Category Archives: Cyber War

Hat tip to NSA FBI for Cracking Drovorub

Posted on by

The National Security Agency and the FBI are jointly exposing malware that they say Russian military hackers use in cyber-espionage operations.

Hackers working for Russia’s General Staff Main Intelligence Directorate’s 85th Main Special Service Center, military unit 26165, use the malware, which the Russians themselves call “Drovorub,” to target Linux systems, the NSA and FBI said Thursday in a detailed report.

The hackers, also known as APT28 or Fancy Bear, allegedly hacked the Democratic National Committee in 2016 and frequently target defense, government, and aerospace entities. The Russian military agency is also known as the GRU.

FBI e NSA descobrem novo malware Linux chamado Drovorub ...

While the alert does not include specific details about Drovorub victims, U.S. officials did say they published the alert Thursday to raise awareness about state-sponsored Russian hacking and possible defense sector vulnerabilities. The disclosure comes just months before American voters will conduct a presidential election.

“Information in this Cybersecurity Advisory is being disclosed publicly to assist National Security System owners and the public to counter the capabilities of the GRU, an organization which continues to threaten the United States and U.S. allies as part of its rogue behavior, including their interference in the 2016 U.S. Presidential Election,” the NSA and FBI said in the report.

The U.S. intelligence community has assessed that multiple foreign governments may “seek to compromise our election infrastructure.” It was not clear if the Russian hackers were using Drovorub malware in any ongoing interference efforts related to the 2020 presidential elections.

The NSA and FBI urged national security personnel, including the U.S. Department of Defense, to be on the alert for Drovorub attacks.

“The malware represents a threat because Linux systems are used pervasively throughout National Security Systems, Department of Defense, and the Defense Industrial Base,” the statement said. “All stakeholders should take action as appropriate.”

The announcement comes nearly one year after the NSA stood up a new cybersecurity directorate aimed at sharing more adversary threat intelligence with the public, and in recent weeks the NSA has worked to expose a spate of Russian campaigns, including Russian hackers’ efforts to target coronavirus research.

Senior Vice President of Intelligence at CrowdStrike, Adam Meyers, told CyberScoop the release shows these hackers are not easily deterred.

“Most importantly it demonstrates that FANCY BEAR has more tools and capabilities that are still being identified. This actor didn’t pack up and go home, they still have tricks up their sleeve,” Meyers told CyberScoop, adding that the news should raise alarm bells about Linux security. “Another important take away is that Linux is an area that organizations need to keep in mind from a malware perspective, many have not invested in similar security tools for this platform as they have for user platforms.”

Attacks employing Drovorub may be linked with previous Russian military efforts against connected devices, according to the NSA and the FBI. An APT28 attack that Microsoft security researchers identified last year against devices such as an office printer or a VOIP phone, for instance, was linked with an IP address that has also been used to access the Drovorub command and control IP address, the NSA and FBI said.

In such attacks, the hackers appeared interested in exploiting so-called internet of things devices in order to gain access to broader networks, other insecure accounts, and sensitive data, according to Microsoft.

The joint NSA and FBI release also has the effect of alerting the Russian government that U.S. officials are capable of tracking some of their work. The 780th Military Intelligence Brigade, which currently works with the Pentagon’s offensive cyber arm, Cyber Command, tweeted information out about the malware, and tagged a state-funded media outlet, RT, to flag the news for them.

The Drovorub malware consists of several components, the NSA and the FBI said, including an implant, a kernel module rootlet, a file transfer tool, and an attacker-controlled command and control server.

“When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as ‘root’; and port forwarding of network traffic to other hosts on the network,” the NSA and FBI said.

More detail for zdnet:

“Technical details released today by the NSA and FBI on APT28’s Drovorub toolset are highly valuable to cyber defenders across the United States.”

To prevent attacks, the agency recommends that US organizations update any Linux system to a version running kernel version 3.7 or later, “in order to take full advantage of kernel signing enforcement,” a security feature that would prevent APT28 hackers from installing Drovorub’s rootkit.

The joint security alert [PDF] contains guidance for running Volatility, probing for file hiding behavior, Snort rules, and Yara rules — all helpful for deploying proper detection measures.

Some interesting details we gathered from the 45-page-long security alert:

  • The name Drovorub is the name that APT28 uses for the malware, and not one assigned by the NSA or FBI.
  • The name comes from drovo [дрово], which translates to “firewood”, or “wood” and rub [руб], which translates to “to fell”, or “to chop.”
  • The FBI and NSA said they were able to link Drovorub to APT28 after the Russian hackers reused servers across different operations. For example, the two agencies claim Drovorub connected to a C&C server that was previously used in the past for APT28 operations targeting IoT devices in the spring of 2019. The IP address had been previously documented by Microsoft.

Seizure of Three Terror Finance Cyber-Enabled Campaigns

Posted on by

Global Disruption of Three Terror Finance Cyber-Enabled Campaigns

Largest Ever Seizure of Terrorist Organizations’ Cryptocurrency Accounts

The Justice Department today announced the dismantling of three terrorist financing cyber-enabled campaigns, involving the al-Qassam Brigades, Hamas’s military wing, al-Qaeda, and Islamic State of Iraq and the Levant (ISIS).  This coordinated operation is detailed in three forfeiture complaints and a criminal complaint unsealed today in the District of Columbia.  These actions represent the government’s largest-ever seizure of cryptocurrency in the terrorism context.

These three terror finance campaigns all relied on sophisticated cyber-tools, including the solicitation of cryptocurrency donations from around the world.  The action demonstrates how different terrorist groups have similarly adapted their terror finance activities to the cyber age.  Each group used cryptocurrency and social media to garner attention and raise funds for their terror campaigns.  Pursuant to judicially-authorized warrants, U.S. authorities seized millions of dollars, over 300 cryptocurrency accounts, four websites, and four Facebook pages all related to the criminal enterprise.

Funds successfully forfeited with a connection to a state sponsor of terrorism may in whole or in part be directed to the United States Victims of State Sponsored Terrorism Fund (http://www.usvsst.com/) after the conclusion of the case.

“It should not surprise anyone that our enemies use modern technology, social media platforms and cryptocurrency to facilitate their evil and violent agendas,” said Attorney General William P. Barr.   “The Department of Justice will employ all available resources to protect the lives and safety of the American public from terrorist groups.  We will prosecute their money laundering, terrorist financing and violent illegal activities wherever we find them.  And, as announced today, we will seize the funds and the instrumentalities that provide a lifeline for their operations whenever possible.  I want to thank the investigators from the Internal Revenue Service, Department of Homeland Security, Federal Bureau of Investigation, and the prosecutors from the D.C. United States Attorney’s Office and National Security Division for their hard and innovative work in attacking the networks that allow these terrorists to recruit for and fund their dangerous actions.”

“Terrorist networks have adapted to technology, conducting complex financial transactions in the digital world, including through cryptocurrencies. IRS-CI special agents in the DC cybercrimes unit work diligently to unravel these financial networks,” said Secretary of the Treasury Steven T. Mnuchin.  “Today’s actions demonstrate our ongoing commitment to holding malign actors accountable for their crimes.”

“The Department of Homeland Security was born after the September 11, 2001 terrorist attacks and, nearly 20 years later, we remain steadfast in executing our critical mission to safeguard the American people, our homeland, and our values,” said Acting Secretary of Homeland Security Chad F. Wolf.  “Today’s announcement detailing these enforcement actions targeting foreign terrorist organizations is yet another example of the Department’s commitment to our mission. After launching investigations that identified suspected online payments being funneled to and in support of terrorist networks, Homeland Security Investigations skillfully leveraged their cyber, financial, and trade investigative expertise to disrupt and dismantle cyber-criminal networks that sought to fund acts of terrorism against the United States and our allies.  Together with our federal law enforcement partners, the Department will utilize every resource available to ensure that our Homeland is and remains secure.”

“These important cases reflect the resolve of the D.C. United States Attorney’s Office to target and dismantle these sophisticated cyber-terrorism and money laundering actors across the globe,” stated Acting United States Attorney Michael R. Sherwin.  “While these individuals believe they operate anonymously in the digital space, we have the skill and resolve to find, fix and prosecute these actors under the full extent of the law.”

“IRS-CI’s ability to trace funds used by terrorist groups to their source and dismantle these radical group’s communication and financial networks directly prevents them from wreaking havoc throughout the world,” said Don Fort, Chief, IRS Criminal Investigation.  “Today the world is a safer place.”

“As the primary law enforcement agency charged with defeating terrorism, the FBI will continue to combat illicit terrorist financing regardless of platform or method employed by our adversaries,” said FBI Director Christopher Wray. “As demonstrated by this recent operation, the FBI remains committed to cutting off the financial lifeblood of these organizations that seek to harm Americans at home and abroad.”

“Homeland Security Investigations continues to demonstrate their investigative expertise with these enforcement actions,” said ICE Deputy Director and Senior Official Performing the Duties of the Director Matthew T. Albence.  “Together with law enforcement partners, HSI has utilized their unique authorities to bring to justice those cyber-criminal networks who would do us harm.”

Al-Qassam Brigades Campaign

The first action involves the al-Qassam Brigades and its online cryptocurrency fundraising efforts.  In the beginning of 2019, the al-Qassam Brigades posted a call on its social media page for bitcoin donations to fund its campaign of terror.  The al-Qassam Brigades then moved this request to its official websites, alqassam.net, alqassam.ps, and qassam.ps.

al_qassam_1

The al-Qassam Brigades boasted that bitcoin donations were untraceable and would be used for violent causes.  Their websites offered video instruction on how to anonymously make donations, in part by using unique bitcoin addresses generated for each individual donor.

al_qassam_2

 

However, such donations were not anonymous.  Working together, IRS, HSI, and FBI agents tracked and seized all 150 cryptocurrency accounts that laundered funds to and from the al-Qassam Brigades’ accounts.  Simultaneously, law enforcement executed criminal search warrants relating to United States-based subjects who donated to the terrorist campaign.

With judicial authorization, law enforcement seized the infrastructure of the al-Qassam Brigades websites and subsequently covertly operated alqassam.net.   During that covert operation, the website received funds from persons seeking to provide material support to the terrorist organization, however, they instead donated the funds bitcoin wallets controlled by the United States.

The United States Attorney’s Office for the District of Columbia also unsealed criminal charges for two Turkish individuals, Mehmet Akti and Hüsamettin Karataş, who acted as related money launderers while operating an unlicensed money transmitting business.

Al-Qaeda Campaign

The second cyber-enabled terror finance campaign involves a scheme by al-Qaeda and affiliated terrorist groups, largely based out of Syria.  As the forfeiture complaint details, these terrorist organizations operated a bitcoin money laundering network using Telegram channels and other social media platforms to solicit cryptocurrency donations to further their terrorist goals.  In some instances, they purported to act as charities when, in fact, they were openly and explicitly soliciting funds for violent terrorist attacks.  For example, one post from a charity sought donations to equip terrorists in Syria with weapons:

al_qaeda

Undercover HSI agents communicated with the administrator of Reminder for Syria, a related charity that was seeking to finance terrorism via bitcoin donations.  The administrator stated that he hoped for the destruction of the United States, discussed the price for funding surface-to air missles, and warned about possible criminal consequences from carrying out a jihad in the United States.

Posts from another Syrian charity similarly explicitly referenced weapons and extremist activities:

al_qaeda_2
al_qaeda_3.

Al-Qaeda and the affiliated terrorist groups together created these posts and used complicated obfuscation techniques, uncovered by law enforcement, to layer their transactions so to conceal their actions.  Today’s complaint seeks forfeiture of the 155 virtual currency assets tied to this terrorist campaign.

ISIS Campaign

The final complaint combines the Department’s initiatives of combatting COVID-19 related fraud with combatting terrorism financing.  The complaint highlights a scheme by Murat Cakar, an ISIS facilitator who is responsible for managing select ISIS hacking operations, to sell fake personal protective equipment via FaceMaskCenter.com (displayed below)

isis_1.

The website claimed to sell FDA approved N95 respirator masks, when in fact the items were not FDA approved.  Site administrators claimed to have near unlimited supplies of the masks, in spite of such items being officially-designated as scarce.  The site administrators offered to sell these items to customers across the globe, including a customer in the United States who sought to purchase N95 masks and other protective equipment for hospitals, nursing homes, and fire departments.

The unsealed forfeiture complaint seized Cakar’s website as well as four related Facebook pages used to facilitate the scheme.  With this third action, the United States has averted the further victimization of those seeking COVID-19 protective gear, and disrupted the continued funding of ISIS.

The claims made in these three complaints are only allegations and do not constitute a determination of liability.  The burden to prove forfeitability in a civil forfeiture proceeding is upon the government.  Further, charges contained in criminal complaint are merely allegations, and the defendants are presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.

IRS-CI Cyber Crimes Unit (Washington, D.C.), HSI’s Philadelphia Office, and FBI’s Washington D.C., New York, and Los Angeles field offices are investigating the case. Assistant U.S Attorneys Jessi Camille Brooks and Zia M. Faruqui, and National Security Division Trial Attorneys Danielle Rosborough and Alexandra Hughes are litigating the case, with assistance from Paralegal Specialists Brian Rickers and Bria Cunningham, and Legal Assistant Jessica McCormick.  Additional assistance has been provided by Chainalysis and Excygent.

Warnings of Ransomware Affecting Elections

Posted on by

According to an intelligence report issued by the Department of Homeland Security, one of the top 2020 election security concerns is ransomware. A report entitled “Cybercriminals and Criminal Hackers Capable of Disrupting Election Infrastructure”, echos concerns CISA head Chris Krebs articulate at the Black Hat security conference in early August.

Department of Homeland Security fears 'ransomware' attacks ... source

The FBI and Department of Homeland Security have issued advisories to local governments, including recommendations for preventing attacks.
“From the standpoint of confidence in the system, I think it is much easier to disrupt a network and prevent it from operating than it is to change votes,” Adam Hickey, a Justice Department deputy assistant attorney general, said in an interview.

US officials state that election interference will not be tolerated. They are proactively working with social media companies, among other groups, to help safeguard the elections.

In addition, the US Department of State’s “Rewards for Justice” program is offering a 10M to anyone who can provide information about foreign interference. The Department of State has reached out to targeted individuals in Iran soliciting information.

US officials are interested in identifying individuals who aim to disrupt campaigns, meddle with election infrastructure, and who pose threats to election officials. This is the third major “Rewards for Justice” initiative this year. More here.

***

“We’re seeing state and local entities targeted with ransomware on a near daily basis,” said Geoff Hale, a top election security official with Homeland Security’s Cybersecurity and Infrastructure Security Agency.

Steps taken to improve security of voter registration systems after the 2016 election could help governments fend off election-related ransomware attacks. They’ve also acted to ensure they can recover quickly in the event of an attack.

Colorado, for example, stores redundant versions of its voter registration data at two separate secure locations so officials can easily shift operations. Backups are regular so the system can be quickly rebuilt if needed.

Even so, ransomware is an added concern for local election officials already confronting staffing and budget constraints while preparing for a shift from in-person voting to absentee balloting because of the pandemic.

In West Virginia, state officials are more concerned about the cyberthreat confronting its 55 county election offices than a direct attack on the statewide voter registration system. One click from a county employee falling victim to a spearphishing attack could grant a hacker access to the county network and eventually to election systems.

“I’m more worried that those people who are working extra hours and working more days, the temporary staff that may be brought in to help process the paperwork, that all this may create a certain malaise or fatigue when they are using tools like email,” said David Tackett, chief information officer for the secretary of state.

In states that rely heavily on in-person voting and use electronic systems to check in voters, a well-timed attack particularly during early voting could prevent officials from immediately verifying a voter’s eligibility, making paper backups critical.

For states conducting elections entirely by mail, including Colorado, an attack near Election Day may have little effect on voting because ballots are sent early to all voters, with few votes cast in-person. But it could disrupt vote-tallying, forcing officials to process ballots by hand.

In many states, local officials will face an influx of new ballot requests. That means they’ll need constant access to voter data as they handle these requests. An attack could cause major disruptions.

Hickey said he was unaware of ransomware attacks directly targeting election infrastructure. But local election offices are often connected to larger county networks and not properly insulated or protected.

A criminal targeting a county or state “may not even know what parts of the network they got into,” Hickey said. But as the malware creeps along and spreads, “what gets bricked is the entire network — and that includes but is not limited to election infrastructure.”

Even if election infrastructure isn’t directly targeted, there would likely be immediate assumptions it was, said Ron Bushar of the FireEye cybersecurity company.

A February advisory issued by the FBI and obtained by The Associated Press recommends local governments separate election-related systems from county and state systems to ensure they aren’t affected in an unrelated attack.

Russian ‘Dukes’ Overtly Hack Vaccine Trial Data

Posted on by

Primer: Will this cause an Article 5 response?

In response to malicious activity targeting COVID-19 research and vaccine development in the United States, United Kingdom (UK), and Canada, the Cybersecurity and Infrastructure Security Agency (CISA), UK’s National Cyber Security Centre (NCSC), Canada’s Communications Security Establishment (CSE), and the National Security Agency (NSA) released a Joint Cybersecurity Advisory to expose the threat. A malicious cyber actor is using a variety of tools and techniques to target organizations involved in COVID-19 research and vaccine development.

Tools include SOREFANG, WELLMESS, and WELLMAIL malware.

CISA encourages users and administrators to review the Joint Cybersecurity Advisory and the following Malware Analysis Reports for more information and to apply the mitigations provided.

LONDON (AP) — Britain, the United States and Canada accused Russia on Thursday of trying to steal information from researchers seeking a COVID-19 vaccine.

The three nations alleged that hacking group APT29, also known as Cozy Bear and said to be part of the Russian intelligence service, is attacking academic and pharmaceutical research institutions involved in coronavirus vaccine development.

UK, US, Canada accuse Russia of hacking virus vaccine ... source

Britain’s National Cybersecurity Centre made the announcement, which was coordinated with authorities in the U.S. and Canada.

“It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic,″ Foreign Secretary Dominic Raab said in a statement. “While others pursue their selfish interests with reckless behaviour, the U.K. and its allies are getting on with the hard work of finding a vaccine and protecting global health.″

The persistent and ongoing attacks are seen by intelligence officials as an effort to steal intellectual property, rather than to disrupt research. The campaign of “malicious activity″ is ongoing and includes attacks “”predominantly against government, diplomatic, think-tank, healthcare and energy targets,″ the National Cybersecurity Centre said in a statement.

It was unclear whether any information actually was stolen but the center says individuals’ confidential information is not believed to have been compromised. The Russian Foreign Ministry did not immediately respond to a request for comment.

Cozy Bear, also known as the “dukes,″ has been identified by Washington as one of two Russian government-linked hacking groups that broke into the Democratic National Committee computer network and stole emails ahead of the 2016 presidential election. The other group is usually called Fancy Bear.

The director of operations for the British cybersecurity center, Paul Chichester, urged “organizations to familiarize themselves with the advice we have published to help defend their networks.”

The statement did not say whether Russian President Vladimir Putin knew about the vaccine research hacking, but British officials believe such intelligence would be highly prized.

A 16-page advisory made public by Britain, the U.S. and Canada on Thursday accuses Cozy Bear of using custom malicious software to target a number of organizations globally. The malware, called WellMess and WellMail, has not previously been associated with the hacking group, the advisory said.

“In recent attacks targeting COVID-19 vaccine research and development, the group conducted basic vulnerability scanning against specific external IP addresses owned by the organizations. The group then deployed public exploits against the vulnerable services identified,” the advisory said.

The U.S. Department of Homeland Security’s cybersecurity agency warned in April that cybercriminals and other groups were targeting COVID-19 research, noting at the time that the increase in people teleworking because of the pandemic had created potential avenues for hackers to exploit.

Vulnerable targets include health care agencies, pharmaceutical companies, academia, medical research organizations, and local governments, security officials have said.

The global reach and international supply chains of these organizations also make them vulnerable, the U.S. Cybersecurity and Infrastructure Security Agency said in an alert published in conjunction with its counterparts in Britain.

CISA said it and the British cyberseucity agency have detected the threat groups scanning the external websites of targeted companies and looking for vulnerabilities in unpatched software. It did not name any of the targeted companies.

U.S. authorities have for months leveled similar accusations against China. FBI Director Chris Wray said last week, “At this very moment, China is working to compromise American health care organizations, pharmaceutical companies, and academic institutions conducting essential COVID-19 research.”

Google Sent Users 40,000 Warnings

Posted on by

Primer questions: Did other tech companies do the same and if so, how many? What does Congress know and where are they with a real cyber policy?

Google’s threat analysis group, which counters targeted and government-backed hacking against the company and its users, sent account holders almost 40,000 warnings in 2019, with government officials, journalists, dissidents, and geopolitical rivals being the most targeted, team members said on Thursday.

The number of warnings declined almost 25 percent from 2018, in part because of new protections designed to curb cyberattacks on Google properties. Attackers have responded by reducing the frequency of their hack attempts and being more deliberate. The group saw an increase in phishing attacks that impersonated news outlets and journalists. In many of these cases, attackers sought to spread disinformation by attempting to seed false stories with other reporters. Other times, attackers sent several benign messages in hopes of building a rapport with a journalist or foreign policy expert. The attackers, who most frequently came from Iran and North Korea, would later follow up with an email that included a malicious attachment.

Color-coded Mercator projection of the world.

“Government-backed attackers regularly target foreign policy experts for their research, access to the organizations they work with, and connection to fellow researchers or policymakers for subsequent attacks,” Toni Gidwani, a security engineering manager in the threat analysis group, wrote in a post.

Top targets

Countries with residents that collectively received more than 1,000 warnings included the United States, India, Pakistan, Japan, and South Korea. Thursday’s post came eight months after Microsoft said it had warned 10,000 customers of nation-sponsored attacks over the 12 previous months. The software maker said it saw “extensive” activity from five specific groups sponsored by Iran, North Korea, and Russia.

Thursday’s post also tracked targeted attacks carried out by Sandworm, believed to be an attack group working on behalf of the Russian Federation. Sandworm has been responsible for some of the world’s most severe attacks, including hacks on Ukrainian power facilities that left the country without electricity in 2015 and 2016, NATO and the governments of Ukraine and Poland in 2014, and according to Wired journalist Andy Greenberg, the NotPetya malware that created worldwide outages, some that lasted weeks.

The following graph shows Sandworm’s targeting of various industries and countries from 2017 to 2019. While the targeting of most of the industries or countries was sporadic, Ukraine was on the receiving end of attacks throughout the entire three-year period:

Sandworm’s targeting efforts (mostly by sector) over the last three years.
Enlarge / Sandworm’s targeting efforts (mostly by sector) over the last three years.
Google

Tracking zero-days

In 2019, the Google group discovered zero-day vulnerabilities affecting Android, iOS, Windows, Chrome, and Internet Explorer. A single attack group was responsible for exploiting five of the unpatched security flaws. The attacks were used against Google, Google account holders, and users of other platforms.

“Finding this many zeroday exploits from the same actor in a relatively short time frame is rare,” Gidwani wrote.

The exploits came from legitimate websites that had been hacked, links to malicious websites, and attachments embedded in spear-phishing emails. Most of the targets were in North Korea or were against individuals working on North Korea-related issues.

The group’s policy is to privately inform developers of the affected software and give them seven days to release a fix or publish an advisory. If the companies don’t meet that deadline, Google releases its own advisory.

One observation that Google users should note: of all the phishing attacks the company has seen in the past few years, none has resulted in a takeover of accounts protected by the account protection program, which among other things makes multifactor authentication mandatory. Once people have two physical security keys from Yubi or another manufacturer, enrolling in the program takes less than five minutes.