The Week that Was – The CyberWire

The Week that Was  The CyberWire

ESET published details on LightNeuron, a sophisticated backdoor developed by the Russian cyber espionage group Turla (WeLiveSecurity). The malware is …

The worm Uroburos returns. (Through the backdoor.)

ESET published details on LightNeuron, a sophisticated backdoor developed by the Russian cyber espionage group Turla (WeLiveSecurity). The malware is installed as a transport agent in victims’ Microsoft Exchange servers. ESET says this is a novel persistence technique which allows the malware to operate “at the same level of trust as security products such as spam filters.” As a result, LightNeuron can read, modify, or block any inbound or outbound email before it reaches its recipient. It can also create and send new emails from the server.

The attackers could control the Exchange server by sending commands steganographically hidden inside PDF and JPG email attachments. When an email containing one such file is sent to a compromised organization, LightNeuron will check for a signature. If it doesn’t find a match, the email is sent on to its destination. If the signature is met, the malware will decode and execute the attackers’ command in the attachment. The email is then blocked before leaving the server, so no one at the organization actually receives the message.

Kaspersky Lab briefly mentioned LightNeuron in July of last year, and attributed it to Turla with medium confidence (ZDNet). ESET says the two known victims of LightNeuron were a foreign ministry in Eastern Europe and a regional diplomatic organization in the Middle East. An unknown organization in Brazil also fell victim to the malware, as indicated by a sample uploaded to VirusTotal from that country (Dark Reading).

Buy Kratom Extracts

Left Coast Kratom is here to help you experience the freshest highest quality kratom powders and extracts at competitive prices.

The Middle Kingdom’s contractor strikes back.

A report by Symantec revealed Monday that the Chinese cyber espionage group Buckeye, also known as APT3 or Gothic Panda, was using Equation Group (generally thought to be an NSA operation) tools and exploits in 2016, at least a year before the Shadow Brokers leaks in 2017. Symantec researchers believe the most likely explanation is that Buckeye reverse engineered the tools after observing an Equation Group operation.

Specifically, what Buckeye got was the DoublePulsar backdoor and the Bemstour installation tool. It did not use them against US targets, either because Buckeye assumed the Americans would be wise to their own exploits or because Buckeye wished to avoid tipping its hand to Fort Meade. Instead, the threat actor targeted scientific research and educational institutions in Belgium, Luxembourg, Vietnam, the Philippines and Hong Kong. In at least one case government networks were also attacked.

Buckeye is generally held to be a contractor in Guangzhou working for China’s Ministry of State Security. The company is the Guangzhou Bo Yu Information Technology Company, also known as Boyusec. Three Boyusec employees were indicted by the US in November 2017 on charges of “computer hacking, theft of trade secrets, conspiracy and identity theft directed at U.S. and foreign employees and computers of three corporate victims in the financial, engineering and technology industries between 2011 and May 2017.” Boyusec went quiet after the Justice Department went noisy, and there has been speculation that the company had shut down. But as Symantec pointed out, if Boyusec is out of the business, then who’s using the tools? Either Boyusec is back, or it never went away, or it shared its tools with someone else. As a Symantec researcher put it, “People come and go. The tools live on.”

View Active Directory Permissions at a Glance

SolarWinds® Access Rights Manager (ARM) visualizes who can access a given resource at your organization. In a central view, you can see the group memberships from Active Directory® and the access rights given. Download ARM and get your free AD permissions assessment today.

So has NSA lost control of its tools?

Not really, unless using tools counts as losing control of them, which in a sense it does, but not in a readily avoidable or invidious way.

A few comments on Twitter offer some perspective. “If we’re going to yell at the NSA for making an exploit that an adversary saw in an intrusion and learned from as an example of ‘losing control of weapons’ then we should just argue that no one should make exploits ever because they can all be lost in that way,” Dragos CEO Robert M. Lee tweeted, adding, “If you lose control and things get leaked; that’s one thing. But proliferation and abuse through use? That’s not new nor unique to the NSA.” Georgetown University’s Matt Blaze tweeted, in a separate thread, that “Exploits are, in effect, ‘secret weapons,’ with all that implies: once deployed, they don’t stay secret for long.”

There’s disagreement over how long an exploit can remain secret, or be overlooked (although the LightNeuron experience suggests that this can be a matter of years) but as US Cyber Command’s Major General Karl H. Gingrich said Tuesday, “safeguarding [tools] is a priority for us, but when they are used in the cyber environment, once they are out there, they are out there” (New York Times).

The disquiet people feel here no doubt derives in part from the relative ease with which cyber tools can be proliferated through reverse engineering. It’s much more difficult to take apart a combat aircraft, for example, and then put it into production, and deploy it, than it is to do the same thing with attack code. But even combat aircraft have been copied, and there’s no easy fix to the inherent problem of an adversary picking up your weapons and flinging them back at you (Breaking Defense). The Roman legions did something along those lines with the pilum, their short javelin, which was made with a soft iron shank designed to deform after it hit its target, which made the pilum less useful to an enemy who might want to throw it back at Marius. There’s no obvious way of doing this with malware.

Need help adapting incident response & forensics to the cloud?

Read the 2019 SANS Cloud Security Survey to learn what works for your peers, including cloud security controls, implementation shortcuts, tool integration strategies, and more. Download your copy now!

Parties unknown continue to expose Iranian hackers.

There’s been another exposure of Iranian hacking operations. Last month an unknown actor going by “Lab Dookhtegam” dumped code and other information belonging to the OilRig APT. This week another actor, perhaps independently, but more probably acting in coordination with the earlier leakers, dropped information via Telegram and various websites that describe other Iranian cyber operations.

This new group calls itself, ZDNet says, the “Green Leakers.” The material released includes information on other Iranian cyber operators, specifically the MuddyWater APT and the Rana Institute. The latter has not hitherto been connected to Iranian hacking operations. This material doesn’t, as the earlier leaks did, include source code, but it does contain screen shots and some information about the threat actors and their victims.

Airstrikes against cyber operators.

The Jerusalem Post says a joint Shin Bet-IDF operation prevented a Hamas cyberattack with an airstrike on Hamas cyber operations headquarters in Gaza. Forbes calls it a significant first: kinetic retaliation for a cyber attack, or perhaps kinetic pre-emption of an imminent cyber attack. The nature of the prospective cyber attack isn’t clear.

Israel and Hamas have been engaged in active combat for the better part of a week, with Hamas firing an estimated six-hundred rockets into Israel, and Israel responding with “hundreds” of airstrikes. It would probably be more accurate to regard Hamas cyber headquarters as one target in a larger air campaign, and the combat itself as another round in a war that’s long had a cyber dimension. So to see the airstrike as exclusively a response to a cyber threat is a stretch. It was one strike in an extensive campaign. Nor is it a first, as ZDNet hints, at least not internationally: the US killed ISIS hackers with drone strikes in 2015, as Defense Systems observed in contemporary accounts of American action against the Caliphate.

Critics of the Israeli strike against a Hamas cyber operations center have called it criminal targeting of noncombatants, dangerous escalation that crosses a hitherto uncrossed threshold, and so on. One might ask, would they recommend similar immunity from attack for command posts and electronic warfare units on the battlefield?

Get your copy of the definitive guide to threat intelligence.

We brought together a team of experts and wrote the definitive guide to everything you need to know about threat intelligence. Whether you work in vulnerability management, incident response, or another part of cybersecurity, our book has something for you. Get your free copy of “The Threat Intelligence Handbook” now.

Securing elections and imposing costs.

US Cyber Command is expanding its efforts to help other countries defend their elections against Russian influence. In addition to ensuring election integrity, these missions are meant to impose costs on Russia by making their influence operations more resource-intensive. The deployments also allow US officials to gather intelligence on Russia’s new tools and tactics ahead of the 2020 US election cycle. Maj. Gen. Charles L. Moore, Cyber Command’s director of operations, said that “when we conduct operations, we gain more intelligence, which feeds back into the system” (New York Times).

Verizon’s 2019 Data Breach Investigations Report is out.

Verizon’s always interesting Data Breach Investigations Report is out. This 2019 edition offers some interesting takeaways: the C-suite is a prime target of social engineering, criminals have followed companies into the cloud, card-present fraud has declined sharply, and, encouragingly, general users appear to have grown more skeptical of phishing attempts. And widespread, commodified ransomware remains a problem.

Did you know that 91% of data breaches started with spear phishing?

With spear phishing being one the most successful ways to compromise an organization, IT experts highly recommend regular phishing tests as an additional security layer. Phishing your own users is as important as antivirus and a firewall. It’s also a fun and effective best practice for patching your last line of defense— your users. Find out today if your users are Phish-prone™ with KnowBe4’s free phishing test.

Patch news.

WordPress 5.2 was released on Tuesday, and contains a variety of new security enhancements. The most significant of these new features is the addition of offline digital signatures for updates. This will make potential supply-chain attacks launched from WordPress’ core update server considerably more difficult to carry out (BleepingComputer).

Cisco patched two high-severity vulnerabilities in its TelePresence Video Communication Server and its ASA 5500-X Series Firewalls. Both vulnerabilities could allow attackers to launch denial-of-service attacks against the affected devices (Threatpost).

Crime and punishment.

A US State Department office manager, Candace Claiborne, pleaded guilty on Wednesday to covering up repeated contacts with two Chinese intelligence agents over the course of five years. The two agents gave Ms Claiborne and her family $20,000, along with trips, an apartment, and many other gifts in exchange for information (Washington Post).

The US Justice Department has indicted two Israeli nationals, Tal Prihar and Michael Phan, on charges connected with operating the DeepDotWeb, a general directory that linked prospective buyers with dark web sites dealing in contraband. Prihar and Phan are alleged to have made millions in kickbacks from black marketeers by providing a gateway to dark web souks and facilitating the sale of fentanyl, hacking tools, stolen credit cards, and other contraband. Both suspects are in custody. Authorities in several countries, including Brazil, France, Germany, Israel, the United Kingdom, and the United States, cooperated in the enforcement action: 

Daniel Everette Hale was arrested this week on US Federal charges of “obtaining and disclosing national defense information and theft of government property.” Hale had worked as an intelligence analyst for the US Air Force, and, after leaving the service, performed similar duties as a contractor for the National Geospatial Agency. The Government alleges that Hale provided highly classified information to a reporter over a period of several years, beginning in 2013.

The US Justice Department has unsealed an indictment of two Chinese nationals for the very large Anthem breach of 2015, in which the health insurance company was breached in an incident that affected the personal data of nearly eighty-million people. The alleged hackers, Fujie Wang (a/k/a “Dennis Wang”) and a John Doe who went by the names “Deniel Jack,” “Kim Young,” and “Zhou Zhihong,” are believed to be members of a “highly sophisticated Chinese group.” The indictment says they also breached three other US companies, identified simply as “Victim Businesses 1, 2, and 3,” but said to operate respectively in the technology, basic materials, and communications sectors. The indictments are intended in part as naming-and-shaming, with the goal of inhibiting future Chinese government cyber espionage (Washington Post).

Some job seekers can be too persistent, as one woman demonstrated in Langley over the past week. The CIA finally ran out of patience after several visits in which she requested entrance: there’s no “Agent Penis,” and therefore it follows a fortiori that Agent Penis didn’t have a job offer on the table for Ms Hernandez (Military Times). The Daily Caller wonders what the Company is hiding. XYZ, Langley: the truth shall make you free.

Courts and torts.

The US Federal Trade Commission’s enforcement action against Facebook remains up in the air. It’s likely to be severe, but the New York Times reports that the form such severity will take, especially the nature of the penalties (if any) to be directed against CEO Zuckerberg himself, are believed to remain the subject of partisan disagreement within the Commission. There’s bipartisan skepticism of Big Tech, but disagreement over details.

Policies, procurements, and agency equities.

French President Emmanuel Macron on Thursday said that Europe should pursue a regulatory middle ground between an overly permissive United States and an “over-centralized” China (Reuters).

Senator Angus King (I-Maine) and Representative Mike Gallagher (R-Wisconsin) will head the Cyberspace Solarium Commission (CSC), which launched on Wednesday (The Hill). The CSC is based on President Eisenhower’s Project Solarium, a 1953 commission charged with developing a strategy against the Soviet Union. Senator King said that the point of the CSC “is to develop a cyber doctrine for this country that will help us to cope with what we believe will only be an escalating risk” (Politico).

The US Government Accountability Office, in a report to Congress, has recommended that the Internal Revenue Service develop and enforce cybersecurity standards for third-party tax preparation services.

Fortunes of commerce.

Symantec CEO Greg Clark resigned Thursday as the company missed earnings targets and issued disappointing guidance. Clark had led Symantec for three years (Silicon Valley Business Journal). Among the troubles seen as precipitating his departure are an “internal accounting probe, activist investor unrest and enterprise sales struggles” (CRN). Board member Richard Hill will serve as interim CEO (MarketWatch).

Labor markets.

Companies are increasingly turning to workers with aptitude for cyber tasks but without the formal credentials (including education and experience) often associated with cyber job descriptions (Wall Street Journal).

Nextgov reports that the ratio of tech workers aged 60 to those in their 20s narrowed, a bit. It’s a small gain, but the first one observed since 2010.

Mergers and acquisitions.

Paris-based telecommunications giant Orange has acquired Netherlands-based cybersecurity services provider SecureLink for €515 million ($577 million) (Business Wire).

Proofpoint will acquire Tel Aviv-based network access vendor Meta Networks for $120 million (CRN).

Sectigo has acquired Icon Labs, which specializes in security solutions for OEMs and IoT device manufacturers (BusinessWire).

Email security shop Zix has acquired the assets of Cirius Messaging and its wholly owned subsidiary, DeliverySlip Inc, which provides email encryption, e-signatures, and secure file sharing (Yahoo).

Kaseya has purchased Maryland-base ID Agent for its dark web monitoring capabilities (CRN).

Investments and exits.

San Mateo-based SIEM company Exabeam raised $75 million in a Series E funding round led by Sapphire Ventures and Lightspeed Venture Partners, with participation from all of its existing investors (Exabeam).

Seattle-based zero-trust networking startup Tempered Networks has raised $17 million, which puts its total funding at $57 million from Ignition Venture Partners, Fluid Capital, Ridge Ventures, and Rally Capital (GeekWire).

Identity-verification shop Evident has raised $20 million, which it intends to invest in AI, machine learning, computer vision, and facial recognition (Yahoo).

HyperQube has closed a seed round of $500 thousand, which it intends to use to expand availability of its automated web-browser based virtualization services.

And security innovation.

ManTech has opened an innovation center in Orlando, Florida, where it will develop cyber training capabilities for the US military (West).