At a glance.
- Politically motivated Iranian group claims Port of London Authority DDoS.
- Someone claiming to be REvil is back.
- Frustrated bug bounty hunters?
- CISA advisories.
- Probable Chinese cyberespionage against Russian targets.
Politically motivated DDoS attack on Port of London Authority website.
An Iranian group has claimed responsibility for a distributed denial-of-service (DDoS) attack that interfered with the Port of London Authority's website. The Authority acknowledged the incident but said that operational systems were unaffected. The group that said it was behind the attack, the ALtahrea Team, is a nominally hacktivist group, HackRead says, that operates under the direction of the Iranian government.
Is REvil back and looking into new criminal techniques, or is a recent DDoS campaign the work of impostors?
Akamai reports that one of its clients has fallen victim to a distributed denial-of-service (DDoS) attack at the hands of a threat actor claiming to be REvil. The attack consists of a wave of HTTP/2 GET requests with payment demands and a Bitcoin wallet address embedded in them. The attached Bitcoin wallet, however, has no history and no connection to REvil. Researchers noted that this attack seems smaller in scale than most REvil attacks, and seems to have a political purpose, which is something not seen before with the group. It’s also a DDoS attack, which is outside the old REvil playbook: REvil had been known for its ransomware-as-a-service offerings in the C2C market. Akamai thinks there are a number of possibilities here. Either the operation is an imposture, trading on REvil’s remaining reputational equity to spook its victims, or it’s REvil redivivus, back and looking into new approaches to crime. Or perhaps it’s a splinter group of REvil alumni, getting part of the band back together. In any case the recent attacks and the techniques they display are worth watching.
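Requests that carry the demand and wallet in their own payload are unusually self-identifying, so edge logs can be scanned for them alongside ordinary per-source rate counts. The following is an added illustration written for this briefing, not Akamai's tooling or anything from the original report: the access-log lines and wallet strings are constructed, and the demand keyword list and the per-source request threshold are assumptions a defender would tune to their own traffic.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in combined log format: one flooding client embeds a
# payment demand and a wallet address in the query string; the other lines
# are ordinary traffic for contrast. Addresses are made-up placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [25/May/2022:10:00:01 +0000] "GET /?note=pay%201%20btc%20to%20bc1qexampleexampleexampleexampleexampleq3 HTTP/2.0" 200 512 "-" "python-requests/2.27"
203.0.113.5 - - [25/May/2022:10:00:02 +0000] "GET /index.html?x=send%20ransom%20to%201ExampLeExampLeExampLeExampLeXyz HTTP/2.0" 200 512 "-" "python-requests/2.27"
198.51.100.7 - - [25/May/2022:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [25/May/2022:10:00:02 +0000] "GET /?note=pay%201%20btc%20to%20bc1qexampleexampleexampleexampleexampleq3 HTTP/2.0" 200 512 "-" "python-requests/2.27"
203.0.113.9 - - [25/May/2022:10:00:03 +0000] "GET /about HTTP/2.0" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [25/May/2022:10:00:03 +0000] "GET /?note=pay%201%20btc%20to%20bc1qexampleexampleexampleexampleexampleq3 HTTP/2.0" 200 512 "-" "python-requests/2.27"
203.0.113.5 - - [25/May/2022:10:00:03 +0000] "GET /?note=we%20will%20stop%20when%20you%20pay HTTP/2.0" 200 512 "-" "python-requests/2.27"
"""

# Combined log format: client, identd, user, [timestamp], "method target proto", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Bitcoin address shapes: Base58 legacy/P2SH (leading 1 or 3) and bech32 (bc1...).
WALLET_RE = re.compile(r'\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b')
# Assumed demand vocabulary; "pay" alone will hit legitimate payment paths, so
# treat keyword-only matches as weaker than a wallet match or a rate anomaly.
DEMAND_WORDS = ("ransom", "btc", "bitcoin", "pay", "wallet")


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["target"] = unquote(rec["target"])  # decode %20 etc. so the demand text is searchable
    return rec


def extortion_indicators(target):
    """Return (wallet addresses, demand keywords) found in a decoded request target."""
    wallets = WALLET_RE.findall(target)
    low = target.lower()
    words = [w for w in DEMAND_WORDS if w in low]
    return wallets, words


def analyze(log_text, flood_threshold=4):
    """Flag requests carrying payment demands and sources at or above the request threshold."""
    hits = []
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_ip[rec["ip"]] += 1
        wallets, words = extortion_indicators(rec["target"])
        if wallets or words:
            hits.append({"ip": rec["ip"], "proto": rec["proto"],
                         "wallets": wallets, "keywords": words})
    floods = sorted(ip for ip, n in per_ip.items() if n >= flood_threshold)
    wallets_seen = sorted({w for h in hits for w in h["wallets"]})
    return {"hits": hits, "flood_sources": floods, "wallets": wallets_seen}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"{len(result['hits'])} demand-bearing requests from {result['flood_sources']}")
    print("wallets seen:", result["wallets"])
```

The wallet strings extracted this way are the useful artefact: as Akamai did, a defender can check whether an address has any transaction history before treating the demand as credible, and a single address recurring across many requests is itself a convenient grouping key for the flood.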
RansomHouse may be operated by frustrated bounty hunters.
RansomHouse, a new extortion gang, skips the data encryption customary with conventional ransomware operators and extorts victims by data theft and the threat of doxing. Researchers at Cyberint who've been tracking the group note that it claims an elevated purpose. RansomHouse objects to the way organizations don't devote enough resources to security, and hopes to shove them in the direction of better practices. RansomHouse also objects to what it views as a cheapskate tendency with respect to bug bounties, and this suggests to Cyberint that the members of the gang may be frustrated bounty hunters, white hats gone bad. Cyberint explains:
"Throughout their entire introduction process, RansomHouse sees themselves as the ones who do what’s right and makes excuses such as “the organizations are the ones to lead us to these actions” as they are avoiding taking any responsibility.
"RansomHouse is practically forcing “penetration testing services” on organizations that never used their services or rewarded bug bounties, and once they find any vulnerabilities, they fully exploit them to steal as much sensitive data as possible.
"Ironically, RansomHouse announced on their Onion site that they are pro-freedom and support the free market, but on the other hand, they punish organizations that choose to not invest in their protection systems."
CISA advisories, and updates to the Known Exploited Vulnerabilities Catalog.
Yesterday the US Cybersecurity and Infrastructure Security Agency (CISA) issued four industrial control system security advisories. They cover Rockwell Automation Logix Controllers, Matrikon OPC Server, Mitsubishi Electric FA Engineering Software Products (Update D), and Mitsubishi Electric Factory Automation Engineering Products (Update F).
And, for immediate action by US Federal civilian executive agencies, CISA yesterday added twenty issues to its Known Exploited Vulnerabilities Catalog, joining the twenty-one vulnerabilities added Tuesday. The agencies CISA oversees are expected to scan for and fix the vulnerabilities, and to report completion by, respectively, June 14th and June 13th.
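The catalog those deadlines refer to is also published by CISA as a JSON feed, which is how most teams track the due dates rather than reading the web listing. The following is an added example, not CISA's code or anything from the original briefing: it parses a constructed excerpt that uses the feed's field names, picks out the entries added on a given range of dates, and ranks them by due date against a constructed product inventory. The CVE identifiers and vendor names are placeholders, not real catalog entries.

```python
import json
from datetime import date

# Constructed excerpt shaped like CISA's KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The cveID, vendor and product values are placeholders; the dates mirror the
# briefing's pattern of a Tuesday batch due June 13 and a Wednesday batch due June 14.
SAMPLE_KEV = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "constructed",
  "dateReleased": "2022-05-25T00:00:00.0000Z",
  "count": 4,
  "vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "Widget Server",
     "vulnerabilityName": "placeholder", "dateAdded": "2022-05-25", "shortDescription": "placeholder",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-06-14", "notes": ""},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "Widget Agent",
     "vulnerabilityName": "placeholder", "dateAdded": "2022-05-25", "shortDescription": "placeholder",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-06-14", "notes": ""},
    {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor", "product": "Gateway",
     "vulnerabilityName": "placeholder", "dateAdded": "2022-05-24", "shortDescription": "placeholder",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-06-13", "notes": ""},
    {"cveID": "CVE-0000-00004", "vendorProject": "OtherVendor", "product": "Legacy Appliance",
     "vulnerabilityName": "placeholder", "dateAdded": "2022-03-01", "shortDescription": "placeholder",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-03-22", "notes": ""}
  ]
}
"""

# Constructed inventory of (vendor, product) pairs the organisation actually runs.
INVENTORY = [("examplevendor", "Widget Server"), ("OtherVendor", "Legacy Appliance")]


def load_catalog(text):
    """Parse a KEV-format JSON document and return its vulnerabilities list."""
    return json.loads(text)["vulnerabilities"]


def added_between(entries, start, end):
    """Entries whose dateAdded falls within [start, end], inclusive."""
    return [e for e in entries if start <= date.fromisoformat(e["dateAdded"]) <= end]


def remediation_status(entries, today, inventory):
    """Deadline view per entry: days left (negative once overdue) and whether the product is in scope.

    Matching is case-insensitive on vendorProject and product; sorted soonest deadline first."""
    scope = {(v.lower(), p.lower()) for v, p in inventory}
    rows = []
    for e in entries:
        due = date.fromisoformat(e["dueDate"])
        rows.append({
            "cveID": e["cveID"],
            "dueDate": e["dueDate"],
            "days_left": (due - today).days,
            "overdue": due < today,
            "in_scope": (e["vendorProject"].lower(), e["product"].lower()) in scope,
        })
    return sorted(rows, key=lambda r: r["dueDate"])


if __name__ == "__main__":
    entries = load_catalog(SAMPLE_KEV)
    recent = added_between(entries, date(2022, 5, 24), date(2022, 5, 25))
    print(f"{len(recent)} entries added in the last two batches")
    for row in remediation_status(entries, date(2022, 5, 26), INVENTORY):
        flag = "OVERDUE" if row["overdue"] else f"{row['days_left']}d left"
        print(f"{row['cveID']}  due {row['dueDate']}  {flag}  in_scope={row['in_scope']}")
```

Exact vendor/product string matching against the feed is deliberately simple here; in practice the catalog's `product` values are not normalised to any inventory taxonomy, so the `in_scope` column is a triage aid that still needs a human (or a CPE-aware matcher) to confirm.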
The following notes concern the cyber phases of Russia's hybrid war against Ukraine. The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.
More cyberespionage, probably of Chinese origin, targets Russian networks.
Malwarebytes researchers have posted more information on a cyberespionage campaign being run against Russian organizations. The operation implants a remote access Trojan (RAT) via phishing emails. The phishbait is a bogus security alert, “Rostec. FSB RF. Roskomnadzor. Urgent Vulnerability Fixes,” and the emails caution recipients “not to open or reply to suspicious emails,” which seems a nice touch. A number of recipients appear to have been in the Russian media, notably working at RT TV. Malwarebytes is cautious about saying who's behind the campaign. There are some signs that point to Deep Panda, but there are also code overlaps with TrickBot and BazarLoader, and other "weak indicators" pointing to the Lazarus Group and Tropic Troopers, but some or all of these could be incidental, or even deliberate false flags. The researchers conclude, "Attribution is difficult, and threat actors are known to use indicators from other groups as false flags. The attribution of the APT behind these campaigns is ongoing, but based on the infrastructure used we assess with low confidence that this group is a Chinese actor."