By the CyberWire staff
Fancy Bear shows interest in the US energy sector.
WIRED reports that APT28 (also known as Fancy Bear), a unit of Russia's GRU military intelligence agency, has been running "a broad hacking campaign against US targets" from December 2018 until at least May 2020. An FBI notification obtained by WIRED stated that the threat actor has been targeting "a wide range of US based organizations, state and federal government agencies, and educational institutions." The FBI didn't disclose which entities were targeted, but researchers at Dragos observed that one of APT28's IP addresses listed in the alert also appeared in a Department of Energy advisory issued earlier this year. That advisory said the IP address had been used to probe login portals belonging to a US energy entity on Christmas Eve last year.
WIRED notes that, while another GRU unit (tracked as "Sandworm") has historically been very active against the energy sector, APT28 hasn't previously focused on this area. Dragos's Joe Slowik told the publication, "Just given what we understand about how APT28 operates and its typical victimology, identifying that group interacting with the US energy sector would be substantially different from how this group has behaved previously." He added, "This is a concerning data point. It’s the first time in a while that this group has targeted US critical infrastructure."
Lazarus Group refines its capabilities.
Researchers at Kaspersky say North Korea's Lazarus Group has put "significant resources" into improving its toolset over the past two years, CyberScoop reports. The security firm analyzed an "advanced malware framework," dubbed "MATA," which the Lazarus Group has used against various industries in Poland, Germany, Turkey, South Korea, Japan, and India. Specific targets have included "a software development company, an e-commerce company, and an internet service provider." The group has been using MATA since at least April 2018.
MATA is designed to run on Windows, macOS, and Linux. The malware seems to be primarily used for exfiltrating databases, but in at least one case it was observed delivering the VHD ransomware to a victim's network, suggesting that the attackers are using the tool for both espionage and financial gain.
Kaspersky researcher Seongsu Park told CyberScoop, "This series of attacks indicates that Lazarus was willing to invest significant resources into developing this toolset and widening the reach of organizations targeted — particularly in hunting for both money and data. Furthermore, writing malware for Linux and macOS systems often indicates that the attacker feels that he has more than enough tools for the Windows platform, which the overwhelming majority of devices are run on."
A Real Conversation to Discuss Post-Compromise with the CyberWire's Dave Bittner
We’ve all heard that “it’s not if you’ll be compromised, it’s when.” Join us on Tuesday, July 28th, as we sit down with Dave Bittner from the CyberWire to discuss not only how to prevent attacks from becoming full-on data breaches, but also some new complications to security strategies as organizations improvise remote work and cloud-based operations. We'll also discuss some of the biggest threats to networks today and how to effectively minimize risk.
US indicts two Chinese hackers.
The US Department of Justice issued an indictment against two Chinese nationals, Li Xiaoyu and Dong Jiazhi, for allegedly conducting extensive hacking operations "lasting more than ten years to the present, targeting companies in countries with high technology industries, including the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden, and the United Kingdom." Interestingly, the indictment claims that the two hackers "in some instances acted for their own personal financial gain, and in others for the benefit of the MSS or other Chinese government agencies." As a result, Assistant Attorney General for National Security John C. Demers stated, "China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being ‘on call’ to work for the benefit of the state."
While the Justice Department didn't link the hackers to any specific threat actors, observers noted similarities between the behaviors outlined in the indictment and those associated with APT41.
Observers see a difference in national styles between Russian and Chinese employment of cybercriminals. The Washington Post spoke with experts who tended to see the Russians as turning a blind eye to cybercrime as long as the criminals keep their hands off the wrong targets (that is, domestic and well-connected targets), and as long as they’re willing to do favors for the government when asked. The Chinese treat the criminals more like contractors, and are content to let them profit on the side. China also has more control over its domestic Internet, which gives the government greater visibility into what cybercriminals are up to and how they can be recruited when necessary.
For more, see the CyberWire Pro Disinformation Briefing.
CSO Perspectives w/ Rick Howard returns for season 2!
Catch up on the full first season & dive into season 2 of the CSO Perspectives podcast, available exclusively on CyberWire Pro. Join the CyberWire's Chief Analyst, Rick Howard, as he discusses the ideas, strategies and technologies that senior cybersecurity executives wrestle with on a daily basis. Visit https://thecyberwire.com/pro/cso-perspectives to learn more and subscribe.
Ransomware with OT-specific targeting capabilities.
FireEye says at least six ransomware families—DoppelPaymer, LockerGoga, Maze, MegaCortex, Nefilim and SNAKEHOSE (also known as "Snake" or "Ekans")—are using the same process kill list consisting of more than 1,000 processes, including "a couple dozen processes related to OT executables." This kill list was observed and described by Dragos and others earlier this year, and raised concerns that attackers were increasingly incorporating OT-specific capabilities into their toolsets.
Notably, however, FireEye has discovered an entirely separate process kill list being used by the CLOP ransomware that targets more than 1,425 processes, at least 150 of which are related to OT software suites. FireEye stresses that stopping these processes "may directly impact the operator’s ability to both visualize and control production. This is especially true in the case of some included processes that support HMI and PLC supervision."
The researchers don't believe the operators of these ransomware families are explicitly seeking out OT environments, and they think the process kill lists are "the result of coincidental asset scanning in victim organizations." However, the presence of the OT-related processes on the list "suggests that sophisticated financially motivated actors, such as FIN6, have had at least some visibility into a victim’s OT network." While exploiting these systems doesn't seem to be a priority for them at the moment, ransomware operators are growing increasingly sophisticated and well-funded, and opportunistically targeting an organization's most critical systems is central to their strategy. As a result, FireEye expects to see more criminal hackers displaying an interest in gaining access to operational environments, particularly as IT and OT systems converge.
For more, see the CyberWire Pro Research Briefing.
NSA and CISA warn of threats to OT systems.
The US National Security Agency and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released an advisory on Thursday recommending that operators of critical infrastructure take "immediate actions" to secure OT assets and industrial control systems. The agencies stress that "Internet-accessible OT assets are becoming more prevalent across the 16 U.S. CI sectors as companies increase remote operations and monitoring, accommodate a decentralized workforce, and expand outsourcing of key skill areas such as instrumentation and control, OT asset management/maintenance, and in some cases, process operations and maintenance....It is important to note that while the behavior may not be technically advanced, it is still a serious threat because the potential impact to critical assets is so high."
The alert adds, "Legacy OT assets that were not designed to defend against malicious cyber activities, combined with readily available information that identifies OT assets connected via the internet...are creating a 'perfect storm' of 1) easy access to unsecured assets, 2) use of common, open-source information about devices, and 3) an extensive list of exploits deployable via common exploit frameworks."
SecurityWeek summarizes the six primary mitigations outlined in the report: "creating an OT resilience plan, creating and exercising an incident response plan, hardening the OT network, creating an accurate and detailed map of OT infrastructure, understanding and evaluating cyber risk, and implementing a continuous monitoring program for detecting anomalies."
How'd you like to be the office cybersecurity hero?
With a CyberWire Pro Enterprise subscription, you can make that happen. You can help to keep your organization up to date with the latest news, analysis, and trends across the evolving cybersecurity landscape, save some money, and look like a hero at the same time. To learn more, visit our CyberWire Pro page and click on the Contact Us link in the Enterprise box.
Twitter hacker accessed some accounts' DMs.
Twitter continues to investigate the security breach it sustained last week. The company disclosed on Wednesday that the attackers were able to log in to 45 accounts and send tweets, and that they accessed the DM inboxes of 36 of those accounts. Twitter said one of the accounts whose DMs were accessed belonged to an "elected official in the Netherlands." The Dutch elected official turned out to be Geert Wilders, who confirmed to Yahoo that the attacker "indeed also got full access to my DM's which of course is totally unacceptable in many ways." Wilders added that in addition to posting tweets, the attackers also sent fraudulent DMs from his account.
Twitter also said that for eight of the compromised accounts, the attackers were able to download the account history via the platform's Your Twitter Data tool.
The attack seems increasingly certain to have been a criminal operation involving social engineering. Reuters reports that more than a thousand Twitter employees and contractors had access to the company tool that was abused by the attackers.
Cloud provider pays ransom for stolen data.
Blackbaud, a US-based cloud provider that primarily serves educational institutions and nonprofits, disclosed that it sustained an attempted ransomware attack in May during which the attackers were able to exfiltrate some customer data, the BBC reports. While the ransomware component of the attack was thwarted, Blackbaud paid the criminals a ransom after they threatened to leak the stolen data, and the company says it has "no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly."
Many of the affected customers are universities and nonprofits in the UK, the US, and Canada. The BBC has confirmed that the victims include the University of York, Oxford Brookes University, Loughborough University, the University of Leeds, the University of London, the University of Reading, University College Oxford, Ambrose University, Human Rights Watch, Young Minds, and the Rhode Island School of Design. The stolen data included personal information of students, staff, and alumni.
Blackbaud apparently didn't notify its customers of the breach until July 16th, the same day it publicly disclosed the incident, and it's not clear why the company waited so long to do so. The University of York said in a statement that it's "working with Blackbaud to understand why there was a delay between them finding the breach and notifying us." The BBC also notes that observers are skeptical that Blackbaud can be confident that the extortionists actually deleted the stolen information after receiving payment.
Motive behind database-wiping attacks is unclear.
A wave of destructive "Meow attacks" appears to use an automated tool to find and wipe exposed Elasticsearch and MongoDB instances. According to BleepingComputer, there are no ransom notes, no threats, no crowing, and no explanation for the attacks. One possible motive is that the attacks represent tough love from vigilantes pushing admins to secure their databases, but that’s speculation: "meowing" could represent anything from misdirection, to preparation for protection rackets, to the lulz.
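The wiping described above only works against instances that answer to anyone who can reach the port. As an added example that is not part of the CyberWire piece or of either database project, the script below audits the two settings that decide that in a mongod.conf and an elasticsearch.yml: whether the service binds beyond loopback, and whether authentication is switched on. The config texts are constructed samples; the minimal YAML reader handles only the scalar key/value subset these files use, and treating an unset xpack.security.enabled as disabled follows the pre-8.x default. Both of those are assumptions made for the example.

```python
"""Audit mongod.conf / elasticsearch.yml for the exposed-and-unauthenticated
pattern behind database-wiping attacks (constructed example)."""

LOOPBACK = {"127.0.0.1", "localhost", "::1", "_local_"}


def parse_simple_yaml(text):
    """Read the 'key: value' subset these configs use into a dict of dotted keys.
    Nesting is tracked by indentation; lists and quoted colons are not
    handled (assumption: the files stay in this simple form)."""
    result, stack = {}, []  # stack holds (indent, key) for open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        while stack and stack[-1][0] >= indent:  # leave closed sections
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        value = value.strip().strip('"').strip("'")
        if value == "":
            stack.append((indent, key.strip()))  # section header
        else:
            result[path] = value
    return result


def bind_addresses(value):
    return [a.strip() for a in value.split(",") if a.strip()]


def is_exposed(addresses):
    """True if any bind address is not loopback (0.0.0.0, ::, _site_, a LAN IP)."""
    return any(a not in LOOPBACK for a in addresses)


def audit_mongod(cfg):
    findings = []
    bind = cfg.get("net.bindIp", "127.0.0.1")  # MongoDB 3.6+ defaults to localhost
    if cfg.get("net.bindIpAll", "false").lower() == "true" or is_exposed(bind_addresses(bind)):
        findings.append(("exposed", "mongod listens beyond loopback: bindIp=%s" % bind))
    if cfg.get("security.authorization", "disabled").lower() != "enabled":
        findings.append(("no-auth", "security.authorization is not enabled: any client can read or drop databases"))
    return findings


def audit_elasticsearch(cfg):
    findings = []
    host = cfg.get("network.host", "_local_")  # Elasticsearch default is loopback
    if is_exposed(bind_addresses(host)):
        findings.append(("exposed", "elasticsearch listens beyond loopback: network.host=%s" % host))
    # Assumption: unset means disabled, as in the pre-8.x basic-licence default.
    if cfg.get("xpack.security.enabled", "false").lower() != "true":
        findings.append(("no-auth", "xpack.security.enabled is not true: HTTP API has no authentication"))
    return findings


def risk_level(findings):
    """CRITICAL when reachable off-box AND unauthenticated, WARN for either alone."""
    tags = {tag for tag, _ in findings}
    if {"exposed", "no-auth"} <= tags:
        return "CRITICAL"
    return "WARN" if tags else "OK"


# Constructed sample configs (not from any real deployment).
MONGOD_EXPOSED = """
# mongod.conf
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""
MONGOD_SAFE = """
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""
ES_EXPOSED = """
cluster.name: prod-logs
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

if __name__ == "__main__":
    for name, fn, text in [("mongod (exposed)", audit_mongod, MONGOD_EXPOSED),
                           ("mongod (safe)", audit_mongod, MONGOD_SAFE),
                           ("elasticsearch (exposed)", audit_elasticsearch, ES_EXPOSED)]:
        findings = fn(parse_simple_yaml(text))
        print(name, "->", risk_level(findings))
        for _, msg in findings:
            print("   -", msg)
```

A config audit is a first-pass check, not proof of safety: a host firewall or cloud security group can close a port the config opens, and a reverse proxy can expose one the config keeps on loopback, so the result should be confirmed from the network side as well.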
Dell thinks about spinning off VMware.
Dell Technologies has confirmed reports that it's "in an early stage" of considering spinning off its 81% stake in VMware, according to CRN. The company said in an SEC filing that its goal in spinning off VMware "would be to (1) maintain VMware’s credit rating of investment grade and (2) improve Dell Technologies’ credit rating at, or shortly following consummation of, the spin-off." CRN also cites sources to the effect that in the case of a spin-off, "Dell Technologies CEO and VMware Chairman Michael Dell and his private equity partner Silver Lake will retain approximately 53 percent majority stake in VMware," although Michael Dell and Silver Lake declined to comment on this.
More business news can be found in the CyberWire Pro Business Briefing.
Patch news.
Adobe released out-of-band patches for critical vulnerabilities affecting Photoshop, Bridge, and Prelude, Threatpost reports.
Zoom has fixed an issue disclosed by Check Point that could have enabled attackers to exploit the platform's "vanity URLs" to launch convincing phishing attacks and draw victims into fake Zoom meetings, the Daily Swig reports.
Adobe will implement mandatory two-factor authentication for Magento administrator accounts beginning with the release of Magento Commerce 2.4, BleepingComputer reports. Adobe says its security team has found that around three-quarters of Magecart card-skimming attacks are a result of an attacker compromising an administrator account.
Crime and punishment.
The US State Department on Wednesday announced "rewards of up to $1 million each for information leading to the arrests and/or convictions of Ukrainian nationals Artem Viacheslavovich Radchenko and Oleksandr Vitalyevich Ieremenko for participating in transnational organized crime, specifically cybercrime." The two men were charged in January 2019 for their alleged roles in a large-scale securities fraud scheme. BleepingComputer explains that the men are accused of hacking into the US Securities and Exchange Commission’s (SEC) Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system and stealing thousands of confidential files, including draft earnings reports, which they then sold before the data were made public.
The US Attorney’s Office for the Northern District of California has charged Shaukat Shamim, founder of artificial intelligence startup Mountain AI, with one count of securities fraud and one count of wire fraud for allegedly lying to investors about his company's revenue as well as making false statements about what the company's technology was capable of. Mr. Shamim claimed the software could analyze videos to extract marketing trends. In reality, the Justice Department says he was paying workers in India to watch videos and record their impressions.
Courts and torts.
The New York State Department of Financial Services (DFS) last Wednesday charged First American Title Insurance Co. (a subsidiary of First American Financial Corp) with exposing millions of sensitive customer records due to a misconfiguration on the company's website, the Wall Street Journal reports. Reuters notes that this is the financial regulator's first enforcement action under its cybersecurity regulations, which went into effect in March 2017. DFS alleges that the company was aware of the flaw for months and failed to act before it was reported on by Brian Krebs in May 2019. The charges could result in significant fines, since each instance of exposed information is considered a separate violation carrying a penalty of up to $1,000. First American stated that it "strongly disagrees" with the charges and will contest them.
Policies, procurements, and agency equities.
The US State Department ordered that China close down its consulate in Houston by 4:00 PM yesterday, stating that the closure was necessary in order "to protect American intellectual property and Americans' private information." US Secretary of State Mike Pompeo said Thursday that the consulate was "a hub of spying and intellectual property theft." The South China Morning Post reports that Beijing will shut down the US consulate in the southwestern city of Chengdu in retaliation.
The UK's Intelligence and Security Committee of Parliament issued its report on Russian espionage and cyber operations on Tuesday. The redacted report concludes that Russia's aims are primarily negative ("fed by paranoia" and "fundamentally nihilistic"), seeking to disrupt and damage rivals. Moscow's positive goals "are relatively limited," and include sustaining its prestige as a great power and preserving its rulers' privileged positions. The Committee also outlines extensive Russian disinformation operations against the UK, which have pursued goals observed elsewhere, including the opportunistic exploitation of existing social fissures to erode trust in civil society and the institutions that serve it.
For more, see the CyberWire Pro Policy Briefing.