State-sponsored coronavirus phishbait.
BAE Systems summarizes the APTs that are known to be using COVID-19-themed phishing lures to deliver various strains of malware. The threat actors include the Russia-aligned groups Sandworm and Gamaredon, the China-linked campaigns Operation LagTime and Mustang Panda, and the Pakistan-associated Transparent Tribe. Parties unknown have been impersonating the US Centers for Disease Control, pushing the Remcos RAT.
The Russian operators behind Gamaredon are impersonating the Ukrainian Foreign Ministry, delivering the Pterodo backdoor via malicious docx files. And the GRU's Sandworm is not to be left out—it’s spoofing Ukraine’s Ministry of Health to distribute a .NET backdoor.
Beijing's operators at Mustang Panda are using bogus news articles to push the Cobalt Strike stager. Operation LagTime IT, also a Chinese APT, is spoofing the Mongolian Ministry of Health to distribute a Poison Ivy stager.
The Pakistani operation Transparent Tribe (also known as APT36) is after Indian targets using malicious XLS files to deliver the Crimson remote access Trojan, all the while posing as an Indian training company. Malwarebytes has also seen a surge in coronavirus-themed phishing by Transparent Tribe, and they report the same deployment of the Crimson RAT against Indian targets.
Some ransomware operators pledge to refrain from targeting healthcare organizations.
BleepingComputer contacted the operators of several prevalent ransomware strains, including Maze, DoppelPaymer, Ryuk, Sodinokibi/REvil, PwndLocker, and Ako, and asked them if they would keep targeting healthcare organizations during the coronavirus pandemic. Thus far, only DoppelPaymer and Maze have responded. DoppelPaymer's operators stated that they don't intentionally target medical facilities anyway, but they reassured BleepingComputer that they'll continue to avoid these organizations during the pandemic (although they added that the pharmaceutical industry is still in their crosshairs).
The Maze operators stated that they will "also stop all activity versus all kinds of medical organizations until the stabilization of the situation with virus." The Register is skeptical about these claims, saying that "a threat analyst from Emsisoft contacted us to note that Maze's operators had announced just a few days ago that it had hit a medical research company in London."
Security firms Emsisoft and Coveware are partnering to offer free assistance to healthcare organizations that suffer ransomware attacks during the pandemic. Coveware exhorts ransomware operators to think of their own families and loved ones, stating, "We ask for your empathy. If you attack a healthcare organization, you are taking lives not money. If you encrypt a health care provider unintentionally, please provide them with the decryption key at no cost as soon as possible."
It would be naive to take the gangs' promises of good behavior at face value, as convincing as some of the avowals may sound. But if there is a wave of (relatively) good behavior, Forbes probably has the best explanation: the restraint isn't a matter of honor or sympathy, still less of public spirit. It's a matter of self-preservation: the gangs think that during the pandemic law enforcement will pursue and prosecute them ruthlessly if ransomware gets into hospital systems. The Council on Foreign Relations blogs some advice to the cyber underworld. Pointing out that the US at least has shown the ability to identify the operators behind the keyboards at China's People's Liberation Army, the CFR suggests that criminals consider being on the receiving end of such attention, and what being doggedly pursued by Federal law enforcement would be like. An attack on a healthcare or public health organization would be regarded as particularly odious. "During a global pandemic, if cybercriminals impact the delivery of medical interventions, they should understand that they are playing a different game. When the U.S. government stands up from the table and flips over the board, there are no rules that protect you."
The Health and Human Services "cyber incident."
The widely reported cyberattack on the US Department of Health and Human Services seems, the New York Times reports, to have been an opportunistic and fairly crude probing of the Department’s networks for vulnerabilities. There was speculation that the incident represented a state-sponsored attack, but it also looks like the sort of preparatory distributed denial-of-service attack organizations see all the time. It might have been an unusually large number of visitors looking for reliable information on COVID-19, or even an artifact of the Department's Drupal instance. In any case, while according to the Associated Press the US Department of Justice is investigating, the incident seems to have been not much to worry about. A Department of Homeland Security source told the Washington Post, "on a scale of one to ten, it’s about a two."
Coronavirus-themed disinformation.
There’s also some disinformation circulating that attributes COVID-19 to 5G, CNET reports. The virus emerged in Wuhan, various Russian state outlets and their influencer dupes suggest, because there are so many 5G towers in China.
The US National Security Council says foreign influence operations are pushing the line that the US is under a national COVID-19 lockdown, Mother Jones, US News and others report. Much of the disinformation is being disseminated by email, text, WhatsApp, and TikTok, the Washington Post writes, often as images. The messages are harder to screen than would be similar campaigns over Twitter or Facebook.
Iran appears to have suffered particularly badly from COVID-19, with an acknowledged 17,361 cases, 1135 of which have proven fatal, Foreign Policy reports. (We wish everyone in Iran, as we wish everyone everywhere else, comfort and recovery.) The Islamic Revolutionary Guard Corps has mounted a domestic influence campaign to place responsibility for the pandemic on its two usual suspects: the US and Israel, the Great Satan and the Lesser Satan. The virus originated, the disinformation says, as a US biowar program that Zionists have moved the US to use in a campaign of biological terror against Iran.
The CyberWire Pro Disinformation Briefing has more information on these and other influence operations currently in progress.
Russia's knock-out punch?
The BBC's Russian service reported this week that "Digital Revolution," a hacking group of unclear provenance, released documents describing a program by Russia's FSB foreign intelligence service to develop an Internet-of-things attack tool that would be "capable of taking a small nation offline." Meduza called the program "Russia's Internet knockout punch."
Crises can distort behavioral baselines.
One consequence of the pandemic-driven spike in remote work is that many of the norms that inform behavioral anomaly detection may need re-evaluation and revision. Duo Security's Decipher blog points out that people will work at unusual times and unusual places. Or they may fumble VPN access or unfamiliar multifactor authentication to such an extent that multiple login attempts will no longer indicate that some form of credential-stuffing or brute-force attack is in progress. Evelyn from HR logging in from Chicken Gizzard Ridge or Blue Lick? Remote work. Fran from IT working at 4:00 AM? Needs to fit work from home around distractions of home. Remote work. The gang from sales engineering all in the office? Well, it may not be remote work, but they can’t be on the road any more--all those conferences have been cancelled. If you do use behavioral analytics in your security program, now might be a good time to talk to your vendor about whether and how behavioral baselines might need to be redrawn.
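To make the re-baselining point concrete, here is an added example (not from Decipher or any vendor) of a toy login-anomaly check run over constructed VPN authentication log lines. It scores the same events against an office-era baseline and a remote-work baseline; the user names, addresses and thresholds are all assumptions. Note what the remote baseline relaxes (off-hours logins, a single user's repeated failures) and what it deliberately keeps: many different accounts failing from one source is still a credential-stuffing signal, whatever hour it is.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample VPN authentication log lines (not from any real system).
LOG_LINES = """\
2020-03-18T03:55:10Z user=fran src=203.0.113.7 result=FAIL
2020-03-18T03:55:40Z user=fran src=203.0.113.7 result=FAIL
2020-03-18T03:56:02Z user=fran src=203.0.113.7 result=FAIL
2020-03-18T03:56:30Z user=fran src=203.0.113.7 result=OK
2020-03-18T10:02:11Z user=evelyn src=198.51.100.22 result=OK
2020-03-18T11:14:00Z user=alice src=192.0.2.9 result=FAIL
2020-03-18T11:14:01Z user=bob src=192.0.2.9 result=FAIL
2020-03-18T11:14:02Z user=carol src=192.0.2.9 result=FAIL
2020-03-18T11:14:03Z user=dave src=192.0.2.9 result=FAIL
""".splitlines()

@dataclass(frozen=True)
class Baseline:
    work_hours: frozenset      # UTC hours considered normal for a login
    max_user_failures: int     # failures one account may have before alerting
    max_users_per_src: int     # distinct accounts one source may fail for

# Office baseline versus remote-work baseline (assumed thresholds): hours and
# per-user failures are relaxed, the many-accounts-from-one-source rule is not.
OFFICE = Baseline(frozenset(range(8, 19)), max_user_failures=2, max_users_per_src=3)
REMOTE = Baseline(frozenset(range(24)), max_user_failures=5, max_users_per_src=3)

def parse(line):
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["hour"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
    return ev

def alerts(lines, baseline):
    """Return sorted (alert_type, subject) pairs for the given baseline."""
    found, user_fail, src_users = set(), Counter(), defaultdict(set)
    for ev in map(parse, lines):
        if ev["hour"] not in baseline.work_hours:
            found.add(("off_hours", ev["user"]))
        if ev["result"] == "FAIL":
            user_fail[ev["user"]] += 1
            src_users[ev["src"]].add(ev["user"])
    found |= {("brute_force", u) for u, n in user_fail.items() if n > baseline.max_user_failures}
    found |= {("credential_stuffing", s) for s, us in src_users.items() if len(us) > baseline.max_users_per_src}
    return sorted(found)
```

Under OFFICE, Fran's 4:00 AM MFA fumbling raises two alerts; under REMOTE it raises none, while the four-account spray from 192.0.2.9 is flagged either way.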
Crises also present opportunities (for organized crime).
Proofpoint reports that TA505, the Russian-speaking criminal gang Microsoft calls “Evil Corp” and others know as “Graceful Spider,” is back with a ransomware downloader it’s using against targets in the US healthcare, manufacturing, and pharmaceutical sectors. TA505 is best known for Locky ransomware and the Dridex banking Trojan. The phishbait is coronavirus-themed, and another criminal group, TA564, is doing much the same against Canadian citizens, in this case spoofing the Public Health Agency of Canada.
Another consequence of economic hardship occurring in tandem with telecommuting is an increase in the number of people being recruited as money-mules, KrebsOnSecurity reports. One of the larger operations Krebs describes, the "Vasty Health Care Foundation," strikes a high-minded tone about connecting causes with providers, tells prospective mules they're "hired," assigns busy work, and then has them "process donations"--that is, launder money. The busy work is a particularly nasty ploy. It weeds out lazy and unreliable slackers, for one thing, and thus it selects for the diligent, the reliable, and the trusting, whom it will immediately betray and exploit.
Patch news.
Adobe released, a week later than expected, patches for vulnerabilities in Acrobat and Reader, nine of which it rates critical, BleepingComputer reported.
Crime and punishment.
The US Justice Department has decided not to continue its prosecution of Concord Management and Consulting, a company which, despite its old-fashioned American-sounding name, is a Russian firm which does no business in the US. The company had been indicted for influence operations as a result of Special Counsel Mueller’s investigation of Russian operations during the US 2016 elections. The Washington Post reports that prosecutors cited a “change in the balance of the government’s proof due to a classification determination” in their filing for dismissal. This led them to conclude that proceeding would no longer be in the interest of either justice or national security. The prosecutors’ filing argues that Concord would use discovery and trial to further its own ends, and that the company was essentially beyond the reach of US punitive measures.
At the end of last week the US Department of Justice announced the arrest of twenty-four people on charges related to a range of online fraud and money-laundering schemes. The criminals are thought to have netted as much as $30 million from a surprisingly wide range of activities, from business email compromise, to retirement account fraud, to romance scams.
George Bell, a British man who at age 61 is old enough to know better, and who was even cleared to handle classified information at the official-sensitive level (with the customary regular reminders to straighten up and fly right that those so trusted receive) admitted to a Scottish court that he'd uploaded to an adult website photos and video of women he knew. Some of the material was modified; all of the posts were non-consensual. Mr. Bell's nom-de-hack was "Just a horny guy," the Courier reports.
Courts and torts.
The Brave Browser has filed a formal GDPR complaint against Google, alleging infringement of the "purpose limitation" principle.
Cooley notes that the US Federal Trade Commission seems to be following companies' reports to the Securities and Exchange Commission attentively. FTC actions seem to be tracking publicly traded companies' disclosures of cybersecurity and privacy incidents more closely than chance would account for.
Policies, procurements, and agency equities.
The US Cybersecurity and Infrastructure Security Agency (CISA) recommends that organizations use enterprise VPNs for remote work, and the agency offers advice on how to keep these solutions secure. First, ensure that VPNs are kept up-to-date with security patches. Second, tell your employees to expect an increase in phishing emails designed to steal their VPN credentials, and implement multifactor authentication on these accounts. Third, make sure your VPNs can handle increased bandwidth usage. Additionally, IT security workers should be "prepared to ramp up the following remote access cybersecurity tasks: log review, attack detection, and incident response and recovery."
CISA notes that attackers are aware that many more employees are now working remotely, so they'll be making it a priority to exploit unpatched vulnerabilities and steal credentials for these solutions. CyberWire Pro Policy has more description of CISA's guidance for the public and private sectors.
US Attorney General Barr on Monday sent a memorandum to US Attorneys urging them to give priority to prosecution of online coronavirus-themed scams.
More than thirty industry groups have petitioned California's Attorney General to postpone enforcement of the California Consumer Privacy Act until the coronavirus crisis is closer to resolution, the Association of National Advertisers says. They need time to implement the measures CCPA requires, and they believe implementation will be effectively impossible until the emergency is over.
Fortunes of commerce.
Venture capital firm DataTribe offers insights into trends in early-stage venture investment activity and how the COVID-19 pandemic could impact investments going into 2020. DataTribe co-founder Mike Janke observes that all early-stage investment activity declined by 12.1% in 2019, while early-stage investments in cybersecurity companies fell by 12.9%. Janke attributes this largely to "U.S. – China trade negotiations, new geopolitical instability (Iran), and an increasingly tense political environment, particularly President Trump’s impeachment proceedings." He notes that while COVID-19 didn't trigger this decline, "the Coronavirus outbreak will add additional downward pressure to this trend." DataTribe concludes that this trend will probably last through 2020, but emphasizes that "[r]egardless of the potential decrease in investments for March, cybersecurity remains critical to governments, businesses, and consumers. Investors continue to fund strong companies – it just might take a little longer."
Labor markets.
Partying like it's 2019 during the pandemic? Don't expect Michael Dell to offer you a job, kids. Business Insider says the tech mogul doesn't like what he saw in a CBS tweet about students whooping it up as usual on the Florida beaches during spring break. Dell doesn't strike us as unreasonable or curmudgeonly, either: the reversed-hat youth CBS interviewed first would be enough to make Jack Kerouac think that maybe, after all, John D. Rockefeller had a few good points to make about the world of work. Another youth observes that we should get our priorities straight: this whole virus thing is way overblown, and we should address hunger and poverty, stuff like that (and inter alia not close the bars and beaches). A tip to students teetering on the edge of their job hunt: self-awareness and responsibility go a long way. Know thyself, as some old Greek god or totally baked oracle or philosopher or somebody like that said one time, we think we remember from college...
Mergers and acquisitions.
Israeli application security testing company Checkmarx is being acquired by private equity firm Hellman & Friedman at a $1.15 billion valuation, CRN reports.
Deloitte Australia has acquired Melbourne-based cybersecurity intelligence firm Zimbani, according to ARN. The terms of the deal were not disclosed.
Georgia-based risk management firm Riskonnect has acquired UK-based governance, risk, and compliance (GRC) software provider Xactium for an undisclosed amount.
Investments and exits.
Cupertino, California-based container management company Rancher Labs has raised $40 million in a Series D round led by Telstra Ventures, HarbourVest, and Telstra Corporation, Australia’s largest telecommunications company.
Virginia-based supply chain risk management company Interos has received $17.5 million in a Series B round led by Venrock, with participation from Kleiner Perkins.
San Mateo, California-based network security startup Axis Security has emerged from stealth with $17 million in funding from CyberStarts, Ten Eleven Ventures' Alex Doll, Gili Raanan, a partner at Sequoia Capital, Dan Amiga, founder of Fireglass, and board member Michael Fey, former president of Symantec and Blue Coat.
Boston-headquartered risk-based vulnerability orchestration company ZeroNorth has raised $10 million in a Series A+ round led by Crosslink Capital, with participation from existing investors ClearSky, Rally Ventures, and Petrillo Capital.