North Korea-associated Lazarus Group could begin a global phishing campaign as early as June 20th.
Security firm Cyfirma released analysis indicating that the Lazarus Group (associated with the activity Dragos tracks as COVELLITE) may launch a global phishing campaign as early as June 20. The campaign is expected to focus on countries that provided stimulus funding to offset the economic damage of COVID-19. While not explicitly named, NERC entities and their employees could be among those targeted and are assessed at moderate risk.
The actors are likely to impersonate government agencies tasked with disbursing financial aid and to target individuals and businesses likely to need assistance. Cyfirma has identified several email addresses created by the threat actors to mimic the legitimate addresses of government agencies. The Lazarus Group claims to hold 1.4 million curated email IDs for the US alone and plans to send spoofed emails offering fake direct payments to lure targets into providing personal data.
This is consistent with previous Lazarus Group activity, which has demonstrated both the capability to run phishing campaigns and an interest in stealing funds. The Lazarus Group is held responsible for the 2014 attack on Sony Pictures and for various Bitcoin heists. Beyond disrupting adversaries, using intelligence and cyber operations to raise funds has been a longstanding staple of North Korean policy for circumventing international sanctions, to the extent that a separate agency (known as Office 39) has operated for decades with that specific mission.
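As an added example (not part of the E-ISAC note or the Cyfirma analysis), the following Python script shows the kind of sender check a mail-gateway rule or phishing-triage script can apply to catch addresses that mimic aid-agency domains: it allowlists the real agency domains, then flags senders whose domain or display name is a near-miss of one (padded with extra labels, joined without the dot, or spelled with digit look-alikes). The allowlist, the confusable-character map, the edit-distance threshold and every sample From: header are constructed for the example; none are indicators from the report.

```python
"""Lookalike-sender triage for aid-agency impersonation (added example).

The allowlist, confusable map and all sample From: headers are constructed
for illustration; they are not indicators from the Cyfirma report.
"""
import re
from email.utils import parseaddr

# Domains this organisation legitimately receives aid-related mail from (constructed allowlist).
LEGIT_DOMAINS = ("irs.gov", "treasury.gov", "sba.gov")

# Digit/symbol-for-letter substitutions commonly seen in lookalike domains (assumed set).
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "$": "s"})


def _levenshtein(a, b):
    """Plain edit distance; short enough to inline rather than pull in a library."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _tokens(text):
    """Lower-case, map confusables, split on the separators phishers use to pad a name."""
    return [t for t in re.split(r"[.\-_\s]+", text.lower().translate(_CONFUSABLES)) if t]


def classify_sender(from_header):
    """Return 'legit', 'lookalike' or 'unrelated' for a raw From: header value."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unrelated"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    # Exact allowlisted domain or a subdomain of one: nothing to flag.
    if any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legit"
    domain_tokens = _tokens(domain)
    domain_squashed = "".join(domain_tokens)
    display_tokens = set(_tokens(display))
    for legit in LEGIT_DOMAINS:
        name = legit.split(".")[0]           # "irs"
        squashed = legit.replace(".", "")    # "irsgov"
        if name in display_tokens:           # agency name in the display name, foreign domain
            return "lookalike"
        if squashed in domain_tokens or _levenshtein(domain_squashed, squashed) <= 1:
            return "lookalike"               # treasurygov.com, irsg0v.com
        if any(len(t) >= 3 and _levenshtein(t, name) <= 1 for t in domain_tokens):
            return "lookalike"               # irs-gov-relief.com, 1rs.gov.us-payment.net
    return "unrelated"


# Constructed sample headers, not observed indicators.
SAMPLE_HEADERS = [
    "IRS <refunds@irs.gov>",
    "<noreply@mail.sba.gov>",
    "IRS Stimulus <payments@irs-gov-relief.com>",
    "<help@1rs.gov.us-payment.net>",
    "<team@treasurygov.com>",
    "IRS Payments <alerts@example.org>",
    "<newsletter@example.org>",
    "Relief Desk <relief@first-national-example.com>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):10} {header}")
```

The check is deliberately a heuristic: the edit-distance threshold of 1 on short agency names will produce some false positives, so the verdict should route mail to review or quarantine rather than drop it outright, and the allowlist must be maintained per organization.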
The E-ISAC will continue to monitor this situation and provide updates as necessary. If you have any questions or comments, please reach out to us at operations[@]eisac.com [mailto:operations[@]eisac.com] or at 202-790-6000.
Dragos, Inc. Covellite hXXps://www.dragos.com/resource/covellite/
MITRE Partnership Network. Group: Lazarus group, COVELLITE hXXps://collaborate.mitre.org/attackics/index.php/Group/G0008
John Walcott. Time. April 29, 2020. Cash, Yachts, and Cognac: Kim Yo-Jong’s Links to the Secretive Office Keeping North Korea’s Elites in Luxury hXXps://time.com/5829508/kim-yo-jong-money-office-39/
Matthew Carney. ABC News. January 05, 2018. Defector reveals secrets of North Korea’s Office 39, raising cash for Kim Jong-un hXXps://www.abc.net.au/news/2018-01-06/north-korea-defector-reveals-secrets-of-office-39/9302308
According to multiple sources, China is believed to be behind ongoing cyber attacks on Australian institutions, including hospitals and state-owned utilities. The attacks are targeting all levels of government as well as private businesses. Australian officials believe they are being targeted for banning Huawei and other companies from the country's 5G network, and for Australia's push for an international inquiry into the origin and spread of COVID-19.
While Australia determined last March that China was responsible for an attack on Australia's parliament, the attacks have intensified in recent weeks. On Friday, China's government rejected suggestions of a large-scale hacking campaign. Prime Minister Scott Morrison would not take the formal step of publicly naming the state actor he believes is behind the attacks, but senior sources confirmed China is believed responsible. The Prime Minister emphasized that the attacks "hadn't just started" and were ongoing.
The E-ISAC Watch Operations Team will continue to monitor and update the organization as information is received on this matter.
In May 2020, cybersecurity firm Kaspersky reported malware targeting suppliers to industrial organizations in the energy sector in Italy, the UK, and Germany.
Initial delivery is through a phishing email tailored to its target that carries a malicious Microsoft Office document. When the user interacts with the document, a script runs that downloads an image with the next stage hidden inside it. Hiding code in images (steganography) is a known technique precisely because it works: code embedded in an image is difficult for antivirus and intrusion detection systems to detect. The script extracts the hidden data from the image and runs it as a PowerShell script, which eventually leverages Mimikatz to steal Windows credentials.
Targeted malware of this kind can disclose legitimate network credentials to an adversary. Adversaries use such credentials to "live off the land" in the target's environment, in part because misuse of legitimate credentials is hard to distinguish from normal activity.
MITRE ATT&CK Mapping (based on the behavior described above):
- T1566.001 Phishing: Spearphishing Attachment
- T1059.001 Command and Scripting Interpreter: PowerShell
- T1027.003 Obfuscated Files or Information: Steganography
- T1003.001 OS Credential Dumping: LSASS Memory
What to Do:
A robust and ongoing cybersecurity awareness program that trains personnel to recognize and report phishing and suspicious emails can help stop malicious emails from reaching your environment. Additionally, evaluating and understanding the cybersecurity programs of trusted suppliers is important in maintaining a relationship built on mutual trust.
Kovacs, Eduard. SecurityWeek. May 28, 2020. Industrial Suppliers in Japan, Europe Targeted in Sophisticated Attacks. hXXps://www.securityweek.com/industrial-suppliers-japan-europe-targeted-sophisticated-attacks?&web_view=true
Goodin, Dan. Ars Technica. May 30, 2020. An advanced and unconventional hack is targeting industrial firms. hXXps://arstechnica.com/information-technology/2020/05/an-advanced-and-unconventional-hack-is-targeting-industrial-firms/
Kaspersky ICS CERT. May 28, 2020. Steganography in Targeted Attacks on Industrial Enterprises. hXXps://ics-cert.kaspersky.com/reports/2020/05/28/steganography-in-targeted-attacks-on-industrial-enterprises/
The Centers for Disease Control and Prevention (CDC) has made a connection between COVID-19 and Multi-System Inflammatory Syndrome in Children (MIS-C).
The U.S. Centers for Disease Control and Prevention (CDC) on Thursday released guidance that schools, businesses, and other organizations can use as states reopen from coronavirus shutdowns.
The CDC issued a health advisory to doctors across the country Thursday, advising them to watch for a troubling new syndrome that may be associated with COVID-19 infection.
The syndrome, called multisystem inflammatory syndrome in children (MIS-C), has been seen in children across Europe and in at least 18 states, plus Washington, D.C.
"In early May 2020, the New York City Department of Health and Mental Hygiene received reports of children with multisystem inflammatory syndrome," the CDC health advisory said. "There is limited information currently available about risk factors, pathogenesis, clinical course, and treatment for MIS-C," it said.
"CDC is requesting healthcare providers report suspected cases to public health authorities to better characterize this newly recognized condition in the pediatric population," the advisory said.
Traditional Media Sources
On April 3, 2020, Mozilla announced security updates patching two critical vulnerabilities, found in both Firefox and Firefox Extended Support Release (ESR) by security researchers with JMP Security.
Both vulnerabilities are race conditions that lead to a use-after-free. The first, CVE-2020-6819, is a race condition when running the nsDocShell destructor (under certain conditions). The second, CVE-2020-6820, is a race condition when handling a ReadableStream (under certain conditions).
According to the Department of Homeland Security Cybersecurity and Infrastructure Security Agency’s United States Computer Emergency Readiness Team (US-CERT) program, “an attacker could exploit these vulnerabilities to take control of an affected system.”
“Both bugs…allow remote attackers to execute arbitrary code or trigger crashes on machines running versions of Firefox prior to 74.0.1 and its business-friendly Firefox Extended Support Release 68.6.1,” ThreatPost reported.
Mozilla said it is aware of targeted attacks in the wild exploiting both vulnerabilities.
One of the researchers who discovered the vulnerabilities, Francisco Alonso, tweeted that “there is still lots of work to do and more details to be published (including other browsers). Stay tuned.”
It is highly recommended that all Firefox users download and apply the latest patches in order to protect themselves from exploitation of these critical vulnerabilities.
For additional information, please see the following sources:
Mozilla. Mozilla Foundation Security Advisory 2020-11. April 3, 2020. hXXps://www.mozilla.org/en-US/security/advisories/mfsa2020-11/
Mozilla. Firefox Update. April 3, 2020. hXXps://support.mozilla.org/en-US/kb/update-firefox-latest-release
DHS CISA US-CERT. Mozilla Patches Critical Vulnerabilities in Firefox, Firefox ESR. April 3, 2020. hXXps://www.us-cert.gov/ncas/current-activity/2020/04/03/mozilla-patches-critical-vulnerabilities-firefox-firefox-esr
Tom Spring. ThreatPost. April 4, 2020. Firefox Zero-Day Flaws Exploited in the Wild Get Patched. hXXps://threatpost.com/firefox-zero-day-flaws-exploited-in-the-wild-get-patched/154466/
The E-ISAC has not established any specific threat to the electricity community based upon these vulnerabilities. However, as the information above and in the linked sources indicates, the likelihood of adversarial action based upon these vulnerabilities is high. If this or any other adversarial action is experienced, contact the E-ISAC Watch Operations Team [mailto:operations[@]eisac.com], and create a Portal Post for instant community awareness.
The Federal Bureau of Investigation (FBI) has released an article [hXXps://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic] on defending against video-teleconferencing (VTC) hijacking (referred to as “Zoom-bombing” when the target is the Zoom VTC platform). Many organizations and individuals are increasingly dependent on VTC platforms, such as Zoom and Microsoft Teams, to stay connected during the Coronavirus Disease 2019 (COVID-19) pandemic. The FBI released this guidance in response to an increase in reports of VTC hijacking.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the FBI article as well as the following steps to improve VTC cybersecurity:
- Ensure meetings are private, either by requiring a password for entry or controlling guest access from a waiting room.
- Consider security requirements when selecting vendors. For example, if end-to-end encryption is necessary, does the vendor offer it?
- Ensure VTC software is up to date. See Understanding Patches and Software Updates [hXXps://www.us-cert.gov/ncas/tips/ST04-006].
CISA also recommends the following VTC cybersecurity resources:
- FBI Internet Crime Complaint Center (IC3) Alert: Cyber Actors Take Advantage of COVID-19 Pandemic to Exploit Increased Use of Virtual Environments [hXXps://www.ic3.gov/media/2020/200401.aspx]
- Zoom blog on recent cybersecurity measures [hXXps://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/]
- Microsoft Teams security guide [hXXps://docs.microsoft.com/en-us/microsoftteams/teams-security-guide]
Updated ESCC COVID-19 Resource Guide
This is an updated novel coronavirus (or COVID-19) Resource Guide for the electric power industry. This living document was developed under the direction of the Electricity Subsector Coordinating Council (ESCC), with participation from all segments of the industry and the natural gas sector. It provides information and options to consider when making localized decisions in response to the current global health emergency.
SANS WFH Deployment Kit
The spread of the global COVID-19 pandemic has led many organizations to adopt work-from-home policies. Shifting to an entirely remote workforce may be new for many businesses, which means they may lack the processes, policies, and technologies required for business continuity. To assist businesses in creating a secure remote workforce, SANS published a “Securely Working From Home Deployment Kit,” which can be found here [hXXps://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit?utm_medium=Email&utm_source=HL&utm_content=SANS+Resources+WFH+deployment+kit&utm_campaign=SANS+Resources].
On Friday, March 13, the President of the United States (POTUS) held a news conference regarding the global COVID-19 pandemic and declared a national emergency. The declaration will open up $60 billion to help fight the virus. Every state has been requested to set up Emergency Operations Centers, and every hospital in the United States is activating emergency preparedness plans to meet the needs of Americans everywhere. The declaration also gives officials at the Department of Health and Human Services the ability to waive laws to enable telehealth, so that remote doctor visits are feasible. The National Guard has said it will deploy up to 1,000 troops in six states by the end of the day (Friday). The Guard is also evaluating military bases across the country for use as “isolation housing” and for stocking medical supplies.
An announcement was made regarding a new partnership with the private sector to increase the capacity to test for COVID-19. 1.4 million tests are to be available next week and 5 million within a month. Pharmacies and retailers are planning to make drive thru tests available in critical locations so that individuals are able to get tested for the virus while remaining in their vehicles. Google is in the process of developing a website to determine whether or not a test is warranted and if so, to facilitate testing at a convenient location. Labs are to provide results within 24-36 hours after testing. On Sunday evening, the public will receive specific guidance on when the website will be operational.
The President also announced several emergency executive actions that have been implemented, such as waiving interest on all student loans held by federal government agencies. Based on the price of oil, the Secretary of Energy has also purchased large quantities of crude oil for storage in the U.S. Strategic Petroleum Reserve. These measures aim to save American taxpayers billions of dollars, support the oil industry, and help establish energy independence. When questioned about other targeted measures the Administration is taking, the President stated that a report on additional steps would be released in two hours.
When questioned about the President's photograph with an individual who tested positive for COVID-19, he stated that he has no symptoms. When asked how long the American people will have to remain in an emergency state, the President stated that it is impossible to predict the time element.
Microsoft issued a public advisory yesterday in light of the sudden shift to remote work by many companies in response to the global COVID-19 pandemic. The article highlights how to remain productive without increasing cybersecurity risk. Considerations include implementing official chat tools to provide a proper communication channel for the workforce, using Azure AD Conditional Access [hXXps://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview] to secure access to cloud applications, and using the Azure AD Application Proxy [hXXps://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-application-proxy] to publish on-premises applications for remote access.
With the increase in remote work, organizations will very likely also see an increase in personal devices accessing company data. Using Azure AD Conditional Access together with Microsoft Intune app protection policies [hXXps://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-protection-based-conditional-access] can help manage and protect corporate data in approved applications on these personal devices. One of the best ways to improve security for employees working from home is to require multi-factor authentication, using Windows Hello biometrics as well as smartphone authenticator apps such as Microsoft Authenticator.
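As an added example (not Microsoft's code and not a policy from the advisory), the following Python lint checks a Conditional Access policy body before it is submitted, encoding the points above as rules: a grant must actually require MFA, a compliant device, or an app-protection control; a tenant-wide policy must exclude the emergency-access accounts; a policy should run in report-only mode before it is enforced; and a policy aimed at personal iOS/Android devices should require an Intune app-protection control rather than MFA alone. Field names follow the Microsoft Graph conditionalAccessPolicy resource (displayName, state, conditions.users/applications/platforms/clientAppTypes, grantControls.builtInControls); the policy bodies, the break-glass object ID and the rule set itself are constructed assumptions, and nothing is sent to Graph.

```python
"""Lint for Azure AD Conditional Access policy bodies (added example, not
Microsoft's code). Policies, object IDs and rules are constructed; the field
names follow the Microsoft Graph conditionalAccessPolicy resource.
"""

# Constructed object ID standing in for the tenant's emergency-access ("break glass") account.
BREAK_GLASS_ACCOUNTS = {"11111111-2222-3333-4444-555555555555"}

APP_PROTECTION = {"approvedApplication", "compliantApplication"}  # Intune app-protection based controls
STRONG_CONTROLS = {"mfa", "compliantDevice", "domainJoinedDevice"} | APP_PROTECTION
MOBILE_PLATFORMS = {"iOS", "android"}


def lint_policy(policy, reviewed=False, break_glass=BREAK_GLASS_ACCOUNTS):
    """Return a list of findings; an empty list means the policy is safe to submit.

    reviewed=True asserts the policy already ran in report-only mode and its
    sign-in log impact was checked; that is the only time state 'enabled' is accepted.
    """
    findings = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    platforms = set(cond.get("platforms", {}).get("includePlatforms", []))

    if "block" not in controls and not controls & STRONG_CONTROLS:
        findings.append("grant: no MFA, compliant-device or app-protection control required")
    if users.get("includeUsers") == ["All"] and not break_glass <= set(users.get("excludeUsers", [])):
        findings.append("users: tenant-wide policy does not exclude the emergency-access accounts")
    if policy.get("state") == "enabled" and not reviewed:
        findings.append("state: enforced without a report-only pass; start with enabledForReportingButNotEnforced")
    if platforms & MOBILE_PLATFORMS and not controls & APP_PROTECTION:
        findings.append("platforms: mobile policy relies on MFA alone; add an app-protection control for personal devices")
    return findings


# The "just turn it on" version: MFA for everyone, enforced immediately, no exclusions (constructed).
WEAK_POLICY = {
    "displayName": "Remote work - require MFA",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Same intent, staged: report-only first and break-glass accounts excluded (constructed).
HARDENED_MFA = {
    "displayName": "Remote work - require MFA (report-only pilot)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": sorted(BREAK_GLASS_ACCOUNTS)},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Personal phones with MFA only: data still lands in any app the user likes (constructed).
WEAK_BYOD = {
    "displayName": "Personal mobile devices - MFA",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": sorted(BREAK_GLASS_ACCOUNTS)},
        "applications": {"includeApplications": ["All"]},
        "platforms": {"includePlatforms": ["iOS", "android"]},
        "clientAppTypes": ["mobileAppsAndDesktopClients"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Personal phones must use an app under an Intune app-protection policy, or be compliant devices.
HARDENED_BYOD = dict(WEAK_BYOD, displayName="Personal mobile devices - app protection required",
                     grantControls={"operator": "OR",
                                    "builtInControls": ["compliantApplication", "compliantDevice"]})

if __name__ == "__main__":
    for name, pol in [("WEAK_POLICY", WEAK_POLICY), ("HARDENED_MFA", HARDENED_MFA),
                      ("WEAK_BYOD", WEAK_BYOD), ("HARDENED_BYOD", HARDENED_BYOD)]:
        print(name, lint_policy(pol) or "ok")
```

Running the lint in the pipeline that submits policies (for example before the POST to the Graph conditionalAccess/policies endpoint) turns the rollout advice into a gate: a policy flips from report-only to enabled only after someone passes reviewed=True, and the break-glass exclusion cannot be forgotten in the rush to get a remote workforce online.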
For the full report by Microsoft, please visit: hXXps://www.microsoft.com/security/blog/2020/03/12/support-working-from-home-securely/