By the CyberWire staff
At a glance.
- Developments in Russia's hybrid war against Ukraine.
- Recent DPRK cyber operations: spying and theft.
- Ransomware attacks, and their implications, observed far and wide.
- Breaches victimize multiple sectors.
- The PurpleUrchin freejacking campaign.
- PyTorch framework sustains supply-chain attack.
- CircleCI customers should "rotate their secrets."
- Bluebottle activity against banks in Francophone Africa.
- Patch news.
- Crime and punishment.
- Courts and torts.
- Policies, procurements, and agency equities.
Developments in Russia's hybrid war against Ukraine.
The government of Poland (specifically, the Government Plenipotentiary for the Security of Information Space of the Republic of Poland) warned last weekend that Russian cyberattacks against third-party countries that have supported Ukraine during Russia's war can be expected to increase. As one would expect, the statement draws particular attention to the Russian threat to Poland in cyberspace. The Russian target list is expansive, covering a range of sectors, and hacktivist auxiliaries continue to play a significant role in the Russian offensive. The motivation is retaliatory. "Such incidents in cyberspace are retaliatory actions typical of Russia, which are a response to steps taken by other countries, that are unfavorable and inconvenient for the Russian Federation. Hacker groups linked to the Kremlin use ransomware, DDoS and phishing attacks, and the goal of hostile actions coincides with the goals of a hybrid attack: destabilization, intimidation and sowing chaos."
The threat group GhostWriter has resurfaced in phishing campaigns against Polish targets, according to authorities in Warsaw. BleepingComputer reports that "the Russian hackers set up websites that impersonate the gov.pl government domain, promoting fake financial compensation for Polish residents allegedly backed by European funds." The goals of the campaign are believed to be intelligence collection and disinformation. The EU has linked GhostWriter to Russia's GRU military intelligence service. Mandiant has also discerned a connection to Belarusian services. GhostWriter has long specialized in impersonation.
Mandiant has found that Turla, a familiar threat actor associated with Russia's FSB, is piggybacking offensive cyber operations on some old commodity malware. Turla is using Andromeda malware distributed through infected USB drives to selectively install the Kopiluwak reconnaissance utility and the QuietCanary backdoor in Ukrainian targets. Re-registration of old, expired ANDROMEDA domains has proven particularly useful. As Wired points out, Andromeda is a commonplace banking Trojan criminals use for credential theft. The researchers conclude, "As older ANDROMEDA malware continues to spread from compromised USB devices, these re-registered domains pose a risk as new threat actors can take control and deliver new malware to victims. This novel technique of claiming expired domains used by widely distributed, financially motivated malware can enable follow-on compromises at a wide array of entities. Further, older malware and infrastructure may be more likely to be overlooked by defenders triaging a wide variety of alerts."
The campaign represents the first time Mandiant has seen Turla in operation against Ukrainian targets during the present war. The group seems to be using earlier battlespace preparation to pick targets of strategic interest to Russia, but Turla also seems to be acting in haste, with the disregard for operations security that haste normally exacts as the price of quick results.
Reuters describes a cyberespionage campaign carried out by the hitherto little-known threat group researchers track as "Cold River." The group is circumstantially but convincingly linked to Russian intelligence services (possibly the FSB, although that's unclear) through its Russophone operations and the location of at least one of its personnel in the northern city of Syktyvkar, capital of the Komi region. The effort involved attempted social engineering of US nuclear researchers at the Department of Energy's Brookhaven, Argonne, and Lawrence Livermore National Laboratories. The campaign peaked in August and September, as Russian President Putin's nuclear threats reached their peak. It's unknown whether the campaign enjoyed any success: Reuters says that both the Department of Energy and the FSB declined to comment.
The extent to which cellphone signals have been used for geolocation and then targeting in any particular case remains unclear, but the devices represent a persistent operations security challenge for both sides. The phones make it possible to collect combat information that would formerly have been difficult to come by, from unguarded conversations to revealing photos shared in social media. The New York Times summarizes the problem that simple phone conversations pose. Russian commanders have ordered the troops to give up their phones, but such orders have been widely evaded. It's also not only the words that matter, but the signals themselves. "But the soldiers did not appear to know that cellphone data alone could potentially betray them, giving Ukrainians enough to pinpoint a phone’s location down to an apartment building." Metadata can be as lethal as data.
The Carnegie Endowment for International Peace notes that Russia has an understanding of information security that's quite different from the one that prevails in Western and especially US circles. It's more concerned with influence, with controlling a narrative, than it is with the confidentiality, integrity, and availability of data. This view is significantly inward-looking and inclined to view information operations as deterministic. Mistakes may be made, but nothing happens by chance.
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.
Recent DPRK cyber operations: spying and theft.
Researchers at Kaspersky warn that North Korea’s BlueNoroff group is using several new methods to deliver malware. BlueNoroff began using .iso and .vhd files to deliver their malware, which allows them to bypass Mark-of-the-Web flags. The threat actor also seems to be testing out other file formats for malware delivery. The threat actor set up multiple domains that impersonated venture capital firms, most of which were located in Japan. The impersonated firms included Beyond Next Ventures, ANOBAKA, Z Venture Capital, ABF Capital, and Angel Bridge. BlueNoroff also impersonated Bank of America. For more on BlueNoroff, see CyberWire Pro.
Ransomware attacks, and their implications, observed far and wide.
Portugal’s Port of Lisbon sustained a cyberattack that took its website offline, CyberNews reports. The extent of the attack is unclear, though port officials stated that operational activity was not compromised. The LockBit gang has claimed responsibility, and also claims to have stolen financial reports, cargo and crew information, customer data, mail correspondence, and contracts. The gang is threatening to publish the stolen data if the ransom isn’t paid by January 18th.
LockBit’s operators also claim they’re selective, and avoid hitting targets like hospitals. Thus, BleepingComputer reports, the gang released, without charge, a decryptor for the ransomware used against SickKids, that is, the Toronto Hospital for Sick Children. The gang blamed an affiliate. “We formally apologize for the attack on sikkids.ca and give back the decryptor for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program," they said. For more on LockBit's recent activity, see CyberWire Pro.
Thursday morning Trustwave SpiderLabs released a roundup report of what they’ve assessed as the most active threat groups within the ransomware space last year. They are, in order, LockBit (which runs like a business), Black Basta (newer, and with apparent links to Conti, REvil, and FIN7), Hive (a ransomware-as-a-service operation), and BlackCat (also known as ALPHV, which has possible links to the DarkSide and BlackMatter gangs). Also on Thursday FortiGuard Labs released their first Ransomware Roundup of 2023, detailing variants that they've observed gaining traction as the year begins. Those are the Monti, BlackHunt, and Putin ransomware strains. For an extended discussion of the ransomware leaderboard and incoming threats as the new year begins, see CyberWire Pro.
The Guardian continues to recover from the ransomware attack it disclosed on December 21st, and the news outlet expects recovery to take at least a month. ComputerWeekly shares widespread speculation that the Guardian's coverage of Russia's war in Ukraine prompted the attack: "It can also be fairly said that reporting on major international incidents such as Russia’s war on Ukraine may leave a title exposed to malicious actions by Russia-backed or aligned groups."
Breaches victimize multiple sectors.
Estonia-based cryptocurrency trading service 3Commas fell victim to a breach at the hands of an anonymous Twitter user who obtained 100,000 API keys belonging to users of 3Commas. Decrypt reports that $22 million in crypto had been stolen through compromised 3Commas API keys, and the company confirmed on Wednesday of last week that it was the source of the leak.
The company insisted that the issue lies within phishing attacks that caused users to give up their data. Yuriy Sorokin, co-founder of 3Commas, pushed this idea until Wednesday, when he confirmed on Twitter that the hacker’s data is accurate and that “We are sorry that this has gotten so far and will continue to be transparent in our communications around the situation." CoinDesk reports that the anonymous Twitter user identifying themselves as the hacker published more than 10,000 of the API keys last Wednesday, and says that “will be published full [sic] randomly in the upcoming days.” For more on the 3Commas incident, see CyberWire Pro.
Password manager LastPass has been victimized in a data breach that included customer data, including password vaults. SecurityWeek reports that the breach occurred in August of last year, when hackers got into the LastPass network and returned later to hijack customer information. The threat actor is said to have copied a backup of customer vault data, which is said to contain “both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data,” LastPass CEO Karim Toubba said. HackRead reports that the threat actor also stole technical data and source code from the development environment.
British news site Which says that LastPass customers should ensure that their master password isn’t used elsewhere, and is more complex than the passwords they customarily use, as LastPass doesn’t store master passwords and asserts that only “brute force” will allow threat actors access to users’ master passwords. “LastPass does not know users' master passwords and they are not stored or maintained by LastPass. If you're a LastPass user, only you know your master password. The company describes this as its 'zero knowledge architecture',” Which explains, saying that the information can only be decrypted with encryption keys derived from master passwords. The company also recommends changing passwords on websites that had stored passwords through the manager. For more on the LastPass incident, see CyberWire Pro.
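The "zero knowledge" arrangement the article describes, as an added illustration (this is not LastPass's code and is not drawn from any vendor's design): the vault key is derived from the master password and lives only in the client, the service keeps a separately derived login hash, and a stolen backup exposes the URL field in the clear while credential fields remain ciphertext. The salt choice, the iteration count, and the HMAC-SHA256 keystream standing in for a real AEAD such as AES-GCM are assumptions made for this example.

```python
"""
Added example, not LastPass's code: a simplified model of a zero-knowledge
password vault. Parameters (salt = account e-mail, 100,000 PBKDF2 iterations,
SHA-256, an HMAC-SHA256 counter keystream as a stand-in for AES-GCM) are
assumptions for illustration, not any vendor's actual settings.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # assumption; every extra iteration slows each offline guess
KEY_LEN = 32


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """The encryption key is derived on the client on demand and never stored."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, KEY_LEN)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """What the server keeps for authentication: one more PBKDF2 step with the
    roles swapped, so the stored value cannot be turned back into the key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt_field(key: bytes, plaintext: str, nonce=None) -> dict:
    """Encrypt one sensitive field and attach an integrity tag over nonce+ciphertext."""
    nonce = nonce or secrets.token_bytes(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_field(key: bytes, blob: dict) -> str:
    """Verify the tag first; a wrong key (or a tampered blob) is rejected outright."""
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("wrong key or tampered field")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def build_vault_entry(key: bytes, url: str, username: str, password: str) -> dict:
    """Mirror the split the article describes: URL in the clear, credentials encrypted."""
    return {"url": url,
            "username": encrypt_field(key, username),
            "password": encrypt_field(key, password)}


def cleartext_fields(entry: dict) -> list:
    """Fields readable by someone holding only the backup, without the master password."""
    return [name for name, value in entry.items() if isinstance(value, str)]


if __name__ == "__main__":
    # Constructed sample account; nothing here is real.
    key = derive_vault_key("correct horse battery staple", "user@example.com")
    entry = build_vault_entry(key, "https://example.com/login", "alice", "s3cr3t")
    print("stored login hash:", derive_login_hash(key, "correct horse battery staple").hex())
    print("readable from backup:", cleartext_fields(entry))
    print("decrypted password:", decrypt_field(key, entry["password"]))
```

The design point is that the login hash and the vault key are different derivations, so a leaked authentication database does not hand over decryption keys, and everything the backup holder can do is guess master passwords offline; the iteration count and the master password's strength set the cost of each guess, which is why the advice above is to use a master password that is both long and unique.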
At the end of December it emerged that the data of millions of Twitter users have been stolen and were held for ransom. The hacker who claimed responsibility (nom-de-hack "Ryushi”) claims to be selling data of over 400 million Twitter users obtained in 2021, Bleeping Computer reports. The data were accessible because of a since-patched API vulnerability. Spiceworks reports that the hacker demanded $200,000 in ransom from the social media outlet for the data to be deleted, or if not bought by Twitter, would be sold to buyers willing to fork out $60,000 a copy. Bloomberg reports that Ireland’s Data Protection Commission began a probe into Twitter on Friday, December 23rd. As Gizmodo reports, the data stolen from Twitter over a year ago was this week posted for sale on dark web marketplace Breached for the crypto equivalent of $2 (so essentially for free) by a hacker known by the flippant handle “StayMad.” As Bloomberg notes, experts believe the database dates back to 2021, and it contains the email addresses and usernames of approximately 235 million Twitter users.
With Twitter’s popularity with everyone from regular citizens to world leaders, the breach’s impact has had a far reach, and the victims in the database include household names like Sundar Pichai, Donald Trump Jr., SpaceX, CBS Media, the NBA, and the World Health Organization. Chris Heaton-Harris, the Northern Ireland secretary, has disclosed that hackers temporarily gained access to his account and used the opportunity to post controversial messages. The Guardian reports that although the tweets were quickly removed, one of the posts allegedly read, “Why are black people so poor?” and another stated, “We are passing a new law soon, all transgenders and homosexuals will now serve 10 years behind bars.” Shortly after, Heaton-Harris posted an apology stating, “I’m afraid my Twitter account was hacked overnight and someone posted some deeply unpleasant stuff on my account for which I can only apologise.” It’s worth noting that Heaton-Harris is the second cabinet member to have recently suffered a Twitter account hijacking; education secretary Gillian Keegan also had her account hacked over Christmas.
Forbes notes that some experts feel the initial cause of the breach, vulnerabilities in Twitter’s Application Programming Interface (API), is not getting the attention it deserves. "API security is the real story here," said Sammy Migues, principal scientist at Synopsys Software Integrity Group. He continues, "As cloud-native app development explodes, so does the world of refactoring monolithic apps into hundreds and thousands of APIs and microservices.” For more on the Twitter incident, see CyberWire Pro.
The PurpleUrchin freejacking campaign.
Researchers from Palo Alto Networks’ Unit 42 released a report Thursday morning on threat actor group Automated Libra, the gang behind the PurpleUrchin freejacking campaign. Automated Libra is based in South Africa and targets cloud platforms in what is known as “freejacking,” or, “the process of using free (or limited-time) cloud resources to perform cryptomining operations.” Heroku, Togglebox, and GitHub were observed to be cloud service platforms utilized by the actors, but data traced threat actor activity back to August of 2019, which showed activity spread among a multitude of cloud providers and crypto exchanges. For more on PurpleUrchin, see CyberWire Pro.
PyTorch framework sustains supply-chain attack.
A threat actor carried out a supply chain attack against the open-source machine-learning framework PyTorch, BleepingComputer reports. The attacker uploaded a dependency to the Python Package Index (PyPI) that had the same name as one of PyTorch’s dependencies. PyTorch said in a statement that the malicious package was live between December 25th and December 30th: “At around 4:40pm GMT on December 30 (Friday), we learned about a malicious dependency package (torchtriton) that was uploaded to the Python Package Index (PyPI) code repository with the same package name as the one we ship on the PyTorch nightly package index. Since the PyPI index takes precedence, this malicious package was being installed instead of the version from our official repository. This design enables somebody to register a package by the same name as one that exists in a third party index, and pip will install their version by default.” For more on this supply-chain attack, see CyberWire Pro.
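The resolution behaviour the PyTorch statement describes, as an added example (this is not PyTorch's or pip's code): when a package name is served from both PyPI and a third-party index reached via `--extra-index-url`, pip pools the candidates and takes the highest version without preferring either index. The model below reproduces that choice, shows the defensive alternative of binding each name to the one index allowed to serve it, and adds an audit that lists private-index names already present on, or still absent from, PyPI. The index contents and version numbers are constructed for illustration, not taken from the incident.

```python
"""
Added example, not PyTorch's or pip's own code: a small model of pip's
candidate selection across indexes, with two defensive checks. The listings
and version numbers below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str  # label for the index that advertises this distribution


def version_key(version: str) -> tuple:
    """Crude numeric ordering for dotted versions ("2.0.0" < "3.0.0");
    non-numeric segments count as 0, which is enough for this demonstration."""
    key = []
    for part in version.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        key.append(int(digits) if digits else 0)
    return tuple(key)


# Constructed index listings. "nightly" stands for a project's own index
# (reached via --extra-index-url); "pypi" stands for the public index.
INDEX_LISTINGS = [
    Candidate("torchtriton", "2.0.0", "nightly"),
    Candidate("torchtriton", "3.0.0", "pypi"),       # same name, higher version
    Candidate("internal-utils", "1.4.2", "nightly"),
    Candidate("requests", "2.28.1", "pypi"),
]


def select_with_extra_index(name: str, listings) -> Candidate:
    """Model of `pip install <name> --extra-index-url <private>`: candidates
    from every index are pooled and the highest version wins, regardless of
    which index offered it. This is the behaviour the statement describes."""
    matches = [c for c in listings if c.name == name]
    if not matches:
        raise LookupError(f"{name}: not found on any index")
    return max(matches, key=lambda c: version_key(c.version))


def select_from_expected_index(name: str, listings, expected: dict) -> Candidate:
    """Defensive variant: each name is bound to the single index allowed to
    serve it, so a same-named PyPI package is never even a candidate. Pinning a
    single --index-url, or a repository manager with per-package routing rules,
    gives this effect in practice."""
    index = expected.get(name, "pypi")  # unmapped names come from the public index
    matches = [c for c in listings if c.name == name and c.index == index]
    if not matches:
        raise LookupError(f"{name}: not found on expected index {index!r}")
    return max(matches, key=lambda c: version_key(c.version))


def audit_private_names(listings, private_index: str) -> dict:
    """Defender's check: which private-index names already collide with a PyPI
    package (shadowed) and which have no PyPI entry at all (unregistered, so
    the project should claim or otherwise reserve them)."""
    private = {c.name for c in listings if c.index == private_index}
    public = {c.name for c in listings if c.index == "pypi"}
    return {"shadowed": sorted(private & public),
            "unregistered": sorted(private - public)}


if __name__ == "__main__":
    expected = {"torchtriton": "nightly", "internal-utils": "nightly"}
    print("pooled indexes pick:", select_with_extra_index("torchtriton", INDEX_LISTINGS))
    print("bound to expected index:", select_from_expected_index("torchtriton", INDEX_LISTINGS, expected))
    print("audit:", audit_private_names(INDEX_LISTINGS, "nightly"))
```

The practical takeaways match the model: treat `--extra-index-url` as "union of indexes" rather than "fallback", pin the index per package (or pin hashes with `--require-hashes`) for anything that does not come from PyPI, and periodically run the audit against the real indexes to catch a private name that has appeared on the public one.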
CircleCI customers should "rotate their secrets."
Continuous integration and continuous delivery platform CircleCI has disclosed a security incident that began on December 21st, BleepingComputer reports. The company hasn’t released many details about the incident, but customers are asked to “rotate any and all secrets stored in CircleCI” as soon as possible. CircleCI also says that it’s confident that the risk has been eliminated, and the company is working with third-party investigators to “validate the steps and actions of our investigation.” CircleCI concluded, “While we are actively investigating this incident, we are committed to sharing more details with customers in the coming days.” For more on the CircleCI disclosure, see CyberWire Pro.
Bluebottle activity against banks in Francophone Africa.
Researchers at Symantec, a division of Broadcom Software, released a report this morning detailing the continuation of cybercrime group Bluebottle’s activity in Francophone countries, most recently observed against banks in French-speaking parts of Africa. Symantec says “Bluebottle” seems to be a continuation of activity tracked by Group-IB as “OPERA1ER”, most recently documented in a report from the group in November of last year. The cybercriminal gang, Symantec says, “makes extensive use of living off the land, dual-use tools, and commodity malware, with no custom malware deployed in this campaign.” Three different financial institutions in three different African countries were victimized according to Symantec, with activity first observed in mid-July with impact on multiple machines at all affected organizations. For more on Bluebottle, see CyberWire Pro.
Patch news.
The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two new entries to its Known Exploited Vulnerabilities Catalog: CVE-2018-5430 (an information disclosure vulnerability in TIBCO's JasperReports Server that "may allow any authenticated user read-only access to the contents of the web application, including key configuration files") and CVE-2018-18809 (another TIBCO issue, this one a directory-traversal vulnerability that allows "web server users to access contents of the host system"). In both cases the remediation is to "apply updates per vendor instructions." Under Binding Operational Directive (BOD) 22-01, US federal civilian executive branch agencies have until January 19th, 2023, to check and fix their systems.
CISA also released three industrial control system (ICS) advisories on Thursday. They affect Hitachi systems: Hitachi Energy UNEM, Hitachi Energy FOXMAN-UN, and Hitachi Energy Lumada Asset Performance Management.
Crime and punishment.
Wired tells the tale of how EU police secretly infiltrated EncroChat, a European-based encrypted mobile communication platform popular among criminals seeking a secure way to discuss drug deals, kidnappings, and even murders. Led by French and Dutch forces, authorities compromised the network in 2020 by infecting it with malware, gaining access to over 100 million user messages. One of the largest hacks ever perpetrated by police, the operation resulted in hundreds of arrests and thousands of kilograms of drugs seized. Fast forward to now, over two years later, and lawyers are claiming the investigations were flawed. They say the clandestine nature of the operation means data-sharing rules were violated and that the hacked messages should not have been admissible in court.
A challenge to a German case was recently sent to Europe’s highest court, and if successful, it could lead to arrest reversals and have far-reaching implications for the future of message encryption. “Even bad people have rights in our jurisdictions because we are so proud of our rule of law,” said Christian Lödden, a German criminal defense lawyer who has represented many EncroChat users. “We’re not defending criminals or defending crimes. We are defending the rights of accused people.”
Courts and torts.
Meta's advertising practices have drawn a €210 million (roughly $223 million) fine from European authorities. Meta is the corporate parent of Facebook, Instagram and WhatsApp. The Wall Street Journal reports that what's at issue was Meta's "behavioral ads," which pitched specific ads to users based upon Meta's tracking of the users' online activity.
Ireland's Data Protection Commission (DPC), which oversees activities of US companies on behalf of the larger European Union, announced the conclusion of its two investigations, and the fines. The DPC summarized its findings as follows:
"1. In breach of its obligations in relation to transparency, information in relation to the legal basis relied on by Meta Ireland was not clearly outlined to users, with the result that users had insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6 of the GDPR. The DPC considered that a lack of transparency on such fundamental matters contravened Articles 12 and 13(1)(c) of the GDPR. It also considered that it amounted to a breach of Article 5(1)(a), which enshrines the principle that users’ personal data must be processed lawfully, fairly and in a transparent manner. The DPC proposed very substantial fines on Meta Ireland in relation to the breach of these provisions and directed it to bring its processing operations into compliance within a defined and short period of time.
"2. In circumstances where it found that Meta Ireland did not, in fact, rely on users’ consent as providing a lawful basis for its processing of their personal data, the “forced consent” aspect of the complaints could not be sustained. From there, the DPC went on to consider Meta Ireland’s reliance on “contract” as providing a legal basis for its processing of users’ personal data in connection with the delivery of its personalised services (including personalised advertising). Here, the DPC found that Meta Ireland was not required to rely on consent; in principle, the GDPR did not preclude Meta Ireland’s reliance on the contract legal basis."
The New York Times reports that Meta disputes the finding. It maintains its targeted advertising is properly respectful of GDPR, the EU's General Data Protection Regulation, and that the terms of service it asks its users to accept constitute proper consent to tracking.
Policies, procurements, and agency equities.
The US Department of Homeland Security (DHS) last week announced its latest round of solicitations under the Small Business Innovation Research (SBIR) program. Five of them are relevant to cybersecurity:
- DHS231-001 – Accurate and Real-time Hardware-assisted Detection of Cyber Attacks
- DHS231-004 – Machine Learning Based Integration of Alarm Resolution Sensors
- DHS231-005 – Mission Critical Services Server-to-Server Communication, voice communications, 3GPP-Standards
- DHS231-006 – Reduced Order Modeling of Critical Infrastructure Protect Surfaces
- DHS231-007 – Theoretical Classification Methodologies to Enable Detection with Predicted Signatures
As the war in Ukraine rages on, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly says the US should remain vigilant against the threat of Russian cyberaggression. Fears of Russian retaliation for the US’s support of Ukraine were top of mind when the war began last year. As the Hill notes, so far there have been no such attacks, but Easterly says that’s no reason to get complacent. Speaking on a panel at the CES 2023 tech event on Thursday, Easterly said, “It looks like it’s not going to end anytime soon. We need to continue to be vigilant, keep our shields up, and ensure that we are putting all those controls in place.” As the Hill explains, Easterly speculates the reason Russia has not yet attacked the US could be that Moscow realizes a strike against the US would be considered “very escalatory.” She also noted that the current security structure in the private sector leaves too much responsibility on the consumer, who is the least knowledgeable about the threats they could face, and she highlighted the need for incentives that would make companies push cybersecurity up their list of priorities.
At the same event, Easterly also highlighted the need for the tech industry, consumers, and government to collaborate to protect the interconnected network of technology that touches all sectors of the economy. “We live in a world…of massive connections where that critical infrastructure that we rely upon is all underpinned by a technology ecosystem that unfortunately has become really unsafe,” Easterly told Yahoo Finance. She also addressed the rise in cyberattacks targeting learning institutions and healthcare facilities, which are often the entities least prepared to protect themselves. “We cannot have the same sort of attacks on hospitals and school districts that we've been seeing for years,” Easterly stated. “We have to create a sustainable approach to cyber safety, and that's the message that I'm bringing to CES.” She also sent a message to Big Tech, noting that the companies that provide the world’s computers should be held to a higher standard of security.