Lapsus$ gang breaches T-Mobile for source code.
KrebsOnSecurity reports that internal Lapsus$ gang chatter the week before some of the group’s (alleged) members were arrested last month indicated that the gang had made multiple incursions into T-Mobile’s systems. For reasons that are unclear, Lapsus$ exhibited a strong interest in source code. They compromised employee accounts either by social engineering or–mark this–buying them from Russophone initial access brokers. T-Mobile told KrebsOnSecurity, “Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software. The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value. Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”
KrebsOnSecurity reports that Lapsus$ members continuously targeted T-Mobile employees. Access to employee accounts allows for easy “SIM swaps,” which reassign a target’s mobile number to a device the attackers control, giving them access to the target’s texts and phone calls. Intercepting phone communications matters because password-reset links and sites requiring multi-factor authentication often rely on texts or calls for verification.
When the gang was cut off from one employee’s credentials, they simply bought another set. Logs from March 19, 2022 show that Lapsus$ had gained access to Atlas, an internal T-Mobile tool for customer account management, and that the gang attempted to access government accounts, which required further verification. Eventually the leader of Lapsus$ decided to cut the VPN connection completely, but the group continued to steal source code. It is unclear why source code was the main target of the attacks.
Conti claims responsibility for Costa Rican ransomware campaign, expands campaign to country’s electrical system.
Costa Rica continues to work toward recovery from a ransomware campaign that afflicted government sites during the country’s presidential transition. ABC has summarized the attack and the government’s response. The Conti gang has claimed responsibility for the campaign, which appears to be a double extortion operation in which data are both encrypted and stolen. The Costa Rican government has refused to pay the ransom.
Conti’s ransomware campaign against Costa Rica has expanded to affect the country’s electrical power distribution system, the Record reports. Junta Administrativa del Servicio Eléctrico de Cartago (JASEC), which delivers power to the city of Cartago, said that its administrative and business systems had been disabled by the ransomware. This doesn’t, however, represent a direct attack on industrial control systems: power generation and distribution continue normally, JASEC says.
FBI warns of attacks on agricultural cooperatives.
The FBI warned last week that agricultural cooperatives should expect to become targets of ransomware operators during crucial, seasonal inflection points, particularly around harvest and—right now—around planting times.
The FBI noted ransomware attacks on six grain cooperatives in 2021’s season, and two attacks early this year. Some victims of ransomware attacks had their production disrupted. Disruption of production can cause major issues in the food chain, since grain is not only consumed by humans, but is also used for animal feed.
Finnish team wins NATO cyberdefense competition.
NATO’s Exercise Locked Shields has concluded, and a team from Finland won the competitive phase of the exercise. A Lithuania-Poland team scored second, with Estonia-Georgia in third.
The head of cyber exercises at the CCDCOE, Carry Kangur, is quoted as saying the competition was “very close,” with Finland edging ahead because of its solid defense against network and web attacks and excellence in situation reporting.
Iranian cyber tensions rise approaching Quds Day.
With Quds Day occurring this week, a traditional time of heightened cyber tension between Iran and other nations (especially Israel), the AP reports that Iranian media say the country has detected and blocked “hundreds” of cyberattacks against public and private infrastructure. Haaretz reports that an Iranian hacktivist outfit styled “Hackers of Savior” has claimed an attack against the Bank of Israel. Israel’s National Cyber Directorate, however, says it’s seen no proof of any compromise against the bank.
Emotet malware gang testing new techniques.
Proofpoint on Tuesday reported that it’s seeing unusual activity from Emotet-malware-wielding gang TA542. The criminal group, which has been in a slow period since going into partial occultation early last year, appears to be conducting low-volume testing of new techniques. Specifically, they’re using OneDrive URLs and XLL files to deliver their malicious payloads. The activity may also indicate a shift to “more selective and limited scale attacks in parallel to the typical mass scale email campaigns.”
The sender’s email address was found to have been compromised, and the emails weren’t sent by the Emotet spam module. The emails were simple, with a subject line of “Salary” and a OneDrive link to zip files containing Excel Add-in (XLL) files. The zip files were simply named “Salary_new.zip” and the XLL files were named something like “Salary_and_bonuses-04.01.2022.xll.” When the files are executed, they drop and run Emotet.
Proofpoint analysts have determined with confidence that this malware is the work of TA542, since the actor has closely controlled the Emotet malware since 2014 and has not rented it out.
Cyber criminals found to offer free trials of malware.
Free trials can be used to attract customers in the criminal-to-criminal market just as they’re used in legitimate markets. IT-Markt discusses the case of the Ginzo infostealer, which, while in G-Data’s estimation isn’t particularly novel, is wooing clients and building reputation in the C2C souks.
The Ginzo infostealer targets stored browser passwords, cryptocurrencies, system data, and access tokens for Discord. Its creators gave it away for free on underground forums.
G Data offers an explanation for the free distribution of Ginzo: “A campaign to build up a good reputation in the scene is just as possible as a clever marketing campaign, analogous to legitimate software providers. There, too, it is not unusual to offer a tool free of charge during the market launch. The next step would then be to introduce a payment model at a later point in time – once the tool is established enough and has a sufficiently large user base.”
North Korean cyberespionage group targeting highly specialized engineering companies.
Two new reports on North Korean cyber activity were released Wednesday. Symantec is tracking a resurgence of cyberespionage by Stonefly (whose name is legion–it’s also known as DarkSeoul, BlackMine, Operation Troy, and Silent Chollima). The most recent attack, which began in February, has been against “an engineering firm that works in the energy and military sectors.” It’s believed Stonefly exploited a Log4j vulnerability (CVE-2021-44228) on a public-facing VMware View server. Stonefly pivoted from there to compromise eighteen other systems in the network. Narrowly focused on technical intelligence, Stonefly makes heavy use of commodity malware.
North Korean Lazarus Group targets South Korean users in spearphishing campaign.
The other report on DPRK cyber ops comes from Zscaler, which is following the Lazarus Group’s recent activities: an ongoing spearphishing campaign whose phishbait is typically related to cryptocurrency and whose phish hook is concealed in a Lazarus-controlled Dropbox account. Correlation of domains identified earlier with the Lazarus Group (by Prevailion, Google TAG, and ESET) led Zscaler to connect the campaign to Pyongyang’s best-known threat actor.
Five Eyes intelligence issues advisory detailing 2021’s top routinely exploited vulnerabilities.
Five Eyes intelligence and security services have issued a Joint Cybersecurity Advisory that describes 2021’s “Top Routinely Exploited Vulnerabilities.” Log4Shell, ProxyShell, ProxyLogon, and ZeroLogon issues figure prominently in the list. The agencies that contributed to the report include the US Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), and the UK’s National Cyber Security Centre (NCSC-UK).
French authorities investigating sabotage on telecom networks.
Reuters reports that French authorities are investigating what appear to have been coordinated acts of sabotage that physically severed lines delivering Internet and telephone service in that country. “The French Telecoms Federation said attacks of vandalism had impacted telecoms networks in several regions, including the Ile-de-France region around Paris, eastern France and the Auvergne-Rhone-Alpes and Bourgogne-France-Comte regions.”
New malicious downloader identified.
Proofpoint has identified a new malicious downloader, “Bumblebee,” which has been used in criminal campaigns since March at least. Bumblebee, which facilitates initial access and is used to deliver other payloads, including ransomware, appears to have replaced BazaLoader, which seems to have gone out of use at about the time Conti was doxed. Its users appear to be receiving it from the same source.
Bumblebee has been found to be “in active development and wields elaborate evasion techniques to include complex anti-virtualization,” according to Proofpoint.
At least three threat actors were identified using email campaigns to distribute Bumblebee, with several shared aspects across campaigns, such as use of ISO files containing shortcut files and DLLs and a common DLL entry point used by multiple actors within the same week.
In March of this year, a DocuSign-branded email campaign was discovered, designed to lead the recipient to the download of a malicious ISO file. Also in March, a campaign was found delivering emails generated by submitting a message to a contact form on the target’s website. In April, a thread-hijacking campaign delivering emails to existing benign email conversations with malicious zipped ISO attachments was found.
Cloudflare blocks one of largest HTTPS DDoS attacks on record.
Cloudflare reported on Wednesday that it had blocked one of the largest volumetric attacks so far observed, “a 15.3 million request-per-second (rps) DDoS attack — one of the largest HTTPS DDoS attacks on record.”
The attack targeted a Cloudflare user operating a crypto launchpad; launchpads are used to “surface Decentralized Finance projects to potential investors.” The attack was launched by a botnet Cloudflare has seen before, in attacks as high as 10 million rps.
Cloudflare says the attack was blocked by a software-defined autonomous system programmed to detect and mitigate DDoS attacks across the network.
Criminal uses for black hat search engine optimization.
On Thursday Cybersixgill described the criminal uses of black-hat search-engine optimization. The researchers explain that black hat SEO is a manipulation of search engines to attain higher rankings in searches. One possible use for black hat SEO is in phishing campaigns. Phishing campaign sites are usually caught by antivirus after a few days, so criminals use black hat SEO to manipulate their position in the search rankings and “hunt” as many victims as they can in that short period of time. This can also be used by criminals to damage the credibility of legitimate sites by convincing users that visiting the legitimate site caused a hack.
Services offering SEO and related optimization for malicious sites have also been found on the deep and dark web.
Romanian government sites targeted in DDoS attack.
Balkan Insight reports that Romanian government websites came under distributed denial-of-service attacks today. Bucharest characterizes the attacks as “symbolic,” and well within the government’s ability to contain and mitigate them.
The government stated that IT specialists were working on restoring service to the sites and identifying the causes of the attack. The Defense Ministry asserted that the website was not compromised, only inaccessible. The Defense Ministry’s site does not contain sensitive or classified databases, and other services and computer networks were unaffected.
Defense Minister Vasile Dincu said, “Such attacks exist on government sites even without an ongoing war. Our cyber security divisions are ready. Episodes like this are also from amateurs. Some are institutionally orchestrated.”
Deus Finance announces losses of more than $13 million to online theft.
According to the Record, Deus Finance, a decentralized finance (DeFi) platform, has acknowledged that it lost somewhat more than $13 million to online theft this week. The Record describes the incident as a flash loan attack. “Flash loan attacks involve hackers borrowing funds that do not require collateral, buying a significant amount of a cryptocurrency to artificially raise its price and then offloading the coins. The loan is paid back and the borrower keeps any profit.”
The attacker took out a $143 million flash loan, bought 9.5 million DEI, causing the price to increase, and paid the flash loan back, profiting $13 million. Deus Finance released messages on Twitter and Telegram about the attack, stating, “Please note that all user funds are safe and that no users were liquidated. The devs are still investigating the full scope of the situation and further details will follow soon.”
PeckShield says the attacker stole $13.4 million from the platform, but acknowledged potential larger losses for the platform, while CertiK claims the losses are around $15.7 million.
Coca-Cola investigating hacking claims.
The Wall Street Journal says that Coca-Cola is still investigating the Stormous Group’s claim to have compromised company networks.
Stormous hackers claim that data they have for sale is from Coca-Cola’s systems, asserting that they’d stolen around 161 gigabytes of data and were selling it for $64,000.
A Coca-Cola spokesman is quoted as saying, “We are aware of this matter and are investigating to determine the validity of the claim. We are coordinating with law enforcement.”
Security researchers question the validity of Stormous’ alleged hacks, including an alleged breach of Epic Games and the Ukrainian Ministry of Foreign Affairs. Researchers say that data the group had offered previously was already available on darkweb forums. Cybersecurity company ZeroFox Inc. called Stormous a “scavenger operation,” as they’ve claimed hacks since July 2021 and none have been verified.
US and 60 other nations issue Declaration for the Future of the Internet.
The US and sixty other nations have issued a Declaration for the Future of the Internet. A White House factsheet says that the Declaration aims at securing the following principles:
- “Protect human rights and fundamental freedoms of all people;
- “Promote a global Internet that advances the free flow of information;
- “Advance inclusive and affordable connectivity so that all people can benefit from the digital economy;
- “Promote trust in the global digital ecosystem, including through protection of privacy; and
- “Protect and strengthen the multistakeholder approach to governance that keeps the Internet running for the benefit of all.”
Neither Russia nor China signed on.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued two industrial control system security advisories, one for Hitachi Energy System Data Manager, the other for Mitsubishi Electric MELSEC and MELIPC Series (Update B). CISA issued two more industrial control system advisories Thursday, covering Delta Electronics DIAEnergie and Johnson Controls Metasys.
Crime and punishment.
The US Department of State has added six Russian GRU officers to its Rewards for Justice program. The six Russian operators, all members of Unit 74455 (also known as Sandworm, Voodoo Bear, Telebots, and Iron Viking) are wanted in connection with the NotPetya attacks. Information on the six can draw a reward of up to $10 million.