By the CyberWire staff
Ukrainian security service identifies Russian FSB officers behind Primitive Bear.
Ukraine's security service, the SSU, has identified five Russian FSB officers as operators behind the Gamaredon threat actor (also known as "Primitive Bear"). The group has specialized in targeting Ukrainian critical infrastructure and classified networks. The group is centered, geographically, in Russian-occupied Ukraine, and the FSB chatter the SSU intercepted includes a lot of whining about getting shafted out of awards and bonuses, recognition going to the undeserving, and everybody having to get tested for COVID at work.
US sanctions four spyware firms, including NSO Group.
The US Department of Commerce has sanctioned four companies for providing spyware to foreign governments. NSO Group and Candiru (both based in Israel) have been added to the Entity List, as have Positive Technologies (a Russian firm), and the Computer Security Initiative Consultancy PTE (headquartered in Singapore).
Of the two Israeli firms, Commerce said they “were added to the Entity List based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers. These tools have also enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent. Such practices threaten the rules-based international order.”
Positive Technologies and the Computer Security Initiative Consultancy were placed on the Entity List after, Commerce said, “a determination that they traffic in cyber tools used to gain unauthorized access to information systems, threatening the privacy and security of individuals and organizations worldwide.”
The sanctions, Commerce explains, represent a move in support of human rights. “This effort is aimed at improving citizens’ digital security, combating cyber threats, and mitigating unlawful surveillance and follows a recent interim final rule released by the Commerce Department establishing controls on the export, reexport, or in-country transfer of certain items that can be used for malicious cyber activities,” the Department’s announcement said.
How much money is your company losing to Alert Fatigue?
Spending unnecessary time and resources on noisy tools and alert triage could be costing you more than you realize. Use the Arctic Wolf Alert Fatigue Calculator to learn how much your organization could be losing and put a plan in place to reduce your alert fatigue.
Ransomware gangs' exits.
ZDNet says a major ransomware gang that recently closed up shop, BlackMatter, has seen its affiliates migrate to a competitor, LockBit. BlackMatter said its decision to shut down was prompted by "recent events." ZDNet speculates that those events included not only the action against REvil, but also the Europol-coordinated round-up of twelve "high-profile" individuals involved in spreading ransomware including LockerGoga, MegaCortex, and Dharma.
The BlackMatter gang itself may or may not resurface in some form. Flashpoint looked at BlackMatter and predicted that its operators, the people behind the keyboard, will be back in some other, but still criminal, role. Other criminal gangs are proving similarly protean.
Flashpoint has also reported that the Groove gang now says its call for attacks against the US was a goof designed to embarrass Western media.
More has emerged on the events surrounding REvil's announced retirement. The Washington Post reports that US Cyber Command and an unnamed foreign government took action against REvil in a coordinated operation. The foreign government gained access to REvil's servers this summer. In October Cyber Command hijacked the Russophone gang's traffic, effectively denying access to the group's website. The experience apparently put the fear of Fort Meade into the gang's members, who took the better part of valor and dispersed. US Cyber Command is understandably reticent about sharing details, but according to CNN, US Cyber Command head General Nakasone said his command was engaged in a "surge" against ransomware operators.
Does Your SOAR Platform Move Like a DinoSOAR? Embrace the Smarter SOAR.
ThreatConnect SOAR combines threat intelligence, analytics, and orchestration into one place to enable faster, more informed decisions. Because threat intelligence is baked in, there’s no need for complicated data manipulation or time-intensive look-ups: it’s all converted to a predictable and easily understood format while still preserving the source’s attribution information and reputation details. Is your SOAR smart enough to do that? Learn more about the industry’s smarter SOAR.
Iran recovers from its gas station cyber sabotage.
Reuters and others report that Iranian officials have begun to fix blame for the nominally hacktivist attack that's afflicted the country's gasoline stations since last week. "We are still unable to say forensically, but analytically I believe it was carried out by the Zionist Regime, the Americans and their agents," Iran's head of civil defense said Saturday. According to the Tehran Times, the country's intelligence minister said the investigation remains in progress, and that full details will be disclosed once it's complete.
Ransomware targets: upscale and demotic.
Cybercriminals have hit two upscale brands. Sky News reports that the Russian Conti gang has begun doxing customers ("tycoons and celebrities," as Sky describes them) of the luxury jewelry brand Graff. The gang wants a large payment in exchange for a promise not to release more information. What's out so far seems relatively anodyne, but Conti promises worse to come. And the MCH Group says its high-end art dealer subsidiary, Art Basel, has also sustained a criminal data breach.
Fortinet reports that the Chaos ransomware gang, generally believed to operate from China, is targeting Minecraft gamers in Japan. Not to blame the victim, here, but we note that the malware hook is hidden in phishbait that purports to contain stolen game credentials which no honest player should touch.
Reuters reports that an apparent ransomware attack, detected on Sunday, has disrupted healthcare management services in the Canadian province of Newfoundland. The incident has forced cancellation of some appointments, and the Niagara Falls Review says that healthcare providers in the province have temporarily reverted to paper records.
France's ANSSI describes a new ransomware affiliate gang, "Lockean."
CERT-FR, the French national CERT operated under the direction of ANSSI, has identified a new ransomware gang, "Lockean," that's recently infested French companies in what CERT-FR characterizes as "big-game hunting." Lockean is connected with several ransomware-as-a-service operations, "including DoppelPaymer, Maze, Prolock, Egregor and Sodinokibi."
The investigation began when ANSSI took up a series of six QakBot infestations that began in 2020 and continued into 2021. Four of them shared a common QakBot naming convention. Five of the attacks involved deployment of CobaltStrike, and four of those spoofed Akamai and Azure domains. In three of the incidents the Rclone exfiltration tool was used.
These commonalities led ANSSI to believe that the incidents were the work of a single threat actor, and the signs also seemed consistent with reports by security firms Intrinsec and The DFIR Report. Subsequent investigation convinced ANSSI that this was so. They’ve named the threat actor “Lockean,” and ANSSI’s full report contains extensive information on the gang’s tactics, techniques, and procedures.
Lockean appears to be an affiliate, a user of tools provided by other gangs in the C2C underground market. The Record points out that Lockean is the second big affiliate gang to be identified: the FBI described another such group, OnePercent, back in August.
Find and Mitigate Threats Targeting Your Company, Employees, and Customers.
Rapid7 Threat Command (formerly IntSights) enables you to make informed decisions and rapidly respond to protect your business. Get a Free Threat Report here.
"What I love about Threat Command is that it’s out of the box and ready to use. The entire integration can be set up in less than ten seconds, and then it goes out and finds all the information necessary. It really is that easy." - Threat Intelligence Manager, IT Risk
Criminal tactics, techniques, and procedures.
Ransomware gangs continue to evolve their tactics. The Daily Beast reports that the Grief Gang has sought to ratchet up the pressure on the National Rifle Association, recently one of the gang's victims, by amplifying the threat of leaks with an army of Twitter bots created in August and September. And an FBI alert issued Friday warned that the HelloKitty ransomware gang had added a third threat, distributed denial-of-service attacks, to the now familiar double extortion threat of encryption followed by the threat of doxing.
The FBI also warned on Monday of a ransomware tactic that's familiar but remains prominent: gangs time their attacks to coincide with significant events. In this case the noteworthy events involve major financial news.
Trojan Source.
Researchers from the University of Cambridge have described a new attack method they're calling "Trojan Source" that affects most modern programming languages. The method abuses Unicode; the researchers explain, "Rather than inserting logical bugs, adversaries can attack the encoding of source code files to inject vulnerabilities. These adversarial encodings produce no visual artifacts." Trojan Source places Bidi override characters inside comments and string literals, where compilers accept them, so that the order in which surrounding tokens are displayed to a human reviewer differs from the logical order the compiler actually parses. The method amounts to a software supply chain vulnerability.
The definition of the vulnerability, tracked as CVE-2021-42574, is as follows:
"An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers."
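Because the reordering is invisible to a reviewer, the practical defence is to scan source and configuration files for the Unicode bidirectional control characters before they reach review or the build. The scanner below is an added example, not code from the Cambridge researchers or from the CyberWire; the sample source it scans is constructed here, with a RIGHT-TO-LEFT OVERRIDE and a POP DIRECTIONAL FORMATTING hidden in a comment.

```python
import unicodedata

# Unicode bidirectional control characters abused by Trojan Source (CVE-2021-42574):
# explicit embeddings and overrides (U+202A..U+202E), isolates (U+2066..U+2069),
# and the directional marks (U+200E, U+200F, U+061C).
BIDI_CONTROLS = frozenset(
    [chr(cp) for cp in range(0x202A, 0x202F)]
    + [chr(cp) for cp in range(0x2066, 0x206A)]
    + ["\u200e", "\u200f", "\u061c"]
)


def find_bidi_controls(source: str):
    """Return (line, column, 'U+XXXX', Unicode name) for every bidi control in source.

    Lines and columns are 1-based so a finding can be pasted into a review comment.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch)))
    return findings


def strip_bidi_controls(source: str) -> str:
    """Return source with all bidi control characters removed (a quarantine/cleanup step)."""
    return "".join(ch for ch in source if ch not in BIDI_CONTROLS)


# Constructed sample: the comment on line 2 carries an RLO ... PDF pair, so an editor
# that honours the Bidi algorithm renders the commented text in reversed order while
# the interpreter sees an ordinary comment.
SAMPLE = (
    "def check(user):\n"
    "    # safe: \u202e admin check \u202c\n"
    "    return True\n"
)

if __name__ == "__main__":
    for lineno, col, cp, name in find_bidi_controls(SAMPLE):
        print(f"line {lineno}, column {col}: {cp} {name}")
```

Run over a repository with `find_bidi_controls(path.read_text(encoding="utf-8"))` per file and fail the pre-commit hook or CI job on any finding; legitimate right-to-left text in a file can be allow-listed by path rather than by character.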
Is your marketing team working on their 2022 campaign plans?
Did you know that the CyberWire offers a unique way to reach leaders and decision makers in cyber? Now is a great time to learn about opportunities to bring your brand to our audience. Our 2022 sponsor calendar is filling up fast, so contact us today while great spots are still available!
Third-party risk and a Labour Party "data incident."
Britain’s Labour Party has disclosed that it’s been affected by what it characterizes as a “data incident.” The incident affected Labour through a third party that managed data on behalf of the party. The third party, unnamed by Labour, notified its client on October 29th that “a significant quantity of Party data” had been “rendered inaccessible on their systems.” That description suggests a ransomware attack, although the party’s statement doesn’t characterize it as such.
An advance-fee sugar-daddy scam.
Avast has a warning out about a new scam. People are getting contacted over social media with pitches that read something like this: “Hey my name is Walker and I am looking for a sugar baby. I would like to pay you 1,500 Euro weekly.” Hey, hop to it, ladies. Or, actually, don’t. It’s just a hoary old advance fee scam, a riff on the familiar “I am the widow of the late Prince Mokele Mbeme” come-on.
Patch news.
This past Tuesday CISA issued two industrial control system advisories. One reports fixes in Sensormatic Electronics VideoEdge, the other describes an update to WECON PI Studio (Update A). The agency subsequently released three more industrial control system advisories on Thursday, one each for Philips Tasy EMR, VISAM VBASE Editor, and AzeoTech DAQFactory.
Crime and punishment.
The DarkSide gang may have announced their retirement from cybercrime, but the authorities don't seem willing to let them quietly disappear: the US State Department has announced a reward offer. "The U.S. Department of State announces a reward offer of up to $10,000,000 for information leading to the identification or location of any individual(s) who hold(s) a key leadership position in the DarkSide ransomware variant transnational organized crime group. In addition, the Department is also offering a reward offer of up to $5,000,000 for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a DarkSide variant ransomware incident." There's no mention of DarkSide's presumptive successor BlackMatter, but since the reward is for information about the natural persons behind the keyboards, the omission probably doesn't matter.
The US Justice Department has charged a man in Atlanta, Georgia, for his alleged involvement in a cyber-fraud scheme. The Justice Department stated, "Christian Akhatsegbe, Emmanuel Aiye Akhatsegbe, and their conspirators allegedly engaged in a scheme that involved sending phishing emails to victim companies and organizations in the United States and Europe, stealing employee access credentials, and then harvesting the credentials on computer servers. Some of the phishing emails contained a link to a webpage that was designed to resemble a login page for Microsoft Office but actually captured email account credentials. Using the stolen credentials, Christian Akhatsegbe, Emmanuel Aiye Akhatsegbe, and their conspirators then allegedly sent emails to other employees at the victim companies and organizations. The emails contained fake invoices that requested payment of hundreds of thousands of dollars into bank accounts connected to the conspirators."
Courts and torts.
Encrypted messaging app Signal has said it can provide only two timestamps in response to a grand jury subpoena for user data, SecurityWeek reports. The timestamps are from when the user's account was created and when the account last connected to the Signal service. Signal stated, "Because everything in Signal is end-to-end encrypted by default, the broad set of personal information that is typically easy to retrieve in other apps simply doesn’t exist on Signal’s servers. Once again, this subpoena requested a wide variety of information we don’t have, including the target’s name, address, correspondence, contacts, groups, calls."
Policies, procurements, and agency equities.
Reuters has confirmed that this week’s high-level Russo-American talks in Moscow touched upon the activities of Russian cybergangs and privateers. US Director of Central Intelligence Burns spoke with SVR chief Sergei Naryshkin. He also talked with Nikolai Patrushev, secretary to Russia's Security Council and former head of the FSB. Any cooperation between the two countries remains a long-term work in progress, but it will be interesting to watch the aftermath of the conversations.
CISA has issued Binding Operational Directive 22-01, which requires US Federal agencies to address known, exploited vulnerabilities. The directive, which is accompanied by a new catalogue of vulnerabilities, will require affected agencies to fix almost three hundred known flaws identified between 2017 and this year. The bugs on the list are evaluated as a “significant risk to the federal enterprise.” The directive applies essentially to all Federal civilian agencies other than the CIA and the Office of the Director of National Intelligence. The Defense Department also falls outside CISA’s authority.
Language introduced into the US House version of the Defense Authorization Act would add four new eyes to the familiar Five Eyes intelligence-sharing group, Defense One reports. Germany, Japan, India, and South Korea would join the five anglophone powers in the current pact. It's not yet expansion, but a tentative move in that direction.
Fortunes of commerce.
NSO Group, now under US sanctions and best known for its Pegasus intercept tool, whose sale to and abuse by repressive governments has drawn criticism and provoked controversy, has shaken up its leadership. The company says its new strategic direction will include "analytics and defensive cyber."
And security innovation.
DataTribe held its fourth annual Cybersecurity Start-Up Challenge Wednesday, and we're pleased to announce the results. Grey Market Labs (a secure virtual enclave deployment platform), ContraForce (a security orchestration platform), and QuickCode (a data labeling technology for machine learning datasets) were the three finalists (and each came into the finals having already been awarded $20 thousand). ContraForce and QuickCode were named the winners, each receiving a $1 million investment, double what the competition had originally planned to award.
DataTribe is a global cyber foundry based in Maryland. It supports early-stage companies, and runs the annual competition "to identify and curate pre-series A, seed high-technology start-ups with a vision to disrupt cybersecurity and data science." (Disclosure: the CyberWire is a DataTribe portfolio company.) The judges of the competition were Bob Ackerman (Founder, AllegisCyber; Co-Founder, DataTribe), Shamla Naidoo (Head of Cloud Security, Netskope, Former Global CISO, IBM), Navin Maharaj (Director, Koch Disruptive Technologies), Ron Gula (President & Co-Founder, Gula Tech Adventures; Co-founder, Tenable), and Arno Van Der Walt (CISO, Marriott International).
It was good to get together for an in-person pitch event again after so many months of relative isolation. Those who attended received a special preview of the CyberWire's upcoming mini-series, "Hacking Humans goes to the movies." Watch for it on our site.
Congratulations to all the companies who competed, and especially to the three finalists and the two winners.