At a glance.
- LockBit 3.0 claims responsibility for Nagoya ransomware attack.
- BlackCat and SEO poisoning.
- LockBit seeks to extort semiconductor manufacturer.
- Professionals in the cyber underworld.
- Microsoft debunks claims of data theft by Anonymous Sudan.
- Russia-Ukraine hybrid war update.
- Courts and torts.
- Policies, procurements, and agency equities.
- Labor markets.
- Mergers and acquisitions.
- Investments and exits.
LockBit 3.0 claims responsibility for Nagoya ransomware attack.
The Port of Nagoya resumed some container operations on Thursday as it worked to restore normal service after Tuesday's ransomware attack. Bloomberg reports that five terminals are returning to operation. The Japan Times quotes the Nagoya Harbor Transportation Association as saying that LockBit 3.0, the well-known Russian ransomware gang, has issued a ransom demand, thereby claiming responsibility for the disruption. Tech Monitor notes that LockBit 3.0, a ransomware-as-a-service (RaaS) gang, has been unusually active over the past week. Its other victims include Taiwanese chip maker TSMC as well as a range of organizations in the Netherlands, Spain, Canada, and the US. The amount LockBit 3.0 has demanded remains unknown. For more on the incident, including industry reaction, see CyberWire Pro.
BlackCat and SEO poisoning.
The Russophone BlackCat ransomware gang (also known as “ALPHV”) is using malvertising to trick victims into installing malicious versions of the WinSCP file-transfer application, BleepingComputer reports. According to researchers at Trend Micro, “The infection starts once the user searches for ‘WinSCP Download’ on the Bing search engine. A malicious ad for the WinSCP application is displayed above the organic search results. The ad leads to a suspicious website containing a tutorial on how to use WinSCP for automating file transfer. From this first page, the user is then redirected to a cloned download webpage of WinSCP (winsccp[.]com). Once the user selects the “Download” button, an ISO file is downloaded from an infected WordPress webpage.”
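The chain Trend Micro describes (search ad, look-alike domain, cloned download page, ISO fetched from a compromised site) leaves a recognizable trail in web-proxy logs. The following is an added example, not code from the article or from Trend Micro, of detection logic a defender might run over such logs: it flags requests to domains that are look-alikes of a watched brand and ISO downloads whose referrer is such a domain. The log format, the sample lines, the allow-list of legitimate domains, and the similarity threshold are all assumptions made for the example.

```python
"""Flag SEO-poisoning lures in proxy logs: look-alike brand domains and ISO
downloads referred by them. Added example; log format and thresholds are assumed."""
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Assumption: the defender maintains these lists for brands attackers impersonate.
LEGIT_DOMAINS = {"winscp.net"}
BRAND_TOKENS = {"winscp"}
SIMILARITY_THRESHOLD = 0.8  # assumption: tuned for short brand names

# Constructed sample log. Assumed format: "<ts> <user> <method> <url> <referer> <status>"
# ("-" means no referer). The winsccp[.]com host is the look-alike named in the article;
# the other hosts and paths are made up for the example.
SAMPLE_LOG = """\
2023-07-03T10:01:12Z alice GET https://www.bing.com/search?q=WinSCP+Download - 200
2023-07-03T10:01:20Z alice GET https://winsccp.com/winscp-tutorial https://www.bing.com/aclick?ld=xyz 200
2023-07-03T10:01:35Z alice GET https://winsccp.com/download https://winsccp.com/winscp-tutorial 200
2023-07-03T10:01:41Z alice GET https://compromised-blog.example/wp-content/uploads/WinSCP-setup.iso https://winsccp.com/download 200
2023-07-03T10:05:02Z bob GET https://winscp.net/eng/download.php https://www.google.com/ 200
2023-07-03T10:05:09Z bob GET https://winscp.net/download/WinSCP-Setup.exe https://winscp.net/eng/download.php 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>\S+) (?P<url>\S+) (?P<referer>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def registrable_domain(url):
    """Return the last two labels of the URL's hostname (e.g. winsccp.com).
    Assumption: two-label public suffixes such as co.uk are out of scope here."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:]) if host else ""


def is_lookalike(domain):
    """True when the domain's first label resembles a watched brand and the
    domain is not on the allow-list. A substring hit or a high edit-similarity
    ratio both count, so winsccp.com (doubled letter) is caught."""
    if not domain or domain in LEGIT_DOMAINS:
        return False
    label = domain.split(".")[0]
    for brand in BRAND_TOKENS:
        if brand in label:
            return True
        if SequenceMatcher(None, label, brand).ratio() >= SIMILARITY_THRESHOLD:
            return True
    return False


def analyze(log_text):
    """Return (user, url, reason) alerts for look-alike hosts and for ISO downloads
    whose referrer is a look-alike host."""
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        dom = registrable_domain(rec["url"])
        ref_dom = registrable_domain(rec["referer"]) if rec["referer"] != "-" else ""
        if is_lookalike(dom):
            alerts.append((rec["user"], rec["url"], "lookalike-domain"))
        if urlparse(rec["url"]).path.lower().endswith(".iso") and is_lookalike(ref_dom):
            alerts.append((rec["user"], rec["url"], "iso-download-referred-by-lookalike"))
    return alerts


if __name__ == "__main__":
    for user, url, reason in analyze(SAMPLE_LOG):
        print(f"{reason}: {user} -> {url}")
```

On the sample log this raises three alerts, all for alice: two for the look-alike host and one for the ISO download it referred, while bob's visit to the genuine winscp.net site produces none. In practice the referrer check matters most, because the ISO is served from an unrelated compromised site that no brand similarity rule would catch on its own.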
LockBit seeks to extort semiconductor manufacturer.
The LockBit ransomware group is asking for $70 million in exchange for not leaking data allegedly stolen from Taiwanese chip manufacturer TSMC, the Register reports. TSMC told the Register that one of its third-party equipment suppliers, Kinmax, was the source of the breach.
SecurityWeek quotes TSMC as stating, “At TSMC, every hardware component undergoes a series of extensive checks and adjustments, including security configurations, before being installed into TSMC’s system. Upon review, this incident has not affected TSMC’s business operations, nor did it compromise any of TSMC’s customer information. After the incident, TSMC has immediately terminated its data exchange with this concerned supplier in accordance with the Company’s security protocols and standard operating procedures. TSMC remains committed to enhancing the security awareness among its suppliers and making sure they comply with security standards. This cybersecurity incident is currently under an investigation that involves a law enforcement agency.”
Kinmax said in a statement, “The leaked content mainly consisted of system installation preparation that the company provided to our customers as default configurations. We would like to express our sincere apologies to the affected customers, as the leaked information contained their names which may have caused some inconvenience.”
Professionals in the cyber underworld.
Cybercriminal gangs are increasingly operating like professional businesses, according to Melissa Bischoping, Director of Endpoint Security Research at Tanium. In an article for Infosecurity Magazine, Bischoping stated, “The [ransomware-as-a-service] approach is almost identical to today’s modern businesses, which seek to hire the best talent across different functions. Through public-facing data leak sites (DLS), telegram channels or direct recruitment of targets as insider threats, cyber-criminals advertise job openings, promoting pay, benefits and other perks. In fact, the LAPSUS$ ransomware group has been advertising job openings since November 2021, targeting employees at large technology firms such as AT&T and Verizon to lure employees to perform insider jobs in exchange for high pay (up to $20,000 a week). The landscape for cyber-criminal jobs is competitive, with new ransomware groups and data leak sites popping up constantly.”
Microsoft debunks claims of data theft by Anonymous Sudan.
Anonymous Sudan (generally regarded as a Russian front organization) on July 1st claimed in its Telegram channels to have breached Microsoft servers and stolen data belonging to some thirty million customers. “We announce that we have successfully hacked Microsoft and have access to a large database containing more than 30 million Microsoft accounts, email and password. Price for full database: 50,000 USD,” the group posted. Microsoft says the claim is baseless. “At this time, our analysis of the data shows that this is not a legitimate claim and an aggregation of data,” a Microsoft representative told BleepingComputer. “We have seen no evidence that our customer data has been accessed or compromised.”
Just yesterday, Anonymous Sudan also announced an ongoing attack on Riot Games, the American developer of League of Legends. Anonymous Sudan claims to have access to Riot's “back end of League of Legends.” This campaign is a continuation of attacks against American companies in response to comments made by the Secretary of State concerning the civil war in Sudan. Riot Games would appear to be merely a US-based target of opportunity.
The Cybersecurity and Infrastructure Security Agency (CISA) released an alert on June 30th regarding distributed denial-of-service (DDoS) attacks: “CISA is aware of open-source reporting of targeted denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks against multiple organizations in multiple sectors. These attacks can cost an organization time and money and may impose reputational costs while resources and services are inaccessible.” Though the alert does not point fingers at any groups, it is reasonable to assume that it responds to the recent attacks against US and NATO industries by Russian-aligned groups. BleepingComputer assessed that the warning represented a response to Anonymous Sudan’s new wave of DDoS attacks against various government and private sector organizations.
Russia-Ukraine hybrid war update.
Moscow and Kyiv yesterday accused one another of planning to sabotage the Zaporizhzhia Nuclear Power Plant, thereby inducing a radiological incident comparable in scale to the late-Soviet disaster at Chernobyl. The plant is controlled by Russian occupation troops, but the Ukrainian staff remains on-site to look after its operation. As a safety precaution, the plant's six reactors have been shut down, but that doesn't remove the risk of contamination should the reactors be damaged in an explosion.
Ukrainian sources have warned that Russian troop withdrawals from the vicinity of Zaporizhzhia could be a precursor to a deliberately staged incident, the Guardian reports. Russian official media have downplayed the effects of an incident at the plant, saying that Russian troops were trained and equipped to operate without difficulty in a contaminated environment. (Few informed observers credit such claims.)
OODA Loop has an overview of "non-state actors'" recent cyber operations in the war. Hacktivists operating in the Ukrainian interest (and, we add, certainly with some degree of coordination with the competent Ukrainian government agencies) have devoted some attention to interfering with Russian rail traffic. The rail operator RZD disclosed yesterday in its Telegram channel that its website and mobile app had been taken down by a cyberattack. The Ukrainian IT Army claimed responsibility, tweeting, "Hear that? Seems like the trains on Russian swamps have lost their steam. Buying a ticket? That's a tough one, offline counters are playing the 'frozen statue' game too. The terrorist state is not just heading, but gleefully racing to 'Chaos Central'."
The IT Army is also recruiting. "Our cyber warriors at ITArmy are playing the role of a virtual Robin Hood - wrecking enemy infrastructure and keeping nothing for ourselves! Do you know what the enemy feels when their servers are crashing and wallets are emptying? Join us!"
Last Friday the Russian Internet regulator Roskomnadzor blocked RIA FAN, Politics Today, Economy Today, Neva News, and People's News, all of which were tied closely to the Wagner Group. Working from the other side, Wagner Group boss Yevgeny Prigozhin has dissolved the Patriot Media holding company, best known as the corporate parent of his troll farm, the Internet Research Agency (IRA). What effect this will have on IRA operations is as yet unclear; the troll farm may be acquired by another company. The Record reports that employees throughout Patriot Media were laid off with a bad severance package (that is, with no severance package). Should those properties return in some form, oligarch Yuri Kovalchuk, banker and owner of the National Media Group (NMG), is thought to be the most likely suitor for the IRA and Mr. Prigozhin's other now-blocked-and-shuttered properties.
Courts and torts.
Twitter has threatened to sue Meta for its new social media platform, Threads. Semafor reports that hours after the launch of the platform, Alex Spiro, a lawyer for Twitter, sent Meta CEO Mark Zuckerberg a letter “accusing the company of engaging in ‘systematic, willful, and unlawful misappropriation of Twitter’s trade secrets and other intellectual property.’” Mr. Spiro also alleged that Meta had hired former Twitter employees to acquire trade secrets and confidential information. Meta’s spokesperson, Andy Stone, has remarked that the accusations are baseless.
Policies, procurements, and agency equities.
A source at Facebook says the US State Department has canceled a scheduled monthly meeting with the social media giant focused on fighting potential digital threats to the 2024 presidential election. The move appears to be in response to a Louisiana federal judge’s ruling earlier this week limiting the White House’s communications with tech firms. President Biden’s Department of Justice has already filed a notice that it will appeal the ruling, but according to the source the State Department has nonetheless canceled all future meetings with Facebook, and presumably other tech giants, “pending further guidance.” The Washington Post reports that the State Department, as well as Google and other tech firms contacted, have not yet responded to a request for comment. The canceled meetings indicate that the ruling issued by US District Judge Terry A. Doughty, a Trump appointee, could impede government efforts to work with social media companies to combat foreign influence operations and the spread of misinformation online. A former Department of Homeland Security official, who has asked to remain anonymous, told the Washington Post that the meetings are likely being canceled while government agencies determine the full impact of the judge’s ruling. “I would expect to see DOJ or the White House take the first public steps,” the former official said. “There will likely be a chilling effect from overly cautious government counsels. What previously had been inbounds will look too close to the line, or we’re not sure how it’s going to work.”
Labor markets.
The Cipher Brief released an opinion piece which highlights the value of government agencies recruiting alumni from the Intelligence Community (IC). “Former employees of these agencies are still advancing the cybersecurity mission and shaping the field. A mathematician who once broke foreign cryptographic systems now researches quantum-safe cryptography in academia; a former intelligence analyst is disrupting malign nation-state cyber activity at a tech company; and alumni working in product management or customer-facing roles are building best-practice cybersecurity philosophies into products and the operationalization processes supporting them,” writes The Cipher Brief. “The allure of private sector compensation may keep alumni from returning as government employees, but a concerted alumni engagement strategy can leverage their rich experience to enhance national security in cyberspace, where private and public sector boundaries are increasingly blurred.”
The Cipher Brief put an emphasis on treating former employees as potential assets which, if recruited, could provide critical insights into the cybersecurity field. “Embrace former employees as potential assets, not counterintelligence threats. In addition to the necessary security outreach, such as reminders of lifelong obligations like pre-publication review, the government can also provide alumni with curricula to lead cybersecurity awareness programs and with training on recruitment. A collaborative effort between agencies and their alumni can tell the agency’s story or deepen public-private partnerships while protecting classified information and impropriety,” it writes. Hiring alumni back isn’t the only option: agencies could create an alumni outreach program offering unclassified briefings and networking opportunities. These networking groups could even help with recruiting new employees, as the alumni are likely in contact with many bright-minded individuals who could be interested in working for the government.
Mergers and acquisitions.
Cisco has acquired the private broadband-network monitoring company SamKnows for an undisclosed price. NetworkWorld reports, “SamKnows technology will be integrated into Cisco’s ThousandEyes cloud-based network intelligence software that analyzes everything from the performance of local and wide-area networks to ISP, cloud, and collaboration-application performance to the health of the internet.”
Reveald and Epiphany Systems have completed their strategic merger; the combined company will operate under the Reveald name. AIthority explains, “The merger creates an innovative convergence of technology and expertise, well-equipped to assist security teams in protecting their organizations from ever-evolving cyber threats. Leveraging the AI-powered Epiphany platform, Reveald’s solutions integrate predictive AI with human expertise to deliver attack path identification, continuous monitoring, and rapid remediation. This approach minimizes risk, trims operational costs, and boosts operational efficiency through consistent and predictable maturity enhancements.”
The Information reported that, in February of 2023, Nvidia had acquired OmniML, a startup which developed methods to shrink machine learning models for implementation on devices rather than on a cloud architecture. The Information writes, “The acquisition could be a sign that the chipmaker, whose data-center server chips have fueled a recent AI boom and enabled chatbots including ChatGPT, wants to improve its separate AI chips for cars, industrial robots and drones.”
AIthority reports that Bitdefender announced its intention to acquire Horangi Cyber Security. The acquisition price has not yet been disclosed.
Investments and exits.
IP Fabric has announced that it has closed its Series B funding round, securing close to $25 million. One Peak led the funding followed by Senevo and Presto Ventures. Cision reports, “This will fuel IP Fabric's mission of making network assurance ubiquitous so that people, businesses, and governments can operate without the exponential risk of network failures or outages.”
Cyware reports that it has raised $30 million in Series C funding led by Ten Eleven Ventures. Advent International, Zscaler, Emerald Development Managers, Prelude (a venture practice at Mercato Partners), and Great Road Holdings also participated in the funding. Cyware writes, “The Series C financing comes as Cyware has experienced strong year-over-year growth propelled by robust market adoption, excellent customer retention, and extraordinarily large market access.”
Amazon Web Services announced that it would be investing $100 million in what has been dubbed the Generative AI and Machine Learning Center. CIO reports, “The new program will connect AWS AI and machine learning (ML) experts with enterprises to help them envision, design, and launch new generative AI products, services, and processes, the company said, adding that these applications can be targeted at industries such as manufacturing, healthcare, and financial services among others.”