DHS and FBI Announce Threats to Energy and Critical Infrastructure

In what is an unusual move by the FBI and DHS, CERT released a security bulletin saying that attackers were going after government entities and critical infrastructure and had been doing so at least since May.

They said this is a multi-stage attack, going after low security and small networks and then moving inside those networks to attack other higher value assets.

Since at least May, the attackers have been going after critical targets like energy, water, aviation, nuclear and critical manufacturing.  In addition, they are also targeting government entities.

The attacks start by going after “staging targets” – possibly suppliers or other vendors with less secure networks – and use those compromised networks to reach the ultimate target.

Using the standard cyber kill chain attack model, there are five phases to the attack:

  1. Reconnaissance – gather information on the organization and potential weaknesses of, in this case, specific, targeted organizations.
  2. Weaponization – use spear phishing emails (in this case) to get into the target’s organization.
  3. Delivery – Once inside the organization, use the beachhead they have created to create a persistent base for further attacks.
  4. Exploitation – Once the beachhead is established, use the base to exploit the organization – such as stealing credentials.
  5. Installation – Now that the network is fully compromised, download additional tools to expand the attack and use that company to launch attacks against other companies.

The FBI admitted, with no details, that some of the attacks have been successful.  The fact that they are issuing a very public announcement as opposed to a much quieter memo, say via Infragard, says that (a) the attacks have been more successful than they might want to admit, (b) that the attacks are going after smaller, less sophisticated organizations that have less sophisticated defenses and (c) the attacks are ongoing.

This means that organizations need to be on higher alert than they might be otherwise.  To steal a term from the Department of Defense, if your organization was at Defcon 4 before (the second LOWEST level of alert), now might be a good time to go to Defcon 3 or 2 (the second highest level of alert).

The bulletin provides specific IOCs (indicators of compromise) for each target industry segment.

If you need assistance, please contact us.


Information for this post came from CERT.

Is Treasury Breaking the Law – The Jury Is Still Out

According to reports – and denied by the government – the US Department of the Treasury is either creatively stretching the definition of certain laws or outright breaking them.  It is likely that we will hear more about this over time.

The story goes like this.  There is a part of Treasury called FINCEN or Financial Crimes Enforcement Network, which, under law, receives reports of suspicious activity from banks and other financial institutions.  The purpose of these reports is to detect money laundering and other financial crimes.  This is all well within the law and FINCEN has been doing this for years.

There is another part of Treasury called the Office of Intelligence and Analysis or OIA.  This is a foreign intelligence group tasked with gathering intelligence on foreigners.

But, under certain circumstances and with certain privacy protections, OIA can access FINCEN’s data.

But what happens if Treasury placed OIA employees inside FINCEN and those employees searched for information on U.S. citizens, possibly in violation of the law?

Treasury first issued a one-sentence denial and later a longer two-sentence denial, while at the same time saying that OIA and FINCEN do share important information and operate within the bounds of the law.

The Treasury Inspector General has launched a review and said that they had no further comment.

On the other side of the argument, a number of Treasury employees have said, off the record, that “this is domestic spying”.

Sources said that the spying had been going on under President Obama, but has continued under President Trump.

And sources also say that officials from CIA and Defense Intelligence Agency have come to work at OIA for as little as a week, at which time they got access to information on U.S. citizens that they could not get legally without this arrangement.

To turn this completely into a soap opera, apparently last year Treasury’s Office of Terrorism and Financial Intelligence proposed transferring much of FINCEN’s work to OIA, along with the budget and staff.  That certainly could upset FINCEN “whistleblowers”.  They said that OIA, part of the intelligence community, could not collect information on U.S. citizens unless it complied with Executive Order 12333, issued by President Reagan and reissued by President Bush, which sets rules on collecting intel on U.S. citizens, among other rules.  The EO requires certain privacy rules, approved by the Attorney General, and those rules did not exist at the time.  When FINCEN asked to review those guidelines, they were, they said, removed from the conversation.  These guidelines, apparently, have still not been approved by AG Sessions.

Some FINCEN employees have complained to Congress, but Congress doesn’t seem to have done much about it.  Possibly in light of some publicity, they may decide it should have a higher priority.

At this point it appears to be the stuff that prime time soap operas are made of and it is completely unclear what the truth is.

Information for this post came from Buzzfeed.

New Android Malware Encrypts Phone and Changes PIN

The Doublelocker malware is a new strain of Android malware.  Rather than finding some vulnerability in the Android OS, it ASKS the user politely, may I please install this malware on your computer.  It does this by pretending to be, for example, an Adobe Flash update.  Since Flash updates are so common, some people don’t think twice about installing the update.  At this point, the game is over and the attacker has won.

Without going into the details of how the malware works, it tricks the user into granting the permissions that the malware needs in order to infect your device.  Once it has the needed permissions, it does these two things –

First, it encrypts the data on the user’s phone.

Second, it changes the user’s security PIN, locking the user out of the encrypted phone.

Hence the term DOUBLE locker.  Belt and suspenders.

ESET says that the new PIN is neither stored on the device nor transmitted to the hacker, making it impossible for either the user or security to reset the PIN and unlock the phone.  They also say that if you can reset the PIN then you can delete the file with the new PIN, so it is not clear which is right.  However, if you have managed to reset the PIN using one of the possible methods, deleting the PIN file is kind of irrelevant.  The hacker, however, can reset the PIN remotely – assuming that the user pays the ransom.  The ransom is typically $54, so from the user’s standpoint, that might be a pretty easy choice.

ESET says that you can do a factory reset to regain control of the device, but if you do that, you will lose any files that are stored on it.  If you have backups, that may not be a big deal, but if you don’t have backups, well, that is a problem.

If your phone can be remotely managed, that is also a way to reset the PIN, but in this case, while your data is still there, it is also still encrypted, so without paying the ransom you still do not have access to your files.

Bottom line is that you may be able to reset the PIN and get access to the device, but getting your data back, well that is likely impossible without paying the ransom.

Information for this post came from Dark Reading.


Reporter Details “I Was Hacked”

John Biggs, a contributing writer for Tech Crunch described the details of a hacker’s attack on his online world.

John detailed the entire hack and it is very useful for everyone.  WHY he was attacked is not clear.  Was it a target of opportunity or was he specifically being attacked?  It appears that it may have started as a random attack and morphed into a targeted attack after the hacker found some information about John.

Here is the story.

On Tuesday night August 22, 2017, a hacker swapped his own SIM card for John’s, effectively routing all phone calls and text messages destined for John’s phone to the hacker’s phone.

Moments later, the hacker used text messages from Google and Facebook sent to the rerouted phone to change John’s GMail account passwords and Facebook account password.  John was locked out of his phone, his email and Facebook.

Luckily for him, he noticed this within an hour and was able to get T-Mobile to return his phone number back to him.  He then set about recovering his online account access.

From stories I have heard in the past, in many cases, convincing the providers to return your own access to you is complicated.  You can’t exactly call Google on the phone and even if you could, what would you say?  I’m me and the guy that just changed my password using my phone number – that wasn’t me?  For most people, that process is pretty challenging.

John then went about “hardening” the two factor authentication set up on his accounts (Google just announced a new high security feature, but it comes with a price tag.  I just ordered it and it cost me about $50.  Still, compared to losing your digital life, for many people, that is cheap).

In the short time that the hacker had access to his account, the hacker rummaged through John’s digital life, discovered that he was from Ohio and that his dad was sick.  Since the hacker had access to John’s email and texts, he was able to send out messages to John’s friends saying that John needed to pay a hospital bill or the hospital was going to pull the plug on his dad, and if his friends would give him cash in the value of 10 bitcoins (probably around $30-$40 thousand at the time), John would pay them back 15 bitcoins the next day.

As John said, luckily his friends aren’t idiots and they didn’t fall for the bait.

Two of John’s friends were also hacked and targeted with the Bitcoin scam.  If you use a text message as the authentication mechanism for your bitcoin wallet, the attacker might be able to empty your bitcoin wallet as well.  This has already happened multiple times.  If your bitcoin wallet is emptied, that money is likely gone – no insurance, no government will be there to make you whole again.

There are things that you can do to protect yourself, but they all come with some cost or some convenience factor or both.  The article linked below lists some of the possible options and we can provide other suggestions as well.

I don’t know John but he seems like someone who is at least as technically sharp as most people and probably more technically skilled than many people.  Yet, he still got attacked.

Everyone needs to keep their guard up, their antennae tuned, and be ready to respond.  At least in this case, because of how quickly John detected the hack, he was able to reverse it quickly and minimize the damage the hacker could do.  Depending on what information exists in your online world – sensitive corporate information, personal financial information, pictures that you definitely don’t want to become public and probably ten other things – the amount of damage the hacker could possibly do varies.  One possibility is that the hacker could just delete information from your online world and even wipe some backups.  Time passing is your enemy – you must respond right away – remembering that you don’t have access to your digital life to help you.

Definitely, a challenge.

Information for this post came from Tech Crunch.

Tanker Seems To Be At The Airport

Sometimes, when the Russians don’t want you to know where you are, they seem to be able to arrange exactly that.

Wired is reporting on a number of tanker ships that seemed to be miles from where they actually were.

In June the 37,000 ton tanker Atria was transiting the Marmara Sea along the Bosphorus strait and into the Black Sea.  A simple journey, done by ships thousands of times.

When the ship approached the port of Novorossiysk things started to go wrong.

Modern ships, especially big commercial ships are outfitted with sophisticated GPS navigation systems.  Multiple ones in case of a failure.  GPS systems can track the position of a ship to within a foot or two.

In this case, as the ship entered the port, all GPS tracking failed.  Then the ship’s GPS systems claimed that the ship was at the airport, about 30 miles from where it actually was.

Normally, the captain said, if the GPS goes crazy, it shows the ship’s position a couple hundred feet from where it actually is.  In this case it was more like 25 or 30 miles.

U.S. maritime officials have confirmed that at least 20 ships have been affected by this GPS issue, but that likely dramatically underestimates the truth.

At the same time that the GPS said that the ship was at the airport rather than the port, the ship’s collision avoidance system showed it had company.  20 to 25 large ships were, according to the system, also at the airport.

For some reason, the Russians were messing with GPS signals.  Likely, they were overpowering the real signal with a fake signal which the ship’s GPS receiver accepts as valid.

According to the security firm FireEye, GPS spoofing is used in a number of locations in Russia.

The ships’ crews understand that the Russians like to do this, so they don’t place unfailing trust in the system.  They use their paper maps and dead reckoning – like sailors did a hundred years ago.  It is hard to hack a paper map and a sextant.
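The cross-check the crews describe can be automated on the bridge: a GPS fix that lands far from where dead reckoning (last trusted position plus course and speed) says the ship should be is treated as untrusted rather than accepted. The following is an added example, not code from the article, Wired or any ship system; the track is constructed (the last two fixes jump roughly 27 nm, in the spirit of the 25 to 30 mile error described above, while a normal error is a couple hundred feet, about 0.03 nm), and the 1 nm tolerance, 10.8 knot speed and flat-earth dead-reckoning formula are assumptions.

```python
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles

# Constructed GPS track, not real AIS data: seconds since the first fix and
# latitude/longitude in decimal degrees. The vessel is steaming due north at
# 10.8 knots; the last two fixes are about 27 nm away from where it can be.
SAMPLE_FIXES = [
    {"t": 0,   "lat": 44.6000, "lon": 37.6000},
    {"t": 60,  "lat": 44.6030, "lon": 37.6000},
    {"t": 120, "lat": 44.6062, "lon": 37.6001},
    {"t": 180, "lat": 45.0000, "lon": 37.9000},  # sudden implausible jump
    {"t": 240, "lat": 45.0030, "lon": 37.9000},  # consistent with the jump, not the ship
]


def distance_nm(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in nautical miles."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_NM * asin(sqrt(a))


def dead_reckon(lat, lon, course_deg, speed_knots, seconds):
    """Project a position forward along course and speed. Flat-earth
    approximation, adequate over minutes: one nautical mile is one minute
    of latitude, and longitude is scaled by cos(latitude)."""
    dist = speed_knots * seconds / 3600.0
    dlat = dist * cos(radians(course_deg)) / 60.0
    dlon = dist * sin(radians(course_deg)) / (60.0 * cos(radians(lat)))
    return lat + dlat, lon + dlon


def audit_track(fixes, course_deg, speed_knots, max_error_nm=1.0):
    """Return [(t, error_nm)] for fixes that disagree with dead reckoning from
    the last trusted fix by more than max_error_nm. A flagged fix is never
    promoted to 'trusted', so later fixes are still judged against the ship's
    own reckoning rather than against the suspect position."""
    flagged = []
    trusted = fixes[0]
    for fix in fixes[1:]:
        elapsed = fix["t"] - trusted["t"]
        dr_lat, dr_lon = dead_reckon(trusted["lat"], trusted["lon"],
                                     course_deg, speed_knots, elapsed)
        error = distance_nm(dr_lat, dr_lon, fix["lat"], fix["lon"])
        if error > max_error_nm:
            flagged.append((fix["t"], round(error, 1)))
        else:
            trusted = fix
    return flagged


if __name__ == "__main__":
    for t, err in audit_track(SAMPLE_FIXES, course_deg=0.0, speed_knots=10.8):
        print(f"t={t}s: GPS fix is {err} nm from the dead-reckoned position")
```

The important design choice is that a rejected fix does not become the new reference: a spoofed position that is internally consistent from one fix to the next would otherwise pass once the first jump was accepted, which is exactly the situation of a receiver that quietly believes it is at the airport.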

U.S. military equipment (vehicles and planes) also use GPS systems, but since the satellites that transmit the GPS signals are owned by the U.S. Air Force, we do have a few tricks up our sleeves.  I was part of the team that built the very first GPS system for the Air Force and while those tricks are likely quite effective, at least some of them would disrupt your ability to navigate to the nearest Starbucks.  When it comes to a choice between finding a Starbucks and World War III, I have a pretty good clue which option the Air Force will choose.

Still, it is a pretty interesting situation.  You rely on a technology for commerce that your adversary has the ability to disrupt.  Not a great story.

Information for this post came from Wired.

KRACK – A WiFi Attack That Affects Almost Everyone

US CERT (Homeland Security’s Computer Emergency Response Team AKA Computer Emergency Readiness Team) released an alert today for an attack named KRACK for Key Reinstallation Attack.

While an article on ARS Technica says that this attack is especially dangerous for Android, Linux and OpenBSD (so much for open source being secure), the Homeland Security alert lists the following vendors: Aruba, Cisco, Espressif, Fortinet, FreeBSD, Google, HostAP, Intel, Juniper, Microchip, Microsoft, OpenBSD, Peplink, Red Hat and Samsung.  Those are only the ones for which Homeland Security has information from the vendors.  There are probably hundreds of other vendors affected – some of whom either don’t know or don’t care.

The attack is a classic person-in-the-middle (MitM) attack that inserts traffic into the encrypted traffic stream, which forces a reset and, at least in some cases, enables reuse of certain parameters that would allow an attacker to decrypt the data stream it is eavesdropping on.

According to some reports, the attack is relatively easy to execute – but you must be in WiFi range.  Visiting a Starbucks with your WiFi enabled might not be a great plan for a little while.

The attack does affect Windows, although Microsoft did release a patch on October 10th, so if you have installed the October Security Roll Up release, you should be good.

The other half of the problem is that it does affect WiFi access points, so you will likely need to re-flash the firmware on all of your WiFi access points.  The process for doing this will vary from vendor to vendor and even model to model.

Also likely affected are all of your smart light bulbs, smart refrigerators, smart door locks, webcams and every other smart Internet of Things device you own.  Most of which have not been patched.  Many of which will never be patched.

Sources are saying that the attack is easy enough to do that someone is bound to build a turnkey solution and distribute it – possibly for free, possibly for money – on the Internet.

The US CERT gave this attack 10 unique vulnerability IDs (CVE-2017-13077, 13078, 13079, 13080, 13081, 13082, 13084, 13086, 13087 and 13088).  That is pretty unusual for one attack.

Ultimately this is a problem with the WPA 2 WiFi PROTOCOL, but luckily it can be patched, although it must be patched on both ends of the connection.  Sometimes protocol flaws cannot be easily patched; this one seems to be an exception.  The attack works against both WPA 2 PERSONAL and WPA 2 ENTERPRISE.
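Why a forced “reset” of parameters lets an eavesdropper decrypt traffic, and why the fix has to live on the client as well as the access point, is easiest to see in a toy model. The following is an added example, not code from the researchers, US CERT or any WiFi stack: the keystream is a constructed HMAC-SHA256 counter construction standing in for the real WPA2 cipher, and the `Station` class, its `refuse_reinstall` flag and the sample plaintexts are assumptions. It shows that reinstalling the same session key resets the packet number used as the encryption nonce, so the same keystream is used twice and the XOR of two ciphertexts equals the XOR of the two plaintexts; a client that refuses to reinstall a key already in use (the gist of the fix) never repeats a nonce.

```python
import hashlib
import hmac


def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Constructed toy keystream: HMAC-SHA256 in counter mode, keyed by the
    session key and the per-packet number. It is NOT WPA2's cipher; it only
    reproduces the property that the same (key, packet number) pair yields
    the same keystream."""
    out = b""
    block = 0
    while len(out) < length:
        counter = packet_number.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, counter, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Hypothetical client-side key state: the installed session key plus the
    packet number that serves as the encryption nonce."""

    def __init__(self, refuse_reinstall: bool) -> None:
        self.key = None
        self.packet_number = 0
        # True models a patched client that ignores a repeated install of the
        # key already in use, so the nonce is never reset mid-session.
        self.refuse_reinstall = refuse_reinstall

    def install_key(self, key: bytes) -> bool:
        if self.refuse_reinstall and self.key == key:
            return False  # patched: key already installed, keep the nonce
        self.key = key
        self.packet_number = 0  # the reset that makes reinstallation dangerous
        return True

    def encrypt(self, plaintext: bytes):
        pn = self.packet_number
        self.packet_number += 1
        return pn, xor_bytes(plaintext, keystream(self.key, pn, len(plaintext)))


# Constructed sample frames of equal length so the XOR comparison is direct.
M1 = b"meter reading 42"
M2 = b"meter reading 57"


def simulate(refuse_reinstall: bool) -> dict:
    """Encrypt one frame, replay the key install (the reset the attack forces),
    encrypt a second frame, and report whether the keystream repeated."""
    key = b"constructed-session-key"
    sta = Station(refuse_reinstall)
    sta.install_key(key)
    pn1, c1 = sta.encrypt(M1)
    reinstalled = sta.install_key(key)  # replayed handshake message
    pn2, c2 = sta.encrypt(M2)
    # With a repeated nonce, c1 XOR c2 == M1 XOR M2: the keystream cancels out
    # and the relationship between plaintexts is exposed to an eavesdropper.
    return {
        "pn1": pn1,
        "pn2": pn2,
        "reinstalled": reinstalled,
        "keystream_reused": xor_bytes(c1, c2) == xor_bytes(M1, M2),
    }


if __name__ == "__main__":
    for patched in (False, True):
        r = simulate(patched)
        print(f"patched={patched} nonces=({r['pn1']},{r['pn2']}) "
              f"keystream_reused={r['keystream_reused']}")
```

Patching only the access point is not enough in this model because the nonce reset happens on the station that accepts the replayed install; that is why the text above stresses patching both ends, and why unpatched IoT clients stay exposed behind a patched access point.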

It also does not matter whether your WiFi is for guests or employees; in either case it may be vulnerable.

Over the next week or two, and as the researchers present a paper on this attack early next month, we will likely get more details.

IT organizations should contact their WiFi vendors right away to understand what it takes to patch the vulnerability.  After all that, you will need to understand what it will take to patch all your end point devices.  That is likely a much more complicated problem than reflashing your WiFi access points.

While we have not – yet – seen any attacks using this vulnerability, now that it has been officially released, we likely will.  As we saw with WannaCry, many organizations will not install patches – until after they get attacked.  Don’t be one of those organizations.

Information for this post came from US CERT, ARS Technica and the paper’s authors.