At a glance.
- Reddit breached.
- Top US cyber diplomat says his Twitter account was hacked.
- LockBit says ION paid ransom.
- New ransomware exploits VMware ESXi vulnerability.
- UK and US issue joint sanctions against Russian ransomware operators.
- Latest trends and reports.
- Threat actor movements observed and reported over the week.
- Updates on cyber activity in the hybrid war against Ukraine.
- Patch news.
- Crime and punishment.
- Courts and torts.
- Policies, procurements, and agency equities.
- Business news.
- Research developments.
Reddit breached.
Reddit has disclosed that it sustained a data breach on February 5th after an employee fell for a phishing attack, BleepingComputer reports. Reddit said in a statement that an attacker set up a website that impersonated the company’s intranet gateway and was designed to steal credentials and two-factor authentication tokens. After an employee fell for the ruse, the attacker “gained access to some internal docs, code, as well as some internal dashboards and business systems.” The company added, “We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data).” Reddit also hasn’t found any signs that the attacker accessed user data. For more on the Reddit breach, see CyberWire Pro.
Top US cyber diplomat says his Twitter account was hacked.
Nate Fick, US ambassador-at-large for cyber and head of the State Department's Bureau of Cyberspace and Digital Policy, tweeted Saturday, "My account has been hacked. Perils of the job..." It's a personal account, used for posts about "weather, mountain biking, and backcountry skiing," which probably accounts for the refreshing shrug-off. Ambassador Fick communicates officially through an official account, @StateCDP.
LockBit says ION paid ransom.
The UK-based ION Trading Group, hit by a LockBit-claimed ransomware attack that began on Tuesday, has reportedly paid the ransom demanded by the threat group, Bloomberg reported Friday. Bloomberg News cites a LockBit group representative, who told them “that the ransom was paid and that the gang provided a decryption key to unlock the compromised computers.” Neither the person or entity behind the ransom payment nor the amount was disclosed to the outlet. Reuters said last week that the attack could take days to fix, though if the “group representative” is reliable, the decryption key provided may expedite the process. The United States Federal Bureau of Investigation has begun its own search for information on the attack, in addition to the individual investigations UK regulators are conducting, Bloomberg wrote Friday.
New ransomware exploits VMware ESXi vulnerability.
France's Computer Emergency Response Team (CERT-FR) and Italy's National Cybersecurity Agency (ACN) have both warned of a widespread ransomware campaign that’s exploiting a vulnerability in VMware ESXi servers. The ransomware is exploiting CVE-2021-21974, which VMware patched in February 2021. BleepingComputer says at least 3,200 servers around the world have been infected. CERT-FR recommends that organizations apply all patches for ESXi hypervisors, and also verify that they haven’t already been compromised. The ransomware, which is being tracked as “ESXiArgs,” appears to be a new strain based on Babuk source code. SC Media reports that Europe is the hardest-hit region, followed by North America. Reuters quotes the US Cybersecurity and Infrastructure Security Agency (CISA) as saying, “CISA is working with our public and private sector partners to assess the impacts of these reported incidents and provide assistance where needed.”
VMware published the following statement:
“We wanted to address the recently reported ‘ESXiArgs’ ransomware attacks as well as provide some guidance on actions concerned customers should take to protect themselves.
“VMware has not found evidence that suggests an unknown vulnerability (0-day) is being used to propagate the ransomware used in these recent attacks. Most reports state that End of General Support (EOGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs). You can sign up for email and RSS alerts when an advisory is published or significantly modified on our main VMSA page.
“With this in mind, we are advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities. In addition, VMware has recommended disabling the OpenSLP service in ESXi. In 2021, ESXi 7.0 U2c and ESXi 8.0 GA began shipping with the service disabled by default.”
CISA has released a script that can, in some cases, rebuild virtual machines from flat files and recover data encrypted by ESXiArgs. BleepingComputer explains that the ransomware “failed to encrypt flat files, where the data for virtual disks are stored.” SecurityScorecard has published a report looking at potentially vulnerable ESXi servers, and cases in which these servers have recently communicated with malicious IP addresses. The Washington Post notes that the ESXiArgs campaign appears to have had a somewhat muted impact compared to earlier widespread ransomware or pseudo-ransomware campaigns, such as WannaCry or NotPetya. Italy's National Cybersecurity Agency (ACN) says, according to Reuters, that it’s unclear who’s behind the campaign. In particular, there’s no obvious involvement of a state-actor. For more on ESXiArgs, see CyberWire Pro.
Examination of debris from the Chinese balloon the US Air Force shot down off Myrtle Beach earlier this week continues, but the US State Department has announced that the balloon was a surveillance system, the New York Times reports. Specifically, it was engaged in collection of signals intelligence, a capability that became known to the US before the balloon was shot down and its wreckage recovered. Close flyby inspections by U-2 aircraft were able to determine that as the balloon made its leisurely trip from Montana to South Carolina. The balloon's payload included antenna arrays “likely capable of collecting and geo-locating communications,” the US statement said, and the craft packed enough solar panels to drive a large set of electronic sensors.
UK and US issue joint sanctions against Russian ransomware operators.
Thursday morning the US Treasury Department’s Office of Foreign Assets Control and the UK’s National Crime Agency jointly sanctioned seven members of a gang that’s operated the Trickbot malware. The individuals sanctioned are also involved with the Conti and RYUK ransomware strains. The National Crime Agency says, “The seven cyber criminals are now subject to travel bans and asset freezes, and are severely restricted in their use of the global financial system.”
The US Treasury Department drew particular attention to the way the Russian government has long provided a safe haven for cyber criminals. Treasury’s statement said, in part, “Russia is a haven for cybercriminals, where groups such as Trickbot freely perpetrate malicious cyber activities against the U.S., the U.K., and allies and partners. These malicious cyber activities have targeted critical infrastructure, including hospitals and medical facilities during a global pandemic, in both the U.S. and the U.K. Last month, Treasury’s Financial Crimes Enforcement Network (FinCEN) identified a Russia-based virtual currency exchange, Bitzlato Limited, as a ‘primary money laundering concern’ in connection with Russian illicit finance.”
Roger Grimes, data-driven defense evangelist at KnowBe4, commented, commending CISA and US federal agencies for their impact on ransomware:
"This is just the latest salvo in successfully fighting ransomware. It and all the other challenges recently facing ransomware cybercriminals can be traced back to the May 2021 Colonial Pipeline ransomware attack. Somehow, long overdue, ransomware finally reached an overreach tipping point event that I'm sure even they themselves wished they could take back. I think nearly everyone had thought that ransomware was causing far too much damage to continue to be the threat that it was for over a decade. I mean we had average ransomware payments lurching over $100,000 and many organizations were routinely paying multi-million dollar ransoms. It was pretty bad. And I don't think any of us understood why it continued to be worse and worse each year without something being done about it. But then they attacked a gasoline pipeline company (not even the pipeline itself, just the admin side of it) and it changed everything.
"CISA and all their partners (e.g., FBI, DOJ, NSA, business councils, foreign agencies, etc.) got involved. Even the President of the United States got involved. Ransomware finally crossed a bridge too far. The defenders figured out what it would take to mitigate ransomware. It's really the kitchen sink approach. CISA started better educating everyone about ransomware and putting out notices of the latest attacks and indicators of compromise. We started to go after the money. We started to identify and even sometimes arrest ransomware group members. We started to sanction or threaten to sanction legitimate organizations that allowed ransomware gangs to cash out their ill-gotten gains.
"Victims started saying no to paying the ransom. After over a decade of most victims...say 40% to 50% of them, usually paying the ransom, today most don't. And that's despite the potentially costly consequences, such as private data being publicly published. So, you've got law enforcement hot on their trail (even if they can't be arrested) and it's harder for them to make money doing what easily worked for over a decade. For the first time in the fight against ransomware, they didn't just exponentially expand their attacks and profit. Ransomware isn't gone and might not ever be, but the good guys are in the game fighting back. It isn't as one-sided as it used to be. And we need to recognize that CISA and the U.S. government did this. It isn't often that you can point to a government and say they made a difference in cybersecurity, but this is one of those times and I'm glad we have CISA in the fight."
Redacted's VP of Intelligence, Adam Flatley, noted the effectiveness of sanctions such as these, but stressed the need for a collaborative approach:
"Sanctions like these can be surprisingly effective against criminal enterprises like Trickbot, though that may not seem obvious at first. But it's important to view this as just one tool in the toolbox, and sanctions need to be layered with other diplomatic, law enforcement, and intelligence community capabilities in a coordinated campaign to target cybercrime gangs operating from sanctuary countries like Russia in order to maximize disruption and dismantling efforts."