Geopolitical and Cybersecurity Risk Weekly Brief 28 September 2020

28 September 2020

Executive Summary

This week government departments and industry bodies continued to warn about the ZeroLogon vulnerability (CVE-2020-1472). In the US, federal departments were given until 21 September to apply patches. Servers that could not be secured were taken offline and removed from government networks. Three days later, Microsoft Threat Intelligence Center (MSTIC) warned attackers were actively leveraging Windows Server ZeroLogon exploits. It has since emerged that attackers are taking advantage of other flaws to leverage ZeroLogon. Those that have not patched should do so immediately.

In the geopolitical sphere, Peru’s President Martín Vizcarra survived an impeachment vote in congress over his ties to irregular government contracts. US President Donald Trump announced new sanctions on Cuba. UK foreign minister Dominic Raab said that sanctions would be imposed targeting Belarusian officials accused of human rights violations after President Alexander Lukashenko’s ‘fraudulent inauguration’. In Mali, transitional president Bah N’Daw appointed Moctar Ouane as prime minister.

In the cyber domain, several sophisticated threat groups targeted government entities. The US Cybersecurity and Infrastructure Security Agency (CISA) responded to an attack on a federal agency using sophisticated multi-stage malware. An unpatched Pulse Secure VPN server was the suspected ingress point. While it is not clear who is responsible, the threat group appears to be a nation-state-sponsored or financially-motivated APT.

Geopolitical tensions continue to have the potential to manifest in cyberattacks. In Belarus, a group of anonymous hackers leaked the personal data of 1,000 police officers in response to a continuing crackdown on anti-government protesters since the 9 August presidential election. The US announced that all UN sanctions against Iran had been restored to pre-2015 levels, a move that will put it at odds with Tehran and with the Security Council, many of whose members have stated their intention to ignore Washington’s move.

Tensions with China continue. A spike in Chinese military activity, including Chinese military aircraft entering Taiwan’s airspace, has elevated cross-strait tensions. The move comes ahead of the signing of a comparatively large arms deal and a potential Taiwan-US free trade agreement, in combination with an increasing US naval presence in the Taiwan Strait. Meanwhile, Beijing has targeted the Hong Kong-based Foreign Correspondents Club in a move widely seen as an indicator of the territory’s probable trajectory under increased rule from mainland China.

Elsewhere, details of the GADOLINIUM APT were revealed. This advanced threat group had been compromising targets for over a decade. Organisations operating in the APAC maritime and health sectors were primary targets. However, targeting has recently been expanded to other sectors and regions, including higher education and local governments. GADOLINIUM delivers custom malware in spear phishing emails to compromise victims.

Attacks and cybersecurity news

The US Cybersecurity and Infrastructure Security Agency (CISA) recently responded to a cyberattack on a US federal agency’s enterprise network. Sophisticated multi-stage malware bypassed the agency’s anti-malware systems, achieved persistence through two reverse proxies, and exploited a vulnerability in the agency’s firewall. It is not confirmed how the adversary initially obtained the credentials, but it is believed to have been via an unpatched Pulse Secure VPN server, vulnerable to CVE-2019-11510. The advanced TTPs indicate that a sophisticated adversary is likely involved, such as a state-sponsored or profit-driven APT.

Researchers reported an attack on a government agency in the Middle East, which saw the deployment of the Glupteba malware to steal sensitive information from browsers. The targeted data could have included passwords, credit card information, and email account credentials. The agency remains unnamed at the time of publication, but this attack stands as a timely reminder of the ever-present threat to government systems, in a week where an American federal agency was also hit by potentially state-sponsored threat actors and a Texan County came under scrutiny for its security practices in the run-up to the US presidential election.

The AgeLocker ransomware, first detected in July 2020, is targeting publicly exposed QNAP Network Attached Storage (NAS) devices and encrypting them with an encryption algorithm called Age (Actually Good Encryption). Age was introduced to replace GPG for encrypting files, backups, and streams. Files affected by ransomware using this encryption method have the URL 'age-encryption.org' placed at the beginning of the text. According to researchers, AgeLocker has been targeting QNAP NAS devices since August 2020.

New research has revealed a rise in the number of cyberattacks targeting industrial control system (ICS) computers deployed by companies in the oil and gas sector. Growth in the number of attacks on these sectors occurred as the percentage of ICS devices attacked in other industries declined. This appears to indicate that threat actors are now moving their focus away from the automotive, manufacturing, engineering, and ICS integration industries.

Data breaches, fraud, and vulnerabilities

Data Breaches

On 22 September, Radio Canada confirmed that data from 38 Canadian police departments was leaked in June 2020 as part of the BlueLeaks data collection. Confidential documents, internal memos, emails, and communication with police forces from the US, as well as the personally identifiable information (PII) of an unknown number of Canadian police officers, are present in the leak. An analysis of the disclosed data showed that it ‘did not have a material impact on sensitive operations’. The BlueLeaks data collection was released on 19 June 2020. The files, which span more than 24 years, from August 1996 to June 2020, are said to contain names, email addresses, phone numbers, PDF documents, images, as well as multiple text, video, CSV, and ZIP files. They cover police forces in the US and Canada.

An unsecured database exposed sensitive data for users of Microsoft’s Bing search engine mobile application. The data was kept on a 6.5TB server owned by Microsoft, which researchers believe was exposed for six days between 10 and 16 September. Due to the sheer amount of data exposed, researchers estimate that anyone in over 70 countries who made a Bing search with the mobile app between 10 and 16 September is at risk. The researchers claim that ‘once the hacker has the search query, it could be possible to find out the person’s identity thanks to all the details available on the server, making them an easy blackmail target.’

Over eight million patients in India had their personal and medical details exposed due to multiple vulnerabilities in a government-run COVID-19 surveillance system, Surveillance Platform Uttar Pradesh Covid-19. The software was first discovered by researchers on 1 August. Both CERT-In and the cybercrime department of the Uttar Pradesh government were contacted as soon as this issue was discovered in Surveillance Platform Uttar Pradesh Covid-19. The platform was only fixed, however, on 10 September. 

Fraud

Researchers reported a phishing page set up to replicate the AT&T Global employee login page. The phishing page offered five ways for potential victims to ‘authenticate’ themselves - and submit their data. This phish was sophisticated, targeting the one-time passwords used in Multi-Factor Authentication (MFA) sign-ins.

Threat actors are using Google's App Engine domains to deliver phishing and malware while remaining obfuscated from enterprise security products. A Google App Engine subdomain represents an app, the app version, service name, project ID, and region ID fields. If any of these fields are incorrect, the site will display the app's default page. As a result, there are multiple permutations of subdomains that could lead to a malicious app because numerous domains can lead to the same app. This makes it difficult for system administrators and security professionals to block malicious activity. All of the subdomains are stamped with the ‘Google Trusted Services’ seal of approval in their SSL certificates; these are automatically approved by most security solutions. 
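The blocking problem described above comes from the fact that many hostnames resolve to one App Engine project. A defender therefore wants to canonicalise every appspot hostname to its project ID before comparing it against a blocklist, rather than blocking individual permutations. The following is an added example (not code from the original brief or from Google) that does this in Python. It assumes the documented App Engine host layout `VERSION-dot-SERVICE-dot-PROJECT_ID.REGION_ID.r.appspot.com`, with the `-dot-` separated prefix labels and the `REGION.r` part both optional; the blocklist entry is a constructed placeholder, not a real project.

```python
import re
from urllib.parse import urlsplit

# Constructed denylist of App Engine project IDs (placeholder value, not a real project).
BLOCKED_PROJECTS = {"example-phish-project"}

# Assumed host layout: [VERSION-dot-][SERVICE-dot-]PROJECT_ID[.REGION.r].appspot.com
# Dots cannot appear inside the prefix labels, which is why App Engine joins them with "-dot-".
_APPSPOT_RE = re.compile(
    r"^(?P<labels>[a-z0-9-]+)(?:\.(?P<region>[a-z0-9]+)\.r)?\.appspot\.com$"
)


def appspot_project(url_or_host):
    """Canonicalise an appspot URL or hostname.

    Returns a dict with the project ID, the tuple of "-dot-" prefix labels
    (version/service fields, which may be bogus) and the region label, or
    None when the host is not an App Engine host at all.
    """
    host = url_or_host
    if "://" in host:
        host = urlsplit(host).hostname or ""
    host = host.lower().rstrip(".")
    m = _APPSPOT_RE.match(host)
    if not m:
        return None
    labels = m.group("labels").split("-dot-")
    return {
        "project": labels[-1],          # the last label is always the project ID
        "prefix": tuple(labels[:-1]),   # whatever was put in front of it
        "region": m.group("region"),
    }


def is_blocked(url_or_host, blocked=BLOCKED_PROJECTS):
    """True when the URL points at a project on the denylist, whatever the prefix."""
    info = appspot_project(url_or_host)
    return info is not None and info["project"] in blocked


if __name__ == "__main__":
    for candidate in (
        "https://v1-dot-api-dot-example-phish-project.uc.r.appspot.com/login",
        "https://anything-dot-example-phish-project.appspot.com/",
        "https://other-project.appspot.com/",
        "https://example.com/",
    ):
        print(candidate, "->", appspot_project(candidate), "blocked:", is_blocked(candidate))
```

Because every permutation of version and service labels collapses to the same project ID, one denylist entry covers all of them; the same canonical form is also the right key for proxy logs when hunting for other traffic to a project already identified as malicious.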

Vulnerabilities

Over 200,000 businesses that have deployed Fortigate VPN solutions are vulnerable to man-in-the-middle (MitM) attacks that could enable a remote attacker to fraudulently take over a connection. The Fortigate SSL-VPN client only verifies that the certificate was issued by Fortigate (or another trusted Certificate Authority). Consequently, an attacker can easily present a certificate issued to a different Fortigate router without raising any flags and implement a MitM attack. According to CISA and the FBI, VPN products are currently being targeted by both Iranian APT groups and the Chinese Ministry of State Security. US federal agencies and other US-based networks have been attacked in these campaigns.
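The Fortigate weakness above is a general one: a client that only checks that a certificate chains to a trusted issuer, without checking that the name in the certificate matches the host it is connecting to, will accept any other device's certificate from the same issuer. The following is an added example (not code from the original brief or from any vendor) in Python. It works on certificates in the dictionary shape `ssl.SSLSocket.getpeercert()` returns, the certificates themselves are constructed sample values, and `verify_peer` is a hypothetical name; it shows the issuer-only check beside the hardened issuer-plus-hostname check, and how to get the hardened behaviour from the standard library.

```python
import ssl

# Constructed peer certificates in ssl.getpeercert() layout (not real certificates).
TRUSTED_ISSUER_ORGS = {"Example Vendor CA"}

LEGIT_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "issuer": ((("organizationName", "Example Vendor CA"),),),
    "subjectAltName": (("DNS", "vpn.example.com"),),
}
# Same vendor issuer, but issued to a different customer's device.
OTHER_DEVICE_CERT = {
    "subject": ((("commonName", "vpn.other-customer.example"),),),
    "issuer": ((("organizationName", "Example Vendor CA"),),),
    "subjectAltName": (("DNS", "vpn.other-customer.example"),),
}
UNTRUSTED_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "issuer": ((("organizationName", "Nobody CA"),),),
    "subjectAltName": (("DNS", "vpn.example.com"),),
}


def dnsname_match(pattern, hostname):
    """RFC 6125 style match: one wildcard, only as the whole leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def issuer_org(cert):
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def verify_peer(cert, expected_host, trusted_issuer_orgs, check_hostname=True):
    """Return (accepted, reason). check_hostname=False reproduces the weak client."""
    if issuer_org(cert) not in trusted_issuer_orgs:
        return False, "issuer not trusted"
    if not check_hostname:
        # Weak: any certificate from the vendor's CA is accepted for any host.
        return True, "issuer trusted; hostname not checked (weak)"
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if any(dnsname_match(n, expected_host) for n in names):
        return True, "issuer trusted and hostname matches"
    return False, "hostname %s not among %r" % (expected_host, names)


def hardened_context():
    """Standard-library context that enforces both chain and hostname checks."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    print("weak:", verify_peer(OTHER_DEVICE_CERT, "vpn.example.com", TRUSTED_ISSUER_ORGS, check_hostname=False))
    print("hard:", verify_peer(OTHER_DEVICE_CERT, "vpn.example.com", TRUSTED_ISSUER_ORGS))
```

The second call is the one that matters: with the hostname check in place, a certificate issued to another customer's device is rejected even though it chains to the same vendor CA, which is exactly the condition the weak client fails to enforce.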

We recommend updating the products listed below to the most recent version as soon as possible in line with your company’s product update schedule:

  • CISA has issued two security advisories for multiple vulnerabilities in General Electric (GE) ICS products. These are used in industrial sectors such as chemical, manufacturing, energy, food production, and water management.
  • Microsoft Threat Intelligence Center (MSTIC) has warned that attackers are actively leveraging the Windows Server ZeroLogon exploits. Threat actors are incorporating CVE-2020-1472 into their payloads to escalate their privileges to domain administrator level and take over a domain.
  • 34 vulnerabilities have been revealed in Cisco IOS and IOS XE networking gear software. These were outlined by the company in 25 high-severity security advisories as part of Cisco's semi-annual release covering its router and network switch software. These are particularly serious issues given the wide deployment of Cisco IOS and IOS XE networking gear software. Users are urged to update their products as soon as possible.
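Patching is the fix for the ZeroLogon item above, but defenders also want to know whether the bug was used against a domain controller before the patch landed. The following is an added example (not code from the original brief or from Microsoft) in Python. It keys on two signals from Microsoft's public guidance: a Security event 4742 where a domain controller's own computer account password is changed by ANONYMOUS LOGON, and the Netlogon System events 5827 to 5831 that patched controllers log for vulnerable secure-channel connections. The event records are constructed sample lines in a simplified JSON shape, not real exported logs, and the field names follow the usual Windows event XML names but are an assumption about whatever export format is in use.

```python
import json

# Computer accounts of the domain controllers being monitored (constructed values).
DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed sample events; field names mirror Windows event XML but are assumed.
SAMPLE_LINES = [
    json.dumps({"EventID": 4742, "Channel": "Security", "Computer": "DC01.corp.example",
                "SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY",
                "TargetUserName": "DC01$", "PasswordLastSet": "9/24/2020 10:15:03"}),
    # Normal machine-account password rotation: the DC changes its own password.
    json.dumps({"EventID": 4742, "Channel": "Security", "Computer": "DC01.corp.example",
                "SubjectUserName": "DC01$", "SubjectDomainName": "CORP",
                "TargetUserName": "DC01$", "PasswordLastSet": "9/20/2020 02:00:11"}),
    # Patched DC allowing a vulnerable Netlogon connection from a client that still needs attention.
    json.dumps({"EventID": 5829, "Channel": "System", "Provider": "NETLOGON",
                "Computer": "DC01.corp.example", "ClientName": "WS17", "ClientIP": "10.0.0.45"}),
    json.dumps({"EventID": 4624, "Channel": "Security", "Computer": "DC01.corp.example",
                "TargetUserName": "alice", "LogonType": 3}),
]


def classify(event):
    """Return an alert tag for a single parsed event, or None if it is benign."""
    eid = event.get("EventID")
    if (eid == 4742
            and event.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
            and event.get("TargetUserName") in DC_ACCOUNTS):
        # A DC computer-account password reset with no authenticated subject.
        return "dc-password-reset-by-anonymous"
    if eid in (5827, 5828):
        return "vulnerable-netlogon-denied"
    if eid in (5829, 5830, 5831):
        return "vulnerable-netlogon-allowed"
    return None


def scan(lines):
    """Scan JSON event lines; return (tag, reporting computer, subject of the alert) tuples."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        tag = classify(event)
        if tag:
            who = event.get("TargetUserName") or event.get("ClientName") or "?"
            alerts.append((tag, event.get("Computer"), who))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(alert)
```

The anonymous 4742 against a DC account is the higher-priority signal, since it is the footprint of the password reset itself; the 5829 family is an inventory signal that tells you which clients would still be exposed once enforcement mode is switched on.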

APT Activity and Malware Campaigns

APT activity

Cybercrime group Old Gremlin has been targeting Russian businesses with a new ransomware strain called TinyCryptor (also known as decr1pt). The group was first detected in August, but its attacks have been traced back to March. Despite being of Russian origin, Old Gremlin has exclusively targeted Russian organisations - an unusual move for Russian-speaking threat actors, who are generally understood to have an unspoken rule about not working within Russia or ex-Soviet countries. That said, some of the most infamous Russian groups - such as Silence and Cobalt - began their cybercriminal careers by targeting small companies in Russia before expanding their operations to the rest of the world. It is also possible that Old Gremlin operates from a CIS country but harbours anti-Russian sentiments.

The TTPs of an APT group dubbed GADOLINIUM have been revealed. The group prefers to use open-source tools to weaponise its payloads and command and control (C&C) servers, as well as cloud services for distribution. GADOLINIUM is a nation state-level adversary that has been compromising targets worldwide for over a decade. It focuses on the maritime and health industries. The group's attacks begin with crafted spear-phishing emails with malicious attachments to achieve user execution and to bypass defences. The group typically uses custom-made malware for each engagement and has recently ventured outside of the Asia Pacific region, targeting other sectors such as higher education and regional government entities.

A new campaign using NATO-themed lures has been identified. The attacks, which started on 5 August and targeted a government entity in the Middle East, have been attributed to APT28 (also known as Fancy Bear). The malware used in this campaign was the Delphi version of Zebrocy, which is often deployed by APT28. The NATO lure used to deploy Zebrocy was called ‘Course 5 - 16 October 2020.zipx’. It contained a JPG that showed the logo of the Supreme Headquarters Allied Powers Europe (SHAPE). In fact, the JPG file was a renamed concatenated '.zipx' file that had to be opened with WinRAR. APT28 is thought to have used a renamed ‘.zipx’ to evade antivirus systems.
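Two items in this brief come down to the same defensive check: the Zebrocy lure above was an archive carrying an image extension, and the AgeLocker files in the earlier ransomware item carry the 'age-encryption.org' header at the start of the file. Both can be caught by comparing what a file claims to be (its extension) with what its leading bytes say, and by looking for an archive signature appended after image data. The following is an added example (not code from the original brief or from the researchers it cites) in Python that does this on in-memory sample bytes; the sample files and their names are constructed, and `check`, `sniff` and the small signature table are assumptions of this example rather than any tool's API.

```python
# Leading-byte signatures; the "age" entry is the header the brief describes.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),          # also covers .zipx, which is a ZIP container
    (b"Rar!\x1a\x07", "rar"),
    (b"age-encryption.org", "age"),  # age-encrypted file (header is "age-encryption.org/v1")
]
ARCHIVE_SIGS = (b"PK\x03\x04", b"Rar!\x1a\x07")

# What content kind each extension is expected to have.
EXPECTED = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "zip": "zip", "zipx": "zip", "rar": "rar"}

# Constructed sample files (bytes, not real artefacts) keyed by file name.
SAMPLES = {
    "logo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"PK\x03\x04" + b"\x00" * 8,  # image + appended ZIP
    "scan.jpg": b"PK\x03\x04" + b"\x00" * 20,                                      # ZIP renamed to .jpg
    "invoice.pdf": b"age-encryption.org/v1\n-> X25519 placeholder\n",               # age header on a 'PDF'
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "notes.zipx": b"PK\x03\x04" + b"\x00" * 20,
}


def sniff(data):
    """Identify a file by its leading bytes; 'unknown' if no signature matches."""
    for sig, kind in SIGNATURES:
        if data.startswith(sig):
            return kind
    return "unknown"


def has_appended_archive(data):
    """True if an archive signature appears after the first byte (polyglot/concatenation)."""
    return any(data.find(sig, 1) != -1 for sig in ARCHIVE_SIGS)


def check(name, data):
    """Return a short verdict string for one file."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = sniff(data)
    if kind == "age":
        return "age-encrypted"
    expected = EXPECTED.get(ext)
    if expected and kind != "unknown" and kind != expected:
        return "mismatch: .%s but content is %s" % (ext, kind)
    if kind in ("jpeg", "png") and has_appended_archive(data):
        return "%s with appended archive" % kind
    return "ok"


def scan(samples):
    """Run check() over a name->bytes mapping; returns only the flagged files."""
    return {name: check(name, data) for name, data in samples.items() if check(name, data) != "ok"}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print("%-14s %s" % (name, verdict))
```

An unexpected age header on a document share is a strong indicator that encryption by something other than the user has happened, and a mail gateway or endpoint agent that applies the extension check to attachments removes the benefit of renaming an archive to an image extension.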

Malware

Emotet ‘Epochs’ (the name for its three different spamming botnets) continue to push the malware in thousands of malspam emails. Japan has been particularly hard hit, and the US has recently seen an uptick. The malware is being distributed in malicious ZIP files. Many of the lures in the emails have related to government issues or financial business transactions.

The US CISA has reported ‘a notable increase in the use of LokiBot malware by malicious cyber actors since July 2020.’ The spike has been independently confirmed by Malwarebytes. LokiBot is an infostealer that searches infected devices for locally installed apps and extracts credentials from their internal databases. By default, LokiBot can target browsers, email clients, FTP apps, and cryptocurrency wallets. LokiBot is the second most prolific malware in terms of the number of credentials supplied to credential stores. This data can be used to further penetrate target organisations, pivot to other suppliers, or be sold on darknet markets.

A new attack campaign is leveraging backdoored Windscribe VPN installers. These are used to provide access and control over infected devices without the need for authentication. The Windscribe installers are delivered via fraudulent sources, not from the official download centre or app stores. Virtual Private Networks (VPN) are now relied upon more than ever as many companies' employees are working from home for the foreseeable future, away from office network environments. Recent samples of Cobalt Strike discovered in the wild masqueraded as legitimate VPN installers, as well as an Office 365 installer. Legitimate software is packed with the malware to increase the chances of successful infection.

An emerging Android banking Trojan has been identified that also functions as a remote access Trojan (RAT). The malware, dubbed Alien, is also related to the Cerberus Android malware, which was recently discontinued. Alien comes with a wide range of features and enables the theft of credentials from 226 applications. Most of the banking apps targeted by Alien developers were for financial institutions based in Spain, Turkey, Germany, the US, Italy, France, Poland, Australia, and the UK. 

Darknet

Over 179 arrests were made this week as part of Operation DisrupTor. The internationally coordinated effort by the Joint Criminal Opioid and Darknet Enforcement (JCODE) team aimed to disrupt the opioid trade on darknet markets. Law enforcement utilised data taken from a Wall Street Market server, which was seized when the market was shut down in May 2019. USD6.5 million in cash and cryptocurrencies were seized, alongside 500 kilograms of drugs. Moreover, law enforcement was able to use this historic data to identify active users across a broad range of markets. This operation underscores the value in obtaining market server data for law enforcement.

Invictus market is continuing to grow rapidly, though many users remain suspicious of it in the wake of Empire’s exit scam. Currently, White House remains the most popular market by some margin; however, it has not consolidated its lead in the same way that Empire did after Apollon exit scammed.

Geopolitical Threats and Impacts

Americas

PERU – President Survives Impeachment Vote in Congress

On 18 September, President Martín Vizcarra survived an impeachment vote in congress over his ties to irregular government contracts awarded to a little-known singer, Richard Cisneros. The failure of the impeachment process is a positive development for political stability in Peru, which is facing major public health and economic crises due to the novel coronavirus (COVID-19) pandemic. It removes the potential for immediate-term political instability to overshadow the concurrent health and economic crises, with Vizcarra due to remain in office until mid-2021.

CUBA & US – Trump Announces New Sanctions in Likely Electoral

On 23 September, US President Donald Trump announced new sanctions on Cuba, as part of his administration’s efforts to curtail revenue to the island’s communist government. Under the measures announced, US travellers are no longer permitted to stay in hotels owned or controlled by the Cuban government. Travellers returning from Cuba are also prohibited from bringing Cuban cigars and rum into the US.

The measures are likely to prevent many US travellers from legally visiting the island, given that most Cuban hotels are owned or controlled by the local government. The primary motive for the sanctions is highly likely to be November’s presidential election. The Cuban-American community in Florida, a key swing state, are an important demographic group which has historically supported the Republican Party, and whose support is important if Trump is to secure a win in Florida.

Asia-Pacific

TAIWAN, CHINA & US – Spike in Chinese Military Activity Fuels Cross-Strait Tensions

Eighteen Chinese military aircraft entered Taiwan’s airspace on 18 September followed by 19 more on 19 September, according to Taiwan’s Ministry of National Defense. The ministry on 21 September responded by saying that Taiwan has the right ‘to self-defence and to counterattack.’ Taiwanese President Tsai Ing-wen said that the activities would make other countries in the region more wary of China.

Before the weekend’s activities, Chinese military aircraft had only deliberately entered Taiwanese airspace three times since 1999, according to Taiwan and US government reports. Washington is preparing a USD7 billion arms deal with Taipei, according to a Wall Street Journal report last week. The signing of a comparatively large arms deal and a potential Taiwan-US free trade agreement, in combination with an increasing US naval presence in the Taiwan Strait, will likely further stoke cross-strait tensions. Businesses with interests in Greater China should monitor cross-strait developments and factor potential diplomatic and commercial reprisals into their strategic planning.

HONG KONG – China Targets Territory’s Foreign Media in Move to Curb its Existing Status

China’s foreign ministry on 23 September demanded that the Hong Kong-based Foreign Correspondents Club (FCC) stop ‘meddling’ in the territory’s affairs, while also accusing it of sheltering what it called ‘black rioters’ – a reference to the clothing worn by protesters during the months of street demonstrations in 2019. The foreign ministry’s intervention followed the FCC’s criticism of a decision by the police to instruct its officers on how to deal with different categories of journalists in situations ranging from protests to media conferences.

The treatment of the foreign and local media in Hong Kong by the authorities in Beijing is widely viewed as an indicator of the territory’s probable trajectory under increased rule from mainland China. Many foreign companies in Hong Kong increasingly recognise that their previous status and actions are now under greater scrutiny by Beijing, with China seemingly viewing the overseas media as a useful sector to signal its expectations and the consequences of failing to meet them.

Europe and Russia

UK, EU, & BELARUS – UK Foreign Minister Sanctions Belarusian Officials Over Election

UK foreign minister Dominic Raab said on 24 September that sanctions would be imposed targeting Belarusian officials accused of human rights violations after President Alexander Lukashenko’s ‘fraudulent inauguration’, a low-key ceremony held in Minsk on 23 September. The UK will be cooperating with the US and Canada ‘to prepare appropriate listings as a matter of urgency’.

The UK sanctions will be imposed under the 2018 ‘Magnitsky’ law, which allows measures against individuals and entities responsible for human rights violations. Meanwhile in Belarus, protests in the wake of the 9 August presidential election continue with the same intensity. EU joint action has stalled due to a veto by Cyprus preventing the adoption of sanctions against around 40 people considered responsible for a widespread crackdown on protesters. An EU summit on 1-2 October, however, may lead to an agreement on co-ordinated action.

BELARUS – Hackers Leak Personal Data of 1,000 Police Officers as Large Protests Continue

A group of anonymous hackers leaked the personal data of 1,000 police officers in Belarus in response to a continuing crackdown on anti-government protesters since the 9 August presidential election. The data leak is significant because it highlights growing pressure on President Alexander Lukashenko; for the regime, support from the military and wider security apparatus is crucial. Efforts to unmask police officers, who wear balaclavas during interventions, have become a symbol of resistance among the protest movement. There is a possibility that the data leak triggers retaliatory moves against police officers; it may also test their loyalty and support of the government. The internal affairs ministry confirmed the leak on September through its website, adding that those responsible would be prosecuted. Shortly afterwards, the website was reportedly taken down through a DDoS attack.

IRELAND – Google Accused of Illegally Collecting Data for Advertising Use

According to a report published on 21 September, US-technology firm Google and multiple data brokers have allegedly violated EU privacy rules through collecting people’s personal information and using it to build comprehensive online profiles. Both Google and online advertisers maintain that they have strengthened privacy safeguards since the adoption of the EU General Data Protection Regulation. If substantiated, the claims will add further political and regulatory pressure on Google. Under current data protection rules, sensitive user data, including information about a person’s sexual orientation or health status, must be treated carefully. Companies need explicit approval from users before such data can be collected and processed. Because several major technology firms are headquartered in Ireland, authorities there have additional oversight over whether they follow EU rules.

MENA and Central Asia

IRAN & US – Reimposition of Pre-2015 Sanctions Signals Official Split with Security Council

On 19 September, US Secretary of State Mike Pompeo marked an official split from the position of UN security council members by announcing that all UN sanctions against Iran had been restored to pre-2015 levels, and that an arms embargo, initially scheduled to expire on 18 October, will also be extended. The move comes after the US proposed a ‘snapback mechanism’ on 20 August with the intention of reimposing sanctions that were previously lifted after the Joint Comprehensive Plan of Action (JCPOA), under which Iran agreed to limit its uranium enrichment programme. On 21 September, an unidentified senior official reportedly stated that the US will sanction over two dozen people and entities involved in Iran’s nuclear program.

The imposition of a new round of sanctions was expected. The move will likely cement the growing divisions between the US and its UN Security Council partners; 13 out of the 15 members have stated their intention to ignore Washington’s move, viewing it as void primarily because the US quit the JCPOA nuclear deal in 2018. The discord and resultant conflict that will likely emerge in the upcoming months as UN member states ignore the sanctions could have wide-ranging trade implications if the US bars violators from its markets.

ISRAEL – Lockdown Measures Widened with Possible Extension Amid Surge in Covid-19

Prime Minister Benjamin Netanyahu announced on 24 September that his cabinet had decided to tighten recently reimposed lockdown measures, which came into force on 18 September. The initial measures included the shutting of schools, hotels and all non-essential shops; however, new restrictions will now require all businesses and workplaces except for factories and essential services to close for two weeks starting 25 September. Netanyahu also stated that after the current three-week lockdown, a further two-week lockdown could be imposed depending on case numbers.

The ramping up of lockdown measures comes as COVID-19 daily case numbers continue to surge across the country. Objections to the decision are likely to be widespread, already including opposition from Finance Minister Israel Katz and Bank of Israel Governor Amir Yaron, who have both indicated that the economy, which is already in recession, will likely lose a further USD10.6 billion in the lockdown period. The legislation will likely result in the curbing of large-scale protests in the coming weeks, although smaller spates of unrest cannot be ruled out.

Sub-Saharan Africa

MALI – Transitional Government Appoints Leaders as ECOWAS Softens Sanctions Threat

Bah N’Daw, who was sworn-in as transitional president on 25 September, has appointed Moctar Ouane as prime minister. Ouane, a former foreign minister, is due to announce his cabinet on 29 September. The nomination comes after the Economic Community of West African States (ECOWAS) said it would lift sanctions once a civilian prime minister had been appointed.

The nomination of Ouane, who is a civilian as demanded by ECOWAS, signals a probable lifting of sanctions by the 15-member regional trade and political bloc. However, that decision will be contingent upon the profile of the cabinet. ECOWAS leaders have expressed concern about the military’s control of the political transition since the coup d’état that toppled former president Ibrahim Boubacar Keita on 18 August. The latest moves suggest a lifting of the sanctions is likely to occur in the one-week outlook.

CÔTE D'IVOIRE – Opposition Calls for Civil Disobedience Against President’s Election Bid

The main opposition parties have rallied behind Henri Konan Bédié, the leader of the Parti Démocratique de la Côte d'Ivoire — Rassemblement Démocratique Africain (PDCI-RDA), following a conference at his party’s headquarters in the Cocody commune of Abidjan. They called for a civil disobedience campaign against President Alassane Ouattara’s re-election bid, arguing that the two-term limit has been exhausted. The coalition also called for the dissolution of the Constitutional Court and electoral commission (or CEI), which they consider biased towards Ouattara, and demanded the liberation of party members in detention.

While the specific actions of the opposition coalition have yet to be announced, they will likely take the form of well-attended street protests, given Bédié’s support from political heavyweights including exiled leaders Laurent Gbagbo and Guillaume Soro. Such activity will probably be announced over the coming week and is likely to continue until at least 31 October, when the first round of the polls will be held.

ZAMBIA – Government’s Default on Three Eurobonds Likely to Precede Other Arrears

The finance ministry on 22 September asked creditors to suspend debt-service payments on three Eurobonds by nearly six months from 14 October. The request for a delay of nearly USD120 million in service payments on the three Eurobonds, totalling USD3 billion, is due to the impact of the COVID-19 pandemic, which has caused severe liquidity shortages.

The move is unexpected, as Zambia’s risk of external debt distress was high even before the pandemic broke out at the beginning of the year. The latest debt-service delay request likely marks the first in a series of sovereign debt defaults over the coming year. In turn, this is likely to lead to decreased revenue for creditors. In addition, nearly 30 per cent of Zambia’s external debt is held by Chinese institutions, many of which have financed large infrastructure projects. While specific details are unclear of that part of the debt, which is also being renegotiated, there are growing concerns that Chinese lenders will seek to take a controlling stake in the country’s copper mines as collateral.