Major web hosting providers become victims of ransomware
Monday, November 25, 2019 12:54:00 PM CEST
- Outsourcing IT services such as web hosting, managed service providers and cloud service providers could increase the exposure of organisations to ransomware attacks.
- In 2019, over 10 web provider companies have already been victims of targeted ransomware incidents.
- Since the largest known paid ransom was from a web-hosting provider, cybercriminals will likely increase their efforts.
The Silence group
Monday, November 25, 2019 12:53:00 PM CEST
- The Russian-origin cyber-criminal group Silence is attacking banks and financial institutions.
- Starting in 2016, the group has improved its tools and escalated its activities to attack targets worldwide.
- Its capabilities make it a potentially serious threat currently and in the future.
Coordinated ransomware campaign in Spain
Monday, November 25, 2019 12:52:00 PM CEST
- Ransomware is targeting municipalities in Europe.
- Multiple entities in Spain have seen significant outages because of the threat.
- These attacks can be seen as a continuation of the Big Game Hunting tactics observed elsewhere in the world.
APT groups are exploiting vulnerabilities in various VPN products
Monday, November 25, 2019 12:51:00 PM CEST
- APT groups are reportedly exploiting vulnerabilities in several unpatched VPN products used worldwide.
- US and UK agencies advise consumers to update VPN products from certain producers.
- Affected VPN products were from Fortinet, Palo Alto Networks and Pulse Secure.
- Certain bugs were detailed at Black Hat USA in August, before attacks on Fortinet and Pulse Secure were detected.
Iran’s APT35 targeting individuals tied to US 2020 elections
Monday, November 25, 2019 12:50:00 PM CEST
- An Iranian state-sponsored threat actor reportedly targeted accounts associated with the US presidential campaign.
- The group has also reportedly targeted academic researchers focusing on Iran in France, the US and the Middle East.
- Attempts by state-sponsored threat actors from various countries to compromise business or personal cloud-based email or social media accounts remain a significant threat.
- Even if not technically sophisticated, social-engineering-enabled attempts to compromise cloud-based email or social network accounts remain an efficient method for motivated attackers.
Magecart cybercriminals leveraging public WiFi vulnerabilities
Monday, November 25, 2019 12:45:00 PM CEST
- Cyber-criminal groups dubbed Magecart are exploiting vulnerable e-commerce websites to steal user payment data.
- One Magecart group has tested methods to compromise user devices browsing the internet via public WiFi hotspots.
- The same group is also attempting to compromise code used by mobile app developers and affect a large user base.
Business email compromise on the rise
Wednesday, October 2, 2019 1:44:00 PM CEST
- In 2018, Business Email Compromise (BEC) overtook ransomware as the main reason behind cyber claims.
- Between June 2016 and July 2019, BEC reportedly accounted for $26,2 billion USD in financial losses worldwide.
- BEC continues to grow with a 100% increase in identified global exposed losses between May 2018 and July 2019.
- Substantial financial losses due to BEC have been publicly reported in August and September 2019.
Airbus supply chain hacked in a cyberespionage campaign
Wednesday, October 2, 2019 1:43:00 PM CEST
- According to Agence France Presse (AFP), Airbus has fallen victim to a sophisticated cyber-espionage campaign.
- Attackers reportedly breached the IT systems of several of Airbus’s suppliers and, from there, penetrated Airbus’s IT systems.
- Attackers have been looking for certification documentation, sensitive information related to the A350 and A400M engines, as well as avionics details.
- Several of AFP’s sources suspect Chinese hacking groups, but no formal attribution has been made.
SIMjacking – an attack on mobile phones
Wednesday, October 2, 2019 1:41:00 PM CEST
- A newly published mobile phone SIM exploit, called Simjacker, allows attackers to stealthily spy on mobile users.
- The exploit allows attackers to find the device’s location or fully ‘take over’ the mobile phone.
- The vulnerability exploits a piece of legacy software which is not present in a large number of modern SIM cards.
- The vulnerability is actively being exploited either by a private company or its customers to locate mobile phones and thus their users.
Large scale and powerful cyber surveillance by China
Wednesday, October 2, 2019 1:40:00 PM CEST
- According to researchers, Chinese authorities are purportedly monitoring Uyghurs, both locally and internationally, through cyber means.
- The threat actors reportedly leveraged several techniques including multiple exploit chains against Android and iOS, several strategic web compromises, as well as bypassing the two-factor authentication of Google services.
- The wide range of leveraged methods demonstrates the threat actors’ significant capabilities, funds and technical expertise.
Big Game Hunting in the public sector
Wednesday, October 2, 2019 1:38:00 PM CEST
- Big Game Hunting extortion campaigns by cybercriminals have become a significant threat to the public sector.
- In the US, several ransomware attacks impacting local governments, cities, and public services were recently observed.
- Cybercriminals are striking victims with greater precision and timing.
- Their attacks are very well coordinated and they are demanding higher ransoms.
- US officials are worried about attacks against the 2020 election.
Android exploits commanding higher price than ever before
Wednesday, October 2, 2019 1:36:00 PM CEST
- The price of Android exploits exceeds the price of iOS exploits for the first time.
- This is possibly because Android security is improving over iOS.
- The release of Android 10 is also a likely cause for the price hike.
Corporate IoT – an intrusion path for APT groups
Wednesday, October 2, 2019 1:31:00 PM CEST
- APT28 reportedly attempted to compromise IoT devices to gain initial access to corporate networks.
- Such attacks are likely to expand as more IoT devices are deployed in corporate environments.
Fighting disinformation on social networks in Hong Kong
Wednesday, August 28, 2019 11:47:00 AM CEST
- Twitter, Facebook and Google suspended thousands of accounts for “coordinated inauthentic behaviour” in Hong Kong.
- The platforms’ operators claimed that accounts were associated with state-backed entities.
Russia’s security services against one another
Wednesday, August 14, 2019 4:17:00 PM CEST
- Since 2014, Russia’s security services have been in competition with each other.
- They act independently and take unnecessary risks in order to gain political influence over their counterparts.
- This has also resulted in an increase of treason allegations aimed at high-ranking Russian officials.
Massive breach at Capital One, purportedly due to a cloud misconfiguration
Friday, August 2, 2019 9:55:00 AM CEST
- A breach at Capital One, a major US bank, compromised data belonging to more than 106 million customers in both the US and Canada.
- The breach was reportedly detected thanks to a vulnerability notification made by an ethical security researcher.
- The alleged hacker, who was arrested, was reportedly an employee of the Amazon Web Services cloud service company, of which Capital One was a customer.
- The breach purportedly exploited a misconfigured web application used to access the cloud infrastructure.
Russian FSB’s projects leaked by hacktivists
Tuesday, July 30, 2019 10:06:00 AM CEST
- Russian FSB contractor SyTech was reportedly hacked and 7.5TB of data was leaked.
- This leak contains information about at least 20 of the FSB’s digital monitoring projects.
- A Russian-speaking hacktivist group dubbed the DigitalRevolution group is involved in the leak.
China’s Ministry of State Security’s likely role in cyber attacks
Monday, July 29, 2019 4:16:00 PM CEST
- Intrusion Truth, an anonymous entity, says that China’s MSS regional offices are likely involved in APT activities.
Cloud hosting firm iNSYNQ hit by ransomware attack
Monday, July 29, 2019 9:51:00 AM CEST
- Cloud hosting provider iNSYNQ experienced a ransomware attack that has left customers unable to access their data.
- One week after the infection, restoration was not yet completed and iNSYNQ encouraged its customers to rely on local backups.
Extended use of the likely Chinese Winnti malware
Thursday, July 25, 2019 2:09:00 PM CEST
- According to media, the Winnti malware has been used for cyber espionage purposes against German industries.
- Initially, the malware was likely developed by cyber-criminals, then repurposed and shared with other actors.
Chinese surveillance app
Wednesday, July 24, 2019 11:45:00 AM CEST
- The Chinese border police extracts data from phones belonging to people visiting the Xinjiang region, as they cross the border.
- An Android app is used to find specific content on the devices. iPhones are also impacted.
- These techniques are consistent with China’s overall domestic cyber-surveillance strategy.
Western technology firms targeted by Chinese threat actors
Wednesday, July 24, 2019 11:45:00 AM CEST
- Chinese hackers breached the networks of several technology firms, globally, from 2010 to 2017.
- The attacks were reportedly conducted by first penetrating the cloud computing service of Hewlett Packard Enterprise.
- Technology companies racing against Chinese firms appear to have been priority targets.
Russian digital services provider targeted by Western intelligence agencies
Wednesday, July 24, 2019 11:44:00 AM CEST
- Hackers breached the systems of Russian digital services provider Yandex.
- The breach occurred between October and November 2018.
- A private assessment by Kaspersky concluded hackers likely tied to Western intelligence breached Yandex using Regin.
- Previous Regin attacks (Belgacom case publicly uncovered in 2014) were attributed to US and British intelligence agencies.
Global espionage campaign targeting the telecommunications sector
Wednesday, July 24, 2019 11:44:00 AM CEST
- A global cyber-espionage campaign has targeted telecommunications providers from Africa, the Middle East, and Europe.
- Attackers were looking for call detail records, along with other personal data, credentials and geo-location of specific individuals.
- The interest and resources shown by the attackers denote a highly likely state-sponsored espionage origin.
US & Russia mutually targeting their power grids
Wednesday, July 24, 2019 11:42:00 AM CEST
- A New York Times report alleges that the US has infiltrated the Russian electrical grid with offensive malware.
- The infiltration is not known to have been linked with any disruption.
- If the report is true, this activity poses risks of escalation and retaliation.
- A separate report by a security company indicates that a Russian threat group is probing US and Asian electrical grids.
Ransomware paralyses European aircraft supplier
Wednesday, July 24, 2019 11:41:00 AM CEST
- Belgium-based airplane parts and aviation structuring business ASCO Industries has been hit by a cyber-attack.
- ASCO confirmed that the breach was allegedly related to a piece of ransomware.
- The company provides components to Airbus, Boeing, Bombardier Aerospace, and Lockheed Martin.
- About 1,000 people (70 percent of employees in Belgium) were sent home on unpaid leave, in Zaventem.
- According to media, production was shut down in Belgium and other countries (Canada, Germany, USA, Brazil, and France).
Hardware Security Modules not immune to hacking
Wednesday, July 24, 2019 11:41:00 AM CEST
- Security researchers released a paper revealing how they managed to hack a Hardware Security Module (HSM).
- HSMs are used to generate, manipulate and store sensitive cryptographic secrets (SIM cards, credit cards, secure boot hardware, disk and database encryption, PKI...).
- HSMs are also used by cloud service providers, such as Google or Amazon, allowing clients to centrally create, manage and use their cryptographic secrets.
High volume of European network traffic re-routed through China Telecom
Wednesday, July 24, 2019 11:40:00 AM CEST
- A routing incident led to 70 000 routes used for European traffic being redirected through China Telecom for over 2 hours.
- Border Gateway Protocol (BGP) errors are a relatively common issue but usually last just a few minutes.
- China Telecom has still not implemented some basic routing safeguards to detect and remediate them in a timely manner.
Android smartphones supply chain compromise
Wednesday, July 24, 2019 11:39:00 AM CEST
- Two Android smartphone models have been sold with pre-installed malware affecting at least 20000 users in Germany alone.
- For app developers the introduction of undesirable functions might be the result of poor coding practices, or a deliberate criminal act to maximise the return on their investment.
- Since 2016, several Android-related supply chain compromises have been reported, affecting up to 141 Android smartphone models.
Ransomware extortion affecting local administrations
Wednesday, July 24, 2019 11:36:00 AM CEST
- In the US, the city of Baltimore’s IT infrastructure suffered a ransomware attack that created disruption in public services.
- The attack was most likely executed with the use of a ransomware dubbed Robbinhood.
- Similar ransomware attacks against local administrations or public services have taken place across the US and globally.
Abuse of access to user information by employees of social media / digital service companies
Wednesday, July 24, 2019 11:36:00 AM CEST
- Snapchat personnel abused their level of access to user data some years ago.
- Corporate Gmail accounts had their passwords stored in plain text.
- These are the most recent cases of social media platforms exposing user data to insider abuse.
Malware authors increasingly use legitimate certificates to bypass defences
Wednesday, July 24, 2019 11:35:00 AM CEST
- Malware authors increasingly use legitimate certificates to sign their code.
- Certificate authorities sometimes fail to verify the identities of people applying for code-signing certificates.
- Signing malware with legitimate certificates increases the chance of remaining undetected.
Wireless attacks on aircraft instrument landing systems
Wednesday, July 24, 2019 11:35:00 AM CEST
- Modern aircraft rely heavily on several wireless technologies for communications, control, and navigation.
- Attackers could potentially change the course of a flight using commercially available equipment.
- The systems used to guide planes could be hijacked by compromising and spoofing the radio signals that are used during landing.
Gothic Panda possibly used DoublePulsar a year before the Shadow Brokers leak
Wednesday, July 24, 2019 11:34:00 AM CEST
- Gothic Panda may have used an Equation Group tool at least one year before the Shadow Brokers leak.
- It is unknown how the threat group obtained the tool.
- This is a good example of a threat actor re-using cyber weapons that were originally fielded by another group.
Chinese mass surveillance systems: insights and export
Wednesday, July 24, 2019 11:34:00 AM CEST
- A database containing personal data of Chinese citizens was left unprotected on the Internet.
- These personal data were purportedly collected using smart cities and mass surveillance technologies.
- Human Rights Watch released a report detailing how the Chinese government is using such technologies as a means to invade its citizens’ privacy.
- Chinese companies and start-ups are exporting these technologies to foreign countries.
Hacking groups compete for cryptojacking cloud-based infrastructure
Wednesday, July 24, 2019 11:33:00 AM CEST
- Two hacking groups associated with large-scale cryptomining campaigns wage war on one another.
- Pacha Group and Rocke Group compete to compromise as much cloud-based infrastructure as possible.
- One group is using techniques to kill any other cryptocurrency malware running on infected machines.
- Cloud infrastructure is quickly becoming a common target for threat actors, particularly on vulnerable Linux servers.
Cyber-attacks lead to conventional military strikes
Wednesday, July 24, 2019 11:32:00 AM CEST
- Israel Defence Forces destroyed the headquarters of the main cyber unit of the Palestinian organisation Hamas by airstrikes.
- The assault is likely to be the first true example of a physical attack being used as a real-time response to digital aggression.
- Affected entities will likely rebuild their lost capabilities and continue to conduct cyber operations against Israeli targets.
Docker breach exposes a significant number of accounts
Wednesday, July 24, 2019 11:31:00 AM CEST
- Docker Hub, an open repository of software containers, announced a breach affecting about 190 000 of its users.
- As the breach affects associated development platforms, it may impact several stages of software development workflows.
- Threat actors adopt supply chain attacks as a method to bypass some of the traditional IT security measures.
Cyber enabled espionage in the aviation sector
Wednesday, July 24, 2019 11:30:00 AM CEST
- A General Electric employee reportedly stole aerospace turbine technology secrets for the benefit of China.
- The spy used several methods such as encryption, exfiltration via USB storage devices, steganography and sending stolen files to his personal email address.
- China has been suspected of conducting cyber-espionage operations in the aviation sector for several years.
- According to researchers, since 2004, a total of 20 active Chinese threat actor groups have been detected targeting aviation as a whole.
Facebook urged to control the spread of US law enforcement fake accounts
Wednesday, July 24, 2019 11:30:00 AM CEST
- US Immigration and Customs Enforcement used fake accounts on Facebook to identify people committing immigration fraud.
- The agency created social media profiles for a non-existent university and its staff.
- All this activity violates Facebook’s policies but the involved US agencies have shown no concern.
- Facebook is urged to curb the proliferation of undercover law enforcement accounts on the social media platform.
Cyberattacks enabled disinformation in Lithuania
Wednesday, July 24, 2019 11:29:00 AM CEST
- The Lithuanian Ministry of Defence was targeted by a disinformation campaign.
- The dissemination of disinformation was likely enabled and facilitated by cyberattacks.
New TRITON attack
Wednesday, July 24, 2019 11:29:00 AM CEST
- TRITON is a sophisticated malware framework with the capacity to manipulate industrial safety systems, cause physical damage and shut down operations.
- TRITON authors are believed to have ties with a Moscow-based scientific research institute.
- Victims have been identified in the Middle East and in North America.
- A comprehensive analysis of techniques and tools linked to TRITON has recently been published to help detect and hunt related attacks.
A Cryptojacking campaign had disruptive impact
Wednesday, July 24, 2019 11:28:00 AM CEST
- The systems of a Japanese company were shut down following a first-stage attack suspected to precede a cryptojacking campaign.
- This incident highlights the disruptive nature of cryptojacking attacks and their ability to affect victims' operations.
- In 2018, several cases of disruption caused by cryptojacking attacks were reported.
Airports & Operational Technology: 4 Attack Scenarios
Wednesday, July 24, 2019 11:27:00 AM CEST
- Security in global aviation is increasingly dependent on vulnerabilities in information technology (IT) and operational technology (OT) systems.
- Airports are using several critical OT systems (e.g. baggage control, runway lights, air conditioning, and power).
- More than a hundred unique exploits have been spotted since the publication of proofs of concept and payload creation tools, after the disclosure.
- Four important risk vectors have been more specifically identified: Baggage Handling, Aircraft Tugs, De-icing Systems, Fuel Pumps.
WinRAR zero-day exploited in many attacks
Wednesday, July 24, 2019 11:26:00 AM CEST
- On February 20, a 20-year-old zero-day vulnerability in the archiving software WinRAR was publicly revealed.
- On February 26, a patched version of WinRAR was released; the update must be done manually.
- More than a hundred unique exploits have been spotted since the publication of proofs of concept and payload creation tools, after the disclosure.