Connect with us

Biz & IT

The FBI botched its DNC hack warning in 2016—but says it won’t next time

Published

on

Enlarge / By notifying hacking victims sooner and at higher levels, the FBI hopes to avert another high-impact communications breakdown.

Drew Angerer | Getty Images

On April 28, 2016, an IT tech staffer for the Democratic National Committee named Yared Tamene made a sickening discovery: A notorious Russian hacker group known as Fancy Bear had penetrated a DNC server “at the heart of the network,” as he would later tell the US Senate’s Select Committee on Intelligence. By this point the intruders already had the ability, he said, to delete, alter, or steal data from the network at will. And somehow this breach had come as a terrible surprise—despite an FBI agent’s warning to Tamene of potential Russian hacking over a series of phone calls that had begun fully nine months earlier.

The FBI agent’s warnings had “never used alarming language,” Tamene would tell the Senate committee, and never reached higher than the DNC’s IT director, who dismissed them after a cursory search of the network for signs of foul play. That miscommunication would result in the success of the Kremlin-sponsored hack-and-leak operation that would ultimately contribute to the election of Donald Trump.

Four years later, the FBI and the community of incident response security professionals who often work with the bureau’s agents says the FBI has significantly changed how it communicates with hacking victims—the better to avoid another DNC-style debacle. In interviews with WIRED, FBI officials never explicitly admitted to a failure in the case of the DNC’s botched notification. But they and their private sector counterparts nonetheless described a bureau that has revamped its practices to warn hacking targets faster, and at a higher level of the targeted organization—especially in cases that might involve the upcoming election or the scourge of ransomware costing companies millions of dollars across the globe.

In December of last year, for instance, the FBI announced a new formal policy of immediately notifying state government officials when the bureau identifies a threat to election infrastructure they control. But the improvements go beyond warnings to state officials, says Mike Herrington, the section chief of the FBI’s cyber division. “I see a key change in practice and emphasis, getting our special agents in charge keyed up to gain the full cooperation of potential victims,” says Herrington, who says he’s personally notified dozens of victims of hacking incidents over his career.

Those “special agents in charge” are higher-ranking than the typical field agents who have notified victims in the past, notes Steven Kelly, the FBI’s chief of cyber policy. Kelly says that those special agents have also been instructed to aim their warnings further up the victim’s org chart. “We want them to be reaching out to the C-suite level, to senior executives,” says Kelly. “To make sure they’re aware of what’s going on and that they’re putting the right amount of calories into addressing the issues so that these things don’t get ignored or buried.”

First alert

Unlike practically every other crime the FBI deals with, the bureau is often in the strange position of being the first to tell a person or organization that they’re victims of a cyberattack. Often the warnings are based on evidence pulled from ongoing hacking campaigns—sometimes from intelligence agencies or even foreign governments—such as a common command-and-control server across different intrusions. “It is often a very significant event in that person’s career or life to have the FBI calling them and saying we believe you may be the victim of a crime,” Herrington says.

Over the last decade, though, the FBI’s role as messenger has shifted, as organizations become more adept at discovering their own intrusions. For the past several years, roughly half of hacker intrusions were discovered by the victims themselves, according to the M-Trends report on data breach responses published by incident response firm Mandiant. That’s a drastic change from 2011, when 94 percent of breaches were first detected by an outside organization, usually law enforcement.

Even so, the growth in the sheer number of hacking incidents means the FBI is notifying far more victims than in the past, says Jake Williams, a former NSA hacker and founder of the security consultancy Rendition Infosec, which often acts as an incident response firm for hacking victims. Williams says that in the last few years, he’s seen a doubling or tripling of the number of calls that his firm gets from hacking victims who were first notified by the FBI. The notifications still often provide just the bare minimum of information about the breach—such as the FBI’s observation that a computer on the victim’s network connected to a known malicious server—and victims are expected to call in their own incident response consultants to kick the hackers out, with little assistance from the FBI itself.

But Williams also says he’s found that the bureau now notifies victims sooner after its agents detect a breach; in years past, the FBI would sometimes warn victims only that they had been the victim of an intrusion, often well after the fact. “We’re getting more information on the front side,” says Williams. “Before it was commonly, ‘we can’t tell you exactly when and we don’t know if it’s still going on, but you should know.'”

By some accounts, at least, the scandalous failure of communication that allowed Russian hackers to run wild in the DNC’s networks is far less likely to occur today. One DNC official told WIRED that the organization has had regular meetings with FBI agents since 2016; if another incident occurs, the two organizations would already have relationships between senior officials on both sides. “Basically we’ve solved this problem and have really good, clear channels of communication,” the DNC official wrote in an email.

Dmitri Alperovitch, the former CTO of Crowdstrike, which handled the incident response for the DNC’s 2016 breach and many other incidents of state-sponsored hacking, agrees that the FBI’s practices have changed—specifically that it’s taking more care to reach senior executives or officials who will take its warnings seriously. Alperovitch points out that the FBI actually warned the DNC within days of the Russian hackers’ first breaching its network. The problem, he says, was that the agents working the case had settled for a warning to a low-level staffer. “They should have reached out to higher ups,” Alperovitch wrote in a message to WIRED. “I do see them going higher up the chain these days, so yeah, I think it’s better.”

Held for ransom

Elections aside, the epidemic of ransomware hitting US companies has also forced the FBI to improve and accelerate its warnings to hacking victims. For some of those cases, says special agent Tyson Fowler, the FBI has developed a so-called “emergency lead notification” process that bypasses the bureau’s usual internal consultations and immediately notifies a cybersecurity-focused agent in a field office who can warn a victim, hopefully before the hackers deliver their ransomware payload. “We’re leaning forward in terms of notifying victims as soon as possible and skipping all those steps,” says Fowler.

In one case in February, for instance, Fowler says he learned of a ransomware-focused intrusion into a Georgia-based multinational company’s network and, by the end of the day, had reached the CEO of the company to warn about the impending attack. The company took part of its network offline, disrupting the hackers’ access to their malware, Fowler says. “You have what could have been an extinction level event for the company, and we were able to avoid the financial impact and the privacy impact just by the quick response,” says Kevvie Fowler, an incident responder with Deloitte whom the company brought in to help remediate the breach.

None of that renewed urgency in victim notification guarantees that hackers won’t outrun defenders anyway. They may, in fact, be learning to operate faster inside of victim networks as the pace of response quickens. But at least in cases where the FBI gets wind of an ongoing intrusion, the period of free rein they enjoy before being hunted by network responders may no longer last for months, as in the DNC hack, but for days or hours.

This story originally appeared on wired.com.

Continue Reading

Biz & IT

Twitter deal leaves Elon Musk with no easy way out

Published

on

Enlarge / This illustration photo taken May 13, 2022, displays Elon Musks Twitter account with a Twitter logo in the background in Los Angeles. – Elon Musk sent mixed messages Friday about his proposed Twitter acquisition, pressuring shares of the microblogging platform amid skepticism on whether the deal will close.
In an early morning tweet, Musk said the $44 billion takeover was “temporarily on hold,” pending questions over the social media company’s estimates of the number of fake accounts or “bots.”
That sent Twitter’s stock plunging 25 percent. (Photo by Chris DELMAS / AFP) (Photo by CHRIS DELMAS/AFP via Getty Images)

Since the financial crisis, corporate lawyers have aspired to build the ultimate ironclad merger contract that keeps buyers with cold feet from backing out.

The “bulletproof” modern deal agreement now faces one of its biggest tests, as Elon Musk, the Tesla boss and richest person in the world, openly entertains the possibility of ditching his $44 billion deal for Twitter.

Musk said in a tweet this week that the “deal cannot move forward” until the social media platform provides detailed data about fake accounts, a request that Twitter seems unlikely to meet. Twitter’s board, meanwhile, has stated its commitment “to completing the transaction on the agreed price and terms as promptly as practicable.”

Simply abandoning the deal is not an option. Musk and Twitter have both signed the merger agreement, which states that “the parties… will use their respective reasonable best efforts to consummate and make effective the transactions contemplated by this agreement.”

With tech stocks falling—dragging down the price of the Tesla shares that form the basis of Musk’s fortune and collateral for a margin loan to buy Twitter—all eyes are on the mercurial billionaire’s next move.

Could Musk walk away for $1 billion?

The agreement includes a $1 billion “reverse termination fee” that Musk would owe if he withdrew from the merger agreement. However, if all other closing conditions are met and the only thing left is for Musk to show up at the closing with his $27.25 billion in equity, Twitter can seek to make Musk close the deal. This legal concept, known as “specific performance,” has become a common feature in leveraged buyouts since the financial crisis.

In 2007 and 2008, leveraged buyouts typically included a reverse termination fee that often allowed a company backing the acquisition to pay a modest 2 to 3 percent of a deal’s value to get out. Sellers believed at the time that private equity groups would follow through and close their transactions in order to maintain their reputations. But some did pull the plug on those agreements, leading to several court fights involving prominent companies such as Cerberus, Blackstone, and Apollo.

Since that era, sellers have implemented much higher termination fees as well as specific performance clauses that effectively require buyers to close. Most recently, a Delaware court in 2021 ordered private equity group Kohlberg & Co to close the buyout of a cake decorations business called DecoPac.

Kohlberg had argued it was allowed out of the deal because the DecoPac business had suffered a “material adverse effect” when the pandemic struck between signing and closing. The court rejected that argument and ruled that DecoPac could force Kohlberg to close—which it did.

Continue Reading

Biz & IT

How we learned to break down barriers to machine learning

Published

on

Dr. Sephus discusses breaking down barriers to machine learning at Ars Frontiers 2022. Click here for transcript.

Welcome to the week after Ars Frontiers! This article is the first in a short series of pieces that will recap each of the day’s talks for the benefit of those who weren’t able to travel to DC for our first conference. We’ll be running one of these every few days for the next couple of weeks, and each one will include an embedded video of the talk (along with a transcript).

For today’s recap, we’re going over our talk with Amazon Web Services tech evangelist Dr. Nashlie Sephus. Our discussion was titled “Breaking Barriers to Machine Learning.”

What barriers?

Dr. Sephus came to AWS via a roundabout path, growing up in Mississippi before eventually joining a tech startup called Partpic. Partpic was an artificial intelligence and machine-learning (AI/ML) company with a neat premise: Users could take photographs of tooling and parts, and the Partpic app would algorithmically analyze the pictures, identify the part, and provide information on what the part was and where to buy more of it. Partpic was acquired by Amazon in 2016, and Dr. Sephus took her machine-learning skills to AWS.

When asked, she identified access as the biggest barrier to the greater use of AI/ML—in a lot of ways, it’s another wrinkle in the old problem of the digital divide. A core component of being able to utilize most common AI/ML tools is having reliable and fast Internet access, and drawing on experience from her background, Dr. Sephus pointed out that a lack of access to technology in primary schools in poorer areas of the country sets kids on a path away from being able to use the kinds of tools we’re talking about.

Furthermore, lack of early access leads to resistance to technology later in life. “You’re talking about a concept that a lot of people think is pretty intimidating,” she explained. “A lot of people are scared. They feel threatened by the technology.”

Un-dividing things

One way of tackling the divide here, in addition to simply increasing access, is changing the way that technologists communicate about complex topics like AI/ML to regular folks. “I understand that, as technologists, a lot of times we just like to build cool stuff, right?” Dr. Sephus said. “We’re not thinking about the longer-term impact, but that’s why it’s so important to have that diversity of thought at the table and those different perspectives.”

Dr. Sephus said that AWS has been hiring sociologists and psychologists to join its tech teams to figure out ways to tackle the digital divide by meeting people where they are rather than forcing them to come to the technology.

Simply reframing complex AI/ML topics in terms of everyday actions can remove barriers. Dr. Sephus explained that one way of doing this is to point out that almost everyone has a cell phone, and when you’re talking to your phone or using facial recognition to unlock it, or when you’re getting recommendations for a movie or for the next song to listen to—these things are all examples of interacting with machine learning. Not everyone groks that, especially technological laypersons, and showing people that these things are driven by AI/ML can be revelatory.

“Meeting them where they are, showing them how these technologies affect them in their everyday lives, and having programming out there in a way that’s very approachable—I think that’s something we should focus on,” she said.

Continue Reading

Biz & IT

2 vulnerabilities with 9.8 severity ratings are under exploit. A 3rd looms

Published

on

Getty Images

Malicious hackers, some believed to be state-backed, are actively exploiting two unrelated vulnerabilities—both with severity ratings of 9.8 out of a possible 10—in hopes of infecting sensitive enterprise networks with backdoors, botnet software, and other forms of malware.

The ongoing attacks target unpatched versions of multiple product lines from VMware and of BIG-IP software from F5, security researchers said. Both vulnerabilities give attackers the ability to remotely execute malicious code or commands that run with unfettered root system privileges. The largely uncoordinated exploits appear to be malicious, as opposed to benign scans that attempt to identify vulnerable servers and quantify their number.

First up: VMware

On April 6, VMware disclosed and patched a remote code execution vulnerability tracked as CVE-2022-22954 and a privilege escalation flaw tracked as CVE-2022-22960. According to an advisory published on Wednesday by the Cybersecurity and Infrastructure Security Agency, “malicious cyber actors were able to reverse engineer the updates to develop an exploit within 48 hours and quickly began exploiting the disclosed vulnerabilities in unpatched devices.”

CISA said the actors were likely part of an advanced persistent threat, a term for sophisticated and well-financed hacker groups typically backed by a nation-state. Once the hackers have compromised a device, they use their root access to install a webshell known as Dingo J-spy on the networks of at least three organizations.

“According to trusted third-party reporting, threat actors may chain these vulnerabilities. At one compromised organization, on or around April 12, 2022, an unauthenticated actor with network access to the web interface leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user,” Wednesday’s advisory stated. “The actor then exploited CVE-2022-22960 to escalate the user’s privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems.”

Independent security researcher Troy Mursch said in a direct message that exploits he’s captured in a honeypot have included payloads for botnet software, webshells, and cryptominers. CISA’s advisory came the same day VMware disclosed and patched two new vulnerabilities. One of the vulnerabilities, CVE-2022-22972, also carries a severity rating of—you guessed it—9.8. The other one, CVE-2022-22973, is rated 7.8.

Given the exploits already underway for the VMware vulnerabilities fixed last month, CISA said it “expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products.

BIG-IP also under fire

Meanwhile, enterprise networks are also under attack from hackers exploiting CVE-2022-1388, an unrelated vulnerability with a 9.8 severity rating found in BIG-IP, a software package from F5. Nine days ago, the company disclosed and patched the vulnerability, which hackers can exploit to execute commands that run with root system privileges. The scope and magnitude of the vulnerability prompted marvel and shock in some security circles and earned it a high severity rating.

Within a few days, exploit code became publicly available and almost immediately after that, researchers reported ​​exploit attempts. It wasn’t clear then if blackhats or whitehats carried out the activity.

In more recent days, however, researchers captured thousands of malicious requests that demonstrate a significant portion of the exploits are used for nefarious purposes. In an email, researchers from security firm Greynoise wrote:

Given that the requests involving this exploit require a POST request and result in an unauthenticated command shell on the F5 Big-IP device, we have classified actors using this exploit as malicious. We have observed actors using this exploit through anonymity services such as VPNs or TOR exit nodes in addition to known internet VPS providers.

We expect actors attempting to find vulnerable devices to utilize non-invasive techniques that do not involve a POST request or result in a command shell, which are catalogued in our tag for F5 Big-IP crawlers: https://viz.greynoise.io/tag/f5-big-ip-crawler. This crawler tag did experience a rise in traffic correlated with the release of CVE-2022-1388.

Mursch said that the BIG-IP exploits attempt to install the same trio of webshells, malware for performing distributed denial-of-service attacks, and cryptominers seen in the attacks on unpatched VMware machines. The image below, for instance, shows an attack that attempts to install widely recognized DDoS malware.

Troy Mursch

The following three images show hackers exploiting the vulnerability to execute commands that fish for encryption keys and other types of sensitive data stored on a compromised server.

Troy Mursch

Troy Mursch

Troy Mursch

Given the threat posed by ransomware and nation-state hacking campaigns like the ones used against customers of SolarWinds and Microsoft, the potential damage from these vulnerabilities is substantial. Administrators should prioritize investigating these vulnerabilities on their networks and act accordingly. Advice and guidance from CISA, VMware, and F5 are here,
here, here, and here.

Continue Reading

Trending