At a glance.
- ICC sustains a cyberattack.
- CISA, FBI warn of Snatch ransomware.
- Cyber threats trending from East Asia.
- ShroudedSnooper intrusion activity is both novel and simple.
- Earth Lusca's cyberespionage techniques.
- Criminal malware from China prospects Sinophone victims.
- AI training data accidentally published to GitHub.
- Cyberattack induces Clorox product shortages.
ICC sustains a cyberattack.
Reuters reported that the International Criminal Court (ICC) sustained a "cybersecurity incident." Not only the ICC's staff, but also lawyers for both victims and accused were affected. The ICC's brief statement, communicated in its X (formerly Twitter) channel, said that the Court detected "anomalous activity affecting its information systems," at which time "immediate measures were adopted to respond to this cybersecurity incident and to mitigate its impact." The ICC is investigating with the help of Netherlands authorities, but beyond that the Court has so far offered no further information. In particular there's no attribution, but the most prominent cases before the ICC involve allegations of war crimes and crimes against humanity committed by Russia in the course of its invasion of Ukraine. The AP reviewed some recent history of Russia's troubled relations with the ICC: "Last year, a Dutch intelligence agency said it had foiled a sophisticated attempt by a Russian spy using a false Brazilian identity to work as an intern at the court, which is investigating allegations of Russian war crimes in Ukraine and has issued a war crimes arrest warrant for President Vladimir Putin, accusing him of personal responsibility for the abductions of children from Ukraine." Russia responded to the warrant, SecurityWeek reminds readers, by placing ICC prosecutor Karim Khan on its own “wanted” list.
The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.
CISA, FBI warn of Snatch ransomware.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a joint Cybersecurity Advisory outlining tactics, techniques, and procedures (TTPs) associated with the Snatch ransomware: “Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants’ operations. Snatch threat actors have targeted a wide range of critical infrastructure sectors including the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology sectors. Snatch threat actors conduct ransomware operations involving data exfiltration and double extortion. After data exfiltration often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s extortion blog if the ransom goes unpaid.” For more on the warning about Snatch, see CyberWire Pro.
Cyber threats trending from East Asia.
Microsoft describes the cyber capabilities of the Chinese and North Korean governments, finding that Chinese influence operations have grown more effective over the past year: “China-aligned social media networks have engaged directly with authentic users on social media, targeted specific candidates in content about US elections, and posed as American voters. Separately, China’s state-affiliated multilingual social media influencer initiative has successfully engaged target audiences in at least 40 languages and grown its audience to over 103 million.” The researchers note that China’s cyber operations in 2023 have primarily focused on countries surrounding the South China Sea, the US defense industrial base (especially satellite communications and telecommunications infrastructure in Guam), and US critical infrastructure.
North Korean cyber operations have increased in sophistication over the past year, and Microsoft says Pyongyang’s threat actors seem particularly interested in stealing information related to maritime technology research.
Researchers at Elliptic believe North Korea’s Lazarus Group is responsible for the theft of $31 million worth of cryptocurrency from CoinEx last week, the Record reports. Elliptic stated, “Elliptic analysis confirms that some of the funds stolen from CoinEx were sent to an address which was used by the Lazarus group to launder funds stolen from Stake.com, albeit on a different blockchain.... Elliptic has observed this mixing of funds from separate hacks before from Lazarus, most recently when funds stolen from Stake.com overlapped with funds stolen from Atomic Wallet.”
ShroudedSnooper intrusion activity is both novel and simple.
Cisco Talos describes a new intrusion set dubbed “ShroudedSnooper” that’s targeting telecommunications providers in the Middle East. The threat actor is using two implants Cisco Talos calls “HTTPSnoop” and “PipeSnoop.” Talos states, “Based on the HTTP URL patterns used in the implants, such as those mimicking Microsoft’s Exchange Web Services (EWS) platform, we assess that this threat actor likely exploits internet-facing servers and deploys HTTPSnoop to gain initial access.” Talos says that the group's tactics, techniques, and procedures don't match any known groups, and so they're tracking the activity as representing something new. The report notes, however, that state-sponsored groups, particularly groups operating on behalf of Iran and China, have recently shown a strong preference for attacking telecommunication providers, especially providers in the Middle East and Asia. For more on ShroudedSnooper, see CyberWire Pro.
Earth Lusca's cyberespionage techniques.
Trend Micro says the China-aligned threat actor “Earth Lusca” is using a new Linux backdoor based on the open-source Windows malware Trochilus. The researchers are calling the Linux variant “SprySOCKS.” The researchers note, “The backdoor contains a marker that refers to the backdoor’s version number. We have identified two SprySOCKS payloads that contain two different version numbers, indicating that the backdoor is still under development. In addition, we noticed that the implementation of the interactive shell is likely inspired from the Linux variant of the Derusbi malware.” Earth Lusca has been targeting public-facing servers belonging to “government departments that are involved in foreign affairs, technology, and telecommunications.” The threat actor is primarily interested in countries in Southeast Asia, Central Asia, and the Balkans. They exploit known vulnerabilities against unpatched systems. For more on the campaign, see CyberWire Pro.
Criminal malware from China prospects Sinophone victims.
Proofpoint is tracking suspected Chinese cybercriminal campaigns targeting Chinese-speaking users with malware-laden phishing emails: “Campaigns are generally low-volume and are typically sent to global organizations with operations in China. The email subjects and content are usually written in Chinese, and are typically related to business themes like invoices, payments, and new products. The targeted users have Chinese-language names spelled with Chinese-language characters, or specific company email addresses that appear to align with businesses' operations in China.” While most of the activity is focused on users in China, at least one campaign is targeting Japanese organizations, which the researchers believe suggests “a potential expansion of activity.”
AI training data accidentally published to GitHub.
Researchers at Wiz reported that Microsoft’s AI research team accidentally exposed 38 terabytes of private data, including “secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages.” The exposure occurred when a Microsoft employee published a bucket of open-source training data to a public GitHub repository. Users could download the training data via an Azure Storage URL; however, this URL granted permissions to the entire storage account, which included two Microsoft employees’ personal computer backups. Microsoft has fixed the issue, stating, “No customer data was exposed, and no other internal services were put at risk because of this issue. No customer action is required in response to this issue.” For more on this data exposure incident, see CyberWire Pro.
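The exposure described above came down to a shared storage URL whose embedded grant was far wider than the one dataset it was meant to publish. The following is an added example, not code from Wiz or Microsoft, of how a defender can audit an Azure Storage shared access signature (SAS) URL before it is published: it flags account-wide scope, write-capable permissions, distant expiry, and tokens not pinned to HTTPS. The two URLs, the storage account name and the `sig` value are constructed placeholders.

```python
"""Audit an Azure Storage SAS URL for over-broad grants (added example, not Wiz's or Microsoft's code)."""
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Permission letters that allow modification: write, delete, create, add, update, process.
# A link that only shares a dataset should carry read ('r') and list ('l') at most.
WRITE_PERMS = set("wdcaup")

# Constructed sample URLs (hypothetical account name and placeholder signature).
NARROW_SAS = ("https://examplestore.blob.core.windows.net/datasets"
              "?sv=2022-11-02&sr=c&sp=rl&se=2023-10-01T00:00:00Z&spr=https&sig=PLACEHOLDER")
BROAD_SAS = ("https://examplestore.blob.core.windows.net/datasets"
             "?sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacup&se=2051-10-06T00:00:00Z&sig=PLACEHOLDER")

# Fixed reference time so the audit is reproducible; constructed for this example.
AUDIT_TIME = datetime(2023, 9, 19, tzinfo=timezone.utc)


def parse_sas_expiry(se: str) -> datetime:
    """Parse the 'se' (signed expiry) field; SAS uses ISO 8601 with a trailing 'Z'."""
    dt = datetime.fromisoformat(se.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def audit_sas_url(url: str, now: Optional[datetime] = None, max_lifetime_days: int = 90) -> List[str]:
    """Return a list of findings; an empty list means the link is narrowly scoped."""
    now = now or datetime.now(timezone.utc)
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "sig" not in params:
        return ["no 'sig' parameter: not a SAS URL"]
    findings: List[str] = []
    # An account SAS carries 'ss' (services) and 'srt' (resource types) and reaches the whole
    # storage account; a service SAS carries 'sr' naming one blob ('b'), container ('c') or directory ('d').
    if "srt" in params or "ss" in params:
        findings.append(f"account-scoped SAS (srt={params.get('srt')}): reaches every container in the account")
    elif params.get("sr") not in ("b", "c", "d"):
        findings.append(f"unexpected resource scope sr={params.get('sr')}")
    perms = set(params.get("sp", ""))
    if perms & WRITE_PERMS:
        findings.append(f"write-capable permissions sp={params.get('sp')}: holders could alter or delete data")
    se = params.get("se")
    if se is None:
        findings.append("no expiry ('se') set")
    elif parse_sas_expiry(se) - now > timedelta(days=max_lifetime_days):
        findings.append(f"expiry {se} is more than {max_lifetime_days} days out")
    # An absent 'spr' is treated here as not pinned to HTTPS (assumption: Azure's default allows both schemes).
    if "http" in params.get("spr", "https,http").split(","):
        findings.append("spr not pinned to https: token can be exposed in clear-text requests")
    return findings


if __name__ == "__main__":
    for name, url in (("narrow", NARROW_SAS), ("broad", BROAD_SAS)):
        print(name, audit_sas_url(url, now=AUDIT_TIME) or ["ok"])
```

Run it as a pre-publication gate: refuse to publish any URL for which the function returns a non-empty list.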
Cyberattack induces Clorox product shortages.
Cleaning product manufacturer Clorox disclosed in an SEC filing that the cyberattack it sustained on August 14th has led to ongoing consumer product availability issues. Clorox stated, “The cybersecurity attack damaged portions of the Company’s IT infrastructure, which caused widescale disruption of Clorox’s operations. The Company is repairing the infrastructure and is reintegrating the systems that were proactively taken offline. The Company expects to begin the process of transitioning back to normal automated order processing the week of Sept. 25. Clorox has already resumed production at the vast majority of its manufacturing sites and expects the ramp up to full production to occur over time. At this time, the Company cannot estimate how long it will take to resume fully normalized operations.” The company added, “Clorox is still evaluating the extent of the financial and business impact. Due to the order processing delays and elevated level of product outages, the Company now believes the impact will be material on Q1 financial results.” For more on the incident at Clorox, see CyberWire Pro.
Patch news.
On Thursday Apple issued patches for macOS Ventura 13.6, iOS 17.0.1, and iPadOS 17.0.1. Three vulnerabilities in all (CVE-2023-41993, CVE-2023-41991, and CVE-2023-41992) were patched, and there are reports that they've been exploited in the wild. The vulnerabilities could permit privilege escalation and signature validation bypass.
Crime and punishment.
Finnish Customs has announced that an international law enforcement operation has taken down PIILOPUOTI, a dark web marketplace used to smuggle narcotics and drug paraphernalia into Finland. In cooperation with German and Lithuanian authorities, Europol, and the European Union Agency for Criminal Justice Cooperation (Eurojust), Finnish Customs has seized the site’s web server, which had operated on the encrypted Tor network since May 2022. A statement from Finnish authorities reads, “The criminal investigation is still underway. At this point, Finnish Customs and our international cooperation partners will not provide any further information on the matter.” Finnish authorities have declined to share any additional details about the operation, including whether any arrests were made.
Bitdefender supported the investigation with technical consulting services. Alexandru Catalin Cosoi, Senior Director, Investigation and Forensics Unit at Bitdefender, said in emailed comments, “We are extremely pleased that PIILOPUOTI has been seized and would like to congratulate law enforcement, Finnish Customs and everyone involved. This operation is a prime example of the public and private sector pooling resources and working together to disrupt illegal online activities. It should also serve as a wake-up call for criminals who falsely believe their infrastructures, anonymity, and actions are fully protected by the dark web. They should understand if they are in the crosshairs of an international effort, they will eventually be brought to justice.”
Courts and torts.
A major EU privacy regulator has hit TikTok with a €345 million fine for violations concerning children’s privacy rights, Security Affairs reports. TikTok’s “family pairing” feature is intended to allow adults to communicate with children to whom they are related. However, Ireland’s Data Protection Commission (DPC) found that a security flaw could allow unverified adults to send direct messages to teenagers to whom they are not related. What’s more, a default account setting could let anyone view the content posted by children under thirteen. DPC Commissioner Helen Dixon explained that the flaw meant, “non-child users had the power to enable direct messages for child users above the age of 16, thereby making this feature less strict for the child user. This also meant that, for example, videos that were posted to child users’ accounts were public by default, comments were enabled publicly by default, the Duet and Stitch features were enabled by default.”
Policies, procurements, and agency equities.
Russia's immediate interest in cultivating its relationship with North Korea is the prospect of Pyongyang supplying Russia's army with artillery ammunition, as expenditures have far exceeded Russian production capacity. There are, however, other potential areas of cooperation, notably in cyberspace. An essay in the EconoTimes argues, "Both North Korea and Russia are highly capable cyberwar and cyber intelligence nations: they can disrupt or break key infrastructure and steal sensitive government information. North Korea’s Lazarus group of hackers has been identified – through careful process tracing – to be responsible for thefts of cryptocurrency totalling tens of millions of dollars." Such cooperation wouldn't necessarily require much coordination. Most of North Korea's offensive cyber operations are already directed against countries whose relations with Russia are at least cool, if not downright adversarial.
The British parliament has passed the Online Safety Bill, a slate of legislation that has been the source of controversy since its earliest stages. Beginning in 2019 as a white paper, over the years the bill has grown in scope to address a swath of online issues from disinformation to cyberbullying to child safety to deepfake porn. As TechCrunch notes, current secretary of state Michelle Donelan worked to temper the reach of the legislation, particularly when it comes to the regulation of harmful but legal content that might interfere with freedom of speech. Most recently, messaging platforms that offer end-to-end encryption argued that the bill’s mandate for platforms to scan messages for harmful content could expose users’ communications to intrusion. The Record explains that while the current version of the bill could, in some circumstances, require messaging platforms to use “accredited technology” to identify particularly unsafe content like child sexual abuse material (CSAM), UK regulators would have to deem such scanning “necessary and proportionate,” and no such accredited technology yet exists.
Fortunes of commerce.
The cyberattack that disrupted operations at Clorox was among the first major incidents to fall under the US Securities and Exchange Commission (SEC) rules that went into effect on September 5th. (Compliance dates for mandatory reporting are somewhat later, falling for most companies in December. "The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023," the SEC explained.) The Wall Street Journal reviews how the company has responded publicly to the incident. Clorox has issued six statements, including two Forms 8-K, since the incident was disclosed on September 14th, shortly after it was detected. There are at least two challenges: keeping reporting current as an investigation unfolds ("A stream of 8-Ks will be the new norm,” one expert told the Journal), and determining whether an incident has a material impact on a public company.
The other two major recent incidents that raise interesting regulatory challenges are the attacks against MGM Resorts and Caesars Entertainment, both prominent casino operators. Caesars Entertainment saw data belonging to its loyalty program affected, but was able to keep its operations online during the incident. The Form 8-K the company filed with the SEC strongly hinted that it had paid the attackers ransom. MGM Resorts has had by all accounts a more difficult time. The New York Post reports that MGM continues to have trouble with its slot machines and hotel systems eight days after the attack was detected. The company is estimated to be losing as much as $8.4 million per day in revenue.
MGM and Caesars face an additional regulatory burden, Dark Reading points out, in the form of oversight by the Nevada Gaming Control Board, whose Regulation 5.260 requires "covered entities" (including casino operators) to establish effective cybersecurity measures. In the event of an incident "resulting in a material loss of control, compromise, unauthorized disclosure of data or information, or any other similar occurrence," a casino operator must disclose the incident to the Board within seventy-two hours and undertake both investigation and remediation of the incident.
Labor markets.
Silicon Valley Business Journal reports that Cisco has begun another round of layoffs. Some 350 jobs are being eliminated.
Mergers and acquisitions.
On Thursday Cisco announced that it had reached an agreement to acquire Splunk for $28 billion. The Wall Street Journal sees the acquisition as evidence of the growing importance of artificial intelligence to cybersecurity (and of the price companies are willing to pay to gain that capability). Moody's commented on the acquisition: “The Splunk transaction is the largest acquisition by far in Cisco's history. However, Splunk's business is complementary to Cisco's XDR platform and build out of Cisco's observability strategy, and more broadly, will increase the size and breadth of its software portfolio. Cisco has been adding to its observability capabilities through numerous acquisitions including AppDynamics and ThousandEyes. The Splunk acquisition will expand Cisco's capabilities to collect and act on telemetry across an organization's IT and security infrastructure.”
CrowdStrike has agreed to acquire cloud security posture management platform provider Bionic. TechCrunch reports the acquisition price as $350 million.
Shareholders of Australian cybersecurity company Tesserent have voted in favor of an acquisition by Thales Australia for AU$176 million, ARN reports.
Investments and exits.
Maryland-based industrial cybersecurity company Dragos has raised $74 million in a Series D extension led by WestCap, bringing the total amount of the Series D round to $274 million.
Austin, Texas-based HiddenLayer, a company that provides security for AI models and assets, has secured $50 million in a Series A round led by M12, Microsoft’s Venture Fund, and Moore Strategic Ventures, with participation from Booz Allen Ventures, IBM Ventures, Capital One Ventures, and Ten Eleven Ventures.
San Francisco-based backup-as-a-service startup Alcion has raised $21 million in a Series A round led by Veeam.
French cyber insurance company Stoïk has raised $10.7 million in a funding round led by Munich Re Ventures, with participation from Opera Tech Ventures, TechCrunch reports.
Sunnyvale, California-based cybersecurity policy management startup Discern Security has emerged from stealth with $3 million in seed funding from BoldCap, WestWave Capital, Cyber Mentor Fund, Security Syndicate, and others.
British cybersecurity company Goldilock has secured $1.7 million in a seed funding round led by New York Angels and Harvard Business School Alumni Angels of Greater New York.
And security innovation.
SentinelOne announced the formation of the Undermonitored Regions Working Group, in an effort to “better manage the challenge of tracking state-aligned cyber activities in less monitored areas like Africa and Latin America.” The company stated, “[T]his effort calls upon established security researchers to join analytic capabilities, combine telemetry, resources, and local expertise, and promote a unified approach to analyzing cyber operations used to support soft power agendas in Africa and Latin America.”