New: The hackers behind a watering-hole campaign against targets in the Middle East may be using software from the Israeli spyware firm Candiru, recently targeted by U.S. export restrictions, according to @ESET: subscriber.politicopro.com/article/2021/1…
In research being presented today at @CYBERWARCON, ESET experts say an IP address linked to Candiru in a recent @citizenlab report has ties to two of the malicious domain names in the watering-hole attacks.
These watering-hole attacks spoofed websites of Yemen’s parliament & interior ministry, Iran’s foreign ministry, Syria’s electricity ministry, @MiddleEastEye, and Hezbollah-linked TV channels.
Fake sites delivered malware that exploited web browser vulnerabilities.
@MiddleEastEye But the hackers got smarter between their 2020 and 2021 watering-hole campaigns, according to ESET.
They configured their malicious code to scan victims' computers and look for specific targets before deploying.
This prevented researchers from acquiring the malware to analyze.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
Attacks targeted Ukraine, Lithuania, Latvia, Poland, and Germany, as well as Belarusian journalists and dissidents.
In research presented at @CYBERWARCON, Mandiant said it's attributing these attacks to Belarus based on technical evidence and the fact that the targets are "most consistent with Belarusian interests."
Some Belarusians targeted before disputed 2020 election were later arrested.
Mandiant said it had “sensitively sourced technical evidence” that the operation was based in Minsk, as well as “separate technical evidence” specifically linking the Belarusian military to the campaign.
New: FBI Cyber Division chief Bryan Vorndran told House Oversight in written statement for the record that Biden admin is “troubled” that cyber incident reporting mandate doesn’t set up simultaneous reporting to CISA *and* FBI.
Going beyond what he said at the still-ongoing hearing, Vorndran's statement says the current legislation “fails to recognize the critical expertise and role” of DOJ/FBI.
Both CISA and the FBI “should immediately receive all information mandated to be reported,” Vorndran wrote.
Needless to say, this could throw a wrench into the plan to pass the painstakingly crafted incident reporting mandate that is in the House NDAA and is expected to be folded into the Senate NDAA soon.
I've asked the legislation's sponsors if they'll rework the provisions.
The House Oversight Committee is about to convene a hearing on ransomware attacks with @ncdinglis, CISA's Brandon Wales, and FBI's Bryan Vorndran: oversight.house.gov/legislation/he…
📅🎂🎉 It's @CISAgov's third birthday. "Cyber is, to a large extent, where it's at nowadays," then-President Donald Trump said as he signed the CISA establishment bill into law. subscriber.politicopro.com/article/2018/1…
@CISAgov Two years and one day after creating CISA (i.e. one year ago tomorrow), Trump fired CISA's director, @C_C_Krebs, for debunking his election fraud lies, throwing CISA into the partisan Trump-era turmoil that it had successfully avoided since its creation. politico.com/news/2020/11/1…
A year after Krebs' firing, CISA is on firmer footing and playing a key role in the implementation of Biden's sweeping cyber EO.
Just this morning, CISA released EO-mandated "playbooks" to guide agencies' responses to vulnerabilities and cyberattacks. cisa.gov/news/2021/11/1…
Scoop: Senate HSGAC is working on a bill that combines the House's industry-friendly cyber incident reporting legislation w/ a bunch of programs to tackle ransomware.
Raises Qs about what happens to Warner/Rubio/Collins bill, which industry doesn't like.
* The House Homeland incident reporting legislation, with some tweaks and additions
* "Due diligence requirement" for companies facing ransom demands
* Ransomware task force
* "Ransomware vulnerability warning pilot program"
Due diligence req:
Before paying a ransom, a company would have to determine whether it could recover from the attack “through other means,” including by seeing if experts have published a decryption tool that works for them.
Neuberger: "We want to take a moment to encourage organizations to be on guard for malicious cyber activity in advance of the holiday weekend. To be clear, we have no specific threat information or information regarding attacks this weekend, but what we do have is history."
Neuberger notes that history shows that hackers often target companies over holiday weekends, when security operations centers may be understaffed or otherwise unprepared.