UNCLASSIFIED    21 July 2020

Table of Contents

COVID-19 fuels cyber attacks, exposes gaps in business recovery
Critical Industrial Control Systems on Target Again - It's Snake Ransomware This Time
Russian cyberattacks an 'urgent threat' to national security
Personal details and SSNs of 40,000 US citizens available for sale
Ransomware attacks jump as crooks target remote working
Records of 45 million+ travelers to Thailand and Malaysia surfaced in the darkweb
iPhone iOS 13.6 battery draining fast for no obvious reason? Try this fix
Attackers Used Legitimate SurveyMonkey Domain to Bypass Security Filters
Hacker breaches security firm in act of revenge
Wells Fargo tells employees to delete TikTok from their company devices
Two more cyber-attacks hit Israel's water system
Huawei 5G kit must be removed from UK by 2027
A hacker is selling details of 142 million MGM hotel guests on the dark web

Purpose
Educate recipients of cyber events to aid in protecting electronically stored DoD, corporate proprietary, and/or Personally Identifiable Information from unauthorized access, theft or espionage.

Source
This publication incorporates open source news articles to educate readers on cyber security matters IAW USC Title 17, section 107, Para a. All articles are truncated to avoid the appearance of copyright infringement.

Newsletter Team
* SA Sylvia Romero, Albuquerque FBI
* CI Agent Scott Daughtry, Purple Arrow Founder

Subscription/Questions
Click HERE to request that your employer-provided email address be added to this product's distribution list.

Purple Arrow Overview
The Purple Arrow Working Group was founded in 2009 to address suspicious reporting originating from New Mexico (NM) cleared companies. Purple Arrow is a subset of the NM CI Working Group.

Purple Arrow Members
Our membership includes representatives from these New Mexico-focused agencies: 902nd MI, AFOSI, DOE, DCSA, DTRA, FBI, HSI and NCIS.

Disclaimer
Viewpoints, company names, or products within this document are not necessarily the opinion of, or an endorsement by, the FBI or any member of the Purple Arrow Working Group or NM CI Working Group.

Distribution
You may freely forward this product to U.S. person co-workers or other U.S. agency / U.S. company managed email accounts.

Personal Email/Foreigners
The FBI will not send Purple Arrow products to an email account that is not a United States employer-provided account (e.g. Hotmail, Gmail).

COVID-19 fuels cyber attacks, exposes gaps in business recovery

ZD Net, 21 Jul 2020: The majority of businesses worldwide have seen a jump in cyber attacks as a result of employees working from home, with most reporting an increase in COVID-19 related malware. In Singapore, the global pandemic also revealed gaps in organisations' disaster recovery plans and IT operations.

Some 91% of enterprises reported an increase in cyber attacks with more employees working from home amidst the coronavirus outbreak, according to a global survey released Tuesday by VMware Carbon Black. Conducted in March by research firm Opinion Matters, the study polled 3,012 IT and cybersecurity leaders across several markets including Japan, Australia, Germany, the UK, and Singapore, where there were 251 respondents. COVID-19 inspired malware saw the highest jump across the globe, with 92% noting an increase in such threats compared to typical volumes before the outbreak.

Pandemic aside, 90% reported a climb in cyber attacks over the past year, with 80% noting an increase in the level of sophistication of such threats. Some 94% said they suffered breaches in the past 12 months, including 100% in Canada and the Netherlands, and 99.6% in the Nordics. In Asia-Pacific, 96% in Australia, 92% in Japan, and 80% in Singapore reported likewise. Vulnerabilities in OSes were the most common cause of breaches, cited by 18% worldwide, while island-hopping was the main cause of breaches in markets such as Italy and the Nordics, and web application attacks were most common in Canada. With added risks from third-party applications and the supply chain, these findings revealed that the extended enterprise was under pressure, according to Rick McElroy, VMware Carbon Black's cyber security strategist.

The COVID-19 outbreak also unveiled gaps in the business recovery planning of 89% in the country, who described such holes as slight to severe. Another 86% uncovered gaps in their IT operations as a result of the pandemic, while 85% identified problems due to a remote workforce and 73.5% had issues related to visibility of cybersecurity threats.

McElroy said: "The global situation with COVID-19 has put the spotlight on business resilience and disaster recovery planning. Those organisations that have delayed implementing multi-factor authentication (MFA) appear to be facing challenges, as 32% of Singaporean respondents say the inability to implement MFA is the biggest threat to business resilience they are facing right now."

Critical Industrial Control Systems on Target Again - It's Snake Ransomware This Time

CyWare, 13 Jul 2020: Over the past few years, many threat actors have been focusing on developing specialized attack vectors to target specific industries rather than general-purpose malware. EKANS ransomware is one such malware; it has been developed to target Industrial Control Systems (ICS) since January. Recently, a FortiGuard Labs report [link] analyzed Industrial Control Systems/Operational Technology as the latest industry targeted with EKANS (aka Snake) ransomware. The report also revealed the new techniques used to attack critical ICS systems.

The Go programming language was used to write the two latest variants of this malware, identified in May and June, which makes malware analysis more difficult for researchers. These variants perform high-level activities in sequence: target environment confirmation, host firewall isolation, public RSA key decode, shadow copy deletion, file encryption, and then turning off the host firewall (the newest addition to the malware family's functionality).

Attackers have frequently targeted ICS in the past several months. In March, the Kwampirs (aka Orangeworm) threat group infected software supply chain vendors, including products used to manage ICS assets, and gained access to a large number of global hospitals. In February, EKANS malware targeted ICS and encrypted its data, displaying a ransom note demanding payment. The malware terminated 64 different software processes, allowing it to encrypt all files.
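The staging sequence the EKANS item describes (firewall isolation, then shadow copy deletion, then encryption and the firewall turned off) is what a defender can correlate on, since a single shadow-copy deletion on its own is routine backup housekeeping. The following is an added example for this newsletter item, not code from the article or from the FortiGuard report it cites: the log format is constructed, and the command-line patterns are assumptions about how those behaviours commonly appear in Windows process-creation telemetry, not indicators taken from the report.

```python
"""Correlate ransomware staging behaviour in process-creation logs.

Added example for this newsletter item; it is not code from the article or
from the FortiGuard report it cites. The article lists the behaviours
(firewall isolation, shadow copy deletion, encryption, firewall turned off);
the log format below is constructed, and the command-line patterns are
assumptions about how those behaviours commonly show up in Windows
process-creation telemetry, not indicators taken from the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one process creation per line:
# "<ISO timestamp> <host> <parent image> <command line>"
SAMPLE_LOG = """\
2020-06-02T09:14:01 HMI-03 explorer.exe notepad.exe C:\\ops\\notes.txt
2020-06-02T09:15:10 HMI-03 updater.exe netsh advfirewall set allprofiles state on
2020-06-02T09:15:12 HMI-03 updater.exe netsh advfirewall firewall add rule name=blk dir=in action=block
2020-06-02T09:15:40 HMI-03 updater.exe vssadmin delete shadows /all /quiet
2020-06-02T09:16:05 HMI-03 updater.exe netsh advfirewall set allprofiles state off
2020-06-02T10:02:00 ENG-01 cmd.exe vssadmin list shadows
2020-06-02T11:30:00 ENG-01 backup.exe vssadmin delete shadows /for=D: /oldest
"""

# Stage names follow the sequence the article describes; the regexes are the
# assumed command-line shapes (see module docstring).
STAGE_PATTERNS = {
    "firewall_isolation": re.compile(
        r"netsh\s+advfirewall\s+.*(?:state\s+on|action=block)", re.I),
    "shadow_copy_deletion": re.compile(r"vssadmin\s+delete\s+shadows", re.I),
    "firewall_disabled": re.compile(
        r"netsh\s+advfirewall\s+set\s+.*state\s+off", re.I),
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_log(text):
    """Turn the constructed log text into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, parent, cmd = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "parent": parent, "cmd": cmd})
    return events


def stages_for(cmd):
    """Return the staging behaviours a single command line matches."""
    return [name for name, rx in STAGE_PATTERNS.items() if rx.search(cmd)]


def correlate(events, window=timedelta(minutes=10),
              required=("firewall_isolation", "shadow_copy_deletion")):
    """Alert when one host shows all *required* stages inside *window*.

    A lone shadow-copy deletion is routine backup housekeeping; the pairing
    with firewall manipulation on the same host in a short span is what
    matches the staging sequence the article describes.
    """
    by_host = defaultdict(list)
    for ev in events:
        stages = stages_for(ev["cmd"])
        if stages:
            by_host[ev["host"]].append((ev["time"], stages, ev))

    alerts = []
    for host, tagged in by_host.items():
        tagged.sort(key=lambda item: item[0])
        for i, (start, _, _) in enumerate(tagged):
            seen = {}
            for t, stages, ev in tagged[i:]:
                if t - start > window:
                    break
                for stage in stages:
                    seen.setdefault(stage, ev["cmd"])
            if all(stage in seen for stage in required):
                alerts.append({"host": host, "start": start,
                               "stages": sorted(seen), "commands": seen})
                break  # one alert per host per window is enough
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(alert["host"], alert["start"], ", ".join(alert["stages"]))
```

On the constructed log, only HMI-03 raises an alert: it shows firewall isolation, shadow copy deletion and the firewall being switched off within two minutes. ENG-01's backup job deletes a shadow copy too, but with no firewall manipulation alongside it, so it stays below the threshold, which is the point of correlating stages rather than alerting on a single command.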
Russian cyberattacks an 'urgent threat' to national security

ZD Net, 21 Jul 2020: Russia's cyberattack capabilities -- and its willingness to use them -- pose an "immediate and urgent threat" to the UK's national security, according to a report from a committee of MPs. The long-awaited and much-delayed Russia report from the UK parliament's Intelligence and Security Committee (ISC) [link] describes how it sees Russia's abilities to use malicious cyber activities to further its aims. The report warned that Russia's hackers have been gaining access to the critical national infrastructure of other countries, which could later be used to disruptive effect. The report noted that there had been Russian cyber intrusion into the UK's critical infrastructure, although details of the affected sectors have been redacted. The report also said that Russian intelligence has orchestrated phishing attempts against government departments, including against the Foreign & Commonwealth Office (FCO) and the Defence Science and Technology Laboratory. Separately, Russia has recently been accused of attempting to hack into companies working on COVID-19 vaccine research.

Incident Reporting
- Cleared Company: notify your Defense Counterintelligence and Security Service representative. If the event compromised DoD information, you must also initiate the DIBNET process.
- Financial Scam/Fraud: submit a complaint to the FBI's Internet Crime Complaint Center (IC3).
- Children: if a child has been targeted via the Internet, contact your state's Attorney General via their web site. They likely have an Internet Crimes Against Children task force that specializes in this crime category.

Cyber investigations are likely to require the original offending email (to obtain the email headers) and/or log files that are generated/maintained by an IDS, router or firewall. Ensure your IT office preserves this information should law enforcement request it for analysis.

Newsletter Archival
We do not maintain a formal archive of this newsletter. Your company/agency may archive Purple Arrow products on its internal network. This product may NOT be altered in any way.

Cybersecurity Training
All employees must understand cyber threats and think defensively every time they use automated systems. Many intrusions occur because a single employee failed basic cybersecurity practices and clicked on a hostile hyperlink or opened a malicious file attachment. The Defense Counterintelligence and Security Agency (formerly known as DSS) offers free cyber training via its Center for Development of Security Excellence (CDSE) website. Click HERE for info.

Personal details and SSNs of 40,000 US citizens available for sale

Security Affairs, 13 Jul 2020: Security experts at threat intelligence firm Cyble have discovered [link] the availability on the darkweb of personal details of approximately 40,000 US citizens along with their social security numbers (SSNs). The huge trove of data was discovered by the researchers during their regular Deepweb and Darkweb monitoring activity. The experts came across a post published by a credible actor who claimed to be in possession of a database containing data of US citizens. The leaked records included US citizen information including SSN and DOB. Cyble acquired and indexed the database on its data breach monitoring and notification platform, AmiBreached.com.

Ransomware attacks jump as crooks target remote working

ZD Net, 21 Jul 2020: Ransomware attacks surged during the first half of this year, as cyber criminals looked to spread their file-encrypting malware while many people are working from home. Analysis of malicious activity throughout the year published in Skybox Security's 2020 Vulnerability and Threat Trends Report [link] says ransomware has thrived in the first half of the year, with a 72% increase in new samples of the file-encrypting malware. The rise in ransomware attacks came when a large number of organisations switched to remote working as the world faced the COVID-19 pandemic. While the switch to home working has allowed many organisations and workers to remain productive, it has also brought additional risk: security vulnerabilities in remote-desktop protocols, combined with the use of weak passwords by staff, have provided cyber attackers with an additional way into networks.
This, along with the fact that some home workers have not been provided with clear cybersecurity training, has increased the attack surface for cyber criminals, at a time when cybersecurity teams are already overwhelmed by the new reality of remote working. It is as a result of this, the report suggests, that ransomware has surged, with security departments unable to fully defend networks against attacks. "We observed 77 ransomware campaigns during the first few months of the pandemic, including several on mission-critical research labs and healthcare companies," said Sivan Nir, threat intelligence team leader at Skybox Security. The report also notes how ransomware operations like Sodinokibi have become well-engineered and effective, pushing profits for attackers even higher, and potentially encouraging lower-level cyber-criminal operations to follow the same path in pursuit of money.

Records of 45 million+ travelers to Thailand and Malaysia surfaced in the darkweb

Security Affairs, 13 Jul 2020: Experts from a threat intelligence firm have discovered the availability on the darkweb of records of over 45 million travelers to Thailand and Malaysia from multiple countries. The huge trove of data was discovered by the researchers during their regular Deepweb and Darkweb monitoring activity. The experts came across a post published by a credible threat actor who claimed to be in possession of a database containing the above records. The leaked travelers' records include Passenger ID, Full Name, Mobile Number, Passport Details, Address, Gender, and Flight Details. The researchers acquired the data and analyzed it, then indexed the information on the company's data breach monitoring and notification platform, AmiBreached.com. People who are concerned about their information exposure can register on the platform and query it to check whether their data have been exposed.

iPhone iOS 13.6 battery draining fast for no obvious reason? Try this fix

ZD Net, 20 Jul 2020: Over the weekend, a reader, Keith, got in touch with me with what is these days a common problem -- rapid battery drain. And this was really rapid. So fast that a fully-charged iPhone drained almost completely overnight doing pretty much nothing. It seems this problem had been ongoing for a while, and the reader had already upgraded, without any relief, to iOS 13.6. This was one of those interesting yet annoying problems because iOS didn't offer much in the way of insight into what was going on. The battery was in OK condition, and there wasn't any sign that an app had gone rogue and was doing donuts in the background. The reader decided to try something -- carry out a reset of the iPhone's settings (Settings > General > Reset All Settings). This is not the complete nuclear option of wiping the whole handset and starting from scratch, but it's still quite a reset. Here's Apple's description of what it does: Reset All Settings: All settings -- including network settings, the keyboard dictionary, the Home screen layout, location settings, privacy settings, and Apple Pay cards -- are removed or reset to their defaults. No data or media are deleted. Did it work? Yes. What's going on here? It's hard to say, but a likely culprit is a network or Bluetooth setting gone bad. Another similar fix I've come across is to do a full reset and then recover from a backup. If you're suffering poor battery performance, it's worth a try.
Attackers Used Legitimate SurveyMonkey Domain to Bypass Security Filters

Cyware, 14 Jul 2020: Hackers have been abusing legitimate survey forms to host credential harvesting sites on online platforms without the need for any external tool or phishing site, an approach often termed Living Off the Land (LOtL). Recently, phishers used the surveying site SurveyMonkey to host redirect links to a phishing webpage. The phishing emails in the campaign, containing a malicious link to steal employees' Microsoft credentials, hit between 15,000 and 50,000 mailboxes. In this phishing campaign, Abnormal Security found [link] that the hackers sent the emails from a real SurveyMonkey domain (surveymonkeyuser[.]com) but changed the reply-to domain, using a hidden redirect link. The redirect link was hidden as the text "Navigate to access statement" alongside a brief message: "Please do not forward this email as its survey link is unique to you." Upon clicking, the link redirects to a site hosted on a Microsoft form submission page. The form tricks users into entering their Office 365 login credentials. Users may be primed to think that the login page is there to validate whether the responses are from the legitimate recipient of the email. However, if they provide their credentials, their user account would be compromised.

Hacker breaches security firm in act of revenge

ZD Net, 13 Jul 2020: A hacker claims to have breached the back end servers belonging to a US cyber-security firm and stolen information from the company's "data leak detection" service. The hacker says the stolen data includes more than 8,200 databases containing the information of billions of users that leaked from other companies during past security breaches. The databases have been collected inside DataViper, a data leak monitoring service managed by Vinny Troia, the security researcher behind Night Lion Security, a US-based cyber-security firm.

A data leak monitoring service is a common type of service offered by cyber-security firms. Security companies scan the dark web, hacking forums, paste sites, and other locations to collect information about companies that had their data leaked online. They compile "hacked databases" inside private backends to allow customers to search the data and monitor when employee credentials leak online, or when the companies themselves suffer a security breach. Earlier today, a hacker going by the name of NightLion (the name of Troia's company) emailed tens of cyber-security reporters a link to a dark web portal where they published information about the hack. The site contains an e-zine (electronic magazine) detailing the intrusion into DataViper's backend servers. The hacker claims to have spent three months inside DataViper servers while exfiltrating databases that Troia had indexed for the DataViper data leak monitoring service. The hacker also posted the full list of 8,225 databases that Troia managed to index inside the DataViper service, a list of 482 downloadable JSON files containing samples from the data they claim to have stolen from the DataViper servers, and proof that they had access to DataViper's backend. Furthermore, the hacker also posted ads on the Empire dark web marketplace where they put up for sale 50 of the biggest databases that they found inside DataViper's backend. Most of the 8,200+ databases listed by the hacker were for "old breaches" that originated from intrusions that took place years before, and which had been known and leaked online already, in several locations. However, there were also some new databases that ZDNet was not able to link to publicly disclosed security breaches. ZDNet will not be detailing these companies and their breaches, as we have requested additional details from the hacker, and are still in the process of verifying their claims. Additional reporting will follow throughout the week as ZDNet goes through the leaked data.
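The SurveyMonkey item above turns on two mismatches a mail filter can check without any external lookup: the Reply-To domain differs from the sending domain, and the link's visible text hides a destination on yet another domain. The following is an added example for that item, not code from the article or from Abnormal Security; the message is constructed to mirror the campaign shape described, and the Reply-To address and URL are placeholders rather than the campaign's real values.

```python
"""Flag Reply-To and link-target mismatches in an inbound email.

Added example for the SurveyMonkey item in this newsletter; it is not code
from the article or from Abnormal Security. The message below is constructed
to mirror the campaign shape the article describes (legitimate sender domain,
different reply-to, a link whose text hides its destination); the reply-to
address and URL are placeholders, not the campaign's real values.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample message. The From domain is the one the article names;
# the Reply-To and link domains are placeholders.
SAMPLE_EMAIL = """\
From: Survey Team <noreply@surveymonkeyuser.com>
Reply-To: statements@example-lookalike.test
To: staff@example.org
Subject: Your access statement
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please do not forward this email as its survey link is unique to you.</p>
<p><a href="https://forms.example-lookalike.test/r/abc123">Navigate to access statement</a></p>
</body></html>
"""


def _registrable(host):
    """Last two DNS labels. Deliberately naive: a production filter would use
    the public suffix list so that co.uk-style domains compare correctly."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def address_domain(header_value):
    """Registrable domain of the address in a From/Reply-To header value."""
    _, addr = parseaddr(str(header_value or ""))
    return _registrable(addr.rpartition("@")[2])


def url_domain(url):
    """Registrable domain of an absolute URL, or '' if it has no host part."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url or "", re.I)
    return _registrable(m.group(1)) if m else ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw_message):
    """Return the sender/reply-to domains and a list of human-readable findings."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_dom = address_domain(msg["From"])
    reply_dom = address_domain(msg["Reply-To"]) if msg["Reply-To"] else None
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            dom = url_domain(href)
            if dom and dom != from_dom:
                findings.append(f"link text '{text}' leads to {dom}, not {from_dom}")
    return {"from_domain": from_dom, "reply_to_domain": reply_dom, "findings": findings}


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL)["findings"]:
        print("FINDING:", finding)
```

Both findings fire on the sample: the Reply-To points at a domain other than the SurveyMonkey sender, and the "Navigate to access statement" anchor leads off the sender's domain. Survey platforms do legitimately link to third-party destinations, so these are review signals for a quarantine or banner policy, not a block decision on their own.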
Wells Fargo tells employees to delete TikTok from their company devices

CNN, 13 Jul 2020: Wells Fargo has banned the social media app TikTok from company devices amid what it says are concerns about security. In a statement to CNN Business on Monday, a Wells Fargo spokesperson said the company had identified a "small number of employees with corporate-owned devices who had installed the TikTok application." "Due to concerns about TikTok's privacy and security controls and practices, and because corporate-owned devices should be used for company business only, we have directed those employees to remove the app from their devices," the statement said. The ban was first reported by The Information. TikTok told CNN Business on Monday it has not been contacted by Wells Fargo. The Wells Fargo announcement comes at a time of renewed scrutiny of TikTok -- including talk of a possible ban from the Trump administration -- due to its ties to China. The short-form video app, which has been downloaded 165 million times in the US, is owned by the world's most valuable startup, a Chinese company called ByteDance. On Friday, Amazon sent an email to employees to delete TikTok immediately from work phones or risk being cut off from corporate email. But hours later, Amazon said the email had been sent "in error." Separately, both the Democratic and Republican national committees warned their staffs about using the app [link].

Two more cyber-attacks hit Israel's water system

ZD Net, 20 Jul 2020: Two more cyber-attacks have hit Israel's water management facilities, officials from the Water Authority said last week [link]. Officials said the attacks took place last month, in June, and didn't cause any damage to the attacked organizations. The first attack hit agricultural water pumps in upper Galilee, while the second one hit water pumps in the central province of Mateh Yehuda, local media reported last week.

The two attacks come after Israel suffered a first cyber-attack on its water supply system in April. Initial reports played down the April attack, but a Financial Times report from June [link], citing Western intelligence sources, claimed that hackers had gained access to some of Israel's water treatment systems and tried altering water chlorine levels before being detected and stopped. If the attack had been successful and water chlorine levels had been adjusted, attackers could have caused mild poisoning of the local population served by the affected treatment facility. Following the intrusion, the Israel National Cyber-Directorate (INCD) and the Water Authority sent out an alert urging water treatment facilities to change the passwords of their internet-connected equipment "with emphasis on operational systems and chlorine control devices in particular." Israeli officials never attributed the April attack, but the Washington Post, citing foreign intelligence officials, said the intrusion was linked to Iran. Two weeks later, in mid-May, a cyber-attack crippled the port of Shahid Rajaei in the Iranian city of Bandar Abbas, which the Washington Post, citing US intelligence sources, linked to Israel, as a likely payback for the April attack.

Huawei 5G kit must be removed from UK by 2027

BBC, 14 Jul 2020: The UK's mobile providers are being banned from buying new Huawei 5G equipment after 31 December, and they must also remove all the Chinese firm's 5G kit from their networks by 2027. Digital Secretary Oliver Dowden told the House of Commons of the decision. Mr Dowden said the supply ban would delay the UK's 5G rollout by a year. Because the US sanctions only affect future equipment, the government has been advised there is no security justification for removing 2G, 3G and 4G equipment supplied by Huawei. Huawei said the move was "bad news for anyone in the UK with a mobile phone" and threatened to "move Britain into the digital slow lane, push up bills and deepen the digital divide." The action, however, does not affect Huawei's ability to sell its smartphones to consumers or how they will run.

US Secretary of State Mike Pompeo welcomed the news, saying: "The UK joins a growing list of countries from around the world that are standing up for their national security by prohibiting the use of untrusted, high-risk vendors." New restrictions will also apply to use of the company's broadband kit. Operators are being told they should "transition away" from purchasing new Huawei equipment for use in full-fibre networks, ideally within the next two years. Many of Huawei's products are developed at its labs near Shenzhen, China. The Trump administration claims that Huawei provides a gateway for China to spy on and potentially attack countries that use its equipment, suggestions the company strongly rejects. The sanctions led security officials to conclude they could no longer assure the security of its products if the company had to start sourcing chips from third parties for use in its equipment. Huawei says it employs about 1,600 people in the UK and claims to be one of Britain's largest sources of investment from China.

A hacker is selling details of 142 million MGM hotel guests on the dark web

ZD Net, 14 Jul 2020: The MGM Resorts 2019 data breach is much larger than initially reported, and is now believed to have impacted more than 142 million hotel guests, and not just the 10.6 million that ZDNet initially reported back in February 2020. The new finding came to light over the weekend after a hacker put up for sale the hotel's data in an ad published on a dark web cybercrime marketplace. According to the ad, the hacker is selling the details of 142,479,937 MGM hotel guests for a price just over $2,900. The hacker claims to have obtained the hotel's data after they breached DataViper, a data leak monitoring service operated by Night Lion Security. The MGM breach occurred in the summer of 2019 when a hacker gained access to one of the hotel's cloud servers and stole information on the hotel's past guests.

MGM learned of the incident last year and never made the security breach public, but it did notify impacted customers, in accordance with local data breach notification laws. The security breach came to light in February 2020 after a batch of 10.6 million MGM hotel guests' data was offered as a free download on a hacking forum. At the time, MGM admitted to suffering a security breach, but the company didn't disclose the full breadth of the intrusion. An MGM spokesperson also pointed out that "the vast majority of data consisted of contact information like names, postal addresses, and email addresses."