By the CyberWire staff
At a glance.
- Sandworm goes to war.
- Threats and trends.
- US midterm elections proceed without cyber disruption.
- Microsoft accuses China of using vulnerability disclosure to develop zero-days.
- Layoffs abound in the tech industry.
- RanHassan decryptor available.
- Details on the OPERA1ER threat activity.
- Communications security lessons learned.
- New APT41 subgroup identified.
- A look at Cozy Bear's use of credential roaming.
Sandworm is back in Russia's hybrid war.
As Russian forces complete their withdrawal from the southern Ukrainian city of Kherson (a major strategic defeat for Moscow), a familiar GRU cyber unit makes its presence felt in the war. Researchers at Microsoft report that Sandworm, the GRU threat actor the company tracks as Iridium, has deployed a new strain of ransomware, "Prestige," against targets in Poland and Ukraine. Prestige announced itself in a series of coordinated attacks against targets in the transportation and related logistics sectors.
Microsoft, which acknowledges the cooperation of CERT-UA, Ukraine's cybersecurity organization, in the research, writes: "The Prestige campaign may highlight a measured shift in IRIDIUM’s destructive attack calculus, signaling increased risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine. More broadly, it may represent an increased risk to organizations in Eastern Europe that may be considered by the Russian state to be providing support relating to the war."
The attacks show a renewed willingness on the part of a Russian intelligence service to attempt disruption in addition to collection. Ransomware as a tactic is well-adapted to do both. The Washington Post quotes Mandiant researchers who see this approach as an attempt by the GRU to "have its cake and eat it, too." Mandiant senior analyst John Wolfram told the Post, “What that shows us is that the GRU was able to maintain access to a network of their specific choosing; launch an attack and have an effect on that network; maintain that access despite the wiper operation; and launch another wiper operation at a moment of their choosing." Russia had used wipers with some success early in the war, but those attacks soon ebbed. They may be returning.
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.
At Raytheon, Intelligence & Space, if it’s not broken, we break it.
Somebody once said, “if it ain’t broke, don’t fix it.” That somebody didn’t work in cybersecurity. And that somebody didn't work at Raytheon, Intelligence & Space. Here we break the definition of cyber defense: Hiring the sharpest minds, actively hunting threats, and designing one-of-a-kind-never-been-done-before solutions. That’s how we shake up the future and uncover new thinking to protect our customer's most vital infrastructure and our way of life.
Threats and trends.
Researchers at DTEX have published a study on insider threats, finding that unsanctioned third-party work on corporate devices has risen by nearly 200% over the past twelve months. The researchers warn that workforce engagement declines by up to 50% in the weeks before the holiday season. Additionally, engagement is affected during the first week back after the holidays. Departing employees represent a distinct challenge. DTEX observed that research and creation of resignation letters increased by 20% in the first half of 2022, increasing the potential for disgruntled employees to cause harm to the business. The study also found that 12% of departing employees take sensitive information with them when they leave the company. For more on the DTEX study, see CyberWire Pro.
Wallarm released its Q3 2022 API ThreatStats Report Thursday morning, giving a look into this quarter’s API vulnerabilities and exploits. Among the more interesting findings was how compressed the time has become between CVE disclosure and proof-of-concept exploit publication: they now tend to occur, the report says, on the same day, which should affect organizations' mitigation planning. More on API security issues may be found in CyberWire Pro.
A study by Tessian has found that 94% of organizations in the US reported being targeted by spearphishing attacks in 2022. The majority of phishing attacks involved attempts to impersonate legitimate email addresses. And ransomware remains high on the list of what the spearphishing delivers. 92% of organizations reported that they’d been targeted by phishing emails that attempted to launch ransomware attacks, and 10% of respondents said their organizations had “received over 450 email-based ransomware attacks since January 2022.” For more on phishing trends, see CyberWire Pro.
Aware Force picks up where your cybersecurity training program leaves off.
From passwords to phishing, business email compromise to social engineering, Aware Force delivers timely cybersecurity content all year long. Aware Force videos, quizzes, phishing exercises, and cyber news are branded and tailored for your organization. Your organization’s employees and senior leadership will be blown away! Plus, we deliver monthly readership metrics that can help with cyber insurance and compliance. Get 2023 Aware Force pricing here.
US midterm elections proceed without cyber disruption.
Reuters reports that US midterm elections proceeded without unusual difficulty. A review of voting the morning after the election showed little evidence of cyberattacks and even less evidence of disruption. The FBI's assessment last week of the dropping effect of distributed denial-of-service (DDoS) operations seems to have been borne out. WAPT reported some intermittent DDoS incidents late yesterday that had a minor impact on the Mississippi Secretary of State's public website, but these had no effect on voting and were in any case quickly remediated.
One county, Champaign County in downstate Illinois, reported outages and computer "performance issues," but said, NBC Chicago reports, that the issues were quickly remediated without significant effect on voting. The tabulation machine outage in Maricopa County, Arizona, seems to have been a malfunction (a senior CISA official said yesterday evening that the agency had quickly investigated the Maricopa incident and found “no indication of malfeasance”). To put Champaign and Maricopa Counties into proper perspective, consider that there are well over three thousand counties in the United States.
Counting the votes and certifying the results will take time. That's not unusual; it's part of the normal process.
Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA) said Wednesday, “We have seen no evidence that any voting system deleted or lost votes, changed votes, or was any way compromised in any race in the country." Minor distributed denial-of-service (DDoS) incidents were reported in a few jurisdictions, the PBS NewsHour reports, but these seem in no case to have affected the voting infrastructure itself. For more on the cybersecurity of the US midterms, see CyberWire Pro.
Add value to your lead generation strategy
The CyberWire can help you fill your funnel and build partnerships with valuable leads. With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust us to get their messages out. Feature your brand with the source that top security leaders choose. Learn more.
Microsoft accuses China of using vulnerability disclosure to develop zero-days.
Zero-days' value drops quickly: once they're used they're blown, and they fall in value as organizations patch. Microsoft reported last Friday that China seems to be using its vulnerability disclosure law to gain access to vulnerabilities before they're generally disclosed. This enables Chinese intelligence services, Microsoft suggests, to develop and deploy zero-day exploits during their brief window of opportunity. Beijing's interests remain focused on espionage and intellectual property theft.
Layoffs abound in the tech industry.
The tech sector as a whole is expecting rounds of layoffs this winter, Crunchbase reports, and some cyber companies, Varonis being the most recent, are also reducing their headcount. The most prominent recent layoffs, of course, took place at Twitter on Friday. The Verge puts the number of employees let go at around half of Twitter's pre-layoff 7500 personnel. By Sunday, however, Twitter was asking "dozens" of fired employees to return. They'd either been let go in error, Bloomberg reports, or, in other cases, Twitter belatedly realized they'd be essential to developing the new features envisioned for the platform.
Computing reported this week that Meta is firing 11,000 employees, or about 13% of its workforce. Zuckerberg is holding himself accountable for the extensive layoffs, Wall Street Journal reports. “This is a sad moment, and there's no way around that. I got this wrong, and I take responsibility,” said Zuckerberg in a letter to employees. Crunchbase has a tracker detailing the current state of tech layoffs.
RanHassan decryptor available.
Bravo, Bitdefender, which has developed and released a decryptor for RanHassan ransomware.
Details on the OPERA1ER threat activity.
Group-IB has published a detailed account of the threat group OPERA1ER, which has used "off-the-shelf" tools to steal between $11 million and $30 million from its victims, mostly located in Francophone regions of Africa since 2019. The researchers include advice on defense, and their account affords an interesting look at what a determined criminal operator can do with commodity tools traded in the C2C market.
Communications security lessons learned.
BlackBerry looks at the war against Ukraine and draws some lessons for communications security. They're old lessons, the kind that every war re-teaches (BlackBerry opens with a quotation from the Roman historian Suetonius describing Caesar's use of substitution ciphers), but they're worth reviewing nonetheless. The central lesson is that one should expect one's communications to be intercepted. Whether the opposition can read them in time to use them depends upon the effectiveness (and the general use) of your encryption. BlackBerry points out that businesses as well as armies should keep this in mind.
Get more depth with CyberWire Pro content.
Did you know that the CyberWire offers five tailored briefings to help you focus in on your area of cybersecurity speciality? With daily Privacy and Policy briefings and weekly Research, Business and Disinformation briefings, you can dive right into the news and stories that interest you the most. On top of that, you get uninterrupted, ad-free access to all of our public podcasts as well as our exclusive CyberWire Pro podcasts like CSO Perspectives and our extended Interview Selects. Subscribe to CyberWire Pro today for only $99/year and get access to all of this content and more! Subscribe today.
New APT41 subgroup identified.
Researchers at Trend Micro have identified a new subgroup of APT41, the threat actor associated with the Chinese government. They're calling the group "Earth Longzhi," and attribute two long-running campaigns to it. "Since it first started being active in 2020, Earth Longzhi’s long-running campaign can be divided into two based on the range of time and toolset. During its first campaign deployed from 2020 to 2021, Earth Longzhi targeted the government, infrastructure, and health industries in Taiwan and the banking sector in China. In its second campaign from 2021 to 2022, the group targeted high-profile victims in the defense, aviation, insurance, and urban development industries in Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine." Spearphishing has been the primary attack vector.
A look at Cozy Bear's use of credential roaming.
Mandiant describes a cyberespionage campaign carried out earlier this year by APT29, Cozy Bear, a unit of Russia's SVR foreign intelligence service. Cozy Bear phished its way into a European diplomatic organization's networks and subsequently abused Windows' Credential Roaming feature. "The use of Credential Roaming in an organization allows attackers (and Red Teams) to abuse the saved credentials for the purposes of privilege escalation," Mandiant says.
Patch news.
The US Cybersecurity and Infrastructure Security Agency (CISA) Tuesday added seven new entries to its Known Exploited Vulnerabilities Catalog. They include four issues in Microsoft products: CVE-2022-41091 (a Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability), CVE-2022-41073 (a Microsoft Windows Print Spooler Privilege Escalation Vulnerability), CVE-2022-41125 (a Microsoft Windows CNG Key Isolation Service Privilege Escalation Vulnerability), and CVE-2022-41128 (a Microsoft Windows Scripting Languages Remote Code Execution Vulnerability). The other three entries were for Samsung products: CVE-2021-25337 (a Samsung Mobile Devices Improper Access Control Vulnerability), CVE-2021-25369 (a Samsung Mobile Devices Improper Access Control Vulnerability), and CVE-2021-25370 (a Samsung Mobile Devices Memory Corruption Vulnerability).
In accordance with Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, US Federal civilian Executive agencies have until November 29th to review their systems and "Apply updates per vendor instructions."
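The review step BOD 22-01 asks for amounts to joining the KEV catalog against an inventory of what is still unpatched and sorting by due date. The following is an added example, not CyberWire's or CISA's code: the catalog records are constructed here from the seven entries and the November 29 due date named above, and their field names (cveID, vendorProject, product, dueDate, requiredAction) are assumed to mirror CISA's published KEV JSON feed; the host inventory and the CVE-0000-0000 placeholder are likewise constructed.

```python
"""Match an unpatched-CVE inventory against KEV entries and BOD 22-01 due dates.

Added example, not CyberWire's or CISA's code. KEV_ENTRIES is constructed from
the entries described in the item above; the field names are assumed to mirror
CISA's KEV JSON feed. INVENTORY is a constructed sample of scanner output.
"""
from datetime import date

# Constructed subset of the catalog; CVE ids and due date are those named above.
KEV_ENTRIES = [
    {"cveID": "CVE-2022-41091", "vendorProject": "Microsoft", "product": "Windows",
     "dueDate": "2022-11-29", "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2022-41073", "vendorProject": "Microsoft", "product": "Windows",
     "dueDate": "2022-11-29", "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2022-41125", "vendorProject": "Microsoft", "product": "Windows",
     "dueDate": "2022-11-29", "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2022-41128", "vendorProject": "Microsoft", "product": "Windows",
     "dueDate": "2022-11-29", "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2021-25337", "vendorProject": "Samsung", "product": "Mobile Devices",
     "dueDate": "2022-11-29", "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2021-25369", "vendorProject": "Samsung", "product": "Mobile Devices",
     "dueDate": "2022-11-29", "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2021-25370", "vendorProject": "Samsung", "product": "Mobile Devices",
     "dueDate": "2022-11-29", "requiredAction": "Apply updates per vendor instructions."},
]

# Constructed inventory: host -> CVEs a patch scanner still reports as unpatched.
# CVE-0000-0000 is a placeholder for an id that is not in the catalog.
INVENTORY = {
    "ws-finance-01": {"CVE-2022-41091", "CVE-2022-41128", "CVE-0000-0000"},
    "print-srv-02": {"CVE-2022-41073"},
    "mdm-android-fleet": {"CVE-2021-25337", "CVE-2021-25370"},
    "db-01": set(),
}


def kev_index(entries):
    """Index catalog entries by CVE id for O(1) lookup."""
    return {e["cveID"]: e for e in entries}


def kev_findings(inventory, entries, today):
    """Return one finding per (host, unpatched CVE) that is on the KEV list.

    `today` is an ISO date string. Each finding carries daysLeft, the number of
    days until the BOD 22-01 due date (negative once the deadline has passed).
    CVEs that are not in the catalog are skipped: they still need patching, but
    carry no directive deadline.
    """
    index = kev_index(entries)
    now = date.fromisoformat(today)
    findings = []
    for host, cves in inventory.items():
        for cve in sorted(cves):
            entry = index.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": host,
                "cveID": cve,
                "vendorProject": entry["vendorProject"],
                "product": entry["product"],
                "dueDate": entry["dueDate"],
                "daysLeft": (due - now).days,
                "requiredAction": entry["requiredAction"],
            })
    # Most urgent first: past-due items, then the nearest deadlines.
    return sorted(findings, key=lambda f: (f["daysLeft"], f["host"]))


def summarize(findings, warn_days=14):
    """Count findings that are overdue, due within warn_days, and in total."""
    overdue = sum(1 for f in findings if f["daysLeft"] < 0)
    due_soon = sum(1 for f in findings if 0 <= f["daysLeft"] <= warn_days)
    return {"overdue": overdue, "due_soon": due_soon, "total": len(findings)}


if __name__ == "__main__":
    report = kev_findings(INVENTORY, KEV_ENTRIES, "2022-11-10")
    for f in report:
        print(f"{f['host']:<20} {f['cveID']:<16} due {f['dueDate']} "
              f"({f['daysLeft']:+d} days)  {f['requiredAction']}")
    print(summarize(report, warn_days=30))
```

Feeding the real catalog in is a matter of loading the `vulnerabilities` array from CISA's published JSON in place of `KEV_ENTRIES`; the inventory side comes from whatever scanner or patch-management export the organization already has, keyed by CVE.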
Also on Tuesday, Microsoft released fixes to address sixty-eight issues in its products. By the SANS Institute's tally, "of these, 10 are critical, 1 was previously disclosed, and 4 are already being exploited."
Lenovo has patched three vulnerabilities in the UEFI firmware of several versions of Lenovo Yoga, IdeaPad and ThinkBook. Security firm ESET discovered the issues and disclosed them to Lenovo.
Crime and punishment.
The Department of Justice announced Monday that law enforcement seized $3.36 billion in cryptocurrency that was "unlawfully obtained" from the Silk Road dark web market in 2012. The US Attorney for the Southern District of New York, Damian Williams, said that James Zhong from Gainesville, Georgia pled guilty on Friday, almost a year after the seizure of the Bitcoin, to committing wire fraud in September 2012. “James Zhong committed wire fraud over a decade ago when he stole approximately 50,000 Bitcoin from Silk Road. For almost ten years, the whereabouts of this massive chunk of missing Bitcoin had ballooned into an over $3.3 billion mystery. Thanks to state-of-the-art cryptocurrency tracing and good old-fashioned police work, law enforcement located and recovered this impressive cache of crime proceeds. This case shows that we won’t stop following the money, no matter how expertly hidden, even to a circuit board in the bottom of a popcorn tin," said Williams.
Courts and torts.
SolarWinds may be facing SEC enforcement action over a 2020 state-sponsored hack, TechCrunch reports. SolarWinds said in an 8-K filing with the US Securities and Exchange Commission (SEC) that an agreement has been reached with shareholders that sued the company over allegations of being misled about the hack, and that the company will pay $26 million. However, mentioned also in the filing is SolarWinds' receipt of a "Wells Notice" from the SEC saying that the regulators intended to recommend enforcement action, Dark Reading reports. SolarWinds said that their "disclosures, public statements, controls, and procedures were appropriate," and said it would prepare a response for the SEC enforcement staff.
Policies, procurements, and agency equities.
Last Friday Japan officially became a member of NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) in a move to help the Ministry of Defence (MoD) bolster its collaboration with international partners. Prime Minister Shinzo Abe announced Japan’s intention to join the CCDCOE while visiting the center, located in Tallinn, Estonia, back in 2018. East Asian cyberespionage and cybersecurity policy analyst Jiro Minier told The Record by Recorded Future that Japan’s choice to join the CCDCOE is “just one of many milestones during a busy period” for Japan’s cybersecurity efforts.
Amidst mounting accusations that the Greek government targeted politicians, journalists and businessmen with spyware, Prime Minister Kyriakos Mitsotakis on Monday announced that Greece will ban the sale of spyware, the New York Times reports. “We will be the first country to tackle this problem and enact legislation that will explicitly ban the sale of such software in our country. No other country has done it. All countries have the same problem,” Mitsotakis stated. Indeed, countries all over the globe have been grappling with recent revelations that citizens' devices have been infected with spyware like NSO Group’s Pegasus, or in the case of the Greek targets, Pegasus’s less expensive (and less regulated) cousin Predator, which are intended for use by governments and law enforcement engaged in criminal investigations.