News Items

September 09, 2021 4:00pm - 6:00pm (GMT-05:00) Eastern Time (US & Canada)

Please join us for an engaging NSALive Adobe Webinar on Sept 9th 2021 from 4-6pm EST to learn about the National Security Agency and Student Program opportunities, as well as a deep dive into the 2021 Codebreaker Challenge! Codebreaker Challenge is our annual cybersecurity & cryptanalysis challenge with a realistic, NSA mission-centric scenario open to U.S based academic institutions. The 2021 challenge is open from August 2nd – December 31st 2021

Researchers from Cisco Talos were able to translate the Conti ransomware gang's leaked internal materials, thus revealing details about the group's attack methods. The materials suggest that their attack methods were designed to allow low-skilled actors to successfully launch attacks against targets considered valuable. The ransomware gang's attack playbook was leaked by an unhappy Conti member. Following the leak, the researchers analyzed them and released an English translation, clarifying the steps and tools involved in a Conti attack. The documents revealed detailed information on attack scenarios that amateur hackers could perform. Though these attacks could be performed by low-skilled hackers, they have the potential to cause significant destruction. The instructions teach Conti's affiliates how to gain administrator access to a targeted network after using provided commands and tools to list users, specifically those that have Active Directory access. They also detail the performance of simple reconnaissance such as checking LinkedIn and other social media platforms to identify employees who could have privileged network access. The Cobalt Strike red-teaming framework and its cracked version 4.3 was the most popular tool in the instructions. There were also instructions on how to exploit the ZeroLogon vulnerability, PrintNightmare, and other critical bugs. Some of the tools described by the group are not what researchers usually see during incident response. These tools include SharpView, a .NET port of the PowerView tool from the PowerShell-based PowerSploit offensive toolkit, Armitage, a Java-based GUI front-end for the Metasploit penetration testing platform, and SharpChrome, a tool for decrypting logins and cookies in Chrome. Common-line utilities mentioned in the leaked documents included ADFind, SMBAutoBrute, and AnyDesk. The leak also contained video tutorials on how to use PowerShell to carry out different tasks such as penetration testing and attacking the Active Directory. Defenders could use the leak to implement better strategies and controls for detecting such attacks. This article continues to discuss the translation of the Conti ransomware gang's playbook, the information contained by the leaked instructions, and how defenders could take advantage of this information.

CyberIntelMag reports "Conti Ransomware Gang's Playbook Gets Translated Into English, Gives Insight Into Attacks"

The U.S. Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency alert pertaining to the active exploitation of Microsoft Exchange ProxyShell vulnerabilities by threat actors in the wild. ProxyShell is a set of vulnerabilities discovered by DevCore security researcher Orange Tsai and demonstrated at the August Black Hat security conference. The cybersecurity firm Huntress also found more than 140 webshells executed against 1,900 unpatched Exchange servers. According to a security researcher at Huntress, organizations that have been impacted include manufacturing, seafood processors, auto repair shops, industrial machinery, a small residential airport, and more. Several other researchers also detected malicious activity involving the exploitation of ProxyShell vulnerabilities for the potential launch of LockFile ransomware attacks. Threat actors have dropped webshells using ProxyShell vulnerabilities to gain persistent access on affected Microsoft Exchange servers. The webshells were used to install backdoors for LockFile ransomware attacks as well as launch Petitpotam attacks to hijack servers. This article continues to discuss the weaponization of ProxyShell vulnerabilities for potential LockFile ransomware attack execution.

CPO Magazine reports "LockFile Ransomware Attacks Exploit ProxyShell Vulnerabilities on Unpatched Microsoft Exchange Servers"

The cloud and data center security company Guardicore discovered a new attack vector on Comcast's XR11 voice remote that would allow attackers to turn it into a listening device, posing a significant threat to a user's privacy. The attack dubbed WarezTheRemote, which Comcast has now remediated, was a major security threat as over 18 million units of the XR11 were deployed across homes in the U.S., making it one of the most widespread remote controls. The Guardicore researchers were able to break into RF communication between the remote and set-top box and then eavesdrop on conversations using a basic RF transceiver. WarezTheRemote applies a man-in-the-middle (MITM) attack to exploit the remote's RF communication with the set-top box and over-the-air firmware upgrades by pushing a malicious firmware image back to the remote, allowing attackers to record audio, without user interaction, continuously. The attack does not require the malicious actor to have physical contact with the targeted remote. It also does not require any interaction from the victim. Bud Broomhead, CEO at Viakoo, a provider of automated Internet of Things (IoT) cyber hygiene, highlighted this as another example of the potential exploitation of IoT device vulnerabilities by cyber attackers that could lead to ransomware, stolen data, or a system takeover. Remediation of IoT device vulnerabilities includes upgrading firmware, credentialing with password enforcement, and more. John Bambenek, Threat Intelligence Advisor at Netenrich, a digital IT and security operations company, adds that WarezTheRemote emphasizes the need for IoT device makers to think about security to prevent such basic attacks, but it is more important not to overlook the more severe risks. Organizations must think about the amount of data these IoT devices are allowing them to gather and whether cybercriminals can take and abuse that data. This article continues to discuss the WarezTheRemote attack that could have allowed Comcast's XR11 voice remote to be turned into a listening device and the remediation of IoT device vulnerabilities.

Security Magazine reports "Comcast Flaw Could Have Turned Remotes into Listening Devices"

As part of the National Security Agency (NSA), the National Centers of Academic Excellence in Cybersecurity awarded a two-year $1.67 million grant to the Center for Infrastructure Assurance and Security (CIAS) at the University of Texas at San Antonio to help communities become more cyber secure. During the two-year grant, the CIAS will work with multiple communities to help develop a community-wide K-12 cybersecurity program, support local industry and government in becoming more cyber resilient, and help local academic institutions develop cybersecurity programs for students. Dr. Greg White, director of the CIAS, emphasized that the increased targeting of communities nationwide by both domestic and foreign cyber threats calls for a whole-community approach to be taken to protect citizens, organizations, and infrastructures from cyberattacks. The NSA grant will enable the CIAS to work with Angelo State University in implementing a cybersecurity program that starts with K-12 education and continues into local businesses, government, and the general public. The two-year pilot program will establish a K-12 cybersecurity initiative for elementary, middle, and high schools in which cybersecurity lesson plans, tools, and resources are provided to students, teachers, and counselors during the school year. The program will also expand upon cybersecurity summer camps and promote the establishment of CyberPatriot teams as well as Cyber Threat Defender tournaments. This grant will help establish a Culture of Cybersecurity program geared towards K-5 students. It will also help develop certification training, assist 2- and 4-year institutions meet the requirements for an NSA/DHS Center of Academic of Excellence designation, and more. This article continues to discuss the NSA grant aimed at helping communities become more cyber secure.

Homeland Security News Wire reports "Cybersecurity Education Help Communities Become More Cyber Secure"

Researchers from Barracuda Networks conducted a new study and published their work in a report called Bot attacks: Top Threats and Trends. During their research, the researchers found that nearly two-fifths (39%) of all internet traffic is comprised of "bad bot" activity, with e-commerce assets most at risk of attack. The researchers also found that automated traffic accounts for the vast majority (64%) of all internet traffic today, including search engine crawlers and social media bots. The researchers stated that only a quarter (25%) of internet traffic can be labeled "good bot" activity. Most of the traffic analyzed in the report came from AWS and Azure public clouds. North America accounted for 67% of bad bot traffic, followed by Europe and Asia. However, in Europe, malicious bots are more likely to come from hosting services or residential IPs, the report said. The researchers warned that e-commerce apps and login portals are the most common target of advanced persistent bots, which are harder to detect as they closely imitate human behavior.

Infosecurity reports: "Bad Bots Focus Attacks on E-Commerce Targets"

The FBI and CISA put out a joint cybersecurity advisory (PDF) Tuesday, noting that ransomware actors often ambush organizations on holidays and weekends when offices are typically closed, making the upcoming three-day weekend a prime opportunity for threat actors. The agencies stated that they haven't discovered "any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday," they are instead working on the idea that it is better to be safe than sorry given that some significant cyberattacks have occurred over holidays and weekends during the past few months. Researchers at Cerberus Sentinel stated that attackers usually go after organizations when there are three-day weekends, mainly because the absence of crucial personnel makes it less likely that targeted organizations can quickly detect and contain attacks once launched. The additional time gives attackers the ability to exfiltrate more sensitive data or lock up more computers with ransomware than they otherwise might have been able to. The now-infamous Colonial Pipeline attack by now-defunct ransomware group DarkSide that crippled the oil pipeline on the East Coast for some weeks after occurred in the lead-up to Mother's Day weekend, agencies observed. Then later in May, over the Memorial Day weekend, the REvil ransomware group targeted the world's largest meat distributor JBS Foods, forcing the shutdown of some operations in both the United States and Australia and causing disruption in the global food supply chain. Like DarkSide, REvil also has since closed up shop. Another major ransomware attack by REvil occurred over the Fourth of July holiday weekend, this time exploiting zero-day vulnerabilities in the Kaseya Virtual System/Server Administrator (VSA) platform. Though the two ransomware players who launched these previous attacks are now gone, there are still plenty who are active, federal agencies warned. The FBI's Internet Crime Complaint Center (IC3), which logs cyber incident complaints about various types of Internet crime, said attacks from the following ransomware variants have been the most frequently reported to the FBI over the last month: Conti, PYSA, LockBit, RansomEXX/Defray777, Zeppelin, and Crysis/Dharma/Phobos.

Threatpost reports: "Feds Warn of Ransomware Attacks Ahead of Labor Day"

A career with the Intelligence Community (IC) can be enormously rewarding. It also demands the very best of the workforce. To meet the requirements, you must be highly competent in your field. You must also be highly reliable and trusted to safeguard some of the nation’s most sensitive information.

Researchers from the NCC Group have found that the number of ransomware attacks surged by 288% between the first and second quarters of 2021 as double extortion attempts grew. The researchers claimed that nearly a quarter (22%) of data leaks came from the Conti group in the second quarter. Conti typically gains initial network access to victim organizations via phishing emails, the researchers stated. Next came Avaddon, which accounted for 17% of incidents, although this variant is now thought to be inactive. Unsurprisingly, nearly half (49%) of victims with known locations in Q2 were based in the US, followed by 7% in France and 4% in Germany. Christo Butcher, global lead for threat intelligence at NCC Group, argued that no organization in any sector is safe from ransomware today. Christo Butcher also stated that it is crucial for organizations to be proactive about their resilience and should include proactive remediation of security issues and operating a least-privilege model.

Infosecurity reports: "Ransomware Attacks Soar 288% in First Half of 2021"

The largest independent group of physicians in Illinois is notifying 600,000 patients that their personal information may have been exposed. DuPage Medical Group (DMG) said that patient data could have been compromised when its computer network was hacked last month. Patient information that the hackers may have accessed includes names, addresses, dates of birth, diagnosis codes, information on medical procedures, and treatment dates. For some patients, there is a chance that their Social Security number may also have been compromised. DMG experienced a network outage on July 13. Third-party cyber-forensic specialists were hired to investigate the security incident. They were able to find that unauthorized actors had gained access to the DMG network between July 12, 2021, and July 13, 2021, and that it was the adversaries who had caused the outage.

Infosecurity reports: "Illinois Physicians Notify 600K Patients of Data Breach"

Bangkok Airways issued a statement to its customers apologizing for a data breach involving their passport information and other personal data. According to the company, the cybersecurity incident occurred because of unauthorized and unlawful access to its information system on August 23. Bangkok Airways has not yet revealed how many customers were impacted by the breach or the timeframe from which the data came. However, an investigation of the incident did reveal that names, nationalities, genders, phone numbers, emails, addresses, contact information, historical travel information, partial credit card information, and more had been accessed in the cyberattack. According to the statement, the attackers were not able to impact Bangkok Airways' operational or aeronautical security systems. Passengers are urged to contact their bank or credit card providers for further advice and change compromised passwords immediately. Bangkok Airways' announcement coincided with a notice from the LockBit ransomware group claiming that it was planning to leak 103 GB of compressed files stolen from the company. Members of the LockBit group are actively exploiting vulnerabilities contained by Fortinet FortiOS and FortiProxy products to gain initial access to specific victim networks. The group largely targets commercial and professional services, as well as the transportation sector. This article continues to discuss the data breach faced by Bangkok Airways and key findings surrounding the LockBit ransomware group.

ZDNet reports "Bangkok Airways Apologizes for Passport Info Breach as LockBit Ransomware Group Threatens Data Leak"

---

Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

Higher education providers have become an increasingly attractive target for state-sponsored actors in cyberattacks. The number of publicly acknowledged cybersecurity incidents impacting Australian universities have risen this year. Earlier this year, the Australian Security Intelligence Organization (ASIO) confirmed that Australian universities and researchers were under threat from foreign states. There are several reasons why universities' systems may be vulnerable to cyberattacks. Universities are designed to be open and collaborative, and they typically use many public-facing systems, some of which may be outdated. Many universities are spread across many campuses and research locations. They have many different users accessing systems and services, including students, academics, researchers, and staff members. These various touch points provide a broader attack surface to hackers that is difficult to combat. The fact that universities store a significant amount of intellectual property assets and personal information stemming from research activities and users, also makes them more vulnerable to cyberattacks. In response to the rising threat of cyberattacks against universities, the Australian government introduced legislative reforms requiring improvements to existing university compliance frameworks. There are several steps that universities can take now to strengthen existing controls and mitigate the risk of a cyberattack, such as leveraging sector-specific networks to collaborate on security-related initiatives, performing effective staff training on cybersecurity, assessing cybersecurity maturity and compliance against the National Institute of Standards and Technology (NIST) cybersecurity framework, and more. This article continues to discuss the increased targeting of universities in cyberattacks, government efforts to tackle the rising threat of such attacks against universities, and how universities could mitigate cyber risk now.

Lexology reports "What Universities Need To Know About Cyber Risk"

There were 24 percent more distributed denial-of-service (DDoS) attacks in 2020 than in 2019. DDoS attacks increased by 55 percent between January 2020 and March 2021. According to both F5 Networks and IBM X-Force, government agencies were the sixth most targeted vertical in 2020. As these attacks involve the hijacking or abuse of network protocols, one approach to detecting attacks that the government could take is monitoring certain types of network traffic. There are five network packet types and protocols commonly abused in DDoS attacks, which include Transmission Control Protocol Synchronize (TCP-SYN), the Domain Name System (DNS), Application Flooding, the User Datagram Protocol, and the Internet Control Message Protocol (ICMP). Although monitoring these systems and protocols is an important step, network visibility in government agencies is different compared to the private sector. For many government agencies, packet data is required to be stored for certain intervals (i.e., 10 days, 30 days, etc.). In addition, the chosen monitoring solution and packet capture (PCAP) storage have to scale accordingly. Having the appropriate network visibility, security delivery, and packet capture storage capability is important to maintaining performance and security, as well as to providing PCAP forensics. Agencies should have the right tools and look at the right protocols to stay ahead of the latest threats. This article continues to discuss the increase in DDoS attacks, the network packet types and protocols commonly abused in these attacks, and how to monitor them.

NextGov reports "5 Items to Monitor to Detect DDoS Attacks"

At a productive White House meeting on August 25th, Microsoft, Google, Amazon, Apple, IBM and others committed to significant efforts in the cybersecurity area. Google plans to invest more than 10 billion to strengthen cybersecurity and train 100,000 Americans in technical security fields. Apple is making security improvements through their supply chain. Microsoft committed $20 billion dedicated to more advanced security tools and $150 billion assisting government agencies to upgrade their systems.

The SANS 2021 OT/ICS Cybersecurity Report shares findings from a survey of 480 individuals from a wide range of industries. The survey showed that almost 70 percent of respondents believe their Operational Technology (OT) environments face high or severe risk, which is an increase from the 51 percent in 2019 when SANS did a similar survey. Although many organizations have expressed concern about cyber threats to their OT environments, 48 percent of respondents revealed that they do not know whether they experienced a security breach on OT or control systems in the past year, thus emphasizing the need for organizations to improve their detection and response capabilities. Only 12 percent of respondents were confident that their systems had not been compromised, and 15 percent admitted to detecting security incidents, many of which resulted in the disruption of operations. Most of the respondents blamed hackers for incidents, followed by organized crime, service providers, employees, activists, and state-sponsored threat actors. External remote services were cited as the top initial attack vector involved in incidents, followed by the exploitation of public-facing applications, Internet-accessible devices, spear-phishing, removable media, and compromised engineering workstations. This article continues to discuss key findings shared in the SANS 2021 OT/ICS Cybersecurity Report.

Security Week reports "Engineering Workstations Are a Concerning Initial Access Vector in OT Attacks"

The FBI has issued a warning to firms about an increasingly prolific new ransomware variant known as Hive. The FBI noted that the affiliate-based ransomware uses multiple mechanisms to compromise corporate networks, making it harder for defenders to mitigate. The multiple mechanisms used to compromise corporate networks include phishing emails with malicious attachments to gain initial access and the hijacking of Remote Desktop Protocol (RDP) to move laterally. The malware itself looks for and terminates processes linked to backups, anti-virus, and file copying to boost its chances of success. Encrypted files end with a .hive suffix. The FBI stated that the Hive ransomware then drops a hive.bat script into the directory, which enforces an execution timeout delay of one second in order to perform clean-up after the encryption is finished by deleting the Hive executable and the hive.bat script. A second file, shadow.bat, is dropped into the directory to delete shadow copies, including disc backup copies or snapshots, without notifying the victim and then deletes the shadow.bat file. The ransom note, dropped into every impacted directory, warns that if encrypted files are modified, renamed, or deleted, they can't be recovered. Some victims told the FBI they had received follow-up phone calls from their attackers urging payment. A second tactic is to exfiltrate and publish stolen files on a public leak site. The FBI believes that the group, or affiliates associated with Hive, were responsible for the attack on Memorial Health System earlier this month, which disrupted IT systems at nearly all of its 64 clinics and three hospitals. According to researchers at Palo Alto Networks, Hive had breached 28 organizations listed on its leak site as of this week, including a European airline company.

Infosecurity reports: "FBI Warns Businesses of New Hive Ransomware"

The security firm Bitdefender conducted a forensic analysis of a new backdoor used by the financially motivated threat group FIN8 in recent attacks. FIN8 used the backdoor called Sardonic in attacks against two unidentified financial organizations. According to researchers, Sardonic is an updated version of the threat group's previous backdoor called Badhatch. The gang typically attacks point-of-sale (PoS) systems to steal payment card data. Bitdefender emphasizes that Sardonic differs from Badhatch in that it is significantly potent and has various capabilities, allowing the threat actors to use new malware without having to update components. Sardonic can be automatically enhanced with new functionality without having to re-deploy malware. This suggests that FIN8 is adopting a more agile approach to cyberattacks. FIN8 seems to have spent several months building and testing the new backdoor before employing it for its attacks. Sardonic is more flexible than Badhatch because it can deploy other payloads to the computer, which is already compromised, saving the group extra effort and time in re-infecting existing victims if it chooses to take a different approach. The Sardonic backdoor is also believed to be under development. Future versions are expected to give the group new capabilities. The actual way in which FIN8 gains initial access to its victims' networks remains undetermined, but some evidence has shown that the group may have used social engineering and spear-phishing attacks. In previously studied FIN8 attacks that occurred before the release of Sardonic, researchers saw compromised user accounts, with evidence of the compromise first appearing on one of the database servers. When the malware was on the network, the attackers performed network reconnaissance and used their access to recover a list of trusted domains and a list of domain controllers. Next, the attackers moved laterally by targeting domain controllers. The malware used the built-in Windows Management Interface Command utility for remote code execution. This article continues to discuss the reemergence of FIN8 with a dangerous new backdoor.

BankInfoSecurity reports "FIN8 Using an Updated Backdoor"

According to researchers at Kaspersky, hackers have inserted the Triada trojan into a modified version of FMWhatsapp, a WhatsApp mod. Such mods have a following among users who want to customize WhatsApp, such as being able to send larger files or apply custom animated themes. The Triada trojan can launch advertisements, issue paid subscriptions, and intercept text messages. FMWhatsapp isn't available on the Google Play store and is only available via third-party websites, which means users who desire the extra features the mod offers don't get the security protections inherent in more officially-vetted apps. Kaspersky first spotted Triada in 2016, when the company deemed the hacking tool "one of the most advanced mobile Trojans our malware analysts have ever encountered." The researchers stated that the users grant FMWhatsapp permission to read SMS messages, simultaneously granting the trojan access to text messages. The researchers noted that with this app, it is hard for users to recognize the potential threat because the mod application actually does what is proposed, it adds additional features. However, the researchers have observed how cybercriminals have started to spread malicious files through the ad blocks in such apps. The researchers stated that the case of FMWhatsapp and Triada is a lesson about how, in a drive to give users "improved" versions of a software, modders can introduce security holes. Foud Apps, the reported developer of FMWhatsapp, didn't respond to a message seeking comment about Kaspersky's research. Nor did Facebook, owner of WhatsApp. Among the malware that FMWhatsapp downloads is XHelper, a sticky kind of Android malware that's difficult to remove.

CyberScoop reports: "Hackers Exploit WhatsApp Modification Tool to Snoop on Texts, Force Paid Subscriptions"

Coordinated automation could improve traffic flow, boost efficiency, and slash emissions. A combination of machine learning, big data, and Amazon Web Services is making this future possible.

By Sean O'Neill | August 23, 2021

The data backup and recovery provider HYCU has announced a new free cloud application that can help organizations identify and measure their ability to recover if they are hit with a ransomware attack. The company's R-Score (ransomware score) evaluation service has been made available via GetRScore.org. R-Score comes from work by HYCU data protection and cybersecurity experts, as well as company partners. For an organization to get a preliminary R-Score and assess its data recovery readiness in the event of a ransomware attack, questions must be answered. The R-Score provided is generated within a range of 0 to 1,000. In addition to a score, the service recommends steps that a company can take to improve its score. According to HYCU founder and CEO Simon Taylor, user data or information used in generating the initial R-Score is not stored or captured in any form where a user can be identified. A free consultation is offered to users to get a better understanding of what they should do to improve their organization's overall R-Score. An organization's preparedness to repel and recover from a ransomware attack is assessed based on its backup process, backup infrastructure, security and networking, disaster recovery, and restore processes. This article continues to discuss the growing threat of ransomware and the new evaluation service aimed at helping organizations improve their ability to recover from ransomware attacks.

ZDNet reports "HYCU Initiative Offers Free Evaluation for Ransomware Recovery Prospects"

Cyber Scene #59 -

Cyber Around the World

According to researchers at UpGuard, dozens of major companies, state and federal agencies, and other organizations that misconfigured a setting in their Microsoft software inadvertently exposed millions of people's personal information to the public internet for months. The data leak, which affected American Airlines, Maryland's health department, and New York's Metropolitan Transportation Authority, among others, led to the exposure of at least 38 million records, including employee information as well as data related to Covid-19 vaccinations, contact tracing, and testing appointments. After UpGuard privately notified Microsoft and the affected organizations, the leaks were plugged, and the ability to access the information was removed. While the information was unsecured, names, Social Security numbers, phone numbers, dates of birth, demographic information, addresses, and even dates of employer drug tests and union membership data were available to anyone with the know-how and inclination to look, stated the researchers. In the case of Ford Motor Co., UpGuard said, lists of loaner vehicles distributed to dealerships had also been exposed.

CNN reports: "Data Leak Exposes Tens of Millions of Private Records From Corporations And Government Agencies"