House Of Representatives Tech Team Blocks All Google Appspot Apps Because Of A Single Trojan
from the well-that's...-something dept
We started receiving reports of this last week, but I wanted to track down some details. You may have seen a few other reports noting that the tech team at the House of Representatives recently started blocking YahooMail because of a large phishing campaign targeting Congress. On April 30th, the House's "Technology Service Desk" sent around an email stating:

In the past 48 hours, the House Information Security Office has seen an increase of attacks on the House Network using third party, web-based mail applications such as YahooMail, Gmail, etc. The attacks are focused on putting “ransomware” on users’ computers. When a user clicks on the link in the attack e-mail, the malware encrypts all files on that computer, including shared files, making them unusable until a “ransom” is paid. The recent attacks have focused on using .js files attached as zip files to e-mail that appear to come from known senders. The primary focus appears to be through YahooMail at this time.

The House Information Security Office is taking a number of steps to address this specific attack. As part of that effort, we will be blocking access to YahooMail on the House Network until further notice. We are making every effort to put other mitigating protections in place so that we can restore full access as soon as possible.

Please do your part to help us address this recent attack and protect the House Network going forward by following proper cyber practices at all times. Phishing e-mails can look very legitimate and appear to come from known senders. Be very careful about clicking on attachments or links in e-mails, particularly when you are using non-House e-mail systems.

Obviously, it's worth being careful and concerned about this kind of thing. Ransomware attacks that encrypt a victim's files have become common lately, and you can imagine why someone would think it fun to target Congress specifically. Still, blocking all of YahooMail seems... like overkill? Yes, obviously, warn everyone to be careful, and spell out what to watch out for. Perhaps institute some other kinds of protections. But a blanket ban on YahooMail just seems odd.
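The notice above describes the delivery mechanism precisely: a zip attachment carrying a .js file, sent from a spoofed known sender. One of the "other mitigating protections" that targets that mechanism rather than a whole mail provider is to inspect the attachment itself. The following is an added example, not code from the article or from the House IT staff; the archives it builds are constructed in memory, and the extension list beyond .js, the member size cap and the nesting limit are assumptions chosen for illustration.

```python
"""Inspect a zip e-mail attachment for script payloads of the kind the House
notice describes (.js files delivered inside zip archives).

Added example, not code from the article or the House IT staff. The archives
built below are constructed in memory for illustration; the extension list
beyond .js, the size cap and the nesting limit are assumptions.
"""
import io
import zipfile

# .js is the extension the House notice names; the rest are assumed common
# script types a mail gateway would treat the same way.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf", ".hta")
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # assumed cap so a zip bomb is flagged, not inflated
MAX_NESTING = 2                       # nested zips are inspected this deep


def suspicious_members(archive_bytes, depth=0):
    """Return [(member_path, reason)] for every member worth quarantining."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        # An attachment that claims to be a zip but does not parse is
        # treated as suspicious rather than silently passed through.
        return [("<archive>", "not a valid zip")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            if lower.endswith(SCRIPT_EXTENSIONS):
                # Double extensions such as invoice.pdf.js still end in .js,
                # so the decoy extension does not help the attacker here.
                findings.append((name, "script attachment"))
            elif info.file_size > MAX_MEMBER_BYTES:
                findings.append((name, "member exceeds size cap"))
            elif lower.endswith(".zip") and depth < MAX_NESTING:
                # Recurse into nested archives, a common way to hide the payload.
                inner = zf.read(info)
                findings.extend(
                    (f"{name}/{path}", reason)
                    for path, reason in suspicious_members(inner, depth + 1)
                )
    return findings


def should_quarantine(archive_bytes):
    return bool(suspicious_members(archive_bytes))


def build_zip(members):
    """Helper: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_samples():
    """Constructed attachments: one shaped like the reported phish, one clean."""
    inner = build_zip({"scan.js": b"var a = 1;"})
    phish = build_zip({
        "invoice.pdf.js": b"var b = 2;",
        "readme.txt": b"please open the invoice",
        "attachments.zip": inner,
    })
    clean = build_zip({"report.pdf": b"%PDF-1.4\n", "notes.txt": b"ok"})
    return phish, clean


if __name__ == "__main__":
    phish, clean = build_samples()
    for path, reason in suspicious_members(phish):
        print(f"QUARANTINE {path}: {reason}")
    print("clean archive quarantined:", should_quarantine(clean))
```

The point of the size cap and the nesting limit is that an inspector which blindly inflates every nested member can itself be attacked; a member that is too large is reported, never decompressed. Matching on the final extension is deliberate, because "invoice.pdf.js" is the classic disguise and the sender address, as the notice says, cannot be trusted either.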
But... that's not all. Because a few days after that happened, the same tech staff also started blocking all of appspot.com. That's where a ton of apps actually live for things like Google's App Engine. Once again, this seemed like total overkill, so I reached out to people at the House to find out what was going on, and was given the following statement:
We began blocking appspot.com on May 3 in response to indicators that appspot.com was potentially still hosting a remote access Trojan named BLT that has been there since June 2015.

Now, this is kind of interesting for a variety of reasons. Trojan.BLT has been "associated with a major APT [Advanced Persistent Threat] campaign." Furthermore, there has been some speculation connecting it to the Office of Personnel Management (OPM) hack that was exposed last year, based on a timely warning from the FBI about "cyber actors" using a series of exploits -- including BLT -- to gain access to personally identifiable information from the government. As the FBI noted:
Trojan.BLT- a RAT that is executed from its export CreateInstance, the mutex HFRM_ is created and a process instance of cmd.exe is launched to execute the command “ipconfig/all” to collect the victim system’s MAC address. Trojan.BLT will test network connectivity by establishing a connection with a legitimate website. This malware is capable of bypassing dyndns categorization by using a proxy through Google AppProxy’s hosted on appspot domains. Trojan.BLT will validate the connection by checking the HTTP header “Service:IIS”. Trojan.BLT will then conduct further C2 activity.

So, yes, as I was told, Trojan.BLT was first discovered making use of Google's appspot domains last June -- so it's a little unclear why there's suddenly a renewed focus on it, and why it's cause to shut down access to appspot entirely -- especially since the behavior the FBI describes (the HFRM_ mutex, cmd.exe launching "ipconfig/all", the check for a "Service:IIS" header on appspot-proxied traffic) is exactly the kind of indicator that host and network monitoring tools can detect.
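To make that concrete: the FBI description gives three observable behaviors, and a defender who can see process, mutex and proxy telemetry can score hosts against them and isolate the infected machine instead of the whole appspot.com domain. The following is an added example, not code from the article, the FBI or the House IT staff. The indicators are the ones quoted above; the key=value telemetry format, the sample log lines, the rule weights and the isolation threshold are constructed assumptions for illustration.

```python
"""Behavioural triage for the Trojan.BLT pattern the FBI flash describes.

Added example, not code from the article, the FBI or the House IT staff. The
indicators are the ones quoted above (HFRM_ mutex, cmd.exe running
"ipconfig/all", a "Service: IIS" response header on appspot-proxied traffic);
the telemetry format, rule weights and threshold are assumptions.
"""
import re
from collections import defaultdict

MUTEX_PREFIX = "HFRM_"
RECON_CMD = re.compile(r"\bipconfig\s*/all\b", re.IGNORECASE)
PROXY_SUFFIX = ".appspot.com"
C2_HEADER = ("service", "iis")   # the header the RAT checks before starting C2

# Constructed telemetry (hypothetical key=value format; real telemetry would be
# Sysmon process/mutex events and proxy logs, each with its own parser).
SAMPLE_LOG = r"""
type=proc  host=WS-17 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c ipconfig/all"
type=http  host=WS-17 dst=relay-demo.appspot.com status=200 headers="Service: IIS|Content-Length: 0"
type=mutex host=WS-17 name=HFRM_4f21
type=proc  host=WS-03 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c ipconfig /all"
type=http  host=WS-03 dst=dashboard.appspot.com status=200 headers="Server: Google Frontend|Content-Type: text/html"
type=http  host=WS-22 dst=www.example.com status=200 headers="Service: IIS"
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one key=value line; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def rule_recon(ev):
    # Weak on its own: admins run ipconfig /all too. Counted only when the
    # parent image is cmd.exe, as the flash describes.
    return (ev.get("type") == "proc"
            and ev.get("image", "").lower().endswith("\\cmd.exe")
            and RECON_CMD.search(ev.get("cmdline", "")) is not None)


def rule_c2_header(ev):
    # Strong: an appspot-hosted endpoint answering with the non-standard
    # "Service: IIS" header the RAT looks for. A legitimate App Engine app
    # would rarely emit it, so this points at the infected host and the one
    # relay app, not at appspot.com as a whole.
    if ev.get("type") != "http" or not ev.get("dst", "").lower().endswith(PROXY_SUFFIX):
        return False
    for header in ev.get("headers", "").split("|"):
        name, _, value = header.partition(":")
        if (name.strip().lower(), value.strip().lower()) == C2_HEADER:
            return True
    return False


def rule_mutex(ev):
    return ev.get("type") == "mutex" and ev.get("name", "").startswith(MUTEX_PREFIX)


RULES = (  # (name, predicate, weight); weights are assumed, not from the page
    ("blt_recon_cmdline", rule_recon, 1),
    ("blt_appspot_service_iis", rule_c2_header, 3),
    ("blt_mutex_hfrm", rule_mutex, 3),
)
ISOLATE_THRESHOLD = 3


def triage(log_text):
    """Return {host: {rule_name: weight}} for hosts with at least one hit."""
    hits = defaultdict(dict)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if "host" not in ev:
            continue
        for name, predicate, weight in RULES:
            if predicate(ev):
                hits[ev["host"]][name] = weight
    return dict(hits)


def verdicts(hits):
    """Per-host decision: isolate the machine, or just queue it for review."""
    return {host: ("isolate" if sum(rules.values()) >= ISOLATE_THRESHOLD else "review")
            for host, rules in hits.items()}


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for host, decision in verdicts(hits).items():
        print(host, decision, sorted(hits[host]))
```

In the constructed sample, WS-17 trips all three rules and is isolated, WS-03 only ran ipconfig /all from cmd.exe and lands in the review queue, and WS-22, which saw a "Service: IIS" header from a non-appspot site, is not flagged at all. The weak rule is weighted low on purpose; the header check and the mutex are what tie the activity to this particular RAT.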
So, on the one hand, you can understand why the House's IT staff has pulled out the nuclear option in both these cases, first banning YahooMail and then banning access to basically all of Google's hosted third-party apps. Ransomware or an OPM-level hack on Congress would be a massive black eye for the House's tech staff, so it must feel a lot safer to just block entirely. Of course, it's also not that likely to be effective. Ted Henderson, the creator of a social network solely for Congressional staffers called Cloakroom, and who first alerted me and many other reporters to this, was pretty clearly frustrated by this move, which cut off the vast majority of his userbase from being able to use the app. But he's already found a workaround (which I know because I once did an AMA on the platform and still receive notifications from the app): all users received a notification on their phones to turn off their WiFi and use their cellular connections if they wished to use Cloakroom while on Capitol Hill.
And, of course, this shows the futility of just blocking all access to an entire ecosystem like Appspot. It's not going to stop people. It's just going to frustrate them and send them looking for other paths to the same information, such as an unmanaged cellular connection that the House's network defenses never see, which may actually be more dangerous. Instead, it seems worth asking why the House IT staff isn't focused on providing better protection against the actual threat, rather than trying to bury access to massive platforms just because lurking somewhere on those platforms there may be something harmful.
Remember, too, that the people in the House are the same ones legislating technology issues today, and they're getting a very warped idea of how technology works thanks to the House's tech desk. A small potential problem that could be avoided with some basic precautions? Shut down the whole damn thing. This seems like exactly the wrong lesson that our elected officials and their staffers should be learning right now about technology. Protecting their computers and devices is obviously important, but it seems like the House is resorting to overkill, and hopefully this does not lead out-of-touch Representatives to assume that similar overkill solutions -- such as entire site blocking -- are sensible for American citizens.
Filed Under: appspot, congress, cybersecurity, google appengine, house of representatives, ransomware, trojans, yahoomail
Companies: google, yahoo
Reader Comments
1. APT is pretty nasty stuff to have to deal with. You don't want that getting into your environment.
2. One cannot selectively block yahoo accounts in yahoo mail, gmail or Hotmail for that matter. You either allow access to the whole domain or no access at all.
3. This is not going nuclear as you call it. Going nuclear is shutting down all access to the internet completely.
4. Users in any government office are granted access to personal mail websites as a courtesy. It is not their right. They are made well aware of this in the form of a network acceptable usage agreement they must read and sign prior to being given access to the corporate network. They have no right to bitch.
5. Obviously you're some kind of expert in holistic Security and Threat management if you can deem this situation is a case of over-reaction without any knowledge of the tools at their disposal, or their processes and procedures.
5a. Hell you don't even know if they've already encountered infected systems at this point.
5b. Anyone with a shred of IT security knowledge will tell you anti-malware is always behind the detection curve. Any IT manager worth the paper their resume is printed on is going to operate their shop from that stand-point and err on the side of caution. BECAUSE...
5c. While you likely don't have any accountability for anything you write, the IT Security Manager at the House of Representatives probably will have to answer to his boss for the entire environment getting hosed with a zero-day APT.
5d. I will also guarantee there is a threat and risk assessment in said manager's hands that says the House of Representative's network is a target rich environment with a whole list of hostile actors with high motivation. See where I'm going with this? No you don't because you're not an IT security expert. See point 6.
6. If we replace the words "it seems odd to me" in this article with "Now I don't know anything about this field other than what I just read in Wikipedia ten minutes ago" that pretty much sums up the content.
Re:
https://static.spiceworks.com/shared/post/0001/7663/In_This_Corner_We_Have_Dave.jpg
Re:
I think that a government organization should ALWAYS err on the side of caution, especially when it comes to systems that may contain sensitive data about the public. To do otherwise would be shameful.
Somehow Mike seems to think that they should be more nuanced, magically coming up with exactly the perfect balance that gives all the access possible and still stops the near endless attempts to phish, fake out, and sneak in viruses to the government network.
You can imagine the Techdirt story calling out the incompetent IT staff if they had just let the thing get through. You can picture the whining about billions of dollars and no security.
The story is a perfect example of a no-win situation, and how Techdirt can turn any story into an anti-government one. Think about it the next time they are slamming someone for failing to do X or Y to secure a network.
Re: Re:
Not only that, but I'm pretty sure that someone could get in trouble for even posting that FBI Flash document in a public forum.
Let's fix the blame where it belongs
And that problem is that a number of large operations -- including Yahoo -- do an absolutely miserably poor job of dealing with abuse that they emit or facilitate. The House IT staff -- and millions of other operations around the world -- would not have to contemplate drastic measures like this if Yahoo's staff did its job.
It is the first responsibility of all Internet-connected operations to ensure that they're not an operational menace to the entire rest of the Internet. This trumps all other considerations at all times, and anyone who doesn't embrace it and practice it is unfit to run so much as a single server.
However...not only has Yahoo failed to do this, and as a result, become a chronic and systemic hazard to not only its own users, but to everyone else on the Internet, they can't even be bothered to accept, read, analyze, act on, and respond to abuse reports even when someone else does their job for them for free. To wit: RFC 2142 - Mailbox Names for Common Services, Roles, and Functions, which dates from 1997, mandates the existence and support of the "abuse" address, e.g., abuse@example.com, for all domains. Every responsible and professional operation on the entire Internet not only has a working abuse address, but pays close attention to what shows up there and acts on it expeditiously.
And then there's Yahoo (among others, sadly). I gave up filing abuse reports with Yahoo over a decade ago (except for the occasional experiment) because responses were either nonexistent, wrong, clueless, or incoherent. Yahoo personnel are apparently incapable of recognizing things as simple as garden-variety spam sent by a Yahoo user using a Yahoo account on a Yahoo server on Yahoo's network.
So it's not surprising that Yahoo is now teeming with malware and spam, phishers and scams, and everything else: they've done their best to ignore and deny the problem for YEARS. As a result, the Bad Guys have noticed and flocked there: why not? And thus operations like the House IT staff, faced with the impenetrable wall of Yahoo's deliberate malfeasance, can either (a) waste their time trying to get someone, anyone, at Yahoo to actually deal with this or (b) put in a blacklist/firewall/block and remove Yahoo from their view of the Internet.
The worst part of this is that Yahoo is far from alone: some of the largest operations on the Internet are some of the most incompetent and negligent when it comes to abuse control. And everyone else pays for that, since the costs are externalized: e.g., if you're phished via AOL, they're not going to compensate you, or if your ISP needs to spend big bucks on larger mail server to handle all the spam, none of the operations sending that spam will help fund it.
So let's cut the House IT staff a break: this is probably their best available option. And let's keep in mind that Yahoo could have prevented this problem years ago by deploying only a tiny fraction of its enormous financial and personnel resources...but chose not to.
Re: Let's fix the blame where it belongs
Regardless, their license agreement is pretty clear: use our services at your own risk.
The IT Security guy at the House can only assume that those sites are "mostly harmless" for the most part until evidence presents itself which points to the contrary. Thus he will take precautions accordingly to mitigate the risk.
He can't hold them accountable for malware infecting the House network any more than I can blame my ISP for my home computer being infected by my 10 year old.
Re: Let's fix the blame where it belongs
Presumably because there is no immediate profit motive to address the issue. Pretty much any company that size doesn't care about being a good citizen (though they might care about whether people think they're a good citizen), they just care about the money, so why have people working on stuff that doesn't make money?
With respect to those users who elected to turn off their wifi to bypass the website block.
If they were using their own personal phones, then they are doing so at their own risk. If they are not using them to access corporate data then the best case scenario is their personal phones get hit with malware and they have only themselves to blame.
On the other hand, if they were using corporate phones and opted to turn off their wifi so they could access the blocked site, that opens up a whole can of worms.
Because if they were notified that the site was being blocked and still went ahead and bypassed the network security AND that turns out to be a vector by which the corporate network gets infected, then those employees risk losing their jobs.
If they did so after reading Ted Henderson's message which gave them instructions on how to bypass their network security, --- see the language I'm using here, yes that's exactly what might have just happened --- he may be held liable. Techdirt might also be partially liable thanks to your sage advice Mike. We'll let the lawyers figure it out.
If Ted Henderson is reading this, he better damn well be writing an email to all his users that reads:
"FOR THE LOVE OF ALL THAT IS HOLY IN THIS WORLD, PLEASE LISTEN TO YOUR CORPORATE IT SECURITY STAFF AND DO WHAT THEY TELL YOU."
Because that's what I would be doing right now if I were him.
Re: Rant
But you aren't, this is IT for the loony bin of liars and thieves aka Our Congress. So trust them explicitly, ah no. The FBI and the CIA and NSA all have their hooks into the system anyway. Tell them to clean all the W* systems.
Also, I didn't almost forget, this is the year of the Linux desktop. /snark
hatracks?
But, congressional representatives have to go to their phone to receive messages from their districts? So their phone goes out instead of their computer? Cool!
Sending your reps through a less secure environment is not what we are paying the IT people there to do. They are failing at their job, why, manpower? Or spying? That's sad.
But the assessment of the advert and malware software was correct.
1) They are probably responding to the threat at the speed of government. Never fast and usually only as responsive as it is checked up on.
2) there are technical difficulties for working on government IT systems that we probably don't see yet that only the house IT staff have privilege to see.
3) look at Kisama's post for more.
A clue for the House of Representatives
Here's a clue for the Representatives themselves. (And the Senate)
Maybe you should be working to STRENGTHEN internet security instead of UNDERMINE security. Internet security works both ways you know.
Maybe the FBI should give up the exploit it has used in its Evidence Laundering (aka "parallel construction") as a network investigative technique?
I would also point out, imagine if the House of Representatives network encryption had a back door, (euphemism: "golden key") and the hacker got hold of the back door. If such a back door exists, the hackers WILL find it. Everyone else would like to keep their networks safe just as you do.
If I ran that network,
Really Congress shouldn't be using anything that hasn't been source code audited by the NSA. Further the software that would have resulted from such a responsible activity, should have been released into the public domain.
Instead we've had security products installed in critical federal institutions that were developed by FOREIGN intelligence agencies. (yep, I helped rack one)
The reality is that consumer infosec is a sieve. Software vendors and ISP's have been playing fast and loose for a while, and the current situation is beyond recoverable without some re-engineering of the lower layers.
So to say that ANYBODY is over reacting is a little ludicrous. Really putting any popular http client on a public wire at this point is a recipe for getting pwnd. It is no longer a matter of if or when, but how much.