Friday, February 6, 2015

Department of Labor Website Launched Cyber Attack on Visitors

I have to admit, every so often I hear about something the government did which surprises even me.  I was shocked to read that in 2013, visitors to the Department of Labor's "nuclear related" pages had malware downloaded onto their computers by the DOL.  I didn't even know the DOL had anything to do with nuclear things.  I thought that was all Department of Energy and DOD, but apparently DOL has programs related to benefits for nuclear weapon and nuclear energy workers.
DOL’s “nuclear-related” web pages sent out a “Watering Hole” attack in April 2013. In a “Watering Hole” attack, the bad guys target a specific group of people and set malware traps on web pages that the group is likely to visit. So when visitors went to DOL’s nuclear pages, they received malware from the rogue Internet domain “dol.ns01.us.”
This was all openly discussed in computer security circles back in 2013, on a Cisco Systems blog, which has details that someone at Borepatch's level could understand, but I don't.
   
It's a truism that we should "never attribute to malice that which can be explained by stupidity", and it may be stupidity that's going on here.  May be.  To borrow a key phrase (I think!) from the Cisco coverage,
An nmap TCP connection scan of the IP indicates a Windows box; it is interesting that the MSRPC service is not being firewalled. MSRPC is a very rich attack surface on unpatched/unmaintained machines. It is possible that this could be a compromised machine.
Which means that DOL may have just been idiots about handling their computers, and the group that put the malware on their machine is someone else.  Why?  Again, Cisco:
AlienVault has reported that the web page hosting the exploit contained advanced reconnaissance techniques designed to gather information about the targeted systems which visited the page. This included antivirus and various browser plug-in information. This information will likely be used to facilitate and ensure the success of future attacks. Despite initial reports, CrowdStrike has not yet come to the conclusion that the command and control is related to DeepPanda. If it is, this could mean this is part of an advanced exploit kit.
The code name DeepPanda is used for a so-called "known Chinese actor", and they're saying they hadn't concluded it was DeepPanda.  Checking the CrowdStrike page tonight shows no updates since 3 May 2013.  What if it was?  Does that mean the Chinese are interested in who is looking at the US Department of Labor computers?

I think it's the nature of this sort of report that we may never know.  The malicious domain that dropped the malware payload, dol.ns01.us, may look official, but in reality it belongs to a company named changeip.org. Changeip.org offers “Free Dynamic DNS” among other services. Essentially, a changeip.org customer pays for a base domain name, then if the third-level name is available, it’s included for free.  The "burner cellphone" of cyber attackers?
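As an added example that is not part of the original post: a small Python checker run over constructed proxy-log lines, which flags hosts sitting under a free dynamic-DNS base such as ns01.us (the changeip.org base named above) and marks those whose customer-chosen labels imitate an agency name. The watch-list of agency labels and the dyn.example.test base are assumptions for the demonstration.

```python
import re
from collections import Counter
# Constructed sample proxy-log lines (not real traffic): time, client IP, host, path.
SAMPLE_LOG = """\
2013-04-30T14:02:11Z 10.1.5.23 www.dol.gov /owcp/energy/index.htm
2013-04-30T14:02:12Z 10.1.5.23 dol.ns01.us /stats/stat.js
2013-04-30T14:02:13Z 10.1.5.23 cdn.example.com /jquery.min.js
2013-04-30T14:05:40Z 10.1.5.88 DOL.NS01.US. /stats/stat.js
2013-04-30T14:06:02Z 10.1.5.90 ns01.us /
2013-04-30T14:07:15Z 10.1.5.91 update.doe.dyn.example.test /x.php
"""
# Free dynamic-DNS base domains: ns01.us is the changeip.org base named on the page;
# dyn.example.test is a constructed placeholder for any other provider you track.
DYNDNS_BASES = {"ns01.us", "dyn.example.test"}
OFFICIAL_LABELS = {"dol", "doe", "dod", "gov"}  # assumed watch-list of agency-looking labels
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
def normalise_host(host):
    """Lower-case and drop a trailing dot so DOL.NS01.US. matches dol.ns01.us."""
    return host.lower().rstrip(".")

def dyndns_base(host):
    """Return the dynamic-DNS base domain that host sits under, or None."""
    for base in DYNDNS_BASES:
        if host == base or host.endswith("." + base):
            return base
    return None

def classify_host(host):
    """'lookalike' if a free label imitates an agency, 'dyndns' otherwise, None if unrelated."""
    host = normalise_host(host)
    base = dyndns_base(host)
    if base is None:
        return None
    prefix = host[: -len(base)].rstrip(".")  # labels the customer chose for free
    if not prefix:
        return "dyndns"  # bare provider domain, nothing being impersonated
    if any(label in OFFICIAL_LABELS for label in prefix.split(".")):
        return "lookalike"
    return "dyndns"

def scan_proxy_log(text):
    """Return {host: (verdict, hit_count)} for every host flagged in the log text."""
    counts, verdicts = Counter(), {}
    for line in text.splitlines():
        m = LINE_RE.match(line)  # malformed lines simply do not match
        if m and (verdict := classify_host(m.group(3))):
            host = normalise_host(m.group(3))
            counts[host] += 1
            verdicts[host] = verdict
    return {h: (verdicts[h], counts[h]) for h in counts}
```

Run against the sample, dol.ns01.us is reported twice as a lookalike (the upper-case, trailing-dot variant folds into it), the bare ns01.us is only flagged as dynamic DNS, and www.dol.gov is left alone.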


2 comments:

  1. From cookies to malware everyone is doing it. If you download the "flashlight" app for your smart phone it infects your phone with a trojan horse. I have a dumb phone and refuse to download any free programs or apps from the internet for my laptop. There is no defense to it and the legal community is powerless to stop it. There should be a price to pay for "infecting" my computer or phone with software intended to benefit someone else.

    I like the internet but it is a disaster today. Every government web site and every commercial web site is unable to protect their data. The fact that they have critical, secret or private data on their systems is stupid. It is not too different from a bank putting their money and valuables in the dumpster behind the bank instead of in the vault. We need some serious changes in policies and some changes in the internet to make it easier to identify hackers and attacks.

  2. A good starting point is to realize that robbers go places where they can find lots of money. Bank robbers don't go to soup kitchens, they go to banks. If they can break into your bank they'll get access to hundreds or thousands of times what they get if they break into your computer. Banks are under constant attack 24/7/365.

    The other thing to remember is that the bad guys spend about $1000 to $1 we pay the good guys. Because they expect it to pay back.

    The flashlight apps (all Android, as far as I can tell; it's built into iOS so you don't need an app) are kind of in that category of "Free is internet speak for BOHICA" (Bend Over, Here It Comes Again). Or better yet, "if the application is Free, chances are YOU are what is being sold". They gather info on you and sell it to other places. Probably to target you with ads, but possibly to target you with other things.

    If you're interested in it, this is a good time to get training in security. Borepatch has written much on this, and how most people in the field are not requiring college degrees, just competence in the field. I believe it's a good paying field, and expect demand to be booming.
