By the CyberWire staff
Security researchers targeted by North Korean actors.
Google's Threat Analysis Group (TAG) warns that a North Korean state-sponsored actor is targeting security researchers via fake profiles on Twitter, LinkedIn, Telegram, Discord, and Keybase. The attackers purported to be analyzing a vulnerability and invited the researchers to work with them:
"The actors have been observed targeting specific security researchers by a novel social engineering method. After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project. Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains."
In one case, the actor made a YouTube video that appeared to show successful exploitation of the recently patched Windows Defender vulnerability CVE-2021-1647, although observant viewers determined that the video had been faked.
The attackers also set up a research blog that used an apparently unknown vulnerability to install backdoors on visitors' systems. Google's researchers note, "At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions. At this time we’re unable to confirm the mechanism of compromise, but we welcome any information others might have. Chrome vulnerabilities, including those being exploited in the wild (ITW), are eligible for reward payout under Chrome's Vulnerability Reward Program."
TAG has published a list of the attackers' social media accounts, infrastructure, and IOCs. The researchers advise, "If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties, and your own security research."
Cisco Talos confirmed that its researchers had been targeted by this campaign, although they "did not engage to the point where the malicious files were provided." Talos notes that "the attacker has a good grasp of the English language and made contact within the normal working hours for the researcher based on their time zone, denoting some care regarding the quality of the lure." ZDNet cites numerous other researchers who shared that they had been targeted.
On Thursday Microsoft attributed the recently exposed long-con social engineering of vulnerability researchers to the North Korean group Microsoft calls "Zinc" and most others know as the Lazarus Group. Their report confirms much of what Google’s researchers had concluded about the threat actors’ methods. “After building their reputation across their established social media accounts,” Microsoft writes, "the actors started approaching potential targets on social media platforms such as Twitter and LinkedIn. The conversations were often seemingly innocuous, asking security questions or talking about exploit techniques. If the researcher was responsive, the actor would offer to move communication to another platform (e.g., email, Discord) in some cases to then send files using encrypted or PGP protected ZIPs."
Redmond provided a set of indicators of compromise, and they offer some advice for those who might be affected. Should you have visited one of the blogs owned and operated by Zinc (Microsoft’s report has a list of them) you’d do well to run a "full antimalware scan and use the provided IOCs to check your systems for intrusion." If you find any of Zinc’s malware, assume your system is fully compromised and rebuild it. To avoid being hit by something like this, Microsoft advises security professionals to use a virtual machine when they’re building untrusted projects in Visual Studio, or when they’re opening links or files sent by parties unknown.
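As an added example (not code from Google TAG, Microsoft or this article), here is a Python audit of the delivery mechanism described above: it lists every build-event command in a Visual Studio project file and flags those that hand a DLL to a loader or launch a script host, run here over a constructed sample project rather than any real lure.

```python
"""Audit Visual Studio project files for build events that run code.

Build events (PreBuildEvent, PostBuildEvent, PreLinkEvent, CustomBuildStep and
MSBuild <Exec> targets) run shell commands on every build, which is how the
lure above executed its DLL. Listing them lets an untrusted project be
reviewed before anyone builds it."""
import re
import xml.etree.ElementTree as ET

EVENT_TAGS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent", "CustomBuildStep"}
# Heuristic only: DLL loaders, script hosts and downloaders deserve a look.
SUSPICIOUS = re.compile(
    r"\b(rundll32|regsvr32|powershell|pwsh|wscript|cscript|mshta|certutil|bitsadmin|curl|wget)\b"
    r"|\.dll\b",
    re.IGNORECASE,
)

def _local(tag):
    """Strip the MSBuild XML namespace so tag names compare cleanly."""
    return tag.rsplit("}", 1)[-1]

def extract_build_commands(project_xml):
    """Return (event_name, command) for every build-time command in the project."""
    commands = []
    for elem in ET.fromstring(project_xml).iter():
        name = _local(elem.tag)
        if name in EVENT_TAGS:
            # .vcxproj nests <Command> inside the event; old .csproj puts the text directly.
            cmd_elem = next((c for c in elem if _local(c.tag) == "Command"), None)
            text = (cmd_elem.text if cmd_elem is not None else elem.text) or ""
            if text.strip():
                commands.append((name, text.strip()))
        elif name == "Exec" and elem.get("Command"):
            # SDK-style projects hook build events via <Target><Exec Command=.../>.
            commands.append(("Exec", elem.get("Command").strip()))
    return commands

def flag_suspicious(project_xml):
    """Return only the build commands matching a loader/interpreter pattern."""
    return [(n, c) for n, c in extract_build_commands(project_xml) if SUSPICIOUS.search(c)]

# Constructed sample (not from the real campaign): a benign echo plus a
# post-build step that hands a bundled DLL to rundll32, as the lure did.
SAMPLE_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)'=='Release'">
    <PreBuildEvent><Command>echo Building $(ProjectName)</Command></PreBuildEvent>
    <PostBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)helper.dll",Start</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>"""

if __name__ == "__main__":
    for event, cmd in flag_suspicious(SAMPLE_VCXPROJ):
        print(f"[!] {event}: {cmd}")
```

Run it against each .vcxproj or .csproj in a project received from a third party before opening the solution; an empty result means no build-time commands were found, not that the project is safe.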
For more, see the CyberWire Pro Research Briefing.
See how budget-constrained security teams prevent ransomware in cost-effective ways.
Ransomware groups seek to make more money by expanding their attacks to a broader landscape of targets. This often means hospitals, schools, and local governments, who are the most resource-constrained segments of our societal infrastructure and the ones least able to accept downtime. Watch Morphisec’s on-demand webinar to see how businesses with limited resources are protecting themselves against this growing threat.
Emotet disrupted by Europol.
Europol on Wednesday announced an internationally coordinated disruption of the Emotet botnet. Two Ukrainian citizens have been arrested as part of the operation. Europol and Eurojust coordinated the operation with law enforcement agencies from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine:
"The infrastructure that was used by EMOTET involved several hundreds of servers located across the world, all of these having different functionalities in order to manage the computers of the infected victims, to spread to new ones, to serve other criminal groups, and to ultimately make the network more resilient against takedown attempts."
"To severely disrupt the EMOTET infrastructure, law enforcement teamed up together to create an effective operational strategy. It resulted in this week’s action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime."
ZDNet reports that Dutch police have found that two of Emotet's three primary command-and-control servers are located in the Netherlands, and the police have deployed an update that will uninstall the malware from all infected hosts on April 25th, 2021.
Randy Pargman, senior director at Binary Defense, told ZDNet that the disruption "will effectively reset Emotet" and force its operators to rebuild. Since Emotet is often used to install additional malware, Pargman says organizations should use the next three months to scour their networks for Emotet and look for evidence of these additional threats.
Are you interested in space and communications?
If so, take a look at the Cosmic AES Signals & Space. Aerospace meets outer space. This monthly briefing on cyber security as it relates to the space and SIGINT sectors covers technology, policy, market news and more. Our new issue comes out on Tuesday, February 1, 2021.
Lebanon Cedar's activities outlined.
ClearSky researchers describe a cyberespionage campaign by Lebanon Cedar, a threat actor tied to the Lebanese government and aligned with Hezbollah. The researchers agree with Check Point's 2015 assessment that the group is politically and ideologically motivated.
The threat actor is using a new version of its custom-made Trojan dubbed "Explosive" as well as its Caterpillar WebShell. The group uses publicly available tools like Shodan to scan for vulnerable web servers, and exploits 1-day vulnerabilities such as CVE-2019-3396 in Atlassian Confluence Server, CVE-2019-11581 in Atlassian Jira Server and Data Center, and CVE-2012-3152 in Oracle 10g. The researchers have identified 254 servers compromised by the group. Most of the victims were telecommunications, IT, and hosting companies, with the primary targets located in the Middle East:
"Our report reveals a partial list of the companies that the group has attacked. The target companies are from many countries including: The United States, the United Kingdom, Egypt, Jordan, Lebanon, Israel, and the Palestinian Authority. We assess that there are many more companies that have been hacked and that valuable information was stolen from these companies over periods of months and years."
ClearSky notes that Lebanon Cedar's patience and stealthiness have allowed it to operate nearly unnoticed for at least five years.
500 million Facebook users' phone numbers for sale.
A hacker is selling access to a database of approximately 533 million Facebook users' phone numbers, Computing reports. Facebook told Motherboard the numbers were obtained by way of a vulnerability the company patched in 2019. The data are now available via a Telegram bot that allows customers to pay $20 for a credit to look up a Facebook user's phone number, or to look up someone's Facebook account using their phone number. They can also pay for credits in bulk, with 10,000 credits costing $5,000.
The bot was discovered by Alon Gal, CTO of Hudson Rock, who told Motherboard, "It is very worrying to see a database of that size being sold in cybercrime communities, it harms our privacy severely and will certainly be used for smishing and other fraudulent activities by bad actors."
For more, see the CyberWire Pro Privacy Briefing.
Want to get your message to leaders in cyber?
Security leaders across the globe trust the CyberWire and depend on us every day to deliver the news and analysis they need to do their jobs. That’s also why so many top security companies and hot startups trust us to help get the word out about their brand and fill their sales funnels. We have lots of great sponsorship opportunities that can help you get the word out too. Learn more at thecyberwire.com/sponsorship.
Wall Street as a potential venue for monetizing influence operations.
A large swarm of individual investors, mobilized by influencers and motivated at least as much by lulz and resentment as by the usual fear and greed, have shown themselves able to move markets. Loosely organized around the Reddit forum WallStreetBets, individual investors drove shares of brick-and-mortar retailer GameStop very high, CNBC reports. It became a classic short squeeze as short-sellers, a lot of them hedge funds, had to cover their bets at a high price, taking large losses.
After some retail investing platforms suspended, then resumed, trading in GameStop and a few other heavily shorted stocks, it remains unclear what, if anything, the self-organized social-media book-talkers did that was improper. Criticism of the trading suspensions in the US was surprisingly bipartisan, CNBC says, with left- and right-wing members of Congress joining in.
Alex Stamos, of the Stanford Internet Observatory, tweeted that the incident has implications that go beyond whatever market disruption might trouble Wall Street:
"The WallStreetBets manipulation of $GME is now the best template for how one could monetize an influence operation. I don't know if any laws were broken this time, but Reddit now has a problem: it is the home for a community of hundreds of thousands of people who have demonstrated the ability to move billions of dollars based upon the urging of, at most, a couple dozen anonymous accounts. Reddit has some thoughtful policy people thinking through these issues, but I'm not sure they have a dedicated influence-ops-focused investigation team like TWTR/FB. If they leave WSB up, they will need one."
As Stamos points out, he's not stooging for the hedge funds: "People are incorrectly reading this as a defense of hedge funds. It is not (tax their carried interest as W-2 income!) Who do you think is going to be messaging everybody with well-followed YouTube channels and lots of Reddit Gold to drive the next rally?"
For more, see the CyberWire Pro Disinformation Briefing.
Students and members of the military, don't be left out of CyberWire Pro! We've got you!
Due to your student or military status (active or reserve military status), you are able to subscribe to CyberWire Pro or CyberWire Pro+ at a significant discount. That means you can unlock access to our focus briefings, exclusive podcasts, quarterly analyst calls, premium articles and much more. To learn more, visit here and click on the Contact Us button in the Academic or Government & Military box.
Some investment news.
Santa Clara, California-based passwordless authentication platform provider Axiad has raised $20 million in growth financing from Invictus Growth Partners. The company stated, "The proceeds of the financing will be used to accelerate sales, marketing and development of its cutting edge multi-factor authentication platform, which protects more than 2.5 million enterprise credentials for hundreds of global customers. Invictus Co-founders and Managing Partners, John DeLoche and William Nettles, will join Axiad's board."
Valtix, a cloud-native network security platform provider based in Santa Clara, California, has secured $12.5 million in strategic funding from Cisco Investments, Northgate Capital, and The Syndicate Group. The company stated, "The new capital will be used to accelerate the company's go-to-market strategy that will help Valtix scale in 2021. Valtix will also leverage extensive channel relationships in partnership with The Syndicate Group (TSG), a boutique venture capital firm with deep channel relationships across an extensive network of VARs, integrators and consultancies."
Mission Secure, an ICS cybersecurity company headquartered in Charlottesville, Virginia, has raised $5.6 million in a Series B round led by IREON Ventures, Energy Innovation Capital, and Blue Bear Capital Partners, with participation from Chevron Technology Ventures and the University of Virginia LVG Seed Fund. The company says it "will use the new funding to advance the innovative technologies in its patented cyber-protection platform and to recruit additional ICS cybersecurity experts to support 24/7 managed services for its expanding global customer base in oil and gas, chemicals, maritime, manufacturing, smart cities, and defense organizations."
For more business news, see the CyberWire Pro Business Briefing.
Apple has patched three vulnerabilities that "may have been actively exploited." Two of the flaws affected WebKit, Safari's browser engine, and one affected the kernel. The WebKit vulnerabilities could have led to remote code execution, while the kernel flaw enabled privilege escalation. Users are urged to update to iOS 14.4. Apple says more details will be released soon; the Register believes the most likely scenario is that "someone chained these bugs...to take control of someone's handheld after tricking them to visit a booby-trapped website. The page would inject and execute a payload in Safari, which would then use the kernel vulnerability to gain the necessary privileges to commandeer the equipment, spy on its owner, snoop on communications, and so on."
Crime and punishment.
A joint US-Bulgarian operation has taken down dark web sites used by the Netwalker ransomware-as-a-service operation. The sites had been used by the attackers to communicate with their victims. The US Justice Department stated, "The NetWalker action includes charges against a Canadian national in relation to NetWalker ransomware attacks in which tens of millions of dollars were allegedly obtained, the seizure of approximately $454,530.19 in cryptocurrency from ransom payments, and the disablement of a dark web hidden resource used to communicate with NetWalker ransomware victims." The Justice Department adds, "According to an indictment unsealed today, Sebastien Vachon-Desjardins of Gatineau, a Canadian national, was charged in the Middle District of Florida. Vachon-Desjardins is alleged to have obtained at least over $27.6 million as a result of the offenses charged in the indictment."
Courts and torts.
The US Federal Trade Commission has fined three ticket-scalping companies for using bots, the Verge reports. This is the first-ever enforcement of the 2016 Better Online Ticket Sales (BOTS) Act, which prohibits the use of bots or other software to bypass limitations on online ticket purchases. The FTC said the defendants were "allegedly using automated ticket-buying software to search for and reserve tickets automatically, software to conceal their IP addresses, and hundreds of fictitious Ticketmaster accounts and credit cards to get around posted event ticket limits. The defendants allegedly took in millions of dollars in revenues from the resale of the tickets they purchased using these unlawful means." The FTC has issued the following fines:
- "$16 million against Concert Specials, Inc. and Steven Ebrani, which is partially suspended due to an inability to pay. They will pay $1,565,527.41.
- "$11.2 million against Just In Time Tickets, Inc. and Evan Kohanian, which is partially suspended due to an inability to pay. They will pay $1,642,658.96.
- "$4.4 million against Cartisim Corp. and Simon Ebrani, which is partially suspended due to an inability to pay. They will pay $499,147.12."
Policies, procurements, and agency equities.
CyberScoop reports that Chris DeRusha, who directed cybersecurity for President Biden's campaign and worked on cybersecurity in the Department of Homeland Security during the Obama Administration, will be the new US Federal CISO. The Biden Administration has also appointed Federal Communications Commission veteran and net neutrality advocate Jessica Rosenworcel Acting Chair of the commission, according to Axios. At the moment, the FCC is “deadlocked along party lines,” with one vacancy. President Biden could promote Rosenworcel to permanent chair or nominate someone else. Axios also reports that Rebecca Slaughter has been appointed as Acting Chair of the Federal Trade Commission. And Law360 reports that the Administration will retain FBI Director Christopher Wray.
Russia’s FSB has issued an alert, "On the threat of targeted computer attacks," warning businesses of an increased likelihood of US cyberattacks. ZDNet characterizes the FSB's alert as a response to remarks by the new US Administration last Wednesday. Referring to Solorigate, White House Press Secretary Jen Psaki said, "of course we reserve the right to respond at a time and manner of our choosing to any cyberattack." US officials have attributed the cyberespionage campaign to Russia. Russia has denied any involvement.
For more, see the CyberWire Pro Policy Briefing.