Decipher https://decipher.sc
Decipher is an independent editorial site that takes a practical approach to covering information security. Through news analysis and in-depth features, Decipher explores the impact of the latest risks and provides informative and educational material for readers curious about how security affects our world.
Thu, 17 Jun 2021 00:00:00 -0400 en-us info@decipher.sc (Amy Vazquez) Copyright 2021

Reworked Data Protection Act Hits Senate
dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/reworked-data-protection-act-hits-senate Thu, 17 Jun 2021 00:00:00 -0400

Sen. Kirsten Gillibrand is reintroducing legislation that would create a federal Data Protection Agency to oversee the privacy and protection of Americans’ data and bring some order to what is currently a chaotic regime of state and industry laws and regulations.

Gillibrand (D-N.Y.) first introduced the Data Protection Act in February 2020, but it did not make much progress. In an effort to move the legislation along, Gillibrand has reworked it and added several new provisions, including language that would enable the DPA to protect against privacy harms and discrimination, oversee the use of high-risk data practices, and examine and propose solutions for the social, ethical, and economic effects of data collection. The DPA would be a federal executive agency headed by a director appointed by the president. The agency would have both rulemaking and enforcement powers, as well as the authority to issue subpoenas and carry out investigations.

The Data Protection Act of 2021 is designed specifically to rein in some of the data collection and usage practices of large platform providers, and Gillibrand specifically called out the way that those companies design their business models to monetize consumers’ data.

“The tech giants — Google and Facebook among them — have been the clear winners of our transition to the digital age. These companies have built major empires of data with information about our private lives. They’re processing that information with increasingly complex and sophisticated algorithms. And they’re making a whole lot of money off of it,” Gillibrand said.

“Meanwhile, major data breaches and ransomware attacks are exposing the sensitive data from tens of millions of Americans because the companies responsible for safeguarding it continue to face limited consequences for their failures. Bad actors use powerful data collection and processing techniques to target older Americans and other vulnerable citizens through robocalls and misinformation scams.”


The notion of a federal agency to oversee data privacy and protection has been circulating in Washington for many years, but it is especially relevant in the current environment, with more companies collecting more data than ever before. The United States is one of the few large nations that does not have an independent data protection agency, a fact that is doubly concerning given the lack of a national data breach law, as well. Most people have little if any idea of the amount of data that platform providers and other companies collect about their activities online, let alone what they do with that information, and Gillibrand’s bill would address that by directly regulating the collection and use of consumer data.

“Even the savviest consumers of technology cannot fully understand how companies use their data, where their data goes, how far companies are willing to go to profit from that data, and whether the companies’ business practices encroach on their privacy and freedom,” Gillibrand said.

“Moreover, companies have declared that this data is theirs for the taking, and they’ve repeatedly rejected responsibility and accountability for the greater impacts of any bad behavior.”

The reworked bill has garnered support from privacy and digital rights groups, as well as security experts.

"It’s time for America to catch up with the rest of the world and create a Data Protection Agency. Congress’ ongoing failure to modernize our privacy laws imposes enormous costs on individuals, communities, and American businesses alike. We need a new approach. Senator Gillibrand’s Data Protection Act creates an agency dedicated to safeguarding the personal data of individuals and ensuring that data practices are fair and non-discriminatory. The Data Protection Act is the game-changing proposal we need in order to ensure adequate oversight over what has become a massive sector of our economy and affects the daily lives of all Americans,” said Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center.

The full text of the bill is available here.

Ukrainian Police Arrest Suspected Cl0p Ransomware Operators
dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/ukrainian-police-arrest-suspected-cl0p-ransomware-operators Wed, 16 Jun 2021 00:00:00 -0400

Federal police in Ukraine have arrested several people who allegedly operated the Cl0p ransomware, which has been responsible for some of the larger ransomware infections of the last few years in the United States and other countries.

The Cl0p ransomware is tightly coupled with TA505, a cybercrime group that’s known for gaining initial access to large corporate networks and then selling that access to third parties for further exploitation. The Cl0p operators are among the subset of ransomware groups that not only demand a ransom for decrypting compromised machines, but also steal sensitive data and extort an additional payment in return for not publicly leaking the information.

On Tuesday, Ukrainian police announced that they had conducted 21 separate searches, arrested six people, and seized cash, cars, computers, and other devices as part of a cooperative operation with authorities in the U.S. and South Korea. They said the group was responsible for about $500 million in losses.

“It was established that six defendants carried out attacks of malicious software such as ‘Ransomware’ on the servers of American and Korean companies. For deciphering the data, they demanded a ‘ransom’, and in case of non-payment, they threatened to disclose the confidential data of the victims,” Ukraine’s Cyberpolice Department said in a statement.

The Cl0p operators have targeted a wide range of companies, including technology providers, aviation companies, and others. Like some other ransomware operators, the Cl0p group runs a site that lists its current victims and portions of stolen data as a form of leverage to incentivize victims to pay.

“CL0P maintains two online presences to support its Big Game Hunting operations. The first presence is their leak portal called ‘CL0P^-LEAKS’. Its purpose is to frighten future victims by hosting sensitive data of past victims that didn’t pay the ransom. The second presence is their negotiation portal. This serves as a “customer support” for victims that are willing to come to an agreement and pay the ransom,” Thomas Barabosch, a senior cyber security analyst at Deutsche Telekom, wrote in an analysis of the group’s activities in January.


“CL0P is one of the ransomware gangs that adopted the double extortion technique. Before they deploy their ransomware, they exfiltrate up to terabytes of sensitive data from the victim’s network. In case the victim had proper backups setup and is not willing to pay the ransom, they still can threaten to publish this data on their leak portal ‘CL0P^-LEAKS’.”

The Ukrainian police said the Cl0p operators had targeted companies in South Korea, as well as Stanford University, the University of Maryland, and the University of California.

“In 2019, four Korean companies were attacked by the Clop encryption virus, as a result of which 810 internal servers and personal computers of employees were blocked. Hackers sent e-mails with a malicious file to the mailboxes of company employees. After opening the infected file, the program sequentially downloaded additional programs from the distribution server and completely infected the victims' computers with a remote managed program, Flawed Ammyy RAT,” the police statement said.

“Using remote access, the suspects activated malicious software Cobalt Strike, which provided information about the vulnerabilities of infected servers for further capture.”

The Cl0p arrests come during a period of intense scrutiny of ransomware groups by law enforcement agencies in the U.S. and other countries, following several high-profile intrusions, including the Colonial Pipeline and JBS USA attacks. Congress has held a number of hearings on ransomware activity recently, and the FBI has sharpened its focus on operators, including an operation that recovered $2.3 million of the ransom paid by Colonial Pipeline Co. to the DarkSide ransomware actors.

Decipher Podcast: Derek Manky
lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/decipher-podcast-derek-manky Tue, 15 Jun 2021 00:00:00 -0400

Microsoft Disrupts Broad Cloud-Based BEC Campaign
dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/microsoft-disrupts-broad-cloud-based-bec-campaign Tue, 15 Jun 2021 00:00:00 -0400

Microsoft researchers have disrupted a major phishing and business email compromise campaign that used infrastructure hosted on several different cloud providers and attacker-installed forwarding rules in compromised inboxes to systematically steal information from organizations.

The campaign affected an unknown number of target companies, but Microsoft said that during investigations by its 365 Defender team, researchers saw hundreds of compromised inboxes. The attackers behind the operation began with a simple phishing campaign that used messages with file attachments purporting to be voice mail recordings. If a victim executes the attachment, it will run some embedded JavaScript that displays a fake Microsoft login prompt, which already has the username entered. When the victim enters the password, the JavaScript will eventually display an error message while the credentials are sent to the attacker through a redirect.

“Having already gained access to mailboxes via the credential phishing attack, attackers gained persistent data exfiltration channel via email forwarding rules. During the course of our investigation of this campaign, we saw hundreds of compromised mailboxes in multiple organizations with forwarding rules,” Stefan Sellmer and Nick Carr of Microsoft said in a post on the campaign.

“These forwarding rules allowed attackers to redirect financial-themed emails to the attacker-controlled email addresses ex@exdigy.net and in@jetclubs.biz. The attackers also added rules to delete the forwarded emails from the mailbox to stay stealthy.”

The rules looked for messages with keywords such as invoice, payment, or statement, ensuring that they would gather sensitive financial data. This is a more persistent twist on the typical BEC scam, which usually employs highly targeted emails that aim to trick the recipient into sending a large amount of money to the attacker through a fake invoice or urgent business deal. Those messages often use time as the catalyzing factor, but in the campaign that Microsoft uncovered, the attackers went a step further and stole the victims’ usernames and passwords and set up rules to maintain persistent access to those inboxes.
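Detection logic for the rule pattern described above, as an added example rather than anything from Microsoft's post: it scores mailbox rule records for the three traits the article names (external forwarding, financial keyword filters, deletion of the forwarded copy). The organisation domain, the rule fields and the sample records are constructed; the two attacker addresses are the ones quoted in the article.

```python
"""Triage inbox rules for the BEC persistence pattern described in the article.

The InboxRule fields are a constructed, simplified stand-in for exported
mail-rule properties; they are not a real product schema.
"""
from dataclasses import dataclass, field

# Keywords the article says the attackers filtered on.
FINANCIAL_KEYWORDS = {"invoice", "payment", "statement"}
# Assumed organisation domain (constructed for the example).
INTERNAL_DOMAINS = {"example.com"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool = True
    keywords: list = field(default_factory=list)     # subject/body keyword filters
    forward_to: list = field(default_factory=list)   # forwarding targets
    redirect_to: list = field(default_factory=list)  # redirect targets
    delete_message: bool = False                     # delete after forwarding


def external_targets(rule, internal_domains=INTERNAL_DOMAINS):
    """Forward/redirect addresses whose domain is not one of ours."""
    targets = rule.forward_to + rule.redirect_to
    return [t for t in targets
            if t.rsplit("@", 1)[-1].lower() not in internal_domains]


def score_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Return (score, reasons). Each trait adds one point; the combination of
    traits, not any single one, is what separates this pattern from a benign
    forward to a colleague or shared mailbox."""
    reasons = []
    if not rule.enabled:
        return 0, reasons
    ext = external_targets(rule, internal_domains)
    if ext:
        reasons.append("forwards to external address(es): " + ", ".join(ext))
    kw = {k.lower() for k in rule.keywords} & FINANCIAL_KEYWORDS
    if kw:
        reasons.append("filters on financial keywords: " + ", ".join(sorted(kw)))
    if rule.delete_message and ext:
        reasons.append("deletes the message after forwarding, hiding it from the owner")
    if not rule.name.strip() or rule.name.strip() in {".", ",", "..."}:
        reasons.append("rule name is blank or a single punctuation mark")
    return len(reasons), reasons


def triage(rules, threshold=2):
    """Rules scoring at or above threshold, highest score first."""
    hits = []
    for r in rules:
        score, why = score_rule(r)
        if score >= threshold:
            hits.append((score, r.mailbox, r.name, why))
    return sorted(hits, key=lambda h: -h[0])


def sample_rules():
    """Constructed sample records: one matching the article's pattern, one
    benign internal forward, one lone external forward, one disabled rule."""
    return [
        InboxRule("cfo@example.com", ".", keywords=["invoice", "payment", "statement"],
                  forward_to=["ex@exdigy.net"], delete_message=True),
        InboxRule("ap@example.com", "Copy ops mail to shared box",
                  forward_to=["ops@example.com"]),
        InboxRule("hr@example.com", "Home copy", forward_to=["someone@personal.example"]),
        InboxRule("ceo@example.com", ",", enabled=False, keywords=["payment"],
                  redirect_to=["in@jetclubs.biz"], delete_message=True),
    ]


if __name__ == "__main__":
    for score, mailbox, name, why in triage(sample_rules()):
        print(f"{mailbox} rule {name!r} score={score}")
        for reason in why:
            print("  -", reason)
```

A disabled rule is skipped on purpose, so a separate check for recently disabled or deleted rules is still worth keeping in the audit.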

The second unique aspect of this campaign is its reliance on infrastructure hosted on a number of separate cloud platforms. More and more attack groups are utilizing cloud platforms for their operations, as they offer cheap, disposable infrastructure. Spreading the operation across several cloud platforms has the additional advantage of making life more difficult for defenders trying to track the attackers' activities.

“The use of attacker infrastructure hosted in multiple web services allowed the attackers to operate stealthily, characteristic of BEC campaigns. The attackers performed discrete activities for different IPs and timeframes, making it harder for researchers to correlate seemingly disparate activities as a single operation,” Sellmer and Carr said.

Microsoft researchers were able to correlate the activities of the attackers from across the disparate cloud platforms and disrupt the campaign.

Google Gives Enterprises Control of Workspace Encryption Keys
dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/google-gives-enterprises-control-of-workspace-encryption-keys Mon, 14 Jun 2021 00:00:00 -0400

Google is readying a new set of security protections for enterprises that use its Workspace suite of tools, including the ability for organizations to enable client-side encryption of their data and have direct control of the keys.

Once the feature rolls out, when users create a new document, spreadsheet, or other file in Google Workspace, they can choose to create it as an encrypted file. To enable the feature, which will be coming out in beta form in the next few weeks, customers will need to choose one of four key-management companies that Google has partnered with: Thales, Virtru, Flowcrypt, or Futurex.

“With Client-side encryption, customer data is indecipherable to Google, while users can continue to take advantage of Google’s native web-based collaboration, access content on mobile devices, and share encrypted files externally. When combined with our other encryption capabilities, customers can add new levels of data protection for their Google Workspace data,” Karthik Lakshminarayanan and Erika Trautman of Google said in a post.

“Client-side encryption is especially beneficial for organizations that store sensitive or regulated data, like intellectual property, healthcare records, or financial data.”


The way that the new feature is set up ensures that the key-management service, and not Google, controls the encryption key and the access to it. And, Google will be publishing an API in the near future that will allow enterprises to build their own internal key-management services if they’d rather not trust that to a third party.

In addition to the client-side encryption, Google is also adding a feature that allows administrators to create granular rules for sharing files internally. The feature enables the creation of policies for file-sharing among specific groups inside an organization that take into account the way that business units and partners work together.

“With these new rules in place, admins can enforce restrictions that limit internal and external sharing. Specific rules can even be set for organizational units and groups, allowing a more granular approach than enforcing blanket policies on every user,” Lakshminarayanan and Trautman said.

Google also is adding enhanced malware and phishing protection for Workspace users, a feature that allows for the detection and quarantine of malicious or otherwise unwanted files created internally. It is an analog to the protections that Google already provides customers against malware from external sources.

“If abusive content is found, the relevant file is flagged and made visible only to admins and the file’s owner. This prevents sharing and reduces the number of users potentially impacted by the abusive content,” Lakshminarayanan and Trautman said.

The beta rollout for the new features will start in the next few weeks.

Law Enforcement Agencies Disrupt Slilpp Underground Marketplace
dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/law-enforcement-agencies-disrupt-slilpp-underground-marketplace Fri, 11 Jun 2021 00:00:00 -0400

A coalition of international law enforcement agencies, including the FBI, has disrupted the operations of Slilpp, which is considered the largest underground criminal marketplace for stolen credentials.

The marketplace has been in operation since at least 2021, and the Justice Department alleges that the stolen credentials sold on the site have caused more than $200 million in losses to victims in the United States alone. Working with law enforcement agencies in Germany, the Netherlands, and Romania, the FBI identified servers that hosted the Slilpp infrastructure and domains, and then seized them. More than a dozen people have been charged or arrested by law enforcement in the U.S.

“The Slilpp marketplace allegedly caused hundreds of millions of dollars in losses to victims worldwide, including by enabling buyers to steal the identities of American victims,” said Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division. “The department will not tolerate an underground economy for stolen identities, and we will continue to collaborate with our law enforcement partners worldwide to disrupt criminal marketplaces wherever they are located.”

The Slilpp marketplace was one of a number of similar sites that allow users to buy and sell login credentials for a variety of different account types, such as banks, payment systems, and mobile phone providers. The Justice Department said at the time of the disruption, there were more than 1,400 sets of credentials for sale on the site. Cybercrime marketplaces like Slilpp have been around for about as long as the web has existed, and they often don’t last very long before law enforcement takes notice. But many marketplaces will disappear and then pop up again in a different guise a few weeks later.

The Internet is awash in stolen credentials: usernames and passwords dumped after data breaches, stolen in targeted attacks, or gathered in other ways. Some of those credential sets aren’t valid for long, as users change passwords if they’re notified of a breach or compromise. But plenty of them remain useful long enough for criminals to access the affected account and take advantage of it.

“American identities are not for sale,” said Assistant Director in Charge Steven M. D’Antuono of the FBI Washington Field Office. “The FBI remains committed to working with our international partners to dismantle global cyber threats.”

This has been a big week for the FBI’s anti-cybercrime efforts. In addition to the Slilpp disruption, on Monday the bureau announced that it had seized about $2.3 million of the $4.4 million ransom that the Colonial Pipeline Co. had paid after an intrusion by DarkSide ransomware actors.

JBS Paid $11 Million Ransom
dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/jbs-paid-usd11-million-ransom Thu, 10 Jun 2021 00:00:00 -0400

JBS USA, the huge meat and food producer that was the victim of a ransomware attack in late May, said it has paid $11 million in ransom, even though most of its systems had been restored from backups and were already back up and running at the time of the payment.

The attack hit JBS on May 30 and just four days later the company announced that it had fully restored the affected systems and that its global production operations were back to normal. The company did not say at that time that it had paid any ransom, but simply stated that it had used its encrypted backup servers to restore its production systems. The FBI attributed the attack to REvil, one of many ransomware-as-a-service offerings available to attackers. REvil actors are known for huge ransom demands and also for stealing sensitive data before encrypting compromised systems.

“Thanks to the dedication of our IT professionals, our operational teams, cybersecurity consultants and the investments we have made in our systems, JBS USA and Pilgrim’s were able to quickly recover from this attack against our business, our team members and the food supply chain,” said CEO Andre Nogueira on June 3. “The criminals were never able to access our core systems, which greatly reduced potential impact.”


But on Wednesday, Nogueira said that JBS had in fact paid a ransom, and a significant one at that. The $11 million payment is one of the larger known ransomware payments in recent memory, and it’s even more unusual for the fact that the company had already recovered most of its affected systems. But, it fits with the way that attacks by REvil ransomware actors often go. REvil actors often demand a ransom for the decryption of encrypted systems, and then an additional payment not to release data publicly that was stolen during the intrusion. This double extortion tactic has become more and more popular in the last few months, as actors have looked for new ways to extract as much money as possible from their victims.

“This was a very difficult decision to make for our company and for me personally,” said Nogueira. “However, we felt this decision had to be made to prevent any potential risk for our customers.”

Nogueira did not say whether the REvil actors had actually demanded a payment not to release data, but in the statement released Wednesday, the company said the payment was made “to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.”

The disclosure of JBS’s ransom payment comes just two days after the Department of Justice announced that it had seized $2.3 million of the $4.4 million ransom that Colonial Pipeline Co. had paid to DarkSide ransomware actors last month.

Microsoft Fixes Six Zero Days Used in Attacks
dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/microsoft-fixes-six-zero-days-used-in-attacks Wed, 09 Jun 2021 00:00:00 -0400

Six of the vulnerabilities that Microsoft fixed in its June Patch Tuesday update have been exploited in the wild, including two that were used along with a Chrome flaw as part of an exploit chain in targeted attacks in April.

Those attacks affected a small number of companies. Researchers at Kaspersky dug into the details of the exploits and discovered the two Windows flaws, one an information disclosure (CVE-2021-31955) and the other an elevation of privilege (CVE-2021-31956). The flaws affect all of the current versions of Windows, and the attacks that Kaspersky observed in April used a separate Chrome zero day to gain initial access to victims’ computers.

“All of the observed attacks were conducted through Chrome browser. Unfortunately, we were unable to retrieve the JavaScript with full exploit code, but the timeframe of attacks and events preceding it led us to suspect one particular vulnerability.

“On April 14, 2021, Google released Chrome update 90.0.4430.72 for Windows, Mac and Linux with a fix for 37 vulnerabilities. On the same day, a new Chrome exploit was presented to the public,” Kaspersky researchers wrote in a post.

“This newly published exploit used a vulnerability from issue 1195777, worked on the newly released Chrome 90.0.4430.72, and was fixed as CVE-2021-21224 only a few days later, on April 20, 2021. We suspect the attackers were also able to use this JavaScript file with regression test to develop the exploit (or acquire it from someone else) and were probably using CVE-2021-21224 in their attacks.”

The Kaspersky researchers were not able to retrieve the Chrome exploit, but they identified four separate modules that are installed on compromised machines after the exploit chain is used. There is a stager, a dropper, a service, and a remote shell module, and all of the stager modules downloaded the other pieces from a site that’s designed to look like a legitimate news site.

“The dropper module is used to install two executables that pretend to be legitimate files belonging to Microsoft Windows OS. One of these files (%SYSTEM%\WmiPrvMon.exe) is registered as a service and is used as a launcher for the second executable. This second executable (%SYSTEM%\wmimon.dll) has the functionality of a remote shell and can be considered the main payload of the attack. We couldn’t find any similarities between this and other known malware,” the Kaspersky researchers said.

In addition to the two vulnerabilities used in those attacks, Microsoft patched a vulnerability discovered by a researcher from Google Project Zero that has been used in attacks, as well. That flaw (CVE-2021-33742) is in the Windows MSHTML browser engine, and Google researchers said there are indications that it was sourced from a commercial exploit broker.

“More details on CVE-2021-33742 will come from the team, but for context this seems to be a commercial exploit company providing capability for limited nation state Eastern Europe / Middle East targeting,” Shane Huntley, director of Google’s Threat Analysis Group, said on Twitter.

“I'm happy we are getting better at detecting these exploits and the great partnerships we have to get the vulnerabilities patched, but I remain concerned about how many are being discovered on an ongoing basis and the role of commercial providers.”

The three other vulnerabilities patched in June that have been exploited are CVE-2021-33739, CVE-2021-31199, and CVE-2021-31201, but no details are available about the exploitation.

Colonial Pipeline CEO Says Ransom Payment 'Right Thing to Do' For Country
dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/colonial-pipeline-ceo-says-ransom-payment-right-thing-to-do-for-country Tue, 08 Jun 2021 00:00:00 -0400

Within hours of realizing that a ransomware attack had hit the Colonial Pipeline network on May 7, with the company’s IT network mostly offline and the fuel pipeline itself shut down, Colonial Pipeline’s CEO had already decided to begin the negotiation process with the actors to pay the ransom, reasoning that an extended outage of the pipeline could affect fuel distribution not just at gas stations, but also at airports for months to come.

Had the company not shut down the pipeline when it did, preventing the ransomware from potentially spreading to the operational technology network that controls it, and started the ransom payment process, things could have gone much worse than they did, CEO Joseph Blount Jr. said.

“The attack forced us to make difficult choices in real time that no company ever wants to face. I made the decision to pay and keep the payment confidential. I put the interests of the country first. I kept the information closely held because I was concerned about operational security and safety. I believe with all my heart it was the right choice to make,” Blount said during a hearing of the Senate Committee on Homeland Security and Governmental Affairs Tuesday.

“We’d already seen pandemonium and panic buying. The concern would be what would happen at the airports, where we supply a lot of jet fuel? In the early hours of May 7, we didn't know exactly what we had. We didn’t know if it was just a cyber attack. We had to make sure it wasn’t an attack on our physical infrastructure, too.”

The effects of the attack on Colonial Pipeline are still emerging, and Blount said not all of the company’s systems are back online yet, a month after the initial intrusion. The company paid a $4.4 million ransom to the actors the day after the attack and then received the decryptor tool to begin the recovery process. Though the tool worked as intended and decrypted the systems directly compromised by the DarkSide ransomware, that’s just one piece of the recovery, Blount said, noting that several of the company’s finance systems are just coming back online this week.

“It takes months and months and months and in some cases years to restore these systems. Our focus that first week was to restore the critical systems and bring the pipeline back up,” Blount said.

“The remediation is ongoing. The keys are useful and we did take advantage of them, but they’re not perfect.”

In addition to installing ransomware, the DarkSide actors also stole some of the company’s data, which Blount said Colonial Pipeline had retrieved from the actors. However, he said he’s not sure what specific information was taken.


“It was retrieved very quickly. It was brought back in. We don’t fully understand everything that’s in it, because of where it’s been held since it was retrieved,” he said.

Blount’s testimony came the day after the Department of Justice announced that it had seized $2.3 million of the ransom that Colonial Pipeline had paid. The seizure was the end result of the FBI tracing the Bitcoin payment through a series of digital wallets to its eventual destination, which happened to be on a computer in California. The recovery is an unusual outcome for these investigations, and Blount said that the decision to call the FBI as soon as technicians discovered the ransomware attack was a key factor in limiting the damage.

“Our engagement with those federal authorities helped us achieve meaningful milestones in our response process to address the attack and restore pipeline operations as quickly as possible,” Blount said.

Blount told the committee that while he and his team were aware of the FBI’s stated guidance against paying ransoms, the bureau did not give the company any specific advice after the intrusion, and the decision to pay the ransom was Blount’s. The company and its lawyers and negotiators also checked to ensure that the actors to whom they paid the ransom were not sanctioned entities by the Office of Foreign Asset Control.

“But I believe that restoring critical infrastructure as quickly as possible, in this situation, was the right thing to do for the country. We took steps in advance of making the ransom payment to follow regulatory guidance and we have explained our course of dealings with the attackers to law enforcement so that they can pursue enforcement options that may be available to them,” he said.

Attacks Target Critical VMware vCenter Flaw
dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/attacks-target-critical-vmware-vcenter-flaw Mon, 07 Jun 2021 00:00:00 -0400

Two weeks ago, VMware released a patch for a critical vulnerability in several versions of its vCenter Server product and urged customers to update as quickly as possible. Now, attackers are targeting unpatched servers, some using publicly available exploits, and installing webshells on compromised systems.

The vulnerability in vCenter (CVE-2021-21985) can give an attacker complete control of a target machine, and there are public proof-of-concept exploits available for it. In the days after VMware published the advisory, security vendor Rapid 7 said it had identified about 6,000 vulnerable servers that were exposed to the Internet. Late last week, security researchers and companies that monitor scanning activity began reporting opportunistic exploit attempts against the vulnerability from a variety of sources. On June 3, Bad Packets, which monitors mass scanning activity, identified scans from an IP address in the Netherlands looking for vulnerable servers, and GreyNoise is showing scans and exploit attempts from a number of locations, including China, Germany, and the United States.

On June 4, researcher Kevin Beaumont mentioned on Twitter that a honeypot he maintains had been compromised with an exploit for the vCenter vulnerability and a webshell was installed afterward. The activity has picked up over the weekend, and on Saturday, the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory about the exploitation activity and again encouraged customers to update their installations of vCenter.

“CISA is aware of the likelihood that cyber threat actors are attempting to exploit CVE-2021-21985, a remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation. Although patches were made available on May 25, 2021, unpatched systems remain an attractive target and attackers can exploit this vulnerability to take control of an unpatched system,” the CISA advisory says.

Although the Rapid 7 data showed nearly 6,000 vulnerable vCenter servers exposed to the Internet, that’s not the recommended configuration, and security experts advised enterprise teams not to connect those servers to the public Internet if at all possible.

“Don’t connect vCenter directly to the internet by design, especially the appliance version. The appliance version is closed box Linux with no AV; somebody drops a webshell on box and now it’s permanently backdoored (even if patched) with no way to know, and it has ESXi access,” Beaumont said.

The vulnerability affects versions 6.5, 6.7, and 7.0 of vCenter Server, as well as versions 3.x and 4.x of Cloud Foundation. VMware has advised customers that the threat of exploitation against this vulnerability is quite serious and encouraged them to install the updates immediately if they had not done so already.

“With the threat of ransomware looming nowadays the safest stance is to assume that an attacker may already have control of a desktop and a user account through the use of techniques like phishing or spearphishing, and act accordingly. This means the attacker may already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence,” VMware said in an FAQ.

<![CDATA[U.S. Seizes $2.3 Million From DarkSide Actors Who Targeted Colonial Pipeline]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/u-s-seizes-usd2-3-million-from-darkside-actors-who-targeted-colonial-pipeline https://duo.com/decipher/u-s-seizes-usd2-3-million-from-darkside-actors-who-targeted-colonial-pipeline Mon, 07 Jun 2021 00:00:00 -0400

The Department of Justice has recovered a significant portion of the Bitcoin ransom that the Colonial Pipeline Co. paid to the DarkSide ransomware actors who targeted the company last month.

The department obtained a seizure warrant to remove about 63.7 Bitcoin from a wallet housed on a computer in Northern California, a sum that’s equivalent to about $2.3 million at the time of the seizure. The operation was the work of the Ransomware and Digital Extortion task force, which includes members from the FBI, the Executive Office of United States Attorneys, and the Department of Justice, and it’s the first incident in which the task force was able to trace and recover ransom funds.

Colonial Pipeline officials notified the FBI on May 8 that the DarkSide actors had demanded a payment of 75 Bitcoin, which it later paid. The FBI was able to trace the payment and identify the wallet in which about 63 of the Bitcoin eventually wound up. The bureau was able to get the private key for the wallet and on Monday used the warrant to seize the funds.

“The old adage, follow the money still applies. When they target critical infrastructure, we will spare no effort in our response. Today we turned the tables on DarkSide by going after the entire ecosystem that fuels this and we will continue to increase the cost of doing business for these attackers,” Deputy Attorney General Lisa Monaco said during a press conference Monday.

The attack on Colonial Pipeline’s network disrupted the distribution of fuel in several southern states in early May, and it seems to have marked something of a turning point for the way that the federal government approaches ransomware attacks in general and intrusions on critical infrastructure networks in particular. The attack drew the attention of the White House, and last week Monaco issued a memorandum instructing all federal prosecutors to file urgent notifications for any new ransomware incident in their jurisdictions. The U.S. government is now treating ransomware as a whole as a national security threat, and Monaco advised enterprises to consider it an existential threat to their business.

“Pay attention now. Invest resources now. Failure to do so may be the difference between being secure now and being attacked later,” she said.

“There is no higher priority for the Department of Justice than using all of our available tools to protect our nation from threats.”

Disrupting the payment ecosystem is one of several tactics that researchers, law enforcement, and government agencies have been pursuing as a way to deter ransomware actors and break their business model. But that is much easier said than done given that essentially all ransoms are paid in cryptocurrency, and law enforcement agencies have historically had a hard time tying specific payments to specific wallets. But that has been changing of late, and in the Colonial Pipeline case the FBI seems to have caught a break when the ransom eventually landed in a wallet housed on a computer in the U.S. Much of the infrastructure used in ransomware attacks and payments is located outside of the U.S., as are the vast majority of the actors, which makes it quite difficult for U.S. officials to reach them. The Colonial Pipeline case was the rare exception.

“Today we deprived a cybercriminal enterprise of the object of their conspiracy. Cutting off access to revenue is one of the most impactful consequences we can impose,” said Paul Abbate, deputy director of the FBI.

However, relying on attackers’ mistakes is not a long-term solution to the ransomware problem, as Monaco acknowledged.

“We may not be able to do this in every instance,” she said.

<![CDATA[Finding Badness in AWS With Patrolaroid]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/finding-badness-in-aws-with-patrolaroid https://duo.com/decipher/finding-badness-in-aws-with-patrolaroid Fri, 04 Jun 2021 00:00:00 -0400

Finding malicious behavior in cloud instances is no easy task, especially given the instability and overhead issues that agent-based malware scanners can cause. A pair of security researchers have written a new open-source tool that’s designed to address those problems by taking a snapshot of an AWS instance and then scanning that for malware rather than doing scanning in the production environment.

The tool, called Patrolaroid, is designed to scan both EC2 instances and S3 buckets for malware, cryptominers, backdoors, and other malicious code, and it’s the work of Kelly Shortridge and Ryan Petrich. The pair wanted to create a tool that didn’t require an agent and wouldn’t cause any static with users’ AWS production workloads. So rather than using the existing approach of installing an agent just in time, running it, and then deleting it after the scan is finished, Patrolaroid takes a snapshot of each instance, scans it against a set of YARA rules and then deletes the snapshot volumes afterward.

“It is a little weird that the cloud providers themselves don’t provide something like this. There are a bunch of tools that make bold claims about finding scary 0-days or malware in the cloud, but for the most part, those traditional approaches aren’t going to be OK running in production,” Shortridge said.

Patrolaroid simply requires access to an AWS instance that is on the same account as whichever instances or S3 buckets the user wants to scan. Because the tool takes a snapshot and scans that, rather than the instance or bucket as it’s running, there’s no danger of it causing stability problems or robbing the server of any cycles.

"There are more ways to access data on an instance than just by being on it. I’ve always figured that if you’re going to do anything dangerous, take a snapshot in case anything goes wrong,” said Petrich.

"If you could just not put the agent alongside the thing that it could damage, then it could fall on its face and it wouldn’t matter.”

Patrolaroid comes with a basic set of YARA rules that will identify some known malware, webshells, cryptominers, and backdoors, but Shortridge said users could add their own, as well.

“The rules we wrote are for something that’s very wrong and shouldn’t be happening. Even if you’re a total newbie, you can run this anyway. It’s not complicated,” Shortridge said.

“Given that malware scanning is such a part of compliance efforts we felt it’s important to have a no-brainer tool that won’t crash prod or steal cycles from prod.”

Patrolaroid is free and open source.

<![CDATA[Van Buren Decision Narrows CFAA Interpretation]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/van-buren-decision-narrows-cfaa-interpretation https://duo.com/decipher/van-buren-decision-narrows-cfaa-interpretation Fri, 04 Jun 2021 00:00:00 -0400

In its first ever decision on a Computer Fraud and Abuse Act case, the United States Supreme Court has clarified some of the vague language in the law and specified that websites and online service providers can’t use the law to limit how people use their services.

The ruling in Van Buren v. United States delivered Thursday narrows the interpretation of the CFAA, which is the main federal law used to prosecute computer crimes and has been the subject of much criticism by the technical legal community and security researchers. The ruling is the first time the CFAA has been addressed by the court and it’s considered a significant step in curbing some of the overly broad usage of the law that has plagued the security research community for many years.

“The Van Buren decision is especially good news for security researchers, whose work discovering security vulnerabilities is vital to the public interest but often requires accessing computers in ways that contravene terms of service. Under the Department of Justice’s reading of the law, the CFAA allowed criminal charges against individuals for any website terms of service violation. But a majority of the Supreme Court rejected the DOJ’s interpretation,” wrote Aaron Mackey and Kurt Opsahl, attorneys at the Electronic Frontier Foundation, which has pushed for CFAA reform.

“And although the high court did not narrow the CFAA as much as EFF would have liked, leaving open the question of whether the law requires circumvention of a technological access barrier, it provided good language that should help protect researchers, investigative journalists, and others.”

The case involved the actions of Nathan Van Buren, a former police officer in Georgia who allegedly ran a license plate check on his department’s computer in exchange for a payment, which was part of an FBI sting operation. Van Buren had the authority to access the database and run the check, although the purpose for which he was doing so was not authorized.

“Van Buren’s conduct plainly flouted his department’s policy, which authorized him to obtain database information only for law enforcement purposes,” the Supreme Court opinion says.

But when it came to the question of whether Van Buren had violated the CFAA, the court ruled that he had not.

“This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them,” the opinion says.

The CFAA has cast a long shadow over the security research community since its passage in 1986, and while the Van Buren ruling provides a narrower interpretation of the law, it does not completely reform it.

“When it comes to cybersecurity, there is good news and bad news. The good news is that security researchers would seem to have greater leeway to conduct research on computers or information to which they have authorized access, such as scraping data from publicly accessible websites even if the website TOS prohibits scraping or using the website information for security research. However, the ruling will also be perceived to exacerbate the “insider threat” problem, such as employees misusing sensitive data which they are authorized to access,” said Harley Geiger, an attorney and senior policy director at Rapid 7.

<![CDATA[Securing the Open Source Software Supply Chain]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/securing-the-open-source-software-supply-chain https://duo.com/decipher/securing-the-open-source-software-supply-chain Thu, 03 Jun 2021 00:00:00 -0400

The rash of supply chain attacks that have emerged in the last year hit some of the largest commercial software companies on the planet, causing widespread ripple effects for tens of thousands of organizations. But beyond the huge headline-grabbing incidents such as SolarWinds, there is a low hum of constant, smaller attacks on open source software projects that can cause serious issues for not just a given project’s maintainers and users, but also the maintainers and users of downstream projects that depend upon it.

The most recent example of this problem is the attack that compromised the Codecov code-coverage tool’s bash uploader script. That incident affected not just the companies that relied on the tool itself, but also many of the countless downstream open source projects that use it. The attacker had access to the script for more than two months and had the ability to steal sensitive data from customers’ environments.

“The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script,” Jerrod Engelberg, CEO of Codecov, said in a statement.

There are plenty of other quieter incidents that stay below the radar, including simple typosquatting attacks that try to impersonate popular packages, and more complex attempts to insert backdoors into projects.

“There are two problems with open source software security. First, it’s open source, and second, it’s software. All software has bugs, whether it’s written by me or by you or by someone you’ve never met,” said Dan Lorenc, a software engineer at Google, during a talk at the company’s Open Source Day of Security event Thursday.

“Sometimes, just because it's free doesn’t mean it’s free to use. It can cause more problems than it’s worth. Anyone who’s spent time on the Internet knows not everyone is nice, there are people out there trying to insert bugs. Very few people are looking at the source code. The source code is transparent, but the way that people use it is opaque.”

The tree of dependencies in any supply chain can be complex, even for the simplest pieces of software, and discovering what those dependencies are can be difficult, if not impossible. That lack of transparency makes it hard for organizations to understand the security risks that a piece of open source software may bring with it, a problem that Google is trying to address with a new tool called Open Source Insights. The site displays a visualization of the dependencies for a given package, lists any security advisories affecting it, other packages that depend upon that project, and allows users to compare the various versions of the package. It’s an experimental project, but Open Source Insights could provide enterprises with a deeper understanding of what risks they may be taking on.

“The software packages that a large project depends on might update too frequently to keep a clear picture of what is happening. And those packages, in turn, can change their dependencies to provide new features or fix bugs. Security problems and other issues can arise unexpectedly in your project as a result, and the scale of the problem can make it all difficult to manage. Even a modest OSS project might depend on hundreds of packages,” Google said.

Looking at the dependencies for open source projects is just one step toward understanding the security impact they can have and improving the security of the open source supply chain. Enterprises need to understand exactly what open source applications they’re using and what the potential risks for each one are.

“Know what you use. This sounds obvious, but it’s not always that easy. Look through the vendor tree and check the dependencies. You might trust those dependencies, but if you don’t trust the whole transitive tree of their dependencies, it can get out of control,” Lorenc said.

He also encouraged users of open source software to contribute upstream whenever possible by helping with patches or other fixes.

“Security isn’t a priority for open source developers or the average developer in general. It’s an afterthought. We need to make it easier,” Lorenc said. “We need to build new tooling and crypto and gather more data to secure the open source supply chain.”

<![CDATA[Deciphering Real Genius]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/deciphering-real-genius https://duo.com/decipher/deciphering-real-genius Wed, 02 Jun 2021 00:00:00 -0400

<![CDATA[House Bill Would Ban States From Weakening Encryption]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/house-bill-would-ban-states-from-weakening-encryption https://duo.com/decipher/house-bill-would-ban-states-from-weakening-encryption Tue, 01 Jun 2021 00:00:00 -0400

As federal law enforcement agencies and some legislators continue to push for access to encrypted apps and devices, renewed efforts are underway to prevent states and municipalities from passing their own measures to hamper the design and sale of devices and software that provide strong encryption.

A group of four members of the House of Representatives has reintroduced a bill that would stop state and local governments from doing an end-run around Congress and enacting laws to weaken or ban strong encryption. The bill is known as the Ensuring National Constitutional Rights for Your Private Telecommunications Act and it’s designed to ensure that if Congress is unsuccessful in passing legislation to weaken encryption, states won’t have the ability to do so on their own. That scenario would mirror what has happened in the absence of a national data breach law, a situation that has led to inconsistent individual laws in every state and a lack of clarity for businesses.

In the case of encryption systems or encrypted devices such as iPhones, though, such a patchwork of state laws would dictate where Apple or Google or Signal could sell their products.

“Having a patchwork of 50 different mandatory state-level encryption standards creates cyber vulnerabilities, threatens individual privacy, and undermines the competitiveness of American innovators,” said Rep. Ted Lieu (D-Calif.), one of the sponsors of the bill. “Strong encryption standards are vital to protecting our nation’s security and Americans’ privacy – and cybersecurity is a national issue that requires a national response. Our legislation is a crucial step toward securing strong encryption for all Americans.”

The bill is short and to the point, with three key provisions that address the potential ways in which states might try to legislate access to encrypted devices or apps. If passed, the bill would prevent states from passing measures that force a vendor of a product or service to “design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency or instrumentality of a State, a political subdivision of a State, or the United States”.

The bill would also prevent states from instituting measures to force the creation of backdoors or other decryption methods into products or “prohibit the manufacture, sale or lease, offering for sale or lease, or provision to the general public of a covered product or service because such product or service uses encryption or a similar security function.”

The last few years have seen a renewed effort by the FBI and other law enforcement agencies to gain access to encrypted communications platforms. Those efforts date back to the early 1990s, but the newest wave coincides with the rise of apps such as Signal, WhatsApp, and others that offer strong encryption for the masses with no special security knowledge needed. The widespread availability of these apps, along with the default device encryption on iPhones and Android devices, has made it far more difficult for law enforcement agencies to access information on suspects’ devices. However, companies such as Cellebrite have stepped in to fill that void, providing custom software and hardware platforms to extract data from locked devices.

Apple, Google, Signal, and many other providers of encrypted services or products consistently have resisted calls for backdoors or other programmatic methods for accessing encrypted communications. That has not stopped those calls from coming and the House bill is meant to quiet some of that noise.

“Robust encryption is critical for protecting the online privacy and security of all Americans and it’s essential for national security. I’ve long opposed government attempts to mandate backdoors,” said Rep. Anna Eshoo (D-Calif.).

<![CDATA[U.S. Seizes Domains Used in Nobelium Phishing Campaign]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/u-s-seizes-domains-used-in-nobelium-phishing-campaign https://duo.com/decipher/u-s-seizes-domains-used-in-nobelium-phishing-campaign Tue, 01 Jun 2021 00:00:00 -0400

The day after Microsoft and Volexity exposed a spear-phishing campaign by actors suspected to be connected to Russia’s Foreign Intelligence Service, the Department of Justice seized two domains used by the attackers for command-and-control with compromised machines.

The seizure is designed to disrupt the communications between the attackers and the computers of anyone who opened the phishing emails and eventually had the malicious payload installed. The infection chain involved in the campaign is complex and involved several separate stages, but the final payload in many cases is a Cobalt Strike Beacon. The domains that the Department of Justice seized were used for C2 communications with the Cobalt Strike Beacons. The campaign that Microsoft and Volexity investigated involved the actors gaining access to a legitimate email marketing account used by the United States Agency for International Development and then sending phishing emails from the account to a select group of potential victims. The emails looked quite authentic and didn’t bear any of the hallmarks of phishing messages, such as grammatical or spelling errors.

“Upon a recipient clicking on a spear-phishing email’s hyperlink, the victim computer was directed to download malware from a sub-domain of theyardservice[.]com. Using that initial foothold, the actors then downloaded the Cobalt Strike tool to maintain persistent presence and possibly deploy additional tools or malware to the victim’s network,” the Department of Justice announcement says.

“The actors’ instance of the Cobalt Strike tool received C2 communications via other subdomains of theyardservice[.]com, as well as the domain worldhomeoutlet[.]com. It was those two domains that the Department seized pursuant to the court’s seizure order.”

Microsoft attributed the campaign to a group it calls Nobelium, which is the same set of actors blamed for the SolarWinds intrusion late last year. The group is aligned with the Russian SVR and is also known as the Dukes and APT29. Volexity did not directly attribute the attack to any actor, but identified some similarities in the infrastructure and techniques between this campaign and known APT29 campaigns. However, other elements of the campaign are unique and bear no resemblance to earlier operations by APT29 or other Russian actors.

“After the extensive revelations of Russian state-sponsored cyberespionage activities over the past five years, teams like APT28 (aka FancyBear, STRONTIUM) and APT29 (aka CozyBear, The Dukes) have retooled and reorganized extensively to avoid easy tracking by Western governments and security vendors alike. The operations of ‘APT29’ no longer look anything like they did in the past half decade. At this point our preconceptions about these groups are doing more to cloud our judgment than they elucidate,” said Juan Andres Guerrero-Saade, a principal threat researcher at SentinelOne, who has been tracking APT actors for many years.

The spear-phishing campaign carried out by Nobelium began in January and included a few different evolutions, with the most recent one using the compromised USAID email account and targeting government agencies and various non-profits.

“Cyber intrusions and spear-phishing email attacks can cause widespread damage throughout affected computer networks, and can result in significant harm to individual victims, government agencies, NGOs, and private businesses,” said Acting U.S. Attorney Raj Parekh for the Eastern District of Virginia.

“As demonstrated by the court-authorized seizure of these malicious domains, we are committed to using all available tools to protect the public and our government from these worldwide hacking threats.”

<![CDATA[Nobelium Phishing Campaign Targets Government Agencies, NGOs]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/nobelium-phishing-campaign-targets-government-agencies-ngos https://duo.com/decipher/nobelium-phishing-campaign-targets-government-agencies-ngos Fri, 28 May 2021 00:00:00 -0400

A new phishing campaign conducted by the same Russian group responsible for the SolarWinds intrusion has been ongoing for several months and in some cases leveraged access to the legitimate email marketing account for the United States Agency for International Development and targeted more than 150 government agencies, humanitarian organizations, and NGOs in more than 20 countries.

The campaign began in January and has evolved several times since then, with the most recent wave using the Constant Contact account of USAID to send spear-phishing emails to a subset of targets. The messages include a lure related to election fraud documents and if the victim clicks on the link, the eventual result is the installation of several malicious payloads that give the actors persistent access to the system. The phishing attacks are the work of APT29, the group that the U.S. government blamed for the SolarWinds intrusion last year. The group is called Nobelium by Microsoft and is thought to be associated with Russia’s Foreign Intelligence Service, or SVR. The new activity is separate from the operation that targeted SolarWinds and other companies last year, and researchers at Microsoft Threat Intelligence Center and Volexity found that the group was using some clever methods to get the malware payloads past detection systems.

The first wave of the campaign in January essentially was a test phase, with the attackers only sending the tracking section of the emails to see who was clicking on them.

“In the next evolution of the campaign, MSTIC observed NOBELIUM attempting to compromise systems through an HTML file attached to a spear-phishing email. When opened by the targeted user, a JavaScript within the HTML wrote an ISO file to disc and encouraged the target to open it, resulting in the ISO file being mounted much like an external or network drive. From here, a shortcut file (LNK) would execute an accompanying DLL, which would result in Cobalt Strike Beacon executing on the system,” Microsoft’s team said in a post on the campaign.

Neither Microsoft nor Volexity identified any of the agencies or organizations that were targeted in the campaign, but the phishing lure and the sectors of the targets suggest that the actors were specifically after access to government and government-adjacent networks. In the months following the disclosure of the SolarWinds intrusion, the Biden administration took a number of actions designed to punish and deter the Russian government, including formally attributing the operation to the SVR and expelling several Russian diplomats. But those actions don’t appear to have moved the group off its agenda.

“When coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers. By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem,” Tom Burt, corporate vice president of customer security and trust at Microsoft, said.

“This is yet another example of how cyberattacks have become the tool of choice for a growing number of nation-states to accomplish a wide variety of political objectives, with the focus of these attacks by Nobelium on human rights and humanitarian organizations.”

The Volexity researchers did not directly attribute the new campaign to APT29, but said that it does share quite a few characteristics with past campaigns by that group.

“After a relatively long hiatus with no publicly detailed spear phishing activity, APT29 appears to have returned with only slight changes to its historical TTPs. In this instance, the attacker purports to be from USAID, enticing victims into clicking an embedded file to download and execute a malicious ISO file. In doing so, the CobaltStrike Beacon implant is executed, providing remote access to the attackers,” Volexity researchers said.

“At the time of writing, all files involved have relatively low static detection rates on VirusTotal. This suggests the attacker is likely having some success in breaching targets.”

<![CDATA[Chinese Cyber Espionage Actors Continue to Zero In on Pulse Secure Bugs]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/chinese-cyber-espionage-actors-continue-to-zero-in-on-pulse-secure-bugs https://duo.com/decipher/chinese-cyber-espionage-actors-continue-to-zero-in-on-pulse-secure-bugs Thu, 27 May 2021 00:00:00 -0400

Two separate groups of adversaries aligned with the interests of the Chinese government are conducting cyberespionage campaigns against U.S. government agencies, tech companies, financial services firms, and other targets, using exploits for known vulnerabilities in Pulse Secure VPNs.

The campaigns have been ongoing for several months, and researchers at FireEye Mandiant disclosed some of the details of one of the groups’ intrusions in late April. The adversaries are targeting Pulse Secure VPN appliances for exploitation and then inserting webshells on compromised devices in order to maintain persistent access. In the days leading up to Mandiant’s initial disclosure last month, one of the groups, known as UNC2630, went into many of the previously compromised appliances and removed the webshells, an odd move, given the timing and the fact that Chinese cyberespionage operators usually aren’t much concerned with being outed.

“It is unusual for Chinese espionage actors to remove a large number of backdoors across several victim environments on or around the time of public disclosure. This action displays an interesting concern for operational security and a sensitivity to publicity,” Mandiant researchers said in a new analysis on Thursday.

Despite the public exposure, both UNC2630 and UNC2717 have continued to target Pulse Secure VPN appliances and Mandiant investigators have identified 16 separate malware families used in these operations. The attackers are using a handful of previously disclosed vulnerabilities in Pulse Secure VPN devices for initial access, including CVE-2021-22893. After the initial compromise, the attackers often change timestamps and other forensic artifacts in order to hamper incident response investigations.

“Both UNC2630 and UNC2717 display advanced tradecraft and go to impressive lengths to avoid detection. The actors modify file timestamps and regularly edit or delete forensic evidence such as logs, web server core dumps, and files staged for exfiltration. They also demonstrate a deep understanding of network appliances and advanced knowledge of a targeted network. This tradecraft can make it difficult for network defenders to establish a complete list of tools used, credentials stolen, the initial intrusion vector, or the intrusion start date,” Mandiant researchers said.

“In some cases, Mandiant observed the actors create their own Local Administrator account outside of established credential management controls on Windows servers of strategic value. This allowed the actor to maintain access to systems with short-cycle credential rotation policies and provided a sufficient level of access to operate freely within their target environment.”

Once inside a target network, the adversaries use a variety of techniques and tools to steal credentials, perform reconnaissance and move laterally. Mandiant’s researchers collaborated with analysts at BAE Systems Applied Intelligence to identify several dozen organizations in Europe and the U.S. that have been compromised through weaknesses in Pulse Secure VPN appliances by these adversaries.

“Notably, compromised organizations operate in verticals and industries aligned with Beijing’s strategic objectives as outlined in China’s 14th Five Year Plan. Many manufacturers also compete with Chinese businesses in the high tech, green energy, and telecommunications sectors. Despite this, we have not directly observed the staging or exfiltration of any data by Chinese espionage actors that could be considered a violation of the Obama-Xi agreement,” Mandiant said.

“The greater ambition and risk tolerance demonstrated by Chinese policymakers since 2019 indicates that the tempo of Chinese state-sponsored activity may increase in the near future and that the Chinese cyber threat apparatus presents a renewed and serious threat to US and European commercial entities.”

<![CDATA[Ingredient List Only Part of the Recipe to Fix Supply Chain Security]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/ingredient-list-only-part-of-the-recipe-to-fix-supply-chain-security https://duo.com/decipher/ingredient-list-only-part-of-the-recipe-to-fix-supply-chain-security Wed, 26 May 2021 00:00:00 -0400

The concepts of software security and supply chain security have become intertwined and something of an overnight sensation on Capitol Hill, thanks mainly to the SolarWinds breach and its continuing fallout. That intrusion, which had repercussions across the technology industry and federal government, brought to the public’s attention something that people in the software and security fields have known for a long time: Most buyers have no idea what goes into the software they’re using.

For the most part, software products, especially enterprise-grade applications, are black boxes, and intentionally so. Much of the inherent value of commercial software is the proprietary code that each application is based on, and most vendors guard that code fiercely and share the details with few outsiders. As a result, even the most sophisticated buyers have no real visibility into what exactly is in the code that’s running their networks. Part of the Biden administration’s response to the SolarWinds intrusion and other recent major attacks is the executive order that the president signed two weeks ago, an order that includes a wide range of new initiatives for federal agencies to address the issue of software supply chain risk. One of the requirements in the order is that the National Institute of Standards and Technology (NIST) issue guidelines for “identifying practices that enhance the security of the software supply chain.”

Among the components of the NIST guidance, which is set to be released in July, is the requirement that every vendor selling apps to federal agencies provide a software bill of materials (SBOM) for each app. SBOMs are meant to give prospective buyers a clear picture of the components that are in a given application, and because many commercial apps use third-party libraries and open source components, they can provide a view of the potential attack surface of the software, too. During a hearing Tuesday of the House Committee on Science, Space and Technology’s Subcommittees on Investigations and Oversight and on Research and Technology, lawmakers touted the inclusion of SBOMs as a major key to improving the security of the software supply chain, but security experts worry about the details of how the guidance will be implemented.

“The SBOM requirement has yet to be defined and adopted even in some of the largest organizations, and like rolling out Multifactor Authentication (MFA) across the federal government and its suppliers, it will be a huge, industry-wide undertaking. Unlike the ambitious timelines for MFA adoption, SBOM does not have a well-understood model for the people, process, and technology needed for a successful rollout,” Katie Moussouris, CEO and founder of Luta Security, said in her written testimony for the hearing.

There are existing tools and templates for producing SBOMs, and major software vendors generally understand how to do so, but seeing a list of what code components and libraries are in a piece of software does not tell the whole story. It doesn’t explain, for example, how a given library is used or whether the known vulnerable part of an open source component in the application is ever accessed. The risk profile can change considerably in those cases.

“A vulnerable library doesn’t automatically make the software vulnerable, because people don’t use every function or library in an application. You have naive consumers asking if you’re using the vulnerable version, and if so when you’re going to patch it,” said Chris Wysopal, CTO and co-founder of Veracode, a security firm that performs automated testing for applications.

“That’s the one thing we need to work out: how vendors can put statements in SBOMs to say we know this is vulnerable but we don’t use it. This is why vendors don’t want to give customers a lot of information. The information may not be at the precision level that rules something in or out as vulnerable.”

Moussouris agreed, saying that even if vulnerable code is present in a piece of software, that doesn't mean it’s reachable or even exploitable by an attacker.

“An ingredient list of software alone is not useful to determine risk quickly without additional analysis. Neither is the addition of vulnerability data, which would at a minimum include what known vulnerabilities affected each software ingredient. This is because from a technical standpoint, a bug in a software ingredient may not be exploitable in all products that contain that software ingredient,” she said.

“Exploitability would be determined in what code paths are taken via the product, and what other countermeasures may be in place in the overall product that obviate or mitigate the underlying software supply chain vulnerability.”
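As an added example (not from the article or from any vendor or agency named in it), the following Python cross-references a constructed SBOM with constructed advisories and then walks the product’s call graph from its entry points, separating a vulnerable ingredient that is merely shipped from one whose vulnerable function is actually reachable. The component names, advisory ids, functions and data layout are all hypothetical and follow no real SBOM or advisory schema.

```python
from collections import deque

# Constructed example data (not a real product, SBOM schema or advisory feed).
SBOM = [("libcompress", "1.4.0"), ("jsonparse", "2.0.1"), ("tlsutil", "3.1.7")]

# Advisory id -> (component, affected version, vulnerable function).
ADVISORIES = {
    "EXAMPLE-0001": ("libcompress", "1.4.0", "libcompress.inflate_chunk"),
    "EXAMPLE-0002": ("jsonparse", "2.0.1", "jsonparse.parse_nested"),
    "EXAMPLE-0003": ("tlsutil", "3.0.0", "tlsutil.handshake"),
}

# Call graph of the hypothetical product, caller -> callees. Library code is
# only reachable through the product's own request handlers (the entry points).
CALL_GRAPH = {
    "app.handle_upload": ["app.decode_body", "libcompress.inflate_stream"],
    "app.handle_login": ["tlsutil.handshake", "jsonparse.parse_flat"],
    "app.decode_body": ["jsonparse.parse_flat"],
    "libcompress.inflate_stream": ["libcompress.inflate_chunk"],
    "jsonparse.parse_nested": ["jsonparse.parse_flat"],  # shipped, never called
}
ENTRY_POINTS = ["app.handle_upload", "app.handle_login"]


def reachable(graph, roots):
    """Breadth-first walk returning every function reachable from the roots."""
    seen, queue = set(roots), deque(roots)
    while queue:
        for callee in graph.get(queue.popleft(), []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def triage(sbom, advisories, graph, entry_points):
    """Map each advisory to 'not_present', 'present_unreachable' or 'present_reachable'."""
    shipped, live = set(sbom), reachable(graph, entry_points)
    verdicts = {}
    for adv_id, (component, version, func) in advisories.items():
        if (component, version) not in shipped:
            verdicts[adv_id] = "not_present"          # a different version is shipped
        elif func in live:
            verdicts[adv_id] = "present_reachable"    # ingredient and code path agree: patch
        else:
            verdicts[adv_id] = "present_unreachable"  # the "we ship it but don't use it" case
    return verdicts


if __name__ == "__main__":
    for adv_id, verdict in sorted(triage(SBOM, ADVISORIES, CALL_GRAPH, ENTRY_POINTS).items()):
        print(adv_id, verdict)
```

A static call graph only over-approximates which paths can run, so "present_unreachable" means no path from the entry points was found, not a proof that the component can never be exercised; that gap in precision is the reason vendors hesitate to publish such statements.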

The appetite in Washington for change and improvement in software supply chain security is real and growing, and Biden’s executive order is just the start of what will likely be a years-long effort. How quickly those improvements start to take effect will be a function not just of the technical or process changes, but also of the amount of money and personnel applied to the problem.

“The NIST framework is a good starting point but we obviously have a long way to go and a lot of work to do. We cannot continue to allow foreign adversaries and criminals, often working together, to take advantage of weaknesses in our software supply chains,” said Rep. Haley Stevens (D-Mich.).