By the CyberWire staff
At a glance.
- StripedFly reclassified.
- Eastern European gangs overcome their reservations about anglophone criminals.
- DDoS activity during the Hamas-Israeli war.
- Ukrainian cyber authorities report a rise in privateering Smokeloader attacks.
- Russian intelligence services' cyber operations in the hybrid war.
- DPRK threat actors pose as IT workers.
- Winter Vivern exploits a mail service 0-day.
- Okta discloses a data exposure incident.
StripedFly reclassified.
Kim Zetter reports, in Zero Day, that the StripedFly cryptominer has turned out to be more malign than hitherto expected. When Kaspersky discovered it in 2017, they wrote it off as a simple piece of criminal malware, designed for cryptomining. They also wrote it off as uninteresting and unsuccessful, yielding its proprietors nothing more than chump change from mining Monero alt-coin: just ten bucks in 2017, only $500 in 2018. Apparently, however, StripedFly was actually interested in collecting information, not cryptocurrency. Kaspersky "discovered the miner was actually a cover for a sophisticated spy platform that has infected more than one million victims around the world since 2017."
StripedFly seems to be a carefully designed espionage toolset that masked itself as an uninteresting, stumblebum criminal operation. StripedFly gains initial access to its targets through a variant of EternalBlue, an exploit attributed to an actor Kaspersky tracks as the Equation Group. Kaspersky studiously avoids attribution to nation-state services, but the Equation Group is widely believed to be associated with the US National Security Agency. EternalBlue was blown by the ShadowBrokers in April of 2017, a month after Microsoft patched the SMB vulnerability the exploit targets. Since then other services, notably China's Ministry of State Security, have used variants of EternalBlue, but it's not at all clear who's responsible for StripedFly. For more on StripedFly, see CyberWire Pro.
Eastern European gangs overcome their reservations about anglophone criminals.
Microsoft describes “Octo Tempest,” a financially motivated threat actor that uses social engineering to compromise organizations around the world. Among the gang's victims, the Record points out, was MGM Resorts. At the time of that attack, the group was being called Scattered Spider, 0ktapus, or UNC3944.
One of the more repellent features of Octo Tempest's activity is its willingness to make direct personal threats of violence to bully victims into giving up their credentials. A sample threat reads as follows (and we note that speaking English doesn't mean writing it well--the language is coarse, debased, and primitive): "if we dont get ur [redacted] login in the next 20 minutes were sending a shooter to ur house ur wife is gonna get shot if u dont fold it lmk [redacted] well send shooters to both LOL." For more on Octo Tempest, see CyberWire Pro.
DDoS activity during the Hamas-Israeli war.
Cloudflare has published an overview of distributed denial-of-service (DDoS) attacks during the present war. Attacks against Israeli targets dwarfed attacks against Palestinian websites by a factor of ten.
The firm's observations showed negligible DDoS activity against Israeli sites in the weeks preceding the war, with a sharp spike on the morning of October 7th, when Hamas began its attacks. That activity peaked on October 8th, falling off until another surge on the 20th. The initial attacks "targeted websites that provide critical information and alerts to civilians on rocket attacks." Since then the attacks have concentrated on news and media sites, with some 56% of DDoS operations targeting these. After news media in frequency of targeting came the software sector (34%), followed by financial services, with government administration websites placing fourth.
DDoS against Palestinian sites surged after Hamas's initial attacks. In this case, however, the most targeted sector was financial services, with almost 76% of attacks directed against banks. "The Internet industry" came in second, sustaining 24% of DDoS activity. Media production websites came in a distant third.
Ukrainian cyber authorities report a rise in privateering Smokeloader attacks.
Russia has stepped up cyberattacks directed against Ukraine and Ukraine's international supporters. Some have been financially motivated; others have aimed simply at disruption.
Kyiv's National Cybersecurity Coordination Center (NCCC) reported Tuesday that it was investigating an increase in Russian criminal attacks using Smokeloader malware. The NCCC explicitly characterizes the threat actors as "financially motivated cybercriminals," effectively privateers who supplement the efforts of Russian intelligence and security services and the hacktivist auxiliaries those services direct.
Russian intelligence services' cyber operations in the hybrid war.
ESET's APT Activity Report for the second and third quarters of 2023 matches unpatched vulnerabilities with government-sponsored offensive cyber operations. Unsurprisingly, Russian cyber activity retains its focus on Ukraine. The main Russian APT groups ESET tracks are Sandworm (operated by the GRU's Unit 74455, and also known as Voodoo Bear), Turla (associated with the FSB, and also known as Venomous Bear), Sednit (more familiarly known as Fancy Bear, and run by the GRU), and Gamaredon (an FSB operation, also known as Primitive Bear). ESET says that the greatest of these, from the Ukrainian perspective, is Gamaredon, "which significantly enhanced its data-collecting capabilities by redeveloping existing tools and deploying new ones."
The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.
DPRK threat actors pose as IT workers.
The FBI has issued a public service announcement offering “guidance to the international community, the private sector, and the public to better understand and guard against the inadvertent recruitment, hiring, and facilitation” of North Korean IT workers. The Bureau notes that “[t]he hiring or supporting of DPRK IT workers continues to pose many risks, ranging from theft of intellectual property, data, and funds, to reputational harm and legal consequences, including sanctions under U.S., ROK, and United Nations (UN) authorities.” For more on North Korean operators out job hunting, see CyberWire Pro.
Winter Vivern exploits a mail service 0-day.
ESET warns that the Winter Vivern threat actor has been exploiting a cross-site-scripting zero-day vulnerability (CVE-2023-5631) in the Roundcube Webmail server since October 11th, 2023. Roundcube released patches for the flaw on October 16th. Winter Vivern used the flaw to conduct cyberespionage operations against European government entities and a think tank. The researchers don’t attribute Winter Vivern to any particular nation-state, but they note that it may be tied to the Belarus-aligned threat actor MoustachedBouncer.
Okta discloses a data exposure incident.
Identity and access management company Okta has disclosed a data breach affecting some of the company’s customers. The company stated, “The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases. It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted. In addition, the Auth0/CIC case management system is not impacted by this incident.”
BeyondTrust, which discovered the breach, said, “The incident was the result of Okta’s support system being compromised which allowed an attacker to access sensitive files uploaded by their customers.” KrebsOnSecurity notes that “it appears the hackers responsible had access to Okta’s support platform for at least two weeks before the company fully contained the intrusion.” For more on this incident, see CyberWire Pro.
Patch news.
Cisco has disclosed a new zero-day vulnerability (CVE-2023-20273) that was used to deploy malware on IOS XE devices compromised via CVE-2023-20198, another zero-day the company disclosed last week, BleepingComputer reports. According to data from Censys, as of October 18th nearly 42,000 Cisco devices had been compromised by the backdoor, though that number is steadily falling. Cisco made fixes available on October 22nd.
SecurityWeek reports that Mirth Connect, an open-source data integration platform developed by NextGen HealthCare, is affected by a new flaw that allows attackers to bypass the fix for CVE-2023-37679, a critical-severity remote-code-execution vulnerability patched in August. Researchers at Horizon3.ai discovered the new flaw, noting that it was fixed in version 4.4.1 of Mirth Connect. The researchers state, “We urge all users of Mirth Connect, especially instances that are Internet-facing, to prioritize updating to 4.4.1 ASAP.”
Crime and punishment.
China’s Ministry of Public Security has brought back several thousand of the country’s citizens who were working for Chinese cybercriminal syndicates in Myanmar, the Associated Press reports. Many of the individuals were forced to work for the gangs, and it’s unclear how they’ll be dealt with by the Chinese justice system.
Authorities in Singapore have arrested twelve people between the ages of 17 and 40 for their alleged involvement in running scams on social media, the Independent Singapore reports.
The Spanish National Police have arrested 34 suspected members of a cybercriminal operation that ran a wide variety of scams, BleepingComputer reports. Sixteen raids across Madrid, Malaga, Huelva, Alicante, and Murcia led to the seizure of “firearms and hand weapons, four high-end cars, 80,000 euros in cash, and computers hosting a database with information on four million people.”
The Register reports that a 31-year-old Moldovan man who allegedly ran the cybercriminal marketplace E-Root has been extradited from the UK to the US to stand trial for charges of “conspiracy to commit access device and computer fraud, wire fraud conspiracy, money laundering conspiracy, access device fraud, and computer fraud.”
And finally, Europol has released details of an international law enforcement operation to disrupt the RagnarLocker ransomware gang: “In an action carried out between 16 and 20 October, searches were conducted in Czechia, Spain, and Latvia. The ‘key target’ of this malicious ransomware strain was arrested in Paris, France, on 16 October, and his home in Czechia was searched. Five suspects were interviewed in Spain and Latvia in the following days. At the end of the action week, the main perpetrator, suspected of being a developer of the Ragnar group, has been brought in front of the examining magistrates of the Paris Judicial Court. The ransomware’s infrastructure was also seized in the Netherlands, Germany, and Sweden and the associated data leak website on Tor was taken down in Sweden.”
Courts and torts.
In an effort to fight misinformation, the US Supreme Court on Friday decided to pause a ruling restricting government interference with social media content. The New York Times reports that the Court has also decided to hear the Biden administration’s appeal on the ruling, reopening a case that questions where content moderation ends and government censorship begins. Justices Samuel Alito Jr, Clarence Thomas, and Neil Gorsuch voted against the pause, Alito stating, “Government censorship of private speech is antithetical to our democratic form of government, and therefore today’s decision is highly disturbing.”
Meta is being sued by a coalition of forty-one US states and the District of Columbia for allegedly incorporating addictive features that target minors in its social media platforms. The plaintiffs claim that Meta misled the public about the dangers of Facebook and Instagram for young users and intentionally marketed its products to children under the age of 13, who are prohibited from the platforms by Meta’s policies as well as federal law. The Washington Post explains that the litigation comes on the heels of unsuccessful settlement talks with the tech giant that followed a multi-year investigation into how Meta’s practices affect the mental health of young users. The goal of the lawsuits is to force Meta to make policy changes that will lessen its platforms’ negative impact on minors and financially penalize the company for its practices.
Policies, procurements, and agency equities.
In an “unprecedented” joint call by Five Eyes counterintelligence leaders last Tuesday, the officials called out Beijing for what they characterized as theft of intellectual property on an “unprecedented” scale. The Five Eyes--Australia, Canada, New Zealand, the United Kingdom, and the United States--called on industry and universities to help counter this threat of Chinese espionage. Such espionage is nothing new, but what the Five Eyes find particularly unsettling is the use of artificial intelligence in these campaigns, given its potential to amplify and augment the threat. The Five Eyes' counterintelligence leads have been unusually open in their assessment of the Chinese espionage threat. They took their concerns to the broader public in an unprecedented joint appearance on CBS News' "60 Minutes" this Sunday. For more on the warning, see CyberWire Pro.
"LOVEINT," or the practice of abusing government surveillance programs to virtually follow one's inamorata or inamorato around, has led to more queasiness about the reauthorization of Section 702. Wired reports that there’s been a new development in the ongoing debate over whether a powerful US intelligence surveillance tool should be renewed. Known as Section 702, the tool allows government intelligence agencies access to foreign communications, and is set to expire at the end of the year. While intelligence officials consider Section 702 an indispensable tool to uphold national security, privacy advocates say Section 702 has been abused to allow unlawful surveillance of US citizens.
Fortunes of commerce.
Swimlane has published a report looking at the state of cybersecurity in the financial services sector, finding that “20% of respondents have had at least one breach with a total cost of $5 million in the last 12 months.” Additionally, 42% of respondents had a breach that cost at least $1 million in the past year. The top threats seen by financial services organizations are phishing (34%), ransomware (31%), cloud security threats (25%), and insider threats (21%).
Another look at the sector comes from Veracode, which this morning released a report looking at “the key factors influencing flaw introduction and accumulation” in the financial services sector. The researchers found that “[w]hile nearly 72 percent of applications in the Financial Services sector contain security flaws, this is the lowest of all industries analyzed and an improvement since last year.”
Mergers and acquisitions.
RTX (formerly known as Raytheon) is selling its cybersecurity business to an undisclosed buyer for approximately $1.3 billion, NBC Boston reports. A company spokesperson stated, "We regularly review our portfolio to ensure our business is best positioned to deliver for our customers, stakeholders and employees. Based on that review, we decided to divest our Cybersecurity, Intelligence and Services business. We believe this gives the business greater autonomy to deliver on customer missions and allows it to serve as a platform for innovation well into the future."
Accenture has acquired managed cybersecurity services firm MNEMO Mexico for an undisclosed amount. The company stated, "MNEMO Mexico’s cybersecurity professionals will join Accenture Security’s workforce of more than 19,500 professionals globally, extending Accenture’s local resources and capabilities in Mexico / Latin America while addressing the growing regional demand for managed security services."
Investments and exits.
Fraud detection company Spec has raised $15 million in a Series A round led by SignalFire, with participation from Legion Capital and Rally Ventures.
London- and San Francisco-headquartered generative AI security company Harmonic Security has launched with $7 million in seed funding from Ten Eleven Ventures, with participation from Storm Ventures and private investors.
Australian searchable data encryption company CipherStash has raised $3 million in a seed funding round led by Skip Capital, with participation from SixThirty Ventures.
French Software-as-a-Service application security startup Zygon has secured $3 million in seed funding led by Axeleo Capital, with participation from Kima Ventures.
Singaporean cyber risk management firm Protos Labs has raised SGD 3 million (approximately $2.2 million USD) in seed funding from BEENEXT, VinaCapital Ventures, Artem Ventures (in partnership with FWD Insurance), Plug and Play Silicon Valley, Investible, Gan Konsulindo, 1337 Ventures, and Gobi Partners.
Island, a pioneer in the enterprise browser category, has announced a $100 million C-round. The investment, led by Prysm Capital and joined by Canapi Ventures and existing venture investors Insight Partners, Stripes, Sequoia, Cyberstarts, and Georgian, gives Island a valuation of $1.5 billion. Island is headquartered in Dallas and has R&D facilities in Tel Aviv.
And security innovation.
Europol's Innovation Lab has published a report, "The Second Quantum Revolution," in which it outlines the potential implications of the new technology for law enforcement. Greater computational power promises new cryptographic challenges and new sensing opportunities. The report represents preparatory work. It urges agencies to stay aware of developments in the new field, and it summarizes its recommendations under five headings: "Observe quantum trends," "Build up knowledge and start experimenting," "Foster research and development (R&D) project," "Assess the impact of quantum technologies on fundamental rights," and "Review your organisation's transition plans." For more on Europol's advice, see CyberWire Pro.