By the CyberWire staff
At a glance.
- The takedown of Genesis Market.
- Preventing abuse of the Cobalt Strike pentesting tool.
- Update on the 3CX incident.
- Western Digital discloses cyberattack.
- Threat actor movements observed and reported over the week.
- Latest trends and reports.
- Developments in the cyber phases of Russia's hybrid war against Ukraine.
- Patch news.
- Crime and punishment.
- Courts and torts.
- Policies, procurements, and agency equities.
- Cybersecurity's latest business developments.
- Research developments this week.
The takedown of Genesis Market.
Genesis Market, a popular online cybercriminal shop, was seized by the FBI in an action that resulted in a takedown on Tuesday. The criminal operation, Bleeping Computer reports, has been linked to millions of cyber incidents across the world, with over 80 million stolen credentials and fingerprints present on the site. CNN reports that Operation Cookie Monster was broad in scope, with many international law enforcement agencies participating. It followed a series of law enforcement operations involving coordinated arrests and raids.
Europol Wednesday reported that Tuesday’s seizure of the Genesis Market criminal marketplace was a combined operation involving 17 countries. 119 people were arrested, 208 properties were searched, and a reported 97 “knock and talk measures” took place. This combined effort was spearheaded by the US Federal Bureau of Investigation (FBI) and the Dutch National Police (Politie). A Wednesday US Department of Justice (DoJ) press release discloses that law enforcement seized 11 domain names that were in support of the Genesis Market infrastructure. For more on Operation Cookie Monster, see CyberWire Pro, and for more on the Genesis Market arrests, check out our coverage here.
Preventing abuse of the Cobalt Strike pentesting tool.
Microsoft’s Digital Crimes Unit (DCU), in collaboration with cybersecurity company Fortra and the Health Information Sharing and Analysis Center (Health-ISAC), is taking legal and technical measures to disrupt illicit versions of Cobalt Strike and abused Microsoft software. Microsoft says the cracked software has been used in more than 68 ransomware attacks targeting healthcare institutions around the world, which “have cost hospital systems millions of dollars in recovery and repair costs, plus interruptions to critical patient care services including delayed diagnostic, imaging and laboratory results, canceled medical procedures and delays in delivery of chemotherapy treatments.” For more on Cobalt Strike, see CyberWire Pro.
Update on the 3CX incident.
The 3CXDesktopApp attacks increasingly look like the work of North Korea’s Lazarus Group, the Record reports. CrowdStrike initially disclosed “suspected nation-state involvement” by the Lazarus Group (or “Labyrinth Chollima,” as CrowdStrike tracks it). The outlet reports that Sophos on Friday also linked some evidence from the attacks to Lazarus, reporting that a shellcode loader used had previously been seen only in Lazarus Group operations. Computing reports that the attack likely was ultimately intended to deploy information-stealing malware, with a particular focus on browsing history. Given the likely attackers, espionage makes sense as an ultimate goal. Computing also notes that it’s not yet publicly known how the attacker entered 3CX’s systems, and whether or not they still have access. Fortinet released threat research on Thursday detailing the supply chain attack, which has been assigned the designation CVE-2023-29059. They note that the primary targets have been organizations in Europe and North America, and they provide indicators of compromise.
Western Digital discloses cyberattack.
California-based data storage provider Western Digital has disclosed a breach in which an unauthorized third party gained access to its systems, the Register reports. Computing reports that the company has shut down its My Cloud consumer cloud and backup service while it investigates the incident. The company hasn’t disclosed the nature of the attack, and the investigation is still in its early stages. Western Digital said in a statement that it detected an incident on March 26th, initiated its incident response plans, and began taking steps to remediate the issue. For more on the effects of the attack against Western Digital, see CyberWire Pro.
Predictive analytics to ensure your team passes the CISSP the first time.
Other CISSP certification training providers don't have a way to determine exam readiness until a practitioner passes (or fails) their certification exam. CyberVista's online CISSP course includes predictive analytics to show who is ready, who needs more time, and where to focus training. Through diagnostic exams, custom quizzes, a mock Computer Adaptive Test (CAT) Exam, and more, employers and practitioners alike feel confident in passing their CISSP the first time with CyberVista.
Threat actor movements observed and reported over the week.
Palo Alto Networks’ Unit 42 late last week spotted a new strain of ransomware that’s calling itself “Cylance,” though there is no relation to the security firm of that name. The malware targets Windows and Linux systems. The ransom note instructs victims to email the attackers to begin negotiations. HackRead reports that the ransomware has already compromised several victims. For more on this ransomware campaign, see CyberWire Pro.
Sysdig reports a wave of proxyjacking against devices vulnerable to Log4j exploitation for remote code execution. It's a criminal-to-criminal play, an illicit version of legitimate proxysharing arrangements in which users agree to rent out their bandwidth. In proxyjacking the arrangement is not only uncompensated, but it's also forced into a device without the owners' consent. There's an obvious analogy with cryptojacking. As Sysdig explains, “Proxyjacking...is a foil to cryptojacking, in that it mainly aims to make use of network resources, leaving a minimal CPU footprint." And, of course, the resources can be resold on the criminal market.
A formerly unnamed cybercrime group, APT43, was named and described by Mandiant in a report last week. It was also shown to have ties to the Democratic People’s Republic of Korea. Mandiant explains that after five years of tracking the activities of APT43 they can attribute the group to the Democratic People’s Republic of Korea because their “collection priorities align with the mission of the Reconnaissance General Bureau (RGB), North Korea's main foreign intelligence service.” Mandiant also highlights how APT43 acquires and launders stolen cryptocurrency to fund its own espionage operations. For more on Archipelago and APT43, see CyberWire Pro.
Add value to your lead generation strategy.
Broaden the reach of your ads, fill your funnel, and build partnerships with valuable leads. Having the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, means companies trust us to get their messages out. Feature your brand with the source that top security leaders choose. Learn more.
Latest trends and reports.
Trend Micro Monday released a report discussing the variances in criminal group behavior based on their sizes. The researchers share that knowledge of the size of a criminal organization can aid in the discovery of cybercrime. In smaller criminal businesses, most are staffed by moonlighters who also have a day job. Mid-sized businesses tend to be structured as pyramids, with one boss at the top. Lower management and supervisory management are king in large criminal enterprises, with the overarching leadership well-versed in cybercrime. The larger cybercriminal businesses tend to be run like corporations, containing familiar departments with benefits, performance reviews and the other impediments of legitimate business. For more on the organization of the cyber underworld, see CyberWire Pro.
Team Cymru published a report looking at the challenges faced by cybersecurity analysts in hunting threats. 59% of the respondents said their organizations’ threat hunting program was only somewhat effective, and 38% said their biggest challenge was a lack of appropriate threat hunting tools. Nearly half (47%) said their main goal is to identify threats before an intruder is able to cause damage. One of the top concerns among threat hunters is the inability to measure the success of their efforts. For more on the threat hunting study, see CyberWire Pro.
Vade released a report detailing a newly identified phishing campaign that uses YouTube attribution links and a CAPTCHA to fly under the radar. Victims receive a fake email alerting them that their Microsoft 365 password has expired. In reality the email comes from an attacker who uses display name spoofing to feign legitimacy. The email carries Microsoft’s logo and branding and provides a button for the user to keep their current password. The button’s link redirects to a YouTube URL and then to a page with a Cloudflare CAPTCHA. Once the CAPTCHA is completed, the user is redirected to a phishing page that auto-populates the user’s email address and provides a field for the password.
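The two tells the report describes, a display name that claims a brand the sending domain does not own and a link whose real destination is tucked inside a query parameter of a reputable site, can both be checked mechanically at the mail gateway. The Python script below is an added example and is not code from Vade or from the original article. The sample message, the brand-to-domain allow-list and the bounce-host list are constructed for illustration, and the `u` query parameter as the carrier of the embedded URL is an assumption.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import parse_qs, unquote, urlparse

# Brand names and the sending domains that may legitimately use them.
# Assumed allow-list for this example; a real gateway loads its own.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
}

# Reputable hosts seen serving "bounce" links, where the real destination
# travels inside a query parameter. Assumed list; used only for labelling.
KNOWN_BOUNCE_HOSTS = {"youtube.com", "www.youtube.com"}

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)

# Constructed sample message modelled on the lure the report describes.
# The 'u' parameter as the carrier of the embedded URL is an assumption.
SAMPLE = """\
From: "Microsoft 365 Account Team" <alerts@mail-notify.example>
To: user@victim.example
Subject: Your password has expired
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your Microsoft 365 password expires today. Keep your current password:</p>
<a href="https://www.youtube.com/attribution_link?u=https%3A%2F%2Flogin-portal.example%2Fverify%3Femail%3Duser%40victim.example">Keep Same Password</a>
</body></html>
"""


def sender_domain_mismatch(from_header):
    """Return (display_name, domain, brand) when the display name claims a
    brand that the sending domain does not belong to, otherwise None."""
    name, addr = parseaddr(str(from_header))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, domains in BRAND_DOMAINS.items():
        claims_brand = brand in name.lower()
        owns_domain = any(domain == d or domain.endswith("." + d) for d in domains)
        if claims_brand and not owns_domain:
            return name, domain, brand
    return None


def embedded_redirects(url):
    """Return every absolute URL carried inside the query string of `url`,
    the pattern behind attribution links and other bounce links."""
    found = []
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            value = unquote(value)
            if value.lower().startswith(("http://", "https://")):
                found.append(value)
    return found


def triage(raw_message):
    """Run both checks over an RFC 5322 message and return readable findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    mismatch = sender_domain_mismatch(msg["From"] or "")
    if mismatch:
        name, domain, brand = mismatch
        findings.append(
            f"display-name spoofing: '{name}' sent from {domain}, not a {brand} domain"
        )
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for url in HREF_RE.findall(html):
        host = (urlparse(url).hostname or "").lower()
        for target in embedded_redirects(url):
            label = "bounce host" if host in KNOWN_BOUNCE_HOSTS else "redirect"
            landing = urlparse(target).hostname
            findings.append(f"{label}: {host} forwards to {landing}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The link check is deliberately general: it flags any URL that carries a full URL in its query string, so it catches other open-redirect hosts as well as the YouTube case in the report; the bounce-host list only decides the label. Neither check follows the link, so the CAPTCHA gate that defeats URL-fetching scanners has no effect on it.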
Google released a report, “Perspectives on Security for the Board,” highlighting how corporate boards can best navigate cybersecurity and cyber risk. First, cyber risk should be viewed through the lens of business risk. Google references the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF), which can be useful for Boards in reference to cyber. The framework comprises five core tenets: Identify, Protect, Detect, Respond, and Recover. Google also notes that it is imperative to “understand the connection between threat intelligence and risk mitigation.” To do this, Google advises boards to ask CISOs three questions: how good are we at cyber security, how resilient are we, and what is our risk? Overall, Google recommends getting up to speed, being engaged, and staying in the loop as sound practices for board members overseeing the management of cyber risk.
RSA Conference 2023 San Francisco | April 24 – 27 | Moscone Center
Cutting-edge innovation. Expert speakers. Influential attendees. Valuable networking opportunities. RSA Conference 2023 will bring the cybersecurity community together again in San Francisco for four industry-shaping days, and you can be a part of that important conversation. Stay current with today’s best practices, learn about the latest trends, and tap into the strength of being Stronger Together. Learn more.
Developments in the cyber phases of Russia's hybrid war against Ukraine.
Cyber Resistance, a pro-Ukrainian hacktivist group, is reported to have inveigled the spouses of officers in the Russian 960th Assault Aviation Regiment into participating in a bogus morale-building calendar photoshoot, in the course of which the identities of the regiment's officers were revealed. The regiment was responsible for killing some six hundred civilians who had taken shelter in a Mariupol theater last year, as well as for hitting hospitals. The wife of Colonel Sergey Valeriyvich Atroschenko, the regiment's commander, was duped into organizing the photoshoot, the Telegraph writes. HackRead reports that the information obtained included a great deal of sensitive data.
The Cyber Resistance group also took control of an AliExpress account organized by the Russian milblogger Mikhail Luchin to solicit donations for Russian forces. Numerama reports that the hacktivists then used the pirated account to spend about €23,000 on tacky erotic novelties. InformNapalm explained the motive, saying that Cyber Resistance hacktivists were punishing Luchin for intending to use the money on drones for the Russian army. The hacktivists themselves counted coup in their own Telegram channel. First Post says that Mr. Luchin attempted to return the items but found that all sales were final, so he'll try reselling the marital aids to raise even more money for Russia's cause.
The Russian hacktivist auxiliaries of Killnet have attempted to disable a recently established German government website devoted to the economic reconstruction of Ukraine. The distributed denial-of-service (DDoS) attacks "have so far successfully been repelled," a representative of the Federal Ministry for Economic Cooperation and Development told Spiegel. TVP World reports that the attacks began last week when the ministry established the site and continued into Tuesday.
It's Russia's turn to chair the United Nations Security Council, and it used its first week in that role to convene a meeting to share its own view of the widespread abduction of Ukrainian children. It featured a video presentation by the director of Russia's child protection agency, Maria Lvova-Belova, presently wanted by the International Criminal Court for war crimes involving the kidnapped children. Ms Lvova-Belova said she welcomed the opportunity to “dispel the fakes and show the opposite side.” She added that Russia did not recognize the jurisdiction of the International Criminal Court, and claimed that Russia's custody of the children was protective, and that Moscow stands ready to help reunite the children with their families. Several Western members of the Council walked out on the presentation, returning once it was over to denounce Russian disinformation.
The New York Times reports that US authorities are investigating an apparent leak of sensitive information concerning plans for US support of Ukraine. The files have been circulated on Twitter and Telegram by Russian accounts. A significant fraction of the information seems genuine (although at least some of it could be inferred from publicly known open sources), and genuine enough to prompt an investigation. Other data, notably casualty estimates, appear to have been falsified in the Russian interest (with Russian casualties understated and Ukrainian casualties exaggerated); these seem to represent an admixture of disinformation, which may be the principal point of the publication.
The CyberWire's continuing coverage of Russia's war against Ukraine, with focus especially on the war's cyber phases, may be found here.
Patch news.
Proofpoint's report last week on Winter Vivern described the Russian threat actor's exploitation of a Zimbra vulnerability, CVE-2022-27926, to gain access to Zimbra-hosted webmail portals from which the threat actor can gain access to NATO organizations involved with support for Ukraine. Winter Vivern, known also as TA473, impersonates Western organizations to conduct highly targeted, carefully prepared phishing operations against its targets. On Monday CISA, the US Cybersecurity and Infrastructure Security Agency, added CVE-2022-27926 to its Known Exploited Vulnerabilities (KEV) Catalog. US Federal Civilian Executive Branch organizations have, under Binding Operational Directive 22-01, until April 24th to check their systems and secure them.
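A KEV addition with a BOD 22-01 deadline is a date to track, and the practical way to do that is to join the catalog feed against your own scanner output so each affected asset gets a due date. The Python script below is an added example, not CISA tooling or code from the original article. The catalog excerpt and the asset inventory are constructed for illustration (the second catalog record and the inventory's other CVE identifiers are placeholders); the field names follow the published catalog JSON, and the Zimbra record carries the April 24th deadline quoted above.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV catalog JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The Zimbra record carries the due date quoted in the newsletter; the
# second record is a placeholder, not a real catalog entry.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2022-27926",
            "vendorProject": "Zimbra",
            "product": "Collaboration Suite",
            "dateAdded": "2023-04-03",
            "dueDate": "2023-04-24",
            "requiredAction": "Apply updates per vendor instructions.",
        },
        {
            "cveID": "CVE-0000-00000",
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "dateAdded": "2023-01-10",
            "dueDate": "2023-01-31",
            "requiredAction": "Apply updates per vendor instructions.",
        },
    ]
})

# Constructed asset inventory: hostnames mapped to CVEs a scanner reported.
# CVE-1999-00001 is a placeholder for a finding that is not in the catalog.
INVENTORY = {
    "mail-01": ["CVE-2022-27926", "CVE-1999-00001"],
    "web-07": ["CVE-0000-00000"],
}


def load_kev(kev_json):
    """Index the catalog feed by CVE identifier."""
    data = json.loads(kev_json)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def kev_exposure(inventory, kev, today):
    """Join scanner findings against the catalog and return one row per
    (asset, CVE) that appears in KEV, most urgent first:
    (asset, cve, due_date, days_left, status, required_action)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for asset, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in the catalog, so no BOD 22-01 deadline applies
            due = date.fromisoformat(entry["dueDate"])
            days_left = (due - today).days
            status = "OVERDUE" if days_left < 0 else "due"
            rows.append((asset, cve, entry["dueDate"], days_left, status,
                         entry["requiredAction"]))
    rows.sort(key=lambda r: r[3])  # overdue items first, then nearest deadline
    return rows


def report(inventory=INVENTORY, kev_json=KEV_SAMPLE, today=None):
    """Render the exposure table as text lines."""
    today = today or date.today()
    lines = []
    for asset, cve, due, days, status, action in kev_exposure(inventory, load_kev(kev_json), today):
        lines.append(f"{status:8} {asset:10} {cve:16} due {due} ({days:+d} days)  {action}")
    return lines


if __name__ == "__main__":
    # Run as of the Friday of the week the newsletter covers.
    print("\n".join(report(today="2023-04-07")))
```

Binding Operational Directive 22-01 only obliges Federal Civilian Executive Branch agencies, but the same join is a sensible prioritisation signal for anyone: a finding that is in the catalog is known to be exploited in the wild, which is exactly the condition the Winter Vivern activity above illustrates.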
On Thursday, the US Cybersecurity and Infrastructure Security Agency (CISA) released seven Industrial Control Systems (ICS) advisories:
Crime and punishment.
The FSB's arrest of reporter Evan Gershkovich is widely regarded in Western media as official hostage-taking, and his arrest has been denounced as such by the US State Department and the White House. The AP reports that US Secretary of State Antony Blinken called his Russian counterpart, Foreign Minister Lavrov, to demand the journalist's immediate release. Russian state television takes a different line, as commentators on a Rossiya 1 news show say that Gershkovich was never a journalist and filed no stories from Russia. That's an easy charge to debunk. The Wall Street Journal has published eleven stories with Gershkovich's byline in just March of this year, and the paper is justifiably outraged at Russia's conduct.
Courts and torts.
As nations across the world consider banning TikTok, Britain's Information Commissioner's Office (ICO) announced Tuesday that it is fining the social media platform 12.7 million pounds for violating child data protection laws. The data watchdog says the video-streaming giant allowed up to 1.4 million British children under 13 to use the platform in 2020, despite the fact that this goes against TikTok’s minimum age requirements. As well, Reuters reports, the data of these minors may have been used without parental consent to track their activities and present them with potentially inappropriate content. Information Commissioner John Edwards stated, "There are laws in place to make sure our children are as safe in the digital world as they are in the physical world. TikTok did not abide by those laws." Politico notes that TikTok senior staff have recently expressed concerns about minors using the app. Edwards added, “TikTok should have known better. TikTok should have done better. Our £12.7m fine reflects the serious impact their failures may have had.” TikTok says it disagrees with the ruling, stating "We invest heavily to help keep under 13s off the platform and our 40,000 strong safety team works around the clock to help keep the platform safe for our community. We will continue to review the decision and are considering next steps." However, a TikTok spokesperson did say they were grateful that the fine was reduced from the 27 million pounds initially estimated by the ICO in September after the commissioner removed one of its provisional findings that TikTok had unlawfully used “special category data.” Nonetheless, the fine is among the largest the ICO has ever issued.
The US Federal Trade Commission (FTC) on Thursday announced that online mental health counseling company BetterHelp has agreed to pay $7.8 million to settle charges that it improperly shared customers’ sensitive data, the Verge reports. Despite the fact that BetterHelp’s sign-up process “promised consumers that it would not use or disclose their personal health data except for limited purposes,” the FTC alleges the platform shared user info including email addresses and health questionnaire answers with companies including Facebook, Snapchat, Criteo, and Pinterest for “advertising purposes.” The regulator also claims BetterHelp intentionally misled users by giving its customer service representatives false scripts indicating that they weren’t sharing customer data, and by placing a HIPAA seal on its website despite the fact that “no government agency or other third party reviewed [BetterHelp]’s information practices for compliance with HIPAA, let alone determined that the practices met the requirements of HIPAA.” In addition to the settlement charges, the FTC’s proposed order would require BetterHelp to improve its customer handling protocols, including asking all third parties to delete the data in question, and establishing a “comprehensive privacy program” that includes enlisting an independent third party to conduct privacy assessments.
Policies, procurements, and agency equities.
The US government continues to warn about the imminent threats of TikTok, the US Department of Defense reports. John F. Plumb, US Assistant Secretary of Defense for Space Policy and Principal Cyber Advisor to the Secretary of Defense, says TikTok is a “potential threat vector” to America. Plumb and General Paul M. Nakasone – commander of US Cyber Command, director of the National Security Agency, and chief of the Central Security Service – testified before Members of the House Armed Services Committee's subcommittee on cyber, information technologies, and innovation this week to discuss the risks posed by the popular video-streaming service. Nakasone noted that the app’s unprecedented reach is what makes it particularly dangerous, stating, "If you consider one-third of the adult population receives their news from this app, one-sixth of our children are saying they're constantly on this app, if you consider that there's 150 million people every single day that are obviously touching this app, this provides a foreign nation a platform for information operations, a platform for surveillance, and a concern we have with regards to who controls that data." He went on to urge policy makers to establish rules that can rein in the power of TikTok, noting that TikTok’s ties to China make it more dangerous than American platforms. TikTok is owned by Chinese company ByteDance, and Nakasone pointed out that Chinese officials said they would "touch the data at any time they want to touch this data. This concerns me.”
The US government is providing $25 million to Costa Rica to help the country build up its cybersecurity defenses, Moody’s reports. The money will be used to “support new training, equipment, and a collaboration between the US and the Costa Rican government to establish a Security Operations Center to oversee and address future cyber threats.” The financial assistance comes after a series of cyberattacks affected Costa Rican government institutions over the course of 2022 and early 2023.
Cybersecurity's latest business developments.
In this week's business news and developments, KPMG has created a spin-out company specializing in AI security that they're calling Cranium, the company reports. KPMG's startup incubator reportedly fostered the creation of the company, and worked in conjunction with the firm's AI security experts.
In labor market news, previously untouched technology giant Apple has decided to make staff cuts, saying that a small number of companies in the corporate retail team would be let go, but allowed to apply to other roles within the company, Computing reports. IBM is also letting go of about 100 people on its IT team in North America and cutting some positions in finance, development, and operations roles. The Information also reports that the recently announced Meta layoffs have created what the affected employees call "paralysis" within the company, as those destined to be laid off may not be notified until later this month, or even in May. For an in-depth foray into this week's cybersecurity business news, check out this week's edition of the CyberWire's Pro Business Briefing.
Research developments this week.
In this week's updates on cyber research, Check Point has observed a new strain of ransomware the company is calling "Rorschach," which "is one of the fastest ransomware observed, by the speed of encryption." Recorded Future's Insikt Group outlines the activities of "RedGolf," a Chinese state-sponsored threat actor that exhibits close overlaps with APT41. A new strain of Chromium-based browser malware, “Rilide,” has been uncovered by Trustwave SpiderLabs. Symantec, a Broadcom company, discovered that Mantis (aka Arid Viper, Desert Falcon, APT-C-23) is now mounting attacks against Palestinian targets with a new set of tools. SentinelOne describes “AlienFox,” a toolset designed to steal credentials and API keys from at least eighteen cloud service providers. The toolset is being sold on Telegram, and is under active development. Researchers at Orca Security discovered a Cross-Site Scripting (XSS) vulnerability affecting Azure Service Fabric Explorer (SFX). For a deeper look into this week's updates on cybersecurity research, take a peek at this week's CyberWire Pro Research Briefing.