The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
Wednesday, 13 April 2016
Improved Qbot Malware Targets Public Institutions
From The Media
An improved version of the Qbot malware (aka Qakbot) has been observed by researchers with BAE Systems targeting public institutions in the United States, UK and Canada. The malware now uses several polymorphism techniques to evade detection and encrypts many of its functions wherever possible. BAE Systems has indicated that the majority of Qbot targets are public organizations such as hospitals, police departments and universities.
Read the Story: Security Week
iSIGHT Partners Analyst Comment
Qakbot is typically used to steal sensitive information such as banking and e-mail credentials. Our comparative analysis of Qakbot samples from 2011 and 2016 indicated that Qakbot is undergoing continued development with several notable modifications. The polymorphism measures it employs are noteworthy improvements and, if properly implemented, would almost certainly allow Qakbot infections to evade initial anti-virus detection. We believe that Qakbot will continue to be developed and improved.
Related iSIGHT Partners Reports
16-00002908 (Qakbot: Malware Behavior, Capabilities and Communications), 28 March 2016
11-15227 (Qakbot Worm Analysis), 21 June 2011
Bribery Helped Criminals Whitelist Malware in Chinese Antivirus Product
From The Media
Chinese IT security company Qihoo 360 unintentionally whitelisted malware after employees of a third party were bribed, says Check Point Software. The actors bribed employees of a Chinese gaming company into adding their malware to a set of legitimate apps sent to Qihoo 360. The attackers allegedly leveraged the whitelisted malware to install Trojans and attack Taobao.com sellers.
Read the Story: Softpedia
iSIGHT Partners Analyst Comment
This is a complex operation conducted by a combination of malicious actors with significant funds (likely obtained via other operations) and insider threat activity. Insider threat activity will highly likely remain a potential threat to enterprises for the foreseeable future. Enterprises should follow best practices such as limiting access to sensitive systems to employees who have a demonstrable need to access such systems.
Related iSIGHT Partners Reports
14-00000097 (Overview of Prominent Threat Vectors Leveraged in Targeted Attacks), 6 Feb 2015
15-00001252 (ThreatScape Media Highlights (TSMH) Month in Review: February 2015), 12 March 2015
Australia’s New Cyber Security Strategy
From The Media
Australia’s federal government is planning to reveal its new national cyber security policy in the coming weeks. The policy is expected to complement voluntary information security health checks and joint threat sharing centers. The document lays out five key areas and contains a total of about 19 initiatives. The government will depend on the private sector to aid in delivering the majority of the policy’s key areas.
Read the Story: IT News
iSIGHT Partners Analyst Comment
While we cannot confirm the specifics of Australia’s soon-to-be-released strategy discussed in the media, it reportedly will include a wide array of initiatives designed to bolster Australia’s cyber security industry, innovation and public-private as well as international cooperation. The initiatives included in the strategy appear to reflect similar measures adopted in the US and EU in recent years. The Australian Government’s design and implementation of national cyber security-related policies and legislation have experienced repeated delays in recent years. Australia’s existing cyber security strategy document was adopted in 2009.
Related iSIGHT Partners Reports
ThreatScape Media Highlights (Australian Industry Lashes Out at Data Breach Notification Scheme), 25 March 2016
ThreatScape Media Highlights (Majority of ISPs not Ready for Metadata Laws that Come into Force Today), 14 Oct. 2015
16-00003754 (Australian Data Breach Notification Bill Public Comment Period Ends; Passage Increasingly Likely), 24 March 2016
Lithuanian Parliament Under Cyber Attack
From The Media
Lithuania’s parliamentary website came under attack during the special session of the World Congress of Crimean Tatars. The website was blocked, preventing coverage of the session. According to Baltic Course, this was aimed at preventing foreign viewing of the session.
Read the Story: EurActiv
iSIGHT Partners Analyst Comment
Ethnically-motivated hacktivist targeting is common. iSIGHT Partners has previously observed such attacks targeting the interests of various ethnic groups in Eastern Europe and Central Asia; historical grievances and rivalry typically drive such targeting. DDoS attacks are also a cheap, easy and accessible way to harass opponents and will almost certainly be favored in similar future attacks.
Related iSIGHT Partners Reports
Intel-1051968 (Crimean Conflict Attracts Hacktivist Targeting), 7 March 2014
15-00003104 (Group Profile: Shaltai Boltai), 4 Feb. 2016
Citadel Banking Trojan Returns as ‘Atmos’
From The Media
A new strain of the Citadel banking Trojan is targeting banks in France and has also been observed delivering ransomware. The new strain, dubbed Atmos, has been observed being delivered with TeslaCrypt and connects to command and control servers in Vietnam, Ukraine, Russia, Canada, Turkey and the US. Furthermore, according to Heimdal Security, there are almost 1,000 bots already in the network.
Read the Story: Info Security Magazine
iSIGHT Partners Analyst Comment
Since April 2015, iSIGHT Partners has observed discussions and advertisements regarding “Atmos” within Russian-language underground forums. The malware has the ability to record keystrokes, capture clipboard information, collect detailed system information, hook popular web browsers to steal user cookies and credentials, take screenshots, and establish remote desktop control over the victim machine. The malware is also capable of detecting and avoiding popular anti-virus software. Our observations of underground marketplace activity are consistent with reports that Atmos is based on Citadel, though we cannot confirm the potential connection to TeslaCrypt at this time.
Related iSIGHT Partners Reports
15-00010948 (Atmos Trojan: Observed Underground Activity and Behavior, Capabilities and Communications), 26 Oct. 2015
15-00003550 (TeslaCrypt: Malware Behavior, Capabilities and Communications), 13 Aug. 2015
The post ThreatScape Media Highlights Update – Week Of April 13th appeared first on iSIGHT Partners.