By the CyberWire staff
TrickBot turns its attention to firmware vulnerabilities.
The TrickBot banking Trojan now has a module that probes for UEFI vulnerabilities on infected machines, researchers at Advanced Intelligence and Eclypsium have found. The malware hasn't been observed actually installing bootkits yet, but the researchers believe this is imminent. They explain that "the malware already contains code to read, write, and erase firmware. These primitives could be used to insert code to maintain persistence, as has been seen previously with the LoJax or MosaicRegressor. Attackers could also simply erase the BIOS region to completely disable the device as part of a destructive attack or ransomware campaign." The researchers also note that "[i]t is quite possible that threat actors are already exploiting these vulnerabilities against high-value targets."
Are you interested in space and communications?
If so, take a look at the Cosmic AES Signals & Space. Aerospace meets outer space. This monthly briefing on cyber security as it relates to the space and SIGINT sectors covers technology, policy, market news and more.
Phishing campaign targets COVID-19 vaccine supply chain.
IBM's X-Force discovered a spearphishing campaign targeting the COVID-19 vaccine "cold chain," the link in the supply chain responsible for maintaining the vaccine's temperature during storage and transit. The campaign began in September and focused on organizations affiliated with the Vaccine Alliance's Cold Chain Equipment Optimization Platform (CCEOP) program. IBM says the "targets included the European Commission’s Directorate-General for Taxation and Customs Union, as well as organizations within the energy, manufacturing, website creation and software and internet security solutions sectors. These are global organizations headquartered in Germany, Italy, South Korea, Czech Republic, greater Europe and Taiwan."
The spearphishing emails impersonated an employee at the legitimate cold chain supplier Haier Biomedical, and contained HTML attachments designed to harvest credentials. IBM's Claire Zaboeva told Reuters that the attackers expended "an exceptional amount of effort" in crafting the phishing lures, noting that "Whoever put together this campaign was intimately aware of whatever products were involved in the supply chain to deliver a vaccine for a global pandemic."
The researchers don't offer attribution, but they suspect a nation-state actor is responsible. The immediate motive would seem to be espionage related to vaccine distribution (and that may turn out to be the case), but Reuters cites some experts who think the campaign may be "a subset of activity" in a much broader operation.
AstraZeneca targeted by suspected North Korean operators.
Reuters reported late last week that AstraZeneca, one of the leading COVID-19 vaccine developers, had been targeted by suspected North Korean intelligence operators. The attackers approached AstraZeneca employees with bogus job offers on LinkedIn and WhatsApp, then sent them documents loaded with malicious macros. The attempts are thought to have been unsuccessful. The Washington Post reports that the Kim regime is under increasing stress from both COVID-19 directly and from the pandemic's effects on the DPRK's already strained economy.
Criminals are also taking an interest in COVID-19 vaccines.
One reason for thinking espionage against the cold chain is state-directed is, as we’ve mentioned, the absence of any obvious way in which criminals could cash out their take. But there are strong criminal motives for vaccine fraud, too. Vice points out that dark web drug dealers are pushing bogus COVID-19 vaccines, including counterfeits of legitimate emerging treatments. The Wall Street Journal adds that vaccines will be attractive targets of theft, too: they're "liquid gold."
Data exposure at Brazil's Ministry of Health compromises 234 million citizens' data.
Personal information belonging to more than 243 million Brazilians was accessible online for six months after web developers left the password to a government database in the public source code of the Brazilian Ministry of Health's website, ZDNet reports. The database, Sistema Único de Saúde (SUS), stored information on all citizens, living and deceased, who had signed up for public healthcare in the country. The data exposed included names, medical details, home addresses, and phone numbers.
For more, see the CyberWire Pro Privacy Briefing.
The Shadow Academy takes an interest in US, UK, Australian universities.
RiskIQ this Wednesday released a report on a threat actor it calls the "Shadow Academy." While it walks and quacks like the Iran-linked Mabna Institute and Silent Librarian, and shares a number of their targets, researchers don't think the overlap in TTPs and targeting is sufficient for definitive attribution. The name "Shadow Academy" alludes to the group's use of domain shadowing to gain access to its victims' networks, and to the fact that its targets were universities. The attacks hit twenty institutions in Australia, the United States, and the United Kingdom.
Turla's Crutch is found in an EU member's foreign ministry.
ESET reported finding a backdoor and information stealer in the systems of a European Union member country’s foreign ministry. The malware isn’t new, as it seems to have been in use between 2015 and 2020, but it had gone undocumented until now. ESET calls the backdoor “Crutch,” and they’re confident it belongs to the threat group Turla, which has been using it to pull stolen files into a Dropbox account Turla controls. Crutch isn’t a first-stage backdoor; it's installed into a network that has already been compromised.
Turla, of course, is also known as Uroburos and Venomous Bear. It’s a Russian cyberespionage outfit that has specialized in targeting former Soviet republics and former members of the Warsaw Pact.
Foreign attempts to influence US elections appear to have enjoyed little success.
There's been some speculation that one of the reasons for the relative lack of success that influence operations enjoyed during this election cycle is that intense domestic partisanship may have produced enough noise to drown out the foreign operations. Some of the domestic misinformation appears to have seen foreign interference where government investigators have found none.
Speaking on CBS’s 60 Minutes, former CISA Director Krebs was particularly concerned to debunk claims of foreign manipulation of US voting systems and vote counting. He said, "We spent something on the order of three and a half years gaming out every possible scenario for how a foreign actor could interfere with an election… countless scenarios…" There has been one theory in circulation that software used in Dominion Voting Systems was developed in Venezuela under the direction of the late strongman Hugo Chavez, and that such software is designed to corrupt and manipulate US vote tallies. Krebs says it’s all hooey: votes aren’t being counted offshore, and there’s no evidence in either initial counts or recounts that the US election was stolen by any combination of foreign intelligence services or transnational groups. "So again, there's no evidence that any machine has been manipulated by a foreign power, period."
At week's end the Washington Examiner reported that Brandon Wales, acting director of the US Cybersecurity and Infrastructure Security Agency, is standing by his predecessor's conclusion that the US elections were secure. He told the Aspen Institute's Cyber Summit, "There are times that our statement has kind of been misconstrued to say that there were no problems with the election and that it was fraud-free, and that's just not the case. We do believe that it was secure from external interference, which is our mandate, and we're proud of the work we did to get to that point."
For more, see the CyberWire Pro Disinformation Briefing.
Read the latest Women in Cybersecurity newsletter by the women of the CyberWire.
The CyberWire's newsletter, Creating Connections, focuses on connecting women in the cybersecurity field across the globe! The latest edition was released on December 7th, and new issues publish monthly on the first Monday of each month. Brought to you by women in the industry, you are invited to join our league of cyber ladies and create lasting connections. Learn more or subscribe here.
APT uses cryptominers as distractions.
Microsoft says the nation-state actor BISMUTH (associated with Vietnam's OceanLotus or APT32) deployed cryptomining malware in espionage-focused attacks against private-sector and government entities in France and Vietnam. Redmond believes the cryptominers were primarily meant to deflect attention from the group's stealthier actions, since cryptomining activity is generally perceived as more of a nuisance than a grave threat. The coin miners also provided the added benefit of generating revenue for the threat actor: the attackers in this case made more than a thousand US dollars' worth of Monero.
The threat actor initially gained access to victims' networks via well-crafted spearphishing attacks. Microsoft explains, "The use of coin miners by BISMUTH was unexpected, but it was consistent with the group’s longtime methods of blending in. This pattern of blending in is particularly evident in these recent attacks, starting from the initial access stage: spear-phishing emails that were specially crafted for one specific recipient per target organization and showed signs of prior reconnaissance. In some instances, the group even corresponded with the targets, building even more believability to convince targets to open the malicious attachment and start the infection chain."
Once the attackers gained a foothold, they used PowerShell scripts to move laterally and install additional tools. They eventually dropped Cobalt Strike to maintain persistence, then installed the cryptominer while using Mimikatz to steal credentials.
Microsoft concludes, "Because BISMUTH’s attacks involved techniques that ranged from typical to more advanced, devices with common threat activities like phishing and coin mining should be elevated and inspected for advanced threats. More importantly, organizations should prioritize reducing attack surface and hardening networks against the full range of attacks."
For more, see the CyberWire Pro Research Briefing.
How'd you like to be the office cybersecurity hero?
With a CyberWire Pro Enterprise subscription, you can make that happen. You can help to keep your organization up to date with the latest news, analysis, and trends across the evolving cybersecurity landscape, save some money, and look like a hero at the same time. To learn more, visit our CyberWire Pro page and click on the Contact Us link in the Enterprise box.
Some investment news.
Amsterdam-headquartered threat intelligence company EclecticIQ has raised €20 million (US$24 million) in a Series C round led by Ace Management, with participation from Capricorn Digital Growth Fund and Quest for Growth, Invest-NL, Arches Capital, and existing investors INKEF Capital, KEEN Venture Partners, and KPN Ventures. The company says the funding "will go towards deepening the company's commitment to government, large enterprises and service providers, expanding its portfolio and increasing the company's global footprint."
Paris-based XDR platform provider Tehtris has secured €20 million (US$24 million) in a Series A round led by Ace Management, with participation from Open CNP, Nouvelle-Aquitaine Co-Investissement (NACO), and angel investors. The company's CTO Laurent Oudot stated, "To support our international expansion and to sustain our strong growth, we are announcing the creation of several hundred jobs in the next 3 years."
Alpharetta, Georgia-based banking cybercompliance provider DefenseStorm has raised $12 million in a Series B round led by Georgian, with participation from TTV Capital. The company stated, "This round of funding will accelerate several of DefenseStorm's strategic growth initiatives including technical and user-facing product changes and establishing greater platform efficiency and scalability."
More business news, including executive moves, can be found in the CyberWire Pro Business Briefing.
Black market offering could facilitate business email compromise.
A threat actor is selling access to Office 365 and Microsoft accounts belonging to hundreds of senior executives at a variety of organizations, ZDNet reports. The criminal is selling credentials for the accounts for between $100 and $1,500. The individual claims the accounts belong to CEOs, COOs, CFOs, CMOs, CTOs, presidents, vice presidents, and various senior employees responsible for finances.
Patch news.
Drupal has rolled out an emergency patch to fix critical vulnerabilities that could lead to arbitrary code execution, BleepingComputer reports. Drupal users are encouraged to update as soon as possible. The vulnerability can also be mitigated by preventing untrusted users from uploading .tar, .tar.gz, .bz2, or .tlz files.
Crime and punishment.
The US State Department is offering rewards under its Rewards for Justice program "for information that leads to the disruption of financial mechanisms of persons engaged in certain activities that support North Korea, including money laundering, exportation of luxury goods to North Korea, specified cyber-activity, and actions that support WMD proliferation." Individual rewards can amount to up to $5 million for a productive tip.
One prominent member of "the Apophis Squad" (remember them? we do) was one Timothy Dalton Vaughn. On Monday Mr. Vaughn received a sentence of eight years in prison for conspiracy, conducting computer attacks, and possession of child pornography. Mr. Vaughn and the other malign losers of the Apophis Squad specialized in website defacements, bogus threats of school violence, false reports of airline hijacking, and so on. Their motives ranged from lulz to money: bomb threats were done for the lulz, and distributed denial-of-service attacks for money (payable by the victims as ransom).
Courts and torts.
The US Supreme Court on Monday heard arguments in a case challenging the broad scope of the Computer Fraud and Abuse Act (CFAA). JD Supra summarizes the Court's deliberations over the law's definition of "exceeding authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter":
"First, much of the argument centered around the government's claim that the word 'so' in the statutory definition of 'exceeds authorized access' dictates an interpretation that the CFAA should be construed broadly. Justice Sotomayor was audibly frustrated with this argument, telling the government that it was 'giving definitions that narrow the statute that the statute doesn’t have. You're asking us to write definitions to narrow what could otherwise be viewed as a very broad statute and dangerously vague.' Justice Kagan similarly pressed the government as to the meaning of 'so' in the statute, pointing out that both parties had different interpretations of the word, and asking the solicitor general, 'why is it that we should pick your choice … rather than [Van Buren's] choice … ?' The newest addition to the Court, Justice Barrett, also raised questions about the government’s reliance on the word 'so' to support its position. Most likely, the decision will include some discussion about the potential ambiguity of the statute’s language—whether it is in the majority decision or a dissenting one."
A decision in the case is expected by the end of June 2021.
Policies, procurements, and agency equities.
CyberScoop reports that the 2021 National Defense Authorization Act (NDAA) will establish a new White House cybersecurity advisor and coordinator at the recommendation of the Cyberspace Solarium Commission. In contrast to the position President Trump axed, the National Cyber Director will be independent of the National Security Council and Senate-confirmed, thus representing the force of both the legislative and executive branches.
Senator Mike Rounds (Republican of South Dakota), who chairs the Senate Cybersecurity Subcommittee, said that the position has bipartisan and bicameral backing, and that it “will strengthen our nation’s cybersecurity planning and coordination at all levels of government as well as between the public and private sectors."
In keeping with additional Cyberspace Solarium recommendations, the bill will set up a new office at CISA and commission a force structure assessment of the Cyber Mission Force. It will also direct the President to plan for economic continuity in the face of a catastrophic cyberattack, and allow DHS to subpoena internet service providers when CISA needs to disclose vulnerabilities to hard-to-reach clients. Congress should have enough votes to overrule a possible presidential veto.
Looking ahead to the next Administration, President-elect Biden's Administration is likely to “build on” the Trump Administration’s cyber successes, deviating only in military strategy, according to The Record. CISA, Cyber Command, election security, and cross-sector cooperation will continue to be key players. Former DHS official Tom Warrick hopes the incoming Administration doubles CISA’s budget, while a Third Way VP wants the Administration to take a close look at Cybercom’s (classified) expanded powers. Cyberspace Solarium Commission executive director Mark Montgomery commented, “We have a much more agile and speedy process for the execution of offensive cyber operations. And I hope that the Biden administration takes advantage of the effort and the risk taken by the Trump administration establishing that.”
For more, see the CyberWire Pro Policy Briefing.