APT Groups Target Healthcare and Essential Services


This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC).

CISA and NCSC continue to see indications that advanced persistent threat (APT) groups are exploiting the Coronavirus Disease 2019 (COVID-19) pandemic as part of their cyber operations.

This joint alert highlights ongoing activity by APT groups against organizations involved in both national and international COVID-19 responses. It describes some of the methods these actors are using to target organizations and provides mitigation advice.

The joint CISA-NCSC Alert AA20-099A, COVID-19 Exploited by Malicious Cyber Actors (April 8, 2020), previously detailed the exploitation of the COVID-19 pandemic by cybercriminals and APT groups.

This joint CISA-NCSC Alert provides an update to ongoing malicious cyber activity relating to COVID-19.

For a graphical summary of CISA’s joint COVID-19 Alerts with NCSC, see the following guide.

COVID-19-related targeting

APT actors are actively targeting organizations involved in both national and international COVID-19 responses. These organizations include healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments.

APT actors frequently target organizations in order to collect bulk personal information, intellectual property, and intelligence that align with national priorities.

The pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For example, actors may seek to obtain intelligence on national and international healthcare policy, or acquire sensitive data on COVID-19-related research.

Targeting of pharmaceutical and research organizations

CISA and NCSC are currently investigating a number of incidents in which threat actors are targeting pharmaceutical companies, medical research organizations, and universities. APT groups frequently target such organizations in order to steal sensitive research data and intellectual property for commercial and state benefit.

Organizations involved in COVID-19-related research are attractive targets for APT actors looking to obtain information for their domestic research efforts into COVID-19-related medicine.

These organizations’ global reach and international supply chains increase exposure to malicious cyber actors. Actors view supply chains as a weak link that they can exploit to obtain access to better-protected targets.

Many supply chain elements have also been affected by the shift to remote working and the new vulnerabilities that have resulted.

Recently CISA and NCSC have seen APT actors scanning the external websites of targeted companies and looking for vulnerabilities in unpatched software. Actors are known to take advantage of Citrix vulnerability CVE-2019-19781[1],[2] and vulnerabilities in virtual private network (VPN) products from Pulse Secure, Fortinet, and Palo Alto.[3],[4]

COVID-19-related password spraying activity

CISA and NCSC are actively investigating large-scale password spraying campaigns conducted by APT groups. These actors are using this type of attack to target healthcare entities in a number of countries—including the United Kingdom and the United States—as well as international healthcare organizations.

Previously, APT groups have used password spraying to target a range of organizations and companies across sectors—including government, emergency services, law enforcement, academia and research organizations, financial institutions, and telecommunications and retail companies.

Technical Details

Password spraying is a commonly used style of brute force attack in which the attacker tries a single, commonly used password against many accounts before moving on to a second password, and so on. Because each account sees only one or two attempts per password, the activity stays below account-lockout thresholds and is less likely to be noticed than a conventional brute force attack against one account. These attacks succeed because, in any large set of users, some will have chosen common passwords.

Malicious cyber actors, including APT groups, collate names from various online sources that provide organizational details and use this information to identify possible accounts for targeted institutions. The actors will then “spray” the identified accounts with lists of commonly used passwords.

Once the malicious cyber actor compromises a single account, they will use it to access other accounts where the credentials are reused. Additionally, the actor could attempt to move laterally across the network to steal additional data and implement further attacks against other accounts within the network.

In previous incidents investigated by CISA and NCSC, malicious cyber actors used password spraying to compromise email accounts in an organization and then, in turn, used these accounts to download the victim organization’s Global Address List (GAL).

The actors then used the GAL to password spray further accounts.
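The per-account restraint described above is also what gives spraying away in logs: one source produces a small number of failures against a large number of distinct accounts in a short window, whereas brute force produces many failures against one account. The following detector, added here as an illustration and not part of the CISA/NCSC alert, runs that logic over a few constructed authentication log lines. The key=value log layout, the IP addresses and usernames, and the thresholds (five accounts in thirty minutes, at most two failures per account) are assumptions for the example; adapt the regular expression and thresholds to your own authentication source.

```python
"""Flag password-spraying sources in an authentication log.

Spraying inverts brute force: one password tried across many accounts,
so each account sees only one or two failures (staying under lockout
thresholds) while a single source touches many distinct accounts in a
short window. That per-source, many-accounts, few-attempts-each shape
is what this detector looks for.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines, not from any real incident. The key=value
# layout is a hypothetical format; adapt LINE_RE to your own auth source.
# 203.0.113.5 sprays six accounts (one attempt each) and lands on "frank";
# 198.51.100.9 hammers one account (classic brute force, not a spray);
# 192.0.2.77 is a user who mistyped once.
SAMPLE_LOG = """\
2020-05-04T08:00:01Z result=fail src=203.0.113.5 user=alice
2020-05-04T08:00:03Z result=fail src=203.0.113.5 user=bob
2020-05-04T08:00:05Z result=fail src=203.0.113.5 user=carol
2020-05-04T08:00:07Z result=fail src=203.0.113.5 user=dave
2020-05-04T08:00:09Z result=fail src=203.0.113.5 user=erin
2020-05-04T08:00:11Z result=success src=203.0.113.5 user=frank
2020-05-04T08:00:13Z result=fail src=203.0.113.5 user=grace
2020-05-04T08:05:00Z result=fail src=198.51.100.9 user=alice
2020-05-04T08:05:01Z result=fail src=198.51.100.9 user=alice
2020-05-04T08:05:02Z result=fail src=198.51.100.9 user=alice
2020-05-04T08:05:03Z result=fail src=198.51.100.9 user=alice
2020-05-04T08:05:04Z result=fail src=198.51.100.9 user=alice
2020-05-04T08:05:05Z result=fail src=198.51.100.9 user=alice
2020-05-04T09:30:00Z result=fail src=192.0.2.77 user=heidi
2020-05-04T09:30:20Z result=success src=192.0.2.77 user=heidi
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) result=(?P<result>\w+) src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, result, src, user) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the run
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["result"], m["src"], m["user"]


def find_spraying(events, window=timedelta(minutes=30), min_accounts=5,
                  max_per_account=2):
    """Return {src: summary} for sources whose failures look like a spray.

    Thresholds are assumptions for this example: a source is flagged when,
    inside `window`, its failures hit at least `min_accounts` distinct
    users and no single user fails more than `max_per_account` times.
    The low per-account count is what separates a spray from brute force.
    """
    by_src = defaultdict(list)
    for ts, result, src, user in events:
        by_src[src].append((ts, result, user))

    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [(ts, user) for ts, result, user in evs if result == "fail"]
        flagged = []  # (window start, window end, distinct accounts)
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans <= `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                flagged.append((fails[start][0], fails[end][0], len(per_user)))
        if flagged:
            # A success from the same source during or shortly after the
            # spray is the single compromised account the alert warns
            # about; surface it so responders can act on it first.
            lo, hi = flagged[0][0], flagged[-1][1] + window
            hits = sorted(user for ts, result, user in evs
                          if result == "success" and lo <= ts <= hi)
            alerts[src] = {"accounts_targeted": max(n for _, _, n in flagged),
                           "compromised": hits}
    return alerts


if __name__ == "__main__":
    for src, summary in find_spraying(parse_log(SAMPLE_LOG)).items():
        print(src, summary)
```

Run against the sample, only 203.0.113.5 is reported, with six accounts targeted and "frank" as the account whose password was guessed; the single-account hammering from 198.51.100.9 is left for a conventional brute force rule, and heidi's one typo is ignored. In production the source key would often be a tenant or ASN rather than a single IP, since APT sprays are routinely spread across many addresses.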

NCSC has previously provided examples of frequently found passwords, which attackers are known to use in password spray attacks to attempt to gain access to corporate accounts and networks. In these attacks, malicious cyber actors often use passwords based on the month of the year, seasons, and the name of the company or organization.

CISA and NCSC continue to investigate activity linked to large-scale password spraying campaigns.

APT actors will continue to exploit COVID-19 as they seek to answer additional intelligence questions relating to the pandemic. CISA and NCSC advise organizations to follow the mitigation advice below in view of this heightened activity.

Mitigations

CISA and NCSC have previously published information for organizations on password spraying and improving password policy. Putting this into practice will significantly reduce the chance of compromise from this kind of attack.
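The password patterns named in the Technical Details section (months, seasons, and the organisation's own name) are the natural input to a password-policy check, which is the mitigation this paragraph points to. The following check is an added example, not code from CISA or NCSC; the character-substitution table, the handling of short tokens, and the organisation name "Acme" are assumptions chosen for the illustration. It looks through the year, symbols and common substitutions that users bolt onto such words, so that "Summer2020!" and "Wint3r!!" are rejected and not only the bare words.

```python
"""Reject passwords built from the patterns password sprayers rely on.

Spray lists are full of month, season and company names with a year or
a few symbols bolted on. This check looks through that decoration and
through common character substitutions before comparing, so "Summer2020!"
and "Wint3r!!" are rejected, not only the bare words.
"""
import re

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
SEASONS = ["spring", "summer", "autumn", "fall", "winter"]

# Common digit/symbol substitutions to undo before matching (an assumed
# table for this example; extend it to match what your users actually do).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def letter_runs(password):
    """Lower-case, undo substitutions, and return the alphabetic runs.

    Digits and symbols that are not substitutions act as separators, so
    "Acme-Rocks1" yields ["acme", "rocksi"] and "Summer2020!" yields
    ["summer", "o", "o"] (the zeros in 2020 become "o").
    """
    return re.findall(r"[a-z]+", password.lower().translate(LEET))


def check_password(password, org_names=()):
    """Return (True, None) if the password is free of spray-list tokens,
    else (False, token) naming the month, season or organisation name found.

    Short tokens (under four letters, e.g. "may") must match a whole run
    so that "Mayflower" is not rejected; longer tokens also match as a
    substring so "acmecorp" is caught when "acme" is denied.
    """
    deny = sorted(set(MONTHS) | set(SEASONS) | {n.lower() for n in org_names})
    for run in letter_runs(password):
        for token in deny:
            if run == token or (len(token) >= 4 and token in run):
                return False, token
    return True, None


if __name__ == "__main__":
    # "Acme" stands in for the organisation's own name.
    for candidate in ["Summer2020!", "Wint3r!!", "Acme-Rocks1", "Mayflower42"]:
        print(candidate, check_password(candidate, org_names=["Acme"]))
```

Wire this in at the point where a password is set or changed, passing the organisation's name, product names and common abbreviations in `org_names`; it complements, rather than replaces, a check against a list of known breached passwords.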

CISA’s Cyber Essentials for small organizations provides guiding principles for leaders to develop a culture of security and specific actions for IT professionals to put that culture into action.

Additionally, the UK government’s Cyber Aware campaign provides useful advice for individuals on how to stay secure online during the coronavirus pandemic. This includes advice on protecting passwords, accounts, and devices.

A number of other mitigations will be of use in defending against the campaigns detailed in this report:

Contact Information

CISA encourages U.S. users and organizations to contribute any additional information that may relate to this threat by emailing CISAServiceDesk@cisa.dhs.gov.

The NCSC encourages UK organizations to report any suspicious activity to the NCSC via their website: https://report.ncsc.gov.uk/.

Disclaimers

This report draws on information derived from CISA, NCSC, and industry sources. Any findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times.

CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.

References

[1] CISA Alert: Detecting Citrix CVE-2019-19781

[2] NCSC Alert: Actors exploiting Citrix products vulnerability

[3] CISA Alert: Continued Exploitation of Pulse Secure VPN Vulnerability

[4] NCSC Alert: Vulnerabilities exploited in VPN products used worldwide

US-Cert.gov (May 2020) APT Groups Target Healthcare and Essential Services

B-1B Lancers return to Indo-Pacific for bomber task force deployment


The U.S. Air Force B-1B Lancers have returned to the Indo-Pacific region on May 1 to conduct bomber task force operations out of Andersen Air Base, Guam.

Four bombers and approximately 200 Airmen from the 9th Bomb Squadron, 7th Bomb Wing, Dyess Air Force Base, Texas, deployed to support Pacific Air Forces’ training efforts with allies, partners and joint forces; and strategic deterrence missions to reinforce the rules-based international order in the Indo-Pacific region.

Three B-1Bs flew to Andersen AFB while one split off and flew down east of Japan to conduct training with U.S. Navy assets operating in the region before heading to Andersen AFB.

“Deployments like this allow our Airmen to enhance the readiness and training necessary to respond to any potential crisis or challenge across the globe,” said Col. Ed Sumangil, 7th BW commander. “It also provides a valuable opportunity to better integrate with our allies and partners through joint and combined operations and exercises.”

In line with the National Defense Strategy objectives of strategic predictability and operational unpredictability, the Bomber Task Force enables a mix of different types of strategic bombers to operate forward in the Indo-Pacific region from a broader array of overseas and continental U.S. locations with greater operational resilience.

“The B-1 provides all of the training opportunities which the B-52 (Stratofortress) provided, plus the ability to train to advanced standoff, anti-surface warfare with (Long Range Anti-Surface Missiles),” said Lt. Col. Frank Welton, PACAF’s chief of operations force management.

The B-1 can carry the largest conventional payload of both guided and unguided weapons in the U.S. Air Force.

“The B-1 is able to carry a larger payload of Joint Air-to-Surface Standoff Missiles and a larger payload of 2,000-pound class Joint Direct Attack Munitions,” Welton said. “Additionally, the B-1 is able to carry the LRASM, giving it an advanced standoff, counter-ship capability. It also has an advanced self-protection suite and is able to transit at supersonic speeds to enhance offensive and defensive capabilities.”

The last time the B-1s were deployed to the region was in 2017. Bombers from the 9th Expeditionary Bomb Squadron supported missions from Andersen AFB, conducting multiple sequenced bilateral missions with the South Korean air force and the Japan Air Self-Defense Force.

“Our wing has conducted, and participated in, a variety of exercises over the last year to ensure we are primed for large-scale missions such as this one,” Sumangil said. “We’re excited to be back in Guam and proud to continue to be part of the ready bomber force prepared to defend America and its allies against any threat.”

The last BTF deployed to the Pacific was in January 2019 when three B-2 Spirits and approximately 200 Airmen from the 393rd Bomb Squadron from Whiteman AFB, Missouri, deployed to Hawaii.

The squadron conducted 37 sorties for a total of 171 hours. Eight of the missions were integration operations with F-22 Raptors from the 199th Fighter Squadron, 154th Wing, and Hawaii Air National Guard.

AF.mil (May 2020) B-1B Lancers return to Indo-Pacific for bomber task force deployment

Not every COVID-19 testing site is legit


You probably know that COVID-19 tests are in short supply. But did you know there’s no shortage of scammers setting up fake COVID-19 testing sites to cash in on the crisis? 

The fake sites can look real, with legitimate-looking signs, tents, hazmat suits, and realistic-looking tests. And the damage these fake testing sites can cause is very real.

They aren’t following sanitation protocols, so they can spread the virus.

They’re taking people’s personal information, including Social Security numbers, credit card information, and other health information – all of which can be used for identity theft and to run up your credit card bill. Worst of all, they’re not giving people the help they need to stay healthy. In other words, these testing sites are bad news.

Here are a few things to keep in mind when looking into testing sites.

  • If you think you should get tested, ask your doctor. Some people with COVID-19 have mild illness and are able to recover at home without medical care. They may not need to be tested, according to the CDC. Not sure if you need to get tested? Try the CDC’s self-checker.
  • Get a referral. Testing sites are showing up in parking lots and other places you wouldn’t expect to get a lab test. Some of these are legit – and some are not. The best way to know is to go somewhere you have been referred to by your doctor or state or local health department’s website. In other words, don’t trust a random testing site you see on the side of the road.
  • Not sure if a site is legit? Check with your local police or sheriff’s office. If a legitimate testing site has been set up, they should know about it. And, if a fake testing site is operating, they’ll want to know.

Spotted a fake COVID-19 testing site? We want to hear about it. Report it at ftc.gov/complaint.

FTC.gov (May 2020) Not every COVID-19 testing site is legit

CBP Goes 4 for 4, Seizing Undeclared Currency, Firearms, and Ammunition while Conducting Outbound Inspections at Eagle Pass Port of Entry


U.S. Customs and Border Protection, Office of Field Operations (OFO) interdicted a steady stream of undeclared currency, firearms and ammunition this week in four enforcement actions at the Eagle Pass Port of Entry.

“Our front-line officers continue to demonstrate the effectiveness of blending inspection skills and experience with the use of technology in these enforcement actions,” said Port Director Paul Del Rincon, Eagle Pass Port of Entry.

On Monday, April 27, 2020, at Camino Real Bridge, while inspecting a GMC 3500 truck, CBP officers discovered a Taurus Armas GC2 9 mm pistol and two Pro Cal 9 mm magazines hidden within a DVD player. The pistol and magazines were seized and a $500 penalty was issued.

Also on April 27, CBP officers conducting an outbound examination of a Chevrolet Silverado discovered 28 .22-caliber rounds. The ammunition was seized.

On Tuesday, April 28, 2020, at International Bridge 1, while conducting an examination of a Chevrolet 2500 truck, CBP officers discovered a Smith and Wesson SD40 Crimson Trace pistol, a Winchester 190 .22-caliber long rifle, three Smith and Wesson SD40 14-round magazines, one Pro Mag Smith and Wesson .40-caliber 25-round magazine and 319 rounds of ammunition of varying calibers. The pistol, rifle, magazines and all ammunition were seized.

On Wednesday, April 29, 2020, CBP officers inspected a 2008 Saturn Astro XR traveling outbound at the Camino Real Bridge driven by a 35-year-old male Mexican citizen accompanied by a 45-year-old male Mexican citizen. During the inspection officers discovered $12,247 of unreported currency.

The undeclared money was seized and both subjects were arrested and turned over to Maverick County Sheriff’s Office for further investigation.

CBP.gov (May 2020) CBP Goes 4 for 4, Seizing Undeclared Currency, Firearms, and Ammunition while Conducting Outbound Inspections at Eagle Pass Port of Entry

Florida Man Pleads Guilty to Racially-Motivated Interference With Election in Charlottesville, Virginia and Cyberstalking in Florida


Daniel McMahon, 31, pleaded guilty on Thursday in federal court in the Western District of Virginia to one count of threatening an African-American Charlottesville City Council candidate identified by the initials D.G. because of his race and because he was running for office, and to one count of cyberstalking a separate victim through Facebook messenger. 

“Racially motivated threats of violence have no place in our society and will not be tolerated by the Department of Justice,” said Assistant Attorney General Eric Dreiband for the Civil Rights Division. “The defendant in this case violated the civil rights of his victims through intimidation and we are grateful for all the work and collaboration our partners have done on this case.”

“Although the First Amendment protects, without qualification, an individual’s right to hold and express abhorrent political views, it does not license threats of violence,” said U.S. Attorney Thomas T. Cullen for the Western District of Virginia. “The Department of Justice is committed to investigating and prosecuting those who weaponize social media to harm others.” 

“Peaceable protest is a core American value protected by law,” said U.S. Attorney Maria Chapa Lopez for the Middle District of Florida. “This defendant violated the law by threatening violence against an African-American individual who planned to announce his candidacy for City Council and an autistic child merely because the child’s mother opposes his extreme racially motivated views. This collaborative prosecution demonstrates that the Department of Justice as a whole will not tolerate these types of threats and intimidation.”

“This investigation underscores the FBI Joint Terrorism Task Forces’ and the U.S. Attorney’s Offices’ continued commitment to aggressively investigate and prosecute individuals engaging in racially-motivated threats and violent extremist activities. It also exemplifies the seamless information sharing between FBI Divisions in eliminating potential threats to our communities,” said Special Agent in Charge of the FBI Tampa Division Michael F. McPherson.

“Protecting the civil rights of all Americans is a high priority for the FBI and is a mission to which we are fully committed. In this case, the defendant used racially-motivated threats of violence to disrupt an election,” said David W. Archey, Special Agent in Charge of the FBI’s Richmond Division. “In addition, he used a social media account to stalk and terrorize another victim and a minor child. We will continue to prioritize and aggressively investigate violations of these kinds. We are grateful for the partnership and efforts of FBI Tampa Division, the U.S. Attorney Offices in Virginia and Florida, and the Department of Justice, and for their assistance on this case.”

At the plea hearing, the defendant admitted that he uses the online pseudonyms “Jack Corbin,” “Pale Horse,” “Restore Silent Sam,” and “Dakota Stone,” to promote white supremacy and white nationalist ideology, and to express support for racially-motivated violence.

The defendant admitted that in January 2019, upon learning that D.G., an African-American resident of Charlottesville, Virginia, planned to announce his candidacy for City Council, the defendant used his Jack Corbin account on the social media platform Gab to threaten violence against D.G. because of D.G.’s race and because D.G. was running for office. The defendant admitted that his posts used racial slurs and invoked long-standing racial stereotypes, and that he intended for D.G. to understand his posts as threats to his safety. 

In addition to this, the defendant also admitted to cyberstalking Victim 2 using his “Restore Silent Sam” Facebook account. In connection with this charge, the defendant admitted that he used Facebook to send Victim 2 numerous intimidating and threatening messages that placed Victim 2 in reasonable fear of harm to Victim 2’s minor child.

The defendant acknowledged that Victim 2 has been active in countering white nationalist rallies in her community. The defendant admitted that, because of Victim 2’s activism, he began an online campaign to intimidate her and to extort information from her about her fellow activists. This included sending Victim 2 numerous messages over the course of twelve days in which he threatened to sexually assault Victim 2’s minor daughter, who has autism.

The defendant admitted that, at around the same time that he sent these messages, he also used the internet to conduct searches relating to sexual contact with girls who have autism. The defendant admitted that his messages reasonably caused Victim 2 serious emotional distress and fear for Victim 2’s child’s safety.

McMahon will be sentenced on July 23, 2020. He faces a maximum sentence of one year in prison for threatening D.G. and five years in prison for cyberstalking Victim 2.

This case is being investigated by the FBI and is being prosecuted by U.S. Attorney Thomas T. Cullen of the Western District of Virginia; Assistant U.S. Attorney Christopher Kavanaugh of the Western District of Virginia; Assistant U.S. Attorney Daniel George of the Middle District of Florida; and Trial Attorney Risa Berkower of the U.S. Department of Justice’s Civil Rights Division.

Justice.gov (April 2020) Florida Man Pleads Guilty to Racially-Motivated Interference With Election in Charlottesville, Virginia and Cyberstalking in Florida