By the CyberWire staff
ANSSI discloses suspected Sandworm campaign.
France's information security agency ANSSI on Monday disclosed a hacking campaign that targeted users of an older, open-source version of Centreon IT monitoring software. The agency stated, "The first victim seems to have been compromised from late 2017. The campaign lasted until 2020. This campaign mostly affected information technology providers, especially web hosting providers."
ANSSI added that the campaign bore the hallmarks of previous operations attributed to the Russian state-sponsored APT Sandworm. The threat actor deployed Exaramel, a backdoor believed to be used exclusively by Sandworm, and relied on command-and-control infrastructure tied to the APT.
Centreon released a statement stressing that its current customers weren't affected, and that around fifteen users of an outdated, unsupported version of its software were compromised:
"It is confirmed by ANSSI that no Centreon customers were impacted. According to discussions over the past 24 hours with ANSSI, only about fifteen entities were the target of this campaign, and they are all users of an obsolete open source version (v2.5.2), which has been unsupported for 5 years. Centreon is currently contacting all of its customers and partners to assist them in verifying their installations are current and complying with ANSSI's guidelines for a Healthy Information System... The ANSSI report and our exchanges with them confirm that Centreon did not distribute or contribute to propagate malicious code. This is not a supply chain type attack and no parallel with other attacks of this type can be made in this case."
Microsoft concludes Solorigate investigation.
Microsoft has concluded its internal investigation into the Solorigate cyberespionage campaign. The company found no evidence that threat actors gained access to either production servers or customer data, and concluded that Microsoft systems weren't used to attack third parties. Microsoft also provided further details on which of its systems were viewed by the threat actor:
"As we previously reported, we detected unusual activity in December and took action to secure our systems. Our analysis shows the first viewing of a file in a source repository was in late November and ended when we secured the affected accounts. We continued to see unsuccessful attempts at access by the actor into early January 2021, when the attempts stopped.
"There was no case where all repositories related to any single product or service were accessed. There was no access to the vast majority of source code. For nearly all of the code repositories accessed, only a few individual files were viewed as a result of a repository search.
"For a small number of repositories, there was additional access, including in some cases, downloading component source code. These repositories contained code for:
- a small subset of Azure components (subsets of service, security, identity)
- a small subset of Intune components
- a small subset of Exchange components
"The search terms used by the actor indicate the expected focus on attempting to find secrets. Our development policy prohibits secrets in code and we run automated tools to verify compliance. Because of the detected activity, we immediately initiated a verification process for current and historical branches of the repositories. We have confirmed that the repositories complied and did not contain any live, production credentials."
Microsoft concludes that, "For us, the attacks have reinforced two key learnings that we want to emphasize —embracing a Zero Trust mindset and protecting privileged credentials."
North Korean operators target COVID-19 vaccine data.
South Korea's National Intelligence Service (NIS) stated that Pfizer was hacked by North Korean operators seeking information on COVID-19 vaccines, Reuters reports. Reuters cites health experts to the effect that North Korea's hackers "may be more interested in selling the stolen data than using it to develop a homegrown vaccine." Pfizer didn't immediately respond to Reuters' request for a comment.
Jamaica's COVID-19 data exposed.
TechCrunch discovered that JamCOVID19, the Jamaican government’s COVID-19 tracking website created by web contractor Amber Group, inadvertently exposed user test results in an unprotected cloud storage server. As the site also coordinates travel application approvals, the exposed data (which included more than 70,000 lab results, 425,000 immigration documents, and 440,000 images of travelers’ signatures) belongs not only to Jamaicans, but also to travelers from other countries. Though a statement from the Jamaican government asserts that "At present, there is no evidence to suggest that the security vulnerability had been exploited for malicious data extraction prior to it being rectified," the permissions on the server would have allowed anyone to download or even delete the data.
For more, see the CyberWire Pro Privacy Briefing.
Exploiting dependency confusion.
Security researcher Alex Birsan describes how he exploited "dependency confusion" to hack into Apple, Microsoft, Netflix, PayPal, Uber, Yelp, and others (under the companies' bug bounty programs). Birsan took advantage of the fact that organizations often use a combination of open-source and custom-made packages in their code, and package managers will default to installing public packages. When he registered his own public dependencies with the same names as the private ones, the package manager would install those instead of the private ones.
Birsan first found a Node.js file from PayPal in a public GitHub repository that contained "a mix of public and private dependencies — public packages from npm, as well as non-public package names, most likely hosted internally by PayPal." He then created his own packages using the names of PayPal's non-public packages, and uploaded them to the public npm registry. As a result, Birsan's packages, which could run arbitrary code, overwrote PayPal's packages on the company's servers. Birsan then used DNS exfiltration to gather information about the compromised servers.
Birsan then searched for the names of private packages used by other companies, and found many of them exposed in package.json files used by JavaScript projects. Other sources included GitHub, major package hosting services, and posts on Internet forums:
"This type of vulnerability, which I have started calling dependency confusion, was detected inside more than 35 organizations to date, across all three tested programming languages. The vast majority of the affected companies fall into the 1000+ employees category, which most likely reflects the higher prevalence of internal library usage within larger organizations.
"Due to javascript dependency names being easier to find, almost 75% of all the logged callbacks came from npm packages — but this does not necessarily mean that Python and Ruby are less susceptible to the attack. In fact, despite only being able to identify internal Ruby gem names belonging to eight organizations during my searches, four of these companies turned out to be vulnerable to dependency confusion through RubyGems."
Birsan received $30,000 bug bounties from PayPal, Apple, Shopify, and a $40,000 bounty from Microsoft.
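A defensive check for the condition Birsan's research relies on, added here as an illustration and not taken from the article or from Birsan's write-up: given a project's package.json, its .npmrc and the list of names the organization knows to be internal, it reports every internal dependency that npm would resolve from the public registry. The sample project, the `@acme` and `@corp` scopes and the `npm.internal.example` registry are constructed.

```javascript
// Added example (not code from the article or Birsan's write-up): audit a Node.js
// project for internal dependency names that npm would fetch from the public registry.
const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Parse the .npmrc keys that decide where a package is fetched from:
// "registry=<url>" (default) and "@scope:registry=<url>" (per-scope override).
function parseNpmrc(text) {
  const cfg = { registry: PUBLIC_REGISTRY, scopes: {} };
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === "registry") cfg.registry = value;
    else if (key.startsWith("@") && key.endsWith(":registry")) {
      cfg.scopes[key.slice(0, -":registry".length)] = value;
    }
  }
  return cfg;
}

// Registry npm would contact for a package name under this configuration.
function registryFor(name, cfg) {
  const scope = name.startsWith("@") ? name.split("/")[0] : null;
  return scope && cfg.scopes[scope] ? cfg.scopes[scope] : cfg.registry;
}

// Report each dependency the organization knows to be internal (internalNames is the
// defender's own list, assumed here) that would resolve to the public registry.
function auditDependencies(packageJson, npmrcText, internalNames) {
  const cfg = parseNpmrc(npmrcText);
  const deps = { ...(packageJson.dependencies || {}), ...(packageJson.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    const registry = registryFor(name, cfg);
    if (!internalNames.has(name) || !registry.startsWith(PUBLIC_REGISTRY)) continue;
    // Unscoped names can be claimed by anyone on npmjs.org; scoped names are exposed
    // only when the scope is not pinned to the internal registry in .npmrc.
    const reason = name.startsWith("@") ? "scope-not-pinned" : "unscoped-internal";
    findings.push({ name, reason, registry });
  }
  return findings;
}

// Constructed sample project: one unscoped internal name, one pinned scope, one unpinned scope.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { express: "^4.17.1", "acme-audit-utils": "^2.1.0", "@acme/auth": "1.4.0" },
  devDependencies: { "@corp/test-fixtures": "^3.0.0" },
};
const SAMPLE_NPMRC = "registry=https://registry.npmjs.org/\n@acme:registry=https://npm.internal.example/\n";
const INTERNAL_NAMES = new Set(["acme-audit-utils", "@acme/auth", "@corp/test-fixtures"]);
function runSample() { return auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC, INTERNAL_NAMES); }
```

Running `runSample()` flags `acme-audit-utils` (unscoped) and `@corp/test-fixtures` (scope not pinned), while `@acme/auth` passes because its scope is mapped to the internal registry.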
For more, see the CyberWire Pro Research Briefing.
Commercial dis- and misinformation.
The BBC reports that Trustpilot, a Danish firm that specializes in offering customers an opportunity to review businesses, thinks it's got a handle on one form of commercial disinformation: bogus reviews, whether positive or negative. The company's transparency report outlines ways in which it culls phony reviews. It uses a mix of automated tools, crowdsourced moderation, and human review. "Reviews can be flagged by both consumers and businesses where they:
- "contain harmful or illegal content;
- "contain personal information;
- "contain advertising or promotional content;
- "are not based on a genuine experience;
- "are about a different business (only businesses can report for this reason)."
The automation is interesting, if only because it seems to confirm that certain labor-saving forms of coordinated inauthenticity are easier to recognize and check than other markers of problematic content. "It's very difficult for humans to spot a fake review [unless they are] badly done," Trustpilot's Carolyn Jameson told the BBC. "But the machines look at multiple data points, like the number of times an IP [internet protocol] address has posted a review in quick succession, and patterns in language that might look natural to the human eye but have been repeated too many times in other reviews by the same person."
For more, see the CyberWire Pro Disinformation Briefing.
Investment news.
Red Canary, a managed detection and response firm based in Denver, Colorado, has raised $81 million in a Series C round led by Summit Partners, with participation from existing investors Noro-Moseley Partners and Access Venture Partners. The company stated, "The new funding brings the security company’s total investment to more than $125 million and will help support continued investment in both product and team expansion as the company works to meet rapidly growing customer demand and builds on its leadership position in the security operations and managed detection and response (MDR) market."
Los Altos, California-based application relationship management firm vArmour has raised $58 million in an oversubscribed funding round co-led by existing investors AllegisCyber Capital and NightDragon, with participation from Standard Chartered Ventures, Highland Capital Partners, Telstra, Redline Capital, and EDBI.
1Kosmos, a passwordless authentication startup headquartered in Somerset, New Jersey, has secured $15 million in Series A funding from ForgePoint Capital. The company says the funding will be used "to accelerate the company’s growth and product roadmap."
Boulder, Colorado-based identity orchestration firm Strata Identity has raised $11 million in a Series A round led by Menlo Ventures, with participation from ForgePoint Capital. The company stated that it "will use the funds to scale research & development, go-to-market, sales, marketing, and customer success for its Maverics platform. Strata also announced that Venky Ganesan, Partner at Menlo Ventures, has joined the company’s board of directors."
More business news can be found in the CyberWire Pro Business Briefing.
Patch news.
Microsoft has pulled one of its Patch Tuesday fixes for Windows 10, version 1607, and has issued an update to replace it. Threatpost says "This particular defective update (KB4601392) applied to Windows 10 users (version 1607 for 32-bit and x64-based systems) and Windows Server 2016 users."
CISA has issued four new Advisories on control systems.
Crime and punishment.
The US Justice Department unsealed an indictment of three North Korean operators belonging to Pyongyang's Reconnaissance General Bureau. The individuals are accused of "participating in a wide-ranging criminal conspiracy to conduct a series of destructive cyberattacks, to steal and extort more than $1.3 billion of money and cryptocurrency from financial institutions and companies, to create and deploy multiple malicious cryptocurrency applications, and to develop and fraudulently market a blockchain platform." The suspects are alleged to have been involved in the following "schemes":
- "Cyberattacks on the Entertainment Industry: The destructive cyberattack on Sony Pictures Entertainment in November 2014 in retaliation for “The Interview,” a movie that depicted a fictional assassination of the DPRK’s leader; the December 2014 targeting of AMC Theatres, which was scheduled to show the film; and a 2015 intrusion into Mammoth Screen, which was producing a fictional series involving a British nuclear scientist taken prisoner in DPRK.
- "Cyber-Enabled Heists from Banks: Attempts from 2015 through 2019 to steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and Africa by hacking the banks’ computer networks and sending fraudulent Society for Worldwide Interbank Financial Telecommunication (SWIFT) messages.
- "Cyber-Enabled ATM Cash-Out Thefts: Thefts through ATM cash-out schemes – referred to by the U.S. government as “FASTCash” – including the October 2018 theft of $6.1 million from BankIslami Pakistan Limited (BankIslami).
- "Ransomware and Cyber-Enabled Extortion: Creation of the destructive WannaCry 2.0 ransomware in May 2017, and the extortion and attempted extortion of victim companies from 2017 through 2020 involving the theft of sensitive data and deployment of other ransomware.
- "Creation and Deployment of Malicious Cryptocurrency Applications: Development of multiple malicious cryptocurrency applications from March 2018 through at least September 2020 – including Celas Trade Pro, WorldBit-Bot, iCryptoFx, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale – which would provide the North Korean hackers a backdoor into the victims’ computers.
- "Targeting of Cryptocurrency Companies and Theft of Cryptocurrency: Targeting of hundreds of cryptocurrency companies and the theft of tens of millions of dollars’ worth of cryptocurrency, including $75 million from a Slovenian cryptocurrency company in December 2017; $24.9 million from an Indonesian cryptocurrency company in September 2018; and $11.8 million from a financial services company in New York in August 2020 in which the hackers used the malicious CryptoNeuro Trader application as a backdoor.
- "Spear-Phishing Campaigns: Multiple spear-phishing campaigns from March 2016 through February 2020 that targeted employees of United States cleared defense contractors, energy companies, aerospace companies, technology companies, the U.S. Department of State, and the U.S. Department of Defense.
- "Marine Chain Token and Initial Coin Offering: Development and marketing in 2017 and 2018 of the Marine Chain Token to enable investors to purchase fractional ownership interests in marine shipping vessels, supported by a blockchain, which would allow the DPRK to secretly obtain funds from investors, control interests in marine shipping vessels, and evade U.S. sanctions."
ZDNet reports that a joint French and Ukrainian police operation has resulted in the arrests of Egregor ransomware operators in Ukraine. The suspects appear to be affiliates of the ransomware-as-a-service operation, not the owners. The law enforcement operation hasn't been publicly announced, but Recorded Future's Allan Liska told ZDNet, "Recorded Future has observed that Egregor infrastructure, including their extortion site and command and control (C2) infrastructure, has been offline since at least Friday. While there has been no police banner, as there often would be in this case, it is unusual for ransomware actors as well-resourced as Egregor to have all of their infrastructure go offline at the same time."
Three Maryland men were charged with conspiracy to commit wire fraud for allegedly running a phony website purporting to sell COVID-19 vaccines.
Courts and torts.
North Carolina-based medical group Wilmington Surgical Associates is facing a lawsuit from its patients after the entity suffered a NetWalker ransomware attack in October, Health IT Security reports. The attackers stole and later leaked 13 GB of sensitive patient information.
Policies, procurements, and agency equities.
ZDNet flags Myanmar's draft cybersecurity legislation, put forward by the new military State Administration Council, as "repressive" and "draconian." The law would direct in-country platforms to preserve user information for years in government-specified locations, grant officials easy access to the data, and allow the state to terminate accounts. Onlookers are concerned about both human rights and foreign investment, given the data security implications of the bill and its transgression of international laws like the GDPR.
CyberScoop quotes Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger as stating Wednesday that "we're at the beginning stages of understanding" the Solorigate campaign, and remediation will likely take months. She added that "Many of the private sector compromises are technology companies including networks of companies whose products can be used to launch other intrusions" and stressed that the attackers were largely "focused on the identity part of the network, which is the hardest to clean up."
CyberScoop also reports that Carnegie Endowment for International Peace Cyber Policy Initiative Director Tim Maurer will serve as Homeland Security Secretary Mayorkas' Senior Counselor for Cybersecurity, a post previously held by former Cybersecurity and Infrastructure Security Agency (CISA) Director Krebs and current CISA Acting Director Wales.
For more, see the CyberWire Pro Policy Briefing.