SonarQube misconfigurations lead to source code leaks.
The US FBI last week made public an alert issued on a restricted basis back in October. The alert warned that “unknown actors” had exploited insecurely configured instances of the SonarQube code review tool to steal source code from companies and Government agencies:
"Beginning in April 2020, the FBI observed source code leaks associated with insecure SonarQube instances from US government agencies and private US companies in the technology, finance, retail, food, eCommerce, and manufacturing sectors. SonarQube is an open-source automatic code review tool that detects bugs and security vulnerabilities in source code.
"In August 2020, unknown threat actors leaked internal data from two organizations through a public lifecycle repository tool. The stolen data was sourced from SonarQube instances that used default port settings and admin credentials running on the affected organizations’ networks. This activity is similar to a previous data leak in July 2020, in which an identified cyber actor exfiltrated proprietary source code from enterprises through poorly secured SonarQube instances and published the exfiltrated source code on a self-hosted public repository."
ZDNet summarizes the research into, and remediation of, the issue. While the industry has been rife with warnings about exposed MongoDB and Elasticsearch databases, the comparable problem of an exposed SonarQube server was often overlooked. The consequences are significant for the software supply chain: SonarQube ingests and stores the source it analyzes so that findings can be browsed in context, which means anyone who can log in to an unsecured instance can read the code of every project it has scanned. That is exactly what the leaks described in the FBI alert amounted to.
The typical problem is that organizations running SonarQube have left the defaults in place: the web interface listening on port 9000, reachable from the internet, with the built-in admin account still using its shipped password. Those default credentials are "admin/admin," and they ought to be a red flag for anyone. The fix is unglamorous: change the admin password, stop exposing port 9000 to the internet, and require authentication for all access (the sonar.forceAuthentication setting) so that anonymous visitors can't browse projects either.
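A practical way to check your own instances for both of the defaults described above: the following Python script, added here as an illustration and not part of the CyberWire or SonarSource material, probes a server for the shipped admin/admin credentials and for anonymous project listing. It uses three SonarQube web API endpoints (api/system/status, api/authentication/validate, api/components/search). The mock server it talks to is a constructed stand-in for a misconfigured instance, not real SonarQube, and the project names it returns are invented.

```python
"""Probe a SonarQube instance for the two misconfigurations behind the
FBI alert: default admin/admin credentials and anonymous read access.
Hypothetical example code, not from the page or from SonarSource."""
import base64
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlparse

DEFAULT_CREDS = ("admin", "admin")  # the account SonarQube ships with


def _get_json(url, creds=None, timeout=5):
    """GET url (optionally with HTTP Basic auth); return (status, json|None)."""
    req = urllib.request.Request(url)
    if creds:
        token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as exc:
        return exc.code, None
    except OSError:  # connection refused, DNS failure, timeout
        return None, None


def check_sonarqube(base_url="http://127.0.0.1:9000"):
    """Return findings for one instance (default: the stock port 9000)."""
    base = base_url.rstrip("/")
    findings = {"reachable": False, "version": None,
                "default_creds_work": False, "anonymous_project_listing": []}
    status, body = _get_json(f"{base}/api/system/status")
    if status != 200 or not body:
        return findings
    findings["reachable"] = True
    findings["version"] = body.get("version")
    # 1. Do the shipped admin/admin credentials still validate?
    status, body = _get_json(f"{base}/api/authentication/validate", DEFAULT_CREDS)
    findings["default_creds_work"] = status == 200 and bool(body and body.get("valid"))
    # 2. Can an unauthenticated client enumerate projects (no forced auth)?
    status, body = _get_json(f"{base}/api/components/search?qualifiers=TRK")
    if status == 200 and body:
        findings["anonymous_project_listing"] = [
            c["key"] for c in body.get("components", [])]
    return findings


class _MisconfiguredSonar(BaseHTTPRequestHandler):
    """Constructed stand-in for an exposed instance: admin/admin accepted,
    anonymous project listing enabled. Not real SonarQube code."""
    ADMIN = "Basic " + base64.b64encode(b"admin:admin").decode()

    def _reply(self, code, payload):
        data = json.dumps(payload).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        path = urlparse(self.path).path
        if path == "/api/system/status":
            self._reply(200, {"id": "demo", "version": "8.4.0", "status": "UP"})
        elif path == "/api/authentication/validate":
            self._reply(200, {"valid": self.headers.get("Authorization") == self.ADMIN})
        elif path == "/api/components/search":  # invented project keys
            self._reply(200, {"components": [{"key": "payments-service"},
                                             {"key": "internal-portal"}]})
        else:
            self._reply(404, {"errors": [{"msg": "not found"}]})

    def log_message(self, *_):  # keep the demo quiet
        pass


def start_mock_sonarqube():
    """Serve the constructed instance on an ephemeral localhost port."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _MisconfiguredSonar)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


if __name__ == "__main__":
    server, url = start_mock_sonarqube()
    print(check_sonarqube(url))
    server.shutdown()
```

Point check_sonarqube at a real host (http://host:9000) to audit it; a non-empty anonymous_project_listing means anyone on the network can already read those projects, and default_creds_work means they can administer the server as well. The check is read-only apart from one login attempt, so it is safe to run against your own estate, and it fails closed (reachable is False) when the host does not answer.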
ICS-focused threat activity in the manufacturing sector.
Dragos sees an increase in cyber threat activity targeting the manufacturing sector, although the security firm hasn't seen this sector subjected to the types of sophisticated, destructive attacks that have targeted the energy sector. The researchers conclude that ransomware with ICS-focused capabilities represents the largest threat to the manufacturing sector (and they note that the use of ransomware isn't always restricted to criminal actors).
At least five threat actors associated with nation-states have exhibited interest in this vertical. These groups are CHRYSENE (APT34 or Helix Kitten), MAGNALLIUM (APT33 or Elfin), PARISITE (Fox Kitten or Pioneer Kitten), WASSONITE (linked to the Lazarus Group), and XENOTIME (best known for launching the TRISIS attack against a Saudi oil and gas facility). Dragos, as a company policy, doesn't offer attribution, but others have associated CHRYSENE, MAGNALLIUM, and PARISITE with Iran, WASSONITE with North Korea, and XENOTIME with Russia.
CISA's view of the US election.
The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued the following statement about the recent US elections:
"The November 3rd election was the most secure in American history. Right now, across the country, election officials are reviewing and double checking the entire election process prior to finalizing the result.
"When states have close elections, many will recount ballots. All of the states with close results in the 2020 presidential race have paper records of each vote, allowing the ability to go back and count each ballot if necessary. This is an added benefit for security and resilience. This process allows for the identification and correction of any mistakes or errors. There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.
"Other security measures like pre-election testing, state certification of voting equipment, and the U.S. Election Assistance Commission’s (EAC) certification of voting equipment help to build additional confidence in the voting systems used in 2020.
"While we know there are many unfounded claims and opportunities for misinformation about the process of our elections, we can assure you we have the utmost confidence in the security and integrity of our elections, and you should too. When you have questions, turn to elections officials as trusted voices as they administer elections."
Thus CISA’s conclusion is that voting systems themselves were uncompromised, and that recounts are proceeding as they would in any close election.
CostaRicto hacks for hire.
Researchers at BlackBerry have been tracking a hack-for-hire group dubbed "CostaRicto," which uses previously unobserved custom malware to launch sophisticated cyberespionage attacks against a wide range of targets, many of which are in the financial sector. BlackBerry says CostaRicto's "targets are scattered across different countries in Europe, Americas, Asia, Australia and Africa, but the biggest concentration appears to be in South Asia (especially India, Bangladesh and Singapore), suggesting that the threat actor could be based in that region, but working on a wide range of commissions from diverse clients." CostaRicto gains access to victims' networks using stolen credentials, then installs its custom remote access Trojan, dubbed "SombRAT."
Interestingly, one of the threat actor's domains was mapped to an IP address previously used in a campaign attributed to APT28 (Fancy Bear, a unit of Russia's GRU). The researchers believe the overlap is either coincidental or a sign that APT28 outsourced some work to this mercenary group. (They deem it "highly unlikely" that the group is directly connected to APT28.)
RagnarLocker uses Facebook ads to pressure a victim.
KrebsOnSecurity says the RagnarLocker ransomware gang used Facebook ads to display threats to disseminate data stolen from Italian beverage vendor Campari Group. The attackers bought the ads via a hacked Facebook account belonging to a DJ in Chicago, who told Krebs the ads had reached around 7,000 users and received 770 clicks. Facebook has removed the ads and is investigating the incident.
Campari was attacked by RagnarLocker on November 1st, and the attackers claim to have stolen two terabytes worth of data. They're demanding $15 million to refrain from publishing the data.
For more, see the CyberWire Pro Privacy Briefing.
GCHQ takes action against Russian vaccine disinformation.
The Times reports that Britain’s GCHQ has gone on the offensive against state-sponsored anti-vaccine propaganda, using techniques proved against Islamic State. According to Reuters, GCHQ is "taking down hostile state-linked content and disrupting the communications of the cyber actors responsible." The campaign against which GCHQ’s efforts are directed is Russian, Engineering and Technology reports. The Week suggests the motive for the disinformation is at least partly commercial, since Russia is interested in seeing widespread adoption of two vaccines developed in that country. The disinformation is directed against a COVID-19 vaccine developed in the UK by AstraZeneca and Oxford University: Moscow's tabloidesque spiel is that the vaccine will turn people into apes, since it uses a weakened version of a virus that infects chimpanzees.
For more, see the CyberWire Pro Disinformation Briefing.
Defray/RansomExx gets a Linux port.
Palo Alto Networks' Unit 42 describes a lesser-known threat group tracked as PyXie or GOLD DUPONT, which uses the Vatet loader and the PyXie Remote Access Tool to deploy the Defray777 ransomware (also known as "RansomExx"). Unit 42 believes this criminal group developed and maintains all three of these malware strains. The group has been using them in attacks since 2018, but has managed to keep a low profile until recently.
Notably, Unit 42 says Defray777/RansomExx is now capable of targeting Linux systems:
"During the course of our research, we found that Defray777 ransomware has been ported over to Linux. Before Defray777, ransomware that impacted both Windows and Linux operating systems was limited to being written in Java or scripting languages such as Python. These ransomware variants would be considered cross-functional since they were written in a single language that must be installed and supported by both operating systems. Defray777's port to Linux ensures that the ransomware has standalone executables for each platform with no external dependencies."
Kaspersky has also published a report on Defray777/RansomExx, highlighting the malware's Linux-focused capabilities. The researchers also note that attacks involving this malware are highly targeted: "Each sample of the malware contains a hardcoded name of the victim organization. Moreover, both the encrypted file extension and the email address for contacting the extortionists make use of the victim’s name." We noted in last week's Research Briefing that this ransomware operator is one of the reprehensible gangs that intentionally targets healthcare providers.
For more, see the CyberWire Pro Research Briefing.
Updates on Trickbot disruption efforts.
Intel 471 outlines how the gang behind Trickbot has managed to work around disruption efforts launched by US Cyber Command and Microsoft, but the researchers conclude that these efforts did have a visible and possibly lasting effect on Trickbot itself:
"Between Oct. 28, 2020 and Nov. 6, 2020, we have not seen any new Trickbot infection campaigns in our monitoring nor in open source reporting. We observed the number of active and working Trickbot control servers being reduced over time and we were unable to identify any working Trickbot control servers as of Nov. 6."
The researchers note that ransomware operators, particularly those behind Ryuk, have continued launching targeted attacks using BazarLoader (a different Trojan associated with the Trickbot gang), but they conclude that, "At the very least, this disruption activity caused the actors behind Trickbot to spend time and effort setting up new infrastructure instead of impacting and ransoming victims." Intel 471 did spot a new version of Trickbot being distributed on November 9th, but the firm says it's still not clear if the gang will shift back to using Trickbot or if they'll simply stick with BazarLoader as their tool of choice from now on.
Ryuk operator rakes in $34 million from a single attack.
An organization paid $34 million in ransom after falling victim to a Ryuk ransomware attack, BleepingComputer reports. Vitali Kremez, a researcher with Advanced Intelligence, said the Ryuk gang’s average ransom demand is around $735,000, and they’ve raked in more than $150 million over the course of their careers. Kremez describes the Russophone criminal gang as a “tough negotiator” that rarely shows any leniency.
Ryuk's operators are well-known for their loathsome tendency to target hospitals, but the threat actors don’t discriminate when choosing their victims. Kremez says they’ve also targeted organizations in technology, energy, financial services, and government, with healthcare organizations making up about 13% of their victims.
SentinelOne closes $267 million Series F round.
Mountain View, California-headquartered endpoint security company SentinelOne has secured $267 million in a Series F round led by Tiger Global Management, with participation from Sequoia Capital, Insight Partners, Third Point Ventures, and Qualcomm Ventures, TechCrunch reports. The round tripled the company's valuation to more than $3 billion, up from $1.1 billion this past February. Crunchbase News says "[t]he new money will mainly go toward the company becoming acquisitive, with it looking to both add talent as well as expand its platform, adding cloud modules and other features to address customer needs." SentinelOne's CEO Tomer Weingarten told Crunchbase that the company doesn't have a timeframe for an IPO, but it's watching the market and will go public when the time is right.
For more business news, see the CyberWire Pro Business Briefing.
Patch news.
For Patch Tuesday, Intel released forty security advisories for its Active Management Technology, wireless Bluetooth, and NUC products. Google addressed two Chrome zero-days. And Adobe took care of issues in Connect and Reader Mobile.
Microsoft fixed 112 flaws, including a Windows zero-day (CVE-2020-17087) uncovered by Google last month. KrebsOnSecurity notes that Microsoft has started using a new format for its vulnerability descriptions, mapping them to the Common Vulnerability Scoring System (CVSS). Krebs and others say the new format lacks some of the useful information and context provided by the company's previous model. Microsoft insists that the important information is still there, but in a more succinct and organized arrangement.
Crime and punishment.
A 26-year-old former Microsoft employee, Volodymyr Kvashuk, has been sentenced to nine years in prison for stealing more than $10 million from his employer. The US Justice Department says Kvashuk "was involved in the testing of Microsoft’s online retail sales platform and used that testing access to steal 'currency stored value' (CSV) such as digital gift cards." Mr. Kvashuk used the stolen funds to buy a $1.6 million lakefront home and a $160,000 car.
Courts and torts.
POLITICO says the US Federal Trade Commission is likely to bring an antitrust suit against Facebook by the end of the month. The FTC's Chair Joe Simons reportedly wants to handle the case internally, which would prevent individual states from joining the lawsuit. POLITICO explains that such a move "may make it easier to win, but...would take years and likely anger attorneys general from dozens of states who have been pushing for a swift, nationwide effort to force change at the company."
The EU's European Commission has sent a Statement of Objections to Amazon, accusing the company of violating antitrust laws in the EU:
"The European Commission has informed Amazon of its preliminary view that it has breached EU antitrust rules by distorting competition in online retail markets. The Commission takes issue with Amazon systematically relying on non-public business data of independent sellers who sell on its marketplace, to the benefit of Amazon's own retail business, which directly competes with those third party sellers.
"The Commission also opened a second formal antitrust investigation into the possible preferential treatment of Amazon's own retail offers and those of marketplace sellers that use Amazon's logistics and delivery services."
And China's State Administration for Market Regulation released draft antitrust guidelines on Tuesday, which the South China Morning Post says are "the first clear sign that Beijing is seeking to curtail the expanding prowess of its home-grown tech champions." The Post says Alibaba Group Holding, Tencent Holdings, and Meituan saw their stocks plunge on the news.
The US FTC has reached a settlement with Zoom over the company's claim that it offered end-to-end encryption when, in fact, it didn't. As part of the settlement, the FTC says the company has "agreed to a requirement to establish and implement a comprehensive security program, a prohibition on privacy and security misrepresentations, and other detailed and specific relief to protect its user base." The company must also "obtain biennial assessments of its security program by an independent third party, which the FTC has authority to approve, and notify the Commission if it experiences a data breach." (WIRED notes that Zoom did begin rolling out end-to-end encryption in a technical preview late last month, although there are some usability tradeoffs.)
Huawei is challenging Sweden's telecoms regulator in court over its decision to ban the company from the country's 5G infrastructure, Reuters reports.
Policies, procurements, and agency equities.
Axios reports that US President Trump issued an executive order on Thursday banning American investment in thirty-one companies linked to Beijing’s People’s Liberation Army. The ban covers mutual funds containing the firms, and gives organizations and individuals until November of next year to sell their shares. The banned companies include China Mobile Communications, China Electronics Corporation, and China Telecommunications Corp. China’s CGTN calls the move a "stunt" and a "distraction," arguing that the money on the table is "peanuts."
For more, see the CyberWire Pro Policy Briefing.