SolarWinds campaign compromised US Attorneys' offices.
The SolarWinds campaign successfully hit accounts in twenty-seven US Attorneys' offices, the US Department of Justice said late last week. Among the offices most affected were the Eastern, Northern, Southern, and Western Districts of New York, where 80% of employees' Office 360 accounts were compromised. The US has attributed the campaign to Russia's SVR.
Justice stated, "The Department is responding to this incident as if the Advanced Persistent Threat (APT) group responsible for the SolarWinds breach had access to all email communications and attachments found within the compromised O365 accounts. The APT is believed to have access to compromised accounts from approximately May 7 to December 27, 2020. The compromised data included all sent, received, and stored emails and attachments found within those accounts during that time."
China-aligned threat actors target telecommunications companies.
Cybereason on Tuesday described a major cyberespionage campaign against Southeast Asian telecommunications providers in five unnamed countries. The researchers identified three "clusters" of activity, run by SoftCell, Naikon, and (possibly) Emissary Panda. The operators exploited Microsoft Exchange vulnerabilities against telcos with a view to facilitating espionage against other, high-value targets. "These targets are likely to include corporations, political figures, government officials, law enforcement agencies, political activists and dissident factions of interest to the Chinese government." Cybereason describes the following three clusters of activity:
- "Cluster A: Assessed to be operated by Soft Cell, an activity group in operation since 2012, previously attacking Telcos in multiple regions including Southeast Asia, which was first discovered by Cybereason in 2019. We assess with a high level of confidence that the Soft Cell activity group is operating in the interest of China. The activity around this cluster started in 2018 and continued through Q1 2021.
- "Cluster B: Assessed to be operated by the Naikon APT threat actor, a highly active cyber espionage group in operation since 2010 which mainly targets ASEAN countries. The "Naikon APT group was previously attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). The activity around this cluster was first observed in Q4 2020 and continued through Q1 2021.
- "Cluster C: A “mini-cluster” characterized by a unique OWA backdoor that was deployed across multiple Microsoft Exchange and IIS servers. Analysis of the backdoor shows significant code similarities with a previously documented backdoor observed being used in the operation dubbed Iron Tiger, which was attributed to a Chinese threat actor tracked by various researchers as Group-3390 (APT27 / Emissary Panda). The activity around this cluster was observed between 2017 and Q1 2021."
Disruptive cyberattack affects COVID-19 vaccination booking in Italy.
A cyberattack on Sunday took down COVID-19 vaccination scheduling capabilities in the Italian region of Lazio. CNN reports that local authorities say they'd received a general, non-specific ransom demand. Accounts are confusing, but it appears that the incident was a ransomware attack. Italian authorities have offered assurances that those who've already scheduled their vaccination should expect to be able to receive it on schedule.
FatalRAT distributed via Telegram.
AT&T Alien Labs has published a report on FatalRAT, which, as its name suggests, is a remote access Trojan. FatalRAT has recently spread through Telegram via links that appear to be software downloads or news articles. Its capabilities include evasion, system persistence, keylogging, collection of system information, and exfiltrating data via encrypted command-and-control channels.
LemonDuck botnet expands.
The LemonDuck botnet, once known as a small-potatoes cryptojacking operation, has outgrown its origins, the Record reports. It's become "massive," and shows signs of expanding its capabilities to include "hands-on-keyboard intrusions into hacked networks." This suggests a possible move into ransomware or destructive attacks in the near future.
Ophir Harpaz, a malware analyst at Guardicore, told the Record, "What is different about the LemonDuck group is their persistence – and for once, I’m not talking about persistence on infected machines, but persistence in the landscape of botnet campaigns. They started in March 2019 and literally never stopped since. There was not a single month where we didn’t observe a LemonDuck attack hitting our threat sensors. With such consistent campaigns, threat actors must up their game to stay powerful. It is, therefore, no surprise that LemonDuck, which has been running for more than two years, evolves into a much more aggressive campaign with multiple variants and infrastructures."
New malware distribution service.
Group-IB describes a significant entrant in the criminal-to-criminal marketplace, the Prometheus TDS (Traffic Direction System), which distributes malicious files and directs victims to malicious sites:
"Prometheus TDS is an underground service that distributes malicious files and redirects visitors to phishing and malicious sites. This service is made up of the Prometheus TDS administrative panel, in which an attacker configures the necessary parameters for a malicious campaign: downloading malicious files, and configuring restrictions on users' geolocation, browser version, and operating system.
"To prevent victims of malicious campaigns from interacting with the administrative panel directly, which may result in the attacker's server being disclosed and blocked, Prometheus TDS uses third-party infected websites that act as a middleman between the attacker's administrative panel and the user. It should also be mentioned that the list of compromised websites is manually added by the malware campaign's operators. The list is uploaded through importing links to web shells. A special PHP file named Prometheus.Backdoor is uploaded to the compromised websites to collect and send back data about the user interacting with the administrative panel. After analyzing the data collected, the administrative panel decides whether to send the payload to the user and/or to redirect them to the specified URL."
The researchers note that this service is being used to distribute Hancitor, Campo Loader, IcedID, QBot, SocGholish, Buer Loader, and others. The most active malware campaign observed by Group-IB targeted users in Belgium, while others targeted "US government agencies, companies, and corporations in various sectors (banking and finance, retail, energy and mining, cybersecurity, healthcare, IT, and insurance)."
APT31 targets Russia and others.
Positive Technologies on Tuesday reported widespread activity by APT31 (also known as Zirconium, Judgment Panda, and Hurricane Panda), a Chinese cyberespionage group associated with collection against governments in pursuit of Beijing's strategic goals. Between January and July of this year the campaign used phishing emails to prospect targets in Mongolia, Canada, Belarus, the United States, and, unusually, Russia. Positive Technologies, close to the Russian government and a participant in the GosSOPKA information-sharing system Russia's CERT oversees, intends to keep Russian organizations in particular apprised of APT31's activities. The company believes this marks Hurricane Panda's first significant effort against Russian targets.
Prophet Spider goes after web servers.
CrowdStrike on Wednesday published a description of Prophet Spider, a criminal gang that's been active since at least 2017. Active against both Windows and Linux systems, the gang has recently been observed exploiting CVE-2020-14882 and CVE-2020-14750 to gain access to unpatched Oracle WebLogic servers and thence to victims' environments. CrowdStrike sees Prophet Spider as opportunistic in its choice of targets, which have included energy, financial services, manufacturing, retail, and technology companies. The gang has also been selling initial access to a variety of ransomware operators.
CrowdStrike notes, "Since PROPHET SPIDER gains access via web servers or other public-facing servers, they will often initially compromise a Linux-based system. Once initial access is obtained on a Linux system, PROPHET SPIDER typically deploys a webshell, reverse shell binary or a perl reverse shell script (commonly named bc.pl) as their initial persistence mechanism. PROPHET SPIDER demonstrates a good understanding of the Linux command shell and uses a wide range of commands to enumerate system process, account and networking information."
The company adds that administrators "should watch for a large number of failed logins, or anonymous logons, originating from the Linux system targeting Windows systems. Special attention should be paid to any legacy systems such as Windows Server 2003 that may exist in the environment, as these can be easier targets for initial lateral movement."
BlackMatter ransomware updates.
Recorded Future talked with someone claiming to represent BlackMatter, presumptive ransomware successor to DarkSide. BlackMatter attributes its predecessors' occultation to "the geopolitical situation." Chainalysis says that tracing money through the blockchain has enabled it to confirm that BlackMatter is indeed a rebranding of DarkSide, and not merely a newly formed group that's learned from its predecessors' best practices.
The Record reports that US Deputy National Security Advisor Neuberger sees BlackMatter's policy of not hitting critical infrastructure (described during the same interview in which the gang said it wasn't merely warmed-over DarkSide) as a hopeful sign that the US message about prohibited targets is getting through. Neuberger's remarks have been greeted with some skepticism (by NBC's Kevin Collier, for example, who regards them as reposing unwarranted trust in the word of a criminal). Her remarks, however, seem more measured than naive. DarkMatter said they were acting out of self-interested concern over government countermeasures, and Neuberger did say that the "proof would be in the pudding."
A look at initial access brokers.
Kela tracks the recent fortunes of initial access brokers (IABs) in a report released on Monday. The researchers note that, "With RDP and VPN-based access being the most common offer, IABs find new attack vectors and accommodate the changing software targets of ransomware gangs, including network management software and virtual servers." Kela also found that the average price for network access during the past year was $5,400.
The company adds that these actors are growing more organized, stating, "IABs have become professional participants of the RaaS economy. They constantly find new initial access vectors, expanding the attack surface, and follow their customers’ demands. It requires network defenders to track IABs activities and all other actors who have formed around ransomware."
Effects of the cyberattack against South African ports.
While port services have resumed, the effects of the cyberattack on South Africa's Transnet continue to linger. Asiafruit reports that deliveries of fresh produce have been significantly disrupted, and Automotive Logistics sees shortages in auto parts. The container terminals affected were located in Durban, Ngqura, Port Elizabeth, and Cape Town, according to CNBC.
B2B marketing firm data breach.
vpnMentor reports finding an unsecured database maintained by business-to-business marketing firm OneMoreLead. The database included personal data on between 63 million and 126 million people in the US. OneMoreLead secured the data after vpnMentor contacted them. How the data were collected in the first place remains unclear.
Forescout and JFrog on Wednesday disclosed their discovery of fourteen vulnerabilities in the NicheStack TCP/IP stack, widely used in OT and industrial IoT environments. The vulnerabilities, collectively dubbed "INFRA:HALT," could be exploited for remote code execution, denial-of-service, information theft, TCP spoofing, or DNS cache poisoning. Forescout and JFrog state, "General recommended mitigations for INFRA:HALT include limiting the network exposure of critical vulnerable devices via network segmentation and patching devices whenever vendors release patches. Some of the vulnerabilities can also be mitigated by blocking or disabling support for unused protocols, such as HTTP."
Crime and punishment.
Huawei CFO Meng Wanzhou's extradition hearings have entered their final stages, Bloomberg reports. Wanzhou's defense has alleged that the US acted "in bad faith" and presented misleading reasons for her extradition. According to the Associated Press, Canadian Justice Department lawyer Monika Rahman stated on Thursday, "Such allegations require cogent evidence to be proven, evidence of a quality that is not before this court." The US has accused Wanzhou of violating sanctions against Iran. She's been detained in Canada since December 2018 (though she is free on bail).
The US Justice Department has unsealed an indictment of six individuals—three in the US and three in Africa—who have been charged with stealing more than $1.1 million from a businessperson seeking to fund the construction of a children's school in Qatar. The six defendants were allegedly involved in the scheme with Ramon Olorunwa Abbas (also known as "Hushpuppi"), a Nigerian national who pleaded guilty to his involvement on April 20th.
The Justice Department stated, "According to the indictment, Abbas allegedly conspired with Abdulrahman Imraan Juma, a.k.a. 'Abdul,' 28, of Kenya, and Kelly Chibuzo Vincent, 40, of Nigeria, to defraud the Qatari businessperson by claiming to be consultants and bankers who could facilitate a loan to finance construction of the planned school. Juma allegedly posed as a facilitator and consultant for the illusory bank loans, while Abbas played the role of “Malik,” a Wells Fargo banker in New York, according to court documents. Vincent, in turn, allegedly provided support for the false narratives fed to the victim by, among other things, creating bogus documents and arranging for the creation of a fake bank website and phone banking line. Yusuf Adekinka Anifowoshe, a.k.a. 'AJ,' 26, of Brooklyn, New York, allegedly played a role in the fraud, assisting Abbas with a call to the victim posing as 'Malik.' Special agents with the FBI arrested Anifowoshe in New York on July 22."
Courts and torts.
Amazon has been hit with a €746 million ($887 million) fine by Luxembourg's National Commission for Data Protection (CNPD) for alleged GDPR violations concerning the processing of personal data, the Wall Street Journal reports. The Journal notes that this is "by far the largest-ever fine under the EU’s data-protection law." Amazon says it will appeal in court, stating, "The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation."
Zoom has agreed to pay $85 million to settle a class-action lawsuit regarding the company's data sharing practices, misleading claims about end-to-end encryption, and allegedly shoddy security practices (particularly those which led to "Zoombombing"), the Register reports. In addition to the payment, Zoom has also agreed to implement additional security protections. The company said in a statement, "The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us."
Policies, procurements, and agency equities.
The US Senate Committee on Homeland Security and Governmental Affairs staff report “Federal Cybersecurity: America’s Data Still at Risk” concludes, “Large-scale cyber incidents…make the longstanding vulnerabilities repeatedly documented by Inspector Generals all the more concerning.” The report notes that seven agencies—State, Housing, Transportation, Agriculture, Health, Social Security, and Education–“still have not met the basic cybersecurity standards necessary to protect America’s sensitive data.” The agencies failed to fully deploy EINSTEIN, maintain asset inventories, protect PII, manage access, apply patches, and update unsupported software.
The US Coast Guard has updated its Cyber Strategic Outlook, FedScoop reports. The new additions seek to protect newer systems that track shipping and automate operations in ports.
The US Cybersecurity and Infrastructure Security Agency (CISA) on Friday released a Cybersecurity Workforce Training Guide for "for current and future federal, state, local, tribal, and territorial (SLTT) staff looking to expand their cybersecurity skills and career options." The agency states, "With over 100 training resources and certification prep courses, CISA’s new Guide can help cybersecurity professionals of all levels stay current and advance their careers."