Cyber security in the modern/post-modern Internet

[Astronuc]

If malware isn't bad enough, . . .

Exclusive: FBI warns of 'destructive' malware in wake of Sony attack
http://news.yahoo.com/exclusive-fbi...ware-wake-sony-attack-002204335--finance.html

This is becoming increasingly critical. Large corporations, particularly technology and financial institutions, and government labs are under constant attack, but there are some really skilled directed attacks.

Be careful, be alert and be informed.

 

[Chestermiller]

If malware isn't bad enough, . . .

Exclusive: FBI warns of 'destructive' malware in wake of Sony attack
http://news.yahoo.com/exclusive-fbi...ware-wake-sony-attack-002204335--finance.html

This is becoming increasingly critical. Large corporations, particularly technology and financial institutions, and government labs are under constant attack, but there are some really skilled directed attacks.

Be careful, be alert and be informed.

Thanks.

 

[Astronuc]

The malware was undetectable by industry standard antivirus software and was damaging and unique enough to cause the FBI to release a flash alert to warn other organizations of this critical threat.

https://www.yahoo.com/movies/s/sony-cyber-security-firm-calls-hack-unparalleled-well-223638815.html

https://www.mandiant.com/threat-landscape/

 

[Astronuc]

How to Watch Worldwide Cyberattacks — Live!
https://www.yahoo.com/tech/how-to-watch-worldwide-cyberattacks-live-124594707994.html

 

[Greg Bernhardt]

Next XF update supports 2 factor login. I am mulling over requiring it for staff.

 

[berkeman]

2 factor login

What dat?

 

[Greg Bernhardt]

What dat?

Most likely a secondary temp password will be sent to your email. There are more advanced services that give you temporary pin numbers too in different ways. All will be explained if we go that route. Might be as early as next month.

 

[berkeman]

Oh, like VPN dongles?

 

[Greg Bernhardt]

Oh, like VPN dongles?

Yeah, but now a days there are mobile apps to take the place of the actual dongle.

 

[berkeman]

Oh cool.

 

[Astronuc]

For future reference - https://www.dhs.gov/cyber-incident-response

 

[Astronuc]

Cyber attacks are becoming more complex.

East coast Internet service attack resolved
http://www.usatoday.com/story/tech/...-east-coast-netflix-spotify-twitter/92507806/

Apparently this was a widely distributed DDoS in which 'devices', e.g., webcams, connected to the internet were used to attack Dyn's servers.

 

[Astronuc]

When I made the initial post, OPM had been hacked.
Interesting read - https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/

The routine nature of OPM’s business made the revelations of April 15, 2015, as perplexing as they were disturbing. On that morning, a security engineer named Brendan Saulsbury set out to decrypt a portion of the Secure Sockets Layer (SSL) traffic that flows across the agency’s digital network. Hackers have become adept at using SSL encryption to cloak their exploits, much as online vendors use it to shield credit card numbers in transit. Since the previous December, OPM’s cybersecurity staff had been peeling back SSL’s camouflage to get a clearer view of the data sloshing in and out of the agency’s systems.

Soon after his shift started, Saulsbury noticed that his decryption efforts had exposed an odd bit of outbound traffic: a beacon-like signal pinging to a site called opmsecurity.org. But the agency owned no such domain. The OPM-related name suggested it had been created to deceive. When Saulsbury and his colleagues used a security program called Cylance V to dig a little deeper, they located the signal’s source: a file called mcutil.dll, a standard component of software sold by security giant McAfee. But that didn’t make sense; OPM doesn’t use McAfee products. Saulsbury and the other engineers soon realized that mcutil.dll was hiding a piece of malware designed to give a hacker access to the agency’s servers.

The Office of Personnel Management repels 10 million attempted digital intrusions per month—mostly the kinds of port scans and phishing attacks that plague every large-scale Internet presence—so it wasn’t too abnormal to discover that something had gotten lucky and slipped through the agency’s defenses. In March 2014, for example, OPM had detected a breach in which blueprints for its network’s architecture were siphoned away. But in this case, the engineers noticed two unusually frightening details. First, opmsecurity.org had been registered on April 25, 2014, which meant the malware had probably been on OPM’s network for almost a year. Even worse, the domain’s owner was listed as “Steve Rogers”—the scrawny patriot who, according to Marvel Comics lore, used a vial of Super-Soldier Serum to transform himself into Captain America, a member of the Avengers.

By Tuesday the 21st, having churned through a string of nearly sleepless days and nights, the investigators felt satisfied that they’d done their due diligence. Their scans had identified over 2,000 individual pieces of malware that were unrelated to the attack in question (everything from routine adware to dormant viruses). The PlugX variant they were seeking to annihilate was present on fewer than 10 OPM machines; unfortunately, some of those machines were pivotal to the entire network. “The big one was what we call the jumpbox,” Mejeur says. “That’s the administrative server that’s used to log into all the other servers. And it’s got malware on it. That is an ‘Oh feces’ moment.”

By controlling the jumpbox, the attackers had gained access to every nook and cranny of OPM’s digital terrain. The investigators wondered whether the APT had pulled off that impressive feat with the aid of the system blueprints stolen in the breach discovered in March 2014. If that were the case, then the hackers had devoted months to laying the groundwork for this attack.

OPM has a multifactor authentication scheme, but it wasn’t fully implemented until January 2015—too late to prevent the PlugX attack.

As the investigators laboriously sifted through interview transcripts and network logs, they created a rough timeline of the attack. The earliest incursion they could identify had been made with an OPM credential issued to a contractor from KeyPoint Government Solutions. There was no way to know how the hackers had obtained that credential, but the investigators knew that KeyPoint had announced a breach of its own in December 2014. There was a good chance that the hackers had first targeted KeyPoint in order to harvest the single credential necessary to compromise OPM.

 

[Astronuc]

U.S. Cyber Agency: Computer Hack Poses 'Grave Risk'


https://www.wired.com/story/russia-solarwinds-hack-targets-fallout/

I heard about this first on a radio news program about December 16 (SolarWinds and the Orion platform were mentioned) and have seen bits and pieces since. As far as I know, FireEye alerted the government concerning a breach. I don't think SolarWinds knew then that they had been hacked, and apparently the malware was still available to their unwitting customers.

https://www.fireeye.com/blog/produc...yber-attack-actions-to-protect-community.html
They didn't mention SolarWinds or the Orion software is the above posting on Dec 8.

https://www.csoonline.com/article/3600893/fireeye-breach-explained-how-worried-should-you-be.html

https://www.lawfareblog.com/reflections-solarwinds-breach

Since Dec. 13, the SolarWinds breach has dominated the news cycle. The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to mitigate the consequences of the security breach. SolarWinds, the company responsible for the software in question, reported that as many as 18,000 customers may have been affected. Other reports indicate that a variety of government agencies—including the departments of Treasury, State, Commerce, Energy (specifically, the National Nuclear Security Administration, which is responsible for the U.S. nuclear weapons stockpile), and Homeland Security—have been affected as well.

SolarWinds like to advertise their customer, which may be one reason their software was used to perpetrate this cyberattack.

Clearly, SolarWinds did not have very good security, but then FireEye, a cybersecurity firm, also seemed to be vulnerable as were many other institutions that were supposed to be secure.

 

[anorlunda]

Several of the astute analysts have always told us that the mechanism of distributing updates and security patches is itself a threat delivery vector. Even in the heated Apple-FBI debate about encryption, Apple claimed that they had no mechanism to decrypt the data, but some analysts pointed out that Apple need only send a new version of IOS to all phones that had encryption disabled.

Conventional wisdom is that end users must keep current on security update patches, and that failure to do so is malpractice. It's a paradox.

A defense against that is to use diversity. If every device used a different make/model/vintage/OS/protocol, then a successful hack must target one at a time rather than all at once. If SolarWinds had only one customer, this hack would not make headlines.

Of course, diversity can carry a large cost to support. For example, we enjoy the Internet only thanks to the universality of TCP/IP. If every network node had unique protocols, there would be no Internet.

Re: the power grid, I discussed diversity in this Insights article. Simply said, because the grid uses every make and model device offered by every manufacturer in the past 30-40 years, it is pretty diverse. Any successful cyber attack could only influence spots of the grid here and there. Compare it to cars. A cyber attack that hits only 2010-2017 Toyota Corollas would be serious but it can never be close to bringing down the world's fleet of vehicles.

Also, I'm not sure it is fair to say that any organization that gets hacked has, by definition, bad security.

 

[Astronuc]

Back when I worked at previous employer, we had a very secure system behind a robust firewall. We were getting attacked an average of 2K to 3K times a day from China, Russia, N. Korea, Eastern Europe and various other random actors from around the world. We never got breached. We also had separate, isolated computer systems for sensitive work. At the same time, we knew that various government institutions got breached, and we know of several DOE labs (at one lab we know of, hackers used a portal through a university as a backdoor) and NASA sites that got hacked.

— The breach is far broader than first believed. Initial estimates were that Russia sent its probes only into a few dozen of the 18,000 government and private networks it gained access to when it inserted code into network management software made by a Texas company named SolarWinds. But as businesses like Amazon and Microsoft that provide cloud services dig deeper for evidence, it now appears Russia exploited multiple layers of the supply chain to gain access to as many as 250 networks.

— The hackers managed their intrusion from servers inside the United States, exploiting legal prohibitions on the National Security Agency from engaging in domestic surveillance and eluding cyberdefenses deployed by the Department of Homeland Security.

— “Early warning” sensors placed by Cyber Command and the National Security Agency deep inside foreign networks to detect brewing attacks clearly failed. There is also no indication yet that any human intelligence alerted the United States to the hacking.

and

— SolarWinds, the company that the hackers used as a conduit for their attacks, had a history of lackluster security for its products, making it an easy target, according to current and former employees and government investigators. Its chief executive, Kevin Thompson, who is leaving his job after 11 years, has sidestepped the question of whether his company should have detected the intrusion.

— Some of the compromised SolarWinds software was engineered in Eastern Europe, and American investigators are now examining whether the incursion originated there, where Russian intelligence operatives are deeply rooted.

https://www.nytimes.com/2021/01/02/us/politics/russian-hacking-government.html

last week, CrowdStrike, another security company, revealed that it was also targeted, unsuccessfully, by the same hackers, but through a company that resells Microsoft software.

With respect to Eastern Europe

But some of those measures may have put the company and its customers at greater risk for attack. SolarWinds moved much of its engineering to satellite offices in the Czech Republic, Poland and Belarus, where engineers had broad access to the Orion network management software that Russia’s agents compromised.

Seriously?!

Older news - https://www.nytimes.com/2020/12/14/us/politics/russia-hack-nsa-homeland-security-pentagon.html

 

[Greg Bernhardt]

@Astronuc this is an interesting and important thread going forward, mind if I move to a public forum?

 

[Astronuc]

@Astronuc this is an interesting and important thread going forward, mind if I move to a public forum?

Various media organizations are reporting on it, and it is very important.

I'm astounded that even government agencies didn't know that SolarWinds had satellite offices in Belarus. It is mindboggling given the sensitivity of information and cybersecurity risks.

 

[Astronuc]

https://www.yahoo.com/movies/s/sony-cyber-security-firm-calls-hack-unparalleled-well-223638815.html

https://www.mandiant.com/threat-landscape/

That was 2014, and now, here we are again in 2020.

 

[Astronuc]

StreamWorks: Near Real-Time Detection of Emerging Patterns of Cyberattacks in Massive Data Streams
https://www.pnnl.gov/available-tech...ection-emerging-patterns-cyberattacks-massive

Technology Overview

One hundred forty-six days—that’s how long, on average, it takes to detect a cyber breach from the time it begins. Pacific Northwest National Laboratory’s patented StreamWorks cuts that time significantly—to near real time—by detecting emerging patterns of sophisticated cyberattacks in massive data streams.

Combining several analytic approaches, never before seen together in a cybersecurity tool, StreamWorks tells a cyber analyst when major suspicious patterns are occurring. The tool also provides a description of the potential threat and a rationale for why the threat was selected—so the analyst doesn't have to guess but, instead, can act swiftly.

 

[Astronuc]

A new cybersecurity threat has been identified publicly.
https://www.yahoo.com/finance/news/...-malware-in-us-systems-in-guam-195805235.html

China may have conducted digital espionage against the US' Pacific interests. Microsoft and the National Security Agency (NSA) have revealed that an alleged state-sponsored Chinese hacking group, Volt Typhoon, installed surveillance malware in "critical" systems on the island of Guam and elsewhere in the US. The group has been operating since mid-2021 and reportedly compromised government organizations as well as communications, manufacturing, education and other sectors.

Volt Typhoon prioritizes stealth, according to the investigators. It uses "living off the land" techniques that rely on resources already present in the operating system, as well as direct "hands-on-keyboard" action. They use the command line to scrape credentials and other data, archive the info and use it to stay in targeted systems. They also try to mask their activity by sending data traffic through small and home office network hardware they control, such as routers. Custom tools help them set up a command and control channel through a proxy that keeps their info secret.

I heard about this yesterday.
https://www.microsoft.com/en-us/sec...tructure-with-living-off-the-land-techniques/

https://www.afr.com/politics/federa...volt-typhoon-hacking-campaign-20230525-p5db4d

Businesses have been warned to be on high alert after Five Eyes members, including Australia, blamed a Chinese state-backed hacking group for a stealth surveillance campaign responsible for a series of attacks on US critical infrastructure.

In a rare public attribution, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) issued an advisory saying the group had exploited built-in Windows tools on compromised hosts.

https://wraltechwire.com/2023/05/25...se-clear-present-danger-to-us-says-microsoft/

https://www.yahoo.com/finance/news/china-rejects-claim-spying-western-091913475.html

(Reuters) - The Chinese government has rejected claims that its spies are penetrating Western infrastructure, calling the joint warning issued by the United States and its allies a "collective disinformation campaign."

Chinese foreign ministry spokesperson Mao Ning told reporters that alerts issued by the U.S., Britain, Canada, Australia and New Zealand were intended to promote their intelligence alliance, known as the Five Eyes - and that it was Washington that was guilty of hacking,

 

[Astronuc]

Vulnerability in Secure FTP program, MOVEIt. Russian hacker group, CL0P, apparently exploited a vulnerability in the MOVEIt software.

https://techcrunch.com/2023/06/15/moveit-clop-mass-hacks-banks-universities/

Researchers say the newly discovered security flaw was exploited as far back as 2021

The Russia-linked ransomware gang has been exploiting the security flaw in MOVEit Transfer, a tool used by corporations and enterprises to share large files over the internet, since late May. Progress Software, which develops the MOVEit software, patched the vulnerability — but not before hackers compromised a number of its customers.

While the exact number of victims remains unknown, Clop on Wednesday listed the first batch of organizations it says it hacked by exploiting the MOVEit flaw. The victim list, which was posted to Clop’s dark web leak site, includes U.S.-based financial services organizations 1st Source and First National Bankers Bank; Boston-based investment management firm Putnam Investments; the Netherlands-based Landal Greenparks; and the U.K.-based energy giant Shell.

 

[Astronuc]

Back in the day of WannaCry (from 2019)
https://www.physicsforums.com/threads/the-story-behind-the-wannacry-heroes.974474/

The rest of the story in May 12, 2020.

The Confessions of Marcus Hutchins, the Hacker Who Saved the Internet​

At 22, he single-handedly put a stop to the worst cyberattack the world had ever seen. Then he was arrested by the FBI. This is his untold story.
https://www.wired.com/story/confessions-marcus-hutchins-hacker-who-saved-the-internet/

 

[gmax137]

Thanks, @Astronuc that was an interesting read.

 

[Astronuc]

Spy agency issues urgent warning to billions of smartphone users to avoid being spied on​

https://www.msn.com/en-us/news/tech...one-users-to-avoid-being-spied-on/ar-BB1nCmCn
In other words, take steps to avoid malware and hacking.

The government agency’s Mobile Device Best Practices report is aimed at the billions of people around the world who use either an Android or an iOS smartphone, who are all exposed to a variety of cyber risks like spear-phishing attacks and zero-click exploits.

Smartphone users can protect themselves against many of these hacks by simply turning their phones off and on again, according to the NSA’s guidance.

“Threats to mobile devices are more prevalent and increasing in scope and complexity,” the US surveillance agency wrote in its guide.

“Users of mobile devices desire to take full advantage of the features available on those devices, but many of the features provide convenience and capability but sacrifice security.”

Apparently, turning off the smartphone at least once per week is one method to avoid or minimize risk of hackers breaching verification vulnerabilities, aka zero-click exploits.

The NSA also recommends updating a device’s software as often as possible and to never connect a personal device to government computers via WiFi or Bluetooth, or to public WiFi networks.

“Disable location services when not needed [and] do not bring the device with you to sensitive locations,” the advice states.

“Do not have sensitive conversations in the vicinity of mobile devices not configured to handle secure voice. Do not have sensitive conversations on personal devices, even if you think the content is generic.”

Since it was formed in 1952, the NSA has grown into one of the biggest surveillance agencies in the world, hiring tens of thousands of employees to collect data and communications on behalf of the US government.

Avoid logging into to sensitive or secure accounts on public systems, e.g., airport or hotel WiFi or through a Bluetooth connection. Certainly don't use foreign/public USB charging stations. Instead, use a portable power supply, or your own power plug and cable.

 

[Astronuc]

BBC (2021) - The Lazarus heist: How North Korea almost pulled off a billion-dollar hack
https://www.bbc.com/news/stories-57520169

Beware of unsolicited emails. Beware of phishing emails. Even the best malware detectors can miss sometimes.

 

[WWGD]

Spy agency issues urgent warning to billions of smartphone users to avoid being spied on​

https://www.msn.com/en-us/news/tech...one-users-to-avoid-being-spied-on/ar-BB1nCmCn
In other words, take steps to avoid malware and hacking.



Apparently, turning off the smartphone at least once per week is one method to avoid or minimize risk of hackers breaching verification vulnerabilities, aka zero-click exploits.



Avoid logging into to sensitive or secure accounts on public systems, e.g., airport or hotel WiFi or through a Bluetooth connection. Certainly don't use foreign/public USB charging stations. Instead, use a portable power supply, or your own power plug and cable.

If in a hotel, and you receive a request to clarify info (possibly as part of a MITM server) about yourself to the (alleged) hotel clerk, make an extra effort and go speak with them in person to verify. Ditto for supposed free e-Coupons sent to you for food when you arrive late in the day and hungry, use the food apps ( hopefully vetted) on your phone to order food. As a non-cyber security issue, block the view of the peephole in your hotel room. It may be revertible so others can look in (Peepholes who need peepholes are the luckiest ; ) ).