By the CyberWire staff
At a glance.
- Disinformation in the war between Hamas and Israel.
- Hacktivism and state action in Hamas's campaign against Israel.
- International hacktivists join the cyber conflict.
- Novel DDoS attack: Rapid Reset.
- The current state of DPRK cyber operations.
- Storm-0062 exploits Atlassian 0-day.
- Grayling cyberespionage group active against Taiwan.
- Magecart campaign abuses 404 pages.
- CISA releases two new resources against ransomware.
Disinformation in the war between Hamas and Israel.
The war that intensified Saturday with major attacks into Israel by Hamas has been accompanied by extensive disinformation, some of it directed by authorities (for the most part Hamas and governments sympathetic to Hamas) but much of it spontaneously posted, especially on X, the platform formerly known as Twitter, but on other platforms as well. TikTok (where, for example, footage from video games has been presented as video of Israeli airstrikes) and Telegram (where, for example, unverified and often false claims of successful cyberattacks have proliferated) have been prominent among those other platforms. But X seems to have been particularly receptive to disinformation, in part because the sale of blue checks has eroded the filters that media outlets had once imperfectly but usefully provided: it's now more difficult to determine which reports originate from organizations that vet their reporting. X has also tended to promote inflammatory false information, amplifying it because such content generates engagement. And the platform's influencer culture gives careless influencers outsized clout with users.
But much of the influence being pushed doesn't involve disinformation proper. The New York Times has an overview of how Hamas has posted, often to X, images of its atrocities against civilian victims in Israel. These are intended both as expressions of triumph and as incitement to further atrocities. X has been widely criticized for its failure to screen, filter, rate, or otherwise effectively moderate content. Changes to X's content moderation policies have, CNN reports, more or less adopted celebrity as a standard of newsworthiness, and largely abandoned attempts to expose coordinated inauthenticity. A European commissioner has written to X to warn the platform that its failures in this respect may constitute a violation of the European Union's Digital Services Act (DSA).
Hacktivism and state action in Hamas's campaign against Israel.
"At least 15 known cybercriminal, ransomware, and hacktivist groups," by the Register's count, "have announced their active participation in disruptive attacks targeting institutions in Israel and Palestine." International supporters of both parties to the conflict are also coming under cyberattack. Some of the groups have long been aligned with Hamas, others with Israel, and still others are ramping up operations against a long-term enemy whose support for Israel or Hamas serves as either pretext or provocation. While most of the activity has been familiar distributed denial-of-service (DDoS) or nuisance-level defacement, some of it has targeted, SecurityWeek reports, infrastructure (especially electrical power distribution) and military command-and-control (especially Israeli Iron Dome anti-rocket systems). It seems the attempts against infrastructure and C2 have so far had limited effect. According to HackRead, one pro-Hamas group, AnonGhost, seems to have been able to exploit a vulnerability in the Israeli Red Alert civil defense app to transmit false warnings of missile strikes.
Group-IB has been following both sides' hacktivist activity, and ReliaQuest has published a useful overview of the conflict in cyberspace, along with some brief recommendations for actions organizations can take during what should be a period of heightened alert. That said, US NSA cybersecurity director Rob Joyce commented that the cyber phases of the war have so far been largely confined to nuisance-level hacktivism. “But we’re not yet seeing real [nation] state malicious actors,” the Wall Street Journal quotes Joyce as saying. Israel has taken action against Hamas funding, seizing Hamas-linked Binance cryptocurrency accounts, Financial Magnates reports. Israel has also worked with British authorities to freeze at least one Barclays account linked to Hamas fundraising.
International hacktivists join the cyber conflict.
Researchers at Radware outline the course the cyber phases of the war have taken: DDoS, for the most part. The hacktivist groups Radware has observed conducting or at least claiming attacks in support of Hamas include the Indonesian threat actor Garnesia_Team, Ganosec Team (also from Indonesia), the Moroccan Black Cyber Army, Mysterious Team Bangladesh, Team Herox (from India), Anonymous Sudan (which presents itself as a religious and political group from its eponymous country, but which in fact is a Russian auxiliary) and, of course, the Russian group KillNet.
Russian hacktivist auxiliaries have not been unanimous on the war in the Middle East. KillNet has been outspoken against Israel during the current fighting Hamas initiated last weekend, as has Anonymous Sudan. The Cyber Army of Russia disagrees sharply, not because it wishes to engage on behalf of Israel, but because the Cyber Army sees war in the Middle East as a distraction from Russia's main concern: the war in Ukraine. Cyble's Cyber Express reports that the Cyber Army of Russia is seeking to organize sentiment against KillNet under the hashtag #STOPKillNet.
Hacktivists (and hacktivist auxiliaries) who've joined the war Hamas began against Israel Saturday have claimed widespread and substantial damage to important systems, but so far their activities haven't extended much further than familiar distributed denial-of-service operations and site defacements. Claims of attacks against, for example, electrical power distribution seem to be for the most part attention-getting bragging. AnonGhost's compromise of the Red Alert app, designed to send attack warnings to smartphones, seems the most consequential of the cyber operations so far. The Wall Street Journal describes threats of more significant cyberattacks. These haven't materialized yet, but concern will mount as threat actors more capable than ordinary hacktivists join the action. Security firm Sepio told the Journal that it has seen a rise in activity from Iran and Syria, as well as from Russian hacktivist auxiliaries.
Most of the hacktivism has been conducted in the interest of Hamas, but at least one Israeli group, either a front group or a hacktivist auxiliary, has reemerged to take a role in the conflict. Predatory Sparrow, known for operations against Iran, has been observed probing Iranian sites and posting warning messages, CyberScoop reports. "You think this is scary?" the messaging said, in Farsi. "We're back. We hope you're following the events in Gaza." Iran has long been Hamas's patron, and is widely suspected of having provided both planning and logistical support to the Hamas operation.
A volunteer group acting for Israel functions as an augmentation to the intelligence services. The Wall Street Journal reports that the Israel Tech Guard, formed by workers in the country's cybersecurity sector, has been concentrating on the labor-intensive work of looking through online content to, among other things, identify and locate Israelis taken hostage by Hamas. The volunteers are also working to secure online tools that contribute to public safety, like the Red Alert app compromised in the early hours of Hamas's assault.
Novel DDoS attack: Rapid Reset.
CISA, the US Cybersecurity and Infrastructure Security Agency, warns that a vulnerability affecting the HTTP/2 protocol (CVE-2023-44487) is being exploited in the wild to conduct very large distributed denial-of-service (DDoS) attacks. The vulnerability is known as "Rapid Reset." Major vendors who have issued patches or mitigations against Rapid Reset include:
CISA also recommends that organizations review the agency's earlier guidance, "Understanding and Responding to Distributed Denial of Service Attacks." The attacks are so far not attributed to any particular threat actor, the Washington Post reports, but they've been remarkable for their ability to generate large request floods from relatively modest botnets.
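Rapid Reset works because a client can open a stream and immediately cancel it with RST_STREAM, so the server's advertised SETTINGS_MAX_CONCURRENT_STREAMS limit is never reached while the server still does the work of starting each request. The model below, added here as an illustration and not taken from CISA or from any vendor's patch, runs a per-connection reset-rate limit (the kind of mitigation vendors shipped) over a constructed frame trace; the trace format and the limits are assumptions for the example.

```python
"""Per-connection RST_STREAM rate limit, modelling the mitigation pattern used
against HTTP/2 Rapid Reset (CVE-2023-44487). Illustrative code, not any
server's real implementation. Input is a constructed frame trace."""
from collections import defaultdict, deque

# Constructed trace, one frame per line: "conn=<id> t=<seconds> <TYPE> stream=<n>".
# conn 1 behaves like an ordinary browser; conn 2 opens a stream and cancels it
# at once, 400 times in 0.4 s, so it never holds more than one stream open.
TRACE = ["conn=1 t=0.00 HEADERS stream=1", "conn=1 t=0.05 HEADERS stream=3",
         "conn=1 t=0.20 RST_STREAM stream=3", "conn=1 t=0.40 HEADERS stream=5"]
TRACE += [f"conn=2 t={i * 0.001:.3f} {kind} stream={2 * i + 1}"
          for i in range(400) for kind in ("HEADERS", "RST_STREAM")]

MAX_CONCURRENT_STREAMS = 100  # the concurrency limit a server advertises (assumed value)
RESET_LIMIT = 50              # resets tolerated per connection per WINDOW seconds (assumed)
WINDOW = 1.0


def parse(line):
    """Split a trace line into (conn, time, frame_type, stream_id)."""
    conn, t, kind, stream = line.split()
    return conn.split("=")[1], float(t.split("=")[1]), kind, int(stream.split("=")[1])


def analyze(trace, reset_limit=RESET_LIMIT, window=WINDOW):
    """Return per-connection stats: peak concurrently open streams, total resets,
    and whether the reset-rate limit tripped (at which point a server would send
    GOAWAY and close the connection)."""
    open_streams = defaultdict(set)
    recent_resets = defaultdict(deque)  # reset timestamps inside the sliding window
    stats = defaultdict(lambda: {"peak_open": 0, "resets": 0, "tripped": False})
    for line in trace:
        conn, t, kind, stream = parse(line)
        s = stats[conn]
        if kind == "HEADERS":
            open_streams[conn].add(stream)
            s["peak_open"] = max(s["peak_open"], len(open_streams[conn]))
        elif kind == "RST_STREAM":
            open_streams[conn].discard(stream)
            s["resets"] += 1
            q = recent_resets[conn]
            q.append(t)
            while q and t - q[0] > window:
                q.popleft()
            if len(q) > reset_limit:
                s["tripped"] = True
    return dict(stats)


if __name__ == "__main__":
    for conn, s in analyze(TRACE).items():
        hit_concurrency = s["peak_open"] >= MAX_CONCURRENT_STREAMS
        print(f"conn {conn}: peak_open={s['peak_open']} resets={s['resets']} "
              f"concurrency_limit_hit={hit_concurrency} reset_limit_tripped={s['tripped']}")
```

The attacking connection never comes near the concurrency limit (peak of one open stream), which is why the reset-rate check, not the stream cap, is what catches it.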
The current state of DPRK cyber operations.
North Korea has recently been active against blockchain and decentralized finance ("DeFi") targets, it was reported at the end of last week. Mixin Network, which facilitates blockchain transactions, disclosed losses amounting to a bit less than $150 million in a late September attack. US deputy national security adviser for cyber and emerging technology Anne Neuberger told Bloomberg that the "tradecraft" looked like the DPRK's. Mandiant this week published its assessment of the current organization and conduct of North Korean offensive cyber operations. It sees an evolution in both complexity and cooperation as Pyongyang continues to run both espionage and financial crime.
Storm-0062 exploits Atlassian 0-day.
Microsoft warns that the nation-state threat actor Storm-0062 has been exploiting CVE-2023-22515, a broken access control vulnerability affecting Atlassian’s Confluence Data Center and Server products, since September 14th. SecurityWeek reports that the threat actor is conducting cyberespionage for China’s Ministry of State Security (MSS). For more on Storm-0062's supply chain cyberespionage, see CyberWire Pro.
Grayling cyberespionage group active against Taiwan.
The Symantec Threat Hunter Team, part of Broadcom, describes what it characterizes as a hitherto unknown advanced persistent threat (APT), "Grayling," which conducted cyberespionage against Taiwan between February and May of this year. Its operations are marked by a distinctive sideloading technique, and its targets have tended to be in the manufacturing, IT, and biomedical sectors. While Taiwan has been Grayling's principal area of interest, the group may also have prospected targets in the Pacific, in Vietnam, and in the United States. There's no attribution, but Symantec blandly points out that whoever's running the APT has a strategic interest in Taiwan.
Magecart campaign abuses 404 pages.
Researchers at Akamai have discovered a Magecart web skimming campaign that’s been targeting Magento and WooCommerce websites for the past few weeks. The researchers note, “Magecart attacks typically begin by exploiting the vulnerabilities in the targeted websites or by infecting the third-party services that these websites are using. In this campaign, all the victim websites we detected were directly exploited, as the malicious code snippet was injected into one of their first-party resources. In some instances, the malicious code was inserted into the HTML pages; in other cases, it was concealed within one of the first-party scripts that was loaded as part of the website.” For more on the current Magecart campaign, see CyberWire Pro.
CISA releases two new resources against ransomware.
The US Cybersecurity and Infrastructure Security Agency (CISA) has released two resources for identifying vulnerabilities and misconfigurations exploited by ransomware: a ‘Known to be Used in Ransomware Campaigns’ column in the KEV Catalog that identifies KEVs associated with ransomware, and a ‘Misconfigurations and Weaknesses Known to be Used in Ransomware Campaigns’ table on StopRansomware.gov that identifies misconfigurations and weaknesses associated with ransomware campaigns.
Patch news.
Microsoft has issued patches for more than one hundred vulnerabilities affecting Windows, three of which are being exploited in the wild, SecurityWeek reports. One of the exploited flaws, CVE-2023-36563, affects WordPad, and "could allow the disclosure of NTLM hashes." Another actively exploited bug (CVE-2023-41763) impacts Skype for Business, and could lead to privilege escalation.
Adobe has patched critical flaws affecting several of its products, including Adobe Commerce, Magento Open Source, and Photoshop, SecurityWeek says.
Citrix has issued patches for numerous vulnerabilities affecting NetScaler ADC, NetScaler Gateway, and Citrix Hypervisor.
Crime and punishment.
The Wall Street Journal reports that a former executive at FTX, the cryptocurrency exchange that collapsed last year, has testified she was forced by company founder Sam Bankman-Fried to carry out criminal acts to defraud the company's customers out of their money. Caroline Ellison, who served as Bankman-Fried's top deputy, appeared as a prosecution witness on Tuesday during Bankman-Fried's criminal trial. Ellison says Bankman-Fried was aware that his crypto hedge fund, Alameda Research, was in financial trouble and defrauded FTX customers out of billions of dollars in an attempt to keep Alameda afloat. Bankman-Fried, who has pleaded not guilty, admits that FTX was poorly managed but claims he did not knowingly defraud customers and acted in good faith.
Elliptic has published an analysis of the $477 million theft of cryptocurrency from FTX in November 2022, noting that, “Of the stolen assets that can be traced through ChipMixer, significant amounts are combined with funds from Russia-linked criminal groups, including ransomware gangs and darknet markets, before being sent to exchanges.” The researchers add, “Whoever was behind the hack, the stolen assets continue to be moved and laundered through the blockchain. Various cross-asset and cross-chain laundering techniques have been used to avoid seizure of these assets, and to attempt to conceal the money trail.”
Representative George Santos (Republican representing New York's 3rd District), already facing Federal fraud charges, has been named in a superseding indictment that carries additional charges related to alleged online crimes, specifically "one count of conspiracy to commit offenses against the United States, two counts of wire fraud, two counts of making materially false statements to the Federal Election Commission (FEC), two counts of falsifying records submitted to obstruct the FEC, two counts of aggravated identity theft, and one count of access device fraud, in addition to the seven counts of wire fraud, three counts of money laundering, one count of theft of public funds, and two counts of making materially false statements."
Courts and torts.
Snap, parent company of popular instant messaging app Snapchat, is facing scrutiny from the UK Information Commissioner’s Office (ICO) for the app’s artificial intelligence chatbot My AI. On Friday the privacy watchdog announced a preliminary enforcement notice for Snap’s “potential failure to properly assess the privacy risks” presented by the generative AI chatbot. Billed as a virtual friend, My AI is pinned to the top of users’ feeds, available to provide answers to user questions or even send and receive snaps. The ICO has conducted a preliminary investigation, and while no breach has been discovered, the regulator says Snap may not have taken the necessary steps to make sure the product was compliant with the data protection rules laid out in the Children’s Design Code before the chatbot was launched in the UK last April. A Snap spokesperson told TechCrunch, “We are closely reviewing the ICO’s provisional decision. Like the ICO we are committed to protecting the privacy of our users. In line with our standard approach to product development, My AI went through a robust legal and privacy review process before being made publicly available. We will continue to work constructively with the ICO to ensure they’re comfortable with our risk assessment procedures.”
Policies, procurements, and agency equities.
The BBC reports that prominent and opposing hacktivist auxiliaries stated over the weekend that they intended to abide by the guidelines officials of the International Committee of the Red Cross (ICRC) recommended last week. Russia's KillNet and the IT Army of Ukraine both said that they intended to follow rules that would clarify the extension of international humanitarian law to activities in cyberspace. The guidelines aim principally at protecting civilians and civilian infrastructure from harm. See CyberWire Pro for an extended consideration of the ICRC's recommendations.
The Cyberspace Administration of China (CAC) last month released a draft version of its Provisions on Regulating and Promoting Cross-Border Data Flows. Although the document is subject to change pending public comment, cyber/data/privacy insights explains that the document indicates China is easing up on its restrictions on international data transfers.
California Governor Newsom signed a new law that will make it easier for state residents to have their data deleted from data brokerage databases, the LA Times reports. While residents can currently ask individual brokers to remove their data, each broker requires a separate request, meaning consumers are faced with the nearly impossible task of determining everywhere their data might be stored, and even then brokers have the right to deny a request. Under Senate Bill 362, commonly called the Delete Act, the California Privacy Protection Agency is directed to create a new tool by January 2026 that will allow Californians to ask all data brokers to delete their personal information with a single request.
Labor markets.
The Wall Street Journal reports that the unemployment rate in the IT industry rose to 4.3% last month, higher than the overall unemployment rate of 3.8%. The Journal sees this as "an indication that growth in traditional IT careers and entry-level roles could be slowing amid an artificial-intelligence boom." The Journal notes, however, that demand for employees still outpaces supply, particularly in the cybersecurity sector.
Mergers and acquisitions.
Identity and access management company Okta has acquired password manager Uno.
Minnesota-based security operations firm Arctic Wolf intends to acquire security orchestration, automation and response (SOAR) platform Revelstoke.
Investments and exits.
Reuters reports that BlackBerry plans to separate its IoT and cybersecurity business units as it targets an IPO for the IoT unit next year.
Santa Cruz, California-based minds.ai, a company that uses AI to optimize semiconductor operations and planning, has raised $5.3 million in a seed funding round led by Monta Vista Capital, with participation from Momenta and other investors.