In June, we’ve seen attacks continue, evolve, and plagiarize. So, whether they’re upping their ante, broadening their scope, or preying on the bad reputation of predecessors, this month can be characterized as the month of “Sequel Threats”. As always, we’ve included links to industry resources for further reading. Stay safe out there!
Olympic Destroyer evolves
Olympic Destroyer, the so-called “false flag confusion bomb” that targeted the South Korea Winter Olympics, is still alive. In May and June, spear phishing activity has been observed targeting financial organizations in Russia and “chemical threat prevention” laboratories in Europe and Ukraine. It’s delivered with credible spear phishing scenarios, through malicious document macros, and leverages PowerShell.
This attack marks the ongoing trend of destructive attacks without monetary incentives. There might be a nation state behind it, or an activist group. Attribution for Olympic Destroyer will take quite some time, as researchers discovered in March that the attack was riddled with “false flags” pointing to Lazarus, a North Korea-linked group. These “false flags” were discovered to be pretty blatant, much like a conveniently dropped identity card in a burglary. We’re in an era where fake news is spread not only via social media but via IoCs too.
VPNFilter continues
The VPNFilter malware, reportedly connected to Russian APTs, has expanded its list of affected home router devices. 500,000 routers in over 50 countries have been affected, with the list of known routers including Linksys, MikroTik, Netgear, TP-Link, QNAP, Asus, D-Link, Huawei, Ubiquiti, UPVEL and ZTE. We have reported this several times, and many great resources have overviews. The FBI recommends that you reboot, so if you haven’t done that by now, do it and run a firmware update. If the router or any other network devices have an auto-update function, make sure to enable it.
Another Flash exploit using Office documents
Another Adobe Flash zero-day exploit has been discovered this month. The exploit uses Microsoft Office files to deliver a stack-based buffer overflow attack. It is not unusual to use Microsoft Office files in attacks, even when the malicious file itself does not contain any actual malware: the document remotely downloads a Shockwave Flash file that contains the actual payload. This increases the chance of staying undetected by email filters and antivirus vendors. Adobe has released a patch to address the zero-day, and everyone using Flash is advised to update immediately. This type of malware is typically spread via phishing, which emphasizes the importance of being wary of suspicious emails and unknown senders.
We have seen lazy attacks before. It’s also a known fact that criminals leverage each other’s “brand and reputation”. In this case, the scammers are sending e-mails announcing “Hello! WannaCry is back!” They’re threatening victims, saying they’ll encrypt everything, and are demanding a ransom of 0.1 Bitcoin ($650 USD) to prevent it. The attack is actually backed by nothing of the sort. Anyone tech savvy understands there’s no technology available today that is able to encrypt across Mac, Windows, Android and iPhone. It’s a lazy attack for sure, but alas, statistics dictate that with a large enough volume of e-mails, some will provide a payday for this type of criminal.
Do not believe anything a criminal tells you. You can’t trust them.
MyHeritage leaks 92 million passwords
MyHeritage, an Israel-based ancestry platform where users can create family trees and search through familial and historical records, was alerted by a security researcher that 92 million usernames and password hashes had been found. Passwords are leaked and stolen all the time, and 92 million might seem like a minor addition to the databases of billions already available, but what’s worrying is that the site hosts DNA information and credit card information too. Although there’s no indication these have been compromised (they were stored on separate infrastructure), this might be a little bit too close for comfort.
- Olympic Destroyer is still alive – Securelist
- Olympic Destroyer: A False Flag Confusion Bomb | The first stop for security news | Threatpost
- WannaCry ransomware scam tries to extort money without actually infecting your computer
- VPNFilter: New Router Malware with Destructive Capabilities | Symantec Blogs
- MyHeritage breach leaks millions of account details – The Verge
- MyHeritage Statement About a Cybersecurity Incident « MyHeritage Blog
This month’s top threats were compiled largely from input from Diana Selck, TDM coordinator in the Cyber Defense Center in Malmö, Sweden, and Emma Blid, Security Analyst in the Cyber Defense Center in Malmö, Sweden.