At a glance.
- Iranian steel mill suspends production due to cyberattack.
- Bumblebee rising.
- CISA adds to its Known Exploited Vulnerabilities Catalog.
- Distributed denial-of-service attacks against Lithuania.
- Dark Crystal RAT described.
Iranian steel mill suspends production due to cyberattack.
A cyberattack struck one of Iran’s major steel companies on Monday, forcing it to halt production, SecurityWeek reports. The attack hit the state-owned Khuzestan Steel Co. and two other major steel producers. An anonymous hacking group, “Gonjeshke Darande” ("Predatory Sparrow," in the Jerusalem Post's translation), has claimed responsibility for the attack, saying that it was done to target the “aggression of the Islamic Republic.” The group shared alleged closed-circuit footage from the Khuzestan Steel Co. in which a piece of heavy machinery on a steel billet production line malfunctioned and caused a fire. The CEO of Khuzestan Steel, Amin Ebrahimi, claimed that the attack was thwarted, saying, “Fortunately with time and awareness, the attack was unsuccessful,” and noting that everything should return to normal by the end of Monday. Neither of the other steel producers targeted in the attack reported damage or production issues.
Predatory Sparrow has been heard from before, CyberScoop observes, notably in 2021's wiper attacks against Iran's rail system, and Check Point has obtained samples from the most recent incident that link it to the earlier attack. Relatively little is known about the group beyond its self-presentation as hacktivists opposed to the Islamic Republic.
Bumblebee rising.
The Symantec Threat Hunter Team, part of Broadcom Software, this morning released a report on the Bumblebee loader. The researchers characterize it as "a recently developed malware loader" and say that it "has quickly become a key component in a wide range of cyber-crime attacks and appears to have replaced a number of older loaders, which suggests that it is the work of established actors and that the transition to Bumblebee was pre-planned." The rapidity with which Bumblebee has achieved a central position in criminal-to-criminal markets indicates not only the C2C market's relative efficiency, but the extent to which it's come to resemble the functioning of legitimate markets. "Bumblebee’s links to a number of high-profile ransomware operations suggest that it is now at the epicenter of the cyber-crime ecosystem," the Symantec Threat Hunter Team concludes. "Any organization that discovers a Bumblebee infection on its network should treat this incident with high priority since it could be the pathway to several dangerous ransomware threats." Their study includes a long set of indicators of compromise.
CISA adds to its Known Exploited Vulnerabilities Catalog.
The US Cybersecurity and Infrastructure Security Agency (CISA) yesterday added eight vulnerabilities to its Known Exploited Vulnerabilities Catalog. The issues, which Federal civilian Executive Branch agencies falling under Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities must address by July 18th, 2022, are:
- CVE-2022-29499, a Mitel MiVoice Connect Data Validation Vulnerability that "allows remote code execution due to incorrect data validation."
- CVE-2021-30533, a Google Chromium Security Bypass Vulnerability. "Insufficient policy enforcement in the PopupBlocker for Chromium allows an attacker to remotely bypass security mechanisms. This vulnerability impacts web browsers using Chromium such as Chrome and Edge."
- CVE-2021-4034, a Red Hat Polkit Out-of-Bounds Read and Write Vulnerability. "The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability which allows for privilege escalation with administrative rights."
- CVE-2021-30983, an Apple iOS and iPadOS Buffer Overflow Vulnerability. "Apple iOS and iPadOS contain a buffer overflow vulnerability that could allow an application to execute code with kernel privileges."
- CVE-2020-3837, Apple Multiple Products Memory Corruption Vulnerability. "Apple iOS, iPadOS, macOS, tvOS, and watchOS contain a memory corruption vulnerability that could allow an application to execute code with kernel privileges."
- CVE-2020-9907, Apple Multiple Products Memory Corruption Vulnerability. "Apple iOS, iPadOS, and tvOS contain a memory corruption vulnerability that could allow an application to execute code with kernel privileges. Apply updates per vendor instructions."
- CVE-2019-8605, Apple Multiple Products Use-After-Free Vulnerability. "A use-after-free vulnerability in Apple iOS, macOS, tvOS, and watchOS could allow a malicious application to execute code with system privileges."
- CVE-2018-4344, Apple Multiple Products Memory Corruption Vulnerability. "Apple iOS, macOS, tvOS, and watchOS contain a memory corruption vulnerability which can allow for code execution."
In all cases the remedy is "Apply updates per vendor instructions." While the private sector in the US (and elsewhere) of course isn't bound by BOD 22-01, it's prudent for all organizations to take a close look and consider remediating these vulnerabilities.
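For organizations that do want to track KEV due dates the way BOD 22-01 obliges Federal agencies to, the catalog is also published as a JSON feed, and the practical step is to join it against scanner findings and flag anything past due. The script below is an added example, not CISA's code or tooling: the catalog sample is constructed in the shape of the public feed (the field names cveID, vendorProject, product, requiredAction and dueDate follow the feed; only the fields the script uses are included), it carries four of the eight CVEs listed above with the July 18th due date, and the scanner output is likewise constructed, with CVE-2000-0000 standing in for a finding that is not in the catalog.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow
# the public feed; only the fields this script reads are included. The four
# entries are drawn from the CVEs listed above, with the BOD 22-01 due date.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2022-29499", "vendorProject": "Mitel", "product": "MiVoice Connect",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-07-18"},
        {"cveID": "CVE-2021-30533", "vendorProject": "Google", "product": "Chromium",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-07-18"},
        {"cveID": "CVE-2021-4034", "vendorProject": "Red Hat", "product": "Polkit",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-07-18"},
        {"cveID": "CVE-2021-30983", "vendorProject": "Apple", "product": "iOS and iPadOS",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-07-18"},
    ],
})

# Constructed scanner output as (asset, CVE) pairs. CVE-2000-0000 is a
# placeholder for a finding that does not appear in the catalog; note the
# lower-case ID on ws-17, which real scanners do emit.
FINDINGS = [
    ("pbx-01", "CVE-2022-29499"),
    ("ws-17", "cve-2021-4034"),
    ("ws-17", "CVE-2000-0000"),
    ("ipad-03", "CVE-2021-30983"),
]


def load_kev(feed_text: str) -> dict:
    """Index the KEV feed by upper-cased CVE ID for direct lookups."""
    return {v["cveID"].upper(): v for v in json.loads(feed_text)["vulnerabilities"]}


def triage(kev: dict, findings, today_iso: str) -> list:
    """Keep only findings present in the KEV catalog and flag those whose
    due date has passed as of today_iso (YYYY-MM-DD). Sorted by due date,
    then asset, so the most urgent items come first."""
    today = date.fromisoformat(today_iso)
    rows = []
    for asset, cve in findings:
        entry = kev.get(cve.upper())
        if entry is None:
            continue  # not a KEV item; handle under normal patch cadence
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "asset": asset,
            "cve": cve.upper(),
            "vendor": entry["vendorProject"],
            "due": entry["dueDate"],
            "overdue": today > due,
            "action": entry["requiredAction"],
        })
    rows.sort(key=lambda r: (r["due"], r["asset"]))
    return rows


def overdue_count(kev: dict, findings, today_iso: str) -> int:
    """Number of KEV findings past their due date; useful as a single metric."""
    return sum(1 for r in triage(kev, findings, today_iso) if r["overdue"])


if __name__ == "__main__":
    catalog = load_kev(KEV_SAMPLE)
    for r in triage(catalog, FINDINGS, "2022-07-19"):
        flag = "OVERDUE" if r["overdue"] else "due " + r["due"]
        print(f'{r["asset"]:<8} {r["cve"]:<16} {r["vendor"]:<8} {flag}: {r["action"]}')
```

Against the live feed, replace KEV_SAMPLE with the downloaded JSON; the lookup is keyed on the normalized CVE ID, so scanner output in mixed case still matches, and findings absent from the catalog are dropped rather than silently treated as low priority.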
Distributed denial-of-service attacks against Lithuania.
Lithuania has said that the distributed denial-of-service attacks it's sustaining "probably" originate with Russia, SecurityWeek reports. According to CNN, the nominally hacktivist outfit Killnet has now claimed responsibility (the Cyber-Spetsnaz subgroup apparently having faded from the communiqués), and the Lithuanian government expects the attacks to continue, perhaps intensify, in coming days. “Part of the Secure National Data Transfer Network users have been unable to access services, work is in progress to restore it to normal,” Lithuania’s National Cyber Security Centre (NKSC) said. “It is highly probable that such, or even more, intense attacks will continue into the coming days, especially against the communications, energy and financial sectors.” Lithuania is attracting Russian attention because of its refusal to allow prohibited goods to be shipped over its rail lines to Russia's non-contiguous region of Kaliningrad, an enclave surrounded by Lithuanian and Polish territory.
Flashpoint, which has been following Killnet and related pro-Russian chatter, finds that chatter to be notably aggressive. "Flashpoint has identified chatter on various pro-Russian Telegram channels claiming that the current standoff between Russia and Lithuania could escalate to a full-fledged military confrontation, although no evidence of physical violence is yet to take place between Russia and Lithuania as of this publishing."
Dark Crystal RAT described.
CERT-UA earlier this month warned that Windows systems in Ukraine were under attack by Russian operators deploying the Dark Crystal RAT (DCRat). Fortinet's FortiGuard Labs yesterday issued a description of how DCRat (which they describe as "a commercial .NET Remote Access Trojan (RAT) commonly found being sold in underground forums") is being used. While the precise infection vector is unknown, it's believed to be a form of phishing. The payload is carried in malicious macros the victim is induced to run. The typical use to which DCRat is put has been data theft, but it also establishes persistence on victims' systems and can be used to stage a broad range of other attacks. The report concludes, "The RAT can be customized to the attacker’s needs by adding plug-ins. As the RAT primarily focuses on data exfiltration, stolen data will likely be used as a stepping stone for further activities against affected organizations. It can also lead to further damage such as a threat actor maintaining persistence in the long term, stealing personally identifiable information (PII), and confidential data. Targets of this attack are likely in Ukraine. Having a foothold in the compromised Ukrainian organization goes a long way towards inflicting long-term and unthinkable damage, due to the nature of this malware."
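Since the delivery described above depends on a macro-bearing document reaching a user, a cheap mail-gateway or triage check is to look inside Office Open XML attachments for a VBA project before anyone is asked to "enable content." The script below is an added example and not Fortinet's or CERT-UA's tooling: it opens an OOXML package (docx/docm/xlsx/xlsm/pptx/pptm, which are zip files) in memory, looks for the vbaProject.bin part and for the standard VBA content type in the package manifest, and flags a macro-bearing file that is presented under a non-macro extension. The sample document it builds is constructed for the demonstration and contains only a placeholder where a real VBA project would be.

```python
import io
import zipfile

# Content type that Office Open XML assigns to an embedded VBA project part.
# The part itself is conventionally named vbaProject.bin.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm", ".ppam")


def ooxml_macro_indicators(data: bytes) -> dict:
    """Inspect an OOXML package held in memory and report macro indicators.
    Anything that is not a zip, or a zip without the OOXML manifest, is
    reported with is_ooxml=False so the caller can route it elsewhere."""
    result = {"is_ooxml": False, "vba_part": None, "vba_content_type": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return result  # a zip, but not an OOXML package
            result["is_ooxml"] = True
            # Indicator 1: a VBA project part anywhere in the package.
            for name in names:
                if name.lower().endswith("vbaproject.bin"):
                    result["vba_part"] = name
                    break
            # Indicator 2: the manifest declares a VBA project content type.
            manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["vba_content_type"] = VBA_CONTENT_TYPE in manifest
    except zipfile.BadZipFile:
        pass
    return result


def has_macros(data: bytes) -> bool:
    """True if either indicator fires; a single hit is enough to quarantine."""
    ind = ooxml_macro_indicators(data)
    return ind["vba_part"] is not None or ind["vba_content_type"]


def classify_attachment(filename: str, data: bytes) -> str:
    """Triage verdict combining the content check with the claimed extension.
    A macro-bearing package under a .docx/.xlsx-style name is the case to
    escalate: the name promises no macros, the content carries them."""
    ind = ooxml_macro_indicators(data)
    if not ind["is_ooxml"]:
        return "not-ooxml"
    if not has_macros(data):
        return "ooxml-no-macros"
    if filename.lower().endswith(MACRO_EXTENSIONS):
        return "ooxml-macros"
    return "ooxml-macros-extension-mismatch"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package in memory (constructed sample, not a
    real document); the VBA part is a placeholder, not an actual project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        manifest = [
            '<?xml version="1.0" encoding="UTF-8"?>',
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Default Extension="xml" ContentType="application/xml"/>',
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
        ]
        if with_macro:
            manifest.append('<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>')
        manifest.append("</Types>")
        zf.writestr("[Content_Types].xml", "\n".join(manifest))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, doc in (("invoice.docm", build_sample(True)),
                      ("invoice.docx", build_sample(True)),
                      ("invoice.docx", build_sample(False))):
        print(name, classify_attachment(name, doc))
```

This check covers only the OOXML family; legacy binary formats (.doc, .xls) are OLE2 containers with a different layout, and a tool such as oletools' olevba handles both. Treat a hit as a reason to detonate or hold the file, not as proof of malice, since legitimate macro-enabled documents exist.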
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.