At a glance.
- US Commission on International Religious Freedom reportedly hacked.
- Sophistication of NSO exploit on par with nation-state tooling.
- Conti ransomware actors exploit Log4Shell.
- TinyNuke targets French users.
US Commission on International Religious Freedom reportedly hacked.
Avast has discovered "a new targeted attack against a small, lesser-known U.S. federal government commission associated with international rights." Avast doesn't name the affected entity, but the Record reports that it was the United States Commission on International Religious Freedom (USCIRF). Avast isn't sure what the attackers were after, but they note that the threat actor had significant access within the network:
"While we have no information on the impact of this attack or the actions taken by the attackers, based on our analysis of the files in question, we believe it’s reasonable to conclude that the attackers were able to intercept and possibly exfiltrate all local network traffic in this organization. This could include information exchanged with other US government agencies and other international governmental and nongovernmental organizations (NGOs) focused on international rights. We also have indications that the attackers could run code of their choosing in the operating system’s context on infected systems, giving them complete control. Taken altogether, this attack could have given total visibility of the network and complete control of a system and thus could be used as the first step in a multi-stage attack to penetrate this, or other networks more deeply."
Avast is releasing its research after notifying the affected entity and receiving no response:
"After initial communication directly to the affected organization, they would not respond, return communications or provide any information. The attempts to resolve this issue included repeated direct follow up outreach attempts to the organization. We also used other standard channels for reporting security issues directly to affected organizations and standard channels the United States Government has in place to receive reports like this. In these conversations and outreach we have received no follow up or information on whether the issues we reported have been resolved and no further information was shared with us."
Sophistication of NSO exploit on par with nation-state tooling.
Researchers at Google's Project Zero have analyzed an iOS exploit developed by spyware vendor NSO Group, concluding that, "Based on our research and findings, we assess this to be one of the most technically sophisticated exploits we've ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states." The exploit, dubbed "FORCEDENTRY," takes advantage of an integer overflow vulnerability that was patched by Apple in September 2021. The exploit allows an attacker to infect a victim's phone by simply sending a text message. The researchers credit the University of Toronto's Citizen Lab for discovering the exploit after it was used to target a Saudi activist earlier this year.
Conti ransomware actors exploit Log4Shell.
"On December 12, through deep visibility into adversarial collections, AdvIntel discovered that multiple Conti group members expressed interest in the exploitation of the vulnerability for the initial attack vector resulting in the scanning activity leveraging the publicly available Log4J2 exploit. This is the first time this vulnerability entered the radar of a major ransomware group. The current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4J2 exploit. Most importantly, AdvIntel confirmed that the criminals pursued targeting specific vulnerable Log4J2 VMware vCenter for lateral movement directly from the compromised network resulting in vCenter access affecting US and European victim networks from the pre-existent Cobalt Strike sessions."
TinyNuke targets French users.
Proofpoint says the TinyNuke banking Trojan is targeting users in France via phishing emails that impersonate logistics and transportation companies:
"Proofpoint observed dozens of TinyNuke campaigns targeting French entities in 2018. After only observing a handful of TinyNuke campaigns in 2019 and 2020, Proofpoint observed TinyNuke reappear in January 2021 in one campaign distributing around 2,000 emails. Subsequent campaigns appeared in low volumes in May, June, and September. In November, Proofpoint identified multiple TinyNuke campaigns distributing around 2,500 messages and impacting hundreds of customers. In the most recent campaigns, the threat actor uses invoice-themed lures purporting to be logistics, transportation, or business services entities."