So, this concludes our 12th installment of this annual report. If the DBIR were a bottle of decent Scotch whisky it would cost you around 100 bucks, instead of being free like this document. Likewise, the decisions you might make after finishing them would probably differ wildly as well. Nevertheless, we hope you gain a certain degree of enjoyment and enlightenment from both.
On behalf of the team that labored to produce this document, we sincerely thank you, our readers, for your continued support and encouragement of this effort. We believe it to be of value to Information Security professionals and to industry at large, and we are grateful for the opportunity to bring it before you once again. As always, a tremendous thank you to our contributors who give of their time, effort, insight, and most importantly, their data. The task of creating this document is in no way trivial and we simply could not do it without their generosity of resources. We look forward to bringing you our 14th report (we are taking the high-rise hotel concept of enumeration here) next year, and in the meantime, may your security budgets be large and your attack surface small. Until then, feel free to reflect on the more noteworthy publicly disclosed security events in 2018 from the VTRAC before jumping into the Appendices.
Year in Review
On the second day of the year, the Verizon Threat Research Advisory Center (VTRAC) began to learn that researchers had discovered “Meltdown” and “Spectre,” new information disclosure vulnerabilities in most modern microprocessors. The vulnerabilities lie in foundational CPU architectures. Patching continued through 2018. We collected no reports of successful Meltdown or Spectre attacks in 2018. The first week of the month included the first report of malware attacks targeting the 2018 Winter Olympics in Pyeongchang, Republic of Korea. Investigative journalists reported that India’s national ID database, “Aadhaar,” had suffered a data breach affecting more than 1.2 billion Indian citizens. We began collecting reports of targeted attacks on Latin American banks. Attackers used disk-wiping malware, probably to eliminate evidence of their actions and to minimize the scale of the banks' losses. On January 26th, we collected the first report of GandCrab ransomware.
The first “zero-day” in Adobe Flash kicked off February after APT37 embedded an exploit in Excel spreadsheets. The Punjab National Bank reported fraudulent transfers of ₹11,600 crore (US$1.77 billion). The Russian Central Bank reported that “unsanctioned operations” caused the loss of ₽339 million (€4.8 million). “Olympic Destroyer” malware disrupted the opening ceremony of the Pyeongchang Olympics but did not result in their cancellation. GitHub was hit with a new type of reflection denial-of-service attack leveraging misconfigured memcached servers. GitHub and other organizations endured 1.35-terabit-per-second junk traffic storms.
Intelligence on attacks on the Pyeongchang Olympics continued after the February 25th closing ceremonies. Operations Gold Dragon, HaoBao and Honeybee began as early as July 2017. In March, we collected intelligence on a full spectrum of APT-grade threat actors including APT28, menuPass (APT10), Patchwork, MuddyWater, OilRig, Lazarus and Cobalt. US-CERT published 15 files with intelligence on Russian actors attacking critical infrastructure in the USA. Malaysia’s Central Bank foiled an attack that involved falsified SWIFT wire-transfer requests. The Drupal project patched a remote code execution vulnerability reminiscent of the 2014 vulnerability that led to “Drupalgeddon.”
Attacks on “Smart Install” software in Cisco IOS switches by Russian threat actors were probably the most noteworthy InfoSec risk development in April. The VTRAC collected updated intelligence on the “Energetic Bear” Russian actor. A supply-chain attack on Latitude Technologies forced four natural-gas pipeline operators to temporarily shut down computer communications with their customers. Latitude supplies Electronic Data Interchange (EDI) services to the Energy and Oil verticals. March’s Drupal vulnerability did indeed attract cybercriminals. A variant of the Mirai IoT botnet began scanning for vulnerable Drupal servers, and the subsequent compromises to install cryptomining software became known as Drupalgeddon2. The cyber-heist of US$150,000 in Ethereum from MyEtherWallet paled in significance to the BGP hijacking of the Internet’s infrastructure used to carry it out.
Intelligence about the “Double Kill” zero-day vulnerability in Internet Explorer was collected at the end of April. In May the VTRAC collected intelligence on a malicious PDF document with two more zero-day vulnerabilities, one each in Adobe PDF Reader and in Windows. Microsoft and Adobe patched all three on May’s Patch Tuesday. A surge in GandCrab ransomware infections was the focus of several of the best intelligence collections in May. New intelligence collections documented that the Cobalt threat actor’s phishing campaign was targeting the financial sector. Multiple sources reported VPNFilter malware had infected routers and network-attached storage (NAS) appliances. Control the router, and you control the traffic passing through it.
Multiple sources released updated intelligence on North Korean threat actors engaged in cyber-conflict and cybercrime operations. Adobe patched a new zero-day vulnerability in Flash. Like February’s Flash zero-day, it was being used in malicious Excel files, but the targets were in the Middle East. Two Canadian Imperial Bank of Commerce subsidiaries, BMO (Bank of Montreal) and Simplii Financial, suffered a leak of about 90,000 customer records. They learned of the breach when threat actors demanded US$750,000 for the return of the records. The Lazarus threat actor stole roughly ₩35 billion (around US$31 million) in cryptocurrency from the South Korea-based exchange Bithumb. DanaBot, a new banking Trojan, was discovered targeting Commonwealth Bank in Australia.
The first major Magecart attack in 2018 was on Ticketmaster’s UK branch. Hackers compromised Inbenta, a third-party functionality supplier. From Inbenta they placed digital skimmers on several Ticketmaster websites. The Ticketmaster attack was part of a campaign targeting third-party providers to perform widespread compromises of card data. July’s Magecart collections included indicators of compromise for over 800 victim websites. A malicious Mobile Device Management platform was used in highly targeted attacks on 13 iPhones and some Android and Windows platforms. Russia’s PIR Bank lost ₽58 million (US$920,000) after the MoneyTaker actor compromised an outdated, unsupported Cisco router at a branch office and used it to pivot into the bank’s network.
The second Border Gateway Protocol (BGP) hijacking to steal cryptocurrency in 2018 redirected legitimate traffic from an Amazon DNS server. The malicious DNS server redirected users of MyEtherWallet to a spoofed site that harvested their credentials. Users of the service lost Ethereum worth about US$152,000. Cosmos Bank in Pune, India, was the victim of US$13.4 million in fraudulent SWIFT and ATM transfers. The US Dept. of Justice announced the arrests of three managers from the FIN7 (Anunak, Carbanak, Carbon Spider) threat actor. Intelligence indicated a new vulnerability in Apache Struts, CVE-2018-11776, was following the course set by March 2017’s CVE-2017-9805, the Jakarta multi-parser Struts vulnerability. The 2017 vulnerability led to the Equifax data breach. A detailed code reuse examination of malware linked to North Korea attributed most malware attacks to the Lazarus Group. APT37 was linked to a small portion but was assessed to be more skilled and reserved for attacks with national strategic objectives.
New intelligence revealed Japanese corporations were being targeted by the menuPass (APT10) threat actor. On September 6th, British Airways announced it had suffered a breach resulting in the theft of customer data. Within a week, we collected intelligence that British Airways had become another victim of a Magecart attack. Intelligence indicated that in the preceding 6 months, 7,339 e-commerce sites had hosted Magecart payment card skimming scripts, including online retailer Newegg. Weaponized IQY (Excel Web Query) attachments were discovered attempting to evade detection to deliver payloads of the FlawedAmmyy remote access Trojan (RAT). The FBI and DHS issued an alert about the Remote Desktop Protocol (RDP). The alert listed several threats that exploit RDP connections: the Crysis (Dharma), Crypton and SamSam ransomware families. DanaBot expanded its target set to Italy, Germany and Austria.
The VTRAC assessed that claims that Chinese actors had compromised the technology supply chain did not constitute intelligence. The related report lacked technical details or corroboration and was based on unqualified, unidentified sources. US-CERT issued an updated alert on attacks on MSS providers by the menuPass (APT10) threat actor. Multiple sources reported North Korean actors engaged in cybercrime attacks intended to provide revenue to the sanction-constrained regime. GreyEnergy is the latest successor to the Sandworm/BlackEnergy/Quedagh/Telebots threat actor. GreyEnergy was linked to attacks on the energy sector and other strategic targets in Ukraine and Poland over the past three years. DanaBot began targeting financial services establishments in the USA. The Magecart threat actors executed a scaled supply-chain attack on Shopper Approved, a customer scoring plugin used by 7,000+ e-commerce sites. Detailed reports in August and October indicated the Cobalt threat actor had reorganized into a group with journeymen and apprentice members and a second group of masters reserved for more sophisticated campaigns.
Intelligence based on examination of Magecart malware indicated there are at least six independent threat actors conducting Magecart attacks. The initial Magecart successes in late 2016 and high-profile attacks beginning with Ticketmaster UK/Inbenta in June led to a bandwagon effect. Other threat actors copied and improved upon the TTPs of the early Magecart threat actor(s). The SamSam ransomware attacks came to a standstill after two Iranian hackers were indicted for US$6 million in extortion. Cisco released an advisory due to “active exploitation” of a vulnerability in Cisco Adaptive Security Appliance Software (ASA) and Cisco Firepower Threat Defense Software that could allow an unauthenticated, remote attacker to cause a denial of service. US-CERT released Activity Alert AA18-284A, “Publicly Available Tools Seen in Cyber Incidents Worldwide,” on five tools threat actors had been using for their “Living off the Land” tactics. Marriott announced a 2014-18 breach had exposed the records of up to 500 million customers in its Starwood hotels reservation system.
VTRAC collections in December began with “Operation Poison Needles.” An unidentified actor exploited the third Adobe Flash zero-day vulnerability of the year to attack the Polyclinic of the Presidential Administration of Russia. “Operation Sharpshooter” was a global campaign targeting nuclear, defense, energy and financial companies. Oil and gas services contractor Saipem suffered an attack that employed a new variant of Shamoon disk-wiping malware. December’s Patch Tuesday fixed CVE-2018-8611, the latest Windows zero-day being exploited by the FruityArmor APT threat actor. Partly in reaction to the 77 percent plunge in Bitcoin, cybercriminals, without abandoning cryptomining altogether, turned to SamSam and GandCrab ransomware to attack corporations, government agencies, universities and other large organizations. Criminals targeted larger purses: organizations likely to pay a ransom rather than endure days of lost business and productivity while recovering from backups, re-imaging or other BCP/DR measures. At the end of 2018 the VTRAC was running like a Formula 1 car finishing a mid-race lap: at full speed, staying ahead of some, striving to catch others and constantly improving our engineering.