If anyone is to blame for global cyber attacks it’s the US, whose negligence let elite hacking tools leak onto the internet, where they were turned into ransomware. No Russia scare = no free US taxpayer cash for cyber companies.
“EternalBlue’s widespread use is tinged with the added irony that a sophisticated, top-secret US cyber espionage tool [funded by US taxpayers] is now the people’s crowbar. It is also frequently used by an array of nation state hackers.”
…………………….
11/10/18, “ISIS Again Claims Cyber Attacks Which Were Falsely Blamed on Russia," Strategic Culture, Moon of Alabama
“Since late 2014 the Islamic State in Iraq and Syria (ISIS, terrorist organization, banned in Russia by court order) had its own hacking group. It waged cyber attacks against media and military targets. The group became known as United Cyber Caliphate (UCC).
Later on some “experts” attributed the UCC attacks to Russia. They claimed that the Cyber Caliphate did not exist but was a Russian false flag operation. There is now new evidence such claims are nonsense.
The attacks claimed by the Cyber Caliphate included:
- Jan 2015 – Twitter and YouTube accounts of the U.S. CentCom taken over and filled with pro-ISIS messages.
- Mar 2015 – United States Air Force’s pilots list with detailed personal information posted online.
- Apr 2015 – French TV5Monde live feed and social media hacked and defaced with the message “Je Suis ISIS”.
- Apr 2015 – Australian airport website defaced with ISIS message.
- Aug 2015 – United States’ military database hacked and data of some 1400 personnel posted online.
- Sep 2015 – British government emails hacked. Email addresses of top cabinet ministers published.
- Apr 2016 – UCC successfully hacks 20 Australian business websites, redirects them to ISIS content.
- Apr 2017 – UCC released a kill list of 8,786 people.
But then the ‘Russia scare’ nonsense took over. Suddenly each and every assumed computer attack, including those by the Cyber Caliphate, was attributed to Russia [Reuters, June 10, 2015]:
“Russian hackers linked to the Kremlin could be behind one of the biggest attacks to date on televised communications, which knocked French station TV5Monde off air in April, sources familiar with France’s inquiry said…
Hackers claiming to be supporters of Islamic State caused the public station’s 11 channels to temporarily go off air and posted material on its social media feeds to protest against French military action in Iraq…
U.S. cybersecurity company FireEye, which has been assisting French authorities in some cases, said on Wednesday that it believed the attack came from a Russian group it suspects works with the Russian executive branch…
Information about the TV5 attack was published on a website branded as part of the “Cyber Caliphate,” a reference to the Islamic State.
But the site was hosted on the same block of Internet Protocol addresses and used the same domain name server as the group called APT28 by FireEye and Pawn Storm by Trend Micro, another large security company.”
Similar claims were made over other attacks that ISIS claimed for itself. “The Russians did it!” screamed various snake-oil selling cyber security companies.
Soon it was said that the Cyber Caliphate did not exist at all [6/18/2016, Observer, Schindler]:
“[T]he Cyber Caliphate is a Russian intelligence operation working through what spies term a cut-out.
U.S. secret agencies, including the National Security Agency, which controls American cyber-espionage and works closely with CYBERCOM, came to similar conclusions “APT 28 is Russian intelligence, it’s that simple,” explained an NSA expert to me recently…
In other words, the Cyber Caliphate is a Russian false-flag operation.”
The snake-oil sellers and the writer above (intentionally) mistake methods for actors. The Advanced Persistent Threat (APT) number 28 describes a certain course of action taken during a hack. It is a well known method that can be identified to some degree. But recognizing a method does not identify the persons that use it.
If a burglar once used a crowbar to open a window, further nearby break-ins that use a similar method might have been done by the same person. Or they might not. A different burglar could have used the same method. A home owner could have used it to scam his insurance. The method does not describe the actor.
Likewise the use of certain tools and methods to break into a computer does not define an actor. APT 28 is not Russia. These tools and methods are publicly known. A spearphishing email is sent to the target. When the receiver clicks a link in that email, malicious software is launched that creates a backdoor into the targeted computer. Anyone can find such tools online and initiate an attack. The often claimed attribution of APTxyz to Russia always was and is sheer nonsense.
There is also new proof that the Cyber Caliphate indeed exists.
A few days ago a news outlet affiliated with ISIS published an obituary of a Canadian hacker who worked for ISIS.
The Montreal Gazette reports [11/7/18]:
“An Islamic State-linked media outlet says a Canadian man was behind the terror group’s highest-profile cyber attacks, including the embarrassing takeover of the Twitter account of the U.S. military’s Central Command [listed above, Jan. 2015]…
The Canadian fighter, who is said to have been killed by a drone strike in Syria, also allegedly penetrated bank computers and used the “spoils” to fund their fighting and hacked the U.S. Department of Defense, airports, international media organizations and the accounts of “hundreds” of U.S. soldiers...
The Toronto-born man “managed to bring blessed victories for the Caliphate state by carrying out electronic attacks that have made the enemies taste defeat and failure,” according to the [Arabic-language] notice, ..
The “martyrdom” notice published by Al-Muhajireen Foundation, an outlet with known links to ISIL, identifies the Canadian jihadi hacker only by a nickname: Abu Osama Al-Kanadi…
The announcement says Al-Kanadi became a top computer specialist with ISIL, also known by the acronym ISIS, and praises his online exploits with the Caliphate Cyber Army.”
Abu Osama Al-Kanadi does not sound Russian to me. Nor were any of the hacks the Cyber Caliphate claimed in any way useful to Russia.
But the damage is done. None of those “experts” who claimed that Russia was behind the Cyber Caliphate attacks will retract their claims and papers. Nor will there be any correction in those mainstream media that repeated their nonsense.
The message is clear: Russia is bad. Every hack ever done is by Russia. Russia is the enemy. Don’t you ever forget that.”
moonofalabama.org
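The TV5Monde attribution quoted above rests on the defacement site sharing an IP address block and a name server with infrastructure tied to APT28, and the piece's objection is that shared infrastructure does not by itself identify an operator. The following Python is an added example, not code from Moon of Alabama or from any vendor named on this page, that makes the objection measurable: it scores an infrastructure overlap by how many other domains in a dataset would match just as well. All records are constructed sample data under .example names and the weighting scheme is this example's own simplification.

```python
"""Added example: weighting an infrastructure-overlap match by how common that overlap is.
Every record below is constructed sample data; none of these names or addresses is a real indicator."""
import ipaddress

# domain -> (hosting IP, authoritative name server); hypothetical dataset
RECORDS = {
    "claimed-site.example":   ("203.0.113.10",  "ns1.cheap-host.example"),
    "known-campaign.example": ("203.0.113.77",  "ns1.cheap-host.example"),
    "bakery.example":         ("203.0.113.30",  "ns1.cheap-host.example"),
    "cycling-club.example":   ("203.0.113.201", "ns1.cheap-host.example"),
    "law-firm.example":       ("203.0.113.150", "ns1.cheap-host.example"),
    "unrelated.example":      ("198.51.100.5",  "ns1.other-host.example"),
    "dedicated-site.example": ("192.0.2.9",     "ns.private-dns.example"),
    "dedicated-peer.example": ("192.0.2.14",    "ns.private-dns.example"),
}


def same_block(ip_a, ip_b, prefix=24):
    """True when both addresses fall in the same /prefix network."""
    net = lambda ip: ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return net(ip_a) == net(ip_b)


def overlap_indicators(a, b, records=RECORDS):
    """The two overlap facts the quoted attribution relied on."""
    ip_a, ns_a = records[a]
    ip_b, ns_b = records[b]
    return {"same_ip_block": same_block(ip_a, ip_b), "same_name_server": ns_a == ns_b}


def matching_population(a, records=RECORDS):
    """Every other domain in the dataset that overlaps with `a` on both indicators.
    The bigger this set, the less any single member's overlap says about who runs `a`."""
    ip_a, ns_a = records[a]
    return sorted(d for d, (ip, ns) in records.items()
                  if d != a and ns == ns_a and same_block(ip, ip_a))


def overlap_weight(a, b, records=RECORDS):
    """Crude evidential weight of 'a overlaps with b': 1 / (number of domains that match a equally well).
    1.0 means b is the only such match; small values mean 'consistent with b, and with everyone else
    on that shared host'; 0.0 means there is no full overlap at all."""
    if not all(overlap_indicators(a, b, records).values()):
        return 0.0
    return 1.0 / len(matching_population(a, records))


if __name__ == "__main__":
    for a, b in (("claimed-site.example", "known-campaign.example"),
                 ("dedicated-site.example", "dedicated-peer.example"),
                 ("claimed-site.example", "unrelated.example")):
        print(a, b, overlap_indicators(a, b), overlap_weight(a, b))
```

The point of the weight is the denominator: an overlap on cheap shared hosting is consistent with the suspected group and with every bakery and cycling club on the same /24, whereas the same two indicators on dedicated infrastructure narrow the candidates to one. A real assessment would add more indicators (registration data, certificates, timing) and a real population, but the direction of the correction is the same.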
……………….
Added:
Since April 2017, NSA’s elite hacking tool EternalBlue has been “in every hacker’s toolbox.” “EternalBlue…a sophisticated, top-secret US cyber espionage tool…is also frequently used by an array of nation state hackers…It will be years before enough computers are patched against EternalBlue.” Because the same leaked tool is in so many hands, its use also blurs attribution: “They use these tools in trying to evade attribution. It makes it harder for us to determine whether the attacker was sitting in country one or two or three.”
3/7/18, “The Leaked NSA Spy Tool That Hacked the World,” Wired, Lily Hay Newman
“Leaked to the public not quite a year ago [April 2017], EternalBlue has joined a long line of reliable hacker favorites. The Conficker Windows worm infected millions of computers in 2008, and the Welchia remote code execution worm wreaked havoc in 2003.
EternalBlue is certainly continuing that tradition—and by all indications it’s not going anywhere. If anything, security analysts only see use of the exploit diversifying as attackers develop new, clever applications, or simply discover how easy it is to deploy….
EternalBlue is the name of both a software vulnerability in Microsoft’s Windows operating system and an exploit the National Security Agency developed to weaponize the bug. In April 2017, the exploit leaked to the public, part of the fifth release of alleged NSA tools by the still mysterious group known as the Shadow Brokers.
Unsurprisingly, the agency has never confirmed that it created EternalBlue, or anything else in the Shadow Brokers releases, but numerous reports corroborate its origin—and even Microsoft has publicly attributed its existence to the NSA.
The tool exploits a vulnerability in the Windows Server Message Block, a transport protocol that allows Windows machines to communicate with each other and other devices for things like remote services and file and printer sharing. Attackers manipulate flaws in how SMB handles certain packets to remotely execute any code they want. Once they have that foothold into that initial target device, they can then fan out across a network.
Microsoft released its EternalBlue patches on March 14 of last year [2017]. But security update adoption is spotty, especially on corporate and institutional networks. Within two months, EternalBlue was the centerpiece of the worldwide WannaCry ransomware attacks….As WannaCry hit, Microsoft even took the “highly unusual step” of issuing patches for the still popular, but long-unsupported Windows XP and Windows Server 2003 operating systems.
In the aftermath of WannaCry, Microsoft and others criticized the NSA for keeping the EternalBlue vulnerability a secret for years instead of proactively disclosing it for patching. Some reports estimate that the NSA used and continued to refine the EternalBlue exploit for at least five years, and only warned Microsoft when the agency discovered that the exploit had been stolen. EternalBlue can also be used in concert with other NSA exploits released by the Shadow Brokers, like the kernel backdoor known as DarkPulsar, which burrows deep into the trusted core of a computer where it can often lurk undetected.
The versatility of the tool has made it an appealing workhorse for hackers. And though WannaCry raised EternalBlue’s profile, many attackers had already realized the exploit’s potential by then.
Within days of the Shadow Brokers release, security analysts say that they began to see bad actors using EternalBlue to extract passwords from browsers, and to install malicious cryptocurrency miners on target devices. “WannaCry was a big splash and made all the news because it was ransomware, but before that attackers had actually used the same EternalBlue exploit to infect machines and run miners on them,” says Jérôme Segura, lead malware intelligence analyst at the security firm Malwarebytes. “There are definitely a lot of machines that are exposed in some capacity.”
Even a year after Microsoft issued a patch, attackers can still rely on the EternalBlue exploit to target victims, because so many machines remain defenseless to this day. “EternalBlue will be a go-to tool for attackers for years to come,” says Jake Williams, founder of the security firm Rendition Infosec, who formerly worked at the NSA. “Particularly in air-gapped and industrial networks, patching takes a lot of time and machines get missed. There are many XP and Server 2003 machines that were taken off of patching programs before the patch for EternalBlue was backported to these now-unsupported platforms.”
At this point, EternalBlue has fully transitioned into one of the ubiquitous, name-brand instruments in every hacker’s toolbox—much like the password extraction tool Mimikatz. But EternalBlue’s widespread use is tinged with the added irony that a sophisticated, top-secret US cyber espionage tool is now the people’s crowbar. It is also frequently used by an array of nation state hackers including those in Russia’s Fancy Bear group, who started deploying EternalBlue last year [2017] as part of targeted attacks to gather passwords and other sensitive data on hotel Wi-Fi networks.
New examples of EternalBlue’s use in the wild still crop up frequently. In February, more attackers leveraged EternalBlue to install cryptocurrency-mining software on victim computers and servers, refining the techniques to make the attacks more reliable and effective. “EternalBlue is ideal for many attackers because it leaves very few event logs,” or digital traces, Rendition Infosec’s Williams notes. “Third-party software is required to see the exploitation attempts.”
And just last week, security researchers at Symantec published findings on the Iran-based hacking group Chafer, which has used EternalBlue as part of its expanded operations. In the past year, Chafer has attacked targets around the Middle East, focusing on transportation groups like airlines, aircraft services, industry technology firms, and telecoms.
“It’s incredible that a tool which was used by intelligence services is now publicly available and so widely used amongst malicious actors,” says Vikram Thakur, technical director of Symantec’s security response. “To [a hacker] it’s just a tool to make their lives easier in spreading across a network. Plus they use these tools in trying to evade attribution. It makes it harder for us to determine whether the attacker was sitting in country one or two or three."
It will be years before enough computers are patched against EternalBlue that hackers retire it from their arsenals. At least by now security experts know to watch for it—and to appreciate the clever innovations hackers come up with to use the exploit in more and more types of attacks.”
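The Wired passages above say EternalBlue works by sending malformed SMB packets and that its exploitation attempts leave few host event logs, so detection has to come from network-level tooling. As an added example, not code from Wired or from any product named on this page, here is a small Python parser for SMBv1 messages with a heuristic for the publicly documented MS17-010 exploitation pattern: an SMB_COM_NT_TRANSACT request announcing more data than a 16-bit Trans2 count can carry, followed by SMB_COM_TRANSACTION2_SECONDARY continuations on the same session. Command codes and the header layout follow MS-CIFS; the sample sessions are constructed inline rather than captured, and the byte threshold, session key and alert strings are this example's own choices.

```python
"""Added example: SMBv1 header parser plus an MS17-010 (EternalBlue) network heuristic.
All traffic here is constructed inline for illustration; nothing is captured from a real host."""
import struct

# SMBv1 command codes (MS-CIFS)
SMB_COM_TRANSACTION2 = 0x32
SMB_COM_TRANSACTION2_SECONDARY = 0x33
SMB_COM_NEGOTIATE = 0x72
SMB_COM_NT_TRANSACT = 0xA0

SMB1_MAGIC = b"\xffSMB"
SMB1_HEADER_LEN = 32          # fixed SMBv1 header after the 4-byte NetBIOS session header
SMB_FLAGS_REPLY = 0x80        # set in the Flags byte of a server response
TRANS2_MAX_COUNT = 0xFFFF     # Trans2 Secondary counts are 16-bit; NT Trans counts are 32-bit


def build_smb1(command, body=b"", tid=0, uid=0, mid=0, response=False):
    """Assemble one SMBv1 message (NetBIOS session header + SMB header + body).
    Used only to construct the sample sessions below."""
    flags = SMB_FLAGS_REPLY if response else 0x00
    hdr = SMB1_MAGIC + bytes([command])              # Protocol, Command
    hdr += b"\x00" * 4                                # Status
    hdr += bytes([flags]) + b"\x00" * 2               # Flags, Flags2
    hdr += b"\x00" * 2 + b"\x00" * 8 + b"\x00" * 2    # PIDHigh, SecurityFeatures, Reserved
    hdr += struct.pack("<HHHH", tid, 0, uid, mid)     # TID, PIDLow, UID, MID
    payload = hdr + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def parse_smb1(msg):
    """Return the fields this heuristic needs from an SMBv1 message, or None if it is not SMBv1."""
    if len(msg) < 4 + SMB1_HEADER_LEN or msg[0] != 0x00:
        return None
    nb_len = int.from_bytes(msg[1:4], "big")
    hdr = msg[4:4 + SMB1_HEADER_LEN]
    if hdr[:4] != SMB1_MAGIC:
        return None
    tid, _pid, uid, mid = struct.unpack_from("<HHHH", hdr, 24)
    return {
        "command": hdr[4],
        "is_response": bool(hdr[9] & SMB_FLAGS_REPLY),
        "tid": tid, "uid": uid, "mid": mid,
        "body": msg[4 + SMB1_HEADER_LEN:4 + nb_len],
    }


def nt_transact_body(total_data_count):
    """SMB_COM_NT_TRANSACT request parameters, zeroed except TotalDataCount (sample data only)."""
    body = struct.pack("<BBHII", 19, 0, 0, 0, total_data_count)  # WordCount, MaxSetupCount, Reserved,
                                                                # TotalParameterCount, TotalDataCount
    body += b"\x00" * (2 * 19 - 11)      # remaining parameter words
    body += struct.pack("<H", 0)         # ByteCount
    return body


def analyze_session(messages):
    """Apply the heuristic to the ordered client->server messages of one TCP session.
    Returns a list of alert strings; an empty list means nothing suspicious was seen."""
    alerts = []
    pending_nt_trans = {}    # (tid, uid) -> TotalDataCount announced by an oversized NT_TRANSACT
    for raw in messages:
        smb = parse_smb1(raw)
        if smb is None or smb["is_response"]:
            continue
        key = (smb["tid"], smb["uid"])
        if smb["command"] == SMB_COM_NEGOTIATE:
            # SMBv1 on the wire at all is worth knowing: MS17-010 only matters where SMBv1 is enabled.
            alerts.append("smb1-negotiate: SMBv1 dialect negotiation on the wire")
        elif smb["command"] == SMB_COM_NT_TRANSACT and len(smb["body"]) >= 12:
            total = struct.unpack_from("<I", smb["body"], 8)[0]
            if total > TRANS2_MAX_COUNT:
                pending_nt_trans[key] = total
        elif smb["command"] == SMB_COM_TRANSACTION2_SECONDARY and key in pending_nt_trans:
            alerts.append("ms17-010-pattern: NT_TRANSACT announcing %d bytes continued by "
                          "TRANSACTION2_SECONDARY" % pending_nt_trans.pop(key))
    return alerts


# Constructed sample sessions (not captured traffic).
NEGOTIATE = build_smb1(SMB_COM_NEGOTIATE, b"\x00\x0c\x00\x02NT LM 0.12\x00", mid=1)
BENIGN_SESSION = [
    NEGOTIATE,
    build_smb1(SMB_COM_TRANSACTION2, b"\x0f" + b"\x00" * 30 + b"\x00\x00", tid=1, uid=1, mid=2),
]
EXPLOIT_SESSION = [
    NEGOTIATE,
    build_smb1(SMB_COM_NT_TRANSACT, nt_transact_body(0x00010800), tid=1, uid=1, mid=2),
    build_smb1(SMB_COM_TRANSACTION2_SECONDARY, b"\x08" + b"\x00" * 16 + b"\x00\x00", tid=1, uid=1, mid=3),
    build_smb1(SMB_COM_TRANSACTION2_SECONDARY, b"\x08" + b"\x00" * 16 + b"\x00\x00", tid=1, uid=1, mid=4),
]

if __name__ == "__main__":
    for name, session in (("benign", BENIGN_SESSION), ("exploit-like", EXPLOIT_SESSION)):
        print(name, analyze_session(session))
```

The heuristic is deliberately narrow: it keys on the protocol mismatch the exploit depends on rather than on payload bytes, so it survives re-packaging of the exploit but would need tuning against real captures before use as a production signature. The negotiate alert is there because the cheaper control, disabling SMBv1 where nothing needs it, removes the whole attack surface regardless of patch state.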