No, there’s no evidence (yet) the feds tried to hack Georgia’s voter database

Georgia politician Brian Kemp reads at a Holocaust remembrance ceremony in the state. (credit: Georgia.gov)

Accusations that the US Department of Homeland Security tried to hack Georgia's voter registration database are running rampant. But until officials from that state's Secretary of State office provide basic details, people should remain highly skeptical.

The controversy erupted after Georgia Secretary of State Brian Kemp sent and publicly released a letter addressed to DHS Secretary Jeh Johnson. In it, Kemp made a series of statements so vague in their technical detail that it's impossible to conclude any kind of hacking or breach—at least as those terms are used by security professionals—took place.

"On November 15, 2016, an IP address associated with the Department of Homeland Security made an unsuccessful attempt to penetrate the Georgia Secretary of State's firewall," Kemp wrote. "I am writing you to ask whether DHS was aware of this attempt and, if so, why DHS was attempting to breach our firewall."


Obama asks intel community to conduct “full review” of election-related hacks

(credit: Tom Lohdan)

At an event today hosted by the Christian Science Monitor, White House terrorism and homeland security advisor Lisa Monaco announced that President Barack Obama had ordered a "full review" of the campaign of cyber-attacks against the Democratic Party, the campaign organization of Hillary Clinton, and other politicians and state election officials' websites during the 2016 presidential campaign. Monaco said that the results of the review would be released to Congress before President Obama left office.

"The president has directed the intelligence community to conduct a full review of what happened during the 2016 election process," Monaco said, "and to capture lessons learned from that and to report to a range of stakeholders, to include the Congress."

The announcement comes after a call from both Republicans and Democrats on December 7. At a Heritage Foundation event on Wednesday, House Homeland Security Chairman Michael McCaul (R-Texas) called for "consequences" for Russia's interference in the election. “If we don’t respond and show them that there are consequences," he said, "the bad behavior will continue… our democracy itself is being targeted.”


Shamoon Rebooted in Middle East, Part 2

Last week we provided some initial analysis on recent attacks targeting organizations in the Middle East. The attack has hallmarks of the Shamoon campaign of 2012. We now have additional data related to the components used within the new campaign, which has three distinct components: dropper, wiper, and wiper driver.

The language of these three components—PKCS12 (wiper), PKCS7, and X509—is lang:9217, which translates to Yemeni Arabic. We also see both 32- and 64-bit versions.

The malware spreads over the network using the IPC$ share and embedded administrator credentials from the targeted organization (found in one of the samples), so we can assume that the attackers already had a beachhead from which to gather these credentials. The password was also very strong, another indicator that the attackers might have had network access to compromise passwords and accounts. Indeed, our Foundstone team, which has conducted significant work on both campaigns, has identified individuals (not related to the attacks) who showed off their technical prowess by publicizing the compromised credentials on public forums.

The malware tries to disable User Account Control (UAC), verifies that it is running with admin credentials, and drops the payload in the System32 folder. Another run option is to use the AT command to schedule a job that executes the payload.

Wiping function

The wiper component was hardcoded to start Thursday, November 17 at 20:45, after the beginning of Saudi Arabia’s Friday holiday, when most employees have left and after the evening prayer time.

The date is verified and the wiper component is then extracted to System32 using the same random names as generated by the Shamoon code from 2012. The wiper has three options for deletion: F, E, and R. The F option overwrites the data with the JPEG of the Syrian refugee boy Alan Kurdi lying drowned on the beach. The E and R options overwrite using random values. Shamoon 1 used a JPEG of a burning US flag.

Also during the mass deletion, the wiper, which relies on the Eldos RawDisk driver, changes the system time to August 2012, probably to keep the temporary trial license for that software from appearing expired.

We have found many similarities between the 2012 attack and this recent campaign. There are a few alterations to the code and political themes, but overall we see a similar framework and process.

Detection

In cooperation with McAfee Labs we can confirm that all related samples of this attack are detected by the signature DistTrack![partial-hash].

The driver used by the wiper is legitimate software, so this threat carries the on-screen warning "Possibly Unwanted Program." We will continue our analysis, particularly as our Foundstone team identifies additional indicators.
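As an added illustration (not McAfee's code), the following Python script applies host-based detection heuristics for three behaviours described above: a remote IPC$ connection followed by a file drop into System32, a job scheduled with the AT command, and a system clock rolled back by years. The log format and every hostname, IP address, user name and file name in it are constructed for the example; they are not real Windows event text or indicators from the campaign.

```python
import ntpath
from datetime import datetime
from typing import Any, Dict, List

# Constructed sample events in a simplified "ts|host|event|k=v;k=v" format
# (not real Windows event text). Hosts, IPs, users and file names are placeholders.
SAMPLE_LOG = """\
2016-11-15T21:02:10|WS-042|share_access|src=10.0.5.7;share=IPC$;user=CORP\\svc_admin
2016-11-15T21:02:14|WS-042|file_create|src=10.0.5.7;path=C:\\Windows\\System32\\placeholder_drop.exe
2016-11-15T21:02:20|WS-042|process_create|image=C:\\Windows\\System32\\at.exe;cmdline=at 20:45 C:\\Windows\\System32\\placeholder_drop.exe
2016-11-17T20:45:03|WS-042|time_change|old=2016-11-17T20:45:03;new=2012-08-15T20:45:03
2016-11-15T09:00:00|WS-019|share_access|src=10.0.5.9;share=IPC$;user=CORP\\helpdesk
2016-11-15T09:30:00|WS-019|process_create|image=C:\\Windows\\System32\\notepad.exe;cmdline=notepad.exe
"""

def parse(line: str) -> Dict[str, Any]:
    """Split one constructed log line into a record dict."""
    ts, host, event, detail = line.split("|", 3)
    rec: Dict[str, Any] = {"ts": datetime.fromisoformat(ts), "host": host, "event": event}
    for kv in detail.split(";"):
        key, _, val = kv.partition("=")
        rec[key] = val
    return rec

def detect(log_text: str, window_s: int = 600) -> List[str]:
    """Return one alert string per suspicious behaviour, in time order."""
    recs = sorted((parse(l) for l in log_text.splitlines() if l.strip()), key=lambda r: r["ts"])
    alerts: List[str] = []
    ipc_seen: Dict[tuple, datetime] = {}  # (host, src) -> last IPC$ connection time
    for r in recs:
        host, ev = r["host"], r["event"]
        if ev == "share_access" and str(r.get("share", "")).upper() == "IPC$":
            ipc_seen[(host, r.get("src"))] = r["ts"]
        elif ev == "file_create" and "\\system32\\" in str(r.get("path", "")).lower():
            # Lateral-movement pattern: admin-share logon, then a payload written to System32
            t0 = ipc_seen.get((host, r.get("src")))
            if t0 is not None and (r["ts"] - t0).total_seconds() <= window_s:
                alerts.append(f"{host}: IPC$ connection from {r['src']} followed by System32 drop {r['path']}")
        elif ev == "process_create" and ntpath.basename(str(r.get("image", ""))).lower() == "at.exe":
            # Legacy AT scheduler used to stage execution at a fixed time
            alerts.append(f"{host}: AT job scheduled: {r.get('cmdline')}")
        elif ev == "time_change":
            # Clock rolled back by years, as the wiper does to keep the RawDisk trial license valid
            old, new = datetime.fromisoformat(str(r["old"])), datetime.fromisoformat(str(r["new"]))
            if old.year - new.year >= 2:
                alerts.append(f"{host}: system clock rolled back {old.year - new.year} years to {new.date()}")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The time window and the two-year threshold are tuning knobs; a short IPC$-to-System32 window keeps ordinary administrative share access from alerting.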

The post Shamoon Rebooted in Middle East, Part 2 appeared first on McAfee Blogs.

Fancy Bear ramping up infowar against Germany—and rest of West

The bear is back. It never went away.

US intelligence agencies have been forthright in their insistence that the Russian government was behind not only the hacking of the Democratic National Committee (DNC) and other political organizations in the US, but a concerted effort to undermine confidence in the results of the US presidential election, including attacks on state election officials' systems. But the US is not the only country that the Russian government has apparently targeted for these sorts of operations—and the methods used in the DNC hack are being applied increasingly in attempts to influence German politics, Germany's chief of domestic intelligence warned yesterday.

In a press release issued on December 8, Germany's Bundesamt für Verfassungsschutz (BfV)—the country's domestic intelligence agency—warned of an ever-mounting wave of disinformation and hacking campaigns by Russia focused on increasing the strength of "extremist groups and parties" in Germany and destabilizing the German government. In addition to propaganda and disinformation campaigns launched through social media, the BfV noted an increased number of "spear phishing attacks against German political parties and parliamentary groups" using the same sort of malware used against the Democratic National Committee in the US.

The statement from the BfV came on the same day that Alex Younger, the chief of the United Kingdom's Secret Intelligence Service (MI6), made more veiled references to disinformation and hacking campaigns. In remarks Younger delivered at Vauxhall Cross, MI6 headquarters, he warned of the mounting risks posed by "hybrid warfare."
