December 21, 2017
Anissa Khalid

12 Days of Threats

<blockquote><p><em>On the first day of Christmas a hacker stole from me,<br /> Thousands in my favorite cryptocurrency…<br /> On the second day of Christmas a hacker stole from me,<br /> Two plain-text passwords and thousands in my favorite cryptocurrency...</em></p></blockquote><p>We’re sure by now you’ve heard too much Christmas music, so we’ll spare you a full rendition. However, as we approach the end of the year, we’d like to reflect on some of the year’s most notable cyber events.</p><h2>Freedom Hosting II</h2><p><strong>Threat description:</strong> February 2017 - A first-time hacker from <a href="" target="_blank">Anonymous took down approximately 20% of all Dark Web traffic this year</a> by breaching Freedom Hosting II (FH2), a Dark Web hosting provider. Anonymous posted messages on all of these sites explaining they did this because <a href="" target="_blank">FH2 provided services to child pornography and scamming sites</a>. The hackers initially tried to ransom the Freedom Hosting II database for 0.1 Bitcoin (a little over $100), but later released the information publicly. This information included plain-text emails and passwords, site user lists, personal information about site administrators, and a write-up of how they breached the systems.</p><p><strong>Holiday gift:</strong> Bad guys get empty stockings and empty sites</p><h2>Cloudbleed</h2><p><strong>Threat description:</strong> February 17th, 2017 - Internet infrastructure and security company Cloudflare wasn’t directly targeted by a malicious attack, but likely felt its fair share of panic this year. A security bug affected Cloudflare’s reverse proxies, unwittingly <a href="" target="_blank">leaking data from Cloudflare customers to other customers</a>. Personally Identifiable Information (PII) was downloaded by crawlers and users during everyday activity. This data included full HTTPS requests and responses, client IP addresses, cookies, and passwords. 
Tavis Ormandy of Google Project Zero, who <a href="" target="_blank">first identified the issue</a>, was able to get Cloudflare servers to return private messages from dating sites, full messages from chat services, online hotel bookings, and online password manager data. Cloudflare has since <a href="" target="_blank">reported on the potential impact of the bug</a>.</p><p><strong>Holiday gift:</strong> Proof that collaboration can identify and fix issues before a malicious actor takes advantage</p><h2>Wikileaks CIA Vault 7</h2><p><strong>Threat description:</strong> March 7th, 2017 - This year <a href="" target="_blank">Wikileaks released thousands of pages of CIA software tools and techniques</a> allegedly created in collaboration with British intelligence. This trove of documents, titled Vault 7, serves as a catalogue of advanced tactics for surveillance and cyber warfare, including how to hack into smartphones, computers, and Internet-connected TVs. The CIA has not confirmed the authenticity of these documents, but officials speaking anonymously have indicated that the information from Vault 7 is genuine. Wikileaks has not identified the source of the information. The existence of such documents is not necessarily surprising, but the scope of tools and procedures is alarming. Instructions are also available for compromising Skype, Wi-Fi networks, documents in PDF format, commercial antivirus programs, WhatsApp, Signal, and Telegram.</p><p><strong>Holiday gift:</strong> The CIA is there to listen when we have a long day. Now we can be a good friend and hear a bit about theirs as well.</p><h2>Shadow Brokers</h2><p><strong>Threat description:</strong> The Shadow Brokers first came to public attention with an <a href="" target="_blank">announcement</a> offering tools stolen from the NSA’s hacking division, officially called Tailored Access Operations and colloquially called the Equation Group. 
Few people offered to take the bait, so <a href="" target="_blank">The Shadow Brokers chose to publicly release some of the information</a> - all unredacted. The <a href="" target="_blank">exploits they have released are older</a> and often already patched, but still have significant potential for damage. For example, the NSA backdoor used in the WannaCry ransomware, DOUBLEPULSAR, <a href="" target="_blank">came from one of the Shadow Brokers’ leaks</a>. It is still unknown exactly who the Shadow Brokers are.</p><p><strong>Holiday gift:</strong> Catalogues more interesting than SkyMall.</p><h2>WannaCry</h2><p><strong>Threat description:</strong> May 12th, 2017 - The WannaCry ransomware outbreak serves as evidence that weapons-grade cyber attacks developed by nation states are now being used for profit. WannaCry was one of the first examples of ransomware that had the ability to <a href="" target="_blank">spread to other (Windows) computers on its own</a>, similar to malware of the past like <a href="" target="_blank">Conficker</a>. The ransomware was able to spread on its own by scanning for systems vulnerable to <a href="" target="_blank">MS17-010</a>, exploiting them, and then using a <a href="" target="_blank">recently leaked NSA backdoor</a> to install the ransomware on the system. Both the exploit, called ETERNALBLUE, and the backdoor, DOUBLEPULSAR, came from the recent <a href="" target="_blank">“Lost in Translation” dump</a> leaked by the Shadow Brokers. The United States government has <a href="" target="_blank">officially blamed North Korea</a> for WannaCry.</p><p><strong>Holiday gift:</strong> Some tissue for those impacted by WannaCry.</p><h2>Petya/NotPetya/Nyetya/PetrWrap</h2><p><strong>Threat description:</strong> June 27th, 2017 - The <a href="" target="_blank">Petya malware rapidly spread across Europe and North America</a> and infected tens of thousands of systems in more than 65 countries. 
The Petya ransomware trojan is speculated to be part of a Ransomware-as-a-Service (RaaS) malware family that was first advertised by Janus Cybercrime Solutions as a RaaS in late 2015. The initial infection vector is believed to be contaminated software updates from Ukrainian financial tech company MeDoc. Anton Geraschenko, an aide to the Ukrainian Interior Minister, has stated that this infection was “the biggest in Ukraine’s history.” The estimated damages associated with NotPetya reached into the millions for companies like French construction group Saint-Gobain, which <a href="" target="_blank">lost an estimated $387 million</a>.</p><p><strong>Holiday gift:</strong> Nothing. Ransomware still sucks :(</p><h2>Hackers Target Nuclear Facilities</h2><p><strong>Threat description:</strong> July 2017 - Critical infrastructure such as nuclear and energy facilities is frequently targeted by advanced persistent threat actors. Early this year the Department of Homeland Security and the Federal Bureau of Investigation <a href="" target="_blank">released a joint report</a> indicating that companies such as the Wolf Creek Nuclear Operating Corporation had been targeted by hackers. The various attack methods included targeted emails with malicious Word documents, man-in-the-middle attacks (redirecting internet traffic through malicious machines), and watering hole attacks (compromising legitimate websites). Evidence points to Russian hacking group <a href="" target="_blank">“Energetic Bear”</a> as the culprit. Luckily, no real damage was done.</p><p><strong>Holiday gift:</strong> Energy sector > energetic adversaries</p><h2>Ethereum</h2><p><strong>Threat description:</strong> July 2017 - Popular computing platform Ethereum fell victim to multiple hacks in 2017. 
On separate occasions cyber criminals stole more than $1 million, $7.4 million, and later <a href="" target="_blank">$32 million worth of “ether” tokens</a>, the second most widely-used cryptocurrency. For the latter hack, <a href="" target="_blank">white hat hackers (the good guys) drained $75 million worth of ether</a> from other accounts to protect it from thieves by exploiting the same vulnerability. Ethereum’s problems didn’t end there; a glitch later in the year caused $300 million to be frozen in Parity multi-signature wallets. <a href="" target="_blank">Parity Technologies suggested a fork</a> (think hard reset) to “unlock” the funds like the one enacted after the <a href="" target="_blank">DAO hack</a>.</p><p><strong>Holiday gift:</strong> We’ve identified a better solution than Nutcrackers for a tough nut to crack - white hat hackers.</p><h2>MongoDB</h2><p><strong>Threat description:</strong> September 2017 - Open-source document database MongoDB had over <a href="" target="_blank">27,000 databases wiped and ransomed for their restoration</a>. The targeted databases were running with default settings, making it easy for attackers to find and exploit them. Unfortunately, many of the companies that paid the ransom were never given back their data. Without proper management of permissions and settings, services like MongoDB present an easy opportunity for attackers.</p><p><strong>Holiday gift:</strong> <a href="" target="_blank">Security best practices from MongoDB</a>, and a reminder of their importance. This holiday season try to look at security not as the often-ignored fruitcake, but as the delicious frosting keeping your internet gingerbread house together.</p><h2>Campaign Hacks</h2><p><strong>Threat description:</strong> 2017 - After the direct foreign influence in the 2016 U.S. presidential election, many were left wondering if the <a href="" target="_blank">numerous European elections of 2017</a> would encounter the same challenges. 
In the Netherlands’ March election, concerns over security were so great that every vote was counted by hand. Interior Minister Ronald Plasterk directly cited Russia as a factor in this decision, along with insecure and outdated counting software. The Macron campaign of France, knowing that a targeted attack was inevitable, engaged in a <a href="" target="_blank">“cyber-blurring” strategy</a>. Fake email accounts were seeded with false documents to slow down hackers. The French government cyber security agency ANSSI later confirmed attacks on the Macron campaign, but did not officially name Russia as the culprit. The <a href="" target="_blank">German election</a> did not encounter any direct interference, but it did have a bit of a scare - IT specialists Thorsten Schröder, Linus Neumann and Martin Tschirsich analyzed German vote-counting software and found numerous security flaws. Overall, it appears that most of the elections were carried out relatively unscathed.</p><p><strong>Holiday gift:</strong> Putin snuck his way onto the nice list last year and got a bald eagle as an early Christmas gift. This year the EU got him for Secret Santa and gave him nada.</p><h2>Equifax Data Breach</h2><p><strong>Threat description:</strong> September 7th, 2017 - Equifax announced a major data breach of its systems, <a href="" target="_blank">exposing data associated with approximately 143 million Americans, 400,000 Britons, and 100,000 Canadians</a>. The exposed data contained a host of Personally Identifiable Information (PII), including addresses, Date of Birth (DOB), full names, dispute documents, and of course Social Security Numbers (SSNs). The exploited vulnerability, CVE-2017-5638, had been patched in March 2017, but Equifax had not applied the patch. With the information of half the population of the United States now exposed, many are calling into question <a href="" target="_blank">the viability of the Social Security Number system</a>. 
People should stay alert for fraud.</p><p><strong>Holiday gift:</strong> Free credit report monitoring from the same company that lost your information in the first place</p><h2>BadRabbit</h2><p><strong>Threat description:</strong> October 24th, 2017 - Yet another large ransomware campaign <a href="" target="_blank">targeted entities in Russia and Eastern Europe</a> and affected predominantly news and media websites. The <a href="" target="_blank">initial infection vector</a> was believed to be drive-by downloads from compromised Russian websites, which served a fake Adobe Flash Player installer. The ransomware was able to propagate itself through networks via Server Message Block (SMB). Bad Rabbit bears similarities to the WannaCry and Petya ransomware outbreaks earlier in the year.</p><p><strong>Holiday gift:</strong> A reminder of the movie Donnie Darko. That’s about it.</p>
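<p>Returning to the MongoDB section above: the wiped databases were reachable because they ran with defaults that left the service listening on every interface with no authentication. The configuration below is an added illustration, not from the original post or from MongoDB’s own documentation. It shows that exposed shape beside a hardened <code>mongod.conf</code> using the YAML keys MongoDB reads; the bind addresses and file paths are assumed placeholders, and the <code>---</code> separator only keeps the two files in one listing.</p>

```yaml
# Added example, not from the post: the exposed shape the 2017 wipe-and-ransom
# campaign relied on, beside a hardened mongod.conf. Addresses and paths are
# illustrative assumptions.

# ---- File 1: effectively what an unconfigured pre-3.6 mongod did ----
net:
  bindIp: 0.0.0.0          # listens on every interface, including the public one
  port: 27017              # well-known default port; the first thing scanners try
# No "security" section: anyone who can reach the port is a full administrator,
# so "drop every database and leave a ransom note" needs no credentials at all.

---
# ---- File 2: hardened /etc/mongod.conf ----
net:
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the private app-subnet address only (assumed)
  port: 27017
  ssl:                         # MongoDB 3.x key name; 4.2+ renamed this to net.tls / net.tls.certificateKeyFile
    mode: requireSSL           # clients must speak TLS, so credentials never cross the wire in clear
    PEMKeyFile: /etc/ssl/mongodb.pem   # placeholder path to the server certificate+key

security:
  authorization: enabled       # every client must authenticate and is limited to its granted roles

storage:
  dbPath: /var/lib/mongodb     # placeholder; back this directory up on a schedule, since
                               # paying the ransom did not restore data for many 2017 victims

systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log   # placeholder; keeps auth failures and connections reviewable
  logAppend: true
```

<p>Order matters when rolling this out: create an administrative user over the localhost connection first, then turn on <code>security.authorization</code>, then restrict <code>net.bindIp</code>, and finally confirm from a host outside the allowed subnet that port 27017 no longer answers. Network filtering in front of the host is the second layer; the configuration above protects the instance even when that filtering is misapplied.</p>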
