The U.S. House of Representatives is tightening security by restricting its users’ access to certain cloud services, including Yahoo Mail and applications hosted on Google’s appspot.com domain.
A letter from IT staff to ‘all House staff’ dated 30 April warns of an increase in phishing attacks aimed at delivering ransomware. Obtained by Gizmodo, the letter goes on to say, “The House Information Security Office is taking a number of steps to address this specific attack. As part of that effort, we will be blocking access to YahooMail on the House Network until further notice.”
The ransomware is delivered as zipped .js attachments to emails that appear to come from known senders, arriving primarily via Yahoo Mail. A zipped JavaScript file is a common lure because the archive hides the script from simple attachment filters, while a double-click on the extracted .js hands it straight to the Windows Script Host.
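The delivery mechanism described above is one a mail gateway can check for directly. The following is an added example, not code from SecurityWeek or from the House Information Security Office: it opens a zipped attachment in memory and reports any member that Windows would execute as a script, including double extensions such as `invoice.pdf.js` and scripts hidden in a nested zip. The extension list, the nesting and size limits, and the three sample attachments are all constructed assumptions for illustration.

```python
"""Inspect a zipped e-mail attachment for script payloads of the kind the
House letter describes (ransomware downloaders delivered as zipped .js files).

Added example, not code from SecurityWeek or the House. The extension list,
the limits and the sample attachments below are assumptions for illustration.
"""
import io
import zipfile

# Extensions Windows hands to a script host or loader on double-click.
# The House letter names .js; the rest are commonly abused alongside it (assumed list).
SCRIPT_EXTENSIONS = {
    "js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "ps1",
    "cmd", "bat", "scr", "jar", "lnk",
}

MAX_DEPTH = 3                         # nested zips deeper than this are reported as suspicious
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # refuse to inflate anything larger (zip-bomb guard)


def _is_script_name(name: str) -> bool:
    """True if the final extension is a script/executable type.
    Handles 'invoice.pdf.js' style double extensions and mixed case."""
    base = name.rsplit("/", 1)[-1]
    if "." not in base:
        return False
    return base.rsplit(".", 1)[1].lower() in SCRIPT_EXTENSIONS


def find_script_payloads(data: bytes, depth: int = 0, prefix: str = "") -> list[str]:
    """Return the names of members (including inside nested zips) that would run
    as a script if opened. A marker entry is returned if the blob is not a zip,
    is nested too deeply, or contains a member too large to inspect safely."""
    if depth > MAX_DEPTH:
        return [f"{prefix}<nested-too-deep>"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{prefix}<not-a-zip>"]
    hits: list[str] = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            full = prefix + info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                hits.append(full + "<oversized>")
                continue
            if _is_script_name(info.filename):
                hits.append(full)
            elif info.filename.lower().endswith(".zip"):
                # Recurse into nested archives; the '!' separator mirrors jar-style paths.
                hits.extend(find_script_payloads(zf.read(info), depth + 1, full + "!"))
    return hits


def should_quarantine(data: bytes) -> bool:
    """Gateway decision: hold the message if any script payload was found."""
    return bool(find_script_payloads(data))


def _build_zip(members: dict[str, bytes]) -> bytes:
    """Build a sample attachment in memory (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a lure like the reported campaign, a nested one, and a benign one.
LURE_ZIP = _build_zip({"Invoice_0429.pdf.js": b"var s = new ActiveXObject('WScript.Shell');"})
NESTED_ZIP = _build_zip({"docs.zip": _build_zip({"scan/readme.txt": b"hi", "scan/photo.JS": b"//"})})
BENIGN_ZIP = _build_zip({"report.pdf": b"%PDF-1.4 ...", "notes.txt": b"plain text"})

if __name__ == "__main__":
    for label, blob in [("lure", LURE_ZIP), ("nested", NESTED_ZIP), ("benign", BENIGN_ZIP)]:
        verdict = "QUARANTINE" if should_quarantine(blob) else "pass"
        print(f"{label:7s} {verdict:10s} {find_script_payloads(blob)}")
```

The check deliberately looks at the last extension only: an attachment named `scan.js.txt` is harmless, while `scan.txt.js` is not, and the filter should mirror what the Windows shell does rather than guess at intent. A blob that fails to parse as a zip is also held, since a deliberately malformed archive is itself a common evasion.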
“The problem with many phishing attacks,” explains Spamhaus Commercial Director, Simon Forster, “is that they can be, and frequently are, initiated from a compromised email account at a big email provider. Compromised, legitimate email accounts make the phishing problem more difficult to address. Few organizations receiving email have the moxie to block all email from a large freemail provider, but,” he told SecurityWeek, “effectively that’s the final solution to mass phishing attacks from compromised accounts.”
The House letter calls on staff to “Please do your part to help us address this recent attack and protect the House Network going forward by following proper cyber practices at all times.”
Nothing in this letter suggests whether any phishing attempts were successful, nor what type of ransomware was being used. However, a separate report from Reuters yesterday adds a little detail: “Two individuals fell victim to ransomware by clicking on infected Word document email attachments, sources familiar with the hacking said. The infected files were able to be recovered without paying any ransom, the sources said.”
There is no indication of what ransomware was involved, how it was contained, or how the files were recovered. Note also that the House letter describes zipped .js attachments while Reuters’ sources describe infected Word documents; the two accounts may simply be describing different lures from the same campaign. If the infection was confined to the individual workstations concerned, recovery could have been effected from back-ups. It is also possible that IT staff were able to decrypt the files without the attacker’s key, which depends on the particular ransomware family having a flawed implementation or a publicly available decryptor – but this is less likely.
The Reuters report says that the House is also blocking users’ access to Google’s cloud-based appspot.com. “We began blocking appspot.com on May 3 in response to indicators that appspot.com was potentially still hosting a remote access trojan named BLT that has been there since June 2015,” one of the sources, a House staffer with direct knowledge of the situation, told Reuters.
The FBI had warned, “Trojan.BLT will test network connectivity by establishing a connection with a legitimate website. This malware is capable of bypassing dyndns categorization by using a proxy through Google AppProxy’s hosted on appspot domains.”
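Before (or instead of) a blanket block on appspot.com, a defender would want to know which workstations are actually reaching App Engine-hosted endpoints, and whether that traffic looks like an application or like a beacon. The following is an added example, not code from SecurityWeek, the FBI or the House: it reads constructed proxy log lines, flags requests to appspot.com hosts that are not on an allowlist of sanctioned apps, and goes slightly beyond the page by scoring how regular the request timing is, since a proxied RAT tends to check in on a fixed schedule. The log format, the allowlist, the jitter threshold and the sample lines are all assumptions.

```python
"""Find workstations talking to unsanctioned appspot.com hosts, the channel
the FBI notice says Trojan.BLT uses to proxy its traffic.

Added example, not code from SecurityWeek, the FBI or the House. The log
format, the allowlist and the sample lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Sanctioned App Engine apps (assumed). Anything else under appspot.com is reported.
ALLOWED_APPSPOT_HOSTS = {"approved-hr-portal.appspot.com"}

# Below this coefficient of variation in inter-request gaps we call it beacon-like (assumed).
BEACON_JITTER_THRESHOLD = 0.1

# Constructed proxy log lines: "<ISO time> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2016-05-03T09:00:00 10.20.1.15 GET https://approved-hr-portal.appspot.com/login 200
2016-05-03T09:00:05 10.20.1.42 GET https://cdn-sync-77.appspot.com/ping 200
2016-05-03T09:02:11 10.20.1.15 GET https://www.example.com/news 200
2016-05-03T09:05:05 10.20.1.42 GET https://cdn-sync-77.appspot.com/ping 200
2016-05-03T09:10:06 10.20.1.42 POST https://cdn-sync-77.appspot.com/up 200
2016-05-03T09:15:05 10.20.1.42 GET https://cdn-sync-77.appspot.com/ping 200
2016-05-03T11:47:31 10.20.1.99 GET https://weather-widget.appspot.com/today 200
"""


def parse_line(line: str):
    """Split one log line into (timestamp, client, host)."""
    ts, client, _method, url, _status = line.split()
    host = (urlsplit(url).hostname or "").lower()
    return datetime.fromisoformat(ts), client, host


def is_unsanctioned_appspot(host: str) -> bool:
    """True for appspot.com itself or any subdomain not on the allowlist.
    A suffix check on '.appspot.com' avoids matching look-alikes such as
    'appspot.com.attacker.net'."""
    under_appspot = host == "appspot.com" or host.endswith(".appspot.com")
    return under_appspot and host not in ALLOWED_APPSPOT_HOSTS


def find_appspot_activity(log_text: str) -> dict:
    """Group unsanctioned appspot.com requests by (client, host) and score the
    regularity of their timing. Returns {(client, host): summary}."""
    buckets: dict = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, client, host = parse_line(line)
        if is_unsanctioned_appspot(host):
            buckets[(client, host)].append(ts)

    report = {}
    for key, times in buckets.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Coefficient of variation of the gaps; needs at least two gaps to mean anything.
        jitter = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        report[key] = {
            "count": len(times),
            "first_seen": times[0].isoformat(),
            "jitter_ratio": jitter,
            "beacon_like": jitter is not None and jitter < BEACON_JITTER_THRESHOLD,
        }
    return report


if __name__ == "__main__":
    for (client, host), summary in find_appspot_activity(SAMPLE_LOG).items():
        flag = "BEACON?" if summary["beacon_like"] else "review"
        print(f"{flag:8s} {client:12s} {host:32s} n={summary['count']} first={summary['first_seen']}")
```

In the constructed sample, 10.20.1.42 polls `cdn-sync-77.appspot.com` every five minutes with sub-second jitter and is flagged as beacon-like, while the single request from 10.20.1.99 is merely listed for review. The point is that a blanket block is the blunt last resort; the proxy logs usually tell you which hosts to pull first.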
It would seem that there is no blanket ban on access to webmail or cloud apps on the House network. Many organizations seek to keep such traffic within a separate ‘guest’ network firewalled away from the ‘corporate’ network. “Having a guest network is a nice way to allow users to access non-approved services,” Aftab Afzal, SVP at NSFOCUS IB told SecurityWeek.
F-Secure’s Sean Sullivan believes that this is the official set-up. “Congressional staff need to go to another building and/or computer for campaign related activities,” he told SecurityWeek. “Government machines are used for government business only. I suspect access to Google and Yahoo! mail is done by staffers seeking to communicate with family members – personal business during a break.”
The risk most likely arises, said Rich Barger, chief intelligence officer at ThreatConnect, “because lawmakers and their staff are introducing risks – such as ransomware – from their personal Google and Yahoo accounts into U.S. House of Representatives infrastructure.” Adversaries are keen to target the vulnerable user rather than the vulnerable asset. “Our nomadic usage of personal email services can unknowingly introduce risks into our employer’s enterprise,” he added.
“If webmail or web services were being used as business tools,” commented Afzal, “then separating them on a guest network would have been hard to manage and would have been counterproductive. It is better to enable and empower people to use latest tools by having a list of approved services / applications that is constantly reviewed and revised in line with current vulnerabilities. From the [Reuters] report this is exactly what happened and is the best approach.”
Both Yahoo and Google have said they are working with the House to resolve the issues.