
UK Issued New Cybersecurity Guidelines on Emerging Supply Chain Attacks

A surge in the number of instances has prompted cyber security experts to issue a fresh warning about the danger of supply chain hacks. Businesses have been advised by the UK's cybersecurity agency to take additional precautions against supply chain assaults. In response to what it claims to be a recent increase in supply chain threats, the National Cyber Security Center (NCSC) has produced fresh advice for enterprises.

Although the advice is applicable to businesses in all industries, it was released in collaboration with the Cross-Market Operational Resilience Group (CMORG), which promotes the enhancement of the operational resilience of the financial sector. The advice, which is intended to assist medium-sized and larger enterprises, evaluates the cyber risks of collaborating with suppliers and provides confirmation that mitigation techniques are in effect for vulnerabilities related to doing business with suppliers.

The 2020 hack on SolarWinds' software build system, the 2021 ransomware attack on Kaseya clients, and the 2017 NotPetya attack via a Ukraine accounting program are a few notable recent incidents. President Joe Biden of the United States issued an executive order to improve cybersecurity in response to SolarWinds.

In a document titled 'Defending the Pipeline' published by NCSC in February, the agency recommended businesses and programmers use continuous integration and delivery (CI/CD) to automate software development. The CEO of NCSC ranked ransomware as the top cyber danger in October of last year, while also warning that supply chain concerns will persist for years.

The new guidance assists medium and larger enterprises in "evaluating the cyber risks of collaborating with suppliers and gaining assurance that mitigations are in place," according to an NCSC announcement.

According to the UK government's report on security breaches in 2022, more than half of companies, big and small, contract out their IT and cybersecurity needs to outside companies. However,  s evaluated the dangers posed by immediate suppliers. These respondents claimed that the importance of cybersecurity in procurement was low.

According to Ian McCormack, NCSC deputy director for government cyber resilience, supply chain attacks represent a significant cyber danger to organizations, and incidents can have a significant, ongoing effect on companies and customers.

The advice is broken down into five stages that address why businesses should care about supply chain cybersecurity, how to identify and protect one's private data when developing an approach, how to apply the approach to new suppliers, how to apply it to contracts with current suppliers, and continuous improvement.

The US intelligence agency, NSA, released its software supply chain recommendations last month with a focus on developers. New standards for the purchase of software were also released in the same month by the US Office of Management and Budget.

China's Attacks on Telecom Providers Were Exposed by US


Since 2020, US cybersecurity and intelligence agencies have cautioned about state-sponsored cyber attackers located in China using network vulnerabilities to target public and private sector enterprises.

Chinese hacking gangs have used publicly known vulnerabilities to infiltrate everything from unpatched small office/home office (SOHO) routers to moderate and even big enterprise networks, according to a joint cybersecurity alert released on Tuesday by the NSA, CISA, and the FBI. 

Several servers are used by China-linked APTs to create new email accounts, host command and control (C&C) domains, and connect with target networks, using hop points as an obfuscation strategy to mask their true location. "Once within a telecommunications organization or network service provider, PRC state-sponsored cyber actors identified essential users and infrastructure, including systems critical to ensuring the stability of authentication, authorization, and accounting," as per the report.

These threat actors are continually altering their techniques to avoid detection, according to US authorities, including watching network defenders' actions and adjusting current attacks to remain undiscovered. 

They were also seen changing their infrastructure and tools when the campaigns were made public. After stealing credentials to access the underlying SQL databases, the attackers used SQL commands to dump user and admin credentials from key Remote Authentication Dial-In User Service (RADIUS) servers. The three US agencies have revealed that Chinese threat actors primarily exploit vulnerabilities in:
  • Cisco (CVE-2018-0171, CVE-2019-15271, and CVE-2019-1652)
  • Citrix (CVE-2019-19781)
  • DrayTek (CVE-2020-8515)
  • D-Link (CVE-2019-16920)
  • Fortinet (CVE-2018-13382)
  • MikroTik (CVE-2018-14847)
  • Netgear (CVE-2017-6862)
  • Pulse (CVE-2020-29583)

Open-source tools such as RouterSploit and RouterScan (vulnerability scanning framework) are used by threat actors to scan for vulnerabilities and conduct reconnaissance, allowing them to identify brands, models, and known problems that can be attacked. 

"Once within a network service provider, PRC state-sponsored cyber actors identified essential users and infrastructure, particularly systems critical to maintaining the security of authentication, authorization, and accounting," as per the joint advisory.

Lastly, the attackers altered or deleted local log files to eliminate evidence of their presence and avoid discovery. Security updates should be applied as quickly as feasible, unneeded ports and protocols should be disabled to reduce the attack surface, and end-of-life network infrastructure that no longer receives security patches should be replaced, according to the federal agencies.

Segmenting networks to prevent lateral movement and enabling robust monitoring on internet-exposed services to discover attack attempts as soon as possible are also recommended.

NSA Employee Indicted for 'Leaking Top Secret Info' To a Woman


Recently, the United States Department of Justice (DoJ) has claimed that an NSA employee has been sharing highly sensitive data of national security with an individual who allegedly is a private sector employee. 

According to a DoJ announcement and the indictment, an NSA staffer named Mark Unkenholz "held a TOP SECRET/Sensitive Compartmented Information (SCI) clearance and had lawful access to classified information relating to the national defense." 

The indictment, unsealed on Thursday in U.S. District Court in Baltimore, accuses Unkenholz, a 60-year-old employee of the NSA office that engages with private industry, of sending 13 unauthorized emails to a woman referred to as "RF" between February 2018 and June 2020, each containing top secret information relating to national defense.

Following the incident, the court said there was "reason to believe [the info] could be used to the injury of the United States or to the advantage of any foreign nation." Further, the Justice Department reported that RF also held a TOP SECRET/SCI clearance from April 2016 until approximately June 2019 through the company she was working for, referred to as Company 1; when she moved from Company 1 to Company 2, however, her clearance lapsed.

According to the indictment's timeline, Unkenholz sent the files to RF when she was working at Company 1 and at Company 2. It shows that RF's clearance was not sufficient for these sensitive materials. 
 
Unkenholz also used his personal email address for this, and under the regulations a personal email address is not considered an authorized storage location for sensitive data. Unkenholz has been charged with 13 counts of willful retention of national defense information on top of 13 counts of "willful transmission." Each count carries up to 10 years in federal prison.

Several QNAP NAS Devices are Vulnerable by Dirty Pipe Linux Bug


The "Dirty Pipe" Linux kernel weakness – a high-severity vulnerability that offers root access to unprivileged users with local access in all major distros – affects a majority of QNAP's network-attached storage (NAS) appliances, the Taiwanese company stated. 

According to QNAP, the Linux kernel on QNAP NAS devices running QTS 5.0.x and QuTS hero h5.0.x is affected by Dirty Pipe, a recently revealed local privilege-escalation vulnerability. If this vulnerability is exploited, a local user with no privileges can gain admin privileges and inject malicious code.

The flaw was identified and reported eight days ago by Max Kellermann of CM4all, a security researcher. The vulnerability, which has been identified as CVE-2022-0847, has been present in the Linux kernel since version 5.8. Fortunately, Linux kernels 5.10.102, 5.15.25, and 5.16.11 have been updated to address the issue. 
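As an added example (not QNAP's or the kernel project's code), a small triage helper that applies the version facts above to a kernel version string such as the output of `uname -r`. Its treatment of the 5.11 to 5.14 stable series (no fixed release listed, so treated as affected) and of 5.17 and later (treated as carrying the mainline fix) is an assumption, not something the page states.

```python
"""Triage helper: is a given Linux kernel version in the Dirty Pipe
(CVE-2022-0847) affected range?

Facts taken from the text: the bug has been present since 5.8 and is fixed in
5.10.102, 5.15.25 and 5.16.11. Everything else below is an assumption made for
this example, not a statement from QNAP, the kernel project or the page.
"""
import platform
import re

INTRODUCED = (5, 8, 0)
# stable series -> first patch level that carries the fix (from the text)
FIXED_IN = {(5, 10): 102, (5, 15): 25, (5, 16): 11}
# ASSUMPTION: 5.17 and later are treated as carrying the mainline fix.
MAINLINE_FIXED = (5, 17, 0)


def parse_kernel_version(s):
    """Turn '5.10.43-rockchip64' or '5.15' into a (major, minor, patch) tuple.

    Distribution suffixes (-generic, -rt, build tags) are ignored; a missing
    patch level is read as 0.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"unrecognised kernel version: {s!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def dirty_pipe_affected(version):
    """Return True if the version falls in the affected range, else False."""
    v = parse_kernel_version(version)
    if v < INTRODUCED:
        return False                  # bug not present before 5.8
    if v >= MAINLINE_FIXED:
        return False                  # assumption: mainline fix included
    series = v[:2]
    if series in FIXED_IN:
        return v[2] < FIXED_IN[series]  # patched only from the listed level on
    # 5.8, 5.9 and the 5.11-5.14 series: no fixed release is listed, so the
    # conservative answer is "affected" (assumption for this example).
    return True


def check_running_kernel():
    """Convenience wrapper for the host this script runs on."""
    rel = platform.release()
    return rel, dirty_pipe_affected(rel)


if __name__ == "__main__":
    # The Pixel 6 / Galaxy S22 kernel version quoted in the text.
    print("5.10.43 affected:", dirty_pipe_affected("5.10.43"))
    rel, hit = check_running_kernel()
    print(f"running kernel {rel}: {'AFFECTED' if hit else 'not in affected range'}")
```

Only the kernel version is checked here; a vendor may have backported the fix without changing the version string, so treat a positive result as a prompt to confirm with the vendor's advisory.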

However, as Linux news site Linuxiac points out, Dirty Pipe is just not simply a threat to Linux machines: because Android is built on the Linux kernel, any device running version 5.8 or later is vulnerable, putting a large number of people at risk. For example, Linuxiac cited the Google Pixel 6 and Samsung Galaxy S22: the widely used phones run on Linux kernel 5.10.43, making them susceptible.

"QNAP will hopefully deliver a kernel update for the vulnerability soon," said Mike Parkin, a highly experienced engineer at Vulcan Cyber. "This is the storage device vendor's second recent incident," Parkin further pointed out in an email.

NAS devices, which allow authorized users and customers to store and retrieve data from a single location, boost productivity by providing cloud computing capabilities inside networks, according to Schless. Some have compared Dirty Pipe to Dirty Cow, an older privilege escalation flaw (CVE-2016-5195) that had been in Linux for nine years, since 2007, before it was publicly exploited in 2016 against web-facing Linux servers.

Dirty Pipe is a lot like Dirty Cow, except it is worse because it is easy to exploit. According to Parkin, the vulnerability's mitigating factor is that it requires local access, which reduces the danger marginally. The Dirty Pipe flaw has also been fixed in the newest Linux kernel code, and patches for the major distributions are expected to be available soon.

New Trojan Attack Campaign Prompted by Pegasus Spyware


A newly identified Sarwent Trojan variant is being distributed by a threat group via a bogus Amnesty International website that claims to protect users from the Pegasus smartphone spyware.

The operation targets people who believe they have been attacked by NSO Group's Pegasus spyware and is thus likely tied to nation-state activity, according to Cisco Talos security analysts, but Talos has yet to identify the exact threat actor.

Pegasus is a piece of spyware created by the Israeli cyber arms firm NSO Group which can be loaded secretly on smartphones (and other devices) running most versions of iOS and Android. According to the disclosures from Project Pegasus 2021, the existing Pegasus program can attack all recent iOS versions up to iOS 14.6. Pegasus could intercept text messages, track calls, gather passwords, monitor position, access the target device's camera and microphone, and collect data from apps as of 2016. 

Despite claims of authorized use, Pegasus, a contentious surveillance technology, has allegedly been used by tyrannical governments in operations targeting journalists, human rights activists, and other opponents of the state.

Soon after the release of a comprehensive Amnesty International report on Pegasus in July of this year, as well as Apple's dissemination of updates for the ForcedEntry zero-day exploit, several users started exploring ways of protecting themselves from the spyware that was exploited by adversaries. 

On a bogus website that looks identical to Amnesty International's, the malicious actors claim to be delivering "Amnesty Anti Pegasus," an anti-virus tool that can allegedly guard against NSO Group's malware.

Instead, victims are given the Sarwent remote access tool (RAT), which allows attackers to easily upload and run payloads on compromised PCs, as well as extract relevant and sensitive data.

Despite its low intensity, the attack has struck individuals in the United States, the United Kingdom, Colombia, the Czech Republic, India, Romania, Russia, and Ukraine, as per Cisco Talos. 

“Given the current information, we are unsure of the actor’s objectives. The use of Amnesty International’s name, a group whose work frequently puts it at odds with governments around the world, as well as the Pegasus brand, malware that has been used to target dissidents and journalists on behalf of governments, raises questions about who is being targeted and why,” according to Cisco Talos.

The campaign's adversary appears to be a Russian speaker who has been using Sarwent to target victims from different walks of life across the globe since at least January 2021. The malicious actors have been using the Trojan, or one with a comparable backdoor, since 2014, according to security experts.

NSA Issues FAQs on Quantum Computing and Post-Quantum Cryptography


As quantum computing and post-quantum cryptography move to the forefront of cryptographic discussions, especially in areas associated with national defense, the National Security Agency (NSA) has published a document comprising the most frequently asked questions about quantum computing and post-quantum cryptography, in which the agency examines the probable ramifications for national security of the arrival of a "brave new world" far beyond the traditional computing domain.

This 8-page report provides a summary of quantum computing, its connection with cryptography, the Commercial National Security Algorithm Suite, Commercial Solutions for Classified (CSfC), and the National Information Assurance Partnership (NIAP), as well as forthcoming techniques and cryptography. 

As the race for quantum computing heats up, with a slew of players vying for quantum dominance through diverse and sometimes eccentric avenues of scientific inquiry, the NSA document examines the possible security risks raised by the development of a “Cryptographically Relevant Quantum Computer” (CRQC).

"NSA does not know when or even if a quantum computer of sufficient size and power to exploit public key cryptography (a CRQC) will exist," it stated. 

A CRQC is a quantum computer strong and sophisticated enough to break the conventional encryption techniques designed for classical computing. While these techniques are practically uncrackable with existing or even prospective classical supercomputers, a quantum computer does not abide by the same rules, given the nature of the beast and the superposition readily available to its basic computing unit, the qubit.

Considering that governments and labs are striving to develop crypto-busting quantum computers, the NSA stated it was developing “quantum-resistant public key” algorithms for private suppliers to the US government to employ, as part of its Post-Quantum Standardization Effort, which has been in operation since 2016. 

The world depends on public key cryptography for strong encryption, such as TLS and SSL, which underpin the HTTPS protocol and help safeguard user browsing data against third-party spying.

Eric Trexler, VP of global governments at security shop Forcepoint, told The Register: "Progress on quantum computers has been steadily made over the past few years, and while they may not ever replace our standard, classical computing, they are very effective at solving certain problems. This includes public-key asymmetric cryptography, one of the two different types of cryptosystems in use today." 

Consequently, an agency such as the NSA, which guarantees the security of the United States' technological infrastructure, must cope with both current and future risks; as one would assume, updating organizations as large as an entire country's key government systems requires an incredible amount of time.

The NSA wrote, in theory, quantum computers can perform some mathematical calculations tenfold quicker than traditional computers. Quantum computers use “qubits” instead of regular bits, which react and interact as per the laws of quantum mechanics. This quantum-physics-based characteristic might allow a reasonably large quantum computer to do precise mathematical calculations that would have been impossible for any conventional computer to execute. 

According to the NSA, "New cryptography can take 20 years or more to be fully deployed to all National Security Systems (NSS)". And as the agency writes in its document, "(...) a CRQC would be capable of undermining the widely deployed public key algorithms used for asymmetric key exchanges and digital signatures. National Security Systems (NSS) — systems that carry classified or otherwise sensitive military or intelligence information — use public-key cryptography as a critical component to protect the confidentiality, integrity, and authenticity of national security information. Without effective mitigation, the impact of adversarial use of a quantum computer could be devastating to NSS and our nation, especially in cases where such information needs to be protected for many decades." 

In its document, the NSA rests the decision of which post-quantum cryptography would be deployed by the United States' national infrastructure solely on the shoulders of the National Institute of Standards and Technologies (NIST), which is "in the process of standardizing quantum-resistant public key in their Post-Quantum Standardization Effort, which started in 2016. This multi-year effort is analyzing a large variety of confidentiality and authentication algorithms for inclusion in future standards," the NSA says.

NSA Issues Warning Concerning Public Wi-Fi Networks


The National Security Agency has cautioned public servants against hackers who can take advantage of public Wi-Fi in coffee shops, airports, and hotel rooms.

NSA stated, “The Biden administration would like you to get a vaccine and wear a mask. Oh, and one more thing: It has just proclaimed that it’s time for government employees and contractors to get off public Wi-Fi, where they can pick up another kind of virus.” 

The National Security Agency released a strangely specific warning late last week, in a notification to every federal employee, leading defense companies, and the 3.4 million uniformed, civilian, and reserve personnel serving in the military, cautioning that logging on to a public Wi-Fi network “may be convenient to catch up on work or check email.” In an eight-page report, the agency describes how a click on the local coffee shop's network can cause problems, in a year highlighted by ransomware attacks on pipelines, meatpackers, and even police forces in Washington, DC.

“Avoid connecting to public Wi-Fi, when possible,” the warning read, stating that even Bluetooth connections can be compromised. 

Officials acknowledged that individuals are about as likely to follow the advice as they are to stay fully masked outdoors at a baseball game. However, the message marks a turning point, with the nation's primary signals intelligence agency aiming to apply the brakes after a decade in which every restaurant, hotel, or airline has faced competing pressures to enhance its free Wi-Fi.

The risk is not theoretical: it is openly recognized and used in various malicious approaches. The warning directs readers to videos showing how easily an attacker on an unsecured Wi-Fi network, which demands no password, can collect passwords and gain access to mobile phone content.

The alert by NSA, without mentioning specific occurrences, includes a warning that criminals or foreign intelligence agencies can generate open Wi-Fi infrastructures that look like they are from a hotel or a coffee house, but certainly are “an evil twin, to mimic the nearby expected public Wi-Fi.” 

Officials said the National Security Agency's caution was not triggered by a sudden surge in criminals or national adversaries exploiting public internet to steal data or orchestrate hacks. Instead, it appeared to be part of a much-increased effort by the US government in recent months to make people aware of a variety of technological vulnerabilities.

Recently, President Biden signed an Executive Order establishing several cybersecurity criteria for software firms that sell to the federal government. Federal agencies must implement two-factor authentication, in the same way customers receive a text message with a code from their bank before accessing their account details.

CISA Partners with Leading Technology Providers for New Cybersecurity Initiative


As part of a new campaign aimed at improving the country's cyber defences, the US government has announced partnerships with Amazon, Microsoft, Google, and other major corporations. According to CISA Director Jen Easterly, the Joint Cyber Defense Collaborative, or JCDC, would strive to take a proactive approach to cyber defense in the wake of multiple high-profile breaches that damaged the federal government and the general public. 

The JCDC would initially focus on battling ransomware and other cyberattacks against cloud computing providers, according to a Wall Street Journal report, in order to avoid situations like the recent Kaseya supply-chain ransomware incident that occurred earlier this summer. 

“The industry partners that have agreed to work side-by-side with CISA and our interagency teammates share the same commitment to defending our country’s national critical functions from cyber intrusions, and the imagination to spark new solutions,” Easterly said in the statement. 

CISA will be able to integrate unique cyber capabilities across numerous federal departments, state and local governments, and private sector firms to achieve shared objectives due to the establishment of the JCDC. The new programme will also enable the public and commercial sectors to share information, coordinate defensive cyber operations, and participate in joint exercises to improve cyber defense operations in the United States. 

Aside from AWS, Microsoft, and Google Cloud, the JCDC will collaborate with AT&T, Crowdstrike, FireEye Mandiant, Lumen, Palo Alto Networks, and Verizon. Meanwhile, the Department of Defense (DoD), US Cyber Command, the National Security Agency (NSA), the Department of Justice (DoJ), the FBI, and the Office of the Director of National Intelligence are among the government's partners.

Rep. Jim Langevin, D-RI, a member of the Cyberspace Solarium Commission and a senior member of the House Committee on Homeland Security, said the JCDC is “exactly the kind of aggressive, forward-thinking we need to combat the ever-growing cyber threats that face our nation.” In a statement, Langevin said the JCDC “brings together our [Cyberspace Solarium Commission] recommendations about planning, intelligence fusion and cybersecurity operations in a visionary way.”

According to a Langevin aide, the Joint Cyber Defense Collaborative will house the Joint Planning Office, which Congress has authorised, as well as the Joint Collaborative Environment, if passed this year as politicians like Langevin hope.

NSA and FBI Blame Russia for Massive ‘Brute Force’ Attacks on Microsoft 365


American intelligence and law enforcement agencies have accused a Kremlin-backed hacking group of a two-year campaign to break into Microsoft Office 365 accounts.

In a joint report with British intelligence, the NSA, FBI, and DHS blamed Fancy Bear for the broad "brute force" attacks. Fancy Bear is most known for hacking the Democratic National Committee in the run-up to the 2016 Presidential Elections. 

Fancy Bear, according to the agencies, was actually the 85th Main Special Service Center (GTsSS), a group within the Russian General Staff Main Intelligence Directorate (GRU), and that it had been carrying out its brute force attacks on a variety of sectors, which include government and military departments, defense contractors, political parties, energy companies, and media outlets. The majority of the targets were based in the United States and Europe. 

The joint statement stated, “These efforts are almost certainly still ongoing. This brute force capability allows the 85th GTsSS actors to access protected data, including email, and identify valid account credentials. Those credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion.” 

“This lengthy brute force campaign to collect and exfiltrate data, access credentials, and more is likely ongoing, on a global scale,” said Rob Joyce, the NSA's director of cybersecurity. 

At the time of writing, neither Microsoft nor the Russian embassy in London had replied to requests for comment. Fancy Bear used a technique known as "password spraying," in which computers attempt as many logins as possible against a particular system. The devices' traffic is routed through virtual private networks or the Tor network, both of which conceal a system's actual IP address by routing it through a variety of servers.

According to the US report, they did this using Kubernetes, an open-source platform built by Silicon Valley tech giant Google for managing computer processes. The report says users of Microsoft 365 and other targeted cloud products should use multi-factor authentication, which requires a one-time code in addition to the login and password to access an account. It also suggests that if a user makes many unsuccessful attempts to log into an account, the user should be locked out or made to wait before trying again.
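The two recommendations above, detecting a spray (few attempts against many accounts from one source) and locking out an account after repeated failures, as an added example that is not part of the joint advisory or any Microsoft product. The line-delimited JSON sign-in log is constructed for illustration and only loosely mirrors a cloud sign-in log; thresholds and window are assumptions to be tuned per environment.

```python
"""Password-spray detection and lockout logic over sign-in events.

Added example; the log format, thresholds and sample events below are
constructed, not taken from the advisory or from any vendor's log schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data); one JSON object per line.
# 203.0.113.7 sprays six accounts, 198.51.100.9 hammers one account,
# 192.0.2.5 is an ordinary user who mistypes once.
SAMPLE_LOG = """\
{"ts": "2021-07-01T08:00:01Z", "user": "alice@example.com", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2021-07-01T08:00:04Z", "user": "bob@example.com", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2021-07-01T08:00:07Z", "user": "carol@example.com", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2021-07-01T08:00:10Z", "user": "dave@example.com", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2021-07-01T08:00:13Z", "user": "erin@example.com", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2021-07-01T08:00:16Z", "user": "frank@example.com", "ip": "203.0.113.7", "result": "success"}
{"ts": "2021-07-01T08:05:00Z", "user": "carol@example.com", "ip": "198.51.100.9", "result": "failure"}
{"ts": "2021-07-01T08:05:10Z", "user": "carol@example.com", "ip": "198.51.100.9", "result": "failure"}
{"ts": "2021-07-01T08:05:20Z", "user": "carol@example.com", "ip": "198.51.100.9", "result": "failure"}
{"ts": "2021-07-01T08:05:30Z", "user": "carol@example.com", "ip": "198.51.100.9", "result": "failure"}
{"ts": "2021-07-01T08:05:40Z", "user": "carol@example.com", "ip": "198.51.100.9", "result": "failure"}
{"ts": "2021-07-01T09:00:00Z", "user": "dave@example.com", "ip": "192.0.2.5", "result": "failure"}
{"ts": "2021-07-01T09:00:20Z", "user": "dave@example.com", "ip": "192.0.2.5", "result": "success"}
"""

SPRAY_WINDOW = timedelta(minutes=30)   # look-back window per source IP (assumption)
SPRAY_MIN_USERS = 5                    # distinct accounts failed from one IP (assumption)
LOCKOUT_THRESHOLD = 5                  # consecutive failures before locking (assumption)


def parse_events(text):
    """Parse the line-delimited JSON log into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=SPRAY_WINDOW, min_users=SPRAY_MIN_USERS):
    """Flag source IPs that fail against many distinct accounts inside one window.

    A spray tries a few passwords against many users, so the signal is breadth
    (distinct accounts per source), not depth (attempts per account). Returns
    {ip: {"targeted": [users that failed], "successes": [users that logged in]}}
    so a responder can see at once whether the spray landed anywhere.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):              # sliding window over time-ordered events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            failed = {e["user"] for e in evs[start:end + 1] if e["result"] == "failure"}
            if len(failed) >= min_users:
                ok = {e["user"] for e in evs if e["result"] == "success"}
                flagged[ip] = {"targeted": sorted(failed), "successes": sorted(ok)}
                break
    return flagged


def accounts_to_lock(events, threshold=LOCKOUT_THRESHOLD):
    """Return accounts whose run of consecutive failures reached `threshold`.

    This is the single-account brute-force case the advisory's lockout or
    back-off recommendation addresses; it fires even where no spray is seen.
    """
    streak = defaultdict(int)
    locked = set()
    for e in events:
        if e["result"] == "failure":
            streak[e["user"]] += 1
            if streak[e["user"]] >= threshold:
                locked.add(e["user"])
        else:
            streak[e["user"]] = 0                # a success resets the counter
    return sorted(locked)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("spray sources:", detect_password_spray(evs))
    print("accounts to lock:", accounts_to_lock(evs))
```

Note that the spray source in the sample is one IP for clarity; against traffic routed through VPNs or Tor, as the article describes, the same breadth check is usually applied per ASN, per user-agent or per tenant-wide time bucket rather than per single address.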

The allegations follow President Biden's meeting with Russian President Vladimir Putin, during which the US leader urged his Russian counterpart to assist America in stopping the flow of destructive cyberattacks plaguing organizations throughout the world. 

In recent months, ransomware attacks on gas company Colonial Pipeline and meat supplier JBS, as well as thefts of US federal agency emails via a breach of IT supplier SolarWinds, have prompted concern. 

The current attacks look to be one of Fancy Bear's "classic military intel mission that is their major emphasis," according to John Hultquist, vice president of intelligence analysis at cybersecurity firm FireEye. 

Hultquist added that their bread and butter is good old-fashioned spy vs. spy activity that has been carried over into the cyber arena. He expressed concern that the organization may target the next Olympic Games in Japan, citing Russia's prior involvement in assaults on the 2018 Winter Olympics in South Korea.

Cyber Threat U.S. Spy Agency Collaborates with Private Sector to Counter Threat


The U.S. National Security Agency, which is renowned globally for its secrecy, on Tuesday opened its arms to the private sector with the aim of strengthening relations and learning about hacking campaigns from the U.S. firms that are repeatedly targeted by hacking groups. 

"I think it is really important for NSA to take a stance where we are engaging and figuring out how to make the environment more secure and everyone is learning from the lessons of the past," NSA Director of Cybersecurity Rob Joyce said at a media roundtable.

U.S. law bars the NSA from accessing American computer networks, so the agency hopes that increasing partnerships with defense, technology, and telecommunications companies will provide insights the agency can’t get on its own, he added. However, he declined to disclose the names of the companies the NSA is working with and didn’t expand on what information private companies would share with the agency.

The NSA’s publicity tour comes after a series of high-profile hacks over the last year, including a massive cyberattack that penetrated numerous federal agencies and another that crippled a major U.S. gas pipeline. 

The center, which started in January 2020, is unique in the NSA's history because it is located in a nondescript office park in suburban Maryland next to defense contractors, including Northrop Grumman Corp., Raytheon Technologies Corp., and General Dynamics Corp., and is across the street from NSA headquarters. But the center doesn’t have the same barbed wire fencing and armed guards as the NSA. 

U.S. officials admitted a lack of total visibility of the cyber threat due to legal restrictions that prevent the NSA and other federal spy agencies from collecting data on domestic computer networks. Foreign hackers know about the controls, former U.S. officials say, so they often stage attacks on U.S.-based servers.

"U.S. companies will also benefit from the NSA's vast experience and analytical capability. Cybersecurity is a team sport and NSA is really just stepping up to play its position. Providing services to the defense industrial base and national security systems and a large U.S. market share is what we focus on from a selection criteria," said Morgan Adamski, chief of the center.

NSA and CISA Jointly Issued Guidance On Protective DNS Services


America’s chief security agencies, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), released a joint information sheet on Thursday describing the benefits of using a Protective Domain Name System (PDNS).
 
How does a Protective Domain Name System (PDNS) work?

A PDNS service uses existing Domain Name System (DNS) protocols and infrastructure to analyze DNS queries and mitigate threats. It draws on many open-source, non-profit, and governmental threat feeds to categorize domain information and block queries to identified malicious domains.

According to the NSA and CISA, a PDNS service provides threat prevention measures against network exploitation, covering various kinds of online threats such as phishing attacks, malware distribution, domain generation algorithms, command and control, and content filtering.

Additionally, a PDNS can log and save suspicious queries and return a blocked response to malicious activity on a system, such as ransomware locking victim files, while letting institutions use the logged DNS data.
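The resolve-or-block-and-log behaviour described above, as an added example that is not code from NSA, CISA or any of the listed providers. The categorized threat feed, the upstream answers, the sinkhole address and the client queries are all constructed; a real PDNS would speak DNS on the wire and pull feeds continuously, but the policy decision is the same.

```python
"""Minimal model of a Protective DNS (PDNS) policy layer.

Added example. THREAT_FEED, UPSTREAM, SINKHOLE_IP and the clients used in the
usage section are constructed for illustration only.
"""
from datetime import datetime, timezone

# Constructed categorised threat feed: listed domain -> category. A listed
# domain also covers its subdomains, which is how such feeds are normally applied.
THREAT_FEED = {
    "malware-drop.example": "malware",
    "login-update.example": "phishing",
    "beacon.example": "command-and-control",
}

# Block answer: an RFC 5737 documentation address standing in for a sinkhole.
SINKHOLE_IP = "192.0.2.1"

# Stand-in for the upstream resolver: constructed A records for benign names.
UPSTREAM = {
    "www.example.com": "93.184.216.34",
    "api.example.org": "198.51.100.20",
}


def normalise(qname):
    """Strip the trailing dot of a fully qualified name and lower-case it."""
    return qname.rstrip(".").lower()


def match_feed(qname, feed=THREAT_FEED):
    """Return (listed_domain, category) if qname or any parent domain is listed.

    Matching walks label boundaries, so 'cdn.beacon.example' hits
    'beacon.example' but 'notbeacon.example' does not.
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate, feed[candidate]
    return None


def resolve(qname, client, feed=THREAT_FEED, upstream=UPSTREAM, log=None):
    """Answer one query as a PDNS would: block and log listed names, forward the rest.

    Returns a dict describing the answer and, if `log` is a list, appends a
    record of the decision so the institution can mine it afterwards.
    """
    hit = match_feed(qname, feed)
    if hit:
        listed, category = hit
        answer = {"qname": qname, "action": "blocked", "answer": SINKHOLE_IP,
                  "category": category, "matched": listed}
    else:
        ip = upstream.get(normalise(qname))
        answer = {"qname": qname, "action": "resolved" if ip else "nxdomain",
                  "answer": ip}
    if log is not None:
        log.append({"ts": datetime.now(timezone.utc).isoformat(),
                    "client": client, **answer})
    return answer


def blocked_by_client(log):
    """Summarise the log as {client: {category: count}} for blocked queries.

    A client with command-and-control hits is a host to triage, not just a
    query that was stopped: the block prevented the callback, not the infection.
    """
    summary = {}
    for entry in log:
        if entry["action"] != "blocked":
            continue
        per = summary.setdefault(entry["client"], {})
        per[entry["category"]] = per.get(entry["category"], 0) + 1
    return summary


if __name__ == "__main__":
    log = []
    for client, name in [("10.0.0.5", "www.example.com"),
                         ("10.0.0.8", "cdn.beacon.example."),
                         ("10.0.0.8", "login-update.example")]:
        print(client, name, "->", resolve(name, client, log=log))
    print("hosts to triage:", blocked_by_client(log))
```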

The information sheet gave a list of providers, but NSA and CISA explicitly stated, “We, the federal agencies do not endorse one provider over another”. The listed six companies are BlueCat, Akamai, Cisco, EfficientIP, Nominet, and Neustar. 

How did NSA and CISA arrive at their recommendations?

The recommendations are based on lessons learned from an NSA PDNS pilot. The NSA partnered with the Defense Cyber Crime Center (DDCCC) to offer PDNS-as-a-service to members of the defense industrial base. Over the pilot, the PDNS service examined over 4 billion DNS queries from participating networks and successfully blocked millions of connections to identified malicious domains.

Oliver Tavakoli, chief technology officer at Vectra stated, “Like other preventive approaches, they are useful in protecting organizations from known bads, but ultimately fall short in blocking the early stages of a new attack or more sophisticated attacks...”

“...So it makes sense to implement PDNS to reduce the attack surface; however, it should not be thought of as a preventive silver bullet that obviates the need to detect attackers who know how to bypass these protections,” Tavakoli added.

Ray Kelly, a principal security engineer at WhiteHat Security, added that “DNS exploitations are still incredibly rampant and require some attention because they are such an effective technique used by malicious actors”.

Chinese Hackers Cloned Exploit Tool Belonging to NSA

A Chinese hacking group allegedly "cloned" and deployed a zero-day exploit created by the U.S. National Security Agency's Equation Group before Microsoft fixed the Windows vulnerability being exploited in 2017, according to an analysis published on Monday by Check Point Research. For some time, researchers had assumed that the Chinese hacking group known as APT31 or Zirconium had developed its own exploit tool for a vulnerability tracked as CVE-2017-0005 and found in older versions of Windows, such as Windows 7 and Windows 8, according to the report. 

The report raises further questions about how some of the NSA's most valued cyberweapons have been discovered or stolen by nation-state hacking groups and then turned on their developers over the years. In May 2019, Symantec published a similar report that found another group of hackers had taken and exploited cyber tools developed by the NSA. Both the Symantec and Check Point research show that the theft of NSA Equation Group tools by these groups appears to have occurred before the hacking group known as the Shadow Brokers first began publishing the agency's exploits in 2016. 

Security researchers previously noted that a zero-day exploit for CVE-2017-0005, called "Jian," was created in 2014 and first deployed in 2015. The exploit was used for a long time before Microsoft finally issued a patch for it in 2017. When exploited, this bug could allow an attacker to escalate privileges on a compromised device and then gain full control, the researchers note. Microsoft published its fix for CVE-2017-0005 in March 2017, when the company was forced to issue multiple fixes for the exploits related to the Shadow Brokers "Lost in Translation" leak, Check Point notes. 

A further investigation by Check Point found that Jian was not an original creation, but rather a clone of a zero-day exploit for older versions of Windows created by the NSA Equation Group in 2013 and originally called "EpMe" by the agency, according to the new report. 

In another case documented by Symantec in 2019, APT3 "Buckeye" was connected to attacks using Equation Group tools in 2016, before the Shadow Brokers leak.

National Crime Agency Detained the Operator of SMS Bandits for Phishing Message Services

The National Crime Agency of the United Kingdom has announced the arrest of the operator of the 'SMS Bandits' service. Although the NCA did not disclose the suspected fraudster's identity, the cybercrime department of the Metropolitan Police has announced the detention of a Birmingham resident linked to the company offering illicit phishing services. The platform was used to send large volumes of phishing SMS. The fraudster had sent out a huge number of fake messages spoofing organizations such as PayPal, telecom providers, COVID-19 pandemic relief organizations, and others. 

SMS Bandits, including the detained man, obtained account credentials for numerous popular websites by sending fake SMS messages by the millions, and offered those credentials on dark web platforms they controlled. The operators also used the pseudonyms Bamit9, Gmuni, and Uncle Munis on the dark web. SMS Bandits supplied an SMS phishing service for the mass transmission of text messages intended to collect account credentials for various common websites and to steal personal and financial information. 

Angus, a researcher at Scylla Intel, a cyber intelligence firm, stated that the SMS Bandits' phishing lures were uncommonly well done and free of the syntax and spelling errors that usually make it possible to detect a fake message. “Just by virtue of these guys being native English speakers, the quality of their phishing kits and lures were considerably better than most,” Angus added. 

According to Scylla Intel, the SMS Bandits made a variety of operational security errors that made it relatively easy to figure out who they actually are. Scylla Intel also collected evidence that the SMS Bandits used the email addresses and passwords stolen through their services to validate the credentials. 

According to the sources, the SMS Bandits are also tied to a dark web criminal program named “OTP Agency”, a service designed to intercept the one-time passwords required when logging into various websites. The modus operandi involves the customer entering the target’s phone number and name, after which OTP Agency initiates an automated phone call to the target alerting them to unauthorized activity on their account. 

SMS Bandits also offered its own "bulletproof hosting," marketed as a "freedom of communications" portal where clients can "host any content without restrictions." That content inevitably takes the form of sites on which users of various web platforms are phished for their credentials.

According to a new survey, SMS phishing grew by over 328% in 2020. Judging by that, the fraudsters show no sign of fear.

NSA Issues Guidelines for Eliminating Obsolete TLS Protocols

The National Security Agency is a US agency on which America relies heavily to collect and process foreign signals, interpret them, share them with US officials, and act against suspicious activity. These signals are not comprehensible to laypeople; a team of mathematicians, technical experts, and analysts is required to decode the encrypted signals into a readable format. 

The NSA has expressly recommended replacing obsolete TLS (Transport Layer Security) protocol configurations, because the obsolete protocols were exposing the sensitive information of those using them. Over time the NSA has discovered new weaknesses in TLS authentication and configuration. Such flaws are not acceptable, as they breach the wall of privacy between client and server by weakening the encryption so that the data becomes easily accessible to attackers. 

The exchange of communication between server and client is sensitive, valuable data that needs protection, and for this purpose strong protection channels and electronic systems like TLS and Secure Sockets Layer (SSL) were developed. 

TLS is a protocol for securing communication between a client and a server. It uses encryption and authentication to protect the information. Nevertheless, some new attacks against TLS and its authentication have recently been discovered. Network connections employing obsolete protocols are at an elevated risk of exploitation by adversaries. For this situation, the NSA has issued strict guidelines that need to be enforced as soon as possible. It said that obsolete and weakened TLS protocol implementations have been observed recently, which is a threat to the country’s intelligence. Furthermore, it stated, “nation-state or sufficiently resourced actors are able to exploit these weak communications”. 

As a solution, the NSA recommended that only TLS 1.2 and TLS 1.3 should be used and that SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 should not be used. It said that all TLS implementations should be up to date and configured in accordance with the CNSS and NIST guidelines. 
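The following Python example is added here (it is not from the NSA guidance) to show what that recommendation looks like as a configuration check: it audits an nginx-style `ssl_protocols` line for the four obsolete versions, emits a corrected line that keeps only TLS 1.2 and 1.3, and builds a Python `ssl.SSLContext` that refuses anything below TLS 1.2. The weak config line is constructed for the example.

```python
"""Audit TLS protocol-version settings against the NSA guidance (only TLS 1.2
and 1.3 allowed) and build a hardened server context. Constructed example."""
import re
import ssl
from typing import List, Tuple

OBSOLETE = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # must not be used
APPROVED = ["TLSv1.2", "TLSv1.3"]                  # the only permitted versions


def audit_nginx_protocols(config: str) -> Tuple[List[str], str]:
    """Scan nginx-style `ssl_protocols` directives. Returns the obsolete
    versions found and a corrected copy of the config in which each directive
    keeps only approved versions (or lists both approved versions if none
    were present)."""
    findings: List[str] = []

    def fix(match: "re.Match[str]") -> str:
        versions = match.group(1).split()
        findings.extend(v for v in versions if v in OBSOLETE)
        keep = [v for v in versions if v in APPROVED] or list(APPROVED)
        return "ssl_protocols " + " ".join(keep) + ";"

    fixed = re.sub(r"ssl_protocols\s+([^;]+);", fix, config)
    return findings, fixed


def hardened_server_context() -> ssl.SSLContext:
    """Python-side equivalent of the corrected directive: refuse every
    handshake below TLS 1.2 regardless of what the client offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_allows_obsolete(ctx: ssl.SSLContext) -> bool:
    """True if the context would still negotiate SSL 2.0/3.0 or TLS 1.0/1.1."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    # Constructed weak configuration beside its corrected form.
    weak = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n"
    found, corrected = audit_nginx_protocols(weak)
    print("obsolete versions:", found)
    print("corrected:", corrected.strip())
    print("hardened context allows obsolete:",
          context_allows_obsolete(hardened_server_context()))
```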

The NSA urged the public to follow the guidelines and implement the newer TLS protocols, given the dangerous consequences of using obsolete encryption, which include a false feeling of security based on a distorted sense of trust in how the system works. Updating TLS protocols and configurations is in everyone's best interest, as it provides stronger encryption and authentication. 

Russian Hackers Use Linux Malware Drovorub, NSA and FBI Finds Out

The NSA and FBI released a joint report today describing a new kind of Linux malware. According to the two intelligence agencies, state-sponsored Russian military hackers are using this new malware, called Drovorub, to plant backdoors inside breached networks. Fancy Bear and Sednit (APT28) are behind these attacks. The NSA and FBI have notified major private and public organizations to stay aware of the malware and implement protective measures. The malware is a multi-component system built around an implant: it comes with a file transfer kit, a C2 server, a kernel module tool, and a port-forwarding module.

The malware is a kind of Swiss army knife. Using Drovorub, hackers can do many things, such as controlling the target's systems and stealing data and personal files. Drovorub is also designed to work in stealth mode, using rootkit techniques to stay undetected. It lets the attackers stage components on different systems, ready to act at any given moment. The US has long been a primary target for cybercriminals because of its sophisticated technology environment.

There's no substantial evidence as to the motive behind this attack. However, experts believe that the purpose might be espionage or tampering with the upcoming presidential elections. The joint report of the FBI and NSA says, "The Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, is deploying previously undisclosed malware for Linux® systems, called Drovorub, as part of its cyberespionage operations. GTsSS malicious cyber activity has formerly been attributed by the private sector using the names Fancy Bear, APT28, Strontium, and various other identifiers."

To stay safe, the agencies have recommended that US organizations update their Linux systems to kernel version 3.7 or later. "To prevent a system from being susceptible to Drovorub's hiding and persistence, system administrators should upgrade to Linux Kernel 3.7 or later to take full advantage of kernel signing enforcement. Additionally, system owners are advised to configure systems to load only modules with a valid digital signature, making it more difficult for an actor to introduce a malicious kernel module into the system," says the US intelligence agencies' report.
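As an added example (not part of the NSA/FBI report), the Python script below checks a host against the two mitigations quoted above: a kernel at 3.7 or later, and module signature enforcement switched on. It reads the standard `/sys/module/module/parameters/sig_enforce` kernel parameter file and `uname -r`; the version-comparison helper exists because a naive string comparison ranks "3.10" below "3.7".

```python
"""Check a Linux host against the two Drovorub mitigations in the NSA/FBI
advisory: kernel 3.7 or later, and module signature enforcement switched on.
Constructed example; the sysfs path is the standard kernel parameter file."""
import os
import re
from pathlib import Path
from typing import List, Optional, Tuple

MIN_KERNEL = (3, 7)
# Exposed by kernels built with CONFIG_MODULE_SIG; reads "Y" when enforcing.
SIG_ENFORCE_PATH = Path("/sys/module/module/parameters/sig_enforce")


def parse_kernel_version(release: str) -> Tuple[int, int]:
    """Extract (major, minor) from a `uname -r` string such as
    '3.10.0-1160.el7.x86_64' -> (3, 10)."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2))


def kernel_supports_signing(release: str) -> bool:
    """Compare as integer tuples: a plain string comparison would rank
    '3.10' below '3.7' and wrongly fail a supported kernel."""
    return parse_kernel_version(release) >= MIN_KERNEL


def signature_enforced(sig_enforce_value: Optional[str]) -> bool:
    """Only a literal 'Y' means unsigned modules are refused; a missing file
    (None) means the kernel was not built with module signing at all."""
    return sig_enforce_value is not None and sig_enforce_value.strip() == "Y"


def assess(release: str, sig_enforce_value: Optional[str]) -> List[str]:
    """Return the advisory's findings for the given kernel facts (empty = ok)."""
    findings = []
    if not kernel_supports_signing(release):
        findings.append(f"kernel {release} predates 3.7; upgrade for signing enforcement")
    if not signature_enforced(sig_enforce_value):
        findings.append("module signature enforcement is off; unsigned modules can load")
    return findings


def assess_local_host() -> List[str]:
    """Read the live values from the running system (Linux only)."""
    release = os.uname().release
    value = SIG_ENFORCE_PATH.read_text() if SIG_ENFORCE_PATH.exists() else None
    return assess(release, value)


if __name__ == "__main__":
    for finding in assess_local_host() or ["no findings"]:
        print(finding)
```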

NSA tool used for hacking in Baltimore ransomware attack

According to the New York Times, a key component of the malware used to disrupt U.S. cities, paralyzing local governments and residents, was developed by the National Security Agency (NSA).

Reportedly, the NSA lost control of the tool, called EternalBlue, in 2017.

EternalBlue has been used around the world, including in Russia, China, and North Korea, and has affected huge numbers of ATMs, hospitals, airports, and shipping operators around the globe.

Recently there was a high-profile ransomware attack on Baltimore in which computers were hacked and health alerts, water bills, real estate sales, and other public services were disrupted. 

On May 7th, city workers’ computer screens were locked and displayed a ransom message demanding $100,000 to free the city’s files. 

Various other U.S. cities have been attacked in a similar manner. 

The NSA and FBI declined to comment to the Times, but according to the reports the theft of EternalBlue was carried out by a group which calls itself the Shadow Brokers.

The group is either made up of disgruntled federal employees or foreign spies.

Ransomware tool causing chaos in Baltimore was developed by NSA

A recent spate of ransomware attacks in Baltimore and other U.S. cities has been executed using a tool developed by the National Security Agency (NSA). Thousands of people in Baltimore have been locked out of their computers in the past three weeks, causing disruption across the city. And this has been enabled by a piece of software created by the NSA, according to a report in the New York Times.

The EternalBlue exploit takes advantage of a vulnerability in Microsoft Windows machines to infiltrate target computers. The software was stolen from the NSA and leaked by hackers in 2017, and since then has been used in a wide variety of cybercriminal schemes. 2017’s WannaCry attack used the software, as did Russia’s NotPetya attack on Ukraine last year.

Now the same software is being used against U.S. citizens, causing particular problems for local governments whose machines have been disrupted. Many local governments do not regularly update their computers, leaving them vulnerable to exploits. In Baltimore, hospitals, airports, ATMs, shipping operators, and vaccine-producing factories have all been affected in the last few weeks.

The software locks the target computer’s screen, then shows a message demanding a payment of around $100,000 in Bitcoin for the target to regain access to their files. “We’ve watching you for days,” the message says, according to The Baltimore Sun. “We won’t talk more, all we know is MONEY! Hurry up!”

The NSA has never acknowledged the theft of the software or its responsibility for the cyberattacks conducted using it.

“The government has refused to take responsibility, or even to answer the most basic questions,” Thomas Rid, a cybersecurity expert at Johns Hopkins University, said to the Times. “Congressional oversight appears to be failing. The American people deserve an answer.”

EternalBlue may have been developed with good intentions to protect national security, but this event shows the problems with law enforcement or intelligence agencies having tools which allow them access to computers and phones. When such a tool is leaked, it can no longer be controlled.

Buckeye APT hackers stole the NSA hacking tools before Shadow Brokers leaked these tools

Buckeye APT, a Chinese state-sponsored hacking group, employed the tools of the Equation Group a year before they were leaked by the Shadow Brokers in 2017.

Shadow Brokers is a mysterious group of hackers who stole malware, hacking tools, and zero-day exploits from the Equation Group, a unit tied to the NSA and one of the most advanced cyberattack groups in the world.

Active since 2009, the Buckeye group, also known as APT3, used these tools earlier to carry out multiple attacks on organizations on its target list, mainly based in the United States, in order to gain unauthorized access to them.

Besides exploiting zero-day vulnerabilities in 2014, the Buckeye group, a couple of years later, used 'Trojan.Bemstour', a custom exploit tool, to reach its targets.

With the intent of attaining remote kernel code execution on victims' computer systems, Bemstour exploited the following Windows zero-day vulnerabilities: CVE-2019-0703 and CVE-2017-0143. These were later employed by EternalRomance and EternalSynergy, two NSA-owned exploit tools.

According to the findings of the Symantec report, “Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor. DoublePulsar is then used to inject a secondary payload, which runs in memory only. The secondary payload enables the attackers to access the affected computer even after DoublePulsar is removed.”

“The variant of DoublePulsar used in the first attacks performed by Buckeye was different to that leaked by the Shadow Brokers. It appears to contain code to target newer versions of Windows (Windows 8.1 and Windows Server 2012 R2), indicating that it is a newer version of the malware.”

List Of Enemy Hackers Revealed By An NSA Leak

When the secretive group calling itself the Shadow Brokers spilled a collection of NSA tools onto the web in a series of leaks beginning in 2016, they offered a rare look into the inner workings of the world's most advanced and stealthy hackers. But those leaks haven't just given the outside world access to the NSA's secret capabilities.

They may also give us a chance to see the rest of the world's hackers through the NSA's eyes. A piece of NSA software, called "Territorial Dispute," appears to have been designed to identify the malware of other nation-state hacker groups on a target computer that the NSA had infiltrated.

The Hungarian security researcher Boldizsár Bencsáth believes that this particular antivirus-like tool was intended not to remove other spies' malware from the victim machine, but to warn the NSA's hackers of a rival's presence, allowing them to pull back instead of potentially revealing their tricks to an adversary.

Bencsáth, a professor at CrySys, the Laboratory of Cryptography and System Security at the Budapest University of Technology and Economics, argues that the Territorial Dispute tool may offer clues to how the NSA sees the broader hacker landscape.

He intends to publish a paper on the CrySys website on Friday and is calling on the security research community to join him in investigating the software's clues.

Based on some matches he has established between components of Territorial Dispute's checklist and known malware, he argues that the leaked program possibly demonstrates that the NSA knew about some groups years before those hackers' activities were exposed publicly.

"The idea is to find out what the NSA knew, to find out the difference between the NSA viewpoint and the public viewpoint," says Bencsáth, arguing that there may even be a chance of uncovering current hacking operations, so that antivirus or other security firms can learn to detect their infections. "Some of these attacks might even still be on-going and alive."

He believes that the tool demonstrates the NSA's knowledge of some foreign malware that still hasn't been publicly revealed.

When the leaked version of Territorial Dispute runs on a target computer, it checks for signs of 45 different types of malware, neatly labeled SIG1 through SIG45, by looking for unique files or registry keys those programs leave on victim machines. SIG2 is malware used by another known Russian state hacker group, Turla.

The last and latest entry on the list is a piece of malware discovered publicly in 2014, also tied to that long-running Turla group. Other entries on the list range from the Chinese malware used to hack Google in 2010 to North Korean hacking tools.

Bencsáth believes that the entries in the list appear roughly in chronological order, apparently based on when each was first known to be deployed. A collection of malware known as "Cheshire Cat" is listed before the Chinese malware used in the 2010 attack on Google, and researchers believe components of that campaign go back as early as 2002. However, that code was only revealed publicly in a talk at the Black Hat conference in 2015.

In another case, Territorial Dispute lists as SIG25 the malware known as Dark Hotel, known to have been used by North Korean hackers to spy on targeted hotel guests.

To be fair, the exact order of Territorial Dispute's malware list is far from confirmed. A few entries on the list do appear to be out of order. And if the NSA kept its knowledge of ongoing attacks secret, that would fit its usual modus operandi, says Matthew Suiche, the founder of security firm Comae Technologies, who has closely followed the Shadow Brokers' leaks.

He also notes limitations in the information that can be gleaned from the Territorial Dispute code. Like the other Shadow Brokers leaks, it may well be a years-old piece of code.

Still, by putting out a call for other researchers to crowdsource the problem of matching those Territorial Dispute entries with past malware samples, Bencsáth hopes it may lead to the identification and blocking of state-sponsored hacking tools that the NSA has tracked for years.

Canadian Spy agency with help of NSA tracked passengers who used free airport WiFi

Here is another example of why public WiFi networks pose a potential risk to your data.

A report from CBC News, based on a newly leaked secret document from former U.S. security contractor Edward Snowden, reveals that a Canadian spy agency was spying on passengers who used free WiFi service in airports.

The Communications Security Establishment Canada (CSEC) is prohibited from spying on Canadians without a warrant. However, it collected metadata about all travelers passing through the airport, including Canadians.

The document presented to the CBC shows that the information captured from travelers' devices then helped the spy agency track them for a week or more as their wireless devices connected to other Wi-Fi hotspots in locations around Canada and even at US airports.

According to CBC, the leaked document suggests the operation was a trial run of new software developed by CSEC with the help of the US National Security Agency (NSA).

The two largest Canadian airports, Toronto and Vancouver, and Boingo, a large independent WiFi service supplier at other airports, have denied any involvement in providing information on WiFi users.