
Luxottica, FIN11, Olympic Destroyer, and Google Chrome Zero Day – KNOW More

Keep up with what happened in an action-packed week.

Post by Rajarshi Mitra In Security on Oct 26, 2020

Let’s analyze the state of last week’s global threat landscape. As you can expect, we had a pretty action-packed week. The categories to be studied and analyzed are:

#1 Olympic Destroyer – KNOW Your Malware

On Olympic Destroyer’s threat intel page, you can scroll down and check out the most trending stories surrounding this malware. According to the report collated by KNOW, the US government has officially indicted Sandworm, one of the most dangerous threat actors from Russia, for its cyberattack on the Winter Olympics.

Reactions from Twitter

@a_greenberg

Big news: DOJ today unsealed charges against Sandworm, naming the Russian GRU hackers who have for 5 years crossed every red line in cyberwar from blackouts to disrupting the Olympics to unleashing the NotPetya worm that cost $10 billion.

@jbcraig

“No country has weaponized its cyber capabilities as maliciously or irresponsibly as #Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite.”

Olympic Destroyer references from KNOW


  • Total references: 3,036
  • References in the last 60 days: 64
  • References during the previous 7 days: 64

Olympic Destroyer context from KNOW


  • Industries: Finance, Pharmaceuticals & Biotechnology, and Sports.
  • Related intrusion methods: Malware, spam, process hollowing, phishing, malicious apps, and hard-coded credentials.
  • IP addresses: 3
  • Associated domains: 3
  • Hashes: 27

#2 FIN11 – KNOW Your Threat Actor

FIN11 is a financially-motivated threat actor that is monetizing its activities by spreading ransomware. As per KNOW’s threat intel dashboard, they are the most referenced threat actor over the last 7 days.


The financially-motivated hacker group FIN11 has started spreading ransomware to monetize its cybercriminal activities. The group has conducted multiple operations targeting companies in North America and Europe. Security researchers believe that it operates from the Commonwealth of Independent States (CIS, the former Soviet Union countries).

Thoughts from Twitter

@pauldokas

“The cybercrime gang relies primarily on phishing emails to gain a foothold in corporate networks, and is moving into hybrid extortion by distributing CLOP ransomware.”

@cipherstorm

FIN11 Cybercrime Gang Shifts Tactics to Double-Extortion Ransomware: The Clop ransomware has become a tool of choice for the financially motivated group.

FIN11 references from KNOW


  • Total references: 639
  • References over the last 60 days: 422
  • References in the last 7 days: 419

#3 Luxottica and NEFILIM – KNOW Your Data Breaches

The most trending story in the “data breaches” category was about Luxottica being hit by the NEFILIM ransomware. Luxottica is a Milan-based eyewear conglomerate that owns the world’s biggest eyewear brands, including Ray-Ban, Persol, and Oakley. It has 80,000 employees globally and had revenue of €9.493 billion (A$15.8 billion) in 2019.

Luxottica’s data breach

A long list of files was stolen from Luxottica, and the file names suggest they belong to the personnel office and finance departments. These files contain:

  • Confidential information regarding the recruitment process, professional resumes, and info about the internal structures of their HR department
  • Other exposed financial data includes budgets, marketing forecast analysis, etc.

Thoughts from Twitter

@_odisseus

The #Nefilim hacker group published #Luxottica’s files after the #ransomware attack.

Two file lists and 2 GB of data stored in the #darkweb:

– LUXOTICA_Human_Res_part1_filelist_part1.txt
– LUXOTICA_Finance_part1_filelist.txt

@RobertSchrader

Luxottica, the company behind Ferrari, Michael Kors, Ray-Ban, Armani, and Coach eyeglasses, recently found itself on the receiving end of a ransomware attack.

NEFILIM reference from KNOW


  • Total references: 1,817
  • References in the last 60 days: 152
  • References in the last 7 days: 30

Context from KNOW


  • Risk rules triggered: 3 out of 48.
  • Related intrusion methods: Double extortion, data exfiltration, data breach, and spearphishing.
  • Hashes: 33
  • Most recent sandbox reference: Any Run Sandbox result for 24ada19b269279612370bdf16f2becc1d5b7e0f69821050e2d9b48cfc874dca0

#4 Zero Day Attack Revealed In KNOW – Google Chrome Updates

Technology giant Google has rolled out Chrome version 86.0.4240.111, which patches an actively exploited zero-day vulnerability. Per our KNOW platform, the zero-day could be described as “a memory corruption bug in the FreeType font rendering library that’s included with standard Chrome distributions”. KNOW found that in-the-wild attacks were leveraging this FreeType bug. Ben Hawkes, team lead of Project Zero (one of Google’s internal security teams), pointed out a threat actor that was abusing the FreeType bug to mount attacks against Google Chrome users.

Investigating Zero-Day Attack with KNOW

In this particular story, KNOW has surfaced two earlier Chrome zero-day vulnerabilities that provide more context for the problem discussed above:

  • CVE-2019-13720
  • CVE-2020-6418

Now, let’s look into each of them and see what we can learn.

Zero Day Attack Vulnerability 1: CVE-2019-13720

CVE-2019-13720
617 Reference(s) to this entity
First seen: 31 Oct, 2019
Last seen: 21 Oct, 2020
Use after free in WebAudio in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Products Affected: Google, Chrome, Chrome 78.0.3904.87

Risk rules triggered: 4 out of 48 rule(s) triggered

Historically Linked To Campaign: 1 sighting(s)

Related Campaign: Operation WizardOpium.

Historically Linked To Threat Research: 5 sighting(s)

Related Intrusion Methods: Zero Day, Use-After-free, Watering Hole Attack, Privilege Escalation.

Historic Sandbox Sighting: 2 sighting(s)

Most recent reference: Hybrid Analysis result for ‘file’


CVE-2019-13720 reference count

See how Netenrich detects and resolves CVE-2019-13720

Zero Day Attack Vulnerability 2: CVE-2020-6418

CVE-2020-6418
177 Reference(s) to this entity
First seen: 24 Feb, 2020
Last seen: 21 Oct, 2020

Type confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Products Affected: Google, Chrome, 80.0.3987.122
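All three Chrome stories above come down to one defender’s question: is the installed build older than the version that carries the fix? The script below is an added example, not Netenrich or KNOW code, that parses Chrome’s four-part version strings and reports which of the fixed versions named on this page (78.0.3904.87 for CVE-2019-13720, 80.0.3987.122 for CVE-2020-6418, and 86.0.4240.111 for the FreeType update, which the post does not give a CVE id for) a host still lacks. The hostnames and their versions are constructed sample data.

```python
"""Check Chrome version strings against the fixed versions quoted in the post.

Added example; not Netenrich/KNOW code. Fixed versions come from the page:
- CVE-2019-13720 (WebAudio use-after-free): fixed in 78.0.3904.87
- CVE-2020-6418 (V8 type confusion):        fixed in 80.0.3987.122
- FreeType memory corruption:               fixed in 86.0.4240.111 (no CVE id on the page)
"""
import re
from typing import Dict, List, Tuple

# Advisory label -> first Chrome version that contains the fix.
FIXED_VERSIONS: Dict[str, str] = {
    "CVE-2019-13720 (WebAudio use-after-free)": "78.0.3904.87",
    "CVE-2020-6418 (V8 type confusion)": "80.0.3987.122",
    "FreeType memory corruption (86.0.4240.111 update)": "86.0.4240.111",
}

# Chrome versions are always MAJOR.MINOR.BUILD.PATCH; reject anything else.
_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '86.0.4240.111' into (86, 0, 4240, 111) so it compares numerically.

    A malformed string raises ValueError instead of silently looking patched.
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"not a four-part Chrome version: {version!r}")
    major, minor, build, patch = (int(part) for part in version.split("."))
    return major, minor, build, patch


def unpatched_for(installed: str) -> List[str]:
    """Return the advisories whose fix is newer than the installed version."""
    have = parse_version(installed)
    return [label for label, fixed in FIXED_VERSIONS.items()
            if have < parse_version(fixed)]


# Constructed sample inventory (hostname -> reported Chrome version).
SAMPLE_INVENTORY: Dict[str, str] = {
    "ws-01": "78.0.3904.70",   # older than every fix listed
    "ws-02": "80.0.3987.122",  # exactly the CVE-2020-6418 fix version
    "ws-03": "86.0.4240.111",  # current as of the post
    "ws-04": "86.0.4240.75",   # same major, still below the FreeType fix
}


def report(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each host to the advisories it is still exposed to (empty list = up to date)."""
    return {host: unpatched_for(version) for host, version in inventory.items()}


if __name__ == "__main__":
    for host, missing in report(SAMPLE_INVENTORY).items():
        status = "OK" if not missing else "MISSING: " + "; ".join(missing)
        print(f"{host:<6} {SAMPLE_INVENTORY[host]:<16} {status}")
```

The comparison is done on integer tuples on purpose: comparing the strings lexically would rank "86.0.4240.75" above "86.0.4240.111" and report the host as patched when it is not. Feed `report()` the output of your own inventory tool in the same hostname-to-version shape.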


KNOW more about CVE-2020-6418 and other pernicious beings

Netenrich Threat + Attack Surface Intelligence

KNOW is Netenrich’s Threat Intel Platform that extracts data from billions of data points and correlates relevant intel and expert analyst insights to help you follow, search, and act—in a fraction of the time it takes now. However, Netenrich’s offering isn’t just limited to threat intelligence. We offer a powerful combination of threat and attack surface intelligence.

Threat and Attack Surface Intelligence will help your SecOps to:

  • Find hidden risks to your brand on the public Internet
  • Stay informed about threats in minutes versus hours
  • Act on the most critical threats first
  • Reduce effort and alert fatigue
  • Measure and demonstrate value

Why did we create Knowledge NOW? Read our story

If you want to know more about Netenrich’s Attack Surface Intelligence (ASI), click here.

Hey, before you leave, you might want to read our CISO, Brandon Hoffman’s take on the rise of cyber crimes during U.S. Elections 2020 — as part of our  National Cyber Security Awareness Month series. Sure, take me there


About Author

Rajarshi is a creative and accomplished writer who made his mark in the blockchain space before stepping into cybersecurity. When he is not working, he is busy chilling with his wife and cat, catching up on the latest Netflix docu-series.....or watching Harry Potter for the 5781241516th time.