The S-RM Cyber Threat Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.
- FireEye victim of major cyber security incident. One of the largest cyber security firms, FireEye, disclosed that an actor of “top-tier capabilities” was behind the hack.
- Not so smart devices. A plethora of vulnerabilities impact millions of smart and industrial devices, affecting customers worldwide.
- In other news, ransomware operators up the ante, Russian state-sponsored threat actors exploit a VMware vulnerability and major retailers become the targets of gift card spoofing.
- FireEye, a top US cyber security firm, has announced in a blog post by CEO Kevin Mandia that it suffered a breach at the hands of “a nation with top-tier offensive capabilities.” The firm is working with law enforcement and industry partners, including Microsoft, to investigate. Evidence so far, including information provided by the FBI’s Russia specialist team, suggests Russian state-sponsored groups may be responsible.
- The threat actor responsible was able to obtain software used by FireEye’s red team to test customers’ defences. FireEye has also said that the attacker was seeking information on government clients, though there has been no indication that customer data was successfully compromised.
So what for security teams? This story reiterates the security adage that it is not a question of if, but when your organisation is breached. FireEye has chosen to be transparent about the hack, in part to enable other organisations to protect themselves against the offensive tools the hackers were able to obtain.
Mandia’s blog post explained that no zero-day exploits were stolen, but the FireEye tools likely leverage other known vulnerabilities to get past a company’s defences. With this in mind, ensure your organisation’s patches are up to date and refer to our indicators of compromise section for relevant MD5 hashes. This will prevent threat actors from using offensive tools that leverage known vulnerabilities. Please note, FireEye has also shared countermeasures with the security community to enable security teams to protect their organisation from FireEye’s red team tools. Key defensive cyber security data and tooling has been, and will continue to be, posted to FireEye’s GitHub site.
Ransomware groups up the ante once more, now cold-calling victims
- Ransomware groups are reportedly now cold-calling victims via phone, seeking to discourage restoration from back-ups. The behaviour has been observed since at least September 2020. Coveware, a cyber security firm, suggests “it's the same outsourced call centre group that is working for all the [ransomware gangs] as the templates and scripts are basically the same across the variants.” 
- The ransomware groups so far known to have conducted cold-calling are Sekhmet, Maze, Conti, and Ryuk. Of the four, only Conti and Ryuk remain in operation at time of writing.
So what for leadership? This story shows how ransomware operators continue to update their playbook to force victims to pay ransom. Companies are getting better at maintaining up to date back-ups from which they can restore, and so ransom operators are pursuing new tactics to increase pressure on victims and ensure they receive payment. The creation of dark web leak sites by ransomware groups was another method we observed in the last 12 months being used to extort victims. We advise companies, who find themselves in a situation where their employees receive such cold-calls, to remain calm and inform your incident responders of this development.
Laundering ransomware funds lands BTC-e founder in prison
- The founder of the BTC-e cryptocurrency exchange has been sentenced to five years in prison for laundering funds for ransomware gangs. The founder, Alexander Vinnik, was sentenced for money laundering offences but dodged a longer sentence after French prosecutors failed to prove that Vinnik was also responsible for the creation and deployment of the Locky ransomware strain.
- Vinnik’s arrest was a complicated legal battle involving Russian authorities, who filed an extradition request claiming that Vinnik was a suspect in an investigation in Russia back in 2013. Analysts have claimed that this was to prevent Vinnik from dishing out secrets about Russia to US intelligence agencies.
- It is understood that BTC-e facilitated the laundering of more than USD 4 billion in illegal funds, allowing BTC payments to be converted into fiat currency.
So what for leadership? With the number of ransomware attacks having increased in 2020, more organisations are being forced to make the difficult decision of whether or not to pay ransom payments in exchange for decryption keys and a thinly veiled assurance that the adversary won’t leak stolen data. The sentencing of Vinnik, compounded by the Office of Foreign Assets Control’s advisory on potential sanctions for facilitating ransomware payments, highlights a shift in sentiment from regulators and law makers with regard to paying ransoms. Organisations are going to need to exhaust every possible option before considering making a ransom payment, in addition, threat intelligence regarding who that ransom payment is being made to is critical.
Security vulnerabilities affecting millions of smart and industrial devices discovered
- Security researchers discovered 33 vulnerabilities in four open-source TCP/IP libraries that are currently used inside the firmware of products for more than 150 vendors, impacting millions of industrial-grade and consumer smart devices. These devices range from smartphones and gaming consoles to heating, ventilation and air conditioning (HVAC) systems.
- The vulnerable open-source libraries, UIP, FNET, picoTCP, and Nut/Net, are most widely used for networking communications protocols. If exploited, remote code execution, denial of service, DNS cache poisoning, and information leaks are all possible attacks.
So what for security teams? Now, more than ever, organisations need to have vulnerability and patch management programs in place. All assets, including smart devices, need to be maintained in an asset register with key fields, such as IP and MAC addresses. Having these in place allows vulnerabilities to be identified and patched, or compensating controls put in place while awaiting patches, prior to an attacker discovering a vulnerability.
Russian state-sponsored threat actors exploiting a VMware vulnerability
- The NSA has issued a warning that unspecified Russian state-sponsored threat actors are actively exploiting a VMware vulnerability to steal sensitive data. VMware released a patch for the vulnerability on 3 December 2020.
- VMware initially rated the vulnerability (tracked as CVE-2020-4006) as ‘Critical’ but lowered this to ‘Important’ after sharing that the exploitation requires a valid password for the configurator admin account.
- The VMware products affected by the zero-day vulnerability include: VMware Workspace One Access 20.1, 20.10 (Linux); VMware Identity Manager (vIDM) 3.3.1 up to 3.3.3 (Linux); VMware Identity Manager Connector (vIDM Connector) 3.3.1, 3.3.2 (Linux); VMware Identity Manager Connector (vIDM Connector) 3.3.1, 3.3.2, 3.3.3 / 19.03.0.0, 19.03.0.1 (Windows); VMware Cloud Foundation 6 4.x; and VMware vRealize Suite Lifecycle Manager 7 8.x.
So what? The NSA refused to share information regarding the primary targets of these attacks but urged all organisations who use the affected products to apply the patch as soon as possible. Patching remains critical to ensure robust cyber security and should be prioritised. The NSA also recommended that network administrators limit the accessibility of the management interface to a small set of known systems and prevent it from accessing the internet directly.
Target-ed? Major retailers become the victims of gift card spoofing
- Researchers have identified an uptick in spoofed gift card balance checking websites that trick victims into providing the details of their gift cards to cybercriminals. While the malicious activity affects several retailers, it appears that Target, the major US retailer, has been the primary victim.
- According to Bolster, an online fraud prevention company, they identified as much as 220 new websites related to gift card fraud per day during November. These websites reportedly predominantly impersonated Target’s gift card balance checking webpages and, in some cases, would have been very difficult for most users to identify as fake. Innocent users have been submitting their gift card and access numbers to these websites which go directly to the fraudsters, without checking the balance on the gift card. The cybercriminals are then able to steal this information and either sell it or use the gift card to make purchases themselves.
So what? A spoofing attack is when one party impersonates another in order to get access to a system, steal data, or gain a victim’s confidence. Just like phishing, it often relies on victims not paying attention and identifying red flags. It is important for internet users to be attentive online and look for spelling and grammatical errors in URLs or on webpages. Furthermore, most reputable websites will have a valid SSL certificate, indicated by the green lock symbol in the URL bar. Lastly, most legitimate websites will also utilise encryption when transferring data, indicated by the “https” preceding the URL. Internet users should endeavour to only browse on secure and reputable websites.
Indicators of compromise
This week our Indicators of Compromise (IOCs) are related to the breach of FireEye’s systems by a highly sophisticated threat actor. FireEye has shared threat intelligence rules so that security teams are able to detect if any of the offensive tools the attacker stole from FireEye are being used against their environments.
Please find a sample of the MD5 hashes FireEye provided below. A complete list of hashes, YARA and snort rules can be found on FireEye’s GitHub, found here.
 ‘U.S. Cyber Firm FireEye Says It Was Breached by Nation-State Hackers’, Wall Street Journal, 8 December 2020.