The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
Wednesday, 9 December 2015
IRAN-BASED HACKERS MAY BE TRACKING DISSIDENTS AND ACTIVISTS
FROM THE MEDIA
Iran-based hackers have been spying on potential activists and dissidents, among other targets in Iran, according to Symantec. The two hacker groups involved go by Cadelle and Chafer. According to Symantec, the two groups have had access to their victims’ computers for over a year and have used malware designed to exfiltrate information from the servers and computers of victims, including telecommunications and airline organizations in the region.
Read the Story: CIO
iSIGHT PARTNERS ANALYST COMMENT
The activity referenced in the Symantec report is consistent with activity we have previously attributed to Iranian actors. Furthermore, Symantec’s claims that the operators may have ties to Operation Cleaver, which iSIGHT Partners tracks as Jafar Team, could account for the drop-off in observed Jafar Team activity following the publication of the Operation Cleaver report. Though Symantec indicates that dissidents were targeted, we do not yet know the full extent of this activity.
RELATED iSIGHT PARTNERS REPORTS
15-00013038 (Overview of Beanie Team Espionage Activity), 24 Nov. 2015
15-00007836 (TEMP.Lice Activity Defined; Operations Expand to Include Israel), 21 Aug. 2015
Intel-1245356 (TEMP.Jafar Activity Targets Energy Sector; Probable Iranian Origins), 2 Oct. 2014
ATTACKERS ARE BUILDING BIG DATA WAREHOUSES OF STOLEN CREDENTIALS AND PII
FROM THE MEDIA
Actors are linking sets of personally identifiable information (PII) together to create fuller, more valuable sets of combined data, according to McAfee Labs. Actors are using big data business models to enhance the underground marketplace. McAfee Labs says that 2016 will see the development of a more robust market for stolen PII.
Read the Story: CSO Online
iSIGHT PARTNERS ANALYST COMMENT
Organizations should be aware that malicious actors are not only interested in financial information. PII has long been sold in underground markets, and actors target such data to meet market demand for it. While iSIGHT Partners has not observed actors performing this type of data aggregation on a large scale, the activity fits the convergence of PII data sales and continued expansion of underground market specialization. Cyber criminals are likely to offer services contextualizing several streams of data with the intent to sell that data to other actors at a higher price.
RELATED iSIGHT PARTNERS REPORTS
15-00012904 (Actor Sells Extensive Customer Records Associated with Financial Institutions and Retailers Operating in Mexico), 19 Nov. 2015
15-00012908 (Threats to the Investment Sector), 7 Dec. 2015
15-00006858 (Cyber Criminal Theft and Exploitation of Databases: Targeted Data, Targeted Industries and Malicious Uses), 11 Aug. 2015
ANONYMOUS PLANS ‘TROLLING DAY’ AGAINST ISIS
FROM THE MEDIA
Anonymous is planning to target social media accounts used by ISIS and stage protests on Dec. 11, 2015 in an effort to mock the terror group. Specifically, Anonymous plans to hack ISIS Twitter, YouTube and Facebook accounts.
Read the Story: Time
iSIGHT PARTNERS ANALYST COMMENT
We have previously observed examples of humorous anti-ISIS advocacy from participants in the #OpISIS and #OpParis campaigns. For example, the hacktivist group GhostSec claimed to have defaced a pro-ISIS website with an advertisement for Viagra and the message “Enhance your calm.” We also observed campaign participants circulating images with rubber ducks photoshopped over the heads of ISIS fighters. The popularity of this activity is at least partially explained by it being a low-risk, low-skill means of publicly opposing ISIS, though it likely has limited effect on ISIS’s overall propaganda efforts.
RELATED iSIGHT PARTNERS REPORTS
15-00013520 (Hacktivist Operations Report for the Week of Dec. 7, 2015), 7 Dec. 2015
15-00013222 (Hacktivist Operations Report for the Week of Nov. 30, 2015), 1 Dec. 2015
15-00012766 (Hacktivist Reactions to Paris Terror Attacks Likely; Anonymous-Affiliated Actors Discuss Anti-ISIS Campaign #OpParis), 15 Nov. 2015
EU LAWMAKERS, COUNTRIES AGREE ON BLOC’S FIRST CYBER-SECURITY LAW
FROM THE MEDIA
EU lawmakers and member states have come to an agreement on a cyber security law that will require Internet companies such as Amazon and Google to report serious breaches. The new law, known as the Network and Information Security (NIS) Directive, will establish security and reporting requirements for entities in critical sectors, such as the transportation and financial industries.
Read the Story: Reuters
iSIGHT PARTNERS ANALYST COMMENT
Both the NIS Directive and the related General Data Protection Regulation (GDPR) will have a significant impact on information security and compliance for companies doing business in the EU. The directive is expected to be passed by the EU Parliament on December 17 and published in early 2016, from which point EU member states will have 21 months to integrate it into their national legal frameworks. iSIGHT Partners strongly recommends that enterprises whose business operations include the possession or processing of personal data belonging to individuals located in the EU consult legal counsel to determine the impact of these two pending laws.
RELATED iSIGHT PARTNERS REPORTS
15-00000016 (Negotiations over EU Network and InfoSec Directive Nearing Conclusion; Will Create Common Regulatory Framework Between EU Member States), 2 Jan. 2015
15-00000134 (Romanian Network and InfoSec (NIS) Directive Faces Constitutional Hurdles, Tests Pending EU NIS Directive), 19 Jan. 2015
Intel-1297441 (EU Council Proposal Would Ease General Data Protection Regulation’s Compliance Obligations with Risk-Based Approach), 26 Nov. 2014
FRAMEWORKPOS MALWARE RETURNS WITH A FRANKENSTEIN VERSION
FROM THE MEDIA
A new version of the FrameworkPOS malware has been observed in the wild by Trustwave security researchers. The new version uses two PowerShell scripts to inject the malware into the target machine’s memory, making it harder to detect. Trustwave researchers believe that this version of FrameworkPOS is an intermediary between the older version and a new major update, because it appears to be stitched together from leftover old code.
Read the Story: Softpedia
iSIGHT PARTNERS ANALYST COMMENT
It is unclear whether the current coding of FrameworkPOS indicates an imminent major update, though Trustwave’s analysis is plausible. However, we expect that the upcoming major holidays create an incentive for cyber criminals to deploy new versions of malware, especially versions that include additional methods to avoid detection. Use of PowerShell scripts is not unique, but has proved to be an effective method of avoiding detection for other types of malware.
RELATED iSIGHT PARTNERS REPORTS
14-33059 (Analysis of FrameworkPOS), 17 Oct. 2014
15-00013004 (Cyber Crime Threats During the 2015 Holiday Season), 23 Nov. 2015
14-32083 (Analysis of Powelix Malware, Which Uses PowerShell Scripts), 5 Oct. 2014
The post ThreatScape Media Highlights Update – Week Of December 9th appeared first on iSIGHT Partners.