UNCLASSIFIED
30 June 2020

Table of Contents
- The Senate has questions about DISA’s network security system
- Australia Spending Nearly $1 Billion on Cyberdefense as China Tensions Rise
- Senators Introduce Deepfake-Focused Amendment to Defense Authorization Act
- US Cyber Command says foreign hackers will most likely exploit new PAN-OS security bug
- Lucy Security uncovers collection of SQL databases leaked to the dark web from 945 websites
- Russian National Pleads Guilty for Role in Transnational Cybercrime Organization Responsible for more than $568 Million in Losses
- Google removes 106 Chrome extensions for collecting sensitive user data
- Maze Group Now Threatens Hardware Manufacturer, Leaks Personal and Financial Details
- ‘Invisible God’ Hacker Sold Access To More Than 135 Companies In Just Three Years
- Defense Information Network to Host Data Repository for Contractors’ Cybersecurity Audits

The Senate has questions about DISA’s network security system

C4ISRNET, 29 Jun 2020: The Senate Armed Services Committee’s version of the National Defense Authorization Act for fiscal year 2021, released June 23, would preclude the department from spending fiscal 2021 funds on the Joint Regional Security Stacks (JRSS) program for use on its Secret Internet Protocol Router Network. JRSS, run by the Defense Information Systems Agency, provides cybersecurity services for many DoD components through intrusion detection and prevention, enterprise management, and virtual routing. DISA is tasked with operating and maintaining DoD networks, but the JRSS program has a checkered history of effectiveness. In 2018, the Defense Department’s chief weapons tester suggested that the program be shut down. Other tests have also found several operational and technical troubles. Now defense committees in both legislative chambers are trying to rein in the program.
The Senate bill authorizes cuts of about $11.6 million from the JRSS, including $11.1 million in JRSS procurement funds for SIPRNet and about $500,000 in research, development, testing and evaluation. The House bill authorizes deeper cuts, slashing procurement dollars from $88 million to $8 million and research and development funds to zero from $9 million. Because of the continued challenges plaguing the program, “the committee believes that the deployment of JRSS on the Secret Internet Protocol Router Network is thus inappropriate, given JRSS’ limited cybersecurity capability and the existence of alternative capabilities to execute its network functions,” the Senate committee wrote in a report accompanying the bill. As Congress questions the efficacy of the program, it also wants answers. Under the legislation, the Secretary of Defense would have to answer the following questions by Dec. 1, 2021. If the DoD finds that JRSS should move forward, it must develop a plan to transition it to a program of record by October 2021.

Australia Spending Nearly $1 Billion on Cyberdefense as China Tensions Rise

Purpose
Educate recipients of cyber events to aid in protecting electronically stored DoD, corporate proprietary, and/or Personally Identifiable Information from unauthorized access, theft or espionage

Source
This publication incorporates open source news articles to educate readers on cyber security matters IAW USC Title 17, section 107, Para a. All articles are truncated to avoid the appearance of copyright infringement

Newsletter Team
* SA Sylvia Romero, Albuquerque FBI
* CI Agent Scott Daughtry, Purple Arrow Founder

Subscription/Questions
Click HERE to request for your employer-provided email address to be added to this product’s distribution list

Purple Arrow Overview
The Purple Arrow Working Group was founded in 2009 to address suspicious reporting originating from New Mexico (NM) cleared companies. Purple Arrow is a subset of the NM CI Working Group.
Purple Arrow Members
Our membership includes representatives from these New Mexico-focused agencies: 902nd MI, AFOSI, DOE, DCSA, DTRA, FBI, HSI and NCIS

Disclaimer
Viewpoints, company names, or products within this document are not necessarily the opinion of, or an endorsement by, the FBI or any member of the Purple Arrow Working Group or NM CI Working Group

Distribution
You may freely forward this product to U.S. person co-workers or other U.S. agency / U.S. company managed email accounts

Personal Email/Foreigners
The FBI will not send Purple Arrow products to a non-United States employer-provided email account (e.g. Hotmail, Gmail)
NY Times, 30 Jun 2020: Confronting a surge of cyberattacks attributed to the Chinese government, Australia moved to bolster its defenses on Tuesday, promising to recruit at least 500 cyberspies and build on its ability to take the battle overseas. The investment of $930 million over the next decade is the largest the country has ever made in cyberweapons and defenses. It follows what Prime Minister Scott Morrison has described as a sharp increase in the frequency, scale and sophistication of online attacks — and, more broadly, a steady deterioration in relations between Australia and China. “The federal government’s top priority is protecting our nation’s economy, national security and sovereignty,” Mr. Morrison said Tuesday. “Malicious cyberactivity undermines that.”

The new initiative points to growing frustration in Australia with what current and former intelligence officials have described as a relentless, increasingly aggressive campaign by China to spy on, disrupt and threaten the country’s government, vital infrastructure and most important industries. The full details of attacks that appear to have come from China are still mostly hidden — Australian officials remain wary of provoking Beijing by naming and shaming culprits — but the public record now includes several examples of elaborate hacking that has less to do with theft for profit than growing aggression against a rival government.

The Australian Signals Directorate and the Australian Cyber Security Center will build up their capacity to defend against attacks and their connections with the companies that run the country’s digital networks. The defense minister, Senator Linda Reynolds, said in a statement that the investment aimed to create a rapid-response process that would “prevent malicious cyberactivity from reaching millions of Australians by blocking known malicious websites and computer viruses at speed.” Mr. Jennings said the investment was substantial and needed.
He added that it would most likely be a down payment. “The need for more investment in cybersecurity, both defense and offense, will keep growing,” he said. “This won’t be the last investment, I’m sure.”

Incident Reporting
- Cleared Company: notify your Defense Counterintelligence and Security Service representative. If the event compromised DoD information, you must also initiate the DIBNET process.
- Financial Scam/Fraud: submit a complaint to the FBI’s Internet Crime Complaint Center (IC3)
- Children: if a child has been targeted via the Internet, contact your state’s Attorney General via their web site. They likely have an Internet Crimes against Children task force that specializes in this crime category
Cyber investigations are likely to require the original offending email (to obtain the email headers) and/or log files that are generated/maintained by an IDS, router or firewall. Ensure your IT office preserves this information should law enforcement request it for analysis.

Newsletter Archival
We do not maintain a formal archive of this newsletter. Your company/agency may archive Purple Arrow products on its internal network. This product may NOT be altered in any way.

Cybersecurity Training
All employees must understand cyber threats and think defensively every time they use automated systems. Many intrusions occur because a single employee failed basic cybersecurity practices and clicked on a hostile hyperlink or opened a malicious file attachment. The Defense Counterintelligence and Security Agency (formerly known as DSS) offers free cyber training via its Center for Development of Security Excellence (CDSE) website. Click HERE for info

Senators Introduce Deepfake-Focused Amendment to Defense Authorization Act

NextGOV, 29 Jun 2020: Sens. Rob Portman, R-Ohio and Brian Schatz, D-Hawaii proposed adding the Deepfake Report Act—originally unveiled one year ago—to the annual authorization bill Thursday. The Deepfake Report Act, which passed the Senate in October and was referred to the House Consumer Protection and Commerce Subcommittee, would mandate the Homeland Security Department to investigate the potential impacts of deepfakes and other, related technologically altered content on national and election security. “As [artificial intelligence] rapidly becomes an intrinsic part of our economy and society, AI-based threats, such as deepfakes, have become an increasing threat to our democracy,” Portman said in a statement. “Addressing the challenges posed by deepfakes will require policymakers to grapple with important questions related to civil liberties and privacy. This bill prepares our country to answer those questions and address concerns by ensuring we have a sound understanding of this issue.”

Deepfakes refer to digitally- and AI-manipulated images, audio and videos that make it appear as if the media’s subjects did or said things they did not. Early iterations of the digitally-forged content were posted by a Reddit user who applied machine learning to insert the faces of American celebrities into pornographic videos, and over time more of the synthetic content has increasingly emerged, including media targeting political leaders—prompting lawmakers to deliberately confront the possible means for disinformation.

According to Ferraro, the regulatory state of play around the hyper-realistic, manipulated media “remains in flux.” Presently there are roughly five deepfake-focused bills pending in Congress, as well as legislation pending in nine states, he noted. And in the last year alone, California, Texas and Virginia enacted their own laws reflecting certain kinds of deepfakes. Further, the first federal law focused explicitly on deepfakes was passed as part of the 2019 National Defense Authorization Act. Ferraro, who extensively covered the initial law, noted that it “first, requires a comprehensive report on the foreign weaponization of deepfakes, second, requires the government to notify Congress of foreign deepfake-disinformation activities targeting U.S. elections, and, third, establishes a ‘Deepfakes Prize’ competition to encourage the research or commercialization of deepfake-detection technologies.” “Manipulated text can pose an often overlooked danger, too, alongside photos, videos, and audio,” he explained.
“Large-scale, AI-generated text can be used to manipulate social media conversations and infiltrate public notice-and-comment periods, implicating the regulatory functioning of government.” The act calls for DHS-led examinations into the technologies that underlie deepfakes, descriptions of the various types of digital content forgeries, how foreign governments and their proxies are tapping into the tech to damage national security, the danger deepfakes present to individuals, methods to detect and mitigate such forgeries, and more. Compared to the first federal law centered on the manipulated media passed in the 2019 NDAA—which focused largely on the foreign weaponization of deepfakes, and their use to target U.S. elections by foreign actors—Ferraro highlighted that the new amendment is notably broad in scope and ultimately casts a wider net. The inquiries it calls for are not limited to foreign actors’ activities.

US Cyber Command says foreign hackers will most likely exploit new PAN-OS security bug

ZD Net, 30 Jun 2020: US Cyber Command said today that foreign state-sponsored hacking groups are likely to exploit a major security bug disclosed today in PAN-OS, the operating system running on firewalls and enterprise VPN appliances from Palo Alto Networks. "Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use," US Cyber Command said in a tweet today. "Foreign APTs will likely attempt [to] exploit soon," the agency added, referring to APT (advanced persistent threat), a term used by the cyber-security industry to describe nation-state hacker groups. US Cyber Command officials are right to be panicked. The CVE-2020-2021 vulnerability is one of those rare security bugs that received a 10 out of 10 score on the CVSSv3 severity scale.
A 10/10 CVSSv3 score means the vulnerability is both easy to exploit, as it doesn't require advanced technical skills, and remotely exploitable via the internet, without requiring attackers to gain an initial foothold on the attacked device. In technical terms, the vulnerability is an authentication bypass that allows threat actors to access the device without needing to provide valid credentials. Once exploited, the bug allows hackers to change PAN-OS settings and features. While changing OS features seems innocuous, and of little consequence, the bug is actually quite a major issue because it could be used to disable firewalls or VPN access-control policies, effectively disabling entire PAN-OS devices. In a security advisory published today [link], Palo Alto Networks (PAN) said that mitigating factors include the fact that PAN-OS devices must be in a certain configuration for the bug to be exploitable.

Lucy Security uncovers collection of SQL databases leaked to the dark web from 945 websites

Lucy Security, 29 Jun 2020: Austin, TX, Monday, June 29 2020 – A boutique hotel in Kathmandu, a Raspberry Pi tutorial blog, a photographer from Chelsea or an EMS service provider – according to Lucy Security’s Dark Web research team, 945 websites worldwide have been hacked. Archived SQL files stolen from 945 websites are being offered on the dark web, with tens of millions of potential victims. Information that is now publicly available includes usernames, full names, phone numbers, hashed and non-hashed passwords, IP and email addresses as well as physical addresses. Two databases totaling approximately 150 GB of unpacked SQL files were released on June 1st, 2020 and on June 10th, 2020 respectively. Apparently, all of the sites were hacked by different actors. According to Lucy Security, the websites were targeted based on their Alexa Ranking [link].

Russian National Pleads Guilty for Role in Transnational Cybercrime Organization Responsible for more than $568 Million in Losses

DOJ, 26 Jun 2020: One of the leaders of the Infraud Organization pleaded guilty today to RICO conspiracy. Infraud was an Internet-based cybercriminal enterprise engaged in the large-scale acquisition, sale, and dissemination of stolen identities, compromised debit and credit cards, personally identifiable information, financial and banking information, computer malware, and other contraband. Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division made the announcement.
Sergey Medvedev, aka “Stells,” “segmed,” “serjbear,” 33, of the Russian Federation, pleaded guilty before U.S. District Court Judge James C. Mahan in the District of Nevada. According to the indictment, the Infraud Organization was created in October 2010 by Svyatoslav Bondarenko aka “Obnon,” “Rector,” and “Helkern,” 34, of Ukraine, to promote and grow interest in the Infraud Organization as the premier destination for “carding”— purchasing retail items with counterfeit or stolen credit card information—on the Internet. Under the slogan, “In Fraud We Trust,” the organization directed traffic and potential purchasers to the automated vending sites of its members, which served as online conduits to traffic in stolen means of identification, stolen financial and banking information, malware, and other illicit goods. It also provided an escrow service to facilitate illicit digital currency transactions among its members and employed screening protocols that purported to ensure only high quality vendors of stolen cards, personally identifiable information, and other contraband were permitted to advertise to members. In March 2017, there were 10,901 registered members of the Infraud Organization. During the course of its seven-year history, the Infraud Organization inflicted approximately $2.2 billion in intended losses, and more than $568 million in actual losses, on a wide swath of financial institutions, merchants, and private individuals, and would have continued to do so for the foreseeable future if left unchecked.
Google removes 106 Chrome extensions for collecting sensitive user data

ZD Net, 18 Jun 2020: Google has removed 106 malicious Chrome extensions that have been caught collecting sensitive user data. The 106 extensions are part of a batch of 111 Chrome extensions that have been identified as malicious in a report published today by cyber-security firm Awake Security [link]. Awake says these extensions posed as tools to improve web searches, convert files between different formats, as security scanners, and more. But in reality, Awake says the extensions contained code to bypass Google's Chrome Web Store security scans, take screenshots, read the clipboard, harvest authentication cookies, or grab user keystrokes (such as passwords). Awake believes all the extensions were created by the same threat actor, although the company has yet to identify it. The primary connection between all the extensions was that they sent user data back to domains registered through the GalComm domain registrar. The company provided the list of the 111 malicious extension IDs here. Users can visit the chrome://extensions page and see if they installed any of the malicious extensions and remove them from their browsers.

Maze Group Now Threatens Hardware Manufacturer, Leaks Personal and Financial Details

CyWare, 21 Jun 2020: The Maze ransomware has been a threat for organizations across various industries and geographies, carrying out disruptive and destructive attacks almost every new day. This time, it has attacked the US-based hardware company MaxLinear. The system-on-chip (SOC) manufacturing company MaxLinear has been targeted by the Maze ransomware attack. The company became aware of the intrusion more than one month after the initial attack. This month, MaxLinear disclosed that its internal computing systems were targeted by the Maze Ransomware, which was first identified by them on May 24.
According to the notification provided by MaxLinear, intruders had gained unauthorized access to the systems from around April 15, 2020, until May 24, 2020, and were able to access the personal and financial details of MaxLinear customers. On June 15, Maze ransomware operators publicly released around 10.3 GB of data, including accounting and financial information, out of the over 1 TB of data allegedly stolen by them before encrypting MaxLinear's systems.

‘Invisible God’ Hacker Sold Access To More Than 135 Companies In Just Three Years

Forbes, 23 Jun 2020: Major antivirus companies, banks, insurance providers, government agencies, large hotels, wineries, restaurants, airlines. Think of almost any kind of company and there’s a good chance a prolific, financially-motivated hacker known as Fxmsp has broken into it, or attempted to, according to a report released Tuesday [link]. Dubbed the “invisible god of networks,” he’s a suspected male from Kazakhstan who claimed to have broken into 135 companies since his first appearance in 2017, according to the report. Group-IB, a security company that recently shifted operations from Russia to Singapore, estimated he’s made $1.5 million along the way, working with an unidentified accomplice known as Lampeduza to sell access to victim networks. He came to prominence in May last year after claiming to have broken into a handful of cybersecurity companies: McAfee, Symantec and Trend Micro. (Trend was the only one to confirm a breach of its labs). The hacker was reportedly offering access to the antivirus software source code and various product design documents for $300,000.

The name Fxmsp was first seen by Group-IB in 2016 on a Russian hacking forum. At that point, he appeared to be breaching company networks and using the stolen compute power within to mine cryptocurrency. To create new cryptocurrency, complex mathematical problems have to be solved, which typically needs substantial compute power. Hackers will often steal that compute power from networks they’ve broken into. Over time, Fxmsp moved on to more sophisticated cybercriminal sales, acquiring access to networks via remote desktops after scanning the web for vulnerable systems. His targets were random, Group-IB found. “Fxmsp always scans a range of IP addresses within a city or a country for certain open ports. Based on the cybercriminal’s messages posted on underground forums, to do so he uses a popular software called Masscan as well as more advanced scanners,” Dmitry Volkov, CTO of Group-IB, told Forbes. “Whoever has got an open RDP [remote desktop protocol] port falls victim to Fxmsp. Despite this rather simplistic method he used, Fxmsp managed to gain access to energy companies, government organizations and even some Fortune 500 firms.”

He moved over to an infamous hacking forum called exploit[.]in, where he began selling access to business networks from October 2017, offering a route into the systems of a Nigerian bank. That same month, he claimed he had access to the network belonging to a chain of luxury hotels with locations in the Dominican Republic, Cuba, Panama, the U.S., Europe, amongst other destinations. He was selling access to 600 servers and 1,000 workstations used by the chain, which could be used either to steal banking information or for espionage and data theft. By January 2018, he was showing off an American map containing the locations of properties of yet another hotel chain he claimed to have hacked. By July 31, 2018, Fxmsp had offered access to 51 companies in 21 countries on exploit[.]in. The minimum average price for advertised sales was $268,000, Group-IB calculated.
After apparently teaming up with another hacker known as Lampeduza, the sales were diversified across numerous forums. It was Lampeduza who claimed that any buyer would become the “invisible god of networks.” “Gaining access alone means nothing. But when you obtain access that gives control of the entire company, including all networks, PCs and laptops within that network, and all the credentials for networks, PCs and domain controllers - that’s a huge challenge,” Lampeduza wrote in one ad. Domain controllers police who can connect to a business network and offer hackers a passkey to prowl a breached business' accounts, such as their Microsoft and Google email or document services. Some believe Fxmsp is more than one person. As Alex Holden, founder of cybersecurity company Hold Security, told Forbes, “he is definitely not the brains or technology of the group.” He believes the gang has “minimized” their public footprint to sell “to an established and vetted audience.”

Defense Information Network to Host Data Repository for Contractors’ Cybersecurity Audits

NextGOV, 23 Jun 2020: Information about organizations seeking a stamp of approval under the Pentagon’s new Cybersecurity Maturity Model Certification program will be stored on the Department of Defense Information Network, according to the head of the accreditation body working with DOD on the CMMC. Currently, DOD contractors mostly pledge adherence to requisite cybersecurity practices. The CMMC, taking effect with a rule change expected this fall, will require all defense contractors to have their cybersecurity status audited and certified by an independent third party before they can do business with the department.
The program has raised concerns among some contractors about cybersecurity for the apparatus being set up to manage the certifications and audit data, such as a repository DOD officials will use at the time of award to check whether prospective prime contractors and their associated subcontractors have achieved the necessary certification. “DOD intends to maintain their instance [of the repository] on the DOD network and we will be responsible for populating that,” said Ty Schieber, chairman of the board for the CMMC accreditation body. Schieber spoke during a press conference he and other accreditation-body board members held Tuesday following developments in their efforts to stand up an education and auditing ecosystem for issuing certifications to the DOD’s CMMC standard. Though the formal education of assessors isn’t slated to start until late 2020 or early 2021, said Ben Tchoubineh, chairman of the accreditation body’s training committee, applicants are already paying to line up.

New documents on the website of the CMMC accreditation body lay out requirements for applicants to serve in various roles. The C3PAOs, for example, will have to undergo their own certification process, which is to be determined by the accreditation body and will include some level of adherence to requirements issued by the International Organization for Standardization. “For C3PAOs, some of those requirements are still being discussed, but there are security requirements for all C3PAOs related to CMMC and related to ISO,” said Jeff Dalton, chair of the CMMC accreditation body’s credentialing committee. “So they will be required to adhere to a standard and a certification standard themselves to make sure they are protecting the data they are privileged to see when they conduct an assessment.”

The accreditation body also introduced a new role to the CMMC ecosystem: registered practitioners (RPs) and the registered provider organizations (RPOs) they can serve under. “The RPOs and the registered practitioners are an opportunity for those who want to be consultants or coaches in the field to not only get training and some qualifications in the CMMC but also be associated with ... our logo, but it also gives the AB an opportunity to understand who’s doing what out in the field,” Dalton said.