
US Court authorises seizure of domain names used for criminal purposes.

Nigel Morris-Co...

Law enforcement can move fast - when the criminal conduct involves the reputation of governments. Reveals gaping hole in US government e-mail security - and one that, with hindsight, seems blindingly obvious.

On 27 May, software company Microsoft issued a statement saying that it had identified a "new sophisticated email-based (sic) attack" by a criminal group known as Nobelium.

On 28 May, the FBI and the Cybersecurity and Infrastructure Security Agency issued a joint "advisory" - a warning notice.

On the same day, the Department of Justice obtained court orders to seize two internet domains which the FBI said were "command and control and malware distribution domains used in recent spear-phishing activity that mimicked e-mail communications from the US Agency for International Development (USAID)."

While seizing the domain will protect those who have received but not yet responded to the e-mails, it will not protect those who clicked on links and who may have had malware downloaded and installed.

This whole thing happened fast: a Department of Justice press release says that "on or about 25 May, suspicious persons commenced a wide-scale spear-phishing campaign using a compromised USAID account at an identified mass email marketing company. Specifically, the compromised account was used to send spear-phishing emails, purporting to be from USAID email accounts and containing a “special alert,” to thousands of email accounts at over one hundred entities."

Let's cut the crap, shall we? What this means is that the US Government created an e-mail address for distribution of its messages and gave full access to that account to a contractor. At that contractor someone - insider or not - gained access to that account and used it to send out a mass mail. While the content was fraudulent, the e-mail itself was not and therefore passed all security checks on delivery.

The domains theyardservice dot com and worldhomeoutlet dot com were used in links in the e-mails. Clicking the link led to the downloading and installation on the victims' machines of a "tool" called Cobalt Strike.
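Two defender-side checks follow from the points above: an e-mail sent from a genuinely authorised mass-mailing account passes SPF, DKIM and DMARC, so "authentication passed" says nothing about the links in the body; and seizing a domain stops future clicks but does not tell you which machines already reached it. The script below is an added example, not code from the article or from any agency or vendor it mentions. It parses a constructed message whose Authentication-Results header reports a clean pass, flags links whose domain differs from the sender's and links pointing at the two domains named in the seizure order, and then scans constructed proxy log lines for hosts that contacted those domains. The log format (host, timestamp, URL, tab-separated), the example sender domain and the crude "last two labels" domain reduction are all assumptions made for this example.

```python
"""
Added example (not from the original article): two defender-side checks
arising from the USAID/Nobelium campaign described above.

1. Mail from a genuinely authorised sending account passes SPF/DKIM/DMARC,
   so triage_message() looks past Authentication-Results at where the
   links in the body actually point.
2. Seizing a domain stops future clicks; hosts_that_reached() scans proxy
   log lines for machines that already contacted the seized domains.

The sample message and the log lines are constructed for this example.
"""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# The two domains named in the seizure order discussed in the article.
SEIZED_DOMAINS = {"theyardservice.com", "worldhomeoutlet.com"}

# Constructed sample: authentication passes because the sending account was real.
# The sender domain example-mailer.test is a placeholder, not the real provider.
SAMPLE_EML = b"""\
From: USAID Special Alert <alert@example-mailer.test>
To: recipient@example.org
Subject: Special Alert
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example-mailer.test;
 dkim=pass header.d=example-mailer.test; dmarc=pass header.from=example-mailer.test
Content-Type: text/html; charset=utf-8

<html><body><p>Please review the attached alert.</p>
<a href="https://cdn.example-mailer.test/track/123">Unsubscribe</a>
<a href="https://theyardservice.com/docs/alert.pdf">Download the alert</a>
</body></html>
"""

# Constructed proxy log lines (assumed format): host<TAB>timestamp<TAB>url
SAMPLE_PROXY_LOG = """\
10.0.0.5\t2021-05-25T14:02:11Z\thttps://www.example.org/
10.0.0.7\t2021-05-25T14:05:40Z\thttps://theyardservice.com/docs/alert.pdf
10.0.0.9\t2021-05-26T09:15:02Z\thttps://cdn.worldhomeoutlet.com/stage2
10.0.0.7\t2021-05-26T10:00:00Z\thttps://www.example.org/
"""


def registrable(host: str) -> str:
    """Crude 'last two labels' domain; fine for .com/.org style hosts (assumption)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def auth_passed(msg) -> bool:
    """True if every spf/dkim/dmarc verdict in Authentication-Results is 'pass'."""
    results = " ".join(msg.get_all("Authentication-Results", []))
    verdicts = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results, re.I)
    return bool(verdicts) and all(v.lower() == "pass" for _, v in verdicts)


def link_hosts(msg) -> list:
    """Hostnames of every href in the HTML (or plain) body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    return [urlparse(u).hostname for u in re.findall(r'href="([^"]+)"', text)]


def triage_message(raw: bytes, seized=SEIZED_DOMAINS) -> dict:
    """Classify a raw message: authentication result vs. where its links go."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = registrable(msg["From"].addresses[0].domain)
    hosts = [h for h in link_hosts(msg) if h]
    off_domain = sorted({h for h in hosts if registrable(h) != from_domain})
    seized_hits = sorted({h for h in hosts if registrable(h) in seized})
    return {
        "auth_passed": auth_passed(msg),
        "from_domain": from_domain,
        "off_domain_links": off_domain,
        "seized_domain_links": seized_hits,
        "verdict": "block" if seized_hits else ("review" if off_domain else "allow"),
    }


def hosts_that_reached(log_text: str, seized=SEIZED_DOMAINS) -> dict:
    """Map each seized domain to the set of internal hosts seen requesting it."""
    hits = {}
    for line in log_text.splitlines():
        try:
            host, _ts, url = line.split("\t", 2)
        except ValueError:
            continue  # skip malformed lines rather than abort the sweep
        name = registrable(urlparse(url).hostname or "")
        if name in seized:
            hits.setdefault(name, set()).add(host)
    return hits


if __name__ == "__main__":
    print(triage_message(SAMPLE_EML))
    print(hosts_that_reached(SAMPLE_PROXY_LOG))
```

The point of the first function is that `auth_passed` comes back true for the sample and the verdict is still "block": the authentication headers only confirm the sending account was real, which is exactly what happened here. The second function is the retrospective sweep the article says the seizure cannot do for you; the host 10.0.0.7, which fetched the alert before the domain was taken down, is the one that needs looking at.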

Cobalt Strike, by itself, does nothing bad: a core function allows the future downloading and installation of malware. It sits on the victim's computer waiting for an instruction or a trigger event. In short, it's a trojan created for defensive purposes and actively and consciously deployed by penetration testers.

But all good things can be used for bad purposes.

What is the lesson from this?

The US Government allowed one of two things:

1. The use of a government e-mail address on a server outside its security perimeter; or
2. Access to the government's e-mail servers by a contractor.

Whichever it was, access was gained through the contractor and used to send e-mails that were technically legitimate (they came from the real account and passed the delivery checks) but not legally legitimate, carrying unlawful (arguably illegal) content.

Whatever happened next was simply a consequence of that initial failure.

CAVEAT: We referred to the download of malware - for the avoidance of doubt, Cobalt Strike, in its original form and properly licensed, is not malware, even though it pretends to be. Unlicensed, hacked and illegally installed copies are properly regarded as malware.

For more information, see "what is Cobalt Strike?"
