By the CyberWire staff
A GRU brute-forcing campaign is reported.
NSA and its US and British partners (the UK's NCSC and the US FBI and CISA) on Thursday released an advisory detailing a Russian campaign ("almost certainly ongoing") to brute-force access to cloud and enterprise environments. The campaign is global in scope, NSA says, but focused on American and European targets. The campaign is targeting "government and military, defense contractors, energy companies, higher education, logistics companies, law firms, media companies, political consultants or political parties, and think tanks." Attribution is specific: the threat actor is placed on the GRU's org chart as the 85th Main Special Service Center (GTsSS).
The Advisory summarizes the implications of the campaign:
“This brute force capability allows the 85th GTsSS actors to access protected data, including email, and identify valid account credentials. Those credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion. The actors have used identified account credentials in conjunction with exploiting publicly known vulnerabilities, such as exploiting Microsoft Exchange servers using CVE 2020-0688 and CVE 2020-17144, for remote code execution and further access to target networks. After gaining remote access, many well-known tactics, techniques, and procedures (TTPs) are combined to move laterally, evade defenses, and collect additional information within target networks.”
While brute-forcing isn't new, the GTsSS's approach is: it's "uniquely leveraged software containers to easily scale its brute force attempts." The Advisory comes with indicators of compromise and a set of recommendations. NSA urges Department of Defense, National Security Systems, and Defense Industrial Base system administrators to immediately review them and apply the recommended mitigations.
Other Russian cyberespionage activity...
Microsoft has found a new cyberespionage campaign by Nobelium, a threat actor associated with Russian intelligence services. The campaign has featured password-spraying and brute-force attacks, and, while assessed as having been largely unsuccessful, will bear watching.
As Microsoft points out, “This type of activity is not new.” The attempts were highly targeted, broken down into “primarily IT companies (57%), followed by government (20%), and smaller percentages for non-governmental organizations and think tanks, as well as financial services. The activity was largely focused on US interests, about 45%, followed by 10% in the UK, and smaller numbers from Germany and Canada. In all, 36 countries were targeted.”
Much of the reporting on the activity connects it to the SolarWinds supply chain compromise, but the connection lies only in a common attribution to Nobelium, a group associated with Russia’s SVR.
...and one case that's apparently a false alarm.
Responding to a screamer in German tabloid newspaper Bild about a massive Russian cyberattack on German infrastructure, the country’s federal information security service, the BSI, says it never happened. Instead, some criminal activity was thwarted, Bloomberg and Golem report. Bild had cited unnamed Western intelligence services as its sources, and variously named the purported Russian threat actor “Fancy Bear” and “Fancy Lazarus.” The outlet also associated the attack that wasn’t with tensions arising over Belarus and the airliner it forced down so it could take a dissident into custody.
If you believe NSA, NCSC, the Secret Service, and the FBI (we do), the GRU has been up to no good in European and North American networks, but this case doesn’t appear to be one of those misdeeds. It was apparently an ordinary and not particularly successful attempt at cybercrime.
Earn a Master's in Cybersecurity Part-Time & Online at Georgetown.
Looking to advance your cybersecurity career? Check out Georgetown University's graduate program in Cybersecurity Risk Management. Ideal for working professionals, our program offers flexible options to take classes online, on campus, or through a combination of both—so you don’t have to interrupt your career to earn your degree. You'll leave the program with the expertise you need to effectively manage risks and navigate today’s increasingly complex cyber threats. Explore the program.
Cyberespionage in Central Asia.
Researchers at Check Point have observed a “Chinese-speaking” threat group tracked as “IndigoZebra” engaged in a long-running cyberespionage operation against the Afghan government. IndigoZebra used Dropbox to gain access to the Afghan National Security Council, and then use that position to phish their way further into the government. The goal is to access desktop files, deploy scanner tools, and execute Windows built-in networking utility tools.
The Hill reports that Check Point is struck by IndigoZebra’s effective use of ministry-to-ministry deception, since the messages staged through Dropbox appear to originate at the highest levels of government.
The latest targets may be in Afghanistan, but IndigoZebra has, according to Check Point, long shown an interest in Central Asian governments since at least 2014, pursuing targets in Kyrgyzstan and Uzbekistan.
Official attribution of Exchange Server exploitation expected.
The US Government expects to issue a formal attribution of Microsoft Exchange Server hacks "in the coming weeks," The Hill reports Anne Neuberger, Deputy National Security Advisor for Cyber, as saying on Tuesday. Microsoft announced the discovery of that campaign back in March; Redmond has attributed the hostile activity to Hafnium, a Chinese-government-run threat actor.
10 Reasons Why Industrial Organizations Need Better Asset Visibility
Industrial asset owners can’t secure their environment without full visibility of their network assets. So we developed an infographic that visualizes 10 ways OT asset visibility can lay the foundation for your industrial cybersecurity strategy. Get it today!
Inadvertently signed malicious rootkit under investigation.
GData a week ago this past Friday announced that it had found a malicious rootkit inadvertently signed by Microsoft. The company notified Microsoft, who, as GData puts it, "promptly added malware signatures to Windows Defender and are now conducting an internal investigation."
GData noticed that a Microsoft-signed driver called “Netfilter” was communicating with Chinese command-and-control IPs that contributed no obvious legitimate functionality, and that raised their suspicions. Their investigation led them to conclude that Netfilter was malware.
Microsoft’s Security Response Center said, “Microsoft is investigating a malicious actor distributing malicious drivers within gaming environments. The actor submitted drivers for certification through the Windows Hardware Compatibility Program. The drivers were built by a third party. We have suspended the account and reviewed their submissions for additional signs of malware.”
The problems seem confined to the gaming sector, and specifically to the gaming sector in China. Redmond also says the risk is a post-exploitation one: "an attacker must either have already gained administrative privileges in order to be able to run the installer to update the registry and install the malicious driver the next time the system boots or convince the user to do it on their behalf." Microsoft thinks the hackers' goal was to spoof geolocation and thus enable themselves to play from anywhere. The hackers also seem likely to be able to gain an advantage in certain games over other players, and may be interested in compromising their competitors’ accounts by using commodity hacking tools like widely available keyloggers.
How threats to industrial control systems are taking shape.
Trend Micro this week released a study of ransomware's growing infestation of industrial control systems. "Ryuk (20%), Nefilim (14.6%), Sodinokibi (13.5%) and LockBit (10.4%) variants" accounted for a majority of the incidents Trend Micro investigated. The researchers wrote “Ransomware in ICS could lead to loss of view and control of physical processes, since such attacks encrypt a variety of files, including image and configuration files, that are necessary for rendering the interface. This in turn leads to loss of revenue due to disrupted operations. Victims could also lose money from extortion schemes as more ransomware operators also threaten to publicize stolen data.”
Their report led with ransomware, which seems right, given the current prominence that particular kind of threat now has, but they also discussed coinminers. These can have a bad effect on the operation of ICS endpoints, rendering them slow and unresponsive, particularly when those endpoints are running old operating systems or have limited CPU capacity. Both of these conditions are common enough in ICS environments.
Industrial countries are infected in different ways and at different rates. China is the leading sufferer of legacy malware, the US has to put up with the highest rates of ransomware infections, and India is the unfortunate leader in the tally of coinjacking victims.
Announcing our Independence Day sale.
For a limited time only, subscribe to get three free months when you sign up for an annual subscription! That’s three months of free access to all our premium content that keeps you ahead of developments in cyber. Subscribe today.
Developments in the cybercriminal underworld.
Proofpoint has concluded that Cobalt Strike, the well-known legitimate penetration-testing tool, is becoming increasingly popular as an initial access payload deployed by threat actors. It's become a commodity tool, more often used by cybercriminals than by state-run advanced persistent threats. Criminal activity using Cobalt Strike peaked in 2019 and 2020 and has fallen off somewhat since, but it remains a problem.
Crediting research by Accenture, CyberScoop reports that the Hades ransomware gang is coming into sharper focus. It's recently been targeting "consumer goods and services, insurance and manufacturing and distribution industry sectors." It's also added Phoenix Cryptolocker to its arsenal. Unlike other ransomware groups, Hades does not appear to use an affiliate network. Attribution remains murky, with various researchers calling it a new group, and others linking Hades to either Russian or Chinese threat actors.
Criminal markets continue to develop similarities with legitimate markets. LIFARS has shared a new wrinkle in this trend with Fast Company: cybercriminal groups are investing in promising new ransomware enterprises in much the way venture capital firms invest in tech start-ups. In exchange for financial support, the criminal backers receive a cut of future profits. Criminal operations like ransomware are, for the most part, self-funded, but they have their start-up expenses, too, and even hoods need to eat while they’re waiting for the victims to pay up.
Some of those start-up costs may include hiring skilled coders who can build or modify the ransomware, they need infrastructure to process payment and distribute decryptors, and they need access to deep-pocketed targets. They could phish for that access themselves, but increasingly they find that it’s easier to buy that from criminal initial access brokers who’ve already phished, stolen, or brute-forced compromised systems.
As far as investors are concerned, LIFARS CEO Ondrej Krehel says it's a way of spreading your risk around. “You can put all your money in one basket or you can diversify,” he told Fast Company.
Of course, like Cobalt Strike, cryptocurrency is far from being inherently nefarious. It has plenty of legitimate uses. But cryptocurrency has undeniably acquired a bad reputation. FireEye’s CEO Kevin Mandia told CNBC that “it’s an enabler that you can break in anonymously and be paid anonymously, and now you can commit crime from 10,000 miles away in a safe harbor.”
Not everyone agrees, it’s important to note. CNBC also quotes Katie Haun, a partner at venture capital firm Andreessen Horowitz, an investor in crypto start-ups, who says it’s a “myth that bitcoin is good for criminal activity.” “Crypto is a step-level function improvement above the existing financial system in terms of traceability,” Haun said, drawing on her former experience as a prosecutor. “The fact is, when crypto is used for illicit activity it leaves ... digital bread crumbs, and I can tell you that, firsthand, I used blockchain technology to actually solve crimes.”
Thus it seems not so much the alt-coin as the criminals’ base of operations that presents the problem. If the extortionists work with the tacit or explicit permission of a host government, it’s difficult to bring them to book, which is what Mandia appeared to have in mind when he told CNBC that governments had an important role to play in suppressing ransomware: “We have to consider all the tools of diplomacy to back the desired outcome we want, which is quite frankly to make sure that there’s risks imposed to those who take advantage of cyberspace and the anonymity it offers,” he said.
REvil expands to Linux machines.
AT&T’s Alien Labs, working from a tip it received from the MalwareHuntingTeam, has been tracking new samples of REvil ransomware that indicate the gang’s expansion into new fields of activity. REvil has hitherto concentrated on attacking Windows machines. But Alien Labs has confirmed, with at least four samples, that REvil has branched out into the Linux world. In this REvil is following the lead of other ransomware outfits, notably DarkSide. The first confirmed REvil activity against Linux systems appears to date to this past May.
Grow your brand, generate leads, and fill that sales funnel.
Each month our programs reach over a quarter of a million unique listeners that care about cybersecurity, including some of the most influential leaders and decision-makers in the industry. From the Fortune 10 to emerging startups, we have options to help you reach your goals and to fit your budget. Contact us today to get our media kit and learn about sponsorship opportunities.
Crime and punishment.
DoubleVPN, a service based in Russia that catered to cybercriminals by helping them obscure both their physical location and originating IP address, was taken down in an international law enforcement operation, BleepingComputer reports. As its name suggests, DoubleVPN double encrypted (at least) data that transited its service. The takedown notice on what’s left of doublevpn dot com says:
“On 29th of June 2021, law enforcement took down DoubleVPN. Law enforcement gained access to the servers of DoubleVPN and seized personal information, logs and statistics kept by DoubleVPN about all of its customers. DoubleVPN’s owners failed to provide the services they promised.
The cooperating agencies who took DoubleVPN down list themselves as Germany's BKA, the Netherlands's Politie, the US FBI, the UK National Crime Agency, the US Secret Service, the Royal Canadian Mounted Police, Eurojust, Switzerland's Polizia Cantonale, Europol, Bulgaria's GDBOP, and the Swedish National Police.
Britain’s NCA, which credited the Netherlands with leading the effort, tweeted that “DoubleVPN was advertised on both Russian and English-speaking cyber crime forums as a service which provided anonymity to those seeking to carry out cyber attacks. Its cheapest virtual private network (VPN) connection cost as little as £19.” NCA assessed the action as “extremely significant,” adding that “Not only have we successfully effected the takedown of DoubleVPN, but it is the first time law enforcement has been able to take direct action against a criminal enabling service of this type.”
And, in another law enforcement action, Colombian authorities have arrested the alleged distributor of the Gozi virus, the Washington Post reports. Mihai Ionut Paunescu was taken into custody as he was passing through the airport in Bogota. He faces the prospect of extradition to New York, where US authorities intend to try him for computer intrusion and bank fraud. Mr. Paunescu is alleged to have provided the bulletproof hosting service used to distribute Gozi and other malware.
The US Secret Service has revived its most-wanted list of suspected cybercriminals. As suits a remit narrower than the FBI's, the Secret Service's list is confined to cases of financial fraud under investigation by its Cyber Fraud Task Forces. They welcome tips; if you've got any, email them to firstname.lastname@example.org.
Policies, procurements, and agency equities.
The International Institute for Strategic Studies (IISS) has published a long research paper ranking the world’s major cyber powers. “Cyber Capabilities and National Power: A Net Assessment,” says the US is number one. “What sets the US apart on offensive cyber is its ability to employ a sophisticated, surgical capability at scale,” the report says.
It didn’t consider all the states it might have. Four of the Five Eyes are in the assessment, but they left out New Zealand, which seems a curious omission. Three states IISS calls “close cyber allies of the Five Eyes were included: France, Israel and Japan, whereas others, notably Germany, the Netherlands, the Nordic countries, and former Warsaw Pact members now aligned with NATO were left out. The familiar four adversaries (China, Russia, Iran and North Korea) are in the study. And they included four “developing cyber states,” namely India, Indonesia, Malaysia and Vietnam.
Mergers, acquisitions, investments, and exits.
SecurityWeek looked back at June and counted thirty-seven mergers and acquisitions across the sector last month.
One of the most significant business events, of course, was SentinelOne's initial public offering. Seeking Alpha says the company is now valued higher than expected, at $11 billion. The company raised $1.2 billion, which the Times of Israel notes is being "touted as the largest ever initial share offering by a cybersecurity firm."