By the CyberWire staff
At a glance.
- Election security: no major incidents in US off-year voting.
- The cyber front in the Hamas-Israel war.
- Sandworm and Ukraine's power grid: 2022 attacks described and analyzed.
- A major Chinese cyberespionage effort against Cambodia.
- Current BlueNoroff activity.
- Data brokers offer information on active US military personnel.
- Singapore resort sustains cyberattack.
- Update on Okta's response to its security incident.
- A precautionary shutdown at a major US mortgage lender.
- A new Gootloader variant is active in the wild.
- Atlassian vulnerabilities actively exploited.
Election security: no major incidents in US off-year voting.
Tuesday was Election Day in the US, an off-year election, but one that security experts watched closely. The US Cybersecurity and Infrastructure Security Agency (CISA) ran an Election Operations Center to help secure the vote. The agency said, "This Elections Operations Center brings together federal partners, state and local election officials, and private sector election partners to share real-time threat information. CISA stands ready to provide technical security support to the election infrastructure community." CISA's quick assessment late Tuesday concluded, “We continue to see no specific or credible threats to election infrastructure.”
The cyber front in the Hamas-Israel war.
The National Interest published an assessment of cyber operations to date in the war between Hamas and Israel. Israel shut down Internet connectivity in Gaza during the first weeks of the war (and tightened the shutdown over the weekend), and Israel has sustained a variety of hacktivist assaults. Most of these have achieved at most nuisance-level effects. The most prominent were the successful hacktivist intrusion into the Red Alert civil defense missile warning system on October 8, and the October 12th hack of smart billboards in Tel Aviv to display pro-Hamas messages. Israeli defenses seem to have been largely successful in blunting state-directed attacks. The National Interest writes, "the lack of success or diminished presence of state-sponsored threat groups seems to be attributed to the proactive cyber defensive approach adopted by the Israeli National Cyber Directorate (INCD) as well as the mobilization of the country’s cyber security ecosystem."
Whatever the effectiveness of Israeli cyber defenses, some state-sponsored threat actors have intervened on the side of Hamas (much of this activity is Iranian, some of it Russian). Palo Alto Networks' Unit 42 this morning reported that an Iranian threat group, "Agonizing Serpens" (which other researchers call "Agrius," "BlackShadow," "Pink Sandstorm," or "DEV-0022") is conducting a two-phase campaign against Israeli universities and research organizations. The first stage is data theft, with the data subsequently used to dox the victims. Unit 42 sees this as fundamentally an influence operation as opposed to traditional espionage. The information stolen is both personal and proprietary, and doxing is central to the operation; its goal is "to sow fear or inflict reputational damage." The second stage is a wiper attack, which the researchers characterize as a "scorched earth" approach that renders affected endpoints unusable. The attackers gain access through vulnerable web servers, on which they deploy web shells. Unit 42 describes three tools used in the wiper phase as novel, not previously seen: MultiLayer (which covers the attacker's tracks), MultiList (which inventories files on the affected system), and MultiWip (the wiper proper).
Uptycs reports that one hacktivist group, GhostSec, formerly an Anonymous affiliate, may be turning its attention to Israel. "Previously dedicated to tracking and disrupting ISIS-related online propaganda, they notably collaborate more closely with law enforcement and intelligence agencies than their predecessor, Anonymous," Uptycs comments. Their recent activity against Israeli targets, however, suggests a shift in the group's interests and focus, especially since that activity is centered on its GhostLocker ransomware-as-a-service operation. The evident profit motive suggests a new complexity to GhostSec's goals and objectives.
CrowdStrike describes a series of cyberattacks that targeted Israeli organizations in the transportation, logistics, and technology sectors in October 2023. CrowdStrike attributes the campaign to the Iran-aligned threat actor IMPERIAL KITTEN. IMPERIAL KITTEN is believed to be associated with Iran’s Islamic Revolutionary Guard Corps (IRGC), and “likely fulfills Iranian strategic intelligence requirements associated with IRGC operations.” In this case, IMPERIAL KITTEN used spearphishing emails to deliver several strains of malware via malicious Excel documents, including IMAPLoader and StandardKeyboard.
A study by Microsoft finds that Iranian cyberattacks against Israeli targets have been "reactive and opportunistic," not forming part of an integrated campaign developed in cooperation with Hamas. Nonetheless, some of the most consequential cyberattacks of the war so far have emanated from Iran, and the head of Israel's National Cyber Directorate, Gaby Portnoy, sees the prospect of an intensified Iranian campaign as his biggest worry. “They [Iran] know that they can act there more freely [in cyberspace] than in the physical space,” Portnoy told CNN. “We are prepared for that as much as we can.”
Sandworm and Ukraine's power grid: 2022 attacks described and analyzed.
Mandiant released a study of Sandworm's cyberattacks against Ukraine's electrical power grid last year. Sandworm, also known as Voodoo Bear, is a threat actor operated by the GRU's Unit 74455. Three months of preparation culminated, on October 10th, 2022, in the exploitation of end-of-life Hitachi Energy MicroSCADA control systems, which brought the affected systems under Sandworm control and enabled the attackers to issue commands that tripped breakers in electrical power distribution substations. Two days later Sandworm deployed a new variant of CaddyWiper (discovered in Ukraine the previous March by ESET), which served both to damage the associated IT networks and to obscure its own operations. The attack was marked by living-off-the-land techniques, significant because they "decreased the time and resources required to conduct a cyber physical attack," and because they reduced the likelihood of detection.
The Russian campaign stands out for several reasons. First, it was a successful attack against a widely deployed OT system. Such attacks have been rare, and have proven difficult to execute. Second, the cyberattacks coincided with a kinetic Russian missile campaign designed to cripple Ukrainian infrastructure as winter approached. Such coordination of cyberattack into a combined arms operation has also been rare, and difficult for Russian forces to achieve. Third, the attack showed both careful preparation and an ability to develop offensive tools quickly. And, finally, the attack showed what Russia is likely to attempt in its infrastructure disruption campaign during the winter of 2023 to 2024.
The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.
A major Chinese cyberespionage effort against Cambodia.
Palo Alto Networks' Unit 42 has found two major Chinese APTs engaged in cyberespionage against Cambodia. They've hit at least twenty government and industry organizations in that country in what appears to be a long-term collection effort. Cambodia and China enjoy generally good diplomatic and economic relations, but that's irrelevant to China's choice of targets. Beijing's long-range goal is an enhanced naval presence in the waters off Southeast Asia, and the intelligence being gathered is designed to support that end.
Current BlueNoroff activity.
Jamf has published a report on a new macOS malware strain attributed to North Korea’s BlueNoroff threat actor. BlueNoroff is a suspected state-sponsored actor that focuses on cryptocurrency theft. Jamf explains, “The activity seen here greatly aligns with the activity we’ve seen from BlueNoroff in what Jamf Threat Labs tracks as the Rustbucket campaign where the actor reaches out to a target claiming to be interested in partnering with or offering them something beneficial under the disguise of an investor or head hunter. BlueNoroff often creates a domain that looks like it belongs to a legitimate crypto company in order to blend in with network activity.”
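The lookalike-domain tactic Jamf describes (a registered name that reads like a legitimate crypto company's) is something a defender can screen for in mail or DNS logs before a target ever replies. The following is an added example, not Jamf's, BlueNoroff's, or the CyberWire's code: the allowlist of good domains, the homoglyph table, the similarity threshold, and the two-label split of a registrable domain are all constructed assumptions for the illustration.

```python
from difflib import SequenceMatcher

# Constructed allowlist of domains an organization actually does business
# with; the names are placeholders, not real companies.
KNOWN_GOOD = ["examplecoin.com", "samplewallet.io", "okta.com"]

# Common character substitutions used to make one name read like another.
# Applied before comparison so "examp1ecoin" and "exarnplecoin" both fold
# to "examplecoin". (Assumed table; extend it from your own observations.)
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}

SIMILARITY_THRESHOLD = 0.8  # assumed: ratio at or above which a label is a lookalike
MIN_BRAND_LEN = 4           # assumed: shortest brand label used for substring matching


def normalize(label):
    """Lower-case a DNS label and fold the homoglyph substitutions above."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def split_domain(domain):
    """Return (registrable domain, leading subdomain labels).
    Assumption: a two-label registrable suffix such as example.com; multi-label
    public suffixes (co.uk and the like) would need a public-suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]), parts[:-2]


def assess_domain(candidate, known_good=KNOWN_GOOD):
    """Classify a domain seen in mail headers or DNS logs against the allowlist.
    Returns (verdict, matched known-good domain or None, similarity score)."""
    registrable, subdomains = split_domain(candidate)
    if registrable in known_good:
        return ("known_good", registrable, 1.0)

    good_labels = {g.split(".")[0]: g for g in known_good}
    cand_label = normalize(registrable.split(".")[0])

    # A trusted brand used as a subdomain of an unrelated registrable domain
    # (brand.com.evil.example) is a lure pattern worth its own verdict.
    for sub in subdomains:
        if normalize(sub) in good_labels:
            return ("brand_in_subdomain", good_labels[normalize(sub)], 1.0)

    best_domain, best_score = None, 0.0
    for label, good in good_labels.items():
        if cand_label == label or (len(label) >= MIN_BRAND_LEN and label in cand_label):
            # Exact match after homoglyph folding, or the brand embedded in a
            # longer label ("examplecoin-invest"): treat as a certain lookalike.
            score = 1.0
        else:
            score = SequenceMatcher(None, cand_label, label).ratio()
        if score > best_score:
            best_domain, best_score = good, score

    if best_score >= SIMILARITY_THRESHOLD:
        return ("lookalike", best_domain, best_score)
    return ("unrelated", None, best_score)


if __name__ == "__main__":
    # Constructed sender domains as they might appear in a mail log.
    for seen in ["www.examplecoin.com", "examp1ecoin.com", "exarnplecoin.com",
                 "examplecoin-invest.com", "examplecoin.com.evil.example",
                 "okta-login.example", "weather.example"]:
        print(seen, "->", assess_domain(seen))
```

The substring rule is what catches the "brand plus a plausible suffix" pattern that a pure edit-distance score misses, at the cost of occasional false positives on short brand names; tune MIN_BRAND_LEN and the threshold against your own allowlist, and treat a "lookalike" or "brand_in_subdomain" verdict as a reason to hold the message for review, not as proof of attribution.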
North Korea has long used cybercrime as a means of redressing economic shortfalls caused by international sanctions and the pariah state’s own policies.
Data brokers offer information on active US military personnel.
Sensitive personal information belonging to thousands of active-duty US military personnel can be purchased for as little as twelve cents per record from online data brokers, researchers at Duke University have found. The information includes health data, financial data, location data, information about religious practices, and more. The researchers note that the availability of such data poses national security risks, though the data brokerage industry remains largely unregulated in the US: “In short, an industry that builds and sells detailed profiles on Americans could be exploited by hostile actors to target military servicemembers and veterans, as a subset of the U.S. population. Many veterans often still know currently classified information, even if they are no longer active-duty members of the military.” Justin Sherman, a senior fellow at Duke’s Sanford School of Public Policy, told CNN, “It was way too easy to obtain this data: a simple domain, 12 cents a service member, and no background checks on our purchases. If our research team, subject to university research ethics and privacy processes, could do this in an academic study, a foreign adversary could get data in a heartbeat to profile, blackmail, or target military personnel.” For more on data brokers and their access to servicemembers' PII, see CyberWire Pro.
Singapore resort sustains cyberattack.
Singapore’s Marina Bay Sands resort has disclosed a data breach that affected the personal information of 665,000 customers, CNA reports. The breached data belonged to non-casino rewards programme members, and included names, email addresses, mobile phone numbers, phone numbers, countries of residence, and membership numbers and tiers. The incident occurred on October 19th and 20th 2023. The company said in a statement, “We will be reaching out to Sands LifeStyle loyalty programme members and sincerely apologize for the inconvenience caused by this incident. We have reported it to the relevant authorities in Singapore and other countries where applicable and are working with them in their inquiries into the issue.” For more on the Marina Bay Sands incident, see CyberWire Pro.
Update on Okta's response to its security incident.
Identity and access management provider Okta has provided additional details on the breach it sustained from September 28th to October 17th. The company disclosed that “a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers.” The threat actor obtained “HAR files that contained session tokens which could in turn be used for session hijacking attacks,” and used these tokens to hijack the Okta sessions of five customers. Three of these customers (1Password, BeyondTrust, and Cloudflare) have disclosed that they were affected. Okta continued, “The unauthorized access to Okta’s customer support system leveraged a service account stored in the system itself." For more on the incident, see CyberWire Pro.
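The HAR files at the center of the Okta incident are plain JSON browser captures, and the session material they carry sits in ordinary request and response headers and cookie arrays, which is why a capture shared with a support desk can be replayed for session hijacking. The following is an added example, not Okta's tooling or the CyberWire's: a sanitizer that blanks credential-bearing headers and cookies before a HAR leaves the machine, plus an audit check for anything still live. The sample HAR, its host name, and the CONSTRUCTED_* token values are made up for the illustration.

```python
import copy
import json

# Constructed HAR (HTTP Archive) document standing in for a browser capture sent
# to a support desk. Host name, cookie names and token values are made up; the
# upper-case CONSTRUCTED_* strings mark where a real file carries live session
# material in clear text.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://tenant.example/api/v1/users/me",
                    "headers": [
                        {"name": "Accept", "value": "application/json"},
                        {"name": "Cookie", "value": "sid=CONSTRUCTED_SID; JSESSIONID=CONSTRUCTED_JSESSIONID"},
                        {"name": "Authorization", "value": "Bearer CONSTRUCTED_ACCESS_TOKEN"},
                    ],
                    "cookies": [{"name": "sid", "value": "CONSTRUCTED_SID"}],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Content-Type", "value": "application/json"},
                        {"name": "Set-Cookie", "value": "sid=CONSTRUCTED_NEW_SID; Path=/; Secure; HttpOnly"},
                    ],
                    "cookies": [{"name": "sid", "value": "CONSTRUCTED_NEW_SID"}],
                    "content": {"mimeType": "application/json", "text": "{\"id\": \"00u_constructed\"}"},
                },
            }
        ],
    }
}

# Standard HTTP headers that carry credentials or session identifiers.
# Header names are case-insensitive, so comparisons are done in lower case.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"


def redact_headers(headers):
    """Keep every header name (the request shape stays useful for debugging)
    but blank the value of any credential-bearing header."""
    return [
        {**h, "value": REDACTED} if h.get("name", "").lower() in SENSITIVE_HEADERS else dict(h)
        for h in headers
    ]


def redact_cookies(cookies):
    """HAR stores parsed cookies separately from the raw header; blank those too."""
    return [{**c, "value": REDACTED} for c in cookies]


def redact_har(har):
    """Return a sanitized deep copy; the caller's original is left untouched."""
    clean = copy.deepcopy(har)
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side)
            if not msg:
                continue
            msg["headers"] = redact_headers(msg.get("headers", []))
            msg["cookies"] = redact_cookies(msg.get("cookies", []))
    return clean


def find_unredacted_tokens(har):
    """Audit check to run before a HAR is shared: returns (entry index, side,
    field) for every sensitive header or cookie that still holds a live value.
    An empty list means nothing replayable remains."""
    leaks = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            msg = entry.get(side) or {}
            for h in msg.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
                    leaks.append((i, side, h["name"]))
            for c in msg.get("cookies", []):
                if c.get("value") != REDACTED:
                    leaks.append((i, side, "cookie:" + c.get("name", "")))
    return leaks


def redact_har_file(src_path, dst_path):
    """Sanitize a HAR file on disk; returns how many live fields were found."""
    with open(src_path, encoding="utf-8") as f:
        har = json.load(f)
    leaks_before = len(find_unredacted_tokens(har))
    with open(dst_path, "w", encoding="utf-8") as f:
        json.dump(redact_har(har), f, indent=2)
    return leaks_before


if __name__ == "__main__":
    print("fields holding session material:", find_unredacted_tokens(SAMPLE_HAR))
    print("after redaction:", find_unredacted_tokens(redact_har(SAMPLE_HAR)))
```

Redaction here is limited to the standard credential headers and the parsed cookie arrays; a real capture may also carry tokens in query strings, POST bodies, or vendor-specific headers, so the audit function is the part to extend with whatever your own applications put on the wire. The other half of the mitigation is the one the incident itself illustrates: even a sanitized HAR should be shared over a channel whose access is as tightly controlled as the sessions it once contained.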
A precautionary shutdown at a major US mortgage lender.
Mr. Cooper (previously Nationstar Mortgage LLC), the largest mortgage lending company in the US, has sustained a cyberattack that brought down its IT systems, BleepingComputer reports. The incident affected the company’s online payment portal; the company noted, “Customers trying to make payments will not incur fees or any negative impacts as we work to fix this issue.”
The company said, “On October 31, Mr. Cooper became the target of a cyber security incident and took immediate steps to lock down our systems in order to keep your data safe. Our systems remain locked down, and we are working on a resolution as quickly as possible.” It wasn't immediately clear whether any customer data had been compromised. The company added, “We are actively investigating this event to determine if any data has been compromised. If customers are impacted, they will be notified and provided with identity protection services.” For more on the incident, see CyberWire Pro.
A new Gootloader variant is active in the wild.
SEO poisoning, in which search results are manipulated so that victims searching for ordinary business terms land on malicious pages, seems to be the initial point of entry for a new Gootloader variant IBM's X-Force has discovered. The researchers call the malicious implant “GootBot,” and say it "facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments." They describe GootBot as "a lightweight obfuscated PS [PowerShell] script, containing only a single C2 server." It's an alternative to other, more familiar post-exploitation tools like CobaltStrike. GootBot implants, once in, spread across an infected enterprise domain looking for domain controllers. "At the time of writing," X-Force says, "GootBot implants maintain zero AV detections on VirusTotal, enabling [the malware] to spread stealthily."
Atlassian vulnerabilities actively exploited.
Rapid7 is tracking ongoing exploitation of a recently disclosed improper authorization vulnerability (CVE-2023-22518) affecting Confluence Data Center and Confluence Server. The security firm says the vulnerability has been exploited in “multiple customer environments, including for ransomware deployment.” Rapid7 notes, “The process execution chain, for the most part, is consistent across multiple environments, indicating possible mass exploitation of vulnerable internet-facing Atlassian Confluence servers.” Atlassian issued patches for the flaw last week, urging customers to apply the fixes immediately.
Rapid7 has also observed exploitation of CVE-2023-22515, “a critical broken access control vulnerability in Confluence that came to light on October 4.”
Crime and punishment.
A Dutch hacker is facing four years of prison time for attacking and blackmailing over a dozen companies in the Netherlands and abroad. Former cybersecurity professional Pepijn Van der Stap has been charged with extortion and laundering upwards of 2.5 million euros in cryptocurrency, Bleeping Computer reports. The Dutch Public Prosecution Service found that Van der Stap and his accomplices targeted both domestic and international companies and institutions with a series of cybercrimes between August 2020 and January 2023. After hacking the companies, the cybercriminals blackmailed the victims, threatening to release stolen data unless they forked over hefty sums, and Van der Stap also sold the sensitive data on the dark web. It’s worth noting that many of the impacted organizations have not yet disclosed the attacks or the extent of their financial losses. The hacker’s CV includes a position at Hadrian Security, as well as a stint volunteering at the Dutch Institute for Vulnerability Disclosure, and he claims he was on the way to cleaning up his act when he was arrested. Van der Stap stated, "For about 16 months before my arrest, I was not engaged in much illegal activity and wanted to get out altogether. But as much as I wanted to get out, it felt impossible at times."
Courts and torts.
The US Securities and Exchange Commission (SEC) continues to pursue its civil suit against IT service management firm SolarWinds, as well as its CISO Tim Brown, for alleged fraud and internal control failures related to the massive 2020 cyberattack that spread like wildfire through the company’s thousands of customers. The lawsuit has the CISO community on high alert as they try to determine how to avoid personal liability for company security failures.
Security Week spoke with industry professionals for their reactions. Igor Volovich, VP of Compliance Strategy at Qmulos, said the SolarWinds incident was less about intentional malfeasance and more about the dangers of divorcing cybersecurity from corporate risk, compliance, and regulatory functions. He also noted that corporate whistleblowers can be granted special protections under the Department of Justice’s Civil Cyber-Fraud Initiative and the False Claims Act, giving them increased incentive to come forward and leaving CISOs in a vulnerable position.
As the Stack notes, EY Cybersecurity Consulting’s Brian Levine penned a LinkedIn post warning CISOs to be especially cautious when it comes to discussing their companies’ cybersecurity issues. With broad recommendations like, “Do not say anything that could even arguably be considered a false statement or omission,” and “Do not state anything that is subjective and avoid adjectives,” his advice demonstrates just how narrow the path is for a CISO who wants to avoid liability. He also recommends that CISOs thoroughly explain their risk disclosure program “so that readers (and the SEC) understand that you are (a) regularly identifying and considering improvements to your controls; and (b) constantly finding and attempting to handle significant vulnerabilities and weaknesses.”
Policies, procurements, and agency equities.
The US Space Force sees the cybersecurity of space systems as crucial to mission capability. Via Satellite quotes Colonel Richard Kniseley, senior material leader of the Space Force’s Commercial Space Office, as saying, “The U.S. and our allied forces must now contend with growing threats from satellite link interceptions.” It's interesting that he sees the threat as representing a convergence of both electronic and cyber attack. “This results from advanced jamming techniques and illegal satellite uplinks. Our operations are hindered by compromised communication integrity and potential data breaches.”
As European lawmakers are scheduled to continue negotiations on the EU’s Cyber Resilience Act (CRA) this week, tech industry leaders are warning that the legislation’s restrictions could stifle innovation, damage the market, and actually weaken cybersecurity. The Information Technology Industry Council (ITI), a global tech trade association based in Washington DC, offers recommendations to ensure the new legislative framework is not so broad that it causes more harm than good. ITI is asking EU legislators to narrow the scope of CRA and more clearly define terms like “remote data processing solutions” and “commercial activity.”
On Monday electronics makers like Siemens, Ericsson, and Schneider Electric, along with industry group DigitalEurope, issued a joint letter to EU industry chief Thierry Breton and digital chief Vera Jourova warning that the CRA’s restrictions could lead to supply chain disruptions. The letter reads, "The law as it stands risks creating bottlenecks that will disrupt the single market." As Reuters explains, the CRA calls for the manufacturers of smart products to assess the cybersecurity risks and take measures to fix any issues over the lifetime of the products, and industry professionals say the resulting red tape could lead to supply delays on par with those experienced during the height of the pandemic. With the increase in smart components in products in recent years, the disruptions could impact everything from washing machines to toys to critical components for high-tech manufacturing.
Fortunes of commerce.
We received emailed comments from Moody's Investors Service on the Mr. Cooper cyber incident described above. “The cyberattack against Mr. Cooper, which blocked millions of customers from making payments and processing mortgage transactions, is credit negative," said Stephen Lynch, Vice President – Senior Credit Officer for Moody’s Investors Service, which is closely monitoring the incident. "The full impact of the event will depend on duration of the disruptions, ensuing potential reputational damage, and magnitude of the breach.”
Mergers and acquisitions.
Insurance firm Travelers has agreed to acquire cyber insurance provider Corvus.
Accenture has acquired Spanish cybersecurity firm Innotec Security from Entelgy Group for an undisclosed amount.
Lumen Technologies has completed the sale of its EMEA business to London-headquartered Colt Technology Services for $1.8 billion.
Arlington, Virginia-headquartered IT services contractor Redhorse has acquired Allied Associates International, a company that provides cybersecurity and engineering services for the national security sector, Washington Technology reports.
Investments and exits.
Zero-trust security firm Xage Security has raised $20 million in an additional funding round led by new investor Science Applications International Corporation (SAIC) and existing investors Piva Capital, March Capital, SCF Partners, Overture Climate Fund, Valor Equity Partners, and Chevron Technology Ventures.
Dubai-based AI cybersecurity startup SpiderSilk has raised $9 million in a funding round led by Wa’ed Ventures, with participation from STV and Global Ventures.
Montana-headquartered AI security startup Wraithwatch has secured $8 million in a seed funding round led by Founders Fund, with participation from XYZ Capital and Human Capital, TechCrunch reports.
London-headquartered supply chain security firm Risk Ledger has secured £6.25 million (US$7.6 million) in a Series A funding led by Mercia Ventures.
Israeli application security startup Myrror Security has emerged from stealth with $6 million in seed funding from Blumberg Capital and Entrée Capital.
Canadian attack surface management technology provider Cavelo has raised CAD$5 million (US$3.6 million) in venture capital financing led by Inovia Capital, with participation from existing investors including Graphite Ventures.