State-sponsored activity (and defenses against it). Breaches, ransomware, and social engineering. SHA-1 retired.

At a glance.

• Developments in Russia's hybrid war against Ukraine.
• Recent Iranian cyber activity.
• NSA warns of Chinese cyber threats.
• Royal ransomware targets the healthcare sector.
• Uber sustains a third-party breach.
• InfraGard user data for sale.
• Predatory loan app discovered embedded in mobile apps.
• Facebook phishing.
• SHA-1 is retired.
• Patch news.
• Crime and punishment.
• Policies, procurements, and agency equities.

Developments in Russia's hybrid war against Ukraine. 

Mandiant on Thursday issued a report on a supply-chain attack in which Trojanized Windows 10 installers are being distributed to Ukrainian targets. The researchers track the activity as UNC4166, and while they’re commendably cautious in attribution, they do note that, significantly, there seems to be an overlap between this round of attacks and the target list of Ukrainian organizations against which the GRU deployed wipers early in the war. John Hultquist, Head of Intelligence Analysis at Mandiant, emphasizes that this is a supply chain attack, and in that respect at least reminiscent of the SolarWinds operation. He said in emailed comments, “Though it’s hardly as technically sophisticated as SolarWinds, this operation is similar in that it appears to be designed to compromise a large set of potential targets who can then be winnowed down for targets of interest. In this case those targets are the Ukrainian government. We can’t afford to ignore the supply chain. It can be used like a sledgehammer or it can be used like a scalpel.”

The State Service for Special Communications and Information Protection of Ukraine warned citizens to be alert for a phishing campaign. The phishing email misrepresents itself as being from the State Emergency Service of Ukraine. The phishbait in the subject line is "How to recognize a kamikaze drone," which shows an attempt to trade upon recent widespread fears of Russian drone attacks.

Wired reports that GPS signals are being jammed in some Russian cities. Russian electronic warfare operations have periodically disrupted GPS during the present war. The motive in this case may be interference with GPS-guided Ukrainian drones and missiles that have recently struck military targets inside Russia.

Both Check Point Research and Positive Technologies report renewed activity by Cloud Atlas, an APT of uncertain provenance that's also known as "Inception." There's a general consensus that Cloud Atlas is engaged in cyber espionage, and that it's at present collecting against targets related to Russia's war against Ukraine, notably in Russia and Belarus. Who Cloud Atlas is working for or what strategic interests the APT serves remain unclear. Neither Check Point nor Positive Technologies offer any attribution. In 2016 Kaspersky, writing in Virus Bulletin reported, very tentatively, that there were circumstantial signs of Chinese activity behind Cloud Atlas. But this was far from dispositive. It could equally well be evidence of code borrowing or false-flag operations.

A study, "Cyber Operations in Ukraine: Russia's Unmet Expectations," published by the Carnegie Endowment for International Peace offers the beginning of an answer to one of the most-discussed questions about Russia's war against Ukraine: why have Russian cyber operations fallen so far short of pre-war Western expectations? The essay offers three hypotheses to explain Russian failure in cyberspace: "the infancy and putative focus of the VIO, the preponderance of cyber talent in the Russian national security ecosystem, and the pivotal nature of the initial period of war." The common theme among the three hypotheses is Russian unreadiness.

Recent Iranian cyber activity.

Bleeping Computer reports that a new data wiper, "Fantasy," has been seen in use by the Agrius APT group in supply-chain attacks against targets in Israel, Hong Kong, and South Africa. The campaign reportedly began in February of this year and took hold in March, victimizing an IT support services firm, a diamond wholesaler, a jeweler, and an HR consulting company. This new wiper is an evolution of the “Apostle” wiper, seen previously in use by the hacking group, according to analysts from ESET.

Iran-affiliated threat group MuddyWater has been observed by Dark Instinct researchers abusing a new remote administration tool, known as Syncro, against target devices, Dark Reading reports. Syncro is a managed service provider (MSP) platform that replaced the group’s other remote administration tool "RemoteUtilities," which was seen in use in September. The Hacker News says that the software allows for complete control of machines remotely, which allows for reconnaissance, backdoors, and the sale of access to outside actors. 

Proofpoint has released research on what it calls "aberrations" in operations of the Iranian threat actor TA453, a group whose activity overlaps that of Charming Kitten, PHOSPHORUS, and APT42. "A hallmark of TA453’s email campaigns is that they almost always target academics, researchers, diplomats, dissidents, journalists, human rights workers, and use web beacons in the message bodies before eventually attempting to harvest a target’s credentials. Such campaigns may kick off with weeks of benign conversations from actor-created accounts before attempted exploitation," the researchers say. 

Since 2020, however, TA453 has selected victims from a wide range of sectors (a disparate group that includes medical researchers, realtors, and travel agencies), and it's used "compromised accounts, malware, and confrontational lures" in pursuing them. Proofpoint thinks "with moderate confidence that this activity reflects a flexible mandate to the Islamic Revolutionary Guard Corps' (IRGC) intelligence requirements." There's also a sub-cluster of the activity that seems to support covert IRGC operations, including, disturbingly, apparent attempts to lure targets into kidnapping traps.

NSA warns of Chinese cyber threats.

NSA yesterday released "Citrix ADC Threat Hunting Guidance" that warns of activity by APT5. The advisory doesn't explicitly attribute APT5 to China (although it does link it to UNC2630 and MANGANESE), but as Reuters observes, APT5 has long been strongly suspected of being a Chinese intelligence threat group. (Mandiant is among those who've registered that suspicion.) NSA's advisory offers guidance on file integrity and behavioral checks, as well as YARA rules useful for detection.

Royal ransomware targets the healthcare sector.

The US Department of Health and Human Services (HHS) has warned of the threat the Royal ransomware poses to the Healthcare and Public Healthcare (HPH) sector. Royal first surfaced in September 2022. It appears to be operated by a single group rather than functioning as a ransomware-as-a-service model. A report from Microsoft found that the threat actor uses social engineering to distribute the ransomware.

Uber sustains a third-party breach.

BleepingComputer reports that Uber has sustained a breach. Over the weekend a group styling itself “UberLeaks” began dumping data it claimed to have stolen from Uber and Uber Eats. The data dumped online include what the attackers say is source code for mobile device management platforms and for third-party vendor services the company uses. BleepingComputer says, “The threat actor created four separate topics, allegedly for Uber MDM at uberhub.uberinternal.com and Uber Eats MDM, and the third-party Teqtivity MDM platforms.” The data compromised include, Uber believes, corporate and employee data, but not customer information.

This incident apparently originated in the compromise of a third-party vendor, and that there’s some evidence of Lapsu$ gang activity. Uber told BleepingComputer, “We believe these files are related to an incident at a third-party vendor and are unrelated to our security incident in September. Based on our initial review of the information available, the code is not owned by Uber; however, we are continuing to look into this matter.” 

Teqtivity says in its own statement, “We are aware of customer data that was compromised due to unauthorized access to our systems by a malicious third party. The third party was able to gain access to our Teqtivity AWS backup server that housed Teqtivity code and data files related to Teqtivity customers. Teqtivity is still investigating the incident, but it believes that the information exposed in the attack includes:

• “Device information: Serial Number, Make, Models, Technical Specs.”
• “User Information: First Name, Last Name, Work Email Address, Work Location details.”

One safe bet is that Uber personnel should prepare themselves to withstand a wave of phishing and other social-engineering approaches that can be expected to make use of the data the attackers have dumped online. 

InfraGard user data for sale.

KrebsOnSecurity reports that someone using the nom-de-hack “USDoD” (and whose avatar is the US Department of Defense seal, but who's obviously unconnected with the Pentagon) is offering an InfraGard user database for sale in the criminal souk Breached. InfraGard describes itself (accurately) as "a partnership between the Federal Bureau of Investigation (FBI) and members of the private sector for the protection of U.S. Critical Infrastructure." Thus any data it might hold are obviously of at least prima facie interest to a range of threat actors. The attacker gained access to InfraGard by applying for membership under a bogus identity. "USDoD said they gained access to the FBI’s InfraGard system by applying for a new account using the name, Social Security Number, date of birth and other personal details of a chief executive officer at a company that was highly likely to be granted InfraGard membership," KrebsOnSecurity explained. "The CEO in question — currently the head of a major U.S. financial corporation that has a direct impact on the creditworthiness of most Americans — told KrebsOnSecurity they were never contacted by the FBI seeking to vet an InfraGard application." The FBI says it's aware of the matter, and that an investigation is ongoing.

Predatory loan app discovered embedded in mobile apps. 

Zimperium has found a novel predatory loan application, "MoneyMonger," embedded in mobile apps developed with Flutter. It's found in apps sold through third-party stores. MondeyMonger collects a large amount of personal information from its victims, and then uses that information in what Zimperium describes as "multiple layers of social engineering," ultimately seeking to extort even more money from the marks than the original conditions of their predatory loans imposed. Zimperium concludes that the code they've discovered forms "part of a more extensive predatory loan malware campaign previously discovered by K7 Security Labs." So predatory lending is bad enough, but in this case the criminals seek to enmesh the victims in a tangle of threats, pressure, and further extortion, with data theft on the side.

Facebook phishing. 

Researchers at Trustwave have observed a phishing campaign that informs recipients that their Facebook account will be locked within 48 hours for a copyright violation. The phishing emails themselves are very poorly written, but they contain a link to a fairly convincing Facebook post. The link in the Facebook post leads to a spoofed version of Facebook’s appeals page, hosted on a domain that impersonates Facebook’s parent company Meta. Once you’re there, thinking you’re about to get your account unlocked, you’ll be asked to enter some information. After the victims do so, they’ll be redirected to Facebook's real website, possibly none the wiser. Trustwave concludes, “These fake Facebook ‘Violation’ notifications use real Facebook pages to redirect to external phishing sites. Users are advised to be extra careful when receiving false violation notifications and not to be fooled by the apparent legitimacy of the initial links.”

SHA-1 is retired. 

NIST urges those who still use it to move away from the venerable SHA-1 encryption algorithm, in service since 1995. "The SHA-1 algorithm, one of the first widely used methods of protecting electronic information, has reached the end of its useful life, according to security experts at the National Institute of Standards and Technology (NIST). The agency is now recommending that IT professionals replace SHA-1, in the limited situations where it is still used, with newer algorithms that are more secure," that is, with SHA-2 or SHA-3. SHA-1 has grown unacceptably vulnerable to collision attacks. 

Patch news.

In this week's Patch Tuesday several vendors patched widely used products. Some of the vulnerabilities addressed are undergoing active exploitation in the wild. Among the more notable patches are mitigations offered by SAP, Microsoft, Apple, Citrix, VMware, Mozilla, and Adobe.

In the course of issuing its updates, Microsoft also took steps to address the problem of legitimately signed Microsoft drivers being used in targeted attacks: "Microsoft was recently informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity. Microsoft has completed its investigation and determined that the activity was limited to the abuse of several developer program accounts and that no compromise has been identified. We’ve suspended the partners' seller accounts and implemented blocking detections to help protect customers from this threat." The issue was discovered and disclosed by SentinelOne and Mandiant, working in partnership with one another. The threat actors detected using the malicious drivers were doing so in an evident attempt to evade detection by security tools.

Crime and punishment.

The US Department of Justice announced yesterday that five Russian nationals had been indicted in connection with violations of sanctions and export controls. The five are charged with "conspiracy to defraud the United States as to the enforcement of export controls and economic sanctions; conspiracy to violate the Export Control Reform Act (ECRA); smuggling; and failure to comply with the Automated Export System relating to the transportation of electronics." The indictments are the result of work by Task Force KleptoCapture, an interagency group formed specifically to enforce sanctions and go after the corrupt oligarchs who are so often responsible for their violation. Four of those indicted remain at large, but one, Mr. Konoshchenok, whom Justice calls "a suspected officer with Russia’s Federal Security Service (FSB)," was arrested in Estonia last week and is awaiting extradition to the US.

Policies, procurements, and agency equities.

CISA this week published read-out of the second meeting of the Joint Ransomware Task Force. Six working groups have taken up various aspects of the ransomware challenge, and they’re worth quoting as they offer some insight into how the task force sees its mission:

• First, "Victim Support: Standardizing and synchronizing federal engagement with ransomware victims to offer services and assess any gaps to ensure that victims of ransomware incidents receive the necessary support to restore services and minimize damage."
• Second, "Measurement: Collecting data and metrics that will improve the cybersecurity community’s collective understanding of ransomware affecting U.S. organizations and trends associated with actors, victims, and impacts, which will in turn inform U.S. government actions to counter the threat, provide more actionable guidance, and evaluate progress."
• Third, "Partner Engagement: Expanding operational collaboration and multi-directional intelligence sharing between JRTF members and non-governmental partners including the private sector and the international community to more effectively prevent, detect, and respond to evolving ransomware campaigns."
• Fourth, "Continuous Improvement: Examining and compiling lessons learned from recent ransomware incidents in key sectors to address gaps in coordination, increase effectiveness of information sharing, and improve the federal government’s response and preparedness posture."
• Fifth, "Intelligence Integration: Leveraging the intelligence collection capabilities of all partners, process intelligence community analysis, and manage intelligence engagement with international partners to drive the planning and execution of synchronized JRTF operations." 
• And finally, "Campaign Coordination: Organizing existing interagency campaigns to disrupt ransomware actors and strengthen national cyber defense against ransomware operations, while also collaborating with relevant partners on new campaigns efforts.

US NSA Cybersecurity Director Rob Joyce warned against complacency about Russian cyber operations. CyberScoop quotes him as saying, during a press briefing on the release of NSA's 2022 retrospective, “I would not encourage anyone to be complacent or be unconcerned about the threats to the energy sector globally. As the war progresses there’s certainly the opportunities for increasing pressure on Russia at the tactical level, which is going to cause them to reevaluate, try different strategies to extricate themselves."