At a glance.
- Influence operation targets the rare earth marketplace.
- SOHO routers under attack.
- YTStealer discovered, out and active in the wild.
- CISA releases six ICS security advisories.
- Most dangerous software weaknesses.
- Response to Killnet.
Influence operations in the interest of national market share.
China has been engaging, Reuters reports, in an influence operation directed at arousing popular protests against Australian, Canadian, and US rare-earth mining companies. The sector is one in which China has a significant national interest, and the firms singled out for attention include Lynas Rare Earths Ltd, Appia Rare Earths and Uranium Corp, and USA Rare Earth. The campaign, "Dragonbridge," discovered and named by Mandiant, seems aimed at market dominance. It makes heavy use of inauthentic social media personae. "The campaign used inauthentic social media and forum accounts, including those posing as residents in Texas to feign concern over environmental and health issues surrounding the plant, including via posts to a public social media group predisposed to be receptive to that content," Mandiant said in its report. Dragonbridge doesn't seem, so far, to have been particularly effective, but Mandiant thinks the approach on display, particularly the microtargeting of the audience it seeks to reach, bears watching.
SOHO routers under attack.
Lumen's Black Lotus Labs report that small office/home office (SOHO) routers are under active attack by operators using the ZuoRAT remote access Trojan. The operators are after bigger fish than home offices. Remote work has made SOHO routers an attractive point-of-entry into larger networks, and that appears to be the case here. "The sudden shift to remote work spurred by the pandemic allowed a sophisticated adversary to seize this opportunity to subvert the traditional defense-in-depth posture of many well-established organizations," Lumen's report says. "The capabilities demonstrated in this campaign – gaining access to SOHO devices of different makes and models, collecting host and LAN information to inform targeting, sampling and hijacking network communications to gain potentially persistent access to in-land devices and intentionally stealth C2 infrastructure leveraging multistage siloed router to router communications – points to a highly sophisticated actor that we hypothesize has been living undetected on the edge of targeted networks for years."
YTStealer discovered, out and active in the wild.
Intezer this morning announced its discovery of malware it’s calling “YTStealer.” The malware has been aptly named, as its sole function is to steal authentication cookies from YouTube content creators. YTStealer is different from other malware in that it only harvests credentials for YouTube and not for any other service. If authentication codes are found in a browser's database files in the user's profile folder, the malware launches the browser in headless mode on the infected operating system and adds the cookie to the cookie store. The malware then uses a library called “Rod” to control the browser: it navigates to the creator’s YouTube Studio page, steals information about the channel, encrypts it, and sends it to a command and control center whose domain name is youbot[.]solutions. YouBot Solutions appears to be a company registered in New Mexico that describes itself by saying that it “provides unique solutions for getting and monetizing targeted traffic." YouBot may well have connections outside the American Southwest: the red-eye logo that appears on its Google business listing can also be found, Intezer points out, on aparat [dot] com, an Iranian video-sharing website.
YTStealer is a C2C play: the researchers say that YTStealer is probably sold to other threat actors. They note that YTStealer often isn’t the only dropped malware on a device: RedLine and Vidar have been seen alongside the YTStealer malware. Much of the dropped malware is disguised as pirated versions of video and image software and game mods and cheats. Using only legitimate versions of software is a good way to have better control over what ends up on your computer, researchers conclude. The Hacker News has a summary of Intezer's report.
CISA releases six ICS security advisories.
The US Cybersecurity and Infrastructure Security Agency (CISA) yesterday released six industrial control system (ICS) security advisories, for:
- ABB e-Design ("mitigations for an Incorrect Default Permissions vulnerability in ABB e-Design engineering software").
- Omron SYSMAC CS/CJ/CP Series and NJ/NX Series ("mitigations for Cleartext Transmission of Sensitive Information, Insufficient Verification of Data Authenticity, and Plaintext Storage of a Password vulnerabilities in Omron SYSMAC CS/CJ/CP Series and NJ/NX Series programmable logic controllers").
- Advantech iView ("mitigations for a SQL Injection, Missing Authentication for Critical Function, Relative Path Traversal, and Command Injection vulnerabilities in Advantech iView management software").
- Motorola Solutions MOSCAD IP and ACE IP Gateways ("mitigations for a missing authentication for critical function vulnerability in the Motorola Solutions MOSCAD IP and ACE IP Gateways products").
- Motorola Solutions MDLC ("mitigations for Use of a Broken or Risky Cryptographic Algorithm, and Plaintext Storage of a Password vulnerabilities in the Motorola Solutions MDLC protocol parser").
- Motorola Solutions ACE1000 ("mitigations for Use of Hard-coded Cryptographic Key, Use of Hard-coded Credentials, and Insufficient Verification of Data Authenticity vulnerabilities in the Motorola Solutions ACE1000 remote terminal unit").
Most dangerous software weaknesses.
The Homeland Security Systems Engineering and Development Institute, sponsored by CISA and operated by MITRE, has released the 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses. The Institute explains, "This list demonstrates the currently most common and impactful software weaknesses. Often easy to find and exploit, these can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working." The report includes recommended mitigations for the vulnerabilities listed, and it's those mitigations CISA particularly commends to organizations' attention.
NATO's response to Killnet's cyberattacks on Lithuania.
Sky News asks the inflammatory question, "Could the Russian cyber attack on Lithuania draw a military response from NATO?" and then gives the more irenic answer, "Not so fast." An opinion piece frames the issue like this: "A NATO member is under attack. Normally the meaning of this would be frighteningly clear, but this is an attack with a difference: not a physical attack, but a cyber attack; and working out what a cyber attack means is never simple."
The issues involve responsibility (Killnet presents itself as a patriotic hacktivist group operating independently of Russian government control) and proportionality (the cyberattacks haven't been particularly damaging, and in any case have fallen short of producing kinetic effects, consequences IRL, as the leetspeakers would put it).
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.