At a glance.
- Wide-ranging cyberespionage campaign by China's Ministry of State Security.
- Cyber Safety Review Board will look into cyberespionage against Microsoft Exchange.
- Attacks against industrial systems.
- Threats to satellite communications.
Wide-ranging cyberespionage campaign by China's Ministry of State Security.
Recorded Future’s Insikt Group has published a report on RedHotel, a threat actor answering to China's Ministry of State Security, that's prospecting targets primarily in Southeast Asia but in other regions as well. Microsoft tracks RedHotel as Charcoal Typhoon; Secureworks calls it Bronze University. The operation appears to be run for the Ministry of State Security by contractors operating from Chengdu. Recorded Future thinks RedHotel's activity has been marked since 2019 by unusual scope and intensity. The shared commodity tools include, the Record says, ShadowPad and Winnti; the bespoke malware includes Spyder and FunnySwitch.
Cyber Safety Review Board will look into cyberespionage against Microsoft Exchange.
The US Department of Homeland Security’s Cyber Safety Review Board (CSRB) has announced that its third investigation will focus on “approaches government, industry, and Cloud Service Providers (CSPs) should employ to strengthen identity management and authentication in the cloud.” The board stated, “The CSRB will assess the recent Microsoft Exchange Online intrusion, initially reported in July 2023, and conduct a broader review of issues relating to cloud-based identity and authentication infrastructure affecting applicable CSPs and their customers. The Department began considering whether this incident would be an appropriate subject of the Board’s next review immediately upon learning of the incident in July. The Board will develop actionable recommendations that will advance cybersecurity practices for both cloud computing customers and CSPs themselves.”
The investigation will represent the third such inquiry in the CSRB’s history. The first report covered Log4j; the second looked into the Lapsus$ Group.
Microsoft characterized the incident as a case of cyber espionage, and attributed the operation to a Chinese-associated group it tracks as Storm-0558. The group typically gained access to email accounts via stolen credentials.
The espionage itself is remarkable for its successful execution, not for its novelty; intelligence services collect like this whenever they can. The US Government's exposure to the attack, however, was remarkable. As the Post notes, "It was unclear how the government could have prevented it while relying exclusively on Microsoft for cloud, email and authentication services." The risks of the alleged security monoculture will doubtless figure in the Cyber Safety Review Board's inquiry.
Attacks against industrial systems.
Kaspersky warns that a new version of the SystemBC malware was used in an attack against a critical infrastructure power generator in an unnamed southern African nation: “[A]n unknown actor targeted an electric utility in southern Africa with Cobalt Strike beacons and DroxiDat, a new variant of the SystemBC payload.” Kaspersky offered tentative attribution of the incident to a Russian-speaking cybercriminal gang, specifically to FIN12 (which has also been called Pistachio Tempest). FIN12 has hitherto been known for attacks against the healthcare sector. In May of 2022 it was one of the gangs prominently featured in the US Department of Health and Human Services report, Ransomware Trends in the HPH Sector. FIN12 has changed its target selection but not its playbook. The group's motivation is financial.
Another report from Kaspersky found that APT31 (also known as “Judgment Panda” or “Zirconium”) has been targeting industrial systems in Eastern Europe. The attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems. “In total we have identified over 15 implants and their variants planted by the threat actor(s) in various combinations.” APT31 is generally regarded as an intelligence operation of the Chinese government. Much of its activity has involved industrial espionage, but the group has also been implicated in collection of political intelligence.
Threats to satellite communications.
CSO Online has an account of the lessons in incident response learned when Russian cyber operators disrupted Viasat service in Ukraine during the opening hours of Russia's invasion in February of 2022. Viasat and NSA offered their analyses of the incident at Black Hat and Defcon. Early on February 24th, 2022, as Russian forces were preparing to cross their lines of departure, a well-timed wiper attack disrupted Viasat's KA-band satellite communications, shutting down thousands of ground-based modems. Viasat identified several lessons it drew from the experience. First, incident response is a vital security capability. Second, information sharing is both complicated and vital. And, third, it's important to have a sound baseline understanding of what normal operations look like, the better to recognize anomalies. One mystery endures: how did the Russians obtain the credentials they used to gain access to Viasat's FTP server? Investigation seems to have ruled out both brute-forcing and a zero-day exploit. An insider threat has not been ruled out.
Other satellite communication services remain potential targets of cyberattack. The Telegraph reported Saturday that Ukraine's State Security Service (SBU) has claimed that Russia's GRU is attempting to deploy malware against the Starlink satellite communications system with a view to collecting data on Ukrainian troop movements. The Debrief provided an update on Wednesday, quoting an SBU report to the effect that the GRU operation represented “large-scale cyber attacks to obtain unauthorized access to Android devices possessed by Ukrainian military personnel for planning and performing combat missions.” The SBU has found ten malware strains in the campaign, including one infostealer whose "functional purpose is to gather data from the Starlink satellite system.” This campaign, it’s important to note, represents collection, and not an attempt at disruption. It's espionage, not sabotage. The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.
Patch news.
CISA this week released two Industrial Control Systems Advisories. They cover ICSA-23-227-01 Schneider Electric EcoStruxure Control Expert, Process Expert, Modicon, and ICSA-23-227-02 Rockwell Automation Armor PowerFlex.
Crime and punishment.
Friday afternoon INTERPOL and AFRIPOL announced Africa Cyber Surge II, a successful coordinated action across twenty-five African countries that resulted in fourteen arrests and the identification of 20,674 "suspicious cyber networks" across the continent. Police agencies acted with the support of private-sector partners Group-IB, Trend Micro, Kaspersky, and Coinbase.
Earlier this week, a joint Polish-US operation brought down the LolekHosted bulletproof hosting provider, the Record reports. The US Federal Bureau of Investigation (FBI) and the Internal Revenue Service (IRS) were joined in the action by the Regional Prosecutor's Office in Katowice and the Central Bureau for Combating Cybercrime in Krakow. Europol announced the arrests of five administrators of the service in Poland. LolekHosted was a player in the criminal-to-criminal marketplace. According to the US Justice Department, LolekHosted was used for a variety of criminal activities, including NetWalker ransomware attacks.
Officials in Northern Ireland continue to investigate a data leak in which the private info of all 10,000 of the Police Service of Northern Ireland’s (PSNI) serving officers and staff was inadvertently leaked due to an employee error. It wasn’t long before the data began circulating on the web, and on Monday a redacted document allegedly exposed in the leak was posted on a wall facing a Sinn Fein office in Belfast. The Irish Sun reports that on Wednesday a man was arrested on suspicion of collecting information likely to be useful to terrorists. Belfast Live notes that after being detained and questioned at Musgrave Serious Crime Suite, the man was released on bail.
Courts and torts.
Johns Hopkins University and Health System is currently facing at least seven class action lawsuits brought by patients who say the medical institution failed to protect their private data. The breach was the result of hackers exploiting a vulnerability in the popular MOVEit file transfer protocol, and approximately 300,000 individuals were impacted in the Johns Hopkins incident. However, Hopkins is just one of nearly seven hundred organizations that have fallen victim to the MOVEit supply-chain issue so far, and 46 million individuals are estimated to have been impacted worldwide. The Banner spoke with several cyber experts who explained that even for organizations like Hopkins, who take cybersecurity seriously, avoiding exploitation via the MOVEit bug was practically impossible.
Policies, procurements, and agency equities.
The US Cybersecurity and Infrastructure Security Agency (CISA) issued its Remote Monitoring and Management (RMM) Cyber Defense Plan. “Cyber threat actors can gain footholds via RMM software into managed service providers (MSPs) or managed security service providers (MSSPs) servers and, by extension, can cause cascading impacts for the small and medium-sized organizations that are MSP/MSSP customers.” To defend against such attacks, CISA’s plan identifies two key pillars: operational collaboration and cyber defense guidance.
The White House is moving toward a more prescriptive approach to agency cybersecurity. CNN reports that National Security Advisor Jake Sullivan has issued a memorandum to Federal civilian executive agencies. Noting that there's been a general failure to fully comply with the President's 2021 Executive Order on cybersecurity, the memo directs that the agencies achieve full compliance by the end of this year.
Reuters reports that the U.S. Consumer Financial Protection Bureau (CFPB) will begin regulating data brokers. The new regulatory system will bring more companies under the scrutiny of the Fair Credit Reporting Act. The CFPB's decision is informed by a study finished in March, which concluded that data brokers gave information about consumers "in financial distress" to other companies who then pushed "predatory debt products" at vulnerable debtors.
CNBC explains that the CFPB also sees the growing capabilities of artificial intelligence as lending urgency to more effective consumer protection. Chopra said, at a White House roundtable devoted to the issue, "Artificial intelligence — or the technologies that market themselves as that — and other predictive decision making, is relying on even more massive amounts of data to feed those algorithms and that’s creating financial incentives for even more surveillance and more intrusive data collection.” A final rule will be proposed for public comment soon, after incorporation of feedback from businesses.
Governments around the world are working on how best to regulate the quickly-expanding powers of artificial intelligence, and the White House is reportedly expediting an executive order that will address the issue. Arati Prabhakar, director of the White House Office of Science Technology and Policy, told CyberScoop that the Biden administration is fast-tracking an EO that would not only address risks AI poses, but also provide guidelines to federal agencies on secure use of AI.
CISA is close to issuing guidance on configuration baselines for selected, widely used cloud products, including Microsoft 365 and Google Workspace. The effort has been long in progress, antedating incidents like the Chinese cyberespionage campaign recently discovered. Grant Dasher, the architecture branch chief for the Office of the Technical Director for Cybersecurity at CISA, said guidance would soon be issued for Microsoft 365 in particular. The overarching effort is CISA's Secure Cloud Business Applications (SCuBA) project.
It turns out that cyberwar is real, but it’s not real in the bolt-from-the-blue way many imagined. Mieke Eoyang, US deputy assistant secretary of defense for cyber policy, addressed the mismatch between expectation and reality during a presentation at DefCon. The cyber threat, she argued, is real, just not decisive in the way popular imagination expected it to be. She doesn't put it this way, but it's probably better to analogize cyber operations to espionage, reconnaissance, surveillance, and electronic warfare (and in fact it forms a species of all these) than to massive kinetic strikes. Policymakers often ask, Eoyang said, “Can you just give me a cyber option?” This, however, is tougher than it seems. “'It takes time and preparation, it takes understanding, it takes engineering, it takes coding' to design a cyberattack, she said. 'It’s not what I think a lot of people expect.'” What a lot of people expected was lights out across the civilized world. What they saw instead was espionage and DDoS. Again, the CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.
Fortunes of commerce.
Boston-based Rapid7 announced a round of layoffs this week. The Boston Business Journal reports that a "restructuring" will eliminate four-hundred-seventy jobs, which comes to 18% of the company's workforce. The company also plans to close several offices.
TechCrunch reports that the British cybersecurity firm NCC Group, headquartered in Manchester, also announced "a small number" of layoffs as it continues a retrenchment that began in February with cuts of a hundred-twenty-five employees, roughly 7% of its UK and US workforce. How many employees will be affected by this latest round is so far unknown.
Okta plans to enter the Indian market, establishing a new office in Bengaluru.
Labor markets.
In a recent interview, the US deputy national cyber director for technology and ecosystem security, Camille Stewart Gloster, told Nextgov.com that the Office of the National Cyber Director is working to address gaps in the cybersecurity workforce. In particular, Gloster is focused on collecting data about the cyber workforce, and finding the best way to analyze that data so it informs the training and recruiting processes. Defining "cyber worker" will be one of the first challenges.
Mergers and acquisitions.
Check Point, headquartered in San Carlos, California, announced a definitive agreement to acquire security service edge (SSE) shop Perimeter 81 for about $490 million. The company stated, "With this acquisition, Check Point will help organizations accelerate the adoption of secure access across remote users, sites, cloud, datacentres, and the internet, all while aiming to deliver the most secure and fastest SSE solution in the market."
Bitdefender has acquired Singapore-based Horangi Cyber Security. The company stated, "The acquisition expands the attack surface monitoring capabilities of Bitdefender’s product and services portfolio and allows business customers worldwide to overcome a broader range of cybersecurity challenges, including misconfiguration and vulnerability detection, governance, and compliance across hybrid and multi-cloud environments."
Thoma Bravo has delayed its closing date for its $2.3 billion acquisition of ForgeRock in order to give the US Justice Department an extra week to decide whether to challenge the deal on antitrust grounds, the Middle Market reports.
Investments and exits.
Dropzone AI announced a $3.5 million seed round led by Decibel Partners, with participation from Pioneer Square Ventures Fund. Dropzone specializes in the development of autonomous AI security agents.
Sweet Security, based in Tel Aviv, has raised $12 million in a seed round, the investment led by Glilot Capital Partners, with participation by CyberArk Ventures and a group of angel investors.
Kivera has announced a $3.5 million seed round as it enters the US market and moves its headquarters from Sydney to New York. The funding came from General Advance, Round 13 Capital, and several angel investors. Kivera specializes in mitigating cloud security risks.
Virginia-based HushMesh has raised $5.2M, Technical.ly reports. The startup specializes in automated encryption key management.
Pistachio, formerly CYBR, headquartered in Oslo and specializing in defense against AI threats, has announced a €3.25M funding round, Arctic Startup reports, led by Signals Venture Capital.
Palo Alto-based identity-security shop Veza has received strategic investments from Capital One Ventures and ServiceNow Ventures that bring the company’s total financing to $125 million.
Data security posture management firm Symmetry Systems, based in San Mateo, California, has raised $17.7 million in an insider funding round, SecurityWeek reports.
San Francisco-based Rootly, which offers an "enterprise-grade incident management platform," has raised $12 million in a Series A round led by Renegade Partners, with participation by Google Gradient Ventures and XYZ Ventures.
Osano has closed a $25 million Series B round led by Baird Capital, with participation by Jump Capital, LiveOak Venture Partners, Next Coast Ventures, TDF Ventures, and First Ascent Ventures. Osano, based in Austin, Texas, offers a data privacy platform.
Israeli software supply chain security startup OX Security has secured a strategic investment from IBM Ventures, Dark Reading reports.
Gallant Capital Partners has announced strategic investments in "DynTek, Inc. ('DynTek'), a US-based professional IT services, cybersecurity, and risk management organization, and rSolutions Corporation ('rSolutions'), a Canadian-based cybersecurity firm." The company stated, "Gallant's investment in both companies will support accretive growth through further innovation and development of technical offerings and cybersecurity services, operational enhancements that drive customer experience, and strategic acquisitions."
And security innovation.
At midweek Google announced progress toward development of quantum-resilient security keys. "While quantum attacks are still in the distant future," Google's Security Blog said, "deploying cryptography at Internet scale is a massive undertaking which is why doing it as early as possible is vital."