At a glance.
- US Government discloses exploitation of MOVEit instances.
- An update on CosmicEnergy: it’s "not an immediate threat."
- AI-generated phishing attacks.
- A 2021 ransomware attack put a hospital under financial pressure that caused it to close.
- Cyber risk trends for small and medium businesses.
- Russia-Ukraine hybrid war update.
- Patch news.
- Crime and punishment.
- Courts and torts.
- Policies, procurements, and agency equities.
- Labor markets.
- Mergers and acquisitions.
- Investments and exits.
US Government discloses exploitation of MOVEit instances.
CISA director Jen Easterly disclosed in a press briefing on Thursday, June 15th, that several US government agencies were compromised by the Cl0p ransomware gang via the recently disclosed MOVEit file-transfer vulnerability, the Register reports. Easterly said, “Since the vulnerability was disclosed, we have been working closely with Progress Software, with the FBI, and with our federal partners to understand prevalence within federal agencies. We are now providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications.” Easterly added, “We are not aware of Clop actors threatening to extort, or release any data stolen from government agencies. Although we are very concerned about this, we're working on it with urgency. This is not a campaign like SolarWinds that presents a systemic risk to our national security or our nation's network.” She noted that the threat actors are “only stealing information that is specifically stored on your file transfer application at the precise time that the intrusion occurred.”
The US Department of Energy is among the compromised agencies. A Department spokesperson told the Register, “Upon learning that records from two DOE entities were compromised in the global cyberattack on the file-sharing software MOVEit Transfer, DOE took immediate steps to prevent further exposure to the vulnerability and notified CISA.” Federal News Network says the two compromised DOE entities are Oak Ridge Associated Universities and the Waste Isolation Pilot Plant in New Mexico. For more on these latest developments in the MOVEit vulnerability, see CyberWire Pro.
An update on CosmicEnergy: it’s "not an immediate threat."
Researchers at Mandiant last May announced their discovery of new malware that appeared to have been designed to disrupt electrical distribution and associated critical infrastructure. Mandiant, which called the malware “CosmicEnergy,” was cautious in its assessment, suggesting that CosmicEnergy may in fact have been a Russian red teaming tool used in exercises to simulate an attack on electric infrastructure.
On June 12th, Dragos released some reassuring conclusions from its own research. CosmicEnergy is not related to either Industroyer or CrashOverride, two known threats to infrastructure. “After analyzing COSMICENERGY, Dragos concluded that it is not an immediate risk to OT environments. The primary purpose of COSMICENERGY appears to have been for training scenarios rather than for deployment in real-world environments. There is currently no evidence to suggest that an adversary is actively deploying COSMICENERGY.” The malware is, Dragos finds, non-functional in several respects, and isn't, as it stands, a threat. For more on CosmicEnergy, see CyberWire Pro.
AI-generated phishing attacks.
Abnormal Security warns that attackers continue to abuse generative AI platforms like ChatGPT to craft convincing phishing emails. Abnormal has observed numerous types of phishing attacks that use grammatically correct templates created by generative AI. The researchers describe a targeted BEC attack that was assisted by AI: “[A]ttackers are also using ChatGPT-like tools to impersonate vendors. Vendor email compromise (VEC) attacks are among the most successful social engineering attacks because they exploit the trust that already exists in relationships between vendors and customers. And because discussions with vendors often involve issues around invoices and payments, it becomes harder to catch attacks that mimic these conversations—especially when there are no suspicious indicators of attack like typos.”
A 2021 ransomware attack put a hospital under financial pressure that caused it to close.
St. Margaret’s Health in Spring Valley, Illinois is shuttering its operations, a decision it has blamed in large part on the fallout of a ransomware attack on its systems, NBC News reports. Becker’s Hospital Review writes that the hospital’s coming June 16th closure follows a 2021 ransomware attack that rendered St. Margaret’s unable to submit claims to payers. Not only could claims not be submitted, but the systems were down for at least 14 weeks and required months of catch-up and recovery. The financial pressure this induced wound up being a factor in the closure, said Linda Burt, the hospital’s vice president of quality and community services. The health system also ended operations at a Peru, Illinois-based facility in January. For more on the effects of ransomware on St. Margaret's Health, see CyberWire Pro.
Cyber risk trends for small and medium businesses.
Researchers at BlackFog have determined that 61% of SMBs have sustained a successful cyberattack in the past twelve months. The researchers state, “On average organizations saw close to five successful data breaches, malware or ransomware attacks affecting their network. Critically for SMBs, the main impact of an attack was business downtime, which affected 58% of respondents. The successful attacks also negatively impacted customer trust and retention with a third of all respondents reporting that the incidents resulted in the loss of customers. Worryingly, 39% of organizations affected also reported a loss of customer data.”
Russia-Ukraine hybrid war update.
French authorities report that Russian actors attempted to plant and amplify disinformation using, in part, spoofed pages misrepresenting themselves as major news outlets. Bloomberg reports that France's Ministry of Foreign Affairs uncovered a coordinated campaign that "involved the creation of fake web pages impersonating French media including 20 Minutes, Le Monde, Le Parisien and Le Figaro, and government sites, as well as the creation of fake accounts on social networks." Foreign Minister Catherine Colonna said in a statement, “France condemns these actions, which are unworthy of a permanent member of the United Nations Security Council. No attempt at manipulation will distract France from its support for Ukraine in the face of Russia’s war of aggression.”
Ukraine's Cyber Police on Monday, June 12th, announced the arrest of three bot-farmers who were operating from a garage in the west-central Ukrainian city of Vinnytsia. They were engaged in automated disinformation, distributed through inauthentic accounts they ran in the Russian interest. Their motivation may have been more financial than ideological, as they received payment in Russian rubles, presumably from Russian paymasters. The Record reports that the three men who operated the bot farm created about five-hundred bogus accounts each day, used them to distribute pro-Russian propaganda and disinformation, and received the equivalent of about $13,500 each month. The rubles (at present a prohibited currency in Ukraine) were laundered through illicit (in Ukraine) payment services like WebMoney and PerfectMoney, then converted to cryptocurrencies and loaded onto bank cards. The crew was also allegedly engaged in criminal fraud on various e-commerce platforms.
Patch news.
Microsoft and Adobe have both issued patches for critical vulnerabilities. Microsoft patched six critical flaws, none of which appear to have been exploited in the wild, SecurityWeek reports. Four of these bugs could lead to remote code execution, according to Naked Security.
Adobe has patched twelve vulnerabilities in Adobe Commerce that could lead to “arbitrary code execution, security feature bypass, and arbitrary file system read,” SecurityWeek says. Magento Open Source is also affected by these flaws. For more notes on Patch Tuesday, see CyberWire Pro.
Crime and punishment.
Two Russian nationals were charged with the 2014 hack of the Mt. Gox cryptocurrency exchange, described by CoinDesk as one of the biggest heists in crypto history. An indictment from 2019 was unsealed last Friday, detailing how the two hackers, Alexey Bilyuchenko and Aleksandr Verner, stole upwards of 647,000 bitcoins from the exchange between 2011 and 2017 and moved them through Mr. Bilyuchenko’s illicit crypto exchange, known as BTC-e, the Record reports. Authorities allege Mr. Bilyuchenko was an operator of the BTC-e exchange.
The duo is alleged to have gained “unauthorized access” to the crypto wallets within the Mt. Gox exchange around September of 2011, says a release from the Department of Justice. Once the funds were lifted, they were laundered. Both Messrs. Bilyuchenko and Verner are charged with conspiracy to commit money laundering, while Mr. Bilyuchenko also faces a charge of operating an unlicensed money services business.
CyberScoop reports that a 20-year-old Russian national has been arrested on charges of involvement with the LockBit ransomware gang. Ruslan Magomedovich Astamirov was taken into custody on Wednesday in Arizona, according to a criminal complaint. The charges identify Mr. Astamirov, a Chechnya native, as having carried out at least five attacks on victims based in the United States, Asia, Europe, and Africa between August 2020 and March 2023, the Record reports. His charges include “conspiracy to transmit ransom demands, commit wire fraud, and intentionally damage protected computers.”
Massachusetts Air National Guardsman Jack Teixeira has been indicted on felony charges involving leaks of classified military documents in Discord, AP News reports. Mr. Teixeira faces six counts of willful retention and transmission of national defense information.
The investigation into the leak began in April after classified US intelligence was seen circulating on social media. The former airman’s position in the Guard gave him a top-secret clearance, which allowed him to access sensitive information. Newsweek writes that he was subsequently identified by investigators and accused of sharing hundreds of pages of sensitive information on a Discord server. A conviction could mean ten years in prison and a $250,000 fine for each count of willful transmission of classified information.
The Guardian quotes US Attorney General Merrick Garland on the case: “Teixeira is charged with sharing information with users on a social media platform he knew were not entitled to receive it. In doing so, he is alleged to have violated US law and endangered our national security.”
Courts and torts.
HACKREAD reports that Microsoft has been sued by Hold Security LLC for allegedly “misusing over 360 million compromised credentials collected from the Dark Web.” Hold Security, a cybersecurity company, signed an agreement with Microsoft in 2014 and is accusing Microsoft of not deleting credentials that are not associated with the software giant. HackRead reports, “Per Hold Security, Microsoft could only access its customers’ records and delete the data linked to those accounts after notifying the customers. However, the Redmond-based firm didn’t comply and misused the database.” In its lawsuit, Hold Security accused Microsoft of “using accounts in Hold’s database improperly and without authorization for administering GitHub and LinkedIn, “commandeering” historical data and sharing it with third parties via the Edge browser,” and its CEO is accusing Microsoft of running a harassment campaign against the company after Hold Security found the violations.
Policies, procurements, and agency equities.
Industry leaders are calling for a new framework for the US National Cybersecurity Strategy, as the signatories believe that issues surrounding identity were not adequately addressed in the existing form of the cyber strategy. The CyberWire received a copy of the letter, whose signatories include the American Bankers Association and the Better Identity Coalition, among others. The groups advocate enhanced protections against identity-related cybercrime. Their recommendations include launching a task force dedicated to accelerated development of tools to guard against identity crimes, prioritization of the National Institute of Standards and Technology’s (NIST) identity and attribute validation services (with the end goal of a Digital Identity Framework encompassing standards and best practices for identity security), and documentation of the budget savings achieved when digital identity infrastructure and tools are implemented.
CISA, the US Cybersecurity and Infrastructure Security Agency, this week issued Binding Operational Directive 23-02. The directive requires Federal Civilian Executive Branch agencies "to remove specific networked management interfaces from the public-facing internet or implement Zero Trust Architecture capabilities that enforce access control to the interface within 14 days of discovery." The directive's intent is to reduce the attack surface that misconfigured or otherwise insecure management interfaces present to potential adversaries.
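As an added illustration, not from the newsletter or from CISA, the following Python sketch models how a team might triage an asset inventory against the directive's 14-day window, with either removal from the internet or a Zero Trust enforcement point counting as remediation. The management-port list, field names, and sample hosts are assumptions made for this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

DEADLINE_DAYS = 14  # remediation window stated in BOD 23-02
AS_OF = date(2023, 6, 16)  # constructed "today" for the sample run

# Assumed management protocols for this example; the directive's actual scope
# is defined by CISA and is not reproduced here.
MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https", 161: "snmp", 3389: "rdp"}

@dataclass
class Interface:
    host: str
    port: int
    discovered: date              # date the exposure was first found
    internet_reachable: bool      # e.g. confirmed by an external scan
    removed_from_internet: bool = False
    behind_zta_enforcement: bool = False  # access control enforced in front of it

def exposure_status(iface: Interface, today: date) -> tuple[str, int | None]:
    """Return (status, days_left); status is out_of_scope, remediated, open or overdue."""
    if not iface.internet_reachable or iface.port not in MGMT_PORTS:
        return "out_of_scope", None
    if iface.removed_from_internet or iface.behind_zta_enforcement:
        return "remediated", None
    deadline = iface.discovered + timedelta(days=DEADLINE_DAYS)
    days_left = (deadline - today).days  # 0 means the deadline is today, still in window
    return ("overdue" if days_left < 0 else "open"), days_left

def triage(inventory: list[Interface], today: date) -> dict[str, list[str]]:
    """Group interfaces by status; open/overdue entries carry days remaining."""
    report: dict[str, list[str]] = {"overdue": [], "open": [], "remediated": [], "out_of_scope": []}
    for iface in inventory:
        status, days_left = exposure_status(iface, today)
        label = f"{iface.host}:{iface.port}/{MGMT_PORTS.get(iface.port, '?')}"
        if days_left is not None:
            label += f" ({days_left:+d}d)"
        report[status].append(label)
    return report

# Constructed sample inventory; hostnames are fictional.
SAMPLE = [
    Interface("edge-fw-01", 443, date(2023, 6, 1), internet_reachable=True),
    Interface("core-sw-02", 22, date(2023, 6, 1), internet_reachable=False),
    Interface("vpn-gw-03", 22, date(2023, 6, 10), internet_reachable=True, behind_zta_enforcement=True),
    Interface("oob-kvm-04", 3389, date(2023, 6, 12), internet_reachable=True),
    Interface("web-05", 8080, date(2023, 6, 1), internet_reachable=True),
]

if __name__ == "__main__":
    for status, entries in triage(SAMPLE, AS_OF).items():
        print(f"{status:>12}: {', '.join(entries) or '-'}")
```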
Labor markets.
Companies continue to see layoffs this week in big tech and cybersecurity. The Information reports that Sumo Logic, a data analytics software provider, has made “widespread layoffs” this week following the purchase of the company from private equity firm Francisco Partners. Computing also writes that HashiCorp, an infrastructure automation software development company, is laying off eight percent of its employees, which comes despite a 37% increase year-on-year in revenue.
Cybersecurity firm Dragos also reported cuts to nine percent of its workforce last week, amounting to about 50 employees, IT Wire reports. Compared with other recent layoff disclosures, Dragos can be credited with better-than-typical severance terms. It is offering those leaving two months of severance, an additional two months of healthcare on top of their existing coverage, and a vesting waiver for employees who have been with the company for under a year.
Mergers and acquisitions.
Malware prevention provider odix has merged with fellow Israeli Zero Trust technology firm AKITA. The merger will combine both companies’ cybersecurity offerings into one that provides comprehensive Zero Trust solutions. odix will integrate the AKITA team into its existing workforce.
Gorilla Technology Group, an AI-based video analytics, IoT tech, and cybersecurity provider, has agreed to acquire Thailand’s Bacom Internetwork, an infrastructure distributor and systems integrator. The acquisition is expected to close by September.
Investments and exits.
Cybersecurity firm Blackpoint Cyber has raised $190 million in growth funding in a round led by Bain Capital Tech Opportunities. The Maryland company provides advanced security through managed service providers, or MSPs. The funding is planned for use in development of its security solutions.
Operational technology (OT) cybersecurity defense provider Shift5 has amassed $83 million in a Series B funding round, led by Moore Strategic Ventures. Booz Allen Hamilton’s Teamworthy Ventures firm, as well as JetBlue Ventures, also participated. The Virginia-based company, created by former US Army Cyber Command officers, intends to use the funding to “fuel the infrastructure supporting Shift5’s growing commercial and federal businesses as it expands to tackle the challenge of onboard observability,” MSSPAlert reports.
Israeli startup Kodem, which focuses on application security by analyzing runtime intelligence, has emerged from stealth, raising $25 million in funding, TechCrunch reports. Greylock led an $18 million Series A, atop a $7 million seed round co-led by TPY Capital and Greylock. The funds will allow the company to build and launch its platform worldwide.