By the CyberWire staff
North Korea continues targeting security researchers.
Google's Threat Analysis Group (TAG) has published an update on a North Korean cyberespionage campaign targeting security researchers. TAG warned in January that a threat actor was messaging researchers on various social media platforms asking to collaborate on vulnerability research. They also set up a watering hole site that posed as a phony research blog, using an Internet Explorer zero-day.
Now, Google says the actor is using a new website and social media profiles posing as a fake company called "SecuriElite." TAG writes, "The attacker’s latest batch of social media profiles continue the trend of posing as fellow security researchers interested in exploitation and offensive security. On LinkedIn, we identified two accounts impersonating recruiters for antivirus and security companies. We have reported all identified social media profiles to the platforms to allow them to take appropriate action." Google also believes the attackers are using more zero-days.
Holiday Bear gained access to DHS emails.
The Associated Press reports that the suspected Russian hackers behind the SolarWinds attack gained access to the emails of former acting Department of Homeland Security Secretary Chad Wolf and other DHS officials. So far it doesn't appear that classified communications were compromised, but POLITICO says the number of emails stolen was in the thousands. A State Department spokesperson told POLITICO, "the Department takes seriously its responsibility to safeguard its information and continuously takes steps to ensure information is protected. For security reasons, we are not in a position to discuss the nature or scope of any alleged cybersecurity incidents at this time."
5 Top ICS Cybersecurity Recommendations in the Year in Review
Find out about the major ICS cyber threats, vulnerabilities and lessons learned from our field work in the just released Year in Review report. You’ll discover 5 recommendations to secure your industrial environment and the 4 new threat activity groups we’re tracking. Read the executive summary.
Charming Kitten is phishing for medical professionals.
Proofpoint reports that an Iran-linked threat actor, TA453 (also known as Charming Kitten or Phosphorus), is running a phishing campaign against "senior medical professionals who specialize in genetic, neurology, and oncology research in the United States and Israel." The operation, dubbed "BadBlood," used spearphishing emails with URLs that led to spoofed Microsoft 365 and OneDrive login pages.
The researchers state, "At this time, Proofpoint cannot conclusively determine the motivation of actors conducting these campaigns. As collaboration for medical research is often conducted informally over email, this campaign may demonstrate that a subset of TA453 operators have an intelligence requirement to collect specific medical information related to genetic, oncology, or neurology research. Alternatively, this campaign may demonstrate an interest in the patient information of the targeted medical personnel or an aim to use the recipients' accounts in further phishing campaigns."
Proofpoint also notes that the operation demonstrates a (possibly temporary) shift in targeting for Charming Kitten: "While TA453 has consistently demonstrated a desire to collect and exfiltrate the email mailbox contents belonging to typical intelligence targets of the Iranian government like the Iranian diaspora, policy analysts, and educators, this TA453 campaign demonstrated a desire to target medical researchers and providers. Further detection and analysis of TA453 campaigns will likely determine whether this targeting is an outlier or if targeting has evolved to support the medical sector becoming a consistent intelligence requirement and target for TA453."
MobiKwik allegedly suffers data breach.
TechCrunch reports that Indian mobile payments startup MobiKwik has apparently sustained a data breach that exposed the data of 99 million customers. Criminals on a dark web forum claim they've obtained 8.2 terabytes of MobiKwik user data, including hashed passwords, partial credit card numbers, and identification documents like government-issued Aadhaar card or PAN ID numbers belonging to 3.5 million users. The criminals are selling access to the database for $70,000.
MobiKwik, however, denies that the data are theirs or that a breach ever occurred. The firm told MoneyControl, "Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media. We thoroughly investigated and did not find any security lapses." The Free Software Movement of India (FSMI) has filed a complaint with the Indian Computer Emergency Response Team urging them to investigate the alleged breach, the Hindu Businessline reports. FSMI stated, "The data is available on the dark web. Mobikwik being a digital wallet, the breach would expose its customers to cyber security attacks."
Reuters reports that the Reserve Bank of India (RBI) has ordered MobiKwik to investigate the allegations immediately. Reuters cites a source as saying that the RBI was "not happy" with MobiKwik's initial response to the claims.
For more, see the CyberWire Pro Privacy Briefing.
APT10 targets Japanese entities.
Kaspersky describes a cyberespionage campaign that ran from March 2019 to the end of December 2020. The campaign targeted Japan and entities related to Japan, particularly the country's manufacturing industry. The researchers "assess with high confidence" that China's APT10 is behind the operation. The threat actor gained access by exploiting vulnerabilities in Pulse Connect Secure VPNs or by using previously stolen credentials.
Kaspersky says the actor used a unique loader dubbed "Ecipekac" to deliver fileless malware. The researchers explain, "This campaign introduced a very sophisticated multi-layer malware named Ecipekac and its payloads, which include different unique fileless malware such as P8RAT and SodaMaster. In our opinion, the most significant aspect of the Ecipekac malware is that, apart from the large number of layers, the encrypted shellcodes were being inserted into digitally signed DLLs without affecting the validity of the digital signature. When this technique is used, some security solutions cannot detect these implants. Judging from the main features of the P8RAT and SodaMaster backdoors, we believe that these modules are downloaders responsible for downloading further malware that, unfortunately, we have not been able to obtain so far in our investigation."
For more, see the CyberWire Pro Research Briefing.
You're already a reader of the CyberWire. Why not join our team?!
Want to be a part of a dynamic, fun-loving, hard-working team? The CyberWire is the place for you! The CyberWire has an opening for a dynamic, goal-oriented sales person to join our sponsorship team. If that sounds like you, or someone you know, we would love to talk to you. Visit our Careers page to learn more or email us at careers@thecyberwire.com.
Bundestag members' email accounts breached.
Several members of Germany's Bundestag have had their personal email accounts breached, CyberScoop says. The BfV and BSI security services have briefed the federal legislative body and contacted affected members. German officials have provided few details, but Tagesschau reports that the compromise was the work of Ghostwriter (a threat actor associated with Russian interests) and that spearphishing was the attack vector. It also suggests that Russia's GRU was responsible.
Der Spiegel is calling it a Russian operation, and also specifically attributing it to the GRU, the Russian military intelligence agency. Seven members of the Bundestag were affected, as were thirty-one members of Land parliaments, that is, parliaments belonging to the Federal Republic’s constituent states, roughly the equivalent of US state legislatures. "Several dozen" other political figures were also affected. Most of the targets were members of the two largest German political parties, the center-right CDU/CSU and the center-left SPD.
Security firm FireEye's 2020 account of Ghostwriter described it as a disinformation peddler. "The operations have primarily targeted audiences in Lithuania, Latvia, and Poland with narratives critical of the North Atlantic Treaty Organization’s (NATO) presence in Eastern Europe,” the company’s report said, “occasionally leveraging other themes such as anti-U.S. and COVID-19-related narratives as part of this broader anti-NATO agenda." FireEye didn’t go so far as to identify the group as a unit of the Russian government, but objectively, as people say, Ghostwriter acted in the Russian interest.
For more, see the CyberWire Pro Disinformation Briefing.
Are you interested in space and communications?
If so, take a look at the Cosmic AES Signals & Space. Aerospace meets outer space. This monthly briefing on cyber security as it relates to the space and SIGINT sectors covers technology, policy, market news and more. Our new issue comes out Thursday, April 1, 2021.
Investment news.
San Mateo, California-based financial crime prevention provider Feedzai has raised $200 million in a Series C round led by KKR, with participation from existing investors Sapphire Ventures and Citi Ventures. The funding round brings the company's valuation to more than $1 billion. The company stated, "[W]e’re ecstatic at the 'future-proof' capabilities this new investment will bring our team, products, and cloud platform. This is how we’ll birth advancements to our recently revealed, award-winning ethical AI innovation, Fairband, along with other customer-centric technologies that strive to ensure frictionless financial services."
Critical infrastructure cybersecurity company OPSWAT, based in Tampa, Florida, has received $125 million in funding from Brighton Park Capital. The company says it "will use the new capital to accelerate its rapid growth, with a focus on additional global expansion of sales, marketing, customer success and business operations. The Company will also continue robust investment in R&D innovation and pursue strategic acquisitions."
Cloud backup and recovery company HYCU (with headquarters in Boston) has raised $87.5 million in a Series A round led by Bain Capital Ventures, with participation from Acrew Capital. The company says the funding "reinforces HYCU's leading market position and continued momentum, and will enable the company to hire more than 100 new employees in the Boston area to achieve rapid scale."
Palo Alto-based data integration platform provider Striim has secured $50 million in a Series C round led by Goldman Sachs Growth Equity, with participation from Summit Partners, Atlantic Bridge Ventures, Dell Ventures, and Bosch Ventures, Crunchbase News reports. Striim says the funding "will support the accelerating growth in Striim's global customer base and its data integration offerings delivered on-premises, in the cloud and as a managed service."
Israeli endpoint security provider Morphisec has raised $31 million in a funding round led by JVP, with participation from Orange and Deutsche Telekom Capital Partners. The company stated, "The investment will support an aggressive hiring push aimed at drastically increasing headcount across the U.S. and Israel. As Morphisec ramps up recruiting talent for every level of its organization, it is announcing today the appointment of Steve Bennett to its board of directors, effective immediately. Bennett formerly served as CEO of major software and security companies, including Symantec and Intuit."
San Francisco-based privacy management platform provider Ketch has emerged from stealth after raising $23 million in a Series A round led by CRV, super{set}, Ridge Ventures, Acrew Capital, and Silicon Valley Bank, TechCrunch reports.
For more, see the CyberWire Pro Business Briefing.
CyberWire Pro Interview Selects
CyberWire Pro subscribers have access to our Interview Selects podcast, a curation of our most engaging and informative interviews, featuring cyber security professionals, journalists, authors and industry insiders. Subscribe to CyberWire Pro to unlock access to this and much more exclusive content. Learn more and subscribe.
Patch news.
OpenSSL has received patches for two high-severity vulnerabilities, Naked Security reports. CVE-2021-3449 can lead to a crash or denial of service, while CVE-2021-3450 can make a client accept a phony TLS certificate. The latter is the more serious of the two flaws; the vulnerability's description states, "Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a 'purpose' has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application."
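The advisory text above describes a classic check-ordering defect: a later strict check assigned its own result to the variable that already held the verdict of the "is this a valid CA" check, so a non-CA certificate could pass as an issuer whenever the strict flag was set and no purpose was configured. The following is an added illustration, a simplified Python model written for this briefing and not OpenSSL's source; the certificate fields, the X509_STRICT constant and the chain in the sample are constructed stand-ins. It shows the buggy ordering beside the corrected one, and why configuring a purpose still rejects the chain even on the flawed path.

```python
# Added example, not OpenSSL code: a toy model of the chain-extension check
# described for CVE-2021-3450. chain[0] is the leaf, chain[-1] the root.
from dataclasses import dataclass
from typing import List, Optional, Tuple

X509_STRICT = 1  # constructed stand-in for the strict-checking verify flag


@dataclass
class Cert:
    name: str
    is_ca: bool               # basicConstraints CA:TRUE
    explicit_ec_params: bool  # EC key with explicitly encoded curve parameters


def _ca_check(cert: Cert, depth: int) -> bool:
    """The leaf (depth 0) need not be a CA; every issuer above it must be."""
    return True if depth == 0 else cert.is_ca


def _purpose_check(chain: List[Cert]) -> bool:
    """Every named purpose re-validates that each issuer is a real CA."""
    return all(c.is_ca for c in chain[1:])


def verify_chain(chain: List[Cert], flags: int = 0, purpose: Optional[str] = None,
                 fixed: bool = False) -> Tuple[bool, str]:
    """Return (accepted, reason). fixed=False models the flawed ordering."""
    for depth, cert in enumerate(chain):
        ok = _ca_check(cert, depth)
        if flags & X509_STRICT:
            if fixed:
                # Corrected: the strict check is combined with the earlier verdict.
                ok = ok and not cert.explicit_ec_params
            else:
                # Flawed: the strict check's result overwrites the CA verdict.
                ok = not cert.explicit_ec_params
        if not ok:
            return False, f"{cert.name}: rejected at depth {depth}"
    # A configured purpose gives a second chance to catch a non-CA issuer.
    if purpose is not None and not _purpose_check(chain):
        return False, f"purpose {purpose}: issuer is not a valid CA"
    return True, "chain accepted"


# Constructed sample: an end-entity certificate misused as an issuer.
ROOT = Cert("root", is_ca=True, explicit_ec_params=False)
ROGUE_ISSUER = Cert("end-entity-as-issuer", is_ca=False, explicit_ec_params=False)
LEAF = Cert("server", is_ca=False, explicit_ec_params=False)
CHAIN = [LEAF, ROGUE_ISSUER, ROOT]


def demo() -> dict:
    """Outcome of the same chain under each configuration."""
    return {
        "default_flags": verify_chain(CHAIN)[0],
        "strict_no_purpose_flawed": verify_chain(CHAIN, X509_STRICT)[0],
        "strict_with_purpose_flawed": verify_chain(CHAIN, X509_STRICT, purpose="sslserver")[0],
        "strict_no_purpose_fixed": verify_chain(CHAIN, X509_STRICT, fixed=True)[0],
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'rejected'}")
```

Only the strict-flag, no-purpose combination on the flawed path accepts the chain, which matches the advisory's point that a purpose set by default in the libssl client and server routines protects most applications, while an application that removes the purpose and enables strict checking is exposed.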
Crime and punishment.
The Record reports that a 22-year-old Kansas man, Wyatt Travnichek, has been charged by the US Justice Department with "one count of tampering with a public water system and one count of reckless damage to a protected computer during unauthorized access." The Justice Department stated, "The indictment alleges that on or about March 27, 2019, in the District of Kansas, Travnichek knowingly accessed the Ellsworth County Rural Water District’s protected computer system without authorization. During this unauthorized access, it is alleged Travnichek performed activities that shut down the processes at the facility which affect the facilities cleaning and disinfecting procedures with the intention of harming the Ellsworth Rural Water District No. 1, also known as Post Rock Rural Water District." CyberScoop says the incident did not affect customers' drinking water. It's worth noting that this incident is separate from a similar attack that recently affected a water facility in Oldsmar, Florida.
An Israeli citizen, Tal Prihar, has pleaded guilty in the US for his role in operating DeepDotWeb, a website that served as a portal to various criminal marketplaces. Nicholas L. McQuaid, Acting Assistant Attorney General of the Justice Department's Criminal Division, stated, "Tal Prihar served as a broker for illegal Darknet marketplaces — helping such marketplaces find customers for fentanyl, firearms, and other dangerous contraband — and profited from the illegal business that ensued. This prosecution, seizure of the broker website, and forfeiture send a clear message that we are not only prosecuting the administrators of Darknet marketplaces offering illegal goods and services, but we will also bring to justice those that aim to facilitate and profit from them." Prihar has pleaded guilty to conspiracy to commit money laundering, and will be sentenced on August 2nd.
Courts and torts.
Florida-based healthcare provider SalusCare has sued Amazon Web Services, alleging that AWS buckets are being used by a hacker to host stolen patient and employee data, HealthITSecurity reports. SalusCare states that the stolen data include Social Security numbers, financial information (including credit card numbers), as well as "extremely personal and sensitive records of patients’ psychiatric and addiction counseling and treatment." Amazon has suspended the accounts that own the AWS buckets, but SalusCare is asking that the suspension be made permanent and that the data be erased.
The lawsuit states, "SalusCare has established that the threatened harm substantially outweighs any potential harm to Amazon or [the hacker] because SalusCare is likely to suffer irreparable harm, while the [individual] would suffer, at worst, a temporary loss of access to the information while it makes its case....Amazon would suffer no conceivable harm in a temporary freeze of the buckets. A temporary restraining order would simply allow the parties to maintain the status quo, thereby ensuring [the hacker] will not have an opportunity to access or use the subject information while it hypothetically pursued its legal rights."
Policies, procurements, and agency equities.
Reuters reports that the Biden Administration could issue an Executive Order (EO) this week that would enhance Government agencies' multi-factor authentication and encryption standards and impose new requirements on Government software vendors. The proposed EO would compel vendors to alert Government clients of data breaches, supply a "bill of materials" to those running "critical" functions, and collaborate with Government agencies on incident response.
US Secretary of Homeland Security Alejandro Mayorkas has announced a series of sixty-day security sprints, the Record reports. The announcement was made in conjunction with the Secretary's enunciation of a cybersecurity strategy that places a high priority on protecting critical infrastructure and defending against ransomware.
And SecurityWeek reports that President Biden has followed President Trump's lead in extending President Obama's 2015 Executive Order allowing property sanctions in response to cyberattacks. In announcing the decision, the Administration noted that foreign-sponsored attacks “continue to pose an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”
EU Commissioner for Justice Didier Reynders and US Commerce Secretary Gina Raimondo have issued a joint statement committing to "intensify negotiations on an enhanced EU-U.S. Privacy Shield framework to comply with the July 16, 2020 judgment of the Court of Justice of the European Union in the Schrems II case."
For more, see the CyberWire Pro Policy Briefing.