By the CyberWire staff
At a glance.
- Cl0p goes everywhere exploiting GoAnywhere.
- Hacktivist auxiliary hits Indian healthcare records.
- Effects of cyberattack on Latitude persist.
- Latest updates on threat actor operations.
- Fresh, up-to-date trends and reports.
- Latest cyber developments in the hybrid war against Ukraine.
- Patch news.
- Crime and punishment.
- Courts and torts.
- Policies, procurements, and agency equities.
- RSA Innovation Sandbox finalists announced.
- Research developments this week.
Cl0p goes everywhere exploiting GoAnywhere.
A ransomware campaign in which the Cl0p gang has exploited Fortra’s GoAnywhere managed file transfer (MFT) tool has caused the compromise of data from a wide range of victims. Major financing firms, energy companies, and even governments worldwide have seen breaches due to the gang’s exploitation of the zero-day vulnerability.
Many organizations have come forward revealing that they were victimized in this series of breaches. The Record reports that the government of the city of Toronto, Canada, and British conglomerate Virgin UK’s rewards club, Virgin Red, all experienced data exposure. Bleeping Computer wrote Thursday that another British organization, the United Kingdom’s Pension Protection Fund, was impacted by the zero-day. Several victims were located in Canada, with the Financial Post reporting Thursday that Canadian movie chain Cineplex Inc. said that it was hit in the attacks, and SC Magazine also confirming that major Canadian financing firm Investissement Québec was impacted. Procter & Gamble was added to the gang’s leak site, and Saks Fifth Avenue confirmed an attack, according to TechTarget. These may be added to previously disclosed incidents at Hitachi Energy and Rio Tinto. For more on Cl0p's recent activity, see CyberWire Pro.
Hacktivist auxiliary hits Indian healthcare records.
CSO, citing observations made by security firm CloudSEK, reports that the Russian hacktivist auxiliaries of the Phoenix group have compromised healthcare information in India. Phoenix claimed to have obtained sensitive data and posted samples in confirmation of their attack. CloudSEK writes, "An analysis of the samples shared concluded that the affected entity is the Health Management Information system belonging to the Indian Ministry of Health." Phoenix, a group associated with KillNet, indicated that the attack was retaliation for India's agreement to the sanction and oil-price cap the G20 imposed over Russia's invasion of Ukraine.
Effects of cyberattack on Latitude persist.
Australian fintech provider Latitude has taken its systems offline as the cyberattack it sustained last week "remains active," Reuters reports. The company says that both the Australian Federal Police and the Australian Cyber Security Centre were investigating, and that it intends to restore service "gradually" over the next few days. ABC describes the effects the incident has had on a representative group of consumers.
Latest updates on threat actor operations.
Developers of the SIESTAGRAPH malware family, REF2924, have been observed shifting their focus from data theft to persistent access, Elastic reported early this week. A new executable, Wmdtc.exe, is written in C# and referred to as “NAPLISTENER.” The malware is said to evade “network-based forms of detection.” NAPLISTENER is capable of processing incoming Internet requests, reading submitted data, decoding data from base64 format, and executing it in memory. Researchers shared that the REF2924 attacker is reliant on code from open sources and public repositories.
Abnormal Security describes an attempted vendor email compromise attack (VEC) that tried to steal $36 million from a commercial real estate company. The attackers posed as a trusted contact at an insurance firm, sending the phishing emails from a domain that ended in “.cam” instead of “.com.” The phishing emails contained phony invoices.
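The ".cam" for ".com" substitution described above is one instance of a broader lookalike-domain pattern that mail-gateway rules can catch before an invoice reaches a finance inbox. The following is an added example, not code from Abnormal Security or from the original report; the trusted vendor domains and the inbound sender domains are constructed placeholders. It classifies each sender against the vendor list as an exact match, a top-level-domain swap, a near-miss on the registrable label (a typo or homoglyph squat), or unrelated, so that anything other than an exact match can be held for review.

```python
# Added example (not from the original article): flag sender domains that
# impersonate a trusted vendor domain, e.g. "vendor.cam" standing in for
# "vendor.com". All domains below are constructed placeholders.

# Constructed list of vendor domains the organisation actually does business with.
TRUSTED_DOMAINS = ["acme-insurance.com", "example-realty.com"]

# Constructed sample of sender domains seen in inbound invoice emails.
SAMPLE_SENDERS = [
    "acme-insurance.com",   # legitimate vendor
    "acme-insurance.cam",   # TLD swap, the trick described in the report
    "acme-lnsurance.com",   # homoglyph: lowercase L in place of i
    "unrelated-shop.net",   # not similar to any trusted domain
]


def split_domain(domain):
    """Return (registrable label, tld) for a simple two-part domain."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def levenshtein(a, b):
    """Edit distance between two strings (classic DP, no external deps)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_sender(sender, trusted=TRUSTED_DOMAINS):
    """
    Classify a sender domain against the trusted list.
    Returns one of: "trusted", "tld-swap", "lookalike", "unrelated".
    """
    sender = sender.lower()
    if sender in trusted:
        return "trusted"
    s_label, s_tld = split_domain(sender)
    for t in trusted:
        t_label, t_tld = split_domain(t)
        # Same registrable label, different TLD: ".cam" for ".com" and the like.
        if s_label == t_label and s_tld != t_tld:
            return "tld-swap"
        # A small edit distance on the label catches typo and homoglyph squats.
        if levenshtein(s_label, t_label) <= 2:
            return "lookalike"
    return "unrelated"


def triage(senders=SAMPLE_SENDERS):
    """Return {sender: verdict} for a batch; anything not 'trusted' is held for review."""
    return {s: classify_sender(s) for s in senders}


if __name__ == "__main__":
    for sender, verdict in triage().items():
        print(f"{sender:24s} {verdict}")
```

The edit-distance threshold of 2 is an assumption chosen for short vendor labels; a very short label would need a tighter bound to avoid matching unrelated domains, and a production rule would also compare against the organisation's own domain and known free-mail providers.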
The German Constitutional Protection Agency (BfV) and the Republic of Korea’s National Intelligence Service (NIS) have issued a joint advisory describing a spearphishing campaign by North Korea’s Kimsuky threat actor, said to be targeting “experts on the Korean Peninsula and North Korea issues” via a malicious Chrome extension and malware-laden Android apps. According to BleepingComputer, the attackers use spearphishing emails to trick their victims into installing the Chrome extension, which can then exfiltrate emails from the victim’s Gmail account. For more on Kimsuky's recent activity, see CyberWire Pro.
North Korea’s APT37 threat group, known also by the monikers Reaper, ScarCruft, and RedEye, has been observed in activity against South Korean targets. The AhnLab Security Emergency Response Center analysis team has observed activity from the APT37 threat group, conducting cyberespionage against individuals within South Korean organizations in February and March of this year. Researchers from Sekoia report that the group distributes the Chinotto PowerShell-based backdoor, which gives the actors “fully fledged capabilities to control and exfiltrate sensitive information from the victims.” For more on APT37, see CyberWire Pro.
A phishing campaign is impersonating Microsoft with emails that alert the recipient of an unusual sign-in to their Microsoft account, according to Avanan. The emails inform the user that their account has been logged into from an IP address in Moscow, and encourage the user to click a button to report the suspicious activity. The hacker will respond and ask for credentials in the name of safeguarding the account, when in reality they are stealing the data. The scam's deceptive simplicity and the easy interaction make it effective.
Fresh, up-to-date trends and reports.
In its Cybersecurity Readiness Index, Cisco sheds light on organizations’ ability to safeguard against cyber threats. The results suggest that an alarming number of companies do not have a strong enough level of protection against the threats posed in cybersecurity today. The research found that only 15% of global organizations have what is defined as a “Mature” level of readiness, meaning that they have implementations in place that are strong enough to defend against current cyber threats. 82% of the survey’s respondents report expecting a cybersecurity incident against their company in the next 1 to 2 years. Those surveyed also report bearing high costs due to underpreparedness, with 41% of organizations that reported an incident in the last year disclosing costs of at least $500,000. For more on Cisco's study, see CyberWire Pro.
Researchers at crypto wallet provider ZenGo discovered vulnerabilities in leading transaction simulation solutions. Transaction simulations are used to perform sandbox emulations to “evaluate the potential outcome of the intended transaction” before executing them, primarily to combat theft and scams. The researchers found that malware could detect that it was operating in a sandbox, and then “reveal its true malicious nature only when actually executed in a real environment.” For more on transaction simulation exploits, see CyberWire Pro.
Mandiant researchers have observed a trend in which hacktivist groups are increasingly claiming to have successfully attacked operational technology (OT, technology that monitors or controls industrial equipment, processes and events). The trend crosses political commitments and allegiances, but in general Mandiant finds that the claims of success have been exaggerated, as have claims on the part of hacktivists to disinterested independence of state influence or direction. On the other hand, there do seem to be signs that hacktivist groups are trading information on OT systems, and that they've exhibited a growing technical familiarity with such systems' vulnerabilities.
Tune in to the Q1 Analyst Call
If you’re looking to enhance your cyber awareness, don’t miss the first Quarterly Analyst call of 2023. This live broadcast will take place on Thursday, March 30th at 2pm EST. Join our team of experts in their conversation about crucial cybersecurity events from the last 90 days. This quarter’s call is hosted by our CSO, Chief Analyst, & Senior Fellow, Rick Howard, joined by Principal Partner Solution Architect of Amazon Web Services, Jenn Reed, and Senior Director of Security Strategy at Cato Networks, Etay Maor. This event is exclusively for CyberWire Pro subscribers, so don’t miss it and subscribe today if you haven’t already! Learn more.
Latest cyber developments in the hybrid war against Ukraine.
Citing reports in the Russian media outlet Kommersant, the Register says that members of President Putin's staff have been told to get rid of their iPhones, replacing them with Android devices, or with phones using either Chinese operating systems or Russia's homegrown Aurora. The Daily Star says that the word around Moscow is that Apple products are particularly susceptible to monitoring by American intelligence services. Users have been told that, by the end of the month, they should either toss their iPhones or "give them to the kids."
Kaspersky reported Tuesday that it had discovered a new advanced persistent threat (APT) operating against "government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions." The attacks begin with phishing emails whose payload is carried in malicious attached Word files that purport to be government documents. Once the phish hook is set, it installs the PowerMagic backdoor and then the CommonMagic framework. Kaspersky says the campaign is thus far unattributed. The organizations, government and otherwise, that Kaspersky refers to in its report appear to be Russian occupation and separatist organizations, and thus the suggestion would be that the APT is acting either for Ukraine or at least against Russian interests, but Kaspersky (a Russian company) carefully avoids either claim. Circumstantially, the campaign's purpose seems to be cyberespionage.
Someone using the nom-de-hack "Denfur" has claimed, to CyberScoop, that he is a Russian patriot who breached D.C. Health Link and obtained personal data of many of the system's users, including members of the US Congress. It was, Denfur said, “an idea born out of Russian patriotism.” When asked by CyberScoop to provide proof of Russian nationality, Denfur told the publication they'd simply have to take his word for it. CyberScoop is properly reticent in its story, and Denfur's claims should at best be regarded as not proven.
The Ghostwriter threat group has resumed a campaign in which bogus emails misrepresenting themselves as originating with the governments of Latvia, Lithuania, or Poland are hitting the in-boxes of organizations working with Ukrainian refugees. The content of the emails warns that the Ukrainian government is about to undertake mass conscription of military-age men with the intent of feeding the conscripts into combat against Russia. Bloomberg writes, "Ukrainian men of military age, the emails warned, were scheduled to be rounded up and sent home. They would then be forced to fight against Russian troops, according to a supposed agreement between Ukraine and its allies. People who received the emails should immediately provide personal information and any known whereabouts of Ukrainians living nearby, the messages said." The goal is to inspire fear and mistrust. Mandiant attributes Ghostwriter to Belarus, Russia's one reliable ally in its war against Ukraine.
Starlink terminals used by Ukrainian forces are proving increasingly vulnerable to focused application of traditional electronic warfare by Russian forces. Defense One reports that Ukrainian units employing the system are being subjected to both jamming and geolocation by Russian electronic warfare units.
The CyberWire's continuing coverage of Russia's war against Ukraine may be found here.
Patch news.
CISA Tuesday released eight Industrial Control Systems (ICS) advisories:
On Thursday, CISA released six more:
Users and administrators are urged to review the advisories, assess their systems, and apply the recommended upgrades and mitigations.
Crime and punishment.
Nineteen-year-old Conor Brian Fitzpatrick, nom de hack "Pompompurin," has been arrested in New York by the FBI for his alleged role in BreachForums. BreachForums is generally regarded as the successor to RaidForums, a criminal souk taken down by the FBI in 2022. BreachForums in general and Pompompurin in particular have been, KrebsOnSecurity writes, "a thorn in the side of the FBI" for the last several years. In November of 2021, for example, Pompompurin took credit for a caper in which thousands of bogus emails were sent from FBI and associated email addresses. Following the arrest of the alleged BreachForums proprietor, another figure expeditiously stepped up to claim ownership of the criminal forum, the Record reports. The forum, however, will remain inaccessible, despite one "Baphomet" saying he would be bringing it back online. The Record reports that Baphomet changed his mind about bringing back BreachForums, posting Tuesday, "This will be my final update on Breached, as I've decided to shut it down." He feared the FBI had established persistent access to the forum. For more on the demise, resuscitation, and second demise of BreachForums, see CyberWire Pro.
Courts and torts.
Forbes reported last Friday that the Fraud Section of the US Department of Justice Criminal Division, working with the Office of the U.S. Attorney for the Eastern District of Virginia, has been investigating ByteDance for attempts some of its employees made to use TikTok in collecting location information and other personal data pertaining to journalists. ByteDance has distanced itself from the employees' actions, saying "We have strongly condemned the actions of the individuals found to have been involved, and they are no longer employed at ByteDance. Our internal investigation is still ongoing, and we will cooperate with any official investigations when brought to us.” The Wall Street Journal has an overview of the internal investigation ByteDance opened into the incident this past December. That internal investigation is still in progress, but ByteDance's TikTok subsidiary says it's taken some steps to prevent a recurrence. "TikTok has said it was restructuring its Internal Audit and Risk Control department, and removed all user data access and permissions for the department," the Journal reports.
Policies, procurements, and agency equities.
On March 21st the US Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) released, as part of their Enduring Security Framework (ESF), Identity and Access Management Recommended Best Practices Guide for Administrators. The ESF's IAM best practices are organized into five categories: Identity Governance, Environmental Hardening, Identity Federation and Single Sign-On, Multi-Factor Authentication, and IAM Monitoring and Auditing. Each class is accompanied by an explanation of what it is, why it matters, and how it's implemented, with notes on the threat landscape interspersed in the discussion. For more on NSA and CISA's recommended set of IAM best practices, see CyberWire Pro. And for a discussion of identity and access management, see CyberWire's Word Notes.
CISA has updated its Cybersecurity Performance Goals. These are cross-cutting goals intended to be applicable across all critical infrastructure sectors. "Originally released last October, the CPGs are voluntary practices that businesses and critical infrastructure owners can take to protect themselves against cyber threats. The CPGs have been reorganized, reordered and renumbered to align closely with NIST CSF functions (Identify, Protect, Detect, Respond, and Recover) to help organizations more easily use the CPGs to prioritize investments as part of a broader cybersecurity program built around the CSF."
The Joint Cyber Defense Collaborative (JCDC), part of the US Cybersecurity and Infrastructure Security Agency, is cultivating its pre-ransomware notification capability. JCDC states, “With pre-ransomware notifications, organizations can receive early warning and potentially evict threat actors before they can encrypt and hold critical data and systems for ransom.” The JCDC is a public-private sector information-sharing organization established by CISA in 2021. JCDC Associate Director Clayton Romans explained in a blog post Thursday that pre-ransomware notifications are possible due to “tips from the cybersecurity research community, infrastructure providers, and cyber threat intelligence companies about potential early-stage ransomware activity.” For more on JCDC, see CyberWire Pro.
CISA has released a tool to help detect malicious activity in Microsoft Azure, Azure Active Directory, and Microsoft 365 environments, dubbed the “Untitled Goose Tool.”
RSA Innovation Sandbox finalists announced.
RSA Conference has announced the ten finalists for its Innovation Sandbox, to be presented at RSAC on April 24th. RSAC's press release offers overviews of each company; the finalists are AnChain.AI, Astrix, Dazz, Endor Labs, HiddenLayer, Pangea, Relyance AI, SafeBase, Valence Security, and Zama. For a deeper foray into this week's cybersecurity mergers, acquisitions, and other business news, check out this week's CyberWire Pro Business Briefing.
Research developments this week.
In cybersecurity research this week, Palo Alto Networks' Unit 42 describes Trigona, a strain of ransomware that was first spotted in late October 2022. The ransomware's operators compromised at least fifteen entities during December, with the victims spanning the "manufacturing, finance, construction, agriculture, marketing and high technology industries." Check Point is tracking an Android Trojan called "FakeCalls," which "can masquerade as one of more than 20 financial applications and imitate phone conversations with bank or financial service employees." Netskope has published a report on the BlackSnake ransomware-as-a-service (RaaS) operation, which first surfaced in August 2022. A new version of the ransomware was observed on February 28th, containing a clipper module designed to steal cryptocurrency information. Barracuda has published a report looking at three novel phishing tactics being leveraged by cybercriminals. Attackers are using Google Translate links, image attachments, and special characters to evade detection. And finally, Palo Alto Networks’ Unit 42 has published its 2023 Ransomware Threat Report, finding that threat actors have significantly escalated their extortion tactics. For further reading on this week's research news, check out this week's edition of the CyberWire Pro Research Briefing.