Category Archives: dhs

DHS and FBI published a joint alert on SamSam Ransomware

The US Department of Homeland Security (DHS) and the FBI issued a joint alert on SamSam attacks targeting critical infrastructure.

The US Department of Homeland Security (DHS) and the FBI published a joint alert on the activity associated with the infamous SamSam ransomware.

The SamSam operators extorted over 200 organizations, including public institutions, municipalities, and hospitals, and caused over $30 million in losses.

In March 2018, computer systems in the City of Atlanta were infected by the ransomware; city officials confirmed the attack.

The ransomware infection interrupted several of the city’s online services, including “various internal and customer-facing applications” used to pay bills or access court-related information.

One of the latest attacks hit the Port of San Diego in September; the incident impacted the processing of park permits and record requests, along with other operations.

In February, SamSam ransomware infected over 2,000 computers at the Colorado Department of Transportation (DOT); the DOT shut down the infected workstations.

In August, the security firm Sophos published a report on the SamSam ransomware. Its experts tracked the Bitcoin addresses managed by the crime gang and discovered that the crooks had extorted nearly $6 million from victims since December 2015, when the ransomware first appeared in the threat landscape.

“SamSam has earned its creator(s) more than US$5.9 Million since late 2015. 74% of the known victims are based in the United States. Other regions known to have suffered attacks include Canada, the UK, and the Middle East.” reads the report published by Sophos.

“The largest ransom paid by an individual victim, so far, is valued at US$64,000, a significantly large amount compared to most ransomware families.”

Sophos tracked the Bitcoin addresses reported in all the SamSam versions it has spotted and discovered that 233 victims paid a total of $5.9 million; the security firm also estimated that the group is netting around $300,000 per month.

A few days ago, the U.S. DoJ charged two Iranian men, Faramarz Shahi Savandi (34) and Mohammad Mehdi Shah Mansouri (27), over their alleged role in creating and spreading the infamous SamSam ransomware.

According to the joint report, most of the victims were located in the United States.

“The SamSam actors targeted multiple industries, including some within critical infrastructure. Victims were located predominately in the United States, but also internationally.” reads the alert.

“Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms.”

SamSam actors exploit vulnerabilities in Windows servers to gain persistent access to the target network, then move laterally to infect other hosts on the network.

According to the report, the attackers used the JexBoss Exploit Kit to compromise JBoss applications. They also use Remote Desktop Protocol (RDP) to gain persistent access to victims’ networks, relying on brute force attacks and stolen login credentials.

After obtaining access to the victim’s network, the attackers escalate privileges, then drop and execute the malware.

“After gaining access to a particular network, the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action or authorization. While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection.” continues the alert.

According to the experts, the attackers used stolen RDP credentials bought from darknet marketplaces, and used them in attacks within hours of purchase.

The alert also includes technical details and the following recommendations to mitigate the threat:

  • Audit your network for systems that use RDP for remote communication. Disable the service if unneeded or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.
  • Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389, unless there is a valid business reason to keep open RDP ports. Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.
  • Enable strong passwords and account lockout policies to defend against brute force attacks.
  • Where possible, apply two-factor authentication.
  • Regularly apply system and software updates.
  • Maintain a good back-up strategy.
  • Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
  • When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
  • Ensure that third parties that require RDP access follow internal policies on remote access.
  • Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.
  • Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs. Of course, VPNs are only as secure as the connected devices.
  • Restrict users’ ability (permissions) to install and run unwanted software applications.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
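To show what the alert’s logging recommendation (capture RDP logins and review them for intrusion attempts) looks like in practice, here is an added example that is not code from the alert or from Security Affairs: it runs a simple RDP brute-force check over constructed Windows Security log lines. The one-line record format, the thresholds and the sample IPs and account names are assumptions for the demonstration, not values from the alert.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry) with the fields of Windows Security Event
# IDs 4624 (logon success) / 4625 (failure); LogonType 10 = RemoteInteractive, i.e. RDP.
SAMPLE_LOG = """\
2018-11-30T01:00:05Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2018-11-30T01:00:09Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2018-11-30T01:00:14Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2018-11-30T01:00:20Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2018-11-30T01:00:27Z EventID=4625 LogonType=10 TargetUser=svc_sql SourceIP=203.0.113.7
2018-11-30T01:00:33Z EventID=4624 LogonType=10 TargetUser=svc_sql SourceIP=203.0.113.7
2018-11-30T08:15:00Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=192.0.2.44
2018-11-30T08:15:30Z EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=192.0.2.44
2018-11-30T09:00:00Z EventID=4625 LogonType=3 TargetUser=jsmith SourceIP=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)

def parse(log_text):
    """Yield (timestamp, event_id, logon_type, user, source_ip) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing on them
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, int(m["eid"]), int(m["lt"]), m["user"], m["ip"]

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag each source IP whose RDP logon failures reach `threshold` inside `window`,
    and record whether that source then logged on successfully (guessed or bought creds)."""
    failures = defaultdict(list)  # source_ip -> [(ts, user)] of RDP failures
    alerts = {}
    for ts, eid, lt, user, ip in parse(log_text):
        if lt != 10:
            continue  # only RDP logons are in scope for this check
        if eid == 4625:
            failures[ip].append((ts, user))
            recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
            if len(recent) >= threshold:
                alerts[ip] = {"failures": len(recent),
                              "accounts": sorted({u for _, u in recent}),
                              "success_after": None}
        elif eid == 4624 and ip in alerts:
            alerts[ip]["success_after"] = user  # success after a burst: top priority
    return alerts
```

A single user mistyping a password (192.0.2.44) stays below the threshold, while the burst across several accounts followed by a success (203.0.113.7) is the pattern worth investigating first.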

Pierluigi Paganini

(Security Affairs – SamSam ransomware, hacking)

The post DHS and FBI published a joint alert on SamSam Ransomware appeared first on Security Affairs.

That Bloomberg Supply-Chain-Hack Story

Back in October, Bloomberg reported that China has managed to install backdoors into server equipment that ended up in networks belonging to -- among others -- Apple and Amazon. Pretty much everybody has denied it (including the US DHS and the UK NCSC). Bloomberg has stood by its story -- and is still standing by it.

I don't think it's real. Yes, it's plausible. But first of all, if someone actually surreptitiously put malicious chips onto motherboards en masse, we would have seen a photo of the alleged chip already. And second, there are easier, more effective, and less obvious ways of adding backdoors to networking equipment.

Congress passes bill that creates new Cybersecurity and Infrastructure Security Agency at DHS

The U.S. House of Representatives passed the CISA bill that creates a new cybersecurity agency at the Department of Homeland Security (DHS).

In October, the Senate passed the Cybersecurity and Infrastructure Security Agency (CISA) Act (H.R. 3359); now Congress has passed the legislation unanimously, and it will go to the President for signature.

Once the bill is signed, the National Protection and Programs Directorate (NPPD) will become the Cybersecurity and Infrastructure Security Agency (CISA), with responsibility for cyber and physical infrastructure security.

“The National Protection and Programs Directorate of the Department shall, on and after the date of the enactment of this subtitle, be known as the `Cybersecurity and Infrastructure Security Agency’ (in this subtitle referred to as the `Agency’).” reads the bill.

“Today’s vote is a significant step to stand up a federal government cybersecurity agency,” said Secretary Kirstjen M. Nielsen. “The cyber threat landscape is constantly evolving, and we need to ensure we’re properly positioned to defend America’s infrastructure from threats digital and physical.  It was time to reorganize and operationalize NPPD into the Cybersecurity and Infrastructure Security Agency.  I thank Chairman Michael McCaul and Ranking Member Bennie Thompson for recognizing our critical role and both starting and completing this transformation in the House of Representatives.  I also thank Chairman Ron Johnson and Ranking Member Claire McCaskill for their tireless support of the CISA Act in the Senate.”

The bill aims at securing federal networks and protecting critical infrastructure from cyber and physical threats. 

“The CISA Act passing Congress represents real progress in the national effort to improve our collective efforts in cybersecurity,” said NPPD Under Secretary Christopher Krebs. “Elevating the cybersecurity mission within the Department of Homeland Security, streamlining our operations, and giving NPPD a name that reflects what it actually does will help better secure the nation’s critical infrastructure and cyber platforms.  The changes will also improve the Department’s ability to engage with industry and government stakeholders and recruit top cybersecurity talent.”

Pierluigi Paganini

(Security Affairs – Cybersecurity and Infrastructure Security Agency, DHS)

The post Congress passes bill that creates new Cybersecurity and Infrastructure Security Agency at DHS appeared first on Security Affairs.

DHS cybersecurity rhetoric offers contradictions at DEF CON

The Vote Hacking Village at Defcon 26 in Las Vegas was an overwhelming jumble of activity — a mock vote manipulated, children hacking election results websites, machines being disassembled — and among it all were representatives from local and federal government, learning and sharing information and in the case of Jeanette Manfra, assistant secretary for the office of cybersecurity and communications in the Department of Homeland Security (DHS), deflecting the reality of the situation.

In her DEF CON keynote address, Manfra discussed government cybersecurity in general as well as the ways election security could be improved, but she contradicted herself by refusing to acknowledge the value of the work done by DEF CON and deflecting actions to bring about real change.

The old standby arguments

“The way the government runs, naturally it’s somewhat more complicated. We don’t do IT [in] government particularly well,” Manfra said as an explanation of the DHS’ role. She said DHS was responsible for the cybersecurity of 99 different federal agencies, which have traditionally been isolated in terms of managing security. “We’re trying to get to think about enterprise risk and think about the government as a whole.”

This is a good example of the tone Manfra tried to establish: self-deprecating, but honest about the situation, even if she omitted key pieces of information — such as the challenge of having a holistic view of federal cybersecurity when so many infosec leadership roles in government remain empty — which would contradict the point she made.

Manfra continued to bring up the fact that we live in confusing times in terms of cybersecurity, especially because “the internet has challenged everything when it comes to how we think about the role of government in defending and securing its citizens and its infrastructure.”

“For the first time in a national security space, the government is not on the front lines. Our companies are on the front lines; our citizens are on the front lines; all of you are on the front lines,” Manfra said and concluded this means everyone — government, the intelligence community and the private sector — needs to think differently about their roles in cybersecurity and how to work together. “Our adversaries have been taking advantage of us for a long time. They’ve been taking advantage of our traditional principles for a really long time. And, we’ve got to come up with a way to turn it back on them.”

The idea that the roles of government and the private sector are in flux because of changes in technology is arguably accurate, but the situation is more complex than Manfra portrays. One could just as easily point to the privatization of critical infrastructure and lack of regulations surrounding necessary security and system upgrades in that infrastructure as contributing risk factors.

Manfra’s call for more cooperation between the public and private sectors in terms of security has been a common theme from the government for the past few years. However, the government’s appeal to the private sector to cooperate out of the pride of helping the country has largely fallen on deaf ears, because as was true with Manfra’s speech, the government often fails to make a compelling case.

The government wants to share, but the private sector has little incentive to do so, and experts have said the private sector doesn’t necessarily trust it would benefit from such cooperation, nor that security would improve. Despite the continued reluctance from the private sector and the lack of specifics from the government about what such cooperation would look like, the government seems ready to continue pushing the idea.

Election deflection and contradictions

Once Manfra got to the topic of election security, she began to combine omissions of information with statements that contradicted each other and attempts to deflect suggestions to make meaningful improvements to security.

“Elections are more than just the voting machines … The complexity is actually a benefit,” Manfra said. “Going back to 2016 when we first started to understand that the Russians were attempting to undermine and sow chaos and discord and undermine our democracy in general — which by the way, they’ve been trying to do for decades, it’s just the technology has allowed them to do it at a better scale.”

Despite acknowledging that attempts to undermine our democracy have been happening “for decades,” Manfra failed to explain why efforts to investigate risk factors and offer aid to improve security did not begin until 2016.

Manfra went on to claim the research the government has done led to the conclusion that it is “really really difficult to try to manipulate the actual vote count itself.” She said there were a lot of reasons for this, including that election machines are “physically secured.” This claim garnered chuckles from the DEF CON crowd, who have little respect for things like padlocks.

Manfra said that while misinformation on social media was an issue, DHS was focused on manipulation of voter rolls and the systems that tally the votes. She gave an example of voters becoming disenfranchised with the system because their names weren’t on the rolls at their polling places. She admitted the local officials running these systems are often under-resourced and need help because they could be using old systems.

“They’re trying to undermine our democratic process and confidence that we have in the democratic process,” Manfra said. “There’s a lot of ways to do that without actually manipulating the vote. We’re very much focused on the state and local process that you and I all participate in — I hope — all the time.”

Manfra explicitly mentioned the damage to trust in the election that could occur if an adversary were to manipulate the unofficial tally being reported by states. However, Manfra contradicted herself by discounting the efforts at DEF CON — where an 11-year-old girl hacked into a mock reporting website in 10 minutes and changed the results — telling reporters after the keynote, “If all you’re saying is ‘Look, even a kid can hack into this.’ You’re not getting the full story which could have the impact of the average voter not understanding.”

Manfra admitted the DHS has begun researching more experimental security technologies, like blockchain, to see what their effects could be on election security. But, it’s unclear how serious the DHS is about making changes that would improve security because she also shied away from mandating proven election security measures such as risk-limiting audits.

“I’m not there yet in terms of mandatory requirements,” Manfra told reporters. “I think mandatory requirements could chill, so then people are only about the compliance with the requirement and not the intent.”

Ultimately, it’s unclear if the DHS has real, actionable plans to improve election security beyond the nebulous idea of helping local officials — assuming those officials ask for help in the first place. DEF CON showed vulnerable areas (reporting websites) and ways to improve security (paper trails and risk-limiting audits), but DHS seemed more interested in waiting and watching than learning from the event.

The post DHS cybersecurity rhetoric offers contradictions at DEF CON appeared first on Security Bytes.