By the CyberWire staff
At a glance.
- Cadet Blizzard attributed to Unit 29155 of Russia’s GRU.
- Brazil's Supreme Court upholds ban on X.
- Predator spyware resurfaces.
- US government accuses Russia of conducting influence operations focused on the 2024 US presidential election.
- Iran paid at least $3 million in ransom following attack on banking system.
- North Korean social engineering attacks target the cryptocurrency sector.
- Victims lost $110 million to Bitcoin ATM scams in 2023.
- Transport for London hit by cyberattack.
- Voldemort malware delivered via social engineering.
Cadet Blizzard attributed to Unit 29155 of Russia’s GRU.
A group of Western government agencies, including four of the Five Eyes, has issued a joint advisory on Cadet Blizzard, a threat actor attributed to the Russian GRU's Unit 29155. The US FBI assesses "the Unit 29155 cyber actors to be junior active-duty GRU officers under the direction of experienced Unit 29155 leadership. These individuals appear to be gaining cyber experience and enhancing their technical skills through conducting cyber operations and intrusions. Additionally, FBI assesses Unit 29155 cyber actors rely on non-GRU actors, including known cyber-criminals and enablers to conduct their operations."
The advisory adds, "In addition to WhisperGate and other incidents against Ukraine, Unit 29155 cyber actors have conducted computer network operations against numerous members of the North Atlantic Treaty Organization (NATO) in Europe and North America, as well as countries in Europe, Latin America, and Central Asia. The activity includes cyber campaigns such as website defacements, infrastructure scanning, data exfiltration, and data leak operations. These actors sell or publicly release exfiltrated victim data obtained from their compromises. Since early 2022, the primary focus of the cyber actors appears to be targeting and disrupting efforts to provide aid to Ukraine."
WIRED notes that hacking is a relatively new endeavor for Unit 29155; the group has previously been known for physical tactics, including "poisonings, attempted coups, and bombings inside Western countries."
Brazil's Supreme Court upholds ban on X.
Brazil's Supreme Court has unanimously upheld a ban on X (formerly Twitter) after the social media platform failed to appoint a new legal representative before a court-imposed deadline, the BBC reports. The ban first went into effect on Saturday when the company refused to comply with an order by Supreme Court Justice Alexandre de Moraes to take down accounts that were allegedly spreading misinformation. Moraes has also imposed daily fines of R$50,000 (approximately US$8,910) for Brazilians who use VPNs to access X, though Tom's Guide notes that this could be difficult to enforce.
Predator spyware resurfaces.
Researchers at Recorded Future warn that Intellexa's Predator spyware has resurfaced, with likely customers in Angola, Saudi Arabia, and the Democratic Republic of the Congo. Intellexa, which is based in Europe and was founded by an Israeli ex-intelligence officer, was sanctioned by the US Treasury Department earlier this year for enabling "the proliferation of commercial spyware and surveillance technologies around the world, including to authoritarian regimes."
Recorded Future states, "Predator's operators have significantly enhanced their infrastructure, adding layers of complexity to evade detection. The new infrastructure includes an additional tier in its multi-tiered delivery system, which anonymizes customer operations, making it even harder to identify which countries are using the spyware. This change makes it more difficult for researchers and cybersecurity defenders to track the spread of Predator."
US government accuses Russia of conducting influence operations focused on the 2024 US presidential election.
The United States government on Wednesday accused Russia of conducting a widespread influence campaign, dubbed "Doppelganger," focused on the US presidential election, the Associated Press reports. The US Justice Department seized thirty-two domains that were allegedly being used "to covertly spread Russian government propaganda with the aim of reducing international support for Ukraine, bolstering pro-Russian policies and interests, and influencing voters in U.S. and foreign elections, including the U.S. 2024 Presidential Election." The US Treasury Department's Office of Foreign Assets Control (OFAC) has designated ten individuals and two entities for their alleged involvement in a scheme "to covertly recruit unwitting American influencers in support of their malign influence campaign."
The US State Department has also announced a $10 million reward for information on foreign interference in US elections.
Iran paid at least $3 million in ransom following attack on banking system.
POLITICO reports that Iran paid at least $3 million in ransom last month to extortionists who threatened to leak information stolen from up to 20 Iranian banks. The hacking group "IRLeaks" claimed to have stolen personal and financial data belonging to millions of Iranians.
Iran hasn't acknowledged the incident, but the country's supreme leader said in the wake of the attack that the US and Israel are attempting "to spread psychological warfare to push us into political and economic retreat and achieve its objectives." POLITICO cites sources as saying that IRLeaks is likely a financially motivated group, unaffiliated with a nation-state.
North Korean social engineering attacks target the cryptocurrency sector.
The US Federal Bureau of Investigation (FBI) has issued an advisory on North Korean social engineering campaigns targeting employees in the cryptocurrency industry. The Bureau notes, "North Korean malicious cyber actors conducted research on a variety of targets connected to cryptocurrency exchange-traded funds (ETFs) over the last several months. This research included pre-operational preparations suggesting North Korean actors may attempt malicious cyber activities against companies associated with cryptocurrency ETFs or other cryptocurrency-related financial products. For companies active in or associated with the cryptocurrency sector, the FBI emphasizes North Korea employs sophisticated tactics to steal cryptocurrency funds and is a persistent threat to organizations with access to large quantities of cryptocurrency-related assets or products."
Victims lost $110 million to Bitcoin ATM scams in 2023.
The US Federal Trade Commission (FTC) has disclosed that consumers lost more than $110 million to scams involving Bitcoin ATMs last year. Bitcoin ATMs are machines that accept cash in exchange for cryptocurrency. The FTC explains, "The majority of scam losses involving Bitcoin ATMs come as a result of government impersonation, business impersonation, and tech support scams. The lies told by scammers vary, but they all create some urgent justification for consumers to take cash out of their bank accounts and put it into a Bitcoin ATM. As soon as consumers scan a QR code provided by scammers at the machine, their cash is deposited straight into the scammers’ crypto account."
Transport for London hit by cyberattack.
Transport for London (TfL), a local government body responsible for London's transport network, has sustained a cyberattack, the BBC reports. TfL said in a statement, "At present, there is no evidence that any customer data has been compromised and there has been no impact on TfL services. The security of our systems and customer data is very important to us, and we have taken immediate action to prevent any further access to our systems." TfL’s chief technology officer Shashi Verma says the transport provider is working with the National Crime Agency and the National Cyber Security Centre to respond to the incident.
BBC London cites sources as saying the incident mainly affected backroom systems at TfL's corporate headquarters.
Voldemort malware delivered via social engineering.
Proofpoint describes a social engineering campaign that's impersonating tax authorities in Europe, Asia, and the US in order to deliver a custom strain of malware dubbed "Voldemort." The researchers explain, "The attack chain comprises multiple techniques currently popular within the threat landscape as well as uncommon methods for command and control (C2) like the use of Google Sheets. Its combination of the tactics, techniques, and procedures (TTPs), lure themes impersonating government agencies of various countries, and odd file naming and passwords like 'test' are notable. Researchers initially suspected the activity may be a red team, however the large volume of messages and analysis of the malware very quickly indicated it was a threat actor."
The researchers don't attribute the activity to any particular threat actor, but they believe the campaign's goal is cyberespionage.
Patch news.
Google has issued patches for 35 Android vulnerabilities, including an actively exploited flaw affecting Android’s Framework component, SecurityWeek reports. The exploited vulnerability (CVE-2024-32896) is a logic error which "could lead to local escalation of privilege with no additional execution privileges needed." Google says the flaw "may be under limited, targeted exploitation." The vulnerability was first disclosed in June, when it was patched on Pixel devices.
Courts and torts.
The Dutch Data Protection Authority (Dutch DPA) has fined US-based facial recognition firm Clearview AI €30.5 million ($33.7 million) for allegedly collecting photos of Dutch citizens without consent, the Record reports. The DPA states, "Clearview should never have built the database with photos, the unique biometric codes and other information linked to them. ... Clearview informs the people who are in the database insufficiently about the fact that the company uses their photo and biometric data." The DPA adds, "Other data protection authorities have already fined Clearview [on] various earlier occasions, but the company does not seem to adapt its conduct. That is why the Dutch DPA is looking for ways to make sure that Clearview stops the violations. Among other things, by investigating if the directors of the company can be held personally responsible for the violations."
Clearview's chief legal officer, Jack Mulcaire, disputed the DPA's claims, telling BleepingComputer, "Clearview AI does not have a place of business in the Netherlands or the EU, it does not have any customers in the Netherlands or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR. This decision is unlawful, devoid of due process, and is unenforceable."