Wrap up

    So, this concludes our 12th installment of this annual report. If the DBIR were a bottle of decent Scotch whisky it would cost you around 100 bucks, instead of being free like this document. Likewise, the decisions you might make after finishing either one would probably differ wildly as well.17 Nevertheless, we hope you gain a certain degree of enjoyment and enlightenment from both.

    On behalf of the team that labored to produce this document, we sincerely thank you, our readers, for your continued support and encouragement of this effort. We believe it to be of value to information security professionals and to industry at large, and we are grateful for the opportunity to bring it before you once again. As always, a tremendous thank you to our contributors, who give of their time, effort, insight and, most importantly, their data. The task of creating this document is in no way trivial, and we simply could not do it without their generosity. We look forward to bringing you our 14th report (we are taking the high-rise hotel approach to enumeration here) next year, and in the meantime, may your security budgets be large and your attack surface small. Until then, feel free to reflect on the VTRAC's review of the more noteworthy publicly disclosed security events of 2018 before jumping into the Appendices.


Year in Review


    On the second day of the year, the Verizon Threat Research Advisory Center (VTRAC) began to learn that researchers had discovered "Meltdown" and "Spectre," new information disclosure vulnerabilities affecting most modern microprocessors. The vulnerabilities lie in foundational CPU architecture (speculative execution), and patching continued throughout 2018. We collected no reports of successful Meltdown or Spectre attacks in 2018. The first week of the month included the first report of malware attacks targeting the 2018 Winter Olympics in Pyeongchang, Republic of Korea. Investigative journalists reported that India's national ID database, "Aadhaar," had suffered a data breach affecting more than 1.2 billion Indian citizens. We began collecting reports of targeted attacks on Latin American banks. Attackers used disk-wiping malware, probably to eliminate evidence of their actions and to hinder the banks' efforts to minimize the scale of their losses. On January 26th, we collected the first report of GandCrab ransomware.


    The first "zero-day" in Adobe Flash kicked off February after APT37 embedded an exploit in Excel spreadsheets. The Punjab National Bank reported fraudulent transfers of ₹11,600 crore (about US$1.77 billion). The Russian Central Bank reported that "unsanctioned operations" caused the loss of ₽339 million (€4.8 million). "Olympic Destroyer" malware disrupted the opening ceremony of the Pyeongchang Olympics but did not result in its cancellation. GitHub was hit with a new type of reflection denial-of-service attack leveraging misconfigured memcached servers exposed to the Internet. GitHub and other organizations endured junk-traffic storms peaking at 1.35 terabits per second.


    Intelligence on attacks against the Pyeongchang Olympics continued to arrive after the February 25th closing ceremony. Operations Gold Dragon, HaoBao and Honeybee had begun as early as July 2017. In March, we collected intelligence on a full spectrum of APT-grade threat actors including APT28, menuPass (APT10), Patchwork, MuddyWater, OilRig, Lazarus and Cobalt. US-CERT published 15 files of intelligence on Russian actors attacking critical infrastructure in the USA. Malaysia's central bank foiled an attack that involved falsified SWIFT wire-transfer requests. The Drupal project patched a remote code execution vulnerability reminiscent of the 2014 vulnerability that led to "Drupalgeddon."


    Attacks on the Smart Install feature of Cisco IOS switches by Russian threat actors were probably the most noteworthy InfoSec risk development in April. The VTRAC collected updated intelligence on the "Energetic Bear" Russian actor. A supply-chain attack on Latitude Technologies forced four natural-gas pipeline operators to temporarily shut down computer communications with their customers; Latitude supplies Electronic Data Interchange (EDI) services to the energy and oil verticals. March's Drupal vulnerability did indeed attract cybercriminals: a variant of the Mirai IoT botnet began scanning for vulnerable Drupal servers, and the vulnerability and the wave of compromises that followed, which installed cryptomining software, became known as Drupalgeddon2. The cyber-heist of US$150,000 in Ethereum from MyEtherWallet paled in significance beside the method used to carry it out, a BGP hijacking of Internet routing infrastructure.


    Intelligence about the "Double Kill" zero-day vulnerability in Internet Explorer was collected at the end of April. In May the VTRAC collected intelligence on a malicious PDF document carrying two more zero-day vulnerabilities, one in Adobe Reader and one in Windows. Microsoft and Adobe patched all three around May's Patch Tuesday. A surge in GandCrab ransomware infections was the focus of several of the best intelligence collections in May. New intelligence collections documented a Cobalt threat actor phishing campaign targeting the financial sector. Multiple sources reported that VPNFilter malware had infected routers and network-attached storage (NAS) appliances. Control the router and you control the traffic passing through it.


    Multiple sources released updated intelligence on North Korean threat actors engaged in cyber-conflict and cybercrime operations. Adobe patched a new zero-day vulnerability in Flash. Like February's Flash zero-day, it was being used in malicious Excel files, but this time the targets were in the Middle East. Two Canadian banks, BMO (Bank of Montreal) and CIBC's direct-banking subsidiary Simplii Financial, suffered a leak of about 90,000 customer records between them. They learned of the breach when threat actors demanded US$750,000 for the return of the records. The Lazarus threat actor stole roughly KRW 35 billion (around US$31 million) in cryptocurrency from the South Korea-based exchange Bithumb. DanaBot, a new banking Trojan, was discovered targeting Commonwealth Bank in Australia.


    The first major Magecart attack of 2018 hit Ticketmaster's UK business. Attackers compromised Inbenta, a third-party supplier of website functionality, and from Inbenta's code placed digital skimmers on several Ticketmaster websites. The Ticketmaster attack was part of a campaign targeting third-party providers to achieve widespread compromise of payment card data. July's Magecart collections included indicators of compromise for over 800 victim websites. A malicious Mobile Device Management (MDM) platform was used in highly targeted attacks on 13 iPhones and some Android and Windows devices. Russia's PIR Bank lost ₽58 million (US$920,000) after the MoneyTaker actor compromised an outdated, unsupported Cisco router at a branch office and used it to pivot into the bank's network.


    The second Border Gateway Protocol (BGP) hijacking to steal cryptocurrency in 2018 redirected legitimate traffic away from an Amazon DNS server. The malicious DNS server redirected users of MyEtherWallet to a spoofed site that harvested their credentials. Users of the service lost Ethereum worth about US$152,000. Cosmos Bank in Pune, India, was the victim of US$13.4 million in fraudulent SWIFT and ATM transfers. The US Department of Justice announced the arrests of three managers from the FIN7 (Anunak, Carbanak, Carbon Spider) threat actor. Intelligence indicated that a new vulnerability in Apache Struts, CVE-2018-11776, was following the course set by March 2017's CVE-2017-5638, the Jakarta Multipart parser Struts vulnerability that led to the Equifax data breach. A detailed code-reuse examination of malware attributed to North Korea tied most of the attacks to the Lazarus Group; APT37 was linked to a small portion but was assessed to be more skilled and to be reserved for attacks with national strategic objectives.


    New intelligence revealed that Japanese corporations were being targeted by the menuPass (APT10) threat actor. On September 6th, British Airways announced it had suffered a breach resulting in the theft of customer data; within a week, we collected intelligence that British Airways had become another victim of a Magecart attack. Intelligence indicated that in the preceding six months, 7,339 e-commerce sites had hosted Magecart payment card skimming scripts, including the online retailer Newegg. Weaponized IQY (Excel Web Query) attachments were discovered attempting to evade detection while delivering the FlawedAmmyy remote access Trojan (RAT). The FBI and DHS issued an alert about the Remote Desktop Protocol (RDP), listing several threats that exploit exposed RDP connections: the Crysis (Dharma), CryptON and SamSam ransomware families. DanaBot expanded its target set to Italy, Germany and Austria.


    The VTRAC assessed that claims of Chinese actors having compromised the technology hardware supply chain did not constitute intelligence: the related report lacked technical details or corroboration and was based on unqualified, unidentified sources. US-CERT issued an updated alert on attacks against managed service providers (MSPs) by the menuPass (APT10) threat actor. Multiple sources reported North Korean actors engaged in cybercrime attacks intended to provide revenue to the sanction-constrained regime. GreyEnergy is the latest successor to the Sandworm/BlackEnergy/Quedagh/Telebots threat actor and was linked to attacks on the energy sector and other strategic targets in Ukraine and Poland over the past three years. DanaBot began targeting financial services establishments in the USA. The Magecart threat actors executed a scaled supply-chain attack on Shopper Approved, a customer rating plugin used by 7,000+ e-commerce sites. Detailed reports in August and October indicated that the Cobalt threat actor had reorganized into one group of journeymen and apprentice members and a second group of masters reserved for more sophisticated campaigns.


    Intelligence based on examination of Magecart malware indicated that at least six independent threat actors were conducting Magecart attacks. The initial Magecart successes in late 2016 and the high-profile attacks beginning with Ticketmaster UK/Inbenta in June led to a bandwagon effect: other threat actors copied and improved upon the TTPs of the early Magecart actor(s). SamSam ransomware attacks came to a standstill after two Iranian hackers were indicted over roughly US$6 million in extortion. Cisco released an advisory citing "active exploitation" of a vulnerability in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense Software that could allow an unauthenticated, remote attacker to cause a denial of service. US-CERT released Activity Alert AA18-284A, "Publicly Available Tools Seen in Cyber Incidents Worldwide," on five tools threat actors had been using in their "living off the land" tactics. Marriott announced that a breach spanning 2014 to 2018 had exposed the records of up to 500 million customers in its Starwood hotels reservation system.


    VTRAC collections in December began with "Operation Poison Needles." An unidentified actor exploited the third Adobe Flash zero-day vulnerability of the year to attack the Polyclinic of the Presidential Administration of Russia. "Operation Sharpshooter" was a global campaign targeting nuclear, defense, energy and financial companies. Oil and gas services contractor Saipem suffered an attack that employed a new variant of Shamoon disk-wiping malware. December's Patch Tuesday fixed CVE-2018-8611, the latest Windows zero-day being exploited by the FruityArmor APT threat actor. Partly in reaction to the 77 percent plunge in the price of Bitcoin, cybercriminals shifted emphasis away from cryptomining, though they did not abandon it altogether: SamSam and GandCrab ransomware were being used to attack corporations, government agencies, universities and other large organizations. Criminals targeted larger purses: organizations likely to pay a ransom rather than endure days of lost business and productivity while recovering from backups, re-imaging or other BCP/DR measures. At the end of 2018 the VTRAC was running like a Formula 1 car finishing a mid-race lap: at full speed, staying ahead of some, striving to catch others and constantly improving our engineering.

17 We do not assert that your decisions would differ wildly as we do not have sufficient data to support that statement. It is, admittedly, a surmise on our part but internal research remains ongoing.