20200710

UNCLASSIFIED Page 1 10 July 2020 Table of Contents U.S. finalizing federal contract ban for companies that use Huawei, others DOJ indicts 'fxmsp' hacker who reportedly breached hundreds of companies German intel warns against giving data to Chinese tech firms MongoDB is subject to continual attacks when exposed to the internet Casino App Clubillion Leaks PII on “Millions” of Users BMW customer database for sale on dark web One out of every 142 passwords is '123456' Connection discovered between Chinese hacker group APT15 and defense contractor Netgear not quite halfway there with patches for 28 out of 79 vulnerable router models DDoS Attacks Jump 542% from Q4 2019 to Q1 2020 New ThiefQuest ransomware discovered targeting macOS users BBC Publishes Screenshots Allegedly Depicting Ransomware Negotiations Between NetWalker and UCSF 'Keeper' hacking group behind hacks at 570 online stores U.S. finalizing federal contract ban for companies that use Huawei, others Reuters, 9 Jul 2020: The Trump administration plans to finalize regulations this week that will bar the U.S. government from buying goods or services from any company that uses products from five Chinese companies including Huawei, Hikvision and Dahua, a U.S. official said. The rule, which was prompted by a 2019 law, could have far-ranging implications for companies that sell goods and services to the U.S. government since they will now need to certify they do not use products from Dahua or Hikvision, even though both are among the top sellers of surveillance equipment and cameras worldwide. The same goes for two-way radios from Hytera Communications Corp and telecommunications equipment or mobile devices like smartphones from Huawei Technologies or ZTE Corp. Any company that uses equipment or services in their day-to-day operations from these five companies will no longer be able to sell to the U.S. government without obtaining a U.S. government waiver. The White House action comes amid increasing U.S.-China tension over the handling of the novel coronavirus, China’s actions in the former British colony of Hong Kong and a nearly two-year trade war. While it is unclear if this will have an impact on current contracts, it could complicate future contracts. Amazon.com Inc, for example, received 1,500 cameras to take temperatures of workers during the coronavirus pandemic from Zhejiang Dahua Technology Co Ltd in April. Amazon’s cloud unit is a major contractor with the U.S. intelligence community, and it has been battling Microsoft Corp for an up to $10 billion cloud computing deal with the Pentagon. The official said the administration will require agencies to conduct a national security analysis before they grant any waivers, something Congress did not expressly require in the statute. On June 30, the Federal Communications Commission formally designated Huawei and ZTE Corp as posing threats to U.S. national security, a Purpose Educate recipients of cyber events to aid in protecting electronically stored DoD, corporate proprietary, and/or Personally Identifiable Information from unauthorized access, theft or espionage Source This publication incorporates open source news articles to educate readers on cyber security matters IAW USC Title 17, section 107, Para a. All articles are truncated to avoid the appearance of copyright infringement Newsletter Team * SA Sylvia Romero Albuquerque FBI * CI Agent Scott Daughtry Purple Arrow Founder Subscription/Questions Click HERE to request for your employer-provided email address to be added to this product’s distribution list Purple Arrow Overview The Purple Arrow Working Group was founded in 2009 to address suspicious reporting originating from New Mexico (NM) cleared companies. Purple Arrow is a subset of the NM CI Working Group. Purple Arrow Members Our membership includes representatives from these New Mexico-focused agencies: 902nd MI, AFOSI, DOE, DCSA, DTRA, FBI, HSI and NCIS Disclaimer Viewpoints, company names, or products within this document are not necessarily the opinion of, or an endorsement by, the FBI or any member of the Purple Arrow Working Group or NM CI Working Group Distribution You may freely forward this product to U.S. person co-workers or other U.S. agency / U.S. company managed email accounts Personal Email/Foreigners The FBI will not send Purple Arrow products to a non-United States employer-provided email account (e.g. Hotmail, Gmail)

UNCLASSIFIED Page 2 declaration that bars U.S. firms from tapping an $8.3 billion government fund to purchase equipment from the companies. DOJ indicts 'fxmsp' hacker who reportedly breached hundreds of companies Engadget, 7 Jul 2020: An American court has unsealed the criminal charges [ link ] against a prolific hacker known as fxmsp, finally revealing the identity of the “invisible god of networks.” In an announcement posted by the Western District of Washington’s US Attorney’s Office, authorities have identified fxmsp as a 37-year-old Kazakhstan citizen named Andrey Turchin. The five felony charges against Turchin date back to December 2018, but they remained sealed until this revelation, which follows a report published by security vendor Group-IB about the extent of fxmsp’s illicit activities [ link ]. According to authorities, Turchin and his accomplices targeted hundreds of corporate networks in more than 40 countries between October 2017 and December 2018. Group-IB’s report says fxmsp and his group sold network access to hotel chains, banks and other financial firms, making at least $1.5 million from their operation. As a result of their activities, their victims reportedly lost tens of millions of dollars to malware and network damage. They’ve been inactive since last year after fxmsp made headlines for advertising access to data from popular cybersecurity firms McAfee, Trend Micro and Symantec. However, at least one cybersecurity firm believes they’re still operating under different names. German intel warns against giving data to Chinese tech firms Associated Press, 9 Jul 2020: Germany's domestic intelligence agency is warning consumers that personal data they provide to Chinese payment companies or other tech firms could end up in the hands of China's government. In its annual report released Thursday, the BfV agency noted that Chinese government offices have access to data stored in China by companies such as Tencent, Alibaba “as well as other apps, web services and mobility providers such as for example (bike sharing) providers” that operate in Germany. The head of the BfV, Thomas Haldenwang, said German's data isn't safe with Chinese companies because they are required by law to provide the data to their government. “Any customer here in Germany who uses such a system shouldn't be surprised if this data is abused in Beijing,” he told reporters. “We can only warn against this.” Seehofer added that Germany has yet to reach a “political decision” on whether to let Chinese telecom equipment company Huawei supply infrastructure to German cellphone service providers. Incident Reporting - Cleared Company: notify your Defense Counterintelligence and Security Service representative. If the event compromised DoD information, you must also initiate the DIBNET process. - Financial Scam/Fraud: submit a complaint to the FBI’s Internet Crime Complaint Center ( IC3 ) - Children: if a child has been targeted via the Internet, contact your state’s Attorney General via their web site. They likely have an Internet Crimes against Children task force that specializes in this crime category Cyber investigations are likely to require the original offending email (to obtain the email headers) and/or log files that are generated/maintained by an IDS, router or firewall. Ensure your IT office preserves this information should law enforcement request them for analysis. Newsletter Archival We do not maintain a formal archive of this newsletter. Your company/agency may archive Purple Arrow products on its internal network. This product may NOT be altered in any way. Cybersecurity Training All employees must understand cyber threats and think defensively every time they use automated systems. Many intrusions occur because a single employee failed basic cybersecurity practices and clicked on a hostile hyperlink or opened a malicious file attachment. The Defense Counterintelligence and Security Agency (formerly known as DSS) offers free cyber training via its Center for Development of Security Excellence (CDSE) website. Click HERE for info

UNCLASSIFIED Page 4 KelvinSecurityTeam has been highly active on underground forums, offering in June 2020 alone for sale 16 databases, including data related to U.S government contractors and Russian military weapons development. In addition, the group reportedly dumped for free 28 databases affecting entities in Mexico, Iran, U.S., Australia, Sweden, France and Indonesia. One out of every 142 passwords is '123456' ZD Net, 1 Jul 2020: In one of the biggest password re-use studies of its kind, an analysis of more than one billion leaked credentials has discovered that one out of every 142 passwords is the classic "123456" string. The study, carried out last month by computer engineering student Ata Hakçıl, analyzed username and password combinations that leaked online after data breaches at various companies. The data dumps are easily available online, on sites like GitHub or GitLab, or freely distributed via hacking forums and file-sharing portals. Over the years, tech companies have been collecting these data dumps. For example, Google, Microsoft, and Apple, have collected leaked credentials to create in-house alert systems that warn users when they're utilizing a "weak" or "common" password. Last month, Hakçıl, a Turkish student studying at a university in Cyprus, downloaded and analyzed more than one billion leaked credentials. The main discovery was that the 1,000,000,000+ credentials dataset included only 168,919,919 unique passwords, of which more than 7 million were the "123456" string. This means that one out of every 142 passwords included in the sample Hakçıl analyzed was th e weakest password known today -- with the "123456" string being the most commonly reused password online for the past five years in a row, and counting. The study's full results are available on GitHub [ link ], with a short summary below: • From 1.000.000.000+ lines of dumps, 257.669.588 were filtered as either corrupt data(gibberish in improper format) or test accounts. • 1 Billion credentials boil down to 168.919.919 passwords, and 393.386.953 usernames. • Most common password is 123456. It covers roughly 0.722% of all the passwords. (Around 7 million times per billion) • Most common 1000 passwords cover 6.607% of all the passwords. • With most common 1 million passwords, hit-rate is at 36.28%, and with most common 10 million passwords hit rate is at 54.00%. • Average password length is 9.4822 characters. • 12.04% of passwords contain special characters. • 28.79% of passwords are letters only. • 26.16% of passwords are lowercase only. • 13.37% of passwords are numbers only. • 34.41% of all passwords end with digits, but only 4.522% of all passwords start with digits. Connection discovered between Chinese hacker group APT15 and defense contractor ZD Net, 2 Jul 2020: Lookout said it linked APT15 malware to Xi'an Tianhe Defense Technology, a Chinese defense contractor. In a report published today [ link ], cyber-security firm Lookout said it found evidence connecting Android malware that was used to spy on minorities in China to a large government defense

UNCLASSIFIED Page 5 contractor from the city of Xi'an. Some of the group's past hacking operations have been documented by other cyber-security firms, and the hacking group is already known in industry circles under different codenames, such as APT15, GREF, Ke3chang, Mirage, Vixen Panda, and Playful Dragon. The vast majority of past APT15 attacks involved malware designed to infect Windows desktops, but Lookout said the group also developed an arsenal of Android hacking tools. Hacking tools that were already known include malware strains identified as HenBox, PluginPhantom, Spywaller, and DarthPusher. On top of these, Lookout said it also discovered four new ones, which they codenamed SilkBean, DoubleAgent, CarbonSteal, and GoldenEagle. The fact that Lookout linked an APT15 malware sample to a Chinese defense contractor is not a novel discovery. From 2017 to 2019, four other Chinese state-sponsored hacking groups have been linked to contractors hired by Chinese intelligence agencies operating in various regional offices. This includes: • APT3 - linked to a company named Boyusec operating on behalf of Chinese state security officials in the province of Guangdong • APT10 - linked to several companies operating on behalf of Chinese state security officials in the province of Tianjin • APT17 - linked to several companies operating on behalf of Chinese state security officials in the province of Jinan • APT40 - linked to several shell companies operating on behalf of Chinese state security officials in the province of Hainan Operators behind APT3 and APT10 have eventually been charged by the US Department of Justice in November 2017 and December 2018, respectively. Based on previous threat intelligence reports published by cyber-security firm Recorded Future and CrowdStrike, the Chinese Ministry of State Security outsources hacking operations to outside contractors, who report directly and take orders from intelligence officials. Netgear not quite halfway there with patches for 28 out of 79 vulnerable router models TheRegister, 30 Jun 2020: Netgear has now patched 28 out of 79 vulnerable router models, six months after infosec researchers first noticed security problems potentially allowing an attacker to remotely execute code as root. The latest hotfixes come after two models were fixed earlier in June. The vulnerability in question could, for example, allow the opening of a superuser-level telnet backdoor, as we reported at the time. Over the past few weeks Netgear has been pushing out fixes, having so far plugged problems with 28 of the 79 models it says are affected by the unwanted remote-superuser flaw. The vulnerabilities, initially discovered by Trend Micro's Zero Day Initiative (ZDI) in January, were meant to have been patched by 15 June. Netgear asked for an extension at the end of May for a further month, prompting the ZDI to publish an advisory note. "The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to update to the most recent firmware version and to replace end-of-life devices that are no longer supported with security patches," said the US computer security agency in a note issued last night.

UNCLASSIFIED Page 7 BBC Publishes Screenshots Allegedly Depicting Ransomware Negotiations Between NetWalker and UCSF Security Boulevard, 1 Jul 2020: The BBC claims to have obtained proof of ransom negotiations between the NetWalker gang and the University of California San Francisco almost a week after the college publicly reported on the costly security incident. Readers might recall that NetWalker ransomware operators recently persuaded the UCSF to pay over $1 million in an extortion scheme using data-encrypting malware. Now, BBC News reports that an anonymous tip-off allegedly enabled the outlet to follow the ransom negotiations in a live chat on the dark web. According to the screen captures, NetWalker operators initially demanded a $3 million ransom, reasoning the amount is pennies for an education institution with billions in annual turnover. But the university, likely with the help of an external specialist negotiator, explained the pandemic had been “financially devastating” for the college and asked them to accept $780,000. After some back and forth, the hackers eventually accepted 116.4 bitcoins, or roughly $1.14 million. 'Keeper' hacking group behind hacks at 570 online stores ZD Net, 7 Jul 2020: A hacking group known as "Keeper" is responsible for security breaches at more than 570 online e-commerce portals over the last three years. The Keeper gang broke into online store backends, altered their source code, and inserted malicious scripts that logged payment card details entered by shoppers in checkout forms. These types of attacks are what the cyber-security community calls web skimming, e- skimming, or "Magecart" intrusions (named so after the first hacker group that used these tactics). In a report published today by threat intelligence firm Gemini Advisory, the company says that Keeper has been operating since at least April 2017, and continues to operate even today. By fingerprinting this backend panel, Gemini was able to track all of Keeper's historical activities. This included the locations of past backend panels, malicious URLs used to host hacking infrastructure, but also a list of hacked online stores where Keeper inserted its malicious scripts. Gemini said that almost 85% of the 570 hacked stores ran on top of the Magento e-commerce platform. Most of the stores were small to medium-sized operations. Based on Amazon's Alexa traffic rankings, Gemini says the vast majority of stores were small-scale operations but that Keeper also hit some big names -- sites that drew between 500,000 and 1,000,000 monthly visitors. "Based on the provided number of collected cards during a nine-month window, and accounting for the group's operations since April 2017, Gemini estimates that it has likely collected close to 700,000 compromised cards," Gemini experts said in a report shared today with ZDNet [ link ]. "Given the current dark web median price of $10 per compromised Card Not Present (CNP) card, this group has likely generated upwards of $7 million USD from stealing and selling compromised payment cards in its full lifespan." The Gemini Advisory report contains the full list of all the 570+ sites that the Keeper gang hacked since April 2017 [ link ]. The Keeper group is tracked by other cyber-security companies as Magecart Group #8 , CoffeeMokko, and JS-Sniffers 4.