The S-RM Cyber Threat Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.
Nation state activity takes centre stage. The US and UK called out Russian hacking activity this week, an Iranian influence operation was outed, and Chinese hackers were caught leveraging publicly known vulnerabilities.
TrickBot on the run. Operators of the TrickBot malware botnet are trying to regain control after last week’s disruption by US Cyber Command and Microsoft.
In other stories this week, Google patches a Chrome zero-day vulnerability, Toshiba agrees to launch quantum cryptography by 2025, and British Airways is fined GBP 20 million by the UK’s data privacy regulator.
Russia: US indicts six GRU hackers, UK warns of attacks against Tokyo Olympics
- Russian cyber activity was exposed by both the UK and US government this week. The US Department of Justice took action by charging six individuals for various hacking operations.
- The US government issued an indictment against six Russian nationals for a range of cyber crimes, identifying them as hackers operating under the Russian military intelligence agency GRU. Charges levelled at the hackers include launching the destructive malware campaign NotPetya that caused widespread destruction in 2017, penetrating the Ukrainian power grid in 2015 and 2016, and conducting hack-and-leak operations to destabilise French elections in 2017.
- The UK government announced that state-sponsored Russian hackers were preparing cyber-attacks against the organisers of the Tokyo Olympics and Paralympic games. This comes after Russia’s four-year ban from all major sporting events, awarded by the World Anti-Doping Agency (Wada).
- According to the UK National Cyber Security Centre (NCSC), the Russian activity involved reconnaissance, targeting logistics providers, sponsors, and the Olympics’ organisers. This echoes similar activity observed in February 2018 when Russian hackers deployed the OlympicDestroyer malware that disrupted web servers during the opening ceremony of the 2018 Winter Olympics. 
So what for leadership? Foreign policy and cyber security intersect, and can directly impact your organisation. The US indictment and UK call-out of Russian activity will no doubt be reciprocated by Russia, whether through cyber, economic or other means. Maintaining an awareness of nation state cyber activity and considering how this might impact your business - both in terms of cyber and physical security risks - is key.
Chinese state-sponsored actors exploiting publicly known vulnerabilities
- An advisory released by the National Security Agency (NSA) has provided the Common Vulnerabilities and Exposures (CVEs) known to be recently leveraged, or scanned-for, by Chinese state actors. 
- Most of the vulnerabilities listed can be exploited to gain initial access to victim networks using products directly accessible from the internet. The majority of the products are for remote access or external web services and should be patched with priority.
- The advisory recommends disabling external management capabilities and isolating internet-facing services in a network Demilitarised Zone (DMZ) to reduce the exposure of the internal network.
So what for security teams? We have seen an uptick in the volume of state-sponsored attacks over the last few months. A common theme is the exploitation of publicly known vulnerabilities. As ever, this highlights the importance of implementing and maintaining a robust vulnerability and patch management programme. Systems, particularly those relating to remote access, should be patched as soon as possible after patches are released. In addition to this, robust logging should be enabled for internet-facing services and the logs reviewed regularly.
Iran blamed for intimidating emails sent to US voters
- Iranian operatives are behind threatening emails sent to US voters in the states of Florida, Arizona and Alaska, according to the US government. The emails, claiming to be authored by the Proud Boys, a far-right group, were sent to Democratic voters and threatened the victims to vote for the incumbent President Trump, “or else.”
- The emails claimed that the sender had been able to obtain voter data on their victims which revealed for whom they had voted. Some of the emails displayed video footage claiming to show a hacker using the information of others to print a voting ballot. 
- Director of National Intelligence John Ratcliffe stated that, while Russia and Iran may have obtained voter record information, US citizens “can be confident your votes are secured."
So what? Iran is becoming increasingly adept and engaged in influence operations, a modus operandi this nation state will no doubt continue to flex going forward. While threatening emails do not constitute a risk to the integrity of election infrastructure, it does undermine the public’s confidence in the democratic process.
Toshiba eyes quantum cryptography services
- This week Japanese electronics producer, Toshiba Corp, stated they planned to launch services involving the use of quantum cryptography to corporate clients by 2025.
- Quantum cryptography is a method of encrypting data that employs the principles of quantum mechanics, such as the principle of superposition, which states that a particle exists in all possible states until observed, at which point, the particle collapses into one of the many possible states with a defined probability.
- Why quantum cryptography? This comes as a response to the quantum arms race that governments and organisations are currently engaged in. Quantum computers, although their widespread adoption is still far off, could crack our public key infrastructure in seconds. Quantum cryptography is designed to provide a layer of protection that even a quantum computer couldn’t crack. The current horizon for quantum computing adoption is around the 2030s.
So what? Data that has been encrypted using public key infrastructure may be secure nowadays. However, with the advent of quantum computers on the horizon, this encryption could be easily cracked. As such, ensuring that sensitive data is encrypted is not enough to protect the confidentiality of data from future technology. Rigorous access controls need to be implemented and data egress points should be monitored for signs of exfiltration.
Trick or Treat? Revival of the TrickBot trojan
- Despite Microsoft’s early Halloween treat announcement that it had brought down 94% of TrickBot command and control servers last week, it appears the malicious banking trojan has a couple of tricks up its sleeve.
- While it was expected that the disruption to TrickBot’s command and control servers would ultimately hamper malicious operations in the short term, Crowdstrike reports that TrickBot activity has shown no signs of interruption.
- Furthermore, security researchers have observed the increasing shift from use of TrickBot to BazarLoader, which is a trojan linked to the TrickBot operators through very similar source code. BazarLoader is being used in a similar way to TrickBot: to deliver the Ryuk ransomware payload.
So what for security teams? Although the latest operation has caused little disruption to TrickBot activities, it is positive for the cyber security community at large that US Cyber Command and private sector entities like Microsoft are partnering up to disrupt these trojans. However, security teams need to remain vigilant and continue to monitor for recent Indicators of Compromise (IOCs) related to TrickBot and BazarLoader.
BA fined GBP 20 million for GDPR infringement
- On 16 October, the Information Commissioner’s Office (ICO), the UK’s data privacy regulator, fined British Airways (BA) GBP 20 million for failing to protect the personal and financial information of over 400,000 customers.
- The failure came to light following a data breach suffered by BA in June 2018, which subsequently went undetected for over two months.
- With the ICO announcing in July last year its intention to fine BA over GBP 183 million for the incident, the fine is significantly less than expected, and took mitigating factors into account, including the financial pressure brought on by the COVID-19 pandemic.
So what? The fine against BA is the largest imposed by the ICO under GDPR regulations and comes off the back of the EUR 35 million fine received by H&M earlier this month. It is yet another reminder to ensure that businesses’ information security strategies adequately incorporate the obligations and requirements of the GDPR and other data regulations. Failure to do so can have dire financial consequences.
Google releases patch for Chrome
- On Tuesday this week, Google released a patch for an actively exploited zero-day vulnerability.
- The vulnerability, described as a memory corruption vulnerability, specifically targeted the Freetype font rendering library that is inherently packaged with Chrome.
So what for security teams? Chrome users can protect themselves by updating their Chrome software, which usually also involves relaunching the programme. This should be implemented on all devices across an organisation as soon as possible. Other software programmes that use the Freetype library are likely also at risk, so it is important to ensure you are patched across your environment with the latest Freetype update.
Indicators of compromise
The Indicators of Compromise (IOCs) below offer a snapshot of the forensic artefacts currently known to be associated with some of the campaigns discussed in this week's set of stories.
TrickBot’s new command and control servers
Latest active hosts:
 ‘Google releases Chrome security update to patch this dangerous bug’, TechRadar, 21 October 2020; ‘Google releases Chrome security update to patch actively exploited zero-day’, ZD Net, 20 October 2020.
 FreeType 2.10.4, released on 20 October 2020.