Category Archives: government

Researchers find shift in monthly web traffic amidst pandemic

There have been shifts in total web traffic broken down by the world’s largest industries as the COVID-19 pandemic has unfolded over the past several weeks, according to Imperva. Based on a weekly average compared to Jan. 19, 2020 traffic, industries that experienced an increase in web traffic from March 1 through March 22, 2020 include: News (+64%) Food and beverages (+34%) Retail (+28%) Gaming (+28%) Law and government (+17%) Education (+17%) Industries that faced … More

The post Researchers find shift in monthly web traffic amidst pandemic appeared first on Help Net Security.

Now Is the Time to Get up to Speed with CMMC and SP 800-171 Rev 2

At the beginning of March 2020, Fifth Domain reported that Colorado-based aerospace, automotive and industrial parts manufacturer Visser Precision LLC had suffered a DoppelPaymer ransomware infection. Those behind this attack ultimately published information stolen from some of Visser’s customers. Those organizations included defense contractors Lockheed Martin, General Dynamics, Boeing and SpaceX. As the attack discussed […]… Read More

The post Now Is the Time to Get up to Speed with CMMC and SP 800-171 Rev 2 appeared first on The State of Security.

Canadian ICT spending could shrink by 5 per cent in 2020: IDC

As the world responds to the COVID-19 pandemic, Canada’s ICT spending is expected to shrink by up to five per cent in 2020, according to a new IDC report.

The IDC report modelled three scenarios: optimistic, probable, and pessimistic.

[Chart: IDC scenario projections. Source: IDC]

“The probable scenario assumes the coronavirus is broadly contained by June. The optimistic scenario assumes the virus is more rapidly contained, and business and investments recover quickly and accelerate in Q3. Finally, a pessimistic scenario that considers a less controlled, longer-lasting, virus ‘rebound’ effect through Q3 and Q4,” said Tony Olvet, group vice-president of research at IDC Canada, in a press release.

IDC wrote that in the probable scenario, a slowed ICT supply chain from China would disrupt market supply for consumer devices and semiconductors. It also expects the unemployment rate to spike to as much as 10 per cent.

At the other two ends, the optimistic scenario hopes to see the virus contained by May and the economy stabilizing by the second half of 2020. In the pessimistic scenario, mass unemployment could further erode business investment and cause ICT spending to fall by as much as 8.2 per cent, assuming governments could not effectively restore economic progress.

IDC noted in its report that the pessimistic scenario is not a worst-case scenario in which the virus cannot be contained; it did not evaluate the potential economic impact of such a case.

Last week, 90 per cent of new COVID-19 cases in Ontario were deemed to be community spread. In response, the provincial governments of Ontario and Quebec ordered the closure of all non-essential businesses to prevent the virus from spreading through crowd gatherings. IDC predicts that the manufacturing, consumer services, transportation, and hospitality industries will be heavily curtailed as social isolation increases.

Nigel Wallis, IDC research vice president, commented that it is still too early to fully assess the overall impact on the Canadian IT market, but recommended that businesses adopt new strategies to cope with the decline.

[Chart. Source: IDC]

On Wednesday, nearly one million Canadians filed for unemployment, accounting for five per cent of Canada’s total workforce.

The Globe and Mail this week reported that Rod Phillips, Ontario finance minister, said it would be “impossible” to make a multi-year projection at this time.

Constituting approximately 4.5 per cent of Canada’s total economy, Canada’s ICT sector has been growing steadily since 2018. Between 2012 and 2019, Canada’s ICT sector revenue grew from $156 billion to $193 billion, or by 23.4 per cent. Despite being a relatively small sector compared to the resources or production industries, the ICT sector had the highest R&D spending, totalling $6.2 billion in 2018 alone.

Welcoming the USA Government to Have I Been Pwned


Over the last 2 years I've been gradually welcoming various governments from around the world onto Have I Been Pwned (HIBP) so that they can have full and unfettered access to the list of email addresses on their domains impacted by data breaches. Today, I'm very happy to announce the expansion of this initiative to include the USA government by way of their US Cybersecurity and Infrastructure Security Agency (CISA). CISA now has the ability to query US government domains via API and receive notifications when they're impacted in subsequent data breaches.

Over the coming months I expect to continue expanding the scope of government support in HIBP. For now, it's a big welcome to the USA and I'm enormously happy to see HIBP able to support them in this fashion.

Telehealth Hazard? HHS Loosens HIPAA Standards for Telemedicine

The worldwide Covid-19 pandemic has created a massive strain on hospitals and medical facilities. In response to this, many medical professionals are taking elective and non-life-threatening appointments online.

“We’re really ramping up telehealth, especially for elderly patients to limit their exposure, while still taking care of their medical needs,” says Dr. Brian Christine, an Alabama-based surgeon.

“The current pandemic is pushing the entire medical industry to minimize risk,” he added.

While the transition to remote appointments may help flatten the curve of Covid-19 cases and provide much-needed relief to medical professionals, it does create a new set of cybersecurity concerns, especially regarding compliance with the Health Insurance Portability and Accountability Act (HIPAA). In response to this potential problem, the Department of Health and Human Services has waived penalties and loosened some of the requirements of the act.

“A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients,” the HHS said in a statement released on its website.

According to the HHS statement, the agency would be, “exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency.”

The HHS specified that “public-facing” services for telemedicine would not be allowed, but that services such as Skype for Business, Zoom for Healthcare, Google G Suite Hangouts Meet were acceptable platforms for remote appointments.

The post Telehealth Hazard? HHS Loosens HIPAA Standards for Telemedicine appeared first on Adam Levin.

Authorities Eye Using Mobile Phone Tracking to Follow COVID-19’s Spread

Privacy advocates advise caution when tracking the movements of patients or those infected with the new coronavirus in an effort to minimize the pandemic’s effect.

Four Important Steps to Secure the United States 2020 Election

It’s an unfortunate reality that cyber attacks on the U.S. 2020 election are likely to happen. However, while this is a potent threat to democracy, an even greater threat is to not take the necessary actions to prevent these attacks until it is too late. There are many different types of cyberattacks that the U.S. […]… Read More

The post Four Important Steps to Secure the United States 2020 Election appeared first on The State of Security.

Researchers Find Major Vulnerabilities in Voatz Voting App

MIT researchers have discovered several vulnerabilities in a mobile voting application, raising serious questions about election security. 

Voatz’s eponymous app has been used since the 2018 midterm elections in counties in West Virginia, Oregon, Washington, Utah and by overseas and military voters, and the company has touted blockchain-based security features as well as its remote identity verification technologies. 

Researchers have instead found a large number of vulnerabilities capable of allowing hackers to alter, stop, or expose submitted votes.

“We find that Voatz is vulnerable to a number of attacks that could violate election integrity. For example, we find that an attacker with root access to a voter’s device can easily evade the system’s defenses, learn the user’s choices (even after the event is over), and alter the user’s vote,” stated the researchers in the introduction to the white paper.

“[E]xploitation would be well within the capacity of a nation-state actor,” the authors went on to state before flatly concluding that the Voatz application, “is not secure.”

Voatz posted a blog post rebutting the findings, claiming that the version of the app studied was “at least 27 versions old… and not used in an election.” It went on to explain that no issues had been reported, and even accused the researchers of aiming “to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion.”

Election security experts and politicians including Oregon Senator Ron Wyden have criticized the company and its response to the paper.

“I raised questions about Voatz months ago, because cybersecurity experts have made it clear that internet voting isn’t safe… Americans need confidence in our election system,” said Wyden.

Read the MIT researchers’ findings here


The post Researchers Find Major Vulnerabilities in Voatz Voting App appeared first on Adam Levin.

Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities

FireEye Labs recently observed an attack against the government sector in Central Asia. The attack involved the new HAWKBALL backdoor being delivered via well-known Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802.

HAWKBALL is a backdoor that attackers can use to collect information from the victim, as well as to deliver payloads. HAWKBALL is capable of surveying the host, creating a named pipe to execute native Windows commands, terminating processes, creating, deleting and uploading files, searching for files, and enumerating drives.

Figure 1 shows the decoy used in the attack.


Figure 1: Decoy used in attack

The decoy file, doc.rtf (MD5: AC0EAC22CE12EAC9EE15CA03646ED70C), contains an OLE object that uses Equation Editor to drop the embedded shellcode in %TEMP% with the name 8.t. This shellcode is decrypted in memory by EQNEDT32.EXE. Figure 2 shows the decryption mechanism used in EQNEDT32.EXE.


Figure 2: Shellcode decryption routine

The decrypted shellcode is dropped as a Microsoft Word plugin WLL (MD5: D90E45FBF11B5BBDCA945B24D155A4B2) into C:\Users\ADMINI~1\AppData\Roaming\Microsoft\Word\STARTUP (Figure 3).


Figure 3: Payload dropped as Word plugin

Technical Details

DllMain of the dropped payload checks whether the string WORD.EXE is present in the sample’s command line. If the string is not present, the malware exits. If it is present, the malware uses the WinExec() function to execute the following command: RunDll32.exe C:\Users\ADMINI~1\AppData\Roaming\Microsoft\Word\STARTUP\hh14980443.wll,DllEntry

DllEntry is the payload’s only exported function. The malware creates a log file in %TEMP% with the name c3E57B.tmp. Each time it writes to the file, it records the current local time followed by two hardcoded values, in the following format:

<Month int>/<Date int> <Hours>:<Minutes>:<Seconds>\t<Hardcoded Digit>\t<Hardcoded Digit>\n

Example:

05/22 07:29:17 4          0

This log file is written to every 15 seconds. The last two digits are hard coded and passed as parameters to the function (Figure 4).


Figure 4: String format for log file

The payload embeds an encrypted configuration block of 0x78 bytes, which is decrypted by XORing each byte with 0xD9. The decrypted data contains command and control (C2) information as well as a mutex string used during malware initialization. Figure 5 shows the decryption routine and the decrypted config.


Figure 5: Config decryption routine

The IP address from the config file is written to %TEMP%/3E57B.tmp with the current local time. For example:

05/22 07:49:48 149.28.182.78.

Mutex Creation

The malware creates a mutex to prevent multiple instances from running. Before naming the mutex, the malware determines whether it is running under the system profile (Figure 6): it resolves the %APPDATA% environment variable and checks whether the resulting path contains the string config/systemprofile.


Figure 6: Verify whether malware is running as a system profile

If the malware is running as a system profile, the string d0c from the decrypted config file is used to create the mutex. Otherwise, the string _cu is appended to d0c and the mutex is named d0c_cu (Figure 7).


Figure 7: Mutex creation

After the mutex is created, the malware writes another entry in the logfile in %TEMP% with the values 32 and 0.

Network Communication

HAWKBALL is a backdoor that communicates with a single hard-coded C2 server over HTTP. The C2 server is taken from the decrypted config, as shown in Figure 5. The network request is built with hard-coded values such as the User-Agent. The malware also sets other request-header fields, such as:

  • Content-Length: <content_length>
  • Cache-Control: no-cache
  • Connection: close

The malware sends an HTTP GET request to the C2 IP address over TCP port 443. Figure 8 shows the GET request as sent over the network.


Figure 8: Network request

The network request is formed with four parameters in the format shown in Figure 9.

Format = "?t=%d&&s=%d&&p=%s&&k=%d"


Figure 9: GET request parameters formation

Table 1 shows the GET request parameters.

Parameter   Information
t           Initially set to 0
s           Initially set to 0
p           String from the decrypted config at offset 0x68
k           The result of GetTickCount()

Table 1: GET request parameters

If the returned response is 200, then the malware sends another GET request (Figure 10) with the following parameters (Figure 11).

Format = "?e=%d&&t=%d&&k=%d"


Figure 10: Second GET request


Figure 11: Second GET request parameters formation

Table 2 shows information about the parameters.

Parameter   Information
e           Initially set to 0
t           Initially set to 0
k           The result of GetTickCount()

Table 2: Second GET request parameters

If the returned response is 200, the malware examines the Set-Cookie field. This field provides the Command ID. As shown in Figure 10, the field Set-Cookie responds with ID=17.

This Command ID acts as the index into a function table created by the malware. Figure 12 shows the creation of the virtual function table that will perform the backdoor’s command.


Figure 12: Function table

Table 3 shows the commands supported by HAWKBALL.

Command   Operation Performed
0         Set URI query string to value
16        Unknown
17        Collect system information
18        Execute a provided argument using CreateProcess
19        Execute a provided argument using CreateProcess and upload output
20        Create a cmd.exe reverse shell, execute a command, and upload output
21        Shut down reverse shell
22        Unknown
23        Shut down reverse shell
48        Download file
64        Get drive geometry and free space for logical drives C-Z
65        Retrieve information about provided directory
66        Delete file
67        Move file

Table 3: HAWKBALL commands

Collect System Information

Command ID 17 indexes to a function that collects the system information and sends it to the C2 server. The system information includes:

  • Computer Name
  • User Name
  • IP Address
  • Active Code Page
  • OEM Page
  • OS Version
  • Architecture Details (x32/x64)
  • String at 0x68 offset from decrypted config file

This information is retrieved from the victim using the following WINAPI calls:

  • GetComputerNameA
  • GetUserNameA
  • gethostbyname and inet_ntoa
  • GetACP
  • GetOEMCP
  • GetCurrentProcess and IsWow64Process

The fields are then assembled with the following format string:

Format = "%s;%s;%s;%d;%d;%s;%s %dbit"


Figure 13: System information

The collected system information is concatenated together with a semicolon separating each field:

WIN732BIT-L-0;Administrator;10.128.62.115;1252;437;d0c;Windows 7 32bit

This information is encrypted using an XOR operation. The response from the second GET request is used as the encryption key. As shown in Figure 10, the second GET request responds with a 4-byte XOR key. In this case the key is 0xE5044C18.

Once encrypted, the system information is sent in the body of an HTTP POST. Figure 14 shows data sent over the network with the POST request.


Figure 14: POST request

In the request header, the field Cookie is set with the command ID of the command for which the response is sent. As shown in Figure 14, the Cookie field is set with ID=17, which is the response for the previous command. In the received response, the next command is returned in field Set-Cookie.

Table 4 shows the parameters of this POST request.

Parameter   Information
e           Initially set to 0
t           Decimal form of the little-endian XOR key
k           The result of GetTickCount()

Table 4: POST request parameters
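The following Python is an added example, not FireEye's code, showing how an analyst could recover the system-information string from a captured POST body once the 4-byte key from the second GET response is known, and how the t parameter of Table 4 relates to that key. Two details are assumptions rather than statements from the report: the key bytes are applied cyclically in the order they arrived on the wire, and t is that 4-byte value read as a little-endian unsigned 32-bit integer. The sample key and plaintext are the values quoted in the report; the "captured" body is constructed from them here, not taken from real traffic.

```python
"""Recover HAWKBALL's system-information string from a captured POST body.

Added example, not FireEye's code.  Labelled assumptions: the 4-byte body of the
second GET response is applied as a repeating XOR key in the byte order it
arrived in, and the POST's t parameter is that same 4-byte value read as a
little-endian unsigned 32-bit integer.  The captured bytes below are
constructed from the report's sample string and key, not taken from traffic.
"""
import struct

# Field order follows the report's format string "%s;%s;%s;%d;%d;%s;%s %dbit".
SYSINFO_FIELDS = (
    "computer_name", "user_name", "ip_address", "active_code_page",
    "oem_code_page", "config_string_0x68", "os_version",
)


def xor_with_key(data, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_from_get_response(body):
    """The second GET's 200 response carries the 4-byte XOR key (Figure 10)."""
    if len(body) != 4:
        raise ValueError("expected a 4-byte key, got %d bytes" % len(body))
    return bytes(body)


def t_parameter(key):
    """Table 4: t is the decimal form of the little-endian key (assumed LE uint32)."""
    return struct.unpack("<I", key)[0]


def parse_sysinfo(text):
    """Split the semicolon-separated string into the seven fields of Figure 13."""
    parts = text.split(";")
    if len(parts) != len(SYSINFO_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(SYSINFO_FIELDS), len(parts)))
    rec = dict(zip(SYSINFO_FIELDS, parts))
    rec["active_code_page"] = int(rec["active_code_page"])
    rec["oem_code_page"] = int(rec["oem_code_page"])
    # The last field is "<OS version> <N>bit"; split off the architecture suffix.
    os_version, _, arch = rec["os_version"].rpartition(" ")
    rec["os_version"], rec["architecture"] = os_version, arch
    return rec


def decode_post_body(body, key):
    """Decrypt a captured POST body with the key and parse the result."""
    plaintext = xor_with_key(body, key).decode("latin-1")
    return parse_sysinfo(plaintext)


# --- constructed sample, built from the values quoted in the report -----------
# Report's key 0xE5044C18; assumed to arrive on the wire little-endian (18 4C 04 E5).
SAMPLE_KEY = struct.pack("<I", 0xE5044C18)
SAMPLE_SYSINFO = "WIN732BIT-L-0;Administrator;10.128.62.115;1252;437;d0c;Windows 7 32bit"
# What the POST body would look like: constructed here, since XOR is symmetric.
SAMPLE_POST_BODY = xor_with_key(SAMPLE_SYSINFO.encode("latin-1"), SAMPLE_KEY)

if __name__ == "__main__":
    key = key_from_get_response(SAMPLE_KEY)
    print("t parameter:", t_parameter(key))
    for field, value in decode_post_body(SAMPLE_POST_BODY, key).items():
        print("%-20s %s" % (field, value))
```

Because the key is sent in the clear in the preceding GET response, a full-packet capture of one beacon cycle is enough to see exactly which host details left the network; if only the POST body is available, the 4-byte key space is small enough to brute-force against the expected ";"-separated layout.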

Create Process

The malware creates a process with specified arguments. Figure 15 shows the operation.


Figure 15: Command create process

Delete File

The malware deletes the file specified as an argument. Figure 16 shows the operation.


Figure 16: Delete file operation

Get Directory Information

The malware gets information for the provided directory address using the following WINAPI calls:

  • FindFirstFileW
  • FindNextFileW
  • FileTimeToLocalFileTime
  • FileTimeToSystemTime

Figure 17 shows the API used for collecting information.


Figure 17: Get directory information

Get Disk Information

This command retrieves the drive information for drives C through Z along with available disk space for each drive.


Figure 18: Retrieve drive information

The information is stored in the following format for each drive:

Format = "%d+%d+%d+%d;"

Example: "8+512+6460870+16751103;"

The information for all the available drives is combined and sent to the server using an operation similar to Figure 14.

Anti-Debugging Tricks

Debugger Detection With PEB

The malware reads the BeingDebugged flag from the Process Environment Block (PEB) to check whether the process is being debugged.


Figure 19: Retrieve value from PEB

NtQueryInformationProcess

The malware uses the NtQueryInformationProcess API to detect if it is being debugged. The following flags are used:

  • Passing value 0x7 (ProcessDebugPort) to ProcessInformationClass:


Figure 20: ProcessDebugPort verification

  • Passing value 0x1E (ProcessDebugFlags) to ProcessInformationClass:


Figure 21: ProcessDebugFlags verification

  • Passing value 0x1F (ProcessDebugObjectHandle) to ProcessInformationClass:


Figure 22: ProcessDebugObject

Conclusion

HAWKBALL is a new backdoor that provides features attackers can use to collect information from a victim and deliver new payloads to the target. At the time of writing, the FireEye Multi-Vector Execution (MVX) engine is able to recognize and block this threat. We advise that all industries remain on alert, though, because the threat actors involved in this campaign may eventually broaden the scope of their current targeting.

Indicators of Compromise (IOC)

MD5                               Name
AC0EAC22CE12EAC9EE15CA03646ED70C  Doc.rtf
D90E45FBF11B5BBDCA945B24D155A4B2  hh14980443.wll

Network Indicators

  • 149.28.182[.]78:443
  • 149.28.182[.]78:80
  • http://149.28.182[.]78/?t=0&&s=0&&p=wGH^69&&k=<tick_count>
  • http://149.28.182[.]78/?e=0&&t=0&&k=<tick_count>
  • http://149.28.182[.]78/?e=0&&t=<int_xor_key>&&k=<tick_count>
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)
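As an added example, not FireEye's tooling, the Python below triages web-proxy log lines for the beacon behaviour described above: the C2 address and User-Agent from the indicator list, and, more durably, the query-string shapes of Figures 9 and 11, in which the backdoor joins parameters with "&&" rather than "&". It also maps a Set-Cookie value from a C2 response to the command names of Table 3. The log line layout and every log line are constructed for the demonstration; the parse_line() function would need adapting to a real proxy's format.

```python
"""Triage web-proxy logs for the HAWKBALL beacon shapes described in the report.

Added example, not FireEye's tooling.  The log format below is constructed for
the demonstration; adapt parse_line() to your proxy's real format.
"""
import re
from urllib.parse import urlsplit

# Network indicators copied from the report (defanged there as 149.28.182[.]78).
C2_IP = "149.28.182.78"
C2_USER_AGENT = (
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
    "Media Center PC 6.0; InfoPath.2)"
)

# The backdoor joins query parameters with "&&" instead of "&" (Figures 9 and 11).
# A query *shape* survives a C2 IP change, so it is matched independently of the IP.
BEACON_SHAPES = {
    "initial_get": re.compile(r"^t=\d+&&s=\d+&&p=[^&]+&&k=\d+$"),
    "second_get_or_post": re.compile(r"^e=\d+&&t=\d+&&k=\d+$"),
}

# Command IDs from Table 3; the C2 returns one in Set-Cookie as ID=<n>.
COMMANDS = {
    0: "set URI query string", 16: "unknown", 17: "collect system information",
    18: "execute argument via CreateProcess", 19: "execute and upload output",
    20: "create cmd.exe reverse shell", 21: "shut down reverse shell", 22: "unknown",
    23: "shut down reverse shell", 48: "download file", 64: "get drive geometry",
    65: "get directory information", 66: "delete file", 67: "move file",
}

# Constructed proxy line layout: <timestamp> <client> <method> <url> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) "([^"]*)"$')


def parse_line(line):
    """Split one constructed proxy log line into its fields, or return None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}


def classify_request(url, user_agent):
    """Return the indicators a request matches and which beacon stage it resembles."""
    parts = urlsplit(url)
    indicators = []
    if parts.hostname == C2_IP:
        indicators.append("c2_ip")
    if user_agent == C2_USER_AGENT:
        indicators.append("c2_user_agent")
    stage = next((n for n, rx in BEACON_SHAPES.items() if rx.match(parts.query)), None)
    if stage:
        indicators.append("query_shape:" + stage)
    return {"stage": stage, "indicators": indicators}


def command_from_set_cookie(header_value):
    """Map a C2 response's Set-Cookie value (e.g. 'ID=17') to the Table 3 command."""
    m = re.search(r"ID=(\d+)", header_value)
    if not m:
        return None
    cmd = int(m.group(1))
    return cmd, COMMANDS.get(cmd, "unknown")


def scan_log(text):
    """Return one hit per log line that matches at least one indicator."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify_request(rec["url"], rec["ua"])
        if verdict["indicators"]:
            hits.append({**rec, **verdict})
    return hits


# Constructed sample log: three beacon-cycle requests, one benign request whose
# query merely contains "&&", and one unrelated request to the C2 address.
SAMPLE_LOG = "\n".join([
    f'2020-05-22T07:49:48Z 10.128.62.115 GET http://149.28.182.78/?t=0&&s=0&&p=wGH^69&&k=120394 "{C2_USER_AGENT}"',
    f'2020-05-22T07:49:49Z 10.128.62.115 GET http://149.28.182.78/?e=0&&t=0&&k=120401 "{C2_USER_AGENT}"',
    f'2020-05-22T07:49:50Z 10.128.62.115 POST http://149.28.182.78/?e=0&&t=3842264088&&k=120420 "{C2_USER_AGENT}"',
    '2020-05-22T07:50:01Z 10.128.62.120 GET http://example.com/search?q=a&&b=c "Mozilla/5.0 (Windows NT 10.0)"',
    '2020-05-22T07:50:02Z 10.128.62.121 GET http://149.28.182.78/ "curl/7.68.0"',
])

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["method"], hit["stage"], hit["indicators"])
```

The query-shape rule is the part worth keeping after the listed IP address goes stale: legitimate applications rarely emit "&&" between parameters, and the fixed sequence t/s/p/k followed by e/t/k is specific to this family, so a hit on shape alone is worth a second look even from a host that never touched the known C2.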

FireEye Detections

MD5: AC0EAC22CE12EAC9EE15CA03646ED70C
  Product:   FireEye Email Security, FireEye Network Security, FireEye Endpoint Security
  Signature: FE_Exploit_RTF_EQGEN_7, Exploit.Generic.MVX
  Action:    Block

MD5: D90E45FBF11B5BBDCA945B24D155A4B2
  Product:   FireEye Email Security, FireEye Network Security, FireEye Endpoint Security
  Signature: Malware.Binary.Dll, FE_APT_Backdoor_Win32_HawkBall_1, APT.Backdoor.Win.HawkBall
  Action:    Block

Acknowledgement

Thank you to Matt Williams for providing reverse engineering support.