The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
CHINA-TIED HACKERS THAT HIT U.S. SAID TO BREACH UNITED AIRLINES
FROM THE MEDIA
The Chinese group believed to be responsible for the US Office of Personnel Management (OPM) and Anthem breaches has allegedly hacked United Airlines. The breach is said to have occurred in May or early June and has compromised a variety of IT systems. Compromised information ranges from passengers’ personal information to possibly United’s forward-looking mergers and acquisitions strategy.
Read the Story: Bloomberg
iSIGHT PARTNERS ANALYST COMMENT
Media reports reference TEMP.Avengers activity, a distinct subset of Chinese cyber espionage activity believed to have targeted multiple healthcare providers in early 2015. Along with the healthcare sector, TEMP.Avengers-identified infrastructure indicated the scope of the group’s activity included United Airlines, the OPM, IT services companies and foreign governments. It is likely the group is collecting personally identifiable information from a variety of sources to identify and exploit individuals with access to sensitive information for follow-on cyber espionage operations.
RELATED iSIGHT PARTNERS REPORTS
15-00004452 (TEMP.Avengers Linked to Anthem Breach), 21 May 2015
15-00001674 (TEMP.Avengers Health Care Breaches), 20 March 2015
Intel-1346271 (TEMP.Avengers Activity), 10 Feb. 2015
CRITICAL VULNERABILITY IN APPLE APP STORE, iTUNES REVEALED
FROM THE MEDIA
A critical flaw has recently been discovered in Apple’s App Store and iTunes invoice system. The persistent injection flaw could lead to session hijacking and malicious invoice manipulation. Specifically, an attacker could exploit the vulnerability by manipulating a device cell name through the exchange of malicious scripted code.
Read the Story: ZDNet
iSIGHT PARTNERS ANALYST COMMENT
The flaw certainly appears to be a legitimate cross-site scripting (XSS) vulnerability resulting from improper input validation of a device’s name, which is a user-supplied field. When an attacker provides malicious code as a device name, it is processed and rendered as part of the HTML code used to generate invoices automatically, allowing an attacker to perform a number of different potentially malicious actions (including session hijacking, phishing and redirection) following a purchase. This vulnerability has already been patched, mitigating the risk this flaw poses to Apple App Store and iTunes clients.
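The analyst comment above describes a user-supplied device name being rendered straight into invoice HTML. The following is an added illustration, not code from the original post or from Apple’s systems: a minimal invoice row renderer in its vulnerable and escaped forms, run over constructed sample data (the field names, the probe() call and the sample device name are assumptions).

```javascript
// Added example (not from the original post or Apple): a user-supplied device
// name reaching invoice HTML, and the fix (escaping at the point of output).
// All sample values below are constructed for illustration.

// Replace every character that can change HTML parsing state with its entity.
function escapeHtml(value) {
  const entities = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Vulnerable: the device name is concatenated straight into the invoice markup,
// so any tag the user put in the name becomes part of the page.
function renderInvoiceVulnerable(purchase) {
  return `<tr><td>${purchase.item}</td><td>${purchase.deviceName}</td></tr>`;
}

// Hardened: every untrusted field is escaped where it enters an HTML context.
function renderInvoiceSafe(purchase) {
  return `<tr><td>${escapeHtml(purchase.item)}</td>` +
         `<td>${escapeHtml(purchase.deviceName)}</td></tr>`;
}

// Simple output check: strip the tags the template itself emits and see
// whether any other tag survived. Good enough to contrast the two renderers;
// a real review would parse the HTML rather than use a regex.
function containsUnexpectedTag(html) {
  const withoutTemplate = html.replace(/<\/?(tr|td)>/g, "");
  return /<[a-z!/]/i.test(withoutTemplate);
}

// Constructed sample: a device renamed to include a script tag (probe() is a
// hypothetical function standing in for whatever the injected script would do).
const samplePurchase = {
  item: "Example App",
  deviceName: "Bob's iPhone <script>probe()</script>",
};

console.log(renderInvoiceVulnerable(samplePurchase)); // raw <script> tag in output
console.log(renderInvoiceSafe(samplePurchase));       // &lt;script&gt; text only
```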
RELATED iSIGHT PARTNERS REPORTS
Intel-936221 (Analysis of Common XSS Vectors and Mitigation Measures), 20 Sept. 2013
Intel-874890 (Mitigating XSS Attacks), 2 July 2013
ANONYMOUS RELEASE HACKED CSIS DOCUMENT AFTER MEMBER’S DEATH, THREATENS TO LEAK ‘STUNNING SECRETS’
FROM THE MEDIA
Anonymous has allegedly released a Canadian government document containing sensitive communications and information about the Canadian Security Intelligence Service’s (CSIS) information sharing system. Government officials have not confirmed the document’s legitimacy. Anonymous released the document with a recorded video.
Read the Story: National Post
iSIGHT PARTNERS ANALYST COMMENT
Hacktivist actors have been targeting Canadian government agency websites for a number of months in opposition to the Canadian surveillance law dubbed “C-51.” The document appears authentic and has been implicitly confirmed by Canadian authorities. According to media reports, the actors possess additional documentation they are considering releasing in the near term. The actors’ delay in releasing the additional documents is likely associated with a mix of track-covering measures and apprehension over law enforcement reprisal.
RELATED iSIGHT PARTNERS REPORTS
15-00006296 (Hacktivist Group Targets Canadian Govt. for Operation #OpC51), 6 July 2015
15-00005646 (Weekly Hacktivist Operation Update for #OpC51), 22 June 2015
15-00005580 (Hacktivists Target Canadian Govt. Domains), 19 June 2015
PLANNED PARENTHOOD REPORTEDLY HACKED
FROM THE MEDIA
Anti-abortion activists hacked Planned Parenthood’s website and were allegedly able to gain access to the organization’s online database and employee information. The hackers have threatened to release Planned Parenthood’s internal e-mails.
Read the Story: CS Monitor
iSIGHT PARTNERS ANALYST COMMENT
The group claiming responsibility for the breach, 3301, appears to be led by the actor “E.” iSIGHT Partners has observed no previous activity by this group. After the intrusion, allegedly executed via SQL injection, the attackers posted the e-mail addresses and passwords, though the passwords are salted MD5 hashes. The attackers claim staff e-mails will be released once decrypted, though—given the difficulty of reversing properly salted MD5 passwords—it is uncertain they have the capability to do so.
RELATED iSIGHT PARTNERS REPORTS
15-00007386 (Hacktivist Operations for July 27, 2015), 28 July 2015
Intel-360120 (Contraceptive Pill Website Targeted), 23 Feb. 2011
DARKODE FORUM RESURFACES
FROM THE MEDIA
The Darkode website, taken down by authorities on July 15, has resurfaced. According to the new website, the takedown only focused on new and long-retired individuals. Furthermore, the post indicated that most of the staff remains intact, including senior members, and that the site will relaunch soon, with new security measures.
Read the Story: Security Week
iSIGHT PARTNERS ANALYST COMMENT
If Darkode’s leading members were residing in Russia or other countries without an extradition agreement with the US or European countries, then they were most likely not affected by the recent law enforcement activity. While US and cooperating law enforcement agencies were able to take down the infrastructure supporting Darkode, this portion of the forum leadership was likely able to set up new infrastructure with little difficulty and continue their activities. To be most effective, law enforcement activity requires cooperation of cyber criminals’ host countries to detain suspected administrators, organizers and other core members of criminal groups.
RELATED iSIGHT PARTNERS REPORTS
ThreatScape Media Highlights (Cyber Criminal Forum Taken Down), 16 July 2015
Intel-1295446 (eCrime Marketplaces Taken Down in ‘Operation Onymous’ Almost Certainly Being Replaced by Alternatives), 24 Nov. 2014
15-00003500 (Russian Law Enforcement Arrests Individuals Connected to SVPENG, Likely to Discourage Russian Criminals from Using Mobile Malware against Russian Victims), 30 April 2015
The post ThreatScape Media Highlights Update – Week Of July 29th appeared first on iSIGHT Partners.