By the CyberWire staff
A LockBit resurgence.
The Australian Cyber Security Centre (ACSC) warns of a coming spike in LockBit 2.0 ransomware and offers recommendations on mitigating risk. LockBit is an affiliate program offered through Russophone criminal markets; it's known for using double extortion. LockBit’s ads on criminal-to-criminal fora provide some suggestions as to how they’re likely to operate. They’ve sought partnerships with other criminals who might offer credential-based access to Remote Desktop Protocol or Virtual Private Network solutions. They’ve also shown an interest in recruiting CobaltStrike and Metasploit jockeys.
The ACSC says that the sectors affected so far have been professional services, construction, manufacturing, retail, and food, but the Centre sensibly points out that any sector is in principle vulnerable to ransomware, and that no one should take the earlier targeting patterns as a reason to drop their guard.
On Tuesday Le Parisien reported that LockBit's operators claim to have executed a ransomware attack against Accenture and to have obtained some of the company’s data in the course of the attack. According to CNBC Washington correspondent Eamon Javers, the attackers said they would shortly release some of the files they obtained, and have offered to sell unspecified “insider Accenture information” to interested buyers. The gang threatened to leak the files if they weren’t paid, and as their deadline expired began doing so. The Record has published a screenshot of some of the files that have been dumped, but its assessment is that the data they contain don’t appear to be particularly sensitive.
Since these early reports emerged, Accenture Wednesday morning told ZDNet that, "Through our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers. We fully restored our affected systems from backup. There was no impact on Accenture's operations or on our clients' systems."
Does Your SOAR Platform Move Like a DinoSOAR? Embrace the Smarter SOAR.
ThreatConnect SOAR combines threat intelligence, analytics, and orchestration into one place to enable faster, more informed decisions. Because threat intelligence is baked in, there’s no need for complicated data manipulation or time-intensive look-ups: it’s all converted to a predictable and easily understood format while still preserving the source’s attribution information and reputation details. Is your SOAR smart enough to do that? Learn more about the industry’s smarter SOAR.
Home router vulnerabilities exploited in the wild.
Less than a week after disclosure, a vulnerability in home routers from some twenty different vendors is under widespread attack, Threatpost reports. The flaws, discovered and disclosed by Tenable, could allow unauthorized remote actors to bypass authentication on routers running Arcadyan firmware. Juniper Networks says attackers are adding the affected routers to a Mirai botnet suitable for conducting distributed denial-of-service operations. Naked Security has a guide on how to determine whether your device is affected, and what to do about it. A good place to begin is Tenable's list of vulnerable devices.
Child protection and privacy.
Apple has announced child protection features that have aroused suspicion among privacy advocates. The measures involve, among other things, scanning iCloud content for objectionable imagery. Some critics see a slippery slope to intrusive surveillance of users; others see Apple as having taken some careful steps toward protection against child exploitation.
The Wall Street Journal yesterday published a story featuring interviews with Craig Federighi, Apple’s senior vice president of software engineering, who said that the simultaneous announcement of two distinct tools probably led to confusion. iCloud storage won't be continuously monitored for objectionable content. Instead, Apple will be notified when a certain threshold of known child exploitation pictures is reached, and “multiple levels of audit” on Apple's part will guarantee users' privacy.
Own your entire attack surface, inside and out | Rapid7 + IntSights
Rapid7 will pay approximately $335 million to acquire IntSights and provide customers with a unified view into threats, attack surface monitoring, relevant insights, and proactive threat mitigation for organizations of any size or level of security maturity. This acquisition also enhances Rapid7’s industry-leading, cloud-native extended detection and response (XDR) offering, InsightIDR, by enabling high-quality, high-fidelity alerts to ensure efficient security operations, earlier threat detection, and accelerated response times. Learn more about the acquisition here.
Division of labor and advertising in the C2C market.
A study by the cyber intelligence shop IntSights sketches the criminal-to-criminal market, and why it exists in the first place. True vertical integration is as rare in the underworld as it is in legitimate markets. No gang is likely to be able to do it all, hence the emergence of affiliate programs, initial access brokers, and so on.
The criminal-to-criminal fora are polyglot, but the Russian-language sites appear to be the leaders. IntSights writes:
“The Russian-language forums tend to have the most unique and sophisticated offerings, and often display higher standards of professionalism. English-language forums include not only North American and other native Anglophone criminals but also non-native speakers of English from around the world, including former British colonies. Other language-specific forums serve geographically concentrated communities, such as the Romanian speakers of Romania and Moldavia and the Portuguese speakers of Brazil, both of which are also significant hubs for cybercrime. Forums also exist in other widely spoken languages, such as Spanish and German.”
The initial access brokers form a thriving subsector of the criminal economy, and buying access makes economic sense to the criminal gangs who are the purchasers.
The C2C marketplace also sees a range of marketing ploys. AllWorld Cards, a relative newcomer to the carding market—the underworld souks where paycard information is traded—is seeking to make a name for itself by dumping about a million stolen cards online. BleepingComputer reports that Livorno-based security firm D3 Lab has looked at the dump and believes about half the cards are current and valid, which is an unusually high fraction for any carder offering. And security company Cyble told BleepingComputer that the data on offer includes credit card numbers, expiration dates, CVVs, names, countries, states, cities, addresses, zip codes for each credit card, and email addresses or phone numbers.
Major heist hits DeFi provider Poly Network.
A cross-chain attack has hit decentralized finance provider Poly Network, with more than $600 million in alt-coin stolen. The Block assesses the total theft as greater than $611 million. The BBC puts the losses at $267 million of Ether, $252 million of Binance, and about $85 million in USDC. Poly Network appealed to the thieves to return the stolen coin, and their "Dear Hacker" plea appears to have fallen on mildly repentant (or at least slightly fearful) ears. Poly Network tweeted that "So far, we have received a total value of $4,772,297.675 assets returned by the hacker." (So some $599,227,702.33 still remained in the wind.)
Decentralized finance providers (or DeFi for short) enable users to shift tokens from one chain to another. The theft from Poly Network is probably the largest theft from a DeFi organization to date. Why the crooks would have returned even a fraction of their take, assuming it wasn’t clawed back through misconfigured criminal wallets, is unclear, especially since it amounts to just a fraction of the total haul. There’s plenty of speculation on Twitter—Poly Network told the crooks they know who they are, etc.—but really nothing is known for sure so far. The Block, which keeps tabs on this sort of thing, says the blockchain security outfit SlowMist said it knows the attacker’s “email address, IP information and device fingerprint,” and that it’s offered to share these with Poly Network in the hope of achieving what SlowMist calls “a happy ending.” In the meantime efforts are underway to block the stolen funds.
According to Reuters, as the situation developed, the hoods who stole from DeFi provider Poly Network by Thursday had returned more than half of what they took, about $324 million, leaving some $268 million still outstanding. The Block reports that the attacker or attackers created a token saying, "The hacker is ready to surrender," and shortly thereafter began returning the coin they’d taken.
Why the criminals are returning their swag is unclear, but people claiming to be the attackers have begun saying that they hacked Poly Network to make a point about security, or that they did it for the lulz, or for some other more-or-less good reason. Security firm Elliptic, which has been keeping an eye on this incident, has been tweeting an auto-interview the apparent hackers have been posting--they ask their own questions which they proceed to answer. It will surprise no one that the questions are softballs pitched to be easily knocked out of the park with a big swing of self-congratulation. He, she, or they did it, first of all, for “FUN” (caps lock in the original), because “CROSS CHAIN HACKING IS HOT.” So, if you credit the auto-interview, they did it for the hack value.
One exchange quoted in the Wall Street Journal exhibits a lofty disinterest in wealth combined with a didactic urge to educate the victims, effectively the hacker’s students, for their own good. “I am not very interested in money!” they said. “I know it hurts when people are attacked, but shouldn’t they learn something from those hacks?” Another post said the attackers “would like to give them,” that is, Poly Network and its partners, “tips on how to secure their networks.”
Reuters suggests a more self-interested reason may have been in play: the hoods bit off more than they could chew. They may just have found that so much money was simply too difficult to launder. The BBC quotes expert opinion to the effect that the crooks may also have been spooked by the amount of attention their heist attracted. SlowMist's investigation may have been particularly threatening.
Are you a student or member of the military?
We're offering a large discount for CyberWire Pro to military members, both active duty and reservists, and to students. What can you do with a Pro subscription? Glad you asked. Many cybersecurity professionals subscribe to and rely on CyberWire Pro to stay up-to-date on developments in the field, and you can enjoy full access to Pro for actionable reporting, analysis and insight concerning the global information security industry. Contact us today to receive your discount, or to get a personalized tour of CyberWire Pro.
Coordinated inauthenticity, with foreign and domestic audiences for disinformation.
Facebook reported in its July report on coordinated inauthenticity that it had taken down two major cases of coordinated inauthenticity.
One originated in Myanmar, where the company removed seventy-nine Facebook accounts, thirteen Pages, eight Groups, and nineteen Instagram accounts linked to Myanmar's military. The intent was to influence a domestic audience, and Facebook sees some continuity between this effort and similar activity it bopped back in 2017.
The company also took down sixty-five Facebook and two-hundred-forty-three Instagram accounts. These were multinational in an interesting way, originating in Russia but using the services of the UK-based marketing firm Fazze, which had been trying to recruit influencers to spread COVID vaccine disinformation. (Fazze itself is now also unwelcome on Facebook's platforms.)
The effort apparently enjoyed only indifferent success, but the concentration on influencers was an interesting development, a tribute to the place influencers have assumed in the marketing and advertising racket generally. That concentration was also in this case the campaign's downfall. Reuters reports that Fazze approached various influencers with offers to pay them for distributing anti-vaccine content, and two of the influencers, one French, the other German, blew the gaffe by complaining publicly about the approach. That prompted investigation and, eventually, ejection.
8 out of every 10 CyberWire listeners and readers...
Did you know that over 80% of the CyberWire audience is a part of the purchasing decision-making process at their company? And this is where they can see your message. Contact us to find out how sponsorship of the CyberWire's briefings and podcasts can help get your word out to an influential audience.
Patch news.
The PrintNightmare vulnerability remains surprisingly resistant to patching. CrowdStrike reports that the operators of the Magniber ransomware have "weaponized" the twice- or thrice-patched PrintNightmare remote code execution vulnerability that afflicts Windows systems, and are using it in the wild, for the most part against South Korean targets. The Record notes that two vulnerabilities are known as "PrintNightmare;" CrowdStrike's talking about CVE-2021-34527. Microsoft says that unpatched systems remain exposed, and recommends disabling Print Spooler.
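As an added illustration of the stop-gap Microsoft recommends above (this is not code from the briefing or from Microsoft), the following PowerShell audits a host's Print Spooler and, when run with -Disable in an elevated session, stops and disables it unless the host is sharing printers, since a print server cannot simply lose its spooler. The registry check assumes the Point and Print hardening key documented in Microsoft's KB5005010 guidance.

```powershell
# Added example, not from the CyberWire briefing: audit the Print Spooler and
# optionally apply the "disable Print Spooler" mitigation for PrintNightmare.
# Run in an elevated PowerShell session on the Windows host being checked.
param([switch]$Disable)

$svc = Get-Service -Name Spooler -ErrorAction Stop

# Shared printers mean this host acts as a print server for other machines;
# disabling the spooler there breaks their printing, so only report in that case.
$shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })

# Hardening value from Microsoft's KB5005010 guidance (assumed here): when set
# to 1, only administrators may install printer drivers via Point and Print.
$ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$restrict = (Get-ItemProperty -Path $ppKey -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators

[pscustomobject]@{
    SpoolerStatus                   = $svc.Status
    SpoolerStartType                = $svc.StartType
    SharedPrinters                  = $shared.Count
    DriverInstallRestrictedToAdmins = ($restrict -eq 1)
}

if ($Disable) {
    if ($shared.Count -gt 0) {
        Write-Warning "Host shares $($shared.Count) printer(s); not disabling the spooler automatically."
    } elseif ($svc.StartType -eq 'Disabled' -and $svc.Status -ne 'Running') {
        Write-Output "Print Spooler is already stopped and disabled."
    } else {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        Write-Output "Print Spooler stopped and disabled; re-enable only after the host is patched."
    }
}
```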
Crime and punishment.
A Canadian government lawyer told the Vancouver court hearing Huawei CFO Meng Wanzhou’s extradition case that Meng had committed fraud. The US is seeking her extradition, and court proceedings are now entering their final phases. The AP reports that China’s sentencing of Canadian entrepreneur Michael Spavor to eleven years in prison for spying, and the imposition of a death sentence on Canadian Robert Schellenberg (convicted of drug trafficking) are widely viewed as retaliatory attempts to pressure Canadian authorities into releasing Meng.
In another high-profile extradition case, the Washington Post reports that Britain’s High Court granted the US broader grounds on which to appeal a lower court’s earlier denial of a request to extradite WikiLeaks proprietor Julian Assange to face espionage charges in the States. That case also continues.
Mexican prosecutors continue to investigate their country's corner of the NSO scandal, seeking to determine who authorized using Pegasus intercept tools against ordinary citizens and government critics. Reuters reports that so far there's no joy: they've come up with no arrests and prompted no firings.
Watchdog organizations have been critical of the investigation’s progress, complaining that the office conducting the probe is effectively itself implicated in the use of Pegasus. The investigators point out that it’s a difficult and complicated investigation. Ricardo Sanchez Perez del Pozo, head of the Special Prosecutor for Crimes against Freedom of Expression, defending his investigative team, said they were close to bringing the first case to court. “This is a really complex investigation,” he told Reuters. “It has advanced significantly.” Mexico was the first significant international Pegasus customer, spending $160 million on the intercept tool since 2011.
Courts and torts.
The Washington Post reports that Apple has dropped its intellectual property lawsuit against Corellium, a company that sells virtualized iOS devices to researchers. The companies reached a settlement outside of court less than a week before the case was scheduled for trial. While the terms of the settlement were confidential, Corellium has confirmed that it's still selling its iOS products. The Post notes that the case was controversial because "many in the security research community saw the lawsuit as having a chilling effect on independent research."
Policies, procurements, and agency equities.
The US continues its efforts to persuade friendly governments to avoid Huawei-manufactured equipment. Reuters describes a recent US approach to Brazil, during which the US observed that Huawei's supply chain difficulties would end up with it leaving Brazil's telecommunications infrastructure "high and dry." Those supply chain difficulties, of course, have been induced by worldwide concern over the security risks Huawei equipment may carry, and by US sanctions that have restricted Huawei’s access to the technology it needs to develop and produce its products.
China's embassy in Brazil has protested what it characterized as American "smears" and "coercion." The state-run media outlet Global Times says the embassy put it this way: "We express strong discontent and vehement objection to such behaviors of publicly coercing and intervening in other countries' 5G construction and sabotaging normal China-Brazil cooperation.”
The US Cybersecurity Solarium Commission has issued its 2021 Annual Report on Implementation. The report is broadly encouraging. “Last year we concluded that attaining meaningful security in cyberspace requires action across many coordinated fronts” the Commission wrote. “We have seen a great deal of progress in implementing the original 82 recommendations from that report, as well as the recommendations we added in white papers along the way.”
Some of the recommendations remain works in progress, including “Codifying the concept of Systemically Important Critical Infrastructure... and establishing a Joint Collaborative Environment.” These are complex and challenging goals, the Commission says.
Some of the recommendations are being addressed in legislation that remains pending in Congress. “The Cyber Diplomacy Act..., which has yet to pass the Senate, would implement the Commission’s recommendation for a cyber-focused bureau at the State Department.”
And some have yet to gather enough support: the establishment of permanent Select Committees on Cybersecurity in the House and Senate and the passage of a National Data Security and Privacy Protection Law, the Commission says, “are unlikely to move forward in the near future.” But the Commission says it remains hopeful, and that it intends to ensure that its recommendations “are ready when the time comes.”
Fortunes of commerce.
VNExpress said that an offer of source code for some of Bkav's security products has been posted to Raidforums, where those who claim to have obtained the code are offering to sell it for $250,000. Bkav says it's investigating.