Assessing Iranian cyberwarfare capabilities.
Researchers at IntSights have released a threat briefing on Iranian cyberwarfare tactics, techniques, and procedures to be aware of in the midst of high tensions between the US and Iran. The researchers believe it is "highly likely" that Tehran will launch cyberattacks against the US and its allies, but they don't expect any surprises in terms of Iran's cyber capabilities. They note that Iranian cyber operations are probably still recovering from devastating leaks in early 2019, in which someone going by "Lab Dookhtegan" publicly disclosed a wide variety of operational data and malware from Iran-linked APTs.
Threat groups associated with Iran include APT33, APT34, APT35, and APT39. APT33 (also known as "Elfin" or "Refined Kitten") primarily conducts espionage, but it's also been tied to potentially destructive wiper malware. APT34 (also known as "OilRig" or "Helix Kitten") is one of Iran's most sophisticated and well-known threat actors, but this group was hit particularly hard by the Lab Dookhtegan leaks. APT35 (also known as "Phosphorous" or "Charming Kitten") "conducts long-term cyber operations to collect strategic intelligence." This group carries out cyber espionage and has been known to occasionally leak data from organizations it hacks, including HBO in 2017. APT39 focuses on credential theft to support surveillance, primarily against individuals in the Middle East. Hacktivists who support Iran also pose a threat, albeit a smaller one than Tehran's APTs.
Suspected front companies for Chinese APTs identified.
The anonymous group of analysts known as Intrusion Truth has published a series of new blog posts alleging that a number of Chinese companies and individuals are tied to Chinese APTs. Intrusion Truth didn't link these front companies to any specific group, but ZDNet notes that researchers at FireEye and Kaspersky have indicated that the companies are tied to APT40 (also known as "Periscope").
Intrusion Truth's first blog post outlines mostly circumstantial evidence based on overlapping details between companies seeking offensive cybersecurity skills. By searching for pentesting jobs at companies in China's southernmost province of Hainan, the researchers identified several different technology companies offering positions with identical text in their job descriptions. Some of the adverts contained the same contact information across different companies, as well as the same named individuals. The companies themselves also had extremely similar descriptions. The researchers acknowledge that this could be a coincidence, but the companies' registration details reveal a total of thirteen companies that fit this pattern. Many of these companies have shared office locations and contact details.
The second blog post describes ties between these companies and Hainan University, particularly involving a man who serves as a professor in the school's information security department. This professor is also a contact person for one of the companies described above (which incidentally has the same address as Hainan University). In 2013, the professor ran a password-cracking challenge for students in which he offered up to ¥500,000 (approximately $80,000 at the time) as a reward for finding new alternatives to traditional cracking techniques like brute-forcing and dictionary attacks.
The third blog post examines additional leads by searching for people who claim to work at the suspected front companies, although the researchers note that "[n]one of these leads are ground-breaking." The post also notes evidence that Chinese users have viewed the alleged front companies with suspicion due to their scant Internet presence.
The researchers emphasize at the outset that "we know that these companies are a front for APT activity." While the evidence presented in the blogs so far might not be enough to draw such a definitive conclusion, it's worth noting that Intrusion Truth does have a history of being reliable in its accusations. Two out of three of their previous investigations have resulted in the US Department of Justice bringing indictments against Chinese APTs, and ZDNet notes that a third indictment may still be in the works. Intrusion Truth also hints that more blog posts are forthcoming.
Fancy Bear targets Burisma Holdings.
Area 1 Security released research describing a successful phishing campaign aimed at Burisma Holdings and its subsidiaries and partners. The researchers attribute the campaign to Russia's military intelligence agency, the GRU, and they say the timing of the campaign is significant "because Burisma Holdings is publicly entangled in U.S. foreign and domestic politics." Burisma is the Ukrainian firm at the center of the impeachment inquiry directed at President Trump, who wanted Ukraine to investigate Hunter Biden's connections to the firm.
The phishing campaign against Burisma began in early November 2019, and it went after email credentials belonging to Burisma's employees. The attackers used convincing lookalike domains and spearphishing emails to achieve this. They also "ensured reliable phishing delivery by setting up appropriate email sender authentication records using SPF and DKIM."
Area 1 concludes that the GRU "applied verisimilitude in extensive masquerading of common business tools and productivity applications to steal account credentials, gain access to internal systems and data, impersonate employees through the unauthorized use of their accounts, and manipulate outcomes successfully."
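Passing SPF and DKIM only proves that a message came from the domain it names, so a lookalike domain whose operator publishes correct records authenticates cleanly. The following is an added example written for this page, not Area 1's tooling: it triages a message by its From domain and Authentication-Results header, flags senders whose registrable label is a confusable or one-edit variant of a protected domain, and separates out the case where such a lookalike passes both checks. The protected domain, the headers and the confusable table are constructed placeholders.

```python
"""Triage mail from lookalike domains that pass SPF/DKIM (added example)."""
import re

# Confusable substitutions a reader's eye glosses over; constructed, not exhaustive.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}
AUTH_RE = re.compile(r"\b(spf|dkim)=(pass|fail|softfail|neutral|none|temperror|permerror)\b", re.I)
FROM_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def normalize(label):
    """Collapse common confusables so visually similar labels compare equal."""
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label


def edit_distance(a, b):
    """Levenshtein distance in the classic dynamic-programming form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label, e.g. 'example-holdings' for mail.example-holdings.com.
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_of(sender_domain, protected, max_distance=1):
    """Return the protected domain the sender resembles, or None if exact or unrelated."""
    sender = sender_domain.lower()
    if sender in protected:
        return None
    label = registrable_label(sender)
    for domain in protected:
        target = registrable_label(domain)
        if normalize(label) == normalize(target) or edit_distance(label, target) <= max_distance:
            return domain
    return None


def triage(headers, protected):
    """Classify a message from its From and Authentication-Results headers."""
    match = FROM_RE.search(headers.get("From", ""))
    if not match:
        return "no-sender-domain"
    from_domain = match.group(1).lower()
    results = {m.group(1).lower(): m.group(2).lower()
               for m in AUTH_RE.finditer(headers.get("Authentication-Results", ""))}
    target = lookalike_of(from_domain, protected)
    if target is None:
        return "legitimate-domain" if from_domain in protected else "unrelated-domain"
    if results.get("spf") == "pass" and results.get("dkim") == "pass":
        # Authentication passed for the lookalike itself: its records were published to pass.
        return f"authenticated-lookalike:{target}"
    return f"lookalike:{target}"


# Constructed sample: protected domain and headers are placeholders, not real mail.
PROTECTED = {"example-holdings.com"}
SAMPLE_MESSAGE = {
    "From": "IT Support <helpdesk@examp1e-holdings.com>",
    "Authentication-Results": "mx.example-holdings.com; spf=pass smtp.mailfrom=examp1e-holdings.com; "
                              "dkim=pass header.d=examp1e-holdings.com",
}

if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGE, PROTECTED))
```

The verdict string carries the protected domain being imitated so a mail gateway rule or SIEM alert can show the analyst which brand is at stake; an "authenticated-lookalike" result is the one to route for review, since the authentication that would normally raise confidence is exactly what the sender arranged.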
NSA warns users to apply Windows patches immediately.
Brian Krebs noted on Monday that he was hearing reports of "an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows." The US National Security Agency confirmed on Tuesday in a press call that it had uncovered the vulnerability and reported it to Microsoft. Redmond issued a fix for the flaw on Tuesday, and users are strongly encouraged to apply the patch as soon as possible. Neither Microsoft nor NSA has observed the vulnerability being exploited in the wild, but NSA emphasizes that "sophisticated cyber actors will understand the underlying flaw very quickly."
Computing explains that the vulnerability, now dubbed CVE-2020-0601, is in the crypt32.dll file, which contains the functions used by Windows's CryptoAPI. Microsoft's advisory describes the flaw as a "spoofing vulnerability...in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates." The vulnerability can indirectly result in remote code execution by undermining trusted communication channels, including HTTPS as well as signed files and executable code. NSA recommends that systems be disconnected from the Internet if they can't be patched immediately. Aside from patching, there are no other known mitigations.
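The briefing above does not go into the mechanics of the flaw. Public analysis of CVE-2020-0601 centred on certificates that carry explicitly encoded elliptic-curve parameters rather than a named-curve OID, and RFC 5480 already requires PKIX ECC keys to use the namedCurve form. The following added example (written for this page, not Microsoft's or NSA's code) is a minimal DER walker that classifies how an ECC SubjectPublicKeyInfo encodes its parameters, so a defender can flag the explicit form in certificates harvested from logs or TLS inspection. The sample keys are constructed in the block; their point bytes are filler, not real curve points.

```python
"""Classify how an ECC SubjectPublicKeyInfo encodes its curve parameters (added example)."""

EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")  # 1.2.840.10045.2.1 id-ecPublicKey
NAMED_CURVES = {
    bytes.fromhex("2a8648ce3d030107"): "P-256",  # 1.2.840.10045.3.1.7
    bytes.fromhex("2b81040022"): "P-384",        # 1.3.132.0.34
    bytes.fromhex("2b81040023"): "P-521",        # 1.3.132.0.35
}


def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value bytes, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low seven bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def classify_spki(spki):
    """Return how the key's AlgorithmIdentifier parameters are encoded.

    'named:<curve>' : namedCurve OID, the only form RFC 5480 permits in PKIX
    'explicit'      : full ECParameters SEQUENCE spelled out in the certificate
    'implicit'      : NULL (implicitCurve), also disallowed by RFC 5480
    'not-ec'        : some other key algorithm
    """
    tag, body, _ = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    tag, alg, _ = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, pos = read_tlv(alg, 0)
    if tag != 0x06 or oid != EC_PUBLIC_KEY_OID:
        return "not-ec"
    if pos >= len(alg):
        return "missing-parameters"
    ptag, pval, _ = read_tlv(alg, pos)
    if ptag == 0x06:
        return "named:" + NAMED_CURVES.get(pval, "unknown-oid")
    if ptag == 0x30:
        return "explicit"
    if ptag == 0x05:
        return "implicit"
    return "malformed"


def der(tag, payload):
    """Encode one DER element; used only to build the constructed samples below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + payload


# Constructed samples. FAKE_POINT is filler, not a point on any curve, and the explicit
# ECParameters body is a placeholder SEQUENCE; the classifier only inspects the parameter tag.
FAKE_POINT = b"\x04" + bytes(range(64))


def build_ec_spki(params):
    alg = der(0x30, der(0x06, EC_PUBLIC_KEY_OID) + params)
    return der(0x30, alg + der(0x03, b"\x00" + FAKE_POINT))


SAMPLE_NAMED = build_ec_spki(der(0x06, bytes.fromhex("2a8648ce3d030107")))
SAMPLE_EXPLICIT = build_ec_spki(der(0x30, der(0x02, b"\x01")))
SAMPLE_RSA = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
              + der(0x03, b"\x00\x30\x00"))  # rsaEncryption OID with NULL parameters

if __name__ == "__main__":
    for name, sample in [("named", SAMPLE_NAMED), ("explicit", SAMPLE_EXPLICIT), ("rsa", SAMPLE_RSA)]:
        print(name, classify_spki(sample))
```

In practice the SPKI is pulled from a parsed certificate (for example the tbsCertificate.subjectPublicKeyInfo element) before being handed to the classifier; anything other than a "named:" result for an ECC certificate chaining to a trusted root is worth an alert regardless of whether the host is patched, since a well-formed PKIX certificate has no reason to carry explicit parameters.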
Cyberattack trends in 2019.
CrowdStrike published a report outlining trends it observed throughout 2019. The firm's incident response team found that the average dwell time in 2019 was 95 days, up from 85 days in 2018. Of the attacks examined, 36% resulted in business disruption (often caused by ransomware), 25% in theft of data, 10% in monetary loss, and 29% were classified as "Other." The researchers note that business disruption often has more damaging effects on an organization than pure monetary loss, even though the two categories overlap. Spearphishing was the most common initial attack vector throughout 2019, followed by compromised credentials and web attacks.
CrowdStrike highlights a dramatic increase in the use of the open-source Active Directory reconnaissance tool BloodHound, which has proved particularly useful for attackers seeking to identify valuable resources to target with ransomware.