The CyberWire Daily Podcast 4.5.24
Ep 2040 | 4.5.24

Deciphering the Acuity cybersecurity incident.


Acuity downplays its recent breach. IcedID gives way to a new malware strain. Russia arrests alleged credit card thieves. Wiz uncovers security flaws in Hugging Face AI models. NERC and the E-ISAC review lessons learned from simulated attacks on the electrical grid. UK police track honey traps targeting MPs. Microsoft says China is actively trying to influence US elections. A major global lens maker suffers a cyber attack. Guest Dick O'Brien from the Symantec Threat Hunter Team shares how ransomware operators adapt to disruption. And SEO under threat of legal action. 

Today is April 5th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Acuity downplays its recent breach. 

In a follow-up to the recent cybersecurity incident at Acuity, a tech firm serving U.S. federal agencies, the company has acknowledged the breach but downplayed the sensitivity of the compromised data. Hacker IntelBroker claimed to have disseminated personal data from approximately 3,000 individuals, mainly linked to the U.S. Department of State, along with 2.5 Gb of files purportedly from Acuity. Despite assertions of exposing "classified communications," Acuity CEO Rui Garcia clarified the breach affected only outdated, non-sensitive GitHub repository information. The company has since implemented security upgrades and, after thorough investigations, reported no impact on sensitive client data. The State Department is conducting its own inquiry into the allegations.

IcedID gives way to a new malware strain. 

Latrodectus, a new malware evolving from the IcedID loader, has been identified in malicious email campaigns since November 2023. Discovered by Proofpoint and Team Cymru, its capabilities appear experimental. IcedID, known since 2017 as a banking trojan, has evolved into a sophisticated loader for various malware types, including ransomware. Recently, with the February 2024 guilty plea of an IcedID leader, researchers suggest Latrodectus, sharing infrastructure and tactics with IcedID, may become its successor. Distributed mainly through phishing by threat actors TA577 and TA578, Latrodectus initiates attacks via fake copyright infringement notices, leading victims to download a payload designed to evade detection and perform sandbox checks before executing. It can retrieve further malicious payloads from a command and control server, signaling a potential rise in its use for future cyberattacks.

Russia arrests alleged credit card thieves. 

In a rare public action against cybercrime within its borders, Russia has charged six individuals with stealing details from 160,000 credit cards and online store payments. The suspects employed malware and malicious code to pilfer payment information, later selling it on darknet forums. This operation utilized a Magecart-style attack, injecting code into e-commerce sites to capture sensitive data. The crackdown is notable in a country where cybercriminals often operate with impunity, hinting at possible connections to a broader crackdown, such as the 2022 arrest of the UniCC forum administrator involved in a massive stolen card trade. The suspects face up to seven years in prison if convicted.

Wiz uncovers security flaws in Hugging Face AI models. 

Cloud security company Wiz discovered two critical flaws in AI models on Hugging Face, a major AI model sharing platform, posing risks to AI-as-a-service providers. The vulnerabilities include risks of shared inference infrastructure and CI/CD pipeline takeover. These flaws could allow attackers to execute malicious code or perform supply chain attacks by exploiting the 'pickle' format used in serialized AI models or by compromising the automated software development workflow. Wiz's investigation demonstrated potential exploitation methods, such as causing false predictions or remote code execution. Despite limited tools for checking model integrity, Hugging Face offers Pickle Scanning for verification. Wiz and Hugging Face collaborated to address these issues.

NERC and the E-ISAC review lessons learned from simulated attacks on the electrical grid. 

A report from NERC and the E-ISAC looks at lessons learned from the GridEx VII exercise, a simulated targeting of North America's electric grid with cyber and physical attacks. The exercise involved a broad spectrum of participants from the electric sector and government, emphasizing the grid's resilience and response strategies. This simulation included distributed play and an executive tabletop session, spotlighting the urgent need for fortified resilience against complex threats, better coordination among electric utilities, government partners, and interconnected sectors, along with the enhancement of hybrid work environment response strategies. Recommendations in the report include calls for improved communication methods, better planning to ensure technical information is accessible across diverse teams, and tailored support for organizations of different sizes and experience levels. Future directions include deeper engagement across sectors, making the exercise more accessible to a wide participant range, and enhancing materials, especially for cyber scenarios, to better prepare for and mitigate evolving cybersecurity threats to the grid.

UK police track honey traps targeting MPs. 

UK police and Parliament's security department are investigating a "honey trap" scheme targeting Westminster politicians, officials, and journalists, involving suggestive messages on WhatsApp aiming to obtain compromising photos. This follows a Politico report highlighting the messages' tailored nature and sexually explicit progressions. While there's no direct evidence linking the scheme to state espionage, concerns about such activities have risen after warnings about China's cyber targeting. The situation came to light after William Wragg, a senior Conservative MP, admitted to sharing colleagues' numbers under pressure from someone he met on Grindr. Investigations were sparked by a report of unsolicited messages to a Leicestershire MP, with impacted individuals urged to report for their protection against potential blackmail.

Microsoft says China is actively trying to influence US elections. 

Microsoft has reported that Chinese-affiliated actors are employing fake social media accounts and AI-generated content to potentially influence U.S. elections and sow division on contentious domestic issues. According to Microsoft Threat Intelligence, these operations aim to gather intelligence and possibly sway the outcomes of elections in the U.S. and other democracies, with recent activities targeting the Taiwanese elections through AI content. This assertion follows earlier criticisms of Microsoft for mishandling a preventable breach attributed to China-linked hackers, underscoring a complex backdrop of cybersecurity tensions between Western countries and China. The tech giant emphasizes the enhanced sophistication and targets of China's influence operations, despite "little evidence" of successful opinion manipulation.

A major global lens maker suffers a cyber attack. 

Japan’s Hoya Corporation is actively working to recover systems at some production plants affected by a cyberattack on March 30. The attack led to the isolation of servers, disrupting IT systems at its headquarters and various divisions. Immediate action was taken upon detecting abnormal system behavior at an overseas office. The company, one of the world’s largest manufacturers of optical products, is collaborating with external forensic experts and has informed relevant authorities. The incident has impacted production plants and product ordering systems, but the extent and nature of the breach, including whether confidential information was compromised, are still under investigation. Hoya is prioritizing the restoration of affected systems and minimizing customer impact, with the investigation expected to take considerable time.

Next up, Dick O’Brien from Symantec Threat Hunter Team is back sharing how ransomware operators adapt to disruption. We’ll be back after this.

Welcome back.

SEO under threat of legal action. 

And finally, Ernie Smith, author and proprietor of the website Tedium, recently encountered a sophisticated scam operation disguised as a copyright enforcement action. Smith received a communication from a supposed law firm, Commonwealth Legal, which alleged a copyright infringement related to an image used on his website. The notice, rather than demanding the removal of the image or threatening a lawsuit, instructed Smith to place a "visible and clickable link" under the disputed photo, directing to a website named "tech4gods." The message warned of legal action should he fail to comply.

Upon closer inspection, Smith discovered numerous red flags pointing to the illegitimacy of Commonwealth Legal. The firm's website featured generic design elements populated with stock images, and the portraits of its "lawyers" appeared eerily lifeless, typical of faces generated by AI through Generative Adversarial Networks (GANs). Further investigations into the firm's listed address revealed it as non-existent, and attempts to reach the firm through provided contact details led nowhere.

This peculiar situation unveiled not a genuine copyright enforcement effort but an elaborate SEO scam. The scam aimed to improve the Google ranking of "tech4gods," a gadget review website. 

This incident sheds light on a new, more insidious form of SEO scamming that mimics the structure and threat of legal copyright actions. These scams exploit the fear and formalities associated with legal disputes to coerce website owners into unknowingly participating in manipulative SEO practices. 

Our legal desk tells us the lawyers at Commonwealth Legal are so advanced, they've already passed the bar exam in the Metaverse.

Before we go, a quick note of thanks. One of the most gratifying parts of being part of this team is when a kind listener takes the time to let us know how much they value and appreciate our work.

We got an anonymous care package in the mail from a listener in Texas who sent along an amazing collection of goodies, snacks and knick-knacks for our N2K Cyberwire and T-Minus podcasting teams, along with a hand-written letter expressing gratitude for the work we do. To our Texas superfan, on behalf of everyone here, thank you for taking the time and effort to reach out and share your kind thoughts. You’ve got a lot of folks smiling from ear to ear here at the N2K Cyberwire studios, and it’s a great way for all of us to head into the weekend. So thanks. 

Have a great weekend, everybody!

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
Be sure to check out my conversation with Noah Pack, a SANS Internet Storm Center Intern, this weekend over on the Research Saturday podcast, where we discuss his research on "What happens when you accidentally leak your AWS API keys?"

We’d love to know what you think of this podcast. You can email us at—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.