Nobelium hits USAID.
Microsoft on Thursday announced its discovery of a new campaign by the Russian threat actor Redmond calls "Nobelium," the group others know as Cozy Bear and which has been associated with both Russia's SVR and the SolarWinds compromise. Nobelium this week compromised a Constant Contact email marketing service account belonging to the US State Department's international assistance agency, USAID. The threat actor then used that account to send phishing emails to more than 3000 accounts at over 150 organizations. The emails contained a link that installed the NativeZone backdoor (Microsoft has provided technical details about the attack). US organizations were most heavily targeted, but entities in at least twenty-three other countries were also affected.
Volexity, which has also tracked this new campaign, points out that the phishbait in the emails was frequently election-themed. "USAID Special Alert: Donald Trump has published new documents on election fraud" is a representative sample.
Belgium identifies long-running Chinese cyberespionage campaign.
Reports out of Belgium say that the country’s Federal Home Affairs Ministry came under attack as far back as April of 2019. The apparent goal, the Brussels Times says, was information theft in the service of espionage. The incident is under investigation, but sources connect it with Hafnium, the Chinese threat actor believed to have exploited Microsoft Exchange Server vulnerabilities.
Colonial Pipeline: recovery and investigation.
Colonial Pipeline continues to investigate the DarkSide ransomware attack it sustained on May 7th. It's still not known, publicly, exactly what vulnerabilities, either human or technical, were exploited during the incident, CNN reports, but government and private sector organizations have been looking to shore up defenses that might prevent them from becoming victims of similar attacks. An op-ed in The Hill argues that the attack should serve as a "wake-up call for hardening our cyber defenses," a conclusion few would dispute. It urges three areas deserving increased attention: intelligence and deterrence, post-attack recovery and resilience, and more attention to security training.
Other sectors are studying Colonial Pipeline's experience with DarkSide's ransomware attack and reexamining their own defenses. FreightWaves sees a similar attack against the trucking industry as "likely," but also preventable.
Responses to the Colonial Pipeline security incident.
Requirements have been imposed as part of a response to the DarkSide ransomware attack that disrupted Colonial Pipeline’s operations earlier this month. While control systems were not, apparently, directly affected by the attack, Colonial’s ability to track what it was delivering through its lines was affected. Some sources have represented Colonial’s decision to halt operations as a coarsely commercial one—they couldn’t bill for the product, so they stopped delivering it. But this seems misleading. Not being able to determine what’s moving through your system with high confidence isn’t just a business issue, but probably a safety problem as well.
The Wall Street Journal reports that Colonial last year passed up a TSA security audit of its systems, offering a virtual inspection instead of the in-person audit TSA proposed. TSA said that this happened with several other pipeline operators as well, who were, with the pandemic at its height, limiting their employees’ exposure to in-person interactions. As such restrictions eased, operators began rescheduling TSA inspections. Colonial was doing so as the DarkSide attack hit them.
The US Transportation Security Administration (TSA) issued new standards for pipeline security this week. Prompted by the Colonial Pipeline ransomware attack, the new regulations will, according to the Wall Street Journal, have teeth for enforcement. Earlier standards were guidelines that relied upon voluntary compliance. In this respect the new system will resemble regulations under which the electrical power industry currently operates.
Voluntary standards aren't being ignored, either. The World Economic Forum has published a white paper, Cyber Resilience in the Oil and Gas Industry: Playbook for Boards and Corporate Officers, that offers sector executives guidelines for handling threats like the one that disrupted Colonial Pipeline. The white paper was prepared with significant input from security companies.
Disclosure and decryptors.
DarkSide may have benefited from security researchers' public airing of some flaws in DarkSide's own code. DarkSide, in any case, woofed that a security firm's release of a free decryption tool had simply helped the gang with its own quality control. MIT Technology Review urges security researchers to find ways of helping victims of cyberattack that don't wind up helping the attackers by flagging issues with malware. It's difficult to see an easy way of doing this—at some point, after all, the criminals will get wise to ways in which the effects of their attacks can be circumvented—but the challenge seems worthy of some thought.
MIT Technology Review early this week complained about the way in which security firms who provide free decryptors make their tools publicly available, and particularly excoriated Bitdefender's release of a DarkSide decryptor early this year, saying that the gang benefited from the announcement to fix issues in their code. That seems strong. After all, a gang might realize that something was wrong when its victims appeared able to return to normal without paying for decryption. And while a free decryptor might well make it easier for a gang to find and fix problems with its malware, the Washington Post reports that Bitdefender has said (with arguable justice) that publishing a decryptor enabled them to help a lot more victims a lot faster than a more discreet, more selective disclosure would have allowed.
Bitdefender replied to critics and made its case for releasing ransomware decryptors publicly, as opposed to providing them quietly only to affected organizations. The company argues that because many victims are small and lack dedicated security teams, and because many organizations don't disclose the attacks they suffer, the benefits of a general release of a decryptor outweigh the risks that the criminals will use the decryptor to improve their attack code.
Emsisoft takes the more targeted approach to decryption, and has offered to help Waikato DHB recover from the ransomware attack the New Zealand healthcare agency sustained. Emsisoft gives itself even odds of being able to deliver a decryptor, Stuff reports.
Conti and other ransomware threats.
The Wall Street Journal observes that ransomware gangs appear to be scuttling away from the recent light shone on their activities. But they've remained active, and probably are simply regrouping, not exiting (still less reforming). Shortly before announcing its (skeptically received) intention to shut down, the DarkSide gang hit British insurer One Call, according to Computing.
The head of Germany's BSI independently warned that ransomware in general is a growing threat, especially to the healthcare sector, Heise writes. He pointed out that healthcare facilities have been hit before: Lukaskrankenhaus in Neuss in 2016, Krankenhäuser Rheinland-Pfalz and Saarland in 2019, and the Universitätsklinik in Düsseldorf in 2020.
The US FBI has warned that Conti ransomware is a current threat, especially to healthcare and emergency response organizations. The Bureau counts more than four hundred Conti attacks worldwide. Some two hundred ninety of those targets were based in the US, including law enforcement agencies, emergency healthcare networks, and 911 dispatch centers.
The highest profile Conti incident currently in progress is the ransomware attack on Ireland's HSE healthcare agency. According to the Irish Times, Dublin is working to resolve HSE's problems and has ruled out paying the ransom. The Conti gang has threatened to begin releasing sensitive data, the Irish Examiner reports, if their extortion demand isn't met.
The Irish Times also said that the HSE is happy with the decryptors it's obtained, and that some suspended services would resume this week. But full recovery still remains some weeks away.
New Zealand's healthcare system and ransomware.
The Guardian reports that New Zealand’s Waikato district health board, which was hit with ransomware last Tuesday, continues to struggle with its own recovery from what an official has characterized as the biggest cyberattack in the country’s history. RNZ said that about twenty percent of elective procedures are being rescheduled, and that the system is not expected to return to normal until next week.
Reuters reports that the group claiming responsibility for the cyberattack against the Waikato District Health Board has begun releasing what seems to be private patient information. Authorities in New Zealand have been relatively tight-lipped about the incident, but it's widely taken to have been a ransomware attack. RNZ says the government has stated that it won't pay any ransom, and that the national Privacy Commissioner has directed all District Health Boards to address the vulnerabilities the attackers exploited against the Waikato DHB.
Phishing campaign targets Uyghurs, both in China and in the Uyghur diaspora.
Security firms Check Point and Kaspersky report another campaign targeting China’s Uyghur minority with messages and sites that impersonate UN and human rights groups. “Attackers use fake United Nations (UN) documents and human rights websites to spread malware that has the ability to exfiltrate information and take control of victims’ PCs,” the report says, adding that the threat actor baited its attacks in two ways:
"They created documents that appear to be from the UN, using real UN information to ensure these looked authentic." The organization principally impersonated was the Office of the High Commissioner for Human Rights. They also “set up websites for non-existent organizations claiming to fund charity groups.” Prominent among the NGOs impersonated was the Turkic Culture and Heritage Foundation—the Uyghurs are a Turkic people.
The campaign appears to have been highly targeted, prospecting a relatively small number of individuals, both Uyghurs living in China and some members of the Uyghur diaspora, mostly resident in Pakistan.
The report is reticent about its code-based attribution, saying, "Although the researchers were unable to find code or infrastructure similarities to a known threat group, they attribute this activity, with low to medium confidence, to a Chinese-speaking threat actor. When examining the malicious macros in the delivery document, the research team noticed that some excerpts of the code were identical to VBA code that have appeared in multiple Chinese forums, and might have been copied from there directly.”
That said, the target list is suggestive. It’s difficult to come up with a Chinese-speaking threat actor interested in compromising Uyghur targets who wouldn’t be working on behalf of Chinese security services, but that, of course, is merely circumstantial. That, however, is basically the way MIT Technology Review reads the evidence.
CryptoCore campaign attributed to the DPRK's Lazarus Group.
ClearSky has reported its conclusions that the CryptoCore campaign (which hit alt-coin exchanges in Japan, Israel, Europe, and the US) was run by North Korea's Lazarus Group, known for state-directed financial crime.
The CryptoCore operation began in 2018 and is thought to have been responsible for at least five attacks on cryptocurrency exchanges. The campaign’s total take over its career is believed to have been somewhere north of $200 million. When CryptoCore first surfaced, it was attributed to a criminal gang thought to be operating from Eastern Europe or perhaps Russia. But F-Secure published some evidence suggestive of a Pyongyang connection, and ClearSky has taken a deeper look and now attributes the campaign, with “medium to high confidence,” to the DPRK's Lazarus Group.
Privateering in cyberspace.
Speculation has placed the relationship between the DarkSide ransomware operators and the Russian government on a spectrum that runs from inattention through toleration, permission, and encouragement all the way to direction. The reality probably lies somewhere in the middle. There's a convergence of interests: Russia sees a rival embarrassed and inconvenienced, and the gang gets a payoff (in this case a bit more than $4 million). With this incident in mind, Cisco's Talos Group has introduced a new threat category in recognition of what appears to be an emerging trend. They call the threat actors "privateers," and describe them as "actors who benefit either from government decisions to turn a blind eye toward their activities or from more material support, but where the government doesn't necessarily exert direct control over their actions." The researchers also distinguish privateers from "mercenaries," operators whom a government hires for specific purposes.
Talos is a bit starchy about the government role in all of this, saying that the distancing with deniability (whether plausible or implausible) "in itself does not diminish the responsibility these governments share with these groups."
The US FBI on Thursday warned that foreign actors were exploiting unpatched Fortinet VPNs to compromise US municipal governments.
Crime and punishment.
The AP reports that US District Judge Miranda Du passed sentence on Egor Igorevich Kriuchkov, a Russian national, and gave him ten months. Since he’s already been in custody for nine months, and that detention counts, the sentence amounts to time served. He’ll be deported back to Russia soon. Judge Du said she took into account both Mr. Kriuchkov’s plea agreement with the US Attorney and the fact that, after all, his attempt to hack the Reno-area battery plant failed. It’s worth noting that US authorities have not alleged the Russian government had anything to do with Mr. Kriuchkov’s crime. He seems to have been just a crook on the lookout for the main chance.
An FBI analyst has been arrested and charged with mishandling classified material. Kendra Kingsbury, 48, of Dodge City, Kansas, who had worked for the FBI’s Kansas City Division, was arrested last Tuesday and charged with two counts of “Willful Retention of National Defense Information,” material classified at the SECRET level she’s said to have removed from her office and taken home with her between 2004 and 2017.
Naked Security says Britain’s Dedicated Card and Payment Crime Unit has collared eight suspects in a home delivery scam, one in which the phishbait is a notice that appears to be from a trusted courier service asking for help in making a delivery. The phish hook is a link that takes the victims to a page where they’re invited to make a very small payment, but of course that payment is not the goal. What the scammers are after is the victims’ paycard details.
Fortunes of commerce.
Insurance firms are, Dark Reading says, growing increasingly skittish about underwriting the risk of ransomware, and seem to be moving away from providing the sort of coverage that might encourage or permit ransomware payments. BankInfoSecurity points to trending evidence that suggests both more limited coverage and higher premiums.
The underwriters aren't misreading the risk. Ransomware attacks continue, with audio-system manufacturer Bose disclosing to authorities that it had suffered an incident it first detected in March. The Record says the company's statements haven't indicated whether it paid the ransom. Recovery has sometimes proven protracted, even after an attack has been detected and contained. The San Diego Union-Tribune reports that Scripps Health, which was hit on May 1st, is still in the process of remediation, but hopes to be back to normal operations by the end of this week. And the city of Tulsa, Oklahoma, which on May 10th disclosed the attack it sustained, shut down many city systems to contain the infestation and prevent data loss, also hopes to have recovered by week's end, SecurityWeek reports.