As we get to the end of a busy year for cybersecurity, the Unit 42 threat research team at Palo Alto Networks wraps up below the key cybersecurity threats of 2017.
The Rise of Unauthorised Coin Mining in the Browser (October 2017)
- Unit 42 released details of coin mining secretly taking place on consumer devices without the consent of their users. Victims span the globe, with the highest impact in the US and Europe.
- Unauthorised cryptocurrency mining means that visitors to a website end up coin mining without their knowledge: mining code served by the page runs in the visitor's browser and burns their CPU time, while the mined value goes to the site owner who installed the mining script.
Bad Rabbit Ransomware (October 2017)
- Unit 42 released details of the ransomware spreading throughout Eastern Europe, attacking multiple organisations in Russia, Ukraine, Turkey and other countries in the region.
- Bad Rabbit gains initial entry by posing as an Adobe Flash update. Once inside a network it spreads laterally using credentials harvested with the Mimikatz tool as well as a list of hard-coded credentials, so a single infected host can reach every machine on which those credentials are valid.
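Both spreading behaviours described above leave footprints in standard Windows telemetry. The following is an added example (not Unit 42 code) of detection logic run over constructed sample log lines: it flags a process other than a known-good set reading LSASS memory (Sysmon Event ID 10, the usual Mimikatz footprint), and a single source address producing network logons (Event ID 4624, logon type 3) to many hosts in a short window, which is what credential reuse across a network looks like whether the credentials were dumped or hard-coded. The key=value line layout, the allow-list and the thresholds are assumptions for the example.

```python
"""Two lateral-movement detections over constructed Windows/Sysmon log lines.

Added example, not Unit 42 code. Field names follow the Sysmon and Windows
Security event schema; the single-line key=value layout is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Processes that legitimately open LSASS on a typical host (assumption; tune per environment).
LSASS_READERS_ALLOWED = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}
# GrantedAccess masks that include PROCESS_VM_READ; 0x1010 and 0x1410 are the masks
# widely used in detection rules for Mimikatz's sekurlsa module, 0x1FFFFF is PROCESS_ALL_ACCESS.
SUSPICIOUS_ACCESS = {0x1010, 0x1410, 0x1FFFFF}

# Constructed sample telemetry (values never contain spaces in this layout).
SAMPLE_LOGS = [
    r"Time=2017-10-24T10:00:01 Host=ws01 EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"Time=2017-10-24T10:00:02 Host=ws01 EventID=10 SourceImage=C:\Vendor\agent.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000",
    r"Time=2017-10-24T10:00:07 Host=ws01 EventID=10 SourceImage=C:\Users\bob\Downloads\flash_update.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"Time=2017-10-24T10:01:10 Host=ws02 EventID=4624 LogonType=3 SourceIP=10.0.0.23 User=admin",
    r"Time=2017-10-24T10:01:15 Host=ws03 EventID=4624 LogonType=3 SourceIP=10.0.0.23 User=admin",
    r"Time=2017-10-24T10:01:22 Host=ws04 EventID=4624 LogonType=3 SourceIP=10.0.0.23 User=admin",
    r"Time=2017-10-24T10:02:40 Host=ws05 EventID=4624 LogonType=3 SourceIP=10.0.0.23 User=Administrator",
    r"Time=2017-10-24T10:03:00 Host=fs01 EventID=4624 LogonType=3 SourceIP=10.0.0.5 User=alice",
    r"Time=2017-10-24T10:03:30 Host=ws02 EventID=4624 LogonType=2 SourceIP=- User=bob",
]


def parse_line(line):
    """Turn 'key=value key=value ...' into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def lsass_access_alerts(lines):
    """Signal 1: an unexpected process opened lsass.exe with a read-capable mask.

    Returns a list of (host, source_image, granted_access) tuples.
    """
    alerts = []
    for rec in map(parse_line, lines):
        if rec.get("EventID") != "10":
            continue
        if not rec.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
            continue
        source = rec.get("SourceImage", "").lower()
        access = int(rec.get("GrantedAccess", "0"), 16)
        if source not in LSASS_READERS_ALLOWED and access in SUSPICIOUS_ACCESS:
            alerts.append((rec["Host"], source, access))
    return alerts


def logon_fanout_alerts(lines, threshold=5, window=timedelta(minutes=10)):
    """Signal 2: one source IP logged on (type 3, network) to >= threshold
    distinct hosts within a sliding window.

    Returns a list of (source_ip, distinct_hosts) tuples, one per source.
    """
    by_src = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec.get("EventID") == "4624" and rec.get("LogonType") == "3":
            by_src[rec["SourceIP"]].append((datetime.fromisoformat(rec["Time"]), rec["Host"]))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                alerts.append((src, len(hosts)))
                break
    return alerts


if __name__ == "__main__":
    for host, image, access in lsass_access_alerts(SAMPLE_LOGS):
        print(f"[LSASS] {host}: {image} opened lsass.exe with 0x{access:x}")
    for src, n in logon_fanout_alerts(SAMPLE_LOGS, threshold=3):
        print(f"[FANOUT] {src} logged on to {n} hosts within 10 minutes")
```

The allowed-reader list is deliberately short; in practice it is built from a baseline of the environment, and the fan-out threshold is set above the noise produced by administrative tooling, since both signals also fire on legitimate credential management and vulnerability scanners.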
FreeMilk: A Highly Targeted Spear Phishing Campaign (October 2017)
- Unit 42 released details of a threat actor that stayed under the radar by building malware that only executes when the correct command-line argument is supplied, hijacking an existing email conversation, and carefully crafting each decoy document around that conversation so it looked legitimate. The argument gating matters for analysts: a sandbox that detonates the sample without the expected argument sees no malicious behaviour.
- The team believes the threat actor hijacked an existing, legitimate in-progress conversation and posed as the legitimate senders to send malicious spear phishing emails to the recipients.
Android devices not running Oreo vulnerable to ‘Toast’ overlay attack (September 2017)
- Unit 42 released details of a new vulnerability affecting Android versions prior to 8.0 (Oreo). It can be used to mount an "overlay attack", drawing a window over other apps to trick the user into unwittingly installing malware or handing over full control of the device.
- Overlay attacks had not been reckoned a serious threat for some time, because an attacker had to clear two significant hurdles: the malicious app needed the user to grant it the "draw on top" overlay permission, and it needed to be installed from Google Play. Unit 42 found that a Toast-type window can be drawn over other apps without that permission, so both mitigating factors can be bypassed.
Operation Blockbuster, Lazarus Group and phishing (August 2017)
- Unit 42 released details of the activities of Lazarus, a group tied to the 2014 attack on Sony Pictures Entertainment and the 2013 DarkSeoul attacks. The report addresses the tools and techniques that were used to infiltrate computer networks.
- This recently identified activity targets Korean-speaking individuals, while the threat actors behind it likely speak both Korean and English. The blog details the recently discovered samples, their functionality, and their ties to the threat group behind Operation Blockbuster.
Petya Ransomware (June 2017)
- Unit 42 released details on the threat situation surrounding attacks using the Petya ransomware, which were impacting organisations in Ukraine and Russia and, to a lesser extent, around the world. At least 50 organisations reported impacts from the malware, including government and critical infrastructure operators.
- The team became aware of a new variant of the Petya malware that spreads through multiple lateral movement techniques. One of them is the ETERNALBLUE exploit against SMBv1, the same exploit the WanaCrypt0r/WannaCry malware used to spread globally and the one addressed by the MS17-010 patch.
Waves Of Shamoon Attacks In Saudi Arabia (March 2017)
- Unit 42 released details of the method by which the threat actors delivered the Disttrack payload. They found evidence that the actors used a combination of legitimate tools and batch scripts to deploy the Disttrack payload to hostnames the attackers already knew to exist in the targeted network, which implies prior reconnaissance of the environment.
- The team explored a possible connection between Shamoon 2 and the Magic Hound campaign, outlining evidence of a potential link between the two and a possible scenario in which they worked in conjunction to execute the Shamoon 2 attacks.
RanRan Ransomware Attacks Middle Eastern Government Organisations (March 2017)
- Unit 42 released details of attacks using a previously unseen ransomware family, named RanRan after strings embedded in the malware. Given the targeted nature of the ransom message the malware delivers and the small sample set of this family, Unit 42 believes the attack was targeted in nature.
- The ransom note specifically attempts to extort a political statement by forcing the victims to create a public sub-domain with a name that would appear to advocate and incite violence against a Middle Eastern political leader.