By the CyberWire staff
At a glance.
- Suspected Chinese threat actor exploits Connect Secure and Policy Secure zero-days.
- Sea Turtle targets Dutch organizations.
- SEC’s X account compromised.
- Akira ransomware gang ramps up operations.
- Cryptocurrency drainer-as-a-service described.
- AsyncRAT campaign targets US infrastructure.
- Cyber incident at loanDepot.
- Suspected Iranian threat actor targets Albania with wiper.
Suspected Chinese threat actor exploits Connect Secure and Policy Secure zero-days.
Ivanti has disclosed two actively exploited zero-days affecting its Connect Secure and Policy Secure gateways, tracked as CVE-2023-46805 and CVE-2024-21887. The flaws were discovered by researchers at Volexity, who observed exploitation by the suspected Chinese state-sponsored threat actor UTA0178. Ivanti says it’s aware of fewer than ten customers that have been targeted.
The first vulnerability is an “authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure [that] allows a remote attacker to access restricted resources by bypassing control checks.” The second is a “command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure [that] allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.” Chained together, the two give an unauthenticated attacker command execution on the appliance: the authentication bypass supplies the access that the command injection would otherwise require an administrator session for, which is how Volexity observed them being used.
The company has released mitigation guidance, and will issue patches “in a staggered schedule with the first version targeted to be available to customers the week of 22 January and the final version targeted to be available the week of 19 February.” The interim mitigation is a file imported through the appliance’s administrative interface; it blocks the exploited request paths but does not remove an attacker who is already on the device, so administrators should also run Ivanti’s Integrity Checker Tool and review the gateway for unexpected files and outbound connections.
Sea Turtle targets Dutch organizations.
Researchers at Dutch cybersecurity firm Hunt & Hackett say a suspected Turkish state-sponsored group called “Sea Turtle” is targeting organizations in the Netherlands to conduct cyberespionage: “The campaigns observed in the Netherlands appear to focus on telecommunication, media, ISPs, and IT-service providers and more specifically Kurdish websites (among others PKK affiliated). The infrastructure of the targets was susceptible to supply chain and island-hopping attacks, which the attack group used to collect politically motivated information such as personal information on minority groups and potential political dissidents. The stolen information is likely to be exploited for surveillance or intelligence gathering on specific groups and/or individuals. This appears to be consistent with claims from US officials in 2020 about hacker groups acting in Turkey’s interest, focusing on the identities and locations of the victims, which included governments of countries that are geopolitically significant to Turkey.”
Sea Turtle was first publicly described in 2019 by researchers at Cisco Talos, who assessed it to be state-sponsored but refrained from attributing it to any particular nation. The group is known for DNS hijacking: it takes over registrar, registry or DNS-provider accounts, repoints the records for a target’s mail or VPN hostnames at attacker-controlled servers, and obtains valid TLS certificates for those names so that intercepted logins raise no browser warnings. Registrar locks, monitoring of authoritative NS and A records, and certificate-transparency alerts for one’s own domains are the corresponding controls.
SEC’s X account compromised.
The US Securities and Exchange Commission’s (SEC’s) X account was compromised yesterday and used to tweet that the SEC was granting approval for Bitcoin ETFs to be listed on all registered national securities exchanges, the AP reports. The phony tweet caused the price of Bitcoin to spike to $48,000.
SEC Chairman Gary Gensler tweeted on his personal account soon afterwards, “The @SECGov twitter account was compromised, and an unauthorized tweet was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.”
X’s Safety account tweeted last night, “Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party. We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised.” That description matches a SIM swap: with control of the number, an attacker can complete an SMS-based password reset, and the same control would defeat SMS-delivered two-factor codes had they been enabled. App-based codes or hardware security keys do not depend on the phone number.
Akira ransomware gang ramps up operations.
Sophos has published an update on the Akira ransomware, noting that the group's activities increased toward the end of 2023: "Following our initial report on Akira ransomware, Sophos has responded to over a dozen incidents involving Akira impacting various sectors and regions. According to our dataset, Akira has primarily targeted organizations located in Europe, North America, and Australia, and operating in the government, manufacturing, technology, education, consulting, pharmaceuticals, and telecommunication sectors." The researchers add, "The most common mode of initial access leveraged by Akira ransomware actors was unauthorized logon to VPNs by accounts lacking multi-factor authentication (MFA). Typically, Sophos observed Akira actors specifically targeting Cisco VPN products without MFA enabled, such as Cisco ASA SSL VPN or Cisco AnyConnect."
The Finnish National Cybersecurity Center (NCSC-FI) has also issued a warning on Akira, noting that the ransomware hit at least twelve organizations in Finland last year, three of which occurred during Christmas vacations, Help Net Security reports. The NCSC-FI stated, "The Akira ransomware malware, which was first detected in Finland in June 2023, has been particularly active at the end of the year....Of the ransomware malware cases reported to the Cybersecurity Center in December, six out of seven involved Akira family malware."
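The initial-access pattern Sophos describes, VPN logins on accounts without MFA, is visible in gateway logs if you look for it. The following is an added example, not code from Sophos, NCSC-FI or Cisco: a small detector run over constructed Cisco ASA-style syslog lines that flags (1) an AnyConnect session for an account that is not in the MFA-enrolled inventory and (2) a session whose source IP produced a burst of rejected logins shortly before. The log lines, the inventory, the regular expressions and the thresholds are all assumptions made for the example.

```python
"""Added example (not from the Sophos or NCSC-FI reports): flag Akira-style
VPN initial access in constructed Cisco ASA-style syslog."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Message bodies follow the shape of ASA 113005
# (authentication rejected) and 113039 (AnyConnect session started);
# timestamps, hosts, users and addresses are made up.
SAMPLE_LOG = """\
Jan 10 2024 02:14:01 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = svc_backup : user IP = 203.0.113.7
Jan 10 2024 02:14:03 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = svc_backup : user IP = 203.0.113.7
Jan 10 2024 02:14:06 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = svc_backup : user IP = 203.0.113.7
Jan 10 2024 02:14:09 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = svc_backup : user IP = 203.0.113.7
Jan 10 2024 02:14:12 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = svc_backup : user IP = 203.0.113.7
Jan 10 2024 02:14:20 fw01 %ASA-6-113039: Group <RemoteVPN> User <svc_backup> IP <203.0.113.7> AnyConnect parent session started.
Jan 10 2024 08:30:00 fw01 %ASA-6-113039: Group <RemoteVPN> User <alice> IP <198.51.100.23> AnyConnect parent session started.
Jan 10 2024 09:05:10 fw01 %ASA-6-113039: Group <RemoteVPN> User <contractor1> IP <192.0.2.44> AnyConnect parent session started.
"""

# Assumed inventory of accounts enrolled in MFA (in practice, exported from
# the identity provider or RADIUS server fronting the VPN).
MFA_ENROLLED = {"alice", "bob"}

LINE_RE = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(\d{6}): (.*)$")
BODY_RE = {
    "113005": re.compile(r"user = (\S+) : user IP = (\S+)"),   # rejection
    "113039": re.compile(r"User <([^>]+)> IP <([^>]+)>"),      # session start
}


def parse(line):
    """Return (timestamp, message_id, user, ip), or None for lines not modelled."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
    msg_id, body = m.group(2), m.group(3)
    body_re = BODY_RE.get(msg_id)
    if body_re is None:
        return None
    bm = body_re.search(body)
    if not bm:
        return None
    return ts, msg_id, bm.group(1), bm.group(2)


def detect(log_text, mfa_enrolled=MFA_ENROLLED, max_failures=3,
           window=timedelta(minutes=10)):
    """Return (user, ip, reason) findings for every VPN session start."""
    findings = []
    failures = defaultdict(list)  # source ip -> timestamps of rejected logins
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, msg_id, user, ip = rec
        if msg_id == "113005":
            failures[ip].append(ts)
            continue
        # 113039: a session was established; apply both checks.
        if user not in mfa_enrolled:
            findings.append((user, ip, "vpn_login_without_mfa"))
        recent = [t for t in failures[ip] if ts - window <= t <= ts]
        if len(recent) >= max_failures:
            findings.append((user, ip, f"login_after_{len(recent)}_rejections"))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The session-start message does not say whether a second factor was presented, which is why the inventory check is needed; the failure-burst check catches the case Sophos describes where a password is guessed or replayed against an account that has no second factor to stop it.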
Cryptocurrency drainer-as-a-service described.
Mandiant has disclosed details of the hack of the company’s X account last week, BleepingComputer reports. The company says its account was hijacked by a drainer-as-a-service (DaaS) gang via a brute-force attack in order to spread a cryptocurrency stealer. The researchers note, “Normally, 2FA would have mitigated this, but due to some team transitions and a change in X's 2FA policy, we were not adequately protected. We've made changes to our process to ensure this doesn't happen again.” (The policy change referred to is X’s 2023 decision to offer SMS-based 2FA only to paying subscribers, which silently left accounts that relied on it with no second factor unless they moved to an authenticator app or security key.)
Mandiant also describes the drainer-as-a-service used in the attack, which the researchers have dubbed “CLINKSINK.” The drainer targets users of the Solana cryptocurrency, and has stolen at least $900,000 over the past few weeks: “In some recently observed campaigns, threat actors used social media and chat applications, including X and Discord, to distribute cryptocurrency-themed phishing pages that entice victims to interact with the CLINKSINK drainer. The observed CLINKSINK phishing domains and pages have leveraged a wide range of fake token airdrop-themed lures masquerading as legitimate cryptocurrency resources, such as Phantom, DappRadar, and BONK. These phishing pages have loaded the malicious CLINKSINK JavaScript drainer code to facilitate a connection to victim wallets and the subsequent theft of funds.”
AsyncRAT campaign targets US infrastructure.
Researchers at AT&T Alien Labs are tracking an AsyncRAT malware campaign that’s been targeting entities that “manage key infrastructure in the US” for the past eleven months. The malware is delivered via a JavaScript file embedded in a phishing page: “These files, despite being clearly a script, contain long strings that are commented out, with texts composed of randomly positioned words, with ‘Melville’, ‘church’, ‘chapter’ and ‘scottish’ being the most repeated words.”
The researchers identified over 300 samples hosted on more than 100 domains.
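The padding AT&T describes, a short script buried in long commented-out runs of a few repeated words, is cheap to screen for at the mail gateway or in a sandbox. The block below is an added example, not code from AT&T Alien Labs: it separates comments from code in a JavaScript file, reports how much of the file is comment text and which words repeat most inside it, and applies a threshold. The sample script, the thresholds and the tokenizer’s simplifications (no handling of regex literals or template strings) are the example’s own assumptions.

```python
"""Added example (not from the AT&T Alien Labs report): a triage heuristic
for JavaScript loaders padded with commented-out word salad."""
import re
from collections import Counter

# Constructed sample: three lines of script wrapped in comment padding built
# from the words the report says recur ('Melville', 'church', 'chapter',
# 'scottish') plus filler. The script body is inert placeholder code.
SAMPLE_JS = """\
// church Melville chapter scottish the church whale chapter Melville of scottish
/* chapter church Melville sea scottish ship church chapter Melville a scottish */
var s = "http://x/"; // note: the "//" inside the string above is not a comment
// Melville church chapter scottish boat church Melville chapter scottish harbour
var w = new ActiveXObject("WScript.Shell");
/* scottish church Melville chapter night chapter Melville church scottish day */
w.Run(s);
"""

# Tokens we care about, in priority order: string literals (so that '//' or
# '/*' inside a string is not taken for a comment), block comments, line comments.
TOKEN_RE = re.compile(
    r'"(?:\\.|[^"\\\n])*"'      # double-quoted string
    r"|'(?:\\.|[^'\\\n])*'"     # single-quoted string
    r"|/\*.*?\*/"               # block comment (re.S lets it span lines)
    r"|//[^\n]*",               # line comment
    re.S,
)


def split_comments(src: str):
    """Return (code_text, comment_text). Strings stay on the code side."""
    code, comments = [], []
    pos = 0
    for m in TOKEN_RE.finditer(src):
        code.append(src[pos:m.start()])
        tok = m.group(0)
        if tok.startswith("//") or tok.startswith("/*"):
            comments.append(tok)
        else:
            code.append(tok)
        pos = m.end()
    code.append(src[pos:])
    return "".join(code), "\n".join(comments)


def comment_profile(src: str, top_n: int = 4):
    """Fraction of the file that is comment text, plus the most repeated
    comment words (3+ letters, case-folded)."""
    code, comments = split_comments(src)
    total = len(code.strip()) + len(comments)
    ratio = len(comments) / total if total else 0.0
    words = re.findall(r"[A-Za-z]{3,}", comments)
    return ratio, Counter(w.lower() for w in words).most_common(top_n)


def looks_padded(src: str, min_ratio: float = 0.6, min_repeats: int = 4) -> bool:
    """Heuristic: mostly comments, and a handful of words repeated many times.
    Ordinary licence headers are comment-heavy but rarely repeat a word 4+ times."""
    ratio, top = comment_profile(src)
    return ratio >= min_ratio and bool(top) and top[0][1] >= min_repeats


if __name__ == "__main__":
    print(comment_profile(SAMPLE_JS))
    print(looks_padded(SAMPLE_JS))
```

The repeated-word list from the report is useful as an indicator for this campaign, but the ratio-plus-repetition check is the part that survives the next word list; scoring on the structure rather than on 'Melville' is the point.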
Cyber incident at loanDepot.
US mortgage lender loanDepot sustained a cyberattack over the weekend that forced the company to take some of its IT systems offline, BleepingComputer reports. The incident prevented customers from making online payments.
The company stated, “loanDepot is experiencing a cyber incident. We have taken certain systems offline and are working diligently to restore normal business operations as quickly as possible. We are working quickly to understand the extent of the incident and taking steps to minimize its impact. The Company has retained leading forensics experts to aid in our investigation and is working with law enforcement. We sincerely apologize for any impacts to our customers and we are focused on resolving these matters as soon as possible.”
Suspected Iranian threat actor targets Albania with wiper.
ClearSky has published a report on the wiper attack that hit websites belonging to Albanian government and infrastructure organizations in late December 2023. ClearSky attributes the attack to the Iranian threat actor “Homeland Justice,” which has been targeting Albanian entities since July 2022. The threat actor used a wiper called “No-Justice” in the December 2023 attack, which at the time “had a valid digital signature by ‘Kuwait Telecommunications Company KSC,’ indicating a consistent method to give files an appearance of legitimacy.”
Patch news.
Cisco has issued a patch for a critical vulnerability, CVE-2024-20272, in the web-based management interface of its Unity Connection messaging and voicemail product, Help Net Security reports. If exploited, the flaw can “allow an unauthenticated, remote attacker to upload arbitrary files to an affected system and execute commands on the underlying operating system.” There are no workarounds, and the company urges users to apply the patches immediately.
Mergers and acquisitions.
Hewlett Packard Enterprise (HPE) has agreed to buy Juniper Networks for approximately $14 billion, CNBC reports. HPE said in a press release, "The acquisition is expected to double HPE’s networking business, creating a new networking leader with a comprehensive portfolio that presents customers and partners with a compelling new choice to drive business value."
Courts and torts.
The US Federal Trade Commission (FTC) has reached a settlement with Virginia-based data broker Outlogic (formerly X-Mode Social) barring the company from sharing or selling any sensitive location data, the Record reports. FTC Chair Lina M. Khan stated, “The FTC’s action against X-Mode makes clear that businesses do not have free license to market and sell Americans’ sensitive location data. By securing a first-ever ban on the use and sale of sensitive location data, the FTC is continuing its critical work to protect Americans from intrusive data brokers and unchecked corporate surveillance.”
Crime and punishment.
The US Justice Department last week charged nineteen individuals in its investigation into xDedic, a cybercriminal marketplace that was shuttered by law enforcement in 2019, the Record reports.
A note to our readers and listeners.
The CyberWire won't be publishing on Monday, in observance of the US holiday of Martin Luther King, Jr. Day. We'll be back as usual on Tuesday.