Renewed Five Eyes' warning of the threat of Russian cyberattacks.
The cyber authorities of the Five Eyes (that is, Australia, Canada, New Zealand, the United Kingdom, and the United States) have issued a joint Cybersecurity Advisory warning that there are indications of Russian preparations and intent to conduct significant cyberattacks against critical infrastructure in countries that have sanctioned Russia or otherwise supported Ukraine. In specificity and detail the Advisory goes well beyond the normal run of government alerts. The Five Eyes agencies' warning is based on actual intelligence, not merely on a priori possibility:
"Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks (see the March 21, 2022, Statement by U.S. President Biden for more information). Recent Russian state-sponsored cyber operations have included distributed denial-of-service (DDoS) attacks, and older operations have included deployment of destructive malware against Ukrainian government and critical infrastructure organizations.
"Additionally, some cybercrime groups have recently publicly pledged support for the Russian government. These Russian-aligned cybercrime groups have threatened to conduct cyber operations in retaliation for perceived cyber offensives against the Russian government or the Russian people. Some groups have also threatened to conduct cyber operations against countries and organizations providing materiel support to Ukraine. Other cybercrime groups have recently conducted disruptive attacks against Ukrainian websites, likely in support of the Russian military offensive."
The explicit notice taken of Russophone criminal gangs suggests that privateering remains a prominent component of Russia's cyber armamentarium.
The Advisory includes a summary of risk reduction measures infrastructure operators should consider taking against the eventuality of Russian cyberattack: "For more information on Russian state-sponsored cyber activity, see CISA’s Russia Cyber Threat Overview and Advisories webpage. For more information on the heightened cyber threat to critical infrastructure organizations, see the following resources:
It also contains a summary overview of the various Russian government organizations known to engage in offensive cyber operations. The threat actors whose techniques receive detailed attention include:
- "The Russian Federal Security Service (FSB), including FSB’s Center 16 and Center 18
- "Russian Foreign Intelligence Service (SVR)
- "Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTsSS)
- "GRU’s Main Center for Special Technologies (GTsST)
- "Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM)"
British Government devices infected with Pegasus spyware.
The University of Toronto's Citizen Lab reports that it has found multiple infestations of NSO Group's Pegasus intercept tool in British Government devices, specifically in phones used by the Foreign, Commonwealth and Development Office (FCDO) and the Prime Minister's office. "The suspected infections relating to the FCO were associated with Pegasus operators that we link to the UAE, India, Cyprus, and Jordan," Citizen Lab blogged. "The suspected infection at the UK Prime Minister’s Office was associated with a Pegasus operator we link to the UAE."
There is ongoing legislation in the UK revolving around cyber policy and spyware after a UK-based lawyer involved in a lawsuit against NSO Group was hacked with Pegasus in 2019.
Spyware campaign targets Catalonia.
Citizen Lab also describes "CatalanGate," a spyware campaign against targets associated with Catalonia. Targets include "Members of the European Parliament, Catalan Presidents, legislators, jurists, and members of civil society organisations." Most of the targets were infected with Pegasus, a smaller number with Candiru. Citizen Lab has offered no "conclusive attribution," but "strong circumstantial evidence suggests a nexus with Spanish authorities."
The victims were targeted primarily between 2017 and 2020, with one case of targeting in 2015. Citizen Lab also notes that, because Android is far more prevalent than iOS in Spain and forensic tooling is more mature for iOS than for Android, its count of victims is likely a heavy undercount.
Citizen Lab notes that Pegasus used a zero-click exploit against a previously undisclosed vulnerability affecting iOS versions before 13.2:
"We have identified signs of a zero-click exploit that has not been previously described, which we call HOMAGE. The HOMAGE exploit appears to have been in use during the last months of 2019, and involved an iMessage zero-click component that launched a WebKit instance in the com.apple.mediastream.mstreamd process, following a com.apple.private.alloy.photostream lookup for a Pegasus email address. The WebKit instance in the com.apple.mediastream.mstreamd process fetched JavaScript scaffolding that we recovered from an infected phone. The scaffolding was fetched from /[uniqueid]/stadium/goblin. After performing tests, the scaffolding then fetches the WebKit exploit from /[uniqueid]/stadium/eutopia if tests succeed."
The Lazarus Group targets the blockchain and cryptocurrency industry.
The US Cybersecurity and Infrastructure Security Agency (CISA) on Monday warned, in a joint alert issued in coordination with the FBI and the Department of the Treasury, that North Korea's Lazarus Group (also tracked as APT38, BlueNoroff, and Stardust Chollima) is conducting a campaign against "a variety of organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs)." The attacks begin with social engineering designed to induce victims to download trojanized cryptocurrency applications. The malware toolkit, which CISA calls "TraderTraitor," can infect both Windows and macOS systems. CISA offers an extensive set of indicators of compromise and recommended remediations. In this case, as in so many others, the Lazarus Group is financially motivated, seeking to redress Pyongyang's enduring financial shortfalls through direct theft. They're collecting information, but they're also, as BleepingComputer notes, rifling wallets.
Emotet malware spread through malicious phishing email attachments.
Fortinet looks at recent Emotet outbreaks and describes the way the malware is being distributed as the payload carried by malicious files (Excel spreadsheets and Word documents, for the most part) attached to phishing emails. Since last month, the most common phish hook has been a malicious Excel file "2021_NovW4." Fortinet says, "We believe that the authors prefer to use Excel files with Excel 4.0 Macro for malicious documents to reduce detection by antivirus engines."
The campaign relies on phishing emails and social engineering to trick people into downloading the malware. The emails often carry “Re:” or “Fw:” in the subject line to make them look like part of an existing conversation. Once opened, the attachments ask the recipient to “enable content,” which activates the malicious macros in the file. The Word documents contain malicious VBA code, while the Excel files contain an Excel 4.0 macro in addition to VBA code. All malicious documents detected after Christmas were Excel files, likely because of the flexibility Excel offers in available macro types.
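The two lure properties Fortinet describes (a "Re:"/"Fw:" subject on a message that is not actually part of a thread, and a macro-capable Word or Excel attachment) are easy to turn into a mail-gateway triage rule. The script below is an added illustration, not Fortinet's code; the sample messages are constructed, the threading-header check (a genuine reply carries In-Reply-To or References) is this example's own heuristic, and the ".xlsb" entry in the extension list is an assumption beyond the formats the article names.

```python
"""Triage rule for Emotet-style reply/forward lures with macro-capable attachments."""
import email
from email import policy
from email.message import EmailMessage

# Legacy and macro-enabled Office formats; ".xlsb" is an assumption of this example.
MACRO_CAPABLE = {".doc", ".docm", ".xls", ".xlsm", ".xlsb"}
REPLY_PREFIXES = ("re:", "fw:", "fwd:")


def attachment_names(msg: EmailMessage) -> list[str]:
    """Collect the file names of all attachment parts (none for a non-multipart body)."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def triage(raw: str) -> list[str]:
    """Return the reasons a message looks like an Emotet lure; an empty list means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip().lower()
    looks_like_reply = subject.startswith(REPLY_PREFIXES)
    has_thread_headers = bool(msg["In-Reply-To"] or msg["References"])
    if looks_like_reply and not has_thread_headers:
        reasons.append("reply/forward subject without In-Reply-To or References")
    for name in attachment_names(msg):
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in MACRO_CAPABLE:
            reasons.append(f"macro-capable attachment: {name}")
    return reasons


# Constructed sample: fake reply carrying the "2021_NovW4" Excel lure named in the article.
SAMPLE_LURE = """\
From: accounts@supplier.invalid
To: ap@example.invalid
Subject: Re: Invoice 2021_NovW4
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached file and enable content to view it.
--b1
Content-Type: application/vnd.ms-excel; name="2021_NovW4.xls"
Content-Disposition: attachment; filename="2021_NovW4.xls"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed sample: a genuine reply, threaded and without attachments.
SAMPLE_REPLY = """\
From: bob@example.invalid
To: alice@example.invalid
Subject: Re: lunch
In-Reply-To: <abc123@example.invalid>
References: <abc123@example.invalid>
Content-Type: text/plain

Sure, noon works.
"""

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("reply", SAMPLE_REPLY)):
        print(label, "->", triage(sample) or "clean")
```

The threading check is deliberately narrow: it only fires when both signals are present, so ordinary forwarded spreadsheets inside a real thread are not flagged on the subject line alone, and the attachment reason still surfaces them for a second look.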
New criminal market opens trading stolen data.
A new criminal-to-criminal market has opened for business. BleepingComputer reports that the new souk, "Industrial Spy," trades in stolen data. Some of those data seem to have been culled from dumps associated with earlier ransomware attacks. The site markets its services, it claims, to businesses who compete with the victims whose data Industrial Spy trades. Despite how Industrial Spy markets itself, it is also possible that the data are being used to extort victims into buying their own data so that competitors don’t.
Different tiers of data are offered: individual files cost as little as $2, while premium data packages can cost millions of dollars. Some data offered in the “General” category come from companies known to have suffered ransomware attacks, which suggests that whoever uploaded them to Industrial Spy may have taken the data from ransomware gang leak sites to resell on the marketplace.
The Industrial Spy marketplace was discovered through malware executables that create README.txt files in every folder on the affected device advertising the site. The malware executables were found to be distributed through other malware downloaders, disguised as cracks and adware.
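The dropper behaviour BleepingComputer describes (an identical README.txt written into every folder) leaves a simple forensic signal: one file body recurring across many directories. The scanner below is an added example, not BleepingComputer's tooling; it walks a tree, hashes every README.txt, and reports any content that appears in at least a threshold number of folders. The threshold and the demo tree it builds are constructed for the illustration.

```python
"""Find README.txt contents replicated across many folders (advertising-dropper indicator)."""
import hashlib
import os
import tempfile
from collections import defaultdict


def replicated_readmes(root: str, min_dirs: int = 5) -> dict[str, list[str]]:
    """Map sha256 of README.txt content -> sorted directories, for content seen in >= min_dirs folders."""
    by_hash: dict[str, list[str]] = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() != "readme.txt":
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            by_hash[digest].append(dirpath)
    return {h: sorted(dirs) for h, dirs in by_hash.items() if len(dirs) >= min_dirs}


def build_demo_tree() -> str:
    """Construct a throwaway tree: six folders sharing one README plus one genuine project README."""
    root = tempfile.mkdtemp(prefix="readme-scan-")
    advert = b"CONSTRUCTED SAMPLE: marketplace advertisement text\n"  # stands in for the dropper's text
    for i in range(6):
        folder = os.path.join(root, f"Documents{i}")
        os.makedirs(folder)
        with open(os.path.join(folder, "README.txt"), "wb") as fh:
            fh.write(advert)
    project = os.path.join(root, "project")
    os.makedirs(project)
    with open(os.path.join(project, "README.txt"), "wb") as fh:
        fh.write(b"Build instructions for the project\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for digest, dirs in replicated_readmes(demo_root).items():
        print(f"README.txt content {digest[:12]} repeated in {len(dirs)} folders under {demo_root}")
```

Run it against a user profile or a file share root; a hit with dozens or hundreds of directories is worth pulling the file for a closer look, while the single project README is ignored because it falls below the threshold.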
REvil is up and running once again.
REvil, the ransomware gang that sustained the arrest of fourteen members by Russia's FSB back in January, appears to be back in business, maybe or maybe not under new management. BleepingComputer reports that REvil's TOR sites are again in operation, and that security researchers have found in particular that the gang's new leak site, RuTOR, is being advertised in Russophone criminal-to-criminal markets.
The site is being hosted on a different domain, but redirects to the original domain used by REvil when they were active. Conditions for affiliates are shared on the leak site, promising better REvil ransomware and an 80/20 split on ransoms.
Conti blamed for attacks disrupting Costa Rican presidential transition.
Costa Rican authorities are also blaming Conti for attacks aimed at disrupting that country's presidential transition. Six public institutions have been affected.
Costa Rican President Carlos Alvarado says that the attacks seek to destabilize the country during the transition of power between himself and president-elect Rodrigo Chaves. Taxpayer information described as “sensitive” is reported to have been accessed. The tax and customs platforms, along with a few others, remain suspended. Bottlenecks in imports and exports are causing losses, with exporters reporting losses of $200 million on Wednesday.
Analysts share and summarize Conti ransomware leaks.
BlueVoyant Monday morning offered a summary and analysis of the leaks that have emerged from the Conti ransomware gang since the onset of Russia's war against Ukraine. "CONTI is a ransomware-as-a-service (RaaS) group first noted by security researchers in May 2020," the analysts say. "It has since risen to be one of the largest and most active ransomware groups currently operating."
More_eggs malware spearphishing campaign targets corporate hiring managers.
eSentire reports a fresh infestation of More_eggs malware across various company networks. The credential-stealer is being distributed in a spearphishing campaign that targets corporate hiring managers with phishbait representing itself as resumes from (fictitious) job applicants. More_eggs last surfaced a year ago.
Phishing campaign targets Facebook users.
Abnormal Security has released the results of research into a credential phishing campaign underway that uses a phishing site on Facebook as part of an effort to induce users to give up their login information. As usual, the phishing appeal relies on urgency to induce credulity in its prospective victims: they're told that their Facebook account is about to be disabled because they've been reported for posting inappropriate content, but that they can appeal their suspension at the link provided.
This attack is unusual in that it uses a real Facebook URL in the initial phishing email, lending the message apparent legitimacy. The scam also seems to target those in charge of business Facebook pages, for whom losing access would be a greater loss. If the attackers obtain the credentials for an account linked to a business page, not only could the business’ marketing, branding, and revenue be affected, but its reputation could be on the line as well.
Cybercrime cartels more destructive than ever before.
VMware discerns "a fundamental restructuring of cybercrime cartels thanks to a booming dark web economy of scale." Gangs operate like multinational corporations, and they now engage in more destructive behavior than before.
Destructive attacks, that is, attacks launched with the intent to destroy, disrupt, or degrade systems, have gone up 17% in the last year, with 63% of financial institutions experiencing an increase in destructive attacks. It was also shown that 74% of financial security leaders experienced a ransomware attack, with 63% paying the ransom.
Gold Ulrick ransomware activity continues despite leaks.
Secureworks looks at Gold Ulrick, a prominent operator of what the researchers characterize as Conti ransomware's name-and-shame site, and describes how it's adapted to recent revelations and setbacks. Gold Ulrick data and communications were leaked on the @ContiLeaks Twitter account at the end of February. It was anticipated that Gold Ulrick would modify their communications, but operations have continued, even increased, without disruption.
The researchers note: "The Conti leak site added 11 victims in the first four days of April. If GOLD ULRICK operations continue at that pace, the group will continue to pose one of the most significant cybercrime threats to organizations globally."
FBI issues alert on BlackCat ransomware.
The US FBI has issued a FLASH alert on BlackCat ransomware, describing the indicators of compromise associated with this strain of double-extortion malware. The alert also describes the typical course of a BlackCat attack: "BlackCat/ALPHV ransomware leverages previously compromised user credentials to gain initial access to the victim system. Once the malware establishes access, it compromises Active Directory user and administrator accounts. The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware. Initial deployment of the malware leverages PowerShell scripts, in conjunction with Cobalt Strike, and disables security features within the victim’s network. BlackCat/ALPHV ransomware also leverages Windows administrative tools and Microsoft Sysinternals tools during compromise." BleepingComputer reports that BlackCat has affected at least sixty organizations worldwide.
Patch news.
The US Cybersecurity and Infrastructure Security Agency (CISA) released six industrial control system advisories on Wednesday. This round covers Interlogix Hills ComNav, Automated Logic WebCTRL, FANUC ROBOGUIDE Simulation Platform, Elcomplus SmartPPT SCADA, Elcomplus SmartPPT SCADA Server, and Multiple RTOS (Update E). Three more advisories were released Friday. The products affected include Delta Electronics ASDA-Soft, Johnson Controls Metasys SCT Pro, and Hitachi Energy MicroSCADA Pro/X SYS600.
CISA has also added to its Known Exploited Vulnerabilities Catalog. The specific entries are CVE-2018-6882 (a cross-site scripting issue in the Zimbra Collaboration Suite that could allow injection of arbitrary HTML or web script), CVE-2019-3568 (a stack buffer overflow vulnerability in Meta Platforms' WhatsApp voice-over-IP stack that could permit remote code execution through a "specially crafted series of RTCP packets sent to a target phone number"), and CVE-2022-22718 (a privilege escalation vulnerability in the Microsoft Windows Print Spooler). All three companies have fixes available. All Federal civilian agencies must patch by May 10th.
Crime and punishment.
A London court has ordered the extradition of WikiLeaks founder Julian Assange to the United States, moving him one step closer to being tried under the Espionage Act. He is wanted on eighteen criminal charges and could be facing up to 175 years in prison after WikiLeaks published thousands of classified files and diplomatic cables in 2010. He is currently in the high-security Belmarsh Prison in London.
The US State Department has offered a reward of up to $5 million for information on a range of Pyongyang's prohibited activities. State is asking for information under its Rewards for Justice program "that leads to the disruption of financial mechanisms of persons engaged in certain activities that support North Korea, including money laundering, exportation of luxury goods to North Korea, specified cyber-activity and actions that support WMD proliferation."