At a glance.
- Lilith enters the ransomware game.
- ChromeLoader makes a fresh appearance.
- Honda acknowledges that Rolling-PWN is real (but says it's not as serious as some think).
- An overview of the cyber phase of Russia's hybrid war.
- Smartphones as sources of targeting information.
- A guilty verdict in a high-profile CIA leak case.
Lilith enters the ransomware game.
Researchers at Cyble describe a new ransomware operation, "Lilith," and BleepingComputer reports that the group not only operates a new strain of malware, but that it's already posted the first victim to its double-extortion dump site. Cyble notes, "Throughout 2021 and 2022, we have observed record levels of ransomware activity. While notable examples of this are rebrands of existing groups, newer groups like LILITH, RedAlert, and 0mega are also proving to be potent threats."
ChromeLoader makes a fresh appearance.
Palo Alto Networks' Unit 42 describes new variants of the ChromeLoader malware now making their appearance in the wild. "This malware is used for hijacking victims’ browser searches and presenting advertisements," the researchers write, "two actions that do not cause serious damage or leak highly sensitive data. However, based on the wide distribution the attackers gained in such a short time, they were able to inflict heavier damage than the damage inflicted by the two primary functions of the Chrome Extension." The extension serves both as adware and as an information stealer, harvesting the victim's browser searches.
The gang using ChromeLoader seems to have clear ideas about what it's up to. Unit 42 writes:
"Additionally, the authors were quite organized, labeling their different malware versions and using similar techniques throughout their attack routines. This probably made their lives easier while developing their attack framework and maintaining their attack chains, but unintentionally, this also made the investigation process significantly easier. In fact, it improved the research ability so much that we were able to detect two new versions of this malware – the first one and the latest, which have never been linked to this malware family before. Finally, this attack chain demonstrates two rising trends among malware authors that security products and even common users should be aware of – the use of ISO (and DMG) files and the use of browser extensions."
Honda acknowledges that Rolling-PWN is real (but says it's not as serious as some think).
Honda has acknowledged, SecurityWeek reports, that the Rolling-PWN proof-of-concept does indeed work against the carmaker's remote keyless system. It is in fact possible for someone to unlock the car and even start it. But, Honda says, they couldn't just drive the car away, since that requires the key fob to be present. The Record quotes Honda's statement: "However, while it is technically possible, we want to reassure our customers that this particular kind of attack, which requires continuous close-proximity signal capture of multiple sequential RF transmissions, cannot be used to drive the vehicle away." The 2022 and 2023 models are said to be proof against Rolling-PWN, and Honda is making other security upgrades to mitigate the vulnerability.
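Honda's statement turns on one detail: the attack needs several sequential fob transmissions, not a single captured one. That is the whole point of a rolling code, and the toy model below (an added example written for this briefing, not code from Honda, from the Rolling-PWN researchers, or from any real fob) shows why a correctly implemented receiver rejects a replayed code, and how a hypothetical "resynchronisation" path that trusts a burst of consecutive codes would let a captured pair be replayed later. The HMAC-based code generator, the `KEY`, the window size and the resync rule are all assumptions for illustration; the page does not say what mechanism Rolling-PWN actually exploits.

```python
"""Toy rolling-code receiver, constructed for illustration only.

Assumptions (not from the article): codes are a truncated HMAC over a
counter under a per-fob key; the receiver accepts counters up to WINDOW
steps ahead; an optional, hypothetical resync path accepts any pair of
consecutive valid codes from anywhere in counter space.
"""
import hashlib
import hmac

KEY = b"constructed-demo-fob-key"   # assumption: per-fob shared secret
WINDOW = 16                          # accept counters up to this far ahead
MAX_SEARCH = 4096                    # toy bound for the hypothetical resync scan


def rolling_code(counter: int) -> bytes:
    """Code for a counter value: first 4 bytes of an HMAC over the counter.
    Real fobs use dedicated ciphers; this is not any vendor's scheme."""
    return hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


def _counter_for(code: bytes, lo: int, hi: int):
    """Return the counter in [lo, hi) whose code matches, else None."""
    for c in range(lo, hi):
        if hmac.compare_digest(rolling_code(c), code):
            return c
    return None


class Receiver:
    """With resync_on_burst=False this is the strict textbook design.
    With True it adds a hypothetical resync path: two consecutive valid
    codes, even stale ones, move the counter to them."""

    def __init__(self, resync_on_burst: bool = False):
        self.counter = 0
        self.resync_on_burst = resync_on_burst
        self._pending = None  # counter of a stray out-of-window code, if any

    def receive(self, code: bytes) -> bool:
        # Normal path: only counters strictly ahead of the last accepted one.
        c = _counter_for(code, self.counter + 1, self.counter + WINDOW + 1)
        if c is not None:
            self.counter = c
            self._pending = None
            return True
        if not self.resync_on_burst:
            return False  # strict receiver: a replayed old code is dead
        # Hypothetical resync: a burst of consecutive codes is trusted.
        # A replayed *captured* burst satisfies this just as well.
        c = _counter_for(code, 0, MAX_SEARCH)
        if c is None:
            return False
        if self._pending is not None and c == self._pending + 1:
            self.counter = c  # counter rolls back to the replayed value
            self._pending = None
            return True
        self._pending = c
        return False


def simulate(resync_on_burst: bool) -> dict:
    """Owner uses the fob five times; attacker recorded codes 3 and 4
    (constructed capture) and replays them afterwards."""
    rx = Receiver(resync_on_burst)
    captured = [rolling_code(3), rolling_code(4)]
    owner_results = [rx.receive(rolling_code(n)) for n in range(1, 6)]
    replay_results = [rx.receive(code) for code in captured]
    owner_after = rx.receive(rolling_code(6))  # does the real fob still work?
    return {
        "owner": owner_results,
        "replay": replay_results,
        "owner_after": owner_after,
        "counter": rx.counter,
    }


if __name__ == "__main__":
    print("strict receiver:", simulate(False))
    print("resync receiver:", simulate(True))
```

The strict receiver rejects both replayed codes because their counters are behind the one it last accepted; the resync variant rejects the first replayed code but accepts the second, since the pair is consecutive, and in doing so rolls its counter back to 4, so the attacker's stale code 5 would now unlock as well. Note also that the owner's next legitimate press (counter 6) still works in both cases, so the owner sees nothing wrong, which is what makes the capture-and-replay pattern practical rather than merely theoretical.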
An overview of the cyber phase of Russia's hybrid war.
The State Service for Special Communications and Information Protection of Ukraine (SSSCIP) has issued a report on the current state of the cyber phase of Russia's war as it unfolded during the second quarter of the year. It sees Russia as concentrating on, first, espionage, second, network disruption, third, data wiping, and fourth, disinformation. Of these four, network disruption and disinformation have come to represent a relatively greater fraction of Russian cyber operations. "Compared with the first quarter of 2022, the number of critical IS events originating from Russian IP addresses decreased by 8.5 times. This is primarily due to the fact that providers of electronic communication networks and/or services that provide access to the Internet blocked IP addresses used by the Russian federation." The SSSCIP considers the nominal hacktivists who've been recently active as simple front groups for the Russian intelligence services. "By attribution, the absolute majority of registered cyber incidents is related to hacker groups funded by the Russian federation government. In particular, these are UAC-0082/UAC-0113 (related to Sandworm), UAC-0010 (Gamaredon) and others, mentioned in the report. In the second quarter of 2022, the main targets of hackers from the Russian federation were the Ukrainian mass media, the government and local authorities sectors. Most information security events can be associated with APT groups and hacktivists activities."
Smartphones as sources of targeting information.
Traditionally, targeting cells distinguish between "targets" (something sufficiently identified and located to be hit with an attack) and "target indicators" (information that provides a lead that may, with further investigation, be developed into a target). Sometimes the process is quick (as it might be with data from weapons-locating radar), at other times protracted (as it might be with spot reports from the field). The commodification and ubiquity of smartphones, on the battlefield and elsewhere, have not only given armies a new operational security challenge, but have also provided targeting cells with a wealth of battlefield information that can develop targets with hitherto unprecedented immediacy. An analysis by Mike Fong, CEO of Privoro, published in HelpNetSecurity explains the risks and opportunities the smartphone presents on the battlefield:
"Of all the signals given off by smartphones in the normal course of operation, location data is perhaps the most valuable during battle. Unlike captured conversations or call metadata, location data is actionable immediately. Location data can reveal troop movements, supply routes and even daily routines. A cluster of troops in a given location may signal an important location. Aggregated location data can also reveal associations between different groups.
"The obvious risk to soldiers is that their location data can be used by the enemy to direct targeted attacks against them. Notably, it has been reported that a Russian general and his staff were killed in an airstrike in the early weeks of the invasion after his phone call was intercepted and geolocated by the Ukrainians."
It's worth noting that targeting a general's smartphone is a far more discriminating way of war than designating a city for destruction.
Thus monitoring phones can yield not only intelligence, but targets. Fong's conclusion is that how an army handles smartphones and the data they throw off can be a difference-maker on the battlefield: "Smartphones are so ubiquitous that their presence on the battlefield is inevitable, even when they’ve been prohibited or otherwise discouraged from use due to lethal consequences. But each location ping gives the enemy another signal that may ultimately culminate in a targeted missile strike or an improved defensive posture. The side that can best fight this information battle very likely has the upper hand in winning the war."
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.
A guilty verdict in a high-profile CIA leak case.
The second trial of Joshua Schulte has ended in a guilty verdict. Mr. Schulte, a former CIA employee, was arrested after WikiLeaks' 2017 disclosure of the "Vault 7" classified documents that outlined Langley's methods of penetrating networks operated by its intelligence targets, the New York Times reports. His first trial had resulted in convictions for contempt of court and lying to Federal investigators, but the jury had been unable to reach a verdict on the more serious charges of which he has now been convicted. The US Attorney for the Southern District of New York, who prosecuted Mr. Schulte, offered a brief statement on the outcome of the trial:
"Joshua Adam Schulte was a CIA programmer with access to some of the country’s most valuable intelligence-gathering cyber tools used to battle terrorist organizations and other malign influences around the globe. When Schulte began to harbor resentment toward the CIA, he covertly collected those tools and provided them to WikiLeaks, making some of our most critical intelligence tools known to the public – and therefore, our adversaries. Moreover, Schulte was aware that the collateral damage of his retribution could pose an extraordinary threat to this nation if made public, rendering them essentially useless, having a devastating effect on our intelligence community by providing critical intelligence to those who wish to do us harm. Today, Schulte has been convicted for one of the most brazen and damaging acts of espionage in American history."