Western governments remain on alert for Russian cyberattacks as hybrid war continues in Ukraine.
Western governments continue to warn that Russian cyberattacks remain a real possibility, and that organizations should prepare to defend themselves. US Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly put it this way to CNN over the weekend: "All businesses, all critical infrastructure owners and operators need to assume that disruptive cyber activity is something that the Russians are thinking about, that are preparing for, that are exploring options, as the President said. That’s why we are so focused on making sure that everybody understands the potential for this disruptive cyber activity. And it’s not about panic. It’s about preparation."
Citing research by Malwarebytes, BleepingComputer describes a large-scale phishing campaign directed against potential Russian dissidents. It seems to be an internal security measure intended to keep an eye on dissatisfaction with the war and to offer a measure of insurance against the possibility of insurrection or coup d'etat. A malicious RTF file attached to a phishing email carries either a CobaltStrike or PowerShell payload. Employees of certain agencies are of particular interest to the organs carrying out the campaign, and it's interesting to see how many of them work for either educational organizations or regional authorities.
Defense One reports that Ukrainian operators, hacktivists of the CyberPan Ukraine group, say they've found weaknesses in Russian tactical battle management systems that render them susceptible to disruption by interfering with their ability to use GLONASS signals. (GLONASS is the Russian equivalent of the more familiar US GPS.) They also hint that they're exploring ways of directly interfering with Russian artillery computers, and that they've identified some possibly exploitable weaknesses in those systems. This wouldn't be surprising: Russia did it to the Ukrainians a few years ago. During the early stages of the Donbas insurrection Russia fomented and supported, CrowdStrike reported that Russian operators were able to gain access to Ukrainian fire direction systems.
Viasat terminals were hit by wiper malware.
Viasat has provided more information on the cyberattack against ground terminals that knocked its satellite Internet service offline in Ukraine (and in other parts of Europe) during the early stages of the Russian invasion. The company says it's working to fully restore service to affected customers, and that it's taking other steps to shore up its resilience. Those steps it's prudently not sharing, since it doesn't wish to give the attackers insight into Viasat's own defenses.
SentinelLabs researchers have concluded that Russian wiper malware, specifically a variant they call AcidRain, was deployed against Viasat modems, and Viasat has substantially confirmed SentinelLabs' analysis. "AcidRain is an ELF MIPS malware designed to wipe modems and routers," the researchers explain. "We assess with medium-confidence that there are developmental similarities between AcidRain and a VPNFilter stage 3 destructive plugin. In 2018, the FBI and Department of Justice attributed the VPNFilter campaign to the Russian government." AcidRain is the seventh wiper deployed against Ukraine since the beginning of its hybrid war, the others being WhisperKill, WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero. The Viasat attack is noteworthy because it alone had significant spillover into operations outside Ukraine proper. It's regarded as the most serious cyberattack of Russia's war so far, and the most likely suspect is the GRU's Sandworm APT.
Distributed denial-of-service in the Marshall Islands.
Last Wednesday Internet service in the Republic of the Marshall Islands began to sustain rolling distributed denial-of-service attacks. RNZ reports that “Home, business and government DSL and dedicated lines as well as mobile 4G services became intermittent or non-functional, forcing the National Telecommunications Authority (NTA) to repeatedly issue messages updating customers about ‘intermittent disruptions’ and ‘urgent maintenance’ needed to restore service.” Marianas Variety reports that the attacks are over and service has been restored to normal.
Okta follows up on the Lapsus$ Group attack it sustained.
Okta has published a detailed timeline of the attack it sustained in January from the Lapsus$ Group. The company traced the incident to a compromised account belonging to a Sitel employee, and the company also acknowledged that it was a mistake to have delayed notification of its own customers.
IcedID Trojan is being distributed in the wild.
Fortinet and Intezer independently report criminal campaigns to deliver IcedID, a Trojan that's been observed in the wild since 2017. Fortinet describes spearphishing emails with attached (and bogus) invoices that carry IcedID as their malicious payload. Intezer reports that IcedID distributors have also turned to conversation hijacking as the means to deploy the Trojan.
Rates of employment fraud remain high.
Proofpoint researchers report that employment fraud continues to appear at a high level, and that it disproportionately affects students at colleges and universities. "There are many variations of this threat including job offers as caregivers, mystery shoppers, administrative assistants, models, or rebate processors." The goal of employment fraud isn't usually direct theft from the victims, but rather either theft of identities or credentials, or the recruitment of victims into criminal activity as (for example) a money mule.
Software supply chain attacks at scale.
Checkmarx has been tracking the activities of the Red-Lili threat actor, which has been engaged in using "anonymous disposable NPM account[s]" as one-time distribution vectors for malicious packets. Red-Lili has developed the ability to mount these software supply-chain attacks at scale: "the attacker has fully-automated the process of NPM account creation and has open dedicated accounts, one per package, making his new malicious packages batch harder to spot." As Checkmarx notes, they're not the only researchers to have observed the activity. Both JFrog and Sonatype have reported on the malicious NPM activity. Red-Lili's allegiances and purposes remain obscure, but the actor represents a clear threat to software supply chains.
Emergency data requests and subpoena phishing.
Bloomberg reported on Thursday that forged "emergency data requests" last year induced Apple and Meta to surrender "basic subscriber details, such as a customer’s address, phone number and IP address." Researchers suspect that some, perhaps all, of those responsible for the caper were minors in the UK and the US, some of whom may also be involved with the Lapsus$ group. The incidents have led Senator Ron Wyden (Democrat of Oregon) to begin an investigation of the emergency data request system as such. Law enforcement surely needs quick ways of getting data in an emergency, but there should be, the Senator suggests, some checks and balances that will enable companies to distinguish real requests from subpoena fraud.
The resilience of the script kiddies?
Lapsus$ (or someone claiming to be Lapsus$), may have returned from the "vacation" it took after seven of its alleged leaders were arrested last week. TechCrunch describes the group's attack on software consultancy Globant. Lapsus$ has pushed a 70 gigabyte torrent file in its Telegram channel that the gang claims to have stolen from Globant. The hackers also say their take included Globant's corporate customers’ source code.
The Remcos Trojan is back.
Morphisec has discerned a resurgence in the Remcos Trojan. The phishing emails represent themselves as payment remittances from financial institutions (including Wells Fargo, FIS Global, and ACH Payment). The phish hook is in a malicious Excel file.
Deep Panda's exploitation of Log4shell.
Fortinet shares an analysis of how the Chinese APT Deep Panda exploited Log4shell vulnerabilities to gain access to its targets' systems. The researchers state:
"The Milestone backdoor is actually the same Infoadmin RAT that was used by Deep Panda back in the early 2010s, referenced in blogs from 2013 and 2015. Although many backdoors are based on Gh0st RAT code, Milestone and Infoadmin are distinguishable from the rest. Besides having profoundly similar code, both backdoors incorporate identical modifications of Gh0st RAT code not seen in other variants.
"Both backdoors share a XOR encryption function for encrypting communication and have abandoned the zlib compression of the original Gh0st RAT. Both also modified Gh0st RAT code in an identical way, specifically the CMD and screen capture functions. Moreover, the backdoors share two commands that are not present in other Gh0st RAT variants: the session enumeration command and the command to execute as an administrative user.
"Additional evidence indicates affiliation to Winnti. The rootkits are digitally signed with certificates stolen from game development companies, which is a known characteristic of Winnti. Searching for more files signed with one of the certificates led to a malicious DLL uploaded to VirusTotal with the name winmm.dll. Further examination revealed it as the same tool referenced in a blog about Winnti that was published in 2013. Yet another connection to Winnti is based on a C2 domain. Two of the newdev.dll loaders are configured with the server gnisoft[.]com, which was attributed to Winnti in 2020.
Calendar phishbait.
INKY describes how criminals have been able to abuse Calendly, "a freemium calendaring hub," by inserting malicious links into event invitations. The crooks are using brand impersonation to distribute a credential-harvesting link. Many of the invitations are arriving from compromised email accounts, which has enabled them to slip by some defenses. Calendly is working on ways of protecting its users from this sort of social engineering.
We have met the caller, and the caller is us?
Some Verizon customers have been receiving spam texts that include a link to a Russian television provider. "Free Msg," the spam begins. "Your bill is paid for March. Thanks; here's a little gift for you." And the phish hook is a shortened url that directs those who click to content provided by Russia's 1TV, a channel whose majority owner is the Russian state. The spam is interesting in that it seems to come from the recipient's own number. Verizon says, according to the Verge, that "bad actors" are responsible, and that it's cooperating with law enforcement investigation.
Russia's aviation authority, Rosaviatsia, is reported to have lost some 65 terabytes of data in an incident it sustained this week, Mentour Pilot reports. Business systems and records, including aircraft registration records, are said to have been affected. It's not clear exactly what the incident was, even whether it was a cyberattack or an accident. Some sources in Russia are connecting the incident to IT problems induced by a recent change in agency leadership.
Another aviation target was hit, this one in the US state of Connecticut: Bradley International Airport, which serves Hartford, was affected by a distributed denial-of-service attack against its public website. In neither the Russian nor the US incident was safety of flight at risk.
Patch news.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added sixty-six entries to its Known Exploited Vulnerabilities Catalog. If you’re responsible for a US Federal civilian agency, take note: your organization is expected to remediate each vulnerability by the deadline specified in the Catalog.
CISA on Tuesday released six industrial control systems advisories, for Philips e-Alert, Rockwell Automation ISaGRAF, Omron CX-Position, Hitachi Energy LinkOne WebView, Modbus Tools Modbus Slave, and Delta Electronics DIAEnergie.
CISA on Thursday released nine more industrial control system advisories. They include: Schneider Electric SCADAPack Workbench, Hitachi Energy e-mesh EMS, Fuji Electric Alpha5, Mitsubishi Electric FA Products, Rockwell Automation Logix Controllers, General Electric Renewable Energy MDS Radios, Rockwell Automation Studio 5000 Logix Designer, PTC Axeda agent and Axeda Desktop Server, and Mitsubishi Electric MELSEC iQ-R, Q and L Series (Update C).
Crime and punishment.
A 37-year-old Estonian citizen, Maksim Berezan, has been sentenced to five and a half years in prison after pleading guilty in the US to assisting in ransomware attacks. The US Justice Department stated, "Berezan was an active member of an exclusive online forum designed for Russian-speaking cybercriminals to gather safely and exchange their criminal knowledge, tools, and services. From 2009 through 2015, Berezan not only furthered the criminal aims of the forum, but he also worked closely with forum members and other cybercriminals for purposes of obtaining and exploiting stolen financial account information.... According to court documents, following Berezan’s arrest, investigators uncovered within his electronic devices evidence of his involvement in ransomware activities. The post-extradition investigation determined that Berezan had participated in at least 13 ransomware attacks, seven of which were against U.S. victims, and that approximately $11 million in ransom payments flowed into cryptocurrency wallets that he controlled. Berezan used his ill-gotten gains to purchase two Porsches, a Ducati motorcycle, and an assortment of jewelry. In addition, authorities recovered from Berezan’s residence currency worth more than $200,000 and electronic devices storing passphrases to bitcoin wallets that contained bitcoin worth approximately $1.7 million, which has been forfeited."
The US Attorney for the District of Maryland has announced the indictment of an NSA employee, Mark Robert Unkenholz, with thirteen counts of unlawful retention of classified material and thirteen counts of unlawful transmission of classified material. He's alleged to have used his personal email account to send classified information to someone who worked at different times for two unnamed companies. Mr. Unkenholz, who was arraigned Thursday in Baltimore, is said by the Military Times to have worked for an office responsible for engaging private industry.
Policies, procurements, and agency equities.
A meeting this week of the United Nations' "open-ended working group for security and the use of information and communications technologies" continued its deliberation concerning international norms of conduct in cyberspace. Bloomberg says the sessions were dominated by sharp Western criticism of Russian cyber misconduct and Russian rejoinders to the effect that it's really the injured party in cyberspace.
The US Treasury Department Thursday announced new sanctions against Russian actors implicated in the war against Ukraine. Most are directed against Russian sanctions-evasion networks, several of which involve connections through shell companies to front corporations based abroad, is striking, but Treasury is also including those responsible for earlier cyberattacks, notably the Triton attack against a Saudi petrochemical plant. It singles out the State Research Center of the Russian Federation (FGUP) Central Scientific Research Institute of Chemistry and Mechanics (Russian acronym "TsNIIKhM") for particular mention as the source of the tools used in the Triton attack.
The US Federal Communications Commission (FCC) has added Kaspersky to its list of communications service and equipment providers who pose a threat to US national security, Reuters reports. US concerns derive from Kaspersky's obligation, under Russian law, to provide certain kinds of cooperation with the Russian government. Kaspersky's official statement Friday deplored the FCC's action as "unconstitutional" and baseless, adding, "Kaspersky will continue to assure its partners and customers on the quality and integrity of its products, and remains ready to cooperate with US government agencies to address the FCC’s and any other regulatory agency’s concerns."
Fortunes of commerce.
Controversial German spyware vendor FinFisher filed for insolvency last month, Bloomberg reports. The company was being investigated by the German government over allegations that it illegally sold its spyware to Turkey. A spokesperson for the German insolvency administrator told Bloomberg, "Employees are no longer employed in the companies. The business premises were abandoned in the course of the opening of insolvency proceedings and the location of the companies in Munich was dissolved, as there was no perspective of continuing business operations."