By the CyberWire staff
The Taliban sifts seized data.
Reuters reports that the Taliban is actively seeking access to the emails of former government officials, and that Google has, temporarily at least, locked down access to such accounts. Google didn’t directly confirm their move to deny the Taliban access to the accounts, saying only it was monitoring events and was "taking temporary actions to secure relevant accounts." The concern over email accounts and other data belonging to the fallen government coming into the possession of the Taliban is that the information gained would be used to track and arrest former government officials or, indeed, anyone else of suspect loyalty.
Ghostwriter hits Bundestag targets.
The German Foreign Ministry lodged a complaint with Russia over ongoing attempts to stage cyberespionage and influence operations against the Bundestag during the run-up to national elections, Deutsche Welle reports. The activity, which is reported to have successfully compromised some Federal networks, is part of the long-running and often described Ghostwriter campaign against Central and Eastern European targets.
German prosecutors have opened an investigation into the Ghostwriter campaign Berlin has attributed to Russian intelligence services, Der Spiegel reports. Germany's Foreign Ministry has warned, an Agence France Presse story says, that Russia will face unspecified consequences should the cyberespionage and election-related disinformation persist.
Does Your SOAR Platform Move Like a DinoSOAR? Embrace the Smarter SOAR.
ThreatConnect SOAR combines threat intelligence, analytics, and orchestration into one place to enable faster, more informed decisions. Because threat intelligence is baked in, there’s no need for complicated data manipulation or time-intensive look-ups: it’s all converted to a predictable and easily understood format while still preserving the source’s attribution information and reputation details. Is your SOAR smart enough to do that? Learn more about the industry’s smarter SOAR.
The gangs may have taken Labor Day off, but they're back.
So it turns out that Labor Day weekend was more a day off than a doorbuster for ransomware gangs, but now that the holiday's passed, the hoods have returned to business as usual. The Washington Post is prepared to call the quiet holiday an "anomaly." CISA, the FBI, and the White House had all warned organizations to be on the alert, sound advice on form, but the expected wave of attacks didn't materialize.
Ragnar Locker warns victims they'd better not go to the cops.
BleepingComputer reports that the operators of Ragnar Locker ransomware have warned their victims, whom the hoods cynically refer to as “clients,” that they’ll promptly dump stolen data should they get a whiff of the victims’ going to law enforcement or indeed any third-party for help: "So from this moment we warn all our clients, if you will hire any recovery company for negotiations or if you will send requests to the police/FBI/investigators, we will consider this as a hostile intent and we will initiate the publication of whole compromised data immediately. Don’t think please that any negotiators will be able to deceive us, we have enough experience and many ways to recognize such a lie. Dear clients if you want to resolve all issues smoothly, don’t ask the Police to do this for you. We will find out and punish with all our efforts.”
Bad guys are watching for new openings in your cloud, are you?
You see the headlines, and perhaps, ‘thank goodness it wasn’t us’ flickers through your mind. An overly permissive web server exposes 100 million+ consumer credit applications, or an S3 bucket leaves hundreds of millions of user records open to the public. But how do you stay on top of misconfigurations in the world of the cloud? Learn how to manage risk with the continual changes that are a reality in the cloud.
REvil's unquiet grave, and the future of Russian privateering.
There was some stirring this week in the unquiet grave of REvil, the gang also known as Sodinokibi that appeared to bring itself to an end after its high-profile attack against Kaseya. REvil was last heard from in its own voice when it was demanding first $70 million, then a discounted $50 million, in exchange for a master decryption key. The gang disappeared, and shortly thereafter Kaseya received a decryption key from what it characterized as a reliable source, reliable in the sense that it delivered the goods. BleepingComputer reports speculation that Russian intelligence services quietly comped Kaseya with the decryptor.
REvil may be among the ransomware gangs that are resurfacing. BleepingComputer reports that, after an absence of almost two months, the group's dark web servers have reappeared. Researchers with both Emsisoft and Recorded Future have tweeted that among the restored presence is the gang's Happy Blog. But there’s so far nothing new on the Happy Blog, which seems to have resurfaced with the same stuff on deck that was there when it submerged back on July 13th.
And the blog’s return was incomplete. While the dump site returned much as it had been, the Tor portal used to negotiate payment was up but inaccessible—victims weren’t able to log in.
All of this revenant activity could mean any number of things. KnowBe4 wrote us to observe that cybercriminals operate for a while as distinct, recognizable gangs, then break up, reform, and operate again. "With this recent activity,” KnowBe4’s James McQuiggan wrote, “it is most likely possible that they are collecting files, data, zero-days or other malware to use in their next group.” It’s also possible that some law enforcement agency or agencies are rummaging what they can from the remains to see what forensic analysis will yield.
Steve Moore, Exabeam’s chief security strategist, wrote that REvil is itself probably a reincarnation of an earlier group. It’s likely that there are further, incipient campaigns already under preparation against organizations that were vulnerable to the old version of REvil. He thinks that, "Directly, REvil took time to refit, retool, and take a bit of a holiday over the summer. The fact their sites are back online means they are, again, ready for business and have targets in mind.”
Recorded Future's Insikt Group Thursday issued a report on what it calls the "dark covenant" between Russian intelligence services and cybercriminals. The security organs aren't directing the criminals, but the gangs operate at their sufferance and shape their operations and target selection to conform to their understanding of what those services want. It's too soon to tell whether US carrots-and-sticks will inhibit the privateering: US cyber czar Chris Inglis sees deterrence as complicated, and that this is not a problem "we're going to shoot our way out of."
Bulletproof hosting and the underworld economy.
Security firm RiskIQ complains that bulletproof hosting services continue to play a major role as enablers of the underground criminal economy. Their researchers today are drawing attention to Flowspec, which they call “a one-stop-shop for threat groups, facilitating phishing campaigns, malware delivery, Magecart skimmers, and large swaths of other malicious infrastructure.” At least nineteen Flowspec domains are, RiskIQ says, associated with Magecart, and the researchers alleged that the well-known ransomware gangs that have used Flowspec include Ryuk, Genasom, Ergop, Ymacco, Sodinokibi, Gandcrab, and Crysis.
DDoS at Yandex and ANZ.
Yandex is the latest big commercial organization to sustain a major distributed denial-of-service incident, Reuters reports. The Russian multinational tech firm says it successfully parried the attack.
By Thursday, some clarity was forming around the distributed denial-of-service attacks that have hit organizations including Russia's Yandex, New Zealand's ANZ bank (which went down again Thursday, according to the New Zealand Herald), and other targets in the US and the UK. Qrator Labs today released a description of Meris, an IoT botnet with a quarter-of-a-million devices. There have been larger botnets (Mirai, for one, had in excess of three-hundred-thousand) but unlike its well-known predecessors, Meris relies on transmitting a high number of requests per second. Most of the devices exploited to form the botnet were networking gear from the Latvian vendor MikroTik. The Record reports that sources tell it the target of the Yandex DDoS attack wasn't Yandex itself, but rather a bank that used Yandex's cloud services to host its e-banking portal.
A revived AlphaBay may have difficulty resuming its old place in the contraband market.
Digital Shadows subjects the revived version of the contraband market AlphaBay to analysis and concludes that, while there's an underworld opportunity for a revival, the latest edition may have trouble building on the original marketplace's street cred. Potential users suspect the new AlphaBay's admin may be compromised and they mistrust the absence of exit-scam protection.
Developments in the C2C market.
Researchers at McAfee and Intel471 jointly describe a "shake-up" in the criminal-to-criminal ransomware affiliate market being led by the Groove Gang. Whereas earlier ransomware-as-a-service programs had prioritized control over the code and a systematically hierarchical organization of the affiliates, the Groove Gang is proving more fluid and opportunistic. It prizes not the affiliates' skills, but simply their networks.
Avast describes a new underworld offering: Instagram-bans-as-a-service. You can ban or harass someone for just $50.
Are you registered for the Insider Risk Summit?
Join cybersecurity leaders like Chris Krebs and speakers from Crowdstrike, DUO Security, Code42 and Microsoft at the Insider Risk Summit on September 14 and 15 - it’s totally free and totally virtual. Learn what it means to Rethink Resilience for security in the context of risk and evolving workforce culture. Register for the free event and earn 20+ CPE credits.
Microsoft warned Tuesday that "targeted attacks" are exploiting a vulnerability in MSHTML by using malicious ActiveX controls in Word documents for remote code execution. There's no patch, yet, but Redmond is working on it. In the meantime Microsoft has made some mitigations and workarounds available (notably disabling ActiveX), and CISA "encourages users and organizations to review" them. There's no attribution of the attacks yet, but SecurityWeek thinks that the wording of Microsoft's disclosure strongly hints that a nation-state is behind them.
Zoho has patched its ManageEngine ADSelfService Plus against an authentication bypass vulnerability that's currently being exploited in the wild. CISA urges users to apply the fix.
Crime and punishment.
ProtonMail has acceded to a "legally binding order from the Swiss Federal Department of Justice" that required it to turn over the IP address and information about devices “Youth for Climate” (described as “anti-gentrification activists”) used to access ProtonMail. The information led to the arrest of some members of the group in France, Hacker News reports.
A man suspected of writing code for the criminal enterprise that runs TrickBot has been arrested by authorities in Seoul on a US warrant, the Record reports. The alleged criminal coder, referred to so far only as “Mr. A,” had been unable to leave the Republic of Korea for the past year and a half, stranded by COVID-19 travel restrictions. Mr. A is expected to contest extradition on the grounds that American justice would impose a disproportionate penalty on him, should he be convicted. This is the second alleged TrickBot coder to be taken into custody, the first being Alla Witte, a Latvian national arraigned in a US Federal District Court on June 4th.
A cybercriminal associated with North Korean hackers, Ghaleb Alaumary, a native of Ontario, and thirty-six years young, has been awarded an eleven year sabbatical courtesy of the US Bureau of Prisons. Mr. Alaumary, who holds both US and Canadian citizenship, took a guilty plea to two Federal counts of money laundering.
Courts and torts.
The US Securities and Exchange Commission, best known by its acronym SEC, is investigating the SolarWinds incident, and Reuters reports that the inquiry is spooking some large US companies, who fear that the results of the probe will expose them to liability. Reuters says, “The SEC is asking companies to turn over records into ‘any other’ data breach or ransomware attack dating back to October 2019 if they downloaded a bugged network-management software update from SolarWinds Corp (SWI.N), which delivers products used across corporate America, according to details of the letters shared with Reuters.”
DuPage Medical Group has been hit with a lawsuit after disclosing a potential breach of 600,000 patients’ protected health information (PHI), the Chicago Tribune reports. The lawsuit, which is seeking class-action status, alleges that DuPage “failed to properly monitor the computer network and systems housing the private information.” DuPage Medical Group stated that it hadn’t received the lawsuit yet, and that “We remain committed to information security, and although we are unaware at this time of any attempted or actual misuse of the information involved, we understand the concern that this potential access raises.”
Guntrader, a UK-based online firearms marketplace, is facing a lawsuit after 111,000 of its users had their data stolen and leaked by animal rights activists, FarmingUK reports. The data included users' home addresses, which were uploaded to the Internet in a Google Earth-compatible file.
Policies, procurements, and agency equities.
Germany’s federal police, the Bundeskriminalamt (BKA), are reported to have been among the customers of NSO Group, quietly purchasing its controversial Pegasus intercept tool. Tagesschau says that authorities will report on the purchase to a watchdog Bundestag committee today. There are no specific allegations of the BKA having abused the tool, but Pegasus has been in such bad odor, owing to its abuse by repressive regimes, that suspicion inevitably accompanies its adoption by any law enforcement agency. Die Zeit reports that the capabilities of Pegasus outrun the kinds of surveillance permissible under German law. When the tool was purchased, German authorities are said to have insisted that only such functions as were compatible with the law be activated, but Die Zeit says it’s unclear not only how, but even if, such selective enablement would have been possible.
Fortunes of commerce.
Influenced by adverse reaction from privacy hawks, Apple has decided to suspend its plans to incorporate screens for child sexual abuse material, CSAM, in iCloud. The company told TechCrunch on Friday, “Last month we announced plans for features intended to help protect children from predators who use communication tools to recruit and exploit them, and limit the spread of Child Sexual Abuse Material. Based on feedback from customers, advocacy groups, researchers and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features.”
And security innovation.
The SINET 16 were announced this week. This annual competition has for years brought some of the most promising start-ups in cybersecurity into the spotlight. This year’s winners, in reverse alphabetical order, are:
- Valtix, specialists in multicloud network security whose solution promises both simplicity and adaptability.
- Strata, which delivers enterprise identity management, also for multicloud environments.
- Sevco Security, provider of the asset inventory on which the dynamic self-awareness security requires depends.
- Securiti, with a final “i,” offering artificial intelligence solutions for security, privacy, governance, and compliance for multicloud, SaaS, and self-managed data systems.
- Perimeter 81, which has a Secure Access Service Edge platform designed to support a remote workforce.
- Pentera, formerly known as PCYSYS, an automated pentesting shop for safe emulation of attacks.
- JupiterOne, an asset management company that provides security context to cloud users.
- INKY, the Maryland-based anti-phishing company whose cloud-based artificial more-than-intelligence spots fraud and social engineering in email.
- Greynoise, whose solution tells security practitioners what they don’t have to worry about, saving labor by cutting down on false alerts and security noise, while highlighting the issues they need to pay attention to.
- GrammaTech, developer of software-assurance tools and advanced cyber-security solutions designed to ease the challenges of devsecops.
- ForAllSecure, which offers application testing intended to make developers’ lives easier.
- Ermetic, whose solution offers multicloud continuous protection for users of AWS, Azure, and Google Cloud.
- Cequence Security, which offers a complete API inventory and data leak protection solution.
- Baffle, a cloud data protection shop that offers data tokenization, de-identification, and database encryption to protect data from source to destination.
- Axis Security, a zero-trust, secure access service edge provider whose agentless solution enables secure employee access.
- AppOmni, whose SaaS Security Management platform delivers visibility into security configurations, user permissions, and third-party apps.
This year SINET singled out three companies to watch, early stage start-ups it regards as already adding value:
- Scythe, an adversary emulation platform.
- DeepFactor, which offers continuous appsec observability.
- Corsha, multi-factor authentication for machine-to-machine communications.
Congratulations to all of them, winners and honorable mentions alike. The SINET 16 companies have over the years assembled an enviable record of success and a reputation for successful innovation, and the Class of 2021 are likely to continue that tradition.