By the CyberWire staff
At a glance.
- This week's activities in cyber gangland.
- Trends in ransomware.
- Rackspace works to remediate a ransomware incident.
- Blind spots in air-gapped networks.
- Updates on hybrid war activity.
- Third-party incidents in New Zealand and Belgium.
- Data breach at Amnesty International Canada linked to China.
This week's activities in cyber gangland.
Mobile security firm Zimperium has discovered an Android threat, the Schoolyard Bully Trojan. The Trojan has been active since 2018 and primarily targets Vietnamese readers. The Trojan has the ability to steal credentials from the Facebook accounts of victims, including email, phone number, password, ID, and name. For more on Schoolyard Bully, see CyberWire Pro.
Bitdefender has published a report describing a Chinese cyberespionage operation targeting telecom providers in the Middle East. The threat actor gained initial access by exploiting the ProxyShell vulnerability in Microsoft Exchange Server. After gaining access, the threat actor deployed multiple tools to establish persistence, move laterally, and escalate privileges. These included the Irafau and Quarian backdoors and the Pinkman Agent. Bitdefender suspects BackdoorDiplomacy, a China-linked APT discovered last year by researchers at ESET. ESET noted that the group primarily targets Ministries of Foreign Affairs in the Middle East and Africa, and less frequently, telecommunication companies. Bitdefender attributes this campaign to BackdoorDiplomacy based on the domains used for command-and-control. For more on BackdoorDiplomacy, see CyberWire Pro.
Secureworks Counter Threat Unit researchers investigated the Drokbk malware, found to be operated by a subgroup of Iran’s government-sponsored COBALT MIRAGE threat group, known as Cluster B. The malware uses GitHub as a dead drop resolver to locate its command and control (C2) infrastructure, which lets the operators fly under the radar more easily. “The use of Github as a virtual dead drop helps the malware blend in,” says Secureworks’ Principal Researcher and thematic lead for research focused on Iran, Rafe Pilling, in a media release. “All the traffic to Github is encrypted, meaning defensive technologies can’t see what is being passed back and forth. And because Github is a legitimate service, it raises fewer questions.” The technique is also notable because it is unusual for Iranian malware and represents a departure from past Iranian practice. For more on Cobalt Mirage's recent campaign, see CyberWire Pro.
Researchers at Google's Threat Analysis Group report that North Korean threat actor APT37 exploited a zero-day vulnerability in Microsoft Internet Explorer in a phishing campaign against South Korean targets. "On October 31, 2022, multiple submitters from South Korea reported new malware to us by uploading a Microsoft Office document to VirusTotal," Google writes. "The document, titled “221031 Seoul Yongsan Itaewon accident response situation (06:00).docx”, references the tragic incident in the neighborhood of Itaewon, in Seoul, South Korea during Halloween celebrations on October 29, 2022. This incident was widely reported on, and the lure takes advantage of widespread public interest in the accident."
Microsoft was quick to patch the issue after Google reported it. It's noteworthy that Internet Explorer continues to be a target for exploitation by threat actors, even after Explorer's replacement by Microsoft Edge.
MITRE points out that researchers commonly cover APT37, like other DPRK cyber units, under the umbrella name "Lazarus Group." Some of the operations associated with APT37 have been "Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018."
It's unclear what authorities were in play, but NBC News reports that a US Secret Service investigation has attributed a wave of COVID relief fund fraud to APT41, a threat actor that customarily works on behalf of the Chinese government.
Morphisec announced Thursday that it has observed a new version of Babuk ransomware in the wild. An infestation was detected at a large manufacturing company.
ThreatFabric researchers, tracking Android banking Trojans, have found a criminal service, "Zombinder," that offers to bind such Trojans to otherwise legitimate apps. "The latest campaign we identified while writing the blog involving Zombinder was distributing Xenomorph banking trojan under the guise of VidMate application," the researchers write.
Trends in ransomware.
LookingGlass has published a report on attacks by organized ransomware gangs during the first half of 2022, finding that these groups continue to grow increasingly professionalized. The researchers also point out the similarities between ransomware gangs and legitimate technology businesses. “Groups have started to incorporate business practices such as finance departments, human resources, and even naming employees of the month," they say. "These are not the loosely affiliated groups of the past; rather, they are highly professionalized organizations with quarterly revenue targets and even customer service teams." The top players are the most organized. LookingGlass notes that the majority of targeted ransomware attacks in the first half of 2022 were launched by the top fifteen most active gangs. For more on trends in ransomware gangland, see CyberWire Pro.
Not all threat actors are moving toward businesslike functions, however, and some remain disorganized. Poor quality control causes the hoods as many problems as it would a legitimate business. A sample of the open-source ransomware toolkit Cryptonite has been found to act as a wiper, Fortinet reports. The researchers say the sample never offers the decryption window, so it behaves as a wiper, and they believe this was unintentional:
“[T]he ransomware was not intentionally turned into a wiper. Instead, the lack of quality assurance led to a sample that did not work correctly. The problem with this flaw is that due to the design simplicity of the ransomware if the program crashes—or is even closed—there is no way to recover the encrypted files.
“This sample demonstrates how a ransomware's weak architecture and programming can quickly turn it into a wiper that does not allow data recovery. Although we often complain about the increasing sophistication of ransomware samples, we can also see that oversimplicity and a lack of quality assurance can also lead to significant problems. On the positive side, however, this simplicity, combined with a lack of self-protection features, allows every anti-virus program to easily spot this malware.” For more on criminals and quality control, see CyberWire Pro.
Rackspace works to remediate a ransomware incident.
Late last Friday afternoon cloud service provider Rackspace disclosed that its customers were experiencing difficulties with the company's Hosted Exchange environments. On Saturday the company explained, "On Friday, Dec 2, 2022, we became aware of an issue impacting our Hosted Exchange environment. We proactively powered down and disconnected the Hosted Exchange environment while we triaged to understand the extent and the severity of the impact. After further analysis, we have determined that this is a security incident." Through Sunday Rackspace was contacting customers and advising them on workarounds available to restore alternative services, but they remained unsure when the Hosted Exchange environments might return to normal. "Along with M365, a temporary solution allows mail destined for Hosted Exchange to be sent to external emails," Rackspace tweeted Sunday. Early Monday morning the company advised customers to restore email service by moving to Microsoft 365.
On Tuesday Rackspace disclosed that the incident was in fact a ransomware attack that disrupted the company's Hosted Exchange environment. Rackspace continues to investigate what, if any, data may have been compromised.
Blind spots in air-gapped networks.
Pentera has published a report showing how attackers can use DNS tunneling to communicate with air-gapped networks. Organizations often use air-gapped networks to isolate their sensitive assets. Theoretically, these networks should be entirely cut off from the outside Internet. Pentera explains, however, “While air-gapped networks may not have direct access to the Internet, they still often require DNS services in order to resolve a company’s internal DNS records.... [M]any organizations often make the mistake of thinking that by routing communication over an internal DNS server they are preventing a potential breach. However, they are still susceptible as the internal DNS server can still connect with a public DNS server.”
If an attacker gains the owner rights to a root record within the organization, they can create a Name Server that can communicate with the air-gapped network over DNS. This isn’t trivial, since DNS traffic is usually sent over UDP and the attacker has “no control over the flow or sequence of data transmission.” These obstacles can be overcome, however. For example, if the payload is compressed before sending and decompressed after it’s received, the attacker can verify whether the data has been corrupted. For more on Pentera's report, see CyberWire Pro.
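The caveat Pentera raises is that the internal resolver forwards to public DNS, so the resolver's own query log is where a defender would look for tunneling. The following is an added example, not from Pentera's report: a heuristic that scores each registrable domain on label length, label entropy, subdomain churn and use of bulk-carrying record types, run over a constructed log in an assumed `<timestamp> <client> <qtype> <qname>` format.

```python
"""Heuristic DNS-tunneling indicators from resolver query logs (added example)."""
import math
from collections import defaultdict

# Constructed sample log: ordinary corporate lookups plus a burst of long,
# high-entropy labels under one domain, the shape a DNS tunnel produces.
SAMPLE_LOG = """\
2022-12-05T10:00:01 10.20.0.14 A fileserver.corp.example
2022-12-05T10:00:02 10.20.0.14 A intranet.corp.example
2022-12-05T10:00:03 10.20.0.14 A www.microsoft.com
2022-12-05T10:00:04 10.20.0.22 TXT 4a7f2e9c1b3d5e6f7a8b9c0d1e2f3a4b.q7x9.tun-example.net
2022-12-05T10:00:04 10.20.0.22 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.q7x9.tun-example.net
2022-12-05T10:00:05 10.20.0.22 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.q7x9.tun-example.net
2022-12-05T10:00:05 10.20.0.22 TXT ab12cd34ef56ab78cd90ef12ab34cd56.q7x9.tun-example.net
2022-12-05T10:00:06 10.20.0.22 TXT 77a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2.q7x9.tun-example.net
2022-12-05T10:00:07 10.20.0.14 A mail.corp.example
"""

# Record types that carry large answers and are favoured by tunnelling tools.
BULK_QTYPES = {"TXT", "NULL", "CNAME", "MX"}


def shannon_entropy(label: str) -> float:
    """Bits per character; hex/base32-encoded data sits near 4, words near 2-3."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(log_text: str, min_queries: int = 3) -> dict:
    """Aggregate per registrable domain (naively the last two labels) and score."""
    per_domain = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                      "label_len": 0, "entropy": 0.0, "bulk": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the run
        _ts, _client, qtype, qname = parts
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # bare apex lookups carry no data-bearing subdomain
        m = per_domain[".".join(labels[-2:])]
        m["queries"] += 1
        m["subdomains"].add(".".join(labels[:-2]))
        m["label_len"] += len(labels[0])       # leftmost label carries the payload
        m["entropy"] += shannon_entropy(labels[0])
        m["bulk"] += qtype.upper() in BULK_QTYPES
    report = {}
    for domain, m in per_domain.items():
        n = m["queries"]
        if n < min_queries:
            continue  # too little traffic to judge
        mean_len = m["label_len"] / n
        mean_ent = m["entropy"] / n
        churn = len(m["subdomains"]) / n       # 1.0 means every query was unique
        bulk = m["bulk"] / n
        hits = sum([mean_len >= 20, mean_ent >= 3.5, churn >= 0.8, bulk >= 0.5])
        report[domain] = {"queries": n, "mean_label_len": round(mean_len, 1),
                          "mean_entropy": round(mean_ent, 2), "churn": round(churn, 2),
                          "bulk_ratio": round(bulk, 2), "suspicious": hits >= 3}
    return report


def flagged_domains(log_text: str) -> list:
    """Domains whose aggregate metrics meet at least three of the four indicators."""
    return sorted(d for d, m in analyze(log_text).items() if m["suspicious"])


if __name__ == "__main__":
    for domain, metrics in analyze(SAMPLE_LOG).items():
        print(domain, metrics)
    print("flagged:", flagged_domains(SAMPLE_LOG))
```

Thresholds are starting points for tuning against a baseline of the resolver's normal traffic; legitimate CDN and anti-spam lookups also generate long, unique labels and will need allow-listing.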
Updates on hybrid war activity.
The Record reports that a threat actor with links to Russia is running phishing campaigns impersonating US defense, aerospace, and logistics companies. Recorded Future’s Insikt Group tracks the activity as TAG-53, and sees its operation as overlapping a threat actor other researchers follow as the Callisto Group, COLDRIVER, and SEABORGIUM. One of the threat actor's principal goals appears to be credential harvesting. Recorded Future isn’t sure if the impersonated entities are the specific targets of the operation, but the researchers note that most of these organizations “share a focus around industry verticals that would likely be of interest to Russia-nexus threat groups, especially in light of the war in Ukraine.” The companies being impersonated include US firm Global Ordnance, Polish defense company UMO Poland, the not-for-profit Commission for International Justice and Accountability (CIJA), US-based satellite communications company Blue Sky Network, logistics company DTGruelle, and Russia’s Ministry of Internal Affairs. Microsoft's research into (and disruption of) SEABORGIUM back in August concluded that the group's principal targets were NATO governments, military organizations, and think tanks, with Ukrainian organizations representing secondary targets. SEABORGIUM has been associated with Russia's SVR foreign intelligence service, and particularly with SVR disinformation efforts.
Chinese-government cyberespionage actor Mustang Panda has been, BlackBerry reports, using documents with a Ukrainian-war theme as lures in a phishing campaign actively prospecting targets in Europe, the Middle East, Africa, South and East Asia, and Latin America. The sectors the threat group seems most interested in include "Mining, Education, Telecoms, Financial, CDN Companies, Internet Service Providers, Internet Security Firms, [and] Web Hosting Companies." BlackBerry characterizes the phishbait as "well-thought-out." The payload is usually a version of PlugX, sometimes with minor changes intended to help the malware evade detection.
Kaspersky has described a newly observed wiper, "CryWiper", a pseudoransomware Trojan the researchers think is designed to destroy data. It seems unlikely, in their judgment, that CryWiper is being deployed for financial gain. Although it displays a ransom demand with the customary Bitcoin wallet address, files overwritten by CryWiper are permanently unrecoverable. It focuses on databases, archives, and user documents, not on the victim's operating system. Kaspersky said in its Friday notice that so far it had observed CryWiper in use only against targets in Russia. Citing reports in Izvestia, Ars Technica says that CryWiper seems to have affected mostly "judicial courts" and "mayoral offices." No one is offering attribution, but the selection of targets would seem circumstantially to point to Ukrainian cyber operations.
Scottish deception-as-a-service security firm Lupovis ran an exercise to see whether its honeytraps would attract Russian cyber operators. They did. The researchers found that "The most concerning finding from our study is that Russian cybercriminals have compromised the networks of multiple global organisations, including a Fortune 500 business, over 15 healthcare organisations and a Dam Monitoring System. These organisations were based in the UK, France, the US, Brazil and South Africa, and Russian criminals are rerouting through their networks to launch cyberattacks on Ukrainian [targets], which effectively means they are using these organisations to carry out their dirty work." A surprising fraction of the attacks targeted healthcare organizations. The findings reemphasize the important role cybercriminals continue to play in Russia's war effort.
Third-party incidents in New Zealand and Belgium.
RNZ reports that New Zealand's Ministry of Justice and Privacy Commissioner are investigating an attack against Mercury IT, a third-party IT services provider, that's affected access to data collected and used by a range of healthcare organizations in that country. Te Whatu Ora (Health New Zealand) has disclosed that "A cyber security incident affecting an IT service provider has impacted access to some Te Whatu Ora data relating to bereavement and cardiac services." The data don't appear, the agency says, to have been compromised, but they have been rendered at least temporarily inaccessible. The Privacy Commissioner became aware of the incident on November 30th, and authorities continue to work on determining the scope of the problem.
BleepingComputer, citing sources in the local press, reports that the Belgian city of Antwerp is grappling with IT service outages that began Monday with a cyberattack, believed to be ransomware, against Digipolis, an IT provider that serves the city. There's no publicly available timeline for restoration of normal operations. In the meantime, many services (especially healthcare) have reverted to manual backups.
Data breach at Amnesty International Canada linked to China.
Canada's branch of Amnesty International was victimized in a data breach conducted by a group believed to be linked to the Chinese government, the Record reports. Amnesty Canada said in a statement that the breach was detected on October 5, after employees took notice of "suspicious" IT activity. Ketty Nivyabandi, secretary general of Amnesty International Canada, told TechCrunch that all organizational and email systems were taken offline for around three weeks, causing a “significant impact” to the operations of the organization. “As an organization advocating for human rights globally, we are very aware that we may be the target of state-sponsored attempts to disrupt or surveil our work. These will not intimidate us and the security and privacy of our activists, staff, donors, and stakeholders remain our utmost priority,” said Nivyabandi. Secureworks was brought on to examine the situation, with a final assessment that the attack was conducted by "a threat group sponsored or tasked by the Chinese state.” The conclusion was based “on the nature of the targeted information as well as the observed tools and behaviors, which are consistent with those associated with Chinese cyberespionage threat groups,” Amnesty Canada said in its release.
Adam Flatley, director of threat intelligence at Redacted, says this incident is par for the course for nation-state adversaries: “This is not anything new or surprising. Threat actors, especially nation-state threat actors, have always conducted intelligence operations in addition to other more noticeable effects like deploying ransomware or leaking data. Sometimes those intelligence operations are of a counter-intelligence nature, with the goals of learning what an adversary is planning (or how much they know about what that threat actor is doing) in order to have forewarning of risk or to inform countermeasures. What we're seeing here with Amnesty International Canada is no different.”
Andrew Hollister, CSO of LogRhythm and VP of LogRhythm Labs, says that this attack comes at a time of increased activity from China-linked threat actors, possibly due to CISA's October advisory on the country's state-sanctioned cybercriminals:
"Amnesty International Canada said in a Twitter post that they are 'speaking publicly about the attack to caution other human rights defenders on the rising threat of digital security breaches.' And indeed, the threat to NGOs overall is significant; Microsoft’s 2022 Digital Defense Report indicated that NGOs are among the second most targeted sector by nation-state actors. It’s a sad truth that is common with healthcare and other sectors. NGOs will have to consider diverting resources from their frontline mission to defend against cyber threats in order to continue with their mission.
"Interestingly, Microsoft’s report indicated that many state actors rely on relatively low-tech means, which suggests that their attacks may be mitigated by good cyber hygiene. Every organization should focus on doing the basics well, such as regular patching, backups and implementing two-factor authentication. They should also seek to gain overall visibility across their entire environment in terms of both assets and activity. All these elements will contribute to mitigating the risk from these actors.”
Patch news.
The US Cybersecurity and Infrastructure Security Agency (CISA) Monday added CVE-2022-4262 to its Known Exploited Vulnerabilities Catalog. The issue is a type confusion vulnerability in Google Chromium V8. Agencies are expected to "apply updates per vendor instructions" no later than December 26th.
CISA also released three Industrial Control Systems (ICS) advisories on Thursday. They apply to Advantech iView, AVEVA InTouch Access Anywhere, and Rockwell Automation Logix Controllers. Operators should consult the advisories for appropriate remediations.
Crime and punishment.
Last Thursday US prosecutors asked to dismiss charges against Meng Wanzhou, the chief financial officer of Huawei Technologies, CBC News reports. The Huawei executive struck a deal with the prosecutors last year for the charges against her to be dismissed on December 1, 2022, which marks four years from the date of her arrest in Canada on a US warrant. Meng was accused of bank fraud and other crimes for misleading global bank HSBC Holdings about Huawei's business in Iran in order to obtain banking services that would violate US sanctions. As part of her deal, Meng acknowledged that she had made false statements during a 2013 meeting with an HSBC executive. The dismissal marks the end of a case that negatively impacted China’s relationship with the US and brought Canada into the middle of the dispute. As the Register explains, China considered Canada's arrest of Meng a diplomatic affront, and Beijing’s later arrest of a pair of Canadian nationals accused of espionage was rumored to be payback. Though charges against Meng have been dropped, Huawei is still charged in the case and is accused of crimes including bank fraud, sanctions violations, and conspiracy to steal US trade secrets.
Dark Reading reports that three Nigerian nationals and one UK citizen have been arrested for a cyber tax refund scam. The group is accused of breaching US company servers, stealing personal information, and using that data to file fraudulent Internal Revenue Service tax documents in order to collect refunds. The four men used the underground forum xDedic Marketplace to purchase access to compromised servers and user accounts, and they used the proceeds from their crimes to buy prepaid debit cards for their personal use. The US Department of Justice says they now face extradition to the US, and if convicted, each man could be sentenced to up to twenty years in prison.
Courts and torts.
Apple likes to think of itself as a leader when it comes to user privacy, but the tech giant is currently facing claims that it’s anything but. Bloomberg reports that on Monday Apple was hit with a lawsuit connected to its popular AirTag devices. The devices are intended to help owners keep tabs on valuable personal possessions like keys or wallets, but the plaintiffs say the tags were used to track them without their consent. The ex-boyfriend of one of the plaintiffs hid an AirTag in her car in order to monitor her location, and the estranged husband of the other plaintiff planted an AirTag in her child’s backpack. Privacy advocates have warned that the devices could be used for nefarious purposes, and recent events have proven them right. A man in Ohio used the device to hunt down and shoot an ex-girlfriend, and in Indiana a woman followed an ex-boyfriend to a bar where she ran him over with a car. Apple claims AirTags are embedded with special “stalker-proofing” features, like a chimed notification to inform users if there is an AirTag within Bluetooth range, but users say these measures are ineffective when it comes to preventing abuse of the devices. Monday’s lawsuit claims, “While Apple has built safeguards into the AirTag product, they are woefully inadequate, and do little, if anything, to promptly warn individuals if they are being tracked.”
Meanwhile, a class-action lawsuit has been filed against Apple after two Californian developers stated that the company has been tracking users’ activity in the App Store with no way for users to disable the function. As Security Week explains, although Apple has made several moves supposedly in the interest of user privacy – for instance, making it easy for users to block apps from collecting their data – some rivals say such seemingly altruistic actions are really an attempt to push out the competition. Meta CEO Mark Zuckerberg said last week, "It's problematic for one company to be able to control what app experiences end up on a device. (The) vast majority of profits in mobile ecosystem go towards Apple."
Policies, procurements, and agency equities.
The US Cyber Safety Review Board (CSRB), established in February of this year, has announced that it's undertaking an investigation of the Lapsus$ Group, the international extortion gang many of whose members are teenagers. The Lapsus$ Group has had an impact on organizations far out of proportion to its perceived skills and resources. This represents the CSRB's second investigation since its founding: the first, completed in July, was an examination of the Log4j family of vulnerabilities.
Reuters reports that the Swiss government is planning to approve legislation making it mandatory to report cyberattacks impacting critical infrastructure. The new measure would also more clearly define the role of the National Cyber Security Centre (NCSC) as the central watchdog for cyberattacks. A statement from the Swiss Federal Council reads, "Successful cyberattacks can have far-reaching consequences for the availability and security of the Swiss economy. The general public, authorities and companies are exposed to the risk of cyberattacks on a daily basis. There is currently no overall picture of what attacks have taken place where, because reporting to the NCSC is voluntary.”