At a Glance.
- Barracuda urges replacement of gear.
- PowerDrop, a new PowerShell remote access tool, targets a US defense contractor.
- Cl0p claims responsibility for MOVEit file transfer vulnerability and subsequent data breach.
- Anonymous Sudan attacks Microsoft platforms and demands $1,000,000 to stop the attacks.
- New criminal campaign targets Android users who wish to install modified applications.
- Russia-Ukraine hybrid war update.
- Patch news.
- Crime and punishment.
- Courts and torts.
- Policies, procurements, and agency equities.
- Labor markets.
- Mergers and acquisitions.
- Investments and exits.
Barracuda urges replacement of gear.
Barracuda Networks is urging customers to immediately replace its email security gateways (ESGs) due to a security vulnerability (CVE-2023-2868). The company says the vulnerability, which has been exploited in the wild, “existed in a module which initially screens the attachments of incoming emails.” The earliest evidence of exploitation was in October 2022. CSO reports that the Australian Capital Territory government has disclosed that it was breached via the flaw.
Rapid7 notes that “[t]he pivot from patch to total replacement of affected devices is fairly stunning and implies the malware the threat actors deployed somehow achieves persistence at a low enough level that even wiping the device wouldn’t eradicate attacker access.”
The vulnerability’s description states, “The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product.”
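The root cause described above is an archive member name that reaches a command-building string unsanitized. The following added example (not Barracuda's code) shows the defensive check a mail gateway or any tar-handling service should perform before a member name gets anywhere near a shell: every name is classified for shell metacharacters, control characters and path traversal, and the archive used is a constructed sample.

```python
"""Scan tar member names for characters that would be dangerous if
interpolated into a shell command (the CVE-2023-2868 pattern).
Added example, not Barracuda's code; the sample archive is constructed."""
import io
import tarfile

# Characters that a POSIX shell (and therefore Perl's qx operator) treats
# as command syntax rather than as part of a file name.
SHELL_META = set("`$|;&<>(){}[]\\'\"*?\n\r")
# Conservative allow-list for names a gateway should accept unmodified.
SAFE_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._/ -")


def classify_member_name(name: str) -> list[str]:
    """Return a list of findings for one member name; empty means clean."""
    findings = []
    if any(c in SHELL_META for c in name):
        findings.append("shell-metacharacters")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        findings.append("control-characters")
    if name.startswith("/") or ".." in name.split("/"):
        findings.append("path-traversal")
    if not findings and any(c not in SAFE_CHARS for c in name):
        findings.append("unexpected-characters")
    return findings


def scan_tar(data: bytes) -> dict[str, list[str]]:
    """Return {member_name: findings} for every member that is not clean.
    Only headers are read; nothing is extracted."""
    results = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            findings = classify_member_name(member.name)
            if findings:
                results[member.name] = findings
    return results


def build_sample_tar() -> bytes:
    """Constructed sample: one benign member and two hostile names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("invoice.pdf", "report`x`.txt", "../../outside.txt"):
            info = tarfile.TarInfo(name)
            payload = b"sample"
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in scan_tar(build_sample_tar()).items():
        print(f"{name!r}: {', '.join(findings)}")
```

A gateway that rejects (or quarantines) any archive with a non-empty scan result never has to trust the member name, which is the property the patched module lacked.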
PowerDrop, a new PowerShell remote access tool, targets a US defense contractor.
PowerDrop, a new malicious PowerShell script, was discovered by researchers at Adlumin to have infected machines at an unspecified US aerospace defense contractor. The malware uses a combination of Windows PowerShell script and Windows Management Instrumentation (WMI) to create a new remote access trojan (RAT). “The usage of PowerShell for remote access is not new, nor is WMI-based persistence of PowerShell scripts or ICMP triggering and tunneling, but what is novel about this malware is that another code like it hasn’t surfaced before, and it straddles the line between a basic “off-the-shelf-threat” and the advanced tactics used by Advanced Persistent Threat (APTs) Groups,” researchers write. Though attribution remains inconclusive, Adlumin assesses, based on the target and the living-off-the-land tactics, that the threat actors are likely operating on behalf of a nation state. Mark Sangster, Vice President of Strategy at Adlumin, said, “While the core DNA of the threat is not particularly sophisticated, its ability to obfuscate suspicious activity and evade detection by endpoint defenses smacks of more sophisticated threat actors. The fact it targeted an aerospace contractor only confirms the likelihood of nation-state aggressors.” As of this writing it’s unknown whether this incident is part of a larger campaign targeting multiple organizations.
Cl0p claims responsibility for MOVEit file transfer vulnerability and subsequent data breach.
Cl0p told BleepingComputer on June 5th that it was responsible for exploiting the MOVEit Transfer SQL injection vulnerability (CVE-2023-34362). The vulnerability, which was added to CISA’s Known Exploited Vulnerabilities catalog last Friday, was first exploited on May 27th, BleepingComputer reported. Mandiant had associated exploitation of this vulnerability with Cl0p, as the gang had been searching for partners that use SQL injection. That attribution now seems confirmed. The ransomware group, in an uncharacteristic move, gave victims a June 14th deadline to contact the attackers. This change of tactics, as ITPro reports, could be due to the unusually large amount of data stolen by the group. “The approach taken by the group is atypical from most extortion scenarios which usually sees the attackers approach the victims first. Members of the cyber security industry have speculated that Cl0p… has ingested too much data for it to identify the company to which it belongs.”
On June 7th, the BBC wrote that “More than 100,000 staff at the BBC, British Airways and Boots have been told payroll data may have been taken.” The BBC notes that the information stolen varies by firm. Zellis, an HR outsourcing company, appears to have been the initial victim in the supply chain attack, which allowed Cl0p to obtain “home addresses, national insurance numbers and, in some cases, bank details,” the BBC explains. The BBC had earlier, on June 6th, published a report urging individuals whose personal information may have been stolen not to panic, as “Hackers are not interested in going after individuals - it is too time consuming and they care about one thing only, getting paid.”
For more on Cl0p and the MOVEit vulnerability, see CyberWire Pro.
Anonymous Sudan attacks Microsoft platforms and demands $1,000,000 to stop the attacks.
Anonymous Sudan began targeting US organizations on Saturday, June 3rd, in a new distributed denial-of-service (DDoS) campaign after the hacktivists took offense at comments made by US Secretary of State Antony Blinken regarding possible US involvement in Sudan. The attacks, which originally targeted hospitals and the ride-sharing company Lyft, were refocused on Microsoft services. The group announced on June 5th that it had disabled Outlook in DDoS attacks which have reportedly frustrated thousands of customers. CNN reported that “Thousands of Microsoft Outlook users reported issues accessing their email accounts this morning (June 5th).” BleepingComputer reported a global outage which prevented Outlook users from sending emails or managing calendars. The group went so far as to advertise its IT services to Microsoft for $1,000,000.
On June 6th, the group announced that it would go after ChatGPT, posting that they had already run a test attack and would launch a real attack later in the day. The group has since continued its DDoS campaign against Microsoft, adding Microsoft Azure to its list of targets on June 9th.
New criminal campaign targets Android users who wish to install modified applications.
Researchers at Bitdefender have discovered a “hidden malware campaign living undetected on mobile devices worldwide for more than six months.” The researchers explain that the campaign is designed to aggressively push adware, a type of malware that forces unwanted ads into the victim's online experience. The campaign is probably capable of switching tactics and transitioning to pushing Trojans or other malware to the devices already infected. Bitdefender has observed over 60,000 different samples that carry this adware, and the campaign, they believe, started in October of 2022. The applications that carry the malware are not available on any official app stores. Instead, they often pretend to be game cracks, free VPNs, Netflix, YouTube or TikTok without ads, and even fake security software. The most popular downloads seem to be modified legitimate applications that have, the scammers claim, been enhanced for better user experience. The applications, once installed, aren’t marked with an icon, which makes them more difficult to uninstall and which may mislead the user into thinking there was a problem during the installation process.
Russia-Ukraine hybrid war update.
The US Department of Defense is also buying Starlink connectivity to bolster the resilience of Ukraine's communications. Citing concerns about operational security, the Department has declined to provide details of the Starlink support.
Patch news.
Researchers at Varonis discovered “an easily exploitable UI bug (CVE-2023-28299) in Microsoft Visual Studio extension installer that allows an attacker to spoof an extension signature and effectively impersonate any publisher.” The flaw can be exploited by opening the VSIX file as a ZIP archive and adding newline characters to the extension name, which pushes the “Digital Signature: None” warning out of view in the installation prompt. The threat actor can then place a phony digital signature label at the beginning of the file name. Microsoft fixed this flaw in April, and users are advised to ensure Visual Studio is up to date.
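Because a VSIX is a ZIP archive with an XML manifest, the spoofing described above leaves a simple artifact: control characters in a user-facing manifest field. The added example below (not Varonis's or Microsoft's code) inspects a package for that artifact; the manifest layout (`extension.vsixmanifest` with `Metadata/DisplayName`, `Description` and an `Identity` element in the VSIX 2011 namespace) is an assumption drawn from the VSIX v2 schema, and the package itself is a constructed sample.

```python
"""Flag control characters in the user-facing fields of a VSIX manifest,
the artifact behind the CVE-2023-28299 display spoof. Added example,
not Varonis's or Microsoft's code; the manifest layout is assumed."""
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

VSX_NS = "http://schemas.microsoft.com/developer/vsx-schema/2011"
MANIFEST = "extension.vsixmanifest"
CONTROL = {chr(i) for i in range(0x20)} | {"\x7f"}


def suspicious_fields(vsix_bytes: bytes) -> dict[str, str]:
    """Return {field: repr(value)} for manifest fields containing control
    characters (newlines, tabs, etc.). An empty dict means nothing found."""
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:
        root = ET.fromstring(zf.read(MANIFEST))
    meta = root.find(f"{{{VSX_NS}}}Metadata")
    if meta is None:
        raise ValueError("manifest has no Metadata element")
    fields = {
        "DisplayName": meta.findtext(f"{{{VSX_NS}}}DisplayName") or "",
        "Description": meta.findtext(f"{{{VSX_NS}}}Description") or "",
    }
    ident = meta.find(f"{{{VSX_NS}}}Identity")
    if ident is not None:
        fields["Publisher"] = ident.get("Publisher", "")
    return {k: repr(v) for k, v in fields.items() if any(c in CONTROL for c in v)}


def build_sample_vsix(display_name: str) -> bytes:
    """Constructed minimal VSIX: a ZIP holding only the manifest."""
    manifest = f"""<?xml version="1.0" encoding="utf-8"?>
<PackageManifest Version="2.0.0" xmlns="{VSX_NS}">
  <Metadata>
    <Identity Id="Example.Tool" Version="1.0.0" Language="en-US" Publisher="Example Corp"/>
    <DisplayName>{escape(display_name)}</DisplayName>
    <Description>Constructed sample manifest</Description>
  </Metadata>
</PackageManifest>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, manifest)
    return buf.getvalue()


if __name__ == "__main__":
    print(suspicious_fields(build_sample_vsix("Example Tool")))
    print(suspicious_fields(build_sample_vsix("Example Tool\n\n\npadded text")))
```

The same check applies to a signed package: the signature covers the manifest, so a multi-line name is a packaging choice by whoever built the VSIX, not transport corruption.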
Crime and punishment.
On Friday the US Treasury Department’s Office of Foreign Assets Control (OFAC) issued sanctions against ArvanCloud, an Iranian cloud technology provider, for allegedly “facilitating” government internet censorship. The Record explains that all property and interests in property in the US will be blocked, and any business dealings with the company are prohibited. OFAC says ArvanCloud was “a key partner” in the Iranian regime’s establishment of the National Information Network, a government-controlled internet that gave officials the power to limit citizens’ access to online content. “Arvan Cloud has a close relationship with Iran’s intelligence services, including the Ministry of Intelligence and Security (MOIS), and Arvan Cloud executives have extensive ties to senior Iranian government officials,” OFAC stated.
The US Attorneys for the Southern District of Texas and the Southern District of New York have announced that eleven people in several states are now in custody and facing charges of criminal involvement in business email compromise (that's BEC for short) attacks. All eleven have been charged with conspiracy to commit wire fraud and money laundering. The US Attorneys say that the schemes cost victims millions in losses. The announcement explains, "The charges stem primarily from business email compromise schemes. Conspirators allegedly posed as legitimate businesses and fraudulently diverted money from victim bank accounts into accounts they controlled. According to the charges, they gained access to business email accounts and spoofed email addresses to deceive victims into believing they were making legitimate payments."
Courts and torts.
The US Securities and Exchange Commission (SEC) on Friday announced that it was dropping a number of cases in which Enforcement staff received improper access to restricted Adjudication Memoranda. The SEC attributed the incident to inadequate internal controls over sensitive information. "We deeply regret that the agency’s internal systems lacked sufficient safeguards surrounding access to Adjudication Memoranda," the SEC said, "and we are continuing our work to ensure that, going forward, work product from the Adjudication staff is appropriately safeguarded. We take this lapse in controls very seriously and are committed to both informing the public about the scope of this issue and preventing any similar lapses in the future."
The Washington Post discusses a US court decision that could have a major impact on how cybersecurity firms conduct business. On Friday the US Court of Appeals for the 9th Circuit reversed a lower court’s dismissal of Enigma Software’s 2017 lawsuit against Malwarebytes, which alleged that Malwarebytes’ labeling of Enigma’s software as “malicious,” “threats,” and “potentially unwanted programs” amounted to false advertising. Enigma claimed that Malwarebytes added the labels only after Enigma sued website Bleeping Computer for allegedly presenting “false, misleading, and deceptive information” about Enigma products because it received sales commissions from competitor Malwarebytes. Malwarebytes sought to dismiss the case, claiming the labels in question were “just [nonactionable] subjective opinions” instead of “verifiably false.” While acknowledging that judges are not experts on cybersecurity, the appeals court disagreed with Malwarebytes, declaring that the labels were indeed intended to be statements of fact.
Policies, procurements, and agency equities.
In March the US Securities and Exchange Commission (SEC) issued proposed new cybersecurity rules for broker-dealers, investment advisors, and asset managers which could require them to notify individuals impacted by certain types of data breaches. If adopted, the proposed plan would update Regulation S-P, which was adopted in 2000, before major developments in the financial sector’s use of technology. The comment period for the proposed rules ended on June 6th, and ThinkAdvisor shares some of the comments submitted by industry experts. Nonprofit Better Markets submitted an official comment letter in support of the new rules, and legal director Stephen Hall said the SEC “has rightly proposed a rule that requires market participants to notify affected individuals. Notification can make the difference between identity theft that inflicts major financial losses and a swift response that results in minimal harm.” In his comments, North American Securities Administrators Association President Andrew Hartnett said the term “cyberattack” should be included as an event that “could give rise to the customer notice obligation.” David Bellaire, general counsel for the Financial Services Institute in Washington, recommended that the SEC allow an extended implementation period of two years, or three years for small firms, to give smaller broker-dealers adequate time to comply with the new rules.
Small businesses and nonprofits, which often lack the resources to devote to cybersecurity, are easy prey for hackers, and with federal agencies focused on cyberthreats to critical infrastructure, these organizations often slip through the cracks. US universities are offering an unusual solution: cybersecurity centers used to train students as digital security consultants. Modeled after law school legal clinics, these centers can offer free cyberdefense resources to organizations who don’t have the funding or staffing to do so on their own. Sarah Powazek, the program director of public interest cybersecurity at the University of California, Berkeley's Center for Long-Term Cybersecurity, told Wired, “There is a critical role for universities to play in community cyber defense. Students are local, highly motivated, and able to provide a range of services pro bono for under-resourced organizations that otherwise couldn’t afford them.” The University of Texas at Austin has plans to open the newest of these clinics in a few months, and it will have an unusual approach: a cyber hotline. Much like the 311 phone service that residents call to report city issues like potholes, the hotline will offer emergency cybersecurity support for local businesses, and the clinic will join a consortium of other schools sharing resources and best practices.
The Cyberspace Administration of China has released proposed regulations that would restrict the use of file-sharing programs like Apple’s AirDrop. As the Wall Street Journal notes, such services allow users to send data to nearby devices without an internet connection, and were recently used by protestors in China and Hong Kong to quickly share information. The new rules say that new file-sharing programs must undergo a security assessment and register details of their identities with the service providers before they can be introduced in China. Experts also say operators of these services will likely be required to give the government any requested data about the people who have used these file-sharing programs. The agency says the new rules will be open for public comment until July 6 but did not disclose when the rules would come into effect. Coincidentally, Apple this week introduced a new feature called NameDrop that allows users to easily exchange contact info. It’s worth noting that in the latter half of 2021, Apple received 1,261 requests from Beijing asking for details about users’ devices and complied with 93% of them.
Labor markets.
This week, IBM announced plans to cut 30% of its workforce in non-customer facing roles in the next five years, with goals of replacing a total of around 8,000 positions, Zacks reports. Finance, accounting, and HR are the departments most likely to see an impact. Meta is also reportedly slashing its employee base once again, with plans of cuts to at least 1,100 jobs in California’s Bay Area, the Silicon Valley Business Journal reports. Employees in Menlo Park, Sunnyvale, Fremont, and San Francisco are going to be affected. Cybersecurity firm SentinelOne is lowering its headcount by around 5%, or around 105 members of their 2,100-person staff, GovInfoSecurity writes.
Despite these cuts, data from CyberSeek, a joint initiative of the National Institute of Standards and Technology (NIST) and CompTIA, shows that demand for cybersecurity practitioners is outpacing the supply of workers with the needed skills. The data shows that for every 100 job postings, there are approximately 69 workers available to fill them. “The gap between the number of cybersecurity jobs currently demanded and the number of workers available to fill those jobs stands at an estimated 466,225,” the company’s release shares.
Mergers and acquisitions.
Southern California-based networking giant Cisco has acquired Armorblox, a cybersecurity firm built on predictive and generative AI, GovInfoSecurity reports. The company intends to use Armorblox’s capabilities to “help customers better understand and interact with security control points,” says Raj Chopra, chief of product at Cisco.
Snyk, a Boston-based firm specializing in developer security, has agreed to the acquisition of Enso Security, the first provider of an Application Security Posture Management (ASPM) solution. The acquisition is anticipated for closure in the second quarter of this year.
Maryland-based software development cybersecurity provider iNovex has acquired Secure Innovations, a cybersecurity business focused on serving the greater government and intelligence community. iNovex says that this acquisition will advance their standing as a leading technology solutions company for the intelligence and government communities.
Investments and exits.
California-based Galvanick, an XDR platform provider for intelligence augmentation, has raised $10 million in seed funding, seeing significant investments from MaC Venture Capital, Founders Fund, Village Global, Countdown Capital, Hanover Technology Investment Management, Shrug Capital, 8090 Industries, and a multitude of angel investors. The firm intends to use the funding for hiring and expansion upon its initial platform for use in manufacturing and critical infrastructure.
CyberArk has seen an investment of 1,581 shares of their stock, or around $202,000, from M&T Bank, MarketBeat reports. This follows recent investments from other investors that include Achmea Investment Management BV, Pacer Advisors, and Covestor Ltd.
Cloud security firm Dig Security has seen an investment from Samsung Ventures this past week, the company shares. Samsung’s investment will aid the Israeli company in product.