EclecticIQ Threat Research Team
July 1, 2021

Escalating Attacks Stretch Across Nations and Industries


As you can see, this Threat Intelligence Update has more content than usual. We think it's important to highlight a significant number of cybersecurity events. We believe that increased information sharing among cybersecurity experts will help manage the problem of higher incident volume.

Summary of Findings

    • Norwegian intelligence officials are publicly blaming a China-linked APT for a 2018 attack that breached the government’s IT network.
    • One of the largest attacks on the airline industry’s supply chain targeted SITA PSS, an international IT services provider that processes passenger data.
    • Leading Polish politicians are targeted in a cyberattack attributed to Russia-linked threat actors.
    • APT groups use known VPN vulnerabilities and private email accounts to initiate cyberattacks.
    • Unidentified operational technology (OT) in critical public infrastructure such as water treatment systems may be driving cyberattacks attempting to modify industrial control systems (ICS).
    • Data theft and leaks are now part of many ransomware attackers’ TTPs, likely aimed at pressuring victims to pay larger ransoms.
    • The Avaddon ransomware syndicate has shut down and released decryption keys.
    • A splinter group of Darkside launched a supply chain attack immediately following the main group’s shutdown.
    • Cybercriminals are evolving automated tactics targeting software containers such as Docker.
    • Google’s silent installation of COVID-19 apps on users’ phones potentially increases the lack of trust among Americans regarding privacy protection.
    • The pandemic continues to play into the TTPs of cybercriminals, who take advantage of high awareness and anxiety by using vaccine-themed spam.

Norway Publicly Names China in Cyberattack

For the first time, Norwegian officials have publicly accused a China-linked APT group of a cyberattack. The country’s Police Security Service stated that China’s APT31 group carried out a long-term cyberattack campaign against Norway and Finland between 2018 and 2020. The APT group gained administrator privileges for the central IT system used by government officials and was able to conduct widespread espionage from that point of compromise.

Multi-year Airline Supply Chain Compromise Attributed to APT41

An espionage campaign named ColunmTK that targeted SITA, the global IT provider for 90 percent of the world’s airline industry, led to a massive breach of passenger data. It is very likely the largest airline supply chain attack to date. The APT41 group, a Chinese nation-state threat actor, was able to dwell undetected for almost three months. Shortly after Air India, a SITA customer, disclosed a passenger data breach, a database allegedly exfiltrated from the airline was put up for sale on a leak site for $3,000. EclecticIQ analysts posit with high confidence that the low dollar amount indicates the leak contains little data of secondary value to cybercriminals and is aimed at obfuscating attribution.

Private Email Account Breach Enables APT Operation Aimed at Polish Politicians

In mid-June, Poland attributed a large cyberattack against some of its highest-ranking politicians to Russia-linked threat actors. The attack was enabled by accessing politicians’ private email accounts, which were allegedly being used for official communications. One party leader, Jaroslaw Kaczynski, claimed the attack was being conducted by the Russian government to destabilize Poland.

VPN Gateways Remain Popular Targets for Initiating Espionage Attacks

South Korea last week blamed North Korea for espionage against a government-funded nuclear technology developer. The intrusion was accomplished through a vulnerability at an unnamed VPN vendor. Security specialists should prioritize VPN vulnerability management and threat hunting from VPN ingress points to prevent similar breaches.

Security Gap in OT Identification for Utility Networks Likely Poses High Risk of ICS Attacks

In January, a cyberattack targeted a water treatment plant in San Francisco, California, USA. Initial reports state that an unauthorized user used valid account credentials for the TeamViewer application on a remote system to establish access and persistence. The threat actor then attempted to delete applications that managed the water treatment facility. A separate attack in February on a water utility in Florida, USA, also involved the exploitation of TeamViewer. Aside from APTs, one of the largest risks to the utility sector is a lack of operational technology (OT) management and asset identification, a fundamental principle of IT security. This security gap leaves unidentified (and therefore unmanaged and unpatched) systems connected to the network. Such systems are more vulnerable to exploitation and permit little to no visibility into malicious activity.
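An added hunting example for the remote-access pattern above (not code from EclecticIQ or the utilities involved): it reviews TeamViewer incoming-session records from an OT workstation and flags sessions from partner IDs not on an allowlist or started outside the maintenance window. The column layout is assumed to follow TeamViewer's Connections_incoming.txt, and the log lines are constructed.

```python
"""Flag TeamViewer incoming sessions on an OT host that fall outside the
maintenance window or come from a partner ID not on the allowlist.

Added example, not code from EclecticIQ or the utilities named above. The
tab-separated columns (partner ID, partner name, start, end, local user,
mode, session ID) are assumed to match Connections_incoming.txt; the log
lines are constructed.
"""
from datetime import datetime, time

# Constructed sample: three incoming sessions on a water-plant HMI workstation.
SAMPLE_LOG = """\
111222333\tIntegrator Laptop\t03-02-2021 09:15:02\t03-02-2021 09:41:50\toperator\tRemoteControl\t{a1}
444555666\tUnknown\t05-02-2021 13:02:11\t05-02-2021 13:07:40\toperator\tRemoteControl\t{b2}
111222333\tIntegrator Laptop\t06-02-2021 02:48:09\t06-02-2021 03:10:33\toperator\tRemoteControl\t{c3}
"""

ALLOWED_PARTNERS = {"111222333"}                 # vetted integrator partner IDs
MAINTENANCE_WINDOW = (time(8, 0), time(17, 0))   # local business hours


def parse_sessions(text):
    """Yield one dict per well-formed line; blank or truncated lines are skipped."""
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 7:
            continue
        yield {
            "partner": cols[0],
            "name": cols[1],
            "start": datetime.strptime(cols[2], "%d-%m-%Y %H:%M:%S"),
            "end": datetime.strptime(cols[3], "%d-%m-%Y %H:%M:%S"),
            "user": cols[4],
            "session": cols[6],
        }


def suspicious_sessions(text, allowed=ALLOWED_PARTNERS, window=MAINTENANCE_WINDOW):
    """Return (session_id, reasons) for every session worth an analyst's look."""
    hits = []
    for s in parse_sessions(text):
        reasons = []
        if s["partner"] not in allowed:
            reasons.append("unknown-partner")
        if not (window[0] <= s["start"].time() < window[1]):
            reasons.append("outside-maintenance-window")
        if reasons:
            hits.append((s["session"], reasons))
    return hits
```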

Increasing Ransomware Attacks Mean More Breaches of Sensitive Data

Ransomware syndicates successfully attacked Reproductive Biology Associates, a fertility clinic in Georgia, USA; chipmaker ADATA in Taiwan; and US-based nuclear technology subcontractor Sol Oriens. Although the attacks were conducted by different groups, they all involved sensitive data theft, a now-standard ransomware TTP. Attacks on high-profile organizations could indicate that ransomware groups are homing in on victims whose systems house sensitive data, betting that they will negotiate higher ransoms.

One of the primary ways ransomware operators compromise victims is by installing payloads via valid accounts harvested from an earlier, separate attack. Ransomware operators partner with so-called “initial access brokers” that specialize in credential harvesting because establishing access through valid accounts is one of the easiest methods of establishing both initial access and persistence in a given ransomware kill chain.

Law Enforcement Prioritization of Counter-ransomware Operations May Have Shut Down Syndicate

The Avaddon ransomware syndicate announced it would shut down operations and released decryption keys for previous victims. The timing of the shutdown is possibly the result of recent increased law enforcement attention to ransomware operations, though there is no indication of direct government pressure on Avaddon. The elimination of the Avaddon syndicate is unlikely to have an impact on the larger ransomware attack landscape because other syndicates, operating in countries that do not pursue ransomware cybercriminals, will almost certainly fill the space vacated by Avaddon.

Ransomware Affiliates Very Likely to Commit Further Cybercrime When Syndicates Shut Down

Days after the Darkside ransomware syndicate announced the closure of its operations, Mandiant discovered that a Darkside-affiliated threat actor, UNC2465, had initiated a supply chain attack on a CCTV vendor, implanting a trojan in a downloadable web app.

Software Containers at High Risk from Cryptominers

Cybercriminals are improving their TTPs aimed at automatic identification and exploitation of software containers such as Docker. The most common objective of these attacks is to install cryptominers; however, it is not the threat actors’ only goal. The Nautilus group at Aquasec observed some container attacks that used privilege escalation techniques to escape from within containers and pivot to other areas of the network, as well as attackers trojanizing the build process of containers to mount supply chain attacks. If cryptocurrency valuation falls, EclecticIQ analysts expect these attacks will almost certainly shift focus from cryptominer installation to credential theft. More invasive malware such as ransomware and backdoors will be used for credential resale.
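One concrete check for the container escape risk described above, added here as an example (not EclecticIQ's or Aqua's code): it audits `docker inspect` JSON for host settings that let a process in a compromised container reach the host. The four settings checked are assumed risk factors rather than the techniques Nautilus observed, and the sample JSON is constructed.

```python
"""Audit `docker inspect` output for settings that let a compromised container
reach the host. Added example for this update, not EclecticIQ's or Aqua's code;
the checks are assumed common escape enablers and the sample JSON is constructed.
"""
import json

# Constructed sample: trimmed `docker inspect` output for three containers.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/build-agent", "HostConfig": {
        "Privileged": False, "PidMode": "", "CapAdd": None,
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
    {"Name": "/web", "HostConfig": {
        "Privileged": False, "PidMode": "", "CapAdd": ["NET_BIND_SERVICE"],
        "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
    {"Name": "/miner-suspect", "HostConfig": {
        "Privileged": True, "PidMode": "host", "CapAdd": ["CAP_SYS_ADMIN"],
        "Binds": None}},
])


def audit_container(entry):
    """Return the escape-enabling findings for one inspect entry, in check order."""
    hc = entry.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged")
    if hc.get("PidMode") == "host":
        findings.append("host-pid-namespace")
    # Docker accepts capabilities with or without the CAP_ prefix; normalise.
    caps = set()
    for cap in hc.get("CapAdd") or []:
        cap = cap.upper()
        caps.add(cap[4:] if cap.startswith("CAP_") else cap)
    if "SYS_ADMIN" in caps or "ALL" in caps:
        findings.append("cap-sys-admin")
    for bind in hc.get("Binds") or []:
        # Binds are "source:target[:options]"; only the source matters here.
        if bind.split(":", 1)[0].rstrip("/") == "/var/run/docker.sock":
            findings.append("docker-socket-mounted")
            break
    return findings


def audit(inspect_json):
    """Map container name -> findings for every container that has any."""
    report = {}
    for entry in json.loads(inspect_json):
        findings = audit_container(entry)
        if findings:
            report[entry["Name"]] = findings
    return report
```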

Risks to User Privacy and Trust Arise When Platforms Fail to Communicate

Android users in Massachusetts, USA, and Costa Rica reported new application functionality being pushed to their mobile phones without explicit consent over the weekends of June 19 and June 11, respectively. Data from Google’s Play Store and numerous citizen accounts support the theory that most users in Massachusetts had a COVID-19 reporting feature called MassNotify pushed to their Android phones overnight. While users need to manually opt in to fully enable the new service, it is unclear what functionality was active by default and what data might have been exposed. The silent rollout in Massachusetts coincided with the announced completion of MassNotify the week prior, under the same name. Google and Massachusetts officials avoided direct responses to pointed questions from mainstream and social media regarding the incidents.

Vaccine-related Spam Expected to Continue Dominating COVID-19 Themed TTPs

Fears about the pandemic have yielded a high success rate for pandemic-themed attacks paired with commodity malware. In a recent attack, AgentTesla variants used CVE-2017-11882, a very commonly exploited vulnerability in Microsoft Office documents, to initiate remote code execution through spam. The lure capitalizes on vaccine anxiety for social engineering leverage. The attack kill chain exemplifies how cybercriminals access increasingly sophisticated commodity malware. Better-functioning and obfuscated malware, when paired with generic, unsophisticated spam, enables cybercriminals to achieve higher success rates. Both attack elements require less effort from cybercriminals directing spam, which enables more attacks. Also, pandemic-related anxiety provides cybercriminals with a much larger audience than normal during the weaponization phase of a single attack.
