Misconfiguration in the FBI's LEEP platform permits a hacker to distribute bogus alerts.
Messages that appeared early Saturday morning to be from the FBI did come from Bureau servers, specifically from the Law Enforcement Enterprise Portal (LEEP), a platform used to communicate with the FBI's partners in state and local law enforcement, but they were in fact sent by hackers, not the FBI. The Bureau issued a terse, preliminary statement later Saturday, updated on Sunday:
"The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails. LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners. While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network. Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks."
Twitter threads (from SpamHaus and Kevin Beaumont) provided an interesting early account as the emails appeared. The emails originated from FBI servers: their headers show an origin verified by the Domain Keys Identified Mail (DKIM) system. SpamHaus reproduced the headers: "Sending IP: 153.31.119.142 (http://mx-east-ic.fbi.gov)," "From: eims@ic.fbi.gov," and "Subject: Urgent: Threat actor in systems." The bogus warning posted by the hackers read as follows:
"Our intelligence monitoring indicated exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fast flux technologies which he proxies through multiple global accelerators. We identified the threat actor to be Vinny Troia, whom is believed to be affiliated with the extortion gang TheDarkOverlord, We highly recommend you to check your systems and IDS monitoring. Beware this threat actor is currently working under inspection of the NCCIC, as we are dependent on some of his intelligence research we can not interfere physically within 4 hours, which could be enough time to cause severe damage to your infrastructure. Stay safe."
And it's signed "U.S. Department of Homeland Security | Cyber Threat Detection and Analysis | Network Analysis Group."
KrebsOnSecurity calls out poor coding on the FBI's Criminal Justice Information Services portal, a service used for sharing law enforcement information. The hacker who counted coup (nom de hack Pompompurin) told KrebsOnSecurity that he did what he did to show up poor security practices at the FBI, and indeed the Bureau has some digital egg on its virtual face.
There's also a gratuitous (and facially ridiculous) shot at Vinny Troia (founder of security firms NightLion and Shadowbyte) asserting that he's a known associate of the DarkOverlord criminal actor. (NightLion published an account of the DarkOverlord and the ShinyHunters back in January.) BleepingComputer points out that Troia has long been the object of taunts and defamation from some of the lulzsters over at RaidForums. They typically warn Mr. Troia when they're about to mess with him, and they did so this time as well. Troia retweeted their message: "@vinnytroia you're about to get lit up today.... Spam attack involving your name."
Pompompurin has also been offering to sell data leaked from Robinhood.
Not content with goofing on the FBI (and other actual grown-ups like security researcher Troia), hacker Pompompurin is offering the low-grade content of the Robinhood stock-trading platform for sale, SecurityWeek reports. The big, five-million figure quoted is for the most part simply user emails; about 310 had more data stolen, but even theirs fell short of fullz, including as they did name, date of birth, and zip code. It's not clear whether Pompompurin has the goods ("inconclusive," SecurityWeek's sources say), nor is it clear how valuable those goods would be in any case.
Ransomware operators discuss spending millions for zero-days.
Researchers at Digital Shadows have found that ransomware operators are discussing offering up to $10 million for zero-day exploits, Infosecurity Magazine reports. The researchers stated, "These prices can appear enormous but there's a key aspect to keep in mind. Whatever legitimate bug bounty programs offer (and we've often seen them offering multi-million dollar bounties before), cybercriminals must offer more in order to compete with them, given the risks (jail time) and additional requirements needed during illicit activity (i.e. money laundering)."
The researchers also observed criminals mulling the possibilities of an "exploit-as-a-service" model. Digital Shadows explains, "This model would allow capable threat actors to 'lease' zero-day exploits to other cybercriminals to conduct cyberattacks. In fact, while a developer can generate large profits when selling a zero-day exploit, it often takes them a significant amount of time to complete such a sale. However, this model enables zero-day developers to generate substantial earnings by renting the zero-day out while waiting for a definitive buyer. Additionally, with this model, renting parties could test the proposed zero-day and later decide whether to purchase the exploit on an exclusive or non-exclusive basis."
Philippines Civil Defense Twitter account hijacked.
The Twitter account of the Philippines Office of Civil Defense was briefly hijacked early Sunday and used to churn out "unusual messages" having nothing to do with civil defense or disaster preparation, the Manila Inquirer reports. The tweets mostly involved celebrity-themed Bitcoin speculation.
Iranian cyber operations.
Check Point on Monday released an update on the Iranian threat group MosesStaff. Hacktivist or government-directed, MosesStaff operates like a ransomware gang, but its motive appears to be purely political: it seeks to damage Israeli companies by stealing data, encrypting victims' files, and then releasing the data online. MosesStaff issues no ransom demands, and says it's interested only in exposing "Zionist crimes."
And at midweek the US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory with the FBI, the Australian Cyber Security Centre (ACSC), and the UK’s National Cyber Security Centre (NCSC) that warned of Iranian-sponsored exploitation of vulnerabilities in Microsoft Exchange and Fortinet. The advisory includes advice on detection and mitigation.
Emotet resurfacing.
Researchers are seeing signs that Emotet, a botnet widely used to distribute spam that carried other payloads (including QakBot and Trickbot, which in turn were used to deliver initial access for ransomware infestations with Ryuk, Conti, ProLock, Egregor, and other strains) has resurfaced. Europol had disrupted Emotet's infrastructure back in January and arranged for general uninstallation of the malware in April. BleepingComputer reports that Trickbot has recently been observed dropping an Emotet loader into infected devices. GData blogged that on Sunday it detected a DLL that appeared to be Emotet; it subsequently confirmed the identification. The Record, which has been in touch with researchers at Cryptolaemus who've been tracking the reappearance of Emotet, writes that the comeback appears to be in its early stages.
Mirai used in large DDoS attack.
The Mirai botnet is back. Cloudflare says that last week it blocked a DDoS attack from approximately 15,000 IoT bots and unpatched GitLab instances running Mirai. The attack peaked at almost two terabytes per second.
SharkBot circulates in European bank accounts.
An Android banking Trojan researchers at Cleafy are calling "SharkBot" is affecting banking customers in Europe. According to the Record, SharkBot appears to be in a relatively early stage of development, but it's enjoying some success by using Automatic Transfer Systems to bypass protections normally provided by multifactor authentication.
Watering-hole campaign linked to spyware firm.
Researchers at ESET have discovered a large watering-hole campaign targeting users in the Middle East, particularly in Yemen. The researchers believe the campaign is being run by a customer of Candiru, an Israeli spyware firm that was recently sanctioned by the US Commerce Department for selling its products to repressive regimes. ESET has linked the campaign to a threat actor tracked by Kaspersky as Karkadann.
RAMP ransomware forum may be welcoming Chinese-speaking operators.
Flashpoint observes that the RAMP ransomware forum is back, but that it includes a lot of Chinese-speaking participants. It's not clear what they're up to: does it represent a serious criminal outreach, maybe even a serious privateering outreach, to Chinese actors? Or is it misdirection of the kind Flashpoint discerned earlier this month in Groove, apparently intended simply to darken counsel?
North Korean cyberespionage.
Proofpoint is following TA406, a North Korean state threat group associated with the activity against Western diplomatic and intelligence targets tracked as Kimsuky and Thallium, and with the Konni family of remote access Trojans. TA406 has engaged, the researchers say, in "espionage, cyber crime and sextortion" during 2021. It has moved from credential theft to attacks that involve distribution of malware. Thus, like other North Korean threat groups, TA406 engages in a mix of spying and financially motivated cybercrime.
Patch news.
Intel has released firmware updates for a privilege-escalation vulnerability in some processors' BIOS. The chipmaker is also addressing, Ars Technica reports, an issue that could allow an attacker with physical access to backdoor some chips. Positive Technologies outlines the bug's implications.
CISA released three industrial control system advisories Tuesday afternoon, for FATEK Automation WinProladder, Mitsubishi Electric GOT products, and Mitsubishi Electric FA engineering software products (Update C). On Thursday the agency released an additional six, these for Philips IntelliBridge EC 40 and EC 80 Hub, Philips Patient Information Center iX (PIC iX) and Efficia CM Series, Trane Symbio (Update A), Philips Patient Monitoring Devices (Update B), Mitsubishi Electric Factory Automation Engineering Products (Update E), and VISAM Automation Base (VBASE) (Update B).
Crime and punishment.
The US Attorney for the Southern District of New York on Thursday unsealed an indictment of two Iranian nationals, Musa Kazemi and Sajjad Kashian, on charges in connection with disinformation operations conducted during the last US election cycle that "sought to undermine faith and confidence in the US Presidential elections." They're each charged with one count of conspiracy (five years' maximum sentence), one count of voter intimidation (a maximum sentence of one year), and one count of transmission of interstate threats (which carries a maximum sentence of five years in prison). Mr. Kazemi also faces one count of unauthorized computer intrusion (with a maximum sentence of five years in prison) and one count of computer fraud, knowingly damaging a protected computer (ten years' maximum sentence). Their campaign involved four distinct components: unauthorized downloading of voter information, impersonation of activists and transmission of "False Election Messages" alleging plans for fraud, transmission of threat messages to suppress voters, and, post-election, attempting to hijack a media company's accounts to disseminate fake news of election fraud. Neither suspect is in custody and both are presently inaccessible to US law enforcement, but the Justice Department has a long memory. The two and the company they worked for, Emennet Pasargad, have also been sanctioned by the US Treasury Department, and the US State Department is also offering a reward of $10 million under its Rewards for Justice Program in exchange for information about Messrs. Kazemi's and Kashian's activities.
Sometimes insider threats show the convergence of cyberespionage and traditional espionage. One such case, as close to a literal evil maid attack as one might wish to find, has surfaced in Israel, where, Haaretz reports, a cleaner working in the residence of Defense Minister Gantz is charged with espionage for having offered to assist the Iranian cyber threat group Black Shadow. According to SecurityWeek, the Israeli security service Shin Bet said that the accused spy failed to obtain any classified information. The accused, Omri Goren Gorochovsky, is said to be an ex-con with an appropriate criminal record, which has raised questions as to how he came to be hired in the first place. If you look at the traditional motives for betrayal that counterintelligence officers remember by the acronym "MICE" (for Money, Ideology, Compromise, and Ego), Mr. Gorochovsky is said to have been motivated by Money with a capital "M." The Times of Israel reports that Shin Bet is reviewing the ways in which background checks are conducted. There are probably lessons to be learned for insider threat mitigation programs generally; whether they'll be new lessons or familiar ones remains to be seen.
The US is seeking the extradition of Denis Dubnikov, a Russian alt-coin entrepreneur who founded EggChange and Crypto Coyote, on charges of allegedly laundering money on behalf of the Ryuk ransomware gang, the Wall Street Journal reports. Mr. Dubnikov was vacationing in Mexico, where, on November 3rd, authorities seized him and put him on a flight to Amsterdam, where he's currently being held by Dutch authorities on a US warrant. It's the first arrest the US has sought in cases involving Ryuk. Much of the comment on Ryuk, and CNN's is representative, has mentioned Ryuk's involvement in attacks on healthcare facilities. Mr. Dubnikov is, of course, fighting extradition, and denies involvement in money laundering. He intends to plead not guilty, his attorney, Arkady Bukh, says, "because he had no knowledge of someone engaging in criminal activity." Sputnik reflects the outrage of Russian cryptocurrency traders and (presumably) their licit, semi-licit, and illicit customers with a headline that says Mr. Dubnikov was "'practically kidnapped' by the FBI in Mexico." The semi-official Russian outlet quotes the aforementioned Mr. Bukh as their source for the kidnapping angle. "[Dubnikov] was detained in Mexico but expelled because Mexico doesn't have such an ideal extradition policy as the Netherlands. They have bought a ticket, in other words, they have in fact kidnapped him and sent him to the Netherlands because extradition from the Netherlands is in fact guaranteed. He is in fact held in jail in the Netherlands, he is accused of money laundering and may face up to 20 years in jail. We expect his extradition to the United States," Mr. Bukh said. They're thinking of cutting their extradition fight short, however, and just fighting the charges in the US, the attorney added. "So far, we do not agree to extradition, but we will probably give our consent later because the Netherlands is a country where the fight against extradition is statistically meaningless. We are studying: maybe it is worth agreeing to a quick extradition and sorting it out here."
Courts and torts.
What happens to cryptocurrency seized by authorities during investigation of crime and fraud? In the case of the BitConnect Ponzi scheme, the Justice Department is selling $56 million in alt-coin. CNBC reports that the funds will be used to compensate victims.
Policies, procurements, and agency equities.
On Thursday afternoon the US Federal Reserve issued its final rule on computer incident disclosures. Effective May 1, 2022, banks will have thirty-six hours to notify regulators that they've sustained an incident that has "materially affected—or are reasonably likely to materially affect—the viability of a banking organization's operations, its ability to deliver banking products and services, or the stability of the financial sector." Banks are also required to notify customers "as soon as possible" of any incident likely to affect services for four or more hours.