Two threats in the wild, and a third in proof-of-concept. Swiss intelligence expects an uptick in Russian cyberespionage. Privateers and auxiliaries in a hybrid war.
JokerSpy afflicts Macs. ThirdEye (not so blind). Mockingjay process injection as proof-of-concept. Switzerland expects Russia to increase cyberespionage as agent networks are disrupted. The fracturing of Conti, and the rise of its successors. The Washington Post’s Tim Starks explains the security of undersea cables. Our guest is Brian Johnson of Armorblox to discuss Social Security Administration impersonation scams. And the "UserSec Collective" says it's recruiting hacktivists for the Russian cause.
I’m Dave Bittner with your CyberWire intel briefing for Wednesday, June 28th, 2023.
JokerSpy afflicts Macs.
A new Mac malware called “JokerSpy” was used in an attack on “a prominent Japanese cryptocurrency exchange,” according to researchers at Elastic. The malware was partially analyzed by Bitdefender earlier this month. Ars Technica notes that there appear to be versions of the malware that target Windows and Linux machines as well.
Elastic states, “While we are still investigating and continuing to gather information, we strongly believe that the initial access for this malware was a malicious or backdoored plugin or 3rd party dependency that provided the threat actor access. This aligns with the connection that was made by the researchers at Bitdefender who correlated the hardcoded domain found in a version of the sh.py backdoor to a Tweet about an infected macOS QR code reader which was found to have a malicious dependency.”
ThirdEye (not so blind).
Researchers at Fortinet have observed a new infostealer they’re calling “ThirdEye.” The malware isn’t sophisticated, although its developers are actively making improvements: “The ThirdEye infostealer has relatively simple functionality. It harvests various system information from compromised machines, such as BIOS and hardware data. It also enumerates files and folders, running processes, and network information. Once the malware is executed, it gathers all this data and sends it to its command-and-control (C2) server…. And unlike most other malware, it does nothing else.”
So ThirdEye stays focused.
Mockingjay process injection as proof-of-concept.
Researchers at Security Joes outline a process injection technique they’ve dubbed “Mockingjay.” Rather than carving out executable memory in the target themselves, they rely on a DLL that ships with Visual Studio 2022 Community, msys-2.0.dll, whose on-disk section table already contains a section marked Read-Write-Execute (RWX). Because the loader honors those section characteristics, any process that loads the DLL maps a writable and executable region without the injector ever having to request one. They write:
“After conducting extensive tests, our method has proven to be a highly successful solution for injecting and executing code in a remote process that uses the DLL msys-2.0.dll. In this case, we were able to inject our own code into the memory space of the ssh.exe process without being detected by the EDR. The uniqueness of this technique lies in the fact that there is no need to allocate memory, set permissions or create a new thread within the target process to initiate the execution of our injected code. This differentiation sets this strategy apart from other existing techniques and makes it challenging for Endpoint Detection and Response (EDR) systems to detect this method.”
Mockingjay is a proof-of-concept and has not been observed in the wild, but security teams may wish to take note. Detections that key on the usual injection sequence in a target process, memory allocation followed by a permission change and a new thread, will not fire here, since none of those steps occurs. The more useful control is to inventory which binaries on your endpoints carry RWX sections on disk and to watch which processes load them.
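Mockingjay depends on a section that is already RWX before the image is ever loaded, so that property can be checked statically. The script below is an added example, not code from Security Joes or from the original page: it parses the PE section table by hand (no third-party library needed) and reports any section whose characteristics are read, write and execute at once. The sample image it runs against is constructed inline with only the headers the parser needs; the section names in it are made up and are not a claim about msys-2.0.dll's layout.

```python
import struct
import sys

# Section characteristic flags from the PE/COFF specification (winnt.h).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX_MASK = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE

SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)


def parse_sections(data: bytes):
    """Return [(name, characteristics, virtual_size)] from a PE image's section table.

    Walks MZ -> e_lfanew -> 'PE\\0\\0' -> IMAGE_FILE_HEADER -> past the optional
    header -> IMAGE_SECTION_HEADER array. Raises ValueError on malformed input.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    file_hdr = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    #                    NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, file_hdr)
    table = file_hdr + 20 + opt_size
    sections = []
    for i in range(n_sections):
        off = table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError("section table truncated")
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        (virtual_size,) = struct.unpack_from("<I", data, off + 8)      # VirtualSize
        (characteristics,) = struct.unpack_from("<I", data, off + 36)  # Characteristics
        sections.append((name, characteristics, virtual_size))
    return sections


def describe(characteristics: int) -> str:
    """Render the memory protection bits as a short 'RWX' style string."""
    bits = (("R", IMAGE_SCN_MEM_READ), ("W", IMAGE_SCN_MEM_WRITE), ("X", IMAGE_SCN_MEM_EXECUTE))
    return "".join(flag if characteristics & bit else "-" for flag, bit in bits)


def rwx_sections(data: bytes):
    """Names of sections whose on-disk characteristics are read+write+execute."""
    return [name for name, chars, _ in parse_sections(data) if chars & RWX_MASK == RWX_MASK]


def scan_file(path: str):
    with open(path, "rb") as fh:
        return rwx_sections(fh.read())


def build_sample_pe(sections):
    """CONSTRUCTED fixture: a minimal PE carrying only the headers the parser reads.

    sections is a list of (name, characteristics, virtual_size). The optional
    header is present but zero-filled; it is never dereferenced here.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xF0  # size of a PE32+ optional header
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x2022)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize,
                    0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, chars)
        for i, (name, chars, vsize) in enumerate(sections)
    )
    return dos + b"PE\0\0" + file_hdr + b"\0" * opt_size + table


# Constructed sample: one ordinary code section, one ordinary data section, and one
# data section that is RWX on disk, the kind of section Mockingjay abuses.
SAMPLE_PE = build_sample_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE, 0x4000),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, 0x1000),
    (".rwxdat", IMAGE_SCN_CNT_INITIALIZED_DATA | RWX_MASK, 0x2000),
])

if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:  # no files given: show the constructed sample
        for name, chars, vsize in parse_sections(SAMPLE_PE):
            print(f"{name:<8} {describe(chars)} {vsize:#x}")
    for path in targets:
        try:
            hits = scan_file(path)
        except (OSError, ValueError) as exc:
            print(f"{path}: skipped ({exc})")
            continue
        if hits:
            print(f"{path}: RWX section(s) {hits}")
```

Pass one or more DLL or EXE paths on the command line to scan real files; with no arguments it prints the protection string for each section of the constructed sample. Two caveats: a section flagged RWX on disk is RWX in every process that loads the image, so a hit is worth tracking across the fleet rather than per host, and this static check says nothing about memory made writable and executable at run time, which still needs the API-level telemetry that Mockingjay sidesteps.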
Switzerland expects Russia to increase cyberespionage as agent networks are disrupted.
Switzerland's Federal Intelligence Service warns that Russia can be expected to turn to cyberespionage as its human intelligence networks in Europe and North America are increasingly rolled up, and as the officers working under diplomatic cover who run those networks are declared persona non grata. "While the Russian intelligence services which operate abroad continue to pose the main threat in terms of espionage, their capabilities were undermined in many European states and in North America in 2018 (response to the attempted murder of Sergei Skripal) and in 2022 (response to the war against Ukraine), in some cases significantly. Large numbers of Russian intelligence officers working under diplomatic cover were expelled." Thus cyberespionage can serve as a "compensatory measure" when traditional espionage operators are expelled or otherwise denied access.
The fracturing of Conti, and the rise of its successors.
The Global Initiative against Transnational Organized Crime released a report detailing the Conti cybercrime group’s fall from its prominent perch in the underworld following the gang’s declaration of support for Russia in the Ukraine-Russia war. “Two days after Conti pledged their support for the Russian invasion of Ukraine, things began to unravel for the group. A Twitter profile with the handle @ContiLeaks started leaking the ransomware group’s internal communication. Although there are conflicting reports on who was behind the leak – perhaps a Ukrainian security researcher or an affiliate against the war – the over 100 000 leaked files were dubbed the ‘Panama Papers of ransomware’. Over the coming months, Conti’s methodical and business-like approach disintegrated, although attacks continued, including on the networks of the Costa Rican state.” On May 19th, 2022, it was reported that Conti’s websites were no longer working.
The story doesn’t end there, however. IBM’s Security X-Force reported on June 27th that its tracking of the crypters who worked with Conti shows the group remains active, at least in fragmentary or rump forms. “One year on, ITG23 (Conti) has experienced many organizational changes, splintering into factions and forging new relationships. Despite these events, ITG23 crypters remain fundamental to tracking post-ITG23 factions and their activity; so much so that we believe identifying and tracking the crypters is just as important, if not even more so, than tracking the malware itself. Our research indicates that while ITG23 may have fractured apart after shutting down Conti, many of its various members continue to be very active — still communicating amongst themselves and using shared infrastructure.” X-Force names the post-Conti factions it tracks as Royal, Quantum, Zeon, BlackBasta (a familiar name), and Silent Ransom.
Conti has provided a case study in cyber privateering: a financially motivated, criminal gang tolerated and encouraged to make its money attacking the enemies of the state. No formal letter of marque and reprisal required, just a wink and a nod from the FSB.
The "UserSec Collective" says it's recruiting hacktivists for the Russian cause.
And, finally, we turn from cyber privateers to cyber auxiliaries.
The group calling itself UserSec has announced on its Telegram page that it has formed a new coalition of pro-Russian hacktivists. Take what follows with the customary grain of salt. (They’ve still got salt mines in Russia, right?)
Calling it, with a sad failure of imagination, the "UserSec Collective," they boast of having attracted groups from Russia, India, Egypt, and other countries supporting the Russian cause. They also claim to have already carried out a mass cyberattack against many internet service providers, the details of which remain unreleased. A full list of the groups in the collective was posted this morning. That list is implausibly large. It includes fifteen hacktivist groups (see our Daily News Briefing for the full list) and one "media organization," something called the “Quantum Stellar Initiative,” which sounds like a tabloid from the Marvel Universe. The UserSec Collective has so far claimed one attack, against a French government visa site, france-visas[.]gouv[.]fr.
Again, view the communiqués with appropriate skepticism: the UserSec Collective is as likely to represent grass roots hacktivism as Anonymous Sudan is to be either Anonymous or Sudanese. Off to the salt mines.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Don’t forget to check out the “Grumpy Old Geeks” podcast where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find “Grumpy Old Geeks” where all the fine podcasts are listed. And check out the “Recorded Future” podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That’s at recordedfuture.com/podcast.
We’d love to know what you think of this podcast. You can email us at firstname.lastname@example.org—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.
N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.
New Mockingjay process injection technique evades EDR detection (BleepingComputer)
Ukraine war made Switzerland hub for Chinese, Russian spies: Swiss intelligence (South China Morning Post)
The rise and fall of the Conti ransomware group (Global Initiative)
The Trickbot/Conti Crypters: Where Are They Now? (Security Intelligence)