Our February 2014 Intelligence Update

In the past month, Cytegic’s CIAC has observed the following events and developments which are either indicators of trends, independent significant issues, or are important enough to inform our customers:

Turkey as a Case Study – How Internal Conflicts Impact Foreign Entities: As the internal political tensions in Turkey continue to rise, RedHack, one of the most active Political Activist (Hacktivist) groups in the Middle-East continues its campaign of cyber-attacks. This month, the group joined the protests against the government’s new Internet Law, which is said to censor and limit freedom of speech in the country. After the group leaked communication details of 600 government personnel last month, this month they defaced the websites of Kars municipality and the Gas Distribution Authority of Sakarya. In addition, the group leaked data from the websites of the City of Amasya and the Ministry of Education. The group also managed to leak personal information of 36 US Embassy personnel, in protest of what they claim to be US intervention in the country. What makes this attack unique is the targeting of foreign diplomats in Turkey by hacktivists, which normally focus on internal targets. Foreign companies, organizations and diplomats should notice this trend and understand that internal struggles may affect them as well, as Cytegic has identified in the past year (in cases such as the Indian-Pakistani conflict, the Arab-Israeli conflict, and more).

Largest DDoS Attack Ever: This month, we have seen a severe escalation in DDoS capabilities, when an unknown attacker targeted DDoS protection and content-delivery firm CloudFlare. The attack consisted of an extremely powerful TTP known as NTP Amplification, which peaked at 400Gbps – even larger than the Spamhous attack last year. The hackers leveraged a vulnerability in the NTP protocol, abusing 1,298 different NTP servers. This attack shows the trend we have monitoring in the recent year, of continuing developments in DDoS attacks that abuse common protocols and the growing ease of their manipulation.
A Continuation of Data Harvesting Attacks, now against the academic and healthcare sectors – This month we have seen the continuation of the trend we covered in previous update – large data theft attacks. Until now, we covered mostly PII theft from retailers and IT firms, but this month we have seen the trend spreading to new fields. Attackers have begun targeting academic and medical institutions in order to steal large amounts of sensitive data, mostly in the US. Such was the case when a Texas-based health care provider St. Joseph Health System was hacked and some 405,000 people were put at risk. In parallel, the University of Maryland was breached and some 300,000 records were exposed. While hacking academic and medical institution is not new, the breadth of the attacks suggest the sectors are being pulled into the current trend.

SEA Attacks Forbes, Barcelona FC and EBay/PayPal, also in Israel: The Syrian Electronic Army (SEA) did not let February go by without some interesting attacks. This month the SEA continued its regular campaign and targeted EBay and PayPal’s websites in the UK and in Israel. In addition they hacked the Twitter account of FC Barcelona and posted remarks against Qatar, which funds the team. Despite that, the most interesting attack was the one against Forbes, in which the SEA went out of their way and leaked the personal information of more than 1 million Forbes subscribers. Until now, most of the SEA’s attacks consisted of Phishing, Spear-Phishing and Abuse of Authorization in order to deface and embarrass their targets. This attack makes it clear that the SEA continues to adapt and add new attacks and objectives to their toolbox.

IE 10 0Day Attack on US Military and Defense Contractors: A sophisticated attack exploiting a vulnerability in Internet Explorer 9 and 10 (CVE-2014-0322) has been identified this month by several security firms. The exploit was first believed to be part of an Advanced Persistent Threat (APT) targeting ex-military personnel and defense contractors, but now it is much more wide-spread. The attack’s vector uses a rogue iFrame injected into many sites to deliver a Trojan that gathers and exfiltrates sensitive data. The attack has been used in many parts of the world, including the Middle-East. Microsoft has yet to publish a patch for the CVE, but it has published workarounds like updating to IE 11 or installing EMET.

Zeus Continues to Evolve and Adapt: The popular banking malware Zeus is constantly being updated to fit new infection vectors and targets. This month researchers from Adallom found a new Zeus variant targeting Salesforce users. They claim the Zeus variant is able to target an enterprise SaaS application in order to exfiltrate sensitive corporate data. The Zeus variant was configured to detect Salesforce sessions and not online banking sessions as it usually does. In another development, a new Zeus variant was found disguised as a crucial configuration code in a digital photo. The variant is called ZeusVM, and according to researchers, it downloads a configuration file that contains the domains of banks that the malware is instructed to intervene in during a transaction.

Leave a Reply

Your email address will not be published. Required fields are marked *