7 cyber security stories from 2018 you don’t want to miss
With September just around the corner we are now two-thirds of the way through 2018, so we thought this was a good time to reflect on some of the most interesting stories Symantec Security Response researchers have encountered in the last few months.
Meltdown and Spectre: Chip Vulnerabilities Could Facilitate Memory Leaks
The year started with a bang with the revelation of the Meltdown and Spectre vulnerabilities in January. The new vulnerabilities affected nearly all modern processors and can only be mitigated through operating system patches. Meltdown and Spectre work by exploiting flaws in processors in order to bypass memory isolation in the operating system.
Between them, Meltdown and Spectre affected almost all modern processors, including Intel, AMD, and ARM chips. Since the initial discovery, a variety of variants of both Meltdown and Spectre have been discovered.
New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia
In April, we published details about Orangeworm, a new attack group that used the Kwampirs (Trojan.Kwampirs) backdoor to target organizations in the healthcare sector and related industries.
Kwampirs is a custom backdoor that Orangeworm used to carry out targeted attacks on large international corporations operating within the healthcare sector in the U.S., Europe, and Asia. It also targeted organizations in industries related to healthcare as part of supply chain attacks in order to reach their intended victims. Orangeworm has been active since at least January 2015, and based on its activities on victim machines its purpose is corporate espionage. There is nothing to indicate that this is the activity of a nation state; it appears to be the work of an individual or a small group of people. Most of its victims are in the U.S., but there are no indications as to where Orangeworm itself is based.
VPNFilter: New Router Malware with Destructive Capabilities
One of the biggest cyber security stories of 2018 broke in May: VPNFilter. The malware in question targets a range of routers and network-attached storage (NAS) devices and is capable of knocking out infected devices by rendering them unusable. One of the reasons VPNFilter attracted a lot of attention is because, unlike other Internet of Things (IoT) threats, it is able to maintain persistence on an infected device, even after the device is rebooted. VPNFilter has a range of capabilities, including spying on the traffic being routed through a device. It can also “brick” a device by overwriting a section of the device’s firmware and rebooting, rendering it unusable.
The attackers behind VPNFilter appeared to be particularly interested in targets in Ukraine. Unlike a lot of IoT malware, it didn’t seem interested in indiscriminately infecting every IoT device it could. It targeted devices using default credentials or those with known exploits. Late in May, the FBI announced that it had taken immediate action to disrupt VPNFilter, securing a court order authorizing it to seize a domain that was part of the malware’s command and control (C&C) infrastructure.
VPNFilter was such a big deal that Symantec created a free online tool to let people check if their router is impacted by the threat.
Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies
In June we published research on Thrip, a cyber crime group targeting companies operating in the areas of satellite, telecoms, and defense. Thrip’s motive appears to be cyber espionage, and the companies it’s targeting are located in the U.S. and Southeast Asia.
The most interesting thing about Thrip was that one of the companies it targeted is a satellite communications operator. The group seemed to be particularly interested in the operational side of the company, looking for and infecting computers running software that monitors and controls satellites. This suggests the group’s motives go beyond spying and may also include disruption.
In all cases, Thrip appeared to be interested in the company itself, not its customers. Thrip used a mixture of custom malware (Infostealer.Catchamas) and living off the land tools in its attacks.
Symantec’s Targeted Attack Analytics (TAA) technology, which leverages advanced artificial intelligence and machine learning to comb through Symantec’s data lake of telemetry in order to spot patterns associated with targeted attacks, helped to uncover Thrip’s activity.
Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions
In a lengthy blog post in July, we detailed research into Leafminer, a new group targeting government organizations and business verticals in various regions of the Middle East. Leafminer has been active since at least 2017, and poor opsec on the group’s part gave us insight into its activities.
Leafminer adapts publicly available techniques and tools for its attacks and experiments with published proof-of-concept exploits. It attempts to infiltrate target networks through various means of intrusion, including watering hole websites, vulnerability scans of network services on the internet, and brute-force/dictionary login attempts. The group’s post-compromise toolkit suggests that it is looking for email data, files, and database servers on compromised target systems.
The top industries targeted by Leafminer are financial, government, and petrochemical, with the most targeted countries being Saudi Arabia and Lebanon. The group uses two strains of custom malware in its activities — Trojan.Imecab and Backdoor.Sorgu — as well as living off the land tools.
Postmortem of a Compromised MikroTik Router
A story broke in August that hundreds of thousands of MikroTik routers had been infected in a large-scale cryptojacking campaign. Cryptojacking peaked at the end of 2017 but, while we have seen a decline in activity in recent months, this attack showed that cyber criminals are not finished innovating in this area.
In this campaign, the attackers altered the traffic passing through the routers in order to inject a copy of the Coinhive library inside all the pages served through the router — allowing them to infect a huge amount of web traffic. The attacker(s) soon realized that they were making a bit too much noise by infecting all the traffic passing through the routers, and altered the campaign to only infect error pages returned by the routers.
The campaign began in Brazil, where the most infections occurred, but it quickly spread worldwide.
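The two phases described above can be told apart on the defender's side by checking which HTTP status classes carry the injected script. The following is an added example, not Symantec's tooling or the router-check tool mentioned elsewhere in this post; the script file name and constructor it matches on are the Coinhive library's well-known identifiers, assumed here rather than taken from the article, and the sample responses are constructed.

```python
"""Flag Coinhive-style script injection in HTTP responses relayed by a router.

Added example (not Symantec's code). Feed it proxied or captured responses and
it reports whether miners appear on every page or only on error pages.
"""
import re
from collections import Counter

# Indicators of an injected in-browser miner (assumed well-known identifiers).
MINER_PATTERNS = [
    re.compile(r'<script[^>]+src=["\']https?://[^"\']*coinhive\.min\.js', re.I),
    re.compile(r'CoinHive\.Anonymous\s*\(', re.I),
]


def find_injected_miner(body: str) -> list:
    """Return every indicator string found in one HTML response body."""
    return [m.group(0) for p in MINER_PATTERNS for m in p.finditer(body)]


def scan_responses(responses) -> dict:
    """Count responses carrying a miner, grouped by HTTP status class.

    `responses` is an iterable of (status_code, body) tuples.
    Returns {"2xx": n, "4xx": n, "5xx": n, "other": n}.
    """
    hits = Counter({"2xx": 0, "4xx": 0, "5xx": 0, "other": 0})
    for status, body in responses:
        if not find_injected_miner(body):
            continue
        klass = status // 100
        hits[f"{klass}xx" if klass in (2, 4, 5) else "other"] += 1
    return dict(hits)


def looks_like_error_page_phase(summary: dict) -> bool:
    """True when miners show up only on error pages: the quieter second phase."""
    return summary["2xx"] == 0 and (summary["4xx"] + summary["5xx"]) > 0


# Constructed sample traffic, not captured from a real router.
SAMPLE_TRAFFIC = [
    (200, "<html><body><h1>Welcome</h1></body></html>"),
    (404, '<html><head><script src="https://coinhive.com/lib/coinhive.min.js">'
          '</script><script>var m=new CoinHive.Anonymous("KEY");m.start();'
          '</script></head><body>Not Found</body></html>'),
    (502, "<html><body>Bad Gateway<script>new CoinHive.Anonymous('KEY')"
          ".start();</script></body></html>"),
]

if __name__ == "__main__":
    summary = scan_responses(SAMPLE_TRAFFIC)
    print(summary, "error-page-only phase:", looks_like_error_page_phase(summary))
```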
Mobile Privacy: What Do Your Apps Know About You?
In a major piece of research from Security Response researcher Gillian Cleary, we asked just how much personal information your mobile apps are gathering about you, and whether they really need it all.
Gillian downloaded and analyzed the top 100 free apps as listed on the Google Play Store and Apple App Store on May 3, 2018. For each app, two main things were investigated: how much personal information the user was sharing with the app, and which smartphone features the app accessed.
Among the findings of this research was that the most common piece of personally identifiable information (PII) shared with apps was the email address (48 percent of iOS apps and 44 percent of Android apps). Meanwhile, 45 percent of Android apps and 25 percent of iOS apps sought to track a user’s location. These are just two of many findings made by Gillian in this research, which can be read in full on the Security Response blog.
Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cyber security.