Suspected Emissary Panda campaign.
Palo Alto Networks' Unit 42 has released a description of a targeted cyberespionage campaign against ManageEngine ADSelfService Plus. The vulnerability undergoing exploitation is the same one, Palo Alto says, that the Cybersecurity and Infrastructure Security Agency (CISA) warned against back on September 16th, but the campaign itself is distinct from the efforts cited in CISA's alert. In the case Palo Alto describes, the payload installs a Godzilla webshell, and, in some cases, an NGLite backdoor. They also detected deployment of an uncommon credential stealer, KdcSponge. Attribution remains preliminary and circumstantial, but Palo Alto Networks thinks the tactics, techniques, and procedures look a lot like those used by the Chinese espionage group Threat Group 3390 (also known as APT27, Emissary Panda).
Unit 42 stated, "As early as September 17, the actor leveraged leased infrastructure in the United States to scan hundreds of vulnerable organizations across the internet. Subsequently, exploitation attempts began on September 22 and likely continued into early October. During that window, the actor successfully compromised at least nine global entities across the technology, defense, healthcare, energy and education industries."
China says a foreign intelligence service accessed passenger travel records.
China's Ministry of State Security (MSS) says that an unnamed foreign intelligence service had accessed passenger travel records in 2020, the Record reports. The MSS said in a press release, "After an in-depth investigation, it was confirmed that the attacks were carefully planned and secretly carried out by an overseas spy intelligence agency." A public statement by the MSS about a cyberespionage incident is unusual: naming and shaming haven't been Chinese practice.
Conti apologizes (sort of).
The Conti gang, who stole and dumped personal information from the upscale London jeweler Graff, now says they're sorry. Not sorry in general, just sorry for stealing Arab royalty's personal data. They still intend to expose the "US-UK-EU Neo-liberal plutocracy," but Conti said, Vice reports, that “Our Team apologizes to His Royal Highness Prince Mohammed bin Salman and any other members of the Royal Families whose names were mentioned in the publication for any inconvenience.”
Robinhood discloses data breach.
Stock-trading platform Robinhood Markets on Monday disclosed that it sustained a data breach on November 3rd. A customer support employee was inveigled ("socially engineered") into granting an unauthorized outsider access to certain company data. The data exposed include email addresses for about five million Robinhood users, the full names of a different set of roughly two million users, and more extensive personal information (name, date of birth, and zip code) for some three hundred users. The company stressed, "Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident."
The data theft apparently represented an extortion attempt. The Wall Street Journal reports that Robinhood has brought in Mandiant to investigate the incident.
MediaMarkt hit by ransomware.
Germany-based multinational electronics retailer MediaMarkt has seen operations disrupted by a ransomware attack, according to BleepingComputer. Retail Detail says that store employees in Belgium, Germany, and the Netherlands have been told to take point-of-sale systems offline. The ransomware strain is said to be Hive, and the criminal operators' opening position was to demand $240 million. That's high and probably represents an opening negotiating position. Hive is a relatively new ransomware operation, surfacing in June of this year. It's acquired a reputation for indiscriminate targeting, even by the ruthless and careless standards that prevail in the criminal underground.
MediaMarkt told BleepingComputer in a statement, "The MediaMarktSaturn Retail Group and its national organizations became the target of a cyberattack. The company immediately informed the relevant authorities and is working at full speed to identify the affected systems and repair any damage caused as quickly as possible. In the stationary stores, there may currently be limited access to some services. MediaMarktSaturn continues to be available to its customers via all sales channels and is working intensively to ensure that all services will be available again without restriction as soon as possible. The company will provide information on further developments on the topic."
Cyberespionage from Tehran.
Accenture and Prevailion describe the recent activities of the Iranian threat group Lyceum. It's concentrated on installing backdoors in ISPs and telecommunications companies located in Israel, Morocco, Tunisia, and Saudi Arabia. An unnamed foreign ministry in Africa has also been targeted. The companies stated, "ACTI/PACT assess that Lyceum is likely updating its backdoors in light of recent public research into its activities to try and stay ahead of defensive systems. The group has continued its targeting of companies of national strategic importance. Lyceum will likely continue to use the Shark and Milan backdoors, albeit with some modifications, as the group has likely been able to maintain footholds in victims’ networks despite public disclosure of IOCs associated with its operations."
TA505 exploits SolarWinds Serv-U flaw to deploy ransomware.
NCC Group researchers are tracking an uptick in Clop ransomware attacks leveraging a remote code execution vulnerability in SolarWinds Serv-U (CVE-2021-35211). The vulnerability was disclosed by Microsoft in July. NCC Group attributes these attacks to the cybercriminal actor TA505, noting, "We believe exploiting such vulnerabilities is a recent initial access technique for TA505, deviating from the actor’s usual phishing-based approach."
NCC Group advises that users update systems running SolarWinds Serv-U software to the most recent version. The researchers note that, as of October, 66.5% (2,784) of Serv-U instances around the world remained vulnerable.
Forbes describes the activities of the RocketHack Russian criminal group, which it characterizes as a "cyber mercenary" operation specializing in gaining access to targeted individuals' Gmail, Protonmail, and Telegram accounts. RocketHack is described as occupying essentially the same space as lawful intercept vendors like NSO Group.
Forbes writes, "for the last four years, the Russian-speaking RocketHack crew has quietly infiltrated email and Telegram accounts, PCs and Android phones of as many as 3,500 individuals. The targets range from journalists, human rights activists and politicians through to telecommunications engineers and IVF doctors across a few dozen clinics." Many of the targets were either prominent politicians or government officials. The countries affected were Belarus, Uzbekistan, Ukraine, Slovakia, Russia, Kazakhstan, Armenia, Norway, France and Italy. Journalists were also targeted.
Trend Micro is tracking RocketHack's cyber mercenary operation as connected to "Void Balaur," whose activities they say initially seemed to be associated with the GRU’s APT28. Void Balaur has been advertising in underground souks since 2017 at least. As far as Trend Micro can tell, the group has an exclusively Russophone clientele. The researchers state, "We have uncovered more than 3,500 of the group’s targets, some of whom have suffered long-lasting and repeated attacks. Our research revealed a clear picture: Void Balaur goes after the most private and personal data of businesses and individuals then sells that data to whomever wants to pay for it."
For what it’s worth, the criminal word-of-mouth about Void Balaur is pretty favorable. Trend Micro says, “The feedback that Void Balaur receives on underground forums is unanimously positive. Posters mention that the hacking service delivers the requested information on time, while others commented positively on the quality of the delivered information from mailboxes.”
Watering-hole targets Hong Kong.
Google's Threat Analysis Group has outlined a watering-hole campaign exploiting a macOS vulnerability to spy on Hong Kong democracy advocates. The researchers stated, "In late August 2021, TAG discovered watering hole attacks targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group. The watering hole served an XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina, which led to the installation of a previously unreported backdoor. As is our policy, we quickly reported this 0-day to the vendor (Apple) and a patch was released to protect users from these attacks. Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code."
Rising tensions in Eastern Europe.
Tensions in Eastern Europe rise over Russian troop movements (Bloomberg quotes US Secretary of State Blinken as saying the deployments resemble the run-up to the 2014 invasion of Crimea). Belarus's push of migrants over the Polish, Latvian, and Lithuanian borders (which Foreign Policy calls "exporting instability") and Minsk's threats to stop natural gas deliveries to the EU (should the EU sanction Belarus, the Washington Post says) are additional, and in Poland's view, the BBC reports, coordinated sources of friction. Bloomberg writes that the US has warned the EU of the possibility of a Russian attack against Ukraine, but Russia's ambassador to the UN, according to the Military Times, says there will be no invasion unless Russia is "provoked" (and then cites alleged instances of provocation). Expect cyber tensions to rise accordingly.
Microsoft addressed fifty-five vulnerabilities on Patch Tuesday. KrebsOnSecurity says two of the bugs are being exploited in the wild.
CISA on Monday released advisories on eight industrial control system vulnerabilities, along with information on patches and mitigations. CISA also released eighteen industrial control system advisories on Thursday.
Crime and punishment.
The US Justice Department on Monday unsealed indictments against two operators of the REvil ransomware. US Attorney General Merrick Garland said a Ukrainian developer and operator of REvil ransomware, Yaroslav Vasinskyi, was arrested in Poland and is expected to be extradited to the U.S. for prosecution. The Justice Department says Vasinskyi was involved in the July attack against IT management software provider Kaseya. The Justice Department has also seized $6.1 million worth of cryptocurrency belonging to another alleged REvil operator, a Russian national named Yevgeniy Polyanin. The Justice Department said Polyanin has carried out 3,000 ransomware attacks.
The Justice Department's press release states, "Vasinskyi and Polyanin are charged in separate indictments with conspiracy to commit fraud and related activity in connection with computers, substantive counts of damage to protected computers, and conspiracy to commit money laundering. If convicted of all counts, each faces a maximum penalty of 115 and 145 years in prison, respectively. The $6.1 million seized from Polyanin is alleged to be traceable to ransomware attacks and money laundering committed by Polyanin through his use of Sodinokibi/REvil ransomware. The seizure warrant was issued out of the Northern District of Texas. Polyanin is believed to be abroad."
Europol announced Monday the arrest of two suspected REvil operators in Romania. Europol stated, "On 4 November, Romanian authorities arrested two individuals suspected of cyberattacks deploying the Sodinokibi/REvil ransomware. They are allegedly responsible for 5,000 infections, which in total pocketed half a million euros in ransom payments. Since February 2021, law enforcement authorities have arrested three other affiliates of Sodinokibi/REvil and two suspects connected to GandCrab. These are some of the results of operation GoldDust, which involved 17 countries, Europol, Eurojust and INTERPOL. All of these arrests follow the joint international law enforcement efforts of identification, wiretapping and seizure of some of the infrastructure used by the Sodinokibi/REvil ransomware family, which is seen as the successor of GandCrab."
Europol added, "In October, one affiliate was arrested in Europe. Additionally, in February, April and October 2021, authorities in South Korea arrested three affiliates involved in the GandCrab and Sodinokibi/REvil ransomware families, which had more than 1,500 victims. On 4 of November, Kuwaiti authorities arrested another GandCrab affiliate, meaning a total of seven suspects linked to the two ransomware families have been arrested since February 2021. They are suspected of attacking about 7,000 victims in total."
The US Treasury Department sanctioned Chatex (which describes itself as "a full-fledged cryptobank”) for its role in processing cryptocurrency transactions allegedly on behalf of the gangs. Three other firms that supported Chatex were also sanctioned. Treasury added, "Complementing this action, the Department of State announced a Transnational Organized Crime Reward offer of up to $10,000,000 for information leading to the identification or location of any individual(s) who hold a key leadership position in the Sodinokibi/REvil ransomware variant transnational organized crime group (22 U.S.C. §2708(b)(6)). The Department of State also announced a reward offer of up to $5,000,000 for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a Sodinokibi variant ransomware incident."
The US Department of Justice announced the conviction of Yanjun Xu, China’s Deputy Division Director of the Sixth Bureau of the Jiangsu Province Ministry of State Security. Xu, the first Chinese intelligence officer to be extradited to the US for trial, is accused of conspiring and attempting to commit economic espionage and theft of valuable innovation data from leading US aviation tech companies. Xu was not extradited from China, but was taken into custody by Belgian authorities during travel to that country. Xu tricked industry experts into traveling to China for what they thought was a presentation at a Chinese university. In reality, Xu was attempting to get his hands on trade secrets, including details about GE Aviation’s highly coveted composite aircraft engine fan.
Courts and torts.
In a 3-0 decision rendered Monday, the 9th US Circuit Court of Appeals rejected NSO Group's motion to dismiss a suit brought by WhatsApp and Facebook. According to Lawfare, WhatsApp alleges that NSO Group “sent malware [that is, the Pegasus surveillance tool] through WhatsApp's server system to mobile devices." That suit will now proceed, and the Daily Beast writes that NSO Group is likely to be required to disclose much about its controversial dealings with governments that have abused the company's intercept tools. NSO Group had sought to have the case dismissed on the grounds that it should enjoy sovereign immunity.
Policies, procurements, and agency equities.
The US House of Representatives has approved a $1.2 trillion infrastructure bill that includes a $1 billion grant devoted to state and local government cybersecurity, the Hill reports. The Hill explains, "The funds are set to be allocated over four years, with $200 million made available in 2022, $400 million in 2023, $300 million in 2024, and $100 million in 2025." The bill also incorporates the Cyber Response and Recovery Act, which will give $100 million to support federal response to cyber incidents, allowing the Homeland Security Secretary to declare a significant cyber incident and CISA to oversee the response. National Cyber Director Chris Inglis will also be granted $21 million to establish his new office, previously dependent on a White House contingency budget for its operation.
The US and the EU have announced that they'll join the Paris Call for Trust and Security in Cyberspace, agreeing to support the Call's nine principles.
Fortunes of commerce.
The CEO-designate of controversial intercept vendor NSO Group has stepped down before formally assuming leadership of the company, Reuters reports. Isaac Benbenisti explained in his letter to NSO Group's chairman that "special circumstances" arising from the company's placement on a US blacklist render it impossible for him to carry out his vision for the firm's future.