By the CyberWire staff
At a glance.
- The US National Cybersecurity Strategy is out.
- Dish Network reports disruption.
- US Marshals Service sustains a data breach.
- Attackers in LastPass data breach built on an earlier attack.
- MKS Instruments' 8K discloses ransomware incident.
- Bitdefender releases a decryptor for MortalKombat ransomware.
- Threat actor movements observed and reported over the week.
- Trends and reports, hot off the presses.
- Updates on cyber activity in the hybrid war against Ukraine.
- Patch news.
- Policies, procurements, and agency equities.
- Business news.
- Research developments.
The US National Cybersecurity Strategy is out.
The White House on Thursday morning released the National Cybersecurity Strategy, intended, according to the fact sheet released alongside it, to “secure the full benefits of a safe and secure digital ecosystem for all Americans.” The strategy rebalances roles, responsibilities, and resource allocations across the digital ecosystem around five pillars: defense of critical infrastructure, disruption of threat actors, shaping of market forces, investment in future resiliency, and international collaboration. Throughout, it prioritizes defensibility, resiliency, and alignment with American values. For more on the US National Cybersecurity Strategy, see CyberWire Pro.
Following Thursday's public release of the US National Cybersecurity Strategy, the Center for Strategic and International Studies (CSIS) held a launch event that brought together two of the federal government's principal figures in cyberspace: the Acting National Cyber Director, Kemba Walden, and the Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, Anne Neuberger. Walden noted that the SolarWinds incident focused federal attention on cybersecurity and led to its being addressed in the American Rescue Plan. She added, however, that modernizing technology not only improves defensibility but also requires sustained effort to maintain resiliency. Neuberger noted the proven value of international collaboration, and both officials highlighted the importance of US interagency collaboration. For more on the implementation of the National Cybersecurity Strategy, see CyberWire Pro.
Dish Network reports disruption.
It was initially unclear whether the outages Dish Network suffered over the week were the result of a cyberattack (as BleepingComputer speculated) or of internal network issues (as the Verge reported Dish had indicated). Whatever the cause, employees and customers had been affected since the previous Friday. As the week progressed, it became clear that the incident was a cyberattack. The Verge obtained an internal Dish email advising employees that the company was “investigating a cybersecurity incident” and was “aware that certain data was extracted.” A Form 8K filed with the US Securities and Exchange Commission (SEC) then confirmed that the IT problems were caused by a cyberattack: Dish has activated its incident response plans, engaged outside cybersecurity resources, and “determined that the outage was due to a cyber-security incident.” The filing identified the incident as a ransomware attack and said that law enforcement had been notified. Dish told TechCrunch that Dish TV, Sling TV, and its wireless service are all back up. Investigation and remediation are in progress.
US Marshals Service sustains a data breach.
A data breach that may be ransomware-related has been reported at the US Marshals Service (USMS). Data about current investigations as well as data on USMS employees are believed to have been compromised, NBC News correspondent Tom Winter said in a Twitter thread Monday evening, as NBC News broke the story. Marshals Service spokesperson Drew Wade said that the affected system held sensitive law enforcement data, including some personally identifiable information on subjects of USMS investigations, third parties, and USMS staff. BleepingComputer reports that USMS isolated the affected system from its network and is investigating the attack as a “major incident.” For more on the breach at the US Marshals Service, see CyberWire Pro.
Attackers in LastPass data breach built on an earlier attack.
Password manager LastPass disclosed a second breach of its systems on Monday. A threat actor leveraged information obtained in the August breach to target the home computer of a senior employee and, in what LastPass called a “coordinated second attack,” gained access to the company’s AWS cloud storage and stole data, BleepingComputer reports. According to LastPass, the first incident ended on August 12, but the threat actor then “pivoted from the first incident” and conducted “reconnaissance, enumeration, and exfiltration activities” in the cloud storage environment through late October. The Verge reports that the company has now disclosed all the classes of data accessed in both breaches and has published a PDF with further details on last year’s incidents. It has also issued security notes for users of Free, Premium, and Families accounts, as well as a note for business administrators. BleepingComputer notes that LastPass added HTML tags to the support bulletins that prevent search engines from indexing them. For more on the LastPass breach, see CyberWire Pro.
MKS Instruments' 8K discloses ransomware incident.
MKS Instruments, a Massachusetts-based supplier of "instruments, systems, subsystems and process control solutions that measure, monitor, deliver, analyze, power and control critical parameters of advanced manufacturing processes," has filed a Form 8K with the SEC disclosing a ransomware attack and describing the attack's consequences. John T.C. Lee, President and Chief Executive Officer of MKS, has said he expects full restoration of systems in coming weeks and notes that the company is “well into the recovery phase of our manufacturing and service operations.”
Bitdefender releases a decryptor for MortalKombat ransomware.
Bitdefender has released a universal decryptor for MortalKombat ransomware. MortalKombat (the malware's only connection to the eponymous game is its threat to change victims' wallpaper to Mortal Kombat images) is a strain of ransomware related to Xorist. It was first observed in January of this year, active against victims in the US, the UK, Turkey, and the Philippines.
Doing Threat Intel is Really Difficult - Try a Managed Intel Service
Why are you struggling with interpreting threat intel by yourself? Engage Nisos to achieve better risk insights and outcomes. Rely on the experts with a managed service that gives you the people, process, and technology to control costs while improving your defenses. Nisos leverages automation efficiency and analyst expertise that eliminates noise, identifies risks, and prioritizes your company-specific threats. We help you respond to threats faster and more effectively through assessments, monitoring, and investigations.
Threat actors' recent operations.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI on Thursday issued a joint advisory on Royal ransomware. Royal is noteworthy for its ability to disable various anti-virus tools in the course of exfiltrating data for its double-extortion attacks. Royal's operators have also shown a disposition to target “numerous critical infrastructure sectors.” The gang has been known to demand ransom payments of up to $10 million. The advisory includes an overview of the gang's tactics, techniques, and procedures, indicators of compromise, and mitigations organizations can deploy to reduce their exposure.
Crypto hardware wallet provider Trezor has warned of a major phishing campaign that’s targeting its customers via phone calls, text messages, and emails. The messages inform recipients that Trezor has recently suffered a security breach, and instruct them to follow a link to a spoofed Trezor wallet seed recovery page. Trezor says there’s no evidence that there’s been a real breach, and the company says it will never contact customers via phone calls or text messages. For more on this social engineering campaign, see CyberWire Pro.
Cado Security researchers shared in a blog Thursday morning their discovery of a cryptojacking campaign targeting insecure Redis deployments. The campaign stages its payload on transfer[.]sh, an open-source command-line file transfer service that has been available since at least 2014 but, the researchers say, had not been observed distributing malware until early this year. The Cado team suspects that the move to the file transfer service may be an attempt to evade detection.
Armorblox describes a phishing campaign that uses OneNote file attachments to distribute the Qakbot banking Trojan. The phishing emails purport to come from a trusted vendor and are framed as a follow-up to an earlier conversation, asking the recipient to open a OneNote attachment, presented as an invoice, to review the details of an order that appears to have already been completed. Opening the file executes embedded VBScript, which installs Qakbot.
Trend Micro reports that Emissary Panda, which it tracks as Iron Tiger, has updated its SysUpdate malware to target Linux systems. The APT has also adopted a novel command-and-control method. It continues to concentrate on Southeast Asia but has also prospected targets in Europe and the Americas; TechMonitor notes that Iron Tiger's interests lie for the most part with governments, defense companies, and infrastructure.
ESET is following developments in Mustang Panda's activities, especially its deployment of a novel, purpose-built “barebones” backdoor. Mustang Panda's operations have increased over the course of Russia's war against Ukraine, collecting intelligence in Beijing’s interest. “The victimology is unclear,” ESET says, noting signs of unusual interest in Bulgaria and Australia, but most of the group's targeting appears to center on Europe.
Researchers at Safeguard Cyber have observed a social engineering campaign on LinkedIn that used the DALL-E generative AI model to make images for phony ads designed to gather personal information. The malicious ads purport to offer a link to a whitepaper that would empower “sales team[s] with next-level insights and strategies.” Safeguard Cyber’s researchers comment that this information would be useful in preparing future, targeted phishing attacks. For more information on abuse of DALL-E, see CyberWire Pro.
Mitiga has published research on Google Cloud Platform (GCP), concluding that Google Cloud Storage has a “significant forensic security deficiency” that enables covert data exfiltration by an attacker who already has access to a GCP storage bucket. The problem is that GCP records several different actions under the same log description: reading an object's metadata and downloading its contents, for example, both appear simply as “storage.objects.get,” so the log alone cannot tell a defender which one occurred. Google commented on Mitiga's blog and, while it does not consider the scenario Mitiga describes to be a vulnerability, said it “appreciates Mitiga's feedback” and has worked with the researchers on recommendations for improvement. For more on Mitiga's findings about Google Cloud Platform, see CyberWire Pro.
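The following script is an added example, not code from Mitiga or Google, of one compensating detection a practitioner can run over Cloud Audit Logs given the gap described above: since the method name cannot separate a benign read from an exfiltration, it flags storage.objects.get events by who performed them, from where, and in what volume. The allowed identity domain, the allowed network range, the bucket and object names, and the log entries themselves are constructed for illustration; the field paths (protoPayload.methodName, authenticationInfo.principalEmail, requestMetadata.callerIp, resourceName, timestamp) follow the Data Access audit log layout.

```python
"""Compensating detection for Google Cloud Storage object reads.

Added example; not code from Mitiga or Google. Every read below carries
methodName "storage.objects.get", so the method alone cannot separate a
metadata read from a download. The checks instead use fields that Data
Access audit log entries do carry: principalEmail, callerIp, resourceName
and timestamp. Domains, networks, names and entries are constructed.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

ALLOWED_DOMAINS = {"example.com"}                            # assumed corporate identity domain
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed corporate egress (TEST-NET-3)
BURST_WINDOW_SECONDS = 60   # assumed: this many distinct objects read by one
BURST_THRESHOLD = 3         # principal inside the window counts as a bulk read


def _entry(ts, principal, ip, obj, method="storage.objects.get"):
    """Build a minimal Data Access audit log entry (constructed sample data)."""
    return {
        "timestamp": ts,
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip},
            "resourceName": f"projects/_/buckets/corp-data/objects/{obj}",
        },
    }


# Constructed sample log: one legitimate user and one external identity that
# pulls three HR files in twenty seconds from an address outside the company.
SAMPLE_ENTRIES = [
    _entry("2023-03-01T10:00:00Z", "alice@example.com", "203.0.113.10", "reports/q4.pdf"),
    _entry("2023-03-01T10:05:00Z", "contractor@evil-example.org", "198.51.100.7", "hr/payroll.csv"),
    _entry("2023-03-01T10:05:10Z", "contractor@evil-example.org", "198.51.100.7", "hr/benefits.csv"),
    _entry("2023-03-01T10:05:20Z", "contractor@evil-example.org", "198.51.100.7", "hr/ssn-export.csv"),
    _entry("2023-03-01T11:00:00Z", "alice@example.com", "203.0.113.10", "reports/q3.pdf"),
    _entry("2023-03-01T11:00:05Z", "alice@example.com", "203.0.113.10", "", method="storage.objects.list"),
]


def _parse_ts(ts):
    # Assumes second-granularity RFC 3339 timestamps; real entries carry nanoseconds.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _ip_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def find_suspicious_reads(entries, allowed_domains=ALLOWED_DOMAINS,
                          window=BURST_WINDOW_SECONDS, threshold=BURST_THRESHOLD):
    """Return findings for storage.objects.get events that look like exfiltration."""
    findings = []
    reads_by_principal = defaultdict(list)
    for entry in entries:
        payload = entry["protoPayload"]
        if payload["methodName"] != "storage.objects.get":
            continue
        principal = payload["authenticationInfo"]["principalEmail"]
        ip = payload["requestMetadata"]["callerIp"]
        resource = payload["resourceName"]
        if principal.rsplit("@", 1)[-1] not in allowed_domains:
            findings.append({"principal": principal, "resource": resource,
                             "reason": "principal outside allowed domains"})
        if not _ip_allowed(ip):
            findings.append({"principal": principal, "resource": resource,
                             "reason": "caller IP outside allowed networks"})
        reads_by_principal[principal].append((_parse_ts(entry["timestamp"]), resource))

    # Volume check: a sliding window over each principal's reads, flagged once.
    for principal, reads in reads_by_principal.items():
        reads.sort()
        start = 0
        for end in range(len(reads)):
            while (reads[end][0] - reads[start][0]).total_seconds() > window:
                start += 1
            distinct = {res for _, res in reads[start:end + 1]}
            if len(distinct) >= threshold:
                findings.append({"principal": principal,
                                 "resource": f"{len(distinct)} objects within {window}s",
                                 "reason": "bulk read burst"})
                break
    return findings


if __name__ == "__main__":
    for f in find_suspicious_reads(SAMPLE_ENTRIES):
        print(f"{f['reason']:<36} {f['principal']:<28} {f['resource']}")
```

In production the allowed-domain set must also cover the service account suffixes that legitimately read the bucket, and the thresholds should be tuned per bucket; the point is that identity, source address and volume are still logged even where the action itself is ambiguous.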
BlackBerry has published a report on a threat actor, Blind Eagle, also known as APT-C-36. It's a South American cyberespionage operation that's been operating against targets in Ecuador, Chile, Spain, and Colombia since at least 2019. Its most recent activity has been directed primarily at organizations in Colombia, including "health, financial, law enforcement, immigration, and an agency in charge of peace negotiation in the country.”
A report earlier this month from BitSight described the BHProxies residential proxy service and the botnet believed to be behind it: the six-year-old Mylobot. KrebsOnSecurity wrote Friday that Mylobot's primary purpose appears to be turning infected systems into proxies. The BHProxies service rents out residential IP addresses and claims access to over 150,000 devices. Mylobot, first detected in an October 2017 sample by Deep Instinct, uses sophisticated evasion techniques. BitSight researchers say that they “cannot prove that BHProxies is linked to Mylobot, but we have a strong suspicion, since Mylobot and BHProxies used the exact same IP 46.166.173.180 on an interval of 24 hours.”
Don’t pay consulting firm prices for cyber workforce development solutions.
When seeking potential cybersecurity talent from non-tech or non-traditional backgrounds, you should ask yourself three things:
- What baseline cybersecurity skills does the candidate already have?
- Do our current JDs discourage non-traditional but capable talent from applying?
- What training opportunities do we have to elevate them throughout their careers?
If these questions give you pause, CyberVista can help get you started. CyberVista's Professional Services solutions provide evidence-driven insights to transform your workforce.
Trends.
Adaptive Shield released its annual SaaS-to-SaaS Access Report, discussing the organizational security risks posed this year by connected third-party apps. The researchers report that companies with 10,000 SaaS users have on average 2,033 applications connected to Microsoft 365, and 6,710 connected to Google Workspace. High-risk permissions, such as the ability to see, create, edit, and delete Google Drive files and M365 data, were found in 39% of apps connected to M365 and 11% of those connected to Google Workspace. The apps most commonly connected are email applications, followed by file and document management apps. For more on Adaptive Shield's study, see CyberWire Pro.
Predictive analytics to ensure your team passes the CISSP the first time.
Other CISSP certification training providers don't have a way to determine exam readiness until a practitioner passes (or fails) their certification exam. CyberVista's online CISSP course includes predictive analytics to show who is ready, who needs more time, and where to focus training. Through diagnostic exams, custom quizzes, a mock Computer Adaptive Test (CAT) Exam, and more, employers and practitioners alike feel confident in passing their CISSP the first time with CyberVista.
Updates on cyber activity in the hybrid war against Ukraine.
The Canadian Centre for Cyber Security issued a warning last Friday advising vigilance and noting the potential for increased malicious cyber activity against Canadian organizations on the anniversary of the Russian invasion of Ukraine. The CSE's Cyber Centre specifically warned Canadian organizations and critical infrastructure operators to be prepared for possible disruption and defacement of websites by cyber threat actors aligned with Russian interests.
Russia's Internet watchdog Roskomnadzor has banned nine foreign messaging apps, Computing reports. The agency’s statement singles out the apps as foreign-owned and as providing direct communication between users; that direct, unmediated communication seems to be the feature the regulator finds most troubling, since, as Computing points out, other foreign-owned apps such as Zoom remain permitted. The statement makes no specific accusation of subversion or complicity with anti-Russian forces. The apps covered by the new restrictions include Discord, Microsoft Teams, Snapchat, Telegram, WhatsApp, and WeChat, among others.
There have been no reports of major cyberattacks in recent days, but hacktivists have remained active. The US Consulate in Milan, for example, had its Twitter account hijacked, on February 27th, and the attackers used it to disseminate tweets associating Ukraine's government with Nazis. The State Department regained control of the account, but not, Newsweek reports, before the pro-Russian hacktivists' tweets achieved about 140,000 views.
The US National Cybersecurity Strategy was shaped in part by lessons learned from observing Russia's hybrid war against Ukraine, Defense News reports. The emphases on resilience, close partnership with industry, and forward engagement with the threat were among the features of the strategy influenced by the conduct of that war.
The CyberWire's continuing coverage of Russia's war against Ukraine may be found here.
RSA Conference 2023 San Francisco | April 24 – 27 | Moscone Center
Cutting-edge innovation. Expert speakers. Influential attendees. Valuable networking opportunities. RSA Conference 2023 will bring the cybersecurity community together again in San Francisco for four industry-shaping days, and you can be a part of that important conversation. Stay current with today’s best practices, learn about the latest trends, and tap into the strength of being Stronger Together. Learn more.
Patch news.
CISA, the US Cybersecurity and Infrastructure Security Agency, Tuesday released three Industrial Control Systems (ICS) advisories. They cover:
On Thursday, five more advisories were released, affecting Mitsubishi Electric MELSEC Series, Baicells Nova, Rittal CMC III Access systems, Medtronic Micro Clinician and InterStim Apps, and Mitsubishi Electric Factory Automation Engineering Products (Update J).
CISA, by the way, is interested in feedback, which they invite any interested parties to submit through the agency's anonymous Product Feedback Survey.
Policies, procurements, and agency equities.
CISA Director Jen Easterly spoke Monday at Carnegie Mellon University, outlining steps she urged vendors to take to build more security into their products by default. One of her conclusions was that the burden of security shouldn't fall on the consumer. Her remarks foreshadowed aspects of the National Cybersecurity Strategy released on Thursday.
CISA has published the findings of a red team assessment it carried out against a large critical infrastructure organization last year. Over the three-month operation the red team gained access to two workstations via spearphishing and moved laterally within the network, but was unable to reach the organization's sensitive business systems, stopped by multifactor authentication and the assessment's time limit. CISA notes, however, that abusing Secure Shell session socket files (the control sockets left behind by SSH connection multiplexing) could have given the team access to “any hosts available to the users whose workstations were compromised.” For more on the assessment, see CyberWire Pro.
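As an added example (not part of CISA's report or tooling), the following script audits an OpenSSH client configuration for the condition that makes session sockets valuable to an intruder: ControlMaster enabled together with a ControlPersist value that keeps the authenticated master connection, and its Unix socket, alive after the user's session ends. It also lists live control sockets in a directory so a responder can check a compromised workstation. The sample configuration is constructed; the parser assumes one pattern per Host line and applies the ssh_config rule that the first value obtained for an option wins, which is why a later "ControlPersist no" does not undo an earlier "Host *" default.

```python
"""Audit OpenSSH client config for persistent ControlMaster sockets.

Added example, not CISA's code. A persistent master keeps an authenticated
connection (and its Unix socket) alive after the user's session ends, so
anyone who gains the user's privileges on the workstation can open further
sessions to that host without a password or MFA prompt. Assumes one pattern
per "Host" line and ssh_config's rule that the first value obtained wins.
"""
import fnmatch
import os
import stat

# Constructed sample ~/.ssh/config. "build" opts out correctly because its
# block comes first; "legacy" does not, because "Host *" already set 8h.
SAMPLE_CONFIG = """\
Host build
    HostName build.internal.example
    ControlPersist no

Host *
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 8h

Host legacy
    HostName legacy.internal.example
    ControlPersist no
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def persist_seconds(value):
    """Translate a ControlPersist value to seconds; 0 means the master exits with the session."""
    v = value.strip().lower()
    if v in ("no", "0"):
        return 0
    if v == "yes":
        return float("inf")        # master stays in the background indefinitely
    total, digits = 0, ""
    for ch in v:
        if ch.isdigit():
            digits += ch
        elif ch in _UNITS and digits:
            total += int(digits) * _UNITS[ch]
            digits = ""
        else:
            raise ValueError(f"unrecognised ControlPersist value: {value!r}")
    return total + (int(digits) if digits else 0)   # bare number = seconds


def parse_ssh_config(text):
    """Return [(host_pattern, {option: value}), ...] in file order."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            current = (value, {})
            blocks.append(current)
        else:
            if current is None:            # options before any Host line are global
                current = ("*", {})
                blocks.append(current)
            current[1].setdefault(key, value)
    return blocks


def effective_options(blocks, host):
    """Resolve options for a host the way ssh does: first obtained value wins."""
    opts = {}
    for pattern, block in blocks:
        if fnmatch.fnmatchcase(host, pattern):
            for key, value in block.items():
                opts.setdefault(key, value)
    return opts


def audit_control_persist(config_text):
    """Map each Host pattern to its persist time where a lingering master would be created."""
    blocks = parse_ssh_config(config_text)
    findings = {}
    for pattern, _ in blocks:
        opts = effective_options(blocks, pattern)
        master = opts.get("controlmaster", "no").lower()
        persist = persist_seconds(opts.get("controlpersist", "no"))
        if master in ("yes", "ask", "auto", "autoask") and persist > 0:
            findings[pattern] = persist
    return findings


def find_control_sockets(ssh_dir=os.path.expanduser("~/.ssh")):
    """List live Unix sockets in an SSH directory (the files an intruder would reuse)."""
    if not os.path.isdir(ssh_dir):
        return []
    sockets = []
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if stat.S_ISSOCK(os.lstat(path).st_mode):
            sockets.append(path)
    return sockets


if __name__ == "__main__":
    for host, seconds in audit_control_persist(SAMPLE_CONFIG).items():
        print(f"Host {host}: master persists {seconds}s after logout")
    for sock in find_control_sockets():
        print("live control socket:", sock)
```

The fix for a flagged host is to set ControlPersist to no (or to a short value such as 10s) and to place host-specific overrides above any "Host *" block; responders triaging a compromised workstation can list the live sockets with the second function and tear a lingering master down with `ssh -O exit <host>`.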
Business news.
Twitter has reportedly parted ways with the head of its Twitter Blue service, Esther Crawford, along with at least 50 others, the Information reports, citing cost-cutting. Meta is reportedly downsizing and restructuring, with layoffs planned across multiple divisions, Computing reported last week. Help Net Security reports that executives recognize the value of cybersecurity staff, though junior staff may be at risk of cuts in the current economic climate; global skills shortages have also kept executives focused on cybersecurity hiring and retention. For a more comprehensive view of this week's business news, check out this week's CyberWire Pro Business Briefing.
Research developments.
In this week's research news, CrowdStrike has published its 2023 Global Threat Report, looking at security trends and threat actor activity over the course of 2022. Symantec describes a previously unobserved threat actor the company calls “Clasiopa” that targeted a materials research firm in Asia. The threat actor uses a combination of publicly available and custom-made malware tools, including a bespoke remote access Trojan called “Atharvan.” Menlo Security is tracking a campaign that’s using the commodity downloader PureCrypter to target government entities. The threat actor uses Discord to host the downloader, and employs a compromised domain belonging to a non-profit organization as a command-and-control server. For a deeper look at this week's cybersecurity research developments, see this week's edition of the CyberWire's Pro Research Briefing.