The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
Wednesday, 16 March 2016
Chinese Hackers Turn to Ransomware
From The Media
Four security companies have observed sophisticated ransomware attacks believed to come from China. There is speculation that the hackers behind these operations are state-sponsored. According to Dell SecureWorks, an attack that occurred at an unnamed technology firm resulted in the encryption of 30 percent of the firm’s computers. The Chinese Government has responded by stating that they would investigate the matter if reliable proof can be presented.
Read the Story: BBC
iSIGHT Partners Analyst Comment
We are currently investigating this activity; however, media reports indicate that some of the malware related to this activity was associated with China-based Codoso Team. While we do not currently have evidence linking Codoso Team to the use of ransomware, we have observed criminal malware tools like BlackEnergy malware variants and the Zeus Trojan being leveraged by espionage operators in the past. This may demonstrate a connection between the criminal underground and espionage activity, or that associated operators may be performing these operations on the side as a means for profit. Further, it is possible that operators may use criminal malware to obfuscate attribution.
Related iSIGHT Partners Reports
Intel-1114421 (The Increasing Confluence of Cyber Crime and Cyber Espionage), 20 May 2014
Intel-889787 (Overview of Codoso Team Activity), 4 March 2015
Intel-1263700 (Sandworm Team Leverages Zero-Day), 14 Oct. 2014
New Malware Attacks When You Type a URL Wrong
From The Media
Security firm Endgame has discovered 300 popular .com domains registered in .om. These domains do not lead to the familiar sites, such as Netflix and Citibank, but rather route visitors to pages that attempt to download the OS X malware “Genieo.” This case serves as an example of typosquatting, where actors prey on the possibility that users will mistype their desired destination and thus accidentally visit a malicious webpage. According to Endgame, users who visit the malicious pages are redirected several times before being confronted with a fake Adobe Flash update prompt.
Read the Story: Gizmodo
iSIGHT Partners Analyst Comment
Typosquatting is commonly used by both cyber crime and cyber espionage actors. In this case the payload was unwanted adware, but campaigns that have used typosquatting in the past have resulted in a wide variety of malicious activities ranging from wire fraud to espionage-related credential collection. While having users avoid mistyping web addresses entirely is not a realistic solution, users should be able to identify suspicious activity and spoofed webpages to reduce the threat posed by this type of activity.
Related iSIGHT Partners Reports
16-00003318 (Tsar Team Adopts New Tactics, Establishes Infrastructure Indicating Suspected Targeting of Geopolitical Hotspots and Defense Industrial Base), 12 March 2016
Intel-983479 (Updates on Typosquatting Campaign Identified in July; Changes to URLs, Infrastructure and Propagation Mechanisms), 24 Jan. 2014
15-00008694 (Domain Registrations Spoofing US Electric Sector Tied to Wire Fraud Scheme), 27 Aug. 2015
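A defender-side check for the pattern described above (a dropped character turning netflix.com into netflix.om): flag hosts in a proxy log that are within one edit of a protected domain. This is an added example, not code from Endgame or iSIGHT Partners; the allowlist and log lines are constructed.

```python
import re

# Assumed allowlist of domains whose lookalikes we want to catch (constructed).
PROTECTED = {"netflix.com", "citibank.com"}
# Constructed proxy log lines: timestamp, client IP, method, host, path.
LOG_LINES = """\
2016-03-14T09:01:12Z 10.0.0.5 GET netflix.com /
2016-03-14T09:01:40Z 10.0.0.7 GET netflix.om /landing
2016-03-14T09:02:03Z 10.0.0.9 GET citibank.com /login
2016-03-14T09:02:44Z 10.0.0.9 GET citbank.com /login
2016-03-14T09:03:10Z 10.0.0.4 GET bbc.co.uk /news
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        # Skip a char of the longer string (insert/delete) or of both (substitute).
        if len(a) > len(b):
            i += 1
        elif len(b) > len(a):
            j += 1
        else:
            i, j = i + 1, j + 1
    return edits + (len(a) - i) + (len(b) - j) <= 1

def lookalike_of(host):
    """Return the protected domain that host mimics, or None if it is exact or unrelated."""
    host = host.lower()
    if host in PROTECTED:
        return None  # the genuine domain, not a lookalike
    for good in sorted(PROTECTED):
        if within_one_edit(host, good):
            return good
    return None

def scan(log_text):
    """Return (requested host, mimicked domain) pairs for every lookalike in the log."""
    hosts = (m.group(4) for m in map(LOG_RE.match, log_text.splitlines()) if m)
    return [(h, lookalike_of(h)) for h in hosts if lookalike_of(h)]
```

Edit distance one also catches single-character substitutions and insertions, so the check generalizes beyond the .om case; a real deployment would also strip subdomain prefixes such as www. before comparing.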
Hacktivist Collective Anonymous Declares Total War on Donald Trump
From The Media
Hackers associated with the Anonymous collective are planning to conduct a massive DDoS attack against Trump election websites and to find and expose any information that will damage Trump’s public image. The group posted a video declaring “total war” against Trump. The hackers noted that the attack will start on April 1, 2016, initially focusing on the trumpchicago.com website.
Read the Story: Tech Times
iSIGHT Partners Analyst Comment
Trump’s provocative and controversial statements also previously antagonized the hacktivist group Telecomix Canada, which defaced his homepage in August 2015. At this time no attacks related to this announcement have been observed, and the operation appears to be more focused on planning and preparations. It remains to be seen if the campaign will attract more participation and operational coordination as the April 1 date draws closer. If Trump secures the Republican Party nomination, additional hacktivist operations may be launched in an attempt to undermine his presidential campaign.
Related iSIGHT Partners Reports
16-00001328 (‘Anonymous Conservative’ Defaces Iowa Caucus Website), 30 Jan. 2016
15-00007682 (Donald Trump’s Website Defaced by Hacktivist Group ‘Telecomix Canada’), 6 Aug. 2015
Yahoo Patches Sender Spoofing Email Vulnerability
From The Media
Yahoo has patched a vulnerability that could have allowed an attacker to spoof Yahoo e-mail addresses. An independent security researcher discovered the vulnerability in the message-composing module of the e-mail service. The vulnerability specifically allows an attacker to inject or intercept traffic in the POST/GET parameters, altering the sender name to any desired name.
Read the Story: ZDNet
iSIGHT Partners Analyst Comment
This vulnerability poses no long-term threat as Yahoo has already patched the issue, thus fully mitigating it. Further, we have no evidence that this issue was exploited in the wild before it was patched. While spoofing vulnerabilities have limited direct impact, actors highly value them because they improve the effectiveness of other activities, such as spam or spear-phishing campaigns.
Related iSIGHT Partners Reports
16-00001238 (Dridex Spam Distribution Leverages Spoofed E-Mails), 8 Feb. 2016
15-00012908 (Threats to Investment Sector Include China-Nexus Actors Spoofing E-Mails), 7 Dec. 2015
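The bug class described above, a sender identity taken from client-supplied POST/GET parameters, beside the hardened form that derives it from the authenticated session and rejects header values containing line breaks. This is an added illustration with assumed request and session shapes, not Yahoo’s code.

```python
import re

# Constructed session store: session token -> authenticated account.
SESSIONS = {"sess-1": {"name": "Alice Example", "email": "alice@example.com"}}
# Header values must not contain CR/LF, which would let a client append extra headers.
_HEADER_VALUE = re.compile(r"[^\r\n]{1,256}")

def compose_vulnerable(session_token, params):
    """Before: the From header is built from client-supplied from_name/from_email."""
    if session_token not in SESSIONS:
        raise PermissionError("not logged in")
    return {"From": f"{params['from_name']} <{params['from_email']}>",
            "To": params["to"], "Subject": params["subject"]}

def compose_hardened(session_token, params):
    """After: sender identity comes only from the authenticated account;
    any from_* parameters are ignored and the remaining headers are validated."""
    account = SESSIONS.get(session_token)
    if account is None:
        raise PermissionError("not logged in")
    for field in ("to", "subject"):
        if not _HEADER_VALUE.fullmatch(params.get(field, "")):
            raise ValueError(f"invalid header value for {field}")
    return {"From": f"{account['name']} <{account['email']}>",
            "To": params["to"], "Subject": params["subject"]}
```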
Big-Name Sites Hit by Rash of Malicious Ads Spreading Crypto Ransomware
From The Media
Malicious advertisements recently appeared on high-profile websites, exposing tens of thousands of browsers to the Angler exploit kit, according to Trend Micro. According to Trustwave, which reported on the same incident, actors were observed installing the backdoor BEDEP and, in some cases, TeslaCrypt. Similarly, Malwarebytes reported that several major sites, such as msn.com and bbc.com, were hit with malvertising over the weekend.
Read the Story: Ars Technica
iSIGHT Partners Analyst Comment
Measures for authenticating firms purchasing digital advertising space have almost certainly become less effective since the adoption of real-time bidding by major digital ad exchanges, such as those operated by Google, AppNexus, and AOL. While many ad exchanges and other entities within digital advertising networks are presumably making active efforts to stop malicious advertisers, it is very likely that the increased complexity and time-limited nature of the automated bidding process makes these efforts less effective, allowing occasional malicious advertisements to slip through.
Related iSIGHT Partners Reports
11-17688 (Malvertising Leads to a Black Hole Exploit Kit and Rogue AV), 22 Nov. 2011
15-00014258 (Overview of Exploit Kits and the Exploit Kit Market), 11 Jan. 2016
16-00001924 (eCrime Actors May Have Taken Advantage of Web Traffic on Denver Broncos Site Leading Up to Super Bowl; Redirected Users to Angler Exploit Kit), 17 Feb. 2016
The post ThreatScape Media Highlights Update – Week Of March 16th appeared first on iSIGHT Partners.