What the [BLEEP] is the FBI Doing?

For the second time, the FBI wiped malware off of users’ systems without asking and maybe without telling them. The first time was last year’s cleanup after the Microsoft Exchange (Hafnium) attacks.

This time they targeted the Russian Cyclops Blink malware. It is attributed to Sandworm (also tracked as Voodoo Bear), which is believed to be part of the GRU, Russia’s military intelligence service. Sandworm is a different GRU group from Fancy Bear/APT28, although both are tied to the same agency.

Cyclops Blink is modular malware that goes after routers and firewalls. I don’t just mean cheap knock-off home routers, but enterprise-grade gear like WatchGuard Firebox appliances (and, as was reported later, some ASUS routers).

Cyclops Blink is thought to be the successor to VPNFilter, which infected large numbers of small-office and home network devices from Linksys, MikroTik, Netgear, TP-Link and QNAP, among others.

The feds were able to neuter VPNFilter back in 2018 by seizing control of its command and control infrastructure.

In the case of the WatchGuard cleanup, the FBI followed these five steps:

  1. Confirm the presence of the malware binary on a device
  2. Log the serial number of the device
  3. Retrieve a copy of the malware
  4. Remove the malware from the device
  5. Add a firewall rule to block remote access to the management interface

One important thing: they did not touch the saved configuration, so none of the changes were persistent. If the owner was unhappy, all they had to do was reboot the device. Assuming, of course, that they could still get to the device after step 5.

They could do all this because they seized control of the C2 servers, and those servers “owned” the infected firewalls; the FBI simply used the malware’s own command channel to talk to the bots.
This is similar to what they did last year when they removed the Hafnium web shells from compromised Exchange servers.

The Federal Rules of Criminal Procedure (Rule 41) require officers to make “reasonable efforts to serve a copy of the warrant and receipt on the person whose property is searched” when dealing with remote access to electronic storage and the seizure of electronically stored information. However, such notification can be accomplished by any means, including electronic ones, that have a “reasonably calculated” chance of reaching that person. To comply with this requirement, the FBI sent emails, including a copy of the warrants, to the email addresses associated with the domain names associated with the IP addresses of the infected devices. If the domains used a privacy service that hid the associated email address, the FBI contacted the IP owners’ domain registrars and ISPs and asked them to notify their customers.

But here is the problem.

What if they take down the firewall and something bad happens? Suppose this is a firewall that protects a steel furnace, and when the furnace loses its control connection it goes into an emergency shutdown. In some cases, when that happens, the furnace actually needs to be replaced (it’s complicated).

If they disable remote access to the management interface and that is the only way the device can be maintained, well, that is a problem too. (To be fair, WatchGuard’s own advisory said Cyclops Blink could only get onto appliances whose management interface was exposed to the internet, a configuration that should never have been there in the first place.)

At least they tried to tell people what they were doing.

But this is very risky and I hope they don’t try it too often because they will screw up.

If their wonderful plan goes awry and it costs the company money – maybe a lot of money – who gets to pay for that? It is really hard to sue the government.

Credit: CSO Online

Russia-Ukraine War – Kinetic and Cyber

As this war continues to grind on and the toll on people’s lives and civilian infrastructure is incalculable, the cyber war continues as well.

Here are just a couple of recent Russian cyber-losses.

Petrovsky Fort owns the largest office complexes in Saint Petersburg, Russia’s second largest city. Anonymous hacked over 300,000 of its emails, about 244 gigabytes of data in total.

The second company hacked was Aerogas. There, hackers leaked 145 gigabytes of data, including 100,000 emails. Aerogas is an engineering firm that supports Russia’s oil and gas industry. Do you think that shutting them down might be of interest to some folks? Among their clients are Rosneft, Russia’s largest oil producer, and Novatek, its largest independent natural gas producer.

To make this a little more embarrassing, both companies are owned by the government.

The last announced hack this week is Forest, a company in the logging industry. Hackers released about 40 gigabytes of data, including more than 350,000 emails.

What is interesting here is that they are not trying to extort these companies.

They are giving away the data for free to anyone.

Please take the data and do some damage to Russia, they say.

And, Anonymous says they are not done. Hacking into companies is in their wheelhouse and, I suspect, at least in some cases, they have inside help.

So far, the list of publicly announced Russian company hacks with data dumped for free stands at 11. That doesn’t mean that is all there is, just that this is all Anonymous has announced so far.

I am pretty confident that there will be more. What we don’t know is how damaging some of these will be. So far, they have not turned off the power or damaged physical infrastructure, as Russia has done to Ukraine in the past (the 2015 and 2016 grid attacks, for example). But that doesn’t mean that they won’t.

Credit: Hackread

Security News for the Week Ending April 8, 2022

Hackers Hack Russia’s Largest State Owned Media Corporation

Hackers stole 20 years of communications, including almost a million emails, from the All-Russia State Television and Radio Broadcasting Company (VGTRK). The emails were published by DDoSecrets. VGTRK runs five national TV channels, five radio stations and numerous propaganda outlets. The data is available for download as a torrent of almost 1 terabyte. The hackers say they did this because of Russia’s attack on Ukraine. This is part of the ongoing cyber war between Ukraine and Russia. Credit: Daily Dot

Apple AirTags Are Useful for Stalking

Motherboard asked dozens of police departments for reports that mentioned Apple AirTags and received 150 of them. Remember that those dozens of departments amount to something like less than one half of one percent of the departments in the country. In 50 cases, women called the police because their own iPhones had alerted them that an unknown AirTag was traveling with them; many of these women believed a current or former intimate partner was responsible. Only one report came from a man. A few of the reports cited robbery or theft as the likely motive. In any case, Apple has a challenge for which there is no easy fix. Credit: Motherboard

Russia’s Great Firewall has Some Holes in It

Russian citizens are turning to a variety of tools to bypass Russia’s attempt to block access to western media. From VPNs to Telegram to Cloudflare’s WARP, they are effectively bypassing Russian controls and reading French, British and U.S. newspapers. Credit: Bleeping Computer

Hotels Are Now Prime Targets for Hackers

As hotels use more tech and create more apps, they have more data for crooks to steal. And, since data is king, the crooks go after it. The Marriott/Starwood breach, which began back in the old days of 2014, netted the hackers information on roughly half a billion guests. With new laws like the state privacy laws in the U.S. and GDPR in Europe, breaches are only going to get a lot more expensive. Luxury hotels are particular targets, as London’s Ritz recently found out. If you have to give information to a hotel, do what you can to minimize it. Credit: Financial Times of London

Government Sponsored Hacks not Limited to Russia-Ukraine

China continues to target India’s power grid, a year after the attack campaign was first reported. Security researchers say the purpose right now is to gather intelligence to enable future attacks. They say the attackers would attempt to compromise the grid’s load management systems; if that succeeded, it could cause cascading blackouts with no way to stop the dominoes until the country is dark. The FBI says that hundreds of U.S. critical infrastructure companies have been attacked as well, so this is not limited to India. Credit: The Hacker News

If You Accept Credit Cards Get Ready for New Security Rules

The Payment Card Industry Security Standards Council (PCI SSC) is an industry group formed by the major card brands, and for years it has owned a standard called the PCI Data Security Standard, or PCI DSS. Complying with it is not a law (except in a couple of states), but it is a contractual requirement for businesses that accept credit cards everywhere, and customers often want to know that you, as a vendor that accepts credit cards, are compliant with the PCI DSS before they will do business with you. Insurance companies also want to know whether you are compliant before they will write you a policy. Okay, enough with the history lesson.

The current version of the PCI DSS, version 3.2.1, was released in 2018. It was a minor update to 3.2, which was released in 2016, and 3.1, which was released in 2015. Version 3.0 was released in 2013.

That means that fundamentally, the standard has not been substantially rewritten in the last 9 years. That is a long time for a security standard.

PCI DSS 4.0, published on March 31, 2022, has been a work in progress for the last three years. The council received over 6,000 comments during that time.

Version 3.2.1 is currently scheduled to be retired on March 31, 2024, and the requirements that 4.0 marks as future-dated become mandatory a year later, on March 31, 2025. For some companies, the transition will be relatively simple, but for others, especially smaller ones, this would be a good time to outsource credit card processing. If you keep it in house, you will likely need to spend some money, possibly on hardware and/or software and on staffing. Start planning now.

New requirements include:

  • Updated firewall (now “network security control”) requirements
  • Enhanced requirements for multi-factor authentication everywhere in the cardholder data environment
  • Increased flexibility in meeting some requirements, though taking advantage of it requires a mature IT and governance environment
  • Increased emphasis on tying a risk assessment to the implementation of security controls

Now is the time to look at the new requirements and make some decisions.

If you need help, contact us.

Credit: CSO Online

We’re From the Government and We’re Here to Let Your Information Get Hacked

All software has bugs. But some software has more bugs than others.

And some organizations are better at finding and fixing those bugs.

Just not those in the public sector.

Veracode, the application security scanning vendor, scans a lot of apps a lot of times. Here is a bit of data that should scare you.

Veracode looked at twenty million scans of a half million apps, and while what they discovered doesn’t surprise me, it does scare me a bit.

Their research says that the public sector has the highest percentage of applications with security flaws.

82% of the public sector applications scanned had security flaws.

On top of that, it takes the public sector twice as long to fix flaws once they are detected.

They also said that 60% of the flaws in third-party libraries used by public sector apps remain unfixed after two years. That is double the rate of other sectors and 15 months slower than average.

Last but not least, they only fix about 20% of flaws, ever.

Given that most of us do not have a choice to use or not use government apps, these statistics are alarming.

Given the government’s lack of IT resources, it is highly unlikely that things will get better any time soon.

Sorry, I don’t have a happy ending. Credit: Helpnet Security

State Department Announces Cyber Bureau

The Trump administration effectively eliminated the cybersecurity role in the State Department several years ago by eliminating its leader and burying the function in the State Department bureaucracy. Their theory was that the White House National Security Council could assume the diplomatic role for cyberspace. Ultimately, that strategy failed, and towards the very end of the administration they attempted to undo the damage.

The State Department announced that the Bureau of Cyberspace and Digital Policy (CDP) began operations this week. The creation of the bureau was announced late last year.

The new cybersecurity bureau reflects the growing importance of cybersecurity in national policy, economy, and defense.

It includes three policy units:

  • International Cyberspace Security
  • International Information and Communications Policy
  • Digital Freedom

The State Department hopes to have 100 people working at the bureau by the end of the year.

The head of the bureau will be an ambassador-at-large and will need to be confirmed by the Senate. Jennifer Bachus, a career foreign service official, will fill the acting role until the Senate confirms a permanent leader.

The State Department has announced acting heads of each of the policy units:

  • Michele Markoff, as Acting Deputy Assistant Secretary for International Cyberspace Security. Markoff has been the senior State Department subject matter expert overseeing the development and implementation of foreign policy initiatives on cyberspace issues since 1998.
  • Stephen Anderson, as Acting Deputy Assistant Secretary for International Information and Communications Policy. Anderson will lead development of international Internet, data, and privacy policies and related negotiations with foreign governments.
  • Blake Peterson, as Acting Digital Freedom Coordinator. Peterson previously served as the advisor on Internet governance in the Bureau of Economic and Business Affairs and as a Senior Policy Advisor in the Office of the Secretary.

Given the current war in Ukraine and Russia’s push to get the UN to adopt its own cyberspace policy, it seems very important that US diplomatic activity in this space ramps up, and it looks like it will. Credit: Nextgov