AFP reports that four Airbus suppliers suffered "major attacks" by hackers trying to steal trade secrets. The victims included British engine manufacturer Rolls-Royce and French technology consultancy Expleo, along with two other unidentified French companies. The four attacks reportedly targeted the VPN services the victims used to connect to Airbus. In Expleo's case, AFP says the attack occurred "long before" it was discovered at the end of 2018. AFP's sources said the attackers seemed to be going after "technical documents linked to the certification process for different parts of Airbus aircraft."
None of the attacks provided enough evidence for definitive attribution, but Chinese state-sponsored hackers are the most probable suspects, based on past attacks and motivation. Some of AFP's sources suspect China's APT10, but another mentioned JSSD, an hacking outfit linked to the regional security ministry in Jiangsu which is known for targeting the aerospace industry.
Chinese APT suspected in tech company hacks.
BlackBerry Cylance describes stealthy attacks against southeast Asian technology companies carried out by a threat actor using an open-source Chinese backdoor known as "PcShare." The attackers have modified PcShare to be side-loaded by a legitimate NVIDIA application, after which they replace the legitimate Windows utility "Narrator" with a Trojanized version in order to achieve SYSTEM-level access. The Trojanized Narrator allows the attackers to run any executable with SYSTEM privileges from the login screen without providing credentials.
BlackBerry Cylance says the attacks aim at "persistent exfiltration of sensitive data, as well as local network reconnaissance and lateral movement." They suspect a Chinese actor is behind the campaign. It may be the Tropic Trooper threat group, based on that group's prior use of PcShare. However, since PcShare is an open-source tool, the researchers refrain from making a firm attribution.
Dragos and CrowdStrike Partner to Provide Early Visibility of OT Threats
Dragos is proud to announce the launch of the Dragos ICS/OT Threat Detection app on the CrowdStrike Store. This new application bridges the IT and OT security divide for customers by providing early visibility and detection of ICS (industrial control systems) / OT threats found on IT endpoints, using data leveraged from the CrowdStrike Falcon® platform. Learn more.
LookBack RAT sent to US critical infrastructure providers.
Proofpoint analysts have published additional details on a suspected state-sponsored phishing campaign targeting the US utilities sector with the LookBack remote access Trojan. At least seventeen utilities entities have been targeted by the group since April 2019. Following Proofpoint's first analysis posted on August 1st, the threat actor continued sending phishing emails concerning online exams that would interest employees across the utilities industry. Sherrod DeGrippo, Senior Director of Proofpoint's Threat Research and Detection team, told ZDNet that "these were sophisticated spear-phishing attacks, credibly impersonating an industry licensing association and targeted at people who would be familiar with the impersonated organization."
The new phishing template imitates the Energy Research and Intelligence Institution and invites the recipient to take the Global Energy Certification (GEC) exam. The attackers attach a harmless PDF file containing a study guide from the legitimate GEC site, along with a Word document containing malicious macros. The PDF file is a new addition to the phishing campaign, and the researchers believe its purpose is to gain victims' trust before they open the Word document. After a victim opens the Word document and enables its content, a macro will install several encoded text files which are decoded to become LookBack's modules.
Proofpoint doesn't attribute the campaign to a specific threat actor, but China is generally believed to be the prime suspect. In their August analysis, Proofpoint researchers noted similarities between this campaign and an earlier one detected by FireEye in July 2018 which targeted Japanese media entities and was attributed to China's APT10. In particular, the VBA macros used in the recent campaign contained obfuscated versions of the same text and file names observed in the 2018 campaign. Additionally, both campaigns used a similar proxy mechanism for command-and-control. Proofpoint stressed, however, that LookBack is a new strain of malware and the two campaigns didn't appear to share any additional code or infrastructure.
Tortoiseshell targets US veterans with fake hiring website.
Researchers at Cisco Talos have observed the threat actor tracked by Symantec as "Tortoiseshell" using a website called "Hire Military Heroes" to induce victims to download a malware installer. Talos describes this tactic as "a massive shift for Tortoiseshell," because it "has the potential to allow a large swath of people to become victims of this attack." Symantec first revealed the threat actor's activities last week, describing relatively targeted supply chain attacks against IT providers in Saudi Arabia.
The malicious website asks users to download a free desktop app for Windows. The download is a malware installer which presents a fake installation process for the app, then tells the user that their security solution has terminated the connection. Meanwhile, two pieces of malware are downloaded. One is a reconnaissance tool for gathering information about the system, and the other is a Remote Administration Tool which can execute commands, download files, and delete itself.
Talos observed varying degrees of sophistication in the malware, which may suggest that multiple teams contributed to its development.
Cybersecurity Fabric: The Future of Advanced Threat Response
Today, it is not enough to protect your assets by collecting high quality threat intelligence – organizations need inline detection & mitigation at line-speed to protect themselves from incoming or existing threats on the network. As cyber strategy shifts towards a “Zero Trust” model, your organization needs to ensure that every device, user, workload, or system is being monitored with a Cybersecurity Fabric. Join LookingGlass for our upcoming webinar October 2, 2pm EST to learn more.
Tibetans targeted with mobile spyware.
The University of Toronto's Citizen Lab has outlined efforts by a threat actor called "Poison Carp" to infect Android and iOS devices belonging to senior members of the Tibetan community. The targets included "the Private Office of His Holiness the Dalai Lama, the Central Tibetan Administration, and the Tibetan Parliament." The attackers used WhatsApp to initiate conversations with the targets while posing as "journalists, staff at international advocacy organisations, volunteers to Tibetan human rights groups, and tourists to India." After establishing rapport with the targets, they would send a link that would compromise a vulnerable device with one click. Of the fifteen attempted attacks, eight succeeded in convincing the target to click the link, although all eight of these targets were running up-to-date software and therefore weren't infected.
The researchers have linked the exploits, malware, and infrastructure used in this campaign to a surveillance operation targeting China's Uyghur minority, which was described by Google's Project Zero, Volexity, and others late last month.
Citizen Lab says the campaign "represents a significant escalation in social engineering tactics and technical sophistication compared to what we typically have observed being used against the Tibetan community." They believe this escalation is a response to an improved security posture exhibited by Tibetans.
Possible cyber activity against Iranian targets?
There were reports over last weekend that Iranian petrochemical operations had been affected by a cyberattack. Iran took the social media chatter seriously enough to issue an official denial that there had been any successful attacks.
Much Gulf-regional conflict has involved cyber operations, CNBC observes, some in retaliation for kinetic actions like Iran’s shootdown of a US surveillance drone. The US is looking to cyber operations as an approach to deterrence. The New York Times says that US Cyber Command has been considering cyberattacks to disrupt Iranian oil production, but the story at week's end is approximately where it began.
Meet the team of leading experts dedicated to making the world a safer place.
If cybersecurity is important to your business (and of course it is), work with the team whose entire mission is to make the world a safer place for everyone. Based on years of law enforcement and military experience, our team pulls and analyzes the best data and delivers it in the most actionable format. Get human-curated, in-depth analysis, layered on top of the most comprehensive, exclusive sets of data from the Deep and Dark Web
Fancy Bear sighted, again.
Fancy Bear returns, resuming its use of the Zebrocy toolkit against a familiar range of targets, for the most part embassies and foreign ministries in Eastern Europe and the Middle East. ESET, which says renewed activity dates to late August, notes that Zebrocy's suite of downloaders, droppers, and backdoors has evolved into marginally more effective forms. Fancy Bear is also known as Sednit, Sofacy, Group 74, Strontium, and APT28, but Russia's GRU military intelligence service is the man behind the curtain.
Mapping Russian APT malware.
Check Point has published joint research with Intezer describing Russia's government threat groups. After analyzing some 2,000 malware samples tied to Russian APTs, researchers identified 22,000 connections and 3.85 million pieces of shared code. Most code reuse was internal to each group. The researchers think each Russian APT has its own malware development team, and that they seldom share code. Check Point and Intezer offer a map of the malware ecosystem. One explanation for the isolation may be a commitment to operational security that takes "an enormous amount of money and man-power." Another contributing factor, as ZDNet notes, is the extremely competitive relationship among the agencies: they have their equities, too.
xHunt goes after Kuwaiti shipping and transportation.
Palo Alto Networks' Unit 42 is tracking a threat group responsible for an attack campaign that targeted Kuwaiti shipping and transportation companies between May 2019 and June 2019. The campaign, dubbed "xHunt," used four custom backdoors called Sakabota, Hisoka, Netero and Killua, all of which seem to be authored by the same person. It also involved the use of two post-exploitation tools with the filenames "Gon" and "EYE." The researchers aren't sure how exactly the attacker first gained access to the targeted systems, but they observed the malware using a "rather uncommon" method of command-and-control using saved email drafts in a Microsoft Exchange account. The attacker and the malware both have access to the same Exchange account, so they can communicate by reading each other's email drafts without actually sending any emails. Unit 42 determined that xHunt is probably related to another campaign that targeted Kuwait between July and December of 2018. The researchers also identified infrastructure overlap with the suspected Iranian group OilRig, as well as with a DNS hijacking campaign described by CrowdStrike in January, although Unit 42 says it doesn't have enough evidence yet to confidently attribute xHunt to either of those operations.
Setting the Trap with Kevin Mitnick: Crafty Ways the Bad Guys Use Pretexting to Own Your Network
Today’s phishing attacks have evolved beyond spray-and-pray emails that mass target victims. Instead, the bad guys have carefully researched your organization to set the perfect trap. And pretexting is the key.
Join us for this exclusive webinar where Kevin Mitnick, the World's Most Famous Hacker and KnowBe4's Chief Hacking Officer, will show you how the bad guys craft such cunning attacks. And he’ll share some hacking demos that will blow your mind.
Not malware, not even potentially unwanted, just...fleeceware.
Sophos calls it "fleeceware:" Android apps that provide functionality freely available elsewhere, and that hit users with big fees after expiration of a trial period. It's not malicious, and it really does things people want done, but fleeceware charges for what usually comes for free.
The vBulletin web forum software received a patch on Wednesday for an extremely severe vulnerability. An unknown researcher anonymously published a remote code execution (RCE) exploit for the vulnerability on Monday, and Imperva observed attacks against vBulletin users within hours after the exploit was released. Ars Technica advises vBulletin users to take their forums offline until they've applied the patch.
Cisco on Wednesday patched 29 vulnerabilities in a variety of its devices, including thirteen that were rated high-severity, Threatpost reports.
Crime and punishment.
The BBC reports that Elliot Gunton, a British 19-year-old who was sentenced to twenty months in prison for hacking TalkTalk, now faces US Federal charges of allegedly stealing from hundreds of customers of the EtherDelta cryptocurrency exchange in 2017. US citizen Anthony Tyler Nashatka was also charged. ZDNet says Nashatka bought personal details of EtherDelta's CEO, Zachary Coburn; then reached out to Gunton for assistance. The two allegedly collaborated to hijack Coburn's EtherDelta accounts by impersonating him, then used the administrative access to lock other employees out and intercept the company's Gmail traffic. This let them obtain the password reset link for EtherDelta's Cloudflare account, which allowed them to reconfigure EtherDelta's DNS records to point to a spoofed credential harvesting site. Finally, they used the stolen credentials to access users' accounts and steal their cryptocurrency. The total amount of money stolen hasn't been disclosed, but the BBC says one victim lost $800,000. Gunton and Nashatka each face up to twenty years in prison if found guilty.
Courts and torts.
Google said on Wednesday that it won't pay royalties to French news outlets in order to include their articles in search results, Ars Technica reports. Google blogged "we sell ads, not search results," and that accepting payment for inclusion in searches would erode users' trust in the service's impartiality and relevance.
Bloomberg reports that the US Department of Justice will open its own antitrust investigation into Facebook, in addition to the antitrust inquiry already being carried out by the FTC. Gizmodo believes the investigation may be part of the Justice Department's antitrust review of online platforms, which was announced in July.
Policies, procurements, and agency equities.
As the United Nations General Assembly’s annual summit meets, some twenty-seven countries (including all Five Eyes) have issued a brief “Joint Statement on Advancing Responsible State Behavior in Cyberspace.” It calls for bringing cyberspace into the framework of international law (particularly by applying the principles of proportionality and discrimination that inform the law of armed conflict). CNN and others see it as directed implicitly against Russia and China: the Statement condemns attempts to "undermine democracies" (that would be Russia) and "undercut fair competition" (they're looking at China).
NPR has an account of US Cyber Command and NSA's cyber operations against ISIS. In November 2016, a task force formed by the two agencies called "ARES" launched an operation to dismantle ISIS's online presence. The task force had determined that ISIS used only ten primary accounts and servers to manage its entire media operation, and ARES operators gained access to these accounts via phishing and other techniques. They then caused chaos by changing passwords, deleting data, and changing network settings. Next, the task force focused on a long-term demoralization campaign by causing ISIS fighters to experience all manner of technological disruptions. This strategy eventually led ISIS's Dabiq magazine to cease publication, and apparently caused the mobile app for the group's news service, Amaq, to shut down as well. There were also intelligence and combined arms dimensions to these operations. They helped track ISIS, and they were integrated with kinetic combat operations against ISIS in theater. Such operations continue. One interesting point the article makes is that a similar organization has more recently been established: the Russia Small Group. It's name suggests its interests and responsibilities.
Fortunes of commerce.
Biometric security company BIO-key International has received a continued listing deficiency notice from Nasdaq after its share price failed to reach the $1.00 minimum closing bid price for thirty trading days in a row, the company announced on Friday. BIO-key has 180 days to reach the $1.00 minimum, which it must maintain for ten consecutive days.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.