FBI warns of global DDoS extortion campaign.
New Zealand’s NZX stock exchange has continued to sustain distributed denial-of-service (DDoS) attacks, Reuters reports, but has resumed trading after agreeing with the Financial Markets Authority on an alternative way of releasing market announcements. According to Reseller News, NZX has brought in Akamai to help mitigate the effects of further DDoS attacks. NZX's Chief Executive Mark Peterson is quoted by Reuters as saying, "NZX has been advised by independent cyber specialists that the attacks last week are among the largest, most well-resourced and sophisticated they have ever seen in New Zealand."
ZDNet says the attack against NZX is connected to a wave of extortionist DDoS attacks being tracked by Akamai and Radware. These attacks are targeting the finance, travel, and e-commerce sectors. The cybercriminals send ransom notes purporting to be from well-known APTs such as Fancy Bear, Cozy Bear, and the Lazarus Group, although the criminals don't appear to have any actual connection to a nation-state operator. The ransom demands vary, but Radware says most start at ten bitcoin (approximately $113,000) and then increase by an additional ten bitcoin for each missed deadline. Radware's advisory states, "In many cases the ransom threat is followed by cyberattacks ranging from 50Gbps to 200Gbps. The attack vectors include UDP and UDP-Frag floods, some leveraging WS-Discovery amplification, combined with TCP SYN, TCP out-of-state, and ICMP Floods."
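The vectors Radware lists each leave a distinct signature in flow telemetry, which is what an operations team would look for when a ransom note arrives. The following is an added example, not code from Radware, Akamai or NZX: it runs over a handful of constructed NetFlow-style records and flags WS-Discovery amplification (UDP from source port 3702 with oversized replies), bare-SYN floods, out-of-state TCP (ACK/RST/FIN with no preceding SYN from that source), and generic UDP and ICMP floods. The record format, the thresholds and the sample addresses are all assumptions chosen for the demonstration.

```python
"""Flag the DDoS vectors named in the Radware advisory (UDP floods,
WS-Discovery amplification, TCP SYN and TCP out-of-state floods, ICMP)
in NetFlow-style records. Added example: the record format, thresholds
and sample flows are assumptions, not Radware's or Akamai's detection logic."""
from collections import defaultdict

WSD_PORT = 3702               # WS-Discovery (SOAP-over-UDP); amplified replies come from this port
AMP_MIN_BYTES_PER_PKT = 1000  # assumption: genuine WSD probes/replies are far smaller than this
MIN_SOURCES = 3               # assumption: distinct senders before a pattern counts as a flood
MIN_PACKETS = 100             # assumption: total packets before a pattern counts as a flood

VECTOR_NAMES = {
    "wsd": "WS-Discovery amplification",
    "udp": "UDP flood",
    "syn": "TCP SYN flood",
    "oos": "TCP out-of-state flood",
    "icmp": "ICMP flood",
}

# Constructed sample records (not a real capture). Columns:
# ts,src_ip,dst_ip,proto,src_port,dst_port,packets,bytes,tcp_flags
SAMPLE_FLOWS = """\
1,203.0.113.10,198.51.100.5,udp,3702,41000,40,52000,
1,203.0.113.11,198.51.100.5,udp,3702,41001,40,52000,
1,203.0.113.12,198.51.100.5,udp,3702,41002,40,52000,
2,203.0.113.13,198.51.100.5,udp,3702,41003,40,52000,
2,198.18.0.1,198.51.100.5,tcp,50000,443,500,20000,S
2,198.18.0.2,198.51.100.5,tcp,50001,443,500,20000,S
3,198.18.0.3,198.51.100.5,tcp,50002,443,500,20000,S
3,198.18.0.4,198.51.100.5,tcp,50003,443,60,2400,A
3,198.18.0.5,198.51.100.5,tcp,50004,443,60,2400,A
4,198.18.0.6,198.51.100.5,tcp,50005,443,60,2400,R
4,192.0.2.7,198.51.100.5,tcp,51000,443,1,60,S
4,192.0.2.7,198.51.100.5,tcp,51000,443,10,6000,A
5,192.0.2.53,198.51.100.5,udp,53,40000,1,120,
5,198.18.0.9,198.51.100.5,icmp,0,0,20,1680,
"""


def parse_flows(text):
    """Parse the comma-separated records above into dicts."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, sport, dport, pkts, nbytes, flags = line.split(",")
        flows.append({"ts": int(ts), "src": src, "dst": dst, "proto": proto,
                      "sport": int(sport), "dport": int(dport), "pkts": int(pkts),
                      "bytes": int(nbytes), "flags": flags})
    return flows


def analyze(flows, min_sources=MIN_SOURCES, min_packets=MIN_PACKETS):
    """Return {dst_ip: [finding, ...]} for destinations showing flood patterns."""
    # per destination, per vector: {src_ip: packets}
    per_dst = defaultdict(lambda: {k: defaultdict(int) for k in VECTOR_NAMES})
    handshakes = set()  # (src, dst) pairs whose first packet was a bare SYN
    for f in sorted(flows, key=lambda x: x["ts"]):
        vectors = per_dst[f["dst"]]
        key = (f["src"], f["dst"])
        if f["proto"] == "udp":
            per_pkt = f["bytes"] / max(f["pkts"], 1)
            amplified = f["sport"] == WSD_PORT and per_pkt >= AMP_MIN_BYTES_PER_PKT
            vectors["wsd" if amplified else "udp"][f["src"]] += f["pkts"]
        elif f["proto"] == "tcp":
            flags = set(f["flags"])
            if flags == {"S"}:
                handshakes.add(key)
                vectors["syn"][f["src"]] += f["pkts"]
            elif flags & {"A", "R", "F"} and key not in handshakes:
                # ACK/RST/FIN with no preceding SYN from this source: out-of-state
                vectors["oos"][f["src"]] += f["pkts"]
        elif f["proto"] == "icmp":
            vectors["icmp"][f["src"]] += f["pkts"]

    findings = {}
    for dst, vectors in per_dst.items():
        for vec, per_src in vectors.items():
            total = sum(per_src.values())
            if len(per_src) >= min_sources and total >= min_packets:
                findings.setdefault(dst, []).append(
                    {"vector": VECTOR_NAMES[vec], "sources": len(per_src), "packets": total})
    return findings


if __name__ == "__main__":
    for dst, hits in analyze(parse_flows(SAMPLE_FLOWS)).items():
        for h in hits:
            print(f"{dst}: {h['vector']} from {h['sources']} sources, {h['packets']} packets")
```

The single legitimate client (192.0.2.7) and the lone DNS reply fall below the source and packet thresholds, so only the three attack patterns in the sample are reported. The out-of-state check depends on seeing the SYN first, so in production it should be run over a window that starts before the suspected attack, and the thresholds should be tuned against the target's normal baseline.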
ZDNet also reports a wave of DDoS attacks this week targeting the DNS infrastructure of numerous European Internet service providers. It's not clear if these attacks are connected to the extortionist campaign, but the publication observes that "the DDoS attacks against financial services subsided right as the attacks against European ISPs got underway." Radware also took note of these attacks in its advisory, but likewise concluded that there's currently no evidence of a link between the two campaigns.
The FBI issued a flash alert concerning the DDoS extortion campaign to US companies last week, saying that thousands of organizations around the world have received ransom notes threatening imminent attacks, according to BleepingComputer. The Bureau advises companies not to pay the ransom, in order to avoid encouraging and funding future attacks. Akamai and Radware echo this advice, with Radware pointing out that paying the ransom also marks the victim organization "as one that is willing to pay under threat."
Chinese threat actor resumes targeting Tibetans.
Proofpoint says the Chinese state-sponsored group TA413 has resumed deploying its custom malware family, "Sepulcher," against the Tibetan diaspora. The threat actor had been targeting European governments, nonprofits, and economic organizations with COVID-19-themed lures earlier this year. The researchers write, "While best known for their campaigns against the Tibetan diaspora, this APT group associated with the Chinese state interest prioritized intelligence collection around Western economies reeling from COVID-19 in March 2020 before resuming more conventional targeting later this year."
Iran-aligned cyberespionage group sells network access on the side.
CrowdStrike has published a report on a threat actor dubbed "Pioneer Kitten" that seems to be a contractor working for the Iranian government. The group "appears to be primarily focused on gaining and maintaining access to entities possessing sensitive information of likely intelligence interest to the Iranian government." Pioneer Kitten is described as "highly opportunistic," and targets entities in the technology, government, defense, and healthcare verticals.
Interestingly, CrowdStrike spotted the actor selling access to compromised networks on a criminal forum, in an apparent attempt at "revenue stream diversification." The researchers don't believe this activity is approved by the Iranian government, because the compromised networks "would be of significant intelligence value to the Iranian government," and "the commercial sale of such access would have significant negative impacts on potential intelligence collection operations."
New South Wales driver's licenses found exposed online.
Researcher Bob Diachenko tweeted that he'd found an exposed folder containing more than fifty thousand scans of driver's licenses issued by the Australian state of New South Wales. The folder was discovered in a misconfigured AWS S3 bucket, which has since been secured. Also exposed were toll notice statutory declarations from NSW Roads and Maritime Services. Who owned the bucket and collected the data is unclear. Transport for New South Wales told CarAdvice that the data didn't belong to it, nor to any other government agency. An investigation is in progress. Troy Hunt noted to CarAdvice that while many companies request driver's licenses for identification, "the presence of toll notices [in the leak] is probably a bit of a clue and suggests it's more likely that it's a toll operator, or a fleet operator."
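Exposures of this kind almost always come down to one of two settings: a bucket policy that grants an action to a wildcard principal, or an ACL grant to the AllUsers or AuthenticatedUsers group, with no Public Access Block to override it. The following is an added example, not code from the NSW investigation or from AWS: it evaluates those three documents offline, using constructed sample policies and grants, and returns the reasons a bucket is reachable anonymously. The bucket name, the role ARN and the sample configurations are assumptions for the demonstration.

```python
"""Offline check for the kind of S3 exposure described above: a bucket whose
policy or ACL grants anonymous or any-AWS-account read access. Added example,
not from the NSW investigation; all documents below are constructed samples.
Feed it the output of get_bucket_policy, get_bucket_acl and
get_public_access_block (boto3) for a real bucket."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_exposure(policy, acl_grants, public_access_block):
    """Return human-readable findings; an empty list means no public grant is live."""
    pab = public_access_block or {}
    findings = []

    # 1. Bucket policy. An Allow statement with a wildcard principal opens the
    #    listed actions to everyone. RestrictPublicBuckets neutralises such a
    #    policy even if it already exists (BlockPublicPolicy only stops new ones
    #    being attached, so it does not count here). A Condition may narrow the
    #    grant (e.g. aws:SourceIp), so it is reported for human review, not skipped.
    if policy and not pab.get("RestrictPublicBuckets"):
        for stmt in _as_list(policy.get("Statement")):
            if stmt.get("Effect") == "Allow" and _wildcard_principal(stmt.get("Principal")):
                actions = ",".join(_as_list(stmt.get("Action")))
                note = " (has Condition, review it)" if stmt.get("Condition") else ""
                findings.append(f"policy grants {actions} to everyone{note}")

    # 2. ACL grants to the predefined public groups. IgnorePublicAcls makes
    #    existing public grants inert (BlockPublicAcls only rejects new ones).
    if not pab.get("IgnorePublicAcls"):
        for grant in acl_grants or []:
            uri = grant.get("Grantee", {}).get("URI")
            if uri in (ALL_USERS, AUTH_USERS):
                who = "anyone" if uri == ALL_USERS else "any AWS account"
                findings.append(f"ACL grants {grant.get('Permission')} to {who}")
    return findings


# Constructed samples; bucket name and role ARN are placeholders.
BUCKET_ARN = "arn:aws:s3:::example-licence-scans"

EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    }],
}
EXPOSED_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]

# The corrected form: a named principal and the owner as the only ACL grantee.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ProcessorRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/upload-processor"},
        "Action": "s3:GetObject",
        "Resource": BUCKET_ARN + "/*",
    }],
}
OWNER_ONLY_ACL = EXPOSED_ACL[:1]
LOCKED_DOWN_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                   "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for reason in public_exposure(EXPOSED_POLICY, EXPOSED_ACL, None):
        print("EXPOSED:", reason)
    print("hardened:", public_exposure(HARDENED_POLICY, OWNER_ONLY_ACL, LOCKED_DOWN_PAB))
```

Note that the check covers bucket-level settings only; object ACLs can still grant public read on individual keys unless IgnorePublicAcls is set, which is the reason to turn on all four Public Access Block flags at the account level rather than relying on per-bucket policy hygiene.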
For more, see the CyberWire Pro Privacy Briefing.
ISIS propaganda trove discovered.
Researchers at the Institute of Strategic Dialogue (ISD) last October discovered a massive trove of ISIS propaganda and training materials hosted across a decentralized network, WIRED reports. The cache is a simple storage drive containing 4,000 folders with more than one-and-a-half terabytes of content, and it receives approximately 10,000 unique visitors per month. While much of the material could probably be found elsewhere on the Internet, Mina al-Lami from BBC Monitoring told WIRED that "this cache stands out in terms of the size, the amount of the data stored on it, the range of the material and the fact that it's simply been resilient online."
The storage drive is set up using the open-source software Nextcloud, which WIRED says allows "users to synchronise files across a group in a way that avoids any centralised hosting or control." Mina al-Lami told the BBC, "The attraction for jihadists of these platforms is that the developers of these decentralised platforms have no way of acting against content that is stored on user-operated servers or content that's shared across a dispersed network of users."
Warner Music sites compromised in suspected Magecart attacks.
Warner Music Group disclosed that several of its US-based e-commerce sites hosted by an external service provider were compromised between April and August of 2020, ZDNet reports. The company stated, "Any personal information you entered into one or more of the affected website(s) between April 25, 2020 and August 5, 2020 after placing an item in your shopping cart was potentially acquired by the unauthorized third party. This could have included your name, email address, telephone number, billing address, shipping address, and payment card details (card number, CVC/CVV and expiration date). Payments made through PayPal were not affected by this incident."
Warner Music didn't name which stores were compromised and a spokesperson told BleepingComputer that the company "isn’t commenting further than the statement." The company said it's "in the process of notifying potentially affected customers," and it's offering twelve months of free credit monitoring to victims.
Facebook's August takedowns.
The social network identified three networks of coordinated inauthentic accounts.
- "Russia: We removed a small network of 13 Facebook accounts and two Pages linked to individuals associated with past activity by the Russian Internet Research Agency (IRA). This activity focused primarily on the US, UK, Algeria and Egypt, in addition to other English-speaking countries and countries in the Middle East and North Africa. We began this investigation based on information about this network’s off-platform activity from the FBI. Our internal investigation revealed the full scope of this network on Facebook."
- "US: We removed 55 Facebook accounts, 42 Pages and 36 Instagram accounts linked to US-based strategic communications firm CLS Strategies. This network focused primarily on Venezuela and also on Mexico and Bolivia. We found this activity as part of our proactive investigation into suspected coordinated inauthentic behavior in the region."
- "Pakistan: We removed 453 Facebook accounts, 103 Pages, 78 Groups and 107 Instagram accounts operated from Pakistan and focused on Pakistan and India. We found this network as part of our internal investigation into suspected coordinated inauthentic behavior in the region."
The Russian activity was marked by plenty of QAnon and COVID-19 chatter. Graphika says much of this network’s activity involved redirection to Peace Data, which represents itself as a progressive, independent news service (and which has denounced reports that it's a destination for troll farmers as "slander" pushed by "corporate media"). Graphika's report on this round of IRA influence operations observes that the campaign is smaller, more carefully targeted, and quieter than the large-scale efforts deployed in earlier elections.
BuzzFeed reports that CLS Strategies didn’t respond directly to a question about coordinated inauthenticity, beyond briefly stating its corporate mission. The lines the accounts took were pro-opposition in Venezuela, pro-regime in Bolivia, and anti-MORENA in Mexico (MORENA is a leftist political party). Facebook did note that CLS as a whole wasn’t banned, since much of the firm’s activity was legitimate. There's been no word on whose behalf the CLS campaigns may have been mounted.
The Stanford Internet Observatory characterizes the goal of the Pakistani operation as countering criticism of either Islam or Pakistan’s government.
For more, see the CyberWire Pro Disinformation Briefing.
Apple accidentally approves Shlayer malware as legitimate app.
A Shlayer malware sample used in an adware campaign was inadvertently notarized by Apple, TechCrunch reports. College student Peter Dantini found the adware campaign hosted on a malicious website spoofing the legitimate site of Homebrew, a popular macOS package management system. Patrick Wardle of Objective-See says the malicious site would prompt the user to install a Flash update, which would deliver the well-known Shlayer malware. Shlayer would then decode and execute adware on the infected system. While adware is a common threat facing Macs, in this case the Shlayer sample had passed Apple's inspection process and was allowed to run on the latest versions of macOS.
Apple promptly revoked the notarization certificates after the matter was brought to their attention. Two days later, however, on August 30th, Wardle said the site was serving new malicious payloads that were also notarized. Apple has since blocked these payloads as well.
It's not clear what happened on Apple's side that allowed the malware to be notarized. Thomas Reed at Malwarebytes took a look at the Shlayer sample used in the campaign and found that it had only minor differences from older versions of Shlayer.
"This leaves us facing two distinct possibilities, neither of which is particularly appealing," Reed writes. "Either Apple was able to detect Shlayer as part of the notarization process, but breaking that detection was trivial, or Apple had nothing in the notarization process to detect Shlayer, which has been around for a couple years at this point."
Reed concludes that the incident reinforces that "you must be just as careful with what you do with your Apple devices as you would be with your Windows or Android devices."
For more, see the CyberWire Pro Research Briefing.
Oracle, Microsoft, and Walmart pursue TikTok acquisition.
Oracle is now seen as a serious contender to acquire TikTok. The Wrap reports that Oracle offered a total of $20 billion ($10 billion in cash and $10 billion in stock) for the app. Business Insider and Seeking Alpha explain what Oracle stands to gain from the deal. The social media app could help improve Oracle's marketing and advertising products by giving the company access to the type of behavioral data used by other tech giants like Google, Amazon, and Facebook. Additionally, Seeking Alpha says Oracle "has to compete aggressively to get bookings for its idle compute and storage resources," while Business Insider notes that paying for cloud services is one of TikTok's largest expenses.
Meanwhile, Walmart has teamed up with Microsoft to make a joint bid to acquire TikTok's operations in the US, Canada, Australia, and New Zealand. The Wall Street Journal reports that this bid is considered the front-runner for the acquisition. The Wrap says Walmart is "interested in the e-commerce aspect of the social app."
But some recent developments in China may have placed an obstacle in the path of anyone's bid to acquire any piece of TikTok. The Wall Street Journal reports that Beijing has enacted restrictions on the export of artificial intelligence technology, including "text analysis, content recommendation, speech modeling, and voice-recognition." It appears that the controls may have been designed with TikTok's algorithms in mind. If those algorithms do indeed fall within the scope of the restrictions, it's difficult to see how any suitor would be attracted to what remains.
More business news can be found in the CyberWire Pro Business Briefing.
Crime and punishment.
A 16-year-old high school student arrested in Miami on Thursday has admitted to launching at least eight DDoS attacks against the online learning platform used by Miami-Dade public schools, EdScoop reports. The attacks prevented up to 170,000 teachers and students from logging in. The high school junior has been charged with "felony computer use in an attempt to defraud and misdemeanor interference with an educational institution."
A 53-year-old British citizen, Habeeb Audu, has been extradited to the US for his alleged involvement in business email compromise and fraud schemes, the Register reports. The man, who lived in London, has been charged in the US District Court of the Southern District of New York with bank and wire fraud, money laundering, conspiracy, and aggravated identity theft. Mr. Audu and his co-conspirators allegedly used stolen personal information, spoofed phone numbers, and voice-altering software to impersonate individual customers of banks, enabling them to gain access to personal checking accounts. They're also accused of launching business email compromise attacks, including one in which an Ohio-based restaurant chain was defrauded of nearly $2 million.
Courts and torts.
Massachusetts-based e-voting company Voatz filed an amicus brief in the CFAA-related US Supreme Court case Van Buren v. United States arguing that security researchers should be required to obtain permission before probing for vulnerabilities, CNET reports. The company asserts that independent, unauthorized research can lead to inaccurate findings or irresponsible disclosures, and creates a burden on the targeted organizations: "Because it is impossible for an organization to know in real-time the identity or motives of those attempting to exceed authorized access to their systems, they must treat every student 'researcher' the same as they would a Russian hacker." Instead, Voatz believes the same purpose can be better accomplished through bug bounty programs and private consultancies.
Voatz's stance was not well-received by many in the security industry. HackerOne CEO Mårten Mickos tweeted, "For anyone reading the amicus brief by Voatz: HackerOne was not consulted and we vehemently disagree with their argument. We support the opposing arguments made by the Electronic Frontier Foundation."
Reuters reports that the US Court of Appeals for the Ninth Circuit ruled on Wednesday that the National Security Agency's warrantless bulk collection of US citizens' telephone records (call metadata), the practice exposed by Edward Snowden's 2013 leaks, was in fact illegal. The Court held that the collection violated the Foreign Intelligence Surveillance Act and may have violated the Fourth Amendment to the US Constitution.
The US Justice Department intends to bring an antitrust case against Google as early as this month, according to the New York Times.
Policies, procurements, and agency equities.
India's IT Ministry banned 118 more apps deemed to have ties to China, TechCrunch reports.
For more, see the CyberWire Pro Policy Briefing.