Q1 2020 was packed full of significant global events, including military and geopolitical tensions and the onset of the COVID-19 (aka coronavirus) pandemic. The cyber threat landscape has remained as busy as ever, and the upcoming months are very likely to continue challenging us.

It’s no surprise that cyber threat actors have seen these global events as profitable opportunities. At Digital Shadows (now ReliaQuest), we have been keeping up with these threats and are constantly researching and analyzing the ways threat actors take advantage of current events. As we continue through Q2 2020, we wanted to share some of our most popular research and security trends from the first quarter of 2020.

SOLEIMANI’S ASSASSINATION AND THE CYBER RESPONSE

On January 3rd, 2020, the U.S. conducted a drone strike near Baghdad International Airport in Iraq, killing Iran’s Major General Qasem Soleimani. This controversial assassination was followed by threats of retaliation against the U.S. from Iran’s Supreme Leader Ayatollah Ali Khamenei. After a short period of mourning set by the Ayatollah, Iran retaliated on January 8th, 2020, by launching several missiles at Iraqi military bases housing U.S. military personnel; no casualties were reported.

Shortly after the assassination, Digital Shadows (now ReliaQuest) identified an increase in cyber threat actor activity from pro-Iran hacktivists. The majority of this activity consisted of disinformation campaigns, phishing attacks, and website defacements. We identified several instances of website defacements in the wild; one of the first was from the self-proclaimed hacktivist group Shield Iran:

Figure 1: Shield Iran defacement page

These defacements marked the first activity from Shield Iran since campaigns in 2015 and 2016, when the group was linked with at least 35 self-reported defacements targeting French, German, and American websites. Digital Shadows (now ReliaQuest) detected at least eleven other sites confirmed to have been defaced with the same message shown above, using the Farsi hashtag #hardrevenge. Our analysts also identified hundreds of other defacements by a threat actor dubbed Mrb3hz4d, who became increasingly active following Soleimani’s killing. Digital Shadows (now ReliaQuest) also identified HTML code for defacement pages by an Indonesian hacktivist group called G3MB3ZT001 on text-sharing websites.

Figure 2: HTML code for G3MB3ZT001 defacement page shared on Pastebin

Figure 3: G3MB3ZT001 defacement page produced by the HTML code

In what was perhaps a surprising twist, there was relatively little activity from Iranian nation-state threat actors following Soleimani’s killing. The majority of publicly reported activity was linked to the Iranian advanced persistent threat (APT) group APT34 (aka OilRig). In the days and weeks following the assassination, several attacks were attributed to APT34, such as the targeting of a government-related U.S. company called Westat. It is realistically possible these campaigns were at least in part motivated by Soleimani’s killing.

Most of these attacks relied on social engineering techniques for initial access, typically involving spear phishing emails with malicious macro-enabled Excel sheets. In the past, APT34 has primarily targeted government, financial, telecommunications, energy, and chemical industries in the Middle East. Still, the group was also observed targeting U.S. industries and government entities in cyberespionage campaigns.

We have created a list of things that companies can do to protect against threats from nation-state-associated threat groups like APT34:

  1. Disable Windows scripting systems where appropriate to help defend against spear phishing attempts that may find their way into your network
  2. Disable unnecessary ports and protocols and review control logs for those services which are intended to be available
  3. Enhance monitoring of network and email traffic
  4. Patch internet-facing infrastructure which is vulnerable to publicly available exploits, raising the bar of entry for attackers
  5. Limit admin credentials to only specific users, practicing the concept of least privilege
  6. Ensure system and network configuration backups are up-to-date and ready to be deployed in case of emergency
  7. Educate employees on threats associated with spear phishing emails using an ongoing security awareness program.

COVID-19: THE ERA OF SOCIAL DISTANCING

The ongoing COVID-19 pandemic has impacted nearly every aspect of social and business interactions across the globe. Many companies have since implemented work-from-home policies and begun using third-party tools, such as video conferencing apps, to continue business as usual. This shift has been natural for organizations already accustomed to remote work culture, but for some, like schools and medical providers, the transition may have been more difficult. Many of these new remote workers were likely not accustomed to teleconferencing platforms, had very little knowledge of cyber threats, and may even have been using outdated solutions.

Within a couple of weeks of the virus becoming a topic of discussion in late January, reports of phishing attacks in the wild using COVID-19-related lures had already begun to appear. These attacks were designed to exploit the public’s fears and uncertainties about the global pandemic; attacks were observed impersonating health organizations or legitimate informational authorities.

Digital Shadows (now ReliaQuest) also observed personal protective equipment (PPE) and purported COVID-19 cures for sale on cybercriminal marketplaces. We also identified listings for illicit drugs that mentioned COVID-19 deals to help attract sales. Some vendors who typically engage in the sale of drugs have moved their offerings to include COVID-19-related products.

Figure 4: Face masks and chloroquine for sale on Empire market

In an analysis of potentially malicious third-party mobile apps, Digital Shadows (now ReliaQuest) identified 376 Android apps claiming to be related to public health agencies such as the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC). Many of these apps requested dangerous permissions on users’ phones, such as the ability to read contacts and access cameras.

Figure 5: Permissions for coronavirus-live-statistic.apk
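A quick way for defenders to triage apps like the one above is to pull the `uses-permission` entries out of the manifest and compare them against the set Android classifies at the "dangerous" (runtime) protection level, then ask which of those a "live statistics" app has any business requesting. The following is an added example, not code from the original post or from Digital Shadows; the manifest is constructed for illustration (the package name `com.example.covidstats` is made up), and the `DANGEROUS` set is a curated subset of Android's documented runtime permissions, not the full list.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # ElementTree spells android:name this way

# Curated subset of permissions Android documents at protection level
# "dangerous" (granted at runtime). Not exhaustive; extend as needed.
DANGEROUS = frozenset({
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
})


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every android:name value found on a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR, "") for el in root.iter("uses-permission")]


def triage(manifest_xml: str, justified: frozenset[str] = frozenset()) -> dict:
    """Flag dangerous permissions the app's stated purpose does not explain.

    `justified` is the analyst's baseline: the dangerous permissions this kind
    of app legitimately needs. A statistics dashboard needs none, so the default
    is empty and every dangerous permission is treated as unexplained.
    """
    perms = declared_permissions(manifest_xml)
    dangerous = sorted(p for p in perms if p in DANGEROUS)
    unexplained = [p for p in dangerous if p not in justified]
    return {
        "declared": perms,
        "dangerous": dangerous,
        "unexplained": unexplained,
        "verdict": "review" if unexplained else "ok",
    }


# Constructed manifest modelled on the kind of "live statistics" app discussed
# above: it needs network access but also asks for contacts, camera and GPS.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.covidstats">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <application android:label="Live Statistics" />
</manifest>
"""

if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    print(result["verdict"], result["unexplained"])
```

On a real sample the manifest comes from `apktool d` or `aapt dump permissions`; the point of the `justified` baseline is that the same permission can be fine in a messaging app and a red flag in a dashboard, so the verdict is always relative to what the app claims to do.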

We also identified many apps that claimed to offer COVID-19-related functions but contained completely different applications once downloaded. Also, many of these apps downloaded packages containing malware such as adware and various trojans.

Figure 6: Malicious signatures detected in the downloaded aioupdate.apk file

Digital Shadows (now ReliaQuest) also monitored cybercriminals’ reactions to COVID-19 on dark web forums and identified several conversations about how threat actors could exploit the pandemic for cyber-attacks and financial gain. For example, we identified the following user on Torum, a popular English-language dark web forum, seeking advice on how to take advantage of the COVID-19 pandemic.

Figure 7: User on Torum asking how to take advantage of COVID-19

We also observed some unusual discussions on these forums typically used for cybercrime, such as:

  1. Users discouraging others from profiting off the pandemic
  2. Users expressing solidarity for countries affected (particularly Italy)
  3. Users providing health and safety information

Figure 8: User on Torum talking about the impact of the virus in Spain and Germany

There were also many reported instances of cybercriminals exploiting vulnerabilities in video conferencing applications such as Zoom, which have become popular in the current climate for meetings. In our blog covering Zoom security and privacy issues, we observed the following:

  1. Close to 500,000 Zoom account details were put up for sale on cybercriminal forums and promoted as “hacked” credentials. It is important to note here, though, that Zoom did not get compromised. These accounts were gathered using credential stuffing, a brute-forcing sub-technique in which attackers replay previously exposed credentials across multiple different services.
  2. Users were also observed sharing tools to target Zoom. For example, a user on the cybercriminal cracking forum Nulled shared a download link to a configuration file targeting Zoom. This file can be used with the credential stuffing tool OpenBullet. However, some administrators of these forums, such as Cracked, have prohibited the mention of malicious content targeting Zoom, likely to avoid law enforcement action.
  3. Zero-day exploits were also identified being sold on trading websites for hefty prices, affecting Windows and macOS. However, there has been no public reporting of the effectiveness of the exploits, no evidence that anyone has purchased the supposed exploits, and no reported attacks using them in the wild.
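Because credential stuffing replays leaked username/password pairs rather than guessing passwords for one account, it leaves a distinctive footprint in authentication logs: one source trying many different usernames, each only once or twice. The detector below is an added example (not code from the original post or from Digital Shadows or Zoom) that runs over constructed log lines in a made-up format; the source addresses are from documentation ranges. It deliberately does not match a single-account brute force, and it reports which accounts the replay actually succeeded against, since those are the ones that need a forced password reset.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not any real product's): one auth event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str) -> dict | None:
    """Parse one auth event; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def bucket_start(ts: datetime, window: timedelta) -> datetime:
    """Floor a timestamp to the start of its tumbling window."""
    seconds = int((ts - datetime.min).total_seconds())
    size = int(window.total_seconds())
    return datetime.min + timedelta(seconds=seconds - seconds % size)


def detect_credential_stuffing(
    lines: list[str],
    window: timedelta = timedelta(minutes=10),
    min_distinct_users: int = 5,
    max_attempts_per_user: float = 2.0,
) -> dict[str, dict]:
    """Flag sources that try many *different* accounts with few attempts each.

    A classic single-account brute force keeps the distinct-user count at 1 and
    is intentionally not matched; it belongs to a separate rule.
    """
    groups: dict[tuple[str, datetime], list[dict]] = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        groups[(ev["src"], bucket_start(ev["ts"], window))].append(ev)

    alerts: dict[str, dict] = {}
    for (src, start), evs in groups.items():
        users = {ev["user"] for ev in evs}
        attempts_per_user = len(evs) / len(users)
        if len(users) < min_distinct_users or attempts_per_user > max_attempts_per_user:
            continue
        alerts[src] = {
            "window_start": start.isoformat(),
            "attempts": len(evs),
            "distinct_users": len(users),
            "failures": sum(not ev["ok"] for ev in evs),
            # accounts where a replayed password worked: force a reset on these
            "compromised": sorted({ev["user"] for ev in evs if ev["ok"]}),
        }
    return alerts


# Constructed sample: one stuffing source (7 accounts, one hit), one brute-force
# source hammering a single account, one normal login, and one malformed line.
SAMPLE_LOG = """
2020-04-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2020-04-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2020-04-01T10:00:03Z src=203.0.113.5 user=carol result=FAIL
2020-04-01T10:00:04Z src=203.0.113.5 user=dave result=FAIL
2020-04-01T10:00:05Z src=203.0.113.5 user=erin result=FAIL
2020-04-01T10:00:06Z src=203.0.113.5 user=frank result=FAIL
2020-04-01T10:00:07Z src=203.0.113.5 user=grace result=OK
2020-04-01T10:01:00Z src=198.51.100.7 user=alice result=FAIL
2020-04-01T10:01:01Z src=198.51.100.7 user=alice result=FAIL
2020-04-01T10:01:02Z src=198.51.100.7 user=alice result=FAIL
2020-04-01T10:01:03Z src=198.51.100.7 user=alice result=FAIL
2020-04-01T10:01:04Z src=198.51.100.7 user=alice result=FAIL
2020-04-01T10:01:05Z src=198.51.100.7 user=alice result=FAIL
2020-04-01T10:02:00Z src=192.0.2.9 user=bob result=OK
this line is not an auth event and is skipped
""".strip().splitlines()

if __name__ == "__main__":
    for src, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(src, info)
```

In production the thresholds are tuned per login endpoint, and the source key is usually widened from a single IP to an ASN or a device fingerprint, because stuffing tools rotate through proxy pools; the shape of the rule (many distinct accounts, low repetition per account) stays the same.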

STORIES FROM THE DARK WEB

In Q1 2020, Digital Shadows (now ReliaQuest) also published several blogs that discuss broader trends in gated or part-gated cybercriminal communities:

  1. Our analysts provided an in-depth overview of the dark web search engine Kilos, which began gaining popularity as the successor to Grams, another dark web search engine that was reportedly taken down in December 2017. Kilos can be used to search through over 550k forum posts, 68k listings, 2.8k vendors, and 248k reviews (figures purported by the service) across various dark web cybercriminal marketplaces. Kilos was found to have a much broader index and more advanced filters than Grams, with the service still reportedly under active development. New features include the addition of a CAPTCHA task that also improves Kilos’ machine learning algorithm, and a Bitcoin mixer service called Krumble.

Figure 9: Kilos search engine

  2. The Apollon dark web marketplace was reportedly conducting an exit scam while also launching Distributed Denial-of-Service (DDoS) campaigns against competing English-speaking forums and marketplaces. On cybercriminal platforms, an exit scam means that the administrators of a website take money for products but never actually deliver them to buyers. The motivation behind the DDoS attacks remains unknown, but some users speculated that it was a cover-up for the exit scam.
  3. Digital Shadows (now ReliaQuest) also analyzed the emergence of a new dark web account-selling service called Kapusta.World, advertised across multiple Russian-language forums. What made Kapusta unique compared to other sites offering the same service was its heavy focus on professional branding, effective marketing, and customer service options. The services provided included the sale of brute-forced accounts, license keys, bitcoin accounts, hacking of emails, and look-up services.

Figure 10: Kapusta dedicated thread on XSS forum

  4. A ransomware-as-a-service (RaaS) platform called Cryptonite was identified being offered on the English-language cybercriminal forum Torum. Cryptonite allegedly differentiated itself from its competitors with a professional design and a comprehensive payment structure, making the product very user-friendly and easy to understand. According to their website, they had reached over 700 happy customers and infected over 20k sites. Since our reporting, however, offerings for the Cryptonite service have disappeared, with users claiming the service was a scam.

Figure 11: Cryptonite RaaS offerings

HOW TO STAY SAFE

As we come to a close, one question comes to mind. With these continuously evolving cyber threats, what can organizations do to stay safe? These four practices can help organizations and users stay on top of the cyber threat landscape and protect their environment from malicious activity.

  1. Beware of phishing: As we have seen, most threat actors still rely on social engineering techniques as initial attack vectors; therefore, the first step has to do with awareness. It goes beyond merely telling employees not to click on suspicious links or attachments. Employees need to opt in to security rather than be forced into it, and be fully committed to the cause. Effective security requires the contribution and understanding of every employee.
  2. Always apply the latest security patches: Zero-day vulnerabilities are continually being discovered, but developers are usually quick to release security patches addressing those vulnerabilities. Keeping systems up to date is crucial to protect from cyber threats.
  3. Defense in depth: Businesses’ most crucial assets must be protected behind several layers of security controls, so that when one control fails, another can keep us safe. Organizations should enforce strong password policies and two-factor authentication, encrypt sensitive data with robust protocols, deploy security awareness programs, and use detection and prevention security mechanisms.
  4. Stay up to date: Threat actors are continually evolving their tactics, techniques, and procedures (TTPs), so it is crucial to keep up with the latest developments related to your industry. Knowledge can be the shield that allows us to stay safe when our barriers are taken down.