Eliana Willis

The Justice Department announced a controversial deal with three former US intelligence operatives that allows them to pay a fine after breaking multiple laws through their offensive hacking for the repressive government of the United Arab Emirates.The DOJ said 49-year-old Marc Baier, 34-year-old Ryan Adams and 40-year-old Daniel Gericke “entered into a deferred prosecution agreement” that allows them to avoid prison sentences in exchange for paying $1,685,000 “to resolve a Department of Justice investigation regarding violations of US export control, computer fraud and access device fraud laws.”The three were part of Project Raven, an effort by the UAE to spy on human rights activists, politicians and dissidents opposed to the government. The three even hacked into US companies, creating two exploits that were used to break into smartphones.Both Reuters and The Intercept conducted an in-depth investigation into the work of Project Raven and a UAE cybersecurity firm named DarkMatter after members of the team raised concerns about the kind of hacking they were being asked to do by UAE officials. 

ZDNet Recommends

Despite the accusations listed in the court filing, the DOJ said Baier, Adams and Gericke — all former NSA employees or members of the US military — reached an agreement on September 7 to pay the fines in addition to other restrictions on their work. Baier will be forced to pay $750,000, Adams will pay $600,000, and Gericke will pay $335,000 over a three-year term. All three will also be forced to cooperate with the FBI and DOJ on other investigations and relinquish any foreign or US security clearances. They are also permanently banned from having future US security clearances and will be restricted from any jobs involving computer network exploitation, working for certain UAE organizations, exporting defense articles or providing defense services.

The DOJ said the three were senior managers at a UAE company from 2016 to 2019 and continued to hack for the UAE despite being told they were violating rules that say people need a license from the State Department’s Directorate of Defense Trade Controls to do such work. “These services included the provision of support, direction and supervision in the creation of sophisticated ‘zero-click’ computer hacking and intelligence gathering systems — i.e., one that could compromise a device without any action by the target,” the Justice Department explained in a statement. 

“UAE CO employees whose activities were supervised by and known to the defendants thereafter leveraged these zero-click exploits to illegally obtain and use access credentials for online accounts issued by US companies, and to obtain unauthorized access to computers, like mobile phones, around the world, including in the United States.”Acting Assistant Attorney General Mark Lesko for the Justice Department’s National Security Division said the agreement was a “first-of-its-kind resolution” of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation and a commercial company creating, supporting and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States. “Hackers-for-hire and those who otherwise support such activities in violation of US law should fully expect to be prosecuted for their criminal conduct,” Lesko said. Acting US Attorney Channing Phillips noted that the proliferation of offensive cyber capabilities undermines privacy and security worldwide when left unregulated. Phillips claimed the US government was trying to ensure that US citizens only provide defense services “in support of such capabilities pursuant to proper licenses and oversight.” Despite the lack of prison sentences, Phillips said the agreement with the three hackers was evidence that a person’s “status as a former US government employee certainly does not provide them with a free pass in that regard.”Other government officials reiterated that message, warning other former US government hackers to avoid using their skills to benefit foreign governments. The three ignored orders from the US government that they abide by US export control laws, obtain preapproval from a US government agency prior to releasing information regarding “cryptographic analysis and/or computer network exploitation or attack,” and not “target or exploit US citizens, residents and companies.” The DOJ added that over an 18-month period, the three created two similar “zero-click” computer hacking and intelligence gathering systems that leveraged servers in the US belonging to a US technology company “to obtain remote, unauthorized access to any of the tens of millions of smartphones and mobile devices utilizing a US Company-provided operating system. “The defendants and other CIO employees colloquially referred to these two systems as ‘KARMA’ and ‘KARMA 2,'” the DOJ explained. “CIO employees whose activities were supervised by and/or known to the defendants used the KARMA systems to obtain, without authorization, targeted individuals’ login credentials and other authentication tokens (i.e., unique digital codes issued to authorized users) issued by US companies, including email providers, cloud storage providers, and social media companies. CIO employees then used these access devices to, again without authorization, log into the target’s accounts to steal data, including from servers within the United States.”The company was forced to create Karma 2 after the US company updated its smartphone system to protect against Karma 1. By 2017, the FBI interjected again, telling the US company that Karma 2 was being used against them. Even after another update, both exploits were effective against older devices sold by the company. Reuters reporter Chris Bing noted on Twitter that Gericke previously served as CIO of ExpressVPN, the largest VPN in the market. Casey Ellis, CTO at Bugcrowd, said he believed $1.68 million was enough of a penalty to sting those involved and to act as a deterrent for others considering doing likewise. “However, the fact that it was settled means we can only speculate on the equities that were weighed up here,” Ellis said. “As the value and use of offensive cyber capability becomes more obvious, and as the lines of international relations continue to shift, I would expect to see more of these ‘slightly oddball’ outcomes in the future.”BreachQuest CTO Jake Williams added that while it is obvious Project Raven crossed a legal boundary, what is less clear is whether the US persons involved knew the project would be used to target other US persons and US organizations. “Given that the original mission was slated as counter terrorism, a mission that is very loosely defined by its nature, it was foreseeable that might be the eventual outcome. The second US companies and US persons were targeted under the program, every US person involved likely knew it was only a matter of time before some legal action was taken,” Williams said. “As for the fines and restrictions, it’s hard to evaluate whether those were appropriate without knowing the full situation. But taken at face value, they do appear sufficient to deter future behavior of this type and that’s really the goal. The US government certainly wanted to avoid any trial, which would undoubtedly involve the use of the State Secrets Protection Act — something that never sits well with the public.” More

A re-implementation of Cobalt Strike has been “written from scratch” to attack Linux systems.

Dubbed Vermilion Strike, Intezer said on Tuesday that the new variation leans on Cobalt Strike functionality, including its command-and-control (C2) protocol, its remote access functionality, and its ability to run shell instructions.  Cobalt Strike is a legitimate penetration testing tool for Windows systems. Released in 2012, the tool has been constantly abused by threat actors including advanced persistent threat (APT) groups such as Cozy Bear and campaigns designed to spread Trickbot and the Qbot/Qakbot banking Trojan.  Cobalt Strike’s source code for version 4.0 was allegedly leaked online, however, most threat actors tracked by cybersecurity teams appear to rely on pirate and cracked copies of the software. Until now, at least. In August, Intezer uncovered the new ELF implementation of Cobalt Strike’s beacon, which appears to have originated from Malaysia.  When the researchers reported Vermilion Strike, it went undetected on VirusTotal as malicious software. (However, as of the time of writing, 24 antivirus vendors have now registered the threat.)

Built on a Red Hat Linux distribution, the malware is capable of launching beacons, listing files, changing and pulling working directories, appending and writing to files, uploading data to its C2, executing commands via the popen function, and analyzing disk partitions.  While capable of attacking Linux builds, Windows samples have also been found that use the same C2 server and contain the same functionality. The researchers worked with McAfee Enterprise ATR to examine the software and have come to the conclusion that Vermilion Strike is being used in targeted attacks against telecoms, government, IT, advisory, and financial organizations worldwide. “The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn’t been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor,” Intezer says.  This is not the only unofficial port of Cobalt Strike, however. There is also geacon, an open source project based on the Golang programming language. Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Two-thirds of cloud security incidents could have been avoided if the configuration of apps, databases, and security policies were correct, new research suggests.

On Wednesday, IBM Security X-Force published its latest Cloud Security Threat Landscape report, spanning Q2 2020 through Q2 2021.  According to the research, two out of three breached cloud environments observed by the tech giant “would likely have been prevented by more robust hardening of systems, such as properly implementing security policies and patching systems.” While sampling scanned cloud environments, in every case of a penetration test performed by X-Force Red, the team also found issues with either credentials or policies.  “These two elements trickled down to the most frequently observed initial infection vectors for organizations: improperly configured assets, password spraying, and pivoting from on-premises infrastructure,” IBM says. “In addition, API configuration and security issues, remote exploitation and accessing confidential data were common ways for threat actors to take advantage of lax security in cloud environments.” The researchers believe that over half of recent breaches also come down to shadow IT, which may include apps and services that are not managed or monitored by central IT teams. Misconfiguration, API errors or exposure, and oversight in securing cloud environments have also led to the creation of a thriving underground market for public cloud initial access. According to IBM, in 71% of ads listed — out of close to 30,000 — Remote Desktop Protocol (RDP) access is on offer for criminal purposes. 

In some cases, cloud environment access is being sold for as little as a few dollars, although depending on the perceived value of the target — such as for information theft or potential ransomware payments — access can fetch thousands of dollars.IBM’s report also states there has been an increase in vulnerabilities impacting cloud applications, with close to half of over 2,500 reported bugs being disclosed in the past 18 months. 
IBM
Once an attacker has obtained access to a cloud environment, cryptocurrency miners and ransomware variants were dropped in close to half of the cases noted in the report. There is also evolution in the payloads being dropped, with old malware strains focused on compromising Docker containers, whereas new code is often being written in cross-platform languages including Golang. “Many businesses don’t have the same level of confidence and expertise when configuring security controls in cloud computing environments compared to on-premise, which leads to a fragmented and more complex security environment that is tough to manage,” IBM says. “Organizations need to manage their distributed infrastructure as one single environment to eliminate complexity and achieve better network visibility from cloud to edge and back.”In other cloud security news, Apple paid a bug bounty hunter $28,000 after he accidentally wiped out Shortcuts functionality for users while testing the firm’s apps and CloudKit. The issue was caused by a misconfiguration on the iPad and iPhone maker’s part and allowed the researcher to — albeit unintentionally — delete default zones in the Shortcuts service. Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

KrebsOnSecurity is often the target of disgruntled cybercriminals and has now been targeted by a large and powerful botnet. 

The website, operated by security expert Brian Krebs, was subject to an assault by the “Meris” botnet on Thursday evening.  Meris is a new botnet on the scene which is powered by Internet of Things (IoT) devices. IoT products, PCs, home gadgets — including cameras, VCRs, TVs, and routers — that are hijacked become slave nodes in a botnet’s network and are then can be used to conduct distributed denial-of-service (DDoS) attacks, among other functions.  In this case, Meris is composed of a huge number of MikroTik routers. According to Qrator Labs and Yandex, Meris first appeared in late June and is still growing.  Meris may bring Mirai to mind, a botnet famous for taking down large swathes of the internet in 2016, but the team says this may not be the right comparison to make at this time. “Some people and organizations already called the botnet “a return of Mirai,” which we do not think to be accurate,” Qrator Labs says. “Mirai possessed a higher number of compromised devices united under C2C, and it attacked mainly with volumetric traffic.” Mirai’s source code was later leaked, causing many variants to appear that are still in operation.

Krebs says that the DDoS attack, albeit “mercifully brief,” was larger than the one launched against KrebsOnSecurity in 2016 by a Mirai operator. The attack was large enough that Akamai, which had fended off past attacks against Krebs pro-bono, had to unmoor the domain in light of the potential ramifications for other clients.  The security expert says the volume of junk traffic launched by the botnet was more “than four times” that of Mirai, reaching over two million requests-per-second.  The domain is now protected under Google’s Project Shield.  It is also suspected that Meris is behind two other major attacks this year, that of search engine Yandex last week, and a substantial attack against Cloudflare in July, clocking in at 17.2 million request-per-second. MikroTik has issued a statement on the botnet, noting that the compromise of its devices appears to stem from a vulnerability patched in RouterOS in 2018, rather than a zero-day or new vulnerability.  “Unfortunately, closing the vulnerability does not immediately protect these routers,” the company said. “If somebody got your password in 2018, just an upgrade will not help. You must also change [your] password, re-check your firewall [so] it does not allow remote access to unknown parties, and look for scripts that you did not create. We have tried to reach all users of RouterOS about this, but many of them have never been in contact with MikroTik and are not actively monitoring their devices. We are working on other solutions too.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

It is not often in the cybersecurity realm that an indicator is headed in a happy direction, but that is what the overall incident number in the ACSC Annual Cyber Threat Report is doing. For the 2020-21 fiscal year, the Australian Cyber Security Centre (ACSC) responded to 1,630 incidents, which works out to around 31 a week. Compared to the previous financial year, the total number of cybersecurity incidents in the 2020–21 financial year decreased by 28%.Other good news included ACSC not having to respond to any incidents in the top third of its six incident grading categories. In the year prior, it reported a single category 1 incident and four category 2 incidents.Now for the bad news that typically make up these reports. In total, ACSC is seeing a higher category grade being the most reported, with category 4 replacing category 5. Category 4 accounts for 49% whereas last year it accounted for 35% of all incidents. “The highest proportion of incidents the ACSC responded to related to low-level malicious activity such as targeted reconnaissance, phishing, or non-sensitive data loss, accounting for more than half of the cybersecurity incidents,” the report said. The report highlighted the increasing amount of financial losses related to business email compromises (BEC) despite the number of BEC incidents heading lower. Total losses hit to AU$81.5 million, an increase of 15%, and the average loss for each successful BEC transaction jumped 54% to AU$50,600.

ACSC highlighted the bankruptcy of the hedge fund Levitas after false invoices saw it transfer AU$8.7 million to malicious actors. “While the business recovered the majority of its funds, it suffered significant reputational damage and its main client withdrew,” the report said. “This forced the hedge fund to go into receivership and resulted in its bankruptcy. This was likely Australia’s first bankruptcy case as a direct result of a cybercrime incident.” See also: Get patching: US, UK, and Australia issue joint advisory on top 30 exploited vulnerabilitiesThe establishment of a multi-agency BEC taskforce under the Australian Federal Police dubbed Operation Dolos was able to prevent AU$8.5 million being lost to business email compromises. “Despite the headlines, many of the compromises experienced by Australians will continue to be fuelled by a lack of adequate cyber hygiene. This delivers a significant advantage to adversaries and lowers the technical barrier to targeting victims in Australia, highlighting the need to uplift cybersecurity maturity across the Australian economy,” the ACSC said. “Given the prevalence of malicious cyber actors targeting Australian networks — which is often under-reported to the ACSC — there is a strong need for greater resilience, and for Australian organisations and individuals to prepare to respond to and recover from any cyber attack to their networks.” In an area that the Australian Labor Party enjoys banging on about — ransomware — the report said there was a 15% increase to almost 500 ransomware reports for the year. Shadow Assistant Minister for Cyber Security Tim Watts took the opportunity to have another whack at the government. “The Morrison-Joyce Government has utterly failed to take meaningful action to prevent ransomware attacks on Australian organisations despite twelve months of warnings,” he said. “But while the Morrison-Joyce government never misses an opportunity for a dramatic press conference on cybersecurity, it’s missed every opportunity to take the basic actions needed to combat the urgent threat of ransomware despite growing warnings. “Instead, it’s simply blamed the victims, telling businesses it’s up to them to protect themselves against increasingly sophisticated and well-resourced cyber-criminals.” In total terms, ACSC said it experienced a 13% increase in cybercrime reports over 2020-21 to 67,500, with its report per minutes metric dropping from one report every 10 minutes down to every 8 minutes. “A higher proportion of cybersecurity incidents this financial year was categorised by the ACSC as ‘substantial’ in impact. This change is due in part to an increased reporting of attacks by cybercriminals on larger organisations and the observed impact of these attacks on the victims, including several cases of data theft and/or services rendered offline,” the report said. “The increasing frequency of cybercriminal activity is compounded by the increased complexity and sophistication of their operations. The accessibility of cybercrime services — such as ransomware-as-a-service — via the dark web increasingly opens the market to a growing number of malicious actors without significant technical expertise and without significant financial investment.” Going against the population distribution in Australia, Queensland led the way on cybercrime reports followed by Victoria, New South Wales, Western Australia, and South Australia. Although trailing on the absolute numbers, WA and SA reported higher average financial losses. Overall, self-reported financial losses topped AU$33 billion. The report was also far from rosy on the outlook of supply chain compromises like those involving SolarWinds and Microsoft Exchange, describing them as “the new norm”. “Over the next 12 months, additional supply chain compromises will likely come to light, major vulnerabilities will continue to emerge and Australia will experience more major financially motivated cyber incidents, some of which could disrupt critical services,” it said. Related Coverage More

Image: Wiz.io
Users of Azure who are running Linux virtual machines may not be aware they are have a severely vulnerable piece of management software installed on their machine by Microsoft, that can be remotely exploited in an incredibly surprising and equally stupid way. As detailed by Wiz.io, which found four vulnerabilities in Microsoft’s Open Management Infrastructure project, an attacker would be able to gain root access on a remote machine if they sent a single packet with the authentication header removed. “This is a textbook RCE vulnerability that you would expect to see in the 90’s — it’s highly unusual to have one crop up in 2021 that can expose millions of endpoints,” Wiz security researcher Nir Ohfeld wrote. “Thanks to the combination of a simple conditional statement coding mistake and an uninitialized auth struct, any request without an Authorization header has its privileges default to uid=0, gid=0, which is root.” If OMI externally exposes port 5986, 5985, or 1270 then the system is vulnerable. “This is the default configuration when installed standalone and in Azure Configuration Management or System Center Operations Manager. Fortunately, other Azure services (such as Log Analytics) do not expose this port, so the scope is limited to local privilege escalation in those situations,” Ohfeld added. The issue for users, as described by Ohfeld, is that OMI is silently installed when users install log collection, has a lack of public documentation, and runs with root privileges. Wiz found over 65% of Azure customers running Linux it looked at were vulnerable.

In its advisory on the four CVEs released today — CVE-2021-38647 rated 9.8, CVE-2021-38648 rated 7.8, CVE-2021-38645 rated 7.8, and CVE-2021-38649 rated 7.0 — Microsoft said the fix for the vulnerabilities was pushed to its OMI code on August 11 to give its partners time to update before detailing the issues. Users should ensure they are running OMI version 1.6.8.1, with Microsoft adding instructions in its advisories to pull down the OMI updates from its repositories if machines are not updated yet. “System Center deployments of OMI are at greater risk because the Linux agents have been deprecated. Customers still using System Center with OMI-based Linux may need to manually update the OMI agent,” Wiz warned. The vulnerabilities were part of Microsoft’s latest Patch Tuesday. Like many vulnerabilities these days, a catchy name must be attached to them, in this case, Wiz dubbed them OMIGOD. Related Coverage More