At a glance.
- Conti rebranding during ransomware campaign against Costa Rica.
- PayOrGrief is a rebranded DoppelPaymer.
- Indiscriminate and counterproductive hacktivism in Sri Lanka.
- BLE exploit proof-of-concept.
- Report: cyberattacks over Nile dam.
- Chaos declares for Russia.
- CISA warnings.
- Fraudulent liquidity mining.
- Chinese cyberespionage against Russian aerospace sector.
- Strapi vulnerability fixed.
- Crypters in the C2C market.
- Ransomware at Nikkei Asia.
- Crime and punishment.
- Policies, procurements, and agency equities.
Conti rebranding in the midst of Costa Rica ransomware attack.
BleepingComputer reports that Conti may be breaking into smaller gangs and rebranding itself in the process. Researchers at Advanced Intel Thursday tweeted that, while some of Conti’s public-facing sites (like the Conti News dump site and its negotiation portal) remain up, the group’s Tor infrastructure has been shuttered, in which case its attack on Costa Rica may amount to misdirection.
Reuters reports that the number of Costa Rican organizations affected by Conti's ransomware attack has now grown to twenty-seven. Recently elected President Rodrigo Chaves has said that nine institutions, most of them governmental, were heavily affected, and that the attacks were having an "enormous" impact on foreign trade and tax collection. The country is also having difficulty paying its employees.
And, by the way, the ransom demand has gone up to $20 million, and (somewhat irrelevantly) US President Biden is a "terrorist." Costa Rica has refused to pay the ransom, but continues to work to restore services, as Conti woofs about seeking to foment an insurrection in Costa Rica to help force payment.
A communiqué from the group, reproduced by Tech Monitor, said, "We have our insiders in your government, I recommend that your responsible contact UNC1756, there is less than a week left when we destroy your keys, we are also working on gaining access to your other systems, you have no other options but to pay us, we know that you have hired a data recovery specialist, don't try to find workarounds, I communicate with everyone in this business, I have insiders even in your government! I once again appeal to the residents of Costa Rica to go out on the street and demand payment You're just forcing us to use terrible methods Another attempt to get in touch through other services will be punished by deleting the key."
The reference to UNC1756 is just made-up gasconade, since there's no record of activity under this particular classification, but CyberScoop reports that Costa Rica's President Rodrigo Chaves has lent credence to the claim that Conti's getting some local help. “There are very clear indications that people inside the country are collaborating with Conti,” the president said, but, citing national security, declined to give details.
PayOrGrief is just a rebranding of DoppelPaymer.
Investigation of the ransomware attack against the city government of Thessaloniki, Greece, last July indicates that the attackers, PayOrGrief, were not in fact a new gang, but simply a rebranding of DoppelPaymer, Darktrace researchers report.
Anonymous action in Sri Lanka seems indiscriminate and counterproductive.
Anonymous hasn't confined its activities to #OpRussia. It's also declared its support of anti-government protesters in Sri Lanka (#OpSriLanka) by "declaring cyberwar against the government.” But, Rest of World reports, the effects of the action may not be entirely welcomed by those it's intended to support. The anarchist collective conducted distributed denial-of-service attacks against websites operated by the Ceylon Electricity Board, the Sri Lanka Police, and the Department of Immigration and Emigration. The hacktivists also doxed Sri Lanka Scholar (a private portal connecting students to universities) and the Sri Lanka Bureau of Foreign Employment (SLBFE). In both cases the names and email addresses of ordinary Sri Lankans were exposed, increasing their risk of falling victim to cybercrime.
Bluetooth vulnerabilities demonstrated in proof-of-concept.
NCC Group researchers have demonstrated that Bluetooth Low Energy (BLE) systems are vulnerable to a link layer relay attack. The news has been generally reported with headlines that point out that crooks could now open and start your Tesla without so much as a by-your-leave, but the problem is more widespread than that. BLE is, NCC Group explains, "the standard protocol used for sharing data between devices that has been adopted by companies for proximity authentication to unlock millions of vehicles, residential smart locks, commercial building access control systems, smartphones, smart watches, laptops and more." It's not the kind of problem that can be resolved with a patch. Rather, NCC Group argues, it's the kind of issue that arises when technologies are extended beyond their intended purposes, and BLE, they say, was never designed for use in critical systems. The researchers offer three recommendations, two for manufacturers, one for users:
- "Manufacturers can reduce risk by disabling proximity key functionality when the user’s phone or key fob has been stationary for a while (based on the accelerometer)
- "System makers should give customers the option of providing a second factor for authentication, or user presence attestation (e.g., tap an unlock button in an app on the phone)
- "Users of affected products should disable passive unlock functionality that does not require explicit user approval, or disable Bluetooth on mobile devices when it’s not needed"
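The first two recommendations can be combined into a single unlock policy on the key side. The sketch below is an added example, not code from NCC Group or any vendor; the thresholds, the 1 Hz sample trace and all function names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from math import sqrt
from statistics import pstdev

# Assumed tuning values, not taken from the NCC Group advisory.
STATIONARY_AFTER_S = 60.0  # seconds at rest before passive unlock is disabled
MOTION_STDDEV_G = 0.05     # stddev of |accel| (in g) that counts as movement
WINDOW = 5                 # samples per analysis window


@dataclass
class AccelSample:
    t: float  # timestamp in seconds
    x: float  # acceleration in g
    y: float
    z: float


def last_motion_time(samples):
    """Return the start time of the latest window showing movement, or None."""
    mags = [sqrt(s.x ** 2 + s.y ** 2 + s.z ** 2) for s in samples]
    last = None
    for i in range(len(samples) - WINDOW + 1):
        if pstdev(mags[i:i + WINDOW]) > MOTION_STDDEV_G:
            # Conservative choice: credit motion to the window start.
            last = samples[i].t
    return last


def unlock_decision(samples, now, user_tapped_unlock):
    """Decide how the key (phone or fob) answers a proximity unlock request."""
    if user_tapped_unlock:
        return "unlock"        # explicit user presence attestation
    moved = last_motion_time(samples)
    if moved is None or now - moved > STATIONARY_AFTER_S:
        return "require_tap"   # key is at rest: passive unlock disabled
    return "unlock"            # key moved recently: passive unlock allowed


def constructed_trace():
    """Constructed data: 10 s of walking, then the phone at rest on a table."""
    walking = [AccelSample(t, 0.0, 0.0, 1.0 + (0.3 if t % 2 else -0.3))
               for t in range(10)]
    resting = [AccelSample(t, 0.0, 0.0, 1.0) for t in range(10, 200)]
    return walking + resting


if __name__ == "__main__":
    trace = constructed_trace()
    for now, tapped in [(30, False), (199, False), (199, True)]:
        print(now, tapped, unlock_decision(trace, now, tapped))
```

A key lying still on a table, the situation in which a relayed unlock would otherwise succeed unnoticed, falls into the `require_tap` branch, so the lock opens only after an explicit action by the user.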
Claim: "international" cyberattack against Nile dam stopped.
Ethiopia says it stopped cyberattacks on its Nile dam and some financial institutions, the Addis Standard reports. Al-Monitor says that Egypt's government has not officially responded to Ethiopian accusations that it's behind any such cyberattacks. The Grand Ethiopian Renaissance Dam (GERD) and the Nile water rights it affects have been a point of contention between the two countries.
Chaos ransomware group declares for Russia.
Conti did so back in February, while the LockBit crew has tried to remain neutral ("apolitical"). Now another ransomware gang, the operators of Chaos, has declared for Russia, Fortinet researchers report. It's customary for ransomware to include a message that normally demands a ransom and tells the victims how they can recover their files (after paying). There's none of that here; this is the message Chaos has been displaying recently: "Stop Ukraine War! F**k Zelensky! Dont go die for f**king clown! You can see the truth here:" with a link that takes the recipient to a Russophone propaganda site, the "Information and Coordination Center.” That page (which leads with the motto "Victory will be ours") explains its purpose in a "Who we are" section. The site's goal appears to be recruitment of hacktivists and influencers:
"Our priorities are:
"In connection with the full-scale information and economic war unfolding against the Russian Federation, the Information Coordination Center ... was created - a group of like-minded people whose main goal is to combat the spread of false information about the activities of the Russian Federation and the Russian Armed Forces.
"1. Blocking channels on Telegram, VK
"2. Blocking propaganda sites that disseminate false information
"3. Investigating violations of rights and civil rights and freedoms
"Current Targeting Guidelines
"In order to participate and contribute to the information confrontation, please see the Toolkit section, where you can learn how to work most effectively in each area.
"If you know of a fake news channel or website which is spreading false information, defaming Russia, or violating human rights and it is not on our list, please contact us."
It includes a list of resources "currently being coordinated," and it offers other items like names of Ukrainian soldiers killed in action, and the names of alleged Ukrainian war criminals.
Chaos, while it's a ransomware builder in the C2C market, clearly isn't a conventional ransomware gang. Fortinet concludes:
"The Chaos ransomware variant that this blog covers is unique in the sense that the attacker has no intention of providing a decryption tool or file recovery instructions for its victims to recover their affected files. Finding them is a tall order for non-technical victims, which pretty much makes the malware a file destroyer. Clearly, the motive behind this malware is “destruction.” The politically inclined messages also indicate that the attacker is pro-Russian and frustrated with the current situation. And with the Chaos ransomware builder now readily available, its options allow anyone to create destructive malware. And with no end to the war in sight, FortiGuard Labs expects more malware like this to emerge."
CISA and its international partners urge following best practices to prevent threat actors from gaining initial access.
The US Cybersecurity and Infrastructure Security Agency (CISA) and its partners in Canada, the Netherlands, New Zealand, and the United Kingdom earlier this week issued Alert (AA22-137A) "Weak Security Controls and Practices Routinely Exploited for Initial Access." The Alert describes "common weak security controls, poor configurations, and poor security practices" that are used for initial access, and it recommends particular attention to seven best practices.
- "Control access.
- "Harden Credentials.
- "Establish centralized log management.
- "Use antivirus solutions.
- "Employ detection tools.
- "Operate services exposed on internet-accessible hosts with secure configurations.
- "Keep software updated."
F5 BIG-IP vulnerabilities undergoing active exploitation.
On Wednesday, CISA issued Alert (AA22-138A) "Threat Actors Exploiting F5 BIG-IP CVE-2022-1388," which warned that the flaw was being exploited in the wild, and advised users to either upgrade F5 BIG-IP software to patched and supported versions, or, should that not be immediately feasible, to implement the three temporary mitigations F5 has provided:
- "Block iControl REST access through the self IP address,"
- "Block iControl REST access through the management interface," and
- "Modify the BIG-IP httpd configuration."
Fraudulent liquidity mining.
Sophos describes the way the threat of fraudulent liquidity mining is shaping up in decentralized finance systems. "Legitimate liquidity mining exists to make it possible for decentralized finance (DeFi) networks to automatically process digital currency trades," Sophos explains, and criminals are using social engineering to abuse such systems to defraud cryptocurrency investors of their holdings.
More loosely regulated than conventional cryptocurrency exchanges, which use market makers and seek to ensure that sufficient reserves are on hand to back trades, DeFi exchanges use Automated Market Makers (AMMs). Sophos explains that "Smart contracts built into the DeFi network have to rapidly determine the relative value of the currencies being exchanged and execute the trade. Since there is no centralized pool of crypto for these distributed exchanges to pull from to complete trades, they rely on crowdsourcing to provide the pool of cryptocurrency capital required to complete a trade—a liquidity pool." Liquidity pool tokens ("LP tokens") are used to represent the portion of the liquidity pool an investor contributed. But unethical DeFi operators can cancel the tokens (or simply not create a pool to back them in the first place), and this, Sophos observes, offers "ample opportunity for digital Ponzi schemes, fraudulent tokens, and flat-out theft."
"Space Pirates" interested in Russia's aerospace sector.
Security Affairs reports that a cyberespionage group, “Space Pirates,” is targeting the Russian aerospace industry. Active since at least 2017, the group is believed to be associated with China-linked APT groups, including APT41 (Winnti), Mustang Panda, and APT27. Positive Technologies discovered the attacks in 2019 targeting a Russian aerospace enterprise. They've seen the malware reappear in 2020 against Russian government organizations, and again in 2021 against another Russian enterprise. Positive Technologies stops short of directly attributing the activity to Beijing, but circumstantial evidence points in that direction.
Check Point has also observed the activity, and they're not reticent about either attribution or identifying victims. A report Thursday "details a targeted campaign that has been using sanctions-related baits to attack Russian defense institutes, part of the Rostec Corporation. The investigation shows that this campaign is part of a larger Chinese espionage operation that has been ongoing against Russian-related entities for several months. CPR researchers estimate with high confidence that the campaign has been carried out by an experienced and sophisticated Chinese nation-state APT. In the below blog, the researchers reveal the tactics and techniques used by the threat actors and provide a technical analysis of the observed malicious stages and payloads, including previously unknown loaders and backdoors with multiple advanced evasion and anti-analysis techniques." They think the activity bears significant similarities to earlier campaigns by Twisted Panda.
Lazarus Group undertakes new SolarWinds exploitation.
North Korea’s Lazarus Group is exploiting the Log4j vulnerability to target unpatched VMware Horizon Apache Tomcat servers, BleepingComputer reports. Researchers at ASEC observed the attacks last month, saying the attackers are deploying either the NukeSped backdoor or the Jin Miner cryptominer on the compromised servers. In the cases where NukeSped was used, the goal of the attack was assessed to be information gathering.
CMS vulnerabilities disclosed and patched.
Crypters in the C2C market.
IBM X-Force researchers have analyzed thirteen crypters created by cybercriminal group ITG23 that have been used with malware by ITG23 and its third-party distributors. Crypters are applications that encrypt and obscure malware so that it isn’t detected by antivirus software and malware analysts. One crypter has seen repeated use with the Qakbot banking Trojan, with one notable appearance with the Gozi banking Trojan. X-Force found evidence that ITG23 had been scaling up their crypter efforts by mid-2021, with some used by Emotet and IcedID malware, which suggests a possible link between ITG23 and Emotet and IcedID operators.
Nikkei Asia discloses ransomware attack.
BleepingComputer reports that media giant Nikkei’s Singapore headquarters fell victim to a ransomware attack on May 13. Nikkei disclosed that it had detected unauthorized server access on May 13. The company said it "immediately shut down the affected server and took other measures to minimize the impact." The company is investigating whether customer data were compromised, but says there’s so far no evidence of data loss.
VMware addressed issues in several of its products: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. That these are more significant than the ordinary run of patches may be seen by the way the US Cybersecurity and Infrastructure Security Agency (CISA) has discussed them. Alert (AA22-138B), "Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control" warns that "malicious cyber actors, likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination." The Alert adds, "CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. In response, CISA has released, Emergency Directive (ED) 22-03 Mitigate VMware Vulnerabilities, which requires emergency action from Federal Civilian Executive Branch agencies to either immediately implement the updates in VMware Security Advisory VMSA-2022-0014 or remove the affected software from their network until the updates can be applied." US Federal civilian agencies have until next Monday to identify and remediate the issues, and they're required to report completion no later than Tuesday.
Apple has issued fixes for multiple products, and the US Cybersecurity and Infrastructure Security Agency (CISA) urges users and admins to review the patches and "apply the necessary updates:" watchOS 8.6, tvOS 15.3, macOS Catalina, macOS Big Sur 11.6.6, macOS Monterey 12.4, iOS 15.5 and iPad OS 15.5, and Xcode 13.4.
CISA has also added two new entries to its Known Exploited Vulnerabilities Catalog, one for a code injection issue in the Spring Cloud Gateway library and the other for a command injection problem in Zyxel firmware for business firewalls and VPN devices. The Record summarizes the scope of the Zyxel vulnerabilities, and quotes expert opinion to the effect that small and medium businesses are likely to be particularly affected.
Finally, CISA issued an industrial control system (ICS) advisory for Circutor COMPACT DC-S BASIC, as well as an industrial control system advisory affecting Mitsubishi Electric MELSEC iQ-F Series.
Crime and punishment.
The US Department of Justice reported Wednesday that it has recovered just over $15 million taken in an international fraud scheme. The Record by Recorded Future reports that the scheme, “3ve” or “Eve,” used a botnet of infected computers that the actors remotely accessed, utilizing hidden browsers to falsify web traffic to sites involved in order to fraudulently bring in advertising payments from December 2015 through October 2018. The scheme was concocted by Sergey Ovsyannikov, Yevgeniy Timchenko, and Aleksandr Isaev. Ovsyannikov and Timchenko, both Kazakh citizens, were arrested in 2018 and pleaded guilty in 2019. Isaev, a Russian citizen, is still at large.
Policies, procurements, and agency equities.
Reuters reports that Canada will join the other members of the Five Eyes in banning Huawei from its 5G infrastructure. "We intend to exclude Huawei and ZTE from our 5G networks," Industry Minister Francois-Philippe Champagne said. "Providers who already have this equipment installed will be required to cease its use and remove it under the plans we're announcing today."
The US Department of Justice announced Thursday that it has revised its policy in reference to charging violations of the Computer Fraud and Abuse Act (CFAA). The DOJ won’t charge ethical hackers acting in good faith, stating that “Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”