At a Glance.
- Attribution and motivation of "RedStinger" remain murky.
- DDoS "carpet bombing."
- Cyber agencies warn of BianLian ransomware.
- Chinese government-linked threat actors target TP-link routers with custom malware.
- Russia-Ukraine hybrid war update.
- Patch news.
- Crime and punishment.
- Courts and torts.
- Policies, procurements, and agency equities.
- Labor markets.
- Mergers and acquisitions.
- Investments and exits.
- And security innovation.
Attribution and motivation of "RedStinger" remain murky.
The RedStinger campaign Malwarebytes described last week seems to have been active against both Ukrainian and Russian targets. A discussion in Cybernews notes that while the APT group (which the outlet refers to as "Red Stealer"), is known to have been active between 2020 and 2022 and seems to be Russian, its motivation is curious, as it has collected against targets on both sides of Russia's war with Ukraine. One possible explanation is that RedStinger was interested in quasi-domestic surveillance of officials in Ukrainian provinces illegally annexed by Russia. A report in SC Media observes "An example of the baffling diversity of the targets of Red Stinger’s attacks occurred in September last year when Russia held referendums in Luhansk, Donetsk, Zaporizhzhia and Kherson seeking support for its occupation. The group targeted several election officials involved in the Russian referendums, but during the same operation it also targeted a Ukrainian library in the city of Vinnytsia."
Malwarebytes has recently reported on a cyberespionage group of uncertain provenance, RedStinger, which appears to have selected targets on both sides of Russia's war against Ukraine. Kaspersky researchers this morning released a report on a group they call CloudWizard, and which they explicitly identify not only with RedStinger, but also with the groups responsible for earlier operations in the region going back as far as 2008. Kaspersky as a matter of policy doesn't attribute cyber operations to nation-states. Who's behind RedStinger (or CloudWizard) remains an open question. Whoever it turns out to be, WIRED points out, the ability to quietly mount offensive cyber campaigns over a fifteen-year period is remarkable.
DDoS "carpet bombing."
Corero this week released its 2023 DDoS Threat Intelligence report, detailing the DDoS landscape and its evolution in the past year. The research showed a 300% increase from 2021 to 2022 in what are known as “carpet-bomb” DDoS attacks; attacks which researchers define as “distribut[ing] traffic across large IP address spaces, challenging standard victim-oriented detection and mitigation techniques.” Botnet attacks that resemble the patterns of the Mirai botnet have spiked to over seven times the amount of traffic from 2021 to 2022. Domain Name System (DNS) services were also a much heavier target for DDoS attackers, seeing double the amount of attacks as occurred in 2020.
Cyber agencies warn of BianLian ransomware.
Australian and US agencies, specifically the Australian Cyber Security Centre (ACSC), the US Federal Bureau of Investigation (FBI), and the US Cybersecurity and Infrastructure Security Agency (CISA), have issued a joint warning about BianLian ransomware. The criminal group behind it has been especially active against targets in Australia, but it represents a general threat. "The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials," the advisory says, adding that it "uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega." BianLian had formerly used a double-extortion approach, but has recently shifted toward a model that relies solely on threats to release (as opposed to encrypt or destroy) the victim's data. "BianLian group engages in additional techniques to pressure the victim into paying the ransom; for example, printing the ransom note to printers on the compromised network. Employees of victim companies also reported receiving threatening telephone calls from individuals associated with BianLian group."
Chinese government-linked threat actors target TP-link routers with custom malware.
A Chinese state-sponsored threat actor (“Camaro Dragon,” as the researchers call it) is using a custom backdoor named “Horse Shell” to infect TP-link routers. In a report released May 16th, Check Point Research found that this advanced persistent threat (APT) is using tailored access tools to infect TP-link routers specifically targeting European foreign affairs entities. “The discovery is yet another example of a long-standing trend of Chinese threat actors to exploit Internet-facing network devices and modify their underlying software or firmware.” The APT’s “Horse Shell” backdoor is a custom MIPS32 ELF implant that allows the organization to maintain persistence on the infected machine. Check Point writes, “The implant provides the attacker with 3 main functionalities: remote shell, file transfer, and tunneling.” The implant is not specific to TP-link routers: it can be configured to affect other firmware as well. The attack vector used to gain infiltration and infection is so far undetermined. There are significant code overlaps between Camaro Dragon's tools and those used by Mustang Panda, enough to suggest that the two APTs with pony-car-inspired names are related, but Check Point stops short of identifying them. More research remains to be done, and in the meantime they're tracking the groups separately.
Russia-Ukraine hybrid war update.
CISA, the US Cybersecurity and Infrastructure Security Agency, has published a compendium of its studies of "the Russian government’s malicious cyber activities." The most recent entry is last week's discussion of the Snake malware and its disruption by the Five Eyes. The oldest entry goes back to December 29, 2016, and covers the Grizzly Steppe operation conducted against US targets associated with the 2016 US elections. It's noteworthy that CISA's report addresses only Russian government malicious activity. The large and active Russian cyber underworld is outside the scope of the summary.
Ukraine isn't a NATO member, but it's now a "Contributing Participant" (along with Ireland, Iceland, and Japan) in NATO's Cooperative Cyber Defence Centre of Excellence (CCDCOE). Computing reports that progress toward that status began shortly after Russia's invasion last year. It's now a formal reality.
A study the Center for Strategic and International Studies (CSIS) published this week addresses various aspects of the war in cyberspace. One of the report's constituent essays, by Erica D. Lonergan, looks at the use of "proxies," that is, deniable hacktivist or criminal groups that serve as cyber auxiliaries under the direction of state authorities. That direction can be relatively loose or relatively stringent. The essay takes two representative and opposing groups, the IT Army of Ukraine (working in the interest of Kyiv) and KillNet (working for Moscow). It sees similarities in the effects they've achieved--nuisance-level hacking, for the most part--and it concludes that the proxies have had their most significant effect in terms of propaganda.
KillNet posted an approving link to an online psyop radio station centered around demoralizing Ukrainian and foreign troops fighting in Ukraine. On its website Radio Life (Radio Zhizn) explains that its mission is to “help Ukrainian military members to make the right choice, accept the only decision, which will help save their own lives and the lives of their loved ones.” In the five minutes we were able to listen to it, the radio station was blasting Quiet Riots’s “Cum on Feel the Noize,” but the broadcast abruptly fell silent. The station also broadcasts to the Kharkov and Kherson Oblasts in Ukraine via VHF radio channels.
Patch news.
CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities Catalog (KEV). Vulnerabilities are added to the catalog based on evidence of active exploitation in the wild. US Federal civilian executive agencies have until June 2nd, 2023, to address them:
- CVE-2023-25717 Multiple Ruckus Wireless Products CSRF and RCE Vulnerability
- CVE-2021-3560 Red Hat Polkit Incorrect Authorization Vulnerability
- CVE-2014-0196 Linux Kernel Race Condition Vulnerability
- CVE-2010-3904 Linux Kernel Improper Input Validation Vulnerability
- CVE-2015-5317 Jenkins User Interface (UI) Information Disclosure Vulnerability
- CVE-2016-3427 Oracle Java SE and JRockit Unspecified Vulnerability
- CVE-2016-8735 Apache Tomcat Remote Code Execution Vulnerability
One of the more noteworthy vulnerabilities CISA added to its Known Exploited Vulnerabilities Catalog Friday was the critical remote code execution (RCE) issue affecting multiple Ruckus products. Bleeping Computer reports that the flaw concerns devices using the Ruckus Wireless Admin panel. The CVE-2023-25717 vulnerability, while first acknowledged in February, has probably not seen many patches on vulnerable Wi-Fi access points, which in these attacks have been targeted by AndoryuBot malware. The malware, once within the system, adds the compromised device to a botnet for use in distributed-denial-of-service (DDoS) attacks. Ruckus released a security bulletin in February that was updated last week, detailing the almost 60 devices impacted and patches available. Many end-of-life devices, however, have no patch available.
Crime and punishment.
Joseph Garrison, an 18-year-old from Wisconsin, was charged with hacking into approximately 60,000 DraftKings sports betting accounts in November of 2022. The complaint filed by the FBI explained that Mr. Garrison was able to purchase credentials from a third-party site and sell around 1,600 of the hacked accounts causing about $600,000 to be withdrawn from victims’ accounts. BleepingCoputer explains, “Garrison and his co-conspirators devised a method allowing buyers of the stolen accounts to withdraw all funds, instructing them to add a new payment method to the hacked accounts, deposit a nominal sum of $5 through the newly added payment method to verify its validity, and subsequently withdraw all existing funds from the victims' accounts to a separate financial account under the attackers' control.” Mr. Garrison is also accused of running a dark web trafficking site that sells hacked accounts. The complaint alleges, “On the Garrison Phone, law enforcement located an undated picture showing that Goat Shop had sold 225,247 products for total sales revenue of $2,135,150.09.”
Courts and torts.
The Supreme Court made decisions on two cases concerning the liability of social media platforms that contain terroristic content. Both cases, Twitter v. Taamneh and Gonzalez v. Google, were initiated by the families of ISIS victims in Paris and Istanbul. The case against Twitter raised the question of whether the platform can be accused of aiding in terrorism for hosting tweets from ISIS, CNN writes. The case against Google asks if their recommendation system is protected under Section 230 of the Communications Decency Act, which Article 19 explains “grants legal immunity to online platforms for content posted by third parties and allows platforms to remove objectionable content without exposing themselves to liability.” The Supreme Court unanimously ruled in favor of Twitter, and dismissed the case against Google.
Bloomberg reports that Meta Platforms inc., owner of Facebook, is going to be given a record breaking fine from Ireland’s data protection commission. The fine, which is said to “eclipse the previous record breaking fine given to Amazon ($809 million), is a punishment for “failing to heed a top court warning aimed at protecting users’ data from the prying eyes of US security services once it’s shipped to servers across the Atlantic, according to people familiar with the case, who spoke on condition of anonymity.” wrote Bloomberg. Representatives from Meta have declined to comment as of the writing of this article.
Policies, procurements, and agency equities.
Voting security has been a top concern for US lawmakers in recent years, and two US Senators last week introduced a bipartisan measure aimed at bolstering the cybersecurity of the nation’s election infrastructure, Nextgov.com reports.The Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing (or SECURE IT) Act would require voting machines undergo penetration testing inorder to be certified for election use.
Health IT Security reports that two US Senators have introduced the Rural Hospital Cybersecurity Enhancement Act, a bill focused on improving the cybersecurity of rural healthcare facilities. The measure was proposed by Senators Josh Hawley, Republican of Missouri, and Gary Peters, Democrat of Michigan, after a recent Homeland Security and Governmental Affairs Committee (HSGAC) hearing highlighting the difficulties faced by rural hospitals lacking the budget and staffing to properly address cybersecurity.
CEO of OpenAI Sam Altman testified before US Congress this week to discuss ways to mitigate the potential perils of artificial intelligence. Wired reports that senators at the hearing from both sides of the aisle voiced their desire to create a federal agency devoted solely to regulating AI. Senator Peter Welch, a Democrat from Vermont, stated, “Unless we have an agency that is going to address these questions from social media and AI, we really don’t have much of a defense against the bad stuff, and the bad stuff will come. We absolutely have to have an agency.” Senator Richard Blumenthal, a fellow Democrat and chairman of the hearing, noted that an AI regulator would need sufficient financial support to keep up with the rapid developments in the AI sphere. “Without proper funding you’ll run circles around those regulators,” Blumenthal told Altman and Christina Montgomery, IBM’s chief privacy and trust officer. However, not everyone agrees a single regulating body is the solution. The think tank Center for Data Innovation released a letter after the hearing stating, “Just as it would be ill-advised to have one government agency regulate all human decision-making, it would be equally ill-advised to have one agency regulate all AI.” Instead, the Center advocates for updating current laws and encouraging existing federal agencies to engage in AI oversight.
Labor markets.
Akamai announced slashes to its workforce this week, cutting employee count back by 3%, GovInfoSecurity reports. 3% of the almost 10,000 employees staffed means cuts of around 299 positions, in an effort from the company to cut costs and shift resources from the delivery side of the company to cloud computing.
In addition to bringing Linda Yaccarino in as Twitter’s CEO this week, Elon Musk was calling those trying to continue working remotely “morally wrong,” CNBC reports. He compared the idea of work from home to the often misattributed Marie Antoinette quote, “Let them eat cake,” calling tech workers “laptop classes living in la-la land” because service workers are still expected to show up.
Mergers and acquisitions.
ReliaQuest has shared their acquisition of agent software assets as well as the engineering team from EclecticIQ. The security operations provider says that the acquisition will allow for enhanced capabilities within current GreyMatter integrations and growth into new integrations.
TechCrunch reports that Polar Security, an Israeli startup specializing in data security posture management, has been acquired by IBM. The company will reportedly be integrated into IBM’s Guardium unit, but no price was disclosed.
Data security software company Data443 Risk Mitigation has announced an agreement for the acquisition of assets from Cyren. The agreement will allow the Israeli company’s offerings to grow Data443’s security and cyber threat intelligence services. The transaction is expected to close in the third quarter of 2023.
Investments and exits.
One of the largest investments to date in cloud physical security was announced today; SECOM CO. made a primary equity investment of $192 million into two companies. The first company, Eagle Eye Networks, saw a $100 million investment, and the other, Brivo, received $92 million. Eagle Eye Networks specializes in cloud video surveillance, and Brivo focuses on cloud-based access control and smart tech.
Huntress has raised $60 million in a Series C funding round, led by Sapphire Ventures with participation from Forgepoint Capital and JMI Equity. The company says the funding will go toward their managed security platform. "There are 32 million SMBs in the United States alone. At Huntress, our mission is to ensure that all businesses, regardless of size, have access to the cutting-edge solutions they need to continuously operate free from cybersecurity threats,” said Kyle Hanslovan, CEO and Co-Founder of Huntress. “I’m inspired by the passion our investors share for protecting these companies. With Sapphire Ventures, Forgepoint and JMI at our side, I am confident that we can make a real difference.”
Virginia-based data startup Stardog has seen an investment from Accenture Ventures, the consulting company’s investment arm, Citybiz reports. This builds on $23.3 million in previous investments from companies including Core Capital Partners, Grotech Ventures, Tenfore Holdings, among others.
And security innovation.
The Electronic Frontier Foundation (EFF) shares a tutorial on activating Advanced Data Protection on Apple’s iOS. Prior to 2023, Apple offered end-to-end encryption for only some iPhone data like passwords or health data, but in January of this year the company globally released an added layer of security that also protects iCloud backups and other important files. In order to take advantage of this new feature, users must first enable two-factor authentication for your Apple account and update all Apple devices to iOS 16.3 or higher. Though not perfect (mail, contacts, and calendar events are not encrypted, and encryption isn’t always maintained when a document is shared with another user), Advanced Data Protection is a step in the right direction, and EFF hopes that Google, Microsoft, and other heavy-hitters will soon follow Apple’s example.
The US Transportation Security Administration (TSA) has begun testing the use of facial recognition technology at airports in sixteen cities including Baltimore, Washington, DC, Atlanta, Boston, and Los Angeles. Jason Lim, TSA’s identity management capabilities manager, explained to reporters, “What we are trying to do with this is aid the officers to actually determine that you are who you say who you are.” AP News explains that the facial recognition technology compares the passenger’s face to the image on their ID or passport in an effort to improve the efficiency of the identity verification process