At a glance.
- Cl0p claims responsibility for GoAnywhere exploitation.
- Tonto Team cyberespionage attempt against Group-IB thwarted.
- DarkBit claims responsibility for ransomware attack on Technion University.
- Grand Theft Auto: now also a TikTok challenge.
- Latest trends and reports.
- Updates on cyber activity in the hybrid war against Ukraine.
- Patch news.
- Courts and torts.
- Policies, procurements, and agency equities.
- Business news.
- Research developments.
Cl0p claims responsibility for GoAnywhere exploitation.
Earlier this month, cybersecurity firm Fortra disclosed a vulnerability in their GoAnywhere MFT software, offering indicators of compromise (IOCs), with a patch coming only a week later, Security Week reported last week. Attacks exploiting the vulnerability are said to be linked to operators of the Cl0p ransomware family, who themselves claimed credit to Bleeping Computer on Friday. The GoAnywhere vulnerability “enables attackers to gain remote code execution on unpatched GoAnywhere MFT [managed file transfer] instances with their administrative console exposed to Internet access,” wrote Bleeping Computer. The release of a proof-of-concept exploit came on Monday, with the company providing emergency updates the following day. Fortra wrote on their support site Thursday that their Managed File Transfer as a Service (MFTaaS) was also impacted:
The Cl0p gang reached out to Bleeping Computer, claiming responsibility for the attacks and saying that they had “stolen the data over the course of ten days after breaching servers vulnerable to exploits targeting this bug.” According to the same spokesperson, lateral movement across victimized systems and deployment of ransomware would also have been possible, though the gang’s good nature, of course, prevented them from doing either, and they stole only documents from compromised servers. This more recent activity, which the gang claims affected 130 victims, is reminiscent of Cl0p’s observed exploitation of a zero-day Accellion FTA vulnerability in 2020 to steal the data of around 100 companies. For more on Cl0p and GoAnywhere, see CyberWire Pro.
Tonto Team cyberespionage attempt against Group-IB thwarted.
Group-IB says its employees were targeted by a phishing campaign launched by the suspected Chinese threat actor Tonto Team. During the summer of 2022, Group-IB employees received phishing emails with malicious Office documents crafted with the Royal Road weaponizer, which is often used by Chinese state-sponsored actors. The emails were meant to deliver Bisonal.DoubleT, a strain of malware exclusively used by the Tonto Team. Group-IB’s security solution flagged the emails as malicious. During their investigation, the security firm found that it had been targeted by the Tonto Team in 2021 as well. These attacks were also unsuccessful. The researchers note that most Chinese state-sponsored threat actors are focused on conducting espionage or surveillance. For more on Tonto Team, see CyberWire Pro.
DarkBit claims responsibility for ransomware attack on Technion University.
Technion University in Haifa, Israel, fell victim to a ransomware attack that forced the shutdown of all of the school’s communication networks on Sunday, the Jerusalem Post wrote. A new ransomware group, “DarkBit,” has claimed responsibility for the cyberattack, ARN reported. The university tweeted Sunday, “The Technion is under cyber attack. The scope and nature of the attack are under investigation.” The group behind the attack, DarkBit, is asking the university for 80 Bitcoin, or approximately $1,729,320, with a threatened 30% increase in the demand if the ransom is left unpaid for forty-eight hours. DarkBit appears to be motivated by anti-Israeli or pro-Palestinian sentiment. The Israeli National Cyber Directorate (INCD) confirmed that it was in contact with Technion University administrators “to get a full picture of the situation, to assist with the incident and to study its consequences,” the Jerusalem Post reported Sunday. For more on DarkBit, see CyberWire Pro.
Grand Theft Auto: now also a TikTok challenge.
Car manufacturers Hyundai and Kia have rolled out free theft-deterrent software for vehicles that don’t have an immobilizer, the United States Department of Transportation’s National Highway Traffic Safety Administration (NHTSA) said in a press release on Tuesday. Social media giant TikTok, known for its short-form video format, has seen the promotion of a so-called “Kia Challenge,” observed since July of last year, in which users share “videos showing how to remove the steering column cover to reveal a USB-A slot that can be used to hotwire [the] car,” Bleeping Computer wrote. This “challenge” went so viral that Los Angeles, California saw an 85% increase in Kia and Hyundai thefts in 2022, with Chicago seeing a ninefold increase for the same brands.
The issue resides within a flaw in the vehicles’ “turn-key-to-start” system that allows for bypassing of “the immobilizer that verifies the authenticity of the code in the key's transponder to the car's ECU. This allows thieves to forcibly activate the ignition cylinder using any USB cable to start the vehicle,” Bleeping Computer recounted. The NHTSA says that the update extends the alarm duration from 30 seconds to one minute and requires a physical key in the ignition to start the vehicle. This initial rollout covers 2017-2020 Elantra, 2015-2019 Sonata, and 2020-2021 Venue models. More updates are anticipated in June, with that second rollout providing an update for other car models. For more on the vulnerability of cars to USB-enabled theft, see CyberWire Pro.