Weekly Executive Summary for Week Ending May 20, 2016
By Joseph Lorenz on May 18, 2016
Targeted Industries
- Information Technology
- Banking
- Software
- Telecommunications
- Finance
Active Threats
- Anonymous
- Inj3ct0r Team
- APT28 Pawn Storm – Tsar Team
- Ghost Squad
- APT1 Comment Crew
Major Events
- SmsSpy.88 Banking Trojan has Infected at least 40,000 Android Users Worldwide
- Clickfraud Malware Hijacked Searches on 900,000 Devices
- KnowBe4 on New Malicious HTML Attachments
- German Spy Service Says Russia is Behind Major Cyber Attacks
Conclusions
There were numerous incidents this week, and many lessons to be learned from them. First on the list are banking Trojans that have been affecting thousands of Android users. A major contributor is SmsSpy.88, which was first spotted in 2014. Although it is now two years old, the Trojan remains popular. Cyber criminals have made the Trojan more dangerous and capable of performing ransomware functions.
Source: SmsSpy.88 Banking Trojan
In other news, a clickfraud botnet has hijacked search results on more than 900,000 devices around the world. This helps cyber criminals make a profit through Google’s AdSense program. The majority of victims are located in India, but infections have been spotted in the United States, Malaysia, Greece, Italy, Brazil, and several African countries. Once a device is infected, the Trojan modifies the system so that results from popular search engines like Google, Yahoo, and Bing are replaced with the results of a custom Google search, ensuring the attackers profit from the ads that are displayed.
Source: Clickfraud Malware
KnowBe4 is the US’s most popular security awareness training and integrated phishing platform. This week it warned its customers of a new wave of social engineering tactics being introduced by cyber criminals. Over the past six to nine months, .DOC and .JS file attachments have dominated the news surrounding phishing attacks, and these attachment types feature in security awareness training. However, a new type of attack using .HTML attachments is emerging. These attachments are commonly used by financial institutions to deliver secure documents and messages, and to allow users to conduct banking business in a secure environment.
Source: Malicious HTML Attachments
Finally, Germany’s domestic secret service (the BfV intelligence agency) announced that it had evidence that Russia was behind a series of cyber attacks, including one that targeted the German parliament last year. The BfV detected various aggressive attacks, referred to as Sofacy or APT 28, that hit the North Atlantic Treaty Organization (NATO) and knocked the French TV station TV5Monde off the air. A hacking campaign called Sandstorm brought down part of Ukraine’s power grid last year; the name refers to a group of hackers who deploy the malware known as Black Energy and KillDisk through phishing attacks. The BfV said, “Cyber attacks carried out by Russian secret services are part of multi-year international operations that are aimed at obtaining strategic information.” IT experts believe that Sofacy or APT 28 is a phishing tool that has been used by Operation Pawn Storm, which has been blamed for targeting NATO, the US government and military, as well as Ukrainian activists and Russian dissidents.
Source: German Spy Service Says Russia is Behind Major Cyber Attacks
Note: The purpose of the weekly executive summary is to provide useful information that a business or agency could use in both its cybersecurity and business strategies. In order for this website to serve the community, we need to know your concerns and questions about (for example) proper safeguards for technology you’re looking into, or what sets of compliance and governance policies you would need to operate a particular business. The CSCC openly invites you to send in your inquiries. We’ll have students research your issues and provide an analysis of the information at hand to guide you with all things cybersecurity. Mail us at: uhwocscc@hawaii.edu