By the CyberWire staff
At a glance.
- Two Iranian cyberespionage campaigns reported this week.
- Redfly cyberespionage targets a national grid.
- Ransomware attacks against MGM Resorts and Caesars Entertainment.
- Access broker's phishing facilitates ransomware.
Two Iranian cyberespionage campaigns reported this week.
ESET reports that the APT they track as Ballistic Bobcat (in other threat actor bestiaries APT35/APT42, Charming Kitten, TA453, or PHOSPHORUS) is currently active against targets in Brazil, Israel, and the United Arab Emirates. The group is using a novel backdoor, tracked as "Sponsor," which uses configuration files stored on disk. "These files," ESET writes, "are discreetly deployed by batch files and deliberately designed to appear innocuous, thereby attempting to evade detection by scanning engines." Ballistic Bobcat carefully scans for known, unpatched vulnerabilities in target systems and exploits those for initial access. The APT's usual target list includes "education, government, and healthcare organizations, as well as human rights activists and journalists."
Microsoft warns that the Iranian state-sponsored actor Peach Sandstorm (which Microsoft formerly tracked as “HOLMIUM”) has been launching password-spraying campaigns against thousands of organizations since February 2023, with a particular focus on the satellite, defense, and pharmaceutical sectors. The goal of the campaign appears to be espionage. In a small number of cases, the threat actor succeeded in breaching organizations and exfiltrating data. Microsoft says, “The capabilities observed in this campaign are concerning as Microsoft saw Peach Sandstorm use legitimate credentials (gleaned from password spray attacks) to authenticate to targets’ systems, persist in targets’ environments, and deploy a range of tools to carry out additional activity. Peach Sandstorm also created new Azure subscriptions and leveraged the access these subscriptions provided to conduct additional attacks in other organizations’ environments.”
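As an added defender's example (not code from Microsoft's report), the pattern described above, a single source trying one password across many accounts and then signing in with a credential that worked, can be surfaced from sign-in logs: flag a source whose failures touch many distinct accounts in a short window, and note any successful sign-in from that source afterwards. The log format, addresses and account names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not from the Microsoft report): one source
# sprays many accounts and then lands a valid login; a second source hammers a
# single account (brute force, not a spray); a third is ordinary activity.
SAMPLE_LOG = """\
2023-09-12T08:00:01Z src=203.0.113.7 user=alice result=FAIL
2023-09-12T08:00:04Z src=203.0.113.7 user=bob result=FAIL
2023-09-12T08:00:07Z src=203.0.113.7 user=carol result=FAIL
2023-09-12T08:00:10Z src=203.0.113.7 user=dave result=FAIL
2023-09-12T08:00:13Z src=203.0.113.7 user=erin result=FAIL
2023-09-12T08:00:16Z src=203.0.113.7 user=frank result=SUCCESS
2023-09-12T08:01:00Z src=198.51.100.9 user=alice result=FAIL
2023-09-12T08:01:02Z src=198.51.100.9 user=alice result=FAIL
2023-09-12T08:01:04Z src=198.51.100.9 user=alice result=FAIL
2023-09-12T08:01:06Z src=198.51.100.9 user=alice result=FAIL
2023-09-12T08:01:08Z src=198.51.100.9 user=alice result=FAIL
2023-09-12T08:05:00Z src=192.0.2.44 user=grace result=SUCCESS
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into (ts, src, user, result)."""
    ts_str, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["src"], fields["user"], fields["result"]


def detect_spray(log_text, min_accounts=5, window=timedelta(minutes=30)):
    """Return {src: {"accounts": n, "success_after_spray": [users]}} for every
    source whose failed sign-ins hit at least min_accounts distinct accounts
    within one window. Many failures against one account are not a spray."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    fails = defaultdict(list)      # src -> [(ts, user)] failed sign-ins
    successes = defaultdict(list)  # src -> [(ts, user)] successful sign-ins
    for ts, src, user, result in events:
        (fails if result == "FAIL" else successes)[src].append((ts, user))

    findings = {}
    for src, attempts in fails.items():
        # Slide the window over this source's failures, earliest first.
        for i, (start, _) in enumerate(attempts):
            accounts = {u for t, u in attempts[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                # A later success from the same source is the part that matters:
                # a sprayed credential that worked.
                later = [u for t, u in successes[src] if t >= start]
                findings[src] = {"accounts": len(accounts),
                                 "success_after_spray": later}
                break
    return findings


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(f"{src}: sprayed {info['accounts']} accounts, "
              f"later successes: {info['success_after_spray']}")
```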
Redfly cyberespionage targets a national grid.
Symantec (a Broadcom company) warns that the Redfly threat actor “used the ShadowPad Trojan to compromise a national grid in an Asian country for as long as six months earlier this year.” The attack began in February, and the objective appears to be espionage. Symantec notes, “The frequency at which [critical national infrastructure] organizations are being attacked appears to have increased over the past year and is now a source of concern. Threat actors maintaining a long-term, persistent presence on a national grid presents a clear risk of attacks designed to disrupt power supplies and other vital services in nation-states during times of increased political tension. While Symantec has not seen any disruptive activity by Redfly, the fact that such attacks have occurred in other regions means they are not outside the bounds of possibility.”
Access broker's phishing facilitates ransomware.
A Microsoft report outlines a criminal access broker that sends phishing lures through Microsoft Teams messages. The threat actor, which Microsoft tracks as “Storm-0324,” distributes a variety of malware strains, but primarily focuses on delivering JSSLoader before handing over access to the Sangria Tempest ransomware actor (also known as “FIN7”). Microsoft explains, “Storm-0324’s email themes typically reference invoices and payments, mimicking services such as DocuSign, Quickbooks, and others. Users are ultimately redirected to a SharePoint-hosted compressed file containing JavaScript that downloads the malicious DLL payload.” For more on this criminal service, see CyberWire Pro.
Earn your cybersecurity master’s from an NSA-recognized institution.
Further your career and secure your future with an advanced degree from the George Washington University — choose from 100% online master’s in cybersecurity analytics or in cybersecurity policy & compliance. Designed by D.C. experts and taught by cybersecurity leaders, these programs integrate computer science and engineering courses to give you the well-rounded expertise you need for leadership roles and professional advancement. Discover how you can get a world-class education made for working professionals.
Ransomware attacks against MGM Resorts and Caesars Entertainment.
Cyber criminals appear to have stolen six terabytes of data from MGM Resorts and Caesars Entertainment, Reuters reports. Scattered Spider, an anglophone affiliate of ALPHV, has been talking up its attack against MGM Resorts in particular. Members of the group have been boasting in their Telegram channels that their original plan was to rig slot machines and use money mules to drain them, but, when that didn't work out, they fell back on traditional social engineering to gain access to the company's systems in a ransomware operation. The Financial Times writes that the Spiders "evaded detection from the company’s security team by using common remote login software, and access to MGM’s corporate VPN to impersonate an employee’s digital footprint. They ran their malware remotely and claim to have penetrated the system within five hours of starting the attack, and evaded detection for eight days." A key to the gang's social engineering success is native proficiency in English and good idiomatic control.
The AP reports that some MGM Entertainment systems remain unavailable in the aftermath of the attack. According to BleepingComputer, there was more to the attack than data theft. The attackers claim they also encrypted more than 100 ESXi hypervisors. A statement by ALPHV (also known as BlackCat) said, “After waiting a day, we successfully launched ransomware attacks against more than 100 ESXi hypervisors in their environment on September 11th after trying to get in touch but failing. This was after they brought in external firms for assistance in containing the incident.” BleepingComputer also cites researchers at Mandiant who see a possible overlap between Scattered Spider and the Lapsus$ Group. In addition to overlapping tactics, there's an unusual demographic similarity that circumstantially suggests a connection: both groups are largely composed of English-speaking teenagers and young adults.
MGM Resorts International's 8-K said, "MGM Resorts recently identified a cybersecurity issue affecting certain of the Company’s systems. Promptly after detecting the issue, we began an investigation with assistance from leading external cybersecurity experts. We also notified law enforcement and are taking steps to protect our systems and data, including shutting down certain systems. Our investigation is ongoing, and we are working diligently to resolve the matter. The Company will continue to implement measures to secure its business operations and take additional steps as appropriate.”
Moody's Investor Service evaluated the incident and said, in an assessment they provided the CyberWire, that the incident is "credit negative" for MGM Resorts International. The downtime in particular was a problem for a business that relies heavily on technology, especially when that downtime entails potential revenue losses. MGM Resorts will also be dealing with "reputational risk and any direct costs related to investigation and remediation." There's a risk of litigation as well. In general, Moody's regards "the gaming and gambling industry as carrying moderate cybersecurity risk" because of its high degree of digitization and the large quantities of potentially valuable personal information companies in the sector tend to hold.
As expected, Caesars Entertainment filed its 8-K with the SEC on Thursday, at roughly noon Eastern Time. The company said that its "customer-facing operations, including our physical properties and our online and mobile gaming applications," were unaffected. But "customer-facing operations" don't extend to all customer data. In particular, Caesars' loyalty program database was compromised. The information acquired by "an unauthorized actor" includes "driver’s license numbers and/or social security numbers for a significant number of members in the database." The company is continuing to investigate, but so far has found no signs that member credentials, bank account information, or paycard data were exposed. Despite that preliminary finding, Caesars is extending credit monitoring and identity theft protection to affected customers, whom it will be notifying over coming weeks.
Friday afternoon Moody's sent their assessment of the Caesars incident to the CyberWire. The "cyberattack is credit negative but does not currently impact the company's ratings or outlook."
Caesars said, "We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result." This has been widely interpreted as an acknowledgement that the company negotiated a ransom payment with the criminals who took its data. The Wall Street Journal put the amount of ransom paid at $15 million, half the $30 million the attackers demanded. For more on the casino cyber incidents, see CyberWire Pro, here and here.
Why AI Is at Risk for Supply Chain Attacks and How You Can Address It.
As companies rush AI applications to market, pre-built open source binaries such as Python wheels have become widely adopted, even as they pose an increasing risk for supply chain attacks.
This webinar covers:
- What are pre-built binaries and Python wheels
- The state of open source software supply chain risks
- How organizations can ensure secure, scalable use of open source for AI, even in the cloud
Register today and join us on Sep. 21.
Patch news.
This week saw September's Patch Tuesday. Microsoft addressed sixty-one numbered vulnerabilities, SAP issued eighteen patches (described by Onapsis here), and Adobe fixed issues in Acrobat and Reader, Experience Manager, and Connect. CISA also issued seven advisories for vulnerabilities affecting industrial control systems. Six of the advisories affect Siemens products, while one relates to Rockwell Automation’s Pavilion8 predictive control software.
Crime and punishment.
The Financial Times reports that among the many thousands of young, military-aged men who fled Russia last Fall to evade increased conscription, including the recall of former conscripts who'd finished their military service, were a large number of hackers, IT workers, and, most significantly, cybercriminals. Turkey received several thousand such emigrants, and many of them have either connected with local Turkish gangs or formed small criminal groups themselves. Conditions for cybercriminals in Turkey are not as easy as they are in Russia, where cyber gangs operate with the connivance of the government. They enjoy no such official protection in Turkey, but hope to stay at large by keeping their crimes petty, by avoiding hitting targets in Turkey (where victims are likely to complain to the authorities), and by keeping their trade as unobtrusive and evasive as possible.
Policies, procurements, and agency equities.
In an interview with Newsweek, Artur Lyukmanov, director of the Russian Foreign Ministry's International Information Security Department and special representative to President Vladimir Putin on international cooperation on information security, reiterated familiar Russian non-denial denials of Moscow's offensive cyber operations: US allegations are accompanied by a "lack of hard evidence," he said. Thus, it's not so much "we didn't do it" as "where's your evidence? and besides, you're the guilty ones here." He described the US National Cybersecurity Strategy as an inherently escalatory document that deeply implicates the US government and US corporations in "preparations for 'cognitive warfare.'" He said, "We want to halt further deterioration. A mistake in the use of ICTs may lead to a direct conflict, an all-out war, especially as that the White House is aware that Russia has all the necessary capabilities to defend itself. A devastative computer attack against our critical information infrastructure will not be left without response."
The US Department of Defense has sent its 2023 Cyber Strategy to Congress and made an unclassified version available to the public. "This strategy draws on lessons learned from years of conducting cyber operations and our close observation of how cyber has been used in the Russia-Ukraine war," Assistant Secretary of Defense for Space Policy John Plumb said. "It has driven home the need to work closely with our allies, partners, and industry to make sure we have the right cyber capabilities, cyber security, and cyber resilience to help deter conflict, and to fight and win if deterrence fails." The Strategy outlines "four complementary lines of effort":
- "Defend the Nation." This commits to defending forward, and "disrupting and degrading" the adversaries' capabilities and the "ecosystem" that supports them.
- "Prepare to Fight and Win the Nation's Wars." This line of effort aims at national resilience, and at achieving the ability to operate in contested cyberspace.
- "Protect the Cyber Domain with Allies and Partners." This line of effort is most clearly influenced by the lessons of the hybrid war against Ukraine.
- "Build Enduring Advantages in Cyberspace." That is, the Department of Defense is in this for the long haul.
One of the principal lessons the US has drawn from Russia's war is that effective cyber defense depends upon international cooperation, and specifically upon cooperation among the public and private sectors of democracies. Breaking Defense reports that Ambassador-at-Large Nate Fick told the Billington Cybersecurity Summit last week that a new strategy for promoting such cooperation was under preparation, and that it would be circulated this Fall.
Sources say the US National Security Council (NSC) is calling on all of the members of the International Counter Ransomware Initiative (CRI) to promise they will refuse to meet the ransom demands of cyber threat actors. The CRI, which is composed of forty-seven member countries, is scheduled to meet for its annual summit on October 31, and one source says the White House plans to have a joint statement drafted before the event commences. The NSC has neither confirmed nor denied the plans, but cybersecurity experts are already weighing in. Allan Liska, a threat intelligence analyst at Recorded Future, told the Record, “Governments should be setting an example by never paying.” He added that giving in to cybercriminals provides them with more financial resources and incentivizes future crimes, and some might even be sending the funds to a nation-state group.
CISA has issued its Open Source Software Security Roadmap. The agency explained in its cover post that, "The roadmap lays out four key priorities to help secure the open source software ecosystem: (1) establishing CISA’s role in supporting the security of open source software, (2) driving visibility into open source software usage and risks, (3) reducing risks to the federal government, and (4) hardening the open source ecosystem." Comments on the document are welcome. The Roadmap's objectives are intended to be implemented over Fiscal Years 2024 through 2036.
Fortra Discusses Developing the Framework for a Culture of Security Awareness.
From gaining buy-in to staying engaged during leadership churn, Fortra walks you through the ins-and-outs of bringing a culture of cybersecurity to your company. With over two decades of security awareness training expertise, we know the pitfalls and can prepare you for persistent success. Learn from our experience how to:
- Communicate a cybersecurity framework
- Increase engagement
- Plan for leadership turnover
- Leverage safety net technology
- And more
Read Now.
Fortunes of commerce.
IronNet announced in a Form 8-K filing that it will furlough most of its employees, and is exploring bankruptcy or liquidation, the Wall Street Journal reports. The company stated, "In the absence of additional sources of liquidity, the Company’s existing cash and cash equivalents and anticipated cash flows from operations are not sufficient to meet the Company’s operating and liquidity needs."
Mergers and acquisitions.
Israeli cybersecurity firm Check Point is acquiring SaaS security platform provider Atmosec.
Maryland-based managed security service provider Dataprise has acquired New York City-headquartered MSSP Cohere Cyber Secure.
London-based Netcraft has acquired Australian brand protection provider FraudWatch.
Investments and exits.
Israeli secure payment infrastructure provider ThetaRay has raised $57 million in a growth round led by Portage, with participation from existing investors JVP, OurCrowd, and others.
San Francisco-based third-party management platform provider Certa has raised $35 million in an oversubscribed Series B led by Fin Capital and Vertex Ventures Southeast Asia and India, with participation from Tru Arrow Partners and existing investors Point72 Ventures, BDMI, the family office of Bernard Arnault’s Aglae Ventures, Mantis VC, and GOAT Capital.
London-based digital forensics and incident response (DFIR) company Binalyze has secured $19 million in a Series A round led by Molten Ventures, with participation from existing investors Earlybird Digital East and OpenOcean, and new investors Cisco Investments, Citi Ventures, and Deutsche Bank Corporate Venture Capital.
Maryland-headquartered Identity SecOps provider AuthMind has raised $8.5 million in a seed funding round led by Ballistic Ventures, with participation from IBM Ventures.
San Francisco-based assisted cloud remediation provider Tamnoon has raised $5.1 million in a seed funding round led by Merlin Ventures and Secret Chord Ventures, with participation from Elron Ventures, Inner Loop Capital, and toDay Ventures.
Crypto wallet security startup 0xPass has secured $1.8 million in pre-seed funding from AllianceDAO, Soma Capital, Alchemy Ventures, Blockchain Builders Fund, Formulate Ventures, Kommune, Hashed EM, Signum Capital/UOB, Nonce Classic, and angel investors, TechCrunch reports.
SlashNext Complete™ AI Security for Email, Mobile and Browser
At SlashNext, we know the demands of a changing and growing threat landscape increase the need to protect people where they work in real time. That’s why SlashNext Complete delivers zero-hour protection for how people work today across email, mobile, and browser apps. With SlashNext’s generative AI to defend against advanced business email compromise, smishing, spear phishing, executive impersonation, and financial fraud, your people are always protected anywhere they work. Request a demo today.
And security innovation.
The US National Security Agency (NSA) is launching an initiative aimed at cracking down on tech competition from China. As the Federal News Network reports, NSA’s China directorate is spearheading an “innovation pipeline” called Red Ventures. David Frederick, the NSA’s assistant deputy director for China, told attendees of a webinar this week, “You’ll be hearing about some opportunities to come and talk about potential solutions related to our challenge problems to feed a new innovation pipeline that we’re going to establish. That’s meant to reach out to industry and also internally to our workforce to look for a whole range of solutions to our hardest problems.”