APT actors in the near future likely intend to target US Cleared Defense Contractors (CDC) via spear phishing campaigns or network infrastructure compromises, according to recent intelligence. Common spear phish targets may include individuals featured on internet-facing CDC Web sites and high-ranking CDC executives.
FBI has observed APT actors over the past two years precede spear phishing campaigns with open source research of targeted US company websites, particularly sections containing contact information for company officials which include names, titles, telephone numbers, and email addresses. In one case, an APT actor sent spear phishing emails within one-to-two weeks after researching the targeted US company.
Historically, APT actors have a strong desire to collect US defense and scientific intelligence to further their interests and advance strategic goals. As a result, US CDCs and research facilities may likely be targets for cyber adversaries due to their involvement in national security and their close relationship with the US Government.
Most companies publicly share their contact information and high-level management names on their corporate Web pages. Some corporate employees share other forms of personally identifiable information on various social media platforms. Adversaries may use this publicly-posted information to target individuals with the end goal of infecting a corporate network for intelligence collection.
Common techniques used by APT actors include sending well-crafted spear phishing messages tailored to the professional interests of the target, the use of watering holes to redirect visitors to malicious Web sites, and the use of stolen or weak user credentials to exploit a network vulnerability. After a successful compromise, APT actors attempt to expand their access in the network to multiple systems to facilitate information theft.
APT actors have increased their activity over the last several years. Cyber attacks such as WannaCry and NotPetya in the spring and summer of 2017 are examples of increasing APT activity. While WannaCry and NotPetya were not directed at the United States, both had inadvertent negative effects on US systems. The FBI advises companies to be mindful that similar attacks may likely occur in the near future. Previous attacks have coincided with national holidays of cyber targets, such as Constitution Day in Ukraine on 28 June.
For recent guidance on mitigation strategies against spear phishing and network infrastructure targeting, please refer to the following joint technical alerts:
Recommendations: The FBI recommends providers implement the preventative measures listed below to help secure their systems from attacks:
• Ensure anti-virus software and firmware are up to date
• Monitor employee logins outside normal business hours and other anomalous activity
• Close unused ports
• Provide regular training to employees regarding current social engineering threats, scrutinizing e-mail links and attachments, and pop-ups from attachments requesting that certain functions (e.g., macros) be enabled
• Brief executives at your company to be extra vigilant and to report any suspicious e-mail messages
• Apply extra scrutiny to e-mail messages with links or attachments directed toward executives
The Office of Private Sector, in coordination with the Criminal Investigative Division, is providing this LIR to inform private sector partners about the increasing use of e-mail account compromise (EAC) techniques in the US real estate settlement industry. Consumer borrowers, settlement/title companies, real estate agents, real estate attorneys, builders, and others are being targeted by criminal actors netting millions in illicit proceeds. These proceeds are often directed initially to US banks, then re-directed via money service businesses and international accounts to Mexico, Nigeria, South Africa, China, Ghana, Turkey, and India. The increased use of EAC techniques, as well as the evolving expansion into previously unidentified countries, indicates this fraud scheme is not slowing and puts additional strain on industry participants to be vigilant with their e-mail communications and identity verification processes.
Criminal threat actors diverted an estimated $19 million in fiscal year 2016 from real estate purchase transactions by manipulating e-mail communications of key participants to re-direct legitimate wire transfers, including down payments, earnest money, and settlement proceeds, to criminally-controlled accounts. The increasing use of EAC techniques such as identifying realtors via real estate web sites, spoofing, phishing, social engineering, chat rooms, spam, and malware is attributable to positive real estate market indicators such as housing prices/supply, interest rates, the increase in well-publicized multi-million dollar land development contracts, and the proven ease of infiltrating the transaction process. This threat will likely continue on an upward trend as these conditions persist. Please see the below diagram for a step-by-step overview of a common EAC scam.
One of the most widely reported vulnerabilities identified by victims is that industry participants in real estate settlements – whether they involve all-cash or mortgage loan purchase transactions – may not be aware of the minute differences or changes in the e-mail accounts of parties with whom they routinely conduct business. Consequently, they are inadvertently participating in the illicit transfer of funds to criminal actors. As real estate settlement transactions occur on a regular and recurring basis and typically use long-established straightforward processes between known participants (brokers, financial institutions, real estate agents, title and escrow companies and attorneys), it is very likely criminal actors and organized groups will increasingly continue to target these businesses and individuals for illicit financial gain.
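The "minute differences" check described above, as an added example that is not part of the original LIR: incoming sender addresses are compared against a directory of known transaction participants, and near-misses (small edit distance to a known address) are flagged as lookalikes. The contact addresses, the distance threshold and the hold-for-verification policy are all assumptions made for the example.

```python
# Constructed directory of known transaction participants (hypothetical addresses).
KNOWN_CONTACTS = {
    "closing@example-title.com",
    "agent@example-realty.com",
    "counsel@example-lawfirm.com",
}


def edit_distance(a, b):
    # Standard Levenshtein distance, computed row by row.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, known=KNOWN_CONTACTS, max_distance=2):
    """Return ('known', match), ('lookalike', closest_known) or ('unknown', None).

    max_distance=2 is an assumed threshold: one or two changed characters
    (a swapped letter, an extra hyphen, a digit for a letter) is the kind of
    subtle change the LIR says participants overlook.
    """
    addr = address.strip().lower()
    if addr in known:
        return "known", addr
    best = min(known, key=lambda k: edit_distance(addr, k))
    if edit_distance(addr, best) <= max_distance:
        return "lookalike", best
    return "unknown", None


def hold_for_verification(sender, subject):
    # Assumed policy: any message about wiring/account details from a sender that is
    # not an exact known contact is held until identity is verified out of band.
    verdict, _ = classify_sender(sender)
    mentions_wire = any(w in subject.lower() for w in ("wire", "routing", "account"))
    return mentions_wire and verdict != "known"
```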
“GoMoPa” front man Klaus-Jürgen Maurischat (presumably an “alias”)
An unidentified cyber actor in mid-March 2018 used GrandCrab Version 2 ransomware to attack a State of Connecticut municipality network and a state judicial branch network, according to DHS reporting derived from a state law enforcement official with direct and indirect access. The municipality did not pay the ransom, resulting in the encryption of multiple servers that affected some data backups and the loss of tax payment information and assessor data. The attack against the state judicial branch resulted in the infection of numerous computers, but minimal content encryption, according to the same DHS report.
(U//FOUO) The unidentified cyber actor introduced the ransomware used against the judicial branch network through a vendor server/host; the ransomware then harvested cached credentials of high-level privileged accounts, according to the same DHS report. The actor then used the credentials to access two servers on the network and propagate the malware via server message block (SMB). Connecticut state cybersecurity officials were able to block the ransomware’s communication with external infrastructure, which prevented the encryption of additional hosts and data loss, according to the same DHS report.
(U) GandCrab Malware
(U) Released in late January 2018, GandCrab, also called “GrandCrab,” is a ransomware variant distributed by exploit kits that requires communication with the ransomware’s command-and-control (C2) server to encrypt files of an infected computer, according to an online technical support site. The developers of GandCrab recently upgraded the original version after Romanian police and BitDefender mitigated infections by recovering its decryption keys, according to a separate article from the same online technical support site. As of 6 March 2018, no free decryption key is available to victims of GandCrab version 2. GandCrab uses NameCoin’s .BIT as its top-level domain (TLD); therefore, variants of the ransomware using the .BIT TLD must also use a domain name server that supports .BIT, according to the same online technical support site. Upon infection, GandCrab will attempt to query the ransomware’s C2 servers on the .BIT domain to establish communication. GandCrab will not encrypt a host’s content with the .CRAB extension if communication is not established with the C2 server, according to the same online technical support site.
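Because GandCrab cannot encrypt until it reaches its C2 over a .BIT name, resolver logs are a natural place to look for it. The following is an added example, not part of the DHS report: it parses constructed DNS query log lines (the log format and hosts are assumptions) and flags queries whose top-level domain is .bit, matching on the final label only so that names merely containing "bit" (e.g. orbit.example.net) are not flagged.

```python
import re
from collections import Counter

# Constructed sample resolver log lines (hypothetical format, hosts and names; not real traffic).
SAMPLE_DNS_LOG = """\
2018-03-14T09:12:03Z client=10.1.20.15 query=updates.example-vendor.com type=A
2018-03-14T09:12:07Z client=10.1.20.15 query=c2-placeholder.bit type=A
2018-03-14T09:12:09Z client=10.1.20.31 query=mail.example.org type=MX
2018-03-14T09:12:12Z client=10.1.20.15 query=second-placeholder.BIT. type=A
2018-03-14T09:12:15Z client=10.1.20.44 query=orbit.example.net type=A
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) type=(?P<qtype>\S+)$"
)


def parse_line(line):
    # Return a dict of fields for a well-formed line, None otherwise.
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def has_bit_tld(qname):
    # Compare only the final label, case-insensitively, ignoring a trailing root dot.
    labels = qname.rstrip(".").lower().split(".")
    return len(labels) > 1 and labels[-1] == "bit"


def find_bit_queries(log_text):
    # Every parsed record whose queried name falls under the Namecoin .bit TLD.
    return [
        rec
        for rec in (parse_line(line) for line in log_text.splitlines())
        if rec and has_bit_tld(rec["qname"])
    ]


def clients_by_hit_count(hits):
    # Hosts ranked by number of .bit lookups: repeat offenders are triage priorities.
    return Counter(rec["client"] for rec in hits)
```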
Goals for a Common Approach to Threat Frameworks
Following a common approach helps to:
• Establish a shared ontology and enhance information-sharing since it is easier to maintain mapping of multiple models to a common reference than directly to each other
• Characterize and categorize threat activity in a straightforward way that can support missions ranging from strategic decision-making to analysis and cybersecurity measures and users from generalists to technical experts
• Support common situational awareness across organizations
Key Attributes and Goals in Building a Cyber Threat Framework
• Incorporate a hierarchical/layered perspective that allows a focus on a level of detail appropriate to the audience while maintaining linkage and traceability of data
• Employ structured and documented categories with explicitly defined terms and labels (lexicon)
• Focus on empirical/sensor-derived ‘objective’ data
• Accommodate a wide variety of data sources, threat actors and activity
• Serve as a foundation for analysis and decision-making
The Common Cyber Threat Framework
• Since 2012, the Office of the DNI has worked with interagency partners to build and refine The Common Cyber Threat Framework reflecting these key attributes and goals
• The Common Cyber Threat Framework is not intended to displace or replace an organization’s existing model which is tailored to its specific mission and requirements; rather, it is intended to:
Serve as a viable Universal Translator (a cyber Esperanto or Rosetta Stone) facilitating efficient and possibly automated exchange of data and insight across models once each has been mapped to it and the mappings shared
Provide a Starting Point featuring a simple threat model and value-neutral concepts. It can be customized for any organization as needed—and any deviations from the common approach are readily apparent, facilitating mapping and data exchange.
(U//DSEN/LES) The increasing demand for opioids in the United States coupled with the availability of fentanyl presents a significant public health risk and negatively impacts officer safety. In 2018, the Arizona High Intensity Drug Trafficking Area (HIDTA) Counter Narcotics Alliance (CNA) task force seized tablets that appeared to be Xanax® but actually contained a combination of cyclopropylfentanyl, methamphetamine, and a synthetic cannabinoid chemical.
(U//LES) This is the first seizure reported to the Arizona HIDTA of fake Xanax® tablets containing a cyclopropylfentanyl/methamphetamine combination, as well as being the first reported seizure containing a synthetic cannabinoid.
(U) Fake Xanax® Tablets
(U//LES) An investigation conducted by the Arizona HIDTA CNA task force resulted in the seizure of two plastic bags containing 76 rectangular white tablets imprinted with “XANAX” on one side and the number “2” on the reverse side. The tablet imprints and color were consistent with pharmaceutically manufactured 2 milligram Xanax® tablets. Upon closer examination, the tablets varied in thickness and from white to off-white in color. In addition, some of the tablets had an inverted “2” imprinted on the reverse side.