Here is the Second Week December 2017 Global Threat Summary reports which provides an overview of the current threat landscape from around the world. The report includes a summary of the threats we’ve recently profiled, including:
- Doppelganging process helps malware go undetected on Windows
- Microsoft issues out of band patch for Security program flaw
- TurkHackTeam Hacks And Defaces EU And UN Targets
The Global Threat Summary is designed to provide organizations with an overview of the current threat landscape from across the world. It combines assessment of the strategic picture with a thought leadership approach and is also a collated summary of all the threats that we have profiled each week. The report should be received at a high level within organizations to give an overview of risk and summary of trends.
1. Strategic insight
This section includes a review of significant reports that have been published and provides a strategic viewpoint on identified or high profile trends.
1.1 The Reality of Contemporary Cybercriminal Groups
MalwareByte’s The New Mafia: Gangs and Vigilantes report illustrates one perception of the strategic state of contemporary cybercrime. Dividing the threat landscape into four crude groups, MalwareBytes seeks to influence CEOs and C-Grades understanding of the different business risks posed by cybercriminal groups. In a more academic-styled report, MalwareBytes strikes a tone much supported in industry, namely that as cybercrime becomes more sophisticated, more businesses are vulnerable.
MalwareBytes’ report makes cybercrime a business leader’s priority through exposing a wide contrast between business leaders and “technologists” recognition of the threat landscape. MalwareBtyes purports this contrasts to have been created by a shared idea that cybercrime is considered the domain of CIOs and IT departments. Dubbed as a flawed approach by the report, “the extent of cybercrime and the depth of the strategies needed to combat must be central to general business strategy – thus, it must become the domain of chief executives”.
This false belief has converged with intensifying and increasingly frequent cybercrime activity. As the report notes, ‘in the first 10 months of 2017, the number of attacks had already surpassed the total for all of 2016. The average number of monthly attacks has also increased by 23% in 2017. 2016 itself saw a spectacular rise in business-targeted cybercrime, with a 96% increase in attacks compared to the previous year”.
Therefore, the acknowledgement of divisions of cybercrime is a useful handrail to help identify and recognize part of the contemporary cyber threat landscape at a strategic level. The supposedly “new syndicates of cybercrime” are: traditional gangs, state-sponsored attackers, ideological hackers and hackers-for-hire. These generalized divisions are not as “new” as the report suggests but remains a useful framework to unpack the complexities of malicious actors. In BT’s analysis, the divisions are academic only, with current actors not fitting so neatly into such partitions.
MalwareBytes characterize the groups by: the presence of an organizational structure akin to crime families, the sophistication of hacking, the emergence of a highly professional service economy for cybercrime and the co-option of these services by ideological groups and nation-states.
Ideological groups, often referred to as hacktivists outside the report, are categorized by their motivation in perceived moral and ethical duty. Interestingly, MalwareBytes view these groups as attempting to use the threat of classified leaks to coerce governments and individuals to act in their favour. However, WikiLeaks aside, ideologically-motivated groups target a more diverse set of entities than just governments. For example, mid-2017 witnessed cyber divestment campaigns targeted against private businesses as part of anti-fracking demonstrations in Lancashire, UK.
The state-sponsored hackers were also slightly mis-defined in the report, given as “beyond the international espionage that typically comes to mind with state-sponsored activity, these hackers are increasingly interested in corporate theft and sabotage”. However, this definition is hard to substantiate when contrasted against the current APT-Cybercriminal relationship.
Historically, excluding cyberespionage as a motivation, the division between high-end cybercriminal actors and state-orchestrated groups, or APTs, is trivial as the groups are not mutually exclusive and often share individual actors. It is important to note, that groups that fall under this category, due to their geopolitical motivations, target private enterprise. For example, the Lazarus group targeting of Bangladesh banks or APT10’s CloudHopper operation. Although simple categorizations help understand the picture, it is important to understand that such divisions are a slightly distorted reality.
2. Threat Reporting
This section provides a summary of the threats that Security Threat Intelligence has profiled over the past week. These are categorized based on modules included in Threat Reporting which is covered in Section 2 whilst Section 3 covers Cybercrime and Hacktivism.
2.1 Malware analysis
|Doppelganging process helps malware go undetected on Windows systems||Threat||4a L||M||H|
|Target: Windows users (currently just a PoC)||Attack Vector: RCE|
|Summary: A new malware evasion technique has been discovered and unveiled at the Black Hat Europe 2017 security conference in London. The technique, called Process Doppelganging, exploits a built-in Windows NTFS transaction function, allowing malware to be bundled into a Windows system undetected.
The process bears many similarities to Process Hollowing, a similar technique, which also replaced the memory of a legitimate process with malicious code. It deceives process monitoring tools and antivirus by replacing code in the original process.
Process Doppelganging differentiates itself though its exploitation of the Windows built-in function of NTFS Transactions. Firstly, Doppelganging utilises the NTFS transactions to make changes to an executable file, which is then executed but not committed to disk. This ensures the malware remains invisible to security products. Secondly, the undocumented implementation details of the process loading mechanism, which attackers must obtain. Details are used to load the executable file that has been modified using NTFS transactions and the changes are rolled back. As such, this creates a process from the modified file, without triggering any security processes.
|Risk Assessment Summary:
The threat is assessed as 4a LOW. This is a Proof of Concept (PoC) and has not been seen in the wild. In order for an attacker to successfully exploit this flaw, they will need prior access to a machine.
If it can be achieved, it is very effective, however, the attacker needs a high level of knowledge on Windows systems and components to exploit this flaw. The flaw is not yet publicly disclosed. In a successful attack, any type of malware can be placed on the system, heightening the risk. However, it should be noted that once malware is placed on the system, it is no longer hidden. When the next scheduled security scan of the system runs, the malware will be discovered and most likely removed. Some systems also have real-time monitoring, scanning new files which are dropped on the system. While the malware may be able to get onto the system undetected, once it is there it will not be so easily hidden.
|Napoleon Extension Added to Blind Ransomware||Threat||4a L||M||H|
|Target: Standard users (none specific)||Attack Vector: Compromised IIS server|
|Summary: A new variant of the “Blind” ransomware, named “Napoleon”, has emerged. As the predecessor to Napoleon, the original Blind ransomware was initially discovered in December 2017. When executed, it scans all available drives on a targeted user’s system, determines which files can be encrypted and then proceeds with the encryption of the targeted files with the .blind extension. Recently, however, an altered version of Blind has been spotted with the extension .napoleon. Attackers deploy the malware in a fairly uncommon way, by manually dropping it onto the targeted machine via a compromised Internet Information Services (IIS) web-server. After Napoleon is dropped, it will look through files on the system and add the .napoleon extension to every file it can encrypt. After the encryption is complete, a ransom note is left in HTA format. Unlike Blind, Napoleon is not currently removable without the attacker’s private key.|
|Risk Assessment Summary:
The threat is assessed as 4c LOW. As with most ransomware, the threat is the associated cost of losing access to files on the targeted system, with decryption highly unlikely. However, considering it must be manually deployed on a machine via an already compromised IIS server and is not expected to be wide-reaching, the likelihood of an average user being infected is low. Furthermore, actors employing Napoleon are currently using an emails address to collect payment for the campaign, suggesting it is not meant to be widespread.
2.2 Vulnerability reporting