Monday, February 26, 2018

denying responsibility in the cyber age

4-18-17   Documents released by Edward Snowden revealed that the initial malware and exploits made public did originate from the NSA.  The files released by Snowden in 2013 contained some of the same code that was initially publicised by the Shadowbrokers group.  A string of numbers in malware called SecondDate-3021.exe appeared in both the Snowden documents and those released by the Shadow Brokers.  http://www.wired.co.uk/article/nsa-hacking-tools-stolen-hackers
...................................................................................................................................
5-17-17  In the case of EternalBlue, the intelligence haul was “unreal,” said one former employee.  “It was like fishing with dynamite,” said a second.
(comment below article:)
The problem with fishing with dynamite is that eventually you will blow a hole in your boat.
https://www.washingtonpost.com/business/technology/nsa-officials-worried-about-the-day-its-potent-hacking-tool-would-get-loose-then-it-did/2017/05/16/50670b16-3978-11e7-a058-ddbb23c75d82_story.html?utm_term=.489aa211d48c
.....................................................................................................................................................
Once TAO owns the environment, its goal may be data theft, destructive behavior, data corruption, or data modification.  Rob Joyce, hacker-in-chief of NSA's TAO, noted that nation-state attacks are persistent.   https://techbeacon.com/nsas-tao-leader-speaks-usenix-enigma-conference
.....................................................................................................................................................
It looks like some recent NSA document leaks may suggest that the Cisco PIX and ASA firewalls have the ability to be compromised by the NSA.  It appears that a firmware implant for both the ASA and PIX devices called JETPLOW can be deployed on a firewall target with an exfiltration path to the NSA’s Remote Operations Center.  It seems that as long as DNT’s BANANAGLEE software implant is on the Cisco PIX or ASA firewall, JETPLOW can be remotely installed and upgraded.  Its backdoor is pretty far reaching from what we are hearing....
The NSA seems to have a smorgasbord of options to take over remote devices.  One of the ways is to even have the NSA intercept a shipment of networking gear going from the vendor to the customer, and then the NSA will install its backdoor exploit on the device.  Another that has been mentioned is that the NSA can even review the Windows crash dumps that are sent to Microsoft from your PC and use data from that to exploit a PC.  Other reports state that there are various exploits that are commonly used to remote control iOS devices (iPhones and iPads) and any GSM based cell phone.  Finally, there is the NIGHTSTAND exploit which is for your WI-FI 802.11 setups that in a perfect scenario can be deployed from 8 miles away!      Now another piece of interesting news is that Cisco is stating that all US networking devices are required by law to have surveillance capabilities built into them.  This is for legitimate court-ordered wiretaps and such.  But the key here is it seems that Cisco is indicating that the NSA was not leveraging these features but the reported exploits that are noted above.  https://www.certificationkits.com/cisco-asa-5500-series-compromised-by-nsa/
...................................................................................................................................................
6-28-17   Developed by the U.S. National Security Agency (NSA), EternalBlue is an exploit that abuses a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol....
MeDoc responds by denying any responsibility for the attacks in a Facebook post, noting it pushed out its last update starting on June 22 – five days before the attack occurred.  But some in the security community say they have the logs to prove that MeDoc was the source of the ransomworm campaign.  Among them, Malwarebytes releases a blog post later that afternoon reiterating security researchers’ belief that an update released by MeDoc at 10:30 GMT on June 27, 2017, allegedly installed the malware on the “victim zero” system.  https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/notpetya-timeline-of-a-ransomworm/

.....................................................................................................................................
June 2017   The National Security Agency (NSA) began using a hacking tool called EternalBlue more than five years ago.  During that time, the agency discovered its unparalleled ability to breach networks, a flaw considered so dangerous within the NSA it considered revealing it to the company whose software it was exploiting, Microsoft....Let’s not forget, NotPetya was entirely preventable — if the NSA had the foresight.  https://thenextweb.com/security/2017/06/27/nsa-knew-about-the-vulnerability-exploited-by-notpetya-for-over-5-years/  
...........................................................................................................................
6-28-17   Microsoft tracked the infections to a software update from a program called "ezvit.exe" -- MEDoc's update process.  Through this method of infection, even if your computer systems have been patched, even a seemingly safe update could slip through, packed with malware.  "Software supply chain attacks are a recent dangerous trend with attackers, and it requires advanced defense," Microsoft wrote in its blog.
In a defense posted to its Facebook page, MEDoc denied that it was responsible for helping the ransomware spread.  The company argued Microsoft was wrong because the source code for its software update does not contain the command "rundll32.exe."  https://www.ncsc.gov.uk/news/russian-military-almost-certainly-responsible-destructive-2017-cyber-attack
................................................................................................................................
10-26-17   Bad Rabbit was reportedly distributed via drive-by download attacks via compromised Russian media sites, using a fake Adobe Flash Player installer to lure victims into installing the malware unwittingly, and demanding 0.05 bitcoin (~ $285) from victims to unlock their systems.

According to the researchers, Bad Rabbit first scans the internal network for open SMB shares, tries a hardcoded list of commonly used credentials to drop malware, and also uses the Mimikatz post-exploitation tool to extract credentials from the affected systems.

Bad Rabbit can also exploit the Windows Management Instrumentation Command-line (WMIC) scripting interface in an attempt to execute code on other Windows systems on the network remotely, noted EndGame.

However, according to Cisco's Talos, Bad Rabbit also carries a code that uses EternalRomance, which allows remote hackers to propagate from an infected computer to other targets more efficiently.   ... "EternalRomance allows the attacker to read/write arbitrary data into the kernel memory space."...

NotPetya has previously been linked to the Russian hacking group known as BlackEnergy and Sandworm Team, but since Bad Rabbit is primarily targeting Russia as well, not everyone seems convinced with the above assumptions.  https://thehackernews.com/2017/10/bad-rabbit-ransomware.html
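As an added illustration (not from the article quoted above), the credential-list stage described here leaves a recognisable trail in Windows Security logs: one source address failing network logons under many account names against several hosts within a short span. The script below, run over constructed sample 4625 (failed logon) records, flags that pattern; the field names, thresholds and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4625 (failed logon) records,
# reduced to the fields the check needs. Logon type 3 is a network logon,
# which is what a failed SMB session setup produces on the target host.
SAMPLE_EVENTS = [
    # 10.0.0.15 walks a short list of common account names across three
    # hosts in about a minute: the credential-list behaviour described above.
    {"ts": "2017-10-24T13:00:01", "src_ip": "10.0.0.15", "host": "FS01", "user": "Administrator", "logon_type": 3},
    {"ts": "2017-10-24T13:00:02", "src_ip": "10.0.0.15", "host": "FS01", "user": "admin", "logon_type": 3},
    {"ts": "2017-10-24T13:00:04", "src_ip": "10.0.0.15", "host": "FS01", "user": "user", "logon_type": 3},
    {"ts": "2017-10-24T13:00:31", "src_ip": "10.0.0.15", "host": "WS02", "user": "guest", "logon_type": 3},
    {"ts": "2017-10-24T13:00:33", "src_ip": "10.0.0.15", "host": "WS02", "user": "backup", "logon_type": 3},
    {"ts": "2017-10-24T13:01:10", "src_ip": "10.0.0.15", "host": "DC01", "user": "operator", "logon_type": 3},
    # 10.0.0.22 is one person mistyping their own password twice (benign).
    {"ts": "2017-10-24T13:05:00", "src_ip": "10.0.0.22", "host": "FS01", "user": "jsmith", "logon_type": 3},
    {"ts": "2017-10-24T13:05:09", "src_ip": "10.0.0.22", "host": "FS01", "user": "jsmith", "logon_type": 3},
    # 10.0.0.30 fails under several names but ten minutes apart (below rate).
    {"ts": "2017-10-24T12:00:00", "src_ip": "10.0.0.30", "host": "WS07", "user": "svc1", "logon_type": 3},
    {"ts": "2017-10-24T12:10:00", "src_ip": "10.0.0.30", "host": "WS08", "user": "svc2", "logon_type": 3},
    {"ts": "2017-10-24T12:20:00", "src_ip": "10.0.0.30", "host": "WS09", "user": "svc3", "logon_type": 3},
]

def spray_sources(events, window=timedelta(minutes=5), min_users=5, min_hosts=2):
    """Flag source IPs whose failed network logons name at least min_users
    distinct accounts against at least min_hosts distinct hosts inside one
    window. Returns {src_ip: (users, hosts)} for each flagged source."""
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3:  # ignore console/RDP failures (types 2, 10)
            by_src[e["src_ip"]].append(
                (datetime.fromisoformat(e["ts"]), e["user"], e["host"]))
    flagged = {}
    for src, recs in by_src.items():
        recs.sort()  # chronological; tuples sort by timestamp first
        for i, (start, _, _) in enumerate(recs):
            users, hosts = set(), set()
            for ts, user, host in recs[i:]:  # window anchored at recs[i]
                if ts - start > window:
                    break
                users.add(user)
                hosts.add(host)
            if len(users) >= min_users and len(hosts) >= min_hosts:
                flagged[src] = (users, hosts)
                break
    return flagged
```

Only 10.0.0.15 is flagged on the sample: the single mistyped account and the slow, spread-out failures both stay under the thresholds, which is the point of requiring breadth and rate together.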
.......................................................................................................................................
1-12-18    The (NotPetya) attacks reflect Russia’s mounting aggression in cyberspace as part of a larger “hybrid warfare” doctrine that marries traditional military means with cyber-tools to achieve its goal of regional dominance.   “It’s a pattern of more bold, aggressive action,” said Robert Hannigan, former head of Britain’s GCHQ intelligence agency. ...
The hackers used what is known as a “watering hole” attack.  They infected a website to which they knew their targets would navigate — in this case, a Ukrainian site that delivered updates for tax and accounting software programs.

It’s a tactic that Russian government hackers also have used to compromise industrial control system networks.  The goal here was “the disruption of Ukraine’s financial system,” said Jake Williams, founder of the cybersecurity firm Rendition Infosec.  https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html?utm_term=.2b142e472e8e
.........................................................................................................................
12-18-17  At least some of the focus, they say, belongs on the National Security Agency, which built and then lost control of the code that was integrated into WannaCry, and without which its infections wouldn't have been nearly as devastating.  https://www.wired.com/story/korea-accountable-wannacry-nsa-eternal-blue/
.................................................................................................................................
1-18-18   When F5’s threat researchers first discovered this new Apache Struts campaign dubbed Zealot, it appeared to be one of the many campaigns already exploiting servers vulnerable to the Jakarta Multipart Parser attack (CVE-2017-5638) that have been widespread since first discovered in March 2017.  It also exploits the DotNetNuke (DNN) vulnerability (CVE-2017-9822), disclosed in July 2017.  The Zealot campaign aggressively targets both Windows and Linux systems with the DNN and Struts exploits together.  When looking more closely at the unusually highly obfuscated payload, we discovered a much more sophisticated multi-staged attack, with lateral movement capabilities, leveraging the leaked NSA-attributed EternalBlue and EternalSynergy exploits.
The Zealot campaign is currently mining the cryptocurrency Monero, however, attackers could use compromised systems to do whatever they want....Zealot seems to be the first Struts campaign using the NSA exploits to propagate inside internal networks. There were other malware campaigns like NotPetya and WannaCry ransomware, and also Adylkuzz cryptominer launching attacks by directly scanning the Internet for SMBs to exploit with the NSA tools the ShadowBrokers released. The Zealot campaign, however, seems to be opening new attack vector doors, automatically delivering malware on internal networks via web application vulnerabilities. The level of sophistication we are currently observing in the Zealot campaign is leading us to believe that the campaign was developed and is being run by threat actors several levels above common bot herders.  https://f5.com/labs/articles/threat-intelligence/cyber-security/zealot-new-apache-struts-campaign-uses-eternalblue-and-eternalsynergy-to-mine-monero-on-internal-networks
...........................................................................................................................
2-15-18    Once an organization’s machine was infected, the highly crafted tool was designed to spread rapidly, in some cases overriding the Master Boot Record (MBR) on infected computers and displaying a ransom note asking for payment in Bitcoins.  The malware spread via trusted networks, rather than widely over the internet.  Therefore, it effectively bypassed the processes put in place to prevent ransomware attacks....
NotPetya used the EternalBlue and EternalRomance exploits, which the Shadowbrokers group released (grabbed from NSA) in early 2017.   Microsoft issued a patch for both exploits.  https://www.ncsc.gov.uk/news/russian-military-almost-certainly-responsible-destructive-2017-cyber-attack
..............................................................................................................................
2-16-18     However, the (NotPetya attack) virus quickly spread to multinational corporations like FedEx and Merck, costing them hundreds of millions of dollars apiece.  Tens of thousands of computers across multiple continents were permanently encrypted as the malware barreled through networks with the help of leaked National Security Agency hacking methods.     https://slate.com/technology/2018/02/after-officially-blaming-russia-for-the-notpetya-virus-u-s-officials-promise-consequences.html
........................................................................................................................................
2-10-09   Key points from the report:
  • 92% of Critical Microsoft vulnerabilities are mitigated by configuring users to operate without administrator rights
  • Of the total published Microsoft vulnerabilities, 69% are mitigated by removing administrator rights
  • By removing administrator rights companies will be better protected against exploitation of 94% of Microsoft Office, 89% of Internet Explorer, and 53% of Microsoft Windows vulnerabilities
  • 87% of vulnerabilities categorized as Remote Code Execution vulnerabilities are mitigated by removing administrator rights  http://www.zdnet.com/article/report-92-of-critical-microsoft-vulnerabilities-mitigated-by-least-privilege-accounts/
..........................................................................................................................
Casala said the hosting firm had antivirus installed on the server, but that the ransomware slipped past those defenses.  That’s because the crooks who are distributing ransomware engineer the malware to evade detection by antivirus software.  For more on how cybercriminals achieve that, see Antivirus is Dead: Long Live Antivirus....One big reason that ransomware scams are becoming more prevalent has to do with the proliferation of plug-and-play tools and services that make it simple to start your own cybercrime syndicate.  Earlier this month, security firm Emsisoft published a fascinating look at a crimeware-as-a-service product being marketed in the underground called Ransom32, which allows anyone to start their own ransomware campaign just by providing a Bitcoin address to which victims will be asked to send the funds.    https://krebsonsecurity.com/2016/01/ransomware-a-threat-to-cloud-services-too/
.................................................................................................................................

Refusing to allow that either God or man has created the very conditions which they deplore, they (some clever people) conclude that these conditions do not exist.  Going one step further in their proud logic these individuals conclude that they are therefore not responsible for the world in which they live, for the karma they have made or for God’s energies which they have misqualified.  The manifold works of imperfection which are the heritage of the race exist through misunderstanding and error; their days shall be shortened because of the mercy and love of God.
                                            -Kuthumi:  Pearls of Wisdom 11:23
