Tag Archive for: Homeland

SolarWinds hackers accessed the emails of the former head of Homeland Security

Suspected Russian hackers gained access to email accounts belonging to the Trump administration’s head of the Department of Homeland Security and members of the department’s cybersecurity staff, whose jobs included hunting threats from foreign countries, it has emerged.

Chad Wolf, who served as acting Homeland Security Secretary, had his emails accessed, and a second Cabinet member – Dan Brouillette, the Energy Secretary – had his schedules compromised.

The intelligence value of the hacking of Wolf and his staff is not publicly known, the Associated Press reported, but the symbolism is stark.

Their accounts were accessed as part of what is known as the SolarWinds intrusion, and it throws into question how the U.S. government can protect individuals, companies and institutions across the country if it cannot protect itself.

Chad Wolf, former acting Homeland Security Secretary, was among those targeted in the hack

Wolf, pictured in July, has not commented on what the hackers had access to in his emails

‘The SolarWinds hack was a victory for our foreign adversaries, and a failure for DHS,’ said Senator Rob Portman of Ohio, the top Republican on the Senate’s Homeland Security and Governmental Affairs Committee.

‘We are talking about DHS’s crown jewels.’

The Biden administration has tried to keep a tight lid on the scope of the SolarWinds attack as it weighs retaliatory measures against Russia.

But an inquiry by the AP found new details about the breach at DHS and other agencies, including the Energy Department, where hackers accessed top officials’ schedules.

The vulnerabilities at Homeland Security, in particular, intensify the worries following the SolarWinds attack and an even more widespread hack affecting Microsoft Exchange’s email program, especially because in both cases the hackers were detected not by the government but by a private company.

In December, officials discovered what they describe as a sprawling, months-long cyberespionage effort done largely through a hack of a widely used software from Texas-based SolarWinds Inc.

The SolarWinds hack was uncovered in December and targeted at least nine federal agencies

At least nine federal agencies were…

Phishing Scheme Used to Download TrickBot Malware – Homeland Security Today

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spearphishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot.

TrickBot—first identified in 2016—is a Trojan developed and operated by a sophisticated group of cybercrime actors. Originally designed as a banking Trojan to steal financial data, TrickBot has evolved into highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities.

To secure against TrickBot, CISA and FBI recommend implementing the mitigation measures described in this Joint Cybersecurity Advisory, which include blocking suspicious Internet Protocol addresses, using antivirus software, and providing social engineering and phishing training to employees.

TrickBot is an advanced Trojan that malicious actors spread primarily by spearphishing campaigns using tailored emails that contain malicious attachments or links, which—if enabled—execute malware (Phishing: Spearphishing Attachment [T1566.001], Phishing: Spearphishing Link [T1566.002]). CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation, to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation. In clicking the photo, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically communicates with the malicious actor’s command and control (C2) server to download TrickBot to the victim’s system.

Attackers can use TrickBot to:

  • Drop other malware, such as Ryuk and Conti ransomware, or
  • Serve as an Emotet downloader.[1]

TrickBot uses person-in-the-browser attacks to steal information, such as login credentials (Man in the Browser [T1185]). Additionally, some of TrickBot’s modules spread the malware laterally…

Mayorkas Sets Out Steps to Elevate Cybersecurity – Homeland Security Today

Secretary Alejandro N. Mayorkas has today announced the many ways the Department of Homeland Security (DHS) will carry out President Biden’s vision to elevate cybersecurity across the government. DHS will lead efforts to mitigate risks to the United States, further strengthen its partnerships with the private sector, and expand its investment in the infrastructure and people required to defend against malicious cyber attacks as part of a whole-of-government effort.

“Cybersecurity is more important than ever, and we will build on the Department’s excellent work as we transform our whole-of-government approach to tackle the challenge we face as a nation,” said Secretary Mayorkas. “This week is just the beginning of a series of actions DHS will pursue nationally and internationally to improve cybersecurity at all levels.”

DHS plays a key role in protecting the American people from threats in cyberspace. The Department’s Cybersecurity and Infrastructure Security Agency (CISA) is charged with securing Federal civilian government networks and our nation’s critical infrastructure from physical and cyber threats. Congress, in the recent National Defense Authorization Act (NDAA), further empowered CISA to execute this mission, including by providing authorities for CISA to “hunt” for cyber threats in federal agency networks and to more effectively identify vulnerable technologies used by critical infrastructure sectors. Over the past months, CISA has honed its capabilities and furthered the Department’s effort to advance national cybersecurity by:

  • Leading the national effort to secure the 2020 election, including by sharing timely cybersecurity information with state and local election officials;
  • Driving urgent remediation of risks posed by the exploitation of commonly used network management software and providing incident response assistance to compromised entities;
  • Collaborating with government and private sector partners to disrupt and help protect against malicious activity perpetrated by North Korean actors against financial institutions, including the distribution of technical alerts to help network defenders protect against these threats;
  • Issuing a…

ISIS IT Group Warns of Vulnerability of Google Play Store Messaging App – Homeland Security Today

An ISIS-supporting cybersecurity group warned followers of the terror group that installing a Google Play app would leave them vulnerable to surveillance by intelligence agencies.

The alert was issued by the Electronic Horizons Foundation, which launched in January 2016 as an IT help desk of sorts to walk ISIS supporters through how to encrypt their communications and otherwise avoid detection online while coordinating with and recruiting jihadists.

EHF released a 24-page cybersecurity magazine for ISIS supporters last May that walks jihadists through step-by-step security for smartphones — while encouraging them to use a computer instead for more secure terror-related business — and warns of “nightmare” Microsoft Windows collecting user data from geolocation to browsing history.

The new EHF “important warning” distributed online told supporters that “spies of intelligence agencies are using a new method to track down supporters through Google Play Store.”

“One of the spies,” EHF said, uploaded a custom app that “collects identifiable information of android phones.”

“Then he targets and communicates with supporters by claiming that they have received a money transaction, and they need to install the application in order to receive it,” the alert continued. “Beware of installing or using suspicious apps promoted by unknown individuals, whether it’s an APK file or uploaded to app stores. Intelligence mercenaries are trying to use users’ trust in the app store in order to target supporters using malicious apps uploaded to the app store.”

The app named by EHF is advertised on Google Play as a highly secure messaging app with end-to-end encryption. Concerned about the security of their information on social media and Telegram messenger, EHF recently has been trying to steer ISIS followers toward using the Element messenger.

EHF last year urged followers to use alternate operating systems such as Qubes, Tails or Whonix. The ISIS cyber group has also highlighted “wrong security practices” including browsing the internet without Tor or VPN, downloading apps from third-party sources, failing to encrypt the device or storage devices, neglecting to…
