Second-stage backdoor possibly linked to Solorigate campaign. Threat actors target India's critical infrastructure. Hafnium exploits Exchange Server vulnerabilities.

Second-stage backdoor possibly linked to Solorigate campaign.

FireEye has identified a second-stage backdoor dubbed "SUNSHUTTLE" that the security firm thinks may be linked to the threat actor they track as UNC2452. UNC2452 has been associated with the SolarWinds supply chain exploitation, but FireEye stresses that its researchers "have not fully verified" a connection with SUNSHUTTLE.

The backdoor was "uploaded by a U.S.-based entity to a public malware repository in August 2020," and the researchers say the malware was observed at an entity that had been compromised by UNC2452. The researchers summarize, "SUNSHUTTLE is written in GO, and reads an embedded or local configuration file, communicates with a hard-coded command and control (C2) server over HTTPS, and supports commands including remotely uploading its configuration, file upload and download, and arbitrary command execution. Notably, SUNSHUTTLE uses cookie headers to pass values to the C2, and if configured, can select referrers from a list of popular website URLs to help such network traffic 'blend in.'"

FireEye adds, "The new SUNSHUTTLE backdoor is a sophisticated second-stage backdoor that demonstrates straightforward but elegant detection evasion techniques via its “blend-in” traffic capabilities for C2 communications. SUNSHUTTLE would function as second-stage backdoor in such a compromise for conducting network reconnaissance alongside other SUNBURST-related tools."

Microsoft (which tracks the Solorigate threat actor as "NOBELIUM") has published its own analysis of the backdoor, along with two other tools the company calls "GoldFinder" and "Sibot." The researchers say the malware was used from August to September 2020, though it may have been placed on systems in June 2020. Microsoft states, "These tools are new pieces of malware that are unique to this actor. They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary and after moving laterally with TEARDROP and other hands-on-keyboard actions. These capabilities differ from previously known NOBELIUM tools and attack patterns, and reiterate the actor’s sophistication. In all stages of the attack, the actor demonstrated a deep knowledge of software tools, deployments, security software and systems common in networks, and techniques frequently used by incident response teams. This knowledge is reflected in the actor’s operational decisions, from the choice of command-and-control (C2) infrastructure to the naming of scheduled tasks used to maintain persistence."

And WIRED says the known victims of the Solorigate cyberespionage campaign now include NASA and the US Federal Aviation Administration (FAA).

Suspected Chinese actors target India's critical infrastructure.

Recorded Future's Insikt Group describes an increase in suspected Chinese hacking activity directed against targets in India. The activity bears similarities to known Chinese threat actors, but it's distinct enough that the researchers are tracking it under the new moniker "RedEcho." Notably, this activity is targeted at Indian critical infrastructure, which Recorded Future believes may be a sign of potential preparation for cybersabotage. The researchers write:

"Since early 2020, Recorded Future’s Insikt Group observed a large increase in suspected targeted intrusion activity against Indian organizations from Chinese state-sponsored groups. From mid-2020 onwards, Recorded Future’s midpoint collection revealed a steep rise in the use of infrastructure tracked as AXIOMATICASYMPTOTE, which encompasses ShadowPad command and control (C2) servers, to target a large swathe of India’s power sector. 10 distinct Indian power sector organizations, including 4 of the 5 Regional Load Despatch Centres (RLDC) responsible for operation of the power grid through balancing electricity supply and demand, have been identified as targets in a concerted campaign against India’s critical infrastructure. Other targets identified included 2 Indian seaports."

Recorded Future adds, "The targeting of Indian critical infrastructure offers limited economic espionage opportunities; however, we assess they pose significant concerns over potential pre-positioning of network access to support Chinese strategic objectives...Pre-positioning on energy assets may support several potential outcomes, including geo-strategic signaling during heightened bilateral tensions, supporting influence operations, or as a precursor to kinetic escalation."

Following the report, Indian authorities investigated the possibility that October's electrical outages in Mumbai were deliberately induced by cyberattacks. On Tuesday, however, India’s Union Power Minister RK Singh said the blackouts were the result of human error, and not cybersabotage, the Times of India reports. He did confirm that there were attacks on load dispatch centers, but these were successfully contained and caused no outages. Singh declined to offer attribution for these attacks, stating, "We don't have evidence to say that the cyberattacks were carried out by China or Pakistan. Some people will say that the group behind the attacks is Chinese but we don't have evidence. China will definitely deny it."

For more, see the CyberWire Pro Research Briefing.

Hafnium exploits Exchange Server vulnerabilities.

Microsoft warns that a Chinese threat actor, "Hafnium," was observed exploiting zero-day vulnerabilities in Exchange Server, and the company urges users to apply the patches immediately:

"Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures."

Microsoft says Hafnium is a "highly skilled and sophisticated actor" that "primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs."

Redmond adds, "The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network."

The US Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued Emergency Directive 21-02, "requiring federal civilian departments and agencies running Microsoft Exchange on-premises products to update or disconnect the products from their networks until updated with the Microsoft patch released yesterday." CISA requires all agencies to report completion by noon Eastern Standard Time this Friday.

Gab users outed in hacktivist breach.

On the heels of the Parler data breach and subsequent shutdown, social media platform Gab, also a gathering place for right-wing conservatives, has been hit by hackers, WIRED reports. Hacktivist "JaXpArO and My Little Anonymous Revival Project" infiltrated the platform by exploiting an SQL injection vulnerability and harvested data from Gab's backend databases. A group called Distributed Denial of Secrets is distributing what it’s calling "GabLeaks," over seventy gigabytes of data equaling about 40 million posts obtained in the attack. The leak comprises public posts and profiles as well as private messages and passwords. DDoSecrets co-founder Emma Best described the data as "everything someone needs to run a nearly complete analysis on Gab users and content," and the group will be sharing the data with researchers.

For more, see the CyberWire Pro Privacy Briefing.

Myanmar, surveillance, and Internet control.

Myanmar's ruling junta has extended its control over online activity, both managing content and, what's more worrisome to dissidents and disfavored people, expanded online surveillance. It had to buy the technology it uses for those purposes somewhere, and the New York Times this week reviewed cyber proliferation to Myanmar's junta. The report indicates the perennial difficulty of restricting the spread of dual-use technologies, that is, not only tech that has entirely legitimate civilian uses, but technology that has lawful military and law enforcement uses, but which should be kept away from governments likely to use it for illicit repression. 

Singled out for particular mention are field units produced by the Swedish firm MSAB that can download the contents of mobile devices and recover deleted items, and MacQuisition forensic software that extracts data from Apple devices. MacQuisition is made by BlackBag Technologies, a US company that was acquired last year by Israel's Cellebrite.

Both companies say the tech in question appears to represent legacy systems, and that they had suspended sales to Myanmar before this year’s coup. Some of the tools may have been provided by various middlemen. The report in the Times might be considered a useful case study of the sort of problem the Atlantic Council addressed in its report on initial access brokers and cyber proliferation earlier this week. The Atlantic Council's report recommends international action, specifically by the US and its allies, to: 

• “Understand and partner” with like-minded governments, elevating the issue and enacting appropriate controls.
• “Shape,” by developing lists of troublesome vendors, standardizing risk assessment, incentivizing corporate ethics moves, and controlling sales and assistance to states that deal with banned vendors..
• “Limit,” by widening the scope of vulnerability disclosure, restricting post-employment activities for former government cyber operators, taking legal action against access-as-a-service business, and encouraging “technical limits on malware payload jurisdiction.”

For more, see the CyberWire Pro Disinformation Briefing.

Mergers and acquisitions.

TPG Capital has signed a definitive agreement to acquire Washington, DC-based privileged access management (PAM) provider Thycotic for $1.4 billion, CRN reports. TPG plans to merge Thycotic with zero trust and PAM company Centrify. Centrify's CEO Art Gilliland will serve as CEO of the new company, while Thycotic's CEO James Legg will serve as President. Legg stated, "Combining these two synergistic platforms allows us to offer customers an expanded range of products to address their increasingly complex security requirements....Thycotic and Centrify together will help companies navigate this new environment with an innovative and intuitive product suite, backed by some of the most experienced operators in the identity security sector."

Tysons, Virginia-based risk analytics company QOMPLX is merging with Tailwind Acquisition Corp., a special purpose acquisition company (SPAC), to create a public company valued at $1.4 billion. The company added, "As part of the transaction, QOMPLX is acquiring cyber intelligence and analytics solutions provider Sentar and insurance modeling and actuarial platform Tyche to accelerate its leadership position in risk analytics."

Security awareness training company KnowBe4, based in Florida, has acquired MediaPRO, a security training firm headquartered in Bothell, Washington. KnowBe4 stated, "MediaPRO's customers will gain access to the additional benefits of KnowBe4's security awareness training and simulated phishing platform. The acquisition enables KnowBe4 to offer its customers a larger amount of privacy and compliance training modules."

Eden Prairie, Minnesota-based Data protection and recovery company Arcserve, of Eden Prairie, Minnesota, is merging with backup software provider StorageCraft (headquartered in Draper, Utah). They'll combine under the Arcserve brand. The companies stated, "With expanded geographic reach, the industry’s broadest product portfolio, flexible business models, and magnified innovation footprint, the merged companies will bring extensive market and revenue opportunities for MSPs, VARs, and distributors....Arcserve and StorageCraft will continue to fully support and invest in their existing solutions. In addition, both companies will increase investments in R&D and combined IP, which will strengthen both companies’ product portfolios."

More business news can be found in the CyberWire Pro Business Briefing.

Patch news.

CISA has issued ICS security advisories covering MB connect line mbCONNECT24, mymbCONNECT24, Rockwell Automation CompactLogix 5370 and ControlLogix 5570 Controllers, and Hitachi ABB Power Grids Ellipse EAM.

Google has released patches for 37 Android vulnerabilities, including a critical flaw that could lead to remote code execution, SecurityWeek reports. Google states, "The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process"

Crime and punishment.

A Swedish citizen, Roger Nils-Jonas Karlsson, has pleaded guilty to fraud charges that cost more than 3,500 victims more than $16 million. The US Justice Department states, "Specifically, the indictment explains that from Nov. 27, 2012, through June 19, 2019, Karlsson and EMS used www.easternmetalsecurities[.]com to make fraudulent representations and convince victims to send funds using a virtual currency exchange. During the same period, Karlsson and EMS used deceptive 'devices and contrivances' to sell securities and then tried to conceal the proceeds of the wire fraud and securities fraud. During the proceedings, Karlsson admitted that he used the website to invite potential investors to purchase shares of the plan for less than $100 per share, promising an eventual payout of 1.15 kilograms of gold per share, an amount of gold which as of Jan. 2, 2019, was worth more than $45,000. Karlsson advised investors that, in the unlikely event that the gold payout did not happen, he guaranteed to them 97% of the amount they invested. Karlsson admitted he had no way to pay off the investors. Instead, the funds provided by victims were transferred to Karlsson's personal bank accounts and he then used proceeds to purchase expensive homes and a resort in Thailand."

Courts and torts.

A US Federal judge of the Northern District of California has ruled that Facebook must pay $650 million to settle a class-action lawsuit concerning the company's alleged use of facial recognition for photo-tagging without obtaining users' permission, Computing reports. The ruling states, "By any measure, the $650 million settlement in this biometric privacy class action is a landmark result. It is one the largest settlements ever for a privacy violation, and it will put at least $345 into the hands of every class member interested in being compensated. At the Court’s request, the parties jointly developed an innovative notice and claims procedure that generated an impressive claims rate. The settlement attracted widespread support from the class, and drew only three objections out of millions of class members." According to the Guardian, nearly 1.6 million claimants will receive compensation.

Policies, procurements, and agency equities.

Virginia Governor Ralph Northam has signed the Commonwealth's Consumer Data Protection Act into law, Virginia Business reports. In many ways the omnibus bill follows the example set by the California Consumer Privacy Act. Its most immediate effect is expected to be easier ways for consumers to opt out of corporate data collection.

JDSupra reports that Florida is considering data privacy legislation that's expected to "mirror" the California Consumer Privacy Act.

The White House on Wednesday released an Interim National Security Strategy. The document mentioned cyber frequently (some sixteen times) often in the context of other categories of threats, but also in the course of discussing development of international norms for conduct in cyberspace and in expression of determination to enforce laws against cybercrime.

iTnews observes a "new appetite" among some US lawmakers and companies for Federal regulation of breach reporting. Microsoft President Brad Smith told a joint House Homeland Security and Oversight and Reform hearing, “Silence is not going to make this country stronger. So I think we have to encourage - and I think even mandate - that certain companies do this kind of reporting.” Current cyber incident disclosure laws primarily come into play when medical or financial information is exposed.

For more, see the CyberWire Pro Policy Briefing.