Inside Security | Inside


David Strom's in-depth cybersecurity news and analysis

Normally you get this newsletter every Monday, Tuesday and Friday, but today you are also receiving the issue we send to just our premium subscribers. Today’s issue is going to everyone thanks to Meeting Owl. If you want to start receiving these premium issues, which feature my extensive analysis on a single infosec topic, please upgrade your subscription here

David Strom, editor of Inside Security


Last week, Mueller’s GRU indictment was announced. It named various individuals involved in the hacking of political organizations’ networks. The document makes for interesting reading and shows the lengths to which Russian spies went to penetrate the DNC and the Clinton campaign. Here are just some of their techniques:

- Spearphishing emails using URL shorteners to hide malware webpages, in one case using a phony email account that mimicked a Clinton staffer's email address and differed from it by a single character
- Spoofing Google security notification email messages
- Stealing account credentials to obtain emails from DNC and Clinton staffers
- Using the malware-infested document hillaryclinton-favorable-rating.xlsx, which linked to a GRU-created website
- Entering the DNC network using open source tools to install various RATs and keyloggers to obtain additional credentials
- Copying and exfiltrating documents to a GRU computer in Illinois
- Using PowerShell scripting attacks to compromise their Exchange email servers
- Deleting log files and other traces deliberately to hide their presence
- Setting up various websites: some mimicked a typical political fundraising page, others appeared to be news sites with negative stories on the DNC
- Making cloud-based site backups and then using them to create their own accounts to steal additional DNC data
- Creating fake Facebook and Twitter accounts to leak DNC data and promote the leakers' websites
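The first technique above, a sender address that differs from a real staffer's by a single character, is something a mail gateway can flag on its own. The script below is an added example, not code from the newsletter or the indictment: it compares incoming From: addresses against a staff directory by edit distance and reports near-misses. The staff list and the sample senders are constructed (reserved .example domain); a real deployment would take the senders from mail-gateway logs and the directory from the organisation's own systems.

```python
"""Flag From: addresses that are one edit away from a known staff address.

Added example, not from the newsletter or the indictment: the staff list and
sample senders below are constructed, and a real deployment would read the
sender set from mail-gateway logs.
"""

# Constructed staff directory; assumed to come from the organisation's own directory.
STAFF_ADDRESSES = {
    "staffer@campaign.example",
    "press@campaign.example",
}

# Constructed sample senders: an exact match, a one-character deletion,
# an "rn" for "m" swap (two edits), and an unrelated address.
SAMPLE_SENDERS = [
    "staffer@campaign.example",
    "stafer@campaign.example",
    "staffer@campaign.exarnple",
    "news@vendor.example",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) using the two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def normalize(address: str) -> str:
    """Addresses are compared case-insensitively and without surrounding whitespace."""
    return address.strip().lower()


def find_lookalikes(senders, staff, max_distance: int = 1):
    """Return (sender, staff_address, distance) for near-misses, skipping exact matches."""
    staff_norm = {normalize(s) for s in staff}
    hits = []
    for raw in senders:
        sender = normalize(raw)
        if sender in staff_norm:
            continue  # genuine staff mail, nothing to flag
        for legit in sorted(staff_norm):
            d = edit_distance(sender, legit)
            if 0 < d <= max_distance:
                hits.append((raw, legit, d))
                break
    return hits


if __name__ == "__main__":
    for sender, legit, d in find_lookalikes(SAMPLE_SENDERS, STAFF_ADDRESSES):
        print(f"{sender!r} is {d} edit(s) from staff address {legit!r}")
```

With the default distance of 1 the deletion is caught and the "rn" for "m" swap is not; raising max_distance to 2 catches both but also starts matching short, unrelated local parts, so the sensible use is to alert or quarantine for review rather than to block outright.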

It is pretty clear to me that this was an extended and deliberate effort to compromise our electoral processes. Many of these fake accounts, domains and servers were purchased using bitcoins to hide their identities, and some of these bitcoins were mined specifically for funding these transactions. The indicted members of the GRU were first seen in these networks in June 2016, at which point the DNC hired CrowdStrike to investigate further. However, the GRU spies continued to operate their RAT tools and persist on the DNC network until October 2016.

These efforts have been known for some time: Motherboard ran a story in April 2016, and then came out in July with this piece from Thomas Rid that offered a detailed technical explanation, saying that the forensic evidence about Russia is very strong. And a December 2016 story in the New York Times actually shows one of the rack-mounted servers breached by the GRU, sitting in the DNC offices. The Times documents the "series of missed signals, slow responses and a continuing underestimation of the seriousness of the cyberattack."

If we want to be accurate, there are actually 140 servers, according to The Daily Beast, which facetiously goes into detail, “The server is saying shut up. No machines are actually missing.”

As many security analysts well know, you don’t remove the physical servers anymore. That is strictly old school. Instead, forensic investigators make digital copies of their hard drives and memory so that they can preserve their state and detect in-memory exploits that would be gone if the machines were unplugged. This is called imaging, and it has been around for decades. I found a paper from the SANS Institute from 2001 that provides a nice overview here.

Part of the imaging process is to preserve the chain of custody of a server; it is also useful in case an analyst destroys some part of the data by mistake. “It makes a secure forensically sound copy to media that can be retained” for future analysis. It is similar to the technology used to make backup copies, only more thorough.
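The "forensically sound" part of imaging comes down to two hashes: one over the bytes as they are read from the source and one over the image as it sits on media, recorded together with who acquired it and when. The script below is an added example, not code from the newsletter or the SANS paper: it streams a source to an image file, hashes both sides, writes a custody record, and shows that a later one-byte change to the image is detected. The source "device" is a constructed temporary file; acquiring a real disk would additionally need a write blocker and raw device access, which this example assumes are in place.

```python
"""Image a source byte for byte, hash both sides, and write a custody record.

Added example, not the newsletter's or the SANS paper's code. The source
"device" is a constructed temporary file; a real acquisition would read the
raw device behind a write blocker, which is assumed here and not shown.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so large sources never sit in memory whole


def hash_file(path: str) -> str:
    """SHA-256 of a file on media, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_source(src_path: str, img_path: str, examiner: str) -> dict:
    """Copy src_path to img_path and return a custody record.

    The source hash is taken from the bytes as they are read; the image hash is
    taken by re-reading the file from disk after fsync, so the record vouches
    for what is on media rather than what passed through memory.
    """
    src_hash = hashlib.sha256()
    size = 0
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            img.write(chunk)
            size += len(chunk)
        img.flush()
        os.fsync(img.fileno())  # the image must be on media before it is hashed
    image_digest = hash_file(img_path)
    return {
        "source": src_path,
        "image": img_path,
        "size_bytes": size,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": image_digest,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,  # constructed identifier, not a real person
        "verified": src_hash.hexdigest() == image_digest,
    }


def verify_image(img_path: str, record: dict) -> bool:
    """Later check: does the image on media still match the hash in the record?"""
    return hash_file(img_path) == record["image_sha256"]


def demo() -> tuple:
    """Run the flow on a constructed source and show a post-acquisition change being caught."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "sda.raw")  # constructed stand-in for a block device
        img = os.path.join(work, "sda.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))  # odd size exercises the final partial chunk
        record = image_source(src, img, "examiner-01")
        intact = verify_image(img, record)
        with open(img, "r+b") as f:  # flip one byte of the image after acquisition
            f.seek(5)
            original = f.read(1)
            f.seek(5)
            f.write(bytes([original[0] ^ 0xFF]))
        tampered_still_verifies = verify_image(img, record)
        return record["verified"], intact, tampered_still_verifies


if __name__ == "__main__":
    verified, intact, tampered_still_verifies = demo()
    print(json.dumps({"verified_at_acquisition": verified,
                      "intact_on_reverify": intact,
                      "tamper_detected": not tampered_still_verifies}, indent=2))
```

The record is what gets signed or stored with the evidence; anyone who later works from the image re-runs verify_image first, and an analyst's mistake on a working copy is recoverable because the verified master is never touched.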

Security researchers use a number of imaging and other forensic tools; here are several lists of them:

- A variety of digital forensic tools, not just disk imagers but also file, mobile device and email analyzers, all available as open source. This list is fairly current and has brief descriptions of each tool.
- Another current list of 20 free digital forensics tools can be found here. One of them is CrowdStrike’s CrowdResponse, which is its free data collection tool.
- Forrester's most recent study of digital forensic tools came out last September. It looks at the major vendors in this market, including CrowdStrike Falcon, Mandiant, and others.
- Some of these tools are also used for endpoint detection. I last reviewed them for Network World back in July 2016, where I looked at Encase and Falcon along with eight others.

Whatever the outcome of our elections this year, it's clear that every political campaign needs to ramp up their security measures and increase their investments in cybersecurity -- starting now.




Many thanks to Inside Security's corporate supporters. Please go check them out!

Endgame

Endgame's endpoint security platform protects the world’s largest organizations from targeted attacks, eliminating the time & cost associated with incident response. Learn more

Nok Nok Labs has the ambition to transform authentication, by unifying it into one standard protocol, giving business the control they need. Learn more

The number of data breaches continues unabated today. There is news about Mega (credential stuffing), Telefonica (injection through bad website design) and Dahua webcams (a combination of errors). While these top our list today, there is a lot of nastier stuff to tell, along with plea deals for a seller of Trojans and another criminal who broke into academic email accounts. Plus an update on the age-old Peanuts conflict of Lucy and the football.

-- David Strom, editor of Inside Security


1. Over 26,000 mobile devices and laptops were lost on the Transport for London network between April 2017 and April 2018. About half were phones, the rest eReaders, tablets and laptops. The survey makes a number of suggestions to protect enterprises, given this statistic, such as better identity verification on mobiles, increased security training, and scrapping trust as a valid policy element. -- PARLIAMENT STREET (PDF)




2. The infamous New Zealand file storage service Mega has had thousands of account credentials leaked online. The information was discovered by a security researcher and verified by reporters. Mega was the site once run by Kim Dotcom. The site was most likely compromised by duplicate credentials that were previously compromised on other sites. -- ZDNET


3. Spanish telecom Telefonica had a data breach yesterday, potentially exposing millions of its customers' data. It was quickly fixed and reported to authorities. Both identity and payment information were exposed. The breach happened through poor website security: a small change in a URL could access customer data. A Spanish consumer rights group notified the company after receiving a customer complaint. – THE INQUIRER
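"A small change in a URL could access customer data" is the signature of a lookup that trusts the record id in the URL without checking that the logged-in session owns it. The code below is an added example, not Telefonica's code: the article does not say which check was missing, so this assumes it was the ownership check, and shows the vulnerable handler beside a hardened one and a stronger shape that takes no id from the URL at all. Customer records and sessions are constructed.

```python
"""Customer lookup keyed by an id in the URL: vulnerable form beside hardened forms.

Added example, not Telefonica's code. The article only says a small change to a
URL exposed other customers' data, so the missing ownership check between the
logged-in session and the requested id is an assumption. All data is constructed.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a session asks for a record it does not own."""


@dataclass(frozen=True)
class Session:
    customer_id: str  # set at login by the identity layer, never taken from the URL


# Constructed records keyed by the id that would appear in the URL.
CUSTOMERS = {
    "1001": {"name": "Customer A", "card_last4": "4242"},
    "1002": {"name": "Customer B", "card_last4": "0005"},
}


def get_customer_vulnerable(session: Session, requested_id: str) -> dict:
    """Trusts the id in the URL outright, so the session is never consulted."""
    return CUSTOMERS[requested_id]


def owns_record(session: Session, requested_id: str) -> bool:
    """The authorization decision, kept in one place so every handler shares it."""
    return requested_id == session.customer_id


def get_customer_hardened(session: Session, requested_id: str) -> dict:
    """Refuses any id the session does not own; unknown ids get the same answer."""
    if not owns_record(session, requested_id):
        raise Forbidden(f"session {session.customer_id} requested {requested_id}")
    record = CUSTOMERS.get(requested_id)
    if record is None:
        raise Forbidden("unknown record")  # same outcome as a foreign id: no enumeration hint
    return record


def get_own_customer(session: Session) -> dict:
    """Stronger shape: derive the key from the session and accept no id from the URL."""
    return CUSTOMERS[session.customer_id]


def demo() -> dict:
    """Exercise all three handlers as customer 1001 asking for 1002's record."""
    session = Session(customer_id="1001")
    results = {"vulnerable_leaks_other": get_customer_vulnerable(session, "1002")["name"]}
    try:
        get_customer_hardened(session, "1002")
        results["hardened_blocks_other"] = False
    except Forbidden:
        results["hardened_blocks_other"] = True
    results["hardened_serves_own"] = get_customer_hardened(session, "1001")["name"]
    results["session_keyed"] = get_own_customer(session)["name"]
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Two details matter in the hardened version: the decision lives in one function so it cannot be forgotten in a second handler, and a missing record is refused with the same error as a foreign one, so the response does not tell a caller which ids exist. Logging each Forbidden with the session id is also a cheap way to notice someone stepping through ids.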


4. Login passwords for tens of thousands of Dahua networked cameras/DVR devices have been cached inside search results returned by ZoomEye. To make matters worse, these systems use a custom protocol that doesn’t require any authentication to access the video recordings. It also doesn’t help that many of these systems are running ancient firmware too. -- DEPTHSECURITY


5. Jonathan Powell pled guilty today to one count of fraud. This was in connection with his scheme to obtain unauthorized access to more than 1,000 email accounts maintained by a New York City area university in order to download sexually explicit photos and videos. Powell sent password reset commands to these accounts and then gained access to them. – US DOJ


6. Security researchers have uncovered a "highly targeted" mobile malware campaign that has been operating since August 2015 and found spying on 13 selected iPhones in India. What makes this a bigger deal is that the hackers infected these phones with a custom mobile device manager that enabled remote access through compromised Telegram and WhatsApp apps. – CISCO TALOS BLOG


7. You need to read this piece by David Koff on rethinking email and security. It brought to mind the many things that folks today have to do to protect themselves. I would urge you to review it carefully. Medium calculates it will take you 17 minutes to read, but my guess is that you need to budget more time. There is a lot to unpack in his post, which contains some very practical suggestions on using email better, installing a password manager, and learning how to encrypt messages.


8. Colton Ray Grubbs is a 21-year-old Kentucky man who has pleaded guilty to authoring and distributing a popular hacking tool called “LuminosityLink” to more than 8,000 customers. For $40, buyers could install their own remote access Trojan on victims’ PCs. The plea was entered in US District Court in Kentucky. – KREBS ON SECURITY


9. A group of university researchers mounted a successful stealth-based GPS spoofing attack against road navigation systems. They were able to trick humans into driving to incorrect locations. The attack made use of a custom rig based on a Raspberry Pi to inject the real-time GPS location information. For safety’s sake, they installed these units on driving simulators and found almost all of their subjects followed the wrong directions. – MICROSOFT RESEARCH (PDF)


10. If you like cyber attack maps, take a look at this post. They compare six different ones from Fortinet, Kaspersky, and FireEye (shown here), among others. Pretty pictures, yes. Informative and actionable information, dubious. -- SECUREWORLD


Remember Lucy and Charlie Brown? Here is an updated take on their war of wits, narrated by live actors, with some post-modern truthiness thrown in for good measure. It is all about perception and differing realities. Good grief! -- PAGET BREWSTER


We have lots of tips for you today: how to recognize social engineering, how to prevent DDoS attacks, and learning more about pass-the-hash exploits. I was one of the featured speakers on David Senf’s Threat Actions This Week podcast last week. I spoke with one of the engineers working on Mitre’s ATT&CK framework about how to best deploy this tool to help network defenders learn more about malware processes. I wrote about ATT&CK-based tools earlier this year for CSOonline.

-- David Strom, editor of Inside Security


1. A new report from Sonicwall’s telemetry shows that malware volume is on pace to double the rate from last year. Everything is up: ransomware has seen a 229 percent year-to-date increase and encrypted threats are up 275 percent over last year. The company has sensors in just about every corner of the globe and collects hundreds of thousands of malware samples daily. – SONICWALL (PDF)


2. Here are five of the more popular social engineering attack methods. Knowing them can help you better train your users to be on the lookout for them. They include ordinary phishing and asking for your private data in exchange for some service, such as free support. Also, there is the ever-popular tailgating, where hackers try to enter a building directly behind an employee. Given that the FBI has announced an increase in business email compromises, it is worth teaching these methods. – MSSP ALERT


3. If you haven’t ever come across the pass-the-hash exploit, it is worthwhile to spend some time reviewing the various techniques and how to prevent this kind of attack. It has been around for many years, and you should follow the author’s recommendations. – MWR INFO SECURITY

