Russian Envoy To NATO Claims Alliance Has Crossed A Red Line
Target: UK Government & Private Sector
Attack Vector: Phishing Campaign
Threat Actor: APT28/29
Summary: Aleksandr Grushko, the Russian envoy to NATO, has stated that the increasing military build-up on Russia’s doorstep cannot be justified and the NATO alliance have crossed a line with recent activity. In a meeting on 3rd April 2018 of the Russian think-tank the “Valdai Discussion Club” Grushko claimed that Russia have never developed a military dimension with neighbouring states, even when in dispute with them and stated “Now, thanks to NATO, we have a military dimension, it was their choice, they crossed the red line.”
The statement comes at a time when the diplomatic relationship between Russia, the UK, and its NATO allies are at breaking point as a result of the March assassination attempt on Sergei Skripal. Recently, Russia have continued to vehemently deny any involvement in the suspected nerve agent attack and claim that the incident was a ‘false flag’ carried out by MI6 as a means of isolating Russia internationally. The situation has been further complicated by a statement from Porton Down scientists admitting they were unable to positively identify the chemical agent used against Skripal as having originated from Russia. This is certain to be seized on by Moscow as another means of undermining the UK government narrative.
Risk assessment summary: Given the ongoing tensions between Russia and the UK it continues to be assessed that a 2b HIGH threat exists to a broad spectrum of UK sectors. There are clear indicators that Russian state-sponsored actors are actively probing UK organisations in both the government and private sector. This reconnaissance type activity is a strong indicator of a clear intent to target these entities for subsequent cyber-attacks. Whilst it continues to be assessed that harvesting and weaponisation of data for use in influence operations remains the most likely scenario, disruptive, service affecting attacks cannot be ruled out.
The Grushko statement is of particular concern as this suggests Russia may place its forces into a more aggressive defence posture in response to what it sees as NATO expansion into its ‘near abroad’. This would almost certainly include increased ‘hybrid warfare’ activity from the cyber defence elements of the Russian military and intelligence agencies. Additionally, the combination of factors which have occurred during the past week, such as the Aeroflot search, the accusations against diplomats stationed in Canada, the expulsions of diplomats, the extradition of the hacker Nikulin and the Porton Down Novichok statement, are all likely promote an ‘under siege’ mentality in Moscow. Whilst the forthcoming World Cup may act as a restraining factor for any overt cyber-attacks, Moscow is likely to be preparing for subsequent retaliation against the West, commencing with the probing of potential targets. All previous recommendations and threat assessments remain valid and monitoring of the threat environment will continue in order to identify further actionable intelligence.
Input Validation issue unearthed in Drupal
Target: Sites utilizing insufficiently patched versions of Drupal and site users
Attack Vector: RCE using CVE-2018-7600
Summary: The developers of the open source software Drupal have announced the existence of a major, high severity vulnerability, CVE-2018-7600. This vulnerability affects Drupal versions 7.x. and 8.x. along with certain legacy iterations of the software. The vulnerability allows for several attack vectors to be exploited using remote code execution (RCE), with any webpage utilising Drupal software vulnerable. It is estimated that over 1 million sites are vulnerable. Risk assessment summary: The threat is assessed as 3c MODERATE. There is a significant risk from this vulnerability. A threat actor could access sensitive information without any authentication, as well as modify and delete system data. However, despite all of this, the flaw has not been exploited in the wild, nor is there any exploit code publicly available. In addition, a patch is available, with relevant sites pre-notified to prepare, all mitigating.
Critical vulnerabilities on Cisco devices
Target: Systems using unpatched Cisco software
Attack Vector: 3 separate critical vulnerabilities
Summary: Over the Easter break, multiple vulnerabilities were found on Cisco devices, placing millions of devices at risk. 34 vulnerabilities in total and 17 critical vulnerabilities have been discovered. Three of the most severe vulnerabilities relate to two flaws which could allow for a Denial of Service (DoS) to take place, CVE-2018-0171 and CVE-2018-0151, in addition to unauthorised access via hardcoded default credentials, CVE-2018-0150. Risk assessment summary: The threat is assessed as 3c MODERATE. The three vulnerabilities discussed are all of a critical nature, with two allowing an opportunity for a DoS attack and the third allowing sensitive devices to be compromised. In addition, authentication is not required for a threat actor to carry out these exploits. However, due to the availability of patching, along with workarounds for some of the vulnerabilities, these are issues which will become much rarer and difficult to exploit.
Keylogger Malware Dubbed Fauxpersky Discovered
Target: Computers running Microsoft Windows
Attack Vector: Infected USB drives
Summary: A new keylogger malware imitating the well-known Anti-virus programme Kaspersky has been witnessed infecting victim’s devices worldwide. Spread via infected USB drives, the malware logs keystrokes and uploads them to a malicious Google form. The malware is not very advanced or stealthy, however, it is highly efficient at infecting USB drives and collecting the keylogger data.
Risk assessment summary: This threat is assessed at 3e MODERATE. As it has only been recently discovered, it is unknown how many infections have taken place, hence it is not possible to gauge how widespread the malware is. There has been little attempt to avoid discovery, therefore it can easily be blocked by antivirus software. Although very efficient at exfiltrating data, any infection on a machine would suggest that confidential information such as usernames and passwords had already been obtained.
PenguinSecurity group becomes active on OpTurkey in addition to activity in Russia
Target: Sites relating to the Turkish government as well as Russian sites
Attack Vector: DDoS attacks, website defacement
Threat Actor: @PenguinSecurity
Summary: A previously unknown hacktivist group, @PenguinSecurity, previously known as @ThePenguinsPlace have been involved in operations relating to Russia and Turkey and has carried out defacements of websites in both nations. Their attacks against Russia were particularly concerning as they occurred during the increased tensions between the UK and Moscow as a result of the Sergei Skripal poisoning incident. It was believed that Moscow might consider the group a western state sponsored entity but since then, they have taken part in @Anonymous affiliated activity under #OpTurkey.
Risk assessment summary: The threat is assessed as 3d MODERATE. While PenguinSecurity is a relatively new group, making it more difficult to assess the threat they may present, the fact they have emerged during a period of heightened international tensions means it is prudent to closely monitor their activity. They appear to be effective at carrying out both defacement and DDoS attacks which indicate’s enough technical capability to present a plausible threat to targeted organisations. The risk is raised further when their actions are put into the context of the current political situation, with Russia particular likely to consider “new” hacktivist groups with a great deal of suspicion which could lead to a retaliatory response.
OpCatalunya activity increases in response to recent arrests
Target: Spainish/European & Scottish Targets
Attack Vector: DDoS/Website Defacement/Hacks & data Leaks
Threat Actor: @MinionGhost/ @AnonymousCatalonia / @Lulzsaints
Summary: Following the arrest under a European Arrest warrant of the former Catalan leader Carles Puidgemont in Germany on 25th March 2018, @Anonymous affiliated actors have targeted a growing number of organisations as part of #OpCatalunya. The hacktivist group @MinionGhost has also announced it will be carrying out a “massive attack” on 29th March in support of the operation although at the time of writing no target list has been issued. During the same period, the former Catalan Education Minister Clara Ponsati was also made subject to an arrest warrant and is currently making arrangements to hand herself into Police Scotland.
Risk assessment summary: It is currently assessed that #OpCatalunya linked activity presents a 3d MODERATE threat to Spanish, German and Scottish targets, most likely in the government, police and judicial sectors although other targets of opportunity are likely to be exploited if vulnerabilities are identified by the hacktivists concerned. It is also likely that EU institutions will be targeted as a retaliatory measure.
As the arrests are the result of European arrest warrants being used against elected politicians for the crime of holding a referendum on Catalan independence, the case is almost certain to generate a great deal of international controversy. In Scotland, there is a concern following the Scottish government admission that it is powerless to intervene to halt the extradition of Ponsati. This will undoubtedly be seized upon by pro-Brexit and opposition groups to embarrass the heavily pro-EU first Minister Nicola Sturgeon. The situation also makes it likely that Scottish institutions will be targeted by @Anonymous actors for co-operating in any subsequent extradition proceedings.
Although @MinionGhost have announced the 29th as the date for their planned “massive attack” it should be expected that DDoS, hacks and data leaks, as well as defacement attacks, will continue both before and after this date until at least the medium term and future activity may be timed to coincide with any court appearances. There has also been an increase in Catalonia related direct action activity in Spain, which may also increase as the legal situation develops.
System users are advised to ensure adequate DDoS mitigation and cyber security precautions are in place as a matter of routine. Monitoring of the threat environment will continue in order to identify target lists and other actionable intelligence.
APT24 OilRig group active in new phishing campaign
Target: Middle East/USA/Possibly UK & Europe
Attack Vector: Phishing Campaign
Threat Actor: APT34 OilRig
Summary: The Iranian APT24 group (aka OilRig) appears to have been active in a sophisticated phishing campaign from November 2017 onwards. Intelligence indicates the group has evolved and introduced new malware and data exfiltration techniques against a number of Middle Eastern targets. During its latest activities, it appears OilRig has employed around 20 different tools which include off the self, dual purpose utilities as well as previously undetected malware which used Google Drive and SmartFile as well as the Internet Server Application Programming Interface (ISAPI) filter for compromising IIS servers.
Risk assessment summary: It is currently assessed that APT34 OilRig present a 2c HIGH threat to a broad spectrum of sectors. Whilst the group usually operates in support of Iranian strategic interests within the Middle East, it has also operated beyond the region against the United States during a period which coincided with internal unrest which Tehran laid at Washington’s door. Given that the UK is seen as a major weapons and intelligence supplier to Iran’s main regional rival Saudi Arabia, then this willingness to attack entities beyond the region increases the possibility that UK organisations could potentially be considered valid targets.
Iran also continues to be a key player in both the Syrian and Yemen conflicts and is closely allied to Russia both politically and militarily. This alliance is almost certainly one of the factors in the increasing sophistication of OilRig activity and it may be that Tehran is still employing Russian “Hackers For Hire” as a means of enhancing the country’s offensive cyber capabilities. Such cooperation would certainly suit Moscow, who would undoubtedly benefit from intelligence sharing with Iran, whilst also being able to benefit from “plausible deniability”.
In the current diplomatic climate where the United States has just expelled 60 Russian diplomats as a result of the alleged Russian poisoning of Sergei Skripal, the use of Iranian actors to carry out “proxy” attacks would also be a useful means of obfuscation in any forthcoming campaign against the West. If this proves to be the case, it may be possible to draw some commonalities between the TTP’s used by both Russian and Iranian APT’s. With this in mind, it is recommended that system users remain vigilant for plausible seeming email lures which are designed to specifically appeal to the recipient. Monitoring of the threat environment will continue in order to identify further actionable intelligence.
Trickbot banking Trojan updated with screen locker component
Target: The financial sector worldwide
Attack Vector: Worldwide
Summary: The well-established banking Trojan Trickbot, has been upgraded to include a new screen locker module. It is thought that this will be used to hold victim’s devices to ransom if they are not e-banking users and it is believed to be a way for the attackers to enhance monetisation during attacks. The module is not yet fully functional, however as it has been witnessed in the wild, it will be in a testing stage and therefore close to full operation.
Risk assessment summary: This threat is assessed at 3C MODERATE, although this module is not fully functional, it is cause for concern that it has been seen in the wild as this suggests it is in the testing phase of its development. With this new module, it means the malware will have a much higher hit rate in terms of money gained from infection. With the worm module that is also included in this update, the speed in which it spreads across internal networks is now increased. With both of these updates the Trojan becomes a bigger threat to a company’s brand image if an infection takes place alongside the potential for data and finance loss.
New GhostMiner cryptominer displays unusual attributes
Target: Systems using unpatched versions of Oracle WebLogic server
Attack Vector: Exploitation of CVE-2017-10271 before running fileless operations
Summary: A new strain of cryptocurrency-mining malware has been observed over the last week, with researchers discovering GhostMiner software. The malware exploits a vulnerability on Oracle WebLogic servers to initially access a target system. This distinctive tool is also able to carry out Fileless execution utilising PowerShell code. It also scans to see if any other minors are running on a host before terminating their processes. Notably, the exploit has not amassed a high amount of income through its operations, meaning perhaps the threat actor’s aims are not financial.
Risk assessment summary: The threat is assessed as 4b LOW. This is not the first time Oracle WebLogic servers have been observed to be susceptible to an exploit. We are only in March and already multiple campaigns have been found to be exploiting this, raising the likelihood of further attacks. As well as this, this malware shows signs of being some kind of test, preparing the ground for future attacks, indicating we are likely to see further instances of it.
AVCrypt ransomware tries to uninstall your AV software
Target: Windows Users
Attack Vector: Unknown – assumed popular strategies i.e emails, malvertising, fake software updates.
Summary: AVCrypt is a malicious program that targets anti-virus and security software. The virus drops an empty +HOW_TO_UNLOCK.txt file which is supposedly a ransom note, but it has not been identified as to whether this is a wiper malware or ransomware. A variety of Windows services are attempted to be deleted and the ransom note does not contain any instructions to decrypt the files which could point to it being a wiper malware instead or simply that it is still in development. It is capable of making system changes, deleting files and deleting anti-virus software on the targeted machine. The malicious program specifically targets Windows Defender and Malwarebytes and deletes Windows services in order to stop their proper operation.
Risk assessment summary: The threat can be assessed as 3e MODERATE. If successful, the malware is capable of deleting security software and encrypting files as part of a ransomware attack. It can be destructive to an infected machine, however, at the same time, it does appear to upload the encryption key to a remote server. Instructions or the demand of bitcoin to un-encrypt files is not a part of the ransom note. Therefore, it is not known whether this is a true ransomware that is still in development or a wiper disguised as one.