By the CyberWire staff
New Lazarus backdoor.
Researchers at ESET describe "Vyveva," a previously undiscovered backdoor attributed to North Korea's Lazarus Group. The malware was discovered on two servers belonging to a South African freight logistics company and has been in use since 2018, although its delivery mechanism is still unknown.
The researchers explain, "The backdoor features capabilities for file exfiltration, timestomping, gathering information about the victim computer and its drives, and other common backdoor functionality such as running arbitrary code specified by the malware’s operators. This indicates that the intent of the operation is most likely espionage."
ESET attributes the backdoor to Lazarus "with high confidence," stating, "Vyveva shares multiple code similarities with older Lazarus samples that are detected by ESET products as the NukeSped malware family. However, the similarities do not end there: the use of fake TLS in network communication, command line execution chains, and the way of using encryption and Tor services all point towards Lazarus."
Myanmar shuts down Internet.
Myanmar's junta last Friday shut down Internet access across the entire country, WIRED reports. The Associated Press says the authorities are also confiscating satellite dishes used to access international news sources. Reuters notes that Internet access in the country has been sporadic ever since the military coup on February 1st, and it's not clear how long the shutdown will last.
How far is too far, and how should the U.S. respond?
The U.S. faces severe threats from its adversaries via cyberspace, a domain for which the rules of engagement remain ambiguous. Join a world-class gathering of experts and policy leaders from the military, federal government, academia, and industry on April 15-16 for in-depth discussion at the crossroads of cybersecurity and national security at the third event in The Great Power Competition Conference Series, Cybersecurity: The Fifth Domain.
Russia uses novel techniques to throttle Internet.
The Russian government's recent attempt to throttle traffic to and from Twitter down to 128kbps demonstrated throttling capabilities that could affect the use of VPNs and Tor, Ars Technica reports. Researchers at Censored Planet explain, "Contrary to blocking, where access to the content is blocked, throttling aims to degrade the quality of service, making it nearly impossible for users to distinguish imposed/intentional throttling from nuanced reasons such as high server load or network congestion. With the prevalence of ‘dual-use’ technologies such as Deep Packet Inspection devices (DPIs), throttling is straightforward for authorities to implement yet hard for users to attribute or circumvent."
Ars Technica's Dan Goodin explains that the Russian government is using "middleboxes"—servers running custom software—to throttle certain domains, and that this technique may be able to block the use of VPNs and Tor:
"The middleboxes inspect both requests sent by Russian end users as well as responses that Twitter returns. That means that the new technique may have capabilities not found in older Internet censorship regimens, such as filtering of connections using VPNs, Tor, and censorship-circumvention apps. Ars previously wrote about the servers here.
"The middleboxes use deep packet inspection to extract information, including the SNI. Short for “server name identification,” the SNI is the domain name of the HTTPS website that is sent in plaintext during a normal Internet transaction. Russian censors use the plaintext for more granular blocking and throttling of websites. Blocking by IP address, by contrast, can have unintended consequences because it often blocks content the censor wants to keep in place."
Goodin adds that seven workarounds are currently available, although these workarounds simply "exploit bugs in Russia's current throttling implementation."
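To show concretely why SNI-based throttling works, here is an added example (not code from Ars Technica, Censored Planet, or any censor's middlebox): the server name travels unencrypted in the TLS ClientHello, so a device on the path can read it before any encrypted byte flows. The Python below constructs a sample ClientHello (constructed bytes, not captured traffic) and parses the server_name extension out of it the way a DPI box would, returning None when the extension is absent.

```python
import struct

SERVER_NAME_EXT = 0x0000   # server_name extension type (RFC 6066)

def build_client_hello(hostname):
    """Build a minimal TLS 1.2 ClientHello (constructed sample, not captured traffic).
    hostname=None omits the SNI extension, as a client connecting to an IP literal would."""
    exts = struct.pack("!HH", 0x0017, 0)      # extended_master_secret, empty: a second extension to walk past
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0), length, name
        body = struct.pack("!H", len(entry)) + entry             # ServerNameList length + entry
        exts += struct.pack("!HH", SERVER_NAME_EXT, len(body)) + body
    hello = (
        b"\x03\x03"                          # client_version: TLS 1.2
        + bytes(32)                          # random (zeros for the sample)
        + b"\x00"                            # session_id: empty
        + b"\x00\x02\xc0\x2f"                # one cipher suite
        + b"\x01\x00"                        # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello          # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)

def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None if absent.
    This plaintext field is what a DPI middlebox keys its throttling decision on."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                      # not a TLS handshake record
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                      # not a ClientHello
    try:
        pos = 4 + 2 + 32                                 # handshake header, version, random
        pos += 1 + hs[pos]                               # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                               # compression_methods
        if pos + 2 > len(hs):
            return None                                  # no extensions block at all
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == SERVER_NAME_EXT and len(data) >= 5:
                name_len = struct.unpack("!H", data[3:5])[0]   # skip list length and name_type
                return data[5:5 + name_len].decode("ascii", errors="replace")
    except (IndexError, struct.error):
        return None                                      # truncated or malformed hello
    return None

if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))   # example.com
    print(extract_sni(build_client_hello(None)))            # None
```

A hello without the extension yields None, which is why a censor falls back to the coarser IP-address blocking the article describes; only an encrypted ClientHello would take the name out of the middlebox's view.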
CSO Perspectives season 1 is coming to all soon.
In CSO Perspectives, a CyberWire Pro exclusive, Rick Howard discusses the ideas, strategies, and technologies that senior cybersecurity executives wrestle with on a daily basis. CyberWire Pro subscribers are about to start season 5, but starting Monday, April 19th, we are making season 1 available for all to enjoy. In this season, Rick talks about cybersecurity first principles, metrics and risk models, dark web intelligence, and even his favorite cybersecurity novels. Mark your calendars and look for the CSO Perspectives Public podcast on our podcast page.
Facebook user data resurfaces on hacking forum.
Business Insider reports that data belonging to 533 million Facebook users were publicly posted on a hacking forum. The data were originally scraped in 2019 via a flaw that Facebook fixed in August 2019. The data dump includes phone numbers, Facebook IDs, full names, locations, birth dates, and bios; 2.5 million of the records also contained email addresses. Have I Been Pwned notes that "The primary value of the data is the association of phone numbers to identities." BleepingComputer observes that much of the information is probably still relevant.
Reuters cites a Facebook spokesperson as saying that the platform has no plans to notify users since the company isn't sure if it will be able to determine which users were affected. Facebook stated on Tuesday:
"On April 3, Business Insider published a story saying that information from more than 530 million Facebook users had been made publicly available in an unsecured database. We have teams dedicated to addressing these kinds of issues and understand the impact they can have on the people who use our services. It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019.
"Scraping is a common tactic that often relies on automated software to lift public information from the internet that can end up being distributed in online forums like this. The methods used to obtain this data set were previously reported in 2019. This is another example of the ongoing, adversarial relationship technology companies have with fraudsters who intentionally break platform policies to scrape internet services. As a result of the action we took, we are confident that the specific issue that allowed them to scrape this data in 2019 no longer exists. But since there’s still confusion about this data and what we’ve done, we wanted to provide more details here.
"We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019. This feature was designed to help people easily find their friends to connect with on our services using their contact lists.
"When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer. In this case, we updated it to prevent malicious actors from using software to imitate our app and upload a large set of phone numbers to see which ones matched Facebook users. Through the previous functionality, they were able to query a set of user profiles and obtain a limited set of information about those users included in their public profiles. The information did not include financial information, health information or passwords."
Business Today notes that Facebook CEO Mark Zuckerberg's own information was included in the leak, and his phone number indicates that he uses chat app Signal, a competitor to the Facebook-owned WhatsApp.
For more, see the CyberWire Pro Privacy Briefing.
Facebook's March report on coordinated inauthenticity.
Facebook's March 2021 Coordinated Inauthentic Behavior Report describes the social platform's actions against coordinated disinformation campaigns in Albania, Egypt, Israel, Georgia, Mexico, El Salvador, Argentina, Spain, and Comoros.
The action against the group in Albania is in many respects the most interesting. ZDNet describes Facebook's action against what it characterizes as a "troll farm" operated by expatriate Iranian dissidents from that southeast European country. Its operations were directed at influencing Iranian opinion against the regime in Tehran and in favor of the Mojahedin-e Khalq (MEK), a dissident militia opposed to the Islamic Republic.
"Most of its accounts were run by operators in Albania who routinely shared technical infrastructure," Facebook writes, adding notes on how you can recognize a troll farm: "This meant that the same operator was able to run multiple accounts; conversely, multiple operators were able to run the same account. These are some of the hallmarks of a so-called troll farm -- a physical location where a collective of operators share computers and phones to jointly manage a pool of fake accounts as part of an influence operation."
The MEK enjoyed its periods of greatest success in 2017 and 2020 but seems to have fizzled since then. It remains to be seen if its troll farming will be able to recover from last month's takedown, but it's certainly been dealt a setback.
For more, see the CyberWire Pro Disinformation Briefing.
Are you interested in space and communications?
If so, take a look at the Cosmic AES Signals & Space. Aerospace meets outer space. This monthly briefing on cyber security as it relates to the space and SIGINT sectors covers technology, policy, market news and more. Our new issue comes out Thursday, April 1, 2021.
Malware droppers posing as video game cheats.
Video game company Activision has published research describing a malware dropper that poses as a cheat tool for Call of Duty: Warzone. The dropper's developer began advertising the tool on hacking forums in March 2020, and the dropper has since made appearances on cheat sites and YouTube.
The researchers explain, "While there likely are hundreds of guides covering RAT distribution methods this one relies not on sophisticated tactics but on the victim’s willingness to disable several security settings on their own systems. The actor’s suggested method for convincing the victims to disable their protections is made significantly easier by advertising their RAT as a video game cheat. It is common practice when configuring a cheat program to run it with the highest system privileges. Guides for cheats will typically ask users to disable or uninstall antivirus software and host firewalls, disable kernel code signing, etc." They add, "The dropper itself is a .NET application that downloads and executes an arbitrary executable. Unless already disabled, UAC (User Account Control) will prompt the user to agree to allow the downloaded executable to run with administrative privileges."
And researchers at Cisco Talos describe a new malware crypter that's being used to obfuscate malware that masquerades as video game cheats, mods, or patches. The researchers have observed the crypter being used in multiple different malware campaigns. Talos writes, "This threat used a complex VisualBasic-based cryptor to hide its final payload. The dropper injected code into a new process to hide its final payload against simple anti-malware tools."
For more, see the CyberWire Pro Research Briefing.
Students and Educators: Get 75% off CyberWire Pro
Many educators and students rely on CyberWire Pro to access valuable and quality cybersecurity news content. Save time while staying up to speed on key cybersecurity issues and topics relevant to your classes. We also offer discounts for military and large groups. Contact us to get started.
Investment news.
Darktrace is expected to announce its intention to float in the coming days, Sky News reports. The company is seeking a £3 billion (US$4.1 billion) listing on the London Stock Exchange, and sources told Sky that the company is "confident" that shares will begin trading around the end of April.
WhiteSource, an open source security management company headquartered in Tel Aviv and Boston, has raised $75 million in a Series D round led by Pitango Growth, with participation from existing investors M12, Susquehanna Growth Equity, and 83North. Crunchbase News says WhiteSource "plans to use the new funding to expand its offerings and capabilities to reach beyond the open source code it currently secures and move into finding vulnerabilities in the proprietary code."
Reston, Virginia-based threat intelligence company ThreatQuotient has raised $22.5 million in funding from an investment syndicate that includes New Enterprise Associates (NEA), Adams Street Partners, Escalate Capital, Blu Ventures, Cisco Investments, and Gaingels. The company says it "plans to leverage this financing to accelerate execution of new innovations currently in development."
San Francisco-based synthetic data technology company Synthesis AI has emerged from stealth with an additional $4.5 million in funding from existing investors Bee Partners, PJC, iRobot Ventures, Swift Ventures, Boom Capital, Kubera VC, and Leta Capital. Synthesis AI stated, "The new capital will allow Synthesis AI to add to its world-class R&D teams and continue leading the industry in the development of synthetic data technologies." The company added, "In addition to securing new funds, Synthesis AI is also launching their FaceAPI product, enabling the on-demand generation of millions of perfectly labeled human images to train more capable computer vision models."
Clinton, New Jersey-based data protection company Calamu has secured $2.4 million in an oversubscribed seed round. The company stated, "Joining the Board of Directors as investors in the round are Lou Ryan, a serial cybersecurity entrepreneur and former CEO & Chairman of Edgewave, and John N. Stewart, former SVP, Chief Security & Trust Officer, Cisco Systems, Inc. The impressive list of Advisors includes Robin Matlock, former CMO of VMware, David Schneider, former President of ServiceNow and previously of EmC, David K. Holland, former SVP & Treasurer of Cisco Systems and previously of Apple, and Marla Crawford, General Counsel of Compliance and previously of Goldman Sachs."
For more, see the CyberWire Pro Business Briefing.
Patch news.
The FBI and CISA have warned that "APT actors are using multiple CVEs to exploit Fortinet FortiOS vulnerabilities. The FBI and CISA believe the APT actors are likely exploiting these Fortinet FortiOS vulnerabilities—CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591—to gain access to multiple government, commercial, and technology services networks. The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks. APT actors may use other CVEs or common exploitation techniques—such as spearphishing—to gain access to critical infrastructure networks to pre-position for follow-on attacks." CISA and the FBI recommend that organizations "[i]mmediately patch CVEs 2018-13379, 2020-12812, and 2019-5591."
Crime and punishment.
Europol has announced the arrest of an Italian citizen accused of hiring a hitman to kill his ex-girlfriend (the plot was thwarted before anyone was hurt). Europol stated, "The hitman, hired through an internet assassination website hosted on the TOR network, was paid about €10 000 worth in Bitcoins to kill the ex-girlfriend of the suspect. Europol carried out an urgent, complex crypto-analysis to enable the tracing and identification of the provider from which the suspect purchased the cryptocurrencies. The Italian police then reached out to the identified Italian crypto service provider, who confirmed the information uncovered during the investigation and provided the authorities with further details about the suspect. The timely investigation prevented any harm from being perpetrated against the potential victim."
The Record reports that a 46-year-old Missouri man, Jason William Siesser, has been sentenced to twelve years in prison after twice attempting to buy a deadly neurotoxin on the dark web. The Record says FBI agents found writings in Siesser's home "expressing heartache, anger, and resentment over a breakup, along with statements suggesting Siesser might intend to harm or murder the former lover."
Policies, procurements, and agency equities.
According to Breaking Defense, US NSA Executive Director Wendy Noble says NSA plans to publish new 5G security guidance this spring. Noble stated, "Looking out on the 5G security horizon, [NSA’s internal] research organization is investigating the role of artificial intelligence and machine learning in mitigating security risks. They are developing data analytics to define expected behavioral patterns, identify anomalies, and implement the zero-trust model. We look to data analytics to provide insight into network automation and orchestration, given the large amount of data that will traverse 5G networks and overwhelm network managers."
CSO Online says industry experts are doubtful that President Biden's upcoming cybersecurity Executive Order will address the nation’s most pressing cyber needs. Some worry that reporting and build requirements will be overly burdensome, especially given the high rate of false positives, and will draw focus from designing for security and coding securely.
The UK’s Home Office is speaking out against end-to-end encryption (E2EE) as Facebook prepares to expand encrypted messaging options, according to Wired. Secretary Priti Patel will call for tighter rules around the technology at a National Society for the Prevention of Cruelty to Children (NSPCC) roundtable next month, where the NSPCC will share a report claiming that “increased usage of end-to-end encryption would protect adults’ privacy at the expense of children’s safety.” Facebook officials have acknowledged that encrypted messaging expansions will limit visibility into child exploitation networks.
Will Cathcart, Head of WhatsApp at Facebook, argues in Wired that “governments encroach more on our privacy” the more we connect digitally, and “[n]o matter how well-meaning the motivation, surrendering our privacy would paralyze us.”
For more, see the CyberWire Pro Policy Briefing.