By the CyberWire staff
At a glance.
- NSA and CISA release a list of the ten most common misconfigurations.
- Identity and access management guidelines from CISA and NSA.
- The Predator Files.
- Double-tapping ransomware.
- Exim mail servers exposed to attack.
- North Korea's Lazarus Group targets Spanish aerospace firm.
- EvilProxy phishes for executives.
- Typosquatting to deliver a rootkit.
- BADBOX puts malware into the device supply chain.
NSA and CISA release a list of the ten most common misconfigurations.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) released a list of the ten most common and troublesome misconfigurations: "1. Default configurations of software and applications 2. Improper separation of user/administrator privilege 3. Insufficient internal network monitoring 4. Lack of network segmentation 5. Poor patch management 6. Bypass of system access controls 7. Weak or misconfigured multifactor authentication (MFA) methods 8. Insufficient access control lists (ACLs) on network shares and services 9. Poor credential hygiene 10. Unrestricted code execution." The report includes an extensive account of the consequences of each misconfiguration, and also guidance on how to configure systems so as to avoid them.
Identity and access management guidelines from CISA and NSA.
CISA and NSA have also released guidance on addressing challenges related to identity and access management, Nextgov reports. The guidance focuses on “technology gaps that limit the adoption and secure employment of multifactor authentication (MFA) and single sign-on (SSO) technologies within organizations.”
The agencies offer the following recommendations for organizations to address the tradeoff between SSO functionality and complexity:
- “Research into the development of a secure-by-default, easy to use, SSO system to address these gaps in the market. For example: Relying Party vendors could provide security configuration recommendations and their impact. Additionally, management of lifetime tokens such as ID token, Access Token, and Refresh Token should come with a reasonable secure default value which prevents abuse scenarios.
- “IAM Vendors can aid in the detection of insecure implementations of identity federation protocols and work with the ecosystem to build awareness around these issues as well as improve the adoption of more secure uses of standards.”
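The token-lifetime recommendation above is the one a developer can act on directly. The following Python example is added here and is not code from the CISA/NSA guidance; it uses a minimal HMAC-signed token rather than a JWT library so that the expiry and refresh-rotation logic is visible end to end. The signing key, the policy dictionaries and the 15-minute access / 8-hour refresh lifetimes are assumptions chosen for illustration, not values the guidance prescribes.

```python
"""Access/refresh token lifetimes: a weak default beside a secure default.

Added example, not the CISA/NSA guidance's code. The WEAK_POLICY issues tokens
that never expire and refresh tokens that can be replayed forever; the
SECURE_POLICY bounds both lifetimes and makes each refresh token single-use.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SECRET = b"constructed-demo-key"  # assumption: production loads this from a secret store

# Lifetimes are in seconds; None means "no expiry" (the abuse scenario the guidance warns about).
WEAK_POLICY = {"access_ttl": None, "refresh_ttl": None, "rotate_refresh": False}
SECURE_POLICY = {"access_ttl": 15 * 60, "refresh_ttl": 8 * 3600, "rotate_refresh": True}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(claims: dict, ttl: Optional[int], now: Optional[float] = None) -> str:
    """Serialise the claims (plus iat and, if ttl is set, exp) and sign with HMAC-SHA256."""
    now = time.time() if now is None else now
    body = dict(claims, iat=int(now))
    if ttl is not None:
        body["exp"] = int(now) + ttl
    payload = _b64(json.dumps(body, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    return payload + "." + sig


def verify(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    payload, sig = parts
    expected = _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(_unb64(payload))
    if "exp" in claims and now >= claims["exp"]:
        return None  # a token with no exp claim (weak policy) never reaches this branch
    return claims


class TokenService:
    """Issues an access/refresh pair and handles refresh under a given policy."""

    def __init__(self, policy: dict):
        self.policy = policy
        self.revoked_refresh = set()  # refresh tokens already rotated (single-use)

    def login(self, subject: str, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        return {
            "access": issue({"sub": subject, "typ": "access"}, self.policy["access_ttl"], now),
            "refresh": issue({"sub": subject, "typ": "refresh", "jti": secrets.token_hex(8)},
                             self.policy["refresh_ttl"], now),
        }

    def refresh(self, refresh_token: str, now: Optional[float] = None) -> Optional[dict]:
        """Exchange a refresh token for a new pair; reject expired, foreign or replayed tokens."""
        now = time.time() if now is None else now
        claims = verify(refresh_token, now)
        if claims is None or claims.get("typ") != "refresh":
            return None
        if refresh_token in self.revoked_refresh:
            return None  # replay of a refresh token that has already been rotated
        if self.policy["rotate_refresh"]:
            self.revoked_refresh.add(refresh_token)
        return self.login(claims["sub"], now)
```

Under the weak policy a stolen access token is valid indefinitely and a stolen refresh token can be replayed at will; under the secure policy the access token dies after fifteen minutes, a refresh token is accepted once, and a second use of the same refresh token is a signal worth alerting on, since it means either the legitimate client or an attacker is holding a copy.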
For more on these IAM guidelines, see CyberWire Pro.
The Predator Files.
NSO Group's Pegasus intercept tool has attracted the most public attention, but one of its competitors in the spyware market, Predator, may have seen even wider and potentially more disturbing distribution. The EIC (European Investigative Collaborations, a journalistic consortium) reports that "European companies have been funding and selling cyber-surveillance tools to dictators for more than a decade with the passive complicity of many European governments. The preliminary peak of surveillance excesses was most recently reached by the Intellexa Alliance - an association of several European companies through which Predator software was supplied to authoritarian states. Activists, journalists, and academics have been targeted, as have European and U.S. officials."
Double-tapping ransomware.
The US Federal Bureau of Investigation (FBI) has issued a Private Industry Notification outlining emerging trends in ransomware attacks, including “multiple ransomware attacks on the same victim in close date proximity and new data destruction tactics in ransomware attacks.” The Bureau notes, “This use of dual ransomware variants resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments. Second ransomware attacks against an already compromised system could significantly harm victim entities.” Ransomware variants involved in these attacks include AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal.
Exim mail servers exposed to attack.
BleepingComputer reports that millions of Exim mail servers are exposed to a zero-day flaw that can allow an unauthenticated attacker to perform remote code execution. According to Trend Micro’s Zero Day Initiative (ZDI), “The specific flaw exists within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer. An attacker can leverage this vulnerability to execute code in the context of the service account.” ZDI notes, “Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.”
BleepingComputer says that more than 3.5 million Exim servers are currently exposed to the Internet.
Iran's OilRig deploys Menorah malware against Saudi targets.
Trend Micro says the Iran-aligned threat actor APT34 (also known as “OilRig” or “Helix Kitten”) is using a new strain of malware called “Menorah” to conduct cyberespionage. The researchers observed the malware delivered via a spearphishing attack that targeted a Saudi Arabian entity. Menorah appears to be a new variant of the SideTwist backdoor: “The .NET-written malware delivered through the malicious document is primarily deployed for cyberespionage and possesses multifaceted capabilities. The malware can fingerprint the targeted machine, list directories and files, upload selected files from the compromised system, execute shell commands, and download files to the system. Compared to the previous variant of SideTwist, the new variant has more functions to hash the traffic to the command and control (C&C) server and make it stealthier to avoid detection.”
North Korea's Lazarus Group targets Spanish aerospace firm.
ESET warns that North Korea’s Lazarus Group targeted employees of a Spanish aerospace company by posing as job recruiters and sending Trojanized coding challenges: “The fake recruiter contacted the victim via LinkedIn Messaging, a feature within the LinkedIn professional social networking platform, and sent two coding challenges required as part of a hiring process, which the victim downloaded and executed on a company device.”
The challenges were used to deliver a new remote access Trojan called “LightlessCan,” which ESET says “represents a significant advancement compared to its predecessor, BlindingCan.”
EvilProxy phishes for executives.
Researchers at Menlo Security warn that a phishing campaign is exploiting an open-redirect vulnerability on the job listing site Indeed to distribute a link to a spoofed Microsoft login page. The campaign is targeting C-suite employees in various industries, particularly banking and financial services, insurance, property management and real estate, and manufacturing. The threat actors are using the EvilProxy phishing-as-a-service platform. For more on EvilProxy, see CyberWire Pro.
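The open-redirect weakness the campaign relies on comes from a redirect handler that trusts its destination parameter. The Python example below is added here; it is not Indeed's code and does not reproduce the specific flaw Menlo Security reported, only the general pattern and a fix. The host name and allowlist are constructed for the demo.

```python
"""Open redirect: the vulnerable handler beside a hardened one.

Added example, not Indeed's code. redirect_target_weak() returns whatever the
attacker put in the 'next' parameter, which is what lets a link on a trusted
domain bounce the victim to a phishing page. redirect_target_safe() only ever
returns a path on our own host.
"""
from urllib.parse import urljoin, urlparse

OUR_HOST = "jobs.example"                      # assumption: the site issuing the redirect
ALLOWED_HOSTS = {OUR_HOST, "www." + OUR_HOST}  # assumption: hosts we are willing to send users to


def redirect_target_weak(next_param: str) -> str:
    """Vulnerable pattern: the 'next' parameter becomes the Location header verbatim."""
    return next_param


def redirect_target_safe(next_param: str, default: str = "/") -> str:
    """Hardened: return a same-site path, or `default` for anything else.

    Covers the common bypasses: absolute URLs to other hosts, scheme-relative
    '//evil', backslash and triple-slash variants, userinfo tricks ('ours@evil'),
    and non-http schemes such as javascript:.
    """
    if not next_param:
        return default
    # Browsers strip tabs/newlines and treat backslashes as slashes; mirror that first.
    candidate = "".join(c for c in next_param if c not in "\t\r\n").strip().replace("\\", "/")
    if candidate.startswith("//"):
        return default  # scheme-relative URL: resolves to a foreign host in every browser
    # Resolve against our own origin, then check what host the result actually points at.
    parsed = urlparse(urljoin("https://" + OUR_HOST + "/", candidate))
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_HOSTS:
        return default
    # Rebuild from path and query only, so no authority component can come back in.
    path = parsed.path or "/"
    if not path.startswith("/"):
        path = "/" + path
    return path + ("?" + parsed.query if parsed.query else "")
```

The important design choice is the last step: rather than trying to reject bad input, the safe version discards everything except the path and query of the resolved URL, so the response can only ever send the browser somewhere on the allowlisted hosts.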
Typosquatting to deliver a rootkit.
ReversingLabs has discovered a typosquatting campaign affecting the JavaScript package manager npm. The malicious package “node-hide-console-windows” impersonated the legitimate package “node-hide-console-window,” and was downloaded more than seven-hundred times. The package installed a Discord bot, DiscordRAT 2.0, designed to deliver the open source rootkit r77.
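The malicious name differs from the legitimate one by a single appended character, which is exactly the kind of near-miss an edit-distance check catches before install. The Python example below is added here and is not ReversingLabs' tooling; the list of known packages is constructed for the demo, and in practice it would be fed from a lockfile or a list of the most-downloaded packages.

```python
"""Flag dependency names that are one typo away from a known package.

Added example, not ReversingLabs' code. KNOWN_PACKAGES is a constructed list;
the first entry is the legitimate package impersonated in the campaign.
"""

KNOWN_PACKAGES = ["node-hide-console-window", "lodash", "express", "chalk", "react"]


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions, transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete
                          d[i][j - 1] + 1,          # insert
                          d[i - 1][j - 1] + cost)   # substitute
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transpose adjacent chars
    return d[len(a)][len(b)]


def normalise(name: str) -> str:
    """Collapse the case and separator variations attackers play with."""
    name = name.lower()
    if name.startswith("@"):  # scoped package: compare on the bare name
        name = name.split("/", 1)[-1]
    return name.replace("_", "-").replace(".", "-")


def typosquat_candidates(name, known=KNOWN_PACKAGES, max_distance=1):
    """Return [(known_package, distance), ...] that `name` is suspiciously close to.

    An exact match with a known package is not a typosquat, so it yields [].
    """
    n = normalise(name)
    hits = []
    for k in known:
        kn = normalise(k)
        if n == kn:
            return []
        dist = damerau_levenshtein(n, kn)
        if dist <= max_distance:
            hits.append((k, dist))
    return sorted(hits, key=lambda h: h[1])


def audit(dependencies, known=KNOWN_PACKAGES):
    """Audit a dependency list; returns {suspicious_name: [(lookalike, distance), ...]}."""
    findings = {}
    for dep in dependencies:
        hits = typosquat_candidates(dep, known)
        if hits:
            findings[dep] = hits
    return findings
```

A distance threshold of one catches the appended-letter, dropped-letter and swapped-letter cases; raising it to two for long names catches more but also produces more noise, so the finding should gate a review rather than block an install outright.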
BADBOX puts malware into the device supply chain.
Security firm HUMAN has disrupted “a key monetization mechanism of a sophisticated series of cybercriminal operations involving backdoored off-brand mobile and CTV Android devices, sold to end users through major retailers originating from repackaging factories in China.” The campaign, “BADBOX,” uses the Triada malware “to steal personally identifiable information, establish residential proxy exit peers, steal one-time passwords, create fake messaging and email accounts, and other unique fraud schemes.” HUMAN worked with Google and Apple to disrupt the ad fraud portion of BADBOX, dubbed “PEACHPIT.” Additionally, the researchers “shared information about the facilities at which some BADBOX-infected devices were created with law enforcement, including information about the organizations and individual threat actors believed to be responsible for the PEACHPIT operation.” For more on BADBOX, see CyberWire Pro.
Patch news.
Apple has patched two serious vulnerabilities affecting iOS and iPadOS, SecurityWeek reports. Apple says one of the flaws, CVE-2023-42824, a privilege escalation vulnerability affecting the kernel, “may have been actively exploited against versions of iOS before iOS 16.6.” SecurityWeek notes that this is “the 16th documented in-the-wild zero-day against Apple’s iOS, iPadOS and macOS-powered devices.”
The other flaw, CVE-2023-5217, is a buffer overflow vulnerability affecting WebRTC that could enable remote code execution. This vulnerability involves a problem with the libvpx video codec library. BleepingComputer writes, "The libvpx bug was previously patched by Google in the Chrome web browser and by Microsoft in its Edge, Teams, and Skype products."
Crime and punishment.
Last week French citizen Sebastien Raoult, nom-de-hack Sezyo Kaizen, a member of the ShinyHunters gang, pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft. The US Department of Justice explained, "Raoult and his co-conspirators hacked into protected computers of corporate entities for the theft of confidential information and customer records, including personally identifiable information and financial information.” Specifically, Raoult helped create websites spoofing login pages belonging to legitimate businesses, then sent phishing emails to company employees with links to those fake login sites. BleepingComputer reports that the hackers then used the harvested credentials to break into victims’ accounts and steal company data. They then sold data belonging to over sixty companies on the dark web and, in some cases, extorted the affected firms, demanding a ransom payment to not publicly leak the stolen information. Their activities cost victims more than $6 million.
Policies, procurements, and agency equities.
Two officials of the International Committee of the Red Cross (ICRC) have issued guidance for hacktivists, published as an essay in the European Journal of International Law. The rules extend existing international norms of armed conflict to cyberspace, with a view to preserving norms that would protect noncombatants, not only against attacks on infrastructure, but also against online incitement to atrocity. Certain specific classes of targets are explicitly prohibited, notably medical and humanitarian facilities. While hacktivism has so far seldom if ever risen above the level of a nuisance in Russia's war against Ukraine, that could change. An essay in Dark Reading lays out a case for taking the threat seriously, despite its negligible results to date. Groups like KillNet are taking a new interest in wiper malware, and they increasingly imagine themselves as a virtual analogue of private military companies like the Wagner Group. For more on hacktivism and international humanitarian law, see CyberWire Pro.
The US Congress avoided a government shutdown last Saturday with the eleventh-hour passage of a continuing resolution that will keep the government operating for another forty-five days, by which time Congress hopes to have passed the budget for Fiscal Year 2024. Fiscal Year 2024 begins on October 1st. The government would face another shutdown in the middle of November if a budget isn’t passed by then, so it’s worth keeping the implications of the continuing resolution in mind over the coming weeks. For a discussion of the implications a shutdown might have for cybersecurity, see CyberWire Pro.
A redacted version of a report by the Office of the Inspector General at the Department of Homeland Security has been released. The IG was looking into the Transportation Security Administration’s (TSA’s) formulation and enforcement of pipeline security regulations after the May 2021 ransomware attack against Colonial Pipeline. The IG found that TSA, while it properly worked with stakeholders to develop the rules, didn’t effectively follow up to track compliance. The IG made three recommendations, all of them procedural enhancements designed to ensure proper oversight of operator compliance. TSA has concurred with the IG’s report and its recommendations.
Another Homeland Security Inspector General (IG) report found that three of the Department's agencies--Customs and Border Protection, Immigration and Customs Enforcement, and the Secret Service--"did not adhere to Department privacy policies or develop sufficient policies before procuring and using commercial telemetry data." The data the agencies purchased included mobile device geolocation information, and the IG found that they hadn't prepared to preserve the privacy of the individuals whose data they purchased.
Russia's Duma is considering expanding the FSB's domestic surveillance remit to conduct more extensive monitoring of Russian Internet, banking, and telecommunications company users, the ISW reported. The surveillance would extend beyond simple intrusion and monitoring, and would amount to full control of databases, with the FSB authorized to remotely access, edit, and delete information in Russian private businesses’ databases. The Russian tech sector, including Yandex, opposes the measure on the grounds that FSB activities would render data less secure.
The Institute for the Study of War, citing the independent Belarusian media outlet Vot Tak, reports that Russian First Deputy Presidential Chief of Staff Sergey Kiriyenko had engaged the not-for-profit organization Dialog to categorize Russian Internet users, the better to tailor its messaging to their beliefs, interests, and dispositions. The categories, developed from both user data and information from government agencies, classify users by "profession, interests, and political beliefs and specifically orients false news about the war in Ukraine and pro-war narratives toward Russian military personnel, relatives of military personnel, and civil servants." And Dialog also sorts users as "loyal" or "disloyal." The classification and subsequent targeting seems to derive from Dialog's inability to develop "unified and clear narratives" that would appeal to the Russian public as a whole. Targeted messaging could also serve to promote self-censorship.
The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.
October is Cybersecurity Awareness Month, and this year the US Cybersecurity and Infrastructure Security Agency (CISA) has announced a theme: “Secure Our World.” As CISA explains, “Not only will Secure Our World remain a consistent theme for every Cybersecurity Awareness Month in the future, but it will also launch as CISA’s new cybersecurity awareness program.”
The President and Congress first declared October Cybersecurity Awareness Month in 2004, meaning this year marks its 20th anniversary. In honor of this milestone, the National Institute of Standards and Technology (NIST) has shared a timeline summarizing the history of the agency’s cybersecurity program. NIST will also be offering a blog series covering various topics of interest, and hosting events throughout the month including a Block Cipher Modes of Operation workshop, a social media challenge, and Cybersecurity Career Week. The first entry in NIST's blog series addresses the first week's theme: "enabling multifactor authentication." For more on Cybersecurity Awareness Month, including advice and commentary from industry experts, see CyberWire Pro.
Fortunes of commerce.
Network security company IronNet has officially shuttered its operations and terminated all of its employees, SecurityWeek reports. The company is pursuing a Chapter 7 bankruptcy filing.
Moody's has published a survey looking at cybersecurity practices around the world, finding that cybersecurity budgets have increased by 70% since 2019.
Scattered Spider, the ALPHV-affiliated gang associated with the ransomware incidents at MGM Resorts and Caesars Entertainment, is now believed, Bloomberg reports, to have also been responsible for the cyberattack against Clorox. The company has been concerned about the effect of the attack on its business, since production of several product lines was interrupted during the incident. Clorox warned, the Wall Street Journal writes, that the incident caused sales to fall between 23% and 28% for the quarter that closed on September 30th. The company will also show a loss for the quarter; it had projected roughly $150 million in profit. Thus the cyberattack was clearly material under any construal of the SEC's new reporting regulations.
Mergers and acquisitions.
TechCrunch reports that Palo Alto Networks is in advanced talks to acquire secure enterprise browser provider Talon Cyber Security for between $600 million and $700 million, as well as cloud data security firm Dig Security for between $300 million and $400 million. Both startups are based in Israel. TechCrunch notes, "Both startups are less than three years old, and in both cases these would be strong outcomes compared to their existing valuations."
TPG has completed its acquisition of Forcepoint's Global Governments and Critical Infrastructure cybersecurity business from Francisco Partners. TPG stated, "The transaction separates Forcepoint’s G2CI and Commercial businesses and marks Forcepoint G2CI’s next chapter as an independent company with the flexibility and resources to grow its platform as a comprehensive, next-generation cybersecurity provider for the defense, intelligence, and critical national infrastructure industries. TPG acquired the business through TPG Capital, its large-scale U.S. and European private equity platform." Forcepoint G2CI President Sean Berg will serve as CEO of the new company.
Investments and exits.
Palo Alto, California-based Nexusflow, a company that uses generative AI to wrangle cybersecurity data, has raised $10.6 million in a seed funding round led by Point72 Ventures, with participation from Fusion Fund. According to TechCrunch, the company will put the funding toward "hiring, R&D, and ongoing product development."