Security Software & Equipment Store

Wednesday, July 27, 2016

What is Russia's Objective in Purported Hack of DNC Emails Published By Wikileaks?

The FBI confirmed it has opened an investigation into allegations that the Wikileaks email dump of nearly 20,000 Democratic National Committee emails over the weekend might be linked to the Russian government. Hackers connected to Russian intelligence agencies allegedly have been working to help tilt the United States presidential election. Hillary Clinton's campaign manager, Robby Mook, made a bombshell allegation on Sunday, claiming that the hack of thousands of DNC emails that revealed efforts to undermine the Bernie Sanders campaign was the work of Russian intelligence. "The FBI is investigating a cyber intrusion involving the DNC and is working to determine the nature and scope of the matter," the agency said in a statement provided to the press. "A compromise of this nature is something we take very seriously and the FBI will continue to investigate and hold those accountable who pose a threat in cyberspace." The theory that Moscow orchestrated the leaks to help Trump—who has repeatedly praised Russian President Vladimir Putin and practically called for the end of NATO—is fast gaining currency within the Obama administration because of the timing of the leaks and Trump’s own connections to the Russian government, the sources said on condition of anonymity because the investigation is ongoing and developing quickly. Does Russia truly favor a Republican president named Donald Trump over Democrat Hillary Clinton? Share your comments with the Cloud and Cyber Security Center.

Tuesday, July 26, 2016

Mandiant Issues New Report on Russia's Cyber Espionage Tactics

The role of nation-state actors in cyber attacks was perhaps most widely revealed in February 2013 when Mandiant released the APT1 Report, which detailed a professional cyber espionage group based in China. Mandiant has now released a new report entitled APT28: A Window Into Russia's Cyber Espionage Operations. The report focuses on a threat group that FireEye has designated APT28. While APT28’s malware is fairly well known in the cybersecurity community, the report details additional information exposing ongoing, focused operations that FireEye believes indicate a government sponsor based in Moscow. In contrast with the China-based threat actors that FireEye tracks, APT28 does not appear to conduct widespread intellectual property theft for economic gain. Instead, APT28 focuses on collecting intelligence that would be most useful to a government. Specifically, FireEye found that since at least 2007, APT28 has been targeting privileged information related to governments, militaries and security organizations that would likely benefit the Russian government. The report also describes several malware samples containing details that indicate that the developers are Russian language speakers operating during business hours consistent with the time zone of Russia’s major cities, including Moscow and St. Petersburg. FireEye analysts also found that APT28 has systematically evolved its malware since 2007, using flexible and lasting platforms indicative of plans for long-term use, and sophisticated coding practices that suggest an interest in complicating reverse engineering efforts. Access the report at: https://www2.fireeye.com/apt28.html Share your comments with the Cloud and Cyber Security Center.

Tuesday, July 19, 2016

Android.Fakebank.B Malware Compromises Banking Customer Care Centers

After Android malware that intercepts incoming calls to bypass two-factor authentication systems emerged earlier this year, Symantec researchers have now discovered a Trojan that prevents users from making outgoing calls to banks from their smartphones. Dubbed Android.Fakebank.B, the malware was observed to include call-barring functionality in March this year and to be targeting mainly customers of Russian and South Korean banks. The Trojan dates back to October 2013, but the call-cancelling capabilities weren’t seen before this year. While analyzing the latest version of the Fakebank.B Android Trojan, Symantec's researchers discovered that, upon installation, the malware registers a Broadcast Receiver component. Because this component is triggered every time the user places a call, the Trojan can monitor the outgoing calls and dialed numbers on the infected device. Customers calling banking care centers from a registered mobile device are usually routed to an Interactive Voice Response (IVR) system, allowing them to cancel stolen payment cards in a timely manner. Malware that blocks those calls denies the victim that recourse and buys the operators more time to steal data from the compromised device, researchers say. How can the Android.Fakebank.B malware be mitigated? Share your suggestions with the Cloud and Cyber Security Center.
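One defensive check that follows from the behaviour described above is manifest triage: an app that registers a Broadcast Receiver for every outgoing call has to declare that in its AndroidManifest.xml, so a review pipeline (an enterprise MDM, an app-vetting step, or an analyst looking at a sample) can flag apps that hook outgoing calls without offering any dialer functionality of their own. The script below is an added example, not Symantec's tooling or anything from the article. It assumes the receiver is registered for the standard Android broadcast `android.intent.action.NEW_OUTGOING_CALL`, which requires the `android.permission.PROCESS_OUTGOING_CALLS` permission; both are real Android identifiers, but the article does not name the exact mechanism, so treating them as the hook is an assumption. The two manifests are constructed samples.

```python
"""Triage an AndroidManifest.xml for apps that hook every outgoing call.

Added example (not from the article).  Assumption: the per-call Broadcast
Receiver described in the Fakebank.B write-up listens for the standard
android.intent.action.NEW_OUTGOING_CALL broadcast, which in turn needs the
android.permission.PROCESS_OUTGOING_CALLS permission.  An app that also
offers to place calls itself (an activity handling android.intent.action.DIAL)
has a plausible reason to hook them; a "banking" app that hooks calls but
offers no dialer does not, and is sent for review.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
OUTGOING_CALL_ACTION = "android.intent.action.NEW_OUTGOING_CALL"
OUTGOING_CALL_PERMISSION = "android.permission.PROCESS_OUTGOING_CALLS"
DIAL_ACTION = "android.intent.action.DIAL"


def _name(elem):
    """Return the android:name attribute of a manifest element (or None)."""
    return elem.get("{%s}name" % ANDROID_NS)


def triage_manifest(manifest_xml):
    """Return a dict describing whether the app hooks outgoing calls and
    whether that is plausibly legitimate (it offers a dialer itself)."""
    root = ET.fromstring(manifest_xml)
    permissions = {_name(p) for p in root.iter("uses-permission")}

    # Receivers whose intent filter fires on every outgoing call.
    call_receivers = [
        _name(r) for r in root.iter("receiver")
        if any(_name(a) == OUTGOING_CALL_ACTION for a in r.iter("action"))
    ]
    # Does any activity advertise itself as a dialer?
    offers_dialer = any(
        _name(a) == DIAL_ACTION
        for act in root.iter("activity") for a in act.iter("action")
    )
    hooks_calls = bool(call_receivers) and OUTGOING_CALL_PERMISSION in permissions
    return {
        "package": root.get("package"),
        "call_receivers": call_receivers,
        "hooks_outgoing_calls": hooks_calls,
        "offers_dialer": offers_dialer,
        "verdict": "review" if hooks_calls and not offers_dialer else "ok",
    }


# Constructed sample: a "bank" app with no dialer that hooks every call.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.bankapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <application>
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <receiver android:name=".CallWatcher">
      <intent-filter>
        <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a dialer replacement that hooks calls for a legitimate reason.
DIALER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.dialer">
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <application>
    <activity android:name=".DialerActivity">
      <intent-filter>
        <action android:name="android.intent.action.DIAL"/>
      </intent-filter>
    </activity>
    <receiver android:name=".OutgoingCallLogger">
      <intent-filter>
        <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, DIALER_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], result["verdict"], result["call_receivers"])
```

The heuristic is deliberately narrow: it does not claim an app is malicious, only that hooking every outgoing call without being a dialer is worth a human look. In a real pipeline the same check would run on the decoded manifest of each APK before distribution, and the "review" verdict would route to an analyst rather than block outright.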

Wednesday, July 13, 2016

Can the xDedic Market on Tor Networks Be Conquered?

The xDedic market has resurfaced, this time on a Tor network domain and with the inclusion of a new $50 USD enrollment fee. xDedic’s original domain (xdedic[.]biz) disappeared shortly after a June 16 Kaspersky Lab report describing how xDedic provided a platform for the sale of compromised RDP servers. At the time of the report, there were 70,000 hacked servers for sale for as little as $6, and the website was doing brisk business. Researchers at Digital Shadows reported today that a June 24 post to the Russian-language forum exploit[.]in included a link to the .onion site now hosting xDedic. “The new xDedic site was found to be identical in design to the previous site and although discussion in the exploit[.]in thread indicated that accounts on the previous site had not been transferred to the new site, accounts could be freely registered,” Digital Shadows wrote in an incident report shared with Threatpost. “However, following registration, accounts had to be credited with $50 USD in order to activate them.” “… It’s a tricky balance marketing their services and hoping word of mouth will do the work for them.” Kaspersky Lab researchers worked with a European ISP to gather data used to analyze xDedic. Kaspersky Lab said the market began in 2014 and quickly grew to the 70,000 hacked servers from 173 countries it was advertising this spring. Which counter-measures can be taken to combat the xDedic market? Send your comments to the Cloud and Cyber Security Center.

See more at: xDedic Hacked Server Market Resurfaces on Tor Domain https://wp.me/p3AjUX-v0F

Tuesday, July 12, 2016

SFG: Furtim’s Parent Malware Cyber Targets Energy Grid in Europe and the US

SentinelOne has found and analyzed the dropper framework of the Furtim malware discovered last May. It describes this as the mother ship and has named it SFG: Furtim's Parent. In a blog post, SentinelOne indicates it was discovered targeting 'at least one European energy company', and describes it as highly sophisticated malware that could be used "to extract data or insert the malware to potentially shut down an energy grid." Furtim’s Parent is a so-called dropper -- a program designed to download and install additional malware components and tools -- that goes to great lengths to remain undetected while targeting energy companies. The researchers believe it was released in May and was created by state-sponsored attackers. The goal of droppers is to prepare the field for the installation of other malware components that can perform specialized tasks. Their priority is to remain undetected, gain privileged access and disable existing protections. These are all tasks that Furtim’s Parent does well. When it is first executed on a system, the malware tests the environment for virtual machines, sandboxes, antivirus programs, firewalls, tools used by malware analysts, and even biometrics software. How vulnerable is the US energy grid to Furtim’s Parent? And which mitigation tactics are most effective? Share your comments with the Cloud and Cyber Security Center.

Thursday, July 7, 2016

Can Cyber Situational Awareness Effectively Combat OPSEC Viability?

Lapses in OPSEC can have significant implications for defenders and attackers alike. All too often organizations unknowingly expose confidential information that significantly increases risks. In some cases organizations leak details that are used to fuel social engineering attacks against their staff and, in other cases, sensitive documents are publicly exposed and put their brand at risk. Adversaries stand to lose from poor OPSEC as well. Dridex botnet operator Andrey Ghinkul associated his nickname – “Smilex” – with his real name, providing law enforcement a valuable clue in their investigation. As a defender, you can capitalize on weak attacker OPSEC to strengthen your security posture. Cyber situational awareness can provide insights into the people, processes and technology your adversaries use and turn those into an advantage. As in the Dridex example, humans can represent the most challenging element of OPSEC; a careless error can reveal their identity. The processes attackers use to retain privacy and anonymity, such as adopting aliases or conducting reconnaissance and lateral movement staging, can also tip you off to suspicious behavior. Knowledge of the technologies adversaries adopt to conduct operations – secure operating systems such as WHONIX and TAILS, anonymization networks like TOR, email encryption using PGP, and digital currencies like Bitcoin and WebMoney – can also give you an edge. When combined and analyzed, these insights can help you prevent and detect malicious activity as well as accelerate investigations when a breach happens. Conversely, to prevent adversaries from gaining information about your organization that they can use to their advantage, a tailored, flexible OPSEC program should be the cornerstone of your strategy. The National Operations Security Program Process provides a five-step OPSEC program that defenders can use to mature their OPSEC capabilities. 
How effective can situational awareness be when combating OPSEC viability? Share your comments with the Cloud and Cyber Security Center.

Wednesday, July 6, 2016

HummingBad Malware Infects Some 10 Million Android Devices - How to Mitigate?

At least 10 million Android devices have been infected by malware called HummingBad, according to cybersecurity software maker Check Point, which has been tracking the malware and has published an analysis of the threat. HummingBad began as a "drive-by download attack," in which phones were infected when people visited websites. "The first component attempts to gain root access on a device with...rootkit [software] that exploits multiple vulnerabilities. If successful, attackers gain full access to a device," Check Point said. "If rooting fails, a second component uses a fake system update notification, tricking users into granting HummingBad system-level permissions." The bulk of victims are in China and India, with 1.6 million and 1.35 million cases respectively. The Philippines, Indonesia and Turkey are toward the top of the list, too. The US has 288,800 infected devices. The UK and Australia each have fewer than 100,000 devices affected. For months, the number of infections was steady, but it spiked sharply in mid-May. What makes HummingBad particularly interesting is the group behind it, which according to Check Point is a team of developers at Yingmob, an otherwise legitimate, multimillion-dollar advertising analytics agency based in Beijing. "Yingmob has several teams developing legitimate tracking and ad platforms," Israel-based Check Point said in the analysis released Friday. "The team responsible for developing the malicious components is the 'Development Team for Overseas Platform' which includes four groups with a total of 25 employees." Which tactics can be used to mitigate HummingBad? Share your solution with the Cloud and Cyber Security Center.