Wednesday, June 28, 2017

Lurking Offshore: The Business Case Study for Working Together

Last week, the MPS-ISAO held a cybersecurity intelligence themed webinar, “Lurking Offshore: Active Cyber Threats Targeting Ports & Maritime”, with our partner, Wapack Labs. It’s a fascinating story about a financially motivated adversary using spear-phishing to target Ports. I’m sure you are thinking, “Another scary cyber story… Why should I care?” By studying the data associated with this actor (how, when, why, and who), the case for Maritime and Port organizations working together to protect themselves from cyber adversaries is made. Cybersecurity silos need to be shattered - now.

Understanding the adversary.
Because Wapack has been tracking this adversary for some time, we have learned a lot by studying the intel.
First, this adversary is successful. Our intel team sees an almost 100% success rate with a low detection rate (< 5%) through traditional security technology and vendor-sourced data. During the first six months of 2017, over 1,000 U.S. and European victims have been observed.
It’s a cost-effective, organized business operation. The malware being used only costs about $30 per month, and the adversary has developed a business model with specialized skills. Also, there is high reuse between victims. So, if one Port is compromised, there is a good possibility that other Ports will be targeted using the same spear-phish email.
And, this adversary is persistent. They improve their odds of success by including supply chain partners in the scope of an attack. In one instance where a Port was the intended victim, ten suppliers to this Port were targeted at the same time, with the same spear-phish email being used across all organizations. The targeted suppliers were diverse too. They included:
  • Construction Consortium
  • Logistics Services
  • Oil & Gas Services
  • Consulting Services
  • Marine Transport
  • IT Services Provider
  • Multi-Modal Transport
  • Oil & Gas Engineering Services

Turning the tide.
In 2015, the Obama administration issued two important pieces of cybersecurity legislation. A Presidential Executive Order (EO) was issued in February 2015 to promote private sector cybersecurity information sharing. Section 2 of this EO states, “strongly encourage the development and formation of Information Sharing and Analysis Organizations (ISAOs).” A few months later, the Cybersecurity Information Sharing Act of 2015 (CISA) was signed into law to “improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats.” CISA provides information sharing legal protections to organizations that participate in an ISAO.

These two pieces of legislation led to the formation of the Maritime and Port Security ISAO and its parent organization, the International Association of Certified ISAOs (IACI), to promote cyber resilience.
If someone could tell you where the sharks were, wouldn’t you want to know?
The MPS-ISAO, headquartered at the Global Situational Awareness Center (GSAC) at NASA/Kennedy Space Center, is a non-profit, private sector-led organization working in collaboration with government to advance Port and Maritime cyber resilience. The core mission is to enable and sustain a safe, secure and resilient Maritime and Port Critical Infrastructure through security situational intelligence, bi-directional information sharing, coordinated response, and best practice adoption supported by role-based education.
Port and Maritime organizations that subscribe to the MPS-ISAO’s cyber intelligence service have the advantage of early threat awareness provided via industry-specific, cross-sector, and global cyber intelligence along with countermeasure solutions. They participate in a Maritime and Port community composed of stakeholders from across the industry sector who are interested in working together to achieve cyber resilience.
Going back to the Lurking Offshore Case Study, we know that this adversary targets multiple victims within a Port’s supply chain using the same malicious email, and then reuses the email across another 8-10 Port victims. When the email is shared into the MPS-ISAO Community, early threat awareness enables organizations to put protective measures in place.
So, a single share can protect many.
And, the business case for working together was never stronger.
Wapack Labs’ engineers, researchers, and analysts design and deliver transformational cyber-security analysis tools that fuse open source and proprietary information, using deep analysis techniques and visualization. Information derived from these tools and techniques serve as the foundation of Wapack Labs’ information reporting to the cyber-security teams of its customers and industry partners located around the world.

Ransomware Affecting APM Terminals

27 June 2017. According to open source reporting, numerous high-profile organizations have released statements saying that they are affected by an SMB exploit. Merck & Co, Rosneft, Boryspil International Airport, Antonov State Company, Ukrenergo, and WPP are among the victim companies. The Maersk Group, on behalf of its subsidiary APM Terminals, confirmed infections in APM facilities. At the time of this report, the bitcoin (BTC) wallet associated with the ransomware has thirty-one (31) received payments totaling 3.27744736 BTC ($7908.12 USD). Maersk has issued the following statement: “We can confirm that Maersk IT systems are down across multiple sites and business units. We are currently assessing the situation.” Open source reporting has confirmed that ports in Rotterdam, NL and Mobile, Alabama, US are affected and currently closed until network systems are restored. It is probable that all ports with APM facilities are affected due to the malware’s multiple lateral movement capabilities. PetrWrap ransomware is being spread using the EternalBlue SMB exploit. The malware will also leverage Windows Management Instrumentation Command-line (WMIC) and PsExec to spread internally across a network.

Wapack Labs has cataloged and reported extensively on maritime vulnerabilities and ransomware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Friday, June 23, 2017

The Darknet's Brickr Ransomware

Wapack Labs analysts observed an actor, on the darknet, advertising Brickr v1 Ransomware. Brickr v1’s purpose is “to be affordable, cheap and reliable product.” Buyers must contact the actor through Jabber or through the darknet forum's private messenger. Brickr v1 encrypts a user's personal files, if executed. To receive the decryption key, a ransom must be paid. As of 28 May 2017, Brickr v1 was for sale at $80.00 via Bitcoin (BTC). An article was published on how to remove Brickr Ransomware using task manager, which prompted the actor to include a new feature that will temporarily disable the task manager when executed. The actor revealed that Brickr v2 is under development and will include upgraded features. Wapack Labs will continue to monitor the forum, track all versions of this malware, and attempt to identify the actor.

Wapack Labs has cataloged and reported extensively on ransomware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Monday, June 19, 2017

U.S. Corporate Concerns with China’s New Cybersecurity Law

On 1 June 2017, the Chinese government put an extensive new Cybersecurity law into effect. This law applies to all network operations in China, by Chinese citizens and foreign business operations alike. Many U.S. corporations operating in China have expressed concerns about how this law will impact their ability to operate under the more intrusive Chinese government control. The provisions with the potential for the greatest negative impact on foreign firms include:
  • Definition of network operators. The scope of the Cybersecurity Law provides control over not just telecom operators and internet firms but also banking institutions, insurance companies, securities companies, providers of cybersecurity products and services, and essentially any enterprise with a website in China or that provides network services. The American Chamber of Commerce in China has said the Law “will impact almost every company that operates in China.”
  • Requirements for “critical information infrastructure” operators. The Law defines these to include “public communications and information services, energy, finance, transportation, water conservation, public services, e-governance,” and other enterprises that could harm national security or the economy if damaged. Foreign corporations included in this category now face restrictions on equipment and services they can use, and they are vulnerable to inspection and intrusion by the Chinese government.
  • Restrictions on sending data outside China. The Law states that “personal information and other important data from operations within the PRC shall be stored within mainland China.” Business information and data on Chinese citizens cannot be transferred abroad without permission, and that would be contingent on intrusive “security assessments” by the Chinese government. Some U.S. analysis suggests that this could also prohibit the export of economic, technological, or scientific data considered to “pose a threat to national security or the public interest.”
The situation for foreign firms is uncertain at present because details on the scope of the Law and how it will be enforced are still unavailable. The initial impression among U.S. businesses is that the potential for intrusion and interruption is certainly considerable.

Wapack Labs has cataloged and reported extensively on China's cybersecurity in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Friday, June 16, 2017

OpIcarus2017, a Limited Risk

In June 2017, Wapack Labs Analysts observed a faction of the Anonymous collective attempting to launch OpSacred, the fifth phase of OpIcarus2017, a multiphase operation aimed at central banks and other financial institutions (such as the International Monetary Fund and the World Bank). The campaign attracted hundreds of participants, yet failed to attract AnonOps support, create a dedicated IRC channel, attract experienced organizers, or follow up after its initial start day, producing limited effects. While the operation has been badly organized, it may become a training ground for future hacker collaborations, especially since the Anonymous collective has been observed using GitHub to collect and share tools.

Wapack Labs has cataloged and reported extensively on Anonymous' operations in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Friday, June 9, 2017

IBNS Malicious Infrastructure Targets Financial Institutions

In the last days of May, Wapack Labs identified a large email delivery infrastructure targeting multiple industries including finance and transportation. Wapack Labs dubbed this network “IBNS”. The infrastructure consists of a single name server and over 17k typo-squatted domains. The size of this recently discovered IBNS network is unprecedented. Wapack Labs believes that IBNS is a malicious provider that uses web automation and reseller services to facilitate its criminal activities. The actors sell through channels, using resellers instead of selling direct, creating a level of separation between themselves and the users. Tactics, Techniques, and Procedures (TTPs) associated with the activity suggest attribution to a known Nigerian fraud group.

+++++++++++++++++++++++++++++

I hear every day about the stupid users clicking through, and the CISO that talks about the problem being in the human. Honestly? I get kinda mad when I hear it. Why? These guys are using automated psychology to overwhelm, confuse and take advantage of unsuspecting users.

It means to me that the CISO who said it has never seen well-crafted emails meant to slip past the goalie. Or perhaps they don't understand the idea that users only have so much will power, or that my own out-of-band email account (an AOL account that I've had for probably 20 years) receives far more spam than it does legitimate email.

Bad guys are smart. They know that users have only a limited amount of will power, and after seeing hundreds of spam per day, the idea that some of them are going to be opened, out of sheer exhaustion and confusion, is 100%.

Overwhelm, confuse, create fatigue, repeat, add additional sources of confusion, repeat again.

ONE typosquat dump that we identified had over 17,000 domains that look a heck of a lot like credit card and payment company domains. CapitalOne? Capital1? CapitalONE? Capital-one? My typo squats are terrible but you get the idea. Imagine dozens of variations created programmatically and then used to overwhelm.

Folks, it's not about stupid users. It's about information security folks not understanding the strategy of fatigue and confusion, and then how to protect those (your) lambs as they're being led (by Nigerian scammers, Lazarus actors, or APT) to slaughter. It's like the door-to-door salesman that keeps throwing features, prices, and deals at you until you sign just to get the guy out of your house. There's psychology involved.

…and you only need one to slip past the goalie to be infected, and many times, you'll have absolutely no idea that you've been p0wned.

Wapack Labs has been running this thing that we call the Cyber Threat Analysis Center. We scour primary sources to identify intended victims before they become victims. The graphic above is a sample of a report that we provide on a weekly basis to one of our folks. We give them normalized blacklists in periodic chunks that they can drop into their defenses, whether intrusion prevention systems, SIEM, or whatever they have. They can wait for us to give it to them or they can pull it programmatically via API on whatever frequency they desire.
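The "dozens of variations created programmatically" idea above cuts both ways: a defender can normalize sender domains the same way and flag look-alikes of a protected brand before a blacklist feed arrives. The following is an added example, not Wapack Labs' code; the brand list, the mail-log format and the log lines are constructed, and the registrable-domain logic is deliberately naive (no public suffix list).

```python
import re
from typing import Optional

# Constructed: brands to protect, mapped to their legitimate registrable domain.
LEGIT_DOMAINS = {"capitalone": "capitalone.com"}

# Constructed sample mail-log lines; assumed format "timestamp from=<addr> subject=...".
SAMPLE_LOG = """\
2017-06-09T08:01:12Z from=alerts@capitalone.com subject=Statement ready
2017-06-09T08:02:40Z from=security@capital1.com subject=Verify your card
2017-06-09T08:03:05Z from=help@capital-one.co subject=Action required
2017-06-09T08:03:58Z from=billing@capitaione.com subject=Payment declined
2017-06-09T08:04:11Z from=news@example.org subject=Weekly digest
2017-06-09T08:05:27Z from=support@secure-capitalone-login.com subject=Reset
"""

DIGIT_WORDS = {"0": "zero", "1": "one", "2": "two", "4": "four"}   # "capital1" -> "capitalone"
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # "capita1one" -> "capitalone"

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def candidate_forms(label: str) -> set[str]:
    """Normalized spellings an attacker might have mangled: hyphens, digits-as-words, homoglyphs."""
    base = re.sub(r"[-_.]", "", label.lower())
    return {base, "".join(DIGIT_WORDS.get(c, c) for c in base), base.translate(HOMOGLYPHS)}

def registrable(domain: str) -> str:
    # Naive: last two labels. Production code should consult the public suffix list.
    return ".".join(domain.lower().split(".")[-2:])

def classify(domain: str, max_edits: int = 2) -> Optional[str]:
    """Return the brand a domain imitates, or None if it is legitimate or unrelated."""
    reg = registrable(domain)
    second = reg.split(".")[0]
    for brand, legit in LEGIT_DOMAINS.items():
        if reg == legit:
            return None                      # exact legitimate domain: never flag
        for form in candidate_forms(second):
            # Short brands need a tighter max_edits to avoid false positives.
            if brand in form or levenshtein(form, brand) <= max_edits:
                return brand
    return None

def scan_log(text: str) -> list[tuple[str, str]]:
    """Yield (sender_domain, imitated_brand) for every suspicious line."""
    hits = []
    for line in text.splitlines():
        m = re.search(r"from=\S+@([\w.-]+)", line)
        if m and (brand := classify(m.group(1))):
            hits.append((m.group(1), brand))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags four of the six constructed senders and leaves the real `capitalone.com` and the unrelated `example.org` alone.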

Want to know more? Drop us a note through the website, or at jmckee@wapacklabs.com.

OK folks, it's our first nice day in a while up here in NH and that lawn (hay field?) isn't going to mow itself.

Oh, before I forget, if you're local, I hope to see some of you at our Granite State Security cookout Monday afternoon… nothing heavy, just burgers and beer but it's supposed to be nice. Let's have some fun! Here's the link to the meet up… I've invited the local Open Source community and security folks.

Have a great weekend!
Jeff




Wednesday, June 7, 2017

Russia is Considering Ethereum's Blockchain Technology

Russian president Vladimir Putin recently met with Ethereum cryptocurrency founder Vitalik Buterin. Russia, in the past, has effectively banned Bitcoin use by its companies and is now likely switching to "use and control" emerging blockchain technologies. Bitcoin is the original blockchain-based cryptocurrency and has become very popular in black markets, including online drug sales and cybercrime. Ether (the token for Ethereum) is one of the alternatives growing fast in general popularity. Besides the currency function, Ethereum provides much more functionality: it is an open-source, public, blockchain-based distributed computing platform that features smart contract (scripting) functionality, which facilitates online contractual agreements. This makes Ethereum technologies of interest for major financial institutions and IT companies. Blockchain technologies are not bad per se, and many Western financial institutions are attracted to their use, but Russia's history of protecting black-hat hackers and controlling some online black markets makes this development worrisome.

Wapack Labs has cataloged and reported extensively on Russia, blockchains, and cryptocurrency in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

WWW.WAPACKLABS.COM

NK Lazarus Threat to the Financial Sector Remains High

Newly discovered Command & Control (C2) Internet Protocol (IP) addresses confirm the geolocation of the North Korean threat actors Lazarus Group, despite their deliberate attempts at misdirection. They are known for their custom-tailoring and reuse of code between malware families and campaigns. Since 2009, Lazarus Group has targeted Asian-based financial institutions, European and South American financial institutions, and media companies such as Sony Pictures. Recent financial and trading sanctions levied on North Korea will increase the likelihood of attacks on financial sectors, similar to the documented attacks leveraging the Society for Worldwide Interbank Financial Telecommunications (SWIFT) to compromise central banks.

Wapack Labs has cataloged and reported extensively on financial compromise and the Lazarus Group in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Tuesday, June 6, 2017

Darknet Marketplace Exposes Financial Items on Global Scale

Wapack Labs Analysts are researching a Tor-based darknet marketplace that sells stolen financial items: credit cards, gift cards, and occasionally free dumps that expose Personally Identifiable Information (PII) of individuals. New accounts are available every week, and the marketplace's administrators claim they are 100% verified; how-to manuals are provided with transactions. The marketplace is operating on a global basis; its stolen products are from the US, EU, Oceania, and Russia. Further research is being conducted to identify the source of the stolen credit cards.

Wapack Labs has cataloged and reported extensively on darknet marketplaces in the past. An archive of related reporting can be found in the Red Sky Alliance portal.