At a glance.
- Rhysida malware: a warning and a description.
- Extending local breaches in Google Workspace.
- Protestware in open-source products.
- Donation scam: exploiting sympathy.
- Cyber safety for the holidays.
- Allocating resources for security.
- Using regulatory risk to pressure a ransomware victim.
- A call for regulatory action against a supply chain threat.
- GRU's Sandworm implicated in campaign against Danish electrical power providers.
Rhysida malware: a warning and a description.
The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint Cybersecurity Advisory describing the Rhysida ransomware-as-a-service operation: “Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors and any ransom paid is split between the group and affiliates. Rhysida actors leverage external-facing remote services, such as virtual private networks (VPNs), Zerologon vulnerability (CVE-2020-1472), and phishing campaigns to gain initial access and persistence within a network.”
Fortinet has published an analysis of a Rhysida intrusion, noting, “The majority of the TTPs employed by the threat actor during this intrusion are typical for these types of ransomware intrusions, and no novel techniques were observed. ... While the threat actor may have had more sophisticated TTPs within their repertoire, in this case, they were able to achieve their outcomes using exclusively unsophisticated, known TTPs. As ransomware and extortion-based attacks continue to affect thousands of victims like this one across the globe every day, organizations should focus on ensuring they can detect more of the basic TTPs employed throughout this intrusion.” For more on Rhysida and its place in the C2C market, see CyberWire Pro.
Extending local breaches in Google Workspace.
Researchers at Bitdefender have uncovered “previously unknown attack methods for escalating a compromise from a single endpoint to a network-wide breach” in Google Workspace. The technique involves an OAuth 2.0 refresh token stored by Google Credential Provider for Windows (GCPW): “[T]he refresh token follows a two-step storage process. First, it's temporarily stored in the registry, and later, it finds a more permanent home under the user's Chrome profile. Decrypting it is possible from both locations, each with its own set of pros and cons. The registry approach is stealthier, offering a discreet way to access the token. However, it has a drawback—it's available for a limited time only. On the other hand, the profile-based storage method provides a more extended timeframe for access but is harder to conceal, making it a noisier option.”
Protestware in open-source products.
ReversingLabs today draws attention to the phenomenon of "protestware," that is, the practice of embedding scripts that advance a political position in npm packages, which then end up in the open-source software that depends on them. The message is commonly displayed after a user installs or executes the software. "Although the latest packages are not malicious," ReversingLabs researchers say, "they underscore a persistent risk in open source software, in which unintended and malicious features can lurk undetected — even in widely used applications." The two campaigns discussed in the report are being run, separately, in the Palestinian and Ukrainian interest, and, while protestware tends to shadow current events, it's not confined to the fighting in Ukraine or Gaza.
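Because protestware (and, more seriously, malicious packages) typically announces itself from an install-time script, one practical supply-chain check is to enumerate every package in a dependency tree that registers an npm lifecycle hook that runs during `npm install`. The script below is an added example for this item, not code from ReversingLabs or from the packages discussed; the hook names are npm's documented lifecycle scripts, and the node_modules tree it audits is constructed inline as sample data, with the package names and script commands invented for illustration. A flagged hook is not proof of anything bad, but it is the short list a reviewer should read before trusting the package.

```python
import json
import tempfile
from pathlib import Path

# npm lifecycle hooks that run automatically during `npm install` of a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_hooks(root):
    """Walk `root` for package.json manifests and return a sorted list of
    (package name, hook name, command) for every install-time lifecycle hook.
    Unreadable or malformed manifests are skipped so one bad file cannot
    abort the audit."""
    findings = []
    for manifest in Path(root).rglob("package.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        if not isinstance(data, dict):
            continue
        scripts = data.get("scripts") or {}
        name = data.get("name", str(manifest.parent))
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((name, hook, scripts[hook]))
    return sorted(findings)


def build_sample_tree():
    """Construct a throwaway node_modules tree (constructed sample data, not real
    packages): one quiet package, one with a postinstall hook, and a nested
    dependency with a preinstall hook."""
    root = Path(tempfile.mkdtemp(prefix="hookaudit-"))
    packages = {
        "quiet-lib": {
            "name": "quiet-lib", "version": "1.0.0",
            "scripts": {"test": "node test.js"},
        },
        "loud-lib": {
            "name": "loud-lib", "version": "2.3.1",
            "scripts": {"postinstall": "node scripts/banner.js", "test": "node test.js"},
        },
        "loud-lib/node_modules/nested-lib": {
            "name": "nested-lib", "version": "0.1.0",
            "scripts": {"preinstall": "node setup.js"},
        },
    }
    for rel, manifest in packages.items():
        pkg_dir = root / "node_modules" / rel
        pkg_dir.mkdir(parents=True, exist_ok=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for pkg, hook, cmd in find_install_hooks(sample_root):
        print(f"{pkg}: {hook} -> {cmd}")
```

Run it against a real project by passing the project directory to `find_install_hooks` instead of the constructed tree; `npm install --ignore-scripts` is the corresponding preventive control, at the cost of breaking packages that legitimately need a build step.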