Tag Archives: Iran

Security News for the Week Ending September 11, 2020

Pioneer Kitten Sells Compromised Corporate Credentials

Pioneer Kitten, an Advanced Persistent Threat group backed by Iran, is compromising corporate systems and then selling those credentials to the highest bidder. Like all large organizations, they want to diversify from just ransomware and stealing credit cards. Now they have a new and apparently very lucrative revenue stream. Credit: Threat Post

Ireland Unfriends Facebook

In the aftermath of the Schrems II decision, Ireland has told Facebook to stop sharing data from the EU to the US. Of course Zucky says that they have a right to do that using standard contract clauses (and they could possibly be right), but there will be a fight. Stay tuned. Credit: The Register

Pentagon has a New Way to Protect Their Browsing

In case you thought I was going to diss DISA, the Pentagon’s IT department, nope, not this time. Actually, I really like what they are doing and hope some enterprising company offers it as a service.

The Pentagon plans to roll it out to 1.5 million users in the first year. What they are doing is instead of opening a browser on your computer, you open a window to a browser in the cloud from your computer. You then surf in that sandbox, containing any explosive debris from malware. When you drop the connection, the sandbox goes away, along with any malware. In addition, since these sandboxes live in the data center, the amount of data bandwidth required at the user’s location goes down dramatically. It is a brilliant idea. Credit: Government Computer News

After Microsoft Outs Russian Election Hacking White House Sanctions 4 Russians

The same day that Microsoft published details of Russians who are trying to hack the 2020 US Elections, the White House added 4 Russians to the Treasury’s equivalent of the do not fly list called OFAC. This is also after the whistleblower at DHS came out saying he was told by the head of DHS not to say anything about Russian hacking. Maybe the three events are not related. Maybe the Republican administration was forced to do something to look like it was being tough on Russia. The hacking includes publishing fake news designed to spark false corruption investigations in an effort to affect the election outcome. Other Russians stole US citizens’ identities to open fake bank and cryptocurrency exchange accounts. Microsoft said that it detected attacks targeting both the Biden and Trump campaigns. The Russians also used traditional attacks like phishing and brute force password attacks. Credit: Dark Reading

Army Cyber Command Moves to Fort Gordon

While the move of Cybercom to Fort Gordon in and of itself may not be exciting, it may be an indication of how seriously the Army is taking cyber. The Army built a new 336,000 SF building for them, consolidating folks who were at Forts Belvoir and Meade. More importantly, consider who else is at Gordon. This move puts Cybercom at the same garrison as the Army Cyber Center of Excellence, Army Cyber Corps and Army Signal Corps. It also houses Homeland Security training, Naval Information Ops Command and Joint Strategic Intelligence Command, among others. Putting all these cyber and information folks within walking distance has to allow them to better coordinate and cooperate. Credit: Security Week

Security News for the Week Ending February 7, 2020

Iran Expands Oil & Gas Attacks to Electric as Well

According to researchers, Iran-linked APT33 has expanded its targeting.  Initially they were going after the global oil and gas industry, but now they have added the electric grid to the mix.  Right now, they say, the goal is reconnaissance – gathering information to use later.  They are also trying to establish a foothold inside the infrastructure to use at a time of their choosing.  Source: Threat Post


In the Wake of the Iowa Caucus Voting Mess – Are We More Secure Now Than 2016?

Clearly the Iowa voting software issue does not instill confidence in the election process.  Was that a Russian hack?  No, I don’t think so.  Just software quickly thrown together with not much planning.  Apparently, they only paid $63,000 for it.  Given how important it was, it seems like a LOT more testing was needed.  That did not happen.

But more concerning is this week’s McAfee report.  They say that 84% of county websites did not have a .Gov domain name.  This is important because there is more verification done on those domains.

In addition, 46% of county web sites were not encrypted – with Texas being the worst with less than 25% of their county web sites being encrypted.

If we are not taking basic security measures like these, why would anyone think that they are doing a better job at protecting your vote?  Source: Help Net Security


GAO Says That CISA is Behind on Election Security Plans

The GAO says that DHS’s CISA is behind on its plans for election security.  CISA became responsible for election security when elections were declared critical infrastructure in 2017.

Unfortunately, CISA’s budget is less than JP Morgan Chase’s security budget.  Given the lack of funding, this is not a surprise.

Given the challenges with tech (non-hacking related) at the Iowa Caucuses, this is not a good sign.

The House has passed a number of bills to fund election security but the Senate has not taken up any of them and none of them have been submitted to the White House.  More than likely, this is due to partisan politics.  However, if there are problems during this election, voters are likely not going to be happy.

The GAO listed three recommendations for the CISA:

  • Urgently finalize the strategic plan and the supporting operations plan for securing election infrastructure for the upcoming elections.
  • Ensure that the operations plan fully addresses all lines of effort in the strategic plan for securing election infrastructure for the upcoming elections.
  • Document how the agency intends to address challenges identified in its prior election assistance efforts and incorporate appropriate remedial actions into the agency’s 2020 planning.

Source: CNBC


Experts Say the Software Used at Iowa Caucuses Looks Like a Student’s Class Project

Multiple Android app development experts and cybersecurity pros who looked at the app that the IDP tried to use to report the Caucus results said its quality was similar to what a college student might turn in for a programming class.

The software was based on React Native, a cross platform app development framework released as open source by Facebook.  That in itself is not a problem.

One expert said that the developers took an off the shelf skeleton project and added some stuff to it.  One expert said that it was clearly done by someone who had just read a tutorial on how to do it.  Another expert said the app looks like it was “hastily thrown together”.

It also appears that user training was inadequate.  The development team only started gathering requirements 6 months ago.  Homeland Security had offered to test the security of the app, but the Iowa party officials declined.

The IDP says that this app was not supposed to be the final arbiter of results but only a way to get quick, unofficial numbers.  The caucuses all collected their data on paper and were supposed to transfer the results to the app.  Source: Motherboard

Sources also say that the version of the app planned to be used in Nevada (plans which have been cancelled) also had errors.  Source: Motherboard



Security News for the Week Ending January 10, 2020

Albany Int’l Airport Hit By Ransomware via MSP

In what is becoming an all too common story, the Managed Service Provider that supported Albany, NY’s airport, Logical Net of Schenectady, NY, was hacked and from there, the hackers were able to connect to the airport’s administrative network and infect it with REvil ransomware, the same ransomware that hit Travelex (see below).  I say supported because after the airport paid the under 6 figure ransom (? $99,000), they fired the MSP.  The ransomware encrypted the airport’s backups in addition to the live data.  Given that we are hearing about these attacks against outsourced service providers almost weekly, customers need to start putting pressure on these providers to improve their security.  Source: Bleeping Computer

Cyber Attack Events From Iran Nearly Tripled

Soon after the attack that killed General Soleimani, attacks originating from Iran were up 50% and grew from there.  Cloudflare says that for their little piece of the world Internet, there were a half billion attack attempts in a 48 hour period.  Source: MSN

Info on 56 Million U.S. Residents Sits Exposed – On a Server in China

This does not appear to be a hack.  22 gigabytes of data on 56 million U.S. residents is sitting exposed on a server in China.  The data appears to belong to CheckPeople.com, one of those for-a-fee information sites.  It is hosted on a web farm run by the Chinese giant Alibaba.  While this data is not super valuable, it could be useful for any number of foreign adversaries because of the volume and because whoever created it did all of the work of aggregating and organizing it.  Did CheckPeople license it to the Chinese?  Or did the Chinese steal it?  Or does CheckPeople use servers in China?  If so, that is something we should stop.  Source: The Register

Travelex Woes Continue

NOTE: I am providing a bit of a blow by blow of the Travelex attack because it is a useful learning lesson for everyone on what to do, what not to do and how to communicate about it.  We usually don’t get as much direct information about these attacks as we are seeing here, even though most of the information is NOT coming from Travelex.


This has got to be one of the worst incident response examples I have seen since, say Equifax.  Really, really bad and getting worse by the day. They said this won’t have a material effect on their business, but that is hard to believe.

FRIDAY January 10, 2020

As of Friday night, Travelex’s website is still down.

Given the size of the organization, it is surprising that 10 days into the ransomware attack, the company is still offline.

According to Bleeping Computer, the hackers originally demanded $3 million not to sell Travelex’s data but have now upped the number to $6 million.

While Travelex’s public position is that no “structured” personal data has been  stolen, the hackers say that Travelex is negotiating a price with them.

Hackers behind the REvil ransomware say, on a Russian hacker forum, that if Travelex does not pay the ransom, they will sell the data on the black market.

As we watch this dumpster fire of an attack from a distance, one of the many lessons to learn is about alternate providers.  Travelex provides services to a number of banks such as Barclays, Lloyds and Westpac.  Those banks have had to shut down currency services to their customers.

As part of your disaster recovery and business continuity plan, you need to consider the impact on YOUR business not only if you are hit by a ransomware attack but what if one of your key providers is taken offline for a week or two or more from an attack.

In this case, the banks have had to refund customer orders and customers have gone to competing banks for their currency needs, possibly never coming back.

THURSDAY January 9, 2020

The NY Times is reporting that the hackers claim to have uploaded 5 gigabytes of “sensitive customer information” and have been in Travelex for 6 months.  They say that if Travelex doesn’t pay them $6 million by January 14th, they will publish the data (AKA Ransomware 2.0).  Their web site is still down. Banks like Barclays and Royal Bank of Scotland that use Travelex as their foreign currency provider are also still down.

WEDNESDAY January 8, 2020

Travelex finally admitted they were hit by the REvil ransomware.  London’s Met (Metropolitan Police) said that their elite cyber team was not contacted until January 2, 3 days after the attack.

They are also saying that there is no EVIDENCE that STRUCTURED personal customer data has been encrypted.  I am not quite sure how to read between those lines.

They also say that, 9 days into the attack, they still don’t have a complete picture of all the data that was encrypted.

Their web site is still down, although there is a new press release on it, updated from the old one.

Finally, they say that they don’t currently anticipate any material financial impact from the breach.  (British Airways was fined $230 million for their breach – not counting lawsuits, remediation, etc.  Not sure what they are thinking).

TUESDAY January 7, 2020

The Travelex web site still shows the message that says they were hit by malware with no explanation and no expected up time.

MONDAY, January 6, 2020

I wrote in last weekend’s newsletter that Travelex, who had an IT incident (likely ransomware, but unconfirmed), seemed to have recovered by last Sunday night.  At least their web site was back up.  It turns out that I spoke too soon and as of Monday, their website is still/again down.

While Travelex is still being tight-lipped about things, information is leaking out around the edges – something that businesses would be well advised to understand.  They cannot keep these things under wraps.

What we do know is that booths at airports are still operating, although they are doing it with a pen and a pocket calculator.

Travelex says that they don’t know when things will be back online.  I assume this means that people who took Travelex’s advice and put their money in a Travelex cash card still do not have access to their money.  This is the perfect stuff for lawsuits – actual harm.

The Register is reporting that Travelex had/has public facing Windows servers with Remote Desktop Protocol (RDP) enabled with no Network Level Authentication.  This is kind of like playing Russian Roulette with 5 live bullets – not recommended.

The servers are running Windows Server 2008 R2, which will be officially unsupported on January 15th – just a few days from now.  The servers are also running .Net 4.0.30319, which is also “rather old”.

I am sure that regulators on both sides of the Atlantic will be asking some uncomfortable questions.  This may also be a GDPR violation.

Stay tuned for details.  Source: The Register

Computer Weekly says the attack is ransomware, specifically the REvil Ransomware and the bad guys are asking $3 million for the decryption key.   They are also saying that Travelex waited 8 months to patch a critical flaw in Pulse VPN servers. Source: Computer Weekly.

DHS Issues Emergency Directive 19-01 (DNS)

Homeland Security’s newly named agency – the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to executive branch agencies – many of which have personnel on furlough – regarding a DNS hijacking issue.

The issue is not limited to agencies and every company and private individual that owns one or more Internet domains should take immediate action.

CERT’s alert is based, in part, on FireEye’s report issued last week of a coordinated campaign run by state sponsored hackers, possibly out of Iran, to hijack agency, business and consumer Internet domain names.

Using very traditional phishing techniques, the attackers steal credentials to log in to the user’s account at domain registrars around the world.  Once they have access to the user’s domain administration pages, they can redirect web site visitors and email to their servers, using this to steal credentials from web site visitors and email recipients.

The hackers redirect the users to the legitimate web site after stealing their credentials.

DHS is giving agencies, many of which have very limited staff due to the shutdown, 10 business days to complete an action plan.

There are no consequences if the agency blows off DHS, which many do on a normal day.  Under the current circumstances, likely even more will do so.  This means, of course, that you should consider any government server suspect, especially if it asks you for a userid and password.

DHS is admitting to at least 6 agencies who have had their DNS records hijacked.  Likely there are more;  some of whom do not know that they have been hijacked for a variety of reasons.

If you are not a government agency (or even if you are), here are some things that you should do:

  • Implement multi-factor authentication on any domain registrar accounts that can control DNS or web site settings.  Examples of big domain registrars are GoDaddy, Wix, Hostgator, 1&1 IONOS, Network Solutions and others.
  • Verify that existing DNS records for domains and sub-domains have not been altered for any resources.
  • Search for SSL/TLS certificates which may have been issued by registrars but not requested by an authorized person.  These certificates would allow an attacker to masquerade as a legitimate version of the web site and steal visitor’s credentials or install malware on visitor’s computers and phones.
  • Conduct an investigation to assess if attackers gained access to your environment.
  • Validate the source IPs in OWA/Exchange logs.
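Two of the items on that list, verifying that DNS records have not been altered and validating source IPs in OWA/Exchange logs, are easy to turn into a repeatable check. The script below is an added example written for this post; it is not code from CISA, US-CERT or FireEye. The domain names, record values, IP ranges and log lines are all constructed sample data (a baseline the domain owner recorded earlier, a snapshot of what a resolver returns today, and a few OWA-style log lines); in practice you would feed it a zone export from your registrar and a real IIS/OWA log.

```python
"""Added example: compare expected DNS records against a current snapshot, and
flag OWA/Exchange logins from IP ranges the organisation does not expect.
All inputs below are constructed sample data, not real domains or logs."""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed baseline: the records the domain owner knows they created.
# Keys are (record name, record type); values are the expected record values.
BASELINE: Dict[Tuple[str, str], Set[str]] = {
    ("example.test", "A"): {"203.0.113.10"},
    ("www.example.test", "A"): {"203.0.113.10"},
    ("example.test", "MX"): {"10 mail.example.test."},
    ("example.test", "NS"): {"ns1.example.test.", "ns2.example.test."},
}

# Constructed snapshot of what a resolver returns today: an extra MX record
# points mail somewhere new, and an A record for a sub-domain has appeared.
OBSERVED: Dict[Tuple[str, str], Set[str]] = {
    ("example.test", "A"): {"203.0.113.10"},
    ("www.example.test", "A"): {"203.0.113.10"},
    ("example.test", "MX"): {"10 mail.example.test.", "5 relay.unknown-host.test."},
    ("example.test", "NS"): {"ns1.example.test.", "ns2.example.test."},
    ("vpn.example.test", "A"): {"198.51.100.77"},
}


def diff_dns_records(baseline, observed) -> Dict[str, List[str]]:
    """Report every way the observed records depart from the baseline:
    records that were never created, values that were changed or appended,
    and expected values that have disappeared."""
    findings: Dict[str, List[str]] = {"added": [], "missing": [], "unexpected_value": []}
    for key in sorted(set(baseline) | set(observed)):
        name, rtype = key
        expected = baseline.get(key, set())
        actual = observed.get(key, set())
        if not expected:  # whole record set is new to us
            findings["added"].append(f"{name} {rtype} {sorted(actual)}")
            continue
        for value in sorted(actual - expected):  # value we did not create
            findings["unexpected_value"].append(f"{name} {rtype} {value}")
        for value in sorted(expected - actual):  # value that went missing
            findings["missing"].append(f"{name} {rtype} {value}")
    return findings


# Constructed OWA-style log lines: date, time, client IP, user, HTTP status.
SAMPLE_OWA_LOG = """\
2019-01-23 08:02:11 10.20.30.41 jdoe 200
2019-01-23 08:05:47 203.0.113.200 jdoe 200
2019-01-23 08:09:03 10.20.30.42 asmith 200
2019-01-23 08:11:59 198.51.100.9 asmith 401
"""

# Constructed allow-list: internal range plus the organisation's public block.
ALLOWED_RANGES = [ipaddress.ip_network("10.20.0.0/16"),
                  ipaddress.ip_network("203.0.113.0/24")]


def unexpected_login_sources(log_text: str, allowed) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, ip, user, status) for every log line whose client IP
    is outside the allowed ranges. Malformed lines are skipped, not trusted."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        date, time_, ip, user, status = parts
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if not any(addr in net for net in allowed):
            hits.append((f"{date} {time_}", ip, user, status))
    return hits


if __name__ == "__main__":
    for category, items in diff_dns_records(BASELINE, OBSERVED).items():
        for item in items:
            print(f"DNS {category}: {item}")
    for hit in unexpected_login_sources(SAMPLE_OWA_LOG, ALLOWED_RANGES):
        print("OWA login from unexpected source:", hit)
```

The DNS comparison deliberately treats an appended value (a second MX record) as a finding, not just a replaced one, because a hijacker who adds a record alongside the original is harder to notice than one who swaps it. Run the comparison from a machine that does not rely on the registrar account under suspicion, and keep the baseline somewhere the registrar login cannot edit.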


Information for this post came from ZDNet and the US Computer Emergency Response Team at Carnegie Mellon.

Iran (?) Attacks Saudi Central Bank and Other Saudi Agencies

Starting in mid November, someone, possibly Iran, wiped many computers at a number of Saudi government agencies, including the Saudi Civil Aviation Agency.  A total of 6 agencies were attacked; 4 were compromised; 2 agencies repelled the attack.

The attack was made to look identical to an attack attributed to Iran in 2012 where tens of thousands of computers at the Saudi Aramco oil company were destroyed.

How “destroyed” is also unclear.  In the case of the Aramco attack, the oil company chose to be ultra cautious and replaced the disk drives in those 35,000 computers, causing a spike on the global market for disk drives.  We don’t know what they plan to do regarding this attack or how many computers were affected.

This is kind of similar to the attack on Sony, attributed to North Korea and the less successful attack 6 months before Sony on Sheldon Adelson’s Sands Hotel chain.

Since the Aramco attack is pretty public, someone wanting to cast a shadow of guilt on Iran (such as the CIA, KGB or Mossad) could have certainly planted the malware to stir up trouble.  We just don’t know.

For the soon-to-be-president Trump, this could get messy.  If he decides that it was Iran and that the U.S. needs to retaliate (big IF), then this escalates things.  It is pretty clear that the Iranians and their allies could certainly attack U.S. infrastructure – whether it is the San Francisco Metro or Gorilla Glue, if all they want to do is cause mischief, there are certainly plenty of soft targets.  If they want to get ugly, they could try for a critical infrastructure attack like the Russians did in Ukraine last year.  That could really get ugly.

The Saudis have not released much information about the attack; likely more will leak out over time, but how much and when is unknown.

Was it the Iranians?  Were they testing Trump?  Who knows, but get some buttered popcorn and stay tuned for the show.

Information for this post came from Bloomberg.



Duqu2 Malware Trail – From Kaspersky Labs to Iranian Nuclear Talks

Gene Kaspersky, head of the Russian anti-malware vendor and security research labs reported yesterday that the malware that infected his labs last year was also found … drum roll … at the hotels for the delegates to the Iranian nuclear talks (see article).

Gene Kaspersky, head of Kaspersky Labs

Kaspersky reported yesterday (see article) that their lab was the victim of a sophisticated attack that they detected in the early spring.  They said that the attack used three different zero day (previously unknown) vulnerabilities.

This malware, that they labelled Duqu2, does not write to disk, so anti-malware software that scans the disk cannot detect it.

The earlier version of Duqu used a bug in Microsoft Word.  This version uses a bug in the Microsoft Installer.

Gene said that while the attackers did get some material off their systems, they were detected early and they are confident that they removed the malware and that their customers are safe.

Fast forward to yesterday.  In the report, Kaspersky says that after they found this malware, they decided to do a little “spying” of their own to see where else this malware might be.

Given that their anti-malware software is loaded on tens of millions of computers, all they need to do is add a test for this particular malware and have the software tell them if it found it.

After scanning millions of computers, including thousands of hotels, they found it – on three luxury hotels in Europe.  What these hotels have in common is that each had hosted negotiations between Iran and the rest of the world over nuclear issues.

Hmmm.  Who might have an interest in that?  Russia?  United States?  Israel?  Kaspersky is not naming names – he doesn’t do that – but there are hints that he thinks it is Israel.  While Israel denies spying on the U.S. and other allies (except for those times where they got caught at it), they don’t deny that they spy on Iran.  However, they responded with a ‘no comment’ type of response when asked if this bug was theirs.  Assuming it was, there goes some valuable intel.

So what does Duqu2 do?  It is composed of 100 distinct modules that do different things.  One, for example, compresses video feeds – like you might get from a CCTV security camera.  Other modules targeted communications from phones to WiFi.  Another allowed them to eavesdrop on microphones in elevators, alarm systems and computers.

The FBI is reviewing Kaspersky’s report and said while they have not confirmed the report, it doesn’t surprise them that someone would attempt to attack those hotels.

U.S. officials said, “We’re trying to keep as much security as we can, but nothing ever stays completely secret in this world we live in these days.”  The British, German and French said ‘no comment’.

In today’s world, with as high stakes as these negotiations are, this is not much of a surprise.

Kaspersky says that the attack on them likely started when an employee in a satellite office in Asia clicked on an attachment and loaded the malware.  No doubt, they are running some anti-malware software 🙂 , so they detected the outbreak pretty quickly.

Pretty amazing stuff.