Russian cyberactivity against Ukraine.
CrowdStrike last Friday released its analysis of the probable course of Russian cyber action against Ukraine. They attribute most of the activity against Ukrainian targets to Voodoo Bear, a unit operating under the direction of Russia’s GRU military intelligence service. Voodoo Bear has a long history of operations against Ukrainian targets that goes back to 2014, the year Russia seized and annexed Ukraine’s Crimean region. The recent information operations in the campaign CrowdStrike calls WhisperedDebate are assessed as preparation. Should the conflict escalate, CrowdStrike expects Voodoo Bear to step up destructive wiper attacks.
Palo Alto Networks' Unit 42 reports that Gamaredon (or Primitive Bear), a threat actor associated with Russia's FSB, has been active against an unnamed Western government "entity" in Ukraine. The campaign relied on phishing for its initial access. The FSB's attentions to Ukraine are nothing new, and are likely to continue. "Gamaredon has been targeting Ukrainian victims for almost a decade," Unit 42 concludes. "As international tensions surrounding Ukraine remain unresolved, Gamaredon’s operations are likely to continue to focus on Russian interests in the region." For further background on Gamaredon's recent activity, Unit 42 recommends the study Estonia's CERT-EE published early last week.
Researchers at Symantec have also observed recent attacks by Gamaredon (which they track as "Shuckworm"), and they cite Ukraine's SSU on attribution of the group to Russia's FSB. The researchers stated, "Symantec observed Shuckworm activity on an organization in Ukraine, which began on July 14, 2021 and continued until August 18, 2021. The attack chain began with a malicious document, likely sent via a phishing email, which was opened by the user of the infected machine."
Lazarus Group impersonates Lockheed Martin.
North Korea's Lazarus Group has been using phony job notices that the threat actor represents as being from Lockheed Martin. The attack, described late last week by Malwarebytes, begins with malicious macros embedded in Word documents, and it abuses the Windows Update Client "to bypass security detection mechanisms." The researchers also note, "Rarely do we see malware using GitHub as C2 and this is the first time we’ve observed Lazarus leveraging it. Using Github as a C2 has its own drawbacks but it is a clever choice for targeted and short term attacks as it makes it harder for security products to differentiate between legitimate and malicious connections."
Antlion targets Taiwanese financial organizations.
Symantec researchers on Thursday released a report on the recent activities of Antlion, a Chinese government-directed advanced persistent threat that's been working against financial services in Taiwan over the past eighteen months. Its attacks are marked by the installation of the xPack backdoor. The goal of the operation is espionage, and Symantec thinks the duration of Antlion's persistence in compromised networks is "notable." It's been able to spend months inside its targets, giving it ample time to survey and collect information. The researchers stated:
"The attackers also used a variety of off-the-shelf tools, as well as leveraging living-off-the-land tools such as PowerShell, WMIC, ProcDump, LSASS, and PsExec. The legitimate AnyDesk tool was also abused by the attackers for remote access in one of the victim organizations. The attackers were also observed leveraging exploits such as CVE-2019-1458 for privilege escalation and remote scheduled tasks to execute their backdoor. CVE-2019-1458 is an elevation-of-privilege vulnerability that occurs in Windows when the Win32k component fails to properly handle objects in memory."
Malicious OAuth apps target executives.
Proofpoint describes a "new malicious hybrid cloud campaign named OiVaVoii." The campaign targets board members and C-suites with malicious OAuth applications and a variety of social engineering ploys:
"At least three of these condemned third-party apps were created by two different 'verified publishers,' meaning the app’s owner was likely a compromised admin user-account within a legitimate Office tenant. Out of the remaining two apps, at least one was created by a non-verified organization, which could imply leveraging a (third) hijacked cloud environment or using a dedicated malicious Office tenant.
"Once these apps were created, authorization requests were then sent, via email, to numerous targeted users, including high-level executives. The seemingly benign identity of the publishing organization was a substantial advantage, causing multiple unsuspecting victims to authorize these applications. This enables the attackers to generate OAuth tokens on the compromised user’s behalf and complete the account takeover."
Facebook account hijacking campaign.
BleepingComputer reports that Finland's National Cyber Security Centre (NCSC-FI) warns of an ongoing campaign to hijack Facebook accounts. The attackers use social engineering in Facebook chats. Victims receive messages from operators pretending to be online acquaintances that ask for phone numbers and an SMS-delivered verification number. Once the attackers have these, they then establish control over the account for use in further scams.
Ramnit banking Trojan analyzed.
IBM has released a study of the well-known Ramnit banking Trojan, which has been in circulation for a decade. The researchers found that Ramnit was the top-ranking banking Trojan in 2021. IBM states, "Ramnit carries out simple yet effective operations on infected devices. While other cyber crime gangs have moved on to larger corporate bounties and ransomware/extortion attacks, Ramnit continues to focus on consumers. Once it is resident on an infected device, it monitors browsing to target websites and goes into information stealing mode. It typically snatches login credentials, but its web injections can also trick victims into providing payment card details or other personal data."
US Federal agencies issue alerts.
Three US Federal agencies have issued alerts this week. The FBI warned that the Olympic Games will afford hackers of many kinds attractive targets. More pointedly, the Bureau also advises those traveling to the Games that foreign intelligence services can be expected to attempt to compromise (via "mobile applications developed by untrusted vendors") any devices the travelers bring with them.
The Federal Trade Commission, according to the Wall Street Journal, reported that ad fraud in social media is a growing threat. Scammers “use the tools available to advertisers on social media platforms to systematically target people with bogus ads based on personal details such as their age, interests, or past purchases,” the FTC says.
And the National Counterintelligence and Security Center warned that foreign intelligence services are attempting to gain access to individuals' medical information by requiring providers of diagnostic services to share such information with their governments.
White Tur targets Serbian organizations.
PwC describes a hitherto unknown threat actor they're calling "White Tur." (The "White," in PwC's naming convention, means that the researchers haven't yet determined the actor to be based in any particular geographical area.) PwC's study of the group began with a January 2021 investigation of a phishing campaign. White Tur is unusual insofar as it seems to have borrowed tactics, techniques, procedures, and code from several unrelated advanced persistent threats. White Tur targets defense, government, and research organizations in Serbia, but PwC has been unable to discern any unifying motive that would point to a particular threat group.
Charming Kitten uses a new backdoor.
Cybereason says the Iranian threat group Phosphorus (also called APT35 and Charming Kitten) has increased its activity and shown new capabilities, including modular malware and a newly observed PowerShell backdoor ("PowerLess Backdoor") that evades detection by running in a .NET application without launching the telltale powershell[.]exe. It's also using open-source tools and publicly available exploits. Cybereason finds that some of Charming Kitten's indicators of compromise overlap those associated with the Memento ransomware operation.
Hacktivists disrupt Iranian television.
Adalat Ali, a dissident Iranian hacktivist group, has resurfaced and hijacked Iranian state-owned television streams, the Record reports. The Record states, "During a live broadcast of the Iran-UAE soccer match, the Adalat Ali group hijacked the web stream and aired a short 50-second video in which it urged Iranians to rise up in nationwide protests against the ruling Khamenei regime during the Fajr Decade, an 11-day celebration of the 1979 Revolution that takes place each year between February 1 and February 11."
Arid Viper active against Palestinian targets.
Cisco Talos says Arid Viper is launching phishing attacks against Palestinian targets. Arid Viper strikes Talos as technically unsophisticated, but also as indifferent to stealth or misdirection, which suggests the group doesn't worry about public exposure. Arid Viper has been thought to be based in Gaza, which suggests that it's a party to intra-Palestinian disputes. Talos stated:
"This actor uses their Delphi-based Micropsia implant to target Palestinian individuals and organizations, using politically themed file names and decoy documents. The most recent wave uses content originally published on the Turkish state-run news agency Anadolu and on the Palestinian MA'AN development center to target activists and Palestinian institutions. The tactics, techniques and procedures (TTPs) used in the most recent samples found by Talos lead us to believe this is a campaign linked to the previous campaign we reported on in 2017. Meta exposed this actor in an April 2021 report that focused mainly on mobile targeting operations. However, that did not stop the group, as they've continued to target Windows-based systems. Although this group hasn't technologically evolved, it has the motivation and means to operate longstanding campaigns against the same targets. This level of motivation makes them particularly dangerous to organizations that may come into their crosshairs."
Ransomware disrupts operations in Europe.
As the effects of a cyberattack on two German petroleum distribution firms continue to disrupt operations (Royal Dutch Shell has begun rerouting fuel, Teiss reports), the nature of the attack has become clearer. According to ZDNet, Germany's BSI has determined that it was a ransomware attack, and that the BlackCat group was behind the incident.
Reuters reports that Belgian prosecutors have opened an investigation into a cyber incident that hit the Port of Antwerp on Friday. The attack seems to have centered on the port operator, SEA-Tank, but few details are publicly available.
Disruption of logistical choke points—petroleum distribution in Germany, port operations in Belgium and the Netherlands—continues to spread across Europe, Industrial Cyber reports. The Record says that officials in the Netherlands don't believe the attacks are related, and SecurityWeek quotes Dutch authorities as saying that the attacks were "probably committed with a criminal motive." The incidents are thought to be ransomware attacks, specifically with the Conti and BlackCat strains. According to Deutsche Welle, both Europol and national authorities are investigating. The consequences of the attacks against Belgian port facilities seem to have been contained and limited. Among the operators affected was SEA-Tank, which works in Antwerp. The BBC reports that SEA-Tank's corporate parent, SEA-Invest, has said that its operations worldwide have been affected by the incident, with terminals at Terneuzen, Ghent, and Malta particularly mentioned.
BlackCat ransomware described.
The BlackCat ransomware-as-a-service gang, described in detail last week by Palo Alto Networks Unit 42, is regarded as unusual for its peculiar way of using private access-key tokens. KrebsOnSecurity has an interesting account of contacts with criminal actors who may or may not be behind BlackCat. It's a Russophone criminal group, and there are a few suspects, but there's no definitive attribution. Unit 42 states:
"BlackCat has taken an aggressive approach to naming and shaming victims, listing more than a dozen on their leak site in a little over a month. The largest number of the group’s victims so far are U.S. organizations, but BlackCat and its affiliates have also attacked organizations in Europe, the Philippines and other locations. Victims include organizations in the following sectors: construction and engineering, retail, transportation, commercial services, insurance, machinery, professional services, telecommunication, auto components and pharmaceuticals.
"Use of BlackCat ransomware has grown quickly for a variety of reasons (for comparison, AvosLocker had only listed a handful of victims publicly within two months of becoming known). Effective marketing to affiliates is a likely factor – in addition to offering an enticing share of ransom payments, the group has solicited affiliates by posting ads on forums such as Ransomware Anonymous Market Place (RAMP)."
Threats to industrial control systems.
Claroty's recent report on the global state of industrial cybersecurity notes that, of those who responded to their survey, about half reported an effect on operational technology and industrial control systems. The researchers stated, "On a global basis, a staggering 80% of respondents experienced an attack, and 47% said it impacted the OT/ICS environment. More than 90% of organizations that were attacked disclosed the incident to shareholders and/or authorities, and reported the impact was substantial or significant in almost half (49%) of the cases. Looking more closely at the distribution of attacks, in industries including IT Hardware, Oil & Gas, Water & Waste, and Automotive, 90% were impacted by ransomware and 87% in Heavy Industry and Electric Energy. Not surprisingly, the larger the organization, the more likely an attack, as that’s where the money is; far fewer (63%) SMBs (<$500M annual revenue) report being impacted by ransomware."
China-linked APT exploits Zimbra vulnerability.
Volexity reports that a Chinese APT is exploiting a cross-site-scripting vulnerability in Zimbra, an email platform organizations use as an alternative to Microsoft Exchange, against European governments. Volexity calls the campaign "EmailThief"; initial access comes through phishing. Volexity states:
"The campaigns came in multiple waves across two attack phases. The initial phase was aimed at reconnaissance and involved emails designed to simply track if a target received and opened the messages. The second phase came in several waves that contained email messages luring targets to click a malicious attacker-crafted link. For the attack to be successful, the target would have to visit the attacker's link while logged into the Zimbra webmail client from a web browser. The link itself, however, could be launched from an application to include a thick client, such as Thunderbird or Outlook. Successful exploitation results in the attacker being able to run arbitrary JavaScript in the context of the user's Zimbra session. Volexity observed the attacker attempting to load JavaScript to steal user mail data and attachments."
Patch news.
CISA has issued six industrial control system advisories, for the Ricon Mobile Industrial Cellular Router, Advantech ADAM-3600, Multiple Data Distribution Service (DDS) Implementations (Update A), Sensormatic PowerManage, Airspan Networks Mimosa, and FANUC Robot Controllers (Update A).
Crime and punishment.
WIRED has an account of the internal chatter of the Trickbot gang, which does indeed seem to operate like a business. While Trickbot was briefly disrupted last October by US Cyber Command, it's back and operating from Russia with the familiar impunity Moscow has long conferred on privateers.
The Verge reports that the decentralized finance (DeFi) platform Qubit Finance was hit by thieves last week, losing some $80 million in the cryptocurrency it handled.
Policies, procurements, and agency equities.
Both the US and the UK are preparing new sanctions against Russia should it not pull back from its threatening posture with respect to Ukraine, Bloomberg reports. The most serious sanctions would be reserved as a response to an invasion. This round of sanctions will in all likelihood be designed to have a strong effect on individuals. In the US a bill introduced in the Senate is consistent with earlier Administration statements on sanctions, according to the Wall Street Journal.