At a glance.
- UNC3944 uses SIM swapping to gain access to Azure admin accounts.
- China's Volt Typhoon snoops into US infrastructure, with special attention to Guam.
- CosmicEnergy: OT and ICS malware from Russia, maybe for red teaming.
- Iranian cyber ops against Israeli targets.
- Rheinmetall data posted to BlackBasta's extortion site.
- Russia-Ukraine hybrid war update.
- Patch news.
- Crime and punishment.
- Courts and torts.
- Policies, procurements, and agency equities.
- Labor markets.
- Mergers and acquisitions.
- Investments and exits.
UNC3944 uses SIM swapping to gain access to Azure admin accounts.
Threat actors gained access to a Microsoft Azure administrator account through an SMS phishing and SIM swapping campaign. Researchers at Mandiant have tracked UNC3944 in its SIM swapping campaign and infiltration of Azure. The researchers write, “UNC3944 is a financially motivated threat actor which Mandiant has been tracking since May of 2022. Their tactics often include SIM swapping attacks followed by the establishment of persistence using compromised accounts... This threat group heavily relies on email and SMS phishing attacks and have also been observed attempting to phish other users within an organization once they’ve gained access to employee databases.” SIM swapping, as explained by Mozilla’s dist://ed, is a social engineering technique in which attackers pose as service providers requesting identity verification for SIM card activation in order to obtain PINs, the last four digits of a Social Security number, or other sensitive information used for identity verification.
The criminals use the compromised accounts to gain initial access and begin building persistence and gathering information. The attackers use a reverse SSH tunnel and utilize commercial off-the-shelf tools to avoid security measures and maintain persistence. “Living off the Land attacks have become far more common as attackers have learned to make use of built-in tools to evade detection. The novel use of the serial console by attackers is a reminder that these attacks are no longer limited to the operating system layer. Mandiant recommends that organizations restrict access to remote administration channels and disable SMS as a multifactor authentication method wherever possible”, the researchers conclude.
China's Volt Typhoon snoops into US infrastructure, with special attention to Guam.
A joint advisory from all Five Eyes (Australia, Canada, New Zealand, the United Kingdom, and the United States) reports a major Chinese cyberespionage operation that succeeded in penetrating a range of US critical infrastructure sectors. Microsoft, in its own report on Volt Typhoon, as the threat activity is being called, says the group has been active since at least the middle of 2021. The targets of the spying have extended to the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Microsoft writes that, "Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible." It does this, the Five Eyes stress, by carefully living off the land, exploiting existing legitimate administrative tools and privileges in its targets.
Much of Volt Typhoon's activity has been directed against Guam, a US Territory in the Western Pacific that hosts important US military bases. Those bases would be important to any US intervention on behalf of Taiwan, should China decide to take a page from Russia's geopolitical playbook and invade what it regards as a renegade province. For its part China dismisses the reports as a coordinated American disinformation campaign, and denies that it's engaged in any of the activities the Five Eyes and Microsoft associate with Volt Typhoon. For more on Volt Typhoon, see CyberWire Pro.
CosmicEnergy: OT and ICS malware from Russia, maybe for red teaming.
Researchers at Mandiant have discovered a new malware designed to disrupt electricity supply and critical infrastructure. Called CosmicEnergy, the malware specializes in affecting operational technology (OT) and industrial control systems (ICS) by “interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia,” writes Mandiant. CosmicEnergy was uploaded to a public malware scanning utility in 2021 by a user in Russia. The version obtained by Mandiant lacks a built-in discovery capability, which means that a user would have to manually identify the IP addresses of MSSQL servers, MSSQL credentials, and target IEC-104 information object addresses. Attribution is inconclusive, but researchers suggest that this malware could have been a Russian red-teaming tool used in exercises to simulate an electric infrastructure attack.
CosmicEnergy was found on VirusTotal, which seems a curious place for a threat actor to park malware, but it's happened before. The researchers explain that it is possible that this malware was developed as a red teaming tool for Rostelecom-Solar, a Russian cybersecurity firm. Mandiant has not been able to attribute this malware to any nation state, but they explain that this could have been used for an exercise in Russia to simulate an attack on power stations. They write, “Although we have not identified sufficient evidence to determine the origin or purpose of CosmicEnergy, we believe that the malware was possibly developed by either Rostelecom-Solar or an associated party to recreate real attack scenarios against energy grid assets. It is possible that the malware was used to support exercises such as the ones hosted by Rostelecom-Solar in 2021 in collaboration with the Russian Ministry of Energy or in 2022 for the St. Petersburg International Economic Forum (SPIEF).” They add that, given the lack of conclusive evidence, it is equally possible that another actor created it: “Threat actors regularly adapt and make use of red team tools - such as commercial and publicly available exploitation frameworks - to facilitate real world attacks, like TEMP.Veles’ use of METERPRETER during the TRITON attack.” And, of course, even legitimate red-teaming tools can be put to malign purposes. For more on CosmicEnergy, see CyberWire Pro.
Iranian cyber ops against Israeli targets.
Iranian threat actor Agrius has been observed continuing to target entities in Israel, Check Point reports. What appear to be destructive ransomware attacks are actually masking influence operations, the researchers suggest. The APT group, now calling both itself and its newest ransomware strain “Moneybird,” has been seen in recent attacks deploying this previously unseen ransomware, written in C++. While the researchers did not elaborate on which organizations were victimized, the Record writes, the techniques are characteristic of Agrius. Public-facing web servers were the initial point of compromise; once inside, the attackers conducted reconnaissance, stole data, and moved laterally within the victims' networks.
Information Security Buzz reports that another Iranian threat group is attacking Israeli shipping and logistics companies to lift customers’ data. Israeli cyber firm ClearSky says with “low confidence” that this may be the work of Tortoiseshell (known also as TA456 and Imperial Kitten). At least eight websites were impacted by the campaign, including “SNY Cargo, logistics company Depolog, and restaurant equipment supplier SZM.” Al-Monitor says what the firm calls a “watering hole attack,” or an attack infecting the website of a specific group, has also victimized some organizations in the financial services industry. The majority of websites, as of mid-April, had been purged of the malicious code.
Rheinmetall data posted to BlackBasta's extortion site.
BlackBasta, recently seen in action against Swiss-based technology company ABB, continues to show a predilection for attacks against industrial firms. The double-extortion ransomware gang published data stolen from Rheinmetall on BlackBasta's extortion site this past Saturday. According to BleepingComputer, samples on the site included "non-disclosure agreements, technical schematics, passport scans, and purchase orders." Rheinmetall confirmed that it had indeed come under attack by the Russian criminal organization: "Rheinmetall is continuing to work on resolving an IT attack by the ransomware group Black Basta. This was detected on 14 April 2023. It affects the Group's civilian business. Due to the strictly separated IT infrastructure within the Group, Rheinmetall's military business is not affected by the attack." Rheinmetall is a well-known German manufacturer of steel, defense systems, automotive systems and engines. For more on BlackBasta and the attack on Rheinmetall, see CyberWire Pro.
Russia-Ukraine hybrid war update.
Polish news agencies were taken offline by distributed denial-of-service (DDoS) attacks, Cybernews reports. The Polish government attributes the actions to Russian hacktivists. Such groups are well-known to function as auxiliary cyber forces. DDoS campaigns have become a characteristic feature of Russia's hybrid war. Help Net Security, citing a study by Arelion, reviews the ways in which DDoS attacks attend geopolitical conflict.
The UK's Ministry of Defence pointed out a geolocation-spoofing stunt. Russian operators have been spoofing commercial ships' Automatic Detection System data to draw a big "Z" (emblem of patriotic support for Russia's invasion of Ukraine) virtually across the Black Sea. It's childish and represents no serious attempt at fooling anyone about ship movements (some of the ships being spoofed are represented as traveling at speeds of up to 103 knots). It's large-scale virtual graffiti that's unlikely to persuade anyone to Russia's side, a stunt on a par with pilots drawing naughty images with fighter contrails. (It's also a hazard to navigation.)
KillNet's boss-cum-spokesperson, KillMilk, this week announced that he was firing a bunch of his hacktivists. The Russian outlet Lenta.ru reports that “According to information received from a number of Killnet participants, this is primarily about clearing the organization of small groups that make insufficient or insufficiently professional contribution to attacks on the infrastructure of Western countries. At the same time, the activities of the association will continue, although at first Killmilk really plans to work alone." So, hacktivists, up your game or you're out.
Patch news.
CISA, the US Cybersecurity and Infrastructure Security Agency, added three entries to its Known Exploited Vulnerabilities Catalog on Monday. As usual, inclusion in the Catalog is "based on evidence of active exploitation." The three vulnerabilities, all in Apple products, are:
- CVE-2023-32409 Apple Multiple Products WebKit Sandbox Escape Vulnerability
- CVE-2023-28204 Apple Multiple Products WebKit Out-of-Bounds Read Vulnerability
- CVE-2023-32373 Apple Multiple Products WebKit Use-After-Free Vulnerability
Under Binding Operational Directive (BOD) 22-01, US Federal Executive civilian agencies have until June 12th to check their systems and, as usual, "apply updates per vendor instructions." CRN reports that the affected systems include versions of iPhone back to the iPhone 6S; Macs running macOS Big Sur, Monterey, and Ventura; and several iPad models. Apple, which patched the products last Thursday, has a complete rundown of the products susceptible to exploitation.
Crime and punishment.
The US Government has begun more than 4,000 legal actions against individuals involved in money laundering schemes. These can include cases involving those who've acted (sometimes unwittingly) as money mules. The Register reports that recently twenty-five individuals have been charged with participating in money laundering schemes. In one case of note, Craig Clayton of Rhode Island is alleged to have created sixty-five shell companies in the US and eighty bank accounts to launder over $35 million between 2019 and 2023. USPS Inspector-in-Charge Eric Shen said, “Anyone can be approached to be a money mule, but criminals often target students, those looking for work, and those on dating websites... When those individuals use the US Mail to send or receive funds from fraudsters, postal inspectors are quick to step in and put a stop to money mule activities.” Many apparently unwitting money mules have been given strongly worded letters explaining the legal consequences if they don’t cease all alleged money laundering. While receiving money from a virtual date may sound enticing, the old saying “it’s too good to be true” perfectly sums up this scheme. Experts (and, really, anyone else with a healthy dose of common sense) recommend not taking money from strangers on the Internet. Doing so can lead to scams and, in this case, unknowingly assisting in large-scale money-laundering operations.
Courts and torts.
Reuters reports that a ruling Friday by the US Foreign Intelligence Surveillance Court finds that the US Federal Bureau of Investigation (FBI) improperly used a US database of foreign intelligence. The Bureau accessed the database “278,000 times over several years, including on Americans suspected of crimes.” According to the Record, the FBI was found to have improperly searched the communications of those who participated in the January 6, 2021 riot at the US Capitol, as well as the 2020 protests against police brutality following the death of George Floyd. The violations include “improper searches of donors to a congressional campaign,” the AP writes, and predate “a series of corrective measures that started in the summer of 2021 and continued last year.”
The EU has levied a €1.2 billion ($1.3 billion) fine against Facebook's corporate parent Meta, the AP reports. Ireland’s Data Protection Commission, which oversees US companies' activities in Europe on behalf of the EU, handed down the fine over what it judged to be data transfers to US-based systems that violated the EU's General Data Protection Regulation (GDPR). Meta calls the decision unjustified and says it will appeal. For now, Facebook services in Europe remain uninterrupted. The Wall Street Journal notes that the decision is likely to place pressure on Washington to arrive at some modus vivendi with the EU over data practices that would replace the defunct Safe Harbor agreement. Meta has until October to comply with the Data Protection Commission's directives.
Policies, procurements, and agency equities.
The California Consumer Privacy Act, the US state of California’s privacy rights and consumer protection law, was also passed in 2018, and Fisher Phillips offers answers to some of the most frequently asked questions about the statute. Highlights include a comprehensive list of the various entities that qualify as “consumers” under the law, as well as the characteristics that determine whether a business is subject to the CCPA. It also addresses the amendments implemented by the passage of the California Privacy Rights Act of 2020 (CPRA), and the consequences of non-compliance.
During its investigation into Pegasus spyware last year, digital research center Citizen Lab confirmed that the surveillance software had been used by the Mexican government to hack the phones of members of the opposition party, journalists, and human rights activists. Now, the Washington Post reports, the spyware has been discovered on the phone of the undersecretary for human rights in Mexico’s Government Ministry Alejandro Encinas, as well as two of his staffers. At a press conference this week, President Andrés Manuel López Obrador acknowledged the hack but said he doesn’t believe the Mexican government was responsible. It’s worth noting that Encinas has been one of López Obrador’s right-hand men throughout his career, and the president enlisted Encinas to investigate a number of high-profile scandals in recent years. Kate Doyle, a senior analyst at the National Security Archive, stated, “This seems like the most dangerous chapter of the Pegasus story in Mexico. If the Mexican military is spying on one of the president’s top aides without his knowledge, then the Mexican military is operating outside of civilian control.”
Additionally, some researchers believe that Azerbaijan used the Pegasus spyware developed by NSO Group to “target a government worker, journalists, activists, and the human rights ombudsperson in Armenia.” TechCrunch asserts that these instances may be the first public use of commercial spyware in the context of war. Pegasus, the spyware alleged to have been used, has been at the receiving end of controversy, as many human rights activists question the ethics of selling such a tool, which they assert is being used to spy on journalists and political activists. As Access Now explained in a press release, “Providing Pegasus spyware to either of the sides in the context of a violent conflict carries a substantial risk of potentially contributing to and facilitating serious human rights violations and even war crimes.” The victims of this hack were alerted to the breach when Apple informed them that their devices might have been targeted by government spyware. Azerbaijan has not yet been confirmed as the perpetrator of this use of spyware, but “a coalition of media sources” points to the country's being listed as one of NSO’s customers as supporting evidence. Neither Azerbaijan's US embassy nor NSO has commented on the allegations at this time.
Labor markets.
Baby boomers have been retiring at higher rates, Insider reports. The pandemic expedited the process for some younger boomers who chose to retire early, which began a plunge in workforce growth that is expected to continue for decades. Cybersecurity in particular has been suffering a skills shortage for a long time, and other industries are now seeing the same shortage spill into their own workforces. The “Forever Labor Shortage,” as Insider has dubbed it, may mean an “all-out competition” for workers, and may mean higher salaries in some cases. While it is difficult not to be drawn in by the call of more money, ITWeb reports that the long-term impact of the skills shortage and stress are the biggest challenges facing cybersecurity right now. There are more open jobs in cybersecurity than there are people to fill them, says Anna Collard, SVP of content strategy and evangelist at KnowBe4 Africa. Many cybersecurity pros have seen their alert volume double within the last five years, and as a result are experiencing alert fatigue. Slip-ups can also trigger finger-pointing at security pros, which can cause workplace toxicity. A report shows that nearly 30% of those surveyed working in cyber believed their mental health was getting worse.
“Cyber security is fun,” says Collard. “It is interesting and dynamic. But these benefits are often overshadowed by that sense of dread that something is about to go horribly wrong. Incidents are unexpected, stressful and often leave teams exhausted, and there is no time to rest before the next incident hits. Cyber criminals are very well rewarded for their diligence when it comes to exploiting every vulnerability they can find. Cyber security teams have to chase these vulnerabilities and threats to ensure nothing is left to chance.” Holistic support and a non-toxic work environment are now imperative for security professionals, and will minimize risk of losing talent within the field.
Mergers and acquisitions.
Canadian BlueCat Networks, a networking cloud infrastructure provider, has acquired network management solution provider Men&Mice. Men&Mice’s proprietary solution, Micetro, provides IP address management and orchestration, and strengthens the BlueCat market offering portfolio. Financial terms of the deal were not disclosed.
Prudential PLC has acquired 7,948 shares of cloud security and compliance provider Qualys’ stock, Best Stocks reports. Interestingly, both Wolfe Research and JPMorgan Chase & Co appraised Qualys’ stock at “underperform” and “underweight” respectively. However, the outlet reports that Westpark Capital has issued a “buy” rating for the company’s stock, showing retained optimism in Qualys.
Investments and exits.
Impersonation detection and prevention solution Memcyco has raised $10 million in seed funding, led by Capri Ventures and Venture Guides. The Israeli company provides agentless real-time protection and detection against brandjacking, or website impersonation.
Tel Aviv’s Entro has raised $6 million in seed funding, led by StageOne Ventures and Hyperwise Ventures, with participation from a number of angel investors. The company’s flagship platform hopes to aid in enterprise management and protection of account credentials, certificates, and API keys.
Space cybersecurity provider SpiderOak has received investments from Accenture, Raytheon Technologies, and Stellar Ventures, GovConWire reports. The funding will be used to expedite deployment of the company's zero-trust cyber security platforms for government and commercial space clients.