OccamSec View - Attribution

Attribution, while inherently difficult to determine, is important. Being able to correlate methods and motivations with a specific malicious group helps an organization prioritize defensive resources and decide which adversary to monitor through intelligence operations.

This month a sophisticated attack was reported on, detailing the discovery and tactics deployed, including reverse engineering details on the malware to better understand the attack and target. Like any other report published these days it provided in depth details and descriptions on the findings along with the specific group that was responsible for the attack. However, even with all the effort and resources that were attached to producing this report, it received criticism within the security community due to an incorrect attribution. While the nation responsible was correct, the wrong group of actors was reported as being responsible.

Malicious actors, for the most part, do not act with the intent of being discovered and work hard to minimize traces of their attack. Advanced groups are unlikely to leave a calling card to taunt authorities; instead they use tactics to erase their presence or, in some cases, to credit their actions to another group. This is achieved by manipulating the artifacts investigators rely on, such as log dates and times, source IP details, and code comments in malware. Additionally, to provide misdirection, a group may attack its target by replicating another group's approach through the use of that group's specific vectors and exploits.

Even with all the deceptive tactics used to misdirect investigators or minimize a group's presence after a breach, attribution is still possible. Intelligence gathering and infiltration into underground groups help provide positive identification of malicious operations. And despite best efforts at anonymity, much as in physical crimes, people make mistakes. Each mistake and each new piece of information from forensic activity can be analyzed and cross-referenced to form a clearer picture for attribution. This bigger picture fleshes out not just the group responsible but also its attack methods, the specific vectors or technologies it focuses on exploiting or leveraging and, just as important, its motivation and end goal.

While attribution is usually only considered after an incident occurs, it can also serve as an additional data point that provides relevant intelligence to an organization. With proper attribution it may be determined that a malicious group focuses on a specific industry; if an organization is not in that industry, it can rank that group lower as a potential threat. The same applies to attack vectors and even motives. If an organization is in an industry being targeted by a malicious group but its infrastructure does not contain that group's attack vector of choice, the organization can remain vigilant about the group while focusing its resources on other parts of its exposed footprint.


CEOs More Worried About Cybersecurity Than a Possible Recession

With markets uncertain, one might think a CEO in today’s world is worried about a possible recession. Wrong. According to a new survey by the Conference Board, domestic CEOs do not find heavy economic headwinds their biggest external business worry — they are more concerned about cybersecurity.

After high-profile data breaches experienced over the last two years by such companies as Marriott, Equifax and Uber, it is understandable that most CEOs would fear the dreaded cyber breach.

The study found that only U.S. CEOs ranked cybersecurity as their top concern. CEOs in Latin America, Japan and China found a possible cyber breach less worrisome, with it barely breaking the top ten list of pressing issues.

When it comes to recession, Europe, Japan, China and Latin America all rated this as their number one business worry.

However, while cybersecurity was a big issue, compliance with the privacy regulations that protect consumers from so much data theft was not. Among internal issues, U.S. CEOs did not list compliance as a worry that broke their top ten; it appeared at number 12 on most lists.

In Europe, where the GDPR has just taken effect, CEOs ranked compliance eighth on their scale of worries.


Source: Security Today


Global Cyber Attack Could Cause $85 Billion-$193 Billion Worth of Damage

A co-ordinated global cyber attack, spread through malicious email, could cause economic damages anywhere between $85 billion and $193 billion, a hypothetical scenario developed as a stress test for risk management showed.

Insurance claims after such an attack would range from business interruption and cyber extortion to incident response costs, the report jointly produced by insurance market Lloyd’s of London and Aon said on Tuesday.

Total claims paid by the insurance sector in this scenario are estimated at between $10 billion and $27 billion, based on policy limits ranging from $500,000 to $200 million.

The stark difference between insured and economic loss estimates highlights the extent of underinsurance in the event of such an attack, the stress test showed. An attack could affect several sectors globally, with the largest losses in the retail, healthcare, manufacturing and banking fields.

Regional economies that are more service dominated, especially the United States and Europe, would suffer more and are vulnerable to higher direct losses, the report said.

Cyber attacks have been in focus since a virus spread from Ukraine to wreak havoc around the globe in 2017, crippling thousands of computers, disrupting ports from Mumbai to Los Angeles and even halting production at a chocolate factory in Australia.

Governments are increasingly warning against the risks private businesses face from such attacks, both those carried out by foreign governments and financially motivated criminals.

For example, Britain’s National Cyber Security Centre announced on Friday it was investigating a large-scale Domain Name System (DNS) hijacking campaign that hit governments and commercial organizations across the world.

In another recent incident, French engineering consultancy Altran Technologies was the target of a cyber attack that hit its operations in some European countries.

On a larger scale, personal data and documents from hundreds of German politicians and public figures, including Chancellor Angela Merkel, were published online in what appears to be one of Germany’s most far-reaching data breaches.


Source: Reuters


The golden age of dark web drug markets is over

In July 2017, federal agents took down the Alphabay marketplace, then one of the largest and most profitable sources for drugs on the dark web. At the time, it seemed like a messy end to the string of dark net takedowns that started with the Silk Road. But more than a year and a half after the takedown, federal agents are still making arrests in Alphabay cases, chasing down dealers who sold drugs through the site.

The most recent case came to a close this past week, when Canadian national Christopher Bantli pled guilty to selling fentanyl and other opioid analogues through Alphabay under the name “canadasunshine.” Bantli sold to a string of undercover DEA agents throughout 2015 and 2016, and was indicted under seal as early as September 2016. But he wasn’t arrested until January 2019, when federal agents were able to extradite him to the US for the recent plea. It’s unclear how agents located Bantli or whether they used information seized in the Alphabay takedown to do so.

Those cases are growing more common across the board. Even before the takedown, drug enforcement agents were able to take down individual vendors through targeted buys. That technique only grew more effective as the sketchier bitcoin exchanges were shut down and agencies were able to prop up phony money-laundering operations in their place, generating even more leads.

By now, the playbook for taking down dark web drug dealers is pretty well established. A money-laundering sting in June implicated 35 different vendors, but smaller cases have trickled in at a regular clip. A month after Alphabay was taken down, an alleged cocaine vendor was arrested in the central valley of California. Ten days later, six more were indicted in the same district. Two Brooklyn-based heroin dealers were sentenced that January. In March, a Stockton man was sentenced to eight years for buying unlicensed firearms through the market. The vendor arrests have gone on and on and on, long after the markets themselves have closed up.

When the Silk Road first came onto the scene, it seemed like law enforcement had been outsmarted. The combination of Tor and Bitcoin seemed like a safe, untraceable way to buy illegal goods. Even when feds took one site down, more would spring up in its place. Looking at all the illicit commerce being done each day, the markets seemed unstoppable.

But after a seemingly endless stream of vendor arrests, that model is less convincing. Instead of a new paradigm, dark web marketplaces now look more like a brief window where marketplace technology outpaced law enforcement’s ability to track it. But now law enforcement has caught up — and judging by the rate of indictments, they’re making up for lost time.


Source: TheVerge


Unsecured Databases Expose Kremlin's Backdoor Into Russian Businesses

“Admin@kremlin.ru” account spotted on thousands of Russian-linked, internet-exposed MongoDB databases.

A Dutch security researcher has stumbled upon the Kremlin’s backdoor account that the government had been using to access the servers of local and foreign businesses operating in Russia.

The backdoor account was found inside thousands of MongoDB databases that had been left exposed online without a password.

Any hacker who noticed the account could have used it to gain access to sensitive information from thousands of companies operating in Russia.

“The first time I saw these credentials was in the user table of a Russian Lotto website,” Victor Gevers told ZDNet in an interview today. “I had to do some digging to understand that the Kremlin requires remote access to systems that handle financial transactions.”

The researcher says that after his initial finding, he later found the same “admin@kremlin.ru” account on over 2,000 other MongoDB databases that had been left exposed online, all belonging to local and foreign businesses operating in Russia.

Examples include databases belonging to local banks, financial institutions, big telcos, and even Disney Russia.
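The databases in this story were reachable because two settings were wrong at once: no authorization required, and the listener bound to every interface. As an added example (not from the ZDNet report or OccamSec), the audit below reads a mongod.conf, reports both problems, and is run against a constructed config in the exposed shape and against the corrected one. The minimal parser handles only the nested key: value subset of mongod.conf YAML used here; the addresses are made up.

```python
"""Audit a mongod.conf for the two settings behind 'exposed without a password'.

Added example, not from the ZDNet report or OccamSec. The configs below are
constructed; the parser handles only the nested key: value subset of
mongod.conf YAML used here (no lists or quoted strings).
"""


def parse_conf(text):
    """Parse indentation-nested 'key: value' YAML into nested dicts."""
    root = {}
    stack = [(-1, root)]                         # (indent, mapping) from root down
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop comments and blanks
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:            # climb back to the parent level
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":                  # section header such as "net:"
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value.strip()
    return root


def audit(conf_text):
    """Return a list of findings; an empty list means both checks pass."""
    conf = parse_conf(conf_text)
    findings = []
    security = conf.get("security", {})
    if security.get("authorization", "disabled") != "enabled":
        findings.append("security.authorization is not 'enabled': every client "
                        "that reaches the port has full read/write access")
    net = conf.get("net", {})
    # 127.0.0.1 is mongod's default bind address since 3.6.
    addrs = [a.strip() for a in net.get("bindIp", "127.0.0.1").split(",")]
    if net.get("bindIpAll", "false").lower() == "true" or any(a in ("0.0.0.0", "::") for a in addrs):
        findings.append("net.bindIp/bindIpAll exposes the listener on all interfaces")
    return findings


# Constructed configs: the exposed shape first, then the corrected one.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # reachable from anywhere, no auth section at all
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the app-server-facing address (constructed)
security:
  authorization: enabled      # role-based access control required
"""

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

A clean config audit is only the first step; the researcher's find was an account in the user table, so the second step is to compare the accounts that actually exist in the database against the list the organization knows it created.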


Source: ZDNet


New Rules Target Supply Chain Risks to the Power Grid

The Federal Energy Regulatory Commission (FERC) passed new cybersecurity rules last fall that, for the first time, focus on cyber risks the supply chain could pose to the Bulk Electric System (BES) — a call to arms for many power generation and transmission companies. These rules cover cyber-related hardware, software, equipment, and services that make up the BES that lies at the heart of power generation, transmission, and distribution companies.

Among several mandates, the rules require power and utility (P&U) organizations to develop and document “supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems,” including items such as vendor incident notification processes and software verification and integrity procedures. Compliance monitoring and enforcement procedures—appropriate to the new cyber standards—also need to be adopted, and the rules provide examples of different levels of violation, from low to severe.
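The "software verification and integrity procedures" the rules ask for come down to one concrete check before a vendor package is installed: does every file match an authenticated list of hashes, with nothing missing and nothing extra. The block below is an added example, not FERC's or OccamSec's, and its package contents and key are constructed. A real vendor would publish a detached signature (for instance a GPG signature) over the manifest; an HMAC with a key exchanged out of band stands in for that so the example runs with the standard library only.

```python
"""Verify a vendor software package against an authenticated hash manifest.

Added example, not FERC's or OccamSec's. The package contents and the key
are constructed. A real vendor would publish a detached signature over the
manifest; the HMAC here is a stand-in for that signature.
"""
import hashlib
import hmac


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """'<sha256>  <name>' per line, sorted by name (what the vendor ships)."""
    return "".join(f"{sha256_hex(b)}  {name}\n" for name, b in sorted(files.items()))


def parse_manifest(text):
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, _, name = line.partition("  ")
            entries[name] = digest
    return entries


def verify_package(files, manifest_text, manifest_mac, key):
    """Return (ok, problems).

    Step 1 authenticates the manifest itself; without that, whoever replaces
    a file can replace its listed hash too. Step 2 checks every file both
    ways: nothing listed may be missing, nothing unlisted may be present.
    """
    expected = hmac.new(key, manifest_text.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest_mac):
        return False, ["manifest authentication failed: do not trust any hash in it"]
    entries = parse_manifest(manifest_text)
    problems = []
    for name in sorted(set(entries) | set(files)):
        if name not in files:
            problems.append(f"{name}: listed in manifest but missing from package")
        elif name not in entries:
            problems.append(f"{name}: present in package but not in manifest")
        elif not hmac.compare_digest(sha256_hex(files[name]), entries[name]):
            problems.append(f"{name}: hash mismatch")
    return not problems, problems


# Constructed vendor release (file name -> bytes) and its authenticated manifest.
VENDOR_KEY = b"constructed-demo-key-exchanged-out-of-band"
GOOD_FILES = {
    "firmware.bin": b"\x7fELF-placeholder-firmware-image",
    "release-notes.txt": b"v1.2.3: constructed sample\n",
}
MANIFEST = build_manifest(GOOD_FILES)
MANIFEST_MAC = hmac.new(VENDOR_KEY, MANIFEST.encode(), hashlib.sha256).hexdigest()


def tampered_package():
    """The same release with a byte appended to the firmware and an extra file added."""
    files = dict(GOOD_FILES)
    files["firmware.bin"] = files["firmware.bin"] + b"\x00"
    files["helper.dll"] = b"unexpected"
    return files


if __name__ == "__main__":
    print(verify_package(GOOD_FILES, MANIFEST, MANIFEST_MAC, VENDOR_KEY))
    print(verify_package(tampered_package(), MANIFEST, MANIFEST_MAC, VENDOR_KEY))
```

The order matters: the manifest is authenticated before any file hash is compared, and the comparison runs over the union of listed and shipped names so that an added component is reported, not silently accepted.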

Vast networks of third-party vendors and suppliers produce many of the components used to power the grid. This raises concerns about a new channel for criminal or political threats—from fraudsters out for financial gain to state-sponsored terrorism—that could find its way into the P&U industry's infrastructure and, ultimately, the power grid.

Although P&U organizations have until mid-2020 to comply with the new FERC regulations, the number of changes to processes and vendor contracts will likely be substantial for many.

The FERC regulations do not extend enforcement to the vendor community at this point, which means catching and addressing cyber issues at the vendor level is the ultimate responsibility of the P&U company, while a significant amount of the risk resides with the vendors.


Source: Wall Street Journal


E-Ticketing Flaw could Allow Hackers to Print Boarding Passes

E-ticketing systems used by eight major airlines suffer from lax security that could expose personal information and allow tampering with seats and boarding passes. Researchers at mobile security firm Wandera published a report highlighting a vulnerability found in check-in emails delivered to passengers. While there is no evidence of any significant breach, the vulnerability may still give travelers pause.

According to the researchers, the issue stems from the use of unencrypted check-in links sent to passengers via email. When a person clicks on the link, they are directed to a site to check in for their flight, make changes or print their boarding pass. Because the links are unencrypted, Wandera warns that a malicious actor connected to the same Wi-Fi network could intercept the link request and gain access to the person’s check-in page.

Once a hacker has access to the page, they could view a significant amount of personal information, from names and addresses to passport and ID numbers. They could also access specific details about the flight, including booking references, flight times and numbers, and seat assignments.

Because of how the vulnerability is exploited, it is unlikely that any sort of widespread attack could be launched against travelers. It would have to be a focused effort directed at individuals. However, it does open up the possibility of a hacker making someone’s life miserable by changing their travel plans. Travelers can primarily avoid such an attack by making sure to only visit check-in links on a secure network.
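On the sending side, the fix is to never emit a plaintext link in the first place, which is something an email template pipeline can check for. The block below is an added example, not Wandera's or OccamSec's code: it extracts every URL from an email body, flags the ones that are http:// rather than https://, and raises the severity when the link also carries booking or passenger identifiers in its query string, since that is exactly the request an observer on the same Wi-Fi could read. The airline domain, the email bodies and the list of identifying parameter names are constructed assumptions.

```python
"""Flag plaintext (http://) check-in links in outgoing email templates.

Added example, not Wandera's or OccamSec's code. The email bodies and the
airline domain are constructed; the identifying parameter names are an
assumption to extend for a given booking system.
"""
import re
from urllib.parse import urlsplit, parse_qs

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Query parameters that identify the passenger or the booking (assumed names).
PASSENGER_PARAMS = {"pnr", "bookingref", "booking", "surname", "lastname", "token"}


def audit_links(body):
    """Return one finding per URL in the body that is not HTTPS.

    severity 'high': plaintext link that also carries booking/passenger data,
    so whoever can see the traffic gets the whole check-in page;
    severity 'medium': plaintext link without such data (still interceptable).
    """
    findings = []
    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue
        ids = {k.lower() for k in parse_qs(parts.query)} & PASSENGER_PARAMS
        findings.append({
            "url": url,
            "severity": "high" if ids else "medium",
            "identifiers": sorted(ids),
        })
    return findings


# Constructed templates: the weak one as the report describes, then the fix.
WEAK_EMAIL = (
    "Your flight is tomorrow. Check in here:\n"
    "http://checkin.example-air.test/ci?pnr=ABC123&surname=DOE\n"
    "Terms: https://www.example-air.test/terms\n"
)
FIXED_EMAIL = WEAK_EMAIL.replace("http://checkin", "https://checkin")

if __name__ == "__main__":
    print(audit_links(WEAK_EMAIL))   # one 'high' finding
    print(audit_links(FIXED_EMAIL))  # []
```

Switching the link to https:// closes the gap the report describes only if the check-in host also refuses plaintext connections and sends an HSTS header, otherwise a client that strips the scheme or follows an old bookmark lands back on port 80.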


Source: Engadget


APT39: An Iranian Cyber Espionage Group Focused on Personal Information

APT39 is an Iranian cyber espionage group responsible for widespread theft of personal information.

The APT39 designation was created to bring together previous activities and methods used by this actor, and its activities largely align with a group publicly referred to as “Chafer.” However, there are differences in what has been publicly reported due to variances in how organizations track activity. APT39 primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39’s targeting scope is global, its activities are concentrated in the Middle East. APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and the IT firms that support it, and the high-tech industry.

APT39’s focus on the telecommunications and travel industries suggests intent to perform monitoring, tracking, or surveillance operations against specific individuals, collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities, or create additional accesses and vectors to facilitate future campaigns. Government entities targeting suggests a potential secondary intent to collect geopolitical data that may benefit nation-state decision making. Targeting data supports the belief that APT39’s key mission is to track or monitor targets of interest, collect personal information, including travel itineraries, and gather customer data from telecommunications firms.

FireEye, a public cybersecurity company, has moderate confidence that APT39 operations are conducted in support of Iranian national interests, based on regional targeting patterns focused on the Middle East, infrastructure, timing, and similarities to APT34, a group that loosely aligns with activity publicly reported as “OilRig”. While APT39 and APT34 share some similarities, including malware distribution methods, POWBAT backdoor use, infrastructure nomenclature, and targeting overlaps, FireEye considers APT39 to be distinct from APT34 given its use of a different POWBAT variant. It is possible that these groups work together or share resources at some level.

APT39 uses a variety of custom and publicly available malware and tools at all stages of the attack lifecycle.

-Initial compromise: APT39 leverages spear phishing emails with malicious attachments and/or hyperlinks typically resulting in a POWBAT infection. APT39 frequently registers and leverages domains that masquerade as legitimate web services and organizations that are relevant to the intended target.

-Establish a foothold: APT39 leverages custom backdoors such as SEAWEED, CACHEMONEY, and a unique variant of POWBAT to establish a foothold in a target environment.

-Lateral movement and maintained presence: APT39 facilitates lateral movement through myriad tools such as Remote Desktop Protocol (RDP), Secure Shell (SSH), PsExec, RemCom, and xCmdSvc. Custom tools such as REDTRIP, PINKTRIP, and BLUETRIP have also been used to create SOCKS5 proxies between infected hosts. In addition to using RDP for lateral movement, APT39 has used this protocol to maintain persistence in a victim environment.

-Complete mission: APT39 typically archives stolen data with compression tools such as WinRAR or 7-Zip.
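The lateral-movement and collection phases above are the ones a defender can see in ordinary Windows telemetry: PsExec and RemCom install a service on the target (System event 7045), RDP sessions appear as logon type 10 (Security event 4624), and WinRAR or 7-Zip show up as process creations (Security event 4688). As an added example that is not FireEye's or OccamSec's code, the detector below classifies such events, looks for one account reaching several hosts over RDP, and only alerts when an account shows two or more of the phases, which is what separates the pattern from a helpdesk session or a user zipping photos. The event records are constructed and simplified; the fan-out threshold and the archiver list are assumptions to tune per environment.

```python
"""Correlate remote-exec service installs, RDP fan-out and archiver use per account.

Added example, not FireEye's or OccamSec's code. The events are constructed
and flattened (field names are simplified, not raw EVTX fields); thresholds
are assumptions to tune per environment.
"""
from collections import defaultdict

REMOTE_EXEC_SERVICES = {"psexesvc", "remcomsvc"}        # services dropped by PsExec / RemCom
ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe"}
RDP_FANOUT_THRESHOLD = 3   # assumption: distinct hosts one account reaches via RDP

# Constructed sample events; 'host' is the machine that logged the event.
EVENTS = [
    # System 7045: new service installed (PsExec leaves PSEXESVC on the target)
    {"id": 7045, "host": "FS01", "user": "CORP\\jdoe", "service": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe"},
    # Security 4624, logon type 10 = RemoteInteractive (RDP), same account, three hosts
    {"id": 4624, "host": "FS01", "user": "CORP\\jdoe", "logon_type": 10, "src_ip": "10.1.1.20"},
    {"id": 4624, "host": "DB02", "user": "CORP\\jdoe", "logon_type": 10, "src_ip": "10.1.1.20"},
    {"id": 4624, "host": "MAIL03", "user": "CORP\\jdoe", "logon_type": 10, "src_ip": "10.1.1.20"},
    # Security 4688 process creation: 7-Zip 'a' (add) command building an archive
    {"id": 4688, "host": "FS01", "user": "CORP\\jdoe", "process": r"C:\Tools\7z.exe",
     "cmdline": "7z.exe a staging.7z D:\\Exports"},
    # Benign noise: one helpdesk RDP session and a user archiving pictures
    {"id": 4624, "host": "WS07", "user": "CORP\\helpdesk", "logon_type": 10, "src_ip": "10.1.1.5"},
    {"id": 4688, "host": "WS07", "user": "CORP\\asmith", "process": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": "7z.exe a photos.7z C:\\Users\\asmith\\Pictures"},
]


def classify(event):
    """Map one event to a behaviour phase, or None if it is not of interest."""
    if event["id"] == 7045 and event.get("service", "").lower() in REMOTE_EXEC_SERVICES:
        return "remote-exec-service"
    if event["id"] == 4688:
        exe = event.get("process", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        # Only the archive-creation verb ('a') counts; extracting is not staging.
        if exe in ARCHIVERS and event.get("cmdline", "").split()[1:2] == ["a"]:
            return "archive-staging"
    return None


def rdp_fanout(events):
    """Accounts whose RDP (logon type 10) sessions reach >= threshold distinct hosts."""
    targets = defaultdict(set)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 10:
            targets[e["user"]].add(e["host"])
    return {user: hosts for user, hosts in targets.items() if len(hosts) >= RDP_FANOUT_THRESHOLD}


def correlate(events):
    """Return {user: set(phases)} for every account tied to at least one phase."""
    phases = defaultdict(set)
    for e in events:
        phase = classify(e)
        if phase:
            phases[e["user"]].add(phase)
    for user in rdp_fanout(events):
        phases[user].add("rdp-fanout")
    return dict(phases)


def alerts(events, min_phases=2):
    """Accounts showing two or more phases: the cheap correlation that cuts the noise."""
    return sorted(u for u, p in correlate(events).items() if len(p) >= min_phases)


if __name__ == "__main__":
    for user, phases in correlate(EVENTS).items():
        print(user, sorted(phases))
    print("alert:", alerts(EVENTS))
```

Run on the sample, only CORP\jdoe trips the alert (service install, RDP to three hosts, archive creation); CORP\asmith's 7-Zip use and the helpdesk RDP session each register a single phase and stay below the bar.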


Telecommunications firms are attractive targets given that they store large amounts of personal and customer information, provide access to critical infrastructure used for communications, and enable access to a wide range of potential targets across multiple verticals. APT39’s targeting not only represents a threat to known targeted industries, but it extends to these organizations’ clientele, which includes a wide variety of sectors and individuals on a global scale. APT39’s activity showcases Iran’s potential global operational reach and how it uses cyber operations as a low-cost and effective tool to facilitate the collection of key data on perceived national security threats and gain advantages against regional and global rivals.


Source: FireEye