By the CyberWire staff
Twitter suspends two North Korean catphishing accounts.
Twitter last week suspended two accounts that North Korean operators established for the apparent purpose of catphishing security researchers. The Record reports that the two accounts are part of an espionage campaign that began last year. A member of Google's Threat Analysis Group says the two accounts are part of a cluster, some of whose members were taken down in August. While the accounts were active for several months, neither had more than a thousand followers.
Ransomware at the Sinclair Broadcast Group and Olympus attributed to Evil Corp.
The Sinclair Broadcast Group, which operates one-hundred-eighty-five television stations with six-hundred-twenty channels in eighty-six US media markets, has disclosed that it determined last Sunday that it had been subjected to a ransomware attack. The media company detected what it regarded as "a potential security incident" on Saturday, and is now in the process of recovery. The Hollywood Reporter says that some service disruptions continued into the early part of the week. NY1 reports that the attack involved, as is now routine in such criminal operations.
To recap, Sinclair discovered a possible incident Saturday, identified it as a cyberattack Sunday, and issued a public statement Monday, which the Wall Street Journal calls quick disclosure. Attempts to isolate and contain the attack began almost immediately upon detection.
Bloomberg reported Thursday that the Sinclair Broadcast Group was hit by the Russian cybercriminal organization usually known as Evil Corp. The attackers are said to have used the Macaw strain of WastedLocker ransomware (Emsisoft calls Macaw simply a rebranded version of WastedLocker). Evil Corp has been under US sanctions since December of 2019, which would complicate any attempt to buy back access to infected systems by paying the ransom. One purpose of adopting rebranded malware strains may be obscuring the fact that payment of ransom to the sanctioned entity amounts to a violation of US law. The gang's two alleged leaders, Maksim Yakubets and Igor Turashev, were also indicted by the US at the time the sanctions were imposed. Sinclair's recovery from the attack remains a work in progress: according to the Daily Beast, disruptions to business and production systems have continued into the week.
Macaw ransomware (and thus its proprietor, Evil Corp) is also said, by TechCrunch, to be responsible for ongoing attacks against Olympus.
Does Your SOAR Platform Move Like a DinoSOAR? Embrace the Smarter SOAR.
ThreatConnect SOAR combines threat intelligence, analytics, and orchestration into one place to enable faster, more informed decisions. Because threat intelligence is baked in, there’s no need for complicated data manipulation or time-intensive look-ups: it’s all converted to a predictable and easily understood format while still preserving the source’s attribution information and reputation details. Is your SOAR smart enough to do that? Learn more about the industry’s smarter SOAR.
REvil disappears again: might it be gone for good?
The REvil ransomware gang appears to have again withdrawn from active operations, this time, BleepingComputer reports, because unknown parties hijacked the Tor sites the gang used for receiving payments and leaking stolen data. The data dump site had been known as “the Happy Blog.” REvil appears to have detected the hijacking this past Sunday.
Security firm Flashpoint posted a description of this latest occultation to its blog Monday morning. They note that the gang’s former spokesman, a known unknown who went by the predictable nom-de-hack “Unknown,” had private keys for access to the sites, and that the unknown hijackers had used Unknown’s private keys to take control of them. A different REvil representative, nom-de-hack “0_neday,” announced the hijacking on the Russophone forum XSS, made an ineffectual gesture in the direction of conciliating REvil’s criminal affiliates, wished everyone “good luck,” and signed off. Flashpoint sees the incident as “an unexpected turn in REvil’s attempt to reconstitute their operations, as the group had just begun recruiting new affiliates on the RAMP forum, and offering unusually high commissions of 90 percent to attract affiliates.”
XSS moderators reacted to the incident Monday by closing the thread in which REvil announced their troubles. The moderators also advised XSS users to block REvil accounts.
Digital Shadows joins other security firms in commenting on the reappearance and subsequent disappearance, again, of REvil. They note that the gang's successive versions appear to have grown less profitable. Why, then, the reboots? Apparently REvil thinks it retains some brand equity in the criminal-to-criminal markets.
Some speculated that law enforcement authorities may in fact be the hijackers, and observers think that this time the gang may be down for the count, although of course it's possible members will resurface in other criminal or privateering organizations. Some of the speculation about law enforcement involvement comes from REvil’s criminal competitors. “Users on XSS were generally incredulous at this new announcement,” Flashpoint said, adding, “The spokesperson of the LockBit ransomware gang claimed this new disappearance is proof that the REvil re-emergence in September was part of an elaborate FBI plot to catch REvil affiliates. Several threat actors agreed with the LockBit representative and added that they believed that REvil will re-emerge again under a totally new name, leaving behind recent scandals without having to pay out old affiliates. Another threat actor added, paraphrasing Shakespeare, ‘Something is rotten in the state of ransomware.’”
Such speculation that REvil's second disappearance may have been induced by law enforcement activity seems to have been borne out. Reuters reported on Thursday that REvil's difficulties in reestablishing itself, including its loss of keys and loss of control over its servers, were due to a concerted effort by law enforcement, intelligence, and military agencies, with the cooperation of private security companies, to knock the gang offline. One feature of the operation appears to have been the compromise of REvil's backups. A representative of the US National Security Council would say only, according to Computing, that there is "a whole of government ransomware effort, including disruption of ransomware infrastructure and actors." It was also an international operation, with participation by other unspecified but "like-minded countries."
The cyber underworld will adapt, and is already showing signs of doing so, security firms note. Kaspersky researchers looked specifically at Russophone gangland, the criminal market leader, and found increased division of labor, commodification, and C2C marketing.
Find and Mitigate Threats Targeting Your Company, Employees, and Customers.
Rapid7 Threat Command (formerly IntSights) enables you to make informed decisions and rapidly respond to protect your business. Get a Free Threat Report here.
"What I love about Threat Command is that it’s out of the box and ready to use. The entire integration can be set up in less than ten seconds, and then it goes out and finds all the information necessary. It really is that easy." - Threat Intelligence Manager, IT Risk
A Joint Advisory on BlackMatter.
With its partners in the FBI and NSA, the US Cybersecurity and Infrastructure Security Agency (CISA) has released a joint Cybersecurity Advisory that outlines the threat posed by BlackMatter, a criminal ransomware-as-a-service operation that may represent a rebranding of DarkSide. BlackMatter emerged in July of this year; DarkSide appeared in Russophone criminal circles in August or September of last year and was active through May of 2021. It's best known for the attack on Colonial Pipeline, which disrupted fuel deliveries in much of the Eastern US this past May. Like DarkSide, BlackMatter has hit critical infrastructure, notably at least two targets in the Food and Agriculture Sector. CISA and its partners recommend a series of protective measures against attack and advise organizations to prepare for response and recovery. They strongly discourage victims from paying ransom.
CISA's caution against paying ransom may be familiar, but it isn't idle. A survey released this morning by CISOs Connect, Aimpoint Group, and W2 Research suggests that 80% of CISOs would at least consider paying ransom should they be attacked. More evidence suggesting that official admonitions against paying ransomware operators Danegeld may be falling on deaf ears comes from ThycoticCentrify's 2021 State of Ransomware study, which concludes that 83% of the victims paid their extortionists.
Security Unlocked: exploring applied AI, threat research and more
In the Security Unlocked podcast we hear from data scientists, researchers, analysts and threat hunters from across Microsoft’s cybersecurity workforce to learn how AI is being applied to combat the ever-growing sophistication of cyberattacks, how new threat types and techniques are being discovered and mitigated, and what security practitioners can do today to prepare for the next wave of challenges. New episodes every Wednesday.
Threat actor targets Afghanistan and India.
Researchers at Cisco Talos have observed a state-sponsored threat actor targeting entities in Afghanistan and India. The threat actor set up phishing sites to deliver commodity malware, including dcRAT and QuasarRAT for Windows and AndroidRAT for mobile devices. While the researchers don't attribute the actor to any particular nation-state, they note that the attackers are using a Pakistani IT company as a front:
"The threat actor registered multiple domains with political and government themes. These domains hosted malware payloads that were distributed to their victims. Their malicious lures also contained themes related to Afghan entities, specifically diplomatic and humanitarian efforts. We assess with high confidence that the threat actor behind these attacks is an individual operating under the guise of a Pakistani IT firm called 'Bunse Technologies.'
"The infection chains consist of malicious RTF documents and PowerShell scripts that distribute malware to victims. We've also observed the usage of C#-based downloader binaries to deploy malware while displaying decoy images to victims to appear legitimate."
Harvester conducts cyberespionage against Afghanistan.
Symantec is tracking a previously unobserved threat actor dubbed "Harvester" that's targeting telecommunications, government, and IT entities in South Asia, particularly in Afghanistan. Symantec believes the threat actor is state-sponsored and is conducting cyberespionage using custom-made and publicly available malware.
"While we do not have enough evidence yet to attribute Harvester’s activity to a specific nation state, the group’s use of custom backdoors, the extensive steps taken to hide its malicious activity, and its targeting all point to it being a state-sponsored actor. Harvester’s use of legitimate infrastructure to host its C&C servers in order to blend in with normal network traffic is one example of the stealthy steps taken by this actor.
"The targeting of organizations in Afghanistan in this campaign is also interesting given the huge upheaval seen in that country recently. The activity carried out by Harvester makes it clear the purpose of this campaign is espionage, which is the typical motivation behind nation-state-backed activity."
Turn breach data into your biggest defense.
Someone else’s breach is beyond your control—but it could be your biggest security threat. SpyCloud flags employee credentials that have been compromised, so you can act swiftly and reduce your internal risk. By making the latest breach data actionable for your business, SpyCloud helps you negate its value before criminals can use it. See your company’s breach exposure and request a demo.
LightBasin's long campaign against telecommunications infrastructure.
CrowdStrike has published a description of LightBasin, also tracked as UNC1945, an "activity cluster" that's been targeting global telecommunications infrastructure since 2016. LightBasin has been collecting user information on a large scale, showing a particular interest in call metadata and subscriber information. Why LightBasin is collecting the data isn't entirely clear, and while it appears to be an espionage operation, CrowdStrike says, "There is currently not enough available evidence to link the cluster’s activity to a specific country-nexus." Circumstantial evidence includes strings in Pinyin, which suggests Chinese or at least Chinese-speaking operators, but this falls well short of what might be required for attribution. CyberScoop's discussion treats LightBasin as an espionage campaign; the Record, however, characterizes the operators as "crims."
Criminal-to-criminal markets.
In the criminal-to-criminal malware supply chain, one key player, the Russian gang Fin7, is representing itself online as a legitimate company, the Wall Street Journal reports in an exclusive. "Bastion Secure" (which the Journal archly notes uses the letters "BS" as its logo) claims to be a provider of cybersecurity services. The point of their online presence appears to be recruiting.
International efforts to curb ransomware find themselves up against pervasive corruption in Russia, as Mieke Eoyang, US deputy assistant defense secretary for cyber policy, told DefenseOne.
Magnitude exploit kit adds Chromium capabilities.
Avast reports that the Magnitude exploit kit has added capability against the Chromium family of browsers, exploiting the CVE-2021-21224 and CVE-2021-31956 vulnerabilities. Avast noted, "There is no malicious payload attached to these exploits yet, the attack just exfiltrates the victim's Windows build number. Since this is the standard way for Magnitude to test new CVEs, we believe these exploits could soon be used to deploy the #Magniber ransomware."
The Record finds it noteworthy that a moribund exploit kit obtained a relatively advanced capability. On the bright side, the exploit works against a relatively small range of targets.
Exploit broker looks for the goods on cloud-based VPNs.
The well-known exploit broker Zerodium is looking for exploitable flaws in ExpressVPN, NordVPN, and Surfshark. They're interested specifically in "information disclosure, IP address leak, or remote code execution," and say that "local privilege escalation is out of scope." The Record says the three VPN vendors haven't commented.
Patch news.
CISA warned Thursday that a GPS Daemon (GPSD) rollover bug will hit Network Time Protocol servers this Sunday, October 24th, rolling the date back 1024 weeks (it's a punning bug: ten twenty four, like Sunday's date) to March 2002, with predictable disruption to services using NTP. The problem affects only GPSD versions 3.20 through 3.22. The fix is an obvious one: upgrade systems to version 3.23 or later. CISA recommends that concerned users consult the SANS Institute's account of the bug for more background and information.
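The 1024-week rollover behind this bug, as an added illustration that is not GPSD's code and does not reproduce the GPSD defect itself: GPS broadcasts the week number as a 10-bit field, so software must pick the right 1024-week cycle from a pivot date, and a pivot one cycle stale lands exactly 1024 weeks in the past (24 October 2021 becomes 10 March 2002). The pivot-date rule, the `looks_like_rollover` monitoring check and the tolerance value are assumptions for this example, not taken from GPSD or from the advisory.

```python
from datetime import datetime, timedelta, timezone

# GPS time starts on Sunday 1980-01-06 00:00:00 UTC. The week number that the
# satellites broadcast is a 10-bit field, so it wraps every 1024 weeks.
GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)
ROLLOVER_WEEKS = 1024
WEEK = timedelta(weeks=1)


def utc_date(year: int, month: int, day: int) -> datetime:
    """Convenience constructor for a UTC midnight timestamp."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def full_gps_week(dt: datetime) -> int:
    """Unwrapped GPS week number (whole weeks since the GPS epoch)."""
    return (dt - GPS_EPOCH) // WEEK


def broadcast_week(dt: datetime) -> int:
    """The 10-bit week value a receiver actually sees on the air interface."""
    return full_gps_week(dt) % ROLLOVER_WEEKS


def unwrap_week(week10: int, pivot: datetime) -> int:
    """Resolve a 10-bit week to a full week number using a pivot date.

    The field alone cannot say which 1024-week cycle it belongs to. The usual
    (assumed) rule is: pick the first cycle in which the week is not earlier
    than the pivot, e.g. the software's release date. A pivot that is more
    than a cycle stale yields a date exactly 1024 weeks too early."""
    pivot_week = full_gps_week(pivot)
    cycle_base = pivot_week - pivot_week % ROLLOVER_WEEKS
    full = cycle_base + week10
    if full < pivot_week:          # the week must belong to the next cycle
        full += ROLLOVER_WEEKS
    return full


def week_to_date(full_week: int) -> datetime:
    """Start (Sunday 00:00 UTC) of the given full GPS week."""
    return GPS_EPOCH + full_week * WEEK


def looks_like_rollover(reported: datetime, reference: datetime,
                        tolerance: timedelta = timedelta(days=7)) -> bool:
    """Monitoring check (assumed, not part of any product): flag a time source,
    such as an NTP server fed by GPS, whose reported date sits roughly 1024
    weeks behind a trusted reference clock."""
    offset = reference - reported
    return abs(offset - ROLLOVER_WEEKS * WEEK) <= tolerance
```

With a pivot of 1 January 2020 the broadcast week for 24 October 2021 (133) unwraps correctly to week 2181; with a pivot of 1 January 2000 it unwraps to week 1157, which is 10 March 2002, the rollback described above.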
Crime and punishment.
The US Justice Department has charged eight Nigerian citizens with "multiple federal crimes relating to internet scams they perpetrated from South Africa." The individuals were arrested in Cape Town on Tuesday and are alleged to be members of the Nigerian mafia known as "Black Axe" or the "Neo Black Movement of Africa." The Justice Department stated, "From at least 2011 through 2021, the Black Axe defendants and other conspirators worked together from Cape Town to engage in widespread internet fraud involving romance scams and advance fee schemes. Many of these fraudulent narratives involved claims that an individual was traveling to South Africa for work and needed money or other items of value following a series of unfortunate and unforeseen events, often involving a construction site or problems with a crane. The conspirators used social media websites, online dating websites, and voice over internet protocol phone numbers to find and talk with victims in the United States, while using a number of aliases."
The US Justice Department has sentenced Pavel Stassi of Estonia to 24 months in prison and Aleksandr Skorodumov of Lithuania to 48 months in prison for providing bulletproof hosting services for criminals. Justice stated, "According to court documents, Stassi and Skorodumov were members of a bulletproof hosting organization founded and led by two co-defendants, Aleksandr Grichishkin and Andrei Skvortsov, both 34 and of Russia. The group rented IP addresses, servers, and domains to cybercriminal clients who employed this technical infrastructure to disseminate malware used to gain access to victims’ computers, form botnets, and steal banking credentials for use in frauds. Malware hosted by the organization included Zeus, SpyEye, Citadel, and the Blackhole Exploit Kit, which attacked U.S. companies and financial institutions between 2009 and 2015 and caused or attempted to cause millions of dollars in losses to U.S. victims."
Courts and torts.
Facebook CEO Mark Zuckerberg has been added to a lawsuit filed by Washington, DC Attorney General Karl Racine over the Cambridge Analytica scandal, the Verge reports. Racine stated on Twitter, "Our continuing investigation revealed that he was personally involved in decisions related to Cambridge Analytica and Facebook’s failure to protect user data. My office filed our lawsuit in 2018, and since then, we’ve reviewed hundreds of thousands of pages of documents produced in litigation and completed a wide range of depositions including former employees and whistleblowers. This lawsuit is about protecting the data of half of all District residents and tens of millions of people across the country."
According to CNBC, Facebook spokesperson Andy Stone said in response, "These allegations are as meritless today as they were more than three years ago, when the District filed its complaint. We will continue to defend ourselves vigorously and focus on the facts."
Amazon has appealed an $865 million fine by the EU for allegedly violating GDPR, the Washington Post reports.
Policies, procurements, and agency equities.
Some security firms see, according to the Wall Street Journal, a middle ground in incident response between supine victimhood and aggressive (also probably illegal) hacking back. It involves both information-gathering and direct, legally menacing confrontation. Some members of the US Congress may be interested in encouraging the private sector to undertake more deterrence of cybercriminals.