Geopolitical and Cybersecurity Risk Weekly Brief 7 December 2020

7 december 2020

Executive Summary

This week saw a significant development in the fight against COVID-19 with regulators in the UK approving the use of a vaccine jointly developed by US-firm Pfizer and Germany-based BioNTech, paving the way for vaccinations to begin. In the same week, Johnson & Johnson revealed that healthcare organisations are experiencing cyberattacks from state-sponsored attackers “every single minute of every single day.” State-sponsored APTs have persistently targeted the pharmaceutical industry in 2020.

As such, it is unsurprising that cybersecurity remains a priority. The EU will propose sanctions against entities spreading disinformation, particularly ‘foreign actors’ located in countries such as China and Russia. In Saudi Arabia, authorities said that levels of corruption and cybercrime had risen over recent months amid the COVID-19 pandemic.

Insufficient data security processes continue to plague companies and governments worldwide. Following a ransomware incursion on 5 November, and its failure to pay a USD11 million ransom demand, Capcom’s data has been leaked. This week it was revealed that 113,000 Alaskan citizens’ voting information had been leaked following a network intrusion. Data included drivers’ license numbers and dates of birth. Elsewhere, Verizon exposed customers' personal information through a bug in its Fios availability chat feature and researchers discovered complete backups of a Cayman Islands investment firm exposed publicly in an unsecure database. All client data was visible.

Talks between the UK and EU have entered a crucial phrase amid intense negotiations and signs that a breakthrough in Brexit negotiations is possible. In Burkina Faso, the president fell short of a legislative majority in the 22 November National Assembly elections but is likely to face little opposition.

Tensions with Iran persist. Iran’s Guardian Council, a 12-member constitutionally mandated body, approved the Strategic Act to Revoke Sanctions law that will effectively force the government to suspend all IAEA inspections of nuclear sites and initiate a move to enrich uranium past the restrictions set out under the JCPOA 2015 deal. Iran’s rising noncompliance will pose considerable challenges for President-elect Joe Biden, who has pledged to rebuild diplomatic ties with Iran.

The US government this week issued new visa rules for Chinese Communist Party (CCP) members seeking to travel to the US. Meanwhile in Hong Kong, three leading pro-democracy activists were given prison sentences; the move will likely increase scrutiny of and pressure on the Hong Kong administration by foreign governments as their imprisonment will be viewed as a political rather than legal response.

 

Attacks and cybersecurity news

Marene Allison, the Chief Information Security Officer at Johnson & Johnson, claims that healthcare organisations are experiencing cyberattacks from state-sponsored attackers "every single minute of every single day". This statement followed reports from the Wall Street Journal claiming that Johnson & Johnson was one of six COVID-19 vaccine research companies being targeted by North Korean APTs. The added publicity following the vaccine development process led to a 30 per cent uptick in cyberattacks against Johnson & Johnson. State-sponsored APTs have persistently targeted the pharmaceutical industry in 2020. Russian threat group CozyBear has been linked by the NSA to attacks on organisations involved in vaccine development. Microsoft recently revealed that at least three state-sponsored threat groups have targeted seven companies involved in COVID-19 vaccine research, with one posing as the World Health Organization (WHO) in one campaign.

Several notable tactics, techniques, and procedures (TTPs) were uncovered during the investigation of a recent BestCrypt ransomware attack against a Japanese organisation. Some of the TTPs have been leveraged by multiple groups including Lazarus and Winnti. It is possible that the two are coordinating attacks or sharing tools. Although there is no solid evidence that this attack was the work of either Winnti or Lazarus, both groups share an interest in Japan and have often targeted Japanese organisations; neither, however, has been observed using BestCrypt before. The use of the DTrack RAT to support ransomware deployment is also a new TTP. A combination of these two threat groups in targeting organisations would be a worrying development as they are two of the most skilled on the threat landscape today. It is more likely, however, that they are sharing tooling: a concern in and of itself.

A ransomware attack hit US department store Kmart and impacted its back-end services. Bleeping Computer claims that the ransomware responsible is Egregor, after analysis of a ransom note shared with the researchers. The number of Kmart stores in the US has decreased over the past two years, with only 34 stores remaining. Despite this, it is still a household name in the country. It is currently unknown if any data was compromised in this attack, but Egregor is known to steal user data and leak it on their darknet blog if the victim does not pay the ransom demand.

 

Data security, fraud, and darknet

Data Security

A large data leak has been connected to a Cayman Islands investment fund. The unnamed firm exposed the entirety of its backups in an internet-facing Microsoft Azure Blob; it reportedly manages USD500m of client funds. This includes sovereign wealth funds, prominent financial institutions, corporations, and family offices. Details of the fund's members and correspondence with investors could be read by anyone with the URL to the Blob. For an undisclosed period, this exposed who its shareholders are, how many shares they hold, and the value of those holdings. Other documents in the leak included scans of directors’ passports, letters between investors, files sent during negotiations, term sheets, share certificates, bank statements, and documents signed by directors.

Voter registration data for almost 113,000 Alaskan citizens has been exposed in a data breach. Following a network intrusion by an unknown attacker, the breach was discovered on 27 October. Affected users had used the online voter registration system in the past five years to change their details. The exact information accessed in this attack is currently unknown but is thought to have included personal data such as driver's license numbers and dates of birth. It has been noted that vote-counting equipment is not linked to the online voter registration system, so the ballot tabulation process during the recent 2020 US presidential election remained secure.

Verizon has exposed customers' personal information after a bug in its Fios availability chat feature showed transcripts of other people's chats. Information, which was leaked over several days, includes customer addresses, phone numbers, account numbers, and "other personal information." These appear when people click on a link to chat with a Verizon representative. Some of the transcripts date back to June 2020. This exposure could cause reputational damage to Verizon, as it has taken multiple days for the organisation to investigate, and a resolution still has not been reached. The company has also failed to take this chat function offline while they deal with the issue, meaning that more data will continue to be exposed until the bug is fixed.

Capcom was hit by the RagnarLocker ransomware on 5 November. The attackers demanded a ransom of USD11 million in Bitcoin. However, it now appears that the company did not engage in ransom negotiations and the RagnarLocker operators have now leaked a significant amount of data from Capcom. However, they claim there is still more data in their possession and have urged Capcom to contact them "to make a deal". No deadline was provided.

Fraud

A credit card skimmer is using an innovative technique to inject highly convincing PayPal iframes and hijack the checkout process on compromised online stores. The web skimmer was hidden inside an image hosted on the site's own server using steganography. This skimmer steals and exfiltrates all order form data entered by the victims. This is then used to pre-fill fake PayPal payment forms that will be injected and displayed during the checkout process instead of legitimate forms. This is known as a Magecart attack, conducted by various threat groups all of which operate in a similar fashion and under the broader moniker of Magecart. This is a highly sophisticated campaign, with multiple working parts helping the threat actors appear legitimate and obfuscate their malicious activity.

Darknet

White House market has now reached 400,000 registered members. The operators’ announcement was accompanied by multiple administrative changes to the way the market operates. Notably, vendor bond has been increased to USD1,000 and vendors can see more information about customers purchase history. In terms of the broader darknet market landscape, this announcement is relatively significant because it shows how far ahead of its potential rivals White House market is.

The operators of the Avaddon ransomware have updated their malware, which will now also include a new control panel for affiliates. Notably, the operators have also stated they will begin to use new unspecified methods to pressure victims into paying the ransom. It is possible this will include DDoS attacks, as other ransomware operators have begun to utilise these in combination with leaking victim data.

 

APT activity, malware campaigns, and vulnerabilities

APT activity

New research from Microsoft indicates that an APT group known as BISMUTH is deploying cryptocurrency mining malware as part of its operations, which normally focus on espionage. BISMUTH shares similarities with the Vietnamese APT group OceanLotus and has been active since 2012. Between July and August, BISMUTH was observed deploying Monero cryptocurrency mining malware in operations targeting both government and private sector organisations in France and Vietnam. APT groups who rely on contractors will often conduct more financially driven operations alongside their primary objectives. In some instances, APT groups will be tasked directly to conduct financially beneficial operations as a means of securing additional funding.

CISA and the FBI have released a joint advisory over continued cyber intrusions by APT groups targeting US think tanks. The activity often begins by targeting individuals and organisations that focus on international affairs or national security policy. The key findings are as follows:

  • Initial access is established via multiple avenues. These include spear-phishing emails, third-party messaging services, and exploitation of vulnerable web-facing devices.
  • Due to the COVID-19 pandemic and an increased number of remote connections, APT groups can camouflage their traffic and blend in with the higher volume of traffic.
  • Virtual private networks (VPNs) and other remote work tools are often leveraged to gain initial access or persistence on a victim’s network.
  • APT groups will continue to exploit these low-effort, high-reward opportunities that enable them to steal sensitive information, acquire credentials, and gain long-term persistence in target environments. 

MALWARE

A new cyber-espionage campaign has been linked to the Russian group Turla in which a previously undocumented backdoor and document stealer, dubbed Crutch by its developers, is deployed. Notably, the tool uses Dropbox accounts under the Turla operators’ control. The network of a Ministry of Foreign Affairs from an EU country was reportedly compromised. Turla is one of the most advanced APTs on the threat landscape. It has a diverse malware arsenal that will require considerable resources and expertise to develop and maintain. The Crutch malware demonstrates that the group has new and undocumented tools that it can deploy against targets at will. Crutch is a significant threat because it can bypass multiple layers of security by leveraging legitimate cloud services, such as Dropbox, to blend into normal network traffic. Crutch enables the group to covertly exfiltrate stolen documents during intelligence gathering campaigns.

A new cryptocurrency mining campaign, dubbed Xanthe, is targeting Docker containers. The threats actors responsible employ multiple tactics to spread on the network. Like many cryptocurrency mining botnets, Xanthe targets containers with a misconfigured Docker API. The malware also harvests client-side certificates for spreading to known hosts using SSH. This highlights the need for defenders to monitor the behaviour of systems on their network. Attackers are always searching for ingress points, such as misconfigured Docker APIs in this instance.

A previously undocumented Windows PowerShell malware dubbed PowerPepper has been linked to the hackers-for-hire group known as DeathStalker. PowerPepper was discovered in May 2020; it is an in-memory Windows PowerShell-based backdoor that allows its operators to execute shell commands remotely via a C&C server. DeathStalker is one of four hackers-for-hire mercenary groups known to be active today. A similar organisation, known as Bahamut, has been using malicious applications, disinformation, and software flaws to surveil targets in the Middle East and South Asia, for instance. An Indian cybersecurity firm known as BellTroX (also called DarkBasin) has also been conducting cyber-operations for its clients. CostaRicto, the final group, was only disclosed in November when a report revealed that it had been targeting organisations predominantly located in South Asia, as well as Africa, Europe, and the Americas. The group is believed to from South Asia and, like its mercenary counterparts, has no specific geographical or industry sector focus.

Vulnerabilities

CISA has issued a security advisory over a new vulnerability disclosed in Schneider Electric ICS products. Successful exploitation can result in unauthorised command execution by a local user of the Windows engineering workstation, which could result in loss of availability, confidentiality, and integrity of the workstation. Schneider Electric has prepared Version 3.1 Service Pack 1B of the EcoStruxure Operator Terminal Expert product with a fix for this vulnerability. This fix is also available through Schneider Electric Software Update (SESU).

 

Geopolitical Threats and Impacts

Americas

US & CHINA – WASHINGTON TIGHTENS ENTRY RULES FOR CHINESE COMMUNIST PARTY MEMBERS

On Wednesday (2 December), the US government issued new visa rules for Chinese Communist Party (CCP) members seeking to travel to the US. Under the new measures, the maximum validity of visitor visas issued to CCP members and their families has been reduced from 10 years to one month, with visitors allowed only a single entry to the country. The measures do not impact CCP members’ eligibility for other forms of US visas, including immigrant visas. The move is the latest measure imposed by US officials to restrict Chinese citizens access to the country, following other restrictive measures on students, journalists, and diplomats. For its part, China this week accused the US of harassing crews of Chinese vessels and airlines, including questioning crews on their CCP party status. The measures mark the latest deterioration in bilateral ties under President Donald Trump, whose administration has had a host of disputes with China on issues as varied as trade, human rights, and military affairs. The incoming administration of President-elect Joe Biden, however, shares many of the Trump-era grievances and is unlikely to oversee a rapid improvement in bilateral ties.

BRAZIL – CONSECUTIVE BANK ATTACKS HIGHLIGHT MAJOR THREAT POSED BY CRIMINAL GROUPS

In the early hours of Wednesday (2 December), armed men stormed the northern city of Cametá, Pará state, attacking a bank branch and taking residents hostage, one of whom reportedly died. The assailants targeted a branch of state-controlled Banco do Brasil and used hostages as human shields, before fleeing the city after 90 minutes via a convoy of vehicles and later a boat on the Tocantins river. The attack took place approximately 24 hours after an almost identical raid in the southern city of Criciúma, Santa Catarina state, which also targeted a branch of Banco do Brasil. As of Wednesday morning, no direct link between the two attacks has been established. The Cametá attack, therefore, appears to be an opportunistic copycat incident inspired by Tuesday’s raid in Criciúma. The attacks highlight the major security threat posed by armed groups across Brazil, with social media footage showing the well-armed men travelling in large, coordinated convoys. This threat is particularly high in small and mid-sized cities, which host bank branches and other potential targets yet often lack the security forces capabilities of their larger counterparts.

Asia-pacific

HONG KONG – HIGH-PROFILE PRO-DEMOCRACY ACTIVISTS IMPRISONED OVER 2019 PROTEST

Three leading pro-democracy Hong Kong activists were given prison sentences by a local court on Wednesday (2 December). Joshua Wong, one of Hong Kong’s most prominent young political activists, was sentenced to 13.5 months imprisonment. Agnes Chow, a leading female activist, received a 10-month term and Ivan Lam, also from their Demosisto political group, seven months detention. All had earlier pleaded guilty to charges of unauthorised assembly relating to a demonstration in June 2019 outside the territory’s police headquarters that attracted thousands of protesters. While it was widely assumed the activists would receive custodial sentences, their imprisonment can now be expected to further increase scrutiny of and pressure on the Hong Kong administration by foreign governments and non-state activist groups as their imprisonment is likely to be viewed primarily as a political rather than legal response. Further, their detention on unauthorised assembly charges imply many thousands of mainly young people now face being criminalised or imprisoned. Foreign companies closely linked to Hong Kong should be aware that the perceived ‘martyrdom’ of the three young activists may cause reputational harm to their business interests beyond the territory.

SOUTH KOREA & CHINA – VIDEO GAME LICENCE AUGURS POTENTIAL WARMING IN TRADE TIES

The presidential office in Seoul on Thursday (3 December) said that China the day prior had, for the first time in four years, granted a licence to a South Korean mobile game. China has curbed sales of South Korean games, dramas, concerts, as well as tours to South Korea since 2017. The measures were widely viewed as a reprisal to Seoul’s decision to host the US’ Terminal High Altitude Area Defense (THAAD) missile defence system. Although the US and South Korean governments insisted that THAAD is aimed at deterring North Korean missile threats, the Chinese government is concerned that the THAAD system’s radar can reach into Chinese territory, harming its security interests. Wang Yi’s visit also secured a ‘two-plus-two’ meeting of Chinese and South Korean foreign and defence ministers, a gesture further illustrating accelerated attempts by Beijing to improve relations with Seoul during the instability of the US administration’s transition period. Although South Korea is a US ally, it is significantly dependent on China for trade and the game license signals a potential warming in trade ties.

Europe and Russia

REGIONAL – EU EXECUTIVE ARM TO PROPOSE SANCTIONS AGAINST ACTORS SPREADING DISINFORMATION

European Commission vice-president Vera Jourova has said the EU’s executive institution will propose sanctions against entities spreading disinformation, particularly ‘foreign actors’ located in countries such as China and Russia. Since the coronavirus (COVID-19) pandemic, reports of fake news aimed at fuelling polarisation, exacerbating ethnic tensions, and undermining efforts to tackle national outbreak have increased considerably. Multiple European countries have taken a step further and banned media organisations; in June Latvia’s media regulator banned the broadcasting of seven TV channels belonging to the Russia-based RT group in Latvia ostensibly over their role in promoting fake news and disinformation. Meanwhile the EU will propose new legislation that will involve stricter oversight of firms such as Facebook, Google, and Twitter amid growing calls on prominent platforms to enhance checks on content. More political and regulatory scrutiny will likely mean increased requirements on firms hosting, creating, and distributing content.

UNITED KINGDOM – REGULATORS APPROVE USE OF HIGHLY EFFECTIVE COVID-19 VACCINE

On Wednesday (2 December), regulators approved the use of a coronavirus (COVID-19) vaccine jointly developed by US-firm Pfizer and Germany-based BioNTech, paving the way for vaccinations to begin. The UK has ordered 40 million doses of the vaccine, enough to vaccinate 20 million for free. Mass distribution and vaccinations are expected for next year. An EU decision on the Pfizer/BioNTech vaccine, which offers up to 95 per cent protection against COVID-19, is expected later this month. The UK is now the first country to have approved the Pfizer/BioNTech for use. Other regulatory authorities are likely to follow suit once internal requirements and assessments indicate the vaccine is safe for mass vaccinations. A successful rollout of the vaccine will likely shorten the duration of highly disruptive restrictions imposed to suppress the spread of COVID-19. However, a growing movement opposing COVID-19 vaccinations and its supporters known as ‘anti-vaxxers’ imperils substantial progress in tackling the national outbreak. Indeed, conspiracy theories and disinformation have been a key feature of the global pandemic. High levels of public distrust have led to a proliferation of false information online, generally popular with marginal audiences but spreading more into the mainstream in recent months. As such, efforts for the vaccine to be effective in creating wider immunity must be complemented by a robust public health outreach campaign in a way that clearly communicates its efficacy and safety to the public.

EU & UK – BREAKTHROUGH LIKELY AS BREXIT TALKS ENTER CRUCIAL PHASE

Intense negotiations and positive signs on both sides of the channel suggest that a breakthrough in Brexit negotiations is possible. Officials are optimistic because the 31 December deadline – when the current transition period ends – is fast approaching; this will give extra momentum for negotiators to reach a deal. Another positive indication comes after the EU reportedly made an offer to grant 18 per cent of the fishing quota in UK territorial waters used by fishermen from EU member states back to the UK. Softer language from EU leaders also indicates that more flexibility has been granted to negotiators on key points. Numerous obstacles remain before a deal can be reached. The EU has maintained that the UK cannot continue to maintain the same trade benefits as members after Brexit. From 1 January, the UK will no longer be part of the single market and customs union, meaning that in a no-deal scenario, businesses will face tariffs on goods amid a range of new requirements at border entry points. Businesses in the UK have repeatedly expressed concerns that they lack information regarding new procedures and requirements, in addition to having very little time to make appropriate preparations. Recent developments reinforce our earlier assessments that a deal before the 31 December deadline remains the most likely outcome. An alternative scenario would see an extension of talks into next year.

MENA and Central Asia

IRAN – GUARDIAN COUNCIL APPROVES LAW EFFECTIVELY BREAKING OFF COMPLIANCE WITH JCPOA

The Guardian Council, a 12-member constitutionally mandated body, approved the Strategic Act to Revoke Sanctions law on Wednesday (2 December) that will effectively obligate the government to suspend all IAEA inspections of nuclear sites and initiate a move to enrich uranium past the restrictions set out under the JCPOA 2015 deal. The shift away from compliance is conditioned on the failure of European signatories to ease sanctions across Iran’s banking and energy sectors within a two-month time frame. President Hassan Rouhani has now been asked by the parliamentary speaker to implement the law. The new law marks a significant turning point for Iran in terms of compliance with the JCPOA deal, which has deteriorated over the past 18 months in response to the US ‘maximum pressure’ campaign and, most recently, the assassination of senior nuclear scientist Mohsen Fakhrizadeh on 27 November. Iran’s rising noncompliance will likely pose considerable challenges for the incoming US administration under President-elect Joe Biden, especially regarding efforts to rejoin the JCPOA pact; Biden has previously pledged his commitment to rebuilding diplomatic ties with Iran.

SAUDI ARABIA – ELEVATED SECURITY & CORRUPTION RISK AMID HIGH LEVELS OF CYBERCRIME, FRAUD

On Wednesday (2 December) the governor of the Saudi central bank and chair of the Anti-Money Laundering Permanent Committee, Ahmed Abdulkarim Al-Kholifey, said that levels of corruption and cybercrime had risen over recent months amid the COVID-19 pandemic. In a notable threat, he specifically referenced an increase in the number of financial fraud cases, whereby a growing number of individuals have fraudulently claimed investments in digital currencies. Al-Kholifey also outlined a number of corruption cases emerging in recent months where officials affiliated to the government have exploited the current health crisis by conducting side deals on the additional resources coming into the country, such as medical supplies. Finally, according to Al-Kholifey’s statement cybercrime cases have also risen, particularly via mobile phone hacking and fake financial donation campaigns established through the pandemic. The details underscore the elevated security and corruption risk to staff in the country and across the wider region amid the ongoing pandemic. Companies in Saudi Arabia and MENA have ramped up digitalisation processes in answer to lockdown and social distancing restrictions. However, this has resulted in a significant increase in the number of identity related fraud cases due to larger quantities of personal data available online and greater means of accessing this as employees utilise personal tech equipment more frequently.

Sub-Saharan Africa

SOUTH AFRICA – NEW DETAILS OF ABSA DATA LEAK EMERGE, SIGNALLING HIGH FRAUD RISKS

In an interview with local media outlet eNCA News on Wednesday (2 December), commercial bank Absa Group’s chief security officer, Sandro Bucchianeri, revealed that a recent leak of retail client data had affected 200,000 accounts, or 2 per cent of the bank’s retail banking customers. He confirmed that the bank gained knowledge of the leak on 27 October, and that personal details that were compromised included credit card numbers, addresses, contact details, and description of financed vehicles. Passwords and PIN-numbers were not affected, however. Bucchianeri also said that the unnamed credit analyst who had leaked the data to third parties had passed the regular vetting processes in place at the bank, but that the organisation was reviewing current practices. The incident highlights the need for a risk-based approach to access control lists, which limit the number of people with access to specific types of data. Furthermore, it is probable that regulators will increase scrutiny of financial service providers over the coming six months, as the incident follows the so-called Experian data breach in August, which also affected Absa along with other major banks.

ANGOLA – AUTHORITIES TO REVIEW IMMUNITY OF FORMER VP AS PRESSURE MOUNTS TO FIGHT CORRUPTION

Local media reported on Wednesday (2 December) that the attorney-general will review the immunity of former vice president Manuel Vicente, who is also the former CEO of state-owned oil group SONANGOL. The move comes amid an expanding judicial investigation into suspected embezzlement and money laundering of public funds related to Hong Kong-based investment group China International Fund’s (CIF) local subsidiary. Specifically, the investigation relates to past dealing between Vicente and former CIF CEO Sam Pa, who has been under US sanctions since 2014 and was arrested in China in 2015, suspected of corruption. The moves will likely cement President João Lourenço’s grip on the MPLA over the coming six months, amid mounting public pressure on his government to intensify its fight on corruption. Given Vicente’s role in SONANGOL, the investigation also carries significant corruption and political risks to companies that have done business with the state-oil group. Pa is widely believed to have played a key role in facilitating deals between SONANGOL and CIF (sometimes referred to as the 88 Queensway group), and other foreign entities. It is likely that scrutiny will increase in the home jurisdictions of some of those companies, including in China, Norway, Portugal, Switzerland, and the US, as more details emerge from some of the deals between SONANGOL and foreign entities, many of which are believed to have remained secret through a series of third-party companies registered in multiple jurisdictions.

BURKINA FASO – PRESIDENT FALLS SHORT OF LEGISLATIVE MAJORITY BUT LIKELY TO FACE LITTLE OPPOSITION

The electoral commission, CENI, announced on Sunday (20 November) that the Mouvement du peuple pour le progrès (MPP), the party of President Roch Marc Christian Kaboré, had obtained 56 out of 127 seats in the National Assembly during elections on 22 November. Opposition party Congrès pour la démocratie et le progrès (CPP) of former president Blaise Compaoré, which was barred from running in 2015, is the second-largest party with 20 seats. Despite initial accusations of voter fraud by opposition leaders, most candidates have congratulated the president, and legal challenges are unlikely to significantly alter the overarching election results. Nevertheless, the ruling party falls short of an absolute legislative majority, making it reliant on allied parties. Initially, this is unlikely to significantly challenge Kaboré’s policies. But the CPP’s return to the political scene as the main opposition block underscores growing frustration with the authorities’ inability to slow the expansion of Islamist militant groups in the north and east, and signals that it may become an obstructive political force and stability risk during the next five-year term.