At a glance.
- Worok cyberespionage group active in Central Asia and the Middle East.
- Prynt Stealer and the evolution of commodity malware.
- Sharkbot malware reemerged in Google Play.
- BlackCat/ALPHV claims credit for attack on Italian energy sector.
- US military doxed, possibly by Conti remnants.
- Los Angeles Unified School District hit with ransomware over the weekend.
- Albania attributes cyberattack to Iran.
- TikTok denies breach.
- New Linux malware.
- Ransomware targeting the education sector.
- Finland prepares to increase its cybersecurity capacity.
- Bronze President shows both enduring interests and adaptability.
- Lazarus Group targeting energy companies.
- Adapting anti-cheat engines to malicious purposes.
- Games also serve as bait.
Worok cyberespionage group active in Central Asia and the Middle East.
ESET has released research into a threat group it's calling "Worok." They characterize it as sophisticated, and while "sophisticated" is thrown around a lot, in this case ESET uses it with some justice. "Worok is a cyberespionage group that develops its own tools, as well as leveraging existing tools, to compromise its targets." The motive is espionage. "Stealing information from their victims is what we believe the operators are after because they focus on high-profile entities in Asia and Africa, targeting various sectors, both private and public, but with a specific emphasis on government entities." It's unclear whom Worok is working for, despite some circumstantial overlap with other groups, some of them associated with Beijing. "Activity times and toolset indicate possible ties with TA428, but we make this assessment with low confidence. Their custom toolset includes two loaders – one in C++ and one in C# .NET – and one PowerShell backdoor." And ESET invites contributions from other researchers. "While our visibility is limited, we hope that shedding light on this group will encourage other researchers to share information about this group."
Prynt Stealer and the evolution of commodity malware.
Zscaler researchers report that Prynt Stealer, an infostealer being traded in the C2C market, turns out to have been designed to defraud the criminal customers who've bought and employed it. The malware itself has been developed from open sources and legacy malware, mostly AsyncRAT and StormKitty. "Many parts of the Prynt Stealer code that have been borrowed from other malware families are not used, but are still present in the binary as dead unreachable code," Zscaler's report says: malicious code present in Prynt Stealer as a kind of vestigial organ, like the human appendix. AsyncRAT gives Prynt Stealer a multifunctional remote access Trojan, and StormKitty contributes the information stealer. Code similarities suggest that Prynt Stealer's developers may also have been involved with WorldWind and DarkEye malware.
What the criminal customers don't count on getting with their purchase is a backdoor the developers inserted to funnel the stolen information back to themselves. "The backdoor sends copies of victims' exfiltrated data gathered by other threat actors to a private Telegram chat monitored by the builder’s developers. While this untrustworthy behavior is nothing new in the world of cybercrime, the victims' data end up in the hands of multiple threat actors, increasing the risks of one or more large scale attacks to follow." The bad faith is interesting, but not particularly surprising. What's most striking about Prynt Stealer is the waypoint it marks in the continuing evolution of malware into a poorly-constructed but good-enough commodity suitable for operation and even development by relatively unsophisticated threat actors.
Sharkbot malware reemerged in Google Play.
NCC Group's Fox-IT unit reports that Sharkbot, has resurfaced in an improved form (versions 2 and 2.5), carried by two compromised apps that were made available in Google Play. “Mister Phone Cleaner” and “Kylhavy Mobile Security,” the two compromised security apps, between them attracted some 60,000 downloads before being removed from Google Play.
The newer versions of Sharkbot retain the malware's original functionality, including keylogging, SMS interception, overlay attacks that display a phishing site, and remote control over affected devices. To these version 2.5 adds a cookie stealer. The operators have also expanded their targeting to include victims in Spain, Australia, Poland, Germany, the United States, and Austria.
BlackCat/ALPHV claims credit for attack on Italian energy sector.
The BlackCat/ALPHV ransomware privateers have claimed responsibility for an attack against Italian renewable energy provider Gestore dei Servizi Energetici SpA (GSE). This is the most recent in a string of attacks against Western European energy-sector targets, BleepingComputer reports. It had earlier hit Eni SpA, the largest energy company in Italy, with minimal effect on the utility's operation, and has also claimed the attacks against natural gas pipeline and electrical grid operator Creos Luxembourg S.A., and the German oil supply company Oiltanking. BlackCat/ALPHV is a Russian gang widely believed to represent a rebranding of the BlackMatter/DarkSide group.
US military doxed, possibly by Conti remnants.
Someone, vx-underground claims, is posting "11.84GB of United States Military Contractor and Military Reserve data." The data were acquired in a 2022 breach of databases in Puerto Rico, and those who are advertising the data dump on Telegram say they're making the data available "in response to the atrocious acts that US has been involved with all these years without regard for human lives." It's unclear who's leaking, but vx-underground speculates, "We suspect (the now defunct) Conti ransomware group is distributing United States Military data they acquired when they breached Puerto Rico." So those responsible might be a Conti successor, Conti alumni, or even a revenant Conti itself.
Los Angeles Unified School District hit with ransomware over the weekend.
Details are sparse, but the Los Angeles Unified School District has disclosed a ransomware attack it discovered this past weekend. School remains in session and the District has called in lots of Federal help. "After the District contacted officials over the holiday weekend, the White House brought together the Department of Education, the Federal Bureau of Investigation (FBI) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) to provide rapid, incident response support to Los Angeles Unified, building on the immediate support by local law enforcement agencies. At the District’s request, agencies marshaled significant resources to assess, protect and advise Los Angeles Unified's response, as well as future planned mitigation protocols."
Albania attributes cyberattack to Iran.
Reuters reports that Albania has attributed the extensive, disruptive cyberattack it sustained on July 15th, 2022, to Iran. "The in-depth investigation provided us with indisputable evidence that the cyberattack against our country was orchestrated and sponsored by the Islamic Republic of Iran through the engagement of four groups that enacted the aggression," Prime Minister Edi Rama said. Albania has severed diplomatic relations with Iran and ordered Iran's diplomats to leave the country. Prime Minister Rama acknowledged the stringency of the response, but said it was fully justified. "This extreme response ... is fully proportionate to the gravity and risk of the cyberattack that threatened to paralyse public services, erase digital systems and hack into state records, steal government intranet electronic communication and stir chaos and insecurity in the country," he explained.
TikTok denies breach.
Social media giant TikTok says that a reported data breach on the platform may never have actually happened, Hot Hardware reports. Last week, a vulnerability in the TikTok app on Android was revealed by Microsoft that would have allowed threat actors to hijack accounts. The vulnerability was patched before its disclosure, but a Breach Forums user with the name “AgainstTheWest” reported shortly after Microsoft’s disclosure that they had access to a server containing 6.7TB of stolen data from TikTok and WeChat. TikTok denies the breach, saying in a statement to Forbes that “Our security team has found no evidence of a security breach. We have confirmed that the data samples in question are all publicly accessible and are not due to any compromise of TikTok systems, networks, or databases. The samples also appear to contain data from one or more third-party sources not affiliated with TikTok.” The Hacker News reports that Bob Diachenko, a threat intelligence researcher at Security Discovery, called the breach “real,” but said that it originated from "Hangzhou Julun Network Technology Co., Ltd rather than TikTok."
New Linux malware.
Researchers at AT&T Alien Labs describe "Shikitega," a stealthy strain of malware targeting "endpoints and IoT devices that are running Linux operating systems." The researchers state, "Shikitega is delivered in a multistage infection chain where each module responds to a part of the payload and downloads and executes the next one. An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist."
Ransomware targeting the education sector.
Tuesday the US Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory warning that the Vice Society threat actor has recently been “disproportionately targeting the education sector with ransomware attacks.”
The advisory states, “The FBI, CISA, and the MS-ISAC anticipate attacks may increase as the 2022/2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks. School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk. K-12 institutions may be seen as particularly lucrative targets due to the amount of sensitive student data accessible through school systems or their managed service providers.”
Finland prepares to increase its cybersecurity capacity.
While the cyber phases of Russia's hybrid war have been relatively quiet as the week opened, and largely eclipsed by the risk of a major nuclear accident at Zaporzhzhya and the opening days of Ukraine's general counteroffensive, governments geographically close to Russia have continued to take measures to improve their cybersecurity posture. Finland, in the wake of attacks aimed at disrupting its parliament, is moving to offer grants to organizations deemed capable of hardening the country's attack surface.
Bronze President shows both enduring interests and adaptability.
Secureworks Counter Threat Unit researchers have discovered a PlugX malware campaign targeting government officials’ computers in Europe, the Middle East, and South America. The malware is embedded in RAR archive files that require the user to click a Windows shortcut file. The decoy documents are political in nature, suggesting that the targets are all government officials. This campaign can probably be attributed to the BRONZE PRESIDENT threat group that is likely to be operated by the Chinese government. BRONZE PRESIDENT has shown an enduring interest in such Chinese neighbors as Vietnam and Myanmar, but it's also been responsive to developing crises and emergent requirements, as seen in the interest it's taken in Ukraine as Russia's invasion has developed. "BRONZE PRESIDENT has demonstrated an ability to pivot quickly for new intelligence collection opportunities. Organizations in geographic regions of interest to China should closely monitor this group's activities, especially organizations associated with or operating as government agencies."
Lazarus Group targeting energy companies.
The North Korean Lazarus Group has been found to be targeting US, Canadian, and Japanese energy providers, TechCrunch reports. The Cisco Talos group observed Lazarus using a Log4j vulnerability, known as Log4Shell, to compromise VMware Horizon servers. They then deploy “VSingle” or “YamaBot” malware to maintain long-term access. Talos researchers Jung soo An, Asheer Malhotra and Vitor Ventura said, “The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives. This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”
Adapting anti-cheat engines to malicious purposes.
Eclypsium warns that attackers are targeting gaming anti-cheat engines to reach below a device’s operating system and disable antivirus programs. Many modern game cheats are developed at the UEFI firmware level in order to avoid detection, and anti-cheat systems are increasingly being granted kernel-level privileges to combat them.
“[T]he anti-cheat engines in some games are more complex and powerful than the protections such as antivirus used to protect more traditional applications,” Eclypsium explains. “This is because games have more rigorous requirements. Any manipulation of game data such as modifying player stats, health, or inventory can fundamentally change the game.... Just in the past few weeks, researchers have uncovered ransomware operators using vulnerable anti-cheat drivers from the popular game, Genshin Impact. In this case, the attackers were able to use the anti-cheat drivers in order to disable antivirus services on a compromised host.”
Games also serve as bait.
Researchers at Kaspersky have found that Minecraft and Roblox are the most popular games used as lures for malware distribution, the Register reports. Kaspersky notes that both of these games are popular with children, who are more susceptible to fall for the attacks.
The US Cybersecurity and Infrastructure Security Agency (CISA) Tuesday released five industrial control system (ICS) advisories, for Triangle Microworks Library ("mitigations for Access of Uninitialized Pointer vulnerabilities"), AVEVA Edge 2020 R2 SP12020 R2 ("mitigations for Insufficient UI Warning of Dangerous Operations, Uncontrolled Search Path Element, and Deserialization of Untrusted Data, Improper Restriction of XML External Entity Reference vulnerabilities"), Cognex 3D-A1000 Dimensioning System ("mitigations for Missing Authentication for Critical Function, Improper Output Neutralization for Logs, and Client-side Enforcement of Server-side Security vulnerabilities"), Hitachi Energy TXpert Hub CoreTec 4 ("mitigations for Authentication Bypass Using an Alternate Path or Channel and Improper Input Validation, Download of Code Without Integrity Check vulnerabilities"), and Delta Electronics DOPSoft 2 ("mitigations for Stack-based Buffer Overflow, Out-of-Bounds Write, and Heap-based Buffer Overflow vulnerabilities").
Twelve more vulnerabilities were added to CISA’s Known Exploited Vulnerabilities Catalog (KEV). In accordance with Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal civilian executive agencies whose security CISA oversees have until September 29th, 2022, to take action to remediate them. Five of the vulnerabilities are in products that have reached their end-of-life, and whose use should be discontinued. For the other seven, agencies are directed to apply vendor-supplied updates. Michael Assraf CEO & Co-founder of Vicarius notes that a number of this week's entries into the Catalog are hardware issues. “Typically the CVEs we see added to the KEV are located in software, SaaS tools, web browsers, or Windows," he wrote in an email. "It is abnormal to see so many vulnerabilities in hardware, and in particular, routers -- as we do with this batch. Of the dozen vulnerabilities, 50% of them are in routers. D-Link, a networking equipment manufacturer based in Taiwan, has four vulnerabilities alone, all affecting products that are end-of-life. One of them, CVE-2011-4723, involves storing cleartext passwords. CISA only adds vulnerabilities to the KEV catalog if there is clear remediation guidance. In this case, the action is clear: disconnect the product if still in use.”
CISA has released four ICS Security Advisories this week. Two of the CISA Advisories are for Industrial Control Systems (ICS), one for MZ Automation GmbH libIEC61850 ("mitigations for Buffer Overflow, Access of Resource Using Incompatible Type, NULL Pointer Dereference vulnerabilities"), and one for PTC Kepware KEPServerEX (Update A) ("mitigations for Heap-based Buffer Overflow and Stack-based Buffer Overflow vulnerabilities").
The other two are for Medical Industrial Control Systems: Baxter Sigma Spectrum Infusion Pumps ("mitigations for Missing Encryption of Sensitive Data, Use of Externally Controlled Format String, Missing Authentication for Critical Function vulnerabilities") and Hillrom Medical Device Management (Update B) ("mitigations for Out-of-bounds Write, Out-of-bounds Read vulnerabilities").
Policies, procurements, and agency equities.
The National Security Agency has set a deadline of 2035 for national security systems to start using post-quantum algorithms, FedScoop reports. The agency recommended that vendors start getting ready for the new requirements, although they acknowledged that not all quantum-resistant algorithms can be used yet, as not all are approved. Rob Joyce, Director of NSA Cybersecurity, said in a release, “This transition to quantum-resistant technology in our most critical systems will require collaboration between government, National Security System owners and operators, and industry. Our hope is that sharing these requirements now will help efficiently operationalize these requirements when the time comes.”
The SINET 16 awards were announced this week, highlighting the 16 most innovative and compelling cybersecurity companies. The 16 companies given the award are:
- ArmorCode, an AppSecOps platform that reduces exposure and risk.
- Calamu, a cybersecurity company that protects and encrypts data itself to prevent ransomware attacks.
- Cycode, a software supply chain security solution that provides security and visibility across the entire software development lifecycle.
- Dazz, a company providing automated remediation for security vulnerabilities.
- DNS Filter, a DNS filter providing threat detection and content filtering capabilities.
- DoControl, a self-service platform providing automated tools for SaaS security.
- Halcyon, an anti-ransomware specific security platform.
- Netacea, a company focused on bot detection powered by machine learning.
- Noetic, a continuous cyber asset management and controls platform.
- Permiso, who provides cloud identity detection and response for cloud infrastructures.
- Phosphorus, a fully-automated internet of things (IoT) security company.
- RegScale, an API-centric SaaS platform helping companies keep up with regulatory requirements.
- Titaniam, a company providing encryption-in-use across the enterprise.
- Viakoo, a security platform providing vulnerability management for unmanaged and IoT devices.
- Xage Security, a zero-trust real world security company.
- 1Kosmos, a distributed identity multi-factor authentication solution.