By the CyberWire staff
Russia's SVR suspected in FireEye breach.
Security firm FireEye disclosed on Tuesday that a "highly sophisticated state-sponsored adversary" had stolen the company's proprietary red-teaming tools:
"The stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit. Many of the Red Team tools have already been released to the community and are already distributed in our open-source virtual machine, CommandoVM. Some of the tools are publicly available tools modified to evade basic security detection mechanisms. Other tools and frameworks were developed in-house for our Red Team.
"The Red Team tools stolen by the attacker did not contain zero-day exploits. The tools apply well-known and documented methods that are used by other red teams around the world. Although we do not believe that this theft will greatly advance the attacker’s overall capabilities, FireEye is doing everything it can to prevent such a scenario."
The actor also attempted to steal information on some of the company's public-sector customers, although it's unclear if these efforts were successful. FireEye's CEO Kevin Mandia said in a blog post, "Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers. While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems. If we discover that customer information was taken, we will contact them directly."
The Wall Street Journal cites a source close to the matter as saying Russia's Foreign Intelligence Service, the SVR, is viewed as the top suspect. Cozy Bear (APT29) is the best-known SVR threat actor, although FireEye hasn't publicly named any particular group. While FireEye's arsenal might prove useful for various reasons, WIRED sees the theft of hacking tools as more of a statement, noting that the threat actor presumably has equivalent or better tools at its disposal.
FireEye hasn't released many technical details of the hack, but observers say that's consistent with what one would expect at this stage of an investigation. Despite the breathless quality of some reporting on the incident, FireEye has received more praise than criticism for its quick disclosure and transparent handling of the incident.
Cisco Talos has summarized the vulnerabilities most likely to be exploited by the stolen red-team tools, and Data Breach Today has published them alongside the products they affect: CVE-2019-11510 (Pulse Secure), CVE-2020-1472 (Windows Netlogon), CVE-2018-13379 (Fortinet FortiOS), CVE-2018-15961 (Adobe ColdFusion), CVE-2019-0604 (Microsoft SharePoint), CVE-2019-0708 (Microsoft Remote Desktop Services), CVE-2019-11580 (Atlassian Crowd and Crowd Data Center), CVE-2019-19781 (Citrix Application Delivery Controller and Citrix Gateway), CVE-2020-10189 (Zoho ManageEngine Desktop Central), CVE-2014-1812 (Group Policy implementation in Microsoft Windows), CVE-2019-3398 (Confluence Server and Data Center), CVE-2020-0688 (Microsoft Exchange), CVE-2016-0167 (Microsoft Windows), CVE-2017-11774 (Microsoft Outlook), CVE-2018-8581 (Microsoft Exchange Server), and CVE-2019-8394 (Zoho ManageEngine ServiceDesk Plus). None of these is new; every one has a vendor patch available. Organizations that want to protect themselves against potential abuse of FireEye's tools can start there when they assess their patch management.
Learn the latest ransomware threats and how to protect your organization from them.
With ransomware on a trajectory to inflict more than $20 billion in economic damage in 2021, it’s fast become clear that encrypting and exfiltrating data is big business. Just like other businesses, ransomware groups now seek to make more money by expanding their attacks to more and more companies. Register for Morphisec’s webinar and find out how to protect yourself from this growing threat.
Facebook names names.
In a rare public attribution, Facebook has accused CyberOne Group, a Vietnamese IT company, of working for APT32 (also known as "OceanLotus"), a threat actor believed to be operating on behalf of Vietnam's government. According to Reuters, Facebook's head of cybersecurity policy Nathaniel Gleicher said the evidence included "online infrastructure, malicious code, and other hacking tools and techniques." Gleicher said Facebook isn't revealing the exact details because doing so would hamper the company's efforts to track the group's future operations. CyberOne, in a message sent to Reuters from its now-suspended Facebook page, said, "We are NOT Ocean Lotus. It's a mistake."
Facebook says APT32's recent activity involved crafting fake personas across multiple social media sites posing as activists, business entities, or romantic interests. Some of the group's Facebook pages "were designed to lure particular followers for later phishing and malware targeting." The threat actor also used malicious apps in the Google Play Store and watering-hole sites to deliver malware. Facebook describes the campaign as "a well-resourced and persistent operation focusing on many targets at once, while obfuscating their origin."
In the same news release, Facebook also called out two Bangladeshi non-profits for targeting "local activists, journalists, and religious minorities, including those living abroad, to compromise their accounts and have some of them disabled by Facebook for violating our Community Standards." The two non-profits, Don’s Team (or "Defense of Nation") and the Crime Research and Analysis Foundation (CRAF), allegedly used coordinated reporting to get certain accounts and pages banned by the social media platform. Facebook also accuses them of hacking accounts: "On at least one occasion, after a Page admin’s account was compromised, they removed the remaining admins to take over and disable the Page. Our investigation suggests that these targeted hacking attempts were likely carried out through a number of off-platform tactics including email and device compromise and abuse of our account recovery process."
Earn a Master's in Cybersecurity Part-Time & Online at Georgetown
Looking to advance your cybersecurity career? Check out Georgetown University's graduate program in Cybersecurity Risk Management. Ideal for working professionals, our program offers flexible options to take classes online, on campus, or through a combination of both—so you don’t have to interrupt your career to earn your degree. You'll leave the program with the expertise you need to effectively manage risks and navigate today’s increasingly complex cyber threats. Explore the program.
Mongolian government entities targeted.
Researchers at ESET and Avast have identified a state-sponsored operation targeting government entities in Mongolia, ZDNet reports. Avast attributes the campaign to the Chinese-speaking APT "LuckyMouse" with moderate confidence. According to ESET, the threat actor compromised the update mechanism of the chat application Able Desktop, which is widely used in Mongolia. The actor initially distributed Trojanized Able installers beginning in 2018, before compromising Able's update system directly in June 2020. The malware variants delivered included the HyperBro backdoor, the PlugX Trojan, and another Trojan dubbed "Tmanger."
Avast states, "The APT group planted backdoors and keyloggers to gain long-term access to government networks and then uploaded a variety of tools that they used to perform additional activities on the compromised network such as scanning of the local network and dumping credentials. We presume that the main aim of cyber-espionage was the exfiltration of sensitive data from potentially interesting government agencies."
Schools warned of increase in cyberattacks.
A Joint Cybersecurity Advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Multi-State ISAC warns that cybercriminals are increasingly focusing on Kindergarten-through-twelfth-grade (K-12) schools. The advisory names Ryuk, Maze, Nefilim, AKO, and Sodinokibi among the commonly observed ransomware strains. A rise in ransomware attacks against schools coincided with the beginning of the school year: "In August and September, 57% of ransomware incidents reported to the MS-ISAC involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July."
The advisory also warns of Trojans (particularly ZeuS on Windows and Shlayer on macOS), DDoS attacks, and video conference disruptions. The agencies offer advice for schools to defend themselves against each of these threats.
Want to get your message to leaders in cyber?
Security leaders across the globe trust the CyberWire and depend on us every day to deliver the news and analysis they need to do their jobs. That’s also why so many top security companies and hot startups trust us to help get the word out about their brand and fill their sales funnels. We have lots of great sponsorship opportunities that can help you get the word out too. Learn more at thecyberwire.com/sponsorship.
A look at the GRU's disinformation tactics.
The Free Russia Foundation this week released a report, "Aquarium Leaks," on disinformation tactics used by Russia's GRU. The authors of the report are interested in showing the continuity they perceive between Soviet-era propaganda and disinformation and the successor programs Russia has operated since the Soviet Union broke up in 1991.
The GRU's Unit 54777 has taken a leading role in operating disinformation campaigns. It's also done so in cooperation with a different intelligence organization, the SVR, which is the successor agency of the Soviet-era KGB’s foreign branch, the First Chief Directorate.
The report consists largely of translations of files obtained from various sources: defectors, leakers, and so on. The main lesson they teach is that psychological warfare occupies a significant place in Russian military doctrine, that its services are organized to conduct it, and that significant resources are expended on training for it.
For more, see the CyberWire Pro Disinformation Briefing.
AMNESIA:33 vulnerabilities in TCP/IP stacks.
Forescout uncovered thirty-three vulnerabilities across four open-source TCP/IP stacks (uIP, FNET, PicoTCP, and Nut/Net), affecting IoT, OT, and IT devices from at least 150 vendors. Like the Ripple20 vulnerabilities disclosed by JSOF in June, the full scope of AMNESIA:33 is difficult to quantify, since the stacks are widely distributed and implemented by individual vendors themselves. Many devices will likely remain unpatched for this reason.
Twenty-six of the flaws could trigger a denial-of-service condition, five could leak potentially sensitive information, two could lead to DNS cache poisoning, and four could be used to achieve remote code execution. Four of the flaws are deemed critical, although the researchers note that the consequences of the vulnerabilities vary widely depending on the circumstances. (A denial-of-service flaw, for example, can be much more serious in an OT environment, where the affected device may be controlling a physical process.)
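The bug classes above (denial of service, out-of-bounds reads, memory corruption) are easiest to see in the packet-parsing code that small TCP/IP stacks carry. The following is an added example written for this page, not Forescout's research code and not code from uIP, FNET, PicoTCP or Nut/Net: a DNS name decoder written carelessly, then the hardened version an embedded stack should ship, run over packets constructed for the demo. It does not reproduce any specific AMNESIA:33 bug.

```c
/* Added example (illustrative, not Forescout's or any vendor's code): decoding
 * a DNS name with RFC 1035 label compression, unsafe and hardened. Packets
 * below are constructed for the demo. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_NAME 255   /* longest presentation-form name, excluding the NUL */

/* Careless decoder. It trusts every length byte and compression pointer, so a
 * pointer to itself spins forever (denial of service), a label length running
 * past the packet reads beyond it (information leak or crash), and a long
 * chain of labels overruns `out` (memory corruption, possibly RCE). */
size_t dns_name_decode_unsafe(const uint8_t *pkt, size_t pos, char *out)
{
    size_t n = 0;
    for (;;) {
        uint8_t len = pkt[pos++];
        if (len == 0) break;
        if ((len & 0xC0) == 0xC0) {                   /* compression pointer */
            pos = ((len & 0x3F) << 8) | pkt[pos];
            continue;
        }
        if (n) out[n++] = '.';
        memcpy(out + n, pkt + pos, len);              /* no bound on n or pos */
        n += len;
        pos += len;
    }
    out[n] = '\0';
    return n;
}

/* Hardened decoder: returns the decoded length, or -1 for any malformed name.
 * Every read is checked against pkt_len, output is capped by out_len and
 * MAX_NAME, a pointer must point strictly backwards (so no loops are
 * possible) and the jump count is capped anyway. *end receives the offset
 * just past the name in the un-jumped stream, which the caller needs to read
 * the record fields that follow the name. */
int dns_name_decode(const uint8_t *pkt, size_t pkt_len, size_t pos,
                    char *out, size_t out_len, size_t *end)
{
    size_t n = 0, jumps = 0, ret_pos = 0;
    int jumped = 0;

    if (out_len == 0) return -1;
    for (;;) {
        if (pos >= pkt_len) return -1;                /* length byte present? */
        uint8_t len = pkt[pos++];
        if (len == 0) break;
        if ((len & 0xC0) == 0xC0) {
            if (pos >= pkt_len) return -1;            /* second pointer byte? */
            size_t target = ((len & 0x3F) << 8) | pkt[pos++];
            if (!jumped) { ret_pos = pos; jumped = 1; }
            if (target >= pos - 2 || ++jumps > 16)    /* backwards only, bounded */
                return -1;
            pos = target;
            continue;
        }
        if (len & 0xC0) return -1;                    /* 0x40/0x80 label types */
        if (pos + len > pkt_len) return -1;           /* label data present? */
        size_t need = n + (n ? 1 : 0) + len;
        if (need > MAX_NAME || need >= out_len)       /* room for it plus NUL? */
            return -1;
        if (n) out[n++] = '.';
        memcpy(out + n, pkt + pos, len);
        n += len;
        pos += len;
    }
    out[n] = '\0';
    if (end) *end = jumped ? ret_pos : pos;
    return (int)n;
}

/* Constructed packets for the demo (offsets noted as @N). */
static const uint8_t demo_pkt[] = {
    0,0, 0,0, 0,0, 0,0, 0,0, 0,0,                     /* 12-byte header */
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, /* @12 */
    0,1, 0,1,                                         /* @29 QTYPE A, QCLASS IN */
    0xC0, 0x0C,                                       /* @33 pointer -> 12 */
    4,'m','a','i','l', 0xC0, 0x10,                    /* @35 "mail" + pointer -> 16 */
};
static const uint8_t loop_pkt[]  = { 0xC0, 0x00 };    /* pointer to itself */
static const uint8_t short_pkt[] = { 0x20, 'a', 'b' }; /* claims 32 bytes, has 2 */

static char   scratch[MAX_NAME + 1];                  /* shared output buffer */
static size_t scratch_end;

int main(void)
{
    int n = dns_name_decode(demo_pkt, sizeof demo_pkt, 35,
                            scratch, sizeof scratch, &scratch_end);
    printf("answer 2: %d \"%s\", record data at %zu\n", n, scratch, scratch_end);
    printf("loop: %d  short: %d\n",
           dns_name_decode(loop_pkt, sizeof loop_pkt, 0, scratch, sizeof scratch, NULL),
           dns_name_decode(short_pkt, sizeof short_pkt, 0, scratch, sizeof scratch, NULL));
    /* dns_name_decode_unsafe(loop_pkt, 0, scratch) would never return. */
    return 0;
}
```

The three checks that matter are the ones embedded stacks most often omit: the bound on the label length against the remaining packet, the bound on the accumulated name against the output buffer, and the backwards-only rule for compression pointers, which is what turns a pointer loop from an infinite spin into a rejected packet.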
For more, see the CyberWire Pro Research Briefing.
How'd you like to be the office cybersecurity hero?
With a CyberWire Pro Enterprise subscription, you can make that happen. You can help to keep your organization up to date with the latest news, analysis, and trends across the evolving cybersecurity landscape, save some money, and look like a hero at the same time. To learn more, visit our CyberWire Pro page and click on the Contact Us link in the Enterprise box.
Investment news.
Maryland-based industrial cybersecurity company Dragos has secured $110 million in a Series C round co-led by National Grid Partners and Koch Disruptive Technologies, with participation from Saudi Aramco Energy Ventures (SAEV), Hewlett Packard Enterprise, and existing investors AllegisCyber, Canaan, DataTribe, Energy Impact Partners, and Schweitzer Engineering Labs. Dragos's co-founder and CEO Rob Lee said the investment "will enable us to fully meet this moment for our customers by advancing the innovative technology at the center of our Dragos Platform, expanding our global footprint, and continuing to recruit the world’s most elite team of ICS/OT cybersecurity experts."
New York-based passwordless authentication provider Beyond Identity has raised $75 million in a Series B round led by New Enterprise Associates (NEA), with participation from Jim Clark and Koch Disruptive Technologies, VentureBeat reports. The company will use the funding "to fuel further innovation of its industry-leading, advanced passwordless identity platform and to build a global footprint, including the acceleration of distribution channels, OEM partners, and international sales and support."
Los Angeles-based cloud security provider Orca Security has raised $55 million in a Series B round led by ICONIQ Growth, with participation from existing investors GGV Capital, YL Ventures, and Silicon Valley CISO Investments. Orca stated that the funding will be used to "further [expand] its cloud security and compliance capabilities. By the end of 2021, Orca Security plans to have nearly tripled its R&D team since its A round in May of 2020. It is also boosting its sales team to nearly 30 people to meet global product and customer demand. The company also plans to open new sales offices in the UK and Australia to serve the European and APAC markets."
Mountain View-headquartered cyber insurance company At-Bay has raised $34 million in a Series C round led by Qumra Capital, with participation from M12 and existing investors Acrew Capital, Khosla Ventures, Lightspeed Venture Partners, and Munich Re Ventures, TechCrunch reports.
For more, see the CyberWire Pro Business Briefing.
Patch news.
The US National Security Agency released an advisory on Monday warning that Russian state-sponsored actors are exploiting a VMware vulnerability (CVE-2020-4006) that was patched last Thursday. NSA stated:
"The National Security Agency (NSA) released a Cybersecurity Advisory today detailing how Russian state-sponsored actors have been exploiting a vulnerability in VMware® products to access protected data on affected systems. This advisory emphasizes the importance for National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) system administrators to apply vendor-provided patches to affected VMware® identity management products and provides further details on how to detect and mitigate compromised networks.
"The products affected by this vulnerability are the VMware® Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector, with specific product versions also identified in the VMware® advisory. The exploitation of this vulnerability first requires that a malicious actor have access to the management interface of the device. This access can allow attackers to forge security assertion markup language (SAML) credentials to send seemingly authentic requests to gain access to protected data.
"NSA strongly recommends that NSS, DoD, and DIB system administrators apply the vendor-issued patch as soon as possible. If a compromise is suspected, check server logs and authentication server configurations as well as applying the product update. In the event that an immediate patch is not possible, system administrators should apply mitigations detailed in the advisory to help reduce risk of exploitation/compromise/attack."
Crime and punishment.
CyberScoop says a German court has ordered secure email company Tutanota to hack the account of a customer suspected of blackmail before the close of 2020. Tutanota said it plans to appeal the decision, but will have to comply with the order in the meantime.
Both Haaretz and the Guardian are reporting on Forbidden Stories' Cartel Project, which describes the ways in which Mexican police, users of NSO Group's lawful intercept products, have allegedly been reselling that technology to drug cartels, which in turn have used the spyware to monitor journalists and other third parties. Some of the allegations are attributed to sources in the US Drug Enforcement Administration.
The Mirai incident, which in the fall of 2016 took out the Internet in much of the US, had already resulted in three Federal guilty pleas. Another defendant, unnamed because a minor at the time of the offense, has become the fourth, copping a plea before the US District Court for the District of New Hampshire.
Courts and torts.
The US Federal Trade Commission and a coalition of forty-six states, Guam, and the District of Columbia are bringing antitrust lawsuits against Facebook, The Hill reports. Ian Conner, director of the FTC's Bureau of Competition, stated, "Facebook's actions to entrench and maintain its monopoly deny consumers the benefits of competition. Our aim is to roll back Facebook's anticompetitive conduct and restore competition so that innovation and free competition can thrive." Facebook's vice president and general counsel Jennifer Newstead stated, "This is revisionist history. Antitrust laws exist to protect consumers and promote innovation, not to punish successful businesses. The government now wants a do-over, sending a chilling warning to American business that no sale is ever final. People and small businesses don't choose to use Facebook's free services and advertising because they have to, they use them because our apps and services deliver the most value. We are going to vigorously defend people's ability to continue making that choice."
The Wall Street Journal cites experts who see "years of engineering and legal work" if the suit does lead to a breakup of the company.
Policies, procurements, and agency equities.
The National Defense Authorization Act, which contains significant cybersecurity provisions, passed both the House and Senate this week by what are generally regarded as veto-proof margins. The bill reestablishes a White House cyber coordinator position (the National Cyber Director), and the Cybersecurity and Infrastructure Security Agency (CISA) gains authority to issue administrative subpoenas to ISPs when the agency detects security vulnerabilities but can't track the owner down. The law also gives CISA authority for extensive threat hunting within the Federal Government's networks, directs it to establish a Joint Cyber Planning Office, and instructs the agency's director to appoint a cybersecurity state coordinator for each state. That last provision is intended to improve coordination among state and Federal agencies.
The EU has selected Bucharest to house the European Cybersecurity Competence Center (ECCC), POLITICO reports. The Center will serve as a "hub to distribute EU and national funding for cybersecurity research projects across the bloc."
For more, see the CyberWire Pro Policy Briefing.