Cozy Bear campaigns continue.
The Russian threat group that successfully exploited vulnerabilities in SolarWinds last year (an SVR unit familiarly known as either Cozy Bear or Berserk Bear) is said, by Mandiant, to again be working against Western targets. CNN quotes Mandiant’s Charles Carmakal as saying, “The group has compromised multiple government entities, organizations that focus on political and foreign policy matters, and technology providers that provide direct or indirect access to the ultimate target organizations within North America and Europe.”
A second, related CNN report, citing new research by Microsoft, suggests that Russian government cyberespionage groups are enjoying satisfying (for them) levels of success against Western targets. Russia, with China running second, is “still comfortable leaning into nation-state attacks.”
Facebook outages caused by internal error.
Facebook and its subsidiaries Instagram and WhatsApp suffered widespread, lengthy outages on Monday, the Wall Street Journal reports. The incident doesn’t appear to have been the result of an attack, but rather, as initial speculation tended to regard it, as the consequence of an internal error. Facebook tweeted its apologies mid-outage, and its engineering team explained the incident as follows: “Our engineering teams have learned that configuration changes on the backbone routers that coordinate network traffic between our data centers caused issues that interrupted this communication. This disruption to network traffic had a cascading effect on the way our data centers communicate, bringing our services to a halt.” The platforms were down for about six hours.
Cloudflare offers an account of the issues it observed in Facebook’s BGP (Border Gateway Protocol) configuration that offers further explanation of the outage. KrebsOnSecurity notes that the Facebook dot com domain was yesterday, briefly, listed by several domain registries as being up for sale. That’s of course wildly implausible, but it happens when automated searches find domains that appear vacated or abandoned, which was one of the effects of the BGP problems at Facebook. MIT Technology Review explains the consequences of the outage for those portions of the world where Facebook is essentially the way people access the Internet.
Pandora Papers leak.
The Pandora Papers, a 2.94 terabyte leak of financial data about rulers, oligarchs, billionaires, and other prominent people, have been obtained and published by the International Consortium of Investigative Journalists. Euractiv reports that thirty-five current and former world leaders are highlighted in the Papers. Statista notes that among the leaders named are “King Abdullah II of Jordan, the Emir of Dubai and prime minister of the United Arab Emirates, Sheik Mohammed bin Rashid, as well as the presidents of Azerbaijan, Montenegro, Kenya, Ecuador, Gabon, Chile, the Ukraine and the Republic of the Congo. The prime ministers of the Czech Republic, Cote d`Ivoire, and Lebanon and the emir of Qatar can also be found among those tied to offshore money havens.” Reuters reports that the US government is looking into the papers but is not yet ready to comment on its findings. While much of the content of the Pandora Papers appears shady, it’s not clear how much of it is actually illegal.
The popular gaming-oriented streaming platform Twitch suffered a major data breach this week, evidently at the hands of a hacktivist. Twitch says that the attacker gained access via an error in one of its server configuration changes. The hacker exposed 125 GB of data, including the platform’s source code and information about how much money its top streamers make. PC Gamer leads with a representative quotation: “This is as bad as it could possibly get.” But maybe not. In an update the company posted yesterday, Twitch said that as far as they knew, no login credentials were stolen. And, since Twitch doesn’t store paycard data, those weren’t exposed either. If the data aren’t there in the first place, they’re not there to be stolen. It’s also worth noting that while streamers’ earnings have been making headlines due to the breach, it was possible to get a rough estimate of their incomes even before the breach based on their subscriber counts.
Google warns users of state-sponsored campaigns.
On Wednesday, Google’s Threat Analysis Group (TAG) distributed an unusually high number of warnings to about 14,000 Gmail users indicating that they may presently be targeted by a government cyberespionage organization. The attempts have been attributed, BleepingComputer and the Record report, to APT28, that is, Fancy Bear, Russia’s GRU. A TAG member, Shane Huntley, tweeted about the implications of such warnings: Google probably blocked the attempts, but you should take prudent steps to protect yourself now, because “you are a potential target for the next attack.”
FIN12 targets healthcare entities with ransomware.
Mandiant on Thursday released a report on FIN12, an “aggressive, financially motivated” ransomware gang noteworthy for its concentration on healthcare organizations. FIN12 concentrates on deployment of ransomware proper (particularly Ryuk) and hasn’t followed the broader criminal trend toward double extortion. It’s also a heavy user of initial access brokers hired in the C2C market. Mandiant notes, “Since initially emerging, FIN12 has had a close partnership with TRICKBOT-affiliated threat actors; all incidents prior to March 2020 leveraged accesses obtained from TRICKBOT infections. However, FIN12 has seemingly diversified its partnerships, possibly seeking out other threat actors’ tools and services to increase the volume and efficiency of their attacks.”
The researchers add, “Almost 20 percent of directly observed FIN12 victims were in the healthcare industry and many of these organizations operate medical facilities. We observed FIN12 activity at healthcare organizations both before and after the joint alert by multiple U.S. government entities in October 2020 that warned of an “increased and imminent” threat to hospitals and medical facilities. This targeting pattern deviates from some other ransomware threat actors who had at least stated an intention to show restraint in targeting hospitals, especially throughout the COVID-19 pandemic. FIN12’s remaining victims have operated in a broad range of sectors, including but not limited to business services, education, finance, government, manufacturing, retail, and technology.”
The vast majority of the threat actor’s victims are located in North America, though the group began expanding its targeting in the first half of 2021, hitting entities in Australia, Colombia, France, Indonesia, Ireland, the Philippines, South Korea, Spain, the United Arab Emirates, and the United Kingdom.
Tracking China’s APT41.
BlackBerry’s Research and Intelligence Team has linked China’s APT41 to an ongoing campaign against espionage targets in India. The campaign is noteworthy for its use of COVID-19 or income-tax themed phishbait as it prospects its targets. BlackBerry credits earlier research by FireEye (now Mandiant) and Prevailion with setting them on the right track. The researchers add, “When we looked deeper into the activities of the threats within these clusters, the similarities continued. Reports from Subex and Positive Technologies described campaigns using PDF files that lured people in with a variety of tactics, including leveraging people’s desire to see information indicating a swift end to the COVID-19 pandemic.”
(APT41 has gone by many names, including “Double Dragon,” “Barium,” “Winnti,” “Wicked Panda,” “Wicked Spider,” “TG-2633,” “Bronze Atlas,” “Red Kelpie,” and “Blackfly.”)
Coinbase accounts robbed.
Attackers were able to access and steal from around 6,000 Coinbase accounts, according to Infosecurity Magazine. The thieves obtained email addresses, passwords, and phone numbers from some other source, and then, Coinbase’s disclosure explains, were able to exploit a weakness in Coinbase’s account recovery system to get a second factor authentication code via text message. Coinbase says affected users will be reimbursed, but warns that the attackers may have also stolen or changed the victims’ account information:
“The third party who accessed your Coinbase account would have been able to view the following information, depending on what information you have in your account: your full name, email address, home address, date of birth, IP addresses for account activity, transaction history, account holdings, and balance.
“The third party who accessed your account may have changed the email, phone number, or other information associated with your account. We are working to restore any changed emails or phone numbers to their original state prior to the unauthorized activity.”
Ransomware hits agricultural companies.
NBC News reviews the current series of BlackMatter ransomware attacks against the US agricultural sector. Two Iowa-based grain cooperatives, Farmers Cooperative Company and the New Cooperative, and Minnesota-based co-op Crystal Valley are known to have been disrupted. The timing of the attacks is troubling, coming as they do around the time of the harvest. The affected organizations have been reticent about sharing information (in part due to concerns over potential litigation) and some speculate that there may be other, publicly undisclosed farming-sector victims.
Scammers use SafeMoon cryptocurrency as phishbait.
Cybercriminals continue to follow niche fads. ESET describes how the currently shiny reputation of the new and highly volatile SafeMoon alt-coin has prompted criminals to use it as phishbait in a campaign designed to get the marks to download the Remcos RAT. Remcos itself occupies an increasingly familiar grey area: it has legitimate uses, but its also widely employed by criminals for stealing credentials from a range of browsers, keylogging, webcam and microphone hijacking, and downloading further malware.
FluBot Android malware distributed via scareware.
FluBot’s operators are running a scareware campaign. The come-on, CERT-NZ warns, is itself a warning against FluBot: “The installation page for #Flubot has changed to look like a warning page. If you see this page close the page IMMEDIATELY and DO NOT click ‘Install security update’.” The link to the download page is distributed through text messages. Flubot, BleepingComputer explains, depends heavily on social engineering to access and eventually completely control an Android device and, effectively, its user’s data.
Atom Silo ransomware operator exploits Confluence vulnerability.
Sophos describes Atom Silo ransomware’s DLL-sideloading and exploitation of Confluence to accomplish relatively stealthy attacks. Sophos writes, “The sophisticated attack, which took place over two days, was made possible by an earlier initial access leveraging a recently revealed vulnerability in Atlassian’s Confluence collaboration software. While the ransomware itself is virtually identical to LockFile, the intrusion that made the ransomware attack possible made use of several novel techniques that made it extremely difficult to investigate, including the side-loading of malicious dynamic-link libraries tailored to disrupt endpoint protection software.”
More ransomware notes.
The Conti ransomware gang really doesn’t want its victims engaging the media. The gang has threatened to dump the data they’ve stolen should they get wind of a target’s talking to reporters, the Record says. The threat actor said in a statement, “For instance, yesterday, we have found that our chat with JVCKenwood whom we hit a week ago got reported to the journalists. Despite what is said in the article, the negotiations were going in accordance with a normal business operation. However, since the publication happened in the middle of negotiations it resulted in our decision to terminate the negotiations and publish the data. JVCKenwood has been already informed. Moreover, this week we have once again spotted screenshots from our negotiation chats circulating over social media.”
The proprietors of AvosLocker ransomware follow the now-familiar path of the double-extortion gangs who threaten to auction the data of victims who refuse to pay, the Record reports.
Flashpoint researchers are tracking the resurgence of REvil in the Groove collective’s criminal RAMP forum.
Cybereason updates its account of Operation GhostShell, a cyberespionage campaign the firm’s researchers described in July of this year. Among the discoveries they regard as particularly noteworthy are GhostShell’s association with a hitherto unknown threat group, “MalKamak,” believed to be operating in the interests of Iran, and MalKamak’s deployment of the novel ShellClient RAT. MalKamak has been operating since 2018 at least. The researchers note that, “Based on the telemetry, this threat has been predominantly observed in the Middle East region, but has also been observed targeting organizations in the U.S., Russia and Europe, with a focus on the Aerospace and Telecommunications industries.”
They add that the threat actor’s malware places an emphasis on stealth: “The authors of ShellClient invested a lot of effort into making it stealthy to evade detection by antivirus and other security tools by leveraging multiple obfuscation techniques and recently implementing a Dropbox client for command and control (C2), making it very hard to detect.”
Philippine Senate hit by DDoS attacks.
The Philippine Senate is the latest high-profile organization to find its website encumbered by distributed denial-of-service attacks, the Inquirer reports. “The Senate’s Electronic Data Processing-Management and Information System (EPD-MIS) bureau said it ‘temporarily blocked access to the Senate website because of an ongoing distributed denial-of-service (DDoS) attack,’” the Inquirer says.
Microsoft plans to disable Excel 4.0 macros by the end of 2021, the Record reports. The Record notes that these are “one of the most abused Office features” by malware.
Crime and punishment.
Russia has formally charged Group-IB founder Ilya Sachkov with treason, Meduza reports. According to TASS, Sachkov has been accused of “disclosure of information that contains state secrets.”
Deputy Attorney General Lisa O. Monaco announced on Wednesday the formation of a National Cryptocurrency Enforcement Team (NCET), which will “tackle complex investigations and prosecutions of criminal misuses of cryptocurrency, particularly crimes committed by virtual currency exchanges, mixing and tumbling services, and money laundering infrastructure actors.” The Justice Department stated, “The NCET will draw and build upon the established expertise across the Criminal Division to deter, disrupt, investigate, and prosecute criminal misuse of cryptocurrency, as well as to recover the illicit proceeds of those crimes whenever possible. Because cryptocurrency is used in a wide variety of criminal activity, from being the primary demand mechanism for ransomware payments, to money laundering and the operation of illegal or unregistered money services businesses, to being the preferred means of exchange of value on “dark markets” for illegal drugs, weapons, malware and other hacking tools, the NCET will foster the development of expertise in cryptocurrency and blockchain technologies across all aspects of the Department’s work. The NCET will also play a critical support role for international, federal, state, local, tribal, and territorial law enforcement authorities grappling with these new technologies and new forms of criminal tradecraft.”
Also on Wednesday, Deputy Attorney General Monaco announced the launch of the Justice Department’s Civil Cyber-Fraud Initiative, whose purpose is to “utilize the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients….The initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”
Courts and torts.
SolarWinds investors have requested that a US Federal judge keep their lawsuit against the company alive, claiming that SolarWinds’ former security advisor had warned the company of “critical deficiencies” in its cybersecurity posture before it suffered a severe supply-chain attack last year, Law360 reports.
Policies, procurements, and agency equities.
A former advisor to former US President Trump, Fiona Hill, told Congress it was unlikely Russia had any compromising material on the ex-president. Such ascendancy as President Putin achieved was open-source: an appeal to flattery.