IT threat evolution Q3 2019

Targeted attacks and malware campaigns

Mobile espionage targeting the Middle East

At the end of June we reported the details of a highly targeted campaign that we dubbed ‘Operation ViceLeaker’ involving the spread of malicious Android samples via instant messaging. The campaign affected several dozen victims in Israel and Iran. We discovered this activity in May 2018, right after Israeli security agencies announced that Hamas had installed spyware on the smartphones of Israeli soldiers, and we released a private report on our Threat Intelligence Portal. We believe the malware has been in development since late 2016, but the main distribution began at the end of 2017. The attackers used two methods to install these implants: they backdoored legitimate apps, injecting malicious Smali code; and they built an open-source legitimate ‘Conversations’ messenger that included the malicious code. You can read more about Operation ViceLeaker here.

APT33 beefs up its toolset

In July, we published an update on the 2016-17 activities of NewsBeef (aka APT33 and Charming Kitten), a threat actor that has focused on targets in Saudi Arabia and the West. NewsBeef lacks advanced offensive capabilities and has previously engaged in long-term, elaborate social engineering schemes that take advantage of popular social network platforms. In previous campaigns, this threat actor has relied heavily on the Browser Exploitation Framework (BeEF). However, in the summer of 2016, the group deployed a new toolset that included macro-enabled Office documents, PowerSploit, and the Pupy backdoor. The most recent campaign uses this toolset in conjunction with spear-phishing emails, links sent over social media and standalone private messaging applications, and watering-hole attacks that use compromised high-profile websites (some belonging to the Saudi government). The group has changed multiple characteristics year over year – tactics, the malicious JavaScript injection strategically placed on compromised websites, and command-and-control (C2) infrastructure. Subscribers to our private intelligence reports receive unique and extraordinary data on significant activity and campaigns of more than 1009 APTs from across the world, including NewsBeef.

New FinSpy iOS and Android implants found in the wild

We recently reported on the latest versions of FinSpy for Android and iOS. Governments and law enforcement agencies across the world use this surveillance software to collect personal data. FinSpy implants for iOS and Android have almost identical functionality: they are able to collect personal information such as contacts, messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers. The Android implant includes functionality to gain root privileges by abusing known vulnerabilities. The iOS version doesn’t provide infection exploits for its customers and so can only be installed on jailbroken devices – suggesting that physical access is required in order to install the implant. During our latest research we detected up-to-date versions of these implants in almost 20 countries, but we think the actual number of infections could be much higher.

Turla revamps its toolset

Turla (aka Venomous Bear, Uroboros and Waterbug), a high profile Russian-speaking threat actor with a known interest in cyber-espionage against government and diplomatic targets, has made significant changes to its toolset. Most notably, the group has wrapped its notorious JavaScript KopiLuwak malware in a new dropper called Topinambour, a new.NET file that is being used by Turla to distribute and drop its JavaScript KopiLuwak through infected installation packages for legitimate software programs such as VPNs for circumventing internet censorship. Named by the malware authors, Topinambour is an alternative name for the Jerusalem artichoke. Some of the changes the threat actor has made are intended to help it evade detection. For example, the C2 infrastructure uses IP addresses that appear to mimic ordinary LAN addresses. Further, the malware is almost completely ‘fileless’: the final stage of infection, an encrypted Trojan for remote administration, is embedded into the computer’s registry for the malware to access when ready. The two KopiLuwak analogues – the.NET RocketMan Trojan and the PowerShell MiamiBeach Trojan – are used for cyber-espionage. We think the threat actor deploys these versions when the computers of the targets are protected with security software capable of detecting KopiLuwak. All three implants are able to fingerprint targets, gather information on system and network adapters, steal files, and download and execute additional malware. MiamiBeach is also able to take screenshots. You can read more here.

CloudAtlas uses new infection chain

Cloud Atlas (aka Inception) has a long history of cyber-espionage operations targeting industries and government bodies. We first reported this group in 2014 and we have continued to track its activities. During the first half of this year, we identified campaigns focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts. Cloud Atlas hasn’t changed its TTPs (Tactics, Techniques and Procedures) since 2018 and continues to rely on existing tactics and malware to compromise high value targets. The threat actor’s Windows intrusion set still uses spear-phishing emails to target its victims: these are crafted with Office documents that use malicious remote templates – whitelisted per victim – hosted on remote servers. Previously, Cloud Atlas dropped its ‘validator’ implant, named PowerShower, directly, after exploiting the Microsoft Equation vulnerability (CVE-2017-11882) mixed with CVE-2018-0802. In recent months, we have seen a new infection chain, involving a polymorphic HTA, a new and polymorphic VBS implant aimed at executing PowerShower, and the Cloud Atlas second stage modular backdoor that we disclosed in 2014.

Dtrack banking malware discovered

In summer 2018, we discovered ATMDtrack, a piece of banking malware targeting banks in India. We used YARA and the Kaspersky Attribution Engine to try to uncover more information about this ATM malware; and we found more than 180 new malware samples of a spy tool that we now call Dtrack. All the Dtrack samples we initially found were dropped samples, as the real payload was encrypted with various droppers – we were able to find them because of the unique sequences shared by ATMDtrack and the Dtrack memory dumps. Once we decrypted the final payload and used the Kaspersky Attribution Engine again, we saw similarities with the DarkSeoul campaign, dating back to 2013 and attributed to the Lazarus group. It seems that they reused part of their old code to attack the financial sector and research centers in India. Our telemetry indicates that the latest DTrack activity was detected in the beginning of September 2019. This is a good example of how proper YARA rules and a solid working attribution engine can help to uncover connections with established malware families. In this case, we were able to add another family to the Lazarus group’s arsenal: ATMDtrack and Dtrack. You can find our public report on Dtrack here.

Other security news

Sodin ransomware attacks MSP

In April, the Sodin ransomware (aka Sodinokibi and REvil) caught our attention, not least, because of the way it spread. The Trojan exploited the CVE-2019-2725 vulnerability to execute a PowerShell command on a vulnerable Oracle WebLogic server, allowing the attackers to upload a dropper to the server, which then installed the ransomware payload. Patches for this vulnerability were released in April, but at the end of June, a similar vulnerability was discovered – CVE-2019-2729. Sodin also carried out attacks on MSPs. In some cases, the attackers used the Webroot and Kaseya remote access consoles to deliver the Trojan. In others, the attackers penetrated MSP infrastructure using an RDP connection, elevated privileges, deactivated security solutions and backups and then downloaded the ransomware to client computers. This ransomware was also unusual because it didn’t require the victim to carry out any action. Our statistics indicated that most victims were located in the Asia-Pacific region, including Taiwan, Hong Kong and South Korea.

Ransomware continues to be a major headache for consumers and businesses alike. Recovering data that a ransomware Trojan has encrypted is often impossible. However, in some cases we are able to do so. Recent examples include the Yatron and FortuneCrypt malware. If you ever face a situation where a ransomware Trojan has encrypted your data, and you don’t have a backup, it’s always worth checking the No More Ransom site, to see if a decryptor is available. You can find our decryptors for both of the above ransomware programs here and here.

The impact of web mining

Malicious miners are programs designed to hijack the victim’s CPU in order to mine crypto-currencies. The business model is simple: infect the computer, use the processing power of their CPU or GPU to generate coins and earn real-world money through legal exchanges and transactions. It’s not obvious to the victim that they are infected – most people seldom use most of their computer’s processing power and miners harness the 70-80% that is not being used for anything else. Miners can be installed along with adware, hacked games and other pirated content. However, there’s also another model – using an embedded mining script that starts when the victim opens an infected web page. Where a corporate network has been infected, the CPU capacity available to the cybercriminals can be huge. But what impact does mining have? We recently tried to quantify the economic and environmental impact of web miners; and thereby evaluate the positive benefit of protecting against mining.

The total power saving can be calculated using the formula ·N, where is the average value of the increase in power consumption of the victim’s device during the web mining process, and N is the number of blocked attempts according to KSN (Kaspersky Security Network) data for 2018. This figure is equal to 18.8±11.8 gigawatts (GW) – twice the average power consumption rate of all Bitcoin miners in the same year. To assess the amount of saved energy based on this power consumption rate, this number is multiplied by the average time that victim devices spend on web mining; that is, according to the formula ‘·N·t’, where ‘t’ is the average time that web miners would have been working had they not been blocked by our products. Since this value cannot be obtained from Kaspersky data, we used information from open sources provided by third-party researchers, according to which the estimated amount of electricity saved by users of our products ranges from 240 to 1,670 megawatt hours (MWh). Using the average prices for individual consumers, this amount of electricity could cost up to $200,000 for residents in North America or up to €250,000 for residents in Europe.

You can read our report here.

Mac OS threat landscape

Some people still believe that there are no serious threats for Mac OS. There are certainly fewer threats than for Windows, mainly because more people run Windows, so there is a bigger pool of potential victims for attackers to target. However, as the number of people running Mac OS has grown, so have the number of threats targeting them.

Our database currently contains 206,759 unique malicious and potentially unwanted files for Mac OS. From 2012 to 2017, the number of people facing attack grew year by year, reaching a peak in 2017, when we blocked attacks on around 255,000 computers running Mac OS. Since then, there has been a drop; and in the first half of 2019, we blocked around 87,000 attacks. The majority of threats for Mac OS in 2019 fell into the adware category – these threats are easier to create, offering a better return on investment for cybercriminals.

The number of phishing attacks targeting Mac OS has also increased year by year. During the first half of 2019, we detected nearly 6 million phishing attacks, 11.8% of which targeted corporate users. The countries facing the most phishing attacks were Brazil (30.87%), India (22.08%) and France (22.02%). The number of phishing attacks seeking to exploit the Apple brand name has also grown in recent years – by around 30-40% each year. In 2018, there were nearly 1.5 million such attacks; and in the first half of 2019 alone, the number exceeded 1.6 million – already an increase of 9% over the previous year.

You can read our report on the current Mac OS threat landscape here.

Smart home vulnerabilities

One of our colleagues chose to turn his home into a smart home and installed a Fibaro Home Center system, so that he could remotely manage smart devices in the house, including lights, heating system, fridge, stereo system, sauna heater, smoke detectors, flood sensors, IP cameras and doorbell. He invited researchers from the Kaspersky ICS CERT team to investigate it to see how secure it was. The researchers knew the model of the smart home hub and the IP address. They decided not to look at the Z-Wave protocol, which the smart home hub uses to talk to the appliances, because this required physical proximity to the house. They also discarded the idea of exploiting the programming language interpreter – the Fibaro hub used the patched version.

Our researchers were able to find a remote SQL injection vulnerability, despite the efforts of Fibaro to avoid them, and a couple of remote code execution vulnerabilities in the PHP code. If exploited, these vulnerabilities would allow attackers to get root access rights on the smart hub, giving them full control over it. They also found a severe vulnerability in the Fibaro cloud that could allow an attacker to access all backups uploaded from Fibaro hubs around the world. This is how our research team acquired the backup data stored by the Fibaro Home Center located in this particular home. Among other things, this backup contains a database file with a lot of personal information, including the house’s location, geo-location data from the owner’s smartphone, the email address used to register with Fibaro, information about smart devices in the owner’s home and even the owner’s password. Credit to Fibaro Group not only for creating a rather secure product but also for working closely with our researchers to quickly patch the vulnerabilities we reported to them. You can read the full story here.

Security of smart buildings

This quarter we also looked at the security of automation systems in buildings – sensors and controllers to manage elevators, ventilation, heating, lighting, electricity, water supply, video surveillance, alarm systems, fire extinguishing systems and more in industrial facilities. Such systems are used not only in office and residential buildings but also in hospitals, shopping malls, prisons, industrial production, public transport and other places where large work and/or living areas need to be controlled. We looked at the live threats to building-based automation systems to see what malware their owners encountered in the first six months of 2019.

Most of the blocked threats were neither targeted, nor specific to building-based automation systems, but ordinary malware regularly found on corporate networks unrelated to automation systems. Such threats can still have a significant impact on the availability and integrity of automation systems, from file encryption (including databases) to denial of service on network equipment and workstations because of malicious traffic and unstable exploits. Spyware and backdoors pose a far greater threat, since stolen authentication data and the remote control it provides can be used to plan and carry out a subsequent targeted attack on a building’s automation system.

Smart cars and connected devices

Kaspersky has investigated smart car security several times in recent years (here and here), revealing a number of security issues. As vehicles become smarter and more connected they are also becoming more exposed. However, this doesn’t just apply to smart cars and the apps that support them. There is now a whole industry of after-market devices designed to improve the driving experience – from car scanners to tuning gadgets. In a recent report, we reviewed a number of automotive connected devices and reviewed their security setup. This exercise provided us with a first look at security issues in these devices. Our review included a couple of auto scanners, a dashboard camera, a GPS tracker, a smart alarm system and a pressure and temperature monitoring system.

We found the security of these devices more or less adequate, leaving aside minor issues. This is partly due to the limited device functionality and a lack of serious consequences in the event of a successful attack. It’s also due to the vigilance of vendors. However, as we move towards a more and more connected future, it’s important to remember that the smarter an object is the more attention should be paid to security in the development and updating of a device: careless development or an unpatched vulnerability could allow an attacker to hijack a victim’s car or spy on an entire car fleet.

We continue to develop KasperskyOS, to help customers secure connected systems – including mobile devices and PCs, internet of things devices, intelligent energy systems, industrial systems, telecommunications systems and transportation systems.

If you’re considering buying a device to make your car a little bit smarter, you should think about the security risks. Check to see if any vulnerabilities affect the device and whether it’s possible to apply security updates to it. Don’t automatically buy the most recently released product, since it might contain a security flaw that hasn’t yet been discovered: the best choice is to buy a product that has already been updated several times. Finally, always consider the security of the ‘mobile dimension’ of the device, especially if you use an Android device: while applications make life easier, once a smartphone is hit by malware a lot can go wrong.

Personal data theft

We’ve become used to a steady stream of reports in the news about data breaches. Recent examples include the theft of 23,205,290 email addresses together with passwords weakly stored as base64 SHA-1 encoded hashes from CafePress. Worryingly, the hack was reported by Have I Been Pwned – CafePress didn’t notify its customers until some months after the breach had occurred.

In August, two Israeli researchers discovered fingerprints, facial recognition data and other personal information from the Suprema Biostar 2 biometric access control system in a publicly accessible database. The exposure of biometric data is of particular concern. If a hacker is able to obtain my password, I can change it, but a biometric is for life.

Facebook has faced criticism on several occasions for failing to handle customers’ data properly. In the latest of a long list of incidents, hundreds of millions of phone numbers linked to Facebook accounts were found online on a server that wasn’t protected with a password. Each record contained a unique Facebook ID and the phone number listed on the account, leaving affected Facebook customers open to spam calls and SIM-swap attacks.

On September 12, mobile gaming company Zynga reported that some player account data may have been accessed illegally by ‘outside hackers’. Subsequently, a hacker going by the name of Gnosticplayers claimed to have breached the player database of Words With Friends, as well as data from Draw Something and the discontinued game OMGPOP, exposing the data of more than 200 million Android and iOS players. While Zynga spotted the breach and notified customers, it’s worrying that passwords were stored in cleartext.

Consumers have no direct control over the security of the personal data they disclose to online providers. However, we can limit the damage of a security breach at an online provider by ensuring that they create passwords that are unique and hard to guess, or use a password manager to do this for us. By making use of two-factor authentication, where offered by an online provider, we can further reduce the impact of any breach.

It’s also worth bearing in mind that hacking the server of an online provider isn’t the only way that cybercriminals can get their hands on passwords and other personal data. They also harvest data stored on a consumer’s computer directly. This includes data stored in browsers, files from the hard disk, system data, account logins and more. Our data shows that 940,000 people were targeted by malware designed to steal such data in the first half of 2019. We would recommend using specialist software to store account passwords and bank card details, rather than relying on your browser. You can find out more about how cybercriminals target personal data on computers here.