By the CyberWire staff
At a glance.
- Russian influence ops play defense; China plays offense.
- BlackByte's new exfiltration tool.
- Cyber attack against Tata Power.
- "Prestige" ransomware sighted in attacks on Polish and Ukrainian targets.
- Ransom Cartel has a possible connection to REvil.
- Spyder Loader active in Hong Kong.
- Vulnerability discovered (and patched) in Azure.
- Misconfigured Microsoft storage endpoint secured.
- Two looks at the state of ransomware.
- Trends in social engineering, and the effects of phishing.
- Zimbra exploited: advice from CISA.
Russian influence ops play defense; China plays offense.
Mandiant has released the second issue of its Cyber Snapshot report, looking at the proliferation of information operations (IOs), threats to NFTs and cryptocurrency, and enterprise security best practices. The researchers note that Russian state-sponsored threat actors are currently “conducting widespread IO campaigns to bolster the positive perception of the Russian invasion of Ukraine to the Russian people.” Meanwhile, China-aligned actors are carrying out information operations to “sway public opinion against the expansion of rare-earth minerals mining and refining operations in the U.S. and Canada, likely as an attempt to protect China’s heavy investments in rare-earth production.”
The Washington Post reports that the FBI has been alerting state Democratic and Republican Party organizations that they're the subject of increasing scans by Chinese intelligence services. The scanning, which the FBI was unwilling to discuss publicly, given the sensitivity of the matter, seems to be reconnaissance and target development.
For more on influence operations, see CyberWire Pro.
BlackByte's new exfiltration tool.
Symantec warns that an affiliate of the BlackByte ransomware-as-a-service operation is using a new data exfiltration tool called “Exbyte.” The researchers state, “The Exbyte exfiltration tool is written in Go and designed to upload stolen files to the Mega.co.nz cloud storage service. On execution, Exbyte performs a series of checks for indicators that it may be running in a sandboxed environment. This is intended to make it more difficult for security researchers to analyze the malware. To do this, it calls the IsDebuggerPresent and CheckRemoteDebuggerPresent APIs.” BlackByte seems to be filling a gap left by the dissolution of other major ransomware offerings, and “[t]he fact that actors are now creating custom tools for use in BlackByte attacks suggests that it may be on the way to becoming one of the dominant ransomware threats.” For more on Symantec's research into BlackByte, see CyberWire Pro.
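The debugger checks Symantec describes have a practical consequence for triage of Go-built tooling like Exbyte: Go code that reaches Windows APIs through syscall.NewLazyDLL/NewProc resolves them at run time by name, so IsDebuggerPresent and CheckRemoteDebuggerPresent show up as plain strings in the binary's read-only data rather than as entries in the PE import table, and Go packs string literals back to back without NUL terminators, so a classic strings-style extraction can merge several names into one token. The following script is an added example, not code from Symantec or the Exbyte write-up: it scans a byte blob for anti-analysis API names with a substring match, shows why a NUL-split extraction misses them, and summarises the techniques implied. The API list beyond the two names on the page and the sample bytes are constructed for illustration.

```python
import re

# Windows API names that malware commonly calls to detect a debugger or
# sandbox. Exbyte is reported to call the first two; the remaining entries
# are common companions added for this example (an assumption, not a claim
# about Exbyte).
ANTI_ANALYSIS_APIS = {
    "IsDebuggerPresent": "debugger check",
    "CheckRemoteDebuggerPresent": "debugger check",
    "NtQueryInformationProcess": "debugger check",
    "OutputDebugStringA": "debugger check",
    "GetTickCount": "timing check",
    "QueryPerformanceCounter": "timing check",
}

# Longest names first so a shorter name that is a prefix of a longer one
# can never win the alternation.
_API_RE = re.compile(
    b"|".join(
        re.escape(n.encode())
        for n in sorted(ANTI_ANALYSIS_APIS, key=len, reverse=True)
    )
)
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]+")


def find_api_strings(blob: bytes) -> dict[str, list[int]]:
    """Map each anti-analysis API name found in blob to its byte offsets.

    A substring scan is used on purpose: Go stores string literals packed
    without NUL terminators, so splitting on non-printable bytes (what
    `strings` does) can fuse several names into one token.
    """
    hits: dict[str, list[int]] = {}
    for m in _API_RE.finditer(blob):
        hits.setdefault(m.group(0).decode(), []).append(m.start())
    return hits


def strings_style(blob: bytes, min_len: int = 4) -> list[str]:
    """Naive `strings`-like extraction, kept to contrast with the scan above."""
    return [r.decode() for r in _PRINTABLE_RUN.findall(blob) if len(r) >= min_len]


def triage(blob: bytes) -> dict:
    """Summarise which anti-analysis techniques the blob's strings point to."""
    hits = find_api_strings(blob)
    techniques = sorted({ANTI_ANALYSIS_APIS[name] for name in hits})
    return {
        "apis": hits,
        "techniques": techniques,
        "debugger_checks": any(ANTI_ANALYSIS_APIS[n] == "debugger check" for n in hits),
    }


# Constructed sample imitating a Go binary's packed read-only data. These
# are not bytes from Exbyte or any real sample.
SAMPLE = (
    b"\x00\x00kernel32.dllIsDebuggerPresentCheckRemoteDebuggerPresent"
    b"GetTickCount\x00\x00mega.co.nz\x00"
)

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("strings-style tokens:", strings_style(SAMPLE))
    print("api hits:", result["apis"])
    print("techniques:", result["techniques"])
```

On the constructed sample the strings-style pass returns a single fused token starting with "kernel32.dll", while the substring scan reports each API name at its own offset; running the scan over a real sample's .rdata (or the whole file) is the same call with the file's bytes.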
Cyber attack against Tata Power.
Indian energy company Tata Power disclosed last Friday that it was hit by a cyberattack that affected some of its IT systems, the Record reports. The nature of the attack is unclear, but the company says its operational technology is still functioning. The Economic Times cites a “senior official from the Maharashtra Police's cyber wing” as saying that “an intelligence input had been received about threat to Tata Power and other electricity companies.”
"Prestige" ransomware sighted in attacks on Polish and Ukrainian targets.
Last Friday Microsoft reported detecting a novel strain of ransomware the company is calling "Prestige." The campaign deploying Prestige has afflicted organizations in Poland and Ukraine, specifically targeting the transportation and related logistics sectors. "The enterprise-wide deployment of ransomware is not common in Ukraine, and this activity was not connected to any of the 94 currently active ransomware activity groups that Microsoft tracks," the researchers wrote, adding that, "The Prestige ransomware had not been observed by Microsoft prior to this deployment." Who's behind the effort is unclear, but Microsoft sees some circumstantial signs of a connection to Russia. "The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper)." HermeticWiper was used in the opening days of Russia's invasion of Ukraine against targets in that country and also in Latvia and Lithuania, Reuters observes. Microsoft is tracking the threat actor involved as "DEV-0960."
Ransom Cartel has a possible connection to REvil.
Palo Alto Networks' Unit 42 has published a report on the Ransom Cartel ransomware-as-a-service offering, finding that it has possible ties to the (probably) now-defunct REvil ransomware gang: “At this time, we believe that Ransom Cartel operators had access to earlier versions of REvil ransomware source code, but not some of the most recent developments (see our Ransom Cartel and REvil Code Comparison for more details). This suggests there was a relationship between the groups at some point, though it may not have been recent." For more on REvil and its successors, see CyberWire Pro.
Spyder Loader active in Hong Kong.
Researchers at Symantec (a Broadcom company) warn that the “Operation CuckooBees” campaign (first observed by Cybereason in May 2022) now appears to be targeting government entities in Hong Kong with the Spyder Loader malware:
“The victims observed in the activity seen by Symantec were government organizations, with the attackers remaining active on some networks for more than a year. We saw the Spyder Loader (Trojan.Spyload) malware deployed on victim networks, indicating this activity is likely part of that ongoing campaign. While we did not see the ultimate payload in this campaign, based on the previous activity seen alongside the Spyder Loader malware it seems likely the ultimate goal of this activity was intelligence collection.”
Symantec doesn’t attribute the campaign to any particular threat actor, but Cybereason tied the earlier activity to the Chinese APT Winnti. Symantec notes that the duration and focus of the campaign, which has persisted through several versions of the malware employed, indicate a determined and persistent threat actor. For more on Spyder Loader, see CyberWire Pro.
Vulnerability discovered (and patched) in Azure.
Orca has released a report detailing a vulnerability it discovered in Azure Service Fabric Explorer (SFX). Orca calls the issue "FabriXss" (pronounced “fabrics”), a name that reflects its cross-site scripting (XSS) nature. The vulnerability was reported to Microsoft, designated CVE-2022-35829, and patched on Patch Tuesday earlier this month. Microsoft Azure Service Fabric is described as a “distributed systems platform for packaging, deploying, and managing stateless and stateful distributed applications and containers on a large scale,” and Service Fabric Explorer is “a tool for inspecting and managing Azure Service Fabric clusters.” For more on the vulnerability, see CyberWire Pro.
Misconfigured Microsoft storage endpoint secured.
Microsoft has released the results of its investigation into a misconfigured Microsoft storage endpoint, which exposed “some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services.” Microsoft has since secured the server. The company was notified of the misconfiguration by researchers at SOCRadar. Microsoft thanked SOCRadar for bringing the issue to their attention, but criticized aspects of SOCRadar's disclosure. More information on the misconfiguration and its remediation may be found at CyberWire Pro.
Two looks at the state of ransomware.
Digital Shadows has released its report on ransomware for the third quarter (Q3) of 2022. The researchers found that ransomware activity decreased overall in Q3 2022, despite notable attacks on high-profile targets. LockBit's activity declined, but its market share increased. Some of the general decline can be attributed to Conti's apparent exit from the criminal market. The researchers also distinguish financially motivated from politically motivated threat actors, and note that the distinction is growing hazier. For more on Digital Shadows' report, see CyberWire Pro.
Intel 471 has released a report on ransomware activity in Q3 2022. The researchers observed 455 ransomware attacks during the quarter, down 72 from Q2. The most affected regions were, in that order, North America, Europe, Asia, South America, Oceania, Africa and the Middle East. The leading strains over the quarter were LockBit 3.0, BlackBasta, Hive, and ALPHV. For details see CyberWire Pro.
Trends in social engineering, and the effects of phishing.
Cofense has released a report detailing phishing intelligence trends in Q3 2022. Overall, malware delivery volume dropped in July with the disappearance of Emotet, and stayed at that lower level for the rest of the quarter. The top five malware types in Q2 also topped Q3, with keyloggers and remote access Trojans recently gaining traction. Loaders, keyloggers, information stealers, remote access Trojans, and bankers were, in that order, the top five malware types, and Emotet/Geodo, Agent Tesla, FormBook, Remcos RAT, and QakBot were, respectively, the leading families of each type. For more on the story, see CyberWire Pro.
Ironscales this week published a report, conducted by Osterman Research, that details the cost of phishing to business. The study's stated purpose is to investigate the “direct costs borne by organizations in mitigating the phishing threat, and to explore expectations about how phishing will change over the next 12 months.” The costs of phishing are not just financial in nature: security and IT teams also have to dedicate time to resolving phishing attempts and attacks. 70% of organizations report spending 16 to 60 minutes on each phishing email, from discovery of the email to its removal. The research costed a composite IT and security professional at $136,528 in salary and benefits, and, with an average of 27.5 minutes spent per phishing email, put the cost of handling a single phishing email at about $31.32. For more on this study, see CyberWire Pro.
Researchers at Avanan have observed a rise in attacks that compromise legitimate college student accounts in order to carry out business email compromise (BEC) attacks. “We’ve seen a generous uptick in threat actors compromising student accounts, and then using them to send out BEC and credential harvesting messages," their report says. The phishing emails sent from the accounts misrepresent themselves as support messages informing the user that several emails are being held for review. The user is directed to click a link in order to view the blocked emails. Avanan notes that there are several red flags in the emails, “such as where the URL goes to and also the fact that a university account wouldn’t be used to send support messages.” For more on this BEC campaign, see CyberWire Pro.
Zimbra exploited: advice from CISA.
The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its advisory concerning the exploitation of several vulnerabilities in Zimbra. The update includes not only additional technical details on the malicious files being used in exploitation, but also a summary of best practices to mitigate the risk of attack. More on CISA's advisory may be found in CyberWire Pro.
Patch news.
On Tuesday the US Cybersecurity and Infrastructure Security Agency (CISA) released two industrial control system (ICS) advisories, for Advantech R-SeeNet (mitigation for "Path Traversal, Stack-based Buffer Overflow") and Hitachi Energy APM Edge (Update A) (mitigation for "Reliance on Uncontrolled Component").
CISA also released three ICS advisories, for Bentley Systems MicroStation Connect (remediations for "Stack-based Buffer Overflow, Out-of-bounds Read"), B. Braun Infusomat Space Large Volume Pump (Update A) (remediations for "Unrestricted Upload of File with Dangerous Type, Cleartext Transmission of Sensitive Information, Missing Authentication for Critical Function, Insufficient Verification of Data Authenticity, and Improper Input Validation"), and B. Braun SpaceCom Battery Pack SP with Wi-Fi and Data module compactplus (Update A) (remediations for "Cross-site Scripting, Open Redirect, XPath Injection, Session Fixation, Use of a One-way Hash without a Salt, Relative Path Traversal, Improper Verification of Cryptographic Signature, Improper Privilege Management, Use of Hard-coded Credentials, Active Debug Code, Improper Access Control").
Crime and punishment.
Europol has announced thirty-one arrests as the result of an operation against a gang exploiting keyless cars produced by two French manufacturers. "As a result of a coordinated action carried out on 10 October in the three countries involved, 31 suspects were arrested. A total of 22 locations were searched, and over EUR 1 098 500 in criminal assets seized." France's Gendarmerie had the lead in the investigation.
Eugene Yu, CEO of election worker scheduling software maker Konnech, was arrested last week on suspicion of data theft. NPR.org reports that Yu has now been charged with conspiracy to embezzle public funds and grand theft by embezzlement of public funds. Prosecutors allege that Konnech gave its contractors in China access to sensitive data on election workers, which they characterize as a massive data breach, and that in doing so Konnech violated not only its contract with Los Angeles County but also criminal law. It’s worth noting that the prosecution does not allege that Yu stole money, but rather that he misappropriated government funds. Konnech has come under fire from election conspiracy theorists who have circulated unfounded claims that Konnech has ties to the Chinese Communist Party, and the company’s defense attorney says the prosecution is relying on dubious information from these election deniers. A Los Angeles Superior Court judge has ordered Yu to remain in home confinement because he allegedly poses an "extensive flight risk" due to his "deep ties to China."
An Interpol-led operation has resulted in the arrests of 75 alleged members of the Africa-based Black Axe crime organization, the Register reports. Two of the suspects arrested in South Africa are accused of stealing $1.8 million through online scams. “Codenamed Operation Jackal, the joint law enforcement effort mobilized 14 countries across four continents in a targeted strike against Black Axe and related West-African organized crime groups.” INTERPOL regards the operation as a major strike against transnational cybercrime. “Operation Jackal marks the first time INTERPOL has coordinated a global operation specifically against Black Axe, which is rapidly becoming a major security threat worldwide. Black Axe and similar groups are responsible for the majority of the world’s cyber-enabled financial fraud as well as many other serious crimes, according to evidence analyzed by INTERPOL’s Financial Crime and Anti-Corruption Centre (IFCACC) and national law enforcement.” For more on the Black Axe takedown, see CyberWire Pro.
Courts and torts.
US vision insurance provider EyeMed Vision Care has agreed to pay a $4.5 million penalty to New York State for violations related to a June 2020 data breach that affected approximately 2.1 million individuals. After a successful phishing attempt, the threat actor gained access to a company email account containing consumer data, including Social Security numbers and medical treatment information going back as far as six years, Health IT Security explains. An investigation by the New York Department of Financial Services (DFS) determined that EyeMed had violated the DFS Cybersecurity Regulation by failing to implement multifactor authentication for its email environment. “Moreover, EyeMed failed to limit user access privileges by allowing nine employees to share login credentials to the affected email mailbox and failed to implement sufficient data retention and disposal processes, resulting in over six years’ worth of consumer data being accessible through the affected email mailbox,” the DFS stated. The company previously reached a settlement with the New York Attorney General’s Office to resolve allegations relating to the breach, which required EyeMed to pay $600,000 and to improve its security posture by conducting regular penetration testing, encrypting sensitive consumer information, and updating its security protocols.
Policies, procurements, and agency equities.
Arne Schoenbohm has been relieved of his post as head of Germany's Federal Office for Information Security (BSI), Spiegel reports. Under German labor law the removal is formally a suspension, the Washington Post writes, but few expect Mr. Schoenbohm to return to the BSI. An investigation was conducted into his connections with Russia via the Cyber Security Council Germany. His continued contact with the Council (a group he helped found) was controversial, the Post says, "because of the foundation membership of Protelion, reported to be a rebranded German arm of the Russian cybersecurity firm Infotecs, founded by a former KGB agent." Reuters quotes the Interior Ministry as saying the dismissal was in response to news that had "permanently damaged the necessary public confidence in the neutrality and impartiality of his conduct in his office as president of Germany's most important cybersecurity authority."
In an effort to quell concerns about China’s global tech influence, anonymous sources say the US Federal Communications Commission (FCC) is expected to expand its ban on telecommunications equipment produced by Chinese tech giants Huawei and ZTE, Ars Technica reports. The FCC has already prohibited the use of Huawei and ZTE equipment in telecom networks that receive subsidies from the Universal Service Fund, but Chairwoman Jessica Rosenworcel is proposing that Huawei and ZTE also be banned from receiving FCC approval on any future products. "The FCC remains committed to protecting our national security by ensuring that untrustworthy communications equipment is not authorized for use within our borders, and we are continuing that work here,” Rosenworcel stated. The proposal would also ban video surveillance equipment from Chinese companies Hytera, Hikvision, and Dahua, which develop products for police departments. The FCC circulated the proposed ban, titled "Protecting Against National Security Threats to the Communications Supply Chain through the Equipment Authorization Program,” last week, and the order's text will become public after it's approved.