At a Glance.
- Vulcan’s Q2 2023 Vulnerability Watch report details notable issues.
- Russia's hybrid war against Ukraine: lessons learned.
- The fracturing of Conti, and the rise of its successors.
- Canadian energy company Suncor reports a cyberattack.
- Report: Unauthorized access is the leading cause of data breaches for the fifth year in a row.
- Camaro Dragon spreads malware via USB drives.
- Russia-Ukraine hybrid war update.
- Crime and punishment.
- Courts and torts.
- Policies, procurements, and agency equities.
- Noteworthy US Federal contracts.
- Labor markets.
- Mergers and acquisitions.
- Investments and exits.
Vulcan’s Q2 2023 Vulnerability Watch report details notable issues.
Vulcan’s Voyager18 cyber research team has published its Q2 2023 Vulnerability Watch report, which highlights the top vulnerabilities discovered over the past three months. The report lists twelve especially notable vulnerabilities, correlating their CVSS scores with Exploit Prediction Scoring System (EPSS) scores and suggesting mitigation strategies for each. Vulcan writes, “In order to navigate the ever-changing landscape of cyber threats, organizations must prioritize staying abreast of emerging trends in cybersecurity, implementing a proactive vulnerability management strategy, and investing in ongoing training and education for their IT teams. By embracing these measures, organizations can successfully minimize the potential impact of vulnerabilities and uphold a robust security stance against persistent cyber challenges.” The report includes such high-profile vulnerabilities as CVE-2023-34362 (MOVEit Transfer), CVE-2023-34364 (Progress DataDirect Connect), and CVE-2023-2868 (Barracuda Networks ESG), in addition to eight previously reported critical vulnerabilities. The report also discusses the forthcoming CVSS 4.0, which is meant to provide simpler, more flexible ratings for vulnerabilities.
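The point of pairing CVSS with EPSS is that severity and likelihood of exploitation are different questions, and a triage queue ordered only by CVSS will bury a medium-severity bug that is being exploited in the wild beneath critical-rated bugs nobody is attacking. The following Python is an added illustration of that kind of combined ranking; it is not code from the Vulcan report, and the decision thresholds are an assumption chosen for the example. The CVE IDs are the ones named above, but every CVSS and EPSS value in the sample (and the placeholder record) is a constructed stand-in, not a real score.

```python
"""Rank vulnerabilities by combining CVSS severity, EPSS exploit probability
and a CISA KEV flag. Added example; thresholds are illustrative assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float        # CVSS v3.x base score, 0.0 - 10.0
    epss: float        # EPSS probability of exploitation in the next 30 days, 0.0 - 1.0
    kev: bool = False  # listed in CISA's Known Exploited Vulnerabilities catalog


def priority(v: Vuln) -> str:
    """Decision rule (an assumption for this example, not Vulcan's method).

    Known-exploited or high-EPSS issues go first regardless of CVSS;
    critical CVSS alone is not enough to jump the queue.
    """
    if v.kev or v.epss >= 0.5:
        return "P1-immediate"
    if v.cvss >= 9.0 and v.epss >= 0.1:
        return "P1-immediate"
    if v.cvss >= 7.0 or v.epss >= 0.1:
        return "P2-this-cycle"
    return "P3-scheduled"


def rank(vulns):
    """Order by priority tier, then by EPSS, then by CVSS (highest first)."""
    order = {"P1-immediate": 0, "P2-this-cycle": 1, "P3-scheduled": 2}
    return sorted(vulns, key=lambda v: (order[priority(v)], -v.epss, -v.cvss))


# Constructed sample. CVE IDs are the ones named in the report text; the
# scores are placeholders for illustration and must not be read as real
# CVSS/EPSS values. The last record is a hypothetical entry that shows a
# medium-severity bug with a high exploitation probability outranking a
# critical-severity bug that is not being exploited.
SAMPLE = [
    Vuln("CVE-2023-34362", cvss=9.8, epss=0.93, kev=True),          # MOVEit Transfer
    Vuln("CVE-2023-2868", cvss=9.8, epss=0.41, kev=True),           # Barracuda ESG
    Vuln("CVE-2023-34364", cvss=7.8, epss=0.02),                    # DataDirect Connect
    Vuln("EXAMPLE-MEDIUM-CVSS-HIGH-EPSS", cvss=5.3, epss=0.60),     # hypothetical
]

if __name__ == "__main__":
    for v in rank(SAMPLE):
        print(f"{priority(v):14} {v.cve:32} cvss={v.cvss:4} epss={v.epss:.3f} kev={v.kev}")
```

In practice the EPSS column would be refreshed daily from FIRST's published feed and the KEV flag from CISA's catalog; the rule above is deliberately simple so that the reason a given CVE lands in a tier is obvious to whoever owns the remediation ticket.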
Russia's hybrid war against Ukraine: lessons learned.
The CyberWire daily briefing team has been covering Russia's war against Ukraine since before the invasion began, devoting special attention to the cyber phases of that war. Having tracked the Russian invasion of Ukraine from the start of the war, The CyberWire has produced the "Russia's hybrid war against Ukraine: lessons learned" report, which details Russia's cyber and disinformation operations as the war has progressed. This report takes into account historical events and draws upon the expertise of The CyberWire team and their extensive first-hand knowledge of military doctrine, geopolitics, and cyber operations. The full report may be found here.
The fracturing of Conti, and the rise of its successors.
The Global Initiative against Transnational Organized Crime released a report detailing the Conti cybercrime group’s fall from its prominent perch in the underworld following the gang’s declaration of support for Russia in the Ukraine-Russia war. “Two days after Conti pledged their support for the Russian invasion of Ukraine, things began to unravel for the group. A Twitter profile with the handle @ContiLeaks started leaking the ransomware group’s internal communication. Although there are conflicting reports on who was behind the leak – perhaps a Ukrainian security researcher or an affiliate against the war – the over 100 000 leaked files were dubbed the ‘Panama Papers of ransomware’. Over the coming months, Conti’s methodical and business-like approach disintegrated, although attacks continued, including on the networks of the Costa Rican state.” On May 19th 2023, it was reported that Conti’s websites were no longer working.
The story doesn’t seem to end there, however. IBM’s Security X-Force reported on June 27th that its tracking of the crypters who worked with Conti revealed that the group remains active, at least in fragmentary or rump forms. “One year on, ITG23 (Conti) has experienced many organizational changes, splintering into factions and forging new relationships. Despite these events, ITG23 crypters remain fundamental to tracking post-ITG23 factions and their activity; so much so that we believe identifying and tracking the crypters is just as important, if not even more so, than tracking the malware itself. Our research indicates that while ITG23 may have fractured apart after shutting down Conti, many of its various members continue to be very active — still communicating amongst themselves and using shared infrastructure.” X-Force identifies the factions Conti has fractured into as Royal, Quantum, Zeon, BlackBasta (a familiar name), and Silent Ransom.
Canadian energy company Suncor reports a cyberattack.
On Sunday, June 25th, the Canadian energy company Suncor disclosed that it was the victim of a cyberattack. “Suncor (TSX: SU) (NYSE: SU) has experienced a cyber security incident. The company is taking measures and working with third-party experts to investigate and resolve the situation, and has notified appropriate authorities.” The company hadn’t found any evidence that data regarding customers, suppliers, or employees was affected. BleepingComputer reports that the company, on Monday, warned users that they might be unable to log into their accounts, and that there was an ongoing issue with customers’ ability to accrue rewards points. As of last Friday, many customers were tweeting that “it is currently impossible to pay with credit/debit cards at Petro-Canada stations, leaving cash as the only option.” The company’s car-wash season passes also seem to have been affected. Reuters sought more information from the authorities, but there was little on offer: “The Canadian Centre for Cyber Security had earlier said it was aware of reports of an incident affecting Petro-Canada but said it did not generally comment on ‘specific cybersecurity incidents.’”
Report: Unauthorized access is the leading cause of data breaches for the fifth year in a row.
ForgeRock’s 2023 Identity Breach Report was released on June 22nd, and it shows that at least 1.5 billion user records were exposed in 2022. 53% of all breaches that occurred in 2022 originated with third-party organizations, and they cost on average $9.4 million per breach. Unauthorized access, responsible for 49% of the data breaches (actually down a bit from recent history), was determined to be the leading cause of breaches for the fifth consecutive year. Ransomware, however, at 34%, is on the rise. ForgeRock identifies misconfiguration of cloud services and firewalls, along with human error, as the major factors contributing to the breaches.
Camaro Dragon spreads malware via USB drives.
Check Point Research has published a report on a USB-propagated malware campaign that it attributes to the China-based espionage group Camaro Dragon. Check Point's researchers discovered the malware while investigating an incident in a European hospital earlier this year. “The investigation showed that the malicious activity observed was likely not targeted but was simply collateral damage from Camaro Dragon’s self-propagating malware infections spreading via USB drives.” Patient Zero, as CPR calls the first victim, initially picked up the infection while attending a conference in Asia and connecting a USB drive to a colleague's already infected computer.
Russia-Ukraine hybrid war update.
On 24 June, after reportedly being shelled by the Russian Ministry of Defense in Ukraine, Wagner’s owner, Yevgeny Prigozhin, announced that he intended to bring Russia's military leaders to justice. The mutiny began with gains for the PMC, as its forces marched into Rostov-on-Don and seized key military command and control points. The uprising ultimately halted some 200 km from Moscow, with Belarusian President Alexander Lukashenko stepping in to soothe the angered Prigozhin, an intervention that ended with the PMC leader effectively exiled to Belarus.
On June 29th, the AP reported that General Sergey Vladimirovich Surovikin, Commander of Aerospace Forces and one of General Gerasimov's deputies in Ukraine, is still unaccounted for. He and several of his principal subordinates haven't been heard from for three days, and informed speculation holds that he's probably been taken into custody in connection with what Moscow probably perceives as complicity in the mutiny of Yevgeny Prigozhin's Wagner Group last Saturday. The Telegraph, citing other media reports, says that he's not (yet) in jail, but is being "held in one place" while he's being put to the question concerning his relations with the Wagnerites.
Should General Surovikin indeed be imprisoned, that would mark his second tour as a yardbird: he was arrested as a junior officer in connection with his role in the failed 1991 coup during the final months of Soviet power. In that case he was on the side of Soviet hardliners seeking the overthrow of Mikhail Gorbachev. President Yeltsin subsequently pardoned then-Captain Surovikin on the grounds that he was only following orders.
What lies in store for the Wagner PMC is still unknown, as it has effectively been barred from participating in the “Special Military Operation,” with its employees given the ultimatum of joining the Russian military, joining Prigozhin in Belarus, or going home. This treatment is far less lethal than many expected from Russian President Putin, who is widely known to answer dissidents with jail time or, in some cases, death.
Cybernews reports that the Wagner Group claims to have conducted a destructive cyberattack against Dozor-Teleport, a satellite firm that provides communications services to some elements of the Russian Ministry of Defense. Discussions of the (reported) incident should be treated with caution if not outright skepticism. They appear to originate with a Telegram channel having few followers and no obvious connection to the Wagner Group. They've been amplified by Ukrainian social media accounts.
The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.
Crime and punishment.
Three months after apprehending alleged BreachForums impresario Pompompurin (his name IRL is Conor Fitzpatrick) on a range of cybercrime charges, US authorities have seized the illicit service's web domain. As is customary in such takedowns, the domain now displays a banner saying that the site is under new management, specifically the FBI, the Office of Inspector General at the Department of Health and Human Services, and the Department of Justice, acting under a warrant issued by the US District Court for the Eastern District of Virginia. The action against BreachForums was both interagency and international. The Bureau shares credit for the operation with the US Secret Service, Homeland Security Investigations, the New York Police Department, the US Postal Inspection Service, the Dutch National Police, the Australian Federal Police, the UK National Crime Agency, and Police Scotland. BleepingComputer points out that the Bureau did a bit of visual crowing: the image of Pompompurin (a golden retriever from the Hello Kitty universe) that graced the site now sports a pair of handcuffs.
A month and a half after learning of a data breach involving their employees, American Airlines and Southwest Airlines have determined that the incident originated with a third-party vendor, Pilot Credentials, which both companies used. In a statement sent to employees, American Airlines explained that it had learned about an incident on May 3rd, 2023, and subsequently launched an investigation. “According to the third-party vendor (pilotcredentials[.]com), an unauthorized actor accessed the third-party vendor’s systems on or around April 30, 2023 and obtained certain files provided by some pilot and cadet applicants during our hiring process,” the airline wrote. The airline further explained that names, Social Security numbers, driver's license numbers, passport numbers, dates of birth, Airman Certificate numbers, and other government-issued IDs were potentially taken. It’s offering two years of IdentityWorks’ identity-monitoring service to all who were affected. BleepingComputer writes that 5,745 personnel were affected by the breach.
Southwest issued a similar disclosure. On June 23rd the office of Maine’s Attorney General released a data breach notification for residents affected by the Southwest Airlines breach that put the tally of people affected at 3,009. Southwest is offering a two-year Equifax credit-monitoring program to affected individuals.
Courts and torts.
SC Media reports that SolarWinds has been informed that it could face civil enforcement as a result of the 2020 Orion breach. “In a Securities and Exchange Commission (SEC) filing on Friday, SolarWinds said ‘certain current and former executive officers and employees, including the Company’s Chief Financial Officer and Chief Information Security Officer’ had received ‘Wells Notices’ as part of the SEC’s investigation into the breach,” SC Media writes. A Wells Notice is typically a prelude to official action being taken against a party by the SEC. CSO Online reports that the Wells Notice sent to SolarWinds alleged “violations of certain provisions of the U.S. federal securities laws with respect to our cybersecurity disclosures and public statements, as well as our internal controls and disclosure controls and procedures.” CSO Online also remarked that this could lead to more legal liability being placed on CISOs.
Policies, procurements, and agency equities.
Internet observatory Netblocks found that five Russian ISPs blocked Google News on Friday as tensions between the Wagner Group and the Ministry of Defense rose during the run-up to the Wagnerites' abortive march on Moscow. Google News has been blocked before, the New York Times observes, most prominently in March of 2022, when Roskomnadzor announced an interdict of the service after Google blocked some online content that spread disinformation in support of Russia's war against Ukraine.
Computing reports that the eleventh round of European Union sanctions enacted against Russia will hit that country's IT sector particularly hard. The European Council singled out companies holding a license from the FSB authorizing them to work "at the Russian security level of 'state secret'" as well as companies holding a "weapons and military equipment license" from Russia's Ministry of Industry and Trade. It's not just their work on conventional military systems that puts them on the EU's list. "The Council has also assessed that information warfare constitutes a key means by which Russia implements its war of aggression against Ukraine and commits gross violations of international law and the principles of the Charter of the United Nations."
As experts debate the potential benefits of a central bank digital currency (CBDC) in the EU, CoinDesk reports that the European Commission yesterday issued its legislative plans for the digital euro. A post on the EU’s executive website and co-authored by the commission’s Executive Vice President Valdis Dombrovskis and the European Central Bank’s (ECB) Executive Board Member Fabio Panetta stated a CBDC would bring “strategic advances,” and “also enhance the integrity and safety of the European payment system at a time when growing geopolitical tensions make us more vulnerable to attacks to our critical infrastructure.” While the legislation would support the implementation of the CBDC, it is up to the ECB to determine whether to issue the digital euro. In a statement to the press, the ECB applauded the commission's plans, saying the bank will decide in the fall whether to enter the next phase in developing the currency. “The euro is the most tangible symbol of European integration,” ECB President Christine Lagarde stated. "We look forward to continuing working together with other EU institutions towards a digital euro to ensure our currency is fit for the digital age.”
Noteworthy US Federal contracts.
Booz Allen Hamilton has secured a $2.6 billion Enterprise Development, Operations Services (EDOS) contract with the IRS, reports WashingtonExec. “The EDOS contract supports IRS’ applications development portfolio to modernize mission critical applications while implementing annual tax season legislative requirements. It’s designed for task orders that will support the filing season and the agency’s legislatively mandated modernization goals.”
Science Applications International Corp. has won a $1.3 billion contract with the US Treasury Department to implement a range of cloud and professional services called T-cloud. “The contract supports Treasury as it adopts a multicloud environment by centralizing management of the systems infrastructure, platform and software-as-a-service by a single broker. It will provide full suites of AWS, Microsoft, Google, IBM and Oracle cloud services, with opportunity to onboard new cloud service providers,” writes WashingtonExec.
Labor markets.
Though layoffs across the tech industry have hit thousands of employees, many non-technology focused companies have been reported as hiring these professionals to bolster their own computer networks. The Daily Record reports “Now they are being courted by long-established employers whose names aren’t typically synonymous with tech work, including hotel chains, retailers, investment firms, railroad companies and even the Internal Revenue Service. All of those sectors have signaled on recruiting platforms that they are still hiring software engineers, data scientists and cybersecurity specialists despite the layoffs in Big Tech. It’s a chance for them to level the playing field against tech giants that have long had their pick of the top talent with lucrative compensation, alluring perks and sheer name recognition.” The Daily Record goes on to note that the US Government is hiring as well, as it always has room for more IT professionals.
Mergers and acquisitions.
“CyberRisk Alliance (CRA), a business intelligence company serving the cybersecurity community, has acquired LaunchTech Communications, a leading public relations and communications agency serving fast-paced, global cybersecurity and technology companies,” wrote LaunchTech on their blog.
Socure, a leading digital identity verification solutions company, reports that it has acquired Berbix, a startup that developed a “high-accuracy document verification solution with a patent-pending forensics engine able to detect spoofed IDs – including AI-generated fakes – that are visually indistinguishable to the human eye.”
HashiCorp, a multi-cloud infrastructure automation software company, has acquired BluBracket, a code security developer, in an effort to “expand its product portfolio to enable customers to discover and manage their entire secrets inventory.”
Investments and exits.
Cyera secured a $100 million Series B investment from Accel, Sequoia, Cyberstarts, and Redpoint Ventures. “This brings the company's total funding to $160 million since emerging from stealth in March of 2022. In the past year, Cyera has gained significant traction among S&P 500 enterprises, growing revenue by 800%, as security teams prioritize data security across their hybrid cloud environments,” writes Cyera.
Blackbird.AI has raised $20 million in Series B investments from Ten Eleven Ventures, Dorilton Capital, Generation Ventures, StartFast Ventures, and Trousdale Ventures. In total the company has raised $32 million in investments.