Cyber Threat Intelligence Briefing: 20 November 2020

The S-RM Cyber Threat Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.

OVERVIEW

CISA’s Krebs fired via tweet. US President Trump has fired Chris Krebs, Homeland Security’s top cyber official, who had publicly rejected allegations of election fraud peddled by the president.
New Chinese state-sponsored hacking group. With more than 200 systems across Southeast Asia infected by the new group named FunnyDream, this feels less like a dream and more like a nightmare.
In other news this week, new information regarding a global campaign exploiting the ZeroLogon vulnerability, Firefox released a fix for a zero-day vulnerability and Linux security is back in the spotlight.
Plus, informational spotlight: CMMC – what to expect if you hold a DoD government contract?

Security Round-up

CISA’s Krebs fired for rejecting election fraud conspiracy theories

US President Trump this week fired Christopher Krebs, director of the agency responsible for cyber security within the Department of Homeland Security. Krebs has been at the helm of the Cybersecurity and Infrastructure Security Agency (CISA) since November 2018, widely credited for the agency becoming a force to be reckoned with and an influential public sector body, paving a strong public-private security partnership.
The outgoing president’s action appears to be linked to Krebs’s refutation of theories alleging election fraud, widely touted by Trump and his supporters.
Krebs promoted a statement via Twitter last week from a coalition of election officials and bodies, including CISA, that advised the public that “the November 3rd election was the most secure in American history.”^[1]
CISA, under the auspices of Krebs, has been dedicating its efforts throughout the course of the election process to curtailing election misinformation, debunking election rumours via the website Rumor Control.

So what? The firing has come as little surprise – Krebs himself was reportedly stating in private last week that he expected to be fired by the president. Its impact on the future of CISA remains to be seen. The move is widely regarded as yet another example of President Trump replacing top officials with loyalists, as he continues to refuse to accept the results of the US presidential election.

Chinese state-sponsored hacking group FunnyDream responsible for infecting more than 200 systems

A report published by security vendor Bitdefender has detailed that a new potential Advanced Persistent Threat (APT) group, which they have named FunnyDream, has been targeting Southeast Asian governments.^[2]
The attacks have been happening over the last two years, infecting more than 200 systems in Malaysia, Taiwan, the Philippines, and Vietnam. The group is primarily interested in cyber-espionage, stealing confidential documents.
The attacks predominantly followed a pattern of combining malware payloads – Chinoxy, which acts as a backdoor for initial access, PCShare, a remote access Trojan for obtaining information about the host, and FunnyDream, which collects information and exfiltrates it.

So what? Companies with a global footprint and operations in Southeast Asia should pay attention to this threat, particularly if they process significant amounts of sensitive information. While detecting APT beaconing activity may be beyond the capabilities of many companies, implementing a robust information classification process that is supported by Data Loss Prevention (DLP) policies and rigorous reporting, is achievable. All sensitive information that could negatively impact the business, if lost, should be classified and protected with commensurate controls.

Linux security back in the spotlight

On 17 November, Microsoft showcased its endpoint detection and response (EDR) capabilities for users of Linux operating systems running Microsoft Defender for Endpoint. The capacity to detect and alert on malicious activity in real time on Linux servers is a significant improvement for an underappreciated attack surface.^[3]
From a threat actor’s perspective, Linux is a natural target as it is often used by system administrators to manage enterprise networks, databases and web services. There are existing threats in this space, with Tycoon ransomware – a sophisticated strain seen in attacks since December 2019 – which contains Java modules designed to target both Windows and Linux systems.^[4]

So what? A common theme we have observed during incident response cases is that a forgotten user account or network device can often be the source of the infection. While ransomware and other attack strategies do usually target Windows systems, Linux is often a critical operating system used in complex enterprise environments. However, as threat actors will continue to diversify and innovate their attack strategies, including targeting Linux systems, security teams will need to consider whether their Linux systems are adequately secured.

Firefighting a Zero-day: Firefox issues patch for vulnerability and new security features

Popular web browser Firefox issued a patch to mitigate a zero-day vulnerability as part of its Firefox 83 release.^[5]
The patch fixes a zero-day vulnerability identified by Google in October called CVE-2020-15999 which affected Chrome and any other software that used Freetype, including Firefox.^[6] The vulnerability has been actively used in attacks and is considered an urgent priority to patch.

So what for security teams? CVE-2020-15999 received significant media attention for the vulnerability posed to users of Google Chrome browsers. However, this threat is as pertinent to users of Firefox, given the actual vulnerability is found not in the browsers themselves but the software Freetype that both use. As such, it is important to ensure that any Firefox browsers are updated to Firefox 83 to avoid potential malicious exploitation of this vulnerability.

ZeroLogon vulnerability exploited in global campaign

New information released by security researchers discloses details of a global campaign, reportedly conducted by Cicada,^[7] allegedly a China-backed threat group, that has started to exploit the ZeroLogon vulnerability CVE-2020-1472.^[8]
Cicada has been pursuing the campaign since at least October 2019 and has recently added the capability to exploit the ZeroLogon vulnerability to their toolset. The threat group has reportedly been focusing their attacks on companies operating in the automotive, pharmaceutical, engineering, and managed service provider sectors.

So what for security teams? Although they are certainly not the only threat group exploiting the vulnerability, Cicada reportedly has significant resources and access to sophisticated tools and techniques that make the group especially dangerous. The ZeroLogon vulnerability was disclosed and patched by Microsoft in August this year and it is vital that organisations install the patch to protect themselves against the ongoing campaign.

INFORMATIONAL SPOTLIGHT

CMMC - What to expect if you hold a US Department of Defense government contract?

If you're a business that's planning to bid on or has previously held government contracts specifically for the Department of Defense (DoD), you will want to become intimately familiar with the CMMC, which stands for the Cybersecurity Maturity Model Certification. Much like its predecessor, the CMMI (Capability Maturity Model Integration), this framework will assess the maturity of an organisation based on its processes and practices on a scale of 1-5, with 1 being the most basic and 5 being advanced. The main purpose of this requirement is to ensure that a partner organisation has sufficient cyber hygiene and can protect Controlled Unclassified Information (CUI) on its networks. As with the CMMI, an organisation’s CMMC rating will need to be assessed by an independent third party.
The CMMC Accreditation Body (AB), a non-profit, independent organisation, will accredit CMMC Third Party Assessment Organisations (C3PAOs) and individual assessors. The CMMC AB will provide the requisite information and updates on its website https://www.cmmcab.org/.
The CMMC was released as of 31 January 2020 and requirements may appear in Requests for Information (RFIs) or Requests for Proposals (RFPs) for government contracts. Contracts will require a minimum score in order to bid or win that particular contract. Organisations should carefully review updates to upcoming renewals or when bidding for new contracts to make sure that they meet this requirement. Not all contracts will require CMMC certification due to delays caused by COVID-19 and its impact on on-site testing capabilities.
The initial implementation and requirement around CMMC is only for the DoD at the moment, but based on its success may also be adopted by other branches of government in the future. CMMC results themselves will not be made public; however, the DoD will have access to all participating organisations' certification levels. CMMC certificates are valid for a period of three years and then must be renewed.
Finally, a cyber security incident itself is not enough to necessarily lose a certification but may kick off a reassessment of the maturity level depending on the severity or impact of the incident.
More information on the CMMC can be found at the Office for the Security of Defense's website.

References:

[1] ‘Joint statement from elections infrastructure government coordinating council’, CISA, 12 November 2020.

[2] ‘More than 200 systems infected by new Chinese APT ‘FunnyDream’’, ZDNet, 17 November 2020.

[3] ‘Microsoft previews Linux endpoint detection and response capabilities’, Bleeping Computer, 17 November 2020.

[4] ‘This new ransomware is targeting Windows and Linux PCs with a 'unique' attack’, ZDNet, 4 June 2020.

[5] ‘Firefox 83 boosts security with HTTPS-only mode’, Bleeping Computer, 17 November 2020.

[6] ‘Firefox 83 boosts security with HTTPS-only mode’, Bleeping Computer, 17 November 2020

[7] Also tracked as APT10, Stone Panda, and Cloud Hopper.

[8] ‘Hacking group exploits ZeroLogon in automotive, industrial attack wave’, ZD Net, 18 November 2020.