Cybersecurity News, Prevention and Tips

News (September 2022)

**Senate Intelligence Committee Releases Bipartisan Report Detailing Foreign Intelligence Threats
U.S. counterintelligence efforts are failing to keep pace with espionage, hacking and disinformation threats, according to a Senate report released on September 20, 2022. The bipartisan report by the Senate Intelligence Committee says that U.S. spy agencies are poorly equipped to combat threats from major powers such as China, transnational criminal organizations and ideologically motivated groups. These varied groups target not just U.S. national security agencies, but also other government departments, the private sector and academia in search of secret or sensitive data. The report, which is partially redacted, focuses on the little-known National Counterintelligence and Security Center, whose mission is to lead counterintelligence across the U.S. government. The center doesn’t have sufficient funding or authority, nor a clear mission, the Senate report says. 

**Untangling the Russian web: Spies, proxies, and spectrums of Russian cyber behavior 
The number of cyber operations launched from Russia over the last few years is astounding, ranging from the NotPetya malware attack that cost the global economy billions, to the SolarWinds espionage campaign against dozens of US government agencies and thousands of companies. Broad characterizations of these operations, such as “Russian cyberattack,” obscure the very real and entangled web of cyber actors within Russia that receive varying degrees of support from, approval by, and involvement with the Russian government.
The Atlantic Council’s Cyber Statecraft Initiative issue brief describes the large, complex, and often opaque network of cyber actors in Russia, from front companies to patriotic hackers to cybercriminals. It analyzes the range and ambiguity of the Russian government’s involvement with the different actors in this cyber web, as well as the risks and benefits the Kremlin perceives or gets from leveraging actors in this group. The issue brief concludes with three takeaways and actions for policymakers in the United States, as well as in allied and partner countries: focus on understanding the incentive structure for the different actors in Russia’s cyber web; specify the relationship any given Russian actor has or does not have with the state, and calibrate their responses accordingly; and examine these actors and activities from Moscow’s perspective when designing policies and predicting the Kremlin’s responses.

**Justice Department Announces Report on Digital Assets and Launches Nationwide Network
Sep 16, 2022: The Department of Justice today announced significant actions regarding digital assets, including the public release of its report, pursuant to the President’s March 9 Executive Order on Ensuring Responsible Development of Digital Assets, on The Role of Law Enforcement in Detecting, Investigating, and Prosecuting Criminal Activity Related to Digital Assets; and the establishment of the nationwide Digital Asset Coordinator (DAC) Network, in furtherance of the department’s efforts to combat the growing threat posed by the illicit use of digital assets to the American public.

**Data Security at Risk: Testimony from a Twitter Whistleblower (Full Committee Hearing)
Twitter whistleblower Peiter Zatko told the Senate Judiciary Committee on Tuesday, September 13, 2022, that Twitter lacks the resources and motivation to search for and remove foreign intelligence threats within its operations. In his testimony, Zatko revealed how Twitter had received a specific warning from the FBI that the company may have had one or more Chinese spies within its ranks. The explosive detail linking the U.S. government warning to China had not been a part of Zatko’s publicly reported disclosure to the U.S. government. It remains unclear whether Twitter acted on the tip, but Zatko told Sen. Chuck Grassley that he and others inside Twitter understood that the company was a target for foreign intelligence agencies.

Peiter Zatko appears before the Senate Judiciary Committee on Capitol Hill in Washington, on September 13, 2022 (Sarah Silbiger for CNN)

**Treasury Sanctions Iranian Ministry of Intelligence and Minister for Malign Cyber Activities
The United States has imposed sanctions on Iran’s Ministry of Intelligence and Security (MOIS) as well as its Minister of Intelligence Esmail Khatib for engaging in malicious cyber efforts against the United States and its allies since at least 2007. According to the U.S. Treasury Department’s press release, one of the most recent attacks linked to the MOIS was a July cyberattack on Albanian computer systems that required the government to temporarily stop providing online services for citizens. As a part of the sanctions regime, all property and interests in property of Khatib and MOIS within U.S. jurisdiction are blocked, and “U.S. persons are generally prohibited from engaging in transactions with them.”

Russian and Chinese Cyber Threats

Mitigation and Recommendations:
  • Whenever possible, enable Multi-factor Authentication (MFA) on accounts. Users should not accept any MFA attempts (such as push notifications, phone calls, etc.) that they did not initiate themselves.
  • Use long, complex, and unique passwords for each account. Consider using a password manager, only for personal, non-official accounts.
  • Monitor accounts across all platforms for suspicious activity, and inspect messages for signs that they did not originate from a legitimate source. Be aware of common spear phishing lures, and exercise caution when clicking on links or attachments from external contacts. Cyber actors may compromise even known, legitimate contacts to target Department personnel.
  • Update software and apps over a secure connection to patch organizational and personal devices against known vulnerabilities.
  • Avoid connecting devices to public WiFi or public charging stations.
  • Use end-to-end encrypted messaging apps (we recommend Signal – Signal.org) and a paid VPN service (we recommend ProtonVPN – ProtonVPN.com) based in a trusted country on personal devices.

System owners and network administrators should consider the following mitigations for non-enterprise managed networks:
  • Continuously monitor identity management environments for anomalous activity; review identity and access management policies; and audit for misconfigurations. Monitor successive failed login attempts across multiple users’ accounts.
  • Incorporate indicators of compromise (IOCs) to block known malicious infrastructure, websites, and malware. Check logs for known C2 patterns, and implement IP filtering.
  • Phase out legacy authentication protocols, and replace with solutions using modern authentication. Require, enable, and enforce MFA to access accounts and resources.
  • Continue testing and deploying patches enterprise-wide as quickly as possible, to mitigate potential exploitation.
  • Use email filtering; for example, prevent users from receiving EXE files, or disable links and attachments in email messages originating from outside the organization.
  • Close unused ports on internet-facing servers and devices.
  • Passwords for all accounts, especially for those with elevated privileges, should be strong and unique (at least 16 characters long), and should not be reused for other accounts. Ensure that default passwords are changed on all hardware and devices.
  • Ensure that credentials for enterprise systems and accounts are not stored in unsecured locations, such as file servers, email inboxes, cloud shares, or SharePoint libraries.
  • Ensure that network and system logging is enabled, including web logs for internet-facing resources.
  • Apply the principle of least privilege on all enterprise accounts, especially those with elevated privileges (e.g., administrative or service accounts).
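
As an added example (not from the page or any of the agencies it cites), the following Python script shows one way to act on the item "monitor successive failed login attempts across multiple users’ accounts": it parses constructed sshd-style log lines (made-up hosts, users and IPs) and flags a source that fails logins against many distinct accounts inside a short window, then lists any successful logins from that source so those accounts can be reviewed first.

```python
# Added example: flag password-spraying patterns in authentication logs, i.e.
# one source IP failing logins against many distinct accounts in a short
# window. Log lines, hosts, users and addresses below are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (sshd-like format). 203.0.113.10 tries five accounts
# in a few seconds and then gets into one of them; 198.51.100.7 is a user who
# simply mistyped a password twice.
SAMPLE_LOG = """\
2022-09-14T08:00:01Z host1 sshd[101]: Failed password for alice from 203.0.113.10 port 51000 ssh2
2022-09-14T08:00:04Z host1 sshd[102]: Failed password for bob from 203.0.113.10 port 51001 ssh2
2022-09-14T08:00:07Z host1 sshd[103]: Failed password for carol from 203.0.113.10 port 51002 ssh2
2022-09-14T08:00:09Z host1 sshd[104]: Failed password for dave from 203.0.113.10 port 51003 ssh2
2022-09-14T08:00:12Z host1 sshd[105]: Failed password for erin from 203.0.113.10 port 51004 ssh2
2022-09-14T08:00:15Z host1 sshd[106]: Accepted password for erin from 203.0.113.10 port 51005 ssh2
2022-09-14T08:03:00Z host1 sshd[107]: Failed password for alice from 198.51.100.7 port 40000 ssh2
2022-09-14T08:03:30Z host1 sshd[108]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2022-09-14T08:04:00Z host1 sshd[109]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
2022-09-14T09:30:00Z host1 sshd[110]: Failed password for frank from 203.0.113.10 port 51010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Parse log text into (timestamp, result, user, ip) tuples; skip other lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_spray(events, window=timedelta(minutes=5), min_users=4):
    """Return {ip: sorted list of targeted users} for every source that failed
    logins against at least min_users distinct accounts within any sliding
    window of the given length. Thresholds are illustrative; tune to the site."""
    failures = defaultdict(list)  # ip -> [(timestamp, user)]
    for ts, result, user, ip in events:
        if result == "Failed":
            failures[ip].append((ts, user))
    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Advance start so attempts[start..end] all fall inside the window.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                alerts[ip] = sorted(users | set(alerts.get(ip, [])))
    return alerts


def successful_logins_from(events, alerts):
    """(user, ip) pairs where a flagged spraying source was eventually accepted:
    these accounts need a credential reset and a session review first."""
    return sorted({(user, ip) for _, result, user, ip in events
                   if result == "Accepted" and ip in alerts})


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_LOG)
    found = detect_spray(evts)
    for src, users in found.items():
        print(f"possible password spray from {src}: {', '.join(users)}")
    for user, src in successful_logins_from(evts, found):
        print(f"REVIEW: {src} later logged in as {user}")
```

The same sliding-window logic applies to any log source that yields (time, outcome, user, origin) tuples, such as VPN or identity-provider sign-in events, once the parser is swapped.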
The complexity of the PRC threat means that recommendations for personnel in China go beyond standard mitigation tactics. We recommend that all personnel traveling to or living in the PRC consider the following standard precautions:
  • Avoid connecting any device to personal or home networks upon return if the device has been to the PRC, including brief stops at airports for flight transfers. 
  • Use VPNs or internal organizational networks for any sensitive business, to include financial transactions, healthcare, and other handling of personal or proprietary information.
  • Maintain physical control of mobile devices and the associated charging equipment whenever possible, especially in foreign government buildings.
  • Use electrical outlets to charge mobile devices and avoid using USB ports, even on-premises at a private-sector facility.
  • Turn over any external media received as “gifts” or found on-premises to a security manager.

Russian Cyberwarfare: Unpacking the Kremlin’s Capabilities
Long before Putin’s invasion of Ukraine, the Kremlin, Russian security agencies, and their criminal networks had been successfully using complex cyber operations to exploit systemic vulnerabilities both in the West and closer to home for their own gain. However, the absence of significant cyberattacks in Ukraine has raised questions about how well we really understand how Russia’s cyber forces are organized.

By delving into the history and evolution of Russia’s cyber actors, the Russian cyber landscape, and the intricate web of those working on behalf of the Kremlin, this report reveals a remarkably fluid and informal Russian cyberspace. In addition, it provides a roadmap for how governments, civil society, and businesses can interpret and navigate this digital landscape and prepare more resilient cybersecurity and defenses for the future. 
This new report (September 8, 2022) is part of CEPA’s ongoing work on Russia’s cyber operations and below-threshold threats. The Center for European Policy Analysis (CEPA) is a nonpartisan, nonprofit, public policy institution based in Washington, DC.

Key Takeaways:

  • Despite the broad range of actors involved in cyber operations, Russia does not have a unified cyber command, instead, coordinating with political decision-makers at the Presidential Administration level via Russia’s Security Council.
  • There are no strict foreign and domestic divisions of labor for the security services in the cyber domain. Agencies traditionally focused on foreign targets have attacked domestic targets, and vice versa.
  • This informal structure results in significant overlap in mission and capability, often leading to competition for resources and sometimes to problems of coordination and conflict.
  • Russia’s cyber system is subject to a significant degree of informality and political maneuvering, as different actors report to the Presidential Administration and Security Council via distinct channels and with varying degrees of accountability.
  • Russia’s system of cyber operations follows the legacy of the Soviet Union’s signals intelligence bureaucracy but is heavily dependent on the private sector for training, recruitment, and technology.

This page provides an overview of the Cybersecurity and Infrastructure Security Agency’s (CISA’s) assessment of the Iranian government’s malicious cyber activities. The overview leverages publicly available, open-source intelligence and information regarding this threat. This page also includes a complete list of related CISA publications, many of which are jointly authored with other U.S. government agencies (Note: unless specifically stated, neither CISA nor the U.S. Government attributed specific activity described in the referenced sources to Iranian government actors). Additionally, this page provides instructions on how to report related threat activity. 

US bolsters cyber alliance to counter rising Iran threat
On the sidelines of U.S. President Joe Biden’s visit to the kingdom of Saudi Arabia on July 15-16, 2022, the Saudi National Cybersecurity Authority (NCA) announced the signing of a Memorandum of Understanding for Cybersecurity Cooperation with the U.S. Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA). This MoU, a move experts see as a direct response to the rising digital threat from Iran, aims to promote bilateral cooperation in the field of cybersecurity to safeguard cyberspace and vital interests in the Kingdom of Saudi Arabia and the USA.

Ransomware

Ransomware infections occur in different ways, such as through insecure and fraudulent websites, software downloads and malicious attachments. Anyone can be a target – individuals and companies of all sizes. Fortunately, there are ways for you to be prepared and reduce the likelihood of finding yourself in front of a locked laptop or encrypted file. You can significantly reduce the chances of infection by applying security steps and paying attention online.

ENISA’s July 29, 2022 report (“Threat Landscape for Ransomware Attack”) aims to bring new insights into the reality of ransomware incidents through mapping and studying ransomware incidents from May 2021 to June 2022. Based on the findings, ransomware has adapted and evolved, becoming more efficient and causing more devastating attacks. The European Union Agency for Cybersecurity (ENISA) is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe. ENISA contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow.

The following EUROPOL guideline for regular users and mitigation steps for businesses will help you stay alert and ready. The guidelines also include steps to take if your device or system becomes infected.

NIST, the National Institute of Standards and Technology, has also published a more detailed fact sheet on how to stay prepared against ransomware attacks. You can find this material and more on ransomware at the NIST and CISA websites. These materials were produced by staff members in NIST’s Information Technology Laboratory and National Cybersecurity Center of Excellence.

September 8, 2022: CISA/FBI Alert (AA22-249A) #StopRansomware
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) to disseminate IOCs and TTPs associated with Vice Society actors identified through FBI investigations as recently as September 2022. The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks. The joint CSA is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

——

Infected… what to do next?

  1. Always visit www.nomoreransom.org to check whether you have been infected with one of the ransomware variants for which there are decryption tools available free of charge.

  2. Don’t pay the ransom! You will be financing criminals and encouraging them to continue their illegal activities.

  3. Report it to your national police. The more information you provide, the more effectively law enforcement can disrupt the criminal enterprise.

National Security Agency Cybersecurity Technical Report

The National Security Agency (NSA) released a new report in March 2022 that gives all organizations the most current advice on how to protect their IT network infrastructures from cyberattacks. NSA’s report ‘Cybersecurity Technical Report (CTR): Network Infrastructure Security Guidance’ is freely available to all network admins and CIOs to harden their networks against state-sponsored and criminal cyberattacks.

';--have i been pwned? (HIBP)

HaveIBeenPwned (HIBP) is a free service for checking whether credentials were stolen or leaked in past data breaches.

Check if your email or phone is in a data breach.

Check if your passwords have been leaked in previous breaches.

Hardening Signal (CERT-EU Team)

Signal is a well-known, secure, encrypted instant messaging service developed by the non-profit Signal Technology Foundation and Signal Messenger LLC. It uses standard cellular telephone numbers as identifiers, and all communications between Signal users are secured with end-to-end encryption. Staff of public and private organisations, including senior management, may sometimes be using Signal to quickly coordinate and exchange information on work-related matters. Signal groups may also have been set up for business continuity reasons in case corporate instant messaging tools become unavailable. This March 3, 2022 document provides clear and pragmatic recommendations for hardening the configuration of Signal apps.

Cyber Incidents

The biggest data breaches, hacks of 2021 (ZDNet)
Here are some of the most notable security incidents, cyberattacks, and data breaches over 2021. 

Significant Cyber Incidents since 2006 (CSIS)
This timeline from the Center for Strategic and International Studies records significant cyber incidents since 2006, with a focus on cyber attacks on government agencies, defense and high tech companies, or economic crimes with losses of more than a million dollars. CSIS is one of the world’s preeminent, bipartisan and nonprofit international policy institutions. It focuses on defense and security, regional study, and transnational challenges ranging from energy and trade to global development and economic integration.

Below is a summary of incidents during the month of August 2022.

  • August 2022. Hackers used a DDoS attack to temporarily take down the website of Taiwan’s presidential office. The Taiwanese government attributed the attack to foreign hackers and stated normal operations of the website resumed after 20 minutes. Taiwan’s Foreign Ministry also noted hackers targeted their website and the main portal website for Taiwan’s government.

  • August 2022. Hackers targeted the Finnish Parliament with a DDoS attack that rendered the Parliamentary website inaccessible. A Russian group claimed responsibility for the attack on Telegram.

  • August 2022. Hackers targeted the website of Ukraine’s state energy agency responsible for the oversight of Ukraine’s nuclear power plants. The agency stated Russian hackers carried out the attack.

  • August 2022. Hackers targeted the website of the Latvian Parliament with a DDoS attack that temporarily paralyzed the website’s server. A Russian hacking group claimed responsibility for the attack on Telegram.

  • August 2022. Hackers targeted Greece’s largest natural gas distributor DESFA causing a system outage and data exposure.

  • August 2022. A Russian group claimed responsibility for breaching a privately owned UK water supply company South Staffordshire Water and leaking files in an extortion attempt.

  • August 2022. Hackers targeted Montenegro’s government institutions, breaching the computer systems of several state bodies. Montenegro’s Defense Minister stated there was sufficient evidence to suspect Russia was behind the attack.

  • August 2022. A DDoS campaign targeted the websites of both government and private Estonian institutions. Estonia stated that the attack was largely repelled, and the impact was limited.

  • August 2022. Hackers used phishing emails to deploy malware in government institutions and defense firms throughout Eastern Europe in January 2022. A report by Russian-based company Kaspersky linked the campaign to a Chinese hacking group.

Cybersecurity Incident & Vulnerability Response Playbooks (CISA)
The Cybersecurity and Infrastructure Security Agency (CISA) released the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Produced in accordance with Executive Order 14028, “Improving the Nation’s Cybersecurity,” the playbooks provide federal civilian agencies with a standard set of procedures to respond to vulnerabilities and incidents impacting Federal Civilian Executive Branch networks.

“The playbooks we are releasing today are intended to improve and standardize the approaches used by federal agencies to identify, remediate, and recover from vulnerabilities and incidents affecting their systems,” said Matt Hartman, Deputy Executive Assistant Director for Cybersecurity. “This important step, set in motion by President Biden’s Cyber Executive Order, will enable more comprehensive analysis and mitigation of vulnerabilities and incidents across the civilian enterprise. We encourage our public and private sector partners to review the playbooks to take stock of their own vulnerability and incident response practices.”

The Incident Response Playbook applies to incidents that involve confirmed malicious cyber activity and for which a major incident has been declared or not yet been reasonably ruled out. The Vulnerability Response Playbook applies to any vulnerability that is observed to be used by adversaries to gain unauthorized entry into computing resources. This playbook builds on CISA’s Binding Operational Directive 22-01 and standardizes the high-level process that should be followed when responding to these vulnerabilities that pose significant risk across the federal government, private and public sectors.
Building on lessons learned from previous incidents and incorporating industry best practices, CISA intends for these two playbooks to strengthen cybersecurity response practices and operational procedures not only for the federal government, but also for public and private sector entities. The playbooks contain checklists for incident response, incident response preparation, and vulnerability response that can be adapted to any organization to track necessary activities to completion. 

Recent Cybersecurity Alerts (CISA)

These 2022 alerts provide timely information about current security issues, vulnerabilities, and exploits.
These 2021 alerts provide timely information about current security issues, vulnerabilities, and exploits.
These 2020 alerts provide timely information about current security issues, vulnerabilities, and exploits.
These 2019 alerts provide timely information about current security issues, vulnerabilities, and exploits.
These 2018 alerts provide timely information about current security issues, vulnerabilities, and exploits.

——

News (August 2022)

**Lloyd’s to Exclude Catastrophic Nation-Backed Cyberattacks From Insurance Coverage
By 2023, insurer groups must add clauses to cyber policies excluding state-backed hacks that severely affect a target nation’s infrastructure, the insurance marketplace says. Lloyd’s of London Ltd. will require its insurer groups globally to exclude catastrophic state-backed hacks from stand-alone cyber insurance policies starting next year. Lloyd’s is a marketplace where roughly 75 syndicates of underwriters congregate to provide insurance coverage for businesses, organizations and individuals. As of March 31, when coverage begins or is renewed, syndicates must exclude state-backed cyberattacks from policies that protect against physical and digital damage caused by hacks, Underwriting Director Tony Chaudhry said in a bulletin dated Aug. 16, 2022.

**EU Cyber Proposal a Move in the Right Direction, But Should Avoid Protectionism
The EU’s recent move to update and harmonize the bloc’s government information security standards is an appropriate response to protect the increasing amounts of information that the public sector attains and shares. Though it gets most things right, the EU should drop its protectionist provisions requiring certain data to be stored locally. The EU’s threat landscape has become vast: Each of the Union’s institutions, bodies, agencies, and offices is spread across 27 countries and acts as a potential vector for a security breach. Several of the aims of the proposal to set up an EU-wide information security scheme are laudable attempts to reduce exposure and mitigate risks, including inter-institution cooperation and governance, a common approach to categorization, modernized standards for remote work, and greater compatibility between systems. Unfortunately, a key provision, Article 17(1)(c), misguidedly requires that sensitive non-classified (SNC) information, defined as data that must be protected due to legal obligations or harm that may be caused, should be “stored and processed in the EU.” Center for Data Innovation, August 26, 2022.

**Former security chief claims Twitter buried ‘egregious deficiencies’
A former executive at Twitter said the company misrepresented its cybersecurity capabilities to the Federal Trade Commission and its board of directors. Peiter Zatko, a well-known hacker and Twitter’s former head of security, said that executives at the company failed to properly notify directors of data breaches and security vulnerabilities on the platform. The complaint made by Zatko also accused company executives of focusing on growth to the detriment of addressing spam. Zatko was fired by Twitter’s CEO in January due to what the company described as “ineffective leadership and poor performance.” See also “Mudge Blows Whistle on Alleged Twitter Security Nightmare” (DarkReading, August 23, 2022). Twitter’s former chief security officer is set to testify before the Senate Judiciary Committee next month. The hearing, announced for Sept. 13, is the first of likely numerous investigations expected by Congress in the coming months, as lawmakers probe the implications of the cybersecurity vulnerability claims Peiter Zatko made against his former employer.

**Developer Arrested Following OFAC Sanctions of Tornado Cash Protocol
Just days after OFAC issued sanctions against virtual currency mixer Tornado Cash, Dutch authorities arrested the protocol’s alleged developer on August 10, 2022. In a press release, the Treasury Department alleged that since 2019, Tornado Cash had been used to launder more than $7 billion in cryptocurrency, including more than $455 million stolen in the largest decentralized finance (DeFi) hack to date, on the Ronin Network, carried out by the North Korean-backed cybercrime syndicate the Lazarus Group. Dutch authorities have not released the identity of the developer and have not ruled out the possibility of further arrests related to Tornado Cash.

News (July 2022)

**John Scott-Railton Delivers Testimony to House Permanent Select Committee on Intelligence 

On July 27, 2022, Citizen Lab senior researcher John Scott-Railton was asked to appear before the House Permanent Select Committee on Intelligence. He was invited to provide expert testimony on a hearing devoted to combating threats to U.S. national security from the proliferation of foreign commercial spyware. The written submission of that testimony is here.