The first intelligence collection of 2019 was an FBI Liaison Alert System (FLASH) report on APT10 intrusion activity targeting cloud-based managed service providers. Throughout January, the Verizon Threat Research Advisory Center (VTRAC) intelligence collections reflected a continuation of some of 2018’s trends and emerging developments that would occupy us throughout the new year. New intelligence linked two Russian APT-grade actors, GreyEnergy and APT28 (Sofacy). Two months after we began tracking the “DNSpionage” campaign, new collections revealed its global span and complexity. GandCrab and Ryuk ransomware surged in January, in part filling the vacuum left after the SamSam operators were indicted and ceased operations. The VTRAC continued to track and report Magecart payment card skimming scripts on e-retailers, a threat that would resurface several more times in 2019. The Indian subsidiary of Milan-based Tecnimont SpA fell prey to a fraud in which US$18.6 million (₹130 crore) was stolen by Chinese hackers. The attackers breached the email system of the Mumbai branch to learn the “rhythm” of the business, identifying key players, vocabulary and customs. A series of staged conference calls, supposedly with executives in Italy and a Swiss lawyer, convinced the head of the Indian office to transfer funds to Hong Kong banks.
In February, Australia's parliament revealed that its computer network had been compromised in an unspecified “security incident.” Norwegian cloud computing company Visma attributed a breach to the menuPass threat actor. A whaling campaign was observed that was probably after Office 365 credentials for use in a business email compromise operation. The Bank of Valletta in Malta was the victim of a €13 million fraud. Analysis of weaponized documents used by APT-grade actors in APAC sought to determine whether a shared “digital quartermaster” was supplying multiple actors, including multiple state-aligned ones. It found links among some Chinese actors but concluded that “the current exchange of offensive cyber tools remains opaque” and requires more research.
The successful exploitation of new vulnerabilities was a recurring problem in March, including vulnerabilities in Cisco Adaptive Security Appliances, Adobe ColdFusion, Drupal, Microsoft Exchange Server and the Windows kernel. Two “zero-day” vulnerabilities already under attack were among the 36 patches released on “Patch Tuesday.” “Operation ShadowHammer,” attributed to the Chinese Winnti threat actor, tampered with software updates from PC-maker ASUSTeK Computer to install malware on victims’ computers. Aluminum manufacturer Norsk Hydro was attacked with LockerGoga ransomware. Citrix disclosed a data breach after the FBI warned the company that the attackers had probably used password spraying to gain a foothold. We collected intelligence on three separate campaigns targeting point-of-sale systems.
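The Citrix entry above names password spraying as the foothold. As an added example (not Verizon/VTRAC or Citrix code), the Python below flags that pattern in a constructed, vendor-neutral authentication log: many distinct accounts, one or two guesses each, from one source in a short window, with any later success from that source reported as a likely compromised account. The log format, the thresholds and the sample addresses are assumptions made for the demonstration, and the brute-force and legitimate-user lines are included to show what the detector deliberately does not fire on.

```python
"""Password-spray detection over authentication log lines.

Added example, not Verizon/VTRAC or Citrix code. The log format is a
constructed, vendor-neutral one (ISO timestamp, source IP, username, result);
the sample lines below are made up for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one sprayer (203.0.113.7) trying a single password across
# six accounts and later logging in as "dave"; one classic brute-forcer
# (198.51.100.9) hammering a single account; one legitimate user (192.0.2.5)
# mistyping once; and one malformed line the parser must tolerate.
SAMPLE_LOG = """\
2019-03-06T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2019-03-06T09:00:04Z src=203.0.113.7 user=bob result=FAIL
2019-03-06T09:00:07Z src=203.0.113.7 user=carol result=FAIL
2019-03-06T09:00:10Z src=203.0.113.7 user=dave result=FAIL
2019-03-06T09:00:13Z src=203.0.113.7 user=erin result=FAIL
2019-03-06T09:00:16Z src=203.0.113.7 user=frank result=FAIL
2019-03-06T09:01:00Z src=198.51.100.9 user=alice result=FAIL
2019-03-06T09:01:05Z src=198.51.100.9 user=alice result=FAIL
2019-03-06T09:01:10Z src=198.51.100.9 user=alice result=FAIL
2019-03-06T09:01:15Z src=198.51.100.9 user=alice result=FAIL
2019-03-06T09:01:20Z src=198.51.100.9 user=alice result=FAIL
2019-03-06T09:01:25Z src=198.51.100.9 user=alice result=FAIL
2019-03-06T09:02:11Z src=192.0.2.5 user=bob result=FAIL
2019-03-06T09:02:20Z src=192.0.2.5 user=bob result=OK
this line is malformed and is skipped by the parser
2019-03-06T09:35:02Z src=203.0.113.7 user=dave result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not
    match the expected format (malformed input must not crash the detector)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "result": m["result"],
    }


def detect_spraying(lines, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return one alert per source whose failed logins, inside some `window`,
    touch at least `min_users` distinct accounts with no single account tried
    more than `max_per_user` times.

    That shape (many accounts, few guesses each) is what distinguishes a spray
    from brute force against one account, which per-account lockout already
    handles. Any successful login from the same source at or after the spray
    started is reported as a likely compromised account.
    """
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Slide the window so fails[start:end+1] all fall within `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) < min_users or max(per_user.values()) > max_per_user:
                continue
            window_start = fails[start]["ts"]
            compromised = sorted({e["user"] for e in evs
                                  if e["result"] == "OK" and e["ts"] >= window_start})
            # Keep the widest spray seen for this source.
            if src not in alerts or len(per_user) > alerts[src]["distinct_users"]:
                alerts[src] = {
                    "src": src,
                    "window_start": window_start.isoformat(),
                    "distinct_users": len(per_user),
                    "compromised": compromised,
                }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_spraying(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample only the sprayer is reported, with all six accounts counted and “dave” listed as compromised because the success came from the same source after the spray began; the single-account brute-forcer and the user who mistyped once fall below the distinct-account threshold. In production the thresholds should be tuned per tenant, and the source key should be widened to cover sprays spread across many IPs (for example by grouping on user-agent or ASN as well).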
In April, pharmaceutical company Bayer announced it had prevented an attack by the Winnti threat actors targeting sensitive intellectual property. The Indian IT services giant Wipro was breached in order to attack its customers; the ultimate aim of the group behind the attack appeared to be gift-card fraud. The Vietnam-aligned APT32 (OceanLotus) actor targeted foreign automotive companies to acquire IP. The U.S. Department of Energy reported that grid operators in Los Angeles County, California, and Salt Lake County, Utah, suffered a DDoS attack that disrupted their operations but did not cause any outages. The US-CERT warned that multiple VPN applications store authentication and/or session cookies insecurely in memory and/or log files; Cisco, Palo Alto Networks, F5 Networks and Pulse Secure products were affected. A new DNS hijacking campaign, “Sea Turtle,” was discovered targeting private and public organizations primarily located in the Middle East and North Africa.
“Patch Tuesday” in May included a patch for CVE-2019-0708, a vulnerability in Remote Desktop Protocol nicknamed “BlueKeep.” Urgent calls to patch before an imminent WannaCry-like worm appeared reached hyperbolic levels. The City of Baltimore, Maryland, was paralyzed by RobbinHood ransomware. A new ransomware, “Sodinokibi,” appeared to be spreading from unpatched Oracle WebLogic servers. Magecart groups continued to deploy payment card scraping scripts, expanding their targeted platforms beyond Magento to the PrismWeb and OpenCart e-commerce platforms. A vulnerability in Magento patched in March became the target of mass scanning and SQL injection attacks.
In June, LabCorp disclosed that a breach at a third-party billing collections firm exposed the personal information of 7.7 million Americans. Chinese intelligence services hacked into the Australian National University to collect data they could use to groom students as informants before they were hired into the civil service. U.S. grid regulator NERC issued a warning that Xenotime, a major hacking group with suspected Russian ties, was conducting reconnaissance into the networks of electrical utilities. “Operation Soft Cell,” attributed to the Chinese espionage actor APT10, ran over the course of seven years: the actor hacked into 10 international mobile phone providers operating across 30 countries to track dissidents, officials and suspected spies. The operators behind GandCrab ransomware announced they were shutting down; most analysts assessed they were simply shifting from GandCrab to Sodinokibi.
In July, Capital One revealed that a hacker had accessed data from 100 million credit card applications, including Social Security and bank account numbers. Improperly secured Amazon cloud storage was at the heart of the theft of 30 GB of credit application data by a single subject. Microsoft revealed that it had detected almost 800 cyberattacks over the past year targeting think tanks, non-governmental organizations and other political organizations around the world, with the majority of attacks originating in Iran, North Korea and Russia. Several major German industrial firms, including BASF, Siemens and Henkel, announced that they had been the victims of a state-sponsored hacking campaign by the Chinese Winnti group.
On Friday, August 16, 22 Texas towns were infected with Trickbot followed by Sodinokibi ransomware after attackers breached their managed service provider (MSP), TSM Consulting, and used the MSP’s ConnectWise Control remote management tool to distribute the malware. The following week, malware researchers observed revived activity in Emotet distribution networks. The Emotet crew had appeared to suspend operations in June; by mid-September Emotet seemed to be fully operational again. Emotet had been linked to Russian threat actors, including Mummy Spider (also tracked as TA542) and TA505. Emotet mal-spam had been delivering other malware payloads, including Dridex, Ursnif, Trickbot and Ryuk.
At the end of August and early in September, multiple sources began reporting strategic web compromises targeting Tibetan rights activists and ethnic minority Uyghurs using iOS and Android Trojans. Operation Soft Cell, reported in June, was probably part of this campaign. Another Chinese APT-grade actor, APT5, surfaced in reporting attacking vulnerable VPN servers. Two “zero-day” Windows vulnerabilities were included in September’s Patch Tuesday and, before the end of the month, Microsoft released an out-of-cycle patch for a third zero-day. A breach at social video-game developer Zynga affected over 175 million players.
In October, the VTRAC was swamped by intelligence covering APT-grade actors, including the TA505, FIN6, FIN7 and RTM cybercrime actors. FIN4, FIN6 and Carbanak were linked to different Magecart groups. Intelligence on cyber-espionage and cyber-conflict actors included Charming Kitten, Turla, Winnti and APT29. We learned of a September attack on India’s Kudankulam Nuclear Power Plant (KNPP) attributed to the Lazarus group. The attack affected neither the nuclear power-plant control system nor the electricity-generating power plant control system. A new spin on business email compromise emerged and was dubbed “Vendor Email Compromise.”
In November, facility services company Allied Universal suffered a Maze ransomware infection. The miscreants demanded about US$2 million in bitcoin and threatened to release 5 GB of stolen internal files if they weren’t paid; they did release at least 700 MB. Before the end of the year, criminals behind at least four ransomware families had begun to exfiltrate internal files before triggering file encryption, threatening to make the data public to add leverage on victims to pay. The Iranian APT33 had been targeting industrial control system (ICS) equipment used in oil refineries, electrical utilities and manufacturing.
In December, the U.S. government warned of malicious spam spreading the Dridex banking Trojan, which was being used to gain a foothold before infecting networks with BitPaymer ransomware. Petróleos Mexicanos (Pemex) was the victim of DoppelPaymer, a BitPaymer variant from the group behind Dridex. One of the 36 vulnerabilities Microsoft patched on December’s Patch Tuesday had already been exploited in watering-hole attacks. Microsoft released another out-of-cycle security bulletin and patch for a SharePoint vulnerability that was being exploited in the wild. The Gallium threat actor was linked to Operation Soft Cell and to the watering-hole attacks on Tibetans and Uyghurs.
2020 DBIR: Year in review
54 Thanks to David M. Kennedy from the VTRAC for this contribution.