Cloud disruption disables cancer radiation treatments.
A ransomware attack against Elekta, a firm whose software is used to operate linear accelerators used in cancer treatment, led the company to take its cloud offline, disrupting cancer care at a number of hospitals. Affected hospitals are moving patients to other facilities as they scramble to keep up the treatments, WTNH reports. Becker’s Hospital Review says the incident has affected at least forty health systems in the US, including Yale New Haven Health in Connecticut, Lifespan in Rhode Island, and Southcoast Health in Massachusetts. An Elekta spokesperson told Becker’s that services have been restored, and the company doesn’t believe any patient information was compromised.
Deepfakes (but kind of shallow).
Someone impersonating a spokesman for imprisoned Russian opposition figure Alexandr Navalny conducted Zoom meetings with European Parliament members. The sessions featured what the Guardian and NL Times call a deepfake video call purporting to be Navalny associate Leonid Volkov. Speculation about responsibility for the incident has focused on “Vovan and Lexus,” two well-known Russian prankers.
Holiday Bear unplugged.
The US FBI and CISA have released a joint description of trends in SVR cyber activities, summarizing the current state of the Russian foreign intelligence service’s operations against the US and allied networks it targets. In 2018, like everyone else, the SVR decided the future was in the cloud, and it’s been operating against targets there ever since. The service makes heavy use of false identities and cryptocurrencies in putting its campaign infrastructure in place. “These false identities are usually supported by low reputation infrastructure including temporary e-mail accounts and temporary voice over internet protocol (VoIP) telephone numbers.” The SVR also uses open source or commercial tools (notably Mimikatz and Cobalt Strike) in its operations.
More on Ghostwriter.
FireEye has updated its research into Ghostwriter, an influence-operator that came to attention last year as it sought to affect public opinion in Latvia, Lithuania, and Poland. Its messaging then was anti-NATO, but the group has now expanded its thematic content to include disruption of domestic Polish politics and (according to Tagesschau) credential theft attacks on German political figures. FireEye believes the threat actor it tracks as UNC1151 operates some portions of Ghostwriter. The firm characterizes UNC1151 as “a suspected state-sponsored cyber espionage actor that engages in credential harvesting and malware campaigns.”
Cybercriminal group exploits SonicWall vulnerability.
FireEye warned on Thursday that it’s observed “an aggressive financially motivated group, UNC2447, exploiting one SonicWall VPN zero-day vulnerability.” The company believes the threat is a serious one, with evidence of tool-sharing by criminal groups. The actor is using malware known as “SOMBRAT,” which FireEye says has been linked to ransomware activity. The researchers state:
“UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums. UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics.
“Mandiant has observed evidence of UNC2447 affiliated actors previously using RAGNARLOCKER ransomware. Based on technical and temporal observations of HELLOKITTY and FIVEHANDS deployments, Mandiant suspects that HELLOKITTY may have been used by an overall affiliate program from May 2020 through December 2020, and FIVEHANDS since approximately January 2021.”
Memory allocation vulnerabilities in IoT and OT devices.
Microsoft on Thursday announced a set of memory allocation vulnerabilities they’re tracking as “BadAlloc.” The vulnerabilities affect IoT and OT devices, and they could be exploited either for remote code execution or to induce system crashes. CISA has also published mitigation advice for BadAlloc. Microsoft says it hasn’t observed the vulnerabilities being exploited in the wild, but operators are urged to patch or mitigate against the flaws.
Microsoft explains, “All of these vulnerabilities stem from the usage of vulnerable memory functions such as malloc, calloc, realloc, memalign, valloc, pvalloc, and more. Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations. Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device. The memory allocation vulnerabilities can be invoked by calling the memory allocation function, such as malloc(VALUE), with the VALUE parameter derived dynamically from external input and being large enough to trigger an integer overflow or wraparound. The concept is as follows: When sending this value, the returned outcome is a freshly allocated memory buffer. While the size of the allocated memory remains small due to the wraparound, the payload associated with the memory allocation exceeds the actual allocated buffer, resulting in a heap overflow.”
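The size-wraparound pattern Microsoft describes, as an added C example that is not Microsoft's or any device vendor's code: a hypothetical record allocator adds a fixed header to an externally supplied length without checking for wraparound, beside the hardened version that rejects lengths that would wrap. The header size, function names and the calloc-style multiplication check are assumptions for illustration.

```c
/* Added example of the BadAlloc size-computation pattern (hypothetical
 * allocator wrapper, not code from any real product). */
#include <stdint.h>
#include <stdlib.h>

#define HDR_SIZE 16u   /* assumed per-record header prepended to the payload */

/* Vulnerable: the allocation size is computed with unchecked addition.
 * For len = SIZE_MAX - 8, HDR_SIZE + len wraps around to 7, so malloc()
 * would hand back a 7-byte buffer while the caller still believes it may
 * copy len bytes of payload into it: a heap overflow. This function only
 * returns the size that would be requested, so the wraparound can be
 * observed without allocating or writing anything. */
size_t vuln_alloc_size(size_t len) {
    return HDR_SIZE + len;                 /* wraps for large len */
}

/* Hardened: detect the wraparound before the addition happens.
 * Returns 0 to signal rejection (0 is never a valid result here,
 * because HDR_SIZE is non-zero). */
size_t safe_alloc_size(size_t len) {
    if (len > SIZE_MAX - HDR_SIZE)         /* HDR_SIZE + len would wrap */
        return 0;
    return HDR_SIZE + len;
}

/* Same idea for the calloc-style case count * elem: reject if the product
 * would wrap. Zero-sized requests are rejected too, as a deliberate policy
 * for an allocator fed by untrusted input. */
size_t safe_mul_size(size_t count, size_t elem) {
    if (count == 0 || elem == 0 || count > SIZE_MAX / elem)
        return 0;
    return count * elem;
}

/* Allocates a record for a payload of len bytes, or returns NULL when the
 * size computation would wrap. The caller owns and frees the buffer. */
void *alloc_record(size_t len) {
    size_t total = safe_alloc_size(len);
    if (total == 0)
        return NULL;
    return malloc(total);
}
```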
The disclosure of BadAlloc should lend some urgency to the OT security concerns NSA raised in its advisory to the Defense Industrial Base on Thursday. That advice was prompted by the SolarWinds compromise, but the concerns are broadly applicable to OT operators.
Naikon has a new secondary backdoor.
Bitdefender reports a new approach by the Naikon APT, a group it associates with the Chinese government. Active for more than ten years, Naikon focuses on government and military targets in South Asia. It’s now deploying a secondary backdoor, “Nebulae,” which Bitdefender believes plays an important role in the APT’s persistence in victim networks.
The researchers explain, “During our investigation, we identified that the victims of this operation are military organizations located in Southeast Asia. The malicious activity was conducted between June 2019 and March 2021. At the beginning of the operation, the threat actors used Aria-Body loader and Nebulae as the first stage of the attack. From our observations, starting with September 2020, the threat actors included the RainyDay backdoor in their toolkit. The purpose of this operation was cyber-espionage and data theft.”
Jerusalem Day warnings.
May 7th is Quds Day, Jerusalem Day, observed by the Islamic Republic of Iran. By coincidence this year it falls near Israel’s own Jerusalem Day, May 10th, which commemorates Israel’s unification of the city during the Six-Day War. The Times of Israel reports that Israel’s National Cyber Directorate has issued an alert to expect Iran-associated cyberattacks in connection with the observances. The Directorate expects any cyberattacks this year to be more ambitious than the customary website defacements.
Rethinking MAPP (when you no longer trust your trusted partners).
According to Bloomberg, Microsoft is rethinking how it shares information with the eighty-one corporate members of the Microsoft Active Protection Program (MAPP). Redmond suspects that some participants may have tipped off hackers when Microsoft gave MAPP members early warning of the vulnerabilities Hafnium exploited.
FluBot is back.
FluBot, temporarily bopped when Spanish police arrested several of the hoods associated with the Android malware early last month, is back, and expanding its geographical reach, Proofpoint reports. New infestations have been observed in the United Kingdom, Germany, Hungary, Italy, Poland, and Spain. Proofpoint expects FluBot to reach North America soon. Proofpoint says the malware is distributed via phishing messages that purport to come from delivery companies, including DHL and FedEx.
The UK’s National Cyber Security Centre (NCSC) issued its own warning about FluBot, stating, “The spyware is installed when a victim receives a text message, asking them to install a tracking app due to a ‘missed package delivery’. The tracking app is in fact spyware that steals passwords and other sensitive data. It will also access contact details and send out additional text messages – further spreading the spyware.”
Babuk ransomware hits Washington, DC, Metropolitan Police.
The Babuk ransomware gang has hit the Washington, DC, Metropolitan Police Department, StateScoop reports, and it’s threatened to release 250 gigabytes of sensitive files. The Record has screenshots of the dumpsite. Vice says the stolen data include “police reports, mug shots and personal details about people arrested, and internal memos.” A spokesperson for the department told Vice, “We are aware of unauthorized access on our server. While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter.”
Recorded Future’s Allan Liska told StateScoop that the attack was probably opportunistic, as Babuk relies on phishing emails and well-known technical vulnerabilities to compromise its victims. Threatpost says the attackers themselves taunted the police department in their ransom note, stating, “We find 0 day before you.”
BleepingComputer reports that the Babuk gang on Thursday announced that they would be shutting down their operation, stating on their blog that “PD was our last goal,” referring to the Metropolitan Police Department. The announcement was later removed and a different version was posted, which BleepingComputer believes indicates that the gang isn’t finished just yet. In both versions of the announcement, however, the criminals said they planned to open-source their ransomware code when they retire, saying they’ll “do something like Open Source RaaS, everyone can make their own product based on our product and finish with the rest of the RaaS.”
Online fraud follows current events, and the Academy Awards last weekend provided cybercriminals an opportunity to dangle lures baited with Oscar material before prospective victims, Threatpost says. Researchers at Kaspersky identified malicious sites that attempted to steal users’ debit card information. The researchers stated, “In the hopes of watching an Oscar-nominated movie, users visited a site where they were shown the first few minutes of the film before being asked to register to continue watching. During the registration, to confirm their region of residence, the victim was asked to enter their bank-card details. After some time, money was debited from the card, and as expected, the film did not continue to play.”
The researchers add that threat actors are also distributing malware disguised as pirated Oscar-nominated films. Kaspersky’s Anton V. Ivanov noted, “We see that big events in the film industry can boost some interest from the cybercriminal community, but today this type of malicious activity is not as popular as it used to be. Nowadays, more and more people are switching to streaming services, which are more secure because they do not require downloading files. Still, films serve as a popular lure to spread phishing pages and spam emails.”
Apple this week fixed a vulnerability in its Gatekeeper notarization process, the Record and others report. The flaw, TechCrunch says, had been quietly exploited in the wild since January to distribute the Shlayer Trojan.
Crime and punishment.
Europol last Sunday took another step toward further disabling the Emotet botnet, when a time-activated program removed Emotet’s enabling malware from victim machines. SC Magazine notes the operation’s similarity to the FBI’s recent removal of malicious web shells from compromised Microsoft Exchange Server instances. BleepingComputer reviews the activities of TA542 (also known as Mummy Spider), the group behind Emotet.
BleepingComputer also reports that the FBI and the Dutch National High Technical Crimes Unit (NHTCU) have shared more than 4 million compromised email addresses used by Emotet with Troy Hunt’s Have I Been Pwned service, allowing victims to determine if their accounts have been compromised and used for malware distribution. Hunt explained in a blog post, “I’ve flagged this incident as sensitive in HIBP which means it’s not publicly searchable, rather individuals will either need to verify control of the address via the notification service or perform a domain search to see if they’re impacted. I’ve taken this approach to avoid anyone being targeted as a result of their inclusion in Emotet. All impacted HIBP subscribers have been sent notifications already.”
The US Justice Department has arrested a dual Russian-Swedish citizen and charged him with operating Bitcoin Fog, a major cryptocurrency “mixer” that’s laundered $335 million worth of cryptocurrency since 2011. 32-year-old Roman Sterlingov was nabbed at Los Angeles International Airport on Tuesday, and faces charges of money laundering, operating an unlicensed money transmitting business, and money transmission without a license in the District of Columbia. Justice stated that “[t]he bulk of this cryptocurrency came from darknet marketplaces and was tied to illegal narcotics, computer fraud and abuse activities, and identity theft.”
Courts and torts.
The US Court of Appeals for the Second Circuit has ruled that individuals may file lawsuits over data breaches of their personal information due to the “increased risk” of identity fraud, even if they haven’t yet suffered any fraud, Law.com reports. Lexology quotes the ruling as stating, “courts have looked to the type of data at issue, and whether that type of data is more or less likely to subject plaintiffs to a perpetual risk of identity theft or fraud once it has been exposed,” adding that “the dissemination of high-risk information such as Social Security numbers and dates of birth — especially when accompanied by victims’ names — makes it more likely that those victims will be subject to future identity theft or fraud.”
The ruling is significant, but it doesn’t mean that any victim of a data breach can now file a viable lawsuit. Law.com cites Alexander Southwell from Gibson, Dunn & Crutcher’s privacy, cybersecurity, and data innovation practice group as saying, “I don’t think it moves the needle in terms of more risk of exposure [for companies]. I think it helps in terms of adding guidance” for determining cases that have grounds.
Geico has been sued by a California couple over a data breach the auto insurance provider disclosed earlier this month, Law360 reports.
Policies, procurements, and agency equities.
The Washington Post reports that security experts generally approve the US reaction to Russia’s SolarWinds exploitation campaign. But US Deputy National Security Advisor Anne Neuberger in a CNN interview cautioned against expecting too much. The Russian services almost surely remain active inside US networks, and long-term effects of the US response on Russian activity remain to be seen.
Interfax quotes senior Russian official Andrei Krutskikh to the effect that it would be technologically impossible for the US to mount an undetected cyberattack in retaliation for Russia’s SolarWinds campaign (which Russia doesn’t admit it conducted). “It’s all stupidity,” Krutskikh said: anything the Americans might try, Russia will surely see coming.
Bipartisan sentiment grows in the US Congress for establishing a cyber reserve that could surge for incident response, Defense News reports.
As the US Department of Justice organizes its anti-ransomware task force, a report by the Institute for Security and Technology offers forty-eight recommendations. Prominent among them are calls for close international regulation of cryptocurrencies and assistance for victims who refuse to pay ransom.
In the context of responding to ransomware, it’s worth reviewing IBM’s Thursday description of the history and activity of the REvil ransomware gang (also known as Sodinokibi), a new-breed mob as interested in stealing information as it is in encrypting it.
Fortunes of commerce.
KrebsOnSecurity says that Experian has patched an API flaw in a partner website that exposed individuals’ credit ratings. Bill Demirkapi, the researcher who discovered the vulnerability, believes the flaw may persist, unaddressed, in other partners’ APIs. Demirkapi stated, “Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system.”