The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
Wednesday, 20 April 2016
APT Targeting Tibetans Packs Four Vulnerabilities in One Compromise
From The Media
Journalists, Tibetans and human rights workers in Taiwan and Hong Kong are being targeted in an advanced persistent threat (APT) campaign that uses malicious Microsoft Rich Text Format (RTF) documents to compromise victims’ computers. According to Arbor Networks, the RTF documents exploit four vulnerabilities: CVE-2012-0158, CVE-2012-1856, CVE-2015-1641 and CVE-2015-1770. Once a target system is compromised, malware payloads such as Grabber and Gh0st RAT are downloaded.
Read the Story: ThreatPost
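As an added illustration (not from the Arbor Networks report or the iSIGHT analysis), the following Python script shows the kind of static triage a responder can run on RTF attachments before opening them. RTF embeds OLE objects as hex text under the `\objdata` control word, declares the object class under `\objclass`, and can mark an object with `\objupdate` so that it is loaded when the document is displayed rather than when the user clicks it; these control words and the OLE compound file magic bytes come from the RTF and MS-CFB specifications. The two sample documents are constructed for the example and are not real malware, and the heuristic only surfaces embedded objects for a human to inspect; it does not determine which, if any, of the four CVEs a document exploits.

```python
import re
from dataclasses import dataclass, field

# Magic bytes of an OLE compound file (CFB), from the MS-CFB specification.
OLE_CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


@dataclass
class RtfTriage:
    """Result of a static triage pass over one RTF document."""
    object_classes: list = field(default_factory=list)  # values of \objclass
    embedded_objects: int = 0      # number of \objdata hex blobs found
    ole_containers: int = 0        # blobs that contain a CFB header
    auto_update: bool = False      # \objupdate present
    findings: list = field(default_factory=list)


def triage_rtf(data: bytes) -> RtfTriage:
    """Flag embedded OLE objects in an RTF file without rendering it."""
    # RTF is 7-bit ASCII by design; latin-1 decoding never fails on stray bytes.
    text = data.decode("latin-1")
    result = RtfTriage()

    if not text.lstrip().startswith("{\\rtf"):
        result.findings.append("no {\\rtf header: file is not RTF or is mislabelled")

    # \objclass names the OLE class (ProgID) the word processor will instantiate.
    result.object_classes = re.findall(r"\\objclass\s*([^\\{}\s]+)", text)

    # \objupdate forces the object to be updated, and so its OLE server loaded,
    # when the document is displayed, i.e. without the user clicking on it.
    result.auto_update = "\\objupdate" in text
    if result.auto_update:
        result.findings.append("\\objupdate present: object loads on open")

    # \objdata carries the serialised object as a run of hex digits that may
    # be split across lines; the group ends at the closing brace.
    for match in re.finditer(r"\\objdata(?![a-zA-Z])([^}]*)", text):
        result.embedded_objects += 1
        hexdigits = re.sub(r"[^0-9A-Fa-f]", "", match.group(1))
        hexdigits = hexdigits[: len(hexdigits) - len(hexdigits) % 2]
        blob = bytes.fromhex(hexdigits)
        if OLE_CFB_MAGIC in blob:
            result.ole_containers += 1

    if result.embedded_objects:
        result.findings.append(
            f"{result.embedded_objects} embedded object(s), "
            f"{result.ole_containers} containing an OLE compound file; "
            f"classes: {result.object_classes or ['<none declared>']}"
        )
    return result


# Constructed samples (not real malware): a benign document, and one that embeds
# a "Package" object whose data holds a CFB container and is marked for
# automatic update. The header bytes mimic an OLE1 object header (version,
# FormatID 2 for an embedded object, class name) ahead of the CFB magic.
SAMPLE_BENIGN = rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}\f0 Quarterly report\par}"

_OLE1_HEADER = "01050000" + "02000000" + "08000000" + "5061636b61676500"  # "Package\0"
SAMPLE_SUSPICIOUS = (
    r"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Package}"
    r"{\*\objdata " + _OLE1_HEADER + "\n" + OLE_CFB_MAGIC.hex() + "00000000}}"
    r"\par Quarterly report}"
).encode("ascii")

if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        report = triage_rtf(sample)
        print(name, "->", report.findings or ["no embedded objects"])
```

A hit on this heuristic is a reason to carve the `\objdata` blob and examine it with a compound-file parser (the open-source oletools project’s `rtfobj` utility automates that extraction), not a verdict on its own; legitimate documents also embed OLE objects, but an auto-updating object in an unsolicited attachment is worth a closer look.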
iSIGHT Partners Analyst Comment
China-nexus cyber espionage targeting of Tibetan interests, and the use of multiple exploits against them, is consistent with previously observed activity; iSIGHT Partners has tracked such activity since 2012 and has observed the use of some of the malware Arbor Networks listed, including Grabber, which we track as IE Checker. The Arbor Networks report addresses the practice of shared development and logistics that supports several cyber espionage actors in distinct but overlapping campaigns. This is made possible by a “digital quartermaster,” a sort of cyber arms dealer, who supplies several actors with the same builder tools, exploits or malware. The report emphasizes that many seemingly unrelated campaigns could be part of a broader offensive drawing on shared development and logistics infrastructure run by such a quartermaster.
Related iSIGHT Partners Reports
15-00011990 (Chinese Espionage Targets Dissident Media Organizations Using WMIGhost), 29 Oct. 2015
16-00000782 (Cyber Espionage Actors Leveraged BadAV Malware Against Tibetan Organizations), 25 Jan. 2016
FireEye Labs (Supply Chain Analysis: From Quartermaster to Sunshop), 2013
New Thanatos Trojan Can Delete Competing Malware from the Infected Target
From The Media
Proofpoint last month discovered a Trojan dubbed “Thanatos” that allegedly possesses the ability to kill other malware. According to its creators, Thanatos (aka Alphabot) is similar to Zeus. Thanatos comes with an AV module that allows it to discover malware already residing on a system, upload it to VirusTotal to confirm it is malicious, and then delete it. The malware is being sold in underground markets for $1,000 USD per month, or $12,000 USD for a lifetime subscription.
Read the Story: SC Magazine
iSIGHT Partners Analyst Comment
The malware Proofpoint is terming “Alphabot” is almost certainly the malware iSIGHT has reported on as “Alpha 2.0.” The group or individual behind this malware is likely sophisticated, participates in a range of malicious activity (including the alleged compromise of a hosting service used by professional sports teams), and has been involved with malware development since at least mid-2014. Based on the malware’s capabilities and its author’s experience, Thanatos Trojan is likely to be attractive to a wide variety of cyber criminals for credential theft and other types of malicious activity.
Related iSIGHT Partners Reports
16-00004964 (Update: Previously Reported Compromises Likely Linked to Envision Power Board Vulnerability or Shared Hosting Compromise), 15 April 2016
16-00004670 (Shared Resource Used by Multiple Websites Including NFL, NHL and NBA Team Sites Allegedly Compromised for Malware Distribution), 12 April 2016
Pro-ISIS Group Defaces 88 Websites in Three-Day Rampage
From The Media
The pro-ISIS group “Team System Dz” recently defaced websites in the UK, US, Israel and France. In total, Team System Dz defaced 88 websites with pro-ISIS messages. The hackers do not appear to be skilled enough to conduct malicious activity beyond defacements, and it does not appear that any data leaks occurred in the attacks. In fact, according to a popular defacement monitor, many of the sites Team System Dz targeted over the past few days were previously defaced by the group in March and April 2015.
Read the Story: Softpedia
iSIGHT Partners Analyst Comment
iSIGHT Partners previously assessed that Team System Dz is a low-sophistication hacktivist group that has been active since at least 2013 and is motivated by pro-ISIS, anti-Israel and anti-US ideologies. We have observed no evidence that the group is officially connected to or directed by ISIS. While the increase in the number of pro-ISIS hacktivists since January 2015 has led to greater diversity in the tactics, techniques and procedures (TTPs) and levels of sophistication exhibited by these actors, we judge that the majority of pro-ISIS activity observed to date still consists of low-sophistication activity, primarily defacements.
Related iSIGHT Partners Reports
15-00002916 (Pro-ISIS Hacktivist Group ‘Team System Dz’ Defaces Airport, Casino Reinvestment Development Authority Websites), 14 April 2015
Intel-1283314 (‘Team System Dz’ Conducts Pro-ISIS Defacements, but Are Not Likely Tied to ISIS Organization), 16 Jan. 2015
15-00009824 (Pro-ISIS Hacktivism Overview), 22 Dec. 2015
Over 750,000 Websites Were Breached in Just a Year
From The Media
A recent Google study analyzed 760,935 websites that were detected as compromised over one year and found that notifications to webmasters from Google’s Safe Browsing Alerts initiative can shorten the duration of a website infection by 62 percent. WordPress was the most frequently compromised platform, and over one third of all compromised websites were in English, followed by Chinese.
Read the Story: SC Magazine
iSIGHT Partners Analyst Comment
This study is one of the largest of its kind and focuses particularly on notification and remediation. Among its findings: 12 percent of sites that successfully removed their infection were re-infected within 30 days, suggesting that a significant portion of webmasters either failed to remove the root cause of the infection or were targeted by adversaries who returned to find a second exploitable flaw in the site. Overall, however, the paper makes a strong argument that notifying webmasters of compromises on their sites can be highly effective in driving remediation.
Related iSIGHT Partners Reports
15-00002812 (Google Report Claims Low Rate of Android Malware Infestation, but Issues with Methodology Exist), 10 April 2015
15-00002136 (Google’s Play Store Implements Human Review of Apps Prior to Publication, Will Have Positive but Limited Impact on Android App Security), 30 March 2015
Corporate, Internal Network Breaches on the Rise
From The Media
Data breaches affecting internal and corporate networks increased significantly in 2015 compared to 2014, according to a recent Trustwave report. Specifically, corporate and internal network breaches accounted for 40 percent of breaches in 2015, compared to 18 percent in 2014. In 20 percent of the operations targeting corporate networks, attackers intended to damage compromised information rather than steal it.
Read the Story: Security Week
iSIGHT Partners Analyst Comment
Although corporate and internal networks were increasingly targeted while eCommerce and point-of-sale targeting declined, the study found that payment card data retains the largest share of targeted data: magnetic stripe and card-not-present data together accounted for 60 percent of the information targeted. The reported rise in corporate network targeting and in attacks “intended to damage compromised information” could reflect increased use of ransomware over the studied period.
Related iSIGHT Partners Reports
16-00004786 (‘FIN6’ Operators Responsible for Multiple Point-of-Sale Breaches Monetized Through eCrime Underground), 19 April 2016
16-00004450 (Chinese-Speaking Actor Offers Card Monetization via POS Terminals, Will Likely Enable Money Laundering Activities), 13 April 2016
The post ThreatScape Media Highlights Update – Week Of April 20th appeared first on iSIGHT Partners.