At a glance.
- Threat reports and trends.
- Misconfiguration risk to US government networks' security and compliance.
- CISA and election security.
- Business email compromise and gift cards.
- Leveraging Microsoft Dynamics 365 Customer Voice for credential harvesting.
- Crimson Kingsnake BEC group impersonates law firms.
- Cyberattacks and incidents.
- DataTribe announces winner of annual cybersecurity startup challenge.
- Former UK Prime Minister Truss's phone may have been compromised.
- Emotet is back.
- Black Basta ransomware linked to Fin7.
Threat reports and trends.
Three studies of threat trends appeared this week.
Deep Instinct has published its 2022 Interim Cyber Threat Report, outlining some of the top malware strains and exploited vulnerabilities between January and December of 2022. The majority (44%) of ransomware campaigns were launched by affiliates of the Lockbit ransomware-as-a-service offering, while 23% were carried out by the now-defunct Conti gang. Emotet retains its commanding place atop the banking Trojan leaderboard, with 67% of the observed attacks (NJRat is an also-ran in second, at just 14%). For more on Deep Instinct's study, see CyberWire Pro.
Barracuda has published a report on the severity of threats over the course of 2022, finding that a larger number of serious attacks occur during the summer while many employees are on vacation. Microsoft 365 account compromises in particular were found to increase during the summer. 40% of attacks between June and September 2022 involved logins to Microsoft 365 accounts from suspicious countries. Barracuda classifies these attacks as “high risk.” For more on these threat trends, see CyberWire Pro.
Akamai’s DNS Threat Report for Q3 2022 has found that 14% of devices connected with a malicious destination at least once during the quarter. The researchers state, “Breaking down these potentially compromised devices further, 59% of the devices communicated with malware or ransomware domains, 35% communicated with phishing domains, and 6% communicated with command and control (C2) domains.” Akamai also notes that phishing campaigns will increase as the holiday season approaches, so this unfortunate trend will in all likelihood see a seasonal upturn. For more on this study, see CyberWire Pro.
Misconfiguration risk to US government networks' security and compliance.
Titania has released a study on US Federal security practices, “The impact of exploitable misconfigurations on the security of agencies’ networks and current approaches to mitigating risks in the U.S. Federal Government.” The research shows that network professionals report that they’re meeting their security and compliance requirements, but the data suggest that this self-reporting is optimistic. Federal agencies have a large number of devices on their networks, over 1,000 on average. 59% of respondents say that they assess the configuration of network devices every year, with 12% doing it on a bimonthly cycle. 71% rated their network security tools as effective in categorizing and prioritizing compliance risks, which contrasts with the 81% of respondents who reported that the inability to prioritize remediation based on risk is a top issue. Respondents reported an average of 51 misconfigurations in the past year, with 83% reporting at least one critical configuration issue in the past two years. For more on the study, see CyberWire Pro.
CISA and election security.
Tuesday morning, the Center for Strategic and International Studies (CSIS) held a fireside chat with Cybersecurity and Infrastructure Security Agency (CISA) Director, Jen Easterly, and CSIS Senior Adviser Suzanne Spaulding.
Easterly discussed how CISA is the Sector Risk Management Agency for multiple sectors including election infrastructure, and noted that local and state officials, not the federal government, are in charge of running elections. “We ensure that they have the tools, the resources, the capabilities, and the information to be able to run safe and secure and resilient elections. And as you very well know, over the past several years we have been working hand in hand across the federal government with those election officials, with the vendor community. And I am very confident that we have done everything we can to make election infrastructure as secure and as resilient as possible. And we’ve been very clear that there is no information, credible or specific, about efforts to disrupt or compromise that election infrastructure.” For more on the discussion, see CyberWire Pro.
Business email compromise and gift cards.
Cofense released a report Wednesday in which they detail trends in Business Email Compromise and explain what would happen if you gave scammers traceable gift cards. Cofense researchers purchased $500 worth of trackable gift cards to see where they would go after the cards were given to a scammer. Scammers were found to prefer in-store cards, and tended to be flexible with what was available. The experiment showed how quickly scammers move funds, showing that in all but one case, the gift cards were stolen, re-sold, and used for purchases within a day. For more on BEC and gift cards, see CyberWire Pro.
Leveraging Microsoft Dynamics 365 Customer Voice for credential harvesting.
Avanan blogged this week about attempts by hackers to abuse Dynamics 365 Customer Voice, a Microsoft product used to gather feedback from customers. Threat actors were found to be using legitimate-appearing links from Microsoft notifications to deliver credential harvesting pages. One of the malicious emails looks like it’s from the survey feature of Dynamics 365: it informs the victim that a new voicemail has been received. Another email provides a legitimate Customer Voice link from Microsoft, but when “Play Voicemail” is clicked, the button redirects to a phishing page that imitates the Microsoft login page. The malice is in the button, not in the visible link. For more information on what Avanan calls a "static expressway" campaign, see CyberWire Pro.
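As an added illustration of the detection point in the Avanan write-up (this is example code, not Avanan's, Microsoft's, or the digest's own): a small Python checker that extracts the links from an HTML email body, optionally follows each one to its final destination through a caller-supplied resolver, and flags a lure when a "Play Voicemail" style button leaves Microsoft infrastructure or lands on a lookalike domain. The domain allowlist, the sample email, and the redirect map are constructed assumptions, and the brand-word heuristic is a deliberately simple stand-in for a real lookalike classifier.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of Microsoft-owned link domains (illustrative, not authoritative).
MICROSOFT_DOMAINS = {"microsoft.com", "office.com", "microsoftonline.com", "live.com"}
BRAND_WORDS = ("microsoft", "office365", "outlook", "onedrive")
# Button text typical of the lure described in the write-up.
LURE_TEXT = re.compile(r"voicemail|sign in|verify", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(t for t in self._text if t)))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels approximation of the registrable domain."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_microsoft(host):
    return registrable_domain(host) in MICROSOFT_DOMAINS


def is_lookalike(host):
    """Host uses a Microsoft brand word but is not under a Microsoft-owned domain."""
    return not is_microsoft(host) and any(w in host.lower() for w in BRAND_WORDS)


def flag_links(html_body, resolve=lambda url: url):
    """Return (href, final_url, reason) for links that look like harvesting lures.

    `resolve` maps a link to its final destination; the default follows nothing,
    so the caller supplies a redirect follower to catch a legitimate-looking
    Microsoft link whose redirect ends on a lookalike login page.
    """
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        final = resolve(href)
        host = urlparse(final).hostname or ""
        if is_lookalike(host):
            findings.append((href, final, "lands on lookalike Microsoft domain"))
        elif not is_microsoft(host) and LURE_TEXT.search(text):
            findings.append((href, final, f"'{text}' button leaves Microsoft infrastructure"))
    return findings


# Constructed sample: the survey link is genuine, but the "Play Voicemail" button
# goes through a Microsoft-hosted redirect that (in the constructed map below)
# ends on a lookalike host. Nothing here is a real campaign artifact.
SAMPLE_EMAIL = """<p>You have a new voicemail.</p>
<a href="https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=EXAMPLE">View survey</a>
<a href="https://forms.office.com/r/EXAMPLE-redirect">Play Voicemail</a>
<a href="https://unsubscribe.example.org/x">Unsubscribe</a>"""
REDIRECTS = {"https://forms.office.com/r/EXAMPLE-redirect":
             "https://login.microsoft-secure-voice.example/auth"}

if __name__ == "__main__":
    print("without following redirects:", flag_links(SAMPLE_EMAIL))
    print("following redirects:", flag_links(SAMPLE_EMAIL, lambda u: REDIRECTS.get(u, u)))
```

Run as-is, the first call returns nothing, which is exactly the gap the campaign exploits; only the resolver-aware second call surfaces the button. In production the resolver would issue HEAD requests in a sandboxed network and cap the redirect depth.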
Crimson Kingsnake BEC group impersonates law firms.
Abnormal Security is tracking a threat actor it calls “Crimson Kingsnake” that’s launching business email compromise (BEC) attacks by impersonating attorneys, law firms, and debt recovery services. Crimson Kingsnake specializes in blind third-party impersonation attacks, a term Abnormal uses to describe BEC attacks in which the threat actor doesn’t have direct visibility into the targeted organization’s communications or business transactions. For more on Crimson Kingsnake, see CyberWire Pro.
Cyberattacks and incidents.
Aurubis, Europe's largest copper smelting company, sustained a cyberattack last week, Reuters reports. SecurityWeek notes that the incident looks like a ransomware attack, although that hasn't yet been confirmed. The company believes it was targeted as part of a larger campaign against the metals sector. It responded by shutting down certain IT systems and isolating them from the Internet. Its core industrial processes have continued to function. "The production and environmental protection facilities at the smelter sites are running, and incoming and outgoing goods are also being maintained manually," Aurubis said. "Transitional solutions are being implemented to make the company's full services available to business partners again starting next week. Customers and suppliers can still reach their Aurubis contacts by phone."
ForceNet, which the Guardian describes as a kind of "internal social media platform" for Australia's military, has sustained a ransomware attack. ForceNet is maintained by an external contractor, ABC reports, and that vendor initially said that no personal information had been exposed. Since that initial disclosure, however, the Australian government has begun to suspect that "some private details such as dates of birth and dates of enlisting may have been stolen."
Boeing subsidiary Jeppesen has disclosed that its services were interrupted by a cyberattack this week. (Reuters describes Jeppesen as a provider of analytical and flight-planning services.) The company said, "We are currently experiencing technical issues with some of our products, services and communication channels. We are working to restore functionality as soon as possible." Among the services affected is the processing and distribution of NOTAMs (Notice to Air Missions). NOTAMs remain available from other official sources. Live and Let's Fly reports that the incident may have been a ransomware attack.
Train service interruptions in Denmark last Saturday have now been attributed, Reuters reports, to a cyberattack. Danish rail operator DSB said yesterday that an IT contractor, Supeo, had been hit by a criminally motivated cyberattack that led Supeo to shut down its servers as a precaution. This had a cascading effect on rail service.
Dropbox reported earlier this week that it was affected by a phishing campaign that impersonated CircleCI to gain access to GitHub repositories. Some code was compromised, and GitGuardian notes that user and employee emails were also compromised.
For many, a visit to home goods retailer Bed Bath & Beyond’s shower curtain department already inspires visions of Psycho’s infamous bathroom scene, but now shoppers could have a new reason for fear. Reuters reports that the alliteratively named big-box store has disclosed it’s investigating a potential data breach. The linens seller says a third party, equipped with information acquired through a phishing scam, was able to gain unauthorized access to a company hard drive and several employee shared drives. The potentially exposed data are being reviewed to determine whether any sensitive information was compromised.
DataTribe announces winner of annual cybersecurity startup challenge.
Global cyber foundry DataTribe has announced Balance Theory as the winner of its Fifth Annual DataTribe Challenge, Business Wire reports. The DataTribe Challenge gives startups in the cybersecurity and data science fields the chance to compete to receive up to $2 million in seed capital, the foundry says. Balance Theory, the winner of the challenge, provides a knowledge sharing and collaboration platform built for security, and will move forward in the investment process with DataTribe. John Funge, Managing Director of DataTribe, said, “Every year we are astonished by the talent and innovation we see through the DataTribe Challenge. It’s humbling and reassuring the way founders are constantly pushing the boundaries of what is possible within cybersecurity and data science. This year proved to be no different. It was incredibly hard narrowing down to the Finalists. There are a tremendous number of amazing startups that don’t make it into the Finals. We are excited to move forward with Balance Theory. They are extremely impressive.”
Former UK Prime Minister Truss's phone may have been compromised.
Russian intelligence services are believed to have successfully compromised former British Prime Minister Liz Truss's personal smartphone, the Mail on Sunday reported in an exclusive last weekend. The compromise is thought to have occurred while Ms Truss was serving as Foreign Minister, and continued through the summer's Conservative Party leadership campaign, according to Reuters. The BBC says that Labour and Liberal Democrat members of Parliament have called for a government investigation. This would presumably extend to how any compromise was accomplished, what information would have been compromised, and the extent to which officials use personal devices to communicate about official business. Russia's government, however, has dismissed reports that its intelligence services hacked the former British Prime Minister's phone, Reuters reports. Kremlin spokesman Dmitry Peskov dismissed the incident as Fleet Street sensationalist nonsense. "Unfortunately, there is a shortage of material in the British media that can be perceived as serious. And we treat such publications as the yellow press," Peskov said. The possibility of Russian cyberespionage isn't, however, being taken lightly in the UK, where, according to the Independent, Tories have joined opposition MPs in calling for a full investigation of the incident.
Emotet is back.
Emotet, the notorious gang whose activities have been largely suspended for five months due to disruption by international law enforcement operations, has returned to action, BleepingComputer reports. Cryptolaemus researchers found that Emotet suddenly resumed spamming at 4:00 AM Eastern Time yesterday. The crime group is "back in Distro Mode," Cryptolaemus tweeted. Emotet had been associated with the Conti ransomware gang, but since Conti went into occultation this past June, there are signs that Emotet has begun collaboration with the BlackCat and Quantum gangs.
Black Basta ransomware linked to Fin7.
Researchers at SentinelLabs report finding links between Black Basta ransomware and the Russian criminal group Fin7. The evidence is circumstantial but regarded as convincing by SentinelLabs: "We assess it is likely the threat actor developing the impairment tool used by Black Basta is the same actor with access to the packer source code used in FIN7 operations, thus establishing for the first time a possible connection between the two groups." It can be difficult to individuate criminal organizations--their members are opportunistic, their organization fluid--but it seems that Fin7 may be at the very least closely cooperating with Black Basta.
Patch news.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an Industrial Control System (ICS) Advisory for Mitsubishi Electric Multiple Factory Automation Products (Update C). CISA also released three more Industrial Control Systems (ICS) advisories on Thursday. They include mitigations for ETIC RAS, Nokia ASIK 5G AirScale System Module, and Delta Industrial Automation DIALink.
On Tuesday, OpenSSL released a patch for a critical vulnerability in OpenSSL versions 3.0.0 and above. While the OpenSSL Project hadn’t released details about the flaw in advance, Akamai notes that observers are taking it very seriously due to the rarity of a critical flaw in OpenSSL: Akamai sees an analogy with Heartbleed. “This vulnerability has caused concern in the security community because it is unusual for the OpenSSL team to rate a vulnerability as critical. There has only been one in the past, in 2014 – Heartbleed. When exploited, Heartbleed led to a memory leak from the server to the client or the other way around.” Researchers at Nucleus point out that while the vulnerability may be severe, the threat may not be as widespread as some headlines suggest, since most organizations are still running OpenSSL 1.x or 2.x. OpenSSL has also patched two vulnerabilities, as promised. Both had been initially rated "critical." They've since been reassessed as "serious," but they still merit the prompt attention of users. For more on the implications of the OpenSSL vulnerability and its patch, see CyberWire Pro.
Crime and punishment.
Finnish psychotherapy center Vastaamo suffered a series of data breaches starting as early as 2018 that resulted in the exposure of sensitive patient data, which then ended up in the hands of an extortionist who attempted to blackmail not just the center, but Vastaamo’s individual clients with the threat of exposing their most intimate secrets. The breaches were the result of Vastaamo’s improper handling of patient data and therapy session notes, which were stored in an inadequately protected online database, and Naked Security offers details on the ramifications of the incident. Last month, the Helsinki Times reported that the former Vastaamo CEO Ville Tapio will face charges not just for mishandling the data, but also for neglecting to report the leak in an attempt to hide the incident from the authorities. As well, the Finnish National Bureau of Investigation on Friday announced that an arrest warrant had been issued for the alleged extortionist. Though the name of the suspect has not been released, authorities say that he is a Finnish citizen who lives abroad and has therefore been remanded in absentia. If arrested, he will be surrendered to Finnish officials.
Courts and torts.
The US Federal Trade Commission (FTC) has announced it’s taking action against California education technology provider Chegg Inc., which in the past five years has experienced four security breaches exposing sensitive customer and employee data. The FTC says the breaches were the result of Chegg’s poor data security practices and the company’s failure to remediate these issues. In one attack, an employee was tricked into giving a hacker access to employees’ direct deposit information, and in another, a former Chegg contractor accessed one of Chegg’s third-party cloud databases containing the personal data of approximately 40 million customers. The compromised data included student email addresses, passwords, and for certain users, sensitive scholarship data like parents’ income range, sexual orientation, and health conditions, as well as employee medical and financial data.
The US Supreme Court is set to hear a case that could have major repercussions for the way social media platforms operate. As the Wall Street Journal explains, the case concerns Section 230, a law that shields platforms like Facebook and Twitter from liability for content posted by their users. In Gonzalez v. Google, the plaintiffs allege the ISIS-linked murder of a woman in 2015 was motivated by terrorist videos recommended to users on YouTube. For platforms like the video-streaming giant, user-created content is their bread and butter, and if Section 230 is called into question, their whole business model could implode. The Biden administration and other lawmakers have pushed for changes to Section 230 and failed, but putting matters in the hands of the court could lead to a different outcome. Matt Schruers, president of trade group the Computer and Communications Industry Association, says, “I could foresee an outcome where the litigation and compliance risks stemming from an ill-considered decision are so great that many small firms exit the market.” The result, tech companies fear, could be that foreign-based platforms gain dominance, leaving the US behind.
Policies, procurements, and agency equities.
The White House has issued a fact sheet summarizing its second International Counter Ransomware Initiative (CRI) Summit, which concluded Tuesday. The CRI outlines the following goals for 2023:
- "Establish an International Counter Ransomware Task Force (ICRTF), led by Australia as the ICRTF’s inaugural chair and coordinator, to coordinate resilience, disruption, and counter illicit finance activities in alignment with the ICRTF’s thematic pillars. ICRTF members will commit to contribute to joint work of the coalition through information and capability sharing, as well as joint action in the fields of resilience, disruption, and countering illicit finance.
- "Create a fusion cell at the Regional Cyber Defense Centre (RCDC) in Kaunas, led by Lithuania, to test a scaled version of the ICRTF and operationalize ransomware related threat information sharing commitments. The RCDC will publish semiannual public reports on ransomware trends and mitigation measures. Through this effort, we will share technical information about ransomware (tools, tactics, and procedures) with a wide spectrum of stakeholders. Data provided by participating members will be aggregated and summarized by the RCDC.
- "Deliver an investigator’s toolkit, including lessons learned and strategies for responding to significant ransomware events and proactively tackling major cybercriminal actors; resources to build capacity to effectively disrupt the threat of ransomware; and consolidated “tactics, techniques, and procedures” (TTPs) and trends for key identified actors. This will allow CRI partners to benefit from the breadth of expertise and technical capability brought together under the working groups.
- "Institute active and enduring private-sector engagement based on trusted information sharing and coordinated action to improve our joint work towards operational disruption.
- "Publish joint advisories outlining TTPs for key identified actors. Ransomware has impacts that extend far beyond the borders of CRI partners. Joint public advisories will offer warning and mitigation measures to the international community so that the global community is enabled to close vulnerabilities to these cyber criminals, amplifying our collective reach.
- "Coordinate priority targets through a single framework, focused on hard and complex targets. We will translate these initiatives into concrete disruption results with law enforcement groups.
- "Develop a capacity-building tool to help countries utilize public-private partnerships to combat ransomware. The tool will feature a series of case studies of public-private partnerships that have been used in the counter ransomware fight.
- "Undertake biannual counter ransomware exercises to further develop, strengthen, and integrate our collective approach to combatting ransomware from resilience to deterrence."