At a glance.
- Interpol coordinates international enforcement action against scammers.
- A new version of IceXLoader is observed.
- Exploiting versioning limits to render files inaccessible.
- Reflections on a large-scale hybrid war.
- The possibility of cyber escalation in Russia's war.
Interpol coordinates international enforcement action against scammers.
Interpol has announced that its Operation First Light 2022, directed against telecommunication fraud, business email compromise, and the money laundering associated with them, has yielded a significant haul. Results are still coming in, but so far, Interpol says, the operation's tally is:
- "1,770 locations raided worldwide"
- "Some 3,000 suspects identified"
- "Some 2,000 operators, fraudsters and money launderers arrested"
- "Some 4,000 bank accounts frozen"
- "Some USD 50 million worth of illicit funds intercepted"
Law enforcement organizations in seventy-six countries were involved, a remarkably large cooperative effort. Four countries conducted the raids: China, Singapore, Papua New Guinea, and Portugal. The crimes involved were varied, ranging from human trafficking to Ponzi schemes built around bogus job ads.
A new version of IceXLoader is observed.
Researchers at Fortinet describe a new version of IceXLoader being hawked in criminal-to-criminal markets. "IceXLoader is a commercial malware used to download and deploy additional malware on infected machines," the researchers write. "The latest version is written in Nim, a relatively new language utilized by threat actors the past two years, most notably by the NimzaLoader variant of BazarLoader used by the TrickBot group." The new version is more evasive and difficult to detect than its predecessors, and, of course, successful infection exposes the victims to deployment of other, more damaging malware.
Exploiting versioning limits to render files inaccessible.
Proofpoint researchers have described a piece of Microsoft 365 functionality that allows ransomware to encrypt SharePoint and OneDrive files and leave them unrecoverable without backups or a decryption key. The researchers explain that a threat actor who has gained access to a user account (through compromised or hijacked credentials) can lower the versioning limit on OneDrive and SharePoint document libraries to something as low as 1, encrypt the files twice so that no unencrypted version remains in the retained history, optionally exfiltrate the unencrypted files first, and then demand a ransom. A second option doesn't involve changing the versioning settings at all: the default version limit is 500, so editing a file 501 times pushes the original out of the retained history, because only the 500 most recent versions are kept. An attacker who encrypts the file on each of those 501 edits leaves only encrypted versions behind, and raising the version limit after the attack does not bring the original back.
Proofpoint disclosed this information to Microsoft, which explained, first, that the versioning settings configuration workflow is working as intended, and, second, that older versions of files can be recovered and restored for fourteen days by contacting Microsoft Support. While the versioning settings configuration functionality is working as designed, Proofpoint says that it can still be abused by malicious actors. The researchers also reported difficulty recovering older versions of some files through Microsoft Support.
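Both abuse paths described above leave a recognizable footprint in activity logs: a reduction of a library's version limit, or a burst of edits to one file by one account that reaches the library's current limit. The following is an added detection example written for this briefing, not code from Proofpoint or Microsoft. It runs over a constructed set of audit events whose field names (`op`, `user`, `library`, `item`, `old_limit`, `new_limit`, `ts`) are hypothetical and do not follow any real Microsoft 365 audit schema; a real deployment would map the organization's own audit export onto these fields.

```python
"""Detect version-limit reductions and edit bursts that exhaust a file's
retained version history. Added example, not vendor code."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

DEFAULT_VERSION_LIMIT = 500  # default library limit cited in the text


def _ts(s):
    return datetime.fromisoformat(s)


def build_sample_events():
    """Constructed audit events. Field names are hypothetical."""
    events = [
        # Library limit lowered from the default to 1, then two quick edits:
        # after the second edit no pre-edit version of the file remains.
        {"ts": "2022-06-17T09:00:00", "op": "VersionLimitChanged",
         "user": "alice@example.com", "library": "Finance",
         "old_limit": 500, "new_limit": 1},
        {"ts": "2022-06-17T09:01:00", "op": "FileModified",
         "user": "alice@example.com", "library": "Finance", "item": "budget.xlsx"},
        {"ts": "2022-06-17T09:01:30", "op": "FileModified",
         "user": "alice@example.com", "library": "Finance", "item": "budget.xlsx"},
        # Benign: a single edit in a library that keeps the default limit.
        {"ts": "2022-06-17T09:05:00", "op": "FileModified",
         "user": "bob@example.com", "library": "HR", "item": "handbook.docx"},
    ]
    # 501 rapid edits to one file under the default limit of 500: the
    # original is no longer among the 500 retained versions.
    base = _ts("2022-06-17T10:00:00")
    for i in range(501):
        events.append({"ts": (base + timedelta(seconds=i)).isoformat(),
                       "op": "FileModified", "user": "carol@example.com",
                       "library": "Legal", "item": "contract.docx"})
    return events


def detect(events, window=timedelta(minutes=15)):
    """Return a list of findings, in event order:
    ("limit_lowered", user, library, old_limit, new_limit) for any reduction,
    ("edit_burst", user, library, item, count) when one account's edits to
    one file inside `window` exceed the library's current version limit."""
    findings = []
    limits = defaultdict(lambda: DEFAULT_VERSION_LIMIT)  # library -> limit
    recent = defaultdict(deque)  # (user, library, item) -> timestamps in window
    for e in sorted(events, key=lambda e: e["ts"]):
        t = _ts(e["ts"])
        if e["op"] == "VersionLimitChanged":
            limits[e["library"]] = e["new_limit"]
            if e["new_limit"] < e["old_limit"]:
                findings.append(("limit_lowered", e["user"], e["library"],
                                 e["old_limit"], e["new_limit"]))
        elif e["op"] == "FileModified":
            key = (e["user"], e["library"], e["item"])
            q = recent[key]
            q.append(t)
            while q and t - q[0] > window:
                q.popleft()
            # Exceeding the limit within the window means every version
            # present before the burst has been evicted.
            if len(q) > limits[e["library"]]:
                findings.append(("edit_burst", e["user"], e["library"],
                                 e["item"], len(q)))
                q.clear()  # report each burst once
    return findings


if __name__ == "__main__":
    for finding in detect(build_sample_events()):
        print(finding)
```

The burst threshold is tied to the library's current limit rather than a fixed number, so the rule fires after two edits once a limit has been dropped to 1 and only after 501 edits under the default setting; a fixed threshold well below the limit (for example 20 edits in 15 minutes) would give earlier warning at the cost of more false positives from automated tooling.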
Reflections on a large-scale hybrid war.
The Atlantic Council has an essay by Yurii Shchyhol, head of Ukraine’s State Service of Special Communications and Information Protection. Mr. Shchyhol discusses Russia's war against Ukraine as the first cyber war, that is, the first major war in which cyber operations have been integrated fully into planning and operations. One of its conclusions is that the war has rendered obvious what's long been known by close observers of cyber gangs: the place the Russian cyber underworld occupies in Moscow's order of battle. "The current war has confirmed that while Russian hackers often exist outside of official state structures, they are highly integrated into the country’s security apparatus and their work is closely coordinated with other military operations. Much as mercenary military forces such as the Wagner Group are used by the Kremlin to blur the lines between state and non-state actors, hackers form an unofficial but important branch of modern Russia’s offensive capabilities." Shchyhol also notes that the war has revealed Russian limitations as well as Russian capabilities. Ukraine's infrastructure has shown significant resilience under Russian cyberattack.
Computing has an essay arguing that in wartime nations now have as much to fear from cyberattacks as they do from kinetic attacks. At first look this seems overstated: after all, cyberattacks become lethal only when they have kinetic effects. A ransomware attack, for example, is as such very far from being an artillery barrage, and a corrupted database isn't the same thing, IRL, as an artillery preparation. Unless we've become gnostics who believe the physical world is less real than the information space, few would go that far. But reading past the headline, that's not the essay's point. Its argument, rather, is that modern infrastructure is now so inextricably intertwined with and dependent on information technology that cyberattacks can and do have physical, kinetic effects. Computing quotes Ian Hill, director of cyber security at BGL Insurance, who said, at the magazine's conference last week, "The real world and the virtual world have become so interdependent. Our physical world, certainly in the context of Western society, has pretty much got to the point of no return, where our dependency on technology - and technology's dependence on the internet - that the economy cannot exist without them. If anything happens to the internet, or some connected technology, we've got a real problem."
The possibility of cyber escalation in Russia's war.
The Cyber Peace Institute has published a useful overview of operations in the fifth domain during Russia's war against Ukraine.
Observers continue to debate why Russian cyberattacks haven't been more widespread and more destructive than they've proved so far to be. If Shchyhol is correct, as he seems to be, that Russian cyber operators are about as concerned with abiding by the norms of proportionality and discrimination embodied in international laws of armed conflict as Russian infantry and artillery have shown themselves to be, then the apparent restraint Moscow has exhibited seems to require explanation. An essay in Cyber Security Hub concludes that a partial explanation can be found in deterrence. President Putin doesn't want a full war with NATO, and has been concerned to avoid attacks on critical infrastructure that would provoke a kinetic response from the Atlantic Alliance.
If Russia has maintained the complete conquest of Ukraine as its objective, as many observers think it has, can deterrence be expected to hold in cyberspace as the war inevitably escalates on the ground? An assessment in GIS concludes that it may not. "Russia’s red lines and escalation strategy could further change in the weeks and months ahead. How the military, political and economic aspects evolve, and war aims change will influence how the Kremlin decides to use its cyber capabilities in the conflict." Defense One reports that some US officials agree. They see the indiscriminate effects of NotPetya as foreshadowing the probable course of Russian escalation. “I do think there there is a risk that the deeper you get into this conflict that the Russians will…be pressed to resort to more aggressive operations,” Neal Higgins, the deputy national cyber director for national cybersecurity at the White House’s Office of the National Cyber Director, said this week at Defense One's Tech Summit. "If you're acting quickly and desiring a large impact, there is a risk that you lose control and that that did occur. It certainly is a risk that we continue to monitor across the government.”
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.