Governments behaving badly.
The European Union a week ago Friday publicly attributed the GhostWriter cyberespionage and disinformation operation to Russia. "The European Union and its Member States strongly denounce these malicious cyber activities, which all involved must put to an end immediately. We urge the Russian Federation to adhere to the norms of responsible state behaviour in cyberspace." The attribution and warning didn't say which nations had received the attentions of GhostWriter, but, as the Washington Post notes, the timing of the communiqué suggests concern for Germany, which held elections last weekend.
Independently, Finland's Security and Intelligence Service called out both Russian and Chinese cyberespionage and influence operations as major continuing threats, Bloomberg reports.
According to Rest of World, Cambodian Prime Minister Hun Sen zoombombed an online conference held by the country's banned opposition party to tell participants that their communications were being monitored.
Microsoft on Monday released its study of a new, persistent, post-exploitation backdoor, "FoggyWeb," used by the Nobelium threat group. FoggyWeb is used both for exfiltration of victims' data (including configuration databases of compromised Active Directory Federation Service servers, decrypted token-signing certificates, and token-decryption certificates) and for deploying and executing additional malware payloads. Nobelium is Microsoft's name for the Russian government threat group others call Cozy Bear; it's associated with Russia's SVR foreign intelligence service (and sometimes with the FSB security service). Microsoft's report includes detailed mitigation advice, including the following:
- "Ensure only Active Directory Admins and AD FS Admins have admin rights to the AD FS system.
- "Reduce local Administrators’ group membership on all AD FS servers.
- "Require all cloud admins to use multi-factor authentication (MFA)."
GriftHorse and a major premium service scam.
Zimperium late Wednesday described the activities of a massive Android scam campaign they're calling "GriftHorse." Around ten million devices worldwide have been affected, and losses could amount to hundreds of millions of euros. It's a premium services scam in which the crooks use malicious apps (and not the customary phishing) to enroll users in paid services they don't want.
The researchers say, "Forensic evidence of this active Android Trojan attack, which we have named GriftHorse, suggests that the threat group has been running this campaign since November 2020. These malicious applications were initially distributed through both Google Play and third-party application stores. Zimperium zLabs reported the findings to Google, who verified the provided information and removed the malicious applications from the Google Play store. However, the malicious applications are still available on unsecured third-party app repositories."
Notes on ransomware.
On Friday ZeroFox discovered and described a new ransomware strain they're calling "Colossus." Its one known victim is a US-based automotive dealership group, and the attack is the now familiar double-extortion that both encrypts data and then threatens their public release. Colossus hasn't shown much disposition to chatter on the dark web, but its operation suggests familiarity with the ransomware-as-a-service criminal market. ZeroFox notes, "these operators appear to be at least highly familiar if not directly associated with other existing ransomware-as-a-service (RaaS) groups based on their tactics, techniques, and procedures (TTPs). Their ransom note is similar in structure and content to other known ransomware products, including some EpsilonRed/BlackCocaine and REvil/Sodinokibi samples. This could indicate using a similar builder for the ransomware files, and follows a pattern of ransomware groups disappearing and reappearing with a rebranded name and similar toolsets."
The Record reports that the major European call-center operator GSS has sustained an attack with Conti ransomware. A source told the Record that "[a]mong the affected services are Vodafone Spain, the MasMovil ISP, Madrid’s water supply company, television stations, and many private businesses."
Bitdefender's latest monthly threat report, released yesterday, notes the resurfacing of REvil, under its familiar name. The report also counts some 250 active ransomware strains, which is a lot, especially given the challenges of survivor bias (duly noted by Bitdefender) and the difficulties of individuating things as slippery as bad actors. Anyway, their name is Legion, and, to draw a conclusion the report doesn't, a look at the countries targeted suggests that half to two-thirds of Legion probably have a letter of marque from 24 Kuznetsky Most (not far from Ulitsa Lubyanka).
A commodified information-stealer in the C2C market.
Kaspersky researchers have an account of "BloodyStealer," a Trojan currently being sold in darkweb souks catering to criminals. BloodyStealer is hawked as an information stealer useful for employment against gamers using a range of platforms, including Steam, Epic Games Store, and EA Origin. The Trojan is evasive and cheap, going for a monthly subscription of $10 or a lifetime subscription of only $40. BloodyStealer can be used against targets of many kinds, not just gaming platforms, but Kaspersky thinks gamers likely to figure high on the criminals' hit lists.
Kaspersky adds, "This malware also stands out to researchers because of several anti-analysis methods used to complicate its reverse engineering and analysis, including the use of packers and anti-debugging techniques. The stealer is sold on the underground market and customers can protect their sample with a packer they prefer or use it as part of another multi-stage infection chain. Kaspersky experts detected attacks using BloodyStealer in Europe, Latin America, and the Asia-Pacific region."
DDoS is growing in popularity as an extortion tool.
Distributed denial-of-service attacks appear to be returning as a significant if episodic nuisance. AtlasVPN puts the number of DDoS attacks in the first half of 2021 at a record 4.5 million. One recent victim is North Carolina-based voice-over-IP provider Bandwidth, which, BleepingComputer reports, began experiencing outages on Saturday.
Nexusguard describes a distributed denial-of-service attack technique, "BlackStorm," more effective and potentially damaging than the more familiar DNS amplification attacks. Nexusguard explains, "Hackers can achieve Black Storm attacks more easily than amplification attacks, which could quickly dominate the cyberworld. Black Storm attacks could be manifested by hackers employing a BlackNurse attack in a reflective manner (rBlackNurse attacks). By generating spoofed UDP requests to CSP devices’ closed UDP ports—a reflection of the ping replies returned to the CSP network ping sources in BlackNurse attacks—the devices respond with destination port unreachable responses. As more devices continue to respond to the spoofed IP source, the volume of responses completely overwhelms the target CSP network and creates the Black Storm attack."
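A defender-side sketch of how the reflected traffic described above could be recognized at a network border, added here as an example and not taken from Nexusguard's report. ICMP destination-port-unreachable messages (type 3, code 3) quote the UDP datagram that triggered them, so replies quoting datagrams the local network never sent are unsolicited. The record format, addresses, and threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed border records (not real traffic).
#   udp_out <src> <sport> <dst> <dport>      a UDP datagram that left our network
#   icmp_in <sender> <type> <code> <src> <sport> <dst> <dport>
#           an inbound ICMP message plus the UDP datagram quoted in its payload
SAMPLE = """\
udp_out 198.51.100.10 5353 203.0.113.7 33434
icmp_in 203.0.113.7 3 3 198.51.100.10 5353 203.0.113.7 33434
icmp_in 192.0.2.11 3 3 198.51.100.20 40000 192.0.2.11 9999
icmp_in 192.0.2.12 3 3 198.51.100.20 40001 192.0.2.12 9999
icmp_in 192.0.2.13 3 3 198.51.100.20 40002 192.0.2.13 9999
icmp_in 192.0.2.14 3 1 198.51.100.20 40003 192.0.2.14 9999
"""

def unsolicited_port_unreachables(records, min_reflectors=3):
    """Return {local_ip: sorted reflector IPs} for local hosts that receive
    type 3 / code 3 replies, from at least min_reflectors distinct senders,
    quoting UDP datagrams our network never sent (i.e. spoofed in our name)."""
    rows = [line.split() for line in records.splitlines() if line.strip()]

    # Pass 1: every UDP datagram we really sent, keyed by its 4-tuple.
    sent = {tuple(r[1:5]) for r in rows if r[0] == "udp_out"}

    # Pass 2: inbound port-unreachables whose quoted datagram is not ours.
    reflectors = defaultdict(set)
    for r in rows:
        if r[0] != "icmp_in":
            continue
        sender, icmp_type, icmp_code = r[1], int(r[2]), int(r[3])
        quoted = tuple(r[4:8])
        if (icmp_type, icmp_code) != (3, 3):
            continue  # only destination *port* unreachable matters here
        if quoted in sent:
            continue  # genuine answer to our own traffic
        reflectors[quoted[0]].add(sender)

    return {ip: sorted(srcs) for ip, srcs in reflectors.items()
            if len(srcs) >= min_reflectors}

if __name__ == "__main__":
    for victim, srcs in unsolicited_port_unreachables(SAMPLE).items():
        print(f"{victim}: unsolicited port-unreachables from {len(srcs)} hosts")
```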
NSA and CISA issue guidance on secure use of VPNs.
NSA and CISA on Tuesday released guidance on how to configure and use virtual private networks (VPNs) safely and securely. VPNs provide access to protected networks, and are therefore especially attractive targets for cyberattacks. The agencies' nine-page factsheet concludes, "Remote access VPNs are entryways into corporate networks and all the sensitive data and services they have. This direct access makes them prized targets for malicious actors. Keep malicious actors out by selecting a secure, standards-based VPN and hardening its attack surface. This is essential for ensuring a network’s cybersecurity."
Azure Active Directory brute-force flaw.
Secureworks has discovered a brute-force vulnerability affecting Azure Active Directory's Seamless Single Sign-On feature. The researchers state, "Threat actors can exploit the autologon usernamemixed endpoint to perform brute-force attacks. This activity is not logged in Azure AD sign-ins logs, enabling it to remain undetected. As of this publication, tools and countermeasures to detect brute-force or password spray attacks are based on sign-ins log events.... The exploitation is not limited to organizations using Seamless SSO. Threat actors can exploit the autologon usernamemixed endpoint in any Azure AD or Microsoft 365 organization, including organizations that use Pass-through Authentication (PTA). Users without an Azure AD password are not affected."
Microsoft initially dismissed this behavior as being "by design," but on September 30th said that it would issue mitigations for the issue. A Microsoft representative told Secureworks:
"We are adding logging to the Seamless SSO endpoint to make sure that all steps of the authentication and authorization flow show up in the sign-in logs, including successful, failure, and abandoned sign-in attempts.
"We are adding the ability to have the Seamless SSO endpoint on/off only when Seamless SSO is enabled in the tenant and making it off by default, which should also be available to the customers in the coming weeks.
"Regarding Brute-Force password spray attacks, the endpoint mentioned is protected with Azure AD Smart Lockout and IP lockout capabilities. These measures will allow customers to be able to respond to such attacks."
Contactless Apple Pay proof-of-concept.
Researchers from the Universities of Birmingham and Surrey have discovered a way to complete large Apple Pay transactions from locked iPhones that have the Express Transit feature enabled, the BBC reports. The exploit only applies to transactions that use Visa. According to 9to5Mac, "Apple said the fault lies in Visa’s system, and that any unauthorized payments are covered by Visa’s zero liability policy. Visa said 'variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world.'"
ChamelGang targets Russia's fuel, energy, and aviation sectors.
Positive Technologies has observed a new threat actor dubbed "ChamelGang" that's targeting Russia's fuel, energy, and aviation industries. The group has also been active against targets in nine other countries, including the United States, India, Nepal, Taiwan, and Japan. In some of these cases, ChamelGang compromised government servers. Positive Technologies hasn't attributed the actor to any specific country. The company stated, "One distinctive feature of ChamelGang's attacks is the use of new malware: ProxyT, BeaconLoader, and the DoorMe backdoor, which were not previously known. The latter is a passive backdoor, which significantly complicates its detection. The group also uses better-known variants such as FRP, Cobalt Strike Beacon, and Tiny shell."
The company's Head of Information Security Threat Response, Denis Goydenko, added, "Among the malware samples we found, the most interesting is the DoorMe backdoor. This is a native IIS module that is registered as a filter through which HTTP requests and responses are processed. Its principle of operation is unusual: the backdoor processes only those requests in which the correct cookie parameter is set. At the time of the incident investigation, DoorMe was not detected by antivirus tools, and although the technique of installing this backdoor is known, we haven't seen its use in recent times. The backdoor gives attackers wide opportunities in the captured systems: it can execute commands by using cmd.exe and creating a new process, write files in two ways, and copy timestamps. In total, six different commands have been implemented."
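Because a native IIS module has to be registered with the server to receive requests, one check a defender can run is an audit of the `<globalModules>` section of `applicationHost.config`. The following is an added example, not code from Positive Technologies: the config fragment is constructed, the `ExampleFilter` entry and its path are hypothetical and are not DoorMe indicators, and the single-directory baseline is an assumption about the server being audited.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed fragment of an IIS applicationHost.config (illustrative only).
# The last entry's name and path are hypothetical, not DoorMe indicators.
SAMPLE_CONFIG = r"""
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ExampleFilter" image="C:\ProgramData\example\filter.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Assumption: this server's baseline keeps native modules under inetsrv only.
BASELINE_DIRS = (r"%windir%\system32\inetsrv",)

def _norm(path):
    """Normalize a Windows path for case-insensitive comparison on any OS."""
    return ntpath.normcase(ntpath.normpath(path))

def modules_outside_baseline(config_xml, baseline_dirs=BASELINE_DIRS):
    """Return (name, image) for every native module registered in
    <globalModules> whose DLL sits outside the baseline directories."""
    root = ET.fromstring(config_xml)
    allowed = {_norm(d) for d in baseline_dirs}
    findings = []
    for section in root.iter("globalModules"):
        for entry in section.findall("add"):
            image = entry.get("image", "")
            if _norm(ntpath.dirname(image)) not in allowed:
                findings.append((entry.get("name"), image))
    return findings

if __name__ == "__main__":
    for name, image in modules_outside_baseline(SAMPLE_CONFIG):
        print(f"review: native module {name!r} loads {image}")
```

Legitimately installed add-on modules can live outside `inetsrv`, so a hit is a prompt to verify the DLL's signature and origin and then extend the baseline, not a verdict.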
Patch news.
Russophone security researcher Habr, disappointed with his treatment by Apple's bug bounty program and Apple's failure to respond, has published, Forbes says, three zero-day vulnerabilities in iOS 14 and iOS 15. Vice reports that Apple is still investigating iPhone zero-days disclosed by frustrated researcher Habr, and that Cupertino has apologized for its dilatory response to his bug report.
Crime and punishment.
Russian authorities have detained Ilya Sachkov, founder and chief executive of cybersecurity firm Group-IB, on suspicion of "state treason," Reuters reports. Authorities searched Group-IB's Moscow offices early this week. TASS was authorized to quote presidential spokesman Dmitry Peskov as saying the Kremlin was aware of the arrest from "media reports," but that he had no further information to offer. Group-IB is confident that Sachkov will be vindicated, and that Dmitry Volkov will run the company during Sachkov's detention. The company says it's continuing operations, and that customers' data are safe in its "decentralized infrastructure." The company has international headquarters in London, Singapore, Dubai, and New York; it regards Singapore as its primary headquarters.
TASS was subsequently authorized to disclose a bit more about the treason charges Russian authorities have brought against Group-IB's CEO Ilya Sachkov this week. A source tells the outlet that, "The investigation suspects Sachkov of handing over classified information on cybersecurity to foreign intelligence agencies." Which intelligence service "employed" him isn't being revealed, although TASS observes that there are a number of (unnamed) possibilities.
Huawei CFO Meng Wanzhou has returned to China after reaching a deferred prosecution agreement with the US Department of Justice. Hours after her release, two Canadian citizens, Michael Kovrig and Michael Spavor, were allowed to return to Canada after spending nearly three years in a Chinese prison on charges of espionage. While the Chinese government has maintained that the Canadian citizens' detention was unrelated to Ms. Wanzhou's arrest in Canada, Foreign Policy calls it a clear example of "hostage diplomacy."
The Wall Street Journal says a US cryptocurrency expert has pleaded guilty to illegal export of blockchain technology to North Korea. Audrey Strauss, US Attorney for the Southern District of New York, stated, "Griffith worked with others to provide cryptocurrency services to North Korea and assist North Korea in evading sanctions, and traveled to North Korea to do so. In the process, Griffith jeopardized the national security of the United States by undermining the sanctions that both Congress and the President have enacted to place maximum pressure on the threat posed by North Korea’s treacherous regime."
Courts and torts.
A lawsuit has alleged that an Alabama hospital that delivered a baby while its systems were suffering from a ransomware attack missed a medical condition that resulted in the baby's death nine months later, Healthcare IT News reports. The baby's mother, Teiranni Kidd, says she was unaware that the hospital was dealing with a cyberattack when she arrived for a labor induction. The lawsuit alleges, "Upon information and belief, the only fetal tracing that was available to healthcare providers during Teiranni's admission was the paper record at her bedside. Because numerous electronic systems were compromised by the cyberattack, fetal tracing information was not accessible at the nurses' station or by any physician or other healthcare provider who was not physically present in Teiranni’s labor and delivery room. As a result the number of healthcare providers who would normally monitor her labor and delivery was substantially reduced and important safety-critical layers of redundancy were eliminated."
The hospital denies wrongdoing, stating, "We stayed open and our dedicated healthcare workers continued to care for our patients because the patients needed us and we, along with the independent treating physicians who exercised their privileges at the hospital, concluded it was safe to do so."
UC San Diego Health is facing a lawsuit over a phishing attack that may have exposed sensitive information belonging to nearly 500,000 patients and employees, the San Diego Union-Tribune reports. Among the data potentially exposed were "Full names, addresses, dates of birth, email addresses, fax numbers, claims information including dates and costs of care received, laboratory results, medical diagnoses and conditions, medical record numbers, prescription information, treatment information, Social Security numbers, government identification numbers, financial account numbers, student identification numbers, usernames and passwords."
Policies, procurements, and agency equities.
US President Biden will convene a thirty-country meeting in October to discuss the impact of ransomware on economic and national security, CNN reports. Biden said Friday that the purpose of the meeting will be "to accelerate our cooperation in combating cybercrime, improving law enforcement collaboration, stemming the illicit use of cryptocurrency, and engaging on these issues diplomatically."