Geopolitical and Cybersecurity Risk Weekly Brief 19 October 2020
Entities in the governmental sector remain among those most regularly attacked by state-sponsored groups. This week US authorities reported multiple attacks chaining exploits to target election organisations and government networks from the local to the federal level. Geopolitical and national tensions continue to have the potential to manifest in cyberattacks. Norway said that Russia was responsible for an attack against the country’s parliament in August. Norwegian-Russian relations are characterised by mutual suspicion and allegations of spying. Meanwhile, the EU has agreed to impose sanctions against six people and one entity potentially responsible for the poisoning of Russian opposition figure Alexei Navalny in August.
Microsoft’s October Patch Tuesday release saw several critical vulnerabilities patched. A number of these were subsequently the subject of alerts from national cybersecurity bodies US Cyber Command and the NCSC in the UK. Patching these should be of the highest priority for all organisations (see details in Vulnerabilities section).
This week saw the announcement of a successful collaboration between security vendors, software manufacturers and telecoms companies to bring down part of the infrastructure used by the Trickbot malware. While this represents remarkable teamwork, it is only a qualified success insofar as the malware has so many fallbacks that it remained online and active throughout. Trickbot has infected over a million devices worldwide since late 2016.
Technology companies come under scrutiny periodically: ZKA, the German customs investigation agency, raided several premises with links to Munich-based surveillance software company FinFisher. The firm is suspected of exporting the FinSpy surveillance software overseas, including to Turkey, without obtaining an appropriate export license.
The latest World Economic Outlook (WEO) report, released on 13 October, saw the IMF project sharp falls in GDP for several regions. This includes Latin America and the Caribbean, where many small countries dependent on the export of raw materials and tourism are in difficulty. Meanwhile, Singapore said its third-quarter GDP contracted at 7 per cent against 13.3 per cent in the second quarter, an improved performance probably linked to the government’s decision to introduce a national ‘circuit breaker’. In Sudan, the National Statistics Office of Sudan said year-on-year inflation for September had reached 212 per cent amid continued deterioration of macro-economic conditions and purchasing power for residents.
Relations with China continue to be a concern for many countries. The Taiwanese Financial Supervisory Commission (FSC) said that several Chinese investors had illicitly purchased shares of the Taipei-headquartered conglomerate Tatung Company to influence the firm’s management. China’s ambassador to Canada made comments regarding Ottawa giving asylum to ‘violent criminals’ from Hong Kong while seemingly making a threat against Canadians in Hong Kong. Four Chinese state-owned utilities were reportedly ordered to halt Australian coking and thermal coal imports in an apparent attempt by Beijing to impose an economic cost on Canberra’s political decisions.
Attacks and cybersecurity news
CISA and the FBI have warned that APT groups are chaining vulnerability exploits to target critical infrastructure, election organisations, and federal and state, local, tribal, and territorial (SLTT) government networks. In multiple attacks observed by the US authorities, more than one APT group was seen to exploit several legacy vulnerabilities in combination with a relatively new privilege escalation vulnerability known as ZeroLogon (CVE-2020-1472) in Windows NetLogon. In some instances, this resulted in unauthorised access to election support systems; however, CISA has no evidence that the integrity of election data was at risk.
US-based international law firm Seyfarth Shaw LLP has disclosed that it shut down a large number of its systems due to a ransomware attack. The company claims that it was able to quickly stop the attack once it was detected, but that many systems had already been encrypted. Seyfarth Shaw provides advisory, litigation, and transactional legal services to clients around the world, 300 of which are companies in the Fortune 500. No evidence has been found of data theft and the ransomware has not been named.
In September, the FBI warned US organisations that companies worldwide were being threatened with DDoS attacks unless they pay a Bitcoin ransom within six days. This ‘Ransom Denial of Service’ (RDoS) campaign started on 12 August and has continued into October. Targeted sectors include retail, financial, travel, and e-commerce. UK foreign-exchange company Travelex is one of the latest high-profile threat recipients. The malicious actors still pose as the FancyBear, ArmadaCollective, and Lazarus threat groups. They switch between APTs depending on which sector they are attacking, using Lazarus to target finance, and FancyBear to target technology and manufacturing organisations. It appears that Travelex did not pay the ransom, so it is unclear how successful these attacks have been.
A press release published on 13 October has claimed that Russian threat actors were responsible for the attack on the Norwegian supreme legislature (Stortinget) at the end of August. No details have been provided on how this attribution was made, however, and Russia has adamantly denied the claims. The Head of the Russian Federation Council’s Committee on Foreign Affairs stated that the accusations have been made with "no effort made to present any proof or to propose to discuss the incident at an expert level."
Security researcher Peter Kruse claims that Iranian threat actor SilentLibrarian (also known as CobaltDickens or TA407) is currently attacking the Australian Catholic University (ACU). The group appears to be using a fake ACU page to steal login information from students. Subsequent research has indicated that SilentLibrarian is in control of sufficient infrastructure and has the resources to target educational institutions around the world over the course of the next few months. Organisations in this sector should train staff appropriately. In a potentially connected incident, two schools in Massachusetts were hit with DDoS attacks this week. The education sector is an easy target for threat actors.
The operators of the Avaddon ransomware have announced Lonrho as their latest victim. Lonrho is a London-based conglomerate engaged in multiple business sectors in Africa, mainly focussing on agriculture, infrastructure, transport, hospitality, and support services. The company has been given until 15 October to pay the ransom before its data is leaked, which the threat actors claim, "will lead to a lot of problems and lawsuits." Screenshots of some stolen data have been published, showing that the group has stolen 74.5GB of "Finance" information from the organisation: these files relate to tax, payroll data, customer accounts, phone reports, internal letters, and various forms.
Data security, fraud, and vulnerabilities
Cyjax has identified an advertisement by the threat actor Joker promoting a new breach on his site Joker’s Stash. This set of data is believed to be comparable to the Wawa breach of 2019 (in which millions of track 1 and track 2 cards were leaked from the American petrol station company). Joker has named the collection of cards “BLAZINGSUN”: it is advertised as comprising 3 million cards. The source of the stolen cards from the BLAZINGSUN breach was subsequently revealed as Dicky’s Barbeque Restaurant. According to American financial institutions, the cards were all used at the restaurant over the last 13-15 months.
Over 50,000 home security cameras in Singapore have been compromised, with stolen footage being sold on adult websites, and X-rated footage being sold as a subscription service. Videos stolen from the cameras contain couples, breastfeeding mothers, and some feature teenagers and children, all in "various states of undress or compromising positions." A Discord group has also been found with almost 1,000 members globally who have shared over 3TB of clips. This group also offers advice for subscribers on how to find, watch, and record these compromised cameras.
Threat actors have used a ransomware attack to steal almost a terabyte of data from US technology firm Intcomex. This data was then leaked on a Russian darknet forum in two parts between 14 and 20 September. After being informed of the leak, Intcomex confirmed that it had experienced a cyberattack and had engaged third-party cybersecurity experts and law enforcement to assist with remediation of the incident. The malware used in this attack has not been named.
Broadvoice, a VoIP provider for small- and medium-sized businesses, has exposed more than 350 million customer records. The data is related to the company’s “b-hive” cloud-based communications suite which is used by a diverse client base including doctors' offices, law firms, retail stores, and community organisations. It appears that the company left an Elasticsearch database cluster open to the internet, accessible to anyone, with no authentication required. The misconfigured cluster included 10 separate collections of data, related to b-hive.
The European Association for Secure Transactions (EAST) has recently published a report looking at crime targeting ATMs across Europe in the first six months of 2020. The European Payment Terminal Crime Report shows a 269 per cent increase in ATM malware and logical attacks against ATMs as compared to the same period in 2019. All these attacks were so-called Black Box attacks in which threat actors directly connect an unauthorised device to the target ATM and send dispense commands. This enables the 'cash-out' or 'jackpot' of the ATM and has caused losses of over EUR1 million in some cases. This should not be taken lightly: cybercriminal groups and state-sponsored APTs all look to target the financial sector as a means of directly accessing significant funds. While these attacks remain lucrative, threat actors will continue to improve their tactics, techniques, and procedures, and losses will only grow.
Microsoft has released its October 2020 Patch Tuesday security updates, with 87 vulnerabilities patched in total. The most dangerous bug patched this month is CVE-2020-16898 (also called Ping of Death Redux by Sophos and Bad Neighbor by McAfee), an issue in the Windows TCP/IP driver's handling of IPv6 which, if successfully exploited, could allow a remote attacker to execute commands on the targeted device, as well as cause a DoS condition.
Subsequently, US Cyber Command urged everyone to "Update your Microsoft software now so your system isn't exploited: CVE-2020-16898 in particular should be patched or mitigated immediately, as vulnerable systems could be compromised remotely." It is clearly a critical issue and should be treated as such, with all clients recommended to expedite the update process.
In the days after this, another vulnerability was highlighted as requiring urgent attention by the UK’s NCSC. In an alert, all UK organisations were urged to address the high-risk vulnerability in Microsoft SharePoint servers, tracked as CVE-2020-16952. Successful exploitation of this bug can enable an attacker to take control over an affected system. Applying the patches from Microsoft's October Patch Tuesday as soon as possible can prevent exploitation of this vulnerability.
Adobe has released patches for nine newly disclosed vulnerabilities, which affect a wide range of Magento products. Two of the nine vulnerabilities have been rated critical and could potentially facilitate arbitrary code execution. Given that Magento products are consistently targeted by Magecart groups, patching these vulnerabilities should be considered a priority.
APT Activity and Malware Campaigns
Threat researchers have shared details on infrastructure connected to the Kimsuky APT, which has recently been targeting government entities in South Korea, the defence sector of Japan, policymakers in the US, and supranational bodies such as the UN. Kimsuky attacks have also focused on gathering military intelligence and information on economic sanctions. Reporting on human rights violations, economic sanctions, or working with defectors will often attract North Korea's advanced persistent threat groups.
IssueMakersLab also reported this week that Kimsuky (which it calls RGB-D5) has launched several spear-phishing attacks against an unnamed South Korean pharmaceutical company. The firm is reportedly developing a COVID-19 vaccine – thought to be the main objective of the campaign. Further spear-phishing attacks have been launched against Johnson & Johnson and the Beth Israel Deaconess Medical Center, which are also jointly developing a COVID-19 vaccine.
Google's Threat Analysis Group (TAG) has also confirmed that in September, it saw multiple North Korean APT groups shifting their targeting towards COVID-19 research and pharmaceutical companies, including those based in South Korea. In these campaigns, the North Korean threat actors used shortened URLs and impersonated the targets' webmail portals to collect login credentials. In another campaign, the DPRK cyberspies masqueraded as recruiters to lure targets into downloading malware.
Kimsuky was also linked this week to a software supply chain attack targeting an Android mobile cryptocurrency wallet app distributed through the Google Play Store. A Windows version of the app was also uncovered in this campaign. The trojanised apps targeted credentials and exfiltrated them to the attackers. It is well-documented that North Korean hackers frequently target cryptocurrency exchanges and continue to hit around the globe to generate funds for the regime. Experts believe the country’s state-sponsored groups have stolen over USD2 billion in cyberattacks. Both Lazarus and Kimsuky have maintained the frequency of their attacks during the COVID-19 pandemic.
An espionage campaign targeting Israeli organisations throughout September 2020 has been attributed to the MuddyWater APT, a contractor that works with the Islamic Revolutionary Guard Corps (IRGC) of Iran. In this campaign, a variant of the PowGoop malware was disguised as fake Google update DLL files. Unit42 has previously reported on the PowGoop malware in a report about the destructive variant of Thanos ransomware that was used in attacks targeting organisations in the Middle East and Northern Africa. These attacks are believed to be connected to MuddyWater.
This week saw collaboration between major security vendors, software companies, and various telecommunications providers to take down key Trickbot infrastructure. As a result, these parts will be unable to distribute additional Trickbot payloads or the Ryuk ransomware. However, trying to take down the botnet proved challenging as it has various fallback channels and connections to multiple cybercriminal groups that have been known to deploy the malware. The botnet remains online and continues to be used in attacks.
Trickbot has infected over a million devices around the world since late 2016. In 2020 alone, ESET researchers analysed over 125,000 malicious samples and downloaded and decrypted more than 40,000 configuration files used by the different Trickbot modules. In total, there are 28 known modules with their own features that have been deployed by the Trickbot operators, WizardSpider, one of the most dangerous groups on the threat landscape. The cybercriminals have evolved into a highly capable group with a diverse arsenal including the Ryuk and Conti ransomware, the BazarLoader and BazarBackdoor, and Trickbot.
Cyjax analysts have uncovered a recruitment drive for a new Ransomware-as-a-Service (RaaS) affiliate program called Ranzy. The RaaS operators, ranzycorp, are Russian-speaking threat actors that do not welcome English-speaking users. They appear to be well-funded organised cybercriminals and are offering "10 BTC per week". This post gives further insight into the way in which RaaS offerings are run: ranzycorp states they have a "limited number of slots", indicative of the fact that RaaS offerings often work with multiple initial access brokers.
New samples connected to the RedDelta APT group have been uncovered by threat researchers and uploaded to malware submission sites. The malware masqueraded as fake versions of Adobe Flash Player - packed with a backdoor. RedDelta is believed to be a Chinese state-sponsored group that has targeted law enforcement, governments, and educational institutions across Hong Kong, India, Indonesia, and Myanmar. It is also responsible for a recent cyber-espionage campaign targeting the Hong Kong Catholic Church and allegedly infiltrated the computer networks in Vatican City.
DeepSea market has gone offline in an apparent exit scam. One of the market’s former staff members announced that they had received no communication from the market owners for several days. Although DeepSea’s fate has not been confirmed, most of the darknet community is now treating it as having exit scammed. Prior to its disappearance, DeepSea had been making a name for itself and was experiencing rapid growth, particularly in the wake of the Empire exit scam. Its userbase now appears to be splintering, with many choosing either White House or Dark0de.
There is a growing body of evidence indicating ransomware groups are outsourcing their operations to other cybercriminals. There have been indications of this for some time, but recent findings have established some clear links between ransomware groups and certain criminal actors. In particular, there appears to be a growing level of cooperation between ransomware groups and initial access brokers. For ransomware groups, purchasing access from third parties allows them to increase the number of organisations they attack without significantly increasing their reconnaissance time.
A post on RAID forums claimed to be selling access to an undisclosed bank. The post claims to have network access to the bank as well as high level accounts, source codes for the bank’s products, network infrastructure plans, and database credentials. The location of the bank was not disclosed, but we expect a buyer to appear soon given the extensive nature of the offering. We cannot verify the validity of this seller nor what they are selling and it could well be fake.
Geopolitical Threats and Impacts
REGIONAL – IMF forecasts sharp fall in Latin America’s GDP, worst among major regions
In its latest World Economic Outlook (WEO) report released on 13 October, the International Monetary Fund (IMF) projected an 8.1 per cent decrease in GDP for Latin America and the Caribbean in 2020. Among the region’s largest countries, the fund forecast an 11.8 per cent drop in Argentina’s GDP in 2020, a 9.0 per cent fall for Mexico, and a 5.8 per cent contraction in Brazil. In a statement, the IMF said that small countries and those dependent on the export of raw materials and tourism were in an ‘especially difficult’ position. Furthermore, the IMF said that Caribbean countries and the aviation sector faced a particularly challenging economic panorama. The sharp economic contraction, which is very likely to be accompanied by rising unemployment and growing poverty, increases the risk of short-to-medium term political instability and potentially civil unrest in the worst affected countries.
BRAZIL & US – Meat giant JBS’s parent company pleads guilty to US FCPA charges
On 14 October, J&F Investimentos, the parent company of Brazilian meat processing giant JBS, pleaded guilty to violating the US Foreign Corrupt Practices Act (FCPA) and agreed to pay USD128.25 million in criminal fines. According to US prosecutors, J&F executives paid bribes worth more than USD150 million to high-ranking government officials in Brazil in order to secure financing from state-run banks, with bribery taking place between 2005 and 2017. In Brazil, J&F has admitted to bribing more than 1,900 politicians in order to further their business interests. The bribery scandal surrounding J&F has parallels with a similar bribery scheme conducted by construction giant, which has had significant political repercussions throughout Brazil.
CANADA & CHINA – Chinese ambassador’s remarks to concern HK-based Canadians
At a news conference on 15 October, China’s ambassador to Canada, Cong Peiwu, urged Ottawa not to grant political asylum to ‘violent criminals’ from Hong Kong, in reference to Canada’s granting of asylum to pro-democracy protesters from the territory. Cong said that if Canada ‘really cares about the good health and safety of those 300,000 Canadian passport holders in Hong Kong’, it should support efforts to counter perceived violent crime in Hong Kong. Cong’s remarks have been perceived in Canada as a thinly-veiled threat against Canadians in Hong Kong. The hostile relations between Ottawa and Beijing mirror the poor state of Sino-US relations. Hopes for an improvement in relations between Canada and China rest largely on a resolution to Meng’s case in Beijing’s favour, which could be triggered by a potential change in US administration if Joe Biden were to win next month’s presidential election.
TAIWAN & CHINA – Taipei’s scrutiny of Chinese investment indicates influence concerns
The Taiwanese Financial Supervisory Commission (FSC) on 13 October said that it had found that a number of Chinese investors had since May 2019 illicitly purchased a total of TWD130 million (USD4.53m) shares of the Taipei-headquartered conglomerate Tatung Company via a financial institution in Singapore, in an effort to influence the firm’s management. The FSC has ordered the Chinese investors to revoke their investments in the next six months or face a fine of TWD25m for breaching the Act Governing Relations between the People of the Taiwan Area and the Mainland Area. The act stipulates that Chinese entities are not allowed to invest in Taiwan without permission from Taiwanese authorities. The FSC’s announcement comes ahead of an extraordinary general meeting scheduled for 21 October to re-elect Tatung’s board of directors. There are concerns that a Chinese controlled management would yield national security risks for Taiwan, as Tatung is also involved in the manufacturing and semiconductor industries, and holds sensitive data for the Taiwanese government.
AUSTRALIA & CHINA – Halt to Australia’s China coal exports linked to political factors
The Australian government on 13 October sought to clarify earlier media reports that four Chinese state-owned utilities had been verbally notified by China's customs to immediately halt Australian coking and thermal coal imports with effect from 9 October. According to the reports, the Australian government had not received any formal notification from the Chinese authorities regarding any measure to restrict coal imports. Australia is China’s largest supplier of thermal and coking coal imports used respectively by the country’s electricity generation and steel making industries. The implication of the seemingly orchestrated reduction in Australian exports is that Beijing is seeking to impose an economic cost on Canberra’s political decisions regarding a range of issues relating to human rights, the coronavirus pandemic and support for US policies in Asia that China views as ‘unfriendly.’
SINGAPORE – Economic contraction eased in third quarter reflecting ‘circuit breaker’ policy
Singapore's Ministry of Trade and Industry (MTI) reported on 14 October that third-quarter GDP contracted at 7 per cent against 13.3 per cent in the second quarter. MTI noted the improved performance reflected the aftermath of the government’s decision to introduce a national ‘circuit breaker’ that greatly reduced economic and commercial activity between 1 April and 1 June 2020 in a bid to control the impact of the coronavirus (COVID-19) pandemic on Singapore. Singapore’s decision to introduce a circuit breaker reflected a huge surge in the number of COVID-19 infections among the country’s estimated 350,000 migrant labour force, most of whom are housed in industrial areas and readily isolated from the wider resident community. Singapore’s experience, supported by data, is a useful if not universal indicator of the impact of direct and enforced government intervention on commercial activity largely absent elsewhere outside China.
Europe and Russia
NORWAY – Foreign minister accuses Russia of cyber-attack against Parliament
In a statement on 13 October, foreign minister Ine Eriksen Soereide said that Russia was responsible for a cyber-attack targeting the country’s parliament in August. The attack was confirmed on 1 September, when the legislature said email accounts belonging to multiple lawmakers and staff had been hacked. Moscow rejected the claims as ‘a deliberate provocation, which is harmful for bilateral relations’. The claim suggests that Norwegian intelligence agencies have seemingly credible evidence connecting the attack with Russia. Mutual suspicion and allegations of spying have characterised modern relations between NATO member Norway and Russia. The claims support the conclusion from a risk assessment published by Norway’s intelligence services in February warning that attacks on computer networks were ‘a persistent and long-term threat to Norway’.
GERMANY – Properties linked to surveillance software firm raided over suspected export violation
ZKA, the German customs investigation agency, raided 15 residential and commercial premises in Germany and abroad with links to Munich-based surveillance software company FinFisher. This comes as the firm is suspected of exporting the FinSpy surveillance software overseas, including to Turkey, without obtaining an appropriate export license. The software enables users to access address books, photographs and videos on smartphones being targeted as well as monitor phone conversations. Strict laws regulate how and to which countries surveillance software can be legally exported. The FinFisher case is notable because the company’s software, including another called Federal Trojan, is being used by a number of German agencies, including the police and the ZKA.
EU & RUSSIA – Brussels agrees to impose sanctions over Navalny poisoning
The EU has agreed to impose sanctions against six people and one entity potentially responsible for the poisoning of Russian opposition figure Alexei Navalny in August. Sanctions will involve asset freezes and travel bans. Confirmation on 6 October by the Organization for the Prohibition of Chemical Weapons that Novichok was used against Navalny prompted France and Germany to harden their stance towards Russia. In the current context, the EU has used sanctions to demonstrate solidarity and a united front when it comes to political repression and violent acts committed against regime critics. This approach is consistent with the one taken towards Belarus, and the EU has warned it could impose more sanctions over a crackdown there, including on President Alexander Lukashenko.
MENA and Central Asia
JORDAN – Government under Khasawneh sworn in ahead of November elections
A new government under the leadership of Prime Minister Bisher al Khasawneh was sworn in by King Abdullah on 12 October. The development comes after the monarch dissolved parliament on 27 September under constitutional rules, which stipulated that the government under former Prime Minister Omar Razzaz must resign by 4 October. Khasawneh, who previously served as a diplomat and palace aide, will now oversee the upcoming parliamentary elections, scheduled for 10 November. The results are likely to produce a majority of pro-government deputies; under current laws, the voting system marginalises Islamist and independent political parties.
KYRGYZSTAN – Zhaparov appointed as new PM amid tightened security restrictions
On 10 October, parliament named Sadyr Zhaparov prime minister. The Central Election Commission (CEC) indicated on 9 October that it will announce a date for the parliamentary elections to be repeated by 6 November. Alongside this development, President Sooronbai Jeenbekov announced that the state of emergency measures implemented on 9 October would be extended beyond their original deadline of 21 October amid ramped up efforts to re-stabilise the country. Jeenbekov has confirmed that he will resign once a new government is formed. The official appointment of Zhaparov during an emergency session as prime minister brings an end to a power vacuum, caused by the collapse of the government last Wednesday. He has indicated that no changes will be made to the current cabinet for now, likely in a bid to temporarily avoid the inevitable political infighting that will ensue once the process to re-select members commences. His appointment will curb the uncertainty associated with such a vacuum; however, it is unlikely that Zhaparov’s opponents will end their protests in the short-term outlook.
TUNISIA – Protests sparked in Sbeitla risk spreading across region
On 13 October violent protests occurred in the city of Sbeitla, located in the west-central Kasserine province. The unrest was in response to the death of a local resident, a 51-year-old man who had been killed during the bulldozing of his cigarette kiosk. Local authorities carried out the demolition orders as the kiosk did not have a valid licence. Sbeitla has been the regular site of protests in recent years largely over unemployment levels and a lack of investment. This incident will therefore work to inflame simmering anti-government tensions in the region.
ANGOLA – Charging of ex-president’s allies for corruption signals declining long-term risks
Retired generals Manuel Helder Vieira ‘Kopelipa’ Dias and Leopoldino ‘Dino’ Do Nascimento appeared at the attorney-general's office in Luanda on 14 October to face charges of embezzlement, money laundering, and fraud. Specifically, the two generals are accused of diverting large sums relating to a USD2.5 billion credit line between Angolan state-owned bank Banco de Comércio e Indústria (BCI) and Hong Kong-based investment group China International Fund (CIF). The legal proceedings against the two generals may lead to their arrest and legal sentencing. The potential sentencing of two of the three most influential individuals of the dos Santos administration would provide a strong signal to investors and creditors that the government is serious about its pledge, indicating declining corruption risks in the long-term.
SUDAN – Year-on-year inflation reaches 212 per cent, raising the risk of civil unrest
The National Statistics Office of Sudan on 13 October said year-on-year inflation for September had reached 212 per cent. The increase marks a continued deterioration of macro-economic conditions and purchasing power for residents, and follows the government’s declaration of a state of economic emergency in September over the same issue. The continued rise in consumer prices was likely further fuelled by extensive floods in September, which disrupted roads and transport. The continued deterioration of local livelihoods is highly likely to fuel civil unrest in the three-month outlook, as the prospects for improved macroeconomic conditions are few.