The following is an advisory for owners, managers and stakeholders in the hospitality industry, which highlights recent data breaches uncovered by the United States Secret Service (USSS). The attacks were not sophisticated, requiring little technical skill, and did not involve the exploit of vulnerabilities in browsers, operating systems or other software. The malicious actors were able to utilize a low-cost, high impact strategy to access a physical system, stealing sensitive data from hotels and subsequently their guest’s information. The NCCIC and the USSS have provided some recommendations at the end of this document that may help prevent similar attacks on publicly available computers.
Since the 2006 signing of the National Military Strategy for Cyberspace Operations (NMS-CO), the emerging US cyber warfare community continues to mature and its capabilities increasingly compete for consideration when US forces plan operations. Computer network attack (CNA) and electronic attack (EA) technologies have progressed to the point where their use could be routinely considered in the context of existing and developing OPLANS. In order to effectively integrate and standardize use of these non-traditional weapons, the developers, testers, planners, targeteers, decision-makers, and battlefield operators require a comprehensive but flexible cyber lexicon that accounts for the unique aspects of cyber warfare while minimizing the requirement to learn new terms for each new technology of the future. Without a shared understanding of the accurate meanings of a significant number of frequently used terms, it will be difficult to make progress on the more complex and unresolved technical and operational issues for non-traditional weapons: actionable requirements, technical and operational assurance, effective mission planning techniques, and meaningful measures of effectiveness. In fact, the Secretary of Defense’s Information Operations (IO) Roadmap listed its first benefit to the combatant commanders as “a common lexicon and approach to IO, including support to integrated information campaign planning.” Although the focus of cyberspace operations is not the same as that of IO, they share some technologies and until now, no such lexicon (for IO, or any portion of IO) has been published.
(U//FOUO) Utah Fusion Center Bulletin: New Ransomware “CryptoWall” Rapidly Infecting Systems Across the U.S.
The FBI and NCIS believe a group of cyber actors have been using various social networking sites to conduct spear phishing activities since at least 2011. FBI and NCIS investigation to date has uncovered 56 unique Facebook personas, 16 domains, and a group of IP addresses associated with these actors. These personas typically would attempt to befriend specific types of individuals such as government, military, or cleared defense contractor personnel. After establishing an online friendship the actor would send a malicious link (usually through one of the associated domains) to the victim, either through e-mail or in a chat on the social networking site eventually compromising the target’s computer.
Today the Western District of Pennsylvania unsealed an indictment naming five members of the People’s Liberation Army of the People’s Republic of China on 31 counts, including conspiring to commit computer fraud (18 U.S.C. §§ 371, 1030), accessing a computer without authorization for the purpose of commercial advantage and private financial gain (18 U.S.C. § 1030(a)(2)(C), (c)(2)(B)), damaging computers through the transmission of code and commands (18 U.S.C. § 1030(a)(5)), aggravated identity theft (18 U.S.C. § 1028A), economic espionage (18 U.S.C. § 1831(a)(1)), and theft of trade secrets (18 U.S.C. § 1832(a)(1)). Each of the defendants provided his individual expertise to a conspiracy to penetrate the computer networks of six US companies while those companies were engaged in negotiations or joint ventures with or were pursuing legal action against state-owned enterprises in China. The following technical details are indicators released in the indictment related to these actors’ activity.
On 13 May 2014, FBI NY initiated a coordinated takedown focusing on individuals who purchased the Blackshades malware. Field offices across the United States, as well as foreign partners, engaged in subject interviews, searches, hardware seizures, and arrests. The FBI seized the primary domain utilized to purchase Blackshades products.
Improved information sharing is a critical component of bolstering public and private network owners’ and operators’ capacity to protect their networks against evolving and increasingly sophisticated cyber threats. As companies continue to adopt the newest technologies, these threats will only become more diverse and difficult to combat. Ensuring that information concerning cyber threats that U.S. companies detect on their domestic networks can be quickly shared will assist those companies in identifying new threats and implementing appropriate preventative cybersecurity measures. But sharing must occur without contravening federal law or the protections afforded individual privacy and civil liberties. In the interest of advancing discussions in this important area, DOJ has prepared this paper providing its views on whether the Stored Communications Act (18 U.S.C. § 2701 et seq.) (SCA) restricts network operators from voluntarily sharing aggregated data with the government that would promote the protection of information systems. We hope that this analysis will help companies make informed decisions about what information legally may be shared with the government to promote cybersecurity.
FBI Cyber Division Bulletin: Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions
Security researchers from Google Security recently discovered a vulnerability with the Heartbeat extension (RFC6520) to OpenSSL’s Transport Layer Security (TLS) and the Datagram Transport Layer Security (DTLS) protocols. According to open source reports, the vulnerability has existed within certain OpenSSL frameworks since at least 2012. The Heartbeat extension is functionally a “keep-alive” between end-users and the secure server. It works by sending periodic “data pulses” of 64KB in size to the secure server and once the server receives that data; it reciprocates by re-sending the same data at the same size. The out-of-bounds “read” vulnerability exists because the Heartbeat extension in OpenSSL versions 1.0.1 through and 1.0.2-beta (including 1.0.1f and 1.0.2-beta1) do not properly validate the data being sent from the end-user. As a result, a malicious actor could send a specially-crafted heartbeat request to the vulnerable server and obtain sensitive information stored in memory on the server. Furthermore, even though each heartbeat only allows requests to have a data size limited to 64KB segments, it is possible to send repeated requests to retrieve more 64KB segments, which could include encryption keys used for certificates, passwords, usernames, and even sensitive content that were stored at the time. An attacker could harvest enough data from the 64KB segments to piece together larger groupings of information which could help an attacker develop a broader understanding of the information being acquired.
Law enforcement continues to see reporting of malicious cyber actors using fake help desk scams, also known as technical support scams. These scams, if successful, seek to compromise and take control of computer systems. Malicious cyber actors send users an e-mail or they make cold calls, purportedly representing a help desk from a legitimate software or hardware vendor. The malicious cyber actors try to trick users into believing that their computer is malfunctioning—often by having them look at a system log that typically shows scores of harmless or low-level errors—then convincing them to download software or let the “technician” remotely access the personal computer to “repair” it.
Since at least January 2012, criminals are using telephony-based denial-of-service (TDoS) combined with extortion scams to phone an employee’s office and demand the employee repay an alleged loan. If the victim does not comply, the criminals initiate TDoS attacks against the employer’s phone numbers. TDoS uses automated calling programs—similar to those used by telemarketers—to prevent victims from making or receiving calls.
(U//FOUO) Committee on National Security Systems Recommendations for Implementing FICAM on U.S. Secret Networks
Threats to Federal information systems are rising as demands for sharing of information and intelligence between Federal Departments and Agencies increase. It is essential that the Federal Government devise an approach that addresses both challenges without compromising the ability to achieve either objective. Developing a common governance framework and set of Identity, Credential, and Access Management (ICAM) capabilities that enhance the security of our systems by ensuring that only authorized persons and systems from different Federal components have access to necessary information is a high priority. The Federal Identity, Credential and Access Management (FICAM) Roadmap and Implementation Guidance was developed to address the need for secure information sharing capabilities across the breadth of the Federal Government.
(U//FOUO) Committee on National Security Systems Gap Analysis Between the FICAM and U.S. Secret Networks
Over the past ten years, the Federal Government has made concerted advances in the development and implementation of Identity, Credential, and Access Management (ICAM). This progress includes capabilities designed to promote interoperability, assured information sharing, and efficiencies of scale across all agencies within the Federal Government. Recently, several high-visibility events have focused attention on classified networks with a renewed emphasis on information protection within the information sharing paradigm. Organizations must strive to ensure responsible sharing and safeguarding of classified information by employing advanced capabilities that enable a common level of assurance in information handling and sharing while ensuring the interoperability required to satisfy mission requirements.
This Note describes a new combination of tactics by cyber criminals that disrupts telephone systems of targeted organizations. This information is provided to assist and inform the Department and federal, state, local, territorial, tribal, and private sector partners in mitigation efforts regarding criminal activity that could affect their operations.
(U//FOUO) DHS National Cybersecurity and Communications Integration Center (NCCIC) Capabilities Guide
The National Cybersecurity and Communications Integration Center (NCCIC) Resource and Capabilities Guide is intended to enhance cross-sector cyber security efforts and collaboration by better informing our cybersecurity and communications partners of the NCCIC’s tools, assets, and collaboration mechanisms offered. This guide also identifies the Center’s resources and capabilities as well as describes the processes for accessing NCCIC information portals and products, incident reporting systems, and relevant point of contact information for our community of partners.
As related to malware which may exhibit a potentially destructive capability, organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event. Destructive malware presents a direct threat to an organization’s daily operations, directly impacting the availability of critical assets and data. In addition, the response required for such an event can be extremely resource intensive.
The following product is a coordinated effort between NCCIC, U.S. Secret Service and The Cyber Intelligence Network (CIN), provided to assist in prevention, detection and mitigation of a new ransomeware campaign. Ransomware is malware that restricts access to infected computers and requires victims to pay a ransom in order to regain full access. Cryptolocker is particularly interesting in that it functions by encrypting victims computer files with a combination of RSA-2048 and AES-256 encryption. Once encrypted, victims are provided a window of time in which they can pay the actors to receive the key needed to decrypt their files.
This Environmental Assessment (EA) has been prepared to analyze the potential environmental, cultural, transportation, and socioeconomic effects associated with the establishment and operation of a U.S. Army Cyber Command / 2nd Army (ARCYBER) Command and Control Facility at Fort George G. Meade, Maryland (hereinafter referred to as Fort Meade), or at Fort Gordon, Georgia. ARCYBER leads a corps of 21,000 soldiers and civilians who serve worldwide operating and defending all Army networks with supporting organizations such as the Army Network Enterprise Technology Command, 780th MI Brigade, and 1st Information Operations. ARCYBER plans, coordinates, integrates, synchronizes, directs, and conducts network operations and defense of all Army networks; when directed, ARCYBER conducts cyberspace operations in support of full spectrum operations to ensure U.S./Allied freedom of action in cyberspace, and to deny the same to our adversaries.
Android is the world’s most widely used mobile operating system (OS) and continues to be a primary target for malware attacks due to its market share and open source architecture. Industry reporting indicates 44 percent of Android users are still using versions 2.3.3 through 2.3.7-known as Gingerbread-which were released in 2011 and have a number of security vulnerabilities that were fixed in later versions. The growing use of mobile devices by federal, state, and local authorities makes it more important than ever to keep mobile OS patched and up-to-date.
Since June, advanced persistent threat (APT) actors have been targeting the aviation industry and attempting to extract confidential information by sending “spear-phishing” emails designed to trick recipients into opening malicious attachments or follow links to infected websites. According to an FBI Cyber Division bulletin from July 8, “individuals associated with the air travel industry” have received an increased number of spear-phishing emails often using spoofed senders “in an attempt to make the e-mail appear more legitimate.”
(U//FOUO) FBI Cyber Division Bulletin: Advanced Persistent Threat (APT) Actors Targeting Aviation Industry
Since June 2013, the FBI has observed advanced persistent threat (APT) actors’ increased interest in the aviation industry. APT actors have sent spear-phishing e-mails targeting individuals associated with the air travel industry. Some of the spear-phishing e-mails originated from a spoofed sender in an attempt to make the e-mail appear more legitimate. E-mail recipients should be aware of suspicious and potentially malicious e-mail attachments or links.