OMIGOD vulnerability in the OMI application has been under active exploitation.
Linux servers running on Microsoft’s Azure cloud remain under distributed denial-of-service or cryptojacking attacks by botnets exploiting the OMIGOD vulnerability in the Open Management Infrastructure (OMI) application. OMI, installed by default in most Azure Linux virtual machines, is a Linux equivalent to Windows Management Infrastructure. The Record describes the issue (CVE-2021-38647) as a remote code execution vulnerability. Researchers at Wiz, who've described the exploitation, also have a review of available remediations. At least one botnet exploiting OMI is a familiar one: BleepingComputer reports that Mirai is working actively against vulnerable instances.
Ransomware notes: a curious definition of "critical infrastructure," and criminal-on-criminal swindling.
WIRED notes that the dip in the frequency and consequence of ransomware attacks early this summer was a false dawn and not an enduring trend. The gangs and the intelligence services that abet them seem simply to have taken time to adjust to Western, mostly US, policy and law enforcement tactics, and have returned with even greater intensity.
The BlackMatter ransomware gang, which claims to be the successor to the (nominally, maybe, possibly not) retired groups REvil and DarkSide, has hit the Iowa-based US farm services provider NEW Cooperative, Reuters and others report. NEW Cooperative, which operates grain elevators, trades crops, and provides other support to farms, says it's taken its systems offline as a precaution, and that it's working with law enforcement. BlackMatter has demanded $5.9 million in ransom, BleepingComputer says, a figure that will rise to $11.8 million if the gang isn't paid within five days. The timing is unfortunate, coming as it does at the beginning of the US grain belt's harvest.
Subsequently, another ransomware attack hit a second US Midwestern farm cooperative. The Crystal Valley Cooperative disclosed the September 19th attack Tuesday; since then its website went offline until service was restored Thursday. The company's Facebook page remained available. The incident has disrupted business operations, notably the co-op's ability to process credit card payments. Iowa's NEW Cooperative was hit by BlackMatter last week, but it's unknown, BleepingComputer says, which strain of ransomware hit Mankato-based Crystal Valley.
The BlackMatter ransomware privateers are currently active against several targets worldwide, Computing says. The gang's activities aren't confined to the high-profile attack against the NEW Cooperative agricultural organization in Iowa (which according to the Washington Post continues its efforts to recover). One prominent infestation is affecting media-marketing organization Marketron, BleepingComputer reports.
REvil, whose alumni may be operating the BlackMatter ransomware (if indeed BlackMatter isn't simply a rebranding of the older gang), appears, Threatpost reports, to have been cheating its own criminal affiliates. A backdoor and double-chat functionality enabled REvil to communicate directly with victims, bypassing its affiliates. The backdoor and chats have been "cleaned out," perhaps as part of a rebranded REvil's attempt to restore its reputation.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a new warning (with the FBI and NSA) against Conti ransomware. Conti will exploit common vulnerabilities to gain access to its targets, but most of its infestations can be traced to some variety of social engineering.
FamousSparrow, an APT of unknown origin, is actively engaged in cyberespionage.
ESET Thursday morning published its study of a hitherto unremarked cyberespionage Advanced Persistent Threat, probably working on behalf of a nation-state. Which nation-state is unknown, but ESET calls the group "FamousSparrow" and says it's been active since 2019. It's recently exploited the ProxyLogon vulnerability to collect data from hotels especially (useful in tracking human targets of interest). FamousSparrow used some tools associated with the Chinese APT SparklingGoblin, but ESET considers them to be distinct groups.
Spammy ads, even on US Government sites.
Vice notices that over the past year some US Federal Government sites have been serving up the sorts of "spammy" ads for, say, male enhancement products that one would be likelier to find on commercial sites that use relatively indiscriminate ad servers. Security researcher Zach Edwards traces the redirects to a vulnerability in the widely used Laserfiche Forms.
Indonesia finds no evidence of Chinese cyberespionage, but Lithuania finds plenty.
Indonesian authorities tell the AP that they've found no evidence in their systems of cyberespionage by China's Mustang Panda, dismissing reports to the contrary by Recorded Future's Insikt Group as "rumors."
An audit by Lithuania's Defense Ministry of three Chinese-manufactured smartphones found security issues with two of them, the Huawei P40 5G and the Xiaomi Mi 10T 5G. The Ministry recommended that users avoid the devices: "Automated sending of messages and its concealment by means of software pose potential threats to the security of the device and personal data; in this way, without the user’s knowledge, device data can be collected and transmitted to remote servers." The Xiaomi phone had a particularly intrusive "censorship mode," the Record reports, which could detect and censor content based on keywords it found there. Censorship mode could be enabled remotely, without the user's knowledge or consent. The audit found no security issues with the third device tested, the OnePlus 8T 5G.
Investigation finds Pegasus infestations in French Ministers' smartphones.
Mediapart reports that investigation confirms at least five French Ministers' phones were infected with Pegasus spyware. National Education Minister Jean-Michel Blanquer, Territorial Cohesion Minister Jacqueline Gourault, Agriculture Minister Julien Denormandie, Housing Minister Emmanuelle Wargon and Overseas Minister Sébastien Lecornu were all affected. At whose instigation the spyware was installed remains unclear. The Washington Post notes that Mediapart has suggested the government of Morocco was behind the installation, but Morocco, for what it's worth, has both denied involvement and brought a lawsuit against Mediapart, alleging defamation.
Port of Houston discloses cyberattack.
The Port of Houston Authority said Thursday in a brief announcement that it had “successfully defended itself against a cybersecurity attack in August. Port Houston followed its Facilities Security Plan in doing so, as guided under the Maritime Transportation Security Act (MTSA), and no operational data or systems were impacted as a result.”
CNN reports that on August 19th attackers believed to be associated with a foreign intelligence service gained access to a server in the Port of Houston, planted malware, and stole Microsoft credentials. Defenders were able to isolate the compromised server within about an hour and a half of the initial attack.
Whichever nation-state was responsible for the Houston attack (and there's no attribution, yet), the Record reports that the attack was accomplished by exploiting a zero-day in a Zoho authentication appliance. A week ago the US Cybersecurity and Infrastructure Security Agency (CISA) issued a Joint Advisory with the FBI and the Coast Guard, warning that CVE-2021-40539, a vulnerability in Zoho's password manager and single sign-on solution ManageEngine ADSelfService Plus, was being actively exploited in the wild. Zoho had addressed the bug on September 6th, and CISA urged users to apply the patch as soon as possible. The Port of Houston incident would seem to explain both the urgency of, and the Coast Guard's involvement in, the Advisory.
And a container ship company sustains a ransomware attack.
The large French container shipping firm CMA CGM S.A. today disclosed, according to MarketWatch, that it had sustained a data breach whose evident aim is extortion. The attackers claim to have obtained almost five hundred thousand individual customer records. CMA CGM says that what it characterized as "limited customer information" included "names, positions, emails and phone numbers."
The Loadstar reports that customers are awaiting formal notification from the box ship company, and that this is expected to come this evening. It’s the second information security incident CMA CGM has sustained over the past year, and, should personal information in fact be involved, as it appears to be, the company will be obligated under GDPR to render a prompt report to French authorities.
Advance-fee scams accompany the iPhone 13 launch.
Zscaler has observed a surge in scams surrounding the iPhone 13 launch. As is so often the case, the grifters' come-on is a bogus cryptocurrency give-away.
Autodiscover flaw can leak app passwords.
Guardicore has discovered a flaw in Microsoft Exchange's Autodiscover feature: it can leak passwords.
Cyber commanders reflect on lessons learned during the pandemic.
Senior US cyber officials spoke Thursday at the Joint Service Academy Cybersecurity Conference, sponsored by Palo Alto Networks, to discuss “Lessons Learned from a Global Pandemic.”
Lieutenant General Stephen Fogarty, Commanding General, US Army Cyber Command, emphasized that DISA and the Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN) played a central role in enabling the shift to remote work with the Defense Department’s Commercial Virtual Remote (CVR) telework platform.
“We went through a variety of different solutions until CyberCom, NSA, and DISA provided CVR,” Fogarty said. “So that really became, I think, the turning point for us. So, it addressed the mobility challenge and it actually enabled ease of use particularly for those who didn't have government-furnished equipment – so, a government cell phone or a government laptop – and that was absolutely critical. So, everything I just described would not have happened without the capability of DISA and JFHQ-DODIN, and so when I look back at the single most important player in this, it actually was DISA and JFHQ-DODIN, because they enabled really a very rapid transition.”
Lieutenant General Charles Moore, Deputy Commander, US Cyber Command, stated that their use of the CVR “was actually stood up and put into use within just a few short weeks – from beginning to end, we ended up with about 1.4 million people that were using that capability, and then of course have since burned that down and transitioned over to Microsoft 365.”
Likewise, Lieutenant General Timothy Haugh, Commander, Sixteenth Air Force; Commander, Air Forces Cyber, and Commander, Joint Force Headquarters-Cyber, noted that the Air Force “increased from 7,000 to 300,000 remote workers in a couple of weeks.”
Lieutenant General Robert Skinner, Director of DISA and the Commander of JFHQ-DODIN, stated, "The biggest lesson learned was the force was not very mobile. If you look at the ability of the entirety of the force to do the missions that they've been assigned at the unclassified and the classified level, the higher up classification level you went, the less opportunity individuals had to continue that work that was not happening within the location and in the office space. And so the ability to increase the virtual private networks thousands of percent, the ability to have more circuits, because now your bandwidth is a little bit different than what it was sitting from the office location versus at your home – that was significant work across the board."
Crime and punishment.
European police have rounded up about a hundred mobsters—and these are traditional, Al-Capone-esque gangsters associated with the Neapolitan Camorra—for alleged cybercrimes that include SIM-swapping, business email compromise, and the like. Most of the hoods were collared in Spain, others in Italy, the Register reports, as it also observes that the mob is now apparently just as much into remote work as the rest of us are. Europol's press release announcing the raids puts the tally of alleged mobsters taken into custody at 106.
Huawei CFO Meng Wanzhou will soon be able to leave Vancouver, where she’s been fighting extradition to the United States over charges related to alleged violations of sanctions against Iran. The US Department of Justice is said, the Wall Street Journal reports, to have reached a deferred prosecution agreement with her that was expected to be entered late Friday, when she appeared (remotely, from Canada, before a court in Brooklyn). “The agreement...will require Ms. Meng to admit to some wrongdoing in exchange for prosecutors deferring and later dropping wire and bank fraud charges.” Ms. Meng was arrested in the Vancouver airport in December 2018, Reuters reminds us, on a US warrant alleging bank fraud and wire fraud charges in connection with what the US indictment characterized as misleading a banking partner and financial services partner, HSBC, about Huawei’s involvement with Iran.
Courts and torts.
There have been some US moves against the infrastructure that supports the ransomware underworld. The US Treasury Department this morning announced that it was taking steps to disrupt the financial structures that sustain the ransomware criminal economy. Cryptocurrency exchanges engaged in money laundering and processing ransom payments are being singled out for special attention. The first of those to come under sanction is SUEX. As Treasury notes, most cryptocurrency exchanges and transactions are "licit"—Treasury's after the ones engaged in specifically criminal conduct.
Policies, procurements, and agency equities.
The US response to continued privateering by Russophone ransomware gangs remains under preparation. US President Biden's address to the United Nations' General Assembly yesterday touched on cybersecurity, and by implication on ransomware. The President expressed a commitment to building international norms in cyberspace, while also asserting that "We reserve the right to respond decisively to cyberattacks that threaten our people, our allies, or our interests."
Setting a precedent during elections for Russia's Duma that WIRED calls "troubling," Apple and Google acceded to the Kremlin's request that they remove opposition "voting apps" prepared by Navalny's Smart Voting project from their stores. The app in question was a voting guide, not a mechanism for casting votes. "Created by associates of imprisoned opposition leader Aleksei Navalny, it offered recommendations across each of Russia's 225 voting districts for candidates with the best shot of defeating the dominant United Russia party in each race."
Radio Free Europe reports that Telegram has done likewise, blocking chat bots Smart Voting had used for endorsing candidates. Telegram said that it was following Russian “election silence” laws, represented as similar to laws in other countries that restrict various forms of campaigning during the elections themselves. But, according to Radio Free Europe, Telegram’s founder significantly said that developer outfits like his own had little choice but to follow the lead of Apple and Google, so the decision taken in Silicon Valley seems to have flowed to other outlets. The Atlantic Council summarizes the issue as follows:
“The Russian government has reacted to this voter guide as if facing a serious national security threat—a reaction that has stirred international controversy. The furious (and ultimately successful) efforts to suppress this voter guide not only demonstrate the Russian government’s determination to assert broad control over both the outcome of Russian elections and the information Russian citizens can access online, but also how the underlying dynamics of Russia’s censorship agenda can become an international problem, forcing companies based outside its borders into complicity with domestic repression.”
Barron's reports that Hungary has delayed its first opposition party primary until September 28th. According to Yahoo News, the opposition says the delay is due to a cyber attack for which it blames Prime Minister Orban's government (with the possible involvement of Chinese operators). The Journal says that Orban's Fidesz party dismisses the incident as due to the opposition alliance's "incompetence."
Fortunes of commerce.
On October 4th, FireEye will rebrand itself as Mandiant, taking its subsidiary's name. The move comes as the company sells FireEye's product line to private equity investors led by Silverlake Group, GovCon Wire reports.