Rapid7 will pay approximately $335 million to acquire IntSights and provide customers with a unified view into threats, attack surface monitoring, relevant insights, and proactive threat mitigation for organizations of any size or level of security maturity. This acquisition also enhances Rapid7’s industry-leading, cloud-native extended detection and response (XDR) offering, InsightIDR, by enabling high-quality, high-fidelity alerts to ensure efficient security operations, earlier threat detection, and accelerated response times. Learn more about the acquisition here.
The CyberWire is pleased to announce that Microsoft Security's popular podcast, "Security Unlocked," is joining the rapidly growing CyberWire Podcast Network. Each week, the hosts of the show, Nic Fillingham and Natalia Godyla, examine the latest innovations in threat intelligence, security research, and data science, with a special focus on understanding the use of artificial intelligence and machine learning in cybersecurity.
The SolarWinds campaign successfully hit accounts in twenty-seven US Attorneys' offices, the US Department of Justice said late last week. Among the offices most affected were the Eastern, Northern, Southern, and Western Districts of New York, where 80% of employees' Office 360 accounts were compromised. The US has attributed the campaign to Russia's SVR.
Justice stated, "The Department is responding to this incident as if the Advanced Persistent Threat (APT) group responsible for the SolarWinds breach had access to all email communications and attachments found within the compromised O365 accounts. The APT is believed to have access to compromised accounts from approximately May 7 to December 27, 2020. The compromised data included all sent, received, and stored emails and attachments found within those accounts during that time."
Cybereason on Tuesday described a major cyberespionage campaign against Southeast Asian telecommunications providers in five unnamed countries. The researchers identified three "clusters" of activity, run by SoftCell, Naikon, and (possibly) Emissary Panda. The operators exploited Microsoft Exchange vulnerabilities against telcos with a view to facilitating espionage against other, high-value targets. "These targets are likely to include corporations, political figures, government officials, law enforcement agencies, political activists and dissident factions of interest to the Chinese government." Cybereason describes the following three clusters of activity:
Last month, MITRE Engenuity released its First ATT&CK® Evaluations for ICS to examine how cybersecurity products from five vendors detected the threat of Russian-linked Triton malware. Watch our on-demand webinar to hear highlights of what it was like to participate in this 5-day simulation from the Dragos team who took part, including:
A cyberattack on Sunday took down COVID-19 vaccination scheduling capabilities in the Italian region of Lazio. CNN reports that local authorities say they'd received a general, non-specific ransom demand. Accounts are confusing, but it appears that the incident was a ransomware attack. Italian authorities have offered assurances that those who've already scheduled their vaccination should expect to be able to receive it on schedule.
AT&T Alien Labs has published a report on FatalRAT, which, as its name suggests, is a remote access Trojan. FatalRAT has recently spread through Telegram via links that appear to be software downloads or news articles. Its capabilities include evasion, system persistence, keylogging, collection of system information, and exfiltrating data via encrypted command-and-control channels.
The LemonDuck botnet, once known as a small-potatoes cryptojacking operation, has outgrown its origins, the Record reports. It's become "massive," and shows signs of expanding its capabilities to include "hands-on-keyboard intrusions into hacked networks." This suggests a possible move into ransomware or destructive attacks in the near future.
Ophir Harpaz, a malware analyst at Guardicore, told the Record, "What is different about the LemonDuck group is their persistence – and for once, I’m not talking about persistence on infected machines, but persistence in the landscape of botnet campaigns. They started in March 2019 and literally never stopped since. There was not a single month where we didn’t observe a LemonDuck attack hitting our threat sensors. With such consistent campaigns, threat actors must up their game to stay powerful. It is, therefore, no surprise that LemonDuck, which has been running for more than two years, evolves into a much more aggressive campaign with multiple variants and infrastructures."
ThreatConnect SOAR combines threat intelligence, analytics, and orchestration into one place to enable faster, more informed decisions. Because threat intelligence is baked in, there’s no need for complicated data manipulation or time-intensive look-ups: it’s all converted to a predictable and easily understood format while still preserving the source’s attribution information and reputation details. Is your SOAR smart enough to do that? Learn more about the industry’s smarter SOAR.
Group-IB describes a significant entrant in the criminal-to-criminal marketplace, the Prometheus TDS (Traffic Direction System), which distributes malicious files and directs victims to malicious sites:
"Prometheus TDS is an underground service that distributes malicious files and redirects visitors to phishing and malicious sites. This service is made up of the Prometheus TDS administrative panel, in which an attacker configures the necessary parameters for a malicious campaign: downloading malicious files, and configuring restrictions on users' geolocation, browser version, and operating system.
"To prevent victims of malicious campaigns from interacting with the administrative panel directly, which may result in the attacker's server being disclosed and blocked, Prometheus TDS uses third-party infected websites that act as a middleman between the attacker's administrative panel and the user. It should also be mentioned that the list of compromised websites is manually added by the malware campaign's operators. The list is uploaded through importing links to web shells. A special PHP file named Prometheus.Backdoor is uploaded to the compromised websites to collect and send back data about the user interacting with the administrative panel. After analyzing the data collected, the administrative panel decides whether to send the payload to the user and/or to redirect them to the specified URL."
The researchers note that this service is being used to distribute Hancitor, Campo Loader, IcedID, QBot, SocGholish, Buer Loader, and others. The most active malware campaign observed by Group-IB targeted users in Belgium, while others targeted "US government agencies, companies, and corporations in various sectors (banking and finance, retail, energy and mining, cybersecurity, healthcare, IT, and insurance)."
Positive Technologies on Tuesday reported widespread activity by APT31 (also known as Zirconium, Judgment Panda, and Hurricane Panda), a Chinese cyberespionage group associated with collection against governments in pursuit of Beijing's strategic goals. Between January and July of this year the campaign used phishing emails to prospect targets in Mongolia, Canada, Belarus, the United States, and, unusually, Russia. Positive Technologies, close to the Russian government and a participant in the GosSOPKA information-sharing system Russia's CERT oversees, intends to keep Russian organizations in particular apprised of APT31's activities. The company believes this marks Hurricane Panda's first significant effort against Russian targets.
CrowdStrike on Wednesday published a description of Prophet Spider, a criminal gang that's been active since at least 2017. Active against both Windows and Linux systems, the gang has recently been observed exploiting CVE-2020-14882 and CVE-2020-14750 to gain access to unpatched Oracle WebLogic servers and thence to victims' environments. CrowdStrike sees Prophet Spider as opportunistic in its choice of targets, which have included energy, financial services, manufacturing, retail, and technology companies. The gang has also been selling initial access to a variety of ransomware operators.
CrowdStrike notes, "Since PROPHET SPIDER gains access via web servers or other public-facing servers, they will often initially compromise a Linux-based system. Once initial access is obtained on a Linux system, PROPHET SPIDER typically deploys a webshell, reverse shell binary or a perl reverse shell script (commonly named bc.pl) as their initial persistence mechanism. PROPHET SPIDER demonstrates a good understanding of the Linux command shell and uses a wide range of commands to enumerate system process, account and networking information."
The company adds that administrators "should watch for a large number of failed logins, or anonymous logons, originating from the Linux system targeting Windows systems. Special attention should be paid to any legacy systems such as Windows Server 2003 that may exist in the environment, as these can be easier targets for initial lateral movement."
We are proud to share that Microsoft Security's popular podcast Security Unlocked has joined CyberWire's rapidly growing Podcast Network. Each week hosts Nic Fillingham and Natalia Godyla examine latest innovations in threat intelligence, security research, & data science. Be sure to check it out.
Recorded Future talked with someone claiming to represent BlackMatter, presumptive ransomware successor to DarkSide. BlackMatter attributes its predecessors' occultation to "the geopolitical situation." Chainalysis says that tracing money through the blockchain has enabled it to confirm that BlackMatter is indeed a rebranding of DarkSide, and not merely a newly formed group that's learned from its predecessors' best practices.
The Record reports that US Deputy National Security Advisor Neuberger sees BlackMatter's policy of not hitting critical infrastructure (described during the same interview in which the gang said it wasn't merely warmed-over DarkSide) as a hopeful sign that the US message about prohibited targets is getting through. Neuberger's remarks have been greeted with some skepticism (by NBC's Kevin Collier, for example, who regards them as reposing unwarranted trust in the word of a criminal). Her remarks, however, seem more measured than naive. DarkMatter said they were acting out of self-interested concern over government countermeasures, and Neuberger did say that the "proof would be in the pudding."
We're offering a large discount for CyberWire Pro to military members, both active duty and reservists, and to students. What can you do with a Pro subscription? Glad you asked. Many cybersecurity professionals subscribe to and rely on CyberWire Pro to stay up-to-date on developments in the field, and you can enjoy full access to Pro for actionable reporting, analysis and insight concerning the global information security industry. Contact us today to receive your discount, Or to get a personalized tour of CyberWire Pro.
Kela tracks the recent fortunes of initial access brokers (IABs) in a report released on Monday. The researchers note that, "With RDP and VPN-based access being the most common offer, IABs find new attack vectors and accommodate the changing software targets of ransomware gangs, including network management software and virtual servers." Kela also found that the average price for network access during the past year was $5,400.
The company adds that these actors are growing more organized, stating, "IABs have become professional participants of the RaaS economy. They constantly find new initial access vectors, expanding the attack surface, and follow their customers’ demands. It requires network defenders to track IABs activities and all other actors who have formed around ransomware."
While port services have resumed, the effects of the cyberattack on South Africa's Transnet continue to linger. Asiafruit reports that deliveries of fresh produce have been significantly disrupted, and Automotive Logistics sees shortages in auto parts. The container terminals affected were located in Durban, Ngqura, Port Elizabeth, and Cape Town, according to CNBC.
vpnMentor reports finding an unsecured database maintained by business-to-business marketing firm OneMoreLead. The database included personal data on between 63 million and 126 million people in the US. OneMoreLead secured the data after vpnMentor contacted them. How the data were collected in the first place remains unclear.
Forescout and JFrog on Wednesday disclosed their discovery of fourteen vulnerabilities in the NicheStack TCP/IP stack, widely used in OT and industrial IoT environments. The vulnerabilities, collectively dubbed "INFRA:HALT," could be exploited for remote code execution, denial-of-service, information theft, TCP spoofing, or DNS cache poisoning. Forescout and JFrog state, "General recommended mitigations for INFRA:HALT include limiting the network exposure of critical vulnerable devices via network segmentation and patching devices whenever vendors release patches. Some of the vulnerabilities can also be mitigated by blocking or disabling support for unused protocols, such as HTTP."
Huawei CFO Meng Wanzhou's extradition hearings have entered their final stages, Bloomberg reports. Wanzhou's defense has alleged that the US acted "in bad faith" and presented misleading reasons for her extradition. According to the Associated Press, Canadian Justice Department lawyer Monika Rahman stated on Thursday, "Such allegations require cogent evidence to be proven, evidence of a quality that is not before this court." The US has accused Wanzhou of violating sanctions against Iran. She's been detained in Canada since December 2018 (though she is free on bail).
The US Justice Department has unsealed an indictment of six individuals—three in the US and three in Africa—who have been charged with stealing more than $1.1 million from a businessperson seeking to fund the construction of a children's school in Qatar. The six defendants were allegedly involved in the scheme with Ramon Olorunwa Abbas (also known as "Hushpuppi"), a Nigerian national who pleaded guilty to his involvement on April 20th.
The Justice Department stated, "According to the indictment, Abbas allegedly conspired with Abdulrahman Imraan Juma, a.k.a. 'Abdul,' 28, of Kenya, and Kelly Chibuzo Vincent, 40, of Nigeria, to defraud the Qatari businessperson by claiming to be consultants and bankers who could facilitate a loan to finance construction of the planned school. Juma allegedly posed as a facilitator and consultant for the illusory bank loans, while Abbas played the role of “Malik,” a Wells Fargo banker in New York, according to court documents. Vincent, in turn, allegedly provided support for the false narratives fed to the victim by, among other things, creating bogus documents and arranging for the creation of a fake bank website and phone banking line. Yusuf Adekinka Anifowoshe, a.k.a. 'AJ,' 26, of Brooklyn, New York, allegedly played a role in the fraud, assisting Abbas with a call to the victim posing as 'Malik.' Special agents with the FBI arrested Anifowoshe in New York on July 22."
Amazon has been hit with a €746 million ($887 million) fine by Luxembourg's National Commission for Data Protection (CNPD) for alleged GDPR violations concerning the processing of personal data, the Wall Street Journal reports. The Journal notes that this is "by far the largest-ever fine under the EU’s data-protection law." Amazon says it will appeal in court, stating, "The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation."
Zoom has agreed to pay $85 million to settle a class-action lawsuit regarding the company's data sharing practices, misleading claims about end-to-end encryption, and allegedly shoddy security practices (particularly those which led to "Zoombombing"), the Register reports. In addition to the payment, Zoom has also agreed to implement additional security protections. The company said in a statement, "The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us."
The US Senate Committee on Homeland Security and Governmental Affairs staff report “Federal Cybersecurity: America’s Data Still at Risk” concludes, “Large-scale cyber incidents…make the longstanding vulnerabilities repeatedly documented by Inspector Generals all the more concerning.” The report notes that seven agencies—State, Housing, Transportation, Agriculture, Health, Social Security, and Education–“still have not met the basic cybersecurity standards necessary to protect America’s sensitive data.” The agencies failed to fully deploy EINSTEIN, maintain asset inventories, protect PII, manage access, apply patches, and update unsupported software.
The US Coast Guard has updated its Cyber Strategic Outlook, FedScoop reports. The new additions seek to protect newer systems that track shipping and automate operations in ports.
The US Cybersecurity and Infrastructure Security Agency (CISA) on Friday released a Cybersecurity Workforce Training Guide for "for current and future federal, state, local, tribal, and territorial (SLTT) staff looking to expand their cybersecurity skills and career options." The agency states, "With over 100 training resources and certification prep courses, CISA’s new Guide can help cybersecurity professionals of all levels stay current and advance their careers."
Today's issue includes events affecting Belarus, Canada, China, Italy, Mongolia, Russia, South Africa, the United Kingdom, and the United States.
