Ransomware and force majeure at South African ports.
The South African ports of Cape Town and Durban a week ago this past Thursday disclosed that operations had been disrupted by an unspecified cyberattack, Reuters reports. According to IOL, the disruptions appear to be connected to problems at Johannesburg-based and state-owned intermodal transportation company Transnet, with road transportation to the port of Durban also seeing the effects of the attack. Splash 24/7 says that Transnet has identified and isolated the source of the incident, but that it's released no details of the cyberattack itself. Services are resuming manually, with priority going to refrigerated containers.
Moneyweb reports that South Africa's Transnet has declared force majeure (and thus claimed relief from liability) in a letter to its customers, acknowledging that what was initially described as "disruption on an IT network" amounted to “an act of cyber-attack, security intrusion and sabotage.” The letter explains, “Investigators are currently determining the exact source of the cause of compromise and extent of the ICT data security breach/sabotage. Transnet is implementing all available and reasonable mitigation measures to limit the impact of this compromise." According to Bloomberg, operations at South Africa's six major container ports have been disrupted.
By Wednesday Reuters had reported that South Africa's Ministry of Public Enterprises had announced that service is being restored at ports operated by the state-owned logistics organization Transnet. The ports of Durban, Ngqura, Port Elizabeth and Cape Town were all affected by ransomware. Durban is fully operational; Eastern Cape ports are expected to return to normal capacity soon. The condition of force majeure should be lifted soon.
Alleged abuse of lawful intercept tools.
Morocco World News claims that French President Macron was not spied on by Moroccan intelligence services using NSO's Pegasus, but rather by other parties using tools from the UAE company DarkMatter.
Amnesty International published more criticism of NSO Group's alleged role as an enabler of surveillance by repressive regimes.
Israel's Ministry of Defense tweeted Wednesday that "Representatives from a number of bodies came to NSO today to examine the publications and allegations raised in its case." NSO Group confirmed to Motherboard that they had indeed been visited, that they welcomed the visit, which had been conducted by prior arrangement, and that the company expected any investigation to clear them of the allegations surfacing in the Pegasus Project.
Kaseya's recovery.
Where Kaseya got the decryptor for REvil ransomware remains unclear. CNN reports that Kaseya is requiring businesses that want to receive the key to sign a non-disclosure agreement before the decryptor is released to them. Emsisoft has verified that the key works, but it's not disclosing where it came from, either. It's worth noting, as Threatpost does, that decrypting locked files still leaves open the possibility that REvil could sell, publish, or otherwise abuse data stolen over the course of the attack. Kaseya's most recent update on the incident came Friday afternoon, and simply said that the company was supplying the key and helping customers decrypt affected files.
On Monday Kaseya responded to widely circulated speculation that it had paid off the REvil gang to obtain a decryptor with a categorical denial that it had either paid ransom or negotiated with the extortionists. There's no word on reasons for the non-disclosure agreement (NDA) Kaseya asked customers to sign, and which prompted much of the speculation that ransom had been paid, but, as experts interviewed by ZDNet note, there's nothing inherently nefarious about an NDA.
Islamic Revolutionary Guard Corps' (apparently) leaked staff notes on cyberattack techniques.
Sky News has obtained and published documents it believes represent planning by the Shahid Kaveh unit of Iran's Revolutionary Guard Corps for cyberattacks against ships and oil facilities. The documents also indicate an interest in satellite communication systems, especially as they're used in maritime operations, and in building control systems. Western firms, particularly companies in the UK, the US, and France, figure among the intelligence targets.
Haaretz looked at the documents Sky News obtained that appear to be Iranian studies of cybersabotage operations, and points out that the documents are based on readily available open sources. They aren't, in themselves, offensive planning documents, and could be equally relevant to defensive measures. There’s a term-paperish quality about them that falls well short of what an actual operations plan might look like. Still, the possibility of cybersabotage is worth keeping an eye on.
MeteorExpress and a wiper attack against Iran's rail system.
The cyberattack that affected rail operations in Iran early this month is now believed, the Record reports, to have been a wiper attack as opposed to the ransomware originally suspected. There's no attribution so far, although some political taunting on train station message boards (along the lines of "send your complaints to Supreme Leader Khamenei’s office") may suggest at least a partial motive. SentinelOne, which has obtained a copy of the malware and analyzed the attack chain, says it's been unable to associate the attack with any known group. They call the campaign "MeteorExpress," and think that the wiper deployed ("Meteor") was designed to be reused.
Cozy Bear command-and-control servers identified.
RiskIQ yesterday morning reported having identified more than thirty active APT29 command-and-control servers delivering WellMess and WellMail malware, espionage tools CISA identified last year as particularly active against COVID-19 vaccine development efforts in the UK, Canada, and the US. APT29, also commonly known as Cozy Bear, is of course generally associated with Russia's SVR.
Bloomberg sees the discovery as evidence that Russia isn't taking US complaints of cyber activity targeting critical sectors particularly seriously. Indeed, the Russian embassy in Washington was positively blasé, simply referring inquirers to their earlier statement that people should avoid “sweeping accusations,” and saying that further discussions with the US would surely “improve the security of the information infrastructure of our countries.”
“Often when an APT group receives a lot of public attention, either in security research or politically, it goes to ground for a bit until the heat is off,” Kevin Livelli, RiskIQ’s director of threat intelligence, told Bloomberg. “Our findings show that APT29 is back to business as usual, despite widespread exposure in the SolarWinds episode, and a high-level summit where President Biden leaned on President Putin to be less aggressive in cyberspace. In fact, APT29 is using the same malware they used to steal Covid-19 research a year ago, despite the fact that the U.S., U.K., and Canadian governments called them out on it. They haven’t missed a beat.” As RiskIQ’s own report puts it, “The activity uncovered was notable given the context in which it appeared, coming on the heels of a public reproach of Russian hacking by President Joe Biden in a recent summit with President Vladimir Putin.”
Beijing One Pass is spyware.
Recorded Future's Insikt Group has evaluated Beijing One Pass, an employee benefits application the Chinese government provides to companies doing business in that country. The app appears to be spyware. "[T]he installed application exhibits characteristics consistent with potentially unwanted applications (PUA) and spyware.... Some notable suspicious behaviors relate to several dropped files and subsequent processes initiated from the primary application. These behaviors include a persistence mechanism, the collection of user data such as screenshots and keystrokes, a backdoor functionality, and other behaviors commonly associated with malicious tools, such as disabling security and backup-related services."
At the time of writing, it is unclear if the spyware features were added inside the Beijing One Pass software on purpose or if they were inserted after a compromise of the company’s software development pipeline.
Recorded Future called BJCA, the state-owned enterprise that makes Beijing One Pass, but they were unwilling to comment.
“While information about how the spyware functionality made it inside the app is still shrouded in mystery, [its] presence is undeniable. Furthermore, companies doing business in China may not have an option and may be forced to install the software,” Recorded Future writes. If you are forced to install it, isolate the app and keep it away from systems that handle sensitive information.
Beijing One Pass isn’t the first app that Chinese authorities pressure foreign companies to install that has exhibited troubling behavior. As Recorded Future gracefully points out, a little more than a year ago Trustwave Labs found that a Chinese bank was requiring foreign companies operating in the country to install an app to file taxes with local governments. That app was backdoored.
Ransomware rebranding?
REvil may have reconstituted and rebranded itself as BlackMatter, although it's difficult to be sure. Forcepoint has found chatter on the "high-tier Russian-language illicit forums XSS and Exploit" that suggests BlackMatter is REvil's successor. BlackMatter registered itself on July 19th; two days later they advertised for people willing to sell access to large Western corporations. Recorded Future says that BlackMatter claims to have incorporated the best (in a criminal sense) of both REvil and DarkSide.
REvil announced its occultation on July 13th, the same day XSS banned REvil's spokesman from the forum. BlackMatter doesn't openly claim to be either REvil redux or a ransomware operation, and so keeps narrowly within the forum terms and conditions, but the wink-and-nod circumlocution in BlackMatter's chatter suggests to Forcepoint that that's indeed who the new group may be.
Another ransomware gang that may be the successor of older, notorious groups is Haron, whose emergence is described by S2W Lab. Haron's approach incorporates features of both Thanos and Avaddon. So far Haron has publicly claimed only one victim.
And, finally, Zscaler says that DoppelPaymer, which had been quiet for a bit, seems to have re-emerged as “Grief.” All of this rebranding constitutes a low-order form of misdirection--the criminal equivalent of the magician’s “nothing up my sleeve”--and probably should by now be considered a regular phase of the criminal-to-criminal market’s business cycle.
Patch news.
There's speculation (see the Register and 9to5Mac) that this week's iOS fix addressed vulnerabilities exploited by NSO Group's Pegasus spyware.
Crime and punishment.
The US Justice Department has dropped visa fraud charges against five Chinese researchers accused of gathering intelligence at US universities, the Wall Street Journal reports. The Journal explains, "A senior Justice Department official said the punishment for the crimes the researchers were charged with usually amounted to around a few months in prison, and the defendants had all been detained or under other restrictions in the U.S. since their arrest a year ago. That led the agency to determine that further litigation in the group of cases would unnecessarily prolong their departure from the U.S. and that their situations since their arrests amounted to sufficient punishment and deterrence."
An Estonian citizen has pleaded guilty in the District of Alaska to operating a proxy botnet, the Record reports. The Justice Department stated, "According to court documents, Pavel Tsurkan, 33, operated a criminal proxy botnet by remotely accessing and compromising more than 1,000 computer devices and internet routers worldwide, including at least 60 victims in Alaska. He used the victims’ devices to build and operate an Internet of Things (IoT)-based botnet dubbed the “Russian2015” using the domain Russian2015.ru. He modified the operation of each compromised internet router so it could be used as a proxy to transmit third-party internet traffic without the owners’ knowledge or consent. He then sold access to global cybercriminals who channeled their traffic through the victims’ home routers, using the victims’ devices to engage in spam campaigns and other criminal activity. The Alaska victims experienced significant data overages even when there were no home computers connected to the victims’ home networks. The data overages resulted in hundreds to thousands of dollars per victim."
A 60-year-old Tennessee man, Mark Herring, died of a heart attack last year after being swatted by someone who wanted his Twitter handle, "@Tennessee," the Guardian reports. Shane Sonderman of Tennessee and an unnamed British minor are accused of harassing Herring before calling the police on him in April 2020. Sonderman pleaded guilty to conspiracy and was sentenced to five years in prison.
A 22-year-old UK citizen, Joseph O’Connor, has been arrested in Spain on US charges of involvement in the July 2020 Twitter hack. The US Justice Department stated, "According to court documents, in addition to the July 15, 2020, hack of Twitter, O’Connor is charged with computer intrusions related to takeovers of TikTok and Snapchat user accounts. O’Connor is also charged with cyberstalking a juvenile victim. O’Connor is charged with three counts of conspiracy to intentionally access a computer without authorization and obtaining information from a protected computer; two counts of intentionally accessing a computer without authorization and obtaining information from a protected computer; one count of conspiracy to intentionally access a computer without authorization and, with the intent to extort from a person a thing of value, transmitting a communication containing a threat; one count of making extortive communications; one count of making threatening communications; and two counts of cyberstalking."
Joshua Schulte, a former CIA software engineer facing espionage charges in US Federal court, has received permission to represent himself in his upcoming trial, the Washington Post reports.
Courts and torts.
In a landmark ruling, a US federal judge has decided that the investigative report resulting from Rutter’s convenience store’s 2019 data breach is not privileged information, the Legal Intelligencer reports. The breach, which was the result of a malware attack on the Pennsylvania-based convenience store chain, compromised customer payment card information and led victims to file a class-action lawsuit. Rutter’s counsel enlisted Kroll Cyber Security to conduct a forensic investigation into the breach, and while the plaintiffs requested that the report be produced as evidence, Rutter’s argued the report was protected by the attorney-client and work product privileges. The decision from US Magistrate Chief Judge Karoline Mehalchick allows the plaintiffs to compel production of the document, as the language in Rutter’s contract with Kroll indicates “the purpose of the investigation was to determine whether data was compromised, and the scope of such compromise if it occurred. Without knowing whether or not a data breach had occurred, defendant cannot be said to have unilaterally believed that litigation would result.” The ruling could set a precedent for future data breach litigation.
Policies, procurements, and agency equities.
US President Biden Wednesday morning issued a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. Among other goals, the Memorandum seeks to initiate development of "baseline cybersecurity goals that are consistent across all critical infrastructure sectors, as well as a need for security controls for select critical infrastructure that is dependent on control systems."
Fortunes of commerce.
Reuters reports that a British court has rejected an attempt by Darktrace founder Mike Lynch to block his extradition to the US related to seventeen counts of alleged conspiracy and fraud. Reuters notes, "The potential extradition threat was clear in Darktrace’s April stock market float. Lynch may be forced to sell his 4.5% stake if he is convicted and the 4.5 billion pound cyber firm warned in its prospectus that a prosecution could put the company and prospective shareholders at risk of money-laundering charges."