At a glance.
- Five Eyes call out GRU cyberespionage campaign.
- Russian hacktivist auxiliary hits Polish and Czech organizations.
- Investigation of railroad incidents in Poland continues.
- DPRK's Lazarus Group exploits ManageEngine issues.
- China's GREF deploys tools used against Uyghurs in broader espionage.
- Cyberespionage campaign by Earth Estries.
- Chinese influence campaign taken down by Meta was long-running and persistent.
- Adversary-in-the-middle attacks.
Five Eyes call out GRU cyberespionage campaign.
Early Thursday the Five Eyes--the intelligence services of Australia, Canada, New Zealand, the United Kingdom, and the United States--issued a joint advisory providing further details on the malware, "Infamous Chisel," used in a GRU cyberespionage campaign first described early this month by Ukraine's SBU. Infamous Chisel targets Android devices on behalf of Sandworm, the threat group associated with the GRU’s Main Centre for Special Technologies (GTsST). The US Cybersecurity and Infrastructure Security Agency (CISA) explains that "It performs periodic scanning of files and network information for exfiltration," including system and application configuration files. It "provides network backdoor access via a Tor (The Onion Router) hidden service and Secure Shell (SSH)," as well as other capabilities that include "network monitoring, traffic collection, SSH access, network scanning, and SCP file transfer." Infamous Chisel isn't sophisticated or well-crafted malware. The Five Eyes assess the malware's components as representing "low to medium sophistication." They "appear to have been developed with little regard to defense evasion or concealment of malicious activity." Its targets seem to have been mainly Ukrainian military devices.
Russian hacktivist auxiliary hits Polish and Czech organizations.
NoName057(16) this week hit the Warsaw Stock Exchange, the Polish Government's Trusted Profile identity verification service, and five major commercial banks: Bank Pekao, Raiffeisen Bank, Plus Bank, Credit Agricole Bank, and BNP Paribas. Cybernews quotes the group's communique as explaining, “To express our support to all adequate citizens of Poland who oppose the authorities of their country drowning in Russophobia, our DDoS rocket launchers today are aimed at Polish targets.” The attacks were all distributed denial-of-service (DDoS) incidents, which is consistent with NoName057(16)'s familiar operational pattern. Some of the attacks seem to have been of longer than usual duration; notably, the Warsaw Stock Exchange, Bank Pekao, and Raiffeisen Bank were still experiencing disruption.
The group subsequently moved on to Czech targets. The Brno Daily reported distributed denial-of-service (DDoS) attacks against Komercni banka, CSOB, Air Bank, Fio banka, Ceska Sporitelna, and the Prague stock exchange. Expats.cz adds Raiffeisen and Moneta Money Bank to the organizations targeted. These were nuisance-level attacks, representing no threat to the organizations' or their customers' data. NoName057(16) says the attacks are intended to punish the victims' support for Ukraine, and to induce them to reconsider such support. Full service was restored at most sites within hours of the attack.
Investigation of railroad incidents in Poland continues.
Polish authorities have arrested two men, both Polish citizens, SecurityWeek reports, in connection with an attack that halted twenty trains in the vicinity of Szczecin. They used an acoustic tone transmitted over a radio system to issue stop signals. The incident began Friday night around Szczecin, and continued, but with minimal effect, Saturday and Sunday in other parts of the country, notably around Gdynia and Bialystok. Cybernews says the two men arrested were taken into custody in Bialystok, where they were found in possession of "radio equipment." The suspects' ages are given as 24 and 29, but they're not further identified. The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.
DPRK's Lazarus Group exploits ManageEngine issues.
Cisco Talos says North Korea’s Lazarus Group has exploited a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) to target “an internet backbone infrastructure provider in Europe” and healthcare entities in the US and Europe. The threat actor used the vulnerability to deploy the recently discovered QuiteRAT malware, which the researchers note “has many of the same capabilities as Lazarus Group’s better-known MagicRAT malware, but its file size is significantly smaller.” The researchers add, “This substantial difference in size is due to Lazarus Group incorporating only a handful of required Qt libraries into QuiteRAT, as opposed to MagicRAT, in which they embedded the entire Qt framework.” The Lazarus Group has been active in other respects as well: see CyberWire Pro for a review of some other activity.
China's GREF deploys tools used against Uyghurs in broader espionage.
ESET says the China-linked threat actor “GREF” is distributing the BadBazaar Android malware via Trojanized versions of Telegram and Signal in the Google Play store and the Samsung Galaxy Store. Both stores have since removed the malicious apps. ESET notes that BadBazaar has been used in the past to target Uyghurs and other Turkic ethnic minorities. In this case, the malicious Telegram app, called “FlyGram,” was shared in a Uyghur Telegram group. The researchers add that the malicious Signal app, called “Signal Plus Messenger,” “represents the first documented case of spying on a victim’s Signal communications by secretly autolinking the compromised device to the attacker’s Signal device.”
Cyberespionage campaign by Earth Estries.
Trend Micro describes a cyberespionage campaign by a cybercriminal group the researchers call “Earth Estries.” The threat actor is targeting “organizations in the government and technology industries based in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the US.” Trend Micro states, “[W]e believe the threat actors behind Earth Estries are working with high-level resources and functioning with sophisticated skills and experience in cyberespionage and illicit activities.” The researchers refrain from making any attributions, but they note that there are some overlaps between Earth Estries and the China-linked FamousSparrow APT.
Chinese influence campaign taken down by Meta was long-running and persistent.
Facebook's corporate parent Meta has published its Adversarial Threat Report for the second quarter of 2023. The company continued its commendable practice of concentration on inauthenticity, and in particular coordinated inauthenticity, as opposed to direct content moderation in its work against disinformation. Of particular interest in this report is the work against a Chinese campaign that the New York Times characterizes as the company's "biggest single takedown." The Register notes Meta's conclusion that the influence operators learn from one another (by observation from afar, that is, not necessarily as a matter of formal collaboration). In this case, Spamouflage seems to have taken Secondary Infektion as its role model. Execution wasn't uniformly sound, and Spamouflage gained little traction among potential fellow travelers and amplifiers.
Adversary-in-the-middle attacks.
The Microsoft Threat Intelligence team has warned of a rise in adversary-in-the-middle (AiTM) phishing attacks, The Hacker News reports. These attacks are launched via phishing-as-a-service (PhaaS) offerings. Microsoft said in a post on X (formerly known as Twitter), “This development in the PhaaS ecosystem enables attackers to conduct high-volume phishing campaigns that attempt to circumvent MFA protections at scale.” The researchers add, “Circumventing MFA is the objective that motivated attackers to develop AiTM session cookie theft techniques. Unlike traditional phishing attacks, incident response procedures for AiTM require revocation of stolen session cookies.” For more on this sector of the C2C market, see CyberWire Pro.
A "fully undetectable information stealer."
Cyfirma is tracking a new malware-as-a-service offering called “Prysmax,” advertised as a fully undetectable information stealer. Cyfirma notes that currently “[t]he malware is indeed fully undetectable by over 95% of signature-based detections commonly employed by antivirus solutions.” The researchers add that “[t]he infostealer strategically manipulates file associations, enabling it to execute whenever any .exe file is run. This technique ensures that the malware is triggered seamlessly, whenever legitimate executable files are opened, potentially leading to persistent infection.”
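The file-association trick Cyfirma describes leaves a footprint a defender can look for: on Windows, the default value under HKEY_CLASSES_ROOT\exefile\shell\open\command is exactly "%1" %*, and per-user overrides under HKCU\Software\Classes take precedence over it. The following is an added example, not code from Cyfirma or from the report; it assumes the caller has already read the relevant registry default values (for instance with Python's winreg on a Windows host) and passes them in as a dict, and the sample values are constructed.

```python
"""Check Windows .exe file-association commands for hijacking.

Added example (not Cyfirma's code). The default open command for the
exefile class is exactly  "%1" %*  : run the file itself with its
arguments. Malware that wants to run whenever any .exe is launched
rewrites that value so another program is started first, or replaces
the .exe extension mapping itself. Registry reads are left to the
caller; the sample dicts below are constructed.
"""

EXPECTED_OPEN_COMMAND = '"%1" %*'

# HKCR is a merged view; the HKCU branch wins over HKLM, so check both.
OPEN_COMMAND_KEYS = (
    r"HKCR\exefile\shell\open\command",
    r"HKCU\Software\Classes\exefile\shell\open\command",
)


def classify_exe_command(command):
    """Return 'clean', 'hijacked' or 'suspicious' for an exefile open command."""
    cmd = command.strip()
    if cmd == EXPECTED_OPEN_COMMAND:
        return "clean"
    if "%1" not in cmd:
        return "hijacked"        # the launched file is never run at all
    if not cmd.startswith('"%1"'):
        return "hijacked"        # some other program runs before "%1"
    return "suspicious"          # "%1" first, but arguments altered or appended


def audit_associations(assoc):
    """assoc: dict mapping registry key path -> its default value (caller-read).

    Returns a list of (key, finding) tuples; an empty list means clean.
    """
    findings = []
    ext_target = assoc.get(r"HKCR\.exe", "")
    if ext_target != "exefile":
        findings.append((r"HKCR\.exe", f"points to '{ext_target}' instead of 'exefile'"))
    for key in OPEN_COMMAND_KEYS:
        if key in assoc:
            verdict = classify_exe_command(assoc[key])
            if verdict != "clean":
                findings.append((key, f"{verdict}: {assoc[key]}"))
    return findings


# Constructed sample values (not real registry contents).
SAMPLE_CLEAN = {
    r"HKCR\.exe": "exefile",
    r"HKCR\exefile\shell\open\command": '"%1" %*',
}
SAMPLE_HIJACKED = {
    r"HKCR\.exe": "exefile",
    r"HKCR\exefile\shell\open\command": '"%1" %*',
    # Hypothetical per-user override inserting an extra loader in front of "%1".
    r"HKCU\Software\Classes\exefile\shell\open\command":
        r'"C:\Users\Public\updater.exe" "%1" %*',
}

if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("hijacked", SAMPLE_HIJACKED)):
        print(name, audit_associations(sample))
```

Because HKCR only shows the merged result, an auditor that reads HKLM\Software\Classes and HKCU\Software\Classes separately will also see which hive the override lives in, which matters when deciding whether the change is machine-wide or confined to one user profile.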
DB#JAMMER brute-forces exposed MSSQL databases.
Securonix warns that DB#JAMMER attack campaigns are targeting exposed MSSQL databases with brute-force attacks in order to deliver the FreeWorld ransomware. The researchers note, “One of the things that makes DB#JAMMER stand out is how the attacker’s tooling infrastructure and payloads are used. Some of these tools include enumeration software, RAT payloads, exploitation, and credential stealing software, and finally ransomware payloads.”
Securonix adds, “FreeWorld ransomware appears to be a variant of Mimic ransomware as it follows many similar TTPs in order to carry out its goals. Both variants appear to abuse the legitimate application Everything to query and locate target files to be encrypted.”
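The brute-force stage of a DB#JAMMER-style campaign shows up in SQL Server's own ERRORLOG as a burst of "Login failed" events from one client, followed by a "Login succeeded" from the same client once a password lands. The following detector is an added example, not Securonix's code; it assumes the standard SQL Server logon-event line format, and the log lines, threshold and window are constructed.

```python
"""Detect password guessing against SQL Server from ERRORLOG lines.

Added example (not from the Securonix report). Assumes the usual
SQL Server logon-event format, e.g.

  2023-08-30 10:00:01.10 Logon  Login failed for user 'sa'. Reason: ... [CLIENT: 203.0.113.7]

Threshold, window and sample lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*?"
    r"\[CLIENT: (?P<client>[^\]\s]+)\]"
)


def parse_logon(line):
    """Return a dict for a logon line, or None for anything else (e.g. 'Error: 18456' lines)."""
    m = LOGON_RE.search(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "ok": m["result"] == "succeeded",
        "user": m["user"],
        "client": m["client"],
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return alerts in log order.

    'bruteforce'             : `threshold` failures from one client inside `window`
    'success_after_failures' : a later successful logon from a client already flagged
    """
    recent_failures = defaultdict(deque)   # client -> timestamps inside the window
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_logon(line)
        if ev is None:
            continue
        q = recent_failures[ev["client"]]
        if ev["ok"]:
            if ev["client"] in flagged:
                alerts.append({"type": "success_after_failures", "client": ev["client"],
                               "user": ev["user"], "ts": ev["ts"]})
            continue
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:      # slide the window forward
            q.popleft()
        if len(q) >= threshold and ev["client"] not in flagged:
            flagged.add(ev["client"])
            alerts.append({"type": "bruteforce", "client": ev["client"],
                           "user": ev["user"], "ts": ev["ts"], "failures": len(q)})
    return alerts


# Constructed sample log: six guesses at 'sa' from one client, one stray
# failure from another, then a success from the guessing client.
SAMPLE_LOG = """\
2023-08-30 10:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-30 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-08-30 10:00:03.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-08-30 10:00:05.03 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.5]
2023-08-30 10:00:06.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-08-30 10:00:09.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-08-30 10:00:11.56 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-08-30 10:00:14.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-08-30 10:00:16.70 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
"""


def run_sample():
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The second alert type is the one worth paging on: a success from a client that has just been guessing is the moment the attacker's tooling (enumeration, RAT drop, ransomware) starts, and it is also the point at which exposing the instance to the internet at all, rather than the password strength, is the root cause to fix.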
Patch news.
CISA released one ICS advisory this week, for PTC CodeBeamer.
Companies that issued patches and mitigations this week include Mozilla (for Firefox and Firefox ESR), VMware (for multiple vulnerabilities in Aria Operations for Networks), Juniper Networks (for Junos OS and Junos OS Evolved), and Cisco (for three "high-severity DoS flaws in NX-OS and FXOS software").
Crime and punishment.
This week the US Justice Department announced the takedown of the Qakbot botnet. Led by the US FBI, it was a multinational action with participation by France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom. The basic approach the agencies followed was first, to obtain lawful access to the infrastructure and redirect traffic to servers the Bureau controlled. Any computer redirected to the server received an uninstaller file that removed the Qakbot malware. The US Attorney for the Central District of California explained Qakbot's place in the criminal economy. "Qakbot has been used as an initial means of infection by many prolific ransomware groups in recent years, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. The ransomware actors then extort their victims, seeking ransom payments in bitcoin before returning access to the victim computer networks." Qakbot's operators are based in Russia, which explains the lack of arrests and why Qakbot was able to operate with impunity: it was tolerated and probably enabled by the Russian authorities. For more on Operation Duck Hunt, see CyberWire Pro.
Courts and torts.
The University of Minnesota disclosed it suffered a data breach in late July, and the hacker allegedly responsible claims to be in possession of 7 million Social Security numbers linked to members of the college community. Fox 9 now reports that a former student and former employee who fear their data might have been exposed have filed a class action lawsuit against the school. The university has not yet commented on the suit, but last week confirmed it had enlisted the help of law enforcement to carry out a breach investigation, which is still underway. It’s worth noting that the incident appears to be yet another casualty tied to the mass-hack of the popular MOVEit app, which the university used to transfer files.
Policies, procurements, and agency equities.
A federal report from Canada’s Centre for Cyber Security – a branch of the Communications Security Establishment (CSE) – is warning of a ramp up in Russian and Iranian organized cybercrime targeting Canadian organizations. The report names Russia and Iran as cybercrime safe havens where threat actors can carry out operations against Canada and other nations in the West. (As Reuters reports, the Russian government has denied any support of cybercriminals.) It also predicts that “Organized cybercrime will very likely pose a threat to Canada's national security and economic prosperity over the next two years.” In 2022 there were 70,878 reports of cyber fraud in Canada resulting in C$530 million in stolen funds.
As of last Friday, the EU’s Digital Services Act (DSA) is in effect, giving residents more power over what they see and don’t see on the web. Security Week reports that users on social media platforms like Facebook, Instagram, TikTok, and Snapchat can now opt out of automated recommendation algorithms that determine what they see in their feeds, search results, and suggested content. ByteDance, parent company of TikTok and Snapchat, has hired a stable of new moderators and legal specialists to review videos flagged by users, and Facebook’s and Instagram’s content reporting tools have been made more easily accessible to users.
Over the past two weeks, the United Nations has been negotiating a new international cybercrime treaty that, if adopted, would institute a new international legal regime. As the Register notes, the current draft dramatically expands the definition of cybercrime, and some human rights groups argue that abuse of the treaty by authoritarian regimes could lead to government censorship and unlawful public surveillance. As the Record explains, it doesn’t help that the treaty was originally proposed by Russia with support from countries like China and North Korea, nations that have been known to suppress the views of their citizens. The US State Department hopes the UN will land on a more limited definition of cybercrime. This negotiation session ended yesterday; the final session is scheduled for early next year.
The US Department of Homeland Security is offering $374.9 million in funding to support the cybersecurity efforts of state, local, and territorial governments, the National Law Review reports. The 2023 State and Local Cybersecurity Grant Program (SLCGP) aims to help local governments manage and reduce systemic cyber risks through focused investments in cybersecurity planning and exercising, hiring cyber personnel, and improving critical cyber infrastructure. Established under Section 2218 of 2021’s Infrastructure Investment and Jobs Act, the SLCGP is focused on protecting information systems owned or operated by local governments.
Fortunes of commerce.
Reuters, citing "people familiar with the matter," said early this week that publicly traded cybersecurity firm SentinelOne is considering a sale to a private equity firm. By midweek the rumors had shifted, with reports that Wiz is considering a bid for SentinelOne. CTech elaborated on the rumors with a report that "SentinelOne will not agree to a deal for less than $18-20 per share, equating to around $6 billion and 25% above the current value." These rumors may not have been welcome at SentinelOne, which, Bloomberg reports, terminated its six-month-old strategic partnership with Wiz. SentinelOne emailed Bloomberg on Wednesday, “We terminated our re-sell agreement with Wiz as a result of their continued lack of execution against their commitments. The Wiz partnership has not been material to our business.” CTech says that SentinelOne would prefer acquisition by either a fund or a large, diversified corporation. But late Friday afternoon CNBC reported that SentinelOne CEO Tomer Weingarten said the company was not for sale, but instead was “focused on our individual path.”
Labor markets.
Intel is laying off 226 employees at its locations in Santa Clara and San Jose, the Silicon Valley Business Journal reports. According to the Economic Times, "The company is reportedly laying off 10 GPU software development engineers, eight system software development engineers, six cloud software engineers, six product marketing engineers, and six system-on-chip design engineers, along with others."
In the cybersecurity sector proper, TechCrunch reports that Malwarebytes has laid off 100 employees. The layoffs are part of a restructuring that will split the company into two major business units. That split is not expected to involve the sale of either unit.
Mergers and acquisitions.
Thoma Bravo has completed its $2.3 billion acquisition of identity and access management firm ForgeRock. The private equity firm has combined ForgeRock into its portfolio company Ping Identity.
San Francisco-based cloud computing services provider Fastly last Thursday "announced two major developments in its domain name API and Transport Layer Security (TLS) capabilities: the acquisition of Domainr, an ICANN-accredited real-time domain availability API provider, as well as general availability of Certainly, Fastly’s publicly-trusted TLS Certification Authority (CA)."
Zurich Holding Company of America has acquired Missouri-headquartered cyber counterintelligence firm SpearTip, Reinsurance News reports.
London-based unified communications firm Gamma has acquired cybersecurity services company Satisnet.
The Silicon Valley Business Journal reports that Broadcom plans to complete its $69 billion acquisition of VMware by October 31st, and will invest $2 billion per year into research and development at the company.
Honeywell has agreed to acquire SCADAfence as an operational technology and Internet of Things cybersecurity play.
Parsons Corp. on Wednesday announced its acquisition of Sealing Technologies, Inc. for about $200 million in a bid to increase Parsons' cybersecurity capabilities.
Owl has acquired cloud security firm Big Bad Wolf Security.
Recorded Future has made a strategic investment in advanced adversary hunting shop Hunt.io.
Investments and exits.
Austin, Texas-based digital identity protection firm SpyCloud has secured $110 million in a growth round led by Riverwood Capital.
Boston-based SaaS identity risk management firm Grip Security has raised $41 million in a Series B round led by Third Point Ventures, with participation from YL Ventures, Intel Capital, and The Syndicate Group.
Codebase vulnerability detection company ProjectDiscovery has raised $25 million in a Series A round led by CRV, with participation from Point72 Ventures, SignalFire, Rain Capital, Mango Capital, Accel, Lightspeed, Guillermo Rauch, Caleb Sima, Talha Tariq, and others.
Alameda, California-based Cerby, a company that provides an access management platform for nonstandard applications, has raised $17 million in Series A funding led by Two Sigma Ventures, with participation from Outpost Ventures, Ridge Ventures, Founders Fund, Bowery Capital, AV8, Salesforce Ventures, Tau Ventures, Okta Ventures, Incubate Fund, and Ben Johnson, co-founder of Obsidian Security and Carbon Black.
Software governance automation firm Fianu Labs emerged from stealth with $2 million in seed funding.
And security innovation.
DataTribe has opened applications for its 2023 challenge, in which innovative cybersecurity startups compete for up to $2 million in seed funding. Applications are due by September 28th, 2023.
Cybersecurity not-for-profit MISI, which fosters small business and academic engagement along with STEM and workforce development, has become a partner of Maryland’s Global Gateway Soft Landing Program. "Managed by the Maryland Department of Commerce, the program provides international companies with an opportunity to test out their viability in the U.S. market."