At a glance.
- Albania reports more Iranian cyberattacks.
- RaidForums' successor.
- Charming Kitten and group-think in social engineering.
- The return of the (ShadowPad) alumni.
- Phishing from the Static Expressway.
- FBI warns of threats to medical devices.
- Joint warning of IRGC cyber activity.
- Webworm repurposes RATs.
- OriginLogger: the new Agent Tesla.
- SparklingGoblin APT.
- Royal funeral phishbait.
- Uber suffers a data breach.
- Large DDoS attack stopped in Eastern Europe.
- FBI observes increased cyberattacks against healthcare payment processors.
- Bravo, Bitdefender.
Albania reports more Iranian cyberattacks.
Albania reports that it sustained additional cyberattacks from Iran last weekend, evidently in response to Tirana's severing of relations with Tehran over earlier cyber incidents. CNN reports that in the most recent attacks the Total Information Management System (TIMS) used for border control was taken offline.
As the outlines of Iranian attacks against Albania's government networks become clearer, the US Treasury Department announced sanctions against Iran's Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmail Khatib, in response to their involvement in cyberattacks on the NATO country. Mr. Khatib is singled out for his role in directing "several networks of cyber threat actors involved in cyber espionage and ransomware attacks in support of Iran’s political goals." Iran condemned the US action, Al Arabiya reports, with the Foreign Ministry saying, “America’s immediate support for the false accusation of the Albanian government... shows that the designer of this scenario is not the latter, but the American government.”
RaidForums' successor.
KELA released a report Monday describing BreachForums (also known as Breached), a cybercrime forum that has risen in response to the closure and seizure of RaidForums. The site, launched by the threat actor whose nom-de-hack is “pompompurin,” offers database leaks, login credentials, adult content, and hacking tools. Breached launched only a few weeks after RaidForums was closed, and has quickly become the new platform for database exchange, with 82,000 registered users, a number that continues to increase. The forum is also active, with a steady volume of monthly posts and participation by known actors from RaidForums. "Breached is not only the successor of RaidForums, but in a very short timeframe has become a promising data leak marketplace. The increasing number of users, monthly posts on the forum, and the fact that known actors from RaidForums have chosen to join the platform shows pompompurin’s popularity and influence," KELA concludes. "It also seems that ransomware operators are allowed to post, which expands the possibilities for a wide range of cybercriminals. KELA believes that the forum will continue gaining popularity in the next months and could become bigger and even more sophisticated than RaidForums."
Charming Kitten and group-think in social engineering.
Proofpoint researchers Tuesday described a phishing campaign operated by the Iranian threat group TA453 (also known as Charming Kitten, PHOSPHORUS, or APT42). Associated with Iran’s Islamic Revolutionary Guard Corps, the threat group is using a range of impersonated personae, including the policy think-tanks Chatham House, the Pew Research Center, and the Foreign Policy Research Institute, as well as the scientific journal Nature, to lend credibility to its phishing attacks. It's not simple spoofing, however: TA453 includes more than one persona in the phishing email thread. Proofpoint calls it "Multi-Persona Impersonation," and the use of more than one seemingly plausible persona, each apparently vouching for the other, lends the approach credibility. The targets of the campaign have been persons and organizations involved with nuclear security, especially in the Middle East.
The return of the (ShadowPad) alumni.
The Symantec Threat Hunter Team, part of Broadcom Software, has released a report detailing new espionage activity targeting governments and public entities. Attackers formerly connected with ShadowPad, a remote access Trojan, have been abusing legitimate software packages to load their malware payloads, a technique known as DLL side-loading: a trusted, signed executable is induced to load a malicious library placed alongside it. The attacks have been observed since 2021, and their apparent intent is intelligence gathering.
There's no attribution yet, but the target selection is suggestive. "The current campaign appears to be almost exclusively focused on government or public entities, including:
- "Head of government/Prime Minister’s Office
- "Government institutions linked to finance
- "Government-owned aerospace and defense companies
- "State-owned telecoms companies
- "State-owned IT organizations
- "State-owned media companies"
The targets are Asian states. While Symantec is reticent about attribution, The Record points out that the tactics, techniques, and procedures have a great deal in common with those used by Chinese intelligence services in earlier campaigns.
Phishing from the Static Expressway.
Avanan researchers reported Tuesday that they have discovered hackers exploiting the Facebook Ads manager for credential harvesting campaigns. The attackers have been seen sending phishing emails, posing as Facebook and threatening to disable a victim’s account for being reported or “violating our Terms of Use,” and providing what appears to be a Facebook link through which the victim can “appeal” to rectify the situation. The link is actually a lead-generation form built in the hacker’s Facebook Ads manager, which is used to steal credit card numbers and other information. Avanan explains that this method is effective because of what it calls “The Static Expressway”: hackers host their lures on legitimate sites that appear on static allow lists, so security filters wave the message through and it is more likely to reach the end target.
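To show why a static allow list is weak against this kind of lure, here is an added example (not Avanan's code or signatures): a naive gateway that passes any mail carrying a link on an allow-listed host, beside a hardened one in which the allow list only skips reputation lookups while sender and content checks still run. The sample messages, sender domain and link path are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# A static allow list of the kind the "Static Expressway" abuses: hosts a gateway
# trusts without further inspection (constructed for this example).
STATIC_ALLOW_LIST = {"facebook.com", "www.facebook.com"}

# Pressure wording from the lure described above (constructed matchers, not Avanan's).
LURE_PHRASES = ("disable", "violating our terms", "reported", "appeal")


@dataclass
class Message:
    from_addr: str
    subject: str
    body: str
    links: list = field(default_factory=list)

    def text(self) -> str:
        return (self.subject + " " + self.body).lower()


def impersonated_brand(msg: Message) -> Optional[str]:
    """Hypothetical helper: the brand domain the message claims to speak for."""
    return "facebook.com" if "facebook" in msg.text() else None


def naive_verdict(msg: Message) -> str:
    """Weak gateway: a link on an allow-listed host short-circuits every other check."""
    for link in msg.links:
        if (urlparse(link).hostname or "") in STATIC_ALLOW_LIST:
            return "allow"  # trust by hostname alone; the lead-gen form rides through
    return "inspect"


def hardened_verdict(msg: Message) -> str:
    """Allow-listed hosts only skip reputation lookups; content checks still apply."""
    score = 0
    sender_domain = msg.from_addr.rsplit("@", 1)[-1].lower()
    brand = impersonated_brand(msg)
    if brand and not (sender_domain == brand or sender_domain.endswith("." + brand)):
        score += 2  # claims to be a brand it was not sent from
    score += min(2, sum(p in msg.text() for p in LURE_PHRASES))  # pressure wording
    for link in msg.links:
        if (urlparse(link).hostname or "") not in STATIC_ALLOW_LIST:
            score += 1  # unknown host: would normally go to a reputation lookup
    return "quarantine" if score >= 3 else "allow"


# Constructed sample messages; the sender domain and link path are placeholders.
PHISH = Message("security-team@example-placeholder.net",
                "Your Facebook account will be disabled",
                "Your page was reported for violating our Terms of Use. Appeal here.",
                ["https://www.facebook.com/PLACEHOLDER-lead-form"])
BENIGN = Message("notification@facebook.com", "New comment on your post",
                 "Someone commented on your Facebook post.", ["https://www.facebook.com/"])
```

Run both verdicts over the two samples: the naive gateway allows both, while the hardened one allows the benign notification and quarantines the lure despite its allow-listed link.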
FBI warns of threats to medical devices.
The FBI has issued an advisory that warns of a growing risk to medical devices posed by a combination of unpatched software and increasing threat actor attention. "In addition to outdated software, many medical devices also exhibit the following additional vulnerabilities: Devices used with the manufacturer’s default configuration are often easily exploitable by cyber threat actors. Devices with customized software require special upgrading and patching procedures, delaying the implementation of vulnerability patching. Devices not initially designed with security in mind, due to a presumption of not being exposed to security threats."
Joint warning of IRGC cyber activity.
The US Cybersecurity and Infrastructure Security Agency (CISA) and its partners (in this case the US Federal Bureau of Investigation (FBI), the US National Security Agency, U.S. Cyber Command's Cyber National Mission Force, the US Department of the Treasury, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, and the United Kingdom’s National Cyber Security Centre) have added their warning to those that have drawn attention to Iranian cyber activity this week. The Islamic Revolutionary Guard Corps (IRGC) has "continued to exploit known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities CVE-2021-44228 (“Log4Shell”), CVE-2021-45046, and CVE-2021-45105 for initial access."
Webworm repurposes RATs.
The Symantec Threat Hunter Team, part of Broadcom Software, has released a report detailing the activities of a group they’re calling Webworm. Webworm uses three older remote access Trojans (RATs): Trochilus, Gh0st RAT, and 9002 RAT. Webworm is probably connected with the group identified as Space Pirates, active since 2017 against government agencies, IT services, aerospace, and electric power. Russia, Georgia, Mongolia, and other Asian countries have been hit.
OriginLogger: the new Agent Tesla.
Palo Alto Networks Unit 42 has released a report detailing OriginLogger. On March 4, 2019, well-known keylogger Agent Tesla shut down, but not without first recommending in its Discord server another keylogger known as OriginLogger, saying, “If you want to see a powerful software like Agent Tesla, we would like to suggest you [sic] OriginLogger. OriginLogger is an AT-based software and has all the features.” OriginLogger is a variant of Agent Tesla, sometimes tagged as “Agent Tesla version 3,” which means that tools meant to detect Agent Tesla should also detect OriginLogger.
SparklingGoblin APT.
Researchers at ESET warn that the Chinese APT SparklingGoblin is using a new Linux variant of its SideWalk malware. The researchers add that the Linux variant of the malware isn’t as evasive as its Windows counterpart.
Royal funeral phishbait.
As is usually the case with any high-profile event that touches many people, the funeral of Queen Elizabeth II has been exploited by criminals who are using it for phishbait. In a tweeted series of posts, Proofpoint describes a credential phishing campaign in which messages that misrepresent themselves as coming from Microsoft invite recipients to visit an "artificial technology hub" established in Her Majesty's honor. The URL redirects to a credential-harvesting site. The threat actors are using the EvilProxy phishing kit.
Uber suffers a data breach.
Uber is investigating a breach of its systems, the New York Times reports. Thursday, the company said in a tweet from its @Uber_Comms account, “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.”
The Times reports that the breach looks to have compromised a multitude of Uber’s systems, with the hacker sending the Times images of “email, cloud storage and code repositories.” Sam Curry, a security engineer at Yuga Labs who was in contact with the hacker, says “They pretty much have full access to Uber. This is a total compromise, from what it looks like.” The threat actor reportedly compromised a worker’s account on the company’s internal messaging service, Slack, and posted, “I announce I am a hacker and Uber has suffered a data breach.” Two employees who weren’t authorized to speak on the situation publicly have said that they were told not to use Slack, and that other internal systems were inaccessible. The breach involved phishing and social engineering: the hacker sent a text message to a worker and convinced them to hand over a password that gave the hacker access. An Uber spokesperson says that the breach is under investigation by the company and that law enforcement officials are being contacted.
Large DDoS attack stopped in Eastern Europe.
Akamai says that it stopped a record-setting distributed denial-of-service (DDoS) attack against an unnamed Eastern European customer this week. "On Monday, September 12, 2022, Akamai successfully detected and mitigated the now-largest DDoS attack ever launched against a European customer on the Prolexic platform, with attack traffic abruptly spiking to 704.8 Mpps in an aggressive attempt to cripple the organization’s business operations." The attacker's command-and-control was unusually supple. Akamai offers no attribution, but the target selection and the choice of DDoS as an attack technique are suggestive of recent Russian offensive activity.
FBI observes increased cyberattacks against healthcare payment processors.
The FBI reports that it has observed an increase in cybercriminal attacks against healthcare payment processors in which victim payments are redirected. Threat actors rely on publicly available personally identifiable information (PII), along with social engineering, to impersonate the victims and gain access to “files, healthcare portals, payment information, and websites,” going so far as to change direct deposit information to the attacker’s own. Security Week says that in February 2022, $3.1 million was redirected after the direct deposit was changed. The same thing happened again, and the actor stole $700,000.
Bravo, Bitdefender.
Bitdefender has, in conjunction with law enforcement, released a decryptor for LockerGoga.
Patch news.
The US Cybersecurity and Infrastructure Security Agency (CISA) Tuesday released five Industrial Control Systems Advisories, for Hitachi Energy TXpert Hub CoreTec 4 Sudo Vulnerability ("mitigations for an Off-by-one Error vulnerability"), Honeywell SoftMaster ("mitigations for Uncontrolled Search Path Element and Incorrect Permission Assignment for Critical Resource vulnerabilities"), Delta Industrial Automation DIAEnergie ("mitigations for a Use of Hard-coded Credentials vulnerability"), Kingspan TMS300 CS ("mitigations for an Improper Authentication vulnerability"), and Paradox IP150 (Update A) ("mitigations for Stack-based Buffer Overflow and Classic Buffer Overflow vulnerabilities").
CISA released eleven more Industrial Control Systems Advisories later in the week. With active exploitation observed in the wild, CISA has added six new entries to its Known Exploited Vulnerabilities Catalog. Federal civilian Executive agencies falling under CISA's remit have until October 6th, 2022, to take action to identify and mitigate them.
Late Monday Cupertino released eight patches affecting iOS, macOS, tvOS, and watchOS. The iOS 15.7 update, or the alternative upgrade to iOS 16, is particularly important, since both address a zero-day flaw, CVE-2022-32917.
Onapsis reports that 16 new and updated SAP security patches have been released, including one SAP Business Client HotNews Note and six High Priority Notes. The High Priority notes affect SAP Business One, SAP BusinessObjects and SAP GRC.
In addition, Microsoft and Adobe have also rolled out patches and software upgrades. Consult the vendors for details.
Courts and torts.
Tuesday the US Senate Judiciary Committee heard testimony from Pieter “Mudge” Zatko, now familiarly known as “the whistleblower,” on his allegations of privacy and security problems at Twitter. The Senators were interested in a range of issues: privacy, espionage risk, content moderation, and the apparent inadequacy of regulations governing social media and other online platforms.
Zatko complained that the company’s executive team chose to disregard warnings of security problems, preferring instead to mislead the board, its employees, its customers, the public, and legislators. Perverse incentives operated to drive the executives in that direction, and enmeshed the company in two basic problems: inability to keep track of the data the company held, and executive incentives that "led them to prioritize profits over security."
Twitter didn't maintain a distinct development or testing environment, Zatko said, and this led the company to open up its data to far more employees than otherwise would have had access to them. This was part of a larger insider threat problem, in which agents of foreign intelligence services (notably those of India, China, and Saudi Arabia) found their way onto Twitter's payroll, where they remained for the most part undetected and undetectable.
Social media executives from Meta, Twitter, TikTok, and YouTube testified before the Senate Homeland Security Committee, TechCrunch reports. The hearing, intended to dive into the impact social media has on national security, took place on Wednesday, covering topics ranging from domestic extremism and misinformation, to connections with China. The testimony was, as it so often is before a Senate committee, guarded.
Policies, procurements, and agency equities.
The White House’s Office of Management and Budget (OMB) yesterday released a software supply chain security memorandum titled “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices.” The document requires government agencies to comply with the guidance issued by the National Institute of Standards and Technology (NIST) in accordance with President Joe Biden’s executive order on Improving the Nation’s Cybersecurity, published in 2021 in the aftermath of the SolarWinds incident. Chris DeRusha, Federal Chief Information Security Officer and Deputy National Cyber Director, explains, “With the cyber threats facing Federal agencies, our technology must be developed in a way that makes it resilient and secure, ensuring the delivery of critical services to the American people while protecting the data of the American public and guarding against foreign adversaries.” As the Federal News Network notes, the memo requires agencies to obtain a self-attestation from the software vendor that it has followed the NIST guidelines, and the Cybersecurity and Infrastructure Security Agency is working on a standardized form for use by all agencies. In cases where the vendor cannot meet NIST’s guidance, agencies will be allowed to accept a “plan of action and milestones” from the vendor. Agencies have been given ninety days to inventory all their third-party software, including a separate inventory for “critical software,” and they have 120 days to develop “a consistent process to communicate relevant requirements in this memorandum to vendors, and ensure attestation letters not posted publicly by software providers are collected in one central agency system.” OMB is also encouraging agencies to obtain Software Bills of Materials (SBOMs) from software vendors “that demonstrate conformance to secure software development practices, as needed.”
The Cybersecurity and Infrastructure Security Agency (CISA) reports that the agency, along with the Federal Bureau of Investigation (FBI), has held the first meeting of the Joint Ransomware Task Force (JRTF). The JRTF is an interagency body created by Congress to focus on ransomware threats. The task force will expand existing efforts where appropriate, and where necessary identify new initiatives across the government and private sector to protect against ransomware and stop threat actors.
The White House yesterday issued guidance for Federal agencies’ use of software security practices. The memorandum instructs agencies to obtain a self-attestation from software providers that their products are in line with NIST’s security guidelines.
Policymakers and federal agencies are considering new incentives for operational technology (OT) security, in hopes of getting critical infrastructure companies to prioritize cybersecurity and replace old technologies, SC Media reports. The House Homeland Security Committee held a hearing on the topic Thursday.