DHS Warns – Cybersecurity Endangered By Unmanned Aircrafts



The Department of Homeland Security (DHS)/National Protection and Programs Directorate (NPPD)/Office of Cyber and Infrastructure Analysis (OCIA) assesses that unmanned aircraft systems (UASs) provide malicious actors an additional method of gaining undetected proximity to networks and equipment within critical infrastructure sectors. Malicious actors could use this increased proximity to exploit unsecured wireless systems and exfiltrate information. Malicious actors could also exploit vulnerabilities within UASs and UAS supply chains to compromise UASs belonging to critical infrastructure operators and disrupt or interfere with legitimate UAS operations.


UASs provide malicious actors an additional method of gaining proximity to networks and equipment within critical infrastructure sectors. Malicious actors could then use the proximity provided by a UAS to wirelessly exploit unsecured systems and extract information from systems they cannot otherwise access remotely or may not be able to access due to range limitations. This includes networks and devices within secured buildings, as well as networks and devices behind fencing and walls.

UASs can also allow a malicious actor to wirelessly exploit vulnerabilities from a distance (figure 1). The prevalent ownership and operation of UASs by the general public, the distance from which UASs can be operated, and a lack of tracking data can also provide malicious actors a level of anonymity that otherwise may not be available. UASs are typically more difficult to detect than a malicious actor attempting to trespass beyond physical barriers.


Malicious actors could utilize UASs in order to wirelessly exploit access points and unsecured networks and devices. This can include using UASs in order to inject malware, execute malicious code, and perform man-in-the-middle attacks. UASs can also deliver hardware for exploiting unsecured wireless systems, allowing malicious actors persistent access to the wireless system until the hardware is detected or runs out of power. While OCIA does not know of a confirmed incident utilizing UASs to exploit wireless systems, researchers have demonstrated this capability.


While UASs can be used as a tool for an attacker, they are also vulnerable to exploitation. Many commercial UAS variations, for example, currently communicate with ground stations and operators using unencrypted feeds. This can allow a malicious actor to intercept and review data sent to and from the UAS.

FBI – Hackers To Attack U.S. Defense Contractors Via Phishing/Hacking

According to recent intelligence, APT actors likely intend to target US Cleared Defense Contractors (CDCs) in the near future via spear phishing campaigns or network infrastructure compromises. Common spear phish targets may include individuals featured on internet-facing CDC Web sites and high-ranking CDC executives.

FBI has observed APT actors over the past two years precede spear phishing campaigns with open source research of targeted US company websites, particularly sections containing contact information for company officials which include names, titles, telephone numbers, and email addresses. In one case, an APT actor sent spear phishing emails within one-to-two weeks after researching the targeted US company.

Historically, APT actors have a strong desire to collect US defense and scientific intelligence to further their interests and advance strategic goals. As a result, US CDCs and research facilities are likely targets for cyber adversaries due to their involvement in national security and their close relationship with the US Government.

Most companies publicly share their contact information and high-level management names on their corporate Web pages. Some corporate employees share other forms of personally identifiable information on various social media platforms. Adversaries may use this publicly-posted information to target individuals with the end goal of infecting a corporate network for intelligence collection.

Common techniques used by APT actors include sending well-crafted spear phishing messages tailored to the professional interests of the target, the use of watering holes to redirect visitors to malicious Web sites, and the use of stolen or weak user credentials to exploit a network vulnerability. After a successful compromise, APT actors attempt to expand their access in the network to multiple systems to facilitate information theft.

APT actors have increased their activity over the last several years. Cyber attacks such as WannaCry and NotPetya in the spring and summer of 2017 are examples of increasing APT activity. While WannaCry and NotPetya were not directed at the United States, both had inadvertent negative effects on US systems. The FBI advises companies to be mindful that similar attacks may likely occur in the near future. Previous attacks have coincided with national holidays of cyber targets, such as Constitution Day in Ukraine on 28 June.

For recent guidance on mitigation strategies against spear phishing and network infrastructure targeting, please refer to the following joint technical alerts:

Recommendations: The FBI recommends providers implement the preventative measures listed below to help secure their systems from attacks:

Ensure anti-virus software and firmware are up to date

Monitor employee logins outside normal business hours and other anomalous activity

Close unused ports


Provide regular training to employees regarding current social engineering threats, scrutinizing e-mail links and attachments, and pop-ups from attachments requesting enabling certain functions (i.e., macros)

Brief executives at your company to be extra vigilant and report any suspicious email messages

Apply extra scrutiny to e-mail messages with links or attachments directed toward executives
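One way to act on the recommendation to monitor logins outside normal business hours, as an added example that is not part of the FBI notice: the script parses constructed authentication records (the line format, the 07:00 to 19:00 window and the sample events are all assumptions) and reports every successful login on a weekend or outside that window.

```python
"""Flag successful logins outside business hours (added example, not from
the FBI notice; record format, business window and sample lines are assumed).
"""
import re
from datetime import datetime, time

# Constructed sample records (timestamps in UTC, format assumed).
SAMPLE_LOG = """\
2018-03-12T09:15:02Z user=jdoe src=10.1.4.22 result=success
2018-03-12T23:48:10Z user=jdoe src=203.0.113.5 result=success
2018-03-13T03:02:41Z user=cfo src=198.51.100.7 result=failure
2018-03-13T03:03:09Z user=cfo src=198.51.100.7 result=success
2018-03-17T11:30:00Z user=admin src=10.1.4.9 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>\S+)$"
)
BUSINESS_START = time(7, 0)   # assumed business window, 07:00 to 19:00
BUSINESS_END = time(19, 0)
WORKDAYS = {0, 1, 2, 3, 4}    # Monday to Friday

def parse_line(line):
    """Return one record as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def is_off_hours(ts):
    """True on weekends or outside the business window."""
    if ts.weekday() not in WORKDAYS:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)

def find_off_hours_logins(log_text):
    """Return (iso timestamp, user, src) for each successful off-hours login."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["result"] == "success" and is_off_hours(rec["ts"]):
            hits.append((rec["ts"].isoformat(), rec["user"], rec["src"]))
    return hits

if __name__ == "__main__":
    for hit in find_off_hours_logins(SAMPLE_LOG):
        print("off-hours login:", *hit)
```

Failed attempts are skipped here on purpose; a separate rule for repeated failures per user would cover credential guessing, which this check does not.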


TOP SECRET – Email Compromise Techniques Used To Steal Millions

The Office of Private Sector, in coordination with the Criminal Investigative Division, is providing this LIR to inform private sector partners about the increasing use of e-mail account compromise (EAC) techniques in the US real estate settlement industry. Consumer borrowers, settlement/title companies, real estate agents, real estate attorneys, builders, and others are being targeted by criminal actors netting millions in illicit proceeds. These proceeds are often directed initially to US banks, then re-directed via money service businesses and international accounts to Mexico, Nigeria, South Africa, China, Ghana, Turkey, and India. The increased use of EAC techniques, as well as the evolving expansion into previously unidentified countries, indicates this fraud scheme is not slowing and puts additional strain on industry participants to be vigilant with their e-mail communications and identity verification processes.

Criminal threat actors diverted an estimated $19 million in fiscal year 2016 from real estate purchase transactions by manipulating e-mail communications of key participants to re-direct legitimate wire transfers, including down payments, earnest money, and settlement proceeds, to criminally-controlled accounts. The increasing use of EAC techniques such as identifying realtors via real estate web sites, spoofing, phishing, social engineering, chat rooms, spam, and malware is attributable to positive real estate market indicators such as housing prices/supply, interest rates, the increase in well-publicized multi-million dollar land development contracts, and the proven ease in infiltrating the transaction process. This threat will likely continue on an upward trend as these conditions persist. Please see the below diagram for a step-by-step overview of a common EAC scam.

One of the most widely reported vulnerabilities identified by victims is that industry participants in real estate settlements – whether they involve all-cash or mortgage loan purchase transactions – may not be aware of the minute differences or changes in the e-mail accounts of parties with whom they routinely conduct business. Consequently, they are inadvertently participating in the illicit transfer of funds to criminal actors. As real estate settlement transactions occur on a regular and recurring basis and typically use long-established straightforward processes between known participants (brokers, financial institutions, real estate agents, title and escrow companies and attorneys), it is very likely criminal actors and organized groups will increasingly continue to target these businesses and individuals for illicit financial gain.
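The "minute differences" in counterparties' e-mail accounts described above can be checked mechanically. As an added example (not from the FBI LIR), the script below compares each sender against a constructed list of trusted settlement contacts and flags addresses that differ only by look-alike characters, reuse a known mailbox name on another domain, or sit within a couple of edits of a trusted address; the trusted list, the test addresses and the similarity rules are assumptions.

```python
"""Flag sender addresses that nearly match a trusted settlement contact.

Added example, not from the FBI LIR: the trusted list and the test
addresses are constructed, and the similarity rules are assumptions.
"""
import difflib

# Constructed list of known-good counterparties for a closing.
TRUSTED_CONTACTS = {
    "closing@example-title.com",
    "agent@example-realty.com",
}
# Characters and pairs commonly swapped for look-alikes (assumed set).
CHAR_MAP = str.maketrans("0135", "oles")
PAIR_MAP = {"rn": "m", "vv": "w"}

def normalize(addr):
    """Lower-case and fold look-alike characters, so that
    'c1osing@exarnple-title.com' equals 'closing@example-title.com'."""
    s = addr.strip().lower().translate(CHAR_MAP)
    for pair, single in PAIR_MAP.items():
        s = s.replace(pair, single)
    return s

def classify_sender(addr, trusted=TRUSTED_CONTACTS):
    """Return 'trusted', 'lookalike' or 'unknown' for one sender address."""
    addr = addr.strip().lower()
    if addr in trusted:
        return "trusted"
    norm = normalize(addr)
    local, _, domain = addr.partition("@")
    for known in trusted:
        known_local, _, known_domain = known.partition("@")
        if norm == normalize(known):
            return "lookalike"   # differs only by look-alike characters
        if local == known_local and domain != known_domain:
            return "lookalike"   # same mailbox name on a different domain
        if difflib.SequenceMatcher(None, norm, normalize(known)).ratio() >= 0.9:
            return "lookalike"   # one or two edits away from a trusted address
    return "unknown"

def screen_senders(addrs, trusted=TRUSTED_CONTACTS):
    """Classify every address in a message's From/Reply-To set."""
    return {a: classify_sender(a, trusted) for a in addrs}

if __name__ == "__main__":
    for a, verdict in screen_senders(["closing@example-title.com",
                                      "c1osing@example-title.com"]).items():
        print(f"{verdict:9} {a}")
```

A "lookalike" verdict is a reason to confirm wiring instructions over a known telephone number, not by replying to the message.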


Cyber Hackers Attack U.S. State And Local Authorities




An unidentified cyber actor in mid-March 2018 used GrandCrab Version 2 ransomware to attack a State of Connecticut municipality network and a state judicial branch network, according to DHS reporting derived from a state law enforcement official with direct and indirect access. The municipality did not pay the ransom, resulting in the encryption of multiple servers that affected some data backups and the loss of tax payment information and assessor data. The attack against the state judicial branch resulted in the infection of numerous computers, but minimal content encryption, according to the same DHS report.

(U//FOUO) The unidentified cyber actor introduced the ransomware used against the judicial branch network through a vendor server/host; the ransomware then harvested cached credentials of high-level privileged accounts, according to the same DHS report. The actor then used the credentials to access two servers on the network and propagate the malware via server message block (SMB). Connecticut state cybersecurity officials were able to block the ransomware’s communication with external infrastructure, which prevented the encryption of additional hosts and data loss, according to the same DHS report.

(U) GandCrab Malware

(U) Released in late January 2018, GandCrab, also called “GrandCrab,” is a ransomware variant distributed by exploit kits that requires communication with the ransomware’s command-and-control (C2) server to encrypt files of an infected computer, according to an online technical support site. The developers of GandCrab recently upgraded the original version after Romanian police and BitDefender mitigated infections by recovering its decryption keys, according to a separate article from the same online technical support site. As of 6 March 2018, no free decryption key is available to victims of GandCrab version 2. GandCrab uses NameCoin’s .BIT as its top-level domain (TLD); therefore, variants of the ransomware using the .BIT TLD must also use a domain name server that supports .BIT, according to the same online technical support site. Upon infection, GandCrab will attempt to query the ransomware’s C2 servers on the .BIT domain to establish communication. GandCrab will not encrypt a host’s content with the .CRAB extension if communication is not established with the C2 server, according to the same online technical support site.
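Because the page states that GandCrab needs to reach its C2 servers on .BIT domains before it encrypts anything, a resolver that answers those lookups with NXDOMAIN removes that precondition, which is the effect the Connecticut officials achieved by blocking C2 communication. As an added example (not from the DHS report or any GandCrab analysis), the script below scans constructed, BIND-style query-log lines for lookups under the .bit TLD and emits the response policy zone (RPZ) records that sinkhole that TLD; the log layout and every host name are assumptions.

```python
"""Find .bit (Namecoin) lookups in resolver query logs and build RPZ records
to sinkhole them. Added example, not from the DHS report: the BIND-style
log lines and host names below are constructed.
"""
import re
from collections import defaultdict

# Constructed query-log lines in a BIND-like format (assumed layout).
SAMPLE_DNS_LOG = """\
14-Mar-2018 02:13:07.112 client 10.1.4.22#51234: query: www.example.com IN A
14-Mar-2018 02:13:09.870 client 10.1.4.22#51240: query: c2-placeholder.bit IN A
14-Mar-2018 02:13:10.004 client 10.1.4.22#51241: query: c2-placeholder.bit. IN A
14-Mar-2018 02:14:55.330 client 10.1.4.37#40011: query: updates.example.net IN AAAA
14-Mar-2018 02:15:01.901 client 10.1.4.37#40013: query: other-placeholder.BIT IN A
"""
QUERY_RE = re.compile(
    r"client (?P<client>\d+(?:\.\d+){3})#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def tld_of(name):
    """Lower-case top-level label of a name, ignoring a trailing root dot."""
    labels = name.lower().rstrip(".").split(".")
    return labels[-1]

def find_bit_queries(log_text):
    """Return {client_ip: [names]} for every lookup under the .bit TLD."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and tld_of(m.group("name")) == "bit":
            hits[m.group("client")].append(m.group("name").lower().rstrip("."))
    return dict(hits)

def rpz_sinkhole_records(tld="bit"):
    """RPZ records that answer NXDOMAIN (CNAME .) for a TLD and everything under it."""
    return [f"{tld} CNAME .", f"*.{tld} CNAME ."]

if __name__ == "__main__":
    for client, names in find_bit_queries(SAMPLE_DNS_LOG).items():
        print(client, "queried", ", ".join(names))
    print("\n".join(rpz_sinkhole_records()))
```

Only lookups that reach the logging resolver are visible; since .BIT needs a resolver that supports it, a host sending its queries to an outside .BIT-capable server will not appear here, which is an argument for egress-filtering DNS to the internal resolvers.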

Director Of U.S. Intelligence Reveals Cyber Threat Frame

Goals for a Common Approach to Threat Frameworks

Following a common approach helps to:

• Establish a shared ontology and enhance information-sharing, since it is easier to maintain mappings of multiple models to a common reference than directly to each other

• Characterize and categorize threat activity in a straightforward way that can support missions ranging from strategic decision-making to analysis and cybersecurity measures and users from generalists to technical experts

• Support common situational awareness across organizations

Key Attributes and Goals in Building a Cyber Threat Framework

• Incorporate a hierarchical/layered perspective that allows a focus on a level of detail appropriate to the audience while maintaining linkage and traceability of data

• Employ structured and documented categories with explicitly defined terms and labels (lexicon)

• Focus on empirical/sensor-derived ‘objective’ data

• Accommodate a wide variety of data sources, threat actors and activity

• Serve as a foundation for analysis and decision-making

The Common Cyber Threat Framework

• Since 2012, the Office of the DNI has worked with interagency partners to build and refine The Common Cyber Threat Framework reflecting these key attributes and goals

• The Common Cyber Threat Framework is not intended to displace or replace an organization’s existing model which is tailored to its specific mission and requirements; rather, it is intended to:

Serve as a viable Universal Translator (a cyber Esperanto or Rosetta Stone) facilitating efficient and possibly automated exchange of data and insight across models once each has been mapped to it and the mappings shared

Provide a Starting Point featuring a simple threat model and value-neutral concepts. It can be customized for any organization as needed—and any deviations from the common approach are readily apparent, facilitating mapping and data exchange.
