At a glance.
- What's turning up in cloud honeypots.
- An update on Cl0p's exploitation of a MOVEit vulnerability.
- Fraudsters abuse generative AI.
- Embedded URLs found in malware.
- Update on Barracuda ESG exploitation.
- Patch news.
- Crime and punishment.
- Courts and torts.
- Policies, procurements, and agency equities.
- Company news.
- Labor markets.
- Studies and reports.
- Investments and exits.
What's turning up in cloud honeypots.
Orca Security has released a report detailing insights into attacker tactics, techniques, and procedures (TTPs), as well as the things that attract attackers. In the 2023 Honeypotting in the Cloud Report, the researchers placed honeypots — faux traps intended to lure cybercriminals away from actual threats — on a variety of environments, including AWS S3 Buckets, GitHub, and DockerHub, among others. Each of the nine deployed honeypots was said to contain a secret, which, in this case, was an AWS secret access key.
Key insights from the report include how quickly threat actors discover exposed resources: the honeypots were found within minutes of their deployment. How quickly the leaked key was actually used, however, varied by environment; the researchers saw GitHub keys used within two minutes, whereas with S3 buckets exploitation took upwards of eight hours. Certain resources and environments are more attractive to malicious actors: more popular resources can be easy to access and contain a treasure trove of sensitive information. Orca researchers don’t advise automated protection solutions, recommending instead tailored strategies for defending each resource against threats.
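Planted credentials only pay off for the defender if their use is noticed and timed. The following Python is an added example, not code from Orca's report: it scans constructed CloudTrail-style records for a set of canary access key IDs and reports which planted copy was used, how long after planting, and from where. The key IDs, timestamps and events are constructed placeholders.

```python
from datetime import datetime, timezone

# Constructed canary key IDs (placeholders, not real keys), each mapped to the
# location it was planted in and the UTC time it was planted.
CANARY_KEYS = {
    "AKIAEXAMPLECANARY0001": ("github-repo", "2023-06-01T10:00:00Z"),
    "AKIAEXAMPLECANARY0002": ("s3-bucket", "2023-06-01T10:00:00Z"),
}

# Constructed CloudTrail-style records, reduced to the fields used here.
SAMPLE_EVENTS = [
    {"eventTime": "2023-06-01T10:00:30Z", "eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEREALKEY000"},
     "sourceIPAddress": "10.0.0.5"},
    {"eventTime": "2023-06-01T10:03:00Z", "eventName": "ListBuckets",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLECANARY0001"},
     "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2023-06-01T10:02:10Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLECANARY0001"},
     "sourceIPAddress": "203.0.113.7"},
]

def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def detect_canary_use(events, canary_keys=CANARY_KEYS):
    """Return one alert per canary key seen: where it was planted, seconds from
    planting to first use, and the API calls and source IPs observed."""
    alerts = {}
    # Sort by time so the first record seen is the first use.
    for ev in sorted(events, key=lambda e: _parse_time(e["eventTime"])):
        key_id = ev.get("userIdentity", {}).get("accessKeyId")
        if key_id not in canary_keys:
            continue  # not a canary: ordinary traffic
        location, planted = canary_keys[key_id]
        delay = (_parse_time(ev["eventTime"]) - _parse_time(planted)).total_seconds()
        alert = alerts.setdefault(key_id, {
            "key_id": key_id, "location": location,
            "first_use": ev["eventTime"], "seconds_to_first_use": int(delay),
            "event_names": [], "source_ips": [],
        })
        alert["event_names"].append(ev["eventName"])
        if ev["sourceIPAddress"] not in alert["source_ips"]:
            alert["source_ips"].append(ev["sourceIPAddress"])
    return list(alerts.values())
```

Using a distinct key per planted location is what lets the alert say which copy leaked; the delay field is the same time-to-use metric the report measures.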
An update on Cl0p's exploitation of a MOVEit vulnerability.
The Record by Recorded Future reports that there appear to be at least sixty-three organizations that were compromised by the Cl0p ransomware gang via the MOVEit vulnerabilities. SecurityWeek says the group’s victims include Gen Digital, the U.S. Department of Energy, Louisiana’s Office of Motor Vehicles, Oregon’s Department of Transportation, the Nova Scotia government, British Airways, the British Broadcasting Company, Aer Lingus, U.K. drugstore chain Boots, University of Rochester, the Illinois Department of Innovation & Technology (DoIT), and the Minnesota Department of Education (MDE). Cyber Security Hub reports that PwC and Ernst & Young were also compromised.
Cl0p claims that it doesn’t have stolen data from the BBC, British Airways, and Boots, although the BBC notes that it’s entirely possible the group is lying. The gang also told BleepingComputer that it had deleted any data stolen from government entities.
For more on Cl0p and MOVEit, see CyberWire Pro.
Progress Software has disclosed and patched a third vulnerability in its MOVEit file transfer application. The flaw is a SQL injection vulnerability (CVE-2023-35708) that could allow an attacker to “submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.” A proof-of-concept for the vulnerability was published on June 15th.
Cl0p continues its exploitation of MOVEit vulnerabilities to distribute ransomware. Ransom demands have begun to arrive at US Government agencies and other victims. According to Reuters, the US Department of Energy has received two such notices. BleepingComputer reports that the US State Department's Rewards for Justice program is offering up to $10 million for information tying the Cl0p ransomware gang to a foreign government. Cl0p has used the MOVEit vulnerabilities to compromise at least two dozen entities, including some US government agencies, SecurityWeek reports. For more developments in the MOVEit vulnerability exploitation, see CyberWire Pro.
Fraudsters abuse generative AI.
Sift has released its Q2 2023 Digital Trust and Safety Index, which focused on “Fighting fraud in the age of AI automation” and discussed the use of generative AI in social engineering schemes and consumer fears surrounding the new technology. The fears aren’t entirely groundless. “In the last six months, 68% of consumers noticed an increase in the frequency of spam and scams, likely driven by the surge in AI-generated content. And Sift data shows a 40% increase in the average rate of fraudulent content blocked from the network in Q1 2023 vs. the entirety of 2022. This trajectory is only expected to continue.” The threat associated with AI is that it lowers the barrier to entry for fraud and social engineering scams. There's an easy plausibility to the language it generates that outdoes the text non-native (or even less-gifted native) speakers produce. For more on the abuse of generative AI for social engineering, see CyberWire Pro.
Embedded URLs found in malware.
Cofense has found that compromised domains make up 53% of embedded URLs used to deliver malware: “Compromised domains are used by threat actors of moderate to advanced skill levels, are moderately effective at bypassing SEGs, and are moderately effective at tricking victims.”
Abused domains, such as those using Google Docs or Microsoft OneDrive, made up 37% of embedded URLs. These domains are highly effective but short-lived, due to quick detection by the hosting services.
Domains that were created by the threat actors themselves accounted for just 11% of embedded URLs. The researchers note that created domains “are typically used by more advanced threat actors, are not highly effective at bypassing Secure Email Gateways (SEGs) and are highly effective at tricking victims.”
Update on Barracuda ESG exploitation.
Proofpoint has tweeted updates on exploitation of CVE-2023-2868, a vulnerability found in Barracuda's Email Security Gateway (ESG). UNC4841, the "aggressive and highly skilled actor conducting targeted activity," is believed to be acting on behalf of the Chinese government. Its targets, geographically, have been, from the most to least frequently affected, the United States, Norway, Taiwan, and Poland. By sector, UNC4841 has been most interested in academic institutions, defense establishments, and the US Federal Government.
Michael Raggi, Staff Threat Research Engineer at Proofpoint, explained: “Proofpoint has observed intermittent exploitation attempts by Chinese state-aligned threat actor UNC4841 targeting CVE-2023-2868 from October 2022 through May 29, 2023. This vulnerability was being actively used in the wild by an APT actor as recently as three weeks ago. While the phishing campaigns involved conventional espionage operations, the threat actor also exhibited a sustained focus on scientific research, energy entities, and public health data which demonstrates a more complex tasking than initially disclosed publicly. This zero-day vulnerability continues an increasing trend of vulnerable email gateway appliances being exploited via advanced exploits contained within phishing emails.”
Barracuda has issued both mitigations and patches.
Russia-Ukraine hybrid war update.
US Deputy National Security Advisor Anne Neuberger told the FT Cyber Resilience Summit on Thursday, June 22nd, “We know Ukraine is currently experiencing a significant surge in cyberattacks in parallel to the kinetic aspects.” The Record reports that she specified neither the scope of the attacks nor the sectors that were receiving hostile attention.
The GRU's APT28 group, Fancy Bear, used three Roundcube exploits (CVE-2020-35730, CVE-2021-44026, CVE-2020-12641) against Ukrainian email servers in the course of a renewed and recently detected Russian cyberespionage campaign. The attack's success was enabled, CERT-UA says, by the victims' continued use of an outdated version of the Roundcube open-source webmail software, a version that remains susceptible to SQL injection attacks.
CERT-UA credits the detection of the activity to information received from a Western company working within a program of regular information exchange. "We would like to take this opportunity to express our gratitude to the researchers of the international company, with whom the prompt exchange of information made it possible to detect attempts to implement a cyber threat in a timely manner." The company is unnamed, but it's clearly Recorded Future, given the link CERT-UA provides to the research that tipped them off to the GRU campaign.
Recorded Future says as much itself. In an extensive account published June 20th, the company's Insikt Group writes, "The campaign leveraged news about Russia’s war against Ukraine to encourage recipients to open emails, which immediately compromised vulnerable Roundcube servers (an open-source webmail software), using CVE-2020-35730, without engaging with the attachment." The researchers add, "We found that the campaign overlaps with historic BlueDelta activity exploiting the Microsoft Outlook zero-day vulnerability CVE-2023-23397 in 2022."
The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.
Patch news.
Apple has patched two security flaws that were used in hacks against thousands of Russian devices, the Washington Post reports. Russia’s Federal Security Service (FSB) has attributed this campaign to the US NSA, but there's no evidence of NSA’s involvement apart from the FSB's accusation. The FSB itself has refrained from explaining how it reached its conclusion. An Apple spokesperson told Cyberscoop that the company has “never worked with any government to insert a backdoor into any Apple product and never will.” In its security update, Apple says that the hack allowed for the execution of “arbitrary code with kernel privileges.” Sophos writes that the vulnerabilities, CVE-2023-32439 and CVE-2023-32434, have been patched in Apple’s latest update on all devices (with the possible exception of tvOS, which Sophos says may just have yet to receive an update). It is strongly advised that those with Apple devices update as soon as possible. For more on Apple's patches, see CyberWire Pro.
Courts and torts.
SC Media reports that three individuals from Louisiana have filed a class action lawsuit in Massachusetts against Progress Software for its MOVEit data breach that occurred earlier this month. “The plaintiffs represent more than 100 individuals who say Progress Software’s security practices were negligent, resulting in their personal data being exposed and stolen through the hack. The complaint characterizes this information as ‘a gold mine for data thieves’ and the victims are seeking damages in excess of $5 million,” writes SC Media.
The FTC has charged 1Health.io (aka Vitagene) with deceiving customers about the destruction of their personal data, changing its privacy policy without informing customers, and leaving personal information unsecured. In addition to a $75,000 fine, the FTC is requiring Vitagene to obtain express consent from customers before sharing their personal data with third parties.
Policies, procurements, and agency equities.
His Majesty’s Government last Sunday announced that it would allocate £25 million to aid Ukraine's cybersecurity efforts. Prime Minister Rishi Sunak explained, "Russia’s appalling attacks on Ukraine are not limited to their barbaric land invasion, but also involve sickening attempts to attack their cyber infrastructure that provides vital services, from banking to energy supplies, to innocent Ukrainian people. This funding is critical to stopping those onslaughts, hardening Ukraine’s cyber defences and increasing the country’s ability to detect and disable the malware targeted at them." The new grant builds on and significantly expands last year's £6.35 million tranche of cybersecurity assistance.
Assistant Attorney General Matthew Olsen announced this week that the US Department of Justice (DOJ) is establishing a new section in its National Security Division focused on prosecuting malicious foreign cyber activity. The Record explains that the move is part of the DOJ’s efforts to be more proactive in fighting digital threats from foreign actors. Olsen said the new unit will help the division to “increase the scale and speed of our disruption campaigns and prosecutions of nation-state cyber threats as well as state-sponsored cyber criminals” and will staff prosecutors who will be “positioned to act quickly as soon as the FBI or an [intelligence community] partner identifies a cyber enabled threat and we will be in a position to support investigations and disruption.” While Olsen acknowledged that the National Security Cyber Section, or NatSec Cyber, is still in its “earliest stages,” CyberScoop notes that the section has already been approved by Congress and was laid out in Deputy Attorney General Lisa Monaco’s Comprehensive Cyber Review released in July 2022.
Company news.
DarkReading writes that the NSO Group, the Israeli firm behind the controversial spyware tool Pegasus, is catching the eye of a magnate, though not one you might expect. The Guardian shared that Wrigley chewing gum heir William “Beau” Wrigley may be interested in acquiring the company’s assets. The Israeli government’s involvement, however, could block any potential offer, since a sale would in effect be selling off the government's own technology. Other attempts to purchase NSO Group assets have been unsuccessful, including one from L3Harris last year that was stopped by the White House over security concerns.
Labor markets.
In labor market news this week, the Economic Times reports that there are around 40,000 cybersecurity positions open in India. The current issue, the outlet writes, is a disconnect between the open positions and the candidates with the skills to fill them. The workforce still needs upskilling across a broad array of areas within cybersecurity, including data privacy, cloud security, AI security, and network security, all said to be in high demand at this time.
Studies and reports.
Axiad released the findings of a Passwordless Authentication survey it commissioned. Conducted by Enterprise Research Group (ERG), the survey covers an array of vectors related to authentication: challenges, user experience, user attitudes toward authentication, and the wants and needs of organizations that implement authentication measures.
Professionals across the cybersecurity, development, and IT fields within North America were surveyed. Phishing and social engineering attacks remain a point of concern, as 92% of the survey’s respondents reported fear over credential harvesting. Almost 60% of respondents report with confidence that they believe compromised accounts, or harvested credentials, have been the cause of a successful cyberattack within the last year. Passwordless authentication appears to be a priority for these professionals, as 82% of respondents placed a move to passwordless authentication within their top five priorities, with 85% reporting a move to passwordless authentication planned within the next 1 to 2 years. Respondents also believe that a move to passwordless authentication will aid IT and support teams within their organizations, with 86% of those surveyed in agreement.
OpenText Cybersecurity shared the results of its 2023 Global Managed Security survey, detailing the concerns of cyber leaders within the workforce today and the importance of prioritizing simple and effective security solutions. Tool consolidation is a high priority, as tool sprawl was cited as a primary concern for Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs). 86% of the respondents report a desire to consolidate their tools. A vast majority (88%) of respondents see a move toward the consolidation and merging of security and compliance tools. Customers are reporting a strong need for “comprehensive, on-demand security,” which is cited by 82% of MSPs and MSSPs surveyed as a key requirement.
Investments and exits.
Natixis has bought more Rapid7 shares, DefenseWorld reports. Natixis previously owned 459,890 shares and added 141,857 during the fourth quarter of 2022, according to a Securities and Exchange Commission filing. Natixis now holds shares of the company worth about $15.63 million.
Virginia-based threat intelligence provider Silent Push is fresh on the scene, launching last Wednesday with a $10 million seed funding round under their belt led by Ten Eleven Ventures, SecurityWeek reports. The company plans to provide customers with a “comprehensive view of internet-facing infrastructure.”
Belgian access management startup NineID has raised $2.6 million in funding, led by Pitchdrive, with additional investments from Comate Ventures and a slew of angel investors. The company plans to delegate the funds to product expansion and global growth.