Cybersecurity figured prominently at the Russo-American summit.
Cyber privateering, Russian toleration (perhaps active encouragement) of criminal cybergangs, was expected to be a major topic at Wednesday's Russo-American summit, as indeed it proved to be. Russian President Putin prepared the ground, an interview on NBC indicates, with a preemptive tu quoque: Russia does nothing that America doesn't also do. The Guardian's pre-summit take was widely shared: expectations were generally modest.
The American side raised Russian complicity in cybercrime. The Russian side offered extradition of criminals to the US if the US will honor similar Russian extradition requests. (The New York Times observes that summits are now about cyber the way they were once about nuclear weapons.)
The summit concluded after three hours of face-to-face talks. Reuters calls them "professional" as opposed to "friendly," with some expressions of a willingness to pursue matters of arms control and cybersecurity going forward. Computing reports that President Biden said that critical infrastructure should be off-limits to cyberattack, and made a not particularly veiled reference to US retaliatory capabilities. Recent ransomware attacks came up, the New York Times writes (characterizing the two countries as remaining "profoundly divided" on this and other matters), with President Biden requesting an explanation and President Putin denying any Russian involvement.
In a post-summit media availability (the two presidents did not hold a joint press conference), Mr. Biden described the discussion: "I looked at him and said: 'How would you feel if ransomware took on the pipelines from your oil fields?' He said: 'It would matter.' I pointed out to him that we have significant cyber capability. And he knows it." The New York Times reports that Russian media are calling President Biden “a man we can do business with,” and that it’s gratifying to see him recognizing Russia as a great power.
Ferocious Kitten's domestic surveillance.
A report by Kaspersky Labs details a six-year record of domestic surveillance by an Iranian APT, "Ferocious Kitten." As suggestive as the circumstantial evidence may be, Kaspersky doesn't explicitly attribute the operations to Iran's government, but, CyberScoop reports, FireEye does.
Chinese cyberespionage and Chinese cybercrime: maybe but probably not under the same management.
The AP, building on work Group-IB issued late last week, reports that Chinese exploitation of Pulse Connect Secure (patched some time ago) was more extensive than previously believed. It remains unclear what data were extracted in the course of the attacks.
Secureworks describes the tactics of the Hades ransomware operators in a report out this morning. The researchers call the threat actor "Gold Winter," and they say the gang appears to be financially motivated. It's a "big game hunter" that finds and pursues high-value targets, notably in the North American manufacturing sector. Secureworks says its findings don't support others' conclusion that Hades is being run by the Chinese state-sponsored actor Microsoft calls "Hafnium," best known for its exploitation of vulnerable Exchange servers. Secureworks also disputes attribution of Hades to the Gold Drake gang. While Hades and WastedLocker share some similar code, Secureworks believes they're run by distinct threat actors.
EA cyberattack was enabled by stolen cookies.
The cyberattack against EA was apparently enabled, the hackers explained to Motherboard, by stolen cookies containing login details. The attackers got into the company's Slack channel, contacted IT personnel, said they'd lost their phone at a party, and asked for a multifactor authentication token so they could reestablish access to EA networks. From there they pivoted to the information they wanted.
Avaddon going out of business?
BleepingComputer on Friday received an emailed tip containing Avaddon ransomware decryption keys. This and other evidence suggest the gang is either going out of business or doing some defensive rebranding.
Trends in ransomware: sextortion, succession, Monero, and initial access brokers.
Motherboard reports that a ransomware gang, left nameless to avoid encouraging them, has turned to sextortion in addition to encryption and data theft. The hoods are threatening to release nude images of people associated with the organization they've targeted.
Proofpoint discerns a trend among ransomware gangs: they're relying less upon phishing and more on the services of initial access brokers to obtain a foothold in victims' networks.
Monero, viewed as less easily tracked than Bitcoin, is gaining criminal market share at the expense of its better-known rival, CNBC reports.
BleepingComputer confirms that Paradise ransomware source code has been leaked online to participants in the XSS hackers' forum.
Cyber vigilantes resurface?
Sophos describes what appears to be a strain of vigilante malware designed to prevent infected computers from visiting pirate sites. The malware has been distributed through BitTorrent and Discord, disguised as pirated copies of games and other software products. "Vigilante" is a reasonable first guess, but the operators' ultimate purpose remains murky.
Hardware phishing.
Hot for Security, reminding readers that almost three-quarters of a million customers of the hardware wallet Ledger had their email and physical addresses compromised last December, thinks we now know why. It appears to have been the onset of an elaborate phishing effort. Some Ledger users have received what appear to be replacement wallet hardware units. They are, however, bogus, and represent an attempt to steal keys and cryptocurrency. BleepingComputer has pictures of the devices and an account of the poorly written scam text that accompanied them.
Volkswagen discloses third-party breach affecting North American customers.
Volkswagen has warned customers that it experienced a third-party data breach. On Friday Daniel Weissland, President of Audi America, sent affected Volkswagen Group customers in North America a letter warning them that their personal data may have been exposed. The company did not name the vendor who left the data exposed. The company stated:
"The data included some or all of the following contact information about you: first and last name, personal or business mailing address, email address, or phone number. In some instances, the data also included information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color, and trim packages.
The data also included more sensitive information relating to eligibility for a purchase, loan, or lease. More than 95% of the sensitive data included was driver’s license numbers. There were also a very small number of dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers."
CVS Health discloses vendor breach.
WebsitePlanet says it discovered an unsecured database that contained over one billion records belonging to CVS Health. WebsitePlanet researcher Jeremiah Fowler stated in a blog post, “CVS Health acted fast and professionally to secure the data and a member of their Information Security Team contacted me the following day and confirmed my findings and that the data was indeed theirs. I was informed that this was a contractor or vendor who managed this dataset on behalf of CVS Health, but it was confidential as to who the vendor was.”
The data consisted of search records for CVS’s website, including medications and other products. It also contained some email addresses, which the researchers theorize may have been the result of users confusing the search bar with a login form.
WebsitePlanet concludes, “The logging system used a mixed case alpha-numeric visitor ID that appears to ensure that shoppers were anonymous. It should be noted that email addresses for the visitor’s profile or shopping cart were not collected to this database. Unfortunately, only human error can be blamed for both the misconfiguration that publicly exposed the database and website visitors who entered their own email addresses in the search bar.”
CVS told WebsitePlanet in a statement, “Thank you again for contacting us about this. We were able to reach out to our vendor and they took immediate action to remove the database. Protecting the private information of our customers and our company is a high priority, and it is important to note that the database did not contain any personal information of our customers, members or patients.”
Carnival sustains data breach.
Cruise ship line Carnival disclosed that it sustained a data breach in March. The company told BleepingComputer that the attackers accessed “limited portions of its information technology systems.” Some customer, employee, and crew information is believed to have been exposed, but Carnival thinks the probability that the data have been misused is low.
And so does Wegmans.
Two unsecured cloud databases used by the US grocery chain Wegmans may have exposed customers' names, home and email addresses, phone numbers, birth dates, Shoppers Club numbers, and hashed passwords to their store accounts, WCVB reports. Wegmans stated, "This issue was first brought to our attention by a third-party security researcher and we then confirmed the configuration problem, beginning on or about April 19, 2021. We then worked diligently with a leading forensics firm to investigate and determine the incident’s scope, identify the information in the two databases, ensure the integrity and security of our systems, and correct the issue."
The company added, "Although all affected Wegmans.com passwords were protected through hashing, as a conservative measure, you can change the password to your Wegmans.com account, as well as for any other account for which you use the same password. It is generally a good idea to use a unique password for each online account you may have."
Microsoft disrupts BEC infrastructure.
Microsoft said Monday it had disrupted a major criminal enterprise that exploited multi-cloud infrastructure to deploy automated tools running a very large business email compromise scheme. Microsoft's researchers note, "Our analysis revealed that the attack was supported by a robust cloud-based infrastructure. The attackers used this infrastructure to automate their operations at scale, including adding the rules, watching and monitoring compromised mailboxes, finding the most valuable victims, and dealing with the forwarded emails." They conclude that "The resulting takedown of this well-organized, cross-cloud BEC operation by multiple cloud security teams stresses the importance of industry collaboration in the fight against attacks and improving security for all."
Southwest Airlines recovers systems.
Southwest Airlines has resumed normal operations after overcoming connectivity problems induced by "system issues." The Wall Street Journal reports that the incident appears to have been an IT system glitch, not a cyberattack.
Brief Internet interruptions traced to issues with content delivery platform.
Akamai is working to resolve issues with its content delivery platform that have caused brief, intermittent outages in airline and financial services sites, CNN reports.
Patch news.
CISA's weekly vulnerability summary included eleven vulnerabilities rated “high severity.” Among the alerts CISA issued was one concerning a vulnerability in ThroughTek's P2P Software Development Kit, a supply chain risk for networked camera vendors who use the P2P SDK. The risk the vulnerability poses is unauthorized viewing of video. Nozomi has published an account of the issue, noting that it is difficult for users to determine the provenance of the software in their systems.
Crime and punishment.
Ukrainian police have arrested six alleged members of the Clop ransomware gang. The Record reports that law enforcement agencies from the Republic of Korea and the United States rendered assistance. The police seized not only servers, but a lot of cash and some gaudy luxury cars.
Russian national Oleg Koshkin has been convicted in the US for operating crypter websites, including Crypt4U, to help malware evade detection by antivirus programs. In particular, Mr. Koshkin worked with the operator of the Kelihos botnet, Peter Levashov, to crypt the Kelihos malware several times per day. The Justice Department said, "Koshkin provided Levashov with a custom, high-volume crypting service that enabled Levashov to distribute Kelihos through multiple criminal affiliates. Levashov used the Kelihos botnet to send spam, harvest account credentials, conduct denial of service attacks, and distribute ransomware and other malicious software. At the time it was dismantled by the FBI, the Kelihos botnet was known to include at least 50,000 compromised computers around the world."
South Korean police have charged nine employees of a computer repair shop for developing and installing ransomware on their customers' computers, The Record reports.
Courts and torts.
The US Securities and Exchange Commission (SEC) has reached a settlement with First American Financial Corporation over its 2019 data breach that exposed sensitive customer information, CyberScoop reports. The SEC maintains that First American's IT team had discovered the vulnerability several months before being tipped off by a cybersecurity journalist, but didn't fix it or inform senior management.
The SEC stated, "The order finds that First American failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning the vulnerability was analyzed for disclosure in the company’s public reports filed with the Commission.... The SEC’s order charges First American with violating Rule 13a-15(a) of the Exchange Act. Without admitting or denying the SEC’s findings, First American agreed to a cease-and-desist order and to pay a $487,616 penalty."
Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit, added, "As a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it. Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures."
Policies, procurements, and agency equities.
The US House Judiciary Committee announced its “anti-monopoly agenda” last Friday, the result of sixteen months of deliberation. The Committee calls the five draft measures, collectively, “A Stronger Online Economy: Opportunity, Innovation, Choice.”
Reuters reports that Russian lawmakers on Thursday passed legislation that would require US tech companies to set up local offices in Russia by January 2022. Reuters says the new law “requires foreign sites with more than half a million daily users in Russia to set up a local branch or Russian legal entity....Websites that do not comply would be marked as being non-compliant on search engines, they could be excluded from search engine results, and banned from advertising in Russia and for Russians.”
Eric Geller tweeted that the Senate Homeland Security Committee has voted to send the nominations of Chris Inglis and Jen Easterly to the full Senate for confirmation. Inglis is the prospective National Cyber Director; Easterly is in line to direct CISA. POLITICO reported that the Senate confirmed Inglis on Thursday.
Poland's prime minister held closed-door sessions with members of parliament to discuss recent cyberattacks against high-profile government officials, the Washington Post reports.
Fortunes of commerce.
The Washington Post summarizes the effects that ransomware attacks are having on the cyber insurance industry. Citing research by Chainalysis, the Post notes that ransom payments increased 341% last year, reaching a total of $412 million. Insurers are now raising premiums for damages caused by hacks, with prices for many buyers rising by 20% in 2020.
Additionally, James Turgal, a vice president at Optiv, told the Post that ransomware operators sometimes intentionally target companies because they have insurance, since it means the companies will be more willing to pay up. Turgal said, “I’ve worked cases where they’re actually providing a snapshot of your cyber insurance cover page from your own system showing you, ‘Hey, you have cyber insurance, so there’s no reason not to pay.’”