More Russian Hacking

Two reports this week. The first is from Microsoft, which wrote:

As part of our investigation into this ongoing activity, we also detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers. The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign.

The second is from the NSA, CISA, FBI, and the UK’s NCSC, which wrote that the GRU is continuing to conduct brute-force password guessing attacks around the world, and is in some cases successful. From the NSA press release:

Once valid credentials were discovered, the GTsSS combined them with various publicly known vulnerabilities to gain further access into victim networks. This, along with various techniques also detailed in the advisory, allowed the actors to evade defenses and collect and exfiltrate various information in the networks, including mailboxes.

News article.

Posted on July 2, 2021 at 6:26 AM

16 Comments

Comments

Question July 2, 2021 9:31 AM

How is attribution assigned in the case of compromised credentials? Is it solely IP or is it more than that?

Also rather than just change passwords or rely on users to implement unique challenging passwords, why can’t authentication be used to thwart brute force attacks?

If brute force attacks are identified by repeated attempts to login, then why not automate a lock on the account once password fails numerous times (3x?) which kicks off an alert to the authentication app on another device that not only requires the user to validate that the login attempt was them, but if they respond it wasn’t them then their account is automatically locked which notifies their cyber blue team. If the user doesn’t action on the alert, then the account is locked and the blue team notified. Apps can work with complex logic.

It seems that automation is required to solve the preponderance of brute force attacks, instead of putting the onus on end users to protect the world. Wherever I hear a suggestion like that I cringe.
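The lock-and-alert policy sketched in the comment above, written out as an added example (not the commenter's or the post's own code) over constructed sshd-style log lines. It assumes a second-device reply of "me", "not_me" or no answer, assumes that a confirmed "me" unlocks the account, and adds a per-source check for password spraying, the low-and-slow pattern a per-account threshold alone does not catch.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sshd-style auth lines (not from the page or the commenter).
SAMPLE_LOG = """\
2021-07-02T09:00:01 sshd: Failed password for alice from 198.51.100.7
2021-07-02T09:00:03 sshd: Failed password for alice from 198.51.100.7
2021-07-02T09:00:05 sshd: Failed password for alice from 198.51.100.7
2021-07-02T09:20:00 sshd: Failed password for bob from 203.0.113.9
2021-07-02T09:21:00 sshd: Failed password for carol from 203.0.113.9
2021-07-02T09:22:00 sshd: Failed password for dave from 203.0.113.9
2021-07-02T09:23:00 sshd: Failed password for bob from 203.0.113.9
2021-07-02T09:24:00 sshd: Failed password for bob from 203.0.113.9
2021-07-02T10:30:00 sshd: Failed password for carol from 203.0.113.9
"""
LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
THRESHOLD = 3                   # the "3x?" in the comment
WINDOW = timedelta(minutes=10)  # sliding window in which failures are counted

def parse(line):
    m = LINE_RE.match(line)
    return None if m is None else (datetime.fromisoformat(m[1]), m[2], m[3], m[4])

def account_decisions(log_text, app_reply):
    """Per-account policy; app_reply maps user -> 'me', 'not_me' or None (no answer)."""
    fails = defaultdict(list)   # user -> timestamps of failures still inside WINDOW
    decisions = {}
    for ts, result, user, _src in filter(None, map(parse, log_text.splitlines())):
        if decisions.get(user) == "locked_blue_team_notified":
            continue            # stays locked until a human unlocks it
        if result == "Accepted":
            fails[user].clear() # a successful login resets the counter
            continue
        fails[user] = [t for t in fails[user] if ts - t <= WINDOW] + [ts]
        if len(fails[user]) >= THRESHOLD:
            if app_reply.get(user) == "me":
                # assumption: a confirmed "it was me" from the second device unlocks
                decisions[user] = "unlocked_user_confirmed"
                fails[user].clear()
            else:
                # "not me", or no answer from the user: lock and page the blue team
                decisions[user] = "locked_blue_team_notified"
    return decisions

def spraying_sources(log_text, min_users=2):
    """Sources whose failures span many accounts (spraying the per-account rule misses)."""
    users_by_src = defaultdict(set)
    for _ts, result, user, src in filter(None, map(parse, log_text.splitlines())):
        if result == "Failed":
            users_by_src[src].add(user)
    return {src for src, users in users_by_src.items() if len(users) >= min_users}
```

In the sample, carol's two failures are 69 minutes apart and never trip the per-account rule, but 203.0.113.9 is still flagged because it touched three different accounts.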

TimH July 2, 2021 9:53 AM

Per the NSA report, the Russian activity is ‘malicious’. What’s it called when one of 5-eyes does it? Thinking of the UN bugging, or the interception and modification of Cisco equipment as examples.

The good guys/bad guys justification is overused.

Clive Robinson July 2, 2021 10:20 AM

@ ALL,

With regards,

“… is continuing to conduct brute-force password guessing attacks…”

Well duh… Script Kiddy 101.

In fact password guessing attacks were treated as a joke back in the 1980’s when, on the BBC Micro Programme Live show, the Acorn ACN001 account on BT Gold was not just broken into but a little ditty called the “Hackers Song” popped up on the screen,

Hackers’ Song.

“Put another password in,
Bomb it out and try again,
Try to get past logging in,
we’re Hacking, Hacking, Hacking.
Try his first wife’s maiden name,
This is more than just a game,
It’s real fun, but just the same,
It’s Hacking, Hacking, Hacking.”

The NutCracker
( Hackers’ UK )
HI THERE, OWLETS, FROM OZ AND YUG (OLIVER AND GUY)”

That was back in October 1983… UK PM Maggie Thatcher became incandescent and did a Churchill “Action this day” to a bunch of civil servants on a Sunday afternoon…

A disinformation war was started as BT was one of the “Crown Jewels” Maggie wanted to sell off and fritter the money away on financial backers and the like.

Now over a third of a century ago, or a “working lifetime” it all seems a little funny if not quaint. But “Mad Maggie” wanted not just blood but scalps and trying entrapment and eventual miscarriages of Justice were just one part of her crazed blood lust.

But the point is nearly 40 years later we are still using passwords, that are always going to be susceptible to,

1, Guessing attacks
2, Shoulder Surfing attacks
3, File stealing attacks

And variations thereof. The NSA was trying to deprecate passwords back in the 1960’s if not earlier…

And here we are with them still being attacked successfully.

You’d think people would learn from history…

Unfortunately many major services have used “password weakness” as a way to grab more Private Personal Information, which really really does not help get passwords consigned to the waste/garbage bin of history.

Question July 2, 2021 12:49 PM

I used to be in a technical support role. It was my responsibility to identify, solution and shepherd any trending issues to resolution. 99% of the time that meant an engineering change.

Perhaps compromised credentials can be stopped by using passwords in conjunction with:

  1. Enforcing existing CUI/PII laws in the EU and US
  2. Requiring regulated sectors use laptops and desktops purpose built for NIST 800-53 controls
  3. Pre-boot authentication card or keys part of standard build for laptops and desktops sold to regulated sector
  4. Key or card works like auto eject CD-Rom days of yore, or ATMs that hold onto your card during the transaction and auto eject the card when the transaction is done
  5. Dynamic lock or screen saver results in the key being ejected
  6. Ejected key is a VPN/network and ISP kill switch

Laptops are configured for office security. WFH need more than a screen saver. Laptops shouldn’t be connected to ISP when not in use. But this shouldn’t be left to users. I get that cards and keys are available from third parties but it really should be integrated into the standard build.

If the above existed then SolarWinds wouldn’t have happened. Cards can work for access to servers too. So even if Password123 was used, without a card bad actors wouldn’t have been able to access their code.

Perhaps CISA should maintain a database of attacks that is public facing and downloadable. Then we can perform trending to see what low hanging solutions are required. Most sensitive private sector won’t migrate to the cloud until they can secure their users. SolarWinds and the Microsoft attacks were access management failures, not cloud failure.

https://federalnewsnetwork.com/cybersecurity/2021/05/cisa-to-pilot-secure-cloud-instance-in-response-to-solarwinds-attack/

We cannot look at security as solely being solvable by software, users or administrators. It requires smart hardware too.

wumpus July 2, 2021 1:52 PM

@Clive Robinson

The issue with passwords is that the favorite replacement tends to be biometrics. Biometrics isn’t the answer, and tends to be worse than passwords.

Password managers seem to be a better idea. Granted, that’s a single point of failure and thus a great hacking target, but it works with the old infrastructure and sucks a great deal less than other options.

I recently was forced to switch to a “new, safer, not stored anywhere” PIN. Ah yes, Microsoft “security”. Nobody ever was fired for buying Microsoft, yeah even when they are actively destroying all security on computers with legally restricted data (this was about a week after the same computer wouldn’t install Outlook unless I installed MSFT’s cloud drive service. All on a computer where I likely can’t legally store anything where a non-US citizen can read it.)

I’d expect several more “cures” worse than the disease.

echo July 2, 2021 2:46 PM

Microsoft are a big target as is the US. It would be unusual if the attacks described did not happen. I can’t help feeling “So what?” It’s probably happening everywhere else too with everybody being everybody else’s threat. To affect surprise or make a scene about it is like complaining you got wet if you went for a walk in the rain without an umbrella.

Question July 2, 2021 2:49 PM

@wumpus

Why are you able to decide what software you want and install it yourself on a laptop where “I can’t legally store anything where a non-US citizen can read it.”?

Clive Robinson July 2, 2021 3:22 PM

@ wumpus,

I’d expect several more “cures” worse than the disease.

But which disease,

1, Lack of security from random attackers.

2, Lack of security from “vendor insiders” (Golden SAML etc).

3, Lack of privacy from “vendor insiders” (snooping cloud storage etc).

4, Lack of privacy from “vendor insiders” who force the use of de-anonymising “side channels” such as mobile phones, Single Sign On Services etc.

5, Lack of privacy from “tech support tools” that record every key stroke etc and send it off to some server in the cloud with minimal or no security (remember CarrierIQ debacle).

Oh and many more… All in effect designed so that the user gets used and abused as a profit center one way or another.

And people wonder why I won’t upgrade my core machines to commercial OS’s and Apps that “demand connectivity” and throw tantrums if you block them from their motherships…

But there is something else to scratch your head about…

We’ve had four or more decades to find a secure, privacy protecting replacement for the password… Yet there is nothing that is not either flawed in some way, or not universal.

The closest we’ve got is “passwords” which are unmemorable thus the user needs the equivalent of “a piece of paper in their wallet” or in limited circumstances TAM lists or “Tokens”. The latter of which are not at all secure if an attacker can find or get access to the generator seed…

Which begs the question “Why?”

“Not Invented Here” (NIH) Syndrome and “backwards compatibility” and similar are at the end of the day “nonsense reasons” pushed as excuses… For instance we know Facebook not long ago was grabbing and storing user passwords and all that was said was “mumble mumble research” or equivalent[1] on the same day as a major press story (Mueller Report released). As a cynical British Government Worker Jo Moore once put it “A good day to bury bad news”[2].

[1] https://www.zdnet.com/article/facebook-admits-to-storing-plaintext-passwords-for-millions-of-instagram-users/

[2] https://www.theguardian.com/politics/2001/oct/16/Whitehall.uk1

Clive Robinson July 2, 2021 5:13 PM

@ Fed.up,

There is a lot of noise and very little fact.

Apparently she is on “administrative leave” whilst a “preliminary enquiry” into “what might have been an unauthorised release of classified information” apparently sits on its thumbs and does nothing.

Other alleged facts are contested and there is no official word out of the DOD.

Some are saying she should never have got the job she has been suspended from as she is neither competent nor qualified to hold the post.

Some have even said she is a “sleeper agent” put in place by Trump for his comeback.

All we really know is she created a political upset, failed to capitalize on it and got put in post shortly thereafter.

If memory serves correctly she is not the first to be put in administrative limbo that got posts at the end of the previous administration. Others that got “administrative jobs” shortly after losing out on political jobs have likewise been suspended for various reasons.

I guess we are just going to have to wait on that “Slow boat to China” the enquiry apparently might become if it ever ups anchor.

My own view is that political operators and appointees should not get real government administrative jobs for at least half a decade of non political participation. As the “impartiality” requirement appears unlikely to be met in appearance or potentially in actual deed.

JonKnowsNothing July 2, 2021 6:05 PM

@Question @wumpus

@Question
re Pre-boot authentication card or keys part of standard build for laptops and desktops sold to regulated sector

A MMORPG online video game used a Pre-Load Authentication keyfob. The kind you press and have 30 seconds to enter the displayed code to launch the program.

Worked great except when logging in for an insomnia fix and you cannot see the sent code in the dark. The slight OOPS when the non-replaceable battery failed and the source provider went out of business ’cause the fob wasn’t Light Saber Proof.

You might be surprised at the Off Market value for a fully geared max level toon when the account is stolen. Or worse, you log in and your toon is InTheRaw and AllGearGone.

Not all of that happens due to Bad Guys Elsewhere. Lots of Familial Surprises happen, generally resulting in Ex-Familial Togetherness.

@wumpus

re Password managers …a single point of failure

aka The Golden Egg. One Hack to Rule Them All.

At least make them have to type SOMETHING…

The same type Familial Togetherness resulting in Ex-Togetherness and zero Bank Balances.

Fed.up July 2, 2021 8:44 PM

@Clive

A CMMC Board Member resigned yesterday after being caught with his hands in the cookie jar.

Perhaps she was intelligence gathering. And who better to do that in such an environment than a woman who men viewed as unqualified.

Maybe she succeeded in her mission.

Snowden was only on the job a few weeks when he purloined troves of information. He claimed he couldn’t whistleblow through normal channels despite the US having Whistleblower protection laws. The Panama Papers, FinCEN files, Reality Winner and Chelsea Manning reinforce his claims. If Katie is a whistleblower and she cannot prevail having gone through appropriate channels, it is not possible to Whistleblow in the USA through prescribed process.

She is not the only person that knows what she knows. She just may be the only one brave enough at the DoD to do something about it. Hopefully not.

If they revoke her clearance then she’s publicly allowed to say she is a whistleblower experiencing retaliation. If they keep her in limbo she cannot.

echo July 3, 2021 11:14 AM

@Fed Up

Perhaps she was intelligence gathering. And who better to do that in such an environment than a woman who men viewed as unqualified.

Maybe she succeeded in her mission.

This is very true and something I take advantage of. This isn’t by choice. The upside of not being treated seriously is I am not treated seriously. Men (although not exclusively men) have a habit of saying all manner of things and revealing their inner thought processes and mistakes and errors and beliefs which when compared to the “state of the art” reveal all manner of actionable things.

Fed.up July 3, 2021 2:59 PM

@echo

Lots of female whistleblowers.

Colleen Rowley comes to mind. Like Katie no one took her seriously. As a result 9/11 happened.

Even after the attacks the FBI still ignored her. So she wrote Director Mueller that the FBI HQ had personnel working for Osama Bin Laden.

She was forced out of the FBI a year later.

She also ran for office and lost.

In 2002 she was Time Magazine’s Person of the Year along with 2 other female whistleblowers, including Sherron Watkins (Enron) and Cynthia Cooper (WorldCom). These 3 women’s actions resulted in the creation of the Department of Homeland Security, passing of Sarbanes Oxley and the Patriot Act.

Intelligence is measured by someone’s actions, not their appearance.

https://en.wikipedia.org/wiki/Coleen_Rowley

Security Sam July 6, 2021 6:41 PM

More Russian online hacking
And network resource sacking
They granted them free ropes
Lords are now just plain folks.

ADFGVX July 7, 2021 3:04 AM

hxxps://www.theatlantic.com/magazine/archive/2010/11/lies-damned-lies-and-medical-science/308269/

Dr. John Ioannidis has spent his career challenging his peers by exposing their bad science.

I suppose the good doctor continues an honorable tradition.

hxxps://en.wikipedia.org/wiki/Category:Ancient_Greek_physicians

Although that particular doctor is perhaps better known for working on IPsec and IPv6, which are perhaps better suited in certain respects for security against brute force password attacks and other DDoS.

Anyways, the NSA is particularly interested for certain statecraft reasons in the security of healthcare technology and information security under HIPAA and related federal laws.

hxxps://www.dw.com/en/russia-detains-estonian-consul-after-he-allegedly-received-classified-material/a-58179744

“The Russian Federal Security Service in St. Petersburg has detained Estonian diplomat — consul of the Consulate General of the Republic of Estonia in St. Petersburg Mart Lätte — caught red-handed while receiving classified materials from a Russian citizen,” the FSB’s Center for Public Relations (CPR) told Russian news agency Interfax.

Now recall the wholesale appropriation and theft of Finland’s national healthcare patient data by Estonia.

hxxps://www.euractiv.com/section/health-consumers/news/fri-estonia-and-finland-first-to-start-exchanging-healthcare-data-by-end-of-year/
