By the CyberWire staff
At a glance.
- Molerats update their tactics, but not their target list.
- Protestware in open-source products.
- NSA warns of China-backed attacks on US critical infrastructure.
- GRU's Sandworm implicated in campaign against Danish electrical power providers.
- Cyberespionage campaign attributed to Russia's SVR.
- Anonymous Sudan claims attacks on ChatGPT and Cloudflare.
- Australian ports recovering from cyberattack.
- Rhysida malware: a warning and a description.
- BlackCat uses malicious Google ads.
- SysAid exploitation by Cl0p user Lace Tempest.
- Phobos ransomware: an affiliate crimeware-as-a-service program.
- LockBit doxes Boeing as Boeing hangs tough on paying ransom.
- Ransomware attack against China's largest bank.
Molerats update their tactics, but not their target list.
Proofpoint researchers have described new activity by TA402, the Palestinian-aligned threat actor better known as Molerats and sometimes called the Gaza Cybergang, Frankenstein, or WIRTE. Between July and October TA402 used a new downloader, IronWind, to deliver shellcode to victim systems. The group has also shifted away from malicious Dropbox links toward XLL and RAR file attachments, presumably to evade detection. TA402's targeting continues to follow its historical pattern of prospecting Arabic-speaking governmental organizations in the Middle East and North Africa. It has not so far shown a shift toward direct support of the war between Hamas and Israel.
Protestware in open-source products.
ReversingLabs this week drew attention to "protestware," the practice of concealing scripts that advocate a political position in npm packages embedded in open-source software. The message is commonly displayed after a user installs or runs the package. "Although the latest packages are not malicious," ReversingLabs researchers say, "they underscore a persistent risk in open source software, in which unintended and malicious features can lurk undetected — even in widely used applications." The two campaigns discussed in the report are being run, separately, in the Palestinian and Ukrainian interest, and, while protestware tends to shadow current events, it is not confined to the fighting in Ukraine or Gaza.
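Code that runs "after a user installs" an npm package normally does so through the package's install-time lifecycle scripts (preinstall, install, postinstall, prepare), so those are the first place to look for protestware or anything worse. The following is an added example, not code from ReversingLabs or from the original article: a small auditor that reads package.json documents, lists any lifecycle scripts they declare, and flags commands that launch a bundled script or fetch remote content. The three package.json documents, their names, and the flagging patterns are constructed for this example.

```javascript
// Added example: audit npm package.json documents for install-time lifecycle
// scripts. The sample packages below are constructed, not real published ones.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristics (assumed for this example) that merit a closer look when they
// appear in a lifecycle script: running a bundled JS file, downloading
// content, or invoking PowerShell / base64 decoding.
const SUSPICIOUS = [
  /\bnode\s+\S+\.js\b/i,
  /\bcurl\b|\bwget\b/i,
  /\bpowershell\b/i,
  /\bbase64\b/i,
];

// Parse one package.json and report its lifecycle hooks. A document that
// does not parse is reported too, since npm would refuse it anyway and a
// reviewer should know the package is malformed.
function auditPackage(name, pkgJsonText) {
  let pkg;
  try {
    pkg = JSON.parse(pkgJsonText);
  } catch (e) {
    return { name, parseError: true, hooks: [] };
  }
  const scripts = pkg && typeof pkg.scripts === "object" && pkg.scripts ? pkg.scripts : {};
  const hooks = LIFECYCLE_HOOKS
    .filter((h) => typeof scripts[h] === "string")
    .map((h) => ({
      hook: h,
      command: scripts[h],
      flagged: SUSPICIOUS.some((re) => re.test(scripts[h])),
    }));
  return { name, parseError: false, hooks };
}

// Audit a list of {name, pkgJson} entries and keep only the ones worth
// reading: packages with lifecycle hooks or a parse error.
function auditAll(packages) {
  return packages
    .map(({ name, pkgJson }) => auditPackage(name, pkgJson))
    .filter((r) => r.parseError || r.hooks.length > 0);
}

// Constructed sample inputs: one clean package, one that runs a bundled
// script after install, one native add-on with a legitimate build step.
const SAMPLE_PACKAGES = [
  { name: "left-pad-clone",
    pkgJson: JSON.stringify({ name: "left-pad-clone", version: "1.0.0",
      scripts: { test: "node test.js" } }) },
  { name: "banner-lib",
    pkgJson: JSON.stringify({ name: "banner-lib", version: "2.1.0",
      scripts: { postinstall: "node ./scripts/banner.js" } }) },
  { name: "native-thing",
    pkgJson: JSON.stringify({ name: "native-thing", version: "0.3.0",
      scripts: { install: "node-gyp rebuild" } }) },
];

function runAudit() {
  return auditAll(SAMPLE_PACKAGES);
}

for (const finding of runAudit()) {
  if (finding.parseError) {
    console.log(`${finding.name}: package.json does not parse`);
    continue;
  }
  for (const h of finding.hooks) {
    console.log(`${finding.name}: ${h.hook} -> "${h.command}"${h.flagged ? "  [REVIEW]" : ""}`);
  }
}
```

In a real tree the inputs come from reading `node_modules/*/package.json`; the heuristics only rank findings, they do not decide them, and a postinstall that prints a banner and one that drops a payload look identical at this level. Installing with `npm install --ignore-scripts` disables lifecycle scripts outright, at the cost of breaking packages such as the native add-on above that genuinely need a build step.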
NSA warns of China-backed attacks on US critical infrastructure.
Speaking at the Cyberwarcon security conference held in Washington, DC last week, two members of the US National Security Agency (NSA) warned that Chinese government-backed hackers are targeting critical infrastructure in the US. As Wired explains, the message isn’t new; since May NSA has been cautioning that the Beijing-sponsored threat group Volt Typhoon has its sights set on the US power grid. At the conference, however, NSA representatives focused on the novel tactics these hackers would use. As the Washington Post notes, NSA reminded attendees that the Chinese government goes to great effort to collect research on zero-day vulnerabilities, and the cybersecurity community should be on the lookout for attacks exploiting these novel bugs.
GRU's Sandworm implicated in campaign against Danish electrical power providers.
SektorCERT, Denmark's "cyber security centre for the critical sectors," this week described what it characterized as the largest cyberattack on record against that country's critical infrastructure. In May of this year an APT group, which SektorCERT associates with Sandworm, simultaneously hit twenty-two companies in Denmark's highly decentralized electrical power sector. The attacks, which began on May 11th and continued into the last week of that month, exploited CVE-2023-28771, a critical command injection flaw affecting Zyxel firewalls. That vulnerability had been disclosed and patched in late April, but the attackers were able to find enough unpatched systems to gain access.
The attack was ultimately detected and stopped without disruption to power distribution, but it seems to have been aimed at gaining comprehensive access to Denmark's grid. The attacks proper were preceded by a reconnaissance phase that began in January. A simultaneous attack against so many targets suggests both careful planning and determined execution. SektorCERT properly notes the difficulties of attribution, and itself stops short of saying the incident was the work of Russia's GRU, but on form it certainly looks like a Sandworm operation. Similar attacks have been mounted against Ukraine's power grid, and the incident in Denmark strongly suggests that infrastructure in what Moscow tends to call the "collective West" can be expected to figure in Russian target lists.
Cyberespionage campaign attributed to Russia's SVR.
Ukraine’s National Cyber Security Coordination Center (NCSCC) has published its analysis of a widespread cyberespionage campaign that, this past September, hit diplomatic targets in Azerbaijan, Greece, Romania and Italy. The foreign ministries of Azerbaijan and Italy were particularly hard hit. The campaign was widely regarded at the time as a Russian intelligence operation, and the NCSCC attributes it directly to APT29, Cozy Bear, a unit of Russia's SVR foreign intelligence service. In this case the intelligence goal seems only tangentially related to Russia's invasion of Ukraine, except insofar as trouble in the Near Abroad inevitably has repercussions for that war. The SVR appears to have been interested in Azerbaijan's intentions with respect to Nagorno-Karabakh, the province Azerbaijan has disputed with Armenia, and which Azerbaijan seized on September 19th and 20th of this year. Cozy Bear has been implicated in several other high-profile incidents, including Russian intrusion into US targets related to the 2016 US elections, and the 2020 supply chain attack against SolarWinds users.
Anonymous Sudan claims attacks on ChatGPT and Cloudflare.
Bloomberg reports that Anonymous Sudan claimed responsibility for distributed denial-of-service (DDoS) attacks that intermittently interrupted OpenAI's ChatGPT last week. The Russian hacktivist auxiliary cited OpenAI's Israeli investments as justification for the operation, thus posing as a more-or-less Islamist group instead of the Kremlin front it is. Anonymous Sudan offered an explanation for its attack on OpenAI in its Telegram channel. The group also claimed responsibility for DDoS attacks against Cloudflare. CyberDaily quotes Anonymous Sudan's Telegram channel: "Cloudflare is strongly down by skynet / Godzilla-Botnet / AnonymousSudan.” Skynet is a DDoS-for-hire operation. Cloudflare quickly restored normal operations. For industry comment on Anonymous Sudan's attacks, see CyberWire Pro.
Australian ports recovering from cyberattack.
Australia's National Cyber Security Coordinator announced Saturday that the government was investigating a cyberattack that disrupted several Australian ports. "DP World Australia has advised it has restricted access to its Australian port operations in Sydney, Melbourne, Brisbane and Fremantle while it investigates the incident," the Coordinator tweeted. "This interruption is likely to continue for a number of days and will impact the movement of goods into and out of the country. DP World Australia is working with its stakeholders to consider the impacts on its operations at specific ports." DP World began restoring operations at the affected ports Monday, according to the BBC.
DP World Australia has said, Bloomberg reports, that it has not received a ransom demand. The Conversation recounts informed speculation to the effect that the incident represents sabotage "by a foreign state actor."
Port operations resumed as the investigation continued. There is so far no public disclosure of the precise nature of the incident, and no known criminal group appears to have claimed responsibility. DP World did issue a statement to its various stakeholders in which it said, "A key line of inquiry in this ongoing investigation is the nature of data access and data theft.” BleepingComputer points out that data theft is typically a concern in extortion attacks, but there has been no public acknowledgement that the incident involved ransomware. (In any case, a concern about data loss would be prudent for any victim of a cyberattack.)
Rhysida malware: a warning and a description.
The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint Cybersecurity Advisory describing the Rhysida ransomware-as-a-service operation: “Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors and any ransom paid is split between the group and affiliates. Rhysida actors leverage external-facing remote services, such as virtual private networks (VPNs), Zerologon vulnerability (CVE-2020-1472), and phishing campaigns to gain initial access and persistence within a network.”
Fortinet has published an analysis of a Rhysida intrusion, noting, “The majority of the TTPs employed by the threat actor during this intrusion are typical for these types of ransomware intrusions, and no novel techniques were observed....While the threat actor may have had more sophisticated TTPs within their repertoire, in this case, they were able to achieve their outcomes using exclusively unsophisticated, known TTPs. As ransomware and extortion-based attacks continue to affect thousands of victims like this one across the globe every day, organizations should focus on ensuring they can detect more of the basic TTPs employed throughout this intrusion.” For more on Rhysida and its place in the C2C market, see CyberWire Pro.
BlackCat uses malicious Google ads.
Researchers at eSentire warn that an ALPHV/BlackCat ransomware affiliate is using malware-laden Google ads to target entities in the Americas and Europe: “This affiliate is taking out Google ads promoting popular software, such as Advanced IP Scanner, Slack, WinSCP, and Cisco AnyConnect, to lure business professionals to attacker-controlled websites. Thinking they are downloading legitimate software, the business professionals are actually downloading the Nitrogen malware. Nitrogen is initial-access malware that leverages Python libraries for stealth. This foothold provides intruders with an initial entry into the target organization’s IT environment.”
SysAid exploitation by Cl0p user Lace Tempest.
Microsoft’s threat intelligence team has warned that Lace Tempest, the Cl0p ransomware actor behind the widespread attacks against the MOVEit file transfer software earlier this year, is now exploiting a recently disclosed path traversal vulnerability (CVE-2023-47246) affecting on-premises SysAid servers. SysAid issued a patch for the flaw on November 8th. For more on Lace Tempest and its exploitation of the SysAid vulnerability, see CyberWire Pro.
Phobos ransomware: an affiliate crimeware-as-a-service program.
Cisco Talos has published a study of the Phobos ransomware affiliate program, alongside an analysis of the ransomware itself. The researchers found five commonly used Phobos variants: Eking, Eight, Elbie, Devos and Faust. They are, for the most part, delivered to targets through the SmokeLoader backdoor Trojan.
LockBit doxes Boeing as Boeing hangs tough on paying ransom.
Boeing sustained a ransomware attack by the LockBit gang with a November 2nd deadline to pay up or face the release of stolen data. Boeing reported that its parts and distribution units were affected, telling the Register, "Elements of Boeing's parts and distribution business recently experienced a cybersecurity incident. We are aware that, in connection with this incident, a criminal ransomware actor has released information it alleges to have taken from our systems. We continue to investigate the incident and will remain in contact with law enforcement, regulatory authorities, and potentially impacted parties, as appropriate. We remain confident this incident poses no threat to aircraft or flight safety." For industry comment on LockBit's attack, see CyberWire Pro.
Ransomware attack against China's largest bank.
A ransomware attack hit the Industrial & Commercial Bank of China (ICBC) last week, disrupting trades in the US Treasury market, Reuters reports. The LockBit ransomware gang is believed to be behind the attack, although the gang itself hasn’t claimed responsibility. A US Treasury spokesperson told Reuters, “We are aware of the cybersecurity issue and are in regular contact with key financial sector participants, in addition to federal regulators. We continue to monitor the situation.” ICBC said in a notice on its website that the bank is “progressing its recovery efforts with the support of its professional team of information security experts.”
Reuters says the hack left the bank’s US broker-dealer, ICBC Financial Services, “temporarily owing BNY Mellon (BK.N) $9 billion, an amount many times larger than its net capital.” The brokerage received a cash injection from its Chinese parent to pay back BNY.
The Washington Post comments that LockBit's attack against the Industrial and Commercial Bank of China’s ICBC Financial Services division may backfire against the gang. LockBit is generally regarded as operating under the tolerance and effective protection of the Russian government. LockBit says that it's based in Amsterdam, and that it's a group of apolitical criminals interested simply in financial gain. It has a plausible case for financial motivation, but the group's Russian identity isn't in serious question. It operates effectively as a privateer, free to attack where it will, as long as it avoids Russian targets. It also runs an affiliate program in which it licenses its malware to other criminal franchises.
US and (especially) Chinese authorities are unlikely to ignore or overlook the attack on ICBC. LockBit told Reuters that ICBC had paid the ransom demanded, and that the matter was now closed, but that's just LockBit's unreliable word. For more on the ransomware attack against ICBC, see CyberWire Pro.
Patch news.
Microsoft on Tuesday issued patches for fifty-eight vulnerabilities, including five zero-days, BleepingComputer reports. Three of the zero-days (CVE-2023-36036, CVE-2023-36033, and CVE-2023-36025) have been exploited in the wild. The two other zero-days were publicly disclosed before patches were available, but Microsoft says it hasn’t seen evidence of exploitation.
VMware has addressed a critical authentication bypass vulnerability in the VMware Cloud Director Appliance.
Fortinet issued patches for several flaws affecting FortiClient and FortiGate.
SAP has released patches for six flaws, including an improper access control vulnerability with a CVSS score of 9.6 in the SAP Business One installation process.
Crime and punishment.
Royal, a classic double-extortion ransomware gang that both encrypts and doxes its victims, is undergoing some changes. The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have updated their joint advisory accordingly, revising their notes on the gang's tactics, techniques, and procedures as well as their list of indicators of compromise (IOCs).
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a joint Cybersecurity Advisory outlining the activities of the Scattered Spider cybercriminal gang: “Scattered Spider (also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra) engages in data extortion and several other criminal activities. Scattered Spider threat actors are considered experts in social engineering and use multiple social engineering techniques, especially phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA).” The threat actor targets large companies, and has “been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs.” The joint advisory represents a call for information sharing as much as it does a warning against the activities of this particular threat group.
Courts and torts.
BleepingComputer reports that the ALPHV/BlackCat ransomware gang has dimed out one of its claimed victims to the US Securities and Exchange Commission (SEC). The victim, the criminals allege, failed to disclose a cyber incident that had a material impact on its business by filing a Form 8-K within the prescribed four business days. ALPHV/BlackCat claimed to have stolen data from software company MeridianLink on November 7th. MeridianLink hasn't paid, and so the gang has reported the company to the SEC. MeridianLink says it's found no evidence of data loss. The gang received an automated reply from the SEC ("Thank you for contacting the United States Securities and Exchange Commission," etc.), but it's unlikely their complaint will be found to have merit, not least because the SEC's cyber incident disclosure rule had not yet taken effect when the complaint was filed.
The Electronic Frontier Foundation has asked the Federal Trade Commission (FTC) to stop resellers from selling set-top Android boxes and mobile devices known to be compromised with malware. The ban the EFF advocates would affect devices manufactured by AllWinner and RockChip. These devices, the EFF says, were found by HUMAN researchers to be infected with BadBox malware. "When first connected to the internet, these infected devices immediately start communicating with botnet command and control servers," the letter explains. "Then they connect to a vast click-fraud network—in which bots juice advertising revenue by producing bogus ad clicks." The infected devices can also be used to stage other attacks without their owners' knowledge, and this exposes the owners to legal risk as well as ordinary cyber risk. The EFF argues that this supply chain problem is a consumer protection issue, which therefore clearly lies within the FTC's remit.
Policies, procurements, and agency equities.
NATO held its first annual Cyber Defence Conference last week in Berlin, Germany, and leaders emphasized the need for collaboration among allies in defending against cyberattacks. During the public opening speeches and panel discussion, members voiced their support for the creation of a NATO Cyber Centre. However, as the Record notes, the exact goals of the body have not yet been determined. The initiative could focus on strengthening allies’ cyber competencies, creating an information-sharing resource, or perhaps even functioning as a command center for combined tactical operations.
The European Union Agency for Cybersecurity (ENISA) announced that it had formalized an agreement with its Ukrainian counterparts to build cybersecurity capacity, exchange best practices, and increase common situational awareness in cyberspace.
Following last month’s executive order from US President Biden calling on the Department of Homeland Security (DHS) to promote global AI safety standards, the Cybersecurity and Infrastructure Security Agency (CISA) released a Roadmap for Artificial Intelligence (AI). CISA explains that the guidance “outlines five strategic lines of effort for CISA that will drive concrete initiatives and outline CISA’s responsible approach to AI in cybersecurity.”
On Tuesday the US Department of Defense (DoD) Chief Digital and Artificial Intelligence Office (CDAO) published the Responsible Artificial Intelligence (RAI) Toolkit. A key deliverable of the DoD RAI Strategy & Implementation Pathway, the toolkit builds upon guidance previously issued by the Defense Innovation Unit, the National Institute of Standards and Technology (NIST), and the Institute of Electrical and Electronics Engineers. The DoD explains, “The RAI Toolkit provides users a voluntary process that identifies, tracks, and improves alignment of AI projects to RAI best practices and the Department's AI Ethical Principles, while capitalizing on opportunities for innovation.”
The US Consumer Financial Protection Bureau (CFPB) is proposing a new rule that could mean digital payment apps are treated more like their brick-and-mortar counterparts, Yahoo Finance reports. The rule would require nonbank financial companies that handle more than 5 million transactions a year to follow the same rules as the big banks that are already overseen by the CFPB. This would include popular mobile apps like Apple Pay and Google Pay, giving CFPB permission to more closely scrutinize the Big Tech firms that run these platforms.
Kathy Hochul, governor of the US state of New York, on Monday proposed a new slate of cybersecurity regulations for hospitals in an effort to protect critical network systems and the sensitive data they contain. Every hospital would be required to establish its own cybersecurity program and incident response plan, as well as appoint a chief information security officer.
Mergers and acquisitions.
SentinelOne has acquired advisory firm Krebs Stamos Group (KSG) to launch PinnacleOne, a strategic risk analysis and advisory group that will be led by former CISA director Christopher Krebs and former Facebook CISO Alex Stamos. Krebs will serve as SentinelOne's Chief Intelligence and Public Policy Officer and President of PinnacleOne, while Stamos will serve as SentinelOne's Chief Trust Officer.
Investments and exits.
AI-enhanced security operations solutions company Radiant Security has raised $15 million in a Series A round led by Next47, with participation from General Advance and existing investors Lightspeed Venture Partners, Acrew Capital, Uncorrelated Ventures, and Jibe Ventures.
Extended threat protection platform provider RADICL has raised an additional $9 million in early-stage funding, bringing the company's total funding to $12 million. The new funding was led by Paladin Capital Group, with participation from Access Ventures, the DA Ventures Seed Fund (a Denver Angels affiliate), and a group of strategic angel investors.
Threat-informed defense platform provider Tidal Cyber has secured $5 million in seed funding led by Squadra Ventures, with participation from existing investors.
Canadian attack surface management firm Cavelo has raised CAD$5 million (USD$3.6 million) in a seed funding round led by Inovia Capital, with participation from existing investors including Graphite Ventures.