Chinese espionage in Southeast Asia. The C-suite's awareness of ransomware attacks. New cybercriminal group conducts data-theft extortion.

Summary

By the CyberWire staff

At a glance.

Chinese espionage in Southeast Asia.
The C-suite's awareness of ransomware attacks.
New cybercriminal group conducts data-theft extortion.

Chinese espionage in Southeast Asia.

Researchers at Recorded Future are tracking Chinese state-sponsored cyberespionage campaigns primarily targeting Malaysia, Indonesia, and Vietnam, as well as the Philippines, Laos, Cambodia, and Thailand. The operations appear to be in support of China's Belt and Road Initiative:

"The identified intrusion campaigns almost certainly support key strategic aims of the Chinese government, such as gathering intelligence on countries engaged in South China Sea territorial disputes or related to projects and countries strategically important to the Belt and Road Initiative (BRI). The activity highlighted includes a group we track as Threat Activity Group 16 (TAG-161), which has compromised several high-profile military and government organizations across Southeast Asia throughout 2021 using custom malware families such as FunnyDream and Chinoxy. Many of the governments targeted by TAG-16 are engaged in ongoing disputes with China over territorial claims in the South China Sea."

The C-suite's awareness of ransomware attacks.

(ISC)² has published a study looking at executives' view of ransomware and the ways in which security teams can improve communication with the C-suite:

"Respondents were asked to rate their awareness of ransomware prior to high-profile 2021 breaches. 55% described themselves as very aware, and 40% said they were only somewhat aware. 59% of executives rated the communications they received from their cybersecurity teams about ransomware threats and mitigation tactics as excellent or good. Nearly one in five respondents (18%) rated those communications as either poor or very poor. The executives were also asked how those communications have changed in the months following 2021’s high-profile wave of ransomware attacks. While the percentage of those who indicated that the updates are excellent or good increased by 5%, that is still fewer than two-thirds of executives (64%) who highly rate those interactions."

The study also found that most executives were interested in backup and recovery plans in case of a ransomware attack:

"When asked about the most critical information they need from the cybersecurity team, the biggest priority cited by 38% of respondents was for information on strategies to prevent ransomware from impacting data backup and restoration plans. Executives also want to know what it will take to restore minimal operations after compromise (33%), how prepared the organization is to engage law enforcement in the event of an attack (32%), and how prepared it is to engage cybersecurity investigators (30%)."

New cybercriminal group conducts data-theft extortion.

Accenture describes a newly-observed cybercriminal group calling itself "Karakurt" that's conducting data theft and extortion attacks. Notably, the threat actor doesn't deploy ransomware and typically targets "smaller companies or corporate subsidiaries versus the alternative big game hunting approach." Karakurt primarily uses stolen credentials for VPNs to gain initial access:

"Based on our collection sources, Accenture Security is currently aware of over 40 victims spanning multiple industry verticals and sizes. The Karakurt group does not appear to focus on a specific industry vertical or size. Of known victims, 95% are based in North America with the remaining 5% in Europe. From our investigations into the group’s activity, we determined that it typically uses credential access as the initial vector into victims’ networks and utilizes applications already installed to move laterally and exfiltrate data, if available. In addition, the threat group will typically contact the victim multiple times, using different communication methods, to apply additional pressure during extortion attempts."

Selected Reading

Log4shell is now undergoing active exploitation. (The CyberWire) Criminals continue scanning for the Log4shell vulnerability, and they've moved from cryptojacking to ransomware installation to data theft. Organizations have begun their long slog through a remediation that will take months (if you follow the Wall Street Journal) or years (if you believe CRN) or "months if not years" (as in ZDNet's headline). Remediation won't be easy or simple or quick, but it begins in situational awareness with respect to an organization's code.

Log4shell: risk and reaction. (The CyberWire) Log4shell is a serious vulnerability. It's being actively exploited in the wild, and there's unlikely to be any single quick fix for it. We take a look at reactions to the incident.

Explaining Log4Shell in Simple Terms (Cygenta) How to understand - and explain - the Log4Shell vulnerability - described as the most critical vulnerability of the last decade.

When Honey Bees Become Murder Hornets (Eclypsium) What do you do when two million cheap and powerful devices become the launchpad for one of the most powerful botnets ever? You stop treating the threat like a newly discovered and unexpected honey bee hive and you start remediating like you’ve discovered a Murder Hornet nest.

Law Enforcement Collaboration Has Eastern-European Cybercriminals Questioning Whether There Is A Safe Haven Anymore (Trustwave) Through the active Dark Web research that Trustwave SpiderLabs conducts for its clients, we have observed new communications on various Dark Web forums between Eastern-European cybercriminals.

Grinchbots strike again this holiday shopping season as bot traffic spikes 73% (Imperva) The days are getting chilly, holiday drinks are back on the menu at your favorite café and family gatherings are planned. In an almost pavlovian response, Grinchbots have also returned in record levels to ruin your online holiday shopping experience. In the State of Security Within eCommerce in 2021, Imperva Research Labs predicted that bad […]

Suspected Russian Activity Targeting Government and Business Entities Around the Globe (Mandiant) As the one-year anniversary of the discovery of the SolarWinds supply chain compromise passes, Mandiant remains committed to tracking one of the toughest actors we have encountered. These suspected Russian actors practice top-notch operational security and advanced tradecraft. However, they are fallible, and we continue to uncover their activity and learn from their mistakes. Ultimately, they remain an adaptable and evolving threat that must be closely studied by defenders seeking to stay one step ahead.

1.6 Million WordPress Sites Hit With 13.7 Million Attacks In 36 Hours From 16,000 IPs (Wordfence) Today, on December 9, 2021, our Threat Intelligence team noticed a drastic uptick in attacks targeting vulnerabilities that make it possible for attackers to update arbitrary options on vulnerable sites. This led us into an investigation which uncovered an active attack targeting over a million WordPress sites. Over the past 36 hours, the Wordfence network ...Read More

MANGA aka Dark Mirai-based Campaign Targets New TP-Link Router RCE Vulnerability (Fortinet Blog) FortiGuard Labs encountered a malware sample that’s currently being distributed in the wild targeting TP-link wireless routers. Learn more on MANGA aka Dark Mirai-based Campaign.…

Karakurt Rises from Its Lair (Accenture) New threat group Karakurt begins operations. Learn about this financially motivated group, how it operates and how to mitigate its attacks. Learn more.

Ransomware in the C-Suite: An (ISC)² Study ((ISC)²) Ransomware in the C-Suite is an (ISC)² research study that provides insights for cybersecurity professionals into the minds of C-suite executives and how they perceive their organizations’ readiness for ransomware attacks.