Royal Army accounts hijacked. A hacktivist group claims to have hit Iranian sites. Very large database of PII for sale on the dark web.

At a glance.

• Royal Army accounts hijacked.
• A hacktivist group claims to have hit Iranian sites.
• Very large database of PII for sale on the dark web.
• Rogue employee makes off with bug reports.
• Threats and vulnerabilities surrounding cryptocurrency wallets.
• DPRK using Maui ransomware against healthcare targets.
• Quantum computing and security standards.
• Cyber incidents, risk, and credit.
• FBI and MI-5 warn of Chinese industrial espionage.
• Cozy Bear sighting.
• NPM compromise updates.
• Free decryptors for AstraLocker and Yashma ransomware released.

Royal Army accounts hijacked.

Sunday afternoon the British Ministry of Defence Press Office tweeted a terse announcement that the MoD was aware of a cyber incident: "We are aware of a breach of the Army’s Twitter and YouTube accounts and an investigation is underway. The Army takes information security extremely seriously and is resolving the issue. Until their investigation is complete it would be inappropriate to comment further." The Army's own feed took an apologetic line towards any disappointed followers: "Apologies for the temporary interruption to our feed. We will conduct a full investigation and learn from this incident. Thanks for following us and normal service will now resume." It took the British Army about five hours to wrest back control of its Twitter account, the Telegraph reports.

It's unknown who hijacked the accounts or why, and the MoD isn't saying anything until it understands what happened. The Telegram, quick to suspect the worst of the Russians, asked if the incident was a Russian operation, but the MoD had no comment--as they've said, they're not jumping to conclusions until they know more. Bitdefender notes that many have jumped to the conclusion that the incident must have been the work of a nation-state's espionage services, but it has an alternative explanation, arguably more probable: it was possibly crypto bros working an NFT scam. They note that the hijacked YouTube account featured an NFT come-on with the inevitable bogus Elon Musk attribution.

A hacktivist group claims to have hit Iranian sites.

According to reports last weekend, the group “Ghiam Sarnegouni” ("Uprising till Overthrow," apparently a group of anti-Tehran hacktivists), conducted a large operation against Iran's Islamic Culture and Communication Organization (ICCO). Six sites were hijacked and fifteen others were defaced with pictures of Iranian Resistance leaders Massoud Rajaivi and Maryam Rajavi. Forty-four servers, a large number of endpoints, and at least thirty-five ICCO databases were wiped. Before the systems were wiped, the hacktivists are believed to have obtained ICCO data that include information about money laundering, front groups, and espionage and terrorist networks. The operation is said to have begun in the last week of January.

In an apparent response to recent nominally hacktivist actions, not only those by Uprising till Overthrow, but also operations attributed last week to Predatory Sparrow, Iran Wire reports that Tehran has temporarily suspended Iranians' ability to access bank accounts from abroad. It's a measure whose purpose, the authorities say, is “preventing cyber attacks.”

Very large database of PII for sale on the dark web.

Last Sunday, Binance's threat research team found a very large database of personally identifiable information exposed in the dark web. "Our threat intelligence detected 1 billion resident records for [sale] in the dark web, including name, address, national id, mobile, police and medical records from one Asian country. Likely due to a bug in an Elasticsearch deployment by a gov agency. This has [an] impact on hacker detection/prevention measures, mobile numbers used for account take overs, etc. It is important for all platforms to enhance their security measures in this area. @Binance has already stepped up verifications for users potentially affected."

Binance is reticent about the source of the data, but others say it came from the Shanghai National Police. It's not clear who's obtained the information, but according to Bloomberg the data are being offered for ten bitcoin, roughly $200,000. HackRead reports that the data include the following kinds of information:

• Name
• Address
• Birthplace
• Mobile number
• National ID Number
• All crime and case details

As Binance's tweet suggests, the data exposure appears to be traceable to a misconfiguration, and not a compromise or a breach proper. Reuters put the total number of people affected by the data exposure at about one billion, but this is in any case based on the claims of someone offering the data for sale. Someone using the nom-de-hack "ChinaDan" posted this message to Breach Forums late last week: "In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on Billions of Chinese citizen. Databases contain information on 1 Billion Chinese national residents and several billion case records, including: name, address, birthplace, national ID number, mobile number, all crime/case details. [sic]" Reuters sensibly points out that these claims are so far unverified. The data offered for sale are said to amount in the aggregate to some twenty-three terabytes. It's obviously difficult to confirm the legitimacy of the sample data "China Dan" posted to show that he had the goods, but the Wall Street Journal spot-checked a few of the items by calling some people whose phone numbers appeared in the tease. The Journal found that in that tiny fraction of a billion or so people, the data were indeed genuine. Chinese authorities have issued no statement so far on the incident.

Rogue employee makes off with bug reports.

HackerOne disclosed last Friday that a rogue insider, "a then-employee," as the company puts it, had been improperly accessing the bug-bounty platform's vulnerability disclosures with the aim of collecting "additional bounties" from HackerOne customers. Alerted to the problem by a customer (who reported an implausible disclosure, offered with uncharacteristically threatening language), HackerOne investigated and found that an employee had "improperly accessed security reports for personal gain." The improper access ran from April 4th through June 23rd of this year. HackerOne fired the employee, upgraded its security, and is considering referring the former employee for criminal prosecution.

Threats and vulnerabilities surrounding cryptocurrency wallets.

Vade has observed a phishing scam consisting of a wave of more than 50,000 emails sent from a malicious Zendesk account. In one campaign, the hacker is seen to be impersonating TrustWallet, an ethereum wallet and cryptocurrency wallet store. The email contains the TrustWallet official logo along with a support link, as well as Zendesk’s legitimate footer. The email says that an NFT update requires the wallet to be verified and that inaction will result in account suspension. The link provided says “Verify your wallet,” and is shortened with s.id., which hides the malicious link and provides the phisher with a dashboard of analytics. The page, when opened, displays a 10-second countdown to “open their secure internet environment,” in order to intentionally appear as a legitimate safety precaution, but rather, leads to the malicious site. The victim is then tasked with entering their recovery phrase to unlock the wallet, accepting both 12 and 24-word variations. The phishing email isn’t marred by extensive grammatical errors, as many phishing emails are, but it’s also not perfect.

DPRK using Maui ransomware against healthcare targets.

The US Cybersecurity and Infrastructure agency (CISA), the FBI, and the US Department of the Treasury have issued a joint alert, "North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector," warning of a North Korean ransomware campaign that's been in progress since at least May of 2021. "North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services. In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods." How the threat actor obtained initial access is unclear, but the warning recommends that organizations pay particular attention to the dangers of phishing, and that they train their personnel to recognize it, which suggests that social engineering has played a significant role in the Maui campaign.

Quantum computing and security standards.

The US National Institute of Standards and Technology (NIST), at the end of a six-year competitive search, has announced the four winners in its program to develop "quantum-resistant encryption algorithms." This represents a milestone en route to NIST's publication of standards for post-quantum cryptography, expected in 2024. The algorithms are:

"For general encryption, used when we access secure websites, NIST has selected the CRYSTALS-Kyber algorithm. Among its advantages are comparatively small encryption keys that two parties can exchange easily, as well as its speed of operation. 

"For digital signatures, often used when we need to verify identities during a digital transaction or to sign a document remotely, NIST has selected the three algorithms CRYSTALS-Dilithium, FALCON and SPHINCS+ (read as “Sphincs plus”). Reviewers noted the high efficiency of the first two, and NIST recommends CRYSTALS-Dilithium as the primary algorithm, with FALCON for applications that need smaller signatures than Dilithium can provide. The third, SPHINCS+, is somewhat larger and slower than the other two, but it is valuable as a backup for one chief reason: It is based on a different math approach than all three of NIST’s other selections."

Taking note of NIST's announcement, the US Cybersecurity and Infrastructure Security Agency (CISA) outlines some steps organizations can take now, as they prepare for developments over the next two years:

"Although NIST will not publish the new post-quantum cryptographic standard for use by commercial products until 2024, CISA and NIST strongly recommend organizations start preparing for the transition now by following the Post-Quantum Cryptography Roadmap, which includes:

• "Inventorying your organization’s systems for applications that use public-key cryptography.
• "Testing the new post-quantum cryptographic standard in a lab environment; however, organizations should wait until the official release to implement the new standard in a production environment.
• "Creating a plan for transitioning your organization’s systems to the new cryptographic standard that includes:
• "Performing an interdependence analysis, which should reveal issues that may impact the order of systems transition;
• "Decommissioning old technology that will become unsupported upon publication of the new standard; and
• "Ensuring validation and testing of products that incorporate the new standard.
• "Creating acquisition policies regarding post-quantum cryptography. This process should include:
• "Setting new service levels for the transition.
• "Surveying vendors to determine possible integration into your organization’s roadmap and to identify needed foundational technologies.
• "Alerting your organization’s IT departments and vendors about the upcoming transition.
• "Educating your organization’s workforce about the upcoming transition and providing any applicable training."

Cyber incidents, risk, and credit.

Moody’s Investors Service released a report detailing the credit implications of Conti’s early April ransomware attack on the government of Costa Rica. The attack impacted the government’s two largest revenue streams–income taxes and customs duties, and impacted the international trade and healthcare sectors most heavily. The report notes that this attack provides insights on the government’s strength, saying that while the attacks weren’t prevented, they were handled with effective solutions. Moody’s anticipates the fiscal deficit to remain close to 4.8% GDP, and expects to see GDP growth of 4% in 2022. 

In another report, Moody’s discusses the recent cyberattack on Clarion Housing Group in the United Kingdom, and its implications for housing associations as a whole. On June 23, Clarion reported a cyberattack on their IT systems that impacted IT operations, such as scheduling repairs and maintenance. This attack comes on the heels of a number of other cyberattacks on housing associations in the past few years, and highlights the need for cyber risk mitigation. According to a recent cyber survey conducted by Moody’s, cyber risk remains small in the housing sector, but is growing strongly, with 25% spending growth from 2018 to 2020.

FBI and MI-5 warn of Chinese industrial espionage.

In a joint appearance Wednesday at the London headquarters of MI-5, the British counterintelligence organization, the directors of MI-5 and the US FBI issued an unusually direct and bluntly worded warning about the threat of Chinese industrial espionage, much of it cyberespionage. The effort is extensive, focused, and marked by both close attention to detail and an unusually wide net. “The Chinese government is set on stealing your technology—whatever it is that makes your industry tick—and using it to undercut your business and dominate your market,” FBI Director Wray told an audience the Wall Street Journal described as composed of "business people." “They’re set on using every tool at their disposal to do it.” China disagrees. A representative of Beijing's embassy in Washington, Liu Pengyu, complained of “U.S. politicians who have been tarnishing China’s image and painting China as a threat with false accusations.”

Cozy Bear sighting.

CobaltStrike is often mentioned in dispatches as a penetration testing tool that threat actors often turn to malign use. Other such tools are also susceptible to abuse. Palo Alto Networks' Unit 42 reports that Cozy Bear, generally regarded as a unit of Russia's SVR, is deploying Brute Ratel C4, a pentesting tool in use since December 2020, in a range of cyberespionage campaigns. Unit 42 doesn't formally attribute the campaign to Cozy Bear or even Russia, but it does offer circumstantial evidence that points in that direction:

"This unique sample was packaged in a manner consistent with known APT29 techniques and their recent campaigns, which leveraged well-known cloud storage and online collaboration applications. Specifically, this sample was packaged as a self-contained ISO. Included in the ISO was a Windows shortcut (LNK) file, a malicious payload DLL and a legitimate copy of Microsoft OneDrive Updater. Attempts to execute the benign application from the ISO-mounted folder resulted in the loading of the malicious payload as a dependency through a technique known as DLL search order hijacking. However, while packaging techniques alone are not enough to definitively attribute this sample to APT29, these techniques demonstrate that users of the tool are now applying nation-state tradecraft to deploy BRc4."

The tools used in the campaign are regarded as unusually evasive and difficult to detect.

NPM compromise updates: IconBurst...

Researchers at ReversingLabs detailed their discovery of a widespread supply chain attack against the NPM repository earlier this week, publishing an update on Wednesday. Though the exact scope of the attack wasn't initially clear, researchers say the packages are potentially used by thousands of mobile and desktop applications and websites, and in one instance a malicious package had been downloaded over 17,000 times. ReversingLabs called the campaign "IconBurst." Their conclusion is that IconBurst represents a major software supply chain attack "involving more than two dozen NPM modules used by thousands of downstream applications, as indicated by the package download counts." Application developers should be particularly alert to the problem, which appears to represent an organized, cooperative criminal effort. "Analysis of the modules reveals evidence of coordination, with malicious modules traceable to a small number of NPM publishers, and consistent patterns in supporting infrastructure such as exfiltration domains."

IconBurst "marks a significant escalation in software supply chain attacks," ReversingLabs says. The firm communicated its findings to the NPM security team on July 1st, 2022: "Malicious code bundled within the NPM modules is running within an unknown number of mobile and desktop applications and web pages, harvesting untold amounts of user data. The NPM modules our team identified have been collectively downloaded more than 27,000 times. As very few development organizations have the ability to detect malicious code within open source libraries and modules, the attacks persisted for months before coming to our attention. While a few of the named packages have been removed from NPM, most are still available for download at the time of this report." Developers, ReversingLabs says, should "assess their own exposure" to the threat, and the researchers have provided information that should assist them in doing so.

...and CuteBoi.

And there's been another attack on the NPM supply chain, this one described by researchers at Checkmarx. "Checkmarx SCS team detected over 1200 npm packages released to the registry by over a thousand different user accounts," the security firm says. "This was done using automation which includes the ability to pass NPM 2FA challenge." The operators, whom the researchers call "CuteBoi," are using what Checkmarx calls a "fake identity-as-a-service provider:" "Looking at the domains with which CuteBoi is creating NPM users, we can deduce that they are using mail.tm - a free service providing disposable email addresses with REST API, enabling programs to open disposable mailboxes and read the received emails sent to them with a simple API call. This way CuteBoi can and easily defeat NPM 2FA challenge when creating a user account."

And so far the operation seems to represent an initial, experimental phase of a larger campaign. "This cluster of packages seems to be a part of an attacker experimenting at this point." The researchers think that CuteBoi is preparing a large-scale cryptojacking campaign using XMRig derivatives. Checkmarx has also released information to help users identify the malicious activity. They also warn that further exploitation of NPM can be expected. "CuteBoi is the second attack group seen this year using automation to launch large-scale attacks on NPM. We expect we will continue to see more of these attacks as the barrier to [launch] them is getting lower."

Free decryptors for AstraLocker and Yashma ransomware released.

Bravo, Emsisoft. The company has released, BleepingComputer reports, free decryptors for the AstraLocker and Yashma ransomware strains. Emsisoft tweeted, "The AstraLocker decryptor is for the Babuk-based one using .Astra or .babyk extension, and they released a total of 8 keys. The Yashma decryptor is for the Chaos-based one using .AstraLocker or a random .[a-z0-9]{4} extension, and they released a total of 3 keys." BleepingComputer points out that AstraLocker, itself derived from Babuk Locker, has gained a reputation for being both buggy and effective. The operators of AstraLocker early this week released some decryptors as they announced they were exiting the ransomware business, saying that they had decided to turn to cryptomining. They were probably kidding about getting into coin-mining. Not only did they close their announcement with an "LOL," but there's also some reason to think they were feeling the approach of law enforcement.

Patch news.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added an entry to its Known Exploited Vulnerabilities Catalog: CVE-2022-26925, an issue with Microsoft Windows Local Security Authority (LSA) that amounts to "a spoofing vulnerability where an attacker can coerce the domain controller to authenticate to the attacker using NTLM." The prescribed mitigation is to apply Microsoft's June patch, which agencies under CISA oversight must do by close-of-business, July 22, 2022.

CISA, the US Cybersecurity and Infrastructure Security Agency, released three Industrial Control Systems Advisories Thursday, for Rockwell Automation MicroLogix ("mitigations for an Improper Restriction of Rendered UI Layers or Frames vulnerability in the Rockwell Automation MicroLogix controllers"), Bently Nevada ADAPT 3701-4X Series and 60M100 ("mitigations for Use of Hard-coded Credentials and Missing Authentication for Critical Function vulnerabilities in the Bently Nevada ADAPT 3701-4X Series and 60M100 machinery monitors"), and Mitsubishi Electric MELSEC iQ-R Series C Controller Module (Update B) (a follow-up to ICSA-21-280-04 Mitsubishi Electric MELSEC iQ-R Series C Controller Module (Update A) published October 28, 2021, this "contains mitigations for an Uncontrolled Resource Consumption vulnerability in Mitsubishi Electric MELSEC iQ-R Series C controller module products").

Apple has released a new, highly secure Lockdown Mode to protect users at risk of targeted attacks, Computer World reports. Lockdown Mode significantly limits the functions of an enabled device, which aids in protecting the user from "mercenary" surveillance threats. The addition of this feature closely follows the company's suit against NSO Group, which was filed in November to "hold it accountable for the surveillance and targeting of Apple users," according to a press release. The company added a new category to the Apple Security Bounty program, offering up to $2 million to researchers that can find bypasses for Lockdown Mode, as well as making a $10 million grant to support organizations involved in investigating, exposing, and preventing targeted cyberattacks, which will be given to the Ford Foundation's Dignity and Justice Fund.

Courts and torts.

Reuters reports that mercenary hackers are being used to sway litigation battles. Indian hackers attempting to steal documents via password-stealing emails from companies involved in litigation have been identified by Reuters 35 times since 2013. At least 75 US and European companies, three dozen advocacy and media groups, and numerous Western business executives have been targeted in these campaigns. At least 11 groups of victims had emails publicly leaked or submitted into evidence, and it was found that stolen documents often shaped the verdict. Lawyers of targets often also fell victim to the hackers, with around 1,000 attorneys at 108 different law firms found to be targeted. The FBI has been investigating the hacks since at least 2018, with the goal of finding who hired these hackers.

Policies, procurements, and agency equities.

The United Kingdom is trying to nip foreign disinformation in the bud, Bloomberg reports. The UK is amending its upcoming new online safety law, requiring social media apps and search engines to curb "state-linked disinformation" or face fines. The Department for Digital, Culture, Media and Sport said in a statement that "social media platforms, search engines and other apps and websites allowing people to post their own content will have a legal duty to take proactive, preventative action to identify and minimise people’s exposure to state-sponsored or state-linked disinformation aimed at interfering with the UK." Security Minister Damian Hinds also said in the statement, "Disinformation is often seeded by multiple fake personas, with the aim of getting real users, unwittingly, then to ‘share’ it. We need the big online platforms to do more to identify and disrupt this sort of coordinated inauthentic behaviour. That is what this proposed change in the law is about."