By the CyberWire staff
Social engineering via call center.
Microsoft is tracking an active BazaCall campaign, ZDNet reports. Palo Alto Networks last month described how BazaCall backdoors vulnerable Windows systems with BazaLoader malware. A note on naming: Microsoft’s tweets have called the campaign and the malware "BazaCall" and "BazaLoader," respectively. Most others call the campaign and the malware "BazarCall" and "BazarLoader." Either way, they’re the same threat.
The BazarCall operators use, in effect, a call center as a major link in their social engineering chain. The scam begins with a phishing email telling the recipient that their free trial subscription to some service is about to expire, and that, unless they call a number to cancel it, they’ll automatically be enrolled in, and of course charged for, the subscription. The emails Microsoft shows in the screenshots accompanying its tweets are patently bogus: ZonerPhoto and Prepear Cooking are the two examples of phishbait they give. The names are close to those of legitimate services, which of course have no relation whatsoever to the phishers.
Should you be persuaded to call, the operator (who’s of course standing by) will direct you to a site offering an Excel file you can use, the operator says, to cancel your subscription, decline the upgrade to a premium service, or the like. Should you be incautious enough to follow the operator’s instructions, you’ll find an Excel file as promised, but one with malicious macros designed to deliver the payload. That payload has been BazarLoader. More recently, Microsoft says, the gang has been using Cobalt Strike to steal credentials (including the victims’ Active Directory database) and exfiltrate data via rclone.
The campaign is tough to stop by technical means, Microsoft observes. The initial email contains no links and no attachments, which are the customary items that trip warnings.
LV ransomware is warmed-over REvil.
Secureworks has taken a look at the LV strain of ransomware that’s in circulation, and they’ve concluded that LV is basically just warmed-over REvil, and not really a distinct strain at all. How LV came to share the same code structure as REvil isn’t entirely clear. REvil’s proprietors, whom Secureworks calls “Gold Southfield,” and who succeeded the GandCrab operators at the time of that gang’s retirement (or dispersal, or rebranding) in the spring of 2019, may have sold it, had it stolen, or traded it with some criminal partner for other considerations. There’s no immediate evidence that LV’s operators (whom Secureworks calls “Gold Northfield”) are running their own affiliate program, but Secureworks thinks it possible that one is in the offing.
ReverseRat may be a Pakistani cyberespionage tool.
Lumen's Black Lotus Labs have described a new Trojan they're calling "ReverseRat." The malware is deployed in cyberespionage operations against government and energy sector targets in South and Central Asia. Its infrastructure is hosted in Pakistan, and Black Lotus Labs tentatively attributes the campaign to Pakistan's government. ReverseRat is regarded as unusually evasive, with low detection rates by monitoring software.
How the first stage of the attack is delivered isn’t entirely clear. It involves delivering malicious URLs that point to compromised sites, and Lumen conjectures that the baited documents probably arrive through some form of phishing or smishing. The phishbait is varied, but documents alluding to events or organizations in India have been common. Lumen has also seen COVID-19 phishbait, and topics likely to be of interest to people working in the energy sector. Most of the victims were in India, with a smaller set of targets in Afghanistan.
Purchased Google ads serve Redline Stealer.
eSentire reports finding malicious Google ads for the Signal and Telegram messaging apps that induce visitors to download Redline Stealer, information-harvesting malware whose take the criminals subsequently sell in various dark web souks.
It’s not just Signal and Telegram that are being faked to deliver malicious content. eSentire says others have seen similar activity pretending to be AnyDesk or Dropbox. In this case, the threat actors use convincingly forged download pages for the apps. Users who attempt to get those apps during their visit will be “socially engineered,” as eSentire puts it, into downloading and initializing Redline Infostealer. eSentire notes, "Although we do not know the total amount the cybercriminals spent on the Google ads, we do know that purchasing the keyword ‘Telegram’ can run $0.40 USD per click, while the keyword ‘Signal’ can cost up to $1.40 USD per click."
Supply chain concerns in the US Defense Industrial Base.
The Colonial Pipeline and JBS ransomware incidents raised concerns about two critical infrastructure sectors, and recent reports have suggested that the water and wastewater sector has also come under attack more often than had been thought. This morning BlueVoyant released a study of the US Defense Industrial Base that concludes that this sector, too, exhibits significant vulnerabilities, particularly among its smaller companies. Half of the three hundred small and medium businesses studied were found critically vulnerable to ransomware; 28% fell short of CMMC requirements.
Should one of these firms become infected, there’s the possibility of disruptions to those supply chains in which the company figures. There’s also the possibility that the ransomware could be propagated from the initial victim to partners, prime contractors, and subcontractors. The assumption the attackers (whether criminals, spies, privateers, or saboteurs) seem likely to work from, the Washington Post writes this morning, is that smaller firms are inherently less likely to be well-protected against cyberattack than are the bigger outfits in the defense sector.
False warship position reporting.
Two NATO warships, the Dutch vessel Evertsen and the Royal Navy's HMS Defender, operating in the Black Sea and visiting the Ukrainian port of Odessa, were falsely reported to have moved to disputed waters in the vicinity of the Russian-claimed port of Sevastopol. USNI News reports that it seems Automatic Identification System (AIS) signals were falsified to give the impression that the warships had engaged in what effectively would have been a provocation. In fact, both ships remained in Odessa. How the misreporting occurred remains unclear: whether the AIS reports were deliberately falsified, and if so by whom, or whether the incident involved some malfunction. (Should you be unfamiliar with AIS, the British electronics retailer ICOM has a useful overview of the system on its site.)
Most commercial vessels are required to be equipped with AIS, which is a valuable aid to collision avoidance, among other things. Warships also typically carry AIS, although for security reasons they may turn it off as necessary, since their locations are often sensitive. But navies too are interested in safe transit: in 2017, for example, following two deadly collisions between US Navy warships and commercial vessels, the US Navy told its ships to turn their AIS on in heavily trafficked waters.
So there are several points in the electronic chain at which AIS positions for the two NATO warships in the Black Sea might have been faked, but it seems that both Evertsen and Defender were in Odessa, where they belonged, and had every right to be. Again, how the locations came to be misreported remains, for now, unknown, but the incident did occur in the course of a freedom-of-the-seas operation during which Russian forces challenged and harassed a British warship in disputed international waters. Defense One has a report on that incident, which it says shows Russian determination to claim waters around the Crimean peninsula, illegally seized from Ukraine in 2014.
Kimsuky believed responsible for breach at a South Korean nuclear research institute.
The South Korean Atomic Energy Research Institute (KAERI) disclosed at the end of last week that several unauthorized parties obtained access to KAERI’s internal networks. The Record reports that some of the infrastructure used in the intrusion was traceable to North Korea’s Kimsuky group. KAERI had initially denied that the incident had occurred. The institute apologized Friday for its earlier statements.
According to BleepingComputer, the intrusion took place on June 14th, and the threat actor gained access through a VPN flaw.
Earlier this month Malwarebytes Lab published a report on Kimsuky, a threat actor generally believed to work for the Democratic People’s Republic of Korea’s Reconnaissance General Bureau. Malwarebytes listed an extensive set of targets:
- the Ministry of Foreign Affairs, Republic of Korea, 1st Secretary,
- the Ministry of Foreign Affairs, Republic of Korea, 2nd Secretary,
- the Trade Minister,
- the Deputy Consul General at Korean Consulate General in Hong Kong,
- the International Atomic Energy Agency (IAEA) Nuclear Security Officer,
- the Ambassador of the Embassy of Sri Lanka to the Republic of Korea, and
- the Ministry of Foreign Affairs and Trade counselor.
Norway blames a 2018 breach of its government networks on China's APT31.
Norway has attributed a 2018 breach of its governmental IT network to China. Specifically, the Police Security Service (PST) said the cyberespionage incident was the work of APT31. “The investigation revealed that the actor succeeded in acquiring administrator rights that gave it access to centralized computer systems used by all state administration offices in the country,” the PST stated, adding that “The actor also succeeded in transferring some data from the offices’ systems. No reliable technical findings have been made of what information was transferred, but the investigation shows that there were probably usernames and passwords associated with employees in various state administration offices.”
Poland attributes cyber incident to Russian intelligence services.
Warsaw says the recent cyberattack against it was Moscow’s work, or at least the work of threat actors operating from Russia. Senior members of Poland’s government met last week for a closed-door discussion of an email hacking incident. On Friday Deputy Prime Minister Jaroslaw Kaczynski said, as Reuters quotes him, "The analysis of our services and the secret services of our allies allows us to clearly state that the cyber attack was carried out from the territory of the Russian Federation. Its scale and range are wide.”
Emails belonging to members of parliament and government officials were accessed, as were some emails belonging to members of their families. The incident seemed to have no particular bias for or against any political party, as multiple parties were affected.
According to BleepingComputer, the attacks affected at least thirty members of parliament, officials, and journalists, with the campaign beginning last September. The Record says that Poland’s Internal Security Agency has notified its NATO allies of recent Russian cyberattacks, the goal of which, Polish officials say, has been “to hit Polish society and destabilize the country.” An EU diplomat familiar with the incident told POLITICO that “On Friday, Poland handed over to the EU Member States, the European Commission and the Council a document on the details of cyber attacks carried out in recent days.” That diplomat also said that “operational and technical analysis carried out by Polish national cybersecurity incident response teams confirmed that the infrastructure and modus operandi used during cyberattacks were the same as those used by Russian-sponsored entities.”
Speculation in the press suggests that the email-theft may have been the work of Russia’s SVR. Polish authorities attribute the campaign to UNC1151, a threat actor associated with Russian intelligence services and generally regarded as responsible for the Ghostwriter campaign. According to The Hill, Polish intelligence services regard the campaign as part of a larger effort aimed at destabilizing Central European governments. “The findings of the Internal Security Agency and the Military Counterintelligence Service show that the UNC1151 group is behind the recent hacker attacks that hit Poland,” a spokesperson for the Polish Minister Coordinator of Special Services said.
Crime and punishment.
SecurityWeek reports that French authorities have indicted four former and current executives of Nexa Technology, an intercept company formerly known as Amesys, on charges of complicity with torture carried out by Egypt and the Libyan regime of the late Muammar Gaddafi. The charges are "complicity in acts of torture” and “complicity in acts of torture and forced disappearances." Amesys had sold deep packet inspection tools to Colonel Gaddafi’s Libya, and the charges allege that the Libyan government used them for the surveillance and arrest of opposition figures who were subsequently tortured. After its rebranding as Nexa, the company is accused of selling a version of Amesys’s “Cerebro” software, capable of real-time message and call tracing, to the Egyptian government, which is alleged to have used it in a similarly repressive fashion. The problem, in other words, lies not in the technology but in the choice of customer.
The US Justice Department Tuesday seized thirty-three websites used by the Iranian Islamic Radio and Television Union and three more run by Kataib Hezbollah. Aligned with the Iranian government, the media outlets were operating in violation of US sanctions against designated terrorist groups. The domains Justice seized were owned by a US corporation. Other sites based abroad were beyond the scope of the warrant. Note that the immediate offense is sanctions violation, not engagement in propaganda or disinformation.
Ambivalence in official US policy and regulation can complicate victims' responses to ransomware attacks. While the FBI discourages paying ransom, such payments may be tax deductible, the AP reports.
Reuters reports that commercial antivirus pioneer John McAfee died Wednesday in a Barcelona jail, an apparent suicide. Earlier that day a Spanish court had ruled that McAfee would be extradited to the US, where he faced charges of tax evasion. McAfee was 75.
Policies, procurements, and agency equities.
The Economist sees the convergence of cybercrime and state-directed hacking as a defining feature of next-gen bank robbery. Whether in the form of privateering, as observers have seen in the activities of Russian ransomware gangs, or in state toleration of cybercrime, a more charitable reading of the Russian gangs’ activities, or even in direct theft by the states themselves, as seen in the operations of North Korea’s Lazarus Group, the relationship can be close, complex, and deniable.
The communiqué NATO issued last week after its Brussels summit (and two days before Wednesday’s meeting between Russian President Putin and US President Biden) addressed cyber conflict. The Atlantic Alliance began by reiterating its commitment to Article 5, the collective defense agreement under which an attack on one member is regarded as an attack against all. It also called out the increasing tempo of Russian hybrid operations, specifically including cyber operations, disinformation, and the toleration of cybercrime. In the event of a cyberattack, the North Atlantic Council would decide on a case-by-case basis whether to invoke Article 5.
The Social reports that US Deputy Assistant Secretary of Defense for Cyber Policy Mieke Eoyang has told the Senate Armed Forces Subcommittee on Cyber that, despite complications involving international law, the history of piracy suppression holds valuable lessons for dealing with current ransomware attacks. She seems to have the Barbary Pirates in mind, tolerated and encouraged by Tripolitan authorities, and not the legal combatants who sailed under letters of marque and reprisal.
Reuters reports that the US NSA has opened a Cybersecurity Collaboration Center. The new Center aspires to closer ties with US companies. It’s hoped that sharing information on attacks will be mutually beneficial, especially as companies that operate portions of critical infrastructure increasingly come under attack.