At a glance.
- Ukraine claims to have taken down a massive Russian bot farm.
- Cyberattacks affect three official sites in Taiwan.
- Major cryptocurrency thefts.
- Campaign against Albanian government networks attributed to Iran.
- A descendant of the Mirai botnet malware.
- DSIRF disputes Microsoft's characterization of the Austrian firm as cyber mercenaries.
- CISA and ACSC issue a joint advisory on 2021's top malware.
Ukraine claims to have taken down a massive Russian bot farm.
The Security Service of Ukraine (SSU) says it dismantled a large Russian botnet operation that was being used to spread Russian propaganda and disinformation. The bots, about a million strong, were herded from locations within Ukraine itself, in the cities of Kyiv, Kharkiv, and Vinnytsia, BleepingComputer reports. Their output took the form of social media posts from inauthentic accounts associated with fictitious personae. The SSU describes the operation as follows: "Their latest ‘activities’ include the distribution of content on the alleged conflict between the leadership of the President’s Office and the Commander-in-Chief of the Armed Forces of Ukraine as well as a campaign to discredit the first lady. To spin destabilizing content, perpetrators administered over 1 million of their own bots and numerous groups in social networks with an audience of almost 400,000 users. In the course of a multi-stage special operation, the SSU exposed the leader of this criminal group. He is a russian citizen who has lived in Kyiv and positioned himself as a ‘political expert.’"
On the other side of the information war, BleepingComputer also reported earlier this week that Ukrainian hacktivists, "Torrents of Truth," were bundling instructions on how to bypass Russian censorship into movie torrents whose intended audience would be Russian viewers.
Cyberattacks affect three official sites in Taiwan.
On Tuesday, as the US Speaker of the House, Representative Nancy Pelosi (Democrat, California 12th District), prepared for her visit to Taiwan, cyberattacks briefly took down at least three Republic of China websites. The New York Times reports, "The official website of Taiwan’s presidential office was attacked around 5 p.m., according to a statement from the office, several hours before Ms. Pelosi’s landing. The site’s traffic shot up to 200 times that of a normal day, leaving the website unable to display any content for 20 minutes. It resumed normal operation after the problems were fixed, according to the statement. Taiwan’s Foreign Ministry website and the main portal website for Taiwan’s government also experienced cyberattacks on Tuesday, according to Joanne Ou, spokeswoman for Taiwan’s Foreign Ministry. Early Wednesday, the websites appeared to have resumed operation, though Ms. Ou said they were still fixing the problems."
The incidents were distributed denial-of-service (DDoS) attacks, and POLITICO cites experts who assess them as patriotic hacktivism rather than operations carried out directly by the Chinese government. The attacks are consistent with Beijing's loud official disapproval of the Speaker's visit to Taipei and with its vaguer threats of retaliation, but, as the SANS Internet Storm Center points out, they are equally consistent with patriotic hacktivism: a traffic flood that knocks a website offline for twenty minutes needs no state resources, and the volume of traffic by itself says nothing about who directed it. The Washington Post dismisses the incidents as no big deal, saying that the attacks "were probably not all they were cracked up to be."
Major cryptocurrency thefts.
Bloomberg reports that Nomad, which provides a bridge over which crypto tokens may be shifted between blockchains, was hit yesterday by an attack that has caused the loss of nearly $200 million in cryptocurrency. PeckShield, which has been following developments over its Twitter account, is credited with noticing the caper. Researcher samczsun describes how the theft was carried out. "It all started when @officer_cia shared @spreekaway's tweet in the ETHSecurity Telegram channel. Although I had no idea what was going on at the time, just the sheer volume of assets leaving the bridge was clearly a bad sign." The root cause appears to be a flaw in the bridge's message-verification contract that allowed funds to be withdrawn on one chain without a matching deposit on the other. Once the first exploit transaction was visible on chain it could be copied, and around forty copycat attacks followed.
We heard from Comparitech's Head of Data Research, Rebecca Moody, who ranked this attack as the ninth largest of this kind. “Overnight, Nomad Bridge was drained for over $190 million in the third-biggest crypto heist of 2022 and the ninth-biggest of all time, according to Comparitech's worldwide cryptocurrency heist tracker," she said. "But in a unique twist, the hack on Nomad appeared to be carried out by numerous copy-and-paste actors. Experts suggest that the initial hacker found a fatal flaw in the platform's Replica contract, meaning anyone (including those with zero coding knowledge) could locate a transaction that worked, use their address to replace the user's address, and re-broadcast it. Over the space of a few hours, almost all of the bridge's $190.7 million was drained with just $651.54 left." It's unclear how much, if any, of the currency lost will be recovered. Moody says, "There are suggestions that white hat hackers removed some of the funds to safeguard them, but it remains to be seen just how much of the $190 million is recoverable.”
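As an added illustration, and not Nomad's code or anything drawn from the reports above, here is a toy model in Python of the copy, replace-the-address and resubmit pattern Moody describes. The model assumes a destination-chain "replica" that records which committed root each message was proven against, looks up never-proven messages as an all-zero root, and was deployed with that zero root left in its set of trusted roots; the fix shown is simply to refuse the zero sentinel. The names Replica, prove, process and the message fields are this example's own.

```python
"""Toy model of a bridge 'replica' contract and the copy-and-resubmit pattern."""
import hashlib
from dataclasses import dataclass

ZERO_ROOT = b"\x00" * 32   # value an uninitialized 32-byte storage slot holds


def sha(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


@dataclass(frozen=True)
class Message:
    """A source-chain 'release funds' message as seen on the destination chain."""
    recipient: str
    amount: int
    nonce: int

    def digest(self) -> bytes:
        return sha(self.recipient.encode(), self.amount.to_bytes(8, "big"),
                   self.nonce.to_bytes(8, "big"))


def merkle_root(leaves: list[bytes]) -> bytes:
    """Root of a binary hash tree over a batch of message digests
    (the last leaf is duplicated on odd-sized levels)."""
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


class Replica:
    """Pays out messages that were proven against a root the source chain committed."""

    def __init__(self, vault: int, hardened: bool):
        self.vault = vault
        self.hardened = hardened
        self.proven: dict[bytes, bytes] = {}   # digest -> root it was proven against
        self.paid: set[bytes] = set()
        # Assumption of this model: the contract was deployed with its
        # 'trusted root' left at the zero value, so ZERO_ROOT counts as committed.
        self.acceptable_roots = {ZERO_ROOT}

    def commit_root(self, root: bytes) -> None:
        self.acceptable_roots.add(root)

    def acceptable(self, root: bytes) -> bool:
        if self.hardened and root == ZERO_ROOT:
            return False                      # the fix: never trust the sentinel
        return root in self.acceptable_roots

    def prove(self, msg: Message, batch: list[bytes]) -> bool:
        """Inclusion proof: the whole batch is supplied and its root must be committed."""
        root = merkle_root(batch)
        if msg.digest() in batch and root != ZERO_ROOT and root in self.acceptable_roots:
            self.proven[msg.digest()] = root
            return True
        return False

    def process(self, msg: Message) -> bool:
        """Release funds. The bug: a never-proven message looks up as ZERO_ROOT."""
        d = msg.digest()
        if d in self.paid or msg.amount > self.vault:
            return False
        if not self.acceptable(self.proven.get(d, ZERO_ROOT)):
            return False
        self.vault -= msg.amount
        self.paid.add(d)
        return True


def run_scenario(hardened: bool) -> tuple[int, bool]:
    """A legitimate transfer, then a copycat resubmits the payout with its own address."""
    replica = Replica(vault=1_000_000, hardened=hardened)
    legit, other = Message("alice", 100, nonce=1), Message("bob", 50, nonce=2)
    batch = [legit.digest(), other.digest()]
    replica.commit_root(merkle_root(batch))     # source chain commits the batch
    assert replica.prove(legit, batch) and replica.process(legit)
    # The copycat copies alice's payout call, swaps in its own address and the
    # whole remaining vault, and calls process() without ever calling prove().
    copycat = Message("mallory", replica.vault, nonce=1)
    stolen = replica.process(copycat)
    return replica.vault, stolen


if __name__ == "__main__":
    print("flawed  :", run_scenario(hardened=False))   # vault drained
    print("hardened:", run_scenario(hardened=True))    # copycat rejected
```

The lesson for anyone reviewing a contract of this shape: when a verification step can be skipped and the lookup it feeds defaults to a value the acceptance check treats as valid, the first exploit becomes a template that anyone can re-sign with their own address, which is exactly the copy-and-paste behaviour seen here.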
Separately, approximately 9,000 cryptocurrency wallets attached to the Solana blockchain ecosystem have been robbed of at least $4 million in total, the Verge reports. Solana says the attack has been linked to accounts using the Slope mobile wallet app. Slope is still investigating, and said in a statement, "[W]e recommend ALL Slope users do the following: Create a new and unique seed phrase wallet, and transfer all assets to this new wallet. Again, we do not recommend using the same seed phrase on this new wallet that you had on Slope. If you are using a hardware wallet, your keys have not been compromised." That advice follows the usual rule for a suspected seed-phrase leak: any key that has ever been handled by the suspect software is treated as burned, while a hardware wallet's private keys never leave the device and so are unaffected by a compromised companion app.
Campaign against Albanian government networks attributed to Iran.
In the middle of last month the Albanian government disclosed that a range of government sites and services had come under cyberattack, and the campaign had succeeded in disrupting operations. The Albanian National News reported at the time that the National Agency of the Information Society (AKSHI) had shut down government systems as it worked to neutralize what AKSHI characterized as a sophisticated and coordinated foreign attack on the country's IT infrastructure.
On Thursday Mandiant released a report on the incident that attributed the campaign to Iran. The company's researchers identified the ransomware used in the attack as a member of the "Roadsweep" family. The operation was carried out under the persona of a front group, "HomeLand Justice," whose stated grievance was Albania's hosting of the World Summit of Free Iran, a conference organized by the Iranian opposition group MEK. Its timing suggests it was intended both to disrupt the conference and to punish Albania's government for permitting it to meet on Albanian territory.
Mandiant sees the operation as unusually brazen. "This activity is a geographic expansion of Iranian disruptive cyber operations, conducted against a NATO member state. It may indicate an increased tolerance of risk when employing disruptive tools against countries perceived to be working against Iranian interests."
A descendant of the Mirai botnet malware.
Fortinet's FortiGuard Labs has been tracking RapperBot, which it describes as a "rapidly evolving IoT malware family," since mid-June. The researchers have published an update on the current state of the malware, which reuses much of the leaked Mirai botnet source code. RapperBot departs from its ancestor in its "built-in capability to brute force credentials and gain access to SSH servers." (Mirai spread by trying default credentials against Telnet.) Indeed, brute forcing appears to be RapperBot's core function: its distributed denial-of-service (DDoS) capability is limited, and the researchers say it was removed from one version and later restored, which may be a form of misdirection. RapperBot's operators, whoever they are, seem more interested in maintaining persistent access to compromised systems than in propagating to other targets, and FortiGuard Labs says their motives remain unclear. In the meantime, FortiGuard Labs offers some advice for mitigation: "Regardless, since its primary propagation method is brute forcing SSH credentials, this threat can easily be mitigated by setting strong passwords for devices or disabling password authentication for SSH (where possible)."
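Two checks that follow from FortiGuard's mitigation advice, added here as a Python example rather than taken from Fortinet's report: a detector that reads OpenSSH auth.log lines and flags source addresses with a burst of password failures (and whether a login from that address then succeeded), and an audit of sshd_config for the settings that let such guessing succeed. The log lines and both configuration fragments are constructed for the example; the defaults the audit assumes for absent keywords are OpenSSH's documented ones.

```python
"""Spot SSH password brute-forcing in auth.log and audit sshd_config for it."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH's syslog format (not a real capture).
SAMPLE_AUTH_LOG = """\
Aug  4 10:00:01 gw sshd[1201]: Failed password for root from 203.0.113.7 port 51111 ssh2
Aug  4 10:00:02 gw sshd[1202]: Failed password for admin from 203.0.113.7 port 51112 ssh2
Aug  4 10:00:02 gw sshd[1203]: Failed password for invalid user pi from 203.0.113.7 port 51113 ssh2
Aug  4 10:00:03 gw sshd[1204]: Failed password for root from 203.0.113.7 port 51114 ssh2
Aug  4 10:00:04 gw sshd[1205]: Failed password for root from 203.0.113.7 port 51115 ssh2
Aug  4 10:00:05 gw sshd[1206]: Accepted password for root from 203.0.113.7 port 51116 ssh2
Aug  4 10:07:30 gw sshd[1300]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Aug  4 10:07:45 gw sshd[1301]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")


def parse_auth_log(text: str, year: int = 2022) -> list[tuple]:
    """Return (timestamp, result, method, user, ip) per sshd auth line.
    Syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)) -> dict:
    """Flag each source IP with >= threshold password failures inside `window`,
    and record whether any login from it succeeded after the burst began."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[4]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        fails = [e[0] for e in evs if e[1] == "Failed" and e[2] == "password"]
        for i, start in enumerate(fails):
            burst = [t for t in fails[i:] if t - start <= window]
            if len(burst) >= threshold:
                compromised = any(e[1] == "Accepted" and e[0] >= start for e in evs)
                alerts[ip] = {"failures": len(burst), "success_after": compromised}
                break
    return alerts


# Constructed sshd_config fragments: a typical appliance default and the fix.
WEAK_SSHD_CONFIG = """\
PasswordAuthentication yes
PermitRootLogin yes
MaxAuthTries 6
"""

HARDENED_SSHD_CONFIG = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
MaxAuthTries 3
"""


def audit_sshd_config(text: str) -> list[str]:
    """Findings for settings that leave sshd open to password guessing.
    Keywords not present are read with OpenSSH's documented defaults."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            opts[parts[0].lower()] = parts[1].strip().lower()
    findings = []
    if opts.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is on (the OpenSSH default)")
    if opts.get("kbdinteractiveauthentication",
                opts.get("challengeresponseauthentication", "yes")) != "no":
        findings.append("keyboard-interactive auth can still prompt for a password via PAM")
    if opts.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes exposes the root account to guessing")
    if int(opts.get("maxauthtries", "6")) > 3:
        findings.append("MaxAuthTries above 3 gives each connection extra guesses")
    return findings


if __name__ == "__main__":
    print(detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)))
    print("weak:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

The audit reads only top-level directives and ignores Match blocks, so on a real host it is a first pass; the authoritative view of the effective configuration is `sshd -T`, whose output has the same keyword-value shape and can be fed to the same function. Turning password authentication off only helps if keyboard-interactive is off too, since PAM can otherwise still prompt for a password.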
CyberFront Z's failed influence operation.
Facebook's corporate parent Meta released its Adversarial Threat Report for the second quarter of 2022 yesterday. Prominently featured in the report is Meta's account of its monitoring of, and action against, a large Russian troll farm that had been marshaled to support Moscow's narrative concerning Russia's war against Ukraine. It's connected to the notorious Internet Research Agency, itself connected with Russian attempts at influence operations during recent US elections. (It's also one of the enterprises in the empire of Yevgeniy Prigozhin, who also runs the Wagner Group of contract combat units. Early this week the US State Department offered a $10 million reward for information on Mr. Prigozhin and his activities, should any of his associates or employees be interested in ratting him out.) In this case the flagship of the influence operation is "CyberFront Z."
In all, Meta evaluates CyberFront Z as a fizzle, explaining, "This appeared to be a poorly executed attempt, publicly coordinated via a Telegram channel, to create a perception of grassroots online support for Russia’s invasion by using fake accounts to post pro-Russia comments on content by influencers and media.... This deceptive operation was clumsy and largely ineffective — definitely not 'A team' work."
DSIRF disputes Microsoft's characterization of the Austrian firm as cyber mercenaries.
Reuters quotes a statement by the Austrian firm DSIRF, which Microsoft had described as a cyber mercenary outfit selling Subzero spyware to customers who abused it. "Subzero is a software of the Austrian DSIRF GesmbH, which has been developed exclusively for official use in states of the EU. It is neither offered, sold nor made available for commercial use," DSIRF said in an emailed statement. "In view of the facts described by Microsoft, DSIRF resolutely rejects the impression that it has misused Subzero software." Reuters says it's not clear who DSIRF's legitimate European Union customers are. Microsoft identified DSIRF as the threat group it tracks as Knotweed.
CISA and ACSC issue a joint advisory on 2021's top malware.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) have issued a joint advisory describing the most significant strains of malware observed in 2021. The list comprises some familiar names: Agent Tesla, AZORult, Formbook, Ursnif, LokiBot, MOUSEISLAND, NanoCore, Qakbot, Remcos, TrickBot, and GootLoader. None of these came out of nowhere. "Malicious cyber actors have used Agent Tesla, AZORult, Formbook, LokiBot, NanoCore, Remcos, and TrickBot for at least five years," the agencies say, and "Malicious cyber actors have used Qakbot and Ursnif for more than a decade." The malware strains are under continuing criminal development, which accounts for their longevity.
Patch news.
On Tuesday CISA released five Industrial Control Systems Advisories:
- Mitsubishi Electric Factory Automation Products Path Traversal (Update C): "mitigations for a Path Traversal vulnerability in various Mitsubishi Electric Factory Automation products."
- Mitsubishi Electric Factory Automation Engineering Products (Update H): "mitigations for an Unquoted Search Path or Element vulnerability in various Mitsubishi Electric Factory Automation Engineering products."
- Mitsubishi Electric FA Engineering Software Products (Update F): "mitigations for Heap-based Buffer Overflow and Improper Handling of Length Parameter Inconsistency vulnerabilities in various Mitsubishi Electric FA Engineering Software products that communicate with MELSEC, FREQROL, or GOT products."
- Delta Electronics DIAEnergie (Update C): "mitigations for Use of Password Hash with Insufficient Computational Effort, Authentication Bypass Using an Alternate Path or Channel, Unrestricted Upload of File with Dangerous Type, SQL Injection, Cross-site Request Forgery, Cross-site Scripting, and Cleartext Transmission of Sensitive Information vulnerabilities in Delta Electronics DIAEnergie, an industrial energy management system."
- Delta Electronics DIAEnergie (Update C): "mitigations for Path Traversal, Incorrect Default Permissions, SQL Injection, and Uncontrolled Search Path Element vulnerabilities in Delta Electronics DIAEnergie, an industrial energy management system."
And on Thursday, CISA released two more ICS advisories:
- Digi ConnectPort X2D: "mitigations for an Execution with Unnecessary Privileges vulnerability in Digi ConnectPort X2D, a connection gateway."
- Inductive Automation Ignition (Update A): "mitigations for an Improper Restriction of XML External Entity Reference vulnerability in versions of Inductive Automation Ignition software."
Crime and punishment.
The Australian Federal Police (AFP) has charged a 24-year-old Melbourne man with developing and selling the Imminent Monitor remote access Trojan. The man allegedly developed the malware in 2013, when he was fifteen. The AFP claims he made up to $400,000 selling the malware, and spent most of it on food deliveries. Imminent Monitor is most notable for its use by domestic abusers, who have used it to track their victims:
"The AFP identified there were 201 individuals in Australia who bought the RAT. A statistically high percentage of Australia-based PayPal purchasers of IM RAT (14.2%) are named as respondents on domestic violence orders. Additionally, one of these purchasers is also registered on the Child Sex Offender Register. Of the 14 individuals, 11 bought the RAT during the active period of their domestic violence order (DVO) or within two years of a DVO being issued."
German prosecutors have issued an arrest warrant for a Russian national described as "Pawel A" in connection with the Berserk Bear hacking group within Russia's Federal Security Service (FSB), the Record reports. Pawel is accused of assisting in a 2017 attack on Netcom BW, the company that manages routers for the EnBW energy company, and in an attack on the electric utility E.ON. The Record notes that an FSB officer named "Pavel Aleksandrovich Akulov" was indicted by the US Justice Department in June 2021 for allegedly launching cyberattacks against "hundreds of entities related to the energy sector," but it's not yet clear whether this is the same person.
Policies, procurements, and agency equities.
The US Senate on Wednesday conducted its nomination hearing for Nathaniel Fick, President Joe Biden's pick for ambassador-at-large for the State Department's new Bureau of Cyberspace and Digital Policy. Defense One explains that the new bureau was established in April with the goal of directing future international cyber policy, and that the ambassador role is intended to foster relationships with the Department of Defense and other agencies in order to strengthen interdepartmental coordination.
The Hill reports that during the hearing, Senator Rob Portman of Ohio expressed his concerns that the introduction of the new position represents what he considers an overabundance of cyber positions in the federal government. Fick responded that he understands some lawmakers’ concerns about added bureaucracy, but feels his role is essential: “It is always easy to add, but it's hard to subtract. And so I come to this role with a heightened sense of concern about the issue that you raise. And that said, I have a strong conviction that this role actually fills a gap that has existed in our government.”
Newsroom reports that New Zealand's 2022 budget included a $30 million investment in cyber resilience. Among other things, the budget has been used to create the "cyber resilience measurement framework" initiative, which takes a broad view of cyber resilience and attempts to measure it. A prototype framework has been developed, and the work so far has revealed the difficulty of quantifying certain aspects of cyber resilience.