In August 2019, Proofpoint researchers reported that LookBack malware was targeting the United States (U.S.) utilities sector between July and August 2019. We then continued our analysis into additional LookBack campaigns that unfolded between August 21-29, 2019. These campaigns utilized malicious macro-laden documents in order to deliver modular malware to targeted utility providers across the U.S. At the same time as the LookBack campaigns, Proofpoint researchers identified a new, additional malware family named FlowCloud that was also being delivered to U.S. utilities providers.
FlowCloud malware, like LookBack, gives attackers complete control over a compromised system. Its remote access trojan (RAT) functionality includes the ability to access installed applications, the keyboard, mouse, screen, files, services, and processes with the ability to exfiltrate information via command and control.
"Honda can confirm that a cyber-attack has taken place on the Honda network," the Japanese car-maker said in a statement.
It added that the problem was affecting its ability to access its computer servers, use email and otherwise make use of its internal systems.
"There is also an impact on production systems outside of Japan," it added.
Designated CVE-2020-0796 and also known as EternalDarkness, the bug can result in a wormable remote code execution attack on a targeted SMB server or client. Microsoft on March 12 issued an out-of-band patch for the vulnerability after an apparent error in the Microsoft vulnerability disclosure process led to at least two cyber companies prematurely posting information about the flaw before Microsoft had the opportunity to publicly disclose the bug.
In addition to patching the vulnerability, CISA recommends that users employ a firewall to block SMB ports from the internet.
Various news sources have reported that a researcher with the Twitter handle “Chompie” has shared SMBGhost RCE exploit code publicly on GitHub. Back in April, the cybersecurity company Ricerca Security similarly made PoC code available.
The report from the Senate’s Permanent Subcommittee on Investigations says the U.S. government “provided little-to-no oversight of Chinese state-owned telecommunications carriers operating in the United States for nearly twenty years.”
It faulted the Federal Communications Commission (FCC) and “Team Telecom” - an informal group comprised of officials from the Justice, Homeland Security, and Defense Departments - in their oversight of China Telecom (Americas) Corp 728.HK, China Unicom (Americas) (0762.HK), and Pacific Networks Corp, which all received FCC approval for U.S. operations about two decades ago.
“[T]he U.S. federal government — particularly the FCC, Department of Justice, and Department of Homeland Security — historically exercised minimal oversight to safeguard U.S. telecommunications networks against risks posed by Chinese state-owned carriers,” said the committee, chaired by Sens. Rob Portman, R-Ohio, and Tom Carper, D-Del. “This lack of oversight undermined the safety of American communications and endangered our national security.”
In one case, for instance, Team Telecom’s security review of just one state-owned firm, China Mobile USA, took seven years to conduct, the panel said. In another case, after allegations that state-owned China Telecom and its affiliates had hijacked and rerouted data through China, Team Telecom did not investigate for approximately nine years, the panel said.
A hack-for-hire group, called Dark Basin, has been outed after targeting thousands of individuals and organizations worldwide – including advocacy groups and journalists, elected and senior government officials, and hedge funds — over the course of seven years.
Dark Basin conducted commercial espionage on behalf of their clients, against customers’ opponents involved in high-profile public events, criminal cases, financial transactions, news stories and advocacy, according to researchers at Citizen Lab. In all, more than 10,000 victim email accounts were targeted, according to Reuters, who broke the news.
Canada's Citizen Lab laboratory has uncovered a hacks-for-hire phishing operation targeting anyone from political activists and oligarchs to lawyers and CEOs that hit more than 10,000 email inboxes over seven years.
The North American outfit claims to have traced the so-called Dark Basin campaign to an Indian firm called BellTroX InfoTech Services - which denies all wrongdoing. The University of Toronto institution said the campaign "likely conducted commercial espionage on behalf of their clients against opponents involved in high profile public events, criminal cases, financial transactions, news stories, and advocacy."
A U.S. federal criminal investigation into the matter is ongoing, according to the New York Times. BellTroX could not immediately be reached for comment Tuesday.
“Dark Basin’s activities make it clear that there is a large and likely growing hack-for-hire industry,” Citizen Lab researchers wrote in the report. “Hack-for-hire groups enable companies to outsource activities….which muddies the waters and can hamper legal investigations. Previous court cases indicate that similar operations to BellTroX have contracted through a murky set of contractual, payment, and information sharing layers that may include law firms and private investigators and which allow clients a degree of deniability and distance.”
Malicious attacks targeting the United States utilities sector last year were observed employing a previously unknown malware family that allows hackers to take over compromised systems, Proofpoint reports.
Dubbed FlowCloud, the remote access Trojan (RAT) was used by the same threat actor that used the LookBack malware in campaigns targeting U.S. utilities providers last year. In fact, it appears that the adversary used both malware families in different campaigns running at the same time.
The fact that both FlowCloud and LookBack are operated by the same threat actor, referred to as TA410, was evidenced by common attachment macros and malware installation techniques, as well as overlapping delivery infrastructure identified in an analysis of phishing campaigns carried out between July and November 2019.
On the one hand, security teams have to continuously address evolving threats and adversarial sophistication, and on the other, IT teams are continually adapting to change and making alterations to environments that can create security drift, some addressed, and some invisible.
At the end of the spectrum are high-visibility changes revolving around hot topics like Information Technology and Operational Technology (IT/OT) convergence – and these usually (though not always) get concurrent attention from cybersecurity teams.
At the other end of the security drift spectrum, it's day-to-day maintenance operations that may not get the deserved attention from security teams. These include routine activities such as software updates for new features, bug fixes, and vulnerability patching, and the upgrade or replacing of commodity software that does not require major planning.
No matter if the changes are happening to new systems going into production, or existing systems in production, the drift is created as the changes are made without security oversight or with insufficient security oversight.
No comments:
Post a Comment