By the CyberWire staff
At a glance.
- The GRU and cyber gangs.
- Cyber mercenaries.
- TeamTNT may be back.
- Risky piracy sites.
- Developments in the Uber breach, and tentative attribution.
- Rockstar and 2K Games sustain criminal attacks.
- Emotet and other malware delivery systems.
- Trends in resilience.
- Readiness for quantum security.
- Leveraging Netflix for credential harvesting.
- The LastPass incident.
- Gootloader's malicious blogging.
- Metador's unattributed cyberespionage.
- Malicious NPM packages.
- Pay card theft ring unmasked.
- Patch news.
- Criminal and civil cases.
CISA warns of Iranian cyber activity.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a joint warning with the FBI outlining the conduct of the cyber campaign Iran waged earlier this month against Albania. The warning includes recommended protections and mitigations should the campaign spill over to targets outside Albania. Listen to CISA's warning on the CyberWire.
The GRU's close coordination with cyber criminals.
A report in the Wall Street Journal, citing research by Google's recently acquired Mandiant unit, describes the "unprecedented" ways in which the Russian state's sufferance and toleration of criminal gangs have evolved into active coordination and direction. The relationship has apparently developed well beyond the familiar permissive privateering the gangs have been encouraged to undertake. Mandiant's report focuses on the GRU, which is organizing the activities of nominally hacktivist groups and supplying them with GRU tools to attack Ukrainian networks. Killnet is among the hacktivist front groups probably associated with the GRU.
Cyber mercenaries.
SentinelLabs has published an update on the Void Balaur cyber mercenary group. The hack-for-hire operation, which has operated in the criminal-to-criminal market since 2016, has expanded its activities. "New targets include a wide variety of industries, often with particular business or political interests tied to Russia." It's not generally clear who the group's customers are, but SentinelLabs points to some indications that a Russian security service may be among them. "A unique and short-lived connection links Void Balaur’s infrastructure to the Russian Federal Protective Service (FSO), a low-confidence indication of a potential customer relationship or resource sharing between the two."
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.
TeamTNT may be back.
Aqua Security reported at the end of last week that a threat actor hitting its honeypots looked a lot like TeamTNT, a criminal group specializing in attacking cloud environments. TeamTNT had announced its retirement last November, but may now be quietly reappearing.
Risky piracy sites.
The Digital Citizens Alliance, in partnership with White Bullet and Unit 221B, released a report detailing piracy sites and advertising. Malware has also been found on piracy sites in advertisements targeting users. Researchers found that those who visited piracy sites were exposed to an estimated 321 million malicious ads in the span of one month. See CyberWire Pro for more information.
Developments in the Uber breach, and tentative attribution.
Uber's initial disclosure of the breach, on September 15th, was terse. "We are currently responding to a cybersecurity incident," the company tweeted. "We are in touch with law enforcement and will post additional updates here as they become available." On the 16th it offered the following amplification. "While our investigation and response efforts are ongoing, here is a further update on yesterday's incident:
- "We have no evidence that the incident involved access to sensitive user data (like trip history).
- "All of our services including Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational.
- "As we shared yesterday, we have notified law enforcement.
- "Internal software tools that we took down as a precaution yesterday are coming back online this morning."
Someone claiming to be the threat actor responsible for the intrusion (and the claims are generally being taken at face value as authentic) counted coup in the company's Slack channels. "Hi @here," the hacker posted, "I announce i am a hacker and uber has suffered a data breach. Slack has been stolen, confidential data with Confluence, stash and 2 monorepos from phabricator have also been stolen, along with secrets from sneakers. #uberunderpaisdrivers [sic]." Employees who saw the post thought it was a goof, the Verge reports, and many cheerfully played along until it became clear that in fact the breach was real, and potentially serious.
An update on the breach was published by Uber on Monday, and they've developed an idea of who was responsible: Lapsus$. "We believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so. This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, Nvidia and Okta, among others. There are also reports over the weekend that this same actor breached video game maker Rockstar Games. We are in close coordination with the FBI and US Department of Justice on this matter and will continue to support their efforts." See CyberWire Pro for more information on the investigation, an early take on lessons learned, and tentative attribution.
Rockstar Games suffers leak of new Grand Theft Auto footage. 2K Games hack threatens user data and company IP.
The AP and others have been reporting a network intrusion at Rockstar Games in which the company suffered the leak of some aspects of its new Grand Theft Auto game, currently in early development. Someone claiming to be the hacker apparently posted ninety clips from the theft and claimed also to have source code for the game, which they want to sell for at least $10,000. The Video Games Chronicle reports that Rockstar has released a public comment on its social media channels, noting that they were “extremely disappointed” that details of the game were shared by the hacker, and saying that there will not be delays in the project. For more on the intrusion and leak, see CyberWire Pro.
A second Take-Two Interactive brand, 2K Games, has sustained a compromise. Family-friendly 2K's edgier corporate sister Rockstar Games had seen an intrusion (possibly by the Lapsus$ Group) that compromised some games under development. 2K's compromise was in some respects more serious in that it represents a threat to users and not simply a disclosure of intellectual property. 2K Support tweeted a warning this week that explains what it's determined about the incident. "Earlier today we became aware that an unauthorized third party illegally accessed the credentials of one of our vendors to the help desk platform that 2K uses to provide support to our customers. The unauthorized party sent a communication to certain players containing a malicious link. Please do not open any emails or click on any links that you receive from the 2K Games support account." The goal of the compromise was distribution of the RedLine information stealer, Techradar reports. There's no firm attribution of this second attack on a Take-Two brand, but BleepingComputer speculates on the basis of victimology and the method of approach that this attack, too, is the work of the Lapsus$ Group. More information may be found on CyberWire Pro.
Threat actors have their insider threats, too.
The builder for LockBit's new encryptor, version 3.0 or "LockBit Black," released just this past June in the criminal-to-criminal market, has been leaked online, BleepingComputer reports. Researcher "3xp0rt" tweeted early this morning that "Unknown person @ali_qushji [which account has been temporarily restricted due to "unusual activity"] said his team has hacked the LockBit servers and found the possible builder of LockBit Black (3.0) Ransomware." After 3xp0rt's tweet, VX-Underground reported that they were contacted on September 10th by a user named 'protonleaks,' who at that time had shown them a copy of the builder. It's unclear whether protonleaks and ali_qushji are one person or two people, or whether perhaps their name is really legion. LockBit reached out to VX-Underground to deny that they had been hacked, saying instead that the leak was the work of a disgruntled developer unhappy with LockBit's leadership.
Kaspersky has a useful overview of LockBit that includes the ransomware-as-a-service group's history and some observations about its place in the C2C market. CyberWire Pro has more on this most recent incident.
Emotet and other malware delivery systems.
Researchers at AdvIntel have observed more than 1.2 million Emotet infections since the beginning of 2022. The largest share of the infections (35.7%) is located in the United States. The researchers also warn that the Quantum and BlackCat ransomware groups are now using the malware distribution botnet following the breakup of Conti in June 2022: “The observed botnet taxonomy attacker flow for Emotet is Emotet -> Cobalt Strike -> Ransomware Operation. What this means is that currently, the way that threat actors primarily utilize Emotet is as a dropper, or downloader for a Cobalt Strike beacon, which deploys a payload allowing threat actors to take over networks and execute ransomware operations.” BleepingComputer adds that significant spikes in Emotet activity were observed by both AdvIntel and ESET in 2022. See CyberWire Pro for more on the current place of Emotet in the underworld.
Trends in resilience.
Druva and IDC released a report Tuesday on trends in data resilience. The survey defines data resilience as “the practice of making data available within the organization. As such, it is central to any sort of disaster or cyber-recovery and requires a coordinated effort of people, process, and technology.” 77% of those surveyed indicated that data resilience was a top-three priority, with 19% indicating that it’s a priority, but not a top-three one. 85% of respondents said that they had a formal “cyber-recovery playbook,” with 92% saying that their data resiliency tools are “efficient” or “highly efficient.” See CyberWire Pro for more information.
Readiness for quantum security.
Deloitte has published the results of a survey on awareness of cybersecurity risks related to quantum computing. The survey found that just over half (50.2%) of respondents are aware of “harvest now, decrypt later” attacks. These attacks involve stealing encrypted data and storing it until a quantum computer is developed that can break the encryption. 26.6% of respondents said their organization has already conducted a risk assessment on quantum computing risks, while 18.4% plan to conduct an assessment within one year. See CyberWire Pro for more information.
Leveraging Netflix for credential harvesting.
INKY on Wednesday blogged about a phishing scheme that impersonates Netflix. Researchers report that between August 21 and August 27 of this year, Netflix customers were the target of a personally identifiable information (PII) harvesting campaign. The campaign used a malicious HTML attachment compressed in a zip file. The campaign is noteworthy because it shows that criminal social engineering is being conducted with greater polish, without some of the clumsy diction and non-standard language that once made it easy to spot. The phishing emails were spoofed to look as if they came from Netflix’s actual domain. The emails originated from a virtual private server in Germany, and then moved to an abused mail server at a Peruvian university, which allowed the email to receive a DKIM pass and reach the recipient. For more on this phishing campaign, see CyberWire Pro.
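A DKIM "pass" only proves that some domain signed the message; it says nothing about whether that domain matches the one shown in the From: header. The check that catches the pattern described above (a Netflix From: address carried by a signature from an unrelated university mail server) is DMARC identifier alignment. The following is an added example for readers, not code from INKY or from Netflix. It assumes the receiving MTA has already performed SPF and DKIM verification and recorded the outcome in an Authentication-Results header (RFC 8601); the two messages are constructed samples, and the organizational-domain helper is a deliberate simplification that a production implementation would replace with a Public Suffix List lookup.

```python
"""DMARC identifier alignment check over an Authentication-Results header.

Added example (not INKY's or Netflix's code). Assumes the receiving MTA has
already verified SPF and DKIM and written an Authentication-Results header.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample 1: From: claims netflix.com, but the DKIM signature and
# SPF-authenticated envelope sender belong to an unrelated (abused) server.
SPOOFED_MESSAGE = """From: "Netflix" <no-reply@netflix.com>
To: victim@example.org
Subject: Update your payment details
Authentication-Results: mx.example.org;
 dkim=pass header.d=mail.university-example.edu;
 spf=pass smtp.mailfrom=bounce@university-example.edu

Please open the attached file to keep your account active.
"""

# Constructed sample 2: the signing subdomain and envelope sender both belong
# to the From: domain, so the message aligns.
ALIGNED_MESSAGE = """From: "Netflix" <no-reply@netflix.com>
To: customer@example.org
Subject: Your monthly receipt
Authentication-Results: mx.example.org;
 dkim=pass header.d=mail.netflix.com;
 spf=pass smtp.mailfrom=bounce@netflix.com

Thanks for being a member.
"""


def org_domain(domain: str) -> str:
    """Organizational domain used for relaxed alignment.

    Simplification (assumption): the last two labels. Real code consults the
    Public Suffix List so that names like example.co.uk are handled correctly.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(value: str) -> dict:
    """Extract (result, domain) for dkim and spf from an Authentication-Results value."""
    out = {"dkim": None, "spf": None}
    m = re.search(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", value, re.I | re.S)
    if m:
        out["dkim"] = (m.group(1).lower(), m.group(2).lower())
    m = re.search(r"spf=(\w+)[^;]*?smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)",
                  value, re.I | re.S)
    if m:
        out["spf"] = (m.group(1).lower(), m.group(2).lower())
    return out


def aligned(auth_domain: str, from_domain: str, mode: str = "relaxed") -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same org domain."""
    if mode == "strict":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def check_dmarc_alignment(raw_message: str, mode: str = "relaxed") -> dict:
    """Return pass/alignment details and an overall DMARC-style verdict."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    dkim_pass = auth["dkim"] is not None and auth["dkim"][0] == "pass"
    spf_pass = auth["spf"] is not None and auth["spf"][0] == "pass"
    dkim_aligned = dkim_pass and aligned(auth["dkim"][1], from_domain, mode)
    spf_aligned = spf_pass and aligned(auth["spf"][1], from_domain, mode)
    return {
        "from_domain": from_domain,
        "dkim_pass": dkim_pass,
        "dkim_aligned": dkim_aligned,
        "spf_pass": spf_pass,
        "spf_aligned": spf_aligned,
        # DMARC passes when at least one authenticated identifier aligns.
        "verdict": "pass" if (dkim_aligned or spf_aligned) else "fail",
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("aligned", ALIGNED_MESSAGE)):
        print(label, check_dmarc_alignment(raw))
```

The spoofed sample shows the trap: both SPF and DKIM report "pass", yet neither authenticated domain aligns with netflix.com, so the verdict is "fail". Running the aligned sample in strict mode is also instructive: the DKIM d= of mail.netflix.com no longer counts, but the exactly matching envelope sender keeps the verdict at "pass".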
The LastPass incident.
LastPass has published an update on the security breach it sustained last month, Naked Security reports. LastPass found no evidence that the attacker gained access to customer data. The threat actor was able to steal some source code, but the company found “no evidence of attempts of code-poisoning or malicious code injection.” For more on the LastPass incident, see CyberWire Pro.
Gootloader uses blogging and SEO poisoning to attract victims.
Deepwatch describes how Gootloader uses well-planned and targeted blogs (with translation services and suggested links) in a search-engine-optimization (SEO) poisoning campaign. The operators appear to be trawling for users interested in topics related to "government, legal, healthcare, real estate, and education." Geographically, many countries are targeted, but most attention seems to be paid to the Five Eyes: Australia, Canada, New Zealand, the United Kingdom, and the United States. The operation looks like one run on behalf of a nation-state intelligence service, but Deepwatch offers no attribution.
Metador: a so-far unattributed threat actor.
SentinelLabs yesterday reported another threat actor that looks like the work of a nation-state. "Metador" is described as targeting "telecommunications, internet service providers, and universities in several countries in the Middle East and Africa." It's not known who Metador is, nor whom the group is working for, but they show a high degree of operational security and situational awareness of the environments in which they operate. "Traces point to multiple developers and operators that speak both English and Spanish, alongside varied cultural references including British pop punk lyrics and Argentinian political cartoons." Researchers say the evidence is consistent with Metador being either an intelligence service or a mercenary group working under contract.
An unidentified threat actor deploys malicious NPM packages.
In another instance of a software supply chain attack, ReversingLabs researchers outline the placement of a malicious NPM package in a widely used components library. Specifically, they've discovered a malicious NPM package posing as Material Tailwind, a components library for Tailwind CSS and Material Design. "In most of these cases, the malware in question is fairly simple Javascript code that is rarely even obfuscated. Sophisticated multistage malware samples like Material Tailwind are still a rare find," ReversingLabs notes. "The malicious package also successfully implements all of the functionality provided by the original package.” For additional coverage, see CyberWire Pro.
A large-scale pay card theft operation.
ReasonLabs describes a Russophone gang using bogus dating and customer support sites to induce its marks to cough up pay card details. Researchers at ReasonLabs describe a major online credit card scheme that’s been active since 2019. The threat actor has used at least 200 phony dating websites and 75 fake customer support sites to trick users into signing up for fraudulent subscriptions. The dating sites inform users that the credit card statement will be unrelated to the adult industry, in order to be discreet. The researchers believe the campaign is being run by an organized crime group based in Russia. More information may be found at CyberWire Pro.
Patch news.
The US Cybersecurity and Infrastructure Security Agency (CISA) Tuesday issued eight Industrial Control System (ICS) Advisories, for Medtronic NGP 600 Series Insulin Pumps ("mitigations for a Protection Mechanism Failure vulnerability"), Hitachi Energy PROMOD IV ("mitigations for an Improper Access Control vulnerability"), Hitachi Energy AFF660/665 Series ("mitigations for a Stack-based Buffer Overflow vulnerability"), Dataprobe iBoot-PDU ("mitigations for OS Command Injection, Path Traversal, Exposure of Sensitive Information to an Unauthorized Actor, Improper Access Control, Improper Authorization, Incorrect Authorization, and SSRF vulnerabilities"), Host Engineering Communications Module ("mitigations for a Stack-based Buffer overflow vulnerability"), AutomationDirect DirectLOGIC with Ethernet (Update A) ("mitigations for Uncontrolled Resource Consumption and Cleartext Transmission of Sensitive Information vulnerabilities"), AutomationDirect DirectLOGIC with Serial Communication (Update A) ("mitigations for a Cleartext Transmission of Sensitive Information vulnerability"), and MiCODUS MV720 GPS tracker (Update A) ("mitigations for Use of Hard-coded Credentials, Improper Authentication, Cross-site Scripting, and Authorization Bypass Through User-controlled Key vulnerabilities").
More advisories were issued on Thursday, these for Measuresoft ScadaPro Server ("mitigations for an Improper Access Control vulnerability"), Mitsubishi Electric Multiple Products (Update E) ("mitigations for a Predictable Exact Value from Previous Values vulnerability"), and Mitsubishi Electric Factory Automation Engineering Software (Update D) ("mitigations for a Permission Issues vulnerability").
Crime and punishment.
Darnell Kahn, serving twenty-five years in South Carolina for voluntary manslaughter and attempted armed robbery, has been convicted in a US court on Federal sextortion charges. Mr. Kahn obtained an illegal smart phone and used it to set up a fictitious woman’s dating profile online. He would strike up a relationship with lovelorn US Servicemen, catphishing them into sharing their own not-safe-for-work selfies, and then “reveal” the fictitious line that the person they thought was an adult woman was in fact an underage girl, and that the person they were now communicating with was either the catphish’s father or a private detective. If the victim failed to wire money to Mr. Kahn, they would face prosecution and a dishonorable discharge, or so Mr. Kahn’s persona said. He’s believed to have victimized forty Servicemen between January and July of 2017. Sextortion seems, the Stars and Stripes reports, to have become something of a cottage industry in South Carolina prisons, and Mr. Kahn hasn't been alone in pursuing this particular line of crime.
Courts and torts.
The US Securities and Exchange Commission (SEC) has agreed to settle charges against Morgan Stanley Smith Barney (MSSB, now known as Morgan Stanley Wealth Management) for a recent breach that exposed the data of 15 million customers. MSSB has agreed to pay $35 million to settle claims it neglected to properly dispose of hard drives and servers containing the customers’ data in what the SEC described as an “astonishing” failure to safeguard the personal identifying information. The breach was the result of Morgan Stanley’s hiring of a moving and storage company with “no experience or expertise in data destruction services” to dispose of the equipment, which later landed on an internet auction site. Morgan Stanley has not admitted any wrongdoing, but a spokesperson told TechCrunch that they are pleased with the resolution of the charges, adding, “We have previously notified applicable clients regarding these matters, which occurred several years ago and have not detected any unauthorized access to, or misuse of, personal client information.”
T-Mobile has agreed to pay $350 million to settle a lawsuit resulting from a 2021 cyberattack that potentially exposed the data of nearly 80 million customers. CNET notes that if approved, the settlement will be the second largest of its kind in the US, beaten only by Equifax’s 2019 breach settlement for $700 million.
Becker’s Hospital Review reports that five US health systems are facing lawsuits linked to recent data breach incidents: Salinas Valley Memorial Healthcare System, the University of California San Francisco Medical Center, Dignity Health with Facebook parent Meta Platforms, Northwestern Memorial Hospital, and Lamoille Health Partners.
Policies, procurements, and agency equities.
Experts are worried that the US Bureau of Industry and Security (BIS) – the arm of the Commerce Department charged with approving sensitive US technology exports – doesn’t have the intelligence resources necessary to understand the full impact of selling advanced US tech equipment and software to China. Derek Scissors, a senior fellow at Washington, DC think tank the American Enterprise Institute, told CyberScoop, “They could use better intelligence, there’s no doubt about it. They have not made the transition to China being a national security problem.”
A new study released by the US Senate Intelligence Committee indicates that the National Counterintelligence and Security Center (NCSC), in charge of coordinating the US spy agencies’ counterintelligence efforts, is lacking a clear mission and adequate authority. As concerns about foreign disinformation and interference in US elections grow, the report warns that efforts to prevent China, Russia, and other adversaries from nabbing national secrets are being slowed by miscommunication, inadequate staffing, and a lack of funding at NCSC.
The US Cyberspace Solarium Commission (CSC) is on track to have 85% of all of its recommendations for improving the country’s cyber posture implemented, with the remaining 15% facing hurdles or “significant barriers.” More than half of its recommendations have already been implemented, and the Washington Post reports that some of the CSC’s recommendations, like creating legislative language to identify the nation’s most vulnerable computer systems, remain top priorities for Congress.