At a glance.
- The FAA attributes its January NOTAM outage to a contractor error.
- Gamer alert.
- Iranian threat actors reported active against a range of targets.
- UK's NCSC warns of increased risk of Russian and Iranian social engineering attacks.
- This week's trends and reports.
- Threat actor movements observed and reported over the week.
- Latest developments in the hybrid war.
- Patch news.
- Crime and punishment.
- Courts and torts.
- Policies, procurements, and agency equities.
- Business news.
- Research developments.
The FAA attributes this month's NOTAM outage to a contractor error.
The Wall Street Journal reported late last week that the FAA has traced the cause of this month's NOTAM outage to an error committed by IT contractors during synchronization of backup files. "The Federal Aviation Administration said Thursday that a contractor working for the air-safety regulator had unintentionally deleted computer files used in a pilot-alert system, leading to an outage that disrupted U.S. air traffic last week," the Journal wrote. "The agency, which declined to identify the contractor, said its personnel were working to correctly synchronize two databases—a main one and a backup—used for the alert system when the files were unintentionally deleted." For more on the NOTAM outage, see CyberWire Pro.
Gamer alert.
RockPaperShotgun reports chatter that modders are abusing remote code cheats to alter opponents' stats and disable accounts in Rockstar Games' Grand Theft Auto. That's not the only case being reported. In an unrelated incident, Dot Esports says that Riot Games has sustained a social engineering attack that affected systems in its development environment. The attack preceded the "start of various leagues in the League of Legends esports circuit." Gamerant reports that Riot Games may delay issuing updates as a consequence.
Iranian threat actors reported active against a range of targets.
Malicious activity by Iranian threat actors continues, and the targets appear to be in Australia and Israel. ABC Australia reported Tuesday that cyberattacks targeting Australian organizations for data extortion, believed to be the work of Iranian Revolutionary Guard-affiliated actors, were described in a tabled parliamentary report.
In other campaigns, Secureworks Counter Threat Unit has also analyzed the activities of the Moses Staff and Abraham’s Ax personae, active since September 2021 and November 2022, respectively. Commonalities between attributes of the hacktivists fuel researchers’ beliefs that they are operated by the same entity. The researchers believe both personae are operated under the umbrella of the Iranian COBALT SAPLING threat group. COBALT SAPLING emerged in October 2021, according to Secureworks, as a pro-Palestinian hacktivist group targeting Israeli entities.
UK's NCSC warns of increased risk of Russian and Iranian social engineering attacks.
The UK's National Cyber Security Centre (NCSC) warned this week that Russian and Iranian intelligence services are increasing their phishing attempts. "The Russia-based SEABORGIUM (Callisto Group/TA446/COLDRIVER/TAG-53) and Iran-based TA453 (APT42/Charming Kitten/Yellow Garuda/ITG18) actors continue to successfully use spear-phishing attacks against targeted organisations and individuals in the UK, and other areas of interest, for information gathering activity." The campaigns are selective and highly targeted, prospecting people who work in academic, defense, and governmental organisations, in NGOs, and think-tanks, as well as politicians, journalists and activists. The campaigns are independent and not coordinated. Both efforts use open-source intelligence during their reconnaissance phase, impersonate well-known figures in a field of interest to the targets, and employ official-looking documents as their phishbait. They're both espionage campaigns engaged in collecting information. Their immediate goal is development of rapport with the target and eventually credential theft that might enable further social-engineering campaigns. Computing reports that the ultimate goal of the collection seems to be the gathering of compromising material that could later be used to recruit the targets.
This week's trends and reports.
Dynatrace has published a study looking at the challenges of maintaining security during DevOps processes. The survey of 1,300 CIOs and senior DevOps managers found that over a third (34%) of respondents are forced to sacrifice code security to keep up with the demand for faster innovation. The report outlines the following findings:
- “90% of organizations say digital transformation has accelerated in the past 12 months.
- “78% of organizations deploy software updates into production every 12 hours or less, and 54% say they do so at least once every two hours.
- “DevOps teams spend nearly a third (31%) of their time on manual tasks involving detecting code quality issues and vulnerabilities, reducing the time spent on innovation.
- “55% of organizations make tradeoffs between quality, security, and user experience to meet the need for rapid transformation.
- “88% of CIOs say the convergence of observability and security practices will be critical to building a DevSecOps culture, and 90% say increasing the use of AIOps will be key to scaling up these practices.”
For more on the tension between security and innovation, see CyberWire Pro.
BlackBerry has released its Quarterly Threat Intelligence Report for Q4 2022, looking at various threats facing desktop and mobile devices. The researchers note that while macOS is often viewed as being more secure than other operating systems, users frequently install malicious or unwanted software on their Apple devices: “During the 90-day reporting period, the malicious application Dock2Master was the most-seen threat on macOS: BlackBerry researchers noted that a whopping 34 percent of client organizations using macOS had Dock2Master on their network, where it was found on 26 percent of their devices.” And Windows systems have their characteristic threats, too: BlackBerry found that RedLine was the most active infostealer targeting Windows systems. For more on BlackBerry's report, see CyberWire Pro.
Akamai Wednesday morning released research detailing their analysis of a critical spoofing vulnerability, CVE-2022-34689, affecting Windows CryptoAPI. The vulnerability allows malicious actors to feign a genuine entity’s identity and perform certain actions. According to Microsoft, this vulnerability allows attackers to “spoof their identity and perform actions such as authentication or code signing as the targeted certificate.” CryptoAPI is the primary Windows API handling cryptography, particularly certificates. Akamai says exploitation has two primary steps: in the first, malicious actors take a “legitimate certificate, modify it, and serve the modified version to the victim,” researchers explain. “The second phase involves creating a new certificate whose MD5 collides with the modified legitimate certificate, and using the new certificate to spoof the identity of the original certificate’s subject.” The vulnerability, although rated critical, was only given a CVSS score of 7.5. Researchers attribute that rating to “the limited scope of vulnerable applications and Windows components in which the vulnerability prerequisites are met.” For more on the CryptoAPI vulnerability, see CyberWire Pro.
Foundry Thursday released their annual State of the CIO report, analyzing CIO attitudes toward finances, the evolution of the CIO role, and the anticipated initiatives in focus in the coming year. They think that economic instability may not spell an end to tech budget increases. The research details the continued optimism shared among CIOs in terms of finances in 2023, with over half of those surveyed (56%) expecting increased budgets despite the state of the economy. The reasons given for budget increases include the “need for security improvements (40%), need to upgrade outdated IT infrastructure (38%), application modernization (38%), investments in new skills and talent (36%) and product innovation (27%)”. Over half of respondents (59%) report that the CIO has a budget of their own in their company, separate from the IT budget. For more on security trends as seen by CIOs, see CyberWire Pro.
Cisco this week released their 2023 Data Privacy Benchmark Study, which examines privacy and its impact on organizations from the perspectives of security professionals worldwide. The study details continued strong investments in privacy despite the global economic downturn, reporting an increase from $1.2 million three years ago to $2.7 million today. Organizations believe these are worthwhile investments, listing "building trust with customers, reducing sales delays, or mitigating losses from data breaches" among the “significant” or “very significant” benefits of these expenditures. The benefits are estimated to be valued at around 1.8 times what organizations are spending, with a whopping 94% of those surveyed indicating that the value of the investments outweighs the costs overall. 79% of surveyed professionals believe that regional privacy laws have been a positive influence, with privacy legislation present in 157 countries (twelve more than last year). A majority of respondents (88%) reported more comfort in storing their data within their own country's borders; in practice, however, once factors such as cost and security are considered, professionals gravitate toward globalized providers. The bulk of respondents (90%) did report a belief that a global provider operating at scale would be better suited for data protection than local options.
Google’s Threat Analysis Group (TAG) has released a report outlining its efforts to disrupt the massive spam network DRAGONBRIDGE. DRAGONBRIDGE is a China-based influence network that uses hundreds of thousands of accounts across several platforms. The researchers note that most of the network’s posts are “low quality content without a political message, populated across many channels and blogs.” TAG has taken down more than 100,000 of the network’s accounts. The network hasn't been particularly effective, drawing little engagement and sending out a lot of hastily produced nonsense. For more on DRAGONBRIDGE, see CyberWire Pro.
Threat actor movements observed and reported over the week.
Bitdefender has observed an increase in attacks using ProxyNotShell and OWASSRF exploit chains to target Microsoft Exchange servers. ProxyNotShell and OWASSRF are exploit chains that use CVE-2022-41080 and CVE-2022-41082 to launch server-side request forgery (SSRF) against Exchange servers. These exploits can allow an authenticated user to escalate access and carry out remote code execution. BleepingComputer reported earlier this month that more than 60,000 Exchange servers are still vulnerable to these attacks. Bitdefender describes several recent attacks using these exploit chains, including one by the Cuba ransomware operation. Bitdefender notes that most of these attacks targeted entities in the United States, along with companies in Poland, Austria, Kuwait, and Turkey. For more on these attacks, see CyberWire Pro.
Securonix describes an attack campaign that’s using a Python-based remote access Trojan dubbed “PY#RATION.” Securonix observed the first version of PY#RATION in August 2022, and the malware has been updated several times since. The RAT is distributed via phishing emails written in English containing malicious ZIP files. The ZIP files contain LNK files disguised as JPG images showing a UK driver’s license. The researchers believe the campaign is targeting users in the UK or other English-speaking countries. After installation, the malware can carry out a wide variety of malicious activities associated with other RATs, such as keylogging and data theft. For more on PY#RATION, see CyberWire Pro.
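The lure described above, a ZIP whose contents are LNK shortcuts posing as JPG images, is easy to screen for at the mail gateway. The following detector is an added example (not Securonix's code, and not derived from the campaign's samples); the archive it inspects is constructed inline, and it flags entries by extension, by image-plus-.lnk double extension, and by the LNK header magic regardless of the declared file name.

```python
"""Flag ZIP attachments whose entries are Windows shortcut (LNK) files posing
as images, the lure pattern described for PY#RATION. The sample archive below is
constructed here for illustration; it is not from the campaign."""
import io
import zipfile

# Every .lnk file starts with HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK), both serialized little-endian.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")

# Extensions a lure is likely to borrow so the file looks like a harmless document.
# Explorer hides ".lnk" by default, so "licence.jpg.lnk" is displayed as "licence.jpg".
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".pdf", ".doc", ".docx"}


def inspect_zip(data: bytes) -> list[dict]:
    """Return one finding per suspicious entry in the archive bytes.

    Checks applied to each file entry:
      1. the name ends in .lnk;
      2. a decoy extension sits directly before .lnk (double extension);
      3. the content starts with the LNK header, whatever the name says.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.lower().rsplit("/", 1)[-1]
            exts = ["." + p for p in basename.split(".")[1:]]
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))

            reasons = []
            if exts and exts[-1] == ".lnk":
                reasons.append("lnk-extension")
                if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
                    reasons.append("decoy-double-extension")
            if head == LNK_MAGIC:
                reasons.append("lnk-magic")
                if not exts or exts[-1] != ".lnk":
                    # Content is a shortcut but the name claims otherwise.
                    reasons.append("lnk-magic-under-other-extension")
            if reasons:
                findings.append({"name": info.filename,
                                 "size": info.file_size,
                                 "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: a benign JPEG stub, a shortcut disguised as a
    JPEG via double extension, and a shortcut simply renamed to .pdf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("licence/front.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)
        zf.writestr("licence/uk_driving_licence.jpg.lnk", LNK_MAGIC + b"\x00" * 80)
        zf.writestr("licence/readme.pdf", LNK_MAGIC + b"\x00" * 80)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(f"{finding['name']}: {', '.join(finding['reasons'])}")
```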
BleepingComputer reports that criminals are using OneNote files attached to malicious spam emails to install remote access Trojans (RATs), the Quasar RAT among them, "that include information-stealing functionality." OneNote doesn't use macros, and so malicious files have in many cases escaped detection by the usual technical screening tools. The attachments do generate a familiar, general warning: "Opening attachments could harm your computer and data. Don't open it unless you trust the person who created the file." But experience shows that many users regard the warning as pro forma background noise, and click through anyway, thereby installing the RAT.
SentinelOne this morning describes the activities of a threat actor they're calling DragonSpark. The researchers are fairly confident it's a Chinese group, but whether it's a criminal or an intelligence organization remains unclear: the motive behind the attacks could be either financial gain or espionage. DragonSpark is making heavy use of SparkRAT, "a multi-platform and feature-rich tool" that's open-source but little-seen, and that's also "regularly updated with new features." The attacks use Golang source code interpretation, also an uncommon technique, to thwart static analysis and evade detection.
Looking at attack records between August and October of last year, Palo Alto Networks' Unit 42 researchers discovered that one vulnerability in particular, a remote-code execution issue affecting the Realtek Jungle SDK, was especially attractive to attackers. It's unusual, Unit 42 says, to see a single vulnerability account for more than 10% of the attacks detected over a period of time, but this one (CVE-2021-35394) "accounted for more than 40% of the total number of attacks" over those three months. "Many of the attacks we observed tried to deliver malware to infect vulnerable IoT devices," the researchers wrote this morning. "This tells us that threat groups are using this vulnerability to carry out large-scale attacks on smart devices around the world."
The US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint advisory outlining the abuse of legitimate remote monitoring and management (RMM) software. The advisory describes a large, financially motivated phishing campaign that managed to compromise “many” Federal civilian executive branch (FCEB) networks. The advisory states, “In this campaign, after downloading the RMM software, the actors used the software to initiate a refund scam. They first connected to the recipient’s system and enticed the recipient to log into their bank account while remaining connected to the system. The actors then used their access through the RMM software to modify the recipient’s bank account summary. The falsely modified bank account summary showed the recipient was mistakenly refunded an excess amount of money. The actors then instructed the recipient to ‘refund’ this excess amount to the scam operator.” The agencies note that while this campaign was financially motivated, “the access could lead to additional malicious activity against the recipient’s organization—from both other cybercriminals and APT actors.”
Updates on cyber activity in the hybrid war against Ukraine.
Ukraine has signed an agreement to join NATO's Cooperative Cyber Defence Centre of Excellence (CCDCOE). The CCDCOE is based in Tallinn, Estonia. Ukraine's accession to the Centre will become official once the Centre's current members sign the agreement, but that agreement is widely expected to come swiftly. Closer cooperation is seen as benefiting both Ukraine and NATO. Nataliya Tkachuk, who directs information security and cybersecurity at Ukraine’s National Security and Defense Council, told the Record, “Ukraine’s experience is unique. And we are ready to share it with our allies — from the public-private partnership and effective involvement of cyber volunteers to methods of detecting and neutralizing cyberattacks from Russia.”
Hacktivism has been practiced by both sides during Russia's war against Ukraine. In contrast to Russia’s tolerance of and collaboration with criminal organizations, Ukraine has placed more emphasis on recruiting IT-sector workers, hobbyists, and script kiddies into the IT Army. An essay in Wired wonders what the IT Army's hacktivists in particular can expect once the war is over. Could they, for example, be prosecuted for cyber crimes? It seems unlikely that any jurisdiction other than a Russian one would undertake to do so, but Wired considers it a serious possibility. Hacktivists who've developed their skills during the war do represent an augmentation to a cyber workforce, and governments might devote some thought to what to do with them in the postwar world. "In 2023, voluntary cyber operations in support of Ukraine may therefore prove to be both an opportunity and a challenge," the essay concludes. "Governments would do well to see the IT Army of Ukraine as a recruiting ground—a pool of talent for official cyber volunteer programs."
Computer World has an account of how one company in particular, Microsoft, has helped Kyiv in cyber defense and IT resiliency. The assistance rendered has been, the piece argues, both principled and the working of enlightened self-interest, since attacks against Ukraine mean potential damage to Microsoft-reliant organizations. "By helping Ukraine, Microsoft also helps its customers — and it happens to be good PR, as well.”
Russia has conducted more distributed denial-of-service (DDoS) attacks against targets in Germany, SecurityWeek reports. Germany's BSI security organization said the attacks hit, in order of priority, airports, the financial sector, and, finally, federal and Land (state) administrations. The BSI attributed the attacks to Killnet, the hacktivist group that's functioned as an auxiliary to Russian security and intelligence services. The agency found the attribution difficult, given Killnet's practice of broadcasting a call-to-hack that invites like-minded people to join in, but concluded that the attacks were indeed the work of Killnet. As has generally been the case with earlier operations by the DDoS specialists, Killnet's attacks were quickly contained, produced minimal disruption, and amounted to little more than a nuisance. The cyberattacks appear to have continued Russia's policy of punishing Germany for its decision to deliver Leopard 2 tanks to Ukraine.
The CyberWire's continuing coverage of Russia's war against Ukraine may be found here.
Patch news.
CISA, the US Cybersecurity and Infrastructure Security Agency, Monday added a vulnerability to its Known Exploited Vulnerabilities Catalog. US Federal civilian executive agencies have until February 13th to apply vendor updates to address CVE-2022-47966, remote code execution vulnerabilities in multiple Zoho ManageEngine products. They contain "an unauthenticated remote code execution vulnerability due to the usage of an outdated third-party dependency, Apache Santuario." CISA also added CVE-2017-11357 to the catalog later in the week. The issue affects Telerik's User Interface (UI) for ASP.NET AJAX. "Telerik UI for ASP.NET AJAX contains an insecure direct object reference vulnerability in RadAsyncUpload that can result in file uploads in a limited location and/or remote code execution." Federal civilian executive branch (FCEB) agencies have until February 16th to check their systems and "apply updates per vendor instructions."
CISA also released eight Industrial Control Systems (ICS) advisories Thursday. They cover these products: Delta Electronics CNCSoft ScreenEditor, Econolite EOS, SnapOne Wattbox, Sierra Wireless AirLink Router with ALEOS Software, Mitsubishi Electric MELFA SD SQ series and F-series Robot Controllers, Rockwell Automation products using GoAhead Web Server, Landis+Gyr E580, and Mitsubishi Electric MELSEC iQ-F, iQ-R Series (Update A).
Crime and punishment.
The US Department of Justice says that a joint US and European operation has taken down the notorious Hive ransomware gang. Thursday morning Hive’s site was replaced with a notice: "The Federal Bureau of Investigation seized this site as part of coordinated law enforcement action taken against Hive Ransomware." The European participants were, in addition to Europol, police in the Netherlands and Germany. (The German participants included both federal agencies and police in Baden-Württemberg.) The action was called "Operation Dawnbreaker." The US Department of Justice characterizes Hive as a ransomware-as-a-service operation that made heavy use of double-extortion in its crimes. Hive was also notorious in its target selection, hitting, among other victims, hospitals and schools. Its attacks against hospitals in some cases disrupted delivery of care.
The FBI has been quietly at work against the gang since last summer, infiltrating Hive, taking decryption keys, and enabling Hive’s victims to avoid paying the ransom the gang demanded. FBI Director Christopher Wray said, at a press conference yesterday, "Last July, FBI Tampa gained clandestine, persistent access to Hive’s control panel. Since then, for the past seven months, we’ve been able to exploit that access to help victims while keeping Hive in the dark, using that access to identify Hive’s victims and to offer over 1,300 victims around the world keys to decrypt their infected networks, preventing at least $130 million in ransom payments, cutting off the gas that was fueling Hive’s fire." Reuters quotes Deputy U.S. Attorney General Lisa Monaco as saying, "Using lawful means, we hacked the hackers. We turned the tables on Hive."
No arrests were announced, the Wall Street Journal notices. Director Wray said at his press conference, however, that Operation Dawnbreaker continues, and is moving on to its next phase. Any arrests would presumably come in that subsequent phase, but most if not all of the perpetrators are in Russia, and so may be effectively out of reach. (Unless, of course, they should flee mobilization and land in a place with an effective extradition treaty, or choose a foreign vacation spot unwisely.) For more on the Hive takedown, see CyberWire Pro.
For cybercriminals, the pandemic is the gift that keeps on giving. The US Attorney for the Central District of California reports that a man residing in Orange County Monday pled guilty to stealing the identities of two dozen victims in order to fraudulently apply for over $1.2 million in COVID-19 pandemic unemployment insurance benefits. Nhan Hoang Pham obtained the personal identifying information of people living in California, Texas, and Michigan and used it to submit online applications to the California Employment Development Department (EDD), which coordinates the state’s unemployment insurance program, and had the benefits placed on debit cards routed to an address which he controlled. Pham attempted to steal approximately $1,255,350 through the fraudulent applications, of which he received approximately $408,496. Pham will face a statutory maximum sentence of 30 years in federal prison.
Courts and torts.
The US Department of Justice (DOJ) is suing Google's corporate parent Alphabet, Inc. over allegations that the tech giant is abusing its monopoly over digital advertising tech to drown out the competition. Eight states have joined the lawsuit, which claims that Google “corrupted legitimate competition in the ad tech industry by engaging in a systematic campaign to seize control of the wide swath of high-tech tools used by publishers, advertisers and brokers to facilitate digital advertising.” As Vox explains, the DOJ is accusing Google of forcing ad buyers and sellers to use Google’s advertising tech at less favorable terms than those another company might offer, meaning websites get less revenue from online advertising than they otherwise would, and advertisers in turn pay more. In addition to asking Google to cease its anticompetitive practices, the suit calls for Google to sell many of its ad tech products, which include software used for buying and selling ads, an advertising marketplace, and a service for displaying the ads on the web.
Policies, procurements, and agency equities.
The head of Greece's opposition party, former Prime Minister Alexis Tsipras, this week submitted a censure motion against the ruling party following allegations that current Prime Minister Kyriakos Mitsotakis has been using spyware to keep tabs on Greek citizens. On Tuesday Tsipras revealed the findings of an investigation conducted by the independent telecommunications privacy authority ADAE, which concluded that the Greek government had been spying on officials including the energy minister and army chiefs. Before announcing the censure motion, Tsipras told parliament, "For the past six months, Greek society has been witness to disclosures of an inconceivable number of phone taps, the deepest deviation from rule of law that the country has seen in its modern history…We have a historic duty to act.” As Reuters recounts, an official investigation into the wiretapping scandal has been underway since August, when leader of the socialist PASOK party Nikos Androulakis alleged that EYP, the country's intelligence service, wiretapped his conversations in 2021. The government has denied any wrongdoing, and last month parliament passed a bill reforming EYP and prohibiting the sale of spyware in the country.
We’ve been following the ever-growing list of US states and other entities that have blocked the use of TikTok due to concerns that the app poses a risk to national security. Politico reports that the Netherlands seems to be heading in the same direction. The popular video streaming app has 3.5 million Dutch followers, but two government officials say Dutch ministries and agencies are following a recommendation issued by the general affairs ministry in November to "suspend the use of TikTok for the government until TikTok has adjusted its data protection policy.” The Dutch government’s recommendation is more limited in scope and enforcement than those seen in the US. It's more of a pause than a ban, mainly focused on preventing the use of TikTok for media and advertising. The move comes as Dutch officials work to strengthen the country’s relationship with the US, where the White House is working to limit the sale of sensitive tech to China, including devices made by Dutch chip manufacturer ASML. Dutch Prime Minister Mark Rutte met with US President Joe Biden this month to discuss security and trade concerns linked to China. TikTok has responded by saying it’s open to engaging with the Dutch government "to debunk misconceptions and explain how we keep both our community and their data safe and secure."
Business news.
Business in the cyber and tech sectors has seen some developments this past week. Mergers and acquisitions seen this week include Thoma Bravo announcing its entrance into a definitive agreement to acquire Magnet Forensics, a Canada-based cybersecurity company serving law enforcement and businesses, TechCrunch reports. Automated security and compliance platform provider Vanta has acquired Trustpage. Forter, a digital commerce fraud prevention platform, has announced the acquisition of Israeli bot detection company Immue. Reuters reports that RSA Technologies is looking into a sale of Archer, the company's risk and compliance software unit.
This week's investments include a reported new agreement from Microsoft in a partnership with OpenAI, making a "multiyear, multibillion dollar investment" in the company, SecurityWeek reports. French quantum computing startup Pasqal has raised €100 million in Series B funding, led by Temasek. Vannevar Labs, a California-headquartered defense technology startup, has raised $75 million in Series B funding, led by Felicis Ventures. California-based hybrid cloud data management vendor Cloudian has raised $60 million from multiple firms in a funding round to scale the company. Cyber crisis preparedness and response management company CYGNVS (an acronym of CYber GuidaNce Virtual Space) has emerged from stealth with $55 million in Series A funding to scale the company's operations. Forward Networks, a network management and software-defined networking provider based in California, has raised $50 million in Series D funding, led by MSD Partners, L.P. Crypto research and development company =nil; Foundation has raised $22 million in funding, led by Polychain Capital. Continuous access and business continuity platform Accsense, based in Ohio, has raised $5 million in seed funding for cloud identity and access management solutions.
In other related news, crypto lender Genesis, along with two subsidiaries, filed for bankruptcy last Thursday night, the Wall Street Journal reports. The cybersecurity labor market (and the larger tech labor market) continues to navigate tumultuous waters this week. Dark Reading reported last week that Sophos decided to cut around 450 jobs, with TechCrunch reporting that about 10% of the company's workforce is impacted. On Friday, the Wall Street Journal shared news on major staff cuts at Alphabet, Google's parent company, reducing the headcount by 12,000 employees, or about 6% of the company's total labor pool. Biz Journals reported cuts at credit firm CapitalOne, impacting over 1,000 tech staff members. After a promise of cuts to only 201 workers last month, Intel is also reportedly cutting more than twice that in California, said the Silicon Valley Business Journal. Microsoft also reported cuts last week impacting around 5% of its worldwide labor force, Windows Central explains. Streaming giant Spotify is also whittling down its personnel, cutting 6% of its workforce, or 600 employees, after a "spending spree" over the worst of COVID, the Wall Street Journal reports. The Information also disclosed an internal message they viewed from the Gemini crypto startup, announcing layoffs of 10% of staff in what appears to be the third round of job cuts for the company. One-click checkout startup Bolt once again reduced its headcount by 10%, or at least 50 people, racking up a loss of over half of its staffing since May of last year, the Information divulged. For a more in-depth look into this week's business news, see this week's edition of the CyberWire's Pro Business Briefing.
This week's research developments.
In research news this week, Check Point reports that the Russian hacktivist group NoName057(16) earlier this month used DDoS attacks to successfully bring down several websites associated with the Czech presidential election. Chainalysis observed a steep decline in ransomware payments over the course of 2022. A suspected Chinese threat actor is exploiting a recently patched critical flaw in Fortinet's FortiOS SSL-VPN, according to researchers at Mandiant. Palo Alto Networks’ Unit 42 has published a report describing “Playful Taurus” (also known as APT15 or Vixen Panda), a Chinese threat actor known for carrying out cyberespionage campaigns against government and diplomatic entities around the world. For a deeper dive into this week's cybersecurity research, check out this week's edition of the CyberWire's Pro Research Briefing.