Information Security News
by Sean Gallagher
Shortly after intelligence officials delivered a highly-classified briefing on the Russian government’s alleged interference in US politics to President-elect Donald Trump, the Office of the Director of National Intelligence (ODNI) published an unclassified version of the report. This version outlines the majority of the joint conclusions of the Central Intelligence Agency, National Security Agency, and Federal Bureau of Investigation. While it contains no major new hacking revelations, what is new is its focus on the role of Russia’s state-funded media organization, known as RT, and its international satellite media operations.
Ars is still preparing a more thorough analysis of the report and its findings. But the gist of the CIA, NSA, and FBI analysts’ findings is that the Russian Federation’s president, Vladimir Putin, directly ordered intelligence agencies to collect data from the Democratic National Committee, the Hillary Clinton presidential campaign, and other organizations, and he orchestrated an effort to discredit Clinton, the Democratic party, and the US democratic political process through “information operations.”
We assess Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election. Russia’s goals were to undermine public faith in the US democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump. We have high confidence in these judgements.
In an appendix to the report, the agencies laid out a detailed, publicly-sourced analysis of RT’s alleged propaganda operations, including television programming that promoted the Occupy Wall Street movement and focused on information countering US government domestic and foreign policy. RT, in the agencies’ assessment, used coverage of the Occupy Movement to promote the notion that change wasn’t possible within the US democratic system and that only “revolutionary action” could effect real change.
On Friday, US Homeland Security Secretary Jeh Johnson designated election systems to be part of the nation's critical US infrastructure. He said this move would better protect elections from increasingly sophisticated hacking.
"Now more than ever, it is important that we offer our assistance to state and local election officials in the cybersecurity of their systems," Johnson wrote in a statement published late Friday afternoon. "Election infrastructure is vital to our national interests, and cyber attacks on this country are becoming more sophisticated, and bad cyber actors—ranging from nation states, cyber criminals and hacktivists—are becoming more sophisticated and dangerous."
The designation came the same day that US intelligence officials published an unclassified version of a report concluding that Russian Federation president Vladimir Putin directly ordered intelligence agencies to collect data from the Democratic National Committee, the Hillary Clinton presidential campaign, and other organizations. The agencies then oversaw an effort to discredit Clinton, the Democratic party, and the US democratic political process through “information operations," according to the report, which was jointly written by the Central Intelligence Agency, the National Security Agency, and the FBI.
More than 10,000 website databases have been taken hostage in recent days by attackers who are demanding hefty ransoms for the data to be restored, a security researcher said Friday.
The affected data is created and stored by the open source MongoDB database application, according to researchers who have been tracking the ongoing attacks all week. On Monday, Victor Gevers, co-founder of the GDI Foundation, reported finding 200 such databases that had been deleted. By Tuesday, John Matherly, founder of the Shodan search engine, increased the estimate to 2,000 databases, and by Friday, fellow researcher Niall Merrigan updated the count to 10,500.
Misconfigured MongoDB databases have long exposed user password data and other sensitive information, with the 2015 breach of scareware provider MacKeeper that exposed data for 13 million users being just one example. With the surge in ransomware-style attacks—which threaten to permanently delete or encrypt data unless owners pay a fee—hacks targeting MongoDB are seeing a resurgence. Many poorly secured MongoDB databases can be pinpointed using Shodan, which currently shows 99,000 vulnerable instances.
bambenek \at\ gmail /dot/ com
Like many security researchers, I employ a variety of OPSEC techniques to help detect if I have been targeted by something for whatever reason. One of those techniques I use in Virustotal is basically a vanity Yara rule that looks for a variety of strings that would indicate malware was specifically targeting me or some data was uploaded that references me. Virustotal Intelligence is a useful tool for doing that, and many researchers have paid for access, which allows you to also download samples that have been uploaded.
Recently, my vanity Yara rule has been bombarding me with samples that are flagging on some of those keywords. What's interesting is that those files weren't malware or anything even capable of being infested with malware. It turns out they are actually SQLite databases of a cookie store (and flagging off some relevant domains I
There isn't anything special about the database per se (except there are some domains in there I care about); what makes this interesting is that someone was sending A LOT of SQLite cookie databases to Virustotal, making those cookies available for anyone with a paid account to download. Plenty of tracking cookies and things of minimal consequence, but there were cookies for Gmail, Facebook, etc. and, as many readers know, those cookies never expire, meaning operational login credentials are out in the wild (the example file I chose above, if you could figure out the hash, only has cookies from 2011).
This begs the question of why these files were uploaded in the first place. This goes back to research I presented at THOTCON in Chicago last year (a great conference, you should go). You can read the slides here. What that research showed was there were tons of SSH private keys, GPG private keys (most of which had no passwords), config files with database authentication information and so on. All of those files are text, which have no reason ever to be sent to a sandbox (you can't execute text). The same is true for a SQLite database: what exactly are you going to sandbox?
The reality is, there are some automated solutions out there that submit EVERYTHING they see to Virustotal and use that information to make security decisions. It's been known this happens and Virustotal doesn't like it one bit. For organizations, however, that are using those solutions, everything that passes through that solution is being sent to Virustotal and is able to be downloaded by many researchers, and not just myself. That means if you have sensitive documents that you don't want others to see, your security solution may be sending them automatically to Virustotal as part of routine scanning (call it machine learning if you like) to see if they're bad, but in so doing, they are exposing and sending your sensitive information to third parties. This includes sensitive documents (which have some reason to be sandboxed due to macros), but in many cases it's just scanning things that have no reason to ever be sandboxed.
The takeaway for your organization is to check if you have security tools that are sending your internal files out to the cloud and then making them available to others. There is no felony if I download trade secrets from my competitor if they are freely available on Virustotal. The good news is that it's easy to look for (search for tons of things being sent to Virustotal). The bad news is, despite the dust-up last year, it's still happening.
bambenek \at\ gmail /dot/ com
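A pre-submission gate for an automated uploader of the kind described in the diary above, as an added example that is not part of the diary or of any product: it refuses to send SQLite and private-key files to a sandbox and lists which cookie hosts in a store would have been exposed. The watchlist domains, the two cookie-table layouts and the sample rows are assumptions made for the example.

```python
import sqlite3
import tempfile
SQLITE_MAGIC = b"SQLite format 3\x00"      # first 16 bytes of every SQLite file
KEY_MARKER = b"PRIVATE KEY-----"           # PEM / OpenSSH / PGP private key header
WATCHLIST = ("google.com", "facebook.com")  # assumed: domains whose cookies matter

def classify_bytes(head):
    """Label a file by its leading bytes; only things a sandbox can run should go out."""
    if head.startswith(SQLITE_MAGIC):
        return "sqlite-database"
    if KEY_MARKER in head:
        return "private-key"
    return "unknown"

def should_submit(path):
    """Gate in front of the uploader: data files never leave the organization."""
    with open(path, "rb") as fh:
        return classify_bytes(fh.read(4096)) not in ("sqlite-database", "private-key")

def cookie_domains(path):
    """Distinct hosts from a Firefox (moz_cookies.host) or Chromium (cookies.host_key) store."""
    conn = sqlite3.connect(path)
    try:
        tables = {r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")}
        if "moz_cookies" in tables:
            query = "SELECT DISTINCT host FROM moz_cookies"      # Firefox layout
        else:
            query = "SELECT DISTINCT host_key FROM cookies"      # Chromium layout (assumed)
        return sorted(r[0].lstrip(".") for r in conn.execute(query))
    finally:
        conn.close()

def sensitive_cookies(path):
    """Hosts in the store that match the watchlist, i.e. live session material."""
    return [d for d in cookie_domains(path)
            if any(d == w or d.endswith("." + w) for w in WATCHLIST)]

def make_sample_cookie_db():
    """Constructed Firefox-style cookie store filled with fake sample rows."""
    path = tempfile.NamedTemporaryFile(suffix=".sqlite", delete=False).name
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE moz_cookies (host TEXT, name TEXT, value TEXT, expiry INTEGER)")
    conn.executemany("INSERT INTO moz_cookies VALUES (?, ?, ?, ?)", [
        (".google.com", "SID", "sample-value", 1900000000),
        ("www.facebook.com", "c_user", "sample-value", 1900000000),
        ("ads.example.net", "track", "sample-value", 1900000000),
    ])
    conn.commit(); conn.close()
    return path
```

Running `sensitive_cookies(make_sample_cookie_db())` shows the two watchlist hosts whose session cookies would have been handed to every paid Virustotal subscriber had the file been uploaded.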
UK law enforcement authorities released an alert on Wednesday about a new tactic to install ransomware. There are generally two approaches to ransomware attacks: napalm the earth, and what I call high-interaction ransomware attacks that involve some layer of victim communication. Napalm the earth favors quantity over quality, whereas high-interaction employs some targeting, lures and direct communication with the victim. In short, the attackers have some preparation before the attack.
In this case, the attackers would cold call schools under the guise of being from the Department of Education and request the direct email address of the head teacher or head financial officer. Sometimes it was to send testing guidance, other times it was to send mental health assessment forms. They would then send a zip file with a document file and, if opened, start the chain of infection to install ransomware. So there are several interesting things going on.
The cold call is an attempt to claim legitimacy so the recipient is not only expecting an email but that the email is relevant to them and requires their attention.
The attack is targeted to those at the administrative level in a school, so odds are if there are access controls, those individuals probably have complete rights to everything. Even if they don't, they do have access to the most sensitive and valuable information.
Once infected, the victims would have to pay up to £8,000 to recover their files.
There are some mistakes the attacker has made that might help the attentive listener (they say "Department of Education" when it's the Department for Education in the UK) that indicate the attacker was likely not from the UK. In high-interaction attacks, it is these subtle mistakes that provide the essential clues that something is not right. One of the most successful phishes I have seen by success rate was the infamous fake subpoena phish. Even there, you can recognize the use of British English, which would never be in US legal process.
Other key ransomware defenses would help here too: strong backups, updated endpoint protection and up-to-date patches.
In the end, the best defense is an attentive and security-conscious user.
bambenek \at\ gmail /dot/ com