Updates on the Russia-Ukraine crisis.
False flags, information operations, and cyberattacks continue to mark Russia's hybrid war against Ukraine. Whether Moscow will escalate the conflict with a large conventional campaign remains to be seen, but both the US and UK have continued to warn that a large-scale invasion could be imminent.
Russia continues to disclaim any intention of preparing a further invasion of Ukraine, Bloomberg reports. The US continues to say that the risk of intensified ground combat remains high. “We have reason to believe they are engaged in a false-flag operation to have an excuse to go in,” President Biden said Thursday. "False flag" operations are provocations staged as outrages that can be more-or-less plausibly attributed to an adversary. According to the Washington Post, US Secretary of State Blinken, speaking on Thursday at the United Nations, enumerated three possible false-flag provocations: “'fabricated so-called terrorist bombing inside Russia,' a fake mass grave, a staged drone attack on civilians, or a 'fake, even a real, attack using chemical weapons.'”
Warnings that Russian cyber operations could affect countries beyond Ukraine continue. The Voice of America reports US concerns about the possibility of cyberattack, and it cites the often-mentioned case of NotPetya, which spread beyond its Ukrainian targets to affect commerce globally. Media in the UK are retailing similar warnings, although they focus on the possibility of a direct cyberattack against British assets.
TA2541 targets the transportation sector.
Proofpoint has published research that tracks the activity of TA2541, a threat actor that has targeted the "aviation, aerospace, transportation, manufacturing, and defense industries for years." Its preferred tactic is phishing: malicious files deliver a remote-access Trojan to its intended marks. The group has evolved beyond familiar email phishing with malicious attachments and now sends victims links to cloud services like Google Drive where the payload resides. The researchers describe TA2541 as "criminal," but offer little other attribution or characterization. CyberScoop reports that it may have a geographical connection with Nigeria.
Proofpoint notes that, "Unlike many cybercrime threat actors distributing commodity malware, TA2541 does not typically use current events, trending topics, or news items in its social engineering lures. In nearly all observed campaigns, TA2541 uses lure themes that include transportation related terms such as flight, aircraft, fuel, yacht, charter, etc."
ShadowPad analyzed.
Secureworks describes ShadowPad, an advanced remote access tool that's been used since 2017 by "threat groups affiliated with the Chinese Ministry of State Security (MSS) civilian intelligence agency and the People's Liberation Army (PLA)." Secureworks stated, "The malware was likely developed by threat actors affiliated with BRONZE ATLAS and then shared with MSS and PLA threat groups around 2019. Given the range of groups leveraging ShadowPad, all organizations that are likely targets for Chinese threat groups should monitor for TTPs associated with this malware. Organizations with operations in or connections to geographic regions covered by the regional theater commands should specifically monitor for known TTPs associated with threat groups likely affiliated with the relevant theater command."
QR codes' risks.
Coinbase's Super Bowl commercial drew a great deal of attention. The ad presented a minute's worth of empty screen with a QR code ricocheting across the TV, an implicit invitation to scan it and go to the company's site. Judged by viewer response, the commercial was a hit. Security Magazine says that the landing page where the QR code sent those who responded received more than twenty million hits in a minute. This quickly amounted to a kind of auto-DDoSing, since Coinbase's site crashed under the traffic, but the company was pleased with the results. The commercial also prompted some discussion of the ways in which QR codes lend themselves to abuse by malicious actors. Help Net Security notes that the codes don't lend themselves to easy user inspection. Even the minimal cues a URL or an email address might contain are absent, and it's wise to treat them by default with suspicion.
Swissport investigates alleged stolen data.
Aviation services provider Swissport is investigating claims by the BlackCat ransomware operators that they've leaked stolen data, SecurityWeek reports. Swissport told SecurityWeek, "While conducting our investigation, we learned that an unauthorized party posted data online that they claim to have stolen from Swissport. We take these allegations seriously and are analyzing the files that were posted online as part of our ongoing investigation into the incident. When we learned of the incident, we promptly took the affected systems offline, launched an investigation, notified law enforcement, and engaged leading cybersecurity experts to help assess the scope of the incident. At this point in time, we cannot provide any further information."
Russian cyberespionage campaign targets cleared defense contractors.
On Wednesday the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and NSA issued a Joint Cybersecurity Advisory, “Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology.” It describes an ongoing Russian cyberespionage campaign in progress since early 2020 that's targeted US cleared defense contractors (CDCs). The tactics used are “common but effective,” including “spearphishing, credential harvesting, brute force/password spray techniques, and known vulnerability exploitation against accounts and networks with weak security.”
The alert states, "In many attempted compromises, these actors have employed similar tactics to gain access to enterprise and cloud networks, prioritizing their efforts against the widely used Microsoft 365 (M365) environment. The actors often maintain persistence by using legitimate credentials and a variety of malware when exfiltrating emails and data. These continued intrusions have enabled the actors to acquire sensitive, unclassified information, as well as CDC-proprietary and export-controlled technology. The acquired information provides significant insight into U.S. weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology. By acquiring proprietary internal documents and email communications, adversaries may be able to adjust their own military plans and priorities, hasten technological development efforts, inform foreign policymakers of U.S. intentions, and target potential sources for recruitment. Given the sensitivity of information widely available on unclassified CDC networks, the FBI, NSA, and CISA anticipate that Russian state-sponsored cyber actors will continue to target CDCs for U.S. defense information in the near future."
Red Cross data breach.
The International Committee of the Red Cross (ICRC) on Wednesday released an update on the incident it sustained in which threat actors obtained sensitive information about refugees and other vulnerable populations. The ICRC suspects "state-sponsored" actors, but declines to further identify them. They are believed to have gained access to the ICRC's systems by exploiting an unpatched vulnerability (CVE-2021-40539) in Zoho ManageEngine ADSelfService. The ICRC released the following findings:
- "The attackers used a very specific set of advanced hacking tools designed for offensive security. These tools are primarily used by advanced persistent threat groups, are not available publicly and therefore out of reach to other actors.
- "The attackers used sophisticated obfuscation techniques to hide and protect their malicious programs. This requires a high level of skills only available to a limited number of actors.
- "We determined the attack to be targeted because the attackers created a piece of code designed purely for execution on the targeted ICRC servers. The tools used by the attacker explicitly referred to a unique identifier on the targeted servers (its MAC address).
- "The anti-malware tools we had installed on the targeted servers were active and did detect and block some of the files used by the attackers. But most of the malicious files deployed were specifically crafted to bypass our anti-malware solutions, and it was only when we installed advanced endpoint detection and response (EDR) agents as part of our planned enhancement programme that this intrusion was detected."
KrebsOnSecurity reports informed speculation that the incident was an Iranian influence operation.
Ice phishing.
Microsoft describes a new style of blockchain-centric attack, "ice phishing." Microsoft explains, "The ‘ice phishing’ technique we discuss in this post doesn’t involve stealing one’s private keys. Rather, it entails tricking a user into signing a transaction that delegates approval of the user’s tokens to the attacker. This is a common type of transaction that enables interactions with DeFi smart contracts, as those are used to interact with the user’s tokens (e.g., swaps)....In an ‘ice phishing’ attack, the attacker merely needs to modify the spender address to attacker’s address. This can be quite effective as the user interface doesn’t show all pertinent information that can indicate that the transaction has been tampered with....Once the approval transaction has been signed, submitted, and mined, the spender can access the funds. In case of an ‘ice phishing’ attack, the attacker can accumulate approvals over a period of time and then drain all victim’s wallets quickly."
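To make the mechanism concrete, here is an added example (mine, not Microsoft's) that decodes ERC-20 approve() calldata the way a wallet would build it and flags an approval whose spender is not a known contract or whose allowance is unlimited. The 4-byte selector is the standard ERC-20 one; every address and the sample calldata are constructed placeholders.

```python
"""Decode an ERC-20 approve() call and flag the signs of an "ice phishing" approval.

Added example, not part of the Microsoft write-up. The selector for
approve(address,uint256) is the standard ERC-20 value; all addresses below
are constructed placeholders, not real contracts.
"""

APPROVE_SELECTOR = bytes.fromhex("095ea7b3")   # keccak256("approve(address,uint256)")[:4]
UNLIMITED = 2**256 - 1                          # the "infinite approval" many dApps request

# Constructed placeholder addresses (not real contracts).
TRUSTED_ROUTER = "0x" + "11" * 20                # the DeFi contract the user meant to approve
ATTACKER_SPENDER = "0x" + "22" * 20              # the spender an ice-phishing page swaps in

def encode_approve(spender: str, amount: int) -> str:
    """Build approve(spender, amount) calldata as a wallet would (ABI: 32-byte words)."""
    spender_word = bytes.fromhex(spender[2:]).rjust(32, b"\x00")
    amount_word = amount.to_bytes(32, "big")
    return "0x" + (APPROVE_SELECTOR + spender_word + amount_word).hex()

def analyze_approval(calldata: str, trusted_spenders: set[str]) -> dict:
    """Decode the calldata and report who gets to move the tokens and how much."""
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    if len(data) != 68 or data[:4] != APPROVE_SELECTOR:
        return {"is_approve": False}
    # ABI encoding: 4-byte selector, then two 32-byte words; the address is
    # right-aligned in the first word, the amount is a big-endian uint256.
    spender = "0x" + data[16:36].hex()
    amount = int.from_bytes(data[36:68], "big")
    trusted = spender.lower() in {s.lower() for s in trusted_spenders}
    return {
        "is_approve": True,
        "spender": spender,
        "amount": amount,
        "unlimited": amount == UNLIMITED,
        "trusted_spender": trusted,
        # An unknown spender asking for an allowance is the pattern the post
        # describes: nothing is stolen at signing time, only delegated.
        "verdict": "ok" if trusted else "suspicious: spender is not a known contract",
    }

if __name__ == "__main__":
    legit = encode_approve(TRUSTED_ROUTER, 1_000 * 10**18)
    phished = encode_approve(ATTACKER_SPENDER, UNLIMITED)
    for call in (legit, phished):
        print(analyze_approval(call, {TRUSTED_ROUTER}))
```

The same decode is what a wallet or transaction simulator must surface to the user; the post's point is that the interface the victim sees does not.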
Iranian threat actors continue to exploit Log4j vulnerabilities.
While the general push to address the risk posed by Log4j vulnerabilities seems to have limited the damage organizations might otherwise have sustained, exploitation of vulnerable systems continues. SentinelLabs researchers describe the activities of an Iranian-aligned threat actor they're calling "TunnelVision," and which is hitting vulnerable instances of VMware Horizon. SentinelLabs notes overlap between TunnelVision activity and the operations Microsoft ascribes to Phosphorus and CrowdStrike to Charming Kitten or Nemesis Kitten. Whether these represent activities of the same unit or distinct groups remains unclear.
Cyberattacks against Iranian entities.
Check Point looks into recent incidents affecting Iranian state television. Their surface motivation seemed straightforwardly hacktivist, designed to denigrate the regime and urge assassination of Tehran's supreme leader. But an examination of the malicious files finds that the unknown threat actors also deployed wiper malware against their targets.
Check Point explains, "Inspecting the targets, it appears that each one was carefully selected to send a tailored message. In August 2021, the hacktivist group Tapandegan, previously known for hacking and displaying protest messages on the electronic flight arrival and departure boards in the Mashad and Tabriz international airports in 2018, released security camera footage from the Evin prison, a Tehran facility in which many political prisoners are held. The videos, which show prisoner abuse, were acquired by a group called Edalat-e Ali (‘Ali’s justice’) in protest against human rights violations. In October 2021, every gas station in Iran was paralyzed by an attack that disrupted the electronic payment process. The incident led to extremely long queues at gas stations for two days and prevented customers from paying with the government-issued electronic cards used to purchase subsidized fuel. When the card was swiped for payment, the Supreme Leader office phone number appeared on the screen, taunting the highest ranking office in the regime yet again. Iranian officials claimed that foreign actors, such as Israel and the US, were behind the attack. However, Predatory Sparrow claimed responsibility for this attack as well."
Young botnet shows development.
ZeroFox has published an update to its research on the Golang-based botnet its researchers described last October. It's called "Kraken," but it's not to be confused with the botnet that appeared in 2008 and had the same name; the two are unrelated. The current Kraken spreads via SmokeLoader, and, while it's still under development, it "already features the ability to download and execute secondary payloads, run shell commands, and take screenshots of the victim’s system." While it's still maturing, Kraken nets its operators a small but interesting sum of around $3000 a month. Its most recent infestations show signs of deploying an information-stealer, but to what end is unknown.
Android malware campaign spreads to Germany and France.
Kaspersky warns that a smishing campaign dubbed "Roaming Mantis" has spread to Germany and France:
"Our latest research into Roaming Mantis shows that the actor is focusing on expanding infection via smishing to users in Europe. The campaign in France and Germany was so active that it came to the attention of the German police and French media. They alerted users about smishing messages and the compromised websites used as landing pages. Typically, the smishing messages contain a very short description and a URL to a landing page. If a user clicks on the link and opens the landing page, there are two scenarios: iOS users are redirected to a phishing page imitating the official Apple website, while the Wroba malware is downloaded on Android devices."
The researchers add, "Regarding the updates to the Wroba.g/Wroba.o payload, Kaspersky experts only observed two minor updates in the payload part. One of them is the feature for checking the region of the infected device in order to display a phishing page in the corresponding language. In the old sample, it checked for three regions: Hong Kong, Taiwan and Japan. However, Germany and France were added as new regions. From this update, together with the map above, it is clear that Germany and France have become the main targets of Roaming Mantis with Wroba.g/Wroba.o."
The malware also has two new backdoor commands that allow the attackers to steal photos from infected devices.
Doxxing anti-vaccine mandate protesters.
MIT Technology Review describes the activist-on-activist "borderline doxxing" some are using to expose anti-vaccine mandate protesters who've disrupted traffic and other activities in Canada. The disinhibition that many people experience online seems, the essay speculates, to have led some to approach vigilantism without fully realizing that's what they're doing.
Patch news.
One of the US Cybersecurity and Infrastructure Security Agency’s (CISA) most recent additions to its Known Exploited Vulnerabilities Catalog, a Windows privilege-escalation flaw variously called “HiveNightmare” or “SeriousSam,” is held particularly likely to be exploited, SecurityWeek reports. CISA has directed US Federal agencies to address HiveNightmare by next Thursday, February 24th.
CISA on Thursday released an industrial control system security advisory for Schneider Electric IGSS.
Crime and punishment.
Whatever action Russian security authorities have taken against cyber gangs recently seems not to have affected the Russophone underworld's position in the global criminal marketplace. A study by Chainalysis concludes that about three-quarters of ransomware payments are going to Russian criminal groups. Evil Corp alone accounts for some ten percent of the global total. Chainalysis also notes that such attacks continue to avoid targeting members of the Commonwealth of Independent States, an organization of former Soviet Republics that have remained more-or-less friendly to Russia.
A St. Louis Post-Dispatch reporter who found personal information exposed on a website operated by the Missouri Department of Elementary and Secondary Education will not, after all, be prosecuted for a computer crime. The Cole County prosecutor, to whom the case was referred at the insistence of Missouri Governor Parson, has declined to file charges. CISA Director Easterly tweeted approval of the Cole County prosecutor's decision. It makes, she says, responsible disclosure easier.
Courts and torts.
The Wall Street Journal and others report that US Senators Ron Wyden (Democrat of Oregon) and Martin Heinrich (Democrat of New Mexico), both members of the Senate Intelligence Committee, have asked the CIA to declassify and release information on a bulk collection program that may have extended to some domestic surveillance. The news, Fortune observes, is likely to have an unwelcome effect on US tech companies operating in Europe, as it’s likely to arouse suspicion of GDPR violations.