Report

Weekly Threat Report 24th March 2017

Created:  24 Mar 2017
Updated:  24 Mar 2017
This report is drawn from recent open source reporting

Yahoo breach indictments

The FBI has indicted four individuals for unauthorised access to Yahoo’s networks. According to the indictment, two were alleged cyber criminals and two were members of Russia’s Federal Security Service (FSB) who “conspired to protect, direct, facilitate and pay criminal hackers to collect information through computer intrusions in the USA and elsewhere”.

The intrusion into Yahoo’s networks, and the group’s subsequent exploitation of this, reportedly began in 2014 and was still active in 2016. During this time, information from more than 500 million Yahoo user accounts was taken.

The two alleged cyber criminals were reportedly directed by the FSB officers on how to avoid being detected by law enforcement, and they tried to hide their activities using methods such as leasing servers in various countries, using virtual private networks (VPNs) and using webmail accounts opened with fake details. This trend was highlighted in the NCSC’s recent “Cyber threat to UK businesses” report, demonstrating how threat actors such as criminals and state actors might work together for mutual benefit. Collaborations such as this may result in the potential ‘upskilling’ of cyber criminals.

The indictment states that spear phishing was used to gain access to the networks. Some of the spear phishing emails contained malicious hyperlinks or attachments that directed to malware, while others lured recipients into divulging legitimate login details for their accounts. According to Ars Technica, the FBI have suggested that the initial intrusion likely occurred after the targeting of a “semi-privileged” Yahoo employee, and not top executives. This neatly demonstrates that the most useful staff members for malicious actors to target are often those administrators with escalated levels of privilege and not necessarily the organisation’s most senior staff. The NCSC has issued guidance on the importance of protecting administrators from spear phishing which can be found here.

As well as seeking information on topics of interest to Russian intelligence services, such as email accounts belonging to Russian journalists and accounts of US and Russian government officials, the attackers sought monetary gain from the breach. They did this using methods like scraping accounts for credit or gift card numbers, and taking address books from compromised accounts to use in a spam marketing campaign. The indictment does not state how much money was generated from these activities, but it is appears that the Yahoo compromise was used for both espionage and criminal purposes.

Malware money launderers charged

Metropolitan Police officers investigating the laundering of money illegally obtained from malware attacks in the UK have brought charges against two London-based Russian nationals. The pair were charged with conspiracy to commit fraud by false representation and with money laundering. They were arrested on suspicion of conspiracy to defraud UK clearing banks of over £2 million.

Cyber criminals will at some point need to launder the proceeds of their unlawful online activities for use in the real world. The process is therefore an important aspect of their activity, and potentially offers disruption opportunities against those hoping to profit from malware attacks.

Laundering methods include opening bank accounts using false identities and/or documents and ‘cashing out’ the deposited funds through the purchase of high value items, buying foreign currency or simply withdrawing money. Alternatively, the criminals may recruit money mules, individuals hired (sometimes unwittingly) to receive and move illegally obtained money between accounts and/or countries. This offers disruption opportunities against those hoping to profit from malware attacks.

Vulnerabilities

This week there were many updates from Cisco relating to different products, from the WebEx Meetings Server, Unified Communications Manager, Unified Computing System Director, Telepresence, Wireless LAN Controller, Prime Infrastructure, Nexus 7000 and 9000 Series, ASR routers, ASA and IOS/IOS XE. These updates addressed a range of problems from remote users conducting cross-site scripting, spoofing devices, modifying the configuration, bypassing the firewall, gaining root privileges, executing arbitrary code or obtaining potentially sensitive information.

Mozilla updated Firefox to fix a vulnerability that existed in version 52, and possibly earlier versions, that could allow for remote code execution due to an integer overflow.

HPE updated LoadRunner and Performance Center to address remote code execution vulnerabilities, and an update for NonStop Software Essentials to fix an unspecified flaw that could allow for local users to potentially obtain sensitive information.

QNAP Have released version 4.2.4 to fix multiple flaws that could potentially allow remote users to inject SQL commands, steal cookies, conduct cross-site scripting and clickjacking attacks, obtain potentially sensitive information, and/or execute arbitrary code

Elsewhere this week there were updates from IBM WebSphere, Ettercap, Drupal, Red Hat, EMC RecoverPoint, PuTTY, OpenSSH and for the Linux Kernel.

Debian issued updates for the Chromium browser, R, sitesummary and Wireshark.

Was this report helpful?

We need your feedback to improve this content.

Yes No