By the CyberWire staff
At a glance.
- Five Eyes publish report on Volt Typhoon.
- International conference seeks to address commercial spyware abuse.
- US State Department imposes visa restrictions over misuse of spyware.
- Iran refines cyber operations against Israel.
- Netherlands calls out Chinese state-sponsored hacking campaign.
- Malicious app impersonates LastPass.
- Ransomware payments exceeded $1 billion in 2023.
- Cyberattack against Clorox caused $49 million in expenses.
- French health insurance companies breached.
- Commando Cat targets exposed Docker hosts.
- Fortinet clarifies issuance of FortiSIEM CVEs.
Five Eyes publish report on Volt Typhoon.
The US Cybersecurity and Infrastructure Security Agency (CISA), NSA, FBI, and the cybersecurity directorates of Australia, Canada, New Zealand, and the UK have published a joint advisory outlining the alleged Chinese state-sponsored threat actor Volt Typhoon's operations against US critical infrastructure.
The advisory states, "The U.S. authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations—primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and non-continental United States and its territories, including Guam. Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions. The U.S. authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts." The US agencies note that the threat actor has been "maintaining access and footholds within some victim IT environments for at least five years."
The advisory adds, "[The Canadian Centre for Cyber Security (CCCS)] assesses that the direct threat to Canada’s critical infrastructure from PRC state-sponsored actors is likely lower than that to U.S. infrastructure, but should U.S. infrastructure be disrupted, Canada would likely be affected as well, due to cross-border integration. ASD’s ACSC and NCSC-NZ assess Australian and New Zealand critical infrastructure, respectively, could be vulnerable to similar activity from PRC state-sponsored actors."
International conference seeks to address commercial spyware abuse.
The UK and France hosted a diplomatic conference this week to sign an international agreement on the proliferation of commercial spyware tools, the Record reports. Thirty-five nations attended, along with "big tech leaders, legal experts, and human rights defenders," and "vendors involved in developing and selling cyber intrusion tools and services." The Record observes that the Israeli government was absent from the conference, despite that country's sizable share of the commercial spyware market.
Conference attendees signed the Pall Mall Process, a new international initiative that will commit participants "to taking joint-action on the issue, including meeting again in Paris in 2025."
The UK's Deputy Prime Minister Oliver Dowden said in his opening speech, "Our joint efforts should focus on ensuring that states and industry alike act responsibly in cyberspace ensuring our robust existing framework of international law and norms are equally applied in the virtual realm. For governments, we can make a difference, through effective regulation, proper export controls, and working with the market responsibly as a customer and end user to develop better safeguards and oversight. Our partners in industry also have a role to play: Software providers keeping their products patched, identifying flaws, and working with partners on collective security. And the legitimate vendors of these capabilities ensuring they have responsible supply chains. They all have a responsibility to vet and limit their customers and to exercise caution when considering their use."
Representatives from Google were present at the conference, and the company's Threat Analysis Group (TAG) published a report looking at the commercial surveillance industry. The report notes that commercial spyware vendors "are behind half of known 0-day exploits targeting Google products as well as Android ecosystem devices."
US State Department imposes visa restrictions over misuse of spyware.
The US State Department yesterday announced that it will impose visa restrictions on individuals accused of misusing commercial spyware, Reuters reports. Secretary of State Antony Blinken said in a press statement, "The United States remains concerned with the growing misuse of commercial spyware around the world to facilitate repression, restrict the free flow of information, and enable human rights abuses. The misuse of commercial spyware threatens privacy and freedoms of expression, peaceful assembly, and association."
The policy will apply to "(1) individuals believed to have been involved in the misuse of commercial spyware, to target, arbitrarily or unlawfully surveil, harass, suppress, or intimidate individuals including journalists, activists, other persons perceived to be dissidents for their work, members of marginalized communities or vulnerable populations, or the family members of these targeted individuals; (2) individuals believed to facilitate or derive financial benefit from the misuse of commercial spyware described in prong (1) above, including but not limited to developing, directing, or operationally controlling companies that furnish technologies such as commercial spyware to governments, or those acting on behalf of governments, that engage in activities as described in prong (1) above; and (3) the immediate family members of individuals subject to the restrictions in prongs (1) and (2) above. For purposes of this policy, “immediate family members” include spouses and children of any age."
Iran refines cyber operations against Israel.
Microsoft says Iran has accelerated its cyber operations against Israel over the course of the Israel-Hamas war. The researchers note, "Many of Iran’s immediate operations after October 7 were hasty and chaotic – indicating it had little or no coordination with Hamas – but it nevertheless has achieved growing success." Microsoft's report outlines the following findings:
- "A 42% increase in traffic, in the first week of the war, to news sites run by or affiliated to the Iranian state. Even three weeks later, this traffic was still 28% above pre-war levels.
- "Despite early Iranian claims, many 'attacks' in the early days of the war were either 'leaking' old material, using pre-existing access to networks or were false.
- "Iran’s activity quickly grew from nine Microsoft-tracked groups active in Israel during the first week of the war to 14, two weeks into the war. Cyber-enabled influence operations went from roughly one operation every other month in 2021 to 11 in October 2023 alone.
- "As the war progressed, Iranian actors expanded their geographic scope to include attacks on Albania, Bahrain and the USA. They also increased their collaboration, enabling greater specialization and effectiveness."
Netherlands calls out Chinese state-sponsored hacking campaign.
Dutch intelligence agencies have disclosed that Chinese state-sponsored hackers gained access to a computer network used by the Dutch Ministry of Defence last year, Reuters reports. The intrusion involved malware that targeted FortiGate devices on a network used for unclassified research and development. Defense Minister Kajsa Ollongren stated, "For the first time, the MIVD has chosen to make public a technical report on the working methods of Chinese hackers. It is important to attribute such espionage activities by China. In this way we increase international resilience against this type of cyber espionage."
Malicious app impersonates LastPass.
A malicious app impersonating the LastPass password manager made it into Apple's App Store, BleepingComputer reports. Apple has since removed the app. TechCrunch notes that although the app was available for several weeks, it doesn't seem to have had many downloads. Christofer Hoff, chief secure technology officer for LastPass, told the Register, "[We're] working with Apple to understand more broadly how an application like this passed their normally rigorous security and brand protection mechanisms. The naming convention, the iconography, and the description of the fraudulent app are all heavily borrowed from LastPass, and this appears to be a deliberate attempt to target LastPass users."
Ransomware payments exceeded $1 billion in 2023.
Ransomware payments surpassed $1 billion in 2023, according to a report from Chainalysis. The researchers note, "Although 2022 saw a decline in ransomware payment volume, the overall trend line from 2019 to 2023 indicates that ransomware is an escalating problem. Keep in mind that this number does not capture the economic impact of productivity loss and repair costs associated with attacks. ... It is important to recognize that our figures are conservative estimates, likely to increase as new ransomware addresses are discovered over time."
Ransomware payments more than doubled last year compared to 2022. The researchers believe the decrease in ransomware activity in 2022 was largely due to Russia's war in Ukraine: "Several factors likely contributed to the decrease in ransomware activities in 2022, including geopolitical events like the Russian-Ukrainian conflict. This conflict not only disrupted the operations of some cyber actors but also shifted their focus from financial gain to politically motivated cyberattacks aimed at espionage and destruction."
Cyberattack against Clorox caused $49 million in expenses.
Cleaning product manufacturer Clorox disclosed in an SEC filing that the cyberattack it sustained in August 2023 has cost the company $49 million so far, Infosecurity Magazine reports. The company stated, "The costs incurred relate primarily to third-party consulting services, including IT recovery and forensic experts and other professional services incurred to investigate and remediate the attack, as well as incremental operating costs incurred from the resulting disruption to the company’s business operations."
Clorox hasn't disclosed the nature of the attack, but Infosecurity Magazine notes that the response to the incident suggests the involvement of ransomware.
French health insurance companies breached.
France's data privacy regulator, the Commission Nationale Informatique et Libertés (CNIL), has warned that data belonging to more than 33 million people in France (approximately half the country's population) were compromised in a cyberattack against two health insurance companies at the end of January, the Record reports. The compromised data include "marital status, date of birth and social security number, the name of the health insurer as well as the guarantees of the contract taken out." The two companies, Viamedis and Almerys, say no medical or treatment information was breached.
Commando Cat targets exposed Docker hosts.
Cado Security is tracking a cryptojacking campaign called "Commando Cat" that's targeting exposed Docker API endpoints with a new strain of malware. The researchers note, "The malware functions as a credential stealer, highly stealthy backdoor, and cryptocurrency miner all in one. This makes it versatile and able to extract as much value from infected machines as possible. The payloads seem similar to payloads deployed by other threat actors, with the AWS stealer in particular having a lot of overlap with scripts attributed to TeamTNT in the past. Even the C2 IP points to the same provider that has been used by TeamTNT in the past. It is possible that this group is one of the many copycat groups that have built on the work of TeamTNT."
Fortinet clarifies issuance of FortiSIEM CVEs.
Fortinet has clarified its confusing issuance of two CVEs for critical vulnerabilities affecting its FortiSIEM product (CVE-2024-23108 and CVE-2024-23109). After initially telling BleepingComputer that the advisories were duplicates issued in error, the company now says the CVEs are patch bypasses for a critical vulnerability (CVE-2023-34992) that was disclosed in October 2023. Fortinet said in an updated statement to BleepingComputer, "The PSIRT team followed its process to add two similar variants of the previous CVE (CVE-2023-34992), tracked as CVE-2024-23108 and CVE-2024-23109 to our public advisory FG-IR-23-130, which was published in October 2023. The two new CVEs share the exact same description and score as the initial one; in parallel we updated MITRE. A reminder pointing to the updated Advisory will be included for our customers on Tuesday when Fortinet publishes its monthly advisory."
Patch news.
Ivanti on Thursday disclosed an authentication bypass vulnerability affecting its Connect Secure, Policy Secure, and ZTA gateways, BleepingComputer reports. A patch is available, and Ivanti says "it is critical that you immediately take action to ensure you are fully protected." The company adds, "Customers who applied the patch released on 31 January or 1 February, and completed a factory reset of their appliance, do not need to factory reset their appliances again."
Crime and punishment.
The US State Department is offering up to $10 million "for information leading to the identification and/or location of any individual(s) who hold a key leadership position in the Hive ransomware variant transnational organized crime group."