UNM4SK3D: CIA, Dark Web, and China

#wikileaks (they just keep coming).

You know that feeling you get when your favorite artist continues dropping singles but doesn’t release an album? The same can be felt for Wikileaks, but instead of anticipation, their releases cause anxiety. The latest series of documents from the Vault7 project was released on March 31st.

These documents detail what the CIA referred to as the “Marble Framework.” This framework could obscure text strings within CIA malware so forensic experts can’t trace its source back to the CIA. According to Wikileaks, they say, “Combined with the revealed obfuscation techniques, a pattern or signature emerges which can assist forensic investigators in attributing previous hacking attacks and viruses to the CIA. Marble was in use at the CIA during 2016. It reached 1.0 in 2015.”

The Marble leak is extensive, with 676 source code files shared in total. Unlike previous documents, this notes that the framework is used for obfuscation only and does not contain any security holes or exploits by itself. In press reports, some security experts have called it the most ‘technically damaging’ dump so far. Wikileaks discloses Marble has test examples in multiple languages, meaning it is possible for a person creating malware to set their spoken language as being Chinese, Russian, Korean, Arabic and Farsi. So CIA created malware could potentially be developed to appear as if it was emanating from another country. Since the Marble framework is now public, forensic investigators would be able to connect patterns to reveal wrongly attributed previous cyber attacks and viruses.

As for a reaction to this recent leak? The CIA expressed its’ outrage to The Post saying “Dictators and terrorists have no better friend in the world than Julian Assange, as theirs is the only privacy he protects… Such disclosures not only jeopardize US personnel and operations but also equip our adversaries with tools and information to do us harm.” The White House mirrored their disapproval, saying “those responsible for leaking classified information from the agency should be held accountable by the law.”

Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA -Wikileaks

ObserveIt thinks the Vault7 leaks reveal the need for user activity monitoring and analytics. Do you agree? Read their blog and decide.

#edu

If you’ve been clinging onto your college days by still using your .edu address for personal emails, it may be time to make a change. A recent report from the Digital Citizens Alliance shows 14 million .edu email addresses and email passwords from the 300 largest higher educational institutions in the U.S. were available for sale on the Dark Web.

Of that 14 million, 11 million were reportedly uncovered within the last year, reports Campus Technology. It is more than likely that the student, teacher, and faculty usernames and passwords were compromised when users accessed them in non-academic settings where .edu credential-holders used .edu user names. Or, the credentials could have been fraudulently created in the first place. Targeted institutions with the most stolen credentials? University of Michigan (122,556), Penn State (119,350), University of Minnesota (117,604), and Michigan State (115,973) to name a few, with prices for this information ranging from $3.50 to $10 apiece. Buyers can use those stolen credentials to cash in on university discounts in some cases, such as software and Amazon Prime memberships, for example.

At this time, researchers cannot determine how many of the stolen passwords are valid because legally they can’t confirm that. Some of the emails are most likely spoofed or phony, which can still be dangerous since spoofed emails are often used in phishing attacks. Hacker ‘Dead-Mellox’ from the hackivist organization Team GhostShell shared why .edu domains are so valuable. Among the reasons being that “higher ed institutions tend to have more data than leading commercial businesses or governmental entities and their assets, including intellectual property and research, offer bigger prizes for hackers.”

I’ve been scraping the Dark Web since 2009. There were 2.2 million .edu [emails] there back in 2015, 2.8 million in 2016, and now almost 14 million a year later. That’s a significant spike -Brian Dunn, managing partner at ID Agent

Dig deeper into the Dark Web with this blog. Just don’t venture alone! Read ‘Exploring the Dark Web.’

#APT10

If there was a contest running for most consecutive hacks, APT10 just might win. The Chinese hacking group has been incredibly busy lately. Fidelis Cybersecurity published a report this week saying they implanted a piece of malware on the ‘Events’ page of the US National Foreign Trade Council (NFTC) website in February. In another report from PwC UK and BAE Systems, also published this week, they say APT10 is behind a widespread campaign known to be targeting managed service providers (MSPs) in at least fourteen countries.

Both of these reports come ahead of the trade summit on April 6th between US President Donald Trump and China’s President Xi Jinping. Perfect timing. The attack against the NFTC site is being considered an attempt to conduct surveillance on the main industry players and lobbyists closely associated with U.S trade policy activities. Referred to as ‘Operation TradeSecret,’ the malicious link invited the organization’s board of directors to register for a meeting in Washington DC on March 7. Clicking on the link actually deployed a spying tool called ‘Scanbox.’ Previously used by nation-state threat actors associated with the Chinese government, Scanbox has the ability to record the type and versions of software a victim is running and run keyloggers on compromised computers. What may be most concerning, is who was targeted in this attack. The NFTC’s board represent many influential people and companies, including executives from Google, Amazon, IBM, Coca-Cola, Microsoft, KPMG, Pfizer, Visa, and Walmart. Malware has since been removed from the site, but the world is holding its’ breath as this meeting takes place.

Operation Cloud Hopper which uses a mixture of unique hacking tools and open-source software in attacks against service providers around the world, contains historical evidence pointing to an overlap in malware used in attacks previously attributed to APT10. The researchers detail domain registration timing evidence that suggests operation comes from within China’s time zone. While the authors do not suggest that APT10 is state-controlled, but they do believe it is at least state-sponsored. In this report, they describe a campaign that uses phishing to primarily compromise MSPs. Once the MSP has been compromised, they obtain legitimate credentials to access the MSPs’ client networks that align to APT10’s typical targeting profile. APT10’s motives are alledgely to gain information that aligns with China’s current five-year plan (FYP) for economic growth.

The problem in these cases is attribution, and how heavily we can rely on circumstantial evidence. Two of the biggest takeaways gleaned from these reports: Organizations are still not adequately securing their supply chain and most likely the US/China and UK/China agreements to curb economic espionage are now invalid.

The notion that China has decreased its efforts since 2015 to conduct economic espionage is preposterous. China is known for using cutouts and sympathetic agents to collect information on their behalf. China, Russia and other nation states frequently outsource wholesale hacking operations to individual groups and companies. -Israel Barak, CISO of Cybereason

APT10 aren’t the only fraudsters working overtime. Read ‘SMiShing’ for another Chinese scam.

#factbyte

A new research project will look into whether the perceived link between cybercrime and “autistic-like personality traits” really exists. The joint University of Bath’s Centre for Applied Autism, National Crime Agency (NCA) Cyber Crime Unit and Research Autism project, are behind the research, saying “Autism and traits of the condition appear to be more prevalent among cyber criminals than for other types of crime but the link remains unproven.”

#certspotlight

Cyber security’s progressive nature must be addressed by policies that are equally as progressive. These policies, likewise, must recognize a continually growing list of threats while remaining closely aligned to a business’ goals and objectives.

Security policy is a critical component of the design and further implementation of information systems. It outlines a set of rules and procedures that specify how the system should manage and safeguard sensitive information. The objective of policies is to educate by guiding design, development, implementation, testing and maintenance across an organization.

In order to provide the basis for a company-wide information system, you must first learn to develop policies that address the confidentiality, integrity, and availability of critical information. The Policy Development Micro Certification addresses areas to protect your organization’s reputation, resources and employees while ensuring compliance with all industry, regulatory, Federal, and international standards.

This issue of UNM4SK3D was originally posted on the Cybrary.it blog and has be republished with permission. To access the original version, click here.

Olivia Lynch (@Cybrary_Olivia) is the Marketing Manager at Cybrary. Like many of you, she is just getting her toes wet in the field of cyber security. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.

One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.