FBI Warn Hackers are Using Hijacked Home Security Devices for ‘Swatting’
31.12.2020 BigBrothers Threatpost
Stolen email credentials are being used to hijack home surveillance devices, such as Ring, to call police with a fake emergency, then watch the chaos unfold.
Stolen email passwords are being used to hijack smart home security systems to “swat” unsuspecting users, the Federal Bureau of Investigation warned this week. The announcement comes after concerned device manufacturers alerted law enforcement about the issue.
Swatting is a dangerous prank where police are called to a home with a fake emergency.
“Swatting may be motivated by revenge, used as a form of harassment, or used as a prank, but it is a serious crime that may have potentially deadly consequences,” the FBI statement said.
By accessing a targeted home security device, an attacker can initiate a call for help to authorities and watch remotely as the swat occurs. The FBI points out that initiating the call for help from the actual security device lends authenticity and anonymity to the hacker.
Requests to the FBI to name the specific manufacturers were not answered. However, this category of device is often found to be insecure.
“Recently, offenders have been using victims’ smart devices, including video and audio capable home surveillance devices, to carry out swatting attacks,” The FBI’s public service announcement read. “To gain access to the smart devices, offenders are likely taking advantage of customers who re-use their email passwords for their smart device. The offenders use stolen email passwords to log into the smart device and hijack features, including the live-stream camera and device speakers.”
In the past, the bad actors would spoof the numbers to make the call appear as if it were coming from the victim, the FBI explained. This new iteration makes the call directly from the compromised device.
“They then call emergency services to report a crime at the victims’ residence,” the FBI statement continued. “As law enforcement responds to the residence, the offender watches the live stream footage and engages with the responding police through the camera and speakers. In some cases, the offender also live streams the incident on shared online community platforms.”
Live Streaming Swatting Attacks
Live streaming swat attacks isn’t new. Last December, the publication Vice reported on a podcast called “NulledCast,” which live-streamed on the content-sharing platform Discord an incident in which criminal actors hijacked Nest and Ring smart-home video and audio devices to harass their owners in all sorts of creepy ways.
One incident captured showed a man talking to young children through the device in their bedroom, claiming to be Santa.
“In a video obtained by WMC5 courtesy of the family, you can see what the hacker would have seen: A viewpoint that looms over the entire room from where the camera is installed in a far corner, looking down on their beds and dressers while they play,” Vice reported last year. “The hacker is heard playing the song ‘Tiptoe Through the Tulips’ through the device’s speakers, and when one of the daughters, who is eight years old, stops and asks who’s there, the hacker says, ‘It’s Santa. It’s your best friend.’”
Vice also reported finding posts on hacker forums offering simple Ring credential stuffing software for as little as $6.
By Feb. 2020, Ring had rolled out added layers of security beyond its already mandatory two-factor authentication, including requiring a one-time six-digit code to log on, alerts when someone logs onto the account, and tools to control access by third-party service providers, which could also be breached.
Ring is also preparing to roll out end-to-end video encryption, originally due by the end of the year.
“With End-to-End Encryption, your videos will be encrypted on the Ring camera, and you will be the only one with the special key (stored only on your mobile device) that can decrypt and view your recordings,” the Sept. 24 announcement read.
More Harm Than Help?
Just this month, an assessment by NCC Group of second-tier smart doorbells, including the brands Victure, Qihoo and Accfly, found vulnerabilities that rendered these devices more harmful than helpful and classified the popular gadgets a “domestic IoT nightmare.” Top-flight smart-home security brands Ring, Nest, Vivint and Remo were not included in the review.
The report detailed undocumented features, like a fully functional DNS service in the Qihoo device; digital locks that could be picked in a snap because their communications were not encrypted; and shoddy hardware which could easily be tampered with by criminals.
“Unfortunately, consumers are the victims here,” Erich Kron, security awareness advocate at KnowBe4, told Threatpost. “A trend I am happy to see among consumer devices is the requirement to set your own complex password during device setup, rather than having a default one set at the factory.”
Kron added that Ring’s MFA implementation, along with its other protections, is a “step in the right direction.”
While services like Ring continue to work to keep their customer data safe, if customer email accounts are compromised, bad actors can easily grab 2FA and other verification codes and breach both accounts. That means it is up to individual users to take control of their privacy with strong passwords and basic security-hygiene practices.
“Any organization that sells devices that have the kinds of privacy impacts such as always-on video cameras or devices that are always listening for commands, has an obligation to provide a reasonable amount of education to their customers,” he said. “The consumer device field is extremely competitive, and purchases are often based on a price difference of a couple of dollars or less. We must understand that adding any additional security features that are not required for every manufacturer can impact the price and therefore the organization’s bottom line. Because of this, we must be reasonable with our expectations from the manufacturers.”
CISA demands US govt agencies to update SolarWinds Orion software
31.12.2020 BigBrothers Securityaffairs
US Cybersecurity and Infrastructure Security Agency (CISA) urges US federal agencies to update the SolarWinds Orion software by the end of the year.
The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its official guidance to order US federal agencies to update the SolarWinds Orion platforms by the end of the year.
According to the CISA’s Supplemental Guidance to Emergency Directive 21-01, all US government agencies running the SolarWinds Orion app must update to the latest 2020.2.1HF2 version by the end of the year or take them offline.
SolarWinds released the 2020.2.1HF2 version on December 15 to secure its installs and remove the Sunburst-related code from their systems.
“Specifically, all federal agencies operating versions of the SolarWinds Orion platform other than those identified as ‘affected versions’ below are required to use at least SolarWinds Orion Platform version 2020.2.1HF2,” reads CISA’s Supplemental Guidance to Emergency Directive 21-01. “The National Security Agency (NSA) has examined this version and verified that it eliminates the previously identified malicious code.”
The order is part of the update for the CISA’s guidance that was issued on December 18 following the discovery of the SolarWinds supply chain attack.
The US CERT Coordination Center issued the security note VU#843464 to detail the authentication bypass flaw in the Orion API, tracked as CVE-2020-10148, that allows attackers to execute remote code on Orion installations.
“This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance.” reads the advisory.
The vulnerability was exploited by threat actors to install the Supernova backdoor in attacks not linked to the SolarWinds supply chain hack.
CISA urges agencies to update to version 2020.2.1HF2 to fix any other SolarWinds Orion-related bug, including the CVE-2020-10148 vulnerability.
“Given the number and nature of disclosed and undisclosed vulnerabilities in SolarWinds Orion, all instances that remain connected to federal networks must be updated to 2020.2.1 HF2 by COB December 31, 2020,” continues CISA.
Orion Platform version | Continued use of SolarWinds Orion permitted at this time? | Update required?
Affected versions: 2019.4 HF5, 2020.2 RC1, 2020.2 RC2, 2020.2, 2020.2 HF1 (should be powered down or removed from networks based on ED 21-01) | No | N/A
All other versions that are currently online (if the instance did not previously use an affected version) | Yes | Yes (2020.2.1HF2)
Below the list of affected versions:
Orion Platform 2019.4 HF5, version 2019.4.5200.9083
Orion Platform 2020.2 RC1, version 2020.2.100.12219
Orion Platform 2020.2 RC2, version 2020.2.5200.12394
Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432
Recently, both US CISA and cybersecurity firm Crowdstrike released free detection tools to audit Azure and MS 365 environments.
Yesterday, the Microsoft 365 Defender Team revealed that the goal of the threat actors behind the SolarWinds supply chain attack was to move to the victims’ cloud infrastructure once they had infected the network with the Sunburst/Solorigate backdoor.
FBI: Home Surveillance Devices Hacked to Record Swatting Attacks
31.12.2020 BigBrothers Securityweek
An alert issued this week by the FBI warns owners of smart home devices with voice and video capabilities that these types of systems have been targeted by individuals who launch so-called “swatting” attacks.
Swatting is a hoax where someone tricks emergency services into deploying armed law enforcement to a targeted individual’s location by claiming there is a life-threatening situation. These types of pranks are not uncommon, but they can result in lengthy jail sentences for the pranksters.
The FBI warned in an alert issued on Tuesday that swatters have been hijacking home surveillance and other types of devices with audio and video capabilities to watch their victims while they are being swatted. In some cases, the prankster also live-streams the video and engages the law enforcement responders.
“Smart home device manufacturers recently notified law enforcement that offenders have been using stolen e-mail passwords to access smart devices with cameras and voice capabilities and carry out swatting attacks,” the FBI said.
The agency has been working with the manufacturers of the targeted devices to warn customers about the threat and provide them with recommendations on how to avoid having their devices hacked.
“The FBI is also working to alert law enforcement first responders to this threat so they may respond accordingly,” the agency noted.
The FBI has advised users to enable two-factor authentication (2FA) for internet-accessible devices. However, given that the attackers rely on stolen email credentials to hijack surveillance devices, the FBI advises against using a secondary email account for the second factor, and instead recommends the use of a mobile device number. Cybersecurity professionals and even NIST have long urged users to stop relying on SMS-based 2FA.
U.S. Treasury Warns Financial Institutions of COVID-19 Vaccine-Related Cyberattacks, Scams
31.12.2020 BigBrothers Securityweek
The United States Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) has issued an alert to warn financial institutions of fraud and cyberattacks related to COVID-19 vaccines.
As vaccination against the COVID-19 coronavirus is kicking off worldwide, fraudsters and other types of threat actors are attempting to capitalize on the situation by selling illegal or counterfeit goods, conducting phishing, targeting unsuspecting users with malware, and more.
Last week, several U.S. government organizations issued a warning of increasingly frequent fraud and phishing attacks, aimed at gathering personally identifiable information (PII) and stealing money.
Recent reporting has revealed that such attacks might also be the work of state-sponsored threat actors, which are also interested in targeting COVID-19 vaccine research.
In its newly released alert, FinCEN tells financial institutions to be wary of “potential for fraud, ransomware attacks, or similar types of criminal activity related to COVID-19 vaccines and their distribution.”
FinCEN has also published Suspicious Activity Report (SAR) filing instructions. Financial institutions are required to report suspicious transactions through SARs to help authorities disrupt terrorist, money laundering, drug trafficking, cybercrime and other types of illegal operations.
Leveraging the increased public interest in COVID-19 vaccines, fraudsters might attempt to sell unapproved and illegally marketed vaccines or counterfeit vaccines, or to illegally divert legitimate vaccines, FinCEN says.
“Already, fraudsters have offered, for a fee, to provide potential victims with the vaccine sooner than permitted under the applicable vaccine distribution plan,” the alert reads.
Cybercriminals too are involved in COVID-19 vaccine-related activity, including ransomware attacks that directly target vaccine research. Thus, FinCEN warns financial institutions of potential ransomware attacks targeting either supply chains involved in the manufacturing of vaccines, or the vaccine delivery operations.
“Financial institutions and their customers should also be alert to phishing schemes luring victims with fraudulent information about COVID-19 vaccines,” FinCEN warns.
The Treasury recently issued an advisory to warn companies that facilitate ransomware payments of the potential legal implications resulting from sending money to sanctioned entities.
North Korean Hackers Trying to Steal COVID-19 Vaccine Research
24.12.2020 BigBrothers Thehackernews
Threat actors such as the notorious Lazarus group are continuing to tap into the ongoing COVID-19 vaccine research to steal sensitive information to speed up their countries' vaccine-development efforts.
Cybersecurity firm Kaspersky detailed two incidents at a pharmaceutical company and a government ministry in September and October leveraging different tools and techniques but exhibiting similarities in the post-exploitation process, leading the researchers to connect the two attacks to the North Korean government-linked hackers.
"These two incidents reveal the Lazarus group's interest in intelligence related to COVID-19," Seongsu Park, a senior security researcher at Kaspersky, said. "While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well."
Kaspersky did not name the targeted entities but said the pharmaceutical firm was breached on September 25, 2020, with the attack against the government health ministry occurring a month later, on October 27.
Notably, the incident at the pharmaceutical company — which is involved in developing and distributing a COVID-19 vaccine — saw the Lazarus group deploying the "BookCodes" malware, recently used in a supply-chain attack of a South Korean software company WIZVERA to install remote administration tools (RATs) on target systems.
The initial access vector used in the attack remains unknown as yet, but a malware loader identified by the researchers is said to load the encrypted BookCodes RAT that comes with capabilities to collect system information, receive remote commands, and transmit the results of the execution to command-and-control (C2) servers located in South Korea.
In a separate campaign aimed at the health ministry, the hackers compromised two Windows servers to install a malware known as "wAgent," and then used it to retrieve other malicious payloads from an attacker-controlled server.
As with the previous case, the researchers said they were unable to locate the starter module used in the attack but suspect it to have a "trivial role" of running the malware with specific parameters, following which wAgent loads a Windows DLL containing backdoor functionalities directly into memory.
"Using this in-memory backdoor, the malware operator executed numerous shell commands to gather victim information," Park said.
Irrespective of the two malware clusters employed in the attacks, Kaspersky said the wAgent malware used in October shared the same infection scheme as the malware that the Lazarus group used previously in attacks on cryptocurrency businesses, citing overlaps in the malware naming scheme and debugging messages, and the use of Security Support Provider as a persistence mechanism.
The development is the latest in a long list of attacks capitalizing on the coronavirus pandemic, a trend observed in various phishing lures and malware campaigns throughout the last year. North Korean hackers are alleged to have targeted pharma firms in India, France, Canada and the UK, including UK-based AstraZeneca.
Defending Against State and State-Sponsored Threat Actors
23.12.2020 BigBrothers Threatpost
Saryu Nayyar of Gurucul discusses state and state-sponsored threat actors, the apex predators of the cybersecurity world.
Security threats from states and state-sponsored actors have been around since before the field of cybersecurity was defined. They have now evolved to cyberspace, and present unique challenges for defenders.
While there are fundamental differences between activist and criminal activity and those who operate directly for (or with the tacit approval of) sovereign powers, there can often be significant overlap in their agendas and techniques. But there are also significant differences, the most important of which is resourcing.
Where activists and small criminal gangs may have limited technical resources, states and state-sponsored actors have no such limitations. State actors can draw upon the skills and resources of their national intelligence communities, while state-sponsored actors, while not actually part of a state organization, can still draw upon the financial and technical assets of their sponsors.
Another fundamental difference between “civilian” and “state” actors is that law-enforcement agencies are better equipped to address threat actors who don’t have state backing. Even in cases where threats are acting across international borders, mechanisms exist where legal teams from different nations can work together to bring attackers to justice. However, when those attackers are working with the approval of their host countries, the situation becomes more difficult. It becomes nearly impossible for conventional law enforcement to address the issue when the attackers are working for a foreign power directly. In that case, the only recourse is diplomacy, or an escalation into what amounts to outright cyberwarfare.
We Can’t Return Fire
Cybersecurity professionals in the civilian space, and in most government agencies outside the intelligence and military communities, are restricted to an almost entirely defensive position. For legal and ethical reasons, we’re not allowed to “return fire” no matter how obvious, or egregious, the attack. While some individuals have been known to play the game on the attacker’s terms, it puts them firmly into a gray area where they are operating outside the law even if they have the moral high ground.
This all serves to put defense in the hands of mostly civilian cybersecurity professionals who develop the tools, techniques, training and processes needed to provide some level of defense. Fortunately, deploying defenses built to resist a well-funded state actor should be enough to defend against the average criminal gang. This means that it is more than worth the effort to raise our game to handle the worst-case scenario.
While recent reports from the National Security Agency [PDF] and the Cybersecurity and Infrastructure Security Agency have kept us abreast of the exploits and technical techniques most often employed by these adversaries, they also point out a reliance on social engineering, cast netting and spear phishing to infiltrate their target organizations. This is the same playbook we see used by criminal-level attackers, where users are assumed to be the weak link and technical attacks are deployed when they can’t find a vulnerable user. In fact, many state attackers lead with a phishing or social-engineering angle based on this very assumption.
Our Users Are Still a Target
Of course, one difference here between state adversaries and criminal organizations is that even well-funded criminals often lack the budget, and requisite skills, to use blackmail or bribery to turn an insider from an employee into a threat. It does happen, of course, as it did earlier in 2020 when a Russian adversary tried to bribe an employee of a major U.S. auto manufacturer to place malware on a network. That effort failed as much because of the target’s personal integrity as any technical or business-culture defenses.
Historically, user-education programs have been focused on countering the most common vectors. In most cases that is some form of phishing, whether a cast-net aimed at the target organization, or spear phishing aimed at an individual. Unfortunately, not every organization trains their employees to identify, let alone resist, social-engineering attacks. Also, not every organization fosters a culture where an employee would come forward and report a bribery attempt or similar effort, rather than take the money and run.
This is the first place where organizations need to up their game if they want to resist well-resourced state and state-sponsored actors. And it must include more than just the annual anti-phishing and business-ethics classes, but also more focused training on how to spot and avoid social-engineering efforts outside the context of email. There is also a place here to review the business culture and foster one where employees are willing to come forward when an outsider tries to compromise them.
Technical Defenses
On the technical side, the usual advice of keeping systems patched and properly configured is an obvious early step and one we have been talking about for years. But the NSA and CISA reports have shown that even sophisticated high-level attackers will leverage known exploits. That means staying on top of your patches isn’t just a best practice; it is a vital technique to keep the organization safe.
Making sure the security operations team (SecOps) is trained, adequate and prepared is another vital step. Budgets may be tight and qualified talent may be hard to attract and retain, but these are the people who run the last line of defense. This holds true when an organization’s security is a managed service. Your managed security service provider (MSSP) needs to be trained and prepared to confront threats at every level, from script kiddies to foreign-intelligence agencies.
There are other technical steps as well. Every organization needs to evolve their security stack to keep up with potential and active threats, making sure their tools and processes are up to the task. As new threats emerge, old technologies evolve and new ones emerge to fill the gaps. However, the stack needs to be looked at as a holistic whole. Perimeter devices and endpoint protections need to work in concert with some mechanism to consolidate the whole range of security telemetry into a coherent whole. And that whole needs to be processed, analyzed and presented in a way that SecOps personnel can use and understand, and can be leveraged to orchestrate and automate the organization’s defenses.
State and state-sponsored threat actors are the apex predators of the cybersecurity world. They have time, skills, effectively unlimited resources and can be very specific in their agenda. But if we keep our defenses up to date with the appropriate tools, training and best practices, we can reduce the risk to our organizations even from the most challenging adversaries.
Bulletproof VPN services taken down in a global police operation
23.12.2020 BigBrothers Securityaffairs
A joint operation conducted by European law enforcement agencies resulted in the seizure of the infrastructure of three bulletproof VPN services.
A joint operation conducted by law enforcement agencies from the US, Germany, France, Switzerland, and the Netherlands resulted in the seizure of the infrastructure used by three VPN bulletproof services.
VPN bulletproof services are widely adopted by cybercrime organizations to carry out malicious activities, including ransomware and malware attacks, e-skimming breaches, spear-phishing campaigns, and account takeovers.
“The virtual private network (VPN) Safe-Inet used by the world’s foremost cybercriminals has been taken down yesterday in a coordinated law enforcement action led by the German Reutlingen Police Headquarters together with Europol and law enforcement agencies from around the world,” reads the press release published by Europol.
“The Safe-Inet service was shut down and its infrastructure seized in Germany, the Netherlands, Switzerland, France and the United States. The servers were taken down, and a splash page prepared by Europol was put up online after the domain seizures.”
The three bulletproof VPN services were hosted at insorg.org, safe-inet.com, and safe-inet.net; their home pages currently display a law enforcement banner.
The takedown is part of an international law enforcement operation against the VPN service, dubbed “Operation Nova.”
“The coordinated effort was led by the German Reutlingen Police Headquarters together with Europol, the FBI and other law enforcement agencies from around the world,” reads the press release published by DoJ.
“The investigation revealed that three domains— INSORG.ORG; SAFE-INET.COM; SAFE-INET.NET.—offered “bulletproof hosting services” to website visitors. A “bulletproof hosting service” is an online service provided by an individual or an organization that is intentionally designed to provide web hosting or VPN services for criminal activity. These services are designed to facilitate uninterrupted online criminal activities and to allow customers to operate while evading detections by law enforcement. Many of these services are advertised on online forums dedicated to discussing criminal activity. A bulletproof hoster’s activities may include ignoring or fabricating excuses in response to abuse complaints made by their customer’s victims; moving their customer accounts and/or data from one IP address, server, or country to another to help them evade detection; and not maintaining logs (so that none are available for review by law enforcement).”
The three services were advertised on both Russian and English-speaking cybercrime forums. The services were offered for prices ranging from $1.3/day to $190/year.
According to the investigators, the three bulletproof VPN services are operated by the same threat actor and have been active since at least 2010.
The VPN service shut down by law enforcement was used by crooks to avoid law enforcement interception, leveraging up to five layers of anonymous VPN connections.
The law enforcement agencies identified roughly 250 companies worldwide that were being targeted by the criminals using this VPN service.
“These companies were subsequently warned of an imminent ransomware attack against their systems, allowing them to take measures to protect themselves against such an attack,” continues Europol. “The service has now been rendered inaccessible.”
“The investigation carried out by our cybercrime specialists has resulted in such a success thanks to the excellent international cooperation with partners worldwide. The results show that law enforcement authorities are equally as well connected as criminals,” said Udo Vogel, Police President of the Reutlingen Police Headquarters.
“The strong working relationship fostered by Europol between the investigators involved in this case on either side of the world was central in bringing down this service. Criminals can run but they cannot hide from law enforcement, and we will continue working tirelessly together with our partners to outsmart them.” said the Head of Europol’s European Cybercrime Centre, Edvardas Šileris.
North Korean Hackers Target COVID-19 Research
23.12.2020 BigBrothers Securityweek
The North Korea-linked threat actor known as Lazarus was recently observed launching cyberattacks against two entities involved in COVID-19 research.
Active since at least 2009 and believed to be backed by the North Korean government, Lazarus is said to have orchestrated some high-profile attacks, including the WannaCry outbreak. Last year, the group was observed mainly targeting cryptocurrency exchanges and expanding its toolset.
New Lazarus attacks in September and October 2020, Kaspersky reveals, targeted a Ministry of Health and a pharmaceutical company authorized to produce and distribute COVID-19 vaccines, revealing Lazarus’ interest in COVID-19 research.
In September, the hackers targeted a pharmaceutical company with the BookCode malware, which was attributed to the group a while ago. In late October, Lazarus targeted a Ministry of Health body with the wAgent malware, which was previously used to target cryptocurrency businesses.
Both pieces of malware were designed to function as full-featured backdoors, providing operators with full control over the infected machines. Different tactics, techniques and procedures (TTPs) were used in each attack, but Kaspersky is highly confident that Lazarus was behind both incidents.
Using wAgent, the attackers executed various shell commands to gather information from the victim machine. An additional payload that included a persistence mechanism was also deployed on two Windows servers, and the full-featured backdoor followed.
The BookCode backdoor was used to gather system and network information from the victim environment, along with a registry SAM dump containing password hashes. The adversary also attempted to collect information on other machines on the network, likely for lateral movement.
“We assess with high confidence that the activity […] is attributable to the Lazarus group. In our previous research, we already attributed the malware clusters used in both incidents […] to the Lazarus group,” Kaspersky notes.
The security firm was unable to identify the initial infection vector in either of the incidents, but notes that spear-phishing was used by the group in the past, along with strategic website compromise.
“These two incidents reveal Lazarus group’s interest in intelligence related to COVID-19. While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well. We believe that all entities currently involved in activities such as vaccine research or crisis handling should be on high alert for cyberattacks,” Seongsu Park, security expert at Kaspersky, said.
Microsoft reported last month that state-sponsored Russian and North Korean hackers had been trying to steal valuable data from pharmaceutical companies and vaccine researchers. Reuters reported that North Korean hackers had targeted British COVID-19 vaccine maker AstraZeneca.
Biden Says Huge Cyberattack Cannot Go Unanswered
23.12.2020 BigBrothers Securityweek
President-elect Joe Biden said Tuesday that the perpetrators of a massive cyberattack on the US government, unofficially blamed on Russia, must face consequences, and assailed President Donald Trump over his response to the threat.
"We can't let this go unanswered," Biden said in pre-holiday remarks to the American people.
"That means making clear, and publicly, who is responsible for the attack and taking meaningful steps to hold them in account."
Biden, who as president-in-waiting has received intelligence briefings on key national security issues, says much remains unknown about the extent of the damage from the attack.
Last week the US cybersecurity agency said a well-coordinated, highly technical operation penetrated US government and corporate systems months ago by hacking widely-used security software.
"I see no evidence that it's under control," Biden said, responding to Trump's claim to the contrary.
"This president hasn't even identified who is responsible yet," he noted.
He warned he would retaliate once he becomes president on January 20.
"When I learn the extent of the damage and, in fact, who is formally responsible, they can be assured that we will respond, and probably respond in kind," he said.
"There are many options which I will not discuss now."
- Devastating breach -
According to US officials, the most devastating breach of US computer security in years affected at least the departments of State, Commerce, Treasury, Energy and Homeland Security, as well as the National Institutes of Health.
Analysts expect that other departments, including possibly key intelligence agencies, were also victims in the hack, and that it could take months or longer to assess the damage.
Biden called the attack a "grave risk to our national security" and criticized Trump for de-emphasizing cybersecurity during his nearly four years in office.
The attack, he said, was "carefully planned and carefully orchestrated. It was carried out by using sophisticated cyber tools."
"The attackers succeeded in catching the federal government off-guard and unprepared."
He accused Trump of falling down on his job to protect the country and of an "irrational downplaying of the seriousness of this attack."
"It's still his responsibility as president to defend American interests for the next four weeks," he said.
"This assault happened on Donald Trump's watch when he wasn't watching," Biden said. "Rest assured that even if he does not take it seriously, I will."
The administration has yet to officially ascribe the attacks to any country or persons, even though top officials including Secretary of State Mike Pompeo and Attorney General Bill Barr, and senior members of Congress briefed on the issue, have all fingered Russia.
Trump, however, last week accused the media of always hyping the Russia threat.
"The Cyber Hack is far greater in the Fake News Media than in actuality," Trump tweeted.
"I have been fully briefed and everything is well under control," he wrote.
"Russia, Russia, Russia is the priority chant when anything happens," he said, then suggesting China could be the perpetrator.
DHS Details Risks of Using Chinese Data Services, Equipment
23.12.2020 BigBrothers Securityweek
In an advisory this week, the Department of Homeland Security (DHS) warned American organizations of the risks posed by using data services and equipment from firms that have ties to the People’s Republic of China (PRC).
Both businesses and customers in the United States are at risk due to the PRC’s data collection activities, the DHS warns. Some of these risks include the theft of confidential business data, trade secrets and intellectual property, violation of privacy and export laws, breach of contractual provisions, and risk of surveillance.
“The PRC presents a grave threat to the data security of the U.S. government and U.S. businesses. It has both the intent and ability to covertly access data directly through entities under the influence or jurisdiction of PRC laws,” the DHS says.
The agency also underlines that data is often accessed without requesting the consent of or informing the non-PRC businesses or institutions owning the data.
In its advisory, the DHS also points out that data theft operations performed under the command of the Chinese government represent a persistent, growing threat, especially since newly enacted laws require all PRC businesses and citizens to “take actions related to the collection, transmission, and storage of data.”
These laws compel Chinese businesses to provide the government with data, encryption keys, technical information, and logical access. Furthermore, firms are required to install backdoors in equipment to create security vulnerabilities that PRC entities can easily exploit, the advisory warns.
In addition to detailing the various data collection practices of the Chinese government, and providing an overview of the applicable laws recently passed in the country, the advisory offers extensive details on the risks faced by companies partnering with China.
Chinese firms operating data centers, either in the country or abroad, are required to share data with the government upon request, even if the sharing of data is illegal under the jurisdiction in which firms operate.
Even data centers built using Chinese equipment are at risk, due to the backdoors equipment manufacturers are required by law to install. By subsidizing the use of hardware, software, and telecoms infrastructure from domestic firms, the Chinese government helps corporations such as ZTE or Huawei undercut competitors, the DHS says.
“The spread of such equipment may even affect unwitting U.S. service providers. The CCP subsidies and the spread of PRC-developed equipment not only advantage PRC companies over U.S. providers economically, but also furthers the ongoing capabilities of the CCP where the equipment supplier maintains a service or maintenance contract that necessitates ongoing access,” the advisory continues.
DHS also warns that even data sharing agreements with Chinese firms are risky, and that the government may even purchase legally obtained data to augment the illegally acquired information. Software and mobile apps from Chinese firms pose data collection risks too, just as fitness trackers and other wearables do.
“Businesses and individuals that operate in the PRC or with PRC firms or entities should scrutinize any business relationship that provides access to data—whether business confidential, trade secrets, customer personally identifiable information (PII), or other sensitive information,” DHS says.
The advisory also provides a series of recommendations on how to minimize risks associated with using equipment and services from China, or partnering with firms linked to China.
“Today, the threats to our peace and prosperity emanate largely from China. […] Instead of competing fairly on a level playing field, China undermines the international system. Instead of fighting on the conventional battlefield, China wages secret disinformation and propaganda wars to cripple us from within. The results they have achieved thus far should concern every American,” Homeland Security Acting Secretary Chad F. Wolf commented.
U.S. Government Warns of Phishing, Fraud Schemes Using COVID-19 Vaccine Lures
23.12.2020 BigBrothers Securityweek
Several U.S. government organizations have issued warnings regarding various types of fraud and phishing schemes that use COVID-19 vaccine-related topics to lure potential victims.
While these types of operations typically impact non-enterprise users, some people could open the malicious websites or emails associated with these schemes from work devices, which could pose a risk to enterprises as well.
The Federal Bureau of Investigation (FBI), Department of Health and Human Services Office of Inspector General (HHS-OIG), and Centers for Medicare & Medicaid Services (CMS) have issued an alert on emerging COVID-19 vaccine-related fraud schemes.
Leveraging the increased public interest in COVID-19 vaccines, scammers are luring unsuspecting victims into sharing personally identifiable information (PII) or into sending money.
Such fraudulent activity, the alert from the FBI, HHS-OIG, and CMS reads, could take the form of ads that claim to offer early access to vaccines in exchange for a deposit or fee, requests to pay for the vaccine or enter personal information on a so-called waiting list, or offers to undergo medical testing to obtain the vaccine.
Some fraudsters might claim to be able to ship the vaccine domestically or internationally, or might advertise vaccines via social media, email, phone, or other channels, the alert reads.
Furthermore, individuals are advised to be wary of unsolicited emails or phone calls claiming to be from medical or insurance companies, or vaccine centers, which request personal and/or medical information, as well as of unverifiable claims that certain vaccines are FDA-approved.
Some scammers, the three agencies note, might contact unsuspecting victims via phone to tell them that government or government officials require the population to receive a COVID-19 vaccine.
On Friday, the U.S. Department of Justice announced the seizure of two websites claiming to belong to companies developing COVID-19 treatments, but which were instead meant to collect the personal information of their visitors.
The two websites, “mordernatx.com” and “regeneronmedicals.com,” were copies of the legitimate domains of two biotechnology companies headquartered in Cambridge, Massachusetts, and Westchester County, New York, respectively.
The domains were registered earlier this month. No personal information for the registrar was listed for mordernatx.com, while regeneronmedicals.com was registered to a resident of Onitsha Anambra, Nigeria.
Names and other personal information obtained through these websites could have been used to commit additional crimes.
“Malicious domain registrations are a growing problem and something that both companies and consumers must be wary of,” Skurio CEO Jeremy Hendy told SecurityWeek. “This story in particular highlights why the awareness of fake domains, which utilises user oversights to trick people into believing they are visiting a genuine site, is an increasingly important issue. These compromised domains can be used by bad actors for social engineering attacks that defraud individuals and steal personal data.”
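The two seized names show two common lookalike patterns: a one-character typo of the brand label (mordernatx) and the brand embedded in a longer label with extra words (regeneronmedicals). The check below is added here as an example and is not code from the DOJ, Skurio or SecurityWeek; the watched brand labels and the two-edit threshold are assumptions for the example.

```python
"""Flag registered domains that imitate a watched brand domain.

Added example (not DOJ, Skurio or SecurityWeek code). The two seized names
come from the article; the watch list of legitimate brand labels and the
edit-distance threshold are assumptions made for this example.
"""
from typing import List, Optional

# Assumed legitimate registrable labels for the two companies named in the
# article (constructed watch list; confirm against the real domains in use).
WATCHED_BRANDS = ["modernatx", "regeneron"]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Return the label left of the TLD for simple names such as foo.com.

    Assumes a single-label public suffix; a production check would consult
    the Public Suffix List so that names like example.co.uk work too.
    """
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_reason(domain: str, brands: List[str] = WATCHED_BRANDS,
                     max_edits: int = 2) -> Optional[str]:
    """Explain why a domain resembles a watched brand, or None if it does not.

    Rule 1 catches near-typos of the brand label (mordernatx vs modernatx);
    rule 2 catches the brand embedded in a longer label (regeneronmedicals).
    The brand's own label is never flagged.
    """
    label = registrable_label(domain)
    for brand in brands:
        if label == brand:
            return None
        d = levenshtein(label, brand)
        if d <= max_edits:
            return f"{domain}: {d} edit(s) from {brand}"
        if brand in label:
            return f"{domain}: embeds brand '{brand}' with extra text"
    return None


if __name__ == "__main__":
    # The two domains named in the article plus two constructed negatives.
    for name in ("mordernatx.com", "regeneronmedicals.com",
                 "modernatx.com", "example.com"):
        print(name, "->", lookalike_reason(name))
```

Newly registered domains (from certificate transparency logs or a registrar feed) can be run through lookalike_reason to produce review candidates; a low threshold on short brand labels will produce false positives, so tune max_edits per brand.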
UN Rights Expert Urges Trump to Pardon Assange
23.12.2020 BigBrothers Securityweek
A UN rights expert on Tuesday urged outgoing US President Donald Trump to pardon Julian Assange, saying the WikiLeaks founder is not "an enemy of the American people".
WikiLeaks "fights secrecy and corruption throughout the world and therefore acts in the public interest both of the American people and humanity as a whole," Niels Melzer wrote in an open letter.
"In pardoning Mr Assange, Mr President, you would send a clear message of justice, truth and humanity to the American people and to the world," said Melzer, the UN special rapporteur on torture.
"You would rehabilitate a courageous man who has suffered injustice, persecution and humiliation for more than a decade, simply for telling the truth," he added.
Assange, 49, is currently being held in the top-security Belmarsh jail in London awaiting a January 4 decision by a British judge on a US extradition request, in a case seen by his supporters as a cause celebre for media freedom.
The Australian publisher faces 18 charges in the United States relating to the 2010 release by WikiLeaks of 500,000 secret files detailing aspects of military campaigns in Afghanistan and Iraq.
Melzer has previously condemned the conditions at Belmarsh, saying the "progressively severe suffering inflicted" on Assange is tantamount to torture.
In his letter on Tuesday, Melzer wrote: "I visited Mr. Assange... with two independent medical doctors, and I can attest to the fact that his health has seriously deteriorated, to the point where his life is now in danger."
He noted that Assange suffers from a respiratory condition that makes him more vulnerable to Covid-19, which has infected several Belmarsh inmates.
Melzer said Assange "has not hacked or stolen any of the information he published (but) obtained it from authentic documents and sources in the same way as any other serious and independent investigative journalists conduct their work."
"Prosecuting Mr. Assange for publishing true information about serious official misconduct, whether in America or elsewhere, would amount to 'shooting the messenger'," Melzer wrote.
First arrested 10 years ago on December 7, 2010, Assange could be jailed for up to 175 years if convicted.
CISA Issues ICS Advisory for New Vulnerabilities in Treck TCP/IP Stack
23.12.2020 BigBrothers Securityweek
Security updates available for the Treck TCP/IP stack address two critical vulnerabilities leading to remote code execution or denial-of-service. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory to warn organizations using industrial control systems (ICS) about the risks posed by these flaws.
A low-level TCP/IP software library, the Treck TCP/IP stack is specifically designed for embedded systems, featuring small critical sections and a small code footprint. CISA says the product is used worldwide in the critical manufacturing, IT, healthcare and transportation sectors.
Last week, a series of four new vulnerabilities that Intel’s security researchers discovered in the Treck TCP/IP stack were made public. Two of these were rated critical severity.
The more severe of the two is CVE-2020-25066 (CVSS score of 9.8), a heap-based buffer overflow bug in the Treck HTTP Server component that could be abused by attackers to cause denial of service or execute code remotely.
Next in line is CVE-2020-27337 (CVSS score of 9.1), an out-of-bounds write in the IPv6 component that could be exploited by an unauthenticated user to cause a DoS condition via network access.
An out-of-bounds read in the DHCPv6 client component of Treck IPv6 could be abused by an unauthenticated user to cause denial-of-service via adjacent network access. The bug is tracked as CVE-2020-27338 (CVSS score of 5.9).
The fourth issue, CVE-2020-27336 (CVSS score 3.7), is an improper input validation in the IPv6 component that could lead to an out-of-bounds read of up to three bytes via network access, also without authentication.
Users are advised to install the latest version of the affected product (Treck TCP/IP 6.0.1.68 or later), which can be obtained via email from security(at)treck.com.
“Treck recommends users who cannot apply the latest patches to implement firewall rules to filter out packets that contain a negative content length in the HTTP header,” CISA’s advisory reads.
To minimize the risk of exploitation, users should ensure that control systems are not accessible from the Internet, they should isolate control system networks and remote devices from the business network and behind a firewall, and should use secure methods, such as VPNs, for remote access.
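The interim mitigation CISA quotes from Treck, filtering packets whose HTTP header carries a negative content length, expressed as a header check that could run in a proxy or over captured requests. This is an added example, not code from Treck, CISA or Forescout; the sample requests are constructed.

```python
"""Flag HTTP request heads that carry a negative Content-Length.

Added example, not code from Treck, CISA or Forescout. It turns the interim
mitigation quoted in the CISA advisory (filter packets whose HTTP header has
a negative content length) into a header check that could run in a proxy or
over captured requests. All sample requests below are constructed.
"""
import re
from typing import List, Tuple

# Per RFC 7230 a Content-Length value is 1*DIGIT, so a leading '-' is both a
# protocol violation and the specific condition the advisory asks to filter.
_HEADER_RE = re.compile(rb"^([^:\s]+):[ \t]*(.*?)[ \t]*$")
_DIGITS_RE = re.compile(rb"^[0-9]+$")
_NEGATIVE_RE = re.compile(rb"^-[0-9]+$")

# Constructed sample requests (device.local is a placeholder host).
GOOD_REQUEST = (b"POST /cgi HTTP/1.1\r\nHost: device.local\r\n"
                b"Content-Length: 5\r\n\r\nhello")
NEGATIVE_REQUEST = (b"POST /cgi HTTP/1.1\r\nHost: device.local\r\n"
                    b"Content-Length: -1\r\n\r\n")
NO_LENGTH_REQUEST = b"GET / HTTP/1.1\r\nHost: device.local\r\n\r\n"
CONFLICT_REQUEST = (b"POST /cgi HTTP/1.1\r\nHost: device.local\r\n"
                    b"Content-Length: 5\r\nContent-Length: 7\r\n\r\nhello")


def parse_headers(raw: bytes) -> List[Tuple[bytes, bytes]]:
    """Return lower-cased (name, value) pairs from a raw HTTP request head."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = []
    for line in head.split(b"\r\n")[1:]:   # skip the request line
        m = _HEADER_RE.match(line)
        if m:
            headers.append((m.group(1).lower(), m.group(2)))
    return headers


def classify_content_length(raw: bytes) -> str:
    """Classify the Content-Length of a request head.

    Returns 'absent', 'ok', 'negative' (the case the Treck/CISA interim
    mitigation blocks) or 'malformed' (non-digit or conflicting duplicate
    values, which a strict filter should also refuse to hand to an embedded
    stack rather than let it guess).
    """
    values = [v for n, v in parse_headers(raw) if n == b"content-length"]
    if not values:
        return "absent"
    if len(set(values)) > 1:
        return "malformed"
    value = values[0]
    if _DIGITS_RE.match(value):
        return "ok"
    if _NEGATIVE_RE.match(value):
        return "negative"
    return "malformed"


def should_drop(raw: bytes) -> bool:
    """Firewall-style verdict: pass only requests classified 'ok' or 'absent'."""
    return classify_content_length(raw) not in ("ok", "absent")


if __name__ == "__main__":
    samples = (("good", GOOD_REQUEST), ("negative", NEGATIVE_REQUEST),
               ("no-length", NO_LENGTH_REQUEST), ("conflict", CONFLICT_REQUEST))
    for name, req in samples:
        print(f"{name:10s} {classify_content_length(req):10s} "
              f"drop={should_drop(req)}")
```

Such a filter only covers the HTTP server flaw; the IPv6 and DHCPv6 issues in the same advisory need the network isolation steps above or the vendor update.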
Just as these new vulnerabilities were publicly disclosed, security firm Forescout announced the release of an open-source script that can help identify the use of TCP/IP stacks vulnerable to the recently disclosed AMNESIA:33 set of vulnerabilities.
“Although the script has been tested with the four stacks affected by AMNESIA:33 in a lab environment, we cannot guarantee its use to be safe against every possible device. […] Therefore, we do not recommend using it directly in live environments with mission-critical devices,” Forescout notes.
Cyberattack Hit Key US Treasury Systems: Senator
23.12.2020 BigBrothers Securityweek
Hackers broke into systems used by top US Treasury officials during a massive cyberattack on government agencies and may have stolen essential encryption keys, a senior lawmaker said Monday.
Senator Ron Wyden, who sits on both the Senate Intelligence and Finance Committees, said after a closed-door briefing that the hack at the US Treasury Department "appears to be significant."
Dozens of email accounts were compromised, he said in a statement.
"Additionally the hackers broke into systems in the Departmental Offices division of Treasury, home to the department's highest-ranking officials," said Wyden.
"Treasury still does not know all of the actions taken by hackers, or precisely what information was stolen."
The US government admitted last week that computer systems in multiple departments were penetrated by attackers who hacked in through widely used security software made by the US company SolarWinds.
Members of Congress briefed by US intelligence, as well as Secretary of State Mike Pompeo and Attorney General Bill Barr, have all said Russians were behind the hack.
So far officials have said the hackers broke into computers at the State Department, Commerce Department, Treasury, Homeland Security Department, and the National Institutes of Health.
But experts have said they fear far more of the government could be affected, including US intelligence bodies, given the ubiquity of the SolarWinds security software.
Wyden said that the Internal Revenue Service had reported no evidence that it had been compromised or that taxpayer data had been taken.
But he sharply criticized the government for not taking stronger measures to protect its systems.
The government "has now suffered a breach that seems to involve skilled hackers stealing encryption keys from (government) servers," he said.
That has happened despite "years of government officials advocating for encryption backdoors, and ignoring warnings from cybersecurity experts who said that encryption keys become irresistible targets for hackers."
ACLU Sues FBI to Learn How It Obtains Data From Encrypted Devices
23.12.2020 BigBrothers Securityweek
The American Civil Liberties Union (ACLU) announced on Tuesday that it has filed a lawsuit against the FBI in an effort to find out how the law enforcement agency can access information stored on encrypted devices.
The FBI has often turned to third parties for help in accessing information stored on encrypted devices, but it has come to light in recent court documents that the agency’s Electronic Device Analysis Unit (EDAU) has been acquiring solutions that can help it break into encrypted devices on its own.
The ACLU has filed a request under the Freedom of Information Act (FOIA) in hopes of obtaining more information on the EDAU’s capabilities and the technologies it has used. However, the FBI provided what is known as a Glomar response, which indicates that the agency does not even want to confirm or deny the existence of any records related to EDAU, let alone share details on its capabilities.
However, the ACLU says the FBI’s response is not valid and it has asked a federal court to order the Department of Justice and the FBI to hand over documents related to the EDAU.
“A valid Glomar response is rare, as there are only extremely limited instances where its invocation is appropriate — that is, only where the existence or nonexistence of records is itself exempt under FOIA,” ACLU representatives wrote in a blog post on Tuesday. “The problem with the FBI’s Glomar response is that, as detailed above, we already know records pertaining to the EDAU exist because information about the unit is already public. The fact that all of this information is already publicly known deeply undercuts the FBI’s Glomar theory.”
They added, “By invoking the Glomar response, the federal government is sending a clear message: It aims to keep the American public in the dark about its ability to gain access to information stored on our personal mobile devices. But it’s not that the FBI has just shut the door on this information — they’ve shut the door, closed the windows, drawn the shades, and refused to acknowledge whether the house that we’re looking at even exists. It’s imperative that the public gets meaningful access to these records regarding the federal government’s capabilities to access our phones and computers. Our privacy and security are at stake.”
Officials — not just in the U.S. but all Five Eyes countries — have been trying to find ways to force technology companies that develop encrypted communication applications to implement encryption backdoors that would make it easier for law enforcement to conduct investigations.
In the United States, the FBI is often provided as an example, with officials claiming that the agency’s investigations have been impeded by strong encryption — even though in many cases the FBI did manage to gain access to data on encrypted devices and their claims were sometimes found to be exaggerated.
Privacy and security experts have long argued that implementing encryption backdoors would allow not only law enforcement, but also malicious actors to access protected data. Nevertheless, lawmakers continue to try to find ways to pass laws aimed at ending what they call “warrant-proof encryption.”
SolarWinds hackers also breached the US NNSA nuclear agency
21.12.2020 BigBrothers Securityaffairs
US DOE confirmed that threat actors behind the recent SolarWinds supply chain attack also hacked the networks of the US NNSA nuclear agency.
US DOE confirmed this week that threat actors behind the recent SolarWinds supply chain attack also compromised the networks of the US National Nuclear Security Administration (NNSA) agency.
“The Department of Energy is responding to a cyber incident related to the Solar Winds compromise in coordination with our federal and industry partners. The investigation is ongoing and the response to this incident is happening in real time. At this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission essential national security functions of the Department, including the National Nuclear Security Administration (NNSA). When DOE identified vulnerable software, immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network.” said Shaylyn Hynes, DOE Spokeswoman.
“Additional background: As part of its ongoing response, DOE has been in constant communication with our industry partners, including the leadership of the energy sector Subsector Coordinating Councils, and is also in regular contact with Electricity, Oil & Natural Gas (ONG), and Downstream Natural Gas (DNG) Information Sharing and Analysis Centers (ISAC).”
NNSA is a semi-autonomous agency within the U.S. Department of Energy that was established by Congress in 2000. The agency is responsible for enhancing national security through the military application of nuclear science. NNSA maintains and enhances the safety, security, and effectiveness of the U.S. nuclear weapons stockpile; works to reduce the global danger from weapons of mass destruction; provides the U.S. Navy with safe and militarily effective nuclear propulsion; and responds to nuclear and radiological emergencies in the United States and abroad.
DOE and NNSA have notified their congressional oversight bodies about the breach; government experts have found evidence of compromise in the US DOE and NNSA networks.
“They found suspicious activity in networks belonging to the Federal Energy Regulatory Commission (FERC), Sandia and Los Alamos national laboratories in New Mexico and Washington, the Office of Secure Transportation at NNSA, and the Richland Field Office of the DOE.” reads the post published by Politico.
“The hackers have been able to do more damage at FERC than the other agencies, and officials there have evidence of highly malicious activity, the officials said, but did not elaborate.”
According to the DOE officials, the agency that suffered the major damage was the FERC.
The hackers likely targeted the Federal Energy Regulatory Commission to disrupt the US electric grid. FERC has access to sensitive data on the electric grid that could be used by an advanced attacker to plan a disruptive attack on these infrastructures.
The Cybersecurity and Infrastructure Security Agency was helping the federal agencies to respond to the hacking campaign.
According to the DoE, the threat actors did not get into critical defense systems.
“At this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission essential national security functions of the department, including the National Nuclear Security Administration,” Shaylyn Hynes, a DOE spokesperson, said in a statement. “When DOE identified vulnerable software, immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network.”
Since the supply chain attack was disclosed, Microsoft, FireEye, and GoDaddy partnered to create a kill switch for the SolarWinds Sunburst backdoor.
Iranian Hackers Target Israeli Companies With Pay2Key Ransomware
21.12.2020 BigBrothers Securityweek
Attacks conducted by Iranian hackers against Israeli companies involved the deployment of ransomware and theft of information, threat intelligence company ClearSky reported last week.
Observed in November and December 2020 and collectively referred to as operation Pay2Key, the attacks appear to be the work of Iranian state-sponsored threat actor Fox Kitten.
Also referred to as Parisite and PIONEER KITTEN, the activity associated with Fox Kitten is said to represent a collaboration between two known state-sponsored Iranian groups, namely APT33 (Elfin, Magnallium, Holmium, and Refined Kitten) and APT34 (OilRig, Greenbug).
Known for the use of various open-source and self-developed offensive tools, the adversary was observed targeting enterprise VPNs for intrusion, as well as F5 Networks’ BIG-IP application delivery controller (ADC).
A new series of attacks targeting industrial, insurance and logistics companies in Israel appears to be the work of Fox Kitten, ClearSky noted in a new report. In November and December 2020, the threat actor targeted dozens of Israeli companies in attacks that involved the deployment of ransomware to encrypt servers and workstations.
In addition to the potentially misleading ransomware attacks, the adversary was observed performing “supply chain attacks,” where they leverage accessibility or information obtained from previously breached organizations.
“We believe that this campaign is part of the ongoing cyber confrontation between Israel and Iran, with the most recent wave of attacks causing significant damage to some of the affected companies,” ClearSky noted in a detailed technical report.
As in previous campaigns, the attackers target known vulnerabilities for initial compromise. According to ClearSky, the Pay2Key campaign appears to be aimed at creating panic in Israel, given that the attackers leak exfiltrated data instead of just demanding a ransom.
The oldest Pay2Key ransomware executable used in these attacks has a compilation date of October 26, 2020. Publicly available tools were used to enable a reverse proxy on the infected machines, and lateral movement was performed to take over additional servers before deploying ransomware.
Typically, the attackers demanded between seven and nine Bitcoin as ransom and displayed sensitive information stolen from the victims on a website, to pressure organizations into paying. The Pay2Key ransomware does not require connectivity with the command and control (C&C) server to operate, the security researchers discovered.
Vulnerabilities targeted in these attacks include CVE-2019-11510 (Pulse Secure), CVE-2018-13379 (Fortinet FortiOS), CVE-2018-1579 (Palo Alto Networks VPN), CVE-2019-19781 (Citrix NetScaler) and CVE-2020-5902 (F5 BIG-IP). Microsoft Exchange Server and RDP accounts were also targeted.
Pentagon Plan on Cyber Split Draws Strong Hill Criticism
21.12.2020 BigBrothers Securityweek
The Pentagon is proposing to end an arrangement in which a single military officer leads two of the nation’s main cybersecurity organizations, a move that a leading Democrat said Saturday makes him “profoundly concerned” amid a large-scale hacking campaign on U.S. government computer systems.
Rep. Adam Smith, chairman of the House Armed Services Committee, said in a letter to acting Defense Secretary Christopher Miller that he objects to the way the Pentagon is going about splitting off U.S. Cyber Command from the National Security Agency.
Both organizations currently are headed by Army Gen. Paul Nakasone, an arrangement known as “dual-hatting.”
“Any action to sever the dual-hat relationship could have grave impacts on our national security, especially during a time that the country is wrestling with what may be the most damaging cyberattack in our country’s history,” Smith wrote.
Smith was referring to revelations that elite hackers gained access to U.S. government computer systems and likely purloined a trove of delicate secrets over a monthslong period before being detected. Secretary of State Mike Pompeo said on Friday that Russia was “pretty clearly” behind the hack, which is ongoing. On Saturday, President Donald Trump suggested without evidence that China — not Russia — may be behind the hack and tried to minimize its impact.
A U.S. official confirmed Saturday that the Pentagon has a plan for separating the National Security Agency and Cyber Command. The official spoke on condition of anonymity to discuss an internal matter not publicly announced.
In his letter to Miller, Smith said the Pentagon has not met conditions set by the 2017 defense bill for severing the NSA from Cyber Command. Those conditions include certification by the secretary of defense and the chairman of the Joint Chiefs of Staff that ending the “dual-hat” arrangement will not hurt national security.
Smith sent a similar letter to Gen. Mark A. Milley, the Joint Chiefs chairman.
A spokesman for Milley, Col. Dave Butler, said Milley has “not officially reviewed or endorsed the proposal” for splitting the two organizations.
The notion of splitting NSA from Cyber Command goes back to the Obama administration, which proposed to elevate the status of Cyber Command by making it a unified military command, taking it from under the purview of U.S. Strategic Command. The move reflected growing concern about cyber security.
That move was approved by President Donald Trump in 2017, and it was foreseen that at some point Cyber Command would split away from the NSA, although such a move had strong opponents in Congress.
It’s not clear who the Trump administration might install as head of the NSA if it were split from Cyber Command before President-elect Joe Biden takes office Jan. 20.
Smith questioned the legality and timing of the Pentagon’s proposal to split the organizations.
“I am deeply concerned about measures to terminate the dual-hat structure and request that you immediately consult with the House Armed Services Committee regarding any potential efforts to take such action,” Smith wrote in his letter to Milley, which Smith made public on Saturday.
“Further, given that no assessment has been completed and no certification has been issued, I remind you that any action to terminate the dual-hat relationship with NSA and Cyber Command is not only inadvisable, but is contrary to law.”
Microsoft Caught Up in SolarWinds Spy Effort, Joining Federal Agencies
19.12.2020 BigBrothers Threatpost
The ongoing, growing campaign is “effectively an attack on the United States and its government and other critical institutions,” Microsoft warned.
Microsoft has become the latest victim of the ever-widening SolarWinds-driven cyberattack that has impacted rafts of federal agencies and tech targets. Its president, Brad Smith, warned late Thursday to expect many more victims to come to light as investigations continue.
Adversaries were able to use SolarWinds’ Orion network management platform to infect users with a stealth backdoor called “Sunburst” or “Solorigate,” that opened the way for lateral movement to other parts of a network. It was pushed out via trojanized product updates to almost 18,000 organizations around the globe, starting nine months ago. Once embedded, the attackers have been able to pick and choose which organizations to further penetrate.
“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed,” a Microsoft spokesperson said in a media statement. Microsoft and FireEye have created a “kill switch” for the backdoor that can defang it — though that doesn’t help remediate infections that have spread to other areas of networks.
In a Thursday evening blog post, Smith described the “broad and successful espionage-based assault” as “ongoing” and “remarkable for its scope, sophistication and impact.”
Smith noted, “we should all be prepared for stories about additional victims in the public sector and other enterprises and organizations.”
To that point, he said that Microsoft has so far notified 40 of its security customers that its products have found indicators of compromise on their networks, and that the attackers targeted them “more precisely and compromised through additional and sophisticated measures,” with more victims to come.
Around 80 percent of those customers have been located in the United States, Smith said, with the remaining located in Canada and Mexico in North America; Belgium, Spain and the United Kingdom in Europe; and Israel and the UAE in the Middle East. They are government agencies, security and other technology firms, and non-governmental organizations.
The supply-chain attack vector used for initial access (the SolarWinds’ Orion software) also allowed the attackers to reach “many major national capitals outside Russia,” Smith said. “This also illustrates the heightened level of vulnerability in the United States.”
Figure: Victims who are Microsoft security customers, by industry sector.
However, above all, the campaign is “effectively an attack on the United States and its government and other critical institutions,” he warned.
So far, there are six known federal entities that have been impacted by the attack: The Pentagon, the Department of Energy, the Department of Homeland Security, the National Institute of Health, the Department of Treasury and the Department of Commerce.
Microsoft’s update comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that there could be additional initial-access vectors used by the attackers, beyond the SolarWinds Orion platform.
“CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated,” it said in an updated bulletin on Thursday.
Sources told Reuters that the hackers used Microsoft’s Azure cloud offerings as part of their attacks, but the Microsoft spokesperson said that there are “no indications that our systems were used to attack others.”
Unprepared for Response?
In a report breaking the news that the DoE, keeper of the nuclear arsenal, has been impacted by the attack, sources said that CISA admitted that it was overwhelmed and lacked the resources to properly respond. It’s also suffering from a lack of leadership: Its top official, Christopher Krebs, was fired for calling the 2020 U.S. Presidential election secure, and he has not been replaced.
This adds to an already chaotic cybersecurity posture in the federal government, Smith noted.
“It too often seems that federal agencies currently fail to act in a coordinated way or in accordance with a clearly defined national cybersecurity strategy,” Smith wrote. “While parts of the federal government have been quick to seek input, information sharing with first responders in a position to act has been limited. During a cyber-incident of national significance, we need to do more to prioritize the information-sharing and collaboration needed for swift and effective action. In many respects, we risk as a nation losing sight of some of the most important lessons identified by the 9/11 Commission.”
Attribution remains unspoken by U.S. government officials, but FireEye CEO Kevin Mandia said earlier this week that “We are witnessing an attack by a nation with top-tier offensive capabilities.” Smith noted that Microsoft has reached the same conclusion.
As for which government is behind the attacks, researchers and lawmakers alike, citing the highly sophisticated nature of the attack, have said the intrusions were likely carried out by Russian intelligence, though the U.S. has not officially made any attribution.
A classified briefing from the FBI and other agencies for members of Congress on the attacks is scheduled for Friday.
US Blacklists Chinese Companies Including Chip Giant SMIC
19.12.2020 BigBrothers Securityweek
The United States on Friday announced it has imposed export controls on 77 Chinese companies including the country's biggest chipmaker, SMIC, restricting its access to US technology over its alleged ties to China's military.
The announcement in the final weeks of President Donald Trump's term comes after relations between Washington and Beijing soured under his administration, which saw the US start a trade war with China and expand its list of sanctioned entities to a few hundred Chinese companies and subsidiaries.
In a statement, Commerce Secretary Wilbur Ross said the designations, which restrict US companies' abilities to do business with the firms, are over an array of charges including human rights abuses, the activities of the Chinese military, particularly in the South China Sea, as well as theft of US technology.
"China's corrupt and bullying behavior both inside and outside its borders harms US national security interests, undermines the sovereignty of our allies and partners, and violates the human rights and dignity of ethnic and religious minority groups," Ross said.
"Commerce will act to ensure that America's technology -- developed and produced according to open and free-market principles -- is not used for malign or abusive purposes."
SMIC has received billions of dollars in support from Beijing and is at the heart of its efforts to improve the country's technological self-sufficiency.
In a call with reporters, a senior Commerce Department official said Washington has evidence that SMIC has worked with the Chinese military on developing short- and medium-range ballistic missiles and exoskeletons for soldiers, but had been in talks with SMIC for months on a way to avoid the designation.
"We're adding SMIC to the entity list mostly because we need to make sure US intellectual property and manufacturing capabilities are not being used by SMIC's clients to continue to support the military-civil fusions efforts within China," the official said.
"We simply no longer could stand by and watch our adversary using our technologies to support its military capabilities."
The designation means US companies must apply for a license before exporting to SMIC, and specifically targets the Chinese firm's ability to acquire materials for producing chips of 10 nanometers or smaller, the best class in the industry.
Also targeted was drone manufacturer DJI "because of its complicity in human rights violations within China," the official said.
That company holds some 70 percent of the global drone market, and the US Department of the Interior last year grounded its fleet of the company's drones amid rising security concerns over Chinese electronics.
On January 20 Trump is set to hand power to President-elect Joe Biden, who has said he would maintain his predecessor's trade policies, at least at first.
Nuclear Weapons Agency Hacked in Widening Cyberattack – Report
18.12.2020 BigBrothers Threatpost
Sources said the DoE suffered “damage” in the attack, which also likely extends beyond the initially known SolarWinds Orion attack vector.
The Energy Department and its National Nuclear Security Administration (NNSA), which is the agency that maintains the U.S. nuclear stockpile, have been compromised as part of the widespread cyberattack uncovered this week stemming from the massive SolarWinds hack.
An exclusive report by Politico cited DoE official sources who said that their department was infiltrated by the cyberattackers, including hits on the NNSA; the Federal Energy Regulatory Commission (FERC) which has oversight for the entire department; the Sandia and Los Alamos national laboratories in Washington and New Mexico; and the Richland Field Office of the DOE.
NBC News on Thursday evening said that it had confirmed the report.
The sources also said that not only was the DoE caught up in the espionage portion of the campaign, but that the attackers have been able to do “more damage at FERC than the other agencies,” and that they have evidence of “highly malicious activity” aimed there, the officials said. They offered no other details.
DOE and NNSA officials have begun the notification process for their congressional oversight bodies, sources added.
With the DoE, the number of government divisions known to be impacted comes to six; that includes the Pentagon, the Department of Homeland Security, the National Institute of Health, the Department of Treasury and the Department of Commerce.
The Cybersecurity and Infrastructure Security Agency (CISA) warned earlier on Thursday that the already sprawling cyberattack could be much larger than originally thought. The known attack vector for the incident is SolarWinds’ Orion network management platform, whose users were infected by a stealth backdoor that opened the way for lateral movement to other parts of the network. It was pushed out via trojanized product updates to almost 18,000 organizations around the globe.
Now, it appears that SolarWinds may not be alone in its attack-vector role in the campaign. “CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated,” it said in an updated bulletin on Thursday.
CISA meanwhile, whose top official, Christopher Krebs, was fired for calling the 2020 U.S. Presidential election secure, told FERC that it was overwhelmed and lacked the resources to properly respond, sources said.
The full extent of the attack is unknown, as are the perpetrators. Researchers and lawmakers alike, citing the highly sophisticated nature of the attack, have said the intrusions were likely carried out by Russian intelligence, though the U.S. has not officially made any attribution.
This is a developing story and Threatpost will update this post as more details become available.
Police Vouch for Hacker Who Guessed Trump’s Twitter Password
18.12.2020 BigBrothers Threatpost
No charges for Dutch ethical hacker Victor Gevers who prosecutors say did actually access Trump’s Twitter account by guessing his password, “MAGA2020!” last October.
When Dutch ethical hacker Victor Gevers tried to alert Secret Service that he was able to guess the password to President Donald Trump’s Twitter handle last October, there were plenty of skeptics, most notably at the White House. Now, Dutch prosecutors have determined Gevers did, in fact, guess the password to the world’s most powerful Twitter account, but said that he will not be charged with a crime because he was acting honorably to track down vulnerabilities associated with high-profile accounts.
Ethical Hacker Vindicated
“This is not just about my work but all volunteers who look for vulnerabilities in the internet,” Gevers told the BBC. Gevers is a respected cyber-researcher who works for the Dutch government by day and in his spare time runs the ethical hacking non-profit GDI Foundation.
Gevers said last fall he was performing a random check of high-profile Twitter accounts. It only took him five guesses to come up with the right one for @realdonaldtrump, “MAGA2020!” He said beyond the incredibly weak password, two-factor authentication (2FA) had not been enabled on the account.
2FA generates a unique code, sent by email or text to a known device, which must be entered to log in. After Gevers reported the issue to Secret Service and a number of other agencies, including to the White House directly, he received no response but noticed the account was secured with 2FA two days later.
Once logged in, Gevers was able to access Trump’s private messages, photos, bookmarks and list of accounts he had blocked.
At the time, Gevers speculated Trump didn’t have basic protections in place because they’re a hassle, adding, “…elderly people often switch off two-step verification because they find it too complicated.”
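The article describes the second factor as a unique code that must be entered alongside the password. The most common implementation of that idea is the time-based one-time password (TOTP, RFC 6238) generated by an authenticator app, which generalizes the “code sent by email or text” case the article mentions. The following is an added example, not code from Threatpost or from Gevers; it implements the TOTP algorithm from the standard library only, adds the clock-skew window and replay check a verifier needs, and uses the RFC 6238 reference secret “12345678901234567890” so the output can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) over an 8-byte counter.

    SHA-1 is the algorithm virtually every authenticator app implements;
    the dynamic truncation step picks 4 bytes of the MAC and reduces them
    to `digits` decimal digits.
    """
    msg = struct.pack(">Q", counter)                      # big-endian 64-bit counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP where the counter is the 30-second step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter: int = -1, step: int = 30, window: int = 1):
    """Verify a submitted code on the server side.

    - Accepts codes from the current step and +/- `window` neighbouring steps,
      so a client clock a few seconds off still logs in.
    - Refuses any counter at or below `last_counter`, so a code that was
      already used (or intercepted) cannot be replayed within its window.
    - Uses a constant-time comparison so response timing does not leak how
      many leading digits of a guess were right.

    Returns (accepted, counter_to_store); the caller persists the counter
    per user and passes it back as `last_counter` on the next attempt.
    """
    current = unix_time // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_counter:
            continue                                      # replay or stale step
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    # RFC 6238 Appendix B reference secret (ASCII digits), not a real key.
    rfc_secret = b"12345678901234567890"
    print("T=59 ->", totp(rfc_secret, 59))                # RFC vector: 94287082 -> 287082
    print("now  ->", totp(rfc_secret, int(time.time())))
    ok, used = verify_totp(rfc_secret, "287082", 59)
    print("first use accepted:", ok, "counter", used)
    ok, _ = verify_totp(rfc_secret, "287082", 59, last_counter=used, window=0)
    print("replay accepted:", ok)
```

The replay check is what distinguishes a verifier from a generator: without it a code observed over the shoulder, or from a text message, remains valid for the whole window. Note that the password itself is still the first factor; the second factor limits the damage of a weak or guessed one, it does not excuse it.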
Dutch Prosecutors Defend Hack
Following an investigation, Dutch authorities were convinced that Gevers was acting in good faith to protect Trump’s security.
“The hacker released the login himself,” Dutch police said, according to BBC. “He later stated to police that he had investigated the strength of the password because there were major interests involved if this Twitter account could be taken over so shortly before the presidential election.”
The White House denied that the breach occurred, and when Gevers informed Twitter that he was able to guess Trump’s password and access the account, the company said it was skeptical.
“We’ve seen no evidence to corroborate this claim, including from the article published in the Netherlands today,” a Twitter spokesperson said in a statement responding to Threatpost’s inquiries.
Dutch police disagree.
This wasn’t the first time Trump’s Twitter was left vulnerable. In 2016, Gevers was also able to guess Trump’s password, “yourefired.”
“Leaving politics and personality aspects aside, this is still the perfect example of senior management being unsavvy about cybersecurity issues,” Dirk Schrader, global vice president of New Net Technologies, told Threatpost. “Countless security professionals have had this experience, that implementing stricter password rules in the security policy is approved by management for the company with an exception granted for management itself. The need to have senior management supporting security initiatives to become cyber-resilient is far too often impeded by that lack of participation in the efforts. If 2FA is seen as an obstacle, there is no ‘leading by good example’.”
Besides vindicating Gevers’ claims, this confirmation of an embarrassing lapse in security out of the White House looks more ominous during the same week the U.S. government is trying to grapple with the full extent of the Solar Winds breach.
Over the course of his presidency, Trump has used his Twitter account to announce firings at the top levels of government, conduct sensitive diplomatic negotiations with the likes of North Korean dictator Kim Jong-Un and set domestic policy. A breach could let a malicious actor tank markets, start wars and cause chaos throughout the globe.
U.S. Cybersecurity Emergency
The revelation that the Twitter compromise was real, despite the White House denial, hints at a troubling lack of concern and transparency about cybersecurity at the very top of the government, researchers said.
“This serves as vindication for the researcher; however, it also presents a troubling view of how security may have been handled by the administration,” Jack Mannino, CEO at nVisium, told Threatpost. “While you can’t jump to conclusions about practices elsewhere, these types of incidents are generally associated with teams who have a relatively low level of security maturity. This is certainly not what you would expect or hope for from the White House, if it proved to be true.”
While the Trump administration grapples with an ongoing, unprecedented number of breaches both large and small without senior staff in place (CISA chief Christopher Krebs was unceremoniously fired by Tweet by Trump last month after defending the integrity of the presidential election), officials from previous administrations say they see this as a moment of dire emergency for the country.
Former White House Chief Information Officer Theresa Payton told CNN that the state of U.S. cybersecurity in the wake of the Solar Winds attack is keeping her up at night.
“I woke up in the middle of the night last night just sick to my stomach,” said Theresa Payton, who served as White House CIO under President George W. Bush. “On a scale of one to 10, I’m at a nine — and it’s not because of what I know; it’s because of what we still don’t know.”
Launched OSSISNa, the Observatory for the Protection of the National Strategic Industrial System
18.12.2020 BigBrothers Securityaffairs
On 11th December 2020, the Observatory for the Protection of the National Strategic Industrial System (OSSISNa) was officially announced.
On 11th December 2020, during the international scientific conference on CBRNe events “SICC 2020”, the Observatory for the Protection of the National Strategic Industrial System (OSSISNa) was officially presented.
OSSISNa is a project created within the Italian Center for Strategy and Intelligence (CISINT) and it is aimed at studying issues concerning the protection of strategic industrial assets (companies and supply chains), which are fundamental for the State and for social well-being, constantly exposed to global threats.
The observatory is a team of national experts from the institutional, industrial and academic world.
The main activities concern the elaboration of studies and in-depth analyses with particular attention to crisis scenarios (health emergencies, sabotage and terrorism actions, recessive socio-economic situations, natural disasters, environmental accidents, warfare events, etc.) that may affect the integrity and operational capacity of the Italian strategic industrial system.
In a period severely marked by the Covid-19 emergency, OSSISNa aims to provide methodological support for improving the protection and operational continuity capabilities of the so-called “strategic supply chains”.
These are mainly SMEs (small and medium-sized enterprises), often grouped into districts of excellence, which operate in the subcontracting chains of products, technologies and value-added activities for big corporates, that produce goods and services of primary general interest.
The observatory also provides the definition and implementation of academic courses for training and professional updating related to the protection of strategic industrial assets, jointly with universities and industrial districts.
By promoting SME best practices in terms of protection and business continuity, OSSISNa wants to provide a contribution to the national policies for the implementation of the “2030 Agenda for Sustainable Development” promoted by the United Nations, in which its “goal 9” aims at developing reliable, sustainable and resilient infrastructures.
University bodies and major corporations have already joined the project, as they are interested in actively promoting the protection of strategic assets; they form a permanent forum within OSSISNa in which to debate and propose effective solutions for strengthening the national industrial system.
Supply Chain Attack: CISA Warns of New Initial Attack Vectors Posing 'Grave Risk'
18.12.2020 BigBrothers Securityweek
U.S. Agency Says SolarWinds Orion Supply Chain Compromise is Not the Only Initial Infection Vector Leveraged by APT Actor
The U.S. government on Thursday added a new wrinkle to the global emergency response to the SolarWinds software supply chain attack, warning there are “additional initial access vectors” that have not yet been documented.
As the incident response and threat hunting world focuses on the SolarWinds Orion products as the initial entry point for the attacks, the Cybersecurity and Infrastructure Security Agency (CISA) added a note to its advisory to warn of the new information.
“CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated,” according to the updated advisory (PDF).
The agency did not provide additional details, but promised to update its communications as new information becomes available.
The agency also strengthened the language in its communications, describing the threat as posing “grave risk” to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.
The newly discovered attack, believed to be an espionage operation by a foreign state-backed actor, has hit multiple U.S. government agencies, critical infrastructure entities, and private sector organizations.
“This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations,” CISA noted.
The U.S. government has issued an emergency directive ordering federal civilian executive branch departments and agencies to disconnect affected devices.
Some additional highlights from the latest CISA warning include:
• The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged.
• Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.
• Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.
Earlier today it was reported that a killswitch has been identified and activated for one of the pieces of malware delivered by threat actors as part of the attack targeting SolarWinds and its customers.
The victims of the supply chain attack include several U.S. government organizations and, according to FireEye, many organizations in the government, technology, consulting, extractive and telecom sectors in North America, Europe, the Middle East and Asia.
Symantec, which also analyzed the attack, said it had identified the trojanized software updates on over 2,000 computers at more than 100 customers.
FBI, CISA, ODNI Describe Response to SolarWinds Attack
18.12.2020 BigBrothers Securityweek
The FBI, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) have issued a joint statement outlining each of their roles in investigating and responding to the recently disclosed SolarWinds breach, which they described as a “significant and ongoing cybersecurity campaign.”
The organizations have formed a Cyber Unified Coordination Group (UCG) whose goal is to unify their efforts.
“This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government,” the statement reads.
The FBI has been tasked with collecting intelligence that can help attribute the attack to a threat actor and disrupt their activities. The agency is also working with victims to obtain information that can be useful to the government and network defenders.
Shortly after the incident came to light, CISA issued an emergency directive, instructing federal agencies to immediately take action to detect attacks, collect forensic evidence, and eject the attackers from a compromised network. CISA is also providing technical assistance to impacted organizations that reach out to the agency.
As for ODNI, it’s “helping to marshal all of the Intelligence Community’s relevant resources to support this effort and share information across the United States Government.”
SolarWinds provides IT management and monitoring solutions to 300,000 organizations worldwide, including governments, educational institutions and businesses. The company says the incident could impact up to 18,000 customers of its Orion monitoring platform.
While the U.S. government has not shared a list of impacted agencies, media reports say victims include the DHS, the Commerce Department, the Treasury, the Defense Department, the State Department, and the National Institutes of Health.
Russia appears to be the main suspect, but the Kremlin has denied the accusations. If the U.S. government reaches the conclusion that a Russian threat actor launched the attack, it will likely say so publicly. The U.S. has officially accused Russia of several high-profile cyberattacks, it has indicted suspected Russian hackers, and it has sanctioned hacking-related entities.
EU Unveils Revamp of Cybersecurity Rules Days After Hack
18.12.2020 BigBrothers Securityweek
The European Union unveiled Wednesday plans to revamp the 27-nation bloc’s dated cybersecurity rules, just days after data on a new coronavirus vaccine was unlawfully accessed in a hack attack on the European Medicines Agency.
The EU last year recorded around 450 cyber incidents involving European infrastructure, notably in the financial and energy sectors, and the pandemic has highlighted Europe’s deep dependence on the internet and exposed security weaknesses.
The EU’s current Network Information System regulations date from 2008, and the European Commission’s new proposals aim to bring them up to date and allow the EU to impose hefty fines on operators who break the rules.
“The time of innocence is over. We know that we are a target,” Commission Vice-President Margaritis Schinas told reporters. “We need to modernize, reinforce, and adapt.”
The plans include an “EU-wide Cyber Shield” linking national security authorities that would use artificial intelligence and machine learning to detect early signs of attacks, a cyber unit to respond to incidents and threats, and beefing up cooperation between countries and with organizations like NATO.
The new cyber-strategy would focus on protecting essential infrastructure like electricity grids, heating systems, gas and hydrogen plants as well as air, rail, water and road links. Financial market and health infrastructure would also be among the priorities.
The EU also wants to bolster its sanctions system related to cyber incidents, with a proposal for countries to agree on sanctions by qualified majority voting rather than unanimity. The Europeans imposed sanctions on people and organizations linked to Russia, China and North Korea this year.
The new plans must now be debated by EU countries and the European Parliament and are likely to change substantially. Once agreed upon, the 27 nations would have 18 months to adopt and start applying the rules nationally.
Microsoft Says Its Systems Were Also Breached in Massive SolarWinds Hack
18.12.2020 BigBrothers Thehackernews
The massive state-sponsored espionage campaign that compromised software maker SolarWinds also targeted Microsoft, as the unfolding investigation into the hacking spree reveals the incident may have been far wider in scope, sophistication, and impact than previously thought.
News of Microsoft's compromise was first reported by Reuters, which also said the company's own products were then used to strike other victims by leveraging its cloud offerings, citing people familiar with the matter.
The Windows maker, however, denied the threat actor had infiltrated its production systems to stage further attacks against its customers.
In a statement to The Hacker News via email, the company said —
"Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others."
Characterizing the hack as "a moment of reckoning," Microsoft president Brad Smith said it has notified over 40 customers located in Belgium, Canada, Israel, Mexico, Spain, the UAE, the UK, and the US that were singled out by the attackers. 44% of the victims are in the information technology sector, including software firms, IT services, and equipment providers.
CISA Issues New Advisory
The development comes as the US Cybersecurity and Infrastructure Security Agency (CISA) published a fresh advisory, stating the "APT actor [behind the compromises] has demonstrated patience, operational security, and complex tradecraft in these intrusions."
"This threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations," it added.
But in a twist, the agency also said it identified additional initial infection vectors, other than the SolarWinds Orion platform, that have been leveraged by the adversary to mount the attacks, including a previously stolen key to circumvent Duo's multi-factor authentication (MFA) to access the mailbox of a user via Outlook Web App (OWA) service.
Digital forensics firm Volexity, which tracks the actor under the moniker Dark Halo, said the MFA bypass was one of the three incidents between late 2019 and 2020 aimed at a US-based think tank.
The entire intrusion campaign came to light earlier this week when FireEye disclosed it had detected a breach that also pilfered its Red Team penetration testing tools.
Since then, a number of agencies have been found to be attacked, including the US departments of Treasury, Commerce, Homeland Security, and Energy, the National Nuclear Security Administration (NNSA), and several state department networks.
While many details continue to remain unclear, the revelation about new modes of attack raises more questions about the level of access the attackers were able to gain across government and corporate systems worldwide.
Microsoft, FireEye, and GoDaddy Create a Killswitch
Over the last few days, Microsoft, FireEye, and GoDaddy seized control over one of the main GoDaddy domains — avsvmcloud[.]com — that was used by the hackers to communicate with the compromised systems, reconfiguring it to create a killswitch that would prevent the SUNBURST malware from continuing to operate on victims' networks.
For its part, SolarWinds has not yet disclosed how exactly the attacker managed to gain extensive access to its systems to be able to insert malware into the company's legitimate software updates.
Recent evidence, however, points to a compromise of its build and software release system. An estimated 18,000 Orion customers are said to have downloaded the updates containing the back door.
Symantec, which earlier uncovered more than 2,000 systems belonging to 100 customers that received the trojanized SolarWinds Orion updates, has now confirmed the deployment of a separate second-stage payload called Teardrop that's used to install the Cobalt Strike Beacon against select targets of interest.
The hacks are believed to be the work of APT29, a Russian threat group also known as Cozy Bear, which has been linked to a series of breaches of critical US infrastructure over the past year.
The latest slew of intrusions has also led CISA, the US Federal Bureau of Investigation (FBI), and the Office of the Director of National Intelligence (ODNI) to issue a joint statement, stating the agencies are gathering intelligence in order to attribute, pursue, and disrupt the responsible threat actors.
Calling for stronger steps to hold nation-states accountable for cyberattacks, Smith said the attacks represent "an act of recklessness that created a serious technological vulnerability for the United States and the world."
"In effect, this is not just an attack on specific targets, but on the trust and reliability of the world's critical infrastructure in order to advance one nation's intelligence agency," he added.
Software Supply-Chain Attack Hits Vietnam Government Certification Authority
18.12.2020 BigBrothers Thehackernews
Cybersecurity researchers today disclosed a new supply-chain attack targeting the Vietnam Government Certification Authority (VGCA) that compromised the agency's digital signature toolkit to install a backdoor on victim systems.
Uncovered by Slovak internet security company ESET early this month, the "SignSight" attack involved modifying software installers hosted on the CA's website ("ca.gov.vn") to insert a spyware tool called PhantomNet or Smanager.
According to ESET's telemetry, the breach happened from at least July 23 to August 16, 2020, with the two installers in question — "gca01-client-v2-x32-8.3.msi" and "gca01-client-v2-x64-8.3.msi" for 32-bit and 64-bit Windows systems — tampered to include the backdoor.
"The compromise of a certification authority website is a good opportunity for APT groups, since visitors are likely to have a high level of trust in a state organization responsible for digital signatures," ESET's Matthieu Faou said.
After the attack was reported to VGCA, the certificate authority confirmed that "they were aware of the attack before our notification and that they notified the users who downloaded the trojanized software."
The digital signature tool, mandated by Vietnam's Government Cipher Committee as part of an electronic authentication scheme, is used by the government sector as well as private companies to digitally sign documents using a USB token (also called a PKI token) that stores the digital signature and requires the aforementioned driver to operate.
As a consequence, the only way a user can get infected is when the compromised software hosted on the official website is manually downloaded and executed on the target system.
Once installed, the modified software starts the genuine GCA program to mask the breach and then runs the PhantomNet backdoor that masquerades as a seemingly harmless file named "eToken.exe."
The backdoor — compiled most recently on April 26 — takes the responsibility of collecting system information, with additional malicious capabilities deployed through plugins retrieved from hardcoded command-and-control servers (e.g. "vgca.homeunix[.]org" and "office365.blogdns[.]com") that mimic the names of VGCA and popular productivity software.
ESET said that in addition to Vietnam, it saw victims in the Philippines, but the delivery mechanism there remains unknown. The ultimate goal of the attackers is unclear as well, since there is little to no information about the post-compromise activity.
If anything, the incident highlights why supply-chain attacks are increasingly becoming a common attack vector among cyberespionage groups: they allow the adversaries to deploy malware on many computers at the same time covertly.
In November, ESET disclosed a Lazarus campaign in South Korea that used legitimate security software and stolen digital certificates to distribute remote administration tools (RATs) on target systems.
Then last week, it also found that a chat software called Able Desktop, used by 430 government agencies in Mongolia, was abused to deliver the HyperBro backdoor, the Korplug RAT, and another Trojan called Tmanger.
Lastly, a supply-chain attack on SolarWinds Orion software discovered this week was exploited to breach several major US government agencies, including the Departments of Homeland Security, Commerce, Treasury, and State.
"Supply-chain attacks are typically hard to find, as the malicious code is generally hidden among a lot of legitimate code, making its discovery significantly more difficult," Faou concluded.
EU Digital Services and Digital Markets Acts aim at setting new rules for tech giants
17.12.2020 BigBrothers Securityaffairs
The European Union is going to unveil two laws, the Digital Services and Digital Markets Acts, that will impose new rules for tech giants.
The European Union is set to unveil two laws, the Digital Services and Digital Markets Acts, that aim at defining new rules for the digital market, especially for the way tech giants operate.
The proposed laws focus on critical aspects of the European Union market, including competition and the role of the platforms that host content.
EU authorities pointed out that the rules have not been revised since 2000; the new laws were previewed by commissioners Margrethe Vestager and Thierry Breton.
Online platforms of any size have become central in our economy and society, especially during the pandemic, when digital services play a crucial role. Online services help us to continue working, doing business, learning, staying informed, shopping, entertaining ourselves, socializing, and staying in touch with other people and friends.
The duo explained that the interests of a few companies should not dictate the EU market threatening our future.
In order to enforce these rules, the EU proposes heavy fines for violations.
“While digital services offer unprecedented opportunities, the risks are also real: online bullying, hate speech, fake news, skewed elections, unsafe or counterfeited goods, being choked off from business opportunities if you’re a small player – the list is long,” both commissioners wrote in The Irish Times.
“The business and political interests of a handful of companies should not dictate our future.” “Our rules on digital services in Europe – the most coveted single market in the world – date back to 2000. Most online platforms hardly existed back then.”
The commissioners urge an update of the EU legislation framework, making sure that new rules and principles are respected everywhere.
Clearly, the new laws will have a significant impact on the operations of US-based tech giants, like Google and Facebook, labeled as “gatekeepers,” and address their market dominance.
“In particular, the European Commission has indicated it objects to such giants using the data they gather from one service to “improve or develop” a new one in a different area, making it difficult to compete with them.” reported the BBC.
“The Commission labels such firms “gatekeepers”, saying they “set the rules of the game for their users and their competitors”.”
German Government Backs Bill Requiring 5G Security Pledge
17.12.2020 BigBrothers Securityweek
German Chancellor Angela Merkel’s Cabinet approved a bill Wednesday that would require companies involved in setting up critical infrastructure such as high-speed 5G networks to guarantee that their equipment can’t be used for sabotage, espionage or terrorism.
The bill, which now goes to parliament, seeks to address concerns that vendors such as Chinese tech company Huawei might pose a security risk if they have access to core parts of the German telecoms network.
Companies will be required to submit a “guarantee” that contains details on how they ensure that components of critical systems can’t be misused for illegal purposes.
A vendor that fails to meet the threshold for trustworthiness can be banned from operating equipment.
The measure doesn’t amount to an outright ban on Huawei in Germany, as demanded by the United States.
A German government spokesman declined to comment directly when asked about the Trump administration’s threat to cut off intelligence sharing with countries that use Huawei gear.
“This law concerns fundamental questions of IT security and not individual manufacturers,” Steffen Seibert told reporters in Berlin.
Huawei denies U.S. allegations of facilitating spying by China, a major trading partner of Germany.
In a statement, the company welcomed the draft law.
“For the 5G rollout, we believe this means that there will be higher and uniform security standards for all technology vendors,” it said, adding that the law would allow all vendors to compete fairly if they meet the security requirements.
“This fact- and standards-based approach is exemplary in addressing global cybersecurity challenges,” the company said. “Huawei will continue to work transparently with regulators, customers, and industry organizations to ensure the security of mobile networks.”
Australia Watchdog Sues Facebook Over 'Misleading' VPN App
17.12.2020 BigBrothers Securityweek
Australia's consumer watchdog launched legal action against Facebook on Wednesday, alleging the social media giant "misled" thousands of Australians by collecting user data from a free VPN service advertised as private.
The platform could face a fine if found guilty of deceiving users, as Australia takes an increasingly assertive stance towards powerful US tech titans.
The Australian Competition and Consumer Commission (ACCC) has accused Facebook and two of its subsidiaries -- Facebook Israel and Onavo Inc -- of misleading people who downloaded its virtual private network (VPN) app Onavo Protect, by collecting and using their "very detailed and valuable personal activity data".
Records of which apps they accessed and the amount of time they spent using them were among the data allegedly used to support Facebook's market research.
The ACCC alleges Facebook and its two partners falsely represented the now-defunct VPN service as keeping user data "private, protected and secret" between February 2016 and October 2017.
"Consumers often use VPN services because they care about their online privacy, and that is what this Facebook product claimed to offer. In fact, Onavo Protect channelled significant volumes of their personal activity data straight back to Facebook," ACCC Chair Rod Sims said.
"We believe that the conduct deprived Australian consumers of the opportunity to make an informed choice about the collection and use of their personal activity data by Facebook and Onavo."
A Facebook spokesperson said the firm had cooperated with the ACCC's investigation and would review the court filing.
"When people downloaded Onavo Protect, we were always clear about the information we collect and how it is used," they said.
"We will... continue to defend our position in response to this recent filing."
The ACCC has previously helped draft a law that threatens Facebook and Google with millions of dollars in fines unless they agree to pay media outlets when their platforms host news content.
In March, the Office of the Australian Information Commissioner also began legal action against Facebook for allegedly exposing more than 300,000 Australians to a data breach by political consulting firm Cambridge Analytica.
Facebook has already paid penalties in the United States and Britain over the massive 2018 data hijacking scandal involving the now-defunct British company.
Hack May Have Exposed Deep US Secrets; Damage Yet Unknown
17.12.2020 BigBrothers Securityweek
Some of America’s most deeply held secrets may have been stolen in a disciplined, monthslong operation being blamed on elite Russian government hackers. The possibilities of what might have been purloined are mind-boggling.
Could hackers have obtained nuclear secrets? COVID-19 vaccine data? Blueprints for next-generation weapons systems?
It will take weeks, maybe years in some cases, for digital sleuths combing through U.S. government and private industry networks to get the answers. These hackers are consummate pros at covering their tracks, experts say. Some theft may never be detected.
What seems clear is that this campaign — which cybersecurity experts say exhibits the tactics and techniques of Russia’s SVR foreign intelligence agency — will rank among the most prolific in the annals of cyberespionage.
Data exfiltrated by attackers
U.S. government agencies, including the Treasury and Commerce departments, were among dozens of high-value public- and private-sector targets known to have been infiltrated as far back as March through a commercial software update distributed to thousands of companies and government agencies worldwide. A Pentagon statement Monday indicated it used the software. It said it had “issued guidance and directives to protect” its networks. It would not say — for “operational security reasons” — whether any of its systems may have been hacked.
On Tuesday, acting Defense Secretary Chris Miller told CBS News there was so far no evidence of compromise.
In the months since the update went out, the hackers carefully exfiltrated data, often encrypting it so it wasn’t clear what was being taken, and expertly covering their tracks.
Thomas Rid, a Johns Hopkins cyberconflict expert, said the campaign’s likely efficacy can be compared to Russia’s three-year 1990s “Moonlight Maze” hacking of U.S. government targets, including NASA and the Pentagon. A U.S. investigation determined the height of the documents stolen — if printed out and piled up — would triple the height of the Washington Monument.
In this case “several Washington Monument piles of documents that they took from different government agencies is probably a realistic estimate,” Rid said. “How would they use that? They themselves most likely don’t know yet.”
The Trump administration has not said which agencies were hacked. And so far no private-sector victims have come forward. Traditionally, defense contractors and telecommunications companies have been popular targets with state-backed cyber spies, Rid said.
Intelligence agents generally seek the latest on weapons technologies and missile defense systems — anything vital to national security. They also develop dossiers on rival government employees, potentially for recruitment as spies.
President Donald Trump’s national security adviser, Robert O’Brien, cut short an overseas trip to hold meetings on the hack and was to convene a top-level interagency meeting later this week, the White House said in a statement.
O’Brien had been scheduled to return Saturday and had to scrap plans to visit officials in Italy, Germany, Switzerland and Britain, said an official familiar with his itinerary who was not authorized to discuss it and spoke on condition of anonymity.
Earlier, the White House said a coordinating team had been created to respond, including the FBI, the Department of Homeland Security and the Office of the Director of National Intelligence.
At a briefing for congressional staffers Monday, DHS did not say how many agencies were hacked, a reflection of how little the Trump administration has been sharing with Congress on the case.
Critics have long complained that the Trump administration failed to address snowballing cybersecurity threats — including from ransomware attacks that have hobbled state and local governments, hospitals and even grammar schools.
“It’s been a frustrating time, the last four years. I mean, nothing has happened seriously at all in cybersecurity,” said Brandon Valeriano, a Marine Corps University scholar and adviser to the Cyber Solarium Commission, which was created by Congress to fortify the nation’s cyber defenses. “It’s tough to find anything that we moved forward on at all.”
Trump eliminated two key government positions: White House cybersecurity coordinator and State Department cybersecurity policy chief.
Valeriano said one of the few bright spots was the work of Chris Krebs, the head of the Cybersecurity and Infrastructure Security Agency, whom Trump fired for defending the integrity of the election in the face of Trump’s false claims of widespread fraud.
Hackers infiltrated government agencies by piggybacking malicious code on commercial network management software from SolarWinds, a Texas company, beginning in March.
The campaign was discovered by the cybersecurity company FireEye when it detected it had been hacked — it disclosed the breach Dec. 8 — and alerted the FBI and other federal agencies. FireEye executive Charles Carmakal said it was aware of “dozens of incredibly high-value targets” infiltrated by the hackers and was helping “a number of organizations respond to their intrusions.” He would not name any, and said he expected many more to learn in coming days that they, too, were compromised.
Carmakal said the hackers would have activated remote-access back doors only on targets sure to have prized data. It is manual, demanding work, and moving networks around risks detection.
The SolarWinds campaign highlights the lack of mandatory minimum security rules for commercial software used on federal computer networks. Zoom videoconferencing software is another example. It was approved for use on federal computer networks last year, yet security experts discovered various vulnerabilities exploitable by hackers — after federal workers sent home by the pandemic began using it.
Rep. Jim Langevin, a Rhode Island Democrat and Cyberspace Solarium Commission member, said the breach reminded him of the 2015 Chinese hack of the U.S. Office of Personnel Management, in which the records of 22 million federal employees and government job applicants were stolen.
It highlights the need, he said, for a national cyber director at the White House, a position subject to Senate confirmation. Congress approved such a position in a recently passed defense bill.
“In all of the different departments and agencies, cybersecurity is never going to be their primary mission,” Langevin said.
Trump has threatened to veto the bill over objections to unrelated provisions.
Facebook Closes Disinformation Accounts Linked to French Military
16.12.2020 BigBrothers Securityweek
Facebook said Tuesday that it had removed two networks based in Russia and one linked to the French military, accusing them of carrying out interference campaigns in Africa.
Two networks running multiple Facebook accounts were assigned to people associated with the Russian Internet Research Agency, and the third had "links to individuals associated with French military," the social media platform said.
All three were removed from the site for breaking its policy against foreign or government interference, Facebook said, adding that the networks targeted countries mainly in north Africa and some in the Middle East.
The French military made no immediate comment on the allegations.
Nathaniel Gleicher, Facebook's head of security policy, and David Agranovich, head of global threat disruption, said in a blog that the campaigns dueled with each other online.
"This was the first time our team found two campaigns -- from France and Russia -- actively engage with one another, including by befriending, commenting and criticizing the opposing side for being fake," they said.
The networks "used fake accounts as a central part of their operations to mislead people about who they are and what they are doing, and that was the basis for our action," Facebook said.
The French network targeted the Central African Republic and Mali, and, to a lesser extent, Niger, Burkina Faso, Algeria, Cote d'Ivoire and Chad.
It involved 84 Facebook accounts, 6 pages, 9 groups and 14 Instagram accounts that violated policy against "coordinated inauthentic behavior."
Some of the posts, in French and Arabic, were about France's policies in Francophone Africa, claims of Russian interference in CAR elections, supportive comments about the French military and criticism of Russia.
"The Russian imperialists are a gangrene on Mali!" read a sample post shared by Facebook.
In disrupting the two Russian networks, the social network removed 274 Facebook accounts and 18 Instagram accounts, along with an array of groups and pages.
"We shared information about our findings with law enforcement and industry partners," Gleicher and Agranovich said.
"We are making progress rooting out this abuse, but as we've said before, it's an ongoing effort and we're committed to continually improving to stay ahead."
DHS Among Those Hit in Sophisticated Cyberattack by Foreign Adversaries – Report
15.12.2020 BigBrothers Threatpost
The attack was mounted via SolarWinds Orion, in a manual and targeted supply-chain effort.
The U.S. Department of Homeland Security (DHS), plus the Treasury and Commerce departments, have been hacked in an attack related to the FireEye compromise last week, according to reports. In addition, defense contractors and enterprises were caught up in the attack, FireEye said, which was carried out using a supply-chain attack targeting a SolarWinds network-management platform.
The Russian foreign-intelligence service is believed to be the culprit, people familiar with the matter told the Wall Street Journal. “Hundreds of thousands of government and corporate networks” have been opened to potential risk, making it a notable attack that goes far beyond the garden-variety espionage attempt, the sources said.
The Commerce Department has confirmed that its National Telecommunications and Information Administration was hit, while the FBI said that it was “appropriately engaged.” Chris Bing, a Reuters reporter, tweeted out that the DHS has also been confirmed as a victim.
The Russian Embassy in Washington D.C. meanwhile said that the reports are “unfounded attempts of the U.S. media to blame Russia.”
FireEye Hack a Precursor
On Dec. 8, FireEye confirmed what CEO Kevin Mandia described as a highly targeted cyberattack. The attacker was able to access certain Red Team assessment tools that the company uses to test its customers’ security.
Mandia said that based on the techniques and sophistication of the attack, he believes state-sponsored actors were behind the hack. The attacker was primarily hunting out data related to certain government customers, according to FireEye. The hack “used a novel combination of techniques not witnessed by us or our partners in the past,” he said.
Now, the Cybersecurity and Infrastructure Security Agency (CISA) said that the cyberattackers were able to infiltrate both FireEye and the government agencies via trojanized updates to SolarWinds’ Orion IT monitoring and management software. The updates were pushed out between March and June, meaning that the attack has been going on for months. CISA has instructed all federal civilian agencies to cut off the use of Orion and to check for network compromise.
The attack appears to be possible thanks to a zero-day bug, researchers said.
“It’s not clear whether this is a flaw that SolarWinds totally understands yet,” Brandon Hoffman, CISO at Netenrich, said via email. “If they do, a fix needs to be issued immediately. If not, it may be worth shutting down that system until there is one. This may seem like overkill, but the risk is obvious, especially for targets considered higher priority. We still don’t know enough to determine if the attackers have been completely rooted out of the breached systems or even if the full extent of their lateral movements are known.”
Malicious Software Updates
SolarWinds acknowledged the bug in an advisory over the weekend, saying that exploitation of the issue must be done in a “narrow, extremely targeted, and manually executed attack,” and was likely the work of a nation-state. Users should upgrade to Orion Platform version 2020.2.1 HF 1 to protect themselves, it added.
The scope of the attack is for now unknown, but it could be wide-ranging: According to its website, SolarWinds has more than 300,000 customers around the globe, including most of the Fortune 500, the Secret Service, the Defense Department, the U.S. Post Office, the Federal Reserve, Lockheed Martin, PricewaterhouseCoopers and the National Security Agency.
FireEye said in a blog post late Sunday that government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East have all been affected.
“We anticipate there are additional victims in other countries and verticals,” FireEye said in its blog.
FireEye did not link the attack to Russia, but said it was tracking the campaign as “UNC2452,” and characterized it as “currently ongoing.” The cybercriminals are highly skilled, it added, with the operation exhibiting “significant operational security.”
The attackers were able to use SolarWinds.Orion.Core.BusinessLayer.dll, a SolarWinds digitally signed component of the Orion software framework, which is a plugin that communicates via HTTP to third-party servers, according to the firm. The bad actors were able to trojanize the plug-in, to inject a backdoor that FireEye is calling “Sunburst.” Once the malicious update is installed, the malicious DLL will be loaded by the legitimate SolarWinds processes, making it difficult to detect.
“After an initial dormant period of up to two weeks, it retrieves and executes commands, called ‘Jobs,’ that include the ability to transfer files, execute files, profile the system, reboot the machine and disable system services,” according to the company. “The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and antivirus tools running as processes, services and drivers.”
Chris Krebs, former head of CISA prior to President Trump firing him for saying the presidential election was secure, noted that companies using SolarWinds should assume that they have been compromised.
“Hacks of this type take exceptional tradecraft and time,” Krebs tweeted. “If this is a supply-chain attack using trusted relationships, really hard to stop.”
“It’s natural to think that just after the FireEye breach, adversaries turned their tools to use and perpetrated this breach of the Commerce department,” Hoffman said. “However, careful examination of this seems to lead us to the conclusion that this has been going on much longer. The type of attack described to date involves several low and slow techniques. The very term advanced persistent threat (APT) was coined to describe an attack just like this.”
US Agencies and FireEye were hacked with a supply chain attack on SolarWinds Software
15.12.2020 BigBrothers Securityaffairs
Hackers broke into the networks of federal agencies and FireEye by compromising SolarWinds’ Orion Network Management Products.
The cyber espionage group has tampered with updates released by IT company SolarWinds, which provides its products to government agencies, military, and intelligence offices, two people familiar with the matter told the Reuters agency.
Nation-state actors, allegedly Russia-linked hackers, have compromised the networks of several US government agencies, including the US Treasury and the Commerce Department’s National Telecommunications and Information Administration (NTIA). The hack allowed the threat actors to spy on internal email traffic.
“Hackers believed to be working for Russia have been monitoring internal email traffic at the U.S. Treasury and Commerce departments, according to people familiar with the matter, adding they feared the hacks uncovered so far may be the tip of the iceberg,” Reuters reported.
A report published by the Washington Post, citing unnamed sources, attributes the attacks to APT29 or Cozy Bear, the Russia-linked APT that’s believed to have recently compromised the top cybersecurity firm FireEye.
The Cybersecurity and Infrastructure Security Agency (CISA) immediately issued Emergency Directive 21-01 in response to the compromise involving SolarWinds Orion products, which are currently being exploited by malicious threat actors. The US agency is calling on all federal civilian agencies to review their networks for indicators of compromise and to power down SolarWinds Orion products immediately.
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said Brandon Wales, acting director of the US Cybersecurity and Infrastructure Security Agency (CISA), which has released an emergency directive, urging federal civilian agencies to review their networks for suspicious activity and disconnect or power down SolarWinds Orion products immediately.
At the time of this writing, the extent of the hack is still unclear, but the situation could be dramatic due to the popularity of SolarWinds’ networking and security products. Threat actors carried out a highly sophisticated supply chain attack.
SolarWinds’ networking and security products are currently used by more than 300,000 customers worldwide, including government agencies, military offices, major US telecommunications companies, education institutions, and Fortune 500 companies.
The Pentagon, State Department, NASA, National Security Agency (NSA), Postal Service, NOAA, Department of Justice, and the Office of the President of the United States use SolarWinds solutions.
FireEye is investigating the supply chain attack; it has already confirmed that a threat actor tracked as UNC2452 used trojanized SolarWinds Orion business software updates to distribute a backdoor tracked as SUNBURST.
According to the experts, the campaign may have begun as early as Spring 2020 and is still ongoing.
The attacks are the work of a highly-skilled threat actor and the operation was conducted with significant operational security, FireEye explained.
“SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. We are tracking the trojanized version of this SolarWinds Orion plug-in as SUNBURST.” reads the analysis published by FireEye.
“After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”
FireEye published the indicators of compromise (IoCs) and attack signatures for SUNBURST here.
FireEye discovered multiple weaponized updates that were digitally signed between March and May 2020 and posted to the SolarWinds updates website.
The tainted version of SolarWinds Orion plug-in masqueraded network traffic as the Orion Improvement Program (OIP) protocol, it communicates via HTTP to C2 to retrieve and execute malicious commands, dubbed “Jobs.” The backdoor supports multiple features, including file transferring, executing files, disabling system services, and gathering system info.
The attackers used VPN servers in the same country as the victim to obfuscate the IP addresses and evade detection.
Microsoft also carried out its own separate analysis and confirmed that the hackers mounted a supply chain attack on SolarWinds; its experts track the backdoor as “Solorigate.”
In a security advisory published by SolarWinds, the company confirmed the supply chain attack: the threat actors compromised versions 2019.4 through 2020.2.1 of the SolarWinds Orion Platform software, which were released between March and June 2020. The vendor recommends that users upgrade to Orion Platform release 2020.2.1 HF 1 immediately.
SolarWinds reported the security breach to the authorities and is still investigating the attack with the support of FireEye and the FBI. The company will release the 2020.2.1 HF 2 update on December 15 to replace the compromised component and implement security enhancements.
Norwegian Cruise Company Hurtigruten Hit by Cyberattack
15.12.2020 BigBrothers Securityweek
Norwegian cruise company Hurtigruten announced Monday that it had been hit by a major cyberattack involving what appeared to be "ransomware", designed to seize control of data to ransom it.
"It's a serious attack," said the company's chief digital officer Ole-Marius Moe-Helgesen in a statement. "The entire worldwide digital infrastructure of Hurtigruten seems to have been hit."
The company said it had alerted the relevant authorities when the attack was detected overnight Sunday to Monday. "The attack seems to be a so-called ransomware," Hurtigruten added.
Ransomware is a kind of malware -- malicious software -- that encrypts the data of the target, locking the owner out of its own system until the victim agrees to pay for a decryption key to let him back in.
The attack comes as the company, which like the rest of the cruise liner industry is owned by private investors, is struggling with the losses caused by the coronavirus pandemic.
The company tried to relaunch its cruisers in June but suspended them again in September until the end of the year after dozens of crew members and passengers were infected with the virus.
Europe's cruise liner sector has a turnover of 14.5 billion euros a year and employs nearly 53,000 people, according to the Cruise Lines International Association (CLIA).
The CLIA estimates that the damage wrought to the industry by coronavirus-related shutdowns could cost it up to 25.5 billion euros in revenue.
Global Espionage Campaign Used Software Supply Chain Hack To Compromise Targets, Including US Gov
15.12.2020 BigBrothers Securityweek
Tampered Versions of SolarWinds Orion IT Monitoring Software Used to Compromise Global Organizations
Incident response teams are scrambling after details emerged late Sunday of a sophisticated espionage campaign leveraging a software supply chain attack that allowed hackers to compromise numerous public and private organizations around the world.
Among victims are multiple US government agencies, including the Treasury and Commerce departments, and cybersecurity giant FireEye, which stunned the industry last week when it revealed that attackers gained access to its Red Team tools.
FireEye indirectly confirmed the connection between the attack targeting its own systems, which it has blamed on an unidentified state-sponsored threat actor, and the attacks on U.S. government systems. The connection was made through a blog post published on Sunday, where FireEye described a widespread attack campaign that is exploiting SolarWinds' Orion IT monitoring software.
According to the cybersecurity firm, the campaign started as early as the spring of 2020 and is ongoing.
FireEye said the attackers, which it tracks as UNC2452, have leveraged trojanized Orion updates in an effort to deliver a backdoor identified by the company as SUNBURST. In at least one case, the hackers also delivered a previously unknown memory-only dropper named TEARDROP, which in turn attempted to deploy a custom version of Cobalt Strike’s Beacon payload.
FireEye said it observed multiple victims, including government, technology, consulting, extractive and telecom organizations in North America, Europe, the Middle East and Asia. The company has notified victims and it has made available indicators of compromise (IoC) to help organizations detect potential attacks and conduct investigations.
The wide range of victims is not surprising considering that SolarWinds claims on its website that it has more than 300,000 customers worldwide. The software maker says its customers include over 425 of U.S. Fortune 500 firms, the top ten telecoms companies in the United States, the U.S. Military, the Pentagon, the State Department, the NSA, and the Department of Justice.
FireEye says the trojanized update file is a “standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component.”
A quick search on VirusTotal conducted by SecurityWeek early Monday revealed that the malicious file (MD5: b91ce2fa41029f6955bff20079468448) was detected as malicious by just 14 of 69 anti-malware engines.
FireEye’s analysis also found that the backdoor uses blocklists to detect forensic and anti-virus tools via processes, services, and drivers.
Microsoft has also been tracking these attacks, and has released Windows Defender updates to protect customers from the threat, which it has dubbed Solorigate.
In a security advisory, SolarWinds said versions 2019.4 HF 5 through 2020.2.1 of its Orion software are impacted, and it has advised customers to update to version 2020.2.1 HF 1 as soon as possible.
The company said another update (version 2020.2.1 HF 2) is expected to be published on Tuesday, December 15, 2020, which will replace the compromised component and provide additional security enhancements.
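A defender's triage check built from the facts in this article, as an added example that is not SolarWinds', FireEye's or SecurityWeek's own code: it compares an installed Orion version string against the affected range quoted from the advisory (2019.4 HF 5 through 2020.2.1, fixed in 2020.2.1 HF 1), and hashes every copy of SolarWinds.Orion.Core.BusinessLayer.dll under an install root against the one MD5 the article cites. The version-string grammar and the `sunburst_triage.py` script name are assumptions; the lower bound follows this article's advisory quote, which differs from the "2019.4" bound another report gives.

```python
import hashlib
import os
import re
import sys
from typing import Dict, Iterator, List, Tuple

# Known-bad MD5 of the trojanized SolarWinds.Orion.Core.BusinessLayer.dll as
# quoted in the article above (SecurityWeek's VirusTotal lookup).
SUNBURST_DLL_MD5 = "b91ce2fa41029f6955bff20079468448"
TROJANIZED_DLL_NAME = "SolarWinds.Orion.Core.BusinessLayer.dll"

# Affected range as the article reports it from the SolarWinds advisory:
# 2019.4 HF 5 through 2020.2.1 inclusive; 2020.2.1 HF 1 carries the fix.
AFFECTED_FROM = "2019.4 HF 5"
AFFECTED_TO = "2020.2.1"
FIXED_VERSION = "2020.2.1 HF 1"

# Assumed grammar for Orion version strings: "2019.4", "2020.2.1", "2020.2.1 HF 1".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_orion_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '2020.2.1 HF 1' into the comparable tuple (2020, 2, 1, 1).

    A missing patch or hotfix number counts as 0, so that '2020.2.1'
    sorts below '2020.2.1 HF 1'."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    year, major, patch, hotfix = m.groups()
    return (int(year), int(major), int(patch or 0), int(hotfix or 0))


def is_affected_version(version: str) -> bool:
    """True when `version` lies inside the advisory's affected range."""
    v = parse_orion_version(version)
    return parse_orion_version(AFFECTED_FROM) <= v <= parse_orion_version(AFFECTED_TO)


def needs_update(version: str) -> bool:
    """True when `version` is older than the hotfix that replaces the DLL."""
    return parse_orion_version(version) < parse_orion_version(FIXED_VERSION)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def is_known_bad_dll(filename: str, data: bytes) -> bool:
    """Match on both the component name and the published sample hash."""
    return (
        os.path.basename(filename).lower() == TROJANIZED_DLL_NAME.lower()
        and md5_hex(data) == SUNBURST_DLL_MD5
    )


def find_business_layer_dlls(root: str) -> Iterator[Tuple[str, str, bool]]:
    """Walk `root` and yield (path, md5, matches_known_bad) for every copy
    of the Orion BusinessLayer DLL found there."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() == TROJANIZED_DLL_NAME.lower():
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    data = fh.read()
                yield path, md5_hex(data), is_known_bad_dll(name, data)


def triage(version: str, findings: List[Tuple[str, str, bool]]) -> Dict[str, object]:
    """Combine the version check with the hash findings into one verdict.

    A clean hash does not clear a host: only the single sample whose MD5 the
    article quotes is matched, so an affected version still warrants the
    ED 21-01 steps (image the host, review traffic, isolate, update)."""
    bad = [path for path, _, is_bad in findings if is_bad]
    affected = is_affected_version(version)
    return {
        "version_affected": affected,
        "needs_update": needs_update(version),
        "dlls_scanned": len(findings),
        "known_bad_dlls": bad,
        "assume_compromise": affected or bool(bad),
    }


if __name__ == "__main__":
    # Usage: python sunburst_triage.py "<Orion version>" <install root>
    ver, root = sys.argv[1], sys.argv[2]
    print(triage(ver, list(find_business_layer_dlls(root))))
```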
U.S. government response to attacks
The Cybersecurity and Infrastructure Security Agency (CISA) has launched an investigation in cooperation with agency partners, and the Department of Homeland Security (DHS) issued Emergency Directive 21-01 on Sunday, instructing federal agencies to immediately investigate potential breaches involving their SolarWinds Orion installations and take steps to neutralize the threat.
Government organizations have been instructed to create forensic images of system memory and operating systems hosting Orion, analyze network traffic for IoCs, disconnect or shut down Orion systems, and identify and remove accounts and persistence mechanisms that may have been set up by the attackers.
Christopher Krebs, former director of CISA, who was fired last month by U.S. President Donald Trump, took to Twitter to post several comments about the incident.
“If you’re a SolarWinds customer & use the below product, assume compromise and immediately activate your incident response team,” Krebs wrote.
Response from Russia
According to some reports, Russian state-sponsored threat actors are believed to be behind the SolarWinds attacks. In response to those reports, Russia’s embassy in the United States issued a statement on Sunday denying the allegations.
“We declare responsibly: malicious activities in the information space contradicts the principles of the Russian foreign policy, national interests and our understanding of interstate relations. Russia does not conduct offensive operations in the cyber domain,” the embassy said in its statement.
Much more fallout expected
While the initial focus of the campaign was on U.S. government agencies, several more victim organizations are likely to follow as security teams conduct investigations and companies prepare breach disclosures.
SecurityWeek will provide ongoing coverage of this threat, including additional resources for incident response teams.
Shares of publicly traded SolarWinds (NYSE: SWI) were trading down nearly 20% in pre-market trading on Monday.
US Government Confirms Cyberattack
14.12.2020 BigBrothers Securityweek
The US government on Sunday confirmed that its computer networks had been hit by a cyberattack, as The Washington Post reported at least two departments including the Treasury had been targeted by Russian state hackers.
"We have been working closely with our agency partners regarding recently discovered activity on government networks," a spokesperson for the Cybersecurity and Infrastructure Security Agency told AFP.
"CISA is providing technical assistance to affected entities as they work to identify and mitigate any potential compromises."
The Post said the hacks were linked to an attack last week on cybersecurity firm FireEye, which said its own defenses were breached by sophisticated attackers who stole tools used to test customers' computer systems.
FireEye said it suspected the attack was state-sponsored.
US media reports said the FBI was investigating a group working for the Russian foreign intelligence service, SVR, and that breaches had been taking place for months.
The same group also reportedly hacked US government agencies during the Obama administration.
"The United States government is aware of these reports and we are taking all necessary steps to identify and remedy any possible issues related to this situation," National Security Council spokesman John Ullyot said.
US Investigating Computer Hacks of Government Agencies
14.12.2020 BigBrothers Securityweek
Hackers broke into the networks of federal agencies including the Treasury and Commerce departments as U.S. government officials said Sunday that they were working to identify the scope of the breach and to fix the problem.
The FBI and the Department of Homeland Security’s cybersecurity arm are investigating.
The hacks were revealed just days after a major cybersecurity firm disclosed that foreign government hackers had broken into its network and stolen the company’s own hacking tools. Many experts suspect Russia as responsible for the attack against FireEye, a major cybersecurity player whose customers include federal, state and local governments and top global corporations.
There was no immediate connection between the attacks, and it wasn’t immediately clear if Russia was also responsible for the hack of the Treasury Department, which was first reported by Reuters. National Security Council spokesperson John Ullyot said in a statement that the government was “taking all necessary steps to identify and remedy any possible issues related to this situation.”
The government’s Cybersecurity and Infrastructure Security Agency said separately that it has been working with other agencies “regarding recently discovered activity on government networks. CISA is providing technical assistance to affected entities as they work to identify and mitigate any potential compromises.”
President Donald Trump last month fired the director of CISA, Chris Krebs, after Krebs vouched for the integrity of the presidential election and disputed Trump’s claims of widespread electoral fraud.
Federal government agencies have long been attractive targets for foreign hackers. Hackers linked to Russia were able to break into the State Department’s email system in 2014, infecting it so thoroughly that it had to be cut off from the internet while experts worked to eliminate the infestation.
Reuters earlier reported that a group backed by a foreign government stole information from Treasury and a Commerce Department agency responsible for deciding internet and telecommunications policy. Intelligence agencies are reportedly concerned that other agencies were hacked using similar tools.
The Treasury Department deferred comment to the National Security Council. A Commerce Department spokesperson confirmed a “breach in one of our bureaus” and said “we have asked CISA and the FBI to investigate.”
Last Tuesday, prominent U.S. cybersecurity firm FireEye said that foreign government hackers with “world-class capabilities” broke into its network and stole offensive tools it uses to probe the defenses of its thousands of customers. Those customers include federal, state and local governments and top global corporations.
The hackers “primarily sought information related to certain government customers,” FireEye CEO Kevin Mandia said in a statement, without naming them. He said there was no indication they got customer information from the company’s consulting or breach-response businesses or threat-intelligence data it collects.
FireEye responded to the Sony and Equifax data breaches and helped Saudi Arabia thwart an oil industry cyberattack — and has played a key role in identifying Russia as the protagonist in numerous aggressions in the burgeoning netherworld of global digital conflict.
Neither Mandia nor a FireEye spokesperson said when the company detected the hack or who might be responsible. But many in the cybersecurity community suspect Russia.
US Agencies and FireEye Were Hacked Using SolarWinds Software Backdoor
14.12.2020 BigBrothers Thehackernews
State-sponsored actors allegedly working for Russia have targeted the US Treasury, the Commerce Department's National Telecommunications and Information Administration (NTIA), and other government agencies to monitor internal email traffic as part of a widespread cyberespionage campaign.
The Washington Post, citing unnamed sources, said the latest attacks were the work of APT29 or Cozy Bear, the same hacking group that's believed to have orchestrated a breach of US-based cybersecurity firm FireEye a few days ago leading to the theft of its Red Team penetration testing tools.
"The compromise of SolarWinds' Orion Network Management Products poses unacceptable risks to the security of federal networks," said Brandon Wales, acting director of the US Cybersecurity and Infrastructure Security Agency (CISA), which has released an emergency directive, urging federal civilian agencies to review their networks for suspicious activity and disconnect or power down SolarWinds Orion products immediately.
The motive and the full scope of what intelligence was compromised remains unclear, but signs are that adversaries tampered with a software update released by Texas-based IT infrastructure provider SolarWinds earlier this year to infiltrate the systems of government agencies as well as FireEye and mount a highly-sophisticated supply chain attack.
SolarWinds' networking and security products are used by more than 300,000 customers worldwide, including Fortune 500 companies, government agencies, and education institutions.
It also serves the major US telecommunications companies, all five branches of the US Military, and other prominent government organizations such as the Pentagon, State Department, NASA, National Security Agency (NSA), Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.
An Evasive Campaign to Distribute SUNBURST Backdoor
FireEye, which is tracking the ongoing intrusion campaign under the moniker "UNC2452," said the supply chain attack takes advantage of trojanized SolarWinds Orion business software updates in order to distribute a backdoor called SUNBURST.
"This campaign may have begun as early as Spring 2020 and is currently ongoing," FireEye said in a Sunday analysis. "Post compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security."
This rogue version of SolarWinds Orion plug-in, besides masquerading its network traffic as the Orion Improvement Program (OIP) protocol, is said to communicate via HTTP to remote servers so as to retrieve and execute malicious commands ("Jobs") that cover the spyware gamut, including those for transferring files, executing files, profiling and rebooting the target system, and disabling system services.
Orion Improvement Program or OIP is chiefly used to collect performance and usage statistics data from SolarWinds users for product improvement purposes.
What's more, the IP addresses used for the campaign were obfuscated by VPN servers located in the same country as the victim to evade detection.
Microsoft also corroborated the findings in a separate analysis, stating the attack (which it calls "Solorigate") leveraged the trust associated with SolarWinds software to insert malicious code as part of a larger campaign.
"A malicious software class was included among many other legitimate classes and then signed with a legitimate certificate," the Windows maker said. "The resulting binary included a backdoor and was then discreetly distributed into targeted organizations."
SolarWinds Releases Security Advisory
In a security advisory published by SolarWinds, the company said the attack targets versions 2019.4 through 2020.2.1 of the SolarWinds Orion Platform software that was released between March and June 2020, while recommending users to upgrade to Orion Platform release 2020.2.1 HF 1 immediately.
The firm, which is currently investigating the attack in coordination with FireEye and the US Federal Bureau of Investigation, is also expected to release an additional hotfix, 2020.2.1 HF 2, on December 15, which replaces the compromised component and provides several extra security enhancements.
FireEye last week disclosed that it fell victim to a highly sophisticated foreign-government attack that compromised its software tools used to test the defenses of its customers.
Totaling as many as 60 in number, the stolen Red Team tools are a mix of publicly available tools (43%), modified versions of publicly available tools (17%), and those that were developed in-house (40%).
Furthermore, the theft also includes exploit payloads that leverage critical vulnerabilities in Pulse Secure SSL VPN (CVE-2019-11510), Microsoft Active Directory (CVE-2020-1472), Zoho ManageEngine Desktop Central (CVE-2020-10189), and Windows Remote Desktop Services (CVE-2019-0708).
The campaign, ultimately, appears to be a supply chain attack on a global scale, for FireEye said it detected this activity across several entities worldwide, spanning government, consulting, technology, telecom, and extractive firms in North America, Europe, Asia, and the Middle East.
The indicators of compromise (IoCs) and other relevant attack signatures designed to counter SUNBURST can be accessed here.
Interview with Massimiliano Brolli, Head of TIM Red Team Research
12.12.2020 BigBrothers Securityaffairs
Interview with Massimiliano Brolli, Head of TIM Red Team Research, which is a team of experts that focus on zero-day hunting.
For some time now we have been witnessing a series of undocumented vulnerabilities issued by a TIM IT Security laboratory called Red Team Research RTR, which already has 31 new CVEs to date in about a year.
A small, all-Italian “Project Zero” that aroused attention among professionals, because a new CVE is published every eleven days, which is not bad at all.
So I decided to interview Massimiliano Brolli, Head of Risk Monitoring & Assessment and Head of the Red Team Research (RTR) of TIM asking him some questions, in particular about why in an Italian context, which is notoriously far from the world of Bug Hunting, TIM has wanted to invest in research activities on undocumented vulnerabilities, the so-called zero-day.
Massimiliano Brolli Red Team Research RTR
Redazione SA: Good morning Mr Brolli and thank you for making the time to see us. Why has a company like TIM chosen to invest in such a unique area as Bug hunting?
Mr Brolli:
TIM is increasingly becoming a reference point for the supply of innovative digital services and solutions. This means that in addition to the traditional telecommunications business, the company is increasingly attentive to sectors like the cloud, the Internet of Things and cybersecurity. In this latter area, the evolution of cyber crime has led to the development of professional activities – like bug hunting – that can fight and prevent cyber threats, developing security solutions that legally exploit the techniques typically used by hackers. The aim is to have an advantage over a potential cyber attack, publicly sharing the areas for improvement to the benefit of the system as a whole.
It is an activity that also effectively fights the underground bug and vulnerability market, not included in the official statistics recorded in the US National Vulnerability Database (NVD – the database that contains all security bugs reported by the cybersecurity community).
Redazione SA: What do you think has led to what is today an impressive increase in cyber threats? At what point are we in Italy in terms of cybersecurity?
Mr Brolli:
Zero risk does not exist and this is also stressed by the Special Publication NIST 800-115, which offers a guide to the assessment of information security controls. This is why cybersecurity is becoming so important in Italy too, in all businesses, thanks to the exploration of all its new frontiers, such as ethical hacking, threat intelligence and malware analysis.
TIM has been committed to addressing the new technological scenarios of cybersecurity for some time now; it does so by defining and finalising risk analysis methods, that is logical security by design and collaborations in the cyber area with public and private players aimed at preventing, assessing and treating operational risk on ICT assets. And this challenge is set to become even more important with the introduction of new technologies.
Redazione SA: So what can we do to encourage academy students to invest in these areas? – the younger generation is our future, after all.
Mr Brolli:
The younger generations are a great resource and every company needs to focus on them to make full use of all the new areas and tools involved in cybersecurity. Cybersecurity is a route and not a destination. Every day, we learn new things, we learn from our mistakes, often empirically, and above all from sharing with industry experts who can convey their experience and passion. It is important to have young people become interested in these subjects, get them involved and ignite that spark of interest in the highly technical matters that are at the very heart of our digital lives.
Redazione SA: Have you experienced difficulties with companies not inclined to ensure the responsible disclosure of vulnerabilities? Does the segment of product vendors always react the same way?
Mr Brolli:
Collaboration and transparency on vulnerabilities underlie the effectiveness of cybersecurity, both for large and small enterprises that are normally slowed by fears connected with the impact on their reputation.
We are firmly convinced that the adoption of a correct internal security programme, coupled with a responsible disclosure approach, will successfully raise the level of protection of cyber services and the products offered to the end customers. It is an approach that need not be the prerogative of large enterprises because it benefits the whole of the security ecosystem. To this end, bug-bounty programs have also been developed, which envisage recognition and recompense, including monetary, for reporting bugs and vulnerabilities. The secret, as I said, is to understand that zero risk does not exist and that by standing together, we are stronger.
FBI, CISA and MS-ISAC Warn of Cyberattacks Targeting K-12 Schools
12.12.2020 BigBrothers Securityweek
Threat actors are targeting K-12 educational institutions in the United States to deploy ransomware, steal data, or disrupt distance learning services.
In a joint alert this week, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warned of continuous attacks targeting K-12 educational institutions.
The FBI, CISA, and MS-ISAC have received a large number of reports detailing ransomware targeting school computer systems. The incidents resulted in slowed access to the infected machines and, in some instances, made them inaccessible for distance learning and other functions.
Just as in attacks targeting businesses and industry, the ransomware operators have engaged in double extortion, stealing sensitive data and threatening to leak it on the Internet unless a ransom is paid.
According to MS-ISAC, the number of ransomware attacks on K-12 schools has increased significantly at the beginning of the 2020 school year, accounting for over half (57%) of reported incidents in August and September, compared to less than a third (28%) between January and July.
AKO, Ryuk, Maze, Nefilim, and Sodinokibi/REvil were identified as the most common ransomware families used in attacks on K-12 schools during the first nine months of 2020.
Over the past year, the FBI, CISA and MS-ISAC say, the ZeuS Trojan (targeting Windows) and the Shlayer malware downloader (targeting macOS) were the most prevalent malware families targeting K-12 schools. Agent Tesla, NanoCore, and CoinMiner round out the top five.
K-12 schools and third-party services used for distance learning were also targeted in distributed denial-of-service (DDoS) attacks. Courtesy of DDoS-for-hire services, any wannabe criminal can launch disruptive attacks, regardless of experience level.
Live video-conferenced classroom sessions were also disrupted by uninvited users, according to reports that the FBI, CISA, and MS-ISAC have been receiving since March 2020. In addition to verbally harassing students and teachers, these uninvited guests displayed pornography and/or violent images, or doxed meeting attendees.
“In addition to the recent reporting of distance learning disruptions received by the FBI, CISA, and MS-ISAC, malicious cyber actors are expected to continue seeking opportunities to exploit the evolving remote learning environment,” the alert reads.
In their attacks, these threat actors are expected to employ social engineering tactics (usually observed in phishing attacks) to trick victims into revealing sensitive information, to target technology vulnerabilities and open/exposed ports, or to exploit End-of-Life (EOL) software.
To stay protected, K-12 educational institutions should make sure apps and operating systems are up-to-date, regularly change passwords for network systems, use multi-factor authentication, disable unused technologies, audit user and administrator accounts, implement network segmentation, identify and remedy open ports, use anti-malware solutions, and educate users on phishing.
Cyberattack 'Won't Affect Vaccine Delivery Timeline': EMA
12.12.2020 BigBrothers Securityweek
A cyberattack targeting coronavirus data at the EU's medicines watchdog lasted two weeks but will not affect the timeline for approval of the jabs, the head of the regulator said on Thursday.
The European Medicines Agency announced the cyberattack on Wednesday but gave few details, while Pfizer-BioNTech said documents relating to its regulatory submission were illegally accessed.
"We have been subject of a cyberattack over the last couple of weeks. This is being investigated," EMA chief Emer Cooke told a European Parliament committee.
"I can assure you that this will not affect the timeline for the delivery of vaccines and that we are fully functional," she added.
The Amsterdam-based EMA was probing the hack "in conjunction with experts from cybersecurity authorities across the EU, and with the criminal authorities and the Dutch police."
The agency has said it will give a decision on conditional approval for Pfizer-BioNTech's Covid-19 vaccine at a meeting to be held by December 29 at the latest, while a ruling on Moderna's version should follow by January 12.
Cooke said based on the data for the two vaccines so far, "the safety and efficacy look very promising, and we have not seen the adverse events coming up that would be a concern."
Pfizer COVID-19 Vaccine Targeted in EU Cyberattack
11.12.2020 BigBrothers Threatpost
Threat actors accessed Pfizer vaccine documentation submitted to EU regulators in the latest cyberattack trying to profit off pandemic suffering.
Criminals haven’t given up on stealing COVID-19 vaccine data. Yet another cyberattack has been launched — this time, threat actors were able to break into the European Medicines Agency (EMA) server and access documentation about the vaccine candidate from Pfizer and BioNTech.
The breach is just another in a series of particularly cruel efforts by malicious actors to capitalize on the global desperation and suffering as COVID-19 spreads and death tolls mount.
The EMA, Pfizer and BioNTech have acknowledged the attack but are not releasing any details while the matter is investigated.
“EMA has been the subject of a cyberattack,” the agency’s brief statement read. “The Agency has swiftly launched a full investigation, in close cooperation with law enforcement and other relevant entities.” It added that details “will be made available in due course.”
Pfizer and BioNTech, the companies behind a proposed vaccine called BNT162b2 (authorized for emergency use in the U.K. and elsewhere), also released a statement, adding that the two companies’ systems remain secure, including personal data collected from patient trials.
“Today, we were informed by the European Medicines Agency (EMA) that the agency has been subject to a cyberattack and that some documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, which has been stored on an EMA server, had been unlawfully accessed,” the Pfizer-BioNTech statement said. “It is important to note that no BioNTech or Pfizer systems have been breached in connection with this incident and we are unaware that any study participants have been identified through the data being accessed.”
Most critically, all parties assured the breach won’t slow down the EMA’s review of the vaccine for distribution.
COVID-19 Vaccines Under Attack
What’s also unlikely to be slowed down is the ongoing barrage of attacks aimed at every aspect of the vaccine’s lifecycle, from development to clinical trials and distribution.
The rise of the COVID-19 pandemic was almost immediately irresistible to scammers of all stripes. Back in March, the World Health Organization was targeted by a malicious site attempting to steal staffer credentials.
By May the FBI and CISA were compelled to release a statement warning about Chinese nation-state-backed attacks on a wide swath of the healthcare sector researching COVID-19 treatments and therapies.
“Health care, pharmaceutical, and research sectors working on COVID-19 response should all be aware they are the prime targets of this activity and take the necessary steps to protect their systems,” the May 13 FBI and CISA joint statement said.
Two months later, in July, the U.S. Department of Homeland Security issued a joint alert with the U.S. National Cyber Security Center and Canada’s Communications Security Establishment to warn about cybercriminal gang APT29, also known as CozyBear, which were targeting research and academic institutions working on a COVID-19 vaccine.
“Throughout 2020, APT29 has targeted various organizations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines,” the report said.
By late July, the U.S. Justice department accused China of spying on Moderna in an effort to “conduct reconnaissance” on the company’s vaccine research.
Third-party vendors were also easy targets. Medical software supplier eResearchTechnology provides platforms for pharmaceutical companies to conduct clinical trials and was the target of a ransomware attack in early that forced researchers back to slow and tedious pen and paper data tracking.
Once the development of a vaccine got to the manufacturing stage, malicious actors kept up their efforts to capitalize.
Vaccine manufacturer Dr. Reddy’s Laboratories, which was contracted to manufacture the Sputnik V COVID-19 vaccine for the Russian government, was forced to shut down factories in India, Russia, the UK and the U.S. after a cyberattack in mid-October.
Cold Supply-Chain Attacks
By early December, criminals shifted their sights to the limited number of companies which could distribute the vaccine at the necessary super cold temperatures. Gavi, the Vaccine Alliance group aimed at rallying “cold chain” companies for vaccine distribution, was attacked in September.
More recently, phishing emails were sent impersonating an executive of Haier Biomedical, one of the sole end-to-end cold supply chain providers, in an attempt to steal credentials. The attack was uncovered by IBM.
On Dec. 7, Europol, the European Union’s law enforcement agency issued a warning about the rise of illicit COVID-19 vaccine activity on the Dark Web, including the sale of counterfeit vaccines.
“The detection of a fake influenza vaccine confirms that criminals seize opportunities as soon as they present themselves,” the Europol warning read. “Owing to the pandemic, the demand for the influenza vaccine has been higher than usual and there risks being a shortage. Criminals have reacted quickly by producing counterfeit influenza vaccines. The same scenario is also likely to happen when COVID-19 vaccines do become available.”
In turn, CISA issued guidance to Operation Warp Speed, the U.S. government’s designated COVID-19 vaccine development and distribution oversight group, about the need for cybersecurity vigilance around the vaccine’s supply chain.
“IBM X-Force has released a report on malicious cyber-actors targeting the COVID-19 cold chain—an integral part of delivering and storing a vaccine at safe temperatures,” the CISA statement read. “Impersonating a biomedical company, cyber-actors are sending phishing and spearphishing emails to executives and global organizations involved in vaccine storage and transport to harvest account credentials. The emails have been posed as requests for quotations for participation in a vaccine program.”
This latest attack against the EMA is just another reminder of just how valuable COVID-19 vaccine data is to the world — and the criminals who would gladly steal it and sell it back to us for a profit.
Russian Cyberspies Use COVID-19 Vaccine Lures to Deliver Malware
11.12.2020 BigBrothers Securityweek
The Russia-linked cyberspy group known as Zebrocy has adopted COVID-19 vaccine-related lures in a recently observed phishing campaign, threat detection and response company Intezer reported on Wednesday.
Initially detailed in 2018, Zebrocy is believed to be associated with the infamous Russian state-sponsored hacking group Sofacy (also tracked as APT28, Fancy Bear, Pawn Storm, Sednit, and Strontium).
In September 2020, QuoINT security researchers revealed that Zebrocy attacks on countries associated with the North Atlantic Treaty Organization (NATO) had continued. One month later, the United States Cyber Command (USCYBERCOM) shared new malware samples associated with the group.
In November, Intezer’s security researchers observed Zebrocy phishing emails carrying lure documents about Chinese pharmaceutical company Sinopharm International Corporation, which has reached phase three clinical trials for a COVID-19 vaccine.
The documents were served as part of a Virtual Hard Drive (VHD) file that required Windows 10 to be opened without Microsoft’s hypervisor, Hyper-V. The employed malware was heavily obfuscated, the researchers say.
Initially, the adversary delivered the Zebrocy malware’s Delphi variant to the victims, but in mid-November the attackers switched to using the Go version instead.
First used in 2015, the Zebrocy malware functions as a downloader, but is also capable of collecting and exfiltrating information from the infected systems before fetching and executing a next stage payload.
The Delphi version of the malware was the first to be used in attacks, with AutoIT, C++, C#, Delphi, Go, and VB.NET samples discovered afterwards. To date, Zebrocy has been observed mainly in attacks targeting governments and commercial organizations in a large number of countries in Europe, Asia, Africa, and the Middle East.
The VHD file used in the recent attacks appears to have been created on November 20, 2020. It includes a PDF document (containing presentation slides about Sinopharm International Corporation) and an executable posing as a Word document.
The Chinese company referenced in the PDF has been working on a COVID-19 vaccine. Currently in phase three clinical trials, the vaccine has already been given to approximately one million people.
“It may not come as a surprise that the threat group behind Zebrocy is using COVID-19-themed related lures when many vaccines are about to get approved for use. The group is known to use current events as part of their phishing lures,” Intezer points out.
The second file, the Go version of Zebrocy, collects information such as hostname and the path to the TEMP folder and sends it to the command and control (C&C) server. It also includes screenshot functionality, which the author has implemented directly into it, instead of relying on an external library. Screenshots are uploaded to the C&C, which may respond with the next stage payload.
During their investigation, Intezer’s security researchers discovered another Go version of Zebrocy, used in previous attacks, as well as a second VHD file that was uploaded to VirusTotal in October, and which was dropping the Delphi version of the malware. The PDF lure in this file was written in Russian.
“With these recent phishing lures, it’s clear that COVID-19 themed attacks are still a threat and we might see more as vaccines become available to the general public. It’s important that companies use defense-in-depth strategies to protect against threats. Employers should also ensure employees are trained on detecting and reacting to phishing attempts,” Intezer concludes.
48 U.S. States and FTC are suing Facebook for illegal monopolization
11.12.2020 BigBrothers Thehackernews
The US Federal Trade Commission and a coalition of 48 state attorneys general on Wednesday filed a pair of sweeping antitrust suits against Facebook, alleging that the company abused its power in the marketplace to neutralize competitors through its acquisitions of Instagram and WhatsApp and depriving users of better privacy-friendly alternatives.
"Facebook has engaged in a systematic strategy — including its 2012 acquisition of up-and-coming rival Instagram, its 2014 acquisition of the mobile messaging app WhatsApp, and the imposition of anti-competitive conditions on software developers — to eliminate threats to its monopoly," the FTC said in its complaint.
A separate lawsuit filed by New York Attorney General Letitia James also claimed that in illegally acquiring competitors in a predatory manner, the social media company stripped users of the benefits of competition, limited consumer choices, and their access to rivals with better privacy practices.
Specifically, the lawsuits seek to rescind the acquisitions of Instagram and WhatsApp (which it acquired in 2012 and 2014), spinning off both platforms into independent companies, prohibit Facebook from imposing anti-competitive conditions on software developers, and require the company to seek prior notice and approval for future mergers and acquisitions.
In response, Facebook called the lawsuits "revisionist history," while also pointing out the fact that regulators "correctly" allowed these deals to move forward because they did not threaten competition.
"These transactions were intended to provide better products for the people who use them, and they unquestionably did," Facebook's general counsel Jennifer Newstead argued. "The FTC and states stood by for years while Facebook invested billions of dollars and millions of hours to make Instagram and WhatsApp into the apps that users enjoy today."
Besides calling for a breakup of Facebook, the FTC also accused the company of imposing anti-competitive conditions on third-party software developers' access to Facebook APIs by forcing them to refrain from developing competing functionalities and adding features that promote other social networking services.
As an example, the consumer protection agency cited Twitter's now-defunct short-form video app Vine, which had its access to Facebook's friend-finding API cut off on the same day the service launched on iOS following CEO Mark Zuckerberg's stamp of approval.
Newstead, however, claimed this kind of API restriction is a standard practice in the industry. "Where platforms give access to other developers — and many do not provide access at all — they usually prohibit duplication of core functions," she said. "LinkedIn, The New York Times, Pinterest and Uber, to name a few, all have similar policies."
The question of retroactively breaking up Facebook is as much to do with addressing concerns of monopoly as it's about the "harm" caused by failing to meet user privacy expectations.
Essentially, antitrust laws prohibit business practices that unreasonably deprive consumers of the benefits of competition, resulting in higher prices for inferior products and services. But how do you demonstrate people are being harmed by a product that's offered for "free"?
In a paper titled The Antitrust Case Against Facebook, legal scholar Dina Srinivasan argued last year that by forcing users to accept less-than-adequate privacy settings, Facebook's monopoly power harmed consumers by charging them ever-increasing amounts of personal data in exchange for using its platform.
"The price of using Facebook has stayed the same over the years (it's free to join and use), but the cost of using it, calculated in terms of the amount of data that users now must provide, is an order of magnitude above what it was when Facebook faced real competition," Srinivasan said.
The development also comes as regulators and lawmakers are increasingly scrutinizing the business practices of tech companies, and amid Facebook's own plans to intertwine the backend infrastructure of Facebook Messenger, Instagram, and WhatsApp, possibly in part to make the three services harder to separate.
"Overall, we disagree with the government's allegations, and we plan to fight this in court," Zuckerberg said in a post to employees shared by New York Times' Mike Isaac on Twitter. "The reality is that we compete with many other services in everything we do, and we compete fairly."
The lawsuits mark the second major regulatory effort from the US government to check the power of Silicon Valley giants, following the Department of Justice's lawsuit against Google in October for alleged illegal monopolization of the search and online ad markets.
Pompeo Unloads on US Universities for China Ties
10.12.2020 BigBrothers Securityweek
Secretary of State Mike Pompeo on Wednesday accused U.S. universities of caving to Chinese pressure to blunt or bar criticism of the Chinese Communist Party.
The attack, which included identifying two university administrators by name, comes as the Trump administration seeks to cement its anti-China policies before leaving office in January.
Pompeo took aim at universities across the U.S., claiming they refused to address the Trump administration’s concerns about China’s attempts to influence students and academics. He specifically called out the president of MIT, alleging he refused to host Pompeo’s speech, and a senior official at the University of Washington over a case involving a Chinese student.
Both universities swiftly and emphatically denied the charges.
Pompeo defended the Trump administration’s tough stance on China in remarks at the Georgia Institute of Technology. The speech came less than a month before Georgia’s two critical run-off races that will determine control of the Senate.
“Americans must know how the CCP is poisoning the well of our higher education for its own ends, and how those actions degrade our freedoms and our national security. If we don’t educate ourselves, we’ll get schooled by Beijing,” he said. “They know that left-leaning college campuses are rife with anti-Americanism, and present easy target audiences for their anti-American messaging.”
Pompeo has been a champion of the administration’s hardline stance on Chinese policies in Taiwan, Tibet, Hong Kong, the western region of Xinjiang and the South China Sea, and he has made similar pronouncements before. He has imposed multiple layers of sanctions on Chinese officials; restricted visas for Chinese diplomats, journalists and academics; and lobbied other countries to reject Chinese high-tech communications.
But his comments on Wednesday were striking in that he named the two American university officials as complicit in alleged Chinese malfeasance.
Pompeo said he had initially wanted to give his Georgia Tech speech at MIT, but the president of the renowned scientific institution, Rafael Reif, had turned him down for fear of offending Beijing.
“MIT wasn’t interested in having me give this speech on their campus,” Pompeo said. “President Rafael Reif implied that my arguments might insult their ethnic Chinese students and professors.”
MIT spokeswoman Kimberly Allen rejected Pompeo’s assertion, saying the university declined to host the speech because of coronavirus restrictions. She said several other prospective high-level events had also been rejected.
Reif “had real concerns that a high-level visit might not only draw crowds but suggest to students that MIT was not taking its own rules seriously,” she said. “President Reif verbally conveyed MIT’s decision — based on a commitment to the health of our students and our surrounding community — with his deep regrets.”
Pompeo also criticized Sarah Castro, the University of Washington’s director of federal relations, for allegedly refusing to help Vera Zhou, a student of Chinese origin who had been detained in China in 2017, so as not to jeopardize a “multimillion-dollar deal” between the university and Beijing.
“Now, thank God, Vera was eventually released, and returned to the U.S,” Pompeo said of the student. “But no thanks to the University of Washington, and no thanks to its deal with China.”
A statement from university spokesman Victor Balta called Pompeo’s remarks a “shameful” and “outrageous” deflection by an administration that took “no effective action” on behalf of Zhou.
“That the Secretary of State would think a university has more power in this situation than the United States government is bizarre,” he said. “That he would single out a staff member by name is unbecoming of the office and his statement is flatly wrong.”
The university has no record of contact from the State Department regarding any negotiation with China, Balta said, and officials don’t know what “multimillion-dollar deal” Pompeo was referencing. He added that, as of this quarter, Zhou is again enrolled at the university.
Denmark Charges Russian Citizen With Spying for Russia
10.12.2020 BigBrothers Securityweek
A Russian citizen living in Denmark has been charged with espionage for allegedly having provided information about Danish energy technology, among other things, to an unnamed Russian intelligence service, the Danish prosecution authority said Wednesday.
The suspect, who was not identified, has been held in pre-trial custody since the beginning of July, Denmark’s Prosecution Authority said.
The case is based on “a major investigation” by the Danish Security and Intelligence Service, which added that the person had received money in exchange for the information.
If found guilty, the Russian citizen faces up to six years in jail. The prosecution can also seek to have the person deported from Denmark.
The Russian Embassy in Copenhagen identified the suspect as a man and said in a statement that it considers the arrest a mistake and hopes for his acquittal.
“We expect the Danish judiciary to take an unbiased approach to the case,” the Embassy said. “We hope that the court will acquit our citizen and set him free.”
No date has been set for the criminal case, which is expected to be held behind closed doors. Denmark’s TV2 broadcaster said the trial would be held in Aalborg, northern Denmark.
In 2012, Finnish national Timo Kivimaki, who was working with the University of Copenhagen as a researcher, was sentenced to four months in prison for spying on Denmark on behalf of Russia.
EU Agency Assessing Covid-19 Vaccines Hit by Cyberattack
10.12.2020 BigBrothers Securityweek
The EU's medicines regulator said Wednesday it had been the victim of a cyberattack, just weeks before it is due to decide on special approval for two coronavirus vaccines.
The Amsterdam-based European Medicines Agency (EMA) said the incident was being investigated, but did not specify when it took place or whether its work on Covid-19 was targeted.
"EMA has been the subject of a cyberattack. The agency has swiftly launched a full investigation, in close cooperation with law enforcement and other relevant entities," the EMA said in a brief statement.
"EMA cannot provide additional details whilst the investigation is ongoing. Further information will be made available in due course."
An EMA spokeswoman referred back to the statement when asked for more details by AFP.
The Dutch national police high-tech crime team was involved in the probe into the cyberattack, but police gave no more information, the Dutch news agency ANP reported.
The EMA's role as the drugs regulator for the 27-nation EU means it has access to data on the safety and quality of medicines from clinical trials and lab tests from companies that apply for authorisation.
The agency has said it will give a decision on conditional approval for Pfizer/BioNTech's Covid-19 vaccine at a meeting that will be held by December 29 at the latest, while a ruling on Moderna's version should follow by January 12.
It is also carrying out reviews of the vaccines developed by Oxford University-AstraZeneca and Johnson & Johnson.
- Series of warnings -
News of the cyberattack came the day before the EMA's chief Emer Cooke was due to brief the European Parliament about the process for approving coronavirus vaccines.
The EMA -- which moved to Amsterdam from London after Britain left the European Union in January 2019 -- is also due to hold a special online public meeting to discuss Covid-19.
There have also been a series of warnings about hacking related to the coronavirus pandemic.
Britain accused Russian-based, Kremlin-linked hackers in July of targeting labs conducting coronavirus vaccine research.
Cybercriminals have tried to attack several pharmaceutical companies developing vaccines including Johnson & Johnson, Novavax, AstraZeneca and South Korean laboratories, according to the Wall Street Journal.
Spanish laboratories also reportedly have been attacked by Chinese cybercriminals, the El Pais newspaper reported in September.
Microsoft urged a crackdown in November on cyberattacks perpetrated by states and "malign actors" after a spate of hacks disrupted healthcare organisations fighting the virus.
IBM said last week that it too had uncovered a string of attacks, again potentially carried out by state actors, against companies involved in the effort to distribute the vaccine.
The European Commission's Directorate-General for Taxation and Customs Union was one target of the attacks, as well as European and Asian companies involved in the supply chain, IBM said.
Meanwhile, it is not the first time a Netherlands-based international body has been targeted by hackers.
Dutch authorities expelled four alleged Russian intelligence agents in 2018 after an alleged bid to hack the Organisation for the Prohibition of Chemical Weapons in The Hague, using equipment in the back of a car parked in a neighbouring hotel.
Norway Accuses Russian Hackers of Parliament Attack
9.12.2020 BigBrothers Securityweek
Norway's domestic spy agency on Tuesday blamed a Russian hacker group linked to Moscow's military intelligence for a cyberattack on the Norwegian parliament earlier this year.
The Norwegian intelligence agency (PST) said the likely perpetrators were the Fancy Bear collective -- a group regularly accused of attacks including on the US election -- but there was not enough evidence to pursue charges.
A "vast" cyberattack on August 24 gained access to the emails of some MPs and parliamentary employees, officials announced at the time, without speculating on the identity of the attackers.
Norwegian Foreign Minister Ine Eriksen Soreide later accused Russia of being behind the attack, and PST investigators have now strengthened her claims.
"The investigation shows that the network operation which the Storting (Norwegian parliament) was subjected to was part of a broader national and international campaign that has been going on since at least 2019," PST said in a statement.
"Analyses show that it is likely that the operation was led by a cyber actor ... known as APT28 or Fancy Bear. This actor has ties to GRU, Russia's military intelligence agency."
Using a method known as a "brute force attack", where multiple passwords and usernames are submitted with the hope of eventually getting the right combination, the hackers were able to download "sensitive" information, PST said.
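The pattern PST describes, many username and password combinations submitted against one service until one works, leaves a recognisable trace in authentication logs. The following is an added detection example, not code from PST or from any product: it parses a handful of constructed sshd-style log lines and flags a source that accumulates failures in a short window (brute force), a source that tries many distinct usernames in that window (password spraying), and the most urgent case, a successful login from a source with recent failures. The log format, the year used to complete syslog timestamps and the thresholds are assumptions a defender would tune for their own environment.

```python
"""Flag brute-force, password-spray and success-after-failure patterns in auth logs.

Added example; the sshd-like log lines below are constructed, and the
thresholds are assumptions to be tuned per environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (syslog style; sshd omits the year).
SAMPLE_LOG = """\
Aug 24 02:00:01 mailgw sshd[411]: Failed password for invalid user admin from 198.51.100.7 port 51001 ssh2
Aug 24 02:00:02 mailgw sshd[411]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2
Aug 24 02:00:03 mailgw sshd[411]: Failed password for root from 198.51.100.7 port 51003 ssh2
Aug 24 02:00:04 mailgw sshd[411]: Failed password for root from 198.51.100.7 port 51004 ssh2
Aug 24 02:00:05 mailgw sshd[411]: Failed password for root from 198.51.100.7 port 51005 ssh2
Aug 24 02:00:06 mailgw sshd[411]: Accepted password for root from 198.51.100.7 port 51006 ssh2
Aug 24 02:10:00 mailgw sshd[412]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Aug 24 02:10:01 mailgw sshd[412]: Failed password for bob from 203.0.113.9 port 40002 ssh2
Aug 24 02:10:02 mailgw sshd[412]: Failed password for carol from 203.0.113.9 port 40003 ssh2
Aug 24 02:10:03 mailgw sshd[412]: Failed password for dave from 203.0.113.9 port 40004 ssh2
Aug 24 03:30:00 mailgw sshd[413]: Failed password for alice from 192.0.2.44 port 50000 ssh2
Aug 24 03:31:00 mailgw sshd[413]: Accepted publickey for alice from 192.0.2.44 port 50001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2020):
    """Return a dict for an sshd auth line, or None for anything else.

    The year is an assumption: syslog timestamps do not carry one.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(log_text, window=timedelta(minutes=5), fail_threshold=5,
           spray_users=4, success_after=3):
    """Walk the events in time order and raise at most one alert per (source, type)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    recent = defaultdict(list)   # ip -> failures still inside the window
    seen = set()                 # (ip, type) pairs already reported

    def alert(kind, ip, **extra):
        if (ip, kind) not in seen:
            seen.add((ip, kind))
            alerts.append({"type": kind, "ip": ip, **extra})

    for e in events:
        fails = recent[e["ip"]]
        # Expire failures that fell out of the sliding window.
        while fails and e["ts"] - fails[0]["ts"] > window:
            fails.pop(0)
        if e["result"] == "Failed":
            fails.append(e)
            if len(fails) >= fail_threshold:
                alert("brute_force", e["ip"], failures=len(fails))
            users = sorted({f["user"] for f in fails})
            if len(users) >= spray_users:
                alert("password_spray", e["ip"], users=users)
        elif len(fails) >= success_after:
            # A success right after a burst of failures is the case to act on first.
            alert("success_after_failures", e["ip"],
                  user=e["user"], prior_failures=len(fails))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

On the constructed lines this yields three alerts: a brute-force alert and a success-after-failures alert for the first source, and a password-spray alert for the second; the third source, one failed attempt followed by a key-based login, stays below every threshold, which is the kind of benign noise the window and thresholds exist to filter out.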
"The investigation has however not yielded enough elements to bring charges," it said in a statement.
Russia's embassy in Norway has yet to comment on the PST findings, but in October it lambasted Eriksen Soreide's accusation as "unacceptable".
"We consider this a serious and wilful provocation, destructive for bilateral relations," the embassy said on its Facebook page at the time.
While relations are generally good between NATO member Norway and Russia, who share a border in the Far North, several espionage cases on both sides have soured relations in recent years.
Norway's intelligence agency regularly singles out Russia as one of the country's main espionage threats alongside Iran and China.
Chinese Breakthrough in Quantum Computing a Warning for Security Teams
8.12.2020 BigBrothers Threatpost
China joins Google in claiming quantum supremacy with new technology, ratcheting up RSA decryption concerns.
China’s top quantum-computer researchers have reported that they have achieved quantum supremacy, i.e., the ability to perform tasks a traditional supercomputer cannot. And while it’s a thrilling development, the inevitable rise of quantum computing means security teams are one step closer to facing a threat more formidable than anything before.
Researchers from the University of Science and Technology of China explained in the journal Science they were able to get a system they named Jiuzhang to perform a calculation in minutes that would have taken a traditional supercomputer an estimated 10,000 years to solve.
The team joins Google, which claimed it achieved quantum supremacy in Oct. 2019 using a “supercold, superconducting metal,” according to WIRED. IBM has also entered the quantum computing fray, while leveling criticism against Google’s claims of supremacy.
Now, the Chinese researchers have claimed quantum supremacy using a quantum computation called Gaussian boson sampling (GBS), their paper explained, which uses particles of light sent through an optical circuit, measuring the output. This means there are now multiple proven quantum-computing technologies, with surely more to come.
The security concern is that quantum computers will be able to crack RSA public key cryptography, used to protect data in transit. That means security teams will have to pivot to new post-quantum cryptography solutions. A conservative estimate from a 2019 DigiCert report said teams will need to have protections from quantum computing breaches in place by 2022.
To be clear, quantum computing isn’t there just yet. And the Chinese aren’t any closer to being able to decrypt RSA than Google or IBM, but it’s only a matter of time, according to experts.
“China’s new quantum-computing breakthrough is important for a number of reasons,” Tim Hollebeek, industry and standards technical strategist with DigiCert told Threatpost. “First, China has invested heavily in funding quantum-computing research, and this new result shows that that investment is paying off. Second, it means two different approaches to building a quantum computer have now successfully achieved quantum supremacy. This could potentially speed up the arrival of commercially useful quantum computers, as one approach may succeed if and when the other runs into some technical roadblock.”
Quantum Computing and RSA
John Prisco, from Safe Quantum Inc., said the ability for quantum computing to beat RSA is the goal, not the claims of quantum supremacy.
“China’s GBS approach is interesting but cumbersome to implement,” Prisco told Threatpost. “Quantum supremacy is not the prize at the finish line. If it were, Google and IBM finished light years ahead of China’s claim. The finish line is a quantum prime computer capable of breaking encryption as we know it.”
He added when it comes to widespread implementation, the Chinese approach has challenges.
“Scaling the GBS approach to quantum prime levels is not likely, due to the enormity of the integration of classical mirrors and beam splitters,” he explained. “Ion trap or super-conducting quantum computers championed by IonQ and IBM respectively are likely to finish the race to a quantum prime computer well ahead of the China approach in this announcement.”
Nonetheless, Hollebeek warned that time is running short for security teams to prepare to combat malicious actors superpowered by quantum computing.
“While such quantum computers are not a threat to encryption today, they do remind us that the day is coming when that will no longer be true,” he said. “It is important that security professionals start planning for the transition to post-quantum cryptography, as such transitions take many years to plan and implement. The Chinese result probably does not materially change predictions of how soon that will be, but leading organizations still expect it to come within the next 10 years or so. So, it is important to start preparing now.”
The reasonable starting place would be a set of standards. But that’s been slow in coming.
Quantum-Computing Standards
The National Institute for Standards and Technology (NIST) hasn’t determined its guidance yet and is currently in a third round of a competition to decide the final Post-Quantum Cryptology standard going forward. The final draft standards aren’t expected to be available until 2022 at the earliest, according to NIST’s tentative timeline.
But while standards are still being hammered out, there are things business and IT teams can do to get prepared, including gaining an understanding of the looming landscape.
“Factorization of large prime numbers (RSA key cracking) by quantum computers is a real and huge problem,” Prisco warned. “Quantum literacy must improve in government agencies and corporations before a quantum prime computer exists. Creating a quantum-safe environment for data security will not occur overnight.”
Today’s Threat from Quantum Computing
A harvesting attack right now could grab an RSA encryption key to be filed away until quantum computing catches up, he added.
“There is no time to waste, because of other classical security problems like harvesting attacks which occur today,” Prisco said. “A harvesting attack is the theft of encrypted data and the RSA encryption key used to encrypt that data. While the key cannot be hacked today with the currently available quantum computer, an adversary can steal the data and the key, store it inexpensively in memory, and decrypt the info when they have access to a more powerful quantum computer that can break the key.”
April Burdhardt from Quantum Xchange advised that security teams should deploy solutions agile enough to evolve along with both threats and still to-be-determined NIST standards — and they should do it now.
“Companies must start to prepare for the quantum threat now by deploying quantum-safe, crypto-agile solutions that can keep pace with the evolving threat landscape — not to mention guard against harvesting attacks,” Burdhardt told Threatpost. “We encourage companies and government agencies to adopt a multi-layered or defense-in-depth approach to secure-key transfer, protected by NIST post-quantum cryptography-candidate algorithms and/or [quantum key distribution] in a FIPS 140-2 validated implementation.”
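The "crypto-agile" advice above is a design property rather than a product: the protected record must name the suite that protects it, the verifier must dispatch on that name, refuse suites it does not know, and let policy raise the minimum acceptable suite when an old one is retired. The following is an added example (not code from Threatpost, DigiCert or Quantum Xchange) that shows that pattern on an authenticated record format; the two HMAC suites, the `AGL1` marker and the header layout are assumptions standing in for whatever key-establishment or signature suite an organization adopts once NIST's standards land.

```python
import hashlib
import hmac
import struct
from typing import Callable, Dict, Tuple

# Suite registry: numeric id -> (human name, keyed-hash function).
# These HMAC suites are stand-ins (assumed for this example); the agility
# pattern is the same whatever suite replaces them.
MacFn = Callable[[bytes, bytes], bytes]
SUITES: Dict[int, Tuple[str, MacFn]] = {
    1: ("hmac-sha256", lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest()),
    2: ("hmac-sha3-256", lambda key, msg: hmac.new(key, msg, hashlib.sha3_256).digest()),
}

MAGIC = b"AGL1"                 # assumed format marker
HEADER = struct.Struct(">BI")   # suite id (1 byte), payload length (4 bytes)


def protect(suite_id: int, key: bytes, payload: bytes) -> bytes:
    """Wrap payload in a record whose header names the suite that protects it."""
    if suite_id not in SUITES:
        raise ValueError(f"unknown suite {suite_id}")
    _, mac = SUITES[suite_id]
    header = MAGIC + HEADER.pack(suite_id, len(payload))
    # The header is authenticated too, so rewriting the suite id to a weaker one fails.
    return header + payload + mac(key, header + payload)


def verify(record: bytes, key: bytes, min_suite: int = 1) -> Tuple[int, bytes]:
    """Parse a record, dispatch on its suite id, enforce the policy floor, check the tag."""
    if record[:4] != MAGIC:
        raise ValueError("not an agile record")
    hdr_end = 4 + HEADER.size
    suite_id, length = HEADER.unpack(record[4:hdr_end])
    if suite_id not in SUITES:
        raise ValueError(f"unknown suite {suite_id}; refusing rather than guessing")
    if suite_id < min_suite:
        raise ValueError(f"suite {suite_id} is below the policy floor {min_suite}")
    _, mac = SUITES[suite_id]
    header = record[:hdr_end]
    payload = record[hdr_end:hdr_end + length]
    tag = record[hdr_end + length:]
    if len(payload) != length:
        raise ValueError("truncated record")
    if not hmac.compare_digest(mac(key, header + payload), tag):
        raise ValueError("authentication tag mismatch")
    return suite_id, payload


def is_valid(record: bytes, key: bytes, min_suite: int = 1) -> bool:
    try:
        verify(record, key, min_suite)
        return True
    except ValueError:
        return False


def demo() -> Dict[str, bool]:
    """Walk through a migration: old records keep verifying until policy raises the floor."""
    key = b"\x11" * 32                       # constructed key, not a real secret
    old = protect(1, key, b"session key material (constructed)")
    new = protect(2, key, b"session key material (constructed)")
    tampered = old[:-1] + bytes([old[-1] ^ 0x01])
    # A record claiming suite 1 but carrying a tag made another way: the MAC covers the header.
    downgraded = MAGIC + HEADER.pack(1, 1) + b"x" + SUITES[2][1](key, b"x")
    unknown = MAGIC + HEADER.pack(9, 1) + b"x" + b"\x00" * 32
    return {
        "suite1_ok": is_valid(old, key),
        "suite2_ok": is_valid(new, key),
        "floor_rejects_suite1": not is_valid(old, key, min_suite=2),
        "floor_keeps_suite2": is_valid(new, key, min_suite=2),
        "tampered_rejected": not is_valid(tampered, key),
        "downgrade_rejected": not is_valid(downgraded, key),
        "unknown_suite_rejected": not is_valid(unknown, key),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'pass' if result else 'FAIL'}")
```

The `min_suite` floor is what turns agility into a migration tool: data protected under suite 1 stays readable during the transition, and a single policy change rejects it once the old suite is retired, without touching the record format.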
NSA Warns: Patched VMware Bug Under Active Attack
8.12.2020 BigBrothers Threatpost
Feds are warning that adversaries are exploiting a weeks-old bug in VMware’s Workspace One Access and VMware Identity Manager products.
Active attacks against a flaw in VMware’s Workspace One Access continue, three days after the vendor patched the vulnerability and urged customers to fix the bug (classified as a zero-day at the time). Now the U.S. National Security Agency (NSA) has escalated concerns, warning on Monday that foreign adversaries have zeroed in on exploiting the flaw, specifically in VMware’s Workspace One Access and its Identity Manager products.
Those VMware products are two of 12 impacted by a command-injection vulnerability, tracked as CVE-2020-4006, and patched on Friday. At the time, VMware said there were no reports of exploitation in the wild.
According to the NSA, Russian-state threat actors are now leveraging the vulnerability to launch attacks to pilfer protected data and abuse shared authentication systems.
“The exploitation(s), via command injection, led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services, which in turn granted the actors access to protected data,” wrote the NSA in its security bulletin (PDF).
SAML stands for Security Assertion Markup Language, which is a standard used by organizations to exchange authentication and authorization data. SAML is used primarily as a means of enabling single sign-on between web domains.
“It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration,” the NSA wrote. “Otherwise, SAML assertions could be forged, granting access to numerous resources. If integrating authentication servers with ADFS, NSA recommends following Microsoft’s best practices, especially for securing SAML assertions and requiring multi-factor authentication.”
VMware originally disclosed the vulnerability in late November – identifying it as an escalation-of-privileges flaw that impacts Workspace One Access and other platforms, for both Windows and Linux operating systems. A total of 12 product versions are impacted by the flaw.
On Friday, VMware urged customers to update affected systems to the latest version as soon as possible to mitigate the issue. On Monday, the NSA urged IT security teams to review and harden configurations and monitoring of federated authentication providers. Details regarding a number of workaround mitigations are described by the NSA (PDF) and VMware.
“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” VMware wrote in an updated advisory last week.
At the time, VMware revised the CVSS severity rating for the bug from “critical” to “important,” explaining that an attacker would need prior knowledge of a password associated with one of the affected products to exploit the vulnerability.
The password would need to be obtained via tactics such as phishing or brute forcing/credential stuffing, it wrote.
The Department of Homeland Security’s US-CERT, on Monday, also updated an existing security bulletin regarding the bug. However, the agency did not attribute the attacks to any specific group.
Europol Warns COVID-19 Vaccine Rollout Vulnerable to Fraud, Theft
8.12.2020 BigBrothers Threatpost
European Union’s law-enforcement agency, has issued a warning about the rise of vaccine-related Dark Web activity.
With the promise of a widely available COVID-19 vaccine on the horizon, Europol, the European Union’s law-enforcement agency, has issued a warning about the rise of vaccine-related Dark Web activity.
The agency joins a chorus of security professionals that have concerns about widespread attacks on the COVID-19 vaccine rollout.
The warning comes after Europol discovered a Mexico-based operation pushing fake influenza vaccines on the cybercrime underground in October. It said it is likely that these same actors will see another opportunity with the rollout of a COVID-19 vaccine.
“The detection of a fake influenza vaccine confirms that criminals seize opportunities as soon as they present themselves,” the Europol warning read. “Owing to the pandemic, the demand for the influenza vaccine has been higher than usual and there risks being a shortage. Criminals have reacted quickly by producing counterfeit influenza vaccines. The same scenario is also likely to happen when COVID-19 vaccines do become available.”
It’s a golden opportunity for cybercriminals, who can use fake vaccine offers as bait. Europol added that high demand for the vaccine and potential shortages will likely drive consumers online looking for alternatives.
“Some dark web markets feature advertisements for fake COVID-19 vaccines,” according to Europol. “The number of offers is limited at this stage but will likely increase once a legitimate vaccine becomes available. Criminals advertise their fake vaccines using the brands of genuine pharmaceutical companies that are already in the final stages of testing.”
COVID-19 Vaccine Phishing Attempts
The anticipation of a COVID-19 vaccine is precisely the kind of global event cybercriminals have learned to leverage into profits. There have been several other recent developments which clearly demonstrate that malicious actors will eagerly endanger public health if it means raising a quick buck, or Bitcoin.
Already, researchers have reported a phishing campaign spread across six countries targeting organizations associated with The Vaccine Alliance’s Cold Chain Equipment Optimizations Platform (CCEOP) program.
The attackers sent phishing emails to impersonate an executive of Haier Biomedical, a company known to the recipients as a member and reportedly the sole end-to-end cold supply chain provider, which is needed to deliver the COVID-19 vaccine, IBM reported.
“The targets included the European Commission’s Directorate-General for Taxation and Customs Union, as well as organizations within the energy, manufacturing, website creation and software and internet security solutions sectors. These are global organizations headquartered in Germany, Italy, South Korea, Czech Republic, greater Europe and Taiwan,” IBM’s report said. “Spear-phishing emails were sent to select executives in sales, procurement, information technology and finance positions, likely involved in company efforts to support a vaccine cold chain. We also identified instances where this activity extended organization-wide to include help and support pages of targeted organizations.”
Operation Warp Speed Warning
As a result of the IBM X-Force findings, CISA issued guidance to Operation Warp Speed organizations to boost security related to COVID-19 vaccine storage and transport.
“Impersonating a biomedical company, cyber-actors are sending phishing and spearphishing emails to executives and global organizations involved in vaccine storage and transport to harvest account credentials,” CISA’s Dec. 3 statement said. “The emails have been posed as requests for quotations for participation in a vaccine program.”
There have been signs for months that cybercriminals saw COVID-19 as a money-making opportunity.
COVID vaccine manufacturer Dr. Reddy’s Laboratories was forced to shut down factories in Brazil, India, the U.K. and U.S. in late October, which were contracted to make the Russian vaccine “Sputnik V.” And the APT group DarkHotel targeted the World Health Organization last March, in an attempt to steal any information they could find related to tests, vaccines or trial cures.
And just last month, antigen firm Miltenyi, which manufactures critical supplies for testing and treatment of COVID-19, fell victim to a malware attack, which slowed communications and operations across its operation spread across 73 countries.
And there doesn’t seem to be any relief in sight for already beleaguered pharmaceutical and healthcare teams anywhere in the world, meaning general security vigilance, even under these stressful circumstances, is more important than ever.
“There’s been an intense upscale in attacks,” Chloé Messdaghi, vice president of strategy at Point3 Security told Threatpost. “Anything connected to sensitive data for COVID-19 is definitely under threat by foreign nation-state actors or foreign competing companies looking to find usable information. Or it could be an individual attacker or a group of attackers trying to collect money.”
Russian Hackers Exploiting Recently Patched VMware Flaw, NSA Warns
8.12.2020 BigBrothers Securityweek
Russian state-sponsored hackers have been exploiting a vulnerability that VMware patched recently in some of its products, the National Security Agency (NSA) warned on Monday.
The vulnerability is tracked as CVE-2020-4006 and it has been found to impact the VMware Workspace ONE Access identity management product and some related components, including Identity Manager (vIDM) on Linux, vIDM Connector on Windows and Linux, VMware Cloud Foundation and vRealize Suite Lifecycle Manager.
An attacker who has gained access to the system’s web-based management interface can exploit the vulnerability to execute arbitrary commands with elevated privileges on the underlying operating system.
VMware first disclosed the vulnerability on November 23, when it told customers that it had been working on a fix. A few days ago, when it announced the availability of patches, the virtualization giant revealed that it learned of the flaw from the NSA, but without mentioning active exploitation.
In an advisory published on Monday, the NSA said “Russian state-sponsored malicious cyber actors” have been exploiting CVE-2020-4006, but it has not shared any information on the group (or groups) that launched the attacks or any of the targets. Based on the disclosure timeline, it’s likely that the security hole was being exploited before a patch was released.
The NSA did say that the vulnerability has been exploited as part of an attack that resulted in the attackers gaining access to sensitive data.
“The exploitation via command injection led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS), which in turn granted the actors access to protected data,” the NSA said in its advisory.
The agency highlighted that setting a unique and strong password, as well as ensuring that the web-based management interface is not accessible from the internet, reduces the risk of exploitation. However, it noted that setting a strong password “would likely not mitigate an existing compromise.”
The NSA’s advisory also includes information that can help organizations detect attacks — an “exit” statement followed by a 3-digit number in the configurator.log file indicates an attack — but the agency has not shared other indicators of compromise (IOCs) that could be useful to defenders, such as hashes and IP addresses.
While the NSA’s advisory focuses on providing advice to government organizations, the U.S. government, through the DHS’s Cybersecurity and Infrastructure Security Agency (CISA), has also alerted the private sector about the risk posed by CVE-2020-4006.
NSA Warns Russian Hacker Exploiting VMware Bug to Breach Corporate Networks
8.12.2020 BigBrothers Thehackernews
The US National Security Agency (NSA) on Monday issued an advisory warning that Russian threat actors are leveraging a recently disclosed VMware vulnerability to install malware on corporate systems and access protected data.
Specifics regarding the identities of the threat actor exploiting the VMware flaw or when these attacks started were not disclosed.
The development comes two weeks after the virtualization software company publicly disclosed the flaw—affecting VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector products for Windows and Linux—without releasing a patch and three days after releasing a software update to fix it.
In late November, VMware pushed temporary workarounds to address the issue, stating permanent patches for the flaw were "forthcoming." But it wasn't until December 3 that the escalation-of-privileges bug was entirely resolved.
That same day, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a brief bulletin encouraging administrators to review and apply the patch as soon as possible.
Tracked as CVE-2020-4006, the command injection vulnerability was originally given a CVSS score of 9.1 out of a maximum of 10 but was revised last week to 7.2 to reflect the fact that a malicious actor must possess valid credentials for the configurator admin account in order to attempt exploitation.
"This account is internal to the impacted products and a password is set at the time of deployment," VMware said in its advisory. "A malicious actor must possess this password to attempt to exploit CVE-2020-4006."
Although VMware didn't explicitly mention the bug was under active exploitation in the wild, according to the NSA, adversaries are now leveraging the flaw to launch attacks to pilfer protected data and abuse shared authentication systems.
"The exploitation via command injection led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services, which in turn granted the actors access to protected data," the agency said.
SAML or Security Assertion Markup Language is an open standard and an XML-based markup for exchanging authentication and authorization data between identity providers and service providers to facilitate single sign-on (SSO).
Besides urging organizations to update affected systems to the latest version, the agency also recommended securing the management interface with a strong, unique password.
Furthermore, the NSA advised enterprises to regularly monitor authentication logs for anomalous authentications as well as scan their server logs for the presence of "exit statements" that can suggest possible exploitation activity.
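Both the Securityweek piece above ("an 'exit' statement followed by a 3-digit number in the configurator.log file") and this one ("scan their server logs for the presence of 'exit statements'") describe the same detection. The following is an added example, not code from the NSA advisory or from VMware, that runs that check over constructed log lines; the regular expression is an assumption derived from the prose description, and the log path in `scan_file` is a placeholder to be replaced with the real location of configurator.log on the appliance.

```python
import re
from typing import Iterable, List, Tuple

# Pattern derived from the NSA description: the word "exit" followed by
# exactly three digits. Word boundaries and the trailing lookahead keep
# "exited" and "exit 1234" from matching. (Assumed regex, not the NSA's.)
EXIT_PATTERN = re.compile(r"\bexit\s+(\d{3})(?!\d)")


def find_exit_indicators(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, line) for every line that carries the indicator."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        if EXIT_PATTERN.search(line):
            hits.append((lineno, line.rstrip("\n")))
    return hits


def scan_file(path: str = "/PLACEHOLDER/path/to/configurator.log") -> List[Tuple[int, str]]:
    """Scan a log file on disk; the default path is a placeholder, not the real one."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_exit_indicators(fh)


# Constructed sample lines for a stand-alone run; not an excerpt from a real appliance.
SAMPLE_LOG = [
    "2020-12-04 10:01:22 INFO  configurator started",
    "2020-12-04 10:05:13 INFO  exit 123",
    "2020-12-04 10:05:14 DEBUG exited cleanly with status 0",
    "2020-12-04 10:06:00 INFO  exit 7",
    "2020-12-04 10:07:41 WARN  exit 404 ",
    "2020-12-04 10:08:02 INFO  exit 1234 (not three digits)",
]


if __name__ == "__main__":
    for lineno, line in find_exit_indicators(SAMPLE_LOG):
        print(f"line {lineno}: {line}")
```

A hit is a reason to treat the appliance as possibly compromised and to review the federated authentication logs the advisory points at; because the NSA published no hashes or addresses, this log pattern is the only concrete indicator the advisory gives.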
U.S., Australia Partner on Virtual Cyber Training Range Development
7.12.2020 BigBrothers Securityweek
The United States and Australia on Friday announced a partnership for the continuous development of a virtual cyber training range.
The Cyber Training Capabilities Project Arrangement, which was signed on November 3, results in the incorporation of Australian Defense Force feedback into the U.S. Cyber Command’s simulated training domain, the Persistent Cyber Training Environment (PCTE).
A cyber-training platform for defensive missions, PCTE is meant to provide a collaborative environment for cyber forces worldwide to leverage existing content to train at all times.
Cyber-training ranges that the U.S. and allied cyber forces built were only designed for specific scenarios, meaning that they would only be used once. Courtesy of shared use and development, PCTE is expected to constantly evolve and keep pace with tactics, techniques and procedures.
“This project arrangement is a milestone for U.S.-Australian cooperation. It is the first cyber-only arrangement established between the U.S. Army and an allied nation, which highlights the value of Australia's partnership in the simulated training domain,” commented the U.S. signatory and deputy assistant secretary of the Army for defense exports and cooperation, Elizabeth Wilson.
The U.S. Army leads the PCTE development, working with the program executive office for the implementation of the cooperative cyber project with Australia. PCTE, which saw its first production version released in February 2020, is part of the U.S. military's Joint Cyber Warfighting Architecture.
The platform delivers a series of reconfigurable environments, such as virtual emulations of live networks, to enable simultaneous training activities. PCTE also includes an iterative development process, to ensure continuous evolution.
Through partnerships, all allied cyber-forces gain better insights of threat actors and can improve their defenses, and training platforms “enable lethal cyber mission forces” for both the U.S. and its allies, the U.S. argues.
In the long term, PCTE is expected to provide the cyberspace workforce within the U.S. Department of Defense with the ability to develop and conduct “full-spectrum, combined and joint cyberspace training, exercises, certification and mission rehearsal in a training environment” capable of emulating a realistic operational environment.
“To counter known and potential adversarial threats, the Army has recalibrated our strategic thinking; we've made smart decisions to refocus our efforts to invest in the new, emerging and smart technologies that will strengthen our ability to fight and win our nation's wars,” Wilson said.
The new U.S.-Australia project arrangement is valued at $215.19 million over a period of six years.
Iranian RANA Android Malware Also Spies On Instant Messengers
7.12.2020 Android BigBrothers Thehackernews
A team of researchers today unveiled previously undisclosed capabilities of an Android spyware implant—developed by a sanctioned Iranian threat actor—that could let attackers spy on private chats from popular instant messaging apps, force Wi-Fi connections, and auto-answer calls from specific numbers for purposes of eavesdropping on conversations.
In September, the US Department of the Treasury imposed sanctions on APT39 (aka Chafer, ITG07, or Remix Kitten) — an Iranian threat actor backed by the country's Ministry of Intelligence and Security (MOIS) — for carrying out malware campaigns targeting Iranian dissidents, journalists, and international companies in the telecom and travel sectors.
Coinciding with the sanctions, the Federal Bureau of Investigation (FBI) released a public threat analysis report describing several tools used by Rana Intelligence Computing Company, which operated as a front for the malicious cyber activities conducted by the APT39 group.
Formally linking the operations of APT39 to Rana, the FBI detailed eight separate and distinct sets of previously undisclosed malware used by the group to conduct their computer intrusion and reconnaissance activities, including an Android spyware app called "optimizer.apk" with information-stealing and remote access capabilities.
"The APK implant had information stealing and remote access functionality which gained root access on an Android device without the user's knowledge," the agency stated.
"The main capabilities include retrieving HTTP GET requests from the C2 server, obtaining device data, compressing and AES-encrypting the collected data, and sending it via HTTP POST requests to the malicious C2 server."
ReversingLabs, in a newly published report today, dug deeper into this implant ("com.android.providers.optimizer") using a previous unobfuscated version of the malware described in the FBI Flash report.
According to researcher Karlo Zanki, not only did the implant have permissions to record audio and take photos for government surveillance purposes, but it also contained a feature to add a custom Wi-Fi access point and force a compromised device to connect to it.
"This feature was probably introduced to avoid possible detection due to unusual data traffic usage on the target's mobile account," Zanki said in an analysis.
Also of note was the ability to automatically answer calls from specific phone numbers, thereby allowing the threat actor to tap conversations on demand.
Besides featuring support for receiving commands sent via SMS messages, the latest variant of "optimizer" malware referenced by the FBI abused accessibility services to access contents of instant messaging applications such as WhatsApp, Instagram, Telegram, Viber, Skype, and an unofficial Iran-based Telegram client called Talaeii.
It's worth noting that Telegram had previously issued "unsafe" warnings to users of Talaeii and Hotgram in December 2018 following disclosure from the Center for Human Rights in Iran (CHRI) citing security concerns.
"When targeting individuals, threat actors often want to monitor their communication and movement," Zanki concluded. "Mobile phones are most suitable for such goals because of the computing power contained in your pocket, and the fact that most people carry them all the time."
"Since the Android platform maintains the biggest part of the global smartphone market share, it follows that it is also the primary target of mobile malware."
US Cyber Command and Australian IWD to develop shared cyber training range
7.12.2020 BigBrothers Securityaffairs
US Cyber Command and the Information Warfare Division (IWD) of the Australian Defense Force to develop a virtual cyber training platform.
The United States and Australia have signed a first-ever cyber agreement to develop a virtual cyber training platform; the project will be designed by the U.S. Cyber Command (USCYBERCOM) and the Information Warfare Division (IWD) of the Australian Defense Force.
As a result of the bilateral agreement, the IWD’s feedback will be incorporated in the USCYBERCOM’s Persistent Cyber Training Environment (PCTE). The Persistent Cyber Training Environment (PCTE) supports the United States Cyber Command (USCYBERCOM) by enabling a critical need for the DoD and Joint Cyberspace Operations Forces to train at the individual, team, and force level.
The two countries have already developed cyber training ranges separately and are now joining forces.
“This project arrangement is a milestone for U.S.-Australian cooperation. It is the first cyber-only arrangement established between the U.S. Army and an allied nation, which highlights the value of Australia’s partnership in the simulated training domain,” said Elizabeth Wilson, U.S. signatory and Deputy Assistant Secretary of the Army for Defense Exports and Cooperation. “To counter known and potential adversarial threats, the Army has recalibrated our strategic thinking; we’ve made smart decisions to refocus our efforts to invest in the new, emerging and smart technologies that will strengthen our ability to fight and win our nation’s wars.”
The agreement is valued at $215.19 million over six years and provides the flexibility to develop cyber training capabilities for the future.
“Cyber mission forces first identified the need for a shared, iterative virtual cyber range during exercise Cyber Flag 2015 and has since galvanized an expedited effort to define the requirement and find technical solutions. Leveraging agile acquisition and rapid prototyping, cyber mission operators actively test and provide feedback during development, enabling PCTE to meet their operational needs.” reads the press release published by the US Cyber Command.
“The long-term goal for PCTE is to provide the DOD cyberspace workforce the capability to build and conduct full-spectrum, combined and joint cyberspace training, exercises, certification and mission rehearsal in a training environment. The training environment requirements, driven by training objectives and user-defined specifications, must emulate a realistic operational environment that provides scope, scalability and fidelity.”
The PCTE platform was launched in February 2020 as a component of the U.S. military’s Joint Cyber Warfighting Architecture, and it allows multiple independent cyber training operations to run simultaneously.
“The Cyber Training Capabilities Project Arrangement signed today by Australia and the US is an example of how the cyber mission forces of the U.S. and Australia work together and showcases success in the Armaments Cooperation,” USCYBERCOM added.
Italy Says Two Arrested for Defense Data Theft
6.12.2020 BigBrothers Securityweek
Two people have been arrested for stealing defense data from the Italian aerospace and electronics group Leonardo, the interior ministry said on Saturday.
The company has a wide range of activities from naval electronics, network and protection systems, electronic warfare and global communications, according to its website.
Along with European partners, Leonardo is involved in the MBDA group that makes several kinds of missiles, for example.
"At the end of a complex investigation by the Naples prosecutor into a serious computer attack against Leonardo .. a former worker and a company director were arrested," a ministry statement said.
A program inserted into dozens of work computers via a USB stick at the company's plant in Pomigliano d'Arco, near Naples, allowed hackers to harvest data on projects, including strategic ones, over a two-year period.
The attack was uncovered by a computer crime unit at the prosecutor's office, which issued arrest warrants for illegal access to a computer system, interception of IT communications and illegal use of personal data.
The head of Leonardo's anti-hacking unit was also arrested for obstructing the investigation and providing false information on the nature of the attacks and their effects.
Investigators said that from May 2015 until January 2017, the group's IT system was targeted by an "Advanced persistent threat" led by a worker tasked with keeping the computers secure.
They did not provide extensive details on which systems had been hacked.
In January 2017, Leonardo officials uncovered abnormal data traffic from work stations that was generated by so-called malware dubbed "cftmon.exe".
Hackers were able to intercept messages that were typed into the computers and capture images from their screens.
Some of the work stations were used to create strategic products and services for Italy's defence.
A total of 94 computers were compromised, including 48 that belonged to companies working in the aerospace sector.
No less than 10 gigabytes of data, equivalent to around 100,000 files, were lifted from the plant in Pomigliano d'Arco, including information on components of civilian and military aircraft.
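The malware name the investigators cite, "cftmon.exe", reads as a one-character shuffle of the legitimate Windows binary ctfmon.exe (that resemblance is my reading, not something the ministry statement says). A hunt for that kind of naming is cheap to run over a process inventory. The following is an added example, not code from the investigation or from Leonardo: it flags process names one edit or transposition away from a short list of well-known system binaries, and known names running from outside their expected directories. The binary list, the expected directories and the sample inventory are assumptions constructed for the example.

```python
from typing import Iterable, List, Tuple

# Small assumed set of Windows binaries whose names are worth impersonating,
# and the directories they are expected to run from (lower-case, backslashes).
KNOWN_SYSTEM_BINARIES = {"ctfmon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus one
    adjacent transposition, so 'cftmon' is a single step from 'ctfmon'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_process(name: str, path: str) -> str:
    """Return a finding for one process, or an empty string when nothing looks off."""
    name_l = name.lower()
    path_l = path.lower().replace("/", "\\")
    if name_l in KNOWN_SYSTEM_BINARIES:
        # Exact system name: the only question is whether it runs from where it should.
        if not path_l.startswith(EXPECTED_DIRS):
            return f"{name}: known system binary name running from unexpected path {path}"
        return ""
    for known in sorted(KNOWN_SYSTEM_BINARIES):
        if osa_distance(name_l, known) == 1:
            return f"{name}: lookalike of {known} (path {path})"
    return ""


def scan(processes: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Run check_process over (name, path) pairs and keep the non-empty findings."""
    findings: List[Tuple[str, str]] = []
    for name, path in processes:
        finding = check_process(name, path)
        if finding:
            findings.append((name, finding))
    return findings


# Constructed process inventory; not data from the Leonardo investigation.
SAMPLE_PROCESSES = [
    ("ctfmon.exe", r"C:\Windows\System32\ctfmon.exe"),
    ("cftmon.exe", r"C:\Users\operator\AppData\Roaming\cftmon.exe"),
    ("svchost.exe", r"C:\Users\Public\svchost.exe"),
    ("notepad.exe", r"C:\Windows\System32\notepad.exe"),
]


def demo() -> List[Tuple[str, str]]:
    return scan(SAMPLE_PROCESSES)


if __name__ == "__main__":
    for _, finding in demo():
        print("FINDING", finding)
```

Feeding this the output of a periodic process or autorun inventory is the point: a two-year dwell time, as reported here, is what a recurring, boring check is meant to cut short.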
Iranian hackers access unsecured HMI at Israeli Water Facility
5.12.2020 BigBrothers Securityaffairs
A group of Iranian hackers gained access to an unprotected ICS at an Israeli water facility and posted a video as proof of the hack.
Researchers from industrial cybersecurity firm OTORIO revealed that a group of Iranian hackers gained access to an unprotected ICS at the Israeli water facility. The threat actors accessed a human-machine interface (HMI) system that was left unsecured online and published a video of the hack.
The hackers claimed to have breached an Israeli water facility, likely recycled water, in a video that was published the night of December 1st, 2020.
“The reservoir’s HMI system was connected directly to the internet, without any security appliance defending it or limiting access to it. Furthermore, at the time of the publication, the system did not use any authentication method upon access.” reads the blog post published by OTORIO.
“This gave the attackers easy access to the system and the ability to modify any value in the system, allowing them, for example, to tamper with the water pressure, change the temperature and more. All the adversaries needed was a connection to the world-wide-web, and a web browser.”
This access could have allowed the attackers to interact with processes at the water facility by manipulating the value of parameters such as water pressure and temperature.
The accessed system was secured by the administrators on December 2, but it was still exposed online.
Experts noticed that the system still allows communications on port 502, which is used by the Modbus protocol; Modbus has no built-in authentication or encryption, so an attacker could easily interact with the system over it.
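The reason port 502 matters is visible in the wire format: a Modbus/TCP request is a seven-byte MBAP header followed by a function code and its operands, with no field for a credential anywhere. The following is an added example, not code from OTORIO or from the facility, that parses that header from constructed frames and applies the only control the protocol itself leaves open to a defender, an allow list of hosts permitted to send write functions; the sample addresses, frames and allow list are assumptions built for the example.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Modbus function codes grouped by their effect on the process.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

MBAP = struct.Struct(">HHHB")  # transaction id, protocol id (0), length, unit id


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int            # starting coil/register address
    count_or_value: int     # quantity for reads, value for single writes

    @property
    def is_write(self) -> bool:
        return self.function_code in WRITE_FUNCTIONS

    @property
    def name(self) -> str:
        return (WRITE_FUNCTIONS.get(self.function_code)
                or READ_FUNCTIONS.get(self.function_code)
                or f"function {self.function_code}")


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the MBAP header and the leading PDU fields of a request frame."""
    if len(frame) < MBAP.size + 5:
        raise ValueError("frame too short")
    tid, pid, length, uid = MBAP.unpack(frame[:MBAP.size])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:   # length counts unit id + PDU, not the first six header bytes
        raise ValueError("MBAP length does not match frame size")
    fc = frame[MBAP.size]
    address, count_or_value = struct.unpack(">HH", frame[MBAP.size + 1:MBAP.size + 5])
    return ModbusRequest(tid, uid, fc, address, count_or_value)


def flag_unauthorized_writes(traffic: Iterable[Tuple[str, bytes]],
                             allowed_writers: Iterable[str]) -> List[str]:
    """Return an alert line for every write request from a source outside the allow list."""
    allowed = set(allowed_writers)
    alerts: List[str] = []
    for src, frame in traffic:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append(f"{src}: malformed frame ({exc})")
            continue
        if req.is_write and src not in allowed:
            alerts.append(f"{src}: {req.name} on unit {req.unit_id}, "
                          f"address {req.address}, value {req.count_or_value}")
    return alerts


# Constructed traffic sample (source address, raw TCP payload); not a capture from the incident.
SAMPLE_TRAFFIC = [
    ("10.0.0.5",     bytes.fromhex("0001 0000 0006 01 03 0000 0002")),  # read 2 holding registers
    ("203.0.113.77", bytes.fromhex("0002 0000 0006 01 06 0010 0001")),  # write register 16 := 1
    ("10.0.0.5",     bytes.fromhex("0003 0000 0006 01 06 0010 0100")),  # write from allowed host
]
ALLOWED_WRITERS = ["10.0.0.5"]   # constructed engineering-station address


def demo() -> List[str]:
    return flag_unauthorized_writes(SAMPLE_TRAFFIC, ALLOWED_WRITERS)


if __name__ == "__main__":
    for alert in demo():
        print("ALERT", alert)
```

The same allow list belongs in the firewall or ICS gateway in front of port 502, not only in a monitor; the monitor earns its keep by catching writes that arrive over a path the firewall rules missed, which is exactly how an internet-facing HMI ends up reachable.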
At the time of this writing, it is not clear if the intrusion has caused any damage.
OTORIO experts said that the Iranian crew behind the attack, named “Unidentified TEAM,” published the breach over its Telegram channel. This group also hit other American websites, including a governmental education website in Texas.
“In that case, the attackers stated they are avenging the death of Iranian nuclear scientist Mohsen Fakhrizadeh, who was assassinated at the end of November 2020.” concludes the post.
In April an attack hit an Israeli water facility attempting to modify water chlorine levels. In June, officials from the Water Authority revealed two more cyber attacks on other facilities in the country.
Two cyber-attacks took place in June and according to the officials, they did not cause any damage to the targeted infrastructure.
One of the attacks hit agricultural water pumps in upper Galilee, while the other one hit water pumps in the central province of Mateh Yehuda.
Israel’s National Cyber Directorate announced to have received reports of cyber attacks aimed at supervisory control and data acquisition (SCADA) systems at wastewater treatment plants, pumping stations and sewage facilities.
Organizations are recommended to implement supplementary security measures to protect SCADA systems used in the water and energy sectors. The government urges operators to immediately change the passwords of control systems exposed online, ensure that their software is up to date, and reduce their exposure online.
VMware Patches Workspace ONE Access Vulnerability Reported by NSA
5.12.2020 BigBrothers Securityweek
VMware on Thursday released patches for a Workspace ONE Access security flaw that was identified and reported by the National Security Agency (NSA).
Formerly VMware Identity Manager, Workspace ONE Access delivers multi-factor authentication, single sign-on, and conditional access functionality for SaaS, mobile and web applications.
Tracked as CVE-2020-4006, the recently discovered vulnerability has been downgraded from critical to important severity (its CVSS score dropped from 9.1 to 7.2), because VMware discovered that an attacker looking to exploit the flaw needs valid credentials for the configurator admin account.
Initially, VMware did not provide information on who identified the security bug, but an update it made to its advisory this week, in conjunction with the release of patches, revealed that the NSA discovered it. VMware also published workaround instructions for the issue.
An adversary capable of exploiting the vulnerability could execute commands on a vulnerable system.
“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” VMware explains in its advisory.
The company also underlines that the configurator admin account is internal to the affected products and that a password for it is set at deployment. The attacker needs that password for a successful attack.
The command injection flaw was found to affect Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector, Cloud Foundation, and vRealize Suite Lifecycle Manager. Patches were released for impacted products on both Linux and Windows.
Iranian Hackers Access Unprotected ICS at Israeli Water Facility
5.12.2020 BigBrothers Securityweek
A group of Iranian hackers recently posted a video showing how they managed to access an industrial control system (ICS) at a water facility in Israel.
According to industrial cybersecurity firm OTORIO, the hackers accessed a human-machine interface (HMI) system that was directly connected to the internet without any authentication or other type of protection. The target was apparently a reclaimed water reservoir.
“This gave the attackers easy access to the system and the ability to modify any value in the system, allowing them, for example, to tamper with the water pressure, change the temperature and more. All the adversaries needed was a connection to the world-wide-web, and a web browser,” OTORIO said in a blog post.
The hackers published their video on December 1 and by the next day the owner of the compromised system made some changes to prevent access to the HMI without authentication. However, OTORIO researchers noticed that the system itself is still exposed to the internet, allowing more skilled attackers to access it.
Cybersecurity professionals have long warned that malicious actors could cause serious damage to organizations in the energy and water sectors by targeting exposed HMIs.
OTORIO told SecurityWeek that the target is a relatively small site with a capacity of roughly 4-6 million cubic meters.
The company’s researchers could not say for sure what type of damage the attackers could have caused but said the “damage potential is very high.”
“Often there are other safety mechanisms (some mechanical) that can reduce the damage, but if such a system is not in place, the consequences can be catastrophic,” Noam Even, threat intelligence researcher at OTORIO, told SecurityWeek.
The Iranian hacker group that targeted this water facility in Israel is called the “Unidentified TEAM” and it does not appear to possess deep capabilities or knowledge for targeting industrial systems.
The same group recently also targeted a governmental education website in Texas, which the hackers claimed was in response to the killing of Mohsen Fakhrizadeh, a top Iranian nuclear scientist. Both Iranian and US officials reportedly said Israel was behind the assassination.
This is not the first time Iranian hackers have targeted Israel’s water sector. There were at least two rounds of attacks this year, mainly targeting smaller, local facilities. Authorities said the attacks did not cause any damage, but the attackers apparently knew how to target industrial systems.
OTORIO’s Even told SecurityWeek that Israel’s water and water treatment facilities are generally secure, but noted that private facilities such as the one targeted earlier this month are “very loosely regulated and can be an easy target for attackers.”
US Intelligence Director Says China is Top Threat to America
5.12.2020 BigBrothers Securityweek
China poses the greatest threat to America and the rest of the free world since World War II, outgoing National Intelligence Director John Ratcliffe said Thursday as the Trump administration ramps up anti-Chinese rhetoric to pressure President-elect Joe Biden to be tough on Beijing.
“The intelligence is clear: Beijing intends to dominate the U.S. and the rest of the planet economically, militarily and technologically,” Ratcliffe wrote in an op-ed published Thursday in The Wall Street Journal. “Many of China’s major public initiatives and prominent companies offer only a layer of camouflage to the activities of the Chinese Communist Party.”
“I call its approach of economic espionage ‘rob, replicate and replace,’” Ratcliffe said. “China robs U.S. companies of their intellectual property, replicates the technology and then replaces the U.S. firms in the global marketplace.”
In Beijing, foreign ministry spokesperson Hua Chunying dismissed the editorial as a further move to spread “false information, political viruses and lies” in hopes of damaging China’s reputation and China-U.S. relations.
“It offered nothing new but repeated the lies and rumors aimed at smearing China and playing up the China threat by any means,” Hua said at a daily briefing on Friday. “It’s another hodgepodge of lies being produced by the relevant departments of the U.S. government for some time.”
Trump administration officials have been stepping up their anti-China rhetoric for months, especially during the presidential campaign as President Donald Trump sought to deflect blame for the spread of the coronavirus. On the campaign trail, Trump warned that Biden would go easy on China, although the president-elect agrees that China is not abiding by international trade rules, is giving unfair subsidies to Chinese companies and stealing American innovation.
The Trump administration, which once boasted of warm relations with Chinese President Xi Jinping, also has been ramping up sanctions against China over Taiwan, Tibet, trade, Hong Kong and the South China Sea. It has moved against the Chinese telecoms giant Huawei and sought restrictions on Chinese social media applications like TikTok and WeChat.
Ratcliffe, a Trump loyalist who has been accused of politicizing the position, has been the nation’s top intelligence official since May. In his op-ed, he did not directly address the transition to a Biden administration. Trump has not acknowledged losing the election.
Ratcliffe said he has shifted money within the $85 billion annual intelligence budget to address the threat from China. Beijing is preparing for an open-ended confrontation with the U.S., which must be addressed, he said.
“This is our once-in-a-generation challenge. Americans have always risen to the moment, from defeating the scourge of fascism to bringing down the Iron Curtain,” Ratcliffe wrote in what appeared to be a call to action for future intelligence officials.
Biden has announced that he wants the Senate to confirm Avril Haines, a former deputy director of the CIA, to succeed Ratcliffe as the next national intelligence director.
“This generation will be judged by its response to China’s effort to reshape the world in its own image and replace America as the dominant superpower,” Ratcliffe wrote.
He cited several examples of Chinese aggression against the United States:
The Justice Department has charged a rising number of U.S. academics for transferring U.S. taxpayer-funded intellectual property to China.
He noted the theft of intellectual property from American businesses, citing the case of Sinovel, a China-based wind turbine maker, which was convicted and heavily fined for stealing trade secrets from AMSC, a U.S.-based manufacturer formerly known as American Superconductor Inc. Rather than pay AMSC for more than $800 million in products and services it had agreed to purchase, Sinovel hatched a scheme to steal AMSC’s proprietary wind turbine technology, causing the loss of almost 700 jobs and more than $1 billion in shareholder equity, according to the Justice Department.
Ratcliffe and other U.S. officials have said that China has stolen sensitive U.S. defense technology to fuel Xi’s aggressive military modernization plan and they allege that Beijing uses its access to Chinese tech firms, such as Huawei, to collect intelligence, disrupt communications and threaten the privacy of users worldwide.
Ratcliffe said he has personally briefed members of Congress about how China is using intermediaries to lawmakers in an attempt to influence legislation.
Hackers Targeting Companies Involved in Covid-19 Vaccine Distribution
5.12.2020 BigBrothers Thehackernews
A global spear-phishing campaign has been targeting organizations associated with the distribution of COVID-19 vaccines since September 2020, according to new research.
Attributing the operation to a nation-state actor, IBM Security X-Force researchers said the attacks took aim at the vaccine cold chain, companies responsible for storing and delivering the COVID-19 vaccine at safe temperatures.
The development has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert, urging Operation Warp Speed (OWS) organizations and companies involved in vaccine storage and transport to review the indicators of compromise (IoCs) and beef up their defenses.
It is unclear whether any of the phishing attempts were successful, but the company said it has notified appropriate entities and authorities about this targeted attack.
The phishing emails, dating to September, targeted organizations in Italy, Germany, South Korea, the Czech Republic, greater Europe, and Taiwan, including the European Commission's Directorate-General for Taxation and Customs Union, unnamed solar panel manufacturers, a South Korean software development firm, and a German website development company.
IBM said the attacks likely targeted organizations linked to the Gavi vaccine alliance with the goal of harvesting user credentials to gain future unauthorized access to corporate networks and sensitive information relating to the COVID-19 vaccine distribution.
To lend the emails an air of credibility, the operators behind the operation crafted lures that masqueraded as requests for quotations for participation in a vaccine program. The attackers also impersonated a business executive from Haier Biomedical, a legitimate China-based cold chain provider, in an attempt to convince the recipients to open the inbound emails without questioning the sender's authenticity.
"The emails contain malicious HTML attachments that open locally, prompting recipients to enter their credentials to view the file," IBM researchers Claire Zaboeva and Melissa Frydrych said.
Although the researchers could not establish the identities of the threat actor, the ultimate objective, it appears, is to harvest the usernames and passwords and abuse them to steal intellectual property and move laterally across the victim environments for subsequent espionage campaigns.
COVID-19 Vaccine Research Emerges a Lucrative Target
COVID-19 vaccine research and development has been a target of sustained cyberattacks since the start of the year.
Back in June, IBM disclosed details of a similar phishing campaign targeting a German entity connected with procuring personal protective equipment (PPE) from China-based supply and purchasing chains.
The cyberassaults led the US Department of Justice to charge two Chinese nationals for stealing sensitive data, including from companies developing COVID-19 vaccines, testing technology, and treatments, while operating both for private financial gain and on behalf of China's Ministry of State Security.
In November, Microsoft said it detected cyberattacks from three nation-state agents in Russia (Fancy Bear aka Strontium) and North Korea (Hidden Cobra and Cerium) directed against pharmaceutical companies located in Canada, France, India, South Korea, and the US that are involved in COVID-19 vaccines in various stages of clinical trials.
Last week, it emerged that suspected North Korean hackers had targeted British drugmaker AstraZeneca by posing as recruiters on LinkedIn and WhatsApp, approaching its employees with fake job offers and tricking them into opening what were purported to be job description documents in order to gain access to their systems and install malware.
Hackers are targeting COVID-19 vaccine cold chain
4.12.2020 BigBrothers Securityaffairs
IBM X-Force experts warned of threat actors actively targeting organizations associated with the COVID-19 vaccine cold chain.
Researchers from IBM X-Force warned of threat actors actively targeting organizations associated with the COVID-19 vaccine cold chain. The experts uncovered a large scale spear-phishing campaign that has been ongoing since September 2020. Threat actors are impersonating a biomedical company, Haier Biomedical, and are sending out spear-phishing messages to executives and global organizations involved in vaccine storage and transport. Haier Biomedical is a legitimate member company of the COVID-19 vaccine supply chain, it is also a qualified supplier for the CCEOP program.
Organizations involved in the cold chain play a crucial role in the distribution of the forthcoming COVID-19 vaccines because the shipment must maintain the vaccine at temperatures of minus 70 degrees Celsius for the one made by Pfizer and minus 20 Celsius for the Moderna one.
“The COVID-19 phishing campaign spanned across six countries and targeted organizations likely associated with Gavi, The Vaccine Alliance’s Cold Chain Equipment Optimization Platform (CCEOP) program,” reads the analysis published by IBM.
“Spear-phishing emails were sent to select executives in sales, procurement, information technology and finance positions, likely involved in company efforts to support a vaccine cold chain. We also identified instances where this activity extended organization-wide to include help and support pages of targeted organizations.”
One of the targets of this campaign is the European Commission’s Directorate-General for Taxation and Customs Union; other targeted organizations operate in the energy, manufacturing, and IT sectors.
The phishing campaign hit global organizations with headquarters in Germany, Italy, South Korea, Czech Republic, greater Europe, and Taiwan. The attackers aim at harvesting account credentials to use in further attacks against the same organizations.
DHS CISA also issued an alert warning organizations working on the COVID-19 cold chain of targeted attacks carried out by nation-state actors.
“Impersonating a biomedical company, cyber actors are sending phishing and spearphishing emails to executives and global organizations involved in vaccine storage and transport to harvest account credentials. The emails have been posed as requests for quotations for participation in a vaccine program.” reads the alert published by DHS CISA.
“The Cybersecurity and Infrastructure Security Agency (CISA) encourages Operation Warp Speed (OWS) organizations and organizations involved in vaccine storage and transport to review the IBM X-Force report Attackers Are Targeting the COVID-19 Vaccine Cold Chain.”
The TTPs observed in this campaign and the nature of the target suggest the involvement of a nation-state actor.
“While attribution is currently unknown, the precision targeting and nature of the specific targeted organizations potentially point to nation-state activity. Without a clear path to a cash-out, cyber-criminals are unlikely to devote the time and resources required to execute such a calculated operation with so many interlinked and globally distributed targets.” continues the report published by IBM X-Force.
“Likewise, insight into the transport of a vaccine may present a hot black-market commodity, however, advanced insight into the purchase and movement of a vaccine that can impact life and the global economy is likely a high-value and high-priority nation-state target.”
US, Estonia Partnered to Search Out Cyber Threat From Russia
4.12.2020 BigBrothers Securityweek
In the modern twist on old-fashioned war games, the U.S. military dispatched cyber fighters to Estonia this fall to help the small Baltic nation search out and block potential cyber threats from Russia. The goal was not only to help a NATO partner long targeted by its powerful neighbor but also to gain insight on Russian tactics that could be used against the U.S. and its elections.
The U.S. Cyber Command operation occurred in Estonia from late September to early November, officials from both countries disclosed this week, just as the U.S. was working to safeguard its election systems from foreign interference and to keep coronavirus research from the prying reach of hackers in countries including Russia and China.
Estonian officials say they found nothing malicious during the operation.
The mission, an effort analogous to two nations working jointly in a military operation on land or sea, represents an evolution in cyber tactics by U.S. forces who had long been more accustomed to reacting to threats but are now doing more — including in foreign countries — to glean advance insight into malicious activity and to stop attacks before they reach their targets.
The Defense Department has worked to highlight that more aggressive “hunt forward” strategy in recent years, particularly after Russia interfered through hacking and covert social media campaigns in the run-up to the 2016 presidential election. American officials were on high alert for similar interference in 2020 but described no major problems on Nov. 3.
“When we look at the threats that we face, from Russia or other adversaries, it really is all about the partnerships and our ability to expand really the scope, scale and pace of operations in order to make it more difficult for adversaries to execute operations either in the United States, Estonia or other places,” Brig. Gen. William Hartman, commander of the Cyber National Mission Force, said in a conference call with a small group of reporters this week.
Estonia, a former Soviet republic, was in some ways a natural fit for a partnership with Cyber Command because in years past it has been a cyber target of nearby Russia, including crippling attacks on government networks in 2007.
Estonian officials say they have since strengthened their cyber defenses, created a cybersecurity strategy and developed their own cyber command, which like the U.S. version is part of the country’s military.
While nothing malicious was found on the networks during the exercise, “what we did learn is how the U.S. conducts these kinds of operations, which is definitely useful for us because there are a lot of kind of capability developments that we are doing right now,” said Mihkel Tikk, deputy commander of Estonia’s Cyber Command.
Tikk added: “In some areas, it is wise to learn from others than having to reinvent the wheel.”
Hartman declined to discuss specifics of the operation but said the networks in Estonia were “very well defended.”
“I don’t want anyone to leave here with the impression that Estonian networks were full of adversary activity from a broad range of nation states” because that is not the case, he added.
Gen. Paul Nakasone, the commander of Cyber Command and the director of the National Security Agency, has hinted at a more aggressive, proactive federal government approach to cyber threats.
In an August piece for Foreign Affairs magazine, for instance, Nakasone wrote that U.S cyber fighters have moved away from a “reactive, defensive posture” and are increasingly engaging in combat with foreign adversaries online.
Cyber Command has worked in past years with countries including Montenegro and North Macedonia on similar missions. Estonian officials say they believe the partnership could be a deterrent to countries such as Russia.
“These kinds of operations, I think, they will continue,” said Undersecretary of Defense Margus Matt. But, he added, “I don’t know how much we will speak of them publicly.”
U.S. officials say they think the risks of a proactive approach — a country could regard such an operation as a provocation toward a broader international cyber conflict — are outweighed by the benefits.
“We believe that inaction in cyberspace contributes to escalation more than reasonable action in cyberspace,” said Thomas Wingfield, deputy assistant secretary of defense for cyber policy.
FBI Warns of Auto-Forwarding Email Rules Abused for BEC Scams
3.12.2020 BigBrothers Securityweek
The Federal Bureau of Investigation (FBI) has issued a notification to warn organizations of scammers setting up auto-forwarding email rules to facilitate business email compromise (BEC) schemes.
Cybercriminals are exploiting the mass shift to telework during the COVID-19 pandemic to conduct malicious operations, including BEC scams that are more likely to succeed because the attackers abuse email auto-forwarding rules.
In 2019, BEC losses surpassed $1.7 billion, the FBI said in February 2020.
According to the FBI, the attackers are able to conceal their activity through auto-forwarding rules implemented on victims’ web-based email clients, but which often do not sync with the desktop client, thus hiding the malicious rules from security administrators.
Using social engineering and stolen credentials, the attackers gain access to victim email accounts and engage in communication with specific employees to redirect pending or future money transfers to attacker-controlled accounts.
By creating auto-forwarding rules, the scammers prevent the victim from identifying fraudulent communications and ensure the success of their malicious activity. If web and desktop mail clients are not actively synced, administrators may not have visibility into the fraudulent activity.
“If businesses do not configure their network to routinely sync their employees’ web-based emails to the internal network, an intrusion may be left unidentified until the computer sends an update to the security appliance set up to monitor changes within the email application. This leaves the employee and all connected networks vulnerable to cyber criminals,” the FBI warns.
One incident in which cyber-criminals set up such auto-forwarding email rules was observed in August 2020 and targeted a US-based medical equipment company. The attackers were able to impersonate a known international vendor and obtained $175,000 from the victim.
In another incident that occurred the same month, the same threat actor targeted the web-based email of an organization in the manufacturing sector. Three rules were created, to identify and forward emails containing specific terms (including bank, invoice, wide, and payment) to the attacker’s email address.
To stay protected, organizations should ensure web and desktop email clients are synced; email addresses are not altered; multi-factor authentication is enabled for all accounts; automatic forwarding of emails to external addresses is prohibited; unnecessary legacy email protocols are eliminated; emails coming from external addresses are flagged; and malicious emails are blocked.
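The rule pattern described above (external forwarding keyed on terms such as bank, invoice, wide and payment, created in the web client where desktop-side monitoring may not see it) can be audited from a mailbox-rule export. The script below is an added example, not the FBI's or any vendor's code; the rule records and their field names are constructed for illustration and do not follow a real product's export schema.

```python
"""Audit exported mailbox inbox rules for the BEC auto-forwarding pattern:
rules that forward or redirect mail to an external address, scored higher when
they key on finance terms, were created via the web client, or delete the
message after forwarding. Rule records and field names are constructed for this
example (assumed layout, not a real mail product's export format)."""
from dataclasses import dataclass, field

# Finance-related trigger words reported in the FBI notification.
SUSPICIOUS_TERMS = {"bank", "invoice", "wide", "payment"}


@dataclass
class InboxRule:
    mailbox: str                  # owner of the mailbox the rule lives in
    name: str
    enabled: bool
    forward_to: list = field(default_factory=list)  # forward / redirect targets
    keywords: list = field(default_factory=list)    # subject/body "contains" terms
    created_via: str = "desktop"  # "web" or "desktop" client (assumed field)
    delete_after_forward: bool = False


def is_external(address: str, internal_domains: set) -> bool:
    """True when the address's domain is not one of the organisation's own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in internal_domains


def score_rule(rule: InboxRule, internal_domains: set) -> tuple:
    """Return (score, reasons); 0 means nothing noteworthy.
    Only enabled rules with at least one external target are scored."""
    reasons = []
    external = [a for a in rule.forward_to if is_external(a, internal_domains)]
    if not external or not rule.enabled:
        return 0, reasons
    score = 3
    reasons.append(f"forwards to external address(es): {', '.join(external)}")
    hits = {k.lower() for k in rule.keywords} & SUSPICIOUS_TERMS
    if hits:
        score += 2
        reasons.append(f"keyed on finance terms: {', '.join(sorted(hits))}")
    if rule.created_via == "web":
        score += 1
        reasons.append("created in the web client (may be missing from desktop sync)")
    if rule.delete_after_forward:
        score += 1
        reasons.append("deletes the message after forwarding (hides it from the owner)")
    return score, reasons


def audit_rules(rules, internal_domains):
    """Return findings as (score, mailbox, rule name, reasons), highest score first."""
    findings = []
    for r in rules:
        score, reasons = score_rule(r, internal_domains)
        if score:
            findings.append((score, r.mailbox, r.name, reasons))
    findings.sort(key=lambda f: f[0], reverse=True)
    return findings


# Constructed sample export: two benign rules, one matching the described pattern,
# and one external forward that is disabled (not scored).
SAMPLE_RULES = [
    InboxRule("cfo@example.com", "Move newsletters", True, [], ["newsletter"]),
    InboxRule("ap@example.com", "Copy to shared AP box", True,
              ["ap-team@example.com"], ["invoice"]),
    InboxRule("ap@example.com", ".", True, ["billing.update@attacker.invalid"],
              ["bank", "invoice", "wide", "payment"], "web", delete_after_forward=True),
    InboxRule("sales@example.com", "Forward all", False, ["me@attacker.invalid"], [], "web"),
]
INTERNAL_DOMAINS = {"example.com"}

if __name__ == "__main__":
    for score, mailbox, name, reasons in audit_rules(SAMPLE_RULES, INTERNAL_DOMAINS):
        print(f"[{score}] {mailbox} rule {name!r}")
        for why in reasons:
            print("    -", why)
```

A single-character rule name like "." is itself a common tell, since attackers tend to give hidden rules inconspicuous names; the sample above includes one for that reason.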
State-Sponsored Hackers Likely Behind Attacks on COVID-19 Vaccine Cold Chain
3.12.2020 BigBrothers Securityweek
An unknown threat actor that is likely sponsored by a nation state is believed to be behind a recent phishing campaign targeting the COVID-19 vaccine cold chain, IBM Security reported on Thursday.
The company’s researchers believe the attacks started sometime in September and evidence suggests that the attackers have targeted organizations in at least six European and Asian countries.
The targets appear to be associated with the Cold Chain Equipment Optimization Platform (CCEOP) of Gavi, the Vaccine Alliance, whose main goal is to improve access to vaccines in poor countries. The CCEOP was launched a few years ago by Gavi and its partners due to the need for temperature-controlled environments to ensure that vaccines remain cold and effective until they reach their destination.
The coronavirus pandemic and the approval of COVID-19 vaccines are leading to an increase in demand for such solutions so it’s not surprising that entities related to the CCEOP have been targeted.
The attacks observed by IBM involved phishing emails apparently coming from an executive at Haier Biomedical, a Chinese firm that is qualified for the CCEOP program and which is said to be the only complete cold chain solutions provider in the world. The phishing emails, posing as a request for quotation related to the CCEOP program, were sent to executives in IT, sales, procurement and finance departments, and in some cases to a wide range of employees within the targeted organization.
The emails contained an HTML file that instructed recipients to enter their credentials in order to view its content. By attaching the phishing page directly to an email, the attackers can reduce the risk of their phishing pages being detected and shut down.
IBM Security researchers believe that the goal of the campaign may have been to collect credentials that would give the attackers access to internal communications and information on the distribution of a COVID-19 vaccine.
Targets of the attack included the European Commission’s Directorate General for Taxation and Customs Union, which could serve as an entry point to high-value organizations across the European Union, as well as companies in the IT, energy and manufacturing sectors that could provide access to valuable information related to the distribution of a coronavirus vaccine. Targeted organizations have been notified, but it’s unclear if any of them took the bait.
“However, the established role that Haier Biomedical currently plays in vaccine transport, and their likely role in COVID-19 vaccine distribution, increases the probability the intended targets may engage with the inbound emails without questioning the sender’s authenticity,” IBM Security explained in a blog post.
IBM has not been able to definitively link the campaign to a known group, but its sophistication and targets suggest that it’s a state-sponsored operation.
“Without a clear path to a cash-out, cyber criminals are unlikely to devote the time and resources required to execute such a calculated operation with so many interlinked and globally distributed targets,” it explained. “Likewise, insight into the transport of a vaccine may present a hot black-market commodity, however, advanced insight into the purchase and movement of a vaccine that can impact life and the global economy is likely a high-value and high-priority nation-state target.”
It would not be surprising to learn that a state-sponsored threat actor is indeed behind these attacks given the accusations made since the start of the pandemic by various countries. The US has accused China, the UK has accused Russia, and Microsoft has accused both Russia and North Korea of targeting vaccine research.
CISA, FBI Warn of Attacks Targeting U.S. Think Tanks
2.12.2020 BigBrothers Securityweek
Threat actors are continuously targeting United States think tanks, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warn.
This persistent malicious activity, the two agencies say, mostly targets individuals and organizations that are connected to international affairs or which focus on national security policy.
The adversaries, CISA and the FBI say in an advisory this week, attempt initial access through spear-phishing and third-party messaging services, targeting both corporate and personal accounts of intended victims.
At the same time, the attackers attempt to exploit vulnerable devices that are exposed to the Internet, along with remote connection capabilities within the target networks.
“Increased telework during the COVID-19 pandemic has expanded workforce reliance on remote connectivity, affording malicious actors more opportunities to exploit those connections and to blend in with increased traffic,” the advisory reads.
Other initial access techniques employed in these attacks include virtual private networks (VPNs), as well as other remote work tools. Such utilities are also employed to achieve persistence on the victim environments.
These approaches, the two agencies point out, require little effort from the attackers, but could yield high rewards when successful, including access to sensitive information and user credentials and achieving persistent access to the compromised systems.
“Given the importance that think tanks can have in shaping U.S. policy, CISA and FBI urge individuals and organizations in the international affairs and national security sectors to immediately adopt a heightened state of awareness,” the advisory reads.
CISA and the FBI also provide a list of tactics, techniques, and procedures (TTPs) employed by the threat actors targeting U.S. think tanks, along with mitigation recommendations and details on how organizations can strengthen their security posture.
Report Claims CIA Controlled Second Swiss Encryption Firm
30.11.20 BigBrothers Securityweek
Swiss politicians have voiced outrage and demanded an investigation after revelations that a second Swiss encryption company was allegedly used by the CIA and its German counterpart to spy on governments worldwide.
"How can such a thing happen in a country that claims to be neutral like Switzerland?" co-head of Switzerland's Socialist Party, Cedric Wermuth, asked in an interview with Swiss public broadcaster SRF late Thursday.
He called for a parliamentary inquiry after an SRF investigation broadcast on Wednesday found that a second Swiss encryption firm had been part of a spectacular espionage scheme orchestrated by US and German intelligence services.
A first investigation had revealed back in February an elaborate, decades-long set-up, in which the CIA and its German counterpart creamed off the top-secret communications of governments through their hidden control of a Swiss encryption company called Crypto.
SRF's report this week found that a second but smaller Swiss encryption firm, Omnisec, had been used in the same way.
That company, which was split off from Swiss cryptographic equipment maker Gretag in 1987, sold voice, fax and data encryption equipment to governments around the world until it halted operations two years ago.
SRF's investigative programme Rundschau concluded that, like Crypto, Omnisec had sold manipulated equipment to foreign governments and armies.
Omnisec meanwhile also sold its faulty OC-500 series devices to several federal agencies in Switzerland, including its own intelligence agencies, as well as to Switzerland's largest bank, UBS, and other private companies in the country, the SRF investigation showed.
- Espionage within Switzerland? -
The findings unleashed fresh outrage in Switzerland, which is still reeling from the Crypto revelations.
"This shows that the problem is broader than just one company and we still have no answers on the political responsibility aspect," Wermuth said.
Hans-Peter Portmann, a parliamentarian with the Liberal Party, agreed, saying he was particularly concerned to learn "Swiss businesses are likely implicated and possibly affected."
"This raises the question of espionage even within the country," he told SRF.
An investigation by the Swiss parliament's Control Delegation into the Crypto case concluded earlier this month that Switzerland's own intelligence service had benefitted from the information gathered by its foreign counterparts through the encryption firm.
According to the revelations in February by SRF, the Washington Post and German broadcaster ZDF, Crypto served for decades as a Trojan horse to spy on governments worldwide.
The company supplied devices for encoded communications to some 120 countries from after World War II to the beginning of this century, including to Iran, South American governments, India and Pakistan.
Unknown to those governments, Crypto was secretly acquired in 1970 by the US Central Intelligence Agency together with the BND, then West Germany's Federal Intelligence Service.
Together they rigged Crypto's equipment to be able to easily break the codes and read the government customers' messages.
Citing a classified internal CIA history of what was originally called operation "Thesaurus" and later "Rubicon," the reports said that in the 1980s the harvest from the Crypto machines supplied roughly 40 percent of all the foreign communications US code-breakers processed for intelligence.
Vietnam-Linked Cyberspies Use New macOS Backdoor in Attacks
30.11.20 BigBrothers Securityweek
Trend Micro’s security researchers have identified a new macOS backdoor that they believe is used by the Vietnamese threat actor OceanLotus.
Also referred to as APT-C-00 and APT32, and believed to be well-resourced and determined, OceanLotus has been observed mainly targeting government and corporate entities in Southeast Asia. Earlier this year, the group engaged in COVID-19 espionage attacks targeting China.
Compared to previous malware variants associated with OceanLotus, the newly discovered sample shows similarities in dynamic behavior and code, clearly suggesting a link to the threat actor.
A document used in the campaign features a Vietnamese name, which has led researchers to believe that users from Vietnam have been targeted with the new malware.
The observed sample masquerades as a Word document, but it is actually an app bundle packed in a ZIP archive; the bundle's name contains special characters, in an attempt to evade detection.
The app bundle, Trend Micro explains, is seen by the operating system as an unsupported directory type, meaning that the 'open' command is used to execute it.
Within the app bundle, the security researchers discovered two files, namely a shell script that performs multiple malicious routines, and a Word file that is displayed during execution.
The shell script removes the file quarantine attribute from the files in the bundle and from other files on the system, copies the Word document to a temp directory and opens it, extracts the second-stage binary and changes its access permissions, and finally deletes the malware app bundle and the Word document from the system.
As for the second stage payload, it is responsible for dropping a third-stage payload, creating persistence, changing the timestamp of the sample using the touch command, and deleting itself.
The third-stage payload, which uses encrypted strings, has two main functions: one collects operating system information and sends it to the command and control (C&C) servers, while the other receives additional communication information and performs the backdoor activities.
Similar to older OceanLotus samples, the backdoor can perform various operations based on received commands: get file size, fetch and run file, remove/download/upload file, exit, run commands in the terminal, and get configuration information.
Trend Micro, which also analyzed some of the C&C domains used by the new sample, recommends that organizations train employees to refrain from clicking on links or downloading attachments from suspicious sources, keep operating systems and applications updated, and deploy security solutions to stay protected.
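The lure described above (an app bundle inside a ZIP, a document-like name padded with special characters, a shell script as the bundle's executable and a decoy Word file beside it) can be screened for before anything is opened. The following triage script is an added example, not Trend Micro's tooling; the archives it builds are constructed sample data, and the embedded "script" only echoes a string.

```python
"""Triage a ZIP archive for a macOS app bundle posing as a document.

Added example, not Trend Micro's tooling: the checks encode the traits the
article describes (an .app bundle inside a ZIP whose name ends in a document
extension, special characters in the name, a shell script as the bundle's
executable and a decoy document alongside it). The archives built below are
constructed sample data; the sample script only echoes a string.
"""
import io
import unicodedata
import zipfile

# Extensions a lure would borrow to look like an ordinary document.
DOCUMENT_EXTENSIONS = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx")


def _strip_invisible(name):
    """Drop control/format characters (zero-width spaces, bidi marks, ...)."""
    return "".join(ch for ch in name if not unicodedata.category(ch).startswith("C"))


def analyse_zip(data):
    """Inspect an in-memory ZIP (bytes) and return a findings dict."""
    findings = {"app_bundles": [], "document_lookalikes": [], "odd_names": [],
                "script_payloads": [], "decoy_documents": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        bundles = sorted({n.split("/", 1)[0] for n in names
                          if "/" in n and n.split("/", 1)[0].lower().endswith(".app")})
        for top in bundles:
            findings["app_bundles"].append(top)
            visible = _strip_invisible(top[:-4]).rstrip()   # roughly what Finder shows
            if visible.lower().endswith(DOCUMENT_EXTENSIONS):
                findings["document_lookalikes"].append(top)
            if _strip_invisible(top) != top:
                findings["odd_names"].append(top)
            for n in names:
                if n.endswith("/") or not n.startswith(top + "/"):
                    continue
                if n.startswith(f"{top}/Contents/MacOS/"):
                    # the bundle's executable: `open` runs it; a shebang means a script
                    if zf.read(n)[:2] == b"#!":
                        findings["script_payloads"].append(n)
                elif n.lower().endswith(DOCUMENT_EXTENSIONS):
                    findings["decoy_documents"].append(n)
    findings["suspicious"] = bool(findings["document_lookalikes"] or findings["odd_names"]
                                  or findings["script_payloads"])
    return findings


def build_lure_archive():
    """Constructed sample: bundle named 'Quarterly report.doc<ZWSP>.app' with a script and decoy."""
    buf = io.BytesIO()
    bundle = "Quarterly report.doc\u200b.app"
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{bundle}/Contents/Info.plist", "<plist/>")
        zf.writestr(f"{bundle}/Contents/MacOS/Quarterly report", "#!/bin/sh\necho sample\n")
        zf.writestr(f"{bundle}/Contents/Resources/Quarterly report.doc", "decoy document")
    return buf.getvalue()


def build_benign_archive():
    """Constructed sample: an ordinary bundle whose executable starts with a Mach-O magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Calculator.app/Contents/Info.plist", "<plist/>")
        zf.writestr("Calculator.app/Contents/MacOS/Calculator", b"\xcf\xfa\xed\xfe" + b"\0" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, archive in (("lure", build_lure_archive()), ("benign", build_benign_archive())):
        print(label, analyse_zip(archive))
```

The check on the bundle name is the important one: a zero-width space between ".doc" and ".app" is invisible in most file listings, so the comparison is done on the name with format characters removed.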
Tens of Dormant North American Networks Suspiciously Resurrected at Once
30.11.20 BigBrothers Securityweek
More than fifty networks in the North American region suddenly burst to life after being dormant for a long period of time, Spamhaus reveals.
The Geneva-based international nonprofit organization is focused on tracking spam, phishing, malware, and botnets, and provides threat intelligence that can help filter spam and related threats.
Last week, the organization noticed that, within days, 52 dormant networks in the ARIN (North America) region were resurrected concurrently, and that each of them was being announced by a different autonomous system number (ASN) that had also been inactive for a significant period of time.
“In 48 cases, these are /20 networks amounting to 4096 IPv4 addresses, and in the remaining 4 cases, they are /19 networks with 8192 addresses,” Spamhaus explains.
The main issue, the organization explains, is that while a single organization occasionally brings its network back online after a long pause (itself a rare occurrence), the chances of 52 organizations doing so at the same time are almost zero.
Furthermore, Spamhaus could not establish a connection between these networks and the ASNs announcing them, except for the fact that they had been inactive for a long period of time.
“Traceroutes and pings indicate that they are all physically hosted in the New York City area, in the US,” the organization notes.
While investigating the incident, Spamhaus also discovered that the Border Gateway Protocol (BGP) paths that connect these networks to their hosting facility involve Ukrainian ASNs, and that these Ukrainian companies are connecting these networks to major backbones.
“Given the unlikelihood that these routes are legitimate, we have placed almost all of them on our DROP (Do not Route or Peer) list, until their owners clarify the situation,” the organization notes.
The organization has published full details on these networks, as well as information on associated resources and their Spamhaus Block List (SBL) IDs.
While some of the routes had been withdrawn shortly after resurrection, many were still up and running toward the end of the week.
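The pattern Spamhaus describes (prefixes idle for years, each re-announced by an origin ASN that was itself idle, all within days of each other) can be expressed as a simple heuristic over route history. The script below is an added example, not Spamhaus's method; thresholds are assumptions, the records are constructed, and the prefixes come from private RFC 1918 space so nothing refers to a real network.

```python
"""Spot dormant IPv4 prefixes that come back to life together.

Added example, not Spamhaus's method: it turns the pattern the article
describes (prefixes idle for years, each re-announced by an origin ASN that
was itself idle, all within days of each other) into a heuristic over
constructed route-history records. Thresholds are assumptions.
"""
import ipaddress
from datetime import date, timedelta

DORMANT_DAYS = 365   # assumed: idle at least this long counts as dormant
WINDOW_DAYS = 7      # assumed: reappearances inside this window are "concurrent"
MIN_CLUSTER = 10     # assumed: this many concurrent resurrections is alarming


def find_concurrent_resurrections(records):
    """records: dicts with prefix, asn, prefix_last_seen, asn_last_seen, reappeared (dates).
    Returns the largest cluster of dormant prefix/ASN pairs that reappeared within WINDOW_DAYS."""
    dormant = [r for r in records
               if (r["reappeared"] - r["prefix_last_seen"]).days >= DORMANT_DAYS
               and (r["reappeared"] - r["asn_last_seen"]).days >= DORMANT_DAYS]
    dormant.sort(key=lambda r: r["reappeared"])
    best = []
    for i, first in enumerate(dormant):          # sliding window over reappearance dates
        window = [r for r in dormant[i:]
                  if (r["reappeared"] - first["reappeared"]).days <= WINDOW_DAYS]
        if len(window) > len(best):
            best = window
    prefixes = [r["prefix"] for r in best]
    asns = [r["asn"] for r in best]
    return {
        "alarming": len(best) >= MIN_CLUSTER,
        "prefixes": prefixes,
        "one_asn_per_prefix": len(set(asns)) == len(asns),
        "addresses": sum(ipaddress.ip_network(p).num_addresses for p in prefixes),
    }


def sample_records():
    """Constructed history: ten /20s and two /19s idle since 2016 resurface in one week,
    plus one control prefix that has been announced all along."""
    week = date(2020, 11, 16)
    rows = []
    for i in range(12):
        prefix = f"10.{i}.0.0/20" if i < 10 else f"10.{100 + i}.0.0/19"
        rows.append({"prefix": prefix, "asn": 64500 + i,
                     "prefix_last_seen": date(2016, 3, 1),
                     "asn_last_seen": date(2015, 9, 1),
                     "reappeared": week + timedelta(days=i % 3)})
    rows.append({"prefix": "10.250.0.0/24", "asn": 64496,
                 "prefix_last_seen": week - timedelta(days=1),
                 "asn_last_seen": week - timedelta(days=1),
                 "reappeared": week})
    return rows


if __name__ == "__main__":
    print(find_concurrent_resurrections(sample_records()))
```

The address count uses the same arithmetic as the article (a /20 holds 4096 addresses, a /19 holds 8192), and the "one ASN per prefix" flag captures the detail that each resurrected network had its own, previously idle, origin.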
North Korean hackers allegedly behind cyberattacks on AstraZeneca
28.11.20 BigBrothers Securityaffairs
The Reuters agency revealed in an exclusive that the COVID vaccine maker AstraZeneca was targeted by alleged North Korea-linked hackers.
According to a report published by Reuters, suspected North Korea-linked hackers targeted AstraZeneca, one of the companies that are developing a COVID vaccine.
The attack attempts took place in recent weeks, two people with knowledge of the matter told Reuters. The attackers used a well-known tactic: posing as recruiters on popular social networks and instant messaging applications, including LinkedIn and WhatsApp, they approached AstraZeneca employees with fake job offers.
“They then sent documents purporting to be job descriptions that were laced with malicious code designed to gain access to a victim’s computer.” reported Reuters. “The hacking attempts targeted a “broad set of people” including staff working on COVID-19 research, said one of the sources, but are not thought to have been successful.”
Pyongyang has always denied carrying out cyberattacks on healthcare organizations and entities involved in the development of a vaccine.
The attribution to North Korea is based on the analysis of the tools and techniques used in the attacks, which significantly overlap with those of an ongoing hacking campaign that U.S. officials and cybersecurity researchers have attributed to North Korea.
According to the experts, the same campaign also aimed at defence companies, media organisations, and COVID-related targets, such as vaccine scientists and drugmakers.
A report recently published by the Canadian Centre for Cyber Security, titled “National Cyber Threat Assessment 2020,” warns of risks associated with state-sponsored operations from China, Russia, Iran, and North Korea.
Nation-state actors linked to the above countries pose the greatest strategic threats to Canada and according to the report, they will continue to attempt to steal Canadian intellectual property, especially related to COVID-19.
Threat actors are carrying out cyber espionage campaigns and online influence campaigns.
South Korean lawmakers announced last week that the country’s intelligence agency had foiled cyber attacks.
Reuters added that some of the accounts employed in the attacks on AstraZeneca were registered to Russian email addresses, but one of the sources speculated that it could be a false flag used by the attackers.
At the time of writing, AstraZeneca declined to comment.
Federated Learning: A Therapeutic for what Ails Digital Health
27.11.20 BigBrothers Threatpost
Researchers show the promise of Federated Learning to protect patient privacy and improve healthcare outcomes across the world.
For researchers and physicians, the mountains of data that hospitals and healthcare systems hold could be a goldmine for artificial intelligence and machine learning, but data privacy concerns and regulations have kept scientists from harnessing that information to improve outcomes. Now researchers from Intel and the University of Pennsylvania Medical School say they have found a solution: Federated Learning.
Federated Learning isn’t new: Google invented the concept to train its predictive text models, Intel’s chief AI architect G. Anthony Reina explained during a recent Threatpost webinar focused on healthcare cybersecurity.
Models Move, Not Data
“Google realized that it wasn’t really privacy sensitive if they were literally sending your IM’s up to Google and having some Google data scientists read all of your IM to come up with what that model should do,” Reina said. “So they ended up coming up with this concept federated learning. And the idea is that you’re actually not going to move the data anywhere. The data just lives where it lives on your cell phone.”
Google’s Federated Learning model was able to detect when the phone was plugged in and on a Wi-Fi connection and “train a neural network on your local data,” Reina continued. “And I’m going to send the model out, so the model moves around, not the data.”
Reina and others suspected the same concept could be applied to healthcare data, allowing hospitals and healthcare providers across the globe to train collaboratively without ever needing direct access to each other’s data.
The idea is the same as the Google scenario. The model moves around, rather than the data.
“And then basically, the models (plural) come back now from every user that they’ve trained on and you just have to come up with some way of getting a single consensus model,” Reina said.
Intel and the University of Pennsylvania Medical School teamed up to deploy federation across 29 international healthcare and research institutions to identify brain tumors, with incredibly promising results.
Medical Imaging and FL
Their findings on Federated Learning and its applications in healthcare were published in the journal Nature and presented at their Supercomputing 2020 event last week.
Reina and his team were able to train a medical imaging model to identify brain tumors with more than 99 percent of the accuracy of a model trained in the traditional way. This breakthrough could lead to earlier detection and better outcomes for the more than 80,000 people diagnosed with a brain tumor each year, according to Intel.
“So this is literally a neural network, a deep learning model and AI model that is taking MRIs and is trying to imagine if you had a crayon and you were trying to color in the section that’s the tumor, that’s the brain tumor,” Reina explained. “You can imagine how important this would be to have something that we just label areas of an MRI of the brain where tumor lives.”
The research published in Nature also offered several additional examples of how FL is improving healthcare outcomes right now.
Federated Learning is being used to scan electronic health records to find patients with similar symptoms in order to predict hospital visits, mortality, ICU stay time and more. Federated Learning has also proven useful in medical imaging and MRI, according to the Nature report.
In addition to more precise diagnostics, Federated Learning promises to improve healthcare for everyone, regardless of proximity to expertise.
“Patients are usually treated locally,” the report said. “Establishing FL on a global scale could ensure high quality of clinical decisions regardless of the treatment location. In particular, patients requiring medical attention in remote areas could benefit from the same high-quality ML-aided diagnoses that are available in hospitals with a large number of cases. The same holds true for rare, or geographically uncommon, diseases, that are likely to have milder consequences if faster and more accurate diagnoses can be made.”
Reina explained that broad collection of data, even if it is not of the highest quality, is beneficial. He used the example of the audience-poll lifeline in the game show “Who Wants to Be a Millionaire?”
“There’s, there’s a big data science mantra that, the more data you get, even if it’s not necessarily fantastic data, you learn enough to bring things up,” Reina said. “It’s kind of like on, ‘Who Wants to be a Millionaire?’ You poll the audience, and even if the audience isn’t an expert, it’s the collective knowledge of the audience, if you look at the statistics, they’re usually going to get the right answer, because not everybody has to be an expert. You can get a bunch of poor predictors, put them together, and you’ve got actually a super predictor.”
Federated Learning’s promise will continue to be researched and improved over the next decade, the paper concludes.
“Despite this, we truly believe that its potential impact on precision medicine and ultimately improving medical care is very promising.”
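The mechanism Reina describes (the model travels to each site, only parameters come back, and the server forms a single consensus model) is federated averaging. The block below is an added example written for this page, not Intel's, Google's or the Nature paper's code: it uses a one-feature linear regression and synthetic, constructed client data so the whole exchange runs without any ML library.

```python
"""Federated averaging (FedAvg) in pure Python.

Added example, not Intel's or Google's code: it shows the mechanism the
article describes (the model travels to the data, only model parameters
return to the server, and the server forms a consensus model by averaging).
Training data is constructed synthetically; the model is a one-feature
linear regression so the whole thing runs without any ML library.
"""
import random

TRUE_W, TRUE_B = 3.0, 2.0  # hidden relationship the clients' data follows


def make_client_data(n, seed):
    """Constructed local dataset: y = 3x + 2 plus small noise, x in [0, 1)."""
    rng = random.Random(seed)
    xs = [rng.random() for _ in range(n)]
    ys = [TRUE_W * x + TRUE_B + rng.gauss(0, 0.05) for x in xs]
    return list(zip(xs, ys))


class Client:
    """Holds data that never leaves this object; only parameters are exchanged."""

    def __init__(self, data):
        self._data = data

    def local_update(self, w, b, lr=0.5, steps=25):
        """Run full-batch gradient descent from the global parameters and return
        the new parameters plus the sample count used for weighting."""
        n = len(self._data)
        for _ in range(steps):
            gw = gb = 0.0
            for x, y in self._data:
                err = (w * x + b) - y
                gw += err * x
                gb += err
            w -= lr * gw / n
            b -= lr * gb / n
        return w, b, n


def fed_avg(updates):
    """Server-side consensus: average parameters weighted by each client's sample count."""
    total = sum(n for _, _, n in updates)
    w = sum(wk * n for wk, _, n in updates) / total
    b = sum(bk * n for _, bk, n in updates) / total
    return w, b


def train_federated(clients, rounds=10):
    """Each round: send the global model out, collect local updates, average them."""
    w, b = 0.0, 0.0
    for _ in range(rounds):
        updates = [c.local_update(w, b) for c in clients]  # model moves to the data
        w, b = fed_avg(updates)                            # only parameters come back
    return w, b


def demo():
    """Four constructed 'hospitals' with differently sized local datasets."""
    clients = [Client(make_client_data(n, seed)) for seed, n in enumerate((30, 50, 20, 40))]
    return train_federated(clients)


if __name__ == "__main__":
    print(demo())
```

The server function only ever sees `(w, b, n)` tuples; that is the whole privacy argument of the approach, and it is also where the remaining risk sits, since parameter updates can still leak information about the local data unless they are further protected.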
UK NCSC’s alert urges orgs to fix MobileIron CVE-2020-15505 RCE
25.11.20 BigBrothers Securityaffairs
The UK NCSC issued an alert to urge organizations to patch the critical CVE-2020-15505 RCE vulnerability in MobileIron MDM systems.
The UK National Cyber Security Centre (NCSC) issued an alert urging organizations to address the critical CVE-2020-15505 remote code execution (RCE) vulnerability in MobileIron mobile device management (MDM) systems.
MDM platforms allow administrators to remotely manage a fleet of mobile devices in their organization from a central server.
The CVE-2020-15505 vulnerability is a remote code execution issue in the MobileIron mobile device management (MDM) software that allows remote attackers to execute arbitrary code and take over remote company servers.
The vulnerability was discovered in March by security researcher Orange Tsai, and MobileIron addressed it in June. The researcher published a video PoC demonstrating exploitation of the flaw.
NCSC experts are aware of threat actors actively exploiting the MobileIron CVE-2020-15505 vulnerability to compromise networks in multiple sectors, including healthcare, local government, logistics and legal.
“The NCSC is aware that Advanced Persistent Threat (APT) nation-state groups and cyber criminals are now actively attempting to exploit this vulnerability [T1190] to compromise the networks of UK organisations.” reads the alert.
At the end of October, the US National Security Agency (NSA) included the same RCE in the list of the top 25 vulnerabilities exploited by Chinese state-sponsored hacking groups in attacks in the wild.
The Cybersecurity and Infrastructure Security Agency (CISA) also warned that APT groups have chained the CVE-2020-15505 RCE with the Netlogon/Zerologon vulnerability CVE-2020-1472 in at least one intrusion.
The MobileIron versions affected by the CVE-2020-15505 flaw are:
10.3.0.3 and earlier
10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0
Sentry versions 9.7.2 and earlier
9.8.0
Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier
Chinese Threat Actor 'Mustang Panda' Updates Tools in Attacks on Vatican
25.11.20 BigBrothers Securityweek
A Chinese threat actor tracked as Mustang Panda was observed using an updated arsenal of tools in recent attacks, Proofpoint’s security researchers revealed on Monday.
Also referred to as TA416 and RedDelta, the threat group is known for the targeting of entities connected to the diplomatic relations between the Vatican and the Chinese Communist Party, along with entities in Myanmar, and the new campaign appears to be a continuation of that activity.
Some of the observed toolset updates, Proofpoint says, include the use of a new Golang variant of the PlugX malware loader, in addition to the constant use of PlugX. While attribution remains fairly simple, automatic detection is more difficult.
“This may represent efforts by the group to continue their pursuit of espionage objectives while maintaining an embattled toolset and staying out of the daily Twitter conversation popular amongst threat researchers,” Proofpoint notes.
Phishing lures used in recent attacks show a focus on the relations between the Vatican and the Chinese Communist Party, as well as spoofed emails imitating journalists from the Union of Catholic Asia News.
As part of the attacks, the hackers used RAR archives that serve as PlugX malware droppers, yet the delivery vector for these archives hasn’t been identified yet. However, the group is known to abuse Google Drive and Dropbox URLs within phishing emails.
The RAR archives used in this campaign include, among others, the encrypted PlugX payload, a legitimate Adobe executable for side loading, and a Golang binary to decrypt and load the payload.
According to Proofpoint, this is the first time the adversary has used a Golang binary in their attacks. The file has a compilation date of June 24, 2020, but the variant appears to have been used only since August 24.
Although it features a new file type, the PlugX loader hasn’t changed its functionality: it will execute PlugX and also ensure its persistence. The malware variant used in these attacks remains consistent when compared to previously observed versions, as does the command and control (C&C) communication in these PlugX samples.
The C&C IP, Proofpoint says, was hosted by the Chinese Internet Service Provider Anchnet Asia Limited and was in use as a C&C at least between August 24 and September 28, 2020. Since the IP is no longer in use, the threat actor is believed to have worked on overhauling its infrastructure.
“Continued activity by TA416 demonstrates a persistent adversary making incremental changes to documented toolsets so that they can remain effective in carrying out espionage campaigns against global targets. The introduction of a Golang PlugX loader alongside continued encryption efforts for PlugX payloads suggest that the group may be conscious of increased detection for their tools and it demonstrates adaptation in response to publications regarding their campaigns,” Proofpoint concludes.
FBI Warns of Spoofed FBI-Related Domains
25.11.20 BigBrothers Securityweek
The Federal Bureau of Investigation (FBI) this week issued an alert to warn the public of spoofed FBI-related Internet domains.
According to the agency, “unattributed cyber actors” are registering domains designed to spoof legitimate websites pertaining to the FBI, “indicating the potential for future operational activity.”
In addition to spoofed domains, state-sponsored actors and cybercriminals are leveraging spoofed email accounts to trick unsuspecting victims into revealing sensitive, personal information.
“Adversaries can use spoofed domains and email accounts to disseminate false information; gather valid usernames, passwords, and email addresses; collect personally identifiable information; and spread malware, leading to further compromises and potential financial losses,” the FBI warns.
To ensure the success of their attempts, the threat actors create domains that feature slightly modified characteristics of legitimate domains. These spoofed domains may contain the alternate spelling of a word in their name or use an alternative top-level domain.
Due to these subtle alterations, unsuspecting victims may be tricked into visiting the spoofed domains when looking for information on the FBI's mission and services, or news coverage. Furthermore, spoofed email accounts may be used to entice individuals into opening malicious files or clicking on links.
“The FBI urges all members of the American public to critically evaluate the websites they visit, and the messages sent to their personal and business email accounts, to seek out reliable and verified FBI information,” the agency notes.
Users are advised to always check the spelling of websites and email addresses, to ensure that their operating systems and applications are always kept updated, and to use anti-malware software that is kept up to date.
Furthermore, the FBI advises users to never enable macros on documents that were received via email unless absolutely necessary and only after the file was scanned with an anti-virus application, and to refrain from opening emails or attachments from unknown individuals.
Personal information should never be provided over email, strong two-factor authentication should be enforced whenever possible, and domain whitelisting should be employed to only allow traffic to websites considered safe.
Users are also advised to disable or remove software that is no longer used or needed, as well as to verify that the visited websites have an SSL certificate (although threat actors are also known to employ encryption to increase the legitimacy of their websites).
“There are a wide range of reasons individuals or groups might have to spoof law enforcement or government websites. These specific examples are likely to be the potential for monetary gain through credential theft, as online reporting of crime is a feature of the genuine FBI website. The motive could also be more sinister, with the potential misuse to spread disinformation, and/or to impact the credibility and trust that individuals have in any agency or department,” Carl Wearn, head of e-crime at Mimecast, said in an emailed comment.
“Spoofing or the use of law enforcement credentials to defraud or scam people has been a regular tactic of fraudsters for a long time, even preceding the internet, as criminals seek to exploit the trust society places in these particular organisations and the enhanced likelihood of compliance with their instructions given that trust. Please ensure you go to any genuine website via your browser, and do not click on links in emails or other electronic communications which may take you to these fake or spoofed websites and steal your personal details or worse,” Wearn added.
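The alert's description of the spoofing technique (an alternate spelling of a word in the name, or an alternative top-level domain) translates directly into checks a defender can run over newly registered domains or inbound sender addresses. The following is an added example, not the FBI's tooling; it assumes fbi.gov as the legitimate domain, adds two further common look-alike tricks (confusable characters and the brand buried in a longer name), and every candidate it tests is constructed and uses the reserved .example TLD.

```python
"""Score candidate domains for resemblance to a legitimate one.

Added example, not the FBI's tooling: it implements the checks the alert
describes (alternate spellings, alternate top-level domains) plus two other
common look-alike tricks (confusable characters, the brand buried in a longer
name). The legitimate domain is assumed to be fbi.gov; every candidate below
is constructed and uses the reserved .example TLD.
"""
import re
import unicodedata

# Visually confusable characters mapped to an ASCII look-alike (assumed, not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "\u0131": "i", "\u03bf": "o", "\u0430": "a",
               "\u0435": "e", "\u0456": "i", "\u0440": "p", "\u0441": "c"}


def normalise(label):
    """Lower-case, apply Unicode compatibility normalisation, fold confusables."""
    label = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, legitimate="fbi.gov"):
    """Return {'verdict': ..., 'reasons': [...]} for one hostname."""
    cand = candidate.lower().rstrip(".")
    legit = legitimate.lower()
    if cand == legit or cand.endswith("." + legit):
        return {"verdict": "legitimate", "reasons": []}
    legit_label, legit_tld = legit.rsplit(".", 1)
    parts = cand.split(".")
    label, tld = (parts[-2] if len(parts) > 1 else parts[0]), parts[-1]
    norm = normalise(label)
    reasons = []
    if norm != label and norm == legit_label:
        reasons.append("homoglyph")            # matches the brand only after folding
    if norm == legit_label and tld != legit_tld:
        reasons.append("tld_swap")             # same name, different top-level domain
    max_edits = 1 if len(legit_label) <= 5 else 2
    if norm != legit_label and levenshtein(norm, legit_label) <= max_edits:
        reasons.append("misspelling")
    tokens = [normalise(t) for t in re.split(r"[.-]", cand)]
    if legit_label in tokens and norm != legit_label:
        reasons.append("brand_embedded")       # e.g. brand-news.example or brand.gov.example
    return {"verdict": "suspicious" if reasons else "clean", "reasons": reasons}


def triage(candidates, legitimate="fbi.gov"):
    """Return the hostnames worth a closer look, with the reasons."""
    out = []
    for c in candidates:
        result = classify(c, legitimate)
        if result["verdict"] == "suspicious":
            out.append((c, result["reasons"]))
    return out


if __name__ == "__main__":
    # constructed watch-list; none of these are real registrations
    watchlist = ["fbi.example", "fb1.example", "fb\u0131.example",
                 "fbi-tips.example", "fbi.gov.example", "weather.example", "www.fbi.gov"]
    for host, why in triage(watchlist):
        print(host, why)
```

Because the checks run on the normalised label, a name that only resembles the brand after confusable folding is reported as a homoglyph, which is the case ordinary spell-checking misses.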
Joe Biden Campaign Subdomain Down After Hacktivist Defacement
24.11.20 BigBrothers Threatpost
A Turkish hacktivist defaced a subdomain of the president-elect’s campaign website.
A subdomain used by President-elect Joe Biden’s official campaign website was defaced last week by a self-proclaimed Turkish hacktivist and still remains out of commission.
The subdomain, vote.joebiden.com, was part of the official campaign website JoeBiden.com used by the Biden campaign leading up to the 2020 U.S. presidential election. On Nov. 18, the subdomain reportedly began to display a message in Turkish. In the message, the hacker claims to be “RootAyy1ld1z,” a “Turkish And Muslim Defacer” who is not a group or organization, but who “fights alone.”
Biden Subdomain Before it was Hacked
Internet Archive version of the Biden subdomain vote.joebiden.com.
Threatpost was able to access the Internet Archive version of the domain to verify the hack. The subdomain was used by the Biden campaign to help voters find polling centers, find a campaign event and offer state-specific voter guides. Post-election, the subdomain forwarded traffic to the self-serve voter registration information website “I WILL VOTE”. This separate website, maintained by the Democratic National Committee, offers state-specific vote-by-mail and voter registration verification services.
“Like many organizations who quickly throw together a website or subdomain, likely missing some important cybersecurity best practices, this time a subdomain ‘vote.joebiden.com’ of presidential elect Joe Biden has become the latest victim of website defacing,” Joseph Carson, chief security scientist and advisory CISO at Thycotic, told Threatpost. “This of course is more of an embarrassment than a national security issue, however, it does raise important questions on ensuring that cybersecurity is a top priority for the incoming administration.”
The message, in Turkish, threatened Turkey’s opponents as well as U.S.-backed political parties in Turkey. It also featured a photo of Sultan Abdul Hamid II, the 34th sultan of the Ottoman Empire, who reigned from 1876 to 1909.
A translated version of the campaign website that was defaced. Credit: Web.archive.org
“We are the ones who stopped the tanks with their bare hands on the night of July 15. We are those who killed death that night,” a translated (via Google Translate) English version of the message concluded, likely referring to the 2016 Turkish coup d’etat attempt.
As of Nov. 23, the domain remains inaccessible. Of note, Biden’s main campaign website, joebiden.com, does not appear to be affected by the hack.
While there’s no indication as to how the bad actor accessed the website, popular methods for compromise can include vulnerabilities in third-party plugins and stolen login credentials.
The website hack also comes amid a Wall Street Journal report that the federal government is offering minimal assistance to Biden’s transition team when it comes to securing email and other communications.
Threatpost has reached out to the President-elect Joe Biden campaign for further comment.
“As additional data and searches indicate that the CMS was hacked to deface the subdomain’s web content, a lot more would have been possible than just a ‘political statement’ from a hacktivist,” Dirk Schrader, Global Vice President at New Net Technologies (NNT), told Threatpost. “A different content playing to the bias of parts of the population might have caused bigger issues. As it took the cyber security team more than 24 hours to realize the defacement and to take action, this incident demonstrates again how important it is to keep an eye on your full exposure and have constant monitoring and change control in place.”
Website Hacks
Government website defacements have been cropping up throughout the year, particularly around this November’s U.S. presidential election.
Hackers took over President Trump’s 2020 election campaign website in October, replacing parts of the site with a cryptocurrency scam before returning it to its original content several minutes later. And in January, a U.S. government website was vandalized by hackers who posted images of a bloodied President Donald Trump being punched in the face and pro-Iran messages. In September the Department of Justice (DoJ) indicted two hackers – including one teenager – for allegedly vandalizing more than 50 websites hosted in the U.S. with pro-Iran messages.
“Incidents, such as this, are a reminder how important it is to have top cybersecurity experts in the new administration to ensure mistakes like these do not happen,” Carson told Threatpost.
Subdomain of Official Joe Biden Campaign Website Defaced by Turkish Hacker
24.11.20 BigBrothers Securityweek
A subdomain of the official Joe Biden campaign website was defaced last week by what appears to be a Turkish hacktivist.
The targeted subdomain, vote.joebiden.com, originally redirected users to iwillvote.com, a website sponsored by the Democratic National Committee (DNC) that provides information about the voting process, including registration, voting from abroad, voting by mail, and finding voting locations. The vote.joebiden.com subdomain has been promoted in materials released by the Biden campaign before the elections.
On November 18, the subdomain started displaying a message written in Turkish apparently by a hacktivist called “RootAyyıldız,” who described themself as a “Turkish and Muslim defacer” and a patriot. The message threatened Turkey’s adversaries and Turkish political parties backed by the United States.
It’s unclear what method was used to hijack the subdomain, but it’s not uncommon for hacktivists to use unsophisticated methods to deface websites, including CMS misconfigurations or widely available and easy to use exploits. It’s also not uncommon for hackers to deface sites using DNS hijacking.
The incident does not appear to impact the main joebiden.com domain. The vote.joebiden.com subdomain is currently inaccessible, but the defacement is still indexed by Google at the time of writing. The Joe Biden campaign store subdomain is down for maintenance, but it’s unclear if that is related to the hack.
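Both reports above leave the intrusion method open (a compromised CMS rewriting content, or DNS hijacking), and the Threatpost piece quotes the point that it took more than 24 hours to notice the change. The monitor below is an added example, not the campaign's or any vendor's tooling: it keeps a baseline of the expected DNS answers, redirect target and content hash for a host and reports which of them a later snapshot deviates from, along with how long the site had gone unchecked. All hosts, addresses and page bodies are constructed.

```python
"""Detect defacement and DNS hijacking from periodic snapshots of a site.

Added example, not the campaign's or any vendor's monitoring: a baseline
records the expected DNS answers, redirect target and content hash; later
snapshots are compared against it, covering both a rewritten page (CMS
compromise) and answers pointing elsewhere (DNS hijacking). All hosts,
addresses and page bodies are constructed.
"""
import hashlib
from datetime import datetime, timedelta


def fingerprint(body):
    """Stable content hash; compare hashes rather than storing every page body."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def make_baseline(host, dns_a, redirect, body):
    return {"host": host, "dns_a": sorted(dns_a), "redirect": redirect,
            "body_hash": fingerprint(body)}


def check_snapshot(baseline, snap):
    """Return the list of deviations one snapshot shows against the baseline."""
    findings = []
    if sorted(snap["dns_a"]) != baseline["dns_a"]:
        findings.append("dns_changed")        # answers now point somewhere else
    if snap.get("redirect") != baseline["redirect"]:
        findings.append("redirect_changed")   # expected forward to the registration site is gone
    if fingerprint(snap["body"]) != baseline["body_hash"]:
        findings.append("content_changed")    # page body no longer matches the approved version
    return findings


def monitor(baseline, snapshots):
    """Walk snapshots in time order; report each deviation and how long the site
    had gone unchecked (time since the last clean snapshot) when it was seen."""
    alerts = []
    last_good = None
    for snap in sorted(snapshots, key=lambda s: s["at"]):
        findings = check_snapshot(baseline, snap)
        if findings:
            gap = (snap["at"] - last_good).total_seconds() if last_good else None
            alerts.append({"at": snap["at"], "findings": findings, "unchecked_seconds": gap})
        else:
            last_good = snap["at"]
    return alerts


def sample_run():
    """Constructed scenario: a clean check, then a defaced body a day later, then a DNS change."""
    t0 = datetime(2020, 11, 17, 12, 0)
    good_body = "<html><meta http-equiv='refresh' content='0;url=https://register.example/'></html>"
    defaced = "<html><h1>defaced (constructed sample)</h1></html>"
    baseline = make_baseline("vote.campaign.example", ["192.0.2.10"],
                             "https://register.example/", good_body)
    snapshots = [
        {"at": t0, "dns_a": ["192.0.2.10"], "redirect": "https://register.example/", "body": good_body},
        {"at": t0 + timedelta(hours=24), "dns_a": ["192.0.2.10"], "redirect": None, "body": defaced},
        {"at": t0 + timedelta(hours=25), "dns_a": ["198.51.100.7"], "redirect": None, "body": defaced},
    ]
    return monitor(baseline, snapshots)


if __name__ == "__main__":
    for alert in sample_run():
        print(alert["at"], alert["findings"], alert["unchecked_seconds"])
```

The `unchecked_seconds` value is the point of the exercise: with one check a day the first alert arrives 86,400 seconds after the last clean observation, which is the exposure window the commentator complains about; shortening the polling interval is what shrinks it.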
UK reveals new National Cyber Force to improve offensive cyber capabilities
21.11.20 BigBrothers Securityaffairs
The new National Cyber Force (NCF) is working to improve UK’s offensive cyber capabilities to disrupt adversaries and keep the UK safe.
The UK Prime Minister, in a speech on defence spending, announced a partnership between GCHQ and the Ministry of Defence (MoD) aimed at conducting offensive cyber operations to disrupt hostile nation-state operations, terrorist activity and cyber criminal campaigns that threaten national security.
The National Cyber Force (NCF) plays a crucial role in enhancing the UK’s offensive cyber capabilities.
The UK government has announced new defence spending of £16.5 billion ($22bn), part of which has been assigned to the creation of the National Cyber Force. The British government also reserved part of the spending for the creation of a Space Command and an agency dedicated to AI.
“In recent years, our adversaries have developed and weaponised a myriad of emerging technologies which go beyond the traditional warfighting domains of air, land and sea.” states the UK Government.
“That’s why the Prime Minister has announced a new agency dedicated to developing Artificial Intelligence, the creation of a National Cyber Force and a new ‘Space Command’ that will protect the UK’s interests in space and control the UK’s first satellite launched from a UK rocket by 2022.”
The NCF is composed of personnel from intelligence, cyber and security agency GCHQ, the MoD, the Secret Intelligence Service (MI6) and the Defence Science and Technology Laboratory (Dstl).
“I can announce that we have established a National Cyber Force, combining our intelligence agencies and service personnel, which is already operating in cyberspace against terrorism, organised crime and hostile state activity.” reads Prime Minister Boris Johnson’s statement to the house about the new spending.
Prime Minister Boris Johnson confirmed that the Cyber Force is already operative.
The National Cyber Force will be involved in cyber operations such as:
Interfering with a mobile phone to prevent a terrorist from being able to communicate with their contacts;
Helping to prevent the internet from being used as a global platform for serious crimes, including sexual abuse of children and fraud; and
Keeping UK military aircraft safe from targeting by hostile weapons systems.
“For over a century, GCHQ has worked to keep the UK safe. Cyber security has become an integral part of this mission as we strive to make the UK the safest place to live and do business online. We are a world-leading cyber power.” said Director GCHQ Jeremy Fleming.
“Today the National Cyber Force builds out from that position of defensive strength. It brings together intelligence and defence capabilities to transform the UK’s ability to contest adversaries in cyber space, to protect the country, its people and our way of life. Working in close partnership with law enforcement and international partners, the National Cyber Force operates in a legal, ethical and proportionate way to help defend the nation and counter the full range of national security threats.”
The Prime Minister claims that the injection of £16.5 billion over four years is the biggest investment in the UK’s Armed Forces since the end of the Cold War.
Dutch tech reporter gatecrashes EU defence secret video conference
21.11.20 BigBrothers Securityaffairs
A Dutch tech reporter gatecrashed a video conference of EU defence ministers after the Dutch minister shared an image on Twitter.
Dutch journalist Daniel Verlaan of RTL Nieuws broke into a secret video conference of EU defence ministers after the Dutch defence minister Ank Bijleveld posted on Twitter an image of the call that accidentally exposed login details.
The journalist spotted the login details in the image and used them to join the meeting; the photo showed the meeting address and part of the PIN code.
“You know that you have been jumping into a secret conference?” EU foreign policy chief Josep Borrell said.
“Yes, yes. I’m sorry. I’m a journalist from the Netherlands. I’m sorry for interrupting your conference,” Mr Verlaan replied, to laughter from officials. “I’ll be leaving here.”
“You know it’s a criminal offence, huh?” Mr Borrell replied. “You’d better sign off quickly before the police arrives.”
The meeting was halted due to the intrusion, and the incident was reported to the authorities.
The image shared by the minister only contained part of the PIN code, but after a number of attempts the journalist guessed the remaining digit.
“In a number of attempts, RTL News managed to guess the pin code of the secret meeting, because five of the six digits of the pin code were visible in the photo.” reported the RTL Nieuws.
“After logging in with the correct pin code, there was no extra security, RTL News was immediately admitted to the meeting and Verlaan has identified himself as a journalist.”
The incident raises serious questions over the security of secret meetings of Government organizations, especially during the COVID-19 pandemic.
A Dutch defence ministry spokesperson admitted the error and defined it as a “stupid mistake”.
“This shows how careful you have to be with these kinds of meetings,” says Prime Minister Mark Rutte. “A meeting of the Ministers of Defense is never innocent. Caution is advised. The only by-product of this is that Bijleveld has pointed out to other ministers how careful you have to be.”
Major Power Outage in India Possibly Caused by Hackers: Reports
21.11.20 BigBrothers Securityweek
Authorities in India determined that a major power outage that occurred last month in Mumbai, the country’s largest city, may have been caused by hackers, according to reports.
The outage occurred in mid-October and it impacted the Mumbai metropolitan area, causing significant disruption to traffic management systems and trains. It took two hours to restore power just for essential services, and up to 12 hours to restore power in some of the affected areas.
Authorities immediately said sabotage could not be ruled out and the Mumbai Mirror reported on Friday that a cyber police unit found evidence suggesting that the incident may have been caused by a cyberattack.
According to the Mumbai Mirror, investigators found multiple suspicious logins into the servers linked to power supply and transmission utilities. It’s believed that manipulation of these servers may have triggered the outage. The activity was traced to several South Asian countries and investigators are trying to determine if it was part of a coordinated effort.
The paper learned from its sources that threat actors — in many cases profit-driven cybercriminals — have been targeting power utilities in India since February, including with ransomware, BGP hijacking, and DDoS attacks.
India Today reported that malware was discovered by investigators at a load dispatch center where the outage is said to have originated. Load dispatch centers are responsible for ensuring the operation of the power grid, monitoring grid operations, and scheduling and dispatching electricity.
There are several sophisticated threat groups known to have targeted electric utilities and at least some of them have targeted India, including one that has been linked to North Korea.
The most significant power outages caused by a cyberattack were observed in 2015 and 2016 in Ukraine and they were both attributed to Russia-linked threat actors.
Nation-state actors from Russia, China, Iran, and North Korea target Canada
20.11.20 BigBrothers Securityaffairs
The Canadian Centre for Cyber Security warns of risks related to state-sponsored programs from China, Russia, Iran, and North Korea.
A report published by the Canadian Centre for Cyber Security, titled “National Cyber Threat Assessment 2020,” warns of risks associated with state-sponsored operations from China, Russia, Iran, and North Korea.
The report is based on both classified and unclassified sources and identifies current cyber threats and the likelihood that they will occur, and how Canadians could be affected.
“The second iteration of our unclassified assessment notes that the number of cyber threat actors is increasing, and they are becoming more sophisticated, that cybercrime will almost certainly continue to be the cyber threat most likely to affect Canadians and that Ransomware attacks will almost certainly continue to target large enterprises and critical infrastructure providers.” reads the report.
China, Russia, Iran, and North Korea are developing cyber capabilities to disrupt key Canadian critical infrastructure, including electricity supply.
Nation-state actors linked to the above countries pose the greatest strategic threats to Canada and according to the report, they will continue to attempt to steal Canadian intellectual property, especially related to COVID-19.
Threat actors are carrying out cyber espionage campaigns and online influence campaigns.
“The most sophisticated capabilities belong to state sponsored cyber threat actors who are motivated by economic, ideological, and geopolitical goals,” the center said.
“We assess that almost certainly the state-sponsored programs of China, Russia, Iran, and North Korea pose the greatest state-sponsored cyber threats to Canadian individuals and organizations,” continues the report.
“However, many other states are rapidly developing their own cyber programs, benefiting from various legal and illegal markets to purchase cyber products and services.”
The report also states that other states are rapidly building their cyber capabilities; for this reason the Canadian Government believes that state-sponsored hacking will continue to target Canadian businesses, academia, and governments.
“Defending Canada against cyber threats and related influence operations requires addressing both the technical and social elements of cyber threat activity. Cyber security investments will allow Canadians to benefit from new technologies while ensuring that we do not unduly risk our safety, privacy, economic prosperity, and national security.” concludes the report. “We approach security through collaboration, combining expertise from government, industry, and academia. Working together, we can increase Canada’s resilience against cyber threats.”
Russia, China 'Cyber Threats' Target Canada: Report
19.11.20 BigBrothers Securityweek
State-sponsored programs from China, Russia, Iran and North Korea pose the greatest high-tech threats to Canada, a report from the nation's authority on cyber security warned Wednesday.
"The number of cyber threat actors is rising, and they are becoming more sophisticated", the Canadian Centre for Cyber Security said.
The center found that those four countries are very likely attempting to build up capacities to disrupt key Canadian infrastructure -- like the electricity supply -- to further their goals.
The report said they are also expected to target intellectual property related to the battle against the coronavirus pandemic in order to boost their own response to the contagion.
Threats against Canadians and their companies include cyber spying and online influence campaigns.
"The most sophisticated capabilities belong to state sponsored cyber threat actors who are motivated by economic, ideological, and geopolitical goals," the center said.
"We assess that almost certainly the state-sponsored programs of China, Russia, Iran, and North Korea pose the greatest state-sponsored cyber threats to Canadian individuals and organizations," it added.
That said, many other states are rapidly developing their own cyber threats.
State-sponsored attackers are expected to continue to "conduct commercial espionage against Canadian businesses, academia, and governments", the center said.
It further warned that the pandemic has led to a jump in teleworking and online activity in general for Canadians, a trend that will continue and could expose people to an evolving array of cyber threats.
Canadians lost over Can$43 million (US$32.8 million) to cybercrime fraud in 2019, according to statistics from the Canadian Anti-Fraud Centre.
Trump Fires Agency Head Who Vouched for 2020 Vote Security
18.11.20 BigBrothers Securityweek
President Donald Trump on Tuesday fired the nation’s top election security official, a widely respected member of his administration who had dared to refute the president’s unsubstantiated claims of electoral fraud and vouch for the integrity of the vote.
While abrupt, the dismissal of Christopher Krebs, the director of the Cybersecurity and Infrastructure Security Agency, was not a surprise. Since his loss, Trump has been ridding his administration of officials seen as insufficiently loyal and has been denouncing the conduct of an election that led to an embarrassing defeat to Democrat Joe Biden.
That made Krebs a prime target. He had used the imprimatur of Trump’s own Department of Homeland Security, where his agency was based, to issue a stream of statements and tweets over the past week attesting to the proper conduct of the election and denouncing the falsehoods spread by the president and his supporters — without mentioning Trump by name.
Krebs stood by those assertions after his ouster.
“Honored to serve. We did it right,” he said in a brief statement on Twitter. “Defend Today, Secure Tomorrow.”
He closed with the phrase “Protect 2020,” which had been his agency’s slogan ahead of the election.
The firing of Krebs, a Trump appointee, came the week after the dismissal of Defense Secretary Mark Esper, part of a broader shakeup that put Trump loyalists in senior Pentagon positions.
A former Microsoft executive, Krebs ran the agency, known as CISA, from its creation in the wake of Russian interference with the 2016 election through the November election. He won bipartisan praise as CISA coordinated federal, state and local efforts to defend electoral systems from foreign or domestic interference.
Hours before being dismissed, Krebs tweeted out a report citing 59 election security experts saying there is no credible evidence of computer fraud in the 2020 election outcome.
Trump responded on Twitter later in the day. He repeated unsubstantiated claims about the vote and wrote “effective immediately, Chris Krebs has been terminated as Director of the Cybersecurity and Infrastructure Security Agency.”
Officials with CISA and its parent agency, the Department of Homeland Security, had no immediate comment.
Members of Congress — mostly Democrats — denounced the firing.
Rep. Adam Schiff, D-Calif., chairman of the House intelligence committee, assailed Trump for “retaliating against Director Krebs and other officials who did their duty. It’s pathetic, but sadly predictable that upholding and protecting our democratic processes would be cause for firing.”
One of the few Republicans joining in the criticism was Sen. Ben Sasse of Nebraska, a frequent Trump critic. “Chris Krebs did a really good job, as state election officials all across the nation will tell you, and he obviously should not be fired,” he said.
Biden campaign spokesman Michael Gwin noted that bipartisan election officials have dismissed Trump’s claims of widespread fraud. “Chris Krebs should be commended for his service in protecting our elections, not fired for telling the truth.”
Krebs kept a low profile even as he voiced confidence ahead of the November vote and, afterward, knocked down allegations that the count was tainted by fraud. The repudiation of Trump was notable coming from a component of DHS, which has been criticized for seeming to be too closely aligned with the president’s political goals.
CISA issued statements dismissing claims that large numbers of dead people could vote or that someone could change results without detection.
It also distributed a statement from a coalition of federal and state officials concluding there was no evidence that votes were compromised or altered in the Nov. 3 election and that the vote was the most secure in American history.
Krebs avoided ever directly criticizing the president and tried to stay above the political fray, even as he worked to contradict misinformation coming from the president and his supporters. “It’s not our job to fact check the president,” he said at a briefing with reporters on the eve of the election.
CISA works with the state and local officials who run U.S. elections as well as private companies that supply voting equipment to address cybersecurity and other threats while monitoring balloting and tabulation from a control room at its headquarters near Washington. It also works with industry and utilities to protect the nation’s industrial base and power grid from threats.
The agency enjoys a good reputation among its core constituency — the state and local election officials who rely on its advice and services at a time of near-constant cyberattack -- as well as on Capitol Hill, where lawmakers recently proposed an increase of its annual budget of around $2 billion.
His removal is a “disturbing sign for American government,” said California Secretary of State Alex Padilla.
“Chris Krebs has been an accessible, reliable partner for elections officials across the country, and across party lines, as we have fortified our cyber defenses since 2016,” Padilla said. “Our elections infrastructure has become stronger because of leaders like Chris Krebs and in spite of the actions and lies coming from the White House.”
The agency emerged from rocky beginnings. Just before President Barack Obama left office, the U.S. designated election systems as critical national security infrastructure, like dams or power plants, as a result of the interference by Russia, which included the penetration of state elections systems as well as massive disinformation.
Some state election officials and Republicans, suspicious of federal intrusion on their turf, were opposed to the designation. The National Association of Secretaries of State adopted a resolution in opposition to the move in February 2017. But the Trump administration supported the designation, and, eventually, skeptical state officials welcomed the assistance.
Zoom Takes on Zoom-Bombers Following FTC Settlement
18.11.20 BigBrothers Threatpost
The videoconferencing giant has upped the ante on cybersecurity with three fresh disruption controls.
Zoom has once again upped its security controls to prevent “Zoom-bombing” and other cyberattacks on meetings. The news comes less than a week after Zoom settled with the Federal Trade Commission over false encryption claims.
Two of the new features allow moderators to act as “club bouncers,” giving them the ability to remove and report disruptive meeting participants. The “Suspend Participant Activities” feature is enabled by default for all free and paid Zoom users; and, meeting participants can also report a disruptive user directly from the Zoom client by clicking the top-left “Security” badge.
Separately, the videoconferencing giant also rolled out an internal tool that acts as a filter, preventing meeting disruptions (like Zoom-bombing) before they happen.
Removing Disruptive Participants
Under the Security icon, hosts and co-hosts now have the option to temporarily pause their meeting and remove a disruptive participant or Zoom-bomber, according to a Monday Zoom blog posting.
“By clicking ‘Suspend Participant Activities,’ all video, audio, in-meeting chat, annotation, screen-sharing and recording during that time will stop, and Breakout Rooms will end,” the company explained. “The hosts or co-host will be asked if they would like to report a user from their meeting, share any details and optionally include a screenshot.”
Once the reporter clicks “Submit,” the offending user will be removed from the meeting, and hosts can resume the meeting by individually re-enabling the features they’d like to use.
“Zoom’s Trust & Safety team will be notified,” according to the post. “Zoom will also send them an email after the meeting to gather more information.”
As for the second enhancement, account owners and admins can enable reporting capabilities for non-host participants, so that they can report disruptive users from the Security icon (hosts and co-hosts already have this capability).
Both of the new controls are available on the mobile app, and for Zoom desktop clients for Mac, PC and Linux.
Support for the web client and virtual desktop infrastructure (VDI) will be rolling out later this year, the company said. VDI is a server-based computing model used by applications like Citrix or VMware; Zoom’s app for this allows meetings to be delivered to a thin client.
At-Risk Meeting Notifier
The internal tool, dubbed the “At-Risk Meeting Notifier,” scans public social-media posts and other websites for publicly shared Zoom meeting links – an exposure that can lead to Zoom-bombing.
Zoom-bombing is a trend that began earlier in 2020 as coronavirus lockdowns led to massive spikes in the videoconferencing service’s usage. Zoom saw its user base rocket from 10 million in December 2019 to 300 million in April during the ramp-up of the COVID-19 pandemic and a shift to remote work. These attacks occur when a bad actor gains access to the dial-in information and “crashes” a Zoom session – often sharing adult or otherwise disturbing content.
To thwart these kinds of attacks, the new tool can detect meetings that appear to have a high risk of being disrupted, Zoom said – and it automatically alerts account owners by email of the situation, providing advice on what to do.
That advice includes deleting the vulnerable meeting and creating a new one with a new meeting ID, enabling security settings, or using another Zoom solution, like Zoom Video Webinars or OnZoom.
“As a reminder – one of the best ways to keep your Zoom meeting secure is to never share your meeting ID or passcode on any public forum, including social media,” according to the company’s post.
FTC Encryption Settlement
Last week, the Federal Trade Commission (FTC) announced a settlement with Zoom, requiring the company “to implement a robust information security program to settle allegations that the video conferencing provider engaged in a series of deceptive and unfair practices that undermined the security of its users.”
The FTC alleged that since at least 2016, Zoom falsely claimed that it offered “end-to-end, 256-bit encryption” to secure users’ communications, when in fact it maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised.
While “encryption” alone may mean only that in-transit messages are encrypted, true end-to-end encryption (E2EE) occurs when the message is encrypted on the source user’s device, stays encrypted while it’s routed through servers, and is decrypted only on the destination user’s device. No other party – not even the platform provider – can read the content.
Zoom has now agreed to an FTC requirement to establish and implement a comprehensive security program, a prohibition on privacy and security misrepresentations, and “other detailed and specific relief.”
“The fines imposed by the FTC are a prime example of the type of actions companies are going to face when they do not take security in their products seriously,” Tom DeSot, executive vice president and CIO of Digital Defense, said via email. “Zoom unfortunately ended up being the poster child for how not to handle things when vulnerabilities are found in commercial products.”
And indeed, Zoom has faced various controversies around its encryption policies over the past year, including several lawsuits alleging that the company falsely told users that it offers full encryption. Then, the platform came under fire in May when it announced that it would indeed offer E2EE — but to paid users only. The company later backtracked after backlash from privacy advocates, who argued that security measures should be available to all. Zoom will now offer the feature to free/”Basic” users.
The first phase of its E2EE rollout began in mid-October, which aims to provide initial access to the feature with the hopes of soliciting feedback when it comes to its policies. Users will need to turn on the feature manually.
“We’re pleased to roll out Phase 1 of 4 of our E2EE offering, which provides robust protections to help prevent the interception of decryption keys that could be used to monitor meeting content,” said Max Krohn, head of security engineering with Zoom, in a post at the time.
Trump Fires Head of DHS Election Security Agency
18.11.20 BigBrothers Securityweek
President Donald Trump on Tuesday fired the director of the federal agency that vouched for the reliability of the 2020 election.
Trump fired Christopher Krebs in a tweet, saying his recent statement defending the security of the election was “highly inaccurate.”
The firing of Krebs, a Trump appointee and director of the Cybersecurity and Infrastructure Security Agency, comes as Trump is refusing to recognize the victory of Democratic President-elect Joe Biden and removing high-level officials seen as insufficiently loyal. He fired Defense Secretary Mark Esper on Nov. 9, part of a broader shakeup that put Trump loyalists in senior Pentagon positions.
Krebs, a former Microsoft executive, ran the agency, known as CISA, from its creation in the wake of Russian interference with the 2016 election through the November election. He won bipartisan praise as CISA coordinated federal, state and local efforts to defend electoral systems from foreign or domestic interference.
He kept a low profile even as he voiced confidence ahead of the November vote and, afterward, knocked down allegations that the count was tainted by fraud. At times, he seemed to be directly repudiating Trump, a surprising move from a component of the Department of Homeland Security, an agency that has drawn criticism for seeming to be too closely allied with the president’s political goals.
CISA issued statements dismissing claims that large numbers of dead people could vote or that someone could change results without detection.
It also distributed a statement from a coalition of federal and state officials concluding there was no evidence that votes were compromised or altered in the Nov. 3 election and that the vote was the most secure in American history.
Krebs avoided ever directly criticizing the president and tried to stay above the political fray, even as he worked to contradict misinformation coming from the president and his supporters. “It’s not our job to fact check the president,” he said at a briefing with reporters on the eve of the election.
CISA works with the state and local officials who run U.S. elections as well as private companies that supply voting equipment to address cybersecurity and other threats while monitoring balloting and tabulation from a control room at its headquarters near Washington. It also works with industry and utilities to protect the nation’s industrial base and power grid from threats.
The agency enjoys a good reputation among its core constituency — the state and local election officials who rely on its advice and services at a time of near-constant cyberattack -- as well as on Capitol Hill, where lawmakers recently proposed an increase of its annual budget of around $2 billion.
Amid recent reports that Krebs feared he might be fired, Rep. Bennie Thompson, chairman of the House Homeland Security Committee, had said he was concerned and sent a text to the director to ask him if he was OK. The response was, in effect, “for now,” the Mississippi Democrat said.
“It’s a shame if someone with his talent is all of a sudden, muzzled,” Thompson said. “I have not seen a partisan bone in his body. He’s been a consummate professional.”
Rep. Jim Langevin, a Rhode Island Democrat who focuses on cybersecurity issues, had called on his Republican colleagues to stand up for him before he could be removed from his post. “Chris Krebs and CISA have done so well under his leadership because he and his team have kept their heads down and done the job they were tasked with doing and not gotten caught up in partisan politics,” Langevin said.
The agency emerged from rocky beginnings. Just before President Barack Obama left office, the U.S. designated election systems as critical national security infrastructure, like dams or power plants, as a result of the interference by Russia, which included the penetration of state elections systems as well as massive disinformation.
Some state election officials and Republicans, suspicious of federal intrusion on their turf, were opposed to the designation. The National Association of Secretaries of State adopted a resolution in opposition to the move in February 2017. But the Trump administration supported the designation, and, eventually, skeptical state officials welcomed the assistance.
Russia Denies Microsoft Claims of Healthcare Cyber Attacks
18.11.20 BigBrothers Securityweek
Moscow on Tuesday vehemently rejected claims by Microsoft that Russia was behind cyber attacks on companies researching coronavirus vaccines and treatments, saying it was being made a scapegoat.
Russian Deputy Foreign Minister Sergei Ryabkov told state news agency RIA Novosti it had become "politically fashionable" to pin the blame for cyber attacks on Moscow.
Russia announced in August that it had registered the world's first coronavirus vaccine, Sputnik V -- named after the Soviet-era satellite -- but did so ahead of large-scale clinical trials.
In October, President Vladimir Putin announced that Russia had also registered its second coronavirus vaccine, EpiVacCorona.
"We do not need anything other than a normal approach towards the projects we already have in Russia and are promoting including in cooperation with foreign partners," Ryabkov said.
Ryabkov also claimed that Russian companies themselves were frequently becoming targets of foreign cyber attacks.
He said Russia and the United States should allow experts to look into the issue.
"However, Washington has persistently steered clear of such dialogue," Ryabkov added.
Last week, Microsoft urged a crackdown on cyber attacks perpetrated by states and "malign actors" after a spate of hacks disrupted healthcare organisations fighting the coronavirus.
The US tech giant said the attacks came from Russia and North Korea.
The Kremlin has previously denied US claims that Russian military intelligence was behind cyber attacks targeting Ukraine's power grid, the 2017 French election and the 2018 Winter Olympic Games, describing them as "Russophobia".
Privacy Activists in EU File Complaints Over iPhone Tracking
16.11.20 Apple BigBrothers Securityweek
European privacy activists have filed complaints against Apple over its use of software to track the behavior of iPhone users.
The Vienna-based group NOYB - short for “none of your business” - said Monday that it has asked data protection authorities in Germany and Spain to examine the legality of Apple’s tracking codes.
The codes, known as IDFA or Identifier for Advertisers, are similar to the cookies that websites use to store information on user behavior.
NOYB says the iOS operating system creates unique codes for each iPhone that allow Apple and other third parties to “identify users across applications and even connect online and mobile behaviour.”
The group argues that this amounts to tracking without users’ knowledge or consent, a practice that is banned under the European Union’s electronic privacy rules.
“Tracking is only allowed if users explicitly consent to it,” said Stefano Rossetti, a lawyer for NOYB. The privacy group said it is currently reviewing a similar system used by Google.
Apple declined to immediately respond to a request for comment.
NOYB, founded by privacy activist and lawyer Max Schrems, has filed numerous cases against major tech companies including one against Facebook that recently led the European Union’s top court to strike down an agreement that allows companies to transfer data to the United States over snooping concerns.
CISA Chief Chris Krebs expects to be fired by the White House
15.11.20 BigBrothers Securityaffairs
Chris Krebs, the director of DHS’ Cybersecurity and Infrastructure Security Agency, is expecting to be fired as White House frustrations hit the agency protecting elections.
Chris Krebs, the director of DHS’ Cybersecurity and Infrastructure Security Agency (CISA) expects the White House to fire him, as the Trump administration continues a purge of officials that are considered disloyal to the former President Trump.
Chris Krebs has worked hard to protect the election process; as a consequence, the Trump administration has not been able to prove fraud or interference.
Krebs and his staff have done great work ensuring that the 2020 election was not tampered with by nation-state actors; the DHS called this election “the most secure in election history.”
“The November 3rd election was the most secure in American history. Right now, across the country, election officials are reviewing and double checking the entire election process prior to finalizing the result.” reads the statement published by CISA.
“When states have close elections, many will recount ballots. All of the states with close results in the 2020 presidential race have paper records of each vote, allowing the ability to go back and count each ballot if necessary. This is an added benefit for security and resilience. This process allows for the identification and correction of any mistakes or errors. There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.”
Former President Trump, after losing the election, speculated that widespread voter fraud took place during the election, and filed lawsuits in several US states contesting the result of the vote without producing evidence to support his allegations.
Because of the CISA’s support of a fair election process, the White House is expected to call for Krebs’ resignation, according to a Reuters report, citing sources close to the CISA chief.
CISA set up a website dubbed “Rumor Control” to debunk misinformation about the election, a move that aroused the ire of the White House.
“White House officials have asked for content to be edited or removed which pushed back against numerous false claims about the election, including that Democrats are behind a mass election fraud scheme. CISA officials have chosen not to delete accurate information.” Reuters reported in an exclusive.
“In particular, one person said, the White House was angry about a CISA post rejecting a conspiracy theory that falsely claims an intelligence agency supercomputer and program, purportedly named Hammer and Scorecard, could have flipped votes nationally. No such system exists, according to Krebs, election security experts and former U.S. officials.”
Bryan Ware, assistant director for cybersecurity at CISA, also told Reuters that he had handed in his resignation on Thursday; a U.S. official familiar with the matter said the White House had asked for Ware’s resignation earlier this week.
Lawmakers and other observers condemned the decision that the administration has taken.
“Chris Krebs has done a great job protecting our elections,” tweeted Sen. Mark Warner (D-Va.).
“Krebs has been one of the top and most visible election security officials and has aggressively debunked misinformation in the aftermath,” said Patrick Howell O’Neill, a cyber reporter at MIT Technology Review.
It is my opinion that CISA, under Krebs’s administration, demonstrated great efficiency, providing detailed and regular security advisories about cyber threats, threat actors and key vulnerabilities.
Report: CISA Chief Expects White House to Fire Him
14.11.20 BigBrothers Threatpost
Chris Krebs, the first and current U.S. cybersecurity director, said his protection of the election process drew ire from the Trump administration.
Top U.S. cybersecurity official Christopher Krebs said he expects to be fired by the Trump administration after he delivered a secure presidential election that didn’t go in the current administration’s favor.
Krebs, the first and current director of the Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA), ensured that the 2020 election was not tampered with by nation-state actors and remained secure for all voters, with the DHS calling it “the most secure in election history” on Thursday.
However, Krebs’ efforts to debunk misinformation about the legitimacy of the election angered the president given the fact that his opponent and former Vice President Joe Biden has been projected the winner. President Trump has been insisting that widespread voter fraud occurred during the election and filed lawsuits in a number of states to challenge the results, despite lack of evidence.
Because of the CISA’s support of a fair election process, the White House is expected to call for Krebs’ resignation, according to a Reuters report, citing sources close to the CISA chief.
“[The] government statement about the election being secure should be unremarkable,” tweeted Jonathan Swan, a reporter with news organization Axios. “But the reality is every person who had a hand in writing it will almost certainly face the wrath of President Trump and his inner circle in the White House.”
Indeed, another CISA official—Krebs’ assistant director, Bryan Ware—also has been a casualty of election fallout. He confirmed to Reuters that he was asked to resign earlier this week, a request with which he complied on Thursday.
Upon hearing the news, lawmakers and other observers took to Twitter to praise the job Krebs has done as CISA director, noting how he put aside partisanship to work for the common goal of protecting U.S. cybersecurity infrastructure and the election process. Many also condemned the administration’s decision to fire him.
“Chris Krebs has done a great job protecting our elections,” tweeted Sen. Mark Warner (D-Va.). “He is one of the few people in this administration respected by everyone on both sides of the aisle. There is no possible justification to remove him from office. None.”
Molly McKew, lead writer at Great Power and a writer and lecturer on Russian influence and information warfare, called the White House’s decision to fire Krebs and Ware “pathetic” given CISA’s success in protecting the election process.
“US officials credited with significant successes in defending our elections from interference, cyberattacks, disinfo are being asked to resign/expect to be fired. Because of course POTUS would rather compromise national security than grow up,” she tweeted.
“Krebs has been one of the top and most visible election security officials and has aggressively debunked misinformation in the aftermath,” noted Patrick Howell O’Neill, a cyber reporter at MIT Technology Review, on Twitter. “Widely respected for his work this year.”
Security experts also chimed in to laud Krebs for the work he’s done since he took on the job as CISA director in June 2018 to protect federal cyber infrastructure and the public from cyber-attack.
Chloé Messdaghi, vice president of strategy at Point 3 Security, told Threatpost: “This last election cycle has been a clear example of why CISA is so important to our national security. The evenhandedness that Christopher Krebs and his team have brought to bear has been invaluable in ensuring election fairness, and in strengthening our threat awareness. CISA confirmed the security of election machines themselves, and highlighted the potential risks of misinformation campaigns by nation state threats.
“He and the team worked closely with other government agencies to bring misinformation threats to the front and keep us informed on threat actors.”
Under Krebs, the CISA issued regular advisories about key vulnerabilities affecting ubiquitous software used by the administration, ordering departments and agencies to update when necessary to remain secure. The agency also issued warnings when the administration became aware of nation-state-sponsored cyberthreats not only to government infrastructure but also the public as well.
“Under his leadership, CISA pushed forward on informing the country of longstanding vulnerabilities being exploited or exploitable by foreign actors, and which needed immediate patching, both for the security of the election and for ongoing organizational and national security,” Messdaghi added. “The United States needs the depth of experience or evenhandedness that he and his team have brought to our nation’s cybersecurity.”
Nation-State Attackers Actively Target COVID-19 Vaccine-Makers
14.11.20 BigBrothers Threatpost
Three major APTs are involved in ongoing compromises at pharma and clinical organizations involved in COVID-19 research, Microsoft says.
Three nation-state cyberattack groups are actively attempting to hack companies involved in COVID-19 vaccine and treatment research, researchers said. Russia’s APT28 Fancy Bear, the Lazarus Group from North Korea and another North Korea-linked group dubbed Cerium are believed to be behind the ongoing assaults.
Tom Burt, corporate vice president of Customer Security and Trust at Microsoft, said on Friday that Microsoft has seen ongoing cyberattacks against at least seven different targets, spread out across the globe.
The majority of the targets are vaccine-makers that have advanced to various stages of clinical trials, Burt said – but one is a clinical research organization involved in trials, and one developed a COVID-19 test.
“These [are] companies directly involved in researching vaccines and treatments for COVID-19,” he wrote, in a blog post. “The targets include leading pharmaceutical companies and vaccine researchers in Canada, France, India, South Korea and the United States.”
He added, “Multiple organizations targeted have contracts with or investments from government agencies from various democratic countries for COVID-19-related work.”
At least some of the attacks have been successful, he added, but a Microsoft spokesperson declined to say what that exactly means. It’s unclear if the attackers were successful in initial compromise or in actually stealing research or other data.
As for the advanced persistent threat (APT) actors involved, Russia’s APT28 group (which Microsoft calls Strontium and which is also known as Fancy Bear or Sofacy) is using password-spraying and brute-force efforts to crack employee accounts, according to Microsoft telemetry.
Lazarus Group meanwhile (called “Zinc” by Microsoft) is using spear-phishing emails to accomplish credential theft, sending messages with fabricated job descriptions pretending to be recruiters.
And as for Cerium, it too is using spear-phishing emails, but in that case the messages masquerade as coming from World Health Organization (WHO) employees.
When reached for comment on the revelations, a Microsoft spokesperson said the company couldn’t comment further on which specific companies were targeted, nor could the software giant provide any further details on the attacks themselves.
“At a time when the world is united in wanting an end to the pandemic and anxiously awaiting the development of a safe and effective vaccine for COVID-19, it is essential for world leaders to unite around the security of our healthcare institutions and enforce the law against cyberattacks targeting those who endeavor to help us all,” Burt said.
The news is just the latest in a disturbing trend of cybercriminals targeting those focused on getting the world out of a deadly pandemic. Both private and state-sponsored groups are targeting pharmaceuticals because of the economic and influential advantages a successful vaccine will provide to countries, according to researchers.
Ongoing COVID-19 Research Attacks
In October, COVID-19 vaccine manufacturer Dr. Reddy’s Laboratories shut down its plants in Brazil, India, Russia, the U.K. and the U.S. following a cyberattack. The Indian company is the contractor for Russia’s “Sputnik V” COVID-19 vaccine, which has entered Phase 3 human trials. It’s unclear what the nature of the attack was.
In July, the U.S. Department of Homeland Security warned that Russia-linked group APT29 (a.k.a. CozyBear or the Dukes) has been targeting British, Canadian and U.S. research companies. The APT looks to pilfer COVID-19 vaccine research from academic and pharmaceutical institutions, in a likely attempt to get ahead on a cure for coronavirus, DHS warned.
Earlier on in the pandemic, WHO was targeted by the DarkHotel APT group, which looked to infiltrate its networks to steal information.
And meanwhile, the Justice Department recently accused Chinese government-linked hackers of spying on Moderna, the Massachusetts biotech company. The federal government is supporting the development of Moderna’s vaccine research, with nearly $1 billion invested and clinical trials underway.
“A vaccine for COVID is a strategically valuable (maybe crucial) asset: Whoever gets a vaccine first has an economic advantage and it is worth billions of dollars to a country and its economy,” Sam Curry, Cybereason CSO, told Threatpost. “It is the ultimate IP with immediate value. Having a six-month lead on ‘re-opening’ the world could have a lasting balance of power impact. It’s like having an oil rush, a data advantage or territorial gain in older real political terms. At the very least, there is the potential for trade, diplomacy, military and strategic advantage.”
Ray Kelly, principal security engineer at WhiteHat Security, said that stealing medical secrets is not the only potential motivation for the attacks.
“At the moment, vaccine manufacturers are ideal targets for ransomware as they are on the cusp of finalizing their COVID-19 trials,” he told Threatpost on Friday. “If a manufacturer is hit by ransomware right now, the malicious actors could ask for the type of money we have never seen when it comes to ransom payments.”
He added, “If it comes to choosing between saving lives, or a massive ransom payment, the choice would be clear.”
FBI Investigating Hack Involving Black Students at Gonzaga
13.11.20 BigBrothers Securityweek
The FBI and Spokane police are now investigating an incident in which the Gonzaga University Black Student Union was hacked during a Zoom meeting and bombarded with racial and homophobic slurs.
The incident occurred last Sunday during a virtual call among members of the Black Student Union. KXLY-TV reports several people joined the call using offensive screen names and began yelling racial and homophobic slurs and sharing pornography on their screens.
Gonzaga University leaders issued a letter this week saying their technical staff was able to capture data of the Zoom-bombing, identifying IP addresses from the people who hijacked the call. The IP addresses were both domestic and international.
They also noted that other universities around the U.S. have had similar Zoom-bombings.
The university said the Spokane Police Department’s criminal investigation unit and the FBI are now involved in the investigation.
“We are deeply disheartened that we must identify ways to maintain safety and security in virtual meeting experiences, but that is a clear reality,” the letter from university leadership said.
DHS Says Voting Systems Not Compromised, Amid Departures at CISA
13.11.20 BigBrothers Securityweek
Two election committees of the U.S. Department of Homeland Security (DHS) issued a joint statement on Thursday saying there was no evidence of voting systems being compromised, noting that the recent election “was the most secure in American history.”
The statement comes from the Election Infrastructure Government Coordinating Council (GCC) Executive Committee — which includes the Cybersecurity and Infrastructure Security Agency (CISA) — and the Election Infrastructure Sector Coordinating Council (SCC).
“When states have close elections, many will recount ballots. All of the states with close results in the 2020 presidential race have paper records of each vote, allowing the ability to go back and count each ballot if necessary. This is an added benefit for security and resilience. This process allows for the identification and correction of any mistakes or errors. There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised,” the statement, posted on CISA’s website, reads.
“Other security measures like pre-election testing, state certification of voting equipment, and the U.S. Election Assistance Commission’s (EAC) certification of voting equipment help to build additional confidence in the voting systems used in 2020.
“While we know there are many unfounded claims and opportunities for misinformation about the process of our elections, we can assure you we have the utmost confidence in the security and integrity of our elections, and you should too,” the committees told the public.
The statement was released following apparently unfounded allegations of election fraud made by the Trump administration and its supporters.
It also follows reports of CISA officials departing. Bryan Ware, assistant director for cybersecurity at CISA, is leaving the agency on Friday and some unconfirmed reports say the White House has asked him to resign.
There have also been reports that Christopher Krebs, the director of CISA, expects to be fired by the White House.
CISA has set up a Rumor Control website whose goal is to debunk misinformation regarding the election. The website addresses rumors related to bad actors changing election results, the DHS and CISA printing ballots with security measures, the election process being hacked or compromised if the results reported on election night change over the following days, defaced election websites resulting in a compromised election, and voter registration database leaks, among many others.
Reuters reported that the White House did not like some of the content posted on the Rumor Control website and demanded that CISA edit or delete information. The agency has refused to do so.
Several officials, including senators Ron Wyden and Mark Warner, have praised Krebs for his role in protecting the elections following the news of his possible ousting.
Microsoft: Russian, North Korean Hackers Target Vaccine Work
13.11.20 BigBrothers Securityweek
Microsoft said it has detected attempts by state-backed Russian and North Korean hackers to steal valuable data from leading pharmaceutical companies and vaccine researchers.
It said in a blog post Friday that most of the attacks in recent months were unsuccessful, but provided no information on how many succeeded or how serious those breaches were.
Chinese state-backed hackers have also been targeting vaccine-makers, the U.S. government said in July while announcing criminal charges.
Microsoft said most of the targets — located in Canada, France, India, South Korea and the United States — were “directly involved in researching vaccines and treatments for COVID-19.” It did not name the targets but said most had vaccine candidates in various stages of clinical trials.
The company identified one of the state-backed hacker groups as Fancy Bear, the Russian military agents who Britain’s National Cyber Security Center said in July were behind such intrusion attempts. Two others were North Korea’s Lazarus Group and a group Microsoft calls Cerium.
Most of the break-in efforts involved attempts to steal the login credentials of people associated with the targeted organizations. The Lazarus Group posed as job recruiters, while Cerium used spear-phishing emails that masqueraded as missives from World Health Organization representatives, Microsoft said.
The blog post coincided with an appearance by Microsoft president Brad Smith at an international forum calling on nations to protect health care facilities from cyberattacks. This year, the Paris Peace Forum is taking place online.
Optimism about a COVID-19 vaccine has grown since pharmaceutical giant Pfizer announced earlier this week that preliminary data showed its vaccine to be 90% effective.
At the same time, coronavirus cases are surging. In the U.S., deaths per day have soared more than 40% over the past two weeks to an average of more than 1,100, the highest level in three months.
Trump Administration Says Still Searching for TikTok Resolution
13.11.20 BigBrothers Securityweek
President Donald Trump's administration said Wednesday it was still working to resolve its security concerns over Chinese-owned app TikTok after the firm sought to delay a deadline to sell its US operations.
Chinese company ByteDance has until Thursday to restructure ownership of the app in the United States to meet national security concerns, but it filed a petition in a Washington court this week asking for a delay.
The company said in a Tuesday statement that it had asked the government for a 30-day extension because of "continual new requests and no clarity on whether our proposed solutions would be accepted," but it had not been granted.
On Wednesday, the US Treasury Department said in a statement it "remains focused on reaching a resolution of the national security risks arising from ByteDance's acquisition of Musical.ly."
ByteDance had established TikTok in the United States three years ago by buying Musical.ly -- a lip-syncing video app that was already present in the country -- and merging the two platforms together.
The Treasury department disputed the firm's allegations of a lack of clarity from the government, saying "we have been clear with ByteDance regarding the steps necessary" to reach a resolution.
The Trump administration has been seeking to ban the app in the US, citing the risk of it handing over American user data to Beijing.
The company flatly denies the allegations.
Trump signed a set of orders against the video platform this summer.
One required ByteDance to sell its US TikTok operations within 90 days, citing national security concerns.
The company also faced an order that would effectively ban the app from the country by the same date.
But on October 30, a Pennsylvania judge issued an injunction temporarily blocking the order aimed at banning it.
The order would have knocked the Chinese-owned video-sharing app offline by cutting it off from US businesses providing website hosting, data storage and other fundamentals needed to operate.
The Trump administration has appealed the ruling.
ByteDance and TikTok have proposed creating a new company with IT firm Oracle as a technology partner and retail giant Walmart as a business partner.
The plan seemed to convince the administration, but the platform is still awaiting a green light.
TikTok has 100 million users in the United States.
Huawei Wins Stay Against Exclusion From Sweden 5G
13.11.20 BigBrothers Securityweek
A Swedish court has suspended a decision banning Huawei equipment from the country's 5G network while it considers the merits of the case against the Chinese telecoms giant.
The ruling by the Stockholm administrative court forced the Swedish Post and Telecom Authority (PTS) to announce late Monday that it would postpone an auction of 5G network frequencies that was due to have taken place on Tuesday.
Huawei contests its ban as a security risk, claiming that it "lacks legal basis, violates fundamental human rights, violates fundamental EU legal principles... and is incorrect in substance".
PTS has said that its October 20 ban, which also affects Chinese company ZTE, is in line with new legislation "to ensure that the use of radio equipment in these (5G network) bands does not cause harm to Sweden's security."
The court ordered the PTS to submit its arguments so it could decide on the merits of the case.
Huawei said that the ban, which prohibits operators in Sweden from acquiring new Huawei equipment and requires them to gradually remove Huawei kit already installed on their 5G networks, will cause irreparable harm to its business.
Sweden's move against Huawei comes after the United States piled pressure on allies to cut the firm from their telecommunications infrastructure.
Washington alleges that Beijing uses Chinese tech firms to spy for it -- allegations which China and the companies deny.
After Britain in July, Sweden is the second country in Europe to outright ban Huawei equipment and the first in the EU to do so.
Sweden's Ericsson and Finnish firm Nokia are major competitors of Huawei in the supply of 5G equipment and infrastructure.
Swiss Spies Benefitted From Secret CIA Encryption Firm: Probe
13.11.20 BigBrothers Securityweek
Switzerland benefitted from a spectacular espionage scheme orchestrated by the CIA and its German counterpart who used a Swiss encryption company to spy on governments worldwide, a parliamentary probe showed Tuesday.
A large media investigation revealed back in February an elaborate, decades-long set-up, in which US and German intelligence services creamed off the top-secret communications of governments through their hidden control of the Crypto encryption company in Switzerland.
The revelation sent shock waves through Switzerland, and the parliament's Control Delegation was asked to investigate.
In a statement announcing the delegation's findings Tuesday, parliament said the Swiss intelligence service had known "since 1993 that foreign intelligence services were hiding behind the company Crypto AG."
The Swiss intelligence service had subsequently benefitted from an "information collaboration", it said.
The Swiss government had meanwhile not been informed of the arrangement until late last year, it said, warning that this raised concerns about gaps in the control over the intelligence service.
"Thus, the government carries some of the responsibility, since the company Crypto AG for years exported 'vulnerable' encryption machines," it said.
The government has until June 2021 to officially comment on the report.
Several of Switzerland's left-leaning parties meanwhile called Tuesday for the creation of a full-fledged parliamentary commission to do a more in-depth investigation.
According to the revelations in February by the Washington Post, German broadcaster ZDF and Swiss broadcaster SRF, Crypto served for decades as a Trojan horse to spy on governments worldwide.
The company supplied devices for encoded communications to some 120 countries from after World War II to the beginning of this century, including Iran, South American governments, and India and Pakistan.
Unknown to those governments, Crypto was secretly acquired in 1970 by the US Central Intelligence Agency together with then-West Germany's BND Federal Intelligence Service.
Together they rigged Crypto's equipment to be able to easily break the codes and read the government customers' messages.
Citing a classified internal CIA history of what was originally called operation "Thesaurus" and later "Rubicon," the reports said that in the 1980s the harvest from the Crypto machines supplied roughly 40 percent of all the foreign communications US code-breakers processed for intelligence.
The spy agencies were thus able to gather precious information during major crises, such as the hostage crisis at the US embassy in Tehran in 1979 and the 1982 Falklands War between Argentina and Britain.
TikTok Files Last-Minute Petition Against Trump Order
12.11.20 BigBrothers Securityweek
TikTok asked a Washington court Tuesday to stop an order from US President Donald Trump's administration from taking effect this week as the White House seeks to ban the Chinese-owned app in the United States.
Chinese company ByteDance is facing a Thursday deadline to restructure ownership of the app in the United States to meet US security concerns.
In its court petition, TikTok asked for more time, saying it has not received enough feedback on its proposed solution.
The company said in a statement that it had asked the government for a 30-day extension because it was "facing continual new requests and no clarity on whether our proposed solutions would be accepted" but it had not been granted.
It was turning to the court for that reason, it said.
US President Donald Trump signed a set of orders against the video platform this summer.
One required ByteDance to sell its US TikTok operations within 90 days, citing national security concerns.
The company also faced an order that would effectively ban the app from the country by the same date.
But on October 30, a Pennsylvania judge issued an injunction temporarily blocking the order aimed at banning it.
The order would have knocked the Chinese-owned video-sharing app offline by cutting it off from US businesses providing website hosting, data storage and other fundamentals needed to operate.
Trump has accused the popular video-sharing app of handing over American user data to Beijing -- which the company flatly denies.
After negotiations with several US firms, ByteDance and TikTok proposed creating a new company with IT company Oracle as a technology partner and retail giant Walmart as a business partner.
The plan seemed to convince the administration, but the platform is still awaiting a green light.
TikTok said that with Thursday's "deadline imminent and without an extension in hand, we have no choice but to file a petition in court to defend our rights and those of our more than 1,500 employees in the US."
TikTok has 100 million users in the United States.
EU bodies agree on new EU export rules for dual-use technology
11.11.20 BigBrothers Securityaffairs
The European Union this week agreed to tighten up rules for the sale and export of dual-use technology.
European Parliament votes to tighten up rules for the sale and export of surveillance and encryption technology.
EU lawmakers and the European Council aim to update controls on the sale of dual-use solutions such as surveillance spyware, facial recognition systems and drones, to prevent authoritarian governments from abusing them for censorship and for persecuting political opponents and dissidents in violation of human rights.
The term “dual-use” refers to technology that can be used for both peaceful and military aims.
The new rules oblige European companies to apply for government licenses to export surveillance solutions, demonstrating that the sale does not pose a risk to human rights.
EU authorities also require member countries to be more transparent about the export licenses they grant.
The update was prompted by technological developments and growing security risks.
“EU countries will also have to be more transparent by publicly disclosing details about the export licenses they grant. And the rules can also be swiftly changed to cover emerging technologies.” states the Associated Press.
“Dual use technology could also include high-performance computers, drones and certain chemicals.”
Most countries have export controls on dual-use technologies that restrict the export of certain commodities and technologies without the permission of the government.
In the US the Bureau of Industry and Security (BIS) Office of Export Enforcement (OEE) is the agency that investigates potential violations of export control.
In the European Union dual-use technology is controlled through the Control List of Dual Use Items.
“Today is a win for global human rights. We have set an important example for other democracies to follow,” said Marketa Gregorova, a European Parliament lawmaker who was one of the lead negotiators. “Authoritarian regimes will no longer be able to secretly get their hands on European cyber-surveillance.”
The agreement is the result of intense negotiations that lasted several years, and it still has to be formally approved by the European Parliament and other bodies.
The role of human rights groups was crucial in defining the new criteria that are meant to prevent the sale and export of certain surveillance and intrusion technologies to governments that could use them to abuse human rights.
“The informal political agreement now needs to be formally endorsed by the International Trade Committee and Parliament as a whole, as well as the Council, before it can enter into effect.” concludes the press release published by the European Parliament.
Czech Intel Report Targets Russian, Chinese Spies
11.11.20 BigBrothers Securityweek
The Czech Republic's intelligence agency said Tuesday Russian and Chinese spies posed an imminent threat to the EU member's security and other key interests last year.
In its annual report, the Security Information Service (BIS) said the intelligence services of Russia and China played an important role in promoting their interests abroad.
"The key difference is that Russia seeks to destabilise and disintegrate its opponents, while China is trying to build a Sinocentric global community wherein other nations acknowledge the legitimacy of China's interests," BIS said.
All Russian intelligence services were active on Czech territory in 2019. Spies with a diplomatic cover focused on promoting Russia's interests and the Kremlin's views, as well as boosting Russia's reputation in the Czech Republic.
Chinese spies used covers as diplomats, journalists or scientists and "used the openness of the Czech environment to the offer of Chinese investment," BIS said.
They targeted the tech sector, the military, security, infrastructure, the health sector, the economy and environmental protection and looked for ways to create a favourable portrait of China.
BIS added that foreign spies also targeted Czech cyberspace with attacks aimed at the foreign ministry and diplomatic missions abroad, but also the infrastructure of Czech anti-virus software maker Avast.
It said Russian and Chinese services were behind these attacks, adding that phishing and spear-phishing emails were the most frequently used tactic.
Trump Site Alleging AZ Election Fraud Exposes Voter Data
10.11.20 BigBrothers Threatpost
Slapdash setup of Trump website collecting reports of Maricopa County in-person vote irregularities exposed 163,000 voter data records to fraud, via SQL injection.
A security flaw on a website set up to gather evidence of in-person voter fraud in Arizona would have opened the door for SQL injection and other attacks.
The bug, found on a site set up by the Trump campaign called dontpressthegreenbutton.com, was discovered by cybersecurity pro Todd Rossin, almost by accident.
The researcher saw a news story about alleged voter fraud in Maricopa County, which is home to Phoenix, Scottsdale and the main bulk of Arizona’s population. The article explained that the Trump campaign has filed a lawsuit alleging that voters were tricked by poll workers into submitting ballots with errors, overriding the system by pressing a green button. The news article linked to the site associated with the suit, dontpressthegreenbutton.com, which said it is collecting legal, sworn declarations of such fraud to be used as evidence.
Rossin clicked on the site and started poking around.
“I went to the Green Button site and made up a name, and [then] saw all these other voters’ names and addresses pop up,” Rossin told Threatpost. “I wasn’t looking for it but was surprised to see it.”
Rossin shared his findings on Reddit under his username BattyBoomDaddy, and the post quickly gained traction, racking up nearly 250 comments and more than 7,600 upvotes so far.
“Someone…ran a script to test out how easy it would be to pull the data and change the parameters to start with the letter ‘A’ and to stop at the first 5,000 entries – and bam, the first 5,000 names and addresses,” Rossin explained. “Someone else used a SQL injection to pull names, addresses, dates-of-birth (DOBs) and last four of Social Security numbers.”
Plenty of voter data is public in Arizona – but Social Security numbers and dates of birth are supposed to be kept confidential.
API and SQL Injection
Rossin told Threatpost that he, along with others, reported the breach to the Maricopa County Elections Department.
“This is a perfect example of ‘rushing to market’ as it is clear that this site was rushed with little to no thought given to security,” Ray Kelly, principal security engineer at WhiteHat Security, told Threatpost. “For example, a simple automated security scan would certainly have found the SQL-injection vulnerability in minutes and prevented the sensitive data from being pulled from their database.”
The Green Button site.
Infosec professional Richey Ward saw Rossin’s post and decided to do a little digging of his own. Ward shared his findings on Twitter, where he explained that he was able to access full names and addresses of 163,000 voters, tagging the Maricopa County Elections Department. While this information is made publicly accessible to campaigns, Arizona law prohibits it from being shared via the web.
“Tracing this to an Algolia API call is trivial alongside API keys,” Ward wrote. “This allows anyone with the keys to query the data outside the website.”
Just hours later, Ward found that the API was taken down and no longer accessible.
“I was happy that people recognized it was a big deal,” Rossin added. “I also looked up Ariz. law on it and the law specifically says that the information is not to be distributed and specially says not on the internet.”
And while the obvious security vulnerabilities associated with the Green Button site have been addressed, Rossin said the site is still far from secure.
“Yes, they pulled the API down,” Rossin told Threatpost. “It still has very lax security.”
Rejected Voter Lawsuit
Threatpost hasn’t been successful in multiple attempts to contact the attorney behind the Green Button lawsuit, Alexander Kolodin or his firm, Kolodin Law group.
The security issue comes to light amid attacks targeting voters and voter data. Just a month ago, in the lead-up to the election, voters were victimized by a phishing lure trying to convince them to give up their information. And election cybersecurity more generally is a crucial point of focus for campaigns and law-enforcement officials. It’s up to campaigns to make sure they’re keeping their eye on security in all phases of their outreach.
“Looking at the evidence so far, it does indeed look like an issue for voter data exposure,” Brandon Hoffman, CISO at Netenrich, said about the site. “These political campaigns, in their haste, are doing more damage to people than the good they can hope to deliver. While everybody understands the desire and need for transparency and a fair outcome for all, they also have the utmost responsibility to voters to keep our information protected if they plan to use it.”
Despite the reported security vulnerabilities, the dontouchthegreenbutton.com site assures visitors, “The Republican National Committee and Donald J. Trump for President, Inc. will not disclose personally identifying information except as required by law.”
Netenrich added that although this breach is associated with the Trump campaign, neither political party is effectively protecting voter data. In September, the official application of the Joe Biden campaign was found to have a privacy issue.
The Vote Joe app allows users to share data about themselves and their contacts with a voter database run by Target Smart. The App Analyst noted at the time that “an issue occurs when the contact in the phone does not correspond with the voter, but the data continues to enrich the voter database entry. By adding fake contacts to the device, a user is able to sync these with real voters.”
“Both campaigns have now provided exposures of data for voters with no apparent ramifications,” Netenrich said. “If a lay person put up a website leaking Social Security numbers and addresses of people, they would likely be in jail and under litigation. The companies and campaigns that are using personally identifiable information of Americans must take the time and diligence to protect that data.”
FBI warns of attacks on unsecured SonarQube used by US govt agencies and businesses
10.11.20 BigBrothers Securityaffairs
The FBI warns that threat actors are abusing misconfigured SonarQube applications to steal source code from US government agencies and businesses.
The Federal Bureau of Investigation has issued an alert warning that threat actors are abusing misconfigured SonarQube applications to access and steal source code repositories from US government agencies and businesses. The alert, coded as MU-000136-MW, was issued on October 14th, but only publicly disclosed last week.
SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities on 20+ programming languages.
SonarQube apps are installed on web servers and are directly connected to systems and source code repositories, such as BitBucket, GitHub, or GitLab accounts, or Azure DevOps.
The attacks have been taking place since at least April 2020; threat actors target systems left in their default configuration (listening on port 9000) with the default admin credentials (admin/admin).
“Since April 2020, unidentified cyber actors have actively targeted vulnerable SonarQube instances to access source code repositories of US government agencies and private businesses. The actors exploit known configuration vulnerabilities, allowing them to gain access to proprietary code, exfiltrate it, and post the data publicly,” reads the alert. “The FBI has identified multiple potential computer intrusions that correlate to leaks associated with SonarQube configuration vulnerabilities.”
The attacks aimed at accessing and stealing proprietary or private, sensitive application source code.
The alert cites two incidents in which threat actors exploited the misconfiguration to carry out the attacks. In August 2020, unknown attackers leaked internal data from two organizations using a public lifecycle repository tool. The stolen data were connected to unsecured SonarQube instances that were using default port settings and admin credentials running on the affected organizations’ networks.
In July 2020, an identified cyber actor exfiltrated proprietary source code from enterprises through unsecured SonarQube instances and published it on a self-hosted public repository.
The alert provides the following mitigations:
Change the default settings, including changing default administrator username, password, and port (9000).
Place SonarQube instances behind a login screen, and check if unauthorized users have accessed the instance.
Revoke access to any application programming interface keys or other credentials that were exposed in a SonarQube instance, if feasible.
Configure SonarQube instances to sit behind your organization’s firewall and other perimeter defenses to prevent unauthenticated access.
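The first, second and fourth mitigations above can be checked against a SonarQube server's sonar.properties file. The following audit script is an added example, not part of the FBI alert or of SonarQube itself; it assumes the documented property names sonar.web.host, sonar.web.port and sonar.forceAuthentication (the last is normally set in the admin UI, and reading it from the file is an assumption), and the two configuration texts are constructed samples.

```python
"""Audit a sonar.properties file against the FBI's SonarQube mitigations.

Added example (not the FBI's or SonarQube's code). Checks the settings that
can be verified offline: default port, listening on every interface, and
anonymous access. Changing the default admin password cannot be checked here.
"""

DEFAULT_PORT = 9000  # the default SonarQube port named in the alert

# Constructed sample: a stock install that still listens on every interface
# on the default port and does not force authentication.
WEAK_SONAR_PROPERTIES = """
# sonar.properties (constructed example, weak)
sonar.web.host=0.0.0.0
sonar.web.port=9000
sonar.jdbc.url=jdbc:postgresql://localhost/sonar
"""

# Constructed sample: bound to loopback behind a reverse proxy/firewall,
# non-default port, authentication required for every request.
HARDENED_SONAR_PROPERTIES = """
# sonar.properties (constructed example, hardened)
sonar.web.host=127.0.0.1
sonar.web.port=9100
sonar.forceAuthentication=true
sonar.jdbc.url=jdbc:postgresql://localhost/sonar
"""


def parse_properties(text):
    """Parse Java-style key=value lines; blank lines and # comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit(props):
    """Return a list of findings for the parsed properties; [] means clean.

    Absent keys are treated as SonarQube's documented defaults (host 0.0.0.0,
    port 9000). forceAuthentication defaults vary by version, so an absent
    key is conservatively reported as 'not enforced' (assumption).
    """
    findings = []

    port = props.get("sonar.web.port", str(DEFAULT_PORT))
    if port == str(DEFAULT_PORT):
        findings.append(f"default port {DEFAULT_PORT}: change it")

    host = props.get("sonar.web.host", "0.0.0.0")
    if host in ("0.0.0.0", "::"):
        findings.append(
            "listens on all interfaces: bind to loopback behind a firewall/proxy"
        )

    if props.get("sonar.forceAuthentication", "false").lower() != "true":
        findings.append("anonymous access allowed: set sonar.forceAuthentication=true")

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SONAR_PROPERTIES),
                        ("hardened", HARDENED_SONAR_PROPERTIES)):
        result = audit(parse_properties(text))
        print(f"{label}: {result or 'no findings'}")
```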
In May 2018, the UK operator EE, Britain's largest mobile network with some 30 million customers, left a critical code system exposed online with a default password.
The code was exposed on the SonarQube open source platform hosted on an EE subdomain.
Rights Activists Slam EU Plan for Access to Encrypted Chats
10.11.20 BigBrothers Securityweek
Digital rights campaigners on Monday criticized a proposal by European Union governments that calls for communications companies to provide authorities with access to encrypted messages.
The plan, first reported by Austrian public broadcaster FM4, reflects concern among European countries that police and intelligence services can’t easily monitor online chats that use end-to-end encryption, such as Signal or WhatsApp.
A draft proposal dated Nov. 6 and circulated by the German government, which holds the EU’s rotating presidency, proposes creating a “better balance” between privacy and crime fighting online.
The confidential draft, obtained independently by The Associated Press, states that “competent authorities must be able to access data in a lawful and targeted manner, in full respect of fundamental rights and the data protection regime, while upholding cybersecurity.”
It adds that “technical solutions for gaining access to encrypted data must comply with the principles of legality, transparency, necessity and proportionality.”
German Left party lawmaker Anke Domscheit-Berg accused European governments of using anxiety caused by recent extremist attacks, such as those in France and Austria, as an excuse for greater surveillance measures, and argued that providing authorities with a key to unlock all forms of encrypted communications would pose a grave security risk to all users.
“Anyone who finds an open back door into my house can enter it, the same is true for back doors in software,” Domscheit-Berg said. “The proposed EU regulation is an attack on the integrity of digital infrastructure and therefore very dangerous.”
Patrick Breyer, a member of the European Parliament with Germany’s Pirate Party, said enabling governments to intercept encrypted communications “would be the end of secure encryption altogether and would open back doors also for hackers, foreign intelligence, etc.”
The proposal, which would still need to be adopted by EU governments later this month, is not legally binding. But it sets out the political position that EU member states want the bloc’s executive commission to pursue in its dealings with technology companies and the European Parliament.
Huawei Appeals Swedish 5G Ban
7.11.20 BigBrothers Securityweek
Chinese telecoms group Huawei has appealed Sweden's decision to ban it from the country's 5G network for security reasons, a legal filing obtained by AFP on Friday showed.
The ban, announced by the Swedish Post and Telecom Authority (PTS) on October 20, "lacks legal basis, violates fundamental human rights, violates fundamental EU legal principles ... and is incorrect in substance," Huawei wrote in its appeal to PTS and the Stockholm administrative court.
If carried out, it would cause "exceptionally comprehensive and irreparable damage" to its business, Huawei added.
PTS has said that its ban, which also affects Chinese company ZTE, is in line with new legislation that took effect in January 2020, following an examination by Sweden's armed forces and security service "to ensure that the use of radio equipment in these (5G network) bands does not cause harm to Sweden's security."
Carriers using any existing Huawei and ZTE installations must also remove them by January 2025, PTS said.
The United States alleges Chinese firms are used to spy for Beijing -- allegations which China denies -- and has piled pressure on allies to cut Huawei from their telecommunications infrastructure.
Huawei said in its appeal there was "no concrete evidence of a cyber security threat" posed by the company, and insisted that "the Chinese state cannot order Huawei to spy".
China's embassy in Stockholm has previously urged the Swedish government to review its decision.
North Korean Hackers Used 'Torisma' Spyware in Job Offers-based Attacks
6.11.20 BigBrothers Thehackernews
A cyberespionage campaign aimed at aerospace and defense sectors in order to install data gathering implants on victims' machines for purposes of surveillance and data exfiltration may have been more sophisticated than previously thought.
The attacks, which targeted IP addresses belonging to internet service providers (ISPs) in Australia, Israel and Russia, and defense contractors based in Russia and India, involved a previously undiscovered spyware tool called Torisma that stealthily monitors its victims for continued exploitation.
Tracked under the codename of "Operation North Star" by McAfee researchers, initial findings into the campaign in July revealed the use of social media sites, spear-phishing, and weaponized documents with fake job offers to trick employees working in the defense sector to gain a foothold on their organizations' networks.
The attacks have been attributed to infrastructure and TTPs (Tactics, Techniques, and Procedures) previously associated with Hidden Cobra — an umbrella term used by the US government to describe all North Korean state-sponsored hacking groups.
The development continues the trend of North Korea, a heavily sanctioned country, leveraging its arsenal of threat actors to support and fund its nuclear weapons program by perpetrating malicious attacks on US defense and aerospace contractors.
While the initial analysis suggested the implants were intended to gather basic victim information so as to assess their value, the latest investigation into Operation North Star exhibits a "degree of technical innovation" designed to remain hidden on compromised systems.
Not only did the campaign use legitimate job recruitment content from popular US defense contractor websites to lure targeted victims into opening malicious spear-phishing email attachments, the attackers compromised and used genuine websites in the US and Italy — an auction house, a printing company, and an IT training firm — to host their command-and-control (C2) capabilities.
"Using these domains to conduct C2 operations likely allowed them to bypass some organizations' security measures because most organizations do not block trusted websites," McAfee researchers Christiaan Beek and Ryan Sherstibitoff said.
What's more, the first-stage implant embedded in the Word documents would go on to evaluate the victim system data (date, IP Address, User-Agent, etc.) by cross-checking with a predetermined list of target IP addresses to install a second implant called Torisma, all the while minimizing the risk of detection and discovery.
This specialized monitoring implant is used to execute custom shellcode, in addition to actively monitoring for new drives added to the system as well as remote desktop connections.
"This campaign was interesting in that there was a particular list of targets of interest, and that list was verified before the decision was made to send a second implant, either 32 or 64 bits, for further and in-depth monitoring," the researchers said.
"Progress of the implants sent by the C2 was monitored and written in a log file that gave the adversary an overview of which victims were successfully infiltrated and could be monitored further."
U.S. Seizes More Domains Used by Iran for Disinformation
5.11.20 BigBrothers Securityweek
The United States this week announced that it seized 27 domain names that were employed by Iran’s Islamic Revolutionary Guard Corps (IRGC) to spread disinformation.
All of the domains, seizure documents reveal, were violating U.S. sanctions against the government of Iran and the IRGC. Twenty-three of the domains were targeting audiences abroad.
The other four, the U.S. Department of Justice reveals, were posing as news outlets, but were in fact controlled by the IRGC to target audiences in the United States. The purpose of these domains was to covertly influence U.S. policy and public opinion, thus violating the Foreign Agents Registration Act (FARA).
The seizure was performed following similar action in early October, when a total of 92 domain names leveraged by the IRGC for disinformation were seized.
Details on how these domains were being used in violation of federal law were included in the seizure warrant issued on November 3, 2020.
The fact that the IRGC controlled these domains was in violation of the International Emergency and Economic Powers Act (IEEPA) and the Iranian Transactions and Sanctions Regulations (ITSR), which require that U.S. persons obtain a license for providing services to the government of Iran.
IRGC is also believed to have provided material support to terrorist groups such as Hizballah, Hamas, and the Taliban, which resulted in IRGC being added to the Department of the Treasury’s Office of Foreign Assets Control’s (OFAC) list of Specially Designated Nationals.
The seized domains were registered with U.S.-based domain registrars and also employed top-level domains that are owned by U.S.-based registries, but no license was obtained from OFAC for them.
Domain names “rpfront.com,” “ahtribune.com,” “awdnews.com” and “criticalstudies.org” were also seized pursuant to FARA, which seeks to keep both the U.S. government and U.S. citizens informed on the “the source of information and the identity of persons attempting to influence U.S. public opinion, policy, and law.”
Although these domains targeted an audience in the U.S., they failed to obtain proper registration pursuant to FARA and did not notify the public who is behind the content on these domains.
CERT/CC Seeks to Remove Fear Element From Named Vulnerabilities
4.11.20 BigBrothers Securityweek
Most people will immediately recognize CVE-2014-0160 as a vulnerability, but few will know which vulnerability it refers to. Call it Heartbleed, however, and more people will know more about it. That's the strength of natural language over numbers -- humans remember words more easily than numbers. It's the same argument as that for using domain names rather than IP addresses for web browsing.
The weakness, however, is that natural language words carry emotive undertones, and that is a concern for Leigh Metcalf at Carnegie Mellon's Software Engineering Institute. She worries that some vulnerability discoverers choose to name their discoveries purely for maximum media impact rather than accurately reflecting the severity of the flaw -- which could lead to worry, or even fear, among users. Other examples she specifically mentions are Spectre, Meltdown, and Dirty Cow.
"This is an area of concern for the CERT/CC as we attempt to reduce any fear, uncertainty, and doubt for vendors, researchers, and the general public," she blogs. The reasoning is similar to that of the technical director of the NCSC, Ian Levy, who wrote in November 2016, "One thing that’s missing in cyber security is unbiased data... It’s time to stop talking about what the winged ninja cyber monkeys can do and... be in a place where the skilled network defender community are free to tackle the really nasty stuff."
Related: Industry CMO on the Downstream Risks of "Logo Disclosures"
CERT/CC set itself the task of automatically generating natural-language descriptors to represent CVE numbers, but without any emotive bias. "Our goal," writes Metcalf, "is to create neutral names that provides a means for people to remember vulnerabilities without implying how scary (or not scary) the particular vulnerability in question is."
To achieve this, CERT/CC decided to 'randomly' pair an adjective with a noun, acquiring both word lists from Wiktionary "and categories of words such as animals, plants, objects in space, and more." Word pairs are then mapped to the CVE IDs using the Cantor Depairing Function, which allows a natural number to be mapped to two natural numbers uniquely.
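The Cantor depairing step described above, worked through as an added example (this is not CERT/CC's or @vulnonym's code): the Cantor pairing function maps a pair of natural numbers to one natural number bijectively, and its inverse splits a CVE-derived integer back into two indices, one for the adjective and one for the noun. The word lists are constructed stand-ins, and the encoding of a CVE ID as an integer (year times ten million plus the sequence number) is an assumption made here, not the project's.

```python
"""Neutral vulnerability names via Cantor (de)pairing. Added example."""
import re
from math import isqrt

# Constructed word lists standing in for the Wiktionary-derived corpus;
# a real deployment would use lists large enough to avoid the modulo below.
ADJECTIVES = ["brisk", "collected", "privileged", "shielded", "quiet", "amber", "hollow"]
NOUNS = ["squirt", "camp", "ukulele", "agnus", "lantern", "otter", "comet"]


def cantor_pair(x, y):
    """Cantor pairing function: a bijection from N x N onto N."""
    return (x + y) * (x + y + 1) // 2 + y


def cantor_depair(z):
    """Inverse of cantor_pair, in integer arithmetic only (no float rounding).

    w is the diagonal index: the largest w with w(w+1)/2 <= z.
    """
    w = (isqrt(8 * z + 1) - 1) // 2
    t = w * (w + 1) // 2
    y = z - t
    x = w - y
    return x, y


def cve_to_int(cve_id):
    """Encode 'CVE-YYYY-NNNN...' as a natural number (assumed scheme, not CERT/CC's).

    Sequence numbers are at most seven digits, so year * 10^7 + sequence is unique.
    """
    m = re.fullmatch(r"CVE-(\d{4})-(\d{4,7})", cve_id)
    if not m:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(m.group(1)) * 10_000_000 + int(m.group(2))


def name_for(cve_id):
    """Adjective-noun name for a CVE ID. Depairing is unique; the modulo onto
    the small sample word lists is what makes collisions possible here."""
    x, y = cantor_depair(cve_to_int(cve_id))
    return f"{ADJECTIVES[x % len(ADJECTIVES)].title()} {NOUNS[y % len(NOUNS)].title()}"


if __name__ == "__main__":
    for cve in ("CVE-2020-16006", "CVE-2020-16002", "CVE-2020-15996"):
        print(cve, "->", name_for(cve))
```

Because depairing is the exact inverse of pairing, two different CVE IDs never share an (adjective index, noun index) pair before the modulo; with word lists as long as the largest index, the name is unique.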
The results of the process can be seen on Twitter (@vulnonym, which is "a bot for generating names for CVE IDs"). Recent examples include Privileged Ukulele for CVE-2020-16006; Collected Camp for CVE-2020-16002; and Shielded Agnus for CVE-2020-16001. There is no doubt that there is no apparent emotive bias to the new naming convention, but much still needs to be done on the project -- and it is not entirely clear that two disconnected words are any better than one emotive word.
There is also the possibility that an automated bot can generate an entirely unacceptable combination. "In case anyone considers a word or name to be offensive," writes Metcalf, "we have a simple process to remove it from the corpus and re-generate a name." However, what is inoffensive to one person could be very offensive to another. For example, one @vulnonym tweet reads, "My real name is CVE-2020-15996 but all my friends call me Brisk Squirt." Brisk Squirt, incidentally, is entirely inoffensive to me. It (CVE-2020-15996) is a high-risk use-after-free in Passwords on Android, fixed in Chrome 86 (86.0.4240.99) for Android.
@vulnonym is currently described as an experiment, and CERT/CC asks users to "let us know if this naming experiment is useful." However, many of the researching vendors who discover vulnerabilities are primarily motivated by the marketing potential of an emotive description -- they may be reluctant to give up exposing MeltdownPlus in favor of Brisk Squirt. Only time will tell whether this naming experiment proves worth the effort, or if the project gets consigned to the Ministry of Silly Names.
New Kimsuky Module Makes North Korean Spyware More Powerful
3.11.20 BigBrothers Thehackernews
A week after the US government issued an advisory about a "global intelligence gathering mission" operated by North Korean state-sponsored hackers, new findings have emerged about the threat group's spyware capabilities.
The APT — dubbed "Kimsuky" (aka Black Banshee or Thallium) and believed to be active as early as 2012 — has now been linked to as many as three hitherto undocumented malware tools, including an information stealer, a tool equipped with anti-analysis features, and a new server infrastructure with significant overlaps to its older espionage framework.
"The group has a rich and notorious history of offensive cyber operations around the world, including operations targeting South Korean think tanks, but over the past few years they have expanded their targeting to countries including the United States, Russia and various nations in Europe," Cybereason researchers said in an analysis yesterday.
Last week, the FBI and departments of Defense and Homeland Security jointly released a memo detailing Kimsuky's tactics, techniques, and procedures (TTPs).
Leveraging spear-phishing and social engineering tricks to gain the initial access into victim networks, the APT has been known to specifically target individuals identified as experts in various fields, think tanks, the cryptocurrency industry, and South Korean government entities, in addition to posing as journalists from South Korea to send emails embedded with BabyShark malware.
In recent months, Kimsuky has been attributed to a number of campaigns using coronavirus-themed email lures containing weaponized Word documents as their infection vector to gain a foothold on victim machines and launch malware attacks.
"Kimsuky focuses its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions," the Cybersecurity and Infrastructure Security Agency (CISA) said.
Now, according to Cybereason, the threat actor has acquired new capabilities via a modular spyware suite called "KGH_SPY," allowing it to carry out reconnaissance of target networks, capture keystrokes, and steal sensitive information.
Besides this, the KGH_SPY backdoor can download secondary payloads from a command-and-control (C2) server, execute arbitrary commands via cmd.exe or PowerShell, and even harvest credentials from web browsers, Windows Credential Manager, WINSCP and mail clients.
Also of note is the discovery of a new malware named "CSPY Downloader" that's designed to thwart analysis and download additional payloads.
Lastly, Cybereason researchers unearthed a new toolset infrastructure registered between 2019-2020 that overlaps with the group's BabyShark malware used to previously target US-based think tanks.
"The threat actors invested efforts in order to remain under the radar, by employing various anti-forensics and anti-analysis techniques which included backdating the creation/compilation time of the malware samples to 2016, code obfuscation, anti-VM and anti-debugging techniques," the researchers said.
"While the identity of the victims of this campaign remains unclear, there are clues that can suggest that the infrastructure targeted organizations dealing with human rights violations."
Russian Election Threat Potent, But Interference So Far Slim
2.11.20 BigBrothers Securityweek
Russian interference has been minimal so far in the most tempestuous U.S. presidential election in decades. But that doesn’t mean the Kremlin can’t inflict serious damage. The vulnerability of state and local government networks is a big worry.
One troubling wildcard is the potential for the kind of ransomware attacks now affecting U.S. hospitals. Russian-speaking cybercriminals are demanding ransoms to unscramble data they’ve locked up. It’s uncertain whether they are affiliated with the Kremlin or if the attacks are timed to coincide with the election.
U.S. national security officials have repeatedly expressed confidence in the integrity of the election. And they report little actual election meddling of consequence from Moscow outside of disinformation operations. There have been phishing attempts aimed at breaking into the networks of political campaigns, operatives and think tanks, but no indication that valuable political information was stolen. That’s in contrast to the 2016 Russian hack-and-leak operation that U.S. officials say was aimed at boosting Donald Trump’s campaign.
“The big story so far is how little we have seen from Russia during the course of this election,” said Dmitri Alperovitch, former chief technical officer of Crowdstrike, the cybersecurity firm hired by Democrats to probe the 2016 hack-and-leak operation.
But U.S. intelligence officials still consider Russia the most serious foreign cyberthreat, and fear it might try to capitalize on turmoil in an election in which Trump has claimed without basis that the voting is rigged and has refused to commit to honoring the result.
State and local government networks remain highly vulnerable, and dozens have already been battered by ransomware attacks sown largely by a few Russian-speaking criminal gangs.
“If the elections are a mess and we won’t find out for weeks who won, that creates all sorts of opportunities for Russians and others to try to cause more divisions and more havoc and chaos,” Alperovitch said. Those go beyond disinformation operations — such as Kremlin attempts to smear former Vice President Joe Biden — which he considers “background noise.”
There are indications that Russian malware planted long ago is lurking hidden, awaiting activation should Russian President Vladimir Putin give the order.
Agents from Russia’s elite Energetic Bear hacking group have since September infiltrated dozens of state and local government networks, federal officials announced last week. They said there was no evidence that election infrastructure was targeted or violated.
Election officials fear a “blend” of overlapping attacks intended to undermine voter confidence and incite political violence: taking over state or local government websites to spread misinformation, crippling election results-reporting websites with denial-of-service attacks, hijacking officials’ social media accounts and making false claims about rigged voting.
So far, the highest-profile foreign meddling incident has been by Iran — a ham-fisted, quickly detected operation in which some Democratic voters received emails threatening them if they didn’t vote for Trump. U.S. officials said Iranians spoofed the sender addresses, purporting to be from the far-right Proud Boys.
On Friday, the FBI and DHS issued an advisory saying the Iranians had scanned state election websites at the end of September — researching their firewalls — and successfully obtained voter registration data in at least one state, using it in an amateurish propaganda video that almost nobody saw before YouTube took it offline. The advisory did not name the affected states or say if any voter registration data was altered.
There have been other incidents. Tuesday’s brief hacking of Trump’s campaign website — an apparent scam by someone seeking to collect cryptocurrency — is a taste of what could be in store. Another was a ransomware attack on Hall County, Georgia, that scrambled a database of voter signatures used to authenticate absentee ballot envelopes.
Election officials across the country have faced phishing attempts and scans of their networks, but that’s considered routine, and none have been publicly linked this election cycle to specific malware infections by foreign adversaries.
Election security officials say they worry more about misinformation mongers eroding confidence in the election than about the potential for vote-tampering.
“The goal is not necessarily to influence a race, but to break down democracy,” said Dave Tackett, chief information officer for West Virginia’s secretary of state. “My biggest concern is a hook that is already in that could explode.”
Such a hook would be malware bombs long hidden in government networks that Russia or another adversary could activate in the thick of a close election as ballot-counting continues past Tuesday due to the large number of mailed-in ballots.
In 2016, Kremlin agents didn’t act after infiltrating Illinois’ voter registration database and election operations in at least two Florida counties. It’s not clear they would show similar restraint this year.
“I do think they returned those arrows to their quiver and made them better for this year,” Peter Strzok, a former FBI agent who helped lead the 2016 election interference probe, said in an interview. He declined to elaborate.
Following Russian military agents’ posting online of emails they hacked from Democrats in 2016, federal officials endeavored to harden state and local government networks. But cybersecurity experts say they remain highly vulnerable, and the public should be wary of claims by election officials that vote-staging and tabulation are fully segregated from those networks.
Often, computer systems “that are thought to be completely isolated turn out to have some sort of connection to the network that the folks weren’t aware of,” said Suzanne Spaulding, the Department of Homeland Security’s top cybersecurity official during the Obama administration.
That exacerbates concerns about ransomware, the FBI’s biggest worry for election interference. Typically seeded weeks before activation, it encrypts entire networks into gibberish until the victims pay up. An attack — with plausible deniability for the Kremlin — could freeze up voter registration databases or election-reporting systems.
While care has been made to segment election systems from other operations at the state level, counties generally don’t separate them. That spells danger.
The cybersecurity firm Awake Security reviewed publicly available databases of internet-facing government servers in 48 states this month and found apparently vulnerable machines in every one. More than 2,500 servers showed critical or high-risk vulnerabilities. A skilled adversary could wipe entire networks clean.
Complicating the equation is the Trickbot network of infected zombie computers controlled by a Russian-speaking criminal consortium that Microsoft has been attempting to disable. It has been the main conduit for Ryuk, the ransomware the FBI says is being wielded against U.S. healthcare facilities.
Alexander Heid, chief research officer for SecurityScorecard, said his firm found 30,000 Trickbot infections on 12 state networks in September and early October.
It’s unclear who’s behind Trickbot and Ryuk or if there’s a relationship with the Kremlin. But cybersecurity threat analysts say that cybercrime syndicates based in its realm generally can’t operate without the tacit consent of Russian security services.
“In many cases, when Russian cybercriminals are arrested they’re given a choice to put on a uniform and work for the state or go to prison. And obviously, many choose the former,” said Alperovitch, the Crowdstrike co-founder.
U.S. Says Iranian Hackers Accessed Voter Information
2.11.20 BigBrothers Securityweek
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an alert to warn that an Iranian threat actor recently accessed voter registration data.
The warning comes roughly one week after the United States revealed that the same adversary targeted Democratic voters in multiple states with emails seeking to intimidate them into voting for President Donald Trump.
In the previous alert, CISA and the FBI noted that the Iranian hackers targeted known vulnerabilities in virtual private network (VPN) products and content management systems (CMSs), including CVE-2020-5902 (code execution in F5 BIG-IP) and CVE-2017-9248 (XSS in Telerik UI).
Now, the two agencies reveal that the legitimate vulnerability scanner Acunetix was employed by the hackers in their endeavor, and that stolen data was used to send intimidation emails in at least four different states.
“CISA and the FBI assess this actor is responsible for the mass dissemination of voter intimidation emails to U.S. citizens and the dissemination of U.S. election-related disinformation in mid-October 2020. Further evaluation by CISA and the FBI has identified the targeting of U.S. state election websites was an intentional effort to influence and interfere with the 2020 U.S. presidential election,” the alert reads.
Between September 29 and October 17, the adversary launched attacks on U.S. state websites, including election websites, to access voter information, CISA and the FBI say.
Observed activity includes exploitation of known vulnerabilities, the use of web shells, and the abuse of web application bugs.
“CISA and the FBI can confirm that the actor successfully obtained voter registration data in at least one state. The access of voter registration data appeared to involve the abuse of website misconfigurations and a scripted process using the cURL tool to iterate through voter records,” CISA and the FBI say.
The two agencies also note that not all of the observed activity could be attributed to the same Iranian threat actor (which posed as the hate group Proud Boys), but did not share details on other threat groups involved in election targeting.
According to the alert, the Iran-based adversary used open-source queries to access PDF documents from state voter sites and also researched specific information to leverage in their exploitation attempts, namely the YOURLS exploit, bypassing the ModSecurity web application firewall, detecting web application firewalls, and the SQLmap tool.
To stay protected, the two agencies say, organizations should make sure their applications and systems are always up to date, that known vulnerabilities are identified and addressed, firewalls and other protections are implemented, and that two-factor authentication is used.
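The alert above describes the voter-record access as a scripted cURL process iterating through records, which leaves a recognisable trace in web server logs. The following detector is an added example, not part of the CISA/FBI alert: it parses constructed combined-format access-log lines and flags any client that walks a lookup endpoint's numeric record ids in sequence within a short window. The endpoint path `/voter/lookup?id=`, the log format and the thresholds are assumptions for illustration.

```python
"""Flag scripted enumeration of a per-record lookup endpoint in web access logs.

Added example (not from the CISA/FBI alert). A client is flagged when it
fetches many distinct records whose ids step +1 from one request to the next,
the pattern a cURL loop over record ids produces. Endpoint, log format and
thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format (assumed for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Hypothetical lookup endpoint that takes a numeric record id.
RECORD_RE = re.compile(r'^/voter/lookup\?id=(?P<rid>\d+)$')
# User agents of common scripting/CLI HTTP clients (noted, not required, for a hit).
SCRIPT_UA = re.compile(r'^(curl|wget|python-requests|Go-http-client)/', re.I)

# Constructed sample log: one client iterates ids with curl, others browse normally.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Oct/2020:03:14:01 +0000] "GET /voter/lookup?id=100001 HTTP/1.1" 200 812 "-" "curl/7.68.0"
203.0.113.7 - - [01/Oct/2020:03:14:02 +0000] "GET /voter/lookup?id=100002 HTTP/1.1" 200 809 "-" "curl/7.68.0"
203.0.113.7 - - [01/Oct/2020:03:14:03 +0000] "GET /voter/lookup?id=100003 HTTP/1.1" 200 811 "-" "curl/7.68.0"
203.0.113.7 - - [01/Oct/2020:03:14:04 +0000] "GET /voter/lookup?id=100004 HTTP/1.1" 404 152 "-" "curl/7.68.0"
203.0.113.7 - - [01/Oct/2020:03:14:05 +0000] "GET /voter/lookup?id=100005 HTTP/1.1" 200 808 "-" "curl/7.68.0"
203.0.113.7 - - [01/Oct/2020:03:14:06 +0000] "GET /voter/lookup?id=100006 HTTP/1.1" 200 810 "-" "curl/7.68.0"
203.0.113.7 - - [01/Oct/2020:03:14:07 +0000] "GET /voter/lookup?id=100007 HTTP/1.1" 200 813 "-" "curl/7.68.0"
203.0.113.7 - - [01/Oct/2020:03:14:08 +0000] "GET /voter/lookup?id=100008 HTTP/1.1" 200 807 "-" "curl/7.68.0"
198.51.100.4 - - [01/Oct/2020:03:20:11 +0000] "GET /voter/lookup?id=244901 HTTP/1.1" 200 815 "https://example.gov/" "Mozilla/5.0 (Windows NT 10.0) Firefox/81.0"
198.51.100.9 - - [01/Oct/2020:03:21:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/86.0"
198.51.100.9 - - [01/Oct/2020:03:22:03 +0000] "GET /voter/lookup?id=587204 HTTP/1.1" 200 816 "https://example.gov/" "Mozilla/5.0 (X11; Linux x86_64) Chrome/86.0"
"""


def parse_line(line):
    """Return a dict for a successful-or-not record lookup, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    r = RECORD_RE.match(m.group('path'))
    if not r:
        return None
    return {
        'ip': m.group('ip'),
        'ts': datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z'),
        'rid': int(r.group('rid')),
        'status': int(m.group('status')),
        'ua': m.group('ua'),
    }


def find_enumerators(lines, min_records=5, window_seconds=60, seq_ratio=0.8):
    """Return one finding per client that looks like it is iterating record ids.

    For every client, every window of window_seconds is examined; a window
    qualifies when it holds at least min_records distinct successful records
    and at least seq_ratio of the id-to-id steps are exactly +1. The largest
    qualifying window per client is reported. 404s are ignored so a gap in
    the id space does not hide the walk (the steps on either side still fit).
    """
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev['status'] == 200:
            per_ip[ev['ip']].append(ev)

    findings = []
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e['ts'])
        best, end = None, 0
        for start in range(len(events)):
            while end < len(events) and \
                    (events[end]['ts'] - events[start]['ts']).total_seconds() <= window_seconds:
                end += 1
            window = events[start:end]
            ids = [e['rid'] for e in window]
            if len(set(ids)) < min_records:
                continue
            steps = [b - a for a, b in zip(ids, ids[1:])]
            ratio = sum(1 for s in steps if s == 1) / len(steps)
            if ratio >= seq_ratio and (best is None or len(set(ids)) > best['records']):
                best = {
                    'ip': ip,
                    'records': len(set(ids)),
                    'first_id': ids[0],
                    'last_id': ids[-1],
                    'scripted_ua': bool(SCRIPT_UA.match(window[-1]['ua'])),
                }
        if best:
            findings.append(best)
    return findings


if __name__ == '__main__':
    for f in find_enumerators(SAMPLE_LOG.splitlines()):
        print(f)
```

The 404 in the sample shows why the check is on id steps rather than on consecutive successes: the walk resumes at 100005 after the missing record and is still caught because 100003 to 100005 is the only non-unit step.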
Nuclear Regulation Authority shut down email systems after a cyber attack
2.11.20 BigBrothers Securityaffairs
Japan’s Nuclear Regulation Authority (NRA) issued a warning of temporary suspension of its email systems, likely caused by a cyber attack.
Japan’s Nuclear Regulation Authority (NRA) temporarily suspended its email systems; the interruption was likely caused by a cyber attack.
The agency published a warning on its website asking people to contact it by phone or fax, because it is unable to receive emails from the outside world.
“From 17:00 on October 27, 2nd year of Reiwa, sending and receiving e-mails with the Nuclear Regulation Authority has been temporarily suspended. As a result, we are unable to accept e-mail registrations for applications for general hearings such as the Nuclear Regulation Authority and review meetings.” reads the message published by the NRA on its website. “If you would like to hear, please register by phone or fax.”
The email systems at the authority were disabled earlier this week, and the authority has launched an investigation into the incident. According to the media, there is no impact on the operations of Japanese nuclear plants.
U.S. government is warning of a North Korea-linked APT group that has targeted the U.S., South Korea and Japan to gather intelligence on nuclear policy and sanctions.
Japanese media reported that an unknown external party managed to gain unauthorized access to the Nuclear Regulation Authority’s networks.
“On the 26th, Deputy Secretary of State Okada said at a press conference that there was an unauthorized access to the network system of the Nuclear Regulation Authority, which seems to be an attack from the outside, and the fact of information leakage to the outside has not been confirmed at this time I made it clear.” reported the NHK website.
At the time of publishing this post, the agency did not provide any official statement on the incident.
Even in the event of a security breach, the threat actor did not have access to information related to the security measures implemented at the country’s nuclear plants, because this information is stored on a separate air-gapped network, Deputy Secretary of State Katsuya Okada explained.
“At this point, the fact of information leakage to the outside, including sensitive information, has not been confirmed. Information on nuclear security is managed by an independent system that is not connected to the outside. This means that there is no information leakage.” Deputy Secretary-General Okada said.
“After that, he said, ‘We have received reports that the Nuclear Regulatory Commission is continuing to investigate in collaboration with the Cabinet Cyber Security Center, etc.,’ and expressed his intention to proceed with the analysis of the cause and to thoroughly prevent recurrence,” the NHK report continued.
All Bark No Byte? Unease Over Irish Performance as EU's Lead Data Watchdog
2.11.20 BigBrothers Securityweek
Two years after the EU launched its landmark GDPR data rights charter, there are signs Ireland is faltering in its outsized role as regulator of many of the most powerful digital giants.
Hailed as a potent weapon to bring tech titans to heel, the General Data Protection Regulation endowed national watchdogs with cross-border powers and the possibility to impose sizeable fines for data misuse.
Ireland hosts the regional headquarters of Facebook, Apple, Google and Twitter, and is therefore largely responsible for policing their European activities.
But its Data Protection Commission has yet to issue a major decision against any of the giants in Dublin's glimmering "Silicon Docks".
"It's a blessing for Ireland economically to be the seat of these big digital companies for Europe, and that brings a lot of revenue," one EU Commission official with deep knowledge of the area told AFP.
"With this, of course, comes an obligation. With the role as a lead regulator it has a duty to the citizens all over Europe.
"The patience of the other authorities will fade if Ireland doesn't get its act together. It's as simple as that."
- 'Tax haven' -
Government and business leaders are coy but it is generally understood that multinational tech companies chose Ireland because of its low 12.5 percent corporate tax rate.
In 2018, Facebook Ireland generated 25.5 billion euros ($29 billion) in revenue and paid 63.2 million euros ($73.8 million) in tax, according to the Companies Registration Office.
Meanwhile the government coffers of Ireland -- a nation of just five million people -- are regularly padded with receipts from multinationals.
Last year, 77 percent of Irish corporation tax receipts came from foreign multinationals and 40 percent were from just 10 companies.
Tax Justice Network chief executive Alex Cobham said his campaign group generally avoids the term "tax haven" because "every jurisdiction has a lot of work to do to improve".
"With that caveat, yes, Ireland is a tax haven," he said.
"Ireland is probably the most exposed to a small number of fairly similar US multinationals in pharma and in tech and it really can't afford to cross them."
- 'Regulatory austerity' -
GDPR stipulates that data protection commissions should be separate from outside interference and there is no suggestion of government influence in the Irish process.
But little of the tax bonanza from tech companies is funnelled into Ireland's Data Protection Commission, which acts as the EU's regulator for firms like Facebook and their services such as Whatsapp and Instagram.
GDPR requires that countries ensure their data protection commission has the "human, technical and financial resources... necessary for the effective performance of its tasks and exercise of its powers".
Ireland's Data Protection Commissioner, Helen Dixon, said the organisation was "disappointed" by the 2020 government allocation of 16.9 million euros ($19.7 million).
Additional funding was "less than one third" of the figure requested which "reflected a year of experience of regulating under the GDPR", she added.
For Cobham, this suggests "regulatory austerity", where high regulatory standards are set "but then you refuse to provide the resources to allow any type of effective enforcement".
"You achieve the effect of not having the regulations while being able to say, 'but look, we have the regulation'," he added.
Ireland's 2021 budget raised DPC funding to 19.1 million euros ($22.3 million) -- the same amount Facebook Ireland generated in revenue in about six and a half hours in 2018.
A government spokesman insisted the DPC "has received ongoing and positive funding support which has more than met its actual resourcing requirements".
DPC Deputy Commissioner Graham Doyle added the "considerable" increases in government funding had allowed it to go from 29 staff in 2014 to 150.
But the EU Commission insider said: "It's a good step forward but more is necessary."
- The first case -
The DPC's first major decision is expected against Twitter in November, making it the first European authority to complete a cross-border case against a tech giant under GDPR.
It is a relatively straightforward test of whether Twitter informed the data protection authority of a breach within 72 hours and properly documented the event.
Nonetheless, the investigation was started in January last year and the DPC made a draft decision in May.
The case has since been tied up in regulatory mechanisms seeking input and consensus from data watchdogs in other EU states.
The drawn-out process is a reminder that the complexities of pan-European regulation still sprawl across the bloc.
But under the stiff GDPR regime Twitter could be fined up to four percent of its annual global turnover -- a $140 million wedge of the firm's reported $3.5 billion 2019 revenue.
If Ireland's DPC becomes the first watchdog to impose such a stinging penalty accusations its bark is worse than its bite may begin to fade.
Crippling Cyberattacks, Disinformation Top Concerns for Election Day
31.10.20 BigBrothers Threatpost
Cyber-researchers weigh in on what concerns them the most as the U.S. heads into the final weekend before the presidential election — and they also highlight the positives.
What keeps researchers up at night leading up to Nov. 3 isn’t election-day winners and losers. Most cite possible attacks on local infrastructure, crippling ransomware incidents and disinformation campaigns.
There are also many concerned voters this year. Election-related cybersecurity attacks have been making headlines daily, keeping the U.S. electorate worried about possible late-stage cyberattacks.
So, heading into the homestretch weekend before Election Day, Threatpost asked researchers to weigh in on the state of play.
“The last weekend before the election is like the Super Bowl for malicious actors that want to disrupt or influence the election,” said Ray Kelly, principal security engineer at WhiteHat Security. “Authorities and election officials know this is the case and have taken precautions to try to ensure a safe election. These include election infrastructure assessment and securing voting registration systems. However, given the recent hack involving Hall County, Ga., where election data was released to public for failure to pay a ransom, it really brings into question how effective the measures will be in the final stretch of the election.”
That said, just to balance things out, researchers were also asked about what’s going right – it can’t all be a black cloud of worry after all.
Top Concerns
As Kelly intimated, one big area of dread for researchers is the threat to local municipalities and their elections infrastructure.
“The biggest cyber-risks to the election are most likely going to come in the form of disruption to local support services: e-pollbooks, municipal IT infrastructure, informational applications,” said Rob Bathurst, CTO at Digitalware.
Digitalware recently found that the average municipal computer contains more than 30 potential vulnerabilities or risk conditions at any time. And, in an average local government network, an attacker has over 15 ways to penetrate a typical computer and reach an intended target.
“The reason these services would be the most likely to be disrupted is that they are publicly accessible (voter registration/polling place lookup) and common targets of criminals/ransomware actors (municipal IT infrastructure/systems),” Bathurst explained. “The rest of the systems used to support the actual voting process (DRE, ballot markers, tallying) generally have a very limited connectivity timeframe and a small attack surface, meaning the odds of an incident involving them would be small compared to the aforementioned targets.”
Mike Hamilton, CISO at CI Security, also has local elections infrastructure on his radar screen.
“The biggest danger is the threat of counties being hit with ransomware on November 4th. Why? Because at that point in-person voting will have been completed and votes tabulated,” he said. “If ransomware hits a county (only counties conduct elections), the mail-in count will be thrown into question. Because Republicans are known to vote in person on election day and Democrats favor mail-in ballots, this is a danger.”
He added ominously, “It doesn’t matter whether ransomware can actually ‘change vote tallies,’ it’s that if there is enough access to a network to encrypt data, there’s enough access to change it.”
Hamilton isn’t alone in anticipating direct cyberattacks on election infrastructure that could cripple vote-tallying or vote-casting.
“Instead of hacking into voter-registration databases, which are better protected now than they were in 2016, we should be prepared for cyber-attacks that deny access to voter-registration lists on election day,” said Suzanne Spaulding, advisor to Nozomi Networks and former DHS undersecretary of cyber and infrastructure.
She added, “This might be through ransomware attacks that would lock up the data so poll workers could not access it. Or, cyber-activity could disrupt the tabulation or reporting of results. In addition, with a significant increase in mail-in voting expected, we should look for disinformation designed to undermine the public’s trust in that process. We are seeing it already in the Russian propaganda outlets.”
And indeed, another major area of concern for researchers lies in disinformation campaigns, which continue to rage on in the home stretch of the election season. Digital Shadows for instance recently found that China, Iran and Russia are all ramping up their attempts to spread fake news and misinformation about candidates and policies.
“Russia’s Internet Research Agency (IRA), which allegedly takes its direction from the Kremlin, has been primarily responsible for this interconnected ‘carousel of lies,’ as one former member of the IRA described it,” according to the firm’s report. “In many cases, the fake news stories they spread are more appealing to Americans due to pop culture references, pictures and cartoons.”
The tactic works, too: In September, Facebook took down groups and accounts that were affiliated with the deceptive news organization, Peace Data, but not before hundreds of stories were shared on Facebook.
“At this stage in the election process, the only significant cyber-risk is disinformation with the confidence on the actual result of the election,” opined Joseph Carson, chief security scientist and advisory CISO at Thycotic. “Hacking an election is not about influencing the outcome, it is about hacking democracy. It is always important to determine the ultimate motive and that is about dividing people to create distrust in both government and your fellow citizens.”
Brandon Hoffman, CISO at Netenrich, noted that while it’s important to boost awareness around these types of influence campaigns, the focus in the news on disinformation may also be an intentional distraction for something else.
“We may be creating the smokescreen the real adversaries need to perform the attacks they have been waiting to execute,” he said. “My hunch tells me that there is something waiting in the wings related to voting infrastructure or a major information bomb coming on either Monday or Tuesday. That information bomb may be real or fake, however, as long as it creates chaos and discontent, the effect will be the same.”
Bikash Barai, co-founder of FireCompass, warned that disinformation efforts stretch far beyond just posting or sharing fake news on social media.
“Based on FireCompass’ internet wide monitoring data, there are currently more than 5 million open, vulnerable databases, which include usernames, passwords, emails and personal details,” he said. “When this data gets in the hands of hackers, it can be used to send personalized and targeted misinformation to skew results.”
He added, “In addition, breaking into the ‘information supply chain’ is not a challenge for hackers. In fact, more than 90 percent of organizations have at least one major security vulnerability, which can be used to break in, steal and corrupt data.”
What’s Going Right?
After the hack-and-leak operation against the Democratic National Committee and widely publicized election meddling by foreign actors in 2016, the U.S. population is a bit nervous on the cyberattack front when it comes to ensuring a free and fair election.
And to be sure, there have been plenty of headlines: Iranian actors posing as the hate group “Proud Boys” launching email campaigns against registered Democrats; the aforementioned ransomware attack affecting a Georgia database of voter signatures; the Trump Campaign website defaced with a cryptocurrency scam; scammers bilking Wisconsin Republicans out of $2.3 million; and rampant mobile phishing issues – just to name a few.
But can we hope things will go smoothly in these last few days? Threatpost asked researchers what they consider to be the bright side of cyber for the remaining election season. Most pointed first and foremost to improvements overall in risk awareness.
“Local governments are now aware that their systems could be targeted, and most larger city/county governments have moved to try to shore up their security operations in the run-up to the election,” Digitalware’s Bathurst said. “Some have even taken the proactive approach of attempting to understand their attack surface and how things like misconfigured/unmanaged systems could impact their security.”
Also, so far it’s been pretty quiet in terms of any major bombshells, noted James McQuiggan, security awareness advocate at KnowBe4.
“We haven’t had any significant data breaches with the government or political party systems, like what happened in 2016 with the Democratic party,” he said. “More and more organizations are taking notice of the recent attacks and taking the necessary steps to educate their staff to make sure they can spot social engineering scams. These actions can help to reduce the risk of a cyberattack.”
CI Security’s Hamilton sees other reasons to be positive too. “The cooperation between Microsoft and the Department of Defense at taking down the TrickBot botnet, Microsoft giving Defender/ATP free to counties until the election is over, and the information-sharing that seems to have been stepped up with the FBI and DHS/CISA are all positive,” he said.
On the free protection service front, Spaulding added, “It’s hard to know all the things the political parties may be doing to better protect their data and information systems. I am on the board of an organization, called Defending Digital Campaigns, that got a ruling from the FEC that allows us to work with cybersecurity companies to provide their services to campaigns for free or at a discount. Campaigns have not traditionally focused on cybersecurity and they have a long way to go!”
Netenrich’s Hoffman had a tougher time being positive: “It’s hard to say what’s going right in this election,” he said. “From a place of false comfort, I would say there haven’t been any major cyber issues…but it feels like foreshadowing.”
Operation Earth Kitsune: hackers target the Korean diaspora
31.10.20 BigBrothers Securityaffairs
Experts uncovered a new watering hole attack, dubbed Operation Earth Kitsune, targeting the Korean diaspora that exploits flaws in web browsers.
Researchers at Trend Micro have disclosed details about a new watering hole campaign, dubbed Operation Earth Kitsune, targeting the Korean diaspora that exploits flaws in web browsers such as Google Chrome and Internet Explorer to deploy backdoors.
Threat actors behind the Operation Earth Kitsune used SLUB (for SLack and githUB) malware and two new backdoors tracked as dneSpy and agfSpy to exfiltrate data from the infected systems and for taking over them.
The attacks were spotted by the researchers during the months of March, May, and September.
Attackers have deployed the spyware on websites associated with North Korea, but experts pointed out that access to these sites is blocked for visitors from South Korean IP addresses.
“The threat, which we dubbed as such due to its abuse of Slack and GitHub in previous versions, has not abused either of the platforms this time; instead, it employed Mattermost, an open-source online chat service that can be easily deployed on-premise.” reads the analysis published by Trend Micro.
Unlike earlier campaigns, this one deployed numerous samples (seven) to the victim machines and used multiple command-and-control (C&C) servers (five); the attackers also employed exploits for four N-day bugs.
Experts were investigating a strange redirection of visitors of the Korean American National Coordinating Council (KANCC) website to the Hanseattle website. Users were redirected to a weaponized version of a proof of concept (POC) for the CVE-2019-5782 Chrome vulnerability published by Google researchers. Experts discovered that the exploit was infecting the victim machine with three separate malware samples.
The attack chain initiates with a connection to the C&C server to receive the dropper, which once executed first checks for the presence of anti-malware solutions on the target system before delivering the three backdoor samples (in “.jpg” format) and executing them.
The attackers used Mattermost server to keep track of the deployment across multiple infected machines and to create a separate channel for each machine for data exfiltration.
The agfSpy backdoor supports multiple commands to exfiltrate data, capture screenshots, enumerate directories, and upload, download, and execute files.
“One interesting aspect of dneSpy’s design is its C&C pivoting behavior. The central C&C server’s response is actually the next-stage C&C server’s domain/IP, which dneSpy has to communicate with to receive further instructions.” continues the analysis.
agfSpy uses its own C&C server mechanism to receive commands that could instruct the backdoor to execute shell commands and send the execution results back to the server.
agfSpy and dneSpy are very similar except for the use of a different C&C server and various formats in message exchanges.
“Operation Earth Kitsune turned out to be complex and prolific, thanks to the variety of components it uses and the interactions between them,” the researchers concluded. “The campaign’s use of new samples to avoid detection by security products is also quite notable.”
“From the Chrome exploit shellcode to the agfSpy, elements in the operation are custom coded, indicating that there is a group behind this operation. This group seems to be highly active this year, and we predict that they will continue going in this direction for some time.”
U.S. Cyber Command Shares More Russian Malware Samples
31.10.20 BigBrothers Securityweek
The United States Cyber Command (USCYBERCOM) this week released new malware samples associated with the activity of Russian threat actors Turla and Zebrocy.
Linked to malicious activity dating back two decades and also referred to as Snake, Waterbug, Venomous Bear, Belugasturgeon, and KRYPTON, Turla was most recently observed targeting a European government organization with multiple backdoors.
On Thursday, USCYBERCOM shared on VirusTotal new samples of the ComRAT Trojan, which is believed to be one of the oldest malware families employed by the Russia-linked threat actor.
“FBI has high-confidence that Russian-sponsored APT actor Turla, which is an espionage group active for at least a decade, is using ComRAT malware to exploit victim networks. The group is well known for its custom tools and targeted operations,” a malware analysis report from the Cybersecurity and Infrastructure Security Agency (CISA) reads.
The report shares details on a PowerShell script used to install another script that in turn loads a ComRAT version 4 DLL. CISA explains that the malware includes DLLs employed as communication modules that are injected in the default browser and which communicate with the ComRATv4 file using a named pipe. A Gmail web interface is used to receive commands and exfiltrate data.
A total of five ComRAT files were shared by USCYBERCOM on VirusTotal, alongside two samples associated with the Russian threat actor Zebrocy.
Initially detailed in 2018, the Russian hacking group is considered by some security firms part of the infamous Sofacy APT (also referred to as APT28, Fancy Bear, Pawn Storm, Sednit, and Strontium), while others see it as a separate entity.
In September 2020, new Zebrocy attacks were uncovered, showing continuous targeting of countries associated with the North Atlantic Treaty Organization (NATO).
The two samples that USCYBERCOM shared on VirusTotal are Windows executables believed to be a new variant of the Zebrocy backdoor. The malware provides attackers with remote access to a compromised system and supports various operations, CISA says.
CISA recommends users and administrators apply security best practices to ensure that their systems remain protected from the newly shared malware samples or other threats.
US Cyber Command details implants used in attacks on parliaments and embassies
30.10.20 BigBrothers Securityaffairs
US Cyber Command published technical details on malware implants used by Russia-linked APTs in attacks on multiple parliaments and embassies.
US Cyber Command shared technical details about malware implants employed by Russian hacking groups in attacks against multiple ministries of foreign affairs, national parliaments, and embassies.
Experts from the US Cyber Command’s Cyber National Mission Force (CNMF) unit and the Cybersecurity and Infrastructure Security Agency (CISA) uploaded the samples to the VirusTotal online virus scan platform.
CISA also published two joint advisories with the FBI and CNMF that provide information on the ComRAT and Zebrocy malware used by Russia-linked APT groups, including APT28 and Turla.
The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.
The list of previously known victims is long and also includes the Swiss defense firm RUAG, the US Department of State, NASA and the US Central Command.
“FBI has high-confidence that Russian-sponsored APT actor Turla, which is an espionage group active for at least a decade, is using ComRAT malware to exploit victim networks. The group is well known for its custom tools and targeted operations,” reads the advisory published by CISA.
Russia-linked cyberespionage groups utilized the Zebrocy backdoor in attacks aimed at embassies and ministries of foreign affairs from Eastern Europe and Central Asia.
“Two Windows executables identified as a new variant of the Zebrocy backdoor were submitted for analysis. The file is designed to allow a remote operator to perform various functions on the compromised system,” reads CISA’s advisory.
Zebrocy is known to be part of the arsenal of APT28, a Russia-linked APT group operating under the control of the Russian Main Intelligence Directorate (GRU).