By the CyberWire staff
Microsoft calls out Moscow, Beijing, and Tehran for targeting US election.
Microsoft has observed extensive Russian, Chinese, and Iranian efforts to target people and organizations associated with the upcoming US election. Redmond says these findings are consistent with the overview of these threats published last month by the US Office of the Director of National Intelligence.
Strontium (also known as Fancy Bear or APT28, the unit of Russia's GRU that hacked the DNC in 2016) has "attacked more than 200 organizations including political campaigns, advocacy groups, parties and political consultants." Microsoft says the threat actor is using new tools and techniques this time around: "In 2016, the group primarily relied on spear phishing to capture people’s credentials. In recent months, it has engaged in brute force attacks and password spray, two tactics that have likely allowed them to automate aspects of their operations. Strontium also disguised these credential harvesting attacks in new ways, running them through more than 1,000 constantly rotating IP addresses, many associated with the Tor anonymizing service. Strontium even evolved its infrastructure over time, adding and removing about 20 IPs per day to further mask its activity."
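The distinction Microsoft draws matters for detection: a brute-force attack hammers one account from one source, while a spray tries a few passwords against many accounts from rotating sources, keeping each account under its lockout threshold. The following is an added example, not Microsoft's tooling or data; the log line format, the thresholds, and the sample lines are all assumptions constructed for the illustration.

```python
"""Separate password spraying from brute force in authentication failures.

Added example; the log format is an assumption, not a Microsoft artefact:
    <ISO-8601 UTC timestamp> <FAIL|SUCCESS> user=<name> src=<ip>
Spraying keeps per-account failures under lockout thresholds, so the signal
is per window: many distinct accounts, few failures each, many source IPs.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample lines, not real telemetry.  08:0x is a spray (twelve
# accounts, one failure each, six rotating sources, one hit on "kim");
# 09:0x is a brute force (one account, twelve failures, one source);
# 10:0x is a user who mistypes once and then signs in.
SPRAY_LINES = """\
2020-09-10T08:00:01 FAIL user=alice src=198.51.100.10
2020-09-10T08:00:13 FAIL user=bob src=198.51.100.11
2020-09-10T08:00:25 FAIL user=carol src=198.51.100.12
2020-09-10T08:00:37 FAIL user=dave src=198.51.100.13
2020-09-10T08:00:49 FAIL user=erin src=198.51.100.14
2020-09-10T08:01:01 FAIL user=frank src=198.51.100.15
2020-09-10T08:01:13 FAIL user=grace src=198.51.100.10
2020-09-10T08:01:25 FAIL user=heidi src=198.51.100.11
2020-09-10T08:01:37 FAIL user=ivan src=198.51.100.12
2020-09-10T08:01:49 FAIL user=judy src=198.51.100.13
2020-09-10T08:02:01 FAIL user=kim src=198.51.100.14
2020-09-10T08:02:13 FAIL user=leo src=198.51.100.15
2020-09-10T08:02:40 SUCCESS user=kim src=198.51.100.14
2020-09-10T08:03:00 SUCCESS user=mike src=10.0.0.7
"""
BRUTE_FORCE_LINES = "".join(
    f"2020-09-10T09:00:{5 * i:02d} FAIL user=bob src=203.0.113.9\n" for i in range(12))
BENIGN_LINES = """\
2020-09-10T10:00:02 FAIL user=alice src=10.0.0.21
2020-09-10T10:00:20 SUCCESS user=alice src=10.0.0.21
"""
SAMPLE_LOG = SPRAY_LINES + BRUTE_FORCE_LINES + BENIGN_LINES


def parse_line(line):
    """Parse one log line into (timestamp, result, user, source_ip)."""
    ts, result, user_kv, src_kv = line.split()
    when = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
    return when, result, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]


def _bucket_events(log_text, window_seconds):
    """Group events into fixed windows keyed by window start (UTC epoch seconds)."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            when, result, user, src = parse_line(line)
            start = int(when.timestamp() // window_seconds) * window_seconds
            buckets[start].append((when, result, user, src))
    return buckets


def detect_password_spray(log_text, window_minutes=10, min_users=10,
                          max_avg_failures=2.0, min_sources=5):
    """Flag windows with many accounts, few failures each, many sources."""
    alerts = []
    for start, events in sorted(_bucket_events(log_text, window_minutes * 60).items()):
        failures = [e for e in events if e[1] == "FAIL"]
        if not failures:
            continue
        per_user = Counter(e[2] for e in failures)
        sources = {e[3] for e in failures}
        avg = len(failures) / len(per_user)
        if len(per_user) >= min_users and avg <= max_avg_failures and len(sources) >= min_sources:
            # A sprayed account that also logged in during the window is the real alarm.
            hits = sorted({e[2] for e in events if e[1] == "SUCCESS" and e[2] in per_user})
            alerts.append({"window_start": datetime.fromtimestamp(start, tz=timezone.utc),
                           "users": len(per_user), "sources": len(sources),
                           "failures": len(failures), "avg_failures_per_user": round(avg, 2),
                           "hit_users": hits})
    return alerts


def detect_brute_force(log_text, window_minutes=10, max_failures=10):
    """Flag any single account exceeding max_failures in one window."""
    alerts = []
    for start, events in sorted(_bucket_events(log_text, window_minutes * 60).items()):
        for user, n in Counter(e[2] for e in events if e[1] == "FAIL").items():
            if n > max_failures:
                alerts.append({"window_start": datetime.fromtimestamp(start, tz=timezone.utc),
                               "user": user, "failures": n})
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_LOG):
        print("password spray:", alert)
    for alert in detect_brute_force(SAMPLE_LOG):
        print("brute force:", alert)
```

On the sample, only the 08:00 window trips the spray rule (twelve accounts, six sources, one failure each) and only "bob" trips the per-account rule; note that a per-account lockout counter alone would never see the spray, which is the point Microsoft's description of Strontium's rotating infrastructure makes.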
Zirconium (a Chinese state-sponsored threat actor, also tracked as APT31), is targeting "people closely associated with U.S. presidential campaigns and candidates." The group unsuccessfully tried to hack email accounts belonging to people affiliated with Joe Biden's presidential campaign, and "targeted at least one prominent individual formerly associated with the Trump Administration." Zirconium has also targeted "prominent individuals in the international affairs community, academics in international affairs from more than 15 universities, and accounts tied to 18 international affairs and policy organizations including the Atlantic Council and the Stimson Center."
Phosphorus (an Iran-aligned group also tracked as APT35 or Charming Kitten) "has attempted to access the personal or work accounts of individuals involved directly or indirectly with the U.S. presidential election. Between May and June 2020, Phosphorus unsuccessfully attempted to log into the accounts of administration officials and Donald J. Trump for President campaign staff."
Microsoft also argues that additional Federal funding is needed to secure states' election infrastructure, even though the organizations targeted here are not the ones that run it: "While the political organizations targeted in attacks from these actors are not those that maintain or operate voting systems, this increased activity related to the U.S. electoral process is concerning for the whole ecosystem."
A look at website defacement enthusiasts.
Researchers at Comparitech, while investigating a recent surge in website defacements, discovered eighty-nine zero-day vulnerabilities in popular CMS platforms and their plugins. Additionally, the researchers looked at five popular website hacking tools and found that 154 of the 280 vulnerabilities they exploited had no CVE assigned. Comparitech identified more than 100,000 sites running vulnerable plugins, most of which were using WordPress and Joomla.
Comparitech also offers a look into the global "defacement community," amateur hackers who congregate online and vandalize websites to gain notoriety and respect among their peers. Many of these individuals don't seem particularly concerned about operational security, and the researchers found it easy to locate their social media profiles.
The hackers use commodity or open-source tools to scan for and infiltrate vulnerable websites, usually by uploading a web shell (a server-side script that gives the attacker remote command execution) to the site's server. They then deface the site to their heart's content and create a mirror of the vandalized site to preserve the evidence of their success. These mirrors are posted on aggregator sites, where they're ranked based on the importance of the hacked website. Popular websites and sites belonging to governments and universities tend to rank the highest.
The researchers note that while this behavior certainly isn't good, it could be worse: "Many of the exploits could also be used to distribute malware, set up phishing pages, redirect users to other malicious pages, install card skimming malware, add the server to a botnet, install a cryptominer, encrypt site data with ransomware, or launch a number of other attacks on the site and its visitors."
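Because the entry point is almost always a dropped server-side script, a site owner can hunt for the artefact itself rather than the CVE. The following is an added example, not Comparitech's tooling: it walks a web root and flags files by where they sit (a script under an upload path) and by what they do (request input or an obfuscated blob reaching an execution function). The directory names, indicator lists, and the WordPress-like fixture tree are assumptions constructed for the illustration.

```python
"""Scan a web root for the web shells defacement crews drop after exploiting
a CMS or plugin.  Added example, not Comparitech's tooling.

Two independent signals: where a server-side script sits (a .php file under
an upload path has no business there) and what it does (request input or an
obfuscated blob flowing into an execution function).
"""
import os
import re
import tempfile

# Indicator lists are assumptions for the example, not an exhaustive ruleset.
SCRIPT_EXTS = {".php", ".php5", ".phtml", ".phar", ".asp", ".aspx", ".jsp"}
UPLOAD_DIRS = {"uploads", "images", "cache", "tmp"}
EXEC_FUNCS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
OBFUSCATION = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)


def classify_file(root, rel_path):
    """Return the reasons a file looks like a web shell (empty list if none)."""
    reasons = []
    parts = rel_path.replace(os.sep, "/").split("/")
    segments = parts[-1].lower().split(".")
    exts = {"." + s for s in segments[1:]}
    if exts & SCRIPT_EXTS and any(d in UPLOAD_DIRS for d in parts[:-1]):
        reasons.append("server-side script under upload path")
    if {"." + s for s in segments[1:-1]} & SCRIPT_EXTS:  # e.g. shell.php.jpg
        reasons.append("double extension hides a script")
    with open(os.path.join(root, rel_path), encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    exec_hit = EXEC_FUNCS.search(text)
    if exec_hit and REQUEST_INPUT.search(text):
        reasons.append(f"request input reaches {exec_hit.group(1)}()")
    if exec_hit and OBFUSCATION.search(text):
        reasons.append(f"obfuscated payload feeds {exec_hit.group(1)}()")
    return reasons


def scan_webroot(root):
    """Map relative path -> reasons for every suspicious file under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            reasons = classify_file(root, rel)
            if reasons:
                findings[rel] = reasons
    return findings


def build_sample_webroot():
    """Write a constructed WordPress-like tree to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.php": "<?php echo 'hello'; ?>",
        "wp-content/uploads/2020/09/photo.jpg": "JFIF placeholder, not a script",
        "wp-content/uploads/2020/09/shell.php":
            "<?php if (isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); } ?>",
        "wp-content/plugins/legit/helper.php":
            "<?php eval(base64_decode('cGhwaW5mbygpOw==')); ?>",
        # Double extension: only runs on a misconfigured handler, still worth flagging.
        "wp-content/uploads/avatar.php.jpg": "<?php echo shell_exec($_GET['c']); ?>",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, why in scan_webroot(build_sample_webroot()).items():
        print(path, "->", "; ".join(why))
```

The two signals are deliberately independent: the plugin file in the fixture is in a legitimate location but carries an obfuscated eval, while the upload-directory files would be caught by location alone even if their contents were encoded past the content regexes. Denying script execution under upload paths in the web server configuration removes the first class outright.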
Equinix discloses ransomware attack.
Data center giant Equinix disclosed that it sustained a ransomware attack against some of its internal systems. The company stated, "Our teams took immediate and decisive action to address the incident, notified law enforcement and are continuing to investigate. Our data centers and our service offerings, including managed services, remain fully operational, and the incident has not affected our ability to support our customers. Note that as most customers operate their own equipment within Equinix data centers, this incident has had no impact on their operations or the data on their equipment at Equinix."
BleepingComputer obtained a screenshot of the alleged ransom note from the attack, which indicates that the NetWalker ransomware was used. The note contains a link to a screenshot of what appears to be stolen corporate data, which the attackers threaten to publish unless the victim contacts them. Another link leads to a NetWalker payment site demanding $4.5 million worth of Bitcoin (doubling to $9 million on September 15th). Equinix itself hasn't confirmed any of these details, however.
More casualties in the long-running Blackbaud third-party data breach.
The University of Missouri has disclosed that its donors' personal information may have been compromised in the Blackbaud breach, Government Technology reports; the notice from Missouri S&T, one of the system's campuses, is representative.
The AP reports that University of Nevada, Reno, alumni and donors may have had their data exposed in the Blackbaud breach. The information at risk includes contact information (names and addresses) and the individual's giving history. About 200,000 people may have had their information compromised.
Some healthcare systems were also affected: University of Kentucky Healthcare (according to the Louisville Courier-Journal), Boulder Community Health (as reported by the Longmont Times-Call) and Atrium Health (according to Government Technology). Inova Health System was also affected, and has warned that "the information removed by the threat actor may have contained certain personal information of some patients and donors, including full names, addresses, dates of birth, phone numbers, provider name(s), date(s) of service, hospital department(s), and/or philanthropic giving history such as donation dates and amounts."
Guthrie, a health system in New York and Pennsylvania, has determined that the attackers gained access to a backup file containing "information pertaining to some Guthrie patients, including patient name(s), contact information, age, gender, date(s) of treatment, department(s) of service, treating physician(s), and health insurance status."
And in Atlanta, Georgia, according to WSB-TV2, a number of schools and hospitals have been similarly affected, although the report names only two: the Georgia State University Foundation and the Morehouse School of Medicine. Georgia State believes a small number of donors' Social Security numbers may have been exposed, and the foundation is reaching out to these individuals.
The Blackbaud ransomware incident is clearly going to have repercussions for some time. It should be regarded as a cautionary tale of third-party risk.
For more, see the CyberWire Pro Privacy Briefing.
CISA's view of the upcoming US election.
US Cybersecurity and Infrastructure Security Agency Director Christopher Krebs sees no serious signs of attempts to hack, in the narrowly technical sense, US voting infrastructure. "The technical stuff on networks, we’re not seeing," Director Krebs said Wednesday during the Billington Cybersecurity Summit, adding, "It gives me a little bit of confidence." Reuters observes that this would seem to qualify remarks made a few weeks ago by US National Security Advisor Robert O’Brien, who warned of the likelihood of Chinese attempts against election infrastructure.
CISA has been receiving reports from state and local election officials, and Director Krebs hasn’t seen anything alarming there, at least not in this respect. Disinformation is another matter—DHS and its CISA unit are seeing enough of that.
Krebs also warned this week that election results might well take longer to tabulate than the swift results Americans have become accustomed to over the last few decades. "This is probably going to take a little bit longer to do the counting because of the increase in absentee ballots," the Voice of America quoted him as saying. He made a plea for restraint and circumspection: "Have a little bit of patience. Democracy wasn't made overnight." The Washington Post reports that CISA is indeed seeing Russian attempts to sow doubt and suspicion around voting by mail.
CISA also sponsored a webinar on Thursday afternoon in which it outlined trends in disinformation. Among the more significant of these is the growing tendency of nation-states to outsource the conduct of disinformation campaigns to third parties, especially to public relations firms and other contractors with similar skill sets. This not only affords obfuscation and deniability, but it also gives the governments doing the hiring access to expertise they might well not have in-house.
For more, see the CyberWire Pro Disinformation Briefing.
Thanos ransomware tries to overwrite Windows master boot record.
Palo Alto Networks' Unit 42 has observed a new strain of the Thanos commodity ransomware used against "two state-run organizations in the Middle East and North Africa," with the attackers demanding $20,000 in Bitcoin. Notably, this version has been designed with the ability to overwrite the master boot record (MBR), although this functionality failed in this case due to a simple bug in the code.
Unit 42 points out that this technique is unusual for financially motivated ransomware actors: "Overwriting the MBR is a much more destructive approach to ransomware than previously used by Thanos and would require more effort for victims to recover their files even if they paid the ransom." As a result, this tactic may be counterproductive for an attacker who has already compromised a system and is hoping to convince the victim to pay the ransom rather than recovering manually. Recorded Future's Allan Liska told CyberScoop, "The addition of overwriting the MBR is not something we have noted in other Thanos attacks, meaning these may be destructive attacks designed to look like ransomware attacks."
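The reason an MBR overwrite is so much costlier to recover from than file encryption is structural: sector 0 holds the boot code, the four partition entries, and the 0x55AA signature, so clobbering it leaves the firmware with nothing to boot and the OS with no map of the disk. The following is an added example, not Unit 42's code: it parses a 512-byte MBR and returns the signs that it has been overwritten. The partition layout, the placeholder boot bytes, and the "ransom note" sector are constructed fixtures, not artefacts from the incident.

```python
"""Parse an MBR and flag the signs that it has been overwritten.

Added example, not Unit 42's code.  Sector 0 is 446 bytes of boot code,
four 16-byte partition entries, and the 0x55AA signature.  A payload that
replaces the sector usually loses the signature and the partition table;
a baseline hash of the boot code catches a replacement that keeps both.
"""
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446
ENTRY_FORMAT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector):
    """Return boot code, the four partition entries, and the signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            ENTRY_FORMAT, sector, TABLE_OFFSET + 16 * i)
        partitions.append({"index": i, "status": status, "type": ptype,
                           "lba_start": lba, "sectors": count})
    signature = struct.unpack_from("<H", sector, 510)[0]
    return {"boot_code": sector[:TABLE_OFFSET], "partitions": partitions,
            "signature": signature}


def boot_code_digest(sector):
    """SHA-256 of the boot code only; record it from a known-good disk."""
    return hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest()


def check_mbr(sector, baseline_digest=None):
    """Return a list of problems; an intact MBR yields []."""
    mbr = parse_mbr(sector)
    problems = []
    if mbr["signature"] != 0xAA55:  # bytes 55 AA read as a little-endian word
        problems.append("missing 0x55AA boot signature")
    used = [p for p in mbr["partitions"] if p["type"] != 0]
    if not used:
        problems.append("partition table is empty")
    for p in used:
        if p["status"] not in (0x00, 0x80):
            problems.append(f"partition {p['index']} has invalid status byte")
        if p["lba_start"] == 0 or p["sectors"] == 0:
            problems.append(f"partition {p['index']} has zero start or length")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in used)
    for (_, end_a, a), (start_b, _, b) in zip(spans, spans[1:]):
        if start_b < end_a:
            problems.append(f"partitions {a} and {b} overlap")
    if baseline_digest and boot_code_digest(sector) != baseline_digest:
        problems.append("boot code differs from baseline")
    return problems


# Constructed fixtures, not disk images from the incident.
def build_clean_mbr():
    """NTFS system partition plus a Linux partition, placeholder boot code."""
    boot = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"  # cli; xor ax,ax; mov ss,ax; mov sp,7c00
    boot = boot.ljust(TABLE_OFFSET, b"\x90")
    chs = b"\x00\x00\x00"  # CHS fields left zero; modern loaders use LBA
    table = struct.pack(ENTRY_FORMAT, 0x80, chs, 0x07, chs, 2048, 1_000_000)
    table += struct.pack(ENTRY_FORMAT, 0x00, chs, 0x83, chs, 1_002_048, 500_000)
    table += b"\x00" * 32  # two unused entries
    return boot + table + b"\x55\xaa"


def build_overwritten_mbr(keep_signature=False):
    """Sector 0 replaced by a text blob; optionally the signature survives."""
    note = b"YOUR FILES ARE ENCRYPTED (constructed placeholder ransom text)"
    sector = note.ljust(510, b"\x00")
    return sector + (b"\x55\xaa" if keep_signature else b"\x00\x00")


if __name__ == "__main__":
    clean = build_clean_mbr()
    baseline = boot_code_digest(clean)
    print("clean:", check_mbr(clean, baseline))
    print("overwritten:", check_mbr(build_overwritten_mbr(), baseline))
    print("overwritten, signature kept:", check_mbr(build_overwritten_mbr(True), baseline))
```

Against a live system the input is the first 512 bytes of the raw disk device (for example `/dev/sda` or `\\.\PhysicalDrive0`, read with administrative rights); the baseline digest should be captured and stored off-host when the machine is known good, because a payload that writes its own boot code and keeps the signature is only caught by the hash comparison.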
For more, see the CyberWire Pro Research Briefing.
Palantir's unusual proposed shareholder model.
TechCrunch notes that Palantir submitted an amended S-1 filing to the SEC last week. The new version specifies that the company's founders Alex Karp, Stephen Cohen, and Peter Thiel will hold 49.999999% of the company's ownership in perpetuity. TechCrunch explains that "While founders of startups in recent years have often had special shares with extra votes (typically 10 votes for their special shares compared to one vote for standard shares), those votes dissipate if the underlying shares are sold. Palantir's model is unique in allowing founders to have a commanding vote even if they were to sell their shares — in other words, voting power without underlying shareholder power, in direct contradiction to modern shareholder theory."
Patch news.
The Zero-Day Initiative has a summary of September's Patch Tuesday. Adobe’s three patches addressed Framemaker (out-of-bounds read and stack-based buffer overflow), InDesign (memory corruption problems), and Experience Manager (mostly cross-site scripting issues). Microsoft’s 129 fixes dealt with issues in Microsoft Windows, Edge, ChakraCore, Internet Explorer, SQL Server, Office and Office Services and Web Apps, Microsoft Dynamics, Visual Studio, Exchange Server, ASP.NET, OneDrive, and Azure DevOps.
Crime and punishment.
TribLIVE reports that a Pennsylvania man, Andrew Wolniak, has been sentenced to eighteen months of house arrest after pleading guilty to stealing $191,000 from his employer, Pittsburgh-based cybersecurity company Qintel LLC. Mr. Wolniak gained access to a company credit card and made 394 purchases on Amazon.
Courts and torts.
Livemint reports that India-based e-commerce company Paytm Mall has sent a legal notice to US cybersecurity firm Cyble Inc. over Cyble's claim that Paytm Mall had sustained a "massive data breach" at the hands of the John Wick hacking group. Paytm Mall has requested that Cyble retract its blog post and issue a correction within a week, or face further legal action. Graham Cluley says it's still not clear which side is correct, but notes that last week someone hacked the Twitter account of Indian Prime Minister Modi and tweeted, "Yes this account is hacked by John Wick (hckindia@tutanota[.]com), We have not hacked Paytm Mall."
Policies, procurements, and agency equities.
Ireland's Data Protection Commission has ordered Facebook to cease sending EU residents' personal data to the US, Independent.ie reports. It represents the beginning of an enforcement action under Schrems II, a July ruling by the European Court of Justice that invalidated the Privacy Shield arrangement that had previously governed data transfer between the EU and the US.
Meanwhile, Cooley reports, Switzerland's Federal Data Protection and Information Commissioner (FDPIC) has announced that the Swiss-US Privacy Shield does "not meet the requirements of adequate data protection" under Switzerland's Federal Act on Data Protection. Echoing the Schrems II ruling, the FDPIC criticized the lack of transparency surrounding how data can be collected and used by US authorities, stating that:
- "for persons concerned in Switzerland there is no enforceable legal remedy with regard to the data access by US authorities, especially since the effectiveness of the ombudsperson mechanism, which is intended to guarantee an indirectly enforceable legal remedy, cannot be assessed due to a lack of transparency;
- "that the decision-making powers of the ombudsperson vis-à-vis the US intelligence services and its actual independence cannot be assessed owing to a lack of clear and conclusive information."
Cooley notes that while the FDPIC itself doesn't have the authority to strike down the framework, the announcement "casts serious doubt on the viability of the Swiss-US Privacy Shield as a compliance mechanism for Swiss-US data transfers."
Japan has amended its Act on the Protection of Personal Information (APPI), in force since 2005, in ways that bring it closer to the European Union's GDPR, according to the Daily Swig. Some aspects of the law now apply to foreign businesses handling Japanese residents' data, and Japanese data subjects can now request that their data be corrected or deleted. The law also carries increased penalties for violations.
For more, see the CyberWire Pro Policy Briefing.
Fortunes of Commerce.
Momentum Cyber yesterday released its Cybersecurity Market Review for the first half of 2020. It represents a "tale of two quarters," with considerable growth in the first quarter but pandemic-driven retrenchment in the second. That second quarter also saw a tremendous increase in organizations' attack surfaces, and that has sensitized businesses to security needs they might have previously overlooked or deferred. In any case, it represents considerable latent demand for cybersecurity services and solutions that should provide large opportunities for companies in the sector as their customers emerge from their present fiscal caution. The report touches on some interesting trends in acquisitions and investment. Acquirers have been buying identity and access management firms, whereas investors, while also interested in identity and access management, are putting their money on risk and compliance and on data security.
SINET has released the names of the finalists in its annual Innovation Showcase. The firms recognized in this year's SINET 16 are Alsid, Axonius, Beyond Identity, Bolster, CipherTrace, CloudKnox, CyCognito, Keyfactor, Medigate, Orca Security, Ordr, ReFirm Labs, Salt, Secure Code Warrior, ShiftLeft, and StackRox. The winners will be announced at the Showcase in Washington, DC, this November 4th and 5th.
We’ll have more on these stories in the CyberWire Pro Business Briefing.