At a glance.
- Knotweed: a PSOA operation.
- Bringing private-sector offensive actors to heel.
- Follina exploitation update.
- Ransomware hits email marketing provider.
- Internet disrupted in Kherson.
- SSSCIP and CISA sign memorandum of cooperation.
Private-sector offensive actors.
Microsoft late yesterday released a report (compiled by the Microsoft Threat Intelligence Center (MSTIC), the Microsoft Security Response Center (MSRC), and RiskIQ) that describes the activity of a threat group it tracks as "Knotweed." Knotweed is regarded as responsible for Subzero malware, which it provides to, or deploys on behalf of, its customers. The group has also exploited Windows and Adobe zero-days. The report explains why Microsoft views this threat actor as particularly egregious. In brief, it's a private company hiring out cyberattack services:
"PSOAs, which Microsoft also refers to as cyber mercenaries, sell hacking tools or services through a variety of business models. Two common models for this type of actor are access-as-a-service and hack-for-hire. In access-as-a-service, the actor sells full end-to-end hacking tools that can be used by the purchaser in operations, with the PSOA not involved in any targeting or running of the operation. In hack-for-hire, detailed information is provided by the purchaser to the actor, who then runs the targeted operations. Based on observed attacks and news reports, MSTIC believes that KNOTWEED may blend these models: they sell the Subzero malware to third parties but have also been observed using KNOTWEED-associated infrastructure in some attacks, suggesting more direct involvement."
The company behind Knotweed and its Subzero tool is a Vienna-based outfit, DSIRF. DSIRF's landing page displays a simple quotation: "A lie can run round the world before the truth has got its boots on," but without further elaboration. It's unclear whether that's a sideswipe at researchers who characterize the company as a mercenary operation. The company describes itself as an "Austria based company with offices in Vienna and Lichtenstein, providing mission-tailored services in the fields of information research, forensics as well as data-driven intelligence to multinational corporations in the technology, retail, energy and financial sectors." They stress that they offer, fundamentally, research: "Our tightly integrated team provide sophisticated intelligence products which are individually tailored to each client. [sic]" Exploiting zero-days would seem to be taking an expansive view of business intelligence.
Microsoft explains their attribution:
"Multiple news reports have linked DSIRF to the development and attempted sale of a malware toolset called Subzero. MSTIC found the Subzero malware being deployed through a variety of methods, including 0-day exploits in Windows and Adobe Reader, in 2021 and 2022. As part of our investigation into the utility of this malware, Microsoft’s communications with a Subzero victim revealed that they had not commissioned any red teaming or penetration testing, and confirmed that it was unauthorized, malicious activity. Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama. It’s important to note that the identification of targets in a country doesn’t necessarily mean that a DSIRF customer resides in the same country, as international targeting is common."
A comprehensive set of indicators of compromise and defensive advice is included in Microsoft's report.