Summary of Findings
- It is likely that threat actors linked to Russia’s foreign intelligence service will continue to threaten SolarWinds clients.
- Device maker Gigaset suffered a supply chain attack delivered to Android phones via firmware updates.
- Limited details were released about a large and targeted malware attack on EU organizations, including the European Commission.
- The Charming Kitten intrusion attempt points to the central role of hacking in espionage between Iran, Israel, and the United States.
- The North Korea-backed Lazarus Group used a new backdoor to target a freight and logistics company.
- A ransomware attack shut down the IT systems of Bakker Logistiek, a Dutch company specializing in food transport and warehousing.
- Reporting indicates organizations continue to be at higher risk of disruptive malware attacks, with further waves imminent.
- Increased value of Bitcoin may be tied to new DDoS extortion exploits.
- Mobile malware appearing on official app marketplaces creates a higher risk of disruption during the pandemic.
Espionage Activities Tied to SolarWinds Likely to Continue
Further analysis of SolarWinds command and control activity was released by PRODAFT. Security researchers were able to infiltrate the command and control infrastructure of certain SolarWinds threat actors. They found evidence of attacks on SolarWinds victims, stemming from the 2019-2020 breach, that were still active in March 2021. The White House officially attributed SolarWinds to the SVR, Russia’s foreign intelligence service.
Supply Chain Attack Targets Global Android Device Manufacturer
Gigaset, a device maker based in Germany and active in about 70 countries, was the victim of a supply chain attack that enabled malicious downloads on Android phones. The operation began around April. The attack produced multiple malicious Android packages originating from a firmware update server, according to Gigaset and user reports. The company indicated that only users who received firmware updates from the single compromised server were impacted.
EU Organizations Hit by Attacks
“A range of European Union institutions including the European Commission were hit by a significant cyber-attack”, reported Bloomberg. Senior political officials were alerted to the event and reporting indicates the attacks were both large and targeted. No further details have been made available due to the ongoing forensic analysis.
APT Group Uses High-interest Regional Spearphishing Lures to Gather Intelligence
Proofpoint has detected attacks attempting to access the email credentials of Israeli and U.S. medical professionals. The Charming Kitten APT group of Iranian hackers targets professionals in the genetics, neurology and oncology fields. The attacks, which use nuclear-themed email lures, are very likely aimed at intelligence gathering. EclecticIQ analysts assess the post-delivery TTPs described in the Kill Chain as not highly obfuscated and reliant on standard application-layer protocols.
Maritime Freight Industry at High Risk from APT Attacks
A backdoor named Vyveva targeted a freight and logistics company in South Africa. ESET found code similarities to the NukeSped family and command and control operations that resemble previous Lazarus operations. The attacks are almost certainly aimed at strategic information gathering. Shipping is currently a strategic target due to the disruption caused by the pandemic.
Ransomware Disrupts Food Supply Chain in the Netherlands
Over Easter weekend, ransomware infected the network of Bakker Logistiek, a transport company serving Albert Heijn food stores, the largest supermarket chain in the Netherlands. The attack slowed logistics operations, affecting a limited list of foodstuffs known to include prepackaged cheese. The CEO of Bakker stated that ProxyLogon vulnerabilities were possibly exploited to gain unauthorized access.
Spiking Attacks Using IcedID Loader Signal Increased Waves of Malware
It is possible that IcedID is resurging as a result of the deficit created by the Emotet takedown earlier this year. IcedID infections are growing according to multiple sources and are of increasing concern to many organizations. Since 2017, IcedID has been paired with powerful malware such as Sodinokibi ransomware and financial information stealers including Trickbot.
Rise in Bitcoin Value Possibly Driving New DDoS Extortion Attacks
DDoS over DCCP (Datagram Congestion Control Protocol) represents a new way to abuse an old (2006), unreliable application protocol implemented over TCP and UDP. Bitcoin enables obfuscated financial transactions, and its value has remained above 40000 euro since the end of February. The high value is likely incentivizing growing DDoS (Distributed Denial of Service) extortion. It is unlikely that many organizations utilize DCCP, so EclecticIQ analysts assess the risk is relatively low.
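Because the assessment above rests on the point that few organizations legitimately use DCCP, the simplest defensive check is to treat any DCCP traffic (IP protocol number 33 per RFC 4340) as noteworthy and large multi-source volumes as a possible flood. The following Python is an added example, not code from the original report or from EclecticIQ; it assumes a constructed, simplified flow-log format (timestamp, source, destination, IP protocol number, bytes, packets) and uses illustrative thresholds that a practitioner would tune to their own baseline.

```python
"""Flag DCCP (IP protocol 33) traffic in flow records.

Added example, not part of the original report.  It assumes a constructed,
simplified flow-log format (one record per line):

    timestamp,src_ip,dst_ip,ip_protocol,bytes,packets

RFC 4340 assigns DCCP the IP protocol number 33.  Because few organizations
use DCCP, any DCCP flow toward a host not known to speak it is suspect, and
high aggregate volume from several sources is a possible DDoS indicator.
"""
from collections import defaultdict

DCCP_PROTO = 33

# Constructed sample records (RFC 5737 documentation addresses), not real telemetry.
SAMPLE_FLOWS = """\
2021-04-12T10:00:01Z,198.51.100.7,203.0.113.10,6,1500,3
2021-04-12T10:00:02Z,198.51.100.8,203.0.113.10,33,120000,800
2021-04-12T10:00:02Z,198.51.100.9,203.0.113.10,33,95000,640
2021-04-12T10:00:03Z,198.51.100.8,203.0.113.10,33,110000,730
2021-04-12T10:00:03Z,198.51.100.21,203.0.113.10,33,101000,670
2021-04-12T10:00:04Z,192.0.2.44,203.0.113.20,33,600,4
2021-04-12T10:00:05Z,192.0.2.45,203.0.113.20,17,800,5
"""


def parse_flows(text):
    """Parse the simplified flow format into a list of dicts; skip blank/comment lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, nbytes, pkts = line.split(",")
        records.append({
            "ts": ts, "src": src, "dst": dst,
            "proto": int(proto), "bytes": int(nbytes), "packets": int(pkts),
        })
    return records


def dccp_summary(records):
    """Aggregate DCCP flows per destination: total bytes, packets and distinct sources."""
    per_dst = defaultdict(lambda: {"bytes": 0, "packets": 0, "sources": set()})
    for r in records:
        if r["proto"] != DCCP_PROTO:
            continue
        agg = per_dst[r["dst"]]
        agg["bytes"] += r["bytes"]
        agg["packets"] += r["packets"]
        agg["sources"].add(r["src"])
    return {
        dst: {"bytes": a["bytes"], "packets": a["packets"], "sources": sorted(a["sources"])}
        for dst, a in per_dst.items()
    }


def classify_dccp(records, expected_dccp_hosts=frozenset(),
                  byte_threshold=100_000, min_sources=3):
    """Return {dst: verdict} for every destination that received DCCP traffic.

    'flood'      : volume or source count exceeds thresholds (possible DDoS)
    'unexpected' : DCCP seen toward a host not on the allow-list
    Hosts on expected_dccp_hosts with modest traffic are not reported.
    Thresholds are illustrative assumptions; tune them to the local baseline.
    """
    verdicts = {}
    for dst, agg in dccp_summary(records).items():
        if agg["bytes"] >= byte_threshold or len(agg["sources"]) >= min_sources:
            verdicts[dst] = "flood"
        elif dst not in expected_dccp_hosts:
            verdicts[dst] = "unexpected"
    return verdicts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    summary = dccp_summary(flows)
    for dst, verdict in classify_dccp(flows).items():
        agg = summary[dst]
        print(f"{dst}: {verdict} ({agg['bytes']} bytes from {len(agg['sources'])} sources)")
```

Run against the constructed sample, the script reports 203.0.113.10 as a flood (three sources, well above the byte threshold) and 203.0.113.20 as unexpected DCCP traffic; passing an allow-list via `expected_dccp_hosts` suppresses the second verdict for hosts that are known to speak DCCP.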
Malware Uploaded to AppGallery Highlights Mobile as an Increasing Target for Threat Actors
The official Huawei app marketplace, AppGallery, housed Android malware disguised as apps uploaded by “developers.” AppGallery is likely becoming a more popular target for cybercriminals. The Doctor Web report recalls the trend of malware increasingly targeting mobile users. Remote lifestyles created by the pandemic are almost certainly increasing reliance on mobile devices, since people are physically more isolated. Two U.S. studies found mobile screen time increased 25%-30% between 2019 and 2020. This dependence on mobile devices places victims at higher risk from any malware that may disrupt normal mobile operations.