
Cyber Threat Intelligence Briefing: 16 October 2020

Billy Gouveia, Mona Damian 16 October 2020


The S-RM Cyber Threat Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.

OVERVIEW

  • TrickBot command and control servers targeted to prevent election disruption. It was revealed this week that an operation led by US Cyber Command disrupted the notorious botnet, a significant facilitator of ransomware attacks.
  • Commercialisation of hacking is a prominent theme this week. Hackers-for-hire operating in the Middle East and South Asia were identified by Blackberry, while German authorities raided offices of the surveillance tool provider FinFisher.


Security Round-up

TrickBot disrupted ahead of US election
  • A joint effort by US Cyber Command and Microsoft has disrupted the notorious TrickBot botnet. The operation identified the IP addresses of the botnet’s command and control servers and disabled them from being able to communicate with the over two million devices that make up the botnet.
  • Microsoft has said that the aim of the operation is both to secure US election infrastructure and additionally protect a “wide range of organisations, including financial services institutions, government agencies, healthcare facilities, businesses, and universities” from malware attacks facilitated by TrickBot.[1] The primary malware threat here is ransomware; TrickBot has become a crucial initial component of ransomware attacks.
  • How long the disruption of TrickBot will hold is yet to be seen. Already, the Emotet botnet has again been observed dropping TrickBot from one of its server clusters, according to the security vendor Cofense.[2]

So what? While ransomware attacks are typically financially motivated, they also have the capability to be severely disruptive. This year’s US election is already facing challenges due to the COVID-19 pandemic. US states are dealing with operationalising unprecedented demand for mail-in ballots and implementing social-distancing for in-person voting. Cyber Command’s disruption of TrickBot demonstrates the US government’s effort to ensure well-timed ransomware attacks do not create any additional disruption, for instance by disabling computer systems used to report results on election night.

New data shows abuse of OSTs by cybercriminals
  • The publication of open source tools (OSTs) relating to hacking techniques, exploits, and other offensive cyber capabilities continues to be a contentious topic in the cyber security industry. On the one hand, the release of OSTs helps cyber security professionals learn about and prepare for novel attacks; on the other, there is an argument that their publication lowers the cost for threat actors of developing their own tools.
  • New data released by a security researcher at Intezer Labs suggests that OSTs released by security researchers are indeed broadly adopted by cybercriminals for a variety of nefarious activities.[3]

So what for security teams? Intezer Labs’ research suggests that, while cybercriminals do make use of OSTs, they generally avoid the more complex ones. This implies that the more complex an OST’s code is, the less attractive it is to weaponise; that trade-off should inform a security team’s decision when releasing a new tool to the public.

H&M fined for GDPR violation
  • At the beginning of October, Germany’s privacy regulator fined H&M, the multinational clothing retailer, USD 41 million for violating EU General Data Protection Regulation (GDPR) privacy regulations.[4]
  • H&M was accused of spying on its employees at its Nuremberg-based service centre by collecting and storing data about employees, including relating to their religious beliefs, health, and families, which in some cases, was reportedly used to inform employment-related decisions.
  • GDPR is a comprehensive data protection and privacy regulation promulgated by the EU that has global application to data relating to EU residents.

So what for leadership? The fine against H&M is a solid reminder that data governance and compliance with data regulations remain a critical part of a business’s information security strategy. While ransomware and other malware can inflict significant financial damage, the fines that can be imposed for violations of the GDPR can potentially be much higher.

Magecart infects mobile operator
  • The US website of mobile operator Boom! suffered a card-skimming infection. Such attacks are known as Magecart attacks, perpetrated by a range of threat groups. Security vendor Malwarebytes has attributed this particular attack to the criminal group Fullz House, a group known for its phishing and web skimming operations.[5]
  • The infection has since been removed from the mobile operator’s store. The injected malicious JavaScript code was harvesting the information of unsuspecting customers purchasing phone plans for the major telecom networks.

So what for security teams? As Malwarebytes has observed, Boom! is in some ways an unusual victim for a Magecart-style infection, since online retail stores are the more traditional targets of these web-skimming attacks. The incident demonstrates that any site with a checkout page, not just those in the retail space, is vulnerable to malicious code injection. Monitoring the webpages used to conduct sales, so that any change to the scripts they load is detected and reviewed, is a useful risk mitigation strategy against such attacks.

Hackers for hire in the Middle East and South Asia
  • According to research by security company Blackberry, a group of hackers for hire, known as Bahamut, has been targeting a range of individuals and organisations across the Middle East and South Asia.[6]
  • Given the variety of its activities, the threat group is understood to be working for multiple clients, and its targets have reportedly included government ministries and officials, business executives, and human rights activists.
  • Bahamut was also linked to several mobile apps on both the Apple App Store and Google Play. These have reportedly since been removed.

So what? Bahamut is one of several hacker-for-hire mercenary groups that have been exposed this year, demonstrating that, for the right price, private organisations and individuals are increasingly able to launch cyber-attacks as powerful and sophisticated as those usually attributed to nation states. Often, these mercenaries recruit talent from military and intelligence agencies and so have knowledge of cutting-edge tools and practices.

Surveillance tool provider FinFisher raided by German authorities
  • German law enforcement has raided offices connected to the German software company FinFisher in both Germany and Romania. FinFisher is a known provider of surveillance technology. The raids come after a 2019 complaint from advocacy groups.
  • FinFisher’s surveillance software has previously been found on devices of activists and journalists in Bahrain, Egypt, Turkey, and other countries whose governments stand accused of restricting free speech.

So what? The commercial availability of surveillance software is a somewhat grey area. FinFisher is one of a number of such software providers, another being the well-known Israeli vendor NSO Group. Germany has export restrictions considered relatively stringent – in FinFisher’s case, the company allegedly used satellite companies to circumvent these restrictions.[7] Precisely how FinFisher exported its product FinSpy without the correct licensing is no doubt forming a significant part of the ongoing investigation.

Indicators of compromise

The Indicators of Compromise (IOCs) below offer a snapshot of the forensic artefacts currently known to be associated with some of the campaigns discussed in this week's set of stories.

Emotet spam activity continues

Researchers managing the Twitter accounts @MBThreatIntel and @Cryptolaemus1 continue to provide rolling feeds of the latest Emotet IOCs, including payload hashes and the compromised website paths used for distribution.


References

[1] ‘New action to combat ransomware ahead of U.S. elections’, Microsoft, 12 October 2020

[2] @Cofense Labs, 14 October 2020

[3] ‘Malware gangs love open source offensive hacking tools’, ZDNet, 13 October 2020

[4] ‘German privacy watchdog fines H&M $41M for spying on workers’, AP, 1 October 2020; ‘Employee-Monitoring in Europe Comes Under Spotlight After H&M Fine’, Wall Street Journal, 14 October 2020

[5] ‘Mobile network operator falls into the hands of Fullz House criminal group’, Malwarebytes, 6 October 2020

[6] ‘“Mercenary” hacker group runs rampant in Middle East, cybersecurity research shows’, Reuters, 7 October 2020

[7] ‘Razzia bei Spionage-Firma FinFisher’, Tagesschau, 14 October 2020
