Chafer APT Hits Middle East Govs With Latest Cyber-Espionage Attacks

Government and air transportation companies in Kuwait and Saudi Arabia were targeted in a recent attack tracked back to the Chafer APT.

Researchers have uncovered new cybercrime campaigns from the known Chafer advanced persistent threat (APT) group. The attacks have hit several air transportation and government victims in hopes of data exfiltration.

The Chafer APT has been active since 2014 and has previously launched cyber espionage campaigns targeting critical infrastructure in the Middle East. This most recent wave of cyberattacks started in 2018 and has lasted until at least the end of 2019, targeting several unnamed organizations based in Kuwait and Saudi Arabia. The campaigns used a bevy of custom-built tools, as well as “living off the land” tactics. Living-off-the-land tools are features that already exist in the target environment and are abused by attackers to help them achieve persistence.

“Researchers have found attacks conducted by this actor in the Middle East region, dating back to 2018,” according to a Thursday Bitdefender analysis. “The campaigns were based on several tools, including ‘living off the land’ tools, which makes attribution difficult, as well as different hacking tools and a custom built backdoor. Victims of the analyzed campaigns fit into the pattern preferred by this actor, such as air transport and government sectors in the Middle East.”

Liviu Arsene, global cybersecurity analyst with Bitdefender, told Threatpost that researchers can’t specify how many companies have been targeted in each country. However, “it is safe to estimate that the cybercriminal group likely went after more than those we investigated,” he said.

The Campaigns

While the modus operandi behind the attacks against firms in Kuwait and Saudi Arabia shared “some common stages,” researchers noted that the attacks on victims from Kuwait were more sophisticated as attackers were able to move laterally on the network. Researchers believe the threat actors initially infected victims using tainted documents with shellcodes, potentially sent via spear-phishing emails.

“During our investigation, on some of the compromised stations we observed some unusual behavior performed under a certain user account, leading us to believe the attackers managed to create a user account on the victims’ machine and performed several malicious actions inside the network, using that account,” said researchers.


Once they gained a foothold inside the company, attackers then installed a backdoor (imjpuexa.exe) that was executed as a service on some machines. Attackers also deployed several network-scanning and credential-gathering tools used for reconnaissance and to help them move laterally inside the network. For instance, attackers deployed CrackMapExec, a multi-purpose tool used for network scanning, credential dumping, account discovery and code injection.

Another custom tool of note that attackers utilized is a modified PLINK tool (called wehsvc.exe). PLINK is a command-line connection tool mostly used for automated operations. The PLINK tool used in the campaign preserves the original functionality, with some new key features such as the possibility to run as a Windows service or to uninstall the service.

“We believe this tool may have been used either to communicate with the [command and control server] C2 or to gain access to some internal machines, but found no conclusive evidence to support these scenarios,” said researchers.

While the attack on the victim in Kuwait achieved further lateral movement, researchers said the attack on the victim in Saudi Arabia was not as elaborate, “either because the attackers did not manage to further exploit the victim, or because the reconnaissance revealed no information of interest.”

For these attacks, researchers said they believe “initial compromise was achieved through social engineering.” After initial compromise, a RAT was loaded and executed twice, with different names (“drivers.exe” and “drivers_x64.exe”). The two executions were three minutes apart, leading researchers to believe that the user was tricked into running them.


The RAT was written in Python and converted into a standalone executable: “Some RATs are very similar to tools that have been previously documented by security researchers, but have been customized for this particular attack,” Arsene told Threatpost. “It’s not uncommon for cybercriminal groups to tweak their tools based on either victim profile or immediate needs. For example, they might change the way the RAT communicates with the C2 server, or they can add other features that were not necessary in the past but currently prove useful.”

Researchers also found three different RAT components that were used at different times. One of these components (“snmp.exe”) was the same as the backdoor (“imjpuexa.exe”) used on the targeted attacks in Kuwait – leading researchers to link the two campaigns.

“While this attack was not as extensive as the one in Kuwait, some forensic evidence suggests that the same attackers might have orchestrated it,” they said. “Despite the evidence for network discovery, we were not able to find any traces for lateral movement, most probably because threat actors were not able to find any vulnerable machines.”

Of note, the threat actor also used “living off the land” tools extensively in both campaigns. This included the heavy use of the Non-Sucking Service Manager (NSSM), which is a legitimate service manager for Microsoft Windows. The NSSM utility manages background and foreground services and processes. Researchers believe the APT used NSSM for ensuring that its critical components, such as the RAT, are up and running.

“We estimate that attackers relied on NSSM to make sure that the services they were monitoring were actually running and not terminated or stopped,” Arsene explained. “It’s a way of ensuring persistence for malicious services and restarting them if they are inadvertently killed or stopped by various other applications.”
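The persistence mechanism described above (a legitimate service manager, NSSM, wrapping the RAT so that it is restarted if killed) leaves a trace in the Windows System log: Event ID 7045, "A service was installed in the system", records the new service name and its image path. The following is an added detection example written for this article, not Bitdefender's tooling; it assumes a simplified pipe-delimited rendering of those records (the sample records are constructed, reusing the service names the article mentions) and flags a service whose image path starts nssm.exe or whose binary lives outside the usual system directories.

```python
"""Flag suspicious service installations in Windows System-log records.

Added example (not Bitdefender's tooling). The report says the actor used
NSSM, a legitimate service manager, to keep its RAT and backdoor running as
Windows services. Event ID 7045 ("A service was installed in the system")
records the service name and image path, so a detection can look for a
service whose image path is nssm.exe wrapping another program, or whose
binary lives outside the usual system directories. The records below are
constructed samples in a simplified pipe-delimited form, not real log output.
"""
from dataclasses import dataclass, field

# Constructed 7045-style records: event id | service name | image path | account
SAMPLE_7045 = [
    "7045|Print Spooler Helper|C:\\Windows\\System32\\spoolsv.exe|LocalSystem",
    "7045|imjpuexa|C:\\Users\\Public\\nssm.exe imjpuexa|LocalSystem",
    "7045|wehsvc|C:\\ProgramData\\wehsvc.exe -service|LocalSystem",
    '7045|Backup Agent|"C:\\Program Files\\Vendor\\agent.exe" --quiet|LocalSystem',
    "7036|imjpuexa|entered the running state|-",   # different event id, ignored
]

# Directories where a legitimate service binary normally lives (lower-cased).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Finding:
    service: str
    image_path: str
    reasons: list = field(default_factory=list)


def parse_record(line):
    """Split one constructed record into (event_id, service, image_path, account)."""
    event_id, service, image_path, account = line.split("|", 3)
    return int(event_id), service, image_path, account


def service_binary(image_path):
    """Return the executable the Service Control Manager will actually launch.

    Image paths containing spaces are normally quoted; otherwise the first
    whitespace-delimited token is the binary and the rest are arguments.
    """
    path = image_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        return (path[1:end] if end > 0 else path[1:]).lower()
    return path.split(None, 1)[0].lower()


def assess_service(image_path):
    """Return the list of reasons a service install looks suspicious (empty if none)."""
    reasons = []
    binary = service_binary(image_path)
    if binary.endswith("nssm.exe"):
        # NSSM itself is benign; a service registered through it is worth a look
        # because the real program is hidden in the arguments.
        reasons.append("service wraps another program via nssm.exe")
    if not binary.startswith(TRUSTED_DIRS):
        reasons.append("service binary outside Windows/Program Files")
    return reasons


def find_suspicious_services(lines):
    """Scan records and return a Finding for every 7045 event that trips a rule."""
    findings = []
    for line in lines:
        event_id, service, image_path, _account = parse_record(line)
        if event_id != 7045:
            continue
        reasons = assess_service(image_path)
        if reasons:
            findings.append(Finding(service, image_path, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_services(SAMPLE_7045):
        print(f"{f.service}: {'; '.join(f.reasons)}")
```

The nssm.exe rule is deliberately narrow: NSSM is a legitimate administration tool, so the alert is a prompt to inspect the wrapped program and the account that installed the service, not a verdict on its own.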

So far, all of the incidents that researchers uncovered have been stopped: “the investigation in both countries was stopped before concluding when or if the cyberattack had stopped,” Arsene said. “It’s likely that… local authorities were notified and decided to continue the investigation locally.”


Researchers linked these campaigns with Chafer because some of the tools used bear similarities to the tools used in previously-documented Chafer APT attacks. The C2 domains in these attacks have been previously associated with the same cybercriminal group, Arsene told Threatpost.

It’s only the latest campaign for the Chafer APT. Last year, the Iran-linked APT was spotted targeting various entities based in Iran with an enhanced version of a custom malware that takes an unusual approach to communication by using the Microsoft Background Intelligent Transfer Service (BITS) mechanism over HTTP. Another campaign in February, launched by two Iran-backed APTs who were possibly working together to compromise high-value organizations from the IT, telecom, oil and gas, aviation, government and security sectors in Israel, was loosely linked to the Chafer APT after researchers noted an overlap in approaches.

That said, cyber-espionage campaigns have spiraled downwards overall over the past year, according to the recent 2020 Verizon Data Breach Investigations Report (DBIR), dropping from making up 13.5 percent of breaches in 2018 to a mere 3.2 percent of data breaches in 2019.

Crooks Tap Google Firebase in Fresh Phishing Tactic

Cybercriminals are taking advantage of the Google name and the cloud to convince victims into handing over their login details.

A series of phishing campaigns using Google Firebase storage URLs have surfaced, showing that cybercriminals continue to leverage the reputation of Google’s cloud infrastructure to dupe victims and skate by secure email gateways.

Google Firebase is a mobile and web application development platform. Firebase Storage meanwhile provides secure file uploads and downloads for Firebase apps. Using the Firebase storage API, companies can store data in a Google cloud storage bucket.

The phishing effort starts with spam emails that encourage recipients to click on a Firebase link inside the email in order to visit promised content, according to Trustwave researcher Fahim Abbasi, writing in an analysis released Thursday. If the targets click on the link, they’re taken to a supposed login page (mainly for Office 365, Outlook or banking apps) and prompted to enter their credentials – which of course are sent directly to the cybercriminals.
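Because the link's domain belongs to Google, a reputation check on the URL alone passes; a filter has to look instead at what the link serves and at the lure around it. The following is an added example written for this article, not Trustwave's tooling. It assumes the documented public download form of Firebase Storage objects (host firebasestorage.googleapis.com, path /v0/b/<bucket>/o/<object>); the bucket and object names and the messages are constructed samples.

```python
"""Score e-mails whose links point at HTML objects hosted in Firebase Storage.

Added example, not Trustwave's tooling. A domain-reputation check passes for
these links because the host belongs to Google, so the filter below looks at
what the link serves (an HTML page, rather than a document or image) and at
the credential-themed lure wording around it. Firebase Storage serves public
downloads from firebasestorage.googleapis.com under /v0/b/<bucket>/o/<object>;
the bucket and object names and the messages are constructed samples.
"""
import re
from urllib.parse import urlparse, unquote

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
FIREBASE_HOST = "firebasestorage.googleapis.com"
# Lure themes listed in the article, lower-cased for matching.
LURE_TERMS = ("invoice", "verify your account", "password",
              "upgrade your mailbox", "pending messages", "account error")

# Constructed sample messages: (subject, body).
SAMPLES = [
    ("Payment invoice #4821",
     "Please review the vendor payment form: "
     "https://firebasestorage.googleapis.com/v0/b/example-app.appspot.com/o/invoice%2Fpayment.html?alt=media&token=abc"),
    ("Your mailbox is full",
     "Upgrade your mailbox to release pending messages: "
     "https://firebasestorage.googleapis.com/v0/b/example-app.appspot.com/o/office.htm?alt=media"),
    ("Q2 brochure",
     "The new brochure is here: "
     "https://firebasestorage.googleapis.com/v0/b/example-app.appspot.com/o/brochure.pdf?alt=media"),
    ("Lunch",
     "Menu at https://example.org/menu"),
]


def firebase_object(url):
    """Return the decoded object name if url is a Firebase Storage download, else None."""
    parts = urlparse(url)
    if parts.hostname != FIREBASE_HOST:
        return None
    m = re.match(r"^/v0/b/[^/]+/o/(.+)$", parts.path)
    # Object names are percent-encoded in the path ("%2F" for a folder separator).
    return unquote(m.group(1)) if m else None


def score_message(subject, body):
    """Return (score, reasons); one point for an HTML object, one for lure wording."""
    reasons = []
    text = (subject + " " + body).lower()
    html_objects = []
    for url in URL_RE.findall(body):
        obj = firebase_object(url)
        if obj is not None and obj.lower().endswith((".html", ".htm")):
            html_objects.append(obj)
    if html_objects:
        reasons.append("Firebase Storage link serves an HTML page: " + ", ".join(html_objects))
    hits = [term for term in LURE_TERMS if term in text]
    if hits:
        reasons.append("credential-themed lure: " + ", ".join(hits))
    score = (1 if html_objects else 0) + (1 if hits else 0)
    return score, reasons


def hold_for_review(messages, threshold=2):
    """Subjects of messages that reach the threshold and should be quarantined for review."""
    return [subject for subject, body in messages
            if score_message(subject, body)[0] >= threshold]


if __name__ == "__main__":
    for subject, body in SAMPLES:
        score, reasons = score_message(subject, body)
        print(f"{score} {subject}: {reasons}")
```

The brochure message shows why the host alone is a poor signal: a PDF shared from the same bucket scores zero, while a login-themed HTML object combined with invoice or mailbox wording reaches the hold threshold.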

“Credential phishing is a real threat targeting corporates globally,” noted Abbasi. “Threat actors are finding smart and innovative ways to lure victims to covertly harvest their corporate credentials. Threat actors then use these credentials to get a foothold into an organization to further their malicious agendas.”

In this case, that “innovative way” is using the Firebase link.

“Since it’s using Google Cloud Storage, credential-capturing webpages hosted on the service are more likely to make it through security protections like Secure Email Gateways due to the reputation of Google and the large base of valid users,” Karl Sigler, senior threat intelligence manager, Spiderlabs at Trustwave, told Threatpost. “The use of cloud infrastructure is rising among cybercriminals in order to capitalize on the reputation and valid uses of those services. They tend to not be immediately flagged by security controls just due to the URL.”

The campaigns were circulating globally, across a range of industries, but the majority of the “hits” have been in Europe and Australia, Sigler said.

“Most of the emails we saw were from late March through the middle of April, but we’ve seen samples as a part of this campaign as far back as February and as recently as mid-May,” he added. “While these tactics of piggy-backing on valid cloud services likely go back to the days those services were invented, this is a current and active trend.”

Major themes for the lures include payment invoices, exhortations to upgrade email accounts, prompts to release pending messages, urging recipients to verify accounts, warnings of account errors, change-password emails and more. In one case, “scammers used the Covid-19 pandemic and internet banking as an excuse to lure the victims into clicking on the fake vendor payment form that leads to the phishing page hosted on Firebase Storage,” according to the analysis.

An example of a phishing email using Firebase.

Overall, the phishing messages are convincing, according to Trustwave, with only subtle imperfections that might tip off potential victims that there’s something wrong, such as a few poor graphics.

“Cybercriminals are constantly evolving their techniques and tools to covertly deliver their messages to unwitting victims,” Abbasi said. “In this campaign, threat actors leverage the reputation and service of the Google Cloud infrastructure to conduct phishing by embedding Google firebase storage URLs in phishing emails.”

Using Google to lend an air of legitimacy is an ongoing trend. Earlier this year, an attack surfaced that uses homographic characters to impersonate Google domain names and launch convincing but malicious websites. And last August, a targeted spearphishing campaign hit an organization in the energy sector – after using Google Drive to get around the company’s Microsoft email security stack. The campaign impersonated the CEO of the targeted company, sending email via Google Drive purporting to be “sharing an important message” with the recipients.

“Again, because of the valid uses and large user base of these services, many of these phishing emails can slip through the cracks of the security controls we put in place,” Sigler added. “Educating users about these tactics helps provide defense-in-depth against these techniques when they hit a victim’s inbox.”

Adobe Patches Critical RCE Flaw in Character Animator App

A critical remote code execution flaw in Adobe Character Animator was fixed in an out-of-band Tuesday patch.

Adobe has issued an out-of-band patch for a critical flaw in Adobe Character Animator, its application for creating live motion-capture animation videos. The flaw can be exploited by a remote attacker to execute code on affected systems.

The flaw (CVE-2020-9586) is found in versions 3.2 and earlier and exists within the parsing of the BoundingBox element in PostScript. Specifically, it stems from a stack-based buffer overflow: the parser lacks proper validation of the length of user-supplied data before copying it to a stack-based buffer.

“Of the bugs fixed today, CVE-2020-9586 stands out as it could [lead to] code execution if a user opens a malicious file or visits a malicious web page,” Dustin Childs, manager at Trend Micro’s Zero Day Initiative, told Threatpost. “An attacker can leverage this vulnerability to execute code in the context of the current process.”

Users are urged to update to version 3.3 for Windows and macOS. While the flaw is critical, the security bulletin is a Priority 3 update, which according to Adobe resolves vulnerabilities in a product that has historically not been a target for attackers. “Adobe recommends administrators install the update at their discretion,” according to the update.

Adobe on Tuesday also issued several updates addressing other flaws. While these other vulnerabilities are “important” in severity, they would all need to be combined with additional bugs to gain code execution, Childs told Threatpost.

One such flaw exists in Adobe Premiere Rush, its video editing software for online video creators. The software has an out-of-bounds read vulnerability (CVE-2020-9617) that could lead to information disclosure. Users are urged to update to Adobe Premiere Rush version 1.5.12 for Windows and macOS.

Another “important”-severity flaw exists in Adobe Premiere Pro, another version of Adobe’s video editing software that is more advanced than Adobe Premiere Rush (which is instead more targeted toward YouTubers and social media creators). Like Premiere Rush, Premiere Pro has an out-of-bounds read flaw (CVE-2020-9616) that could lead to information disclosure. Users can update to version 14.2 for Windows and macOS.

Finally, Adobe stomped out a flaw in Audition, which is its toolset offering for creating and editing audio content. The out-of-bounds read flaw (CVE-2020-9618) can enable information disclosure if exploited. A patch is available in Audition 13.0.6 for Windows and macOS.

For all of these flaws, “Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates,” according to the alert. Mat Powell with ZDI was credited with discovering these flaws.

The unscheduled patches come a week after Adobe’s regularly-scheduled updates, which fixed 16 critical flaws across its Acrobat and Reader applications and its Adobe Digital Negative (DNG) Software Development Kit – and addressed 36 CVEs overall.

Verizon Data Breach Report: DoS Skyrockets, Espionage Dips

Denial of Service (DoS), ransomware, and financially-motivated data breaches were the winners in this year’s Verizon DBIR.

Denial-of-service (DoS) attacks have spiked over the past year, while cyber-espionage campaigns have spiraled downwards. That’s according to Verizon’s 2020 Data Breach Investigations Report (DBIR) released Tuesday, which analyzed 32,002 security incidents and 3,950 data breaches across 16 industry verticals.

Notably, this year DoS attacks increased in number (13,000 incidents) and were also seen as a bigger part of cybercriminals’ toolboxes (DoS attacks made up 40 percent of security incidents reported), beating out crimeware and web applications. While DoS attacks use differing tactics, they most commonly involve sending junk network traffic to overwhelm and crash systems. It doesn’t help that cybercriminals have been creating new and dangerous botnets to launch DoS attacks, like Kaiji or Mirai variants, over the past few years.

“While the amount of this traffic is increasing as mentioned, in DDoS, we don’t just look at the number of attacks that are conducted,” said researchers. “We also look at the bits per second (BPS), which tells us the size of the attack, and the packets per second (PPS), which tells us the throughway of the attack. What we found is that, regardless of the service used to send the attacks, the packet-to-bit ratio stays within a relatively tight band and the PPS hasn’t changed that much over time, sitting at 570 Mbps for the most common mode.”

Cyber espionage attacks meanwhile have seen a downward spiral, dropping from making up 13.5 percent of breaches in 2018 to a mere 3.2 percent of data breaches in 2019. That may come as a surprise given that espionage campaigns were actually on the rise in the 2019 Verizon DBIR. In addition, a slew of cyber espionage campaigns (such as ones targeting the WHO, several governments in the Asia-Pacific region and more) were unearthed over the past year – but researchers say under-reporting may be a factor in the dipping statistics.

“The drop in raw numbers could be due to either under-reporting or failure to detect these attacks, but the increase in volume of the other patterns is very much responsible for the reduction in percentage,” said researchers.

In fact, financially motivated breaches not only continue to be more common than espionage campaigns by a wide margin (making up 86 percent of all breaches), but have also increased over the past year, they said.

Breach Origins

When it comes to data breaches, almost half (45 percent) stemmed from actual hacks, while 22 percent used social attacks. Twenty-two percent of breaches involved malware and 17 percent were caused by errors. And 8 percent of breaches stemmed from misuse by authorized users.


In fact, internal actors were only behind 30 percent of breaches, with the majority (70 percent) actually coming from external actors. While researchers said that incidents stemming from “insider actors” have grown over the past few years, that’s likely due to increased reporting of internal errors rather than evidence of actual malice from these actors.

“External attackers are considerably more common in our data than are internal attackers, and always have been,” said researchers. “This is actually an intuitive finding, as regardless of how many people there may be in a given organization, there are always more people outside it. Nevertheless, it is a widely held opinion that insiders are the biggest threat to an organization’s security, but one that we believe to be erroneous.”

Malware Down

Malware has been on a consistent and steady decline as a percentage of breaches over the last five years, researchers said, due in part to the increasing level of access by cybercriminals to credentials.

“We think that other attack types such as hacking and social breaches benefit from the theft of credentials, which makes it no longer necessary to add malware in order to maintain persistence,” said researchers.


Accordingly, the list of top malware “varieties” seen in data breaches was headed by password dumpers (which are used to collect credentials), followed by malware that captures application data, and ransomware.

Ransomware attacks continued to grow over the past year and have created high-profile headlines and headaches for companies such as Norsk Hydro. Ransomware is the third most common “malware breach” variety and the second most common “malware incident” variety. Part of this continued growth can be explained by the ease with which attackers can kick off a ransomware attack, researchers stressed.

“In 7 percent of the ransomware threads found in criminal forums and market places, ‘service’ was mentioned, suggesting that attackers don’t even need to be able to do the work themselves,” said researchers. “They can simply rent the service, kick back, watch cat videos and wait for the loot to roll in.”

Vertical-Specific Findings

The Verizon DBIR also broke down data breaches by vertical to show that cybercriminals are drastically changing how they target industries. For instance, Point of Sale (PoS)-related attacks once dominated breaches in the accommodation and food services industry; however, they have been replaced by malware attacks and web application attacks.


“Instead, responsibility is spread relatively evenly among several different action types such as malware, error and hacking via stolen credentials,” said researchers. “Financially motivated attackers continue to target this industry for the payment card data it holds.”

The educational services industry saw phishing attacks trigger 28 percent of breaches, and 23 percent of breaches stem from hacking via stolen credentials. Ransomware is a top threat for the education space, with ransomware accounting for approximately 80 percent of malware infections in the incident data.

Ransomware attacks, triggered by financial motivations, also plagued the healthcare industry. Other top security issues leading to breaches include lost and stolen assets and basic human error. However, privilege misuse, which has topped data breach causes for healthcare in the past, for the first time this year wasn’t an issue in the “top three”. In the 2019 report, privilege misuse accounted for 23 percent of attacks, while in 2020 it dropped to just 8.7 percent.

Despite that, “This year, we saw a substantial increase in the number of breaches and incidents reported in our overall dataset, and that rise is reflected within the Healthcare vertical,” said researchers. “In fact, the number of confirmed data breaches in this sector came in at 521 versus the 304 in last year’s report.”

Finally, financial and insurance industries were plagued by phishing attacks and web applications attacks that leverage the use of stolen credentials. The attacks in this sector are perpetrated by external actors who are financially motivated to get easily monetized data (63 percent), internal financially motivated actors (18 percent) and internal actors committing errors (9 percent).

The Positives

Breach timelines continue to show promising results. The number of companies discovering incidents in days or less is up, while containment in that same timeframe surpassed its historic 2017 peak.


Researchers also warned to keep in mind that the positive incident-response numbers are likely due to the inclusion of more breaches detected by managed security service providers (MSSPs) in the report’s sampling. Also, for a quarter of the companies dealing with data breaches, it still took months or more.

“All in all, we do like to think that there has been an improvement in detection and response over the past year,” said researchers.

Hoaxcalls Botnet Exploits Symantec Secure Web Gateways

The fast-moving botnet has added an exploit for an unpatched bug in an unsupported version of the security gateway.

Cyberattackers are targeting a post-authentication remote code-execution vulnerability in Symantec Secure Web Gateways as part of new Mirai and Hoaxcalls botnet attacks.

Hoaxcalls first emerged in late March, as a variant of the Gafgyt/Bashlite family; it’s named after the domain used to host its malware. Two new Hoaxcalls samples showed up on the scene in April, incorporating new commands from its command-and-control (C2) server. These included the ability to proxy traffic, download updates, maintain persistence across device restarts, prevent reboots and launch a larger number of distributed denial-of-service (DDoS) attacks.

It also incorporated a new exploit for infiltrating devices – an unpatched vulnerability impacting the ZyXEL Cloud CNM SecuManager that was disclosed in March. Now, researchers at Palo Alto Networks’ Unit 42 division have observed that same version of the botnet exploiting a second unpatched bug, this time in Symantec Secure Web Gateway, a product that became end-of-life (EOL) in 2015 and end-of-support-life (EOSL) in 2019.

The Symantec bug was disclosed in March. Since it affects older versions of the gateway, it will remain unpatched.

“On April 24, I observed samples of the same botnet incorporating an exploit targeting the EOL’d Symantec Secure Web Gateway v5.0.2.8, with an HTTP request in the format: POST /spywall/timeConfig.php HTTP/1.1,” said Unit 42 researcher Ruchna Nigam, in a Thursday post. “Some samples reach out to a URL for a public file upload service (plexle[.]us) where the post-exploitation payload is hosted. The URL contacted for the update serves a shell script that downloads and executes binaries from attacker-controlled URLs.”

Meanwhile, Nigam also saw a Mirai variant campaign in May spreading using that same vulnerability; oddly, the malware itself lacks any DDoS capabilities, according to the researcher. As such, the binary seems to be a first-stage loader.

“Samples of this campaign surfaced early May, built on the Mirai source code, and are packed with a modified version of UPX by using a different 4-byte key with the UPX algorithm,” according to Nigam. “Another deviation from the Mirai source-code is the use of all of ten 8-byte keys that are cumulatively used for a byte-wise string encryption scheme.”

The vulnerability as mentioned is a post-authentication bug, meaning that the exploit is only effective for authenticated sessions. It’s also no longer present in the latest version of the Symantec Web Gateway, version 5.2.8, so updated devices are protected.
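Because the request the botnet sends is quoted in the post (POST /spywall/timeConfig.php HTTP/1.1), the cheapest retrospective check for anyone still operating one of these end-of-life gateways is a search of its web access logs for that method and path. The following is an added example written for this article, not Unit 42's code; it assumes the gateway writes Apache/NCSA combined-format access logs, and the log lines and client addresses are constructed samples.

```python
"""Find requests matching the quoted Hoaxcalls exploit pattern in access logs.

Added example, not Unit 42's code. The post quotes the request the botnet
sends against the end-of-life Symantec Secure Web Gateway,
"POST /spywall/timeConfig.php HTTP/1.1", so an access-log search for that
method and path is a cheap retrospective check. The log lines below are
constructed in Apache/NCSA combined format with documentation IP addresses;
whether the real appliance logs in exactly this format is an assumption.
"""
import re
from collections import defaultdict

COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# (method, path) pairs worth alerting on. Only the pattern quoted in the post is
# listed; an operator would extend this table from their own advisories.
WATCHED_REQUESTS = {
    ("POST", "/spywall/timeConfig.php"): "Hoaxcalls/Mirai exploit attempt",
}

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '198.51.100.7 - admin [24/Apr/2020:10:02:11 +0000] "GET /spywall/index.php HTTP/1.1" 200 5120',
    '203.0.113.45 - - [24/Apr/2020:10:03:40 +0000] "POST /spywall/timeConfig.php HTTP/1.1" 200 312',
    '203.0.113.45 - - [24/Apr/2020:10:03:41 +0000] "POST /spywall/timeConfig.php HTTP/1.1" 200 312',
    '198.51.100.7 - admin [24/Apr/2020:10:05:00 +0000] "GET /spywall/timeConfig.php HTTP/1.1" 200 2048',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_exploit_attempts(lines):
    """Return {client: [(time, user, status, label), ...]} for watched requests.

    The query string is stripped before matching so that
    "/spywall/timeConfig.php?x=1" still matches the watched path. The status
    column matters for triage: the bug is post-authentication, so a 200 from a
    client that never logged in deserves the most attention.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["method"], rec["path"].split("?", 1)[0])
        label = WATCHED_REQUESTS.get(key)
        if label is not None:
            hits[rec["client"]].append((rec["time"], rec["user"], int(rec["status"]), label))
    return dict(hits)


if __name__ == "__main__":
    for client, events in find_exploit_attempts(SAMPLE_LOG).items():
        print(f"{client}: {len(events)} hit(s), first at {events[0][0]}")
```

An ordinary administrator viewing the same page with GET does not trip the rule; only the POST form quoted in the post is matched, grouped by client so that a burst from one source stands out.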

Researchers at Radware previously noted that Hoaxcalls operators seem very quick to weaponize newly discovered bugs, like the ZyXEL vulnerability. Unit 42’s Nigam came to a similar conclusion:

“The use of the exploit in the wild surfaced only a few days after the publication of the vulnerability details, highlighting the fact that the authors of this particular botnet have been pretty active in testing the effectiveness of new exploits as and when they are made public,” according to the researcher.

Iowa human rights group latest to endure a racist cyber attack

DES MOINES, Iowa (AP) — A Des Moines commission dedicated to protecting human rights is among the latest to endure racist and sexist messages from cyber attackers.

The Des Moines Civil and Human Rights Commission was forced to cancel a video-conference meeting Thursday night with the Des Moines City Council when the meeting was disrupted by racist, sexist and pornographic messages, officials said.

Commission Chairman Kameron Middlebrooks said the messages were directed at members of the commission.

“What occurred proves hate and ignorance is alive and well,” Middlebrooks said in a written statement. “But I stand steadfast in my resolve to continue to be an agent of change.”

Officials say the meeting will be rescheduled.

Since the coronavirus pandemic this year forced many groups to meet via teleconferencing, there have been reports around the globe of teleconferences and online classrooms being disrupted by hackers displaying hate messages or shouting profanities.

Government cybersecurity commission calls for international cooperation, resilience, and retaliation

(The Conversation is an independent and nonprofit source of news, analysis and commentary from academic experts.)

Benjamin Jensen, American University School of International Service and Chris Inglis, United States Naval Academy

(THE CONVERSATION) The global commons are under assault in cyberspace. Ransomware attacks, including North Korea’s WannaCry and Russia’s NotPetya, have disrupted vital medical services and global transportation systems, costing billions of dollars. Iran and China have engaged in similar actions.

These cyberattacks are carried out by states and nonstate actors that seek to undermine global connectivity for their own interests. But like a pandemic, these attacks affect all of society. The world needs a new approach to combating how nations use cyberspace to advance their interests at the expense of people around the world.

The U.S. Cyberspace Solarium Commission was formed by Congress in 2018 to develop a strategic approach to defending the United States in cyberspace. It provided a road map for establishing cooperation and accountability in cyberspace. The commission consisted of four federal legislators, the deputies of the Department of Homeland Security, Department of Defense, office of the Director of National Intelligence and Department of Justice, and six private-sector experts. One of us, Benjamin Jensen, served as the commission’s senior research director.

The commissioners and staff conducted more than 400 interviews with cybersecurity professionals, researchers and officials in the private sector, academia and foreign governments. The commission’s final report, released in March, lays out a comprehensive plan of action based on a new strategy: layered cyber deterrence.

Layered cyber deterrence

The proposed strategy breaks new ground in two ways. First, it asserts that contrary to conventional wisdom, it is possible to deter cyberattacks. Second, the strategy calls for coordinating activities in three layers to secure cyberspace. This won’t eliminate all bad behavior in cyberspace any more than traditional law enforcement has completely banished crime in the physical world. But it will improve how the U.S. government and the private sector respond to cyberthreats.

The first layer calls for the U.S. government to shape behavior in cyberspace through diplomacy and establishing new norms. Too many states quietly condone hacking to steal, spy and threaten their rivals. These attacks rely on illicit marketplaces for malware. The key is promoting responsible behavior in cyberspace and assigning specific expectations for the roles and responsibilities of governments and the private sector.

The second layer calls for the U.S. government to make cyberattacks less effective by promoting national resilience. This approach requires securing critical networks in collaboration with the private sector. It also requires being able to conclusively identify the perpetrators of malicious actions in cyberspace. And it requires increasing the security of the cyber ecosystem. Actions in this layer include working to create more transparency in cyber insurance markets and ensuring economic continuity in the event of a catastrophic cyber incident.

The third layer calls for the U.S. government to impose proportional costs to malicious actions in cyberspace. This requires the U.S., in collaboration with allies, to maintain the capability and credibility needed to retaliate against nations and organizations that target the U.S. in and through cyberspace. The means to retaliate include legal, financial, diplomatic and cyber powers that, applied in combination, assure compelling and unavoidable consequences for transgressors.

Early action with diverse responses

The U.S. Department of Defense “defend forward” policy, laid out in its 2018 strategy, calls for detecting and responding to threats as early as possible. Early action increases effectiveness and minimizes disruption. The commission report calls for this emphasis on early detection and action to be extended to the use of all government powers. It also calls for collaborating with an international coalition that lends strength and legitimacy when responding to cyber attacks.

The three components of this proposed strategy are defined as layers because they need to be applied in combination rather than as separate remedies. In this manner the strategy brings together a diverse array of private and public capabilities, resources and authorities.

The commission’s report includes 80 recommendations for implementing the strategy. For the recommendations that require changes in law, the commission drafted legislative language to assist Congress. The recommendations set the stage for a series of public hearings and outreach to the public. Implementing the strategy will involve changes in procedure, authority, law and ultimately in the behavior of cyberspace stakeholders.

While the commission has transitioned its role to one of advocacy for the report’s recommendations, the work of transforming perceived costs and benefits in cyberspace lies ahead. It will require the work of governments, the private sector and citizens. If the strategy is implemented successfully, nations that contemplate aggression in cyberspace will get the message: if you want to beat one of us, you’ll have to deal with all of us.


This article is republished from The Conversation under a Creative Commons license.

Anubis Malware Upgrade Logs When Victims Look at Their Screens

Threat actors are cooking up new features for the sophisticated banking trojan that targets Google Android apps and devices.

The Anubis malware, which threat actors use to persistently attack Google’s Android-based smartphones, is set to evolve once again, this time adding a feature that allows the malware to identify if a victim is looking at his or her screen.

The new feature is one of several that haven’t been released in the wild yet but are a part of an updated control panel for the malware that’s currently in development, researchers from security consulting firm Hold Security discovered, according to a report published online.

The panel is a web-based module that explores devices that have already been infiltrated by Anubis, researchers said. Threat actors use it to view and decide from which device they want to steal data as well as which services on devices to target.

The new control panel will add features that provide even more insight so attackers can fully take advantage of a device, Alex Holden, founder and chief information security officer of Hold Security, told Bank Info Security.

One key addition to the malware is a small eyeball icon included in the control panel that can be used to recognize whether a user of a device with Anubis installed is looking at the device or not. The idea is that an attacker won’t perform any nefarious activity on the device while the person is looking at it, he said.

The threat actors behind Anubis also are developing a way to integrate Yandex maps into the malware to show the location of infected devices, according to the report. However, this could be a superfluous addition, as the mobile network to which a device is attached can usually tell a hacker where the phone is located, Holden noted in the report.

Anubis malware has been active since late 2017. The sophisticated malware originally was used for cyber-espionage and later repurposed as a banking trojan.

The most widespread campaign last seen using Anubis was in February, when a new phishing campaign targeting more than 250 Android apps used the trojan to steal user credentials, install a keylogger, and even hold a device’s data for ransom.

Meanwhile, Google historically has struggled mightily to keep malware off Android devices and apps on the Google Play Store. Anubis is one of the most widespread malware families plaguing these apps and devices, mainly targeting financial and banking apps available for the platform.

Last year, researchers discovered two malicious apps, Currency Converter and BatterySaverMobo, that were infecting devices with Anubis to steal user credentials. At the time, researchers noted the trojan had been distributed to 93 different countries, targeting the users of 377 variations of financial apps to farm account details.

Before that, IBM’s X-Force team spotted Anubis in a campaign that used 10 malicious downloaders disguised as various Google Play applications to fetch the mobile banking trojan and run it on Android devices.

CyberPatriot XII Nationals Champions Announced

ARLINGTON, Va., May 5, 2020 /PRNewswire/ — The Air Force Association’s CyberPatriot program announced this week the winners of the twelfth season of its National Youth Cyber Defense Competition.

CyberPatriot XII began in October 2019 with nearly 7,000 registered teams among the Open, All Service, and Middle School divisions of the competition.

An in-person National Finals Competition, originally scheduled for March 20-22, 2020 in Bethesda, Maryland, was cancelled due to COVID-19. The CyberPatriot Program Office quickly adapted the competition from an in-person event to a virtual event, which took place on May 2nd.

CyberPatriot worked with partners at the University of Texas at San Antonio’s Center for Infrastructure Assurance and Security to implement a virtual private network that allowed students to compete from their own homes. Each team competed in both the Network Security Master Challenge and the Cisco NetAcad Challenge.

Results were announced in a live-streamed awards ceremony on May 3rd where the following winners were announced:

CyberAegis Strange Quark II from Del Norte High School (San Diego, CA) won the national championship in the Open Division

TXPatriot Anime for All from the Engineering and Technologies Academy at Roosevelt High School Army JROTC (San Antonio, TX) won the national championship in the All Service Division

CyberAegis Polariton from Design 39 Campus (San Diego, CA) won the national championship in the Middle School Division.

“Although we were sorely disappointed to be unable to host our CyberPatriot National Finals in person, I am thrilled that we were able to offer national finalists an in-home national finals competition. The students competed at the highest levels to determine our national champions,” said Bernie Skoch, AFA’s National Commissioner of CyberPatriot. “The finalists were able to adapt and remain flexible, and I applaud each of them for their hard work throughout the season. We are grateful to our partners at CIAS and to our sponsors for their understanding and flexibility.”

The full list of winning teams for CyberPatriot XII is as follows:

Open Division
National Champion: Team CyberAegis Strange Quark II from Del Norte High School (San Diego, CA)
Runner-Up: Team CyberAegis Charm from Del Norte High School (San Diego, CA)
Third Place: Team Troy Tech Support from Troy High School (Fullerton, CA)

All Service Division
National Champion: Team TXPatriot Anime for All from the Engineering and Technologies Academy at Roosevelt High School Army JROTC (San Antonio, TX)
Runner-Up: Team code%20purple from St. Augustine Composite Squadron Civil Air Patrol (St. Augustine, FL)
Third Place: Team TXPatriot Bears from the Engineering and Technologies Academy at Roosevelt High School Army JROTC (San Antonio, TX)

Middle School Division
National Champion: Team CyberAegis Polariton from Design 39 Campus (San Diego, CA)
Runner-Up: Team CyberAegis Alpha from Oak Valley Middle School (San Diego, CA)
Third Place: Team CyberAegis Electron from Oak Valley Middle School (San Diego, CA)

Team CyberAegis Strange Quark II from Del Norte High School (San Diego, CA)

First place: CyberAegis Strange Quark II from Del Norte High School (San Diego, CA)
Runner-Up: Team Troy Tech Support from Troy High School (Fullerton, CA)
Third Place: CyberAegis Pentaquark from Del Norte High School (San Diego, CA)

First place: Team TXPatriot Anime for All from the Engineering and Technologies Academy at Roosevelt High School Army JROTC (San Antonio, TX)
Runner-Up: Team Subtle Cyber Traits from Troy High School Navy JROTC (Fullerton, CA)
Third Place: Team code%20purple from St. Augustine Composite Squadron Civil Air Patrol (St. Augustine, FL)

Team CyberAegis Polariton from Design 39 Campus (San Diego, CA)

Charissa Kim, Troy High School’s Navy JROTC unit (Fullerton, CA)

This CyberPatriot All-American award is given only to those students who qualify for the National Finals Competition for all four years of their high school careers. Kim is the first female to achieve this honor.

Northrop Grumman awarded $52,000 to the Open and All Service winners of CyberPatriot XII, bringing its total scholarship contribution to more than $500,000 since becoming Presenting Sponsor in 2011. Scholarships are awarded to each member of the first place, runner-up, and third place teams in the Open and All Service divisions.

Cisco Systems awarded $52,000 to Open and All Service winners of the Cisco NetAcad challenge of CyberPatriot XII. Scholarships are awarded to each member of the first place, runner-up, and third place teams in the Cisco NetAcad Challenge in the Open and All Service divisions.

CyberPatriot, the nation’s largest and fastest growing youth cyber education program, is AFA’s flagship STEM program dedicated to strengthening cyber skills among youth. The program features the National Youth Cyber Defense Competition for high school and middle school students, AFA CyberCamps, an Elementary School Cyber Education Initiative, the Cyber Education Literature Series, and CyberGenerations, a program promoting senior citizen cyber awareness.

Supporters of CyberPatriot include the Northrop Grumman Foundation, CyberPatriot’s Presenting Sponsor, as well as Cyber Diamond sponsors AT&T, Boeing, Cisco, the U.S. Department of Homeland Security, and Microsoft; Cyber Gold sponsors Air Force Reserve, BNY Mellon, Facebook, Symantec, and the USAA Foundation; and Cyber Silver sponsors Air Force STEM, American Military University, Capital One, Embry-Riddle Aeronautical University, Leidos, Mastercard, University of Maryland Global Campus, and VMware.

To learn more about CyberPatriot’s programs and initiatives, and to sign up for CyberPatriot XIII, visit

Northrop Grumman and the Northrop Grumman Foundation are dedicated to expanding and enhancing sustainable science, technology, engineering and mathematics (STEM) education opportunities for students globally. In 2018, the organizations contributed nearly $20 million to diverse, STEM-focused organizations and programs. Our partnerships focus on engineering and technology-based initiatives that excite, engage and educate students and provide professional development opportunities for their teachers, with an emphasis on middle school and university level programs. Defending cyber networks, engineering autonomous vehicles and exploring space are some of the capabilities students develop as they experience the excitement of STEM through programs supported by Northrop Grumman and the Northrop Grumman Foundation. Initiatives such as the Northrop Grumman Foundation Teachers Academy provide professional development opportunities for STEM teachers, who inspire students to pursue STEM careers. 

Northrop Grumman is a leading global security company providing innovative systems, products and solutions in autonomous systems, cyber, C4ISR, space, strike, and logistics and modernization to customers worldwide. Please visit and follow us on Twitter, @NGCNews, for more information.

The Air Force Association is a non-profit, independent, professional military and aerospace education association. Our mission is to promote a dominant United States Air Force, a strong national defense, to honor and support Airmen and the Air Force Family, and to remember and respect our Air Force Heritage.

Oracle: Unpatched Versions of WebLogic App Server Under Active Attack

CVE-2020-2883 was patched in Oracle’s April 2020 Critical Patch Update – but proof of concept exploit code was published shortly after.

Oracle is urging customers to fast-track a patch for a critical flaw in its WebLogic Server under active attack. The company said it has received numerous reports that attackers were targeting the vulnerability patched last month.

Oracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications. The server has a remote code execution flaw, CVE-2020-2883, that can be exploited by unauthenticated attackers to take over unpatched systems.

Eric Maurice, director of security assurance, said in a post last week that the flaw was addressed in Oracle’s April 2020 Critical Patch Update, which fixed 405 flaws, including 286 that were remotely exploitable across nearly two dozen product lines.

“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches,” according to Oracle’s security update. “In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.”

Shortly before Oracle’s warning of active exploitation, a researcher using the alias “hktalent” also published proof-of-concept exploit code for the flaw on GitHub last week.

According to Trend Micro’s Zero Day Initiative, the flaw ranks 9.8 out of 10 on the CVSSv3 scale, making it critical severity. Two variants of the flaw were reported. The first variant of the flaw exists within the handling of the T3 protocol, which is used to transport information between WebLogic servers and other types of Java programs. According to ZDI, crafted data in a T3 protocol message can trigger the deserialization of untrusted data – allowing an attacker to execute code in the context of the current process.

The second variant of the flaw exists within the Oracle Coherence library, Oracle’s in-memory data grid and distributed caching solution.

“The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data,” according to ZDI. “An attacker can leverage this vulnerability to execute code in the context of the service account.”
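The pattern ZDI describes, deserialization of untrusted data with no check on which classes the stream may instantiate, and the generic mitigation beside it, as an added example that is not Oracle’s or WebLogic’s code. It assumes Java 9 or later (for java.io.ObjectInputFilter, the JEP 290 serialization filter); StatusMessage and UnexpectedType are hypothetical stand-ins for a service’s expected message type and for an attacker-chosen class.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Added example, not Oracle or WebLogic code: the unsafe "deserialize whatever
 * arrives" pattern beside the JEP 290 allow-list mitigation (Java 9+).
 * StatusMessage and UnexpectedType are hypothetical stand-ins.
 */
public class DeserializationFilterDemo {

    /** Hypothetical message type the service legitimately expects on the wire. */
    public static final class StatusMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String nodeId;
        public final int load;
        public StatusMessage(String nodeId, int load) { this.nodeId = nodeId; this.load = load; }
    }

    /** Hypothetical class the service never expects; stands in for an attacker-chosen type. */
    public static final class UnexpectedType implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    /** Vulnerable pattern: the stream, not the service, decides which classes get instantiated. */
    public static Object readUnfiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();   // any gadget chain runs here, before any cast or check
        }
    }

    /**
     * Hardened pattern: only the expected message type (plus the core java.base types
     * it references, such as String) is allowed; every other class is rejected before
     * it is instantiated. Depth and array limits bound resource use. The pattern syntax
     * is that of java.io.ObjectInputFilter.Config.createFilter.
     */
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1024;"
            + StatusMessage.class.getName() + ";"
            + "java.base/*;!*");

    public static StatusMessage readFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(ALLOW_LIST);   // rejected classes raise InvalidClassException
            return (StatusMessage) in.readObject();
        }
    }

    /** Helper that builds the constructed sample byte streams used below. */
    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(value);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new StatusMessage("node-7", 42));
        byte[] unexpected = serialize(new UnexpectedType());

        // Unfiltered: the unexpected class is instantiated without complaint.
        System.out.println("unfiltered: " + readUnfiltered(unexpected).getClass().getSimpleName());

        // Filtered: the expected message passes ...
        System.out.println("filtered, expected: nodeId=" + readFiltered(expected).nodeId);

        // ... and the unexpected class is rejected before it is instantiated.
        try {
            readFiltered(unexpected);
            System.out.println("filtered, unexpected: NOT rejected (filter misconfigured)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo`. Two design points: the allow list should name only the types a service genuinely expects (the `java.base/*` entry is a convenience for the String field here, and a production filter would be narrower still), and the filter must be tested against legitimate traffic before deployment, because a rejected class that real clients send is an outage. For a product whose code you do not control, such as a WebLogic deployment, the vendor patch is the fix; a process-wide filter set with the `jdk.serialFilter` system property is at most a compensating control while the patch is rolled out.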

Affected versions of WebLogic Server include versions,, and

Oracle did not disclose further details about how many were targeted or the attackers behind the hacks.

Oracle WebLogic servers continue to be hard hit with exploits. In May 2019, researchers warned that malicious activity exploiting a recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) was surging – including to spread the “Sodinokibi” ransomware. In June 2019, Oracle said that a critical remote code execution flaw in its WebLogic Server (CVE-2019-2729) was being actively exploited in the wild.