1. New Legislation Could Allow Americans to Sue Foreign Hackers
- The Homeland and Cyber Threat Act, introduced to the U.S. House of Representatives with bipartisan sponsorship, would grant American citizens the legal right to hold foreign governments responsible for malicious cyber activities. The news comes as fresh hacks of Microsoft Exchange software overwhelm a cybersecurity community still recovering from the suspected state-sponsored SolarWinds attacks of last year.
- The legislation would remove the immunity currently granted to foreign nations (and their agents), allowing Americans to file suit in U.S. federal or state court for damages resulting from a cyberattack.
- In response to the recent high-profile cyberattacks from China and Russia against SolarWinds and Microsoft, the U.S. Congress is pushing back and giving American citizens the power to join the fight against state-sponsored cyberespionage.
SME Comments: One of the major challenges facing this legislation is the ‘attribution factor,’ that is, being able to ascertain the true perpetrators of malicious cyber activity. With state-sponsored actors displaying highly sophisticated techniques for hiding their tracks, it will remain extremely difficult for everyday Americans or U.S.-based organizations to accurately pinpoint the true source of a cyberattack. Moreover, if this legislation becomes law, it will most likely set a precedent for other nations looking to curb the effects of state-sponsored threat actors.
2. FIN8 Hacking Group Resurfaces with Sophistication
- FIN8, a financially motivated threat group, has resurfaced after going dark for almost a year and a half. It appears that during its hiatus the group was working to improve its tactics, techniques, and procedures (TTPs), especially as they relate to backdoor development.
- One of the group’s new TTPs is an updated backdoor, known as BADHATCH, which has been found to incorporate screen capturing, proxy tunneling, fileless malware execution, and other credential-stealing capabilities. This adds to a host of common ransomware threats targeting banks and investment firms on a regular basis.
- According to security researchers, throughout 2019 FIN8 focused on exploiting trusted applications, such as Microsoft Word, as well as weaknesses in point-of-sale systems at organizations in the retail, technology, insurance, and hospitality industries. Most of the group’s attacks targeted organizations based in the United States, Canada, South Africa, Italy, and Panama.
SME Comments: FIN8 is known to be one of the most sophisticated, financially motivated cybercriminal actors suspected to be operating out of North Korea. Although FIN8’s previously known operations piggybacked on other commercially available payloads to steal credit-card data, its return to the cybercrime stage shows it exhibiting nation-state capabilities, such as deliberate efforts to evade automated detection by leveraging TLS encryption to mask its PowerShell commands.
3. Microsoft Exchange Attack Affects EU Banking Regulators
- A major financial regulator in the European Union, the European Banking Authority (EBA), disclosed that it was impacted by the latest state-sponsored cyberattack targeting Microsoft email servers. According to Microsoft’s Threat Intelligence, the Exchange Server attack was perpetrated by a Chinese-sponsored threat group looking to wreak havoc on governments and businesses on a global scale.
- Following several cyber-forensic investigations, the EBA has so far found no evidence of data theft. In a concerted effort to maintain security resilience, the banking agency decided to take its email systems offline to eliminate the possibility of a residual threat from the incident.
- Although Microsoft has released a temporary patch for the affected email servers, it is highly unlikely that organizations around the globe will install it in a timely manner, as the average mean time to patch in the United States is between 60 and 150 days.
SME Comments: The European Banking Authority (EBA) is an EU-backed agency charged with identifying vulnerabilities in the capital structure of European banks, so as to increase transparency and assess business resilience. The EBA is a prime target for state-sponsored cyberattacks due to its proximity to highly critical data that underpins major financial institutions within the European Union. With this disclosure, security experts are starting to understand the potential motivation behind, and the likely types of targets impacted by, Hafnium’s malicious exploitation of Microsoft’s zero-day vulnerabilities.
4. Chinese Hackers Target Linux Systems with New Malware
- Security experts have uncovered a new and dangerous malware strain, developed by Chinese-sponsored attackers (the Winnti threat group), which targets Linux systems. The strain, RedXOR, was designed to have low detection rates among major malware detection tools and thus does not raise suspicion among malware hunters.
- RedXOR was also built with a barrage of sophisticated capabilities, including command execution with Linux system privileges; management of files on infected Linux machines; hiding of active processes using the open-source Adore-ng rootkit; remote updating of its tooling; and proxying of its malicious traffic.
- In recent years, advanced persistent threat (APT) actors have been working tirelessly to exploit Linux infrastructure by attacking the kernel and other processes responsible for data storage, traffic management, and trusted Linux commands. In addition, the Winnti threat group has been observed incorporating offensive capabilities to steal specific data types that align with the interests of the Chinese government.
SME Comments: For many years, Linux systems have been considered extremely resilient against cyberattack. However, in 2020 alone, security experts noticed a 40% increase in custom-made malware designed specifically to compromise Linux-based infrastructure. Most threat actors that target Linux systems are heavily sponsored by rogue nation states, so they tend to exhibit new and sophisticated tactics, techniques, and procedures (TTPs) geared towards coordinated espionage operations. Organizations should therefore expect both the number and the sophistication of attacks against Linux-based systems to rise.
5. Security Cameras Exploited at Tesla and Other Sensitive Locations
- The physical security startup Verkada disclosed that threat actors (APT69420) gained unauthorized access to the live feeds of over 150,000 of its security camera systems. The startup provides and manages a large fleet of web-based network CCTV cameras for high-profile clients.
- Based on reports from Verkada security professionals, the threat actors claim to have access to extensive surveillance footage of sensitive areas at a Tesla manufacturing plant; Cloudflare’s computing areas; and other locations such as luxury gyms, schools, hospitals, law enforcement departments, and a prison.
- As evidence of the CCTV compromise, the threat actors shared a clip of the stolen live footage. The footage appears to show a Tesla factory in Shanghai, China, where assembly line workers were performing their daily operations in automotive warehouses. APT69420 claims to have access to 222 CCTV cameras displaying sensitive activities inside Tesla’s factories.
SME Comments: Following a forensic investigation, it appears that APT69420 gained unauthorized access to Verkada via lateral movement: the hackers accessed a dormant ‘Super Admin’ account using a username and password for an admin account that had been publicly disclosed online. From there, the group was able to access live footage belonging to the company’s clients. Although Tesla has indicated that none of its critical operations were impacted by the incident, the hackers behind this physical security breach appear to be semi-amateurs looking to showcase the extent of their capabilities for notoriety and ‘brownie points.’ As organizations continue to migrate physical security operations to the cloud via web-based infrastructure, layered security countermeasures must be in place to prevent unauthorized access to systems that could expose sensitive and private video footage of business operations.
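The detection gap in the Verkada case is a privileged account that sat unused and then suddenly logged in. The following is an added example, not part of the original briefing or of Verkada’s tooling: it walks a constructed authentication audit log and alerts when an account holding an assumed privileged role (`super_admin`, `admin`) succeeds in logging in after at least 90 days of silence; the log format, role names and threshold are all assumptions.

```python
"""Flag successful logins to long-dormant privileged accounts."""
from datetime import datetime, timedelta

# Assumed values, not Verkada's real schema: dormancy threshold and roles.
DORMANT_AFTER = timedelta(days=90)
PRIVILEGED_ROLES = {"super_admin", "admin"}

# Constructed sample audit log, one "timestamp,user,role,outcome" per line.
SAMPLE_LOG = """\
2020-11-02T03:00:00,svc_legacy,super_admin,success
2021-01-05T08:01:00,alice,operator,success
2021-02-10T17:45:00,alice,operator,success
2021-03-08T03:12:00,svc_legacy,super_admin,failure
2021-03-08T03:13:00,svc_legacy,super_admin,success
2021-03-08T09:00:00,bob,admin,success
2021-03-09T09:00:00,bob,admin,success
"""

def parse_log(text):
    """Parse the CSV-style lines into (time, user, role, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, role, outcome = line.split(",")
            events.append((datetime.fromisoformat(ts), user, role, outcome))
    return sorted(events, key=lambda e: e[0])

def find_dormant_privileged_logins(events, threshold=DORMANT_AFTER):
    """Return one alert per privileged success preceded by >= threshold of silence.

    Only successes move the activity baseline, so a failed guess against a
    dormant account does not make it look active. The first success seen for
    a user sets the baseline without alerting, so a short log stays quiet.
    """
    last_success = {}
    alerts = []
    for when, user, role, outcome in events:
        if outcome != "success":
            continue
        prev = last_success.get(user)
        if role in PRIVILEGED_ROLES and prev is not None and when - prev >= threshold:
            alerts.append({"user": user, "role": role, "at": when.isoformat(),
                           "dormant_days": (when - prev).days})
        last_success[user] = when
    return alerts

if __name__ == "__main__":
    for alert in find_dormant_privileged_logins(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log only `svc_legacy` is reported (126 days dormant); `bob` is privileged but active, and `alice` is not privileged. Pairing this with disabling or re-credentialing any privileged account that trips the rule is the layered control the comment above calls for.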