UNCLASSIFIED
20 July 2020

Table of Contents
- Hackers Attack Telecom Argentina, Demand USD 7.5m In Monero
- Russian Hacker Finally Found Guilty of 2012 LinkedIn Breach
- With a new setup, the Air Force hopes to improve information warfare operations
- Cloudflare DNS goes down, taking a large piece of the internet with it
- Vulnerability Found in Kasa Camera
- Twitter confirms 130 accounts were targeted as FBI launches probe on massive hack
- Space Force tests compatibility of U.S. secure satcom network with U.K. Skynet
- UK 'Confident' Moscow Helped Hackers Target Virus Vaccine
- New BlackRock Android malware can steal passwords and card data from 337 apps
- Cyber-Attack Downs Alabama County’s Network
- Honeywell Sees Rise in USB-Borne Malware That Can Cause Major ICS Disruption
- 95% of Brits Unable to Consistently Identify Phishing Messages

Purpose
Educate recipients of cyber events to aid in protecting electronically stored DoD, corporate proprietary, and/or Personally Identifiable Information from unauthorized access, theft or espionage.

Source
This publication incorporates open source news articles to educate readers on cyber security matters IAW USC Title 17, section 107, Para a. All articles are truncated to avoid the appearance of copyright infringement.

Newsletter Team
- SA Sylvia Romero, Albuquerque FBI
- CI Agent Scott Daughtry, Purple Arrow Founder

Subscription/Questions
Click HERE to request that your employer-provided email address be added to this product’s distribution list.

Purple Arrow Overview
The Purple Arrow Working Group was founded in 2009 to address suspicious reporting originating from New Mexico (NM) cleared companies. Purple Arrow is a subset of the NM CI Working Group.

Purple Arrow Members
Our membership includes representatives from these New Mexico-focused agencies: 902nd MI, AFOSI, DOE, DCSA, DTRA, FBI, HSI and NCIS.

Disclaimer
Viewpoints, company names, or products within this document are not necessarily the opinion of, or an endorsement by, the FBI or any member of the Purple Arrow Working Group or NM CI Working Group.

Distribution
You may freely forward this product to U.S. person co-workers or other U.S. agency / U.S. company managed email accounts.

Personal Email/Foreigners
The FBI will not send Purple Arrow products to a non-United States employer-provided email account (e.g. Hotmail, Gmail).

Incident Reporting
- Cleared Company: notify your Defense Counterintelligence and Security Service representative. If the event compromised DoD information, you must also initiate the DIBNET process.
- Financial Scam/Fraud: submit a complaint to the FBI’s Internet Crime Complaint Center (IC3).
- Children: if a child has been targeted via the Internet, contact your state’s Attorney General via their web site. They likely have an Internet Crimes against Children task force that specializes in this crime category.

Cyber investigations are likely to require the original offending email (to obtain the email headers) and/or log files that are generated/maintained by an IDS, router or firewall. Ensure your IT office preserves this information should law enforcement request it for analysis.

Newsletter Archival
We do not maintain a formal archive of this newsletter. Your company/agency may archive Purple Arrow products on its internal network. This product may NOT be altered in any way.

Cybersecurity Training
All employees must understand cyber threats and think defensively every time they use automated systems. Many intrusions occur because a single employee failed basic cybersecurity practices and clicked on a hostile hyperlink or opened a malicious file attachment. The Defense Counterintelligence and Security Agency (formerly known as DSS) offers free cyber training via its Center for Development of Security Excellence (CDSE) website. Click HERE for info.

Hackers Attack Telecom Argentina, Demand USD 7.5m In Monero
CryptoNews, 20 Jul 2020: Telecom S.A., the largest telecommunications company in Argentina, has suffered a ransomware attack as hackers demand USD 7.5m in the privacy coin monero (XMR), to be paid by the night of Tuesday, July 21. If the company does not meet the deadline, the payable amount will rise to USD 15 million (XMR 216,189). The hackers are not only demanding that the ransom be paid in XMR but also left a message with links to where to buy this privacy coin. Per the local news outlet, the attack has not affected users or the internet and telephone services provided by Telecom Argentina. Still, the company has reportedly lost access to Office365 and OneDrive files. Other affected internal systems include the corporate VPN, Citrix, Siebel, Genesys, the Customer and Field Service virtual machines, and internal users’ PCs. The attack has likely come through an attachment in an email, according to speculation on social media. Twitter user @pablowasserman said that the malware targeted the company’s customer relationship management (CRM) software Siebel, which contains data from its clients.

According to local reports, the attack had started as early as Wednesday, when employees began noticing trouble accessing the company’s VPN and other databases. Preliminary estimates indicate that the attack may impact the daily operations of at least 18,000 teams. The malware used in the attack is REvil ransomware, also known as Sodinokibi, which was first detected on April 17, 2019. The malware is used by the financially motivated group GOLD SOUTHFIELD.

Russian Hacker Finally Found Guilty of 2012 LinkedIn Breach
InfoSecurity Magazine, 13 Jul 2020: A Russian hacker has finally been convicted of cyber-attacks on LinkedIn, Dropbox and Formspring which breached millions of customer accounts, after spending years in custody. Yevgeniy Nikulin, now 32, was arrested in 2016 in Prague and detained there for over a year while US and Russian officials submitted extradition requests. According to a 2016 indictment by US prosecutors [link], Nikulin hacked LinkedIn, Dropbox and Formspring back in 2012. The attacks were subsequently revealed to have hit 117 million LinkedIn accounts, 69 million Dropbox users and 28 million Formspring accounts. He’s alleged to have used many of the stolen log-ins to launch subsequent attacks on individuals. In the first case to be held in the Northern California district since the start of the pandemic, it took a jury just a few hours to convict Nikulin. He now faces up to 10 years in prison for each count of selling stolen usernames and passwords and installing malware onto computers, and up to five years for each count of conspiracy and computer hacking. There’s also a two-year stretch potentially awaiting him for identity theft. Sentencing will be handed down on September 29.

With a new setup, the Air Force hopes to improve information warfare operations
Defense News, 19 Jul 2020: The Air Force is realigning the cyber mission force teams it provides to U.S. Cyber Command as a way to have intelligence personnel work more closely with cyber operators. In the past, Air Forces Cyber was made up of cyber and intelligence personnel from 24th Air Force and 25th Air Force, respectively. However, the arrangement created difficulties with command relationships and oversight of teams, since the intelligence operators served beneath a separate Air Force command with a separate commander. But in October, the Air Force decided to merge 24th and 25th Air Force into 16th Air Force/Air Forces Cyber, placing cyber, intelligence, surveillance and reconnaissance, electronic warfare and weather capabilities under one commander, and creating the Air Force’s first information warfare entity. The new organization also serves as the Air Force’s component to Cyber Command. The new organization of teams moves intelligence forces from the 70th Intelligence, Surveillance and Reconnaissance Wing to the 67th Cyber Operations Wing.

“We looked at the intelligence squadron and focused on the position descriptions that really were supporting the cyber mission force … so that we can merge those intelligence professionals into the cyber operations squadron in order to build the mission elements that supported the combatant command requirements,” Col. Lauren Courchaine, commander of the 67th Cyberspace Operations Group, told C4ISRNET in an interview. Specifically, these teams are combat mission teams, the teams that conduct cyber operations on behalf of combatant commands mostly in the offensive sphere, and cyber support teams, which provide intelligence, mission planning and other necessary support work for combat mission teams. This new structure, with cyber operators, developers and intelligence forces in the same room and read in on the same missions, provides a tighter mission thread, Courchaine said. In the past, she said, when cyber operators needed intelligence support, they’d have to ask their intelligence teammates, who weren’t always privy to the mission or technical context, which created gaps. The final realignment package is still at the Air Staff awaiting final approval, with details regarding new units still to be determined, to include a new group activated under the 67th Cyberspace Wing and three new squadrons.

Cloudflare DNS goes down, taking a large piece of the internet with it
TechCrunch, 17 Jul 2020: Many major websites and services were unreachable for a period Friday afternoon due to issues at Cloudflare's 1.1.1.1 DNS service. The outage seems to have started at about 2:15 Pacific time and lasted for about 25 minutes before connections began to be restored. Google issued a statement via email emphasizing that this was not an attack on the system. "This afternoon we saw an outage across some parts of our network. It was not as a result of an attack," the company said in a statement. "It appears a router on our global backbone announced bad routes and caused some portions of the network to not be available. We believe we have addressed the root cause and monitoring systems for stability now. We will share more shortly—we have a team writing an update as we speak." Discord, Feedly, Politico, Shopify and League of Legends were all affected, giving an idea of the breadth of the issue. Not only were websites down but also some status pages meant to provide warnings and track outages. In at least one case, even the status page for the status page was down. A DNS, or Domain Name System, is an integral part of the web, connecting domains (like TechCrunch.com) to their IP addresses (such as 152.195.50.33). If the one you or a site use goes down, it doesn't matter whether a website's own servers are working or not — users can't even reach them in the first place. Internet providers usually have their own, but they're often bad, so alternatives like Google's have existed for many years, and Cloudflare launched its service in late 2018. Update: Cloudflare at 2:46 says "the issue has been identified and a fix is being implemented." CEO Matthew Prince explains that it all came down to a bad router in Atlanta.

Vulnerability Found in Kasa Camera
InfoSecurity Magazine, 10 Jul 2020: Midwesterner Jason Kent purchased a Kasa camera to help identify whatever creature it was that had been eating his cucumber plants. In addition to uncovering the antics of a groundhog, Kent was alarmed to discover an account takeover (ATO)/credential stuffing vulnerability in the security device. Kent said: “Upon installation I realized the mobile application was connecting directly over the network to the camera, and if I wasn’t on the network, I still could see the images from my camera on the mobile app. As a security professional, this concerned me.” Kent, who is hacker-in-residence at Cequence Security, said the cybersecurity flaw he found in the device could allow a bad actor to spy on a user's home and change the camera’s settings. Through further investigation, Kent discovered that although the Kasa’s mobile application uses SSL, the SSL certificate wasn’t pinned. This made it “easy to open it up and look at the transactions.” “I also found that the authentication is simply BASE64 encoded username:password being passed under SSL,” said Kent. Of equal concern to Kent was the finding that the authentication to the web platform was giving “very verbose” API error messages that included phrases such as “password incorrect.” Kent posits that this could leave users who set up their username as their email address vulnerable to cyber-attack. Kent reported his concerns to TP-LINK, parent company of the Kasa brand, in March 2020. At time of publication, the flaw had still not been remedied.
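Two of the Kasa findings above are general API-design lessons: HTTP Basic authentication is only base64-encoded on the wire (so anyone able to read the request, for instance through an intercepting proxy when the certificate is not pinned, recovers the password), and a login endpoint that answers "password incorrect" for real accounts but something else for unknown ones confirms which usernames exist, which is exactly what a credential-stuffing list needs. The Python example below is added here to illustrate both points; it is not Kasa's, TP-LINK's or Cequence's code. The user store, the fixed salt, and the two login handlers (`verbose_login`, showing the criticised pattern, and `hardened_login`, returning one uniform failure) are all constructed for this illustration.

```python
"""Login-response hygiene: why Basic auth is not secrecy and why error
messages should not distinguish 'no such user' from 'wrong password'.

Everything here is constructed for the example (not any vendor's code).
"""
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed user store: username -> PBKDF2-HMAC-SHA256 digest of the password.
# A fixed salt keeps the example deterministic; real systems use a per-user
# random salt and a higher iteration count.
_SALT = b"constructed-example-salt"
_ITERATIONS = 50_000


def _pbkdf2(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


USERS: Dict[str, bytes] = {
    "alice@example.com": _pbkdf2("correct horse battery staple"),
}


def make_basic_header(user: str, password: str) -> str:
    """Build an 'Authorization: Basic ...' value the way a client would."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    """Decode a Basic header back into (user, password).

    The point of this function is that it needs no key: base64 is an
    encoding, so the credential is readable by anyone who sees the request.
    Returns None for anything that is not a well-formed Basic header.
    """
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode()
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    if not sep:  # RFC 7617 requires the colon separator
        return None
    return user, password


def verbose_login(header: str) -> str:
    """The pattern the article criticises: the failure text differs depending
    on whether the username exists, so each attempt confirms or denies an
    account regardless of the password."""
    creds = parse_basic_auth(header)
    if creds is None:
        return "400 malformed authorization header"
    user, password = creds
    if user not in USERS:
        return "401 unknown user"
    if not hmac.compare_digest(USERS[user], _pbkdf2(password)):
        return "401 password incorrect"
    return "200 ok"


def hardened_login(header: str) -> str:
    """Same check, but every failure (malformed header, unknown user, wrong
    password) returns the same message, and the password hash is always
    computed so an unknown user does not show up as a faster response."""
    creds = parse_basic_auth(header)
    user, password = creds if creds is not None else ("", "")
    digest = _pbkdf2(password)  # always pay the hashing cost
    ok = (
        creds is not None
        and user in USERS
        and hmac.compare_digest(USERS[user], digest)
    )
    return "200 ok" if ok else "401 invalid credentials"


if __name__ == "__main__":
    good = make_basic_header("alice@example.com", "correct horse battery staple")
    wrong_pw = make_basic_header("alice@example.com", "wrong")
    no_user = make_basic_header("bob@example.com", "wrong")
    print("on the wire:", good)
    print("decoded   :", parse_basic_auth(good))
    for label, hdr in (("valid", good), ("wrong password", wrong_pw), ("unknown user", no_user)):
        print(f"{label:15} verbose={verbose_login(hdr)!r:30} hardened={hardened_login(hdr)!r}")
```

Run stand-alone, the script prints the base64 value next to its decoded username and password, then shows that `verbose_login` gives two different 401 texts for "wrong password" and "unknown user" while `hardened_login` gives one. The remaining fix the article implies, certificate pinning in the mobile client, is a client-side control and is not modelled here.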
Twitter confirms 130 accounts were targeted as FBI launches probe on massive hack
ABC News, 17 Jul 2020: Twitter confirmed that approximately 130 accounts were targeted in the massive hack that has sent the social media company reeling and now has the attention of the Federal Bureau of Investigation. On Wednesday, the Twitter accounts of a handful of prominent users including Joe Biden, Barack Obama, Elon Musk, Bill Gates and Kanye West were apparently compromised by a hacker asking users to send funds to a Bitcoin account. At the time, the social media company said in a statement that attackers "successfully targeted some of our employees with access to internal systems and tools" and temporarily suspended the ability of all verified Twitter accounts to post. In an update Thursday evening, the company revealed more details about the reach of the cyberattacks, saying approximately 130 accounts were targeted and that for a "small subset" of those accounts, "the attackers were able to gain control of the accounts and then send Tweets from those accounts." Twitter said it has disabled downloading personal Twitter data for all accounts while the investigation continues.

Space Force tests compatibility of U.S. secure satcom network with U.K. Skynet
SpaceNews, 19 Jul 2020: A cyber-secure operating system developed for U.S. military communications satellites also works with the United Kingdom’s Skynet satellites, the U.S. Space Force said in a news release July 17. The U.S. Space Force Space and Missile Systems Center and the U.K. Ministry of Defence on July 13 conducted a demonstration of the Protected Tactical Waveform over the Skynet satellite system, according to the announcement [link]. The Protected Tactical Waveform, known as PTW, has been in development for several years and will run over the U.S. military Wideband Global Satcom (WGS) communications satellites. It was designed to mitigate the effects of jamming on tactical communications networks.

UK 'Confident' Moscow Helped Hackers Target Virus Vaccine
AFP, 20 Jul 2020: British Foreign Secretary Dominic Raab said on Sunday he was "absolutely confident" in allegations by the UK and its allies that Russia targeted labs conducting coronavirus research, branding the behavior "outrageous and reprehensible." Britain, the United States and Canada on Thursday accused a hacking group called APT29 of spearheading the online attacks on various organizations involved in Covid-19 vaccine development. They said the collective is "almost certainly" linked to Russian intelligence, and intended to steal information and intellectual property. Raab reiterated that the trio's conclusions were based on assessments by Britain's National Cyber Security Centre (NCSC) and its counterparts in the U.S. and Canada. "We're absolutely confident that the Russian intelligence agencies were engaged in a cyber attack on research and development efforts in organizations in this country and internationally with a view either to sabotage or to profit," he told Sky News. "At the time that the world has come together to try and tackle Covid-19... I think it's outrageous and reprehensible that the Russian government is engaged in this activity." Raab said Thursday that perpetrators in Russia had circulated leaked trade documents between Britain and the United States, in a bid to sow greater division in the contest.

New BlackRock Android malware can steal passwords and card data from 337 apps
ZDNet, 16 Jul 2020: A new Android malware strain has emerged in the criminal underworld that comes equipped with a wide range of data theft capabilities allowing it to target a whopping 337 Android applications. Named BlackRock, this new threat emerged in May this year and was discovered by mobile security firm ThreatFabric. Researchers say the malware was based on the leaked source code of another malware strain (Xerxes, itself based on other malware strains) but was enhanced with additional features, especially on the side that deals with the theft of user passwords and credit card information. The trojan steals login credentials (usernames and passwords), where available, and also prompts the victim to enter payment card details if the apps support financial transactions. Per ThreatFabric, the data collection takes place via a technique called "overlays," which consists of detecting when a user tries to interact with a legitimate app and showing a fake window on top that collects the victim's login details and card data before allowing the user to enter the intended legitimate app. In a report shared with ZDNet this week prior to publication, ThreatFabric researchers say the vast majority of BlackRock overlays are geared towards phishing financial and social media/communications apps. However, there are also overlays included for phishing data from dating, news, shopping, lifestyle, and productivity apps. The full list of targeted apps is included in the BlackRock report. In showing the overlays, BlackRock isn't that unique, and, under the hood, BlackRock works like most Android malware these days and uses old, tried, and tested techniques. Once installed on a device, a malicious app tainted with the BlackRock trojan asks the user to grant it access to the phone's Accessibility feature.

Currently, BlackRock is distributed disguised as fake Google update packages offered on third-party sites, and the trojan hasn't yet been spotted on the official Play Store. However, Android malware gangs have usually found ways to bypass Google's app review process in the past, and at one point or another, we'll most likely see BlackRock deployed in the Play Store.

Cyber-Attack Downs Alabama County’s Network
InfoSecurity Magazine, 9 Jul 2020: A suspected ransomware attack has caused the temporary closure of an Alabama county’s computer network. Chilton County implemented a shutdown after being targeted by a suspected ransomware attack on the morning of July 7. County Commission Chairman Joseph Parnell announced the incident on the social media network Facebook. “The incident has caused a temporary disruption to the County’s computer records systems including the tag office and probate court records,” wrote Parnell. “Persons needing services provided by our various departments should check with the clerks in the particular department before coming to the courthouse to ensure that needed records are accessible.” As a result of the attack, local records required by the courthouse in the performance of its regular services have been rendered unavailable. In a phone interview with the Clanton Advertiser, Parnell said an investigation was underway to determine the severity of the cyber-incident. The county servers and computers in several departments have been closed in a bid to limit the spread of any malware infection that may have occurred. Employees reported the discrepancies to the local IT team, which then shut down the county’s internal network. “We have a cyber-policy in place and have hired a firm of professional IT people out of New York that is going to come in and assess the system,” Parnell said. The cyber-branch of the FBI and the Alabama Attorney General’s Office have been notified of the incident.

Honeywell Sees Rise in USB-Borne Malware That Can Cause Major ICS Disruption
SecurityWeek, 9 Jul 2020: Honeywell says it has seen a significant increase over the past year in USB-borne malware that can cause disruption to industrial control systems (ICS). Honeywell Industrial Cybersecurity this week published its 2020 USB Threat Report. The report is based on data collected over a period of 12 months by the company’s Secure Media Exchange (SMX) USB security platform from oil and gas, energy, chemical, food, shipping, building, aerospace, pulp and paper, and manufacturing companies across 60 countries in the Americas, Europe and Asia. An analysis of the data showed that SMX blocked at least one threat at 45% of industrial sites using the product, up from 44% in the previous report [link], which the company published in 2018. While only 11% of the malware found on USB drives was specifically designed to target industrial systems — this represents a slight drop compared to the 14% identified in 2018 — 59% of the detected threats could cause significant disruption to industrial systems, compared to only 26% in 2018. On the other hand, that 11% becomes 28% if ransomware, which has increasingly targeted operational technology (OT) systems, is also taken into consideration. These pieces of malware can launch DoS attacks, cause loss of view to operations management networks, and damage or disrupt key assets, Honeywell says. The most prevalent threats observed by the company were RATs, backdoors and droppers. “This makes logical sense: in industrial environments, where network access is difficult, gaining a foothold via USB to then establish remote access and download new malware is a sound strategy for an attacker,” the company said in its report [link]. “While ransomware can be effective via USB, establishing a persistent backdoor with command and control, more coordinated attacks can be attempted in these otherwise elusive environments.”

95% of Brits Unable to Consistently Identify Phishing Messages
InfoSecurity Magazine, 9 Jul 2020: Just 5% of Brits are able to recognize all scam emails and texts, a study from Computer Disposals Limited [link] has found. Scam emails purporting to be from Facebook were shown to be most likely to trick people. Additionally, participants found it harder to spot scams via SMS messages compared to emails. For the study, Computer Disposals created a quiz made up of genuine recreated messages and emails from organizations including the UK government, Amazon, Disney Plus and Netflix, alongside scam texts and emails that included the exact tactics being used by hackers to gain access to users’ accounts and personal details. They then asked 1000 individuals to try to distinguish between those that were genuine and those that were fake. The findings are especially concerning in light of a rise in phishing attacks during the COVID-19 pandemic, as cyber-criminals play on people’s economic and health fears during the crisis. The respondents were observed to be naturally suspicious of all communications, however, with just 44% able to identify the genuine messages and emails.