
ThreatScape Media Highlights Update – Week Of March 2nd

The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.


Wednesday, 2 March 2016 

More Than 11 Million HTTPS Websites Imperiled by New Decryption Attack


From The Media
Researchers are warning that 11 million websites and e-mail services protected by the transport layer security protocol (TLS) are vulnerable to an attack, dubbed DROWN. The attack method allows attackers to decrypt intercepted TLS communications by leveraging SSLv2 to make repeated connections to a server. Over 81,000 of the top 1 million most popular websites are vulnerable to the DROWN attack.
Read the Story: Ars Technica

iSIGHT Partners Analyst Comment
iSIGHT Partners considers the DROWN Attack vulnerability (CVE-2016-0800) to be medium-risk and believes its exploitation poses only a moderate threat to users. Although a large number of systems are reportedly vulnerable, exploitation requires notable manual effort and can only be used to obtain the private key for individual users. Further, since the attacker needs to be in a position to intercept traffic, we believe most victims will be targets of opportunity, not targeted. Therefore, we anticipate limited actor interest and do not expect widespread exploitation.

Related iSIGHT Partners Reports
16-00002626 (SSLv2 DROWN Attack Vulnerability CVE-2016-0800), 1 March 2016
Intel-1267065 (POODLE Attack Method Exploiting Flaws in SSL 3.0), 15 Oct. 2014
14-33041 (SSL 3.0 POODLE Attack Vulnerability CVE-2014-3566), 26 Feb. 2016


TeaMp0isoN Hacks Time Warner Cable Business Website, Dumps Customer Data


From The Media
Hackers associated with the TeaMp0isoN hacking crew allegedly hacked into the Time Warner Cable Business Class website and leaked data. According to DataBreaches.net, the dump contained 4,191 records consisting of e-mail addresses, usernames, encrypted passwords and database IDs. TeaMp0isoN claimed responsibility for the attack on Twitter and revealed that they used an SQL injection flaw to gain access to the website’s backend.
Read the Story:  Softpedia

iSIGHT Partners Analyst Comment
Hacktivist groups such as TeaMp0isoN often inflate the importance of leaked data to gather attention and notoriety. This attack almost certainly compromised the Time Warner Cable Business Class Managed Security Solutions website; however, it contains little sensitive information. The database predominately lists small businesses and local government clients of this service, but other malicious actors may use information from this leak to conduct further threat activity.

Related iSIGHT Partners Reports
Intel-532366 (Group Profile: TeaMp0isoN), 9 Feb. 2012
Intel-425336 (TeaMp0isoN Adopts LulzSec Tactics, Releases Tony Blair PII), 1 July 2011
Intel-592444 (TeamP0ison Leader ‘Trick’ Arrested), 15 June 2012


Sneaky New Mac Malware Suggests Notorious Spy Vendor, Hacking Team, Is Back


From The Media
A new type of OS X malware has been identified, and it may have come from Hacking Team. Hacking Team was breached in July 2015, resulting in the exposure of 400GB worth of data, including source code and exploits. The discovered OS X malware is a dropper, and it appears that this particular malware is intended to install Hacking Team’s Remote Control System (RCS). It is currently unknown whether the Hacking Team is using the malware or if another actor took and modified the code.
Read the Story:  PC World

iSIGHT Partners Analyst Comment
iSIGHT Partners previously reported on Hacking Team and its practice of selling licenses to its “Remote Control System” platform, which gives customers significant cyber espionage capabilities. The July 2015 Hacking Team breach made those tools widely available to other actors, including known cyber espionage groups. As a result, associated tools and exploits may be available to a wide range of actors with varying motivations. At present, limited technical indicators hinder our ability to attribute the use of this newly discovered OS X malware, though it may not be used by Hacking Team customers given the fallout from the July 2015 breach.

Related iSIGHT Partners Reports
15-00006544 (Overview of Hacking Team Commercial Cyber Espionage Services), 10 July 2015
15-00006302 (Surveillance Company ‘Hacking Team’ Compromised: Leaked Data May Pose Threat to Customers and Associated Companies), 6 July 2015
Intel-1046863 (Proliferation of Commercial Surveillance Software and Links to Cyber Espionage Campaigns), 27 Feb. 2014


Obama Administration to Renegotiate Rules for ‘Intrusion Software’


From The Media
The Obama Administration is now seeking to renegotiate parts of the Wassenaar Arrangement. The arrangement, shared among 41 nations, is designed to keep hacking tools out of the hands of malicious actors. The Obama Administration now seeks to remove the 2013 controls on the development of intrusion software.
Read the Story:  The Hill

iSIGHT Partners Analyst Comment
While iSIGHT Partners has not yet reviewed the White House’s proposal to renegotiate the 2013 amendments to the Wassenaar Arrangement, we believe that the removal of export controls for so-called “intrusion software” would significantly lessen the burden that would be placed upon cyber security professionals if the amendments were implemented in their current form. While some government officials outside the US have expressed reservations toward and/or begun to re-examine the 2013 amendments, it remains unclear how much support the renegotiation initiative will receive from other signatories to the arrangement. Amendments to the Wassenaar Arrangement are adopted during annual meetings via a consensus process, which is designed to reach a decision that signatories can at least accept as workable, if not ideal.

Related iSIGHT Partners Reports
16-00001684 (Policy Brief: White House Assures Lawmakers It Intends to Fix Wassenaar Proposal), 9 Feb. 2016
Intel-1021023 (International Sale of Offensive Cyber and Surveillance Tools Likely to Be Impacted by Changes to the Wassenaar Arrangement), 14 Jan. 2014
Intel-1123664 (Overview of the Global Surveillance Industry), 4 June 2014


US Military Launches Cyberattacks Against ISIS to Complement Airstrikes and Radio Jamming

ThreatScape Accuracy Judgment Withheld
From The Media
The US military has acknowledged, for the first time, that it is using cyber attacks and digital weapons against ISIS. The US military has indicated that it is seeking to use more digital weapons to attack ISIS’s online infrastructure. Specifically, digital weapons and online attacks are being used to disrupt not only the group’s online propaganda and recruitment efforts, but also its ability to command its forces and control its territory.
Read the Story:  International Business Times

iSIGHT Partners Analyst Comment
While we cannot independently confirm the US military announcement, we have no reason to doubt it. Pro-ISIS hacktivists may seek retaliation for this announcement by conducting cyber threat activity against U.S. Government websites. It is also possible that the news will encourage ISIS to declare the formation or the existence of an ISIS cyber threat capability. To date, we have still not observed public acknowledgment from official ISIS media outlets or representatives that the organization possesses a cyber threat capability, though we believe that ISIS members or associates are conducting cyber threat activity on a limited basis.

Related iSIGHT Partners Reports
15-00009824 (Pro-ISIS Hacktivism Overview), 22 Dec. 2015
15-00005504 (ISIS May Declare Official Hacking Group to Defend Brand), 22 June 2015
16-00002076 (ICA Gained Access to US Gov. Site During #AbuHussainRevenge), 18 Feb. 2016

The post ThreatScape Media Highlights Update – Week Of March 2nd appeared first on iSIGHT Partners.

