Blog

Common pitfalls in attributing cyberattacks

Articles, Blog, Cyber Security, cybersecurity

Attack attribution is always difficult as criminal groups often share code and techniques, and nation-state actors excel at deception. Here, security researchers share their techniques and common pitfalls.

Attributing cyberattacks to a particular threat actor is challenging, particularly an intricate attack that stems from a nation-state actor, because attackers are good at hiding or erasing their tracks or deflecting the blame to others.

The best method for arriving at a solid attribution is to examine the infrastructure and techniques used in the attack, but even then, researchers can often get it wrong, as Paul Rascagneres and Vitor Ventura of Cisco Talos illustrated in a talk at the VB2020 conference on September 30.

Researchers typically rely on three sources of intelligence, Rascagneres said: open-source intelligence (OSINT), which is publicly available information on the internet, technical intelligence (TECHINT) that relies on malware analysis, and proprietary data available only to the organizations involved in the incident.

Nation-state intelligence agencies serve as another source of intelligence because they have more information and additional resources than the private sector, but intel agencies are often secretive about their methods. “In public sectors, they don’t give everything,” Rascagneres said. “They don’t explain how they get all the detail. How does it make the link?”

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Photo by Kaitlyn Baker on Unsplash

Late-game election security: What to watch and watch out for

Articles, Blog, Cyber Security, cybersecurity, Defense Department, elections, Trickbot

Despite disruption of the Trickbot botnet network, last-minute leaks of stolen documents and post-election undermining of trust in the election system remain big concerns.

As we head into the final inning of what has been a dramatic US presidential election season, it’s clear the country has so far been spared the kind of high-stakes hacking and disinformation campaigns that marred the 2016 election. Still, US intel and cyber defense organizations are on the lookout for last-minute ransomware attacks and have been joined by their private sector counterparts while social media companies appear to be clamping down on disinformation efforts.

The most striking evidence that the US may be better prepared than it was in 2016 is the extraordinary actions taken by US Cyber Command (CyberCom) to meddle with the Russian-language Trickbot botnet network, used to deliver malware, including ransomware, and frequently exploited by Russian military intelligence for plausible deniability. Following a scoop by journalist Brian Krebs that an unknown actor was meddling with Trickbot, news leaked over the weekend that CyberCom was the meddler.

CyberCom’s goal was to thwart any possible ransomware attacks on selected or strategically important jurisdictions. The military cyber arm might have also been pushed into action by a Trickbot-enabled ransomware attack on top healthcare provider Universal Health Services (UHS), which was forced to shutter digital operations when 400 of its computer systems were locked up by Ryuk ransomware.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

How SilentFade group steals millions from Facebook ad spend accounts

Articles, Blog, Cyber Security, cybersecurity, Facebook

SilentFade steals credentials and ad spend account information and sells the information to other bad actors. The group returned with improved malware after Facebook’s initial mitigation efforts.

Facebook is a magnet for scammers, thieves and other bad actors looking to swindle and manipulate the social media giant’s vast pool of users. One group discovered by Facebook’s in-house researchers took such a sophisticated approach to bilking Facebook users that it walked away with $4 million in an elaborate ad fraud scheme that went undetected by its victims.

Sachit Karve, speaking both for himself and fellow Facebook security researcher Jennifer Urgilez, offered more details about this scheme at the VB 2020 conference last week. Facebook insiders call the group behind it SilentFade and discovered that it came from a Chinese malware ecosystem that used different types of malware in its cybercrime sprees.

Facebook discovered the malware family near the end of 2018 but traced its origins back to 2016. SilentFade has a keen focus on social media targets. “SilentFade is interesting to us as it explicitly targets users of social networks and more recently services with social components like Amazon,” Karve said.

The name SilentFade comes from “Silently running Facebook ads with exploits.” “The malware is capable of running ads on Facebook, without the user’s knowledge, by exploiting a bug on the platform,” Karve said at the conference.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Photo by Brett Jordan on Unsplash

New FBI strategy seeks to disrupt threat actors, help defenders through better coordination

Articles, Blog, Coronavirus, Cyber Security, cybersecurity, DHS, FBI

The FBI sharpens its focus on collaboration among US and foreign government agencies and the private sector. It will act as a central hub to deal with cybersecurity threats.

Last week, the US Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint announcement about the potential threat that foreign-backed online journals pose in spreading misinformation ahead of the crucial 2020 US presidential election. This alert, intended to raise public awareness based on government intelligence, reflects a new strategic direction by the FBI to work with partners across the federal landscape to better protect the American public and its allies from cyber threats.

“It’s a complex threat environment where our greatest concerns involve foreign actors using global infrastructure to compromise US networks,” Tonya Ugoretz, deputy assistant director of the FBI’s Cyber Division said during a conference at Auburn University’s McCrary Institute organized to debut the Bureau’s new strategy.

Ugoretz said that among the many factors the FBI must now juggle in dealing with cyber threats are:

  • The increased attack surfaces stemming from widespread work-at-home arrangements due to the COVID-19 crisis
  • Attackers’ growing willingness to exploit the increased vulnerabilities the wider attack surface makes possible
  • The increase in availability of tools that threat actors use to launch attacks
  • Growth in the number of both criminal and nation-state threat actors.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Photo by Jack Young on Unsplash

CIOs say security must adapt to permanent work-from-home

Articles, Blog, Coronavirus, Cyber Security, cybersecurity, DHS, Insider Threat

Both private- and public-sector CIOs see many more employees permanently working remotely, and say security needs to adapt to new threats and how they communicate.

The entire US economy and government were forced to shut down in-person facilities and operations almost overnight in March as COVID quarantines began. The new conditions forced organizations to quickly find ways to secure tens of millions of new, vulnerable endpoints created by at-home workers. Now, six months later, technology leaders are taking stock of what happened and considering how a post-COVID landscape might look.

COVID has resulted in a lot of forward-looking changes, Jim Weaver, CIO of Washington State, said on the second day of the annual Cybersecurity Summit hosted by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). “COVID has been our chief innovation officer. Now as a state we’re pivoting to change our service methodologies while in the middle of a pandemic and economic downturn.” Washington was the first state with a positive COVID case on January 14.

“Governor Inslee has been a big proponent for remote work for a lot of reasons and so we did have a culture and mindset in place already enabled to support it,” Weaver said. Washington had to jump from an average of 3,000 to 4,000 remote concurrent connections to 65,000 to 70,000 almost overnight. “That went pretty flawlessly, I’m pleased to say.”

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Photo by Charles Deluvio on Unsplash

Preventing insider threats: What to watch (and watch out) for

Articles, Blog, Insider Threat

Understanding human behaviors that precede malicious actions from an insider is the best way to avoid data loss or disruption, experts say.

September is officially National Insider Threat Awareness Month (NIATM) and the theme of this year’s NIATM is resilience. Of all the digital threats facing organizations, the insider threat can be the most vexing to tackle given how uncomfortable it can feel to suspect one’s own colleagues of wrongdoing. It’s challenging to set up systems and processes that might catch well-regarded peers or superiors in a harmful act.

At last week’s inaugural Insider Risk Summit, experts at corporations and cybersecurity firms gathered to talk about the top trends driving insider security threats and what security officers should know in trying to combat those threats. “There’s not one type of threat but there is a common aspect, which is that [insiders] are looking to get at critical assets of the organization — people, information, technology and facilities,” Michael Theis, chief engineer, Strategic Engagements at the US Community Emergency Response Team’s (CERT’s) National Insider Threat Center, said during his keynote talk.

Theis based most of his talk on the fraud model that CERT’s threat center has built on a data set of 2,500 verified insider incidents that resulted in sabotage or corporate threat. It’s important to define what exactly an insider threat is, Theis said. “[It’s] the potential for an individual who has or had authorized access to an organization’s assets to use their access, either maliciously or unintentionally to act in a way that could negatively affect the organization.” The people who could be considered insiders encompass a wide range of individuals from current or former full-time employees, part-time employees, temporary employees, contractors, and trusted business partners.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Photo by Austin Distel on Unsplash

FEATURE – The Mysterious Case of the Missing 250-Ton Chinese Power Transformer

Articles, Blog, DOE, Industrial Control System Security

In May, the Trump administration seized a $3 million transformer on its way to Colorado. What happened to it, and where is it now?

In May, the Trump administration seized a 250-ton, $3 million Chinese high-voltage transformer that was on its way to Colorado. It was taken to Sandia National Labs in New Mexico for reasons unknown. What happened to it still remains a mystery.

On May 1, the Trump Administration issued a surprise Executive Order (EO), “Securing the United States Bulk Power System.” The directive aims to keep critical equipment supplied by foreign adversaries out of the nation’s power grid due to supposed supply chain security threats. It requires the Secretary of Energy to work with other agencies in identifying the specific equipment from adversarial suppliers, particularly Chinese suppliers, that the government should bar from the bulk-power system.

The Department of Energy (DOE) has to issue relevant rules on the matter within 150 days, or by September 28. Shortly after the EO’s release came the surprising revelation that a federally owned utility managed by DOE, the Western Area Power Administration (WAPA), hijacked a nearly $3 million Chinese-manufactured transformer initially intended for one of its substations in Colorado. WAPA instead diverted it to one of DOE’s national laboratories, Sandia National Labs, in New Mexico.

The manufacturer of the high-voltage 500,000-pound transformer was Chinese company JiangSu HuaPeng Transformer Co., Ltd., or JSHP, which shipped the transformer from Shanghai to the Port of Houston in August 2019. JSHP’s North American representative Jim Cai told Motherboard his company planned to spend a couple of hundred thousand dollars to transport the high-grade steel using a particular kind of railroad car to WAPA’s Ault substation in Colorado, where JSHP would then install it. Like all electric substations, the Ault facility’s main purpose is to “step down” high-voltage electricity, typically above 1,000 volts, to lower, more manageable levels that can be distributed safely to homes and businesses.

Before the ship docked in Texas, WAPA told JSHP to cancel its plans to transport and install the transformer and to forget about selling a warranty on the equipment, which is almost always mandatory for highly specialized, expensive electrical system equipment. The utility then transported the transformer itself to Sandia. Since then, WAPA and DOE have been silent on this odd development, which has sparked confusion and concerns among utilities and industrial control system (ICS) security specialists.

[This article appeared in Vice News. To read the rest of the article please visit here.]

Photo by ETA+ on Unsplash

Ransomware attacks growing in number, severity: Why experts believe it will get worse

Articles, Blog, Cyber Security, cybersecurity, DHS, ransomware

Law enforcement and federal experts discuss recent ransomware trends and challenges of fighting the attacks.

Ransomware has become the most chronic and common threat to digital networks. At a time when 41% of all cybersecurity insurance claims flow from ransomware attacks, it’s no surprise that ransomware is top of mind for leading security experts, government officials and law enforcement leaders.

“I think ransomware is going to get worse and I hate to say it, but it’s almost the perfect crime,” Mark Weatherford, chief strategy officer and board member of the non-profit National Cyber Security Center, told attendees at the third annual Hack the Capitol event. “It’s easy to pull off and it’s almost impossible to get caught.”

While major ransomware events grab all the headlines, Weatherford worries about the smaller victims of ransomware attackers. “Small- and medium-sized businesses simply don’t have the resources or the technical acumen to understand the threat environment that they live in,” he said.

Sometimes it can seem like a ransomware attack is inevitable. “A lot of my friends in companies that I talk to on a regular basis literally are waiting for that shoe to drop when they are the victim of a big ransomware event,” Weatherford said.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Photo by Michael Geiger on Unsplash

Election security status: Some progress on ballot integrity, but not on Russian interference

Articles, Blog, cybersecurity, DHS, elections

With the election less than two months away, government and election officials say voting itself is more secure, but Russian disinformation remains largely unaddressed.

The presidential election in 2016 was a wake-up call that the security of the country’s election infrastructure can never again be considered a sure thing. During the last presidential campaign, Russia hacked into the Democratic National Committee’s network and stole emails from Clinton campaign officials while also breaking into at least two county voting systems in Florida. Those digital security attacks took place alongside destructive disinformation campaigns that ran on vulnerable and unprepared social media networks.

At this year’s Billington Cybersecurity Summit, 55 days before the next presidential election, experts weighed in on the progress, or lack thereof, that the US has made in securing America’s elections since 2016.

Chris Krebs, head of the Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA), told attendees that three-and-a-half years after he joined the agency it has “turned the corner in a really meaningful way” on cybersecurity. “We’re working in all 50 states on a regular basis to share information, to secure their systems, to ensure that they have all the resources they need to be prepared, whether it’s a COVID environment or non-COVID environment.”

Matthew Masterson, senior cybersecurity advisor at CISA, says his group is hard at work on supporting the more than 8,800 officials who run the country’s elections. Many of the voting jurisdictions are small but many election offices represent the largest IT operations in their counties in terms of total number of assets.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Photo by Kari Sullivan on Unsplash

CMMC bakes security into DoD’s supply chain, has value for all businesses

Articles, Blog, Defense Department

The Cybersecurity Maturity Model Certification provides a means for the Department of Defense to certify the security capabilities of its contractors, but it’s a good way to assess the cybersecurity maturity for all companies.

Just as the coronavirus pandemic was getting underway in January, the Department of Defense (DoD) launched an ambitious cybersecurity certification and compliance process called the Cybersecurity Maturity Model Certification (CMMC). This framework has five certification levels of maturity that are designed to ensure that the Pentagon’s 300,000 contractors can adequately protect sensitive information.

The CMMC embraces existing well-known federal cybersecurity frameworks including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, and AIA NAS9933, as well as compliance procedures from the Federal Information Security Management Act (FISMA). One of the most significant changes for DoD contractors under the CMMC is the need to undergo external security audits.

“There were some simple things that our communities weren’t doing and we needed to find a way to make them repeatable, accountable and to provide metrics and make them auditable,” Katie Arrington, CISO for acquisition and sustainment, DoD, said at the 10th Annual Billington Cybersecurity Summit, which was held virtually this year. “So, we created this model with collaboration with industry and academia.”

The CMMC “is one piece of a massive cultural reform that’s been going in the department since 2018,” Arrington said, pointing to something called the Adaptive Acquisition Framework, a set of policies designed to introduce innovation into what has long been the sluggish thicket of the federal acquisition process. “It’s refreshing to see that acquisition is now understanding the new emerging capabilities and how we need to move through those.”

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Photo by İsmail Enes Ayhan on Unsplash