Tag: Detect | SpinSafe

Tag Archive for: Detect

23andMe Failed to Detect Account Intrusions for Months

January 27, 2024/in Computer Security

Police took a digital rendering of a suspect’s face, generated using DNA evidence, and ran it through a facial recognition system in a troubling incident reported for the first time by WIRED this week. The tactic came to light in a trove of hacked police records published by the transparency collective Distributed Denial of Secrets. Meanwhile, information about United States intelligence agencies purchasing Americans’ phone location data and internet metadata without a warrant was revealed this week only after US senator Ron Wyden blocked the appointment of a new NSA director until the information was made public. And a California teen who allegedly used the handle Torswats to carry out hundreds of swatting attacks across the US is being extradited to Florida to face felony charges.

The infamous spyware developer NSO Group, creator of the Pegasus spyware, has been quietly planning a comeback, which involves investing millions of dollars lobbying in Washington while exploiting the Israel-Hamas war to stoke global security fears and position its products as a necessity. Breaches of Microsoft and Hewlett-Packard Enterprise, disclosed in recent days, have pushed the espionage operations of the well-known Russia-backed hacking group Midnight Blizzard back into the spotlight. And Amazon-owned Ring said this week that it is shutting down a feature of its controversial Neighbors app that gave law enforcement a free pass to request footage from users without a warrant.

WIRED had a deep dive this week into the Israel-linked hacking group known as Predatory Sparrow and its notably aggressive offensive cyberattacks, particularly against Iranian targets, which have included crippling thousands of gas stations and setting a steel mill on fire. With so much going on, we’ve got the perfect quick weekend project for iOS users who want to feel more digitally secure: Make sure you’ve upgraded your iPhone to iOS 17.3 and then turn on Apple’s new Stolen Device Protection feature, which could block thieves from taking over your accounts.

And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out…

Source…

What is a Botnet and How to Detect if I’m Affected

January 6, 2024/in Internet Security

In today’s interconnected digital landscape, the term “botnet” has become increasingly prevalent, sparking concerns about cybersecurity and individual online safety. This blog post aims to demystify the concept of botnets, shedding light on what they are, how they operate, and most importantly, how you can detect if you unknowingly find yourself entangled in one.

What is a Botnet?

At its core, a botnet is a network of compromised computers, or “bots,” that are under the control of a single entity, typically a cybercriminal. These bots can be any device connected to the internet, from personal computers to IoT devices.

How Botnets Operate

Botnets operate silently in the background, often without the user’s knowledge. Once a device is compromised, it becomes part of a larger network controlled by a central server, known as the “command and control” server. The cybercriminal orchestrating the botnet can then remotely command these compromised devices to perform various malicious activities.

Signs You Might be Part of a Botnet

A. Unusual Network Activity:

One of the key indicators of botnet involvement is unusual network activity on your device. This can include a significant increase in data usage, irregular patterns in internet traffic, or unexpected network slowdowns. Monitoring your network activity can help identify potential botnet activity.

B. Unexplained Resource Consumption:

Botnets often consume a significant amount of a device’s resources, leading to slower performance. If you notice a sudden decline in your device’s speed, increased CPU usage, or unexplained system crashes, it might be a sign that your device is part of a botnet.

C. Unexpected Pop-ups and Ads:

Botnets are frequently used to generate revenue for cybercriminals. If you start experiencing an influx of pop-ups, ads, or redirects while browsing, it could be an indication that your device is part of a botnet engaged in ad fraud or click fraud activities.

How to Detect if You’re Part of a Botnet

A. Use Antivirus and Anti-malware Software:

Regularly update and run reputable antivirus and anti-malware software on your device. These programs can detect and remove malicious software, reducing…

Source…

Wray defends FISA, says law used to ‘detect and thwart’ Chinese hacking of US critical infrastructure

July 21, 2023/in Internet Security

The FBI was able to “detect and thwart” Chinese hackers attempting to access U.S. critical infrastructure, as well as malign threats from other adversaries, under Section 702 of the Foreign Intelligence Surveillance Act, FBI Director Christopher Wray said Friday in a letter to Congress defending the law.

Fox News Digital obtained letters Wray sent to House Speaker Kevin McCarthy, R-Calif., and Senate Majority Leader Chuck Schumer, D-N.Y., on Friday highlighting the positives of the surveillance tool amid significant reforms the bureau has made under his leadership.

The letters come on the same day the FISA Court released its 2023 opinion, which said a U.S. senator and a state senator were queried under FISA Section 702 in June 2022, and a state judge was queried in October 2022 — demonstrating a “failure” to follow FBI policy.

The opinion, though, said “the FBI has been doing a better job in applying the querying standard,” and said its compliance rate with that standard is more than 98%, after the implementation of reforms.

FISA COURT OPINION REVEALS A US SENATOR, STATE SENATOR, STATE JUDGE GOT SWEPT UP IN 702 QUERIES

FBI Director Christopher Wray speaks during a news conference in Omaha, Nebraska, on Aug. 10, 2022. (AP Photo/Charlie Neibergall)

Wray’s letters highlighted the successes the bureau has had in combating threats, using the tool of Section 702, which will sunset on Dec. 31 and requires congressional reauthorization.

“Section 702’s critical importance to our national security has only grown with the evolution of technology and threats. Without Section 702 we would be unable to plug a critical intelligence gap — one that foreign threat actors regularly exploit as they traverse computer networks and electronic service providers to conduct cyberattacks, espionage campaigns, or coordinate with likeminded terrorists,” Wray wrote.

Wray called Section 702 “invaluable” to the FBI’s ability to “know what our foreign adversaries are doing and how they are doing it — intelligence without which we could not protect Americans or the homeland.”

Section 702 of Foreign Intelligence Surveillance Act (FISA) allows the government to conduct targeted surveillance of non-U.S. citizens…

Source…

Enhanced Monitoring to Detect APT Activity Targeting Outlook Online

July 13, 2023/in Alerts

SUMMARY

In June 2023, a Federal Civilian Executive Branch (FCEB) agency identified suspicious activity in their Microsoft 365 (M365) cloud environment. The agency reported the activity to Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA), and Microsoft determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data.

CISA and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory to provide guidance to critical infrastructure organizations on enhancing monitoring of Microsoft Exchange Online environments. Organizations can enhance their cyber posture and position themselves to detect similar malicious activity by implementing logging recommendations in this advisory. Organizations that identify suspicious, anomalous activity should contact Microsoft for proceeding with mitigation actions due to the cloud-based infrastructure affected, as well as report to CISA and the FBI.

Download the PDF version of this report:

TECHNICAL DETAILS

In Mid-June 2023, an FCEB agency observed MailItemsAccessed events with an unexpected ClientAppID and AppID in M365 Audit Logs. The MailItemsAccessed event is generated when licensed users access items in Exchange Online mailboxes using any connectivity protocol from any client. The FCEB agency deemed this activity suspicious because the observed AppId did not normally access mailbox items in their environment. The agency reported the activity to Microsoft and CISA.

Microsoft determined that APT actors accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts. The APT actors used a Microsoft account (MSA) consumer key to forge tokens to impersonate consumer and enterprise users. Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse.[1]

The affected FCEB agency identified suspicious activity by leveraging enhanced logging—specifically of MailItemsAccessed events—and an established baseline of normal Outlook activity (e.g., expected AppID). The MailItemsAccessed event enables detection of otherwise difficult to detect adversarial activity.

CISA and FBI are not aware of other audit logs or events that would have detected this activity. Critical infrastructure organizations are strongly urged to implement the logging recommendations in this advisory to enhance their cybersecurity posture and position themselves to detect similar malicious activity.

LOGGING

CISA and the FBI strongly encourage critical infrastructure organizations to ensure audit logging is enabled. Note: Per CISA’s Microsoft Exchange Online Microsoft 365 Minimum Viable Secure Configuration Baselines, FCEB agencies shall enable audit logging. These minimum viable secure configuration baselines are part of CISA’s Secure Cloud Business Applications (SCuBA) Project, which provides guidance for FCEB agencies securing their cloud business application environments and protecting federal information created, accessed, shared, and stored in those environments. Although tailored to FCEB agencies, the project provides security guidance applicable to all organizations with cloud environments. The Office of Management and Budget (OMB) M-21-31 requires Microsoft audit logs be retained for at least twelve months in active storage and an additional eighteen months in cold storage. This can be accomplished either by offloading the logs out of the cloud environment or natively through Microsoft by creating an audit log retention policy.

In addition to enabling audit logging, CISA and FBI strongly encourage organizations to:

Enable Purview Audit (Premium) logging. This logging requires licensing at the G5/E5 level. See Microsoft’s guidance on Assigning Microsoft 365 Licenses to Users for additional information.
Ensure logs are searchable by operators. The relevant logs need to be accessible to operational teams in a platform (e.g., security operations center [SOC] tooling) that enables hunting for this activity and distinguishing it from expected behavior within the environment.
Enable Microsoft 365 Unified Audit Logging (UAL). UAL should be enabled by default, but organizations are encouraged to validate these settings.
Understand your organization’s cloud baseline. Organizations are encouraged to look for outliers and become familiar with baseline patterns to better understand abnormal versus normal traffic.

GENERAL CLOUD MITIGATIONS

All mitigation actions for this activity are the responsibility of Microsoft due to the cloud-based infrastructure affected; however, CISA and the FBI recommend that critical infrastructure organizations implement the following to harden their cloud environments. Although, these mitigations will not prevent this or related activity where actors leverage compromised consumer keys, they will reduce the impact of less sophisticated malicious activity targeting cloud environments. Note: These mitigations align with CISA’s SCuBA Technical Reference Architecture (TRA), which describes essential components of security services and capabilities to secure and harden cloud business applications, including the platforms hosting the applications.

Apply CISA’s recommended baseline security configurations for Microsoft Defender for Office 365, Azure Active Directory, Exchange Online, OneDrive for Business, Power BI, Power Platform, SharePoint Online, and Teams [SCuBA TRA Section 6.6].
Separate administrator accounts from user accounts according to the National Institute of Standards and Technology’s (NIST’s) guidance, AC-5: Separation of Duties. Only allow designated administrator accounts to be used for administration purposes. If an individual user requires administrative rights over their workstation, use a separate account without administrative access to other hosts.
Collect and store access and security logs for secure cloud access (SCA) solutions, endpoint solutions, cloud applications/platforms and security services, such as firewalls, data loss prevention systems, and intrusion detection systems [SCuBA TRA Section 6.8.1].
Use a telemetry hosting solution (e.g., SIEM solution) that aggregates logs and telemetry data to facilitate internal organization monitoring, auditing, alerting, and threat detection activities [SCuBA TRA Section 6.8.1].
Review contractual relationships with all Cloud Service Providers (CSPs) and ensure contracts include:
- Security controls the customer deems appropriate.
- Appropriate monitoring and logging of provider-managed customer systems.
- Appropriate monitoring of the service provider’s presence, activities, and connections to the customer network.
- Notification of confirmed or suspected activity.

REPORTING SUSPICIOUS ACTIVITY

Organizations are encouraged to report suspicious activity to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870). The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or IC3.gov.

RESOURCES

REFERENCES

[1] Microsoft Security Response Center (MSRC) blog: Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email

ACKNOWLEDGEMENTS

Microsoft contributed to this CSA.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. The FBI, and CISA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI and CISA.

Source…