How DarkSide got into Colonial Pipeline's networks.
Citing sources at Mandiant, Bloomberg reports that DarkSide ransomware operators gained access to Colonial Pipeline's networks on April 29th through a deactivated and disused virtual private network (VPN) account that nonetheless still accepted a login. The attackers are believed to have found the password in a batch of credentials posted to the dark web. It's unclear whether they obtained the username in a similar fashion or arrived at it by guessing. Mandiant's investigation found no evidence of phishing, although it doesn't discount the possibility of password reuse. The investigators saw no signs of an attack earlier than the 29th.
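The lesson a defender takes from the Colonial Pipeline account is not about attacker tradecraft but about a control failure: an account that should no longer have been able to authenticate did. The script below is an added example (not Mandiant's, Colonial's, or Bloomberg's code) of the detection a practitioner would want: it parses constructed, syslog-style VPN authentication lines, checks each successful login against a constructed account inventory, and flags logins by accounts that are marked disabled, are unknown to the inventory, or have been dormant longer than a threshold. The log format, the `sslvpn:` tag, the usernames and the IP addresses are all assumptions for illustration; a real concentrator logs differently and `parse_line()` would need to be adapted.

```python
"""Flag VPN logins by accounts that should no longer be able to authenticate.

Added example, not code from the original page or from the firms it cites.
The log format and the account inventory are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed account inventory: username -> status and last known login.
# In practice this comes from the identity provider or the VPN appliance.
ACCOUNTS = {
    "jdoe":        {"status": "active",   "last_login": "2021-04-28T09:12:00"},
    "contractor7": {"status": "disabled", "last_login": "2020-11-02T17:40:00"},
    "svc_legacy":  {"status": "active",   "last_login": "2020-08-15T03:05:00"},
}

# Constructed syslog-style VPN events; the addresses are documentation ranges.
LOG_LINES = [
    "2021-04-29T02:13:44Z vpn01 sslvpn: user=jdoe src=203.0.113.10 result=success",
    "2021-04-29T02:51:09Z vpn01 sslvpn: user=contractor7 src=198.51.100.23 result=success",
    "2021-04-29T03:02:31Z vpn01 sslvpn: user=svc_legacy src=198.51.100.23 result=success",
    "2021-04-29T03:04:00Z vpn01 sslvpn: user=nobody src=198.51.100.23 result=failure",
    "garbage line that should be skipped",
]

# Assumed line layout: "<ISO-8601 ts>Z <host> sslvpn: user=<u> src=<ip> result=<r>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+sslvpn:\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>\w+)$"
)


def parse_line(line):
    """Return a dict for a well-formed event, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "user": m.group("user"), "src": m.group("src"), "result": m.group("result")}


def classify(event, accounts, dormant_days=90):
    """Return a reason string if a successful login should be alerted on, else None."""
    if event["result"] != "success":
        return None  # failures are noise for this particular check
    acct = accounts.get(event["user"])
    if acct is None:
        return "unknown account"
    if acct["status"] != "active":
        # A disabled or deactivated account that still authenticates is the
        # Colonial Pipeline failure mode: the control was believed to be in place.
        return f"{acct['status']} account authenticated"
    last = datetime.strptime(acct["last_login"], "%Y-%m-%dT%H:%M:%S")
    gap = event["ts"] - last
    if gap > timedelta(days=dormant_days):
        return f"dormant for {gap.days} days"
    return None


def find_suspicious_logins(lines, accounts, dormant_days=90):
    """Scan log lines and return (user, src, reason) tuples worth an alert."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip unparseable lines rather than aborting the scan
        reason = classify(ev, accounts, dormant_days)
        if reason:
            alerts.append((ev["user"], ev["src"], reason))
    return alerts


if __name__ == "__main__":
    for user, src, reason in find_suspicious_logins(LOG_LINES, ACCOUNTS):
        print(f"ALERT user={user} src={src}: {reason}")
```

Run against the constructed lines, the script alerts on `contractor7` (a disabled account that authenticated) and on `svc_legacy` (an active account silent for more than 90 days), and stays quiet about `jdoe`. The dormancy threshold is a tunable assumption; the disabled-account check is the one that matters most, because it tests whether the deprovisioning you believe happened actually took effect at the VPN.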
"Fancy Lazarus": a DDoS extortion racket, and not an espionage service.
Security firm Proofpoint on Thursday released a study of a criminal group that styles itself “Fancy Lazarus,” and that specializes in extortion by distributed denial-of-service. One might think Fancy Lazarus was either a Russian or a North Korean operator, but it’s not. Its chosen name is an apparent homage to Fancy Bear and the Lazarus Group, but Proofpoint discerns no connection to either group. Instead Fancy Lazarus seems to be an ordinary criminal operation. In the past it’s borrowed the popular names of well-known state-run actors, including “Fancy Bear,” “Lazarus,” “Lazarus Group,” and “Armada Collective,” but that’s all apparently either misdirection or, more probably, an attempt to look more menacing than it in fact is.
Fancy Lazarus, Proofpoint says, is “taking aim at an increasing number of industries, including the energy, financial, insurance, manufacturing, public utilities, and retail sectors.” They threaten a crippling DDoS attack, but as often as not if they’re ignored they’re simply not heard from again. Some victims report demonstration DDoS attacks, and a few of them say they’ve experienced some degree of disruption, but in general Fancy Lazarus seems to be more talk than action.
"Backdoor Diplomacy": cyberespionage in Africa, Europe, and Southwest Asia.
Researchers at ESET, the Bratislava-based security company, have issued a report on a cyberespionage operation targeting charitable groups, diplomatic organizations, telcos, and others in Africa, Europe, and the Middle East. The threat actor is being called "Backdoor Diplomacy" for its use of the Turian backdoor and its preference for diplomatic targets. Turian appears to be a derivative of the Quarian backdoor, seen in earlier operations against targets in Asia. Backdoor Diplomacy is a cross-platform threat, afflicting both Windows and Linux systems. The targets were located in Albania, Armenia, Croatia, Germany, Ghana, India, Libya, Namibia, Nigeria, Poland, Qatar, Saudi Arabia, South Africa, Sri Lanka, Syria, the United Arab Emirates, and Uzbekistan.
ESET notes, "Several victims were compromised via mechanisms that closely matched the Rehashed Rat and a MirageFox-APT15 campaign documented by Fortinet in 2017 and Intezer in 2018, respectively."
Paying the ransom.
The Wall Street Journal Wednesday night reported in an exclusive that JBS paid its REvil attackers $11 million in Bitcoin to restore the systems and data affected by the gang’s ransomware attack. The payment was made after most of JBS’s plants had returned to operation. The company says it had all of its data backed up, and that as far as it could tell no customer, supplier, or employee data had been compromised. This has prompted questions about what might have been worth $11 million to protect, and it appears that JBS may have been hedging against re-attack. “It was insurance to protect our customers,” the CEO of JBS's US division said.
Bloomberg Quint reports on the reception Colonial Pipeline’s CEO Joseph Blount Jr. received from Congress during his testimony. It was chilly. The company’s failure to have adopted a stronger security posture was criticised, as was its decision to pay ransom, the FBI’s recovery of much of the money notwithstanding. The reception Colonial received makes the speculation that the company paid DarkSide in cooperation with the FBI, the better to help the Bureau cripple the extortionists' infrastructure, look less plausible.
EA's source code is stolen in a cyberattack.
Electronic Arts, the popular game and e-sports company, disclosed yesterday that it had been breached. CNN reports that on June 6th cybercriminals claimed to have taken 780 gigabytes of data from EA, and that their haul included Frostbite source code. Frostbite is the game engine behind the widely played FIFA, Madden, and Battlefield franchises, as well as other, less well-known titles.
The incident seems to be intellectual property theft, and not an attempt to steal personal data. The criminals’ motivation appears to be sale of the code in various hacker souks. In posts on underground fora the hackers hawked their stolen code with a big dose of marketing braggadocio: "You have full capability of exploiting on all EA services,” Motherboard quotes them as writing. They posted screenshots to provide some evidence that they have what they claim to have, but they’re releasing the source code only to paying customers. Don’t bother contacting them unless you’re actually interested in buying. "Only serious and rep members all other would be ignored," they wrote.
EA told CNN, "We are investigating a recent incident of intrusion into our network where a limited amount of game source code and related tools were stolen," adding reassurances that, "No player data was accessed, and we have no reason to believe there is any risk to player privacy. Following the incident, we've already made security improvements and do not expect an impact on our games or our business. We are actively working with law enforcement officials and other experts as part of this ongoing criminal investigation."
McBreach.
The Wall Street Journal reports that McDonald's operations in South Korea and Taiwan have sustained a data breach. The attackers “stole customer emails, phone numbers and addresses for delivery customers in South Korea and Taiwan,” the Journal says. McDonald's said that some employee data in the US was also accessed, but none of it was either sensitive or personal. The incident wasn’t a ransomware attack. The burger giant has engaged the services of cybersecurity firms and notified the appropriate authorities.
Patch news.
On Patch Tuesday Microsoft addressed forty-nine issues, five of them rated “critical,” the rest assessed as “important.” Six of the vulnerabilities were zero-days already under active exploitation in the wild. Adobe issued fixes for forty-one vulnerabilities across ten products: Connect, Acrobat and Reader, Photoshop, Experience Manager, Creative Cloud Desktop Application, RoboHelp Server, Photoshop Elements, Premiere Elements, and After Effects. Intel also patched, addressing seventy-three vulnerabilities in twenty-three advisories. Onapsis reports that SAP has issued twenty fixes to its products. Memory corruption issues are among the important vulnerabilities addressed.
Crime and punishment.
The US Justice Department announced Thursday afternoon that an international law enforcement operation had taken down Slilpp, an underground marketplace where stolen login credentials were sold. The joint action by police in Germany, the Netherlands, Romania, and the United States seized the servers that Slilpp used and the domains those servers hosted.
Justice explained that the seizure warrant under which it acted states that “since 2012, the Slilpp marketplace has been selling stolen login credentials, including usernames and passwords for bank accounts, online payment accounts, mobile phone accounts, retailer accounts, and other online accounts... [T]he Slilpp marketplace allowed vendors to sell, and customers to buy, stolen login credentials by providing the forum and payment mechanism for such transactions; Slilpp buyers subsequently used those login credentials to conduct unauthorized transactions (such as wire transfers) from the related accounts.”
The US itself has arrested more than a dozen people connected to Slilpp. It’s the third such takedown in recent years. The Record observes that the first two credential markets seized in this fashion were xDedic and Deer.io. “xDedic sold RDP (remote desktop protocol) logins while Deer.io served as a Shopify-like platform for hosting shops for criminal groups,” the Record explains. The Slilpp takedown was a righteous bust, but, as BleepingComputer points out, there are other souks out there where stolen credentials continue to be traded.
The US Federal Bureau of Investigation (FBI) on Monday seized 63.7 bitcoins currently valued at approximately $2.3 million. "The funds allegedly represent the proceeds of a May 8 ransom payment," as the Justice Department primly puts it, to the DarkSide gang in the course of their extortion of Colonial Pipeline. The recovered money amounts to a significant fraction of the 75 bitcoins, or $4.4 million, Colonial paid. The seizure warrant gives, in suitably redacted form, the FBI's tracking of the wallets through which the funds passed. The money was seized when it reached a wallet for which the Bureau held the key, which suggests that the Feds were leaning forward in the foxhole on this one. There's also some credible speculation, reported in Ars Technica, that Colonial paid not to gain access to the flawed and essentially worthless decryptor the gang offered, but rather to aid the FBI in its work against DarkSide.
Another law enforcement action, this one international and collaborative, has resulted in the arrest of some eight hundred suspects and the seizure of drugs, cash, firearms, and other goods, Europol says. The operation, variously called "Trojan Shield" and "Ironside," relied on Anøm (also "AN0M"), an encrypted messaging platform the US FBI began running after it took down Phantom Secure in 2018, together with a capability developed by the Australian Federal Police (AFP) that ran on top of it. The BBC says criminals were gulled into using the app by one Hakan Ayik, a fugitive and alleged drug "kingpin" who served as an unwitting Judas goat.
CoinDesk reports that Chinese authorities have just completed the fifth round of “Operation Card Breaking.” The Ministry of Public Security arrested more than 1100 people and shut down 170 allegedly criminal gangs. They’re charged with using cryptocurrencies to launder money.
Courts and torts.
Luxembourg’s data protection regulator has proposed a stiff fine for Amazon’s missteps in handling personal data. The Times of London puts it at more than €350 million. A draft of the proposed fine is circulating among EU governments.
Policies, procurements, and agency equities.
NATO Secretary General Jens Stoltenberg said this week that a significant cyberattack could trigger NATO’s Article 5, the collective defense provision under which the Atlantic Alliance treats an attack against one member as an attack against all members. He also pointed out that NATO exercises now include cyber operations as a routine part of their scenario.
US President Biden Wednesday morning issued an Executive Order that effectively rescinds his predecessor's bans of WeChat and TikTok. The new Executive Order, "Protecting Americans’ Sensitive Data from Foreign Adversaries," revokes President Trump's Executive Order 13942 of August 6, 2020 ("Addressing the Threat Posed by TikTok, and Taking Additional Steps To Address the National Emergency With Respect to the Information and Communications Technology and Services Supply Chain"), Executive Order 13943 of August 6, 2020 ("Addressing the Threat Posed by WeChat, and Taking Additional Steps To Address the National Emergency With Respect to the Information and Communications Technology and Services Supply Chain"); and Executive Order 13971 of January 5, 2021 ("Addressing the Threat Posed by Applications and Other Software Developed or Controlled by Chinese Companies"). While acknowledging an ongoing emergency, the new Executive Order directs engagement, security reviews, and data protection instead of outright bans.
The Voice of America says that Chris Inglis and Jen Easterly, nominated respectively for the posts of US National Cyber Director and Director of the US Cybersecurity and Infrastructure Security Agency (CISA), both said yesterday during confirmation hearings before the US Senate Homeland Security and Governmental Affairs Committee that they favored a more active role for government in private sector cybersecurity. Neither markets nor voluntary standards nor enlightened self-interest strike the nominees as sufficient, and they both favor more regulation.
They’re likely to find sympathetic ears on Capitol Hill, where, Reuters reports, the US Senate is considering whether legislation is necessary to address the risk of cyberattacks, and particularly the ransomware threat.
One sign of that sympathy is a letter the chair and ranking member of the Senate Homeland Security and Governmental Affairs Committee sent yesterday to the Acting Director of the Office of Management and Budget and the Assistant to the President for National Security Affairs. The letter opens, “We write to you today with serious concern about the state of our nation’s cybersecurity and the threat of ransomware attacks directed at our critical infrastructure,” and goes on to say that they want information that can inform anti-ransomware legislation they’re in the process of drafting. They have three specific information requirements that suggest the lines along which they’re thinking. First, “Information on strategies that relevant federal agencies are developing and implementing to combat ransomware attacks; second, “Any new authorities, or revisions to existing authorities, that would further empower relevant federal agencies to combat ransomware attacks and respond when they do occur;” and third, “Suggestions for Congress to consider as we develop legislation and oversight plans to combat ransomware attacks.”
Reuters reports that the head of the US Internal Revenue Service recommended that Congress give the IRS statutory authority to collect information on cryptocurrency transactions that exceed the ten-thousand-dollar threshold. Commissioner Charles Rettig told the Senate Finance Committee yesterday that clarity in the matter is important, and that such large transactions, in the view of the IRS, frequently go unreported.
As Presidents Biden and Putin prepare for their June 16th summit, the US increasingly regards ransomware as a national security crisis, the Washington Post reports. TASS quotes the Russian Foreign Ministry to the effect that what we have with cyber tension between the US and Russia is a failure to communicate, the US having yet to take President Putin up on his offer of "full cooperation."
Sentinel Labs attributes the cyberattacks Russia's FSB and other organizations in that country sustained to China. The espionage group ThunderCats gets the credit, Sentinel Labs reports, and it bases its conclusions on what it regards as decisive code similarities to campaigns the APT has earlier used against targets in Southeast Asia.
According to Reuters, Italy plans to establish a national cybersecurity agency as it works toward a national cloud infrastructure plan.
The US Administration issued a fact sheet on its plans to improve supply chain security this week, a follow-up to, and a progress report on, the February Executive Order that directed a comprehensive review of critical supply chains.
And security innovation.
A good set of training data is to the AI race what LOX and kerosene were to the early space race. Artificial intelligence needs data to train on, and the sources of such data must be reliable and as reasonably free of invidious bias as any human product can be. The Wall Street Journal reports that the US Government is considering ways of making suitably sanitized data available to AI researchers.
The National Artificial Intelligence Research Task Force, a twelve-member body operating under the White House Office of Science and Technology Policy, is working toward a strategy for doing just that. Much of the motivation for the program is economic: the US seems to be anticipating a Sputnik moment in AI, with China taking the role the Soviet Union once played as principal strategic competitor.