- BigBrothers -

Last update 09.10.2017 13:51:26

18.12.18  Czech cyber-security agency warns over Huawei, ZTE security threat  BigBrothers  Securityaffairs
18.12.18  Czech Warning Over Huawei, ZTE Security 'Threat'  BigBrothers  Securityweek
18.12.18  New Cyber Readiness Program Launched for SMBs  BigBrothers  Securityweek
18.12.18  Technical Data on U.S. Missile Defense System Lacks Adequate Protections, DoD Says  BigBrothers  Securityweek
18.12.18  U.S. Ballistic Missile Defense System Rife with Security Holes  BigBrothers  Net-security
17.12.18  'No Evidence' of Huawei Spying, Says German IT Watchdog  BigBrothers  Securityweek
17.12.18  Germany’s BSI chief says ‘No Evidence’ of Huawei spying  BigBrothers  Securityaffairs
16.12.18  U.S. Ballistic Missile Defense Systems Fail Cybersecurity Audit  BigBrothers  Bleepingcomputer
14.12.18  AP Exclusive: Iran Hackers Hunt Nuke Workers, US Officials  BigBrothers  Securityweek
14.12.18  Secure Critical Infrastructure Top of Mind for U.S.  BigBrothers  Net-security
13.12.18  French foreign ministry announced its Travel Alert Registry Hack  BigBrothers  Securityaffairs
13.12.18  Russia-Linked Phishing Attacks Hit Government Agencies on Four Continents  BigBrothers  Securityweek
13.12.18  U.S. Believes Chinese Intelligence Behind Marriott Hack  BigBrothers  Securityweek
13.12.18  Super Micro: No Malicious Hardware Found on Motherboards  BigBrothers  Securityweek
13.12.18  Guidelines for assessing ISPs’ security measures in the context of net neutrality  BigBrothers  Net-security
13.12.18  Hacking democracy efforts continue with upticks in malware deployments  BigBrothers  Net-security
12.12.18  Super Micro Says Its Gear Wasn’t Bugged By Chinese Spies  BigBrothers  Threatpost
11.12.18  Russian Critical Infrastructure Targeted by Profit-Driven Cybercriminals  BigBrothers  Securityweek
10.12.18  Australia Anti-Encryption Law Rushed to Passage  BigBrothers  Securityweek
8.12.18  Australia Anti-Encryption Law Triggers Sweeping Backlash  BigBrothers  Threatpost
7.12.18  Under Fire Huawei Agrees to UK Security Demands: Report  BigBrothers  Securityweek
7.12.18  EU Should Worry About Huawei, Other Chinese Firms: Official  BigBrothers  Securityweek
7.12.18  North Korea-linked Hackers Target Academic Institutions  BigBrothers  Securityweek
7.12.18  Australia Passes Anti-Encryption Bill—Here's Everything You Need To Know  BigBrothers  Thehackernews
7.12.18  Arrest of Tech Exec Signals Tougher US Stand on China Tech Firms  BigBrothers  Securityweek
7.12.18  Chinese Government Suspected in Marriott Hack: Report  BigBrothers  Securityweek
6.12.18  Ukraine’s SBU: Russia carried out a cyberattack on Judiciary Systems  BigBrothers  Securityaffairs
6.12.18  Australia Passes Cyber Snooping Laws With Global Implications  BigBrothers  Securityweek
6.12.18  UK Spy Agency Joins NSA in Sharing Zero-Day Disclosure Process  BigBrothers  Securityweek
6.12.18  Ukraine Accuses Russia of Cyberattack on Judiciary Systems  BigBrothers  Securityweek
6.12.18  White House Facial Recognition Pilot Raises Privacy Alarms  BigBrothers  Threatpost
5.12.18  House GOP Campaign Arm Targeted by 'Unknown Entity' in 2018  BigBrothers  Securityweek
5.12.18  Email accounts of top NRCC officials were hacked in 2018  BigBrothers  Securityaffairs
5.12.18  National Republican Congressional Committee Hacked - Emails Exposed  BigBrothers  Bleepingcomputer
4.12.18  Israeli Firm Rejects Alleged Connection to Khashoggi Killing  BigBrothers  Securityweek
4.12.18  U.S. Military Members Catfished and Hooked for Thousands of Dollars  BigBrothers  Threatpost
3.12.18  New Zealand Security Bureau halts Spark from using Huawei 5G equipment  BigBrothers  Securityaffairs
3.12.18  Russian Hackers Use BREXIT Lures in Recent Attacks  BigBrothers  Securityweek
3.12.18  Kaspersky's U.S. Government Ban Upheld by Appeals Court  BigBrothers  Securityweek
3.12.18  NATO Exercises Cyber Defences as Threat Grows  BigBrothers  Securityweek
2.12.18  UK's NCSC Explains How They Handle Discovered Vulnerabilities  BigBrothers  Bleepingcomputer
2.12.18  ETERNALSILENCE – 270K+ devices vulnerable to UPnProxy Botnet build using NSA hacking tools  BigBrothers  Securityaffairs
29.11.18  Google Accused of Manipulation to Track Users  BigBrothers  Securityweek
28.11.18  New Zealand Halts Huawei From 5G Upgrade Over Security Fears  BigBrothers  Securityweek
27.11.18  UK Parliament Seizes Confidential Facebook Documents  BigBrothers  Securityweek
27.11.18  Google Wants to Ensure Integrity of EU Parliamentary Elections  BigBrothers  Securityweek
27.11.18  Gov Committee Raises Concerns Over UK Critical Infrastructure Security  BigBrothers  Securityweek
27.11.18  UK Parliament seized confidential Facebook docs to investigate its data protection policies  BigBrothers  Securityaffairs
24.11.18  US Government is asking allies to ban Huawei equipment  BigBrothers  Securityaffairs
22.11.18  German eID Authentication Flaw Lets You Change Identity  BigBrothers  Bleepingcomputer
19.11.18  Suspected Russian Hackers Impersonate State Department Aide  BigBrothers  PBWCZ.CZ
19.11.18  Does Not Compute: Japan Cyber Security Minister Admits Shunning PCs  BigBrothers  PBWCZ.CZ
18.11.18  Europol, Diebold Nixdorf to Share Information on Cyber Threats  BigBrothers  PBWCZ.CZ
18.11.18  Japanese government’s cybersecurity strategy chief has never used a computer  BigBrothers  PBWCZ.CZ
16.11.18  OPM Security Improves, But Many Issues Still Unresolved: GAO  BigBrothers  PBWCZ.CZ
16.11.18  Congress passes bill that creates new Cybersecurity and Infrastructure Security Agency at DHS  BigBrothers  PBWCZ.CZ

16.11.18  Secret Charges Against Julian Assange Revealed Due to "Cut-Paste" Error  BigBrothers  Thehackernews
14.11.18  State vs. Federal Privacy Laws: The Battle for Consumer Data Protection  BigBrothers, Privacy  PBWCZ.CZ
14.11.18  51 States Pledge Support for Global Cybersecurity Rules  BigBrothers  PBWCZ.CZ
13.11.18  Google Services down due to BGP leak, traffic hijacked through Russia, China, and Nigeria  BigBrothers  PBWCZ.CZ
13.11.18  Cyberattacks Top Risk to Business in North America, EAP, Europe: WEF  BigBrothers  PBWCZ.CZ
12.11.18  France seeks Global Talks on Cyberspace security and a “code of good conduct”  BigBrothers  PBWCZ.CZ
9.11.18  Snowden speaks about the role of surveillance firm NSO Group in Khashoggi murder  BigBrothers  PBWCZ.CZ
9.11.18  Experts detailed how China Telecom used BGP hijacking to redirect traffic worldwide  BigBrothers  PBWCZ.CZ
8.11.18  China Telecom Constantly Misdirects Internet Traffic  BigBrothers  PBWCZ.CZ
8.11.18  U.S. Cyber Command CNMF Shares unclassified malware samples via VirusTotal  BigBrothers  PBWCZ.CZ
8.11.18  U.S. Air Force announced Hack the Air Force 3.0, the third Bug Bounty Program  BigBrothers  PBWCZ.CZ
7.11.18  UK Regulator Calls for Tougher Rules on Personal Data Use  BigBrothers  PBWCZ.CZ
6.11.18  U.S. Air Force Announces Third Bug Bounty Program  BigBrothers  PBWCZ.CZ
6.11.18  Iran Accuses Israel of Failed Cyber Attack  BigBrothers  PBWCZ.CZ
6.11.18  Google dorks were the root cause of a catastrophic compromise of CIA’s communications  BigBrothers  PBWCZ.CZ
6.11.18  New attack by Anonymous Italy: personal data from ministries and police have been released online  BigBrothers  PBWCZ.CZ
5.11.18  Kemp Cites Voter Database Hacking Attempt, Gives No Evidence  BigBrothers  PBWCZ.CZ
3.11.18  Joshua Adam Schulte, ex CIA employee, accused of continuing leaks from prison  BigBrothers  PBWCZ.CZ
3.11.18  Top Australia Defence company Austal notifies a serious security breach  BigBrothers  PBWCZ.CZ
3.11.18  Cyber attack exposes sensitive data about a nuclear power plant in France  BigBrothers  PBWCZ.CZ
2.11.18  Top Australia Defence Firm Reports Serious Cyber Breach  BigBrothers  PBWCZ.CZ
2.11.18  Qualys Acquires Container Security Firm Layered Insight  BigBrothers  PBWCZ.CZ
2.11.18  U.S. Intel Budget Soars Under Trump  BigBrothers  PBWCZ.CZ
2.11.18  US Accuses China, Taiwan Firms With Stealing Secrets From Chip Giant Micron  BigBrothers  PBWCZ.CZ
2.11.18  New Bill Proposes Prison for Execs Misusing Consumer Data  BigBrothers  PBWCZ.CZ
1.11.18  Iran hit by a more aggressive and sophisticated Stuxnet version  BigBrothers  PBWCZ.CZ
1.11.18  85 Million voter records available for sale ahead of the 18 US Midterm Elections  BigBrothers  PBWCZ.CZ
31.10.18  UK Regulator Issues Second GDPR Enforcement Notice on Canadian Firm  BigBrothers  PBWCZ.CZ
31.10.18  Ex-Air Force Airman in New Mexico Accused of Computer Fraud  BigBrothers  PBWCZ.CZ
31.10.18  Proposal for Cybersecurity Civilian Corps Gets Mixed Reception  BigBrothers  PBWCZ.CZ
30.10.18  Russian Held as Agent Studied US Groups' Cyberdefenses  BigBrothers  PBWCZ.CZ
30.10.18  US Election Integrity Depends on Security-Challenged Firms  BigBrothers  PBWCZ.CZ
29.10.18  The Belgacom hack was the work of the UK GCHQ intelligence agency  BigBrothers  PBWCZ.CZ
28.10.18  Analysis of North Korea's Internet Traffic Shows a Nation Run Like a Criminal Syndicate  BigBrothers, Cyber  PBWCZ.CZ
25.10.18  Pentagon Launches Continuous Bug Bounty Program  BigBrothers  PBWCZ.CZ
24.10.18  Super Micro to Customers: Chinese Spy Chips Story Is Wrong  BigBrothers  PBWCZ.CZ
24.10.18  Triton Malware Linked to Russian Government Research Institute  BigBrothers, Virus  PBWCZ.CZ
24.10.18  To Secure Medical Devices, the FDA Turns to Ethical Hackers  BigBrothers  PBWCZ.CZ
24.10.18  Russian Government-owned research institute linked to Triton attacks  BigBrothers  PBWCZ.CZ
23.10.18  NATO military command center should be fully operational in 2023  BigBrothers  PBWCZ.CZ
23.10.18  Israel Defense Forces were searching systems to spy on private social media messages  BigBrothers  PBWCZ.CZ
22.10.18  NSA-Linked 'DarkPulsar' Exploit Tool Detailed  BigBrothers  PBWCZ.CZ
22.10.18  DarkPulsar and other NSA hacking tools used in hacking operations in the wild  BigBrothers  PBWCZ.CZ
21.10.18  EU Leaders Vow Tough Action on Cyber Attacks  BigBrothers  PBWCZ.CZ
19.10.18  'GreyEnergy' Cyberspies Target Ukraine, Poland  BigBrothers  PBWCZ.CZ
19.10.18  Britain Leads Calls for EU Action Against Hackers  BigBrothers  PBWCZ.CZ
18.10.18  After 2016 Hack, Illinois Says Election System Secure  BigBrothers, Hacking  PBWCZ.CZ
18.10.18  Russia-Linked Hackers Target Diplomatic Entities in Central Asia  BigBrothers  PBWCZ.CZ
17.10.18  35 million US voter records available for sale in a hacking forum  BigBrothers  PBWCZ.CZ
14.10.18  Pentagon Reveals Cyber Breach of Travel Records  BigBrothers  PBWCZ.CZ
14.10.18  Pentagon Defense Department travel records data breach  BigBrothers  PBWCZ.CZ
14.10.18  Ex-NASA Contractor Pleads Guilty in Cyberstalking Scheme  BigBrothers  PBWCZ.CZ
14.10.18  U.S. Senators Demand Internal Memo Related to Google+ Incident  BigBrothers  PBWCZ.CZ
13.10.18  Five Eyes Intelligence agencies warn of popular hacking tools  BigBrothers  PBWCZ.CZ
12.10.18  'Five Eyes' Agencies Release Joint Report on Hacking Tools  BigBrothers  PBWCZ.CZ
10.10.18  New Pentagon Weapons Systems Easily Hacked: Report  BigBrothers  PBWCZ.CZ
8.10.18  UK, US Security Agencies Deny Investigating Chinese Spy Chips  BigBrothers  PBWCZ.CZ
8.10.18  Russia's Hackers Long Tied to Military, Secret Services  BigBrothers  PBWCZ.CZ
8.10.18  Man Pleads Guilty to Hacking Websites of New York City Comptroller and West Point  BigBrothers  PBWCZ.CZ
7.10.18  Russian State-Sponsored Operations Begin to Overlap: Kaspersky  BigBrothers  PBWCZ.CZ
7.10.18  DHS Warns of Threats to Precision Agriculture  BigBrothers  PBWCZ.CZ
7.10.18  China Tech Stocks Lenovo, ZTE Tumble After Chip Hack Report  BigBrothers  PBWCZ.CZ
7.10.18  Industry Reactions to Chinese Spy Chips: Feedback Friday  BigBrothers  PBWCZ.CZ
7.10.18  West Accuses Russian Spy Agency of Scores of Attacks  BigBrothers  PBWCZ.CZ
6.10.18  US DoJ indicted 7 Russian Intelligence officers for attacking Anti-Doping Organizations  BigBrothers  PBWCZ.CZ
6.10.18  DHS issued an alert on attacks aimed at Managed Service Providers  BigBrothers  PBWCZ.CZ
5.10.18  Canada blames Russia for cyber attacks against its structures  BigBrothers  PBWCZ.CZ
5.10.18  Canada Says it Was Targeted by Russian Cyber Attacks  BigBrothers  PBWCZ.CZ
5.10.18  DHS Warns of Threats to Precision Agriculture  BigBrothers  PBWCZ.CZ
5.10.18  China Used Tiny Chips on US Computers to Steal Secrets: Report  BigBrothers  PBWCZ.CZ
5.10.18  China planted tiny chips on US computers for cyber espionage  BigBrothers  PBWCZ.CZ
5.10.18  U.S. Charges 7 Russian Intel Officers as West Condemns GRU  BigBrothers  PBWCZ.CZ
5.10.18  UK, Australia Blame Russia for Bad Rabbit, Other Attacks  BigBrothers  PBWCZ.CZ
5.10.18  US to Let NATO Use its Cyber Defense Skills  BigBrothers  PBWCZ.CZ
4.10.18  US offers its cyber warfare defense capabilities to NATO  BigBrothers  PBWCZ.CZ
4.10.18  U.S. Links North Korean Government to ATM Hacks  BigBrothers  PBWCZ.CZ
4.10.18  California Law Sets Up Fresh Legal Clash Over 'Net Neutrality'  BigBrothers  PBWCZ.CZ
2.10.18  U.S. Energy Department Invests Another $28 Million in Cybersecurity  BigBrothers  PBWCZ.CZ
28.9.18  EU Lawmakers Push for Cybersecurity, Data Audit of Facebook  BigBrothers  PBWCZ.CZ
27.9.18  Former NSA TAO hacker sentenced to 66 months in prison over Kaspersky Leak  BigBrothers  PBWCZ.CZ
27.9.18  Senate Committee Approves Several Cybersecurity Bills  BigBrothers  PBWCZ.CZ
27.9.18  Senate Panel to Hear From Internet Execs on Privacy Policies  BigBrothers  PBWCZ.CZ
26.9.18  U.S. Unveils First Step Toward New Online Privacy Rules  BigBrothers  PBWCZ.CZ
26.9.18  Ex-NSA Hacker Sentenced to Jail Over Kaspersky Leak  BigBrothers  PBWCZ.CZ
25.9.18  U.S. General Service Administration Launches Bug Bounty Program  BigBrothers  PBWCZ.CZ
22.9.18  NSA-Linked 'DarkPulsar' Exploit Tool Detailed  BigBrothers  PBWCZ.CZ
22.9.18  Lawmaker: US Senate, Staff Targeted by State-Backed Hackers  BigBrothers  PBWCZ.CZ
22.9.18  FBI Warns of Cyber-Thieves Targeting Payroll Accounts  BigBrothers  PBWCZ.CZ
22.9.18  Department of Defense Releases New Cyber Strategy  BigBrothers  PBWCZ.CZ
21.9.18  US State Department confirms data breach to unclassified email system  BigBrothers  PBWCZ.CZ
20.9.18  Nation State Cyber Attacks on Rise, Says Europol  BigBrothers  PBWCZ.CZ
20.9.18  iOS 12 Brings Patches for 16 Security Vulnerabilities  BigBrothers  PBWCZ.CZ
17.9.18  Dutch expelled two Russian spies over hack plan on Swiss lab working on Skripal case  BigBrothers  PBWCZ.CZ
15.9.18  Trump OKs Sanctions for Foreigners Who Meddle in Elections  BigBrothers  PBWCZ.CZ
15.9.18  Russian Spies Arrested on Suspicion of Plans to Hack Swiss Laboratory  BigBrothers  PBWCZ.CZ
15.9.18  German Troops Face Russian 'Hybrid War' in Lithuania: Merkel  BigBrothers  PBWCZ.CZ
14.9.18  Greek Supreme Court Approves Russian Request for Bitcoin Suspect  BigBrothers  PBWCZ.CZ
14.9.18  N. Korea Calls Sony, Wannacry Hack Charges Smear Campaign  BigBrothers  PBWCZ.CZ
14.9.18  Senators Concerned About State Department's Cybersecurity Failures  BigBrothers  PBWCZ.CZ
10.9.18  Georgia Extradites Russian Data Theft Suspect to US  BigBrothers  PBWCZ.CZ
8.9.18  Opsec Mistakes Allowed U.S. to Link North Korean Man to Hacks  BigBrothers  PBWCZ.CZ
8.9.18  Russian citizen behind JPMorgan Chase and Dow Jones attacks has been extradited to US  BigBrothers  PBWCZ.CZ
8.9.18  Homeland Security Head: Colorado Tops US in Vote Security
8.9.18  Industry Reactions to U.S. Charging North Korean Hacker: Feedback Friday
6.9.18  Iranian Hackers Improve Recently Used Cyber Weapon
6.9.18  What's GRU? A Look at Russia's Shadowy Military Spies
5.9.18  'Five Eyes' Agencies Demand Reignites Encryption Debate
4.9.18  Will Russian Hackers Affect This Year's US Election?
30.8.18  Lithuanian Media Sign Pact With Govt to Counter Hackers
29.8.18  Telegram Says to Cooperate in Terror Probes, Except in Russia
28.8.18  Google Tells Toomey Hackers Tried to Infiltrate Staff Email
28.8.18  North Korea-linked Hackers Stole $13.5 Million From Cosmos Bank: Report
28.8.18  Sacrilegious Spies: Russians Tried Hacking Orthodox Clergy
25.8.18  Australia banned Huawei from 5G network due to security concerns
24.8.18  Google Blocks Accounts in 'Influence Operation' Linked to Iran
24.8.18  Australia Bans Huawei From 5G Network Over Security Concerns
23.8.18  Attempt to Break Into Democratic Party Voter Data Thwarted
23.8.18  Operation Red Signature – South Korean Firms victims of a supply chain attack
22.8.18  Iran-Linked Influence Campaign Targets US, Others
22.8.18  Microsoft Disrupts Election-Related Domains Used by Russian Hackers
22.8.18  Hacking Elections: Georgia's Midterm Electronic Voting in the Dock
22.8.18  FBI Probes Computer Hacks in California House Campaigns
22.8.18  Russian Hackers Went After Conservative US Groups: Microsoft
21.8.18  Microsoft's Anti-Hacking Efforts Make it an Internet Cop
21.8.18  Microsoft says Russian hackers continue targeting 18 midterm elections
21.8.18  North Korean Hackers Exploit Recently Patched Zero-Day
21.8.18  China Believes Its Cyber Capabilities Lag Behind US: Pentagon
20.8.18  China’s Belt and Road project (BRI) is a driver of regional cyber threat activity
17.8.18  China's 'Belt and Road Initiative' Drives Cyber Spying
17.8.18  U.S. and Chile Agree to Cooperate on Cyber Security
16.8.18  NIST Small Business Cybersecurity Act Becomes Law
16.8.18  Senate Passes MAIN STREET Cybersecurity Act for Small Business
15.8.18  FBI Eyes Plethora of River-Related Threats
15.8.18  UK Police Deploy Homemade Mobile Fingerprint Scanners
14.8.18  Google tracks users’ movements even if they have disabled the “Location History” on devices
13.8.18  Google Tracks Your Movements, Like It or Not
11.8.18  Quiet Skies, TSA surveillance program targets Ordinary U.S. Citizens
7.8.18  Pentagon Restricts Use of Fitness Trackers, Other Devices
5.8.18  Russian troll factory suspected to be behind the attack against Italian President Mattarella
2.8.18  Trump Criticized for Not Leading Effort to Secure Elections
2.8.18  Leaked Chats Show Alleged Russian Spy Seeking Hacking Tools
1.8.18  DHS Unveils National Risk Management Center

Senator Urges Federal Agencies to Ditch Adobe Flash
28.7.18 securityweek BigBrothers

United States Senator Ron Wyden on Wednesday sent a letter to national agencies demanding a collaboration on ending the government use of Adobe Flash.

Set to reach an end-of-life status in 2020, Adobe’s Flash Player is continually plagued by critical vulnerabilities. Two zero-days in the software were patched this year alone, but not before threat actors had exploited them in targeted attacks.

Immediately after Adobe announced plans to kill off the plugin a year ago, Apple, Facebook, Google, Microsoft and Mozilla outlined plans to completely remove support for Flash from their products as well.

Sent to National Institute of Standards and Technology (NIST) Director Walter G. Copan, National Security Agency Director General Paul M. Nakasone, and Department of Homeland Security Secretary Kirstjen Nielsen, Senator Wyden’s letter (PDF) requests the end of government use of Flash by August 2019.

Senator Wyden cites not only the looming end of technical support for Flash, but also the inherent security vulnerabilities in the plugin as the main reasons to dispose of it.

“Flash is widely acknowledged by technical experts to be plagued by serious, largely unfixable cybersecurity issues that could allow attackers to completely take control of a visitor’s computer, reaching deep into their digital life,” the letter reads.

The United States Computer Emergency Readiness Team (US-CERT) warned about the risks of using Flash nearly a decade ago, the letter also notes.

“The U.S. government should begin transitioning away from Flash immediately, before it is abandoned in 2020,” Senator Wyden says. He also noted that the federal government has previously failed to transition from decommissioned software, as was the case with Windows XP, which cost millions for premium support after its end-of-life in 2014.

The three agencies, he says, provide the majority of cybersecurity guidance to government agencies, so they should ensure that federal workers are protected from cyber threats.

“To date, your agencies have yet to issue public guidance for the unavoidable transition away from Flash. A critical deadline is looming – the government must act to prevent the security risk posed by Flash from reaching catastrophic levels,” the letter reads.

The Senator asks NIST, NSA, and DHS to mandate that no new Flash-based content should be deployed on federal websites within 60 days and that all Flash-based content should be removed from the federal websites by August 1, 2019.

Flash should also be removed from the agencies’ employees’ computers by that date, Wyden said.


Cybersecurity, Compliance Slowing U.S. Government's Digital Transformation
24.7.18 securityweek BigBrothers

Complex Compliance Requirements are Delaying U.S. Government's Digital Transformation, Study Shows

With trust in the U.S. government at an all-time low (the Pew Research Center says that only 3% of Americans trust Washington to do the right thing 'just about always'), the suggestion is that a new 'moonshot moment' is necessary for government. A new report (PDF) says that moment is possible with digital transformation.

Success, however, is dependent on three requirements: federal agencies must create a culture of innovation; must prioritize the citizen experience; and must implement an integrated approach to digital transformation.

Consulting firm ICF employed Wakefield Research to survey 500 federal employees to understand the opportunities and obstacles for federal digital transformation. The prize, says ICF, is reigniting citizen trust and satisfaction in government, regardless of the administration. Cybersecurity and compliance issues are among the greatest of the obstacles, with user satisfaction an additional problem.

Eighty-nine percent of the respondents said that security and privacy requirements significantly delay technological innovation. More than half of the respondents admitted to experiencing a cybersecurity incident after implementing a new digital initiative, while almost half of those said that the incident delayed future innovation.

The federal IT procurement process is also an inhibitor, with 91% of respondents saying it needs to be completely overhauled. More than 30% go so far as to recognize benefits in using unauthorized technologies that have not been officially sanctioned by the IT department.

ICF believes that the combination of security/compliance concerns and strict procurement policy is inhibiting the creativity of federal agencies. "Creating a culture of innovation," says the report, "requires encouraging staff within agencies to think outside the box and empowering them to follow through on new ideas by providing targeted support."

Baris Yener, an SVP at ICF, told SecurityWeek, "Compliance has become an overly-complex aspect of security in the government. This is due primarily to the fact that the public sector thinks of security as an afterthought, something that is tacked on to existing processes, rather than building solutions with a security-first mindset. Compliance will remain a hindrance," he added, "until the government and its agencies embrace a shift in thinking that prioritizes an integrated approach to creating tools and services. Once that shift takes place, and stakeholders from across departments are brought together, compliance will be simpler."

In the meantime, he does not believe that empowering creativity will necessarily lead to an unacceptable expansion of shadow IT within federal agencies.

"By embracing outside-the-box thinking, and fostering a culture that encourages creativity," he said, "those staff members will instead raise their hand to offer new solutions, rather than turn to shadow IT. Creative thinking needs to be nurtured and rewarded. If there's anything we know about the nature of cybersecurity today, it's that the threat landscape is constantly changing. Feds with a different perspective will be critical to navigating uncharted territory."

Essential to the moonshot moment of digital transformation is user engagement with the outcome. Ninety-seven percent of the survey respondents say that government agencies now have a greater responsibility than ever to provide the digital tools and services that will make a positive difference in citizens' lives. But 80% also said that government is prioritizing perfecting the technology over the citizen experience.

The extent to which regulations affect new digital technology can be seen by 44% of respondents claiming that compliance is the biggest priority when implementing a new digital technology, with 36% saying that speed of implementation is the prime priority. User adoption of that technology ranks second to last (30%), worsened only by the ability to measure its success (23%).

With such driving principles, ICF sees little chance of government maximizing the potential for engaging the trust of citizens. Federal staff accept the problem, with 92% suggesting that improving usability of the technology should be prioritized over technology development. "Instead of looking to the private sector primarily for technology solutions," suggests ICF, "federal leaders must implement user research and feedback loops that are designed to create and improve digital services."

This may seem a little surprising, since the issue of usability is understood and being tackled by new technologies in the private sector. The big development is the increasing use of artificial intelligence -- for example in reducing user friction in access control. However, Yener does not believe that such solutions can simply be transposed to the federal sector.

"For example," he told SecurityWeek, "when implementing new technologies like AI, the government needs to consider how to identify and document the standardization of those technologies, along with how it will be used within all agencies. Private sector by comparison has the freedom and flexibility to implement whatever would be beneficial to the business, with minimal standardization required or concern for other companies in their industry."

If project funding is available, the biggest obstacles to new digital developments are security concerns (41%), outdated policies (28%), skilled staff shortages (27%), complexity (22%), and lack of time (22%). Other obstacles include poor inter-office communication, difficulty in procuring services, and lack of support from senior management.

"To develop an integrated approach to digital transformation," says the report, "agencies should build a multidisciplinary team that executes technology implementation and prioritizes user adoption. Leaders need to ensure that every department -- including common omissions like HR -- is represented to better understand the needs of the entire organization as it works to apply digital transformation." Successful digital transformation, it adds, "will position the federal government to launch its next moonshot: digital transformation that reignites citizen trust and satisfaction in the government -- regardless of the administration."


EU Antitrust Officials Probe Thales, Gemalto Merger
24.7.18 securityweek  BigBrothers

The European Union said Monday it has launched an anti-trust investigation into the planned purchase by French aerospace and defence group Thales of SIM manufacturer Gemalto.

The European Commission, the 28-nation EU's executive arm, said it wants to determine whether the merger will increase prices as well as reduce choice and innovation for customers of hardware security modules (HSM).

An HSM is hardware that runs encryption software to "generate, protect, and manage encryption keys used to protect data in a secure, tamper-resistant module," it said.

"Our society is increasingly dependent on data security solutions to secure all sorts of social, commercial or personal information," the EU's competition commissioner Margrethe Vestager said in a statement.

"We are opening this in-depth investigation to ensure that the proposed transaction between Thales and Gemalto would not lead to higher prices or less choice in hardware security modules for customers looking to safely encrypt their data," Vestager added.

In a deal valued at about 4.8 billion euros, Thales agreed in December to buy Gemalto, based in the Netherlands, outbidding French competitor Atos.

With the merger, Thales is aiming to become a global leader in digital security.

The commission expressed concern that the merger would reduce players in the market.

Gemalto is active in mobile platforms and services, mobile embedded software and products, smart cards, identification documents, government programs, machine to machine communication, and enterprise security.

The Commission said it has until 29 November to take a decision.


Experts believe US Cyber Command is the only entity that can carry out ‘hack backs’
23.7.18 securityaffairs BigBrothers

The U.S. government should be the one to carry out hack backs in retaliation for the massive attacks against organizations in the US private sector, and when appropriate, the military’s hacking unit should hit back. This is what three experts said at a panel organized by APCO.

The three experts, with experience in the private sector, the intelligence community and the military, agreed that private organizations that fall victim to cyber attacks have to delegate the response against the attackers to the US Cyber Command.

“I think if it’s going to happen, it’s best in the hands of the government,” said Sean Weppner, chief strategy officer at NISOS Group and a former DOD cyber officer.

The experts highlighted that private companies have neither the intelligence capabilities to attribute an attack to a specific threat actor nor the offensive capabilities to conduct hack backs.

Private companies not only lack the capabilities to conduct hack backs, they are not legally authorized to do so.

“The U.S. government should decide how to retaliate against the worst attacks on the country’s private sector, and when appropriate, the military’s hacking unit should hit back, three experts said Monday.” reported CyberScoop.

“The controversial idea entails taking the fight to nefarious actors by attacking their computer network in-kind, probing for exfiltrated data and employing measures to retrieve or destroy stolen information.”

Alex Bolling, the former chief of operations at the CIA’s Information Operations Center, addressed the problem of cyber attacks against critical infrastructure, which in most cases is owned by private entities.

The response to attacks against critical infrastructure operated by private organizations must be delegated to the US Government.

In the majority of cases, attacks against critical infrastructure are carried out by persistent attackers, and for this reason a response requires specific cyber skills, which US CYBERCOM has.

Speaking of CYBERCOM, Bolling said it is the “agency that is best resourced to respond to threats to [U.S.] national interests…[and] critical infrastructure in the energy, finance and wider commercial space.”

Private companies cannot carry out hack backs if we want to avoid a digital Wild West. A private company that decides to target its attackers is in any case a serious threat to the overall digital community.

“For one, companies venturing out into foreign networks would run the risk of disrupting existing U.S. intelligence or military operations.” continues CyberScoop.

According to Edward Amoroso, CEO of Tag Cyber, the US CYBERCOM should isolate the specific target to hit and attack it limiting the risk of any collateral damage.

“I’d like to think there’s a lot of human intelligence and spy-craft that provides a really good view” to the government, said Amoroso.

Experts warn of the risk of hack back non-responsible party due to a wrong attribution of the attack.

Of course, every threat must be properly addressed, especially the ones that target the U.S. private sector daily. The three experts urge proper cyber hygiene to mitigate the risks of cyber attacks and limit the need to carry out hack backs.


Robocalling Firm Exposes U.S. Voter Records
22.7.18 securityweek BigBrothers

A publicly accessible Amazon Web Services S3 bucket belonging to a political autodial firm was exposing hundreds of thousands of United States voter records.

Discovered by Kromtech Security's Bob Diachenko, the misconfigured data repository is part of robocalling company Robocent’s cloud storage and has been already indexed by searchable database GrayhatWarfare, which currently lists over 48,000 open S3 buckets.

The Virginia Beach-based political autodial firm claims to have over 10 years of combined autodial experience and to be able to “reach thousands of voters instantly.”

“Our powerful dialer can make thousands of calls a minute, ensuring large calls always meet the deadline,” Robocent notes on its website.

The company’s publicly accessible storage had 2594 listed files, including audio files (*.mp3, *.wav) with pre-recorded political messages for robocall campaigns.

More importantly, the Amazon S3 bucket contained a large amount of voter data (in the form of *.csv, *.xls files): full name, suffix, prefix; phone numbers (cell and landlines); address with house, street, city, state, zip, precinct; age and birth year; and gender.

Other voter information found in the cloud storage included affiliation provided by state, or inferred based on voting trends/history; jurisdiction breakdown based on district, zip code, precinct, county, state; and demographics based on ethnicity, language, and education, Diachenko reveals.

Many of the files in the S3 bucket were aggregated from outside data firms such as NationalBuilder.

In addition to making political robocalls starting at 1¢ per dial, Robocent also provides voter data at only 3¢ per record. The company also advertises on its website the data points it collects.

“We provide voter files for every need, whether it be for a new robocall or simply to update records for door knocking. Our simple request process allows users to choose exactly who to target with no minimum order,” Robocent says on its website.

According to Diachenko, the company quickly secured the S3 bucket and restricted access to the files after being responsibly notified of the issue.

“We're a small shop (I'm the only developer) so keeping track of everything can be tough,” Diachenko was told.

Over the past several years, there were numerous incidents involving voter databases, including one reported by Diachenko in December last year, where an improperly secured MongoDB database exposed the information of the entire voting population of California: it contained 19,264,123 records.


Trump-Putin Meeting Puts Finland on Cyber-Attack Target List
22.7.18 securityweek BigBrothers

Historically, Finland has not been targeted by a high number of cyber-attacks, but digital assaults spiked in the days prior to the July 16 meeting between U.S. President Donald Trump and Russian President Vladimir Putin in Helsinki.

The massive rise in cyber-attacks isn’t surprising, given the precedent established earlier this year, when Singapore received a massive wave of attacks from June 11 to June 12, during the Trump-Kim summit.

While most of the cyber-attacks observed during President Trump’s meeting with the North Korean leader appeared to originate from Russia, those observed last week were mainly launched from China, F5 reports.

The Finland and Singapore cyber-attacks showed some similarities in targeted ports, which included SIP port 5060, which is typically used by VoIP phones (#3 in Finland attacks, #1 in Singapore attacks), SQL port 1433 (#6 in Finland, #3 in Singapore), and Telnet port 23 (#3 in Finland, #9 in Singapore).

The most attacked port in the new wave of assaults, however, was SSH port 22, followed by SMB port 445. SSH is often used for the secure remote administration of Internet of Things (IoT) devices, but vendors often ship devices with easily guessable credentials, which turns these products into easy targets for cybercriminals.

“The device credentials are typically vendor defaults and, as such, are routinely brute forced. The majority of the attacks against Finland surrounding the Trump-Putin meeting were brute force attacks,” F5 notes.

The Finland assaults also targeted ports that weren’t seen in the Singapore attacks, including HTTP port 80, MySQL port 3306, the alternate web server port 8090, often used for web cameras, and RDP port 3389.

Despite the massive spike in cyber-attacks targeting Finland between July 12 and July 15, the country remained far behind the top targeted countries. Compared to Canada, which typically makes it into the top 10 but not the top 5, Finland received only a small fraction of the cyber-attacks on July 12 and July 14 and “doesn’t even register on the chart,” F5 says.

The top targeting countries during the spike were China (29%), United States (14%) and France (9%), followed by Italy (8%) and Russia (7%). Many of the attacks originated from networks usually seen launching such attacks, the security researchers say.

ChinaNet, consistently at the top of the threat actor network list globally, remained the top attacking network during the attack spike.

Such attacks, F5 notes, are possible because of the rise of poorly secured IoT devices. By targeting vulnerable devices, nation-states, spies, mercenaries, and others can easily launch attacks against anyone.

“If threat actors can follow anyone from an average citizen to a CIA agent, why not President Trump, or any member of his official entourage? They are perhaps the highest valued intelligence targets on the planet right now. Even allied state actors have an interest in gaining eyes or ears into any member of the Trump entourage,” F5 notes.


Trump-Putin Meeting was the root cause of a spike of cyber attacks against Finland
22.7.18 securityaffairs  BigBrothers

F5 experts observed a spike in the attacks in the days prior to the Trump-Putin meeting on July 16 that was held in Helsinki, Finland.
Important events attract cyber attacks: in June we discussed the Trump-Kim summit and the way Singapore, which hosted it, was hit by an unprecedented number of attacks from June 11 to June 12.

At the time, most of the cyber attacks originated in Russia.

Let’s analyze the effect in cyberspace of another event, the Trump-Putin meeting held in Helsinki, Finland, a country that historically is not a favored target of hackers.

The experts pointed out that they have no data to suggest the attacks against Finland were successful.

Once again, researchers at security firm F5 analyzed the number of attacks that hit the host country during the summit and made an interesting discovery: most of the cyber attacks originated in China.

“On July 16th, President Trump met with Vladimir Putin in Helsinki, Finland. As expected, attacks against Finland skyrocketed days before the meeting. What’s interesting this time around is that Russia wasn’t the top attacker—perhaps because Trump was meeting with Putin? In this case, China was the top attacker.” reports the security firm F5.

Experts observed many similarities between the attacks against the countries that hosted the two meetings. Hackers targeted the same ports, including SIP port 5060, typically used by VoIP systems (#3 in Finland attacks, #1 in Singapore attacks), SQL port 1433 (#6 in Finland, #3 in Singapore), and Telnet port 23 (#3 in Finland, #9 in Singapore).

Most of the attacks targeted SSH port 22 which is typically used for the secure remote administration of Internet of Things (IoT) devices. Attackers scan for devices configured with default credentials to compromise them with brute force attacks.

The second most targeted port was the SMB port 445.

“The challenge is that the device credentials are typically vendor defaults and, as such, are routinely brute forced. The majority of the attacks against Finland surrounding the Trump-Putin meeting were brute force attacks.” continues F5.

Experts noticed that some ports targeted by the attacks during the Trump-Putin meeting were not hit during the Singapore summit, for example, the HTTP port 80, MySQL port 3306, the alternate web server port 8090, often used for web cameras, and RDP port 3389.

Experts highlighted that Finland is not included in the list of top-targeted countries.

Which were the other top targeting countries during the Helsinki meeting?

The top targeting countries were:

China (29%);
United States (14%);
France (9%);
Italy (8%);
Russia (7%).

According to F5, ChinaNet was the top attacking network during the attack spike.

“If threat actors can follow anyone from an average citizen to a CIA agent, why not President Trump, or any member of his official entourage? They are perhaps the highest valued intelligence targets on the planet right now. Even allied state actors have an interest in gaining eyes or ears into any member of the Trump entourage,” F5 concludes.
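Both Finland write-ups above rank the ports hit around the summit and describe the SSH traffic as brute force. The following added example (mine, not F5's code or data) does the same on constructed connection-log lines: it ranks ports per campaign, builds the "#n in Finland, #m in Singapore" view, and flags sources whose failed SSH logins cluster tightly enough to look like brute force. The log format, addresses and counts are all constructed.

```python
"""Rank targeted ports per campaign and flag SSH brute-force sources.

Added example, not code or data from F5 or the articles above.  The log
format ("<iso-timestamp> <campaign> <src-ip> <dst-port> <result>") and every
record in SAMPLE_LOG are constructed; addresses come from documentation ranges.
"""
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2018-07-12T10:00:01 finland 203.0.113.10 22 fail
2018-07-12T10:00:05 finland 203.0.113.10 22 fail
2018-07-12T10:00:09 finland 203.0.113.10 22 fail
2018-07-12T10:00:14 finland 203.0.113.10 22 fail
2018-07-12T10:00:20 finland 203.0.113.10 22 fail
2018-07-12T10:00:27 finland 203.0.113.10 22 fail
2018-07-12T10:01:00 finland 198.51.100.7 22 fail
2018-07-12T10:02:00 finland 198.51.100.7 445 fail
2018-07-12T10:02:10 finland 198.51.100.8 445 fail
2018-07-12T10:02:20 finland 198.51.100.9 445 fail
2018-07-12T10:03:00 finland 203.0.113.11 5060 fail
2018-07-12T10:03:05 finland 203.0.113.12 5060 fail
2018-07-12T10:04:00 finland 203.0.113.13 1433 fail
2018-07-12T10:05:00 finland 198.51.100.7 22 success
2018-06-11T09:00:00 singapore 192.0.2.20 5060 fail
2018-06-11T09:00:10 singapore 192.0.2.21 5060 fail
2018-06-11T09:00:20 singapore 192.0.2.22 5060 fail
2018-06-11T09:00:30 singapore 192.0.2.23 5060 fail
2018-06-11T09:01:00 singapore 192.0.2.24 1433 fail
2018-06-11T09:01:10 singapore 192.0.2.25 1433 fail
2018-06-11T09:02:00 singapore 192.0.2.26 22 fail
"""


def parse_records(text):
    """Parse the constructed log lines into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, campaign, src, port, result = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "campaign": campaign,
            "src": src,
            "port": int(port),
            "result": result,
        })
    return records


def rank_ports(records, campaign):
    """(port, hits) for one campaign, most-hit first; ties broken by port number."""
    counts = Counter(r["port"] for r in records if r["campaign"] == campaign)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def port_rank_table(records):
    """Map port -> {campaign: rank}, i.e. the '#3 in Finland, #1 in Singapore' view."""
    table = defaultdict(dict)
    for campaign in sorted({r["campaign"] for r in records}):
        for rank, (port, _hits) in enumerate(rank_ports(records, campaign), start=1):
            table[port][campaign] = rank
    return dict(table)


def brute_force_sources(records, port=22, threshold=5, window_s=60):
    """Sources with at least `threshold` failed logins on `port` inside any `window_s` span.

    Successful logins are ignored on purpose: a single success after a burst of
    failures is the case a defender most wants to see, and it still gets flagged.
    """
    fails = defaultdict(list)
    for r in records:
        if r["port"] == port and r["result"] == "fail":
            fails[r["src"]].append(r["ts"])
    flagged = []
    for src, times in fails.items():
        times.sort()
        # Slide a window of `threshold` consecutive failures over the sorted times.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                flagged.append(src)
                break
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for name in ("finland", "singapore"):
        print(name, rank_ports(recs, name))
    print(port_rank_table(recs))
    print("brute-force sources on port 22:", brute_force_sources(recs))
```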


Ecuador to withdraw asylum for Julian Assange in coming weeks or days
22.7.18 securityaffairs  BigBrothers

According to media, Ecuador is going to hand over the WikiLeaks founder Julian Assange to the UK in “coming weeks or even days.”
In 2012 a British judge ruled WikiLeaks founder Julian Assange should be extradited to Sweden to face allegations of sexual assault there, but Assange received political asylum from Ecuador and spent the last years in its London embassy.

Now Ecuador is planning to withdraw its political asylum, likely next week, which means that Assange would leave the embassy and be arrested by British authorities.

“Sources close to Assange said he himself was not aware of the talks but believed that America was putting ‘significant pressure’ on Ecuador, including threatening to block a loan from the International Monetary Fund (IMF) if he continues to stay at the embassy,” reported RT.

The newly elected President of Ecuador, Lenín Moreno, arrived in London on Friday. Officially, the purpose of his trip is to take part in the Global Disability Summit on 24 July 2018, but media reports suggest he was finalizing an agreement with the UK government to withdraw Assange’s asylum protection.

“ECUADOR’S PRESIDENT Lenin Moreno traveled to London on Friday for the ostensible purpose of speaking at the 2018 Global Disabilities Summit (Moreno has been using a wheelchair since being shot in a 1998 robbery attempt). The concealed, actual purpose of the President’s trip is to meet with British officials to finalize an agreement under which Ecuador will withdraw its asylum protection of Julian Assange, in place since 2012, eject him from the Ecuadorian Embassy in London, and then hand over the WikiLeaks founder to British authorities.” wrote Glenn Greenwald on the Intercept.

Glenn Greenwald (@ggreenwald), 20 Jul:
The editor-in-chief of RT says the Ecuadorian government - now highly subservient to the west under @Lenin's government - will withdraw its asylum grant to Julian Assange and hand him over to the UK. People pretending to believe in press freedom will cheer if he's sent to the US: https://twitter.com/M_Simonyan/status/1019958571889577985 …

Glenn Greenwald (@ggreenwald), 6:05 PM - Jul 20, 2018:
Which is the greater threat to press freedom: (a) sending Julian Assange to the US to be prosecuted by the Sessions DOJ for publishing classified and hacked docs or (b) Donald Trump tweeting mean insults at Chuck Todd and Wolf Blitzer and being rude to Jim Acosta?

Glenn Greenwald (@ggreenwald), 8:37 PM - Jul 20, 2018:
The above report that UK & Ecuador are preparing to turn Assange over to UK appears to be true. Big question is whether the US will indict him & seek his extradition, the way Sessions & Pompeo vowed they would. Can't wait to see how many fake press freedom defenders support that.

In May 2017, Swedish prosecutors dropped their preliminary investigation into an allegation of rape against Julian Assange, but the WikiLeaks founder fears that he would be extradited to the US, where he is facing federal charges for his role in the Chelsea Manning case.

Three months ago, Ecuador cut off Assange’s internet access, mainly to prevent him from expressing support for Catalonia in its independence dispute with the Spanish government.

According to Ecuador, Assange had violated the agreement to refrain from interfering in other states’ politics.

What are the current charges against Assange in the UK?

The only criminal proceeding against Assange is a pending 2012 arrest warrant for “failure to surrender” that is considered by experts a minor bail violation charge.

This charge carries a prison term of three months and a fine, though it is possible that the time Assange has already spent in prison in the UK could be counted against that sentence.


Industry Reactions to U.S. Indicting 12 Russians for DNC Hack
20.7.18 securityweek BigBrothers

The U.S. last week indicted 12 Russian intelligence officers over their alleged role in a hacking operation targeting the Democratic National Committee (DNC) and Hillary Clinton’s 2016 presidential campaign.

The charges, part of special counsel Robert Mueller’s investigation into Russia’s attempt to interfere in the presidential election, were announced just days before President Donald Trump met his Russian counterpart, Vladimir Putin.

Industry professionals have commented on the charges, their impact, the possible threat actors responsible for the operation, and how these types of attacks can be avoided.

And the feedback begins...

John Hultquist, Director of Intelligence Analysis, FireEye:

“While we had already been aware of much of the information covered in the indictment, there were several interesting insights into the organizations that lie behind the intrusion operators we track. In particular, the document indicates that more than one GRU unit was involved in efforts to undermine the elections. The first of these units, Unit 26165, resembles APT28, the operator who we originally suspected of carrying out the DNC incident. The second of these two units, Unit 74455, is implicated in incidents affecting election systems.

We have been actively tracking an actor we believe was tied to those incidents, and have found some connection between those incidents and others, such as efforts to target the 2017 French elections, and disruptive attacks on the 2018 Olympics, as well as other incidents. Ultimately, though much of their activity remains opaque, we believe GRU organizations have been behind many of the most aggressive incidents in recent memory, including the economically devastating NotPetya attacks and attacks on Ukraine’s grid.”

John Gomez, CEO, Sensato:

“When you consider all that is going on and developing with the Russian hackers, it is important to note that we are very much in the embryonic stages of learning what, specifically, occurred. As more and more comes to light, I suspect we will come to appreciate the high level of sophistication that was employed to carry out the attacks. This attack was planned far in advance. It relied upon the coordination of various assets, including the development of fake personas, the recruitment of cybercriminals, monitoring news feeds, and establishing on-the-ground assets that could be plied for information and intelligence. The attackers timed the attacks to shake confidence and cause confusion.

Although the Russian hackers targeted our government, the real lesson here is that this level of sophistication is not isolated to the Russian hackers identified in the U.S Federal indictment. Rather, we are seeing that other criminal organizations, nation states, and even terrorists are employing the same level of sophistication in their operations. This development with Russia simply highlights what many of us have known all along: Attackers, regardless of motivation, have matured their tactics, techniques, and procedures. They’re innovating at a pace that far outstrips the defenses that most organizations have erected. Even basic attacks, such as phishing, are not the same approaches used a few years ago.

We may be appalled, shocked, and even outraged. Yet, maybe the biggest lesson is that despite all efforts, we failed at protecting one of our most treasured assets--the democratic process. What is more appalling is that many will continue to believe that the adversaries our IT organizations faced just a few years ago are the same adversaries our IT organizations face today. Hopefully, what has occurred with Russia will be a wake-up call, not only at the national level, but within our own organizations. If Russia can manipulate an electoral process, what could they and other, highly focused, well-funded cyber attackers do to our economy, our healthcare organizations, and other critical infrastructure systems like transportation or communications?”

Richard Ford, Chief Scientist, Forcepoint:

“We shouldn’t be distracted by talks of how they did this or why but instead – how will the international community respond to these types of asymmetric attacks that impact the very core of our democratic process? While an indictment is a nice gesture, it has little real consequences beyond drawing yet more attention to the issue.

Cybersecurity knows no borders, and so it is relatively easy for a nation state – or even an enthusiastic group of individuals – to launch attacks from the safety of their own country that can be impactful but carry very little personal risk. How we decide to treat these offensive cyber operations is one of the most pressing questions of our time, and those questions cannot be answered by governments alone. Attacks often involve third-party infrastructure, and vulnerabilities in this infrastructure have to be addressed by those in the commercial world.

It’s time for us as an international community to truly come together and determine not only what constitutes acceptable behavior online at the nation state level, but what checks and balances can be meaningfully put in place to those states that refuse to adhere to these agreed upon practices.”

Ross Rustici, Head of Intelligence Research, Cybereason:

"This further confirms the links already exposed from the indictments related to the social media influence campaigns. The concentrated effort of the Russia state to influence the election is undeniable. The most surprising thing about this is not only the relative ease of the intrusions but the wide spread campaign perpetrated by the GRU. This only serves to reinforce the dramatic changes that the internet has brought to influence operations around world. The ease with which intelligence agencies can have a direct influence in the information age is something that they could only dream of during the Cold War."

Kevin Mitnick, Chief Hacking Officer, KnowBe4:

“After reading the Russian indictment I was surprised to see that the Russians use the same exact methods we use to test our client's security controls. Our security engineers have never failed to get in when we can use social engineering (phishing, etc) during an assessment.

The biggest takeaway was that spearphishing is *still* the easiest way the bad guys get in. Why the DNC didn't use Multi-Factor Authentication is beyond me. I believe it is the lack of security awareness training that made it easy for the Russians to hack our election.”

Leo Taddeo, CISO, Cyxtera:

“The indictment teaches cyber security professionals several important lessons. Many legacy security solutions, even when used in combination, simply aren’t designed to mitigate the risks presented by today's adversaries.

A user-centric, context-aware model is non-negotiable – Access controls that require only user name and password are effectively useless. Given the seemingly unstoppable effectiveness of spearphishing, enterprises must assume that one or more of their users has had their credentials compromised. An effective security solution must do more than just verify a user name and password. It must be able to tell if the context of a remote connection is suspicious, such as if it originates from an unusual location or time of day, or from a device with no antivirus software installed. It should also be able to ask for additional authentication steps like one-time passwords (OTP), adjust user permissions on the fly and ultimately block access according to the level of risk. To accomplish this, organizations must adopt a user-centric context-aware model that is built on the principle of least privilege.

Authenticate first, connect second – The indictment specifically calls out that the conspirators conducted scanning on the network IP protocols. The fundamental reason for this vulnerability is that TCP/IP – which was originally designed to operate in an environment where the user community knew and trusted each other – is based on implicit trust, with a “connect first, authenticate second” approach. In today’s hyperconnected and highly adversarial threat landscape, this approach puts organizations at risk. Alternate access control technologies, such as Software-Defined Perimeter (SDP), are built on an “authenticate first, connect second” approach, ensuring that only authorized users can connect to network resources. This reduces the attack surface and significantly improves security. With Software Defined Perimeter, all resources are invisible to the dangerous reconnaissance techniques outlined in the indictment.

Manage the risks of third-party access – The indictment reveals the conspirators hacked into the DNC’s computers through their access to the DCCC network. Then, they installed and managed different types of malware to explore the DNC network and steal documents. This highlights the need for organizations to better manage the risks of third-party access. By using a solution that leverages the Software-Defined Perimeter (SDP) security framework, organizations can ensure that all endpoints attempting to access a given infrastructure are authenticated and authorized prior to accessing any resources on the network. This not only applies the principle of least privilege to the network, it also reduces the attack surface area by hiding network resources from unauthorized or unauthenticated users.”


12 Russian Intel Officers charged with hacking into U.S. Democrats
19.7.18 securityaffairs BigBrothers

The week closes with the indictment of twelve Russian intelligence officers by a US grand jury. The charges were announced just three days before President Donald Trump is scheduled to meet with Vladimir Putin.
Special Counsel Robert Mueller, who in February indicted 13 Russians for a massive operation aimed at influencing the 2016 Presidential election, has now charged 12 Russian intelligence officers working under the GRU with carrying out “large-scale cyber operations” to steal Democratic Party documents and emails.

Deputy Attorney General Rod Rosenstein announced the indictment at a press conference in Washington.

“There’s no allegation in this indictment that any American citizen committed a crime,” said Rosenstein. “The conspirators corresponded with several Americans during the course of the conspiracy through the internet.”

However, “there’s no allegation in this indictment that the Americans knew they were corresponding with Russian intelligence officers.”

During the news conference, the Deputy Attorney General Rod Rosenstein described the technical details of the operations conducted by the units of Russia’s GRU intelligence agency. The cyberspies stole emails from the Democratic National Committee and Hillary Clinton’s campaign, then leaked them in ways meant to influence the perception of Americans about the Presidential election.

Rosenstein reported a second operation in which the officers targeted the election infrastructure and local election officials. Russian intelligence set up servers in the U.S. and Malaysia under fake names to run their operations, and the agents made payments with cryptocurrency that had been “mined” under their direction.

“The fine details of Russian intelligence operations — the names of officers, the buildings where they worked and the computers they used to run phishing operations and make payments — suggest that prosecutors had an inside view aided by their own or another government’s intelligence apparatus.” reads an article published by Bloomberg.

Rosenstein also remarked that “there’s no allegation that the conspiracy changed the vote count or affected any election result.”

Rosenstein also announced that Trump was informed about the indictment before the announcement and that the timing was determined by “the facts, the evidence, and the law.”

The Deputy Attorney General confirmed that 11 of the Russians indicted were charged with “conspiring to hack into computers, steal documents, and release those documents with the intent to interfere in the election.”

“One of those defendants and a 12th Russian are charged with conspiring to infiltrate computers of organizations involved in administering elections,” he added.

“The defendants accessed email accounts of volunteers and employees of a US presidential campaign, including the campaign chairman starting in March of 2016,”

“They also hacked into the computer networks of a congressional campaign committee and a national political committee.”

The Congressional minority is pressing Trump to cancel the meeting with Putin, arguing that Putin intentionally interfered in the election to help Trump’s presidential campaign.

“These indictments are further proof of what everyone but the president seems to understand: President Putin is an adversary who interfered in our elections to help President Trump win,” Senator Chuck Schumer, the Democratic Senate minority leader said in a statement.

“President Trump should cancel his meeting with Vladimir Putin until Russia takes demonstrable and transparent steps to prove that they won’t interfere in future elections.”

Speaking on Friday, before the indictments were announced, Trump explained that he would ask Putin about the alleged interference of Russian intelligence in the Presidential election.

“I will absolutely, firmly ask the question, and hopefully we’ll have a good relationship with Russia,” Trump told a joint press conference with British Prime Minister Theresa May.

Trump described the Mueller investigation as a “rigged witch hunt,” and added that he has been “tougher on Russia than anybody.”

“We have been extremely tough on Russia.”

The White House (@WhiteHouse), 10:03 PM - Jul 13, 2018:
At a press conference with U.K. Prime Minister @theresa_may, President @realDonaldTrump made it clear: "We have been far tougher on Russia than anybody."


Trump evidently believes that the hostility against Russia is a severe interference with the relationship and the collaboration between the two states.

Russia denies any involvement in the elections, and the Kremlin expelled 60 intelligence officers from the Russian embassy in Washington in response to a nerve agent attack on a former Russian spy in Britain.

No Americans were charged Friday, but the indictment reports unidentified Americans were in contact with the Russian intelligence officers.

According to the indictment, at least one person close to the Trump campaign and a candidate for Congress were in contact with the Russian officers.


FBI: Overall BEC/EAC losses between Oct 2013 and May 2018 total $12 billion
19.7.18 securityaffairs BigBrothers

The number of business email compromise (BEC) and email account compromise (EAC) scam incidents worldwide reached 78,000 between October 2013 and May 2018.
The FBI has released further data on Email Account Compromise: according to the bureau, the number of business email compromise (BEC) and email account compromise (EAC) scam incidents worldwide reached 78,000 between October 2013 and May 2018.

“Business E-mail Compromise (BEC)/E-mail Account Compromise (EAC) is a sophisticated scam targeting both businesses and individuals performing wire transfer payments.” reads the announcement published by the FBI.

“The scam is frequently carried out when a subject compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”

The number of BEC/EAC scams continues to grow and the techniques adopted by scammers are evolving, targeting small, medium, and large business and personal transactions.

Unfortunately, business email compromise (BEC) and email account compromise (EAC) scam losses worldwide increased by 136% from December 2016 to May 2018.
Overall losses between October 2013 and May 2018 amount to $12 billion.

According to the FBI, the number of scam incidents in the US was 41,058, resulting in $2.9 billion in losses. The feds highlighted that most of the fraudulent activities used banks in China and Hong Kong as the recipients of the fraudulent funds.

The authorities observed that banks in the United Kingdom, Mexico, and Turkey have also been identified recently as prominent destinations for fraudulent funds.

“The scam may not always be associated with a request for transfer of funds. A variation of the scam involves compromising legitimate business e-mail accounts and requesting Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees,” reads the announcement published by the FBI.

Scammers appear very focused on organizations in the real estate industry: from 2015 to 2017, there was a 1,100% increase in BEC/EAC victims in that sector.

“Victims most often report a spoofed e-mail being sent or received on behalf of one of these real estate transaction participants with instructions directing the recipient to change the payment type and/or payment location to a fraudulent account. The funds are usually directed to a fraudulent domestic account which quickly disperse through cash or check withdrawals.” continues the announcement.

“The funds may also be transferred to a secondary fraudulent domestic or international account. Funds sent to domestic accounts are often depleted rapidly making recovery difficult.”

Below are the BEC/EAC statistics shared by the FBI:

Domestic and international incidents: 78,617
Domestic and international exposed dollar loss: $12,536,948,299

The following BEC/EAC statistics were reported in victim complaints to the IC3 from October 2013 to May 2018, where a country was identified:

Total U.S. victims: 41,058
Total U.S. exposed dollar loss: $2,935,161,457
Total non-U.S. victims: 2,565
Total non-U.S. exposed dollar loss: $671,915,009

The following BEC/EAC statistics were reported by victims via the financial transaction component of the IC3 complaint form, which became available in June 2016. These statistics were reported in victim complaints to the IC3 from June 2016 to May 2018:

Total U.S. financial recipients: 19,335
Total U.S. financial recipients exposed dollar loss: $1,629,975,562
Total non-U.S. financial recipients: 11,452
Total non-U.S. financial recipients exposed dollar loss: $1,690,788,278
According to a report published by Trend Micro in January 2018, the damage caused to enterprises by Business Email Compromise (BEC) attacks has surpassed that of past years, and it is estimated that it could reach $9 billion in 2018.


Trump might ask Putin to extradite the 12 Russian intelligence officers
19.7.18 securityaffairs BigBrothers

A few hours before the upcoming meeting between Donald Trump and Vladimir Putin, the US President said he might ask for the extradition to the US of the 12 Russian intelligence officers accused of being involved in attacks against the 2016 presidential election.
Ahead of the Trump-Putin meeting in Helsinki on Monday, the US President announced that he might ask for the extradition of the 12 Russian intelligence officers accused of attempting to interfere with the 2016 presidential election.

Trump will meet with Putin in Finland, despite calls from Democratic lawmakers to cancel the summit in light of indictments.

Journalists asked Trump whether he would request the extradition to the US of the Russian intelligence officers accused of hacking Hillary Clinton‘s presidential campaign, and the reply was clear.

“Well, I might,” Trump said.

“I hadn’t thought of that. But I certainly, I’ll be asking about it, but again, this was during the Obama administration. They were doing whatever it was during the Obama administration.”

Trump confirmed that Russian hackers targeted the 2016 Presidential election but denied that they supported his campaign, adding that his Republican Party had also been hit by Russian hackers.

“I think the DNC (Democratic National Committee) should be ashamed of themselves for allowing themselves to be hacked,” he said. “They had bad defenses and they were able to be hacked. But I heard they were trying to hack the Republicans too. But — and this may be wrong — but they had much stronger defenses.”

The President blamed the DNC for poor security of its systems.

“The President then placed blame on Democrats for “allowing” the data and security breaches that led to Russia’s tampering in the election, saying the Democratic National Committee was ill-equipped to handle a cyberattack from a foreign actor. The Republican National Committee, on the other hand, had “much better defenses,” Trump claimed.” CNN reported.
“They were doing whatever it was during the Obama administration,” Trump said of the Russians. “And I heard that they were trying, or people were trying, to hack into the RNC too, the Republican National Committee, but we had much better defenses. I’ve been told that by a number of people, we had much better defenses so they couldn’t. I think the DNC should be ashamed of themselves for allowing themselves to be hacked. They had bad defenses, and they were able to be hacked, but I heard they were trying to hack the Republicans too, but, and this may be wrong, but they had much stronger defenses.”

Attempts to hack “old emails” of the Republican National Committee were first reported by CNN in January last year, quoting the then-FBI Director James Comey.

Comey told a Senate panel that “old emails” of the Republican National Committee had been the target of hacking, but the material was never publicly released. Comey confirmed that there was no evidence the current RNC or the Trump campaign had been successfully hacked.

Trump admitted that he was going to meet Putin with “low expectations.”

“I’m not going with high expectations,” he added.

“I think it’s a good thing to meet,” he said. “I believe that having a meeting with Chairman Kim was a good thing. I think having meetings with the president of China was a very good thing.”

“I believe it’s really good. So having meetings with Russia, China, North Korea, I believe in it. Nothing bad is going to come out of it, and maybe some good will come out.”


Director of National Intelligence warns of devastating cyber threat to US infrastructure
19.7.18 securityaffairs BigBrothers

The Director of National Intelligence Dan Coats warned last week of a devastating cyber threat to US infrastructure, saying that “warning lights are blinking red again.”
The Director of National Intelligence Dan Coats warned last week of a devastating cyber threat to US infrastructure; he used the following words to express his concerns:

“warning lights are blinking red again”

The U.S. intelligence chief highlighted that computer networks of US government agencies, enterprises, and academic institutions are under incessant attack launched by foreign states.

Russia, North Korea, China, and Iran are the most persistent attackers; the number of their attacks continues to increase and their level of sophistication is growing too.


The Director of National Intelligence believes that Russia is the most aggressive threat actor, and recent events demonstrate it. On Friday, Special Counsel Robert Mueller, who in February had already indicted 13 Russians for a massive operation aimed at influencing the 2016 Presidential election, charged 12 Russian intelligence officers working under the GRU with carrying out “large-scale cyber operations” to steal Democratic Party documents and emails.

Of the four, “Russia has been the most aggressive foreign actor, no question,” he said.

There is a great difference between the campaigns launched by China and those launched by Russia.

According to Coats, China operates with the primary intent of stealing military and industrial secrets and has “capabilities, resources that perhaps Russia doesn’t have.” The Kremlin, instead, has operated to undermine U.S. values and democratic institutions.

Coats spoke at the Hudson Institute think tank shortly after the announcement of the indictment.

Coats warned that the threat of a “crippling cyber attack on our critical infrastructure” by a nation-state actor is growing.

“Coats said the U.S. government has not yet detected the kinds of cyber attacks and intrusions that officials say Russia launched against state election boards and voter data bases before the 2016 election.” Reuters reported.

“However, we fully realize that we are just one click away of the keyboard from a similar situation repeating itself,” Coats continued.

He drew a parallel between the current situation in cyberspace and the “alarming activities” that U.S. intelligence detected before al Qaeda carried out the Sept. 11, 2001 attacks.

“The system was blinking red. Here we are nearly two decades later and I’m here to say the warning lights are blinking red again,” he said.

While I’m writing, President Donald Trump has arrived at Finland’s Presidential Palace for a summit with Russian President Vladimir Putin.

Ahead of the Trump-Putin meeting in Helsinki on Monday, the US President announced that he might ask for the extradition of the 12 Russian intelligence officers accused of attempting to interfere with the 2016 presidential election.

Journalists asked Trump whether he would request the extradition to the US of the Russian intelligence officers accused of hacking Hillary Clinton‘s presidential campaign, and the reply was clear.

“Well, I might,” Trump said.

“I hadn’t thought of that. But I certainly, I’ll be asking about it, but again, this was during the Obama administration. They were doing whatever it was during the Obama administration.”

Coats also mentioned the so-called “troll factory” operated by unnamed “individuals” affiliated with the St. Petersburg-based Internet Research Agency, which was indicted by federal authorities in February.

These individuals have been “creating new social media accounts, masquerading as Americans and then using these accounts to draw attention to divisive issues,” he said.


Trump – Putin meeting: “I don’t see any reason” for Russia to interfere with the US presidential election
19.7.18 securityaffairs BigBrothers

Russian President Vladimir Putin ‘just said it’s not Russia,’ and President Trump believes him.
Today the controversial meeting between Russian President Vladimir Putin and US President Donald Trump was held in Helsinki, and as expected the Russian President denied any interference with the 2016 US election.
After the meeting, Putin and Trump held a joint news conference and, of course, President Trump confirmed his trust in the words of his ally Putin.

“So I have great confidence in my intelligence people, but I will tell you that President Putin was extremely strong and powerful in his denial today,” Trump said.

Special Counsel Robert Mueller has a different opinion about Russia’s alleged interference in the 2016 Presidential election: his investigation led to the indictment of 12 Russian intelligence officials working under the GRU, accused of carrying out “large-scale cyber operations” to steal Democratic Party documents and emails.

“I don’t see any reason” for Russia to interfere with the US presidential election; this is Trump’s view.

On Friday, director of national intelligence Daniel R. Coats warned of a devastating cyber threat to US infrastructure, he said that “warning lights are blinking red again.”

The Director of National Intelligence believes that Russia is the most aggressive threat actor and recent events demonstrate it.

“Russia has been the most aggressive foreign actor, no question,” he said.

There is a great difference between the campaigns launched by China and those launched by Russia.

According to Coats, China operates with the primary intent of stealing military and industrial secrets and has “capabilities, resources that perhaps Russia doesn’t have.” The Kremlin, instead, has operated to undermine U.S. values and democratic institutions.

“The role of the Intelligence Community is to provide the best information and fact-based assessments possible for the President and policymakers. We have been clear in our assessments of Russian meddling in the 2016 election and their ongoing, pervasive efforts to undermine our democracy, and we will continue to provide unvarnished and objective intelligence in support of our national security,” said Coats in a press statement released after the Trump-Putin press event.

HELSINKI, FINLAND – JULY 16: U.S. President Donald Trump (L) and Russian President Vladimir Putin answer questions about the 2016 U.S Election collusion during a joint press conference after their summit on July 16, 2018 in Helsinki, Finland. The two leaders met one-on-one and discussed a range of issues including the 2016 U.S Election collusion. (Photo by Chris McGrath/Getty Images)

Below is an excerpt from the full transcript of the Helsinki press conference concerning the alleged interference in the 2016 Presidential election.

“Once again, President Trump mentioned issue of so-called interference of Russia with the American elections. I had to reiterate things I said several times, including during our personal contacts, that the Russian state has never interfered and is not going to interfere in internal American affairs, including election process. Any specific material, if such things arise, we are ready to analyze together. For instance, we can analyze them through the joint working group on cyber security, the establishment of which we discussed during our previous contacts.” said Putin.

“During today’s meeting, I addressed directly with President Putin the issue of Russian interference in our elections. I felt this was a message best delivered in person. Spent a great deal of time talking about it. And President Putin may very well want to address it and very strongly, because he feels strongly about it and he has an interesting idea. We also discussed one of the most critical challenges facing humanity, nuclear proliferation. I provided an update on my meeting last month with Chairman Kim on the denuclearization of North Korea. After today, I am very sure that President Putin and Russia want very much to end that problem. Going to work with us, and I appreciate that commitment.” said Trump.


Expert discovered RoboCent AWS S3 bucket containing US voters’ records exposed online
19.7.18 securityaffairs BigBrothers

A security researcher has discovered that the US political robocall firm RoboCent exposed the personal details of hundreds of thousands of US voters.
The US political robocall firm RoboCent left the personal details of hundreds of thousands of US voters exposed online.

The researcher Bob Diachenko from Kromtech Security discovered the company’s database exposed online. The expert was using GrayhatWarfare, an online service that searches for publicly exposed Amazon Web Services S3 storage buckets.

The company sells voter records for 3¢ per record; it is the same data that was left exposed online.

Querying the system for the term “voters” he found the AWS bucket used by RoboCent.

The bucket discovered by the expert contained 2,584 files; the exposed voters’ data includes:

Full Name, suffix, prefix
Phone numbers (cell and landlines)
Address with house, street, city, state, zip, precinct
Political affiliation provided by state, or inferred based on voting trends/history
Age and birth year
Gender
Jurisdiction breakdown based on district, zip code, precinct, county, state
Demographics based on ethnicity, language, education

The server also contained audio files with prerecorded political messages used for the robo-calling service.

“Just when I thought the days of misconfigured AWS S3 buckets are over, I discovered a massive US voter data online, apparently being part of Robocent, Virginia Beach-based political autodial firm’s cloud storage.” wrote Diachenko.

“Many of the files did not originate at Robocent, but are instead the aggregate of outside data firms such as NationalBuilder.”

Diachenko responsibly disclosed the discovery to the company, which quickly secured the bucket. Below is the message sent by the company developer who fixed the issue.

“We’re a small shop (I’m the only developer) so keeping track of everything can be tough”

This isn’t the first case of unsecured Amazon S3 buckets exposed online: in June 2017 the firm DRA left 1.1 TB of data unsecured on an Amazon S3 bucket, exposing 198 million US voter records.

In December 2017, Diachenko discovered another exposed MongoDB database containing voter registration data for more than 19 million California residents.
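The RoboCent and DRA incidents above are both cases of an S3 bucket readable by anyone who finds its name. Below is an added example, not code from RoboCent, Kromtech or the article, of the three checks an operator would run on a bucket that holds personal data: ACL grants to the AllUsers or AuthenticatedUsers groups, bucket-policy statements that allow everyone without a Condition, and the S3 Block Public Access settings. The functions take dictionaries in the shape boto3 returns from get_bucket_acl(), get_bucket_policy()['Policy'] and get_public_access_block(), so live responses can be passed straight in; the bucket name, owner ID, policies and VPC endpoint ID in the samples are constructed for the demo.

```python
"""Offline checks for the S3 misconfigurations behind exposures like the one above.

Added example (not RoboCent's, Kromtech's or the article's code).  Inputs mirror
what boto3 returns from get_bucket_acl(), get_bucket_policy()['Policy'] and
get_public_access_block(); the sample values below are constructed for the demo.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUP_URIS = {ALL_USERS, AUTH_USERS}   # AuthenticatedUsers = any AWS account
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """(group URI, permission) for every ACL grant that reaches outside the account."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            hits.append((grantee["URI"], grant.get("Permission")))
    return hits


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Sids of Allow statements granted to everyone with no Condition at all.
    Conditioned grants (e.g. limited to a VPC endpoint) are left for manual review."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):            # a policy may carry one statement object
        statements = [statements]
    return [st.get("Sid", f"statement[{i}]")
            for i, st in enumerate(statements)
            if st.get("Effect") == "Allow"
            and _principal_is_everyone(st.get("Principal"))
            and not st.get("Condition")]


def public_access_block_gaps(pab):
    """Names of the Block Public Access settings that are not switched on."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return [name for name in PAB_SETTINGS if not cfg.get(name, False)]


def audit_bucket(acl, policy, pab):
    """One finding string per problem; an empty list means the bucket is closed."""
    findings = [f"ACL grants {perm} to {uri.rsplit('/', 1)[-1]}"
                for uri, perm in public_acl_grants(acl)]
    findings += [f"policy statement {sid} allows everyone without a Condition"
                 for sid in public_policy_statements(policy)]
    findings += [f"Block Public Access setting {gap} is off"
                 for gap in public_access_block_gaps(pab)]
    return findings


# --- constructed sample: a bucket exposed the way the article describes ---
OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-id"}
EXPOSED_ACL = {"Owner": {"ID": "constructed-owner-id"}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-voter-data", "arn:aws:s3:::example-voter-data/*"],
}]})
NO_PAB = {"PublicAccessBlockConfiguration": {}}     # block never configured

# --- constructed sample: the same bucket after remediation ---
LOCKED_ACL = {"Owner": {"ID": "constructed-owner-id"},
              "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-voter-data/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-constructed"}},
}]})
FULL_PAB = {"PublicAccessBlockConfiguration": {name: True for name in PAB_SETTINGS}}

if __name__ == "__main__":
    print("exposed:", audit_bucket(EXPOSED_ACL, EXPOSED_POLICY, NO_PAB))
    print("locked: ", audit_bucket(LOCKED_ACL, LOCKED_POLICY, FULL_PAB))
```

The exposed sample yields six findings (one ACL grant, one policy statement, four Block Public Access settings), the remediated one none. Note that `public_policy_statements` deliberately skips any statement that carries a Condition, because a grant restricted to a VPC endpoint or a source IP is not world-readable; such statements still deserve a human look, which is why the remediated policy keeps one.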


Russia Targeted by Almost 25 Million Cyber-Attacks During World Cup: Putin
19.7.18 securityweek BigBrothers

Russia was the target of almost 25 million cyber-attacks during the World Cup, President Vladimir Putin said, though he did not indicate who may have been behind the attacks.

"During the period of the World Cup, almost 25 million cyber-attacks and other criminal acts on the information structures in Russia, linked in one way or another to the World Cup, were neutralised," Putin said during a meeting on Sunday with security services.

The president, whose comments were reported by the Kremlin on Monday, gave no information on the nature or possible origins of the cyber-attacks.

"Behind this (World Cup) success lies huge preparatory, operational, analytical and information work, we operated at maximum capacity and concentration," said Putin.

Russia, which hosted the World Cup from June 14 to July 15 in 11 cities and 12 stadiums, has been repeatedly accused by Western countries of conducting cyber-attacks.

On Friday, 12 Russian military intelligence officers were charged with hacking Hillary Clinton's 2016 presidential campaign and the Democratic Party in a stunning indictment three days before President Donald Trump meets with Putin in Helsinki on Monday.

The charges were drawn up by Special Counsel Robert Mueller, the former FBI director who is looking into Russian interference in the November 2016 vote and whether any members of Trump's campaign team colluded with Moscow.


Russia's National Vulnerability Database Slow, Incomplete
19.7.18 securityweek BigBrothers

Russia’s national vulnerability database is slow, incomplete and it focuses on security flaws that could pose a threat to the country’s IT systems, according to an analysis conducted by threat intelligence firm Recorded Future.

After analyzing the national vulnerability databases of the United States and China, Recorded Future has decided to take a look at Russia’s database, known as the BDU. The BDU is maintained by the Federal Service for Technical and Export Control of Russia (FSTEC), an agency whose role is to protect state secrets and provide support for counterespionage and counterintelligence missions.

Researchers discovered significant differences both in the number of vulnerabilities and the time it takes to add them to the database, compared to the databases run by China and the United States. For instance, while the US’s NVD stored information on nearly 108,000 security holes, the BDU only documented just over 11,000 flaws in March, when Recorded Future conducted its analysis.

As for the time it takes for a vulnerability to be included in the BDU, the average is 95 days, much more than in the United States (45 days) and China (11 days).

While Russia’s database only covers roughly 10 percent of known vulnerabilities, there are certain pieces of software and certain types of bugs that seem more important to the maintainers of the database.

Software vulnerabilities covered above average in Russia's national vulnerability database

Researchers noticed that the BDU stores information on 61 percent of the vulnerabilities known to have been exploited by Russia-linked advanced persistent threat (APT) groups in their campaigns. This is in contrast to China, whose CNNVD database hides or delays flaws exploited by the country’s intelligence services.

While the vulnerabilities exploited by Russia-linked APTs affect some of the world’s most widely used software, their presence in the vulnerability database suggests that the systems of the Russian government also run these programs, especially since FSTEC’s mission is to protect government systems. This also provides insight into the applications used by the Russian government.

Moreover, Recorded Future points out it’s also possible that hackers sponsored by the Russian military leverage vulnerabilities in the BDU in their operations, or that the military may be obligated to protect the state’s IT systems by providing information on these flaws.

“The public record and available data is not yet sufficient to determine the relationship between FSTEC and Russian state-sponsored cyber operations,” Recorded Future said in its report.

On the other hand, while the BDU covers many vulnerabilities affecting Adobe products, even in this category the database is incomplete. According to researchers, there are over 1,200 Adobe bugs with a CVSS score higher than 8 that are not present in Russia’s database.

So why waste resources on an incomplete and very slow vulnerability database?

A lack of resources could be an explanation, but analysts note that FSTEC has over 1,100 employees, nearly triple compared to the US’s NIST Information Technology Laboratory (ITL), which maintains the country’s NVD.

Another possible scenario is that FSTEC has both an offensive and a defensive mission and that its database covers vulnerabilities based on competing needs. However, experts believe this theory is not accurate either, considering that the agency is not a public service organization: its main mission is to protect state and critical infrastructure systems and support counterintelligence initiatives.

The most likely scenario, Recorded Future believes, is that the BDU is “simply a baseline for government information systems security and software inspections.”

One of the roles of FSTEC is to review the software of foreign companies that want to sell their products in Russia. This includes firewalls, antiviruses and applications that use encryption.

“FSTEC is a military organization and is publishing ‘just enough’ content to be credible as a national vulnerability database. The Russian government needs vulnerability research as a baseline for FSTEC’s other technical control responsibilities, such as requiring reviews of foreign software,” the threat intelligence firm said.


North Korean Hackers Launch New ActiveX Attacks
19.7.18 securityweek BigBrothers

Watering Hole Attacks Target South Korean Users With ActiveX Exploits

A new series of reconnaissance attacks targeting ActiveX objects has been associated with the North Korean-linked Andariel group, a known branch of the notorious Lazarus Group.

In May, the group was observed exploiting an ActiveX zero-day vulnerability in a series of attacks on South Korean targets, mainly for reconnaissance purposes. A script injected into compromised websites would identify the visitor’s operating system and browser and, if Internet Explorer was detected, check for ActiveX and running plugins from a specific list of ActiveX components.

Highly active in recent months, the Andariel group has apparently launched a new reconnaissance attack against South Korean targets, by injecting their code into four other compromised websites. The attack, which was spotted on June 21, attempts to collect different object information than before.

Despite targeting objects it wasn’t targeting before, the newly discovered script is similar to the one used in May, which led Trend Micro to the conclusion that the same group of hackers is behind both campaigns.

Previously, the group collected information on targeted ActiveX objects in users’ Internet Explorer browsers and only launched the zero-day exploit after identifying the right targets.

“Based on this, we believe it’s likely that the new targeted ActiveX objects we found could be their next targets for a watering hole exploit attack,” Trend Micro explains.

The new attack lasted until June 27 and targeted the visitors of a Korean non-profit organization’s website and those of three South Korean local government labor union websites.

The injected script, which had similar obfuscation and structure as the Andariel-linked script found in May, was designed to collect visitor information such as browser type, system language, Flash Player version, Silverlight version, and multiple ActiveX objects.

According to Trend Micro, the script was attempting to detect two additional ActiveX objects that were not previously targeted, namely one related to a DRM (Digital Rights Management) software from a South Korean Document Protection Security vendor and another related to a South Korea-based voice conversion software company.

The script also included code to open a WebSocket connection to localhost. “The voice conversion software has websocket service listening on the local host so the injected script can detect the software by checking if they can establish a connection to ports 45461 and 45462, which the software uses,” Trend Micro explains.

The websocket verification, the security researchers say, could also be performed on Chrome and Firefox, in addition to Internet Explorer, which would suggest that the hackers have expanded their target base, aiming at the software and not just the ActiveX objects.

“Based on this change, we can expect them to start using attack vectors other than ActiveX,” Trend Micro notes.
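The reconnaissance described above leaves two fingerprints in a compromised page’s script: a run of ActiveXObject probes wrapped in try/catch, and WebSocket constructors aimed at the loopback address. The following is an added example, not Trend Micro’s code, of a static triage routine a web team or incident responder could run over scripts pulled from their own site to spot such an injection. The sample scripts are constructed, the ProgIDs in them are placeholders, and the regexes and probe threshold are this example’s own choices; only the loopback ports 45461 and 45462 come from the article.

```python
"""Static triage of page scripts for the watering-hole reconnaissance described above.

Added example, not Trend Micro's code.  It flags two fingerprints in a script body:
a run of ActiveXObject probes and WebSocket constructors aimed at the loopback
interface.  The loopback ports 45461/45462 are the ones the article attributes to the
voice-conversion software; the regexes, the probe threshold and the sample scripts
(with placeholder ProgIDs) are constructed for this example.
"""
import re

REPORTED_LOCAL_PORTS = {45461, 45462}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1"}
ACTIVEX_RE = re.compile(r"new\s+ActiveXObject\s*\(\s*['\"]([^'\"]+)['\"]", re.I)
WEBSOCKET_RE = re.compile(
    r"new\s+WebSocket\s*\(\s*['\"](wss?)://([^/:'\"]+)(?::(\d+))?", re.I)


def find_activex_probes(script):
    """ProgIDs/CLSIDs the script tries to instantiate with a literal argument."""
    return ACTIVEX_RE.findall(script)


def find_loopback_websockets(script):
    """(host, port) for every WebSocket the script opens to the local machine."""
    found = []
    for scheme, host, port in WEBSOCKET_RE.findall(script):
        if host.lower() in LOOPBACK_HOSTS:
            default = 443 if scheme.lower() == "wss" else 80   # scheme default when no port
            found.append((host, int(port) if port else default))
    return found


def triage(script, probe_threshold=3):
    """Return the evidence and a verdict for one script body.

    A page that legitimately uses ActiveX usually instantiates one or two well-known
    objects; a run of probes, or any socket to the loopback, is what the injected
    recon script looked like."""
    probes = find_activex_probes(script)
    sockets = find_loopback_websockets(script)
    reasons = []
    if len(probes) >= probe_threshold:
        reasons.append(f"{len(probes)} ActiveX probes (threshold {probe_threshold})")
    if sockets:
        ports = sorted({port for _, port in sockets})
        reasons.append(f"WebSocket to loopback on ports {ports}")
        if REPORTED_LOCAL_PORTS & set(ports):
            reasons.append("ports match the reported voice-software indicator")
    return {"activex_probes": probes, "loopback_sockets": sockets,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample imitating the described injection (ProgIDs are placeholders).
SUSPICIOUS_SCRIPT = r"""
var r = [];
try { new ActiveXObject("Example.DocumentDRM.1"); r.push("drm"); } catch (e) {}
try { new ActiveXObject("Example.VoiceEngine.1"); r.push("voice"); } catch (e) {}
try { new ActiveXObject("Example.MediaPlayer.1"); r.push("media"); } catch (e) {}
var s1 = new WebSocket("ws://127.0.0.1:45461/");
var s2 = new WebSocket('ws://localhost:45462');
s1.onopen = function () { r.push("voice-ws"); };
"""

# Constructed sample of ordinary page code: one legacy XHR fallback, one remote socket.
BENIGN_SCRIPT = r"""
var xhr = window.XMLHttpRequest ? new XMLHttpRequest() : new ActiveXObject("Msxml2.XMLHTTP");
var chat = new WebSocket("wss://chat.example.com/socket");
"""

if __name__ == "__main__":
    for name, body in (("suspicious", SUSPICIOUS_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(name, triage(body)["reasons"] or ["no findings"])
```

Because the check is purely textual, it works on scripts fetched from a site’s own pages or pulled out of a proxy capture, and it does not depend on the browser the visitor used; that matters here because, as the article notes, the loopback WebSocket probe also works in Chrome and Firefox, so an Internet Explorer-only detection rule would miss it.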


At Summit, Trump Refuses to Confront Putin on Vote Row
19.7.18 securityweek BigBrothers

President Donald Trump refused to confront Vladimir Putin over meddling in the US election at their first face to face summit, publicly challenging the findings of the US intelligence community and triggering bipartisan outrage at home.

The US and Russian presidents came out of their meeting in Helsinki Monday expressing desire for a fresh start between the world's leading nuclear powers and more talk on global challenges, after discussing an array of issues from Syria, Ukraine and China to trade tariffs and the size of their nuclear arsenals.

There were indications of an arrangement to work together and with Israel to support a ceasefire in southern Syria, suggesting that the US administration is backing off its demand that Moscow's ally Bashar al-Assad step down.

If that is anathema to many in Washington, Trump's apparent concessions to Putin over the election controversy drew stinging condemnation from across the political divide.

Standing alongside the Kremlin boss at a joint news conference, Trump acknowledged that his intelligence chiefs believe Russia hacked and leaked Democrats' emails containing politically damaging information about his rival Hillary Clinton in 2016.

But, insisting he had won the race fair and square, the wealthy property tycoon said: "I have President Putin, he just said it is not Russia. I will say this: I don't see any reason why it would be."

Friday's US indictment of 12 Russian military intelligence agents exploded with embarrassing timing for Trump as he prepared to meet Putin. On Monday, officials said another Russian agent had been arrested for seeking to influence US politics.

But the US leader insisted that his counterpart had delivered a "powerful" denial of any Russian manipulation, and that the investigation by special counsel Robert Mueller was proving a "disaster" for the United States.

In his own interview with Fox, Trump said he was "fascinated" by an offer from Putin for US agents to indirectly grill the indicted Russians by submitting their questions to Russian officials but said Mueller's team "probably won't want to go" to Moscow.

- 'Never interfered' -

Trump again denied any collusion between his campaign and the Kremlin, while Putin insisted: "The Russian state has never interfered and is not planning to interfere in the USA's internal affairs."

As criticism mounted, Trump tweeted from Air Force One on his way home from Finland that he had "GREAT confidence in MY intelligence people".

"However, I also recognize that in order to build a brighter future, we cannot exclusively focus on the past – as the world’s two largest nuclear powers, we must get along."

Angry criticism of his disavowal of his own intelligence agencies came even from within Trump's Republican Party.

Senior Republican Senator John McCain was particularly scathing, saying: "Coming close on the heels of President Trump's bombastic and erratic conduct towards our closest friends and allies in Brussels and Britain, today's press conference marks a recent low point in the history of the American presidency."

Director of National Intelligence Dan Coats distanced himself from his boss, issuing a statement saying the US intelligence community's judgment that Russia interfered in the 2016 election was "clear".

But the top Democrat in the US Senate, Chuck Schumer, tweeted that many Americans can only wonder if "the only possible explanation for this dangerous behaviour is the possibility that President Putin holds damaging information over President Trump."

And former CIA director John Brennan said Trump's behavior at the news conference "rises to & exceeds the threshold of 'high crimes & misdemeanors.' It was nothing short of treasonous."

Putin denied the notion that Russian spy bosses may hold compromising information on Trump, who in his previous business career oversaw the Miss Universe pageant in Moscow in 2013.

"Please get this rubbish out of your heads," the Russian leader said.

In a post-summit interview with Fox News, Putin said US-Russia relations should not be held "hostage" to "internal political games," referring to the Mueller probe.

The two leaders appeared relaxed at the Helsinki news conference, smiling on occasion, in contrast to their sombre demeanour at the start of the day.

Trump, bent on forging a personal bond with the Kremlin chief despite the election allegations, went into the summit blaming the "stupidity" of his predecessors for plunging ties to their present low.

His manner towards Putin was also a contrast to the anger Trump flashed at NATO allies at a combative summit of the alliance in Brussels last week, which critics said would only hearten Putin.

- 'Only the beginning' -

A post-NATO trip to Britain, supposedly America's partner in a "special relationship", was riddled with controversy as well.

In Helsinki, however, Trump was determined to accentuate the positive, as was Putin.

The two leaders met one-on-one for more than two hours, with just their interpreters present, before they were joined by their national security teams.

Many in Washington were agog at Trump's decision to sit alone with Putin, worried about what he might give away to the former KGB spymaster, after previously cosying up to the autocratic leaders of China and North Korea.

But Trump, convinced his unique brand of diplomacy can win over Putin, pressed ahead and looked forward to "having an extraordinary relationship" as the pair sat down to discuss global hotspots.

- 'Foolishness and stupidity' -

Trump began the day by firing a Twitter broadside at his domestic opponents, blaming the diplomatic chill on the election investigation.

"Our relationship with Russia has NEVER been worse thanks to many years of U.S. foolishness and stupidity and now, the Rigged Witch Hunt!" Trump tweeted.

Russia's foreign ministry tweeted in response: "We agree."

In a weekend interview with CBS News, Trump admitted that Russia remains a foe, but he put Moscow on a par with China and the European Union as economic and diplomatic rivals.


Irish Silk Road Suspect Extradited to US: Prosecutors
19.7.18 securityweek BigBrothers

A 30-year-old Irish man accused of working for now defunct "dark web" marketplace Silk Road has been extradited to the United States to face charges in New York, four years after his arrest, prosecutors announced Friday.

Gary Davis, who went by the alias "Libertas," was allegedly a Silk Road administrator in 2013 -- and was paid a weekly salary to carry out duties that included resolving disputes between drug dealers and buyers on the site.

He is charged with one count of conspiracy to distribute narcotics, which carries a maximum sentence of life in prison, one count of conspiracy to commit computer intrusion and one count of conspiracy to commit money laundering.

The Wicklow man, who was arrested in January 2014, appeared before a Manhattan federal court on Friday.

"Thanks to our partner agencies here and abroad, Davis now faces justice in an American court," said Manhattan US Attorney Geoffrey Berman.

Until the FBI shut it down in October 2013, the US government called Silk Road "the most sophisticated and extensive criminal marketplace on the Internet" used by vendors in more than 10 countries in North America and Europe.

Texan mastermind Ross Ulbricht was convicted and sentenced to life in prison in 2015 for running the online enterprise that sold $200 million in drugs worldwide.

Operating under the alias "Dread Pirate Roberts," Ulbricht amassed $13 million in commissions by making the purchase of heroin, cocaine and crystal meth as easy as shopping online at eBay or Amazon, the government said.

His four-week trial was considered a landmark case in the murky world of online crime and government surveillance.


Back in Washington, Trump Under Pressure to Reverse Course on Russia
19.7.18 securityweek BigBrothers

President Donald Trump found himself isolated and under pressure to reverse course Tuesday after publicly challenging the US intelligence conclusion that Russia meddled in the 2016 election during his face-to-face with Vladimir Putin.

At his inaugural summit with the Russian president in Finland, Trump appeared to accept at face value the strongman's denial that Moscow interfered in a bid to undermine the Democrat Hillary Clinton -- a stance that triggered bipartisan outrage at home.

Back in Washington, Trump sounded a defensive note, insisting his meeting with Putin had been "even better" than his one last week with traditional allies NATO -- a testy gathering seen as having badly strained trans-Atlantic ties.

But the US president -- who is expected to speak about the meeting at 2:00 pm (1800 GMT) on Tuesday -- has found precious little support for his decision not to confront Putin, and faced calls even from allies to change tack.

"He has to reverse course immediately and he's gotta get out there as soon as possible before the concrete starts to set on this," former White House communications director Anthony Scaramucci said on CNN.

"Loyalty right now requires you to tell the truth and sit with him and explain to him the optics of the situation, why the optics are bad, the strategy in terms of trying to get along with Vladimir Putin and deploying a strategy of going against the intelligence agency is very bad," Scaramucci said.

Former House speaker and longtime Trump ally Newt Gingrich put it yet more bluntly.

"President Trump must clarify his statements in Helsinki on our intelligence system and Putin," he tweeted as Trump headed home. "It is the most serious mistake of his presidency and must be corrected -- immediately."

Trump's performance at the summit has even come under fire from the hosts at Fox News, usually a reliable defender of the president.

"No negotiation is worth throwing your own people and country under the bus," Fox anchor and Fox & Friends co-host Abby Huntsman -- the daughter of the US ambassador to Russia -- wrote on Twitter.

And former president Barack Obama, who has remained above the political fray since leaving office, appeared to allude to the events of the day before during a rare public appearance Tuesday at which he warned the world had plunged into "strange and uncertain times."

"Strongman politics are ascendant, suddenly, whereby elections and some pretense of democracy are maintained -- the form of it -- but those in power seek to undermine every institution or norm that gives democracy meaning," Obama said in Johannesburg.

- 'Undermine democracy' -

Trump and Putin met for two hours in Helsinki on Monday with only their interpreters present, then held a joint press conference.

Standing alongside the Kremlin boss, Trump acknowledged that his intelligence chiefs believe Russia hacked and leaked Democrats' emails containing politically damaging information about his rival Clinton in 2016.

But, insisting he had won the race fair and square, the Republican said: "I have President Putin, he just said it is not Russia. I will say this: I don't see any reason why it would be."

Special Counsel Robert Mueller's investigation into Russian meddling and possible collusion with the Trump campaign has increasingly put pressure on the White House, and the president -- who regards it as an attack on his legitimacy -- has dubbed it a "witch hunt."

But the investigation continues to progress, resulting in the indictment of 12 Russian military intelligence agents on Friday -- timing that was embarrassing in light of the upcoming summit.

While Trump has faced intense criticism over Helsinki, he is not entirely without defenders.

Republican Senator Rand Paul has given a series of interviews supporting Trump's stance towards Putin, and berating his critics as biased.

"I think the president did a good thing by meeting with Putin and I think it's a mistake for people to try to turn this into a partisan escapade," the Kentucky Republican said on CBS.

Paul's efforts drew praise from Trump, who tweeted: "Thank you @RandPaul, you really get it!"

But the bipartisan consensus has been broadly hostile to Trump's stance -- as the top Republican in Congress, House Speaker Paul Ryan made clear once more at a press conference Tuesday on Capitol Hill.

"We stand by our NATO allies and all those countries who are facing Russian aggression," Ryan said. "Vladimir Putin does not share our interests, Vladimir Putin does not share our values."

"We just conducted a yearlong investigation into Russia's interference in our elections. They did interfere in our elections. It's really clear. There should be no doubt about that," he said.

"Russia is trying to undermine democracy itself."


NIST to Withdraw 11 Outdated Cybersecurity Publications
19.7.18 securityweek BigBrothers

The U.S. National Institute of Standards and Technology (NIST) announced on Tuesday that its Computer Security Division has decided to withdraw eleven outdated SP 800 publications.

NIST’s 800 series Special Publications (SP) focus on cybersecurity and include guidelines, technical specifications, recommendations, and annual reports. These publications are meant to address and support the security and privacy needs of government agencies, but they are often used and referenced by private sector companies.

NIST’s website currently lists over 180 SP 800 publications, including drafts and final versions. Eleven of them, which are now considered out of date, will be withdrawn on August 1, 2018, and will not be revised or superseded.

The documents will still be available for historical reference, but their status will be changed from “final” to “withdrawn.”

The following SP 800 publications will be withdrawn, with the reason for withdrawal listed for each document:

● SP 800-13 (October 1995): Telecommunications Security Guidelines for Telecommunications Management Network – describes outdated technologies;

● SP 800-17 (February 1998): Modes of Operation Validation System (MOVS): Requirements and Procedures – validation system is for deprecated algorithms, such as DES and Skipjack;

● SP 800-19 (October 1999): Mobile Agent Security – environments and technologies far less complex than what is used today;

● SP 800-23 (August 2000): Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products – based on outdated laws, regulations and executive directives;

● SP 800-24 (April 2001): PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does – does not address newer technologies, such as VOIP;

● SP 800-33 (December 2001): Underlying Technical Models for Information Technology Security – describes a model that pre-dates the Risk Management Framework and Cybersecurity Framework;

● SP 800-36 (October 2003): Guide to Selecting Information Technology Security Products – outdated references and it does not reflect current types of security products;

● SP 800-43 (November 2002): Systems Administration Guidance for Securing Windows 2000 Professional System – Windows 2000 no longer supported;

● SP 800-65 (January 2005): Integrating IT Security into the Capital Planning and Investment Control Process – pre-dates the Cybersecurity Framework and other important SP 800 guidance;

● SP 800-68 Rev. 1 (October 2008): Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist – Windows XP no longer supported;

● SP 800-69 (September 2006): Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist – Windows XP no longer supported.


US Lifts Export Ban on Suppliers to China's ZTE
18.7.18 securityweek  BigBrothers

The United States on Friday formally lifted a crippling ban on exports to China's ZTE, rescuing the smartphone maker from the brink of collapse after it was denied key components.

The US Commerce Department said it would continue to monitor the company to prevent further violations of US sanctions on Iran and North Korea.

"While we lifted the ban on ZTE, the Department will remain vigilant as we closely monitor ZTE's actions to ensure compliance with all US laws and regulations," Commerce Secretary Wilbur Ross said in a statement.

But the move to reverse the harsh penalties, made at President Donald Trump's insistence, has left US lawmakers irate. Congress has taken steps to keep the ban in place and accused Trump of rewarding a company which had repeatedly flouted American law, lied to authorities and engaged in espionage.

The about-face to rescue the company created a stark contrast with the escalating trade war between Washington and Beijing.

The Commerce Department in April banned US companies from supplying ZTE with crucial components, forcing it to halt operations, after officials found further violations even after reaching a settlement in March of last year over the initial complaints.

The company had paid bonuses rather than reprimanding employees involved in illegal activity and created an "elaborate scheme" to deceive US officials and obstruct justice, US officials said.

But as a favor to Chinese President Xi Jinping, Trump ordered Commerce to ease the penalties on ZTE.

In an agreement struck last month, Washington agreed to lift the export ban if ZTE paid an additional $1 billion fine -- beyond the $892 million penalty imposed in 2017.

The company also was required to replace its board of directors, retain outside monitors and put $400 million in escrow to cover any future violations -- a final step it took this week.

In a statement this week, Senator Mark Warner of Virginia, the senior Democrat on the Select Committee on Intelligence, lambasted the reversal, saying the US military and spy agencies had branded ZTE an "ongoing threat" to US national security.

"This sweetheart deal not only ignores these serious issues, it lets ZTE off the hook for evading sanctions against Iran and North Korea with a slap on the wrist," Warner said.


BEC Scam Losses Top $12 Billion: FBI
18.7.18 securityweek  BigBrothers

The losses and potential losses reported as a result of business email compromise (BEC) and email account compromise (EAC) scams exceed $12 billion globally, according to an alert published last week by the FBI.

The report is based on data collected by the FBI’s Internet Crime Complaint Center (IC3), international law enforcement and financial institutions between October 2013 and May 2018. The amounts represent both money that was actually lost by victims and money they could have lost had they taken the bait.

BEC scams, which involve sending requests for fund transfers and personally identifiable information from hijacked business email accounts, have been observed in 50 U.S. states and 150 countries, with money being sent to 115 countries.

The top destinations for money generated by BEC scams are Asian banks in China and Hong Kong, but a significant number of schemes involve financial organizations in the U.K., Mexico and Turkey.

According to the FBI, more than 78,000 complaints have been made globally between October 2013 and May 2018, with over 41,000 victims reported in the United States. Targeted individuals and businesses lost or could have lost $12.5 billion, nearly $3 billion of which in the U.S. Losses increased by 136% between December 2016 and May 2018.

The number of non-U.S. victims known to the FBI is 2,565, with losses totaling over $670 million.

In comparison, the FBI’s previous report on BEC scams, which covered the period between October 2013 and December 2016, said there had been 40,203 incidents globally with exposed losses totaling over $5.3 billion.

In its recent 2017 Internet Crime Report, the FBI said IC3 received over 15,000 BEC and EAC complaints last year, reporting losses of $675 million.

The law enforcement agency highlighted that the real estate sector continues to be increasingly targeted. Victims include law firms, title companies, real estate agents, sellers, and buyers.

In scams targeting this sector, the fraudsters use spoofed emails on behalf of real estate transaction participants and instruct recipients to transfer money into fraudulent accounts.

“Based on victim complaint data, BEC/EAC scams targeting the real estate sector are on the rise,” the FBI said. “From calendar year 2015 to calendar year 2017, there was over an 1100% rise in the number of BEC/EAC victims reporting the real estate transaction angle and an almost 2200% rise in the reported monetary loss. May 2018 reported the highest number of BEC/EAC real estate victims since 2015, and September 2017 reported the highest victim loss.”

BEC scam losses in real estate sector

The topic of BEC scams and how the threat can be prevented using human-powered intelligence was covered recently in a SecurityWeek column by Josh Lefkowitz, CEO of business risk intelligence firm Flashpoint.

“BEC underscores why even the most technically sophisticated cyber defenses aren’t always a match for low-tech threats. Combating BEC requires more than just advanced technologies and robust perimeter security—it requires humans to understand the threat,” Lefkowitz said.


12 Russian Intelligence Officers Indicted for Hacking U.S. Democrats
18.7.18 securityweek  BigBrothers

Twelve Russian intelligence officers were indicted by a US grand jury on Friday -- just three days before President Donald Trump is scheduled to meet with Russia's Vladimir Putin -- for interfering in the November 2016 presidential election.

The charges were drawn up by Special Counsel Robert Mueller, the former FBI director who is looking into Russian interference in the 2016 vote and whether any members of Trump's campaign colluded with Moscow.

The indictment accuses members of Russia's military intelligence agency known as the GRU of carrying out "large-scale cyber operations" to steal Democratic Party documents and emails.

Deputy Attorney General Rod Rosenstein, who announced the indictment at a press conference in Washington, said "there's no allegation in this indictment that any American citizen committed a crime."

Rosenstein said "the conspirators corresponded with several Americans during the course of the conspiracy through the internet."

However, "there's no allegation in this indictment that the Americans knew they were corresponding with Russian intelligence officers," he said.

Rosenstein also stressed that "there's no allegation that the conspiracy changed the vote count or affected any election result."

Rosenstein said he briefed Trump about the indictment before Friday's announcement and that the timing was determined by "the facts, the evidence, and the law."

The deputy attorney general's press conference came as Trump was meeting Queen Elizabeth II and just three days before his meeting with Putin in Helsinki.

- Calls to cancel Putin meeting -

Senator Chuck Schumer, the Democratic Senate minority leader, immediately called on Trump to cancel the Putin talks.

"These indictments are further proof of what everyone but the president seems to understand: President Putin is an adversary who interfered in our elections to help President Trump win," Schumer said in a statement.

"President Trump should cancel his meeting with Vladimir Putin until Russia takes demonstrable and transparent steps to prove that they won't interfere in future elections," he said.

Speaking earlier Friday, before the indictments were announced, Trump said he would ask Putin about the allegations of Russian election meddling.

"I will absolutely, firmly ask the question, and hopefully we'll have a good relationship with Russia," he told a joint press conference with British Prime Minister Theresa May.

But he simultaneously denounced the Mueller investigation as a "rigged witch hunt," and said he has been "tougher on Russia than anybody."

"We have been extremely tough on Russia," Trump said.

The US president recalled that 60 intelligence officers were expelled from the Russian embassy in Washington in response to a nerve agent attack on a former Russian spy in Britain.

Russia has denied any involvement in the attack and rejected accusations that it interfered in the US presidential election in a bid to bring about the defeat of Democrat Hillary Clinton.

Rosenstein said 11 of the Russians indicted Friday were charged with "conspiring to hack into computers, steal documents, and release those documents with the intent to interfere in the election.

"One of those defendants and a 12th Russian are charged with conspiring to infiltrate computers of organizations involved in administering elections," he added.

"The defendants accessed email accounts of volunteers and employees of a US presidential campaign, including the campaign chairman starting in March of 2016," the deputy attorney general said.

"They also hacked into the computer networks of a congressional campaign committee and a national political committee."


Departing Apple Engineer Stole Autonomous Car Tech: FBI
18.7.18 securityweek  BigBrothers

An ex-Apple engineer on Monday was charged with stealing secrets from a hush-hush self-driving car technology project days before he quit to go to a Chinese startup.

Xiaolang Zhang was in custody for stealing trade secrets from the Apple project, according to a copy of the criminal complaint posted online.

The charge is punishable by 10 years in prison and a $250,000 fine.

"Apple takes confidentiality and the protection of our intellectual property very seriously," the California-based internet titan said in response to an AFP query.

"We're working with authorities on this matter and will do everything possible to make sure this individual and any other individuals involved are held accountable for their actions."

Zhang was hired by Apple in December of 2015 to be part of a team developing hardware and software for self-driving vehicles, a project that was a "closely-guarded secret," according to the complaint filed by the FBI.

Zhang took paternity leave in the month of April, going with his family to China.

Upon his return to Apple at the end of April, he told a supervisor he was quitting to return to China to be near his ailing mother.

Zhang mentioned he planned to go work for a Chinese self-driving vehicle startup called Xiaopeng Motors, or XMotors, in Guangzhou, according to the complaint.

The supervisor thought Zhang "evasive" and brought in an Apple product security team, which had Zhang turn in all company devices and walked him off campus, according to the filing.

Apple security found that Zhang's activity on the company network surged "exponentially" in the days before he returned from paternity leave.

Zhang did searches of confidential databases, and downloaded technical files, the criminal complaint said.

Documents downloaded by Zhang included some on topics such as "prototypes," according to the case against him.

Apple also had closed-circuit camera recording of Zhang going into autonomous driving tech team labs late on a Saturday night while he was on paternity leave, according to the filing.

Zhang later admitted to taking circuit boards and a Linux server from the hardware lab, and to transferring some Apple files to his wife's computer, the FBI said in the complaint.

Zhang was "voluntarily terminated" from Apple in early March, and FBI agents searched his home in June as part of their investigation.

Zhang told the FBI at that time he was working at XMotors offices in Silicon Valley, according to the complaint.

Zhang was heading to China with a "last-minute round-trip ticket" when FBI agents arrested him at an airport in the Silicon Valley city of San Jose, the filing said.


Outdated DoD IT Jeopardizes National Security: Report
18.7.18 securityweek  BigBrothers

Failure to Modernize Legacy DoD Systems is Putting U.S. National Security in Jeopardy, Report Claims

In a new study titled 'Innovation Imperative: The Drive to Modernize DoD', Meritalk queried 150 federal IT managers working in Department of Defense (DoD) organizations. The stated objective was "to understand the state of their IT infrastructure and applications." This was to include levels of satisfaction, an indication of where missions are being met or missed, and what should be done next.

In fact, this report is solely about DoD IT managers' attitude towards cloud migration -- which is perhaps unsurprising since the survey was underwritten by AWS and Red Hat.

The results confirm a strong belief that cloud is the way forward -- and perhaps the only way for the U.S. military to maintain an advantage over the world's other superpowers: China and, increasingly, Russia. For example, 80% of the respondents say the DoD needs to improve its use of cloud to maintain the military’s technical advantage and support mission success; and 81% say accelerating DoD’s adoption of cloud is critical.

86% of respondents said that failing to modernize legacy DoD systems is putting U.S. national security in jeopardy.

The increasing use of artificial intelligence and big data analytics by the military, the need for more efficient data sharing between agencies, and the power to transcribe and translate massive amounts of recorded voice in almost real time can only be served by the power and flexibility of the cloud.

Respondents to the survey specifically see DoD cloud adoption as important for big data analytics (85%), electronic warfare (83%), shared services (82%), DevOps (81%), AI (77%), IoT (73%), machine learning (72%) and blockchain (61%). But this understanding is not new to the DoD.

The Joint Enterprise Defense Infrastructure (JEDI) initiative is a plan for the DoD to acquire its own commercial cloud infrastructure suitable to hold DoD data at all classification levels, and available to any organization in DoD. It is a massive project spread over a ten-year ordering period, and thought to have a budget of around $10 billion over that timeframe.

It is believed that the DoD's preference is to award the project to a single provider; and it is equally believed that AWS is the frontrunner. Smaller existing cloud providers would lose out, and have been lobbying for a multi-provider approach. Microsoft, Google and IBM are also rumored to be interested in bidding for the project.

There is little mention of JEDI within the Meritalk survey. However, 51% of the respondents said they believe that a single-vendor cloud solution has more pros than cons. Sixty-three percent said that talk about JEDI has had "a positive impact on the pace of their organization’s IT modernization efforts"; and "72% feel utilizing multiple cloud vendors would increase the complexity of their organization’s system integrations."

The Meritalk survey, underwritten by AWS and Red Hat, offers strong support for the DoD's single supplier JEDI preference, where AWS (most probably backed by Red Hat software) is the frontrunner.

But regardless of who wins the JEDI provider contract, the survey also demonstrates that DoD IT managers are ready to increase their migration to the cloud. More than 50% of the respondents would recommend moving 50% of their current data to the cloud (13% would move 'the vast majority' of their data). They are unlikely -- and in some cases for reasons of national security unable -- to adopt a cloud-only strategy.

This will set the DoD on a path directly parallel to that faced by commercial enterprises today -- to what extent should existing infrastructures and data be migrated to the cloud, how can it be achieved, and how can it be secured. The one major difference is that the DoD already knows which cloud; that is, the JEDI cloud.

"The survey shows that the interest and promise of the cloud is well recognized, but the DoD would benefit from the lessons being learned right now by large private enterprises going through the same processes," Ken Spinner, VP of field engineering at Varonis told SecurityWeek. "Private industry, which is often recognized for its agility and embrace of new technologies, still largely works with a hybrid mix of cloud and on-premises systems and storage."

"One thing is certain," agrees Rick Moy, head of marketing at Acalvio: "hybrid networks, or cloud and on-premises." Both agree that adoption of JEDI -- or any other cloud solution -- will present the DoD organizations with both challenges and opportunities.

"There’s no easy button and the cloud is not without risks," says Spinner. "Another concern, and perhaps the weakest link, are the defense contractors that access confidential intelligence as part of their daily workload. It’s far too tempting for a few bad actors to breach a system and attempt to steal data -- the cloud needs to be protected just like on-premises systems and data. Another challenge will be to ensure that the security capabilities people currently have with on-prem solutions are available and tested with both pure cloud solutions and hybrid solutions."

But Moy adds the possibility of 'starting over'. "I would argue that a move to cloud represents a fresh opportunity to build in better security and advanced monitoring capabilities," he told SecurityWeek: "ones that we may have overlooked in on-premises deployments. For instance, unified policy, access controls, deception, logging and monitoring, and so on."

The JEDI project shows that the DoD hierarchy is already set on a cloud future; and the Meritalk survey shows that individual DoD IT managers are ready for the challenge. "As DoD knows," concludes the Meritalk report, "cloud isn’t the final destination -- but it sets the foundation for necessary innovation, collaboration, and next-generation technologies like big data analytics, shared services, AI, and electronic warfare. Agencies must keep their eyes on the future and consider cloud in terms of broader IT modernization efforts government-wide."


Fitness App Revealed Data on Military, Intelligence Personnel
12.7.18 securityweek  BigBrothers

Mobile fitness app Polar has suspended its location tracking feature after security researchers found it had revealed sensitive data on military and intelligence personnel from 69 countries.

The revelation about the Finland-based Polar Flow app comes months after another health app, Strava, was found to have shown potentially sensitive information about US and allied forces around the world.

Security researchers in the Netherlands said Sunday they were able to find data on some 6,000 individuals including military personnel from dozens of countries and employees of the FBI and National Security Agency.

The disclosure illustrates the potential security risks of using fitness apps which can track a person's location, and which may be "scraped" for espionage.

"With only a few clicks, a high-ranking officer of an airbase known to host nuclear weapons can be found jogging across the compound in the morning," security researcher Foeke Postma said in a blog post Sunday after an investigation with the Dutch news organization De Correspondent.

"We can find Western military personnel in Afghanistan through the Polar site. Cross-checking one name and profile picture with social media confirmed one soldier or officer's identity."

The investigation found detailed personal information, including home addresses, of military personnel, persons serving on submarines, Americans in the Green Zone in Baghdad and Russian soldiers in Crimea, the researchers said.

Polar said in a statement it was suspending the app's feature that allowed users to share data, while noting that any data made public was the result of users who opted in to location tracking.

"It is important to understand that Polar has not leaked any data, and there has been no breach of private data," the statement said.

It said the location tracking feature "is used by thousands of athletes daily all over the world to share and celebrate amazing training sessions."

According to De Correspondent, only about two percent of Polar users chose to share their data, but that nonetheless allowed anyone to discover potentially sensitive data from military or civilian personnel.

"We found the names and addresses of personnel at military bases including Guantanamo Bay in Cuba, Arbil in Iraq, Gao in Mali, and bases in Afghanistan, Saudi Arabia, Qatar, Chad, and South Korea," the report said.

In January, the Pentagon said it was reviewing its policies on military personnel use of fitness application after Strava's map showed a series of military bases in Iraq as well as sites in Afghanistan.


Polar fitness app broadcasted sensitive data of intelligence and military personnel
11.7.18 securityaffairs BigBrothers

The Mobile fitness app Polar has suspended its location tracking feature due to the leakage of sensitive data on military and intelligence personnel.
A new privacy incident involves a fitness application and the military. This time the mobile fitness app Polar has suspended its location tracking feature due to the leakage of sensitive data on military and intelligence personnel from 69 countries.

This is the second such incident in a few months: in January, experts discovered that military personnel worldwide had publicly shared online their exercise routes recorded through the fitness tracker Strava, revealing training sessions conducted inside or near military bases.

During the weekend, Dutch security experts revealed they were able to find data on some 6,000 individuals including military personnel from dozens of countries and FBI and National Security Agency personnel.

According to an investigation by the news website Bellingcat and the Dutch news outlet De Correspondent, the fitness devices were leaking data belonging to military or intelligence officials that could be exploited by threat actors to spy on them.

“With only a few clicks, a high-ranking officer of an airbase known to host nuclear weapons can be found jogging across the compound in the morning,” explained the security researcher Foeke Postma, who investigated the case with the Dutch news outlet De Correspondent.

“We can find Western military personnel in Afghanistan through the Polar site. Cross-checking one name and profile picture with social media confirmed one soldier or officer’s identity.”


The experts discovered detailed personal information, including home addresses, of military personnel, persons serving on submarines, Americans in the Green Zone in Baghdad and Russian soldiers in Crimea.

The exposure of such data poses serious risks to military personnel, as reported in a post published by Defensenews.com.

“Bellingcat was able to pinpoint the name of a “high-ranking officer” at a base known to host nuclear weapons. It took just a few clicks. Using the Polar Flow app and other information found on the internet, De Correspondent was able to collect a disturbing amount of one Dutch soldier’s personal information.” reads the blog post published by Defensenews.com.

“They found the name of the soldier, the fact he was stationed at one of the key locations where the war against the Islamic State is being waged from, the soldier’s home address, and the names of his wife and kids.”

In response to the privacy incident, Polar has disabled the feature that allowed users to share data and pointed out that any data made public was the result of users who opted in to location tracking.

The company has already implemented a number of measures to mitigate the exposure of its users, along with suspending the Flow Explore feature until further notice.

The location tracking feature allows thousands of athletes all over the world to share data related to their training sessions every day.

“If there hasn’t been a data breach, why have you suspended the Explore feature?

While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations were appearing in public data, and have made the decision to suspend the Explore until further notice.” reads the statement published by Polar.

“I have seen statements that suggest that Polar leaked data – Did Polar leak any data? Contrary to what has been reported, it’s important to clarify that Polar has not leaked any data. Furthermore, there has been no breach of private data.”

The De Correspondent investigation revealed that only about two percent of Polar users chose to share their data, yet journalists and experts were still able to collect sensitive data on military and civilian personnel.

“We found the names and addresses of personnel at military bases including Guantanamo Bay in Cuba, Arbil in Iraq, Gao in Mali, and bases in Afghanistan, Saudi Arabia, Qatar, Chad, and South Korea,” states the De Correspondent report.


Chinese hackers breached into systems at Australian National University … and are still there
6.7.18 securityaffairs BigBrothers

Chinese hackers breached the systems of Australian National University (ANU) and, according to the experts, they are still there.
Chinese hackers continue to target organizations worldwide; this time attackers based in China breached the systems of Australian National University (ANU), one of the most prestigious Australian universities.

The bad news is that experts are still working to lock the hackers out, because the threat is still active in the university's network.

“The ABC has been told the Australian National University (ANU) system was first compromised last year.” reported the ABC news.

The ANU had been working with intelligence agencies for several months to contain the threat and minimize its impact.

“The university has been working in partnership with Australian government agencies for several months to minimise the impact of this threat, and we continue to seek and take advice from Australian government agencies,” reads the official statement published by the Australian National University.

“Current assessments indicate no staff, student or research information has been taken and counter-measures are being undertaken.”


The Cyber Security Minister Angus Taylor pointed out that the Australian Government “condemns any malicious activity” that targets the systems of the country.

“We know that nation states and criminal groups actively target research and tertiary institutions to steal the intellectual property of hardworking Australians,” he said.

“Malicious cyber activity against Australia’s national interests, whether from criminal syndicates or foreign states, is increasing in frequency, sophistication and severity, and the Australian Government’s highest priority is ensuring Australians are safe and our interests are secure.”

Mr Taylor confirmed that the Australian Cyber Security Centre (ACSC) had been supporting ANU in this case.

“The Australian Cyber Security Centre works closely with any affected organisations to reduce the likelihood of threat actors being successful and to help them recover when they are compromised,” he said.

Australian systems are a constant target: in October 2016 a report published by the Australian Cyber Security Centre confirmed that the Australian Bureau of Meteorology hack was carried out by foreign cyber spies.

In December 2015 the Australian Broadcasting Corporation (ABC) revealed that a supercomputer operated by the Australian Bureau of Meteorology (BoM) had been hit by a cyber attack. The Bureau of Meteorology is Australia’s national weather, climate, and water agency, the analog of the USA’s National Weather Service.

The Bureau of Meteorology supercomputer targeted by the hackers is also used to provide weather data to defense agencies, so its compromise could give a persistent attacker a significant advantage for numerous reasons.

Initial media reports blamed China for the cyber attack; in 2013 Chinese hackers were accused by authorities of stealing top-secret documents and plans for Australia’s new intelligence agency headquarters.


Hamas cyber-operatives lure Israeli soldiers to spyware hidden in tainted apps

6.7.18 securityaffairs BigBrothers

Israeli military intelligence accused Hamas operatives of creating tainted apps to lure soldiers into downloading spyware onto their phones.
According to a report published by the Israeli military, Hamas hackers are attempting to lure Israel Defence Forces (IDF) soldiers into installing tainted apps on their devices.

The Israeli military has already blamed Hamas for similar attacks, but this time the hackers managed to distribute the apps through the official Google Play Store to increase their likelihood of success.

The experts from the Israeli firm ClearSky have identified the following apps:

WinkChat – com.winkchat.apk (dating app)
GlanceLove – com.coder.glancelove.apk (dating app)
Golden Cup – anew.football.cup.world.com.worldcup.apk (World Cup app)

Hamas operatives created a number of fake Facebook profiles using photos of attractive women to lure IDF soldiers into private conversations, then trick them into installing one of the compromised apps.

Israeli military officials explained that Hamas operatives adopted the same tactic in a campaign launched in January.

In January, the hackers used the profile of a woman named “Elianna Amer”; in these latest attacks, which lasted at least three months, they used the profile of a woman named “Lina Kramer.”

“I got a message on Facebook that looked innocent at first, from someone named Lina Kramer, we started talking on Facebook, then we moved to Whatsapp, and then she asked me to download an app called GlanceLove,” explained a former IDF soldier.

“At this stage, my suspicion was final, and I decided to consult a friend who helped me understand that it was a fictitious profile with malicious intentions. From there I turned to the information security officer in my unit who helped me.”

According to Israeli army intelligence officers, the attacks failed to damage military security.

“No damage was done, as we stopped it in time,” one of the officers said.

The Israeli newspaper Haaretz provided a different account of the facts, reporting that at least “hundreds” of soldiers were infected.

“Hamas managed to hack into the phones of hundreds of Israeli soldiers using dating and World Cup apps and managed to gather sensitive information about the military and some of its bases around the Gaza strip.” reported Haaretz.

“The apps allowed malicious software controlled by Hamas to be planted into Android smartphones, enabling militants in the Strip to access pictures, phone numbers and email addresses of soldiers posted close to the border, and even allowed Hamas to control the phones’ cameras and microphones remotely.”

The analysis of the apps revealed they were tainted with spyware that can take over devices and exfiltrate sensitive data.

According to the experts, the threat actor behind these attacks is codenamed Arid Viper.

In 2015, security experts at Trend Micro uncovered a cyber espionage campaign, dubbed Operation Arid Viper, that targeted Israeli institutions. Operation Arid Viper was run by Arabic-speaking hackers who sought to extract sensitive documents by sending phishing emails. The phishing campaigns targeted government offices, infrastructure providers, a military organization, and academic institutions in Israel and Kuwait.

In the past, security experts linked Hamas operatives to another APT tracked as Gaza Cybergang (Gaza Hackers Team or Molerats).


NHS Digital Erroneously Reveals Data of 150,000 Patients
5.7.18 securityweek BigBrothers

On Monday July 2, Jackie Doyle-Price, the parliamentary under-secretary of state for health, delivered a written statement to the UK parliament. It explained that 150,000 NHS patients who had specifically opted out of the NHS patient data-sharing regime were in fact not opted out.

"As a result," says the statement, "these objections were not upheld by NHS Digital in its data disseminations between April 2016, when the NHS Digital process for enabling them to be upheld was introduced, and 26 June 2018. This means that data for these patients has been used in clinical audit and research that helps drive improvements in outcomes for patients."

NHS Digital is the national information and technology partner to the health and social care system. It has responsibility for standardizing, collecting and publishing data and information from across the health and social care system in England. It is therefore responsible for storing and disseminating NHS patient data to those qualified to receive it.

On the same day, NHS Digital released its own statement. "We apologize unreservedly for this issue, which has been caused by a coding error by a GP system supplier (TPP) and means that some people's data preferences have not been upheld when we have disseminated data. The TPP coding error meant that we did not receive these preferences and so have not been able to apply them to our data."

It seems that a software error in an application named SystmOne, written by software firm TPP and designed to allow patients to opt out of data sharing at their local NHS surgery, failed to record the objections. Those objections were therefore not relayed to NHS Digital. Since the system relies on patients opting out rather than opting in to data sharing, NHS Digital assumed that all patients had agreed.

The software error was detected on 28 June, three years after SystmOne was released, when TPP switched to a new system. Neither Jackie Doyle-Price nor NHS Digital has given figures on how many times this data might have been erroneously shared externally during this period. However, NHS Digital compiles and publishes a register of organizations that receive patient data. The most recent publication (XLS) covers the period from December 2017 to February 2018. It shows that patient data was shared more than 5,300 times in these three months.

It also shows whether the data shared is considered sensitive or non-sensitive, and whether it was anonymized or identifiable. The anonymization is performed in accordance with the UK data protection regulator's requirements, but many privacy activists do not believe that anonymization is irreversible.

"As part of our commitment to the secure and safe handling of health data, on 25 May 2018 [the date on which GDPR became required] the Government introduced the new national data opt-out. The national data opt-out replaces Type 2 objections. This has simplified the process of registering an objection to data sharing for uses beyond an individual's care. The new arrangements give patients direct control over setting their own preferences for the secondary use of their data and do not require the use of GP systems, and therefore will prevent a repeat of this kind of GP systems failure in the future."

It remains an opt-out of data sharing rather than an opt-in to data sharing -- the latter being generally required by GDPR.

Dr John Parry, Clinical Director at TPP, said: "TPP and NHS Digital have worked together to resolve this problem swiftly. The privacy of patient data is a key priority for TPP, and we continually make improvements to our system to ensure that patients have optimum control over information. In light of this, TPP apologizes unreservedly for its role in this issue."

NHS Digital added, "We are confident that we are now respecting all opt-outs that have been recorded in the system. We will also be contacting organizations with whom we have shared data that may have been affected, and work with them to destroy the data where possible."

In an emailed comment, Mike Smart, a security strategist at Forcepoint, told SecurityWeek, "In this case, it appears the underlying program left patient data exposed, even though each party involved in handling the data was aware of the privacy policy settings. It's a clear indicator that relying too heavily on software will cause these mistakes to happen in the future. We can't afford to leave out the human element when deciding how we protect sensitive data, and must involve creative and lateral thinking in the testing and final checking stage before software goes live."


Israel Accuses Hamas of Targeting Soldiers With World Cup App
4.7.18 securityweek BigBrothers

Tel Aviv - Israeli military intelligence on Tuesday accused Hamas hackers of creating a World Cup app and two online dating sites to tempt soldiers into downloading spyware onto their phones.

Briefing journalists at national defence headquarters in Tel Aviv, army intelligence officers said the scam by members of the Palestinian Islamist movement that runs the Gaza Strip failed to damage military security.

"No damage was done, as we stopped it in time," one of the officers said, with the military's response codenamed "Operation Broken Heart".

But he said the attempt showed the Islamist militants had adopted new tactics since a similar attempt was revealed in January 2017.

The emphasis then was solely on the dating game, with the hackers posing online as attractive young women seeking to lure men in uniform into long chats.

This time the traps were aimed at both sexes and there was the additional bait of World Cup action with an app offering "HD live streaming of games, summaries and live updates".

Attackers used stolen identities to create more convincing fake Facebook profiles of young Israelis, written in fluent Hebrew studded with current slang.

"What Hamas is bringing to the table is a very good knowledge of our young people and their state of mind," another officer said. Asked how he could be sure Hamas was behind the online offensive, he declined to say but insisted there was no doubt.

The assailants uploaded their custom-built Golden Cup, Wink Chat and Glance Love applications to the Google Store, to make them seem legitimate, according to the officers.

Using Facebook sharing and Whatsapp messages, they urged young men and women performing Israel's compulsory military service to download the infected apps.

Once on the recipient's phone, officers said, the device could be taken over to covertly take and send photographs, eavesdrop on conversations, copy stored files and pictures and transmit location details.

But in most cases, they said, soldiers did not download the apps and informed their superiors of their suspicions.

Google has since deleted the apps from its store, they added.

They said that awareness of the potential risk had soared since the army publicised the previous attempts.

"Thanks to the soldiers' vigilance, Hamas' intelligence infrastructure was exposed before it caused actual security damage," army briefing notes said. Israel and Palestinian militants in Gaza have fought three wars since 2008.

In March 2016 a Palestinian from Gaza was charged with hacking into Israeli military drones.


Iranian Hackers Impersonate Israeli Security Firm
4.7.18 securityweek BigBrothers

A group of Iranian hackers focused on cyber-espionage recently set up a website impersonating ClearSky Cyber Security, the Israeli firm that exposed their activities not long ago.

The hackers, tracked as APT35 and also known as NewsBeef, Newscaster, and Charming Kitten, have been active since at least 2011, with their activities detailed for the first time several years ago.

In December 2017, ClearSky Cyber Security published a report detailing the group’s activities during the 2016-2017 timeframe. The security firm not only described the actor’s infrastructure, but also provided information on DownPaper, a new piece of malware the hackers had been using.

The security firm exposed the link between the group and Behzad Mesri, also known as Skote Vahshat, who was charged in November 2017 with the hacking of HBO. Furthermore, the researchers also managed to establish the identity of two other alleged members of the group.

Roughly half a year after the report was published, the security firm announced on its Twitter account that the hackers built their own site impersonating ClearSky.

“#CharmingKitten built a phishing website impersonating our company. The fake website is clearskysecurity\.net (the real website is http://clearskysec.com),” the security firm announced.

The advanced persistent threat (APT) apparently copied entire pages from the legitimate website, but also changed one of them to include a sign in option with multiple services. Anyone entering credentials there would have had them sent to the actor instead.

“These sign in options are all phishing pages that would send the victim's credentials to the attackers. Our legitimate website does not have any sign in option. It seems that the impersonating website is still being built because some of the pages have error messages in them,” the security firm announced.

One of the pages on the fake website, the security researchers discovered, featured content related to a Charming Kitten campaign that ClearSky exposed only several weeks ago. That page, however, wasn’t customized to look like the security firm’s website.

The fake website started being flagged as deceptive soon after ClearSky discovered it. The security firm says that its employees, services, and customers were not affected.

Over the past few years, security researchers have managed to link various hacking groups to Iran, including APT33, Rocket Kitten, Magic Hound, and CopyKittens, and have even revealed that they tend to share infrastructure and malware code.


NSA began deleting all call detail records (CDRs) acquired since 2015
3.7.18 securityaffairs BigBrothers

NSA is deleting hundreds of millions of records of phone calls and text messages dating back to 2015 due to technical irregularities.
The US National Security Agency announced it is deleting hundreds of millions of records of phone calls and text messages dating back to 2015 due to technical irregularities in some data received from telecommunications service providers.

“Consistent with NSA’s core values of respect for the law, accountability, integrity, and transparency we are making public notice that on May 23, 2018, NSA began deleting all call detail records (CDRs) acquired since 2015 under Title V of the Foreign Intelligence Surveillance Act (FISA)” reads the announcement published by the NSA.

“NSA is deleting the CDRs because several months ago NSA analysts noted technical irregularities in some data received from telecommunications service providers.”

Title V of the Foreign Intelligence Surveillance Act (FISA) and the USA Freedom Act of 2015 allow the intelligence agencies to collect call metadata related to certain types of calls involving persons of interest whose activity may pose a threat to homeland security.

The National Security Agency received more call detail records (CDRs) than it was allowed to retain under the current legal framework.

The NSA decided to destroy the data because it was infeasible to identify and isolate the properly produced records.

“Consequently, NSA, in consultation with the Department of Justice and the Office of the Director of National Intelligence, decided that the appropriate course of action was to delete all CDRs. NSA notified the Congressional Oversight Committees, the Privacy and Civil Liberties Oversight Board, and the Department of Justice of this decision.” continues the announcement.

The National Security Agency started deleting the CDRs on May 23 this year, more than a month ago.


The intelligence agency also confirmed it has addressed the root cause of the problem for future CDR acquisitions.

The National Security Agency reported the problem to the Congressional Oversight Committees, the Privacy and Civil Liberties Oversight Board, and the Department of Justice, which notified the Foreign Intelligence Surveillance Court.

This isn’t the first incident of this kind: civil liberties journalist Marcy Wheeler last year published a catalog of all the times the National Security Agency had violated FISA since the Stellar Wind phone dragnet was brought under FISA in 2004.


Russia Expert to Lead Canada's Electronic Eavesdropping Agency
29.6.18 securityweek  BigBrothers

A Russia expert was appointed Wednesday to lead Canada's electronic eavesdropping agency, amid ongoing concerns of Russian hacking and meddling in Western elections.

Shelly Bruce moves up from number two at the Communications Security Establishment (CSE) to replace her former boss, outgoing CSE head Greta Bossenmaier.

Bruce studied Russia and Slavic languages at university before joining the CSE in 2004 as director of intelligence, and quickly moved up the ranks.

Her appointment as the head of the CSE comes only two months after Ottawa moved to safeguard Canada's elections from cyber threats and "foreign interference," following accusations of Russia meddling in the last US election, which Russia has denied.

Canada's next federal election is scheduled for 2019.

Also in April, G7 foreign ministers called on Russia to come clean about a nerve agent attack on a former spy in Britain, calling it in a joint statement "a threat to us all."

Western nations had a month prior expelled 150 Russian diplomats in a coordinated action against Moscow in support of Britain, and Russia retaliated with similar moves.

They included four diplomats serving at either Russia's embassy in Ottawa or its consulate in Montreal who were "identified as intelligence officers or individuals who have used their diplomatic status to undermine Canada's security or interfere in our democracy," Foreign Minister Chrystia Freeland said then.

Canada is a member of the US-led Five Eyes intelligence gathering alliance.

The CSE last year urged Ottawa to step up its hacking countermeasures, after identifying between 2013 and 2015 approximately 2,500 state-sponsored hacking attempts.


Ops … the DoublePulsar NSA-Linked implant now works also on Windows Embedded devices
28.6.18 securityaffairs BigBrothers

This is very bad news for the security community: the NSA-linked DoublePulsar implant can now target Windows Embedded devices.
DoublePulsar was released publicly in April 2017 by the Shadow Brokers, the hackers who allegedly stole it from the NSA.

The hackers leaked a huge trove of hacking tools and exploit code used by the US intelligence agency; most of the Windows exploits had been addressed by Microsoft the month before.

DoublePulsar is a sophisticated SMB backdoor that allows attackers to control infected systems; since its leak it has worked on almost any Windows system except devices running a Windows Embedded operating system.

News of the day is that a security researcher who goes by the online moniker Capt. Meelo has developed a version of the DoublePulsar exploit code that also works on devices running a Windows Embedded operating system.

The researcher discovered that even though devices running a Windows Embedded operating system are vulnerable to the exploits, the relevant Metasploit modules wouldn’t work on them.

To confirm this hypothesis, the researcher used the NSA FuzzBunch exploit code and discovered that the target device was indeed vulnerable via the EternalBlue exploit.

“I then quickly used the EternalBlue module and the result was successful – the backdoor was successfully installed on the target. So I guessed the authors of the MSF exploit modules just forgot to add the support for Windows Embedded version. ” wrote the expert in a blog post.

“Since the backdoor was already installed, the last thing that needs to be done to complete the exploitation and gain a shell was to use DoublePulsar.”

In summary, the researcher was able to carry out the EternalBlue attack against the target device, but the deployment of the DoublePulsar backdoor was failing, so he decided to analyze the implant to discover why.

What he found was that one simple line of code was enough to make it work on Windows Embedded.

DoublePulsar was designed to check the Windows version on the target machine and take one installation path on Windows 7 or another (and perform other OS checks) on other platform iterations. However, there was no check for Windows Embedded, which generated an error message.

By simply modifying an instruction in the “Windows 7 OS Check,” the researcher was able to force the implant into taking that specific installation path.

“To do this, I went to Edit > Patch program > Change byte. Then I changed the value 74 (opcode of JZ) to 75 (opcode of JNZ). I then created a DIF file by going to File > Produce file > Create DIF file,” Capt. Meelo explains.

The expert used @stalkr_’s script (https://stalkr.net/files/ida/idadif.py) to apply the DIF file to the exe, and then moved the modified Doublepulsar-1.3.1.exe back to its original location.

This trick allowed him to inject the generated DLL payload into the target host.


France Also Interested in Greece's Russian Bitcoin Suspect
28.6.18 securityweek BigBrothers

France has joined the US and Russia in seeking the extradition of a Russian held in Greece for allegedly laundering $4 billion using the bitcoin digital currency, a court source said Wednesday.

The French warrant says Alexander Vinnik, who headed bitcoin exchange BTC-e, had defrauded over 100 people in six French cities between 2016 and 2018.

He is sought for extortion, money laundering and crimes committed online, the court source said.

Vinnik has been held in jail since his arrest last July in the northern Greek tourist resort of Halkidiki. He denies the accusation.

He was indicted by a US court last year on 21 charges ranging from identity theft and facilitating drug trafficking to money laundering.

Greece's Supreme Court in December said Vinnik should be extradited to the US, but the final decision is up to the Greek justice minister.

Russia has also filed a demand to extradite Vinnik so he can stand trial on separate fraud charges.

BTC-e, founded in 2011, became one of the world's largest and most widely used digital currency exchanges.

According to the US indictment, it was "heavily reliant on criminals".

In addition, BTC-e "was noted for its role in numerous ransomware and other cyber-criminal activity".

It allegedly received more than $4 billion (3.5 billion euros) worth of Bitcoin over the course of its operation.

Vinnik was also charged with receiving funds from the infamous hack of Mt. Gox -- an earlier digital currency exchange that eventually failed, in part due to losses attributable to hacking.

The US Treasury Department has slapped BTC-e with a $110 million fine for "wilfully violating" US anti-money laundering laws. Vinnik himself has been ordered to pay $12 million.

In Russia, Vinnik is wanted on separate fraud charges totalling 9,500 euros.

He has said he would accept extradition to his home country.


NSA-Linked Implant Patched to Work on Windows Embedded
28.6.18 securityweek BigBrothers

DoublePulsar, one of the hacking tools the Shadow Brokers supposedly stole from the National Security Agency (NSA)-linked Equation Group, can now run on Windows Embedded devices.

The backdoor was released publicly in April last year along with a variety of Windows exploits that Microsoft had patched the month before. It is a sophisticated, multi-architecture SMB (Server Message Block) backdoor that can stay well hidden on infected machines.

In addition to SMB, it is also used as the primary payload in RDP (Remote Desktop Protocol) exploits in the NSA’s FuzzBunch software (an exploitation framework that resembles Rapid7’s Metasploit).

As it turns out, although it would work on a wide range of Windows releases, DoublePulsar wouldn’t work on devices running a Windows Embedded operating system, even though the platform itself is vulnerable to the NSA-linked exploits, a security researcher who uses the online handle Capt. Meelo says.

Windows Embedded, the researcher discovered, was indeed vulnerable to the exploits, but the relevant Metasploit modules wouldn’t work on it. Using FuzzBunch, however, he verified that the target device was indeed vulnerable via the EternalBlue exploit.

While exploitation via the EternalBlue module was successful, the installation of DoublePulsar failed, so the researcher decided to analyze the implant to discover why.

What he found was that one simple line of code was enough to make it work on Windows Embedded.

DoublePulsar was designed to check the Windows version on the target machine and take one installation path on Windows 7 or another (and perform other OS checks) on other platform iterations. However, there was no check for Windows Embedded, which generated an error message.

By simply modifying an instruction in the “Windows 7 OS Check,” the researcher was able to force the implant into taking that specific installation path.

“To do this, I went to Edit > Patch program > Change byte. Then I changed the value 74 (opcode of JZ) to 75 (opcode of JNZ). I then created a DIF file by going to File > Produce file > Create DIF file,” Capt. Meelo explains.

Using a script from a security enthusiast who calls himself StalkR, he then patched the modified .exe file and then moved the modified Doublepulsar-1.3.1.exe back to its original location. This resulted in a successful injection of the generated DLL payload to the target host.
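Both DoublePulsar articles above describe the same one-byte change recorded in an IDA DIF file. The following is an added example, not Capt. Meelo's or StalkR's code: a small parser for that DIF format from an analyst's side, used to tell whether a sample on hand matches the original or the patched bytes before trusting any verdict about it. The DIF line layout (hex file offset, original byte, new byte) is assumed from IDA's export; the binary blob and DIF text are constructed here and are not the real implant.

```python
import re
from dataclasses import dataclass
from typing import List

# One patch line of an IDA "Create DIF file" export, e.g. "000004A2: 74 75".
# Layout assumed from IDA's output: file offset, original byte, new byte.
DIF_LINE = re.compile(r"^([0-9A-Fa-f]+):\s*([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s*$")

# x86 short conditional jumps sharing the same rel8 operand. Flipping 0x74 to
# 0x75 inverts the branch while leaving the jump target untouched, which is the
# single-byte change the articles describe in the "Windows 7 OS Check".
OPCODE_NAMES = {0x74: "JZ rel8", 0x75: "JNZ rel8"}


@dataclass(frozen=True)
class BytePatch:
    offset: int
    old: int
    new: int


def parse_dif(text: str) -> List[BytePatch]:
    """Extract byte patches from DIF text; header and filename lines are skipped."""
    patches = []
    for line in text.splitlines():
        m = DIF_LINE.match(line.strip())
        if m:
            patches.append(BytePatch(int(m.group(1), 16), int(m.group(2), 16), int(m.group(3), 16)))
    return patches


def classify(data: bytes, patches: List[BytePatch]) -> str:
    """Report whether a sample carries the DIF's 'before' bytes, 'after' bytes, a mix, or neither."""
    matches_old = sum(1 for p in patches if p.offset < len(data) and data[p.offset] == p.old)
    matches_new = sum(1 for p in patches if p.offset < len(data) and data[p.offset] == p.new)
    if matches_old == len(patches):
        return "original"
    if matches_new == len(patches):
        return "patched"
    if matches_old + matches_new == len(patches):
        return "mixed"
    return "unknown"


def patch_applies(data: bytes, patches: List[BytePatch]) -> bool:
    """True only if every offset is in range and still holds the DIF's original byte."""
    return all(p.offset < len(data) and data[p.offset] == p.old for p in patches)


def apply_patches(data: bytes, patches: List[BytePatch]) -> bytes:
    """Apply the DIF, refusing to touch a file whose bytes do not match the 'before' column."""
    if not patch_applies(data, patches):
        raise ValueError("binary does not match the DIF's original bytes; refusing to patch")
    buf = bytearray(data)
    for p in patches:
        buf[p.offset] = p.new
    return bytes(buf)


def describe(patches: List[BytePatch]) -> List[str]:
    """Human-readable summary of each patch, naming the opcodes where known."""
    return [
        f"{p.offset:08X}: {p.old:02X} ({OPCODE_NAMES.get(p.old, '?')}) -> "
        f"{p.new:02X} ({OPCODE_NAMES.get(p.new, '?')})"
        for p in patches
    ]


# Constructed DIF text in IDA's layout (not the file from the articles).
SAMPLE_DIF = """This difference file has been created by IDA Pro

sample.exe
00000010: 74 75
"""

# Constructed 32-byte stand-in for a binary, with "JZ +5" (74 05) at offset 0x10.
SAMPLE_BIN = bytes(16) + b"\x74\x05" + bytes(14)

if __name__ == "__main__":
    patches = parse_dif(SAMPLE_DIF)
    print("\n".join(describe(patches)))
    print("sample is:", classify(SAMPLE_BIN, patches))
    print("after patch:", classify(apply_patches(SAMPLE_BIN, patches), patches))
```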


North Korean Hackers Exploit HWP Docs in Recent Cyber Heists
26.6.18 securityweek  BigBrothers

A series of malicious Hangul Word Processor (HWP) documents used in recent attacks on cryptocurrency exchanges have been attributed to the North Korea-linked Lazarus group, AlienVault reports.

The attacks appear to include the recent assault on Bithumb, the largest virtual currency exchange in South Korea, with more than 1 million customers. As part of the incident, hackers managed to steal over $30 million worth of cryptocurrencies.

Lazarus, or BlueNoroff, is a state-sponsored hacking group believed to have launched the $81 million cyber heist from the Bangladesh Bank in 2016 and considered the most serious threat against banks. Earlier this year, the group was observed hitting an online casino in Central America and switching interest to crypto-currency.

Earlier this month, AlienVault revealed that Lazarus has been leveraging a new ActiveX vulnerability in attacks on South Korean targets. Now, the security firm says that the hackers have also been using a series of malicious documents to target members of a recent G20 Financial Meeting.

AlienVault's security researchers analyzed three similar malicious documents that have been already associated with Lazarus. One of these mentions the G20 International Financial Architecture Working Group meeting, seeking coordination of the economic policies between the wealthiest countries.

The HWP files include malicious code that fetches next-stage malware (either a 32-bit or 64-bit version of Manuscrypt, which has already been detailed by other security researchers), a threat that disguises its communications by impersonating South Korean forum software. Decoy documents in the form of resumes were also included.

A series of reports within South Korea have already suggested that malicious HWP files were used earlier in May and June to set up the Bithumb heist, and that these documents appear linked to previous attacks by Lazarus.

The investigation of a South Korean security company into the thefts also revealed that fake resumes strikingly similar to those delivering the Lazarus-linked Manuscrypt were sent to cryptocurrency organizations.

“Whilst we can’t be certain this malware is responsible for the thefts from Bithumb, it seems a likely suspect,” AlienVault notes.

Related malicious HWP documents from Lazarus have been reportedly targeting crypto-currency users in South Korea earlier this month.

Furthermore, the researchers noticed cryptocurrency phishing domains registered to the same phone number as a domain (itaddnet[.]com) and delivering some of the malware. This would suggest the attackers are also phishing for credentials, in addition to delivering malware.

“It is unusual to see Lazarus registering domains - normally they prefer to compromise legitimate websites. So this would be an unusual attack if it is indeed run by members of Lazarus,” AlienVault says.

Apparently, it would be entirely possible for Lazarus to have hacked Bithumb earlier this month, considering that the group raided the exchange last year as well, which likely provided them with the necessary knowledge to do it again. Over the past year, the group targeted other crypto-currency exchanges as well.

“It’s clear that the thefts from Lazarus won’t stop anytime soon given the gains available - the (partially successful) attempt to steal $1 billion dollars from the Bank of Bangladesh represents 3% of North Korea’s reported GDP. Thefts from South Korean organizations have the double impact of weakening their closest competitor,” AlienVault said.


UK Tax Agency HMRC has recorded the voice tracks of 5.1 Million Brits
25.6.18 securityaffairs BigBrothers

The UK-based privacy group Big Brother Watch revealed that the British tax agency HMRC has recorded the voice of over 5.1 million Britons.
The UK-based privacy and civil liberties group Big Brother Watch has revealed that the British tax agency HMRC (Her Majesty’s Revenue and Customs) has recorded the voice of over 5.1 million Britons.

HMRC collected these voice records via the Voice ID service that was launched in January 2017. The service was created to allow UK citizens to authenticate using their voice when calling HMRC call centers.

When the service was initially launched, the tax agency claimed users would be able to opt out of using it and continue to authenticate themselves by using usual methods.

The Big Brother Watch group discovered that there’s no opt-out option when users call the agency support line.

Every citizen accessing the service recorded a voice track for use with the Voice ID authentication feature.

“Far from ‘encouraging’ customers, HMRC offers no choice but to do as the automated system instructs and create a biometric voice ID for a Government database,” reads the Big Brother Watch report.

“In our investigation, we found that the only way to avoid creating a voice ID is to say “no” to the system – three times – before the system resolves to create your voice ID “next time”.”

Advocates at the Big Brother Watch group claim HMRC is acting unlawfully because it doesn’t provide a clear way of opting out and because there is no way to ask the agency to remove a voice track from HMRC’s database.

Big Brother Watch filed freedom of information (FOIA) requests, but the tax agency refused to provide instructions to users on how to delete their voice tracks from HMRC’s database.


Another aspect that is still under investigation is how the agency manages the voice tracks and whether it shares them with third parties and other government agencies.

It is clear that HMRC is not in compliance with the GDPR regulation adopted by EU member states.

Big Brother Watch officials are inviting Britons to file a complaint with HMRC and with the UK’s Information Commissioner’s Office (ICO); the latter has already started an official investigation into HMRC’s process.


Supreme Court of the US ruled that police need a warrant for mobile location data
24.6.18 securityaffairs BigBrothers

The Supreme Court of the US ruled that police must obtain a search warrant before obtaining mobile location data from mobile carriers and similar services.
The Supreme Court of the United States ruled this week that law enforcement must obtain a search warrant before obtaining cell phone location information from mobile carriers or third-party services.

“When the government tracks the location of a cell phone it achieves near perfect surveillance, as if it had attached an ankle monitor to the phone’s user,” Chief Justice John Roberts wrote in the 5-4 opinion, as reported by The Wall Street Journal.

“Unlike the nosy neighbor who keeps an eye on comings and goings,” he wrote, the signal towers and processing centers that track cellphone users “are ever alert, and their memory is nearly infallible,” making the analog-era precedents prosecutors cited to justify such warrantless searches all but obsolete.


The decision aims at preventing surveillance activities operated by the government and at protecting the privacy of citizens under the Fourth Amendment.

The Supreme Court ruled that a warrant is also needed to access location data stored by mobile carriers and similar companies, since this data makes it possible to monitor almost any activity of a citizen.

“While individuals regularly leave their vehicles, they compulsively carry cell phones with them all the time. A cell phone faithfully follows its owner beyond public thoroughfares and into private residences, doctor’s offices, political headquarters, and other potentially revealing locales.” continues Chief Justice John Roberts.

“Critically, because location information is continually logged for all of the 400 million devices in the United States – not just those belonging to persons who might happen to come under investigation – this newfound tracking capacity runs against everyone.”

Of course, the authorities can still operate without a warrant when citizens’ lives are in danger or when handling national security issues.

The ruling came in the wake of the Timothy Carpenter v. US case filed in 2011, when US police arrested members of a gang who had committed armed robberies at several stores.

Gang members confessed that the group was led by Timothy Carpenter, a claim that police verified by obtaining a court order for Carpenter’s cell phone location information and confirming the suspect’s presence near the robberies.

Carpenter was sentenced to more than 100 years in prison, but lawyers for the American Civil Liberties Union, which represented him at the high court, called the decision “a truly historic vindication of privacy rights.”

The lawyers argued that a court order should not have been enough to obtain access to the suspect’s mobile location data, and that a search warrant should have been obtained instead.

The Supreme Court ruling was praised by privacy advocates because it aims at defending the privacy of citizens against any abuse.


China-Linked 'Thrip' Spies Target Satellite, Defense Companies
20.6.18 securityweek BigBrothers

A China-linked cyber espionage group has breached the systems of satellite operators, telecommunications companies and defense contractors in the United States and Southeast Asia, Symantec reported on Tuesday.

Symantec has been tracking the threat actor, which it has named “Thrip,” since 2013. However, the security firm says the group’s activities have not been made public until now.

Thrip has used a combination of custom malware and legitimate tools in its attacks. One victim was a satellite communications operator, where the hackers targeted devices involved in operations, as well as systems running software designed for monitoring and controlling satellites.

“This suggests to us that Thrip’s motives go beyond spying and may also include disruption,” Symantec researchers said.

Thrip has also targeted a company specializing in geospatial imaging and mapping. The attackers attempted to gain access to machines hosting MapXtreme GIS, Google Earth Server and Garmin imaging software.

The list of victims identified by Symantec also includes three telecoms firms in Southeast Asia. The companies themselves appear to have been Thrip’s targets rather than their customers. Another victim is a defense contractor, but no details have been shared by the security firm on this attack.

Symantec has been monitoring Thrip since 2013, when it spotted a campaign conducted from systems located in China. The group initially relied mostly on custom malware, but more recent campaigns, which started last year, also involved legitimate tools.

The pieces of malware used by the group include Trojan.Rikamanu, a trojan designed for stealing credentials and other information from compromised systems, and Infostealer.Catchamas, an evolution of Rikamanu that includes improved data theft and anti-detection capabilities.

Thrip has also been spotted using Trojan.Mycicil, a keylogger offered on Chinese underground marketplaces but which has not been seen often, and Backdoor.Spedear and Trojan.Syndicasec, both of which have been observed in the group’s older campaigns.

As for the legitimate tools used by the cyberspies, the list includes the Windows Sysinternals utility PsExec, PowerShell, the post-exploitation tool Mimikatz, the open source FTP client WinSCP, and the LogMeIn remote access software.

“This is likely espionage,” said Greg Clark, CEO of Symantec. “The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organizations won’t notice their presence. They operate very quietly, blending in to networks, and are only discovered using artificial intelligence that can identify and flag their movements. Alarmingly, the group seems keenly interested in telecom, satellite operators, and defense companies. We stand ready to work with appropriate authorities to address this serious threat.”


Ex-CIA Employee Charged With Leaking Agency's Hacking Tools
19.6.18 securityweek BigBrothers

A former employee of the U.S. Central Intelligence Agency (CIA) has been charged with stealing classified national defense information from the agency and sharing it with WikiLeaks.

The Department of Justice announced on Monday that Joshua Adam Schulte, 29, of New York, New York, had been charged in a 13-count indictment. The indictment does not specifically name WikiLeaks, but the media revealed last month that authorities had been preparing to charge Schulte for providing WikiLeaks the CIA hacking tools that were published by the whistleblower organization as part of its Vault 7 leak.

Schulte worked for the NSA for five months in 2010 as a systems engineer. He then joined the CIA, where he worked as a software engineer until November 2016, when he moved to New York City and started working as a software engineer for Bloomberg.

The man reportedly became the main suspect for the Vault 7 leaks one week after WikiLeaks started releasing files. However, when investigators searched his apartment and devices, they uncovered a file sharing server hosting child pornography.

Schulte was charged on three counts of receipt, possession and transportation of child pornography in August 2017 and was released the following month. He was arrested again in December for violating the conditions of his release and he has been in custody ever since.

Schulte has now been charged with illegal gathering of national defense information; illegal transmission of lawfully possessed national defense information; illegal transmission of unlawfully possessed national defense information; unauthorized access to a computer to obtain classified information; theft of Government property; unauthorized access of a computer to obtain information from a Department or Agency of the United States; and causing transmission of a harmful computer program, information, code, or command.

The list of charges also includes making material false statements to representatives of the FBI; obstruction of justice; receipt of child pornography; possession of child pornography; transportation of child pornography; and copyright infringement. If convicted, the man could spend decades behind bars.

The hacking-related charges involve Schulte’s activities inside the CIA’s networks while being employed by the agency.

"Joshua Schulte, a former employee of the CIA, allegedly used his access at the agency to transmit classified material to an outside organization,” said Geoffrey S. Berman, US Attorney for the Southern District of New York. “During the course of this investigation, federal agents also discovered alleged child pornography in Schulte’s New York City residence. We and our law enforcement partners are committed to protecting national security information and ensuring that those trusted to handle it honor their important responsibilities. Unlawful disclosure of classified intelligence can pose a grave threat to our national security, potentially endangering the safety of Americans.”

Schulte previously pleaded not guilty to the child pornography-related charges, claiming that up to 100 people had access to the server storing illegal content. Investigators, on the other hand, claim they have proof Schulte had been aware of the presence of the files.

As for leaking CIA hacking tools, Schulte told the press last month that the FBI likely suspected him due to the fact that he had left the CIA on poor terms just months before the Vault 7 leak started.


In Trump Rebuke, US Senate Votes to Reimpose Ban on China's ZTE
19.6.18 securityweek BigBrothers

The US Senate defied President Donald Trump by voting Monday to overrule his administration's deal with Chinese telecom firm ZTE and reimpose a ban on high-tech chip sales to the company.

Senators added an amendment targeting ZTE into a sweeping, must-pass national defense spending bill that cleared the chamber on an 85-10 vote.

The company has been on life support ever since Washington said it had banned US companies from selling crucial hardware and software components to ZTE for seven years, after staffers violated trade sanctions against Iran and North Korea.

It was fined $1.2 billion for those violations, but earlier this month the Trump administration gave ZTE a lifeline by easing sanctions in exchange for a further $1.4 billion penalty on the company.

The Senate measure nullifies that action, proposing an outright ban on the government buying products and services from ZTE and another Chinese telecoms firm, Huawei.

"We're heartened that both parties made it clear that protecting American jobs and national security must come first when making deals with countries like China, which has a history of having little regard for either," a bipartisan group of senators said.

Hong Kong-listed shares in ZTE plunged more than 20 percent soon after the opening bell on Tuesday. The company has lost around 60 percent of its value since it resumed trading last week after a two-month suspension that followed the initial ban. The lawmakers who introduced the amendment include top Democrat Chuck Schumer and Republican Marco Rubio.

Providing $716 billion in funding for national defense for fiscal year 2019 and giving policy guidance to the Pentagon, the bill is not a done deal.

The House of Representatives passed its own version of the measure, and the two chambers must now hash out a compromise.

"It is vital that our colleagues in the House keep this bipartisan provision in the bill as it heads towards a conference," Schumer and Rubio said.

ZTE, which employs 80,000 people, said recently that its major operations had "ceased" after the ban, raising the possibility of its collapse.

Its fiberoptic networks depend on US components and its cheap smartphones sold en masse abroad are powered by US chips and the Android operating system.


DHS, FBI Share Details of North Korea's 'Typeframe' Malware
18.6.18 securityweek BigBrothers

The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have published another report on the US-CERT website detailing a piece of malware allegedly used by the North Korean government.

A dozen reports have been published by the DHS and the FBI over the past year on the North Korea-linked threat group tracked by the U.S. government as Hidden Cobra. The list of tools detailed by the agencies includes Sharpknot, Hardrain, Badcall, Bankshot, Fallchil, Volgmer, and Delta Charlie.

The latest report describes a piece of malware dubbed “Typeframe” and it covers a total of 11 samples related to the threat, including executable files and malicious Word documents containing VBA macros.

“These files have the capability to download and install malware, install proxy and Remote Access Trojans (RATs), connect to command and control (C2) servers to receive additional instructions, and modify the victim's firewall to allow incoming connections,” the agencies said.

The alert contains indicators of compromise (IoCs) for each of the files, including a description of their functionality, hashes, IPs, antivirus detections, metadata, and YARA rules.

The goal of the report is to “enable network defense and reduce exposure to North Korean government malicious cyber activity.” However, security experts argued in the past that these types of alerts from government agencies are actually not enough to help improve defenses.

The previous Hidden Cobra report, published on the US-CERT website in late May, attributed the Joanap backdoor trojan and the Brambul worm to the North Korean government.

While it has always denied accusations, experts say North Korea continues to be highly active in cyberspace, with some claiming that the country is even more aggressive than China. Recent attacks attributed to North Korea involved new malware and even zero-day vulnerabilities.


Cyber Attack Aims to Manipulate Mexican Election
18.6.18 securityweek BigBrothers

On Wednesday June 13, in the run-up to Mexico's July 1 presidential election, a website operated by the rightist National Action Party (PAN) was taken off-line for several hours by a DDoS attack. The outage occurred at the time of a televised presidential debate, and just following a point at which the PAN candidate held up a placard with the website address claiming it held proof of potential corruption.

PAN secretary Damian Zepeda later suggested that front-running leftist candidate Andres Manuel Lopez Obrador (AMLO) was behind the attack. "The AMLO bots have been activated to try to crash the page debate18.mx where there are proofs of contracts worth millions given to AMLO's friend," Zepeda wrote on Twitter.

PAN later claimed that the site had been hit by 185,000 visits in 15 minutes, "with the attacks coming mainly from Russia and China." Lopez Obrador denied any involvement in the attack, and laughed off any suggestion of ties with Russia by calling himself 'Andres Manuelovich'.

The source of the DDoS attack is unknown and possibly unknowable -- but it is a reminder of the extent to which the internet can be used to influence or even control public opinion.

The accusations of Russian involvement in both the Trump election in the U.S. and the UK Brexit referendum are still fresh. Perhaps more directly relevant is the controversy over the DDoS attack on the FCC website just as it was gathering public comment on the (then) proposed elimination of the net neutrality rules.

The FCC claimed it had been taken off-line by a DDoS attack. Critics of the FCC plans have suggested it was purposely taken off-line to avoid registering mass public dissent over the FCC rules. If the Mexico event was a direct parallel to these claims, it could suggest that PAN couldn't prove the criticisms it was making, and took down the website itself.

This last possibility is not a serious proposal -- but it illustrates the plausible deniability and difficulty of attribution that comes with cyber activity. The DDoS attack could have been delivered by Russia (because it has a history of interference); by AMLO (to prevent access to his competitor's website); by the U.S. (because it would almost certainly prefer a right-leaning to a left-leaning neighbor); or by PAN itself (as a false flag). Or, of course, none of the above -- a straightforward DDoS attack by cybercriminals.

At this stage, the only thing that is certain is that a DDoS attack did take place in Mexico. Netscout Arbor's analysis of the period shows more than 300 attacks per day in Mexico during the period 12th-13th June -- which is 50% higher than the normal frequency in the country. The largest volumetric DDoS attack targeting Mexico during the week was more than 200 Gbps.

"Political websites are frequent targets of DDoS attacks not only due to the ease of launching attacks, but also due to the desire and capabilities of attackers to impact the election process while staying undiscovered," comments Kirill Kasavchenko, principal security technologist at Netscout Arbor. "Due to the nature of modern DDoS attacks, it is quite easy to launch attacks from third countries utilizing computers and IoT devices infected by malware or using techniques like reflection of DDoS traffic. Tracing down the original source of the attack and the people behind it is problematic not only from a technical, but also from an administrative point of view."


DHS, FBI published a joint alert including technical details of Hidden Cobra-linked ‘Typeframe’ Malware
18.6.18 securityaffairs BigBrothers

The US DHS and the FBI have published a new joint report that includes technical details of a piece of malware allegedly used by the Hidden Cobra APT.
A new joint report published by the US DHS and FBI has made the headlines; the document details TTPs associated with North Korea-linked threat groups, tracked by the US government as Hidden Cobra.

The US authorities have published the report to reduce the exposure to the activities of North Korea-linked APT groups.

Hidden Cobra’s arsenal includes Sharpknot, Hardrain, Badcall, Bankshot, Fallchil, Volgmer, and Delta Charlie.

The latest joint report includes a piece of malware dubbed “Typeframe” and it covers a total of 11 samples analyzed by the government experts.

The researchers analyzed several executables and weaponized Word documents containing VBA macros.

“DHS and FBI identified Trojan malware variants used by the North Korean government. This malware variant is known as TYPEFRAME. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.” reads the joint report.

“This malware report contains analysis of 11 malware samples consisting of 32-bit and 64-bit Windows executable files and a malicious Microsoft Word document that contains Visual Basic for Applications (VBA) macros. These files have the capability to download and install malware, install proxy and Remote Access Trojans (RATs), connect to command and control (C2) servers to receive additional instructions, and modify the victim’s firewall to allow incoming connections.”


The security alert includes indicators of compromise (IoCs) for each of the samples analyzed by the experts.

The report includes a description of the functionality for each sample, hashes, IPs, antivirus detections, metadata, and YARA rules.

In May, US authorities published another report on the Hidden Cobra detailing the Joanap backdoor trojan and the Brambul worm.

The only certainty is that North Korea continues to be one of the most aggressive and persistent threat actors in cyberspace.


Europol dismantled the Rex Mundi hacker crew, it arrested another member of the gang
16.6.18 securityaffairs BigBrothers

Europol announced that several French nationals were arrested in the past year on suspicion of being involved with the notorious Rex Mundi crime gang.
Another Europol success has made the headlines: the European police agency announced that several French nationals were arrested in the past year on suspicion of being involved with the notorious hacker group known as Rex Mundi (“King of the World”).

The Rex Mundi crime group has been active since at least 2012; it hacked into the systems of several organizations worldwide and attempted to blackmail them.

The list of the victims is long and includes AmeriCash Advance, Webassur, Drake International, Buy Way, Hoststar, Websolutions.it, Numericable, Habeas, AlfaNet, Domino’s Pizza, and the Swiss bank Banque Cantonale de Geneve (BCGE).


The hackers stole sensitive information from the victims, then demanded fees for not disclosing the stolen data.

The operation coordinated by Europol was launched in May 2017 after the group targeted a UK-based company. The crooks stole significant amounts of customer data from the company, then attempted to blackmail it by demanding a bitcoin ransom of nearly €580,000 ($670,000) for not disclosing the incident. The group also requested more than €825,000 ($776,000) for details on the hack.

The hackers also asked the victim for an additional €210,000 ($240,000) for each day the payment was delayed.

“A 25-year-old coder was arrested on 18 May by the Royal Thai Police based on a French international arrest warrant. The arrest of this young cybercriminal was the eighth in an international operation supported by Europol and the Joint Cybercrime Action Taskforce (J-CAT) that started exactly one year ago,” reads the announcement published by Europol.

“In May 2017 a British-based company was the victim of a cyber-attack during which a large amount of customer data was compromised. The attack was immediately claimed by an organisation called Rex Mundi.”

After the victim reported the incident to the authorities, the UK’s Metropolitan Police, the French National Police and Europol launched a joint operation that led to the identification of a French national.

“Within an hour, Europol’s 24/7 Operational Centre was able to link the available information to a French national,” continues Europol.

In June 2017, the authorities identified and arrested five suspects; two more were arrested in October 2017 and one on May 18, 2018.

All of the suspects are French nationals and they were all arrested by French police, except for the last arrest, which took place in Thailand.

The last member of the crew is a 25-year-old developer who was arrested last month by the Royal Thai Police.

The leader of the Rex Mundi group admitted blackmailing the company but claimed to have hired hackers on the Dark Web to hack the victims.


Singapore was hit by an unprecedented number of attacks during the Trump-Kim Summit
16.6.18 securityaffairs BigBrothers

Researchers observed a spike in the number of cyber-attacks targeting Singapore during the Trump-Kim Summit, from June 11 to June 12.
Researchers at F5 Labs have observed a spike in the number of cyber-attacks targeting Singapore from June 11 to June 12, in the wake of the meeting between U.S. President Donald Trump and North Korean President Kim Jong-un in a Singapore hotel.

Experts remarked that Singapore is typically not a top attack destination, and that the spike in the number of attacks coincides with the Trump-Kim Jong-un meeting.

Most of the attacks originated from Russia (88% of overall attacks) and frankly speaking, I’m not surprised due to the importance of the Trump-Kim summit.

According to F5 Labs and Loryka, 97% of all the attacks that originated from Russia from June 11 to June 12 targeted Singapore.

“From June 11 to June 12, 2018, F5 Labs, in concert with our data partner, Loryka, found that cyber-attacks targeting Singapore skyrocketed, 88% of which originated from Russia. What’s more, 97% of all attacks coming from Russia during this time period targeted Singapore.” reads the analysis published by F5 Labs. “We cannot prove they were nation-state sponsored attacks, however the attacks coincide with the day President Donald Trump met with North Korean President Kim Jong-un in a Singapore hotel.”

The cyber attacks hit almost every kind of computer system, from VoIP phones to IoT devices. The attacks began out of Brazil, targeting SIP port 5060 of IP phones, where communications are transmitted in clear text.

After an initial attack that lasted for a couple of hours, researchers observed reconnaissance activity originating from the Russian IP address 188.246.234.60, which is owned by ASN 49505, operated by Selectel; the scans targeted a variety of ports.

None of the attacks was carried out to spread malware.

“The number two attacked port was Telnet, consistent with IoT device attacks that could be leveraged to gain access to or listen in on targets of interest.” continues the analysis.

“Other ports attacked include the SQL database port 1433, web traffic ports 81 and 8080, port 7541, which was used by Mirai and Annie to target ISP-managed routers, and port 8291, which was targeted by Hajime to PDoS MikroTik routers.”

Singapore was hit by 40,000 attacks in just 21 hours, starting at 11:00 p.m. on June 11 through 8:00 p.m. June 12, local time.

The experts highlighted that only 8% were exploit attacks, while 92% were reconnaissance scans for potential targets.

34% of the attacks originated from Russia; the list of top attackers also includes China, the US, France, and Italy.


During the summit time frame, Singapore was the top destination of cyber-attacks, receiving 4.5 times more attacks than countries like the U.S. and Canada.

SIP port 5060 was targeted 25 times more than Telnet port 23; hackers were attempting to gain access to insecure communication systems or VoIP servers and to compromise IoT devices to spy on communications.

“We do not have evidence directly tying this attacking activity to nation-state-sponsored attacks, however it is common knowledge that the Russian government has many contractors within Russia doing their bidding, and that a successful attack on a target of interest would make its way through to the Kremlin,” F5 Labs concludes.


Trump-Kim Summit Attracts Wave of Cyber-Attacks on Singapore
16.6.18 securityweek BigBrothers

The number of cyber-attacks targeting Singapore skyrocketed from June 11 to June 12, during the meeting between U.S. President Donald Trump and North Korean President Kim Jong-un in a Singapore hotel, and most of these attacks originated from Russia, F5 Labs reports.

Russia has long been said to keep the United States under a continuous barrage of cyber-attacks, and even attracted a series of sanctions following the hacking aimed at the 2016 presidential election, which was supposedly the doing of state-sponsored Russian threat actors.

Thus, it’s no wonder the Trump-Kim summit earlier this week was targeted as well, but the number of assaults coming from Russia is indeed impressive: 88% of the total number of observed cyber-attacks came from this country. Furthermore, 97% of all the attacks that originated from Russia during the timeframe targeted Singapore, data from F5 Labs and Loryka reveals.

“We cannot prove they were nation-state sponsored attacks, however the attacks coincide with the day President Donald Trump met with North Korean President Kim Jong-un in a Singapore hotel. The attacks targeted VoIP phones and IoT devices, which appears to be more than a mere coincidence,” F5 says.

The flurry of attacks, the security firm reveals, started out of Brazil by targeting SIP port 5060, the single most attacked port in the timeframe. IP phones use this port to send and receive communications in clear text.

This initial phase, which lasted for only a couple of hours, was followed by reconnaissance scans from the Russian IP address 188.246.234.60 – an IP owned by ASN 49505, operated by Selectel – targeting a variety of ports.

The attacks observed on June 11 and June 12 also targeted the Telnet port, which is normally assaulted in Internet of Things (IoT) incidents. Other targeted ports include SQL database port 1433, web traffic ports 81 and 8080, port 7541 (used by Mirai and Annie to target ISP-managed routers), and port 8291 (previously targeted by Hajime).

During a period of 21 hours, starting at 11:00 p.m. on June 11 through 8:00 p.m. June 12, local time, a total of 40,000 attacks were launched on Singapore. Of these, 92% were reconnaissance scans looking for vulnerable devices, while the remaining 8% were exploit attacks.

“Thirty-four percent of the attacks originated from Russian IP addresses. China, US, France, and Italy round out the top 5 attackers in this period, all of which launched between 2.5 to 3 times fewer attacks than Russia. Brazil, in the sixth position, was the only other country we detected launching SIP attacks alongside Russia,” F5 reveals.

During the period, Singapore became the top destination of cyber-attacks by a large margin, receiving 4.5 times more attacks than the U.S. or Canada. Typically, Singapore is not a top attack destination, and the anomaly coincides with President Trump’s meeting with Kim Jong-un.

While Russia was the main source of attacks, accounting for 88% of them, Brazil was the second largest attacker, launching 8% of the assaults. Germany rounded out the top three attackers, with 2%.

The security researchers also note that there was no attempt made to conceal the attacks launched from Russia and that none of the attacks originating from this country carried malware.

The SIP port 5060 received 25 times more attacks than Telnet port 23, which was the second most targeted. Although attacks on port 5060 are unusual, chances are that the attackers were attempting to gain access to insecure phones or perhaps the VoIP server. The attacks on Telnet were likely trying to compromise IoT devices to spy on communications and collect data.

“We do not have evidence directly tying this attacking activity to nation-state-sponsored attacks, however it is common knowledge that the Russian government has many contractors within Russia doing their bidding, and that a successful attack on a target of interest would make its way through to the Kremlin,” F5 concludes.


French Nationals Arrested for 'Rex Mundi' Hacks
16.6.18 securityweek BigBrothers

Europol announced this week that several French nationals were arrested in the past year on suspicion of being involved with Rex Mundi, a group that hacked into the systems of several organizations and attempted to blackmail them.

According to Europol, the alleged members of the hacker group were identified after they targeted a UK-based company in May 2017. The cybercriminals stole significant amounts of customer data from the firm and demanded the payment of a bitcoin ransom of nearly €580,000 ($670,000) for not making the stolen files public, or more than €825,000 ($776,000) for information on how the attack was carried out. The hackers also told the victim that the amounts would increase by €210,000 ($240,000) for each day the payment was delayed.

After the victim reported the attack to law enforcement, the UK’s Metropolitan Police, the French National Police and Europol teamed up to identify the hackers. “Within an hour, Europol’s 24/7 Operational Centre was able to link the available information to a French national,” Europol said.

Five suspects were arrested in June 2017, two were arrested in October 2017 and one was apprehended on May 18, 2018. All of the suspects are French nationals and they were all arrested by French police, except for the last arrest, which took place in Thailand.

The individual who was arrested last month by the Royal Thai Police is a 25-year-old developer. The suspects arrested in October 2017 were described as “hackers.” The “main suspect,” as Europol describes him, admitted blackmailing companies, but claimed to have used the dark web to hire someone to conduct the hacking.

Rex Mundi had been active since at least 2012, and until 2015 it made many of its operations public in hopes of convincing victims to pay up. Its victims included AmeriCash Advance, Webassur, Drake International, Buy Way, Hoststar, Websolutions.it, Numericable, Habeas, AlfaNet, Domino’s Pizza, and the Swiss bank Banque Cantonale de Geneve (BCGE). Many of the hacker group’s victims were Belgian companies.


European Parliament Votes to Ban Kaspersky Products
14.6.18 securityweek BigBrothers  

Kaspersky Suspends Collaboration With Europol and NoMoreRansom

Kaspersky Lab has suspended its collaboration with Europol and the NoMoreRansom initiative after the European Parliament passed a resolution that describes the company’s software as being “malicious.”

Kaspersky is not trusted by some governments due to its alleged ties to Russian intelligence, which has sparked concerns that the company may be spying for Moscow.

The call for a ban on Kaspersky’s products in the European Union is part of a report on cyber defense written by Estonian MEP Urmas Paet of the Committee on Foreign Affairs.

The next-to-last proposal in the report “Calls on the EU to perform a comprehensive review of software, IT and communications equipment and infrastructure used in the institutions in order to exclude potentially dangerous programmes and devices, and to ban the ones that have been confirmed as malicious, such as Kaspersky Lab.”

The resolution was approved with 476 votes in favor and 151 against. In response, Kaspersky Lab’s founder and CEO, Eugene Kaspersky, said his company would be freezing collaboration with Europol and the NoMoreRansom project, and highlighted that the EU’s decision “welcomes cybercrime in Europe.”

Kaspersky is one of the private sector companies that founded NoMoreRansom, and it has helped Europol in several major cybercrime investigations, including a $1 billion cyber-heist.

“[It is] frustrating that there was no investigation, no evidence of any wrongdoing from our side, just references to false allegations from anonymous sources. This is the essence of media-ocracy: fake news → political decisions,” Eugene Kaspersky said on Twitter. “The risks of using our software are purely hypothetical. Just as hypothetical as with any other cybersecurity software of any country. But the risk of becoming a victim of a genuine cyberattack is real – and extremely high. Ergo: EP's political decision plays *for* cybercrime.”

Interestingly, an answer given in April by the European Commissioner for Digital Economy and Society, Mariya Gabriel, in response to a question from Polish politician Anna Fotyga regarding the risks associated with the use of Kaspersky software states that “the Commission has no indication for any danger associated with this anti-virus engine.”

On the other hand, Paet says he stands by his report. “These decisions must be taken seriously, they have not been taken out of the blue but instead have been drawn from various partners and intelligence sources. Considering the overall situation of EU-Russia relations, and Russia’s aggressive behaviour, we should not be taking risks that could cause serious damage to the EU,” he told EURACTIV after the vote.

The report is not legally binding, but it could influence some EU member states, especially since the U.K., the Netherlands and Lithuania have already moved to ban the use of Kaspersky software on sensitive systems. Kaspersky took legal action in the United States in an effort to overturn a decision to prohibit the use of its products by government agencies, but a judge rejected the lawsuit.

Many in the cybersecurity industry are skeptical of the accusations against Kaspersky, especially since no evidence of wrongdoing has been provided and many decisions related to the company appear to be based on media reports.


The security firm has been trying to clear its reputation, first by launching a transparency initiative that included giving partners access to source code, and more recently by announcing a move of core processes from Russia to Switzerland.


DHS HART Biometric Database Raises Security, Civil Liberties Concerns
13.6.18 securityweek BigBrothers

Protecting the DHS HART National Biometric Database Against Theft and Abuse

In February 2018, Northrop Grumman Corporation announced that it had been awarded a $95 million contract to develop increments one and two of the Department of Homeland Security (DHS) Homeland Advanced Recognition Technology (HART) system.

The announcement said very little about HART, except that it is a "multi-modal processing and matching technology that uses a combination of face, finger and iris biometrics meeting DHS accuracy requirements." It is a database and system designed to incorporate, expand and replace the existing Automated Biometric Identity System (IDENT) built in the 1990s.

Last week the Electronic Frontier Foundation (EFF) provided more information on HART. In a Deeplinks blog, senior staff attorney Jennifer Lynch explained, "The agency's new Homeland Advanced Recognition Technology (HART) database will include multiple forms of biometrics -- from face recognition to DNA, data from questionable sources, and highly personal data on innocent people. It will be shared with federal agencies outside of DHS as well as state and local law enforcement and foreign governments."

HART will support, she expands, "at least seven types of biometric identifiers, including face and voice data, DNA, scars and tattoos, and a blanket category for 'other modalities'. It will also include biographic information, like name, date of birth, physical descriptors, country of origin, and government ID numbers. And it will include data we know to be highly subjective, including information collected from officer 'encounters' with the public and information about people's 'relationship patterns'."

EFF's primary concern over this vast new database of DNA, physical biometrics and social behavior is what it describes as the chilling effect on people exercising their First Amendment-protected rights to speak, assemble and associate. "Data like face recognition makes it possible to identify and track people in real time, including at lawful political protests and other gatherings," she writes.

Through EFF's understanding of the HART project and its concern over civil liberties, we now know more about the DHS biometric database. But there are other concerns beyond civil liberties. Security for this vast trove of the nation's most personal information is never mentioned. Indeed, Northrop Grumman's contract announcement merely states, "A keen focus on safeguarding personally identifiable information as well as ensuring the critical sharing of data across interagency partners underpins the technology."

But government does not have a good track record in securing the data it holds. In 2015, the Office of Personnel Management lost personal information on 21.5 million people to what is generally believed to be Chinese government-sponsored hackers.

In 2010, Chelsea Manning (born Bradley Manning) leaked 750,000 classified or sensitive military and diplomatic documents to WikiLeaks, including the infamous 'collateral murder' Baghdad airstrike video.

In 2013, Edward Snowden exfiltrated and leaked thousands of classified NSA documents exposing NSA and GCHQ clandestine global surveillance programs.

In 2016, the hacking group known as The Shadow Brokers leaked a series of exploits stolen from the Equation Group – believed to be the Tailored Access Operations (TAO) unit of the NSA. One of these exploits, EternalBlue, was used in both the WannaCry ransomware and NotPetya cyberattacks of 2017.

In March 2017, WikiLeaks began publishing a series of CIA classified documents and cybersecurity exploits under the name Vault 7.

These incidents demonstrate that government databases have historically been susceptible to both external hacks and insider breaches. However, the extent to which the HART database will become a magnetic target for hackers is conjecture, and not universally agreed.

Joseph Carson, chief security scientist at Thycotic, doesn't believe the database will be very attractive to hackers. "The only reason this would be attractive to cybercriminals," he told SecurityWeek, "would be to sell it onwards to nation states who would use such data for intelligence or economic advantages. However, the data alone would not be as valuable without the technology that analyzes the metadata for matches and relationships. So, cybercriminals and nation states would need to compromise both to make value of the stolen data."

Others take a different view. "This massive, aggregated database will represent an incomparable trove of intelligence about US citizens. You can be sure it will be a target," said Rick Moy, CMO at Acalvio.

Migo Kedem, director of product management at SentinelOne, adds, "There will be many criminals and states who would like to get their hands on this type of information, ranging from commercial and marketing, through business espionage to state level."

Protecting this database from external hackers, whether organized crime or nation states, is going to be a challenge. But it will be equally difficult to protect it from insiders. According to the EFF's figures, the IDENT fingerprint database already holds data on 220 million individuals, and processes 350,000 fingerprint transactions every day. The full HART database will go far beyond just fingerprints, and will be shared with federal agencies outside of DHS, with state and federal law enforcement, and even with foreign governments.

The ability to control everybody with access to the database will consequently be another challenge – health workers and policemen already covertly query their own databases to provide information for worried friends and relatives. The temptation to check on the relationship patterns of a daughter's new boyfriend – if possible – is just one danger. Looking at private industry, High-Tech Bridge CEO Ilia Kolochenko told SecurityWeek, "Data protection is certainly a high priority in large companies such as Google or Apple, but as we recently saw with Facebook – authorized third-parties are the uncontrollable Achilles' heel."

The subversion of authorized users through bribery, blackmail or stolen credentials is another difficulty. "When human interactions are involved, it is generally the easiest link to compromise," says SentinelOne's Kedem.

Just as securing access to the HART database will be difficult, so too will be securing the use of the database. While it can provide value to its users manually, there is little doubt that machine learning and artificial intelligence will be used to help locate the needles in this massive haystack. This is particularly concerning because of the intention to include 'relationship patterns', which will be more easily sifted with AI than with manual searches.

Indeed, it is tempting to wonder if HART will become the basis for the FBI's often-promised move into 'predictive policing'. Thycotic's Carson believes this is probable. "This goes way back," he said. "'Trapwire' was exposed by Wikileaks back in 2012 resulting from the Stratfor hacks. It reportedly used CCTV surveillance to recognize people from their facial biometrics, how they walked and even from the clothing they wear. The purpose of such technology was prioritized for national security and it has been known that such technology had existed; but this was a clear indication that it was formerly in use. However, it is now clear that such data is being used beyond national security in both government and commercial use for profit and control."

Acalvio's Rick Moy simply said, "Predictive models need tons of data, so it would certainly be an enabler."

But this brings us to the next problem: false positives potentially generated by built-in bias in the artificial intelligence algorithms. Carson is not too concerned: "I would assume the results would have to be verified by a human. The AI and machine learning is typically to find the needle in a haystack and a human is used to validate the results."

Moy, however, does have concerns. "False positives come with any algorithm based on diverse data inputs. Bias is a human trait, and humans are still writing the algorithms. But it's worth noting that there's quite a difference between searching for known features of a past incident versus asking a system what the most relevant features of an incident were, versus predicting who will commit a future crime."

The implication is that use of the HART database to identify suspects is likely to be very accurate; but its use to predict criminal, terrorist or simply anti-social behavior would be worrying. If there is a bias against certain ethnic groups for, say, criminal or terrorist activity within society and existing records, that bias can potentially be transferred to the AI algorithms resulting in damaging and far-reaching false positives.

"US Congress needs to look at the old adage of 'we could, but should we?' while going forward with the DHS HART database," comments Abhishek Iyer, Technical Marketing Manager at Demisto. "AI and ML algorithms often mirror and amplify the biases of the data collected. If DHS investigation will be based on biometric recognition whose accuracy is already compromised by bias, it can lead to wrongful arrests, distress for US travelers, and lost government resources."

There is little doubt that a national biometric database could help law enforcement. But at what cost? The Electronic Frontier Foundation fears it will damage freedom of speech and association, and massively impinge upon personal privacy. But the challenges posed by HART go beyond civil liberties. Securing both access to and use of the data is going to be very difficult.


North Korean Hackers Abuse ActiveX in Recent Attacks
12.6.18 securityweek  BigBrothers

An ActiveX zero-day vulnerability discovered recently on the website of a South Korean think tank focused on national security has been abused by the North Korean-linked Lazarus group in attacks, AlienVault reports.

ActiveX controls are usually disabled on most systems, but the South Korean government demands they are enabled on machines in the country. This has led to numerous attacks abusing ActiveX to compromise systems in South Korea, with many of the attacks attributed to North Korean hackers.

The same applies to the newly observed attacks, where JavaScript code was used to deploy various ActiveX vulnerabilities, including a zero-day. Soon after the attacks occurred, local media attributed them to the Andariel gang, which is said to be part of Lazarus, the state-sponsored hacking group considered the most serious threat against banks.

Also referred to as BlueNoroff, the group has orchestrated high profile attacks such as the devastating attack against Sony Pictures in late 2014 and the $81 million cyber heist from Bangladesh's account at the New York Federal Reserve Bank in 2016. This year, the actor supposedly switched targets to cryptocurrency, but also hit an online casino in Central America.

According to a new AlienVault report, the Lazarus hackers were behind the recently revealed ActiveX attacks as well.

The group used a profiling script as the initial reconnaissance tool, in an attempt to gather information on possible targets. Although this is a tactic the Lazarus group has employed before, other threat actors use it as well.

The next step of the attack involved scripts capable of gathering additional information from the system and designed to deliver the ActiveX exploit.

In a tweet several weeks ago, Cyber Warfare Intelligence Center and IssueMakersLab founder Simon Choi shared some details on the scripts used in the assault, revealing that an initial reconnaissance stage was deployed in January 2017, while script injections only occurred in late April 2018.

The script was designed to identify the browser and operating system running on the victim’s machine and borrows much of the code from PinLady’s Plugin-Detect. When detecting Internet Explorer on a machine, the script checks if ActiveX is enabled, as well as plugins running (from a specific list of ActiveX components).

AlienVault also notes that one of the other scripts involved in the attack, apparently used for profiling, sends data to a website that might have been compromised a while back, as it was previously recorded as a command and control (C&C) server for Lazarus malware in 2015.

The ActiveX exploit used in the recent assault, also shared by Simon Choi on Twitter, was meant to download malware from peaceind[.]co.kr and save it to the system as splwow32.exe.

“Splwow32.exe is a fairly uncommon filename for malware, and was previously seen in the Taiwan bank heist which has been attributed to another sub-set of the Lazarus attackers. We also note that the peaceind[.]co.kr site has been previously identified as vulnerable,” AlienVault says.

The malware appears to be called Akdoor, a simple backdoor designed to execute commands using Command Prompt. The malware also uses a “distinctive command and control protocol,” the security researchers say.


U.S. Blacklists Russian Firms Tied to FSB Hacking Ops
12.6.18 securityweek BigBrothers

The United States placed five Russian companies and three individuals on its sanctions blacklist Monday for allegedly supporting the FSB intelligence agency's hacking operations, including a firm involved in subsea operations.

The US Treasury named Digital Security and two subsidiaries as helping develop offensive cyber capabilities for Russian intelligence services, including the already-sanctioned FSB.

The Kvant Scientific Research Institute was also included on the blacklist, as a state enterprise supervised by the FSB.

In addition, Divetechnoservices and three officials of the firm were sanctioned for supplying and supporting the government's underwater capabilities in monitoring and hacking subsea communications cables around the world.

US officials have become alarmed over the past year at the extent of US-targeted offensive cyber operations that Washington alleges have official backing from Moscow.

Those include the global NotPetya cyber attack, which paralyzed thousands of computers around the world last year; intrusions into the control systems of the US energy grid; and the insertion of trojans into home and company networking devices around the world, which allow both the diversion of data and attacks that could shut down networks.

The sanctions freeze property and assets under US jurisdiction and seek to lock those named out of global financial networks.


Vietnam MPs Approve Sweeping Cyber Security Law
12.6.18 securityweek BigBrothers

Vietnamese lawmakers on Tuesday approved a sweeping cyber security law which could compel Facebook and Google to take down critical posts within 24 hours, as space for debate is crushed inside the Communist country.

Activists and dissenters are routinely harassed, jailed or tied up in legal cases in Vietnam, a one-party state which is hyper-sensitive to critical public opinion.

Social media and Internet forums have provided a rare platform to share and debate views against authorities.

But the bill, waved through by an overwhelming majority of MPs in the National Assembly, is poised to end that relative freedom.

The law's far-reaching provisions mean internet companies will have to remove posts deemed to be a "national security" threat within a day and store personal information and data of their users inside Vietnam.

"Currently, Google and Facebook store personal data of Vietnamese users in Hong Kong and Singapore," Vo Trong Viet, chairman of National Assembly's defence and security committee told lawmakers.

"Putting data centres in Vietnam will increase expenses for the service providers... but it is necessary to meet the requirements of the country's cyber security."

The new law outlaws material encouraging public gatherings or that "offends" everything from the national flag to the country's leaders and "heroes".

There was no immediate detail of the punishment for violating the new rules.

Only 15 out of the 466 MPs present in the rubber-stamp assembly voted against the bill, which the government says will become law from January 1, 2019.

Rights advocates said it further shrinks the small space for debate.

"In the country's deeply repressive climate, the online space was a relative refuge where people could go to share ideas and opinions with less fear of censure by the authorities," said Clare Algar of Amnesty International.

"With the sweeping powers it grants the government to monitor online activity, this vote means there is now no safe place left."

The Asia Internet Coalition, an advocacy group acting on behalf of Facebook, Google, Twitter and other tech firms in the region, said it was "disappointed" by the assembly's vote.

"Unfortunately, these provisions will result in severe limitations on Vietnam's digital economy, dampening the foreign investment climate and hurting opportunities for local businesses and SMEs to flourish inside and beyond Vietnam," said Jeff Paine, managing director of the internet coalition.

The country's conservative leadership, which has been in charge since 2016, is waging a crackdown on activists and dissidents.

At least 26 dissidents and activists have been prosecuted during the first five months of this year, according to Human Rights Watch.

The government has also unveiled a 10,000-strong brigade to fight cybercrimes and "wrongful views" on the internet, according to state media reports.

The unit, dubbed Force 47, is also tasked with fighting anti-state propaganda on the web.


Operation WireWire – Law enforcement arrested 74 individuals involved in BEC scams
12.6.18 securityaffairs BigBrothers

US authorities announced the arrest of 74 individuals as part of an international law enforcement operation dubbed ‘operation WireWire’ targeting BEC scams.
On Monday, the U.S. authorities announced the arrest of 74 individuals as part of an international law enforcement operation dubbed ‘operation WireWire’ targeting business email compromise (BEC) scams.

The investigation lasted more than six months; 42 suspects were arrested in the United States, 29 in Nigeria, and the remaining three in Canada, Mauritius, and Poland.

Law enforcement seized roughly $2.4 million and was able to recover roughly $14 million in fraudulent wire transfers.

“Operation WireWire—which also included the Department of Homeland Security, the Department of the Treasury, and the U.S. Postal Inspection Service—involved a six-month sweep that culminated in over two weeks of intensified law enforcement activity resulting in 74 arrests in the U.S. and overseas, including 42 in the U.S., 29 in Nigeria, and three in Canada, Mauritius, and Poland.” reads the press note released by the Department of Justice and the FBI.

“The operation also resulted in the seizure of nearly $2.4 million and the disruption and recovery of approximately $14 million in fraudulent wire transfers.”


During Operation WireWire, law enforcement executed more than 51 domestic actions, including search warrants, asset seizure warrants, and money mule warning letters.

The suspects have been involved in schemes targeting businesses of all sizes and individual victims.

According to the DoJ, 23 individuals were charged in the Southern District of Florida with laundering at least $10 million obtained from BEC scams. In one case the suspects tricked a real estate closing attorney into wiring $246,000 to their account.

According to a report published by Trend Micro, the damage caused to enterprises by Business Email Compromise (BEC) attacks has surpassed that of previous years, and it is estimated that losses could reach $9 billion in 2018. This rising value takes into account new attack vectors, such as the Android malware used by the Dark Caracal campaign attributed to a Lebanese intelligence agency.

BEC frauds have devastating impacts not only on the individual business but also on the global economy.

“Since the Internet Crime Complaint Center (IC3) began formally keeping track of BEC and its variant, e-mail account compromise (EAC), there has been a loss of over $3.7 billion reported to the IC3.” continues the note.

The report states that the FBI released a public announcement revealing that BEC attacks had become a $5.3 billion industry in the past years. In that regard, the report emphasizes that hackers are employing social engineering to lure and deceive employees in a myriad of scams to bypass security measures. By relying on a deep understanding of human psychology, attackers circumvent technical defenses; as the report states, it “requires little in the way of special tools or technical knowledge to pull off, instead requiring an understanding of human psychology and knowledge of how specific organizations work.”

The report lists how BEC attacks are usually conducted. The techniques are: bogus invoice scheme, CEO fraud, account compromise, attorney impersonation and data theft. The report highlights that these attacks can be classified into two major groups: credential grabbing and email only.

In the analysis of losses caused by crimes reported in the FBI 2017 Internet Crime Report, a document that outlines cybercrime trends over the past year, BEC/EAC ($676,151,185) is the largest category, followed by Confidence Fraud/Romance ($211,382,989) and Non-Payment/Non-Delivery ($141,110,441).

“BEC is a sophisticated scam targeting businesses that often work with foreign suppliers and/or businesses and regularly perform wire transfer payments. The Email Account Compromise (EAC) variation of BEC targets individuals who regularly perform wire transfer payments.” states the report.

“It should be noted while most BEC and EAC victims reported using wire transfers as their regular method of transferring business funds, some victims reported using checks.”

Today’s announcement highlighting this recent surge in law enforcement resources targeting BEC schemes “demonstrates the FBI’s commitment to disrupt and dismantle criminal enterprises that target American citizens and their businesses,” according to FBI Director Christopher Wray.

And he added, “We will continue to work together with our law enforcement partners around the world to end these fraud schemes and protect the hard-earned assets of our citizens. The public we serve deserves nothing less.”


Crooks used multi-stage attacks aimed at Russian Service Centers
12.6.18 securityaffairs BigBrothers

Fortinet recently observed a series of cyber-attacks targeting Russian service centers offering maintenance and support for various electronic goods.
Security researchers from Fortinet have recently spotted a series of cyber-attacks targeting Russian service centers offering maintenance and support for various electronic goods.

Experts noted that the hackers conducted multi-stage attacks, but ruled out the involvement of a nation-state actor.

Attackers leveraged spear-phishing messages carrying weaponized Office documents that exploit the 17-year-old MS Office flaw CVE-2017-11882, which was addressed by Microsoft updates in October.

The first attacks were observed at the end of March when crooks sent spear-phishing emails to a service company that repairs Samsung’s electronic devices.

The messages were written in Russian and contained a file named “Symptom_and_repair_code_list.xlsx”.


“FortiGuard Labs discovered a series of attacks targeted at service centers in Russia. These service centers provide maintenance and support for a variety of electronic goods.” reads the post published by Fortinet.

“A distinctive feature of these attacks is their multi-staging. These attacks use forged emails, malicious Office documents with exploits for a vulnerability that is 17 years old, and a commercial version of a RAT that is tucked into five different layers of protective packers.”

Experts noticed that the content of the email was the result of a translation made by a translation service. Analyzing the headers of the email, the experts also discovered that the IP address of the sender wasn’t associated with the domain in the “From” field.

The attackers used a different XLSX file for each email. The shellcode embedded in the documents performs various tasks to gain access to the LoadLibraryA and GetProcAddress functions, which allow it to resolve the APIs needed to execute the final payload.

“The two most important functions “imported” by the shellcode are: URLDownloadToFileW and ExpandEnvironmentStringsW.” continues the analysis.

“The purpose of the first one is obvious. The last function is used to determine the exact location where the shellcode should store the downloaded payload, since this location will be different under different platforms. Finally, the shellcode downloads a file from the URL: hxxp://brrange.com/imm.exe, stores it in %APPDATA%server.exe, and then tries to execute it.”

The final payload uses multiple-layer multi-packer protection to avoid detection.

The first stage implements the first layer of protection, the popular ConfuserEx packer, which obfuscates object names as well as the names of methods and resources.

The first stage reads the next-stage payload from these resources, decrypts it using DES, and executes the decrypted file, named BootstrapCS, which represents the second stage of the multi-layer protection.

BootstrapCS is not obfuscated, but it contains multiple anti-analysis checks, with the structure “settings” in the resources section determining which checks should be performed.

These checks are meant to prevent the code from being executed in a virtualized environment; this stage also searches for and shuts down specified processes. It also writes the payload path to the following startup registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\[Specified Name]
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[Specified Name]
Stage 3 of the payload is a binary resource named mainfile, which represents the third level of packing protection: a simple XOR algorithm with the KEY = 0x20 was used for encryption.

Once decrypted, the payload is injected into a process chosen according to the value in the settings resource file.

Stage 3 of the payload references a commercial Remote Administration Tool (RAT) dubbed Imminent Monitor. At stage 4, the security researchers once again encountered the ConfuserEx packer.

The Imminent Monitor RAT includes the following five modules:

Aforge.Video.DirectShow 2.2.5.0
Aforge.Video 2.2.5.0
Injector 1.0.0.0
ClientPlugin 1.0.0.0
LZLoader 1.0.0.0

These modules allow the malicious code to control the victim’s machine, including the webcam.

The analysis of the C&C servers revealed 50 domains registered by the attackers on the same day; some of them were used by crooks to deliver malware, while others were involved in phishing attacks. The experts also discovered older .XLSX samples that exploit different vulnerabilities.

“We also noticed that the pattern of these attacks has become quite popular today. The use of exploits is more efficient than the use of simple executable files, especially since the level of threat-awareness among users has sufficiently grown in recent years. It is simply not that easy to trick a user to opening executable file as it was before. Exploits are a different case,” concludes Fortinet.

Further details are included in the IoCs section of the report.


Multi-Stage Attacks Target Service Centers in Russia

11.6.18 securityweek   BigBrothers

Fortinet security researchers recently observed a series of cyber-attacks targeting Russian service centers offering maintenance and support for various electronic goods.

The attacks stand out because of their multi-staging and are believed to have been launched by a non-Russian actor. The attackers used spear-phishing emails and malicious Office documents exploiting CVE-2017-11882, a 17-year-old vulnerability in Office’s Equation Editor that Microsoft manually patched in October last year.

The targeted attack started at the end of March with spear-phishing emails received at a service company that repairs Samsung’s electronic devices. Pretending to come from representatives of Samsung, the emails specifically targeted this organization, were written in Russian, and contained a file named Symptom_and_repair_code_list.xlsx, related to the targeted company’s profile.

The emails were likely the result of machine translation, instead of being created by a native Russian speaker, the security researchers reveal. Furthermore, the headers of the email revealed that the IP address of the sender wasn’t related to the domain in the “From” field.

The attackers used different attachments for each email, but all messages had seemingly legitimate .XLSX files attached. Furthermore, all of the documents contained an exploit for the CVE-2017-11882 vulnerability.

The shellcode used in the attacks was meant to perform various tasks to gain access to the LoadLibraryA and GetProcAddress functions that allow it to execute the final payload. It also imports other functions, including one used to determine the exact location where the downloaded payload should be stored.

The payload features multiple-layer multi-packer protection, starting with an initial layer where the well-known ConfuserEx packer was used to obfuscate object names, along with the names of methods and resources. From these resources, it reads the next stage payload, which is encrypted using DES, and executes the decrypted file.

The decrypted file, named BootstrapCS, is the second stage of the multi-layer protection. While not obfuscated, it contains multiple anti-analysis checks, with the structure “settings” in the resources section determining which checks should be performed.

This stage can check for various emulation, sandbox, and virtual machine tools, and also searches for and shuts down specified processes, in addition to disabling system utilities. It also writes the payload path to startup registry keys, hides the file with system and hidden attributes, and injects the payload in various processes.

A binary resource named mainfile is the encrypted stage 3 of the payload. It is an executable that represents the third level of packing protection: a simple XOR algorithm with the KEY = 0x20 was used for encryption. The decrypted payload is injected into a process based on the value in the settings resource file.
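Both write-ups above describe the stage-3 mainfile resource as a PE executable XORed with the constant key 0x20. The following helper is an added triage example, not Fortinet's code: it recovers a single-byte XOR key from the known MZ signature (a known-plaintext check) and validates the result as a PE header, so it generalises beyond the 0x20 case. The sample blob is constructed inline and is not real malware.

```python
"""Triage helper for a single-byte XOR packing layer (added example)."""
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same operation packs and unpacks."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: MZ header and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == PE_SIG


def recover_xor_key(blob: bytes):
    """Return (key, decoded) if blob is a single-byte-XORed PE, else None.

    Known plaintext: a PE starts with 'MZ', so the first byte alone fixes the
    key candidate; the second byte and the PE signature confirm it.  With the
    key 0x20 seen in this campaign, 'MZ' simply becomes lower-case 'mz'.
    """
    if len(blob) < 2:
        return None
    key = blob[0] ^ ord("M")
    if blob[1] ^ key != ord("Z"):
        return None
    decoded = xor_single_byte(blob, key)
    return (key, decoded) if looks_like_pe(decoded) else None


def build_fake_pe() -> bytes:
    """Constructed header-only 'PE' blob for the demo (not an executable)."""
    hdr = bytearray(0x80)
    hdr[0:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew points at offset 0x40
    hdr[0x40:0x44] = PE_SIG
    return bytes(hdr)


# Constructed stand-in for the packed stage-3 resource, using the page's key.
CONSTRUCTED_STAGE3 = xor_single_byte(build_fake_pe(), 0x20)

if __name__ == "__main__":
    result = recover_xor_key(CONSTRUCTED_STAGE3)
    print("recovered key: %#x" % result[0] if result else "not a XORed PE")
```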

Stage 3 of the payload references a commercial Remote Administration Tool (RAT) called Imminent Monitor, which can be purchased by anyone directly from the app developer (who apparently prohibits the malicious use of the program). At stage 4, the security researchers once again stumbled upon ConfuserEx.

The main payload of the attack, however, turned out to be the commercial version of the Imminent Monitor RAT, which includes five modules to record videos using the victim’s webcam, to spy on victims, and to control their machines.

The command and control (C&C) servers used in these attacks led the researchers to discover 50 domains registered on the same day, some of which were used to spread malware, while others for phishing attacks. The researchers also discovered older .XLSX samples that use the same C&C but attempt to exploit different vulnerabilities.

“We also noticed that the pattern of these attacks has become quite popular today. The use of exploits is more efficient than the use of simple executable files, especially since the level of threat-awareness among users has sufficiently grown in recent years. It is simply not that easy to trick a user to opening executable file as it was before. Exploits are a different case,” Fortinet concludes.


Former GCHQ chief Hannigan warns of Russia’s aggressive approach to the cyberspace

11.6.18 securityaffairs  BigBrothers

According to former GCHQ chief, the recently discovered VPNFilter botnet is the demonstration that Russia appears to be live-testing cyberattacks.
Former GCHQ chief Robert Hannigan has warned that the availability of hacking tools in the main marketplaces is rapidly changing the threat landscape. Hannigan served as the director of the UK intelligence agency from November 2014 until January 2017.

Threat actors have easy access to attack tools even without specific knowledge.

Hannigan gave a keynote speech titled “Weaponising the web: Nation-state hacking and what it means for enterprise cybersecurity” at the Infosec conference in London last week.

Hannigan highlighted the risks associated with operations conducted by nation-state actors, which have dramatically increased over the last five years.

State-sponsored hackers pose a serious risk for enterprises as well as governments; the former GCHQ chief warned of government APT groups using crime gangs as proxies, which makes attribution harder.

“Nation state attacks using criminal group as a proxy” is a “fairly new issue.” Hacking tools are becoming a commodity for threat actors and represent a problem for companies.

Hannigan mentioned the activity conducted by North Korea-linked APT and Iranian state-sponsored hackers.

North Korean APT groups, like the infamous Lazarus APT crew, have focused their activity on the SWIFT network as well as on cryptocurrency exchanges to steal funds.

“This is a rational state pursuing rational objectives,” explained Hannigan.

Hannigan also warned of the intensifying activity of Iranian hackers, who have targeted financial institutions as well.

Which is the greatest threat?

Russia, of course! Russia-linked APT groups are very sophisticated and continuously target infrastructure worldwide. In some cases they have demonstrated destructive capabilities, as in the attacks against the Ukrainian power grid.


According to Hannigan, the recently discovered VPNFilter botnet is the demonstration that Russia appears to be live-testing cyberattacks.

“It’s unclear if that was a mistake or an experiment,” Hannigan said. “Russia seems to be live testing things in cyber, as it has been [on the ground] in Syria, but it’s a doctrine we don’t fully understand.”

The former spy chief highlighted the risks associated with state-sponsored malware like WannaCry, which caused billions of dollars in damages to organizations worldwide and severe problems for critical infrastructure, such as hospitals in the UK.

“The problem is that the risk of miscalculation is huge,” Hannigan warned.


Search Engines in Russia cannot link to banned VPN services and Internet proxy services
10.6.18 securityaffairs BigBrothers 

Russia strengthens online censorship by announcing fines for search engines that link to VPN services banned in the country.
The Russian Government has approved a new bill to punish search engines that are not aligned with Moscow and that allow their users to find VPN services and anonymization tools that circumvent the censorship.

According to the amendments to the Code of Administrative Offenses of the Russian Federation, the Duma will also impose fines on search engines if they continue to return results pointing to domains listed in the up-to-date database of blocked domains.

Fines for individuals will range between 3,000 and 5,000 rubles (roughly $48 to $80), while officials will face fines of up to 50,000 rubles (roughly $800), and legal entities will face fines between 500,000 and 700,000 rubles (roughly $8,019 to $11,227).

“The failure of the operator of the search system to connect to this system entails the imposition of an administrative fine on citizens in the amount of three thousand to five thousand rubles; on officials – from thirty thousand to fifty thousand rubles; on legal entities – from five hundred thousand to seven hundred thousand rubles,” reads the press release published by the Duma.

Russians ordinarily use VPN services and other anonymizing services to access blocked content and bypass censorship; the graph below shows the continuous growth in the number of Tor users in Russia.


In 2017, Russia’s parliament voted to ban web tools that could be used by people to surf outlawed websites, and the Duma approved the proposed bill to oblige anyone using an online message service to identify themselves with a telephone number.

The bill prohibited the use of any such service on Russian territory if it could be used to access blacklisted websites.

VPN operators and proxy services operating in the country must register themselves with the Government’s regulatory authority.

Since May 3rd, 2018, Russia’s media and communication regulatory authority Roskomnadzor has blocked over 50 virtual private networks (VPNs), web proxies and anonymizing networks.

However, many VPNs and Internet proxy services still haven’t complied with the country’s law by registering themselves; for this reason, Moscow introduced fines for search engines.

The Russian communications watchdog Roskomnadzor will also provide a Federal State Information System (FGIS) containing the list of banned websites and services in the country, and search engines will need to update the results they provide by connecting to FGIS.

Search engines have 30 days to be aligned with Federal State Information System (FGIS) if the service providers

Those who fail to connect to this system will also face fines similar to those detailed above.

In May, the Anonymous collective hacked and defaced a subdomain of Russia’s Federal Agency for International Cooperation (Rossotrudnichestvo) site to protest against government censorship, with a specific reference to the ban on Telegram.


Chinese state-sponsored hackers steal 600GB U.S. Navy data
9.6.18 securityaffairs BigBrothers 

According to a report published by The Washington Post, Chinese hackers have stolen a huge trove of sensitive data from a U.S. Navy contractor.
China-linked hackers have stolen a huge trove of sensitive data from a U.S. Navy contractor, the Washington Post reported Friday. The threat actors stole more than 614 gigabytes of data including secret plans to develop a new type of submarine-launched anti-ship missile.

The Washington Post was informed by government officials who spoke on the condition of anonymity.

According to the Washington Post, the security breach took place in January and February; the hackers belong to a division of the Chinese Ministry of State Security, operating out of the Chinese province of Guangdong.

The report published by the media outlet doesn’t reveal the name of the U.S. Navy contractor; it only reports that the contractor works for the Naval Undersea Warfare Center, based in Newport, Rhode Island.

“Chinese government hackers have compromised the computers of a Navy contractor, stealing massive amounts of highly sensitive data related to undersea warfare — including secret plans to develop a supersonic anti-ship missile for use on U.S. submarines by 2020, according to American officials.” states the report published by the Washington Post.

“The hackers targeted a contractor who works for the Naval Undersea Warfare Center, a military organization headquartered in Newport, R.I., that conducts research and development for submarines and underwater weaponry.”

Stolen data included unclassified information relating to submarine cryptographic systems, signals and sensor data, and a project called Sea Dragon.

The Sea Dragon project was launched by the Pentagon to extend existing US military technologies to new applications; the US Government has already spent more than $300 million on the initiative since 2015.

“The Defense Department, citing classification levels, has released little information about Sea Dragon other than to say that it will introduce a “disruptive offensive capability” by “integrating an existing weapon system with an existing Navy platform.” continues the post.

“The Pentagon has requested or used more than $300 million for the project since late 2015 and has said it plans to start underwater testing by September.”


At the time, the U.S. Navy did not comment on the incident for security reasons.

“There are measures in place that require companies to notify the government when a ‘cyber incident’ has occurred that has actual or potential adverse effects on their networks that contain controlled unclassified information,” said Cmdr. Bill Speaks, a U.S. Navy spokesman, adding that “it would be inappropriate to discuss further details at this time.”

“Evolving cyber threats are serious matters and we are continuously bolstering our cybersecurity culture by focusing on awareness of the cyber threat, and the adequacy of our cyber defenses and information technology capabilities,” he told AFP.

This incident is only the latest: Chinese hackers have already stolen sensitive information from the US military in the past, such as the blueprints of the F-35 stealth fighter, the advanced Patriot PAC-3 missile system, and other highly secret projects.


Chinese Government Hackers Steal Trove of U.S. Navy Data: Report

9.6.18 securityweek BigBrothers

Chinese government hackers have stolen a massive trove of sensitive information from a US Navy contractor, including secret plans to develop a new type of submarine-launched anti-ship missile, the Washington Post reported Friday.

Investigators told the newspaper that breaches were executed in January and February by a division of the Chinese Ministry of State Security, operating out of the Chinese province of Guangdong.

The contractor, which was not named in the report, works for the Naval Undersea Warfare Center, based in Newport, Rhode Island. It conducts research and development for submarines and underwater weapons systems.

According to the Post, hackers swiped 614 gigabytes of data that included information relating to sensors, submarine cryptographic systems and a little-known project called Sea Dragon.

The Pentagon has not said much about Sea Dragon, launched in 2012, except that it is aimed at adapting existing military technologies to new uses.

At the Navy's request, the Post withheld information about the compromised new missile system, but said it was for a supersonic anti-ship missile that could be launched from submarines.

Navy spokesman Commander Bill Speaks declined to confirm the Post report, citing security reasons.

"Evolving cyber threats are serious matters and we are continuously bolstering our cybersecurity culture by focusing on awareness of the cyber threat, and the adequacy of our cyber defenses and information technology capabilities," he told AFP.

Chinese hackers have for years targeted the US military to steal information and the Pentagon says they have previously swiped crucial data on the new F-35 stealth fighter, the advanced Patriot PAC-3 missile system and other highly sensitive projects.

News of the hack comes amid rising tensions between Beijing and Washington on a range of issues including trade and military matters.

The Pentagon last month pulled its invitation for China to join maritime exercises in the Pacific because of Beijing's "continued militarization" of the South China Sea.