Let’s analyze the state of last week’s global threat landscape. As you might expect, it was a pretty action-packed week. The categories to be studied and analyzed are:
- Malware of the week.
- Threat actor of the week.
- Data breaches of the week.
- Zero Day attacks of the week.
#1 Olympic Destroyer – KNOW Your Malware
On Olympic Destroyer’s threat intel page, you can scroll down and check out the most trending stories surrounding this malware. According to the report collated by KNOW, the US government has officially indicted Sandworm, one of the most dangerous Russian threat actors, for its cyberattack on the Winter Olympics.
Reactions from Twitter
Big news: DOJ today unsealed charges against Sandworm, naming the Russian GRU hackers who have for 5 years crossed every red line in cyberwar from blackouts to disrupting the Olympics to unleashing the NotPetya worm that cost $10 billion.
“No country has weaponized its cyber capabilities as maliciously or irresponsibly as #Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite.”
Olympic Destroyer references from KNOW
- Total references: 3,036
- References in the last 60 days: 64
- References during the previous 7 days: 64
Olympic Destroyer context from KNOW
- Industries: Finance, Pharmaceuticals & Biotechnology, and Sports.
- Related intrusion methods: Malware, spam, process hollowing, phishing, malicious apps, and hard-coded credentials.
- IP addresses: 3
- Associated domains: 3
- Hashes: 27
#2 FIN11 – KNOW Your Threat Actor
FIN11 is a financially motivated threat actor that monetizes its activities by spreading ransomware. According to KNOW’s threat intel dashboard, it is the most referenced threat actor over the last 7 days.
The financially motivated hacker group FIN11 has started spreading ransomware to monetize its cybercriminal activities. The group has conducted multiple operations targeting companies in North America and Europe. Security researchers believe that it operates from the Commonwealth of Independent States (CIS, the former Soviet Union countries).
Thoughts from Twitter
“The cybercrime gang relies primarily on phishing emails to gain a foothold in corporate networks, and is moving into hybrid extortion by distributing CLOP ransomware.”
FIN11 Cybercrime Gang Shifts Tactics to Double-Extortion Ransomware: The Clop ransomware has become a tool of choice for the financially motivated group.
FIN11 references from KNOW
- Total references: 639
- References over the last 60 days: 422
- References in the last 7 days: 419
#3 Luxottica and NEFILIM – KNOW Your Data Breaches
The most trending story in the “data breaches” category was about Luxottica being hit by the NEFILIM ransomware. Luxottica is a Milan-based sunglasses conglomerate that owns the world’s biggest eyewear brands, such as Ray-Ban, Persol, and Oakley. It has 80,000 employees globally and had revenue of €9.493 billion (A$15.8 billion) in 2019.
Luxottica’s data breach
A long list of files was stolen from Luxottica; the files appear to belong to the personnel office and finance departments. These files contain:
- Confidential information regarding the recruitment process, professional resumes, and info about the internal structures of their HR department
- Other exposed financial data includes budgets, marketing forecast analysis, etc.
Thoughts from Twitter
The #Nefilim hacker group published #Luxottica’s files after the #ransomware attack.
Two file lists and 2 GB of data stored in the #darkweb:
Luxottica, the company behind Ferrari, Michael Kors, Ray-Ban, Armani, and Coach eyeglasses, recently found itself on the receiving end of a ransomware attack.
NEFILIM reference from KNOW
- Total references: 1,817.
- References in the last 60 days: 152.
- References in the last 7 days: 30.
Context from KNOW
- Risk rules triggered: 3 out of 48.
- Related intrusion methods: Double extortion, data exfiltration, data breach, and spearphishing.
- Hashes: 33
- Most recent sandbox reference: Any Run Sandbox result for 24ada19b269279612370bdf16f2becc1d5b7e0f69821050e2d9b48cfc874dca0
#4 Zero Day Attack Revealed In KNOW – Google Chrome Updates
Technology giant Google has rolled out Chrome version 86.0.4240.111, which patches an actively exploited zero-day vulnerability. Per our KNOW platform, the zero-day can be described as “a memory corruption bug in the FreeType font rendering library that’s included with standard Chrome distributions”. KNOW found that the observed attacks were leveraging this FreeType bug. Ben Hawkes, team lead of Project Zero (one of Google’s internal security teams), pointed out a threat actor that was abusing the FreeType bug to mount attacks against Google Chrome users.
Investigating Zero-Day Attack with KNOW
In this particular story, KNOW has detected two zero-day vulnerabilities that provide more context on the problem discussed above.
Let’s look at each of them and see what we can learn.
Zero Day Attack Vulnerability 1: CVE-2019-13720
Risk rules triggered: 4 out of 48 rule(s) triggered
Historically Linked To Campaign: 1 sighting(s)
1 Related Campaign: Operation WizardOpium.
Historically Linked To Threat Research: 5 sighting(s)
4 Related Intrusion Methods: Zero Day, Use-After-free, Watering Hole Attack, Privilege Escalation.
Historic Sandbox Sighting: 2 sighting(s)
Most recent reference: Hybrid Analysis result for ‘file’
See how Netenrich detects and resolves CVE-2019-13720
Zero Day Attack Vulnerability 2: CVE-2020-6418
Type confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Products Affected: Google, Chrome, 80.0.3987.122
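A defender’s first question after a story like this is which endpoints still run a build older than the patched ones. The following is an added example, not code from the original post or from the KNOW platform: it compares installed Chrome version strings against the two patched builds the page names (86.0.4240.111 for the FreeType zero-day and 80.0.3987.122 for CVE-2020-6418) and triages a constructed, hypothetical host inventory. The fixed build for CVE-2019-13720 is not stated on the page, so it is deliberately left out.

```python
import re
from typing import Dict, List, Optional, Tuple

# Patched Chrome builds named on this page; any older build is still exposed.
PATCHED_BUILDS: Dict[str, str] = {
    "FreeType memory corruption (Chrome 86 zero-day)": "86.0.4240.111",
    "CVE-2020-6418 (V8 type confusion)": "80.0.3987.122",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'major.minor.build.patch' into a tuple of ints that compares correctly.

    Plain string comparison would rank '9.0' above '86.0'; tuples of ints do not.
    Raises ValueError for anything that is not a dotted run of integers, so a
    malformed inventory entry is reported instead of silently passing.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unparseable Chrome version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def exposed_to(installed: str) -> List[str]:
    """Names of the page's vulnerabilities that the installed build lacks a fix for."""
    have = parse_version(installed)
    return [name for name, fixed in PATCHED_BUILDS.items() if have < parse_version(fixed)]


# Constructed sample inventory (hostname<TAB>chrome_version); hosts are hypothetical.
SAMPLE_INVENTORY = """\
ws-001\t80.0.3987.100
ws-002\t80.0.3987.122
ws-003\t86.0.4240.75
ws-004\t86.0.4240.111
ws-005\tnot-installed
"""


def triage_inventory(text: str) -> Dict[str, Optional[List[str]]]:
    """Map each host to its outstanding vulnerabilities; None marks an unparseable entry."""
    result: Dict[str, Optional[List[str]]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition("\t")
        try:
            result[host] = exposed_to(version.strip())
        except ValueError:
            result[host] = None  # surface for manual follow-up rather than assume patched
    return result
```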
KNOW more about CVE-2020-6418 and other pernicious beings
Netenrich Threat + Attack Surface Intelligence
KNOW is Netenrich’s Threat Intel Platform that extracts data from billions of data points and correlates relevant intel and expert analyst insights to help you follow, search, and act—in a fraction of the time it takes now. However, Netenrich’s offering isn’t just limited to threat intelligence. We offer a powerful combination of threat and attack surface intelligence.
Threat and Attack Surface Intelligence will help your SecOps to:
- Find hidden risks to your brand on the public Internet
- Stay informed about threats in minutes versus hours
- Act on the most critical threats first
- Reduce effort and alert fatigue
- Measure and demonstrate value
If you want to know more about Netenrich’s Attack Surface Intelligence (ASI), click here.
Hey, before you leave, you might want to read our CISO, Brandon Hoffman’s take on the rise of cyber crimes during U.S. Elections 2020 — as part of our National Cyber Security Awareness Month series.