At a glance.
- Ransomware as a threat to manufacturing.
- Cyber phases of hybrid wars spread beyond the theaters of operation.
- US and Israel attribute attacks on PLCs to Iran.
- GRU campaign exploits Outlook vulnerability to gain access to sensitive email accounts.
- Russia's Doppelgänger influence operators experiment with AI.
- UK calls out an FSB influence campaign.
- XDSpy reported to be phishing the Russian defense sector.
- CISA warns of Adobe ColdFusion exploitation.
- 23andMe data incident increases in scope.
- Current P2Pinfect malware activity, with new capabilities.
- Agent Raccoon backdoors organizations on three continents.
- AeroBlade prospects US aerospace industry.
Ransomware as a threat to manufacturing.
Trustwave SpiderLabs has released a report looking at threats to manufacturing companies, finding that the LockBit 3.0 ransomware was the most commonly used malware in the sector, deployed in nearly 30% of attacks. The researchers add that “Clop, BlackCat/ALPHV, and Royal are also favored ransomware strains that have substantially affected the manufacturing threat landscape.” The report also notes that “companies specializing in industrial equipment, robotics, automation, heavy construction, automotive, electronics, and chemical manufacturing have been more prominently listed as victims on ransomware extortion websites.”
Cyber phases of hybrid wars spread beyond the theaters of operation.
Russia's war in Ukraine and the war between Hamas and Israel initiated by Hamas's October 7th terror attacks have both been hybrid wars, with significant action in cyberspace. CSO has an essay describing this "spillover" and how security teams should prepare for it. The essay argues that public and private sector organizations alike are likely to become targets of cyberattacks mounted as contributions to such wars, and that security teams should recognize this risk, understand that it is unlikely to be catastrophic, and apply sound risk management practices to deal with it. "[C]ybersecurity teams must persistently simulate and collaborate with information sharing geared toward an adaptive defense posture that consistently tailors and re-tailors internal practices toward shifting geopolitical conditions."
US and Israel attribute attacks on PLCs to Iran.
Late Friday evening the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD) released a joint Cybersecurity Advisory (CSA): IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors. The Joint Advisory amplifies guidance issued earlier last week in response to disclosures of the exploitation of a Unitronics programmable logic controller at certain water treatment facilities in the United States. The renewed warning is noteworthy on at least four counts:
- It unambiguously attributes the attacks to Iran's Islamic Revolutionary Guard Corps (IRGC).
- It says that "several" water systems in the US have come under attack.
- It notes that the risk is not confined to the water and wastewater sector. ("These PLCs are commonly used in the Water and Wastewater Systems (WWS) Sector and are additionally used in other industries including, but not limited to, energy, food and beverage manufacturing, and healthcare. The PLCs may be rebranded and appear as different manufacturers and companies.")
- It calls out the manufacturer of the PLCs for the poor practice of shipping devices with default passwords and failing to require that these be reset upon installation.
Since CyberAv3ngers, the IRGC-affiliated persona that claimed the Unitronics attacks, made its claims, other groups have also hit users of Israeli equipment. According to the Register at least three other Iranian-affiliated groups have claimed similar attacks: Haghjoyan, CyberToufan Group, and YareGomnam Team.
The Record reports that Florida's St. Johns River Water Management District said that it has come under an unspecified cyberattack (apparently ransomware, from an unknown or at least undisclosed threat actor), but that the District has been able to work through its difficulties. It explained that it had “identified suspicious activity in its information technology environment” and that “containment measures have been successfully implemented.” For more on the attacks against PLCs in Aliquippa, see CyberWire Pro.
GRU campaign exploits Outlook vulnerability to gain access to sensitive email accounts.
Microsoft Security this week reported that the GRU threat group it tracks as Forest Blizzard (and formerly as Strontium) is "actively exploiting CVE-2023-23397 to provide secret, unauthorized access to email accounts within Exchange servers." Organizationally, Forest Blizzard (also called "Fancy Bear") is linked to Unit 26165 of Russia’s military intelligence service, the GRU. Microsoft worked with Poland's Cyber Command (DKWOC) to contain and counter this hostile activity. CVE-2023-23397 is an elevation-of-privilege vulnerability in Outlook for Windows: a crafted message whose custom reminder-sound path points at an attacker-controlled SMB or WebDAV host makes Outlook authenticate to that host when the reminder fires, leaking the user's Net-NTLMv2 response with no user interaction. Microsoft patched the flaw in March 2023 and urges users to ensure that Outlook and Exchange are up to date.
Other firms also reported on the GRU activity. Proofpoint outlined GRU exploitation of CVE-2023-23397. The activity Proofpoint describes casts further light on the GRU activity Microsoft Security described earlier. And Palo Alto Networks' Unit 42 on Thursday published research into the ongoing GRU campaign.
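As an added example (not Microsoft's, Proofpoint's or Unit 42's own tooling), the Python below shows the triage check a responder would run for this vulnerability. The trigger is a message whose PidLidReminderFileParameter property, the custom reminder-sound path, names a remote SMB or WebDAV location; Outlook authenticates to that host when the reminder fires. The code assumes those property values have already been exported from mailboxes as strings; the message identifiers, host names and trusted-host list are assumptions.

```python
"""Triage of Outlook reminder-sound paths (PidLidReminderFileParameter) for
CVE-2023-23397. Added example, not Microsoft's script: it assumes the property
values have already been exported from the mailbox store as strings."""
import ipaddress
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Remote forms that make Outlook authenticate outward:
#   \\host\share\file.wav             (SMB, TCP 445)
#   \\host@80\path\file.wav           (WebDAV over HTTP)
#   \\host@SSL@443\path\file.wav      (WebDAV over HTTPS)
#   file://host/share/file.wav        (URL form of a UNC path)
_UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@(?:SSL@)?(\d+))?\\", re.IGNORECASE)
_FILE_URL_RE = re.compile(r"^file://([^/]+)/", re.IGNORECASE)


class Verdict(NamedTuple):
    suspicious: bool
    host: Optional[str]
    reason: str


def _is_private_ip(host: str) -> bool:
    """True only for literal private/loopback addresses; host names return False."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def classify_reminder_path(value: str, trusted_hosts: Iterable[str] = ()) -> Verdict:
    """Decide whether a reminder-sound path can make Outlook authenticate outward."""
    value = value.strip()
    if not value:
        return Verdict(False, None, "no custom reminder sound")
    match = _UNC_RE.match(value) or _FILE_URL_RE.match(value)
    if match is None:
        # A drive-letter path or bare file name never leaves the machine.
        return Verdict(False, None, "local path")
    host = match.group(1).lower()
    if host in {"localhost", "127.0.0.1"} or host in {h.lower() for h in trusted_hosts}:
        return Verdict(False, host, "local or explicitly trusted host")
    webdav_port = match.group(2) if match.re is _UNC_RE else None
    if webdav_port:
        return Verdict(True, host, f"WebDAV path to {host} on port {webdav_port}")
    if _is_private_ip(host):
        return Verdict(True, host, f"internal UNC host {host}: confirm the share is sanctioned")
    return Verdict(True, host, f"external host {host}: outbound NTLM authentication likely")


def triage(messages: Iterable[Tuple[str, str]], trusted_hosts: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Group suspicious message ids by target host so responders can block and hunt per host."""
    by_host: Dict[str, List[str]] = {}
    for message_id, path in messages:
        verdict = classify_reminder_path(path, trusted_hosts)
        if verdict.suspicious:
            by_host.setdefault(verdict.host, []).append(message_id)
    return by_host


if __name__ == "__main__":
    # Constructed sample export (assumed message ids and values, not real data).
    sample = [
        ("msg-001", r"C:\Windows\Media\chimes.wav"),
        ("msg-002", r"\\203.0.113.7\share\reminder.wav"),
        ("msg-003", r"\\attacker.example@80\dav\reminder.wav"),
        ("msg-004", r"\\fileserver.corp.example\sounds\ding.wav"),
        ("msg-005", "file://203.0.113.7/share/reminder.wav"),
    ]
    for host, ids in triage(sample, trusted_hosts=["fileserver.corp.example"]).items():
        print(f"{host}: {', '.join(ids)}")
```

A UNC path to an internal server is reported separately because legitimate custom sounds on file shares do exist, but a recent, unexpected one still deserves a look. Beyond patching, the standing mitigations are to block outbound TCP 445 at the perimeter and to put high-value accounts in the Protected Users group, which disables NTLM authentication for its members.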
Russia's Doppelgänger influence operators experiment with AI.
Recorded Future's Insikt Group has described the evolution of Russia's Doppelgänger influence operation. It's targeting audiences in Ukraine, Germany, and the US with familiar Russian propaganda themes. The difference is that the group is now using generative AI to produce bogus news and opinion stories at scale. The effort is, CyberScoop reports, enjoying only limited success, but the large-scale generation of disinformation represents a noteworthy application of new technology.
WIRED reports that Doppelgänger is also using the images of celebrities juxtaposed with fake quotations denouncing Ukraine in an attempt to sway public opinion, mostly in Europe, against support for Ukraine's defensive war. The tenor of the messages in this crude influence campaign portrays Ukraine as, first, at fault for the war, and second, as wasting the aid it's received from the West. The celebrities whose images are being misappropriated include Taylor Swift, Selena Gomez, Kim Kardashian, Beyoncé, Oprah, Gigi Hadid, Lady Gaga, Jennifer Lopez, Justin Bieber, Shakira, Gwyneth Paltrow, and Cristiano Ronaldo.
The disinformation is being spread over coordinated networks of inauthentic Facebook accounts as part of the GRU's Doppelgänger campaign. The messaging may be primitive, but there's considerable sophistication involved in spreading it. Doppelgänger automates creation of Facebook accounts and exploits loopholes in the platform's ad moderation to disseminate its bogus influencer posts. The not-for-profit disinformation research group Reset told WIRED the campaign “exploits loopholes in Facebook’s ad verification and content moderation systems to foster hostility against Ukrainians and undermine EU support for Kyiv.”
UK calls out an FSB influence campaign.
The British Government has summoned the Russian ambassador for an explanation of the "Cold River" campaign, a sustained effort by Russia's FSB security service to influence elections in the UK. Reuters quotes junior foreign minister Leo Docherty's statement to Parliament: "I can confirm today that the Russian Federal Security Services, the FSB, is behind a sustained effort to interfere in our democratic processes." Cold River, also tracked by researchers as "Callisto," "Iron Frontier," and "Star Blizzard," is associated with the FSB's "Centre 18." Richard Dearlove, former head of Britain's Secret Intelligence Service, MI6, told Reuters, "Because of the UK’s support for Ukraine we are in a state of ‘grey warfare’ with Russia; and the Russians will use every means at their disposal to attack British interests short of open conflict." ComputerWeekly describes the campaign's goal as being "to selectively leak information obtained through cyber espionage and amplify its release in line with Russia’s geopolitical goals, or to undermine trust in UK politics."
The UK's National Cyber Security Centre (NCSC) issued a report on the campaign. Unlike its GRU sister service's Doppelgänger, which is an exercise in automated mass marketing, the FSB's operators rely heavily on highly tailored spearphishing, and they research their targets carefully before making contact.
XDSpy reported to be phishing the Russian defense sector.
Russian cybersecurity company F.A.C.C.T. reported last week that XDSpy has been conducting phishing attacks against a Russian metallurgical firm and a company specializing in the development of ballistic missiles. The phishing emails misrepresented themselves as originating from a nuclear weapons design institute. The Record summarizes what's known about XDSpy, which isn't much. The group is known to have been active since at least 2011, and it's believed to be state-directed. ESET, which tracked XDSpy closely until the company lost access to Russia and Belarus after Russia's invasion of Ukraine, says that the cyberespionage group doesn't have a particularly sophisticated toolkit, but that its operational security is excellent. That security has prevented attribution of XDSpy to any government, but the group's interests seem focused on Eastern Europe, including Russia and the Balkans. The Record doesn't offer any attribution either, but it does observe that most of the recent cyberespionage against Russia has originated with North Korea and China. Those two governments have been principally interested in theft of technical information, and that seems to be XDSpy's goal as well.
The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.
CISA warns of Adobe ColdFusion exploitation.
The Cybersecurity and Infrastructure Security Agency (CISA) this week released a Cybersecurity Advisory (CSA) confirming that CVE-2023-26360, a vulnerability in Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) has been exploited in a Federal Civilian Executive Branch (FCEB) agency. CVE-2023-26360 involves an improper access control that can be exploited for arbitrary code execution. The CSA offers risk mitigation advice: update software, segment networks, enforce signed software execution policies, and use a firewall.
The two incidents CISA describes occurred in June of this year on two servers at the same (unnamed) agency. CISA assesses both as probably reconnaissance efforts intended to map the victim's network for potential further exploitation. Who was behind the attacks is unknown, and it's not even known whether the same threat actor was responsible for both.
23andMe data incident increases in scope.
The ancestry-tracing firm 23andMe has posted an amendment to the Form 8K it filed with the US Securities and Exchange Commission (SEC) on October 10th. That form had disclosed an incident in which customer information had been accessed through a credential-stuffing attack enabled by user password reuse. 23andMe said, "the threat actor was able to access a very small percentage (0.1%) of user accounts in instances where usernames and passwords that were used on the 23andMe website were the same as those used on other websites that had been previously compromised or were otherwise available." That's not, however, the full extent of the breach. "Using this access to the Credential Stuffed Accounts, the threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature and posted certain information online." That is, TechCrunch reports, the attackers were able to access data on some 6.9 million individuals, orders of magnitude more than the 14,000 individuals who would represent 0.1% of the service's users.
The attackers have offered some stolen data for sale on BreachForums, charging between $1 and $10 per stolen account. The data include, WIRED summarized, "things like a display name, sex, birth year, and some details about genetic ancestry results, like that someone is, say, of 'broadly European' or 'broadly Arabian' descent. It may also include some more specific geographic ancestry information." No actual genetic information was compromised. For more on the 23andMe incident, see CyberWire Pro.
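The pattern described above, a very low per-account success rate spread across a large number of distinct accounts, is visible in authentication logs. The Python below is an added example, not 23andMe's detection logic; its log format, addresses, accounts and timestamps are constructed for the demonstration.

```python
"""Credential-stuffing triage over authentication logs.

Added example, not 23andMe's tooling. Every address, account and timestamp
is constructed. Assumed line format: "<iso-timestamp> <source-ip> <account> <OK|FAIL>"
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


def _lines(ip: str, attempts: List[Tuple[str, str]], start_second: int) -> List[str]:
    """Build constructed log lines for one source address (test data only)."""
    return [f"2023-10-01T02:00:{start_second + i:02d}Z {ip} {acct}@example.org {res}"
            for i, (acct, res) in enumerate(attempts)]


# Source 1: 12 different accounts, 2 of which use a reused password and succeed.
_STUFFED = [(a, "OK" if a in ("carol", "dave") else "FAIL") for a in
            ["alice", "bob", "carol", "dave", "grace", "heidi",
             "ivan", "judy", "mallory", "niaj", "olivia", "peggy"]]
# Source 2: 9 different accounts, all fail.
_STUFFED_2 = [(a, "FAIL") for a in ["quentin", "rupert", "sybil", "trent", "uma",
                                    "victor", "walter", "xavier", "yolanda"]]
# A real user mistyping twice, then an unrelated single success.
_LEGIT = [("erin", "FAIL"), ("erin", "FAIL"), ("erin", "OK")]
_OTHER = [("frank", "OK")]

SAMPLE_AUTH_LOG = "\n".join(
    _lines("198.51.100.23", _STUFFED, 0) + _lines("198.51.100.24", _STUFFED_2, 20)
    + _lines("192.0.2.10", _LEGIT, 40) + _lines("203.0.113.5", _OTHER, 50))


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    accounts: Set[str] = field(default_factory=set)
    successes: Set[str] = field(default_factory=set)

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_auth_log(lines: Iterable[str]) -> Dict[str, SourceStats]:
    """Aggregate attempts per source address."""
    stats: Dict[str, SourceStats] = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort a triage run
        _ts, ip, account, result = parts
        s = stats.setdefault(ip, SourceStats())
        s.attempts += 1
        s.accounts.add(account)
        if result == "OK":
            s.successes.add(account)
        else:
            s.failures += 1
    return stats


def find_stuffing_sources(stats: Dict[str, SourceStats], min_accounts: int = 8,
                          min_fail_ratio: float = 0.7) -> Dict[str, SourceStats]:
    """A stuffing source tries many distinct accounts and fails most of the time;
    a user mistyping a password fails repeatedly against one account."""
    return {ip: s for ip, s in stats.items()
            if len(s.accounts) >= min_accounts and s.fail_ratio >= min_fail_ratio}


def accounts_to_reset(flagged: Dict[str, SourceStats]) -> Set[str]:
    """Accounts a flagged source logged into: the reused-password victims to force-reset."""
    victims: Set[str] = set()
    for s in flagged.values():
        victims |= s.successes
    return victims


if __name__ == "__main__":
    flagged = find_stuffing_sources(parse_auth_log(SAMPLE_AUTH_LOG.splitlines()))
    for ip, s in flagged.items():
        print(f"{ip}: {len(s.accounts)} accounts, fail ratio {s.fail_ratio:.2f}")
    print("reset:", sorted(accounts_to_reset(flagged)))
```

Per-address thresholds are evaded by residential proxy networks that spread attempts across thousands of addresses, so in practice this is paired with per-account signals, device fingerprinting, rate limiting, rejection of passwords found in breach corpora, and MFA. The 23andMe case also shows that the blast radius is set by what an authenticated account is allowed to read: the scraping of DNA Relatives data through a few thousand accounts is the part that rate limits and anomaly detection on that feature would have caught.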
Current P2Pinfect malware activity, with new capabilities.
Cado Security warns that a new variant of the P2Pinfect botnet malware is targeting the MIPS (Microprocessor without Interlocked Pipelined Stages) architecture. The researchers say this “demonstrates increased targeting of routers, Internet of Things (IoT) and other embedded devices by those behind P2Pinfect.”
Agent Raccoon backdoors organizations on three continents.
Researchers at Palo Alto Networks’ Unit 42 are tracking a newly discovered backdoor, “Agent Racoon” (as Unit 42 spells it), that has targeted organizations in the US, the Middle East, and Africa. A suspected nation-state threat actor used the backdoor to compromise organizations in the education, real estate, retail, non-profit, telecommunications, and government sectors. Agent Raccoon is “written using the .NET framework, and leverages DNS to establish a covert channel with the C2 server.” The researchers note, “This tool set is not yet associated with a specific threat actor, and not entirely limited to a single cluster or campaign.”
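A DNS covert channel of the kind described here is the sort of traffic a resolver's query log can expose. The Python below is an added example, not Unit 42's code, and it makes no claim about how Agent Raccoon itself encodes its traffic: it applies generic tunneling heuristics (many distinct, long, high-entropy subdomains under one domain, or a TXT-heavy query mix) to a constructed query log whose domain names are assumptions.

```python
"""Heuristics for spotting DNS used as a covert command-and-control channel.

Added example, not Unit 42's tooling. The query log is constructed with hashlib
so the run is deterministic; every domain name below is an assumption.
"""
import hashlib
import math
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


@dataclass
class DomainStats:
    queries: int = 0
    txt_queries: int = 0
    subdomains: Set[str] = field(default_factory=set)
    total_sub_len: int = 0
    total_entropy: float = 0.0


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads sit near 4 (hex) or 5 (base32)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> Tuple[str, str]:
    """Return (subdomain, registered domain). Assumes a two-label registrable
    suffix; production code should consult the Public Suffix List (co.uk etc.)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def aggregate(records: Iterable[Tuple[str, str]]) -> Dict[str, DomainStats]:
    """records are (qname, qtype) pairs, as a resolver's query log would supply."""
    stats: Dict[str, DomainStats] = {}
    for qname, qtype in records:
        sub, domain = split_name(qname)
        s = stats.setdefault(domain, DomainStats())
        s.queries += 1
        if qtype.upper() == "TXT":
            s.txt_queries += 1
        s.subdomains.add(sub)
        s.total_sub_len += len(sub)
        s.total_entropy += shannon_entropy(sub)
    return stats


def flag_tunnels(stats: Dict[str, DomainStats], min_unique: int = 20, min_mean_len: int = 24,
                 min_entropy: float = 3.3, txt_ratio: float = 0.5) -> Dict[str, str]:
    """Flag domains with many distinct, long, high-entropy subdomains (data leaving in
    the question) or a TXT-heavy query mix (commands returning in the answer)."""
    flagged: Dict[str, str] = {}
    for domain, s in stats.items():
        if len(s.subdomains) < min_unique:
            continue  # a handful of hosts under one domain is normal
        mean_len = s.total_sub_len / s.queries
        mean_ent = s.total_entropy / s.queries
        if mean_len >= min_mean_len and mean_ent >= min_entropy:
            flagged[domain] = (f"{len(s.subdomains)} unique subdomains, mean length "
                               f"{mean_len:.0f}, mean entropy {mean_ent:.2f} bits/char")
        elif s.txt_queries / s.queries >= txt_ratio:
            flagged[domain] = f"{s.txt_queries}/{s.queries} queries are TXT"
    return flagged


def build_sample_log() -> List[Tuple[str, str]]:
    """Constructed resolver log: ordinary traffic, a busy CDN, and a beaconing implant."""
    records = [("www.example.com", "A"), ("mail.example.com", "MX"), ("api.example.com", "A")] * 10
    records += [(f"img-{i}.cdn.example.org", "A") for i in range(30)]  # many short names
    for i in range(40):  # implant sends each chunk as a 40-character hex label
        chunk = hashlib.sha256(f"beacon-{i}".encode()).hexdigest()[:40]
        records.append((f"{chunk}.c2.example.net", "TXT"))
    return records


if __name__ == "__main__":
    for domain, why in flag_tunnels(aggregate(build_sample_log())).items():
        print(f"{domain}: {why}")
```

The CDN-style domain in the sample has many unique subdomains and, because its names are short and use a varied alphabet, a per-character entropy close to the threshold; it is the length requirement that keeps it from being flagged, which is why the heuristics are combined rather than applied singly. Real deployments also baseline per client, since an implant beacons steadily from one host while CDN lookups come from everyone.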
AeroBlade prospects US aerospace industry.
Researchers at BlackBerry have identified what they describe as a hitherto unknown threat actor (they call it "AeroBlade") conducting a spearphishing campaign against the US aerospace sector. AeroBlade, which seems to have become active late last year, is interested in "commercial and competitive cyber espionage." Simple information collection may not be the group's only interest. In the conclusion of the report BlackBerry speculates that "Its purpose was most likely to gain visibility over the internal resources of its target in order to weigh its susceptibility to a future ransom demand."
Patch news.
Apple has released security updates for Safari, macOS Sonoma, iOS, and iPadOS.
Atlassian addressed four vulnerabilities in Bitbucket, Confluence, and Jira.
CISA has released several industrial control systems advisories:
Crime and punishment.
The US and the UK have taken steps against the individuals and organizations involved in Star Blizzard. The State Department is offering up to $10 million under its Rewards for Justice Program "for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, engages in certain malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA)."
The State Department is particularly interested in the FSB personnel for whom the U.S. Justice Department has secured indictments. On Thursday the Justice Department announced that "a federal grand jury in San Francisco returned an indictment on Tuesday charging two individuals with a campaign to hack into computer networks in the United States, the United Kingdom, other North Atlantic Treaty Organization member countries and Ukraine, all on behalf of the Russian government." According to the Department, "Ruslan Aleksandrovich Peretyatko, an officer in Russia’s Federal Security Service (FSB) Center 18, Andrey Stanislavovich Korinets and other unindicted conspirators employed a sophisticated spear phishing campaign to gain unauthorized, persistent access (i.e., 'hack') into victims’ computers and email accounts." Both gentlemen are presently out of reach, but, if apprehended and convicted, Mr. Peretyatko faces up to five years in prison, Mr. Korinets up to ten.
Courts and torts.
Messrs. Peretyatko and Korinets have also been sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), in coordination with its partners in the UK. "As a result of today’s action," the Department explained, "all property and interests in property of the individuals described above that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC. OFAC’s regulations generally prohibit all dealings by U.S. persons or within the United States (including transactions transiting the United States) that involve any property or interests in property of a blocked or designated person."
Policies, procurements, and agency equities.
President Zelenskyy has appointed Yury Mironenko as the head of the State Service for Special Communications and Information Protection (SSSCIP). He replaces Yurii Shchyhol, who, together with his deputy Victor Zhora, was relieved and arrested on charges of embezzlement in connection with software procurements made between 2020 and 2022.
The European Union reached a provisional agreement on the Cyber Resilience Act (CRA), a set of regulations aimed at ensuring all tech products on the EU market are cybersecure. The European Commission describes the legislation as a global first, with the goal of increasing the “level of cybersecurity of digital products to the benefit of consumers and businesses across the EU, as it introduces proportionate mandatory cybersecurity requirements for all hardware and software.” Building on the 2020 EU Cybersecurity Strategy and the 2020 EU Security Union Strategy, the CRA covers everything from baby monitors to computer routers, assigning different products with different security requirements based on levels of risk. As the European Commission explains, “Through these measures, the new Act will empower users to make better informed and more secure choices, as manufacturers will have to become more transparent and responsible about the security of their products.”
The US Department of Health and Human Services (HHS) has released Healthcare Sector Cybersecurity: Introduction to the Strategy of the U.S. Department of Health and Human Services. Intended as the Department's plan for implementing the President's cybersecurity strategy, the document reviews a range of existing initiatives and then outlines the next steps HHS intends to take toward improving the sector's security. Noting growing risk and a rising rate of cyberattacks against healthcare targets, the strategy explains, "Healthcare facilities are attractive targets for cyber criminals in light of their size, technological dependence, sensitive data, and unique vulnerability to disruptions."
The U.S. House Intelligence Committee unanimously approved a bill that would reauthorize Section 702 of the Foreign Intelligence Surveillance Act (FISA). The House Judiciary Committee had passed a similar proposed reauthorization on Wednesday. The two proposals differ principally in that the Judiciary Committee's version includes a warrant requirement while the Intelligence Committee's does not. How or whether the House will reconcile the two bills is unclear.
Fortunes of commerce.
The UC Berkeley Center for Long-Term Cybersecurity (CLTC), the World Economic Forum Centre for Cybersecurity, and CNA’s Institute for Public Research have published a report looking at “how digital security could evolve over the next five to seven years.” The report states, “Stable governments that follow through on long-term technology and cybersecurity strategies can become trusted ‘brands,’ gaining advantages in attracting talent, seizing leadership opportunities in multilateral standards-setting processes and countering disinformation campaigns.”
The report adds, "Acceleration in technology and business model innovation (both licit and criminal) will underpin the new digital security landscape for 2030. The workshops uncovered a universal sense that this acceleration is not likely to be incremental. The new landscape will require societies to fundamentally reorient their responses to perennial digital security challenges, three of which are changing in particularly important ways: data privacy, talent development, and sustainability."
Labor markets.
House legislators have introduced the Federal Cybersecurity Workforce Expansion Act, which is focused on supporting veterans and service members with an interest in taking on government cyber positions. Backed by Representatives Mike Gallagher, a Republican from Wisconsin, and Chrissy Houlahan, a Democrat from Pennsylvania, the bill would create an apprenticeship program at the Cybersecurity and Infrastructure Security Agency, as well as a training program under the Department of Veterans Affairs. There are also provisions calling for partnerships with private sector organizations to increase job opportunities, and for collaboration with local, state, and tribal communities and governments to help connect job seekers with available cyber positions. In July Senators Maggie Hassan (Democrat, New Hampshire) and John Cornyn (Republican, Texas) introduced a companion measure, and while similar bills have been introduced in the past, none has yet passed Congress. As Nextgov.com explains, lawmakers hope the worsening threat environment will make this bid more successful.
As part of the Federal Rotational Cyber Workforce Program, the Office of Personnel Management (OPM) has also established a new listing of cyber job opportunities to make it easier for federal cybersecurity employees to apply for details at other agencies. More than fifty positions, representing sixty-five opportunities across twelve agencies, are listed, with more being added regularly. By spending time at other agencies, Federal cyber staffers can pick up new skills and best practices that they can then share with their home agencies.
Mergers and acquisitions.
Austin, Texas-based data privacy management company Osano has completed its acquisition of Arlington, Virginia-headquartered data privacy solution provider WireWheel.
Investments and exits.
Palo Alto, California-based application security and vulnerability management firm ArmorCode has raised $40 million in a Series B round led by HighlandX, with participation from NGP Capital and existing investors Ballistic Ventures, Sierra Ventures, and Cervin Ventures.
Delaware-headquartered public-benefit software company Second Front Systems has secured $40 million in a Series B round led by NEA, with participation from existing investors Moore Strategic Ventures and AE Industrial Partners HorizonX.
Boston-based data privacy firm Mine has raised $30 million in a Series B round led by Battery Ventures and PayPal Ventures, with participation from Nationwide Ventures and existing investors Saban Ventures, Gradient Ventures (Google's AI), MassMutual Ventures, and Headline Ventures.
Irish cyber risk management startup Cytidel has raised €1.35 million (US$1.45 million) in a seed funding round led by Elkstone Ventures, with participation from Enterprise Ireland, the Irish Times reports.
London-based data security startup Klarytee has raised £700,000 (US$881,000) in a pre-seed funding round led by Concept Ventures, UK Tech Investment News reports.
And security innovation.
The US Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and the cybersecurity authorities of Australia, Canada, the United Kingdom, and New Zealand have released a joint guide for memory-safe coding practices.