Cyber security weekly summary, 10 - 16 April 2017

On 11 April, Wordfence researchers described a campaign that abused thousands of poorly secured home routers. The devices had port 7547, normally reserved for the ISP's remote management, exposed to the internet; once compromised, they were used at least throughout March for brute-force attacks on administrator accounts of WordPress sites. The telltale pattern that allowed the activity to be tied together was that each source IP address took part in the attack for only a few hours and then stayed quiet for the rest of the month. The total size of the router botnet (or botnets) is unknown, but the affected devices sat in the networks of 28 internet providers around the world.
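The pattern described above, a source that hammers wp-login.php for an hour or two and then disappears, is easy to pick out of ordinary web-server logs. The following Python is an added example, not code from the Wordfence report or the original article: it parses combined-format (Apache/nginx) access-log lines, counts failed login POSTs per source address and reports sources whose attempts are both numerous and packed into a short window. The log lines, IP addresses and thresholds are all constructed for the example.

```python
"""Added example (not from the Wordfence report or the original article): pick out
'bursty' brute-force sources against wp-login.php from web-server access logs.

The indicator the report relied on is that each source address hammered
wp-login.php for only a few hours and then went quiet for weeks. The code
below parses combined-format (Apache/nginx) log lines, counts failed login
POSTs per source IP and reports sources whose attempts are both numerous and
packed into a short window. All log lines are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_failed_login(rec):
    """A failed WordPress login is a POST to wp-login.php answered with 200
    (the form is re-rendered); a successful one is answered with a 302 redirect."""
    return (rec["method"] == "POST"
            and rec["path"].split("?")[0] == "/wp-login.php"
            and rec["status"] == 200)


def login_bursts(lines, min_attempts=20, max_window_hours=6.0):
    """Return {ip: stats} for sources with at least min_attempts failed logins
    whose first and last attempt lie within max_window_hours of each other."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_failed_login(rec):
            per_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in per_ip.items():
        if len(stamps) < min_attempts:
            continue
        stamps.sort()
        window_h = (stamps[-1] - stamps[0]).total_seconds() / 3600.0
        if window_h <= max_window_hours:
            flagged[ip] = {
                "attempts": len(stamps),
                "first": stamps[0].isoformat(),
                "last": stamps[-1].isoformat(),
                "window_hours": round(window_h, 2),
                "per_minute": round(len(stamps) / max(window_h * 60.0, 1.0), 2),
            }
    return flagged


def constructed_lines(ip, start, count, spacing, status=200):
    """Build constructed log lines for the demo: `count` POSTs from `ip`, `spacing` apart."""
    return [
        f'{ip} - - [{(start + i * spacing).strftime(TS_FMT)}] '
        f'"POST /wp-login.php HTTP/1.1" {status} 3456 "-" "Mozilla/5.0"'
        for i in range(count)
    ]


_T0 = datetime(2017, 4, 12, 3, 14, 1, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # one router in the botnet: 30 failed logins in under an hour, then silence
    constructed_lines("203.0.113.7", _T0, 30, timedelta(minutes=2))
    # a slow, persistent guesser: as many attempts, but spread over 20 days
    + constructed_lines("198.51.100.23", _T0, 40, timedelta(hours=12))
    # the real administrator: two successful logins (302), never counted
    + constructed_lines("192.0.2.10", _T0, 2, timedelta(days=1), status=302)
    + ["this line is not in combined log format and is skipped"]
)

if __name__ == "__main__":
    for ip, stats in login_bursts(SAMPLE_LOG).items():
        print(ip, stats)
```

Run against a real log, the output is a short list of addresses worth blocking or feeding to a rate limiter; the slow guesser is deliberately left out of the default result because the report's indicator was the short burst, not volume alone, and `max_window_hours` can be raised to catch the slow case as well.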

In its report, F-Secure Labs described the activities of the Callisto Group, an espionage-oriented actor targeting countries in Eastern Europe and the South Caucasus. The campaign, active since at least 2015, focused on political and military figures, journalists, academics and others with access to information on the foreign and security policy of the targeted states. The attacks began with phishing emails, and the attackers relied on tools originally developed by the Italian company Hacking Team, which sells surveillance software to government and law-enforcement agencies; the company's source code leaked during a breach in 2015. Callisto Group appears to have links both to a state and to the cybercriminal underground.

While WikiLeaks continues to publish documentation of cyber tools apparently belonging to the CIA, on 14 April the group known as the Shadow Brokers released a further batch of material attributed to the Equation Group, which a number of experts link to a second US intelligence agency, the NSA. According to the companies that analysed it, the dump contains a range of hacking tools, among them exploits for Windows, together with documents suggesting that the NSA had (probably) compromised two service bureaus, one of them the Dubai-based EastNets, that handle SWIFT transactions for the Middle East, which would potentially give it access to the financial data of banks in the region. Representatives of both SWIFT and EastNets denied that their infrastructure had been compromised in any way.

Microsoft responded with a statement that most of the vulnerabilities involved had already been fixed by security updates for currently supported versions of Windows; for some of the exploits the fix dates back to March 2017. Systems running versions that were no longer supported at the time received no such fix. Since Microsoft did not say how it learned of the vulnerabilities, the timing has prompted speculation that the NSA itself warned Microsoft, or even that Microsoft bought the information from the Shadow Brokers.

Perhaps the most significant finding, reported by Symantec, was a direct link to Stuxnet, the malware deployed (probably by the US and Israel) against the Iranian uranium-enrichment plant at Natanz, whose operation it seriously sabotaged. According to Symantec analyst Liam O'Murchu, a tool in the leak that generates MOF files (Managed Object Format, the text format compiled into the WMI repository) is almost identical at source-code level to the script used in Stuxnet; Stuxnet itself abused such a file, automatically compiled by older versions of Windows, to launch its payload. As other researchers noticed, one of the leaked documents also contains the code name "Olympic Games", the name under which the operation against the Iranian nuclear programme is known.
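Because a MOF file can do far more than define a class, a practitioner who finds an unexpected one wants to know what it registers. The usual abuse is WMI event-subscription persistence: an __EventFilter (a WQL query that fires), a consumer that runs a command or script, and a __FilterToConsumerBinding that joins them. The following Python is an added example, not the leaked tool, Symantec's analysis or Stuxnet's own MOF: it parses MOF text for instance blocks and reports every binding that ties a filter to an executing consumer. The MOF samples, names and paths are constructed for the example.

```python
"""Added example (not from the leak, Symantec's analysis or Stuxnet): scan MOF
text for WMI event-subscription persistence.

A MOF (Managed Object Format) file is compiled by mofcomp.exe into the WMI
repository. Three instances give an attacker code execution on an event, with
nothing on disk but the repository: an __EventFilter (a WQL query that fires),
an event consumer that runs a command or script, and a __FilterToConsumerBinding
that joins them. The MOF samples below are constructed for this example.
"""
import re

# 'instance of <Class> as $Alias { ... };' blocks
INSTANCE_RE = re.compile(
    r'instance\s+of\s+(?P<cls>\w+)\s+as\s+\$(?P<alias>\w+)\s*\{(?P<body>.*?)\};',
    re.S,
)
# 'Name = value;' properties: a quoted string, an $alias reference, or a bare value
PROP_RE = re.compile(r'(?P<name>\w+)\s*=\s*(?P<value>"(?:[^"\\]|\\.)*"|\$\w+|[^;]+);')

# consumers that execute attacker-controlled content
EXEC_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}


def parse_mof(text):
    """Return [(class, alias, {property: value})] for every instance block in the MOF text.
    Quoted values keep their MOF escaping (backslashes are not unescaped)."""
    instances = []
    for m in INSTANCE_RE.finditer(text):
        props = {}
        for p in PROP_RE.finditer(m.group("body")):
            value = p.group("value").strip()
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1]
            props[p.group("name")] = value
        instances.append((m.group("cls"), m.group("alias"), props))
    return instances


def find_persistence(text):
    """Return one finding per __FilterToConsumerBinding that ties an __EventFilter
    to a command-line or script consumer."""
    instances = parse_mof(text)
    by_alias = {alias: (cls, props) for cls, alias, props in instances}
    findings = []
    for cls, alias, props in instances:
        if cls != "__FilterToConsumerBinding":
            continue
        filt = by_alias.get(props.get("Filter", "").lstrip("$"))
        cons = by_alias.get(props.get("Consumer", "").lstrip("$"))
        if filt is None or cons is None or cons[0] not in EXEC_CONSUMERS:
            continue
        findings.append({
            "binding": alias,
            "trigger": filt[1].get("Query", ""),
            "consumer_class": cons[0],
            "payload": cons[1].get("CommandLineTemplate") or cons[1].get("ScriptText", ""),
        })
    return findings


# Constructed sample: a timer-style WQL trigger that runs a binary every minute.
PERSISTENCE_MOF = r'''
#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $Filt
{
    Name = "ExampleFilter";
    EventNamespace = "root\\cimv2";
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'";
    QueryLanguage = "WQL";
};

instance of CommandLineEventConsumer as $Cons
{
    Name = "ExampleConsumer";
    CommandLineTemplate = "cmd.exe /c C:\\Windows\\Temp\\example.exe";
};

instance of __FilterToConsumerBinding as $Bind
{
    Filter = $Filt;
    Consumer = $Cons;
};
'''

# Constructed benign sample: only a class definition, no subscription.
BENIGN_MOF = r'''
#pragma namespace("\\\\.\\root\\cimv2")

class Example_Setting
{
    [key] string Name;
    uint32 Value;
};
'''

if __name__ == "__main__":
    for finding in find_persistence(PERSISTENCE_MOF):
        print(finding)
```

The scanner only covers the on-disk text; once a MOF has been compiled, the same triple lives in the repository and is enumerated on the host with `Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding` (and the corresponding `__EventFilter` and consumer classes), which is where the check belongs on a system that may already have been compromised.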

About the author: Roman Šulc
