The Week that Was: The fall of Silicon Valley Bank and its aftermath. Threat actor movements. Crime and punishment.

At a glance.

• The fall of Silicon Valley Bank and its aftermath.
• LockBit counts coup against an aerospace supply chain.
• Telerik exploited, for carding (probably) and other purposes.
• Threat actor movements observed and reported over the week.
• Latest trends and reports.
• Updates on cyber activity in the hybrid war against Ukraine.
• Patch news.
• Crime and punishment.
• Courts and torts.
• Policies, procurements, and agency equities.
• Research developments this week.

The fall of Silicon Valley Bank and its aftermath.

Last Friday saw the closure of Silicon Valley Bank (SVB) by the US Federal Deposit Insurance Commission (FDIC). The CyberWire over the weekend summarized the events surrounding the collapse. After a bank run by depositors that drove SVB into insolvency, the FDIC has placed the bank in receivership and is working to find buyers. This significant institution’s failure is anticipated to cause blowback for big tech, particularly for the startup ecosystem that surrounds it. And that includes the cybersecurity sector as well. BankInfoSecurity reported Friday that what is being called the “second-largest bank failure in US history“ is anticipated to cause future troubles for startups in financing. The Information reported Monday afternoon that approximately 1,000 firms, from venture firms such as Sequoia Capital to crypto investors, had seen SVB’s involvement in their capital. This mass of firms is now going to have to find new banks to provide loans and lines of credit for their endeavors, which may likely prove difficult given the distinctive needs of firms that used SVB. Business Insider explained Saturday that the pressure caused by sudden hikes in interest rates on the economy could lead to instability in institutions thought to be immune, or at least somewhat stable against the tumultuous economy. For more on the effect of SVB's failure on the cyber sector in particular, see CyberWire Pro.

Security experts are also warning that cybercriminals are gearing up to take advantage of the disruption surrounding the collapse and shutdown of Silicon Valley Bank. Johannes Ullrich from the SANS Institute is tracking a spike in newly registered SVB-related domains, including “login-svb[.]com,” “svbbailout[.]com,” “svbcertificates[.]com.” It’s not clear how many of these domains were created by scammers, but Ullrich expects to see business email compromise (BEC) attacks taking advantage of the situation. For more on Silicon Valley Bank themed fraud, see CyberWire Pro.

LockBit counts coup against an aerospace supply chain.

The LockBit ransomware gang claims to have compromised Maximum Industries, a supplier of components to SpaceX, SecurityWeek reports. The prize LockBit claims to have obtained includes some three-thousand engineering drawings, said to be "certified by SpaceX engineers." The text of LockBit's communique makes it clear that the target is SpaceX, not its supplier, said the gang in an announcement on its dark web page. SecurityWeek observes that LockBit's announcement should be regarded with cautious skepticism. LockBit has given the victims a deadline of March 20th to pay.

Telerik exploited, for carding (probably) and other purposes.

Multiple threat actors, including at least one APT group, were able to compromise a US Federal civilian agency via a known Progress Telerik vulnerability in an IIS server, according to a joint advisory released by CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The advisory notes that the vulnerability allowed the attackers to execute code on the agency’s web server.

CISA notes that a nation-state actor and a cybercriminal group both exploited the vulnerability. CyberScoop says the criminal gang, known as “XE Group,” is known for card skimming. For more on Telerik exploitation, see CyberWire Pro.

Threat actor movements observed and reported over the week.

eSentire says the operators of the BatLoader malware downloader are continuing to abuse Google Search Ads to redirect users to malicious webpages. The malware is being distributed via phishing sites that impersonate ChatGPT, Adobe, Spotify, Tableau, and Zoom. BatLoader is used to deliver an assortment of malware, including the Redline Stealer, Ursnif, and the Vidar Stealer. The researchers note that Microsoft late last year linked BatLoader to Royal Ransomware infections.

Emotet’s re-emergence last week had the goal of infiltrating corporate networks via malicious emails in order to sell access to ransomware groups, SC Magazine reports. Deep Instinct researcher Simon Kenin shared in a post that Emotet has now been observed sending malware in Microsoft Word files. The payload’s large size of over 500 megabytes “drastically” decreases detection and subsequent neutralization of the malicious files: many security products and sandboxes don’t scan or isolate the files due to their size. Kenin says products that aren’t solely reliant on static detection and analysis are more effective against attacks like Emotet’s most recent campaigns.

BleepingComputer reports that the Medusa ransomware gang has been stepping up its double-extortion racket over the past several months. The threat actor has launched its “Medusa Blog” to leak data from victims who refuse to pay up, which gives victims an option to pay a lower sum to advance the deadline by one day. The Medusa gang last week released a lengthy video showing data allegedly stolen from the Minneapolis Public Schools (MPS) district, and demands $1 million in ransom.

BlackBerry has been monitoring a campaign by Russia's SVR. The researchers say that the new observed campaign "creates lures targeted at those with interest in the Ministry of Foreign Affairs of Poland’s recent visit to the U.S., and abuses the legitimate electronic system for official document exchange in the EU called LegisWrite." The objective appears to be cyberespionage, accomplished by penetration of European diplomatic organizations interested in aid to Ukraine.

Avanan, a Check Point Software Company, this morning released a report detailing an attack that threatens deletion of personal files for the purpose of credential harvesting. The attack begins with a phishing email that says that the user’s cloud storage is full, and provides a link to get 50 more gigabytes for free. Of course, the link does not go to a legitimate cloud file storage site, rather it is a malicious link to a credential harvesting site. This site tells users to “validate“ their account by inputting their credit card number, which will be charged by the threat actors and taken if entered. For more on re-upping, see CyberWire Pro.

Researchers from security firm [redacted] say the ransomware gang BianLian has shifted its primary focus to data theft extortion rather than encryption. As part of this pivot, the gang has been putting more effort into tailoring their ransom notes to specific victims.

Akamai is tracking a new Go-based botnet the company calls “HinataBot,” which is designed to launch DDoS attacks. The malware is still under development, and the researchers believe its creators are attempting to imitate elements of the Mirai botnet.

Armorblox Thursday released a report detailing a vishing (or “voice phishing”) attack impersonating the US Social Security Administration. Researchers report that the attack begins with a phishing email. The email purports to be from a sender under the name of “Social Security Administration-2521.” The email utilizes a sense of urgency to get the victim’s attention, claiming that the user's Social Security number was suspended due to “erroneous and suspicious activities.” Included is an attached PDF file claiming to be a “letter of suspension“ that appears when opened to be on the letterhead of the SSA. Included at the bottom of the file is a phone number for “contact information” if the user requires help. The hacker’s end goal of the vishing attack is to get the victim to call the fraudulent number and reveal sensitive information.

Netskope has published a report on the BlackSnake ransomware-as-a-service (RaaS) operation, which first surfaced in August 2022. A new version of the ransomware was observed on February 28th, containing a clipper module designed to steal cryptocurrency information. The malware appears to be targeting home users rather than corporations, since it asks for ransom amounts as low as $20. As a result, the researchers suspect “that BlackSnake is perhaps still under development or that they don’t have affiliates at this point.”

INKY describes a phishing campaign that’s impersonating Silicon Valley Bank (SVB) with phony DocuSign notifications. The recipients receive notification of two documents from ‘KYC Refresh Team’ requiring a signature. ‘KYC,’ short for ‘Know Your Customer’ or ‘Know Your Client.’ is used by banks to verify an account holder’s identity. If the recipient clicks the link, they’ll be taken to a spoofed Microsoft login page designed to steal their credentials.

Latest trends and reports.

Akamai Technologies this morning released its State of the Internet report titled “Attack Superhighway: Analyzing Malicious Traffic in DNS,” detailing the global spread of malware. Researchers report that around 10-16% of organizations have shown potential signs of a breach last year. Attackers are reportedly using the QSnatch botnet to abuse network-attached storage devices, with 36% of devices affected linked to QSnatch-affiliated C2 domains. For more on the attack superhighway, see CyberWire Pro.

Devo Technology this morning released a study they commissioned from Wakefield Research detailing unauthorized use by security professionals of artificial intelligence (AI) tools. 96% of IT security professionals admit to knowing that someone in their organization is using external, unauthorized AI tools, with a surprising 80% admitting to the use of these tools themselves, the researchers report. These pros report the use of these unauthorized AI tools because 96% report dissatisfaction with their organization’s implementation of automation in the SOC. For more on unauthorized software in the workplace, see CyberWire Pro.

IBM's Security Intelligence takes a quick look at the cyber underworld, as does Kaspersky's January study of the same, finding that the criminal labor market resembles the legitimate labor market in a number of respects. A criminal career can be well-compensated, with some gangs offering around $240 thousand a year to applicants looking for a career betraying trust. To get hired, you have to pass certain screens: test assignments account for about 82% of the hiring decision, your CV and portfolio for 37%, and, finally, the interview counts for roughly 26%.

Barracuda has published a report looking at three novel phishing tactics being leveraged by cybercriminals. Attackers are using Google Translate links, image attachments, and special characters to evade detection. The researchers found that during January 2023 13% of organizations received phishing attacks that abused Google Translate by using Google-hosted URLs in phishing emails. Google Translate is said by the researchers to not be the only observed search engine in use, though it is the most widely used. For more on this trend, see CyberWire Pro.

Updates on cyber activity in the hybrid war against Ukraine.

Estonia has successfully conducted its elections (where a majority of voting is done online) despite extensive distributed denial-of-service (DDoS) attacks by Russian threat actors on election infrastructure and other government services, the Record reports. The attempts didn't succeed in disrupting voting, but Estonia's Prime Minister Kaja Kallas said there are clear signs the Russians are trying to adapt. BleepingComputer reports that the Ukrainian game developer GSC Game World, whose STALKER 2: Heart of Chornobyl has been widely anticipated, has come under cyberattack by Russian hacktivists who claim to have stolen game-specific material which they threaten to release unless their demands are met. The hacktivists, on the VK channel, write that they want GSC to change its attitude toward players from Belarus and Russia, lift the ban on a player who's been booted from the game's Discord channel, and permit Russian localization for STALKER 2. Games Industry reports that GSC Game World is hanging tough.

The State Service of Special Communications and Information Protection of Ukraine reviews trends in Russian cyber activity and notes the continuing close connection between cyberattacks proper and influence operations. The FSB's Gamaredon remains the most "persistent" of the Russian threat groups. Episodic lulls in Gamaredon's activity last summer seem to have been due to a lower operational tempo during reconnaissance phases of its campaigns. Gamaredon, however, is very far from being the only player, and a range of state groups and hacktivist auxiliaries have remained active throughout the war. These groups organize their operations around general goals and themes, without much evidence of direct command and coordination.

Ukraine has also drawn hacktivists to its cause. Newsweek's Shaun Waterman has an account of how Ukraine's government is moving to bring the IT Army in particular toward status as a properly regulated cyber reserve. The motivation for doing so would be to bring clarity to the volunteer hacktivists' status under international law, and to provide the sorts of controls over their activity that the laws of armed conflict suggest are appropriate.

Russia is looking in the Black Sea for the wreckage of the US drone Russian fighters forced down in international airspace on Tuesday, the Telegraph reports. The incident has cyber implications. Should Russia be able to recover the MQ-9's wreckage, it would look for ways of extracting and exploiting data and data management systems the drone carried. US operators are said, the Washington Post reports, to have wiped the MQ-9's systems before bringing it down some fifty-six nautical miles off the Crimean coast. Getting to the wreckage will be difficult, as the drone sank in water that's between 4000 and 5000 feet deep.

Microsoft reports that, while Russian cyber operators have underperformed during the hybrid war, there are signs of a spike in both espionage and influence operations. Influence operations have shown an interesting shift in attention toward Moldova. In a longer report on lessons learned over the first year of Russia's war, Microsoft concludes with a warning that future Russian operations are likely to fall into two categories, one of espionage and another of potential hack-and-leak operations.

Wired has a profile of Colonel Evgenii Serebriakov, the GRU officer who's running the Russian military intelligence service's Sandworm unit. Sandworm has been a problem, with wipers, attacks on power distribution networks, and other capers, but it's also, Wired sniffs, a record of noisy stumbling around. "But after half a decade of the spy agency's botched operations, blown cover stories, and international indictments," Wired writes, "perhaps it's no surprise that pulling the mask off the man leading that highly destructive hacking group today reveals a familiar face."

APT28, the GRU's Fancy Bear, has made considerable use of an Outlook vulnerability against its targets. Cybersecurity Dive reports that attacks using the exploit have been used against organizations in Ukraine, Turkey, Romania, and Poland since last April. Deep Instinct offers a detailed account of how the exploitation has played out in the GRU's cyber operations, and notes that while attacks were observed to begin in April of last year, they may have been exploited earlier, and could’ve had a greater scope of targets. A Russian-based threat actor was attributed to the attacks by Microsoft, but another threat actor may have exploited the vulnerability as well. The firm recommends those using Outlook to patch their systems, and run the PowerShell script provided by Microsoft to find past malicious emails.

The CyberWire's continuing coverage of Russia's war against Ukraine may be found here.

Patch news.

Microsoft issued a total of eighty patches Tuesday, eight of which are classed as critical. One of these, CVE-2023-23397, is an elevation-of-privilege bug affecting Microsoft Outlook that’s currently being exploited by attackers. Russia’s APT28 (also known as Fancy Bear, an arm of the GRU) has been exploiting CVE-2023-23397 since at least April 2022 to target European “government, military, energy, and transportation organizations.” Microsoft has credited Ukraine’s CERT-UA for the discovery of the vulnerability. Another actively exploited bug, CVE-2023-24880, is a security feature bypass vulnerability impacting Windows SmartScreen.

Adobe has issued 106 patches for a variety of its products. Firefox has patched eleven security bugs with version 111.0, Naked Security reports. For more on Patch Tuesday, see CyberWire Pro.

Crime and punishment.

Authorities in Croatia last Thursday arrested a person whom they believe to be the administrator of worldwiredlabs[.]com, a domain used to distribute the NetWire remote access Trojan (RAT), Help Net Security reported Friday. Swiss law enforcement also reportedly seized the computer behind the Trojan’s infrastructure. NetWire was simultaneously advertised on hacking fora, as well as in legitimate markets, where it was offered as a legitimate remote administration tool, TechCrunch wrote Thursday. Used as a remote access Trojan (RAT), NetWire allowed cyber criminals to remotely access and control devices, as well as lift sensitive data from victims.

The US Attorney's Office in the Central District of California said in the press release announcing the site’s seizure that the FBI’s investigation into the site began in 2020. TechCrunch reports that in the FBI’s investigations, the Bureau found that the site “never required the FBI to confirm that it owned, operated, or had any property right to the test victim machine that the FBI attacked during its testing (as would be appropriate if the attacks were for a legitimate or authorized purpose).” KrebsOnSecurity has an account of what the domains used by NetWire suggest about its operators.

Courts and torts.

The Lehigh Valley Health Network (LVHN), a healthcare system located in the US state of Pennsylvania, was recently hit with a BlackCat ransomware attack, and the cybercriminal gang followed up by publishing stolen photos of cancer patients on the dark web. Yahoo News reports that a proposed class action lawsuit has been filed over the breach, and the plaintiffs allege that LVHN failed to sufficiently secure patient data, despite knowledge that national hospital systems are being targeted by hackers. Philadelphia attorney Patrick Howard states in the suit, “While LVHN is publicly patting itself on the back for standing up to these hackers and refusing to meet their ransom demands, they are consciously and intentionally ignoring the real victims. Rather than act in their patients' best interest, LVHN put its own financial considerations first." The lead plaintiff, a female victim of the attack who has chosen to remain anonymous, says she was not aware that her photo had been taken or that it would be stored on the LVHN’s servers. The suit seeks damages on five counts, including negligence and breach of contract and privacy.

Policies, procurements, and agency equities.

On Monday the British government announced it will be establishing the The National Protective Security Authority (NPSA), a new arm of MI5 that will advise companies and other organizations on protecting themselves from “state-sponsored attempts at stealing sensitive research and information.” As the Record by Recorded Future reports, the new security agency was introduced in an update to the government’s Integrated Review on defense and security policies (IR23), an update motivated by “emerging geopolitical threats like Russia’s invasion of Ukraine and China’s attempts at cyber espionage. Computer Weekly explains that the NPSA will work in collaboration with existing agencies like the Government Communications Headquarters including GCHQ’s National Cyber Security Centre and the National Counter Terrorism Security Offices and will absorb the responsibilities of the Centre for the Protection of National Infrastructure, but with a broader purview that extends beyond critical infrastructure operators.

Also on Monday CISA announced the launch of the Ransomware Vulnerability Warning Pilot (RVWP), a support program designed to help critical infrastructure entities protect themselves against ransomware attacks. The announcement explains, “CISA recently initiated the RVWP by notifying 93 organizations identified as running instances of Microsoft Exchange Service with a vulnerability called “ProxyNotShell,” which has been widely exploited by ransomware actors. This initial round of notifications demonstrated the effectiveness of this model in enabling timely risk reduction as we further scale the RVWP to additional vulnerabilities and organizations.” Authorized by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022. The RVWP will help CISA detect vulnerabilities susceptible to exploitation by ransomware and alert critical infrastructure operators so that the flaws can be mitigated before attacks occur. As Bleeping Computer notes, the RVWP is part of the US’s wider initiative to defend against the rising threat of ransomware that began after a wave of cyberattacks on critical infrastructure operators and government agencies. Interested organizations can email CISA at vulnerability@cisa.dhs.gov to enroll. 

Research developments this week.

In cybersecurity research this week, Cisco Talos is tracking a new threat actor the company calls "YoroTrooper," which has been conducting cyberespionage campaigns against Europe and CIS countries since at least June 2022. The threat actor primarily targets "government or energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States (CIS)." Secureworks describes a spearphishing campaign that's targeting researchers who are documenting the oppression of women in Iran. The researchers believe the campaign is being run by the Iranian government APT COBALT ILLUSION (also known as Charming Kitten, APT42, or Phosphorous). Sophos is tracking a new version of the PlugX USB Trojan. The researchers say the “novel aspects of this variant are a new payload and callbacks to a C2 server previously thought to be only tenuously related to this worm.” Researchers at HYAS have developed a proof-of-concept strain of polymorphic malware that they've called "BlackMamba," which uses OpenAI’s API to evade detection. For further reading on this week's research news, check out this week's edition of the CyberWire Pro Research Briefing.