At a glance.
- Russian and Chinese cyber activity in Latin America.
- Greenwashing influence operations.
- Iranian threat actor exploits Log4j vulnerabilities against Israeli targets.
- Russian cyber operations reported in Southeastern Europe.
- Cyberespionage around the South China Sea.
- Russian streaming platform sustains a data leak.
- Chrome extensions steal browser data.
- Business email compromise attack under investigation in Kentucky.
- Belarusian Cyber Partisans claim to have a complete Belarusian passport database.
- The BianLian ransomware gang is better at coding than at the business of crime.
- Ragnar Locker's current interests.
- Mobile app supply chain vulnerabilities.
- REvil (or an impostor, or successor) may be back.
- Paris-area medical center continues to work to recover from cyber extortion.
Russian and Chinese cyber activity in Latin America.
Dialogo Americas reports increased Russian and Chinese efforts to establish a cyber beachhead in Latin America. Those efforts have been marked by Spanish-language disinformation campaigns and, in the case of Russia, a stepped-up tempo of privateering activity, for the most part by well-known ransomware gangs. Chinese efforts have been marked by an attempt at developing influence through technology exports: ZTE has been used to induce a dependence on Chinese tech in Venezuela, where it finds a welcome audience in the Maduro regime. "'There is growing evidence that the [Venezuelan] regime is using the Carnet de la Patria to exercise control over the population. For example, numerous testimonies say that the Carnet de la Patria was used to verify citizens' votes in the 2017 and 2018 elections,' the Organization of American States said in a report on the Venezuelan migrant and refugee crisis in the region."
Russian military cyber personnel deployed to Venezuela in May of 2019 in the overt role of helping the country recover from the collapse of its power grid. Many of those personnel have remained.
Greenwashing influence operations.
Bloomberg reports that a bot-driven Chinese influence campaign has been running against Lynas Rare Earths Ltd., an Australian mining company engaged in the extraction and processing of rare earth metals in Australia and Malaysia. Bogus social media accounts circulate accusations of environmental irresponsibility on the part of Lynas with a view to influencing Australian and US public opinion. Rare earths are essential to the electronic and green energy sectors; dominance of both sectors is a key, longstanding objective of Chinese policy.
Iranian threat actor exploits Log4j vulnerabilities against Israeli targets.
Microsoft reports that the Iranian state cyber threat actor it tracks as Mercury (and which others know as MuddyWater, Seedworm, and Static Kitten) is exploiting Log4j 2 vulnerabilities in SysAid applications. All the targets have been organizations in Israel.
"In recent weeks, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team detected Iran-based threat actor MERCURY leveraging exploitation of Log4j 2 vulnerabilities in SysAid applications against organizations all located in Israel. MSTIC assesses with high confidence that MERCURY’s observed activity was affiliated with Iran’s Ministry of Intelligence and Security (MOIS).
"While MERCURY has used Log4j 2 exploits in the past, such as on vulnerable VMware apps, we have not seen this actor using SysAid apps as a vector for initial access until now. After gaining access, MERCURY establishes persistence, dumps credentials, and moves laterally within the targeted organization using both custom and well-known hacking tools, as well as built-in operating system tools for its hands-on-keyboard attack."
Russian cyber operations reported in Southeastern Europe.
Last Friday and Saturday, respectively, Montenegrin and Bulgarian officials accused Russia of conducting cyber attacks against their countries' infrastructures. "Montenegro’s National Security Agency (ANB) said on August 26 that several Russian agencies were behind a cyberattack on key IT systems of state institutions earlier in August. Outgoing Prime Minister Dritan Abazovic said that Montenegro was at the peak of a hybrid war," BNE Intellinews reports, adding, "The following day, Bulgaria’s former ruling Gerb party said it was attacked by Russian hackers who aimed at publications on three specific topics on its social media pages." Earlier attacks, also attributed to Russian threat actors, had hit Albanian government services. All three countries have generally supported the cause of Ukraine in the present war, with Albania and Montenegro being particularly vocal in their support of extensive sanctions against Russia. Reuters describes the effects of the cyberattack against Montenegro: "'Certain services were switched off temporarily for security reasons but the security of accounts belonging to citizens and companies and their data have not been jeopardised,' Public Administration Minister Maras Dukaj said on Twitter." The state-owned power utility was among the services affected, and has switched some automated services to manual operation as a precaution.
Montenegro continues to work to recover government systems, and has now, Reuters reports, called the incident ransomware. Dukaj said that no ransom demand had yet been received, but that some stolen data had been spotted online. Dukaj said, "We have already got an official confirmation, it can also be found on the dark web where the documents that were hacked from our system's computers will be published." Thus the attack, which has substantially disrupted public services in the Balkan country, seems to be a double-extortion attack.
Cyberespionage around the South China Sea.
Proofpoint Tuesday released a report on a cyberespionage campaign against nations with regional interests centered on, but not confined to, the South China Sea. The researchers call the responsible threat group TA423 or Red Ladon, and say that it shows an overlap with APT40, a Chinese government unit, also known as Leviathan, that operates from Hainan. Red Ladon has a close interest in the Australian government and in anyone's wind turbines in the South China Sea. The threat actor typically achieves initial access by phishing. "Beginning on 12 April 2022, and continuing through mid-June 2022, Proofpoint identified several waves of a phishing campaign resulting in the execution of the ScanBox reconnaissance framework, in part based on intelligence shared by PwC Threat Intelligence related to ongoing ScanBox activity. The phishing campaign involved URLs delivered in phishing emails, which redirected victims to a malicious website posing as an Australian news media outlet." The phishing campaign has been long-running, and the cyberespionage serves Beijing's long-range economic interests.
Russian streaming platform sustains a data leak.
The Record reports that the Russian streaming service START, which supplies content to users in at least one-hundred-seventy-four countries, disclosed this past Sunday that it has sustained a data leak. START hasn't said how serious the leak was, but the Russian Telegram channel Information Leaks, which published screenshots purporting to be proof-of-hack, says the leak amounted to seventy-two gigabytes and included data on forty-four-million customers. According to the Record, "The leaked information includes usernames, email addresses, hashed passwords, IP addresses, users' countries of registration, subscription start and end dates, and the last login to the service." Most of the affected users are thought to be in Russia, but substantial minorities are from Kazakhstan, China, and Ukraine. Those responsible for the incident (and it's unclear who they are, and whom they might be working for, other than themselves) claim they got the information from an exposed MongoDB database.
Chrome extensions steal browser data.
Researchers at McAfee have found five "cookie-stuffing" Chrome extensions that together have found almost a million-and-a-half users. The extensions, which collect the victim's browser activity, are:
- Netflix Party (mmnbenehknklpbendgmgngeaignppnbe) – 800,000 downloads
- Netflix Party 2 (flijfnhifgdcbhglkneplegafminjnhn) – 300,000 downloads
- Full Page Screenshot Capture – Screenshotting (pojgkmkfincpdkdgjepkmdekcahmckjp) – 200,000 downloads
- FlipShope – Price Tracker Extension (adikhbfjdbjkhelbdnffogkobkekkkej) – 80,000 downloads
- AutoBuy Flash Sales (gbnahglfafmhaehbdmjedfhdmimjcbed) – 20,000 downloads
BleepingComputer reports that two of the extensions, the Netflix-branded apps, have been removed from Google Play. As of the time of writing, the other three remain online. As McAfee points out, an app's having a large install base is no guarantee that it's benign.
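As an added illustration (not code from the original article or from McAfee), the following Python script audits a Chrome profile's installed extensions against the five extension IDs listed above. It assumes Chrome's on-disk layout of `<profile>/Extensions/<extension id>/<version>/manifest.json` and that extension IDs are 32 lowercase letters in the range a-p; the sample profile it builds in a temporary directory is constructed for offline demonstration.

```python
"""Audit a Chrome profile's installed extensions against a block list.

Added example, not from the original article or from McAfee. Chrome keeps
an unpacked copy of each installed extension under
<profile>/Extensions/<extension id>/<version>/manifest.json, where the
extension id is 32 lowercase letters a-p. The block list holds the five
extension ids named in the article.
"""
import json
import re
import tempfile
from pathlib import Path

# Extension IDs reported by McAfee, as listed in the article.
KNOWN_BAD_EXTENSION_IDS = {
    "mmnbenehknklpbendgmgngeaignppnbe": "Netflix Party",
    "flijfnhifgdcbhglkneplegafminjnhn": "Netflix Party 2",
    "pojgkmkfincpdkdgjepkmdekcahmckjp": "Full Page Screenshot Capture - Screenshotting",
    "adikhbfjdbjkhelbdnffogkobkekkkej": "FlipShope - Price Tracker Extension",
    "gbnahglfafmhaehbdmjedfhdmimjcbed": "AutoBuy Flash Sales",
}

# Chrome extension ids are 32 characters drawn from a-p (a hex digest re-mapped).
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")


def find_installed_extensions(profile_dir):
    """Return {extension_id: name} for every extension directory under the profile.

    The name comes from the newest version's manifest.json; localized names
    ("__MSG_...__") and unreadable manifests fall back to the id itself.
    """
    ext_root = Path(profile_dir) / "Extensions"
    found = {}
    if not ext_root.is_dir():
        return found
    for ext_dir in sorted(ext_root.iterdir()):
        ext_id = ext_dir.name
        if not (ext_dir.is_dir() and EXTENSION_ID_RE.match(ext_id)):
            continue
        name = ext_id
        for manifest in sorted(ext_dir.glob("*/manifest.json")):
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue
            candidate = data.get("name", "")
            if isinstance(candidate, str) and candidate and not candidate.startswith("__MSG_"):
                name = candidate
        found[ext_id] = name
    return found


def flag_known_bad(installed, blocklist=KNOWN_BAD_EXTENSION_IDS):
    """Return (id, name_on_disk, name_in_blocklist) for each installed id on the block list."""
    return [(i, installed[i], blocklist[i]) for i in sorted(installed) if i in blocklist]


def build_sample_profile(root):
    """Create a constructed sample profile: one block-listed id and one harmless one."""
    samples = {
        "mmnbenehknklpbendgmgngeaignppnbe": "Netflix Party",  # id from the block list
        "a" * 32: "Harmless Notes",  # constructed id, not on the list
    }
    for ext_id, name in samples.items():
        version_dir = Path(root) / "Extensions" / ext_id / "1.0.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(
            json.dumps({"name": name, "version": "1.0.0", "manifest_version": 3}),
            encoding="utf-8",
        )
    return root


def audit_sample_profile():
    """Build the constructed profile in a temp dir and return the flagged entries."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        return flag_known_bad(find_installed_extensions(tmp))


if __name__ == "__main__":
    # Point find_installed_extensions() at a real profile directory to audit a host;
    # here the constructed sample is used so the script runs offline.
    for ext_id, seen, listed in audit_sample_profile():
        print(f"BLOCKLISTED {ext_id}: installed as '{seen}' (reported as '{listed}')")
```

To audit a real machine, call `find_installed_extensions()` with the profile path (for example the `Default` profile directory under the user's Chrome data directory) instead of the constructed sample; matching on the id rather than the display name matters because a malicious extension can be republished under a new name while its id stays tied to its signing key.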
Business email compromise attack under investigation in Kentucky.
The Lexington (Kentucky) Police Financial Crimes Unit is investigating the "electronic theft of approximately $4 million in federal rent assistance and transitional housing funds," the city announced. The Record says the FBI and Secret Service have been brought in to assist with the investigation. Lexington's description of the theft indicates that it was a business email compromise caper. "Police believe a person or persons outside the government directed an electronic funds transfer into a private account. The transfer was originally intended for Community Action Council," the city said. "Initial information shows no criminal involvement of City or Community Action Council employees." The city's financial system wasn't compromised, but city employees were inveigled into sending the funds into what proved to be a private bank account. That account has since been frozen by the financial institution that holds it.
Belarusian Cyber Partisans claim to have a complete Belarusian passport database.
The Belarusian Cyber Partisans, a dissident group opposed to the continued rule of President Lukashenka, claimed Tuesday to have obtained a complete database of all Belarusian passports. They describe their caper like this: "For the 1st time in human history a #hacktivist collective obtained passport info of the ALL country's citizens. Now we're offering you an opportunity to become a part of this history. Get a unique digital version of #lukashenka passport as #NFT https://opensea.io/collection/cpartisans-passports." Opensea has since taken down the passports. The Cyber Partisans elaborate on their motives: "The dictator has a birthday today - help us ruin it for him! Get our work of art today. A special offer - a New Belarus passport for #lukashenka where he's behind the bars. Make it happen sooner while he's still alive. We also offer passports of his closest allies and traitors of the people of #Belarus and #Ukraine. All the funds will go to support our work in hitting bloody regimes in #minsk & #moscow."
The BianLian ransomware gang is better at coding than at the business of crime.
Security firm [redacted] ("[redacted]" is the company's name, not an editorial bowdlerization) Thursday released a study of a ransomware operation they've been tracking. The gang calls itself "BianLian," and uses custom malware written in the Go language. That malware is resistant to reverse engineering, [redacted] says, but not completely uncrackable. BianLian has tended to use the ProxyShell vulnerability to gain initial access to its targets, and it has shown a preference for targeting servers that provide remote access. As a double-extortion operation, BianLian maintains a dumpsite where it can post data stolen from its victims. The gang chooses its victims largely from companies based in North America, Australia, and the United Kingdom; the companies range in size from small businesses to big multinationals.
BianLian seems unrelated to the Android banking Trojan that's been referred to by the same name. And, while many ostensibly new ransomware groups in fact represent rebrandings of existing groups, or have formed from the remnants of gangs disrupted by law enforcement, [redacted] thinks that BianLian is actually a new group. "While there is a long history of seemingly new ransomware groups rising from the ashes of defunct and/or rebranded groups, we do not have any indications at this time to suggest that is the case with BianLian. For all intents and purposes, the BianLian group appears to represent a new entity in the ransomware ecosystem." They're better at coding than at the business of crime. "Furthermore, we assess that the BianLian actors represent a group of individuals who are very skilled in network penetration but are relatively new to the extortion/ransomware business."
Ragnar Locker's current interests.
Cybereason Thursday published an account of the Ragnar Locker threat actors. Their key findings confirm much of what's long been known or suspected about the operation, and add details on the group's evolution. Ragnar Locker has joined other ransomware actors (like Cuba and the former Conti group) in paying particular attention to the energy sector. Ragnar Locker has claimed, for example, the Greek natural gas delivery company DESFA as one of its victims.
Active for at least three years, Ragnar Locker has become increasingly evasive. Its ransomware now "checks if specific products are installed, especially security products (antivirus), virtual-based software, backup solutions and IT remote management solutions." And, of course, it's aligned with Russia. "Ragnar Locker avoids being executed from countries since the group is located in the Commonwealth of Independent States (CIS)." The CIS is an association of former Soviet Republics that have remained in a more-or-less uneasy association with the Russian heir to the USSR.
Mobile app supply chain vulnerabilities.
The Symantec Threat Hunter Team, part of Broadcom Software, released a blog Wednesday detailing mobile app supply chain vulnerabilities. The team says that issues with the supply chain in relation to mobile apps include:
- “Mobile app developers unknowingly using vulnerable external software libraries and SDKs,”
- “Companies outsourcing the development of their mobile apps, which then end up with vulnerabilities that put them at risk,”
- “Companies, often larger ones developing multiple apps across teams, using cross-team vulnerable libraries in their apps”
Over 1,800 apps were found to contain hard-coded AWS credentials, of which 98% were iOS apps. 77% contained valid AWS tokens that allow access to AWS cloud services, and 47% included tokens that gave access to numerous files via the Amazon Simple Storage Service. Interestingly, over half of the AWS tokens discovered were found to be used in other apps, even from differing developers and companies, and were traced to shared components within apps.
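The following Python script is an added example, not code from the article or from Symantec's research. It shows the two checks a defender would want after reading the finding above: spotting AWS access key IDs in the strings of an app bundle, and grouping them across bundles to find a key that several apps (from different developers) share, which is the shared-component pattern the report describes. It assumes the documented AWS key-ID shape ("AKIA" for long-term and "ASIA" for temporary keys, followed by 16 upper-case alphanumerics) and a heuristic for an adjacent 40-character secret; the sample bundles are constructed text, using the example key ID and secret from AWS's own documentation plus made-up values.

```python
"""Find hard-coded AWS access key IDs in app bundles and spot keys shared across apps.

Added example, not from the article or from Symantec. Sample bundles are
constructed strings standing in for text extracted from app binaries; the
first key/secret pair is the well-known example pair from AWS documentation.
"""
import re
from collections import defaultdict
from pathlib import Path

# Long-term key ids start with AKIA, temporary (STS) key ids with ASIA; 20 chars total.
AWS_KEY_ID_RE = re.compile(rb"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Heuristic: a 40-char token over the secret-key alphabet near a key id suggests a usable pair.
AWS_SECRET_NEARBY_RE = re.compile(rb"\b[A-Za-z0-9/+]{40}\b")

# Constructed sample bundles: two apps from different developers embed the same key
# (as a shared SDK would), one app has no key, and one has a key of its own.
SAMPLE_BUNDLES = {
    "ShopFast (developer A)": (
        b'AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"\n'
        b'AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "NewsNow (developer B)": (
        b"[aws]\nregion=us-east-1\naccess_key_id=AKIAIOSFODNN7EXAMPLE\n# secret loaded at runtime\n"
    ),
    "Notes (developer C)": (
        b"akiaiosfodnn7example is lowercase and XAKIAIOSFODNN7EXAMPLEY is glued into a word\n"
    ),
    "Fitness (developer D)": (
        b"key=AKIAEXAMPLEEXAMPLE02 secret=0123456789abcdefghijklmnopqrstuvwxyzABCD\n"
    ),
}


def find_aws_key_ids(blob):
    """Return the set of AWS access key ids (as str) found in a bytes blob."""
    return {m.group(0).decode("ascii") for m in AWS_KEY_ID_RE.finditer(blob)}


def has_secret_nearby(blob, key_id, window=200):
    """True if a secret-shaped 40-char token appears within `window` bytes after key_id."""
    idx = blob.find(key_id.encode("ascii"))
    if idx < 0:
        return False
    start = idx + len(key_id)
    return AWS_SECRET_NEARBY_RE.search(blob, start, start + window) is not None


def scan_bundles(bundles):
    """Map each key id to the sorted names of the bundles that contain it."""
    seen = defaultdict(set)
    for name, blob in bundles.items():
        for key in find_aws_key_ids(blob):
            seen[key].add(name)
    return {key: sorted(names) for key, names in seen.items()}


def shared_keys(bundles):
    """Keys present in two or more bundles: the cross-app sharing the report describes."""
    return {key: names for key, names in scan_bundles(bundles).items() if len(names) >= 2}


def load_bundle_directory(root):
    """Concatenate every regular file under root (e.g. an unzipped .ipa or .apk) into one blob."""
    return b"\n".join(p.read_bytes() for p in sorted(Path(root).rglob("*")) if p.is_file())


if __name__ == "__main__":
    # Replace SAMPLE_BUNDLES with {name: load_bundle_directory(path)} for real unpacked apps.
    for name, blob in SAMPLE_BUNDLES.items():
        for key in sorted(find_aws_key_ids(blob)):
            secret = "secret-shaped token nearby" if has_secret_nearby(blob, key) else "key id only"
            print(f"{name}: {key} ({secret})")
    for key, names in shared_keys(SAMPLE_BUNDLES).items():
        print(f"SHARED {key} appears in {len(names)} bundles: {', '.join(names)}")
```

A key-ID hit on its own is a finding to triage, not proof of exposure; the pairing with a secret-shaped token nearby is what makes the credential usable, and either way the remediation is the same: rotate the key in IAM, move the app to short-lived credentials issued by a backend or identity broker, and scope the replacement key to the minimum S3 prefixes it needs. A key that shows up in several apps points to a shared SDK or template, so the fix belongs in that component rather than in each app separately.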
REvil (or an impostor, or successor) may be back.
The ransomware group behind REvil may have returned, Cybernews reports. The gang had been in occultation for some months, and many concluded that it had disbanded. That may still be true, but someone claiming to represent REvil has said they successfully attacked the Midea Group, a major Chinese manufacturer of electrical appliances, and they've revived a version of the REvil dumpsite to post a proof-of-hack. The story is still developing, and what's been reported so far is as consistent with imposture and rebranding as it is with the gang's return.
Paris-area medical center continues to work to recover from cyber extortion.
The Centre Hospitalier Sud Francilien (CHSF), hit in August by an extortion attack that reduced the medical center's ability to deliver patient care, is still in the process of recovering from the cyberattack. RFI reports that the Gendarmerie's GIGN has come to the assistance of the hospital (located south of Paris) and is both investigating and negotiating with the criminal attackers. CHSF continues to refuse to pay ransom. BleepingComputer reviews grounds for thinking the attack involved a LockBit variant. The effects of the incident have been unusually protracted.
Patch news.
The US Cybersecurity and Infrastructure Security Agency (CISA) has released twelve Industrial Control Systems Advisories, for Hitachi Energy FACTS Control Platform (FCP) Product ("mitigations for Inconsistent Interpretation of HTTP Requests, Use After Free, Classic Buffer Overflow, Integer Underflow, Improper Certificate Validation, [and] Observable Discrepancy vulnerabilities"), Hitachi Energy GWS ("mitigations for HTTP Requests, Use After Free, Classic Buffer Overflow, Integer Underflow, Improper Certificate Validation, [and] Observable Discrepancy vulnerabilities"), Hitachi Energy MSM ("mitigations for a Reliance on Uncontrolled Component vulnerability"), Hitachi Energy RTU500 series ("mitigations for an Improper Input Validation vulnerability"), Fuji Electric D300win ("mitigations for Out-of-bounds Read and Write-what-where Condition vulnerabilities"), Honeywell ControlEdge ("mitigations for a Missing Authentication for Critical Function vulnerability"), Honeywell Experion LX ("mitigations for a Missing Authentication for Critical Function vulnerability"), Honeywell Trend Controls ("mitigations for a Cleartext Transmission of Sensitive Information vulnerability"), Omron CX-Programmer ("mitigations for a Use After Free vulnerability"), PTC Kepware KEPServerEX ("mitigations for Heap-Based Buffer Overflow and Stack-Based Buffer Overflow vulnerabilities"), Sensormatic Electronics iSTAR ("mitigations for a Command Injection vulnerability"), and Mitsubishi Electric Multiple Factory Automation Products (Update B) ("mitigations for Infinite Loop and OS Command Injection vulnerabilities").
The US Cybersecurity and Infrastructure Security Agency (CISA) has released two more Industrial Control Systems Advisories. One, for Contec CMS8000, addresses "Improper Access Control, Uncontrolled Resource Consumption, Use of Hard-Coded Credentials, [and] Active Debug Code vulnerabilities" in an ICU/CCU Vital Signs Patient Monitor. The other, for Delta Electronics DOPSoft, mitigates "an Out-of-bounds Read vulnerability in versions of Delta Electronics DOPSoft, a software supporting the DOP-100 series HMI screens."
Courts and torts.
Sephora has been fined $1.2 million in a settlement following a breach of the California Consumer Privacy Act (CCPA), Cosmetics Business reports. Customers reportedly were not informed that the beauty giant was selling their data. Yotam Segev, co-founder and CEO of Cyera, wrote to say, "What I find most interesting about the Sephora settlement is that it started with a spot-check audit of more than 100 retailers. This is the sort of thing that keeps security and risk professionals up at night. Business leaders are tasked with finding ways to leverage data to create new revenue streams. Especially with the shift to remote work, permissive access and applications like Google Drive or Slack make it easy to access and spread information across a business. The people or teams involved may have believed they were permitted to monetize this data. How many businesses are prepared for this kind of action? Security and risk teams need a simple way to answer basic questions like: What data do I have? Where is it now? Who is accessing it? How should it be governed and secured? Those are questions you need answers to at your fingertips, not something to be found after a lengthy audit process following a security incident."
The US Federal Trade Commission has filed a lawsuit against Idaho-based data broker Kochava for allegedly "selling geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations." The FTC stated, "Kochava’s data can reveal people’s visits to reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities. The FTC alleges that by selling data tracking people, Kochava is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence. The FTC’s lawsuit seeks to halt Kochava’s sale of sensitive geolocation data and require the company to delete the sensitive geolocation information it has collected."
According to TechCrunch, Kochava said in response: "This lawsuit shows the unfortunate reality that the FTC has a fundamental misunderstanding of Kochava’s data marketplace business and other data businesses. Kochava operates consistently and proactively in compliance with all rules and laws, including those specific to privacy. Prior to the legal proceedings, Kochava took the proactive step of announcing a new capability to block geo data from sensitive locations via Privacy Block, effectively removing that data from the data marketplace, and is currently in the implementation process of adding that functionality."