Feb 26 2021

Microsoft releases open-source CodeQL queries to assess Solorigate compromise

Microsoft announced the release of open-source CodeQL queries that its experts used during its investigation into the SolarWinds supply-chain attack.

In early 2021, the US agencies FBI, CISA, ODNI, and NSA released a joint statement that attributes the SolarWinds supply chain attack to Russia.

The four agencies form the Cyber Unified Coordination Group (UCG), the task force charged with coordinating the investigation and remediation of the SolarWinds hack, which had a significant impact on federal government networks.

The UCG said the attack was orchestrated by an Advanced Persistent Threat (APT) actor, likely Russian in origin.

According to security experts, Russia-linked threat actors breached SolarWinds in 2019 and used the Sunspot malware to insert the Sunburst backdoor into the supply chain of the SolarWinds Orion monitoring product.

Microsoft, which was itself hit by the attack, has published continuous updates on its investigation and has now released the source code of the CodeQL queries its experts used to identify code-level indicators of compromise (IoCs) associated with Solorigate, Microsoft's name for the campaign.

“In this blog, we’ll share our journey in reviewing our codebases, highlighting one specific technique: the use of CodeQL queries to analyze our source code at scale and rule out the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with Solorigate.” reads the blog post published by Microsoft. “We are open sourcing the CodeQL queries that we used in this investigation so that other organizations may perform a similar analysis. Note that the queries we cover in this blog simply serve to home in on source code that shares similarities with the source in the Solorigate implant, either in the syntactic elements (names, literals, etc.) or in functionality.”

Source: Microsoft releases open-source CodeQL queries to assess Solorigate compromise

Tags: CodeQL, Solorigate compromise


Feb 22 2021

NSA Equation Group tool was used by Chinese hackers years before it was leaked online

Category: APT, Cyber Espionage, Cybercrime, Hacking | DISC @ 10:51 am

The China-linked APT group had access to an NSA Equation Group hacking tool and used it for years before it was leaked online by the Shadow Brokers.

The Check Point Research team discovered that the China-linked APT31 group (aka Zirconium) used a tool dubbed Jian, a clone of the NSA Equation Group's “EpMe” hacking tool, years before EpMe was leaked online by the Shadow Brokers.

In 2015, Kaspersky first documented the Equation Group, revealing that it had been operating since at least 2001 and had targeted almost every industry with sophisticated zero-day malware.

The group's arsenal included sophisticated tools that required a significant development effort, and Kaspersky speculated that the Equation Group had also interacted with the operators behind the Stuxnet and Flame malware.

Based on the evidence collected across its cyber espionage campaigns over the years, Kaspersky experts hypothesized that the National Security Agency (NSA) is linked to the Equation Group.

Jian used the same Windows zero-day exploit, stolen from the Equation Group's arsenal, for years before Microsoft addressed the underlying flaw.

In 2017, the Shadow Brokers hacking group released a collection of hacking tools allegedly stolen from the NSA; most of them exploited zero-day flaws in popular software.

One of these flaws, tracked as CVE-2017-0005, was a privilege escalation issue affecting Windows XP through Windows 8.

“In this blog we show that CVE-2017-0005, a Windows Local-Privilege-Escalation (LPE) vulnerability that was attributed to a Chinese APT, was replicated based on an Equation Group exploit for the same vulnerability that the APT was able to access.” reads the analysis published by Check Point. “‘EpMe’, the Equation Group exploit for CVE-2017-0005, is one of 4 different LPE exploits included in the DanderSpritz attack framework. EpMe dates back to at least 2013 – four years before APT31 was caught exploiting this vulnerability in the wild.”

Source: NSA Equation Group tool was used by Chinese hackers years before it was leaked online

Tags: Chinese hackers, NSA Equation Group tool, Spy war, Tiger trap


Feb 15 2021

Chinese Supply-Chain Attack on Computer Systems

Category: Cyber Attack, Cyber Espionage, Cyber Spy | DISC @ 11:41 am

Bloomberg News has a major story about the Chinese hacking computer motherboards made by Supermicro, Lenovo, and others. It’s been going on since at least 2008. The US government has known about it for almost as long, and has tried to keep the attack secret:

China’s exploitation of products made by Supermicro, as the U.S. company is known, has been under federal scrutiny for much of the past decade, according to 14 former law enforcement and intelligence officials familiar with the matter. That included an FBI counterintelligence investigation that began around 2012, when agents started monitoring the communications of a small group of Supermicro workers, using warrants obtained under the Foreign Intelligence Surveillance Act, or FISA, according to five of the officials.

There’s lots of detail in the article, and I recommend that you read it through.

Tags: Chinese espionage, Supply-Chain Attack


Jan 26 2021

Cyber Espionage Report

Category: Cyber Espionage | DISC @ 4:16 pm


Dec 13 2020

Suspected Russian hackers spied on U.S. Treasury emails

Hackers believed to be working for Russia have been monitoring internal email traffic at the U.S. Treasury Department and an agency that decides internet and telecommunications policy, according to people familiar with the matter.

Three of the people familiar with the investigation said Russia is currently believed to be behind the attack.

Two of the people said that the breaches are connected to a broad campaign that also involved the recently disclosed hack on FireEye, a major U.S. cybersecurity company with government and commercial contracts.

“The United States government is aware of these reports and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” said National Security Council spokesman John Ullyot.

The hack is so serious it led to a National Security Council meeting at the White House on Saturday, said one of the people familiar with the matter.

Source: Suspected Russian hackers spied on U.S. Treasury emails – sources


    Active Exploitation of SolarWinds Software

    Emergency directive: Global governments issue alert after FireEye hack is linked to SolarWinds supply chain attack

    SolarWinds Security Advisory

    Massive suspected Russian hack is 21st century warfare

    The government has known about the vulnerabilities that allowed the SolarWinds attack since the birth of the internet—and chose not to fix them.

    WATCH: Trump refuses to acknowledge that Russia meddled in US elections



RUSSIAN GOVERNMENT HACKING GROUP ‘APT29’ BEHIND CYBER HACK ON US GOVERNMENT
https://www.youtube.com/watch?v=FM66FgFk6Ls



U.S. Agencies Hit in Brazen Cyber-Attack by Suspected Russian Hackers
https://www.youtube.com/watch?v=vlVGnu7i0tY



Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers (paperback)




Tags: APT29, cyber hacking, FireEye, Greenberg, Russian cyber attack, Russian espionage, Russian hackers, Sandworm, U.S. Treasury


Nov 08 2020

FBI: Hackers stole source code from US government agencies and private companies

FBI blames intrusions on improperly configured SonarQube source code management tools.

FBI officials say that threat actors have abused these misconfigurations to access SonarQube instances, pivot to the connected source code repositories, and then access and steal proprietary or private/sensitive applications.

Officials provided two examples of past incidents:

“In August 2020, unknown threat actors leaked internal data from two organizations through a public lifecycle repository tool. The stolen data was sourced from SonarQube instances that used default port settings and admin credentials running on the affected organizations’ networks.

“This activity is similar to a previous data leak in July 2020, in which an identified cyber actor exfiltrated proprietary source code from enterprises through poorly secured SonarQube instances and published the exfiltrated source code on a self-hosted public repository.”

Source: FBI: Hackers stole source code from US government agencies and private companies | ZDNet
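The two conditions the FBI describes, an instance left on its default port with the factory admin credentials and anonymous read access to the connected projects, can be verified from the outside with a couple of unauthenticated HTTP requests before an attacker does it for you. The script below is an added example, not code from the FBI alert or the ZDNet article. It assumes SonarQube's public web API endpoints `/api/components/search` (lists projects visible to the caller) and `/api/authentication/validate` (reports whether supplied credentials are accepted), and it ships with a constructed stand-in server (`demo_fetch`) so the audit logic runs offline; the hostname `sonar.example.internal` is a placeholder.

```python
"""Audit a SonarQube instance for the misconfigurations the FBI alert describes.

Added example (not code from the FBI alert or the ZDNet article). Two checks:
  1. anonymous project listing  -> GET /api/components/search?qualifiers=TRK
  2. factory-default admin/admin -> GET /api/authentication/validate with Basic auth
Endpoint paths and response fields are assumed from SonarQube's public web API.
"""
import base64
import json
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

DEFAULT_PORT = 9000                        # port SonarQube listens on out of the box
DEFAULT_CREDENTIALS = ("admin", "admin")   # factory-default administrator login

# A fetcher performs one GET and returns (HTTP status, body). It is injected so the
# audit logic can be exercised offline against canned responses.
Fetcher = Callable[[str, Optional[Tuple[str, str]]], Tuple[int, str]]


def urllib_fetch(url: str, creds: Optional[Tuple[str, str]] = None,
                 timeout: float = 5.0) -> Tuple[int, str]:
    """Live GET using only the standard library; HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    if creds is not None:
        token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def _json(body: str) -> dict:
    """Parse a JSON object body; anything else (e.g. an HTML login page) counts as empty."""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return {}
    return parsed if isinstance(parsed, dict) else {}


def audit_sonarqube(base_url: str, fetch: Fetcher = urllib_fetch) -> Dict[str, object]:
    """Return a findings dict; every True value is a condition the FBI alert warned about."""
    base = base_url.rstrip("/")
    findings: Dict[str, object] = {
        "default_port": urllib.parse.urlsplit(base).port == DEFAULT_PORT,
        "anonymous_project_listing": False,
        "exposed_projects": [],
        "default_admin_credentials": False,
    }

    # Check 1: with no credentials at all, can we enumerate projects (qualifier TRK)?
    status, body = fetch(f"{base}/api/components/search?qualifiers=TRK&ps=500", None)
    if status == 200:
        projects: List[str] = [c["key"] for c in _json(body).get("components", []) if "key" in c]
        if projects:
            findings["anonymous_project_listing"] = True
            findings["exposed_projects"] = projects

    # Check 2: does the server accept the factory-default admin password? A rejected
    # Basic-auth header yields 401; a 200 with {"valid": true} means it was accepted.
    status, body = fetch(f"{base}/api/authentication/validate", DEFAULT_CREDENTIALS)
    if status == 200 and _json(body).get("valid") is True:
        findings["default_admin_credentials"] = True

    return findings


# Constructed responses standing in for a misconfigured server, so the audit runs offline.
def demo_fetch(url: str, creds: Optional[Tuple[str, str]]) -> Tuple[int, str]:
    if url.endswith("/api/components/search?qualifiers=TRK&ps=500") and creds is None:
        return 200, json.dumps({"components": [
            {"key": "payments-api", "name": "Payments API", "qualifier": "TRK"},
            {"key": "internal-tools", "name": "Internal Tools", "qualifier": "TRK"},
        ]})
    if url.endswith("/api/authentication/validate") and creds == DEFAULT_CREDENTIALS:
        return 200, json.dumps({"valid": True})
    return 401, json.dumps({"errors": [{"msg": "Authentication is required"}]})


if __name__ == "__main__":
    # With a URL argument the audit goes live; with none it runs against demo_fetch.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://sonar.example.internal:9000"
    fetcher = urllib_fetch if len(sys.argv) > 1 else demo_fetch
    print(json.dumps(audit_sonarqube(target, fetcher), indent=2))
```

Run it only against instances you are authorized to test. A clean result is all four values false or empty; anything else means the source code behind that server is one anonymous request, or one guessed password, away from the kind of leak the FBI describes. Closing the gap means changing the admin password (and ideally the port), putting the instance behind the corporate network boundary or a reverse proxy with authentication, and turning off anonymous browsing, which in SonarQube is the `sonar.forceAuthentication=true` setting in `sonar.properties`.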






Jun 16 2020

Elite CIA unit that developed hacking tools failed to secure its own systems, allowing massive leak, an internal report found

The publication of ‘Vault 7’ cyber tools by WikiLeaks marked the largest data loss in agency history, a task force concluded.

The theft of top-secret computer hacking tools from the CIA in 2016 was the result of a workplace culture in which the agency’s elite computer hackers “prioritized building cyber weapons at the expense of securing their own systems,” according to an internal report prepared for then-director Mike Pompeo as well as his deputy, Gina Haspel, now the current director.

Source: Elite CIA unit that developed hacking tools failed to secure its own systems, allowing massive leak, an internal report found.

Wikileaks Vault 7: What’s in the CIA Hacking Toolbox?
https://www.youtube.com/watch?v=X45Bb8O-gMI

CIA Hacking Tools Released in Wikileaks Vault 7 – Threat Wire
https://www.youtube.com/watch?v=5LYSjLwkAo4






Jun 13 2020

Lamphone attack lets threat actors recover conversations from your light bulb | ZDNet

Category: Cyber Espionage, Cyber Threats, Threat detection | DISC @ 12:13 pm

Academics record light variations in a light bulb to recover the sound waves (speech, conversations, songs) from a room 25 meters (80 feet) away.

Source: Lamphone attack lets threat actors recover conversations from your light bulb | ZDNet






Jun 27 2019

Western intelligence hacked Russia’s Google Yandex to spy on accounts

Category: Cyber Espionage, Malware | DISC @ 2:15 pm

Exclusive: Western intelligence hacked ‘Russia’s Google’ Yandex to spy on accounts – sources

Source: Western intelligence hacked ‘Russia’s Google’ Yandex to spy on accounts






Tags: cyber espionage, cyber spy


May 22 2019

China, Leverage, and Values

Category: Cyber Espionage, Cyber War, Digital cold war | DISC @ 5:12 pm

If there is a new tech cold war, it is one with shots fired over a decade ago, largely by China. The questions going forward are about both leverage and values.

Source: China, Leverage, and Values

5G is a war the US is about to lose warns DoD

more on Cyber War

 


Jack Goldsmith: “The United States is Losing the Digital Cold War” | Talks at Google





Tags: digital cold war, Tech cold war


Mar 11 2019

Chinese hacking group backdoors products from three Asian gaming companies | ZDNet

Category: Cyber Espionage | DISC @ 1:58 pm

ESET suspects that tens or hundreds of thousands of users have been infected already.

Source: Chinese hacking group backdoors products from three Asian gaming companies | ZDNet






