Category Archives: News

Prison for Dark Overlord Collaborator

Read Time:1 Minute, 51 Second

Prison for Dark Overlord Collaborator

A Canadian man has been sentenced to prison in the United States for trading in stolen identities and collaborating with the Dark Overlord cyber extortionist group.

Using the screen name GoldenAce, Slava Dmitriev bought and sold hundreds of illegally obtained IDs on the dark web. The 29-year-old resident of Vaughn, Ontario, traded in Social Security numbers and other personally identifiable information, including names and dates of birth belonging to American citizens. 

Between May 2016 and July 2017, Dmitriev made approximately $100K by selling 1,764 items (mostly stolen identities) via the darknet marketplace AlphaBay.

An investigation into Dmitriev’s cyber-criminal activities revealed that he aided the Dark Overlord with their illegal activities on multiple occasions. On June 16 2016, Dmitriev sent access credentials to the group for a New York-based dentist he had purchased on a criminal marketplace. The dentist subsequently became the victim of a cyber extortion attack perpetrated by the group. 

A month later, Dmitriev received a spreadsheet from the Dark Overlord containing approximately 200,000 stolen identities. Investigators also determined that in May 2017, Dmitriev sold data stolen by the group containing the identity of a victim residing in La Quinta, California.

Dmitriev was arrested in Greece in September 2020 through the coordinated efforts of the Federal Bureau of Investigation (FBI) and the Hellenic Police. When Greek police searched the residence where Dmitriev was staying, they located a computer containing emails discussing the buying and selling of identities and Social Security numbers, as well as a video about how to commit identity theft.

Dmitriev was extradited to the United States in January 2021 to face a charge of fraud and related activity in connection with access devices. On Wednesday, he was sentenced to three years in federal prison, followed by three years of supervised release.

“Dmitriev stole the identities of hard-working citizens of the United States and thought he was safe from prosecution while overseas,” said Phil Wislar, acting special agent in Charge of FBI Atlanta.  

He added: “This sentence will serve as a reminder that the FBI will always work diligently with International Law Enforcement partners to bring justice to citizens who have been victimized.”

Read More

Outdated IoT healthcare devices pose major security threats

Read Time:38 Second

More than half (53%) of the IoT (internet of things) and internet of medical things (IoMT) devices used in healthcare contain critical cybersecurity risks, according to The State of IoMT Device Security report by Cynerio, which analyzed devices from more than 300 hospitals in the US.

Cynerio makes IoT and security systems for heathcare providers. For the report, more than 10 million IoT and IoMT devices were scanned. Cynerio used a connector which, when connected to a SPAN (switched port analyzer) port on the core switch of a network, collects device traffic information for each device connected to the network. This information was then analyzed by an in-house AI algorithm to help identify vulnerabilities and threats.

To read this article in full, please click here

Read More

Securing Critical Infrastructure: The Essential Role of Public-Private Partnerships

Read Time:4 Minute, 30 Second

Government collaboration with industry can help drive strategic planning and tactical operations to address cyberthreats.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) states, “Public-private partnerships are the foundation for effective critical infrastructure security and resilience strategies, and timely, trusted information sharing among stakeholders is essential to the security of the nation’s critical infrastructure.” We couldn’t agree more.

Critical infrastructure is highly susceptible to cyberattacks, as seen with the SolarWinds attack in late 2020, which impacted global governments and critical infrastructure providers, and in the ransomware attacks on Colonial Pipeline and JBS Meat last year. However, with the proper IT infrastructure security in place, organizations can mitigate the risk of cyberattacks and protect their vulnerable data.

We believe it’s imperative for global governments to leverage the combined resources and expertise of government, industry and other stakeholders to enhance cybersecurity. Public-private partnerships play a critical role in establishing the strategic frameworks and tactical operational mechanisms necessary to secure data and IT infrastructure.

In the U.S., there are many federal agencies involved in public-private partnerships. For example, CISA and other government agencies are partnering with the information technology and communications industries to identify and to develop strategies to help address supply chain risk management challenges. Additionally, the National Cybersecurity Center of Excellence (NCCoE) leverages expertise from both the public and private sectors to develop cybersecurity guidance and solutions, aligned with international standards and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, to address real-world sector-specific and cross-sector cybersecurity challenges. For example, the NCCoE has announced a project on Implementing a Zero Trust Architecture, which will develop “how-to” guides and example approaches to help organizations on their journey to adopt zero trust strategies.

The President’s National Security Telecommunications Advisory Committee (NSTAC) and the Joint Cyber Defense Collaborative (JCDC) are critical public-private partnerships that should be further advanced over the next year. The NSTAC and JDCD allow for agencies to join efforts on combating cyberthreats through strategic planning and proactive defense measures.

How NSTAC supports public-private cybersecurity initiatives

NSTAC aims to assist agencies dealing with telecommunications that affect national security and emergency preparedness. The NSTAC brings together IT and communications sector industry leaders and executives from many of our country’s largest and most influential companies, as well as cybersecurity experts from the White House, CISA and other government agencies to provide advice on securing telecommunications and digital technologies to protect the nation. I have the privilege of supporting Tenable co-founder Jack Huffard, who serves as a member of the NSTAC.

The NSTAC is currently working on a multi-phase project for improving internet resilience. Under the initial phase of this project, the NSTAC released a report to the President on Software Assurance in the Information and Communications Technology and Services Supply Chain. For the second phase, the NSTAC is currently developing a report on recommendations for adopting zero trust architectures. In the next couple of months, NSTAC will launch the third phase of this project, focused on addressing cybersecurity challenges associated with the convergence of Information Technology and Operational Technology, which is vital to further protect industrial control systems and other critical infrastructure from cyberattacks.

How the JCDC supports public-private cybersecurity initiatives

The JCDC was established by CISA to create a collaborative environment for federal agencies and the companies involved to prevent cyber intrusions and implement national cyber defense plans. The JCDC joins forces with federal agencies, state and local governments, and private-sector companies to protect our nation’s critical infrastructure. CISA Director Jen Easterly noted that the JCDC allows for “a shared situational awareness of the threat environment, so that we understand it better to develop whole-of-nation comprehensive cyber defense plans to deal with the most significant threats to the nation to include significant threats to our critical infrastructure.”

Tenable was recently named as an Alliance Partner for the JCDC, meaning we will be collaborating with CISA across a range of cybersecurity issues and challenges, to provide strategic insights and operational response acumen. Managing vulnerabilities is essential to secure critical IT infrastructure and the work done by JCDC and CISA promotes the prioritization of network security. Federal agencies across the nation need to adopt initiatives put forth by the JCDC to ensure their networks are protected from vulnerabilities, like the recent Apache Log4J flaw, which has impacted billions of devices worldwide. The JCDC and CISA have been quick to respond and help protect the nation’s infrastructure from this vulnerability, a vital effort, especially given that recent research from Tenable shows that nearly 30% of organizations hadn’t begun scanning for Log4J as of late December.

Conclusion

As cyberattacks become more sophisticated, building collaborative communities between the public and private sectors is crucial to synchronize operations and take preventative measures as a unified front to critical infrastructure threats.

In order to complete many large-scale projects, the expertise and technology from private-sector entities, as well as the resource support and convening power of global governments, are what permit public-sector proposals to come to fruition.

Learn More

Log4Shell: 5 Steps The OT Community Should Take Right Now
CISA’s Binding Operational Directive on Managing Unacceptable Risk Vulnerabilities in Federal Enterprises Is Key to Stopping Federal Cyberattacks
Unpacking the U.S. National Security Memorandum on Improving Cybersecurity for Critical Infrastructure

Read More

Twelve-Year-Old Linux Vulnerability Discovered and Patched

Read Time:49 Second

It’s a privilege escalation vulnerability:

Linux users on Tuesday got a major dose of bad news — a 12-year-old vulnerability in a system tool called Polkit gives attackers unfettered root privileges on machines running most major distributions of the open source operating system.

Previously called PolicyKit, Polkit manages system-wide privileges in Unix-like OSes. It provides a mechanism for nonprivileged processes to safely interact with privileged processes. It also allows users to execute commands with high privileges by using a component called pkexec, followed by the command.

It was discovered in October, and disclosed last week — after most Linux distributions issued patches. Of course, there’s lots of Linux out there that never gets patched, so expect this to be exploited in the wild for a long time.

Of course, this vulnerability doesn’t give attackers access to the system. They have to get that some other way. But if they get access, this vulnerability gives them root privileges.

Read More

Stories from the SOC – WannaCry malware

Read Time:3 Minute, 35 Second

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.

Executive summary

WannaCry malware was first discovered in May 2017 and a patch was released roughly two months prior to its public release. However, 230,000 computers were globally affected by WannaCry as of 3/31/2021. It is unfortunate to hear, but many companies remain vulnerable to this attack due to unpatched systems. We often see that by the time some companies update their systems, they have already experienced a breach.

The Managed Threat Detection and Response (MTDR) SOC analyst team received 56 alarms related to the suspicious use of port 445 within a 24-hour timeframe. Given the high influx of alarms, our team created an Investigation to reveal which assets were using port 445, the destinations that were being communicated with, and the frequency of the connections. The customer quickly identified that the source assets were unpatched Windows 7 production servers affected by WannaCry. They were able to segment the infected computers, block SMB port 445, use Trend Micro’s Anti-Threat Toolkit to clean the machines, and then return the assets to the network.

Investigation

Initial alarm review

Indicators of compromise (IOC)

The initial alarms that triggered this investigation were created from a custom alarm. The MTDR team can create custom alarms specific to the customers environment to help improve time to response. The alarms were triggered when events from Trend Micro showed assets using Server Message Block (SMB) port 445 in which a single source was communicating with multiple destinations.

This initial alarm was one of many that was generated. The alarms came in with a priority of “Low” because use of SMB port 445 is common within the customer’s organization. Our team and the customer began to suspect that a breach had occurred due to the high volume of internal connections as well as those connections attempting to reach external IP’s.

Expanded investigation

Events search

Upon further investigation, we searched for events “CnC Callback” and “Suspicious Connection”. The team then analyzed these events over a 24-hour period. This analysis revealed all of the internal assets and their events’ sources and destinations. These assets were communicating over port 445 and were likely compromised systems.

Event deep dive

Continuing with the investigation, we learned that the affected assets were communicating with unknown external IP’s. Many of these outbound connections were blocked at the firewall; however, at this point, we were able to pivot from the external IP’s to look for more affected assets.

Reviewing for additional indicators

We then made a complete list of all potentially affected internal assets. After individually inspecting the assets, we discovered the following event: “Ransom_WCRY.SM2” on a few of the assets. This particular event confirmed our suspicion that this was, indeed, the WannaCry malware.

Response

Building the investigation

Within minutes of the team creating the investigation, the customer escalated the case. The customer noticed that all of the associated assets were part of a single subnet isolated to one sector of their business. The customer then isolated the subnet of potentially affected assets from the rest of the network in order to begin reviewing the machines.

While the assets were being scanned for further indicators of compromise, we involved the customer’s Threat Hunter (TH). The TH helped generate additional reports of all internal assets that were associated with the malicious events.

At this point, the customer blocked port 445 on the assets, used Trend Micro’s Anti-Threat Toolkit to clean the machines, and then returned the assets to the network.

We continued to closely monitor the customer’s network for further signs of compromise from the WannaCry malware. We maintained this vigilance until the team ensured the situation had been fully resolved.

Customer interaction

Our team worked closely with the customer to ensure we were up to date with any changes being made to their systems. Because of the close communication between our team and the customer, we were able to quickly assess the situation, investigate appropriate assets, and resolve the issue before any systems could be encrypted for ransomware.

Read More

US Revokes China Unicom’s License

Read Time:1 Minute, 35 Second

US Revokes China Unicom’s License

The US government has effectively stripped another Chinese telecoms player of its license to operate in the country on national security grounds.

The new Federal Communications Commission (FCC) order ends the ability of China Unicom Americas to provide telecoms services within the US.

It follows a March 2021 finding by the FCC in which it said the Chinese vendor had “failed to dispel serious concerns” about its continued operations.

In its ruling late last week, the FCC claimed that, as a state-owned enterprise, China Unicom “is subject to exploitation, influence and control by the Chinese government and is highly likely to be forced to comply with Chinese government requests without sufficient legal procedures subject to independent judicial oversight.”

It said this is more likely today than two decades ago when the firm’s license was first approved. The FCC is particularly concerned about Beijing’s ability to “access, store, disrupt and/or misroute US communications” and therefore conduct state-backed cyber-espionage via China Unicom.

“China Unicom Americas’ conduct and representations to the commission and Congress demonstrate a lack of candor, trustworthiness, and reliability that erodes the baseline level of trust that the Commission and other US government agencies require of telecommunications carriers given the critical nature of the provision of telecommunications service in the United States,” the FCC added.

According to the FCC order, “mitigation” would not address these national security concerns.

The firm now has 60 days to stop providing its services within the US.

China Unicom Americas is the latest of several Chinese state-owned telecoms firms caught in the middle of escalating hostility between Beijing and Washington.

Last year, China Telecom Americas also had its license revoked. In contrast, several years before that, the Trump administration blocked China Mobile USA’s application to enter the US market.

China Telecom is currently appealing the revocation of its license.

Read More

Crypto Finance Firm Offers $2m Bug Bounty to Hackers

Read Time:1 Minute, 37 Second

Crypto Finance Firm Offers $2m Bug Bounty to Hackers

A decentralized lending platform that lost $80m to hackers has offered them an astonishing multimillion-dollar bug bounty in return for the stolen funds.

Qubit Finance revealed at the end of last week that an attacker had exploited a vulnerability in its QBridge deposit function.

In doing so, they managed to get away with a large amount of Ethereum, which they converted to Binance coins with a value of tens of millions of dollars. In effect, they were able to exploit a mistake in Qubit Finance’s code to withdraw Binance tokens without depositing any Ethereum.

The firm pleaded with its attacker to return the funds, addressing them on Twitter as “dear exploiter.”

“We propose you to negotiate directly with us before taking any further action,” it wrote on Friday. “The exploit and loss of funds have a profound effect on thousands of real people. If the maximum bounty is now what you are looking for, we are open to have a conversation. Let’s figure out a solution.”

A follow-up note confirmed the firm would offer a “maximum” bug bounty and not seek to press charges if the attacker returned the funds.

Subsequent messages over the weekend then increased this ‘maximum’ bounty to $1m and then on Sunday to $2m.

It’s unclear whether the tactic was merely intended to buy investigators ADDITIONAL time or if the firm was genuinely prepared to hand over a considerable bug bounty to a cyber-criminal.

A new post issued hours ago revealed the firm is working on a new site that will enable affected users to access their digital wallets to file reports with local police. However, they have little hope of getting their money back unless the cyber-thieves decide to cooperate with Qubit Finance.

A report from Chainalysis last week claimed that decentralized finance (DeFi) protocols were attacked most last year, losing over $2bn.

Read More

QNAP Ransomware: Thousands Infected with DeadBolt

Read Time:1 Minute, 26 Second

QNAP Ransomware: Thousands Infected with DeadBolt

Thousands of QNAP users have been infected by a new ransomware variant flagged by the network-attached storage (NAS) vendor last week, according to a security vendor.

Taiwan-headquartered QNAP said last week that customers should urgently upgrade their systems to the latest version of its QTS operating systems and take steps to disconnect devices from the internet to mitigate the campaign.

Dubbed “DeadBolt,” the new ransomware variant demands a 0.03 Bitcoin ($1100) payment in return for a decryption key.

“This is not a personal attack,” reads the notice. “You have been targeted because of the inadequate security provided by your vendor (QNAP).”

Inventory firm Censys last week claimed there were around 5000 such devices impacted by the ransomware, although this is out of a total of 130,000 globally.

Interestingly, the vendor observed that the number fell sharply between January 26 and 27.

“Overnight, the number of services with the DeadBolt ransomware dropped by 1061, down to a total of 3927 infected services on the public internet,” it wrote.

“The exact reason for this drop is unknown at the moment, and we are continuing to monitor the situation. But earlier today, Malwarebytes reported that QNAP released a forced automatic update for their Linux-based operating system called QTS to address the vulnerability. This update reportedly removed the ransomware executable and reverted the web interface changes made by the ransomware.”

QNAP’s extorters had given it the opportunity to pay a flat rate of 50 BTC ($1.8m) to decrypt all customer data, but it does not appear to have acceded to these demands.

Some users have reported that decryption keys they were given following payment did not work.

Read More