By the CyberWire staff
At a glance.
- Cranes as a security threat.
- Ransomware attack becomes a data leak.
- Data breach at Acer exposes intellectual property.
- Proof-of-concept: AI used to generate polymorphic keylogger.
- Threat actor movements on the radar this week.
- Reports and trends.
- Developments in Russia's hybrid war against Ukraine.
- Patch news.
- Crime and punishment.
- Policies, procurements, and agency equities.
- Labor markets: looking into the paradox of layoffs and the cyber workforce shortage.
- Research news.
Cranes as a security threat.
The US government is concerned that Chinese-made ship-to-shore cranes could pose a national security threat, the Wall Street Journal reports. The cranes in question are manufactured by the Chinese company ZPMC, which a US official said makes around 80% of ship-to-shore cranes used at US ports. The Journal explains that these cranes “contain sophisticated sensors that can register and track the provenance and destination of containers,” prompting concerns about China’s potential ability to capture information about US military shipments. The government doesn’t point to any instances of cranes actually being used for these purposes, but the defense policy bill passed by the US Congress at the end of last year requires the Transportation Department’s maritime administrator to conduct a study to determine whether these cranes could pose cybersecurity threats.
Ransomware attack becomes a data leak.
A ransomware attack early last month on the city of Oakland, California, may have resulted in a leak of the stolen information. The Play ransomware group, which has claimed the attack, announced Thursday on its leak site that it planned to release the stolen data on Saturday, the Record reports. The group now seems to have made good on its threat. Bleeping Computer wrote Saturday that Play was releasing stolen data, and the San Francisco Chronicle says that the gang has in fact dumped some of the data online.
Following the initial ransomware attack, Oakland declared a state of emergency, Infosecurity Magazine wrote. The outlet aptly observes that the city’s ongoing disruptions from the attack, as well as its engagement in “workstation restoration” efforts, indicate that the gang probably hasn't received any ransom payment.
Data breach at Acer exposes intellectual property.
Computer manufacturer Acer has confirmed that it sustained a data breach that resulted in the theft of company data. A hacker is offering 160GB of the stolen data for sale on a criminal forum, SecurityWeek reports. According to BleepingComputer, the hacker claims “the stolen data contains technical manuals, software tools, backend infrastructure details, product model documentation for phones, tablets, and laptops, BIOS images, ROM files, ISO files, and replacement digital product keys.” Acer said in a statement to SecurityWeek, “We have recently detected an incident of unauthorized access to one of our document servers for repair technicians. While our investigation is ongoing, there is currently no indication that any consumer data was stored on that server.” For more on the Acer data breach, see CyberWire Pro.
Proof-of-concept: AI used to generate polymorphic keylogger.
Researchers at HYAS have developed a proof-of-concept strain of polymorphic malware that uses OpenAI’s API to evade detection. The malware, which the researchers call “BlackMamba,” is a keylogger delivered as an apparently benign executable. Once executed, however, BlackMamba will reach out to OpenAI and request that the AI generate keylogging code: “It then executes the dynamically generated code within the context of the benign program using Python’s exec() function, with the malicious polymorphic portion remaining totally in-memory. Every time BlackMamba executes, it re-synthesizes its keylogging capability, making the malicious component of this malware truly polymorphic. BlackMamba was tested against an industry leading EDR which will remain nameless, many times, resulting in zero alerts or detections.” The researchers can then exfiltrate the captured data via legitimate communication and collaboration tools (in this case Microsoft Teams). For more on the proof-of-concept, see CyberWire Pro.
Threat actor movements on the radar this week.
Lumen's Black Lotus Labs reports identifying a campaign it calls "Hiatus," which has been active since June 2022 targeting “business-grade routers.” The malware converts compromised devices into covert proxies and enables the threat actor to remotely monitor router traffic, Black Lotus Labs says. Most of the victims identified so far have been in Europe and Latin America, and the researchers, seeing no significant overlap with other threat activity, regard HiatusRAT as "a unique cluster." It constitutes both a staging mechanism for subsequent attacks and a threat to information transiting affected routers.
A ransomware attack against the Hospital Clinic de Barcelona Sunday has severely disrupted the clinic’s computer operations and forced multiple appointment cancellations, the AP reported early this week. The attack has been attributed to Ransom House gang actors outside of Spain. The Sunday attack on the center impacted computer systems at the “facilities, laboratories, emergency room, and pharmacy at three main centers, and several external clinics,” Security Week wrote Monday. The attack left approximately 150 elective surgeries, 500 extractions, and around 300 consultations unscheduled, writes EuroWeekly News. Urgent cases were said to be redirected to other locations. Hospital director Antoni Castells said in a Monday news conference that they “can’t make any prediction” on a timeline of recovery. For more on the Ransom House attack on the Hospital Clinic de Barcelona, see CyberWire Pro.
Sophos is tracking a new version of the PlugX USB Trojan. The researchers say the “novel aspects of this variant are a new payload” that weren’t thought to have strong connections to the worm. PlugX can spread via USB sticks, which can sometimes allow it to access air-gapped systems. The malware is currently spreading in African countries, with infections observed in Ghana, Zimbabwe, and Nigeria. The new variant was also observed in Papua New Guinea and Mongolia. Sophos believes this campaign is linked to the Chinese APT Mustang Panda. For more on this PlugX variant, see CyberWire Pro.
Avanan warns that an ongoing phishing campaign has abused comments in Google Workspace documents to target nearly a thousand companies over the past two weeks. The researchers explain that an attacker can create a free Google account, then simply mention the targeted user in a Google sheet. The target then receives a legitimate notification from Google informing them that they’ve been mentioned in the document, which, if clicked, redirects to a phony cryptocurrency site. For more on this business email compromise trend, see CyberWire Pro.
Bleeping Computer writes that Emotet has been observed sending emails once again. Cybersecurity firm Cofense reports that malicious activity from the Emotet malware family was observed beginning again on Tuesday morning. Cofense told Bleeping Computer that the campaign resumed at 7:00AM EST, saying “Volume remains low at this time as they continue to rebuild and gather new credentials to leverage and address books to target.” The method of distribution is different, as the emails in the newer campaign purport to be invoices, rather than reply chain emails. For more on the return of Emotet, see CyberWire Pro.
A new version of the IceFire ransomware is targeting Linux systems within enterprise networks, according to researchers at SentinelOne. The ransomware was previously limited to Windows systems. The threat actors behind IceFire launch double extortion attacks against large technology, media, and entertainment enterprises, specifically targeting entities in Turkey, Iran, Pakistan, and the United Arab Emirates. The Linux version of IceFire is deployed via CVE-2022-47986, a recently disclosed vulnerability in IBM’s Aspera Faspex file-sharing software. The Record notes that IBM issued a patch for the flaw on January 18th.
Deep Instinct says the malware operation tracked as “DUCKTAIL” resurfaced at the beginning of February 2023 with an updated set of malware. The goal of the operation is to install malware that will steal browser cookies, with a particular focus on session cookies for Facebook Business accounts. The researchers note that it’s not entirely clear what the threat actor does after they gain access to these Facebook accounts: “While it might be possible to get the credit card information that is used for paying for ads in the compromised accounts this doesn’t seem plausible. There are far better, cheaper, and easier ways to gain credit card information.”
Researchers at Secureworks discovered a campaign from the Iranian Cobalt Illusion threat group that leverages the death of Mahsa Amini as bait, Dark Reading wrote Thursday. Cobalt Illusion is also known as Charming Kitten and APT42, among others. The threat group uses a bogus Twitter handle and represents itself as working with the Atlantic Council, Cybernews reports. Secureworks researchers say the account’s engagement with posts related to Mahsa Amini is intended to help them appear “sympathetic to protesters' interests and demands and create an illusion of shared interests.”
Mandiant researchers have been tracking a campaign from the suspected North Korean espionage group UNC2970, seen targeting media and tech companies in the Western world, the cybersecurity firm reports. The suspected North Korean threat actor is linked with “high confidence” to UNC577, a group also known as Temp.Hermit, active since at least 2013. UNC577 was seen targeting primarily South Korean companies, with some attacks by the group on a global scale, whereas the probably related UNC2970 has been primarily targeting entities in the West. For more on LIGHTSHOW, see CyberWire Pro.
Reports and trends.
Dark Reading reports an odd result from Cyberhaven, which is blocking a fair number of interactions with large language models in its clients' networks. The interactions are troubling because employees are feeding sensitive corporate data into what are, for the most part, third-party data aggregators and processors. An executive was observed inputting his firm’s 2023 strategy document into ChatGPT to create a PowerPoint, and a doctor was seen using ChatGPT to pen a letter to a patient's insurance company. This emergent class of risk is being called "exfiltration via machine learning inference." In hindsight, it's the sort of thing one might have expected. Who wouldn't want someone else to prepare your slide deck, or take care of routine correspondence? Or, to add an example we've seen ourselves, hear how the Dude from the Big Lebowski might explain zero trust?
BitSight has published research finding that “one in 12 BitSight-tracked organizations with Internet-facing webcams or similar IoT devices are susceptible to video and/or audio compromise.” The researchers were able to access cameras monitoring access-controlled spaces, and in some cases could have eavesdropped in sensitive business areas. Most of the exposed organizations are in the education sector, and the researchers note that the “increased presence of minors at these educational organizations could present additional challenges to personal privacy and security.”
Developments in Russia's hybrid war against Ukraine.
Activity between Russia, Ukraine, and those working on behalf of both nations has not ceased of late. Anonymous said last Thursday that they’ve resumed hacktivist actions against Russia. The Daily Beast reports that the Russian government site kremlin.ru and five other government sites were down briefly Monday. The action appears to have been the now-customary nuisance-level hacktivist work of distributed denial-of-service (DDoS) and website defacements. Halychyna FM, a radio station in western Ukraine, was inaccessible briefly on March 2nd, also due to a DDoS attack claimed by the hacktivists of Russia's Narodnaya Cyber-Armiya, the International Press Institute reports. A free leak of some two million paycard numbers on the Russophone dark web criminal souk cheekily named "BidenCash" seems to be a loss-leader intended to draw attention to its wares. Although many of the cards are nearing their expiration date, there's still time left for criminals to use them. The Record notes that stolen cards are often used to buy goods for subsequent resale, an activity that's grown increasingly attractive as the Russian economy has labored under the twin burdens of war and international sanctions.
US Cyber Command and NSA chief General Paul Nakasone told the US Senate Armed Services Committee Tuesday that "Russia remains a very capable adversary.” C4ISRNet reports that he told the Senators US Cyber Command was monitoring the war "very carefully." Representatives of General Nakasone's two commands also shared a warning with the media. The Voice of America writes that “‘The weight of this conflict remains significant,' a spokesperson for U.S. Cyber Command told VOA, sharing information on the condition of anonymity due to the nature of the ongoing fight.” The spokesperson anticipates bolder cyber activity, as well as broader targeting by the nation. An NSA spokesperson speaking on the condition of anonymity told the outlet that continued poor performance in the war could result in Russia becoming “increasingly brazen in its cyberattacks on civilian infrastructure.” The US Director of National Intelligence, Avril Haines, Wednesday predicted to the Senate Intelligence Committee that Russia could be expected to turn to alternative forms of military power as its conventional forces continue to fail on the battlefield. Insider quotes her as saying Russia will rely on “nuclear, cyber, [and] space capabilities, and on China.” Such alternatives, especially cyber, have seen their own challenges. Bloomberg reviews, again, the difficulty Russia has had mounting effective cyber offensives against Ukraine and Ukraine's allies. Some of this is due to deterrence, but much of the failure is credited to effective Ukrainian defenses.
Check Point reports seeing the Remcos remote access Trojan (RAT) as the payload in phishing messages being sent to Ukrainian government organizations. Remcos was first seen in 2016, and distributes itself through malicious Microsoft Office documents.
The Record also reviewed a year's worth of action by Sandworm, the familiar GRU-run threat actor. Sandworm's most prominent contribution to the cyber phases of Russia's war against Ukraine has been deployment of wiper malware, which has challenged Ukrainian defenses but fallen short of expectations. Sandworm has not carried out the attacks against infrastructure, particularly Ukraine's power grid, that had been widely expected. The group has used ransomware against targets of interest to Russia, notably in reprisal against organizations that have rendered material assistance to Ukraine.
The CyberWire's continuing coverage of Russia's war against Ukraine may be found here.
Patch news.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added three entries to its Known Exploited Vulnerabilities Catalog. Presently undergoing active exploitation are:
US Federal civilian Executive agencies have until March 28th to inspect their systems and apply mitigations. CISA also released five Industrial Control Systems (ICS) advisories on Thursday:
Crime and punishment.
Bleeping Computer reports that two alleged members of the DoppelPaymer group were targeted in a joint effort between German and Ukrainian law enforcement. Europol, the FBI, and Dutch police were also involved. Europol said in a press release that officers in Germany on February 28 “raided the house of a German national, who is believed to have played a major role in the DoppelPaymer ransomware group.” Ukrainian police, despite the ongoing war with Russia, were able to interrogate an alleged member of the gang apprehended in Ukraine. Law enforcement is actively seeking three more actors believed to have been core members of the gang, Computing says, naming Igor Olegovich Turashev, Irina Zemlianikina, and Igor Garshin/Garschin as additions to Europol’s most wanted list. Turashev is said to have been the group's IT administrator, Zemlianikina looked after the chat and leak sites, and Garshin was said to be involved in spying on victim companies. Eleven suspects altogether are said to have been identified, with the three listed based in Russia, Security Week explains. For more on the enforcement operation against DoppelPaymer, see CyberWire Pro.
Policies, procurements, and agency equities.
The US Environmental Protection Agency (EPA) last Friday issued a memorandum “stressing the need for states to assess cybersecurity risk at drinking water systems to protect our public drinking water.” The memorandum requires that states include cybersecurity when they conduct audits of water systems. The agency said in a statement that many public water systems have not strengthened their cybersecurity posture enough, and may be at risk of cyberattacks. For more on the EPA's memo, see CyberWire Pro.
The President's Budget for Fiscal Year 2024 has been published, addressing cybersecurity across the spectrum of the Federal Government's operations, and will now go to Congress. The Budget throughout ties appropriate spending requests to the National Cybersecurity Strategy. Much of that funding will go not only to counter the work of adversaries like China and Russia in cyberspace, but also to more enforcement actions against cybercrime, to the countering of "malign influence," and to "bolstering Federal cybersecurity." The US Cybersecurity and Infrastructure Security Agency (CISA) would receive, under the plan, a budget of $3.1 billion, an increase of $145 million over current funding. For more on cybersecurity and the US budget, see CyberWire Pro.
The United States Department of Defense (DoD) released its 2023-2027 Cyber Workforce Strategy Thursday. “The strategy will enable the DoD to close workforce development gaps, resource workforce management and development initiatives, stay at the forefront of technological advances, securely and rapidly deliver resilient systems, and transform into a data-centric enterprise with optimized workforce analytics,” the agency wrote in a press release. The strategy contains four “human capital pillars” centered around identifying, recruiting, developing, and retaining cyber talent, Breaking Defense writes. The foundational strategy is intended to make cybersecurity roles in the government more attractive to potential employees, as the government has struggled to compete with private sector roles and their offerings, Axios reports.
Labor markets: looking into the paradox of layoffs and the cyber workforce shortage.
We've been regularly tracking the layoffs and greater cyber and tech labor markets every week. Big tech companies have been seeing layoffs left and right, at places like Amazon, Microsoft, and Meta (who continue to see layoffs, even into today). Cybersecurity companies, like Zscaler, Sophos, Okta, and Secureworks, are seeing layoffs themselves, but the news keeps discussing a consistent shortage in cybersecurity professionals. What could be behind this paradox?
Clearance Jobs in late January discussed one possible perspective on the cybersecurity and greater big tech labor markets, saying that while big tech layoffs may still continue, the layoffs are more a result of executives overspending and overhiring over the course of the pandemic. As of the time of the article, there were 530,000 cybersecurity job listings in the United States alone, with a worldwide shortage of upwards of three or four million workers. Dice added in early February that the addition of almost 500,000 employees did not even make a dent in the cyber workforce shortage; rather, the gap continues to grow, with a 26.2% year-over-year increase observed. Forbes emphasizes the importance of cybersecurity teams, which may be keeping the industry safer from layoffs as well, citing a global survey of CISOs from Heidrick which found that over half of the CISOs surveyed were experiencing burnout, with 60% feeling job-related stress. Ger Doyle, a Senior Vice President at Experis, noted that the future may be looking up, highlighting the drop in tech unemployment from 1.8% to 1.5% in January of this year, and citing only the lack of talent qualified to work in the field as a problem. For a deeper look into mergers, executive moves, and other cyber business news, check out this week's edition of the CyberWire Pro Business Briefing.
Research news.
In developments in cybersecurity research this week, Proofpoint warns that the Russia-linked threat actor the company tracks as "TA499" (also known as "Vovan" or "Lexus") is launching phishing campaigns in an attempt "to convince high-profile North American and European government officials as well as CEOs of prominent companies and celebrities into participating in recorded phone calls or video chats." Check Point describes a Chinese cyberespionage operation that's targeting government entities in several Southeast Asian countries, including Vietnam, Thailand, and Indonesia. The threat actor is delivering a new version of the Soul malware framework. ESET says the suspected Pakistan-based threat actor Transparent Tribe appears to be targeting Indian and Pakistani military and government officials with romance scams. And Vade has published its annual Phishers' Favorites report for 2022, finding that Facebook, Microsoft, and Google were the most impersonated brands last year. For a more comprehensive view into this week's research developments, take a gander at this week's CyberWire Pro Research Briefing.