Excited about Microsoft and Games? What about Other Issues? Like, Uh, Security?

January 25, 2022

We learn of a recent complaint against SolarWinds from GitHub contributor jaybobo, who helpfully shares both the full filing and key highlights. The case was filed in Delaware’s Court of Chancery by shareholders, including the Construction Industry Laborers Pension Fund and the Central Laborers’ Pension Fund. In light of the Sunburst hack, the plaintiffs assert the company failed to appropriately secure their investments against cybersecurity risks. The complaint alleges:

“SolarWinds: (i) used weak passwords for its software download webpages such as ‘solarwinds123;’ (ii) did not properly segment its IT network; (iii) directed its clients to disable antivirus scanning and firewall protection on its Orion software; (iv) cut investments in cybersecurity; and (v) listed its sensitive and high-value clients on its webpage for anyone to see.”

Oof—these are indeed the opposite of security best practices. The parties insist this alleged negligence allowed the Sunburst attack to succeed, tanking their investments. The filing describes the impact:

“In the days following the Company’s initial public disclosure of SUNBURST in December 2020, SolarWinds’ stock lost nearly 40% of its value. As of today, the stock trades at more than a 30% discount to its pre-revelation trading price. For the six months ended June 30, 2021, the Company incurred $34 million in direct expenses related to SUNBURST, stemming from, inter alia, costs to investigate and remediate the cyber attack; legal, consulting, and other professional service expenses; and public relations costs. In the first six months ended June 30, 2021, the Company also experienced a 27% decline in its license revenue relative to the previous year. SolarWinds explained that this decline was ‘primarily due to decreased sales of our licensed products as a result of the Cyber Incident [i.e., SUNBURST]’ (among other factors). The Company’s net increase in cash and cash equivalents for the same period was down over 74% relative to the previous year, which the Company also attributed, in part, to SUNBURST.”

The plaintiffs go on to note several ongoing investigations and lawsuits now facing SolarWinds as a result of the debacle. Then there are the related insurance rate hikes, finance charges, and compliance activities. They estimate these factors add another $20 million a year in expenses that will also diminish their investments. The filing requests several measures from the court, like requiring the company to implement better security and, of course, awarding damages.

We want to point out the information in “Microsoft Discovers Undisclosed Bug in SolarWinds Server.” That write up which we spotted on January 22, 2022 (a Saturday by the way) states:

During the sustained monitoring of threats taking advantage of the ‘Log4j2’ vulnerabilities, the Microsoft Threat Intelligence Centre (MSTIC) team observed activity related to attacks being propagated via a previously undisclosed vulnerability in the SolarWinds ‘Serv-U’ software. “We discovered that the vulnerability is an input validation vulnerability that could allow attackers to build a query given some input and send that query over the network without sanitation,” Microsoft said in its security update. SolarWinds said the Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized.

Worth monitoring security, but the metaverse more zippy.

Cynthia Murrell, January 25, 2021

A Sporty Cyber Centric Write Up with Key Information Left Out

January 10, 2022

I read “Experts Detail Logging Tool of DanderSpritz Framework Used by Equation Group Hackers.” The main point of the write up is that some clever cyber people have been working to figure out how a particular exploit works. The exploit is called DanderSpritz, which is a full featured framework for obtaining useful information from a target system. The Shadow Brokers leaded the software in 2017. It took the folks writing the article four years to figure out the method. Non US outfits figured it out more quickly. What’s left out of the write up?

I noted these omissions:

  1. Details of the DanderSpritz methods incorporated into other exploit tools
  2. Explanation of who and what the Equation Group is. The Web site link does not provide substantive information.
  3. Why do long between the release of the exploit and a public analysis?

Personally I would not get too frisky when it comes to the Equation Group. I apply this type of thinking to any outfit conveniently located near an NSA facility. In the case of Shadow Brokers, my recollection is that this outfit found a way to obtain Equation Group code. My hunch is that this is a sore point for the Equation Group, and the embarrassment of the DanderSpritz dump may still cause some red faces.

Stephen E Arnold, January 7, 2022

The Price of a Super Secure Mobile for Questionable People

December 29, 2021

Criminals are sometimes the smartest people in the world, but other times they are the dumbest. The Sydney Morning Herald reported a story on some of the latter in, “‘Invulnerable To Law Enforcement’: More Alleged Drug Criminals Outed By Encrypted App.” Australian criminals Duax Ngakuru and Hakan Ayik were used an encrypted phone platform that was surreptitiously created by law enforcement.

Australian and New Zealand law enforcement teamed together on Operation Ironside and they infiltrated the encrypted AN0M phone network. Authorities monitored Ngakuru and Ayiks’ drug activity for three years:

“The work of Australian and New Zealand authorities has – especially since Operation Ironside was unveiled publicly in June with sweeping arrests and raids across the globe – made the Ngakurus and Ayik among the most wanted men on the planet, crippling the drug syndicates the trio helped operate.

The police files also reveal how the AFP’s infiltration of the encrypted AN0M phone network suggest the Ngakurus and Ayik successfully imported many drug shipments into Australia and New Zealand over many years. On May 17, Shane Ngakuru was covertly recorded using his AN0M phone device to describe sending “methamphetamine to New Zealand, Melbourne, and Perth” from his base in Thailand.”

The bad actors believed they were invulnerable and the most powerful men in Turkey if not Oceania. While their drug operations were cleverly planned, the stupidity surfaces when they did not research their communication networks. Their so-called invulnerability comes about when they thought AN0M could not be hacked. They did not check up on updates or in other bad acting communities to see if there were hints of police crackdowns.

The US FBI, CIA, and other law enforcement organizations never shared information in the past, but they discovered it was mutually beneficially to do so. Criminals often do the same. Unfortunately Ayik and Ngakurus’ egos got the best of them.

Whitney Grace, December 29, 2021

DarkCyber for December 28, 2021, Now Available

December 28, 2021

This is the 26th program in the third series of DarkCyber video news programs produced by Stephen E Arnold and Beyond Search. You can view the ad-free show at this url. This program includes news of changes to the DarkCyber video series. Starting in January 2022, Dark Cyber will focus on smart software and its impact on intelware and policeware. In addition, Dark Cyber will appear once each month and expand to a 15 to 20 minute format.

What will we do with the production time? We begin a new video series called “OSINT Radar.” OSINT is an acronym for open source intelligence. In a December 2021 presentation to cyber investigators, the idea surfaced of a 60 second profile of a high value OSINT site. We have developed this idea and will publish what we hope will be a weekly video “infodeck” in video form of an OSINT resource currently in use by law enforcement and intelligence professionals. Watch Beyond Search for the details of how to view these short, made-for-mobile video infodecks. Now when you swipe left, you will learn how to perform free reverse phone number look ups, obtain a list of a social media user’s friends, and other helpful data collection actions from completely open source data pools.

Also, in this DarkCyber program are: [a] the blame for government agencies and specialized software vendors using Facebook to crank out false identities. Hint: It’s not the vendors’ fault. [b] why 2022 will be a banner year for bad actors. No, it’s not just passwords, insiders, and corner-cutting software developers. There is a bigger problem. [c] Microsoft has its very own Death Star. Does Microsoft know that the original Death Star was a fiction and it did not survive an attack by the rebels?, and [d] a smart drone with kinetic weapons causes the UN to have a meeting and decide to have another meeting.

Kenny Toth, December 28, 2021

A Covid Consequence? Cybercriminals Grow in Sophistication, Organization

December 23, 2021

Prompted by a recent report, an article at BetaNews draws a conclusion that seems like old news to us: “Identity Fraud Gets More Sophisticated, Pointing to Organized Crime Involvement.” Writer Ian Barker tells us:

“In the last year, 47 percent of all identity document fraud was classed as ‘medium’ sophisticated, a 57 percent increase over the previous 12 months. A report from identity verification and authentication company Onfido says this points to organized groups attempting to create ‘verified’ accounts with fake documents before using them to embark on other types of fraud.”

See the write-up for more numbers that show identity theft expanding during the pandemic. But yes, much online crime is well organized. In fact, as ThreatPost reports, they even have their own justice system: “When Scammers Get Scammed, They Take It to Cybercrime Court.” When one bad actor breaks a contract or fails to pay another bad actor, the complainant can appeal to a justice system built into any number of underground forums. Instead of time served, those found guilty of wrongdoing pay with their reputations. And fines, hefty fines—as much as $20 million. Reporter Becky Bracken cites a recent report from cybersecurity firm Analyst1 as she writes:

“‘The plaintiff will submit qualified evidence, including any chat logs, screenshots, crypto currency transactions, and similar relevant information,’ the report explained. The defendant then can present their side of the claim, followed by a ‘cross examination’ by the assigned arbiter, who is typically one of the forum operators or administrators, Analyst1 added. ‘Like in real litigation processes, the trial can end with different verdicts,’ the report said. ‘In a case that the defendant is innocent or there is not enough material for a hearing, the case will be closed with no money or currency exchanging hands.’ Failure to comply with the verdict will lead to the cybercriminal getting banned from the forum, the researchers said.”

The article goes on to detail a few noteworthy cases, so navigate there for those details. To be sure, organized online crime is “organized” much like the Godfather films explain.

Cynthia Murrell, December 23, 2021

DarkCyber for December 14, 2021, Now Available

December 14, 2021

The December 14, 2021, Dark Cyber video news program is now available on the Beyond Search Web log and YouTube at this link.

Program number 25 for 2021 includes five stories.

The first is that a list of companies engaged in surveillance  technology and specialized software for law enforcement and intelligence professionals is available without charge. The list is not comprehensive, but it is one of the first open source documents which identifies companies operating “off the radar” of many analysts, law enforcement professionals, private detectives, and would-be investigative journalists.

The second story adds another chapter to the chronicle of missteps by a company doing business as NSO Group. The Israel company develops and licenses specialized software to government agencies. However, the use of that software has become problematic. This edition of Dark Cyber reports about the alleged use of the Pegasus mobile phone data collection system to obtain information from US diplomats’ mobile  devices. The consequences of MBA thinking have roiled the specialized services market worldwide.

The third story extracts pricing information made public by the Brennan Center. The documents obtained via a FOIA request to California were prepared by the Los Angeles Police Department. Although redacted, the documents contained what appears to be trade secret pricing information about the Voyager Labs’ surveillance data analytics system marketed worldwide.  The Dark Cyber story reveals how to download the document
collection and additional details about a very low profile company’s technology and methods.

The fourth story describes new digital cameras which are the size of a grain of salt. Dark Cyber then reveals that
a small roll up drone has been developed. The form factor is similar to a seed which spins as it floats to the
ground. Combining the miniature cameras with the seed-like phone factor creates opportunities for a new approach to video surveillance.

The final story announces a new Dark Cyber service. The weekly Instagram post will provide specific information about Web sites now used by law enforcement, analysts, and intelligence professionals to gather data about persons of interests, the social media activities, their location, and other high-value facts. The new service goes live in January 2022.

Dark Cyber is produced by Stephen E Arnold, who publishes the Web log called Beyond Search and available at this link.

Kenny Toth, December 14, 2021

Rising Cyber Crimes Mean High Prevention Costs

December 13, 2021

The COVID-19 pandemic forced organizations to institute remote work. Many organizations were not prepared, because they lacked secure networks and other necessary security measures to prevent cyber crimes. It is not surprising when Read Write explains in “Lessons Learned From The Skyrocketing Cost Of Cyber Crime” are loss of revenue, obvious preventable issues, and that cyber security and cyber crimes are burgeoning industries.

The pandemic spurred a rise in cyber crime, especially in ransomware, phishing, malware, island hopping, and hyper-targeted nation state attacks. (Does spreading of misinformation count as a cyber crime?). Cloud computing company Iomart recorded that data breaches rose by 273% in the first quarter of 2020 compared to 2019. Cyber crime cost the US an estimated $3.5 billion and the UK $1.8 billion, but it could be more as many crimes are unnoticed.

The cost of cyber crimes are projected to rise exponentially and cause more economic damage than natural disasters. It is important that organizations take preventative measures:

“With all the realistic threats that lurk in the digital space, it’s imperative for companies to deploy best practices in cybersecurity to protect their data and other digital assets. Plus, companies need to do everything they can to avoid the burdensome financial costs associated with cybercrime. While we can’t always prevent cyber attacks, we can learn from them and apply tangible steps to protect ourselves and our businesses.”

Good cyber security practices include implementing and enforcing identification, robust encryption policies, strong data hygiene, patch management programs, using blockchain and crypto currency solutions, and use traditional measures like firewalls, antivirus software, and anti-spyware.

Whitney Grace, December 13, 2021

Heads Up, Dark Overlord: Annoying the FBI May Not Be a Great Idea

November 19, 2021

Well this is embarrassing. The New York Post reports, “FBI Server Hacked, Spam Emails Sent to Over 100,000 People.” Writer Patrick Reilly tells us:

“The FBI’s email server was apparently hacked on Friday night to send threatening spam emails to over 100,000 people, the agency said. Authorities have not determined the sender or motive behind the rambling, incoherent emails, filled with technological nonsense. The emails warned receivers that their information may be under attack by Vinny Troia, famous hacker and owner of cybersecurity company Night Lion Security, in connection with notorious cybersecurity group TheDarkOverlord. The FBI confirmed the incident on Saturday, but said the hacked systems were ‘taken offline quickly,’ after it had been reported. ‘The FBI and CISA are aware of the incident this morning involving fake emails from an @ic.fbi.gov email account,’ the agency said in a statement. ‘This is an ongoing situation and we are not able to provide any additional information at this time. The impacted hardware was taken offline quickly upon discovery of the issue. We continue to encourage the public to be cautious of unknown senders and urge you to report suspicious activity ic3.gov or cisa.gov.’”

First reported by European nonprofit the Spamhaus Project, the emails came from an FBI server. Readers may recall TheDarkOverlord stole Netflix videos in 2017 and released them online as torrents after the streaming platform refused to pay the ransom. A year before that, the same outfit stole patient information (though, thankfully, not medical records) from three medical databases. Those groups also refused to give in to demands, so the hacker(s) sold the data from hundreds of thousands of patients on the Dark Web. If this attack is indeed the work of TheDarkOverlord, we wonder what the outfit expects will happen when annoying a quite capable entity. I have an anecdote for my lectures. That’s a plus for me.

Cynthia Murrell November 19, 2021

DarkCyber for November 16, 2021, Now Available

November 16, 2021

DarkCyber, Program 23, is now available at this link. The mid-November 2021 DarkCyber (Number 23 in the 2021 series) includes six stories.

There are two cyber “bytes”. The first reports about the legal pressure being applied to Signal, a maker of secure messaging software. The second explains that an international team of police arrested more than 100 people in Operation HunTor. Sixty-five of these bad actors resided in the United States.

Malware is tough to stamp out. In fact, Rootkits, a well-known method of compromising targets is returning, is regaining popularity. Plus, bad actors have begun placing malware in computer source code. The targets are unaware that their systems have been compromised. The program provides a link to a report about the Trojan Source method. the US government has blacklisted the NSO Group, a developer of specialized software and systems. What’s interesting is that three other firms have been blacklisted as well. One of the organizations responded to the US action with a sign and indifference. Amazon and Microsoft have learned that their customers/users have been subject to somewhat novel attacks. For Amazon, the Twitch “bit” reward system was used for money laundering. Google ads were used to distribute malware via a old-fashioned spoofed pages which looked legitimate but weren’t.

The drone news in this program reveals that Russia presented more than 200 war fighting technologies at a recent trade show in Lima, Peru. The point DarkCyber makes is that Russia perceives South America as a market ripe for sales. DarkCyber is produced every two weeks by Stephen E Arnold, publisher of the Beyond Search blog at www.arnoldit.com/wordpress and subject matter expert in some interesting technical specialties.

Kenny Toth, November 16, 2021

Encouragement for Bad Actors: Plenty of Targets Guaranteed

November 2, 2021

If the information in the Silicon Valley-esque business news service Venture Beat is accurate, 2022 is going to be a good year for bad actors. “Report: 55% of Execs Say That SolarWinds Hack Hasn’t Affected Software Purchases.” Now “purchase” is a misleading word. Vendors like users to subscribe, so the revenue projections are less fraught. Subscriptions can be tough to terminate, and paying that bill is like a bad habit, easy to fall into, tough to get out of.

The article states:

According to a recent study by Venalfi, more than half of executives (55%) with responsibility for both security and software development reported that the SolarWinds hack has had little or no impact on the concerns they consider when purchasing software products for their company. Additionally, 69% say their company has not increased the number of security questions they are asking software providers about the processes used to assure software security and verify code.

This statement translates to status quo-ism.

The Microsoft products are targets because Microsoft’s yummy software is widely used and is like a 1980s Toys-R-Us filled with new Teddy bears, battery powered trucks, and role-model dolls.

What’s the fix for escalating cyber attacks? Different business policies and more rigorous security procedures.

To sum up, a potentially big year for bad actors, some of whom practice their craft from prison with a contraband smartphone. The Fancy Bear types will be dancing and some of the APT kids will be wallowing in endless chocolate cake.

Digitally speaking, of course.

Stephen E Arnold, November 2, 2021

Next Page »

  • Archives

  • Recent Posts

  • Meta