Training code turns out to be malicious in a new proof-of-concept attack discovered on GitHub.
Uptycs has discovered a proof-of-concept (PoC) that hides a malicious backdoor through which data are stolen. PoCs are used by cybersecurity researchers to understand potential vulnerabilities and are generally trusted to be safe options to learn what harmful code can be used against a network. Uptycs writes, “In this instance, the PoC is a wolf in sheep's clothing, harboring malicious intent under the guise of a harmless learning tool. Its concealed backdoor presents a stealthy, persistent threat. Operating as a downloader, it silently dumps and executes a Linux bash script, all the while disguising its operations as a kernel-level process.” Although the PoC has been removed from GitHub, Uptycs believes users who installed it are at high risk of compromise. The malicious PoC copies code from an older legitimate Linux exploit, but upon further examination of the code, researchers found malicious code inserted into the program. This type of tactic is not new, but this incident should remind researchers to always analyze files downloaded from the internet, and to do so skeptically.
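The "disguised as a kernel-level process" trick Uptycs describes has a straightforward host-side check. The script below is an added example, not code from Uptycs or from the PoC they analyzed: on Linux a genuine kernel thread is a child of kthreadd (PID 2), has an empty /proc/PID/cmdline and no /proc/PID/exe target, so a user-space downloader that merely renames itself to look like a kworker still stands out in a process snapshot. The snapshot, paths and PIDs are constructed for the example.

```python
"""Spot user-space processes masquerading as Linux kernel threads.

Added example; not code from Uptycs or from the PoC it analyzed. A genuine
kernel thread descends from kthreadd (PID 2), has an empty /proc/PID/cmdline
and no backing binary under /proc/PID/exe; ps prints its name in brackets.
A downloader that renames itself "[kworker/0:1]" keeps a real parent, a real
command line and a real executable. The snapshot below is constructed.
"""
from dataclasses import dataclass
import re

KTHREADD_PID = 2
# Bracketed names as ps shows them for kernel threads, plus common kthread
# prefixes a masquerader might copy into its own comm or argv[0].
KERNEL_STYLE_NAME = re.compile(r"^\[.+\]$|^(kworker|ksoftirqd|kthreadd|migration|rcu_)")


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str      # name as shown by ps / found in /proc/PID/comm
    cmdline: str   # /proc/PID/cmdline with NULs replaced by spaces; "" for kernel threads
    exe: str       # readlink /proc/PID/exe; "" when there is no backing binary


def claims_kernel_identity(p: Proc) -> bool:
    """True when the process presents itself as a kernel thread by name."""
    return bool(KERNEL_STYLE_NAME.match(p.name.strip()))


def is_genuine_kernel_thread(p: Proc) -> bool:
    """Kernel threads descend from kthreadd and have neither cmdline nor exe."""
    return (p.pid == KTHREADD_PID or p.ppid == KTHREADD_PID) and p.cmdline == "" and p.exe == ""


def find_masqueraders(procs) -> list[int]:
    """PIDs that look like kernel threads but are backed by a user-space binary."""
    return sorted(p.pid for p in procs
                  if claims_kernel_identity(p) and not is_genuine_kernel_thread(p))


def children_of(procs, parents) -> list[int]:
    """PIDs whose parent is one of the flagged processes (e.g. a dropped bash script)."""
    parents = set(parents)
    return sorted(p.pid for p in procs if p.ppid in parents)


# Constructed snapshot: PIDs 2 and 17 are real kernel threads; 4242 is a
# user-space binary under /tmp that renamed itself, and 5100 is the shell
# it spawned to run a dropped script.
SNAPSHOT = [
    Proc(2, 0, "[kthreadd]", "", ""),
    Proc(17, 2, "[kworker/0:1]", "", ""),
    Proc(1300, 1, "sshd", "/usr/sbin/sshd -D", "/usr/sbin/sshd"),
    Proc(4242, 1, "[kworker/u8:3]", "[kworker/u8:3]", "/tmp/.cache/kworker"),
    Proc(5100, 4242, "bash", "/bin/bash /tmp/.cache/update.sh", "/usr/bin/bash"),
]

if __name__ == "__main__":
    bad = find_masqueraders(SNAPSHOT)
    print("masquerading PIDs:", bad)
    print("processes they spawned:", children_of(SNAPSHOT, bad))
```

On a live host the same three fields come from `/proc/<pid>/status` (PPid), `/proc/<pid>/cmdline` and `readlink /proc/<pid>/exe`; the check is cheap enough to run from cron and compare against the previous snapshot.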
Multichain reports over $100 million stolen in crypto heist.
The Record reports, “The crypto platform Multichain has suspended its services as it investigates claims that more than $125 million in cryptocurrency was stolen.” Multichain is a cross-blockchain exchange service, a bridge, that allows users to exchange cryptocurrency between various blockchains and networks. In a July 6th tweet Multichain advised all of its users to suspend use of its services and “revoke all contract approvals related to Multichain.” CryptoMode reports that the theft covered several assets belonging to Multichain: “Impacted assets included WBTC, USDC, DAI, wETH, and Link. The total haul from the theft amounted to a staggering $126 million, with WBTC, wETH, and USDC accounting for $30.9 million, $13.6 million, and $57 million, respectively.” The Record says that this isn’t the first time a cross-blockchain bridge has been targeted. “Cross-chain bridges like Multichain continue to be a ripe target for hackers in 2023 after billions were stolen throughout 2022.”
USB attacks have risen three-fold in the first half of 2023.
Mandiant reports that USB attacks have risen by three times in the first half of 2023. The report details two new USB attack campaigns: the SOGU malware infection that targets industries across the globe, and the SNOWYDRIVE infection that seems to target oil and gas companies across Asia. Both campaigns use a USB drive for initial infection and propagation, while installing malware that steals sensitive information from the host computer. SOGU is the more prevalent USB infection campaign and has spread to various sectors, including pharmaceutical, IT, energy, communications, and healthcare organizations across North America, Europe, Asia, and Oceania. “While some threat actors targeted specific industries or regions, Campaign 22-054 [Mandiant’s name for this USB threat] appears to be more opportunistic in nature. This campaign may be part of a long-term collection objective or a later-stage follow-up for subjects of interest to state-sponsored threat actors.” USB campaigns are especially dangerous as they are a method for attacking air-gapped systems, that is, systems with no connection to the outside internet. The most famous example of a USB-based attack was Stuxnet which, as Trellix explains, was an infection spread to Iranian nuclear facilities delivered by USB sticks.
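Because both campaigns Mandiant describes start with a USB drive, the first telemetry a defender has is the host's own record of a mass-storage device being attached. The parser below is an added example, not from the Mandiant report: it reads the standard Linux kernel messages for a new USB device ("New USB device found, idVendor=..., idProduct=..."), for the mass-storage driver binding ("USB Mass Storage device detected") and for the resulting removable disk, and flags any mass-storage device whose vendor:product id is not on an allowlist. The log lines, hostnames and allowlist are constructed.

```python
"""Flag unapproved USB mass-storage attachments in Linux kernel log lines.

Added example, not from the Mandiant report. The message shapes parsed here
are standard Linux kernel log lines; the sample lines, hosts and allowlist
are constructed for the example.
"""
import re
from dataclasses import dataclass

SYSLOG = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+kernel:\s+(?P<msg>.*)$")
NEW_DEVICE = re.compile(r"^usb (?P<port>[\d.-]+): New USB device found, "
                        r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT = re.compile(r"^usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
MASS_STORAGE = re.compile(r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


@dataclass
class UsbDevice:
    host: str
    port: str           # bus-port path, e.g. "1-1" or "2-1.3" behind a hub
    vid: str
    pid: str
    product: str = ""
    mass_storage: bool = False

    @property
    def vid_pid(self) -> str:
        return f"{self.vid}:{self.pid}"


def parse_usb_events(lines) -> list:
    """Correlate the per-device kernel messages by (host, port) into UsbDevice records."""
    devices, current = [], {}
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        host, msg = m.group("host"), m.group("msg")
        if (d := NEW_DEVICE.match(msg)):
            dev = UsbDevice(host, d["port"], d["vid"], d["pid"])
            devices.append(dev)
            current[(host, d["port"])] = dev      # later lines for this port refer to it
        elif (p := PRODUCT.match(msg)) and (host, p["port"]) in current:
            current[(host, p["port"])].product = p["name"]
        elif (s := MASS_STORAGE.match(msg)) and (host, s["port"]) in current:
            current[(host, s["port"])].mass_storage = True
    return devices


def unauthorized_mass_storage(lines, allowlist) -> list:
    """Mass-storage devices whose vendor:product id is not on the allowlist."""
    return [d for d in parse_usb_events(lines)
            if d.mass_storage and d.vid_pid not in allowlist]


# Constructed sample: an unknown flash drive on ws17, a keyboard (no storage
# driver bound), and an approved encrypted drive on eng03.
LOG = [
    "Jul 11 09:14:02 ws17 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd",
    "Jul 11 09:14:02 ws17 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00",
    "Jul 11 09:14:02 ws17 kernel: usb 1-1: Product: Ultra Fit",
    "Jul 11 09:14:02 ws17 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected",
    "Jul 11 09:14:03 ws17 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk",
    "Jul 11 09:20:41 ws17 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00",
    "Jul 11 09:20:41 ws17 kernel: usb 1-2: Product: USB Keyboard",
    "Jul 11 10:02:10 eng03 kernel: usb 2-1.3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00",
    "Jul 11 10:02:10 eng03 kernel: usb 2-1.3: Product: Corp Encrypted Drive",
    "Jul 11 10:02:10 eng03 kernel: usb-storage 2-1.3:1.0: USB Mass Storage device detected",
]
ALLOWLIST = {"abcd:1234"}   # constructed: the organisation's issued drives

if __name__ == "__main__":
    for dev in unauthorized_mass_storage(LOG, ALLOWLIST):
        print(f"ALERT {dev.host} port {dev.port}: {dev.vid_pid} ({dev.product})")
```

Keying on the vendor:product pair is a coarse control (ids can be cloned), so treat the alert as a prompt to pull the host's process and file-creation telemetry for the minutes after the attachment rather than as proof of compromise.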
CISA and the FBI issue a joint Cybersecurity Advisory on exploitation of Microsoft Exchange Online.
The US Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory regarding a Chinese cyberespionage campaign that’s targeting government officials. The advisory urges organizations, especially those operating critical infrastructure, to step up their monitoring and logging of activity surrounding Microsoft Exchange Online environments. Microsoft described the campaign in a blog post earlier this week, noting that the threat actor compromised email accounts at approximately 25 organizations “by using forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key.”
The Washington Post reports that the campaign targeted the US Commerce and State Departments, and an email account belonging to US Commerce Secretary Gina Raimondo was compromised. The Associated Press notes that the hacks occurred just before US Secretary of State Antony Blinken’s trip to Beijing last month. The State Department appears to have been the first agency to recognize the suspicious activity. For more on this incident, including comment by industry experts, see CyberWire Pro.
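The mechanism Microsoft describes, forged tokens accepted because they were signed with an acquired consumer signing key, comes down to a validation rule every relying party should enforce: a signing key may only vouch for tokens from the issuer it is registered to, and issuer, audience and expiry must all be checked. The code below is an added example and is not Microsoft's code; it does not reproduce the details of the incident. It contrasts a validator that looks a key up by its `kid` alone with one that also binds the key to the issuer. HS256 (HMAC) stands in for the RSA keys a real identity provider uses, and the key ids, issuer names, audience and secrets are constructed.

```python
"""Bind token validation to the issuer a signing key belongs to.

Added example, not Microsoft's code. Models one general rule: a registered
signing key may only validate tokens for its own issuer, and the relying
party must check issuer, audience and expiry. HS256 stands in for RSA; key
ids, issuers, audience and secrets are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed key registry: each key id is bound to exactly one issuer.
KEYS = {
    "consumer-k1":   {"issuer": "consumer-issuer",   "secret": b"consumer-secret-0001"},
    "enterprise-k1": {"issuer": "enterprise-issuer", "secret": b"enterprise-secret-0001"},
}


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint an HS256 JWT with registry key `kid` (used here only to build test tokens)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (_b64u(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64u(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64u(sig)


def _verify_signature(token: str):
    """Return (key entry, claims) when the HMAC under the header's kid checks out."""
    head_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(_b64u_decode(head_b64))
    key = KEYS.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        return None, None
    expected = hmac.new(key["secret"], f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_decode(sig_b64)):
        return None, None
    return key, json.loads(_b64u_decode(claims_b64))


def validate_kid_only(token: str, audience: str, now=None) -> tuple:
    """Weak pattern: any registered key is accepted regardless of which issuer it serves."""
    key, claims = _verify_signature(token)
    if key is None:
        return False, "signature"
    now = time.time() if now is None else now
    if claims.get("aud") != audience:
        return False, "audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"


def validate_issuer_bound(token: str, issuer: str, audience: str, now=None) -> tuple:
    """Hardened pattern: the token must name the expected issuer, and the key that
    signed it must be registered to that same issuer."""
    ok, reason = validate_kid_only(token, audience, now)
    if not ok:
        return ok, reason
    key, claims = _verify_signature(token)
    if claims.get("iss") != issuer:
        return False, "issuer"
    if key["issuer"] != claims["iss"]:
        return False, "key not bound to issuer"
    return True, "ok"


def demo() -> dict:
    """Run both validators on a legitimate enterprise token and on a token signed
    with the consumer key that nevertheless claims the enterprise issuer."""
    exp = int(time.time()) + 600
    legit = sign_token("enterprise-k1", {"iss": "enterprise-issuer", "aud": "mail-api", "sub": "alice", "exp": exp})
    cross = sign_token("consumer-k1",   {"iss": "enterprise-issuer", "aud": "mail-api", "sub": "alice", "exp": exp})
    return {
        "kid_only_accepts_legit": validate_kid_only(legit, "mail-api")[0],
        "kid_only_accepts_cross": validate_kid_only(cross, "mail-api")[0],
        "bound_accepts_legit": validate_issuer_bound(legit, "enterprise-issuer", "mail-api")[0],
        "bound_result_cross": validate_issuer_bound(cross, "enterprise-issuer", "mail-api"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the contrast is that the cross-issuer token has a perfectly valid signature; only the binding between key and issuer distinguishes it, which is why the advisory's emphasis on logging matters too: when a key is compromised the validator cannot tell, and the audit trail of unusual mailbox access is what remains.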
Russia-Ukraine hybrid war update.
In a renewed push for a protected and controllable sector of cyberspace, Russia is pursuing a "sovereign Internet." But the program faces difficulties, Scientific American reports. A test last week attempted to disconnect Russia's Internet from the rest of the world's. The Kremlin declared the trial a success, but outside observers conclude to the contrary that it ended in failure, producing widespread outages among Russian websites. The sovereign Internet isn't a simple or unitary project, but rather a system of technologies, deep packet inspection tools figuring prominently among them, that would give the government greater ability to cut off external (that is, international) connections, and monitor domestic traffic and content. There's also an element of autarky in the program, as Russia seeks to provide domestic alternatives to hardware and software that would otherwise be provided from foreign sources.
Russia has responded to Ukraine's counteroffensive with a surge in cyberattacks, CSO reports. The GRU isn't the only Russian service involved, but it's been a prominent player in these operations.
Mandiant has been tracking cyber operations by Russia's military intelligence service, the GRU (often known in its cyber mode as Fancy Bear), and its researchers have discerned a common, well-thought-through and repeatable process underlying the GRU's approach. Mandiant sees a five-phase operational style: first, "living on the edge," second, "living off the land," third, "going for the GPO," fourth, "disrupt and deny," and finally, "telegraphing 'success.'" The researchers see the "playbook" as systematizing some well-established approaches and combining them into an operational method that's effective, repeatable, and responsive. It yields, for all of its fixed and stereotypical structure, a paradoxical agility and adaptability that render cyber operations a practical combat support capability.
Russian intelligence services prospecting diplomatic targets in Ukraine used an ad for a nicely-loaded, deeply-discounted, used BMW as phishbait to attract their prospects' eyes (and clicks). Palo Alto Networks' Unit 42 says the campaign, directed against twenty-two of the eighty embassies in Kyiv, was run by APT29, Cozy Bear, that is, Russia's SVR foreign intelligence service. The phish hooks were LNK files masquerading as images. The targeted diplomatic missions were those of Albania, Argentina, Canada, Cyprus, Denmark, Estonia, Greece, Iraq, Ireland, Kuwait, Kyrgyzstan, Latvia, Libya, the Netherlands, Norway, Slovakia, Spain, Sudan, Turkey, Turkmenistan, the United States, and Uzbekistan. The campaign's goal was espionage, collection against the embassies and their contacts.
The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.
Patch news.
Progress Software has issued patches for three security flaws affecting MOVEit Transfer, SecurityWeek reports. The vulnerabilities (CVE-2023-36934, CVE-2023-36932, CVE-2023-36933) could be exploited to steal information. The company says it will begin issuing service packs to simplify the patching process for its MOVEit products: “These Service Packs will provide a predictable, simple, and transparent process for product and security fixes....We have heard from you that a regular cadence and predictable timeline will enable you to better plan your resources and make it easier to adopt new product updates and fixes. As a part of these Service Packs, we will also be optimizing the installation process to make the upgrade process simpler.”
Microsoft has issued security fixes for 132 flaws, six of which were being actively exploited in the wild, BleepingComputer reports. One of the disclosed vulnerabilities (CVE-2023-36884), which hasn’t yet been patched, is a remote code execution flaw affecting Microsoft Office. Microsoft says this flaw has been exploited by the Russian cybercriminal group Storm-0978 to conduct cyberespionage against defense and government entities in Europe and North America.
Fortinet has patched a “stack-based overflow vulnerability in FortiOS & FortiProxy [that] may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection.”
SAP has issued fixes for numerous vulnerabilities, including one affecting SAP Business Client that was assigned a CVSS score of 10.0. The company stated, “With a variety of new and updated SAP Security Notes, SAP’s July Patch Day was a busy one. Special attention should be paid to the high priority corrections, particularly those affecting SAP Business Client, SAP ECC and SAP S/4HANA (IS-OIL), and SAP NetWeaver (BI CONT ADD ON). As always, applying these patches as soon as possible is recommended to maintain the security and integrity of your SAP systems.”
Adobe has patched twelve security flaws in Adobe InDesign, including a deserialization of untrusted data vulnerability that could lead to arbitrary code execution, SecurityWeek reports.
Apple has rolled back its Rapid Security Response updates for iOS and macOS after the patch caused issues that prevented some websites from displaying properly, according to SecurityWeek. The company stated, “Rapid Security Responses iOS 16.5.1 (b), iPadOS 16.5.1 (b), and macOS 13.4.1 (b) will be available soon to address this issue.”
Crime and punishment.
A federal grand jury has indicted a man from Tracy, Massachusetts for intentionally causing damage to a protected computer after he was accused of remotely deleting critical software from a water treatment facility. The man, Rambler Gallo, was employed as an “Instrumentation and Control Tech” for a private company responsible for operating the Discovery Bay Water Treatment Plant, located in Discovery Bay, California. The indictment was filed on June 27th, and was unsealed on July 6th. HackRead reports that Gallo apparently resigned from the company responsible for servicing the plant, and subsequently uninstalled the critical software on the water plant’s computers. (We note that Mr. Gallo is of course entitled to the presumption of innocence with respect to the allegations.)
According to a press release from the U.S. Attorney’s office of the Northern District of California, “Prior to the attack on the Discovery Bay Water Treatment facility, Gallo, 53, of Tracy, Calif., was a full-time employee of a private Massachusetts-based company identified in the indictment as Company A. Company A contracted with Discovery Bay to operate the town’s wastewater treatment facility; the facility provides treatment for the water and wastewater systems for the town’s 15,000 residents. During his employment with Company A, from July of 2016 until December of 2020, Gallo was the company’s “Instrumentation and Control Tech,” with responsibility for maintaining the instrumentation and the computer systems used to control the electromechanical processes of the facility in Discovery Bay.” The indictment also charges Gallo with “transmitting a program, information, code, and command to cause damage to a protected computer.” If convicted, Gallo could face up to 10 years in prison and a $250,000 fine. The motives for such an attack (if indeed it was an attack and not human error) are unknown at the time of writing and, according to the press statement, the FBI is investigating the case. For more on the incident and the indictment, see CyberWire Pro.
Policies, procurements, and agency equities.
The White House this morning published the National Cybersecurity Strategy Implementation Plan, which provides guidance on how responsible parties are to put the national strategy into effect. The Implementation Plan has five "pillars." An accompanying fact sheet listed them as:
- Pillar One | Defending Critical Infrastructure
- Pillar Two | Disrupting and Dismantling Threat Actors
- Pillar Three | Shaping Market Forces and Driving Security and Resilience
- Pillar Four | Investing in a Resilient Future
- Pillar Five | Forging International Partnerships to Pursue Shared Goals
The guidance is not, the White House points out, exhaustive. Agencies are expected to take actions appropriate to their mission and circumstances.
The European Commission announced, on July 10th, that it has reached an agreement with the US regarding trans-Atlantic data transfers. As the New York Times explains, the EU-US Data Privacy Framework regulates how data can travel between the EU and the US, and it is the culmination of a years-long debate regarding American intelligence access to European resident data and the impact on EU data privacy. By adopting this decision, the European Commission is formally stating that the US has sufficient protections, as outlined in the EU’s General Data Protection Regulation, to safeguard Europeans’ personal data. An FAQ from the Commission states, “As a result of adequacy decisions, personal data can flow freely and safely from the European Economic Area (EEA), which includes the 27 EU Member States as well as Norway, Iceland and Liechtenstein, to a third country, without being subject to any further conditions or authorisations. In other words, transfers to the third country can be handled in the same way as intra-EU transmissions of data.” Negotiated by European commissioner Didier Reynders, US attorney general Merrick B. Garland, and US Commerce Secretary Gina Raimondo, the agreement dictates when it is permissible for US intelligence to collect EU data, and when it is not. The accord also allows Europeans to object if they believe their personal information has not been collected in a way that is “necessary” and “proportionate” by American intelligence agencies, and such objections will be reviewed by the Data Protection Review Court, an independent body of American judges. Commission President Ursula von der Leyen stated, “Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the U.S., and at the same time to reaffirm our shared values.”
Tech giants like Meta and Google have been awaiting the decision with bated breath, as it determines when and how it is legal for such companies to transfer data across the Atlantic. This data transfer is essential for the thousands of firms that do business on both continents, and Politico notes that transatlantic data flows account for $7.1 trillion in economic activities. The Wall Street Journal notes it’s likely the deal will be challenged by EU privacy advocates, and Austrian lawyer and privacy activist Max Schrems has already said he plans to fight the agreement. “We would need changes in U.S. surveillance law to make this work and we simply don’t have it,” Schrems stated.
Labor markets.
Insider released a report highlighting what it calls the “lazy management” problem plaguing the cybersecurity industry. The report follows a software engineer named Graham. (His real name has been changed to protect his identity.) His journey through the various development teams he was assigned to ended in a fulfilling but ultimately terminal project developing machine learning to improve Amazon music recommendations. He described multiple occurrences of supervisors and managers failing upwards and getting promoted out of projects which amounted to nothing. Ultimately, the main issue brought up is the “fake work” being assigned to employees. “The conception of lazy employees raking in big paychecks to do little lays the blame in the wrong place. Oftentimes, employees are getting plenty of work done; it's just that the projects are of little to no importance to the company's bottom line. The tech employees spoke with us on the condition of anonymity to avoid professional reprisal.”
Scott Latham, a strategic-management professor at the University of Massachusetts Lowell, attributes the lack of meaningful products being produced to "lazy management."
Mergers and acquisitions.
Honeywell International has announced its intention to buy Scadafence, an Israeli operational-technology and Internet-of-Things cyber security provider. The Wall Street Journal writes that Honeywell hasn’t commented on the exact price of acquisition.
ARN reports that the data center provider DC Two has acquired the Perth, Australia-based security and intelligence firm Thomas Cyber. The total price of acquisition was $435,000 in multiple tranches until 2025.
Investments and exits.
GlobeNewswire reported that SAVVY has exited stealth with $30 million in funding to “Enable Safe Use of SaaS Applications at Scale.”
AUCloud raised 8.5 million in a capital raise which was fully subscribed and underwritten by businesswoman Cathie Reid and Peter Maloney, the newly appointed CEO of AUCloud, according to FinTech Global.
Nokod Security raised $8 million “which will be used to establish a presence in the United States market, as well as to expand the R&D teams and support novel research of security vulnerabilities in the low-code/no-code domain,” writes Help Net Security.
BusinessWire reports that Outdid has raised 2.5 million “to provide identity verification in a private and trustless manner.”