63,000 Dutch police officers' sensitive data was exposed in a shocking cyberattack by a Russian-backed group. How did this breach reveal such critical vulnerabilities in government cybersecurity?

https://thedefendopsdiaries.com/the-dutch-police-breach-a-case-study-in-cybersecurity-vulnerabilities/

#dutchpolicebreach
#voidblizzard
#cybersecurity
#stateactor
#databreach

Thinking about hybrid tactics, the targets for cyber attacks are not only nation states but targeted at brands as well. #stateActor or not, does not apply.
#howdidido

Duiding en Mitre ATT&CK mapping TK brief PolitieHack

"Zoals gemeld in mijn brief van 27 september"

• 2024-09-27 First reported

"is een politieaccount gehackt"

• Credential Access TA0006 https://attack.mitre.org/tactics/TA0006/
• Initial Access > Valid Accounts T1078 https://attack.mitre.org/techniques/T1078/

"Het lijkt te gaan om de global address list"

• Collection TA0009 https://attack.mitre.org/tactics/TA0009/
• Exfiltration TA0010 https://attack.mitre.org/tactics/TA0010/

"De AIVD en MIVD hebben de politie geïnformeerd over het cyberincident"

• Lijkt er op te duiden dat er geen (of te laat) eigen detectie was.

"[AIVD & MIVD] achten het zeer waarschijnlijk dat een statelijke actor verantwoordelijk is"

• "Zeer waarschijnlijk" is het hoogste niveau van waarschijnlijkheid van de diensten. Uit een recent stuk "Anti institutioneel extremisme in Nederland" (https://www.aivd.nl/onderwerpen/extremisme/documenten/publicaties/2023/05/25/anti-institutioneel-extremisme-in-nederland-een-ernstige-dreiging-voor-de-democratische-rechtsorde):

De AIVD geeft de onzekerheden in deze inschattingen aan door gebruik te maken van ‘waarschijnlijkheidstermen’. Van minst tot meest waarschijnlijk zijn dit: ‘onwaarschijnlijk’, ‘twijfelachtig’, ‘mogelijk’, ‘waarschijnlijk’ en ‘zeer waarschijnlijk’.

Next steps

Concrete duidelijkheid over alle punten waar we nu alleen de algemene "TA" duiding hebben, is relevant voor verdere detectie bij eventuele andere, en toekomstige slachtoffers.

Mitre ATT&CK (https://attack.mitre.org/tactics/enterprise/) heeft voor zover ik kan nagaan zwakke of geen goede adversary technieken en/of mitigatie technieken voor dit type aanval. Die stappen toevoegen gaat het model ook verder helpen.

Bronnen:

• Tweede Kamer brief: https://open.overheid.nl/documenten/dpc-6bb8e12115dcff7c81a03663a4e340f79fb2ec2f/pdf
• Interview met Corpschef Nationale Politie: https://npo.nl/start/serie/nieuwsuur/seizoen-2024/nieuwsuur_4863/afspelen

#infosec #dataleak #politiehack #StateActor #mitreattack

🚨 Cybersecurity Alert: Unveiling COATHANGER Malware 🚨

A recent advisory from the Dutch #MIVD & #AIVD has exposed a new threat lurking within #FortiGate appliances: the #COATHANGER malware, a remote access trojan (RAT) that's as elusive as it is persistent. Here are the highlights taken from their released TLP-CLEAR advisory:

• Incident response uncovered previously unpublished malware, a remote access trojan (RAT) designed specifically for Fortigate appliances.
• refer to the malware as COATHANGER based on a string present in the code.
• It hides itself by hooking system calls that could reveal its presence.
• It survives reboots and firmware upgrades. Even fully patched FortiGate devices may therefore be infected, if they were compromised before the latest patch was applied.
• high confidence that the malicious activity was conducted by a statesponsored actor from the People’s Republic of China
• The Chinese threat actor(s) scan for vulnerable edge devices at scale and gain access opportunistically, and likely introduce COATHANGER as a communication channel for select victims.
• initial access occurred through exploitation of the CVE-2022-42475 vulnerability
• Although this incident started with abuse of CVE-2022- 42475, the COATHANGER malware could conceivably be used in combination with any present or future software vulnerability in FortiGate devices.
• MIVD & AIVD refer to this RAT as COATHANGER. The name is derived from the peculiar phrase that the malware uses to encrypt the configuration on disk: ‘She took his coat and hung it up’.
• Please note that second-stage malware like COATHANGER are used in tandem with a vulnerability: the malware is used for persistence to a victim network after the actor gained access.
• The implant connects back periodically to a Command & Control server over SSL, providing a BusyBox reverse shell.
• It hides itself by hooking most system calls that could reveal its presence, such as stat and opendir. It does so by replacing them for any process that is forced to load preload.so.
• Section 3.2 of the PDF has a detailed description of how COATHANGER malware behaves and interacts.
• Communication to the C2 server is done over a TLS tunnel. COATHANGER first sends the following request to the HTTP GET request to the C2 server: GET / HTTP/2\nHost: www.google.com\n\n

The COATHANGER malware drops the following files;

/bin/smartctl or /data/bin/smartctl
/data2/.bd.key/authd
/data2/.bd.key/httpsd
/data2/.bd.key/newcli
/data2/.bd.key/preload.so
/data2/.bd.key/sh
/lib/liblog.so

Several methods have been identified to detect COATHANGER implants. A script was released by them for automated detection HERE These include a YARA-rule, a JA3-hash, different CLI commands, file checksums and a network traffic heuristic.

• Two YARA rules are provided for detection on the COATHANGER samples.
• The COATHANGER implant communicates to the C2 server using TLS. This TLS connection is fingerprintable using the following JA3-hash: 339f6adf54e6076d069dcaac54fddc25

With access to the CLI of a FortiGate device, the presence of COATHANGER can be detected in three ways.

1. Check if the files /bin/smartctl or /data/bin/smartctl exist and inspect the timestamps of smartctl and other files in the same directory. If smartctl was modified later than the majority of other files or is not a symlink, it is likely that the smartctl binary was tampered with.

Use the following command:

fnsysctl ls -la /bin
fnsysctl ls -la /data/bin

1. The following command shows a list of active TCP sockets. Whenever the FortiGate device has internet access and the malware is active, the outgoing connection will appear in the results. Check the reputation of all outgoing contection IP's.diagnose sys tcpsock

The specific version of COATHANGER that this report describes uses the process name 'httpsd' to obfuscate itself. Therefore, any suspicious outgoing connections to external IP addresses from a process called httpsd is a strong indicator of the presence of COATHANGER:

<device_IP>:<device_port>-><c2_IP>:<c2_port>-
>state=established err=0 socktype=1 rma=0 wma=0
fma=0 tma=0 inode=<inode> process=<PID>/httpsd

1. The specific version of COATHANGER that this report describes uses the process name httpsd to obfuscate itself. All active processes can be listed using the following command:fnsysctl ps

Running the following command returns all PID's named 'httpsd'

diagnose sys process pidof httpsd

Using the retrieved process IDs from the previous command yields process information for the processes named httpsd.

diagnose sys process dump <PID>

When the process has a GID set to 90, the device is infected with COATHANGER.

#CTI #trojan #malware #stateActor #APT #China #Netherlands

Excellent #infographic on #phishing techniques released by #CISA

https://www.cisa.gov/sites/default/files/publications/phishing-infographic-508c.pdf

#infosec #security #hacking #blackhat #stateactor

Holla!
„USA: Betrieb von Ölpipeline nach Hackerangriff eingestellt”

Die größte Pipeline der USA versorgt etwa 50 Millionen Verbraucher.

Laut CNBC wohl #Ransomware und kein #stateactor, aber könnte noch spannend werden. 😕

https://www.deutschlandfunk.de/usa-betrieb-von-oelpipeline-nach-hackerangriff-eingestellt.1939.de.html?drn:news_id=1257056
https://www.cnbc.com/2021/05/08/colonial-pipeline-shuts-pipeline-operations-after-cyberattack.html

#colonial #hack