Scammers Take Advantage of GDPR Rush

Emails from various actors masquerading as legitimate services informing users of an updated privacy policy in line with General Data Protection Regulation (GDPR) has seen a dramatic increase. The regulation came into force on the 25 May and has caused a significant spike in email traffic and related spam activity. This was expected and was part of a National Cyber Security Centre (NCSC) security advisory last week.

Strategic assessment: It is important to note that the majority of these phishing attacks do not technically deviate from the norm. One of the first instances of a GDPR-related phishing attack, which prompted the NCSC security advisory, targeted Airbnb. Reported by Redscan, the phishing email insists that new bookings will not be taken on behalf of the host until a new privacy policy has been accepted. The redirect led to a page where the user is prompted for personal information, including account credentials and payment card information. Another example included targeting Apple users. In this instance, the actors claimed the user’s accounts had been ‘limited’ due to unusual activity. Contained in the body of the email was a link to a website, controlled by the scammers, requesting user details. Although this was not directly linked to GDPR, the actors deliberately timed the emails to hide in the traffic sent from legitimate companies. Interestingly, the phishing technique demonstrated a higher technical ability than previously observed. The actors employed Advanced Encryption Standard protocols when redirecting victims to the scammer-controlled page, this was in order to avoid anti-phishing tools. This is unusual and signifies a more sophisticated actor group is responsible. Across the board, it appears that the actors seeking to leverage GDPR are financially motivated and interested in personal data, as opposed to seeking to infect the target with malware. It is almost certain that GDPR-related scams will decline as the high volume of emails from companies to users reduces. Employees should be encouraged to remain vigilant for suspicious emails during this period, especially from companies they are unfamiliar with or were not expecting contact from.

Turla Group

Turla Group Observed using Open-Source Tools

Target: Eastern European organisations and embassies
Attack Vector: Fake flash loader subsequently loading Metasploit, which executes shellcode and installing a backdoor
Threat Actor: @Turla
Summary: It has been observed that well known Russian based @Turla group has continued its activity over spring, yet their behaviour differs slightly from previously observed methods used. @Turla are known to utilise their own tools such as Skipper to carry out attacks, yet recently, a range of open-source tools have been used instead to achieve these aims, signalling a change of methodology. The group has continued to push its Mosquito backdoor, previously reported on in GTS Issue 5, 16th January 2018, yet instead of using a Fake Flash Installer, Metasploit is used as an initial vector to drop the Mosquito backdoor.
The group have not previously been observed using Metasploit and this change in tactic could provide an opportunity to mitigate against the group’s activities. The malware is generally being directed at Eastern European targets and could escalate tensions with the current relations between Russia and Ukraine.
Risk assessment summary: This threat is assessed as 3d MODERATE. While Mosquito already presents a risk due to its capability to steal information from a target machine and relay it back to a threat actor, this variant increases the likelihood of infection. The use of Metasploit means that the commands which download the malware do not remain on the system, unlike the previous variant which would allow the fake Flash Installer to be examined for its weaponized version of Flash Player. This improvement allows the exploit to have an additional level of covertness, making it difficult to detect post-infection activity.
Anti-Russian sentiment is high in Ukraine where protesters have constantly campaigned for closer ties to the EU, something which does not sit well with Moscow. As long as this situation is maintained, it is likely Ukraine will be a victim of Russian APT activity.

Cobalt Strike

Cobalt Strike reemerges under new APT10 campaign, targets Japan

Target: Japanese organizations currently, potential future risk for Western nations
Attack Vector: Cobalt Strike program is pushed on target PC’s through either an executable file or malicious macros
Threat Actor: APT10 (also known as Menupass Team)

Summary: The penetration testing tool, Cobalt Strike has once again been observed as part of a campaign, this time by APT10, who are suspected to originate in China. This is the first time the group have been seen using this tool, which previously was utilised by APT19. Since late April, APT10 have been targeting Japanese corporations. Due to it being a legitimate programme, the use of Cobalt Strike makes the group’s attacks even more difficult to defend against. Furthermore, the use of cyber espionage tactics from a Chinese-based APT group against Japanese organisations is a concerning trend. The two nations have long held cold relations and this will further strain Sino-Japanese ties. Risk assessment summary: This threat is assessed as 3c MODERATE. While there is a constant underlying threat of escalation between Japan and China, it is unlikely that an isolated cyber espionage campaign would trigger conflict, largely due to both nations being large trading partners. Any military conflict would leave both sides losing a large amount of trade and it is unlikely either nation would want to risk this unless absolutely necessary. Yet APT10 is still an active group and it is likely they will continue to carry out actions in the name of the Chinese state. Persistent cyber espionage, in tandem with events on the ground, could contribute to a rise in tensions and a change in the situation. There is also the possibility APT10 will target other nations such as the US or UK.
Cobalt Strike has been seen to be used to great effect by multiple threat actors, and in this case, allows APT10 access to a range of sensitive information and the ability to control what files are present on a target system as well as the ability to execute said commands on a target system


Presidential election fallout in Venezuela increases likelihood of hacktivist activity

Target: Venezuelan organisations, particularly governmental and financial
Attack Vector: DDoS attacks, site defacement, data leaks. Also potential for SQL injection
Threat Actor: @YoSoyJustin
Summary: Venezuela has recently re-elected President Maduro to serve another 6-year term as head of state. Yet the appointment comes with much controversy as opposition parties, voters, and much of the international community allege the election to have been rigged, with low voter turnouts and limited opposition to the ruling party in Caracas, with many opposition leaders disqualified from the election.
The country has been in a state of turmoil since 2013, with the economy sharply dipping and dramatically increased poverty prompting protests over recent years. This has also been supported by hacktivist activity and the heightened tensions from the recent election and controversy are likely to provide fuel for further protests and hacktivist activity.
Risk assessment summary: This threat is assessed as 3d MODERATE. The Venezuelan people have seen their country collapse rapidly and dramatically since 2013, with very little action undertaken to appease them. Hyperinflation continues to exist with everyday goods still in short supply. This makes the continuation of protests in the Latin American nation extremely likely, and thus hacktivist activity is also likely to continue. The latter is more dependent on events on the ground, should there be another election or further unrest, it is almost certain further attacks will be observed.
The ability of @YoSoyJustin is also of particular note. The majority of attacks over the past two months have been data leaks and have yielded documents containing sensitive information as well as login credentials. The group have also been observed to delete company data as well as provide information for other threat actors on how to exploit vulnerabilities in websites.

Vulnerabilities in Dell EMC

Vulnerabilities in Dell EMC’s Disaster Recovery System

Target: Dell EMC’s Disaster Recovery System
Attack Vector: Remote code execution flaw, administrative menu arbitrary file read & LDAP credentials in Tomcat log
Summary: Penetration testers from Foregenix Ltd have released details of six new vulnerabilities in Dell EMC RecoverPoint devices. The devices provide continuous data protection (CDP), tracks changes and subsequently records them to allow for faster and easier recovery of data following any corruption. One of the flaws detected is a critical remote code execution flaw which allows total command of the target machine. The vulnerabilities affect all Dell’s EMC RecoverPoint software prior to 5.1.2 and RecoverPoint for Virtual Machines prior to Three of the vulnerabilities have been patched and on 21 May an advisory notice, only available to registered customers, offered instructions on how to mitigate the three remaining unpatched vulnerabilities. It is also noted that the CVE’s for these have either not been issued or have been revoked
Risk assessment summary: This threat is assessed as a 3d MODERATE. Whilst the most critical flaw has been patched, a further three vulnerabilities identified remain unpatched at this time and could be actively exploited. This is likely to stay high until further patches are rolled out to cover the remaining vulnerabilities. Any unpatched devices would be vulnerable to the critical remote access flaw vulnerability, which allows threat actors to gain complete control over a targeted machine. This could lead to data and credential harvesting and lateral movement within an organisation.

VPNFilter Malware

Advanced VPNFilter Malware Targets over 500K Devices Worldwide

Target: Ukraine and small office/home hosts.
Attack Vector: Botnet
Summary: A newly discovered malware infection, dubbed VPNFilter, has compromised more than 500,000 home and small office routers and NAS boxes in 54 countries. It is believed to have been under the control of APT28, a unit of the Russian Military’s Main Intelligence Directorate, however, due to the malware’s capabilities, it has now been taken over by the FBI. The malware spreads by taking advantage of known vulnerabilities in individual products, it does not rely on any one specific exploit. VPNFilter can be used for three main purposes: conducting attacks that are mistakenly attributed to the malware’s victims; collecting information from devices connected to the affected products; and cutting off victim’s access to the internet via the built-in “kill” command. Activating the malware could completely stop affected devices from functioning, which could affect hundreds of thousands of user’s internet access.
Risk assessment summary: The threat has been assessed as 3c MODERATE. If successful, the malware allows attackers to access infected computers remotely and then use them to spy on networks, steal login credentials, destroy devices and control access to the internet. Targeted devices are difficult to defend, they will typically have no intrusion protection or antivirus package and may have many known public exploits, or default credentials, that can make compromise relatively straightforward.

Whilst smaller attacks have been taking place worldwide, it was expected that larger, more targeted, attacks would take place imminently involving Ukraine as a the main target due to a large number of attacks seen against them in the past two weeks. However, as the FBI has seized the domain used, known as ‘’ – the URL where VPNFilter bots would connect to get their commands and additional modules ahead of the Champions League Football Final, which was set to take place in Kiev, the risk of a larger attack has subsided. However, it is important that businesses worldwide are aware of the capabilities that VPNFilter holds as there are over 500,000 infected machines globally. The FBI has stated that they are compiling a list of vulnerable devices to disseminate to ISPs and both public and private sector partners dealing with infections.

CrowdStrike Taking Protection to a New Level

Taking Protection to a New Level: CrowdStrike Announces its $1 Million Breach Prevention Warranty







Although many industries have long offered product warranties to assure customers the products they purchase will function as advertised, this has not been true for cybersecurity.

When a security product fails, customers have had little recourse — until now. CrowdStrike® is thrilled to be changing the game once again by offering our customers a $1 million dollar warranty on our most comprehensive solution, CrowdStrike Falcon EPP Complete™. The warranty covers a range of expenses should EPP Complete fail to protect your organization as expected and what’s more — it’s included with the solution at no charge.

Falcon EPP Complete is a unique offering that combines the effectiveness of the Falcon platform with the efficiency of a dedicated team of security professionals.

It ensures that all aspects of endpoint security are handled — from on boarding, configuration and maintenance to monitoring, alert handling and remediation.

CrowdStrike is so confident in Falcon EPP Complete’s breach protection capabilities that we have established a breach warranty of up to $1 million in the event that a customer using EPP Complete experiences a breach within their protected environment that EPP Complete should have prevented. If a legitimate breach occurs, we’ve made the warranty easy to implement, without unachievable requirements or hidden caveats. And the beauty is that the warranty is included in the purchase price of the product. All new EPP Complete clients are eligible for this warranty.

If the warranty is triggered, it provides a broad spectrum of benefits that cover the following breach response expenses:  incident response, legal fees, notification, credit monitoring, forensic investigation and public communications expenses. Also, for customers who are developing an overall cyber risk management program that includes a balance between cyber risk mitigation and cyber risk transfer, Falcon EPP Complete is the ideal solution. If a Falcon EPP Complete customer experiences a breach, the breach prevention warranty transfers risk from the customer to CrowdStrike.

The benefits for CrowdStrike customers are self-evident: The warranty provides an extra layer of protection at no additional cost.

The combination of the efficacy and simplicity of EPP Complete with the CrowdStrike warranty gives our customers ultimate peace-of-mind, relieving anxiety and financial loss if an unexpected breach occurs, and making the breach response process more convenient, efficient, and stress-free.

With this warranty for CrowdStrike Falcon EPP Complete, we are demonstrating our confidence in the most tangible way possible: by giving customers the peace-of-mind and financial assurance they deserve.

Learn more about the Falcon EPP Complete Warranty

Read the Falcon EPP Complete Warranty Press Release

For a free trial of CrowdStrike Falcon Prevent™ next-gen AV, click here

Efail Vulnerabilities

Efail Vulnerabilities Expose Popular Email Encryption Techniques

Target: PGP/S/MIME Users
Attack Vector: Direct exfiltration and Cipher Block Chaining/Ciphertext Feedback CFB Gadget attack.
Summary: A critical flaw, dubbed Efail, has been discovered which affects the way certain email programs handle a popular encryption technology aiming to safeguard emails. It targets the encryption standards of Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME), both similar protocols commonly used by businesses and enterprises. The flaw can affect applications such as Apple Mail, Outlook and Mozilla Thunderbird. The vulnerability allows hackers to read an encrypted email by making changes to its HTML, essentially tricking the affected email applications into decrypting the rest of the message, allowing the attackers to read it in plaintext.
Risk assessment summary: This threat has been assessed as 4c LOW. If successful, attackers have the potential to gain access to sensitive information, including financial data, contained within encrypted emails. However, the Efail attack requires hackers to have a high level of access initially, that in itself, is difficult to achieve. They must be able to intercept encrypted messages before they can exfiltrate them, which lowers the risk of exploitation. Users and businesses who are using PGP and S/MIME hold a greater risk as opposed to businesses using other encryption standards. The flaw appears to be more serious in S/MIME than PGP, as attacking S/MIME is more straightforward and tests have shown a much higher success rate.

Vega Stealer Malware

Vega Stealer Malware Harvests Credentials in Firefox and Chrome Browsers

Target: Marketing, public relations and advertising along with the retail and manufacturing industries.
Attack Vector: Phishing, with malicious document attached.
Summary: A new malware variant, dubbed Vega Stealer, is currently being used in a new phishing campaign to harvest saved sensitive data including credit card details, cryptocurrency details and sensitive documents from the widely used Google Chrome and Firefox browsers. Although the malware is currently being employed in simplistic and minor phishing campaigns, it has the potential, and is expected to become, a more common threat to businesses in the future. Vega is a variant of August Stealer which also contained stealing functionality, however, Vega offers several significant new features.
Risk assessment summary: This threat has been assessed as 3c moderate. If successful, Vega Stealer has the capability to steal victim’s sensitive and financial information including passwords, credit card details and login details saved in both Google Chrome and Mozilla Firefox internet browsers. Although simplistic methods are currently being used and the delivery of the phishing email itself is not sophisticated, it is predicted that the campaign will develop and grow in order to disseminate more widely, potentially evolving into a more commonly found stealer.

CheckPoint Top Malware April 2018

Crypto miners remain dominant in the latest instalment of CheckPoint’s global malware tracker having been consistently rated in the top 10 for several months. The persistent inclusion and furore surrounding crypto miners is questionable. Also evident in the monthly lists are the top three mobile malware threats and top three vulnerabilities.
The threats in these categories are not mutually exclusive as the top vulnerabilities, as rated by CheckPoint, are associated with the Crypto mining threat. In particular, the Microsoft Windows Server 2003 (CVE-2017-7269) and Oracle Web Logic (CVE-2017-10271) vulnerability. As noted in the report, 46% of organisations around the world were targeted using the Microsoft vulnerability, whilst the Oracle vulnerability was targeted 40% of the time.
The threat from these vulnerabilities is clear, but despite patches having been available for more than six months, many companies are evidently still susceptible to this threat vector.

Strategic assessment: The top 10 malware in April were:

• Coinhive – Crypto-Miner designed to perform online mining of Monero cryptocurrency when a user visits a web page without the user’s knowledge or approval.

• Cryptoloot – Crypto-Miner that uses the victim’s CPU or GPU power and existing resources to add transactions to the blockchain and release new currency.

• Roughted – Large-scale Malvertising used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system and utilises ad-blocker bypassing and fingerprinting in order to ensure it delivers the most relevant attack.

• Jsecoin – JavaScript miner that can be embedded in websites. With JSEcoin, the miner is run directly in the browser in exchange for ad-free browsing, in-game currency and other incentives.

• Andromeda – Modular bot used mainly as a backdoor to deliver additional malware on infected hosts and can be modified to create different types of botnets.

• Fireball – Browser-hijacker that can be turned into a full-functioning malware downloader. It is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to the dropping of additional malware.

• XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency and first seen in-the-wild on May 2017.

• Dorkbot – IRC-based Worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system. The primary motivation being to steal sensitive information and launch denial-of-service attacks.

• Nivdort – Multipurpose bot, also known as Bayrob used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient address encoded in the binary, making each file unique.

• Necurs – Botnet used to spread malware by spam emails, mainly Ransomware and Banking Trojans.

Interestingly, the more versatile and lethal malware is rated lower on the list than expected. This could reflect a lower infection rate than crypto miners. From a cybersecurity viewpoint, crypto mining is highly likely to pose less of a business threat compared to the more traditional malware listed. Infostealers, such as Andromeda, should be more of a concern to businesses, given the backdoor capabilities and use in cybercrime-as-a-service.

The top three mobile malware were:

• Lokibot – Android banking Trojan and info-stealer which can also turn into ransomware that locks the phone.

• Triada – Modular Backdoor for Android which grants superuser privileges to downloaded malware.

• Hiddad – Android malware which repackages legitimate apps and releases them to a third-party store.

The top three vulnerabilities were:

• Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial of service condition on the target server. That is mainly due to a buffer overflow vulnerability resulted by improper validation of a long header in the HTTP request.

• Oracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271) – A remote code execution vulnerability exists within Oracle WebLogic WLS. This is due to the way Oracle WebLogic handles XML decodes. A successful attack could lead to a remote code execution.

• SQL Injection – Inserting an injection of SQL query in input from the client to the application, while exploiting a security vulnerability in an application’s software.