By the CyberWire staff
Zerologon exploited in the wild.
Microsoft warned on Wednesday that attackers are actively exploiting the Zerologon elevation-of-privilege vulnerability (CVE-2020-1472). "We have observed attacks where public exploits have been incorporated into attacker playbooks," the company said, adding, "We strongly recommend customers to immediately apply security updates for CVE-2020-1472." Several samples named after the public exploit SharpZeroLogon have been uploaded to VirusTotal over the past week. Threatpost says 0patch has issued a micropatch for Windows servers that no longer receive support, particularly Windows Server 2008 R2. Certain configurations of Samba are also affected by Zerologon, and the service released an advisory outlining mitigations.
Late last week the US Cybersecurity and Infrastructure Security Agency (CISA) directed all Federal agencies to apply August’s patch to Microsoft Windows Server. Emergency Directive 20-04 required that mitigations of Zerologon be applied by midnight this past Monday, and that all agencies report completion by midnight Wednesday. The directive applied to Federal agencies under CISA’s oversight (which is most of them, but with certain national security exclusions). As Forbes notes, if the matter is serious enough for CISA to take this action, then the private sector would be wise to do the same.
Tyler Technologies sustains ransomware attack.
Dallas News reports that Texas-based Tyler Technologies, a large US public sector software vendor, has confirmed that the cyberattack it reported earlier in the week indeed involved ransomware, as many observers had suspected. BleepingComputer cites sources close to the incident as saying the malware used was RansomExx, a relatively new strain based on the Defray777 ransomware.
Tyler Technologies stated, "At this time and based on the evidence available to us to-date, all indications are that the impact of this incident is limited to our internal network and phone systems. We currently have no reason to believe that any client data, client servers, or hosted systems were affected." KrebsOnSecurity notes, however, that the company is still in the early stages of investigating.
Pay 20% Less Than Your Current AV for Better Protection with Morphisec Guard
"Next gen" antivirus platforms have failed to protect organizations and have instead created more complexity and noise for IT teams to manage. The time is now to make a meaningful change. Get the special offer.
Facebook shuts down coordinated inauthenticity.
Facebook announced Tuesday that it had taken down a Chinese disinformation network that sought to engage public opinion in the US and (even more so) in the Philippines; they also took down a Philippine-based network that may have some connection to the government in Manila. On Thursday, Facebook said it had also shut down three networks based in Russia for "coordinated inauthentic behavior (CIB) on behalf of a foreign or government entity."
TechCrunch summarizes the first two examples of coordinated inauthenticity as involving "155 Facebook accounts, 11 pages, nine groups and seven Instagram accounts connected to the Chinese activity and 57 accounts, 31 Pages and 20 Instagram accounts for the activity in the Philippines." Graphika calls the Chinese campaign "Operation Naval Gazing" because it has to do with navies, and with supporting Beijing’s expansive territorial claims in the South China Sea. The campaign is noteworthy for its use of AI to generate photos for account profiles. Expect to see more of this in future inauthenticity. It’s also worth noting that, while the provenance of Operation Naval Gazing seems clearly to have been Chinese, the precise connection to the government in Beijing remains obscure.
Among the targets of the networks Facebook flagged as inauthentic was the media organization Rappler, which has been one of the current Philippine administration’s gadflies. Reuters reports that the Armed Forces of the Philippines (AFP) and the Philippine National Police (PNP) have both stated that they had nothing to do with any of the material Facebook removed.
The three Russian networks targeted a wide range of countries with fake personae that posted about news and current events. Facebook says these operations had two primary objectives: "1) creating fictitious or seemingly independent media entities and personas to engage unwitting individuals to amplify their content and 2) driving people to other websites that these operations control." WIRED quotes Facebook's Head of Security Policy Nathaniel Gleicher as saying, "The good news about this is that both of these techniques are difficult, they are slower, and they are less guaranteed to be successful than the techniques we saw them use in 2016."
The Russian networks didn't appear to have a primary focus on the upcoming US election, but Facebook notes that "they are linked to actors associated with election interference in the US in the past, including those involved in 'DC leaks' in 2016." Specifically, the company stated that its investigation connected the first operation to "the Russian military including military intelligence services." The second operation had "links to individuals associated with past activity by the Russian Internet Research Agency (IRA)." The third campaign was tied "to individuals in Russia, including those associated with Russian intelligence services."
All of these operations were relatively small and failed to attract large followings by the time they were shut down, according to Graphika. Observers including WIRED take that as an indication that Facebook is paying closer attention to the problem of coordinated inauthenticity.
For more, see the CyberWire Pro Disinformation Briefing.
Securing America's Voice: Cybersecurity and the 2020 Election. October 8th @ 9 AM EDT.
With America’s 2020 election approaching, many of us can’t help but question what security measures are in place to avoid cyber meddling of any kind.
Former FBI cybersecurity executive and CybelAngel CISO Todd Carroll and information security veteran Chris Coleman will lead this thought-provoking discussion, providing their thoughts on:
* Possible cyber threats that could impact the election
* Potential outside influences from other countries
* Steps that should be taken to ensure election integrity is not compromised
Cerberus attacks on the rise.
The release of Cerberus source code has, as predicted, been followed by an increase in attacks using the banking Trojan, Kaspersky reports. Apparently despairing of getting their reserve price in an online auction that didn’t work out to their satisfaction, and faced with the difficulty of maintaining the malware as the gang broke up, the managers of Cerberus last week released their source code online.
Kaspersky said, "The result has been an immediate rise in mobile application infections and attempts to steal money from consumers in Russia and across Europe, as more and more cybercriminals acquire the malware for free." Researchers are seeing the same sort of jump in functionality and usage they observed when Anubis went public last year.
US Federal agency hacked.
CISA says an unnamed US Federal agency was successfully hacked. The attacker used compromised credentials for Office 365 and domain administrator accounts to deploy "sophisticated malware—including multi-stage malware that evaded the affected agency’s anti-malware protection—and gained persistent access through two reverse Socket Secure (SOCKS) proxies that exploited weaknesses in the agency’s firewall." CISA doesn't know for sure how the attackers obtained the credentials, but the agency suspects the actor exploited CVE-2019-11510 in an unpatched Pulse Secure VPN. The attacker was interested in exfiltrating data, and it seems they were successful.
RedDelta continues targeting the Holy See.
Recorded Future's Insikt Group says the China-affiliated threat actor RedDelta has continued targeting the Vatican and the Catholic Diocese of Hong Kong, in spite of the security firm's July report exposing the group's operations. The group changed out some of its C2 infrastructure the day after Recorded Future's publication, indicating that it was aware of the report, but many of its servers remained live. The researchers say this "highlights the group’s willingness to continue to use publicly known infrastructure as long as access is maintained." They note that RedDelta probably doesn't feel the need to switch to new infrastructure, since many of the group's targets—primarily religious organizations and NGOs—lack the necessary security resources to identify the malicious activity.
For more, see the CyberWire Pro Research Briefing.
How'd you like to be the office cybersecurity hero?
With a CyberWire Pro Enterprise subscription, you can make that happen. You can help to keep your organization up to date with the latest news, analysis, and trends across the evolving cybersecurity landscape, save some money, and look like a hero at the same time. To learn more, visit our CyberWire Pro page and click on the Contact Us link in the Enterprise box.
TikTok deal grows clearer, but uncertainty persists.
US bans on transactions involving TikTok and WeChat scheduled for last Sunday didn't happen. The Commerce Department postponed the TikTok ban for a week "[i]n light of recent positive developments," and a US judge granted a temporary injunction stopping action against WeChat, CNBC reports.
Ars Technica summarizes TikTok's current situation. As it stands now, ByteDance will spin off TikTok's operations in the US and most other countries to form a new company, TikTok Global, which will be based in the US. Oracle will hold a 12.5% stake in TikTok Global, Walmart will own 7.5%, and ByteDance will hold 80%. Since approximately 40% of ByteDance is owned by US investors, proponents of the transaction argue that about 53% of TikTok Global will technically be controlled by US investors. TikTok Global will also aim for an IPO by the end of 2021.
However, there seems to be disagreement about who will actually own the new company. Oracle's Executive Vice President Ken Glueck stated Monday, "Upon creation of TikTok Global, Oracle/Walmart will make their investment and the TikTok Global shares will be distributed to their owners, Americans will be the majority, and ByteDance will have no ownership in TikTok Global." ByteDance, however, says TikTok Global will be a wholly-owned subsidiary in which Oracle and Walmart hold minority stakes.
Regardless of who owns TikTok Global, Axios believes the end result of the deal will grant the US extensive security oversight of the company. Oracle will be able to review the source code of the US version of TikTok as well as all updates, although ByteDance currently doesn't plan on giving Oracle its "algorithms and technologies." TikTok in the US will also have its own board, subject to approval by the US government, and this board will include "an independent data security expert with national security credentials." This board will apparently be separate from TikTok Global's board; Axios explains that "TikTok Global will own TikTok's operations around the world, including the U.S. operation, which will have the extra security measures and its own governance."
The Wall Street Journal reports that ByteDance has applied to obtain an export license from commerce authorities in Beijing and is awaiting their decision. NBC quotes China's Global Times as saying the "unfair" deal is unlikely to receive approval.
For more business news, including executive moves, see the CyberWire Pro Business Briefing.
Students and members of the military, don't be left out of CyberWire Pro! We've got you!
Due to your student or military status (active or reserve military status), you are able to subscribe to CyberWire Pro or CyberWire Pro+ at a significant discount. That means you can unlock access to our focus briefings, exclusive podcasts, quarterly analyst calls, premium articles and much more. To learn more, visit here and click on the Contact Us button in the Academic or Government & Military box.
Ransomware numbers for Q2 2020.
Emsisoft has published a report on ransomware activity during the second quarter of 2020. Ransomware operators continued to incorporate data exfiltration into their attacks, and the chances of a ransomware incident involving data theft are now higher than one in ten. The researchers also note that while some ransomware operators have stated that they don't target hospitals, at least twelve healthcare providers in the US fell victim to ransomware in Q2. India was the country with the most submissions to ID Ransomware in Q2, and the US jumped from number four to number two on the list.
Crime and punishment.
The Aachener Zeitung reports that investigators have identified DoppelPaymer as the ransomware implicated in a woman's death in Nordrhein-Westfalen. The victim died when University Hospital Düsseldorf had to divert her ambulance to another facility because its own admission systems had been rendered unavailable. Newsweek observes that DoppelPaymer, a fork of Evil Corp's BitPaymer ransomware, is associated with the Russian cyber underworld, and German prosecutors are accordingly looking east. Their investigation is focused on negligent homicide, and, as the Aachener Zeitung points out, to make that case the prosecutors will have to establish that the woman had a chance of survival had she been treated in Düsseldorf. That’s not yet known.
The DoppelPaymer infestation is said to have affected thirty servers at the hospital, and to have gained entrance months ago, possibly in late 2019, by exploiting a now-patched Citrix VPN vulnerability. The New York Times says Düsseldorf police responded to the gang’s ransom note to explain that they'd hit a hospital. At that point the attackers stopped the attack and turned over a decryption key, and then stopped responding.
The US Justice Department on Tuesday announced the success of Operation DisrupTor, an international dragnet that's collared one-hundred-seventy Darknet contraband merchants who’d been hawking their wares in such disreputable souks as AlphaBay, Dream, WallStreet, Nightmare, Empire, White House, DeepSea, and Dark Market. One-hundred-nineteen arrests were made in the United States, with two more made in Canada on American warrants. Forty-two people were arrested in Germany, eight in the Netherlands, four in the United Kingdom, three in Austria, and one in Sweden. The lead law enforcement agencies were the US Federal Bureau of Investigation and Europol, but it was a big multinational operation. The individual agencies are too numerous to mention, but they included organizations in Austria, Cyprus, Germany, Canada, Portugal, the Netherlands, Sweden, the United Kingdom, and Australia.
The US Treasury Department on Wednesday issued sanctions against entities and individuals working for Yevgeniy Prigozhin, the Russian businessman behind the Internet Research Agency. The sanctions target two mining companies and affiliated individuals "working on behalf of Prigozhin to advance Russia’s influence in the Central African Republic," (CAR) as well as two companies (one in Russia, one in Finland) accused of assisting Russia's FSB or participating in sanctions evasion. Treasury stated that it's "exposing Prigozhin's exploitation of African countries’ natural resources and highlighting the role of the Russian government in coordinating Prigozhin's operations. Prigozhin has ties to mining, security, and logistics companies in CAR, and his operations in CAR are reported to be coordinated with the Russian Federation’s Ministry of Foreign Affairs and the Ministry of Defense."
A 39-year-old UK citizen, Nathan Francis Wyatt, was sentenced to five years in prison and ordered to pay just under $1.5 million in restitution after pleading guilty in a US Federal court to conspiring to commit aggravated identity theft and computer fraud. According to Sky News, Mr. Wyatt was a "key member" of The Dark Overlord hacking group, which is known for hacking dozens of companies and organizations, including healthcare providers, and then selling or publishing stolen data. Mr. Wyatt apologized in court and said, "I don't want to see another computer for the rest of my life."
Egor Igorevich Kriuchkov, a Russian citizen accused of offering a Tesla employee $1 million to plant malware on Tesla's networks, has pleaded not guilty in the US District Court of Nevada, Teslarati reports. His trial is scheduled for December 1st.
Courts and torts.
Bank Info Security says at least ten potential class-action lawsuits have been filed against Blackbaud thus far, variously alleging invasion of privacy, negligence, breach of contract, and transgressions of state law. The legal exposure isn't confined to American institutions, either: the vendor's business extended to much of the English-speaking world. BirminghamLive reports that, in the UK, the University of Birmingham finds itself among an unspecified number of institutions against whom solicitors from Simpson Millar are preparing possible lawsuits. The extent of Blackbaud customers’ liability remains an open question. It's third-party exposure, but when people sue, they try not to leave anyone out.
Policies, procurements, and agency equities.
Sources tell the Washington Post that a CIA assessment completed at the end of August concluded that high-level Russian leaders, including President Putin, were directly involved in attempts to influence the US Presidential election. The Post reports that President Putin, while interested in disruption and fissure generally, is seeking to "denigrate" former Vice-President Biden. This is consistent with either a desire to see President Trump re-elected (and with an outraged opposition) or a desire to see former Vice-President Biden take office (in a severely weakened political condition).
Reuters reports that President Putin on Friday said the US and Russia should agree not to meddle in one another’s elections, calling for a comprehensive treaty that would amount to a cyber non-aggression pact.
For more, see the CyberWire Pro Policy Briefing.