Special Weekend Edition: Strange NY Post Article Serves as Coda for CISA's Turbulent Week
Russian, N. Korean threat groups are targeting COVID-19 research, North Face suffers credential stuffing attack, Oz warns health care sector about ransomware, UK hits Ticketmaster with tiny fine, more
Rupert Murdoch-owned New York Post got a strange scoop yesterday that serves as a coda to this week’s drama surrounding Chris Krebs's once and future firing. Krebs is the highly respected head of the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) who has warned America not to fall for election conspiracy theories, many of which Donald Trump has trumpeted. The Post’s Steve Nelson says that the White House on Wednesday evening instructed Homeland Security’s acting Secretary Chad Wolf to fire Krebs but Wolf purportedly refused to do so. On Twitter, experts in government law jumped in to say they believe that Wolf doesn’t have the authority to fire Krebs, so it’s unclear how Trump could legally issue the order or how Wolf could refuse it.
Steven Nelson @stevennelson10SCOOP: DHS boss Chad Wolf defies President Trump's order to fire cyber chief Chris Krebs Krebs dismissed Trump's claims of voter fraud https://t.co/ssgTY19mlV
“Chad is carrying Krebs’ water,” an anonymous source told Nelson. Painting the backdrop, Nelson wrote that Kreb’s “foes” say he’s close to former DHS chief of staff Miles Taylor, who recently outed himself as administration critic “Anonymous,” with the implication that Krebs is by association a Trump adversary. The source also accuses Wolf of once having been a “lackey” to former DHS Secretary Kirstjen Nielsen, who was fired by Trump but is widely considered by most Americans to be the architect of Trump’s babies-in-cages program.
The Post piece also implies that an official working for Krebs at DHS, Matt Masterson, is tainted by the Obama administration and, therefore, somehow a political adversary. But as some commenters pointed out, Masterson is a Republican.
Twisting the knife further, the piece also accuses Krebs of having some election night watch party at which staffers of Dominion Voting Systems were present. Trump has pushed a baseless conspiracy theory all week that Dominion’s systems deleted 2.7 million Trump votes nationwide. However, from the sounds of it, Krebs operated a war room to oversee any kinds of last-minute disruptions that could occur and invited public and private partners (along with what appears to be an off-the-record press contingent) to attend.
Whatever inaccuracies or politically damaging insinuations the article intended to convey, its strange emergence at the end of a week that showed Krebs to be a defender of election integrity by standing up to the Trump administration is highly suspect. Some commenters think that Wolf was the leaker to the Post’s Nelson, but that seems like a stretch since the Trump loyalist, like the Post article itself, likely ends up looking bad for Trump.
Microsoft: Three Threat Groups Have Targeted Seven Companies Conducting COVID-19 Research
Microsoft said it detected three advanced persistent threat groups, including one Russian and two North Korean groups, that have launched cyberattacks on at least seven prominent companies involved in COVID-19 vaccines research and treatments. The companies are located in Canada, France, India, South Korea, and the United States. The Russian group, known as Strontium (also known as Fancy Bear or APT28), has used password spraying and brute-force login attempts to obtain login credentials, break into victim accounts and steal sensitive information.
The first North Korean group, called Zinc, but better known as the Lazarus Group, has mostly relied on spear-phishing email campaigns by sending messages with fabricated job descriptions, pretending to be recruiters, and targeting employees working at the targeted companies. The second North Korean threat actor, known as Cerium, appears to be a new group that has launched spear-phishing attacks with email lures using Covid-19 themes while pretending to be representatives from the World Health Organization.
Microsoft’s president Brad Smith participated in the Paris Peace Forum, where he urged governments to do more to protect health care facilities and enforce laws against groups that attack them.
Related: CNET News, NBC News Top Stories, AP Top News, Tech Xplore, StarTribune.com, CTVNews.ca, The Independent, SecurityWeek, Bloomberg, Wall Street Journal, POLITICO, TechCrunch, CNET News, TORONTO STAR, The Hill: Cybersecurity, Neowin, Jerusalem Post, South China Morning Post, Channel News Asia, Microsoft
Five ICS Threat Groups are Targeting the Manufacturing Sector
According to a report issued by ICS security firm Dragos, the manufacturing sector has been attacked by five threat groups that have been known to target industrial environments. The five groups are CHRYSENE, PARISITE, MAGNALLIUM, WASSONITE, and XENOTIME. MAGNALLIUM is an Iran-linked group that has been active since at least 2013 and is known to use destructive malware.
PARISITE is a separate group that helps MAGNALLIUM gain initial access to targeted systems. WASSONITE is connected to North Korea but doesn’t seem to have any special capabilities to harm industrial environments. CHRYSENE has been known to target industrial networks in the Middle East and the UK. It has been tied to OilRig and Greenbug, two threat actors involved in the notorious Shamoon attacks that wiped out the computer systems at Saudi Aramco and RasGas. Dragos has also seen a growing number of ransomware attacks against manufacturers and believes ransomware is the most common threat to manufacturing. (Eduard Kovacs / Security Week)
Outdoor Clothing Giant North Face Suffered Credential Stuffing Attack
Outdoor retail clothing company North Face has reset the passwords of an undisclosed number of customers following a successful credential stuffing attack on October 9th. The attackers could gain access to various types of personal information stored on customers' accounts at thenorthface.com. The data that may have been accessed are customers' names, birthdays, telephone numbers, billing and shipping addresses, purchased or favorited products, and email preferences. North Face disabled all passwords from accounts that were accessed during the attack timeframe and deleted all tokens associated with customer payment cards for all thenorthface.com accounts. Impacted users will have to enter their payment information again and create new passwords next time they visit the company's online store. (Sergiu Gatlan / Bleeping Computer)
Australian Government Warns Health Sector to Watch Out for Ransomware Attacks
On the heels of similar warnings by the U.S. government, the Australian Cyber Security Center (ACSC) issued a security alert urging health sector organizations to check their cyber-security defenses, especially their controls for detecting and stopping ransomware attacks. In the alert, the ACSC says it "observed increased targeting activity against the Australian Health sector by actors using the SDBBot Remote Access Tool (RAT)." The SDBBot RAT has almost always been used by a cybercrime group known as TA505, and the ACSC says that "SDBBot is [also] a known precursor of the Clop ransomware,” one of the most aggressive ransomware groups out there, best known for “big game hunting” ransomware. (Catalin Cimpanu / ZDNet)
DarkSide Ransomware Operation Plans to Offer Distributed Storage System in Iran to Store and Leak Stolen Data
The DarkSide ransomware operation, which is run as a Ransomware-as-a-Service (RaaS), says they are creating a distributed storage system in Iran to store and leak data stolen from victims, cybersecurity intelligence firm Kela reports. The gang has deposited $320,000 on a hacker forum as a sort of good faith offering. DarkSide developers receive a 10-25% cut, and an affiliate gets 75-90% of any ransom payments they generate. (Lawrence Abrams / Bleeping Computer)
Related: Security News | Tech Times
UK Fines Ticketmaster Around $1.65 Million for for 2018 Breach
The UK Information Commissioner’s Office fined Ticketmaster UK £1.25 million (or around $1.65 million) related to a data breach on the Ticketmaster UK website in 2018. An investigation found that the cyber attacker exploited a vulnerability in a third-party chatbot built by Inbenta Technologies, which Ticketmaster had installed on its online payments page. After the Ticketmaster breach, 60,000 Barclays bank customers were victims of fraud, and online bank Monzo had to replace 6,000 payment cards due to fraud. Those companies, along with Commonwealth Bank of Australia, Barclaycard, Mastercard, and American Express, warned Ticketmaster of a problem on its website. Still, Ticketmaster waited for nine weeks to monitor the situation. (BBC News)
Hackers Stole $2 Million From Cryptocurrency DeFi Protocol Akropolis.
In the latest attack to hit the nascent decentralized finance industry (DeFi), DeFi protocol Akropolis said it was hacked for $2 million in digital currency dai. The attackers pilfered the platform’s Ycurve pool in batches of $50,000 in the stable coin DAI. This particular pool allows investors to trade stablecoins and earn interest. Akropolis revealed that the hack was executed across a body of smart contracts in its “savings pools.” Akropolis says it is looking at ways to reimburse users. (Jeffrey Gogo / Bitcoin News)
Photo by Monika Flueckiger, World Economic Forum - originally posted to Flickr as Rupert Murdoch - World Economic Forum Annual Meeting Davos 2009, CC BY-SA 2.0, https://commons.wikimedia.org/w/index.php?curid=8546057