By the CyberWire staff
At a glance.
- Tennessee man arrested for alleged participation in North Korean employment scheme.
- Singapore police recover $41 million stolen in BEC scam.
- CrowdStrike releases technical postmortem on faulty update.
- Ransomware attack cost LoanDepot nearly $27 million.
- Hunters International ransomware group deploys new Trojan.
- FBI says BlackSuit ransomware gang has demanded over $500 million since 2022.
- Chinese threat actor compromised ISP to distribute malware.
- Iranian influence operations focus on the US elections.
- Cyberattack against Mobile Guardian results in remote wiping of school devices.
- Researchers discover new Linux Kernel cross-cache attack.
Tennessee man arrested for alleged participation in North Korean employment scheme.
The US Justice Department has announced the arrest of a Nashville, Tennessee, man for allegedly helping North Korean IT workers obtain remote jobs at companies in the US and the UK. Matthew Isaac Knoot is accused of running a "laptop farm" that made the North Korean workers appear to be located in the US.
The Justice Department stated, "The victim companies shipped laptops addressed to 'Andrew M.' to Knoot’s residences. Following receipt of the laptops, and without authorization, Knoot logged on to the laptops, downloaded and installed unauthorized remote desktop applications, and accessed the victim companies’ networks, causing damage to the computers. The remote desktop applications enabled the North Korean IT workers to work from locations in China, while appearing to the victim companies that 'Andrew M.' was working from Knoot’s residences in Nashville. For his participation in the scheme, Knoot was paid a monthly fee for his services by a foreign-based facilitator who went by the name Yang Di."
The Justice Department says North Korea's remote IT workers "have been known to individually earn up to $300,000 annually, generating hundreds of millions of dollars collectively each year, on behalf of designated entities, such as the North Korean Ministry of Defense and others directly involved in the DPRK’s UN-prohibited WMD programs."
Singapore police recover $41 million stolen in BEC scam.
Authorities in Singapore used a stop-payment mechanism developed by Interpol to reclaim more than $41 million stolen from a Singaporean commodities firm in a business email compromise (BEC) scam, the Record reports. Interpol said in a press release, "On receipt of the police report, the Singapore Police Force (SPF) swiftly requested assistance from authorities in Timor Leste through INTERPOL’s Global Rapid Intervention of Payments (I-GRIP) mechanism. I-GRIP uses the global police organization’s 196-country police network to speed up requests for assistance in financial crime cases. On 25 July, the SPF’s Anti-Scam Centre received confirmation that USD 39 million was detected and withheld from the fake supplier’s bank account in Timor Leste. Moreover, Timor Leste authorities arrested a total of seven suspects in relation to the scam through follow-up investigations, leading to the further recovery of more than USD 2 million."
CrowdStrike releases technical postmortem on faulty update.
CrowdStrike has published a technical root cause analysis of the faulty Rapid Response Content update (Channel File 291) for its Falcon sensor that caused global Windows outages on July 19th. The sensor's Content Interpreter was invoked with 20 input values, while the IPC Template Type it was evaluating defined 21 input fields. The first time a Template Instance actually matched on the 21st field, the interpreter read past the end of the 20-element input array, an out-of-bounds memory read that crashed Windows hosts.
CrowdStrike explained, "This parameter count mismatch evaded multiple layers of build validation and testing, as it was not discovered during the sensor release testing process, the Template Type (using a test Template Instance) stress testing or the first several successful deployments of IPC Template Instances in the field. In part, this was due to the use of wildcard matching criteria for the 21st input during testing and in the initial IPC Template Instances."
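As an added illustration (not CrowdStrike's code; the type names, field layout and sample values are hypothetical), the following Go program reconstructs the shape of the bug: an interpreter that bounds a criterion's field index against the template type's declared 21 fields rather than the 20 inputs its caller actually supplied, with a wildcard criterion that masks the mismatch because it never reads the input, beside a load-time validation that catches the mismatch regardless of the pattern. Go turns the out-of-range access into a panic where an unsafe-language kernel component would read out of bounds.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustrative reconstruction, not CrowdStrike's code. A template type
// declares how many input fields an instance may reference; the code that
// invokes the interpreter hands it a slice of input values to match against.
const (
	templateTypeFields = 21 // fields the type declares (the 21st is the newly added one)
	suppliedInputs     = 20 // values the invoking code actually passes
)

// Criterion matches one input field; Pattern "*" is a wildcard.
type Criterion struct {
	Field   int
	Pattern string
}

// TemplateInstance is the content-delivered rule the interpreter evaluates.
type TemplateInstance struct {
	Name     string
	Criteria []Criterion
}

// ErrFieldCount reports a criterion that names a field the caller did not supply.
var ErrFieldCount = errors.New("template instance references more fields than the interpreter was given")

// matchUnchecked is the vulnerable shape: Field is bounded against the
// declared field count, not the number of inputs actually supplied. A
// wildcard criterion never reads inputs[Field], so an instance whose 21st
// criterion is "*" passes every test; the first non-wildcard pattern on
// field 20 indexes past a 20-element slice. Go turns that into a panic,
// recovered here so the caller can see it; in a kernel component written
// in an unsafe language it is an out-of-bounds read.
func matchUnchecked(ti TemplateInstance, inputs []string) (matched bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			matched, err = false, fmt.Errorf("%s: %v", ti.Name, r)
		}
	}()
	for _, c := range ti.Criteria {
		if c.Field < 0 || c.Field >= templateTypeFields {
			return false, nil
		}
		if c.Pattern == "*" {
			continue // wildcard: the input is never touched
		}
		if inputs[c.Field] != c.Pattern { // out of range once Field >= len(inputs)
			return false, nil
		}
	}
	return true, nil
}

// validateInstance is the hardened check: every criterion, wildcard or not,
// must name a field the caller actually supplies. Run at load time, it
// rejects the mismatch before any pattern exercises the extra field.
func validateInstance(ti TemplateInstance, ninputs int) error {
	if ninputs > templateTypeFields {
		return fmt.Errorf("%s: %d inputs exceed the %d declared fields", ti.Name, ninputs, templateTypeFields)
	}
	for _, c := range ti.Criteria {
		if c.Field < 0 || c.Field >= ninputs {
			return fmt.Errorf("%s: field %d: %w", ti.Name, c.Field, ErrFieldCount)
		}
	}
	return nil
}

// matchChecked validates first and matches second, so no index can be out of range.
func matchChecked(ti TemplateInstance, inputs []string) (bool, error) {
	if err := validateInstance(ti, len(inputs)); err != nil {
		return false, err
	}
	return matchUnchecked(ti, inputs)
}

func main() {
	inputs := make([]string, suppliedInputs) // constructed sample: 20 values, only field 0 populated
	inputs[0] = "ipc-pipe"

	instances := []TemplateInstance{
		{Name: "test-instance", Criteria: []Criterion{{0, "ipc-pipe"}, {20, "*"}}},          // what testing exercised
		{Name: "prod-instance", Criteria: []Criterion{{0, "ipc-pipe"}, {20, "named-pipe"}}}, // first real use of field 21
	}
	for _, ti := range instances {
		m, err := matchUnchecked(ti, inputs)
		fmt.Printf("unchecked %-14s matched=%-5v err=%v\n", ti.Name, m, err)
		m, err = matchChecked(ti, inputs)
		fmt.Printf("checked   %-14s matched=%-5v err=%v\n", ti.Name, m, err)
	}
}
```

Run with `go run`: the unchecked interpreter passes the wildcard instance and fails only on the first non-wildcard use of field 20, which is the gap the quoted analysis describes, while the checked version rejects both instances at load time because the count check does not depend on what the pattern is.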
Ransomware attack cost LoanDepot nearly $27 million.
US mortgage lending firm LoanDepot disclosed that the ransomware attack it sustained in January has cost the company nearly $27 million so far, $25 million of which involved legal fees related to class action lawsuits, SecurityWeek reports. LoanDepot said the number includes "costs to investigate and remediate the Cybersecurity Incident, the costs of customer notifications and identity protection, professional fees, including legal expenses, litigation settlement costs, and commission guarantees, gains or losses on extinguishment of debt and disposal of fixed assets, non-cash goodwill impairment, and other impairment charges to intangible assets and operating lease right-of-use assets, as well as certain costs associated with our restructuring efforts."
Hunters International ransomware group deploys new Trojan.
Researchers at Quorum Cyber warn that a newly discovered remote access Trojan dubbed "SharpRhino" is targeting IT workers via a watering-hole site that impersonates the Angry IP Scanner, BleepingComputer reports. The Trojan serves as an initial infection vector for the Hunters International ransomware gang. Quorum states, "On execution, it establishes persistence and provides the attacker with remote access to the device, which is then utilised to progress the attack. Using previously unseen techniques, the malware is able to obtain a high level of permission on the device in order to ensure the attacker is able to further their targeting with minimal disruption."
FBI says BlackSuit ransomware gang has demanded over $500 million since 2022.
The US Federal Bureau of Investigation (FBI) has released an updated advisory on BlackSuit ransomware, noting that the group has demanded more than $500 million in ransoms since it emerged in September 2022. The FBI confirmed that BlackSuit is a rebrand of the Royal ransomware, and BleepingComputer notes that Royal is believed to be a successor to the Conti operation. Most individual ransom demands have ranged between $1 million and $10 million, with the largest reaching $60 million.
The FBI states, "BlackSuit conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by BlackSuit threat actors. After gaining access to victims’ networks, BlackSuit actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems."
Chinese threat actor compromised ISP to distribute malware.
Researchers at Volexity found that the China-linked threat actor StormBamboo (also known as "Evasive Panda") compromised an internet service provider (ISP) last year in order to distribute malware. The researchers state, "Volexity determined that StormBamboo was altering DNS query responses for specific domains tied to automatic software update mechanisms. StormBamboo appeared to target software that used insecure update mechanisms, such as HTTP, and did not properly validate digital signatures of installers. Therefore, when these applications went to retrieve their updates, instead of installing the intended update, they would install malware, including but not limited to MACMA and POCOSTICK (aka MGBot)."
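The update-client weakness Volexity describes, as an added example rather than code from Volexity or from any affected vendor: a Go updater in its insecure shape (any URL scheme accepted, no signature check) beside a hardened one that refuses non-https URLs and verifies an Ed25519 signature over the installer against a public key pinned in the application. The fetcher interface, host name, key pair and payload bytes are constructed for the example; the poisoned fetch models the hijacked DNS path by returning attacker-controlled bytes no matter which host the URL names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// Fetcher abstracts the transport so the example runs offline. In a real
// client it is an HTTPS GET with default certificate validation; here a
// fake stands in for whichever server a poisoned DNS answer points at.
type Fetcher func(u *url.URL) (payload, sig []byte, err error)

var (
	ErrInsecureScheme = errors.New("update URL does not use https")
	ErrBadSignature   = errors.New("installer signature does not verify under the pinned key")
)

// fetchUpdateInsecure is the pattern StormBamboo abused: any scheme is
// accepted and whatever bytes come back are treated as the installer.
func fetchUpdateInsecure(rawURL string, fetch Fetcher) ([]byte, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	payload, _, err := fetch(u)
	return payload, err
}

// fetchUpdate is the hardened client. It refuses plaintext transports and
// verifies an Ed25519 signature over the installer bytes against a public
// key compiled into the application. Control of DNS lets an attacker serve
// arbitrary bytes, but not a signature that verifies under the pinned key.
func fetchUpdate(rawURL string, pinnedKey ed25519.PublicKey, fetch Fetcher) ([]byte, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("%s: %w", rawURL, ErrInsecureScheme)
	}
	payload, sig, err := fetch(u)
	if err != nil {
		return nil, err
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pinnedKey, payload, sig) {
		return nil, ErrBadSignature
	}
	return payload, nil
}

// Scenario is constructed sample data: the vendor's signing key, a genuine
// signed installer, and the attacker's replacement payload.
type Scenario struct {
	Pub        ed25519.PublicKey
	Genuine    []byte
	GenuineSig []byte
	Malware    []byte
}

// NewScenario generates a fresh vendor key pair and signs the genuine payload.
func NewScenario() (*Scenario, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	genuine := []byte("updater-payload: app 2.3.1 (constructed sample)")
	return &Scenario{
		Pub:        pub,
		Genuine:    genuine,
		GenuineSig: ed25519.Sign(priv, genuine),
		Malware:    []byte("updater-payload: app 2.3.1 + dropper (constructed sample)"),
	}, nil
}

// HonestFetch models the vendor's server answering the update request.
func (s *Scenario) HonestFetch(u *url.URL) ([]byte, []byte, error) {
	return s.Genuine, s.GenuineSig, nil
}

// PoisonedFetch models the hijacked path: the URL still names the vendor's
// host, but the response comes from the attacker, who can replay the
// genuine signature yet cannot re-sign the substituted payload.
func (s *Scenario) PoisonedFetch(u *url.URL) ([]byte, []byte, error) {
	return s.Malware, s.GenuineSig, nil
}

func main() {
	s, err := NewScenario()
	if err != nil {
		panic(err)
	}
	const httpURL, httpsURL = "http://updates.vendor.example/app.bin", "https://updates.vendor.example/app.bin"

	got, _ := fetchUpdateInsecure(httpURL, s.PoisonedFetch)
	fmt.Printf("insecure client installs: %q\n", got)
	_, err = fetchUpdate(httpURL, s.Pub, s.PoisonedFetch)
	fmt.Println("hardened client, http URL:", err)
	_, err = fetchUpdate(httpsURL, s.Pub, s.PoisonedFetch)
	fmt.Println("hardened client, poisoned response:", err)
	got, err = fetchUpdate(httpsURL, s.Pub, s.HonestFetch)
	fmt.Printf("hardened client, genuine response: %q err=%v\n", got, err)
}
```

In a real client the https requirement matters because default certificate validation ties the connection to the vendor's name, which an attacker who only controls DNS cannot satisfy; the signature check is the layer that still holds if TLS is stripped, proxied or mis-validated, which is why the fake transport here never sees TLS at all and the attacker's payload is still rejected.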
Iranian influence operations focus on the US elections.
Microsoft has published a report on Iranian cyber operations focused on the US 2024 elections. Microsoft says Mint Sandstorm, a threat actor attributed to the Islamic Revolutionary Guard Corps (IRGC), "sent a spear-phishing email to a high-ranking official of a presidential campaign from a compromised email account of a former senior advisor." The same group also "unsuccessfully attempted to log in to an account belonging to a former presidential candidate." Additionally, Peach Sandstorm, another group tied to the IRGC, compromised a low-level user account at a county government in a swing state.
Microsoft is also tracking an Iranian influence operation "comprising four websites masquerading as news outlets [that are] actively engaging US voter groups on opposing ends of the political spectrum with polarizing messaging on issues such as the US presidential candidates, LGBTQ rights, and the Israel-Hamas conflict." The threat actor uses generative AI tools to assist in this operation, but the campaign hasn't seen much traffic so far.
Microsoft adds, "Looking forward, we expect Iranian actors will employ cyberattacks against institutions and candidates while simultaneously intensifying their efforts to amplify existing divisive issues within the US, like racial tensions, economic disparities, and gender-related issues."
Cyberattack against Mobile Guardian results in remote wiping of school devices.
A cyberattack against mobile device management firm Mobile Guardian has caused disruptions at educational institutions in North America, Europe, and Singapore, the Register reports. The company has halted its services while it responds to the incident. The details of the attack are unclear, but the incident somehow "resulted in a small percentage of devices being unenrolled from Mobile Guardian and their devices wiped remotely." The company says there's "no evidence to suggest that the perpetrator had access to users’ data."
13,000 student devices were wiped in Singapore, and the country's Ministry of Education (MOE) has severed ties with Mobile Guardian as a result. The MOE says it's "working with schools to support affected students, including deploying additional IT roving teams to schools and providing additional learning resources."
Researchers discover new Linux Kernel cross-cache attack.
Researchers from the Graz University of Technology have developed a Linux kernel cross-cache attack technique that can allow a local attacker to elevate privileges or escape containers, SecurityWeek reports. The technique, dubbed "SLUBStick," "exploits code patterns prevalent in the Linux kernel to perform a cross-cache attack and turn a heap vulnerability into a page table manipulation, thereby granting the capability to read and write memory arbitrarily." Like other cross-cache techniques, SLUBStick needs an existing kernel heap bug as its starting point; its significance is reliability, converting that bug into arbitrary read/write more than 99% of the time, where earlier cross-cache approaches succeeded only about 40% of the time.
ADT discloses data breach.
US residential security company ADT has disclosed a data breach that affected "limited customer information, email addresses, and locations," BleepingComputer reports. ADT said in an SEC filing, "Based on its investigation to date, the Company has no reason to believe that customers’ home security systems were compromised during this incident. Additionally, the Company has no reason to believe the attackers obtained other personally sensitive information such as credit card data or banking information."
BleepingComputer notes that a threat actor posted data allegedly stolen from ADT on a cybercriminal forum on July 31st, claiming the data includes "30,800 customer records, including customer emails, complete addresses, user IDs, and the products purchased."
Courts and torts.
The US Justice Department and the Federal Trade Commission (FTC) have sued TikTok and its parent company ByteDance for alleged violations of the Children’s Online Privacy Protection Act (COPPA). The Justice Department stated, "[F]rom 2019 to the present, TikTok knowingly permitted children to create regular TikTok accounts and to create, view, and share short-form videos and messages with adults and others on the regular TikTok platform. The defendants collected and retained a wide variety of personal information from these children without notifying or obtaining consent from their parents. Even for accounts that were created in “Kids Mode” (a pared-back version of TikTok intended for children under 13), the defendants unlawfully collected and retained children’s email addresses and other types of personal information."
The Record quotes a TikTok spokesperson as saying, "We disagree with these allegations, many of which relate to past events and practices that are factually inaccurate or have been addressed."