By the CyberWire staff
At a glance.
- Adversarial activity.
- Risk and trend reports.
- Sandworm renews ransomware activity against Ukrainian targets.
- Internet service in Ukraine and Moldova interrupted by strikes against Ukraine's power grid.
- Google announces new support for Ukraine.
- DDoSing the Vatican.
- European Parliament sustains brief DDoS attack.
- Iran's Fars news agency reports cyberattack.
- Killnet claims to have counted coup against the White House.
- DDoS as a holiday-season threat to e-commerce.
- From criminals to hacktivists.
- Predictions for 2023.
Adversarial activity of the week.
Attackers are exploiting a popular TikTok challenge to distribute malware, according to researchers at Checkmarx. A trending TikTok challenge involves posing naked using a filter called “Invisible Body,” which (they say) replaces the user’s body with a blurred outline. Attackers capitalized on this by purporting to offer another filter that could remove the Invisible Body filter and expose the user’s naked body. This filter is fake, and will install the WASP stealer malware. (If you fall for this, you probably fell for the X-Ray Specs ads in the old comic books.) The researchers observed that more than 30,000 users have joined the attackers’ Discord server so far. BleepingComputer notes that the GitHub repo hosting the malicious code achieved a trending status on GitHub. For more on this cyber-version of X-Ray Specs, see CyberWire Pro.
Abnormal Security describes a business email compromise (BEC) gang dubbed “Lilac Wolverine” that’s launching widespread campaigns asking for gift cards. The threat actor begins by compromising a personal email account and copying its contact list. The attackers then set up an email account with the same address as the compromised account, but on a different provider (usually Gmail, Hotmail, or Outlook). They’ll then use this account to send emails to the compromised account’s contacts. If the recipient is reluctant to send the money, the attackers will explain that “the fictional birthday friend also has cancer or just lost loved ones to COVID-19—or both.” The researchers note that gift card requests are the most popular form of payment in BEC attacks, despite offering a lower payout per attack. For more on Lilac Wolverine, see CyberWire Pro.
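The Lilac Wolverine pattern described above (a known contact's mailbox name reappearing at a different provider) is simple to flag at the mail gateway. The following is an added example, not code from Abnormal Security's report; the contact list and the From: headers are constructed sample data.

```python
"""Flag inbound mail whose sender mimics a known contact from a different provider.

Added example modelling the Lilac Wolverine pattern: the attacker registers the
same mailbox name as a compromised contact at another provider (Gmail, Hotmail,
Outlook) and mails that contact's address book. All data below is constructed.
"""
from email.utils import parseaddr

# Constructed address book: senders this mailbox has legitimately corresponded with.
KNOWN_CONTACTS = {
    "Dana Whitfield": "dana.whitfield@example-corp.com",
    "Sam Okafor": "sam.okafor@example.org",
}

# Constructed inbound From: headers to triage.
SAMPLE_HEADERS = [
    "Dana Whitfield <dana.whitfield@example-corp.com>",  # legitimate
    "Dana Whitfield <dana.whitfield@gmail.com>",         # same name, new provider
    "Sam Okafor <sam.okafor@outlook.com>",               # same name, new provider
    "Priya Raman <priya.raman@example.net>",             # unknown sender, no match
]


def split_address(addr):
    """Return (local_part, domain), lower-cased, for an RFC 5322 addr-spec."""
    local, _, domain = addr.lower().rpartition("@")
    return local, domain


def impersonation_findings(from_header, known_contacts=KNOWN_CONTACTS):
    """Return the reasons a sender looks like a known contact on a different domain.

    An empty list means no finding. A message from the contact's real domain is
    never flagged here; that case belongs to account-compromise detection instead.
    """
    display, addr = parseaddr(from_header)
    local, domain = split_address(addr)
    reasons = []
    for name, known in known_contacts.items():
        known_local, known_domain = split_address(known)
        if domain == known_domain:
            continue  # same provider as the real contact: not this pattern
        if local == known_local:
            reasons.append(f"mailbox name '{local}' matches {known} but domain is {domain}")
        if display and display.lower() == name.lower():
            reasons.append(f"display name '{display}' matches known contact at {known}")
    return reasons


def triage(headers):
    """Map each suspicious header to its findings; clean headers are omitted."""
    results = {}
    for header in headers:
        findings = impersonation_findings(header)
        if findings:
            results[header] = findings
    return results
```

Messages that trip both the mailbox-name and display-name checks warrant a hold for review, since a gift-card request from such a sender is the exact lure the report describes.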
Google’s Threat Analysis Group (TAG) has published a report on a commercial spyware framework developed by a Barcelona-based company, Variston IT. The framework, called “Heliconia,” exploited vulnerabilities in Chrome, Firefox, and Microsoft Defender. While the vulnerabilities have since been patched, TAG says “it appears likely these were utilized as zero-days in the wild.” An anonymous submission to the Chrome bug reporting program tipped the researchers off to three distinct frameworks. Heliconia Noise is a “web framework for deploying a Chrome renderer exploit, followed by a Chrome sandbox escape and agent installation,” while Heliconia Soft is “a web framework that deploys a PDF containing a Windows Defender exploit.” Heliconia Files offers “a fully documented Firefox exploit chain for Windows and Linux.” See CyberWire Pro for more on Heliconia.
Sophos Wednesday reported on its reverse engineering of LockBit 3.0 (also known as LockBit Black). It appears that the ransomware's operators are experimenting with making their malware wormable, that is, giving it functionality that would enable it to spread by itself through and across networks. Their research also offers some support to other security experts who've suspected a connection between LockBit and the BlackMatter ransomware family. They "found a number of similarities which strongly suggest that LockBit 3.0 reuses code from BlackMatter," especially in its anti-debugging, obfuscation, API resolution, printer-attack, and shadow-copy deletion features. There are other similarities as well, and Sophos points out that much of LockBit 3.0's tooling mimics what a legitimate penetration tester might use.
Mandiant reports that cyberespionage it associates with Chinese intelligence services is currently active against targets in Southeast Asia, particularly in the Philippines. The campaign uses compromised USB drives as a principal attack vector, thus counting on users delivering the malware across whatever protective air gaps may exist. The principal tools it uses are MISTCLOAK (a launcher written in C++), BLUEHAZE (another launcher, this one written in C/C++ "that launches a copy of NCAT to create a reverse shell to a hardcoded command and control"), DARKDEW (a dropper able to infect removable drives), and NCAT (useful to "upload or download files, create backdoors or reverse shells, and tunnel traffic to evade network controls"). The campaign may have been in progress since September 2021, and Mandiant reads it as an example of Chinese determination to establish and maintain persistence in targets of interest.
The Cuba ransomware operations, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) warned Thursday, have taken in aggregate some $60 million from more than a hundred victims. The gang, which has no connection with the country, government, or island of Cuba, has recently been deploying RomCom malware. This is a custom remote access Trojan (RAT) used for command-and-control. The gang also seems to be "leveraging," as CISA and the FBI put it, Industrial Spy ransomware against its victims. An account of indicators of compromise and appropriate defensive measures appears in the alert.
Top 7 AWS security misconfigurations and how to fix them
Migrating to a cloud provider, like AWS, offers numerous benefits to its customers but setup must be done correctly to prevent potential security breaches.
Check out the top 7 AWS security misconfigurations you should be aware of to prevent potential security gaps in your infrastructure and discover remediations including:
- Use AWS SCP in AWS Organizations to define safety guardrails
- Limit access of Security Groups of AWS RDS instances to only known IPs
Risk and trend reports.
Moody’s Investors Service released a report detailing the security implications of the cloud for the telecommunications sector. The telecommunications industry was assessed to have a High risk categorization for cyber risk. However, the sector has been found to be more dedicated to cybersecurity, ensuring that human resources and funding are available. Telecommunications operators enable broadband internet access and communications, so they are vital to the digital economy. Zero trust frameworks are increasingly being implemented within the industry to increase security. Newer technologies, especially cloud-centric technologies, have brought new capabilities, but also bring with them a significant expansion of the attack surface. For more on Moody's assessment, see CyberWire Pro.
Moody’s has also released a sector comment on the not-for-profit and public healthcare sector, and the cyber risk associated with the industry. The not-for-profit healthcare sector has a Very High risk categorization. Digitization and the use of third-party software are growing, keeping cyber risk elevated for the sector. The IBM Security Cost of a Data Breach Report is referenced, noting that the healthcare industry worldwide had the highest average cost of a data breach 11 years in a row, with an approximately 30% increase in average cost from 2020. Of survey respondents, 94% reported having standalone cyber insurance, but premiums continue to increase, and limits are being put in place, making the coverage less expansive. Vetting third-party vendors is also important; while most respondents (92%) said they assess new vendors, only 76% reassess current vendors. For more on Moody's assessment of cyber risk to the public and not-for-profit healthcare sectors, see CyberWire Pro.
NordPass has released its list of 2022's most commonly used passwords. It's so familiar as to be beyond depressingly familiar. The leaderboard will surprise no one: "Password" is number one, followed by "123456", then by "123456789" (presumably three digits better). "Guest" comes in at number four, with "qwerty" rounding out the top five.
Sandworm renews ransomware activity against Ukrainian targets.
Last weekend, ESET observed surging use of a ransomware variant the company calls "RansomBoggs" against targets in Ukraine. The malware is written in .NET and is being tracked as a new strain, but ESET says RansomBoggs's deployment is similar to what they've observed in past Sandworm attacks. Sandworm has been associated with Russia's GRU. The researchers tweeted, "There are similarities with previous attacks conducted by #Sandworm: a PowerShell script used to distribute the .NET ransomware from the domain controller is almost identical to the one seen last April during the #Industroyer2 attacks against the energy sector." ESET also sees similarities between RansomBoggs and Iridium, Microsoft's name for the GRU operation the company detected in "Prestige" ransomware attacks against Polish and Ukrainian targets in October.
Internet service in Ukraine and Moldova interrupted by strikes against Ukraine's power grid.
Moldova's Vice Prime Minister Andrei Spînu tweeted last Wednesday morning, "Massive blackout in [Moldova] after today's Russian attack on [Ukraine's] energy infrastructure. Moldelectrica, [Moldova's] TSO, is working to reconnect more than 50% of the country to electricity." The Record reported over the weekend that the attacks against the power grid had also taken down Internet service in both Moldova and Ukraine. Ukrainian Internet service providers are using emergency generators as they work to restore online connectivity.
At Raytheon, Intelligence & Space, if it’s not broken, we break it.
Somebody once said, “if it ain’t broke, don’t fix it.” That somebody didn’t work in cybersecurity. And that somebody didn't work at Raytheon, Intelligence & Space. Here we break the definition of cyber defense: Hiring the sharpest minds, actively hunting threats, and designing one-of-a-kind-never-been-done-before solutions. That’s how we shake up the future and uncover new thinking to protect our customers' most vital infrastructure and our way of life.
Google announces new support for Ukraine.
There's been much discussion of assistance Western governments have rendered Ukraine in cyberspace, including hunt-forward operations by US Cyber Command. Kyiv also continues to receive support from the private sector. Google Thursday announced further measures it was taking to support Ukraine during the Russian invasion. Google and its employees are providing some direct financial support--some $45 million--as well as contributions of services in kind:
"We’re continuing to provide critical cybersecurity and technical infrastructure support by making a new donation of 50,000 Google Workspace licenses for the Ukrainian government. By providing these licenses and giving a year of free access to our Workspace solutions, including our cloud-first, zero-trust security model, we can help ensure Ukrainian public institutions have the security and protection they need to deal with constant threats to their digital systems."
Other assistance includes a range of cooperative cybersecurity services and help combating disinformation. The aid being rendered in information operations includes both action against Russian disinformation and measures taken to surface accurate information about the war.
DDoSing the Vatican.
Euronews reports that the Vatican sustained a significant distributed denial-of-service (DDoS) attack against its sites shortly after Pope Francis made public remarks interpreted as critical of Russia's war. (The pope had singled out some Russian conscript formations as exhibiting significant "cruelty" in their operations.) The DDoS attacks began Wednesday evening, and were described as "abnormal access attempts." A Vatican spokesman said, "Technical investigations are ongoing due to abnormal attempts to access the site."
The Vatican offered no attribution, but Ukraine's ambassador to the Holy See wasn't shy about fingering Moscow's operators. Ambassador Andrii Yurash tweeted, "[Russian] terrorists reach today sites of CityStateVatican:many on-line Pages of Different structures of Roman Curia have Become inaccessible! [Russian] hackers one more time demonstrate real [Russian] Face of politics, directly define[d] by PA of CE as Terrorist: [Russia's] response on last important statements of @Pontifex."
European Parliament sustains brief DDoS attack.
A few hours after its vote Wednesday to declare Russia a state sponsor of terrorism, the European Parliament's websites were taken down for a short period of time by a distributed denial-of-service (DDoS) attack, which, the Wall Street Journal and others report, members of the EU's Parliament described as "sophisticated." It took about two hours to restore service, and since the incident appears to have been a relatively routine DDoS attack, it's difficult to see where the sophistication lay. The Russian auxiliary threat actor Killnet has claimed responsibility in a message posted to its Telegram channel. The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.
Iran's Fars news agency reports cyberattack.
Iran's state Fars news service says, according to AFP, that its operations have been disrupted since last Friday by cyberattacks. Fars called the incident a "complex hacking and cyberattack operation," and cautioned that disruptions might continue for some time. There's no attribution, but Fars did say that it was often under Israeli cyberattack. There's also the possibility of hacktivism, given Fars's role as an official source of information during ongoing protests in Iran over the death of Mahsa Amini.
How did the internet respond to recent celebrity vulnerabilities?
When your business accelerates faster than your cybersecurity capabilities, responding to major vulnerabilities can be difficult. In the 2022 State of Risk & Remediation Report, the Censys Research Team examined recent celebrity vulnerabilities and observed how organizations reacted to each. What did we learn, and how can you apply these insights to your own organization?
Killnet claims to have counted coup against the White House.
The cyber auxiliaries of the nominally hacktivist group Killnet have claimed, according to Trustwave's SpiderLabs researchers, to have mounted successful distributed denial-of-service attacks against Starlink, the White House, and a variety of British websites. The attacks don't appear to have risen to even the level of a noticeable nuisance. Trustwave's assessment concludes, "We should expect to see more of these low skill attacks from Killnet targeting an ever-growing list of targets that it considers to be in opposition to Russian interests. However, it remains to be seen whether the group can graduate to attacks that cause damage, exfiltrate data, or do more than take down a website for a short period of time."
DDoS as a holiday-season threat to e-commerce.
While consumers look to protect themselves from scams when shopping online during the holidays, retailers face an additional threat: distributed denial-of-service (DDoS) attacks intended to make their sites unavailable to customers. Bloomberg Law reports that the motives for such attacks against e-commerce sites vary (it can be anything from extortion to economic disruption to hacktivist protest to the simple lulz), and that the threat actors can range from individuals to nation-state services. While such attacks are usually of relatively short duration, measured in minutes or at most hours as opposed to days, they can nonetheless exact a significant toll from affected merchants. And, unfortunately, victims seldom have any realistic legal recourse to DDoS attacks: the perpetrators are commonly out of reach.
From criminals to hacktivists.
The Wall Street Journal has an interview with Dmitry Smilyanets, a reformed Russian cybercriminal who, having served his US sentence, now works for security firm Recorded Future. He offers some insight into the nexus between the Russian underworld and Russia's security services, and on the ease with which criminal gangs shifted into nominal hacktivist mode during Russia's war against Ukraine.
The connection is close but complicated. “If we talk about financially motivated hackers, what happens is directly or indirectly," Smilyanets said, "they know someone from the government and they pass information or help in this or other cases. It doesn’t mean they’re employed [or] it doesn’t mean they’re on a paycheck with the state but there is a connection. Sometimes we see it clear, sometimes not.” And they needed little or no inducement to turn to patriotic hacktivism. The ransomware gangs found it an especially easy transition to make.
Predictions for 2023.
As the last month of 2022 begins, we offer a compendium of predictions from industry experts about the way cybersecurity, its challenges and opportunities, are likely to change in the coming year. Some of those changes are evolutionary, extrapolations of trends already visibly at work. Others are more surprising. See CyberWire Pro for a full discussion of what to expect in 2023.
The November issue of our women in cybersecurity newsletter, CreatingConnections, is out!
Our contributors include a CEO & a newbie to the cybersecurity industry. Read pieces from Bat El Azerad & Kalla Lavender, plus learn about a chance to pay-it-forward this holiday season with CyberWire Pro!
The US Cybersecurity and Infrastructure Security Agency (CISA) released three industrial control system (ICS) advisories Thursday, for BD BodyGuard Pumps, MELSEC iQ-R Series, and Horner Automation Remote Compact Controller.
Courts and torts.
The Irish Data Protection Commission has fined Facebook's corporate parent Meta €265 million over a breach that affected personal information of "hundreds of millions" (up to 525 million) of Facebook users, the BBC reports. The case is an unusual one in that most of the data obtained and subsequently dumped on an online forum had been scraped, and not hacked. The Data Protection Commission found Meta in violation of Article 25 of the General Data Protection Regulation (GDPR). The Commission noted in its decision that this wasn't Facebook's first brush with unwelcome and illicit data scraping. The BBC quotes a Facebook spokesman: "We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully." More on this story is available in Tuesday's edition of the CyberWire's Pro Privacy Briefing.
The Commission nationale de l'informatique et des libertés (CNIL) has fined the Électricité de France (EDF) €600,000 for breaching the General Data Protection Regulation by storing the passwords for over 25,800 accounts using the weak MD5 algorithm. As Hacker News explains, not only was the EDF found to be using the algorithm, which was found to be cryptographically broken back in 2008, but the electricity provider also failed to salt the passwords associated with more than 2 million customer accounts. The CNIL explained, "The amount of the fine was decided considering the breaches observed and the cooperation by the company and all the measures it has taken during the proceedings to reach compliance with all alleged breaches."
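The two defects the CNIL cited, a fast unsalted digest and no per-account salt, have concrete consequences an auditor can show in a few lines. The following is an added example, not EDF's code or anything from the CNIL decision; the accounts and passwords are constructed, and PBKDF2-HMAC-SHA256 stands in for whatever salted, slow scheme a remediation would choose.

```python
"""Why unsalted MD5 password storage fails: an added, constructed example.

Two of the three constructed accounts share a password. With unsalted MD5 that
fact is visible to anyone holding the table (equal digests), and one precomputed
table covers every account. A per-account random salt plus a slow KDF removes
both properties. Not EDF's code; PBKDF2 is used here only as one sound option.
"""
import hashlib
import hmac
import os

# Constructed accounts; 'alice' and 'carol' chose the same password.
SAMPLE_ACCOUNTS = {
    "alice": "Winter2022!",
    "bob": "correct horse battery",
    "carol": "Winter2022!",
}

PBKDF2_ITERATIONS = 600_000  # OWASP's current guidance for PBKDF2-HMAC-SHA256


def md5_unsalted(password):
    """The pattern the CNIL faulted: one fast, deterministic digest per password."""
    return hashlib.md5(password.encode()).hexdigest()


def duplicate_password_groups(store):
    """Audit check: in an unsalted store, identical digests expose identical passwords.

    Returns a list of sorted user groups that share a digest (and so a password).
    A salted store yields no groups even when users do share passwords.
    """
    by_digest = {}
    for user, digest in store.items():
        by_digest.setdefault(digest, []).append(user)
    return [sorted(users) for users in by_digest.values() if len(users) > 1]


def pbkdf2_salted(password, salt=None):
    """Per-account random salt plus a slow KDF; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_pbkdf2(password, salt, expected):
    """Constant-time comparison of a candidate password against a stored record."""
    _, digest = pbkdf2_salted(password, salt)
    return hmac.compare_digest(digest, expected)


def build_stores(accounts=SAMPLE_ACCOUNTS):
    """Return the same accounts stored both ways: (unsalted MD5, salted PBKDF2)."""
    weak = {user: md5_unsalted(pw) for user, pw in accounts.items()}
    strong = {user: pbkdf2_salted(pw) for user, pw in accounts.items()}
    return weak, strong
```

Running `duplicate_password_groups` over an exported credential table is a quick way to confirm the finding the CNIL made: any shared digests mean the store is unsalted and every account is exposed to the same precomputed lookup.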
Policies, procurements, and agency equities.
US Cyber Command Monday released a brief and general account that provides some additional insight into when US support for Ukraine's cyber defense began, and what the nature of that support was. The US Cyber National Mission Force (CNMF) deployed a large hunt forward team in December of last year to work with Ukraine's own Cyber Command; that initial deployment continued through March of this year. Despite the aggressive-sounding name, "hunt forward" operations are, US Cyber Command says, defensive in nature. The hunting is conducted in the networks being defended. "Hunt forward operations are purely defensive activities and operations are informed by intelligence."
While US Cyber National Mission Force personnel are no longer physically deployed in Ukraine, direct support of Ukraine's cyber defense continues. "CYBERCOM remains committed and continues to provide support to Ukraine, other allies and partner nations, with U.S. joint forces aligned and supporting the European Theater. This support included information sharing of threats and cyber insights, such as indicators of compromise and malware. For example, in July 2022, CNMF publicly disclosed novel indicators to cybersecurity industry partners in close collaboration with the Security Service of Ukraine."