Taiwan blames Chinese APTs for hacking campaign.
Authorities in Taiwan have blamed four Chinese government hacking groups—Blacktech, Taidoor, Mustang Panda, and APT40—for running cyberespionage campaigns against ten Taiwanese government agencies since at least 2018, the South China Morning Post reports. The Taiwan Investigation Bureau's Cyber Security Investigation Office said the actors placed backdoors on email servers and gained access to around six-thousand government email accounts. In some cases, the attackers first compromised Taiwanese tech companies that worked as contractors for the government, using these to obtain footholds within government networks. Taipei isn't sure exactly what information was stolen, since the attackers erased evidence of their activities.
Beijing called Taiwan's accusations "malicious slander," Reuters reports.
GoldenSpy's operators are trying to cover their tracks.
Trustwave's SpiderLabs reports finding five versions of an uninstaller for the GoldenSpy backdoor carried by tax software whose use is required of companies doing business in China. The uninstaller was dropped by an update module to erase GoldenSpy before deleting itself. Trustwave believes the uninstallers were deployed by those behind the GoldenSpy backdoor to cover their traces. The actors also issued modified versions of the uninstallers which Trustwave says were "specifically designed to evade our YARA rules we published."
The researchers conclude that their findings "should serve as a wakeup call for organizations because it proves any actions including implanting and extracting malware can be taken covertly and at the will of the attacker with the help of the updater module without impacting the functionality of the Golden Tax software."
Researchers found a (now patched) kill-switch in Emotet.
ZDNet reports that researchers at Binary Defense discovered a bug in Emotet in February that enabled them to develop what they describe as a combination of a kill switch and a vaccine for the Trojan. The flaw was introduced by Emotet's developers on February 6th, and it involved the way the malware used a Windows registry key for persistence as well as for various code checks during its execution. This key was predictable since it was based on each device’s volume serial number.
Binary Defense researchers wrote a PowerShell script dubbed “EmoCrash” that generated a malformed version of this registry key and triggered a buffer overflow vulnerability during Emotet's installation, which would crash the malware before it finished installing. The crash also generated two easily detectable event logs, enabling defenders to identify systems where Emotet was incapacitated.
Binary Defense worked with security research non-profit Team Cymru to distribute the tool to national Computer Emergency Response Teams around the world. The various CERTs in turn provided it to local companies via non-public channels. Emotet's developers patched the flaw on August 6th, which is why Binary Defense is revealing the operation now.
The researchers don’t know how many organizations deployed their tool since they intentionally didn’t collect telemetry, but they believe EmoCrash had a substantial impact on Emotet's operations over the past six months.
Vishing attacks spike following Twitter hack.
The phone-based phishing caper that enabled takeover of more than a hundred high-profile Twitter accounts is apparently serving as a template for other attacks. WIRED reports that a growing number of organizations are experiencing similar, copycat approaches, with varying but disturbing degrees of success. Like the Twitter hack, these attacks seem to be launched by young, English-speaking troublemakers organizing on Discord and shady forums, but researchers at ZeroFOX say their techniques are so effective that organizations should prepare to see these tactics deployed by more sophisticated criminals and state-sponsored groups.
Likewise, Allison Nixon, chief research officer at Unit 221b, told WIRED, "Simultaneous with the Twitter hack and in the days that followed, we saw this big increase in this type of phishing, fanning out and targeting a bunch of different industries. I've seen some unsettling stuff in the past couple of weeks, companies getting broken into that you wouldn't think are soft targets. And it's happening repeatedly, like the companies can't keep them out."
Voice phishing, also called "vishing," isn’t new, but in the past it’s primarily been used against mobile carriers in SIM-swapping attacks. This recent wave of vishing attacks is more wide-ranging and often involves convincing a victim to enter their credentials on a spoofed login page.
ZeroFOX recommends a mix of training, policy, and technical defenses: "training and education, monitoring and pre-emptive blocking of problem domains, SSO auditing, and employing role-based access best practices for internal panels."
A look at North Korea's hacking units.
A US Army report, summarized by ZDNet, offers an in-depth look at North Korea's military and cyber capabilities. The report says the nation's Cyber Warfare Guidance Unit, also known as “Bureau 121,” had more than six-thousand members in 2015, up from one-thousand in 2010. The US Army believes the number is probably much higher than six thousand by now. Additionally, many of these hackers operate from locations in other countries, including Belarus, China, India, Malaysia, and Russia.
The report also details the organizational structure of Bureau 121. The Unit has four subdivisions: three are focused on cyber warfare, while one is responsible for traditional electronic warfare, such as jamming equipment. The three cyber-focused subdivisions are known in the industry as the Andariel Group, the Bluenoroff Group, and the Lazarus Group. Andariel is made up of approximately sixteen-hundred members and primarily focuses on reconnaissance of targeted networks and identifying exploitable vulnerabilities. Bluenoroff consists of around seventeen-hundred members who are tasked with conducting "financial cybercrime by concentrating on long-term assessment and exploiting enemy network vulnerabilities." Lazarus consists of an unknown number of operators and is the group the government uses to "create social chaos by weaponizing enemy network vulnerabilities and delivering a payload if directed to do so by the regime." (ZDNet clarifies that the cybersecurity industry often uses "Lazarus Group" as an umbrella term to refer to any hacking associated with North Korea.)
US Senate releases fifth and final report on Russian interference with 2016 election.
The US Senate Select Committee on Intelligence has released the final volume of its report on Russian interference with the 2016 election. It found that President Putin directed the campaign and set its goals (generally disruptive, but specifically anti-Clinton), that despite troubling behavior by sometime Trump consigliere Paul Manafort there was no collusion between the Trump campaign and Russian intelligence services, and that the FBI made loose and careless use of the retrospectively implausible Steele dossier. Democrats emphasize Manafort's counterintelligence problems; Republicans point out that the FBI didn’t exactly cover itself with glory in the investigation.
For more, see the CyberWire Pro Disinformation Briefing.
RedCurl conducting corporate espionage.
Group-IB describes a previously undisclosed Russian-speaking APT dubbed "RedCurl," which has been conducting corporate espionage since at least 2018. The security firm has observed twenty-six attacks against fourteen victim organizations distributed across Russia, Ukraine, Canada, Germany, the United Kingdom, and Norway.
The group sends well-crafted spearphishing emails, often posing as real HR employees and targeting specific departments within the companies. The emails contain links to download the group’s custom Trojan, which is hosted on legitimate cloud infrastructure. RedCurl's Trojan propagates to other hosts on the network by seeking out shared network drives and replacing all files with the extensions .jpg, .pdf, .doc, .docx, .xls, and .xlsx with LNK shortcut files. Whenever a device opens one of these files, the malware's dropper will run in the background.
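A defender-side check for the propagation behaviour described above, added here as an example and not code from Group-IB or the original report: it walks a share, flags LNK files whose names end in one of the document extensions RedCurl is reported to replace (Explorer hides the .lnk suffix, so report.pdf.lnk displays as report.pdf), and flags directories where such shortcuts are present but no original documents remain. The sample tree is constructed in a temp directory.

```python
import os
import tempfile
from pathlib import Path

# Document extensions the RedCurl Trojan is reported to replace with LNK files.
TARGET_EXTS = {".jpg", ".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def is_masquerading_lnk(path: Path) -> bool:
    """True if a .lnk file's name ends in a document extension (e.g. report.pdf.lnk).

    Explorer never shows the .lnk suffix, so such a file displays as 'report.pdf'.
    """
    if path.suffix.lower() != ".lnk":
        return False
    inner = Path(path.stem).suffix.lower()  # extension left once .lnk is stripped
    return inner in TARGET_EXTS


def scan_share(root: str) -> dict:
    """Walk a share; report masquerading LNK files and directories where the
    documents appear to have been wholesale replaced (LNKs present, no originals)."""
    findings = {"lnk_files": [], "replaced_dirs": []}
    for dirpath, _dirs, files in os.walk(root):
        docs = [f for f in files if Path(f).suffix.lower() in TARGET_EXTS]
        bad = [f for f in files if is_masquerading_lnk(Path(f))]
        findings["lnk_files"].extend(os.path.join(dirpath, f) for f in bad)
        if bad and not docs:
            findings["replaced_dirs"].append(dirpath)
    return findings


def build_sample_share() -> str:
    """Constructed sample tree (not real data): one folder replaced, one clean."""
    root = tempfile.mkdtemp(prefix="share_")
    hit = Path(root, "finance")
    hit.mkdir()
    for name in ("q2-report.pdf.lnk", "payroll.xlsx.lnk", "readme.txt"):
        (hit / name).write_bytes(b"")
    ok = Path(root, "marketing")
    ok.mkdir()
    for name in ("logo.jpg", "plan.docx", "Shortcut to printer.lnk"):
        (ok / name).write_bytes(b"")
    return root


if __name__ == "__main__":
    print(scan_share(build_sample_share()))
```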
Group-IB thinks RedCurl is a hired gun, possibly working to collect business intelligence on behalf of victims' competitors. The researchers say, "In all campaigns, RedCurl's main goal was to steal confidential corporate documents such as contracts, financial documents, employee personal records, and records of legal actions and facility construction."
For more, see the CyberWire Pro Research Briefing.
FritzFrog P2P botnet is cryptomining, for now.
Guardicore has found a peer-to-peer Linux botnet, "FritzFrog," which it describes as sophisticated, fileless, evasive, proprietary, and aggressive. It's attempted to brute-force tens of millions of IP addresses using an extensive dictionary, and has succeeded in breaching "over 500 SSH servers, including those of known high-education institutions in the U.S. and Europe, and a railway company."
The FritzFrog malware operates completely in-memory and doesn't attempt to survive reboots, but it leaves a public SSH key as a backdoor, enabling the attackers to return at their leisure. The malware could potentially be used to deliver a range of payloads, but so far seems to have for the most part been engaged in cryptojacking systems to mine Monero.
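Because the persistence mechanism here is an added public key rather than a file on disk, the practical check is an audit of authorized_keys against the keys an operator actually issued. The following is an added example, not Guardicore's detection script or code from the original page: it parses each entry (including ones with leading options), computes the OpenSSH-style SHA256 fingerprint, and reports every key not on an allowlist; unparsable lines are reported rather than skipped. The key blobs in the sample are constructed bytes, not real keys.

```python
import base64
import hashlib
from typing import List, Optional, Set, Tuple

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def parse_entry(entry: str) -> Optional[Tuple[str, str]]:
    """Return (SHA256 fingerprint, comment) for one authorized_keys entry, or None.
    Entries may carry leading options (no-pty,command="...") before the key type."""
    fields = entry.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPES):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError
                return None
            digest = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=")
            return "SHA256:" + digest.decode(), " ".join(fields[i + 2:])
    return None


def audit_authorized_keys(content: str, allowlist: Set[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, fingerprint, comment) for every key not on the allowlist."""
    unknown = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_entry(line)
        if parsed is None:
            unknown.append((lineno, "UNPARSABLE", line[:40]))
        elif parsed[0] not in allowlist:
            unknown.append((lineno, parsed[0], parsed[1]))
    return unknown


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed sample authorized_keys (blobs are arbitrary bytes, not real keys).
SAMPLE_KEYS = "\n".join([
    "# managed by config management",
    "ssh-ed25519 " + _b64(b"constructed-admin-key") + " admin@bastion",
    'no-pty,command="/usr/bin/backup" ssh-rsa ' + _b64(b"constructed-backup-key") + " backup",
    "ssh-rsa " + _b64(b"constructed-unknown-key") + " nobody@nowhere",
    "ssh-rsa not*valid*base64 garbage",
])
# Allowlist built from the two keys the operator issued (lines 2 and 3).
ALLOWLIST = {parse_entry(l)[0] for l in SAMPLE_KEYS.splitlines()[1:3]}

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE_KEYS, ALLOWLIST):
        print(finding)
```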
The botnet seems to be unique, which is why the researchers call its code "proprietary," although it bears some minor similarities to another P2P botnet known as "Rakos." Ars Technica explains that P2P botnets are harder to identify and shut down since they use a decentralized administration scheme instead of a few conspicuous command-and-control servers.
COVID-19-themed phishing on the decline.
Recorded Future reports that phishing attempts explicitly themed with COVID-19 phishbait have recently fallen off sharply, based on data obtained from "sources including hacker forums, threat feeds, news reports, and code repositories." One of the company's researchers said, "These scams feed on emotion, and we've seen a decline in COVID-19 related phishing lures because it's not something people are struggling to get information on anymore — it's something we're all living with."
Recorded Future expects election-themed phishing to increase in the US over the next few months. The firm has spotted more than three-hundred domain registrations that seem to be related to the upcoming election and could be used for phishing.
Carnival discloses ransomware attack and data theft.
Cruise line company Carnival Corporation and Carnival PLC disclosed a "data incident" to the US Securities and Exchange Commission in an August 15th 8-K filing. The company says the incident was "a ransomware attack that accessed and encrypted a portion of one brand’s information technology systems." The incident also involved exfiltration of some of the company’s data. The attack was discovered on August 15th, the same day the company reported it to the SEC, and the investigation is ongoing. Carnival’s subsidiaries include Princess Cruises, Carnival, the Holland America Line, Seabourn, P&O Cruises, Costa Cruises, AIDA Cruises, P&O Cruises, and Cunard.
Carnival’s SEC filing states that, while the company doesn't expect the incident to have a material impact on its business, operations, or financial results, "[W]e expect that the security event included unauthorized access to personal data of guests and employees, which may result in potential claims from guests, employees, shareholders, or regulatory agencies."
For more, see the CyberWire Pro Privacy Briefing.
Palantir plans to go public in September, moves to Denver.
Bloomberg reports that Palantir is planning to go public in late September through a direct listing of its shares. Bloomberg explains that a "direct listing would allow the company’s current investors to sell their shares on the first day of trading rather than having to wait for a lock-up period to expire, as would be required in a traditional initial public offering. Unlike an IPO, though, the company doesn’t raise capital in a direct listing."
Palantir has also quietly decamped from its Palo Alto headquarters, forsaking Silicon Valley for real estate more to its liking in Denver, as both the Denver and Silicon Valley Business Journals report. CNBC notes CEO Alex Karp's view that Silicon Valley’s "increasing intolerance and monoculture" and high cost-of-living have made it a less desirable place from which to do business.
More business news can be found in the CyberWire Pro Business Briefing.
Patch news.
Researchers from Trustwave discovered a shared memory vulnerability (CVE-2020-4414) in IBM's Db2 data management software that could allow local users to obtain sensitive information or launch denial-of-service attacks. IBM released patches for the flaw on June 30th.
Threatpost warns that a proof-of-concept exploit for two known bugs in Apache Struts 2 was published to GitHub on Friday. One of the vulnerabilities can lead to remote code execution, and users of Struts 2 are urged to update to the latest version.
Crime and punishment.
The US Attorney for the Northern District of California has filed a criminal complaint charging former Uber Chief Security Officer Joseph Sullivan with "obstruction of justice and misprision of a felony in connection with the attempted cover-up of the 2016 hack of Uber Technologies Incorporated." The complaint alleges that Mr. Sullivan arranged a $100,000 payment in Bitcoin through the company's bug bounty program and had the attackers sign non-disclosure agreements falsely claiming that no data were stolen.
Mr. Sullivan is a former Federal prosecutor and currently serves as Chief Information Security Officer of Cloudflare. This case is believed to represent the first prosecution of a CSO on charges of concealing a data breach. Reuters observes that the case should serve as a reminder that companies that suffer ransomware attacks involving data theft still need to disclose the data breach, even if they pay the attackers to refrain from releasing the data.
Courts and torts.
The Associated Press reports that Ireland's Data Privacy Commission (DPC) had been ready to issue its decision on a fine for Twitter, but delayed its decision until it can address and resolve objections raised by other European national privacy authorities. The case involved a bug in Twitter's Android app (now patched) that exposed protected tweets, and Twitter's alleged failure to report the issue within seventy-two hours of discovering it. The Irish DPC didn't disclose the nature of the objections raised by its counterparts in other countries, simply saying that "following consultation a number of objections were maintained and the (Irish Data Privacy Commission) has now referred the matter to the European Data Protection Board." The AP says the European Data Protection Board now has up to two-and-a-half months to reach a conclusion.
Policies, procurements, and agency equities.
The US Commerce Department on Monday announced more restrictions on Huawei’s access to US-made semiconductors. A new amendment to the foreign-produced direct product rule applies the restrictions to any transactions "where U.S. software or technology is the basis for a foreign-produced item that will be incorporated into, or will be used in the 'production' or 'development' of any 'part,' 'component,' or 'equipment' produced, purchased, or ordered by any Huawei entity on the Entity List; or 2) when any Huawei entity on the Entity List is a party to such a transaction, such as a 'purchaser,' 'intermediate consignee,' 'ultimate consignee,' or 'end-user.'" The amendment also adds thirty-eight additional Huawei affiliates from twenty-one countries to the Entity List.
According to the Wall Street Journal, the new US measures are expected to make it much harder for Huawei to obtain chips made with American technology. The Washington Post sees the new measures as evidence of the difficulties in stopping an inherently complex trade. Huawei has continued acquiring chips that contain US technology despite increasingly tight restrictions, but the Commerce Department’s new restrictions are thought to be broad enough to cut Huawei off from these workarounds. The Post cites an anonymous industry executive as saying, "This kills Huawei. Any chip made anywhere in the world by anyone is subject to this."
For more, see the CyberWire Pro Policy Briefing.