The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
Monday, 11 January 2016
Confirmation of a Coordinated Attack on the Ukrainian Power Grid
From The Media
SANS ICS now assesses that cyber attacks were directly responsible for power outages in Ukraine. The attackers interacted directly with the control systems and then worked to hinder remediation, forcing responders to switch to “manual mode” in order to restart systems. Furthermore, Sandworm Team and BlackEnergy malware are tied to the incident.
Read the Story: SANS
iSIGHT Partners Analyst Comment
The SANS ICS blog confirms conclusions previously reached by iSIGHT regarding the nature of the Ukrainian attacks (specifically the role of destructive malware and phone disruption) and attribution to Sandworm Team. iSIGHT Partners believes this incident is a milestone because it is the first major cyber attack to substantially affect the civilian population and because of the overwhelming importance of the grid to multiple reliant sectors. Furthermore, Sandworm Team’s previous interest in US and European critical systems underscores the threat they pose.
Related iSIGHT Partners Reports
16-00000208 (Ukrainian Power Outage and Previous Media Attacks Attributed to Sandworm Team), 7 Jan. 2016
15-00014822 (Power Outage by Cyber Attack on Energy Control Systems in Several Regions of Ukraine), 30 Dec. 2015
Cyber Criminals Target Japanese Banks with Rovnix Trojan
From The Media
Cyber crime actors controlling the Rovnix Trojan were observed targeting fourteen major Japanese banks. Since December 2015, the campaign has allegedly infected users with the Trojan via a downloader hidden in phishing e-mails. The e-mails purport to come from an international transport company and attempt to socially engineer victims into downloading a malicious attachment disguised as a waybill. The Trojan attempts to collect bank login credentials and secondary authentication data.
Read the Story: SC Magazine
iSIGHT Partners Analyst Comment
Malicious actors engaged in spam activities commonly use phony shipping and postal service updates or bills to convince victims to download and open malicious files. Users should be wary of notices regarding packages they do not remember sending or requesting. If a particular e-mail message is in question, verify the sender’s e-mail address. Users can also log into the carrier’s website directly to check a package’s status rather than following links in the message.
Related iSIGHT Partners Reports
Intel-507566 (Spam Spoofing Russian Shipping Company Drops Smoke Loader Trojan), 6 Jan. 2012
Intel-1030121 (Continued Uptick in Asprox Spam Delivering Kuluoz Malware), 29 Jan. 2014
11-17987 (USPS E-Mail Campaign Distributes Gamarue), 20 Dec. 2011
Anonymous Nigeria Hacks Government Websites, Declares Cyberwar Against Corruption, Poverty, Theft
From The Media
Individuals claiming association with the loosely affiliated collective Anonymous announced they had targeted several Nigerian Government websites on Jan. 8, 2015. They said the attacks were conducted to protest alleged Nigerian corruption, poverty and theft. Access to the websites of Nigeria’s Finance, Foreign Affairs and Justice Ministries and the Federal Capital Territory Administration was disrupted this past Friday.
Read the Story: IBTimes
iSIGHT Partners Analyst Comment
We believe the attacks were likely successful, and we also observed unverified claims of successful SQLi leading to the exposure of data. Nigerian Government websites also likely do not have sufficient technical capability to defend against various cyber attacks, including DDoS attacks or basic vulnerability scanning. Anonymous-affiliated actors frequently target national governments that they perceive are corrupt, as anti-establishment opposition to corruption remains a core pillar of the collective’s ethos and will almost certainly remain intact and motivate future attacks.
Related iSIGHT Partners Reports
15-00012368 (Actor XTM Falsely Claimed to Have Disabled Call of Duty: Black Ops III), 8 Nov. 2015
15-00005418 (Group Profile: Lizard Squad), 26 June 2015
EU Cookie Law Notification Abused to Hijack Clicks for Invisible Ads
From The Media
Malicious actors are abusing the EU requirement that websites inform users about cookies in order to disguise ads. Legitimate websites notify visitors of cookie usage by issuing a popup in the middle of the webpage. The scammers load an invisible iframe containing a Google ad over the popup, so a click intended to dismiss the notice lands on the ad instead.
Read the Story: Softpedia
iSIGHT Partners Analyst Comment
Since many internet users are accustomed to clicking through the EU cookie law notification, malicious actors can easily abuse this habit for click fraud or malware distribution. Exploiting dialog boxes and users’ expectations is already a feature of existing malvertising schemes. However, in order to successfully exploit this practice, malicious actors must first compromise the website, a third-party tool it loads, or the victim’s computer via a vulnerability.
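The overlay pattern described above can be checked for from the defender’s side. The following is an added example, not code from the story or from iSIGHT Partners: it flags iframes that are transparent but still clickable and that sit on top of the cookie banner. The element descriptor shape, the sample elements and the `#cookie-notice` selector are assumptions for illustration.

```javascript
// Added example (not from the original post). Descriptor shape assumed:
// { id, opacity, pointerEvents, rect: { x, y, w, h } }.

function rectsOverlap(a, b) {
  return a.x < b.x + b.w && b.x < a.x + a.w &&
         a.y < b.y + b.h && b.y < a.y + a.h;
}

// A frame can hijack clicks only if it is (near) transparent yet still
// receives pointer events; visibility:hidden or pointer-events:none cannot.
function isInvisibleButClickable(el) {
  return el.opacity <= 0.05 && el.pointerEvents !== 'none';
}

// Returns the ids of iframes that are invisible, clickable and overlap the banner.
function findInvisibleOverlays(iframes, bannerRect) {
  return iframes
    .filter(f => isInvisibleButClickable(f) && rectsOverlap(f.rect, bannerRect))
    .map(f => f.id);
}

// Browser helper (assumed banner selector, e.g. '#cookie-notice'); builds
// descriptors from live DOM nodes and is only called when a DOM exists.
function collectDescriptors(selector) {
  const toDesc = (el) => {
    const cs = getComputedStyle(el);
    const r = el.getBoundingClientRect();
    return { id: el.id || el.src || '(anonymous)', opacity: parseFloat(cs.opacity),
             pointerEvents: cs.pointerEvents,
             rect: { x: r.left, y: r.top, w: r.width, h: r.height } };
  };
  const banner = document.querySelector(selector);
  if (!banner) return null;
  return { banner: toDesc(banner).rect,
           iframes: [...document.querySelectorAll('iframe')].map(toDesc) };
}

// Constructed sample modelled on the story: a benign visible embed elsewhere
// on the page, and a fully transparent ad iframe covering the banner.
const SAMPLE_BANNER = { x: 300, y: 200, w: 400, h: 120 };
const SAMPLE_IFRAMES = [
  { id: 'video-embed', opacity: 1, pointerEvents: 'auto', rect: { x: 0, y: 600, w: 500, h: 300 } },
  { id: 'ad-overlay', opacity: 0, pointerEvents: 'auto', rect: { x: 290, y: 190, w: 420, h: 140 } },
];

if (typeof document === 'undefined') {
  console.log(findInvisibleOverlays(SAMPLE_IFRAMES, SAMPLE_BANNER)); // → [ 'ad-overlay' ]
} else {
  const d = collectDescriptors('#cookie-notice');
  if (d) console.log(findInvisibleOverlays(d.iframes, d.banner));
}
```

Run it from the browser console on a page whose banner matches the selector, or under Node to exercise the constructed sample.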
Related iSIGHT Partners Reports
15-00000404 (ASUS eStore Website Compromised for Affiliate Fraud), 6 Feb. 2015
15-00007594 (Traffic Distribution Systems and Methods of Performing a Redirect), 24 Aug. 2011
Antivirus Software Could Make Your Company More Vulnerable
From The Media
Vulnerability researchers found that antivirus (AV) programs can potentially be exploited by malicious actors to gain a foothold in corporate networks. The researchers indicated that critical flaws in AV programs could be easily found and exploited. Since June, dozens of vulnerabilities have been reported in a wide variety of AV products from several providers. Affected vendors include but are not limited to Kaspersky Lab, ESET, Avast, AVG Technologies and Intel Security. Several of the vulnerabilities did not require any user interaction and could have allowed the creation of computer worms.
Read the Story: PCWorld
iSIGHT Partners Analyst Comment
All software, including security software, contains vulnerabilities. In fact, vulnerabilities affecting security software may pose a more significant threat to enterprise environments, as these applications typically run with elevated privileges and parse potentially malicious incoming data, which gives attackers a direct vector for targeting them. While security software can be leveraged as a means to gain access to or execute code on a given system, its benefits almost certainly outweigh any potential risk.
Related iSIGHT Partners Reports
15-00003342 (Alleged Compromise of Anti-Virus Vendor Website May Enable Malware Distribution or Other Malicious Activity), 23 Apr. 2015
15-00010238 (High-Risk Kaspersky Buffer Overflow Vulnerability), 13 Oct. 2015
US Says Only Jeeps Had Hacker Vulnerability via Radios
From The Media
The National Highway Traffic Safety Administration ended a five-month investigation into reported vulnerabilities initially found to affect Jeep brand vehicles (which are produced by Fiat-Chrysler). The investigation found that only radio systems used by Fiat-Chrysler were affected. A vulnerability in the Uconnect infotainment system enabled hackers to remotely alter a vehicle’s speed, brakes, radio, windshield wipers and transmission. Further, the agency reported that the 2015 summer recall of 1.4 million Jeep, Chrysler, Dodge and Ram vehicles effectively fixed the vulnerable vehicles.
Read the Story: WSJ
iSIGHT Partners Analyst Comment
While we have no indication that this specific vulnerability will be widely exploited, remotely exploitable vulnerabilities that enable attackers to take control of vehicles do pose a legitimate ongoing threat, especially as vehicles continue to become more technologically advanced and wirelessly connected. Exacerbating this threat is that patches are currently not pushed automatically to vulnerable systems, meaning that many vehicles are likely to remain vulnerable for extended periods of time. Owners will need to apply the patches manually or take the car to a dealership to have them applied.
Related iSIGHT Partners Reports
Intel-1251618 (Threats to the Automotive Industry), 30 Sept. 2014
Intel-1111421 (Car Hacking Threat Currently Low; Forthcoming Technological Milestones Indicate Rise), 16 May 2014
15-00012340 (Car Diagnostics Tools Susceptible to Cyber Attack), 6 Nov. 2015
The post ThreatScape Media Highlights Update – Week Of January 11th appeared first on iSIGHT Partners.