China-linked hackers are attempting to steal COVID-19 Vaccine Research
14.5.2020 Securityaffairs BigBrothers
US authorities warned healthcare and scientific researchers that China-linked hackers were attempting to steal COVID-19 vaccine research.
US authorities warned healthcare and scientific researchers that China-linked hackers were attempting to steal research related to treatments and vaccines for COVID-19.
“The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are issuing this announcement to raise awareness of the threat to COVID-19-related research. The FBI is investigating the targeting and compromise of U.S. organizations conducting COVID-19-related research by PRC-affiliated cyber actors and non-traditional collectors.” reads the joint alert. “These actors have been observed attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research.”
“The F.B.I. and the Department of Homeland Security are preparing to issue a warning that China’s most skilled hackers and spies are working to steal American research in the crash effort to develop vaccines and treatments for the coronavirus. The efforts are part of a surge in cybertheft and attacks by nations seeking advantage in the pandemic.” reported The New York Times.
“These actors have been observed attempting to identify and illicitly obtain valuable intellectual property and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research,” reads a statement from the FBI and the CISA.
“China’s efforts to target these sectors pose a significant threat to our nation’s response to COVID-19.”
The US agencies recommend that targeted organizations adopt cybersecurity best practices to prevent state-sponsored hackers from stealing COVID-19-related material.
“What else is new with China? What else is new? Tell me. I’m not happy with China,” President Trump commented. “We’re watching it very closely.”
“China’s long history of bad behavior in cyberspace is well documented, so it shouldn’t surprise anyone they are going after the critical organizations involved in the nation’s response to the Covid-19 pandemic,” said Christopher Krebs, the director of the Cybersecurity and Infrastructure Security Agency. He added that the agency would “defend our interests aggressively.”
The Chinese Government in Beijing rejected the allegation on Monday.
“We are leading the world in COVID-19 treatment and vaccine research. It is immoral to target China with rumors and slanders in the absence of any evidence,” Foreign Affairs ministry spokesman Zhao Lijian said.
The Chinese government is not the only one interested in COVID-19 research; nation-state hackers from Russia, Iran, and North Korea are launching spear-phishing and misinformation campaigns in an attempt to target organizations and scientists involved in vaccine research.
Last week the US and the UK issued a joint alert to warn of the rise in cyber attacks carried out by foreign states against healthcare organizations and researchers.
Senate Narrowly Rejects New Limits on Internet Surveillance
14.5.2020 Securityweek BigBrothers
The Senate came one vote short Wednesday of approving a proposal to prevent federal law enforcement from obtaining internet browsing information or search history without seeking a warrant.
The bipartisan amendment won a solid majority of the Senate but just shy of the 60 votes needed for adoption. The 59-37 vote to allow such warrantless searches split both parties, with Republicans and Democrats voting for and against.
The amendment’s authors, Democratic Sen. Ron Wyden of Oregon and Republican Sen. Steve Daines of Montana, have long opposed the expansion and renewal of surveillance laws that the government uses to track and fight terrorists. They say the laws can infringe on people’s rights.
“Should law-abiding Americans have to worry about their government looking over their shoulders from the moment they wake up in the morning and turn on their computers to when they go to bed at night?” Wyden asked. “I believe the answer is no. But that’s exactly what the government has the power to do without our amendment.”
The amendment vote came as the Senate considered renewal of three surveillance provisions that expired in March before Congress left due to the coronavirus pandemic. The legislation is a bipartisan, House-passed compromise that has the backing of President Donald Trump, Attorney General William Barr and House Speaker Nancy Pelosi, D-Calif. It would renew the authorities and impose new restrictions to try and appease civil liberties advocates.
Senate Majority Leader Mitch McConnell, R-Ky., encouraged senators to vote against Wyden and Daines’ amendment, saying the legislation was already a “delicate balance.” He warned changing it could mean the underlying provisions won’t be renewed.
“We cannot let the perfect become the enemy of the good when key authorities are currently sitting expired and unusable,” McConnell said on the Senate floor before the vote.
The House passed the compromise legislation shortly before the chamber left town two months ago. But McConnell couldn’t find enough support to approve the measure in the Senate, and instead passed a simple extension of the surveillance laws. Pelosi never took that legislation up, and McConnell is trying again to pass the House bill this week.
“The attorney general and members of Congress have worked together to craft a compromise solution that will implement needed reforms while preserving the core national security tools,” McConnell said. “These intense discussions have produced a strong bill that balances the need for accountability with our solemn obligation to protect our citizens and defend our homeland.”
It’s unclear if McConnell will be able to get the votes for final passage on Thursday. The close outcome on the Wyden and Daines amendment indicates that a majority of the Senate would like to see the House legislation changed to better protect civil liberties.
An aide to Sen. Patty Murray, D-Wash., said after the vote that she would have supported the amendment if she had been present — meaning it would have passed. Murray was in her home state and will be present for Thursday’s vote, said the aide, who declined to be identified and was granted anonymity to share the senator’s thinking.
Julian Sanchez, a senior fellow at the Cato Institute, a think tank, said it was striking that the amendment failed by only one vote and said the vote total would have been “inconceivable” five years ago.
“It suggests a sea change in attitudes” following revelations in problems with how the FBI has used its secret surveillance powers, Sanchez said. “It goes to the sort of collapse in trust in the intelligence community to deploy these authorities in a restrained way.”
The Senate did adopt an amendment by Republican Sen. Mike Lee of Utah and Democratic Sen. Patrick Leahy of Vermont that would boost third-party oversight to protect individuals in some surveillance cases. If the Senate passes the legislation with that amendment intact, the bill would then have to go back to the House for approval instead of to the president’s desk for signature.
A third amendment by Kentucky Sen. Rand Paul, a Republican who is a longtime skeptic of surveillance programs, is expected to be considered Thursday before a final vote. Paul’s amendment would require the government to go to a traditional federal court, instead of the secretive Foreign Intelligence Surveillance Court, to get a warrant to eavesdrop on an American.
The expired provisions of the Foreign Intelligence Surveillance Act allow the FBI to get a court order for business records in national security investigations, to conduct surveillance on a subject without establishing that they’re acting on behalf of an international terrorism organization and to more easily continue eavesdropping on a subject who has switched cell phone providers to thwart detection.
The congressional debate coincides with internal efforts by the FBI and Justice Department to overhaul its surveillance procedures after a harshly critical inspector general report documented a series of problems in the FBI’s investigation into ties between Russia and the 2016 Trump campaign.
The report identified significant errors and omissions in applications that were submitted in 2016 and 2017 to monitor the communications of former Trump campaign adviser Carter Page.
The Justice Department inspector general has since said that it has identified additional problems in applications. The FBI has announced steps designed to ensure that the application process is more accurate and thorough, and that information that cuts against the premise of the requested surveillance is disclosed to the court.
With encouragement from Barr and congressional Republicans, Trump has said he will support the House-passed legislation. But Paul has made it clear that he will try and lobby the president to veto it, if it passes the Senate.
“You are the president of the US, and you’re allowing your intelligence community to spy on your political opponents?” Paul tweeted at Trump on Tuesday. “I’d be surprised if President Obama didn’t know about the abuses that occurred against @realDonaldTrump! We need to fix FISA now so it never happens again!”
Feds Reveal Hidden Cobra’s Trove of Espionage Tools
14.5.2020 Threatpost BigBrothers
The APT’s new cyber-attack tools are laid bare on three-year anniversary of WannaCry.
The U.S. Department of Homeland Security and Federal Bureau of Investigation have exposed what they say are hacking tools used by the North Korean-sponsored APT group Hidden Cobra. The disclosure was the result of a broad government effort to combat the advanced persistent threat group, who have been active for a number of years.
The agencies have published malware analysis reports (MARs) for three pieces of malware, Copperhedge, Taintedscribe and Pebbledash, which the agencies said come from the toolbox of Hidden Cobra, according to a United States Computer Emergency Readiness Team (US-CERT) release posted late Tuesday.
“The information contained in the alerts and MARs listed above is the result of analytic efforts between the U.S. Department of Homeland Security, the U.S. Department of Defense, and the Federal Bureau of Investigation to provide technical details on the tools and infrastructure used by cyber actors of the North Korean government,” according to the post.
Each of the documents includes malware samples as well as descriptions, suggested response actions and recommended mitigation techniques to help companies identify and fight attacks by North Korean state-sponsored actors.
The tools included in the documentation allow Hidden Cobra to perform nefarious tasks such as remotely taking over systems and stealing information, as well as installing spyware on targeted systems to carry out espionage.
The government released its documentation of the malware on an auspicious date—the third anniversary of the infamous WannaCry attack that impacted more than 300,000 machines in 150 countries, causing unprecedented financial damage and crippling companies who were infected. The attack eventually was attributed to North Korea in December 2017.
Copperhedge is a full-featured remote access tool that can run arbitrary commands, perform system reconnaissance, and exfiltrate data, according to its documentation. It is one of six distinct variants of the malware classified under a family of tools called Manuscrypt; each variant is categorized based on common code and a common class structure, researchers said.
Taintedscribe is a full-featured beaconing implant, including its command modules. The posted samples use FakeTLS for session authentication and for network encryption, using a Linear Feedback Shift Register (LFSR) algorithm, according to US-CERT.
The main executable of this tool disguises itself as Microsoft’s Narrator to download a command execution module from a command and control (C2) server. At this point, Taintedscribe can download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration, researchers said.
Pebbledash is also a full-featured beaconing implant that uses FakeTLS for session authentication and RC4 for network encoding, but it comes without command modules, according to the post. This piece of malware can download, upload, delete and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration, according to US-CERT.
The U.S. authorities have had Hidden Cobra in their crosshairs for a number of years and have been tracking the activities of the group, which typically targets financial institutions.
In 2017, US-CERT first warned that it believed North Korean attackers were operating a campaign, which it identified as Hidden Cobra, targeting U.S. businesses with malware- and botnet-related attacks.
Since then, several attacks have been attributed to the group. One in 2018 targeted organizations in the media, aerospace, financial and critical infrastructure sectors with two types of malware, a RAT dubbed Joanap and a Server Message Block (SMB) worm called Brambul, that could steal sensitive and proprietary information, disrupt regular operations, and disable systems and files.
Last year, Hidden Cobra struck again, using a never-before-seen spyware variant called Hoplight to target U.S. companies and government agencies in active attacks.
Authorities urge organizations to report any activity they discover associated with the malware to the Cybersecurity and Infrastructure Security Agency or the FBI Cyber Watch.
U.S. Government Issues Alert on Most Exploited Vulnerabilities
14.5.2020 BigBrothers
Several Microsoft Office vulnerabilities that were patched years ago continue to be among the security flaws most exploited in attacks, the U.S. government warns.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) this week published an alert to provide guidance on some of the vulnerabilities that are most targeted in attacks.
The bugs, the alert underlines, are routinely exploited by foreign cyber actors in attacks targeting both the public and private sectors, and risks associated with them could be mitigated “through an increased effort to patch systems and implement programs to keep system patching up to date.”
Between 2016 and 2019, threat actors mainly attempted to compromise systems through vulnerabilities in Microsoft Office (CVE-2017-11882, CVE-2017-0199, CVE-2012-0158, CVE-2015-1641), Apache Struts (CVE-2017-5638), Microsoft SharePoint (CVE-2019-0604), Microsoft Windows (CVE-2017-0143), Microsoft .NET Framework (CVE-2017-8759), Adobe Flash Player (CVE-2018-4878), and Drupal (CVE-2018-7600).
Attacks attempting to exploit these security issues tried to deploy a broad range of malware families, including Loki, FormBook, Pony/FAREIT, FINSPY, LATENTBOT, Dridex, JexBoss, China Chopper, DOGCALL, FinFisher, WingBird, Toshliph, UWarrior, and Kitty, among others.
The three vulnerabilities that state-sponsored threat actors from China, Iran, North Korea, and Russia are abusing most frequently impact Microsoft Office and have been patched long ago: CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158.
“According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets. After OLE the second-most-reported vulnerable technology was a widespread Web framework known as Apache Struts,” the alert reads.
In 2015, the U.S. government assessed that CVE-2012-0158 was the most used in Chinese threat actors’ cyber operations, and the vulnerability continues to be widely used by these hackers.
“This trend suggests that organizations have not yet widely implemented patches for this vulnerability and that Chinese state cyber actors may continue to incorporate dated flaws into their operational tradecraft as long as they remain effective,” the U.S. government says.
In 2020, in addition to the aforementioned vulnerabilities, threat actors started wide exploitation of virtual private network flaws (CVE-2019-19781 and CVE-2019-11510), Microsoft Office 365 misconfigurations, and cybersecurity weaknesses such as poor employee training on social engineering, and the lack of system recovery and contingency plans.
US Says China Trying to Steal COVID-19 Vaccine Research
14.5.2020 BigBrothers
US authorities warned healthcare and scientific researchers Wednesday that Chinese-backed hackers were attempting to steal research and intellectual property related to treatments and vaccines for COVID-19.
Organizations researching the disease were warned of "likely targeting and network compromise by the People's Republic of China," a statement from the FBI and the Cybersecurity and Infrastructure Security Agency said.
"These actors have been observed attempting to identify and illicitly obtain valuable intellectual property and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research," they said.
"China's efforts to target these sectors pose a significant threat to our nation's response to COVID-19," they said.
The two organizations gave no evidence or examples of their allegation against Beijing.
But they urged "all organizations conducting research in these areas to maintain dedicated cybersecurity and insider threat practices to prevent surreptitious review or theft of COVID-19-related material."
On Monday US media reported that the FBI was poised to release the warning about vaccine-research hacking.
Asked about the coming report, President Donald Trump replied: "What else is new with China? What else is new? Tell me. I'm not happy with China."
"We're watching it very closely," he added.
In Beijing on Monday, Foreign Affairs ministry spokesman Zhao Lijian rejected the allegation, saying China firmly opposes all cyber attacks.
"We are leading the world in COVID-19 treatment and vaccine research. It is immoral to target China with rumors and slanders in the absence of any evidence," Zhao said.
The warning comes as dozens of companies, institutes and countries around the world are racing to develop vaccines to halt the spread of the coronavirus, which has killed at least 292,000 worldwide.
Many more groups are researching treatments for infected patients. Currently there is no proven treatment.
The warning adds to a series of alerts and reports accusing government-backed hackers in Iran, North Korea, Russia and China of malicious activity related to the coronavirus pandemic, from pumping out false news to targeting workers and scientists.
Last week in a joint message Britain and the United States warned of a rise in cyber attacks against health professionals involved in the coronavirus response by organised criminals "often linked with other state actors."
Britain's National Cyber Security Centre and the US Cybersecurity and Infrastructure Security Agency said they had detected large-scale "password spraying" tactics, in which hackers try to access many accounts using a small set of commonly used passwords, aimed at healthcare bodies and medical research organizations.
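The password-spraying pattern the two agencies describe has a recognisable signature in authentication logs: one source fails against many distinct accounts with only one or two attempts each, which is the opposite of classic brute force against a single account. The following detector is an added example written for this page; it is not code from the NCSC, CISA, or the article. It runs over a constructed, simplified log format (timestamp, outcome, user, source IP), and the thresholds `min_accounts` and `max_per_account` are assumptions a defender would tune for their own environment.

```python
"""Password-spray detector over constructed authentication log lines.

Added example, not from the original article or any agency advisory.
The log format below is constructed for this example; a real deployment
would parse Windows 4625 events, SSH auth logs, or IdP sign-in logs instead.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines: one spraying source (203.0.113.10),
# one brute-force source (198.51.100.7), one benign source (192.0.2.9).
SAMPLE_LOG = """\
2020-05-07T09:00:01Z FAIL user=alice src=203.0.113.10
2020-05-07T09:00:03Z FAIL user=bob src=203.0.113.10
2020-05-07T09:00:05Z FAIL user=carol src=203.0.113.10
2020-05-07T09:00:07Z FAIL user=dave src=203.0.113.10
2020-05-07T09:00:09Z FAIL user=erin src=203.0.113.10
2020-05-07T09:00:11Z OK   user=frank src=203.0.113.10
2020-05-07T09:00:20Z FAIL user=alice src=198.51.100.7
2020-05-07T09:00:21Z FAIL user=alice src=198.51.100.7
2020-05-07T09:00:22Z FAIL user=alice src=198.51.100.7
2020-05-07T09:00:23Z FAIL user=alice src=198.51.100.7
2020-05-07T09:00:24Z FAIL user=alice src=198.51.100.7
2020-05-07T09:00:30Z FAIL user=gina src=192.0.2.9
2020-05-07T09:00:31Z OK   user=gina src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<outcome>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, outcome, user, src) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["outcome"], m["user"], m["src"]


def detect_password_spray(text, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Return {src: sorted list of sprayed accounts} for every source that
    failed against at least `min_accounts` distinct users inside `window`
    with no more than `max_per_account` failures per user.  A single account
    hammered many times is brute force, not spraying, and is not reported.
    Thresholds are assumed defaults for this example, not agency guidance."""
    events = sorted(parse_log(text))
    fails_by_src = defaultdict(list)
    for ts, outcome, user, src in events:
        if outcome == "FAIL":
            fails_by_src[src].append((ts, user))

    alerts = {}
    for src, fails in fails_by_src.items():
        start = 0
        # Sliding time window over this source's failures, oldest first.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                alerts[src] = sorted(per_user)
                break
    return alerts


def successes_after_spray(text, alerts):
    """Accounts that logged in successfully from a flagged spraying source.
    These are the logins a responder should review first, since a spray that
    ends in an OK is the sign that a weak password was guessed."""
    return [(src, user) for _, outcome, user, src in parse_log(text)
            if outcome == "OK" and src in alerts]


if __name__ == "__main__":
    found = detect_password_spray(SAMPLE_LOG)
    print("spraying sources:", found)
    print("successful logins from those sources:",
          successes_after_spray(SAMPLE_LOG, found))
```

On the constructed log the brute-force source is deliberately left out of the result because all five of its failures hit the same account; the check a responder cares about most is `successes_after_spray`, which pairs each flagged source with the accounts that eventually authenticated from it.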
Reporting the expected FBI warning on Monday, The New York Times said it could be a prelude to officially sanctioned counterattacks by US agencies involved in cyber warfare, including the Pentagon's Cyber Command and the National Security Agency.
Chancellor Merkel has ‘hard evidence’ of Russian hackers targeted her
13.5.2020 Securityaffairs BigBrothers
German Chancellor Angela Merkel revealed that she is the target of an “outrageous” cyber espionage campaign carried out by Russia.
German Chancellor Angela Merkel revealed that Russia-linked threat actors were targeting her in an “outrageous” cyberespionage campaign.
“I can honestly say that it pains me. Every day I try to build a better relationship with Russia and on the other hand there is such hard evidence that Russian forces are doing this,” she told parliament.
The news is not surprising: on several occasions German intelligence has blamed Russia-linked APT groups for spying on lawmakers or leading politicians.
Germany’s intelligence service has repeatedly called out attempts by Russian hackers to spy on lawmakers or leading politicians.
According to the German news agency Bild, Merkel’s computer was one of the first systems to be infected with the malware that the hackers used to target other members of Parliament in the 2015 Bundestag hack.
The attackers used Merkel’s PC to target other German politicians by sending malicious messages.
Merkel confirmed that the investigation into the 2015 incident allowed investigators to identify a suspect.
“Unfortunately the conclusion I have reached is that this is not new,” she said, noting that “cyber-disorientation, the distortion of facts” were all part of “Russia’s strategy”.
“Obviously this doesn’t make it easier” to foster a better relationship with Moscow, she said, calling such spying tactics “more than uncomfortable”.
USCYBERCOM shares five new North Korea-linked malware samples
13.5.2020 Securityaffairs BigBrothers
The United States Cyber Command (USCYBERCOM) has uploaded five new North Korean malware samples to VirusTotal.
The United States Cyber Command (USCYBERCOM) has shared five new malware samples attributed to the North Korea-linked Lazarus APT, uploading the malicious code to VirusTotal.
“On May 12, 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) released three Malware Analysis Reports (MARs) on malware variants used by the North Korean government.” reads the DHS CISA’s advisory.
May 12, 2020: Malware Analysis Report (1028834-1.v1) – North Korean Remote Access Tool: COPPERHEDGE
May 12, 2020: Malware Analysis Report (1028834-2.v1) – North Korean Trojan: TAINTEDSCRIBE
May 12, 2020: Malware Analysis Report (1028834-3.v1) – North Korean Trojan: PEBBLEDASH
“The information contained in the alerts and MARs listed above is the result of analytic efforts between the U.S. Department of Homeland Security, the U.S. Department of Defense, and the Federal Bureau of Investigation to provide technical details on the tools and infrastructure used by cyber actors of the North Korean government.”
Since November 2018, USCYBERCOM’s Cyber National Mission Force (CNMF) has been sharing unclassified malware samples through the CYBERCOM_Malware_Alert VirusTotal account.
In February, the government experts released new and updated Malware Analysis Reports (MARs) related to new malware families involved in new attacks carried out by North Korea-linked HIDDEN COBRA group.
Now, USCYBERCOM is sharing five more samples, the oldest dated 2017 and the rest created in 2018.
The samples belong to the COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH malware families.
COPPERHEDGE is a remote access trojan (RAT) that allows attackers to run arbitrary commands, perform system reconnaissance, and exfiltrate data. COPPERHEDGE, aka Manuscrypt, has been employed in attacks on cryptocurrency exchanges. USCYBERCOM experts discovered six distinct variants of the malware.
TAINTEDSCRIBE is an implant that can execute the attacker’s commands on a compromised system.
PEBBLEDASH is an implant that has the capability to download, upload, delete, and execute files; the malicious code enables Windows CLI access, creates and terminates processes, and performs target system enumeration. The implant uses FakeTLS for session authentication and RC4 for network encoding.
The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) published security advisories for the three malware on its website.
Merkel Cites 'Hard Evidence' Russian Hackers Targeted Her
13.5.2020 Securityweek BigBrothers
German Chancellor Angela Merkel voiced frustration Wednesday that Russia was targeting her in hacking action, saying she had concrete proof of the "outrageous" spying attempts.
"I can honestly say that it pains me. Every day I try to build a better relationship with Russia and on the other hand there is such hard evidence that Russian forces are doing this," she told parliament.
Germany's intelligence service has repeatedly called out attempts by Russian hackers to spy on lawmakers or leading politicians.
German media reported that among information copied by hackers in 2015 was data from Merkel's email account. That attack also targeted the Bundestag. Merkel said investigators into the 2015 hacking had identified a specific suspect.
"Unfortunately the conclusion I have reached is that this is not new," she said, noting that "cyber-disorientation, the distortion of facts" were all part of "Russia's strategy".
"Obviously this doesn't make it easier" to foster a better relationship with Moscow, she said, calling such spying tactics "more than uncomfortable".
U.S. Cyber Command Shares More North Korean Malware Variants
13.5.2020 Securityweek BigBrothers
The United States Cyber Command (USCYBERCOM) has uploaded five malware samples to VirusTotal today, which it has attributed to the North Korean threat group Lazarus.
Since November 2018, USCYBERCOM has shared numerous malware samples as part of a project started by its Cyber National Mission Force (CNMF), including malicious files attributed to nation states from North Korea, Russia, and Iran.
In September last year, it shared with the popular scanning engine 11 samples attributed to Lazarus, which the U.S. refers to as “Hidden Cobra.” Six other samples were added in February this year.
Today, USCYBERCOM shared five more files, four of which appear to have been created in 2018, and one dated 2017.
These files are samples of three malware families that the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) are calling COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH.
Two of the samples have high detection rates on VirusTotal, with more than 35 of the 71 antivirus engines recognizing them as malicious. One of the files appears to be a variant of Destover that was initially spotted in 2017.
COPPERHEDGE is the malware family that many security companies track as Manuscrypt, and which has been used in previous attacks on cryptocurrency exchanges and related entities.
A full-featured Remote Access Tool (RAT), Manuscrypt provides attackers with support for running arbitrary commands on the compromised machines, performing system reconnaissance, and exfiltrating data deemed of interest.
Analysis of network and code features has revealed the existence of six distinct variants of the malware, USCYBERCOM says.
TAINTEDSCRIBE is described as a full-featured beaconing implant that is accompanied by its command modules. The malware can download/upload/delete/execute files, enable Windows CLI access, create/terminate processes, and enumerate the target system.
“These samples use FakeTLS for session authentication and for network encryption utilizing a Linear Feedback Shift Register (LFSR) algorithm. The main executable disguises itself as Microsoft’s Narrator,” USCYBERCOM explains.
PEBBLEDASH, another full-featured beaconing implant that also uses FakeTLS for session authentication, but uses RC4 for network encoding, has similar capabilities.
The samples appear to share some code similarities that result in some detection engines identifying them as variants of the NukeSped RAT, something that was observed with previously shared malware samples as well.
U.S Defense Warns of 3 New Malware Used by North Korean Hackers
13.5.2020 Thehackernews BigBrothers
Yesterday, on the 3rd anniversary of the infamous global WannaCry ransomware outbreak for which North Korea was blamed, the U.S. government released information about three new malware strains used by state-sponsored North Korean hackers.
Called COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH, the malware variants are capable of remote reconnaissance and exfiltration of sensitive information from target systems, according to a joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD).
The three new malware strains are the latest addition to a long list of over 20 malware samples, including BISTROMATH, SLICKSHOES, HOPLIGHT, and ELECTRICFISH, among others, that the security agencies have identified as part of a series of malicious cyber activity by the North Korean government, which the U.S. calls Hidden Cobra and which is widely known by the moniker Lazarus Group.
Full-Featured Trojans
COPPERHEDGE, the first of the three new variants, is a full-featured Remote Access Tool (RAT) capable of running arbitrary commands, performing system reconnaissance, and exfiltrating data. It's being used by advanced threat actors to target cryptocurrency exchanges and related entities. Six different versions of COPPERHEDGE have been identified.
TAINTEDSCRIBE functions as a backdoor implant that masquerades as Microsoft's Narrator screen reader utility in order to download malicious payloads from a command-and-control (C2) server, upload and execute files, and even create and terminate processes.
Lastly, PEBBLEDASH, like TAINTEDSCRIBE, is another trojan with capabilities to "download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; perform target system enumeration."
A significant Cyber Espionage Threat
The WannaCry ransomware infection of 2017, also known as Wanna Decryptor, leveraged a Windows SMB exploit, dubbed EternalBlue, that allowed a remote hacker to hijack unpatched Windows computers in return for Bitcoin payments of up to $600. The attack has since been traced to Hidden Cobra.
With the Lazarus Group responsible for the theft of more than $571 million worth of cryptocurrency from online exchanges, the financially-motivated attacks led the US Treasury to sanction the group and its two offshoots, Bluenoroff and Andariel, last September.
Then, earlier this March, the US Department of Justice (DoJ) charged two Chinese nationals, acting on behalf of the North Korean threat actors, with allegedly laundering over $100 million worth of the stolen cryptocurrency using prepaid Apple iTunes gift cards.
Last month, the US government had issued guidance on the 'significant cyber threat' posed by North Korean state-sponsored hackers to the global banking and financial institutions, in addition to offering a monetary reward of up to $5 million for information about past or ongoing illicit DPRK activities in the cyber realm.
"The DPRK's malicious cyber activities threaten the United States and the broader international community and, in particular, pose a significant threat to the integrity and stability of the international financial system," the advisory cautioned.
"Under the pressure of robust US and UN sanctions, the DPRK has increasingly relied on illicit activities – including cybercrime – to generate revenue for its weapons of mass destruction and ballistic missile programs."
A cyber attack hit a port on the Strait of Hormuz, Iran said
12.5.2020 Securityaffairs BigBrothers
Iranian officials revealed that hackers compromised and damaged a small number of computers at the port of Shahid Rajaei in the city of Bandar Abbas.
Iranian officials announced on Sunday that hackers damaged a small number of systems at the port of Shahid Rajaei in the city of Bandar Abbas.
Bandar Abbas is the capital of Hormozgān Province on the southern coast of Iran, on the Persian Gulf. The city occupies a strategic position on the narrow Strait of Hormuz, and it is the location of the main base of the Iranian Navy. Bandar Abbas is also the capital and largest city of Bandar Abbas County.
Iranian officials did not reveal details of the cyber attack that took place last week.
Local authorities, including the Ports and Maritime Organization (PMO) in the state of Hormozgan, confirmed that operations at the port were impacted by the cyber attack.
Initially, officials denied the cyber-attack, but under media pressure they later admitted the cyber intrusion.
Speaking to ILNA news agency, the Managing Director of the Ports and Maritime Organization (PMO) revealed that the cyber-attack failed to penetrate the PMO's systems. The Managing Director explained that the attackers were able to compromise only a limited number of computers at the ports.
“The organization is well protected, but still needs to continuously strengthen and update the layers of protection to minimize the risk of a cyber-attack,” he added.
The authorities did not attribute the attack to a specific threat actor, and Iran’s Deputy Minister of Roads and Urban Development stated that he did not have any information about the origin of the attack.
“Currently, the distribution of cargo in northern ports is good; although the performance of all southern ports is negative,” said Mohammad Rastad.
Around the same time, an apparently unrelated incident took place in the same area: the Iranian support ship Konarak was hit by a new anti-ship missile being tested by the frigate Jamaran during an exercise on Sunday.
The Konarak had been putting targets out in the water and remained too close to one, according to the reports. Nineteen sailors have been killed and 15 others injured in the incident.
Local media speculated that the two incidents could have been linked; for this reason, Iranian authorities decided to disclose the cyber attack and officially explain that the two incidents were not related.
In December 2020, the New York Times revealed that the US carried out a cyberattack in June on a database used by Iran’s Islamic Revolutionary Guard Corps to plot attacks on oil tankers in the Gulf.
The attack took place on June 20, 2020: US hackers interfered with the cyber capabilities of Iran’s paramilitary arm to target shipping in the Gulf. The database was used by the Iran Guards to choose the tankers to target.
In December 2019, Iran foiled two massive cyber-attacks in less than a week, the country’s telecommunications minister Mohammad Javad Azari-Jahromi revealed.
The news was reported by both the ISNA and Mehr news agencies; the Iranian minister described the attacks as “really massive” and attributed them to a nation-state actor.
US Says Chinese Hacking Vaccine Research: Reports
11.5.2020 Securityweek BigBrothers
The US Federal Bureau of Investigation and cybersecurity experts believe Chinese hackers are trying to steal research on developing a vaccine against coronavirus, two newspapers reported Monday.
The FBI and Department of Homeland Security are planning to release a warning about the Chinese hacking as governments and private firms race to develop a vaccine for COVID-19, the Wall Street Journal and New York Times reported.
The hackers are also targeting information and intellectual property on treatments and testing for COVID-19.
US officials alleged that the hackers are linked to the Chinese government, the reports say.
The official warning could come within days.
In Beijing, Foreign Affairs Ministry spokesman Zhao Lijian rejected the allegation, saying China firmly opposes all cyber attacks.
"We are leading the world in COVID-19 treatment and vaccine research. It is immoral to target China with rumors and slanders in the absence of any evidence," Zhao said.
The warning would add to a series of alerts and reports accusing government-backed hackers in Iran, North Korea, Russia and China of malicious activity related to the pandemic, from pumping out false news to targeting workers and scientists.
The New York Times said it could be a prelude to officially-sanctioned counterattacks by US agencies involved in cyber warfare, including the Pentagon's Cyber Command and the National Security Agency.
Last week in a joint message Britain and the United States warned of a rise in cyber attacks against health professionals involved in the coronavirus response by organised criminals "often linked with other state actors."
Britain's National Cyber Security Centre and the US Cybersecurity and Infrastructure Security Agency said they had detected large-scale "password spraying" tactics -- hackers trying to access accounts through commonly used passwords -- aimed at healthcare bodies and medical research organisations.
Nation-state hackers are targeting COVID-19 response orgs
9.5.2020 Bleepingcomputer BigBrothers
Organizations involved in international COVID-19 responses, healthcare, and essential services are actively targeted by government-backed hacking groups according to a joint advisory issued today by cyber-security agencies from the US and the UK.
Healthcare bodies, medical research organizations, pharmaceutical companies, academia, and local governments are some examples of organizations currently being targeted by state-backed hacking groups.
Vulnerabilities introduced by remote working actively exploited
"APT actors frequently target organizations in order to collect bulk personal information, intellectual property, and intelligence that aligns with national priorities," the advisory says.
"The pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For example, actors may seek to obtain intelligence on national and international healthcare policy, or acquire sensitive data on COVID-19-related research."
The DHS Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre (NCSC) say that they are currently investigating incidents where advanced persistent threat (APT) groups attacked universities, research organizations, and pharmaceutical companies.
Government-backed hackers have been abusing new vulnerabilities stemming from the shift to remote working in their attacks, exploiting the CVE-2019-19781 Citrix vulnerability and the CVE-2019-11510 Pulse Secure VPN vulnerability in vulnerable appliances exposed to remote access.
Password spraying used against international healthcare entities
CISA and NCSC are also investigating APT campaigns using large-scale password spraying in attacks against international healthcare orgs and national healthcare entities from several countries including but not limited to the United States and the United Kingdom.
In password spraying attacks, threat actors use a slow approach, testing commonly used weak passwords against large numbers of accounts at the same online service provider, which lets them escape detection and avoid lockouts or blocking.
Once they gain access to one account, it is used to take control of other accounts that reuse the same credentials, to move laterally within the network, or as a launch point for future cyber-attacks.
"Previously, APT groups have used password spraying to target a range of organizations and companies across sectors—including government, emergency services, law enforcement, academia and research organizations, financial institutions, and telecommunications and retail companies," the two agencies further explain.
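To make the detection side of this concrete, here is an added Python example of mine, not code from the advisory or from either agency. It parses a few constructed authentication log lines in a hypothetical "auth result= user= src=" format and flags a source address that fails against many distinct accounts with only a few attempts per account, which is exactly the shape the slow, spread-out approach described above leaves in the logs. The log format, the thresholds, the time window and the IP addresses are all assumptions for the example.

```python
"""Password-spraying detector for authentication logs.

Added example, not code from the CISA/NCSC advisory.  Spraying tries a few
common passwords against many accounts, so per-account lockout thresholds
never trip; the signal is per-source instead: one client address failing
against an unusually large number of distinct accounts inside a time window,
with only a handful of attempts per account.
"""
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical log format (an assumption for this example):
#   <ISO-8601 UTC timestamp> auth result=<ok|fail> user=<account> src=<client ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: a user mistyping a password twice (benign), a spray of
# one attempt each across 12 accounts from 203.0.113.7 followed by a successful
# logon from the same address, and a single-account brute force from 192.0.2.9.
SAMPLE_LOG = (
    "2020-05-05T09:00:00Z auth result=fail user=carol src=198.51.100.4\n"
    "2020-05-05T09:00:20Z auth result=fail user=carol src=198.51.100.4\n"
    "2020-05-05T09:00:45Z auth result=ok user=carol src=198.51.100.4\n"
    + "".join(f"2020-05-05T09:{5 + i:02d}:00Z auth result=fail user=user{i:02d} src=203.0.113.7\n"
              for i in range(12))
    + "2020-05-05T09:20:00Z auth result=ok user=user07 src=203.0.113.7\n"
    + "".join(f"2020-05-05T09:30:{4 * i:02d}Z auth result=fail user=dave src=192.0.2.9\n"
              for i in range(12))
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    result: str
    user: str
    src: str


def parse_log(text):
    """Parse matching lines into AuthEvents sorted by time; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuthEvent(ts, m["result"], m["user"], m["src"]))
    return sorted(events, key=lambda e: e.ts)


def detect_spraying(events, window=timedelta(hours=1), min_accounts=10, max_per_account=3):
    """Return {src: finding} for sources whose failures match the spray shape.

    For each source a sliding window over its failed logons is scanned; a window
    qualifies when it holds at least `min_accounts` distinct accounts and no
    account was tried more than `max_per_account` times (the low per-account
    rate is what keeps spraying under lockout thresholds).  A single account
    hammered many times is a brute force, not a spray, and is left to a
    per-account rule.
    """
    fails_by_src = defaultdict(list)
    for e in events:
        if e.result == "fail":
            fails_by_src[e.src].append(e)

    findings = {}
    for src, fails in fails_by_src.items():
        best = None  # (distinct accounts, window start) of the widest qualifying window
        start = 0
        for end in range(len(fails)):
            while fails[end].ts - fails[start].ts > window:
                start += 1
            per_account = defaultdict(int)
            for e in fails[start:end + 1]:
                per_account[e.user] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                if best is None or len(per_account) > best[0]:
                    best = (len(per_account), fails[start].ts)
        if best is None:
            continue
        accounts, first_seen = best
        # Any successful logon from the spraying address after the spray began is
        # the account to lock and investigate first.
        logons = sorted({e.user for e in events
                         if e.src == src and e.result == "ok" and e.ts >= first_seen})
        findings[src] = {"accounts_targeted": accounts,
                         "first_seen": first_seen.isoformat(),
                         "logons_after_spray": logons}
    return findings


if __name__ == "__main__":
    print(json.dumps(detect_spraying(parse_log(SAMPLE_LOG)), indent=2))
```

Running the file prints one finding for 203.0.113.7 (12 accounts, one successful logon for user07 afterwards) and nothing for the single-account brute force from 192.0.2.9, which a per-account rule catches but a per-source rule should not confuse with spraying. In a SIEM the same logic is a group-by on source address with a distinct count of user names over a window; the account that logs on successfully from that source during the window is the one to lock first.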
Mitigation measures
CISA and NCSC have also shared guidance and mitigation measures for drastically reducing the risk of compromise in password spraying attacks.
The two cyber-security agencies also provide tips on how to protect against other active APT campaigns currently targeting healthcare and essential services across the globe:
• Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and configurations (guidance on enterprise VPN security and guidance on virtual private networks)
• Use multi-factor authentication to reduce the impact of password compromises (how-to guide for multi-factor authentication, guidance on multi-factor authentication services and setting up two factor authentication)
• Protect the management interfaces of your critical operational systems (guidance on protecting management interfaces)
• Set up a security monitoring capability (introduction to logging for security purposes)
• Review and refresh your incident management processes (guidance on incident management)
• Use modern systems and software (guidance on obsolete platform security)
• Further info: Invest in preventing malware-based attacks across various scenarios (guidance on ransomware, protecting against malicious code, mitigating malware and ransomware attacks)
A previous joint alert from last month also warned that cybercriminal and advanced persistent threat (APT) groups are using COVID-19-related themes in their attacks against individuals, small and medium enterprises, and large organizations.
They are exploiting the pandemic as part of phishing attacks, for malware distribution, to register coronavirus or COVID-19 related domains for use as part of their attack infrastructure, and in attacks targeting hastily deployed remote access and teleworking infrastructure.
In late April, the U.S. Federal Bureau of Investigation (FBI) warned of ongoing phishing campaigns against US healthcare providers using COVID-19-themed lures to distribute malicious payloads.
INTERPOL (the International Criminal Police Organisation) also warned in April about an increasing number of attempts to lock hospitals out of critical systems by deploying ransomware on their networks amid the ongoing COVID-19 outbreak.
FCC: No more warnings for robocallers before fines
3.5.2020 Bleepingcomputer BigBrothers
The US Federal Communications Commission (FCC) today issued an order saying that it will no longer warn robocallers before fining them for harassing consumers and violating the law.
Today's order also extends the timeframe within which the FCC can penalize robocallers for Telephone Consumer Protection Act (TCPA) and spoofing calls violations, and increases the penalties for intentional unlawful robocalls.
"Robocall scam operators don’t need a warning these days to know what they are doing is illegal, and this FCC has long disliked the statutory requirement to grant them mulligans," FCC Chairman Ajit Pai said today.
"We have taken unprecedented action against spoofing violations in recent years and removing this outdated ‘warning’ requirement will help us speed up enforcement to protect consumers."
This change follows the enactment of the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act in December 2019 that removed the robocaller warning requirement from law and also made it possible to fine them for violations occurring before the warnings were issued.
Under the prior statutory requirement, the Commission had to issue robocallers that did not otherwise fall within its jurisdiction warnings—formally called citations—related to their alleged violations of the Telephone Consumer Protection Act (by, for example, robocalling cell phones without prior consumer consent) before the agency was able to move forward with an enforcement action. - FCC
Fines of up to $10,000 per robocall
The order increases the maximum penalty per intentional unlawful robocall to $10,000, in addition to the Commission-proposed forfeiture penalty amount.
In addition, the penalties can now be enforced within four years of the day the TCPA and spoofing robocall violations took place, extending the previous statute of limitations of up to two years.
"By extending the enforcement period for intentional violations, Congress granted the Commission additional time to pursue violators that intentionally violate laws restricting the use of prerecorded or artificial voice messages and/or automatic telephone dialing systems," the FCC order reads.
According to FCC's news release, the Commission has carried out unprecedented enforcement actions against robocallers under the Truth in Caller ID Act since Chairman Pai took office in January 2017.
Previous fines against robocallers
Among them, the FCC highlights a $120 million fine issued in May 2018 against a Florida-based telemarketing operation for making roughly 100 million spoofed robocalls over three months.
Also, during September 2018, the FCC issued an $82 million penalty against a North Carolina-based health insurance telemarketer for more than 21 million robocalls to market health insurance and proposed a $37.5 million fine against Arizona marketer Affordable Enterprises for peddling home improvement and remodeling services to millions.
In all three of these cases, the FCC was also required by law to issue citations for the TCPA violations.
"The Enforcement Bureau and the Federal Trade Commission also recently pushed gateway providers to stop their suspected facilitation of COVID-19-related scam robocalls," the FCC adds. "Within 24 hours, those gateway providers stopped carrying those scam robocalls."
US govt agencies to disable DoH until federal service is ready
3.5.2020 Bleepingcomputer BigBrothers
US government agencies' chief information officers were recommended today to disable third-party encrypted DNS services until an official DNS resolution service with DNS over HTTPS (DoH) and DNS over TLS (DoT) support is ready.
Until then, agencies were reminded that they are legally required to use the EINSTEIN 3 Accelerated (E3A) DNS service on devices connected to federal agency networks, although the Cybersecurity and Infrastructure Security Agency (CISA) encourages vendors' current efforts to make network traffic encryption the default choice for users.
E3A provides a DNS sinkholing service, which automatically protects users by blocking their access to malicious infrastructure by overriding public DNS records identified as harmful. This DNS resolver service also provides CISA with "insight into DNS requests made from agency networks."
DoH allows DNS resolution requests over encrypted HTTPS connections, while DoT encrypts and wraps all DNS queries via the Transport Layer Security (TLS) protocol instead of using insecure plain text DNS lookups.
Requirements and recommendations
According to a memorandum sent today by CISA Director Christopher C. Krebs, government agencies are required to set E3A as the primary (or ultimate) upstream DNS resolver for all local DNS recursive resolvers.
Among several recommendations, US govt agencies are advised to configure fallback upstream DNS resolvers using public resolvers such as the ones provided by Cloudflare, Google, Quad9, or Cisco, with the note that agencies should inform CISA of their choice so that it can more accurately understand traffic on their networks.
Until a DNS resolution service with support for DoH and DoT is provided by CISA, federal agencies are also recommended to "set and enforce enterprise-wide policy (e.g., Group Policy Objects [GPO] for Windows environments) for installed browsers to disable DoH use."
NEW: As the federal government’s #cyber adviser, we’ve issued a memo to remind federal agencies of their responsibilities concerning Domain Name System (#DNS) service. Read more: https://t.co/mkcUV7g1cL
— Cybersecurity and Infrastructure Security Agency (@CISAgov) April 30, 2020
"CISA encourages efforts to make network communications encrypted by default. Doing so increases user security, making it harder for attackers to monitor and modify communication," Director Krebs said.
"DoH and DoT add desirable security features to DNS resolution; however, federal agencies that use DNS resolvers other than E3A lose the protection that defensive DNS filtering provides, and E3A does not currently offer encrypted DNS resolution.
"CISA intends to offer a DNS resolution service that supports DoH and DoT in time. Until then, agencies must use E3A for DNS resolution."
Encrypted DNS rollout, trials, and future plans
Mozilla has already rolled out DNS-over-HTTPS by default to all Firefox users in the U.S. starting February 25, 2020, enabling Cloudflare's DNS provider with users still being able to switch to NextDNS or another custom provider from Firefox's network options.
Google is also running a limited DoH trial on all supported platforms other than Linux and iOS starting with the release of Chrome 79. Unlike Mozilla, Google will not change the DNS provider but will instead only upgrade Chrome's DNS resolution protocol for default providers with DoH support.
Microsoft has also announced during mid-November 2019 that it will add DoH support to the Windows DNS client in a future Windows 10 release, with plans to only upgrade the protocol to encrypted DNS for default providers that come with this feature.
"There is an assumption by many that DNS encryption requires DNS centralization. This is only true if encrypted DNS adoption isn’t universal," Microsoft said at the time.
"To keep the DNS decentralized, it will be important for client operating systems (such as Windows) and Internet service providers alike to widely adopt encrypted DNS."
US govt updates Microsoft Office 365 security best practices
3.5.2020 Bleepingcomputer BigBrothers
The Cybersecurity and Infrastructure Security Agency (CISA) today issued an update to its Microsoft Office 365 security best practices as part of an alert distributed via the US National Cyber Awareness System.
These recommendations were compiled to address Office 365 security configuration errors that can weaken an organization's otherwise sound security strategy while migrating from on-premises to cloud collaboration solutions during the pandemic.
"As organizations adapt or change their enterprise collaboration capabilities to meet 'telework' requirements, many organizations are migrating to Microsoft Office 365 (O365) and other cloud collaboration services," CISA explains in the AA20-120A alert published today.
Today's alert is an update to the AR19-133A analysis report from May 13, 2019, which contained Microsoft Office 365 security observations.
Recently migrated to Microsoft Office 365? Review @CISAgov’s updated Alert on cloud collaboration best practices and how to protect O365 services against cyberattacks at https://t.co/VcDTJdhWFy. #Cyber #Cybersecurity #InfoSec
— US-CERT (@USCERT_gov) April 29, 2020
Poorly configured Office 365 leads to cyber attacks
"Due to the speed of these deployments, organizations may not be fully considering the security configurations of these platforms," the agency adds.
"CISA continues to see instances where entities are not implementing best security practices in regard to their O365 implementation, resulting in increased vulnerability to adversary attacks."
The DHS cyber-security agency created its list of security best practices following several engagements with organizations that have migrated to cloud-based collaboration solutions such as Office 365 since October 2018, with some of them being forced to do it to support a fully remote workforce.
To prevent attackers from exploiting weaknesses in their Office 365 security configuration, CISA recommends taking the following measures:
• Enable multi-factor authentication for administrator accounts: this is needed because Microsoft doesn't enable MFA by default, not even for Azure Active Directory (AD) Global Administrators (the equivalent of Domain Administrator in an on-premises AD environment).
• Assign Administrator roles using Role-based Access Control (RBAC): always switch from Global Administrator to other built-in administrator roles with fewer privileges to provide admins with the absolute minimum permissions for their job.
• Enable Unified Audit Log (UAL): allows admins to hunt for signs of potentially malicious actions or outside established policies.
• Enable multi-factor authentication for all users: helps block attackers from using stolen credentials to take control of user accounts.
• Disable legacy protocol authentication when appropriate: greatly reduces an organization’s attack surface.
• Enable alerts for suspicious activity: makes it possible to get notified of malicious activity as it happens and drastically reduce mitigation time.
• Incorporate Microsoft Secure Score: provides organizations with advice on enhancing their Office 365 security posture.
• Integrate Logs with your existing SIEM tool: helps detect anomalous activity faster and correlate it with any potential Office 365 anomalous activity.
Microsoft's Office 365 security recommendations
A security roadmap with an extensive list of measures to be taken to protect Microsoft 365 environments is also available from Microsoft, with tasks to be accomplished during the first 30 days, within 90 days, and beyond.
Microsoft's security roadmap is based on a Microsoft Ignite video session.
Microsoft is also improving the security capabilities of Office 365 as shown by the addition of a new Office 365 Advanced Threat Protection (ATP) feature that would block email sender domains automatically if they fail DMARC authentication.
Microsoft is also currently adding new features designed to block malicious content in Office 365 regardless of the custom configs set up by admins or users unless manually overridden.
Office 365 ATP now also has a Campaign Views feature designed to help Security Operations (SecOps) teams analyze phishing attacks, as well as enhanced compromise detection and response to help detect breaches, remediate hacked accounts, and automatically detect and investigate suspicious users.
US universities targeted with malware used by state-backed actors
25.4.2020 Bleepingcomputer BigBrothers
Faculty and students at several U.S. colleges and universities were targeted in phishing attacks with a remote access Trojan (RAT) previously used by Chinese state-sponsored threat actors.
The malware used in this mid-sized campaign is the Hupigon RAT, a RAT well-known for being employed by Chinese APTs such as APT3 (also tracked as Gothic Panda, UPS, and TG-011 and active since at least 2010) during multiple campaigns.
Hupigon was first spotted by FireEye in 2010 while using a zero-day vulnerability affecting versions 6, 7, and 8 of Microsoft's Internet Explorer to infect victims.
Adult dating lures used to drop RATs
The operators behind these phishing attacks use adult dating lures asking the potential victims to choose one of two dating profiles to connect with as security researchers at Proofpoint discovered.
Once the recipient clicks one of the two embedded links, an executable used to install the Hupigon RAT is downloaded on their computers.
Once their devices are infected, attackers can use the malware to steal sensitive personal info including user credentials, screenshots, and audio recordings, to control the webcam, and to gain full control of infected computers.
Phishing email sample (Proofpoint)
The phishing campaign was the most active on April 14 and April 15, with roughly 80,000 messages rotating between two malicious payloads.
"This campaign delivered over 150,000 messages to over 60 different industries, with 45% focused on education, colleges, and universities," Proofpoint said.
"These attacks demonstrate the inverse relationship of commoditized RATs incorporated into criminal and state-sponsored campaigns over time.
"In this case, cybercriminals repurposed an attack tool leveraged by state-sponsored threat actors among others," the researchers added. "In this particular case, this is a general crimeware-based campaign."
Infection chain (Proofpoint)
"This campaign is also notable for the social savvy it shows the attackers possess in directing online dating lures with visually attractive pictures to university students and faculty," Proofpoint senior director of threat research Sherrod DeGrippo added.
More details regarding this phishing campaign and an extensive list of indicators of compromise (IOCs) can be found within Proofpoint's report.
Universities exposed to cyberattacks
US universities are attractive targets to cyber-criminals and state-sponsored actors, with cyberattacks targeting them leading to credentials and personally identifiable information (PII) getting stolen.
For instance, in June 2019, three US universities — Graceland University, Oregon State University, and Missouri Southern State University — disclosed data breaches exposing faculty and students' PII data following unauthorized access to some of their employees' email accounts.
The attackers behind these breaches potentially gained access to first and last names, dates of birth, home addresses, email addresses, telephone numbers, and social security numbers, in various combinations.
A threat actor associated with the Iranian government tracked as Cobalt Dickens and Silent Librarian targeted over 60 universities from the US, the UK, Australia, Hong Kong, Canada, and Switzerland in July 2019 and August 2019 according to a Secureworks report from September 2019.
400,000 US, South Korean card records put up for sale online
25.4.2020 Bleepingcomputer BigBrothers
Details on roughly 400,000 payment cards related to US and South Korean financial organizations and banks are currently up for sale on Joker's Stash, the largest carding shop on the Internet.
The seller of this huge card dump put a $1,985,835 price tag on the full set, for a median price of $5 per record, and says that the buyers should expect a validity rate of around 30-40%.
While the database containing 397,365 card records is advertised as a mix of cards from the US and various EU countries, it is actually made up of 198,233 South Korean card records (about 49.9% of the total number of items), with another 49.3% from US banks and financial orgs.
"It should be noted that it is the biggest sale of South Korean records on the dark web in 2020, which contributes to the growing popularity of APAC-issued card dumps in the underground," according to security researchers at Group-IB who spotted the payment card database put up for sale on April 9.
Card details not harvested in Magecart attacks
"The database of the credit and debit card details mainly contains Track 2 information — the data stored on the magnetic stripe of a card, which includes the bank identification number (BIN), the account number, expiration date and may also include the card verification value (CVV)," the researchers explained.
Track 2 data stored on payment card magnetic stripes usually gets harvested from infected POS terminals, skimmed at ATMs, or harvested as part of breaches of merchants' payment systems.
However, as Group-IB security researchers said in their report, the source of the stolen payment card data is still unknown.
The only known fact at the moment about this database is that the records were not stolen from e-commerce sites in Magecart attacks where Track 2 data is never involved.
Joker's Stash ad (Group-IB)
"Even though there is not enough information in this dump to make online purchases, fraudsters who buy this data can still cash out stolen records," Group-IB Senior Threat Intelligence analyst Shawn Tay said.
"If a breach is not detected promptly by the card-issuing authority, crooks usually produce cloned cards ('white plastic') and swiftly withdraw money via ATMs or use cloned cards for illicit in-person purchases.
"Constant underground monitoring for compromised personal and payment records of their customers gives banks and financial organizations the ability to mitigate risks and further damage by quickly blocking stolen cards and track down the source of the breach."
Group-IB has informed US and South Korean financial sharing orgs and the countries' national CERTs of this incident to mitigate the risks of this leak, and the company is working to reach out to all affected parties.
Group-IB #ThreatIntelligence team has discovered nearly 400,000 payment card records related to S.Korean and US banks valued about $2 mln on Joker's Stash #cardshop. Read more: https://t.co/9OgkAOtpqc
— Group-IB (@GroupIB_GIB) April 24, 2020
Over 1 million South Korean cards for sale in 2019
Details for more than 1 million South Korean payment cards were also put up for sale online last year according to a report from security researchers at Gemini Advisory.
At the time, the median price per record was about $40 USD, "significantly higher than the median price of South Korean CP records across the dark web overall, which is approximately $24 USD."
"Gemini Advisory observed 42,000 compromised South Korean-issued CP records posted for sale in the dark web in May 2019, which is generally in line with monthly additions from the past two years," the researchers said.
"However, June 2019 had 230,000 records, a 448% spike. July was even more drastic with 890,000 records, a 2,019% increase from May’s benchmark amount."
NSA: Hackers exploit these vulnerabilities to deploy backdoors
25.4.2020 Bleepingcomputer BigBrothers
The U.S. National Security Agency (NSA) and the Australian Signals Directorate (ASD) have issued a joint report warning of threat actors increasingly exploiting vulnerable web servers to deploy web shells.
Web shells are malicious tools that hackers can deploy on a compromised internal or internet-exposed server to gain and maintain access, as well as remotely execute arbitrary commands, deliver additional malware payloads, and pivot to other devices within the network.
They can be uploaded onto vulnerable servers in a wide variety of forms, from programs specifically designed to provide web shell features and Perl, Ruby, Python, and Unix shell scripts to app plugins and PHP and ASP code snippets injected within a web app's pages.
"Malicious cyber actors have increasingly leveraged web shells to gain or maintain access on victim networks," the NSA said.
"This guidance will be useful for any network defenders responsible for maintaining web servers," the ASD added.
Malicious cyber actors are actively using web shells in their intrusion campaigns.
Protect your networks—apply the mitigations listed in the @NSAGov and @ASDGovAu #Cybersecurity Information Sheet found here: https://t.co/5BGbm1Ewy0 pic.twitter.com/6BUf9UV2t1
— NSA/CSS (@NSAGov) April 22, 2020
Web shell detection, prevention, and mitigation
The 17-page long security advisory published by the two intelligence government agencies contains a wide range of information for security teams who want to detect hidden web shells, to manage the response and recovery processes after detecting web shells, and to block malicious actors from deploying such tools on unpatched servers.
The NSA has a dedicated GitHub repository containing tools that companies can use to detect and block web shell threats, and to prevent web shell deployment including:
• Scripts for "Known-Good" file comparison
• Scripts, Splunk queries, YARA rules, network and Snort signatures to detect web shells
• Instructions on how to use Endpoint Detection and Response solutions (Microsoft Sysmon, Auditd) to detect web shells on Windows and Linux
• HIPS rules to allow McAfee's Host Based Security System to block file system changes
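As an added illustration of the first item in that list, known-good file comparison, here is a small Python script of my own (not one of the NSA repository's scripts). It baselines a web root into a manifest of SHA-256 hashes and, on later runs, reports files that are new, modified or missing, which is where an uploaded web shell or a tampered application file shows up. The directory layout, file names and contents used in demo() are constructed for the example.

```python
"""Known-good file comparison for a web root.

Added example, not the NSA repository's script.  A manifest of SHA-256 hashes is
taken while the deployment is known to be clean; later runs hash the same tree
and report anything new, modified or missing.  Files that appear outside a
deployment are the first thing to inspect when hunting for uploaded web shells.
"""
import hashlib
import json
import sys
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifests(baseline, current):
    """Diff two manifests; each list is sorted so reports are stable across runs."""
    common = baseline.keys() & current.keys()
    return {
        "new": sorted(current.keys() - baseline.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "missing": sorted(baseline.keys() - current.keys()),
    }


def demo():
    """Constructed web root: baseline it, simulate drift, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        (root / "includes").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "includes" / "db.php").write_text("<?php $dsn = 'mysql:host=db'; ?>\n")
        baseline = build_manifest(root)

        # Drift after the baseline (all constructed): one file edited in place,
        # one unexpected .php file dropped into an upload directory, one removed.
        (root / "includes" / "db.php").write_text("<?php $dsn = 'mysql:host=db2'; ?>\n")
        (root / "uploads").mkdir()
        (root / "uploads" / "avatar.php").write_text("<?php /* placeholder, not a shell */ ?>\n")
        (root / "index.php").unlink()
        return compare_manifests(baseline, build_manifest(root))


def main(argv):
    """Usage: baseline <root> <manifest.json>  |  check <root> <manifest.json>"""
    if len(argv) != 4 or argv[1] not in ("baseline", "check"):
        print(main.__doc__)
        return 2
    mode, root, manifest_path = argv[1:]
    if mode == "baseline":
        Path(manifest_path).write_text(json.dumps(build_manifest(root), indent=2))
        return 0
    baseline = json.loads(Path(manifest_path).read_text())
    report = compare_manifests(baseline, build_manifest(root))
    print(json.dumps(report, indent=2))
    return 1 if any(report.values()) else 0  # non-zero exit when anything changed


if __name__ == "__main__":
    if len(sys.argv) == 1:
        print(json.dumps(demo(), indent=2))  # no arguments: run the constructed demo
    else:
        sys.exit(main(sys.argv))
```

Two points matter in practice. Keep the manifest off the web server (or at least outside anything the web server's account can write), because an intruder who already has a shell on the host can otherwise re-baseline it; and treat "new" entries under upload directories, or anything the server will execute, as the highest-priority hits. The check only sees the filesystem, so web shells injected into database-stored templates or kept only in memory need the other detection layers the advisory lists.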
"Cyber actors deploy web shells by exploiting web application vulnerabilities or uploading to otherwise compromised systems," the two agencies said.
"Web shells can serve as persistent backdoors or as relay nodes to route attacker commands to other systems.
"Attackers frequently chain together web shells on multiple compromised systems to route traffic across networks, such as from internet-facing systems to internal networks."
Vulnerabilities used to install web shells
Organizations are urged to patch their internet-facing and internal web apps immediately to mitigate risks from 'n-day' vulnerabilities that attackers could take advantage of to compromise servers.
The NSA and the ASD list multiple security vulnerabilities commonly exploited by hackers to install web shell malware including Microsoft SharePoint, Citrix appliances, Atlassian software, Adobe ColdFusion, Zoho ManageEngine, the WordPress Social Warfare plugin, and the Progress Telerik UI app building toolkit.
Vulnerability Identifier                         Affected Application                                                                        Reported
CVE-2019-0604                                    Microsoft SharePoint                                                                        15 May 2019
CVE-2019-19781                                   Citrix Gateway, Citrix Application Delivery Controller, and Citrix SD-WAN WANOP appliances  22 Jan 2020
CVE-2019-3396                                    Atlassian Confluence Server                                                                 20 May 2019
CVE-2019-3398                                    Atlassian Confluence Server and Atlassian Confluence Data Center                            26 Nov 2019
CVE-2019-9978                                    WordPress “Social Warfare” Plugin                                                           22 Apr 2019
CVE-2019-18935, CVE-2017-11317, CVE-2017-11357   Progress Telerik UI                                                                         7 Feb 2019
CVE-2019-11580                                   Atlassian Crowd and Crowd Data Center                                                       15 July 2019
CVE-2020-10189                                   Zoho ManageEngine Desktop Central                                                           6 Mar 2020
CVE-2019-8394                                    Zoho ManageEngine ServiceDesk Plus                                                          18 Feb 2019
CVE-2020-0688                                    Microsoft Exchange Server                                                                   10 Mar 2020
CVE-2018-15961                                   Adobe ColdFusion                                                                            8 Nov 2018
Roughly 77,000 web shells tracked daily
To highlight just how popular web shells are these days among threat actors, a Microsoft report from February says that its Microsoft Defender Advanced Threat Protection (ATP) team "detects an average of 77,000 web shell and related artifacts on an average of 46,000 distinct machines."
"Interestingly, we observed that attacks usually occur on weekends or during off-hours, when attacks are likely not immediately spotted and responded to," Microsoft said.
Image: Microsoft
FBI Warns of Attacks on Remote Work, Distance Learning Platforms
4.4.2020 Bleepingcomputer BigBrothers
FBI's Internet Crime Complaint Center (IC3) issued a public service announcement today about the risk of attacks exploiting the increased usage of online communication platforms for remote working and distance learning caused by the SARS-CoV-2 pandemic.
The FBI says that it's expecting an acceleration of exploitation attempts of virtual communication environments used by government agencies, private organizations, and individuals as a direct result of the COVID-19 outbreak.
"Computer systems and virtual environments provide essential communication services for telework and education, in addition to conducting regular business," IC3's PSA said.
"Cyber actors exploit vulnerabilities in these systems to steal sensitive information, target individuals and businesses performing financial transactions, and engage in extortion."
Private and government entities under siege
FBI's warning mentions over 1,200 complaints related to coronavirus scams having been received and reviewed since March 30, 2020, with threat actors engaging in phishing campaigns targeting first responders, launching Distributed Denial of Service (DDoS) attacks against government agencies, deploying ransomware on health care facilities, and creating fake COVID-19 landing pages used in attacks that infect victims' devices with malware.
In early-February, the FBI issued a Private Industry Notification (PIN) informing of a potential DDoS attack that targeted a state-level voter registration and information site.
During late-March, a PSA published on the IC3 platform warned of a series of phishing attacks delivering spam that used fake government economic stimulus checks as a lure to steal personal information from victims.
"Based on recent trends, the FBI assesses these same groups will target businesses and individuals working from home via telework software vulnerabilities, education technology platforms, and new Business Email Compromise schemes," the federal law enforcement agency said.
Attacks on remote work communication services
The US domestic intelligence and security service advises employees who work remotely throughout this period to carefully select the telework software they use to access company resources and collaborate with colleagues online, and to make sure they understand the risks, given malicious actors' ongoing attempts to exploit telework software vulnerabilities.
"While telework software provides individuals, businesses, and academic institutions with a mechanism to work remotely, users should consider the risks associated with them and apply cyber best practices to protect critical information, safeguard user privacy, and prevent eavesdropping," the FBI explained.
Threat actors can use any of the tactics outlined below to successfully compromise remote working services and platforms:
• Software from Untrusted Sources: booby-trapped telework software platforms designed to look like legitimate ones
• Communication Tools: video-teleconferencing hijacking, conference eavesdropping
• Remote Desktop Access: desktop sharing abuse
• Supply Chain: rented IT equipment with pre-installed malicious tools
Online classrooms under assault
Malicious actors have been exploiting vulnerabilities in schools' information technology (IT) systems and online learning platforms for years, hacking their way in and stealing students' personal information, medical records, and school reports to run blackmail campaigns.
"The actors sent text messages to parents and local law enforcement, publicized students' private information, posted student personally identifiable information on social media, and stated how the release of such information could help child predators identify new targets," the PSA reads.
"Additionally, parents and caretakers should be aware of new technology issued to children who do not already have a foundation for online safety.
"Children may not recognize the dangers of visiting unknown websites or communicating with strangers online."
Just three days ago, the FBI's Boston Division warned of ongoing Zoom-bombing attacks in which hijackers join and disrupt Zoom video conferences used for online lessons.
To defend yourself and your organization against attackers who would exploit weaknesses in education and telework communication services, or security vulnerabilities in other software, the FBI recommends not to:
• Share links to remote meetings, conference calls, or virtual classrooms on open websites or open social media profiles.
• Open attachments or click links within emails from senders you do not recognize.
• Enable remote desktop access functions like Remote Desktop Protocol (RDP) or Virtual Network Computing (VNC) unless absolutely needed.
• Provide exact information on children when creating user profiles (e.g., use initials instead of full names, avoid using exact dates of birth, avoid including photos, etc.)
• Provide usernames, passwords, birth dates, social security numbers, financial data, or other personal information in response to an email or phone call.
• Use public or non-secure Wi-Fi access points to access sensitive information.
• Use the same password for multiple accounts.
BEC scammers also on the loose
On top of the increased risk of attacks targeting remote working and learning platforms, the FBI also says that Business Email Compromise (BEC) fraudsters have started targeting businesses to ask them for early payments because of the pandemic.
During mid-March, a BEC scammer group tracked by Agari researchers as Ancient Tortoise launched the first known coronavirus-themed BEC attack specifically designed to exploit the global COVID-19 event.
"Due to the news of the Corona-virus disease (COVID-19) we are changing banks and sending payments directly to our factory for payments, so please let me know total payment ready to be made so I can forward you our updated payment information," the crooks said in their scam emails.
IC3's 2019 Internet Crime Report, released in February, says that BEC was the cybercrime type with the highest reported total victim losses in 2019, accounting for roughly $1.8 billion in losses from attacks that targeted wire transfer payments of both individuals and businesses.
The FBI also warned private industry partners during early March of threat actors actively abusing Microsoft Office 365 and Google G Suite in BEC attacks.
To protect against such scams, the FBI recommends paying attention and not acting on a payment request if any of the following signs are identified:
• The use of urgency and last-minute changes in wire instructions or recipient account information;
• Last-minute changes in established communication platforms or email account addresses;
• Communications only in email and refusal to communicate via telephone;
• Requests for advanced payment of services when not previously required; and
• Requests from employees to change direct deposit information.
The FBI recommends visiting the Internet Crime Complaint Center website at www.ic3.gov if you have any evidence that your child's data may have been compromised, if you were the victim of an internet scam or cybercrime, or if you want to report any suspicious activity you may have encountered online.
More tips on what to do to protect yourself against the incoming wave of attacks targeting online collaboration and communication services are provided by the FBI in the public service announcement published today.
FBI Warns of Ongoing Zoom-Bombing Attacks on Video Meetings
4.4.2020 Bleepingcomputer BigBrothers
The US Federal Bureau of Investigation (FBI) warned today of hijackers who join Zoom video conferences used for online lessons and business meetings with the end goal of disrupting them or pulling pranks that could later be shared on social media platforms.
"The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language," the warning published by FBI's Boston Division says.
Zoom-bombing incidents
According to FBI Boston's Kristen Setera, two Massachusetts schools within the division's area of responsibility (Maine, Massachusetts, New Hampshire, and Rhode Island) reported such incidents.
During late March 2020, a Massachusetts-based high school reported to the FBI that an unidentified individual(s) joined an online classroom taking place over the Zoom teleconferencing platform, yelling profanities and shouting the teacher’s home address.
In another incident reported by a Massachusetts-based school, an unidentified individual dialed into another Zoom classroom meeting displaying swastika tattoos on his webcam.
"As large numbers of people turn to video-teleconferencing (VTC) platforms to stay connected in the wake of the COVID-19 crisis, reports of VTC hijacking (also called 'Zoom-bombing') are emerging nationwide," the FBI alert added.
Defend against video conference hijacking
Those who use Zoom's online video conference platform to host business meetings or online lectures are advised by the FBI to take a number of measures to prevent future hijacking attempts:
• Do not make meetings or classrooms public: In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
• Do not share Zoom conference links on public social media: Provide the link directly to specific people.
• Manage screen-sharing options: In Zoom, change screen sharing to 'Host Only.'
• Ensure users keep their Zoom clients up to date: In January 2020, Zoom updated their software. In their security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
• Lastly, ensure that your organization’s telework policy or guide addresses requirements for physical and information security.
The FBI advises Zoom-bombing victims to report such incidents via the FBI’s Internet Crime Complaint Center, and any direct threats received during a video conference hijacking incident at https://tips.fbi.gov/.
In January, a vulnerability was patched in Zoom's video conference software that could have made it possible for attackers to find and join unprotected Zoom meetings.
Last year, Zoom fixed another security vulnerability (1, 2) that enabled hackers to remotely execute code via a maliciously crafted launch URL on Macs where the app was uninstalled.
A different security issue (1, 2, 3) was patched last year to block remote attackers from forcing Windows, Linux, and macOS users to join video meetings with their cameras forcibly activated.
Zoom also used as bait for phishing and malware
Attackers are also attempting to capitalize on Zoom's increasing user base since the COVID-19 outbreak started by registering hundreds of new Zoom-themed domains that they later use for malicious purposes.
"Since the beginning of the year, more than 1700 new domains were registered and 25% of them were registered in the past week," as Check Point Research discovered. "Out of these registered domains, 4% have been found to contain suspicious characteristics."
The researchers also spotted malicious files using a zoom-us-zoom_##########.exe naming scheme which launch InstallCore installers that will try to install potentially unwanted apps or malicious payloads depending on the attackers' end goal.
"When using a known brand name in a website, the intention of the malicious actors is usually to hide among other legitimate websites and lure users by impersonating the original website or a relating service and getting the user's credentials, personal information or payment details," Check Point told BleepingComputer.
"Malware infections would usually occur via phishing emails with malicious links or files. The actual malware used can change based on the attackers' capabilities and goals."
FBI: Hackers Sending Malicious USB Drives & Teddy Bears via USPS
29.3.2020 Bleepingcomputer BigBrothers Virus
Hackers from the FIN7 cybercriminal group have been targeting various businesses with malicious USB devices acting as a keyboard when plugged into a computer. Injected commands download and execute a JavaScript backdoor associated with this actor.
In a FLASH alert on Thursday, the FBI warns organizations and security professionals about this tactic adopted by FIN7 to deliver GRIFFON malware.
The attack is a variation of the “lost USB” ruse that penetration testers have used for years in their assessments quite successfully; one incident was analyzed by researchers at Trustwave.
One client of the cybersecurity company received a package, allegedly from Best Buy, with a loyalty reward in the form of a $50 gift card. In the envelope was a USB drive claiming to contain a list of products eligible for purchase using the gift card.
This is not a one-off incident, though.
The FBI warns that FIN7 has mailed these packages to numerous businesses (retail, restaurant, hotel industry) where they target employees in human resources, IT, or executive management departments.
"Recently, the cybercriminal group FIN7, known for targeting such businesses through phishing emails, deployed an additional tactic of mailing USB devices via the United States Postal Service (USPS). The mailed packages sometimes include items like teddy bears or gift cards to employees of target companies working in the Human Resources (HR), Information Technology (IT), or Executive Management (EM) roles," the FBI alert states.
The FBI says that the malicious drive is configured to emulate keystrokes that launch a PowerShell command to retrieve malware from a server controlled by the attacker. The USB device then contacts domains or IP addresses in Russia.
The days when USB flash drives were just for storage are long gone. Several development boards (Teensy, Arduino) can now be programmed to emulate a human interface device (HID) such as a keyboard or mouse and send a pre-configured set of keystrokes that drops malicious payloads. These so-called HID or USB drive-by attacks are easy to pull off and don't cost much.
Trustwave analyzed this malicious USB activity and noticed two PowerShell commands that lead to showing a fake error for the thumb drive and ultimately to running third-stage JavaScript that can collect system information and download other malware.
To better summarize the attack flow, the researchers created the image below, which clarifies the stages of the compromise that lead to deploying malware of the attacker’s choice.
The alert from the FBI informs that after the reconnaissance phase the threat actor starts to move laterally seeking administrative privileges.
FIN7 uses multiple tools to achieve its goal; the list includes Metasploit, Cobalt Strike, PowerShell scripts, Carbanak malware, the Griffon backdoor, the Boostwrite malware dropper, and the RdfSniffer module with remote access capabilities.
BadUSB attacks, demonstrated by security researcher Karsten Nohl in 2014, are now common in penetration testing and multiple alternatives exist these days. The more versatile ones sell for $100.
FIN7 went with a simple and cheap version, though, that costs between $5-$14, depending on the supplier and the shipping country. The FBI notes in its alert that the microcontroller is an ATMEGA24U, while the one seen by Trustwave had ATMEGA32U4.
However, both variants had “HW-374” printed on the circuit board and are identified as an Arduino Leonardo, which is specifically programmed to act as a keyboard/mouse out of the box. Customizing the keystrokes and mouse movements is possible using the Arduino IDE.
Connecting unknown USB devices to a workstation is a well-known security risk but it is still disregarded by many users.
Organizations can take precautions against attacks via malicious USB drives by allowing only vetted devices based on their hardware ID and denying all others.
Furthermore, updating PowerShell and enabling logging (the larger the log size, the better) can help determine the attack vector and the steps leading to compromise.
Russian-Speaking Hackers Attack Pharma, Manufacturing Companies in Europe
29.3.2020 Bleepingcomputer BigBrothers
Malware belonging to Russian-speaking threat actors was used in attacks in late January against at least two European companies in the pharmaceutical and manufacturing industries.
Based on the tools employed in the attacks, the suspects are likely the Silence and TA505 financially-motivated groups.
While TA505’s history of attacks includes targets in the medical sector, if security researchers are right, these incidents would mark for Silence a departure from its regular targets, which are banks and financial institutions.
Clean IPs for command and control
The first malware samples used in these attacks emerged on VirusTotal scanning platform on February 2, identified as Silence.ProxyBot and updated versions of Silence.MainModule.
Both samples are associated with Silence, a group that started in 2016 targeting banks in the former Soviet Union territory, later expanding their attack region globally. The activity of this threat actor has been described in two reports (1, 2) from Group-IB, a Singapore-based cyber security company.
Looking at the malware samples, researchers at Group-IB identified at least two victims in Belgium and Germany, both receiving the necessary information to stop the attackers’ progress.
The analysis revealed two IP addresses used for command and control activity. One is from the Czech Republic (195.123.246[.]126 - active since late January) and the other from Denmark (37.120.145[.]253); neither has a history of malicious trails, being marked as clean by multiple security services.
Checking the cybercriminal infrastructure showed that the attacker leveraged two vulnerabilities (CVE-2019-1405 and CVE-2019-1322) in Windows 10 and lower that allowed local privilege escalation. The exploit was embedded in an executable named ‘comahawk.exe.’
TA505 contribution in the attacks became visible after the researchers found a TinyMet Meterpreter stager, associated with this adversary in the past and compressed with the group’s custom packer.
The link between Silence and TA505 is not new. Group-IB in 2019 reported that the two actors likely used tools (Silence.Downloader and FlawedAmmyy.Downloader) developed by the same individual.
Furthermore, the company’s incident response team discovered in late 2019 that Silence compromised at least one bank in Europe with the help of TA505, who provided access to the target network.
Ransomware attack suspected
Moving from banks and financial institutions to pharma and manufacturing companies is an odd move for the Silence gang, who specialized in breaching banks and financial organizations.
How the attackers managed to compromise the latest targets and the damage caused remains unknown at this point, as the researchers found tools used for lateral movement.
Rustam Mirkasymov, the head of the Dynamic Malware Analysis team at Group-IB, says that the purpose of the attack might have been either a ransomware infection or a complex supply-chain attack.
If ransomware was the end game, TA505 is known to have deployed at least three strains in the past - Locky, Rapid, and Clop. However, the final payload in these recent cases could not be identified because the intrusion was stopped at an intermediary stage, Mirkasymov told BleepingComputer.
The expert assesses with moderate confidence that Silence is behind these activities, although he does not exclude the possibility that the group’s tools were sold to another threat actor or borrowed by TA505.
“Slight modifications of Silence.ProxyBot and Silence.MainModule can be explained by the gang’s attempts to avoid detection as a result of being in the spotlight of security researchers for some time now” - Rustam Mirkasymov
Google Warned Users of 40,000 State-Sponsored Attacks in 2019
29.3.2020 Bleepingcomputer BigBrothers
Google says that it delivered almost 40,000 alerts of state-sponsored phishing or malware hacking attempts to its users during 2019, with a 25% drop when compared to the previous year.
One of the reasons behind this notable drop in the number of government-backed hacking incidents is the increasingly effective protections Google sets up to protect its users.
Due to the more effective protections, hackers are forced to slow down their attacks and try to adapt their campaigns which leads to less frequent hacking attempts.
Journalist and news outlet impersonation were among the most frequently identified phishing methods used by state-backed hackers during 2019 according to Toni Gidwani, a Security Engineering Manager with Google’s Threat Analysis Group (TAG).
Government-backed phishing targets (Google)
"For example, attackers impersonate a journalist to seed false stories with other reporters to spread disinformation," he said.
"In other cases, attackers will send several benign emails to build a rapport with a journalist or foreign policy expert before sending a malicious attachment in a follow-up email."
All Advanced Protection Program users protected from phishing
"We’ve yet to see people successfully phished if they participate in Google’s Advanced Protection Program (APP), even if they are repeatedly targeted," Gidwani explained.
"APP provides the strongest protections available against phishing and account hijacking and is specifically designed for the highest-risk accounts."
Google's APP is a program designed to allow high-risk or regular users to defend their accounts from state-sponsored spear-phishing attempts using a more secure login procedure that requires them to use smartphones or security keys to verify their identity.
APP works by limiting the third-party apps and sites that can get access to a user's data and by blocking malicious actors from impersonating the account's owner to take over the account, with the help of additional identity checks.
Google recommends enrolling in APP to anyone at risk of targeted online attacks including but not limited to business leaders, journalists, activists, and IT administrators.
Users can learn more about how to sign up for Google's Advanced Protection Program here.
"With attacks on the rise, and many major events on the horizon this year like the U.S. elections in November, the Advanced Protection Program offers a simple way to incorporate the strongest account protection that Google offers," Google Advanced Protection Program PM Shuvo Chatterjee said in January.
Attacks leveraging zero-days
Zero-day vulnerabilities were also among the favorite weapons identified by Google's TAG during 2019 while being used in targeted campaigns, with multiple 0-days being delivered via spearphishing emails, via watering hole attacks, and links to malicious attacker-controlled sites.
In one instance, TAG researchers were able to spot five different zero-days used by a single threat actor within a really short time frame, something that rarely happens.
"TAG actively hunts for these types of attacks because they are particularly dangerous and have a high rate of success, although they account for a small number of the overall total," Gidwani added.
Sectors targeted by SANDWORM (Google)
Additionally, "government-backed attackers continue to consistently target geopolitical rivals, government officials, journalists, dissidents and activists."
For instance, Google tracked the SANDWORM Russian-backed threat group's targeting efforts (by industry sector) during the last three years and plotted their attacks in the table embedded above.
Chinese Hackers Use Cisco, Citrix, Zoho Exploits In Targeted Attacks
29.3.2020 Bleepingcomputer BigBrothers
The Chinese state-sponsored group APT41 has been at the helm of a range of attacks that used recent exploits to target security flaws in Citrix, Cisco, and Zoho appliances and devices of entities from a multitude of industry sectors spanning the globe.
It is not known if the campaign that started in January 2020 was designed to take advantage of companies having to focus on setting up everything needed by their remote workers while in COVID-19 lockdown or quarantine but, as FireEye researchers found, the attacks are definitely of a targeted nature.
Broadest Chinese APT campaign in years
As FireEye notes, APT41's recent campaign is one of the most extensive ones Chinese cyber-espionage actors ran in recent years.
"Between January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers." the report says.
APT41 is a highly prolific Chinese-backed hacking group active since at least 2012 and known for espionage, cybercrime, and surveillance operations against a large array of industries, as well as individuals.
This group will usually rely on spear-phishing emails to infiltrate a target's network and then use second-stage malware payloads to compromise the entire environment with the help of dozens of malicious tools while maintaining persistence.
Citrix devices under attack
In their latest campaign, the APT41 hackers were observed while attacking targets from banking and finance, government, high tech, oil & gas to telecom, healthcare, media, and manufacturing.
During this series of seemingly targeted attacks, they focused their attention on entities from a multitude of countries including but not limited to the US, the UK, France, Italy, Japan, Saudi Arabia, and Switzerland.
"It’s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organizations to target, but the victims appear to be more targeted in nature," FireEye's researchers added.
Timeline of APT41 attacks (FireEye)
While exploiting the CVE-2019-19781 vulnerability impacting Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) servers, APT41 only tried to exploit Citrix devices which hints that the group was using a list of previously identified servers collected during past Internet scans.
During this series of attacks, the APT41 actors were seen fluctuating between periods of high exploitation activity and intermissions.
As FireEye discovered, the hiatus intervals coincide either with Chinese holidays or with quarantine measures taken by the Chinese government in response to the COVID-19 pandemic.
"While it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry," the researchers said.
Zoho and Cisco exploitation
On February 21, APT41 compromised a telecommunications organization's Cisco RV320 router but FireEye researchers were unable to determine what exploit was used during this attack after analyzing the incident.
"It is unknown what specific exploit was used, but there is a Metasploit module that combines two CVE’s (CVE-2019-1653 and CVE-2019-1652) to enable remote code execution on Cisco RV320 and RV325 small business routers and uses wget to download the specified payload," FireEye said.
APT41 then moved on to exploiting the CVE-2020-10189 Zoho ManageEngine zero-day no-auth remote code execution vulnerability that allows threat actors to execute arbitrary code as SYSTEM/root on unpatched systems.
Starting on March 8, one day after Zoho permanently fixed CVE-2020-10189, the Chinese group attacked over a dozen FireEye customers and managed to compromise the systems of at least five of them.
Christopher Glyer (@cglyer), 2:52 PM, Mar 25, 2020: "The CVE-2020-10189 exploitation activity is convoluted enough that you should probably just read the blog...but the TLDR is: exploit --> some combo of bitsadmin, powershell, Cobalt Strike backdoor, CertUtil, VMProtected Meterpreter downloader, BEACON shellcode"
The hackers then deployed a trial-version of the Cobalt Strike BEACON loader and dropped another backdoor used for downloading a VMProtected Meterpreter downloader.
This isn't the first time APT41 has used publicly available exploits to target internet-facing systems: FireEye previously observed the group abusing both CVE-2019-11510 in Pulse Secure VPN and CVE-2019-3396 in Atlassian Confluence as recently as October 2019.
"It is notable that we have only seen these exploitation attempts to leverage publicly available malware such as Cobalt Strike and Meterpreter," the report concludes.
"While these backdoors are full-featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance.
"This new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage."
More details on APT41's activities since the start of 2020 including indicators of compromise (IOCs) and a MITRE ATT&CK technique mapping are available at the end of FireEye's report.
Israel Govt's New 'Shield' App Tracks Your Coronavirus Exposure
28.3.2020 Bleepingcomputer BigBrothers
The Israeli Ministry of Health has released a new mobile app called "The Shield" that will alert users if they have been at a location in Israel at the same time as a known Coronavirus patient.
This app, available for both Android and iOS, works by collecting the GPS and SSID (WiFi network) information of a user's mobile device throughout the day. This data is saved only on the mobile device and is not transmitted to the Ministry of Health, other government agencies, or any organization.
When interviewing new Coronavirus patients, the Ministry of Health will ask for the locations that they visited throughout the day. If the patient volunteers, this information is then added to a JSON file that is downloaded by the app every hour so it has the latest information.
When using the app, it will compare your data to the data in the downloaded JSON file and if the app detects that you were exposed to a known Coronavirus patient, it will alert you with a message stating that a match was found.
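The matching step the article describes, an on-device comparison of the phone's GPS/SSID log against the hourly patient file, as an added example that is not the Ministry of Health's app code. The JSON layout, the 100 m radius, the time-window rule and the "same SSID counts as a match" rule are all assumptions; the patient file and the user log are constructed samples.

```python
"""Added example (not the Ministry of Health's app code): match an on-device location
log against the downloaded patient-location file entirely locally, as the article
describes. The JSON layout, the 100 m radius and the SSID rule are assumptions."""
import json
import math
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample of the hourly-downloaded patient file (layout is assumed).
# Each entry is one place a confirmed patient reported visiting, with a time window.
PATIENT_LOCATIONS_JSON = """
{
  "points": [
    {"id": "p1", "place": "constructed clinic", "lat": 32.0853, "lon": 34.7818,
     "ssid": "constructed-clinic-wifi",
     "from": "2020-03-26T10:00:00", "to": "2020-03-26T10:30:00"},
    {"id": "p2", "place": "constructed market", "lat": 31.7683, "lon": 35.2137,
     "ssid": null,
     "from": "2020-03-26T15:00:00", "to": "2020-03-26T15:45:00"}
  ]
}
"""

# Constructed on-device log of GPS fixes and the Wi-Fi SSID seen at the time.
# This stays on the phone; nothing here is uploaded anywhere.
USER_LOG: List[Dict] = [
    # ~15 m from p1, inside its window: matches by GPS
    {"ts": "2020-03-26T10:10:00", "lat": 32.0854, "lon": 34.7819, "ssid": None},
    # GPS ~520 m off (poor fix), but the same Wi-Fi network as p1: matches by SSID
    {"ts": "2020-03-26T10:20:00", "lat": 32.0900, "lon": 34.7818, "ssid": "constructed-clinic-wifi"},
    # Same spot as p2, but 45 minutes after the window closed: no match
    {"ts": "2020-03-26T16:30:00", "lat": 31.7683, "lon": 35.2137, "ssid": None},
]

RADIUS_M = 100.0  # assumed proximity threshold


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def find_exposures(user_log: List[Dict], patient_json: str,
                   radius_m: float = RADIUS_M) -> List[Dict]:
    """Return one record per (user fix, patient point) pair that overlaps in time
    and either lies within radius_m or saw the same Wi-Fi network."""
    patients = json.loads(patient_json)["points"]
    matches: List[Dict] = []
    for fix in user_log:
        t = datetime.fromisoformat(fix["ts"])
        for p in patients:
            start, end = datetime.fromisoformat(p["from"]), datetime.fromisoformat(p["to"])
            if not (start <= t <= end):
                continue  # time windows do not overlap, no matter how close
            dist = haversine_m(fix["lat"], fix["lon"], p["lat"], p["lon"])
            via: Optional[str] = None
            if dist <= radius_m:
                via = "gps"
            elif p["ssid"] and fix["ssid"] == p["ssid"]:
                via = "ssid"
            if via is None:
                continue
            matches.append({"patient": p["id"], "place": p["place"], "at": fix["ts"],
                            "via": via, "distance_m": round(dist)})
    return matches


if __name__ == "__main__":
    hits = find_exposures(USER_LOG, PATIENT_LOCATIONS_JSON)
    print("Location Match found" if hits else "No Exposure")
    for h in hits:
        print(h)
```

A false positive reported by a doctor, as the article describes, is handled by dropping the point from the next hourly file; the client needs no special logic for it.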
Location Match found
Matched users will then be prompted to report their exposure to the Ministry of Health using this link (English link).
If you have not been exposed to any known Coronavirus patients, the app will alert you of this as well.
No Exposure
Due to the nature of the data collection from patients, there may be false positives while using the app. Doctors, for example, who know that no Coronavirus patient was at a specific location can report these false positives so it can be corrected in the data file.
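The on-device matching described above, written out as an added example (not the Ministry of Health's code): the app keeps its own GPS/SSID trace locally, pulls the patients' location file, and compares the two without sending anything off the device. The JSON schema, the 100 m radius and the sample data are all assumptions made for this example; a false positive corrected in the data file simply no longer appears in the next download.

```python
import json
import math

# Constructed sample of the hourly exposure file. The schema is an assumption,
# not the Ministry of Health's real format: each entry is a place and time
# window where a confirmed patient reported being (SSID may be absent).
EXPOSURE_JSON = """
[
  {"lat": 32.0853, "lon": 34.7818, "start": 1585000000, "end": 1585003600, "ssid": "CafeWifi"},
  {"lat": 31.7683, "lon": 35.2137, "start": 1585010000, "end": 1585012000, "ssid": null}
]
"""

# Constructed device-side trace, as the app would store it locally.
DEVICE_TRACE = [
    {"lat": 32.0855, "lon": 34.7820, "ts": 1585001800, "ssid": "CafeWifi"},  # inside entry 0's window
    {"lat": 31.7700, "lon": 35.2200, "ts": 1585011000, "ssid": None},        # ~600 m from entry 1
    {"lat": 32.0853, "lon": 34.7818, "ts": 1585100000, "ssid": "CafeWifi"},  # right place, wrong time
]

EARTH_RADIUS_M = 6371000.0

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def find_exposures(trace, exposure_json, radius_m=100.0):
    """Compare the local trace with the downloaded file; nothing leaves the device.
    A sample matches an entry when its timestamp falls inside the entry's window
    and either the SSID is identical or the GPS fix is within radius_m."""
    entries = json.loads(exposure_json)
    matches = []
    for i, entry in enumerate(entries):
        for sample in trace:
            if not (entry["start"] <= sample["ts"] <= entry["end"]):
                continue
            same_ssid = entry.get("ssid") is not None and entry["ssid"] == sample.get("ssid")
            near = haversine_m(sample["lat"], sample["lon"], entry["lat"], entry["lon"]) <= radius_m
            if same_ssid or near:
                matches.append({"entry": i, "ts": sample["ts"], "via": "ssid" if same_ssid else "gps"})
    return matches

def alert_text(matches):
    """The two messages the article's screenshots show."""
    return "Location Match found" if matches else "No Exposure"
```

Widening `radius_m` trades missed contacts for more false positives, which is the tuning the article's note on doctors reporting bad entries is about.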
It is important to note that this app relies on known information about existing Coronavirus patients.
As many carriers have no symptoms, the best preventative measures against the Coronavirus are to self-isolate, practice social distancing, wash your hands frequently, and work from home if possible.
Collected data is only saved on the device
As this app requests a large number of sensitive permissions on Android and tracks your location throughout the day, people are rightfully concerned about its privacy ramifications.
To assure users that the collected data is only being stored locally, Israel's Ministry of Health has released the source code for the app on GitHub under the MIT license so that other countries can also utilize it.
To ease concerns, a security review of the app was also conducted by Israeli cybersecurity firm Profero.
In a telephone conversation with Profero CEO Omri Moyal, BleepingComputer was told that his company has reviewed the code for the app and has confirmed that no data is being transmitted from the device.
Moyal told BleepingComputer that all GPS and collected data are saved internally on the device and compared locally on the app to the JSON file being updated by the Ministry of Health.
If a user has been notified that they were in the same location as a known patient, the Ministry of Health is not automatically alerted and it is up to the user to volunteer that they have potentially been exposed and are now in self-quarantine.
This is further outlined in a post by Moyal and in the included infographic below that explains in Hebrew how the data is collected and used.
Infographic shared by Profero
Moyal emphasized that the goal is to get Israeli users to install the app and stay protected from being exposed to the Coronavirus. Due to this, careful attention has been made towards the privacy of users and only sharing information if the user specifically volunteers it.
In the future, Moyal told us that the app may ask users to voluntarily upload their GPS data if they have been exposed or are known to be infected with the virus. This could then be integrated into the app to add a greater degree of accuracy to its alerts.
It is not known if and when this feature will be added.