Russia operates in the grey zone against Ukraine.
Microsoft said last Saturday that it hadn't been able to draw connections between Friday's cyberattacks against Ukraine and any of the threat actors it tracks. It is, however, confident that the attack involved the use of a wiper, malware whose intent was the destruction of data, not their temporary denial (as in a conventional ransomware attack) or their theft. The operation is being called "WhisperGate." Microsoft has given the threat actor the temporary tracking identifier DEV-0586.
The Wall Street Journal sees last week's cyberattacks against Ukrainian targets as pointing to a broader risk of more general cyberwar. WhisperGate was, like NotPetya a few years ago, a pseudo-ransomware attack that delivered a wiper behind defacements and spurious ransom demands. It was, however, less sophisticated than its predecessor, and in particular it lacked the self-propagating worm features that made NotPetya a general danger.
Security firm Mandiant has outlined the form it expects Russian cyber operations to assume. "Russia and its allies will conduct cyber espionage, information operations, and disruptive cyber attacks during this crisis. Though cyber espionage is already a regular facet of global activity, as the situation deteriorates, we are likely to see more aggressive information operations and disruptive cyber attacks within and outside of Ukraine."
Chinese cyberespionage campaign, with some apparently financially motivated attacks.
Trend Micro on Monday reported on an "elusive" threat actor it calls "Earth Lusca," and that it's been tracking since the middle of last year. Earth Lusca is assessed as a Chinese group, part of the "Winnti Cluster," although it represents a distinct operation. Its interests include "government and educational institutions, religious movements, pro-democracy and human rights organizations in Hong Kong, Covid-19 research organizations, and the media," all predictable espionage targets, but Earth Lusca's activities are mixed: they also extend to some apparently financially motivated operations against gambling and cryptocurrency outfits. Trend Micro's technical analysis of the group's activity describes its infrastructure, a distinctive strain of malware, and its extensive social engineering.
Trend Micro notes, "The group has three primary attack vectors, two of which involve social engineering. The social engineering techniques can be broken down into spear phishing emails and watering hole websites." The third vector involves exploiting vulnerabilities in web-facing applications, including Microsoft Exchange ProxyShell and Oracle GlassFish.
Unpatched VMware Horizon servers attacked.
Researchers at Huntress, following up on warnings from the UK's NHS, have confirmed that unpatched VMware Horizon servers are now being actively attacked with Cobalt Strike implants. This activity amounts to "exploitation of Horizon itself and not the abuse of web shells" that were observed earlier.
The researchers stated, "Based on Huntress’ dataset of 180 Horizon servers, we’ve validated NHS’ intel and discovered 10% of these systems (18) had been backdoored with a modified absg-worker.js web shell. It’s important to note that ~34% of the 180 Horizon servers (62) we analyzed were unpatched and internet-facing at the time of this publication. The web shells on these 18 compromised systems established a timeline that started on December 25, 2021 and continued until December 29, 2021."
DoNot Team targets South Asia.
ESET offers an account of an APT (the "DoNot Team") which it regards as unsophisticated, but highly focused and tenacious. The researchers make no attribution, but they note that "a recent report by Amnesty International links the group’s malware to an Indian cybersecurity company that may be selling the spyware or offering a hackers-for-hire service to governments of the region." The DoNot Team's focused list of targeted countries is suggestive: Pakistan, Bangladesh, Nepal, and Sri Lanka.
ESET states, "According to ESET telemetry, Donot Team has been consistently targeting the same entities with waves of spearphishing emails with malicious attachments every two to four months. Interestingly, emails we were able to retrieve and analyze did not show signs of spoofing. Some emails were sent from the same organizations that were being attacked. It’s possible that the attackers may have compromised the email accounts of some of their victims in earlier campaigns, or the email server used by those organizations."
Cyberespionage targets renewable energy organizations.
A post at BushidoToken Threat Intel describes what appears to be a cyberespionage campaign against renewable energy organizations, industrial control system vendors, government agencies, non-governmental organizations, and university researchers in several countries. Attribution is unclear, beyond some circumstantial code similarities to tools used by Russian and North Korean intelligence services. The researchers note, "Attribution using these campaign artefacts and OSINT reports alone was not possible. However, it can be inferred that the adversary behind these attempts appears to be interested in Bulgaria, for starters, plus critical infrastructure, renewable energy, environmental protection agencies, and recycling technology. Supplemental targets such as ICS/OT organisations and educational institutions would complement this intelligence gathering campaign, if access could be obtained at these entities. From this it could be suggested that the adversary behind this campaign is potentially a major source of fossil fuels and is doing research on the renewable energy sector as a threat to its income."
New ransomware may be tied to FIN8.
Trend Micro has spotted a new, relatively evasive ransomware strain, "White Rabbit," which was used against a US bank last month. The researchers write that "[i]ts payload binary requires a specific command-line password to decrypt its internal configuration and proceed with its ransomware routine. This method of hiding malicious activity is a trick that the ransomware family Egregor uses to hide malware techniques from analysis." The malicious payload is small (about 100KB) and appears inactive and innocuous until it's activated. The researchers suspect that FIN8, a financially motivated threat actor that's been active against the retail and hospitality sectors since at least 2016, may be responsible for this ransomware:
"Currently, we are still determining if FIN8 and White Rabbit are indeed related or if they share the same creator. Given that FIN8 is known mostly for its infiltration and reconnaissance tools, the connection could be an indication of how the group is expanding its arsenal to include ransomware. So far, White Rabbit’s targets have been few, which could mean that they are still testing the waters or warming up for a large-scale attack.
"White Rabbit is thus likely still in its development phase, considering its uncomplicated ransomware routine. Despite being in this early stage, however, it is important to highlight that it bears the troublesome characteristics of modern ransomware: It is, after all, highly targeted and uses double extortion methods. As such, it is worth monitoring."
Tonga's Internet disrupted by volcano eruption.
Saturday's eruption of the Hunga-Tonga-Hunga-Ha'apai volcano disrupted Tonga's Internet connection (and many other modes of communication), providing an extreme test of response, resilience, and recovery. Apparently the nation's undersea cable was severed; MIT Technology Review has an account of what will need to be done to reconnect the Pacific nation with the rest of the world.
Prometheus TDS relies on Cobalt Strike.
Cobalt Strike has been seen frequently in recent criminal attacks. BlackBerry reports that a malware subscription service, Prometheus TDS ("TDS" stands for "traffic direction system"), makes extensive use of Cobalt Strike in its offerings. The service is marketed in Russian-language criminal-to-criminal souks. Its principal use is to stage large-scale phishing campaigns that redirect victims to malicious landing pages. The researchers offer an analysis of the Prometheus TDS, stating that it "follows the typical TDS execution flow, but targets are funneled via a spam email that contains either an HTML file, a Google Docs page or a web shell redirector. These components each contain an embedded URL designed to redirect the user to a first stage payload, or to a website that has been compromised by the threat actor and hosts a PHP-based backdoor. The backdoor is used to glean various types of data from the victim, which gets sent back to the Prometheus TDS administrative panel. The admin panel could then choose to send instructions back to the compromised website/PHP backdoor, to serve the victim with malware, or redirect them to another page that might contain a phishing scam, etc."
Mirai botnet exploits Log4j vulnerability.
Akamai has found the Mirai botnet exploiting Log4j to attack SolarWinds and Zyxel devices. Microsoft warned of the potential problem, the Record reports. SolarWinds issued a patch on Tuesday, and Zyxel has also updated its products to address the issue. Akamai's Larry Cashdollar notes, "The interesting thing about this malware is if you have automated string extraction utilities for malware samples that log to a vulnerable Log4j instance, this payload could execute. Doing so could possibly, depending on your setup, infect your malware analysis system. Again, patching your vulnerable systems is the key here to protect your servers from compromise."
US Olympic Committee warns athletes to be wary of espionage.
If you're a bobsledder, a biathlete, a skeleton racer, or any other member of the US Olympic team competing in China this winter, the US Olympic Committee recommends you bring a burner phone in with you, and then burn it upon departure. SecurityWeek quotes the Committee as saying, "Assume that every device and every communication, transaction, and online activity will be monitored. Devices may also be compromised with malicious software designed to compromise the device and its future use."
New firmware bootkit.
Kaspersky reports finding the third known firmware bootkit, "MoonBounce," in the wild. Implanted in UEFI firmware, MoonBounce is, Kaspersky says, not only sophisticated, but difficult to detect and remove. The researchers attribute the activity, with high confidence, to APT41, a Chinese threat group also known as Barium, Winnti, and Wicked Panda. APT41 carries out state-directed espionage, but there's also good reason to think it runs a criminal side hustle, engaging as it does in financially motivated cybercrime. The US FBI has had five members of APT41 on its wanted list since 2019.
Mark Lechtik, senior security researcher with Kaspersky's Global Research and Analysis Team (GReAT), stated, "[T]his latest UEFI bootkit shows some notable advancements when compared to MosaicRegressor, which we reported on back in 2020. In fact, transforming a previously benign core component in firmware to one that can facilitate malware deployment on the system is an innovation that was not seen in previous comparable firmware bootkits in the wild and makes the threat far stealthier. We predicted back in 2018 that UEFI threats would gain in popularity, and this trend does appear to be materializing. We would not be surprised to find additional bootkits in 2022. Fortunately, vendors have begun paying more attention to firmware attacks, and more firmware security technologies, such as BootGuard and Trusted Platform Modules, are gradually being adopted."
Patch news.
CISA has issued four industrial control system advisories. They cover ICONICS and Mitsubishi Electric HMI SCADA, Philips Vue PACS (Update A), Mitsubishi Electric GOT and Tension Controller (Update A), and Mitsubishi Electric GOT and Tension Controller (Update B).
Crime and punishment.
US officials have said, according to the Record, that one of the members of REvil arrested last week by Russian authorities may have been responsible for the ransomware attack on Colonial Pipeline last spring.
With more governments now requiring people to obtain, and under some circumstances present, evidence of vaccination against COVID-19, criminals are selling fraudulent PCR test certificates. Check Point says the bogus certificates are for the most part being distributed by the Telegram messaging app, and that some regions have seen increases in such fraud of up to 600%.
Engineering & Technology describes how botnet scalping has become a preferred criminal method of money laundering. Netacea told the publication that scalper bots are, for now, legal, although there's some movement in the US Congress to outlaw them.
Courts and torts.
The US Treasury Department Thursday announced that it was bringing sanctions against four individuals for their role in advancing Russia's influence operations with the objective of "destabilizing" Ukraine. Treasury explained its rationale as follows:
"Today’s action is intended to target, undermine, and expose Russia’s ongoing destabilization effort in Ukraine. This action is separate and distinct from the broad range of high impact measures the United States and its Allies and partners are prepared to impose in order to inflict significant costs on the Russian economy and financial system if it were to further invade Ukraine.
"The individuals designated today act at the direction of the Russian Federal Security Service (FSB), an intelligence service sanctioned by the United States, and support Russia-directed influence operations against the United States and its allies and partners."
The individuals sanctioned include Taras Kozak and Oleh Voloshyn, two current Members of Ukraine's Parliament, Volodymyr Oliynyk, "a former Ukrainian official who fled Ukraine to seek refuge in Russia," and Vladimir Sivkovich, former Deputy Secretary of the Ukrainian National Security and Defense Council. The connection with the FSB is important, since that Russian agency is itself under sanction.
Policies, procurements, and agency equities.
Both sides in the dispute over Russian preparation for hybrid warfare against Ukraine bring firm lines with them to the talks now underway in Geneva, where US Secretary of State Blinken is meeting Russian Foreign Minister Lavrov. The Guardian reports that Secretary Blinken told his counterpart that the US would reply formally to Russian proposals (that is, the soft ultimatum issued last week) sometime next week, but that certain NATO positions, in particular the right to offer membership to Ukraine and other countries, were not up for negotiation. The Secretary also said that the US was open to a summit between Presidents Biden and Putin.
Canada's Communications Security Establishment (CSE) Wednesday warned critical infrastructure operators "to bolster their awareness of and protection against Russian state-sponsored cyber threats." The CSE cites earlier warnings by Britain's National Cyber Security Centre and the US Cybersecurity and Infrastructure Security Agency (CISA); indeed, the specific recommendations all three organizations offer track one another closely.
Ukraine has asked another one of the Five Eyes, Australia, for technical assistance to help defend it against cyberattack, the ABC reports, and Australia has said that it stands in solidarity with NATO in support of Ukrainian security.
US President Biden yesterday morning signed National Security Memorandum 8 (NSM-8, Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems), which specifies how Executive Order 14028, Improving the Nation’s Cybersecurity, will apply to National Security Systems (NSS) not under the purview of CISA. It brings these systems' cybersecurity under the supervision of the National Security Agency (NSA), and it gives NSA authority to issue Binding Operational Directives to the organizations that operate the systems. NSM-8 lays out a one-hundred-eighty-day timeline, with appropriate milestones, for NSA to formulate guidance and for the affected agencies to complete and report compliance.
Forensic News reports that US officials are concerned that the Russian company Infotecs has maintained a business presence in the US despite its place on the Commerce Department's Entity List.
Nextgov reports that the US Government is considering shifting responsibility for pipeline cybersecurity from the Transportation Security Administration (TSA) to the Department of Energy.
The UK Government has opened consultation on measures to formalize cybersecurity professional standards.