posted by martyb on Saturday September 26 2020, @01:27PM   Printer-friendly
from the who-is-next? dept.

Feds Hit with Successful Cyberattack, Data Stolen:

A federal agency has suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Thursday, not naming the agency but providing technical details of the attack. Hackers, it said, gained initial access by using employees' legitimate Microsoft Office 365 log-in credentials to sign onto an agency computer remotely.

"The cyber-threat actor had valid access credentials for multiple users' Microsoft Office 365 (O365) accounts and domain administrator accounts," according to CISA. "First, the threat actor logged into a user's O365 account from Internet Protocol (IP) address 91.219.236[.]166 and then browsed pages on a SharePoint site and downloaded a file. The cyber-threat actor connected multiple times by Transmission Control Protocol (TCP) from IP address 185.86.151[.]223 to the victim organization's virtual private network (VPN) server."

As for how the attackers obtained the credentials in the first place, CISA's investigation turned up no definitive answer. It did, however, point to a likely candidate: a Pulse Secure VPN vulnerability that it has seen exploited widely across federal networks, which allows an unauthenticated attacker to read files from the appliance, including stored passwords.

"It is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability—CVE-2019-11510—in Pulse Secure," according to the alert. "CVE-2019-11510...allows the remote, unauthenticated retrieval of files, including passwords. CISA has observed wide exploitation of CVE-2019-11510 across the federal government."

Check out the rest of the story for additional details on the attack.

CVE-2019-11510
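As an added example (not code from the CISA alert, Threatpost or SoylentNews), this is the triage a responder would run against the two addresses quoted above: refang the defanged indicators, match them against O365 sign-in records and the VPN appliance log, list every account whose password-only sign-in succeeded from an alert IP as a credential to reset, and flag traversal-style requests to the VPN web interface as candidate CVE-2019-11510 probes. The sign-in and log formats, field names, host names, the /vpn/ path prefix and every address other than the two from the alert are constructed for the example; the alert does not quote the exploit request, so the traversal check is a generic pattern, not a signature for that CVE.

```python
"""Triage of O365 sign-in records and VPN logs against the two IP indicators
quoted from the CISA alert. Added example; not code from CISA, Threatpost or
SoylentNews. Log formats, field names, hosts and all other addresses are
constructed for illustration."""
import ipaddress
import re
from typing import Dict, List, Set

# Indicators exactly as the alert defangs them; refanged before matching.
DEFANGED_IOCS = ["91.219.236[.]166", "185.86.151[.]223"]


def refang(ioc: str) -> str:
    """Undo the common defanging conventions ([.] and hxxp) used in advisories."""
    return ioc.replace("[.]", ".").replace("hxxp://", "http://")


IOC_IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IOCS}


def is_ioc(ip: str) -> bool:
    """True if ip is one of the alert's addresses. A malformed field is reported
    as a non-match here; in production you would log it rather than drop it."""
    try:
        return ipaddress.ip_address(ip) in IOC_IPS
    except ValueError:
        return False


# Constructed O365 / Azure AD sign-in records (a simplified subset of the real
# sign-in log fields; users and non-IOC addresses are invented).
SIGNIN_EVENTS = [
    {"user": "jdoe@agency.example", "ip": "91.219.236.166", "status": "Success", "mfa": False, "app": "SharePoint Online"},
    {"user": "jdoe@agency.example", "ip": "198.51.100.7", "status": "Success", "mfa": True, "app": "Exchange Online"},
    {"user": "asmith@agency.example", "ip": "185.86.151.223", "status": "Failure", "mfa": False, "app": "SharePoint Online"},
    {"user": "admin@agency.example", "ip": "203.0.113.5", "status": "Success", "mfa": False, "app": "Azure Portal"},
]

# Constructed VPN appliance log (syslog-like; the format and the /vpn/ path
# prefix are assumed, not those of any particular product).
VPN_LOG = """\
2020-09-01T02:11:09Z vpn01 conn src=185.86.151.223 dport=443 action=accept
2020-09-01T02:11:15Z vpn01 web src=185.86.151.223 req="GET /vpn/../../../../etc/passwd HTTP/1.1" status=200
2020-09-01T08:30:00Z vpn01 conn src=198.51.100.7 dport=443 action=accept
2020-09-01T08:30:05Z vpn01 web src=198.51.100.7 req="GET /vpn/auth/welcome.cgi HTTP/1.1" status=200
2020-09-01T09:00:00Z vpn01 web src=203.0.113.9 req="GET /vpn/auth/..%2F..%2Fetc/passwd HTTP/1.1" status=404
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>conn|web) src=(?P<src>\S+) (?P<rest>.*)$")
# Generic traversal markers (plain, URL-encoded slash, URL-encoded dots). The
# alert does not quote the CVE-2019-11510 request, so this is a coarse net.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.%2f|%2e%2e", re.IGNORECASE)


def compromised_accounts(events: List[Dict]) -> Set[str]:
    """Accounts with a *successful* sign-in from an alert IP: treat these
    credentials as stolen, not merely probed."""
    return {e["user"] for e in events if e["status"] == "Success" and is_ioc(e["ip"])}


def single_factor_successes(events: List[Dict]) -> Set[str]:
    """Accounts that got in on password alone; the gap a stolen password exploits."""
    return {e["user"] for e in events if e["status"] == "Success" and not e["mfa"]}


def vpn_findings(log: str) -> List[Dict[str, object]]:
    """One finding per VPN log line that matches an alert address and/or carries
    a traversal sequence in a web request."""
    findings = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed lines should be counted in real triage
        d = m.groupdict()
        reasons = []
        if is_ioc(d["src"]):
            reasons.append("source matches CISA alert IOC")
        if d["kind"] == "web" and TRAVERSAL_RE.search(d["rest"]):
            reasons.append("path traversal in request (candidate CVE-2019-11510 probe)")
        if reasons:
            findings.append({"ts": d["ts"], "src": d["src"], "kind": d["kind"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("credentials to reset:", sorted(compromised_accounts(SIGNIN_EVENTS)))
    print("single-factor successes:", sorted(single_factor_successes(SIGNIN_EVENTS)))
    for f in vpn_findings(VPN_LOG):
        print(f["ts"], f["src"], f["kind"], "; ".join(f["reasons"]))
```

Run as-is it names jdoe as the one credential known to be in the attacker's hands (the successful SharePoint sign-in from the first alert IP), lists both password-only sign-ins as the accounts to move onto MFA, and flags three VPN lines: the two from the second alert IP and a traversal request from an address that is not in the alert. In a real tenant the sign-in records come from the Azure AD sign-in logs or the unified audit log rather than a literal list, and the traversal regex will also catch benign scanner noise, so it is a prioritisation aid, not proof of exploitation.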



This discussion has been archived. No new comments can be posted.
  • (Score: 2, Interesting) by RandomFactor on Saturday September 26 2020, @02:23PM (5 children)

    by RandomFactor (3682) Subscriber Badge on Saturday September 26 2020, @02:23PM (#1057251) Journal

    "The cyber-threat actor had valid access credentials for multiple users' Microsoft Office 365 (O365) accounts and domain administrator accounts,"

    This is the raison d'etre for multi-factor authentication.
     
    Mass O365 credential phishing and compromise of single-factor-authenticating tenant accounts became a major thing a few years ago and hasn't stopped.
     
    Any major organization on O365 that hasn't told their users to get over it and deal with multi-factor by this point is basically being professionally negligent.
    For many (most?) organizations this is an existential requirement (oh your accounts keep sending me malware and phishing and spam...yeah, we're done I'll be at your competitor's website, kthxbai)
     
    (admittedly this doesn't apply to federal organizations...sigh...I concede that point before someone makes it...)
     
    Nor does being 'too small to bother with' work. Most attacks are highly automated and done in bulk. For any significant organization running single-factor O365, it is really just a matter of time.

    --
    In Pravda there is no news, in Izvestia there is no truth
    • (Score: 5, Insightful) by Thexalon on Saturday September 26 2020, @06:22PM

      by Thexalon (636) on Saturday September 26 2020, @06:22PM (#1057332)

      Also:
      1. Why is the FBI running Office365? You know, a widely attacked platform? You'd think they'd have something a bit more sophisticated and secretive than that.
      2. If they still can't figure out how risky this is, remember that all the OMG-Hillary-and-the-Democrats-were-hacked-by-the-Russians business from 4 years ago was due to a lack of MFA combined with some basic spear-phishing.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 0) by Anonymous Coward on Saturday September 26 2020, @07:42PM

      by Anonymous Coward on Saturday September 26 2020, @07:42PM (#1057350)

      This is the fun/sad part. US Federal employees are required to use CAC (military) or PIV (civilian agencies) cards to login to computers, email, vpn, etc...

      So either MFA was broken, someone's card/PIN was stolen, or MFA was not actually required for specific individuals (e.g., Hillary-style), agencies, or bureaus.

      Wish they would say what agency. There is a big difference in concern depending on if it was: a Forest Service intern _OR_ a virologist at the CDC __OR__ a big cheese at the SEC __OR__ anybody at the Federal Election Commission.

    • (Score: 2) by corey on Saturday September 26 2020, @11:54PM (1 child)

      by corey (2202) on Saturday September 26 2020, @11:54PM (#1057432)
      I partly blame Microsoft for pushing this cloud shit onto everyone. Every Tom, Dick and his dog are jumping over each other to get their businesses onto O365, because Microsoft are making it The Next Big Thing. But because corporate (and government) data is now in the cloud, it's way easier to get, as opposed to internal (often Linux/Unix) networks separated from the internet with a DMZ. I predict in a few years' time, The Next Big Thing will be going back to the old ways with self-run hardware and software, probably where the management will be done by Microsoft. And it'll cost an arm and a leg.
      • (Score: 0) by Anonymous Coward on Sunday September 27 2020, @04:57PM

        by Anonymous Coward on Sunday September 27 2020, @04:57PM (#1057675)

        oh please. The problem is we have a whole nation/world of retarded whores who suck up to power and do everything they can to fund the enemies of their own offspring as often as they can if it gets them a pat on the head. Fuck them. They are complicit.

    • (Score: 2) by fakefuck39 on Sunday September 27 2020, @07:26AM

      by fakefuck39 (6620) on Sunday September 27 2020, @07:26AM (#1057557)

      It's cool, nothing to see here. This will all be fixed when like the government wants, all encryption has a backdoor. No need for credentials, since every country and every hacker in the world will work on breaking that government decryption key.

  • (Score: 1) by MIRV888 on Saturday September 26 2020, @02:25PM (6 children)

    by MIRV888 (11376) on Saturday September 26 2020, @02:25PM (#1057252)

    They just download the schematics from us.

    • (Score: 0) by Anonymous Coward on Saturday September 26 2020, @02:47PM (4 children)

      by Anonymous Coward on Saturday September 26 2020, @02:47PM (#1057263)

      If you could do this over and over again and keep getting away with it, why not? Counting military and private sector hacks, they probably saved themselves more than $1 trillion.

      • (Score: 1) by MIRV888 on Saturday September 26 2020, @03:21PM (2 children)

        by MIRV888 (11376) on Saturday September 26 2020, @03:21PM (#1057279)

        The Chinese J31 appears to be almost a direct rip off of the F22. That's either incredibly coincidental design, or not.

        • (Score: 0) by Anonymous Coward on Saturday September 26 2020, @05:06PM (1 child)

          by Anonymous Coward on Saturday September 26 2020, @05:06PM (#1057313)

          The Chinese J31 appears to be almost a direct rip off of the F22.

          With so many copies it is easy to get them all mixed up. Supposedly the J-20 is a ripoff of the F-22, while the J-31 is a ripoff of the F-35.

          The original design schematics for both of them were obtained by a Chinese national through industrial espionage. [popularmechanics.com]

          • (Score: 0) by Anonymous Coward on Sunday September 27 2020, @05:01PM

            by Anonymous Coward on Sunday September 27 2020, @05:01PM (#1057680)

            That's because this is part of a supranational operation to bring about the NWO. Using national hostilities to build up a global military force for global control of the slaves.

      • (Score: 3, Insightful) by Grishnakh on Saturday September 26 2020, @07:19PM

        by Grishnakh (2831) on Saturday September 26 2020, @07:19PM (#1057345)

        Exactly. If someone keeps leaving their doors unlocked so you can go steal their stuff over and over and over, and they never figure out how to use a better lock, then why wouldn't you keep stealing their stuff?

    • (Score: 0) by Anonymous Coward on Tuesday September 29 2020, @05:39AM

      by Anonymous Coward on Tuesday September 29 2020, @05:39AM (#1058498)

      So what, the ruling class should have more access to information than the working class? Let's keep the working class illiterate.

      Forget that. Trade secrets suck. Keeping things secret from the working class sucks. I say release all the information to the masses so we can all have a fair shot at being equally educated.

  • (Score: 1) by fustakrakich on Saturday September 26 2020, @02:46PM (6 children)

    by fustakrakich (6150) on Saturday September 26 2020, @02:46PM (#1057262) Journal

    Can anybody else give us a clue? Mass media is of no help here.

    --
    Politics and criminals are the same thing..
    • (Score: 2) by Username on Saturday September 26 2020, @06:03PM (5 children)

      by Username (4557) on Saturday September 26 2020, @06:03PM (#1057328)

      There was a large leak of the propaganda side of the Obama administration's arming and training of "moderate rebels" to overthrow the Syrian government.

      https://thegrayzone.com/2020/09/23/syria-leaks-uk-contractors-opposition-media/ [thegrayzone.com]

      Maybe the CIA? I'm not sure what other branch would be into propaganda and arming rebels.

      • (Score: 2, Interesting) by fustakrakich on Saturday September 26 2020, @06:43PM (4 children)

        by fustakrakich (6150) on Saturday September 26 2020, @06:43PM (#1057337) Journal

        That's very disappointing. CIA is already famous for that kind of stuff, that's not newsworthy.

        How come these "hackers" can't get into the IRS and show us Trump's taxes? At least that way I could believe it's for real.

        --
        Politics and criminals are the same thing..
        • (Score: 2) by deadstick on Saturday September 26 2020, @07:13PM

          by deadstick (5110) on Saturday September 26 2020, @07:13PM (#1057344)

          Better yet, out Q.

        • (Score: 2) by Grishnakh on Saturday September 26 2020, @07:25PM (2 children)

          by Grishnakh (2831) on Saturday September 26 2020, @07:25PM (#1057348)

          It's quite likely hackers like these are state-sponsored (i.e. Russian and/or Chinese). Those are the hackers with the most resources and time to devote to hacking nation-states, and also who have immunity if they get caught (what's the US going to do, have them extradited? Hahaha!!). Domestic hackers are unlikely to have done anything like this. Domestic hackers usually do it for money, and there's not much money in hacking the government, and there's a ton of risk (if you get caught, you go to Federal "PMITA" prison). Much more profitable and safer to go after corporate targets, do ransomware, etc.

          So if we assume these are hackers employed by US adversaries, what would they have to gain by releasing information damaging to the current Administration? Nothing really; if anything, it would help the nation overall. They don't want that; their goal is to weaken US power, and creating chaos in the country is very useful towards their goals, as well as supporting a President who's friendly with them (in the case of Russia).

          • (Score: 0) by Anonymous Coward on Sunday September 27 2020, @01:39AM

            by Anonymous Coward on Sunday September 27 2020, @01:39AM (#1057461)

            Why Russians or Chinese? Jews are more likely, of whatever origin or affiliation. Just saying.

          • (Score: 2) by Pav on Sunday September 27 2020, @11:58PM

            by Pav (114) on Sunday September 27 2020, @11:58PM (#1057916)

            Russia's ONLY foreign naval base is in Syria (Tartus)... this allows them to maintain a fleet in the Mediterranean without a friendly Turkey letting them through the Dardanelles. I think there are also rules limiting the size of warships going through the strait, but this may only be for non-local warships going into the Black Sea (I forget, but Caspian Report on YouTube is good to deep dive on this stuff). BTW, in Syria US and Russian troops are getting into brawls and Mad Max style road confrontations [youtube.com] which could lead to an escalation. Although jail for hackers and leakers is certainly a disincentive, quite a few whistleblowers have come out during and since Obama's (and now Trump's) war on whistleblowers... and despite Assange's persecution there have been media organisations willing to publish, although granted no mainstream outlets unfortunately, so the leaks have been largely suppressed at least for those without access to alternative media. Actually, that's not entirely true... the mainstream media is more than willing to speak for "unnamed intelligence sources", and they spoke for the leaker that broke Ukrainegate, but those are probably in the service of approved narratives.

  • (Score: 0) by Anonymous Coward on Sunday September 27 2020, @05:52PM

    by Anonymous Coward on Sunday September 27 2020, @05:52PM (#1057704)

    another good reason not to pay the income tax. they spend it on office 365.
