Chinese cyberespionage for the Belt and Road Initiative.
Recorded Future's study of Chinese cyberespionage outlines the ways in which the intelligence effort is designed to support Beijing's Belt and Road initiative. The principal targets of the campaign are Malaysia, Indonesia, and Vietnam. The Philippines, Laos, Cambodia, and Thailand are also being prospected.
Recorded Future stated, "The identified intrusion campaigns almost certainly support key strategic aims of the Chinese government, such as gathering intelligence on countries engaged in South China Sea territorial disputes or related to projects and countries strategically important to the Belt and Road Initiative (BRI). The activity highlighted includes a group we track as Threat Activity Group 16 (TAG-16), which has compromised several high-profile military and government organizations across Southeast Asia throughout 2021 using custom malware families such as FunnyDream and Chinoxy. Many of the governments targeted by TAG-16 are engaged in ongoing disputes with China over territorial claims in the South China Sea."
Russophone criminal actors seem ill at ease.
Trustwave's SpiderLabs sees signs of uneasiness in Russophone criminal circles. Recent enforcement actions have put them on guard, and chatter suggests that their sense of being protected by the Russian government may be eroding. The researchers conclude, "We will likely see groups toggle ‘offline’ and ‘online’ – as we’ve seen with REvil before – in order to cover their tracks when law enforcement gets too close. We may also see some gangs go dark and close their business, and other groups emerging to pick their share. We anticipate that these organized gangs will likely physically stay put in their home countries because even though it is not as ‘safe’ as it once was for cybercrime, cyber gang members are still less likely to be caught on their ‘home turf’. Many of these cybercriminals want to stay where they belong, where their families and friends reside, and where the local language is familiar, and many of their contacts exist. Also, the corruption in many Eastern European countries means cybercriminals have a better chance of escaping even if they do get into trouble."
Conti continues operations.
But the Russophone Conti ransomware gang doesn't appear to have been inhibited by those anxieties recently circulating in the underworld. Over the weekend CS Energy, a major electrical utility in the Australian state of Queensland, sustained a ransomware attack that was initially widely attributed to Chinese state actors. Not so: it turns out, Reuters says, that the Conti gang was responsible. On the other side of the world, Intelligent CIO reports that Nordic Choice Hotels has also disclosed that it was hit by Conti.
Russian cyberespionage.
Russian government activity in cyberspace retains the high tempo it reached during the SolarWinds compromise, Mandiant reported on Monday. The company outlines several cyberespionage campaigns tied to the same actors. Mandiant stated, "In most instances, post compromise activity included theft of data relevant to Russian interests. In some instances, the data theft appears to be obtained primarily to create new routes to access other victim environments. The threat actors continue to innovate and identify new techniques and tradecraft to maintain persistent access to victim environments, hinder detection, and confuse attribution efforts."
The researchers also describe how the threat actors are able to bypass some multifactor authentication solutions:
"Mandiant has also observed the threat actor executing multiple authentication attempts in short succession against accounts secured with multi-factor authentication (MFA). In these cases, the threat actor had a valid username and password combination. Many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor. The threat actor took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account."
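The pattern Mandiant describes, often called MFA push fatigue or prompt bombing, is visible in identity-provider logs as a burst of push challenges against one account, typically several denials or timeouts followed by a single approval. The following detector is an added example written for this digest, not code from Mandiant or from any vendor. The log format, field names, user names and IP addresses are constructed for illustration and would need to be mapped onto a real IdP's event schema.

```python
"""
Detect MFA push-fatigue (prompt bombing) in authentication logs.

Signal: many push challenges for one account inside a short window,
with the worst case being an approval that follows earlier rejections.
The log line format used here is hypothetical and the sample records
are constructed; adapt LINE_RE to the real IdP export.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Hypothetical line format: "<ISO timestamp> user=<name> event=mfa_push result=<r> src_ip=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push "
    r"result=(?P<result>approved|denied|timeout) src_ip=(?P<ip>\S+)$"
)

# Constructed sample log: jdoe is bombarded and finally approves; the other
# two accounts show normal behaviour (one prompt, or prompts hours apart).
SAMPLE_LOG = [
    "2021-12-06T08:01:02Z user=jdoe event=mfa_push result=denied src_ip=203.0.113.7",
    "2021-12-06T08:01:40Z user=jdoe event=mfa_push result=timeout src_ip=203.0.113.7",
    "2021-12-06T08:02:15Z user=jdoe event=mfa_push result=denied src_ip=203.0.113.7",
    "2021-12-06T08:02:50Z user=jdoe event=mfa_push result=denied src_ip=203.0.113.7",
    "2021-12-06T08:03:30Z user=jdoe event=mfa_push result=timeout src_ip=203.0.113.7",
    "2021-12-06T08:04:05Z user=jdoe event=mfa_push result=approved src_ip=203.0.113.7",
    "2021-12-06T09:00:00Z user=asmith event=mfa_push result=approved src_ip=198.51.100.4",
    "2021-12-06T07:00:00Z user=bwong event=mfa_push result=denied src_ip=198.51.100.9",
    "2021-12-06T12:00:00Z user=bwong event=mfa_push result=approved src_ip=198.51.100.9",
    "2021-12-06T18:00:00Z user=bwong event=mfa_push result=approved src_ip=198.51.100.9",
    "this line is not a push event and is ignored",
]


@dataclass
class PushEvent:
    ts: datetime
    user: str
    result: str
    ip: str


@dataclass
class Alert:
    user: str
    prompts: int                      # pushes inside the densest window
    window_start: datetime
    window_end: datetime
    approved_after_rejections: bool   # user eventually tapped Accept
    source_ips: List[str]


def parse_line(line: str) -> Optional[PushEvent]:
    """Parse one log line; return None for lines that are not push events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return PushEvent(ts, m["user"], m["result"], m["ip"])


def detect_push_fatigue(lines, window=timedelta(minutes=5), threshold=3) -> List[Alert]:
    """
    Return one Alert per user who received at least `threshold` push
    prompts inside any sliding `window`; the densest window is reported.
    """
    by_user = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_user[ev.user].append(ev)

    alerts = []
    for user in sorted(by_user):
        events = sorted(by_user[user], key=lambda e: e.ts)
        best = None  # (start_index, end_index, count) of the densest window
        start = 0
        for end in range(len(events)):
            while events[end].ts - events[start].ts > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[2]):
                best = (start, end, count)
        if best is None:
            continue
        s, e, count = best
        burst = events[s:e + 1]
        # Approval preceded by at least one denial/timeout in the same burst.
        approved_after = any(
            ev.result == "approved" and any(p.result != "approved" for p in burst[:i])
            for i, ev in enumerate(burst)
        )
        alerts.append(Alert(user, count, burst[0].ts, burst[-1].ts,
                            approved_after, sorted({ev.ip for ev in burst})))
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_LOG):
        print(f"{a.user}: {a.prompts} pushes {a.window_start:%H:%M:%S}-{a.window_end:%H:%M:%S}, "
              f"approved after rejections={a.approved_after_rejections}, ips={a.source_ips}")
```

In the constructed sample only `jdoe` trips the detector (six prompts in about three minutes, ending in an approval), while `bwong`'s three prompts spread across the day do not. Tune `window` and `threshold` to the baseline of the tenant; the `approved_after_rejections` case is the one that merits an immediate session revocation and password reset. The durable fix is on the authenticator side: push prompts that require number matching or show sign-in context, or phishing-resistant factors such as FIDO2, remove the "keep prompting until they accept" option altogether.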
Grinchbot scalpers target holiday shopping.
As the holiday season advances toward Christmas, Imperva reports increased Grinchbot activity. Imperva explains, "A close relative of Ticket Bots and Sneaker Bots, Grinchbots are a part of the notorious scalping bots family. These sophisticated bots aim to acquire high-demand, limited-quantity items using automation to gain a significant advantage over legitimate users. What differentiates them is their love (or shall we say hatred?) for the holiday season. The bot operators target the holiday shopping season and the sales events and limited product launches associated with it. These computer programs are run by very real humans, designed to automatically query online inventories and purchase desired goods. Because the automation is faster and more efficient than a human, legitimate human users don’t stand a chance at getting their hands on the latest, most desired commodities."
NSO Group's software used to target US personnel.
Reuters reported last Friday that the phones of US State Department personnel in Uganda were infected with Pegasus surveillance software. NSO Group has said that Pegasus will not run on phones registered with the characteristic +1 US country code, but the affected State Department personnel used phones registered with host nation codes. It's unclear which customer deployed the tool in this incident. The Israeli embassy in Washington said that, "if these claims are true, it is a severe violation" of Israeli cyber export control law. NSO Group says it's investigating allegations of Pegasus abuse.
NSO Group is "in debt and under pressure," Vox reports. A Haaretz analysis concludes that Jerusalem is unlikely to carry NSO Group's water in this case, and that the incident might represent "a death knell" for the company.
Microsoft seizes Chinese threat actor's domains.
Pursuant to a court order the company obtained, Microsoft has seized websites operated by the Chinese government threat actor that Redmond calls "Nickel" and others track as APT15. Microsoft stated, "[A] federal court in Virginia has granted our request to seize websites Nickel was using to attack organizations in the United States and 28 other countries around the world, enabling us to cut off Nickel’s access to its victims and prevent the websites from being used to execute attacks. We believe these attacks were largely being used for intelligence gathering from government agencies, think tanks and human rights organizations."
Cryptocurrency exchange suffers breach.
Alt-coin exchange BitMart suspended deposits and withdrawals Saturday, the company's CEO tweeted, after the exchange identified "a large-scale security breach" affecting two of its hot wallets. BitMart attributes the incident to a stolen private key, and it hopes to gradually begin resuming normal trading tomorrow. The blockchain security firm PeckShield estimates total losses at about $196 million. BitMart's CEO says the exchange intends to compensate affected depositors from the company's own funds.
Karakurt extortion gang targets smaller companies.
Accenture on Friday published a description of the still relatively unknown Karakurt extortion gang, active since June, which steals data and threatens to leak it rather than deploying ransomware. The researchers stated, "Accenture Security has identified a new threat group, the self-proclaimed Karakurt Hacking Team, that has impacted over 40 victims across multiple geographies. The threat group is financially motivated, opportunistic in nature, and so far, appears to target smaller companies or corporate subsidiaries versus the alternative big game hunting approach. Based on intrusion analysis to date, the threat group focuses solely on data exfiltration and subsequent extortion, rather than the more destructive ransomware deployment. In addition, Accenture Security assesses with moderate-to-high confidence that the threat group’s extortion approach includes steps to avoid, as much as possible, drawing attention to its activities."
Sophisticated Black Cat ransomware launches.
The Black Cat ransomware affiliate program, the MalwareHunterTeam tells BleepingComputer, is deploying a sophisticated executable written in Rust. Black Cat came to prominence in late November, and it's being hawked in Russophone criminal souks. The ransomware itself, also known as ALPHV, seems constructed from scratch, without the use of templates or other pre-existing code. BleepingComputer notes that Black Cat "could be the most sophisticated ransomware of the year, with a highly-customizable feature set allowing for attacks on a wide range of corporate environments."
A look at the Hive ransomware-as-a-service operation.
Group-IB has been looking into the workings of the Hive ransomware operation. The rise of ransomware-as-a-service (RaaS) offerings in the C2C market has driven the increased commodification of this form of criminal activity during 2021, and Hive has been a prominent player in the RaaS market. Group-IB's researchers took advantage of errors in Hive's API to gain some insight into the gang's activities. "By October 16, Hive's API held records of 312 companies that most likely fell victim to Hive's operators."
The researchers note that although Hive didn't appear on the surface to be particularly menacing, its operators are quite aggressive:
"As the entire world was watching REvil's forced rebranding, the victim count of ransomware Hive, which appeared in June 2021, continued to surge. If one tried to evaluate Hive's private affiliate program based on the number of victims whose data was released on DLS (48), they wouldn't be impressed. On closer examination, this RaaS program turns out to be one of the most aggressive ones, with Hive operators using the most urgent methods of pressure on the target organizations and distinctive TTPs, which are worth being examined."
Botnets use MikroTik routers.
Eclypsium describes how vulnerable MikroTik routers and ISP devices have become popular among bot-herders. The MikroTik devices are plentiful, powerful, and, where vulnerable, relatively easy to incorporate into botnets. (Trickbot reverted to them when US Cyber Command disrupted its operations.)
The researchers conclude, "Enterprise security teams should take steps to identify any vulnerable or compromised MikroTik devices in their environment and take appropriate action to mitigate their risk. Eclypsium customers can use the platform to automatically identify MikroTik devices and check them for vulnerabilities or threats. However, we are also providing access to a free tool that anyone can use to check devices for the presence of a scheduler or CVE-2018-14847."
Shoulder surfing still works.
Shoulder surfing is banal, but effective. ESET has posted a how-to Snapchat shoulder-surf demo as a warning. The hacker looks over the user's shoulder, obtains their phone number, uses it on their own phone to tell Snapchat they've forgotten their password, then looks back over the victim's shoulder to see the confirmation code appear as a drop-down. So use two-factor authentication and stay aware of your surroundings.
Magecart activity.
RiskIQ reports finding three Magecart skimmers deployed in WooCommerce checkout pages. WooCommerce is a WordPress plugin widely used by e-commerce sites. The researchers stated, "RiskIQ detected the first Magecart skimmer across five domains using a compromised WooCommerce theme. The skimmer, dubbed the WooTheme skimmer, is relatively simplistic and makes its functionality reasonably easy to understand. Operators obfuscated the skimming code in all discovered iterations, except one. However, this one instance appears to be in error, as RiskIQ detected the obfuscated skimmer on the same compromised domain before the clear text version appeared."
The second skimmer was a modified version of a generic skimmer, while the third one was "piled high with multiple layers and steps by the actor to hide and obfuscate processes."
AWS sustains major outage.
Amazon Web Services sustained a major outage on Tuesday that centered on the US East Coast but had geographically wide-ranging effects. Quartz argues that the incident, which was by all accounts an accidental outage and not the result of an attack, shows how dependent on AWS both the Web and the IoT have become.
Patch news.
The US Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued three industrial control system advisories, for Hitachi Energy XMC20 and FOX61x, Hitachi Energy RTU500 OpenLDAP, and FANUC Robot Controllers. CISA on Thursday released three more ICS advisories: Hillrom Welch Allyn Cardio Products, Hitachi Energy GMS600, PWC600, and Relion, and WECON LeviStudioU. CISA also urges organizations to apply the updates Cisco has made available for multiple vulnerabilities in Apache HTTP Server affecting the company's products.
Crime and punishment.
The US Justice Department and authorities in Canada have charged a Canadian man for allegedly launching ransomware attacks, Threatpost reports. The Justice Department stated, "According to court documents, Matthew Philbert, 31, of Ottawa, Ontario, Canada, conspired to and did damage a computer belonging to the State of Alaska in April 2018. In a separate and parallel investigation, the Canadian authorities today also announced cyber charges against Philbert. He was arrested on Nov. 30 by Ontario Provincial Police where he remains in custody. Philbert is charged with one count of conspiracy to commit fraud and related activity in connection with computers and one count of fraud and related activity in connection with computers. This indictment in the District of Alaska is part of an ongoing national effort by the Department of Justice to address cybercrimes that target U.S. citizens from abroad."
WikiLeaks impresario Julian Assange may be approaching extradition to the US, where he faces eighteen counts of espionage and conspiracy to illicitly access a military computer. The Wall Street Journal reports that the High Court has overturned a lower court's stay of extradition. Mr. Assange is expected to seek relief from the UK's Supreme Court.
Kremlin toleration and (arguably) encouragement of ransomware gangs is increasingly an open secret. The New York Times says that extortion payments are passing through Federation Tower East, the tallest building in Moscow and the choicest business address in the city's financial district.
Researchers at Analyst 1 have found that the cyber underground has its own courts, fora for resolving disputes among criminals. The process is generally referred to as "arbitrage," and the plaintiffs typically ask for compensation ranging from hundreds to thousands of US dollars.
Policies, procurements, and agency equities.
A video call on Tuesday between Russian President Putin and US President Biden took up, among other topics, cybersecurity issues. Tensions over Ukraine figured prominently in the discussion. (Russia has dismissed US complaints of aggression with a tu quoque.) Reports from the Russo-US summit indicate that both sides held their basic positions. Bloomberg quotes Russian sources as calling the tone "frank and businesslike." President Putin demanded an end to US activity Russia regards as threatening. President Biden warned that Russian invasion of Ukraine would draw severe economic sanctions, and additional military aid to Kiev. Reuters reports that Russian sources say the two Presidents committed to further talks, and that Russia's principal interest lies in obtaining assurances that NATO won't deploy "offensive strike weapons" in the Near Abroad.
The Guardian reports that Latvia's foreign minister has warned NATO to prepare a swift response should Russia invade Ukraine: forward deployment of troops, cancellation of the Nord Stream 2 natural gas pipeline to Europe, and the stiffest available economic sanctions. According to the Record, a senior unnamed administration official yesterday said that a Russian offensive might well be a cyber as opposed to a kinetic campaign. The principal US leverage appears to be economic as opposed to military; Bloomberg reviews the range of sanctions available. The New York Times ran live updates on the meeting as details became available.
According to Reuters, the Russian government has extended its increasingly autarkic control over information transiting its Internet precincts by blocking the Tor anonymity network. Tor has responded by offering affected users a workaround.