AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 3/5/2020

1 – Chinese Security Firm Says CIA Hackers Attacked China Since 2008

Chinese security vendor Qihoo 360 says that the US Central Intelligence Agency (CIA) has hacked Chinese organizations for the last 11 years, targeting various industry sectors and government agencies. Qihoo 360’s report, which lacks any technical details, claims that “the CIA hacking group (APT-C-39)” targeted a multitude of Chinese companies between September 2008 and June 2019, with a focus on “aviation organizations, scientific research institutions, petroleum industry, Internet companies, and government agencies.” “We speculate that in the past eleven years of infiltration attacks, CIA may have already grasped the most classified business information of China, even of many other countries in the world,” Qihoo 360’s report says.


2 – French Firms Rocked by Kasbah Hacker?

A large number of French critical infrastructure firms were hacked as part of an extended malware campaign that appears to have been orchestrated by at least one attacker based in Morocco, KrebsOnSecurity has learned. An individual thought to be involved has earned accolades from the likes of Apple, Dell, and Microsoft for helping to find and fix security vulnerabilities in their products. In 2018, security intelligence firm HYAS discovered a malware network communicating with systems inside of a French national power company. The malware was identified as a version of the remote access trojan (RAT) known as njRAT, which has been used against millions of targets globally with a focus on victims in the Middle East.


3 – Tuia 250 privacy breach: Tech boss signed off on government website with no testing

A top tech boss at the Ministry of Culture and Heritage (MCH) reviewed the Tuia 250 website’s security and declared it “fit for purpose” just two months before a major breach was uncovered, new correspondence shows. The security lapse – discovered by a member of the public in August 2019 – compromised the privacy of roughly 300 young people who had uploaded sensitive material while applying to take part in commemorations. The breach exposed copies of the applicants’ passports, birth certificates and drivers’ licences online, leaving them able to be found via a simple Google search.


4 – Active Scans for Apache Tomcat Ghostcat Vulnerability Detected, Patch Now

Ongoing scans for Apache Tomcat servers unpatched against the Ghostcat vulnerability, which allows potential attackers to take over servers, were detected over the weekend. As cyber threat intelligence firm Bad Packets said on Saturday, “mass scanning activity targeting this vulnerability has already begun. PATCH NOW!” Ghostcat is a high-risk file read/include vulnerability tracked as CVE-2020-1938 and present in the Apache JServ Protocol (AJP) of Apache Tomcat between versions 6.x and 9.x. The Apache Tomcat developers have released versions 7.0.100, 8.5.51, and 9.0.31 to patch the vulnerability; however, users of version 6.x will have to upgrade to a newer branch, since 6.x has already reached end-of-support and is no longer updated (the last update for 6.x was released on April 7, 2017).
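As an added defender's check (not code from the article or from the Tomcat project), the script below classifies an installed Tomcat version against the fixed releases named above and reports whether a server.xml enables an AJP connector, since the bug lives in AJP. The server.xml snippet is constructed for the example and assumes the stock layout where AJP is a `<Connector protocol="AJP/1.3">`.

```python
"""Ghostcat (CVE-2020-1938) exposure check for Apache Tomcat installs.

Added example, not part of the original digest. Uses only the fixed
releases listed in the article (7.0.100, 8.5.51, 9.0.31); any branch
without a listed fix (e.g. 6.x, which is end-of-support) is reported
as needing an upgrade rather than a patch.
"""
import re
import xml.etree.ElementTree as ET

# Earliest fixed release per branch, keyed by (major, minor).
FIXED = {(7, 0): (7, 0, 100), (8, 5): (8, 5, 51), (9, 0): (9, 0, 31)}


def parse_version(s):
    """Turn 'major.minor.patch' into a comparable tuple of ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {s!r}")
    return tuple(int(x) for x in m.groups())


def ghostcat_status(version):
    """Return 'fixed', 'vulnerable' or 'unsupported-branch'."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unsupported-branch"  # no listed fix: upgrade the branch
    return "fixed" if v >= fixed else "vulnerable"


def ajp_connectors(server_xml):
    """List (port, address attribute or None) of AJP connectors found."""
    root = ET.fromstring(server_xml)
    return [(c.get("port"), c.get("address"))
            for c in root.iter("Connector")
            if c.get("protocol", "").upper().startswith("AJP")]


# Constructed sample server.xml with the stock AJP connector enabled.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

if __name__ == "__main__":
    for ver in ("9.0.30", "9.0.31", "8.5.51", "7.0.99", "6.0.53"):
        print(ver, ghostcat_status(ver))
    print("AJP connectors:", ajp_connectors(SAMPLE_SERVER_XML))
```

An AJP connector that is enabled on a version reported as vulnerable or unsupported-branch is the combination worth prioritising; an AJP connector that is absent or commented out removes the exposed code path while the upgrade is scheduled.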


5 – Downtown Las Vegas casinos suffer mysterious days-long computer outage, slot machines go dark

Two Las Vegas casinos appear to be recovering from a mysterious, days-long computer outage that left casino floors and slot machine chairs empty. The problems first appeared on social media and on popular Twitter accounts such as Las Vegas Locally and Vital Vegas last week. Posts and videos showed many slot machines indicating a malfunction and digital signs indicating that the machines were ‘out of service.’ The Nevada Gaming Control Board has confirmed that it is aware of the incident and is “actively monitoring the situation.”


6 – Digital Spring Cleaning

Most of us are so looking forward to spring! The landscape starts to take shape, flowers start to bloom, and, for many, there’s a desire to spring clean. While it might be easy to see the need to purge and tidy up, realizing the need to also digitally declutter isn’t so apparent. Here are some quick tips to get your digital life in order and establish new digital habits.


7 – Two Chinese Nationals Charged with Laundering Over $100 Million in Cryptocurrency From Exchange Hack

Two Chinese nationals were charged with laundering over $100 million worth of cryptocurrency from a hack of a cryptocurrency exchange. The funds were stolen by North Korean actors in 2018, as detailed in the civil forfeiture complaint also unsealed today. “These defendants allegedly laundered over a hundred million dollars worth of stolen cryptocurrency to obscure transactions for the benefit of actors based in North Korea,” said Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division. “Today’s actions underscore that the Department will pierce the veil of anonymity provided by cryptocurrencies to hold criminals accountable, no matter where they are located.”


8 – How Terrorists Use the Internet for Weapons and Component Procurement

When Salman Abedi was buying material to build the bomb he would use to attack the Ariana Grande concert in Manchester in 2017, his cousin bought him some of the chemicals from Amazon. In the lead-up to his attack at a New Zealand mosque, Brenton Tarrant bought firearms and ammunition online. And when ISIS needed drones for bombings, they purchased drones and shipped them to Syria from a number of different online retailers. Terrorist use of online retailers to procure material for their attacks is not new, but it is increasingly common, and it presents both challenges and opportunities for detecting how terrorists use funds, and what for. Online purchases can be a missed opportunity for suspicion to be detected, and can form part of terrorist financial tradecraft that obscures the full extent of their preparation for an attack. On the other hand, online procurement activities increase the number of parties holding important financial intelligence. Exploiting this financial intelligence will require a fine balance between information sharing, regulation and public-private partnerships.


9 – Carnival Corp units say they were hit by cyber attack last year

Two units of cruise operator Carnival Corp disclosed on Monday that they were the targets of a cyber attack, which they identified in May last year. The units, Holland America Line and Princess Cruises, said their investigation revealed that an unauthorized third party had access to personal information, including mail accounts, names, Social Security numbers, and credit card information of some guests and employees. The units said they acted quickly to shut down the attack and prevent further unauthorized access. Holland America Line and Princess Cruises together accounted for 30% of Carnival’s capacity as of Nov. 30.


10 – How to gather cyber threat intelligence from dark markets without breaking US law

The U.S. Department of Justice’s Cybersecurity Unit has released guidelines for organizations that want to gather cyber threat intelligence from dark web forums/markets but, at the same time, want to stay on the right side of the (U.S. federal criminal) law. The document focuses on “information security practitioners’ cyber threat intelligence-gathering efforts that involve online forums in which computer crimes are discussed and planned and stolen data is bought and sold. It also contemplates situations in which private actors attempt to purchase malware, security vulnerabilities, or their own stolen data—or stolen data belonging to others with the data owners’ authorization—in Dark Markets.”


11 – Zynga faces class action suit over massive Words With Friends hack

Zynga – maker of addictive (and crook-tempting) online social games such as FarmVille, Mafia Wars, Café World and Zynga Poker – is facing a potential class action lawsuit over the September 2019 breach in which hackers got access to more than 218 million Words with Friends accounts. Zynga’s Draw Something was also targeted in the September breach. The threat actor known as GnosticPlayers went on to claim responsibility for the breach – yet another cache to add to the nearly one billion user records they’d already claimed to have stolen from nearly 45 popular online services earlier in 2019. Zynga admitted to the breach at the time, saying that hackers got their hands on “certain player account information” but that, at least during the early stages of its investigation, it didn’t think any financial information was accessed.
