The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
Monday, 21 December 2015
Secret Code Found in Juniper’s Firewalls
From The Media
On Thursday, Juniper Networks reported it had found “unauthorized” code embedded in an operating system running on some of its firewalls. The code, present in multiple versions of Juniper’s ScreenOS software going back to at least August 2012, could enable malicious actors to fully commandeer Juniper NetScreen firewalls running the affected software. This access would allow actors with sufficient skill and time to decrypt encrypted traffic passing through the Virtual Private Network (VPN) on the firewalls. Juniper has released patches for the software and advised customers to install them immediately, noting that firewalls running ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are vulnerable. According to Fox-IT, the released patches provide some indication of where the master password backdoor is located in vulnerable software. Once obtained, the password enables a user to log into all vulnerable firewalls. Previously captured VPN traffic that traveled over affected firewalls can also be decrypted using this method.
Read the Story: Wired
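As an added illustration, not part of the story and not Juniper’s or Fox-IT’s own tooling, here is a small Python check that triages a firewall inventory against the ScreenOS version ranges quoted above. The hostnames and versions are a constructed sample, and the assumed version-string form is “major.minor.patch rN” as written in the advisory (an optional trailing “.N” is tolerated).

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected ScreenOS ranges as stated in the story above, inclusive on both ends.
# Each entry: ((major, minor, patch), first_r, last_r).
VULNERABLE_RANGES = [
    ((6, 2, 0), 15, 18),   # 6.2.0r15 through 6.2.0r18
    ((6, 3, 0), 12, 20),   # 6.3.0r12 through 6.3.0r20
]

# Assumed string shape, e.g. "6.3.0r19"; an optional ".N" suffix is accepted.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)(?:\.\d+)?$")


def parse_screenos_version(version: str) -> Optional[Tuple[Tuple[int, int, int], int]]:
    """Return ((major, minor, patch), release) or None if the string is malformed."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, rel = (int(x) for x in m.groups())
    return (major, minor, patch), rel


def is_vulnerable(version: str) -> Optional[bool]:
    """True inside an affected range, False outside it, None if unparseable
    (treat None as 'unknown, verify by hand' rather than as safe)."""
    parsed = parse_screenos_version(version)
    if parsed is None:
        return None
    base, rel = parsed
    return any(base == vbase and lo <= rel <= hi for vbase, lo, hi in VULNERABLE_RANGES)


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split a {hostname: version} inventory into buckets for patch prioritisation."""
    buckets: Dict[str, List[str]] = {"vulnerable": [], "not_affected": [], "unknown": []}
    for host, version in inventory.items():
        result = is_vulnerable(version)
        key = "unknown" if result is None else ("vulnerable" if result else "not_affected")
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {"fw-edge-01": "6.3.0r19", "fw-edge-02": "6.3.0r21",
              "fw-dc-01": "6.2.0r14", "fw-dc-02": "6.2.0r15", "fw-lab-01": "6.3.0"}
    for bucket, hosts in triage_inventory(sample).items():
        print(f"{bucket}: {', '.join(sorted(hosts)) or '-'}")
```

Versions outside the quoted ranges are reported as not affected only with respect to this advisory; unparseable strings are deliberately kept in a separate bucket so they are not silently treated as safe.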
iSIGHT Partners Analyst Comment
At this time, there is insufficient information publicly available to properly assess the risk posed by the two vulnerabilities or identify who is truly responsible for the code in the first place. We have some indication that network device manufacturers have previously been the target of efforts to install backdoors. During Operation Aurora, which took place in 2009 and 2010, Chinese cyber espionage actors targeted multiple firms, including Juniper Networks, to modify source code, ostensibly for backdoor access. However, we have no indication that these incidents are related.
Related iSIGHT Partners Reports
15-00014538 (Juniper ScreenOS Vulnerability CVE-2015-7755), 18 Dec. 2015
Intel-743599 (Ties to Cyber Espionage Activity, Including Operation Aurora), 21 Feb. 2013
Congress Approves First Major Cyber Bill in Years
From The Media
The Cybersecurity Act of 2015 recently passed Congress as part of the Consolidated Appropriations Act of 2016. The Act provides incentives for companies to share data on cyber threats without the fear of lawsuits. President Barack Obama signed the bill into law on December 18, 2015.
Read the Story: The Hill
iSIGHT Partners Analyst Comment
While iSIGHT Partners has not yet finished reviewing the full text of the legislation, we believe it will encourage private companies to share cyber threat indicators with each other and the federal government, at least to some extent. We expect privacy advocates to continue to push for the law’s amendment or repeal, though we suspect their prospects for success are unlikely in the near-term. The U.S. Congress has been struggling unsuccessfully to pass cyber threat information sharing legislation since 2011.
Related iSIGHT Partners Reports
Intel-1251093 (‘Lame-Duck’ Session Likely Last Chance to Pass the Cybersecurity Information Sharing Act (CISA) Without Lengthy New Debate), 29 Sept. 2014
15-00000506 (White House Cyber Information-Sharing Bill Likely to Reinvigorate Legislative Efforts and Civil Liberties Concerns), 19 Feb. 2015
Intel-1112620 (Senate Intelligence Committee Drafts Bill Granting Antitrust Protection for Threat Indicator Sharing; Impact Uncertain), 17 June 2014
Phantom Squad Claims to Take Down Xbox Live With DDoS Attack
From The Media
Phantom Squad, the hacker group that threatened to take down Xbox Live and the PlayStation Network this Christmas, recently followed their threats with action and took down Xbox Live for a few hours. The group reiterated their threats, saying the PlayStation Network was next. Twitter took down Phantom Squad’s account shortly after this announcement.
Read the Story: Softpedia
iSIGHT Partners Analyst Comment
Xbox Live support posted several messages on Dec. 17, 2015 indicating that the service experienced intermittent disruptions following Phantom Squad’s claim to be targeting the service with DDoS attacks. We also observed Reddit’s Dec. 15, 2015 claim that their Cassandra databases were under extreme load, possibly indicating that Phantom Squad’s claim to have targeted them on that day was accurate, though it is also possible the site was experiencing unrelated technical issues. We were unable to find similar evidence to corroborate other DDoS attack claims by the group. The choice of high-profile targets, as well as social media messages by the group soliciting retweets in exchange for the cessation of DDoS attacks, indicates that Phantom Squad’s goals are peer recognition and ego satisfaction.
Related iSIGHT Partners Reports
15-00012368 (Actor XTM Falsely Claimed to Have Disabled Call of Duty: Black Ops III), 8 Nov. 2015
15-00005418 (Group Profile: Lizard Squad), 26 June 2015
DDoS Attacks Up 180 Percent In Q3 2015
From The Media
Akamai recently reported in their Q3 2015 State of the Internet security report that the number of observed distributed denial of service (DDoS) attacks was up 180 percent from Q3 of last year, totaling 1,510 attacks for the quarter. According to Akamai, the attacks were shorter and had a lower volume. For Q3 2015, the average DDoS attack lasted 18.86 hours, the global average attack size was 5.1 Mbps and the peak average attack strength was 32.2 Mbps.
Read the Story: SC Magazine
iSIGHT Partners Analyst Comment
The growth of DDoS-for-hire services has made DDoS attacks available and affordable for a wider number of actors. While iSIGHT Partners expects to see the number of DDoS attacks grow, it is unclear from Akamai’s published data whether total DDoS attacks truly grew 180 percent over last year or whether Akamai simply detected 180 percent more than they detected in 2014. The average attack size reported does not appear to have increased from Q3 last year.
Related iSIGHT Partners Reports
15-00012330 (Recent Extortion-Linked DDoS Attacks Target Multiple Organizations; Many Attackers Likely Inspired by DD4BC), 1 Dec. 2015
15-00010360 (Overview of Cyber Crime Services for Sale in 2015), 2 Oct. 2015
15-00012940 (Notable Developments in Cyber Crime Tools During October 2015), 24 Nov. 2015
SlemBunk Android Banking Trojan Targets 31 Banks Across The World
From The Media
FireEye recently discovered a new Android banking Trojan, dubbed SlemBunk. It has been observed targeting 33 financial institutions, 2 online payment systems and 31 banks primarily in the US and Australia. The Trojan, once downloaded to a victim’s mobile device, will inject a fake login page onto legitimate banking apps.
Read the Story: Softpedia
iSIGHT Partners Analyst Comment
This incident showcases the continuing fallout of the OPM compromise and does not represent a new breach. We previously tied the compromise to TEMP.Avengers, a China-nexus team first reported on by iSIGHT Partners in May 2015. We believe this team has also targeted the healthcare and aviation sectors in search of personally identifiable information to identify US Government employees and associated contacts for counterintelligence purposes.
Related iSIGHT Partners Reports
15-00004452 (TEMP.Avengers, Cyber Espionage Actors Linked to Anthem, Inc. Breach, Tied to Additional Infrastructure), 21 May 2015
15-00006974 (ThreatScape Media Highlights Month in Review: June 2015), 28 July 2015
Hackers Likely To Target a U.S. Election Next Year
From The Media
Security expert Bruce Schneier has predicted that hackers will target the US election next year. He says that the attacks will not hit the voting system and may not include targets such as the presidential candidates. The attacks will more likely affect candidates’ websites and social media in an attempt to uncover information not intended for public consumption.
Read the Story: Computer World
iSIGHT Partners Analyst Comment
Elections provide a prominent opportunity for ideological actors to target political adversaries, for ego-driven actors to target visible systems for notoriety, for cyber criminals to collect large datasets of personally identifiable information (PII), and for cyber espionage actors to construct tempting lures. Additionally, candidates’ improper access of voter data may constitute a threat to US voters, as when staffers associated with the Sanders campaign accessed DNC voter data affiliated with the Clinton campaign. We regularly see activity relating to foreign election cycles, and we similarly expect to see activity directly targeting and related to the US election next year.
Related iSIGHT Partners Reports
15-00014142 (E-Mail Account Compromised in Earlier Operation Leveraged by Conference Crew Against Additional Political Targets), 14 Dec. 2015
15-00013052 (TEMP.Zhenbao Leverages US Presidential Election to Target Russian Interests), 29 Nov. 2015
15-00012462 (Actors in Spanish-Language Cyber Crime Forum Offer Information on More Than 100 Million Mexican Voters), 18 Nov. 2015
The post ThreatScape Media Highlights Update – Week Of December 21st appeared first on iSIGHT Partners.