Kaspersky Software Ordered Removed From US Gov’t Computers

Anti-Malware, Cybersecurity, Technology

DHS: Russian-Owned Company Poses Risk to Federal IT

Kaspersky Lab CEO Eugene Kaspersky

The Trump administration is ordering U.S. federal executive branch agencies to remove anti-virus software from Russian-owned Kaspersky Lab from their computers within 90 days.


The Department of Homeland Security, in a statement issued Wednesday, says Kaspersky security products pose a risk to federal information systems because they provide broad access to files and elevated privileges on the computers where they’re installed that could be exploited by malicious cyber actors to compromise those IT systems.

“The department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” the DHS statement says. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”

The company’s founder, Eugene Kaspersky, has worked for the Russian military and was educated at a KGB-sponsored technical college.

Kaspersky Lab, in a statement posted on its website, says the company does not have inappropriate ties with any government and is disappointed with the decision to ban its products from U.S. government computers. “No credible evidence has been presented publicly by anyone or any organization as the accusations are based on false allegations and inaccurate assumptions, including claims about the impact of Russian regulations and policies on the company,” the company statement says. “Kaspersky Lab has always acknowledged that it provides appropriate products and services to governments around the world to protect those organizations from cyberthreats, but it does not have unethical ties or affiliations with any government, including Russia.”

‘Guilty Until Proven Innocent’

A Russian law that requires telecom companies and internet service providers to cooperate with the Kremlin does not apply to Kaspersky, the company contends. “Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues,” the company statement says.

The binding operational directive, issued by Acting Homeland Security Secretary Elaine Duke, calls on U.S. federal departments and agencies to identify Kaspersky products on their computers within the next 30 days. The directive gives the agencies 60 days to develop a plan to remove the software.

DHS says it’s providing an opportunity for Kaspersky to submit a written response addressing the department’s concerns or to mitigate those concerns. “The department wants to ensure that the company has a full opportunity to inform the acting secretary of any evidence, materials or data that may be relevant,” the statement says.

Kaspersky says it will take up DHS’s offer. “The company looks forward to working with DHS, as Kaspersky Lab ardently believes a deeper examination of the company will substantiate that these allegations are without merit,” the company statement says.

Arrests for Aadhaar-Related Fraud Raise Concerns

Breach Response, Data Breach, Fraud

Security Experts Again Question Whether ID System Is Reliable


The arrest of 10 men in Uttar Pradesh for allegedly cloning fingerprints of authorized Aadhaar enrollment officers is once again stirring debate over whether it’s wise for India to rely so heavily on Aadhaar for authentication.


The news comes in the wake of earlier reports of Aadhaar data leaks.

“The current incident is a problem at the enrollment end where fake Aadhaar identity may be created,” says Na. Vijayashankar, a cyber law expert. “There are even greater problems at the usage end, where existing Aadhaar users may face identity theft.”

Vijayashankar says the widespread use of Aadhaar poses significant risks. And a growing number of security experts say the government should find a replacement for Aadhaar as an ID and slowly migrate to a more secure digital ID system.

“But it is doubtful if the government is aware of what is to be done,” Vijayashankar says. “I guess we need to live with it, since the government doesn’t have a proper appreciation of the risk and hence no proper remedial action is being taken.”

Meanwhile, the latest Aadhaar-related incident has prompted the Unique Identification Authority of India, which administers Aadhaar, to ask states to ensure that all enrollments, even those by private agencies, shift to government or municipal premises from external sites by this month.

Cloning Technique Described

The investigation of the latest Aadhaar incident has revealed that fingerprints of authorized authorities were cloned using gelatin gel, laser and silicon, police say.

The arrests were made on the basis of a complaint filed by the Unique Identification Authority of India on August 16 this year. According to news reports, the UIDAI claimed that the attempt to generate fake Aadhaar cards was foiled by the UIDAI system.

To enroll a user for Aadhaar, an authorized enrollment operator has to access the UIDAI system using his fingerprints and a scan of his retina.

In the incident that led to the arrests, the gang acquired images of the fingerprints of Aadhaar enrollment operators and printed these scanned images on butter-papers. Thereafter, they placed these prints on a sheet of light-sensitive resin, which was then exposed to ultraviolet rays, according to news reports.

The cloned fingerprints obtained at the end of this process looked like an office rubber stamp that can be pressed down on a biometric reader. About 46 such fingerprint stamps were confiscated, police officials say.

The gang also apparently found a way to subvert the second step of authentication – the retina scan. Police are on the lookout for the software developer who allegedly helped the gang bypass the retina-scan requirement, a person closely associated with the case tells Information Security Media Group. The gang used fingerprint stamps and technical know-how to allow multiple logins and enrollments using the stolen credentials, the source says.

Other Fraud Incidents

Police officials say similar cases in other parts of the country came to UIDAI’s notice a few months ago. In fact, that is when UIDAI introduced the second step of authentication – the iris scan.

Despite this additional authentication step, issuance of fake Aadhaar numbers continued. “This is when they approached us and we started the investigation once they lodged a formal police complaint,” Triveni Singh, Uttar Pradesh’s additional superintendent of police, tells ISMG. “They provided us two or three Aadhaar numbers they suspected to be fake and we started our investigation from there.”

Singh claims that the members of the gang learned the tricks of fingerprint cloning from YouTube. “They did some tampering with the secure code and hence it wasn’t asking for iris scan. How they did this is not known yet,” he says.

Authorities do not yet know whether the cloned Aadhaar numbers were used for any criminal activities.

Hoping for a Crackdown

Security practitioners are hoping for a quick crackdown against Aadhaar-related fraud. But that may prove difficult, given limited resources.

“There might be several such cases across the country. It’s easy to say we want culprits behind the bars,” says a police officer involved in the case who asked not to be identified. “Given the shortage of skilled cyber forensic experts or cops that have sound knowledge in this field, the task is cut out for us.”

The shortage of experts has resulted in a huge pileup of cases, says a forensics expert associated with the government, who asked to remain anonymous. “Most cases take a year to reach us,” he says.

There are only seven Central Forensic Science Laboratories in India, and every court accepts forensic reports only from CFSL. “Imagine the number of cases that are pending only because CFSL is yet to file a report. There just aren’t enough experts in the country,” the forensics expert says. The severity of the situation can be gauged by the fact that the expert is currently working on a case that came to the lab 17 months ago.

“Today every crime in India has digital evidence. There are a handful of government-accredited forensic labs in the country and most labs don’t have experts,” the forensics expert says.

Finding professionals with the right skills could prove challenging, given that all sectors are grappling with building cybersecurity capacity.

Most professionals don’t see an immediate solution to this problem. According to Nasscom, a trade association of IT firms, India adds 40,000 cybersecurity professionals annually, whereas the demand is about 500,000 annually.

Some security practitioners recommend that the government design a framework to induct forensics experts and cybersecurity professionals into the police and government departments.

Equifax’s Colossal Error: Not Patching Apache Struts Flaw

Breach Notification, Data Breach, Data Loss

Confirmed: Hackers Behind Mega-Breach Exploited Struts Flaw; Patch Was Available


Equifax made an error that led to one of the largest and most sensitive data breaches of all time, and the mistake was elementary: The credit bureau failed to patch a vulnerability in Apache Struts – a web application development framework – in a timely manner.


The company updated its breach notification on Wednesday, confirming security watchers’ speculations that Struts was involved in the breach, which had been based both on Equifax’s infrastructure as well as the timing of vulnerabilities in – and patches for – Struts that have come to light this year (see Is Unpatched Apache Struts Flaw to Blame for Equifax Hack?).

To understand the full scope of the attack and breach, Equifax retained a digital forensics investigation firm – reported by ZDNet to be FireEye’s Mandiant unit – and the investigation remains ongoing.

“We continue to work with law enforcement as part of our criminal investigation and have shared indicators of compromise,” the company says in a statement on its website.

Update from Equifax issued September 13.

While the attack vector is known, Equifax has yet to discuss who may have hacked it. Of course, it may never know.

But Equifax says the unidentified hackers had access to the personal details of 143 million U.S. consumers, as well as an unspecified number of British and Canadian consumers. Names, addresses, Social Security numbers and in some cases, driver’s license numbers, are at risk. The breach also exposed credit card numbers for 209,000 U.S. consumers and credit dispute documentation for 182,000 people (see Equifax: Breach Exposed Data of 143 Million US Consumers).

Patch Was Available

Equifax’s disclosure is likely to increase the pressure now facing the company, which faces Congressional hearings, probes by at least 40 states and dozens of class-action lawsuits (see Equifax Faces Mounting Anger, $70 Billion Lawsuit).

The Federal Trade Commission, which previously refused to comment on whether or not it has launched an investigation of any particular organization, now tells Information Security Media Group that it has made an exception in Equifax’s case. “The FTC typically does not comment on ongoing investigations,” says Peter Kaplan, the FTC’s acting director of public affairs. “However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach.”

Security experts say that prompt patching of enterprise applications is a must-do practice, given the ease with which attackers can find and automatically exploit known flaws. Equifax has yet to explain why it delayed patching such critical software.

The exploited vulnerability, CVE-2017-5638, became public on March 6, when Apache released an updated version of Struts that fixed the flaw. Within a day, security analysts saw attacks against websites that were designed to exploit the flaw.

Equifax, meanwhile, says its breach began in mid-May but wasn’t discovered until July 29.

Apache Struts 2, which uses Java Enterprise Edition, is widely used by many organizations, including airlines, car rental companies, e-commerce sites, social networks and government agencies.

Remote Exploitation

The now-patched Struts flaw is among the most dangerous types of vulnerabilities because it allows hackers to remotely exploit the application and access the information that it stores. Given the severity of the flaw, the information security community had warned all users of the open source Apache Struts project software about the danger and severity posed by CVE-2017-5638 and urged them to upgrade to a patched version immediately.

Kevin Beaumont, a U.K.-based security researcher, writes on Wednesday that he repeatedly tweeted about the flaw when it was disclosed, warning of its severity.

“It doesn’t get more serious – with a single web request, people can remotely run code on the web server and access files, potentially (and probably) bypassing all security controls,” Beaumont writes in a blog post.

Just a few days after the flaw was disclosed, other researchers began spotting websites vulnerable to the same Struts flaw. Beaumont writes that the website Xss.cx, which tracks security issues, found that the one-stop credit report website, annualcreditreport.com, was vulnerable.

The website lets consumers obtain a credit report once a year for free from the big three providers – Experian, Equifax and TransUnion. The website was created in 2003 to comply with new federal credit report disclosure rules.

Three days after Xss.cx published its report publicly, annualcreditreport.com – managed by Montreal-based consultancy CGI Group – still hadn’t been fixed. Xss.cx showed how the flaw could be used to steal usernames and passwords for the site.

Beaumont blamed antiquated systems in desperate need of an overhaul – or replacement – for the problems. “The system is old,” he writes. “These servers are the gateways to consumer credit report services, which plug into the databases of the big three providers.”

Patch Faster

After rumors began circulating that a Struts exploit may have enabled the Equifax breach, the Struts Project Management Committee, which oversees the project, quickly responded.

“We are sorry to hear news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework,” wrote René Gielen, vice president of Apache Struts, in a statement issued Saturday.

The Struts team “puts enormous efforts in securing and hardening the software we produce and fixing problems whenever they come to our attention,” he writes.

But he stressed that users of any type of software – open source or not – must track which versions of frameworks or software libraries they are using in live systems and respond quickly and carefully to all security announcements. His recommendations have obvious relevance to Equifax’s failure to fix a flaw for more than two months after a patch was released, despite the flaw being actively exploited via in-the-wild attacks.

“Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries need to be updated for security reasons,” Gielen writes. “Best is to think in terms of hours or a few days, not weeks or months. Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.”
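Gielen’s first recommendation, knowing which framework versions are running in live systems and comparing them against what a security announcement requires, is the part of the process that can be automated. The following is an added example, not Equifax’s or the Struts project’s code: it reads a Maven `pom.xml` (a constructed sample, embedded inline), resolves the property placeholders Maven allows in version fields, and flags any dependency whose running version is below the first fixed release of its maintenance branch. The advisory table `DEMO_ADVISORY` holds constructed demo values, not the real fixed versions for CVE-2017-5638; a practitioner would fill it in from the announcement being tracked.

```python
"""Dependency version tracking for a Java web application.

Added illustration (not from the article, Equifax or Apache Struts). SAMPLE_POM
is a constructed manifest and DEMO_ADVISORY holds constructed version numbers;
replace both with your real POM and the versions named in the advisory."""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample: a Struts 2 dependency whose version comes from a property,
# which is how many real POMs declare framework versions.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <struts.version>2.3.20</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>1.3.3</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory table for the demo (NOT the real CVE-2017-5638 versions):
# coordinate -> {maintenance branch: first fixed version in that branch}.
DEMO_ADVISORY = {
    "org.apache.struts:struts2-core": {"2.3": "2.3.25", "2.5": "2.5.3"},
}


def parse_version(text):
    """'2.3.20' -> (2, 3, 20) so tuples compare numerically; (2, 5, 10) < (2, 5, 10, 1).
    Returns None for anything non-numeric (e.g. '-SNAPSHOT'), which must be reviewed by hand."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None


def resolve_property(value, props):
    """Expand ${name} placeholders using the POM's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def list_dependencies(pom_xml):
    """Return {'groupId:artifactId': resolved version} for every declared dependency."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    deps = {}
    for d in root.findall("m:dependencies/m:dependency", NS):
        gid = d.findtext("m:groupId", default="", namespaces=NS).strip()
        aid = d.findtext("m:artifactId", default="", namespaces=NS).strip()
        ver = d.findtext("m:version", default="", namespaces=NS).strip()
        deps[f"{gid}:{aid}"] = resolve_property(ver, props)
    return deps


def find_outdated(deps, advisory):
    """Return {coordinate: (running, required)} for each dependency whose running
    version is below the first fixed release of its branch, or whose version
    string could not be parsed and therefore needs a manual look."""
    findings = {}
    for coord, running in deps.items():
        branches = advisory.get(coord)
        if not branches:
            continue
        rv = parse_version(running)
        if rv is None:
            findings[coord] = (running, "unparseable version; review manually")
            continue
        for branch, fixed in branches.items():
            # Match on the maintenance line ('2.3.' so that '2.30.x' is not confused with '2.3').
            if running.startswith(branch + ".") and rv < parse_version(fixed):
                findings[coord] = (running, fixed)
    return findings


def check_sample():
    return find_outdated(list_dependencies(SAMPLE_POM), DEMO_ADVISORY)


if __name__ == "__main__":
    for coord, (running, required) in check_sample().items():
        print(f"{coord}: running {running}, advisory requires at least {required}")
```

Running this against a checked-out build is only half of the process the Struts team describes: the inventory must come from what is actually deployed (the jars in the running container), and a finding should feed a fix release measured in hours or days rather than sit in a report.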

Report: North Korea Seeks Bitcoins to Bypass Sanctions

JP Morgan Chief Slams Bitcoin as Fit Only for Drug Dealers, Murderers, Regimes

North Korean leader Kim Jong-un, pictured earlier this month. (Photo: KCNA)

The government of North Korea has been turning to bitcoin exchange heists and cryptocurrency mining to evade sanctions and fund the regime, security experts say.


Observers have reported that recent cryptocurrency heists appear to tie to the Pyongyang-based government of North Korea, officially known as the Democratic People’s Republic of Korea, which is led by Kim Jong-un.

“Since May 2017, we have observed North Korean actors target at least three South Korean cryptocurrency exchanges with the suspected intent of stealing funds,” Luke McNamara, a threat researcher at cybersecurity firm FireEye, says in a blog post.

“The spear-phishing we have observed in these cases often targets personal email accounts of employees at digital currency exchanges, frequently using tax-themed lures and deploying malware – Peachpit and similar variants – linked to North Korean actors suspected to be responsible for intrusions into global banks in 2016,” he adds.

Peachpit is a backdoor used to give attackers persistent access to a system. FireEye has previously reported that Peachpit has appeared in a limited number of attacks, which suggests that rather than being sold on underground sites, whichever attack group that developed the tool uses it exclusively. And the malware has been previously seen in attacks tied to North Korea.

The cryptocurrency-targeting attack assessment by FireEye’s McNamara mirrors a report, released in August, that said at least one or two South Korean digital currency exchanges had been targeted by North Korea. Simon Choi, an official at South Korea’s Cyber Warfare Intelligence Center, told Radio Free Asia – a non-profit Eastern Asian news agency – that the attacks used phishing emails to fool victims into executing a type of malware that had been seen in previous attacks tied to North Korea.

It was “not only one or two exchanges where attack attempts have been made,” Choi told RFA. “Startups that use blockchain, financial technology sector companies as well as others may have [also] been the target.”

North Korean Heists

If Pyongyang is attempting to steal bitcoins, it wouldn’t be the first time the regime has tried to bolster its coffers via illegal means. Indeed, DPRK watchers say the country continues to seek new ways to bolster its GDP and fund the regime, following years of sanctions by numerous countries as well as the EU and United Nations.

Current UN sanctions, for example, prohibit member states from selling coal, minerals, aviation fuel, jet fuel or rocket fuel to the DPRK. In addition, the sanctions require many DPRK individuals’ and organizations’ offshore holdings to be frozen and prohibit UN members from doing any banking business or maintaining any banking subsidiaries in the country. And this month, the UN Security Council agreed on new sanctions following DPRK’s Sept. 3 nuclear test, including banning textile exports – worth on average $760 million per year over the past three years – as well as capping the amount of crude oil the country is allowed to import.

North Korea has already been tied to attacks against banks and attempts to subvert the SWIFT interbank messaging system, including the attempted theft of $1 billion in February 2016 from the central bank of Bangladesh (see Report: DOJ Sees Bangladesh Heist Tie to North Korea).

Following increased sanctions on the nation, furthermore, threat intelligence firm Cybereason has warned that the regime will likely authorize a greater number of online heist attempts and potentially also wreak a bit of havoc.

“Banking, financial institutions and currency exchanges are likely to see a steady increase in malicious and sophisticated intrusion attempts,” Cybereason said in a recent report. “They will likely be focused on institutions in South Korea, the United States and Japan (to add a little political flavor to the currency generation). However, we could see the uptick also happen in countries where network security is largely weak – parts of South and Southeast Asia, the Baltics and potentially even parts of Africa.”

Bitcoin ‘Is a Fraud’

North Korea isn’t the only government that has been paying more attention to cryptocurrencies as a potential source of revenue, especially as the value of a bitcoin earlier this month hit an all-time high of $5,000.

“As bitcoin and other cryptocurrencies have increased in value in the last year, nation-states are beginning to take notice,” FireEye’s McNamara says. “Recently, an adviser to President Putin in Russia announced plans to raise funds to increase Russia’s share of bitcoin mining, and senators in Australia’s parliament have proposed developing their own national cryptocurrency.”

[Chart: Bitcoin (USD) price] A bitcoin’s dollar value, shown from Sept. 14, 2016, to Sept. 14, 2017. (Source: Coindesk)

But not everyone is bullish on bitcoin.

Speaking this week at a banking conference in New York, Jamie Dimon, chairman, CEO and president of financial services giant JP Morgan Chase, said that while he sees potential for blockchains, bitcoin “is a fraud.”

“The currency isn’t going to work,” Dimon said, according to news reports. “You can’t have a business where people can invent a currency out of thin air and think that people who are buying it are really smart.”

He suggested that the only users who might see upsides from bitcoin were the likes of drug dealers, murderers and pariah regimes. “If you were in Venezuela or Ecuador or North Korea or a bunch of parts like that, or if you were a drug dealer, a murderer, stuff like that, you are better off doing it in bitcoin than U.S. dollars,” he said. “So there may be a market for that, but it’d be a limited market.”

Bitcoins are not the only cryptocurrency to be embraced by potential criminal elements. Blockchain analysis firm Chainalysis, for example, estimates that criminals have amassed $225 million by stealing Ethereum cryptocurrency (see SEC Chairman Seeks More Cyber Risk Disclosure).

Pyongyang Mines for Bitcoin

DPRK does not appear to be trying to obtain bitcoins only through outright theft. In July, threat intelligence research firms Recorded Future and Team Cymru issued a report noting that they saw bitcoin mining commence for the first time on North Korean systems beginning in May.

“Before that day, there had been virtually no activity to bitcoin-related sites or nodes, or utilizing bitcoin-specific ports or protocols,” according to their report. “Beginning on May 17, that activity increased exponentially, from nothing to hundreds per day.”

Bitcoin mining involves solving computationally intensive mathematical tasks, which are used to build the bitcoin blockchain – a public ledger of transactions. As an incentive, anyone who provides such mining has a chance of getting bitcoins back as a reward.
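The “computationally intensive mathematical task” is a proof of work: a miner searches for a nonce that makes the hash of the block fall below a target, and every other node can check a claimed solution with a single hash. The toy below is an added example, not the article’s or any project’s code, and it is a simplification: real bitcoin hashes an 80-byte block header with double SHA-256 against a 256-bit target derived from the network difficulty, whereas here the block is a constructed string and the difficulty is a small number of leading zero bits so that it runs in seconds. It also shows why the processing power that cryptojacking gangs and, per the report, the DPRK are after matters: the expected work doubles with every additional bit of difficulty.

```python
"""Toy proof-of-work mining and verification.

Added illustration, not from the article or any project. SAMPLE_BLOCK is a
constructed block; the 'difficulty' is a count of leading zero bits rather
than bitcoin's compact target encoding."""
import hashlib
import time

# Constructed block contents: previous block hash plus a transaction summary.
SAMPLE_BLOCK = "prev=0000abcd;txs=alice->bob:1.5,carol->dave:0.2"


def pow_hash(block: str, nonce: int) -> bytes:
    """Double SHA-256 over the block contents plus the nonce (the shape bitcoin uses)."""
    data = f"{block};nonce={nonce}".encode()
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_for(difficulty_bits: int) -> int:
    """A hash, read as a 256-bit big-endian integer, is valid if it is below this value.
    Each extra bit halves the target and doubles the expected number of hashes."""
    return 1 << (256 - difficulty_bits)


def verify(block: str, nonce: int, difficulty_bits: int) -> bool:
    """Checking a solution costs one hash: cheap for every node, expensive only to find."""
    return int.from_bytes(pow_hash(block, nonce), "big") < target_for(difficulty_bits)


def mine(block: str, difficulty_bits: int, max_nonce: int = 1 << 32) -> int:
    """Brute-force the smallest nonce whose hash meets the target.
    Expected work is about 2**difficulty_bits hashes; there is no shortcut."""
    target = target_for(difficulty_bits)
    for nonce in range(max_nonce):
        if int.from_bytes(pow_hash(block, nonce), "big") < target:
            return nonce
    # Real miners change the block contents (timestamp, transaction set) and keep going.
    raise RuntimeError("no solution in nonce range; change the block contents and retry")


def expected_hashes(difficulty_bits: int) -> int:
    """Average number of hashes a miner must compute at this difficulty."""
    return 2 ** difficulty_bits


if __name__ == "__main__":
    for bits in (8, 12, 16):
        start = time.perf_counter()
        nonce = mine(SAMPLE_BLOCK, bits)
        elapsed = time.perf_counter() - start
        print(f"{bits:2d} bits: nonce={nonce:7d} in {elapsed:.3f}s "
              f"(expected ~{expected_hashes(bits)} hashes), "
              f"hash={pow_hash(SAMPLE_BLOCK, nonce).hex()[:12]}..., "
              f"verify={verify(SAMPLE_BLOCK, nonce, bits)}")
```

The time column grows roughly sixteenfold between each line, which is the whole economic point: the reward goes to whoever can afford the most hashing, so stolen CPU time on a victim’s machine, or a state’s own hardware, converts directly into a share of the reward.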

The timing of North Korea’s foray into bitcoin mining is notable, in that it came just days after the May 12 WannaCry outbreak.

Many security firms, and reportedly also British intelligence agency GCHQ, ascribed the WannaCry outbreak to the Lazarus group, a cyberattack team that has been tied to DPRK (see British Security Services Tie North Korea to WannaCry).

Due to apparent coding errors in the WannaCry ransomware, the malware defaulted to directing victims to pay a ransom using one of three preset bitcoin addresses. As a result, it would likely have been easy for intelligence and law enforcement agencies to track any attempts to cash out those bitcoins.

The report from Recorded Future and Team Cymru suggests that by May 17, the North Korean government would have realized that attempting to cash out bitcoins obtained via WannaCry ransom payments was too risky. “Actors within the government would have realized that moving the bitcoin from the three WannaCry ransom accounts would be easy to track and ill-advised if they wished to retain deniability for the attack,” according to the report.

Any cryptocurrency mining being done in the DPRK is likely under direct government control. “It is not clear who is running the North Korean bitcoin mining operations; however, given the relatively small number of computers in North Korea coupled with the limited IP space, it is not likely this computationally intensive activity is occurring outside of state control,” according to the report.

While bitcoins are anonymizing, they are not anonymous. In 2014, for example, researchers reported being able to de-anonymize bitcoin traders 11 percent to 60 percent of the time, by correlating a bitcoin user’s pseudonym – which serves as a public key – with the IP address from which they trade bitcoins (see Tougher to Use Bitcoin for Crime?).

No doubt by now intelligence and law enforcement agencies are even better at correlating data and de-anonymizing cryptocurrency transactions. But just how effective they might be remains a closely guarded secret.

Surge in Bitcoin Mining

Bitcoin mining, however, allows an organization to use processing power to generate fresh cryptocurrency. And attacks aimed at giving cryptocurrency-mining criminal gangs access to victims’ processing power are on the rise, according to security firm Kaspersky Lab.

“The actual process of cryptocurrency mining is perfectly legal, though there are groups of people who hoodwink unwitting users into installing mining software on their computers, or exploiting software vulnerabilities to do so,” Kaspersky Lab researchers Evgeny Lopatin and Vladas Bulavas write in a recent blog post. “This results in threat actors receiving cryptocurrency, while their victims’ computer systems experience a dramatic slowdown.”

The researchers say that in just the past month, they’ve found “several large botnets designed to profit from concealed crypto mining,” as well as an increase in attacks that aim to sneak mining software onto servers.

The researchers do not ascribe these botnets to any particular individual, group or nation-state.

Number of Kaspersky Lab product users who encountered malicious cryptocurrency miner attacks, from 2011 through the first half of 2017.

But Recorded Future and Team Cymru say that after North Korea began mining bitcoins, they also saw a spike in the country’s research – and potential reconnaissance – against multiple “foreign laboratories and research centers,” especially in India and the Philippines.

Compromising systems run by those organizations could give attackers access to massive amounts of processing power to further any cryptocurrency mining efforts.