Archive for the ‘NSA’ Category

The NSA has linked the WannaCry computer worm to North Korea … – Washington Post

The National Security Agency has linked the North Korean government to the creation of the WannaCry computer worm that affected more than 300,000 people in some 150 countries last month, according to U.S. intelligence officials.

The assessment, which was issued internally last week and has not been made public, is based on an analysis of tactics, techniques and targets that point with moderate confidence to North Korea's spy agency, the Reconnaissance General Bureau, according to an individual familiar with the report.

The assessment states that cyber actors suspected to be sponsored by the RGB were behind two versions of WannaCry, a worm that was built around an NSA hacking tool that had been obtained and posted online last year by an anonymous group calling itself the Shadow Brokers.


It was the first computer worm to be paired with ransomware, which encrypts data on victims' computers and demands a ransom to restore access.

WannaCry was apparently an attempt to raise revenue for the regime, but analysts said the effort was flawed. Though the hackers raised $140,000 in bitcoin, a form of digital currency, so far they have not cashed it in, the analysts said. That is likely because an operational error has made the transactions easy to track, including by law enforcement.

As a result, "no online currency exchange will touch it," said Jake Williams, founder of Rendition Infosec, a cybersecurity firm. "This is like knowingly taking tainted bills from a bank robbery," he said.


Though the assessment is not conclusive, the preponderance of the evidence points to Pyongyang. It includes the range of computer Internet protocol addresses in China historically used by the RGB, and the assessment is consistent with intelligence gathered recently by other Western spy agencies. It states that the hackers behind WannaCry are also called the Lazarus Group, a name used by private-sector researchers.

One of the agencies reported that a prototype of WannaCry ransomware was found this spring in a non-Western bank. That data point was a building block for the North Korea assessment, the individual said.

The linkage shows that despite the Obama and Trump administrations' efforts to deter North Korean aggression, the country does not appear to have been discouraged from launching one of the most wide-ranging cyberattacks the world has seen.

"What it really confirms is that ... you don't have to be the best in the business to cause a lot of disruption," said Michael Sulmeyer, director of the cybersecurity project at Harvard's Kennedy School. "And that's what they showed they were willing and able to do."

The NSA declined to comment.

North Korea is one of the world's most isolated countries, with very little computer infrastructure. Yet it has managed to deploy cyber capabilities to harass and annoy its rival, South Korea, and to generate revenue for the authoritarian regime.

Last year, security researchers identified North Korea as the culprit behind a series of cyber-enabled heists of banks in Asia, including one in Bangladesh that netted more than $81 million by manipulating the bank's global payments messaging system.

The fact of a nation-state using cyber tools to rob banks, then-NSA Deputy Director Richard Ledgett said in March, represented a troubling new front in cyberwarfare. He did not name North Korea, but the allusion was clear. "This is a big deal," he said.

North Korea in 2014 hacked Sony Pictures Entertainment and demanded that the movie studio pull a film that satirized the country's leader, Kim Jong Un. The hackers disabled computers and released embarrassing company emails. But what tipped the scale for President Barack Obama was the threat to do more damage if the studio did not yank the movie, a move that the administration viewed as an assault on free speech. The administration publicly blamed Pyongyang for the attack and imposed new economic sanctions on the regime.

The NSA cyber tool at the base of WannaCry was an exploit dubbed EternalBlue by the agency. It took advantage of a software flaw in the SMBv1 file-sharing service of some Microsoft Windows operating systems (the flaw Microsoft addressed in security bulletin MS17-010) and enabled an attacker to run code on, and thereby gain access to, those computers over the network without any user interaction.

Although Microsoft, after being notified by the NSA, issued a patch for the software flaw in March, many companies around the world and some in the United States failed to update their machines and fell victim to the virus. Michael Daniel, president of the Cyber Threat Alliance, a nonprofit group devoted to improving cyberdefenses through data sharing, said there were a reasonable number of victims in the United States.

Microsoft declined to comment for this report.

Williams, who has closely studied the code, said he is convinced that the ransomware accidentally got loose in a testing phase. That would explain some of its shortcomings, such as an inability for the attacker to tell who has paid the ransom or not, he said.

Nonetheless, he said, "this is a case where you've got a weaponized, government-sponsored exploit [or hacking tool] being used to deliver ransomware. If North Korea goes unchecked with this, I would expect other developing nations to follow suit. I think that would change the cyberthreat landscape quite a bit."

Daniel, who was Obama's cybersecurity coordinator, said there needs to be a broad-based approach to deterring North Korea across the board in the physical world and in cyberspace.

Federal prosecutors have been probing North Korea's role in the Bangladesh bank theft, and indictments could be issued. The Justice Department in recent years has used indictments as a tool to try to hold accountable hackers from other nation states, including China and Iran.

Rep. Adam B. Schiff (Calif.), the top Democrat on the House Intelligence Committee, which is investigating Russian interference in the 2016 election, has said that the Obama administration's response to North Korea after the Sony attack was not bold enough. "I ... think the Russians were watching and decided that, well, we didn't respond to that. They could get away with a cyberattack," he said at a recent public discussion with Washington Post columnist David Ignatius.

When the South Koreans want to respond to North Korea, Schiff said, they use a form of information warfare. "They do it with loudspeakers," he said. "They do it by telling people in the North what a terrible regime they live under that's starving their own people."


Senators seek answers on alleged NSA leaker’s security clearance – The Hill

The leaders of a key Senate panel are pressing the federal government for information about the security clearance of a government contractor recently accused of passing classified material to a news outlet.

Reality Leigh Winner was arrested by the FBI in early June and charged in federal court with violating a section of the Espionage Act. Her arrest has been linked to The Intercept's publication of a purported classified National Security Agency document detailing Russian hacking efforts aimed at U.S. election and voting infrastructure.

Winner, an Air Force veteran, had worked as a contractor at Pluribus International Corporation, was assigned to a government facility in Georgia and held a top-secret clearance, according to the criminal complaint.

"The leaking of classified information jeopardizes our national security," McCaskill said in a statement. "We need to determine if Ms. Winner's security clearance process was handled correctly or if we missed any red flags."

Together, Johnson and McCaskill lead the Senate Homeland Security and Governmental Affairs Committee.

The letter was sent to Kathleen McGettigan, acting director of OPM. The lawmakers also asked the agency to explain the process by which a member of the military has a security clearance reactivated or transferred in order to be employed by the intelligence community, given Winner's previous service in the Air Force.

Additionally, the senators asked what OPM is doing to comply with a provision included in an appropriations measure passed last year that mandated a review of the federal government's enhanced security clearance program.

Winner was arrested at her home in Georgia on June 3 and the Department of Justice announced the charges days later. Winner allegedly printed and improperly removed classified intelligence in early May and later sent it by mail to an online news outlet.

Winner's arrest was the latest in a string of leak incidents, an issue that has attracted attention since ex-NSA contractor Edward Snowden's disclosures to news publications in 2013.

In February, former NSA contractor Harold Martin was indicted for stealing thousands of intelligence files, including classified documents from the NSA, CIA and U.S. Cyber Command.


Rare XP Patches Fix Three Remaining Leaked NSA Exploits – Threatpost

The unusual decision Microsoft made to release patches on Tuesday for unsupported versions of Windows was prompted by three NSA exploits that remained unaddressed from April's ShadowBrokers leak.

The worst of the bunch, an attack called ExplodingCan (CVE-2017-7269), targets older versions of Microsoft's Internet Information Services (IIS) webserver, version 6.0 in particular. It is a buffer overflow in the WebDAV component of IIS 6.0 that a remote, unauthenticated attacker can trigger with a crafted request, gaining remote code execution on a Windows Server 2003 machine.

All three attacks allow an adversary to gain remote code execution; one is EsteemAudit, a vulnerability in the Windows Remote Desktop Protocol (RDP) (CVE-2017-0176), while the other is EnglishmanDentist (CVE-2017-8487), a bug in OLE (Object Linking and Embedding). Microsoft said the patches are available for manual download.

ExplodingCan merits a closer look because of the wide deployment of IIS 6.0.

Generally, when you put a Windows machine on the internet, its going to be a server and its going to run a webserver, so there are production machines on the internet running IIS 6.0 right now, said Sean Dillon, senior analyst at RiskSense and one of the first to analyze the NSAs EternalBlue exploit that spread WannaCry ransomware on May 12.

"It's probably already been exploited for months now," Dillon said. "At least now there's a fix that's publicly available."
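A quick triage check for the IIS 6.0 exposure Dillon describes, added here as an example and not drawn from the article or from RiskSense: ExplodingCan lives in the WebDAV component of IIS 6.0, so a host is worth prioritising for the manual down-level patch only if it identifies itself as IIS 6.0 and advertises WebDAV methods. The three OPTIONS responses below are constructed samples, not captures from real servers, and `probe()` is a hypothetical helper for live hosts; everything else runs offline.

```python
"""Exposure check for ExplodingCan (CVE-2017-7269): IIS 6.0 with WebDAV enabled.

Added example, not code from the article. A "candidate" result means the host
answers as IIS 6.0 and advertises WebDAV; it is not proof that the patch is
missing, because a patched IIS 6.0 host answers identically.
"""
import socket

# Constructed sample OPTIONS responses (not captured from real hosts).
SAMPLE_IIS6_WEBDAV = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"DAV: 1, 2\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, "
    b"COPY, MOVE, LOCK, UNLOCK\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_IIS6_NO_WEBDAV = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_MODERN_IIS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/10.0\r\n"
    b"DAV: 1, 2\r\n"
    b"Allow: OPTIONS, PROPFIND, GET, HEAD\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Methods that only a WebDAV-enabled server advertises.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def parse_response_headers(raw):
    """Return (status_line, {lowercased header name: value}) from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            # Repeated header names are joined so no advertised method is lost.
            headers[key] = (headers[key] + ", " + value.strip()) if key in headers else value.strip()
    return lines[0], headers


def assess_options_response(raw):
    """Classify one OPTIONS response: IIS 6.0? WebDAV on? worth prioritising?"""
    _, headers = parse_response_headers(raw)
    server = headers.get("server", "")
    is_iis6 = server.lower().startswith("microsoft-iis/6.")
    advertised = set()
    for field in ("allow", "public"):
        advertised |= {m.strip().upper() for m in headers.get(field, "").split(",") if m.strip()}
    webdav_on = "dav" in headers or bool(advertised & WEBDAV_METHODS)
    return {
        "server": server,
        "iis6": is_iis6,
        "webdav": webdav_on,
        "candidate": is_iis6 and webdav_on,
    }


def probe(host, port=80, timeout=5.0):
    """Hypothetical live-host helper: send one OPTIONS request and assess the reply."""
    request = ("OPTIONS / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host).encode("ascii")
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return assess_options_response(buf)


if __name__ == "__main__":
    for label, sample in (("iis6+webdav", SAMPLE_IIS6_WEBDAV),
                          ("iis6 only", SAMPLE_IIS6_NO_WEBDAV),
                          ("modern iis", SAMPLE_MODERN_IIS)):
        print(label, assess_options_response(sample))
```

Two caveats apply when this is run against real inventory: a reverse proxy or load balancer may rewrite the `Server` header, so a negative is only as good as the path to the origin, and a positive says nothing about patch state. Treat a candidate as "verify the June 2017 update is installed, or disable WebDAV", not as a finding in itself.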

Microsoft released a hefty load of patches for supported products and services on Tuesday as part of its normal Patch Tuesday update cycle. Normally, patches for unsupported versions of Windows are available only for Microsoft customers on an expensive extended support contract. The company's decision to make all of those fixes public on Tuesday, it said, was prompted by an elevated risk for destructive cyber attacks.

"Due to the elevated risk for destructive cyber attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt," said Adrienne Hall, general manager of Microsoft's Cyber Defense Operations Center.

"In reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyber attacks by government organizations, sometimes referred to as nation-state actors or other copycat organizations," Hall said. "To address this risk, today we are providing additional security updates along with our regular Update Tuesday service. These security updates are being made available to all customers, including those using older versions of Windows."

The ShadowBrokers leak in April unleashed a number of powerful Windows attacks into the public, allegedly belonging to the Equation Group, which is widely believed to be the U.S. National Security Agency. Criminals and other nation states have already been leveraging the attacks to spread not only WannaCry ransomware, but also cryptocurrency mining utilities and other types of malware.

Microsoft said customers should not expect this type of patch release for unsupported products to become the norm. Some experts have been critical of Microsoft, which also made a similar update available for unsupported products hours after the WannaCry outbreak.

I wish MS would stop releasing patches for xp/2003 it really harms efforts to get rid of legacy in the corporates

Quentyn Taylor (@quentynblog) June 13, 2017

Oh no. Take Windows XP off life support. Though it cannot die with dignity, it must be allowed to die. It will be messy. But this is cruel. https://t.co/euZVdTLC0z

Katie Moussouris (@k8em0) June 13, 2017

"It was the right move by Microsoft," Dillon said. "We saw the damage it can cause with WannaCry. Some of the most-used infrastructure, like SCADA systems, still run on XP whether they're getting patches or not. When you have critical things [running on XP], it's a good thing they released, but it should only be looked at as a temporary solution and people should look to upgrade off of legacy versions."

Some third-party services such as 0patch have provided micro-patches for some of these vulnerabilities on legacy versions, even before the ShadowBrokers leak, Dillon said. "Hopefully people who are running legacy systems have looked into other means of patching besides official fixes," he said. "Although, this is great that there's an official fix."

The remaining two vulnerabilities are of lesser severity but should be patched nonetheless on legacy systems.

EsteemAudit affects RDP, but only on XP and did not require a patch for modern versions of Windows. According to Microsoft, the vulnerability exists if the RDP server has smart card authentication enabled.

EnglishmanDentist, meanwhile, is triggered because Windows OLE fails to properly validate user input, Microsoft said.

"There's a whole wide assortment of exploits that were leaked, and we've only seen a few of them actively used at a mass scale. This is just plugging a hole before it becomes a bigger problem," Dillon said.


Tew: NSA site troubling for personal freedom – Daily Herald

Fridays, when driving home from the airport, I sometimes drive by the seven NSA concrete fortress abominations in Draper, Utah.

Are the employees inside utilizing supercomputers to vacuum up billions of e-mails, social media posts and phone calls from American heroes or deplorable violators of our rights? Without oaths and warrants based on probable cause that a crime has been committed to justify their vacuuming of our private information, don't they continuously and daily violate the 4th Amendment prohibitions against such a vast collection of private data from Americans?

Are we all comfortable with their vast fishing expedition seeking information that could be used against any one of us by a federal government that has long ago escaped its Constitutional cage?

The collected data, stored in the 702 database (Section 702, 2008 Amendment Act of the 1978 Foreign Intelligence Surveillance Act), awaits the mining and use of bureaucrats who make up their own rules, doesn't it?

Your political observations, financial information, or complaints about politicians made in your e-mail, phone call, or on social media are there awaiting some future use you can't predict, aren't they?

Bliss W. Tew, Orem


Win XP patched to avert new outbreaks spawned by NSA-leaking Shadow Brokers – Ars Technica

On Tuesday, Microsoft took the highly unusual step of issuing security patches for XP and other unsupported versions of Windows. The company did this in a bid to protect the OSes against a series of "destructive" exploits developed by, and later stolen from, the National Security Agency.

Tuesday's updates, this updated Microsoft post shows, include fixes for three other exploits that were also released by the Shadow Brokers. A Microsoft blog post announcing the move said the patches were prompted by an "elevated risk of destructive cyberattacks" by government organizations.

"In reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyberattacks by government organizations, sometimes referred to as nation-state actors, or other copycat organizations," Adrienne Hall, general manager of crisis management at Microsoft, wrote. "To address this risk, today we are providing additional security updates along with our regular Update Tuesday service. These security updates are being made available to all customers, including those using older versions of Windows."

The down-level patches come in addition to the normal Patch Tuesday releases. Normal releases are delivered automatically through the Windows Update mechanism to devices running supported Windows versions, including 10, 8.1, 7, and post-2008 Windows Server releases. The down-level patches, by contrast, must be manually downloaded and installed. They are available in the Microsoft Download Center or, alternatively, in the Microsoft Update Catalog.

In a separate blog post, Eric Doerr, general manager of the Microsoft Security Response Center, said the move was designed to fix "vulnerabilities that are at [heightened] risk of exploitation due to past nation-state activity and disclosures." He went on to urge users to adopt new Microsoft products, which are significantly more resistant to exploits, and not to expect regular security fixes in the future.

"Our decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies," he wrote. "Based on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly."

The only other time in recent memory Microsoft has patched an unsupported version of Windows was in 2014, when it issued a critical update for Windows XP during the same week it decommissioned the version. Tuesday's move suggests Microsoft may have good reason to believe attackers are planning to use EsteemAudit, ExplodingCan, and EnglishmanDentist in attacks against older systems. Company officials are showing that, as much as they don't want to set a precedent for patching unsupported Windows versions, they vastly prefer that option to a potential replay of the WCry outbreak.
