More SVR activities.
Microsoft has identified extensive new activities by Russia’s SVR foreign intelligence service, which the company tracks as Nobelium and others know as Cozy Bear. The current operations, which Microsoft describes as “very large,” and “ongoing,” show no signs of abating. (NSA cyber director Joyce tweeted a link with approval, and advice.) Microsoft notes that this is the same actor that was behind the SolarWinds attacks last year.
Microsoft stated, "Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain. This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers. We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers. We began observing this latest campaign in May 2021 and have been notifying impacted partners and customers while also developing new technical assistance and guidance for the reseller community. Since May, we have notified more than 140 resellers and technology service providers that have been targeted by Nobelium. We continue to investigate, but to date we believe as many as 14 of these resellers and service providers have been compromised."
Mandiant, which has been tracking software supply chain attacks of the kind Microsoft announced with such éclat at the beginning of the week, has offered advice on how organizations can remediate attacks and harden their systems against the threat.
Coup in Sudan, and the Internet and telecoms go dark.
NetBlocks confirms that Internet service has been disrupted in Sudan. A military coup has taken place, and fighting continues in many parts of the country. The US embassy in Khartoum has advised American citizens in Sudan to shelter in place.
NetBlocks explains, "Metrics corroborate user reports of network disruptions appearing consistent with an internet shutdown. The disruption is likely to limit the free flow of information online and news coverage of incidents on the ground. This class of internet disruption affects connectivity at the network layer and cannot always be worked around with the use of circumvention software or VPNs."
Iranian subsidized fuel sales disrupted, and regional tensions rise.
According to the Washington Post, subsidized fuel sales at Iranian gas stations were disrupted over the weekend in what the government in Tehran describes as a cyberattack. Investigation is in progress, and the incident isn't yet attributed to any particular threat actor. Observers compare the attack, if such it proves to be, with the disruption of rail service messaging earlier this summer, generally thought to have been the work of Iranian dissident hacktivists.
Iran has since continued its efforts to recover from an apparent cyberattack that crippled subsidized distribution of gasoline throughout the country, SecurityWeek reports. As of Wednesday, only two-hundred-twenty of the forty-three-hundred filling stations normally connected to the discounted fuel network had been reconnected. About three-thousand stations are able to sell fuel offline at unsubsidized market prices. Tehran has blamed an unspecified foreign government for the disruption, but according to the BBC another, nominally hacktivist, opposition group calling itself "Predatory Sparrow" has claimed responsibility. People claiming to represent the same group also said they were involved with the disruptions of Iran's passenger rail service earlier this year, but it's too early to consider anything "Predatory Sparrow" claims as authoritative for attribution purposes.
By Wednesday evening Iranian news services were calling the incident that disrupted fuel distribution in that country an Israeli cyberattack. Asharq al-Awsat reports that officials intend to release the results of their investigation within a few days. In the meantime Tehran has retaliated by doxing Israeli Defense Minister Benny Gantz and a number of Israeli soldiers. The Jerusalem Post says the doxing was accomplished by a threat actor calling itself "Moses Staff" (sic), and the Tehran Times suggests that more will be heard from Moses Staff as tension between Israel and Iran rises. Haaretz reports that Moses Staff has obtained Israeli troop deployment information.
SolarMarker described.
eSentire reports a marked upswing in SolarMarker infestations. Whereas the information stealer had hitherto relied upon Blogspot, Google Sites, and content delivery networks to host malicious files, the campaigns using SolarMarker have recently begun making increased use of compromised WordPress sites. eSentire believes the attackers have used more than one million vulnerable WordPress pages.
Menlo Security has also observed this activity, noting that attackers are using SEO poisoning to push their malicious websites to the top of search results. These websites serve PDF files that contain links to download the malware. Menlo's researchers add that "[a]ll the compromised sites hosting the malicious PDFs were observed to be WordPress sites."
New malware loader.
ESET announced its discovery of a hitherto unknown malware loader, "Wslink," that runs as a server and executes Windows binaries in memory. Who is operating Wslink and what it's used for remain unknown. ESET states, "We have seen only a few hits in our telemetry in the past two years, with detections in Central Europe, North America, and the Middle East. The initial compromise vector is not known; most of the samples are packed with MPRESS and some parts of the code are virtualized. Unfortunately, so far we have been unable to obtain any of the modules it is supposed to receive. There are no code, functionality or operational similarities that suggest this is likely to be a tool from a known threat actor group."
Update on the state of the ransomware underworld.
A study of ransomware released this week by Digital Shadows concludes that the exclusion of ransomware discussions from cybercriminal fora has had little effect on the gangs' operations. A number of forum operators had banned such discussions to avoid unwanted attention from law enforcement organizations.
KrebsOnSecurity discusses the Conti ransomware gang's decision to sell either victims' data or access to victims' networks. The communiqué (or threat) Conti posted is ambiguous with respect to what, precisely, is being offered for sale, but whatever the case may be, Conti hopes to punish uncooperative victims. Publicly naming the companies whose access one hopes to sell would seem to be self-defeating. Emsisoft speculated to KrebsOnSecurity that Conti may be considering an exit.
Conti's shift in strategy comes days after the gang issued a self-righteous and puerile valediction for REvil, taken down last week by a coordinated international law enforcement action. In Vice's account, Conti argues that ransomware is good, somehow, but their argument amounts to little more than an implausible tu quoque: the US, you see, is really pushing ransomware when it takes down criminal servers, which we suppose is one way of looking at it.
Other ransomware operators are exploiting known vulnerabilities in BillQuick billing software to distribute ransomware, BleepingComputer reports. Huntress has an account of the vulnerabilities; reports indicate that some have been fixed and that fixes are in progress for others.
The Record interviews a representative of the LockBit ransomware gang, formerly a bit player, now risen to prominence. LockBit thinks REvil's disappearance may have been an exit scam.
CSO reviews the Conti ransomware gang. For all of its preening Robin-Hood schtick, Conti is even less likely than other criminal organizations to restore victims' files or keep promises to not release stolen data. (And the other criminal organizations, remember, set a pretty low bar of good behavior.)
Morphisec has released research into a new ransomware strain they're calling "Decaf." It's noteworthy for its use of the Go language, increasingly popular among cybercriminals. (Babuk, Hive, and HelloKitty are other ransomware tools written in Golang.) Decaf appeared in September and its development has continued into this month.
Emsisoft has been able to take advantage of slovenly coding by the BlackMatter ransomware gang to damage the gang's operations by enabling victims to recover files without paying ransom.
Avast has released decryptors for ransomware strains including AtomSilo, Babuk, and LockFile.
The disruption of physical supply chains.
Proofpoint has identified a new criminal threat actor, tracked as TA2722, that impersonates agencies of the Philippine government in phishing operations designed to distribute Remcos and Nanocore RATs. TA2722 targets shipping, logistics, manufacturing, business services, pharmaceutical companies, and energy providers. Victims have been found in North America, Europe, and Southeast Asia. ZDNet points out that the target selection poses a risk to already stressed supply chains.
The Green Bay Press Gazette reports that Schreiber Foods has recovered sufficiently from the ransomware attack it sustained to resume plant operations.
Patch news.
CISA has issued a fresh set of industrial control system security advisories. There are three of them. Sensormatic Electronics, LLC, a subsidiary of Johnson Controls, Inc., has fixed hard-coded credentials in its victor product. Mitsubishi Electric has patched an uncontrolled resource consumption problem in its MELSEC iQ-R Series C Controller Module R12CCPU-V. And Delta Electronics has addressed a stack-based buffer overflow vulnerability in its DOPSoft HMI product.
Crime and punishment.
An international dragnet made 150 arrests taking down a darkweb contraband market. "Operation Dark HunTor" also seized, the Wall Street Journal reports, "234 kilograms of drugs, 45 guns and more than $31.6 million in cash and virtual currencies." The US Justice Department stated, "Operation Dark HunTor actions have resulted in the arrest of 150 alleged Darknet drug traffickers and other criminals who engaged in tens of thousands of sales of illicit goods and services across Australia, Bulgaria, France, Germany, Italy, the Netherlands, Switzerland, the United Kingdom, and the United States. Prior to, but in support of Operation Dark HunTor, Italian authorities also shut down the DeepSea and Berlusconi dark web marketplaces which boasted over 40,000 advertisements of illegal products. Four alleged administrators were arrested, and €3.6 million in cryptocurrencies were seized in coordinated U.S.-Italian operations."
Europol announced Friday that it had “targeted” twelve individuals in Switzerland and Ukraine whom it believes are responsible for a range of cybercrimes that represented “a dangerous combination of aggressive disruption and high-stake targets.” The criminals' activities were complex, and Europol sums them up like this:
“The targeted suspects all had different roles in these professional, highly organised criminal organisations. Some of these criminals were dealing with the penetration effort, using multiple mechanisms to compromise IT networks, including brute force attacks, SQL injections, stolen credentials and phishing emails with malicious attachments.
“Once on the network, some of these cyber actors would focus on moving laterally, deploying malware such as Trickbot, or post-exploitation frameworks such as Cobalt Strike or PowerShell Empire, to stay undetected and gain further access.
“The criminals would then lay undetected in the compromised systems, sometimes for months, probing for more weaknesses in the IT networks before moving on to monetising the infection by deploying a ransomware. These cyber actors are known to have deployed LockerGoga, MegaCortex and Dharma ransomware, among others.”
Europol credits an international cooperative effort for the success of the enforcement operation. The participating agencies were Norway’s National Criminal Investigation Service, the Public Prosecutor’s Office of Paris, the French National Police, the Netherlands National Police and National Public Prosecution Service, the Prosecutor General of Ukraine and the Ukrainian National Police, the UK’s Police Scotland and National Crime Agency, the Reutlingen Police (in Germany), Switzerland’s National Police and the Basel Police, the US Secret Service and FBI, and, of course, the European Cybercrime Centre.
German authorities tell BR24 that they've identified the criminal kingpin of the once-and-future REvil gang. He goes by the nom-de-hack "Nikolay K." and represents himself online as a cryptocurrency trader. German federal investigators and prosecutors from Baden-Württemberg have obtained an arrest warrant, but Nikolay K. is at large in Russia and unlikely ever to face German justice.
Courts and torts.
The Wall Street Journal reports that the US Federal Trade Commission has opened an investigation into whether Facebook's internal research indicates that the company violated its 2019 settlement of privacy concerns with the FTC.
Policies, procurements, and agency equities.
French and Israeli diplomats may have agreed (as the Wire reports) that NSO Group's Pegasus intercept tool will no longer target French phone numbers, but Pegasus remains controversially active elsewhere. The University of Toronto's Citizen Lab has found that a device belonging to the New York Times' Beirut bureau chief Ben Hubbard was twice infected with Pegasus. The infections, in July 2020 and June 2021, occurred after Hubbard had complained to NSO Group that Saudi Pegasus operators targeted him in June 2018, while he was reporting on Saudi Crown Prince Mohammed bin Salman. Responsibility for the two later incidents is unknown. Hubbard argues that such anti-terrorism tools are too easily abused.
The White House has published a Strategic Intent Statement for the Office of the National Cyber Director. The stated goal is a world in which "Americans are free to be enriched, empowered, and enlivened by digital connectivity instead of burdened by it." The document is striking in its recognition that cybersecurity is a complex set of many small problems, and not something addressable in a single moonshot.
Fortunes of commerce.
The company formerly known as Facebook has announced that it will henceforth be known as "Meta." A founder’s letter says that the House of Zuckerberg is betting on the metaverse, a neologism that refers to an immersive experience in which people will live significant parts of their lives in virtual contact with others. Facebook is officially all-in on the metaverse, and, while Mr. Zuckerberg explains that the metaverse won’t be built by one company, Facebook, we mean Meta, will play a major role in shaping it.
Reaction to the rebranding is cautiously mixed. There are the usual observations that "meta" is a naughty word in some languages, of course. WIRED says that companies typically rebrand for three reasons: new business ambitions, a new corporate organization, or an attempt to distance themselves from a name with bad associations. The piece argues that Facebook’s conversion to Meta has aspects of all three. The Drum’s roundup of industry reaction is also mixed, with some seeing the renaming as the bold planting of a flag in new technological territory, and others seeing it as just a “PR-conscious reactionary move.” And the metaverse itself has come in for its own share of skepticism. The next phase of human evolution, or just Fortnite on steroids?
The Wall Street Journal reports that German auto parts manufacturer Eberspächer, based in Esslingen am Neckar, near Stuttgart, had to halt production while it dealt with a cyberattack that hit the company on Sunday. Workers are already collecting unemployment benefits from the Land, that is, the state, of Baden-Württemberg.
Labor markets.
Microsoft on Thursday announced a major initiative intended to redress shortfalls in the cyber labor force. It will focus on community colleges as sources of trained workers. Redmond will provide scholarships or other assistance to 25,000 students annually, and support to faculty at 150 two-year colleges across the US. The program hopes to fill a quarter of a million cybersecurity jobs over four years.