SSL and internet security news

northkorea

Auto Added by WPeMatico

US Government Exposes North Korean Malware

US Cyber Command has uploaded North Korean malware samples to the VirusTotal aggregation repository, adding to the malware samples it uploaded in February.

The first of the new malware variants, COPPERHEDGE, is described as a Remote Access Tool (RAT) “used by advanced persistent threat (APT) cyber actors in the targeting of cryptocurrency exchanges and related entities.”

This RAT is known for its capability to help the threat actors perform system reconnaissance, run arbitrary commands on compromised systems, and exfiltrate stolen data.

TAINTEDSCRIBE is a trojan that acts as a full-featured beaconing implant with command modules and designed to disguise as Microsoft’s Narrator.

The trojan “downloads its command execution module from a command and control (C2) server and then has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.”

Last but not least, PEBBLEDASH is yet another North Korean trojan acting like a full-featured beaconing implant and used by North Korean-backed hacking groups “to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.”

It’s interesting to see the US government take a more aggressive stance on foreign malware. Making samples public, so all the antivirus companies can add them to their scanning systems, is a big deal — and probably required some complicated declassification maneuvering.

Me, I like reading the codenames.

Lots more on the US-CERT website.

Powered by WPeMatico

Russians Hacked the Olympics

Two weeks ago, I blogged about the myriad of hacking threats against the Olympics. Last week, the Washington Post reported that Russia hacked the Olympics network and tried to cast the blame on North Korea.

Of course, the evidence is classified, so there’s no way to verify this claim. And while the article speculates that the hacks were a retaliation for Russia being banned due to doping, that doesn’t ring true to me. If they tried to blame North Korea, it’s more likely that they’re trying to disrupt something between North Korea, South Korea, and the US. But I don’t know.

Powered by WPeMatico

Internet Security Threats at the Olympics

There are a lot:

The cybersecurity company McAfee recently uncovered a cyber operation, dubbed Operation GoldDragon, attacking South Korean organizations related to the Winter Olympics. McAfee believes the attack came from a nation state that speaks Korean, although it has no definitive proof that this is a North Korean operation. The victim organizations include ice hockey teams, ski suppliers, ski resorts, tourist organizations in Pyeongchang, and departments organizing the Pyeongchang Olympics.

Meanwhile, a Russia-linked cyber attack has already stolen and leaked documents from other Olympic organizations. The so-called Fancy Bear group, or APT28, began its operations in late 2017 –­ according to Trend Micro and Threat Connect, two private cybersecurity firms­ — eventually publishing documents in 2018 outlining the political tensions between IOC officials and World Anti-Doping Agency (WADA) officials who are policing Olympic athletes. It also released documents specifying exceptions to anti-doping regulations granted to specific athletes (for instance, one athlete was given an exception because of his asthma medication). The most recent Fancy Bear leak exposed details about a Canadian pole vaulter’s positive results for cocaine. This group has targeted WADA in the past, specifically during the 2016 Rio de Janeiro Olympics. Assuming the attribution is right, the action appears to be Russian retaliation for the punitive steps against Russia.

A senior analyst at McAfee warned that the Olympics may experience more cyber attacks before closing ceremonies. A researcher at ThreatConnect asserted that organizations like Fancy Bear have no reason to stop operations just because they’ve already stolen and released documents. Even the United States Department of Homeland Security has issued a notice to those traveling to South Korea to remind them to protect themselves against cyber risks.

One presumes the Olympics network is sufficiently protected against the more pedestrian DDoS attacks and the like, but who knows?

EDITED TO ADD: There was already one attack.

Powered by WPeMatico

NSA Links WannaCry to North Korea

There’s evidence:

Though the assessment is not conclusive, the preponderance of the evidence points to Pyongyang. It includes the range of computer Internet protocol addresses in China historically used by the RGB, and the assessment is consistent with intelligence gathered recently by other Western spy agencies. It states that the hackers behind WannaCry are also called “the Lazarus Group,” a name used by private-sector researchers.

One of the agencies reported that a prototype of WannaCry ransomware was found this spring in a non-Western bank. That data point was a “building block” for the North Korea assessment, the individual said.

Honestly, I don’t know what to think. I am skeptical, but I am willing to be convinced. (Here’s the grugq, also trying to figure it out.) What I would like to see is the NSA evidence in more detail than they’re probably comfortable releasing.

More commentary. Slashdot thread.

Powered by WPeMatico

Further Evidence Pointing to North Korea as Sony Hacker

The FBI has provided more evidence:

Speaking at a Fordham Law School cybersecurity conference Wednesday, Comey said that he has “very high confidence” in the FBI’s attribution of the attack to North Korea. And he named several of the sources of his evidence, including a “behavioral analysis unit” of FBI experts trained to psychologically analyze foes based on their writings and actions. He also said that the FBI compared the Sony attack with their own “red team” simulations to determine how the attack could have occurred. And perhaps most importantly, Comey now says that the hackers in the attack failed on multiple occasions to use the proxy servers that bounce their Internet connection through an obfuscating computer somewhere else in the world, revealing IP addresses that tied them to North Koreans.

“In nearly every case, [the Sony hackers known as the Guardians of Peace] used proxy servers to disguise where they were coming from in sending these emails and posting these statements. But several times they got sloppy,” Comey said. “Several times, either because they forgot or because of a technical problem, they connected directly and we could see that the IPs they were using…were exclusively used by the North Koreans.”

“They shut it off very quickly once they saw the mistake,” he added. “But not before we saw where it was coming from.”

Here’s the full text of the FBI director’s remarks. More news stories. Commentary from Just Security. Slashdot thread. Hacker News thread.

Powered by WPeMatico

Attack Attribution in Cyberspace

When you’re attacked by a missile, you can follow its trajectory back to where it was launched from. When you’re attacked in cyberspace, figuring out who did it is much harder. The reality of international aggression in cyberspace will change how we approach defense.

Many of us in the computer-security field are skeptical of the US government’s claim that it has positively identified North Korea as the perpetrator of the massive Sony hack in November 2014. The FBI’s evidence is circumstantial and not very convincing. The attackers never mentioned the movie that became the centerpiece of the hack until the press did. More likely, the culprits are random hackers who have loved to hate Sony for over a decade, or possibly a disgruntled insider.

On the other hand, most people believe that the FBI would not sound so sure unless it was convinced. And President Obama would not have imposed sanctions against North Korea if he weren’t convinced. This implies that there’s classified evidence as well. A couple of weeks ago, I wrote for the Atlantic, “The NSA has been trying to eavesdrop on North Korea’s government communications since the Korean War, and it’s reasonable to assume that its analysts are in pretty deep. The agency might have intelligence on the planning process for the hack. It might, say, have phone calls discussing the project, weekly PowerPoint status reports, or even Kim Jong Un’s sign-off on the plan. On the other hand, maybe not. I could have written the same thing about Iraq’s weapons-of-mass-destruction program in the run-up to the 2003 invasion of that country, and we all know how wrong the government was about that.”

The NSA is extremely reluctant to reveal its intelligence capabilities — or what it refers to as “sources and methods” — against North Korea simply to convince all of us of its conclusion, because by revealing them, it tips North Korea off to its insecurities. At the same time, we rightly have reason to be skeptical of the government’s unequivocal attribution of the attack without seeing the evidence. Iraq’s mythical weapons of mass destruction is only the most recent example of a major intelligence failure. American history is littered with examples of claimed secret intelligence pointing us toward aggression against other countries, only for us to learn later that the evidence was wrong.

Cyberspace exacerbates this in two ways. First, it is very difficult to attribute attacks in cyberspace. Packets don’t come with return addresses, and you can never be sure that what you think is the originating computer hasn’t itself been hacked. Even worse, it’s hard to tell the difference between attacks carried out by a couple of lone hackers and ones where a nation-state military is responsible. When we do know who did it, it’s usually because a lone hacker admitted it or because there was a months-long forensic investigation.

Second, in cyberspace, it is much easier to attack than to defend. The primary defense we have against military attacks in cyberspace is counterattack and the threat of counterattack that leads to deterrence.

What this all means is that it’s in the US’s best interest to claim omniscient powers of attribution. More than anything else, those in charge want to signal to other countries that they cannot get away with attacking the US: If they try something, we will know. And we will retaliate, swiftly and effectively. This is also why the US has been cagey about whether it caused North Korea’s Internet outage in late December.

It can be an effective bluff, but only if you get away with it. Otherwise, you lose credibility. The FBI is already starting to equivocate, saying others might have been involved in the attack, possibly hired by North Korea. If the real attackers surface and can demonstrate that they acted independently, it will be obvious that the FBI and NSA were overconfident in their attribution. Already, the FBI has lost significant credibility.

The only way out of this, with respect to the Sony hack and any other incident of cyber-aggression in which we’re expected to support retaliatory action, is for the government to be much more forthcoming about its evidence. The secrecy of the NSA’s sources and methods is going to have to take a backseat to the public’s right to know. And in cyberspace, we’re going to have to accept the uncomfortable fact that there’s a lot we don’t know.

This essay previously appeared in Time.

Powered by WPeMatico