Cyber Campaign Launched Against U.S. Critical Infrastructure and Defense Industries


Dozens of major companies, including in the nuclear industry, were targeted in a cyber espionage campaign that began in late October according to a spokesperson at McAfee.

According to Raj Samani, chief scientist at McAfee, 87 firms were enmeshed in the cyber assault. Individuals at the affected companies received information through social media related to job recruitment. These materials directed them to Microsoft Word documents via a Dropbox link. The documents contained malware which allowed hackers to access their systems.

A report from McAfee said that the hackers “tried to penetrate the computer networks of at least 87 companies in the nuclear, defense, energy and financial industries.”

“We don’t know what their ultimate purpose is,” said Samani, adding it is “quite likely” they were able to penetrate the company networks.

The code used in the malware bears the signature of the so-called Lazarus Group, associated with the North Korean government’s intelligence services. However, McAfee also cautioned that the Lazarus links could be the product of a false flag operation.

The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defense, energy, and financial companies, based on McAfee® Global Threat Intelligence. This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries.




Cozy Bear Returns Via Heather Nauert

Cozy Bear, the Russian hacking group tied to the break-in at the Democratic National Committee, made an appearance on November 4, targeting U.S. officials with phishing emails purportedly from Heather Nauert. On the same day, officials in Germany also reported intrusions by the same group.

Nauert was subsequently named as the U.S. ambassador to the United Nations, replacing Nikki Haley.

Reuters said the hacking group was an arm of the SVR Russian Foreign Intelligence Service. The group goes by various names including Cozy Bear, CozyDuke, the Dukes, Power Dukes, Fancy Bear and APT29.

“The attackers first compromised a hospital and a consulting company, then used their infrastructure to send phishing emails that appeared to be secure communication from the State Department,” FireEye researcher Nick Carr told Reuters.

The State Department did not release information on numbers of compromised computers.

Security company FireEye said the phishing attempt targeted more than 20 of its customers, including in defense, law enforcement, media, and pharmaceuticals.

On the same day, German authorities told Der Spiegel magazine they had detected an attack targeting email accounts belonging to the country’s lawmakers, military, and embassies.



Email Hacked at National Republican Congressional Committee


Politico broke a story that four email accounts of senior aides at the National Republican Congressional Committee (NRCC) were surveilled for several months, and top GOP leadership was unaware of the intrusion until contacted by the news service.

The hack occurred during the 2018 midterm election campaigns and was discovered by an NRCC vendor. Thousands of “sensitive emails” were exposed to an outside intruder. The spying was discovered in April and then reported to the organization’s security arm and the FBI. An internal investigation was initiated.

At the time of Politico’s report in early December, House Speaker Paul Ryan, incoming Minority Leader Kevin McCarthy and Majority Whip Steve Scalise were all in the dark about the hack, as were other members of the party.



Massive Marriott Hack Breaches Reservation Data of 500M Guests


A historically large cyber attack against a company, revealed today, involved the Starwood hotel properties of the global Marriott hotel chain.

The breach affected the guest reservation database of the Starwood hotels which includes the Westin and Sheraton among others. Company officials admit that 500 million guests who booked rooms through the system had their private information accessed.

Marriott purchased the Starwood chain in 2016. The breach began two years before the purchase and continued for four years, magnifying both its depth and the number of guests affected.

According to CBS, the breach included a wide swath of personal data:

For about 327 million of that number, the compromised information includes data such as names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.

Marriott responded to its guests by setting up a web page dedicated to the security incident with FAQs and a detailed report, while its stock took an immediate nose dive. Marriott is working with law enforcement. There is no indication of the actors behind the cyber attack.



Update on VPNFilter

The Cyber Threat Alliance (CTA) posted an update on the perilous VPNFilter malware first reported in May 2018. According to its blog, the combined efforts of federal law enforcement, members of the CTA and affected networks diluted the most dangerous aspect of the multilevel malware.

Here is an excerpt from the report by Neil Jenkins:

… the destructive module of VPNFilter was never employed. So that’s a good thing. Based on our collective visibility it appears that VPNFilter activity has been severely degraded since the release of information in May and operational coordination actions with law enforcement, intelligence organizations, and CTA and its members. Talos has seen no signs of the actor trying to reconnect with the devices that still have the Stage 1 malware, and most C2 channels for the malware have been mitigated. While it is highly unlikely that the highly capable actor behind VPNFilter has stopped their activities, it does appear that they were forced to abandon the VPNFilter framework due to these coordinated actions.

Facebook Breach Takes Control of 30 Million User Accounts


A few weeks ago, Facebook reported a breach of unknown origin that exposed private information of 50 million users. Today, in an update, the social media icon reduced that number to 29 million accounts.

According to a report, the attackers exploited bugs in the site’s “View As” feature, which lets users see what information other people can view about them. The feature was built to give users more control over their privacy. This newest attack gave hackers complete control over a Facebook user’s account.

“We’re taking it really seriously,” Mr. Zuckerberg, the chief executive, said in a conference call with reporters.

Facebook logged out 90 million users from their accounts on the morning of 12 October while patching the vulnerabilities and posted a message to these accounts. Third-party apps connected to Facebook, including Spotify, Airbnb and Tinder, may have been breached. Zuckerberg states that Facebook is working with the FBI to identify the source of the attack.

Mark Warner, the Democrat Senator from Virginia, called for an immediate Congressional investigation.

This breach piles on the heap of troubles from the 2016 election when Facebook exposed 87 million of its users to disinformation sponsored by the Russian-backed UK firm of Cambridge Analytica.

Of more immediate significance, the breakdown in security comes just weeks before the Midterm elections.


Sofacy Botnets Present Frightening Kill Capacity to Affected Network Routers

On 23 May, the US Dept. of Justice announced a global botnet attack on small office/home office (SOHO) routers by an adversarial group known as the Sofacy Actors, among other monikers. These botnets have infiltrated networks since 2007.

The Justice Department today announced an effort to disrupt a global botnet of hundreds of thousands of infected home and office (SOHO) routers and other networked devices under the control of a group of actors known as the “Sofacy Group” (also known as “apt28,” “sandworm,” “x-agent,” “pawn storm,” “fancy bear” and “sednit”). The group, which has been operating since at least in or about 2007, targets government, military, security organizations, and other targets of perceived intelligence value.

The US-CERT followed up with Alert TA18-145A which gives additional details and solutions.

FBI and cyber security agents refer to the malware as “VPNFilter.” It has several stages, which target SOHO routers and network-attached storage (NAS) devices. The second stage of the malware can be cleared from a device by rebooting it. However, the first stage persists through a reboot, making it difficult to prevent reinfection by the second stage.

Coordinating with DOJ is Talos, a partner in the Cyber Threat Alliance, which released its technical assessment of VPNFilter and its frightening capabilities.

… this malware could be used to conduct a large-scale destructive attack by using the “kill” command, which would render some or all of the physical devices unusable. This command is present in many of the stage 2 samples we’ve observed, but could also be triggered by utilizing the “exec” command available in all stage 2 samples. In most cases, this action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have. We are deeply concerned about this capability, and it is one of the driving reasons we have been quietly researching this threat over the past few months. [Emphasis added]


API Tool Reveals Location of Millions of Cell Phone Users

LocationSmart, a Southern California company, is under scrutiny by the Federal Communications Commission for a service which provides the location of cell phone users.

Those affected included anyone connected to AT&T, Sprint, T-Mobile or Verizon. The potential invasion of privacy was worsened when it was reported that the company’s demo tool gave access to anyone, without determining whether the user had a legitimate purpose for the service.

The LocationSmart demo is no longer available. The matter has been referred to the enforcement arm of the FCC for review.