
A weekly roundup of news, trends and insights designed exclusively for security professionals. This publication is intended for security staff only.


In this issue — January 13, 2021

  • FBI warns of plans for nationwide armed protests next week
  • At Least 25 Under Terrorism Investigation in Connection with Capitol Riot
  • Disgruntled Former VP Hacks Company, Disrupts PPE Supply, Gets Jail
  • Capitol Hill Riot Exposes Congress's Operational, Cybersecurity Frailties
  • Even Small Nations Have Jumped into the Cyberespionage Game
  • Russian Hacker Sentenced to 12 Years for Role in Breaches of JP Morgan
  • DOJ, Federal Court System Hit by Russian Hack
  • Trump Orders Ban on Chinese Software Apps, Citing Potential Espionage
  • Threat Sent to Air Traffic Controllers Vowed Revenge for Killing of Iranian General
  • Agencies Jointly Blame Russia for SolarWinds Hack

FBI warns of plans for nationwide armed protests next week (AP, 1/11/20)

The FBI is warning of plans for armed protests at all 50 state capitals and in Washington, D.C., in the days leading up to President-elect Joe Biden’s inauguration, stoking fears of more bloodshed after last week’s deadly siege at the U.S. Capitol. An internal FBI bulletin warned, as of Sunday, that the nationwide protests may start later this week and extend through Biden’s Jan. 20 inauguration, according to two law enforcement officials who read details of the memo to The Associated Press. Investigators believe some of the people are members of extremist groups, the officials said.

“Armed protests are being planned at all 50 state capitols from 16 January through at least 20 January, and at the U.S. Capitol from 17 January through 20 January,” the bulletin said, according to one official. The officials were not authorized to speak publicly and spoke to the AP on condition of anonymity. Army Gen. Daniel Hokanson, chief of the National Guard Bureau, told reporters Monday that the Guard is also looking at any issues across the country.


At Least 25 Under Terrorism Investigation in Connection with Capitol Riot (USA Today, 1/11/21)

At least 25 people are under investigation on terrorism charges related to last week’s siege at the Capitol, according to a Defense official and a member of Congress.  Rep. Jason Crow, a Democrat of Colorado and a former Army Ranger, said he spoke with Army Secretary Ryan McCarthy on Sunday and was told that "at least 25 domestic terrorism cases have been opened as a result of the assault on the Capitol."

A defense official who was informed about the call initially confirmed that the cases involved troops but later corrected that statement.  The official said some troops – active and reserve duty – may have been involved in the riot, and the military will investigate them as necessary.  "There is concern that military members may have been involved in the riot," the official said.  Those under investigation are suspected of taking part in the insurrection that shut down Congress as it formalized President-elect Joe Biden's Electoral College victory.


Disgruntled Former VP Hacks Company, Disrupts PPE Supply, Gets Jail (ZDNet, 1/7/21)

A former vice president of a company in Georgia has been sent behind bars for sabotaging systems and causing delays in the shipment of Personal Protective Equipment (PPE).  Christopher Dobbins once worked for Stradis Healthcare, a medical equipment packaging company that facilitates the delivery of PPE, supplies, and surgical kits.  After being fired in March 2020, with final paycheck in hand, the 41-year-old accessed a secret, fake staff account he had created while still in Stradis' employ.

The ex-employee, described as "disgruntled" by the FBI, was then able to maintain secret access to the company's systems, despite his legitimate account being revoked.  Dobbins set about disrupting Stradis' electronic records by creating a secondary user account and both editing over 115,000 records and deleting over 2,300 entries.  The FBI said the intrusion "disrupted the company's shipping processes, causing delays in the delivery of much-needed PPEs to healthcare providers" who are trying to cope with the pandemic.

******************************************************************************************

What’s the Number One Cause of Security Breaches and Insider Threats?

It can blow through any firewall, defeat expensive technology controls, expose sensitive data, cause laptops and mobile devices to go missing, and leak corporate or national security secrets.  What, you ask, is it?  Employee negligence — the single most common cause of damaging insider threats. If there's a common thread the experts all agree on, it’s that poor training and unaware employees lie at the root of many if not most employee security breaches.

So, how do you make sure that your company's information assets are protected? The first line of defense is employee awareness – the critical "humanware" component of your data security armor. NSI’s SECURITYsense awareness program gives your employees the tools and information they need to make security second nature.  Don’t put your organization at risk.  Get SECURITYsense and build awareness quickly and affordably. Click here https://www.nsi.org/securitysense/what-is-securitysense.shtml for more information.

******************************************************************************************

Capitol Hill Riot Exposes Congress's Operational, Cybersecurity Frailties (Cyber Scoop, 1/7/21)

The violent pro-Trump mob that stormed the Capitol last week exposed not only glaring weaknesses in the legislative body’s physical security but also its digital and operational security, according to experts.  The intruders were able to roam the halls of Congress and at certain points had unfettered access to some lawmakers’ offices and computers.  One rioter left a note in front of a computer in House Speaker Nancy Pelosi’s office saying, “We will not back down.”  Sen. Jeff Merkley, D-Ore., said a laptop was stolen from his office.

There is no public evidence that devices were tampered with.  But some experts are hoping that, in addition to a likely investigation into the failures of physical security measures, lawmakers take the opportunity to review their own digital security practices, which have long been a concern.  The insurrectionists who breached the Capitol were unsophisticated opportunists who were more interested in taking selfies than infiltrating computer networks.  But someone with better resources and planning, and different motivations, could have planted malicious code on computers or left other surveillance tools behind.


Even Small Nations Have Jumped into the Cyberespionage Game (Dark Reading, 1/7/21)

While the media tends to focus on the Big 5 nation-state cyber powers, commercial spyware has given smaller countries sophisticated capabilities, as demonstrated by a "zero-click" iMessage exploit that targeted journalists last year.  Driven by the accessibility of commercial spyware and surveillance tools, sophisticated attacks using a variety of zero-click exploits — attacks that don't require user interaction — are increasingly within the reach of smaller nations, according to The Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs and Public Policy at University of Toronto.

In an analysis, the group detailed how nations of the Gulf Cooperation Council in the Middle East used the commercial Pegasus spyware sold by the NSO Group to hack three dozen phones and spy on journalists and news producers.  The attacks used a "zero-click" iMessage exploit that uses a specially crafted message to download and execute code on the victim's phone.


Russian Hacker Sentenced to 12 Years for Role in Breaches of JP Morgan, Others (Secretservice.gov, 1/7/20) 

Russian national Andrei Tyurin will serve 12 years in prison for his role in a global hacking campaign that pilfered personal information from more than 80 million JP Morgan Chase customers in the largest-ever breach of a financial institution in the US.

Tyurin from 2012 to 2015 hacked multiple financial institutions, brokerages, and financial news publications, including JP Morgan, E*Trade, Scottrade, and The Wall Street Journal, stealing personal data of more than 100 million customers of those organizations — all from his home in Moscow. He worked with co-conspirators including Gery Shalon, who together also perpetrated securities fraud and other nefarious activity. According to the US Secret Service, Tyurin made some $19 million from his crimes. He was extradited from the nation of Georgia in September 2018 and has been in US custody since then.


DOJ, Federal Court System Hit by Russian Hack (AP, 1/6/21)

The DOJ and the federal court system disclosed last week they were among the dozens of U.S. government agencies and private businesses compromised by a massive, months-long cyberespionage campaign linked to elite Russian hackers.  The extent of the damage was unclear.  The department said that 3% of its Microsoft Office 365 email accounts were potentially affected, but did not say to whom those accounts belonged.  There are no indications that classified systems were affected, the agency said.

Office 365 isn’t just email but a collaborative computing environment, which means that shared documents were also surely accessed, said Dmitri Alperovitch, former chief technical officer of the cybersecurity firm CrowdStrike.  Separately, the Administrative Office of U.S. Courts informed federal judicial bodies across the nation that the courts’ nationwide case management system was breached.  That potentially gave the hackers access to sealed court documents, whose contents are highly sensitive.


Trump Orders Ban on Chinese Software Apps, Citing Potential Espionage (NPR, 1/6/21)

President Trump has signed an executive order banning business with several leading Chinese technology companies, claiming apps run by the companies have the ability to spy on Americans, including federal employees.  The order seeks to prohibit transactions with eight companies including Alipay, owned by Chinese billionaire Jack Ma; the payment platform on the popular app WeChat; and a Chinese messaging service called QQ owned by the Chinese tech giant Tencent.

Other software apps included in the order are CamScanner, QQ Wallet, SHAREit, VMate and WPS Office.  It's the latest push by the administration to clamp down on ascendant Chinese technology companies over fears that authorities in China could use the apps to spy on Americans.  In the order, the president suggested such software poses "an unacceptable risk to the national security, foreign policy, and economy of the United States."


Threat Sent to Air Traffic Controllers Vowed Revenge for Killing of Iranian General (CBS News, 1/6/21)

Multiple air traffic controllers in New York heard a chilling threat last week: “We are flying a plane into the Capitol on Wednesday.  Soleimani will be avenged."  The threat refers to Qassem Soleimani, the Iranian general killed last year in a U.S. drone strike ordered by President Trump.  It was made on the one-year anniversary of Soleimani's death, for which Iranian officials have long vowed revenge.

It's unclear who sent the threat.  While the government does not believe the warning of an attack is credible, it is being investigated as a breach of aviation frequencies.  Sources said the Pentagon and other agencies were briefed about the digitized voice recording.  The sources said they believe the threat was designed to suggest hitting the Capitol on the same day Congress counted the Electoral College results.


Agencies Jointly Blame Russia for SolarWinds Hack (CNet, 1/5/21)

Key government intelligence agencies said last week that the SolarWinds hack is "likely Russian in origin," according to a joint statement from the FBI, NSA, CISA, and ODNI.  It's the first time the four agencies have attributed the cyberattack to Russia.  "This work indicates that an Advanced Persistent Threat actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks," the statement said.  "At this time, we believe this was, and continues to be, an intelligence gathering effort."

The hack started in March 2020 at the latest, when hackers compromised IT management software from Austin, Texas-based SolarWinds, which has thousands of customers in the public and private sectors.  The hackers placed malicious code into a legitimate update to a widely used SolarWinds software product, and around 18,000 of the company's customers installed the tainted update.


Keep Getting This Newsletter

To ensure delivery to your inbox (not bulk or junk folders), please add NSI@nsi.org to your address book.

SUBSCRIBE: If you were sent this by a colleague and wish to subscribe to NSI's complementary Security NewsWatch e-newsletter, visit http://nsi.org/newsletter.html.

Please feel free to share this e-mail with your colleagues and encourage them to sign up to get their own copy at http://nsi.org/newsletter.html

ADVERTISERS: For information about sponsoring this e-letter, contact sburns@nsi.org or call
508-533-9099.

National Security Institute
165 Main Street, Suite 215
Medway, MA 02053
Tel: 508-533-9099
Fax: 508-507-3631
Internet: http://nsi.org


*****************************

Help Your Employees Become Cyber Aware

Experts agree, well intentioned but careless employees pose just as much of a danger to your organization as faceless hackers on the outside. In fact, 95 percent of successful hack attacks or incidents are attributed to human error.
Learn how to mitigate the accidental insider threat and empower your employees to think securely with these valuable lessons:

  1. How to recognize and respond to social engineering attacks
  2. How to avoid spear-phishing and email scams
  3. How to avoid becoming an easy target for hackers
  4. How to prevent human errors that cause security breaches
  5. How to protect sensitive data from hackers, spies and ID thieves
