Threat intelligence

Major web hosting providers become victims of ransomware
Monday, November 25, 2019 11:54:00 AM CET
- Outsourcing IT services to web hosting, managed service and cloud service providers could increase organisations' exposure to ransomware attacks.
- In 2019, over 10 web provider companies have already been victims of targeted ransomware incidents.
- Since the largest known ransom payment was made by a web-hosting provider, cybercriminals will likely increase their efforts against this sector.

The Silence group
Monday, November 25, 2019 11:53:00 AM CET
- Silence, a cyber-criminal group of Russian origin, is attacking banks and financial institutions.
- Starting in 2016, the group has improved its tools and escalated its activities to attack targets worldwide.
- Its capabilities make it a potentially serious threat now and in the future.

Coordinated ransomware campaign in Spain
Monday, November 25, 2019 11:52:00 AM CET
- Ransomware is targeting municipalities in Europe.
- Multiple entities in Spain have seen significant outages because of the threat.
- These attacks can be seen as a continuation of the Big Game Hunting tactics observed elsewhere in the world.

APT groups are exploiting vulnerabilities in various VPN products
Monday, November 25, 2019 11:51:00 AM CET
- APT groups are reportedly exploiting vulnerabilities in several unpatched VPN products used worldwide.
- US and UK agencies advise consumers to update VPN products from certain producers.
- Affected VPN products were from Fortinet, Palo Alto Networks and Pulse Secure.
- Certain bugs were detailed at Black Hat USA in August, before attacks on Fortinet and Pulse Secure products were detected.

Iran’s APT35 targeting individuals tied to US 2020 elections
Monday, November 25, 2019 11:50:00 AM CET
- An Iranian state-sponsored threat actor reportedly targeted accounts associated with the US presidential campaign.
- The group has also reportedly targeted academic researchers focusing on Iran in France, the US and the Middle East.
- Attempts by state-sponsored threat actors from various countries to compromise business or personal cloud-based email or social media accounts remain a significant threat.
- Even if not technically sophisticated, social-engineering-enabled attempts to compromise cloud-based email or social network accounts remain an efficient method for motivated attackers.

Magecart cybercriminals leveraging public WiFi vulnerabilities
Monday, November 25, 2019 11:45:00 AM CET
- Cyber-criminal groups dubbed Magecart are exploiting vulnerable e-commerce websites to steal user payment data.
- One Magecart group has tested methods to compromise user devices browsing the internet via public WiFi hotspots.
- The same group is also attempting to compromise code used by mobile app developers and affect a large user base.

Business email compromise on the rise
Wednesday, October 02, 2019 01:44:00 PM CEST
- In 2018, Business Email Compromise (BEC) overtook ransomware as the main reason behind cyber claims.
- Between June 2016 and July 2019, BEC reportedly accounted for USD 26.2 billion in financial losses worldwide.
- BEC continues to grow, with a 100% increase in identified global exposed losses between May 2018 and July 2019.
- Substantial financial losses due to BEC were publicly reported in August and September 2019.

Airbus supply chain hacked in a cyberespionage campaign
Wednesday, October 02, 2019 01:43:00 PM CEST
- According to Agence France Presse (AFP), Airbus has fallen victim to a sophisticated cyber-espionage campaign.
- Attackers reportedly breached the IT systems of several Airbus suppliers and, from there, penetrated Airbus’s IT systems.
- Attackers were looking for certification documentation, sensitive information on the A350 and A400M engines, as well as avionics details.
- Several AFP sources suspect Chinese hacking groups; however, no formal attribution has been made.

SIMjacking – an attack on mobile phones
Wednesday, October 02, 2019 01:41:00 PM CEST
- A newly published mobile phone SIM exploit, called Simjacker, allows attackers to stealthily spy on mobile users.
- The exploit allows attackers to find the device’s location or fully ‘take over’ the mobile phone.
- The vulnerability exploits a piece of legacy software which is not present in a large number of modern SIM cards.
- The vulnerability is actively being exploited either by a private company or its customers to locate mobile phones and thus their users.

Large scale and powerful cyber surveillance by China
Wednesday, October 02, 2019 01:40:00 PM CEST
- According to researchers, Chinese authorities are purportedly monitoring Uyghurs, both locally and internationally, through cyber means.
- The threat actors reportedly leveraged several techniques including multiple exploit chains against Android and iOS, several strategic web compromises, as well as bypassing the two-factor authentication of Google services.
- The wide range of leveraged methods demonstrates the threat actors’ significant capabilities, funds and technical expertise.

Big Game Hunting in the public sector
Wednesday, October 02, 2019 01:38:00 PM CEST
- Big Game Hunting extortion campaigns by cybercriminals have become a significant threat to the public sector.
- In the US, several ransomware attacks impacting local governments, cities, and public services were recently observed.
- Cybercriminals are striking victims with greater precision and timing.
- Their attacks are very well coordinated and they are demanding higher ransoms.
- US officials are worried about attacks against the 2020 election.

Android exploits commanding higher price than ever before
Wednesday, October 02, 2019 01:36:00 PM CEST
- The price of Android exploits exceeds the price of iOS exploits for the first time.
- This is possibly because Android security is improving relative to iOS.
- The release of Android 10 is also a likely cause for the price hike.

Corporate IoT – an intrusion path for APT groups
Wednesday, October 02, 2019 01:31:00 PM CEST
- APT28 reportedly attempted to compromise IoT devices to gain initial access to corporate networks.
- Such attacks are likely to expand as more IoT devices are deployed in corporate environments.

Fighting disinformation on social networks in Hong Kong
Wednesday, August 28, 2019 11:47:00 AM CEST
- Twitter, Facebook and Google suspended thousands of accounts for “coordinated inauthentic behaviour” in Hong Kong.
- The platforms’ operators claimed that the accounts were associated with state-backed entities.

Russia’s security services against one another
Wednesday, August 14, 2019 04:17:00 PM CEST
- Since 2014, Russia’s security services have been in competition with each other.
- They act independently and take unnecessary risks in order to gain political influence over their counterparts.
- This has also resulted in an increase in treason allegations aimed at high-ranking Russian officials.

Massive breach at Capital One, purportedly due to a cloud misconfiguration
Friday, August 02, 2019 09:55:00 AM CEST
- A breach at Capital One, a major US bank, compromised data belonging to more than 106 million customers in both the US and Canada.
- The breach was reportedly detected thanks to a vulnerability notification made by an ethical security researcher.
- The alleged hacker, who was arrested, was reportedly an employee of the Amazon Web Services cloud service company, of which Capital One was a customer.
- The breach purportedly exploited a misconfigured web application used to access the cloud infrastructure.

Russian FSB projects leaked by hacktivists
Tuesday, July 30, 2019 10:06:00 AM CEST
- Russian FSB contractor SyTech was reportedly hacked and 7.5TB of data were leaked.
- The leak contains information about at least 20 FSB digital monitoring projects.
- A Russian-speaking hacktivist group dubbed the DigitalRevolution group is involved in the leak.

China’s Ministry of State Security’s likely role in cyber attacks
Monday, July 29, 2019 04:16:00 PM CEST
- Intrusion Truth, an anonymous entity, says that China’s MSS regional offices are likely involved in APT activities.

Cloud hosting firm iNSYNQ hit by ransomware attack
Monday, July 29, 2019 09:51:00 AM CEST
- Cloud hosting provider iNSYNQ experienced a ransomware attack that has left customers unable to access their data.
- One week after the infection, restoration was not yet completed and iNSYNQ encouraged its customers to rely on local backups.

Extended use of the likely Chinese Winnti malware
Thursday, July 25, 2019 02:09:00 PM CEST
- According to media reports, the Winnti malware has been used for cyber espionage purposes against German industries.
- Initially, the malware was likely developed by cyber-criminals, then repurposed and shared with other actors.

Chinese surveillance app
Wednesday, July 24, 2019 11:45:00 AM CEST
- The Chinese border police extract data from phones belonging to people visiting the Xinjiang region, as they cross the border.
- An Android app is used to find specific content on the devices. iPhones are also impacted.
- These techniques are consistent with China’s overall domestic cyber-surveillance strategy.

Western technology firms targeted by Chinese threat actors
Wednesday, July 24, 2019 11:45:00 AM CEST
- Chinese hackers breached the networks of several technology firms, globally, from 2010 to 2017.
- The attacks were reportedly conducted by first penetrating the cloud computing service of Hewlett Packard Enterprise.
- Technology companies competing with Chinese firms appear to have been priority targets.

Russian digital services provider targeted by Western intelligence agencies
Wednesday, July 24, 2019 11:44:00 AM CEST
- Hackers breached the systems of Russian digital services provider Yandex.
- The breach occurred between October and November 2018.
- A private assessment by Kaspersky concluded that hackers likely tied to Western intelligence breached Yandex using Regin.
- Previous Regin attacks (the Belgacom case, publicly uncovered in 2014) were attributed to US and British intelligence agencies.

Global espionage campaign targeting the telecommunications sector
Wednesday, July 24, 2019 11:44:00 AM CEST
- A global cyber-espionage campaign has targeted telecommunications providers from Africa, the Middle East, and Europe.
- Attackers were looking for call detail records, along with other personal data, credentials and the geo-location of specific individuals.
- The interest and resources shown by the attackers indicate a highly likely state-sponsored espionage origin.

US & Russia mutually targeting their power grids
Wednesday, July 24, 2019 11:42:00 AM CEST
- A New York Times report alleges that the US has infiltrated the Russian electrical grid with offensive malware.
- The infiltration is not known to have been linked with any disruption.
- If the report is true, this activity poses risks of escalation and retaliation.
- A separate report by a security company indicates that a Russian threat group is probing US and Asian electrical grids.

Ransomware paralyses European aircraft supplier
Wednesday, July 24, 2019 11:41:00 AM CEST
- Belgium-based airplane parts and aviation structures business ASCO Industries has been hit by a cyber-attack.
- ASCO confirmed that the breach was allegedly related to a piece of ransomware.
- The company provides components to Airbus, Boeing, Bombardier Aerospace, and Lockheed Martin.
- About 1,000 people in Zaventem (70 percent of the company’s employees in Belgium) were sent home on unpaid leave.
- According to media reports, production was shut down in Belgium and other countries (Canada, Germany, USA, Brazil, and France).

Hardware Security Modules not immune to hacking
Wednesday, July 24, 2019 11:41:00 AM CEST
- Security researchers released a paper revealing how they managed to hack a Hardware Security Module (HSM).
- HSMs are used to generate, manipulate and store sensitive cryptographic secrets (SIM cards, credit cards, secure boot hardware, disk and database encryption, PKI...).
- HSMs are also used by cloud service providers, such as Google or Amazon, allowing clients to centrally create, manage and use their cryptographic secrets.

High volume of European network traffic re-routed through China Telecom
Wednesday, July 24, 2019 11:40:00 AM CEST
- A routing incident led to 70 000 routes used for European traffic being redirected through China Telecom for over 2 hours.
- Border Gateway Protocol (BGP) errors are a relatively common issue but usually last just a few minutes.
- China Telecom has still not implemented some basic routing safeguards to detect and remediate them in a timely manner.

Android smartphones supply chain compromise
Wednesday, July 24, 2019 11:39:00 AM CEST
- Two Android smartphone models have been sold with pre-installed malware affecting at least 20 000 users in Germany alone.
- On the app developers’ side, the introduction of undesirable functions may result from poor coding practices or from a deliberate criminal act to maximise the return on their investment.
- Since 2016, several Android-related supply chain compromises have been reported, affecting up to 141 Android smartphone models.

Ransomware extortion affecting local administrations
Wednesday, July 24, 2019 11:36:00 AM CEST
- In the US, the city of Baltimore’s IT infrastructure suffered a ransomware attack that created disruption in public services.
- The attack was most likely executed with the use of a ransomware dubbed Robbinhood.
- Similar ransomware attacks against local administrations or public services have taken place across the US and globally.

Abuse of access to user information by employees of social media / digital service companies
Wednesday, July 24, 2019 11:36:00 AM CEST
- Snapchat personnel abused their level of access to user data some years ago.
- Corporate Gmail accounts had their passwords stored in plain text.
- These are the most recent cases of social media platforms exposing user data to insider abuse.

Malware authors increasingly use legitimate certificates to bypass defences
Wednesday, July 24, 2019 11:35:00 AM CEST
- Malware authors increasingly use legitimate certificates to sign their code.
- Certificate authorities sometimes fail to verify the identities of people applying for code-signing certificates.
- Signing malware with legitimate certificates increases the chance of remaining undetected.

Wireless attacks on aircraft instrument landing systems
Wednesday, July 24, 2019 11:35:00 AM CEST
- Modern aircraft rely heavily on several wireless technologies for communications, control, and navigation.
- Attackers could potentially change the course of a flight using commercially available equipment.
- The systems used to guide planes could be hijacked by compromising and spoofing the radio signals that are used during landing.

Gothic Panda possibly used DoublePulsar a year before the Shadow Brokers leak
Wednesday, July 24, 2019 11:34:00 AM CEST
- Gothic Panda may have used an Equation Group tool at least one year before the Shadow Brokers leak.
- It is unknown how the threat group obtained the tool.
- This is a good example of a threat actor re-using cyber weapons that were originally fielded by another group.

Chinese mass surveillance systems: insights and export
Wednesday, July 24, 2019 11:34:00 AM CEST
- A database containing personal data of Chinese citizens was left unprotected on the Internet.
- These personal data were purportedly collected using smart cities and mass surveillance technologies.
- Human Rights Watch released a report detailing how the Chinese government is using such technologies as a means to invade its citizens’ privacy.
- Chinese companies and start-ups are exporting these technologies to foreign countries.

Hacking groups compete for cryptojacking cloud-based infrastructure
Wednesday, July 24, 2019 11:33:00 AM CEST
- Two hacking groups associated with large-scale cryptomining campaigns wage war on one another.
- Pacha Group and Rocke Group compete to compromise as much cloud-based infrastructure as possible.
- One group is using techniques to kill any other cryptocurrency malware running on infected machines.
- Cloud infrastructure is quickly becoming a common target for threat actors, particularly on vulnerable Linux servers.

Cyber-attacks lead to conventional military strikes
Wednesday, July 24, 2019 11:32:00 AM CEST
- The Israel Defence Forces destroyed the headquarters of the main cyber unit of the Palestinian organisation Hamas with airstrikes.
- The assault is likely to be the first true example of a physical attack being used as a real-time response to digital aggression.
- Affected entities will likely rebuild their lost capabilities and continue to conduct cyber operations against Israeli targets.

Docker breach exposes a significant number of accounts
Wednesday, July 24, 2019 11:31:00 AM CEST
- Docker Hub, an open repository of software containers, announced a breach affecting about 190 000 of its users.
- As the breach affects associated development platforms, it may impact several stages of software development workflows.
- Threat actors adopt supply chain attacks as a method to bypass some of the traditional IT security measures.

Cyber enabled espionage in the aviation sector
Wednesday, July 24, 2019 11:30:00 AM CEST
- A General Electric employee reportedly stole aerospace turbine technology secrets for the benefit of China.
- The spy used several methods such as encryption, exfiltration via USB storage devices, steganography and sending stolen files to his personal email address.
- China has been suspected of conducting cyber-espionage operations in the aviation sector for several years.
- According to researchers, since 2004, a total of 20 active Chinese threat actor groups have been detected targeting aviation as a whole.

Facebook urged to control the spread of US law enforcement fake accounts
Wednesday, July 24, 2019 11:30:00 AM CEST
- US Immigration and Customs Enforcement used fake accounts on Facebook to identify people committing immigration fraud.
- The agency created social media profiles for a non-existent university and its staff.
- All this activity violates Facebook’s policies but the involved US agencies have shown no concern.
- Facebook is urged to curb the proliferation of undercover law enforcement accounts on the social media platform.

Cyberattacks enabled disinformation in Lithuania
Wednesday, July 24, 2019 11:29:00 AM CEST
- The Lithuanian Ministry of Defence was targeted by a disinformation campaign.
- The dissemination of disinformation was likely enabled and facilitated by cyberattacks.

New TRITON attack
Wednesday, July 24, 2019 11:29:00 AM CEST
- TRITON is a sophisticated malware framework with the capacity to manipulate industrial safety systems, cause physical damage and shut down operations.
- TRITON’s authors are believed to have ties with a Moscow-based scientific research institute.
- Victims have been identified in the Middle East and in North America.
- A comprehensive analysis of techniques and tools linked to TRITON has recently been published to help detect and hunt related attacks.

A Cryptojacking campaign had disruptive impact
Wednesday, July 24, 2019 11:28:00 AM CEST
- The systems of a Japanese company were shut down following a first-stage attack suspected to precede a cryptojacking campaign.
- This incident highlights the disruptive nature of cryptojacking attacks and their ability to affect victims’ operations.
- In 2018, several cases of disruption caused by cryptojacking attacks were reported.

Airports & Operational Technology: 4 Attack Scenarios
Wednesday, July 24, 2019 11:27:00 AM CEST
- Security in global aviation increasingly depends on the security of information technology (IT) and operational technology (OT) systems.
- Airports are using several critical OT systems (e.g. baggage control, runway lights, air conditioning, and power).
- Four important risk vectors have been more specifically identified: Baggage Handling, Aircraft Tugs, De-icing Systems, Fuel Pumps.

WinRAR zero-day exploited in many attacks
Wednesday, July 24, 2019 11:26:00 AM CEST
- On February 20, a 20-year-old zero-day vulnerability in the archiving software WinRAR was publicly revealed.
- On February 26, a patched version of WinRAR was released; the update must be applied manually.
- More than a hundred unique exploits have been spotted since the publication of proofs of concept and payload creation tools following the disclosure.