At a glance.
- Hacktivism and influence operations in the Middle East.
- Cyber sparring in Russia's hybrid war.
- RomCom backdoor used against Brussels conference.
- WinRAR exploitation.
- Cyberespionage in the Middle East (OilRig) and East Asia (BloodAlchemy).
- Cisco IOS XE zero-day exploited.
Hacktivism and influence operations in the Hamas-Israel war.
Cyber operations in the Hamas-Israel war continue to be characterized by a high volume of opportunistic, nuisance-level hacktivism. Bloomberg describes a surge in hacktivism, some of it a genuine grassroots phenomenon, some of it conducted by state-directed auxiliaries and front groups. A significant number of the front groups appear to be run from Iran.
An example of narratives competing for influence in the same space has been on prominent display with respect to damage to a Gaza hospital. Both sides have accused the other of a strike against the Al Ahli Hospital, with Hamas calling it an Israeli airstrike and Israel calling it a malfunctioning rocket launched toward Israel by Palestinian Islamic Jihad. Evidence increasingly points to the latter. The US National Security Council tweeted its evaluation of the Al Ahli Hospital incident: "While we continue to collect information, our current assessment, based on analysis of overhead imagery, intercepts, and open source information, is that Israel is not responsible for the explosion at the hospital in Gaza yesterday." The Israel Defense Forces (IDF) have released an intercepted conversation between Hamas operatives discussing the incident and attributing it to the failure of a Palestinian Islamic Jihad rocket. The Telegraph has an overview of the evidence suggesting that the destruction was caused by a failed rocket launch. Casualty estimates also seem to be dropping: Gaza authorities had published a death toll of more than 500, but the visible damage to the hospital seems to render that count implausible.
Hamas's claims that the explosion was due to an Israeli airstrike, however, continue to be generally accepted and circulated in Islamist and wider Arab circles, where they've driven widespread protests this week. Most of the hacktivism in the conflict has been conducted in the interest of Hamas.
ZeroFox has a useful account of the ways in which misinformation (false claims made without malicious intent) and disinformation (intentional lies told with a political purpose) are unfolding in the current war. Some of the disinformation originates from third-parties to the conflict. "ZeroFox intel has identified a notable uptick in anti-Palestinian disinformation from seemingly Indian accounts and anti-Israel disinformation from seemingly pro-Russian accounts."
Where are false or dubious claims concentrated? The DFR Lab reports that pro-Israeli accounts (especially in English) have tended to show a preference for X (the platform formerly known as Twitter) despite X's recent difficulties with its hosting of pro-Hamas posts. The Hamas-linked accounts have gravitated to Telegram. Much amplification of disinformation is achieved through the use of accounts that impersonate trusted sources.
Hacktivist auxiliaries' operations tend to resemble one another.
ComputerWeekly observes that pro-Hamas hacktivism has followed a pattern established during Russia's war against Ukraine, concentrating on website defacements. The piece also notes that during the war between Hamas and Israel hacktivism has been relatively one-sided, with very few cyberattacks against Palestinian sites. The attacks haven't for the most part risen above the level of a nuisance, and the concentration on defacements seems more opportunistic than strategic, more a matter of capability than of imitation. A Cambridge University researcher who's studied the conduct of the war told ComputerWeekly, "Lots of people talk up the idea that hacktivists could make a big difference in combat. What we are seeing in both the Ukraine work and the work now in Hamas is that this is over-egged. You do see some civilian activism around war outbreaks but it's so low grade as to be of no security concern."
There are some differences. The hacktivism on display in the Hamas-Israel war is less disciplined, and less susceptible to state control, than that observed in the hybrid war between Russia and Ukraine. Axios writes, "The war between Israel and Hamas is reminding governments just how difficult it is to control politically motivated hacking groups...Politically motivated hackers (also known as hacktivists) often target state-backed organizations and groups in an effort to complicate war efforts." Targeting is complicated, and freelancing makes it even more so. To take just one example, an attack that takes, say, a government service offline might inadvertently interfere with intelligence collection already underway against that service.
Ukrainian hacktivist auxiliary takes down Trigona privateers.
Members of the Ukrainian Cyber Alliance (UCA) claim to have gained access to servers used by the Trigona ransomware gang. BleepingComputer reports that the hacktivists say they "exfiltrated all of the data from the threat actor’s systems, including source code and database records," and then wiped the servers. The UCA exploited CVE-2023-22515, a recently described vulnerability in Atlassian's Confluence Data Center and Server to gain remote access and elevate their privileges to work their damage. "Welcome to the world you created for others!" a member of the UCA tweeted above a taunting screenshot headlined "Trigona is gone." They're still sorting through the data they exfiltrated from Trigona, but if they find the files contain decryption keys, they say they intend to make those publicly available for the victims of Trigona attacks to use in recovering their systems.
Ukrainian telecommunications providers hit by cyberattack.
CERT-UA reported Sunday that eleven telecommunications providers in Ukraine had experienced interference by "an organized group of criminals tracked by the identifier UAC-0165." The goal of the attacks seems to be disruption as opposed to theft or extortion. The Hacker News says that "A successful breach is followed by attempts to disable network and server equipment, specifically Mikrotik equipment, as well as data storage systems."
A Russian credential-harvesting campaign.
Researchers at Cluster25 are tracking attacks by what they characterize as a "Russia-nexus nation-State threat actor." The campaign aims at harvesting credentials, and it involves phishing with a baited PDF that carries an exploit for CVE-2023-38831, a vulnerability in WinRAR compression software versions prior to 6.23. The phishbait is a PDF that purports to share indicators of compromise associated with malware strains that include SmokeLoader, Nanocore RAT, Crimson RAT, and AgentTesla. Cluster25 offers no more specific attribution than "Russia-nexus," but the Hacker News speculates that the activity may be run by the SVR foreign intelligence service.
Russian hacktivist auxiliaries hit Belgian websites.
Russian hacktivist auxiliaries hit Belgian government websites in what they declared to be retaliation for Belgian support for Ukraine, the Brussels Times reports. Websites belonging to the Belgian Senate, Federal Public Service Finance, the Prime Minister's Chancellery, and the monarchy were affected last Sunday. Service had returned to normal on all but the Senate's site by early Monday morning. The hacktivists posted a message to the Senate's site complaining of Belgium's commitment last week to supply Ukraine with F-16 fighters by 2025.
Emailed bomb threats in the Baltic.
The Baltic Times reports that waves of emailed bomb threats have been arriving in the region. They appear to represent a coordinated campaign run by Russian operators. "This is an attempt to create a certain panic, to destabilize the situation in a sense, and to burden institutions, especially law enforcement, with an additional load," Lithuania's Interior Minister said.
The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.
Void Rabisu deploys lightweight RomCom backdoor against Brussels conference.
Trend Micro describes the recent activities of Void Rabisu, which it characterizes as "an intrusion set associated with both financially motivated ransomware attacks and targeted campaigns on Ukraine and countries supporting Ukraine." In this case the intrusion was directed against the Women Political Leaders (WPL) Summit that convened in Brussels on June 7th and 8th of this year. The Summit's goal was to increase the participation of women in politics, and while that may not have been something the threat actors necessarily approved of, it seems likelier that the conference was simply a target of opportunity, an occasion to prospect and compromise devices and systems belonging to political leaders. The ultimate payload Void Rabisu delivered was "a new version of ROMCOM backdoor that we have dubbed as 'ROMCOM 4.0' (also known as PEAPOD)."
Void Rabisu is an interesting mixed case of an organization (or, if you will, an intrusion set) that has been financially motivated, that trades in the criminal-to-criminal market, but which engages in espionage and, once it's on its target, acts like an advanced persistent threat (APT). There's no attribution of the activity so far. "While we have no evidence that Void Rabisu is nation-state-sponsored," Trend Micro writes, "it's possible that it is one of the financially motivated threat actors from the criminal underground that got pulled into cyberespionage activities due to the extraordinary geopolitical circumstances caused by the war in Ukraine." And in general Void Rabisu has consistently acted against Ukrainian interests.
Nation-states exploit the WinRAR vulnerability.
Google’s Threat Analysis Group (TAG) warns that several government-backed threat actors are exploiting CVE-2023-38831, a vulnerability in WinRAR that was patched on August 2nd. The flaw “allows attackers to execute arbitrary code when a user attempts to view a benign file (such as an ordinary PNG file) within a ZIP archive.” TAG says Russia’s Sandworm and APT28 threat actors (both attributed to the GRU) have been making use of the flaw, along with China’s APT40 (also known as “ISLANDDREAMS”). The threat actors use phishing emails to deliver malicious ZIP archives containing the exploit.
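As an added, defender-side illustration that is not part of the original article: the archive layout this flaw abused is public from the WinRAR fix and vendor write-ups, namely a benign-looking decoy file beside a directory of the same name (with trailing whitespace) that holds a same-named executable, which affected WinRAR versions extracted and ran when the user opened the decoy. The Python scanner below, with a constructed sample archive whose contents are inert placeholders, flags that layout in ZIP attachments so they can be quarantined at the mail gateway before a user opens them.

```python
"""Flag ZIP archives laid out in the CVE-2023-38831 decoy/directory pattern."""
import io
import zipfile

# Extensions that would be handed to the shell for execution after extraction.
EXEC_EXTS = (".cmd", ".bat", ".exe", ".ps1", ".vbs", ".js", ".scr", ".com")


def find_suspicious_entries(zip_bytes: bytes) -> list:
    """Return one finding per decoy file that has a same-named directory
    (ignoring trailing whitespace) containing an executable entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        # Top-level files are the candidate decoys.
        decoys = {n for n in names if "/" not in n}
        # Group nested entries by their top-level directory name.
        dirs = {}
        for n in names:
            head, sep, _ = n.partition("/")
            if sep and head:
                dirs.setdefault(head, []).append(n)
        for decoy in sorted(decoys):
            for dirname, members in dirs.items():
                if dirname.rstrip() != decoy:
                    continue
                executables = [
                    m for m in members
                    if m.rsplit("/", 1)[-1].lower().endswith(EXEC_EXTS)
                ]
                if executables:
                    findings.append({
                        "decoy": decoy,
                        "directory": dirname,
                        "executables": executables,
                    })
    return findings


def build_sample_archive() -> bytes:
    """Constructed archive with the suspicious layout; contents are plain text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.png", b"constructed placeholder, not an image")
        # Directory "report.png " (trailing space) holding "report.png .cmd".
        zf.writestr("report.png /report.png .cmd", b"constructed placeholder")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed archive with an ordinary layout, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.png", b"constructed placeholder")
        zf.writestr("notes/readme.txt", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("sample", build_sample_archive()),
                        ("clean", build_clean_archive())):
        print(label, find_suspicious_entries(data))
```

The check is structural only, so it complements rather than replaces patching to WinRAR 6.23 or later.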
An OilRig cyberespionage campaign prospects a Middle Eastern government.
Iran's OilRig threat group, also known as APT34 and, by Symantec, as Crambus, conducted an eight-month intrusion campaign against a Middle Eastern government. The Threat Hunter Team at Symantec (a Broadcom company) reported that Crambus "stole files and passwords and, in one case, installed a PowerShell backdoor (dubbed PowerExchange) that was used to monitor incoming mails sent from an Exchange Server in order to execute commands sent by the attackers in the form of emails, and surreptitiously forwarded results to the attackers." Which government was targeted Symantec doesn't say, but the researchers do note that the Crambus target list has historically included Saudi Arabia, Israel, the United Arab Emirates, Iraq, Jordan, Lebanon, Kuwait, Qatar, Albania, the United States, and Turkey.
BloodAlchemy backdoors ASEAN targets.
Researchers at Elastic Security Labs are tracking a new backdoor dubbed “BLOODALCHEMY” that’s being used to conduct cyberespionage against governments and organizations in the Association of Southeast Asian Nations (ASEAN). BLOODALCHEMY is part of the REF5961 intrusion set described by Elastic earlier this month. The researchers believe the activity is “state-sponsored and espionage-motivated,” launched by a threat actor aligned with the Chinese government.
Cisco IOS XE zero-day exploited.
Cisco has disclosed an actively exploited zero-day vulnerability (CVE-2023-20198) in the Web User Interface feature of Cisco IOS XE software when exposed to the Internet or untrusted networks. Cisco states, “Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity.” Cisco strongly recommends that “organizations that may be affected by this activity immediately implement the guidance outlined in Cisco’s Product Security Incident Response Team (PSIRT) advisory.”
Patch news.
Valve will require additional security measures for game developers on Steam in an attempt to prevent compromised developer accounts from being used to push malicious updates, BleepingComputer reports. On October 24th, Valve will begin enforcing SMS-based security prompts for new updates to games’ default release branches. BleepingComputer notes that the move follows a spike in the use of compromised Steamworks accounts to distribute malware over the past few months. For more on the additional security measures, see CyberWire Pro.
The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint Cybersecurity Advisory (CSA) on the active exploitation of CVE-2023-22515, a vulnerability in Atlassian Confluence Data Center and Server, a widely used collaboration platform. Exploitation enables a malicious actor to create unauthorized Confluence administrator accounts, with the attendant possibility of data exfiltration. The Advisory recommends immediately upgrading to a patched version of the vulnerable product. For background to this incident, see CyberWire Pro.
Crime and punishment.
The RagnarLocker ransomware operation’s negotiation and data leak sites were seized by an international group of law enforcement agencies, BleepingComputer reports. Based on the takedown notice posted to the seized websites, the operation involved law enforcement entities from the US, Germany, France, Italy, Japan, Spain, the Netherlands, the Czech Republic, and Latvia. For more on the takedown, see CyberWire Pro.
Policies, procurements, and agency equities.
The UK’s Information Commissioner’s Office (ICO) has issued new guidance on workplace monitoring. Previous guidance was incorporated into the ICO’s Employment Practices Code in 2011, but with the increase in telework and myriad innovations in technology in recent years, the guidance was overdue for a refresh. As cyber/data/privacy insights explains, all companies subject to UK data protection law must comply, which includes non-UK companies that are either established in the UK or offer goods or services to British residents.
The UK’s Department of Science, Innovation, and Technology has issued a code of practice for app stores and app developers regarding privacy and security. Composed of eight key principles, the code is considered voluntary. However, following the recommendations would be wise, as some of the principles within the code are mandated through existing legislation like the Data Protection Act 2018 and UK General Data Protection Regulation, and other principles are intended to help companies take steps toward compliance with legislation.
The US Federal Communications Commission (FCC) is moving toward a return to net neutrality. The Wall Street Journal characterizes the proposed regulation as treating Internet service providers like utilities. The regulations would prevent carriers, for example, from giving favorable treatment to some content providers.
The US Consumer Financial Protection Bureau (CFPB, an independent agency responsible to the Federal Reserve) has proposed a rule that would affect how financial institutions handle their customers' data. The Personal Financial Data Rights rule would give consumers more control over the data they share with institutions, and it would impose certain restrictions on how those institutions handle those data. It would in particular prevent firms from "misusing or wrongfully monetizing the sensitive personal financial data." The authority for the proposed rule is Section 1033 of Dodd-Frank. The rule is open for comment until December 29th. For more on the proposed rule, see CyberWire Pro.
Fortunes of commerce.
Dark Reading notes the effect that Hamas's attack against Israel has had on the country's tech sector, particularly its start-ups. Many employees are subject to call up as reservists during an emergency, and that's certainly happening now. Cybersecurity firms are also intertwined with the Israeli Defense Forces, and they've been rendering support to the war effort. Israeli operations by private-sector actors seem to have concentrated on collection and analysis, particularly with respect to identifying and locating hostages taken in the initial Hamas attacks. Haaretz reports that NSO, Rayzone, and AnyVision have been especially involved in this effort.
Lloyd's of London has concluded that the economic effects of a major attack on financial services payment systems would be severe, amounting to some $3.5 trillion worldwide.
Cooley outlines considerations for Form 8-K cybersecurity materiality determinations under the SEC's new cybersecurity disclosure requirements. Cooley explains, "While the final rules require 8-K reporting only upon a determination of materiality, rather than detection of an incident, such determinations must be made 'without unreasonable delay after discovery of the incident.' Materiality judgments must consider both impacts already experienced and reasonably likely future impacts; however, the SEC has indicated determinations may not be delayed until such future impacts have emerged. For example, an incident that gives rise to reasonably likely material litigation risk would be reportable when the company determines that the factors giving rise to such a risk are implicated in an incident, not when actual litigation claims are first raised. The adopting release cites as other examples the foreseeable impacts of reputational damage or stolen intellectual property, even if such harms are not yet experienced."
Labor markets.
Tines has published its Voice of the SOC report for 2023, finding that 63% of security professionals experience some level of burnout, while 55% are likely to switch jobs within the next year. Respondents said that time spent on manual work is the most frustrating part of their jobs. Still, 99% of respondents are satisfied with their jobs, 98% are engaged with their work, and 96% feel that they are fairly compensated. Tines asked security professionals what organizations could do to improve retention: "The top answer was to simply pay more — no surprises there. Despite over 96% of respondents reporting they feel fairly compensated, they still feel a pay increase would help keep them around. But security teams also pointed to other factors: supplying more modern tools with advanced capabilities; hiring more people; and providing tools that automate the tedious manual tasks that have them looking elsewhere."
Investments and exits.
Security governance startup Gutsy has emerged from stealth with $51 million in seed funding from YL Ventures LLC and Mayfield Fund, SiliconANGLE reports.
Prove Identity has secured $40 million in a funding round led by MassMutual Ventures and Capital One Ventures.
Digital security and fraud prevention platform Darwinium has raised $18 million in a Series A round led by US Venture Partners (USVP), with participation from existing investors Blackbird, Airtree Ventures, and Accomplice.
Biometric authentication startup Anonybit has secured an additional $3 million funding round led by JAM FINTOP, with participation from Connecticut Innovations and 4S Bay Partners, bringing the company's total funding to $8 million.
Vera, a privacy and security enforcement startup, has raised $2.7 million in a pre-seed round led by Differential Venture Partners, with participation from Betaworks, Everywhere VC, Essence VC, SaaS Ventures, Greycroft, and ATP Ventures, FinSMEs reports.
And security innovation.
The allies who produced the original guide to security by design, "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software" (the Five Eyes plus Germany and the Netherlands), have been joined by their counterparts in the Czech Republic, Israel, Japan, the Republic of Korea, Norway, the Organization of American States, and Singapore in updating the guidelines. CISA described the goal of the updated version, made available this week: "This guidance is intended to further catalyze progress toward investments and cultural shifts necessary for measurable improvements in customer safety; expanded international conversation about key priorities, investments, and decisions; and a future where technology is safe, secure, and resilient by design."