At a glance.
- Molerats update their tactics, but not their target list.
- Protestware in open-source products.
- NSA warns of China-backed attacks on US critical infrastructure.
- GRU's Sandworm implicated in campaign against Danish electrical power providers.
- Cyberespionage campaign attributed to Russia's SVR.
- Anonymous Sudan claims attacks on ChatGPT and Cloudflare.
- Australian ports recovering from cyberattack.
- Rhysida malware: a warning and a description.
- BlackCat uses malicious Google ads.
- SysAid exploitation by Cl0p user Lace Tempest.
- Phobos ransomware: an affiliate crimeware-as-a-service program.
- LockBit doxes Boeing as Boeing hangs tough on paying ransom.
- Ransomware attack against China's largest bank.
Molerats update their tactics, but not their target list.
Proofpoint researchers have described some new activity by TA402, the Palestinian-aligned threat actor better known as the Molerats, and sometimes called the Gaza Cybergang, Frankenstein, or WIRTE. Between July and October TA402 used a new downloader, IronWind, to load shellcode on victim systems. The group has also shifted away from malicious Dropbox links and toward XLL and RAR file attachments, presumably the better to evade detection. TA402's targeting has continued to follow its historical pattern of prospecting Arabic-speaking governmental organizations in the Middle East and North Africa. It hasn't so far shown a shift toward direct support of Hamas in the war with Israel.
Protestware in open-source products.
ReversingLabs this week drew attention to the phenomenon of "protestware," that is, the practice of hiding scripts that advocate a political position inside npm packages that are then pulled into open-source software as dependencies. The message is commonly displayed after a user installs or executes the software, which means it runs with whatever privileges the install or build process has. "Although the latest packages are not malicious," ReversingLabs researchers say, "they underscore a persistent risk in open source software, in which unintended and malicious features can lurk undetected — even in widely used applications." The two campaigns discussed in the report are being run, separately, in the Palestinian and Ukrainian interest, and, while protestware tends to shadow current events, it's not confined to the fighting in Ukraine or Gaza.
NSA warns of China-backed attacks on US critical infrastructure.
Speaking at the Cyberwarcon security conference held in Washington, DC last week, two members of the US National Security Agency (NSA) warned that Chinese government-backed hackers are targeting critical infrastructure in the US. As Wired explains, the message isn't new; since May NSA has been cautioning that the Beijing-sponsored threat group Volt Typhoon has its sights set on the US power grid. At the conference, however, NSA representatives focused on the novel tactics these hackers would use. As the Washington Post notes, NSA reminded attendees that the Chinese government goes to great effort to collect research on zero-day vulnerabilities, and that the cybersecurity community should be on the lookout for attacks exploiting such previously unknown bugs.
GRU's Sandworm implicated in campaign against Danish electrical power providers.
SektorCERT, Denmark's "cyber security centre for the critical sectors," this week described what it characterized as the largest cyberattack on record against that country's critical infrastructure. In May of this year an APT group, which SektorCERT associates with Sandworm, simultaneously hit twenty-two companies in Denmark's highly decentralized electrical power sector. The attacks, which began on May 11th and continued into the last week of that month, exploited CVE-2023-28771, a critical command injection flaw in the IKE packet decoder of Zyxel firewalls that can be triggered by an unauthenticated attacker with a single crafted packet, which is what made internet-facing devices reachable in bulk. That vulnerability had been disclosed and patched in late April, but the attackers were able to find enough unpatched systems to gain access.
The attack was ultimately detected and stopped without disruption to power distribution, but it seems to have been aimed at gaining comprehensive access to Denmark's grid. The attacks proper were preceded by a reconnaissance phase that began in January. A simultaneous attack against so many targets suggests both careful planning and determined execution. SektorCERT properly notes the difficulties of attribution, and itself stops short of saying the incident was the work of Russia's GRU, but on form it certainly looks like a Sandworm operation. Similar attacks have been mounted against Ukraine's power grid, and the incident in Denmark strongly suggests that infrastructure in what Moscow tends to call the "collective West" can be expected to figure in Russian target lists.
Cyberespionage campaign attributed to Russia's SVR.
Ukraine's National Cyber Security Coordination Center (NCSCC) has published its analysis of a widespread cyberespionage campaign that, this past September, hit diplomatic targets in Azerbaijan, Greece, Romania and Italy. The foreign ministries of Azerbaijan and Italy were particularly hard hit. The campaign was widely regarded at the time as a Russian intelligence operation, and the NCSCC attributes it directly to APT29, Cozy Bear, a unit of Russia's SVR foreign intelligence service. In this case the intelligence goal seems only tangentially related to Russia's invasion of Ukraine, except insofar as trouble in the Near Abroad inevitably has repercussions for that war. The SVR appears to have been interested in Azerbaijan's intentions with respect to Nagorno-Karabakh, the region Azerbaijan has disputed with Armenia, and which Azerbaijan seized on September 19th and 20th of this year. Cozy Bear has been implicated in several other high-profile incidents, including Russian intrusions into US targets related to the 2016 US elections, and the 2020 supply chain attack against SolarWinds users.