Satori Botnet Awakens with Zero-Day Powers and Over 280,000 Bots in 12 Hours

The Satori botnet is a Mirai variant; within its first twelve hours of life, Satori compromised over 280,000 endpoints and is wielding powerful zero-day exploits:

A new massive IoT botnet dubbed Satori has emerged, which security researchers fear, can launch crippling attacks at any time.

The botnet has reportedly already infected over 280,000 IP addresses in just 12 hours, enslaving hundreds of thousands of home routers by exploiting a recently discovered zero-day vulnerability.

Satori, which reportedly means “Awakening” in Japanese, is actually the infamous Mirai botnet’s successor.

According to a new report by security researchers at Qihoo 360 Netlab, the Satori botnet can propagate rapidly by itself, which essentially makes it an IoT worm.

Dale Drew, chief security strategist at CenturyLink, told ArsTechnica that the Satori botnet has already infected two widely-used types of home routers by exploiting the recently-discovered zero-day flaw.

Qihoo 360 Netlab security researcher Li Fengpei told Bleeping Computer that there are some clues that hint at the possibility of Satori being linked to yet another Mirai-based botnet discovered last month.

Drew reportedly warned that Satori botnet’s operators could launch an Internet-crippling DDoS attack at any time.

12 Predictions for ICS Cyber Security in 2018

This article about twelve ICS cyber security predictions for 2018 seems fairly practical:

More details about ransomware damage cost predictions for the 5 year period will be revealed in a report that Cybersecurity Ventures intends to publish in 2018.

Two cybersecurity specialists, Eddie Habibi, CEO of PAS, and Edgard Capdevielle, CEO of Nozomi Networks, share with us their predictions for ICS security in 2018. What does 2018 hold for ICS cybersecurity?

Expect to see more comprehensive ICS cybersecurity policies offered.

Edgard Capdevielle, CEO of Nozomi Networks outlines his predictions for ICS cybersecurity in 2018.

Organizations grappling with ICS cybersecurity staffing and skills shortages are turning to AI solutions to achieve security and productivity goals.

The shortage of ICS cybersecurity skills will open the door for vendors to provide full security services.

ICS Insecurity Will Manifest Itself – Organizations are nowhere near as ready to combat critical infrastructure threats and will realize many truths: they don’t have a clear understanding of what assets they own; proper ICS cybersecurity hygiene is much harder to achieve than in IT networks; air-gapping is a fallacy; and organizations don’t possess the necessary personnel skills, their teams aren’t talking to one another and they aren’t currently monitoring their networks the way they should.

Homeland Security Team Remotely Hacked a Boeing 757

Well, this sure is interesting: a Department of Homeland Security team acknowledged remotely hacking into a Boeing 757 via the airplane’s RF communications system:

During a keynote address on Nov. 8 at the 2017 CyberSat Summit, a Department of Homeland Security official admitted that he and his team of experts remotely hacked into a Boeing 757.

While the details of the hack are classified, Hickey admitted that his team of industry experts and academics pulled it off by accessing the 757’s “radio frequency communications.”

We’ve been hearing about how commercial airliners could be hacked for years.

The same year, security researcher Chris Roberts ended up in hot water with the feds after tweeting about hacking the United Airlines plane he was traveling on.

At a technical meeting in March 2017, several shocked airline pilot captains from American Airlines and Delta were briefed on the 2016 Boeing 757 hack.

As CBS News pointed out, Boeing stopped producing 757s in 2004, but that aircraft is still used by major airlines, such as American, Delta and United.

Boeing told CBS that it firmly believes the test “did not identify any cyber vulnerabilities in the 757, or any other Boeing aircraft.”

Of course Boeing said that. Just because their official statement denies any identification of vulnerabilities does not mean they do not exist.

He Perfected a Password-Hacking Tool, Then the Russians Came Calling

This story is a good example of why a comprehensive, detailed, layered cyber defense is necessary for an organization:

In the years since, Delpy has released that code to the public, and Mimikatz has become a ubiquitous tool in all manner of hacker penetrations, allowing intruders to quickly leapfrog from one connected machine on a network to the next as soon as they gain an initial foothold.

“Mimikatz wasn’t at all designed for attackers. But it’s helped them,” Delpy says in his understated and French-tinged English.

Mimikatz first became a key hacker asset thanks to its ability to exploit an obscure Windows function called WDigest.

Delpy saw Chinese users in hacker forums discussing Mimikatz, and trying to reverse-engineer it.

As the use of Mimikatz spread, Microsoft in 2013 finally added the ability in Windows 8.1 to disable WDigest, neutering Mimikatz’s most powerful feature.

Delpy says, if systems administrators limit the privileges of their users, Mimikatz can’t get the administrative access it needs to start hopping to other computers and stealing more credentials.

“If Mimikatz has been used to steal your passwords, your main problem is not Mimikatz,” Delpy says.

Although Mimikatz can be used to steal passwords, the tool in and of itself is not the problem. Rather than taking shortcuts and the fastest route to deployment, an organization needs to take the time to properly configure its Active Directory environment and networking gear, and to install the correct cyber defense tools.

Cyber security is tough, but there are a lot of common-sense approaches to the problem that decrease the risk of exposure.

OceanLotus APT Group Unfolds New Tactic in Cyber Espionage Campaign

OceanLotus appears to have modified its tactics and is now using compromised websites to target victims in its ongoing espionage campaign:

The group has begun using compromised websites to profile and target entities of interest to the Vietnamese government, Volexity says.

OceanLotus, an APT actor that over the past few years has been conducting a sophisticated digital surveillance campaign aligned with Vietnamese state interests, has built out a massive attack infrastructure of compromised websites.

OceanLotus, aka APT32, has compromised over 100 websites, the vast majority of which belong to organizations and individuals critical of the government in Vietnam.

The use of compromised websites to lure victims is a new development for OceanLotus and shows how sophisticated threat actors manage to stay a step ahead of defenders by constantly switching tactics.

Once a website has been compromised, OceanLotus has used different methods to identify site visitors and drop different payloads on their systems.

In addition to building out a big network of compromised websites to stage and deliver malware to selected victims, OceanLotus has also managed to build a massive backend infrastructure to facilitate its core data collection activities.

Maturing malicious actors are a huge risk to organizations in their crosshairs.

Security Breach and Spilled Secrets Have Shaken the NSA to Its Core

I am always intrigued by stories about the esoteric NSA and its cyber expertise. On the one hand, the NSA appears to be extremely talented. On the other, there appear to be a lot of internal shortcomings when it comes to preventing insider attacks. Certainly it is important to trust employees who hold TS/SCI clearances. However, there is a point at which too much trust becomes an unacceptable risk. The NSA seems not yet to have found the right balance.

I have followed with great interest how the Shadow Brokers breach continues to confound the NSA, which is still reeling and trying to determine the exact cause:

Fifteen months into a wide-ranging investigation by the agency’s counterintelligence arm, known as Q Group, and the F.B.I., officials still do not know whether the N.S.A. is the victim of a brilliantly executed hack, with Russia as the most likely perpetrator, an insider’s leak, or both.

There is broad agreement that the damage from the Shadow Brokers already far exceeds the harm to American intelligence done by Edward J. Snowden, the former N.S.A. contractor who fled with four laptops of classified material in 2013. Mr. Snowden’s cascade of disclosures to journalists and his defiant public stance drew far more media coverage than this new breach.

“Is NSA chasing shadowses?” the Shadow Brokers asked in a post on Oct. 16, mocking the agency’s inability to understand the leaks and announcing a price cut for subscriptions to its “monthly dump service” of stolen N.S.A. tools.

There were PowerPoint presentations and other files not used in hacking, making it unlikely that the Shadow Brokers had simply grabbed tools left on the internet by sloppy N.S.A. hackers.

N.S.A. employees say that with thousands of employees pouring in and out of the gates, and the ability to store a library’s worth of data in a device that can fit on a key ring, it is impossible to prevent people from walking out with secrets.

The third is Reality Winner, a young N.S.A. linguist arrested in June, who is charged with leaking to the news site The Intercept a single classified report on a Russian breach of an American election systems vendor.

American officials believe Russian intelligence was piggybacking on Kaspersky’s efforts to find and retrieve the N.S.A.’s secrets wherever they could be found.

Watching how Russia has been leveraging cyber security for its geopolitical ambitions has been educational, but the successful attacks on the NSA are the most intriguing. It will be interesting to see how things play out over the coming months and years, and if there will ever be a story confirming exactly how the Shadow Brokers were able to compromise such a huge treasure trove of the most dangerous cyber weapons on the planet.

Which of Your Employees Are Most Likely to Expose Your Company to a Cyber Attack?

Many of the cyber security issues companies face today are a result of human error. Not all breaches, mind you, but the vast majority do begin with a phishing campaign. Which of your employees are the most at risk for allowing a cyber attack to occur?

Many of these defenses are often compromised by errant or lax human behavior, which makes employee training even more critical.

The standard memo on security often fails to capture the nuances presented by more dynamic security threats, which are often internal.

For the more resistant users, one can employ a variety of creative training techniques that involve employee interaction, feedback, and discussion.

Take the method of gamification: one could supplement a cybersecurity presentation with a game of spotting suspicious activity, which compels employees to develop responsive skills.

Engaging employees in hands-on training encourages buy-in and accountability.

Given the constant influx of new employees in any organization and the constant change in security threats, periodic training should be mandatory.

Technology and improved practices can help you identify those employees who are most at risk of exposing your company to a cyberattack – before it becomes a major problem.

‘Mailsploit’ Lets Hackers Forge Perfect Email Spoofs

Mailsploit is a Metasploit-like toolkit targeting vulnerabilities in email programs as a means of compromising an endpoint:

Now one researcher has dug up a new collection of bugs in email programs that in many cases strip away even the existing, imperfect protections against email impersonation, allowing anyone to undetectably spoof a message with no hint at all to the recipient.

On Tuesday, security researcher and programmer Sabri Haddouche revealed Mailsploit, an array of methods for spoofing email in more than a dozen common email clients, including Apple Mail for iOS and macOS, Mozilla’s Thunderbird, Microsoft Mail, and Outlook 2016, as well as a long list of less common clients including Opera Mail, Airmail, Spark, Guerrilla Mail and Aol Mail.

Over the years, administrators of email servers have increasingly adopted authentication systems, most recently one known as Domain-based Message Authentication, Reporting and Conformance, which blocks spoofed emails by carefully filtering out those whose headers pretend to come from a different source than the server that sent them.

By crafting email headers to take advantage of flawed implementation of a 25-year-old system for coding ASCII characters in email headers known as RFC-1342, and the idiosyncrasies of how Windows, Android, iOS, and macOS handle text, Haddouche has shown that he can trick email servers into reading email headers one way, while email client programs read them differently.

Haddouche’s full list of affected email clients and their responses to his Mailsploit research is here.

Blaming the server, rather than the email client, may be more than just a lazy dodge: Haddouche tells WIRED that email providers and firewalls can also be set to filter out his attack, even if email clients remain vulnerable.

Beyond the specific bugs Mailsploit highlights, Haddouche’s research points to a more fundamental problem with email authentication, says Kaminsky.
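The server-side filtering Haddouche mentions can be illustrated with a small check on the `From:` header. The following Python is an added example written for this post, not code from Haddouche’s Mailsploit research or from any mail product. It decodes RFC 2047 encoded-words (the successor to RFC 1342) in the display name using only the standard library, then flags two things a gateway should never let through: control characters that survive decoding, and an address-like token in the display name that disagrees with the actual address. The sample headers, including the `example.com` and `unrelated.example` domains, are constructed for the example and are not captured mail.

```python
import re
from email.header import decode_header
from email.utils import parseaddr

# RFC 5322 forbids raw control characters in header text; after encoded-word
# decoding the display name must still satisfy that rule (NUL, CR, LF, ...).
# Tab (0x09) is excluded because it is legitimate folding whitespace.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")

# Loose matcher for anything that looks like an email address.
ADDR_TOKEN = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def decode_display_name(raw: str) -> str:
    """Decode RFC 2047 encoded-words (=?charset?Q?...?= or ?B?) in a phrase.

    decode_header yields (bytes, charset) for encoded-words and (str, None)
    for plain text; both forms are normalised to a single str here.
    """
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            parts.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            parts.append(chunk)
    return "".join(parts)


def audit_from_header(value: str) -> dict:
    """Inspect one From: header value the way a mail gateway filter might.

    Returns the parsed address, the decoded display name, whether any
    encoded-words were present, and a list of findings (empty means clean).
    """
    display, addr = parseaddr(value)
    decoded = decode_display_name(display)
    findings = []

    if CONTROL_CHARS.search(decoded):
        findings.append("control characters survive decoding of the display name")

    # A display name that itself looks like an address is the classic way to
    # show the reader one sender while the real address is something else.
    for token in ADDR_TOKEN.findall(decoded):
        if token.lower() != addr.lower():
            findings.append(
                f"display name presents {token!r} but the address is {addr!r}"
            )

    return {
        "address": addr,
        "display_name": decoded,
        "encoded": decoded != display,  # True when encoded-words were decoded
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample headers (not captured mail); the domains are placeholders.
SAMPLES = [
    "Alice Example <alice@example.com>",
    "=?utf-8?Q?Alice_Example?= <alice@example.com>",
    "=?utf-8?Q?ceo=40example.com?= <mailbox@unrelated.example>",
    '"ceo@example.com" <mailbox@unrelated.example>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        result = audit_from_header(header)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{verdict:10} {header}")
        for finding in result["findings"]:
            print(f"{'':10} - {finding}")
```

The point of decoding before inspecting is the one the article makes: a filter that looks only at the raw header sees an opaque `=?utf-8?Q?...?=` token and passes it, while the client decodes it and shows the reader whatever it contained. Running the same decoding step at the gateway, and rejecting or tagging messages whose decoded display name fails these checks, closes that gap regardless of which client is on the receiving end.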

The Environmental Case Against Bitcoin

With the recent surge in bitcoin price I have been paying a lot of attention to cryptocurrency, especially the granddaddy of them all. This article makes an interesting, and thoughtful case that even those who are not participating in bitcoin mining are going to feel negative effects of the computational power required to mine the coins:

No one may be using Bitcoin, but we’re all paying for them.

Bitcoin analyst Alex de Vries, otherwise known as the Digiconomist, reports that the coin’s surge caused its estimated annual energy consumption to increase from 25 terawatt hours in early November to 30 TWh last week – a figure, wrote Vox’s Umair Irfan, “on par with the energy use of the entire country of Morocco, more than 19 European countries, and roughly 0.7 percent of total energy demand in the United States, equal to 2.8 million U.S. households.” Just one transaction can use as much energy as an entire household does in a week, and there are about 300,000 transactions every day.

Some Bitcoin enthusiasts claim that it will eventually become a mainstream currency, and that the cryptogovernance system upon which it’s built could actually help the environment.

The Bitcoin market is volatile, its future murky.

We don’t have time or resources to waste on Bitcoin.

Unlike cash, a Bitcoin cannot be printed or otherwise “made” by a human.

In order to create one, a computer must access the Bitcoin network and solve a complicated math problem, a process known as “mining.” But there are a finite number of Bitcoins that can be mined – 21 million, to be exact – and as more Bitcoins are mined, the math problems get more challenging.

Trump Administration Says It Does Not Need Secret Court’s Approval to Ask for Encryption Backdoors

The Trump Administration stated today that the US government does not need FISA court approval to ask for encryption backdoors to be built into software developed by the technology industry:

The US government does not need the approval of its secret surveillance court to ask a tech company to build an encryption backdoor.

The government made its remarks in July in response to questions posed by Sen. Ron Wyden (D-OR), but they were only made public this weekend.

The implication is that the government can use its legal authority to secretly ask a US-based company for technical assistance, such as building an encryption backdoor into a product, but can petition the Foreign Intelligence Surveillance Court (FISC) to compel the company if it refuses.

In its answers, the government said it has “not to date” needed to ask the FISC to issue an order to compel a company to backdoor or weaken its encryption.

The government would not say, however, if it’s ever asked a company to add an encryption backdoor.

Unbelievable yet unsurprising.

Deception: Why It’s Not Just Another Honeypot

Using deception as part of organizational cyber defense is not the same as just deploying a basic honeypot:

Almost 15 years ago, Honeyd was introduced as the first commercially available honeypot and offered simple network emulation tools designed to detect attackers.

Deception is still a fairly new technology, so it is not surprising that seasoned security professionals will ask, “Isn’t deception just a honeypot or honeynet?” In fairness, if you consider that they are both built on trapping technology, they are similar.

Gene Spafford, a leading security industry expert and professor of computer science at Purdue University, originally introduced the concept of cyber deception in 1989 when he employed “active defenses” to identify attacks that were underway, designed to slow down attackers, learn their techniques, and feed them fake data.

Deception technology has made monumental strides in evolving from limited, static capabilities to adaptive, machine learning deception that is designed for easy operationalization and scalability.

Based on our own internal testing and from others in the emerging deception market, deception is now so authentic that highly skilled red team penetration testers continually fall prey to deception decoys and planted credentials, further validating the technology’s ability to successfully detect and confuse highly skilled cyberattackers into revealing themselves.

Get Ready for More Hacks in 2018

CNET on what potential security incidents to expect in the next year:

If you’ll permit me to be Debbie Downer for a moment, our security situation is likely to get worse, not better in 2018.

In the WannaCry attack, hackers used NSA hacking tools that leaked into the criminal underworld, repurposing them to launch ransomware at regular computer users.

That’s because hackers are coming up with ransomware attacks that are harder for consumer security products to detect.

The passwords you and I use daily are a terrible security tool that we only rely on because nothing better has come along.

Password manager LastPass patched a big security flaw, and OneLogin got hacked.

Security software will continue to be a target for hackers, who would love to trick you into downloading a malicious tool with high-level access to your computer or phone.


One recommendation: use a password manager, and use 1Password. I have been using it for the better part of seven years, and the product is both the safest and the best on the market.

No Brainer: Do Not Use Russian Anti-Virus on Secret Government Systems

ZDNet on the UK National Cyber Security Centre recommendation to stay far away from Kaspersky anti-virus and other Russian cyber security companies and their products:

The UK’s cybersecurity agency has issued a warning to government departments on the potential risks of using Russian antivirus or security software because of fears the Kremlin could use it to conduct espionage.

The advice from the National Cyber Security Centre comes as Russian cybersecurity firm Kaspersky Lab is facing accusations that its software helped with the theft of NSA hacking tools on behalf of the Russian government.

Kaspersky Lab has denied any wrongdoing and CEO Eugene Kaspersky has said he’d remove his company from Moscow if the Kremlin asked it to carry out spying.

The National Cyber Security Centre (NCSC) has warned that Russian cyberattacks are a threat to the UK and that the Russian government could potentially compromise Russian software deployed within organisations for its own ends.

China’s A.I. Advances Help Its Tech Industry, and State Security

There are so many unintended consequences of artificial intelligence I feel as if we are nowhere near the tip of the iceberg. Consider how Chinese company iFlyTek is leveraging AI in multiple industrial and commercial applications, but also has a close working relationship with the Chinese government. There are many dark ways the government may utilize the data companies like iFlyTek can provide:

As China tests the frontiers of artificial intelligence, iFlyTek serves as a compelling example of both the country’s sci-fi ambitions and the technology’s darker dystopian possibilities.

The Chinese company uses sophisticated A.I. to power image and voice recognition systems that can help doctors with their diagnoses, aid teachers in grading tests and let drivers control their cars with their voices. Even some global companies are impressed: Delphi, a major American auto supplier, offers iFlyTek’s technology to carmakers in China, while Volkswagen plans to build the Chinese company’s speech recognition technology into many of its cars in China next year.

At the same time, iFlyTek hosts a laboratory to develop voice surveillance capabilities for China’s domestic security forces. In an October report, a human rights group said the company was helping the authorities compile a biometric voice database of Chinese citizens that could be used to track activists and others.

Those tight ties with the government could give iFlyTek and other Chinese companies an edge in an emerging new field. China’s financial support and its loosely enforced and untested privacy laws give Chinese companies considerable resources and access to voices, faces and other biometric data in vast quantities, which could help them develop their technologies, experts say.

Here’s the NSA Agent Who Inexplicably Exposed Critical Secrets

This detailed article explaining how the Shadow Brokers acquired some of the most coveted and sophisticated cyber attack weapons ever developed is quite interesting:

The Justice Department Friday announced that Nghia Hoang Pho, a 67-year-old from Ellicott City, Maryland, has admitted to willful retention of national defense information.

Pho illegally mishandled classified information in spite of being an agent in the NSA’s elite Tailored Access Operations foreign hacking group from 2006 to 2016.

Though it’s somewhat astonishing that someone with his position and training would cause such a basic breach, Pho brought classified data and paper documents to his home between 2010 and 2015.

“In connection with his employment, Pho held various security clearances and had access to national defense and classified information. Pho also worked on highly classified, specialized projects,” the DoJ said in a statement on Friday.

Pho stands out among recent NSA leak culprits in that he specifically worked as a developer for TAO, which would have brought him into contact with a diverse array of sensitive NSA data, systems, and materials.

The case documents don’t give much indication of what types of data and materials Pho took and left on his personal computer.

The frantic investigation into valuable NSA tools stolen by Russian spies indicates that Pho may have exposed more than just resume materials.

This story is about the NSA employee who had installed Kaspersky anti-virus on their home computer, which was then allegedly compromised by Russian operatives.

In a number of presentations I have given about the NSA TAO tools stolen by the Shadow Brokers, I hypothesized the agency was hesitant to publicly comment on the Kaspersky link because of the embarrassment it would cause the NSA. Why one of the NSA’s top TAO operatives thought it was safe to use Kaspersky anti-virus, a product created by a Russian company, is extremely curious. It really makes me wonder what he knows that the rest of us do not.

Disclaimer: I work for McAfee, a Kaspersky competitor.

Security Finally Got the Awareness it Needed in 2017. Now What?

There were a lot of security incidents in 2017, leading to more awareness of the dangers and risks. But now that this knowledge is being presented in mainstream media, what comes next?

The National Cyber Security Alliance, where Kaiser serves as executive director, helped create the awareness campaign in 2004, but nothing has been more effective than the hacks of 2017 at making security a household word.

“It was my job to be responsible for things like raising awareness of cybersecurity risk,” said Reitinger, CEO of the Global Cyber Alliance and a former cybersecurity director at the Department of Homeland Security.

Yahoo gave the public 3 billion reasons to worry about security.

“Pretty much everybody was affected. That’s what brought security into the mainstream lexicon.”

Remember, Equifax was completely aware of its security flaws, but it didn’t fix them.

There are just so many moving parts to the security equation that it is an exceedingly difficult problem to solve. I do not know whether we will ever reach security enlightenment; there will always be security issues to tackle. What we can do is collectively lower the risk by being more cognizant of the dangers involved in using online tools.

Ex-U.S. Marine Gets Life for Rape, Murder in Japan

Good riddance:

A Japanese court on Friday convicted a U.S. military contractor of murder and rape charges in the death of an Okinawa woman and sentenced him to life in prison.

The Naha District Court also found Kenneth Shinzato, a former Marine, guilty of abandoning the victim’s body, court officials said.

Half of about 50,000 American troops stationed in Japan are on Okinawa.

The U.S. military says the crime rate among its ranks in Japan is lower than among the general public.

Prime Minister Shinzo Abe’s government wants Japan to play a greater military role internationally and in Japan-U.S. security alliance amid escalating missile and nuclear threats from North Korea.

There is no place in the world, much less Japan, for people like Shinzato.

This is How to Prepare for a Cyber Attack

I was one of the team leaders for a tabletop exercise held during the November 2017 Cyber3 Conference at Keio University in Tokyo. The following are some of the lessons learned from a joint task force tabletop exercise:

The most effective participants communicated rapidly with domestic and international partners, shared information, and formed conclusions that helped mitigate the DDoS attacks and the power grid disruption. Other teams chose not to make key recommendations to higher authorities because they questioned their legality. Some players tried to send requests directly up the chain of command to lead agencies, instead of sharing horizontally.

Aside from the importance of sharing information and communicating across regulatory jurisdictions, one of the most important lessons gained from the TTX is that participants need to develop situational awareness as events unfold. This involves understanding how the individual pieces fit into the bigger picture, as well as being aware of the timeline of phishing attacks transitioning to power grid disruptions. The same will hold for any large cyber incident.

Operation Rugby Daemon showed that Japan must develop a series of TTXs to raise awareness about cybersecurity for the upcoming sports events. It must develop experienced game veterans who can offer useful recommendations in real-world situations. Japan also needs experts with the ability to make decisions based on incomplete information – a stressful experience that can only be prepared for during TTX exercises like the Rugby World Cup scenario. Book knowledge and checklists are no match for the ability to coordinate, share information and make quick decisions that can have a huge impact in a crisis.

The exercise was quite enjoyable, and it was interesting to see how representatives from disparate agencies can collaborate in real time on important issues potentially impacting a major event. My team was a tough one. They were more concerned with the legality of some of the questions than with taking quick action to resolve a situation.

It was quite eye-opening, and actually more terrifying than anything. If the task force actually took these actions during the event, the outcome would most likely have been catastrophic.

New Senate Bill Includes Jail Time for Executives Who Conceal Data Breaches

Senator Bill Nelson, ranking Democrat on the Commerce Committee, has revived the Data Security and Breach Notification Act, a bill calling for jail time for corporate executives who conceal data breaches:

If it becomes law, then it would overrule the many statewide laws regulating breach notifications by establishing a nationwide standard.

There’s a requirement for companies to notify customers within 30 days, along with the potential criminal penalties.

It also directs the FTC to develop standards businesses must follow if they collect customer information, like naming a person in charge of information security, establishing a process to identify vulnerabilities, having a process for the disposal of information, and other items in that vein.

In a statement, Nelson said “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what’s best for consumers, the choice is clear.”

In 2015 Nelson’s bill was one of several introduced to deal with the issue of protecting customers from these leaks and it’s likely that it will again have company.

It is doubtful the bill goes anywhere, and this is likely all just for show for Nelson’s constituents. The bill is a pipe dream and will almost certainly never become law.

The Billion-Dollar Company Helping Governments Hack Our Phones

I bet you did not know there is a billion-dollar company helping governments around the world hack mobile phones for various, likely unnecessary, reasons:

Mexico and the UAE aren’t the only countries where commercially made, government-only cyberweapons have been aimed at activists and lawyers, and NSO isn’t the only company making this kind of software: Citizen Lab has also helped investigations into abuse of spyware made by the Italian company Hacking Team and the Munich-based Gamma Group.

The Panamanian government has also been caught using Pegasus to hack citizens’ smartphones, alongside a similar weapon by the Italian company Hacking Team called RCS. In 2015, the government of Panama opened an investigation into its former president, Ricardo Martinelli, for running a personal NSO deployment out of a secret office, from which he spied on a number of opponents, including Americans.

The investment firm didn’t comment on the letter or the reasons for its decision not to invest in NSO. But when asked by a reporter for Israel’s Haaretz last month if NSO would have still sold its technology to Mexico in retrospect, one unnamed executive affiliated with the company was emphatic: “No,” they said.

When asked by Reuters about abuses of NSO software in Mexico and elsewhere, he said, “I think people believe that NSO is a company that does good. understand the value that this company has generated for the world. I am extremely proud of NSO.”
