By the CyberWire staff
At a glance.
- Orca describes, Microsoft fixes, four Azure SSRF issues.
- DNV recovering from ransomware.
- T-Mobile discloses a data breach.
- Cyberattack hits Nunavut utility.
- Phishing attacks attempt to reel in victims worldwide.
- Credential stuffing campaigns see an uptick in activity.
- Trends and reports, fresh off the presses.
- Latest developments in the hybrid war.
- Patch news.
- Crime and punishment.
- Policies, procurements, and agency equities.
- Business news.
- And research news.
Orca describes, Microsoft fixes, four Azure SSRF issues.
Researchers at Orca Security discovered four Server Side Request Forgery (SSRF) vulnerabilities affecting Microsoft Azure instances, two of which could be exploited without authentication. Microsoft has since patched the flaws. The affected services were Azure API Management, Azure Functions, Azure Machine Learning and Azure Digital Twins. All four of the flaws were Non-Blind SSRF vulnerabilities, which could allow an attacker to “scan local ports, find new services, endpoints, and files – providing valuable information on possibly vulnerable servers and services to exploit for initial entry and the location of potential information to target.” For more on the Azure vulnerabilities, see CyberWire Pro.
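The Orca write-up describes what a non-blind SSRF lets an attacker reach (local ports, internal endpoints). The usual server-side mitigation is to validate the destination of any outbound fetch after name resolution and refuse loopback, private and link-local ranges, the last of which holds cloud instance-metadata endpoints. The following is an added, illustrative check and is not code from Orca, Microsoft or any Azure service; the resolver is injected so the sample runs offline, and the `example.test` address is constructed.

```python
"""Destination check for server-side fetches (added example, not Azure code).

The check takes a resolver callable so it can be unit-tested offline; in
production pass a function that calls socket.getaddrinfo. Because the
resolved address can change between this check and the real connection
(DNS rebinding), the same test must also be applied to the address the
HTTP client actually connects to, e.g. via a connection hook or a proxy.
"""
import ipaddress
from urllib.parse import urlsplit

# Ranges an internal service should never be asked to fetch from.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "100.64.0.0/10",
    "169.254.0.0/16",   # link-local; cloud metadata services live here
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_safe_destination(url, resolver, allowed_ports=(80, 443)):
    """Return True only if every resolved address of `url` is public
    and the scheme/port are on the allowlist. Any parse or lookup
    failure is treated as unsafe (fail closed)."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    port = port or (443 if parts.scheme == "https" else 80)
    if port not in allowed_ports:
        return False
    try:
        addrs = list(resolver(parts.hostname))
    except OSError:
        return False
    if not addrs:
        return False
    for a in addrs:
        ip = ipaddress.ip_address(a)
        # ::ffff:10.0.0.1 must be judged as 10.0.0.1, not as a public v6 host
        mapped = getattr(ip, "ipv4_mapped", None)
        if mapped is not None:
            ip = mapped
        if any(ip in net for net in BLOCKED_NETWORKS):
            return False
    return True


# Constructed resolver table standing in for DNS; values are examples only.
FAKE_DNS = {
    "example.test": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "metadata.internal.test": ["169.254.169.254"],
    "v6mapped.test": ["::ffff:10.1.2.3"],
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise OSError("no such host")
    return FAKE_DNS[host]
```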
DNV recovering from ransomware.
According to the LoadStar, the ship classification society DNV has disclosed that its ShipManager fleet management software was hit by a ransomware attack on January 7th. DNV says approximately one thousand vessels belonging to seventy of its customers have been affected:
"DNV experts have shut down ShipManager’s IT servers in response to the incident. All users can still use the onboard, offline functionalities of the ShipManager software."
"There are no indications that any other software or data by DNV is affected. The server outage does not impact any other DNV services. DNV experts are working closely with global IT security partners to investigate the incident and to ensure operations are online as soon as possible. DNV is in dialogue with the Norwegian police about the incident. DNV is communicating daily with all 70 affected customers to update them on findings of the ongoing forensic investigations. In total around 1000 vessels are affected.
"We apologize for the disruption and inconvenience this incident may have caused."
TradeWinds reports that as of January 17th, DNV was still working to bring ShipManager back online. For more on the ShipManager incident, see CyberWire Pro.
T-Mobile discloses a data breach.
Mobile carrier T-Mobile disclosed a data breach Thursday that affects around 37 million postpaid and prepaid customer accounts, SecurityWeek reports. T-Mobile said in a Thursday filing with the US Securities and Exchange Commission (SEC) that the breach was the work of a malicious actor abusing an API without authorization. The wireless provider says the attack, discovered January 5, was stopped within a day of discovery and that the source had been pinpointed, Bloomberg reports. The carrier says there is no evidence that any other systems were affected, and the exposed data do not appear to include sensitive information, but rather “name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features,” SecurityWeek explains. For more on the T-Mobile breach, see CyberWire Pro.
Cyberattack hits Nunavut utility.
Qulliq Energy Corp (QEC) in Nunavut was hit by a cyberattack on Sunday that took down its IT systems, the CBC reports. QEC disclosed yesterday that the attack took down the systems at its Customer Care and administrative offices. The company has enlisted external cybersecurity experts to investigate the scope of the attack and determine which data were accessed. QEC says it will notify anyone whose information was accessed. Premier P.J. Akeeagok said in a statement that various provincial and federal agencies are assisting with the recovery, and that the Royal Canadian Mounted Police are investigating the incident. The attack didn’t affect power plant operations, just business systems (and customers are presently unable to pay their bills via credit card). While it’s still unclear whether the attackers accessed customer information, the company says customers should be vigilant just in case. For more information on the Nunavut incident, see CyberWire Pro.
Phishing attacks attempt to reel in victims worldwide.
Armorblox describes a phishing campaign that’s using phony shipping invoices that purport to come from DHL. The campaign targeted an organization in the education sector with more than 100,000 emails. The phish hook in the email is contained in an Excel document which, when opened, displays a blurred-out preview of an invoice. The user is asked to enter their Microsoft account login credentials in order to view the invoice. The researchers note that the emails were able to bypass email security filters since they didn’t contain any malicious links. For more on the credential phishing campaign, see CyberWire Pro.
Abnormal Security released research Thursday morning on phishing attacks purporting to be from internal HR departments with policy updates in the new year. The first attack, a payload-based credential phishing attack, claims to be from the victim’s company’s Human Resources department, informing them of updates to benefits packages. The email asks for the review of an “updated handbook,” which would lead to a credential harvesting login page imitating Microsoft. The other observed attack, a link-based one, presented itself as an internal HR email announcing a new employee handbook, with a link directing to a credential harvesting page. For more on HR-themed phishing, see CyberWire Pro.
Bitdefender has published a report looking at the prevalence of travel-themed phishing scams. The researchers found that 60% of all travel-themed emails sent between December 20th and January 10th were phishing attacks. Most of the attacks observed by Bitdefender targeted English-speaking users: “Particularly, spammers pushed their travel-themed lures on English-speaking recipients, with 53% of the correspondence targeting US inboxes. The US is followed by Ireland (10%), India (6%), the UK and South Africa (5% each), and Germany (4%).” For more on this form of social engineering, see CyberWire Pro.
Credential stuffing campaigns see an uptick in activity.
Norton LifeLock's corporate parent Gen Digital has warned some customers that their accounts may have been compromised. "Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account," BleepingComputer quotes Gen Digital's letter to customers as saying. The incident appears to have been the result of a credential-stuffing campaign detected in mid-December, when an unusually large volume of failed logins was observed on the 12th. "In accessing your account with your username and password, the unauthorized third party may have viewed your first name, last name, phone number, and mailing address." In a Saturday update provided to BleepingComputer, Gen Digital said it was alerting customers to suspicious login attempts and helping them secure their accounts. "Gen’s family of brands offers products and services to approximately 500 million users. We have secured 925,000 inactive and active accounts that may have been targeted by credential-stuffing attacks," the company said.
On January 18, PayPal said in a security incident notice that unauthorized parties accessed thousands of user accounts between December 6 and 8 of last year in a credential stuffing attack. Credential stuffing, BleepingComputer explains, works by using a bot that tries username-and-password pairs sourced from other leaks against accounts on other sites. It follows that those who reuse passwords across accounts with shared usernames and emails (“password recycling”) are the most likely to fall victim to these attacks. Forbes writes that, as of yesterday, the incident was reported to have given threat actors access to 34,942 PayPal accounts. In a statement to EcommerceBytes, PayPal asserts that no financial information was accessed and payment systems were not affected, and reports that it is reaching out to those impacted. “We have contacted affected customers directly to provide guidance on this matter to help them further protect their information," the company said. "The security and privacy of our customers’ account information remains a top priority for PayPal, and we sincerely apologize for any inconvenience this may have caused.” For more on the PayPal credential-stuffing incident, see CyberWire Pro.
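Both incidents above were caught by the same signal: an unusual volume of failed logins, where one source tries many different usernames (leaked pairs from other breaches) and almost all fail, unlike brute force, which hammers one username. The following is an added, illustrative detector over constructed authentication log lines; it is not code from Gen Digital, PayPal or BleepingComputer, and the log format, IPs and usernames are invented.

```python
"""Toy credential-stuffing detector over constructed auth log lines.

Added example; the heuristic is: within a short window, one source IP
tries at least `min_users` distinct usernames with a success ratio at or
below `max_success_ratio`. The few successes inside such a burst are the
accounts whose reused passwords worked and that need forced resets and
customer notification (the "secured accounts" in Gen Digital's letter).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp source_ip username result"
SAMPLE_LOG = """\
2022-12-12T03:00:01Z 203.0.113.7 alice FAIL
2022-12-12T03:00:02Z 203.0.113.7 bob FAIL
2022-12-12T03:00:02Z 203.0.113.7 carol FAIL
2022-12-12T03:00:03Z 203.0.113.7 dave FAIL
2022-12-12T03:00:03Z 203.0.113.7 erin FAIL
2022-12-12T03:00:04Z 203.0.113.7 frank OK
2022-12-12T03:00:05Z 203.0.113.7 grace FAIL
2022-12-12T03:00:05Z 203.0.113.7 heidi FAIL
2022-12-12T03:00:06Z 203.0.113.7 ivan FAIL
2022-12-12T03:00:06Z 203.0.113.7 judy FAIL
2022-12-12T03:00:07Z 203.0.113.7 mallory FAIL
2022-12-12T03:05:00Z 198.51.100.9 alice FAIL
2022-12-12T03:05:20Z 198.51.100.9 alice FAIL
2022-12-12T03:05:40Z 198.51.100.9 alice OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=10, max_success_ratio=0.2):
    """Return {ip: {"users": n, "successes": [...]}} for every source that
    matches the stuffing pattern in some sliding window of `window` length.
    A source retrying a single username (a forgetful user, or brute force)
    is deliberately not flagged here."""
    by_ip = defaultdict(list)
    for raw in log_text.strip().splitlines():
        ts, ip, user, ok = parse_line(raw)
        by_ip[ip].append((ts, user, ok))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until events[start:end+1] fits in `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) < min_users:
                continue
            ratio = sum(ok for _, _, ok in span) / len(span)
            if ratio <= max_success_ratio:
                prev = hits.get(ip, {"users": 0})
                if len(users) >= prev["users"]:  # keep the widest matching window
                    hits[ip] = {"users": len(users),
                                "successes": sorted({u for _, u, ok in span if ok})}
    return hits
```

Tuning `min_users` and `window` against your own baseline is the whole job: the constructed sample flags 203.0.113.7 (eleven usernames, one success) and ignores 198.51.100.9, which is one user failing twice before logging in.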
Trends and reports, fresh off the presses.
Veeam released their 2023 Data Protection Trends report Tuesday morning, which surveyed 4,200 IT professionals on data protection drivers, challenges, and strategies. Hybrid IT remains common, balancing physical servers in data centers and cloud-hosted servers. Ransomware has been a pervasive issue that will continue, steadily, into 2023. And increasingly data security is cloud security. Cloud dependence continues to grow, with 80% anticipating the use of Backup as a Service (BaaS) or Disaster Recovery as a Service (DRaaS) for server protection over the next two years. For more on Veeam's study of trends in data protection, see CyberWire Pro.
Veracode has published a report on software application security, finding that 69% of applications have at least one OWASP Top 10 flaw. Around four out of five programs written in .NET and Java have at least one flaw, while just over half of JavaScript applications contain a flaw. For more on Veracode's study, see CyberWire Pro.
Palo Alto Networks’ Unit 42 has published a report describing “Playful Taurus” (also known as APT15 or Vixen Panda), a Chinese threat actor known for carrying out cyberespionage campaigns against government and diplomatic entities around the world. In this case, Playful Taurus is targeting government entities in Iran with a new version of its Turian malware. The threat actor appears to have compromised the networks of at least four Iranian government organizations, including Iran’s Ministry of Foreign Affairs. The new version of the threat actor’s malware includes “some additional obfuscation and a modified network protocol.” For more on Playful Taurus, see CyberWire Pro.
Nozomi Networks has released its OT/IoT Security Report for the second half of 2022, highlighting disruptive attacks against the transportation and manufacturing industries. The researchers describe a cyberattack that hit rail technology manufacturer Continental in November in which the attackers demanded a $50 million ransom to keep them from leaking over forty terabytes of stolen data, which Continental refused to pay. Nozomi also outlines wiper attacks against three Iranian steel companies, claimed by the hacktivist group Gonjeshke Darande (or Predatory Sparrow), though the BBC cites experts who suspect the attacks may have been state-sponsored.
Researchers at Trend Micro have found that GitHub Codespaces, a cloud-based IDE released in November 2022, can be abused to create a trusted malware file server. The issue lies in Codespaces’ ability to share forwarded ports publicly, which allows developers to preview their projects as an end user. Trend Micro says this “can be abused by malicious actors to create a malware file server using a legitimate GitHub account. In the process, these abused environments will not be flagged as malicious or suspicious even as it serves malicious content (such as scripts, malware, and ransomware, among others), and organizations may consider these events as benign or false positives.” Trend Micro notes that it hasn’t seen this technique used in the wild. For more on Codespaces abuse, see CyberWire Pro.
Avanan, a Check Point Software company, released a blog this morning detailing a new attack that begins with an email appearing to originate from DocuSign, containing a link and an HTML attachment. The phishing email requests the review and signature of a document claiming to be “remittance advice.” If clicked, the “View Completed Document” button links to a clean, legitimate webpage; the attachment, however, is not clean. If the attachment is opened, its embedded Base64-encoded SVG image contains JavaScript that redirects to the malicious link. Hiding the payload this way allows the email to bypass security checks. For more on blank-image attacks, see CyberWire Pro.
SynSaber has published a report looking at industrial control system (ICS) vulnerabilities catalogued by the US Cybersecurity and Infrastructure Security Agency (CISA) in the second half of 2022. The researchers found that 35% of vulnerabilities disclosed in 2H 2022 don’t currently have a patch available, and 33% will require a firmware update. Additionally, 43% of vulnerabilities were discovered by security researchers rather than the equipment manufacturers. The researchers also note that 22% of the vulnerabilities “require local or physical access to the system in order to exploit (up from 23% during the first half of the year).” For more on recent ICS vulnerabilities, see CyberWire Pro.
A suspected Chinese threat actor is exploiting a recently patched critical flaw in Fortinet's FortiOS SSL-VPN, according to researchers at Mandiant. The threat actor began exploiting the vulnerability in October 2022, months before the flaw was disclosed publicly. Fortinet issued an advisory on December 12th rating the vulnerability as “critical,” noting that the company was “aware of an instance where this vulnerability was exploited in the wild.” Mandiant says the threat actor targeted “a European government entity and a managed service provider located in Africa.” The researchers discovered a new malware dubbed “BOLDMOVE” that was developed to exploit this vulnerability; the threat actor appears to be sophisticated and well-funded. For more on BoldMove, see CyberWire Pro.
Latest developments in the hybrid war.
TASS reports, citing information provided by Kaspersky, that criminals are using Russian mobilization and conscription plans as an occasion for social engineering attacks against Russian victims. The goal appears to be theft of Telegram accounts. "Scammers steal Telegram user accounts using a phishing mailing list with an offer to get acquainted with a fake list of people who will allegedly be sent for mobilization on February 1-3, 2023, the channel specifies." If the mark follows the link, they'll be directed to a credential-theft site. As Meduza's coverage suggests, the emotions being exploited are anxiety, worry, fear: the phishing messages promise to send you to a site that will let you know whether you or a loved one is on the list of those scheduled to be summoned for military service next month.
“We need the Cyber United Nations, nations united in cyberspace in order to protect ourselves, effectively protect our world for the future, the cyber world, and our real, conventional world,” Yurii Shchyhol, who leads Ukraine’s State Service of Special Communications and Information Protection, told POLITICO. “What we really need in this situation is a hub or a venue where we can exchange information, support each other and interact.” The goal of such an organization would be international threat-information sharing and preparation to withstand cyberattacks. The metaphor may be wayward: the United Nations, after all, seeks to include all states, and the proposed organization would of necessity leave those who are bad actors out. The proposal really represents more a gesture in the direction of an alliance than it does a comprehensive global association.
Russian threat actors allegedly disrupted a Ukrainian news conference Tuesday, Axios reports. "We just faced a cyberattack on our information platform committed by Russia," Media Center Ukraine, the service convening the event said. "We understand they don't like to hear the truth about this war, but we're not to be stopped, we are online, we are broadcasting." The news conference was set to include an interview with Yurii Shchyhol, Head of State Service for Special Communications and Information Protection, who was to offer an overview of Russian cyber operations during its war against Ukraine. The delay was brief; the interview has since been posted by Ukrinform.
The Guardian reports that Viktor Zhora, of Ukraine’s State Service of Special Communication and Information Protection (SSSCIP), visited Britain's GCHQ this week, and has said that Russian cyberattacks have tripled over the past year, and continue at a high rate. Interestingly, he said that “in some cases, cyber-attacks supportive to kinetic effects” have been seen; that is, Ukraine sees signs that Russia is attempting to integrate cyber operations and information operations with missile strikes and action on the ground.
BlackBerry researchers reported Thursday that they'd observed Gamaredon operators running phishing attacks against Ukrainian targets consisting of spoofed Ukrainian government or corporate documents. "The Gamaredon Group’s network infrastructure relies on multi-stage Telegram accounts for victim profiling and confirmation of geographic location," BlackBerry says, "and then finally leads the victim to the next stage server for the final payload." The final payload is an information stealer first observed in September of this past year. Gamaredon, also known as Primitive Bear or Actinium, is generally believed to be an FSB operation run out of occupied Crimea.
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.
Patch news.
CISA, the US Cybersecurity and Infrastructure Security Agency, has added CVE-2022-44877 to its Known Exploited Vulnerability Catalog. "CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command injection vulnerability that allows remote attackers to execute commands via shell metacharacters in the login parameter." Federal civilian Executive agencies have until February 7th to "apply updates per vendor instructions."
CISA on January 17th released four industrial control system (ICS) advisories, affecting GE Proficy Historian, Mitsubishi Electric MELSEC iQ-F, iQ-R Series, Siemens SINEC INS, and Contec CONPROSYS HMI System (CHS) (Update A).
Crime and punishment.
Reuters reports that US authorities arrested Anatoly Legkodymov, co-founder of the virtual currency exchange Bitzlato, on Wednesday. Legkodymov, a Russian national, is alleged to have processed $700 million in illicit funds, with prosecutors claiming that Bitzlato exchanged the funds with Hydra Market. Described by prosecutors as "an illicit online marketplace for narcotics, stolen financial information, fraudulent identification documents and money laundering services," the market was shut down in April of last year.
Policies, procurements, and agency equities.
The European Parliament and Council’s new EU Directive 2022/2555 (NIS2), set to replace the prior NIS Directive 2016/114, took effect Tuesday, and NIS2 expands the scope of its predecessor, adding relevant sectors and introducing new obligations. The new directive is an element of a broader effort in the bloc to bolster the resilience of essential EU infrastructure which includes the draft Cyber Resilience Act and the EU Regulation 2022/2554 on digital operational resilience for the financial sector. The review process for the prior directive indicated a need for a more united approach to cyber regulations across the bloc, so NIS2 establishes an EU-wide coordination group focused on improving communication between states, and member states will be mandated to create an administrative framework directed by a national cybersecurity strategy and supervisory authorities.
Lexology reports that last month the US Department of Health and Human Services (HHS) published “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP), a four-volume cybersecurity guide for healthcare organizations. The product of a government-industry collaboration mandated by the Cybersecurity Act of 2015, the HICP covers enterprise-level information security from a comprehensive viewpoint, unlike other guidance focused mostly on personally identifiable health data. HHS says the document consists of “practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines to cost-effectively reduce cybersecurity risks for health care organizations of varying sizes.” While the recommendations it contains are just that – recommendations – and not mandates, the goal is to provide a reference point for the health sector, which has increasingly become a target for cybercriminals.
Business news.
In business news this week, we've seen Texas-based identity security company SailPoint Technologies acquire third-party identity risk solutions provider SecZetta. Quantum computing company IonQ, founded by university professors and based in College Park, Maryland, has acquired Entangled Networks, a Toronto-based software startup. Actionable risk management company Crisis24 has acquired Atlanta-based critical event management platform Topo.ai. British cybersecurity skills training startup Hack the Box has raised $55 million in Series B funding, led by Carlyle. Space cybersecurity provider SpiderOak has brought in $16.4 million in Series C funding, led by Empyrean Technology Solutions. Virginia-based public benefit software company Second Front Systems has raised $2 million in funding from the United Kingdom's Gallos Technologies Ltd.
More cuts have been seen coming to tech in the past week. The Information reported yesterday on Microsoft's intentions for mass layoffs across a slew of divisions, possibly as soon as today. In a report today from Computing, the tech giant is said to be planning to cut 11,000 jobs, or around 5% of its workforce. Extensive layoffs are expected in the near future, described by Computing as "far greater" than those that have occurred in the past year. Singaporean Twitter employees at the blue bird's Asia headquarters have also been told to clear their desks and become remote workers, effective immediately, in an email sent last Wednesday, Deadline reports. The move is not confirmed to be permanent, but may follow suit with a similar instance in the San Francisco office last year, in which employees were notified of the closure of their office by senior leadership, only for it to reopen a week later.
For a more in-depth look into this week's business news, see this week's edition of the CyberWire's Pro Business Briefing.
And research news.
As for this week's latest in research news, Bitdefender describes a spyware campaign that appears to be targeting Iranian citizens. The spyware is distributed via the Trojanized installer of a VPN used by Iranians to bypass the nation's Internet restrictions. In a separate story, the University of Toronto's Citizen Lab has analyzed leaked documents that appear to outline Tehran's plans to set up an Iranian mobile network with an integrated lawful intercept solution. Recorded Future's Insikt Group observed a 62% drop in card-present payment card records posted to the dark web over the course of 2022. Likewise, card-not-present records dropped by 24% last year compared to 2021. The researchers believe this is due to Russia's crackdown on cybercrime within the country at the beginning of 2022, as well as its invasion of Ukraine in February. Armorblox also describes a phishing campaign that’s using phony shipping invoices that purport to come from DHL. The campaign targeted an organization in the education industry with more than 100,000 emails.
For a deeper foray into this week's cybersecurity research, check out this week's edition of the CyberWire's Pro Research Briefing.