By the CyberWire staff
At a glance.
- Cl0p claims responsibility for GoAnywhere exploitation.
- Tonto Team cyberespionage attempt against Group-IB thwarted.
- DarkBit claims responsibility for ransomware attack on Technion University.
- Grand Theft Auto: now also a TikTok challenge.
- Latest trends and reports.
- Updates on cyber activity in the hybrid war against Ukraine.
- Patch news.
- Courts and torts.
- Policies, procurements, and agency equities.
- Business news.
- Research developments.
Cl0p claims responsibility for GoAnywhere exploitation.
Earlier this month, cybersecurity firm Fortra disclosed a vulnerability in their GoAnywhere MFT software, offering indicators of compromise (IOCs), with a patch coming only a week later, Security Week reported last week. Attacks exploiting the vulnerability are said to be linked to operators of the Cl0p ransomware family, who themselves claimed credit to Bleeping Computer on Friday. The GoAnywhere vulnerability “enables attackers to gain remote code execution on unpatched GoAnywhere MFT [managed file transfer] instances with their administrative console exposed to Internet access,” wrote Bleeping Computer. The release of a proof-of-concept exploit came on Monday, with the company providing emergency updates the following day. Fortra wrote on their support site Thursday that their Managed File Transfer as a Service (MFTaaS) was also impacted:
The Cl0p gang reached out to Bleeping Computer, claiming responsibility for the attacks and saying that they had “stolen the data over the course of ten days after breaching servers vulnerable to exploits targeting this bug.” Lateral movement across victimized systems and implementation of ransomware were also reportedly possible according to this spokesperson, though the gang’s good nature, of course, prevented them from doing either, stealing only documents from compromised servers. Cl0p’s observed activity exploiting a zero day Accellion FTA vulnerability in 2020 to steal the data of around 100 companies, is reminiscent of this more recent activity that the gang claims affected one-hundred-thirty victims. For more on Cl0p and GoAnywhere, see CyberWire Pro.
Tonto Team cyberespionage attempt against Group-IB thwarted.
Group-IB says its employees were targeted by a phishing campaign launched by the suspected Chinese threat actor Tonto Team. During the summer of 2022, Group-IB employees received phishing emails with malicious Office documents crafted with the Royal Road weaponizer, which is often used by Chinese state-sponsored actors. The emails were meant to deliver Bisonal.DoubleT, a strain of malware exclusively used by the Tonto Team. Group-IB’s security solution flagged the emails as malicious. During their investigation, the security firm found that it had been targeted by the Tonto Team in 2021 as well. These attacks were also unsuccessful. The researchers note that most Chinese state-sponsored threat actors are focused on conducting espionage or surveillance. For more on Tonto Team, see CyberWire Pro.
DarkBit claims responsibility for ransomware attack on Technion University.
Technion University in Haifa, Israel, fell victim to a ransomware attack that forced the shutdown of all of the school’s communication networks on Sunday, the Jerusalem Post wrote. A new ransomware group, “DarkBit,” has claimed responsibility for the cyberattack, ARN reported. The university tweeted Sunday, “The Technion is under cyber attack. The scope and nature of the attack are under investigation.” The group behind the attack, DarkBit, is asking for 80 Bitcoin, or approximately $1,729,320 from the university, with a threatened 30% increase in the demand if the ransom is left unpaid for forty-eight hours. DarkBit appears to be motivated by anti-Israeli or pro-Palestinian sentiment. The Israeli National Cyber Directorate (INCD) confirmed that they were connecting with Technion University administrators “to get a full picture of the situation, to assist with the incident and to study its consequences,” the Jerusalem Post reported Sunday. For more on DarkBit, see CyberWire Pro.
Grand Theft Auto: now also a TikTok challenge.
Car manufacturers Hyundai and Kia have rolled out free theft-deterrent software for vehicles that don’t have an immobilize, the United States Department of Transportation (NHTSA) said in a press release on Tuesday. Social media giant TikTok, known for its short-form video format, has seen the promotion of a so-called “Kia Challenge,” observed since July of last year in which users share “videos showing how to remove the steering column cover to reveal a USB-A slot that can be used to hotwire [the] car,” Bleeping Computer wrote. This “challenge” saw such a great level of virality that Los Angeles, California saw an 85% increase in Kia and Hyundai thefts in 2022, with Chicago seeing a nine-time increase for the same brands.
The issue resides within a flaw in the vehicles’ “turn-key-to-start" system that allows for bypassing of “the immobilizer that verifies the authenticity of the code in the key's transponder to the car's ECU. This allows thieves to forcibly activate the ignition cylinder using any USB cable to start the vehicle,” Bleeping Computer recounted. The NHTSA says that the update provides an extended alarm duration, from 30 seconds to one minute, and requires a physical key in the ignition to start. This initial rollout will impact 2017-2020 Elantra, 2015-2019 Sonata, and 2020-2021 Venue car models. More updates are anticipated in June, with that second rollout providing an update for other car models. For more on the vulnerability of cars to USB-enabled theft, see CyberWire Pro.
Doing Threat Intel is Really Difficult - Try a Managed Intel Service
Why are you struggling with interpreting threat intel by yourself? Engage Nisos to achieve better risk insights and outcomes. Rely on the experts with a managed service that gives you the people, process, and technology to control costs while improving your defenses. Nisos leverages automation efficiency and analyst expertise that eliminates noise, identifies risks, and prioritizes your company-specific threats. We help you respond to threats faster and more effectively through assessments, monitoring, and investigations.
Threat actor movements observed and reported over the week.
Cisco Talos has been tracking an unidentified financially motivated threat actor that's using a new strain of ransomware called "MortalKombat," as well as the Laplas Clipper malware. The threat actor is delivering both strains of malware via cryptocurrency-themed phishing emails. Laplas Clipper is designed to monitor an infected system's clipboard for cryptocurrency wallet addresses, then hijack transactions by overwriting them with an address belonging to the attacker. Laplas was first observed in November 2022, while the MortalKombat ransomware first surfaced last month. The researchers believe MortalKombat belongs to the Xorist ransomware family. For more on MortalKombat, see CyberWire Pro.
North Korea’s APT37 (also known as “RedEyes or “StarCruft”) is distributing a new strain of malware dubbed “M2RAT,” according to a report from AhnLab Security Emergency Response Center (ASEC). ASEC spotted M2RAT being distributed via phishing emails last month. The emails contain documents that will execute shellcode by exploiting an EPS vulnerability in the Hangul word processor, which BleepingComputer notes is commonly used in South Korea. The shellcode will download a JPEG image to the victim’s machine, then uses steganography to extract code that will download M2RAT. The malware is designed to exfiltrate data via keylogging and screenshotting. M2RAT will also scan for mobile devices that are connected to the infected machine, and will transfer any documents or voice recordings to the PC. ASEC explains that APT37 usually targets “human rights activists, journalists, and North Korean defectors.” The researchers note that since the threat actor targets individuals and personal devices rather than companies with expensive security solutions, the victims often don’t know they’ve been compromised. For more on APT37, see CyberWire Pro.
Morphisec is tracking a stealthy malware campaign that’s distributing the new ProxyShellMiner cryptominer. ProxyShellMiner exploits the ProxyShell vulnerabilities in Microsoft Exchange Server (which Microsoft issued patches for in 2021). The malware uses the vulnerabilities to gain initial access, then installs the cryptominer. The researchers note that while cryptominers are often viewed as a somewhat benign form of malware, the access gained by attackers can be used to launch more damaging attacks. For more on this cryptomining campaign, see CyberWire Pro.
Symantec has spotted a new strain of malware called “Frebniis” that’s being deployed against targets in Taiwan. Frebniis abuses a troubleshooting feature of Microsoft’s Internet Information Services (IIS) to install a backdoor. Frebniis can be used to proxy commands to systems in a network that aren’t accessible from the Internet. The researchers conclude, “No files or suspicious processes will be running on the system, making Frebniis a relatively unique and rare type of HTTP backdoor seen in the wild.”
Get more depth with CyberWire Pro content.
Did you know that CyberWire Pro offers five tailored briefings to help you focus in on your area of cybersecurity speciality? With daily Privacy and Policy briefings and weekly Research, Business and Disinformation briefings, you can dive right into topics that interest you the most. PLUS, get ad-free listening of all of our public podcasts and exclusive CyberWire Pro podcasts like CSO Perspectives and extended Interview Selects. Subscribe today for only $99/year and get all of this content and more! Subscribe today. Subscribe today.
Latest trends and reports.
The US Treasury Department has issued a report looking at challenges associated with the adoption of cloud technology by the financial industry. The report found that financial firms can benefit from cloud technology, and that in some cases, “cloud services represent a significant evolution in the back-end processing for financial services transactions.” Treasury adds, however, that “these benefits can only be harnessed if the selected services are adequately designed and managed for the appropriate level of security and resilience.” For more on Treasury's cloud advisory, see CyberWire Pro.
Abnormal Security detailed insights into multilingual business email compromise (BEC) attacks in a report, and insights into two actors; Midnight Hedgehog and Mandarin Capybara, who launch these campaigns in multiple languages concurrently. BEC attacks may be somewhat less prevalent than their phishing and identity theft counterparts, Abnormal Security researchers say, but the availability, affordability, and accessibility of software and technology lower the barrier to entry in targeted multiple-language attacks. Such attacks use common sales and marketing online services for malicious purposes. “Using these resources, BEC actors tend to collect target contact information—referred to as ‘leads’—within a certain geographic area, usually a single country or state,” the research states. Google Translate doesn’t hurt either. While it’s not flawless, it is free, and allows for quick translation and turnaround to victims of varying tongues. For more on multilingual BEC attacks, see CyberWire Pro.
Zscaler observed the Havoc framework being deployed against a government organization last month, and the security firm has published a detailed analysis of how the framework operates. BleepingComputer says that “[a]mong its most interesting capabilities, Havoc is cross-platform and it bypasses Microsoft Defender on up-to-date Windows 11 devices using sleep obfuscation, return address stack spoofing, and indirect syscalls.” It’s worth noting that, like Cobalt Strike and other similar tools, Havoc is intended to be used by penetration testers. Like most pentesting tools, however, it can be abused by threat actors. For more on Havoc, see CyberWire Pro.
Group-IB this week released a report detailing the activity of a nation-state threat actor dubbed “SideWinder.” The SideWinder APT, known also by the names Rattlesnake, Hardcore Nationalist (HN2), and T-APT4, has been observed since 2012 conducting cyberespionage against governments in the Asia-Pacific region. It’s believed to be headquartered in India. Group-IB discovered the group’s SideWinder.AntiBot.Script tool in June of last year, in use against Pakistani companies. The researchers were able to piece together a list of potential targets for the group, containing 61 “government, military, financial, law enforcement, political, telecommunications, and media organizations in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka,” the research reports. Significant overlap was also observed by researchers between the servers and resources in use by SideWinder and the BabyElephant APT group, hinting that they could possibly be one and the same.
Don’t pay consulting firm prices for cyber workforce development solutions.
When seeking potential cybersecurity talent from non-tech or non-traditional backgrounds, you should ask yourself three things:
- What baseline cybersecurity skills does the candidate already have?
- Do our current JDs discourage non-traditional but capable talent from applying?
- What training opportunities do we have to elevate them throughout their careers?
If these questions give you pause, CyberVista can help get you started. CyberVista's Professional Services solutions provide evidence-driven insights to transform your workforce.
Updates on cyber activity in the hybrid war against Ukraine.
The Russian cyber auxiliaries of Killnet claimed to be striking NATO over last weekend on Telegram. The boast referred, the Telegraph reports, to a distributed denial-of-service attack disrupting NATO communications with NATO aircraft delivering humanitarian relief supplies to earthquake-stricken regions of Turkey and Syria. The attack’s effects appeared limited, and were contained after a few hours. Flashpoint offers an update on the Infinity criminal-to-criminal marketplace which Killnet, the Russian cybercriminal auxiliary, has opened to attract more talent to the Russian cause. One interesting conclusion the researchers arrive at is that Infinity's rules are much less fastidious about permitting financially-motivated crime against Russian organizations than other Russian criminal fora have been.
In a report issued Thursday morning, Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape, Google's Threat Analysis Group, Mandiant, and Trust & Safety groups offered an appreciation of how the cyber phases of the war have developed. Google makes no pretense of neutrality in the war, which it directly calls Russian "aggression." Russian cyber operations have so far fallen short of prewar expectations and may well continue to do so, but Google thinks that the war has shown that cyber operations are likely to remain an enduring feature of future wars.
The CyberWire's continuing coverage of Russia's war against Ukraine may be found here.
RSA Conference 2023 San Francisco | April 24 – 27 | Moscone Center
Cutting-edge innovation. Expert speakers. Influential attendees. Valuable networking opportunities. RSA Conference 2023 will bring the cybersecurity community together again in San Francisco for four industry-shaping days, and you can be a part of that important conversation. Stay current with today’s best practices, learn about the latest trends, and tap into the strength of being Stronger Together. Learn more.
Last Friday, the US Cybersecurity and Infrastructure Security Agency (CISA) added three entries to its Known Exploited Vulnerabilities Catalog. US Federal civilian executive agencies have until March 3rd to check their systems and, as usual, "apply updates per vendor instructions." On February 16th CISA also released fifteen industrial control system (ICS) advisories. They cover systems by Siemens, Sub-IoT, Delta Electronic, and BD Alaris.
This month’s Patch Tuesday saw fixes from Microsoft, Apple, SAP, Citrix, Mozilla, and Adobe. Microsoft issued patches for seventy-seven flaws, including three zero days that were being actively exploited in the wild, BleepingComputer reports. The zero-days affect the Windows Graphics Component, Microsoft Publisher, and the Windows Common Log File System Driver. Apple has issued an emergency patch for a vulnerability affecting iOS, iPadOS, and macOS, Tom’s Guide reports. The vulnerability affects WebKit, and can lead to remote code execution on the device if the user visits a malicious webpage. Apple says it's “aware of a report that this issue may have been actively exploited.” For more on Patch Tuesday, see CyberWire Pro.
Policies, procurements, and agency equities.
The US Department of Defense (DoD) yesterday released a DoD manual on the Cyberspace Workforce Qualification & Management Program, the third installment in a policy series focused on cultivating cyber personnel. DoD CIO John Sherman explained, “The [policy series] will require workforce members to demonstrate a foundational understanding at the work role level while also addressing personnel capability and continuous professional development at the work role level. Through these mechanisms, we will be able to track and manage cyber workforce capabilities across the DoD enterprise.” The intention behind the new manual is to provide a modernized approach to talent management, giving DoD components more flexibility when it comes to developing a qualified cyber workforce. The manual covers cyber roles in the areas of information technology, cybersecurity, cyber effects, cyber intelligence, and cyber enablers.
US Deputy Attorney General Lisa Monaco yesterday announced the formation of a Disruptive Technology Strike Force, an interagency collaboration between the US Departments of Justice and Commerce. Its aim will be to deny hostile governments “tactical advantage through the acquisition, use, and abuse of disruptive technology, innovations that are fueling the next generation of military and national security capabilities.” The new Strike Force is intended, CyberScoop reports, as an evolutionary development of the Committee on Foreign Investment in the U.S. (CFIUS), the mechanism that's hitherto been used to protect US technology from hostile foreign poaching. The Disruptive Technology Strike Force is expected to bring enforcement out of the "brick-and-mortar" period in which CFIUS was drafted and into the present age of cyberespionage.
Layoffs continue to plague the cyber and big tech industries into this week. Computing reported that quantum startup Rigetti is slashing 28% of their staff, citing a focus on "nearer-term priorities." Microsoft reportedly laid off LinkedIn recruiting staff on Monday, according to the Information. SAP is laying off 224 employees in its Bay Area location, the Silicon Valley Business Journal reports. Dell Technologies-owned Secureworks is cutting almost 10% of its workforce, or about 200 jobs, in the name of "shifting investments," CRN wrote Monday. Microsoft reduced its teams working on Surface devices, HoloLens mixed reality hardware, and Xbox, Bloomberg recounts. For a more comprehensive view into this week's business news, check out this week's CyberWire Pro Business Briefing.
In this week's research news, Dragos has published its ICS/OT Cybersecurity Year in Review for 2022. The report found that ransomware attacks against industrial organizations nearly doubled last year, with seventy percent of these attacks targeting the manufacturing industry. Researchers at Symantec describe a new strain of information-stealing malware dubbed "Graphiron" that's being used by the Russian threat actor Nodaria against Ukrainian entities. Cisco Talos has been tracking an unidentified financially motivated threat actor that's using a new strain of ransomware called "MortalKombat," as well as the Laplas Clipper malware. JFrog has published a report looking at the most prevalent open-source security vulnerabilities. The researchers found that public severity ratings, such as those provided by the National Vulnerability Database's (NVD's) Common Vulnerability Scoring System (CVSS), are often "overinflated since they ignore the real-world impact of a specific CVE." For a deeper excursion into this week's cybersecurity research developments, see this week's edition of the CyberWire's Pro Research Briefing.