Category: CYBERCRIME

Website Defacement Activity Indicators of Compromise and Techniques Used to Disseminate Pro-Iranian Messages

Website Defacement Activity Indicators of Compromise and Techniques Used to Disseminate Pro-Iranian Messages

Following a week ago’s US airstrikes against Iranian military initiative, the FBI watched expanded revealing of site ruination movement spreading Pro-Iranian messages. The FBI accepts a few of the site disfigurement were the consequence of digital on-screen characters misusing realized vulnerabilities in content administration frameworks (CMSs) to transfer ruination documents. The FBI exhorts associations and individuals worried about Iranian digital focusing on be acquainted with the markers, strategies, and procedures gave in this FLASH, just as strategies and methods gave in as of late spread Private Industry Notification “Notice on Iranian Cyber Tactics and Techniques” (20200109-001, 9 January 2020).

Specialized Details:

The FBI recognized malevolent on-screen characters utilizing known vulnerabilities in CMSs to transfer ruination pictures onto injured individual sites. The FBI trusts one on-screen character utilized realized vulnerabilities permitting remote execution by means of treat and remote establishment. The FBI likewise distinguished that one of the records utilized in a destruction was presented on a site where the server facilitating the undermined site was designed so outer clients could direct HTTP POSTs. The FBI watched the utilization of a HTTP PUT direction to transfer a destruction document to an injured individual server.

The FBI notes various on-screen characters directed site mutilation movement with genius Iranian messages. Accordingly, the IP locations and procedures utilized will change. The FBI distinguished the underneath groupings of destruction movement.

One lot of mutilation action utilized the beneath record:

Filename MD5

Default.aspx

87b3b80bb214c0f5cfa20771dd6625f2

The accompanying connections, contact data, and strings were remembered for a disfigurement record:

http://yon%5B.%5Dir/6YL2X

https://t%5B.%5Dme/ZetaTech_iR2

https://instagram%5B.%5Dcom/Mrb3hz4d

hackedbymrb3hz4d(at)gmail[.]com

The accompanying IP addresses are related with the on-screen character connected to the disfigurement action with the above referenced connections, contact data, and strings:

IP Address

83.123.83[.]61

196.64.50[.]13

A second arrangement of destruction movement was distinguished utilizing the underneath record:

Filename

hardrevenge11.html

The FBI takes note of the above mutilation picture was transferred by means of a HTTP PUT order. The accompanying IP address is related with the on-screen character connected to this arrangement of ruination action:

IP Address

2.182.188[.]39

A third arrangement of mutilation action was distinguished utilizing the underneath IP address:

IP Address

212.92.114[.]228

The FBI notes for this mutilation action, the on-screen character had the option to direct a HTTP POST of a document utilized in a destruction.

Best Practices for Network Security and Defense:

Utilize customary updates to applications and the host working framework to guarantee insurance against known vulnerabilities.

Set up, and reinforcement disconnected, a “known decent” adaptation of the pertinent server and an ordinary change-the board arrangement to empower checking for modifications to servable substance with a document honesty framework.

Utilize client input approval to confine nearby and remote record incorporation vulnerabilities.

Execute a least-benefits approach on the Webserver to:

o Reduce foes’ capacity to raise benefits or turn horizontally to different hosts.

o Control creation and execution of records specifically catalogs.

If not effectively present, consider sending a peaceful area (DMZ) between the Web-confronting frameworks and corporate system. Constraining the communication and logging traffic between the two gives a technique to recognize conceivable noxious movement.

Guarantee a protected arrangement of Webservers. Every single pointless assistance and ports ought to be incapacitated or blocked. Every essential assistance and ports ought to be confined where plausible. This can incorporate whitelisting or blocking outside access to organization boards and not utilizing default login qualifications.

Utilize a switch intermediary or elective support of limit available URL ways to known authentic ones.

Direct customary framework and application weakness sweeps to build up regions of hazard. While this strategy doesn’t secure against multi day assaults, it will feature potential zones of concern.

Convey a Web application firewall, and direct ordinary infection signature checks, application fluffing, code audits, and server arrange examination.

Cyber Criminals Use Social Engineering and Technical Attacks to Circumvent Multi-Factor Authentication

The FBI has watched digital entertainers bypassing multifaceted verification through normal social building and specialized assaults. This Stick clarifies these techniques and offers relief procedures for associations and elements utilizing multifaceted confirmation in their security endeavors. Multifaceted validation keeps on being a solid and compelling safety effort to secure online records, as long as clients play it safe to guarantee they don’t succumb to these assaults.

Multifaceted validation is the utilization of an assortment of strategies to affirm a client’s personality rather than just utilizing a username and secret phrase. Regularly this sort of verification utilizes an optional token which changes after some time to give a one-time password, yet numerous organizations currently utilize biometrics or social data, for example, time of day, geolocation, or IP address—as a type of validation.

Danger Diagram

FBI detailing distinguished a few strategies digital on-screen characters use to go around prevalent multifaceted verification systems so as to acquire the one-time password and access ensured accounts. The essential techniques are social building assaults which assault the clients and specialized assaults which target web code.

In 2019 a US banking establishment was focused by a digital assailant who had the option to exploit a blemish in the bank’s site to evade the two-factor confirmation actualized to ensure accounts. The digital assailant signed in with taken injured individual accreditations and, when arriving at the optional page where the client would typically need to enter a Stick and answer a security question, the aggressor entered a controlled string into the Internet URL setting the PC as one perceived on the record. This enabled him to sidestep the Stick and security question pages and start wire moves

from the exploited people’s records.

In 2016 clients of a US banking establishment were focused by a digital assailant who ported their telephone numbers to a telephone he possessed—an assault called SIM swapping. The aggressor considered the telephone organizations’ client care delegates, discovering some who were all the more ready to give him data to finish the SIM swap. When the aggressor had command over the clients’ telephone numbers, he called the bank to demand a wire move from the unfortunate casualties’ records to another record he possessed. The bank,

perceiving the telephone number as having a place with the client, didn’t request full security questions yet mentioned a one-time code sent to the telephone number from which he was calling. He additionally mentioned to change PINs and passwords and had the option to connect unfortunate casualties’ charge card numbers to a versatile installment application.

Through the span of 2018 and 2019, the FBI’s Web Wrongdoing Grievance Center and FBI unfortunate casualty grumblings watched the above assault—SIM swapping—as a typical strategy from digital culprits trying to go around two-factor validation. Casualties of these assaults have had their telephone numbers taken, their financial balances depleted, and their passwords and PINs changed. A large number of these assaults depend on socially building client care agents for significant telephone organizations, who offer data to the assailants.

In February 2019 a digital security master at the RSA Gathering in San Francisco, exhibited a huge assortment of plans and assaults digital on-screen characters could use to dodge multifaceted validation. The security master exhibited ongoing instances of how digital entertainers could utilize man-in-the-center assaults and session capturing to block the traffic between a client and a site to lead these assaults and keep up access for whatever length of time that conceivable. He likewise showed social building assaults, including phishing plans or fake instant messages implying to be a bank or other help to make a client sign into a phony site and surrender their private data.

At the June 2019 Hack-in-the-Crate gathering in Amsterdam, digital security specialists exhibited a couple of devices—Muraena and NecroBrowser—which worked pair to robotize a phishing plan against clients of multifaceted confirmation. The Muraena instrument captures traffic between a client and an objective site where they are mentioned to enter login qualifications and a token code not surprisingly. When validated, NecroBrowser stores the information for the casualties of this assault and seizes the session treat, permitting digital on-screen characters to sign into these private records, take them over, and change client passwords and recuperation email addresses while keeping up access as far as might be feasible.

Moderation Systems

Guarding against multifaceted confirmation assaults requires consciousness of the assaults which evade the security and consistent watchfulness for social designing assaults.

Instruct clients and heads to distinguish social building deceit—how to perceive counterfeit sites, not tap on maverick connections in email, or square those connections altogether—and show them how to deal with basic social designing strategies.

Consider utilizing extra or progressively complex types of multifaceted validation for clients and overseers, for example, biometrics or conduct verification strategies, however this may add burden to these clients.

FBI Cyber Unit Identifies Campaigns Against Students

Image result for fbi cyber crimes

The FBI has identified successful spearphishing campaigns directed at college and university students, especially during periods when financial aid funds are disbursed in large volumes. In general, the spearphishing emails request students’ login credentials for the University’s internal intranet. The cyber criminals then capture students’ login credentials, and after gaining access, change the students’ direct deposit destination to bank accounts within the threat actor’s control.

Threat

In February 2018, the FBI received notification of a spearphishing campaign targeting students at an identified University in the south eastern United States. The campaign occurred in January 2018 when an unidentified number of students attending the University received an email requesting their login credentials for the University’s internal intranet. Using the University’s intranet portal, the cyber criminals accessed a third-party vendor that manages the disbursement of financial aid to students and changed the direct deposit information for 21 identified students to bank accounts under the cyber criminal’s control. The threat actor stole approximately $75,000 from the 21 students. The student accounts were accessed by at least 13 identified US Internet Protocol (IP) addresses.

On 31 August 2018, the Department of Education identified a similar spearphishing campaign targeting multiple institutions of higher education. In this campaign, the cyber criminals sent students an email inviting them to view and confirm their updated billing statement by logging into the school’s student portal. After gaining access, the cyber criminals changed the students’ direct deposit destinations to bank accounts under the threat actor’s control.

The nature of the spearphishing emails indicates the cyber criminals conducted reconnaissance of the target institutions and understand the schools’ use of student portals and third-party vendors for processing student loan payment information. In addition, the timing of the campaigns indicates the cyber criminals almost certainly launched these campaigns to coincide with periods when financial aid funds are disseminated in large volumes.

Recommendations

The FBI recommends providers implement the preventative measures listed below to help secure their systems from attacks:

Notify all students of the phishing attempts and encourage them to be extra vigilant
Implement two-factor authentication for access to sensitive systems and information
Monitor student login attempts from unusual IP addresses and other anomalous activity
Educate students on appropriate preventative and reactive actions to known criminal schemes and social engineering threats
Apply extra scrutiny to e-mail messages with links or attachments directed toward students
Apply extra scrutiny to bank information initiated by the students seeking to update or change direct deposit credentials
Direct students to forward any suspicious requests for personal information to the information technology or security department

Czech Republic – Cyber & Security Warning on Huawei and ZTE

Executive Summary

The National Cyber and Information Security Agency, registered office at Mučednická 1125/31, 616 00 Brno, pursuant to §12 paragraph 1 of the Act No. 181/2014 Coll. on Cyber Security and Change of Related Acts (Act on Cyber Security), as amended, issues this

w a r n i n g :

The use of technical or program tools of the following companies, including their subsidiary companies, poses a threat to the cyber security.
– Huawei Technologies Co., Ltd., Shenzhen, People’s Republic of China
– ZTE Corporation, Shenzhen, People’s Republic of China

R E A S O N I N G

1) On the basis of the facts found during the execution of its competence, the National Cyber and Information Security Agency (hereinafter referred to as “NCISA”) has found that the use of the technical or program tools of the aforementioned companies poses a threat to the cyber security and therefore, pursuant to §12 paragraph 1 of the Act on Cyber Security, issues this warning.

2) NCISA’s competence to issue this warning is embedded within the provisions of §22, b), of the Act on Cyber Security, which empowers it to issue measures. Pursuant to §11 paragraph 2 of the Act on Cyber Security, these measures also include a warning under §12 of the Act on Cyber Security.

3) This warning has been issued based on the following findings.

4) The legal and political environment of the People’s Republic of China (“PRC”) in which the companies primarily operate and whose laws are required to comply with, requires private companies to cooperate in meeting the interests of the PRC, including participation in intelligence activities etc. At the same time, these companies usually do not refrain from such cooperation with the state; in this environment, efforts to protect customers’ interests at the expense of the interests of the PRC are significantly reduced. According to available information, there is an organizational and personal link between these companies and the state. Therefore, this raises concerns that the interests of the PRC may be prioritized over the interests of the users of these companies’ technologies.

5) The PRC actively promotes its interests in the territory of the Czech Republic, including a conduct of influence and espionage intelligence activities (see, for example, Security Information Service Annual Report for 2017).

6) The security community’s findings on the activities of these companies in the Czech Republic and around the world, which are available to NCISA, raise reasonable concerns about the existence of potential risks in using the technical or program tools they provide to their customers in order to support the interests of the PRC.

7) The technical and program tools of the aforementioned companies are being supplied to the information and communication systems that are or may be of strategic importance from the national security standpoint. Disruption of information security, i.e. disruption of the availability, integrity, or confidentiality of information in such information and communication systems can have a significant impact on the security of the Czech Republic and its interests.

8) These facts, in their entirety, lead to reasonable concerns about possible security risks in the use of these companies’ technologies. The degree of potential risk due to the possible impact of information security breaches on information and communication systems relevant to the state is not negligible.

9) NCISA points out that the authorities or persons required to implement security measures under the Act on Cyber Security in connection with risk management pursuant to §5 paragraph 1 h) article 3 of the Decree No. 82/2018 Coll. on Security Measures, Cyber Security Incidents, Reactive Measures, Cyber Security and Data Disposal Submission Requirements (Cyber Security Regulation) in risk assessment and risk management plan shall take into account measures pursuant to §11 of the Act on Cyber Security. One of these measures is also a warning pursuant to §12 of the Act on Cyber Security.

10) NCISA points out that the authorities or persons required to implement security measures under the Act on Cyber Security in connection with risk management pursuant to §4 paragraph 1 c) and paragraph 2 c) of the Decree No. 316/2014 Coll. on Security Measures, Cyber Security Incidents, Reactive Measures, and Cyber Security Submission Requirements (Cyber Security Regulation) shall take into account threats and vulnerabilities. With regard to the transitional provision in §35 of the Decree No. 82/2018 Coll. on Security Measures, Cyber Security Incidents, Reactive Measures, Cyber Security and Data Disposal Submission Requirements (Cyber Security Regulation), these are the administrators and operators of the Critical Information Infrastructure information systems and the administrators and operators of the Critical Information Infrastructure communication systems, in case these systems were designated before May 28, 2018, as well as the administrators and operators of important information systems that met the criteria before May 28, 2018.

11) NCISA further points out that, pursuant to §4 paragraph 4 of the Act on Cyber Security, the authorities and persons referred to in §3 c) to f) of the Act on Cyber Security are required to take into account requirements arising from security measures during the selection of a supplier for their information or communication system, and include these requirements in a contract concluded with the supplier. Taking into account the requirements arising from security measures under the first sentence to the extent necessary to meet the obligations under the Act on Cyber Security cannot be considered an unlawful restriction of competition or an unjustified obstacle to competition.

 

Home Security – Removal Of Kaspersky Products in American Institutions

DEPARTMENT OF HOMELAND SECURITY

(U//FOUO) DHS Final Decision on Removal of Kaspersky-Branded Products

The following assessment was included in court filings made by Kaspersky in their case against the U.S. Government for banning the use of Kaspersky products.

Financial Decision on Binding Operational Directive 17-01, Removal of Kaspersky-Branded Products

Page Count: 25 pages

Date: December 4, 2017

Restriction: For Official Use Only

Originating Organization: Department of Homeland Security, Office of Cybersecurity and Communications

File Type: pdf

File Size: 504,629 bytes

File Hash (SHA-256): 6F6A660D2CFCD36CBDFAE3675E6F7C76CEEF404DB26736D44AD196A139592100

BOD 17-01 requires all federal executive branch departments and agencies to (1) identify the use or presence of “Kaspersky-branded products” on all federal information systems within 30 days of BOD issuance (i.e., by October 13); (2) develop and provide to DHS a detailed plan of action to remove and discontinue present and future use of all Kaspersky-branded products within 60 days of BOD issuance (i.e., by November 12); and (3) begin to implement the plan of action at 90 days after BOD issuance (i.e., December 12), unless directed otherwise by DHS in light of new information obtained by DHS, including but not limited to new information submitted by Kaspersky.

The Secretary of Homeland Security is authorized to issue BODs, in consultation with the Director of the Office of Management and Budget, for the purpose of safeguarding federal information and information systems from a known or reasonably suspected information security threat, vulnerability, or risk. I recommended issuing the BOD in the Information Memorandum, and the rationale for issuance of the BOD was summarized in your Decision Memorandum. As described further below, your decision to issue BOD 17-01 was based on three interrelated concerns that rested on expert judgments concerning national security: the broad access to files and elevated privileges of anti-virus software, including Kaspersky software; ties between Kaspersky officials and Russian government agencies; and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting between Kaspersky operations in Russia and Kaspersky customers, including U.S. government customers. Because of these interrelated concerns, you determined that Kaspersky-branded products present a “known or reasonably suspected information security threat, vulnerability, or risk.” In addition, you found that these risks exist regardless of whether Kaspersky-branded products have ever been exploited for malicious purposes. The BOD is a tool for protecting federal information and information systems from any “known or reasonably suspected information security threat, vulnerability, or risk,” and the Department’s authority to issue it does not depend on whether Kaspersky-branded products have been exploited by the Russian Government or Kaspersky to date.

BRG evaluated specific Kaspersky products according to the following objectives:

(1) To evaluate whether it is feasible for an intelligence agency to passively monitor and decrypt traffic between users of Kaspersky-branded products and the Kaspersky Security Network (“KSN”), a cloud-based network that receives and analyzes information about possible threats from installed Kaspersky software;

(2) To determine whether turning KSN off ― or using the Kaspersky Private Security Network (“KPSN”) ― can reliably prevent potentially sensitive data from being transmitted inadvertently to Kaspersky; and

(3) To evaluate whether a malicious actor leveraging KSN can conduct targeted searches of Kaspersky users for specific information.

As explained in the NCCIC Supplemental Assessment, the BRG analysis not only is largely unresponsive to DHS’s security concerns, but also supports DHS’s concerns in certain areas. For example, on objective (1), BRG analyzed only to the security of the connection between the antivirus software and the KSN; BRG did not address the security of communications within the KSN or between KSN and Kaspersky’s non-KSN IT infrastructure, such as Kaspersky offices and datacenters. BRG also evaluated the potential for “passive” interception of communications by intelligence agencies, but DHS is concerned about “active” operations involving access by Russian intelligence to Kaspersky offices and servers in Russia, as discussed in Section III.A.4 below and Part III.E of the Information Memorandum.

3. Kaspersky Ties to the Russian Government

In the Information Memorandum, I described certain ties, past and present, between Kaspersky officials and Russian government agencies. Kaspersky concedes key aspects of this account, such as Eugene Kaspersky’s former studies at an institute overseen by the KGB and other state institutions and his service as a software engineer at a Ministry of Defense institute. It also admits that its officials might have “acquaintances, friends, and professional relationships within the [Russian] government,” although Kaspersky states that, “in itself,” does not mean that these connections were or are “inappropriate” or “improper.” Furthermore, Kaspersky does not deny various connections to Russian intelligence described in the Information Memorandum, including that Eugene Kaspersky has saunas with a group that usually includes Russian intelligence officials; that Kaspersky’s Chief Legal Officer Igor Chekunov manages a team of specialists who provide technical support to the FSB and other Russian agencies; that the team can gather identifying information from individual computers; and that this technology has been used to aid the FSB in investigations

Professor Maggs makes a number of significant conclusions. Specifically, Professor Maggs

concludes that:

(a) Russian law requires FSB bodies to carry out their activities in collaboration with various entities in Russia, including private enterprises, and thus including Kaspersky.

(b) Private enterprises, including Kaspersky, are under a legal obligation to assist FSB bodies in the execution of the duties assigned to FSB bodies, including counterintelligence and intelligence activity.

(c) Russian law permits FSB service personnel to be seconded to private enterprises, including Kaspersky, with the consent of the head of the enterprise and with the FSB personnel remaining in FSB military service status during the secondment.

(d) Kaspersky qualifies as an “organizer of the dissemination of information on the Internet” and, as such, is required (1) to store in Russia and provide to authorized state bodies, including the FSB, metadata currently and content as of July 1, 2018; and, based on this or other laws, (2) to install equipment and software that enables the FSB and potentially other state authorities to monitor all data transmissions between Kaspersky’s computers in Russia and Kaspersky customers, including U.S. government customers.

Exclusive – Homeland Security’s Cyberstrategy 2018 Revealed




DEPARTMENT OF HOMELAND SECURITY
Department of Homeland Security Cybersecurity Strategy 2018
May 20, 2018

U.S. Department of Homeland Security Cybersecurity Strategy
Page Count: 35 pages
Date: May 15, 2018
Restriction: None
Originating Organization: Department of Homeland Security
File Type: pdf
File Size: 278,548 bytes
File Hash (SHA-256): 65DED01F461679F5028AFE8C2B0FE08CBFE0EE17BD530F4815D12EF738FB3656

Download File below

https://info.publicintelligence.net/DHS-CybersecurityStrategy-2018.pdf

 


The American people are increasingly dependent upon the Internet for daily conveniences, critical services, and economic prosperity. Substantial growth in Internet access and networked devices has facilitated widespread opportunities and innovation. This extraordinary level of connectivity, however, has also introduced progressively greater cyber risks for the United States. Long-standing threats are evolving as nation-states, terrorists, individual criminals, transnational criminal organizations, and other malicious actors move their activities into the digital world. Enabling the delivery of essential services—such as electricity, finance, transportation, water, and health care—through cyberspace also introduces new vulnerabilities and opens the door to potentially catastrophic consequences from cyber incidents. The growing number of Internet-connected devices and reliance on global supply chains further complicates the national and international risk picture. More than ever, cybersecurity is a matter of homeland security and one of the core missions of the U.S. Department of Homeland Security (DHS).

At DHS, we believe that cyberspace can be secure and resilient. We work every day across the Department and with key partners and stakeholders to identify and manage national cybersecurity risks. We do this by adopting a holistic risk management approach. Like every organization, no matter how big or small, we must minimize our organizational vulnerability to malicious cyber activity by protecting our own networks. DHS also has broader responsibilities to protect the larger federal enterprise and improve the security and resilience of other critical systems. At the same time, we seek to reduce cyber threats by preventing and disrupting cyber crimes, and to lessen the consequences of cyber incidents by ensuring an effective federal response when appropriate. Finally, we work to create conditions for more effective cyber risk management through efforts to make the cyber ecosystem more fundamentally secure and resilient. This strategy sets forth our goals, objectives, and priorities to successfully execute the full range of the Secretary of Homeland Security’s cybersecurity responsibilities.

During the last several decades, advances in technology have fundamentally changed the world. Substantial growth in Internet access, use of Internet-enabled devices, and the availability of high speed information technology systems and large datasets have facilitated productivity, efficiencies, and capabilities across all major industries. The proliferation of technology also presents new cybersecurity challenges and leads to significant national risks. More than 20 billion devices are expected to be connected to the Internet by 2020. The risks introduced by the growing number and variety of such devices are substantial.

The United States faces threats from a growing set of sophisticated malicious actors who seek to exploit cyberspace. Motivations include espionage, political and ideological interests, and financial gain. Nation-states continue to present a considerable cyber threat. But non-state actors are emerging with capabilities that match those of sophisticated nation-states. Criminal actors are increasingly empowered by modern information and communications technologies that enable them to grow in sophistication and transnational reach. Transnational criminal organizations also increasingly collaborate through cyberspace. Complicating the threat picture, nation-states are increasingly using proxies and other techniques that blur the distinction between state and non-state cyber activities. In a number of cases, malicious actors engaged in significant criminal cyber activity appear to have both criminal and nation-state affiliations.

These diverse threats can impact federal and nonfederal information systems. Attempted incursions into government networks occur on a daily basis; the number of cyber incidents on federal systems reported to DHS increased more than ten-fold between 2006 and 2015. In 2015, a high-profile intrusion into a single federal agency resulted in the compromise of personnel records of over 4 million federal employees and ultimately affected nearly 22 million people. The growing interconnection of cyber and physical systems within critical infrastructure also creates the potential risk for malicious cyber activity to result in direct physical consequences; for example, the December 2015 overriding of controls in the Ukrainian electric grid resulted in widespread loss of power. Ransomware incidents such as WannaCry and NotPetya demonstrate how the rapid growth of the internet-of-things further complicates the threat as everyday devices can be targeted by malicious cyber actors with potentially far-reaching consequences.

Guiding Principles

DHS advances our mission and will accomplish our cybersecurity goals by aligning departmental activities according to the following guiding principles:

  1. Risk prioritization. The foremost responsibility of DHS is to safeguard the American people and we must prioritize our efforts to focus on systemic risks and the greatest cybersecurity threats and vulnerabilities faced by the American people and our homeland.
  2. Cost-effectiveness. Cyberspace is highly complex and DHS efforts to increase cybersecurity must be continuously evaluated and reprioritized to ensure the best results for investments made.
  3. Innovation and agility. Cyberspace is an evolving domain with emergent risks. Although the proliferation of technology leads to new risks, it also provides an opportunity for innovation. DHS must lead by example in researching, developing, adapting, and employing cutting-edge cybersecurity capabilities and remain agile in its efforts to keep up with evolving threats and technologies.
  4. Collaboration. The growth and development of the Internet has been primarily driven by the private sector and the security of cyberspace is an inherently cross-cutting challenge. To accomplish our cybersecurity goals, we must work in a collaborative manner across our Components and with other federal and nonfederal partners.
  5. Global approach. Robust international engagement and collaboration is required to accomplish our national cybersecurity goals. DHS must engage internationally to manage global cyber risks, respond to worldwide incidents, and disrupt growing transnational cyber threats as well as encourage other nations and foreign entities to adopt the policies necessary to create an open, interoperable, secure, and reliable Internet.
  6. Balanced equities. Cyberspace empowers people and enables prosperity worldwide. Cybersecurity is not an end unto itself, and efforts to mitigate cybersecurity risks must also support international commerce, strengthen international security, and foster free expression and innovation.
  7. National values. DHS must uphold privacy, civil rights, and civil liberties in accordance with applicable law and policy. The Department empowers our cybersecurity programs to succeed by integrating privacy protections from the outset and employing a layered approach to privacy and civil liberties oversight.

Joint Chief – Cyberspace Operations Revealed

Cyberspace operations (CO) is the employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace.

This publication focuses on military operations in and through cyberspace; explains the relationships and responsibilities of the Joint Staff (JS), combatant commands (CCMDs), United States Cyber Command (USCYBERCOM), the Service cyberspace component (SCC) commands, and combat support agencies; and establishes a framework for the employment of cyberspace forces and capabilities.

The Nature of Cyberspace Relationship with the Physical Domains.

Cyberspace, while part of the information environment, is dependent on the physical domains of air, land, maritime, and space.

CO use links and nodes located in the physical domains and perform logical functions to create effects first in cyberspace and then, as needed, in the physical domains. Actions in cyberspace, through carefully controlled cascading effects, can enable freedom of action for activities in the physical domains.

Cyberspace Layer Model. To assist in the planning and execution of CO, cyberspace can be described in terms of three interrelated layers: physical network, logical network, and cyberpersona. Department of Defense (DOD) Cyberspace. The Department of Defense information network (DODIN) is the set of information capabilities and associated processes for collecting, processing, storing, disseminating, and managing information on-demand to warfighters, policy makers, and support personnel, whether interconnected or stand-alone, including owned and leased communications and computing systems and services, software (including applications), data, security services, other associated services, and national security systems.

Connectivity and Access. Gaining access to operationally useful areas of cyberspace, including targets within them, is affected by legal, policy, or operational limitations. For all of these reasons, access is not guaranteed. Additionally, achieving a commander’s objectives can be significantly complicated by specific elements of cyberspace being used by enemies, adversaries, allies, neutral parties, and other United States Government (USG) departments and agencies, all at the same time.

The operational environment (OE) is a composite of the conditions, circumstances, and influences that affect the employment of capabilities and impact the decisions of the commander assigned responsibility for it. The information environment permeates the physical domains and therefore exists in any OE. The information environment is the aggregate of individuals, organizations, and systems that collect, process, disseminate, or act on information.

Given that cyberspace is wholly contained within the information environment and the chief purpose of information operations (IO) is to create effects in the information environment, there is significant interdependency between IO and CO.

Integrating Cyberspace Operations with Other Operations

During joint planning, cyberspace capabilities are integrated into the joint force commander’s (JFC’s) plans and synchronized with other operations across the range of military operations. While not the norm, some military objectives can be achieved by CO alone. Commanders conduct CO to obtain or retain freedom of maneuver in cyberspace, accomplish JFC objectives, deny freedom of action to the threat, and enable other operational activities.

Cyberspace Operations Forces

Commander, United States Cyber Command (CDRUSCYBERCOM), commands a preponderance of the cyberspace forces that are not retained by the Services. USCYBERCOM accomplishes its missions within three primary lines of operation: secure, operate, and defend the DODIN; defend the nation from attack in cyberspace; and provide cyberspace support as required to combatant commanders (CCDRs). The Services man, train, and equip cyberspace units and provide them to USCYBERCOM through the SCCs.

Challenges to the Joint Force’s Use of Cyberspace

Threats. Cyberspace presents the JFC’s operations with many threats, from nation-states to individual actors to accidents and natural hazards. Anonymity and Difficulties with Attribution. To initiate an appropriate defensive response, attribution of threats in cyberspace is crucial for any actions external to the defended cyberspace beyond authorized self-defense.

Geography Challenges. In cyberspace, there is no stateless maneuver space. Therefore, when US military forces maneuver in foreign cyberspace, mission and policy requirements may require they maneuver clandestinely without the knowledge of the state where the infrastructure is located.

Technology Challenges. Using a cyberspace capability that relies on exploitation of technical vulnerabilities in the target may reveal its functionality and compromise the capability’s effectiveness for future missions.

Private Industry and Public Infrastructure. Many of DOD’s critical functions and operations rely on contracted commercial assets, including Internet service providers (ISPs) and global supply chains, over which DOD and its forces have no direct authority.

Globalization. The combination of DOD’s global operations with its reliance on cyberspace and associated technologies means DOD often procures mission-essential information technology products and services from foreign vendors.

Mitigations. DOD partners with the defense industrial base (DIB) to increase the security of information about DOD programs residing on or transiting DIB unclassified networks.

Cyber Hackers Attack U.S. State And Local Authorities

 

Bildergebnis für cyber attack

 

An unidentified cyber actor in mid-March 2018 used GrandCrab Version 2 ransomware to attack a State of Connecticut municipality network and a state judicial branch network, according to DHS reporting derived from a state law enforcement official with direct and indirect access. The municipality did not pay the ransom, resulting in the encryption of multiple servers that affected some data backups and the loss of tax payment information and assessor data. The attack against the state judicial branch resulted in the infection of numerous computers, but minimal content encryption, according to the same DHS report.

(U//FOUO) The unidentified cyber actor introduced the ransomware used against the judicial branch network through a vendor server/host; the ransomware then harvested cached credentials of high-level privileged accounts, according to the same DHS report. The actor then used the credentials to access two servers on the network and propagate the malware via server message block (SMB). Connecticut state cybersecurity officials were able to block the ransomware’s communication with external infrastructure, which prevented the encryption of additional hosts and data loss, according to the same DHS report.

(U) GandCrab Malware

(U) Released in late January 2018, GandCrab, also called “GrandCrab,” is a ransomware variant distributed by exploit kits that requires communication with the ransomware’s command-and-control (C2) server to encrypt files of an infected computer, according to an online technical support site. The developers of GandCrab recently upgraded the original version after Romanian police and BitDefender mitigated infections by recovering its decryption keys, according to a separate article from the same online technical support site. As of 6 March 2018, no free decryption key is available to victims of GandCrab version 2. GandCrab uses NameCoin’s .BIT as its top-level domain (TLD); therefore, variants of the ransomware using the .BIT TLD must also use a domain name server that supports .BIT, according to the same online technical support site. Upon infection, GandCrab will attempt to query the ransomware’s C2 servers on the .BIT domain to establish communication. GandCrab will not encrypt a host’s content with the .CRAB extension if communication is not established with the C2 server, according to the same online technical support site.

Director Of U.S. Intelligence Reveals Cyber Threat Frame



Goals for a Common Approach to Threat Frameworks

Following a common approach helps to:

• Establish a shared ontology and enhance information-sharing since it is easier to maintain mapping of multiple models to a common reference than directly to each other

• Characterize and categorize threat activity in a straightforward way that can support missions ranging from strategic decision-making to analysis and cybersecurity measures and users from generalists to technical experts

• Support common situational awareness across organizations

Key Attributes and Goals in Building a Cyber Threat Framework

• Incorporate a hierarchical/layered perspective that allows a focus on a level detail appropriate to the audience while maintaining linkage and traceability of data

• Employ Structured and documented categories with explicitly defined terms and labels (lexicon)

• Focus on empirical/sensor-derived ‘objective’ data

• Accommodate a wide variety of data sources, threat actors and activity

• Provide as a foundation for analysis and decision-making

The Common Cyber Threat Framework

• Since 2012, the Office of the DNI has worked with interagency partners to build and refine The Common Cyber Threat Framework reflecting these key attributes and goals

• The Common Cyber Threat Framework is not intended to displace or replace an organization’s existing model which is tailored to its specific mission and requirements; rather, it is intended to:

Serve as a viable Universal Translator (a cyber Esperanto or Rosetta Stone) facilitating efficient and possibly automated exchange of data and insight across models once each has been mapped to it and the mappings shared

Provide a Starting Point featuring a simple threat model and value-neutral concepts. It can be customized for any organization as needed—and any deviations from the common approach are readily apparent, facilitating mapping and data exchange.

Download The Full Document Here

 

 

 

Chinese Cyber Hackers Launch Malicious Bot

Chinese Cyber Hackers Launch Malicious Bot

In March 2018, an identified financial services corporation received a thumb drive infected with the bank credential-stealing Qakbot malware variant, targeting information from networked computers and financial institution web sites. The financial services corporation purchased bulk thumb drives from a US online retailer of computer hardware. The thumb drives were originally manufactured in China. According to FBI forensic analysis, the Qakbot malware was on the infected thumb drive before the drive arrived in the United States. Qakbot is extremely persistent and requires removal of all malware from every device. Failure to remove even one node of malware may result in re-infecting previously sanitized systems possibly costing the victim hundreds of thousands of dollars in malware removal and system downtime.

Threat

Qakbot is an information stealing worm—originally discovered in 2007 with a major update in 2017—that propagates through removable drives, network shares, and Web pages. The most common vector of intrusion for Qakbot is malicious attachments to phishing emails. Once executed, Qakbot spreads to other shared folders and uses Server Message Block (SMB) protocol to infect other machines. Qakbot has keylogging capabilities, and is able to propagate across network environments through a single instance within that network. It is capable of remaining on a device through the use of registry keys and by scheduling recurring tasks to run at timed intervals. Every device connected to the network and every piece of removable media which has been attached needs to be scanned for the malware and cleaned of the infection before it can be reconnected. The most recent updates in 2017 allows Qakbot to lock users out of the active directory, preventing them from being able to work. It also deploys malicious executables into network shares, registering them as services.

Cyber actors have the capability to infect devices with malware at nearly any point in the manufacturing process. The FBI has historically seen cases of infection with malware capable of stealing credentials, gathering data on the users of a computer or network, dropping other types of malware, and serving as a “backdoor” into a secure network. It is difficult to know at which point the malware infection occurred or whether the infection was intentional, due to the international nature of hardware manufacturing.

Recommendations

To mitigate the threat of a potentially infected thumb drive, the following measures should be taken at a minimum:

Ensure the use of approved, trusted vendors for hardware purchases.

Scan all hardware, especially removable storage media, on an external system prior to its insertion into a network environment.

For signature-based intrusion detection systems, ensure that the hash value for known Qakbot variants are included. The MD5 value for the variant identified in this PIN was: ff0e3ec80faafd04c9a8b375be77c6b6. This hash value can change, so be prepared to use other advanced detection systems.

Users should protect themselves and organizations by practicing good browsing habits, ensuring they do not respond to or click on unsolicited email, and to not plug unknown USB devices into
their workstations.

If you don’t have the expertise to properly handle or identify potential cyber threats please seek out an expert who can provide the expertise needed to secure your organization.