Almost 180 organizations are still vulnerable to the GoAnywhere MFT vulnerability.
The Record reports that “Dozens of organizations are still exposed to cyberattacks through a widely-abused vulnerability in GoAnywhere MFT — a web-based tool that helps organizations transfer files — according to new research.” The vulnerability, CVE-2023-0669, was patched in February, but as Censys reports, “Over 2 months after this zero day was disclosed, Censys continues to observe almost 180 hosts running exposed GoAnywhere MFT admin panels, with 30% of these showing indications of remaining unpatched and potentially vulnerable to this exploit. A single vulnerable instance has the potential to serve as a gateway to a data breach that could potentially impact millions of individuals.” The number of vulnerable instances is trending slowly downward, but ransomware in general is on the rise, with all of its attendant threats.
CACTUS, a new ransomware strain leveraging VPN appliances to infiltrate its targets.
Researchers at Kroll have discovered a new ransomware family called CACTUS, BleepingComputer reports. “CACTUS has been observed leveraging documented vulnerabilities in VPN appliances in order to gain initial access,” Kroll wrote in a report emailed to CyberWire. The ransomware uses a novel encryptor that is itself delivered in encrypted form and requires a key before it can be decrypted and run, which likely allows it to remain undetected until the threat actors are ready to launch the attack. CACTUS is new, and it has not yet been observed often enough to gather data on ransom demands or on the consequences of not paying. Kroll said, “As of the writing of this bulletin, Kroll had not yet identified a ‘shaming site’ or victim identification-related blog authored by CACTUS for purposes of sharing victim data if a ransom was not paid.”
CISA and FBI release a joint report on PaperCut NG/MF vulnerability exploitation.
CISA and the FBI have released a joint report detailing the PaperCut NG and PaperCut MF vulnerability CVE-2023-27350. The FBI has observed the Bl00dy ransomware gang attempting to exploit the vulnerability on PaperCut servers belonging to education sector targets. “Education Facilities Subsector entities maintained approximately 68% of exposed, but not necessarily vulnerable, U.S.-based PaperCut servers. In early May 2023, according to the FBI, the Bl00dy Ransomware Gang gained access to victim networks across that subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet. Some of these operations led to data exfiltration and encryption of victim systems. The Bl00dy Ransomware Gang left ransom notes on victim systems demanding payment in exchange for decryption of encrypted files.”
More bad bots out there than anyone would like.
Imperva’s 10th edition of the Bad Bot report, which covers automated bot traffic on the internet, found that in 2022 almost 50% of all internet traffic came from automated bots, a 5.1% increase in automated traffic. The report also showed that “good bots” are increasing in prevalence, accounting for 17.3% of all traffic, while “bad bots” (those used by malicious actors to probe sites for vulnerabilities) rose to 30.2%. Imperva writes, “As bad bot evasion techniques become increasingly sophisticated, we are observing a fascinating trend, where advanced bad bot levels (51.2%) are growing at the expense of moderate ones (15.4%).” For more on Imperva's report, see CyberWire Pro.
Russia-Ukraine disinformation update.
The Five Eyes took down the Snake infrastructure Russia's FSB has used for espionage and disruptive activity for almost twenty years. Operation MEDUSA involved not only technical disruption of Snake malware deployments but lawfare as well. Operation MEDUSA was the work of an international partnership whose principal members were, in the US, the NSA, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Cyber National Mission Force (CNMF), and, among the other Five Eyes partners, the Canadian Cyber Security Centre (CCCS), the United Kingdom National Cyber Security Centre (NCSC-UK), the Australian Cyber Security Centre (ACSC), and the New Zealand National Cyber Security Centre (NCSC-NZ). The Joint Cybersecurity Advisory these agencies issued describes Snake as "the most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive targets." The malware is stealthy, readily tailored to specific missions, and well-engineered.
Malwarebytes reports on a cyberespionage group it's calling "RedStinger." The group has been quietly active for at least three years, and Malwarebytes identifies it with the operation Kaspersky has been tracking as "Bad Magic." Malwarebytes says that RedStinger has pursued targets on both sides of Russia's war against Ukraine, and that the victimology renders attribution complex and unclear. Indeed, there is no credible attribution, yet. "In this case, attributing the attack to a specific country is not an easy task. Any of the involved countries or aligned groups could be responsible, as some victims were aligned with Russia, and others were aligned with Ukraine," Malwarebytes writes. "What is clear is that the principal motive of the attack was surveillance and data gathering. The attackers used different layers of protection, had an extensive toolset for their victims, and the attack was clearly targeted at specific entities."
In other cyberattack news, CERT-UA warns that the "financially motivated" Russian criminal group UAC-0006 is pushing SmokeLoader malware in a phishing campaign. CERT-UA describes UAC-0006's track record and its customary aims: "A typical malicious intent is to compromise accountants' PCs (which are used to support financial activities, such as access to remote banking systems), steal authentication data (login, password, key/certificate) and create unauthorized payments (in some cases using HVNC bot, directly from the affected computer)." The phishing emails are staged from compromised accounts, and they often misrepresent themselves as billing documents. The payload is carried in an attached zip file.
Russia's Victory Day celebrations on May 9th were brief and small, scaled down for a number of reasons. President Putin used the occasion to double down on his implausible claim that Russia's war against Ukraine is in fact a defensive war, and that the actual aggressor is the West, acting through Ukrainian terrorist puppets. The Telegraph quotes him as saying, "We have repulsed international terrorism, we will protect the inhabitants of Donbas, we will ensure our security."
The UK's Ministry of Defence (MoD) sees in this week's remarks a retreat from an earlier triumphalism. "In February 2022 Putin announced the Special military operation," the MoD tweeted. "Today he addressed his nation to say 'A real war has once again been launched against our Motherland.' The description of the conflict as a defensive ‘war’ has grown more frequent as his situation has worsened."
Patch news.
Microsoft released 40 security updates affecting various products, and it also republished 9 non-Microsoft CVEs. Simply updating your machines might not solve the problem, as Adam Barnett pointed out: “While a patch enables the configuration options necessary for protection, administrators must apply changes to UEFI config after patching. The attack surface is not limited to physical assets - Windows assets running on some VMs, including Azure assets with Secure Boot enabled, also require these extra remediation steps for protection. Enabling Secure Boot is a foundational protection against driver-based attacks. Defenders ignore this vulnerability at their peril.”
SAP released 25 updates and security patches fixing 26 vulnerabilities, which were given a cumulative CVSS value of 9.8. Onapsis reported that “Version 112.0.5615.121 was an emergency security update by Google that fixes a critical vulnerability tracked as CVE-2023-2033.” Google confirmed that “an exploit for CVE-2023-2033 exists in the wild.” Based on NIST's description of the flaw, the vulnerability allows "a remote attacker to potentially exploit heap corruption via a crafted HTML page."
CISA released a Cyber Advisory Alert stating that Mozilla has released two security advisories, one for Firefox 113 and another for Firefox ESR 102.11. The Firefox 113 advisory reported that 13 vulnerabilities were patched, six of high impact, five moderate, and one low. Firefox ESR fixed eight vulnerabilities, five of high impact, two of moderate impact, and one of low impact.
Adobe patched Substance 3D Painter, fixing 14 vulnerabilities. Adobe Substance 3D Painter versions 8.3.0 and earlier are vulnerable to various memory leaks and arbitrary code execution attacks and should be updated to version 8.3.1, which fixes these vulnerabilities. As SecurityWeek writes, “There is no indication that these flaws have been exploited in the wild. The priority rating assigned by the company also suggests that they are unlikely to ever be exploited for malicious purposes. All of the vulnerabilities were reported to Adobe by researcher Mat Powell through Trend Micro’s Zero Day Initiative (ZDI).”
Crime and punishment.
Joe Sullivan, former security chief at ride-sharing company Uber, has been sentenced to three years of probation for his involvement in the coverup of a 2016 data breach. As SecurityWeek explains, Sullivan was accused of obstructing the US Federal Trade Commission’s investigation into a data breach Uber experienced in 2014. It was while that incident was being investigated in 2016 that Sullivan decided not to disclose a newer breach that was even larger than the first. In this second incident, the data of over 50 million Uber users and drivers was stolen, and the hackers extorted the company, receiving $100,000 through Uber’s bug bounty program. Sullivan allegedly instructed the attackers to sign non-disclosure agreements to keep silent about the stolen data. It wasn’t until a year later, when the company brought on a new CEO, that Sullivan’s actions were discovered. As the Washington Post reports, Sullivan became the first corporate executive to be convicted of crimes related to a data breach carried out by external hackers when he was found guilty of obstruction of justice and concealing a felony. While prosecutors pushed for Sullivan to be sent to prison for fifteen months, US District Judge William Orrick decided on probation and community service, noting Sullivan’s past record of protecting individuals from previous breaches and the actions he took to prevent the stolen data from being released.
Courts and torts.
As concerns about the risks of recent advancements in artificial intelligence mount across the globe, Sam Altman, CEO of AI leader OpenAI, is scheduled to testify before US Congress next Tuesday. As head of the company that developed the hugely popular AI-fueled chatbot ChatGPT, Altman will appear before a Senate panel to discuss government efforts to keep AI in check. As the Washington Post explains, the rapid growth of AI tools has legislators concerned about the massive amounts of data used to train such products, as well as the possibility that AI could be used to spread misinformation or cause other harm to users.
Facebook users can now claim settlement money that stems from several lawsuits asserting that Facebook mishandled users’ private data by giving it to third-party organizations. Facebook’s parent company, Meta, settled for $725 million after many years of litigation that began in 2018. CBS News reports, “The litigation began after Facebook was embroiled in a privacy scandal in 2018 with Cambridge Analytica, which scraped user data from the site as part of an effort to profile voters. Meta denied any liability or wrongdoing under the settlement, according to the recently created class-action website. However, the agreement means that U.S. residents who used Facebook between May 24, 2007, and December 22, 2022, can file a monetary claim as long as they do so before August 25, 2023.”
Policies, procurements, and agency equities.
The European Union Agency for Cybersecurity (ENISA) has released a draft proposal outlining an EU certification scheme that would verify the cybersecurity of cloud services being considered for use by EU governments and businesses. The document states that non-EU cloud service providers that wish to handle sensitive data from EU users must be part of a joint venture with an EU-based company. "Certified cloud services are operated only by companies based in the EU, with no entity from outside the EU having effective control over the CSP (cloud service provider), to mitigate the risk of non-EU interfering powers undermining EU regulations, norms and values," the document said. Employees handling the data must be located in the EU and will have to undergo a screening process. As well, all cloud service customer data must be stored and processed in the EU, and EU data laws will override any non-EU rules. Reuters predicts that US tech giants like Google and Microsoft may be less than pleased with the certification scheme, as it could make it far more difficult for them to engage with the European market, particularly the government cloud market, which has been seen as a potential growth opportunity for these firms. The draft is scheduled for review by EU member states later this month, after which the European Commission will adopt a final version.
The US government has been vocal in discouraging ransomware victims from meeting their attackers’ demands, but has fallen short of implementing an official ban. A top US cybersecurity official says the White House is now considering officially prohibiting ransomware payments. Speaking at the Institute for Security and Technology’s Ransomware Task Force event last Friday, Anne Neuberger, the US’s deputy national security advisor for cyber and emerging technologies, said, “Fundamentally, money drives ransomware and for an individual entity it may be that they make a decision to pay, but for the larger problem of ransomware that is the wrong decision.” Neuberger went on to say that in certain cases the government could grant a waiver to the ban, allowing the victim to pay if, for instance, an attack disrupts critical services.
In February the Australian Attorney General’s office released the Privacy Act Review Report, an examination of the country’s current privacy law, the Privacy Act of 1988. Through 116 proposals, the report recommends an overhaul of the decades-old legislation to bring it into the digital era and make it more comparable to the EU’s General Data Protection Regulation (GDPR). JDSupra discusses the proposals most likely to affect businesses; while some of the changes will streamline privacy practices, others will result in increased regulation. The report recommends expanding the scope of the Privacy Act by changing the definition of the term “personal information” to be more in line with the GDPR’s definition of “personal data.”
Mergers and acquisitions.
London-based data and technology solutions company CACI Limited has acquired national security service provider Bitweave Limited. Bitweave is said to provide “software engineering, data analysis, and cyber services” within the national security sector, and it will operate within CACI’s national security business.
Cybersecurity and cloud service provider DartPoints has acquired Louisiana’s Venyu. Venyu was a provider of data center infrastructure and cloud services, and will expand on DartPoints’ existing coverage, adding locations in Baton Rouge and Shreveport.
Investments and exits.
Colombian telecommunications company Claro Colombia announced last week a $165 million investment in its digital transformation, business intelligence, and cybersecurity. This investment is intended to support further development of digital ecosystems.
Human risk security management platform CultureAI has raised £7 million in seed funding from several investors, including Conviction VC, Passion Capital, and Senovo, with participation from angel investors Paul Forster and Guntram Friede, among others. The funding will be used to develop the UK company’s platform, which is used to detect, measure, and respond to workforce cyber risk.
Singaporean consumer cybersecurity protection provider SquareX has emerged from stealth, raising $6 million in a seed round led by Sequoia Capital Southeast Asia. The investment will fund research and development engineering and go-to-market strategy for the company’s browser-based product, which is still in development.
California-based fraud prevention company Moonsense has raised $4.2 million in seed funding, co-led by XYZ Ventures and Race Capital, with contributions from TheGP, Foothill Ventures, and angel investors. “Our vision is to deliver a next-level data management and AI/ML solution for personalized fraud detection,” said Andrei Savu, Moonsense CEO and Co-founder. User interaction amounts to a behavioral biometric modality, like gait, or, to take an earlier example, a telegraph operator’s “fist.”
Data protection company Optery has raised $2.7 million in seed funding, led by Bayhouse Capital with contributions from Goodwater Capital, Global Founders Capital, Pioneer Fund, Soma Capital, TRAC, and Y Combinator. The California company says the funding will be used to accelerate product enhancements and expand the team. This round brings Optery’s total funding to date to $6 million.