The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
Wednesday, 24 February 2016
Employees of Russian Banks Targeted With ‘Ratopak’ Malware
From the Media
Actors are attempting to target Russian bank employees with a data-stealing Trojan. Symantec reported that actors have used the Ratopak Trojan against employees of at least six Russian banks. Once installed, the Trojan can open a back door enabling actors to capture keystrokes, steal data and conduct other malicious activities. The attack, which took place in December, appears to have used fake Central Bank employment e-mails as a lure to trick victims into downloading the malware.
Read the Story: Security Week
iSIGHT Partners Analyst Comment
Media reporting suggests the actors behind this campaign have been active since at least 2014, focusing primarily on Russian banks. Public reporting indicates Ratopak malware checks for Ukrainian or Russian language settings prior to execution, further indicating the focused nature of these operations. An actor recently shared what he claimed was the source code for this malware, which is also known as “Buhtrap”; however, we have not confirmed the connection between the source code and the Buhtrap/Ratopak malware.
Related iSIGHT Partners Reports
15-00008142 (Overview of the Cyber Crime Threats to Investment Services), 19 Aug. 2015
15-00012742 (Newly Identified VaultCrypt Ransomware Campaign Targeting Russia- and Ukraine-Based Organizations), 3 Dec. 2015
Japan’s Critical Infrastructure Under ‘Escalating’ Cyber Attack
From the Media
Cylance has released a report detailing “Operation Dust Storm,” which focuses on attacks since 2010 against industries in Europe, the United States and Asian countries including South Korea and Japan. According to Cylance’s research department, the unknown attackers have adjusted and are focusing on targeting only Japanese companies. In addition, the actors are significantly resourced and financed with the purpose of maintaining a long-term espionage presence.
Read the Story: ZDNet
iSIGHT Partners Analyst Comment
Technical indicators associated with Operation Dust Storm are consistent with cyber espionage activity we track as Menupass Team. We agree that these operators appear well-resourced, and we believe Menupass Team is Chinese in origin. Primary targets include public and private entities in the US, Japan, and the European Union that we believe can yield operators data related to military and political intelligence, intellectual property and advanced technology.
Related iSIGHT Partners Reports
15-00010148 (Menupass Team Targets Japan; Finance, Economic, and Industrial Targets Identified), 23 Sept. 2015
Intel-945788 (Menupass Team Cyber Activity), 13 March 2014
Child Tracker Firm in ‘Hack’ Row
From the Media
uKnowKids, a firm specializing in child tracking services, is accusing a security researcher of hacking its database after uKnowKids customer profiles were discovered on Shodan. Security researcher Chris Vickery allegedly found text messages, images and 1,700 detailed child profiles publicly accessible online. When Vickery alerted uKnowKids that there was no password protection in place and that the data was publicly accessible, he was accused of hacking the service’s database.
Read the Story: BBC
iSIGHT Partners Analyst Comment
uKnowKids’ improperly configured database posed an obvious risk to the company’s intellectual property and client data, including information about minors, so the somewhat accusatory tone with regard to Vickery’s reporting is most likely misplaced. In addition to properly configuring databases, organizations should have processes in place for handling the case in which a security researcher alerts them to a vulnerability.
Related iSIGHT Partners Reports
15-00008770 (Data Loss Prevention (DLP) Software Effectiveness and Best Practices), 30 Sept. 2015
Intel-786924 (Cloud Storage ‘Buckets’ Set to Public; Amazon S3 Customer Data Exposed), 5 June 2013
Intel-412216 (eCrime Actor Selling Access to Compromised Databases, Possibly from Victimized Customers of a Cloud-Based Service), 8 June 2011
French Ministry of Defense Website Hacked by Anonymous
From the Media
Hackers associated with the Anonymous collective have hacked the website of France’s Ministry of Defense, Centre d’Identification des Materiels de la Defense (CIMD), in protest of France’s foreign arms trade operations. The hackers leaked a database containing information on topics such as army suppliers, website accounts and cleartext passwords. They also took down the website, making it unavailable to visitors.
Read the Story: SC Magazine
iSIGHT Partners Analyst Comment
Based on images posted by Anonymous-affiliated actors, the website’s content management system appears outdated. This claim is supported by the attackers, who described it as “archaic.” While additional analysis may indicate some exposure of sensitive network information, initial assessment suggests much of the data is not sensitive. This attack will almost certainly not affect France’s diplomacy or the importance of its defense sector; that prominence, however, could prompt additional Anonymous targeting.
Related iSIGHT Partners Reports
16-00002152 (#OpPS Presents Low DDoS Threat to French Websites), 18 Feb. 2016
15-00002340 (‘El-Moujahidin Team’ Defaces Three Domains Associated with Air France), 3 April 2015
Wireless Mouse/Keyboard Dongles Expose Computers to Attacks
From the Media
Researchers from security company Bastille are reporting that they have uncovered a flaw in many wireless mice and keyboards that could allow an attacker to input arbitrary commands. The flaw, dubbed Mousejack, can allow an attacker within 100 meters to attack a target device through the USB dongle. Affected devices include those produced by Logitech, HP, Dell, Amazon, Lenovo, Microsoft and Gigabyte.
Read the Story: Security Week
iSIGHT Partners Analyst Comment
The use of wireless USB devices can introduce additional risk into an enterprise environment, as communications can be intercepted or, as in this case, abused to conduct malicious activity. We are unaware of actors widely targeting this flaw; since it requires relatively close proximity, this would likely be limited to targeted attacks.
Related iSIGHT Partners Reports
15-00012032 (Researchers Exploring Ways to Distribute Malware via Peripherals Other Than USB Drives), 30 Oct. 2015
Intel-1220876 (Reprogramming Microcontroller Firmware Enables New USB Device-Based Attack Technique), 26 Aug. 2014
Belgian Government Plagued by Hackers
From the Media
Hacker collective DownSec is claiming to have conducted a distributed denial-of-service (DDoS) attack on the Belgian National Bank. The same group is also allegedly responsible for conducting DDoS attacks on the Belgian Agency for Nuclear Control, the Federal Crisis Center and Federal Cyber Emergency Team. According to Belgian authorities, officials suspect that the hackers used a botnet purchased from a foreign criminal organization.
Read the Story: Politico
iSIGHT Partners Analyst Comment
Practically any actor with access to underground cyber crime communities can launch DDoS attacks via for-rent DDoS services. These services send traffic from purchased, rented or stolen infrastructure and can use a variety of DDoS traffic types to target a victim website. While many DDoS services only produce low volumes of attack traffic for unsophisticated attacks, and thus pose little threat to most organizations, some services can produce enough traffic volume to threaten even well-secured sites.
Related iSIGHT Partners Reports
16-00001236 (Thirteen Irish Government and Corporate Websites Taken Offline by DDoS Attacks), 29 Jan. 2016
15-00014910 (Hacktivist Group ‘Phantom Squad’ Claims Credit for Several Christmas Holiday Gaming Service Disruptions; At Least One Claim Very Likely Fabricated), 22 Jan. 2016
16-00000894 (Lizard Squad Associates ‘L7 Crew’ Conduct Successful DDoS Attack Newly Announced Game Studio Pixelmage Games), 22 Jan. 2016
The post ThreatScape Media Highlights Update – Week Of February 24th appeared first on iSIGHT Partners.