PenguinSecurity group becomes active on OpTurkey in addition to activity in Russia

Target: Sites relating to the Turkish government as well as Russian sites

Attack Vector: DDoS attacks, website defacement

Threat Actor: @PenguinSecurity

Summary: A previously unknown hacktivist group, @PenguinSecurity (formerly known as @ThePenguinsPlace), has been involved in operations relating to Russia and Turkey and has carried out defacements of websites in both nations. Their attacks against Russia were particularly concerning as they occurred during the increased tensions between the UK and Moscow resulting from the Sergei Skripal poisoning incident. It was believed that Moscow might consider the group a western state-sponsored entity, but since then they have taken part in @Anonymous-affiliated activity under #OpTurkey.

Risk assessment summary: The threat is assessed as 3d MODERATE. While PenguinSecurity is a relatively new group, making it more difficult to assess the threat they may present, the fact that they have emerged during a period of heightened international tensions means it is prudent to monitor their activity closely. They appear to be effective at carrying out both defacement and DDoS attacks, which indicates enough technical capability to present a plausible threat to targeted organisations. The risk is raised further when their actions are put into the context of the current political situation, with Russia in particular likely to view “new” hacktivist groups with a great deal of suspicion, which could lead to a retaliatory response.


OpCatalunya activity increases in response to recent arrests

Target: Spanish/European & Scottish targets

Attack Vector: DDoS/Website Defacement/Hacks & Data Leaks

Threat Actor: @MinionGhost/ @AnonymousCatalonia / @Lulzsaints

Summary: Following the arrest under a European Arrest Warrant of the former Catalan leader Carles Puigdemont in Germany on 25th March 2018, @Anonymous-affiliated actors have targeted a growing number of organisations as part of #OpCatalunya. The hacktivist group @MinionGhost has also announced it will be carrying out a “massive attack” on 29th March in support of the operation, although at the time of writing no target list has been issued. During the same period, the former Catalan Education Minister Clara Ponsati was also made subject to an arrest warrant and is currently making arrangements to hand herself in to Police Scotland.

Risk assessment summary: It is currently assessed that #OpCatalunya-linked activity presents a 3d MODERATE threat to Spanish, German and Scottish targets, most likely in the government, police and judicial sectors, although other targets of opportunity are likely to be exploited if vulnerabilities are identified by the hacktivists concerned. It is also likely that EU institutions will be targeted as a retaliatory measure.

As the arrests are the result of European Arrest Warrants being used against elected politicians for the crime of holding a referendum on Catalan independence, the case is almost certain to generate a great deal of international controversy. In Scotland, there is concern following the Scottish government’s admission that it is powerless to intervene to halt the extradition of Ponsati. This will undoubtedly be seized upon by pro-Brexit and opposition groups to embarrass the heavily pro-EU First Minister Nicola Sturgeon. The situation also makes it likely that Scottish institutions will be targeted by @Anonymous actors for co-operating in any subsequent extradition proceedings.

Although @MinionGhost have announced the 29th as the date for their planned “massive attack”, it should be expected that DDoS, hacks and data leaks, as well as defacement attacks, will continue both before and after this date, at least into the medium term, and that future activity may be timed to coincide with any court appearances. There has also been an increase in Catalonia-related direct action in Spain, which may also increase as the legal situation develops.

System users are advised to ensure adequate DDoS mitigation and cyber security precautions are in place as a matter of routine. Monitoring of the threat environment will continue in order to identify target lists and other actionable intelligence.

APT34 OilRig

APT34 OilRig group active in new phishing campaign

Target: Middle East/USA/Possibly UK & Europe

Attack Vector: Phishing Campaign

Threat Actor: APT34 OilRig

Summary: The Iranian APT34 group (aka OilRig) appears to have been active in a sophisticated phishing campaign from November 2017 onwards. Intelligence indicates the group has evolved and introduced new malware and data exfiltration techniques against a number of Middle Eastern targets. During its latest activities, it appears OilRig has employed around 20 different tools, which include off-the-shelf, dual-purpose utilities as well as previously undetected malware that used Google Drive and SmartFile for exfiltration and an Internet Server Application Programming Interface (ISAPI) filter for compromising IIS servers.

Risk assessment summary: It is currently assessed that APT34 OilRig presents a 2c HIGH threat to a broad spectrum of sectors. Whilst the group usually operates in support of Iranian strategic interests within the Middle East, it has also operated beyond the region against the United States, during a period which coincided with internal unrest that Tehran laid at Washington’s door. Given that the UK is seen as a major weapons and intelligence supplier to Iran’s main regional rival Saudi Arabia, this willingness to attack entities beyond the region increases the possibility that UK organisations could be considered valid targets.

Iran also continues to be a key player in both the Syrian and Yemen conflicts and is closely allied to Russia both politically and militarily. This alliance is almost certainly one of the factors in the increasing sophistication of OilRig activity and it may be that Tehran is still employing Russian “Hackers For Hire” as a means of enhancing the country’s offensive cyber capabilities. Such cooperation would certainly suit Moscow, who would undoubtedly benefit from intelligence sharing with Iran, whilst also being able to benefit from “plausible deniability”.

In the current diplomatic climate, where the United States has just expelled 60 Russian diplomats as a result of the alleged Russian poisoning of Sergei Skripal, the use of Iranian actors to carry out “proxy” attacks would also be a useful means of obfuscation in any forthcoming campaign against the West. If this proves to be the case, it may be possible to draw some commonalities between the TTPs used by Russian and Iranian APTs. With this in mind, it is recommended that system users remain vigilant for plausible-seeming email lures designed to appeal specifically to the recipient. Monitoring of the threat environment will continue in order to identify further actionable intelligence.


Trickbot banking Trojan updated with screen locker component

Target: The financial sector worldwide

Attack Vector: Worldwide

Summary: The well-established banking Trojan Trickbot has been upgraded to include a new screen locker module. It is thought that this will be used to hold victims’ devices to ransom if they are not e-banking users, and it is believed to be a way for the attackers to enhance monetisation during attacks. The module is not yet fully functional; however, as it has been witnessed in the wild, it will be in a testing stage and therefore close to full operation.

Risk assessment summary: This threat is assessed at 3C MODERATE. Although this module is not fully functional, it is cause for concern that it has been seen in the wild, as this suggests it is in the testing phase of its development. With this new module, the malware will have a much higher hit rate in terms of money gained per infection. With the worm module that is also included in this update, the speed at which it spreads across internal networks is now increased. With both of these updates the Trojan becomes a bigger threat to a company’s brand image if an infection takes place, alongside the potential for data and financial loss.

GhostMiner cryptominer
New GhostMiner cryptominer displays unusual attributes

Target: Systems using unpatched versions of Oracle WebLogic server

Attack Vector: Exploitation of CVE-2017-10271 before running fileless operations

Summary: A new strain of cryptocurrency-mining malware has been observed over the last week, with researchers discovering the GhostMiner software. The malware exploits a vulnerability in Oracle WebLogic servers to gain initial access to a target system. This distinctive tool is also able to carry out fileless execution utilising PowerShell code. It also scans to see if any other miners are running on a host before terminating their processes. Notably, the malware has not amassed a high amount of income through its operations, meaning perhaps the threat actor’s aims are not financial.

Risk assessment summary: The threat is assessed as 4b LOW. This is not the first time Oracle WebLogic servers have been observed to be susceptible to an exploit. We are only in March and already multiple campaigns have been found to be exploiting this vulnerability, raising the likelihood of further attacks. As well as this, the malware shows signs of being some kind of test, preparing the ground for future attacks, indicating we are likely to see further instances of it.


AVCrypt ransomware tries to uninstall your AV software

Target: Windows Users

Attack Vector: Unknown – assumed popular strategies, i.e. emails, malvertising, fake software updates.

Summary: AVCrypt is a malicious program that targets anti-virus and security software. It drops an empty +HOW_TO_UNLOCK.txt file which is supposedly a ransom note, but it has not yet been established whether this is wiper malware or ransomware. It attempts to delete a variety of Windows services, and the ransom note contains no instructions for decrypting the files, which could point to it being wiper malware instead, or simply that it is still in development. It is capable of making system changes, deleting files and deleting anti-virus software on the targeted machine. The malicious program specifically targets Windows Defender and Malwarebytes and deletes Windows services in order to stop their proper operation.

Risk assessment summary: The threat is assessed as 3e MODERATE. If successful, the malware is capable of deleting security software and encrypting files as part of a ransomware attack. It can be destructive to an infected machine; however, at the same time, it does appear to upload the encryption key to a remote server. Neither decryption instructions nor a bitcoin demand form part of the ransom note. Therefore, it is not known whether this is true ransomware that is still in development or a wiper disguised as one.
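As an added example (not from the bulletin, and not any vendor's detection content), the following Python sketch turns the behaviours described in the GhostMiner and AVCrypt summaries above into simple detection rules run over constructed process-creation and file-creation records. The key=value log format, the hostnames, the assumption that WebLogic runs inside a java.exe process, the service names WinDefend and MBAMService, and every sample command line are assumptions made for the example; only the +HOW_TO_UNLOCK.txt file name comes from the bulletin.

```python
"""Detection sketch for the GhostMiner / AVCrypt behaviours in the bulletin.

Added example, not from the bulletin or any product. It parses CONSTRUCTED
key=value telemetry records (a format invented here, not Sysmon/EDR output)
and flags:
  1. PowerShell spawned by the JVM hosting WebLogic with hidden/encoded switches
     (GhostMiner-style fileless execution; parent name java.exe is an assumption).
  2. Service-control commands that stop or delete security-product services, and
     creation of the +HOW_TO_UNLOCK.txt note (AVCrypt-style behaviour; the service
     names WinDefend and MBAMService are assumed, not taken from the bulletin).
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

SECURITY_SERVICES = {"windefend", "mbamservice"}   # assumed service names
RANSOM_NOTE = "+HOW_TO_UNLOCK.txt"                  # file name from the bulletin
WEBLOGIC_HOSTS = {"java.exe", "java"}               # assumption: WebLogic runs in a JVM

# key=value or key="quoted value" fields of the constructed log format
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# PowerShell switches typical of hidden / encoded execution
PS_FLAGS = re.compile(r"(?i)(?:^|\s)-(?:e(?:nc|ncodedcommand)?|nop(?:rofile)?|w(?:indowstyle)?\s+hidden)(?=\s|$)")
# sc/net commands that stop or delete a service; group 1 is the service name
SVC_CMD = re.compile(r'(?i)\b(?:sc(?:\.exe)?\s+(?:stop|delete)|net(?:\.exe)?\s+stop)\s+"?([\w.-]+)"?')


@dataclass
class Alert:
    host: str
    rule: str
    detail: str


def parse_line(line: str) -> dict:
    """Turn one key=value record into a dict (quoted values may contain spaces)."""
    return {k: (q or u) for k, q, u in KV.findall(line)}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles both separators)."""
    return ntpath.basename(path).lower()


def detect_fileless_powershell(rec: dict) -> Optional[Alert]:
    """GhostMiner pattern: the WebLogic JVM spawning PowerShell with hidden/encoded switches."""
    if rec.get("event") != "process":
        return None
    if _base(rec.get("image", "")) not in {"powershell.exe", "powershell"}:
        return None
    if _base(rec.get("parent", "")) not in WEBLOGIC_HOSTS:
        return None
    if not PS_FLAGS.search(rec.get("cmd", "")):
        return None
    return Alert(rec["host"], "fileless_powershell_from_weblogic", rec["cmd"])


def detect_service_tampering(rec: dict) -> Optional[Alert]:
    """AVCrypt pattern: stopping or deleting a security product's service."""
    if rec.get("event") != "process":
        return None
    m = SVC_CMD.search(rec.get("cmd", ""))
    if m and m.group(1).lower() in SECURITY_SERVICES:
        return Alert(rec["host"], "security_service_tampering", rec["cmd"])
    return None


def detect_ransom_note(rec: dict) -> Optional[Alert]:
    """AVCrypt pattern: the (empty) ransom note appearing on disk."""
    if rec.get("event") == "filecreate" and _base(rec.get("path", "")) == RANSOM_NOTE.lower():
        return Alert(rec["host"], "ransom_note_dropped", rec["path"])
    return None


RULES = (detect_fileless_powershell, detect_service_tampering, detect_ransom_note)


def scan(lines: Iterable[str]) -> List[Alert]:
    """Apply every rule to every non-empty record and collect the alerts in order."""
    alerts: List[Alert] = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        for rule in RULES:
            alert = rule(rec)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real captures): benign and suspicious records mixed.
SAMPLE_LOG = r'''
ts=2018-03-27T09:00:01Z host=web01 event=process image=C:\java\bin\java.exe parent=services.exe cmd="java.exe -Dweblogic.Name=AdminServer weblogic.Server"
ts=2018-03-27T09:00:07Z host=web01 event=process image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\java\bin\java.exe cmd="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
ts=2018-03-27T09:05:00Z host=ws12 event=process image=powershell.exe parent=explorer.exe cmd="powershell.exe Get-ChildItem C:\Temp"
ts=2018-03-27T10:15:02Z host=ws12 event=process image=sc.exe parent=cmd.exe cmd="sc query WinDefend"
ts=2018-03-27T10:15:03Z host=ws12 event=process image=sc.exe parent=cmd.exe cmd="sc delete WinDefend"
ts=2018-03-27T10:15:04Z host=ws12 event=process image=net.exe parent=cmd.exe cmd="net stop MBAMService"
ts=2018-03-27T10:15:09Z host=ws12 event=filecreate image=C:\Users\bob\AppData\Local\Temp\update.exe path="C:\Users\bob\Desktop\+HOW_TO_UNLOCK.txt"
ts=2018-03-27T10:16:00Z host=ws12 event=filecreate image=winword.exe path="C:\Users\bob\Desktop\notes.txt"
'''

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Run stand-alone, the sample produces four alerts: one for the hidden, encoded PowerShell launched from the WebLogic JVM, two for the service-control commands against the assumed security services, and one for the ransom note; the interactive PowerShell session under explorer.exe, the `sc query`, and the ordinary document creation are left alone. In a real deployment the parent-process and service-name lists are the tuning points, and the encoded-command rule is best paired with the PowerShell script-block logging the platform already provides.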


Polymorphic and malicious IPs highlighted by Webroot

The speed of change is one of the main conclusions of the Webroot Threat Report 2018. In the opening text, the lifespan of phishing attacks and the activity of high-risk IP addresses were highlighted to show the current levels of malicious-benign flux. Based on Webroot’s proprietary Threat Intelligence Platform, the report largely corresponds with the industry’s known behaviours; however, the statistics given make it a must-read for most cyber security practitioners. The report has in-depth discussions of the threats from the increasing use of polymorphic malware, cryptojacking, phishing and malicious mobile apps.

Strategic assessment:

In the case of malicious IPs, Webroot provided the following insight:

• 90% of phishing attacks came from just 62 domains

• In one case, 400,000 phishing sites came from a single IP address

• 50 of the unique IPs hosting phishing sites were responsible for more than 1.5 million phishing attacks

The bulk of phishing has not diversified and the vast majority of attacks are limited to a small number of domains and IP addresses. Further in the report, it highlights that the US (12%), China (12%) and Indonesia (8%) were the top three locations for malicious IPs. Overall, just 10 countries accounted for 62% of total malicious IPs.

From a malware perspective:

• 94% of malicious executable files were found to be polymorphic

• Windows 10 was found to be almost twice as safe – in terms of malware detected – as Windows 7

• In 2017, 93% of malware was unique.

There was a drop in the number of malware files per device in 2017; Webroot suggest a few reasons for this trend. The first is that the development of polymorphic malware has increased by a significant margin, indicating that malware authors are changing tack. This also came at a time of significant changes in the use of exploit kits, which suffered some major takedowns across 2017. Furthermore, the adoption of Windows 10 across business and personal devices also correlated with better malware protection.


After flurry of activity in February, events on the ground keep #OpTurkey on the radar

Target: Organizations within and doing business with the Turkish administration.

Attack Vector: DDoS attacks, doxing, data leaks.

Summary: February 2018 was the busiest month observed for #OpTurkey in over 12 months, with, on average, at least one incident per day. This coincided with events on the ground as the Turkish-Kurdish conflict continued, in addition to indicators of increased cooperation between Ankara and the EU, which triggered further attacks. Now in March, the number of attacks is significantly lower than previously observed; however, there remains a steady flow of incidents. More worryingly, recent events on the ground may trigger further attacks.

Risk assessment summary: The threat is assessed as 3d MODERATE. Historically, events on the ground do dictate events in the cybersphere. The capture of Afrin in Syria is a major event in the Turkish-Kurdish conflict and is likely to antagonise hacktivist groups such as @AnonymousKurdistan. This group in particular has shown itself to have the capability to leak data and cause downtime against government, financial and medical organisations. The EU issue is also one steadily ticking away, and while it continues, Turkey cannot expect attacks from Anonymous and allied groups to relent.

Facebook Data Leak

Data Leaked From Facebook Used to Sway US Election

Target: Facebook.

Attack Vector: Worldwide Facebook users.

Threat Actor: Cambridge Analytica.

Summary: Cambridge Analytica, a data analysis and strategic communication company, has been accused of knowingly using data mined from Facebook via the third-party app thisisyourdigitallife. The data was collected due to a flaw in Facebook’s API and terms of use, which allowed the app to collect the data not only of its users but also of their friends. This eventually resulted in the collection of information on over 50 million people.

Risk assessment summary: This threat is assessed as 3d MODERATE. A very high number of people have had their data breached and used without their knowledge. Although the firm claims all data collected without consent has been deleted, the level and manner of the breach leave many sceptical. The risk is also heightened due to the political standing of the individuals involved.

Russian World Cup

A Look forward to the Russian World Cup

The World Cup in 2014, hosted by Brazil, saw a large amount of hacktivist activity and the Russian World Cup in 2018 is likely to see a similar, although smaller, amount. Previous campaigns include #OpWorldCup, #OpHackingCup, #OpMundial2014 and #OpBrazil, which had a variety of successful attacks including DDoS and data leaks. Controversies exist surrounding Russia’s successful bid for the World Cup 2018, which reflect a similar theme to the previous hacktivist motivations for attacks against Brazil, namely alleged state corruption. The conditions in-country, however, somewhat mute the chances of cyberattacks across the 2018 World Cup.

Strategic assessment:

It is unlikely that the level of street protests seen in Brazil in 2014 will be repeated across Russia in 2018. Although street protests do occur, the Russian state law enforcement will be at heightened awareness for such events during the World Cup period. The televised or reported protests help publicise hacktivist activity and the likely denial of such activity during the Russian World Cup will impact on the amount of hacktivists actively campaigning.

There are also nuances in the different potential hacktivist motivations for attacking Brazil compared to Russia. @Anonymous’ announcement of a 2014 boycott, media coverage of the infrastructure development displacing residents and the deaths of many stadium workers due to unsafe labour practices preceded the event. These specific conditions are yet to be seen in Russia. However, other aspects, such as perceived police brutality, have. In the case of Brazil, this resulted in several attacks against law enforcement websites.

In March 2018, several defacement attacks against Russian websites have been announced. In separate attacks, @ThePenguinsPlace and @FSecurity targeted a variety of private company websites, claiming responsibility on Twitter. In the weeks leading up to and during the World Cup 2018, these types of attack will shift to target government websites. It is also expected that more hacktivists will conduct similar activity closer to the event, although an official campaign has yet to be announced.

The threats to businesses with significant ties to the World Cup 2018 are DDoS, website defacement and data leaks. Hacktivist activity has not been associated with particularly complex or high volume DDoS attacks and, with a lack of an official campaign, defacement and data leaks are only likely to affect “low hanging fruit”.