At a glance.
- ToddyCat APT discovered (but not yet attributed).
- ICEFALL ICS vulnerabilities described.
- CISA issues ICS vulnerability advisories.
- Fancy Bear sighted in Ukrainian in-boxes.
- Why Russian cyberattacks against Ukraine have fallen short of expectations.
ToddyCat APT is active in European and Asian networks.
Kaspersky describes ToddyCat, a hitherto unremarked APT active against "high-profile" European and Asian targets. The threat actor works against vulnerable Microsoft Exchange instances, has been active since late 2020, and deploys at least two distinctive tools, the Samurai backdoor and the Ninja Trojan. It's not clear whom ToddyCat is working for, and its disparate target list offers few obvious suggestions. The threat actor is said to have been active against Taiwan, Vietnam, Afghanistan, India, Iran, Malaysia, Pakistan, Russia, Slovakia, Thailand, the United Kingdom, Kyrgyzstan, Uzbekistan, and Indonesia.
ICEFALL ICS vulnerabilities described.
Researchers at Forescout describe "OT:ICEFALL," which they characterize as "a set of 56 vulnerabilities affecting devices from 10 OT vendors." Forescout rather sternly calls the affected systems "insecure by design," and divides the vulnerabilities into five categories:
- "Remote code execution (RCE): Allows an attacker to execute arbitrary code on the impacted device, but the code may be executed in different specialized processors and different contexts within a processor, so an RCE does not always mean full control of a device. This is usually achieved via insecure firmware/logic update functions that allow the attacker to supply arbitrary code."
- "Denial of service (DoS): Allows an attacker to either take a device completely offline or to prevent access to some function."
- "File/firmware/configuration manipulation: Allows an attacker to change important aspects of a device such as files stored within it, the firmware running on it or its specific configurations. This is usually achieved via critical functions lacking the proper authentication/authorization or integrity checking that would prevent attackers from tampering with the device."
- "Compromise of credentials: Allows an attacker to obtain credentials to device functions, usually either because they are stored or transmitted insecurely."
- "Authentication bypass: Allows an attacker to bypass existing authentication functions and invoke desired functionality on the target device."
Completely mitigating the ICEFALL vulnerabilities will require vendor-delivered patches. In the meantime, mitigation rests on network isolation (particularly isolation of OT and industrial control systems from business networks and the wider Internet), restricting network connections to specifically selected engineering workstations, and, of course, "focusing on consequence reduction."
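The interim mitigations above (keep OT devices off business networks and the Internet, and let only designated engineering workstations reach controllers) can be checked continuously rather than once. The following is an added example, not code from Forescout or from the original briefing: a small Python audit that reads flow records and flags every connection that breaks such a segmentation policy. The flow-log format, the address ranges, the allowlisted workstation addresses and the set of controller protocol ports are all constructed assumptions for illustration; a real deployment would take them from the site's asset inventory and firewall or NetFlow export.

```python
"""Audit OT network flow records against a segmentation policy.

Constructed example: the flow-log line format, the zones, the allowlist and
the port set are illustrative assumptions, not taken from any product.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed zones (assumption): where controllers live and where business IT lives.
OT_ZONE = ipaddress.ip_network("10.20.0.0/16")
BUSINESS_ZONE = ipaddress.ip_network("10.50.0.0/16")

# Constructed allowlist (assumption): the only hosts permitted to program or
# reconfigure controllers.
ENGINEERING_WORKSTATIONS = {
    ipaddress.ip_address("10.20.1.10"),
    ipaddress.ip_address("10.20.1.11"),
}

# Ports on which controllers accept commands, logic/firmware uploads or
# configuration changes. These are well-known OT protocol ports (ISO-TSAP/S7 102,
# Modbus/TCP 502, DNP3 20000, EtherNet/IP 44818); which ones matter is site-specific.
CONTROLLER_PORTS = {102, 502, 20000, 44818}

# Constructed record format (assumption): "<timestamp> src=<ip> dst=<ip> dport=<n> proto=<p>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def classify(src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address, dport: int) -> List[str]:
    """Return the names of the policy rules one flow violates (empty list means allowed)."""
    reasons: List[str] = []
    src_in_ot = src in OT_ZONE
    dst_in_ot = dst in OT_ZONE
    # Rule 1: hosts in the OT zone never initiate connections out of it
    # (to the business network or the Internet).
    if src_in_ot and not dst_in_ot:
        reasons.append("ot_egress")
    # Rule 2: nothing outside the OT zone reaches into it except allowlisted
    # engineering workstations.
    if dst_in_ot and not src_in_ot and src not in ENGINEERING_WORKSTATIONS:
        reasons.append("unauthorized_ingress")
    # Rule 3: controller protocol ports accept only allowlisted workstations,
    # even when the client is already inside the OT zone.
    if dst_in_ot and dport in CONTROLLER_PORTS and src not in ENGINEERING_WORKSTATIONS:
        reasons.append("controller_port_from_unlisted_host")
    return reasons


def is_allowed(src: str, dst: str, dport: int) -> bool:
    """String-address convenience wrapper around classify()."""
    return not classify(ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)


def audit(flow_lines: List[str]) -> List[Dict[str, object]]:
    """Parse flow records and return one finding per violating flow."""
    findings: List[Dict[str, object]] = []
    for line in flow_lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # skip malformed records instead of aborting the whole audit
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        dport = int(m["dport"])
        reasons = classify(src, dst, dport)
        if reasons:
            findings.append({"ts": m["ts"], "src": str(src), "dst": str(dst),
                             "dport": dport, "reasons": reasons})
    return findings


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    # allowed: engineering workstation programming a controller
    "2022-06-22T09:00:01Z src=10.20.1.10 dst=10.20.7.1 dport=502 proto=tcp",
    # allowed: controller-to-controller traffic on a non-programming port
    "2022-06-22T09:00:05Z src=10.20.7.1 dst=10.20.7.2 dport=5000 proto=tcp",
    # violation: business-network host reaching a controller protocol port
    "2022-06-22T09:01:10Z src=10.50.3.4 dst=10.20.7.1 dport=502 proto=tcp",
    # violation: controller calling out to a public address
    "2022-06-22T09:02:30Z src=10.20.7.2 dst=203.0.113.9 dport=443 proto=tcp",
    # violation: unlisted OT host (an HMI, say) using a programming port
    "2022-06-22T09:03:00Z src=10.20.9.5 dst=10.20.7.1 dport=102 proto=tcp",
    # malformed record, skipped by the parser
    "garbage record",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Run against the constructed sample, the audit reports three findings: the business-host connection (which trips both the ingress rule and the controller-port rule), the controller's outbound connection to a public address, and the unlisted OT host touching a programming port. The rules are deliberately independent so a single flow can carry several reasons; that makes triage easier than a first-match policy, because the analyst sees every control the flow crossed.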
CISA issues ICS vulnerability advisories.
The US Cybersecurity and Infrastructure Security Agency (CISA) yesterday released six industrial control system (ICS) security advisories, for Mitsubishi Electric MELSEC Q and L Series (with "mitigations for an Improper Resource Locking vulnerability in Mitsubishi Electric MELSEC Q and L Series CPUs"), JTEKT TOYOPUC ("mitigations for a Missing Authentication for Critical Function vulnerability in the JTEKT TOYOPUC programmable logic controller"), Phoenix Contact Classic Line Controllers ("mitigations for an Insufficient Verification of Data Authenticity vulnerability in the Phoenix Contact Classic Line Controllers"), Phoenix Contact ProConOS and MULTIPROG (addressing "an Insufficient Verification of Data Authenticity vulnerability in the Phoenix Contact ProConOS and MULTIPROG software development kit"), Phoenix Contact Classic Line Industrial Controllers ("mitigations for a Missing Authentication for Critical Function Insufficient Verification of Data Authenticity vulnerability in the Phoenix Contact Classic Line Industrial Controllers"), and, finally, Siemens WinCC OA (with "mitigations for a Use of Client-side Authentication vulnerability in the Siemens SIMATIC WinCC OA software management platform").
Fancy Bear sighted in Ukrainian in-boxes.
CERT-UA warns that APT28, the GRU operators familiarly known as Fancy Bear, have opened a renewed campaign of exploitation against systems still vulnerable to Follina, the Microsoft Diagnostic Tool vulnerability tracked as CVE-2022-30190. Fancy Bear is running two distinct campaigns, Ukraine's SSSCIP warns, both of which use phishing as their mode of access. The phishbait appeals to two very different sets of fears. The first campaign, which Malwarebytes has also described, counts on an email recipient's fear of nuclear war (topical, given the ongoing Russian nuclear saber-rattling described by the Telegram). The malicious document, "Nuclear Terrorism A Very Real Threat," carries CredoMap malware as its payload, CERT-UA says. The other campaign uses a more proximate if less existential dread to induce the recipient to click: fear of the taxman. Anyone in wartime might be forgiven an understandable lapse of memory where paying taxes is concerned. The phishbait sample CERT-UA shares is sternly entitled "Imposition of penalties," and the malicious document carries a CobaltStrike beacon as its payload. The email's subject is "Notice of non-payment of tax." The goal of both campaigns appears to be espionage, although it's worth noting that CERT-UA sees the tax-themed campaign as directed against critical infrastructure.
Why Russian cyberattacks against Ukraine have fallen short of expectations.
An op-ed in the Washington Post summarizes what's becoming consensus opinion about Russia's failure to deliver the devastating cyberattacks that were generally expected during the run-up to war: Ukrainian resilience, with appropriate and well-applied assistance from the private sector, was able to fend the Russian operators off. "The close partnerships that have emerged between U.S. technology companies and Western cybersecurity agencies is one of the unheralded stories of the war. The public-private rift in the tech world that followed Edward Snowden’s revelations in 2013 appears largely to be over — because of the backlash against Russia’s attacks on the 2016 and 2020 U.S. presidential elections and, now, its unprovoked invasion of Ukraine."
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.