Snake (the crooks, not the hoods) and Charming Kitten are back. Influence ops and election security.
N2K logoMay 8, 2020

News for the cybersecurity community during the COVID-19 emergency: Friday, May 8th, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.

Snake (the crooks, not the hoods) and Charming Kitten are back. Influence ops and election security.

Snake is back, and squirming its way through the healthcare sector.

Snake, a ransomware strain MalwareHunter warned against back in January, has been noted for the attention it pays to obfuscation as well as for its ability to reach into and encrypt files on all devices connected to a victim's network. Dragos, which called the malware "Ekans" ("Snake" spelled backwards to avoid confusion with other, unrelated malware also called "Snake" or some variation thereof, that was associated with the Turla threat actor, and whose researchers were probably the first to observe the strain), reported its activity against industrial control systems.

KrebsOnSecurity has over the last two days reported that Snake was implicated in an attack against Germany-based Fresenius Group, Europe's largest private hospital network. Fresenius declined to go into much detail about the incident, but a company spokesman told KrebsOnSecurity “I can confirm that Fresenius’ IT security detected a computer virus on company computers. As a precautionary measure in accordance with our security protocol drawn up for such cases, steps have been taken to prevent further spread. We have also informed the relevant investigating authorities and while some functions within the company are currently limited, patient care continues. Our IT experts are continuing to work on solving the problem as quickly as possible and ensuring that operations run as smoothly as possible.”

The campaign is unlikely to be an isolated attack on Fresenius. While Fresenius is a big enterprise, the current Snake outbreak seems to be part of a larger effort against healthcare organizations working to provide emergency care during the COVID-19 pandemic. Data availability is of course immediately threatened by any ransomware attack, but Tripwire says that Snake has apparently joined other ransomware families in stealing sensitive data, then threatening to publish it on victim-shaming sites.

More on Charming Kitten's work against the WHO.

The World Health Organization expects to continue its struggles against cyberattacks and influence operations, and there's more evidence, circumstantial but strong, that Iran's Charming Kitten threat group has been responsible for phishing attempts against the organization. Bloomberg reports that the attackers posed as representatives of a media organization (the BBC) or a think tank (the American Foreign Policy Council) in emails that sought to induce the recipients to open malicious attachments represented as either a coronavirus newsletter or a set of proposed interview questions. ClearSky Cyber Security reviewed the emails for Bloomberg and concluded that the domains featured in the emails (mobiles [dot] identifier-services-session [dot] site and sgnldp [dot] live) and the use of the link-shortener bitli [dot] pro were the tip-offs.

The Charming Kitten operators seem to be interested, at least at first, in collecting email credentials from WHO employees. WHO told Bloomberg that it had "closed some systems in order to prevent hackers from gaining access to them, recruited new employees for its computer security team and enlisted the help of several security companies." But the attacks are wearing, and a WHO spokesperson says that it will be difficult for the organization to remain on high alert for much longer.

An example of a state media outlet's contribution to influence operations.

One of the tactics the US Department of Homeland Security and the FBI recently warned against in the context of threats to elections was the likelihood that operators would use "state-controlled media arms to propagate election-themed narratives to target audiences." That's observable in other areas as well, and as usual lies get their customary bodyguard of truth. Moscow-run RT, for example, is running a story that criticizes former British intelligence officials for using "the revolving door" to make a pile of money fear-mongering about Russian cyberattacks when they would have been better employed paying attention to the developing pandemic. What's the bodyguard of truth? That retired intelligence officers go to work in the private sector. What's the misdirection? That they should have been watching out for incipient epidemics. What's the lie? That warnings about Russian cyber operations are nothing more than fear-mongering, because Russia's a good citizen of cyberspace. What's the goal? Disruption: incitement of mistrust and resentment.

Voting security during (or even after) a pandemic.

One thing the pandemic has done is put a spoke in the wheels of programs designed to train election workers in how to secure voting, the Washington Post reports. It's also raised the likelihood that more ballots, in the US and elsewhere, will have to be cast remotely, in all probability mostly by mail, but in some cases online. Neither are easy to improvise at the eleventh hour.

All electronic balloting presents problems that paper ballots don't. (Paper ballots aren't problem-free either, and the history of corrupt elections goes back to the early Nineteenth Century at least, but they come with a different set of problems.) A group of academic and industry experts concerned with electronic voting have sent the US Cybersecurity and Infrastructure Security Agency (CISA) a letter expressing their appreciation for CISA's work, but more importantly stating concerns about CISA's advisories about election security. The signatories see three basic problems:

  1. "Online ballot marking greatly amplifies the security threats of online ballot delivery and introduces significant risks to ballot secrecy. It should be discouraged except for voters with relevant disabilities." 
  2. "Ballots delivered online are vulnerable to cybersecurity attacks. Unlimited/large scale online ballot delivery may enable the casting of fraudulent ballots if appropriate safeguards are not in place."
  3. "The back-end processing of electronically transmitted blank ballots involves a much greater workload and potential health risk for election workers compared to the processing of preprinted absentee ballots. Large-scale adoption of electronically delivered ballots will both burden election offices and increase the risk of person-to-person contact among election workers during the novel coronavirus pandemic if proper sanitation and social distancing precautions are not taken." 

Unemployed workers offered gigs as money mules.

PhishLabs warns that workers in the US and Canada who've lost their jobs during the COVID-19 emergency are being prospected with phishing emails that appear to offer gigs that would help tide them over through the crisis. It's an unusually cruel scam, coming as it does when unemployment rates in the US at least are hitting post-World War II highs. An email arrives (often impersonating the human resources department of a well-know corporation like Wells Fargo) with the offer of a part-time, personal services job that would enable the recipient to earn much-needed money while working from home. The recipient is asked to reply to the email for details. The job, it eventually becomes clear, is work as a money mule for a criminal enterprise.

Those familiar with the ways in which intelligence services recruit, compromise, and run agents will note that the criminals have learned from the spymasters. They begin by habituating the recruits to performing small, innocent tasks, then escalate to things that seem a bit sketchier, and finally have them running money for the gang. By that time the victim often feels they're too far gone, too compromised, to withdraw.