At a glance.
- Belgium accused China of cyberespionage.
- LockBit ransomware spreading through compromised servers.
- Vulnerabilities in popular automotive GPS tracker.
- Report: password stealing and impersonation risks in identity management product.
- Current Russian cyber operations.
- Russia's cyber operations appear to focus on espionage.
- Cyber escalation and spillover.
- CISA releases ICS advisories.
Belgium accuses China of cyberespionage.
Belgium's Foreign Ministry has accused China of an extensive cyberespionage campaign against numerous Belgian targets, including the country's Ministries of Interior and Defense. The threat groups singled out are APT27, APT30, APT31, and Gallium (the last also tracked as Softcell and UNSC 2814). "Belgium strongly denounces these malicious cyber activities, which are undertaken in contradiction with the norms of responsible state behaviour as endorsed by all UN member states," the Foreign Ministry's statement said in part. "We continue to urge the Chinese authorities to adhere to these norms and not allow its territory to be used for malicious cyber activities, and take all appropriate measures and reasonably available and feasible steps to detect, investigate and address the situation."
BleepingComputer reports that China says, in effect, prove it, and by the way, you can't, because China is the real victim here. The full response of the Chinese embassy in Brussels is familiar stuff: "We have taken note of the statement. It is extremely unserious and irresponsible of the Belgian side to issue a statement about the so-called 'malicious cyberattacks' by Chinese hackers without any evidence. On the one hand, the Belgian side refuses to provide the factual basis and, on the other hand, it makes groundless accusations and deliberately denigrates and smears China. We express our strong dissatisfaction and our firm opposition. On the issue of cybersecurity, China is square, frank and open. China has always been a strong advocate of cybersecurity and one of the main victims of cyberattacks."
LockBit ransomware spreading through compromised servers.
Researchers at the Symantec Threat Hunter Team, part of Broadcom Software, reported this morning that threat actors are deploying LockBit ransomware on servers with the aim of spreading it across the compromised network. In one attack, the actors were observed enumerating domain-related information, creating a new group policy, and then running "gpupdate /force" to force an immediate Group Policy refresh so that the new policy takes effect without waiting for the normal refresh cycle. The threat actors behind LockBit, which Symantec tracks as Syrphid, first appeared in September 2019 and quickly expanded their operations through a network of affiliates.
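One way a defender can hunt for the sequence described above, as an added example that is not Symantec's code or a published Symantec indicator: correlate the creation of a new groupPolicyContainer object (Windows Security Event ID 5137, directory object created) with a forced policy refresh (Event ID 4688, process creation, for gpupdate.exe with "/force") inside a short window. The event records below are constructed and simplified; the field names follow the real 4688/5137 schemas, but the flat dictionary format, the hostnames, the account names, the GPO GUID and the 30-minute window are assumptions to be tuned per environment.

```python
"""Correlate new-GPO creation with forced Group Policy refreshes.

Pattern: an account creates a Group Policy object (Event ID 5137,
ObjectClass=groupPolicyContainer) and, shortly after, one or more hosts
run "gpupdate /force" (Event ID 4688). A lone gpupdate is routine admin
activity; gpupdate on several hosts minutes after a brand-new GPO is not.
"""
from datetime import datetime, timedelta

# Assumed correlation window; a real deployment would tune this.
WINDOW = timedelta(minutes=30)

# Constructed sample events (illustrative, not captured telemetry).
SAMPLE_EVENTS = [
    {"time": "2022-07-19T09:58:01", "event_id": 4688, "host": "DC01",
     "user": "CORP\\svc_backup",
     "new_process": "C:\\Windows\\System32\\nltest.exe",
     "command_line": "nltest /dclist:corp.local"},          # domain enumeration
    {"time": "2022-07-19T10:01:12", "event_id": 5137, "host": "DC01",
     "user": "CORP\\svc_backup", "object_class": "groupPolicyContainer",
     "object_dn": "CN={11111111-2222-3333-4444-555555555555},"
                  "CN=Policies,CN=System,DC=corp,DC=local"},  # new GPO
    {"time": "2022-07-19T10:02:30", "event_id": 4688, "host": "FS02",
     "user": "CORP\\svc_backup",
     "new_process": "C:\\Windows\\System32\\gpupdate.exe",
     "command_line": "gpupdate /force"},                      # forced refresh
    {"time": "2022-07-19T10:03:40", "event_id": 4688, "host": "WS117",
     "user": "CORP\\svc_backup",
     "new_process": "C:\\Windows\\System32\\gpupdate.exe",
     "command_line": "gpupdate /force"},                      # forced refresh
    {"time": "2022-07-19T10:04:05", "event_id": 4688, "host": "WS118",
     "user": "CORP\\svc_backup",
     "new_process": "C:\\Windows\\System32\\gpupdate.exe",
     "command_line": "gpupdate /target:computer"},            # no /force: ignored
    {"time": "2022-07-19T14:20:00", "event_id": 4688, "host": "WS005",
     "user": "CORP\\jdoe",
     "new_process": "C:\\Windows\\System32\\gpupdate.exe",
     "command_line": "gpupdate /force"},                      # benign: no new GPO nearby
]


def parse_time(value):
    return datetime.fromisoformat(value)


def is_gpo_creation(ev):
    """Event ID 5137 for a groupPolicyContainer object."""
    return ev["event_id"] == 5137 and ev.get("object_class") == "groupPolicyContainer"


def is_forced_gpupdate(ev):
    """Event ID 4688 where gpupdate.exe was launched with /force."""
    if ev["event_id"] != 4688:
        return False
    proc = ev.get("new_process", "").lower()
    cmd = ev.get("command_line", "").lower()
    return proc.endswith("\\gpupdate.exe") and "/force" in cmd


def correlate(events, window=WINDOW):
    """Return one alert per (new GPO, forced refresh) pair within the window."""
    ordered = sorted(events, key=lambda e: parse_time(e["time"]))
    creations = [e for e in ordered if is_gpo_creation(e)]
    alerts = []
    for ev in ordered:
        if not is_forced_gpupdate(ev):
            continue
        t = parse_time(ev["time"])
        for gpo in creations:
            created = parse_time(gpo["time"])
            if t - window <= created <= t:
                alerts.append({
                    "gpo": gpo["object_dn"],
                    "created_by": gpo["user"],
                    "refresh_host": ev["host"],
                    "refresh_user": ev["user"],
                    "seconds_after_creation": int((t - created).total_seconds()),
                })
    return alerts


def affected_hosts(alerts):
    """Distinct hosts that forced a refresh after a new GPO: a spread indicator."""
    return sorted({a["refresh_host"] for a in alerts})


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
    print("hosts refreshing the new GPO:", affected_hosts(correlate(SAMPLE_EVENTS)))
```

On the sample data this flags FS02 and WS117 (78 and 148 seconds after the GPO was created) and ignores both the refresh without "/force" and the unrelated afternoon gpupdate. The value of the rule is the correlation, not either event on its own; in a real SIEM you would also pull in Event ID 5136 modifications of gPLink on the OU or domain object, since a GPO only reaches hosts once it is linked.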
This version of LockBit delivers a double-extortion attack, both encrypting files and threatening public exposure of stolen data. LockBit is selective in its targeting, sparing Russia and a small selection of countries in the near abroad. It runs a language check, and, should it detect Azeri, Kazakh, Kyrgyz, Russian, Tajik, Turkmen, or Uzbek, the malware terminates.
LockBit is a ransomware-as-a-service operation, and it has replaced the now possibly defunct Conti atop the C2C market leaderboard. Its rise is thus partially opportunistic, but Symantec sees other keys to its success. "LockBit's success is also due to its developers' and affiliates' continued evolution of features and tactics, which include the malware's fast encryption speed, ability to target both Windows and Linux machines, its brash recruitment drives, and high-profile targets. In addition, as previously mentioned, the launch of a rewards program for vulnerabilities in LockBit's code and for suggestions on improving the RaaS operation will no doubt help the ransomware remain a serious threat to organizations."