Center for Internet Security Cyber Monthly Update

UNCLASSIFIED//FOR OFFICIAL USE ONLY  Traffic Light Protocol: GREEN




Center for Internet Security

Cyber Monthly Update

Information current as of March 31, 2015

Current Cyber Threats

(U//FOUO) TLP: GREEN Hacktivism update



Risk: State, local, tribal and territorial (SLTT) government entity/law enforcement: Low; Commercial financial sector: Low. (The Center for Internet Security (CIS; U.S. entity) assesses the risk of hacktivist activity against any particular government entity as Low. If a controversial incident occurs within a jurisdiction, CIS assesses that the risk to that jurisdiction rises to Medium-High. If a previous incident within the jurisdiction drew hacktivist attention, CIS estimates the risk of a hacktivist response to a current incident as High.)

  • Threat: Hacktivists continue to conduct operations against SLTT government entities in support of previously identified agendas such as an end to alleged use of excessive force by law enforcement. Other hacktivist activity is associated with controversial incidents or appears to be opportunistic website defacements, doxing incidents, and distributed denial of service (DDoS) attacks.

  • Event(s): The following represents examples of recent hacktivist activity:

  • Since early March 2015 _Bitcoin_Baron_ (f.k.a. xBitCoin_Baronx) has targeted at least seven state and local level websites with distributed denial of service (DDoS). The majority of the websites are associated with law enforcement entities involved in instances of alleged use of excessive force by law enforcement.

  • On March 21, 2015, and again on March 28, Vikingdom2015 announced via Soundcloud.com that they would attack all 50 U.S. state websites. Since March 17, 2015, Vikingdom2015 has claimed DDoS attacks against 43 SLTT websites in 28 states. Many of these attacks have been reported as successful by victims who observed DDoS-related activity in the same time periods as the claims.

(U) Image from YouTube video

On March 8, 2015, an Anonymous-affiliated actor posted a YouTube video targeting a municipality in response to an incident of alleged excessive use of force by a law enforcement officer (LEO). The actor called for the immediate release of all audio and video recordings related to the incident, as well as the arrest of all officers responsible, and threatened cyber attacks if the government did not meet these demands. The video also stated that Anonymous and Anonymous-affiliated actors believe law enforcement used cell phone jammers to disrupt communications among protestors. CIS is aware of a single doxing incident and multiple DDoS attacks occurring under this operation, with activity conducted by both Anonymous-affiliated and non-affiliated actors.



  • Action: CIS continues to monitor hacktivist activity and will notify SLTT governments when it identifies intelligence regarding potential threats or compromises. CIS strongly recommends the following:

  • Follow the DDoS recommendations in the “Guide to DDoS Attacks” for identifying and mitigating the different types of attack: http://msisac.cisecurity.org/documents/GuidetoDDoSAttacks.pdf

  • Assess websites for vulnerabilities; update and patch software, especially content management systems (CMS); use a web application firewall; ensure web pages are secured against SQL injection (SQLi) attacks; and develop an approach for handling claims of compromise, including unsubstantiated claims and re-releases of previously compromised information.

  • Use complex passwords to protect social media accounts, use multi-factor authentication whenever possible, and monitor the accounts for compromise. Additional recommendations are available at: http://iic.cisecurity.org/resources/documents/CISPrimer-SecuringSocialMediaAccounts.pdf.

  • Law enforcement officers (LEOs) should determine what information about themselves and their families is available on the Internet and remove it where possible.

  • LEOs are also advised to use a separate, complex password for each online account and, where possible, to implement two-factor authentication and other security precautions that limit information sharing.
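
The SQLi item in the recommendations above is easiest to act on with a concrete before-and-after. The following is an added example, not code from this newsletter or from any CIS product: a deliberately vulnerable lookup that splices user input into SQL text, beside the parameterised form, both run against a constructed in-memory SQLite table (`users`, with hypothetical rows). The classic tautology payload `' OR '1'='1` returns every row from the vulnerable query and nothing from the hardened one.

```python
"""Added example: string-built SQL versus a bound parameter, exercised with a classic SQLi payload."""
import sqlite3


def make_db():
    """Constructed sample table; the rows are hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0), ("carol", 0)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the user-controlled value becomes part of the SQL text,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = '%s' ORDER BY id" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Hardened: the value travels as a bound parameter and is never parsed as SQL,
    so the same payload simply fails to match any username."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]


# Classic tautology payload: closes the string literal, then ORs in an always-true clause.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", lookup_vulnerable(db, "bob"))
    print("vulnerable, payload:     ", lookup_vulnerable(db, PAYLOAD))
    print("parameterised, payload:  ", lookup_safe(db, PAYLOAD))
```

A web application firewall in front of the vulnerable form is a compensating control that buys time; the parameterised query is the fix. The same distinction applies to a CMS plugin that offers a raw-query escape hatch: audit those call sites first.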


Current News

(U) TLP: WHITE In late February 2015, Twitter (U.S. entity) announced a new abuse reporting system that allows individuals to request the takedown of a tweet containing information that might be part of a dox, including contact information, financial information, and government ID photos or numbers.



CIS Analysis: This should assist agencies in removing doxed information posted by hacktivist actors. Hacktivists and other actors frequently dox victims, including law enforcement and government officials, by posting personal information, such as home addresses, online.

(U) TLP: WHITE Cisco’s (U.S. entity) Talos Group identified a recent upgrade to the Angler Exploit Kit. Angler, which grew in prominence in 2014, has begun using a technique referred to as “domain shadowing.” The actors behind Angler are phishing domain registrant credentials from GoDaddy (U.S. entity) customers and using those credentials to create thousands of subdomains under the victims’ legitimately registered domains. Fast flux botnets avoid detection by associating a single domain with a rapidly changing set of IP addresses; domain shadowing instead cycles through many short-lived subdomains of a single, legitimately registered domain in order to avoid detection.



CIS Analysis: Cyber criminals are constantly trying to stay ahead of security researchers. This is just one of several examples in which malicious actors have continued to upgrade and add new features to their malware.
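
Because the parent domain in domain shadowing is a real, reputable registration, domain-reputation blocking does little; what stands out in resolver logs is the burst of throwaway subdomains. The following is an added example, not code from the newsletter or from Talos, that scans a constructed resolver log for registered domains that were queried under many distinct, random-looking subdomains within a time window. Assumptions: the registered domain is taken as the last two labels (real code should use the Public Suffix List), and the thresholds (5 subdomains per hour, mean label entropy of 2.5 bits) are starting points to tune per environment. The sample log and the `.example` names are constructed.

```python
"""Added example: flag registered domains that suddenly serve many random-looking subdomains."""
import math
from collections import Counter, defaultdict

# Constructed resolver log, "<epoch> <queried name>"; not real traffic and not from the page.
# legit-site.example has a handful of ordinary hosts; shadowed-victim.example shows the
# domain-shadowing pattern: a burst of throwaway labels beside its one real host (www).
SAMPLE_LOG = """\
1425800000 www.legit-site.example
1425800030 mail.legit-site.example
1425800060 vpn.legit-site.example
1425800090 legit-site.example
1425800100 a1b2c3d4.shadowed-victim.example
1425800160 q9w8e7r6.shadowed-victim.example
1425800220 z5x4c3v2.shadowed-victim.example
1425800280 p0o9i8u7.shadowed-victim.example
1425800340 m2n3b4v5.shadowed-victim.example
1425800400 k6j7h8g9.shadowed-victim.example
1425800460 f1d2s3a4.shadowed-victim.example
1425800520 t5y6u7i8.shadowed-victim.example
1425800580 www.shadowed-victim.example
"""


def registered_domain(qname):
    """Assumption: the registered domain is the last two labels. Production code should
    use the Public Suffix List so that names under e.g. co.uk are split correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(text):
    """Bits per character; random labels score high, dictionary words score low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_log(text):
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, qname = line.split()
        records.append((int(ts), qname.lower().rstrip(".")))
    return records


def find_shadowed_domains(records, window_seconds=3600, min_subdomains=5, min_entropy=2.5):
    """Return {registered_domain: stats} for domains that, within any window, were queried
    under at least min_subdomains distinct subdomains whose labels look random on average.
    Thresholds are assumptions to be tuned per environment."""
    by_domain = defaultdict(list)
    for ts, qname in records:
        rd = registered_domain(qname)
        if qname == rd:
            continue                       # bare apex query, no subdomain to count
        by_domain[rd].append((ts, qname[: -(len(rd) + 1)]))

    flagged = {}
    for rd, items in by_domain.items():
        items.sort()
        seen = Counter()
        start = 0
        peak = 0
        for ts, sub in items:              # sliding window over time-ordered queries
            seen[sub] += 1
            while ts - items[start][0] > window_seconds:
                old = items[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            peak = max(peak, len(seen))
        distinct = {sub for _, sub in items}
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in distinct) / len(distinct)
        if peak >= min_subdomains and avg_entropy >= min_entropy:
            flagged[rd] = {"distinct_in_window": peak, "avg_label_entropy": round(avg_entropy, 2)}
    return flagged


if __name__ == "__main__":
    for domain, stats in find_shadowed_domains(parse_log(SAMPLE_LOG)).items():
        print(domain, stats)
```

Run against real passive-DNS or resolver logs, the entropy gate is what keeps large legitimate properties (many descriptive hostnames) out of the results, while the sliding window catches the "created in bulk, used for hours" pattern; a domain that trips both is worth a registrar-side check of whether the owner actually created those records.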

(U) TLP: WHITE The Gurnee, IL, Police Department arrested a man for communicating a false bomb alarm and on two counts of tampering with a secure communication, fire, or life system. The suspect hacked into a local mall’s radio system to transmit the false bomb alarm. He had previously been charged with hacking into the Lake County Sheriff’s jail radio communication system.

CIS Analysis: Although communication system compromises are rare, they do occasionally occur and may cause the transfer of critical information to become delayed and/or potentially put the lives and/or safety of individuals at risk. Organizations that utilize radio communications should take steps to ensure radio communication equipment is properly secured, updated, and patched.

(U) TLP: WHITE According to the annual Office of Management and Budget (OMB) report on federal implementation of the Federal Information Security Management Act (FISMA) of 2002, 52% of all cyber intrusions at the federal level could have been prevented through the use of stronger authentication methods. The report also finds that many U.S. federal entities still lack the ability to use strong authentication and Personal Identity Verification (PIV) credentials. The full report is available here: https://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/final_fy14_fisma_report_02_27_2015.pdf.

CIS Analysis: Weak authentication is a consistent issue for both public and private entities. Attackers exploit this vulnerability by using a variety of credential capturing malware, social engineering techniques, and brute force attacks to defeat simple checks.

Relying exclusively on usernames and passwords is unlikely to keep a determined attacker out of a sensitive system. Multiple forms of authentication are strongly encouraged for systems that contain sensitive information.
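
The OMB finding and the analysis above both come down to requiring a second factor that a captured password does not give the attacker. PIV is a smart-card factor; the added example below, which is not code from this newsletter or from OMB or NIST, uses the simpler time-based one-time password (TOTP, RFC 6238) to show the principle end to end: generating a code from a shared secret and the clock, verifying it with a constant-time comparison and a small skew window, and refusing to accept a counter that has already been used, so a code captured by credential-stealing malware cannot be replayed within its 30-second step. The secret is the RFC 6238 reference value, so the results can be checked against the RFC's SHA-1 test vectors.

```python
"""Added example: RFC 6238 TOTP generation and verification with replay protection."""
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890"); a real deployment uses a
# random per-user secret shared out-of-band, e.g. via a QR code at enrolment.
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, then modulo."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the Unix time divided by the step."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret, candidate, now=None, step=30, digits=6, window=1, last_counter=None):
    """Return the counter that matched, or None.

    window=1 tolerates one step of clock skew either way. The caller must persist the
    returned counter and pass it back as last_counter: a code is single-use, and without
    this check a captured code stays valid for the rest of its step (replay)."""
    if now is None:
        now = time.time()
    base = int(now) // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if last_counter is not None and counter <= last_counter:
            continue
        # Constant-time comparison: a plain == leaks how many leading digits matched.
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


if __name__ == "__main__":
    print("current 6-digit code:", totp(RFC_SECRET))
    # RFC 6238 SHA-1 vector: time 59 -> counter 1 -> 94287082 (8 digits)
    print("verify at t=59:", verify_totp(RFC_SECRET, "94287082", now=59, digits=8))
```

Two operational notes: the server also needs per-account rate limiting, because a six-digit code with a three-step window is brute-forceable otherwise, and the secret must be stored with the same care as a password hash, since anyone who reads it can mint codes.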

(U) TLP: WHITE The National Institute of Standards and Technology (NIST; U.S. entity) released Internal Report (NISTIR) 8023, “Risk Management for Replication Devices,” which discusses threats and vulnerabilities affecting devices such as scanners, printers, and fax machines, and provides steps for risk mitigation at every stage of ownership, from procurement to disposal.

CIS Analysis: Replication devices are one of several classes of office equipment that contain embedded systems which may be Internet-facing, exposing them to exploitation. CIS has identified several instances in which malicious cyber actors defaced the embedded web servers on printers. The risks are highlighted in the NIST report and in our July 2014 Cyber Intel Advisory “Increased Printer Defacements Highlight Network Vulnerabilities in Embedded Systems.”

(U) TLP: WHITE In late March 2015 the “Islamic State Hacking Division,” claiming affiliation with the Islamic State of Iraq and Syria (ISIS), doxed at least 100 members of the U.S. military and called on supporters located in the U.S. to use the information to murder them. The doxed information included names, addresses, and photographs.

CIS Analysis: The doxed information was likely gathered from open sources, and not from a system compromise. Doxing is already a common technique used by hacktivist actors targeting SLTT government employees and law enforcement officers. There is a slight chance that this activity indicates that another group of malicious cyber actors (terrorists) will begin using this technique, which may eventually affect SLTT governments, if employees are members of the military or activity occurs requiring a local law enforcement response. (Doxing incidents have previously led to SWATting and other malicious activity.)

Situational Awareness

(U) TLP: WHITE On February 27, 2015, the U.S. Federal Communications Commission (FCC; U.S. entity) voted to treat broadband like a public utility, prohibiting blocking, throttling, and paid prioritization. The vote also subjects broadband to greater government regulation. The three rules are:



  • No blocking: broadband providers may not block access to legal content and services;

  • No throttling: broadband providers may not impair or degrade access to legal content;

  • No paid prioritization: broadband providers may not weigh content differently; all content, whether from an affiliate organization or a competitor, must be treated equally.

(U) TLP: WHITE On March 6, 2015, Director John Brennan (U.S. person) of the Central Intelligence Agency (CIA; U.S. entity) announced a restructuring of the CIA. The restructuring is driven by the increase in the range, diversity, complexity, and immediacy of the issues the agency faces, and by the unprecedented pace and impact of technological developments. It includes the creation of a Directorate of Digital Innovation, responsible for integrating digital and cyber capabilities across all mission areas, and of cross-programmatic Mission Centers.


(U) TLP: WHITE Open source reporting indicates that a February 2015 spam campaign, primarily targeting Brazilian Internet users, contained a link to a malicious landing page impersonating the victim’s telecom provider’s website. From the user’s browser, the landing page launches a series of attacks against the user’s home router, testing whether the router accepts any of a list of default credentials. If it gains access through a default password, the attack modifies the router’s settings so that the malicious actor can hijack the user’s Internet access.
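
The report above does not say which router setting the campaign changes; the setting an attacker needs in order to hijack a user's Internet access is DNS, so this added example (not code from the original reporting) assumes a DNS change and shows the two checks a practitioner would run on a suspect home network. First, whether the DNS servers the router hands out via DHCP fall outside the ranges you expect (the LAN and the ISP's resolver block, both hypothetical here). Second, whether the router's resolver returns addresses for sensitive names that share nothing with a trusted resolver's answers. All addresses and names are constructed; the `cdn.example` entry shows why the rule is "no overlap" rather than "not equal", since CDN-hosted names legitimately answer differently per resolver.

```python
"""Added example: audit a home router's DNS configuration for signs of hijacking."""
import ipaddress

# Constructed inputs, not from the page. ROUTER_ADVERTISED_DNS is what the router hands out
# via DHCP (see `ipconfig /all`, `resolvectl status`, or the router's status page).
# EXPECTED_RESOLVER_RANGES is the hypothetical LAN plus the ISP's documented resolver block.
ROUTER_ADVERTISED_DNS = ["203.0.113.66", "192.168.1.1"]
EXPECTED_RESOLVER_RANGES = ["192.168.0.0/16", "198.51.100.0/24"]

# Constructed A-record answers for the same names from the router's resolver and from a
# trusted resolver (in practice: `dig @<router> bank.example` vs `dig @<trusted> bank.example`).
ROUTER_ANSWERS = {
    "bank.example": {"203.0.113.20"},                      # rogue address
    "news.example": {"198.51.100.7"},
    "cdn.example": {"198.51.100.40"},                      # legitimately varies per resolver
}
TRUSTED_ANSWERS = {
    "bank.example": {"198.51.100.9", "198.51.100.10"},
    "news.example": {"198.51.100.7"},
    "cdn.example": {"198.51.100.40", "198.51.100.41"},
}


def unexpected_resolvers(advertised, expected_ranges):
    """DNS servers the router advertises that sit outside every expected range."""
    nets = [ipaddress.ip_network(r, strict=False) for r in expected_ranges]
    return [ip for ip in advertised
            if not any(ipaddress.ip_address(ip) in net for net in nets)]


def divergent_resolutions(router_answers, trusted_answers):
    """Names whose router-resolved addresses share nothing with the trusted answers.
    Requiring an empty intersection (rather than exact equality) avoids flagging
    CDN-hosted names that legitimately return different subsets per resolver."""
    out = {}
    for name, trusted in trusted_answers.items():
        seen = router_answers.get(name, set())
        if seen and seen.isdisjoint(trusted):
            out[name] = sorted(seen)
    return out


def audit(advertised, expected_ranges, router_answers, trusted_answers):
    findings = {
        "unexpected_resolvers": unexpected_resolvers(advertised, expected_ranges),
        "divergent_resolutions": divergent_resolutions(router_answers, trusted_answers),
    }
    findings["suspect"] = bool(findings["unexpected_resolvers"] or findings["divergent_resolutions"])
    return findings


if __name__ == "__main__":
    print(audit(ROUTER_ADVERTISED_DNS, EXPECTED_RESOLVER_RANGES, ROUTER_ANSWERS, TRUSTED_ANSWERS))
```

The root cause in the campaign is the default administrative password, so the remediation order is: change the router's admin credentials, restore the DNS settings, then re-run both checks. The audit is only a detector; a router that still answers to its factory password will be re-hijacked the next time the user opens a malicious page.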

Reports

(U) TLP: WHITE On February 26, 2015, Director of National Intelligence James R. Clapper (U.S. person) testified before the Senate Armed Services Committee regarding the U.S. Intelligence Community’s (IC) Worldwide Threat Assessment. Cyber threats remain a main focus for the majority of the IC.



“Cyber threats to U.S. national and economic security are increasing in frequency, scale, sophistication, and severity of impact. The range of cyber threat actors, methods of attack, targeted systems, and victims is also expanding... However, the likelihood of a catastrophic attack from any particular actor is remote at this time… We foresee an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will impose cumulative costs on U.S. economic competitiveness and national security.” – Worldwide Threat Assessment, 2015

A CIS summary of his remarks and statement follows. It is provided for the benefit of the HSA Cyber Monthly Update reader and is not an official U.S. government summary.

  • The cyber threat risk continues to increase through the possibility of remote intrusions, supply chain threats, and human insiders. Interdependencies between different critical infrastructure sectors continue to pose a problem.

  • The cost of cyber attacks continues to escalate.

  • The government and private sectors have become better at detecting and assigning attribution.

  • The motivation to conduct attacks remains strong, while deterring factors are limited.

  • Politically motivated cyber-attacks are now a growing reality.

  • The leading state intelligence threats to U.S. interests will continue to be Russia and China based on their capabilities, intent, and broad operational scope. According to senior Russian officials, Russia is establishing its own cyber command, which will be responsible for conducting offensive cyber activities. Large government entities may expect to see an increase in cyber espionage from this actor over the next few years.

  • The technical capabilities of Iran and North Korea are lower, but both have disruptive intent. Iran was responsible for the February 2014 cyber attack against the Las Vegas Sands Casino (U.S. entity), and North Korea was responsible for the November 2014 cyber attack against Sony Pictures Entertainment.

  • Profit-motivated cyber criminals and ideologically motivated hackers or extremists continue to pose a threat. Terrorist groups continue to experiment with cyber techniques.

  • Destructive attacks continue to be a concern.

(U) Graphic: Confidentiality, Integrity, Availability

Attacks which target the integrity of data are a new concern in 2015. This would cause a significant issue, as decision making by senior government officials, corporate executives, investors, or others may become impaired if they cannot trust the information they are receiving.

The full document is available at: http://www.dni.gov/files/documents/Unclassified_2015_ATA_SFR_-_SASC_FINAL.pdf.

(U) TLP: WHITE On March 11, 2015, the Industrial Control Systems Computer Emergency Response Team (ICS-CERT; U.S. entity) published the September 2014 – February 2015 ICS-CERT Monitor. According to the report, ICS-CERT responded to 245 incidents during Fiscal Year 2014, with 79 (32%) in the energy sector and 65 (27%) in the critical manufacturing sector. Approximately 55% of the incidents involved Advanced Persistent Threat (APT) actors. Of the incidents with a known infection vector, spear phishing (42 incidents, 17%) was the most common; however, 94 incidents (38%) had an unidentified infection vector. The full report is available here: https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Sep2014-Feb2015.pdf.


(U) TLP: WHITE On March 6, 2015, Kaspersky Lab reported on a newly identified APT group, Animal Farm, which uses zero-day exploits and has been active since at least 2009. Animal Farm is associated with several malware families previously described by security researchers, including Babar, Bunny, and Casper. Animal Farm has targeted several sectors, including government organizations and military contractors in Syria, Iraq, and Malaysia. The blog post is available here: https://securelist.com/blog/research/69114/animals-in-the-apt-farm/.




(U) TLP: WHITE According to the Safety and Shipping Review 2015 report by Allianz Global Corporate & Specialty, cyber risk is a major issue for the shipping industry, and a significant future threat to shipping safety. The report indicates that experts believe the shipping sector is increasingly vulnerable to a major cyber attack. The full report is available here: http://www.actuarialpost.co.uk/downloads/cat_1/Allianz%20Shipping-Review-2015.pdf.


(U) TLP: WHITE According to the Medical Identity Fraud Alliance’s 2014 survey results, the number of patients affected by medical identity theft increased by 22%, to approximately two million victims. Patients experiencing medical identity theft had valid insurance claims denied, lost health insurance, and/or had to pay out of pocket to restore their coverage. The full survey results are available here: http://medidfraud.org/2014-fifth-annual-study-on-medical-identity-theft/.

(U) TLP: WHITE The Federal Trade Commission (FTC) published descriptions of the top ten imposter scams reported to the FTC in 2014. The list is available here: http://www.consumer.ftc.gov/blog/grate-pretenders.

New Papers

(U//FOUO) TLP: GREEN Papers recently disseminated by CIS:



From CIS:

  • Monthly Situational Awareness Report (SAR), (TLP: AMBER) March 6, 2015;

  • CIS Cyber Alert “FREAK Attack: Improper Configuration of SSL/TLS,” (TLP: WHITE) March 6, 2015;

  • CIS Cyber Alert “Actor @_Bitcoin_Baron_ Targeting SLTT Law Enforcement Agencies,” (TLP: AMBER) March 18, 2015;

  • CIS Cyber Alert “#OpExposeCPS Considered a LOW Threat to FBI, SLTT Governments, & CPS,” (TLP: AMBER) March 20, 2015;

  • CIS Cyber Alert “Actor @Vikingdom2015 Targeting State Government Websites,” (TLP: AMBER) March 23, 2015;

  • CIS Cyber Alert “#OpExposeCPS Considered a LOW Threat to FBI, SLTT Governments, & CPS,” (TLP: AMBER) March 26, 2015;

  • CIS Cyber Alert “Actor @Vikingdom2015 Targeting State and Local Government Websites,” (TLP: AMBER) March 30, 2015.

Please send topic suggestions and information requests to IIC@cisecurity.org.

(U//FOUO) TLP: GREEN CIS disseminated papers from other sources:

  • DHS Infrastructure Systems Overview – Water Systems, February 27, 2015;

  • FBI Updates on the Dyre Trojan, February 27, 2015;

  • NCCIC/US-CERT Malware Initial Findings Report (MIFR) 427799 “Point of Sale Malware Variant,” (TLP: GREEN) March 4, 2015;

  • Financial Sector Cyber Intelligence Group (CIG) Circular Reports 35 and 36 on Advanced Persistent Threat (APT) Actor Tactics, Techniques, Procedures (TTPs) and Indicators, (TLP: GREEN) March 4, 2015;

  • FBI Liaison Alert System (FLASH) A-000053-MW and Joint Intelligence Bulletin (JIB) 15-20040 regarding the compromise of sensitive business information through cyber espionage, (TLP: GREEN) March 19, 2015.


This newsletter is distributed to the following entities:

  • U.S. Homeland Security Advisors

  • U.S. Fusion Centers

  • Multi-State Information Sharing and Analysis Center (MS-ISAC) members

  • Members of the Cyber Threat Intelligence Coordination Group (CTICG)

  • Members of the CIS Public-Private Working Group (PPWG)

Recipients are encouraged to further disseminate this newsletter to their membership.

Sources may use TLP: GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.



