At a glance.
- Motivations: criminal, hacktivist, and strategic.
- Backdoor-like issue found in Gigabyte firmware.
- New Mirai malware uses low-complexity exploits to expand its botnet in IoT devices.
- Mitiga discovers “significant forensic discrepancy” in Google Drive.
- Russia-Ukraine hybrid war update.
- Patch news.
- Crime and punishment.
- Courts and torts.
- Policies, procurements, and agency equities.
- Labor markets.
- Mergers and acquisitions.
- Investments and exits.
Motivations: criminal, hacktivist, and strategic.
Trend Micro describes the recent activity of Void Rabisu, "a malicious actor believed to be associated with the RomCom backdoor." It's a Russian or at least a Russophone gang, and until the last few months its activities and motivations have generally been assumed to be straightforwardly criminal, motivated by financial gain and on the lookout for the main chance. Also known as "Tropical Scorpius," Void Rabisu has been associated with the Cuba ransomware operation (closely linked with Russian intelligence services), and since late 2022 the gang's targeting has increasingly matched Russian state interests. Trend Micro writes, "Void Rabisu’s associated RomCom backdoor was reported to have been used in attacks against the Ukrainian government and military: In a campaign in December 2022, a fake version of the Ukrainian army’s DELTA situational awareness website was used to lure targets into installing the RomCom backdoor." The target selection is that of an intelligence service; the TTPs are those of a criminal gang. "Normally, this kind of brazen attack would be thought to be the work of a nation state-sponsored actor, but in this case, the indicators clearly pointed towards Void Rabisu, and some of the tactics, techniques, and procedures (TTPs) used were typically associated with cybercrime." Trend Micro thinks that Void Rabisu's targeting has been connected to Russian strategic goals since October of 2022. The group's evolution shows the continued blurring of lines between hacktivists, intelligence services, and criminal gangs. Of those three, in Russia's case, the intelligence services are clearly in the saddle.
Backdoor-like issue found in Gigabyte firmware.
Researchers at Eclypsium have discovered a firmware backdoor in motherboards sold by Taiwanese hardware manufacturer Gigabyte. The feature appears to be intended to automate firmware updates, but Eclypsium says it could be abused by threat actors via man-in-the-middle attacks. The researchers compare the vulnerability to other firmware backdoors such as LoJax, MosaicRegressor, MoonBounce, and Vector-EDK.
The researchers explain, “The firmware does not implement any cryptographic digital signature verification or any other validation over the executables. The dropped executable and the normally-downloaded Gigabyte tools do have a Gigabyte cryptographic signature that satisfies the code signing requirements of Microsoft Windows, but this does little to offset malicious use, especially if exploited using Living-off-the-Land techniques (like in the recent alert regarding Volt Typhoon attackers). As a result, any threat actor can use this to persistently infect vulnerable systems either via MITM or compromised infrastructure.” For more on this firmware issue, see CyberWire Pro.
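The missing control Eclypsium describes is a signature check on the fetched executable. As an added example (not Eclypsium's or Gigabyte's code), this Go program shows an updater that refuses any payload whose detached signature does not verify against a vendor public key pinned in the firmware, so an on-path substitution of the payload fails closed. The update format, the Ed25519 key handling and the payload bytes are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is what the updater receives over the network: a payload plus a
// detached signature. Constructed for this example, not a vendor format.
type Update struct {
	Payload   []byte
	Signature []byte
}

// VerifyUpdate accepts the payload only if its signature verifies against a
// public key pinned in the firmware image. On success it returns the payload's
// SHA-256 so the updater can log what it is about to run.
func VerifyUpdate(pinnedPub ed25519.PublicKey, u Update) ([32]byte, error) {
	if len(pinnedPub) != ed25519.PublicKeySize {
		return [32]byte{}, errors.New("pinned public key has wrong size")
	}
	if len(u.Signature) != ed25519.SignatureSize {
		return [32]byte{}, errors.New("missing or malformed signature: refusing to run payload")
	}
	if !ed25519.Verify(pinnedPub, u.Payload, u.Signature) {
		return [32]byte{}, errors.New("signature does not verify: refusing to run payload")
	}
	return sha256.Sum256(u.Payload), nil
}

// Demo models the three cases a defender cares about: a genuinely signed
// payload, the same download with its bytes swapped in transit (signature
// unchanged, since the attacker lacks the vendor key), and an unsigned payload
// of the kind the write-up says the firmware currently runs unchecked.
// Returns (genuineAccepted, tamperedAccepted, unsignedAccepted).
func Demo() (bool, bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor key pair (constructed)
	if err != nil {
		panic(err)
	}
	genuine := Update{Payload: []byte("constructed update payload v1")}
	genuine.Signature = ed25519.Sign(priv, genuine.Payload)
	_, errGenuine := VerifyUpdate(pub, genuine)

	tampered := Update{Payload: []byte("substituted bytes"), Signature: genuine.Signature}
	_, errTampered := VerifyUpdate(pub, tampered)

	unsigned := Update{Payload: []byte("constructed update payload v1")}
	_, errUnsigned := VerifyUpdate(pub, unsigned)

	return errGenuine == nil, errTampered == nil, errUnsigned == nil
}

func main() {
	ok, tampered, unsigned := Demo()
	fmt.Printf("genuine accepted: %v, tampered accepted: %v, unsigned accepted: %v\n", ok, tampered, unsigned)
}
```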
New Mirai malware uses low-complexity exploits to expand its botnet in IoT devices.
Palo Alto’s Unit 42 discovered a new variant of Mirai that targets IoT devices, using several vulnerabilities to propagate itself and add machines to its botnet. This variant, which Unit 42 calls IZ1H9, exploits four vulnerabilities: CVE-2023-27076 (Tenda G103 command injection vulnerability), CVE-2023-26801 (LB-Link command injection vulnerability), CVE-2023-26802 (DCN DCBI-Netlog-LAB remote code execution vulnerability), and CVE-2023-28771 (Zyxel remote code execution vulnerability). Researchers at Unit 42 explain that the infected machines then become part of Mirai’s botnet and can be used for further actions such as distributed denial-of-service (DDoS) attacks. The researchers note that this Mirai strain has been seen in several campaigns, and they assess that these were all conducted by the same threat actor because the botnet samples they analyzed all used the same decryption key and infrastructure. Unit 42 recommends that IoT devices be updated as soon as possible once patches are available. They write, “The vulnerabilities used by this threat are less complex, but this does not decrease their impact, since they could still lead to remote code execution. Once the attacker gains control of a vulnerable device, they can include the newly compromised devices in their botnet.”
Mitiga discovers “significant forensic discrepancy” in Google Drive.
Mitiga released a comprehensive report regarding a “significant forensic deficiency in Google Workspace.” This deficiency allows threat actors to exfiltrate data using Google Drive with no trace. The problem lies in the fact that Google Drive logs, which would allow these activities to be traced, are only active in its premium service “Google Workspace Enterprise Plus.” If an organization is not paying for the service, or an employee is not using a paid license, then the logs remain inactive, allowing threat actors to move data without notice. Mitiga writes, “All users can access the Workspace and complete actions with the files inside their private company drive. They simply do so without generating any logs, making organizations blind to potential data manipulation and exfiltration attacks. When incidents occur, this standard prevents organizations from efficiently responding, as they have no chance to correctly assess what data has been stolen or whether it has been stolen at all.” Mitiga has alerted Google to this discrepancy but, as of the publishing of their report, Google had not yet responded. For more on Mitiga's report, see CyberWire Pro.
Russia-Ukraine hybrid war update.
Russia's FSB says, Reuters reports, that the US National Security Agency (NSA) has succeeded in compromising iPhones used in Russia. The phones belonged mostly to Russian citizens, but the FSB says that iPhones belonging to some foreign diplomats were also affected. The official moral Russia would have public opinion draw from the announcement is that NSA and Apple are conniving with one another. As the Foreign Ministry put it, "The hidden data collection was carried out through software vulnerabilities in U.S.-made mobile phones. The U.S. intelligence services have been using IT corporations for decades in order to collect large-scale data of Internet users without their knowledge." Apple denied working with NSA or any other agency to backdoor its own products in the interest of espionage or surveillance, Reuters reports. In response to FSB charges that Apple had colluded with the US National Security Agency to enable surveillance of Russian iPhone users, Apple said it had "never worked with any government to insert a backdoor into any Apple product and never will."
After unusually heavy Russian missile strikes against Ukrainian cities (seventeen during the month of May alone, Reuters counts), on May 31st drones (almost certainly Ukrainian drones) struck targets inside Russia. Those targets included oil refineries in the vicinity of Novorossiisk and Krasnodar. The Guardian reports, "Drones attacked two oil refineries just 40-50 miles (65-80 km) east of Russia’s biggest oil export terminals on Wednesday, sparking a fire at one and causing no damage to the other, according to Russian officials." More spectacularly, three drones (said to be the survivors of a flight of eight, five of which were either shot down or diverted by Russian defenses) hit a wealthy residential area of Moscow. President Putin called it terrorism, an "attempt to frighten Russians." Ukrainian officials said that, while they welcomed the attack against Moscow and looked forward to more of the same, Ukraine wasn't involved in the strike. (All deliberate or even reckless strikes against civilian targets violate norms of armed conflict.) These unmanned cross-border raids have continued into the start of June as Russian officials report that “From the morning of 01 June, partisan groups attacked Russia’s Belgorod region for the second time in ten days. In a complex battlefield situation, what appeared to be uncrewed aerial vehicles also struck Belgorod city (35km inside Russia), while the authorities evacuated civilians from the border town of Shebekino following Ukrainian shelling.”
The US is funding Starlink communications for Ukraine, C4ISRNet reports. Because of the sensitivity of the nature of the services provided, the Department of Defense provided no information on their cost, duration, or coverage. Starlink has over the course of the war provided valuable and resilient connectivity to Ukraine.
The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.
Patch news.
Google released a Chrome patch with 16 security fixes. In a statement released on May 30th, Google notes that 13 of the fixes come from discoveries made by external researchers, many of whom received cash awards from Google’s vulnerability rewards program. The largest cash reward of $15,000 went to Jaehun Jeong of Theori, who discovered an out-of-bounds write in SwiftShader in January of this year. Other rewards ranging from $500 to $10,000 were awarded to 12 other researchers who found various vulnerabilities.
ZyXEL released a security patch on May 30th, meant to fix a “post-authentication command injection vulnerability in NAS products.” This vulnerability, if left unpatched, would allow an attacker to execute remote operating system commands. The patch and vulnerability affect three ZyXEL personal cloud storage devices: NAS326, NAS540, and NAS542. ZyXEL recommends all users update their firmware for optimal protection.
Crime and punishment.
CNN reported on June 1st that a retired U.S. Air Force colonel has been sentenced to three years in prison for storing classified materials in his home in Florida. “Robert Birchum pleaded guilty earlier this year to unlawfully possessing and retaining classified documents relating to national defense, the department said in a news release,” CNN writes. The U.S. Department of Justice said that it first discovered the mishandling of classified documents in 2017, writing, “law enforcement officers discovered that Birchum knowingly removed more than 300 classified files or documents, including more than 30 items marked Top Secret, from authorized locations. Birchum kept these classified materials in his home, his overseas officer’s quarters, and a storage pod in his driveway. None of these locations were authorized for storage of classified national defense information. In particular, the criminal information charges that Birchum possessed two documents on a thumb drive found in his home that contained information relating to the National Security Agency’s capabilities and methods of collection and targets’ vulnerabilities. Both of these documents were classified as Top Secret/SCI, and their unauthorized release could be expected to cause exceptionally grave damage to the national security of the United States.”
Courts and torts.
The US Federal Trade Commission (FTC) announced that it has charged leading home security company Ring with compromising customer privacy. The FTC complaint states that Ring put customer data at risk by allowing Ring staffers and contractors to access customers' private videos. Despite warnings, the Amazon-owned company also neglected to implement other standard privacy protections that would have protected customers from threats like credential stuffing and brute-force attacks. A proposed order calls for Ring to delete data from videos that were unlawfully viewed and to adopt a privacy and security program with more stringent controls, including multifactor authentication for customer and employee accounts. Ring will also be required to pay $5.8 million to cover consumer refunds. Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, stated, “Ring’s disregard for privacy and security exposed consumers to spying and harassment. The FTC’s order makes clear that putting profit over privacy doesn’t pay.” The proposed order will need to be approved by a federal court before it goes into effect. The agreement between Ring LLC and the US Federal Trade Commission may be found here.
Amazon has also agreed to pay a civil penalty of $25 million to settle federal charges concerning the collection of data from minors. The FTC found Amazon to be in violation of the Federal Children’s Online Privacy Protection Act (COPPA) for collecting sensitive data from children, including children’s precise locations and voice recordings, and retaining them for business purposes. Regulators say even after parents asked to have children’s conversations with virtual assistant Alexa deleted, Amazon failed to delete transcripts of the conversations from all its databases. Amazon denies it violated the law. The company issued a statement saying, “We built Alexa with strong privacy protections and customer control,” and claims it worked with the FTC before adding Alexa to its children’s content service. The decision will now go before a federal court for approval.
Policies, procurements, and agency equities.
The US Department of Defense has sent its 2023 cyber strategy to Congress. The Department says the strategy represents an evolution of the 2018 Department of Defense Cyber Strategy, and "provides direction" for the implementation of the 2022 National Defense Strategy in cyberspace. The Strategy itself is classified, but an unclassified fact sheet the Department released emphasizes that "This strategy is further informed by Russia’s 2022 invasion of Ukraine, which has demonstrated how cyber capabilities may be used in large-scale conventional conflict." It identifies the principal threats in cyberspace as the People’s Republic of China (the "pacing challenge in the cyber domain"), Russia ("an acute threat," especially with respect to its "malign influence efforts" and its ongoing attacks against Ukrainian infrastructure), North Korea, Iran, "violent extremist organizations," and transnational criminal organizations (often aligned with the "foreign policy objectives" of the governments that support and protect them).
A US court has determined for the first time that authorities need a warrant to search US citizens' phones at the US border. The Fourth Amendment protects US citizens from warrantless searches, but current border law gives US Customs and Border Protection (CBP) the authority to search anyone within one hundred miles of a US border. As the American Civil Liberties Union has pointed out, that covers about two-thirds of the nation’s population, and advocacy groups have been fighting to limit these warrantless searches. In the case, the Register explains, defendant Jatiek Smith was detained by CBP after a trip from Jamaica and forced to hand over his phone, which was reviewed and imaged without a warrant.
Canada’s defense minister announced yesterday that Canada will partner with the US to create a cybersecurity certification framework for defense contractors. As Reuters reports, the framework will be identical to the US’s, allowing contractors working in both countries to certify only once. Referencing the Russian president’s invasion of Ukraine, Canadian Defence Minister Anita Anand stated, "Putin's war on Ukraine has reminded all of us that the cyber domain is crucial to our national security. Here at home, malicious cyber activities have targeted defence contractors and subcontractors across Canada, leaving classified information vulnerable."
The US Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued the Fiscal Year 2023 Rural Emergency Medical Communications Demonstration Project (REMCDP) Notice of Funding Opportunity (NOFO), which will provide funding for up to two demonstration projects aimed at improving emergency communications infrastructure for rural medical care. As well, Homeland Security Today explains, the funding will be used to alleviate gaps in the implementation of the National Emergency Communications Plan. Applicants may apply for up to $2,000,000 for a two-year period of performance, and after a competitive review process, funding will be awarded to a maximum of two recipients for a total of up to $4,000,000. CISA established REMCDP to find ways to use existing technologies and engage non-medical professionals to bolster the delivery of medical care in rural areas. Applications for the NOFO must be submitted by July 28.
Labor markets.
Security Brief Australia this past week highlighted some reasons that cybersecurity is a field worth taking an interest in. They note that cybersecurity positions are consistently in demand and that the field offers competitive salaries. Opportunities for learning and growth are plentiful, and work within the industry itself can be rewarding. Cyber is also a welcoming field, with a strong sense of diversity and inclusion. On the same point, the Upper Cumberland Business Journal reported significant growth in interest in careers within the cybersecurity field. An increased awareness of cybersecurity, growing from the beginning of 2022 to an all-time high this month, has “fueled a desire to protect personal and organizational data, hence growing interest in cybersecurity careers,” says Tech Digest.
Mergers and acquisitions.
Virginia’s large-scale US Department of Defense and national security provider Agile Defense has acquired fellow Virginian cybersecurity company XOR Security, Intelligence Community News reports. XOR is a provider of cybersecurity for commercial and federal government enterprise systems, and the acquisition gives Agile access to an employee base of over 1,000 personnel. “The acquisition of XOR Security bolsters our already comprehensive suite of enterprise IT solutions with additional cutting-edge cybersecurity talent,” said Jay Lee, CEO of Agile Defense.
Investments and exits.
Loews Corporation has invested approximately $10.53 million in CrowdStrike, purchasing 100,000 shares of stock in the company, MarketBeat reports. The CrowdStrike stock is reportedly the corporation’s 15th largest following the investment.
Denver, Colorado’s authID has closed its $8.2 million registered direct offering and private placement and $8.9 million notes exchange, the company reports. The direct offering and placement were led by existing investors. The company intends to use the proceeds for “working capital and general corporate purposes.”
Moving target cloud defense security company Hopr has raised $500,000 in funding from the Maryland Technology Development Corporation (TEDCO), which has added $300,000 to its initial investment last year of $200,000.