March is typically a busy month, for attackers and defenders alike. We felt this month has been a bit quieter than we expected… That said slim pickings don’t exist anymore. Here’s this months’ top threats overview.
Bundestrojaner targeting Germany and Guccifer 2.0 opsec fail
On March 1st, the German government conﬁrmed an ongoing cyber attack against the German government, resulting in loss of sensitive government data. The attack was supposedly carried out by a Russian cyber espionage group dubbed Fancy Bear, also known as APT28. They have a history of political objectives that could be detrimental to elections, as recently shown in the interference in the United States 2016 election. If you’re a German, this is relevant. If you’re European, pretty relevant. There’s a lot of activity attributed to APT28 over the last months, and Russia has been on the receiving end of attacks too.
The plot specifically thickens with regards to Guccifer 2.0. This ”lone Romanian hacker” took credit for the US election meddling DNC hack in 2016. His narrative countered the widely speculated Russian interference, and the Crowdstrike investigation pointing out Russia as the perpetrator. In March, Daily Beast reported it had found proof Guccifer 2.0 was actually no lone Romanian, but an officer in the GRU, Russia’s military intelligence office. An opsec failure lead to the attribution. This fail was due to not using a VPN, revealing his IP address which could be correlated to an identity. It sounds laughably stupid, but we have seen criminals under pressure make this mistake more than once. Guccifer 2.0 has now landed on Mueller’s desk. This is a real-time cold war movie progressing in real-time. We are watching this space and reporting.
Saudi explosive attack failed
Just last month, we argued safety and security are converging. The Saudi’s learned this lesson the hard way, when they experienced a targeted cyber attack against a petrochemical plant. The unidentiﬁed adversaries’ intentions were to disrupt operations, in order to trigger an explosion, causing maximum physical damage and death. It is not yet known how the attack took place, or the root cause of the compromise. However, these kinds of attacks are considered highly dangerous. Due to a human error, a mistake in the attacker’s computer code, the intended explosion was prevented. Lucky for the Saudi’s, even bad guys are human.
Cryptojacking with GhostMiner
We noticed a trend of malicious cryptocurrency miners over the past few months, and now they’ve advanced with a ﬁleless malware called GhostMiner, targeting servers running Oracle WebLogic, MSSQL, and phpMyAdmin. What is unique with GhostMiner is its goal of avoiding detection by antivirus by using stealthy techniques that run the malicious code in memory and remove any other cryptocurrency miners that could be detected in the system. Our advice? Good old fashioned update and patch diligence, network hygiene, and not letting your guard down just because the mining malware is not destroying things.
Ransomware still not dead?
Nope. On March 26th, a new kind of ransomware, dubbed AVCrypt, targeted endpoint protection solutions such as Windows Defender and Malwarebytes by uninstalling the services before performing encryption in order to avoid detection. The malware was reported as ineﬀective and the suspicion is that it is under development. However, it will probably not be long until similar variants are discovered with more advanced features than AVCrypt.
Web interfaces for known leaked password dumps lead to panic in NL
When we blogged about the 1.4 billion stolen passwords in a neat database in December, we asked ourselves: should you care? Answer: yes, but not not more than usual. People shrugged their shoulders and went on with their lives.
Fast forward four months to when an anonymous Dutch hacker downloaded said database, grepped for (.NL|.nl), and found 3.3M Dutch passwords. He created a web interface and called some journalists, and the news exploded all over. We grudgingly acknowledge that this is a good way to grab attention. The upside is: another wake up call for many that passwords are broken.
The bad news: the panic was unnecessary, and there’s still a misalign between infosec and the press. This was illustrated when someone else created another web interface, returning full cleartext passwords. While the info is there for any geek to tinker with, it’s turning into an ethical issue. Everyone not tech savvy can now look up old passwords of friends, neighbors, policemen they know, VIP’s and so on. And try to use them. Would you want to facilitate this?
If you have ever used online services over the past 10 years, there’s a good chance your password is stolen and known. So don’t reuse passwords, use a password manager and use 2 factor authentication.
Joakim Wahlgren, Diana Selck, Eward Driehuis