The number and frequency of vulnerabilities to raise cybersecurity concerns continues to grow. On average, organizations suffer two to three focused security breaches each month—attacks they admit could take months, or even years, to detect. In some instances, such breaches could be impossible to detect. Accenture Security is monitoring existing and potential threats and offers deep experience to help organizations build resilience from the inside out. Find out more about the latest threats.
A number of security vendors reported a series of cyberattacks involving the use of a malware family called SOCKSBOT and claimed to be associated with CANDLEFISH (also known as Patchwork, Dropping Elephant). However, as disclosed in our report, research by Accenture Security iDefense analysts shows that SOCKSBOT was used by a threat group in an 18-month-long campaign dubbed Goldfin, spoofing financial institutions in the Commonwealth of Independent States (CIS) countries since as early as February 2017 to as recently as May 2018. Based on the tactics, techniques and procedures (TTPs) observed in this campaign, iDefense assesses with moderate confidence that the reported campaign is unlikely to be associated with CANDLEFISH.
In addition, iDefense analysts have identified infrastructure overlap and the shared use of a PowerShell obfuscation technique with FIN7. Although these observations are not enough to attribute the Goldfin campaign to FIN7, iDefense assesses these to be interesting and noteworthy observations that further highlight the complex relationships that exist behind-the-scenes in organized cybercrime.DOWNLOAD REPORT [PDF]
The report identifies the modus operandi of a highly active threat group that is targeting financial institutions for financial gain. Security operation center (SOC) analysts and engineers can use this report's detailed information around the workings of a malware family and indicators of compromise (IoCs) to contain or mitigate the discussed threat through monitoring or blocking. SOC analysts can use the information provided in the analysis and mitigation sections of this cyber advisory report for hunting activities for systems that may have been compromised already. Analysts and security engineers can use the IoCs by adding them to hunting lists on endpoint detection and response (EDR) solutions as well as network- and host-based blacklists to detect and deny malware implantation and command-and-control (C2) communication. Intelligence analysts may want to use the information provided in this cyber advisory report to better inform their own analyses. The information provided can also help inform ongoing intelligence analyses and forensic investigations, particularly for compromise discovery, damage assessment, and attribution. Management and executive leadership may wish to assess the risks associated with the threats described to make the appropriate operational and policy decisions.
To effectively defend against the threats identified in this report, we recommend:
On January 3, 2018, various media reports announced that researchers had discovered two major flaws in microprocessor design which leave the world’s laptops, desktops, servers, smartphones, other mobile devices and cloud services vulnerable to attack. Considering the nature of the vulnerabilities, it is highly unlikely that organizations will be able to detect whether a system has been successfully attacked.
Meltdown is a vulnerability affecting main microprocessor manufacturers with Advanced Micro Devices (AMD) currently being reported as unaffected. Part of the reason that this vulnerability exists is the race for microprocessor performance. To perform as fast as possible, a chip predicts which code it may need to run next. If this predictive assumption is wrong, the chip discards the operations it did not need. Remnants of the “speculative” code—which can include logins, passwords, personally identifiable information (PII) and encryption keys—remain in the memory cache at risk of exploitation. Meltdown enables attackers to execute software that can read this memory and capture the data. Meltdown is relatively easy to exploit, but patches are becoming available to remediate its effects. These patches can degrade processor speed by five to 30 percent according to reports—which will affect cost and performance.
Spectre is a flaw in the architecture of microprocessor design making processors from most, if not all, manufacturers vulnerable to attack. Fixing it is difficult and may rely on a new generation of redesigned microprocessors.
Of the two vulnerabilities, Spectre appears more serious, although it is harder to exploit. The repair for Spectre is challenging, will take the industry a long time to address completely, and the impact could be felt throughout a complete generation of CPU hardware.
The information obtained from system memory can be used to conduct further attacks and expose vulnerabilities on a range of devices. Cloud services are also affected, as multiple virtual machines are often provided on a single physical machine. An attacker with a presence on a virtual machine in the cloud could theoretically use a specially crafted program to access the memory contents of other customers’ virtual machines on the same physical system. Although the performance impact is uncertain, older devices are likely to suffer most and the resultant poor performance costs may have to be absorbed by organizations. With the potential for services to be disrupted, and the difficulties of enforcing patch updates, the overall cost to businesses could be punitive.
Take practical steps today to protect your organization from future malware attacks that may exploit the Meltdown and Spectre vulnerabilities.
Prioritize patching, especially of virtual machine software
Test patches for performance before deploying them to production
Increase scrutiny of phishing e-mails that may contain attached executable files
Regularly review performance metrics on cloud-based servers looking for unexplained performance degradation
Conduct adequate performance testing, and add more resources as required to arrive at the desired performance level—applying operating system (OS) patches to mitigate the Meltdown attack may degrade performance.
Take a risk-based review of the unpatchable systems in your estate—given the ubiquity of microprocessors, older systems running critical functions may be most at risk.
TRITON (also known as TRISIS or HatMan) is a new and destructive malware and framework that can alter and disrupt operations of safety instrumented systems (SIS). SIS are used across Oil and Gas, Chemicals, Utilities, and other sectors, to provide a mechanism to safely shut down an industrial process when it has encountered unsafe operating conditions.
SIS, like main process control systems used at industrial plants, can be susceptible to a cyber attack or malware. TRITON can replace safety-functional logic with alternative logic crafted by the attacker which could, for example, fail to engage the safety system when an unsafe condition occurs, leading to infrastructure damage and potentially even loss of life. TRITON was purposefully built to target a specific brand of SIS—Triconex, manufactured by Schneider Electric. Its acts as legitimate software that is normally used to analyze SIS data and event logs.
Download the report and take practical steps today to protect your organization from future malware attacks like the TRITON/TRISIS threat model:
Physical controls—SIS controllers, like all other critical hardware components, should be kept in locked spaces, monitored and accessible only to authorized personnel.
Logical access control—Only authorized and properly controlled USB sticks, writable media, and programming laptops, should be used for system access. Portable media should be verified each time before being allowed to connect to SIS.
Network segmentation—SIS components should reside in an isolated network.
Configuration and change management—Industrial Control System (ICS) governance roles, processes, and tools should be in place to facilitate the correct and authorized deployment, maintenance and verification of SIS equipment and its configuration.
Security monitoring and scanning—Deploy network security monitoring technology, along with ICS vendor certified scanning technology, where possible.
Monero is a cryptocurrency designed to keep users anonymous and known to be highly resistant to transaction analysis by law enforcement. It is rapidly becoming the cryptocurrency of choice in the cyber-criminal underground economy. Monero is also extremely popular with operators of miner malware—like WannaMine—malware that infects personal computers and uses the spare processing power to “mine” cryptocurrency—because of its low difficulty rate, compared to other cryptocurrencies of similar value.
Monero is popular and easy to mine. It was initially positioned as a major competitive alternative to Bitcoin. Its popularity is actually due in large part to the demand from the criminal underground. In 2016 administrators of the now defunct criminal marketplace AlphaBay attempted to manipulate the price of Monero, encouraging mass buying of the currency. This pushed Monero into the cyber criminal mainstream. Monero’s capabilities are now being promoted as part of the suite of criminal malware available on the black market. It is also believed it is being used by state-sponsored cyber operations groups affiliated with North Korea attempting to avoid sanctions. Organizations in all industries should take note because they may have to deal with miner malware, or other types of criminal probing/hijacking attempts related to Monero. Financial Services and Government Agencies in particular may have already been affected.
To reduce the risks and impact of Monero miner malware on your organization, security teams should:
Monitor system performance of hosts with business IT network environments to detect unusual rises in CPU or GPU use—or performance degradation
Monitor outbound network communications to known Monero mining pools
Monitor for cryptocurrency wallet and mining pool addresses in host process memory via endpoint detection and response (EDR) tools
HOGFISH, more commonly known as APT10 has been heavily targeting Japan and Western organizations since as early as 2009. The malware used in this campaign uncovered by iDefense analysts, is the latest iteration of RedLeaves: a capable RAT that allows the threat group to perform the following actions on a compromised machine:
Gather browser usernames and passwords
Gather extended system information
Send, receive, and execute commands from the C2 server
This report contains a full overview of a recent HOGFISH campaign targeting organizations in Japan, and taunting tactics used on other intelligence analysts, researchers and responders.
Despite the recent high profile disclosure in the Operation Cloud Hopper by the National Cyber Security Centre (NCSC) and others, HOGFISH remains a highly active and innovative threat group. Hogfish does not shy away from targets around the world, but does have a particular interest on Japan. Stolen data and proprietary information is likely to be transformed by the threat group into actionable intelligence for the group’s sponsors.
To effectively mitigate against threats posed by this particular HOGFISH campaign, security teams should look for and block access to the following C2 domains and IP addresses:
For threat hunting, it is also useful to examine the content of the following folders and look out for anomalous data:
A mutex named jH10689DS, 2N6541mb, or rV6880B9.
After the first attack in 2015, a new form of the Elise malware has been identified by the iDefense team in Accenture Security. The well-known threat group called DRAGONFISH—also known as Lotus Blossom—is distributing a new form of the malware targeting organizations for espionage purposes.
The threat actors associated with DRAGONFISH have previously focused their campaigns on targets in Southeast Asia, specifically those located in countries near the South China Sea. These attacks have mainly targeted high-profile government, military and political institutions, but other victims include those operating in the education and telecommunication industries. iDefense analysts have identified a campaign likely to be targeting members of—or those with affiliation or interest in—the ASEAN Defence Ministers’ Meeting (ADMM).
To mitigate the threat of the described campaign, security teams can consider blocking access to the C2 server 103.236.150[.]14 and, where applicable, ensure that the Microsoft Security Update KB2553204 is installed in order to patch the CVE-2017-11882 vulnerability. For threat hunting, iDefense also suggests that analysts look for the following artifacts:
Ransomware introduces malicious software onto a target computer or server to exploit one or more programmatic flaws and gain expanded access to the computer. With files “locked” with an encryption key that only the attacker possesses, the impacted user is asked to pay money—often in the digital currency bitcoin—to reinstate access to the encrypted files. Ransomware in itself is not the real risk. The risk lies in the impact to the business that is caused by a service or process that has been suddenly removed. Now, ransomware-as-a-service (RaaS) is enabling less-skilled malicious actors to employ this threat tactic, with high reward for little effort or technical knowledge.
In the last year, we have seen high-profile cyber attacks from destructive malware as a result of people mistakenly downloading malicious files. A variant of the Petya/Petwrap malware was in evidence in June 2017 when companies’ computers in Europe, the Middle East and the United States were hit with a ransom note demanding US$300 to recover their files. Such an incident highlights not only the frequency and sophisticated of cyber threats, but also serves as a reminder of the outcomes of human error.
Download the report and take practical steps today to protect your organization from future malware attacks like Petya/Petwrap:
Adopt proactive prevention: Many, but not all, ransomware attacks are initiated by a disguised trustworthy entity asking for sensitive information via an electronic communication. Known as phishing, employees can be helped to recognize such scams through prevention training and awareness programs. Make it easy for your employees to report fraudulent e-mails quickly, and keep testing internally to prove the training is working.
Elevate e-mail controls: Strengthening e-mail controls can often prevent malicious e-mails from reaching employees. Maintain strong spam filters and authentication. Scan incoming and outgoing e-mails to detect threats and filter executable files. Consider a cloud-based e-mail analytics solution and revisit how you configure your e-mail.
Insulate your infrastructure: Stay one step ahead of smart attackers by removing or limiting local workstation admin rights or seeking out the right configuration combinations (virus scanners, firewalls and so on). Also, regular patches of operating systems and applications can foil known vulnerabilities—Microsoft patches related to the WannaCry threat is one of the measures that should be included as part of a normal patching cycle.
Plan for continuity: Having a strong cyber resilience plan for recovery that is regularly reviewed, updated, and tested makes it easier to avoid paying any ransom. Recovery objectives must be aligned to the critical tasks within an acceptable timeframe. Workstations and file servers should not be constantly connected to backup devices, and the backup solution should store periodic snapshots rather than regular overwrites of previous backups, so that in the event of a successful attack, backups will not be encrypted.
Security experts and market commentators alike are voicing their concerns after examination of a power outage in Ukraine’s capital, Kiev, in December 2016 identified a malware framework known as CRASHOVERRIDE or INDUSTROYER. The malware targeted Kiev’s electrical infrastructure via its Industrial Control Systems (ICS) in an unprecedented and sophisticated cyber-attack. The event has serious implications globally, and is proving to be a hacker’s paradise for more than power grids in the near future. Read the practical steps organizations can take to better protect themselves from future malware attacks like CRASHOVERRIDE/INDUSTROYER.
Alongside the use of digital technologies for enhanced automation greatly increasing hackers’ potential attack surface, aging critical infrastructure support has not always been architected with cybersecurity top of mind. CRASHOVERRIDE/INDUSTROYER targeted circuit breakers and switches hijacking electrical systems from a distance by taking advantage of standard device-level communication protocols, making it almost completely undetectable in the power infrastructure.
CRASHOVERRIDE/INDUSTROYER could be a blueprint for a more widespread and longer-lasting attack. The potential to disrupt energy, water supplies and other critical industries using ICS for automation, in an economic context, could be highly damaging to a company, municipality or nation for a long period of time.
Download the report and take practical steps today to protect your organization from future malware attacks like CRASHOVERRIDE/INDUSTROYER.
Assess and isolate
Monitor and detect
Plan and prepare
In May 2017, the WanaCrypt0r/WannaCry ransomware attack saw systems infected in more than 200,000 organizations across 150 countries—in particular, the attack affected 47 National Health Service trusts in the United Kingdom resulting in cancelled operations and patient disruption.
Ransomware, also known as cryptoware, attacks a company’s data by encrypting it until a ransom is paid—with no guarantees that the data will be decrypted once the payment has been made to the adversary. Threat intelligence and law enforcement agencies warn such attacks are accelerating in frequency and targeting more businesses with increasing ransom demands. Watch the webinar video for practical steps organizations can take to better protect themselves from future ransomware attacks like WanaCrypt0r.
Find out how you can protect your organization against ransomware attacks like WanaCrypt0r. Listen to the webinar (above) where our distinguished panel of security specialists discuss the latest ransomware attack for:
In-depth analysis and remediation of the current WanaCrypt0r/WannaCry attack to prepare organizations for new variants
Practical advice on steps organizations can take to better protect themselves from future ransomware attacks