At a glance.
- StripedFly reclassified.
- Eastern European gangs overcome their reservations about anglophone criminals.
- DDoS activity during the Hamas-Israeli war.
- Ukrainian cyber authorities report a rise in privateering Smokeloader attacks.
- Russian intelligence services' cyber operations in the hybrid war.
- DPRK threat actors pose as IT workers.
- Winter Vivern exploits a mail service 0-day.
- Okta discloses a data exposure incident.
Kim Zetter reports, in Zero Day, that the StripedFly cryptominer has turned out to be more malign than previously thought. When Kaspersky discovered it in 2017, they wrote it off as a simple piece of criminal malware, designed for cryptomining. They also wrote it off as uninteresting and unsuccessful, yielding its proprietors nothing more than chump change from mining the Monero alt-coin: just ten bucks in 2017, only $500 in 2018. Apparently, however, StripedFly was actually interested in collecting information, not cryptocurrency. Kaspersky "discovered the miner was actually a cover for a sophisticated spy platform that has infected more than one million victims around the world since 2017."
StripedFly seems to be a carefully designed espionage toolset that masked itself as an uninteresting, stumblebum criminal operation. StripedFly gains initial access to its targets through a variant of EternalBlue, an exploit attributed to an actor Kaspersky tracks as the Equation Group. Kaspersky studiously avoids attribution to nation-state services, but the Equation Group is widely believed to be associated with the US National Security Agency. EternalBlue was blown by the ShadowBrokers in April of 2017, a month after Microsoft patched the vulnerability the exploit targets. Since then other services, notably China's Ministry of State Security, have used variants of EternalBlue, but it's not at all clear who's responsible for StripedFly. For more on StripedFly, see CyberWire Pro.
Eastern European gangs overcome their reservations about anglophone criminals.
Microsoft describes “Octo Tempest,” a financially motivated threat actor that uses social engineering to compromise organizations around the world. Among the gang's victims, the Record points out, was MGM Resorts. At the time of that attack, the group was being called Scattered Spider, 0ktapus, or UNC3944.
One of the more repellent features of Octo Tempest's activity is its willingness to make direct personal threats of violence to bully victims into giving up their credentials. A sample threat reads as follows (and we note that speaking English doesn't mean writing it well: the language is coarse, debased, and primitive): "if we dont get ur [redacted] login in the next 20 minutes were sending a shooter to ur house ur wife is gonna get shot if u dont fold it lmk [redacted] well send shooters to both LOL." For more on Octo Tempest, see CyberWire Pro.