APT41 launches broad cyberespionage campaign.
FireEye disclosed a wide-ranging cyberespionage campaign launched by the China-linked actor APT41 against a variety of sectors in at least twenty countries. The operation ran from January 20th to March 11th, but FireEye observed a pause between January 23rd and February 1st, which coincides with the Chinese Lunar New Year holidays (those ran from January 24th to January 30th). APT41 is associated with China's intelligence services, but it's also been known to conduct financially motivated operations more in line with criminal groups.
In the recent campaign, the threat actor exploited vulnerabilities in Citrix ADC and Gateway devices, Cisco routers, and Zoho ManageEngine Desktop Central products. FireEye says this operation "shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage." The hackers exclusively used publicly available tools like Cobalt Strike and Meterpreter for their initial exploitation attempts.
The sectors targeted included "Banking/Finance, Construction, Defense Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel, and Utility." FireEye calls this activity "one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years."
Reuters reports that other cybersecurity firms have observed "a recent uptick in cyber-espionage activity linked to Beijing." Secureworks told the publication that it's tracking new infrastructure being used by APT41.
South Korea-aligned group used at least five zero-days against North Korean targets.
Google’s Threat Analysis Group (TAG) published a blog post outlining trends in state-sponsored hacking operations. Most interestingly, TAG found that in 2019 a single APT used five zero-day vulnerabilities in a campaign that primarily targeted North Korea and "individuals who worked on North Korea-related issues." Three of the vulnerabilities affected Internet Explorer, one was located in the Windows Kernel, and one was found in Google Chrome.
Google didn't attribute the operation to a specific group or country, but Kaspersky informed WIRED that the campaign was linked to the threat actor known as DarkHotel. Kaspersky's researchers said they saw two of the zero-day flaws exploited to deploy DarkHotel's bespoke malware before the existence of the vulnerabilities was made public. Kaspersky similarly refrained from attributing DarkHotel to any country, although WIRED notes that DarkHotel is suspected of operating in the interests of the South Korean government.
Kaspersky researcher Costin Raiu told WIRED that the group had also been using three zero-days in addition to the five observed by Google. Raiu observed that "[t]hey're probably one of the actors that’s the most resourceful in the world when it comes to deploying zero days. They seem to be doing all this stuff in-house, not using code from other sources. It says a lot about their technical skills. They're very good."
DarkHotel is also suspected in an unsuccessful attack that targeted the World Health Organization (WHO) in early March, according to Reuters. Two unnamed sources who were briefed on the incident told the publication they suspected the group, although they didn't disclose the reasons for their suspicion. The WHO's Chief Information Security Officer, Flavio Aggio, told Reuters, "There has been a big increase in targeting of the WHO and other cybersecurity incidents. There are no hard numbers, but such compromise attempts against us and the use of (WHO) impersonations to target others have more than doubled."
Tracking Sandworm's targeting.
Google also published a chart showing the Russian APT Sandworm's month-by-month targeting efforts over the past three years. In 2017, the group targeted anti-corruption organizations, the Orthodox Church, and Russian lawyer and activist Alexei Navalny. In 2018, the actor went after software developers, cryptocurrency, and the hospitality industry. In 2019, it focused on the Russian government, charities, and the maritime sector. Sandworm also targeted Ukraine every single month. Other targets throughout the years included the media, IT and managed service providers, EU and Russian finance organizations, the Russian real estate sector, South Korea, Syria, and at least one incident targeting water treatment.
Silence and TA505 linked to attacks in Western Europe.
Group-IB says it observed "successful attacks" launched in late January 2020 against at least two Western European companies in the pharmaceutical and manufacturing industries. The malware used in the attacks was linked to the Russian-speaking financially motivated groups Silence and TA505. The two groups have been connected in the past, but Group-IB believes "with moderate confidence" that Silence carried out these latest attacks. The researchers note, however, that this would mark a shift in targeting for the group, since Silence has exclusively gone after financial entities in the past. As a result, the researchers leave open the "possibility that Silence’s tools could have been sold to another threat actor or borrowed by TA505." The nature of the attacks is unknown, but Group-IB suspects that if Silence was indeed responsible, then the incidents were either ransomware attacks or supply-chain compromises.
Ryuk continues attacking hospitals.
BleepingComputer reports that the operators of the Ryuk ransomware are still targeting healthcare entities in the midst of the coronavirus pandemic. SentinelOne's Vitali Kremez told BleepingComputer that he's observed Ryuk launch attacks against ten healthcare organizations in the past month, including two independent hospitals and a network of nine hospitals in the US. Kremez said "[n]ot only has their healthcare targeting not stopped but we have also seen a continuous trend of exploiting healthcare organizations in the middle of the global pandemic." At least one of those hospitals, BleepingComputer says, "is located in a state that is being heavily affected by the Coronavirus at this time."
Hackers are modifying DNS settings in home routers.
Bitdefender and BleepingComputer discovered that hackers are gaining access to Linksys and D-Link home routers in order to tamper with their DNS settings. It's not clear how the attackers are compromising the routers, but Bitdefender suspects they're brute-forcing weak passwords to Linksys cloud accounts or the routers' online management consoles.
The purpose of the attacks is to redirect users to a malicious website that unsurprisingly instructs them to download an app, supposedly from the World Health Organization, that contains "the latest information and instructions about coronavirus (COVID-19)." If users install this file, they'll be infected with the Oski infostealer.
BleepingComputer advises users who find themselves being redirected to such a site to log in to their routers and ensure there are no DNS servers manually configured. Your DNS settings should say "Automatic" or "ISP assigned." You should also change your password and disable remote administration. Bitdefender says users should also "change their Linksys cloud account credentials."
US government websites give less-than-fully-successful security advice.
KrebsOnSecurity reports that many US government websites are giving misleading security advice by telling visitors, "The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely." The second part of this statement is partially correct, but Krebs points out that HTTPS doesn't indicate anything about the legitimacy or the security of the site itself, only that communication between the client and the site is encrypted. SSL certificates are free and easily obtained, and the majority of phishing sites now use them.
WildPressure carries out targeted attacks in the Middle East.
Kaspersky researchers are tracking an ongoing campaign they call "WildPressure" that's targeting entities in an unnamed Middle Eastern country with a new Trojan. The researchers found "three almost unique samples" of the malware, which they've dubbed "Milum," all three of which were used to target organizations in a single country. The operation has been running since "at least the end of May 2019." Kaspersky isn't sure who's behind the campaign or what their ultimate goal is, stating that they "haven’t observed any strong code- or victim-based similarities with any known actor or set of activity." They note that some of the operation's victims included industrial organizations.
Secure cloud provider exposes AWS bucket.
vpnMentor discovered an unsecured AWS S3 bucket with data belonging to secure cloud storage provider Data Deposit Box. Approximately 270,000 files were exposed in the incident, including usernames and plaintext passwords, IP addresses, and email addresses. vpnMentor's researchers gave Data Deposit Box high marks for responsiveness, although they criticized the firm for failing to encrypt users' passwords.
Check out the CyberWire Pro Privacy Briefing for more insight into this incident.
Patch news.
ProtonVPN disclosed a medium-severity VPN bypass vulnerability in the latest version of iOS that leaves some traffic unencrypted. The problem stems from iOS's failure to kill all existing internet connections when a VPN is turned on, which can lead to IP address exposure. ProtonVPN says Apple is working on mitigations. In the meantime, ProtonVPN suggests turning on airplane mode after connecting to the VPN server to disconnect all internet connections, and then switching airplane mode off. This should cause all connections to reconnect through the VPN server, but ProtonVPN stresses that it's not guaranteed to work.
Apple released iOS 3.4, which contains patches for thirty security flaws, according to Naked Security.
Adobe patched a critical vulnerability in its Creative Cloud Desktop Application for Windows that "could lead to arbitrary file deletion."
Hewlett Packard Enterprise rolled out firmware patches to prevent some solid-state drives (SSDs) from bricking when they reach 40,000 hours of operation, ZDNet reports.
Crime and punishment.
Naked Security reports that the FBI Tuesday shuttered Deer.io, a Russian platform that hosted thousands of popular cybercrime markets. Deer.io's alleged administrator, Kirill Victorovich Firsov, was arrested in New York City earlier this month; his court date is April 16th. FBI Special Agent in Charge Omer Meisel said, "Deer.io was the largest centralized platform, which promoted and facilitated the sale of compromised social media and financial accounts, personally identifiable information (PII) and hacked computers on the internet. The seizure of this criminal website represents a significant step in reducing stolen data used to victimize individuals and businesses in the United States and abroad."
Russia's FSB arrested twenty-five people for allegedly operating a black market website called "BuyBest," CyberScoop reports. BuyBest was known for selling stolen payment card numbers, debit card PINs, and PII. The FSB shuttered the website along with about ninety backup sites. CyberScoop notes the rarity of Russian law enforcement taking action against cybercriminals in the country, and says it isn't clear why this group was singled out. Russia does prosecute local cybercriminals if they go after Russian targets, and this seems to be the case here. The FSB stated that it "stopped unlawful activity of an organized group of persons that specialized in the sale of stolen credit and payment card data of Russian and foreign financial institutions."
The US Department of Justice announced its first enforcement action against coronavirus scammers. The Department filed an injunction against the operators of a website that claimed to be selling COVID-19 vaccine kits for $4.95. A Federal court supplied a temporary restraining order compelling the website's registrar to shut down the site immediately. Jody Hunt, Assistant Attorney General of the Department of Justice’s Civil Division, stated, "We will use every resource at the government’s disposal to act quickly to shut down these most despicable of scammers, whether they are defrauding consumers, committing identity theft, or delivering malware."
Courts and torts.
Massachusetts Attorney General Maura Healey has requested that a state appeals court reject Facebook's bid to delay releasing a list of app developers who may have misused user data, Reuters reports.
Policies, procurements, and agency equities.
The White House on Wednesday released the US National Strategy to Secure 5G, which lays out "four lines of effort: (1) facilitating the rollout of 5G domestically; (2) assessing the cybersecurity risks to and identifying core security principles of 5G capabilities and infrastructure; (3) addressing risks to United States economic and national security during development and deployment of 5G infrastructure worldwide; and (4) promoting responsible global development and deployment of secure and reliable 5G infrastructure." Rather than simply banning risky 5G providers, the strategy states that "[t]he United States Government will work with the private sector, academia, and international government partners to adopt policies, standards, guidelines, and procurement strategies that reinforce 5G vendor diversity to foster market competition. The United States Government will join private sector and international partners in designing market-based incentives, accountability mechanisms, and evaluation schemas to assess diversity, component transparency, fair financing, and competition across the 5G technology landscape as a means to better secure the global network and protect American values of openness, security, and interoperability." Our CyberWire Pro Policy Briefing has more information.
The Washington Post reports that several states, including Georgia, West Virginia and Ohio, are rushing to boost their mail-in voting capabilities as they plan to send absentee ballots to all of their voters due to the coronavirus pandemic.
Nation-states have found the pandemic an occasion for disinformation campaigns—see the CyberWire Pro Disinformation Briefing for an update.
Fortunes of commerce.
Numerous security firms, including Emsisoft, Coveware, Awake Security, and CynergisTek, are offering free ransomware assistance and other services to healthcare providers for the duration of the pandemic, Health IT Security reports.
There have also been executive and board shifts in the sector, which the CyberWire Pro Business Briefing summarizes.
Mergers and acquisitions.
Private equity firm Thoma Bravo has called off its auction for Massachusetts-based healthcare security company Imprivata due to current market uncertainties, CRN reports. Imprivata was expected to sell for more than $2 billion.
Egypt-based cybersecurity consulting company SecureMisr has been acquired by Texas-based SOC-as-a-service company Cysiv, SME10X reports. Cysiv was spun out of Trend Micro in 2018.
Washington, DC-based cybersecurity firm ShorePoint, Inc has acquired Chantilly, Virginia-based big data analytics company Cyberyllium.
Maryland-based business management consultancy Freedom Consulting Group (FCG) has acquired St. Louis, Missouri-based geospatial IT startup Geodata IT for an undisclosed amount.
Canada-based media conglomerate Thomson Reuters has acquired Folsom, California-based machine learning company Pondera Solutions for an undisclosed amount, according to Government Technology. Pondera's tools are used to identify fraud, waste, and abuse in government-funded programs.
Norwegian electrical equipment safety testing company Nemko Group has acquired cybersecurity assessment firm System Sikkerhet, which is also based in Norway, Help Net Security reports.
Investments and exits.
San Francisco-based online fraud prevention company Arkose Labs has secured $22 Million in a Series B round led by Microsoft's venture fund M12, with participation from existing investors PayPal and US Venture Partners (USVP).
Singapore-based application and cloud security company Horangi closed a $20 million Series B round led by Provident Growth, with participation from Monk's Hill Ventures, Right Click Capital, and Genesis Alternative Ventures.
London-headquartered log management platform provider Humio received $20 million in a Series B funding round led by Dell Technologies Capital, with participation from existing investor Accel, SecurityWeek reports.
South Korean malware analysis firm SecuLetter has raised $8 million in a Series B funding round led by Riyadh Valley Company (RVC), Korea Development Bank (KDB), Korea Investment Partners (KIP), and UTC Investment.
Maryland-headquartered rogue device mitigation company Sepio Systems has added another $4 million to the $6.5 million Series A funding it received in November 2019, SecurityWeek reports. The latest funding was provided by Munich Re Ventures and Hanaco Ventures.