PLA Unit has an interest in anti-virus products.
Recorded Future's Insikt Group has found procurement documents indicating that the PLA Unit has sought to purchase foreign antivirus programs. The Insikt Group thinks it likely that the intention is to use them for exploitation, either to use them as test environments for PLA-developed attack tools or to identify vulnerabilities that could be exploited for initial intrusion in zero-day attacks.
The tools for which PLA Unit 61419 sought subscriptions included some well-known names: Kaspersky Security Cloud Family, Kaspersky Security Cloud Personal, Kaspersky Endpoint Security for Business Select, Kaspersky Endpoint Security Cloud Plus, Avira Prime, Kaspersky Endpoint Security for Business ADVANCED, McAfee Total Protection, Dr. Web Enterprise Security Suite, Nod32 ESET Multi-Device Security, Norton Security Premium, Symantec Endpoint Protection Subscription, Trend Micro Worry-Free Services Advanced, Sophos Intercept X, and Bitdefender Total Security.
Using these anti-virus tools for test and development strikes the Insikt Group as a likely harbinger of supply chain attacks. “Given the pattern of Chinese state-sponsored exploitation of the global software supply chain described above,” their report says in its conclusion, “as well as China’s exclusion of foreign antivirus software as an option for government organizations, the brands and products indicated [above] should be monitored for future exploitation. Focus should be placed on adversarial simulations, penetration testing, patching known vulnerabilities, and monitoring for anomalous traffic related to these antivirus products.”
Last month Japanese authorities attributed a long-running cyberespionage campaign to Peoples Liberation Army Unit 61419. As the Japan Times and other outlets reported at the time, Japanese security services concluded that the “Tick” APT, which had been conducting cyberespionage against about two-hundred organizations, prominently including the Japan Aerospace Exploration Agency, was being run by China’s Peoples Liberation Army. Kyodo News characterized the unit as a “counterintelligence” outfit (although it actually appears to be a SIGINT unit) and said that a Chinese engineer and Communist Party member had been referred for prosecution.
DDoS hits a Belgian ISP and a US cyber news outlet.
A large distributed denial-of-service (DDoS) attack yesterday hit Belnet, the ISP that serves much of Belgium's public sector. Belnet has since restored service. Computing notes that the attack caused the cancellation of several Parliamentary meetings (the denial-of-service prevented streaming the meetings to external participants). Among the sessions disrupted was a hearing before the Foreign Affairs Committee that would have heard testimony on human rights in China's Xinjiang Uyghur Autonomous Region. As one Belgian MP remarked, attribution would be premature, but it would be naive to ignore the context of the attack.
Later in the week, shortly after it published the article on Chinese purchases of anti-virus technology discussed above, Recorded Future's Record came under a distributed denial-of-service attack.
Surveillance tools exploited bug discovered in a hackathon.
Other news about Chinese cyber operations suggests a motivation for Beijing’s interest in promoting autarkic hacking competitions and discouraging participation in international tournaments.
MIT Technology Review reports that US intelligence services have concluded that an iPhone exploit nicknamed "Chaos" disclosed by a researcher from Qihoo 360 during the inaugural Tianfu Cup hacking competition in 2018, was subsequently used by Chinese security services for surveillance of China's Uyghurs. The Tianfu Cup was established as a domestic Chinese alternative to such international hacking competitions as Pwn2Own.
Claims: more evidence that Russian gangs work under state control.
It's long been known that Russian cybercriminals tend to operate at the Russian government's sufferance, but Truesec reports that it's found evidence that the gangs may also be working for the state. Specifically there are signs that Evil Corp is operating under the security organs' direction. According to Radio Free Europe | Radio Liberty, similar evidence is emerging in the New York trial of an alleged Methbot ringleader.
Cyber threats to the Tokyo Olympics.
The Cyber Threat Alliance (CTA) has updated its assessment of the cyber threat to this summer's Olympic Games in Tokyo. They expect the ransomware activity burgeoning worldwide to present some degree of threat, and they expect that Russian, Chinese, and North Korean actors will take advantage of such opportunities as the Games may present for espionage and influence operations. CTA adds, "We assess that Russia poses the most significant threat to the Tokyo Games and affiliated entities based on APT28’s prior Olympics-related threat activity and WADA’s most recent anti-doping penalties levied against Moscow."
Three new malware families identified.
FireEye's Mandiant unit has identified three new malware varieties in a phishing campaign operated by a group it tracks as UNC2529, probably a criminal gang working for a direct financial take. The researchers call the group "capable, professional, and well resourced," and say that it researched its targets closely and tailored its phishbait to the intended catch. FireEye named the new malware families "Doubledrag" (a downloader), "Doubledrop" (a dropper), and "Doubleback" (a backdoor).
FiveHands ransomware and the exploitation of publicly available tools.
The US Cybersecurity and Infrastructure Security Agency (CISA) Thursday published an Analysis Report on the FiveHands ransomware campaign. "Threat actors used publicly available penetration testing and exploitation tools, FiveHands ransomware, and SombRAT remote access Trojan (RAT), to steal information, obfuscate files, and demand a ransom from the victim organization," the report says. "Additionally, the threat actors used publicly available tools for network discovery and credential access." CISA adds that "[t]he initial access vector was a zero-day vulnerability in a virtual private network (VPN) product."
Threat actors work through sound security practices (which at least make them work harder).
Symantec describes the ways in which threat actors respond to improved security, in this case the widespread adoption of two-factor authentication. The researchers point out that one thing the recent SolarWinds compromise, the Microsoft Exchange Server ProxyLogon attacks, and the exploitation of vulnerabilities have in common is that they obviate the need to defeat multifactor authentication.
Pulse Secure yesterday issued patches to close vulnerabilities in its widely used VPN that have been undergoing active exploitation by an Advanced Persistent Threat Group. CISA, the US Cybersecurity and Infrastructure Security Agency, has warned that the VPN has been under attack since at least June of last year, and it urges "organizations using Ivanti Pulse Connect Secure appliances to immediately run the Pulse Secure Connect Integrity Tool, update to the latest software version, and investigate for malicious activity." FireEye believes some of the exploitation may be connected with the Chinese government.
Using free, cracked software leads to compromise of a research institute's network.
It wasn't the unnamed institute that was responsible, but a user who abused convenient but permissive access policies. ZDNet reports that a European biomolecular research institute lost a week's worth of data to a Ryuk ransomware infestation. The ransomware found its way in courtesy of a student who was looking for a free version of visualization software, settled for a cracked version, and (worse yet) disabled Windows Defender so as not to be bothered by its alerts. The cracked software executed a Trojan on the student's device which stole RDP credentials. The attackers then used their access to install Ryuk.
Cybercriminals continue to devote attention to alt-coin.
Android banking Trojans paid a lot of attention to cryptocurrency exchanges last year. A report from ThreatFabric assessed 2020 as a banner year for Android banking Trojans. Increased usage coincided with a rise in the sophistication of the criminal-to-criminal market that did much to commoditize this form of cybercrime. The Record notes that cryptocurrency apps received a particularly high share of criminal attention last year.
Trend Micro this week described Panda Stealer, an information-stealer spread by phishing that targets digital currency wallets. Panda Stealer has been most active against targets in the United States, Australia, Japan, and Germany. It’s apparently a financially motivated criminal operation interested in rifling wallets for alt-coin.
A shift in a ransomware gang's tactics may be a bellwether for the criminal sector.
The Babuk ransomware gang says, according to the Record, that it intends to give up ransomware attacks after its current caper directed against the Washington, DC, Metropolitan Police. This is not due to an attack of conscience, however, nor to any newfound sense of public spirit or civility. It's just that Babuk has found it easier to simply steal documents and extort money by threatening their release. Thus online extortion, which began by encrypted data to deny them to their owners and moved to a double extortion by not only encrypting information but also threatening to make it public, may be moving into a third, doxing-only, stage. In any case paying ransom may make less sense than ever. Forbes reports that only 8% of victims who pay get all of their files back.
Scripps Health struggles to recover from a cyber attack.
Scripps Health in Southern California is still recovering from the unspecified cyberattack it sustained last weekend, KPBS reports. The medical system is using workarounds as it continues to deliver care, and says that patient safety is uncompromised, but scheduling and other IT-dependent functions continue to see disruption.
Dell has fixed five serious vulnerabilities in its firmware update driver, the Record reports. The flaws, which were discovered and disclosed by researchers at SentinelOne, affect hundreds of millions of devices. Though the flaws have been present in the driver since 2009, the researchers haven't seen any evidence that they've been exploited. SentinelOne explains, "The high severity flaws could allow any user on the computer, even without privileges, to escalate their privileges and run code in kernel mode. Among the obvious abuses of such vulnerabilities are that they could be used to bypass security products. An attacker with access to an organization’s network may also gain access to execute code on unpatched Dell systems and use this vulnerability to gain local elevation of privilege. Attackers can then leverage other techniques to pivot to the broader network, like lateral movement."
Apple has patched four vulnerabilities that are being exploited in the wild, Naked Security reports. The vulnerabilities affected Safari's WebKit rendering engine, the Record says.
Google will soon begin switching on multifactor authentication as the default setting for its users, Motherboard reports. Mark Risher, Google's Director of Product Management, Identity, and User Security, said in a blog post on Thursday, "Today we ask people who have enrolled in two-step verification (2SV) to confirm it’s really them with a simple tap via a Google prompt on their phone whenever they sign in. Soon we’ll start automatically enrolling users in 2SV if their accounts are appropriately configured. (You can check the status of your account in our Security Checkup). Using their mobile device to sign in gives people a safer and more secure authentication experience than passwords alone."
Crime and punishment.
The United Nations and Group-IB have taken down 134 malicious websites impersonating the World Health Organization (WHO), the Record reports. The sites offered visitors €200 in exchange for filling out a survey and sharing the link with their WhatsApp contacts. Group-IB says that "when victims hit the share button and unknowingly involved friends in the scam, instead of receiving the promised reward they were redirected to third-party fraudulent resources that offered to take part in another lucky draw. By this time in the scam routine is no longer mentioned as users would visit a hookup website, inadvertently install a browser extension, or subscribe to paid services. In the worst-case scenarios, users would end up on a malicious or phishing website." The researchers also connected this network of phishing sites to at least 500 other sites impersonating a variety of popular brands. They concluded that the attackers are using commodity scam kits to set up the sites.
Courts and torts.
The AP says that the number of surveillance warrants issued in the US under the Foreign Intelligence Surveillance Act (FISA) fell off sharply during 2020. A report on FISA surveillance issued by the Office of the Director of National Intelligence attributes the decline in large part to the effects of the COVID-19 pandemic. The New York Times reports that the report listed just four-hundred-fifty-one targets of wiretaps and search warrants under FISA last year.
Policies, procurements, and agency equities.
The Washington Post reports that the US Justice Department has begun a 120-day review of its cybersecurity policies. The Post quotes Deputy Attorney General Lisa Monaco as stating last week, "We need to rethink and really assess, are we using the most effective strategies against this kind of new evolution, this pivot point that I think we're at today in the cyber threat? There is no time to lose on what can we be doing better working with our partners across borders to address these to address these threats." Monaco added, "What is the next ransomware that we're going to have to deal with? What is the next exploitation by bad actors of other technologies? The Justice Department has tools that it can use and we are working every day with our partners to disrupt, to deter and to hold accountable malicious cyber actors using these and exploiting these technologies. But we have got to move at the same speed that our adversaries are."
The US Department of Defense has opened all of its publicly accessible websites and applications to its Vulnerability Disclosure Program. Part of that program is the Hack the Pentagon invitation to outsiders to take a whack at finding vulnerabilities in the Defense Department’s networks, and, as CyberScoop points out, more of the Pentagon’s infrastructure will henceforth be whackable (in a controlled and approved way, of course).
Fortunes of commerce.
Disinformation isn't just for information warfare. Crunchbase observes that disinformation can hit businesses, too, harming brand reputation. This can occur in the context of stock shorting, short-squeezes, pump-and-dump scams, or even unfortunate "influencer" engagements.
Exercise equipment manufacturer Peloton is dealing with reports of a leaky API that could expose personal data of users, TechCrunch reports. Pen Test Partners, which disclosed the issue to Peloton in January, says the API permitted unauthenticated requests for user account data. It's unfortunate news for Peloton, which is also dealing with the recall, for safety reasons, of the company's treadmills.
And security innovation.
The SINET 16, well-known for having provided early recognition to innovative, early-stage cybersecurity startups, is now taking nominations for its class of 2021. Companies may nominate themselves, and there is no cost to apply. Eligible companies must:
- "Be a cybersecurity “product” company (not services only)."
- "Be completely autonomous (not part of a larger entity)."
- "Have annual revenues of $15 Million dollars or less."
- "Not have previously won the SINET 16 Innovator Award."
Past SINET 16 companies may be seen here. 95% of them are venture-backed with multiple rounds of financing, and 81% have seen a good exit either through acquisition or initial public offering. Companies who apply for the SINET 16, whether they make the final cut or not, benefit from exposure, during the two-month review process, to the CISOs, venture capitalists, and government executives who serve on the selection board. Participants have been able to connect to future advisors, customers, and investors. Applications close on June 1, 2021.