date, it appears that activity has already commenced against Spanish targets and it should be assumed that #OpSpain is now in an active phase. The operation also comes as Hacktivist activity has been increasing and the currently active hacktivists appear capable and credible. Although social media activity is relatively muted at present, the arrest of one of their own is almost certain to act as a driver for the wider @Anonymous collective to become involved.

It is likely that attacks will be a mixture of DDoS, website defacement, hacks and data leaks. It is recommended that stakeholders increase awareness, ensure all DDoS mitigation measures are in place, all patches and updates have been carried out and system users remain vigilant for phishing attempts. Additionally, customer-facing websites should be closely monitored for signs of defacement. Monitoring of the threat environment will continue in order to identify further actionable intelligence.


MalSpam Campaign Targets Unpatched Flash Exploit Systems

Target: Users with unpatched Flash vulnerability – CVE-2018-4878

Attack Vector: Malicious Word Document distributed by email

Summary: Attackers are leveraging a newly patched critical Adobe Flash Player vulnerability in a spam campaign targeting unpatched devices. Spam messages urging recipients to click on links to download malicious Word Documents are being distributed to victims in an attempt to exploit CVE-2018-4878, an Abode Flash Player bug. This can result in the attacker taking control of the victim’s device.

Risk assessment summary: The threat is assessed as 3e MODERATE and the likelihood has been rated as POSSIBLE. If successful, victims could ultimately hand over control of their systems to an attacker by merely opening a suspicious email urging the recipient to click on a URL. The attackers are attempting to exploit the period between patch release and point where the majority of users are protected. Therefore the key to mitigation in this instance is to ensure an efficient and prioritized patch roll out to ensure critical internet facing systems user systems are protected at the earliest available opportunity.