IT Security News Blast 6-15-2017

Purple Team: About Beacons

The purpose of this post is to investigate common Command & Control (C2) network traffic signatures, as well as identifying methods to evade blue team (network defenders) pattern analysis. This will not be an exhaustive list of tactics, techniques, and procedures (TTPs) but rather a small sample for education and training purposes.

https://criticalinformatics.com/purple-team-about-beacons/

From submarines to cyber warfare, Bremerton sticks to the mission and keeps its mouth shut

Hamilton leads me into a secure room he calls the Security Operations Center, or SOC. “Okay, so guys, this is Josh from KUOW. These are the guys.” “Hey,” the guys say. We don’t get to learn the guys’ names, Hamilton told me, because that could make them targets for espionage. These workers monitor threats to businesses and public infrastructure, including clients like maritime ports, local government, regional hospitals and banks. They look for evidence of hackers, hackers sponsored by criminal syndicates or hostile countries that want to destabilize countries like the United States.

http://kuow.org/post/submarines-cyber-warfare-bremerton-sticks-mission-and-keeps-its-mouth-shut

OCR Publishes Checklist and Infographic for Cyber Attack Response

  • First and foremost, fix the problem and mitigate any impermissible disclosures of protected health information (PHI)
  • Report the incident to appropriate law enforcement agencies
  • Report cyber threat indicators to information-sharing and analysis organizations (ISAOs)
  • Finally, determine if a reportable breach has occurred and report the breach to OCR as soon as possible

http://www.lexology.com/library/detail.aspx?g=81ad7dcb-03b2-4675-bf1e-4f5f98851cbc

SEC identifies adviser cyber security flaws

In specific, a relatively high percentage of advisers examined are failing to conduct continuous cyber-risk assessments, nor are they performing penetration or venerability tests. The shortcomings were far higher among investment advisers than among broker-dealers, and concerns raised by the WannaCry attack were particularly relevant to smaller firms.

http://www.reuters.com/article/bc-finreg-advisers-cyber-risk-idUSKBN1942KP

Fileless malware targeting US restaurants went undetected by most AV

Malicious code used in so-called fileless attacks resides almost entirely in computer memory, a feat that prevents it from leaving the kinds of traces that are spotted by traditional antivirus scanners. Once the sole province of state-sponsored spies casing the highest value targets, the in-memory techniques are becoming increasingly common in financially motivated hack attacks. They typically make use of commonly used administrative and security-testing tools such as PowerShell, Metasploit, and Mimikatz, which attackers use to feed malicious commands to targeted computers.

https://arstechnica.com/security/2017/06/fileless-malware-attack-against-us-restaurants-went-undetected-by-most-av/

(ISC)2 CEO on cybersecurity workforce expansion and 2017 Congress

We’ve got to do better outreach and provide avenues for people that maybe have the backgrounds that wouldn’t traditionally be seen as cybersecurity. But once we start to look at the discussion of STEM [science, technology, engineering and mathematics], and we start to look at that from the concept of STEAM, adding arts into it I think there’s a whole left brain, right brain convergence discussion that we can have. It’s not just an analytical profession.

http://searchsecurity.techtarget.com/feature/ISC2-CEO-on-cybersecurity-workforce-expansion-and-2017-Congress

Proactive Resilience: The Future of Cybersecurity

Prosilience is resilience with consciousness of environment, self-awareness and the capacity to evolve, Fowler wrote on the Insider Threat Blog, a product of Carnegie Mellon’s Software Engineering Institute. It is not about being able to operate through disruption,” she says, it is about anticipating disruption and adapting before it even occurs.

https://www.govtechworks.com/proactive-resilience-the-future-of-cybersecurity/#gs.sVo0JuA

Three men in Thailand reportedly ran a clickfarm with over 300,000 SIM cards and 400 iPhones

Officers originally thought the men were running a fraudulent call center, but the suspects said they were being paid to operate a vast network of bot accounts on WeChat, China’s largest social network. According to the Post, the trio of men said a Chinese company (which they refused to name) supplied the phones and was paying them each 150,000 baht per month (about $4,403 USD) to artificially boost engagement on WeChat for products sold online in China.

https://www.theverge.com/2017/6/12/15786402/thai-clickfarm-bust-iphones

French Police Seize 6 Tor Relay Servers in WannaCry Investigation

“Cops raided OVH, Online.net and FirstHeberg hosting providers on the basis of a complaint filed by French Renault company that was one of the victims of the WannaCry infection,” Aeris told The Hacker News. “I went to court to have access to information about the seizer of my servers, but it refused to provide me with any information, and even the providers are under gag order.”

http://thehackernews.com/2017/06/wannacry-ransomware-tor-relay.html

Police body camera footage is becoming a state secret

North Carolina, for example, passed legislation last year excluding body camera video from the public record, so footage is not available through North Carolina’s Public Records Act. That means civilians have no right to view police recordings in the Tar Heel state unless their voice or image was captured in the video. Louisiana also exempts body camera video from public records laws. South Carolina will only release body camera footage to criminal defendants and the subjects of recordings. Kansas classifies body camera video as criminal investigation documents available only when investigations are closed.

https://www.theverge.com/2017/6/12/15768920/police-body-camera-state-secret

A Dark Web service claims to track any phone and read text messages

Telecoms have been using a private Signaling System Number 7 (SS7) network that has been vulnerable to cyber attacks. Now, a service on the Dark Web is asking users to pay $500 and in return, it will track the targeted smartphone for them. The tracking will include intercepting texts, track phones and even completely cut off the cellular service to other people. This service can be accessed at zkkc7e5rwvs4bpxm.onion to those who uses the Tor network. It’s called the Interconnector, and besides the $500-worth full access, it also offers deals for smaller fees.

https://www.hackread.com/dark-web-service-track-phones-read-texts/

Georgia’s lax voting security exposed just in time for crucial special election

According to a detailed report published Tuesday in Politico, Lamb wrote a simple script that would pull documents off the website of Kennesaw State University’s Center for Election Systems, which under contract with Georgia, tests and programs voting machines for the entire state. By accident, Lamb’s script uncovered a breach whose scope should concern both Republicans and Democrats alike.

https://arstechnica.com/tech-policy/2017/06/georgias-voting-system-is-uniquely-vulnerable-to-election-tampering-hackers/

DHS, FBI Warn of North Korea ‘Hidden Cobra’ Strikes Against US Assets

According to a United States Computer Emergency Readiness Team (US-CERT) bulletin, Hidden Cobra is leveraging malware called DeltaCharlie, which is the brains behind North Korea’s distributed denial-of-service (DDoS) botnet infrastructure being used against U.S. assets. Both the Department of Homeland Security and the Federal Bureau of Investigation were part of the Hidden Cobra research released Tuesday. They warn Hidden Cobra is actively targeting the media, aerospace, financial, and critical infrastructure sectors in the United States and other global assets.

https://threatpost.com/dhs-fbi-warn-of-north-korea-hidden-cobra-strikes-against-us-assets/126263/

US Cybersecurity in Need of Rapid Repair, Senators Told

The witnesses told the Senate Foreign Relations Subcommittee on East Asia, the Pacific, and International Cybersecurity Policy that they believe a massive cyberattack is imminent unless the U.S. ratchets up its efforts to protect against and deter offensives from countries such as Russia, China, and North Korea.

http://www.rollcall.com/news/politics/u-s-cybersecurity-need-rapid-repair

Ex-CIA Director Brennan Warns of More Collaboration Between Nation-States and Cybercriminals

It’s not just Russia adopting this strategy. “That collaboration between intelligence services and private-sector startups is more and more a model that a lot of intel services and countries around the world are following for a variety of reasons,” Brennan said, pointing to China, Iran, North Korea, and “other countries as well.” “So that model of collaboration between organized crime, individual hackers, and intelligence services, I think, is going to increase over time,” said Brennan, who served as CIA director during the Obama administration.

https://www.darkreading.com/threat-intelligence/ex-cia-director-brennan-warns-of-more-collaboration-between-nation-states-and-cybercriminals-/d/d-id/1329137

US Army looks at cyber soldiers for front lines as battlefield changes

In addition to fielding troops to provide defensive and offensive cyber capabilities for units coming into NTC for training, the Army has also been arming its opposition force (the trainers) with cyber capabilities to demonstrate their impact. That impact was demonstrated clearly in May, when an armored unit staging a simulated assault at NTC was stopped dead in its tracks by jamming of communications. As the unit’s commanders attempted to figure out what was wrong, a simulated artillery barrage essentially took the unit out of action.

https://arstechnica.co.uk/information-technology/2017/06/us-army-cyber-soldiers/

Russia’s cyber trolls attack online as NATO troops gather in Latvia

Many in the region say the steady stream of disinformation aimed at manipulating public opinion and undermining Latvian society represents a more clear and present danger than an actual Russian military incursion. We are under constant attack here, trying to say that we are a failed state, that liberal democratic order has failed, that Russia is doing something really great by providing world order, said Latvian Foreign Minister Edgars RinkÄ“vičs. “That is a battle for our hearts and minds.

http://www.ctvnews.ca/world/russia-s-cyber-trolls-attack-online-as-nato-troops-gather-in-latvia-1.3458175

GAO-17-369, Department of Defense: Actions Needed to Address Five Key Mission Challenges

These include the need to (1) rebalance forces and rebuild readiness; (2) mitigate threats to cyberspace and expand cyber capabilities; (3) control the escalating costs of programs, such as certain weapon systems acquisitions and military health care, and better manage its finances; (4) strategically manage its human capital; and (5) achieve greater efficiencies in defense business operations.

http://www.military-technologies.net/2017/06/13/gao-17-369-department-of-defense-actions-needed-to-address-five-key-mission-challenges-june-13-2017/

Rare XP Patches Fix Three Remaining Leaked NSA Exploits

The worst of the bunch, an attack called ExplodingCan (CVE-2017-7269), targets older versions of Microsoft’s Internet Information Services (IIS) webserver, version 6.0 in particular, and enables an attacker to gain remote code execution on a Windows 2003 server. All three attacks allow an adversary to gain remote code execution[.] […] Microsoft said the patches are available for manual download.

https://threatpost.com/rare-xp-patches-fix-three-remaining-leaked-nsa-exploits/126256/

====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.

//]]>