Cyber-ketju: verkkovakoilu,kännyköiden ja wlanien seuranta, hakkerointi, virukset, DoS etc

[ctg]

Russian spies from APT29 responded to Western agencies outing their tactics by adopting a red-teaming tool to blend into targets' networks as a legitimate pentesting exercise.

Now, the UK's National Cyber Security Centre (NCSC) and the US warn, the SVR is busy exploiting a dozen critical-rated vulns (including RCEs) in equipment ranging from Cisco routers through to VMware virtualization kit – and the well-known Pulse Secure VPN flaw, among others.

"In one example identified by the NCSC, the actor had searched for authentication credentials in mailboxes, including passwords and PKI keys," warned the GCHQ offshoot today.

Roughly equivalent to MI6 mixed with GCHQ, the SVR is Russia's foreign intelligence service and is known to infosec pros as APT29. A couple of weeks ago, Britain and the US joined forces to out the SVR's Tactics, Techniques and Procedures (TTPs), giving the world's infosec defenders a chance to look out for the state-backed hackers' fingerprints on their networked infrastructure.

"SVR cyber operators appear to have reacted to this report by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders," said the poker-faced NCSC today, in an advisory detailing precisely what those changed TTPs are.

They include:

• A severe hole in Pulse Secure's Zero Trust Remote Access VPN software;
• An arbitrary code execution vuln in F5 BIG-IP app delivery controllers;
• An exploitable flaw in the Cisco RV320 WAN router (live code for the exploit exists in the wild);
• A critical vuln in Citrix (Netscaler) ADC load-balancers (publicly disclosed, ironically, by now-US-sanctioned Positive Technologies);
• A critical RCE vuln in VMware's HTML5 client for its vSphere hybrid cloud suite; and
• An exploitable hole in Oracle's WebLogic Server permitting remote code execution

On top of all that the SVR is also posing as legitimate red-team pentesters: looking for easy camouflage, the spies hopped onto GitHub and downloaded the free open-source Sliver red-teaming platform, in what the NCSC described as "an attempt to maintain their accesses."

There are more vulns being abused by the Russians and the full NCSC advisory on what these are can be read on the NCSC website. The advisory includes YARA and Snort rules.

Russian cyber-spies changed tactics after the UK and US outed their techniques – so here's a list of those changes

Plus: NCSC warns of how hostile powers may exploit smart city infrastructure

www.theregister.com

Ei voi olla muna tai kana tilanne. Eikä voida mennä takaisin tilanteeseen missä meitä rankaistaan bugien löytämisestä ja siitä ilmoittamisesta. Ei voi olla myöskään hiljaa näistä asioista kun siitä sitten kärsii jokainen.

 

[letkuspede]

Kyberhyökkäys polttoaineen jakeluverkkoon Yhdysvalloissa nostanee bensan hintaa, FBI nimesi hyökkääjäksi Darksiden â tämä iskusta nyt tiedetään

Yhdysvaltain suurin jalostetun polttoaineen kuljetuslinjasto jouduttiin sulkemaan lähes kokonaan perjantaina havaitun kyberiskun vuoksi. Linjastoa operoiva yhtiö kertoo joutuneensa kiristyshaittaohjelmalla tehdyn hyökkäyksen kohteeksi.

yle.fi

 

[ctg]

Many questions are still unknown such as, was the pipeline shut down as a precaution or as a result of the cyberattack? Who was behind the attack and how sophisticated were the attackers when it came to targeting and infecting critical Colonial Pipeline Company systems?

“It’s not yet clear whether they shutdown the pipeline out of an abundance of caution to stop the spread of the ransomware payload or they can’t operate the pipeline because either OT systems have been impacted or they are dependent on IT systems,” wrote Dave White, president of Axio, in an email to Threatpost.

Ang Cui, CEO of Red Balloon Security, who does advanced threat research for the DOD and DHS, focused on embedded devices and ICS, said it was likely a criminal not nation-state attack.

“Although Colonial shut down its operations, it doesn’t necessarily mean the ICS was compromised,” wrote Cui in an email statement regarding the Colonial cyberattacks. “It could be that they didn’t have enough separation between the IT and OT systems, so they pulled the plug before the attackers realized they had access to those sensitive systems – which would have significantly increased the cost of the ransom, in addition to jeopardizing physical controls.”

Major U.S. Pipeline Crippled in Ransomware Attack

Colonial Pipeline says it is the victim of a cyberattack that forced the major provider of liquid fuels to the East Coast to temporarily halt all pipeline operations.

threatpost.com

En olisi niin hirveän huolissani tuosta jenkkien putki-iskusta. Homma on vaiheessa ja häly on iso kun media nosti sen pinnalle. Se on enemmän auki siitä että antaako FBI esim luvan käyttää putkilinjaa taikka ruveta nostamaan niitä systeemejä takaisin backupeista jne. Isompi työ on sen päivitys luvan saaminen kun, "niihin systeemeihin ei saa koskea, vaikka mieli tekisi."

Kerta toisensa päälle on tilanteita missä legacy systeemit pyörii verkossa kun sitä lupaa niiden päivittämiseen taikka konfikuraation hardeniglle ei tule.

 

[ctg]

London-based security firm Digital Shadows said in September that DarkSide operates like a business and described its business model as "RaaC"—meaning Ransomware-as-a-Corporation.

In terms of its actual attack methods, DarkSide doesn't appear to be very different from smaller criminal operators. According to Digital Shadows, the group stands out due to its careful selection of targets, preparation of custom ransomware executables for each target, and quasi-corporate communication throughout the attacks.

DarkSide claims to avoid targets in medical, education, nonprofit, or governmental sectors—and claims that it only attacks "companies that can pay the requested amount" after "carefully analyz[ing] accountancy" and determining a ransom amount based on a company's net income. Digital Shadows believes these claims largely translate to "we looked you up on ZoomInfo first."

It seems quite possible that the group didn't realize how much heat it would bring onto itself with the Colonial Pipeline attack. Although not a government entity itself, Colonial's operations are crucial enough to national security to have brought down immediate Department of Energy response—which the group certainly noticed and appears to have responded to via this morning's statement that it would "check each company that our partners want to encrypt" to avoid "social consequences" in the future.

Hackers who shut down pipeline: We don’t want to cause “problems for society”

The attack paralyzed a pipeline that moves 2.5 million barrels per day.

arstechnica.com

Tämä on uusi Ransomware-as-a-Corporation.

 

[letkuspede]

Venäjä kiisti olevansa USA:ssa öljyputkeen kohdistetun kyberhyökkäyksen takana

Yhdysvaltojen tiedustelun mukaan kiristysohjelman alkuperä on Venäjällä.

yle.fi

 

[notareal]

Hackers who shut down pipeline: We don’t want to cause “problems for society”

The attack paralyzed a pipeline that moves 2.5 million barrels per day.

arstechnica.com

Tämä on uusi Ransomware-as-a-Corporation.

Tässä juttu DarkSide ransomware ryhmästä

A Closer Look at the DarkSide Ransomware Gang – Krebs on Security

krebsonsecurity.com

 

[Lunni]

Putki toimii taas.

While all indications are that the attack hit the IT portion of the company’s network and didn’t extend to the operational technology portion that controls pipeline operations, Colonial said on Saturday that it initiated the shutdown as a precautionary measure.

Colonial Pipeline resumes operations after ransomware prompted closure

Closure led to panic-buying, price hikes, and other disruptions in East Coast states.

arstechnica.com

 

[letkuspede]

Pian kun Biden ja Putin tapaavat, niin aivan varmasti esillä kyberrikollisuus ja sen torjunta. Tutkiiko Venäjä mahdolliset syytökset, mitä tulee rikolliseen toimintaan, joista Yhdysvalloilla ilmeisesti todisteita ja asetetaanko mahdolliset tekijät vastuuseen? Ja kyllä kaikki tietävät myös sen, että Venäjän valtio ostaa palveluita rikollisilta.

https://twitter.com/x/status/1392882802941702149

 

[Lunni]

Ilmankos putki aukesi, maksoivat $5M kiristäjille. Oikein hieno juttu että kiristysbisnes kannattaa... no eivät olleet ensimmäisiä maksajia, eivätkä varmaan viimeisiä..

Bloomberg - Are you a robot?

www.bloomberg.com

 

[magitsu]

Defence has begun stripping Israeli-developed technology from Army equipment because of fears it could be used to harvest sensitive data from military hardware and systems.
The company in question, Elbit Systems of Australia, has "strongly" rejected what it claims are "security rumours" connected to its multi-billion-dollar Battle Management System (BMS).

However, the ABC can reveal Army Headquarters last month issued a directive ordering Defence to "cease use" of the Elbit BMS Command and Control (BMS-C2) in preparation for a replacement system.

"The employment of the BMS-C2 system version 7.1 within Army's preparedness environment is to cease no later than May 15 2021," the order states.

Military sources have told the ABC that Defence believes the Elbit technology may compromise sensitive data, triggering a directive that it "not be configured or accessed" on certain Army systems.

Israeli company denies 'security rumours' as Defence removes multi-billion-dollar technology

Defence is stripping Israeli-developed technology from Army equipment, over fears it could be used to harvest sensitive data from military hardware and systems.

www.abc.net.au

 

[ctg]

An employee for the city of Oldsmar, Florida, visited a malicious website targeting water utilities just hours before someone broke into the computer system for the city’s water treatment plant and tried to poison drinking water, security firm Dragos said Tuesday. Ultimately, the site likely played no role in the intrusion, but the incident remains unsettling, the security firm said.

Florida water plant compromise came hours after worker visited malicious site

Researchers find watering-hole attack targeting water utilities.

arstechnica.com

 

[ctg]

“Cybercrime has matured so much there is a strange ‘People’s Court’ to dispute claims and wrongdoings in the underground syndicate,” Hammond explained. “If a scammer has been scammed, or a business agreement has turned sour, even a hacker can file a claim and have their time in front of a jury. There is no honor among thieves — but there is a “dark side” code of conduct. At least they have some ethical principles — albeit a bit twisted — guiding them.”

These darknet forums have provided RaaS providers with the infrastructure necessary to run mature, professional operations and sell their stolen data to the highest bidder. Ransomware tactics are becoming more potent, too.

Not content with settling for double extortion, where victims are threatened with losing access to their sensitive data, and also with having that data posted publicly, these ransomware gangs have decided to up the ante with triple extortion. That means not only is the victim’s data encrypted and potentially publicly disclosed, but the ransomware operators add a final twist by going after the victim’s customers and partners, demanding payments from them as well.

All of these leaks, in addition to recruitment, stolen data sales and more, are run on these Dark Web forums and overseen by a strict administration structure.

DarkSide Getting Taken to ‘Hackers’ Court’ For Not Paying Affiliates

A shadow court system for hackers shows how professional ransomware gangs have become.

threatpost.com

Tämä on uusi

 

[ctg]

If the user clicked the link on the email, the URL directs them to the legitimate Constant Contact service, which follows this pattern:

https://r20.rs6[.]net/tn.jsp?f=

The user is then redirected to NOBELIUM-controlled infrastructure, with a URL following this pattern:

https://usaid.theyardservice[.]com/d/<target_email_address>

The end result when detonating the LNK file is the execution of “C:\Windows\system32\rundll32.exe Documents.dll,Open”.

New sophisticated email-based attack from NOBELIUM | Microsoft Security Blog

Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware, and other related components. The campaign, initially observed...

www.microsoft.com

 

[inscout]

Ei tarvita koodia, kun on suora pääsy lähteelle:

Vakoilu | Macron ja Merkel vaativat selitystä USA:n ja Tanskan väitetystä vakoilusta

”Tätä ei voi hyväksyä liittolaisten välillä, ja vielä vähemmän liittolaisten ja eurooppalaisten kumppanien välillä”, Ranskan presidentti Emmanuel Macron toteaa.

www.hs.fi

U.S. spied on Merkel and other Europeans through Danish cables - broadcaster DR

The U.S. National Security Agency (NSA) used a partnership with Denmark's foreign intelligence unit to spy on senior officials of neighbouring countries, including German Chancellor Angela Merkel, Danish state broadcaster DR said.

www.reuters.com

 

[ctg]

For Russian software makers, Soldatov said, their government has become the best, and even the only, source of revenue.

So how do groups like Nobelium, or DarkSide, the Russian criminal group behind the Colonial Pipeline hack, arise? Says Soldatov, the members of such “criminal groups” very often have day jobs in Russian software companies. The Russian government subcontracts with individuals to hack Western targets. Often that subcontract is joined by a more conventional contract for the company for more benign products or services.

“You might have a company which is famous for writing software for defense, really good at DDoS prevention, right? That means they’re probably good at it,” said Soldatov. So Russian intelligence agencies can approach someone at that company and say “Look, there's a really good contract for you. Maybe you can help us with something? But it's kind of secret, off the books.”

In this way, the Russian government has become the only market for Russian coders. It’s part of the reason Russian coders who aren’t formally part of the military get caught up in Russian hacking campaigns and find themselves sanctioned or indicted by the U.S. Justice Department. And Russian coders, he said, aren’t afraid of being extradited to the United States. They’re much more afraid of the Russian government.

Russia’s Latest Hack Shows How Useful ‘Criminal Groups’ Are to the Kremlin

Russian coders have little choice but to work with their government, which in turn denies any knowledge of their activities. That’s why hacking activity shows no sign of slowing.

www.defenseone.com

Tässä on kiteytettynä koko homma. Koska he ovat yhtä hyviä kuin me matikassa ja tieteissä, vaihtoehto ratkaisu heidän "ongelmiinsa" on tarjota duunia lännessä, pois karhun ulottuvilta. Käytännössä kuitenkin helvetin vaikea ratkaisu.

 

[letkuspede]

Biden harkitsee vastatoimia Venäjää vastaan kyberiskun vuoksi

Venäjältä käsin toimiva rikollisjärjestö teki kyberhyökkäyksen maailman suurinta lihanjalostajaa vastaan.

www.iltalehti.fi

 

[ctg]

The FBI said it has seized $2.3 million paid to the ransomware attackers who paralyzed the network of Colonial Pipeline and touched off gasoline and jet fuel supply disruptions up and down the East Coast last month.

In dollar amounts, the sum represents about half of the $4.4 million that Colonial Pipeline paid to members of the DarkSide ransomware group following the May 7 attack, The Wall Street Journal reported, citing the company's CEO. The DarkSide decryptor tool was widely known to be slow and ineffective, but Colonial paid the ransom anyway. In the interview with the WSJ, CEO Joseph Blount confirmed that the shortcomings prevented the company from using it and instead had to rebuild its network through other means.

US seizes $2.3 million Colonial Pipeline paid to ransomware attackers

Funds seized after Justice Department IDs Bitcoin wallet and obtains its private key.

arstechnica.com

 

[ctg]

"Here we are, three decades later, and strong crypto is everywhere," writes PGP developer Phil Zimmermann in a blog post. "What was glamorous in the 1990s is now mundane. So much has changed in those decades. That's a long time in dog years and technology years. My own work shifted to end-to-end secure telephony and text messaging. We now have ubiquitous strong crypto in our browsers, in VPNs, in e-commerce and banking apps, in IoT products, in disk encryption, in the TOR network, in cryptocurrencies. And in a resurgence of implementations of the OpenPGP protocol. It would seem impossible to put this toothpaste back in the tube."

He continues: "Yet, we now see a number of governments trying to do exactly that. Pushing back against end-to-end encryption. [...] The need for protecting our right to a private conversation has never been stronger. Many democracies are sliding into populist autocracies. Ordinary citizens and grassroots political opposition groups need to protect themselves against these emerging autocracies as best as they can. If an autocracy inherits or builds a pervasive surveillance infrastructure, it becomes nearly impossible for political opposition to organize, as we can see in China. Secure communications is necessary for grassroots political opposition in those societies."

"It's not only personal freedom at stake. It's national security," says Zimmermann. "We must push back hard in policy space to preserve the right to end-end encryption."

PGP Turns 30 - Slashdot

prz writes: PGP just hit its 30th birthday. Before 1991, the average person had essentially no tools to communicate securely over long distances. That changed with PGP, which sparked the Crypto Wars of the 1990s. "Here we are, three decades later, and strong crypto is everywhere," writes PGP...

it.slashdot.org

 

[zlm]

Status page hosting with StatusCast

Status page and application status page provided by StatusCast.

status.fastly.com

Hupsistakeikkaa.

Full list of websites affected by mass internet outage across the world

A huge number of major names were affected, including the UK Government website.

metro.co.uk

A large number of websites across the world have gone down after a mass internet outage.


The mass web outage is believed to be caused by Fastly, a data centre provider, crashing earlier this morning.


Many websites are currently displaying a ‘503 error’ message and will not load. Others are having issues displaying images and emojis, or are extremely slow.


Fastly wrote on its website that in Europe, the incident is affecting Amsterdam, Dublin, Frankfurt and London.

In the US, Ashburn, Atlanta, Boston, Chicago, Dallas and Los Angeles have connection issues. Hong Kong, Tokyo and Singapore are affected in Asia.


At 10.58am UK time the website said it was ‘currently investigating potential impact to performance with our CDN services’, adding later that it was still investigating the issue.




At 11.44am Fastly wrote: ‘The issue has been identified and a fix is being implemented.’


At 11.57am the website said a fix has been applied, adding: ‘Customers may experience increased origin load as global services return.’

The websites which are down or having issues​

• AFR
• Age
• Amazon
• Boots
• BuzzFeed
• CNN
• Deliveroo
• Etsy
• Financial Times
• Giphy
• Horse and Hound
• IGN
• Imgur
• Independent
• Kickstarter
• Le Monde
• New York Times
• PayPal
• Pinterest
• Reddit
• Royal Mail
• SMH
• Spotify
• Taboola
• The Guardian
• The Verge
• Twitch
• Twitter
• UK Government website (including HM Revenue and Customs)
• Vimeo
• Weightwatchers

 

[ctg]

An advanced persistent threat that Russia found inside government systems was too crude to have been the work of a Western nation, says security researcher Juan Andrés Guerrero-Saade of Sentinel Labs, before suggesting the malware came from a Chinese entity.

Russian telco and IT services provider Rostelecom and the nation's National Coordination Center for Computer Incidents, an arm of the Russian Federal Security Service (FSB), in May published a joint report that detailed their assessment of attacks on several Russian government entities detected in 2020.

The report said the attacks were made using malware named "Mail-O" and asserted that attackers used cloud storage services provided by Russian companies Yandex and Mail.ru Group. The malware mimicked legitimate cloud storage management apps Disk-O and Yandex Disk.

Guerrero-Saade wrote that he feels the security industry has quickly defaulted to a view that Western actors were behind the attacks.

"I think we'll be relieved to find out that was most likely not the case – if solely because we've come to expect a higher standard for Western malware development," he wrote.

Guerrero-Saade reached that opinion after assessing samples of Mail-O and suggesting it is "a variant of a relatively well-known malware called PhantomNet or SManager used by a threat actor 'TA428'."

The researched makes that assertion because Mail-O, PhantomNet and SManager all share a function called "Entery" that he supposes is a misspelling of "Entry".

"Misspellings are a true gift for malware researchers," Guerrero-Saade wrote.

Security researcher says attacks on Russian government have Chinese fingerprints – and typos, too

Malware was too loose to have come from a Western nation, according to Sentinel Labs

www.theregister.com

The FBI has revealed how it managed to hoodwink the criminal underworld with its secretly backdoored AN0M encrypted chat app, leading to hundreds of arrests, the seizure of 32 tons of drugs, 250 firearms, 55 luxury cars, more than $148M, and even cocaine-filled pineapples.

About 12,000 smartphones with AN0M installed were sold into organized crime rings: the devices were touted as pure encrypted messaging tools — no GPS, email or web browsing, and certainly no voice calls, cameras, and microphones. They were "designed by criminals, for criminals exclusively," one defendant told investigators, Randy Grossman, Acting US Attorney for the Southern District of California, told a press conference on Tuesday.

However, AN0M was forged in a joint operation by Australian and US federal law enforcement, and was deliberately and surreptitiously engineered so that agents could peer into the encrypted conversations and read crooks' messages. After Australia's police broke the news that the messaging app had recorded everything from drug deals to murder plots — leading to hundreds of arrests — now the FBI has spilled its side of the story, revealing a complex sting dubbed Operation Trojan Shield.

FBI paid renegade developer $180k for backdoored AN0M chat app that brought down drug underworld

From hidden master keys to pineapples stuffed with Bolivian marching powder — this story has it all

www.theregister.com