At a glance.
- Iron Tiger's supply chain campaign.
- An update on RedAlpha.
- Cl0p gang hits English water utility.
- Microsoft identifies and disrupts Russian cyberespionage activity.
- Vulnerabilities in Zimbra undergoing widespread exploitation.
- DDoS attack against Energoatom's public website.
- New Lazarus Group activity reported.
- Iran suspected of cyber operations against four Israeli sectors.
- Cyber war clauses coming to cyber insurance policies.
- BlackByte is back, and calling itself BlackByte 2.0.
- Cozy Bear update.
- Criminal gang targets the travel and hospitality sectors.
Iron Tiger's supply chain campaign.
Trend Micro reported last Friday that Iron Tiger, a state-run threat actor associated with China (also known as APT27, Emissary Panda, Bronze Union, and Luckymouse), has compromised the MiMi chat app in order to attack Mac OS systems. The researchers say this is the first time the group has been seen targeting that platform.
"We noticed that a chat application named MiMi retrieved the rshell executable, an app we came across recently while investigating threat actor Earth Berberoka. We noticed Iron Tiger controlling the servers hosting the app installers of MiMi, suggesting a supply chain attack. Further investigation showed that MiMi chat installers have been compromised to download and install HyperBro samples for the Windows platform and rshell samples for the Mac OS platform. While this was not the first time the technique was used, this latest development shows Iron Tiger’s interest in compromising victims using the three major platforms: Windows, Linux, and macOS."
MiMi ("Secret") is designed for Chinese users, who represent the greater part of its clientele. Trend Micro found in the course of its investigation that "in this instance Iron Tiger compromised the server hosting the legitimate installers for this chat application for a supply chain attack." The targets of the campaign were in Taiwan and the Philippines.
An update on RedAlpha.
Recorded Future Tuesday morning outlined recent activity by the Chinese government threat actor RedAlpha, an operation the company's researchers have been tracking since June of 2018. RedAlpha has recently been observed conducting large-scale credential theft. Its targets continue to be "humanitarian, think tank, and government organizations globally."
"Over the past 3 years, we have observed RedAlpha registering and weaponizing hundreds of domains spoofing organizations such as the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), the American Institute in Taiwan (AIT), and other global government, think tank, and humanitarian organizations that fall within the strategic interests of the Chinese government," Recorded Future writes. RedAlpha, which researchers believe is run for Chinese intelligence and security services by contractor personnel, has shown an interest in domestic ethnic and religious minorities, especially Tibetan and Uyghur populations. Internationally, the group has been particularly but not exclusively interested in Taiwan. "Historically, the group has also engaged in direct targeting of ethnic and religious minorities, including individuals and organizations within Tibetan and Uyghur communities. As highlighted within this report, in recent years RedAlpha has also displayed a particular interest in spoofing political, government, and think tank organizations in Taiwan, likely in an effort to gather political intelligence."
Cl0p gang hits English water utility.
The Cl0p group, after a failed extortion attempt, published data stolen from South Staffordshire Water, a utility that supplies water to Staffordshire and the West Midlands. Computing reports that the gang published data that included "passport scans, screenshots of user interfaces and spreadsheets" to a dark web dump site. Cl0p apparently believed it had hit Thames Water, a different utility, which may offer a partial explanation of why the ransom attempt failed. The systems have continued to deliver water safely and reliably throughout the incident.
Microsoft identifies and disrupts Russian cyberespionage activity.
Microsoft Monday outlined recent activity of the Russian government threat actor Redmond calls "SEABORGIUM." The company's report begins, "The Microsoft Threat Intelligence Center (MSTIC) has observed and taken actions to disrupt campaigns launched by SEABORGIUM, an actor Microsoft has tracked since 2017. SEABORGIUM is a threat actor that originates from Russia, with objectives and victimology that align closely with Russian state interests. Its campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft."
As is typically the case, different researchers track this (and possibly other, related) activity under different names. "SEABORGIUM overlaps with the threat groups tracked as Callisto Group (F-Secure), TA446 (Proofpoint) and COLDRIVER (Google). Security Service of Ukraine (SSU) has associated Callisto with Gamaredon Group (tracked by Microsoft as ACTINIUM); however, MSTIC has not observed technical intrusion links to support the association."
The group's targets have been found for the most part in the US, the UK, and other NATO allies who support Ukraine during the present war. “SEABORGIUM primarily targets NATO countries, particularly the US and the UK, with occasional targeting of other countries in the Baltics, the Nordics, and Eastern Europe," the report says. “Such targeting has included the government sector of Ukraine in the months leading up to the invasion by Russia, and organizations involved in supporting roles for the war in Ukraine.”
What has Microsoft done to disrupt SEABORGIUM? "As an outcome of these service abuse investigations, MSTIC partnered with abuse teams in Microsoft to disable accounts used by the actor for reconnaissance, phishing, and email collection. Microsoft Defender SmartScreen has also implemented detections against the phishing domains represented in SEABORGIUM’s activities."
Vulnerabilities in Zimbra undergoing widespread exploitation.
The widely used Zimbra Collaboration Suite, which the Stack and others describe as a lower-cost alternative to Microsoft Exchange, is being widely attacked. Small- and medium-sized enterprises and schools are Zimbra's primary users, but it's also used by some banks and multinational corporations. In all, the Stack says, Zimbra is used by more than 200,000 businesses in over 140 countries. (As an aside, one of those countries is Ukraine, where CERT-UA warned back in April that the CVE-2018-6882 vulnerability was undergoing active exploitation.)
Yesterday the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert (AA22-228A) to the effect that "Threat Actors [are] Exploiting Multiple CVEs Against Zimbra Collaboration Suite." CISA's alert includes more CVEs than did CERT-UA's, specifying as it does CVE-2022-24682, CVE-2022-27924, CVE-2022-27925 (chained with CVE-2022-37042), and CVE-2022-30333. All of these are known vulnerabilities for which Zimbra has issued patches. CISA urges all Zimbra Collaboration Suite administrators to immediately update their systems, scan for indicators of compromise, and take action to remediate any compromise they find.
DDoS attack against Energoatom's public website.
Russian nuisance-level attacks continue against Ukrainian targets, most recently taking the form of a distributed denial-of-service (DDoS) action against the website of Energoatom, the Ukrainian state corporation that operates the country's four nuclear power plants. Energoatom described the incident, which took place Monday, as "the most powerful hacker attack since the beginning of the full-scale invasion of the Russian Federation." The corporation said the attack was mounted from "the territory of the Russian Federation" and carried out by the Russian group Narodnaya Kiberarmya, the "popular cyber army," a hacktivist front organization. Energoatom said that the attack used 7.25 million bots and lasted for about three hours. It had, the corporation said, a negligible effect on visitors to the website. Energoatom's plants include the presently occupied and besieged Zaporizhzhya nuclear facility. The DDoS had no discernible effect on operations at this or any other plant. The immediate risk to Zaporizhzhya is shellfire, not DDoS.
New Lazarus Group activity reported.
ESET offers the latest in its ongoing reports on North Korean Lazarus Group activity. "A signed Mac executable disguised as a job description for Coinbase was uploaded to VirusTotal from Brazil," the company's researchers tweeted yesterday. "This is an instance of Operation In(ter)ception by #Lazarus for Mac."
Iran suspected of cyber operations against four Israeli sectors.
Mandiant reports that UNC3890, "a cluster of activity targeting Israeli shipping, government, energy and healthcare organizations via social engineering lures and a potential watering hole," is playing a role in the low-level naval conflict currently observed between Iran and Israel. The attribution of UNC3890 to Iran is in part circumstantial, but Mandiant advances that attribution with "moderate confidence." The evidence falls into four categories:
- Linguistic. UNC3890 developers use Farsi words in their strings.
- Targeting. A focus on Israeli targets is consistent with Iranian interests.
- Program database (PDB) path. This is the same as has been observed in activity by UNC2448, attributed to the Islamic Revolutionary Guard Corps (IRGC), which itself is linked to APT35 (Charming Kitten).
- C2 framework. UNC3890 uses the NorthStar C2 Framework, which has been an Iranian favorite.
Cyber war clauses coming to cyber insurance policies.
Insurance Day reports that Lloyd's Marketing Association has mandated that all cyber insurance policies must, by March 31st of next year, contain an explicit clause "excluding liability for losses arising from state-backed cyber attacks." That clause would be in addition to the typical war clauses that have long excluded coverage of losses caused by action in a conventional war. The requirement for an explicit exclusion of liability for state cyber action seems to recognize the growing risk of gray zone conflict. Insurance Day quotes Lloyd's as explaining, "It is important that Lloyd’s can have confidence that syndicates are managing their exposures to liabilities arising from war and state backed cyber-attacks. Robust wordings also provide the parties with clarity of cover, means that risks can be properly priced and reduces the risk of dispute. The ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb.”
BlackByte is back, and calling itself BlackByte 2.0.
BlackByte ransomware has reappeared, BleepingComputer reports, and represents an enhanced, double-extortion threat to personal data. The gang has launched a new data dump site with a focus on individual victims. "The data leak site only includes one victim at this time but now has new extortion strategies that allow victims to pay to extend the publishing of their data by 24 hours ($5,000), download the data ($200,000), or destroy all the data ($300,000)," BleepingComputer writes. "These prices will likely change depending on the size/revenue of the victim."
Cozy Bear update.
Mandiant reported Thursday on activity it has recently observed from APT29, the Russian SVR operation commonly referred to as Cozy Bear. "Mandiant has observed APT29 continue to demonstrate exceptional operational security and advanced tactics targeting Microsoft 365. We are highlighting several newer TTPs used by APT29 in recent operations." Among its recent tactics has been the disabling of licenses in Microsoft 365 in ways that disable the important security functions performed for the suite by Purview Audit. "Mandiant has observed APT29 disabling Purview Audit on targeted accounts in a compromised tenant. Once disabled, they begin targeting the inbox for email collection." The threat actor has also been observed to conduct successful password-guessing attacks that have enabled it to take over dormant accounts and exploit the access thereby obtained. In all of this Mandiant credits APT29 with an unusually high degree of operational security.
Criminal gang targets the travel and hospitality sectors.
Proofpoint reports that TA558, a criminal gang the researchers assess as a "financially motivated small crime threat actor targeting hospitality, hotel, and travel organizations," has increased the tempo of its operations in 2022. "Since 2018, this group has used consistent tactics, techniques, and procedures to attempt to install a variety of malware including Loda RAT, Vjw0rm, and Revenge RAT." Its targets have for the most part been in Latin America; its emails are generally written in Portuguese or Spanish. "TA558 is an active threat actor targeting hospitality, travel, and related industries since 2018," the report concludes. "Activity conducted by this actor could lead to data theft of both corporate and customer data, as well as potential financial losses. Organizations, especially those operating in targeted sectors in Latin America, North America, and Western Europe should be aware of this actor’s tactics, techniques, and procedures." And Proofpoint has provided a guide to those tactics, techniques, and procedures.
Patch news.
The US Cybersecurity and Infrastructure Security Agency (CISA) Tuesday released eight industrial control system (ICS) security advisories, for Yokogawa CENTUM Controller FCS ("mitigations for a Denial of Service vulnerability"), LS ELEC PLC and XG5000 ("mitigations for an Inadequate Encryption Strength vulnerability"), Delta Industrial Automation DRAS ("mitigations for an Improper Restriction of XML External Entity Reference vulnerability"), Softing Secure Integration Server ("mitigations for Out-of-bounds Read, Uncontrolled Search Path Element, Improper Authentication, Relative Path Traversal, Cleartext Transmission of Sensitive Information, NULL Pointer Dereference, and Integer Underflow vulnerabilities"), B&R Industrial Automation Automation Studio 4 ("mitigations for an Unrestricted Upload of File with Dangerous Type vulnerability"), Emerson Electric Proficy Machine Edition ("mitigations for Missing Support for Integrity Check, Improper Access Control, Unrestricted Upload of File with Dangerous Type, Improper Verification of Cryptographic Signature, Insufficient Verification of Data Authenticity, and Path Traversal: ‘\..\filename’ vulnerabilities"), Sequi PortBloque S ("mitigations for Improper Authentication and Improper Authorization vulnerabilities"), and Siemens Industrial Products with OPC UA (Update B) ("mitigations for various Siemens Industrial Products with OPC UA products").
CISA has also released five industrial control system (ICS) advisories affecting Siemens Linux-based Products (Update J) ("mitigations for a Use of Insufficiently Random Values vulnerability"), Siemens Industrial Products LLDP (Update D) ("mitigations for Classic Buffer Overflow and Uncontrolled Resource Consumption vulnerabilities"), Siemens OpenSSL Affected Industrial Products (Update B) ("mitigations for an Infinite Loop vulnerability"), Mitsubishi Electric MELSEC iQ-R, Q, L Series and MELIPC Series (Update A) ("mitigations for an Improper Resource Locking vulnerability"), and Mitsubishi Electric Multiple Factory Automation Products (Update A) ("mitigation for Infinite Loop and OS Command Injection vulnerabilities").
The US Cybersecurity and Infrastructure Security Agency (CISA) has made seven additions to its Known Exploited Vulnerabilities Catalog. As CISA reminds in its announcement, "Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats." The newly added vulnerabilities include:
- CVE-2022-22536, which affects multiple SAP products with an HTTP Request Smuggling Vulnerability. "An unauthenticated attacker can prepend a victim's request with arbitrary data, allowing for function execution impersonating the victim or poisoning intermediary Web caches."
- CVE-2022-32894, an Apple iOS and macOS Out-of-Bounds Write Vulnerability "that could allow an application to execute code with kernel privileges."
- CVE-2022-32893, another Apple iOS and macOS Out-of-Bounds Write Vulnerability. This one "could allow for remote code execution when processing malicious crafted web content."
- CVE-2022-2856, a Google Chrome Intents Insufficient Input Validation Vulnerability that "allows for insufficient validation of untrusted input, causing unknown impacts." The full significance of this vulnerability remains under investigation, and CISA intends to release more information as it becomes available.
- CVE-2022-26923, a Privilege Escalation Vulnerability in Microsoft Active Directory Domain Services. "An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow for privilege escalation to SYSTEM."
- CVE-2022-21971, a Microsoft Windows Runtime Remote Code Execution Vulnerability that "allows for remote code execution."
- CVE-2017-15944, multiple unspecified vulnerabilities in Palo Alto Networks' PAN-OS that could permit "remote code execution when chained."
All of these are undergoing active exploitation in the wild, and US Federal Civilian Executive Branch agencies falling under CISA's oversight are required to check their enterprise software and apply vendor patches no later than September 9th, 2022.
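The remediation workflow BOD 22-01 imposes (find catalogued software in the enterprise, fix it by the catalog's due date) is simple to script against CISA's public KEV JSON feed. What follows is an added example, not part of this digest or of any CISA tooling. The feed excerpt it parses is constructed to mirror the public feed's field names (cveID, vendorProject, product, dateAdded, dueDate); the CVE identifiers, vendors, products and the September 9th, 2022 due date come from the alert above, while the dateAdded values, the UnRAR record's due date and the asset inventory are constructed so that one finding is already overdue on the chosen review date.

```python
"""Triage CISA KEV records against an asset inventory (added example, constructed data)."""
import json
from datetime import date, timedelta

# Constructed excerpt in the shape of the KEV feed. dateAdded values and the
# UnRAR due date are illustrative; the 2022-09-09 due date is the one in the alert.
KEV_FEED_JSON = """
{
  "catalogVersion": "constructed-sample",
  "vulnerabilities": [
    {"cveID": "CVE-2022-22536", "vendorProject": "SAP", "product": "Multiple Products",
     "dateAdded": "2022-08-18", "dueDate": "2022-09-09"},
    {"cveID": "CVE-2022-32893", "vendorProject": "Apple", "product": "iOS and macOS",
     "dateAdded": "2022-08-18", "dueDate": "2022-09-09"},
    {"cveID": "CVE-2022-26923", "vendorProject": "Microsoft",
     "product": "Active Directory Domain Services",
     "dateAdded": "2022-08-18", "dueDate": "2022-09-09"},
    {"cveID": "CVE-2017-15944", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
     "dateAdded": "2022-08-18", "dueDate": "2022-09-09"},
    {"cveID": "CVE-2022-30333", "vendorProject": "RARLAB", "product": "UnRAR",
     "dateAdded": "2022-08-09", "dueDate": "2022-08-20"}
  ]
}
"""

# Constructed asset inventory: vendor/product as an organisation's CMDB might record them.
INVENTORY = [
    {"asset": "dc-01", "vendor": "Microsoft", "product": "Active Directory"},
    {"asset": "fw-edge", "vendor": "Palo Alto Networks", "product": "PAN-OS"},
    {"asset": "erp-01", "vendor": "SAP", "product": "NetWeaver"},
    {"asset": "mac-fleet", "vendor": "Apple", "product": "macOS"},
    {"asset": "backup-01", "vendor": "RARLAB", "product": "UnRAR"},
    {"asset": "web-01", "vendor": "nginx", "product": "nginx"},
]


def load_kev(feed_json: str) -> list:
    """Parse the feed and return its vulnerability records."""
    return json.loads(feed_json)["vulnerabilities"]


def _norm(text: str) -> str:
    return " ".join(text.lower().split())


def kev_applies(entry: dict, asset: dict) -> bool:
    """Match a KEV record to an asset: same vendor, and either product name contains
    the other. The catalog's umbrella name "Multiple Products" (as on the SAP entry)
    is treated as matching every asset from that vendor, so nothing is silently skipped."""
    if _norm(entry["vendorProject"]) != _norm(asset["vendor"]):
        return False
    kev_product, asset_product = _norm(entry["product"]), _norm(asset["product"])
    if kev_product == "multiple products":
        return True
    return kev_product in asset_product or asset_product in kev_product


def status_for(due: date, as_of: date, window_days: int = 30) -> str:
    """Classify a BOD 22-01 due date relative to the review date."""
    if due < as_of:
        return "overdue"
    if due - as_of <= timedelta(days=window_days):
        return "due_soon"
    return "scheduled"


def triage(feed_json: str, inventory: list, as_of: date, window_days: int = 30) -> dict:
    """Return KEV findings per asset, overdue first, plus assets with no KEV match."""
    entries = load_kev(feed_json)
    findings, affected = [], set()
    for asset in inventory:
        for entry in entries:
            if kev_applies(entry, asset):
                affected.add(asset["asset"])
                findings.append({
                    "asset": asset["asset"],
                    "cveID": entry["cveID"],
                    "dueDate": entry["dueDate"],
                    "status": status_for(date.fromisoformat(entry["dueDate"]), as_of, window_days),
                })
    rank = {"overdue": 0, "due_soon": 1, "scheduled": 2}
    findings.sort(key=lambda f: (rank[f["status"]], f["dueDate"], f["asset"]))
    unaffected = [a["asset"] for a in inventory if a["asset"] not in affected]
    return {"findings": findings, "unaffected_assets": unaffected}


def example_report() -> dict:
    """Run the triage on the constructed data with a constructed review date."""
    return triage(KEV_FEED_JSON, INVENTORY, as_of=date(2022, 8, 25))


if __name__ == "__main__":
    report = example_report()
    for f in report["findings"]:
        print(f"{f['status']:<9} {f['asset']:<10} {f['cveID']:<15} due {f['dueDate']}")
    print("no KEV match:", ", ".join(report["unaffected_assets"]))
```

Against the live feed the same code runs unchanged once `KEV_FEED_JSON` is replaced by the downloaded catalog; the fragile part in practice is the vendor/product match, which is why the umbrella "Multiple Products" case is handled explicitly rather than left to fall through as a false negative.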
Crime and punishment.
The US Department of Justice reported Wednesday in a press release that an alleged Russian money launderer was extradited from the Netherlands to the US, where he faces charges in Oregon. The 29-year-old Denis Mihaqlovic Dubnikov is accused, along with co-conspirators, of laundering ransomware profits from Ryuk attacks on individuals and organizations both inside and outside the US. The press release states, "After receiving ransom payments, Ryuk actors, Dubnikov and his co-conspirators, and others involved in the scheme, allegedly engaged in various financial transactions, including international financial transactions, to conceal the nature, source, location, ownership, and control of the ransom proceeds. In July 2019, Dubnikov allegedly laundered more than $400,000 in Ryuk ransom proceeds. Those involved in the conspiracy laundered at least $70 million in ransom proceeds."
Courts and torts.
The Florida Orthopaedic Institute has agreed to pay $4 million to settle a class action that claimed the Institute had failed to protect consumers in a 2020 data breach, Top Class Actions reports. The Institute informed affected patients (of which there were about 640,000) in June 2020 that their data may have been compromised. Affected data includes names, birth dates, Social Security numbers, medical information, insurance data and other sensitive health data. “As a result of Defendant’s failure to implement and follow basic security procedures Plaintiffs’ and Class Members’ PII is now in the hands of thieves and unknown criminals. Plaintiffs and Class Members now face a substantial increased risk of identity theft," the class action lawsuit reads. While the Institute agreed to pay the $4 million, it has not admitted any wrongdoing.
Policies, procurements, and agency equities.
The US Cyber National Mission Force (CNMF), an element of Cyber Command, has concluded what it characterizes as a successful "hunt forward" mission in conjunction with Croatia, CyberScoop reports. "The CNMF team worked alongside the Croatian Security and Intelligence Agency’s Cyber Security Centre on the operation, 'hunting on the prioritized networks of national significance and looking for malicious cyber activity and vulnerabilities.'” US Cyber Command did not explicitly connect the operation with Russia's war against Ukraine, but, as the Record points out, the Command has said that it was giving priority in its hunt-forward operations to threats linked to Russia, and other recent deployments to Eastern Europe have been avowedly conducted for defense against Russian cyber operations.