At a glance.
- DPRK cyberespionage this week.
- US Intelligence Community warns of cyber threats to space systems.
- China's cyberespionage campaign against vulnerable Barracuda appliances.
- The cyber phase of Russia's hybrid war against Ukraine.
- Recent trends in cybercriminal tactics and techniques.
DPRK cyberespionage this week.
South Korea’s Gyeonggi Nambu Provincial Police Agency said last Sunday that the North Korean threat actor Kimsuky targeted South Korean contractors working for a joint military exercise between the US and South Korea, SecurityWeek reports. The agency found that an IP address used in the attack was also used in an alleged Kimsuky hack against a South Korean nuclear reactor operator in 2014. The threat actor used spearphishing attacks in an attempt to steal information. The police agency stated that “military-related information was not stolen.”
Cisco Talos has discovered a new remote access Trojan, “CollectionRAT,” that’s being used by North Korea’s Lazarus Group: “CollectionRAT consists of a variety of standard RAT capabilities, including the ability to run arbitrary commands and manage files on the infected endpoint. The implant consists of a packed Microsoft Foundation Class (MFC) library-based Windows binary that decrypts and executes the actual malware code on the fly. Malware developers like using MFC even though it’s a complex, object-oriented wrapper. MFC, which traditionally is used to create Windows applications’ user interfaces, controls, and events, allows multiple components of malware to seamlessly work with each other while abstracting the inner implementations of the Windows OS from the authors.” The researchers also observed that “Lazarus Group appears to be changing its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase.” For more on CollectionRAT, including industry comment, see CyberWire Pro.
US Intelligence Community warns of cyber threats to space systems.
The US Federal Bureau of Investigation (FBI), the National Counterintelligence and Security Center (NCSC), and the Air Force Office of Special Investigations (AFOSI) have issued a bulletin outlining cyberespionage threats targeting the space industry, Reuters reports. The bulletin states, “Foreign intelligence entities (FIEs) recognize the importance of the commercial space industry to the US economy and national security, including the growing dependence of critical infrastructure on space-based assets. They see US space-related innovation and assets as potential threats as well as valuable opportunities to acquire vital technologies and expertise. FIEs use cyberattacks, strategic investment (including joint ventures and acquisitions), the targeting of key supply chain nodes, and other techniques to gain access to the US space industry.”
The warning is heavy on the threat to intellectual property, but it also warns against direct threats to space systems themselves. The New York Times points out that China and Russia represent the serious adversaries in this field, and that the US Intelligence Community thinks it likely that any future war will open with a cyberattack against satellite systems. Russia’s invasion of Ukraine provides the template. For more about the warning of cyber threats to the space sector, see CyberWire Pro.
China's cyberespionage campaign against vulnerable Barracuda appliances.
The US Federal Bureau of Investigation (FBI) has released an alert warning that Barracuda’s Email Security Gateway (ESG) appliances remain vulnerable to compromise by suspected Chinese government threat actors: “The cyber actors utilized this vulnerability to insert malicious payloads onto the ESG appliance with a variety of capabilities that enabled persistent access, email scanning, credential harvesting, and data exfiltration. The FBI strongly advises all affected ESG appliances be isolated and replaced immediately, and all networks scanned for connections to the provided list of indicators of compromise immediately.”
The FBI says the vulnerability, CVE-2023-2868, “allows cyber actors to format TAR file attachments in a particular manner and send them to an email address affiliated with a domain that has an ESG appliance connected to it. The malicious file’s formatting, when scanned, results in a command injection into the ESG that leads to system commands being executed with the privileges of the ESG. As the vulnerability exists in the scanning process, emails only need to be received by the ESG to trigger the vulnerability.”
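The advisory's point is that the ESG is compromised at scan time, before any user touches the attachment, so the useful defensive control sits in the gateway's own handling of archive metadata. As an added example (not Barracuda's, the FBI's, or any vendor's code), the script below shows one such control: it walks a TAR attachment's member headers without extracting anything and refuses the archive if any entry name falls outside a strict allowlist, is an absolute path, traverses directories, or is not a regular file or directory. The allowlist regex, the archive builder and the sample entries are constructed assumptions for illustration; they are not the specific attachment format described in the advisory.

```python
import io
import re
import tarfile
from typing import Dict, List

# Allowlist for a single path segment: must start with an alphanumeric and may then
# contain only alphanumerics, dot, underscore or dash. Shell metacharacters,
# whitespace, quotes and control bytes all fail this test. Constructed policy.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def check_member_name(name: str) -> List[str]:
    """Return the policy findings for one archive entry name (empty list = clean)."""
    findings: List[str] = []
    if name.startswith("/"):
        findings.append("absolute path")
    segments = name.split("/")
    if ".." in segments:
        findings.append("parent-directory traversal")
    for seg in segments:
        if seg in ("", ".", ".."):
            continue  # empty and dot segments are already covered above
        if not SAFE_SEGMENT.match(seg):
            findings.append(f"disallowed characters in segment {seg!r}")
    return findings


def audit_tar(data: bytes) -> Dict[str, List[str]]:
    """Walk the archive headers only (no extraction) and map each member name to its findings."""
    results: Dict[str, List[str]] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        for member in tf:  # iterating a TarFile yields TarInfo headers, never file contents
            findings = check_member_name(member.name)
            if not (member.isfile() or member.isdir()):
                findings.append(f"non-regular entry type {member.type!r}")
            results[member.name] = findings
    return results


def attachment_accepted(data: bytes) -> bool:
    """Gateway decision: accept only archives that parse cleanly and have no findings at all."""
    try:
        audit = audit_tar(data)
    except tarfile.ReadError:
        return False  # corrupt or non-TAR data is quarantined, not passed downstream
    return all(not findings for findings in audit.values())


def build_tar(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory TAR with arbitrary member names (used only to construct sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachment: one clean entry plus two that violate the policy.
    sample = build_tar({
        "report-2023.pdf": b"%PDF-1.7 ...",
        "report;x.pdf": b"x",        # shell metacharacter in the entry name
        "../../outside.txt": b"y",   # directory traversal in the entry name
    })
    for name, findings in audit_tar(sample).items():
        print(f"{name!r}: {findings or 'clean'}")
    print("accepted:", attachment_accepted(sample))
```

The check is deliberately an allowlist rather than a blocklist of known-bad characters, and it runs on the header walk alone, so nothing from the archive reaches a filesystem or a downstream tool until the names have passed. Any scanner the gateway then invokes should receive the staged path as a separate argv element rather than as part of a shell command string, so that a name which slipped past validation still cannot be parsed as a command.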
The cyber phase of Russia's hybrid war against Ukraine.
The cyber front in Russia's war has been quiet of late, with few cyberattacks or significant instances of cyberespionage reported over the last several days. But disinformation continues. Recent themes in Russian influence operations (debunked by the Canadian Government's standing fact-checking of Russian claims) have sought to portray Poland as avid to recover territories the Soviet Union annexed to the Ukrainian Republic at the end of the Second World War.
The overarching theme of Russian influence operations, represented in a very long interview TASS conducted with Russian Foreign Minister Lavrov, is that Russia is the victim of aggression, with Ukraine's government serving as a cat's paw for the United States, which seeks to reduce Russia permanently to the status of an impoverished, minor power. (The theme is repeated by Iran's semi-official Mehr News Agency.)
Yevgeny Prigozhin was killed in a plane crash Wednesday, and his death is widely believed to have been a Kremlin-ordered assassination. His Internet Research Agency (IRA) had already indicated after the march on Moscow that it was ceasing operations, and its future as an organization is more in doubt now than ever. The Washington Post notes that this will necessarily induce some changes in the way Russian influence operations are conducted. It seems likely, however, that the template for disinformation and influence the IRA established will see continued use by Russian intelligence services, especially the GRU. The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.
Recent trends in cybercriminal tactics and techniques.
Sophos’s 2023 Active Adversary report for Tech Leaders has found that the speed of ransomware attacks has increased significantly since the beginning of 2023. Defenders now have about half the time to respond to a ransomware attack than they did last year. The phenomenon extends to other threats: in all types of attacks, the average time to gain control of Active Directory is just sixteen hours.
HP Wolf Security has released its quarterly Security Threat Insights Report, finding that QakBot spam activity spiked in Q2 2023: “[C]reative QakBot campaigns saw threat actors connecting different blocks together to create unique infection chains. By switching up different file types and techniques, they were able to bypass detection tools and security policies. 32% of the QakBot infection chains analyzed by HP in Q2 were unique.”
Trustwave SpiderLabs has published a report on the business email compromise (BEC) landscape in the first half of 2023: “For the first quarter of the year, we saw a 25% increase in unique attacks compared to the last quarter of 2022. February accounted for the highest volume of BEC emails in the first half of the year. January is the second most active month for BEC. Based on our historical data, BEC emails appear to increase during the first quarter after the December holiday slump. As the year begins, people are gearing up for the tax season and the start of new endeavours. Fraudsters are sure to take advantage of this.”
Kroll has observed a “notable shift toward increased supply chain risk” in the second quarter of 2023, “driven not only by the CLOP ransomware gang’s exploitation of the MOVEit transfer vulnerability, but by a rise in email compromise attacks.”
The researchers believe the Cl0p gang has been targeting a MOVEit vulnerability for the past two years: “Initial Kroll analysis of the MOVEit cases across their client base identified that similar activity targeting MOVEit servers had been observed as far back as 2021, suggesting that the CL0P ransomware group had likely identified the zero-day years earlier and had spent some time creating automated tools to aid them in conducting the mass-exploitation event.”
Abnormal Security has found that Microsoft is by far the most commonly spoofed brand used in phishing attacks. Microsoft-branded attacks have accounted for 4.31% of all phishing attempts in 2023. Attackers frequently target Microsoft credentials in order to compromise an organization’s Microsoft 365 environment. Abnormal has also observed an increase in grammatically correct phishing emails, suggesting that attackers are using generative AI tools to write their phishing templates.
An analysis by TransUnion has found that synthetic identity fraud has reached record levels, particularly in the auto finance industry. TransUnion explains, “Synthetic fraud is the use of personally identifiable information (PII) to fabricate a person or entity in order to commit a dishonest act for personal or financial gain.” Synthetic identity exposure in the auto industry reached $1.8 billion in the first half of 2023, making the sector an attractive target for fraudsters.
Patch news.
CISA released four Industrial Control Systems (ICS) advisories this week, covering ICSA-23-234-01 Hitachi Energy AFF66x, ICSA-23-234-02 Trane Thermostats, ICSA-23-234-03 Rockwell Automation ThinManager ThinServer, and ICSA-23-138-02 Mitsubishi Electric MELSEC WS Series (Update A).
Juniper has addressed vulnerabilities in Junos OS on SRX Series and EX Series. The vulnerabilities could be used to induce a denial-of-service condition.
Crime and punishment.
The Southwark Crown Court in London has found two teenagers, members of the Lapsus$ Group, responsible for cyberattacks against companies that included Uber, Nvidia, and Rockstar Games, the BBC reports. One of the youths, aged 18, has been remanded; the other, a seventeen-year-old, remains out on bail. Both are awaiting sentencing.
In the United States, the US Attorney for the Southern District of New York has announced the indictment of Roman Storm and Roman Semenov, founders of Tornado Cash, on charges of "conspiracy to commit money laundering, conspiracy to commit sanctions violations, and conspiracy to operate an unlicensed money transmitting business." They are alleged to have handled more than a billion dollars in illicit transactions, including "hundreds of millions" laundered on behalf of North Korea's Lazarus Group. Mr. Storm is in custody. Mr. Semenov, a Russian citizen, remains at large.
Courts and torts.
The US Department of the Treasury announced that it had sanctioned Roman Semenov, co-founder of Tornado Cash, for operating his mixer service in the interest of North Korea. Treasury said, "As a result of today’s action, all property and interests in property of the designated individual that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC [Treasury's Office of Foreign Assets Control]. OFAC’s regulations generally prohibit all dealings by U.S. persons or within the United States (including transactions transiting the United States) that involve any property or interests in property of blocked or designated persons."
Bankrupt crypto exchange FTX has disclosed the exposure of what Coin Telegraph describes as "limited, non-sensitive customer data of specific claimants" at its bankruptcy case claims agent, Kroll. FTX is quoted as saying that “The incident occurred at Kroll, and Kroll is notifying affected individuals directly with measures that customers can take to protect themselves. FTX account passwords were not maintained by Kroll, and FTX’s own systems were not affected.”
Policies, procurements, and agency equities.
Germany’s Interior Ministry is conducting an audit of the country’s 5G mobile network to determine what percentage of its components come from China-based tech giants Huawei and ZTE. As the South China Morning Post explains, many other EU countries and the US have banned equipment from these two companies due to national security concerns. However, despite pressure from the US, Germany has chosen to avoid a full ban, instead announcing that all components considered “critical IT infrastructure” would require certification from authorities. There have been concerns that rooting out dangerous equipment and replacing it with non-Huawei or ZTE components could be cost-prohibitive, but Germany's Interior Minister, Nancy Faeser, says this will not impede the process.
As the British government considers following in Washington’s footsteps by cracking down on tech connections with China, UK officials are asking private firms about their investments. As Politico explains, British companies have been asked to complete a survey “designed to build a collective understanding" of investment flows “in sensitive sectors.” While the government’s interest in Chinese investments is no secret, the survey also aims to learn about investment in various countries including Australia, Bermuda, Canada, Hong Kong, Mexico, and the US. The British government recently pledged to “more closely align” with the US on policies preventing the export of tech equipment to China, and just last week US President Joe Biden issued an executive order regulating such investments.
Following a March inquiry conducted by the US Consumer Financial Protection Bureau (CFPB), on August 15 Director Rohit Chopra announced plans to extend the Fair Credit Reporting Act (FCRA) to certain “data broker practices.” The new rules are expected to be published for public comment in 2024, but in the meantime, the CFPB released a fact sheet offering an overview of the proposed changes. As cyber/data/privacy insights explains, the new rules would expand the FCRA in two ways:
- Data brokers that sell certain types of consumer information would be defined as “consumer reporting agencies” (CRAs), meaning they would be required to comply with certain requirements regarding accuracy and dispute handling.
- The extent to which “credit header data” (identification details like name, date of birth, and Social Security number) constitutes a “consumer report” would be clarified in order to protect against disclosure of this data.
Representative Nancy Mace (Republican, South Carolina First District) this morning announced the introduction of the Federal Cybersecurity Vulnerability Reduction Act of 2023. The proposed measure would extend to contractors, FedScoop reports, the vulnerability disclosure requirements under which Federal agencies presently work.
The US Office of the National Cyber Director (ONCD) has invited public comment "on opportunities for and obstacles to harmonizing cybersecurity regulations, per Strategic Objective 1.1 of the National Cybersecurity Strategy." Understanding the implications of regulatory overlap is complicated, and ONCD has extended the deadline for comments from September 15th to October 31st. Comments may be submitted through www.regulations.gov.
Fortunes of commerce.
Reuters, citing "people familiar with the matter," says publicly traded cybersecurity firm SentinelOne is considering a sale to a private equity firm.
San Francisco-based cloud computing services provider Fastly last Thursday "announced two major developments in its domain name API and Transport Layer Security (TLS) capabilities: the acquisition of Domainr, an ICANN-accredited real-time domain availability API provider, as well as general availability of Certainly, Fastly’s publicly-trusted TLS Certification Authority (CA)."
Labor markets.
Intel is laying off 226 employees at its locations in Santa Clara and San Jose, the Silicon Valley Business Journal reports. According to the Economic Times, "The company is reportedly laying off 10 GPU software development engineers, eight system software development engineers, six cloud software engineers, six product marketing engineers, and six system-on-chip design engineers, along with others."
Mergers and acquisitions.
Thoma Bravo has completed its $2.3 billion acquisition of identity and access management firm ForgeRock, combining it with portfolio company Ping Identity.
Zurich Holding Company of America, a subsidiary of Zurich Insurance Group, has acquired Missouri-headquartered cyber counterintelligence firm SpearTip, Reinsurance News reports.
London-headquartered unified communications firm Gamma has acquired cybersecurity services company Satisnet.
The Silicon Valley Business Journal reports that Broadcom plans to complete its $69 billion acquisition of VMware by October 31st, and will invest $2 billion per year into research and development at the company.
Investments and exits.
Austin, Texas-based digital identity protection firm SpyCloud has secured $110 million in a growth round led by Riverwood Capital.
Boston-based SaaS identity risk management firm Grip Security has raised $41 million in a Series B round led by Third Point Ventures, with participation from YL Ventures, Intel Capital, and The Syndicate Group.
Codebase vulnerability detection company ProjectDiscovery has raised $25 million in a Series A round led by CRV, with participation from Point72 Ventures, SignalFire, Rain Capital, Mango Capital, Accel, Lightspeed, Guillermo Rauch, Caleb Sima, Talha Tariq, and others.
Alameda, California-based Cerby, a company that provides an access management platform for nonstandard applications, has raised $17 million in Series A funding led by Two Sigma Ventures, with participation from Outpost Ventures, Ridge Ventures, Founders Fund, Bowery Capital, AV8, Salesforce Ventures, Tau Ventures, Okta Ventures, Incubate Fund, and Ben Johnson, co-founder of Obsidian Security and Carbon Black.
And security innovation.
On Monday the US Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and National Institute of Standards and Technology (NIST) issued a fact sheet urging organizations to prepare for the transition to post-quantum cryptographic (PQC) standards. “Quantum-Readiness: Migration to Post-Quantum Cryptography” describes the impacts of quantum capabilities and calls on organizations – especially critical infrastructure operators – to develop a Quantum-Readiness Roadmap. Organizations are also encouraged to conduct inventories of quantum-vulnerable assets, apply risk assessments and analysis, and engage vendors in the migration process. NIST plans to publish the first set of post-quantum cryptographic (PQC) standards in 2024.
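The fact sheet asks for an inventory of quantum-vulnerable assets and a risk analysis on top of it. As an added example (not the agencies' code and not taken from the fact sheet), the script below shows how such an inventory turns into a prioritised roadmap: each asset's algorithm family is classified by what a cryptographically relevant quantum computer does to it, and quantum-vulnerable assets are ranked using Mosca's inequality, a common planning heuristic in which data is at risk when its required secrecy lifetime plus the migration time exceeds the assumed number of years until such a computer exists. The algorithm groupings, the urgency scale, the `years_to_crqc` planning parameter and the sample inventory are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Algorithm families grouped by what a cryptographically relevant quantum computer (CRQC) does to them.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EDDSA"}   # public-key schemes fully broken by Shor's algorithm
GROVER_WEAKENED = {"AES", "CHACHA20", "SHA2", "SHA3", "HMAC"}  # symmetric/hash: effective strength roughly halved
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA"}                 # NIST's selected PQC families


@dataclass
class Asset:
    name: str
    algorithm: str           # family name, e.g. "RSA"
    key_bits: int            # key or digest size in bits
    shelf_life_years: float  # x: how long the data this asset protects must stay secret
    migration_years: float   # y: estimated time to migrate this asset


def classify(algorithm: str, key_bits: int) -> str:
    """Classify one algorithm/key-size pair against known quantum attacks."""
    fam = algorithm.upper()
    if fam in POST_QUANTUM:
        return "post-quantum"
    if fam in SHOR_BROKEN:
        return "quantum-vulnerable"
    if fam in GROVER_WEAKENED:
        # 256-bit keys/digests keep roughly 128-bit security after Grover; smaller ones are weakened
        return "adequate" if key_bits >= 256 else "weakened"
    return "unknown"  # anything unrecognised is an inventory gap, not a pass


def mosca_at_risk(shelf_life_years: float, migration_years: float, years_to_crqc: float) -> bool:
    """Mosca's inequality: x + y > z means data encrypted today can be exposed
    before migration completes (z = assumed years until a CRQC exists)."""
    return shelf_life_years + migration_years > years_to_crqc


def build_roadmap(assets: List[Asset], years_to_crqc: float) -> List[Dict[str, object]]:
    """Rank the inventory: highest urgency first, then by asset name for a stable order."""
    rows: List[Dict[str, object]] = []
    for a in assets:
        status = classify(a.algorithm, a.key_bits)
        if status == "quantum-vulnerable":
            if mosca_at_risk(a.shelf_life_years, a.migration_years, years_to_crqc):
                urgency, reason = 3, "harvest-now-decrypt-later exposure: migrate first"
            else:
                urgency, reason = 2, "vulnerable but within the migration horizon"
        elif status == "unknown":
            urgency, reason = 2, "unrecognised algorithm: resolve the inventory gap"
        elif status == "weakened":
            urgency, reason = 1, "increase key/digest size to 256 bits"
        else:
            urgency, reason = 0, "no action required"
        rows.append({"urgency": urgency, "asset": a.name, "status": status, "reason": reason})
    rows.sort(key=lambda r: (-int(r["urgency"]), str(r["asset"])))
    return rows


# Constructed sample inventory (illustrative values, not from the fact sheet).
SAMPLE_INVENTORY = [
    Asset("vpn-gateway", "ECDH", 256, shelf_life_years=10, migration_years=2),
    Asset("code-signing", "RSA", 3072, shelf_life_years=1, migration_years=3),
    Asset("backup-encryption", "AES", 128, shelf_life_years=15, migration_years=1),
    Asset("db-at-rest", "AES", 256, shelf_life_years=15, migration_years=1),
    Asset("legacy-hsm", "Proprietary", 0, shelf_life_years=5, migration_years=4),
    Asset("pilot-kem", "ML-KEM", 768, shelf_life_years=10, migration_years=0),
]


if __name__ == "__main__":
    # Planning assumption: ten years until a CRQC; adjust to the organisation's own estimate.
    for row in build_roadmap(SAMPLE_INVENTORY, years_to_crqc=10):
        print(f"[{row['urgency']}] {row['asset']:<18} {row['status']:<18} {row['reason']}")
```

The ordering is the useful output: a long-lived secret behind a quantum-vulnerable key exchange outranks a vulnerable signing key whose artefacts expire quickly, and an asset whose algorithm the inventory cannot even name is ranked as a gap to close rather than silently treated as safe.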