BigBrothers Articles 2020

BigBrothers 2024 2023 2022 2021 2020

FBI Warn Hackers are Using Hijacked Home Security Devices for ‘Swatting’
31.12.2020 BigBrothers Threatpost

Stolen email credentials are being used to hijack home surveillance devices, such as Ring, to call police with a fake emergency, then watch the chaos unfold.

Stolen email passwords are being used to hijack smart home security systems to “swat” unsuspecting users, the Federal Bureau of Investigation warned this week. The announcement comes after concerned device manufacturers alerted law enforcement about the issue.

Swatting is a dangerous prank where police are called to a home with a fake emergency.

“Swatting may be motivated by revenge, used as a form of harassment, or used as a prank, but it is a serious crime that may have potentially deadly consequences,” the FBI statement said.
2020 Reader Survey: Share Your Feedback to Help Us Improve

By accessing a targeted home security device an attacker can initiate a call for help to authorities and watch remotely as the swat occurs. The FBI points out that by initiating a call for help from the actual security device lends authenticity and anonymity to the hacker.

Requests to the FBI for the specific manufacturers were not answered. However, the device category often is found to be insecure.

“Recently, offenders have been using victims’ smart devices, including video and audio capable home surveillance devices, to carry out swatting attacks,” The FBI’s public service announcement read. “To gain access to the smart devices, offenders are likely taking advantage of customers who re-use their email passwords for their smart device. The offenders use stolen email passwords to log into the smart device and hijack features, including the live-stream camera and device speakers.”

In the past, the bad actors would spoof the numbers to make the call appear as if it were coming from the victim, the FBI explained. This new iteration makes the call directly from the compromised device.

“They then call emergency services to report a crime at the victims’ residence,” the FBI statement continued. “As law enforcement responds to the residence, the offender watches the live stream footage and engages with the responding police through the camera and speakers. In some cases, the offender also live streams the incident on shared online community platforms.”

Live Streaming Swatting Attacks

Live streaming swat attacks isn’t new. Last December, the publication Vice reported on a podcast called “NulledCast” which live streamed to the content sharing platform Discord an incident where criminal actors hijacked a Nest and Ring smart home video and audio to harass them in all sorts of creepy ways.

One incident captured showed a man talking to young children through the device in their bedroom, claiming to be Santa.

“In a video obtained by WMC5 courtesy of the family, you can see what the hacker would have seen: A viewpoint that looms over the entire room from where the camera is installed in a far corner, looking down on their beds and dressers while they play, Vice reported last year. “The hacker is heard playing the song ‘Tiptoe Through the Tulips‘ through the device’s speakers, and when one of the daughters, who is eight years old, stops and asks who’s there, the hacker says, ‘It’s Santa. It’s your best friend.'”

Vice also reported finding posts on hacker forums offering simple Ring credential stuffing software for as little as $6.

By Feb. 2020, Ring had rolled out an added layers of security beyond its already mandatory two-factor authentication, including requiring a one-time six-digit code to log on, alerts when someone logs onto the account and tools to control access by third-party service providers which could also be breached.

Ring is also preparing to roll out end-to-end video encryption, originally due by the end of the year.

“With End-to-End Encryption, your videos will be encrypted on the Ring camera, and you will be the only one with the special key (stored only on your mobile device) that can decrypt and view your recordings,” the Sept. 24 announcement read.

More Harm Than Help?

Just this month, an assessment from NCC Group of second-tier smart doorbells including brands Victure, Qihoo and Accfly, found vulnerabilities rendered these devices more harmful than helpful classified the popular gadgets a “domestic IoT nightmare.” Top-flight smart home security brands Ring, Nest, Vivint and Remo were not included in the review.

The report detailed undocumented features, like a fully functional DNS service in the Qihoo device; digital locks that could be picked in a snap because their communications were not encrypted; and shoddy hardware which could easily be tampered with by criminals.

“Unfortunately, consumers are the victims here,” Erich Kron, security awareness advocate at KnowBe4 told Threatpost. “A trend I am happy to see among consumer devices is the requirement to set your own complex password during device setup, rather than having a default one set at the factory.

Kron added Ring’s MFA implementation, along with its other protections is a “step in the right direction.”

While applications like Ring continue to work to keep their customer data safe, if customer email accounts are compromised, bad actors can easily grab 2FA and other verification codes and breach both accounts. That means it is up to individual users to take control of their privacy with strong password and basic security hygiene practices.

“Any organization that sells devices that have the kinds of privacy impacts such as always-on video cameras or devices that are always listening for commands, has an obligation to provide a reasonable amount of education to their customers,” he said. “The consumer device field is extremely competitive, and purchases are often based on a price difference of a couple of dollars or less. We must understand that adding any additional security features that are not required for every manufacturer can impact the price and therefore the organization’s bottom line. Because of this, we must be reasonable with our expectations from the manufacturers.”

CISA demands US govt agencies to update SolarWinds Orion software
31.12.2020 BigBrothers Securityaffairs

US Cybersecurity and Infrastructure Security Agency (CISA) urges US federal agencies to update the SolarWinds Orion software by the end of the year.
The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its official guidance to order US federal agencies to update the SolarWinds Orion platforms by the end of the year.

According to the CISA’s Supplemental Guidance to Emergency Directive 21-01, all US government agencies running the SolarWinds Orion app must update to the latest 2020.2.1HF2 version by the end of the year or take them offline.

SolarWinds released the 2020.2.1HF2 version on December 15 to secure its installs and remove the Sunburst-related code from their systems.

“Specifically, all federal agencies operating versions of the SolarWinds Orion platform other than those identified as “affected versions” below are required to use at least SolarWinds Orion Platform version 2020.2.1HF2.” reads CISA’s Supplemental Guidance to Emergency Directive 21-01. “The National Security Agency (NSA) has examined this version and verified that it eliminates the previously identified malicious code.”

The order is part of the update for the CISA’s guidance that was issued on December 18 following the discovery of the SolarWinds supply chain attack.

The US CERT Coordination Center issued the security note VU#843464 to detail the authentication bypass flaw in the Orion API, tracked as CVE-2020-10148, that allows attackers to execute remote code on Orion installations.

“This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance.” reads the advisory.

The vulnerability was exploited by threat actors to install the Supernova backdoor in attacks not linked to the SolarWinds supply chain hack.
CISA urge to update to version 2020.2.1HF2 to fix any other SolarWinds Orion-related bug, including the CVE-2020-10148 vulnerability.

“Given the number and nature of disclosed and undisclosed vulnerabilities in SolarWinds Orion, all instances that remain connected to federal networks must be updated to 2020.2.1 HF2 by COB December 31, 2020.” continues CISA.

ORION PLATFORM VERSION CONTINUED USE OF SOLARWINDS ORION PERMITTED AT THIS TIME UPDATE REQUIRED?
Affected versions: 2019.4 HF5, 2020.2 RC1, 2020.2 RC2, 2020.2, 2020.2 HF1 (should be powered down or removed from networks based on ED 21-01) No N/A
All other versions that are currently online (if the instance did not previously use an affected version) Yes Yes (2020.2.1HF2)
Below the list of affected versions:

Orion Platform 2019.4 HF5, version 2019.4.5200.9083
Orion Platform 2020.2 RC1, version 2020.2.100.12219
Orion Platform 2020.2 RC2, version 2020.2.5200.12394
Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432
Recently, both US CISA and cybersecurity firm Crowdstrike released free detection tools to audit Azure and MS 365 environments.

Yesterday, the Microsoft 365 Defender Team revealed that the goal of the threat actors behind the SolarWinds supply chain attack was to move to the victims’ cloud infrastructure once infected their network with the Sunburst/Solorigate backdoor.

FBI: Home Surveillance Devices Hacked to Record Swatting Attacks
31.12.2020 BigBrothers Securityweek

A warning issued this week by the FBI warns owners of smart home devices with voice and video capabilities that these types of systems have been targeted by individuals who launch so-called “swatting” attacks.

Swatting is a hoax where someone tricks emergency services into deploying armed law enforcement to a targeted individual’s location by claiming there is a life-threatening situation. These types of pranks are not uncommon, but they can result in lengthy jail sentences for the pranksters.

The FBI warned in an alert issued on Tuesday that swatters have been hijacking home surveillance and other types of devices with audio and video capabilities to watch their victims while they are being swatted. In some cases, the prankster also live-streams the video and engages the law enforcement responders.

“Smart home device manufacturers recently notified law enforcement that offenders have been using stolen e-mail passwords to access smart devices with cameras and voice capabilities and carry out swatting attacks,” the FBI said.

The agency has been working with the manufacturers of the targeted devices to warn customers about the threat and provide them with recommendations on how to avoid having their devices hacked.

“The FBI is also working to alert law enforcement first responders to this threat so they may respond accordingly,” the agency noted.

The FBI has advised users to enable two-factor authentication (2FA) for internet-accessible devices. However, given that the attackers rely on stolen email credentials to hijack surveillance devices, the FBI advises against using a secondary email account for the second factor, and instead recommends the use of a mobile device number. Cybersecurity professionals and even NIST have long urged users to stop relying on SMS-based 2FA.

U.S. Treasury Warns Financial Institutions of COVID-19 Vaccine-Related Cyberattacks, Scams
31.12.2020 BigBrothers Securityweek

The United States Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) has issued an alert to warn financial institutions of fraud and cyberattacks related to COVID-19 vaccines.

As vaccination against the COVID-19 coronavirus is kicking off worldwide, fraudsters and other types of threat actors are attempting to capitalize on the situation by selling illegal or counterfeit goods, conducting phishing, targeting unsuspecting users with malware, and more.

Last week, several U.S. government organizations issued a warning of increasingly frequent fraud and phishing attacks, aimed at gathering personally identifiable information (PII) and stealing money.

Recent reporting has revealed that such attacks might also be the work of state-sponsored threat actors, which are also interested in targeting COVID-19 vaccine research.

In its newly released alert, FinCEN tells financial institutions to be wary of “potential for fraud, ransomware attacks, or similar types of criminal activity related to COVID-19 vaccines and their distribution.”

FinCEN has also published Suspicious Activity Report (SAR) filing instructions. Financial institutions are required to report suspicious transactions through SARs to help authorities disrupt terrorist, money laundering, drug trafficking, cybercrime and other types of illegal operations.

Leveraging the increased public interest in COVID-19 vaccines, fraudsters might attempt to sell unapproved and illegally marketed vaccines, counterfeit vaccines, or illegal diversion of legitimate vaccines, FinCEN says.

“Already, fraudsters have offered, for a fee, to provide potential victims with the vaccine sooner than permitted under the applicable vaccine distribution plan,” the alert reads.

Cybercriminals too are involved in COVID-19 vaccine-related activity, including ransomware attacks that directly target vaccine research. Thus, FinCEN warns financial institutions of potential ransomware attacks targeting either supply chains involved in the manufacturing of vaccines, or the vaccine delivery operations.

“Financial institutions and their customers should also be alert to phishing schemes luring victims with fraudulent information about COVID-19 vaccines,” FinCEN warns.

The Treasury recently issued an advisory to warn companies that facilitate ransomware payments of the potential legal implications resulting from sending money to sanctioned entities.

North Korean Hackers Trying to Steal COVID-19 Vaccine Research
24.12.2020 BigBrothers Thehackernews
Threat actors such as the notorious Lazarus group are continuing to tap into the ongoing COVID-19 vaccine research to steal sensitive information to speed up their countries' vaccine-development efforts.

Cybersecurity firm Kaspersky detailed two incidents at a pharmaceutical company and a government ministry in September and October leveraging different tools and techniques but exhibiting similarities in the post-exploitation process, leading the researchers to connect the two attacks to the North Korean government-linked hackers.

"These two incidents reveal the Lazarus group's interest in intelligence related to COVID-19," Seongsu Park, a senior security researcher at Kaspersky, said. "While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well."

Kaspersky did not name the targeted entities but said the pharmaceutical firm was breached on September 25, 2020, with the attack against the government health ministry occurring a month later, on October 27.

Notably, the incident at the pharmaceutical company — which is involved in developing and distributing a COVID-19 vaccine — saw the Lazarus group deploying the "BookCodes" malware, recently used in a supply-chain attack of a South Korean software company WIZVERA to install remote administration tools (RATs) on target systems.

The initial access vector used in the attack remains unknown as yet, but a malware loader identified by the researchers is said to load the encrypted BookCodes RAT that comes with capabilities to collect system information, receive remote commands, and transmit the results of the execution to command-and-control (C2) servers located in South Korea.

In a separate campaign aimed at the health ministry, the hackers compromised two Windows servers to install a malware known as "wAgent," and then used it to retrieve other malicious payloads from an attacker-controlled server.

As with the previous case, the researchers said they were unable to locate the starter module used in the attack but suspect it to have a "trivial role" of running the malware with specific parameters, following which wAgent loads a Windows DLL containing backdoor functionalities directly into memory.

"Using this in-memory backdoor, the malware operator executed numerous shell commands to gather victim information," Park said.

Irrespective of the two malware clusters employed in the attacks, Kaspersky said the wAgent malware used in October shared the same infection scheme as the malware that the Lazarus group used previously in attacks on cryptocurrency businesses, citing overlaps in the malware naming scheme and debugging messages, and the use of Security Support Provider as a persistence mechanism.

The development is the latest in a long list of attacks capitalizing on the coronavirus pandemic — a trend observed in various phishing lures and malware campaigns throughout the last year. North Korean hackers are alleged to have targeted pharma firms in India, France, Canada, and the UK-based AstraZeneca.

Defending Against State and State-Sponsored Threat Actors
23.12.2020 BigBrothers Threatpost

Saryu Nayyar of Gurucul discusses state and state-sponsored threat actors, the apex predators of the cybersecurity world.

Security threats from states and state-sponsored actors have been around since before the field of cybersecurity was defined. They have now evolved to cyberspace, and present unique challenges for defenders.

While there are fundamental differences between activist and criminal activity, and those who operate directly for (or with the tacit approval of) sovereign powers, there can often be a significant overlap in their agendas and techniques. But there are also significant difference — the most important of which is resourcing.

Where activists and small criminal gangs may have limited technical resources, states and state-sponsored actors have no such limitations. State actors can draw upon the skills and resources of their national intelligence communities, while state-sponsored actors, while not actually part of a state organization, can still draw upon the financial and technical assets of their sponsors.

Another fundamental difference between “civilian” and “state” actors is that law-enforcement agencies are better equipped to address threat actors who don’t have state backing. Even in cases where threats are acting across international borders, mechanisms exist where legal teams from different nations can work together to bring attackers to justice. However, when those attackers are working with the approval of their host countries, the situation becomes more difficult. It becomes nearly impossible for conventional law enforcement to address the issue when the attackers are working for a foreign power directly. In that case, the only recourse is diplomacy, or an escalation into what amounts to outright cyberwarfare.

We Can’t Return Fire
Cybersecurity professionals in the civilian space, and in most government agencies outside the intelligence and military communities, are restricted to an almost entirely defensive position. For legal and ethical reasons, we’re not allowed to “return fire” no matter how obvious, or egregious, the attack. While some individuals have been known to play the game on the attacker’s terms, it puts them firmly into a gray area where they are operating outside the law even if they have the moral high ground.

This all serves to put defense in the hands of mostly civilian cybersecurity professionals who develop the tools, techniques, training and processes needed to provide some level of defense. Fortunately, deploying defenses built to resist a well-funded state actor should be enough to defend against the average criminal gang. This means that it is more than worth the effort to raise our game to handle the worst-case scenario.

While recent reports from the National Security Agency [PDF] and the Cybersecurity and Infrastructure Security Agency have kept us abreast of the exploits and technical techniques most often employed by these adversaries, they also point out a reliance on social engineering, cast netting and spear phishing to infiltrate their target organizations. This is the same playbook we see used by criminal-level attackers where users are the assumed to be the weak link and technical attacks are deployed when they can’t find a vulnerable user. In fact, many state attackers lead with a phishing or social-engineering angle based on this very assumption.

Our Users Are Still a Target
Of course, one difference here between state adversaries and criminal organizations is that even well-funded criminals often lack the budget, and requisite skills, to use blackmail or bribery to turn an insider from an employee into a threat. It does happen, of course, as it did earlier in 2020 when a Russian adversary tried to bribe an employee of a major U.S. auto manufacturer to place malware on a network. That effort failed as much because of the target’s personal integrity as any technical or business-culture defenses.

Historically, user-education programs have been focused on countering the most common vectors. In most cases that is some form of phishing, whether a cast-net aimed at the target organization, or spear phishing aimed at an individual. Unfortunately, not every organization trains their employees to identify, let alone resist, social-engineering attacks. Also, not every organization fosters a culture where an employee would come forward and report a bribery attempt or similar effort, rather than take the money and run.

This is the first place where organizations need to up their game if they want to resist well-resourced state and state-sponsored actors. And it must include more than just the annual anti-phishing and business-ethics classes, but also more focused training on how to spot and avoid social-engineering efforts outside the context of email. There is also a place here to review the business culture and foster one where employees are willing to come forward when an outsider tries to compromise them.

Technical Defenses
On the technical side, the usual advice of keeping systems patched and properly configured is an obvious early step and one we have been talking about for years. But the NSA and CISA reports have shown that even sophisticated high-level attackers will leverage known exploits. That means staying on top of your patches isn’t just a best practice; it is a vital technique to keep the organization safe.

Making sure the security operations team (SecOps) is trained, adequate and prepared is another vital step. Budgets may be tight and qualified talent may be hard to attract and retain, but these are the people who run the last line of defense. This holds true when an organization’s security is a managed service. Your managed security service provider (MSSP) needs to be trained and prepared to confront threats at every level, from script kiddies to foreign-intelligence agencies.

There are other technical steps as well. Every organization needs to evolve their security stack to keep up with potential and active threats, making sure their tools and processes are up to the task. As new threats emerge, old technologies evolve and new ones emerge to fill the gaps. However, the stack needs to be looked at as a holistic whole. Perimeter devices and endpoint protections need to work in concert with some mechanism to consolidate the whole range of security telemetry into a coherent whole. And that whole needs to be processed, analyzed and presented in a way that SecOps personnel can use and understand, and can be leveraged to orchestrate and automate the organization’s defenses.

State and state-sponsored threat actors are the apex predators of the cybersecurity world. They have time, skills, effectively unlimited resources and can be very specific in their agenda. But if we keep our defenses up to date with the appropriate tools, training and best practices, we can reduce the risk to our organizations even from the most challenging adversaries.

Bulletproof VPN services took down in a global police operation
23.12.2020 BigBrothers Securityaffairs

A joint operation conducted by law European enforcement agencies resulted in the seizure of the infrastructure of three bulletproof VPN services.
A joint operation conducted by law enforcement agencies from the US, Germany, France, Switzerland, and the Netherlands resulted in the seizure of the infrastructure used by three VPN bulletproof services.

VPN bulletproof services are widely adopted by cybercrime organizations to carry out malicious activities, including ransomware and malware attacks, e-skimming breaches, spear-phishing campaigns, and account takeovers.

“The virtual private network (VPN) Safe-Inet used by the world’s foremost cybercriminals has been taken down yesterday in a coordinated law enforcement action led by the German Reutlingen Police Headquarters together with Europol and law enforcement agencies from around the world.” reads the press release published by the Europol.

“The Safe-Inet service was shut down and its infrastructure seized in Germany, the Netherlands, Switzerland, France and the United States. The servers were taken down, and a splash page prepared by Europol was put up online after the domain seizures.”
The three VPN bulletproof services were hosted at insorg.org, safe-inet.com, and safe-inet.net, their home page currently displays a law enforcement banner.
The takedown of the VPN is part of an international takedown of a virtual private network (VPN), dubbed “Operation Nova.”
“The coordinated effort was led by the German Reutlingen Police Headquarters together with Europol, the FBI and other law enforcement agencies from around the world.” reads the press release published by DoJ.

“The investigation revealed that three domains— INSORG.ORG; SAFE-INET.COM; SAFE-INET.NET.—offered “bulletproof hosting services” to website visitors. A “bulletproof hosting service” is an online service provided by an individual or an organization that is intentionally designed to provide web hosting or VPN services for criminal activity. These services are designed to facilitate uninterrupted online criminal activities and to allow customers to operate while evading detections by law enforcement. Many of these services are advertised on online forums dedicated to discussing criminal activity. A bulletproof hoster’s activities may include ignoring or fabricating excuses in response to abuse complaints made by their customer’s victims; moving their customer accounts and/or data from one IP address, server, or country to another to help them evade detection; and not maintaining logs (so that none are available for review by law enforcement).”

VPN bulletproof services 2
The three services were advertised on both Russian and English-speaking cybercrime forums. The services were offered for prices ranging from $1.3/day to $190/year.

According to the investigators, the three VPN bulletproof services are operated by the same threat actor and are active since at least 2010.
The VPN service shut down by law enforcement was used by crooks to avoid law enforcement interception, leveraging on up to 5 layers of anonymous VPN connections.

The law enforcement agencies identified roughly 250 companies worldwide that were being targeted by the criminals using this VPN service.

“These companies were subsequently warned of an imminent ransomware attack against their systems, allowing them to take measures to protect themselves against such an attack.” continues the Europol. “The service has now been rendered inaccessible.”

“The investigation carried out by our cybercrime specialists has resulted in such a success thanks to the excellent international cooperation with partners worldwide. The results show that law enforcement authorities are equally as well connected as criminals,” said Udo Vogel, Police President of the Reutlingen Police Headquarters.

“The strong working relationship fostered by Europol between the investigators involved in this case on either side of the world was central in bringing down this service. Criminals can run but they cannot hide from law enforcement, and we will continue working tirelessly together with our partners to outsmart them.” said the Head of Europol’s European Cybercrime Centre, Edvardas Šileris.

North Korean Hackers Target COVID-19 Research
23.12.2020 BigBrothers Securityweek

The North Korea-linked threat actor known as Lazarus was recently observed launching cyberattacks against two entities involved in COVID-19 research.

Active since at least 2009 and believed to be backed by the North Korean government, Lazarus is said to have orchestrated some high-profile attacks, including the WannaCry outbreak. Last year, the group was observed mainly targeting cryptocurrency exchanges and expanding its toolset.

New Lazarus attacks in September and October 2020, Kaspersky reveals, targeted a Ministry of Health and a pharmaceutical company authorized to produce and distribute COVID-19 vaccines, revealing Lazarus’ interest in COVID-19 research.

In September, the hackers targeted a pharmaceutical company with the BookCode malware, which was attributed to the group a while ago. In late October, Lazarus targeted a Ministry of Health body with the wAgent malware, which was previously used to target cryptocurrency businesses.

Both pieces of malware were designed to function as full-featured backdoors, providing operators with full control over the infected machines. Different tactics, techniques and procedures (TTPs) were used in each attack, but Kaspersky is highly confident that Lazarus was behind both incidents.

Using wAgent, the attackers executed various shell commands to gather information from the victim machine. An additional payload that included a persistence mechanism was also deployed on two Windows servers, and the full-featured backdoor followed.

The BookCode backdoor was used to gather system and network information from the victim environment, along with a registry SAM dump containing password hashes. The adversary also attempted to collect information on other machines on the network, likely for lateral movement.

“We assess with high confidence that the activity […] is attributable to the Lazarus group. In our previous research, we already attributed the malware clusters used in both incidents […] to the Lazarus group,” Kaspersky notes.

The security firm was unable to identify the initial infection vector in either of the incidents, but notes that spear-phishing was used by the group in the past, along with strategic website compromise.

“These two incidents reveal Lazarus group’s interest in intelligence related to COVID-19. While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well. We believe that all entities currently involved in activities such as vaccine research or crisis handling should be on high alert for cyberattacks,” Seongsu Park, security expert at Kaspersky, said.

Microsoft reported last month that state-sponsored Russian and North Korean hackers had been trying to steal valuable data from pharmaceutical companies and vaccine researchers. Reuters reported that North Korean hackers had targeted British COVID-19 vaccine maker AstraZeneca.

Biden Says Huge Cyberattack Cannot Go Unanswered
23.12.2020 BigBrothers Securityweek

President-elect Joe Biden said Tuesday that the perpetrators of a massive cyberattack on the US government, unofficially blamed on Russia, must face consequences, and assailed President Donald Trump over his response to the threat.

"We can't let this go unanswered," Biden said in pre-holiday remarks to the American people.

"That means making clear, and publicly, who is responsible for the attack and taking meaningful steps to hold them in account."

Biden, who as president-in-waiting has received intelligence briefings on key national security issues, says much remains unknown about the extent of the damage from the attack.

Last week the US cybersecurity agency said a well-coordinated, highly technical operation penetrated US government and corporate systems months ago by hacking widely-used security software.

"I see no evidence that it's under control," Biden said, responding to Trump's claim to the contrary.

"This president hasn't even identified who is responsible yet," he noted.

He warned he would retaliate once he become president on January 20.

"When I learn the extent of the damage and, in fact, who is formally responsible, they can be assured that we will respond, and probably respond in kind," he said.

"There are many options which I will not discuss now."

- Devastating breach -

According to US officials, the most devastating breach of US computer security in years affected at least the departments of State, Commerce, Treasury, Energy and Homeland Security, as well as the National Institutes of Health.

Analysts expect that other departments, including possibly key intelligence agencies, were also victims in the hack, and that it could take months or longer to assess the damage.

Biden called the attack a "grave risk to our national security" and criticized Trump for de-emphasizing cybersecurity during his nearly four years in office.

The attack, he said, was "carefully planned and carefully orchestrated. It was carried out by using sophisticated cyber tools."

"The attackers succeeded in catching the federal government off-guard and unprepared."

He accused Trump of falling down on his job to protect the country and of an "irrational downplaying of the seriousness of this attack."

"It's still his responsibility as president to defend American interests for the next four weeks," he said.

"This assault happened on Donald Trump's watch when he wasn't watching," Biden said. "Rest assured that even if he does not take it seriously, I will."

The administration has yet to officially ascribe the attacks to any country or persons, even though top officials including Secretary of State Mike Pompeo and Attorney General Bill Barr, and senior members of Congress briefed on the issue, have all fingered Russia.

Trump, however, last week accused the media of always hyping the Russia threat.

"The Cyber Hack is far greater in the Fake News Media than in actuality," Trump tweeted.

"I have been fully briefed and everything is well under control," he wrote.

"Russia, Russia, Russia is the priority chant when anything happens," he said, then suggesting China could be the perpetrator.

DHS Details Risks of Using Chinese Data Services, Equipment
23.12.2020 BigBrothers Securityweek

In an advisory this week, the Department of Homeland Security (DHS) warned American organizations of the risks posed by using data services and equipment from firms that have ties to the People’s Republic of China (PRC).

Both businesses and customers in the United States are at risk due to the PRC’s data collection activities, the DHS warns. Some of these risks include the theft of confidential business data, trade secrets and intellectual property, violation of privacy and export laws, breach of contractual provisions, and risk of surveillance.

“The PRC presents a grave threat to the data security of the U.S. government and U.S. businesses. It has both the intent and ability to covertly access data directly through entities under the influence or jurisdiction of PRC laws,” the DHS says.

The agency also underlines that data is often accessed without requesting the consent of or informing the non-PRC businesses or institutions owning the data.

In its advisory, the DHS also points out that data theft operations performed under the command of the Chinese government represent a persistent, growing threat, especially since newly enacted laws require all PRC businesses and citizens to “take actions related to the collection, transmission, and storage of data.”

These laws compel Chinese businesses to provide the government with data, encryption keys, technical information, and logical access. Furthermore, firms are required to install backdoors in equipment to create security vulnerabilities that PRC entities can easily exploit, the advisory warns.

In addition to detailing the various data collection practices of the Chinese government, and providing an overview of the applicable laws recently passed in the country, the advisory offers extensive details on the risks faced by companies partnering with China.

Chinese firms operating data centers, either in the country or abroad, are required to share data with the government upon request, even if the sharing of data is illegal under the jurisdiction in which firms operate.

Even data centers built using Chinese equipment are at risk, due to the backdoors equipment manufacturers are required to install, by law. By subsidizing the use of hardware, software, and telecoms infrastructure from domestic firms, the Chinese government helps corporations such as ZTE or Huawei undercut competitors, the DHS says.

“The spread of such equipment may even affect unwitting U.S. service providers. The CCP subsidies and the spread of PRC-developed equipment not only advantage PRC companies over U.S. providers economically, but also furthers the ongoing capabilities of the CCP where the equipment supplier maintains a service or maintenance contract that necessitates ongoing access,” the advisory continues.

DHS also warns that even data sharing agreements with Chinese firms are risky, and that the government may even purchase legally obtain data, to augment the illegally acquired information. Software and mobile apps from Chinese firms pose data collection risks too, just as fitness trackers and other wearables do.

“Businesses and individuals that operate in the PRC or with PRC firms or entities should scrutinize any business relationship that provides access to data—whether business confidential, trade secrets, customer personally identifiable information (PII), or other sensitive information,” DHS says.

The advisory also provides a series of recommendations on how to minimize risks associated with using equipment and services from China, or partnering with firms linked to China.

“Today, the threats to our peace and prosperity emanate largely from China. […] Instead of competing fairly on a level playing field, China undermines the international system. Instead of fighting on the conventional battlefield, China wages secret disinformation and propaganda wars to cripple us from within. The results they have achieved thus far should concern every American,” Homeland Security Acting Secretary Chad F. Wolf commented.

U.S. Government Warns of Phishing, Fraud Schemes Using COVID-19 Vaccine Lures
23.12.2020 BigBrothers Securityweek

Several U.S. government organizations have issued warnings regarding various types of fraud and phishing schemes that use COVID-19 vaccine-related topics to lure potential victims.

While these types of operations typically impact non-enterprise users, some people could open the malicious websites or emails associated with these schemes from work devices, which could pose a risk to enterprises as well.

The Federal Bureau of Investigation (FBI), Department of Health and Human Services Office of Inspector General (HHS-OIG), and Centers for Medicare & Medicaid Services (CMS) have issued an alert on emerging COVID-19 vaccine-related fraud schemes.

Leveraging the increased public interest in COVID-19 vaccines, scammers are luring unsuspecting victims into sharing personally identifiable information (PII) or into sending money.

Such fraudulent activity, the alert from the FBI, HHS-OIG, and CMS reads, could take the form of ads that claim to offer early access to vaccines in exchange for a deposit or fee, requests to pay for the vaccine or enter personal information on a so-called waiting list, or offers to undergo medical testing to obtain the vaccine.

Some fraudsters might claim to be able to ship the vaccine domestically or internationally, or might advertise vaccines via social media, email, phone, or other channels, the alert reads.

Furthermore, individuals are advised to be wary of unsolicited emails or phone calls claiming to be from medical or insurance companies, or vaccine centers, which request personal and/or medical information, as well as of unverifiable claims that certain vaccines are FDA-approved.

Some scammers, the three agencies note, might contact unsuspecting victims via phone to tell them that government or government officials require the population to receive a COVID-19 vaccine.

On Friday, the U.S. Department of Justice announced the seizure of two websites claiming to belong to companies developing COVID-19 treatments, but which were instead meant to collect the personal information of their visitors.

The two websites, “mordernatx.com” and “regeneronmedicals.com,” were copies of the legitimate domains of two biotechnology companies headquartered in Cambridge, Massachusetts, and Westchester County, New York, respectively.

The domains were registered earlier this month. No personal information for the registrar was listed for mordernatx.com, while regeneronmedicals.com was registered to a resident of Onitsha Anambra, Nigeria.

Names and other personal information obtained through these websites could have been used to commit additional crimes.

“Malicious domain registrations are a growing problem and something that both companies and consumers must be wary of,” Skurio CEO Jeremy Hendy told SecurityWeek. “This story in particular highlights why the awareness of fake domains, which, utilises user oversights to trick people into believing they are visiting a genuine site, is an increasingly important issue. These compromised domains can be used by bad actors for social engineering attacks that defraud individuals and steal personal data.”

UN Rights Expert Urges Trump to Pardon Assange
23.12.2020 BigBrothers Securityweek

A UN rights expert on Tuesday urged outgoing US President Donald Trump to pardon Julian Assange, saying the WikiLeaks founder is not "an enemy of the American people".

WikiLeaks "fights secrecy and corruption throughout the world and therefore acts in the public interest both of the American people and humanity as a whole," Niels Melzer wrote in an open letter.

"In pardoning Mr Assange, Mr President, you would send a clear message of justice, truth and humanity to the American people and to the world," said Melzer, the UN special rapporteur on torture.

"You would rehabilitate a courageous man who has suffered injustice, persecution and humilation for more than a decade, simply for telling the truth," he added.

Assange, 49, is currently being held in the top-security Belmarsh jail in London awaiting a January 4 decision by a British judge on a US extradition request, in a case seen by his supporters as a cause celebre for media freedom.

The Australian publisher faces 18 charges in the United States relating to the 2010 release by WikiLeaks of 500,000 secret files detailing aspects of military campaigns in Afghanistan and Iraq.

Melzer has previously condemned the conditions at Belmarsh, saying the "progressively severe suffering inflicted" on Assange is tantamount to torture.

In his letter on Tuesday, Melzer wrote: "I visited Mr. Assange... with two independent medical doctors, and I can attest to the fact that his health has seriously deteriorated, to the point where his life is now in danger."

He noted that Assange suffers from a respiratory condition that makes him more vulnerable to Covid-19, which has infected several Belmarsh inmates.

Melzer said Assange "has not hacked or stolen any of the information he published (but) obtained it from authentic documents and sources in the same way as any other serious and independent investigative journalists conduct their work."

"Prosecuting Mr. Assange for publishing true information about serious official misconduct, whether in America or elsewhere, would amount to 'shooting the messenger'," Melzer wrote.

First arrested 10 years ago on December 7, 2010, Assange could be jailed for up to 175 years if convicted.

CISA Issues ICS Advisory for New Vulnerabilities in Treck TCP/IP Stack
23.12.2020 BigBrothers Securityweek

Security updates available for the Treck TCP/IP stack address two critical vulnerabilities leading to remote code execution or denial-of-service. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory to warn organizations using industrial control systems (ICS) about the risks posed by these flaws.

A low-level TCP/IP software library, the Treck TCP/IP stack is specifically designed for embedded systems, featuring small critical sections and a small code footprint. CISA says the product is used worldwide in the critical manufacturing, IT, healthcare and transportation sectors.

Last week, a series of four new vulnerabilities that Intel’s security researchers discovered in the Treck TCP/IP stack were made public. Two of these were rated critical severity.

The most severe of the two is CVE-2020-25066 (CVSS score of 9.8), a heap-based buffer overflow bug in the Treck HTTP Server components that could be abused by attackers to cause denial of service or execute code remotely.

Next in line is CVE-2020-27337 (CVSS score of 9.1), an out-of-bounds write in the IPv6 component that could be exploited by an unauthenticated user to cause a DoS condition via network access.

An out-of-bounds read in the DHCPv6 client component of Treck IPv6 could be abused by an unauthenticated user to cause denial-of-service via adjacent network access. The bug is tracked as CVE-2020-27338 (CVSS score of 5.9).

The fourth issue, CVE-2020-27336 (CVSS score 3.7), is an improper input validation in the IPv6 component that could lead to an out-of-bounds read of up to three bytes via network access, also without authentication.

Users are advised to install the latest version of the affected product (Treck TCP/IP 6.0.1.68 or later), which can be obtained via email from security(at)treck.com.

“Treck recommends users who cannot apply the latest patches to implement firewall rules to filter out packets that contain a negative content length in the HTTP header,” CISA’s advisory reads.

To minimize the risk of exploitation, users should ensure that control systems are not accessible from the Internet, they should isolate control system networks and remote devices from the business network and behind a firewall, and should use secure methods, such as VPNs, for remote access.

Just as these new vulnerabilities were publicly disclosed, security firm Forescout announced the release of an open-source script that can help identify the use of TCP/IP stacks vulnerable to the recently disclosed AMNESIA33 set of vulnerabilities.

“Although the script has been tested with the four stacks affected by AMNESIA:33 in a lab environment, we cannot guarantee its use to be safe against every possible device. […] Therefore, we do not recommend using it directly in live environments with mission-critical devices,” Forescout notes.

Cyberattack Hit Key US Treasury Systems: Senator
23.12.2020 BigBrothers Securityweek

Hackers broke into systems used by top US Treasury officials during a massive cyberattack on government agencies and may have stolen essential encryption keys, a senior lawmaker said Monday.

Senator Ron Wyden, who sits on both the Senate Intelligence and Finance Committees, said after a closed-door briefing that the hack at the US Treasury Department "appears to be significant."

Dozens of email accounts were compromised, he said in a statement.

"Additionally the hackers broke into systems in the Departmental Offices division of Treasury, home to the department's highest-ranking officials," said Wyden.

"Treasury still does not know all of the actions taken by hackers, or precisely what information was stolen."

The US government admitted last week that computer systems in multiple departments were penetrated by attackers who hacked in through widely used security software made by the US company SolarWinds.

Members of Congress briefed by US intelligence, as well as Secretary of State Mike Pompeo and Attorney General Bill Barr, have all said Russians were behind the hack.

So far officials have said the hackers broke into computers at the State Department, Commerce Department, Treasury, Homeland Security Department, and the National Institutes of Health.

But experts have said they fear far more of the government could be affected, including US intelligence bodies, given the ubiquitousness of the SolarWinds security software.

Wyden said that the Internal Revenue Service had said there was no evidence that they had been compromised or data on taxpayers taken.

But he sharply criticized the government for not taking stronger measures to protect its systems.

The government "has now suffered a breach that seems to involve skilled hackers stealing encryption keys from (government) servers," he said.

That has happened despite "years of government officials advocating for encryption backdoors, and ignoring warnings from cybersecurity experts who said that encryption keys become irresistible targets for hackers."

North Korean Hackers Target COVID-19 Research
23.12.2020 BigBrothers Securityweek

The North Korea-linked threat actor known as Lazarus was recently observed launching cyberattacks against two entities involved in COVID-19 research.

ACLU Sues FBI to Learn How It Obtains Data From Encrypted Devices
23.12.2020 BigBrothers Securityweek

The American Civil Liberties Union (ACLU) announced on Tuesday that it has filed a lawsuit against the FBI in an effort to find out how the law enforcement agency can access information stored on encrypted devices.

The FBI has often turned to third parties for help in accessing information stored on encrypted devices, but it has come to light in recent court documents that the agency’s Electronic Device Analysis Unit (EDAU) has been acquiring solutions that can help it break into encrypted devices on its own.

The ACLU has filed a request under the Freedom of Information Act (FOIA) in hopes of obtaining more information on the EDAU’s capabilities and the technologies it has used. However, the FBI provided what is known as a Glomar response, which indicates that the agency does not even want to confirm or deny the existence of any records related to EDAU, let alone share details on its capabilities.

However, the ACLU says the FBI’s response is not valid and it has asked a federal court to order the Department of Justice and the FBI to hand over documents related to the EDAU.

“A valid Glomar response is rare, as there are only extremely limited instances where its invocation is appropriate — that is, only where the existence or nonexistence of records is itself exempt under FOIA,” ACLU representatives wrote in a blog post on Tuesday. “The problem with the FBI’s Glomar response is that, as detailed above, we already know records pertaining to the EDAU exist because information about the unit is already public. The fact that all of this information is already publicly known deeply undercuts the FBI’s Glomar theory.”

They added, “By invoking the Glomar response, the federal government is sending a clear message: It aims to keep the American public in the dark about its ability to gain access to information stored on our personal mobile devices. But it’s not that the FBI has just shut the door on this information — they’ve shut the door, closed the windows, drawn the shades, and refused to acknowledge whether the house that we’re looking at even exists. It’s imperative that the public gets meaningful access to these records regarding the federal government’s capabilities to access our phones and computers. Our privacy and security are at stake.”

Officials — not just in the U.S. but all Five Eyes countries — have been trying to find ways to force technology companies that develop encrypted communication applications to implement encryption backdoors that would make it easier for law enforcement to conduct investigations.

In the United States, the FBI is often provided as an example, with officials claiming that the agency’s investigations have been impeded by strong encryption — even though in many cases the FBI did manage to gain access to data on encrypted devices and their claims were sometimes found to be exaggerated.

Privacy and security experts have long argued that implementing encryption backdoors would allow not only law enforcement, but also malicious actors to access protected data. Nevertheless, lawmakers continue to try to find ways to pass laws aimed at ending what they call “warrant-proof encryption.”