Exchange Server exploitation continues. Suspected Chinese operation tied to RedDelta. US Intelligence Community's report on election interference.

Exchange Server exploitation continues.

The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its advice on dealing with Microsoft Exchange Server exploitation to include notes on China Chopper web shells being used against victims. The UK’s National Cyber Security Centre (NCSC), like its counterparts in the US, Germany, and elsewhere, has urged all organizations, both public and private, to apply Microsoft's patches as soon as possible. They also recommend that all organizations look for signs of compromise by threat actors, whether Chinese intelligence services or criminal gangs, stating, "This advice applies irrespective of update status because a compromise may have occurred before updates were installed and installing the update will not remediate a previous compromise." Roughly half of the UK’s approximately eight-thousand exposed servers have been patched, according to Insurance Journal.

Microsoft continues to update guidance on protecting on-premise Exchange Servers from attacks. On Monday the Microsoft Security Response Center released a new, "one-click mitigation tool" to help users secure both current and out-of-support versions of Exchange Server.

Researchers at Check Point say they've "observed that the number of attempted attacks have increased tenfold from 700 on March 11 to over 7,200 on March 15." They add that the "[m]ost targeted industry sector has been Government/Military (23% of all exploit attempts), followed by Manufacturing (15%), Banking & Financial Services (14%), Software vendors (7%) and Healthcare (6%)."

Suspected Chinese operation tied to RedDelta.

McAfee has disclosed a cyberespionage campaign dubbed "Operation Diànxùn" that's targeting telecommunications companies. McAfee believes with "a moderate level of confidence" that this operation is run by the Chinese threat actor Mustang Panda, and that this is the same threat actor tracked by Recorded Future as RedDelta (known for targeting the Vatican).

"In this attack, we discovered malware using similar tactics, techniques and procedures (TTPs) to those observed in earlier campaigns publicly attributed to the threat actors RedDelta and Mustang Panda. While the initial vector for the infection is not entirely clear, we believe with a medium level of confidence that victims were lured to a domain under control of the threat actor, from which they were infected with malware which the threat actor leveraged to perform additional discovery and data collection. We believe with a medium level of confidence that the attackers used a phishing website masquerading as the Huawei company career page to target people working in the telecommunications industry."

The researchers believe the actor is trying to steal information related to 5G technology (and they stress that they have no evidence that Huawei itself had any involvement in this campaign):

"By using McAfee’s telemetry, possible targets based in Southeast Asia, Europe, and the US were discovered in the telecommunication sector. We also identified a strong interest in German, Vietnamese and India telecommunication companies. Combined with the use of the fake Huawei site, we believe with a high level of confidence that this campaign was targeting the telecommunication sector. We believe with a moderate level of confidence that the motivation behind this specific campaign has to do with the ban of Chinese technology in the global 5G roll-out."

McAfee has provided a full technical analysis of the campaign as well.

For more, see the CyberWire Pro Research Briefing.

US Intelligence Community's report on election interference.

The US intelligence community on Tuesday released the unclassified version of its report on foreign interference in the 2020 US elections. The investigation found no evidence of foreign attempts to manipulate vote counts or other technical aspects of the election. It did find evidence of an extensive Russian influence campaign aimed at denigrating then-candidate Biden to the advantage of then-President Trump, with a strong, overarching goal of eroding confidence in US elections. The investigation found that Iran conducted a similar influence effort aimed at damaging President Trump's candidacy. Both efforts were authorized at the highest levels, by President Putin in Moscow and by Supreme Leader Khamenei in Tehran.

Russia's efforts were marked by extensive preparation and the use of trolls, agents of influence, and influencers of the useful-idiot variety, with messaging amplified by online proxies and Russian official media outlets. In general, Russian policymakers, while not in every respect happy with President Trump, clearly preferred him to a President Biden, although they had made their peace with a possible Biden presidency by the closing weeks of the campaign, seeing a silver lining in President Biden's presumed interest in reviving arms control agreements perceived as working to Russia's advantage. Their long-standing goal, which the report says endures into the present, is to weaken the United States, and whatever is likely to accomplish that, particularly erosion of trust in US civil and political institutions, is a good bet.

Iran wasn't particularly in favor of President Biden, but the Islamic Republic was definitely opposed to President Trump. Their influence operation ran principally through social media and, interestingly enough, highly targeted email campaigns that spoofed the Proud Boys and threatened the recipients (for the most part, likely Democratic voters) with crude appeals to vote for Trump, hoping thereby to provoke a backlash against the former president. Tehran's efforts work to exploit and exacerbate fissures in American civil society, and the report warns that these efforts have continued, post-election. Iran chose what the report calls "cyber tools and methods" because they were cheap, scalable, deniable, and required no physical access to the US. 

The investigation considered the possibility of interference by other governments as well, but none of the others were as active as those of either Russia or Iran. China considered undertaking an influence campaign but, eventually, seems to have decided to sit the election out, apart from taking some minor shots at then-President Trump. In general, Beijing seems to have performed a cost-benefit analysis and decided that it saw no particular advantage to China in the election or defeat of either major party candidate and, in particular, no advantage that would outweigh the bad optics of getting caught. Traditional influence, such as lobbying and economics, were judged to be the best bet for advancing Chinese interests, and in any case, the view from Beijing sees bipartisan Sinophobic consensus in the US, and that anti-China sentiment is going to endure whichever party holds the major positions in government.

For more, see the CyberWire Pro Disinformation Briefing.

Interview with a REvil member.

The REvil ransomware group, also known as Sodinokibi, is known for using double-extortion tactics against its victims and for its robust ransomware-as-a-service operation, in which developers sell malware to "affiliates" in order to launch their own campaigns. Threatpost reports that the group is currently taking credit for attacks over the past two weeks on nine organizations: law firms, an insurance company, international banks, and a manufacturer, located in Africa, Europe, Mexico, and the US. As proof, REvil published some of the documents they claim to have stolen from the victims: computer file directories, customer lists, contracts, and employer and customer IDs. Rob McLeod, senior director of the Threat Response Unit for eSentire stated, "These attacks come directly on the heels of an extensive and well-planned drive-by-download campaign, which was launched in late December." Though it's unclear if payment has been requested, some of the documents disappeared after posting, indicating the victims might have paid up.

Shedding some light on the motivations behind the group's methods, the Record conducted an interview with an alleged REvil member who goes by the moniker "Unknown." While Unknown can see the potential of ransomware as a weapon (and alleges the group has affiliates with access to missile launch systems), the crook states that starting war is not a goal: "It's not worth it—the consequences are not profitable." The individual sees an organization's use of cyber insurance as a welcome challenge rather than a deterrent: "Especially to hack the insurers first—to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves." Unknown also warns that corporate negotiators might do the target more harm than good, as haggling will likely only compel the gang to increase their ransom demands to make up for lost time and resources.

For more, see the CyberWire Pro Privacy Briefing.

Investment news.

San Francisco-based cyber insurance and security company Coalition has secured $175 million in a funding round led by Index Ventures, with participation from General Atlantic and existing investors. The company says it plans to use the funding to:

• "Build the digital insurance company of the future. "The future of insurance will be defined by technology, and we will continue to invest in building a leading technology company focused on innovation across all aspects of the insurance value chain," said Motta.
• "Expand to new product lines. Following its explosive growth in cyber and technology insurance, Coalition plans to imminently launch new insurance products to address a range of risks facing the modern enterprise — many of which are not well covered by standard business insurance policies.
• "International expansion. Following its expansion into Canada in 2020, Coalition plans to expand its offerings into multiple new international markets."

Fremont, California-based data governance and privacy company Privacera has raised $50 million in a Series B round led by Insight Partners, with participation from Sapphire Ventures, Battery Ventures, and existing investors Accel, Cervin, and Point72. The company says the funding "will be used to fast-track its go-to-market strategy and further extend Privacera's investment in its unified system for data governance and privacy across multiple cloud services such as Databricks and Snowflake."

Tel Aviv-headquartered XDR firm Cynet has raised $40 million in a Series C round led by Greenfield Partners, with participation from existing investors Norwest Venture Partners, Vintage Investment Partners, BlueRed Partners, and Deutsche Telekom. The company says, "The investment will be used to meet the vigorous demand for Cynet’s Autonomous XDR Platform from companies of all sizes, including those with small security teams in need of more holistic and efficient cyber solutions. Following a steep rise in sales in North America during 2020, Cynet is poised to maintain its rapid expansion in the North American and European markets."

Cyware, a network security company based in New York, has raised $30 million in a Series B round led by Advent International and Ten Eleven Ventures, with participation from existing investors Emerald Development Managers, Mercato Partners' Prelude Fund, Great Road Holdings, and Zscaler, Crunchbase News reports. The company says it "will use the funds to double down on product innovation, increase hiring across all departments, and expand its global sales and channel programs."

Texas-headquartered SIEM provider Securonix has received a $24 million investment from Capital One Ventures. Securonix stated, "The strategic investment allows Securonix to continue to accelerate hypergrowth driven by demand for its Cloud SIEM platform. Through this partnership, Securonix will collaborate with the Capital One team to develop new product use cases for monitoring cyberattacks, insider threats, fraud, application security, and OT/IoT security, and drive wider adoption of its Cloud SIEM platform across financial services and other industry segments."

South Korea-based Samsung SDS has announced an investment in Israeli IoT security firm Karamba Security. The company stated, "Through the collaboration, Samsung SDS will extend the scope of its cyber security offerings to include protection of IoT devices against cyberattacks throughout the device lifecycle."

For more, see the CyberWire Pro Business Briefing.

Patch news.

CISA has issued eight advisories for industrial control system vulnerabilities, covering Becton Dickinson Alaris 8015 PC Unit, the Hitachi ABB Power Grids AFS Series, the GE UR family, Advantech WebAccess/SCADA, Rockwell Automation Logix Controllers, Hitachi ABB Power Grids eSOMS Telerik, Hitachi ABB Power Grids eSOMS, and Johnson Controls Exacq Technologies exacqVision.

Crime and punishment.

The Record reports that a Russian national charged with attempting to hack Tesla for purposes of extortion has pleaded guilty. Egor Igorevich Kriuchkov was accused of trying to recruit a Tesla employee to plant malware within the company's network. The plea agreement states, "The government and defendant agree that the offense level to which the parties stipulate is correct and that a sentence within Offense Level 9 (between 4 to 10 months' imprisonment) and a supervised release term of 3 years, no fine, restitution of documented costs incurred by the victim company, and the defendant's removal from the United States, is appropriate in this case." The Record notes that Kriuchkov would have to pay Tesla $14,824 in restitution.

The US Attorney's Office for the Western District of Washington has indicted Till Kottmann, a 21-year-old Swiss hacktivist, for allegedly stealing and leaking data from more than 100 entities. Kottmann most recently made the news for hacking into security camera management firm Verkada and gaining access to 150,000 live surveillance cameras. Acting U.S. Attorney Tessa M. Gorman stated, "Stealing credentials and data, and publishing source code and proprietary and sensitive information on the web is not protected speech–it is theft and fraud. These actions can increase vulnerabilities for everyone from large corporations to individual consumers. Wrapping oneself in an allegedly altruistic motive does not remove the criminal stench from such intrusion, theft, and fraud."

The FBI's Internet Crime Report says that more than $4.1 billion was lost to cybercrime in 2020. Business email compromise schemes alone caused $1.8 billion in losses, while other forms of phishing led to $54 million in losses. The FBI notes, "In 2020, the IC3 observed an increase in the number of BEC/EAC complaints related to the use of identity theft and funds being converted to cryptocurrency. In these variations, we saw an initial victim being scammed in non-BEC/EAC situations to include Extortion, Tech Support, Romance scams, etc., that involved a victim providing a form of ID to a bad actor. That identifying information was then used to establish a bank account to receive stolen BEC/EAC funds and then transferred to a cryptocurrency account."

Courts and torts.

A California judge has ruled that a $5 billion class action lawsuit regarding Google's collection of user browser data in incognito mode will proceed, the Verge reports. A Google spokesperson told the Verge that the company is disputing the claims and "we will defend ourselves vigorously against them."

Policies, procurements, and agency equities.

The Federal Communications Commission has embargoed video surveillance and telecommunications tech from five Chinese vendors, according to Bloomberg Law, citing “an unacceptable risk to the national security.” The move falls under the Secure and Trusted Communications Networks Act of 2019. South China Morning Post notes that the list includes Huawei and ZTE. 

Last week a senior official in the Administration floated the idea of cybersecurity grades and standards for software and devices that would allow consumers to "make a market for cybersecurity," echoing Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger's comments at the ICS Security Summit. The official compared the measures to restaurant health grades and Singapore’s method of classifying IoT gadgets and said executive action towards the goals was in the works. Questions remain about whether the initiative will be voluntary.

For more, see the CyberWire Pro Policy Briefing.