The Week that Was: HTML attacks double in one year. LOBSHOT, a cryptowallet stealer abusing Google Ads. Russia-Ukraine disinformation update.

At a glance.

• HTML attacks double in one year.
• LOBSHOT, a cryptowallet stealer abusing Google Ads.
• Meta observes and disrupts new NodeStealer malware campaign.
• Iran integrates influence and cyber operations.
• Wipers reappear in Ukrainian networks.
• Russia-Ukraine disinformation update.
• Crime and punishment.
• Courts and torts.
• Policies, procurements, and agency equities.
• Labor markets.
• Mergers and acquisitions.
• Investments and exits.
• Company news.

HTML attacks double in one year. 

Barracuda released a study this morning indicating that HTML attacks have doubled since last year. The researchers note that not only is the total number of attacks increasing, but the number of unique attacks seems to be increasing as well. “On March 23, almost nine in ten (405,438 — 85%) of the total 475,938 malicious HTML artifacts were unique ― which means that almost every single attack was different.” HTML attacks are commonly seen in phishing campaigns when users download HTML attachments from emails. Barracuda recommends that organizations adopt email protections to spot and block malicious HTML attachments, that they train their personnel to spot phishing emails, that they implement MFA and consider a zero trust security model, and that they prepare an incident response plan that includes ways of disrupting a campaign should it penetrate your organization.

LOBSHOT, a cryptowallet stealer abusing Google Ads. 

Elastic Security Labs reports a new trend of Google Ad based malware that uses “an elaborate scheme of fake websites through Google Ads and embedding backdoors in what appears to users as legitimate installers.” Elastic Security calls this malware strain “LOBSHOT,” and describes it as having hidden virtual network computing (hVNC) capability. That allows LOBSHOT to remain undetected by the host machine. Researchers attribute this campaign to the Russian cybercrime group TA505, “a well-known cybercrime group associated with Dridex, Locky, and Necurs campaigns.” LOBSHOT is used to steal financial data, specifically going after chrome extensions associated with cryptowallets. It also seems to have the ability to target Edge and Firefox wallets. 

As SecurityWeek reported, “the malware allows attackers to bypass fraud detection engines and provides them with stealthy, direct access to the infected machines.” Elastic Security explains that it does this by performing a Windows Defender anti-emulation check. This allows the malware to verify “if the string [matches] HAL9TH and if the username matches JohnDoe. These are hard-coded values within the emulation layer of Defender; if they are present, the malware immediately stops running.” The malware comes with a built-in GUI which allows attackers to execute specific commands quickly such as: modifying sounds settings, starting browsers, and using the infected machine’s clipboard (presumably to obtain or modify copied wallet addresses.)

Meta observes and disrupts new NodeStealer malware campaign. 

Meta yesterday detailed a new malware campaign that targets social media accounts by advertising ChatGPT services. NodeStealer, first identified in January, has been targeting several platforms, including DropBox, Google Drive, Mega, MediaFire, Discord, Atlassian’s Trello, Microsoft OneDrive, and ICloud in addition to Meta platforms. Meta claims to have blocked over 1,000 unique ChatGPT-themed malicious URLs on its platforms. “These actions led to a successful disruption of the malware. We have not observed any new samples of malware in the NodeStealer family since February 27 of this year and continue monitoring for any potential future activity,” Meta wrote. NodeStealer favors disguising its malware (which arrives as an executable) as Microsoft Office files or PDFs, both very commonly used formats. Meta explains that, “When executed, the malware first establishes persistence to ensure that it continues to operate after the victim restarts the machine. The malware uses the auto-launch module on Node.js to do so.” The malware is designed to steal browser data like passwords and cookies, and it works against users of Chrome, Opera, Microsoft Edge, and Brave browsers. Meta has also shared indicators of compromise and other information about NodeStealer’s operation to promote a stronger collective defense. 

Iran integrates influence and cyber operations.

Microsoft has observed Iran making increasingly sophisticated attempts at influence operations. "Microsoft has detected these efforts rapidly accelerating since June 2022. We attributed 24 unique cyber-enabled influence operations to the Iranian government last year – including 17 from June to December – compared to just seven in 2021. We assess that most of Iran’s cyber-enabled influence operations are being run by Emennet Pasargad – which we track as Cotton Sandstorm (formerly NEPTUNIUM) – an Iranian state actor sanctioned by the US Treasury Department for their attempts to undermine the integrity of the 2020 US Presidential Elections." The new playbook is predictable but no less influential for its templated quality. A campaign begins with a "cyber persona" announcing and usually exaggerating a low-grade cyberattack. That announcement is then picked up, distributed, and amplified by inauthentic personae using the target audience's native language. "The goals of its cyber-enabled IO have included seeking to bolster Palestinian resistance, fomenting unrest in Bahrain, and countering the ongoing normalization of Arab-Israeli ties, with a particular focus on sowing panic and fear among Israeli citizens."

Wipers reappear in Ukrainian networks.

CERT-UA warns that the threat group UAC-0165, almost certainly Russian and probably the GRU's Sandworm, has deployed RoarBat wipers against networks in Ukraine. "It has been found that the performance of electronic computing machines (server equipment, automated user workplaces, data storage systems) was impaired as a result of destructive influence carried out using the appropriate software." The nominally hacktivist group "CyberArmyofRussia_Reborn" in January of this year claimed a similar attack against the Ukrinform news service. CERT-UA points out that organizations can take measures to protect themselves against RoarBat. "Please note that the successful implementation of the attack was facilitated by the lack of multi-factor authentication when making remote VPN connections, the lack of network segmentation and filtering of incoming, outgoing and inter-segment information flows."

Russia-Ukraine disinformation update.

Breaking Defense offers a summary of expert opinion on the early lessons being drawn from the cyber phases of Russia's war against Ukraine. Widespread fear of a "cyber 9/11" or a "cyber Pearl Harbor," that is, a decisive, crippling, bolt-from-the-blue attack in cyberspace, has proven unfounded. "[T]he strategic lesson for the US, several independent experts said, is that this kind of drawn-out cyber conflict is a more likely model for future wars than the sudden-death visions of a “cyber Pearl Harbor” or “cyber 9/11″ predicted by US officials for over a decade." While cyber operations have been and are likely to remain an important part of future wars, they're unlikely to be decisive war winners, nor are they likely to produce significant operational-level victories. In this respect, we note, they resemble their older cousins in electronic warfare: valuable as combat multipliers, but not bringing an overwhelming advantage. (It's perhaps worth noting that while the attack on Pearl Harbor and the terrorist actions of 9/11 achieved operational surprise, those who carried them out wound up eventually losing the war.)

KillNet held an Ask Me Anything session on their telegram page on Saturday to answer questions about their new self-designation as a Private Military Hacking Company. The questions raised were mostly regarding how the PMHC will operate. When asked about the structure of their organizations, KillNet responded, “We created four sub-detachments consisting of former cybercriminals and former members of special services (not only from Russia). At the current time we are ready to not only defend the motherland, but also conduct computer network attacks and destruction of intruders of different levels throughout the world.”

KillNet published their PMHC services and they are more diverse than one would first think. They promise to get to all requests for missions in 8 business hours and quicker if the request is especially urgent. 51% of the payment for the mission is required up front and the remaining 49% will be sent when both parties deem it acceptable.

The services KillNet will take on commission:

1. Campaigns focused on legal entities and individuals of the United States and Europe. Specifically they listed disinformation campaigns, disruption of network infrastructure, industrial sabotage, artificial conflicts between company employees, and “killing reputation in official sources;”  
2. Create autonomous UAVs, those with Intel gathering or suicide capabilities will be made only for the MOD and the PMC Wagner; 
3. Create electronic warfare and electronic reconnaissance drones only for the MOD and Wagner;
4. Create automated robotic systems for MOD and Wagner;
5. Create custom software for any individual wishing to buy it.  

In addition to their mission, they urged Russian citizens to refrain from launching any objects into the sky for Russia’s May 9th Victory Day. They explain that this could lead to an unintended provocation, and that could paralyze Russia’s air defense system.

The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.

Crime and punishment.

US, Austrian, and German authorities have taken down the Try2Check service, a dark web platform on which criminals could run checks on the validity of stolen credit cards. BleepingComputer writes that Try2Check is believed to have been in operation since 2005. The C2C platform's operator, Russian citizen Denis Gennadievich Kulkov, was also indicted in the US on charges related to access device fraud, computer intrusion and money laundering. Mr. Kulikov is presently living in Russia, and so is out of reach of US law enforcement, but the Feds will be watching for him to slip up and leave the safe (if dreary and impoverished) life in Russia for more appealing precincts. The US Secret Service and State Department have announced a $10 million reward under the Transnational Organized Crime Rewards Program (TOCRP) for information leading to Mr. Kulikov's apprehension. 

Europol has announced a successful international action, Operation SpecTor, against a major dark web contraband market. "In an operation coordinated by Europol and involving nine countries, law enforcement have seized the illegal dark web marketplace 'Monopoly Market' and arrested 288 suspects involved in buying or selling drugs on the dark web. More than EUR 50.8 million (USD 53.4 million) in cash and virtual currencies, 850 kg of drugs, and 117 firearms were seized. The seized drugs include over 258 kg of amphetamines, 43 kg of cocaine, 43 kg of MDMA and over 10 kg of LSD and ecstasy pills."

A ransomware attack against a US Marshals Service computer network is still causing the organization to experience an outage on one of its services. As the Washington Post reports, “A key law enforcement computer network has been down for 10 weeks, the victim of a ransomware attack that has frustrated efforts by senior officials to get the system back up and running — raising concerns about how to secure critical crime-fighting operations.” The US Marshall’s Technical Operations Group (TOG), which uses highly technical methods to track fugitives by cellphones and email accounts, has been crippled since its computer systems were compromised in a ransomware attack. 

The US Marshal refused to pay the ransom and decided to wipe all devices that could have been used to facilitate the breach. This has caused some frustration among agents. “In the case of the TOG system, the network has existed outside regular Justice Department computer systems for years, unnoticed in the open, crowded internet,” according to the Post. Many agents had their work phones wiped, which resulted in the loss of text conversations and contact information, which is inconvenient but not crippling. The service is working to rebuild its systems and re-evaluating its network architecture.

Courts and torts.

A New Jersey Court ruled Monday that Merck may be entitled to a payout from their insurers following a 2017 cyberattack against the company, Fierce Pharma reports. The June 2017 cyberattack was conducted by NotPetya, a group with ties to Russia, whose malware was distributed through accounting software and affected more than 40,000 machines in the pharmaceutical organization’s network, Bloomberg Law reports. The government did attribute the attack later to Russian intelligence and charged six Russian officers. Merck’s insurers disputed a payout of $1.4 billion to the company on the basis of the “hostile/warlike action” exclusion clause within their policies, Wall Street Journal writes. However, the appeals court this week said that the exclusion clause should not apply to a non-military affiliated company, despite the nature of its origin. It’s a win for Merck, but more litigation is expected.

Policies, procurements, and agency equities.

PCMag reported Thursday that the US Department of Justice (DOJ) has shifted focus away from arrest and toward disruption and prevention of cyberattacks. US Deputy Attorney General Lisa Monaco explained at the RSA conference that the goal is now to minimize harm. "We're not measuring our success only with courtroom actions and courtroom victories," she said. Monaco used the Colonial Pipeline attack as an example of how to protect victims. For context, the DOJ was able to seize approximately $2.3 million in bitcoin Colonial Pipeline had paid the criminals to recover its files. Monaco attributes this success to Colonial Pipeline’s willingness to work with the DOJ. This approach is not centered on prosecution. “The direction we’ve given to our prosecutors and investigators is ‘you gotta have a bias towards action to disrupt and prevent, to minimize that harm if it is ongoing, to disrupt it and take that action to protect the next victim. And doing so will not always yield a prosecution.” The DOJ’s CyclopsBlink operation, in which the DOJ worked with Microsoft and other private companies to discover and disrupt a botnet operated by Russia’s GRU, is another example of this approach. The botnet hadn’t yet been activated, and its disruption amounted to proactive mitigation.

Labor markets.

TechCrunch reports that cybersecurity firm Bishop Fox has laid off about 13% of its workforce, or 50 employees. It's unfortunate, but other companies in the sector may wish to take note that a lot of highly qualified professionals are likely to be looking for a new position. Recruiters and hiring managers, reach out to the Bishop Fox alumni.

Mergers and acquisitions.

Israel based monitoring and insurance provider RADCOM has announced the completion of their acquisition of mobility experience, analytics company Continual. The company says that the acquisition will provide a broader portfolio for RADCOM in location and mobility analytics.

Investments and exits.

UK-based data security provider Metomic has raised $20 million in Series A funding, led by Evolution Equity Partners, with participation from Resonance and Connect Ventures. The company says that the funding will be used for expansion efforts within the US, as well as research and development.

Cybersecurity firm Aadya Security has raised $5 million in Series A funding, led by Left Lane Capital, with contributions from 645 Ventures, Gaingels, Firebrand Ventures, and Invest Detroit, Security Week reports. The investment is planned to be used for expansion of the company’s sales team, expansion of the company’s channel program, and expansion of its market share.

Security company Shield, who specializes in protection against online scams, has raised $2.1 million in pre-seed funding from a multitude of investors, including Kraken Ventures, Eterna Capital, Alchemy, and Moonpay, among others, Pulse 2.0 reports. The company’s goal is to shield organizations and consumers from exploits of crypto.

Behavioral biometrics intelligence and fraud detection company BioCatch has welcomed Permira Growth Opportunities as a shareholder, as it has acquired a significant minority stake in the company. Permira is now the third largest shareholder in BioCatch, who now plans to concentrate on geographical expansion, product, innovation, and potential future mergers and acquisitions.

Company news.

New Jersey-based API Security provider L7 Defense has rebranded as ammune.ai, Yahoo Finance reports. The goal of the rebrand is for the company to label themselves as a leader in AI security. "AI protection is the fast-forward present of cybersecurity, and we intend to lead it. Together with partners that commit to AI, in the smartNIC sector, we will fill the cyber security gap [and] accelerate security for data centers. Rebranding as ammune.ai reflects our commitment to providing the best AI-based security solutions to our customers,” said Dr. Avi Fried, CEO of ammune.ai.