At a glance.
- Russian influence ops play defense; China plays offense.
- BlackByte's new exfiltration tool.
- Cyber attack against Tata Power.
- "Prestige" ransomware sighted in attacks on Polish and Ukrainian targets.
- Ransom Cartel has a possible connection to REvil.
- Spyder Loader active in Hong Kong.
- Vulnerability discovered (and patched) in Azure.
- Misconfigured Microsoft storage endpoint secured.
- Two looks at the state of ransomware.
- Trends in social engineering, and the effects of phishing.
- Zimbra exploited: advice from CISA.
Russian influence ops play defense; China plays offense.
Mandiant has released the second issue of its Cyber Snapshot report, looking at the proliferation of information operations (IOs), threats to NFTs and cryptocurrency, and enterprise security best practices. The researchers note that Russian state-sponsored threat actors are currently “conducting widespread IO campaigns to bolster the positive perception of the Russian invasion of Ukraine to the Russian people.” Meanwhile, China-aligned actors are carrying out information operations to “sway public opinion against the expansion of rare-earth minerals mining and refining operations in the U.S. and Canada, likely as an attempt to protect China’s heavy investments in rare-earth production.”
The Washington Post reports that the FBI has been alerting state Democratic and Republican Party organizations that they're the subject of increasing scans by Chinese intelligence services. The scanning, which the FBI was unwilling to discuss publicly, given the sensitivity of the matter, seems to be reconnaissance and target development.
For more on influence operations, see CyberWire Pro.
BlackByte's new exfiltration tool.
Symantec warns that an affiliate of the BlackByte ransomware-as-a-service operation is using a new data exfiltration tool called “Exbyte.” The researchers state, “The Exbyte exfiltration tool is written in Go and designed to upload stolen files to the Mega.co.nz cloud storage service. On execution, Exbyte performs a series of checks for indicators that it may be running in a sandboxed environment. This is intended to make it more difficult for security researchers to analyze the malware. To do this, it calls the IsDebuggerPresent and CheckRemoteDebuggerPresent APIs.” BlackByte seems to be filling a gap left by the dissolution of other major ransomware offerings, and “[t]he fact that actors are now creating custom tools for use in BlackByte attacks suggests that it may be on the way to becoming one of the dominant ransomware threats.” For more on Symantec's research into BlackByte, see CyberWire Pro.
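The two Windows API names Symantec cites (IsDebuggerPresent and CheckRemoteDebuggerPresent) and the Mega.co.nz upload destination are the kind of static indicators an analyst would look for when triaging a suspected Exbyte sample. The following is an added example, not Symantec's or CyberWire's code, and it is not a detection signature: it scans raw sample bytes for those names in both the ASCII and UTF-16LE encodings Windows binaries use, and returns a coarse verdict. The sample bytes are constructed for the demonstration; the verdict strings and thresholds are assumptions. Many benign programs import IsDebuggerPresent through the C runtime, which is why a single hit is rated low.

```python
"""Static triage for the Exbyte indicators named in the Symantec write-up.

Added example (not Symantec's or CyberWire's code). Given the raw bytes of a
sample, report which of the page's indicators occur as ASCII or UTF-16LE
strings and return a coarse triage verdict. Everything except the API names
and the Mega domain is an assumption made for this example.
"""
from typing import Dict, List

# Indicators taken from the page: the two anti-debugging APIs Exbyte calls
# and the cloud storage service it uploads to.
ANTI_DEBUG_APIS = ("IsDebuggerPresent", "CheckRemoteDebuggerPresent")
EXFIL_DOMAINS = ("mega.co.nz",)


def _encodings(s: str) -> List[bytes]:
    # Windows binaries carry strings either as ASCII or as UTF-16LE (wide) strings,
    # so a single-encoding search would miss half the cases.
    return [s.encode("ascii"), s.encode("utf-16-le")]


def find_indicators(sample: bytes) -> Dict[str, List[str]]:
    """Return {'anti_debug': [...], 'exfil': [...]} listing which indicators occur."""
    lowered = sample.lower()  # Case-fold once so domain matches are case-insensitive.
    found: Dict[str, List[str]] = {"anti_debug": [], "exfil": []}
    for api in ANTI_DEBUG_APIS:
        # Import-table names are exact, so API names are matched case-sensitively.
        if any(enc in sample for enc in _encodings(api)):
            found["anti_debug"].append(api)
    for dom in EXFIL_DOMAINS:
        if any(enc in lowered for enc in _encodings(dom)):
            found["exfil"].append(dom)
    return found


def triage_verdict(sample: bytes) -> str:
    """Coarse verdict (assumed thresholds): both indicator classes warrant review."""
    hits = find_indicators(sample)
    if hits["anti_debug"] and hits["exfil"]:
        return "review: anti-debug checks plus cloud-storage destination"
    if hits["anti_debug"] or hits["exfil"]:
        return "low: single indicator, common in benign software"
    return "none"


# Constructed sample bytes, not real malware: fragments of the kind a strings
# dump would show, with the Mega URL stored as a wide (UTF-16LE) string.
CONSTRUCTED_SAMPLE = (
    b"\x00kernel32.dll\x00IsDebuggerPresent\x00CheckRemoteDebuggerPresent\x00"
    + "https://g.api.mega.co.nz/".encode("utf-16-le")
)
# Constructed benign-looking bytes: the C runtime import alone is not suspicious.
CONSTRUCTED_BENIGN = b"\x00kernel32.dll\x00IsDebuggerPresent\x00GetTickCount\x00"

if __name__ == "__main__":
    print(find_indicators(CONSTRUCTED_SAMPLE), "->", triage_verdict(CONSTRUCTED_SAMPLE))
    print(find_indicators(CONSTRUCTED_BENIGN), "->", triage_verdict(CONSTRUCTED_BENIGN))
```

In practice this string scan would sit in front of a proper import-table parse (Go binaries keep their imported names in the PE import directory like any other Windows executable), and the verdict would feed an analyst queue rather than block anything on its own.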
Cyber attack against Tata Power.
Indian energy company Tata Power disclosed last Friday that it was hit by a cyberattack that affected some of its IT systems, the Record reports. The nature of the attack is unclear, but the company says its operational technology is still functioning. The Economic Times cites a “senior official from the Maharashtra Police's cyber wing” as saying that “an intelligence input had been received about threat to Tata Power and other electricity companies.”