At a glance.
- Atlassian patches Confluence critical vulnerability.
- LockBit claims to have hit Mandiant, but their claim looks baseless.
- Effects of ransomware on businesses.
- Update on the cyber phase of a hybrid war: DDoS as a weapon.
- US officials continue to rate the threat of Russian cyberattack as high.
- Joint CISA/FBI warning of Chinese cyberespionage.
- Phishing for cryptocurrency.
- FakeCrack delivers a malicious payload to the unwary.
- Vacations are back. So is travel-themed phishbait.
- Emotet returns, in the company of some old familiar criminal collaborators.
- Another hacked broadcast, this time a Russian news program.
- Hunting forward as an exercise in threat intelligence collection and sharing.
- "Unpatchable" vulnerability in Apple chips reported.
- SentinelOne finds a Chinese APT that's been operating, quietly, for a decade.
- US NSA, FBI warn of nation-state cyber threats.
- Vice Society claims responsibility for Palermo cyberattack.
Atlassian patches Confluence critical vulnerability.
As promised, Atlassian released a patch for the Confluence vulnerability last Friday. Atlassian's tools are widely used: the Record estimates that more than 200,000 enterprises use the company's products. The US Cybersecurity and Infrastructure Security Agency (CISA) had on Thursday required all the US Federal agencies whose security it oversees to mitigate the risk of compromise immediately by disconnecting affected versions of Confluence from the Internet. On Friday it updated that direction: "per BOD 22-01 Catalog of Known Exploited Vulnerabilities, federal agencies are required to immediately block all internet traffic to and from Atlassian’s Confluence Server and Data Center products AND either apply the software update to all affected instances OR remove the affected products by 5 pm ET on Monday, June 6, 2022."
LockBit claims to have hit Mandiant, but their claim looks baseless.
The LockBit 2.0 gang claims to have successfully hit Mandiant, but, CyberScoop and BleepingComputer both report, there seems to be nothing to those claims. Mandiant has seen no evidence of any successful attack, and the purported evidence LockBit has been woofing seems to have been culled from earlier hits unrelated to Mandiant. Mandiant suggests an explanation for the imposture: "Based on the data that has been released, there are no indications that Mandiant data has been disclosed but rather the actor appears to be trying to disprove Mandiant's June 2nd, 2022 research blog on UNC2165 and LockBit." LockBit was especially exercised by Mandiant's association of the ransomware-as-a-service gang with Evil Corp, and by its suggestion that they operated in the interest of the Russian government. They're apolitical, says LockBit, and they've got affiliates all over the world.
Effects of ransomware on businesses.
Cybereason has released the results of a study detailing the effects of ransomware on businesses. It found that 73% of respondents had been the target of a ransomware attack in the last two years, up from 55% in 2021. It also found that paying the ransom didn’t make for better outcomes: 80% of respondents who paid reported that they were hit by a second attack. More than two-thirds of those surveyed reported combined losses of between $1 million and $10 million, and some organizations reported significant boosts in their security programs and budgets as a result.
Palo Alto Networks' Unit 42 has also been looking at trends in ransomware. They see an increase in ransom payments. "The average ransomware payment in cases worked by Unit 42 incident responders rose to $925,162 during the first five months of 2022, approaching the unprecedented $1 million mark as they rose 71% from last year." And, as Cybereason also found, the damage extends beyond the direct cost of any ransom payment. "That’s before additional costs incurred by victims including remediation expenses, downtime, reputational harm and other damages."
Update on the cyber phase of a hybrid war: DDoS as a weapon.
Distributed denial-of-service (DDoS) attacks have become a defining feature of Russian cyber operations in its war against Ukraine. Search Security, quoting research by NetBlocks, notes that DDoS attacks have affected connectivity in Ukrainian cities (notably Kyiv, Luhansk and Mariupol), and have also spilled into countries sympathetic to Ukraine. Operators sympathetic to Ukraine (independent hacktivists, in the account Ukraine's SSSCIP Deputy Director Victor Zhora offered yesterday) have also conducted DDoS operations against targets in Belarus and Russia. In these operations the preferred targets have been media outlets. DDoS has been a nuisance-level threat, and not a decisive or even significant weapon.
US officials continue to rate the threat of Russian cyberattack as high.
US cybersecurity officials, speaking at the RSA Conference in San Francisco, urged businesses not to grow complacent about the continuing threat of cyberattack. The Wall Street Journal quotes CISA's Jen Easterly: “I don’t think we are out of the woods in terms of a threat at this point in time. We’re only 100 days into this war,” she said. “We know that it’s part of the Russian playbook to use malicious cyber activity, whether it’s through a state-sponsored entity, whether it’s through criminally aligned groups. Given the kinetic nature of the fighting, the brutality and the atrocities, there has been a lot of focus on that aspect of it, but there has also been a huge amount of cyber activity from the Russians against Ukraine." NSA's cybersecurity director Rob Joyce concurred: “What I can say is, from intelligence, the threat was and is real. The Russians have a capability that we need to be cautious about, and they are at a decision point of if or when they choose to apply that." An op-ed by Easterly and National Cyber Director Chris Inglis published this week in CyberScoop also emphasized the continuing threat of Russian cyber operations.
Russia, for its part, sees aggression in cyberspace as largely an American phenomenon. A Washington Post analysis summarizes recent statements from Moscow warning that the US must face the consequences if it continues what the Kremlin characterizes as a cyber campaign against Russia. “We do not recommend that the United States provoke Russia into retaliatory measures," Foreign Ministry cyber lead Andrei Krutskikh said. "A rebuff will certainly follow. It will be firm and resolute. However, the outcome of this ‘mess’ could be catastrophic, because there will be no winners in a direct cyber clash of states.”
Joint CISA/FBI warning of Chinese cyberespionage.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI on Tuesday provided an overview of ongoing Chinese cyberespionage activity against US targets in Alert AA22-158A. Beijing's threat actors, the alert says, "continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure." Their typical approach is to compromise unpatched network devices, especially Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices. Compromised SOHO routers and NAS devices can then serve as "additional access points to route command and control (C2) traffic and act as midpoints to conduct network intrusions on other entities." The threat actors' initial targets are commonly telecommunications or network service providers, where they use the RouterSploit and RouterScan open-source frameworks to identify vulnerable devices. From there they look for "critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting," obtain the appropriate credentials, and proceed to operate as if they were authorized users. The Alert recommends fourteen practices organizations should follow to render themselves harder targets, and the first of those is patching.
“This work is building the foundation that they can do all of their objectives,” NSA's Rob Joyce told the Record, as he characterized the Chinese activity. “This is their plumbing.” A podcast version of the alert may be found here.
Phishing for cryptocurrency.
Proofpoint published a study of criminal attempts against cryptocurrency holdings on Thursday morning. They divide the operations into three categories:
- "Cryptocurrency Credential Harvesting"
- "Cryptocurrency Transfer Solicitation"
- "Commodity Stealers that target Cryptocurrency Values"
As is so often the case, the tools for this kind of cybercrime are traded in the underworld's criminal-to-criminal markets. Phishing kits, "pre-packaged sets of files that contain all the code, graphics, and configuration files to be deployed to make a credential capture web page," are popular offerings.
FakeCrack delivers a malicious payload to the unwary.
FakeCrack, a criminal operation that distributes malware to its victims' devices, works by offering a shady come-on: "free, cracked software." Avast explains that the campaign is designed to compromise and steal two classes of sensitive data: personal information and cryptocurrency holdings. It's another reason to avoid grey market software.
Vacations are back. So is travel-themed phishbait.
Bitdefender reports that travel-themed spam has been hitting users since March 2022, primarily targeting the United States, Ireland, India, and the United Kingdom. The spam arrives as ads and phishing emails, with the emails using buzzwords related to summer vacation and the names of many well-known airlines. The researchers also found malicious domains and URLs in play, used to trick victims into downloading malicious files posing as invoices and credit card transaction records. The phishbait is topical. Not only is the summer travel season upon us, but the pandemic has abated enough to render vacation travel more feasible than it has been for the last two summers.
Emotet returns, in the company of some old familiar criminal collaborators.
Deep Instinct reported Thursday that Emotet has seen a resurgence in 2022. Emotet reemerged in late 2021 and has seen a 27-fold increase in detections in early 2022. Companies in Japan were targeted in phishing campaigns using Emotet in February and March of this year, and more regions were targeted in April and May, including Italy and the United States. The Trickbot gang has been observed helping to deploy Emotet to already-infected devices, which then download the new variants of the malware. "The threat actors behind Emotet have been credited as one of the first criminal groups to provide Malware-as-a-Service (MaaS)," Deep Instinct writes. "They successfully utilized their MaaS to create a massive botnet of infected systems and sold access to third parties, an enterprise that proved so effective it was soon being used by criminal entities such as the Ryuk and Conti ransomware gangs. Emotet also has a history of collaborating with Trickbot, famous for their info-stealing trojan, and Qakbot, another well-known banking trojan."
Another hacked broadcast, this time a Russian news program.
This one is apparently the work of pro-Ukrainian hacktivists. BBC reporter Francis Scarr tweeted that a news broadcast carried by the Russian radio station Kommersant FM was interrupted to play the Ukrainian patriotic song “Oh, the Red Viburnum in the Meadow." The Washington Post adds that the feed was also interrupted with an anti-war song, "We Don't Need War" by the Russian rockers (and parodists) Nogu Svelo (that is, "Leg Cramp"). The station, owned by sanctioned oligarch Alisher Usmanov, has resumed normal operations and said it was investigating the incident.
Hunting forward as an exercise in threat intelligence collection and sharing.
Sky News, following up its interview with US Cyber Command's General Nakasone, concentrates on a discussion of what "hunt forward" means in the context of cyber conflict. It involves collecting threat intelligence in friendly, cooperating networks, finding malware samples and other evidence of hostile activity, and sharing that intelligence to "inoculate" friendly networks against such attacks. General Nakasone said, "This ability for us to work at the behest of a foreign government to go and hunt with them on their networks, then releasing the information. We have released over 90 different malware samples to a series of private sector cybersecurity firms. What does that do? It provides inoculation for all of us that operate in the domain. And I think that's an example of where this public-private partnership [is] so important."
General Nakasone also credited Ukraine with considerable resilience in cyberspace. "One of the things that we certainly learned is the importance that the Ukrainians have placed on having a resilient network. Of all that's said in terms of what's gone on in this conflict, one of the things that I think is sometimes missed is that the Ukrainians have maintained their internet and being able to communicate, and this is a great tribute to them."
"Unpatchable" vulnerability in Apple chips reported.
MIT researchers, TechCrunch reports, have found a hardware flaw in Apple's M1 chips. The researchers found that pointer authentication codes (PAC), a hardware security measure that protects against code injection and buffer overflow attacks, can be bypassed in an exploit the researchers inevitably call "PACMAN." PACMAN combines memory corruption and speculative execution to guess PAC values. There's a finite number of possible PAC values, which makes it possible in principle to brute force them. But PACMAN also depends upon other exploits against which the M1 is protected, and so it may not be as serious as it sounds. That appears to be Apple's view. TechCrunch quotes the company's statement: "Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own.”
SentinelOne finds a Chinese APT that's been operating, quietly, for a decade.
Researchers at SentinelOne have identified a Chinese cyberespionage threat group they're calling "Aoqin Dragon" that's been unobtrusively at work for the past decade. It's assessed as a small group that's been heavily active against Australian and Southeast Asian targets, mostly government, telecommunications, and educational organizations. The threat actor has used a variety of techniques to obtain access to its targets since 2013, including "document exploits and the use of fake removable devices." Aoqin Dragon has also used "DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection." One hallmark of the group's social engineering has been heavy use of pornographic phishbait. SentinelOne thinks there's a good chance that Aoqin Dragon has some association with the group Mandiant calls "UNC94."
US NSA, FBI warn of nation-state cyber threats.
Speaking at the RSA Conference, NSA cybersecurity director Rob Joyce reiterated and updated warnings of the threat posed by both Russian and Chinese state-directed cyber threat actors. Infosecurity Magazine says that Joyce paid particular attention to the wiper malware Russia deployed against Ukraine before and during its invasion. He also noted that Chinese cyberespionage had grown in aggressiveness and rapacity. Joyce has long warned of the threat Moscow and Beijing pose in cyberspace. He sees the Russian threat as immediate and acute, the Chinese threat as a long-term problem. At an earlier RSA Conference he compared Russian cyber operations to a hurricane, Chinese cyber ops to climate change.
The FBI added its own warnings of the cyber threat from China to the conference. The Record quotes Elvis Chan, assistant special agent in charge at the bureau’s San Francisco field office, as saying, "We’ve actually seen — here in the San Francisco area — an uptick in reconnaissance from Chinese advanced persistent threat actors, specifically.” The Chinese operators are particularly interested in industrial espionage. “They’re still looking to steal as much intellectual property as they can.”
Vice Society claims responsibility for Palermo cyberattack.
BleepingComputer reports that the Vice Society ransomware group has claimed responsibility for the cyberattack on Palermo. City services, websites, and all internet-related services remain unavailable in the Italian municipality, affecting over a million people. The group has threatened to publish all stolen documents if a ransom isn’t paid by Sunday.
Patch news.
Last week, CISA released an advisory on a voting system, specifically Dominion Voting Systems ImageCast X. "CISA recommends election officials continue to take and further enhance defensive measures to reduce the risk of exploitation of these vulnerabilities." The advisory includes thirteen specific steps CISA urges election officials to follow should they plan to use the Dominion system.
CISA has issued industrial control system security advisories for Mitsubishi Electric MELSEC and MELIPC Series (Update B) and Mitsubishi Electric Air Conditioning Systems.
Crime and punishment.
Three suspects were arrested in Lagos for attempting cyberattacks on 10 banks in the state, Punch reports. Spokesperson Eyitayo Johnson for the Police Special Fraud Unit in Lagos said that the suspects were attempting to recruit a bank worker to help them commit the crimes, with the intent to withdraw large amounts of money. Punch quotes him as saying, “The arrested members of the syndicate include Kehinde Oladimeji, 52, the mastermind; Olanrewaju Adeshina, 47; and Kolapo Abiodun, 42. Kolapo Abiodun is an ex-staff of the bank attached to the infotech department. He contacted and attempted to recruit a current worker of the bank’s infotech department with an offer of N200m and a visa out of Nigeria.” A fourth suspect, Chibuzor Holland, flew into the country with the intent of helping commit the attacks, but escaped before capture.
Courts and torts.
A warrant has been filed by US authorities to seize two planes owned by Roman Abramovich, a Russian oligarch. The warrant identifies the aircraft, a Boeing 787 Dreamliner and a Gulfstream jet, as US-manufactured, and claims that as such they are subject to sanctions. The Wall Street Journal reports that a Justice Department official said, “Those vessels are not today taken into U.S. custody, but they are now publicly known as wanted property, as tainted assets subject to forfeiture and under active pursuit.”
Policies, procurements, and agency equities.
Canada's Public Safety Minister Marco Mendicino told the House of Commons public safety committee yesterday to expect Russian cyberattacks at the Federal, provincial, and local levels. “I cannot emphasize enough how important it is that, in the current geopolitical environment in which we find ourselves, that we are very much on high alert for potential attacks from hostile state actors like Russia,” Global News quotes him as saying. The Public Safety Minister also noted that the private sector was equally at risk.
Montréal-based defense contractor CMC Electronics, Global News reported in another article, came under attack by a Russophone ransomware group in May. The attackers were probably affiliated with the ALPHV/BlackCat ransomware-as-a-service operation. Canada has been a consistent, strong supporter of Ukraine against Russia's war. Canada is the world center of the Ukrainian diaspora: more people of Ukrainian origin live in Canada than in any other country except Ukraine itself and Russia.