At a glance.
- Verizon's 2022 Data Breach Investigation Report is out.
- Genealogy of Chaos ransomware.
- GuLoader in the wild.
- Security researchers targeted with fake proofs-of-concept.
- Hyperlocal disinformation in occupied Ukraine.
- FSB unit recons targets in Austria and Estonia.
Verizon's 2022 Data Breach Investigation Report shows a sharp rise in ransomware.
Verizon has published its 2022 Data Breach Investigation Report, finding that ransomware rose by 13% last year (a greater increase than the previous five years combined). 82% of breaches involved the human element, which encompasses phishing, stolen credentials, misuse, or error. The researchers also found that supply chain breaches were behind 62% of intrusions last year. "There are four key paths leading to your estate," Verizon writes, and lists them: "Credentials, Phishing, Exploiting vulnerabilities, and Botnets. All four are pervasive in all areas of the DBIR, and no organization is safe without a plan to handle each of them." And while the rise in ransomware features prominently in the report, Verizon notes that "ransomware by itself is, at its core, simply a model of monetizing an organization's access."
Origins of the Chaos ransomware operation.
Researchers at BlackBerry have published a report outlining the genealogy of the Chaos ransomware family, detailing six versions of the malware that have been released since it first surfaced in June 2021. BlackBerry found that Chaos has ties to the Onyx and Yashma ransomware strains, although Chaos initially (and unsuccessfully) claimed to be an offshoot of Ryuk. It wasn't. The false claim was evidently a reach for C2C credibility. Fortinet had earlier tracked Chaos's rise to prominence as its operators declared their adherence to the Russian cause in Moscow's war against Ukraine. BlackBerry notes that Chaos has advanced beyond its beginnings as a relatively basic operation and has now evolved into a flexible, widely available, and difficult-to-track malware operation.
GuLoader campaign uses bogus purchase orders as phishbait.
Fortinet reports finding a phishing email, targeting a Ukrainian coffee company, that drops GuLoader. GuLoader, also known as CloudEye and vbdropper, is a downloader used to deliver other malware. The phishing email presented itself as a purchase order from an oil company in Saudi Arabia, with a PDF file containing a GuLoader executable. The attack is distinctive in that it uses the less common NSIS (Nullsoft Scriptable Install System), a script-driven installer authoring tool for Windows, to deploy itself. FortiGuard Labs rates it a medium-severity threat for Windows users.
Security researchers targeted in malware campaign.
BleepingComputer reports that security researchers were the target of a threat actor distributing fake Windows proof-of-concept exploits that infected devices with the Cobalt Strike backdoor. Cobalt Strike is a legitimate but frequently abused penetration-testing tool. The threat actor capitalized on two recently patched Windows remote code execution vulnerabilities, CVE-2022-24500 and CVE-2022-26809, posing as a security researcher who had published proof-of-concept exploits for the flaws on GitHub. The exploits were quickly found to be fake: the "exploits" installed Cobalt Strike beacons on the victims' devices.
This sort of incident can serve as battlespace preparation for subsequent campaigns, KnowBe4’s James McQuiggan said. “Cybercriminals will target anyone to gain access to systems for data and exploitation. In this particular case, security researchers are another prime target as they can potentially have sensitive information, additional exploits and other sensitive material. This information can further add to the cybercriminals' arsenal to target additional organizations and use the exploited information as bait to catch a larger fish.”
“This is an important reminder to cybersecurity professionals to not blindly trust code simply because it is published on a well-known platform like GitHub. A cybersecurity practitioner can have access to sensitive data that an attacker could leverage to launch secondary attacks,” Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said. “An attacker leveraging that data effectively outsources the hard work of penetration testing and risk of reconnaissance detection to the good guys for free.”
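A defender-side check that fits this item, as an added example (not code from the article or from any researcher it cites): a static pre-flight triage of a downloaded PoC repository that surfaces the tell-tale signs of a loader before anyone runs it. The regexes, file names and sample contents are constructed here for illustration.

```python
"""Static pre-flight triage for a proof-of-concept repository pulled from GitHub.
Constructed example: flags a committed PE image, an encoded PowerShell command line,
a download-and-execute pipeline, or a base64 blob decoding to one of those."""
import base64
import os
import re

ENCODED_CMD = re.compile(r"powershell[^\n]{0,80}-(?:e|ec|enc|encodedcommand)\b", re.I)
DOWNLOAD_EXEC = re.compile(r"(?:DownloadString|Invoke-WebRequest|curl\s+-s|wget\s+-q)[^\n]{0,120}\|\s*(?:iex|sh|bash)\b", re.I)
B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")  # long unbroken base64 runs

def _blob_is_suspicious(blob: bytes) -> bool:
    """True if a base64 run decodes to a PE image or to a shell/PowerShell command."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    low = raw.lower()
    return raw.startswith(b"MZ") or b"powershell" in low or b"cmd.exe" in low

def triage_bytes(name: str, data: bytes) -> list[str]:
    """Return human-readable findings for one file's raw content (review aid, not a classifier)."""
    findings = []
    if data.startswith(b"MZ"):
        findings.append(f"{name}: PE executable committed to a source repository")
    text = data.decode("utf-8", errors="ignore")
    if ENCODED_CMD.search(text):
        findings.append(f"{name}: base64-encoded PowerShell command line")
    if DOWNLOAD_EXEC.search(text):
        findings.append(f"{name}: download-and-execute pipeline")
    if any(_blob_is_suspicious(m.group(0)) for m in B64_BLOB.finditer(data)):
        findings.append(f"{name}: embedded base64 blob decodes to an executable or command")
    return findings

def triage_tree(root: str) -> list[str]:
    """Walk a checked-out repository (skipping .git) and collect findings for every file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                findings.extend(triage_bytes(os.path.relpath(path, root), fh.read()))
    return findings

def demo() -> dict[str, list[str]]:
    """Constructed samples: a plain network PoC next to three loader-style files."""
    return {
        "clean": triage_bytes("poc.py", b"import socket\ns = socket.socket()\ns.connect(('target', 445))\n"),
        "encoded": triage_bytes("poc.py", b"os.system('powershell -w hidden -enc SQBFAFgA')\n"),
        "blob": triage_bytes("res.txt", base64.b64encode(b"MZ" + b"\x90" * 200)),
        "exe": triage_bytes("poc.exe", b"MZ\x90\x00\x03"),
    }
```

Run `triage_tree("/path/to/clone")` on a freshly cloned PoC and read the findings before executing anything; an empty list is not a clean bill of health, only the absence of these particular loader patterns.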
The following notes concern the cyber phases of Russia's hybrid war against Ukraine. The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.
Hyperlocal sites have been marshaled by Russian influence operators to normalize the occupation of Ukrainian villages controlled by Russian forces, CyberScoop reports. They source their story to Detector Media, which says that the effort is being organized over Telegram. "We managed to find 88 newly created Telegram channels of the occupiers," Detector Media writes. "However, their list is growing. The vast majority of such channels were registered a few days after February 24th. A significant part of local channels was created long before the actual military occupation of the cities, and some of those are the ones that the Russians did not manage to occupy. Conventionally, such channels can be divided into two categories:
- "Those that can act as "official" sources of the occupiers. That is, such Telegram channels post on behalf of the occupiers. For example, inform about humanitarian aid or call for reporting on the movement of Ukrainian military equipment;
- "Those that mimic the media's behavior, i.e., publish news about the occupied city/village but are overfilled with propaganda and misinformation."
The content mirrors familiar Russian lines of disinformation: Ukrainian corruption and failure, the Western conspiracy behind the war, the promise of liberation, etc. The evidence of Russian creation and coordination Detector Media cites is circumstantial but convincing.
Turla reconnaissance detected in Austrian and Estonian networks.
BleepingComputer reports that the Russian threat actor Turla, also known as Snake or Venomous Bear, and associated with the FSB, has staged typosquatting domains for use against Austrian and Estonian targets. The activity so far represents a cyber reconnaissance phase of battlespace preparation. It is, as the Sekoia researchers who discovered it say, a phishing campaign:
"SEKOIA.IO Threat & Detection Research (TDR) Team have expanded the search on Russian-linked TURLA’s infrastructures from a Google’s TAG blog post. It exposes a reconnaissance and espionage campaign from the Turla intrusion set against the Baltic Defense College, the Austrian Economic Chamber which has a role in government decision-making such as economic sanctions and NATO’s eLearning platform JDAL (Joint Advanced Distributed Learning) pointing Russian Intelligence interest for defense sector in Eastern Europe and for topics related to the economic sanctions against the Russian Federation."