CyberSecurity Pulse 2017-06-12

“Work on one thing at a time until finished.”
Henry Miller

Analyst Insight

Top Secret NSA Leaked Report Details Russian Hacking Effort Days Before US Elections

Russian military intelligence executed a cyberattack on at least one US voting software supplier and sent spear-phishing emails to more than 100 local election officials just days before last November's presidential election, according to a highly classified intelligence report obtained by The Intercept. The top-secret National Security Agency document analyzes intelligence very recently acquired by the agency about a months-long Russian intelligence effort against elements of the US election and voting infrastructure. The report, dated May 5, 2017, is the most detailed US government account of Russian interference in the election that has yet come to light.

As described by the classified NSA report, the Russian plan was simple: pose as an e-voting vendor and trick local government employees into opening Microsoft Word documents invisibly tainted with potent malware that could give hackers full control over the infected computers. So on August 24, 2016, the Russian hackers sent spoofed emails purporting to be from Google to employees of an unnamed U.S. election software company, according to the NSA report. The spear-phishing email contained a link directing the employees to a malicious, faux-Google website that would request their login credentials and then hand them over to the hackers. Two months later, on October 27, they set up an "operational" Gmail account designed to appear as if it belonged to an employee at VR Systems, and used documents obtained from the previous operation to launch a second spear-phishing operation "targeting U.S. local government organizations". These emails contained a Microsoft Word document that had been "trojanized" so that when it was opened it would send out a beacon to the "malicious infrastructure" set up by the hackers.

However, the NSA is uncertain about the results of the attack, according to the report: "It is unknown whether the aforementioned spear-phishing deployment successfully compromised the intended victims, and what potential data could have been accessed by the cyber actor". Although what the effort achieved remains unclear, the NSA assessed that the Russians appeared intent on "mimicking a legitimate absentee ballot-related service provider". Finally, the report does not indicate why the Russians targeted the tiny Pacific islands, a US territory with no electoral votes to contribute to the election.

» More information at The Intercept

Top Stories

Using Intel AMT Tool to Bypass Firewall

Microsoft has recently discovered that the cyberespionage group Platinum is now leveraging Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) channel as a file-transfer tool to steal data from certain targeted computers without being detected. Intel-based chipsets ship with the embedded AMT technology, which is designed to let IT administrators remotely manage and repair the PCs, workstations and servers of their organisations. Intel AMT operates independently of the operating system and works even when the system is turned off, as long as the platform is still connected to a power line and a network cable is plugged in. That is to say, whenever AMT is enabled, any packet sent to the PC's wired network port is redirected to the Management Engine and passed on to AMT. This implies that neither the operating system, nor any network monitoring application installed on it, is capable of seeing what is going on.

» More information at The Hacker News
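Because the SOL channel is terminated by the Management Engine before the operating system ever sees the packets, host-based monitoring cannot observe this kind of transfer; the place to look is a network tap or flow collector. The following is an added example of such network-side detection logic, written for this newsletter and not code from Microsoft or Intel. It flags flow records toward the Intel AMT service ports when the source is not a known management host. The port numbers (TCP 16992-16995 and UDP 623) are taken from public Intel AMT documentation and are an assumption of this example; the flow records are constructed sample data.

```python
"""Flag connections to Intel AMT service ports from hosts outside the
management allow-list.  Added example; not code from the page, Microsoft or Intel.

Port numbers assumed from public Intel AMT documentation:
  TCP 16992/16993  AMT web interface and WS-Management (HTTP / HTTPS)
  TCP 16994/16995  redirection services, including Serial-over-LAN (plain / TLS)
  UDP 623          RMCP-style discovery
"""
import ipaddress
from dataclasses import dataclass

AMT_TCP_PORTS = {16992, 16993, 16994, 16995}
AMT_UDP_PORTS = {623}
SOL_PORTS = {16994, 16995}          # redirection/SOL ports, the channel named in the story


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    port: int
    reason: str


def parse_flow(line):
    """Parse a 'ts src dst proto dport bytes' record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, nbytes = parts
    try:
        return {"ts": ts, "src": src, "dst": dst, "proto": proto.lower(),
                "dport": int(dport), "bytes": int(nbytes)}
    except ValueError:
        return None


def detect_amt_access(flow_lines, mgmt_nets):
    """Return an Alert for every AMT-port flow whose source lies outside mgmt_nets."""
    allowed = [ipaddress.ip_network(n) for n in mgmt_nets]
    alerts = []
    for line in flow_lines:
        flow = parse_flow(line)
        if flow is None:
            continue                      # skip junk rather than crash the collector
        is_amt = ((flow["proto"] == "tcp" and flow["dport"] in AMT_TCP_PORTS) or
                  (flow["proto"] == "udp" and flow["dport"] in AMT_UDP_PORTS))
        if not is_amt:
            continue
        src = ipaddress.ip_address(flow["src"])
        if any(src in net for net in allowed):
            continue                      # expected traffic from the management network
        reason = ("AMT SOL/redirection port" if flow["dport"] in SOL_PORTS
                  else "AMT management port")
        alerts.append(Alert(flow["ts"], flow["src"], flow["dst"], flow["dport"], reason))
    return alerts


# Constructed sample flow records (not real traffic): ts src dst proto dport bytes
SAMPLE_FLOWS = [
    "2017-06-01T09:00:01 10.0.5.12 10.0.9.40 tcp 443 5120",
    "2017-06-01T09:00:07 10.0.1.5 10.0.9.40 tcp 16992 2048",      # jump host, allow-listed
    "2017-06-01T09:01:13 10.0.5.77 10.0.9.40 tcp 16994 904212",   # workstation talking SOL
    "2017-06-01T09:01:20 10.0.5.77 10.0.9.41 udp 623 64",
    "garbage line",
]
MGMT_NETS = ["10.0.1.0/24"]               # assumed management network for the example

if __name__ == "__main__":
    for a in detect_amt_access(SAMPLE_FLOWS, MGMT_NETS):
        print(f"{a.ts} {a.src} -> {a.dst}:{a.port} {a.reason}")
```

The allow-list is the important design choice: AMT traffic from the management network is normal, so alerting on the port alone produces noise; alerting on the port from an unexpected source, and separately on the SOL/redirection ports, is what surfaces a workstation being used as a covert file-transfer endpoint.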

Kaspersky Accuses Microsoft of Unfair Competitive Practices

Kaspersky Lab told European antitrust regulators that Microsoft prevents third-party security software vendors from competing on an equal footing with the software products built into the Windows operating system. "Microsoft uses its dominant position in the computer operating system market to promote its own security software (Windows Defender) at the expense of users' previously self-chosen security solution", says the co-founder of the security company, Eugene Kaspersky. In response, Microsoft has recently published a public statement saying that the company tried to reach out to Kaspersky Lab after the initial complaint was filed in November 2016, but that there had been no communication between the two since then. It remains to be seen what EU regulators decide to do about this matter.

» More information at Kaspersky

Rest of the Week's News

An Updated Firefox Extension Abusing Instagram

According to a report published by researchers from ESET, a recently discovered backdoor Trojan has been using comments posted to Britney Spears's official Instagram account to let infected machines locate the C&C server that sends them instructions and receives the stolen data. The technique makes the malware harder to detect because the attacker-controlled servers are never directly referenced in the malware itself; the information is shared over an apparently innocuous connection to a legitimate service.

» More information at We Live Security

Password Manager OneLogin Hacked, Exposing Sensitive Customer Data

In a brief blog post, OneLogin said that it was aware of unauthorized access to OneLogin data in its US data region. "The threat actor was able to access database tables that contain information about users, apps, and various types of keys", the company said. OneLogin has also advised customers to change their main passwords, to generate new API keys for their services, and to create both new OAuth tokens (used for logging into accounts) and new security certificates.

» More information at OneLogin

Linux Distros Patch Dangerous Vulnerability in Sudo Command

Several Linux distros have issued updates to fix a vulnerability in Sudo, the utility behind the sudo command, which can allow an unprivileged attacker to gain root privileges. Researchers say that an attacker who is already able to run shell commands can craft malformed sudo commands that allow them to overwrite any file on the system, including root-owned files. In other words, the attacker gains root-level privileges.

» More information at Bleeping Computer

Further Reading

Al-Jazeera Claims To Be Facing a Large-scale Cyberattack Due To Qatar Crisis

» More information at Security Affairs

A New Linux Malware Targets Raspberry Pi Devices To Mine Cryptocurrency

» More information at Security Affairs

WikiLeaks Says CIA's Pandemic Turns Servers Into Infectious Patient Zero

» More information at Ars Technica