At a glance.
- Cyber phases of Russia's hybrid war.
- Microsoft shuts down Tehran-directed threat actor.
- CISA and its partners warn about the Karakurt extortion group.
- Clipminer is out in the wild.
- Microsoft issues mitigations for Follina zero-day.
- Notes from the underworld.
- Costa Rica's healthcare system comes under renewed ransomware attack.
- US FBI attributes last year's attack on Boston Children's Hospital to Iran.
- Charity fraud exploits sympathy for Ukraine.
- Elasticsearch databases hit by extortionists.
Cyber phases of Russia's hybrid war.
While the crippling Russian cyberattacks against infrastructure that were widely feared haven't materialized, the US Justice Department remains focused on the cyber threat from Russia. "At DOJ, we’re particularly focused right now on the cyberthreat from Russia," the Voice of America quotes Matthew Olsen, head of the Justice Department's National Security Division. "And we are bracing for the possibility of more attacks." A great deal of the Russian combat load in cyberspace is being carried by Moscow-aligned (and tolerated, and enabled) cybercriminal gangs, especially extortionists.
The Western private sector has also made contributions to defense against Russia's threat to Eastern and Central Europe. Google today published an overview of the steps it's taken to help improve security in the region. The company's announcement expresses gratitude for the peace prize it received from Ukraine's government at Davos, and then discusses its activity elsewhere: "To build on our efforts, we are expanding our cybersecurity partnerships and investment in Central and Eastern Europe. Last month, a delegation of our top security engineers and leaders met with organizations and individuals in Czechia, Poland, Lithuania and Latvia - they trained high risk groups, distributed security keys, engaged in technical discussions with government experts, and supported local businesses in shoring up their defenses."
In addition to the intelligence reporting by Google's Threat Analysis Group, the company has also provided direct security support to individuals and organizations at particular risk:
"To help address these threats, our high-risk user team conducted workshops throughout the region for dozens of non-governmental organizations (NGOs), publishers and journalists, including groups and individuals sanctioned by the Kremlin. We distributed around 1,000 security keys - the strongest form of authentication - and trained over 30 high risk user groups on account security. We also launched, in collaboration with Jigsaw, the Protect Your Democracy Toolkit, which provides free tools and expertise to democratic institutions and civil society.
"We heard directly from high-risk organizations like the Casimir Pulaski Foundation, the International Center for Ukrainian Victory, NGOs supporting refugees and exiled activists, and leading publishers across Europe who told us just how critical Google's no-cost security tools, like the Advanced Protection Program and Project Shield, are to keeping them safe online. We are grateful for their valuable insights to inform future product development."
Tehran-sponsored cyber ops.
Microsoft announced late Thursday that it had disrupted a cyber operation against Israeli organizations mounted by the Lebanon-based group Redmond tracks as Polonium and associates with Iran’s Ministry of Intelligence and Security. The campaign targeted OneDrive users, and Microsoft says it "suspended more than 20 malicious OneDrive applications created by Polonium actors, notified affected organizations, and deployed a series of security intelligence updates that will quarantine tools developed by Polonium operators."
CISA and its partners warn about the Karakurt extortion group.
CISA, the Federal Bureau of Investigation (FBI), the Department of Treasury, and the Financial Crimes Enforcement Network (FinCEN) have released a joint Cybersecurity Advisory (CSA) on the Karakurt data extortion group, a gang that extorts its victims by threatening to dox them with stolen information. Karakurt is opportunistic, and gives no appearance of favoring any particular sectors as it selects its victims. The gang is also a player in the C2C market, where it either purchases stolen login credentials, relies on the cooperation of criminal partners who've already compromised victims, or buys access from third-party intrusion broker networks. The data compromises Karakurt uses to threaten its victims are sometimes genuine, but often smoke-and-mirrors, sometimes recycling data from old, known compromises. The payments Karakurt demands can be as high as $13 million, the Record reports. CISA and its partners advise against paying the ransom. Apart from the general good sense of avoiding feeding a bandit economy, in this case CISA thinks Karakurt isn't close to being as good as its word: the gang seems to hang onto the information it steals, and doesn't destroy the data as it promises.
Clipminer is out in the wild.
Symantec’s Threat Hunter Team, a part of Broadcom Software, has released a blog post detailing their discovery of a cybercriminal operation utilizing malware tracked as Trojan.Clipminer. The threat actors behind this operation have made an illicit profit of at least $1.7 million from the use of this malware in cryptocurrency mining and theft via clipboard hijacking. The malware is believed to spread through Trojanized downloads of cracked or pirated software. Researchers suggest that Clipminer may be a copycat or evolution of another crypto-mining Trojan called KryptoCibule, as there are many similarities between the two.
Microsoft issues mitigations for Follina zero-day.
Malwarebytes researchers describe a zero-day vulnerability that could allow attackers to achieve remote-code execution in Windows systems. Exploitation of "Follina," as the researchers call the bug, "circumvents Microsoft’s Protected View and anti-malware detection. The attack vector uses the Word remote template feature to retrieve an HTML file from a remote webserver. It goes on to use the ms-msdt protocol URI scheme to load some code, and then execute some PowerShell." Microsoft addressed the issue this week. "On Monday May 30, 2022," Malwarebytes says, "Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability. The workaround offered by Microsoft consists of an alternative method to unregister the MSDT URL Protocol."
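The delivery mechanism described above leaves a structural trace in the document itself: a relationship inside the .docx package that points at an external part over HTTP, and, in the HTML it fetches, the ms-msdt: scheme. The following scanner is an added example, not code from the article, from Malwarebytes or from Microsoft; it checks an Office Open XML package for both signals. The sample document it builds is constructed in memory and the URL in it is a placeholder, not an indicator from the campaign.

```python
"""Scan a .docx package for a relationship that pulls an external part over HTTP
(the remote-template mechanism) and for any occurrence of the ms-msdt: URI scheme.

Added example, not code from the article, Malwarebytes or Microsoft. The sample
document is constructed in memory and the URL in it is a placeholder.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship kinds that make Word fetch and act on a remote part (plain
# hyperlinks are deliberately excluded; they are common in clean documents).
FETCHING_TYPES = {"attachedTemplate", "oleObject", "frame"}
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def external_relationships(docx_bytes: bytes) -> List[Dict[str, str]]:
    """List every relationship in any .rels part marked TargetMode="External"."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() != "external":
                    continue
                found.append({
                    "part": name,
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": rel.get("Target", ""),
                })
    return found


def scan_docx(docx_bytes: bytes) -> Dict[str, object]:
    """Return the remote-fetching links, the parts mentioning ms-msdt:, and a verdict."""
    remote = [
        r for r in external_relationships(docx_bytes)
        if r["type"] in FETCHING_TYPES
        and r["target"].lower().startswith(("http://", "https://"))
    ]
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        msdt_parts = [n for n in zf.namelist() if MSDT_RE.search(zf.read(n))]
    return {
        "remote_links": remote,
        "msdt_parts": msdt_parts,
        "suspicious": bool(remote) or bool(msdt_parts),
    }


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Constructed minimal package with only the parts the scanner reads. With
    template_url set, settings.xml.rels carries an external attachedTemplate."""
    settings_rels = [
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
        f'<Relationships xmlns="{RELS_NS}">',
    ]
    if template_url:
        settings_rels.append(
            f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
            f'Target="{template_url}" TargetMode="External"/>'
        )
    settings_rels.append("</Relationships>")
    document_rels = (
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        zf.writestr("word/_rels/document.xml.rels", document_rels)
        zf.writestr("word/_rels/settings.xml.rels", "\n".join(settings_rels))
    return buf.getvalue()


if __name__ == "__main__":
    clean = scan_docx(build_sample_docx(None))
    remote = scan_docx(build_sample_docx("http://template.example.invalid/t.html"))
    print("clean:", clean["suspicious"], "remote template:", remote["suspicious"])
```

A mail gateway or sandbox can run scan_docx over attachments before they reach a user; a document that carries a remote-fetching relationship deserves quarantine regardless of whether the fetched HTML is still online to be inspected, which is why the structural check is kept separate from the ms-msdt: string match.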
Notes from the underworld.
NCC Group has been tracking the return of CL0P ransomware, which last month emerged from its temporary occultation to hit twenty-one targets. "The most targeted sector for CL0P was industrials," NCC Group noted, "which made up 45% of CL0P’s attacks, followed by technology with 27%." This is roughly along the lines of the target selection NCC Group observed on the part of Conti and Lockbit, although CL0P is a bit more interested in the tech sector than are its criminal competitors. BleepingComputer reports that CL0P exploited Accellion's legacy File Transfer Appliance (FTA) to exfiltrate large quantities of data from the companies it victimized.
Mandiant researchers on Thursday described efforts by criminal gangs, for the most part Russophone gangs, and notably Evil Corp, to rebrand themselves in an effort to evade sanctions imposed by the US Government. The Wall Street Journal explains that US sanctions have made it more difficult for victims to pay ransom without themselves violating the law, and the gangland hope is that rebranding will amount to sufficient misdirection to keep the ransom payments flowing.
And Eclypsium researchers have an account of an attempt by Conti operators to develop ways of exploiting the firmware of Intel processors. "In addition to classical attacks that target UEFI/BIOS directly, attackers are now targeting the Intel Management Engine (ME) or Intel Converged Security Management Engine (CSME). ME is a physical microcontroller that is part of the chipset of modern Intel-based systems. It supports a variety of capabilities such as out-of-band management." Eclypsium found evidence of the attempt as it sifted through Conti chatter obtained and leaked early in Russia's war against Ukraine by disaffected Ukrainian collaborators with the cybergang.
Costa Rica's healthcare system comes under renewed ransomware attack.
Costa Rica, continuing to struggle with its recovery from a ransomware attack by Conti, has now seen its healthcare system subjected to cyberattack. Reuters reports that the Costa Rican Social Security Fund (CCSS), the country's public health agency, has been forced to shut down its digital record-keeping system. This has affected about 1200 hospitals and clinics, with possible consequences for thousands of patients. At the time Reuters filed, no group had claimed responsibility for the incident, but since then BleepingComputer has reported that the Hive ransomware operators were behind the attack.
It has generally been thought that Conti's earlier attacks against Costa Rican targets represented a kind of misdirection intended to cover the group's reorganization and rebranding, and to afford it an opportunity, KrebsOnSecurity noted, to figure out how better to evade the sanctions that were interfering with its receipts. And indeed the gang's calls for insurrection were unusual. Conti does indeed seem to be connected with Hive, and with a range of other groups as well. In BleepingComputer's account, "While Conti is now slowly shutting down operations, it has partnered with numerous well-known ransomware operations, including Hive and HelloKitty, AvosLocker, BlackCat, BlackByte, and others. Its members have now splintered into smaller semi-autonomous and autonomous groups that have infiltrated the other RaaS groups. They've also created independent groups focused on data exfiltration and not data encryption (e.g., Karakurt, BlackByte, and the Bazarcall collective)."
US FBI attributes last year's attack on Boston Children's Hospital to Iran.
CNN reports that FBI Director Wray has publicly attributed a cyberattack on Boston Children's Hospital to a threat actor run by the Iranian government. It was, he said, “one of the most despicable cyberattacks I’ve ever seen,” and he used the occasion to point out that the attack, which was for the most part unsuccessful, should serve as a reminder that the Russian government isn't the only bad actor in cyberspace. Moscow, Tehran, Beijing, and Pyongyang are the familiar four regimes given to hostile action in cyberspace. That said, Director Wray emphasized that the FBI is currently most concerned about Russia. Since the Russian invasion of Ukraine, the Bureau has operated at "combat tempo," he said. “When it comes to Russia today, we’re focused on acting as early – as far ‘left of boom,’ as they say – as we can. We’re watching for their cyber activities to become more destructive as the war keeps going poorly for them.”
Charity fraud exploits sympathy for Ukraine.
International conflict can be exploited by ordinary, financially motivated criminals, and that appears to be happening with respect to Russia's war against Ukraine. The US FBI warns that scammers are trading on widespread sympathy for Ukraine as they frame their come-ons to prospective victims. "Criminal actors are taking advantage of the crisis in Ukraine by posing as Ukrainian entities needing humanitarian aid or developing fundraising efforts, including monetary and cryptocurrency donations." Unfortunately, this isn't new, as the Bureau points out. "Scammers similarly have used past crises as opportunities to target members of the public with fraudulent donation schemes."
The Bureau would like anyone who's encountered one of these scams to let them know. "Please file a report with the FBI’s Internet Crime Complaint Center at www.ic3.gov. If possible, include the following:
- "Identifying information about the individuals or charity, including name, phone number, address, and email address.
- "Financial transaction information such as the date, type of payment, amount, account numbers involved, the name and address of the receiving financial institution, and receiving cryptocurrency addresses.
- "Describe your interaction with the individual, including how contact was initiated, such as the type of communication, purpose of the request for money, how you were told or instructed to make payment, what information you provided to the criminal actor, and any other details pertinent to your complaint."
Elasticsearch databases hit by extortionists.
The Secureworks Counter Threat Unit reported Wednesday that a threat actor has replaced the data in 1,200 Elasticsearch databases with a ransom note and a contact email address. Researchers found 450 individual ransom requests, and despite the wide span of this campaign, the ransom demands have been fairly low, averaging around $620. The money is payable to one of two Bitcoin wallets, but as of the publication of the report, there were no transactions. Researchers say that while this campaign may be considered “unsuccessful” due to a lack of payments, it shows that the risk to companies and individuals with unsecured infrastructure is high.
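The campaign's signature is that the data is gone and what remains in the index is a note with a wallet and a contact address. The following triage routine is an added example, not Secureworks' own tooling: given a sample of documents per index (for instance the hits of a match_all query), it flags indices in which every remaining document reads like a note and collects the wallet and e-mail indicators for the incident report. The index contents are constructed, and the wallet string and e-mail address are placeholders, not indicators from the campaign.

```python
"""Flag Elasticsearch indices whose remaining contents look like an extortion
note: a contact e-mail plus a cryptocurrency wallet where the data used to be.

Added example, not Secureworks' own tooling. The index contents are
constructed; the wallet string and e-mail address are placeholders.
"""
import re
from typing import Dict, List, Set

# Loose patterns for a legacy or bech32-style Bitcoin address and an e-mail address.
BTC_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,39}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
NOTE_WORDS = ("backed up", "bitcoin", "btc", "ransom", "recover", "contact")


def string_fields(doc: Dict[str, object]) -> str:
    """Concatenate the string-valued fields of a document."""
    return " ".join(v for v in doc.values() if isinstance(v, str))


def looks_like_ransom_note(doc: Dict[str, object]) -> bool:
    """Note-like: wallet and contact address present, plus an extortion keyword."""
    raw = string_fields(doc)
    lowered = raw.lower()
    return (
        BTC_RE.search(raw) is not None
        and EMAIL_RE.search(raw) is not None
        and any(word in lowered for word in NOTE_WORDS)
    )


def wiped_indices(index_docs: Dict[str, List[Dict[str, object]]]) -> List[str]:
    """Indices in which every sampled document is a ransom note, sorted by name.
    An empty sample is left alone: absence of data alone is not evidence."""
    return sorted(
        name for name, docs in index_docs.items()
        if docs and all(looks_like_ransom_note(d) for d in docs)
    )


def extract_indicators(index_docs: Dict[str, List[Dict[str, object]]]) -> Dict[str, Set[str]]:
    """Wallets and contact addresses from the notes, for the incident report."""
    wallets, emails = set(), set()
    for docs in index_docs.values():
        for d in docs:
            if looks_like_ransom_note(d):
                raw = string_fields(d)
                wallets.update(BTC_RE.findall(raw))
                emails.update(EMAIL_RE.findall(raw))
    return {"wallets": wallets, "emails": emails}


# Constructed sample: one intact index and two whose data was replaced by a note.
NOTE_TEXT = (
    "All your data has been backed up. To recover it send 0.01 BTC to "
    "bc1qplaceholder" + "0" * 20 + " and contact recover@example.invalid"
)
SAMPLE_INDEX_DOCS = {
    "orders-2022": [
        {"order_id": 1, "customer": "acme", "status": "shipped"},
        {"order_id": 2, "customer": "globex", "status": "pending"},
    ],
    "customers": [{"message": NOTE_TEXT}],
    "read_me_to_recover": [{"message": NOTE_TEXT}],
}

if __name__ == "__main__":
    print("wiped:", wiped_indices(SAMPLE_INDEX_DOCS))
    print("indicators:", extract_indicators(SAMPLE_INDEX_DOCS))
```

The same check belongs in routine monitoring rather than only in post-incident triage: a cluster reachable from the internet without authentication will typically be found and wiped within days, so an alert on a newly created index whose only document matches this pattern is an early signal that the exposure is already being exploited.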
Patch news.
The US Cybersecurity and Infrastructure Security Agency (CISA) issued seven industrial control system advisories Tuesday. Two of them were for medical systems: BD Pyxis and BD Synapsys. The remaining five are for general industrial controls: Fuji Electric Alpha7 PC Loader, Mitsubishi Electric MELSEC iQ-F Series, Mitsubishi Electric FA Products, Mitsubishi Electric Multiple Products (Update D), and Mitsubishi Electric Factory Automation Engineering Software (Update B). On Thursday CISA also released two industrial control system (ICS) security advisories, covering Carrier LenelS2 HID Mercury access panels and Illumina Local Run Manager.
On Thursday CISA added a Confluence Server and Data Center remote code execution vulnerability (CVE-2022-26134) to its Known Exploited Vulnerabilities Catalog. CISA explains that "versions of Confluence Server and Data Center contain a remote code execution vulnerability that allow[s] for an unauthenticated attacker to perform arbitrary code execution." This one requires immediate action under Binding Operational Directive (BOD) 22-01. CISA has told US Federal Executive Civilian Agencies to "immediately block all internet traffic to and from Atlassian's Confluence Server and Data Center products until an update is available and successfully applied." They have until close-of-business today to do so and report compliance, the shortest deadline we've seen CISA impose under BOD 22-01.
Atlassian, which credits Volexity researchers with finding and reporting the issue, rates the vulnerability as "critical." The company's website last night said, "There are currently no fixed versions of Confluence Server and Data Center available. In the interim, customers should work with their security team to consider the best course of action. Options to consider include:
- "Restricting Confluence Server and Data Center instances from the internet.
- "Disabling Confluence Server and Data Center instances."
This is substantially the same mitigation strategy CISA required the agencies it oversees to adopt. Atlassian said, in an update Friday morning, that a patch would be available by the end of the day.
Crime and punishment.
Recorded Future reports that 37-year-old John Telusma has been sentenced to four years in federal prison for his involvement with the Infraud Organization. The cybercrime cartel is known to have stolen over four million credit and debit card numbers, costing victims over $568 million. The Department of Justice describes Telusma’s involvement as “mass acquisition and sale of fraud-related goods and services, including stolen identities, compromised credit card data, computer malware, and other contraband.”
Courts and torts.
The Wall Street Journal reports that the Supreme Court has blocked a new Texas law regarding free speech on social media. The law in question aims to stop social media outlets from suppressing their users’ speech. Bloomberg Law reports that the emergency request was made by tech industry groups that represent the social media platforms, asking that the law be put on hold while they challenge it in court. While the law was blocked, four justices dissented. Matt Schruers, president of the Computer & Communications Industry Association, one of the groups involved in the case, said that the emergency order “means that private American companies will have an opportunity to be heard in court before they are forced to disseminate vile, abusive or extremist content under this Texas law.”
Policies, procurements, and agency equities.
The commander of US Cyber Command, General Paul Nakasone, told Sky News this week that, “We’ve conducted a series of operations across the full spectrum; offensive, defensive, [and] information operations," and that clearly was not an off-the-cuff remark, or a case of a senior officer thinking with his mouth open: there's been no clarification along the lines of what-the-general-meant-was, still less any retraction. CNN reports that "A spokesperson for the command did not dispute the accuracy of the article but declined to elaborate on what the command’s operations in Ukraine have entailed." A senior US official, speaking anonymously with CNN, said that the US was comfortable letting Moscow know that the US was active against Russian interests in cyberspace. It complicates an already difficult war for Russia, and it introduces considerable uncertainty into Russian planning. They're not sure what the US is capable of or willing to do, and they're uncomfortable with not knowing.