October 25, 2017
DHS, FBI Warn of Ongoing APT Attack Against Critical Infrastructure – United States
The Department of Homeland Security and the Federal Bureau of Investigation have issued a joint technical alert warning that government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors are the targets of an ongoing attack campaign by an advanced actor, most probably Dragonfly (also known as Crouching Yeti and Energetic Bear). The alert was first distributed by email and is now published by US-CERT. It warns, “Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims' networks.” The campaign is considered to be ongoing. The alert does not itself attribute the activity to a specific attacker, but it does comment, “The report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6, 2017, provides additional information about this ongoing campaign.” Dragonfly's activities against Western critical infrastructure, and especially the energy sector, have been known for many years, and it has repeatedly been suggested that the group operates out of Russia and may be connected to the Russian government. This new alert from DHS/FBI therefore suggests either an increase in tempo or growing success in Dragonfly's activities. It describes the attacks in terms of the seven-stage cyber kill chain but noticeably stops short of the final stage, 'actions on objectives'. The implication is that the attacker is establishing a foothold for possible action against critical infrastructure in the future.
Senators Push Bill Requiring Warrant For U.S. Data Under Spy Law – United States
A bipartisan group of at least 10 U.S. senators plans to introduce on Tuesday legislation that would substantially reform aspects of the National Security Agency’s warrantless internet surveillance program, according to congressional aides. The effort, led by Democrat Ron Wyden and Republican Rand Paul, would require a warrant for queries of data belonging to any American collected under the program. The bill’s introduction is likely to add uncertainty to how Congress will renew a controversial portion of a spying law due to expire on Dec. 31. Section 702 of the Foreign Intelligence Surveillance Act is considered by U.S. intelligence officials to be among their most vital tools used to combat national and cyber security threats and help protect American allies. It allows U.S. intelligence agencies to eavesdrop on and store vast amounts of digital communications from foreign suspects living outside the United States. The surveillance program, classified details of which were exposed in 2013 by former NSA contractor Edward Snowden, also incidentally scoops up communications of Americans, including if they communicate with a foreign target living overseas.
LokiBot Banking Malware Triggers Ransomware if User Tries to Remove it – Global
A new variant of Android banking malware known as LokiBot triggers ransomware capabilities if a victim attempts to remove it from their infected device. The malware, which bears the same name as a Windows info-stealer that can exfiltrate credentials from over 100 software tools, is being sold as a kit on hacking forums; a full license with updates costs $2,000 in Bitcoin. LokiBot comes with a host of features enabling attackers to prey on unsuspecting users running Android 4.4 or higher. They can use the malware to read and send a victim's SMS messages, a capability they can abuse to send out spam messages and try to infect additional users. The malware can also upload the victim's browser history to the command and control (C&C) server or conduct an overlay attack on targeted banking apps. It has several less common features as well: it can launch the user's web browser and open a web page, and it can display notifications under the guise of legitimate applications in order to lure the user into an overlay. If the user tries to revoke its rights, the ransomware component locks the screen and tells the victim that law enforcement has locked the device “for viewing child pornography,” then demands between $70 and $100 to restore access. Fortunately, the user can disable the locker by booting into Safe mode, revoking LokiBot's device administrator rights and uninstalling the app.
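One check a practitioner could run on a suspect APK, as an added example that is not part of the original bulletin or of any vendor's tooling: the script below parses a decoded AndroidManifest.xml (as produced by apktool or a similar decoder) and flags the capability combination the item describes, namely SMS read/send, screen overlays over other apps, and device-administrator registration that makes removal awkward. The permission-to-capability mapping, both sample manifests and the package names are assumptions constructed for this example; they are not LokiBot's real manifest.

```python
"""Manifest triage for the capability profile described in the LokiBot item.

Added example, not code from the article or from any vendor. Both manifests
below are constructed for illustration; the package names are invented and the
permission-to-capability mapping is this example's own assumption.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"
MIN_SDK = f"{{{ANDROID_NS}}}minSdkVersion"

# Capabilities named in the item, mapped to the permissions an app must
# request to exercise them under the Android permission model.
CAPABILITY_PERMISSIONS = {
    "read_sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "send_sms": {"android.permission.SEND_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"

# Constructed manifest resembling a dropper that poses as a player update.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.player.update">
  <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="22"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Player Update">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest for an ordinary app, used as the control case.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-sdk android:minSdkVersion="21"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""


def device_admin_receivers(root):
    """Receivers registered as device administrators, detected by either the
    BIND_DEVICE_ADMIN permission or the DEVICE_ADMIN_ENABLED intent action."""
    found = []
    for receiver in root.iter("receiver"):
        actions = {a.get(NAME) for a in receiver.iter("action")}
        if receiver.get(PERMISSION) == BIND_DEVICE_ADMIN or DEVICE_ADMIN_ENABLED in actions:
            found.append(receiver.get(NAME))
    return found


def triage_manifest(manifest_xml):
    """Return the capability profile of a manifest and whether it matches the
    overlay + SMS + device-admin combination the item attributes to LokiBot."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME) for el in root.iter("uses-permission")}
    capabilities = sorted(
        cap for cap, perms in CAPABILITY_PERMISSIONS.items() if perms & requested
    )
    admins = device_admin_receivers(root)
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(MIN_SDK)) if sdk is not None and sdk.get(MIN_SDK) else None
    banker_profile = (
        "overlay" in capabilities
        and any(c in capabilities for c in ("read_sms", "send_sms"))
        and bool(admins)
    )
    return {
        "package": root.get("package"),
        "capabilities": capabilities,
        "device_admin_receivers": admins,
        "min_sdk": min_sdk,  # API 19 corresponds to Android 4.4
        "banker_profile": banker_profile,
    }


if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(manifest))
```

On a real sample, feed `triage_manifest` the text of the decoded manifest file instead of the constructed constants. A positive result is a triage signal, not a verdict: overlay permission plus SMS access plus a device-admin receiver is the classic banker profile, but the same declarations appear in some legitimate enterprise and anti-theft apps, so the finding should be confirmed by looking at what the admin receiver does when disabling is requested.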
FOR MORE INFORMATION:
To sign up for the complete daily G4S Corporate Risk Services Intelligence Bulletin, as well as regular intelligence and risk updates and news, click here to subscribe!