
Russian Hackers Sabotaging Critical U.S Infrastructure

Of all the state-sponsored hacking groups that have attacked the U.S. power grid and gone on to compromise American electric utilities, only Sandworm, a Russian military intelligence group, has been bold enough to trigger real blackouts, cutting power in Ukraine in 2015 and 2016. A firm that specializes in grid security has now warned that a group linked to Sandworm's highly sophisticated hackers has been targeting U.S. energy systems, and has been doing so for years.

Wired reports, "Dragos ties Kamacite to electric grid intrusions not just in the US, but also to European targets well beyond the well-publicized attacks in Ukraine. That includes a hacking campaign against Germany's electric sector in 2017." Dragos, an industrial cybersecurity firm, recently issued its yearly report on the state of industrial control system (ICS) security. The report identifies four new foreign threat groups that target these critical infrastructure systems; three of the four have attacked U.S. industrial control systems.

The most notable of them, according to Dragos, is Kamacite. The group, Dragos says, may have worked with the GRU's Sandworm. In the past, Kamacite has acted as Sandworm's access team: it focused on gaining a foothold in a victim's network before handing that access to other Sandworm teams, which then carried out the actual attacks. According to Dragos, Kamacite has targeted U.S. electric utilities, oil and gas companies, and other organizations on several occasions, with the activity dating back to 2017. The firm believes the group continues to target the U.S. electric utility sector in order to maintain a persistent foothold there.

In a few incidents over the years, the group has successfully breached U.S. target networks, which gave it access to the utilities. Sergio Caltagirone, Dragos vice president of threat intelligence and a former NSA analyst, says that "if you see Kamacite in an industrial network or targeting industrial entities, you clearly can't be confident they're just gathering information. You have to assume something else follows. Kamacite is dangerous to industrial control facilities because when they attack them, they have a connection to entities who know how to do destructive operations."

US Senate's Select Committee Raises Some Serious Concerns Regarding SolarWinds Attack

The US Senate's Select Committee on Intelligence has blamed Russia for the massive intelligence operation that infiltrated SolarWinds, a Texas-based software company, to steal data from various government agencies and nearly 100 companies. The threat actors compromised SolarWinds' Orion software build to push a trojanized update, then abused weaknesses in Microsoft identity and cloud services to penetrate the companies and government agencies that installed it.

Some key issues were raised during the hearing of the US Senate's select committee:

• Threat actors conducting a "dry run";
• The true motive behind the attack;
• Threat actors' use of Amazon Web Services infrastructure;
• Improvement in cyberthreat and intelligence information sharing.

Kevin Mandia, CEO of FireEye, described the methodology the threat actors used for a "dry run" in October 2019. He stated during his testimony that "they put an innocuous build in to make sure that it made it to the [production] environment." He added that his company's engineers have worked day in, day out, spending more than 10,000 hours analyzing the breach and tracing it back to the compromised SolarWinds software.
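The dry run described above is why reproducible builds matter for supply-chain defense: if the reviewed source tree, built again on an independent machine, does not produce a byte-identical artifact, something was inserted at the build stage, and the gate can name which member changed. The following is an added example in Python, not code from the hearing, from FireEye or from SolarWinds; the toy "compiler", the source files, the member names and the hooks that model a compromised build server are all constructed for illustration.

```python
"""Release gate that catches an injected build by rebuilding from source.

Added example; not SolarWinds', FireEye's or the committee's code. The
'compiler' is a toy: it serializes the inputs deterministically so that two
builds of the same sources are byte-identical. Everything below is constructed.
"""
import hashlib
import json
from typing import Callable, Dict, List, Optional

Sources = Dict[str, str]                       # path -> file content (text only)
BuildHook = Optional[Callable[[Sources], Sources]]


def build(sources: Sources, hook: BuildHook = None) -> bytes:
    """Toy deterministic 'compiler'.

    `hook` models code an attacker planted on the build server: it sees and can
    alter the inputs right before compilation, the stage at which both the
    innocuous dry-run build and the real implant would be inserted.
    """
    inputs = hook(dict(sources)) if hook else sources
    # sorted keys + fixed separators => identical bytes for identical inputs
    return json.dumps({"members": inputs}, sort_keys=True,
                      separators=(",", ":")).encode()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def members(artifact: bytes) -> Dict[str, str]:
    """Split a toy artifact back into its members so a mismatch is explainable."""
    return json.loads(artifact)["members"]


def release_gate(shipped: bytes, pristine_sources: Sources) -> List[str]:
    """Rebuild independently from the reviewed source tree and diff.

    Returns a list of findings; an empty list means the shipped artifact is
    reproducible from source and may be released.
    """
    rebuilt = build(pristine_sources)
    if sha256(rebuilt) == sha256(shipped):
        return []
    findings: List[str] = []
    got, want = members(shipped), members(rebuilt)
    for name in sorted(set(got) | set(want)):
        if name not in want:
            findings.append(f"ADDED member not in source tree: {name}")
        elif name not in got:
            findings.append(f"MISSING member: {name}")
        elif got[name] != want[name]:
            findings.append(f"MODIFIED member: {name}")
    return findings


# --- constructed demo data (hypothetical file and class names) ---
SOURCES: Sources = {
    "Core/Program.cs": "class Program { static void Main() {} }",
    "Core/Updater.cs": "class Updater { void Check() {} }",
}


def dry_run_hook(inputs: Sources) -> Sources:
    """Stage 1 of the scenario in the testimony: an empty, harmless class is
    added to learn whether it survives all the way to the signed release."""
    inputs["Core/Probe.cs"] = "class Probe { }"
    return inputs


def implant_hook(inputs: Sources) -> Sources:
    """Stage 2: an existing member is altered to call a backdoor."""
    inputs["Core/Updater.cs"] = inputs["Core/Updater.cs"].replace(
        "void Check() {}", "void Check() { Backdoor.Run(); }")
    return inputs


def demo() -> Dict[str, List[str]]:
    """Run the gate against a clean build, a dry-run build and an implanted build."""
    return {
        "clean": release_gate(build(SOURCES), SOURCES),
        "dry_run": release_gate(build(SOURCES, dry_run_hook), SOURCES),
        "implant": release_gate(build(SOURCES, implant_hook), SOURCES),
    }


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(scenario, findings or ["reproducible"])
```

Real reproducible builds need a pinned toolchain, stripped timestamps and an independent builder that does not share credentials with the production build server; the toy compiler above is deterministic by construction. Note that code signing does not help at this stage: the signature is applied to whatever the compromised build produced, so only an independent rebuild and comparison exposes the injected member.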

Several witnesses attributed the breach to a Russian state hacking group. Microsoft's President Brad Smith testified: "We've seen substantial evidence that points to the Russian foreign intelligence agency and we have found no evidence that leads us anywhere else."

Senator Marco Rubio, the vice chairman of the intelligence committee, said there is no conclusive evidence that the attack was more than a cyberespionage campaign, so drawing any further conclusions at this point is not justified. "While I share the concern that an operation of this scale with a disruptive intent could have caused mass chaos, those are not the facts that are in front of us. Everything we have seen thus far indicates this was an intelligence operation – a rather successful one – that was ultimately disrupted."

Senators criticized Amazon Web Services for declining to testify, given that the company's infrastructure was used in the attack. Sen. Rubio stated that "we had extended an invitation to Amazon to participate. The operation we'll be discussing today uses their infrastructure, [and], at least in part, required it to be successful. Apparently, they were too busy to discuss that here with us today, and I hope they'll reconsider that in future."

Sen. Richard Burr said that Amazon Web Services hosted most of the secondary command-and-control nodes used in the SolarWinds attack, which raises questions about how much Amazon and its executives have disclosed about what they know.

During the hearing, witnesses agreed with many of the committee members on the need to strengthen cyberthreat and intelligence information sharing. Kevin Mandia, CEO of FireEye, said that the 2015 Cybersecurity Information Sharing Act should be updated to make it easier to share intelligence and to give legal protection to organizations that report a breach and share the initial intelligence from it. Anne Neuberger, Deputy National Security Adviser, said earlier this month that nine federal agencies and about 100 private organizations were compromised as part of the attack.

Nation States Are Using Cyber Crime Groups to Carry Out Attacks, Says BlackBerry Threat Report 2021

Nation-states are employing cybercriminals to carry out attacks on their behalf in order to conceal their own involvement. A report by BlackBerry researchers indicates that the rise of sophisticated cybercrime-as-a-service offerings means that states can increasingly cooperate with organizations that will conduct attacks for them.

Researchers at BlackBerry state that nation-state hacking groups no longer have to do their own work: they can hire criminal groups to breach targets, with the added advantage, the analysts say, that the attack is then very hard to trace back to the state that commissioned it.

Such criminal groups carry out the malicious activity itself, whether phishing, ransomware deployment or network intrusion, and are paid once the stolen information or the access they gained is handed over to the nation-state that requested the operation. Because the criminals use their own tooling and tactics, it is hard to connect the action back to the state behind it.

"The emergence, sophistication, and anonymity of crimeware-as-a-service means that nation-states can mask their efforts behind third-party contractors and an almost impenetrable wall of plausible deniability," warns the Blackberry 2021 Threat Report. 

The researchers point to the growth of hack-for-hire operations such as Bahamut as evidence of how far sophisticated cyber-criminal campaigns have developed. Bahamut, first detailed by BlackBerry last year, used phishing, social engineering, malicious applications, modified malware and zero-day exploits, and had been doing so for several years before it was discovered.

Researchers note that Bahamut works for multiple customers and takes whichever jobs pay the most, and nation-states have the deepest pockets when it comes to funding campaigns. The profiles and geographic spread of its victims are too diverse to match the interests of any single bad actor.

"Threat actor identification can be challenging for threat researchers due to several factors, such as overlapping infrastructure, disparate targeting, and unusual tactics. This is especially true when only part of a campaign is outsourced," said the report. 

Although it is difficult to defend a network against every specific attack, organizations can apply basic security practices that help keep intruders out, such as granting remote access only to those who need it and continuously monitoring the network for unauthorized behaviour that looks suspicious.

Microsoft Makes CodeQL Queries Public for Detecting SolarWinds-Style Implants

Microsoft has won acclaim from security researchers by making its CodeQL queries public, so that any organization can use the open-source tools to check whether its own codebase contains an implant like the one used in the SolarWinds hack or in similar supply chain attacks. "There is no guarantee that the malicious actor is constrained to the same functionality or coding style in other operations, so these queries may not detect other implants that deviate significantly from the tactics seen in the Solorigate implant," Microsoft says. "These should be considered as just a part in a mosaic of techniques to audit for compromise."

CodeQL treats code as data, which lets a developer write a query that finds every variant of a vulnerability or code pattern and then share that query with others. CodeQL is an open-source semantic code analysis engine that works in two stages. First, as part of compiling the source code into binaries, CodeQL builds a database that captures a model of the code being compiled.

"For interpreted languages, it parses the source and builds its own abstract syntax tree model, as there is no compiler. Second, once constructed, this database can be queried repeatedly like any other database. The CodeQL language is purpose-built to enable the easy selection of complex code conditions from the database," Microsoft notes. 

In a blog post detailing how it used CodeQL, Microsoft refers to the SolarWinds attack as Solorigate. In this case, the attacker compromised SolarWinds' build process and inserted a backdoor into a SolarWinds Orion software update. The modified Orion binaries were distributed through the previously legitimate update channel, giving the attacker a foothold inside the numerous organizations that installed the update, from which it could remotely perform malicious actions such as credential theft, privilege escalation and lateral movement to steal sensitive information.

Microsoft said the SolarWinds incident has reminded organizations to reflect not only on their readiness to respond to sophisticated attacks, but also on the integrity of their own codebases. In the blog, Microsoft explains how it used CodeQL queries to examine its source code at scale and rule out the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with Solorigate.
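The two-stage model quoted above (build a model of the code, then query it repeatedly) and the two kinds of query Microsoft describes (literal code-level IoCs, and coding patterns) can be shown in miniature without CodeQL. The following is an added example in Python, not Microsoft's CodeQL or its Solorigate queries: the "database" is the AST that Python's own `ast` module builds, and the two queries run over it. The sample source being scanned, the IoC list and the hash constants in it are all constructed for the demo; the "rolling hash compared to hard-coded constants" pattern is a generic anti-analysis technique chosen for illustration, not a claim about what Microsoft's queries match.

```python
"""Mini 'code as data' scanner in the spirit of CodeQL's two stages.

Added example; not Microsoft's CodeQL and not its published Solorigate queries.
Stage 1 parses source into an AST (the 'database'); stage 2 runs queries over
it. SAMPLE, IOCS and every constant inside them are constructed for the demo.
"""
import ast
from typing import Any, Dict, List, Set

# Constructed source under audit: one benign helper, one suspicious one, and a
# hard-coded host. Nothing here is real malware or a real indicator.
SAMPLE = '''
def checksum(data):
    s = 0
    for b in data:
        s = (s + b) % 256
    return s

def is_interesting(name):
    h = 0xcbf29ce484222325
    for c in name:
        h ^= ord(c)
        h = (h * 0x100000001b3) & 0xffffffffffffffff
    return h in (0x1B5B8B3A9C5E7D21, 0x7A3C9F1E2D4B6A80)
HOST = "c2.updates.example"
'''

# Constructed code-level IoCs: a hash constant and a hostname to look for.
IOCS: Set[Any] = {0x1B5B8B3A9C5E7D21, "c2.updates.example"}


def build_db(source: str) -> ast.Module:
    """Stage 1: build the queryable model. For an interpreted language the
    model is the abstract syntax tree, as the quoted explanation describes."""
    return ast.parse(source)


def literal_iocs(db: ast.Module, iocs: Set[Any]) -> List[Dict[str, Any]]:
    """Query A: every literal in the code that equals a known IoC."""
    hits = [{"line": n.lineno, "value": n.value}
            for n in ast.walk(db)
            if isinstance(n, ast.Constant) and n.value in iocs]
    return sorted(hits, key=lambda h: h["line"])


def _binop_types(node: ast.AST) -> Set[type]:
    """Operator types used in any binary expression beneath `node`."""
    return {type(n.op) for n in ast.walk(node) if isinstance(n, ast.BinOp)}


def hashed_comparisons(db: ast.Module, min_bits: int = 32) -> List[Dict[str, Any]]:
    """Query B (a coding pattern, not a literal): functions that roll a hash
    in a loop (multiply / xor updates) and compare the result to hard-coded
    wide integers. Legitimate code rarely does this; malware uses it to hide
    which process or service names it is looking for."""
    hits: List[Dict[str, Any]] = []
    for fn in ast.walk(db):
        if not isinstance(fn, ast.FunctionDef):
            continue
        loop_hash = False
        wide_consts: List[int] = []
        for node in ast.walk(fn):
            if isinstance(node, (ast.For, ast.While)):
                for inner in ast.walk(node):
                    if isinstance(inner, ast.AugAssign) and \
                            isinstance(inner.op, (ast.Mult, ast.BitXor)):
                        loop_hash = True                 # h ^= x  /  h *= k
                    elif isinstance(inner, ast.Assign) and \
                            _binop_types(inner.value) & {ast.Mult, ast.BitXor}:
                        loop_hash = True                 # h = (h * k) & mask
            elif isinstance(node, ast.Compare):
                for c in ast.walk(node):
                    if isinstance(c, ast.Constant) and isinstance(c.value, int) \
                            and not isinstance(c.value, bool) \
                            and c.value.bit_length() > min_bits:
                        wide_consts.append(c.value)      # compared to a wide literal
        if loop_hash and wide_consts:
            hits.append({"function": fn.name, "line": fn.lineno,
                         "constants": sorted(wide_consts)})
    return hits


def demo() -> Dict[str, Any]:
    """Build the database once, then run both queries against it."""
    db = build_db(SAMPLE)
    return {"iocs": literal_iocs(db, IOCS), "hashed": hashed_comparisons(db)}


if __name__ == "__main__":
    for query, results in demo().items():
        print(query, results)
```

The point of the split is the same as in CodeQL: the expensive step (parsing, or compiling with instrumentation) happens once, and each new indicator or pattern is just another cheap query over the stored model. Query A is fragile for exactly the reason Microsoft gives, since an attacker can change a constant or a string at will; Query B survives such changes but will also flag legitimate hashing code, so its hits are audit leads rather than verdicts.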