At a glance.
- 3CX is not the only victim in the recent supply chain attack.
- PaperCut critical vulnerability under active exploitation.
- KillNet makes moves likely aimed at publicity and profit.
- Report: the alleged Discord Papers leaker shared earlier and more widely than previously known.
- Infostealer traded in the C2C market.
- Russia-Ukraine disinformation update.
- Crime and punishment.
- Courts and torts.
- Policies, procurements, and agency equities.
- Labor markets.
- Mergers and acquisitions.
- Investments and exits.
3CX is not the only victim in the recent supply chain attack.
The supply chain attack that affected 3CX didn’t end at the telecommunications company. The Trojanized X_Trader software which led to the 3CX attack was available for download in 2022, and it seems to have been downloaded by at least two critical infrastructure organizations. Symantec reported that “The process for payload installation is almost identical as that seen with the Trojanized 3CX app.” Given the financial nature of the initially infected software, it seems that this could be a financially motivated attack. Symantec explained that there are probably more victims as this breach is indicative of a complex and “successful template for software supply chain attack.” For information on this supply-chain attack, see CyberWire Pro.
PaperCut critical vulnerability under active exploitation.
Last Friday CISA added three vulnerabilities to its Known Exploited Vulnerabilities Catalog, most notably CVE-2023-27350, the PaperCut MF/NG Improper Access Control Vulnerability. PaperCut has published details of the critical vulnerability (CVSS 9.8), which affects the application servers running its MF and NG print-management software. The company explained, “The PaperCut application is popular with the State, Local, and Education (SLED) type organizations, where just education makes up 450 of those results.” PaperCut released a security patch on 8 March 2023 to address this vulnerability, and updated its bulletin today urging users to apply the latest patch immediately, as it believes some unpatched servers are being actively exploited.
Microsoft tweeted Wednesday that it had attributed exploitation of the PaperCut vulnerabilities to the Cl0p ransomware operation, with further intrusions leading to LockBit deployment, and that the exploitation dated back to April 13th. Microsoft said, “We’re monitoring other attacks also exploiting these vulnerabilities, including intrusions leading to Lockbit deployment. More threat actors could follow suit. It’s critical for orgs to follow PaperCut’s recommendation to upgrade applications and servers.” BleepingComputer, which is periodically in touch with the Cl0p operators, reports, “The Clop ransomware operation confirmed to BleepingComputer that they were behind the attacks on PaperCut servers, which they started exploiting on April 13th… In reply to our questions about the LockBit attacks, Microsoft said they had nothing further to share.”
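The practical question for defenders is simply which PaperCut servers in the estate are still below the fix level. The following triage script is an added example, not PaperCut's own tooling or anything quoted above. The fix levels (20.1.7, 21.2.11, 22.0.9) and the "8.0 and later are affected" scope are taken from the vendor bulletin as recalled here and should be confirmed against the current bulletin; the host inventory is constructed sample data.

```python
import re

# Fix levels for CVE-2023-27350 per PaperCut MF/NG release branch. Assumed from
# the vendor bulletin, not from the text above; verify before relying on them.
FIXED_BY_BRANCH = {
    20: (20, 1, 7),
    21: (21, 2, 11),
    22: (22, 0, 9),
}
# The bulletin scopes the flaw to all MF/NG releases from 8.0 onward (assumed).
EARLIEST_AFFECTED = (8, 0, 0)

# 'major.minor.patch' with an optional '(Build NNNNN)' suffix as PaperCut prints it.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*\(Build\s+\d+\))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Parse a PaperCut version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised PaperCut version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_vulnerable(version: str) -> bool:
    """True if this MF/NG version predates the fix for CVE-2023-27350."""
    v = parse_version(version)
    if v < EARLIEST_AFFECTED:
        return False
    fixed = FIXED_BY_BRANCH.get(v[0])
    if fixed is None:
        # Branches 8.x-19.x got no fixed release and must be upgraded; branches
        # newer than those listed are assumed to ship with the fix already in.
        return v[0] < min(FIXED_BY_BRANCH)
    return v < fixed


# Constructed sample inventory: one 'hostname,version' record per line.
SAMPLE_INVENTORY = """\
print-01.example.internal,22.0.8 (Build 60001)
print-02.example.internal,22.0.9 (Build 60002)
print-03.example.internal,21.2.10
library-print.example.internal,19.2.3
old-lab.example.internal,7.5.0
mystery.example.internal,unknown
"""


def triage(inventory: str) -> dict:
    """Bucket hosts into 'vulnerable', 'not_vulnerable' and 'unparsed'."""
    result = {"vulnerable": [], "not_vulnerable": [], "unparsed": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(",")
        try:
            bucket = "vulnerable" if is_vulnerable(version) else "not_vulnerable"
        except ValueError:
            bucket = "unparsed"  # never silently treat an unknown version as safe
        result[bucket].append(host.strip())
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

A version check only tells you which servers are exposed; given that exploitation has been under way since at least April 13th, any server found below the fix level should be treated as potentially already compromised and investigated, not just patched. Unparseable versions are deliberately reported rather than assumed safe.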
KillNet makes moves likely aimed at publicity and profit.
In addition to creating its own virtual community college, KillNet has been advertising various malign tools. Specifically, the hacktivist auxiliary announced on 16 April that it had partnered with operators of Titan Stealer, an accomplice in the nuisance attack against NATO School Oberammergau. Titan Stealer is billed as “a universal instrument for those who possess professional knowledge in their field as well as amateurs.”
Looking, apparently, for a bigger payday, yesterday the Russian cyber auxiliary KillNet announced that they would become Russia’s “Private Military Hacker Company (PMHC).” What this means for their operational tempo is unclear, but they promised they would continue distributed denial-of-service (DDoS) attacks against NATO sites as they pursue their current objective of “destroying NATO infrastructure.” The group says it will now also accept jobs from private individuals and from governments. They will still work to defend Russian interests. They explained in their post that they will no longer be making money from donations and promised sponsorships (and they included an emoji that indicated the sponsorships fell short of expectations).
Earlier this month KillMilk, the group’s nominal leader, had explained that he was tired of waiting for government personnel and businessmen to fund his group’s cyber escapades. Shortly after their announcement they changed their channel name to PMHC KillNet. This could be just a publicity stunt, as the ramifications of a cybercriminal group sanctioned by Moscow attacking NATO websites are unknown but probably severe. KillNet has yet to release any information on pending contracts (either governmental or private) to conduct cyber warfare. Early this Friday the group announced that they would be unavailable for 72 hours while they reorganized, presumably to structure themselves to better suit the role as a private military hacking company.
Additionally, Anonymous Russia launched their new DDoS tool kit today. The KillNet subgroup claimed it used the tool to shut down Defense.gov earlier in the week, but the site still seems to function normally.
Report: the alleged Discord Papers leaker shared earlier and more widely than previously known.
The New York Times reports that it has found signs that Airman Jack Teixeira, who faces US Federal charges in the Discord Papers case, began sharing highly classified intelligence about Russia's war against Ukraine earlier than had hitherto been reported, and that he appears to have done so in a second Discord channel that was larger than the Thug Shaker Central group he's been associated with. "In February 2022, soon after the invasion of Ukraine," the Times writes, "a user profile matching that of Airman Jack Teixeira began posting secret intelligence on the Russian war effort on a previously undisclosed chat group on Discord, a social media platform popular among gamers. The chat group contained about 600 members." The Times also reports that the Airman direct-messaged foreign members of the group offering to tell them more about the information he had available: “DM me and I can tell you what I have.” The evidence connecting Airman Teixeira with the recently discovered Discord group is circumstantial but suggestive. Neither his defense attorney nor the FBI and the US Justice Department were willing to comment to the Times on the story.
Infostealer traded in the C2C market.
SecurityWeek reports that researchers at threat-intelligence company Cyble have analyzed an infostealing malware tracked as “Atomic macOS Stealer,” or AMOS for short. The malware incorporates an array of data theft capabilities. One of its authors claims on Telegram that AMOS can steal “all passwords from the Keychain, full system information, and files from the compromised computer.” The malware has been offered to the criminal-to-criminal trade by subscription on Telegram for $1,000 a month. AMOS is also allegedly capable of stealing passwords, cookies, crypto wallets, and payment information from a multitude of browsers. “The malware is delivered as a .dmg file and, when first executed, it displays a fake prompt to trick the victim into handing over their macOS system password.” This is notable because, as SecurityWeek highlights, macOS malware may boast many capabilities, but getting it to run on the system in the first place can prove difficult. The outlet also reports that a Trellix researcher noticed an IP address in use by the malware that could potentially be linked to Raccoon Stealer, a malware used by threat actors in Ukraine and Russia.
Russia-Ukraine disinformation update.
The UK's Ministry of Defence (MoD) devoted Saturday morning's situation report to the difficulty Moscow is having maintaining narrative control over its war against Ukraine. "The Russian state is struggling to maintain consistency in a core narrative that it uses to justify the war in Ukraine: that the invasion is analogous to the Soviet experience in the Second World War. On 18 April 2023, Russian state media announced the cancellation of this year’s Immortal Regiment ‘Great Patriotic War’ remembrance marches on ‘safety’ grounds. In reality, the authorities were highly likely concerned that participants would highlight the scope of recent Russian losses."
KillNet released a statement yesterday warning Russian citizens to be aware of disinformation campaigns from Ukraine and "The West." Specifically, the hacktivist auxiliary explains that, “The Ukrainians and NATO will use the talks between China and Zelenskyy as a catalyst for information attacks and influence towards the citizens of Russia and its military.” Regarding the expected Ukrainian counteroffensive, KillNet gave three possible scenarios:
- The counteroffensive could be called off due to the heavy Ukrainian casualties in Bakhmut.
- The counteroffensive will take place as expected, and the Ukrainian forces will use Western-supplied equipment to take back a small amount of land.
- The attack is a bluff to intimidate Russia and its military.
Speaking at RSAC this week, Illia Vitiuk, Ukraine's head of the Department of Cyber Information Security in the Security Service of Ukraine, urged that cyberattacks against civilian infrastructure should be treated as war crimes. “I do believe that military commanders that are in charge of special forces and special services like the [Russian] GRU or SVR who are responsible for cyber-attacks on civilian infrastructure should also be convicted as war criminals,” Infosecurity Magazine quotes him as saying.
Vitiuk also presented the case, CyberScoop reports, that there are no genuine hacktivists working in the interest of Russia. “More than 90% of all cyber attacks targeting Ukraine are either conducted by special services or by state sponsored groups,” Vitiuk said. “I do believe that there is no so-called ‘hacktivism’ in Russia at all.” He described a brief wave of pre-war Russian arrests of cybercriminals as effectively an intimidation campaign: work for the security organs or face the consequences. The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.
Crime and punishment.
Bank Info Security reported on the arrest in Ukraine of a man accused of selling the personal data of over 300 million individuals. The Cyber Police of Ukraine allege that the man used closed groups and channels in Telegram to target customers “using currencies prohibited on the territory of Ukraine" in order to steal personal information including Ukrainian and European passport details, taxpayer and driver's license numbers, bank account data, and birth certificates.
Troy Hunt, the founder and maintainer of the data breach alerting website Have I Been Pwned, says he was informed that hackers infiltrated two dating websites. The attackers made off with email addresses, direct messages, profile pics, sexual orientation, dates of birth and other personal data from users of the sites CityJerks and TruckerSucker. User passwords were also among the stolen data, hashed with a weak algorithm that cybercriminals could potentially crack offline. Hunt told TechCrunch, “It’s really just a typical forum breach, albeit with super sensitive content.” This content, which includes graphic messages sent by users, has been advertised for sale on a hacking forum, and the seller says it includes info on 8,000 TruckerSucker users and 77,000 CityJerks users. The platform administrators have so far not responded to reporters seeking comment.
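Why "weak algorithm" matters in a breach like this: a fast, unsalted hash lets an attacker with the dump test candidate passwords at full speed and recover every user who chose the same password in one lookup. The example below is added here and is not code from Hunt, TechCrunch or either site; the page does not name the algorithm, so unsalted MD5 stands in for the weak scheme (an assumption), with salted PBKDF2-HMAC-SHA256 from the standard library as the contrast. The user records and wordlist are constructed.

```python
import hashlib
import secrets
from typing import Optional

# Constructed sample: three users, two of whom chose the same password.
SAMPLE_USERS = {
    "alice": "trucker2019",
    "bob": "trucker2019",
    "carol": "Correct-Horse-Battery",
}
# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "trucker2019", "letmein"]


def weak_store(password: str) -> str:
    """Unsalted MD5 (assumed weak scheme): fast, and identical passwords collide."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_store(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unexpected scheme {scheme!r}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return secrets.compare_digest(dk.hex(), dk_hex)


def crack_weak(stored: dict, wordlist: list) -> dict:
    """Offline dictionary attack on unsalted hashes: hash each candidate once,
    then every user with a matching digest falls out of a single lookup table."""
    table = {weak_store(word): word for word in wordlist}
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def demo() -> dict:
    """Contrast the two storage schemes on the constructed sample."""
    weak = {u: weak_store(p) for u, p in SAMPLE_USERS.items()}
    strong = {u: strong_store(p) for u, p in SAMPLE_USERS.items()}
    return {
        "cracked": crack_weak(weak, WORDLIST),
        "weak_duplicates_visible": weak["alice"] == weak["bob"],
        "strong_duplicates_visible": strong["alice"] == strong["bob"],
        "strong_still_verifies": verify_strong("trucker2019", strong["alice"]),
        "strong_rejects_wrong": verify_strong("wrong", strong["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salted, iterated scheme does not make a weak password strong; it only raises the per-guess cost and prevents one cracked hash from unlocking every account that shares it. Against a dump of unsalted fast hashes, the attacker's work is bounded by the wordlist, not by the user count.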
Courts and torts.
Google this week explained steps it is taking to disrupt the CryptBot malware gang’s infrastructure after securing a court order against the malware’s operators. The tech giant has filed litigation against the CryptBot distributors, who it believes operate out of Pakistan and run what it calls a “worldwide criminal enterprise.“ The legal complaint Google filed is based on multiple claims, which include “computer fraud and abuse and trademark infringement.” The company has been granted a temporary restraining order, BleepingComputer reports, that allows it to take down domains linked to the malware both now and in the future. Google says this will hinder CryptBot’s growth and slow the rate of new infections (which Google estimated at about 670,000 last year). “Lawsuits have the effect of establishing both legal precedent and putting those profiting, and others who are in the same criminal ecosystem, under scrutiny.” For more on Google's action against CryptBot, see CyberWire Pro.
Policies, procurements, and agency equities.
China’s Standing Committee of the 14th National People's Congress (NPC) will be starting off the week by reviewing the third draft of a Counter-Espionage Law Amendment. The original law was established in 2014, and the amendment‘s goal is to adapt to the modern digital landscape by focusing on the regulation of cyber espionage. As the Global Times explains, the legislation classifies digital activities like cyberattacks and interference targeting government organizations or information infrastructure as espionage. The amendment also states that if a cyberattack takes down critical infrastructure, the related authorities have the power to make decisions to resume information transmission and services in a timely fashion. Zang Tiewei, spokesperson for the Legislative Affairs Commission of the NPCSC, said at a Friday press briefing that in recent years espionage and intelligence activities have grown more complex, expansive, and covert, and the amendment is aimed at addressing these challenges.
Legislators in the state of Wisconsin are considering a law that would limit teenagers’ social media consumption. Representative David Steffen is sponsoring a bill that would place control of children's social media accounts in the hands of their parents, and it would impose a social media curfew for anyone under eighteen years of age. The measure would give parents full access to their children's accounts, and would inactivate the accounts of minors from 10pm to 7am. It would also limit targeted ads shown to minors, and would make it easier for parents to file a legal complaint against a social media company. Wisconsin Public Radio notes that not everyone agrees such legislation is necessary, and some experts say social media can even have a positive impact on social development and creativity. University of Wisconsin-Madison researcher Heather Kerkorian explained, "If we look at individual kids, some kids might benefit a lot from social media, some might be harmed by social media and most of them are not affected much.”
While speaking at the RSA Conference this week, Acting National Cyber Director Kemba Walden said that a plan to enact the US’s recently released national cyber strategy could be unveiled by early summer. As the Record explains, Walden’s office, in collaboration with the Office of Management and Budget, will be overseeing implementation of the strategy, which came out just last month. After explaining that officials had been working on assigning roles and responsibilities, Walden stated, “When this implementation plan is published, it's not going to be sexy. It's really going to be about who's accountable for what, who's responsible for what in the policy making process.” She went on to say that creation of the implementation plan would be inclusive of voices outside government, and that it would be “dynamic and interactive,” changing as tasks are completed.
Labor markets.
In this week’s cybersecurity labor market news, WatchGuard Technologies has announced plans to grow within India, intending to double its work force to 200 employees within the next year and open a new office in Noida. MoneyControl shares that the global company will be seeing growth across several vectors in 2023. CRN Australia reports that cloud firm F5 is slashing its workforce by 9%, and that senior executives will be seeing cuts to bonuses in order to lower costs. The Information reports that last Wednesday saw the beginning of notifications of layoffs at Meta in their second round of cuts since November of last year. The cuts reportedly impact about 4,000 people in technical roles across various parts of the company. For more on business news see CyberWire Pro.
Mergers and acquisitions.
Washington’s ZeroFox has completed its acquisition of external attack surface management and threat intelligence provider LookingGlass Cyber Solutions. This follows the initial announcement of the acquisition earlier this month.
TIM has acquired Italian TS-Way, a cyber threat intelligence, prevention and analysis provider. Capacity reports that the transaction was completed through Telsy, a company under TIM Group focused on cybersecurity.
Investments and exits.
PricewaterhouseCoopers LLP (PwC) has shared plans to invest $1 billion in generative artificial intelligence technology over the next three years into its US operations, the Wall Street Journal reports. The consulting firm has said it will be working with Microsoft and OpenAI for the automation of some of its services.
Texas-based cyber resilience platform provider Halcyon has raised $50 million in a Series A funding round led by SYN Ventures, with participation from Dell Technologies Capital and Corner Ventures, among others. The company plans to use the funding for the development and deployment of its platform.
Secure wearable provider Token has raised $30 million in financing from Grand Oaks. The funding comes in the form of a $20 million secured note, as well as a $10 million convertible note. The company intends to use the funding to invest in product development and the launch of their multifactor authentication solution.
XIoT security company NetRise has raised $8 million in funding in a round led by Squadra Ventures, with participation from Miramar Digital Ventures, Sorenson Ventures, and DNX Ventures. "Firmware security is not a problem that is relegated to a particular vertical or industry. We have built our platform in such a way that support for automotive, networking equipment, consumer IoT, industrial control systems, and medical device firmware alike are all supported." said Tom Pace, co-founder and chief executive of NetRise. "While working at the Department of Energy, I saw firsthand how little insight we had into the vulnerabilities and risks embedded in technology critical to every aspect of our daily lives. Our vision is that every technology user understands the ingredients in their tools and the potential implications of those components, no matter the source."