UNM4SK3D: China, NotPetya, and Bitcoin
The Great Firewall just got stronger. China’s Ministry of Industry and Information Technology recently made it illegal to use or operate VPNs (Virtual Private Networks) without government permission in an effort to increase Internet censorship. Digital dumplings, fried.
Back up. You may or may not know that the ‘Great Firewall of China’ is “the nation’s Golden Shield project that employs a variety of tricks to censor Internet and block access to various foreign news and social media sites, including Google, Facebook, Twitter, Tumblr, Dropbox, and The Pirate Bay.” Because, total control. In order to access these blocked websites, Chinese citizens use VPNs, which securely route Internet traffic through a distant connection, protecting your browsing, hiding your location data and allowing you to access restricted sites. GreenVPN and SuperVPN, two popular VPN services in the country, were down over the weekend, and GreenVPN notified customers on July 1st that they would no longer be offering services due to ‘regulations.’
In similar news, an investigation by the Munk School of Global Affairs at the University of Toronto’s Citizen Lab found that China Digital Times, a California-based news website covering China, was targeted in a spying campaign. Their findings indicate this attack was similar to previous malware campaigns against a Tibetan radio station and the Thai government. In this case, the campaign used phishing lures and the NetWire remote access Trojan. Why does this matter? Many researchers suspect this attack was state-sponsored by China, as Reuters, the Straits Times, The New York Times, Agence France-Presse and other news organizations have reported past intrusions by alleged Chinese hackers looking to control news surrounding the country. No official connection has been made at this time.
These news websites report on issues sensitive to the government of China and are blocked in the country. However, this report does not conclusively attribute the campaign to a publicly reported threat actor or state sponsor. -Citizen Lab researcher
For a different approach to bypassing censorship, read: ‘Using Steganography and Cryptography to Bypass Censorship in Third World Countries.’
By this time, you’ve probably heard of the NotPetya malware attack that spread around the world, hitting Ukraine hardest of the affected countries. Now, a video was released by Ukrainian National Police which shows officers raiding M.E.Doc accounting software maker’s servers, as the company is believed to be the original source of the malware outbreak, despite saying ‘Not’ M.E.-Doc.
According to Yulia Kvitko, Cyber Police spokeswoman, there has been an ongoing investigation into M.E.Doc’s offices and new evidence indicated this malware was created for destruction rather than financial gain and was planned months prior by advanced attackers. Researchers at ESET, which detected the malware as DiskCoder.C, “found ‘a very stealthy and cunning backdoor’ that attackers injected into one of the modules in the M.E.Doc accounting software. Attackers likely needed access to M.E.Doc’s source code to do this.” Researchers have not yet performed forensic analysis on the M.E.Doc server, but believe there are signs the server was compromised. ESET reports the backdoor was built into at least three M.E.Doc software updates that were released between April and June of 2017. When a machine was updated it was hit with the attack, allowing the malware to rapidly spread throughout an organization. The attacker used stolen credentials to manipulate the update server for M.E.Doc to proxy connections to an actor-controlled server.
Despite denials of involvement from the company, it appears they could face charges. Meanwhile, investigators are urging users not to access M.E.Doc software and even to shut down computers running the software, and caution those with ties to Ukrainian businesses to be especially careful. Ukrainian officials believe Russia is responsible for the attack, but investigations are still ongoing.
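The update-channel compromise described above defeats two checks a defender would normally rely on: the update came from the real vendor host, and nothing in the package looked unusual. As an added illustration (not code from the page, from M.E.Doc or from ESET), the Python below flags updater connections to hosts outside an allowlist and verifies a downloaded package against a hash obtained out of band rather than from the update server. The process name, hostnames, IP address and log lines are constructed placeholders.

```python
import hashlib
import hmac
import re

# Constructed sample egress log (not from the page): timestamp, process, destination, bytes.
SAMPLE_EGRESS_LOG = """\
2017-06-27T10:02:11Z medoc_updater.exe update.vendor.example 418233
2017-06-27T10:02:13Z medoc_updater.exe update.vendor.example 1200
2017-06-27T10:05:40Z medoc_updater.exe 198.51.100.23 96211
2017-06-27T10:06:02Z outlook.exe mail.corp.example 2211
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_egress(log_text):
    """Turn each log line into a dict; malformed lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, proc, dst, nbytes = m.groups()
            entries.append({"ts": ts, "proc": proc, "dst": dst, "bytes": int(nbytes)})
    return entries


def find_unexpected_update_egress(log_text, updater_process, allowed_hosts):
    """Flag updater connections to any destination outside the allowlist.
    An update server that has been made to proxy to an attacker-controlled
    host shows up here even when the downloaded package looks normal."""
    return [e for e in parse_egress(log_text)
            if e["proc"] == updater_process and e["dst"] not in allowed_hosts]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_update_package(data, pinned_sha256):
    """Accept a package only if its hash matches one obtained out of band
    (vendor bulletin, signed manifest), never one served by the update host."""
    return hmac.compare_digest(sha256_hex(data), pinned_sha256.lower())


if __name__ == "__main__":
    for e in find_unexpected_update_egress(SAMPLE_EGRESS_LOG, "medoc_updater.exe",
                                           {"update.vendor.example"}):
        print("ALERT: updater reached unexpected host", e["dst"], "at", e["ts"])
```

Note that a backdoor built into a package the vendor signed and served itself, as ESET describes, passes the hash check; only the egress check and the vendor's own source-control and build integrity catch that case.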
While even the most thorough risk assessment can’t guarantee there’s no malware inside a vendor’s network, it can uncover red flags pointing to weak security controls that leave it vulnerable. -security researchers
To get the previous report on Petya, read last week’s UNM4SK3D.
Cryptocurrency enthusiasts beware: Bithumb, South Korea’s largest cryptocurrency exchange, was hacked, resulting in a loss of more than $1 million US after user accounts were compromised. Looks like it may be time to revert back to a good ol’ piggy bank.
To provide some context, cryptocurrency is “a digital currency in which encryption techniques are used to regulate the generation of units of currency and verify the transfer of funds, operating independently of a central bank.” Two popular types of cryptocurrency, Bitcoin and Ethereum, are both exchanged on Bithumb, and both types were compromised in this attack. Perhaps most alarming is that Bithumb provides 20% of global ether trades and roughly 10% of the global bitcoin trade. A survey of users who lost cryptocurrencies in the cyber attack reveals “it is estimated that hundreds of millions of won [worth of cryptocurrencies] have been withdrawn from accounts of one hundred investors. One member claims to have had 1.2 billion won stolen.”
In addition to having funds stolen, it appears 30,000 customers’ data has been compromised as well. Bithumb believes that an employee’s home computer was hacked but that this hack did not compromise the entire network. Luckily, no passwords were stolen, so it’s not possible for hackers to gain direct access to user accounts. Bithumb believes the loss of funds, however, is the result of using ‘disposable passwords’ in order to make digital transactions. BraveNewCoin reports some Bithumb users were victims of ‘voice phishing,’ where someone phoned them up claiming to work for Bithumb and scammed them out of funds. Reports indicate more than 100 Bithumb customers have already filed a complaint with the National Police Agency’s cybercrime report center, but the investigation by South Korean officials is just getting underway. This hack brings to light the uncertain nature of cryptocurrency, proving it is just another desirable target for hackers.
The employee PC, not the head office server, was hacked. Personal information such as mobile phone and email address of some users were leaked. However, some customers were found to have been stolen from because of the disposable password used in electronic financial transactions. -Bithumb statement
Not familiar with the cryptocurrency Ethereum? Read the ‘$60M Heist, the DAO Hack.’
A recent U.N. survey found that Singapore has a near-perfect approach to cyber security. Honorable mentions include the United States, Malaysia, Oman, Estonia, Mauritius, Australia, Georgia, France and Canada.
Most organizations are mandated to log data and perform log analysis as part of their security and compliance regulations. Log analysis helps reduce problem diagnosis and resolution time and supports the effective management of applications and infrastructure.
Test your log analysis knowledge in a revolutionary way and gain hands-on experience necessary to become a security professional. In the Log Analysis Capture the Flag, you will detect failed processes, network outages, or protocol failures, and determine data trends, among other tasks.
This skill assessment is especially useful if you’re interested in a security or audit compliance, forensics, security incident response or system troubleshooting position.
Olivia Lynch (@Cybrary_Olivia) is the Marketing Manager at Cybrary. Like many of you, she is just getting her toes wet in the infosec field and is working to make cyber security news more interesting. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.