UNCLASSIFIED
Page 1
10 July 2020
Table of Contents
U.S. finalizing federal contract ban for companies that use Huawei, others
DOJ indicts 'fxmsp' hacker who reportedly breached hundreds of companies
German intel warns against giving data to Chinese tech firms
MongoDB is subject to continual attacks when exposed to the internet
Casino App Clubillion Leaks PII on “Millions” of Users
BMW customer database for sale on dark web
One out of every 142 passwords is '123456'
Connection discovered between Chinese hacker group APT15 and defense contractor
Netgear not quite halfway there with patches for 28 out of 79 vulnerable router models
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
New ThiefQuest ransomware discovered targeting macOS users
BBC Publishes Screenshots Allegedly Depicting Ransomware Negotiations Between NetWalker and UCSF
'Keeper' hacking group behind hacks at 570 online stores
U.S. finalizing federal contract ban for companies that use Huawei, others
Reuters, 9 Jul 2020:
The Trump administration plans to finalize regulations this week
that will bar the U.S. government from buying goods or services from any company
that uses products from five Chinese companies including Huawei, Hikvision and
Dahua, a U.S. official said.
The rule, which was prompted by a 2019 law, could have
far-ranging implications for companies that sell goods and services to the U.S.
government since they will now need to certify they do not use products from Dahua
or Hikvision, even though both are among the top sellers of surveillance equipment
and cameras worldwide.
The same goes for two-way radios from Hytera
Communications Corp and telecommunications equipment or mobile devices like
smartphones from Huawei Technologies or ZTE Corp.
Any company that uses
equipment or services in their day-to-day operations from these five companies will
no longer be able to sell to the U.S. government without obtaining a U.S. government
waiver.
The White House action comes amid increasing U.S.-China tension over the
handling of the novel coronavirus, China’s actions in the former British colony of Hong
Kong and a nearly two-year trade war.
While it is unclear if this will have an impact on
current contracts, it could complicate future contracts.
Amazon.com Inc, for example,
received 1,500 cameras to take temperatures of workers during the coronavirus
pandemic from Zhejiang Dahua Technology Co Ltd in April.
Amazon’s cloud unit is a
major contractor with the U.S. intelligence community, and it has been battling
Microsoft Corp for an up to $10 billion cloud computing deal with the Pentagon.
The
official said the administration will require agencies to conduct a national security
analysis before they grant any waivers, something Congress did not expressly require
in the statute.
On June 30, the Federal Communications Commission formally
designated Huawei and ZTE Corp as posing threats to U.S. national security, a
declaration that bars U.S. firms from tapping an $8.3 billion government fund to
purchase equipment from the companies.
Purpose
Educate recipients of cyber events to aid in protecting electronically stored DoD, corporate proprietary, and/or Personally Identifiable Information from unauthorized access, theft or espionage.
Source
This publication incorporates open source news articles to educate readers on cyber security matters IAW USC Title 17, section 107, Para a. All articles are truncated to avoid the appearance of copyright infringement.
Newsletter Team
* SA Sylvia Romero, Albuquerque FBI
* CI Agent Scott Daughtry, Purple Arrow Founder
Subscription/Questions
Click HERE to request for your employer-provided email address to be added to this product’s distribution list.
Purple Arrow Overview
The Purple Arrow Working Group was founded in 2009 to address suspicious reporting originating from New Mexico (NM) cleared companies. Purple Arrow is a subset of the NM CI Working Group.
Purple Arrow Members
Our membership includes representatives from these New Mexico-focused agencies: 902nd MI, AFOSI, DOE, DCSA, DTRA, FBI, HSI and NCIS.
Disclaimer
Viewpoints, company names, or products within this document are not necessarily the opinion of, or an endorsement by, the FBI or any member of the Purple Arrow Working Group or NM CI Working Group.
Distribution
You may freely forward this product to U.S. person co-workers or other U.S. agency / U.S. company managed email accounts.
Personal Email/Foreigners
The FBI will not send Purple Arrow products to a non-United States employer-provided email account (e.g. Hotmail, Gmail).
DOJ indicts 'fxmsp' hacker who reportedly breached hundreds of companies
Engadget, 7 Jul 2020:
An American court has unsealed the criminal charges [link]
against a prolific hacker known as fxmsp, finally revealing the identity of the “invisible
god of networks.” In an announcement posted by the Western District of
Washington’s US Attorney’s Office, authorities have identified fxmsp as a 37-year-old
Kazakhstan citizen named Andrey Turchin. The five felony charges against Turchin
date back to December 2018, but they remained sealed until this revelation, which
follows a report published by security vendor Group-IB about the extent of fxmsp’s
illicit activities [link]. According to authorities, Turchin and his accomplices targeted
hundreds of corporate networks in more than 40 countries between October 2017
and December 2018. Group-IB’s report says fxmsp and his group sold network access
to hotel chains, banks and other financial firms, making at least $1.5 million from
their operation. As a result of their activities, their victims reportedly lost tens of
millions of dollars to malware and network damage. They’ve been inactive since last
year after fxmsp made headlines for advertising access to data from popular
cybersecurity firms McAfee, Trend Micro and Symantec. However, at least one
cybersecurity firm believes they’re still operating under different names.
German intel warns against giving data to Chinese tech firms
Associated Press, 9 Jul 2020:
Germany's domestic intelligence agency is warning
consumers that personal data they provide to Chinese payment companies or other
tech firms could end up in the hands of China's government. In its annual report
released Thursday, the BfV agency noted that Chinese government offices have
access to data stored in China by companies such as Tencent, Alibaba “as well as
other apps, web services and mobility providers such as for example (bike sharing)
providers” that operate in Germany.
The head of the BfV, Thomas Haldenwang, said
Germans' data isn't safe with Chinese companies because they are required by law to
provide the data to their government.
“Any customer here in Germany who uses
such a system shouldn't be surprised if this data is abused in Beijing,” he told
reporters. “We can only warn against this.”
Seehofer added that Germany has yet to
reach a “political decision” on whether to let Chinese telecom equipment company
Huawei supply infrastructure to German cellphone service providers.
Incident Reporting
- Cleared Company: notify your Defense Counterintelligence and Security Service representative. If the event compromised DoD information, you must also initiate the DIBNET process.
- Financial Scam/Fraud: submit a complaint to the FBI’s Internet Crime Complaint Center (IC3).
- Children: if a child has been targeted via the Internet, contact your state’s Attorney General via their web site. They likely have an Internet Crimes against Children task force that specializes in this crime category.
Cyber investigations are likely to require the original offending email (to obtain the email headers) and/or log files that are generated/maintained by an IDS, router or firewall. Ensure your IT office preserves this information should law enforcement request them for analysis.
Newsletter Archival
We do not maintain a formal archive of this newsletter. Your company/agency may archive Purple Arrow products on its internal network. This product may NOT be altered in any way.
Cybersecurity Training
All employees must understand cyber threats and think defensively every time they use automated systems. Many intrusions occur because a single employee failed basic cybersecurity practices and clicked on a hostile hyperlink or opened a malicious file attachment. The Defense Counterintelligence and Security Agency (formerly known as DSS) offers free cyber training via its Center for Development of Security Excellence (CDSE) website. Click HERE for info.
MongoDB is subject to continual attacks when exposed to the internet
Helpnet Security, 8 Jul 2020:
On average, an exposed Mongo database is breached within 13 hours of being
connected to the internet. The fastest breach recorded was carried out 9 minutes after the database was set
up, according to Intruder.
MongoDB is a general purpose, document-based, distributed database that
consistently ranks in the top 5 most-used databases worldwide. It is used by a wide range of organizations all
over the globe to store and secure sensitive application and customer data.
There are 80,000 exposed
MongoDB services on the internet, of which 20,000 were unsecured. Of those unsecured databases, 15,000
are already infected with ransomware.
The research shows that MongoDB is subject to continual attacks
when exposed to the internet. Attacks are carried out automatically and indiscriminately and on average an
unsecured database is compromised less than 24 hours after going online.
At least one of the honeypots was
held to ransom within a minute of connecting. The attacker erased the database’s tables and replaced them
with a ransom note, requesting payment in Bitcoin for recovery of the data.
Attacks originated from locations
all over the globe, though attackers routinely hide their true location, so there’s often no way to tell where
attacks are really coming from. The fastest breach came from an attacker from Russian ISP Skynet and over
half of the breaches originated from IP addresses owned by a Romanian VPS provider.
“Even if security teams
can detect an unsecured database and recognise its potential severity, responding to and containing such a
misconfiguration in less than 13 hours may be a tall order, let alone in under 9 minutes. Prevention is a much
stronger defence than cure.”
Casino App Clubillion Leaks PII on “Millions” of Users
Infosecurity Magazine, 8 Jul 2020:
An unsecured Elasticsearch database has been leaking data on millions of
global gambling app users, according to researchers at vpnMentor.
The group discovered the unsecured
database hosted on AWS as part of a broader web mapping project. It was quickly traced back to casino app
Clubillion, which was contacted on March 23. The database was finally secured on April 5, five days after AWS
was also contacted.
Unlike many similar discoveries, this online database was updated with huge amounts of
users’ personal information every single day: in the region of 200 million new records, or 50GB, daily, and
sometimes considerably more, according to vpnMentor.
These records included every action taken by every
player on the app (“win,” “lose,” “update account,” etc.) and personally identifiable information (PII) including
emails, private messages, winnings and IP addresses.
The research team warned that gambling apps are a
popular target for cyber-criminals, who go looking for PII and to target software vulnerabilities in order to
install malware on users’ devices.
“On a single day, tens of thousands of individual Clubillion players were
exposed. Each one of these players could be targeted by malicious hackers for fraud and cyber-attacks – along
with millions more whose records were also contained in the database,” it claimed.
BMW customer database for sale on dark web
SC Magazine, 2 Jul 2020:
A database of 384,319 BMW car owners in the U.K. is being offered for sale on an
underground forum by the KelvinSecurity Team hacking group, according to KELA, a darknet threat
intelligence firm, based in Tel Aviv. According to KELA, the threat actor claimed that the BMW data came from
a “call center” that manages customers of different car suppliers. KELA said it obtained the database and
found that it contains almost 500,000 customer records from 2016 to 2018, also affecting U.K. owners of other
car manufacturers, including Mercedes, SEAT, Honda and Hyundai, among others. KELA told SC Media
KelvinSecurityTeam has been highly active on underground forums, offering 16 databases for sale in June 2020 alone,
including data related to U.S. government contractors and Russian military weapons development.
In addition, the group reportedly dumped for free 28 databases affecting entities in Mexico, Iran, U.S.,
Australia, Sweden, France and Indonesia.
One out of every 142 passwords is '123456'
ZD Net, 1 Jul 2020:
In one of the biggest password re-use studies of its kind, an analysis of more than one
billion leaked credentials has discovered that one out of every 142 passwords is the classic "123456" string.
The study, carried out last month by computer engineering student Ata Hakçıl, analyzed username and
password combinations that leaked online after data breaches at various companies.
The data dumps are
easily available online, on sites like GitHub or GitLab, or freely distributed via hacking forums and file-sharing
portals.
Over the years, tech companies have been collecting these data dumps. For example, Google,
Microsoft, and Apple, have collected leaked credentials to create in-house alert systems that warn users when
they're utilizing a "weak" or "common" password.
Last month, Hakçıl, a Turkish student studying at a
university in Cyprus, downloaded and analyzed more than one billion leaked credentials.
The main discovery
was that the 1,000,000,000+ credentials dataset included only 168,919,919 unique passwords, of which more
than 7 million were the "123456" string.
This means that one out of every 142 passwords included in the
sample Hakçıl analyzed was the weakest password known today -- with the "123456" string being the most
commonly reused password online for the past five years in a row, and counting.
The study's full results are
available on GitHub [link], with a short summary below:
• From 1.000.000.000+ lines of dumps, 257.669.588 were filtered as either corrupt data (gibberish in improper format) or test accounts.
• 1 Billion credentials boil down to 168.919.919 passwords, and 393.386.953 usernames.
• Most common password is 123456. It covers roughly 0.722% of all the passwords. (Around 7 million times per billion)
• Most common 1000 passwords cover 6.607% of all the passwords.
• With most common 1 million passwords, hit-rate is at 36.28%, and with most common 10 million passwords hit rate is at 54.00%.
• Average password length is 9.4822 characters.
• 12.04% of passwords contain special characters.
• 28.79% of passwords are letters only.
• 26.16% of passwords are lowercase only.
• 13.37% of passwords are numbers only.
• 34.41% of all passwords end with digits, but only 4.522% of all passwords start with digits.
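The figures in that summary can be reproduced on any credential dump with a short script, and the same counts yield the deny-list a signup form should reject. The following is an added example, not code from the study or from this newsletter; it runs on a constructed sample dump, and the rules it uses to drop corrupt lines and test accounts are assumptions, since the study does not state its exact filters.

```python
import re
from collections import Counter

# Constructed sample dump in "username:password" form; made-up entries for
# illustration only, not records from any real breach.
SAMPLE_DUMP = """\
alice@example.com:123456
bob@example.com:123456
carol@example.com:Password1!
dave@example.com:letmein
erin@example.com:qwerty2020
frank@example.com:123456
alice@example.com:sunshine
test@example.com:test
heidi@example.com:7h3-Gr33n-M0untain!
this line is corrupt
ivan@example.com:88888888
"""

# Assumed format rule: exactly one "user:password" pair with no whitespace.
WELL_FORMED = re.compile(r"^[^:\s]+:[^\s]+$")


def parse_dump(text):
    """Return (username, password) pairs, dropping corrupt lines and test
    accounts, the two filters the study applied (exact rules are assumptions)."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or not WELL_FORMED.match(line):
            continue  # corrupt: gibberish or improper format
        user, _, pwd = line.partition(":")
        if user.split("@")[0].lower() == "test" or pwd.lower() == "test":
            continue  # test account
        pairs.append((user, pwd))
    return pairs


def password_stats(pairs, top_n=3):
    """Compute the figures the study reports: unique counts, share of the most
    common password, top-N coverage, average length and character-class mix."""
    pwds = [p for _, p in pairs]
    counts = Counter(pwds)
    total = len(pwds)

    def pct(k):
        return round(100.0 * k / total, 2)

    most_common, most_common_n = counts.most_common(1)[0]
    top_cover = sum(n for _, n in counts.most_common(top_n))
    return {
        "credentials": total,
        "unique_passwords": len(counts),
        "unique_usernames": len({u for u, _ in pairs}),
        "most_common": most_common,
        "most_common_pct": pct(most_common_n),
        "top_n_pct": pct(top_cover),
        "avg_length": round(sum(map(len, pwds)) / total, 4),
        "special_pct": pct(sum(1 for p in pwds if re.search(r"[^A-Za-z0-9]", p))),
        "letters_only_pct": pct(sum(1 for p in pwds if p.isalpha())),
        "lowercase_only_pct": pct(sum(1 for p in pwds if p.isalpha() and p.islower())),
        "digits_only_pct": pct(sum(1 for p in pwds if p.isdigit())),
        "ends_with_digit_pct": pct(sum(1 for p in pwds if p[-1].isdigit())),
        "starts_with_digit_pct": pct(sum(1 for p in pwds if p[0].isdigit())),
    }


def denylist(pairs, n):
    """The n most reused passwords: the list a signup or password-change form
    should reject, which is how the study's findings become a control."""
    return [p for p, _ in Counter(p for _, p in pairs).most_common(n)]


if __name__ == "__main__":
    creds = parse_dump(SAMPLE_DUMP)
    for key, value in password_stats(creds).items():
        print(f"{key:>22}: {value}")
    print("denylist:", denylist(creds, 3))
```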
Connection discovered between Chinese hacker group APT15 and defense contractor
ZD Net, 2 Jul 2020:
Lookout said it linked APT15 malware to Xi'an Tianhe Defense Technology, a Chinese
defense contractor.
In a report published today [link], cyber-security firm Lookout said it found evidence
connecting Android malware that was used to spy on minorities in China to a large government defense
contractor from the city of Xi'an.
Some of the group's past hacking operations have been documented by
other cyber-security firms, and the hacking group is already known in industry circles under different
codenames, such as APT15, GREF, Ke3chang, Mirage, Vixen Panda, and Playful Dragon.
The vast majority of
past APT15 attacks involved malware designed to infect Windows desktops, but Lookout said the group also
developed an arsenal of Android hacking tools.
Hacking tools that were already known include malware
strains identified as HenBox, PluginPhantom, Spywaller, and DarthPusher. On top of these, Lookout said it also
discovered four new ones, which they codenamed SilkBean, DoubleAgent, CarbonSteal, and GoldenEagle. The
fact that Lookout linked an APT15 malware sample to a Chinese defense contractor is not a novel discovery.
From 2017 to 2019, four other Chinese state-sponsored hacking groups have been linked to contractors hired
by Chinese intelligence agencies operating in various regional offices.
This includes:
• APT3 - linked to a company named Boyusec operating on behalf of Chinese state security officials in the province of Guangdong
• APT10 - linked to several companies operating on behalf of Chinese state security officials in the province of Tianjin
• APT17 - linked to several companies operating on behalf of Chinese state security officials in the province of Jinan
• APT40 - linked to several shell companies operating on behalf of Chinese state security officials in the province of Hainan
Operators behind APT3 and APT10 were eventually charged by the US Department of Justice in
November 2017 and December 2018, respectively. Based on previous threat intelligence reports published by
cyber-security firm Recorded Future and CrowdStrike, the Chinese Ministry of State Security outsources
hacking operations to outside contractors, who report directly and take orders from intelligence officials.
Netgear not quite halfway there with patches for 28 out of 79 vulnerable router models
TheRegister, 30 Jun 2020:
Netgear has now patched 28 out of 79 vulnerable router models, six months after
infosec researchers first noticed security problems potentially allowing an attacker to remotely execute code
as root.
The latest hotfixes come after two models were fixed earlier in June. The vulnerability in question
could, for example, allow the opening of a superuser-level telnet backdoor, as we reported at the time.
Over
the past few weeks Netgear has been pushing out fixes, having so far plugged problems with 28 of the 79
models it says are affected by the unwanted remote-superuser flaw.
The vulnerabilities, initially discovered by
Trend Micro's Zero Day Initiative (ZDI) in January, were meant to have been patched by 15 June. Netgear
asked for an extension at the end of May for a further month, prompting the ZDI to publish an advisory note.
"The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to update
to the most recent firmware version and to replace end-of-life devices that are no longer supported with
security patches," said the US computer security agency in a note issued last night.
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
DarkReading, 30 Jun 2020:
In the first quarter of 2020, distributed denial-of-service (DDoS) attacks jumped
more than 542% compared with the last quarter of 2019 and more than 278% year-over-year. NexusGuard
researchers suggest the spike may be linked to a parallel increase in malicious cyber activity during the
COVID-19 pandemic [link].
Cybercriminals have responded to the work-from-home shift with a series of long DDoS
attacks aimed at hosting providers and businesses. The Akamai team recently mitigated the largest
packet-per-second DDoS attack recorded on the company's platform — double the volume of its previous record.
Researchers see attackers shifting toward attacks with lower bits-per-second and higher packets-per-second,
likely seeking weak spots in DDoS mitigation techniques.
In addition to traditional DDoS attacks, NexusGuard
researchers detected abnormal traffic patterns from ISPs such as traffic generated from infected devices, and
traffic generated by exploiting open resolvers (DNS, LDAP, etc.) to create small, short attacks they call
"invisible killers." ISPs often overlook these threats, the researchers explain in a new DDoS threat report.
New ThiefQuest ransomware discovered targeting macOS users
ZD Net, 30 Jun 2020:
Named OSX.ThiefQuest (or EvilQuest), this ransomware is different from previous macOS
ransomware threats because besides encrypting the victim's files, ThiefQuest also installs a keylogger, a
reverse shell, and steals cryptocurrency wallet-related files from infected hosts.
"Armed with these
capabilities, the attacker can maintain full control over an infected host," said Patrick Wardle, Principal Security
Researcher at Jamf. This means that even if victims paid, the attacker would still have access to their computer
and continue to steal files and keyboard strokes.
Reed and Stokes are currently looking for a weakness or bug
in the ransomware's encryption scheme that could be exploited to create a decryptor and help infected
victims recover their files without paying the ransom.
But the researcher who first spotted the new
ThiefQuest ransomware is K7 Lab security researcher Dinesh Devadoss.
Devadoss tweeted about his finding
yesterday, June 29. However, new evidence surfaced in the meantime has revealed that EvilQuest has been, in
reality, distributed in the wild since the start of June 2020.
Reed told ZDNet in a phone call today that
Malwarebytes found ThiefQuest hidden inside pirated macOS software uploaded on torrent portals and online
forums, such as a pirated version of music production app Ableton, DJ mixing software Mixed In Key, and
security tool Little Snitch.
However, Reed told us he believes the ransomware is most likely more broadly
distributed, leveraging many other apps, and not just these three.
Stokes told ZDNet the ransomware
will encrypt any files with the following file extensions:
.pdf, .doc, .jpg, .txt, .pages, .pem, .cer, .crt, .php, .py,
.h, .m, .hpp, .cpp, .cs, .pl, .p, .p3, .html, .webarchive, .zip, .xsl, .xslx, .docx, .ppt, .pptx, .keynote, .js, .sqlite3,
.wallet, .dat.
After the encryption process ends, the ransomware installs a keylogger to record all the user's
keystrokes, a reverse shell so the attacker can connect to the infected host and run custom commands, and
will also look to steal certain files. In his own analysis of ThiefQuest, Reed also noted that the ransomware also
attempts to modify files specific to Google Chrome's update mechanism, and use the files as a form of
persistence on infected hosts.
All victims infected by this point should consider their data lost forever, unless
researchers find a way to break the encryption and recover their files.
ThiefQuest is the third ransomware
strain that has exclusively targeted macOS users after KeRanger and Patcher. Another macOS ransomware
strain called Mabouia only existed at a theoretical level and was never released in the real world.
BBC Publishes Screenshots Allegedly Depicting Ransomware Negotiations Between NetWalker and UCSF
Security Boulevard, 1 Jul 2020:
The BBC claims to have obtained proof of ransom negotiations between the
NetWalker gang and the University of California San Francisco almost a week after the college publicly
reported on the costly security incident.
Readers might recall that NetWalker ransomware operators recently
persuaded the UCSF to pay over $1 million in an extortion scheme using data-encrypting malware. Now, BBC
News reports that an anonymous tip-off allegedly enabled the outlet to follow the ransom negotiations in a
live chat on the dark web.
According to the screen captures, NetWalker operators initially demanded a $3
million ransom, reasoning the amount is pennies for an education institution with billions in annual turnover.
But the university, likely with the help of an external specialist negotiator, explained the pandemic had been
“financially devastating” for the college and asked them to accept $780,000. After some back and forth, the
hackers eventually accepted 116.4 bitcoins, or roughly $1.14 million.
'Keeper' hacking group behind hacks at 570 online stores
ZD Net, 7 Jul 2020:
A hacking group known as "Keeper" is responsible for security breaches at more than 570
online e-commerce portals over the last three years.
The Keeper gang broke into online store backends,
altered their source code, and inserted malicious scripts that logged payment card details entered by shoppers
in checkout forms.
These types of attacks are what the cyber-security community calls web skimming, e-skimming, or
"Magecart" intrusions (named so after the first hacker group that used these tactics).
In a report
published today by threat intelligence firm Gemini Advisory, the company says that Keeper has been operating
since at least April 2017, and continues to operate even today.
By fingerprinting this backend panel, Gemini
was able to track all of Keeper's historical activities. This included the locations of past backend panels,
malicious URLs used to host hacking infrastructure, but also a list of hacked online stores where Keeper
inserted its malicious scripts.
Gemini said that almost 85% of the 570 hacked stores ran on top of the
Magento e-commerce platform. Most of the stores were small to medium-sized operations.
Based on
Amazon's Alexa traffic rankings, Gemini says the vast majority of stores were small-scale operations but that
Keeper also hit some big names -- sites that drew between 500,000 and 1,000,000 monthly visitors.
"Based on
the provided number of collected cards during a nine-month window, and accounting for the group's
operations since April 2017, Gemini estimates that it has likely collected close to 700,000 compromised cards,"
Gemini experts said in a report shared today with ZDNet [link].
"Given the current dark web median price of
$10 per compromised Card Not Present (CNP) card, this group has likely generated upwards of $7 million USD
from stealing and selling compromised payment cards in its full lifespan."
The Gemini Advisory report
contains the full list of all the 570+ sites that the Keeper gang hacked since April 2017 [link]. The Keeper group
is tracked by other cyber-security companies as Magecart Group #8, CoffeeMokko, and JS-Sniffers 4.