The Department of Justice on Tuesday charged an Iranian national with hacking the computer servers of HBO and seeking to extort the company after stealing episodes and scripts of popular shows, including “Game of Thrones.”
Behzad Mesri, aka “Skote Vashat,” was charged with fraud, aggravated identity theft and interstate transmission of an extortionate communication, among other charges, according to a new unsealed indictment.
According to the U.S. Attorney’s Office in the Southern District of New York, Mesri is not in custody. The FBI released a “wanted” poster of Mesri Tuesday afternoon, and said he speaks Farsi, currently resides in Iran and is a flight risk.
The prosecutors’ office also said they were not aware of any U.S. lawyer for the defendant.
Assistant director in charge of the FBI’s New York field office Bill Sweeney said at a news briefing that Mesri “lurked in the alleyways of the Internet, identified the vulnerabilities of his victim, pickpocketed their information from thousands of miles away and sought a ransom. Today’s charges show that international cybercriminals are never beyond the reach of U.S. laws.”
Mesri, who was a “self-professed expert in computer hacking techniques,” according to the indictment, at one point worked on behalf of the Iranian military to “conduct computer network attacks that targeted military systems, nuclear software systems and Israeli infrastructure.”
The indictment also reveals Mesri defaced hundreds of websites in both the U.S. and globally under his pseudonym Skote Vashat.
Between May and August, Mesri began his hacking and extortion scheme of HBO, working to obtain “unauthorized access to HBO’s computer systems” and “steal proprietary data from those systems.”
Mesri then attempted to extort HBO for $6 million worth of Bitcoin, a form of digital currency.
The confidential and proprietary data belonging to HBO that he stole included video files of unaired episodes of “Ballers,” “Barry,” “Room 104,” “Curb Your Enthusiasm,” and “The Deuce,” scripts and plots for “Game of Thrones,” cast and crew contact lists, financial documents, emails belonging to at least one HBO employee, and login information for HBO social media accounts.
The extortion scheme began in July, the indictment alleges.
“Hi to All losers! Yes it’s true! HBO is hacked! … Beware of heart Attack!!!” an anonymous email sent to HBO personnel on July 23 included in the complaint reads. The email claimed 1.5 terabytes of data was stolen.
The indictment alleges starting around July 30 and continuing to at least August, the defendant leaked portions of the stolen data to the Internet on websites he controlled.
HBO, which is owned by Time Warner, struggled over the summer with numerous high-profile hackings. A group called OurMine hijacked HBO’s main Twitter account, as well as other HBO shows’ accounts.
The Central Intelligence Agency created and used code that pretended to be from Kaspersky Lab while hacking people, a big twist on what has been an ongoing saga of allegations of Kaspersky colluding with the Russian government, according to the latest release by Wikileaks of leaked top secret U.S. government files.
The Vault 8 release, issued Thursday, detailed the source code and development logs behind the CIA’s “Project Hive,” designed by the agency to implant malware to spy on targets outside the country. Within the released code was evidence that the CIA used fake certificates pretending to have been from Kaspersky Lab, meaning essentially that the agency was hacking people across the globe while impersonating Kaspersky.
“This publication will enable investigative journalists, forensic experts and the general public to better identify and understand covert CIA infrastructure components,” WikiLeaks said in a statement. “Hive solves a critical problem for the malware operators at the CIA. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention.”
Kaspersky Lab has been in the spotlight since June after the Federal Bureau of Investigation raided the company’s employees as part of an investigation into claims the company was colluding with the Russian government to hack and steal information from the U.S. government. Despite there being no solid evidence to date, the company has since been banned by The White House and Department of Homeland Security from use by U.S. government agencies.
In a surprising twist in a story that already reads like a poorly edited self-published spy drama in Amazon.com Inc.’s Kindle book store, Kaspersky claimed last month that it had indeed gained access to top secret spying tools used by the National Security Agency, but only because a contractor accidentally installed malware on his or her computer. The company then claimed that after being made aware that it had accidentally accessed the code, it immediately deleted it.
Although much of the story to date has appeared to be nothing more than a witch hunt against Kaspersky Lab, the fact that Wikileaks has now revealed that the CIA itself was pretending to be the company while hacking people may finally provide some relief to the company going forward.
The post Wikileaks release #reveals #CIA impersonated #Kaspersky Lab while #hacking people appeared first on National Cyber Security Ventures.
President Donald Trump has broken with a host of Obama-era international agreements, from the Trans-Pacific Partnership to the Paris climate pact — but he’s showing every sign of sticking with a 2015 hacking accord with China.
Last month, the Trump administration quietly reaffirmed the agreement, which Republicans had initially greeted with skepticism. And business groups, cyber researchers and international policy experts say they see little reason for Trump to cancel the deal, especially as he’s pressing for China’s cooperation in curbing North Korea’s increasingly bellicose cyber and nuclear programs.
The hacking agreement is not expected to be a major talking point when Trump meets on Wednesday in Beijing with Chinese President Xi Jinping, whose country remains one of the most skilled and aggressive operators in cyberspace.
China appears to be largely complying with the 2015 deal, in which both countries pledged not to steal trade secrets from each other for the benefit of their domestic companies. That has helped calm the friction that once reigned between Washington and Beijing over cyber disputes, leaving Trump free to press his complaints with China on issues such as its protectionist regulations and unfavorable trade balance with the U.S.
“Having the cyber accord that we have helps to narrow the issues in dispute,” said Luke Dembosky, who worked on the 2015 U.S.-China cyber pact as a senior Justice Department official. “We need every bit of goodwill we can muster between our two countries on issues like North Korea. And we should, as a country, capitalize on the breakthrough that was achieved in fall of 2015.”
Perhaps most surprisingly to some, the deal has had its intended effect: Chinese-backed cyber theft of American trade secrets has dropped roughly 90 percent since the September 2015 accord, according to two leading digital security firms. Before then, analysts estimated that the thefts were costing the U.S. hundreds of billions of dollars a year.
“We saw the level of that activity drop off a cliff,” said Chris Porter, chief intelligence strategist at FireEye, which closely tracks major Chinese-linked hacking groups. “At or near zero levels.”
Those same researchers, though, caution that Chinese hacking tactics may have mutated in recent months, once again threatening American businesses through means that push the boundaries of the 2015 accord.
The Trump administration has not made strong public statements either way regarding the U.S.-China cyber pact despite jointly pledging with China in October to continue implementing the deal.
“President Trump believes strongly in protecting intellectual property rights, which are a key part of a fair and reciprocal trade policy,” White House spokesman Marc Raimondi wrote in an email. “We will be closely monitoring [China’s] adherence to both the letter and the spirit of the commitment.”
When Xi visited the White House in 2015, cyber tensions were at an all-time high between the two countries. It was widely believed that Beijing’s cyber spies had been behind the devastating theft that spring of more than 20 million sensitive U.S. government security clearance background-check files. And business groups were imploring the Obama administration to punish China over what they said was a pervasive hacking campaign to steal America’s trade secrets and erode the country’s competitive advantage, costing the U.S. up to $400 billion a year.
But instead of slapping Beijing with sanctions, Obama and Xi announced a mutual vow to end the type of theft that was enraging U.S. business leaders. Republicans — and even some Democrats — were immediately dubious that the diplomatic route would have any tangible effect on China’s behavior. And notably, the deal did not require either side to stop traditional cyber espionage, such as the theft of the U.S. background-check records.
However, just over two years later, the pact has held.
There has been a “massive reduction” in Chinese intrusions of American companies, said Dmitri Alperovitch, co-founder of the digital security firm CrowdStrike, which is working on a report analyzing China’s digital behavior since the agreement.
And it has allowed the two countries to focus more on their trade relationship, making it “a remarkable success” from that perspective, said Porter, of FireEye. “It shows that diplomacy can be used to reduce the cyber threat to Americans.”
Those who worked on the deal also believe it played a broader role in stabilizing U.S.-China relations and set a rare precedent for the international community on cyber norms, which have been notoriously difficult to pin down.
“These are two of the, if not the two, world leaders on cyber issues,” said Dembosky, now a partner at the law firm Debevoise & Plimpton. “So for them to reach any agreement on matters of cyberspace … has huge ripple effects in the international community in a positive way.”
China did not give up its expansive cyber efforts, though. Instead, the country shifted its focus to regional targets, training its digital spies on dissidents in Tibet and Hong Kong, as well as political, military and economic targets across Asia, CrowdStrike’s Alperovitch said. According to FireEye’s Porter, Chinese hackers were able to pilfer intellectual property — from other nations, like Japan — that was largely comparable to what they had been getting in the U.S.
At the same time, Xi was also restructuring his military. The increasingly powerful leader wanted to consolidate the country’s cyber army and rein in government-linked hackers moonlighting as rogue digital actors, a process FireEye detailed in a June 2016 report.
And there are recent signs that Beijing may be testing the limits of its 2015 promises.
In mid-2016, FireEye noticed that one prominent suspected Chinese hacking group had resurfaced, catching it infiltrating a U.S. information technology services firm in a likely attempt to gain access to the firm’s clients. Porter said FireEye had also discovered Beijing-linked hackers spying on corporate executives, giving them access to inside information that might eventually come in handy for Chinese investors looking to purchase an American firm or Chinese companies bidding on a U.S. project.
It’s unclear whether either strategy would technically violate the narrow terms of the 2015 agreement.
“I do think that it’s still too early to call victory here,” Alperovitch said.
Still, cyber watchers say that Trump should stick with the deal.
The U.S. gave up almost nothing in inking the agreement, they note, as it already had a long-established commitment to not steal corporate secrets for domestic economic gain. Plus, the deal established law enforcement channels to swap details on cybercrime, a valuable tool given China’s proximity to North Korea’s increasingly assertive cyber army. Researchers believe Pyongyang was behind a global malware outbreak earlier this year that froze tens of thousands of computer networks, costing businesses hundreds of millions of dollars. South Korea has also blamed its northern neighbor for the digital theft of war plans.
China may have enabled North Korea’s hacking operations by providing network bandwidth or even physical space for Pyongyang’s digital warriors, according to studies and media reports. Details are thin on what assistance China may currently provide.
“China may well be in a position to be able to provide information about North Korean cyber activities,” said Samir Jain, who helped craft the U.S.-China cyber deal as a senior director for cyber policy at the National Security Council. “To the extent that the Chinese can provide information about those actors or about servers or other infrastructure being used by North, then that would all be helpful.”
The White House also doesn’t appear eager to rock the boat over any possible noncompliance with the 2015 deal. A White House blog post about Trump’s upcoming visit to Beijing mentioned only the North Korea situation and “China’s unfair trade practices.”
Indeed, those “unfair trade practices” are where industry leaders’ concerns now lie. They worry that new Chinese cybersecurity regulations could force foreign technology companies to hand over software for “security” reviews before being allowed to enter China’s booming market. Trump recently ordered the U.S. trade representative to investigate the issue, setting up a potential showdown with Beijing on trade.
“We are at risk of a trade war,” Dembosky said. “It may be a cold trade war, but it’s certainly getting much hotter. If we don’t reach some understanding with China on the processes — and the fairness of the processes on both sides for evaluating these risks — then both countries will suffer.”
The post Why #Trump is #sticking with #Obama’s #China #hacking #deal appeared first on National Cyber Security Ventures.
A Chinese hacking operation is back with new malware attack techniques and has switched its focus to conducting espionage on western corporations, having previously targeted organisations and individuals in Taiwan, Tibet, and the Philippines.
Dubbed KeyBoy, the advanced persistent threat actor has been operating out of China since at least 2013 and in that time has mainly focused its campaigns against targets in the South East Asia region.
The last publicly known activity by KeyBoy saw it target the Tibetan Parliament between August and October 2016, according to researchers, but following that the group appeared to cease activity — or at least managed to get off the radar.
But now the group has reemerged and is targeting western organisations with malware which allows them to secretly perform malicious activities on infected computers. They include taking screenshots, key-logging, browsing and downloading files, gathering extended system information about the machine, and shutting down the infected machine.
KeyBoy’s latest activity has been uncovered by security analysts at PwC, who’ve analysed the new payload and found it includes new infection techniques replacing legitimate Windows binaries with a copy of the malware.
Like similar espionage campaigns by other hacking operations, the campaign begins with emails containing a malicious document – in the case analysed by PwC, the lure was a Microsoft Word document named ‘Q4 Work Plan.docx’.
But rather than delivering macros or an exploit, the lure uses the Dynamic Data Exchange (DDE) protocol to fetch and download a remote payload. Microsoft has previously described DDE as a feature, not a flaw.
In this case, Word tells the user there’s been an error and the document needs updating – if this instruction is run, a remote fake DLL payload is run, which in turn serves up a dropper for the malware.
Once the process has been run and the malware is installed, the initial DLL is deleted, leaving no trace of the malicious fake. As the malware also disables Windows File Protection and related popups, it therefore isn’t immediately obvious to system administrators that a legitimate DLL was replaced.
Once inside the target system, the attackers are free to conduct espionage campaigns as they please – although PwC researchers have listed possible indicators of compromise which organisations can use to discover whether there are traces of KeyBoy in the network.
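As an added defensive check that is not part of the original article or of PwC's research, the following Python script inspects a .docx for DDE/DDEAUTO field codes, the delivery mechanism described above. A .docx is a zip archive, and Word fields live either in a `w:fldSimple` attribute or as `w:instrText` runs between a `fldChar` begin/end pair; the scanner reassembles instructions that are split across runs (a naive string search on each run would miss a split "DDEAUTO"), walks every `word/*.xml` part because fields can sit in headers and footers too, and builds a constructed sample document in memory so it runs offline. The application and topic values in the sample are placeholders, not anything from the KeyBoy campaign.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
FLD_SIMPLE = f"{{{W_NS}}}fldSimple"
FLD_CHAR = f"{{{W_NS}}}fldChar"
INSTR_TEXT = f"{{{W_NS}}}instrText"
# Word treats field keywords case-insensitively, so match DDE and DDEAUTO in any case.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def extract_field_codes(xml_bytes):
    """Return the full instruction text of every field in one WordprocessingML part.

    Simple fields keep the instruction in a w:instr attribute. Complex fields spread it
    over any number of w:instrText runs between a fldChar begin and its matching end, so
    the runs are joined before matching. Nested fields (e.g. a QUOTE field wrapping a DDE
    field) are collected as one outer instruction.
    """
    root = ET.fromstring(xml_bytes)
    codes = [el.get(f"{{{W_NS}}}instr", "") for el in root.iter(FLD_SIMPLE)]
    depth, parts = 0, []
    for el in root.iter():  # document order
        if el.tag == FLD_CHAR:
            kind = el.get(f"{{{W_NS}}}fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    codes.append("".join(parts))
                    parts = []
        elif el.tag == INSTR_TEXT and depth > 0:
            parts.append(el.text or "")
    return codes


def scan_docx(data):
    """Scan an in-memory .docx (bytes); return [(part name, normalised field code)] for DDE fields."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # fields can live in the body, headers, footers, footnotes, etc.
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                codes = extract_field_codes(zf.read(name))
            except ET.ParseError:
                continue
            for code in codes:
                if DDE_RE.search(code):
                    hits.append((name, " ".join(code.split())))
    return hits


def scan_docx_file(path):
    """Convenience wrapper for a document on disk."""
    with open(path, "rb") as fh:
        return scan_docx(fh.read())


def build_sample_docx(field_code):
    """Construct a minimal .docx in memory holding one complex field (constructed test input only).

    The instruction is deliberately split into two runs so that a scanner which only
    inspects individual w:instrText elements would never see the whole keyword.
    """
    runs = "".join(f"<w:r><w:instrText>{escape(p)}</w:instrText></w:r>"
                   for p in (field_code[:4], field_code[4:]))
    document = (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f"{runs}"
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        "<w:r><w:t>Click Yes to update this document</w:t></w:r>"
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        "</w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    # placeholder application/topic values, not a real payload
    print(scan_docx(build_sample_docx('DDEAUTO "placeholder-app" "placeholder-topic"')))
    print(scan_docx(build_sample_docx("PAGE")))  # ordinary page-number field: no hit
```

Any hit is worth a look, since a legitimate business document very rarely needs a DDE link; a reviewer would then check the application and topic named in the field rather than trusting the "document needs updating" prompt the user sees.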
Similar techniques and attack capabilities have been observed in past KeyBoy campaigns, leading researchers to conclude that this campaign is by the same group.
Researchers have yet to uncover which specific organisations or sectors KeyBoy is targeting with its latest campaign, but say that the group has now turned its attention to conducting corporate espionage on organisations in the west.
Aside from knowing that they’re based in China, it’s not yet been possible to identify the KeyBoy hacker group or their ultimate motives. While it has some of the hallmarks of a state-backed operation, previous research into the group says any type of criminal gang could operate this style of campaign.
The post Chinese #hacking group #returns with new #tactics for #espionage #campaign appeared first on National Cyber Security Ventures.
The FBI is making increasing use of an investigative technique that puts the public’s internet security at risk. This month, the ACLU filed amicus briefs in two cases to challenge the FBI’s use of this technique, which has significant cybersecurity implications for everyone.
The technique — government hacking — involves sending malware over the Internet to search computers remotely, often for information that is transmitted by or stored on anonymous targets’ computers. The malware can give investigators total control over a computer system. Absent extraordinary circumstances, courts should not grant this kind of power to law enforcement — much less with just a run-of-the-mill search warrant.
Malware — software designed to covertly damage a computer, take control of a system, or steal data — is not new to the federal government. The FBI has been deploying tools to search anonymous users’ computers since at least 2002. More recently, however, the FBI has expanded its use of this technique. Rather than deploying tailored malware against individual targets, the agency is now conducting “watering hole” operations that deliver malware to everyone who visits a particular webpage or pages. This can result in hundreds or thousands of computers being compromised, as well as the uncontrolled distribution of malware around the globe.
What the FBI didn’t disclose in court
This month, the ACLU filed briefs in the two cases pending before the Ninth Circuit Court of Appeals that involve the most recent publicly known malware investigation, aimed at users of the Playpen website. Playpen was a site primarily dedicated to disseminating child pornography, though it also hosted some lawful activities like chat and fiction forums. The FBI learned of Playpen, seized the server, and then actually ran the site out of its Virginia offices for two weeks. During that time, the federal government reportedly became one of the largest purveyors in the world of child pornography.
The FBI took this step in an effort to identify people who visited the site, since visitors were using a privacy-protective web browser called Tor to mask their IP addresses, and thus their identities. (Playpen was designed so that only people using Tor could visit it. The U.S. government originally funded Tor, which serves as an essential tool for activism and free speech across the world. Journalists, bloggers, whistleblowers, human rights workers, and other activists have relied on the Tor network to avoid surveillance by potentially repressive regimes.)
To obtain permission to deploy the malware — to which the government gave the anodyne name “Network Investigative Technique,” or “NIT” — the government sought a warrant from a magistrate in the Eastern District of Virginia. The warrant granted the FBI permission to send computer instructions from Playpen to anyone who logged in with a user name and password. These instructions, the magistrate was told, would gather identifying information from the activating computers and send it to the FBI.
In Playpen, the FBI sought to search as many as 158,000 computers around the world with this malware. As a result, there are now approximately 140 Playpen prosecutions for possession of child pornography wending their way through the federal courts. The ACLU has filed several other amicus briefs with the Electronic Frontier Foundation challenging Playpen searches on the grounds that a single warrant cannot lawfully authorize a search of more than 100,000 people, and that the searches unconstitutionally violated Federal Rule of Criminal Procedure 41, which at the time limited magistrates’ ability to authorize searches to the district in which they operate — whereas the Playpen searches were global in scope. (Rule 41 has since been modified and now removes that procedural obstacle for the government to hack remotely.)
In the briefs we filed with several of our affiliates located in the Ninth Circuit this month — United States v. Tippens and United States v. Henderson — we argue that the FBI failed in its duty of candor to the magistrate judge, rendering the searches unconstitutional. What the FBI did not tell the magistrate judge, among other things, is that for its NIT to work, it had to force visitors’ computers to do something that Tor and every other web browser is not supposed to do — download, install, and run the code transmitted by a webpage. To get that to happen, the NIT used exploit code — software designed to take advantage of a flaw in the way the Tor browser works. Further, because the Tor browser is built on Mozilla’s Firefox code, this exploit likely worked against millions of Firefox users.
In other words, the government became a hacker, sending exploit code around the country and the world, compromising browser security and searching computers for information. And astoundingly, it didn’t tell the court that this was how the NIT worked. It even kept secret from the magistrate the very fact that it was, through its exploit, planning to take advantage of a vulnerability in Tor (and likely Firefox).
While the public doesn’t know what the vulnerability was, it likely gave the government, in Mozilla’s words, “total control” over the users’ computers. The FBI may have chosen to use that power only to collect identifying information, as it represented in the search warrant affidavit. But it could have accessed far more — and more private — information.
Without knowing that the government’s malware contained an exploit, the court was not in a good position to closely supervise the computer searches that the FBI’s computer instructions conducted. The magistrate likely had no idea she should police the search to ensure that the government would not misuse its capabilities to search private data for which it had no probable cause. Where searches are particularly intrusive (and especially when they involve digital media like computers), Fourth Amendment case law recommends heightened standards of proof for issuing warrants, search protocols, destruction of unrelated materials, and more to ensure that legitimate government searches do not metastasize into fishing expeditions. The magistrate couldn’t have known that she might want to impose such safeguards in this case.
How FBI hacking can hurt the public
Beyond just the facts of this case, the government’s development, storage, and use of exploits create computer security risks for the public that cannot be mitigated by the warrant process. The government may lose control of malware if an insider leaks or sells the tools, if the government itself is hacked, or if a malware target identifies and publishes the code. Once a hacking tool has been disclosed outside the government, malicious actors have a window of opportunity to use it for their own nefarious purposes.
We know the risk that the government will lose control of exploits is real, because we’ve seen it happen a number of times:
In 2013, the FBI deployed malware on multiple websites hosted by a company called Freedom Hosting. This malware similarly took advantage of a Firefox security vulnerability to identify users of Tor. Innocent individuals who visited the targeted Freedom Hosting sites — which included TorMail, an encrypted email service used by all kinds of people all over the world to ensure privacy in their communications — noticed the hidden computer instructions embedded in the sites, and within days, the code was being “circulated and dissected all over the net.” Eventually, the same attack showed up “in the wild”, using essentially the same exploit the government used to compromise Freedom Hosting visitors to hack users of the Tor browser more widely.
The government’s exploits also can be stolen. In 2016, the public learned that an entity calling itself the Shadow Brokers obtained National Security Agency malware from an external NSA “staging server.” Following some initial attempts to sell the exploits, the Shadow Brokers dumped dozens of NSA hacking tools online for free in April 2017. One of the tools the Shadow Brokers released — called EternalBlue — exploited a flaw in Microsoft software. Once released, the tool was repurposed into a virulent piece of ransomware called WannaCry, which infected hundreds of thousands of computer systems worldwide in May 2017.
The very next month, another malware attack began spreading internationally after initially hitting critical infrastructure in Ukraine. Similar to WannaCry, the worm, dubbed NotPetya, made use of EternalBlue as well as another NSA exploit, called EternalRomance, also released by the Shadow Brokers. WannaCry and NotPetya infected such crucial systems as hospitals, power companies, shipping, and banking, endangering human life as well as economic activity.
Courts have said that dangerous tools used to effectuate otherwise lawful searches — tools like flashbang grenades and battering rams — can be unreasonable under the Fourth Amendment. Government malware is another such tool. Some investigative techniques are just too dangerous to use.
Cybersecurity is hard, and we are not doing a very good job of protecting the systems that we rely on. This task gets even harder if the government is an active attacker on the network with a vested interest in keeping computers insecure in case an investigator wants to conduct a search. If we aren’t careful, this powerful tool that the FBI now uses, like other powerful tools, will eventually trickle down to state and local police departments.
The government should be fighting to secure computers — not to hack them or to stockpile exploit codes that can be lost or stolen, and then misused and abused. As we told the Ninth Circuit, the Fourth Amendment needs to protect the public’s privacy and security. Secretive and unregulated government hacking endangers both.
The post Challenging #Government #Hacking: What’s at #Stake appeared first on National Cyber Security Ventures.
A former student at the University of Iowa was arrested on computer-hacking charges for accessing copies of exams in advance, and altering grades for himself and his classmates.
Chemistry major and wrestler Trevor Graves, 22, allegedly plugged keyloggers into university computers in classrooms and labs, allowing him to see whatever his professors typed, including their credentials to the university’s grading system.
In a criminal complaint submitted to an Iowa district court, the FBI claims Graves had access to the school’s grading system, Iowa Courses Online (ICON), for nearly 21 months – between March 2015 and December 2016.
During this time, Graves was able to modify grades more than 90 times on tests, quizzes and homework assignments for himself and at least five other students.
One of Graves’ professors first reported the incident to campus IT security officials after noticing changes in his assignments and quiz scores without her authorization.
An investigation led to a search of his off-campus apartment where authorities seized keyloggers, cellphones and thumb drives that contained copies of the stolen exams.
Grades were allegedly changed for a number of classes, including courses in business, engineering and chemistry.
According to the New York Times, Graves was arrested in Denver last Tuesday and released on bond pending an initial court appearance in Iowa two days later.
The Colorado native is charged with “intentionally accessing a computer without authorization and exceeding authorized access to obtain information, and knowingly transmitting a computer program to cause damage.”
Court documents state the IT expenses associated with the internal investigation, response to the breach and remedial steps to enhance IT security will cost the university roughly $68,000.
The post FBI #Charges 22-Year-Old #Student for #Hacking System to Change #Grades appeared first on National Cyber Security Ventures.
Chinese hackers, once some of the most careless and noisy hackers around, have become very careful and much more strategic at choosing the targets they go after.
The archetype of the Chinese hacker is well documented in the cyber-security industry. Chinese actors hack whatever they can, grab whatever they can, and sift through the data after the fact.
They also don’t care about stealth, rarely hide their tracks, and operate based on a set of general instructions that trickle down through a convoluted network of state agencies and private companies.
Nation-state cyber operations have been going on since the mid-90s, but it was only after the appearance of Chinese actors in the early 2000s that people started to pay more attention to the world of cyber-espionage.
While Russian and US groups were focusing on carrying out secret operations, putting most of their efforts in remaining hidden, Chinese hackers came like a flood and drove a truck through the front door with no regard to getting detected.
In fact, the term APT (advanced persistent threat) that is now used to describe hacker groups believed to be operating at orders and under the protection of local governments, initially stood for Asia-Pacific Threat, mainly because of the onslaught of Chinese hacks at the start of the 2000s.
US-China pact had a temporary effect on Chinese hacking operations
Their clumsiness and noisy actions eventually landed China at odds with the US, and political tensions rose so much that in the autumn of 2015, Chinese and US authorities had to meet and sign a mutual pact where neither government would “conduct or knowingly support cyber-enabled theft of intellectual property.”
The pact effectively limited nation-state hacking between the two countries to intelligence gathering operations only.
This agreement had an immediate result, and after six months cyber-security firm FireEye noted that the pact and a series of military reforms had visibly slowed down China’s cyber-espionage operations.
In reality, Chinese hackers didn’t stop hacking, but just started choosing their targets more carefully.
Chinese hackers become more careful
Instead of driving a truck through the front door, Chinese hacker groups started to pick locks and operate in the shadows.
For example, the clever hack and poisoning of the CCleaner app is believed to have been carried out by a Chinese APT codenamed Axiom. And let’s not forget the well-planned hacks of cloud providers so Chinese hackers could silently reach into organizations’ internal networks.
“There was indeed a decrease in activity of Chinese APTs following the pact,” Tom Hegel, Senior Threat Researcher at 401TRG, told Bleeping Computer.
“They became more strategic and operate with improved tactics since then,” Hegel added. “They were once very noisy with little care for operational security. These days it’s more strategically controlled.”
Three reports detail new Chinese hacking operations
This is why it’s so rare and most likely a coincidence that we’ve seen three reports released in the past two weeks describing various cyber operations, all linked to China.
“I personally wouldn’t say these reports are a resurgence [of Chinese hacking activity], but rather a continued increase in public reporting and identification,” Hegel said.
The first of these three new reports detailing Chinese APT activity was published last week by RiskIQ. The report details a new remote access trojan named htpRAT that was used against various targets in Laos.
The RAT comes with the ability to log keystrokes, take screenshots, record audio and video from a webcam or computer microphone, install and uninstall programs and manage files. Infrastructure reuse links the group behind this malware with PlugX, the decade-old favorite malware of multiple Chinese APTs.
A second report was released yesterday by PwC’s cyber-security division. The report highlights new activity from a Chinese APT known as KeyBoy [1, 2], previously dormant for around four years.
The report also highlights a new RAT that can take screenshots, exfiltrate files, and download and run other malware. While previously the group targeted Taiwan, Tibet, and the Philippines, the group is now going after Western organizations. Parys says the group appears to currently be interested in corporate espionage.
Last but not least, we have Check Point’s revised report on the IoT_Reaper botnet. New evidence reveals that command and control domains used by the Reaper botnet were registered with an email address that is connected to the Black Vine Chinese APT, the group that breached health insurance provider Anthem in 2015.
It’s still a mystery why a cyber-espionage group would be building an IoT botnet. Some could say the group is creating a tool that could be used to launch DDoS attacks against targets the Chinese government would like to silence. Another theory is that Black Vine would use the botnet as a layer of proxies to hide future operations.
All in all, we’re seeing both a curb and maturation of Chinese hacking efforts, some of which can be attributed to the military reforms enforced by President Xi Jinping after he took power in 2012 when he said that government and military elements should stop using state resources for their own agendas.
The post Chinese #Hacking Efforts More #Strategic, Less #Noisy appeared first on National Cyber Security Ventures.
View full post on National Cyber Security Ventures
Ransomware is being used to hide an elaborate, targeted hacking campaign which went undetected for months before the attackers pulled the plug and encrypted hundreds of machines at once in an effort to remove stolen data while also covering their tracks.
The campaign targeted several Japanese organisations in attacks that lasted from three to nine months before a ransomware attack used a wiper on compromised machines in an effort to hide the operation.
Forensic investigation of the infected machines by researchers at Cybereason led them to conclude that the attacker attempted to wipe evidence of the operation and destroy any traces of the attack.
The name of the ransomware comes from the .oni file extension of encrypted files as well as the email address in the ransom note, which translates to “Night of the Devil” – the name researchers have given to the operation. Researchers note that ONI shares much of its code with GlobeImposter ransomware.
Attacks using ONI ransomware have been carried out against Japanese targets for some time, but the investigation into the latest wave of attacks uncovered a new variant, MBR-ONI, a form of the ransomware which comes equipped with bootkit features.
The new bootkit ransomware is based on DiskCryptor, a legitimate disk encryption tool, the code of which has also been found in Bad Rabbit ransomware.
While MBR-ONI bootkit ransomware was used against a controlled set of targets, such as Active Directory server and other critical assets, ONI was used against the rest of the endpoints in an infected network.
The ONI-based attacks all begin in the same way, with spear-phishing emails distributing malicious Office documents that drop the Ammyy Admin remote access tool.
Once inside the system, attackers map the internal networks, harvesting credentials and moving laterally through the system – researchers suspect that the leaked NSA SMB exploit EternalBlue plays a role in enabling the attackers to spread through the network.
Ultimately, the attackers compromise critical assets including the domain controller to gain full control of the network and the ability to exfiltrate any data deemed important.
Once the attackers are done with the infected network, the ONI and MBR-ONI ransomware were run.
While ONI does provide a ransom note and the prospect of recovering encrypted data, researchers believe MBR-ONI is designed to never provide a decryption key, but rather as a wiper to cover the attackers’ footprints and conceal the true goals of the attack: espionage and removing data over a period of months.
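One defender-side check that follows from the indicators above is a burst detector for mass renames to the .oni extension on a single host, the tell-tale sign of ONI's encryption phase. This is an added example and not code from the original article or from Cybereason; the host names, paths, log format, 60-second window and alert threshold are all constructed assumptions for illustration.

```python
"""
Added example (not part of the original article or Cybereason's research):
flag hosts where many files are renamed to ".oni" within a short window.
The log format, host names, paths, window and threshold are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ONI_EXT = ".oni"                 # extension appended by ONI (from the article)
WINDOW = timedelta(seconds=60)   # assumed detection window
THRESHOLD = 5                    # assumed renames-per-window before alerting

# Constructed file-event log: "<ISO time> <host> <action> <old path> <new path>"
SAMPLE_LOG = """\
2017-10-30T02:14:01 fileserver01 RENAME C:\\share\\q3.xlsx C:\\share\\q3.xlsx.oni
2017-10-30T02:14:02 fileserver01 RENAME C:\\share\\q4.xlsx C:\\share\\q4.xlsx.oni
2017-10-30T02:14:02 fileserver01 RENAME C:\\share\\plan.docx C:\\share\\plan.docx.oni
2017-10-30T02:14:03 fileserver01 RENAME C:\\share\\hr.pdf C:\\share\\hr.pdf.oni
2017-10-30T02:14:05 fileserver01 RENAME C:\\share\\cad.dwg C:\\share\\cad.dwg.oni
2017-10-30T02:14:09 fileserver01 RENAME C:\\share\\notes.txt C:\\share\\notes.txt.oni
2017-10-30T02:14:10 dc01 RENAME C:\\backup\\ntds.dit C:\\backup\\ntds.dit.bak
2017-10-30T09:00:00 hr-laptop07 RENAME C:\\Users\\a\\x.docx C:\\Users\\a\\x.docx.oni
2017-10-30T13:30:00 hr-laptop07 RENAME C:\\Users\\a\\y.docx C:\\Users\\a\\y.docx.oni
"""


def parse_events(text):
    """Parse whitespace-separated event lines into dicts (paths contain no spaces here)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, action, old, new = line.split()
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "action": action, "old": old, "new": new})
    return events


def find_oni_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {host: (count, first_time, last_time)} for hosts whose densest
    window of .oni renames reaches the threshold."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["action"] == "RENAME" and ev["new"].lower().endswith(ONI_EXT):
            per_host[ev["host"]].append(ev["time"])

    alerts = {}
    for host, times in per_host.items():
        times.sort()
        best = (0, None, None)
        start = 0
        # Sliding window: advance `start` until the window spans <= `window` seconds.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, times[start], t)
        if best[0] >= threshold:
            alerts[host] = best
    return alerts


if __name__ == "__main__":
    for host, (count, first, last) in find_oni_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {count} .oni renames between {first} and {last}")
```

The window-and-threshold approach separates a burst of encryption (fileserver01, six renames in eight seconds) from isolated renames spread over hours (hr-laptop07), which keeps the rule from firing on a single stray file while still catching the mass-encryption phase early enough to isolate the host.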
During investigations of targeted organisations, it was found that some had been compromised since December 2016, indicating long-term planning and sophistication on behalf of the attackers.
“While ONI and the newly discovered MBR-ONI exhibit all the characteristics of ransomware, our analysis strongly suggests that they might have actually been used as wipers to cover an elaborate scheme,” said Assaf Dahan, director of advanced security services at Cybereason.
“The use of ransomware and/or wipers in targeted attacks is not a very common practice, but it is on the rise. We believe ‘The Night of the Devil’ attack is part of a concerning global trend in which threat actors use ransomware/wipers in targeted attacks,” he added.
Researchers haven’t been able to conclusively determine who is behind the campaign, and the Russian language in the code could be either a clue or a diversion.
“The question of attribution is a tricky one. The Russian language traces found in the binary files could suggest that there is a Russian threat actor behind the attack. That being said, this kind of data can also be easily manipulated by the attackers to throw researchers off track,” Dahan told ZDNet.
FOR THE LAST two years, America’s cybersecurity relationship with China has been held up as a triumph of digital diplomacy: Since the two countries signed an agreement not to hack each others’ private sector companies for commercial gain in late 2015, that pact has come to represent one of the most effective demonstrations in history of government negotiation to curtail state-sponsored cyberspying.
Yet under the surface of that deal, cybersecurity researchers suspect China’s intrusions into American companies continue—including one recent, brazen breach that used a backdoor in the popular CCleaner security tool to target US companies including Google, Microsoft, Intel and VMware, and left behind a few tell-tale indicators of Chinese involvement. And other researchers say they’ve seen signs of earlier Chinese intrusions designed to siphon exactly the sort of corporate intel the US-China cybersecurity agreement was meant to protect.
Earlier this month, the Trump administration’s Department of Justice and its Chinese counterparts agreed to formally reaffirm that agreement, renewing its promises for years to come. Whatever holes have appeared in the US-China hacking détente, a White House that otherwise wants to erase all signs of the previous administration believes it’s worth maintaining. All of which makes China’s behavior over the last two years—toeing the furthest edge of the agreement’s red line and occasionally crossing it entirely—a case study in the power and limits of diplomacy when applied to curbing secret, deniable, and often invisible digital misbehavior.
Pushing the Limits
“The total threat from China didn’t decrease, it just changed shape” in the two years since America’s cybersecurity agreement with China was first signed, says Chris Porter, the chief intelligence strategist for security firm FireEye, which has closely tracked Chinese hacking activity. For the most part, he says he’s seen China’s hacking groups shift their targeting to their own region, and move from pillaging US companies for intellectual property theft to a focus on traditional government-focused espionage, which falls outside the agreement’s tightly defined ban on hacking foreign companies to give domestic companies a business advantage.
“They’ve been careful to go after targets where you can’t clearly say what they’re taking, or where they can defend what they’re taking as permissible” under the agreement’s exceptions for traditional security-focused espionage, says Porter. “These groups are still taking data they can when they feel it won’t be held against them diplomatically.”
But China’s strategy—essentially doing everything it can get away with under the agreement—isn’t limited to merely hacking American government targets in its recent spying campaigns. In the CCleaner attack that was uncovered in September, for instance, hackers used a backdoor in a popular security tool distributed by the security firm Avast to infect hundreds of thousands of computers, and tried to use that infection to plant malware on computers at 18 specific tech firms, according to researchers at Cisco’s Talos security division. They successfully planted that second, more targeted payload on machines owned by American companies including Intel, VMware, and DNS provider Dyn, among a longer list of largely Asian companies.
While the link to China remains far from certain, researchers found that the hackers’ server was set to the Chinese time zone, and both the initial malware and that targeted payload shared a significant portion of their code with tools used by a hacker group known as Axiom or APT17, long believed to be based in China.
If that operation were Chinese in origin, it might still not technically violate China’s agreement with the US, so long as those American companies were hacked as part of a traditional, government-focused espionage operation—say, to find hackable vulnerabilities in Intel chips that might allow Chinese operatives to spy on American intelligence agencies.
But FireEye’s Porter says the company’s analysts have tracked cases that edged closer to a violation of the US-China agreement, too, including Chinese hacking groups compromising American firms that were targets for Chinese investment or acquisition, possibly to gain an upper hand in negotiations. Even in those cases, however, Porter says that the motivations behind those thefts—and thus any violation of the US-China agreement—are very tough to prove.
FireEye notes two cases of specific Chinese hacker groups penetrating American private-sector targets with possible business intelligence goals: In April 2016, FireEye saw a suspected Chinese group known as Wekby penetrate a series of US, Canadian, and European targets in the petrochemical, tech, and insurance industries. A couple of months later, a suspected Chinese group known as APT10 restarted its hacking activities after a lull following the initial signing of the US-China agreement, hacking a US managed services provider to access a collection of victim companies.
Letting It Slide
Why, then, has the Trump administration renewed that Obama-era deal, even as China appears to nibble at its edges? The Justice Department didn’t respond to WIRED’s request for comment on its decision to reaffirm the Obama-era agreement. But some of the Obama administration officials who helped to architect the pact argue that the continuation of the deal makes sense. In the vast majority of cases, they say, it continues to accomplish its objectives.
“In broad terms, it was successful,” says J. Michael Daniel, who served as Obama’s White House cybersecurity coordinator. After all, despite the nagging exceptions, as much as 90 percent of Chinese hacking incidents targeting the US private sector did disappear following the agreement, according to numbers from both FireEye and security firm Crowdstrike. “I think it continues to be a success. It did what it was intended to do: It shifted Chinese thinking and behavior.”
And as for the remaining cases of US corporate penetrations that FireEye and other cybersecurity companies continue to point to? “There’s an understanding that you’re not going to reduce intrusions into private companies to zero,” Daniel says. “We never expected that every single instance of stealing intellectual property or trade secrets for commercial gain would go away.”
Daniel argues the few cases in which China has continued to hack American companies could be false flags or misattributions, where non-Chinese activity has been mistakenly pinned on Chinese actors. They could be traditional espionage, using companies as footholds to get into governmental targets. Or they could be rogue Chinese hacker groups moonlighting for private interests, conducting corporate espionage without the government’s involvement.
“The Chinese government doesn’t have complete and total control over all these Chinese hacker groups,” Daniel says. “Some of that activity may not be the Chinese government, but the companies that it would benefit, hiring those hackers to conduct these operations.”
But playing down violations of the agreement could be shrewd pragmatism as much as a lack of a smoking gun, says Robert Knake, a director of cybersecurity policy in the Obama administration who served until early 2015, before the US-China agreement was made. “It’s not always a bright-line bureaucratic decision,” Knake says. “Will you get the outcome you want by declaring someone in violation? Or do you get it by validating the agreement and then quietly pushing them?”
Knake notes it’s possible the Trump administration is focused on its escalating conflict with North Korea, and doesn’t want to ruffle its relationship with a key ally in the region. “The thinking could be, ‘let’s not start a fight with China too, we need them on North Korea,’” Knake says. “If this were the Obama administration, I would consider that a real possibility.”
The upshot for potential targets of that hacking, regardless, is that China’s teams of well-resourced spies remain a real, if now rarer, threat to corporate cybersecurity. America’s two-year-old accord with China shows that diplomacy can indeed tamp down state-sponsored hacking. But it can’t stamp it out.
The post CHINA #TESTS THE #LIMITS OF ITS #US #HACKING TRUCE appeared first on National Cyber Security Ventures.
Moscow-based multinational cybersecurity firm Kaspersky Lab on October 25 said that it obtained suspected National Security Agency (NSA) hacking code from a personal computer in the U.S. During the review of the file’s contents, a Kaspersky analyst discovered it contained the source code for a hacking tool later attributed to what it calls the Equation Group.
Kaspersky said it assumed the 2014 source code episode was connected to the NSA’s loss of files. The antivirus software-maker’s spokeswoman Sarah Kitsos was quoted as saying, “we deleted the archive because we don’t need the source code to improve our protection technologies and because of concerns regarding the handling of classified materials”.
Another spokeswoman Yuliya Shlychkova told Reuters that removals of such uninfected material happen “extremely rarely.”
Meanwhile, Democratic Senator Jeanne Shaheen sent a letter to the Department of Homeland Security (DHS) acting Secretary Elaine Duke and Director of National Intelligence Dan Coats, urging the U.S. government to declassify information about Kaspersky products.
In October this year, a U.S. NSA contractor came under scrutiny after his personal computer, which ran Kaspersky anti-virus software, was found to have shared confidential details with the Russian company. The unidentified NSA contractor had reportedly downloaded a cache of classified information from his workplace, even though he was aware that moving such classified and confidential data without approval is not only against NSA policy but also a criminal offence.
Kaspersky Lab repeatedly denied that it has any unethical ties to any government and said it would not help a government with cyber espionage or offensive cyber efforts. It also highlighted that more than 85% of its revenue comes from outside Russia. It maintains that it has no connection with Russian intelligence but it is registered with the Federal Security Service.
To restore the trust of the public and governments, Kaspersky Lab on October 23 agreed to have its source code audited by internationally recognized independent authorities in the first quarter of 2018. As part of a comprehensive transparency initiative, the firm plans to open three transparency centers across the U.S., Europe and Asia by 2020.
The Wall Street Journal reported earlier this month that hackers working for the Russian government appeared to have targeted an NSA worker by using Kaspersky software to identify classified files in 2015.
The New York Times reported on October 10 that Israeli officials reported the operation to the United States after they hacked into Kaspersky’s network.
Following allegations Russian hackers interfered in 2016 U.S. elections, the DHS had banned the Kaspersky Lab software in September 2017, citing concerns the company may be linked to the Kremlin and Russian spy agencies.
The post NSA #hacking #code lifted from a #personal #computer in #U.S appeared first on National Cyber Security Ventures.