At a glance.
- Albania explains its reasons for severing relations with Iran.
- Cashout scam targets forgotten crypto accounts.
- Next moves for Lapsus$?
- Cloud complexity and its effect on security.
- Operation In(ter)ception: social engineering by the Lazarus Group.
- Witchetty cyberespionage group: recent activity.
- C2C access for sale: high-end auction houses and "flea markets."
- Securonix describes an effective and carefully crafted cyberespionage campaign.
- Novel malware discovered targeting VMware ESXi hypervisors.
- North Korean operators "weaponize" open-source software.
- Fast Company's WordPress hijacking incident.
- Deepfakes, and their evolution.
- Unrest in Iran finds expression in cyberspace.
- Developments in the Optus breach.
- Leaked LockBit 3.0 builder used in ransomware attacks.
- Meta takes down Russian disinformation networks.
- Gray-hat support for Iranian dissidents.
- SolarMarker info-stealer returns in watering hole campaign.
Albania explains its reasons for severing relations with Iran.
The Washington Post last weekend interviewed Albania's Prime Minister Edi Rama on his government's decision to sever diplomatic relations with Iran over Tehran's large-scale cyberattack against Albanian IT infrastructure. “Based on the investigation, the scale of the attack was such that the aim behind it was to completely destroy our infrastructure back to the full paper age, and at the same time, wipe out all our data,” Rama told the Post. “Our sense now is first, that they didn't succeed to destroy infrastructure. Services are back. Second, data. Yes, they took some but practically not of any particular relevance.” He characterized the cyberattacks as aggression, not as destructive, of course, as bombing, but of comparable intent, and comparably inadmissible under international norms. Background on Iran's cyber operations and Albania's response may be found in CyberWire Pro.
Cashout scam targets forgotten crypto accounts.
Sift has published a report finding that cybercriminals are targeting neglected cryptocurrency accounts amid the drop in cryptocurrency's value over the past few months. Brittany Allen, Trust and Safety Architect at Sift, said, “Account takeover attacks are proving to be a primary attack method among fraudsters in our challenging economic environment. Adding insult to injury, cybercriminals are leveraging automation via bots and scripts to launch ATO attacks at scale, often forcing businesses to choose between introducing excessive friction in their user experience or being consumed by fraud.” See additional coverage at CyberWire Pro.
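The automation Sift describes leaves a signature in authentication logs: one source touching many distinct accounts in a short window with a low success rate. The following detector is an added example (not Sift's code or product logic) that runs over a constructed sample of login events; the thresholds, the log format, and the IP addresses are assumptions chosen for illustration.

```python
"""Credential-stuffing / account-takeover detector over login logs.

Added example, not from Sift's report. Flags source IPs that, inside a
sliding time window, attempt logins against many distinct accounts with
a low success rate, and lists the accounts that did succeed (likely
compromised). Log format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, account, outcome.
# 203.0.113.7 sprays ten accounts in seven seconds and gets one hit;
# the other two sources are ordinary users.
SAMPLE_LOG = """\
2022-09-30T10:00:01Z 203.0.113.7 alice@example.com FAIL
2022-09-30T10:00:02Z 203.0.113.7 bob@example.com FAIL
2022-09-30T10:00:02Z 203.0.113.7 carol@example.com FAIL
2022-09-30T10:00:03Z 203.0.113.7 dave@example.com SUCCESS
2022-09-30T10:00:03Z 203.0.113.7 erin@example.com FAIL
2022-09-30T10:00:04Z 203.0.113.7 frank@example.com FAIL
2022-09-30T10:00:04Z 203.0.113.7 grace@example.com FAIL
2022-09-30T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2022-09-30T10:00:06Z 203.0.113.7 ivan@example.com FAIL
2022-09-30T10:00:07Z 203.0.113.7 judy@example.com FAIL
2022-09-30T10:01:00Z 198.51.100.4 alice@example.com FAIL
2022-09-30T10:01:30Z 198.51.100.4 alice@example.com SUCCESS
2022-09-30T10:02:00Z 192.0.2.9 bob@example.com SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, account, ok) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, account, outcome == "SUCCESS"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_accounts=5, max_success_rate=0.5):
    """Return {ip: summary} for sources that look like automated ATO.

    A source is flagged when some window of its events covers at least
    `min_accounts` distinct accounts with a success rate at or below
    `max_success_rate`. The summary kept is the window with the most
    distinct accounts, so the caller sees the full spray, not its start.
    """
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        best = None
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            accounts = {a for _, a, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(accounts) >= min_accounts and successes / len(chunk) <= max_success_rate:
                if best is None or len(accounts) > best["accounts"]:
                    best = {
                        "accounts": len(accounts),
                        "attempts": len(chunk),
                        "successes": successes,
                        "compromised": sorted(a for _, a, ok in chunk if ok),
                    }
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The point of keying on distinct accounts per source rather than on failures per account is the friction trade-off Allen mentions: a spray like this can be met with step-up authentication or a block for the offending source only, leaving ordinary users (like the one who mistyped a password once from 198.51.100.4) untouched. Attackers rotate through proxies to defeat per-IP thresholds, so in production the same logic is usually applied per ASN, per device fingerprint, or per TLS fingerprint as well.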
Next moves for Lapsus$?
After the high-profile incidents at Uber and Rockstar Games, the Lapsus$ Group seems (again) to have been disrupted by an arrest, but it's unlikely they've been permanently disabled. Researchers at Digital Shadows have published a report speculating about where the group may be headed next. The group tends to carry out a combination of hacktivist and financially motivated crimes, although its tactics are generally opportunistic. There are also signs of an incipient but growing connection between the Lapsus$ Group and ransomware gangs, notably Yanluowang. See more on Lapsus$ at CyberWire Pro.
Cloud complexity and its effect on security.
A study by Venafi has found that 81% of organizations have sustained a cloud-related security incident within the past twelve months, while 45% experienced at least four incidents over the past year: “The underlying issue for these security incidents is the dramatic increase in security and operational complexity connected with cloud deployments," the report says. "And, since the organizations in this study currently host two fifths (41%) of their applications in the cloud but expect [that] to increase to 57% over the next 18 months, this complexity will continue to increase.” For more on the study's results, see CyberWire Pro.
Operation In(ter)ception: social engineering by the Lazarus Group.
Pyongyang's recent campaign seems to be a twofer, combining espionage with theft. Researchers at SentinelOne warn that North Korea’s Lazarus Group is using phony Crypto.com job offers to distribute macOS malware. The researchers aren’t sure how the lures are being distributed, but they suspect the attackers are sending spearphishing messages on LinkedIn. SentinelOne notes that this campaign “appears to be extending the targets from users of crypto exchange platforms to their employees in what may be a combined effort to conduct both espionage and cryptocurrency theft.” See CyberWire Pro for more on this Lazarus Group campaign.
Witchetty cyberespionage group: recent activity.
The Symantec Threat Hunter Team, part of Broadcom Software, released a blog detailing the Witchetty espionage group (also known as LookingFrog) and its updated toolset. Witchetty has been targeting the governments of two Middle Eastern countries, as well as the stock exchange of an African nation. A backdoor Trojan known as Backdoor.Stegmap has been seen in use; it relies on steganography, hiding malicious code inside an otherwise innocuous image file so that the payload can be downloaded as an apparently harmless file. Symantec doesn't offer an attribution, but it does quote ESET's association of Witchetty with TA410, a group other researchers have associated with China's Ministry of State Security. See more at CyberWire Pro.
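To make the steganography point concrete, here is an added example (not Witchetty's or Symantec's code, and not a description of how Stegmap itself encodes its payload, which the page does not detail) that hides a length-prefixed payload in the least-significant bits of a 24-bit BMP built in memory, recovers it, and shows why the carrier looks unchanged to a naive check: the file size and header are identical. The carrier image, payload, and the crude LSB statistic are all constructed for illustration.

```python
"""LSB image steganography: embed and recover a payload in a 24-bit BMP.

Added example. Plain least-significant-bit embedding of a length-prefixed
payload into a bitmap constructed in memory; this is the generic technique,
not Stegmap's specific encoding. Nothing here depends on third-party
libraries, so it runs offline.
"""
import struct

BMP_HEADER_LEN = 54  # 14-byte file header + 40-byte BITMAPINFOHEADER


def make_bmp(width, height, rgb=(40, 90, 160)):
    """Build a solid-colour, bottom-up, 24-bit BMP (the constructed carrier)."""
    row_bytes = (width * 3 + 3) & ~3            # rows are padded to 4 bytes
    pixel_bytes = row_bytes * height
    header = struct.pack("<2sIHHI", b"BM", BMP_HEADER_LEN + pixel_bytes, 0, 0, BMP_HEADER_LEN)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      pixel_bytes, 2835, 2835, 0, 0)
    row = bytes(rgb[::-1]) * width + b"\x00" * (row_bytes - width * 3)  # BGR order
    return header + dib + row * height


def _pixel_offset(bmp):
    """Offset of the pixel array, read from the file header (bytes 10..13)."""
    return struct.unpack_from("<I", bmp, 10)[0]


def embed(bmp, payload):
    """Hide a 4-byte little-endian length prefix plus payload, one bit per pixel byte."""
    data = struct.pack("<I", len(payload)) + payload
    bits = [(b >> i) & 1 for b in data for i in range(8)]
    off = _pixel_offset(bmp)
    if len(bits) > len(bmp) - off:
        raise ValueError("payload too large for carrier")
    out = bytearray(bmp)
    for idx, bit in enumerate(bits):
        out[off + idx] = (out[off + idx] & 0xFE) | bit   # overwrite only the LSB
    return bytes(out)


def _read_bits(bmp, off, nbytes):
    """Reassemble nbytes from the LSBs of consecutive pixel bytes starting at off."""
    out = bytearray()
    for n in range(nbytes):
        val = 0
        for i in range(8):
            val |= (bmp[off + n * 8 + i] & 1) << i
        out.append(val)
    return bytes(out)


def extract(bmp):
    """Recover the payload: read the length prefix, then that many bytes."""
    off = _pixel_offset(bmp)
    length = struct.unpack("<I", _read_bits(bmp, off, 4))[0]
    return _read_bits(bmp, off + 32, length)


def lsb_ones_ratio(bmp):
    """Fraction of pixel bytes whose LSB is set.

    For a flat-colour carrier this is 0 or 1 exactly, so any embedding
    shows up; for a real photograph it sits near 0.5 either way, which is
    why LSB steganography in natural images is hard to spot statistically.
    """
    off = _pixel_offset(bmp)
    pixels = bmp[off:]
    return sum(b & 1 for b in pixels) / len(pixels)


if __name__ == "__main__":
    carrier = make_bmp(64, 64)
    payload = b"constructed second-stage config: c2=example.invalid"  # constructed
    stego = embed(carrier, payload)
    print("recovered:", extract(stego))
    print("same size:", len(stego) == len(carrier), "same header:", stego[:54] == carrier[:54])
    print("LSB ratio clean/stego:", lsb_ones_ratio(carrier), lsb_ones_ratio(stego))
```

The defensive lesson is in the last function: size, header, and visual appearance all survive embedding, so content inspection that keys on file type or dimensions will pass the carrier. What does not survive is the decoder. A loader that opens an image and then reads pixel bytes bit by bit, XORs a buffer, and calls a memory-execution primitive is the behaviour worth detecting, which is where Symantec's write-up of Stegmap focuses.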
C2C access for sale: high-end auction houses and "flea markets."
Cybersixgill has published a report looking at network access for sale on underground markets: “There are two broad categories of access-as-a-service for sale on the underground: initial access brokers (IABs), which auction access to companies for hundreds to thousands of dollars, and wholesale access markets (WAMs), which sell access to compromised endpoints for around $10. WAMs are flea markets. The prices are low, the inventory is enormous (they listed access to ~4.3 million endpoints in 2021), and the quality is not guaranteed, as listings could belong to a random individual user or an enterprise endpoint.” Wholesale access markets have played a large role in providing initial access for ransomware attackers. For more information, see CyberWire Pro.
Securonix describes an effective and carefully crafted cyberespionage campaign.
Researchers at Securonix Threat Labs have issued a report on a cyberespionage campaign they're calling Steep#Maverick. They call it a "covert attack campaign," and they conclude that its targets have been "multiple military/weapons contractor companies, including likely a strategic supplier to the F-35 Lightning II fighter aircraft." The PowerShell stager the threat actor used isn't particularly novel, but "the procedures involved featured an array of interesting tactics, persistence methodology, counter-forensics and layers upon layers of obfuscation to hide its code." Once installed, the malware is unusually persistent. There's no attribution, but one circumstantial detail is suggestive. "If the system’s language is set to “*zh*” (Chinese) or to “*ru*” (Russian), then the code will simply exit and the computer will shut down," Securonix says in its report. For more on Steep#Maverick, see CyberWire Pro.
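Locale gating of the kind Securonix quotes is a recurring anti-targeting trick, and it is cheap to hunt for in collected scripts. The scanner below is an added example, not Securonix's code and not a reconstruction of the Steep#Maverick stager: the cmdlet names, the language-tag regex, and the two sample scripts are my assumptions about how such a check is commonly written, used here to show a heuristic that pairs a locale lookup with a language literal and an exit or shutdown primitive nearby.

```python
"""Flag PowerShell that gates execution on the system language or locale.

Added example for hunting locale checks like the one Securonix describes.
The patterns are assumptions about common ways to read and test the
locale, not a description of any particular malware's script. Heavily
obfuscated stagers will defeat regexes; run this on deobfuscated output
or on script-block logging (Event ID 4104) text, not on raw samples.
"""
import re

# Ways a script commonly reads the system language (assumed patterns).
LOCALE_SOURCES = re.compile(
    r"Get-Culture|Get-UICulture|Get-WinSystemLocale|CultureInfo|"
    r"CurrentCulture|CurrentUICulture|InstalledUICulture|OSLanguage",
    re.IGNORECASE,
)
# Language tags frequently used to exclude victims in particular countries,
# optionally wrapped in wildcards as in a -like comparison.
LANG_TAGS = re.compile(
    r"['\"]\*?(zh|ru|uk|be|kk)(-[A-Za-z]{2})?\*?['\"]", re.IGNORECASE
)
# Bail-out primitives that make the check an execution gate rather than logging.
BAILOUT = re.compile(
    r"\bexit\b|Stop-Computer|Restart-Computer|\[Environment\]::Exit", re.IGNORECASE
)


def find_locale_gates(script, proximity=3):
    """Return findings where a locale lookup, a language literal and a bail-out
    all occur within `proximity` lines of each other."""
    findings = []
    lines = script.splitlines()
    for i, line in enumerate(lines):
        if not LOCALE_SOURCES.search(line):
            continue
        window = "\n".join(lines[i:i + proximity + 1])
        tags = sorted({m.group(1).lower() for m in LANG_TAGS.finditer(window)})
        if tags and BAILOUT.search(window):
            findings.append({"line": i + 1, "languages": tags, "snippet": line.strip()})
    return findings


# Constructed sample of a stager with a locale gate (not a real sample).
SAMPLE_STAGER = '''\
$c = (Get-Culture).Name
if ($c -like "*zh*" -or $c -like "*ru*") {
    Stop-Computer -Force
    exit
}
$p = [Convert]::FromBase64String($blob)
'''

# Constructed benign script: reads the culture but only logs it.
BENIGN = '''\
$culture = (Get-Culture).Name
Write-Host "Running under $culture"
'''


if __name__ == "__main__":
    for hit in find_locale_gates(SAMPLE_STAGER):
        print(f"line {hit['line']}: excludes {hit['languages']}: {hit['snippet']}")
    print("benign findings:", find_locale_gates(BENIGN))
```

A hit is a triage signal, not an attribution: the same check appears in commodity crimeware that avoids prosecution in its operators' home jurisdictions, which is exactly why Securonix calls the detail suggestive rather than conclusive.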
Novel malware discovered targeting VMware ESXi hypervisors.
Mandiant has identified new malware that targets VMware ESXi, Linux vCenter servers, and Windows virtual machines. The attackers are able to maintain persistent administrative access to the hypervisor, with all the capabilities that implies over every guest it hosts. Mandiant has attributed this malware to UNC3886, suspecting that the motivation is cyber espionage, with a possible connection to China. VMware has used the information Mandiant developed to prepare guidance for its users. More information on the discovery may be found at CyberWire Pro.
North Korean operators "weaponize" open-source software.
Microsoft warns that the North Korean threat actor the company tracks as “ZINC” is targeting engineers and technical support employees working at “media, defense and aerospace, and IT services in the US, UK, India, and Russia.” The threat actor is using malicious versions of open-source applications, including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording. Microsoft believes the campaign is “motivated by traditional cyberespionage, theft of personal and corporate data, financial gain, and corporate network destruction.” For more on this cyberespionage campaign, see CyberWire Pro.
Fast Company's WordPress hijacking incident.
A breach of Fast Company's WordPress systems allowed a hacker to push an obscene notification to many iPhones via Apple News on Tuesday, the Verge reports. Apple News addressed the hack on Twitter, saying, “An incredibly offensive alert was sent by Fast Company, which has been hacked. Apple News has disabled their channel.” There's no obvious motive behind the attack, beyond whatever slacker lulz it might have produced. For more on the incident, see CyberWire Pro.
Deepfakes, and their evolution.
Trend Micro has published a report looking at the current and future impacts of deepfakes. The researchers note that deepfakes have already been used in social engineering attacks, and these attacks will increase as the technology improves. They can now be used to fake the identities of real people, or create fictitious personae for people who never existed. The researchers see a particular urgency to securing biometric modalities. For more on the future of deepfakes, see CyberWire Pro.
Unrest in Iran finds expression in cyberspace.
Protests in Iran continue, the New York Times and others report, and they've been particularly sharp in Kurdish regions. The proximate cause of the unrest was the death of a young woman in the custody of the morality police: Mahsa Amini, 22, had been arrested on charges of violating hijab regulations. Many of the protests have been led by women, and some smaller cities are said to be outside of effective government control. The Washington Post's coverage includes video of street violence.
Tehran has responded with force, but also by imposing sharp restrictions on online activity. The Record reports that the government has organized outages of mobile networks, WhatsApp, and Instagram. The Record also reports that the Anonymous hacktivist collective last week disrupted some Iranian government websites. On Friday, in a gesture intended to offer support to Iran's dissidents, the US Treasury Department relaxed sanctions in ways calculated to make it easier for US tech firms to offer Iranians greater access to online communication.
Developments in the Optus breach.
Investigation of the breach suffered by Optus in Australia continues, and the US FBI is rendering assistance to the Australian Federal Police. Australia's Minister for Home Affairs and Cybersecurity called the attack "quite a basic hack," and criticized the telco for permitting it to happen, the Record says. For their part, the criminals have sought to increase the pressure on those being extorted by releasing some of the data taken, ABC reports. The hackers are also presenting some of the Robin-Hood schtick sometimes seen in other double extortion incidents: "Sorry too 10.200 Australian whos data was leaked" [sic].
Leaked LockBit 3.0 builder used in ransomware attacks.
BleepingComputer reports that the Bl00dy ransomware gang has been using the LockBit 3.0 builder, leaked last week by a disgruntled developer dissatisfied with the ransomware-as-a-service operation's leadership, in its own attacks. Bl00dy, a relatively new gang, doesn't seem to do much development of its own, preferring to repurpose tools leaked or abandoned by other groups. These have included Babuk, Conti, and, now, LockBit.
Meta takes down Russian disinformation networks.
Meta, corporate parent of Facebook, Instagram, and WhatsApp, announced Tuesday that it had taken down two networks, one Russian, the other Chinese, for coordinated inauthentic behavior. The networks are unrelated. The Russian disinformation operation, Meta said, was unusually large, well-constructed, and focused on disseminating Russian propaganda concerning the war against Ukraine. "The Russian network — the largest of its kind we’ve disrupted since the war in Ukraine began — targeted primarily Germany, France, Italy, Ukraine and the UK with narratives focused on the war and its impact through a sprawling network of over 60 websites impersonating legitimate news organizations." The legitimate news organizations impersonated included Spiegel and Bild in Germany and the Guardian in the UK. The impersonations were carefully and convincingly executed, apparently at considerable expense. It's noteworthy that the stories they pushed lacked legs: they did not achieve widespread acceptance, and they were generally dismissed soon after publication as disinformation.
Gray-hat support for Iranian dissidents.
Hacktivists and others are seeking to render aid to Iranian dissidents and protesters, Check Point researchers report. Much of the activity is directed at facilitating communication and coordination among groups opposed to the regime in Tehran, but there's also some direct hacking of government-related sites and data, with signs of some profit-taking on the side. "Key activities are data leaking and selling, including officials’ phone numbers and emails, and maps of sensitive locations," Check Point says of those latter operations.
SolarMarker info-stealer returns in watering hole campaign.
Researchers at eSentire reported Friday morning that the SolarMarker information stealer has resurfaced. "The SolarMarker threat actors," eSentire writes, "are now leveraging fake Chrome browser updates as part of watering hole attacks." This represents a change in tactics. SolarMarker's operators had been known for their reliance on search engine optimization (SEO) poisoning.
Patch news.
The US Cybersecurity and Infrastructure Security Agency has released three Industrial Control System (ICS) Advisories, for Hitachi Energy AFS ("Improper Input Validation"), Hitachi Energy APM Edge ("Out-of-Bounds Write and Improper Authentication"), and Rockwell Automation ThinManager ThinServer ("Heap-based Buffer Overflow").
CISA has released six more Industrial Control System Advisories: ICSA-22-272-01 Hitachi Energy MicroSCADA Pro X SYS600_8DBD000106 ("Improper Input Validation, Improper Privilege Management, Improper Access Control, Improper Handling of Unexpected Data"), ICSA-22-272-02 Hitachi Energy MicroSCADA Pro X SYS600_8DBD000107 ("NULL Pointer Dereference, Infinite Loop"), ICSMA-22-251-01 Baxter Sigma Spectrum Infusion Pump (Update A) ("Missing Encryption of Sensitive Data, Use of Externally Controlled Format String, Missing Authentication for Critical Function"), ICSA-22-235-01 ARC Informatique PcVue (Update A) ("Cleartext Storage of Sensitive Information"), ICSA-22-244-01 Delta Electronics DOPSoft (Update A) ("Out-of-bounds Read"), and ICSA-21-182-03 Delta Electronics DOPSoft (Update B) ("Out-of-bounds Read").
Crime and punishment.
The City of London Police tweeted, "On the evening of Thursday 22 September 2022, the City of London Police arrested a 17-year-old in Oxfordshire on suspicion of hacking, as part of an investigation supported by the @NCA_UK’s National Cyber Crime Unit (NCCU)." The police have been relatively close-mouthed about the arrest, but as the Verge points out, circumstantially the alleged crime looks like the Uber and Rockstar hacks, and the suspect looks like a Lapsus$ operator. The Hacker News offers some informed speculation that the youth arrested was responsible for the Uber and Rockstar incidents.
Without revealing the hacker's real identity, Flashpoint reports that the hacker, "Teapotuberhacker," was outed in an underground online forum, but the security firm urges caution in accepting the doxing at face value. Flashpoint reviewed what it found in the "online illicit forum" and reported evidence that the person responsible for the Uber and Grand Theft Auto hacks may be the Lapsus$ hacker earlier known as "White" and "Breachbase." More on the arrest and some background on Lapsus$ may be found in CyberWire Pro.
Courts and torts.
The New York Times reports that the Securities and Exchange Commission (SEC) is fining multiple financial firms for failing to monitor and preserve employees' business communications on their personal devices. The combined fines are close to $2 billion and cover eight major Wall Street banks. Bank of America, Barclays, Citigroup, Goldman Sachs and Morgan Stanley have all admitted wrongdoing, and will each pay $125 million to the SEC. SEC chair Gary Gensler said in a statement, “As technology changes, it’s even more important that registrants appropriately conduct their communications about business matters within only official channels, and they must maintain and preserve those communications."
Policies, procurements, and agency equities.
In light of the protests raging in Iran over the death of Mahsa Amini, a woman who died in police custody after being detained for allegedly violating the country’s headscarf rules, the US Department of the Treasury announced it is amending its sanctions on Iran, allowing exceptions for technology companies that provide the country’s citizens with internet access, the Record by Recorded Future reports. The sanctions were issued to make it difficult for American businesses to operate in the country, but with the Iranian government shutting off various mobile networks and blocking WhatsApp and Instagram to prevent protesters from communicating with the outside world, the Treasury issued a new general license allowing tech companies to offer the Iranian people secure internet services and platforms. Deputy Secretary of the Treasury Wally Adeyemo stated on Friday, “With these changes, we are helping the Iranian people be better equipped to counter the government’s efforts to surveil and censor them. In the coming weeks, [the Office of Foreign Assets Control] will continue issuing guidance to support the Administration’s commitment to promoting the free flow of information, which the Iranian regime has consistently denied to its people.” As the Taipei Times reports, a Treasury official explained that the new license covers social media platforms and video conferencing, and will broaden access to virtual private networks (VPNs) and other anti-surveillance tools. A caveat worth keeping in mind: a VPN hides a user's traffic and destinations from the local network and ISP, which is what matters under a state-run filter, but it does not make the user anonymous; the VPN provider sees the traffic instead, so the choice of provider and its logging practices matter as much as the tunnel itself.