Eleven men, believed to be part of the "Anonymous Malaysia" hacker group, have been detained following six raids conducted by Malaysian police in Pahang, Johor, Perak and the Klang Valley. The group was believed to be responsible for cyber attacks on websites belonging to the government and the private sector.
Deputy Inspector-General of Police Acryl Sani Abdullah Sani said the suspects, aged between 22 and 40, were detained following the group's recent threat to hack the government's computer system.
Among those arrested by the Commercial Crime Investigation Department of Malaysian police headquarters, he said, was the administrator of the Anonymous Malaysia Facebook page.
"We will investigate further and ascertain if there are other members of the group," he told reporters after visiting a Covid-19 police roadblock set up at a Selangor toll plaza.
Datuk Seri Acryl Sani said the group was believed to be responsible for cyber attacks on websites belonging to the government and the private sector.
"We are not ruling out the possibility of 17 websites having been hacked," he added.
It was learnt that the suspects were also responsible for hacking the systems belonging to the Johor and Sabah state governments as well as Malaysia's International Trade and Industry Ministry.
The National Security Agency (NSA) and CISA have released a Joint Cybersecurity Information (CSI) sheet with guidance on selecting a protective Domain Name System (PDNS) service as a key defense against malicious cyber activity. Protective DNS can greatly reduce the effectiveness of ransomware, phishing, botnet, and malware campaigns by blocking known-malicious domains. Additionally organizations can use DNS query logs for incident response and threat hunting activities.
CISA encourages users and administrators to consider the benefits of using a protective DNS service and review NSA and CISA’s CSI sheet on Selecting a Protective DNS Service for more information.
Protecting users’ DNS queries is a key defense because cyber threat actors use domain names across the network exploitation lifecycle: users frequently mistype domain names while attempting to navigate to a known-good website and unintentionally go to a malicious one instead (T1583.001); threat actors lace phishing emails with malicious links (T1566.002); a compromised device may seek commands from a remote command and control server (TA0011); a threat actor may exfiltrate data from a compromised device to a remote host (TA0010).1 The domain names associated with malicious content are often known or knowable, and preventing their resolution protects individual users and the enterprise.
Due to the centrality of DNS for cybersecurity, the Department of Defense (DoD) included DNS filtering as a requirement in its Cybersecurity Maturity Model Certification (CMMC) standard (SC.3.192). The Cybersecurity and Infrastructure Security Agency issued a memo and directive requiring U.S. government organizations to take steps to mitigate related DNS issues. Additionally, the National Security Agency has published guidance documents on defending DNS [1, 2, 3].
This guidance outlines the benefits and risks of using a protective DNS service and assesses several commercial PDNS providers based on reported capabilities. The assessment is meant to serve as information for organizations, not as recommendations for provider selection. Users of these services must evaluate their architectures and specific needs when choosing a service for PDNS and then validate that a provider meets those needs.
DOD's network of sophisticated, expensive weapon systems must work when needed, without being incapacitated by cyberattacks. However, GAO reported in 2018 that DOD was routinely finding cyber vulnerabilities late in its development process.
A Senate report accompanying the National Defense Authorization Act for Fiscal Year 2020 included a provision for GAO to review DOD's implementation of cybersecurity for weapon systems in development. GAO's report addresses (1) the extent to which DOD has made progress in implementing cybersecurity for weapon systems during development, and (2) the extent to which DOD and the military services have developed guidance for incorporating weapon systems cybersecurity requirements into contracts.
Since GAO's 2018 report, the Department of Defense (DOD) has taken action to make its network of high-tech weapon systems less vulnerable to cyberattacks. DOD and military service officials highlighted areas of progress, including increased access to expertise, enhanced cyber testing, and additional guidance. For example, GAO found that selected acquisition programs have conducted, or planned to conduct, more cybersecurity testing during development than past acquisition programs. It is important that DOD sustain its efforts as it works to improve weapon systems cybersecurity.
Contracting for cybersecurity requirements is key. DOD guidance states that these requirements should be treated like other types of system requirements and, more simply, “if it is not in the contract, do not expect to get it.” Specifically, cybersecurity requirements should be defined in acquisition program contracts, and criteria should be established for accepting or rejecting the work and for how the government will verify that requirements have been met. However, GAO found examples of program contracts omitting cybersecurity requirements, acceptance criteria, or verification processes. For example, GAO found that contracts for three of the five programs did not include any cybersecurity requirements when they were awarded. A senior DOD official said standardizing cybersecurity requirements is difficult and the department needs to better communicate cybersecurity requirements and systems engineering to the users that will decide whether or not a cybersecurity risk is acceptable.
DOD and the military services have developed a range of policy and guidance documents to improve weapon systems cybersecurity, but the guidance usually does not specifically address how acquisition programs should include cybersecurity requirements, acceptance criteria, and verification processes in contracts. Among the four military services GAO reviewed, only the Air Force has issued service-wide guidance that details how acquisition programs should define cybersecurity requirements and incorporate those requirements in contracts. The other services could benefit from a similar approach in developing their own guidance that helps ensure that DOD appropriately addresses cybersecurity requirements in contracts.
GAO is recommending that the Army, Navy, and Marine Corps provide guidance on how programs should incorporate tailored cybersecurity requirements into contracts. DOD concurred with two recommendations, and stated that the third—to the Marine Corps—should be merged with the one to the Navy. DOD's response aligns with the intent of the recommendation.
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive (ED) 21-02 requiring federal civilian departments and agencies running Microsoft Exchange on-premises products to update or disconnect the products from their networks until updated with the Microsoft patch released yesterday. It also requires agencies who are currently able to do so to collect forensic images. All agencies are also required to search for known indicators of compromise after patching, and if indicators are found, contact CISA to begin incident response activities. The directive is in response to observed active exploitation of these products using previously unknown vulnerabilities. CISA also issued an activity alert to provide additional information and to encourage other public and private sector organizations to take steps to protect their networks.
“This Emergency Directive will help us secure federal networks against the immediate threat while CISA works with its interagency partners to better understand the malicious actor’s techniques and motivations to share with our stakeholders,” said Acting CISA Director Brandon Wales. “The swiftness with which CISA issued this Emergency Directive reflects the seriousness of this vulnerability and the importance of all organizations – in government and the private sector – to take steps to remediate it.”
ED 21-02 reflects CISA’s determination that exploitations that pose an unacceptable risk to the federal civilian executive branch agencies require emergency action. CISA made this assessment on the basis of 1) current exploitation of these vulnerabilities, 2) the likelihood of widespread exploitation of the vulnerabilities after public disclosure and the risk that federal government services to the American public could be degraded.
CISA and the National Security Agency worked with Microsoft and security researchers to identify detection and mitigation approaches to these vulnerabilities, for which Microsoft released the patch this afternoon. Cloud services such as Microsoft 365 and Azure systems are not known to be affected by this vulnerability.
An INTERPOL report has highlighted the key cybercrime trends and threats confronting the Association of Southeast Asian Nations (ASEAN) region.
INTERPOL’s ASEAN Cyberthreat Assessment 2021 report outlines how cybercrime’s upward trend is set to rise exponentially, with highly organized cybercriminals sharing resources and expertise to their advantage.
It provides strategies for tackling cyberthreats against the context of the pandemic which has seen more people going online using mostly unprotected mobile devices, creating a surge in cybercriminal activities profiting from the theft of personal information and credentials.
The report further describes the essential collaboration on intelligence sharing and expertise between law enforcement agencies and the private sector, facilitated by INTERPOL’s global network.
The INTERPOL’s ASEAN Cybercrime Operations Desk (ASEAN Desk) with the support from law enforcement agencies in the region and INTERPOL’s private sector cybersecurity partners identify the region’s top cyberthreats:
- Business E-mail Compromise campaigns continue to top the chart with businesses suffering major losses, as it is a high-return investment with low cost and risk.
- Phishing. Cybercriminals are exploiting the widespread use of global communications on information related to COVID-19 to deceive unsuspecting victims.
- Ransomware. Cybercrime targeting hospitals, medical centers and public institutions for ransomware attacks has increased rapidly as cybercriminals believe they have a higher chance of success given the medical crisis in many countries.
- E-commerce data interception poses an emerging and imminent threat to online shoppers, undermining trust in online payment systems.
- Crimeware-as-a-Service puts cybercriminal tools and services in the hands of a wider range of threat actors – even non-technical ones, to the extent that anyone can become a cybercriminal with minimal ‘investment’.
- Cyber Scams. With the increase of online transactions and more people working from home, cybercriminals have revised their online scams and phishing schemes, even impersonating government and health authorities to lure victims into providing their personal information and downloading malicious content.
- Cryptojacking continues to be on the radar of cybercriminals as the value of cryptocurrencies increases.
“Cybercrime is constantly evolving. The COVID-19 pandemic has accelerated digital transformation, which has opened new opportunities for cybercriminals,” said Craig Jones, INTERPOL’s Director of Cybercrime.
“Through this report, INTERPOL strives to support member countries in the ASEAN region to take a targeted response against ever-evolving cybercrime threats to protect their digital economies and communities,” added Mr Jones.
Under the mandate of reducing the global impact of cybercrime and protecting communities, the INTERPOL Regional Cybercrime Strategy for ASEAN sets out INTERPOL’s key priorities and principles against cybercrime in the region.
Delivered through INTERPOL’s ASEAN Desk and ASEAN Cyber Capacity Development Project, the strategy is underpinned by four pillars: enhancing cybercrime intelligence for effective responses to cybercrime; strengthening cooperation for joint operations against cybercrime; developing regional capacity and capabilities to combat cybercrime; and promoting good cyber hygiene for a safer cyberspace.
Law enforcement and judicial authorities worldwide have this week disrupted one of the most significant botnets of the past decade: EMOTET. Investigators have now taken control of its infrastructure in an international coordinated action.
This operation is the result of a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust. This operation was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).
EMOTET has been one of the professional and long lasting cybercrime services out there. First discovered as a banking Trojan in 2014, the malware evolved into the go-to solution for cybercriminals over the years. The EMOTET infrastructure essentially acted as a primary door opener for computer systems on a global scale. Once this unauthorised access was established, these were sold to other top level criminal groups to deploy further illicit activities such as data theft and extortion through ransomware.
Spread via Word documents
The EMOTET group managed to take email as an attack vector to a next level. Through a fully automated process, EMOTET malware was delivered to the victims’ computers via infected e-mail attachments. A variety of different lures were used to trick unsuspecting users into opening these malicious attachments. In the past, EMOTET email campaigns have also been presented as invoices, shipping notices and information about COVID-19.
All these emails contained malicious Word documents, either attached to the email itself or downloadable by clicking on a link within the email. Once a user opened one of these documents, they could be prompted to “enable macros” so that the malicious code hidden in the Word file could run and install EMOTET malware on a victim’s computer.
Attacks for hire
EMOTET was much more than just a malware. What made EMOTET so dangerous is that the malware was offered for hire to other cybercriminals to install other types of malware, such as banking Trojans or ransomwares, onto a victim’s computer.
This type of attack is called a ‘loader’ operation, and EMOTET is said to be one of the biggest players in the cybercrime world as other malware operators like TrickBot and Ryuk have benefited from it.
Its unique way of infecting networks by spreading the threat laterally after gaining access to just a few devices in the network made it one of the most resilient malware in the wild.
Disruption of EMOTET’s infrastructure
The infrastructure that was used by EMOTET involved several hundreds of servers located across the world, all of these having different functionalities in order to manage the computers of the infected victims, to spread to new ones, to serve other criminal groups, and to ultimately make the network more resilient against takedown attempts.
To severely disrupt the EMOTET infrastructure, law enforcement teamed up together to create an effective operational strategy. It resulted in this week’s action where by law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.
How to protect oneself against loaders
Many botnets like EMOTET are polymorphic in nature. This means that the malware changes its code each time it is called up. Since many antivirus programmes scan the computer for known malware codes, a code change may cause difficulties for its detection, allowing the infection to go initially undetected.
A combination of both updated cybersecurity tools (antivirus and operating systems) and cybersecurity awareness is essential to avoid falling victim to sophisticated botnets like EMOTET. Users should carefully check their email and avoid opening messages and especially attachments from unknown senders. If a message seems too good to be true, it likely is and emails that implore a sense of urgency should be avoided at all costs.
As part of the criminal investigation conducted by the Dutch National Police into EMOTET, a database containing e-mail addresses, usernames and passwords stolen by EMOTET was discovered. You can check if your e-mail address has been compromised at www.politie.nl/emocheck. As part of the global remediation strategy, in order to initiate the notification of those affected and the cleaning up of the systems, information was distributed worldwide via the network of so-called Computer Emergency Response Teams (CERTs).
The following authorities took part in this operation:
- Netherlands: National Police (Politie), National Public Prosecution Office (Landelijk Parket)
- Germany: Federal Criminal Police (Bundeskriminalamt), General Public Prosecutor's Office Frankfurt/Main (Generalstaatsanwaltschaft)
- France: National Police (Police Nationale), Judicial Court of Paris (Tribunal Judiciaire de Paris)
- Lithuania: Lithuanian Criminal Police Bureau (Lietuvos kriminalinės policijos biuras), Prosecutor’s General’s Office of Lithuania
- Canada: Royal Canadian Mounted Police
- United States: Federal Bureau of Investigation, U.S. Department of Justice, US Attorney's Office for the Middle District of North Carolina
- United Kingdom: National Crime Agency, Crown Prosecution Service
- Ukraine: National Police of Ukraine (Національна поліція України), Prosecutor General’s Office (Офіс Генерального прокурора)
The virtual private network (VPN) Safe-Inet used by the world’s foremost cybercriminals has been taken down in a coordinated law enforcement action led by the German Reutlingen Police Headquarters together with Europol and law enforcement agencies from around the world.
The Safe-Inet service was shut down and its infrastructure seized in Germany, the Netherlands, Switzerland, France and the United States. The servers were taken down, and a splash page prepared by Europol was put up online after the domain seizures. This coordinated takedown was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).
Active for over a decade, Safe-Inet was being used by some of the world’s biggest cybercriminals, such as the ransomware operators responsible for ransomware, E-skimming breaches and other forms of serious cybercrime.
This VPN service was sold at a high price to the criminal underworld as one of the best tools available to avoid law enforcement interception, offering up to 5 layers of anonymous VPN connections.
Law enforcement were able to identify some 250 companies worldwide which were being spied on by the criminals using this VPN. These companies were subsequently warned of an imminent ransomware attack against their systems, allowing them to take measures to protect themselves against such an attack.
The service has now been rendered inaccessible.
Investigations are ongoing in a number of countries to identify and take action against some of Safe-Inet’s users.
International police cooperation was central to the success of this investigation as the critical infrastructure was scattered across the world.
Europol’s European Cybercrime Centre (EC3) supported the investigation from the onset, bringing together all the involved countries to establish a joint strategy and to organise the intensive exchange of information and evidence needed to prepare for the final phase of the takedown.
In response to ongoing cybersecurity events, the National Security Agency (NSA) released a Cybersecurity Advisory Thursday “Detecting Abuse of Authentication Mechanisms.” This advisory provides guidance to National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) network administrators to detect and mitigate against malicious cyber actors who are manipulating trust in federated authentication environments to access protected data in the cloud. It builds on the guidance shared in the cybersecurity advisory regarding VMware with state-sponsored actors exploiting CVE 2020-4006 and forging credentials to access protected files, though other nation states and cyber criminals may use this tactic, technique, and procedure (TTP) as well.
This advisory specifically discusses detection and mitigation of two TTPs to forge authentications and gain access to a victim’s cloud resources. While these TTPs require the actors to already have privileged access in an on-premises environment, they are still dangerous as they can be combined with other vulnerabilities to gain initial access, then undermine trust, security, and authentication. Initial access can be established through a number of means, including known and unknown vulnerabilities. The recent SolarWinds Orion ® code compromise is one serious example of how on-premises systems can be compromised, leading to abuse of federated authentication and malicious cloud access.
Mitigation actions include hardening and monitoring systems that run local identity and federation services, locking down tenant single sign-on (SSO) configuration in the cloud, and monitoring for indicators of compromise. NSA remains committed to providing provide timely, actionable and relevant guidance, and is partnering across the public and private sectors in ongoing incident response efforts. Releasing this advisory with further technical guidance allows NSA’s customers to apply preventative measures to the fullest extent along with the detection and mitigation actions.
Malicious cyber actors are abusing trust in federated authentication environments to access protected data. An “on premises” federated identity provider or single sign-on (SSO) system lets an organization use the authentication systems they already own (e.g. tokens, authentication apps, one-time passwords, etc.) to grant access to resources, including resources in “off premises” cloud services. These systems often use cryptographically signed automated messages called “assertions” shared via Security Assertion Markup Language (SAML) to show that users have been authenticated. When an actor can subvert authentication mechanisms, they can gain illicit access to a wide range of an organizations assets.
In some cases, actors have stolen keys from the SSO system that allow them to sign assertions and impersonate any legitimate user who could be authenticated by the system. On 7 December, NSA reported on an example where a zeroday vulnerability was being used to compromise VMware Access®1 and VMware Identity Manager®2 servers, allowing actors to forge authentication assertions and thus gain access to the victim’s protected data. In other cases, actors have gained enough privileges to create their own keys and identities such as “service principals” (cloud applications that act on behalf of a user) or even their own fake SSO system. According to public reporting, in some cases, the SolarWinds Orion code compromise provided actors initial access to an on-premises network which led to access within the cloud.
Note that these techniques alone do not constitute vulnerabilities in the design principles of federated identity management, the SAML protocol, or on-premises and cloud identity services. The security of identity federation in any cloud environment directly depends on trust in the on-premises components that perform authentication, assign privileges, and sign SAML tokens. If any of these components is compromised, then the trust in the federated identity system can be abused for unauthorized access.
To defend against these techniques, organizations should pay careful attention to locking down SSO configuration and service principal usage, as well as hardening the systems that run on-premises identity and federation services.
Monitoring the use of SSO tokens and the use of service principals in the cloud can help detect the compromise of identity services. While these techniques apply to all cloud environments that support on-premises federated authentication, the following specific mitigations are focused on Microsoft Azure federation. Many of the techniques can be generalized to other environments as well.
The European Union Agency for Cybersecurity (ENISA) released its Artificial Intelligence Threat Landscape Report, unveiling the major cybersecurity challenges facing the AI ecosystem. ENISA’s study takes a methodological approach at mapping the key players and threats in AI. The report follows up the priorities defined in the European Commission’s 2020 AI White Paper. The ENISA Ad-Hoc Working Group on Artificial Intelligence Cybersecurity, with members from EU Institutions, academia and industry, provided input and supported the drafting of this report.
The benefits of this emerging technology are significant, but so are the concerns, such as potential new avenues of manipulation and attack methods. The technology takes many steps across the supply chain and requires vast amounts of data to function efficiently. The AI Threat Landscape report underlines the importance of cybersecurity and data protection in every part of the AI ecosystem to create trustworthy technology for end-users.
Executive Director of the EU Agency for Cybersecurity Juhan Lepassaar said: “Cybersecurity is one of the bases of trustworthy solutions for Artificial Intelligence. A common understanding of AI cybersecurity threats will be key to Europe’s widespread deployment and acceptance of AI systems and applications.”
This new work by ENISA aims to serve as a baseline for initiatives to secure AI: both in terms of policies, as it frames the problem and provides guidance on cybersecurity threats, as well as in terms of technical controls, as it highlights specific threats for which action may be needed. The report is directed to policy makers when developing future guidance on secure AI deployments, to technical experts to support customised risk assessments and to standardisation bodies to support upcoming AI security standards.
The main highlights of the report include:
Definition of AI’s scope in the context of cybersecurity by following a lifecycle approach. The ecosystem of AI systems and applications is defined by taking into account the different stages of the AI lifecycle -- from requirements analysis to deployment.
- Identification of assets of the AI ecosystem as a fundamental step in pinpointing what needs to be protected and what could possibly go wrong in terms of the security of the AI ecosystem.
- Mapping of the AI threat landscape by means of a detailed taxonomy. This serves as a baseline for the identification of potential vulnerabilities and attack scenarios for specific use cases.
- Classification of threats and listing of relevant threat actors. The impact of threats to different security properties is also highlighted.
The ENISA AI Threat Landscape identifies the challenges and opportunities to deploy secure AI systems and services across the Union. The report highlights the need for more targeted and proportionate security measures to mitigate the identified threats, as well as the need for an in-depth look into AI’s use in sectors such as health, automotive and finance.
The EU Agency for Cybersecurity continues to play a bigger role in the assessment of Artificial Intelligence (AI) by providing key input for future policies.
Earlier this year, the Agency set up the ENISA Ad Hoc Working Group on Cybersecurity for Artificial Intelligence, which supports ENISA in the process of building knowledge on AI Cybersecurity. The group includes members from the European Commission Directorate-General Communications Networks, Content and Technology (DG CONNECT), the European Commission Directorate-General Joint Research Committee (DG JRC), Europol, the European Defence Agency (EDA), the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), the European Telecommunications Standards Institute (ETSI), as well as academics and industry experts.