This report is drawn from recent open source reporting.
The Saudi Arabian Government warned on 23 January that the destructive wiper malware Shamoon 2 had been detected on its government networks.
Shamoon 2 is an updated version of Shamoon, the disk-wiping malware that disabled thousands of computers at Saudi state-linked energy company Saudi Aramco in 2012.
The Saudi authorities are reporting on these latest compromises publicly and have provided reassurance that the damage is currently limited and mitigation is in place.
The re-emergence of Dridex
The notorious Dridex banking Trojan has returned. Flashpoint researchers observed a small Dridex spear-phishing campaign targeting UK financial institutions on 25 January. This is not the first time Dridex has made a reappearance; there have been peaks and troughs in the distribution of this Trojan since it first emerged in 2014. What has remained consistent, however, is the upgraded capability seen within the malware upon its return.
This Dridex re-emergence is no exception: Flashpoint researchers identified a previously unobserved User Account Control bypass mechanism in the most recent iteration of the malware. This bypass means the Windows user prompt requesting administration access for an application is not displayed, enabling Dridex to gain administrative system access without user approval.
This frequent evolution ensures infection levels are kept high, whilst frustrating the capability of network defenders to respond to attacks. Although relatively resource intensive, these regular changes have so far been worthwhile in establishing Dridex's status as one of the most prolific banking Trojans to feature in the UK, as well as yielding estimated profits of upwards of £20 million.
The Evolution of Ransomware
An earlier weekly threat report predicted further innovations in ransomware, and this has already happened with the targeting of internet-connected devices to create a “Ransomware of Things”.
Internet of Things (IoT) devices are increasing, many with poor security, which presents opportunities for exploitation by cyber criminals. According to research company, Gartner, there will be more than 26 billion IoT devices by 2020.
Researchers from IT security company ESET predict that the next step in the evolution of ransomware is "jackware" where internet-connected devices are targeted to create a Ransomware of Things (RoT). Recent RoT incidents have locked people out of hotel rooms and left a family unable to access their smart TV.
2016 was dubbed "The Year of Ransomware", but as the number of connected devices continues to increase, this phenomenon will only continue to gather pace.
Hiding in Plain Sight
According to recent research by Forcepoint Security Labs, the Carbanak Group is now using malware that uses Google cloud services for command and control infrastructure. The group is named after Carbanak (aka Anunak) malware, which is a banking Trojan that has been used to steal hundreds of millions of pounds from international financial institutions.
The new malware issues command and control instructions to and from Google Forms Services, Google Apps Script and Google Sheets to manage infected computers. Investigations suggest that a trojanised RTF document was likely responsible for infecting the computers with the malware.
Using a legitimate third party service like Google helps the attacker hide their communications in plain sight amongst regular traffic that is unlikely to be blocked by an organisation or identified by intrusion detection systems. Detecting such threats will therefore require an evolution in protective monitoring.
This isn't the first time that cloud hosting services have been used as an attack vector, services like DropBox have been used in the past, but it is likely to become more popular as individual users, government departments and industry organisations make increasingly greater use of the cloud.
This was a relatively quiet week for vulnerabilities, with mainly platform-agnostic updates issued for Linux and Unix systems. Google Chrome, OpenSSL and WordPress each fixed multiple flaws addressing remote access, bypassing of security controls, and spoofing of the user interface, among other issues. Elsewhere there were updates from F5 Networks, RSA, and IBM. No one sector was disproportionately affected this week.