Facebook Data Leak

Data Leaked From Facebook Used to Sway US Election

Target: Facebook.

Attack Vector: Worldwide Facebook users.

Threat Actor: Cambridge Analytica.

Summary: Cambridge Analytica, a data analysis and strategic communication company, has been accused of knowingly using data mined from Facebook via the third-party app thisisyourdigitallife. The data was collected due to a flaw in Facebook's API and terms of use, which allowed the app to collect the data not only of its users but also of their friends. This eventually resulted in the collection of information on over 50 million people.

Risk assessment summary: This threat is assessed as 3d MODERATE. A very high number of people have had their data breached and used without their knowledge. Although the firm claim that all data collected without consent has been deleted, the level and manner of the breach leave many sceptical. The risk is also heightened by the political standing of the individuals involved.

Russian World Cup

A Look Forward to the Russian World Cup

The World Cup in 2014, hosted by Brazil, saw a large amount of hacktivist activity and the Russian World Cup in 2018 is likely to see a similar, although smaller, amount. Previous campaigns include #OpWorldCup, #OpHackingCup, #OpMundial2014 and #OpBrazil, which carried out a variety of successful attacks including DDoS and data leaks. Controversies surrounding Russia’s successful bid for the 2018 World Cup echo the earlier hacktivist motivations for attacks against Brazil, namely alleged state corruption. The conditions in-country, however, somewhat reduce the likelihood of cyber attacks during the 2018 World Cup.

Strategic assessment:

It is unlikely that the level of street protests seen in Brazil in 2014 will be repeated across Russia in 2018. Although street protests do occur, Russian state law enforcement will be at heightened awareness for such events during the World Cup period. Televised or reported protests help publicise hacktivist activity, and the likely suppression of such protests during the Russian World Cup will reduce the number of hacktivists actively campaigning.

There are also nuances in the different potential hacktivist motivations for attacking Brazil compared to Russia. @Anonymous’ announcement of a 2014 boycott, media coverage of the infrastructure development displacing residents and the deaths of many stadium workers due to unsafe labour practices preceded the event. These specific conditions are yet to be seen in Russia. However, other aspects, such as perceived police brutality, have. In the case of Brazil, this resulted in several attacks against law enforcement websites.

In March 2018, several defacement attacks against Russian websites were announced. In separate attacks, @ThePenguinsPlace and @FSecurity targeted a variety of private company websites, claiming responsibility on Twitter. In the weeks leading up to and during the 2018 World Cup, these types of attack will shift to target government websites. It is also expected that more hacktivists will conduct similar activity closer to the event, although an official campaign has yet to be announced.

The threats to businesses with significant ties to the World Cup 2018 are DDoS, website defacement and data leaks. Hacktivist activity has not been associated with particularly complex or high volume DDoS attacks and, with a lack of an official campaign, defacement and data leaks are only likely to affect “low hanging fruit”.


ThePenguinsPlace Hacks And Defaces Six Russian Websites

Target: Russia

Attack Vector: Website Defacement

Threat Actor: @ThePenguinsPlace

Summary: A previously unknown hacktivist group, @ThePenguinsPlace, claim to have hacked and defaced six Russian websites and posted details of the attack on Twitter on 18th March 2018. At the time of writing, the post appears to have been taken down and there is no further sign of activity from these actors.

Risk assessment summary: It is currently assessed that a 2b HIGH threat exists to a number of sectors as a result of this incident. Under normal circumstances this attack would be considered a low threat to UK interests; however, it comes at a time when diplomatic tensions between the UK and Russia are at breaking point following the recent nerve agent poisoning of Sergei Skripal and his daughter. In the two weeks since the incident, the possibility of UK cyber retaliation against Russia has been raised both in parliament and the media, adding fuel to what is already a growing fire.

Additionally, the @ThePenguinsPlace defacement attacks follow on from currently unattributed DDoS attacks against other Russian targets in the lead-up to the 18th March election. These include the Russian Central Election Commission and the communications regulator Roskomnadzor, which has close links with Russian security agencies. These incidents are likely to fuel Moscow’s suspicions that the UK may be launching covert cyber attacks against the country, and this suspicion could well precipitate a tit-for-tat situation.

The fact that @ThePenguinsPlace suddenly appeared and disappeared is unusual and may also lead Russia to believe they are a fake group created by Western intelligence agencies. This is particularly relevant as Russia itself has been known to mimic non-state threat actors, including the UnitedCyberCaliphate, to obfuscate its own attacks.

This creates the possibility that hacktivist-style activity may be launched by state groups during this period of international tension. It is recommended that organisations ensure adequate DDoS mitigation is in place and that public-facing webpages are regularly monitored for signs of defacement. Monitoring of the threat environment will continue for further actionable intelligence.
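
One way to put the defacement-monitoring recommendation above into practice is a baseline-and-compare check: fingerprint each public page when it is known to be good, then re-fetch it on a schedule and report what moved. The script below is an added example written for this bulletin, not code from the report or from any of the groups it discusses. It runs offline against constructed HTML samples (the company name, hosts and page text are invented; in production the page body would come from an HTTP fetch of the monitored URL) and reports the title, the visible-text hash, any new script-loading host, and any required marker that has disappeared as separate findings, so that a legitimate content update can be told apart from a wholesale replacement.

```python
import hashlib
import re
from html.parser import HTMLParser


class _PageCollector(HTMLParser):
    """Collect the page features worth fingerprinting: the <title>, the visible
    text (script and style bodies excluded) and the hosts scripts load from."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.text_chunks = []
        self.script_hosts = set()
        self._in_title = False
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag in ("script", "style"):
            self._skip_depth += 1
            if tag == "script":
                m = re.match(r"https?://([^/]+)", dict(attrs).get("src") or "")
                if m:
                    self.script_hosts.add(m.group(1).lower())

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif not self._skip_depth:
            self.text_chunks.append(data)


def fingerprint(html):
    """Reduce a page to a comparable baseline record."""
    c = _PageCollector()
    c.feed(html)
    c.close()
    # Collapse whitespace so cosmetic reformatting does not register as a change.
    visible = re.sub(r"\s+", " ", " ".join(c.text_chunks)).strip()
    return {
        "title": c.title.strip(),
        "text_sha256": hashlib.sha256(visible.encode("utf-8")).hexdigest(),
        "script_hosts": frozenset(c.script_hosts),
    }


def check_page(html, baseline, required_markers):
    """Compare a fresh copy of a page against its baseline; returns a list of
    findings (empty means no change).  Each finding needs a human look: a
    legitimate edit also changes the text hash, so the other signals matter."""
    current = fingerprint(html)
    findings = []
    if current["title"] != baseline["title"]:
        findings.append("title changed: %r -> %r" % (baseline["title"], current["title"]))
    if current["text_sha256"] != baseline["text_sha256"]:
        findings.append("visible text changed (hash mismatch)")
    new_hosts = current["script_hosts"] - baseline["script_hosts"]
    if new_hosts:
        findings.append("scripts now loaded from unexpected hosts: " + ", ".join(sorted(new_hosts)))
    flat = re.sub(r"\s+", " ", html)  # marker check tolerates whitespace changes
    for marker in required_markers:
        if marker not in flat:
            findings.append("required marker missing: %r" % marker)
    return findings


# Constructed samples (hypothetical company, hosts and text; not real sites).
BASELINE_HTML = """<html><head><title>Example Ltd - Home</title>
<script src="https://cdn.example.com/app.js"></script></head>
<body><h1>Welcome to Example Ltd</h1><p>Official site.</p>
<footer>Copyright Example Ltd</footer></body></html>"""

# Same content, different whitespace: must not raise a finding.
REFORMATTED_HTML = """<html>
  <head>
    <title>Example Ltd - Home</title>
    <script src="https://cdn.example.com/app.js"></script>
  </head>
  <body>
    <h1>Welcome   to Example Ltd</h1>
    <p>Official site.</p>
    <footer>Copyright Example Ltd</footer>
  </body>
</html>"""

# Constructed defacement: new title, replaced body, script from an unknown host.
DEFACED_HTML = """<html><head><title>Defaced (constructed sample)</title>
<script src="https://static.unknown-host.invalid/x.js"></script></head>
<body><h1>This page has been replaced</h1></body></html>"""

REQUIRED_MARKERS = ["Copyright Example Ltd", "Welcome to Example Ltd"]
BASELINE = fingerprint(BASELINE_HTML)


def run_samples():
    """Run the check over the constructed samples; returns name -> findings."""
    return {
        "reformatted": check_page(REFORMATTED_HTML, BASELINE, REQUIRED_MARKERS),
        "defaced": check_page(DEFACED_HTML, BASELINE, REQUIRED_MARKERS),
    }


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, "->", findings or "no change")
```

Store the baseline fingerprint out-of-band (not on the web server being watched), refresh it as part of the normal release process, and alert on any non-empty result; the unexpected-host finding is the one worth prioritising, since a replaced page that pulls scripts from a host the organisation does not control affects visitors as well as reputation.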

APT28 DealersChoice

APT28 Uses DealersChoice To Target European Government Entities

Target: UK Government & Defence-linked Entities

Attack Vector: Phishing Campaign / DDoS

Threat Actor: APT28

Summary: On 12th and 14th March 2018, a European government agency was targeted by the Russian state-sponsored group APT28, aka @FancyBear and Sofacy, via a phishing email utilising an updated version of its DealersChoice attack technique.

The spear-phishing email carried the subject header “Defence & Security 2018 Conference Agenda” and contained a file named “Defence & Security 2018 Conference Agenda.docx”. This document detailed a genuine conference agenda which APT28 had simply copied from the Underwater Defence & Security 2018 Conference website in order to lend the email authenticity. This method was consistent with an earlier APT28 phishing attack against the 2017 CyCon conference in Washington DC, in which the threat actors directly copied imagery from the organiser’s event webpage to create a similar illusion of authenticity.

Risk assessment summary: Given current political tensions, it is assessed that Russian state-sponsored actors continue to present a 2b HIGH threat to UK organisations. Although the primary focus is likely to be government and defence sector targets, it is probable that telecommunications organisations which provide services to these sectors will also be considered legitimate targets.

Although cyber espionage and the harvesting of data remains the most probable threat, escalation attacks against critical infrastructure such as power, transport and health cannot be ruled out, particularly if diplomatic relationships continue to deteriorate.

The overwhelming success of President Putin in the election will also have strengthened his hand internally, although his desire to ensure the forthcoming World Cup is a success may act as a restraining factor on him and the ‘patriotic hacker’ supporters. However, the DDoS attack against the CEC is likely to be met with some form of retaliatory response and the UK would seem the logical target for this.

Whilst the DealersChoice attack comes at a politically sensitive time, this could simply be coincidental as the nature of the attack is entirely consistent with ongoing Russian APT activity and could be unrelated to the Skripal poisoning incident. However, it does serve to illustrate how these actors present a sophisticated and adaptive threat, and it should still be assumed that APT28 / APT29 and affiliated actors will be focusing their main effort against the UK. All previous intelligence reporting and recommendations remain valid and monitoring of the threat environment will continue for further actionable intelligence.

Samba Vulnerabilities

Two Critical Vulnerabilities Patched in Samba

Target: Samba software on Linux and Windows systems

Attack Vector: Exploitation of two vulnerabilities, CVE-2018-1050 & CVE-2018-1057

Summary: New versions of the popular open source networking software Samba have been issued to fix two critical flaws. The patches were issued for both the Windows and Linux versions and close off the possibility of remote attackers launching a DoS attack against servers running Samba, or of a threat actor changing user passwords.

Because it is available on both Windows and Linux, companies running both operating systems often use the software to bridge the two environments.

Risk assessment summary: The threat is assessed as 4d LOW. While DoS attacks are more difficult to defend against than a typical piece of malware, the way the attack is delivered makes it unlikely to be exploited in the wild. It only affects the print spooler, significantly limiting the damage that can be done. Furthermore, both vulnerabilities have workarounds that can be put in place should a company need to delay patching the flaws. However, a certain amount of risk remains, as it is possible for a threat actor to change another user’s password with little skill, potentially providing an opportunity for further attacks. While these vulnerabilities have not been exploited in the wild, the continuing problems with Samba mean that further issues are possible.

MikroTik Vulnerability

Vulnerability found in MikroTik’s RouterOS software

Target: Users of MikroTik’s RouterOS software

Attack Vector: Worldwide

Summary: A buffer overflow vulnerability, classed as critical, has been found in RouterOS, the router software of hardware and software developer MikroTik. It affects all MikroTik routers running software versions prior to 6.41.3. The routers are used worldwide by a plethora of different companies and, following the publication of this vulnerability, they are exposed to attack if not patched.

Risk assessment summary: The threat is assessed as 3e MODERATE. The researchers who discovered the vulnerability have stated that the method is reliable and therefore dangerous to any company using MikroTik RouterOS that has not installed the updated version of the software containing the patch. As this vulnerability makes it possible for an attacker to execute malware on a router, it is a concern for any company, due to the risk of an infection on their network.

Hancitor Malware

Hancitor Malware Resurfaces With New Methods

Target: Windows machines

Attack Vector: Email containing a malicious attachment, disguised as a PayPal invoice

Summary: While the Hancitor malware is by no means a new threat (it has been observed since the early days of 2017), this week a new variant has been observed displaying a fresh payload and attack vector. Instead of simply injecting malware onto a machine by exploiting a vulnerability or brute-forcing their way onto a target machine, the threat actors are in this instance opting for social engineering tactics.

Risk assessment summary: The threat is assessed as 3e MODERATE. The use of social engineering in this attack is significant as it provides the threat actor with a simpler way to deliver the malware, as well as a higher chance of success due to human behaviour. In addition, the malware uses a range of effective techniques to hide from detection, such as process hollowing and user-land monitoring evasion. Despite this, an effective anti-virus tool should help a user make an informed decision about downloading malicious attachments, as well as flagging the presence of malware on a target machine should an attachment be downloaded.


Development Bank Of Kenya Attacked Under OpIcarus

Target: Development Bank Of Kenya

Attack Vector: Hack & Data Leak

Threat Actor: @UnitedSecTeam

Summary: The @Anonymous-affiliated group @UnitedSecTeam have claimed responsibility for a hack and data leak against the Development Bank of Kenya (devbank[.]com) on 11th March 2018. The claim was accompanied by the hashtag #OpIcarus and is consistent with the actors’ previous attacks against banks during 2018.

Risk assessment summary: It is currently assessed that #OpIcarus presents a 3e MODERATE threat to the finance sector; however, the operation has also been directly linked to the energy sector and the Syrian civil war. Anonymous accused Genie Oil and Gas of precipitating the Syrian conflict in order to exploit Golan Heights oil reserves. They also accused the business of having an interest in a pipeline planned from Qatar to Europe and indicated that telecom, energy and government sector companies would be targeted.

Although @UnitedSecTeam have not released large amounts of data, it is likely that other hacktivists will also support #OpIcarus when not engaged in Catalonia- and Yemen-centric activity, presenting a greater threat to the targeted sectors. Although activity will remain at a relatively low level into the medium term, the release of even small amounts of data could still prove damaging to targeted organisations and have a disproportionate effect on reputation. Monitoring of the threat environment will continue in order to identify further actionable intelligence.


Vulnerability Exposed in Windows Devices via Cortana

Target: Windows systems with Cortana enabled.

Attack Vector: Intercepting web sessions or connecting a target machine to a network controlled by a threat actor.

Summary: Passwords are generally seen to protect computers and limit any threat unless the password can be bypassed, but two Israeli researchers have found this is not the case with Windows devices. Using Cortana, the Windows voice assistant (similar to Siri and Google Assistant), threat actors can carry out operations even while the target machine is locked. Notably, the other voice assistants, made by Apple and Google, offer limited functionality when the machine is locked; Cortana offers far greater functionality, leaving Windows systems exposed.

Risk assessment summary: This threat is assessed as 4c LOW. The flaw is very easy to exploit, and less skilled threat actors may also be able to carry out a successful exploit. There are multiple threat vectors, which offer a threat actor a wide range of further attack options. Threat actors are also able to choose what type of malware or virus they drop on a target machine, increasing the risk. However, threat actors would generally need physical access to a machine, lowering the chances of the initial attack.

FormGrabber Malware

Multiple Attack Vectors used to spread FormGrabber Malware

Target: Machines unpatched against two software vulnerabilities, or victims of social engineering.

Attack Vector: Two buffer overflow exploits and social engineering.

Summary: FormGrabber is a piece of malware which, when present on a system, acts as a particularly effective piece of spyware. Screenshots, keystrokes and login details are captured and sent back to a threat actor. More recently it has been observed being delivered through an attack which can be considered distinctive as it follows the expanding trend of using multiple attack vectors to achieve its end goal.

Two vulnerabilities are exploited in this incident. The first is a historic buffer overflow vulnerability in Microsoft Equation Editor (CVE-2017-11882) and the second a similar vulnerability that exists because the patch for the former was not fully effective (CVE-2018-0802). In addition, social engineering techniques are employed in an attempt to deliver the payload to the target machine. This is only triggered as a final effort to deliver the payload and will not be actioned if either of the two initial attack vectors is successful.

Risk assessment summary: This threat is assessed as 3e MODERATE. The flaw is not particularly easy to exploit, as a threat actor would need to be skilled in compiling and executing remote .hta files. In addition, once in action the attack displays a note that alerts the victim to the attack. This could limit the amount of time a threat actor has to snoop credentials and record keystrokes, lessening the risk. However, the fact that there are three separate attack methods increases the likelihood of a successful exploit, particularly as it has been observed being exploited in the wild.
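
Both Equation Editor CVEs above are reached through an Equation Editor object embedded in an Office document, so a cheap first-pass triage check for an attachment is simply whether it embeds that object at all. The scanner below is an added example written for this bulletin, not code from the report, from Microsoft or from any vendor. The CLSID, ProgID and stream name it looks for are the well-known identifiers of the Equation Editor 3.0 component; the RTF and OLE fragments it scans are constructed, not real captures. A hit means "this document embeds an equation object, look closer", not confirmed exploitation: legitimate documents with real equations contain the same identifiers.

```python
import re

# Well-known identifiers of the Equation Editor 3.0 OLE object.  The CLSID is
# given in text form and in the little-endian form written into OLE structures.
EQUATION_CLSID = "0002CE02-0000-0000-C000-000000000046"
EQUATION_CLSID_BIN = bytes.fromhex("02CE020000000000C000000000000046")
TEXT_INDICATORS = {
    b"Equation.3": "Equation.3 ProgID",
    b"Equation Native": "'Equation Native' stream name",
    EQUATION_CLSID.encode("ascii"): "Equation Editor CLSID (text form)",
}


def _rtf_objdata_payloads(data):
    """Yield the decoded binary payloads of RTF \\objdata groups, which carry
    hex-encoded OLE objects (indicators may only appear after decoding)."""
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", data):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:  # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        yield bytes.fromhex(hexstr.decode("ascii"))


def _scan_blob(blob, where):
    hits = []
    for needle, label in TEXT_INDICATORS.items():
        if needle in blob:
            hits.append("%s in %s" % (label, where))
        # OLE directory entries store stream names as UTF-16LE.
        if needle.decode("ascii").encode("utf-16-le") in blob:
            hits.append("%s (UTF-16LE) in %s" % (label, where))
    if EQUATION_CLSID_BIN in blob:
        hits.append("Equation Editor CLSID (binary form) in %s" % where)
    return hits


def scan_document(data):
    """Return a list of indicator hits for a document blob (RTF or OLE binary)."""
    hits = _scan_blob(data, "raw bytes")
    if data.lstrip().startswith(b"{\\rt"):  # RTF header (truncated variants too)
        for i, payload in enumerate(_rtf_objdata_payloads(data)):
            hits.extend(_scan_blob(payload, "decoded \\objdata #%d" % i))
    return hits


# Constructed samples, not real captures.
BENIGN_RTF = rb"{\rtf1\ansi{\fonttbl{\f0 Arial;}}\f0 Quarterly report, no embedded objects.\par}"

# RTF embedding an Equation Editor object: \objclass names the ProgID and the
# \objdata hex is a constructed OLE1 header followed by the ProgID string only.
SUSPECT_RTF = (
    rb"{\rtf1\ansi{\object\objemb{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000020000000b000000"  # OLE1 version, format, name length
    rb"4571756174696f6e2e3300}}\par}"         # "Equation.3\0"
)

# Fragment resembling an OLE compound-file directory: binary CLSID plus the
# UTF-16LE stream name, zero padded.
SUSPECT_OLE = (b"\x00" * 16 + EQUATION_CLSID_BIN + b"\x00" * 16
               + "Equation Native".encode("utf-16-le") + b"\x00" * 8)


def run_samples():
    """Scan the constructed samples; returns name -> list of hits."""
    return {
        "benign_rtf": scan_document(BENIGN_RTF),
        "suspect_rtf": scan_document(SUSPECT_RTF),
        "suspect_ole": scan_document(SUSPECT_OLE),
    }


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(name, "->", hits or "no Equation Editor indicators")
```

Run this at the mail gateway or in the sandbox as a routing decision rather than a verdict: documents that trip it go to closer analysis (and to users who are expected to receive equations, with a heads-up), while the patch for both CVEs remains the actual fix. Decoding the RTF `\objdata` hex matters because a document can name nothing suspicious in plain text and still carry the object inside that encoded blob.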