By the CyberWire staff
At a glance.
- Joint advisory warns of Beijing's "BlackTech" threat activity.
- New players in the C2C market.
- Unattributed APTs.
- Threat actors appear to target war crimes investigations.
- More MOVEit-related data breaches are disclosed.
Joint advisory warns of Beijing's "BlackTech" threat activity.
A Joint Cybersecurity Advisory was issued Wednesday morning by US and Japanese security and intelligence agencies warning of BlackTech, an industrial espionage activity cluster the agencies link to the People's Republic of China. BlackTech has shown the ability to modify router firmware without detection and to "exploit routers' domain-trust relationships." Its intrusions typically begin with the compromise of routers at a target's international subsidiaries, from which the operators pivot to corporate headquarters in the US and Japan. The goal of BlackTech's collection has for the most part been the acquisition of intellectual property. The practical implication for defenders is that a network device running trojaned firmware sits outside the reach of host-based tooling, so the advisory's mitigations center on the routers themselves: verifying firmware integrity, monitoring for unexpected firmware changes, and logging and reviewing device logins.
New players in the C2C market.
Group-IB describes a new ransomware-as-a-service (RaaS) affiliate called “ShadowSyndicate.” The researchers state, “[I]t’s incredibly rare for one Secure Shell (SSH) fingerprint to have such a complex web of connections with a large number of malicious servers. In total, we found ShadowSyndicate’s SSH fingerprint on 85 servers since July 2022. Additionally, we can say with various degrees of confidence that the group has used seven different ransomware families over the course of the past year, making ShadowSyndicate notable for their versatility.”
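Group-IB's pivot was a single SSH host-key fingerprint recurring across many servers. The following added example, written for this page and not Group-IB's own tooling, shows how that fingerprint is derived (SHA256 of the wire-format key blob, base64-encoded without padding, the same value `ssh-keygen -lf` prints) and how to cluster scan results by it to surface key reuse across hosts. The hosts, keys and ssh-keyscan lines are constructed for the example; the IP addresses are documentation ranges, not real infrastructure.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_pubkey_blob(raw_key: bytes) -> bytes:
    """Build the blob that appears base64-encoded in ssh-keyscan output for an
    ssh-ed25519 host key: the key-type string followed by the 32-byte public key."""
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def ssh_fingerprint(keyscan_line: str) -> str:
    """OpenSSH-style fingerprint ('SHA256:<base64, no padding>') for one
    ssh-keyscan line of the form '<host> <keytype> <base64 blob>'."""
    host, keytype, blob_b64 = keyscan_line.split()[:3]
    blob = base64.b64decode(blob_b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def cluster_by_fingerprint(keyscan_lines):
    """Group hosts by host-key fingerprint. Returns {fingerprint: sorted hosts}."""
    clusters = defaultdict(set)
    for line in keyscan_lines:
        if not line.strip() or line.startswith("#"):
            continue  # ssh-keyscan emits comment lines; skip them
        clusters[ssh_fingerprint(line)].add(line.split()[0])
    return {fp: sorted(hosts) for fp, hosts in clusters.items()}


def shared_key_clusters(keyscan_lines, min_hosts=2):
    """Fingerprints seen on at least min_hosts distinct hosts: the reuse pattern
    that made one fingerprint a usable pivot across a criminal infrastructure."""
    return {fp: hosts
            for fp, hosts in cluster_by_fingerprint(keyscan_lines).items()
            if len(hosts) >= min_hosts}


# Constructed sample: three hosts share one host key, a fourth has its own.
REUSED_KEY = bytes(range(32))
UNIQUE_KEY = bytes(range(100, 132))


def keyscan_line(host: str, raw_key: bytes) -> str:
    """Fabricate one line in ssh-keyscan's output format for the sample."""
    blob = base64.b64encode(ed25519_pubkey_blob(raw_key)).decode("ascii")
    return f"{host} ssh-ed25519 {blob}"


SAMPLE_KEYSCAN = [
    "# constructed ssh-keyscan output for this example, not real infrastructure",
    keyscan_line("198.51.100.10", REUSED_KEY),
    keyscan_line("203.0.113.7", REUSED_KEY),
    keyscan_line("192.0.2.44", REUSED_KEY),
    keyscan_line("192.0.2.99", UNIQUE_KEY),
]

if __name__ == "__main__":
    for fp, hosts in shared_key_clusters(SAMPLE_KEYSCAN).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

In practice the input is real `ssh-keyscan -t ed25519,rsa <hosts>` output or a scan provider's export; the caveat is that a shared fingerprint only proves a shared key, so cloud images, hosting templates and honeypots that ship a baked-in host key must be excluded before treating a cluster as one operator's infrastructure.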
Resecurity warns that the Smishing Triad threat actor has “vastly expanded its attack footprint” in the United Arab Emirates (UAE). “The group typically sends out malicious text messages from iCloud accounts they have previously hijacked, while masquerading as reputable organizations like government agencies, financial institutions (FIs), and shipping firms. Smishing Triad is also offering its smishing kits for sale on Telegram to other cybercriminals.”
Secureworks has published a report on the financially motivated threat actor “Gold Melody,” which acts as an initial access broker for other cybercriminal groups. The threat actor “relies on web shells, built-in operating system utilities, and proprietary remote access trojans (RATs) and tunneling tools to facilitate its activity once inside a compromised environment.”
CyberSecurity Connect has reported that a ransomware gang, Ransomed.vc, claimed to have successfully hacked into Sony, gaining access to sensitive information the company holds. Outsiders who've seen the proof-of-hack Ransomed.vc offers are skeptical: the sample could be information culled from a variety of third-party sources rather than evidence of a compromise of Sony's own systems. Ransomed.vc is thought to be a new group, and seems to be both a direct ransomware operator and a player in the ransomware-as-a-service market, where it recruits criminal affiliates. BleepingComputer notes that another criminal actor, "MajorNelson," disputes credit with Ransomed.vc, claiming that it's in fact responsible. For more on the reported Sony compromise, see CyberWire Pro.
Unattributed APTs.
NSFOCUS Security Labs reports tracking a patient, persistent, low-profile APT that's impersonating the Red Cross to prospect its victims. The researchers call the threat group "AtlasCross." The researchers believe that AtlasCross shares no significant "attribution indicators" with other known threat groups. None of the usual markers, which NSFOCUS lists as "execution flow, attack technology stack, attack tools, implementation details, attack objectives, [and] behavior tendency," show any similarity to those employed by other actors, and the researchers offer no speculation about AtlasCross's allegiance. AtlasCross has compromised twelve servers, all of them in the United States and all of them hosted in Amazon's cloud. The compromised hosts are otherwise clean and unlikely to trip warnings or otherwise arouse suspicion. For more on the campaign, see CyberWire Pro.
Cisco Talos describes a new intrusion set, “ShroudedSnooper,” that’s targeting Middle Eastern telecommunications providers. The threat actor uses two implants, “HTTPSnoop” and “PipeSnoop.” Talos states, “Based on the HTTP URL patterns used in the implants, such as those mimicking Microsoft’s Exchange Web Services (EWS) platform, we assess that this threat actor likely exploits internet-facing servers and deploys HTTPSnoop to gain initial access.” The researchers add, “HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint.” The point for defenders is that an implant which registers URL patterns with the kernel-mode HTTP stack does not open a listening socket of its own: it can share the port already served by a legitimate IIS or Exchange instance, so a port-based inventory of the host will not reveal it, while the registered URLs and the process that owns them will. Talos says that the group's tactics, techniques, and procedures don't match any known groups, and so it is tracking the activity as a new intrusion set. The report notes, however, that state-sponsored groups, particularly groups operating on behalf of Iran and China, have recently shown a strong preference for attacking telecommunication providers, especially providers in the Middle East and Asia. For more on ShroudedSnooper, see CyberWire Pro.
Securonix is tracking a phishing campaign, which it calls STARK#VORTEX, targeting the Ukrainian military with malware-laden attachments posing as drone instruction manuals. The threat actor, which Securonix identifies with the group Ukraine's CERT-UA tracks as UAC-0154, uses maliciously altered Microsoft compiled help files (.chm) to deliver the malware. “The payload is an obfuscated binary that gets XOR’d and decoded to produce a beacon payload for MerlinAgent malware. Once the payload establishes communication back to its C2 server, the attackers would have full control over the victim host. While the attack chain is quite simple, the attackers leveraged some pretty complex TTPs and obfuscation methods in order to evade detection.” UAC-0154 remains unattributed, but whoever's behind it, they appear to be acting in the Russian interest.
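The XOR layer described above is the step an analyst has to undo to get at the beacon. The following added example is illustrative code written for this page, not Securonix's tooling and not a description of the actual STARK#VORTEX sample: it assumes a single-byte key and a Windows PE payload (both assumptions; the report does not state the key length) and recovers the key by checking for PE structure rather than trusting the "MZ" bytes alone, since any key equal to `blob[0] ^ 0x4D` would produce an "MZ" prefix by coincidence. The "payload" is a constructed header-only stand-in, not a real executable, and the routine generalizes to any 256 single-byte keys.

```python
import struct

DOS_STUB_MARKER = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte of data."""
    return bytes(b ^ key for b in data)


def looks_like_pe(candidate: bytes) -> bool:
    """Check the two structural anchors of a Windows PE image: the 'MZ' DOS
    header and a 'PE\\0\\0' signature at the offset stored in e_lfanew
    (DOS header offset 0x3C). Either check alone is too weak on its own."""
    if len(candidate) < 0x40 or candidate[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", candidate, 0x3C)[0]
    return candidate[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_single_byte_xor(blob: bytes):
    """Try all 256 single-byte keys and return (key, decoded) for the first
    candidate that is structurally a PE, or None if no key produces one."""
    for key in range(256):
        decoded = xor_bytes(blob, key)
        if looks_like_pe(decoded):
            return key, decoded
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for an obfuscated payload: only the DOS header,
    DOS stub and PE signature that the recovery routine relies on."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\t\xcd!\xb8\x01L\xcd!"
            + DOS_STUB_MARKER + b".\r\r\n$\x00")
    e_lfanew = 0x40 + len(stub)
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    return bytes(dos_header) + stub + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample: the fake PE obfuscated with an arbitrary key.
SAMPLE_KEY = 0x5A
SAMPLE_OBFUSCATED = xor_bytes(build_fake_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    result = recover_single_byte_xor(SAMPLE_OBFUSCATED)
    if result is None:
        print("no single-byte key yields a PE image")
    else:
        key, decoded = result
        print(f"key=0x{key:02x} stub marker present={DOS_STUB_MARKER in decoded}")
```

For a multi-byte repeating key the same known-plaintext idea applies, using the DOS stub string and the zero-filled regions of the header to recover each key byte by position; the single-byte search here is the simplest instance of that approach.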
SentinelOne describes “Sandman,” which targets telecommunication providers in the Middle East, Western Europe, and South Asia. Sandman uses a backdoor called “LuaDream,” which SentinelOne says “indicates a well-executed, maintained, and actively developed project of a considerable scale.” The researchers note, “At this time, we don’t have a consistent sense of attribution. LuaDream does not appear to be related to any known threat actors. While the development style is historically associated with a specific type of advanced threat actor, inconsistencies between the high-end development of the malware and poor segmentation practices lead us towards the possibility of a private contractor or mercenary group similar to Metador.”
Palo Alto Networks’ Unit 42 offered an account of an obscure threat actor, “Gelsemium,” targeting a Southeast Asian government. The campaign “featured a combination of rare tools and techniques that the threat actor leveraged to gain a clandestine foothold and collect intelligence from sensitive IIS servers belonging to a government entity in Southeast Asia.” The researchers also note that Gelsemium isn't alone: three separate clusters of cyberespionage activity have targeted “different governmental entities in the same country, including critical infrastructure, public healthcare institutions, public financial administrators and ministries.” Each cluster appears to be the work of a distinct threat actor.
Threat actors appear to target war crimes investigations.
Reuters reports that the International Criminal Court (ICC) disclosed a "cybersecurity incident." Not only the ICC's staff, but also lawyers for both victims and accused were affected. The ICC's brief statement, communicated in its X (formerly Twitter) channel, said that the Court detected "anomalous activity affecting its information systems," at which time "immediate measures were adopted to respond to this cybersecurity incident and to mitigate its impact." The ICC is investigating with the help of Netherlands authorities, but beyond that the Court has so far offered no further information. There's no attribution, but the most prominent cases before the ICC involve allegations of war crimes and crimes against humanity committed by Russia in the course of its invasion of Ukraine, and Russia has a complicated, fractious history with the ICC.
Yurii Shchyhol, head of the State Service of Special Communications and Information Protection of Ukraine (SSSCIP), said last Friday, in an interview with Reuters, that his organization has seen a distinct shift in the targets selected by Russian cyberespionage services. Two of Russia's major intelligence organs, the GRU and the FSB, had previously shown a distinct preference for collecting against Ukraine's electrical power infrastructure. They're now concentrating on Ukraine's law enforcement agencies, and specifically on the units charged with collecting and analyzing evidence of Russian war crimes.
This may represent the early stages of an attempt to destroy evidence and otherwise interfere with investigations. It's also possible that it amounts to a form of opposition research: collection undertaken with an eye to preparing disinformation campaigns that would be deployed to discredit otherwise credible allegations of war crimes.
The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.
More MOVEit-related data breaches are disclosed.
JD Supra reports that Sovos Compliance, LLC, has determined that six more of its clients may have had data exposed via exploitation of MOVEit file transfer software. These clients (UBS Financial Services Inc., Atlantic Shareholder Services, Patelco Credit Union, Bangor Savings Bank, Pan-American Life Insurance Group, Inc., and Celink) may have seen the names and Social Security numbers of their own customers accessed by unauthorized parties. The pattern is the one that has defined the MOVEit incident throughout: the affected organizations were not themselves running the vulnerable software, but had entrusted data to a vendor that was.
Children born in Ontario between 2010 and 2023 and their mothers may have had their personal information exposed in a Cl0p ransomware attack against the Better Outcomes Registry & Network (BORN), a provincial government agency in Ontario. BleepingComputer reports that up to 3.4 million people may have been affected.
A third organization, the National Student Clearinghouse, has also disclosed exposure. According to SecurityWeek, students at some nine hundred colleges and universities may have had their personal data exposed through the National Student Clearinghouse’s use of MOVEit. It was a data-theft extortion attack. For more details on these incidents, including reactions from industry experts, see CyberWire Pro.
The Cl0p ransomware gang, Palo Alto Networks' Unit 42 reports, has moved away from posting stolen files to a Tor dump site in favor of releasing them in torrents. It's a quicker way of moving large amounts of data, and thus a faster way of pressuring victims into paying extortion demands, but speed and convenience come, as they so often do, at the cost of operational security. Tor can be cumbersome, and Cl0p found it slowed down the gang's ability to leak data from the large number of victims it accumulated during exploitation of MOVEit vulnerabilities. The downside for Cl0p is that the gang's operations are now more susceptible to inspection: a torrent has to be seeded from somewhere, and the seeding hosts' addresses are visible to any peer that joins the swarm, whereas a Tor hidden service does not expose its hosting location. Unit 42 writes, "In this case, the result of this research is a handful of hosting servers out of Russia that hold enormous amounts of stolen victim data. We can expect much more to come in the following weeks."
Patch news.
Progress Software has pushed out fixes for its WS_FTP Server file transfer software. Two of the vulnerabilities addressed (CVE-2023-40044, a .NET deserialization flaw in the Ad Hoc Transfer module, and CVE-2023-42657, a directory traversal flaw) are rated "critical," and Progress urges customers to upgrade their systems. Rapid7 says that as of this Friday it had detected no exploitation of these vulnerabilities in the wild, but it seconds the advice to apply fixes as soon as possible. Given that the same vendor's MOVEit Transfer product was the vector for this summer's mass-exploitation campaign, internet-exposed file transfer servers deserve priority in any patch queue.
This week Apple issued patches for macOS Ventura 13.6, iOS 17.0.1 and iPadOS 17.0.1. Three vulnerabilities in all were patched, and Apple says they may have been actively exploited: CVE-2023-41993 in WebKit, which could permit arbitrary code execution when processing web content; CVE-2023-41992 in the kernel, which could permit a local attacker to elevate privileges; and CVE-2023-41991 in the Security framework, which could allow a malicious app to bypass signature validation. Together the three form the familiar shape of a full exploit chain (browser entry, sandbox or signature bypass, kernel privilege escalation), which is why all three should be treated as one patch rather than triaged separately.
CISA issued three advisories for vulnerabilities affecting Rockwell Automation PanelView 800, DEXMA DexGate, and Hitachi Energy’s RTU500 Series.
Google has updated its account of a vulnerability, and issued a patch to address exploitation in the wild. TechCrunch reports that what had formerly been perceived as a vulnerability in Chromium is in fact a problem with the open-source libwebp library that Chromium uses to decode WebP images. The distinction matters for patching: libwebp is bundled by a great many other applications (other browsers, messaging clients, and image-processing pipelines among them), each of which needs to ship its own rebuild against the fixed library, so updating Chrome alone does not close the exposure. For more on the vulnerability, see CyberWire Pro.
Crime and punishment.
At a Washington Post event on Tuesday, cyber experts and officials warned about the growing number of teenagers turning to cybercrime. Adolescent hackers have been behind several recent cyber attacks, including the casino incidents and the activities of the Lapsus$ gang, and some experts compare the way they’re indoctrinated online to the radicalization of terrorists. Deputy Attorney General Lisa Monaco sees "a phenomenon where quite literally juveniles and others here and abroad, have kind of limitless access to an online for-profit criminal ecosystem.” She said, “This juvenile hacking phenomenon is not unlike what we saw in the terrorism landscape, individuals radicalized online.” There are few measures in place to intervene in the criminalization. Monaco offered one possible approach: cracking down on the web fora where hacking tools are bought and sold.
Courts and torts.
Legal Dive offers a closer look at how the US Securities and Exchange Commission’s (SEC) newly instated cyber incident reporting rules will impact corporate executives. Determining materiality is key, as publicly traded companies are required to disclose cyber incidents within four business days of determining that an incident is material to the company. In practice CISOs are expected to drive this disclosure, which means they’re also on the hook for the materiality judgment behind it. Some CISOs are clearly worried, as evidenced by an increase in requests to be given additional liability protection as part of their jobs. For more on SEC reporting rules, see CyberWire Pro.
Policies, procurements, and agency equities.
Lieutenant General Tom Copinger-Symes, deputy commander of the United Kingdom’s Strategic Command, where he holds responsibility for the Ministry of Defence’s offensive and defensive cyber capabilities, told the Record in a long interview that his command has, on the strength of lessons learned from Russia's hybrid war against Ukraine, decided to adopt a hunt-forward strategy similar to that followed by US Cyber Command.
On Thursday US and UK officials reached an agreement regarding online data flows between the two countries. The handling of data transfers from the UK and EU to the US has been a point of contention for years, with several EU courts determining that the US does not have adequate protections in place to safeguard the data of Europeans. CyberScoop reports that an executive order issued by US President Joe Biden last year outlined a slate of surveillance reforms aimed at making the US’s data transfer policies more in line with those of the UK and EU, and in July the European Commission reached a data flow agreement with the US.
On Monday the US Cybersecurity and Infrastructure Security Agency (CISA) released its Hardware Bill of Materials Framework (HBOM) for Supply Chain Risk Management. Created by the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force, the document provides guidelines by which tech manufacturers can clearly communicate with buyers about the hardware components of their products. For more on the Framework, see CyberWire Pro.
Jessica Rosenworcel, chair of the US Federal Communications Commission (FCC) announced plans this week to restore net neutrality rules that were established in 2015 but rescinded during the Trump Administration. Net neutrality would, the FCC said in a factsheet, "establish basic rules for Internet Service Providers that prevent them from blocking legal content, throttling your speeds, and creating fast lanes that favor those who can pay for access."
Fortunes of commerce.
MGM Resorts reported that customer-facing operations had returned to normal ten days after the casino operator sustained a ransomware attack. Cybernews reports, however, that employees complained of having to rely on manual backups as familiar automated systems remain imperfectly available. The employees themselves are also said to have expressed concern about the possible exposure of their own personal data in the incident.
Reuters describes Scattered Spider, the gang at the center of the recent ransomware attacks against casino operators, as careful in its research into potential victims, fluent in English, and relentless in its pursuit of its chosen targets. Its members are believed to be young, for the most part 17 to 22 years old. Okta thinks their activities show they've studied its product (perhaps even taken Okta's online training), which fits a group whose preferred entry is social engineering of help desks and identity providers rather than software exploitation. Mandiant says they've engaged in swatting (making bogus 911 calls reporting phony active threats designed to send police SWAT teams to innocent homes). And their motivation is complex, at least as interested in cachet as cash. Mandiant founder Kevin Mandia said, "I don’t even think these intrusions are about money. I think they’re about power, influence and notoriety. That makes it harder to respond to." Scattered Spider and ALPHV seem to be entangled in an affiliate relationship. For more on the incidents at Caesars and MGM Resorts, see CyberWire Pro.
The cyberattack that disrupted operations at Clorox was among the first major incidents to fall under the US Securities and Exchange Commission (SEC) rules that went into effect on September 5th. (Compliance dates for mandatory reporting are somewhat later, falling for most companies in December. "The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023," the SEC explained.) The Wall Street Journal reviews how the company has responded publicly to the incident. Clorox has issued six statements, including two Forms 8-K, since the incident was disclosed on August 14th, shortly after it was detected. There are at least two challenges: keeping reporting current as an investigation unfolds ("A stream of 8-Ks will be the new norm,” one expert told the Journal), and determining whether an incident has a material impact on a public company.
The MGM and Caesars incidents also offer lessons in compliance. These two companies face an additional regulatory burden, Dark Reading points out, in the form of oversight by the Nevada Gaming Control Board, whose Regulation 5.260 requires "covered entities" (including casino operators) to establish effective cybersecurity measures. In the event of an incident "resulting in a material loss of control, compromise, unauthorized disclosure of data or information, or any other similar occurrence," a casino operator must disclose the incident to the Board within seventy-two hours and undertake both investigation and remediation of the incident. That clock is considerably tighter than the SEC's four business days, and it starts from the occurrence rather than from a materiality determination, so a covered operator's incident response plan needs to account for both.
Zero-trust security firm Xage Security has secured a $17 million five-year contract with US Space Force to protect Space Systems Command networks, SpaceNews reports.
Mergers and acquisitions.
Cisco is acquiring Splunk for approximately $28 billion.
Calcalist reports that Palo Alto Networks is in advanced negotiations to acquire Israeli secure enterprise browser provider Talon Cyber Security for $600 million.
Arlington Capital Partners has agreed to acquire secure business collaboration provider Exostar from Thoma Bravo for an undisclosed amount.
Seattle-based unified cybersecurity platform provider WatchGuard has acquired Massachusetts-headquartered cloud and network threat detection and response firm CyGlass Technology Services.
UK-headquartered identity and access management firm ProofID has acquired Texas-based identity governance and administration integrator Regatta Solutions Group.
Investments and exits.
Israeli SASE provider Cato Networks has raised $238 million in a financing round led by Lightspeed Venture Partners, with participation from Adams Street Partners, SoftBank Vision Fund 2, Sixty Degree Capital, and Singtel Innov8. The funding brings the company's valuation to more than $3 billion.
Israeli zero-instrumentation production intelligence startup Senser has emerged from stealth with $9.5 million in seed funding from Eclipse, with participation by Amdocs and other private investors.
And security innovation.
CrowdStrike has "announced the launch of an equity free Amazon Web Services (AWS) & CrowdStrike Cybersecurity Startup Accelerator for EMEA-based startups." The company stated, "Created to foster and fuel cybersecurity’s next market-defining disruptors, the new AWS & CrowdStrike Cybersecurity Startup Accelerator cohort, will offer customized mentorship, technical expertise, and partnership opportunities, as part of AWS Startup Loft Accelerator (SLA) program. High-potential early-stage cybersecurity companies could also get funding from CrowdStrike’s strategic investment vehicle, the CrowdStrike Falcon Fund."