DoJ Indicts 9 Iranians for Hacking into Hundreds of Universities, FERC, Dept. of Labor, Others

“The numbers alone in this case are staggering: over 300 universities and 47 private sector companies both here in the United States and abroad were targeted to gain unauthorized access to online accounts and steal data. An estimated 30 terabytes was removed from universities’ accounts since this attack began, which is roughly the equivalent of 8 billion double-sided pages of text,” said FBI Assistant Director William F. Sweeney Jr. “It is hard to quantify the value of the research and information that was taken from victims, but it is estimated to be in the billions of dollars. The nine Iranians indicted today now find themselves wanted by the FBI and our partner law enforcement agencies around the globe – and like other cyber criminals they will soon learn their ability to freely move was just limited to the virtual world only.”

According to the indictment, the Mabna Institute was under contract with the Iranian government as well as private entities for the operation, which began with a spear phishing campaign against more than 100,000 professors worldwide. They were able to infiltrate email accounts of some 8,000 of them, mostly in the US, but also in Australia, Canada, China, Denmark, Finland, Germany, Ireland, Israel, Italy, Japan, Malaysia, Netherlands, Norway, Poland, Singapore, South Korea, Spain, Sweden, Switzerland, Turkey, and the UK.

The hackers stole intellectual property from the universities, including academic journals, theses, dissertations, and electronic books.

Other US victims included three academic publishers, two media and entertainment companies, one law firm, 11 technology companies, five consulting firms, four marketing firms, two banking and/or investment firms, two online car sales companies, a healthcare company, an employee benefits company, an industrial machinery company, a biotechnology company, a food and beverage company, and a stock images company.

Those private sector victims were targeted via “password-spraying” methods that the hackers used to pilfer their credentials.
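Password spraying tries one or a few common passwords across many accounts, so its log-side signature is the inverse of a single-account brute force: many distinct usernames failing from one source, with very few attempts per account. The detector below, run over constructed log lines, is an added example and not part of the Dark Reading article; the log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the indictment or any real system).
# Source 203.0.113.7 tries each of six accounts once: a spray.
# Source 198.51.100.9 hammers one account: a single-account brute force, not a spray.
# Source 192.0.2.5 is a user who mistypes once and then logs in.
SAMPLE_LOG = """\
2018-03-20T09:00:01Z auth src=203.0.113.7 user=alice result=FAIL
2018-03-20T09:00:03Z auth src=203.0.113.7 user=bob result=FAIL
2018-03-20T09:00:05Z auth src=203.0.113.7 user=carol result=FAIL
2018-03-20T09:00:07Z auth src=203.0.113.7 user=dave result=FAIL
2018-03-20T09:00:09Z auth src=203.0.113.7 user=erin result=FAIL
2018-03-20T09:00:11Z auth src=203.0.113.7 user=frank result=FAIL
2018-03-20T09:00:13Z auth src=203.0.113.7 user=frank result=SUCCESS
2018-03-20T09:05:00Z auth src=198.51.100.9 user=carol result=FAIL
2018-03-20T09:05:01Z auth src=198.51.100.9 user=carol result=FAIL
2018-03-20T09:05:02Z auth src=198.51.100.9 user=carol result=FAIL
2018-03-20T09:05:03Z auth src=198.51.100.9 user=carol result=FAIL
2018-03-20T09:05:04Z auth src=198.51.100.9 user=carol result=FAIL
2018-03-20T09:05:05Z auth src=198.51.100.9 user=carol result=FAIL
2018-03-20T09:10:00Z auth src=192.0.2.5 user=alice result=FAIL
2018-03-20T09:10:20Z auth src=192.0.2.5 user=alice result=SUCCESS
"""

# Assumed log format: "<iso-timestamp> auth src=<ip> user=<name> result=<FAIL|SUCCESS>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_lines(text):
    """Parse the assumed log format into (timestamp, source, user, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines in other formats
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return {source: distinct_accounts} for sources whose failures, within some
    sliding time window, span at least min_accounts distinct users while no single
    user sees more than max_per_account failures (the low-and-slow spray shape)."""
    fails_by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))

    alerts = {}
    for src, fails in fails_by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # advance the window start until the span covers at most `window` of time
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                alerts[src] = max(alerts.get(src, 0), len(per_user))
    return alerts


def spray_alerts(text=SAMPLE_LOG):
    """Convenience wrapper: parse the sample log and run the spray rule over it."""
    return detect_spray(parse_lines(text))


if __name__ == "__main__":
    for src, n in spray_alerts().items():
        print(f"possible password spray from {src}: {n} distinct accounts in one window")
```

The single-account brute force from 198.51.100.9 is deliberately not flagged by this rule; it is what per-account lockout already catches, whereas a spray stays under that lockout threshold.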

DoJ Deputy Attorney General Rod Rosenstein said in a statement: “The Department of Justice will aggressively investigate and prosecute hostile actors who attempt to profit from America’s ideas by infiltrating our computer systems and stealing intellectual property. This case is important because it will disrupt the defendants’ hacking operations and deter similar crimes.”


from Dark Reading – All Stories

Ransomware Attack Cripples Several Atlanta City Systems

The city of Atlanta is currently being targeted in a ransomware attack impacting several of its departments and crippling government websites that process payments and relay court information.

The attack first hit on Thursday morning, according to the City of Atlanta. In an email to Threatpost, an Atlanta government spokesperson said that there are no updates to share as of Friday morning.

The city, which is the ninth-largest metro area in the U.S., said on its Twitter account Thursday that it is facing outages on various internal and external customer-related applications, “including some that customers may use to pay bills or access court-related information.”

Atlanta Chief Operating Officer Richard Cox said in a press conference Thursday evening that Atlanta is working with the Federal Bureau of Investigation and the Department of Homeland Security, as well as Microsoft’s and Cisco’s security emergency response teams, to address the attack.

Atlanta said that at this time several departments were affected by the attack. However, the Atlanta Public Safety department, airport, and water services operation “are operating without incident.” In addition, payroll for city employees won’t be impacted by the attack.

According to reports by CBS46, the attack included a ransom note that demanded 6 bitcoins for all computers (or $51,000 based on today’s valuation) in exchange for keys to decrypt systems.

In the press conference, Cox confirmed that the city received a written demand related to the attack, but did not confirm the contents of the demand. There was also no specification around how the attack was first launched.

Atlanta is still investigating whether personal, financial or employee data has been compromised. “As a precaution, we are asking that all employees take the appropriate measures to ensure their data is not compromised. The city advises to monitor or protect personal information,” said Cox.

According to a report by Atlanta local news site AJC, a note from the Atlanta information management team told City Hall employees not to use their computers unless previously cleared.

In the press conference, Atlanta’s mayor, Keisha Bottoms, wouldn’t specify whether Atlanta would pay the ransom.

Atlanta is only the most recent victim of ransomware attacks. In May 2017, a massive scale ransomware attack, WannaCry, paralyzed systems across various markets – including England’s health care system and one of Honda’s Japanese plants.

Rob Tate, security researcher at WhiteHat Security, told Threatpost that he predicts more ransomware attacks on government utilities in the coming year, especially as each year ransomware attacks have been launched on more publicly visible victims – like hospitals and local governments.

“One thing that strikes me about this incident is that it’s not too different than attacks we’ve seen before,” he said. “In some cases, and seemingly in a case like this, the attacker did their homework, and would pick a number that they know the victim can afford to pay.”

from Threatpost – English – Global – thr…

Looking Back to Look Ahead: Cyber Threat Trends to Watch

Data from the fourth quarter of last year shows the state of application exploits, malicious software, and botnets.

Organizations today face an unprecedented volume of increasingly sophisticated threats as they conduct online operations. As the potential attack surface expands and attack volumes increase, it is imperative to track the most popular and successful strategies of cybercriminals to stay ahead of their malicious intentions.

The quarterly Fortinet Global Threat Landscape Report gathers the collective intelligence drawn from FortiGuard Labs’ large array of sensors deployed in live production environments. The research data in the most recent report focuses on three aspects of the threat landscape: application exploits, malicious software, and botnets. It also examines important zero-day vulnerabilities and infrastructure trends to add context about the trajectory of cyberattacks affecting organizations over time.

What the Data Reveals
Below are the key findings from the latest “Threat Landscape Report” that organizations need to know about in order to prepare for what’s ahead.

Application exploits, malicious software, and botnets:

  • Historic Volume: The number of malware families detected in the fourth quarter of 2017 increased by 25% over the third quarter, to 3,317, and unique variants grew 19%, to 17,671. An average of 274 attacks per firm were also detected, a staggering increase of 82% over the previous quarter.
  • Mining for Cryptocurrency: Cryptomining malware increased in the fourth quarter, which seems to be intertwined with the changing price of bitcoin. Cybercriminals recognize the growth in digital currencies and are using a trick called cryptojacking to mine cryptocurrencies on computers using CPU resources in the background without a user knowing. Cryptojacking involves loading a script into a web browser; nothing is installed or stored on the computer.
  • Everything Old Is New Again: Steganography is an attack that embeds malicious code in images. The Sundown exploit kit uses steganography to steal information, and while it has been around for some time, it was reported by more organizations than any other exploit kit in the fourth quarter. It was found dropping multiple ransomware variants.
  • A Ransomware Explosion: Ransomware continues to grow in both volume and sophistication. Several strains of ransomware topped the list of malware variants. Locky was the most prevalent malware variant, and GlobeImposter was second. A new strain of Locky emerged, tricking recipients with spam before requesting a ransom. In addition, there was a shift on the darknet from only accepting bitcoin for payment to other forms of digital currency.
  • Swarm-Based Cyberattacks: The sophistication of attacks targeting organizations is accelerating at an unprecedented rate. For example, attackers are developing new Internet of Things (IoT)-based botnets with swarm-like capabilities that simultaneously target multiple vulnerabilities, devices, and access points.
  • An Increase in IoT Attacks: Three of the top 20 attacks identified in the quarter targeted IoT devices. New IoT botnets such as Reaper and Hajime target multiple vulnerabilities simultaneously. This multivector approach is much harder to combat. In addition, Reaper’s new flexible framework, built around a Lua engine and scripts, means that Reaper’s code can be easily updated to swarm faster by running new and more malicious attacks as they become available. Exploit volumes associated with Reaper exhibited an early October jump from 50,000 to 2.7 million over just a few days, before dropping back to normal.
  • Sophisticated Industrial Malware: An uptick in exploit activity against industrial control systems and safety instrumented systems suggests these under-the-radar attacks might be climbing higher on attackers’ radar. An example is an attack code-named Triton. It is sophisticated in nature and has the ability to cover its tracks by overwriting the malware itself with garbage data to thwart forensic analysis. Because these platforms affect vital critical infrastructure, they are enticing for threat actors. Successful attacks can cause significant damage with far-reaching impact.

Infrastructure trends:
When it comes to the cyber threat landscape, infrastructure statistics offer a powerful overview because strong correlations exist between infrastructure usage and threat frequency. For example, firms that use a lot of peer-to-peer and proxy apps report seven to nine times as many botnets and malware as those that don’t use them.

In the fourth quarter of 2017, firms also appear to have used more bandwidth and encrypted more web traffic than ever before, but they are actually visiting fewer sites and using fewer applications. There is also a special interest in keeping tabs on the ratio of HTTPS traffic in the network. It’s continuing to trend up.

While helpful for maintaining privacy, higher encryption rates also present challenges to threat monitoring and detection. Inspecting Secure Sockets Layer traffic has a significant impact on the performance of firewalls, which means it can affect the amount of network traffic that is actually being inspected. And organizations — especially those with higher HTTPS ratios — cannot afford to ignore threats that might be lurking within encrypted communications.

Best Practices for Stronger Security
With the volume, velocity, and variety of modern threats increasing, standalone point devices and platforms are rapidly becoming inadequate and ineffective. Organizations need a more unified approach that makes it practical for security teams, large or small, to achieve and maintain a competent security posture.

To protect the network against application exploits, malicious software, botnets, and zero-day vulnerabilities, organizations need to stay abreast of and track popular and successful threats. In addition, automated security measures can help pit swarm against swarm in order to effectively counter and repel an attack.

A unified defense posture can also help companies by detecting known and unknown threats at multiple layers throughout the environment. Growing your capability to detect and sever botnet communications at key choke points in your network is another solid strategy. Additionally, an internal network segmentation strategy will help detect and automatically contain all kinds of threats.

Looking back at data from 2017 reveals that to effectively combat today’s ever-evolving threats, you need to break down siloes and bring many security tools together for a collaborative approach that can help you see everything that’s coming at your network.


Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy …

from Dark Reading – All Stories

Netflix, Dropbox promise not to sue security researchers, with caveats

Netflix and Dropbox have both noted recently that they won’t sue security researchers who find and disclose vulnerabilities in their products. The only caveat is: the researchers must conduct the research in line with their vulnerability disclosure policy and bug bounty program guidelines.

Dropbox Head of Security Chris Evans announced on Wednesday that they’ve updated their vulnerability disclosure policy to clearly say that the company will “not initiate legal action for security research conducted pursuant to the policy, including good faith, accidental violations,” and that they “won’t bring a Digital Millennium Copyright Act (DMCA) action against a researcher for research consistent with the policy.”

“Anything that stifles open security research is problematic because many of the advances in security that we all enjoy come from the wonderful combined efforts of the security research community,” he pointed out.

“Motivated by recent events and discussions, we’ve realized that too few companies formally commit to avoiding [legal threats, suits, inappropriate referral to authorities, public attacks on researchers’ character or motivation, and pressuring, gagging, or firing researchers by abusing law or business relationships to the detriment of scientific publication].”

The company will consider actions consistent with the policy as constituting “authorized” conduct under the Computer Fraud and Abuse Act (CFAA), and if a third party initiates legal action, Dropbox will make it clear when a researcher was acting in compliance with the policy.

Dropbox is requesting researchers to give them a “reasonable time” to fix the issue before making it public, but Evans noted that that doesn’t mean that the company reserves the right to take forever to fix a security issue.

The policy and other details about Dropbox’s bug bounty program can be found here.


Netflix has been operating a private bug bounty program since September 2016 and initially invited 100 of Bugcrowd’s top researchers to participate.

The initial scope of the program has been increased considerably since then, and now 700 researchers have been invited to participate in it.

Detailed information about what’s in scope of the program and what isn’t can be found here.

What’s important to point out is that the company promises to resolve reported issues quickly and not to bring a lawsuit against researchers or ask law enforcement to investigate them if their research and disclosure conform to the set bug bounty guidelines.

Netflix allows “coordinated disclosure” for valid, remediated submissions, meaning researchers will have to get explicit permission from the company to disclose information about the found (and fixed) vulnerability.

from Help Net Security – News

Looking Back and Thinking Ahead on Cyberwar, Nation-State Attacks

In the domain of cyber warfare, the effective strategies for fighting yesterday’s cyberattacks will not work against tomorrow’s, Internet infrastructure expert says.

BLACK HAT ASIA – Singapore – Nation-state threats dominated the themes of this week’s keynotes at Black Hat Asia, where experts dug into past and current cyberattacks, efforts to mitigate nation-state attacks, and the broad and evolving realm of cyber warfare.

Bill Woodcock, executive director at Packet Clearing House, took attendees back to the 1980s and 1990s, when the Internet was a closed community of interests and hadn’t yet gained popularity. At the time, cyberattacks were few and far between, he said in his day one keynote.

“We were doing it because it was fascinating,” he said. “Nobody thought there was any money in it … and because there weren’t a lot of security incidents back then, we had time to investigate.” By the mid-1990s, he continued, nation-state attacks on Internet service providers started to appear, coming from the US and Russian military.

Over time, incidents continued to escalate with Russia attacking Estonia in 2007, for example, and the United States’ 2009 Stuxnet attack against Iran. Cyber offensive military personnel adopted the strategy of buying zero-days and getting their lawyers to say nothing would go wrong. Their idea was to focus on offensive strategies at the expense of ignoring defense.

“We see it play out over and over,” Woodcock explained: militaries thinking they’re the smartest people in the room, believing they’ll be able to use the attacks they purchased and nobody will ever put it on them. “But none of that works out the way they think,” he added.

Nation-state attacks escalated, often with players targeting private-sector trust in tech vendors and the relationship between businesses and consumers. In the 2010 Flame attack, the US government impersonated a Microsoft certificate to claim a fake Windows update was legitimate. China’s 2011 attack on RSA stole SecurID two-factor authentication tokens, he noted.

Woodcock pointed to the grave implications of cyberthreats in the physical world with the 2015-2016 power grid attacks targeting Ukraine’s critical infrastructure.

“It’s the kind of thing that causes lives to be lost, through accident or poor preparation,” he said. “As a modern society we’re not prepared to live without power for extended periods of time … saying cyber has no consequence – it’s a little late for that.”

The rapid growth of back-and-forth cyber events drove efforts to curtail attacks. In 1998, Russia proposed a treaty on cyber conflict, which made people skeptical because Russia had been the principal instigator for the problem, Woodcock pointed out. Between 2004 and 2017, there were five efforts to come up with a consensus about how cybercrime should be addressed. By 2017 it was recognized that nothing was working, and a handful of countries were to blame.

The problem, he explained, was there were three nations, maybe four or five with the additions of Israel and Iran, which value their ability to attack other parts of the Internet more highly than the safety and economic stability of the Internet in their home countries.

“The US, Russia, and China don’t want to agree to any treaty that will limit their ability to conduct offensive cyber operations … because they would do it anyway, and then look bad for violating the treaty they signed,” Woodcock said. It’s tough to get countries to agree to a treaty, he continued, because they have to turn it into local law, which will be different in each place.

Changing the Game in Cyber Warfare

A reflection on past cyber operation efforts is interesting but does little to help build effective strategies for future attacks, said The Grugq, vice president of threat intelligence at Comae. “You can’t expect that what worked last time is going to work the next time,” he explained.

In his keynote on day two of Black Hat, the Grugq dug into the realm of cyber warfare, breaking several misconceptions people often have about fighting in cyberspace – for example, the idea that cybercrime is about skill. He compared cyber warfare with air warfare, noting how planes were created with maneuverability so skilled pilots could beat less-skilled pilots.

That’s not the way you win, he said. The way you win is showing up with more adversaries and overwhelming the target. “It’s not about skill. That doesn’t actually matter,” he emphasized.

Fighting cybercrime is a team effort, said The Grugq, and teams should prioritize adaptability, agility, speed, creativity, and cohesion. It’s more effective to operate in small teams than in large “megateams.” Small teams provide a “range of capacity,” from elite workers to those who rely on simple offensive attacks like large-scale phishing campaigns.

“Adaptability is the ability to take a new technology and exploit it for cyber conflict,” he explained, pointing to the example of Facebook as a weapon. “The US has proven itself as very good at developing new technologies, but they have been fairly poor at adapting those technologies for offensive purposes.”

Agility is the ability to take your current situation and make it where you want to be. With respect to speed, the teams with fewer meetings will be the teams who get ahead. Creativity is the ability to create new attacks based on those that exist, and cohesion is the ability to collaborate. The Grugq framed these traits in the context of different nation-states.

The DPRK, for example, has low agility and adaptability; they typically use attacks used by others in the past. They’re cohesive because they all do what their leader wants but they fall short on creativity by reusing the same attacks and copying others’ attacks.

China is “complicated and changing,” he continued. It has loose cohesion for security and deniability reasons, with low adaptability, medium speed, and mixed creativity.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …

from Dark Reading – All Stories

New Survey Illustrates Real-World Difficulties in Cloud Security

Depending on traditional models makes cloud security more challenging for organizations, according to a Barracuda Networks report.

Cloud security is not as simple as picking up traditional network perimeter appliances and converting them into cloud services, a new study shows. But security may ultimately be better for the change.

Barracuda Networks surveyed 608 participants from organizations around the world. A majority (57%) say that their on-premises security is superior to cloud security, with the percentage answering that way growing in lock-step with the size of their organization.

That’s a problem for many organizations when they begin planning for security in the cloud. 83% say they have concerns about deploying traditional firewalls in the cloud, with 39% naming “pricing and licensing not appropriate for the cloud,” and 34% citing “lack of integration prevents cloud automation” as their primary concerns.

The report is based on a survey conducted by Dimensional Research on behalf of Barracuda.

Tim Jefferson, vice president of public cloud at Barracuda, says these organizations have reason to be concerned. “Companies that are trying to cut and paste into the public cloud are having trouble. Security has always been around the network and a lot of appliances are built around architectures centralized in the data center,” he says. “Firewalls tend to scale vertically and that’s an anti-pattern for the cloud, where best practice is to keep everything federated and elastic. The tools don’t fit.”

The bigger issue, Jefferson says, is that many of the tools that companies struggle to place into the cloud aren’t really needed for cloud security. “In a public cloud you don’t need a lot of those functions,” he says. “A next-generation firewall isn’t required in the cloud – you don’t have to match the user to the function and filter on that because a properly architected cloud application will do that for you.”

APIs Over Firewalls

Relying on the cloud applications – and to put a finer point on it, the cloud application APIs with their controls and logging capabilities – allows forward-thinking security professionals to have better security in the cloud than they have in their traditional data center architecture, Jefferson says. According to the report, 74% of respondents cite “Integration with cloud management, monitoring, and automation capabilities” as the most beneficial cloud-specific firewall capability.

Integration is key, but organizations are finding it difficult to fully integrate cloud security into their DevOps or DevSecOps, with 93% saying they have faced challenges integrating security into those practices. Jefferson is blunt when he talks about the changes needed for organizations to move past the current difficulties: “All the visibility that’s so difficult to instrument in the data center is built in with the public cloud. It’s all done by API and that can be instrumented to police and monitor security.”

He says it all depends on perspective. “It’s really the lens you look through,” he says. “The traditional enterprise architect has thought of visibility as the instrumentation to see into ports and packets.”

But the problem is that public cloud “can’t provide span ports and access to layer 2. So they see public cloud and say there’s no visibility,” he says.

The public cloud, however, provides a better management tool. The management plane of the cloud can allow a security professional to track every interface and every record – every query, every response. The hard part is that the security professionals must re-think the means to the end of infrastructure security.

Security Hurdles

There are two huge hurdles standing between organizations and security in the cloud. The first is a human component that lies between security professionals’ ears. “It makes the professional uncomfortable,” Jefferson says, referring to security using APIs. “They want the tools they’ve always used.”

The second hurdle may be higher because it involves money. Jefferson says that the traditional licensing model for firewalls and other network security appliances just doesn’t work in a cloud environment where best practice is to spin up many federated instances rather than a handful of highly vertical compute centers.

“Now that things are federated and people may want to deploy hundreds of firewalls, vendors can’t charge vast sums per license,” Jefferson says. If they do, they “end up deploying bad things because they feel they can’t afford the licenses.”

Ultimately, in order to move security to a point where companies feel that cloud security is on a par with or better than on-premises security, both the deployment model and the licensing structure must be based on what works best for the application – not just what the licenses force a company to do.

Following genuine best practices in the cloud provides better security for an organization than pure on-premises environments, he says.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

from Dark Reading – All Stories

The bug that made free money

What would you do if you found a bug that could create money out of thin air?

Dutch web application boffins VI Company found one in popular cryptocurrency exchange Coinbase and used it to net themselves a cool $10,000.

Luckily for Coinbase, the bug finders earned their cash by reporting the issue to the exchange’s bug bounty program rather than by milking its broken code.

The trouble started when VI Company came up with the festive wheeze of giving out ether (the currency used by the Ethereum platform and the world’s second most popular cryptocurrency) as Christmas presents.

…we had some wallets which returned an error when we tried sending Ethereum there. This, in turn, stopped the execution of the smart contract and reversed all transactions as we expected it to do.

… one of our colleagues, who decided to use Coinbase as his wallet, told us he received the Ethereum.

After a bit of testing the company confirmed that it wasn’t a one-off. Every time it attempted to add ether to Coinbase wallets then the money would arrive without ever being sent.

Lo and behold we could reliably reproduce this bug and add Ethereum to our Coinbase wallets without ever sending any.

Although little information about the bug itself has been disclosed, it seems that if the Ethereum-based smart contract hit a snag while it was running it would roll back any transactions it had run up to that point, a rollback Coinbase didn’t match.
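Little about the Coinbase side was disclosed, so the following is an added model, not Coinbase’s or VI Company’s code: a gift contract that reverts the whole call when any recipient rejects ether, beside a deposit watcher that credits on observed internal transfers without checking the receipt status, and a hardened watcher that credits only from successful, sufficiently confirmed transactions and only once per transaction hash. That the exchange credited on internal transfers is an assumption about the bug’s shape, and the addresses and amounts are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class InternalTransfer:
    """A value transfer observed while executing a contract call (an 'internal transaction')."""
    to: str
    amount: int  # wei


@dataclass
class Receipt:
    """What a node reports after executing a transaction. Execution traces still list
    the internal transfers that were attempted even when status == 0 (reverted)."""
    tx_hash: str
    status: int                               # 1 = succeeded, 0 = reverted
    internal_transfers: list = field(default_factory=list)


def run_batch_gift(tx_hash, payouts, accepts_ether):
    """Model of the gift contract: pay each recipient in turn; if any recipient's
    wallet rejects the transfer, the whole call reverts and no value moves at all."""
    transfers = []
    for to, amount in payouts:
        transfers.append(InternalTransfer(to, amount))
        if not accepts_ether.get(to, True):
            return Receipt(tx_hash, status=0, internal_transfers=transfers)
    return Receipt(tx_hash, status=1, internal_transfers=transfers)


class NaiveDepositWatcher:
    """Vulnerable shape (assumed): credit every internal transfer that lands on a
    customer deposit address, never looking at whether the enclosing tx succeeded."""
    def __init__(self, deposit_addrs):
        self.balances = {a: 0 for a in deposit_addrs}

    def process(self, receipt, confirmations):
        credited = 0
        for t in receipt.internal_transfers:
            if t.to in self.balances:
                self.balances[t.to] += t.amount
                credited += t.amount
        return credited


class CheckedDepositWatcher:
    """Hardened shape: credit only from a receipt with status 1, only once per
    transaction hash, and only once the block is deep enough to treat as final."""
    def __init__(self, deposit_addrs, required_confirmations=12):
        self.balances = {a: 0 for a in deposit_addrs}
        self.required = required_confirmations
        self.credited_txs = set()

    def process(self, receipt, confirmations):
        if receipt.status != 1:                 # reverted: the traced transfers never happened
            return 0
        if confirmations < self.required:       # not yet final; could be reorganised away
            return 0
        if receipt.tx_hash in self.credited_txs:  # idempotent: re-scanning a block must not double-credit
            return 0
        credited = 0
        for t in receipt.internal_transfers:
            if t.to in self.balances:
                self.balances[t.to] += t.amount
                credited += t.amount
        self.credited_txs.add(receipt.tx_hash)
        return credited


# Constructed scenario: one exchange-custodied deposit address and one wallet that rejects ether.
EXCHANGE_ADDR = "0xEXCHANGE_DEPOSIT_ADDR"   # placeholder, not a real address
REJECTING_ADDR = "0xREJECTING_WALLET"       # placeholder, not a real address
ONE_ETHER = 10**18


def demo():
    """Feed one reverted gift tx, one good tx, and a re-scan of the good tx to both watchers.
    Returns (naive_balance, checked_balance) for the exchange deposit address, in wei."""
    accepts = {EXCHANGE_ADDR: True, REJECTING_ADDR: False}
    reverted = run_batch_gift("0xtx1", [(EXCHANGE_ADDR, ONE_ETHER), (REJECTING_ADDR, ONE_ETHER)], accepts)
    good = run_batch_gift("0xtx2", [(EXCHANGE_ADDR, ONE_ETHER)], accepts)

    naive = NaiveDepositWatcher([EXCHANGE_ADDR])
    checked = CheckedDepositWatcher([EXCHANGE_ADDR])
    for watcher in (naive, checked):
        watcher.process(reverted, confirmations=20)
        watcher.process(good, confirmations=20)
        watcher.process(good, confirmations=21)   # same tx observed again on a re-scan
    return naive.balances[EXCHANGE_ADDR], checked.balances[EXCHANGE_ADDR]


if __name__ == "__main__":
    naive_bal, checked_bal = demo()
    print("naive watcher balance:  ", naive_bal / ONE_ETHER, "ETH (only 1 ETH ever arrived)")
    print("checked watcher balance:", checked_bal / ONE_ETHER, "ETH")
```

The naive watcher ends up 2 ETH over the truth: 1 ETH from the reverted gift and 1 ETH from re-counting the good transaction, both of which the receipt-status and tx-hash checks in the hardened watcher refuse.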

The Ethereum platform is a complex beast that’s hosted its fair share of bugs-with-consequences.

Ethereum’s highlight reel includes a buggy wallet that froze $300 million, a flaw that was itself introduced by a smart wallet update designed to plug a hole that had been abused to extricate another $32 million.

That happened around a year after another theft of about $55 million from Ethereum’s now infamous DAO (Decentralized Autonomous Organization) program.

The money-for-nothing bug found by VI Company didn’t exist in Ethereum or one of the buggy smart-thingamies that runs in it, though; this time the bug was in the Coinbase exchange.

Surprised? Probably not.

If there’s one thing that makes the hair-raising adventures of the Ethereum platform look unexciting, it’s the febrile exchange ecosystem that supports the trading of cryptocurrencies.

Cryptocurrency trading is run through with accusations of insider trading, scams and thieving owners, and it’s punctuated by colossal thefts of surprisingly valuable digital widgets you’ve never heard of. Thefts like Coincheck’s recent loss of half a billion dollars worth of, er, NEMs.

Thankfully, and not by accident, this bug was stomped on before anyone lost their shirt.

If cryptocurrency exchanges are going to improve their image, and the chance of users holding on to their cryptocash, then they have to take security seriously, and be seen to do so.

By running a HackerOne bug bounty program, Coinbase offers an incentive for people to find bugs and a clear, open channel through which it can learn about them and act.

In this case it moved to fix the flaw within a few short hours of learning about it.

from Naked Security – Sophos