By the CyberWire staff
At a glance.
- Twitter disables SMS authentication for all but blue-checked users.
- Cyber risk as business risk: the Applied Materials incident.
- GoDaddy's compromise.
- LockBit claims attack on water utility in Portugal.
- Ransomware interferes with food production.
- Threat actor movements observed and reported over the week.
- Latest trends and reports.
- Updates on cyber activity in the hybrid war against Ukraine on the first anniversary of the conflict's beginnings.
- Patch news.
- Courts and torts.
- Policies, procurements, and agency equities.
- Labor markets: a deep dive into cyber labor trends and risks, the DoD's workforce strategy, and the US federal and military cyber forces.
Twitter disables SMS authentication for all but blue-checked users.
Twitter's decision last week to drop SMS text messages as a two-factor authentication (2FA) method for all but paying Twitter Blue subscribers has been poorly received. Twitter explained, "While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used - and abused - by bad actors. So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers." The Verge points out that the move away from SMS 2FA may be a cost-control measure, since it costs (a little bit of) money to send an SMS. It's true enough that SMS authentication is the weakest of the common 2FA methods (SIM swapping and interception on the carrier network are the usual abuse paths), but it's better than nothing, and it's likely, as experts point out to NPR and Wired, that people who've used it as their default will not replace it with an authenticator app or security key. And besides, why should subscribers paying for their blue check be expected to be content with an inferior method of authentication? Or are they paying for convenience?
Cyber risk as business risk: the Applied Materials incident.
Semiconductor technology giant Applied Materials anticipates a $250 million reduction in sales this quarter due to a cyberattack, the Silicon Valley Business Journal reported Friday. A ransomware attack hit one of the company's third-party suppliers, deduced by industry analysts to be MKS Instruments, a technology and engineering company, the Record wrote last week. The Record quotes Applied Materials CEO Gary Dickerson as saying on a conference call, "Very recently, one of our major suppliers encountered a disruption that will impact our second-quarter shipments." In its most recent earnings release, Applied Materials guides to net sales of $6.40 billion for the second fiscal quarter of this year and cites "ongoing supply chain challenges and a negative estimated impact of $250 million dollars related to a cybersecurity event recently announced by one of our suppliers." For more on this story, see CyberWire Pro.
GoDaddy's compromise.
GoDaddy has disclosed that it discovered a breach in December 2022 that resulted in a threat actor redirecting customer websites to malicious domains, BleepingComputer reports. The company says the threat actor was able to install malware in its cPanel shared hosting environment. The company added that it has "evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy. According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities." GoDaddy also stated in an SEC filing that it believes the same threat actor was responsible for security incidents the company disclosed in 2020 and 2021. For more on the GoDaddy breach, see CyberWire Pro.
LockBit claims attack on water utility in Portugal.
The LockBit ransomware gang has claimed responsibility for an attack against a water utility in Portugal. The Record reports that Águas e Energia do Porto, which serves the country's second largest city, said that neither water supply nor wastewater services were affected, but that some customer data may have been exposed. LockBit has given the utility until March 7th to pay the ransom, at which point the gang says it will release the stolen data.
Ransomware interferes with food production.
A ransomware attack on Dole plc led the company to interrupt operations at its North American processing plants, CNN Business reports. A February 10th memo from the senior vice president of the company's Fresh Vegetables division said, "Dole Food Company is in the midst of a Cyber Attack and have subsequently shut down our systems throughout North America." The shutdown affected deliveries of salad kits to food retailers. The specific strain of ransomware involved has not been publicly disclosed. Dole plc says that the attack remains under investigation, and that "the impact to Dole operations has been limited." For a representative range of security industry reaction to the incident, see CyberWire Pro.
Threat actor movements observed and reported over the week.
Researchers from Symantec, a Broadcom Software company, wrote this week about an observed campaign likely intended to gather intelligence from shipping companies and medical laboratories in Asia. They're calling it "Hydrochasma." Symantec researchers have observed activity from the Hydrochasma threat actor dating back to October of 2022. The actor is not linked to any other known campaigns, and the researchers did not observe data being exfiltrated; however, the tools in use indicated to them that the goal is probably intelligence gathering. The industries Hydrochasma targets appear to be associated with COVID-19 vaccines and treatments. For more on Hydrochasma, see CyberWire Pro.
Symantec has also described a previously unobserved threat actor, "Clasiopa," that targeted a materials research firm in Asia. The threat actor uses a combination of publicly available and custom-made malware tools, including a bespoke remote access Trojan called "Atharvan." Clasiopa also may have abused two legitimate software packages in its attacks. Symantec says there's no firm evidence pointing to who might be behind Clasiopa. Some of the threat actor's malware contains references to India and Hinduism, but the researchers believe these are so obvious that they could well be false flags. For more on Clasiopa, see CyberWire Pro.
Avanan warns that attackers are abusing the note-taking app Evernote to host malicious links they're distributing in a business email compromise (BEC) scam. Avanan researchers observed an attack in which an account belonging to the president of an organization was compromised. The attackers used the account to send phishing emails with a link to an Evernote page, purporting to contain a “secure message.” The Evernote page hosted a link to a credential-harvesting phishing site. For more on Evernote BEC abuse, see CyberWire Pro.
Resecurity reports a credential theft campaign in progress against major corporate data centers, writing that the attackers' most probable targets of interest include helpdesk systems, customer service, ticket management and support portals, remotely accessible devices, data center management systems, data center IT staff and customer emails, and embedded server management systems or related technology. It's unclear who's behind the campaign, but Bloomberg reports that the incident has compromised a disturbingly large amount of data.
ESET on Thursday reported that North Korea's Lazarus Group may be deploying a new backdoor, "WinorDLL64," through its Wslink downloader. The "WinorDLL64 payload serves as a backdoor that most notably acquires extensive system information, provides means for file manipulation, such as exfiltrating, overwriting, and removing files, and executes additional commands," the researchers write, adding, "Interestingly, it communicates over a connection that was already established by the Wslink loader." The connection to the Lazarus Group is circumstantial but convincing: its development environment, behavior, and code show overlap with known Lazarus samples, and the victimology is consistent with observed Lazarus targeting.
In research news this week, Trend Micro has observed a new backdoor called "WhiskerSpy" that's being used by the Earth Kitsune APT to target individuals who are interested in North Korea. Trend Micro has also published a report outlining the activities of the threat actor tracked as "Earth Yako," a threat actor observed targeting "researchers in the academe and research think tanks in Japan" since January 2022, as well as launching several attacks against entities in Taiwan. Check Point is tracking a cyberespionage campaign that's targeting entities in Armenia with a new version of the OxtaRAT malware, which has also been used to target Azerbaijani activists and dissidents. For more on this and other threat research, check out this week's edition of the CyberWire's Pro Research Briefing.
Researchers at Jamf have discovered a new family of macOS cryptomining malware. The malware is evasive, and can sometimes pass security measures on machines running macOS Ventura. The malware is delivered via a malicious version of Final Cut Pro, which has been modified to install the XMRig miner in the background. The researchers discovered the software being offered on Pirate Bay. It’s worth noting that users can avoid this particular malware by not downloading pirated versions of software applications like Final Cut Pro. For more on this novel cryptojacker, see CyberWire Pro.
Bitdefender Wednesday morning released a report on S1deload Stealer, "a global campaign," the researchers write, "that targets Facebook and YouTube accounts." The payoff for the criminals is interesting and shows the complexity that has come to typify the criminal-to-criminal market. "S1deload Stealer steals user credentials, emulates human behavior to artificially boost videos and other content engagement, assesses the value of individual accounts (such as identifying corporate social media admins), mines for BEAM cryptocurrency and propagates the malicious link to the user’s followers."
Latest trends and reports.
IBM has published its X-Force Threat Intelligence Index for 2023, finding that the most common impact from cyberattacks in 2022 was extortion. More than a quarter (27%) of attacks observed by IBM resulted in attempted extortion, most of them ransomware or business email compromise (BEC) attacks. X-Force notes that attackers are finding new ways to turn up the heat in extortion attacks. The researchers also note that the average time to complete a ransomware attack has decreased dramatically over the past several years. In 2019, threat actors would usually spend more than two months setting up their attacks. By 2021, they could achieve their goal in just under four days. The report stresses that misconfigured or vulnerable domain controllers can open the door to ransomware. For more on ransomware trends, see CyberWire Pro.
Identity and Access Management (IAM) platform provider Oort Thursday morning released its 2023 State of Identity Security report, which details prevalent identity attacks that occurred in 2022, the weaknesses in multi-factor authentication, and related issues in the IAM industry. The researchers reference this month's attack on Reddit, in which attackers obtained both a password and a one-time password (OTP) from the victim, as well as attacks by the cybercriminal gang 0ktapus, which targeted Twilio and is suspected of having targeted Coinbase. Such incidents have motivated a push from the security community toward phishing-resistant MFA (FIDO2/WebAuthn security keys and passkeys, whose assertions are bound to the site's origin and so cannot be relayed by a lookalike site), yet strong second factors of that kind accounted for only 1.82% of all logins Oort observed. Just over 40% of organizations observed had weak MFA or none at all, leaving a lot of holes for attackers to potentially exploit. For more on identity-based attacks, see CyberWire Pro.
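Why an OTP can be relayed through a phishing proxy while an origin-bound assertion cannot, as an added illustration (not from Oort's report or any vendor's code). The TOTP half follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) and uses the RFC's published test secret so the first code is checkable against the standard. The assertion half is a simplified stand-in for a WebAuthn/FIDO2 authenticator: the browser writes the origin it is actually connected to into clientDataJSON and the authenticator signs it with a per-credential private key; here an HMAC keyed with a per-credential secret stands in for that signature so the script needs only the standard library. The origins, the credential key and the challenge are constructed for the example.

```python
"""Relayable OTP versus origin-bound assertion (added example, standard library only)."""
import hashlib
import hmac
import json
import struct

RP_ORIGIN = "https://login.example.com"         # the real relying party (constructed)
PHISH_ORIGIN = "https://login.example-com.net"  # lookalike reverse-proxy site (constructed)

DEMO_SECRET = b"12345678901234567890"        # RFC 4226/6238 test secret
DEMO_CRED_KEY = b"per-credential-demo-key"   # stands in for the credential private key (constructed)
DEMO_CHALLENGE = "c3RhdGljLWNoYWxsZW5nZQ"    # fixed challenge for a reproducible run (constructed)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226 dynamic truncation) over the time-step counter."""
    counter = struct.pack(">Q", int(for_time // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def server_verify_totp(secret: bytes, code: str, now: float, window: int = 1) -> bool:
    """Server-side check accepting the current step and +/- `window` neighbouring steps."""
    return any(
        hmac.compare_digest(totp(secret, now + k * 30), code)
        for k in range(-window, window + 1)
    )


def otp_phishing_relay(secret: bytes, now: float) -> bool:
    """The 0ktapus/Reddit pattern: the victim types password and OTP into the phishing
    page and the proxy replays both to the real server a few seconds later. Nothing
    in the six digits records which site they were typed into, so the server accepts."""
    victim_code = totp(secret, now)   # generated on the victim's phone
    relayed_code = victim_code        # forwarded unchanged by the proxy
    return server_verify_totp(secret, relayed_code, now + 5)


def authenticator_sign(cred_key: bytes, challenge: str, origin: str):
    """The browser builds clientDataJSON from the origin it is really connected to;
    the authenticator signs those bytes (HMAC stands in for the real signature)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    sig = hmac.new(cred_key, client_data, hashlib.sha256).hexdigest()
    return client_data, sig


def rp_verify_assertion(cred_key: bytes, expected_challenge: str, client_data: bytes, sig: str):
    """Relying-party checks: challenge freshness, then origin, then the signature."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return False, "wrong type"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if data.get("origin") != RP_ORIGIN:
        return False, "origin mismatch"
    expected_sig = hmac.new(cred_key, client_data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, sig):
        return False, "bad signature"
    return True, "ok"


def legitimate_login(cred_key: bytes, challenge: str):
    """User is on the real site, so the signed origin is RP_ORIGIN."""
    client_data, sig = authenticator_sign(cred_key, challenge, RP_ORIGIN)
    return rp_verify_assertion(cred_key, challenge, client_data, sig)


def webauthn_phishing_relay(cred_key: bytes, challenge: str):
    """Same proxy trick: the RP's challenge is forwarded intact, but the victim's
    browser is on PHISH_ORIGIN, and that is the origin that gets signed."""
    client_data, sig = authenticator_sign(cred_key, challenge, PHISH_ORIGIN)
    return rp_verify_assertion(cred_key, challenge, client_data, sig)


if __name__ == "__main__":
    print("TOTP at T=59 (RFC 6238 vector, 6 digits):", totp(DEMO_SECRET, 59))
    print("OTP relayed through proxy accepted:", otp_phishing_relay(DEMO_SECRET, 59))
    print("Direct WebAuthn-style login:", legitimate_login(DEMO_CRED_KEY, DEMO_CHALLENGE))
    print("Relayed WebAuthn-style login:", webauthn_phishing_relay(DEMO_CRED_KEY, DEMO_CHALLENGE))
```

The relayed OTP is accepted because the server's only input is the code and a clock window; the relayed assertion is rejected before the signature is even checked, because the origin the browser recorded is the phishing site, not the relying party. That origin binding, not the strength of the key, is what makes WebAuthn phishing-resistant.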
Updates on cyber activity in the hybrid war against Ukraine on the first anniversary of the conflict's beginnings.
The IT Army of Ukraine claimed credit for briefly, periodically disrupting online services that carried President Putin's state-of-the-nation address. "We launched a DDoS attack on channels showing putin's address to the federal assembly," the IT Army posted in its Telegram channel, specifying its targets as 1TV, VGTRK and SMOTRIM. The IT Army is the most prominent representative of Ukrainian hacktivists operating as a cyber auxiliary of Ukraine's intelligence and security services. The Ukrainian government freely acknowledges the support it receives from the IT Army, but both the government and the IT Army deny that the hacktivist organization receives orders directly from the government.
This week marked the first anniversary of Russia's invasion of Ukraine. The US Cybersecurity and Infrastructure Security Agency (CISA) advised all organizations to stay alert for renewed, more intense Russian cyberattacks as the war against Ukraine enters its second year. "CISA assesses that the United States and European nations may experience disruptive and defacement attacks against websites in an attempt to sow chaos and societal discord on February 24, 2023, the anniversary of Russia's 2022 invasion of Ukraine," the agency said. "CISA urges organizations and individuals to increase their cyber vigilance in response to this potential threat." CISA draws particular attention to its DDoS Attack Guidance for Organizations and Federal Agencies and its Shields Up webpage.
According to BleepingComputer, CERT-UA has detected cyberattacks this week against Ukrainian government networks that used a web shell installed in December 2021. A Russian threat actor tracked as Ember Bear (also known as UAC-0056 or Lorec53) used it to install three backdoors, CredPump, HoaxPen, and HoaxApe, in February 2022 as the invasion became imminent, and appears to have maintained a presence through this week. The State Service of Special Communications and Information Protection of Ukraine (SSSCIP) described the incident as a failed attempt by Russia "to stay visible in cyberspace."
The CyberWire's continuing coverage of Russia's war against Ukraine may be found here.
Patch news.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added three entries to its Known Exploited Vulnerabilities Catalog:
US Federal civilian executive branch agencies have until March 14th to inspect their systems and, as always, "apply updates per vendor instructions."
Additionally, CISA Thursday released three industrial control system (ICS) advisories:
Courts and torts.
A police lieutenant in the US state of Minnesota was charged last year with abusing his access to the state's driver's license database in order to track down a former girlfriend, and the Star Tribune reports that the victim is now suing the city and the officer who allegedly stalked her.
This week, we've been following two cases the US Supreme Court heard concerning web companies' liability for the content hosted on their sites. The first case, Gonzalez v. Google, asks whether video streaming platform YouTube should be held accountable for videos promoting ISIS that potentially served as motivation for the attacks that took place in Paris in 2015 and resulted in the deaths of over one hundred people, including American college student Nohemi Gonzalez, Time explains. The plaintiffs in the case allege that YouTube's algorithms helped promote the content that led to the attack. The Washington Post reports that Gonzalez family lawyer Eric Schnapper argued that the protections granted by Section 230, a provision of the Communications Decency Act that shields internet companies from liability for content posted by users, should not apply to Google's algorithmic recommendations that amplify harmful content. After hearing nearly three hours of oral arguments, the justices indicated they did not feel Schnapper had offered a coherent enough case for narrowing Section 230, signaling they would move cautiously in making their final decision.
On Wednesday the Supreme Court heard Twitter v. Taamneh, in which the plaintiffs argue that Google, Twitter, and Facebook should similarly be held liable for an ISIS attack in Istanbul that killed nearly thirty people. As Bloomberg explains, a lower court determined that Twitter (along with Google and Facebook) had to face claims that they played a role in the attack by failing to remove (and in turn profiting from) the terrorists' materials. CNN reports that after nearly three hours of oral arguments, the Court seemed divided on whether Twitter's hosting of the content in question constitutes a violation of the Anti-Terrorism Act, a federal statute that entitles victims of terrorist attacks to collect damages from entities that "aided and abetted" a terrorist act. The court's conservatives seemed to side with Twitter, agreeing that the posts could not be seen as offering "substantial" assistance to the attackers, while the more liberal justices seemed to feel Twitter should bear some responsibility.
Policies, procurements, and agency equities.
The European Commission announced Thursday that its Corporate Management Board is suspending the use of TikTok on corporate devices and on personal devices enrolled in the Commission's mobile device service. As the announcement reads, "This measure aims to protect the Commission against cybersecurity threats and actions which may be exploited for cyber-attacks against the corporate environment of the Commission." The decision follows a series of similar TikTok bans enacted by US government agencies and even universities amid concerns that the popular Chinese-owned video app could be a threat to national security.
Labor markets.
We've previously discussed ISC2's "How the Cybersecurity Workforce Will Weather a Recession" report, which details the anticipated impact of economic hard times and related factors on the cybersecurity workforce as this year unfolds. The research showed that the cybersecurity workforce is highly regarded by executives; however, even with executives understanding its value, cybersecurity workers have not been exempt from the economy's wrath. Within the first two months of 2023, we've already seen major players in the sector, such as Sophos, Okta, and Secureworks, make cuts to their teams, Cybersecurity Dive noted earlier this month. Tanium, not itself laying people off, noted the cuts seen in big tech as well: Alphabet, Google's parent company, cut 12,000 employees, Amazon slashed its labor force by 18,000, and Dell, IBM, Microsoft, and SAP also recorded major reductions in their staff. Some employees may also become a kind of insider risk (perhaps a former-insider risk), Tanium observes, as companies' offboarding processes may not be adequate to a period of layoffs. Another, related consideration, as Dice discussed last week, is the uptick in cybercriminal recruitment of tech and IT talent. A Kaspersky study analyzing the cybercriminal labor market (discussed here late last month) identified some pretty high-paying job opportunities in cybercrime, as well as offers of many benefits reminiscent of their above-board counterparts, such as paid vacation and sick leave and flexible scheduling. For a more in-depth look into this week's business and labor market news, see this week's edition of the CyberWire's Pro Business Briefing.