Today’s edition of the LookingGlass Cyber Monitor features hacktivist activity against airport websites, unpatched Microsoft zero days, the interagency’s take on cybersecurity surrounding elections, Treasury seeks feedback on a possible cyber insurance backstop program, the DIB under persistent long-term attack, the challenges of regulating social media in democratic countries, the US-UK data sharing pact, CISA releases another BOD, Chinese cyber ranges, and gaps between the US and China’s national vulnerability databases.
Major Hacks & Campaigns
Killnet claimed responsibility for cyber attacks on US airport websites, and called on other groups to launch similar attacks against American critical infrastructure, including marine terminals and logistics facilities, weather monitoring centers, and healthcare systems. On Monday, October 10, Killnet disrupted the websites of multiple US airports in a series of distributed-denial-of-service (DDoS) attacks. Up to fifteen airports were affected, including Los Angeles International, Chicago O’Hare, Hartsfield-Jackson Atlanta International, and Indianapolis International. These DDoS attacks did not appear to impact any airport operations. In a post, Killnet urged other pro-Russian groups to launch DDoS attacks against domains belonging to US civilian infrastructure. The post was shared by other Russian-speaking cyber collectives to include Anonymous | Russia, Phoenix, and We Are Clowns. Killnet just last week also claimed credit for DDoS attacks on government websites in multiple US states, and in July they claimed credit for a DDoS attack on the US Congress.
Analyst Comment: LookingGlass closely monitors hacktivist activity surrounding the war in Ukraine. KillNet and other pro-Russian hacktivists have lately increased their level of activity, but they often exaggerate the effects of their attacks. While LookingGlass analysts observed that some US airport websites have experienced downtime caused by the DDoS attacks that KillNet claimed responsibility for, these effects were short-term and did not appear to disrupt airport operations. This is typical for KillNet attacks. DDoS is a common technique utilized by hacktivists because it does not require a high level of technical skill and knowledge but provides a high level of visibility and can have psychological effects on the general public.
Vietnamese cyber firm GTSC reported two zero day vulnerabilities affecting Microsoft Exchange Server software, that were exploited in the wild and remain unpatched. Microsoft did not release security updates for both actively exploited vulnerabilities on this week’s Patch Tuesday, according to a Microsoft bulletin. The vulnerabilities were disclosed to Microsoft in late September and were expected to be fixed by this week. The company did provide mitigations in a separate blog post. Many have criticized the company for being responsible for many critical, widespread vulnerabilities in recent years. Just last week, Crowdstrike CEO George Kurtz said that Microsoft should place a higher priority on “creating secure software.” Further, CISA recently published a report that listed the top twenty CVEs exploited by China, of which Microsoft was responsible for four – or 20%. Microsoft vulnerabilities have been the target of several CISA Emergency Directives, which require all federal agencies to take immediate action upon discovery of a critical vulnerability that presents national security threats.
CISA and FBI released a joint public service announcement to address malicious cyber activity against election infrastructure, saying it is unlikely to disrupt or prevent voting. To date, both agencies lack any reporting to indicate that cyber activity has ever prevented a registered voter from casting a ballot, compromised the integrity of ballots cast, or affected the accuracy of voter registration information. Any attempts tracked by FBI and CISA have remained localized and were blocked or successfully mitigated with minimal or no disruption to election processes. However, election systems that house voter registration information or manage non-voting election processes continue to be a target of interest for malicious threat actors. And cyber actors may also seek to spread or amplify false or exaggerated claims of cybersecurity compromises to election infrastructure. In the report, the agencies also provide a list of recommendations and resources with hyperlinks to report suspicious activity.
Analyst Comment: Voter machine manipulation and tampering has firmly been in the eyes of the computer security research and hacking communities since the 90’s and specifically since Dr Michael Shamos famously made his DRE Tampering Challenge in 1996. Many security conferences have tracks dedicated to voter machine research and exploitation, however “vote manipulation” has many layers and facets to it. Although as easy to hack as many other devices, the machines themselves are often on separate networks that are further segregated from the public internet and, as such, access to them for remote exploitation is not so easily obtained. There are other physical countermeasures employed that make direct exploitation of voter machines difficult to accomplish as well however as many systems move toward app-based voting this may become far easier to accomplish.
In a joint report, CISA, NSA, and FBI warned of custom infiltration tools being used against the defense industrial base. The report details TTPs that likely multiple APTs recently used to steal sensitive information from a major defense contractor. The report uncovers IOCs discovered at a single, unnamed major defense company. The agencies assess the actors had persistent, long-term access as early as January 2021. The actor initially gained access to the organization’s Microsoft Exchange Server, but the initial access vector remains unknown. During incident response, CISA discovered that the actors used Impacket, an open source Python toolkit, to move laterally across systems and installed China Chopper webshells to act as backdoors. Though the attackers successfully compromised the DIB network and stole sensitive data using a custom exfiltration tool called CovalentStealer, the techniques did not appear elaborate and could pose a potential risk to other enterprises.
Back to the top
The US Department of Treasury is seeking comment on how to structure a cyber insurance program. In a request for information published on September 29, the department said it is looking for views on the existential risks to the marketplace and policy measures that could help address such risks. Policy measures include the creation of a backstop program for cyber insurance risk akin to the Terrorism Risk Insurance Program, which was created after 9/11 to allow Wall Street to continue offering coverage for terrorism risk. The creation of a blacktop program would entail the Treasury taking risk off insurance companies’ balance sheets to support the market. It could also give the federal government greater access to insurers’ claims data including for ransomware attacks.The volume of cyber premieres written by insurance companies increased by 75% YoY to $4.8B in 2021. In a June report the agency also noted that the number of reported claims in the US cyber market had increased to nearly 26,000 during 2021, up from 22,000 in the prior year, and 6,000 in 2016. A 2020 DHS study estimates that the US could suffer between $2.8B and $1T in losses from one severe cyber incident. Treasury’s RFI comes on the heels of a high profile, potential cyber attack against the UK-based Lloyd’s of London on October 5, which the firm concluded on Tuesday did not result in any data compromise. The firm was vocal about its support for sanctions against Russia over the Ukraine conflict, which likely raised its concern over the incident.
Last week, the US and UK signed a data-sharing pact – authorized by the Clarifying Lawful Overseas Use of Data (CLOUD) Act in the US – five years after it was proposed. The CLOUD Act is designed to help law enforcement combat serious crimes in both countries. Under the agreement, authorities in one country can request data from ISPs in the other country, as long as it’s related to preventing, detecting, investigating, and prosecuting serious crimes including terrorism, transnational organized crime, and child exploitation. US officials cannot submit data requests targeting people in the UK and vice versa – presumably the requests can either be used to assist domestic investigations into foreign nationals. Authorities also need to adhere to certain requirements, limitations, and conditions when they access and use data. Privacy advocates have blasted the CLOUD Act initiative in recent years, warning that it could create a dangerous precedent for other countries who may want to access information stores outside their own borders, including data stored in the US. The US is looking to forge pacts with other countries under the CLOUD Act. It signed a deal with Australia last December and entered negotiations with Canada earlier this year.
The Cybersecurity and Infrastructure Security Agency (CISA) released Binding Operational Directive (BOD) 23-01 last week to improve asset visibility and vulnerability detection on federal networks. A BOD is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems (i.e. does not apply to the DoD or the IC). BOD 23-01 focuses on 1) asset discovery, or identifying what IP-assets reside on an agency’s networks and detecting their associated IP addresses and 2) vulnerability enumeration, or detecting and reporting vulnerabilities on those assets such as outdated software or missing updates. Automated asset discovery must be performed every 7 days. Vulnerability enumeration must be initiated every 14 days. All vulnerability detection signatures used must be updated no longer than 24 hours from the last vendor-released signature update. Vulnerability enumeration must also be performed on mobile devices. And Agencies must initiate automated ingestion of vulnerability enumeration results within 72 hours of discovery. While larger agencies may not be able to complete vulnerability assessments within 14 days, CISA said it expects those agencies to perform rolling assessments. Critics of the BOD say it places too much emphasis on vulnerability management as the be-all end-all for asset management, and that will create gaps in the visibility of assets. And, most organizations have multiple sources they must tap to get an accurate list of assets. This may create a new need for a streamlined tool that deduplicates findings to build a comprehensive and accurate asset inventory.
Back to the top
Trends & Research
Georgetown’s Center for Strategic and Emerging Technologies (CSET) published a report illuminating China’s cybersecurity ranges, which indicates a concerted effort on part of the government in partnership with industry and academia. China is rapidly building cyber ranges that allow cybersecurity teams to test new tools, practice attack and defense, and evaluate the cybersecurity of a particular product or service. 19 of China’s 34 provinces are building or have built such facilities. Their purposes span from academic to national defense. According to CSET, the presence of these facilities demonstrates a concerted effort to advance technological research and upskill its cybersecurity workforce – more evidence that China has entered near-peer status with the US in the cyber domain. As these facilities mature, network defenders who find themselves in the crosshairs of China’s hacking teams may be subject to attacks that have been rehearsed, tested, and sometimes practices on replicas of their own networks. Key findings from the report include:
- China’s cyber ranges facilitate joint exercises between the People’s Liberation Army (PLA) and civilians, one of which aims to duplicate a similar NATO exercise. These exercises demonstrate China’s implementation of military-civil fusion in the cyber domain.
- Some cyber ranges allow hackers to practice attacking and defending critical infrastructure systems. These ranges could allow rehearsals and testing of these types of attacks in the future.
- Peng Cheng Lab in southern China is using a supercomputer to research AI applications to cybersecurity.
Analyst Comment: There are many cyber security competitions across the US and globally. Some competitions start as early as the middle school level and continue up through the ranks of cybersecurity professionals. Although governments might not sponsor these cyber competitions and ranges, they reflect a worldwide notion for promoting a robust network and ecosystem of cybersecurity education, training, workforce development, and national defense. China has a history of competing against the West in cyberspace and is known for its military-civil fusion strategies in many fields.
The US is “drastically behind” China in recording software vulnerabilities in its National Vulnerability Database (NVD), and is missing key vulnerability reports that were included in China’s database. This gap could put US private and public sector organizations at risk of attack, according to a Sophos research investigation. Unlike the US, China’s vulnerability reporting landscape is complex. China operates two overlapping vulnerability databases: CNNVD and the CNVD. The former is run by the Ministry of State Security (MSS) and the latter is nominally run by a non-profit that does not have direct ties to the state (though that is always debatable in China). The two different databases have differences in their naming conventions and infrastructure, which gives China some obfuscation. China has been criticized for years over its handling of CNNVD, as it has been caught altering publicly available data about vulnerabilities it listed in the CNNVD on hundreds of occasions. Essentially, China has a history of hoarding vulnerabilities. The bigger issue may be, however, that the US government is not keeping abreast of reports coming out of foreign countries that run their own vulnerability databases to include China, Russia, Japan, and Germany. The US NVD, with more than 184,000 CVEs is more than 12,000 CVEs short of China’s CNNVD, with just over 196,000 total, according to Sophos’ count.
Analyst Comment: Although CNNVD has a larger volume of vulnerabilities than the NVD, merely comparing the vulnerability entries numerically is an incomplete comparison and could result in a misleading perception that the CNNVD might be more comprehensive. The US NVD and CNNVD employ different approaches when indexing Common Vulnerabilities and Exposures (CVEs) and have distinctive driving forces. Researchers in China are required by law to report vulnerabilities to the Ministry of Industry and Information Technology (MIIT) within two days; threat researchers in the US are incentivized to first submit their findings to software developers to work out patches. CNNVD may focus more on domestic products, while threat researchers in the US are likely to report vulnerabilities that have a wider range of effects on products. LGC analysts have observed a lag between CNNVD vulnerability submission and publication dates ranging from days to months. The delay may allow threat actors and APT groups to continue carrying out attacks. Additionally, some vulnerabilities published by CNNVD might not have patches available, possibly allowing the exploitation to spread in the wild and causing potential security supply chain issues.