At a glance.

  • Chinese APT deploys new cyberespionage tool.
  • Hacktivism roils India after politician’s remarks about the Prophet.
  • Ukraine reports a “massive” spam campaign against the country’s media organizations.
  • SeaFlower uses stolen seed phrases to rifle cryptocurrency wallets.
  • Ukraine moves sensitive data abroad.
  • Security and the future of work.
  • Hertzbleed side-channel issue affects Intel and AMD processors.
  • Iranian spearphishing campaign prospected former Israeli officials.
  • A look at software bills of materials.
  • A new version of IceXLoader is observed.
  • Exploiting versioning limits to render files inaccessible.
  • Malibot: an info stealer masquerading as a coin miner.
  • “Hermit” spyware used by nation-state security services.
  • Fabricated evidence planted in computers.
  • Exercise Cyber Shield 2022 wraps up.

Chinese APT deploys new cyberespionage tool.

In a report released Monday, Palo Alto Networks’ Unit 42 outlines the recent activities of Gallium, a Chinese government threat actor particularly active against selective targets in Australia, Southeast Asia, Africa, and Europe. Gallium has also been associated with Operation Soft Cell, a campaign against telecommunications providers. The recent operations Palo Alto describes are distinguished by their employment of “a new, difficult-to-detect remote access trojan named PingPull.” They’re also marked by an expansion to sectors other than telecommunications, specifically government organizations and financial services. Palo Alto has shared detailed findings with fellow members of the Cyber Threat Alliance. The company also extends “special thanks to the NSA Cybersecurity Collaboration Center, the Australian Cyber Security Centre and other government partners for their collaboration and insights offered in support of this research.”

Hacktivism roils India after politician’s remarks about the Prophet.

Remarks by a representative of India’s ruling Bharatiya Janata Party (BJP) have prompted a defacement campaign against websites belonging to Indian diplomatic, academic, and agricultural organizations. The actions, organized by the hacktivist group DragonForce Malaysia, are organized around the message, “For you is your religion and for me is my religion.” The Times of India quotes Prasad Patibandla, director (research and operations) at the Centre for Research on Cyber Intelligence and Digital Forensics, as saying, correctly, “Website defacement is the lowest form of cyber attack. Data theft, particularly financial data theft and personal data, will impact people and the banking sector.” He adds, “Companies and government organisations must step up cybersecurity.” The remarks themselves, by Nupur Sharma, were taken by many Muslims, including Muslim governments, to be defamatory and blasphemous.

Ukraine reports a “massive” spam campaign against the country’s media organizations.

An email from the Press Office of Ukraine’s State Service of Special Communication and Information Protection (SSSCIP) last Saturday warned that a “massive” spam campaign against media outlets had begun:

“The Computer Emergency Response Team of Ukraine (CERT-UA) acting under the SSSCIP warns about mass spamming with dangerous emails titled ‘Interactive Map Reference List’. In particular, these emails are targeting media outlets (radio stations, newspapers, news agencies, etc.) of Ukraine. Over 500 destination email addresses have been identified. These emails contain an attached document … opening which may initiate downloading of CrescentImp malware. Specialists warn that cyber criminals have been increasingly resorting to email spamming from compromised addresses of public institutions. If you fall victim to a cyberattack, please contact the CERT-UA immediately. This activity is tracked by UAC-0113 (attributed to the Sandworm group with a medium certainty level). As reported earlier, this group was involved in orchestrating a massive attack on the energy sector of Ukraine in April.”

Sandworm is a Russian threat actor associated (in MITRE’s ATT&CK catalogue) with Russia’s GRU military intelligence service and perhaps best known for its role in the 2015 and 2016 cyberattacks against sections of Ukraine’s power grid. The group has also been fingered for the 2017 NotPetya pseudo-ransomware attack and 2018’s Olympic Destroyer incident.

The payload in the spam emails appears to exploit the Follina vulnerability in the Microsoft Windows Support Diagnostic Tool (CVE-2022-30190) to install a downloader for CrescentImp malware. CrescentImp’s provenance and functionality are unclear, BleepingComputer reports, but CERT-UA has provided indicators of compromise to assist in CrescentImp’s detection.

SeaFlower uses stolen seed phrases to rifle cryptocurrency wallets.

SecurityWeek reports that digital advertising security company Confiant has discovered a campaign distributing backdoored versions of iOS and Android Web3 wallets. The attackers have cloned the legitimate sites of the wallets and have included links to download them; the downloads contain the app’s legitimate functionality, but also exfiltrate the user’s seed phrase in order to steal the victim’s cryptocurrency. Confiant says that the cybercriminals running this campaign have not yet been identified, but are likely Chinese, as much of the data found is in Chinese and includes information tied to Chinese and Hong Kong IP addresses.

Ukraine moves sensitive data abroad.

The Wall Street Journal reports that Ukraine has begun to store sensitive data abroad, backing up its information to render it less vulnerable to Russian physical or cyber attack. George Dubinskiy, the country’s deputy minister of digital transformation, said, “To be on the safe side, we want to have our backups abroad.” Among the earlier transfers was a program to back data up to a secure private cloud with servers located in Poland. Priority has been given to protecting “VIP” databases, that is, databases deemed essential to the operation of Ukraine’s economy.

Security and the future of work.

Dashlane released a report Tuesday morning detailing cybersecurity for businesses that include remote or hybrid work. It found that remote and hybrid work are becoming more common, with only 10% of respondents reporting no remote workers at their companies. Researchers found that awareness of cyber safety is up everywhere, but not every company is implementing appropriate, workable solutions. Password managers were the most common change companies made to increase security, yet only one-third of employees at companies that implemented a password manager are confident that 95-100% of their coworkers actually use the new tool.

Hertzbleed side-channel issue affects Intel and AMD processors.

Researchers from the University of Texas at Austin, the University of Illinois Urbana-Champaign, and the University of Washington describe “Hertzbleed,” so called from the unit of frequency, the hertz, with a punning allusion to the earlier Heartbleed vulnerability. The researchers characterize Hertzbleed as “a new family of side-channel attacks: frequency side channels.” Under the right circumstances an attacker could extract encryption keys via remote timing. Tracked as CVE-2022-23823 and CVE-2022-24436, Hertzbleed is a difficult issue to address, since, as the researchers point out, it’s not really a bug but a feature of how the processors function. Intel has issued workarounds to mitigate the risk of exploitation.

Iranian spearphishing campaign prospected former Israeli officials.

Check Point describes a complicated spearphishing campaign that prospected former Israeli officials (and some American targets as well). It used personae and subjects tailored to the targets’ interests, and it employed URL shorteners to further obfuscate the social engineering. The threat actor used a legitimate service, NameCheap’s identity verification service, to lend further credibility to their approach. Check Point attributes the campaign to the Phosphorus APT, long associated with Tehran’s intelligence and security services.

A look at software bills of materials.

Google reports a considerable increase in efforts to adopt Software Bills of Materials (SBOMs). SBOMs list all the components, libraries, and modules needed to build a piece of software. The National Institute of Standards and Technology (NIST) released its Secure Software Development Framework, requiring that SBOM information be available for software, which gave an additional boost to the use of SBOMs. Google emphasizes, however, that SBOMs need to be used and mapped onto known vulnerabilities to highlight what could pose a threat. They offer an example from a Kubernetes SBOM: they mapped it against the Open Source Vulnerabilities (OSV) database and found that v1.21.3 of Kubernetes contains the CVE-2020-26160 vulnerability. Use of the SBOM in this case lets consumers running this version of Kubernetes become aware of the vulnerability and remediate it. A future with widespread SBOM adoption will allow for more user awareness of the components and risks found in the software they consume regularly.
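As an added illustration of the SBOM-to-vulnerability mapping Google describes (example code written for this post, not Google’s or OSV’s tooling), the Python below reads a constructed CycloneDX-style SBOM and checks each component against constructed advisories in the OSV record shape; the component names, advisory IDs and version ranges are all placeholders, not real packages or advisories.

```python
import json

# Constructed CycloneDX-style SBOM with hypothetical Go components (not the Kubernetes SBOM).
SBOM_JSON = """
{"bomFormat": "CycloneDX", "components": [
  {"name": "example-jwt",  "version": "v3.2.0", "purl": "pkg:golang/example.org/example-jwt@v3.2.0"},
  {"name": "example-yaml", "version": "v2.4.1", "purl": "pkg:golang/example.org/example-yaml@v2.4.1"},
  {"name": "example-http", "version": "v1.0.0", "purl": "pkg:golang/example.org/example-http@v1.0.0"}
]}
"""

# Constructed advisories in the OSV record shape (affected -> package, ranges -> events).
# The IDs and version ranges are placeholders, not real advisories.
OSV_JSON = """
[
 {"id": "EXAMPLE-2020-0001", "affected": [{"package": {"ecosystem": "Go", "name": "example.org/example-jwt"},
   "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "4.0.0"}]}]}]},
 {"id": "EXAMPLE-2021-0002", "affected": [{"package": {"ecosystem": "Go", "name": "example.org/example-yaml"},
   "ranges": [{"type": "SEMVER", "events": [{"introduced": "2.0.0"}, {"fixed": "2.4.1"}]}]}]}
]
"""

def parse_version(v):
    """Turn 'v1.21.3' / '1.21.3' / '0' into a comparable tuple of ints."""
    return tuple(int(p) for p in v.lstrip("v").split("."))

def purl_name(purl):
    """'pkg:golang/example.org/example-jwt@v3.2.0' -> 'example.org/example-jwt'."""
    after_type = purl.split(":", 1)[1].split("/", 1)[1]
    return after_type.split("@", 1)[0]

def version_affected(version, events):
    """Walk OSV range events (assumed sorted ascending): 'introduced' opens an
    affected span, 'fixed' closes it. True if the version lands inside an open span."""
    v, affected = parse_version(version), False
    for ev in events:
        if "introduced" in ev and v >= parse_version(ev["introduced"]):
            affected = True
        if "fixed" in ev and v >= parse_version(ev["fixed"]):
            affected = False
    return affected

def match_sbom(sbom, advisories):
    """Return (component, version, advisory id) for each component in an affected range."""
    findings = []
    for comp in sbom["components"]:
        name = purl_name(comp["purl"])
        for adv in advisories:
            for aff in adv["affected"]:
                if aff["package"]["name"] != name:   # a real tool also checks the ecosystem
                    continue
                if any(r["type"] == "SEMVER" and version_affected(comp["version"], r["events"])
                       for r in aff["ranges"]):
                    findings.append((comp["name"], comp["version"], adv["id"]))
    return findings

def audit_constructed_sbom():
    return match_sbom(json.loads(SBOM_JSON), json.loads(OSV_JSON))
```

Only example-jwt is reported: example-yaml sits exactly at its advisory’s fixed version, so it falls outside the affected range.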

A new version of IceXLoader is observed.

Researchers at Fortinet describe a new version of IceXLoader being hawked in criminal-to-criminal markets. “IceXLoader is a commercial malware used to download and deploy additional malware on infected machines,” the researchers write. “The latest version is written in Nim, a relatively new language utilized by threat actors the past two years, most notably by the NimzaLoader variant of BazarLoader used by the TrickBot group.” The new version is more evasive and difficult to detect than its predecessors, and, of course, successful infection exposes the victims to deployment of other, more damaging malware.

Exploiting versioning limits to render files inaccessible.

Proofpoint researchers have discovered a Microsoft 365 functionality that allows ransomware to encrypt SharePoint and OneDrive files and make them unrecoverable without backups or a decryption key. Researchers explain that threat actors can gain access to a user account through compromising or hijacking credentials, then lower the versioning limits on OneDrive and SharePoint files to something as low as 1, encrypt the files twice, and, if they feel so inclined, exfiltrate the unencrypted files and ask for a ransom. Another option for encrypting the files doesn’t involve changing the versioning settings: the default version limit is 500, so if a file is edited 501 times, the original falls outside the 500 retained versions and can no longer be restored. The malicious actor could then encrypt the files after each of the 501 edits, and increasing the version limit post-attack cannot restore the file.

Proofpoint disclosed this information to Microsoft, which explained, first, that the versioning settings configuration workflow is working as intended, and, second, that older versions of files can be recovered and restored for fourteen days by using Microsoft Support. While the versioning settings configuration functionality is working as designed, Proofpoint says that it can still be abused by malicious actors. The researchers also reported difficulty recovering older versions of some files through Microsoft Support.
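A defender can watch audit logs for the two patterns Proofpoint describes. The Python below is an added example, not Proofpoint’s or Microsoft’s code; it runs over constructed audit events with hypothetical field names (not the real Microsoft 365 audit log schema) and flags a version limit lowered below a safe floor and any file saved by one account more times than the site’s limit retains, which is the point at which the original version is gone.

```python
import json
from collections import defaultdict

# Constructed audit events in a simplified JSON-lines shape. Field names (op, site, item,
# new_limit) and the accounts are hypothetical; times are ISO-8601 UTC and sort as strings.
SAMPLE_EVENTS = """\
{"time": "2022-06-14T09:00:00", "user": "alice@example.test", "op": "FileModified", "site": "/sites/finance", "item": "Q2.xlsx"}
{"time": "2022-06-14T09:05:00", "user": "mallory@example.test", "op": "VersioningSettingChanged", "site": "/sites/finance", "new_limit": 1}
{"time": "2022-06-14T09:06:00", "user": "mallory@example.test", "op": "FileModified", "site": "/sites/finance", "item": "Q2.xlsx"}
{"time": "2022-06-14T09:06:10", "user": "mallory@example.test", "op": "FileModified", "site": "/sites/finance", "item": "Q2.xlsx"}
{"time": "2022-06-14T09:06:20", "user": "mallory@example.test", "op": "FileModified", "site": "/sites/finance", "item": "budget.docx"}
{"time": "2022-06-14T09:06:30", "user": "mallory@example.test", "op": "FileModified", "site": "/sites/finance", "item": "budget.docx"}
"""

def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_versioning_abuse(events, min_safe_limit=10, default_limit=500):
    """Return alerts for the two patterns described above:
    LIMIT_LOWERED      - a site's version limit set below min_safe_limit;
    VERSIONS_EXHAUSTED - one account saved a file (limit + 1) times, so the original
                         version has just been pushed out of the retained history.
    default_limit models the 500-version default when the log shows no change."""
    alerts = []
    site_limit = {}                 # site -> limit as last seen in the log
    edit_count = defaultdict(int)   # (user, site, item) -> saves seen
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["op"] == "VersioningSettingChanged":
            site_limit[ev["site"]] = ev["new_limit"]
            if ev["new_limit"] < min_safe_limit:
                alerts.append(("LIMIT_LOWERED", ev["user"], ev["site"], ev["new_limit"]))
        elif ev["op"] == "FileModified":
            key = (ev["user"], ev["site"], ev["item"])
            edit_count[key] += 1
            limit = site_limit.get(ev["site"], default_limit)
            if edit_count[key] == limit + 1:   # fire once, on the save that evicts the original
                alerts.append(("VERSIONS_EXHAUSTED", ev["user"], ev["site"], ev["item"]))
    return alerts

def run_sample():
    return detect_versioning_abuse(parse_events(SAMPLE_EVENTS))
```

With the default 500-version limit the same function fires only on the 501st save of a file, which is the second variant Proofpoint describes.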

Malibot: an info stealer masquerading as a coin miner.

Researchers at F5 Labs describe “Malibot,” an Android malware family capable of exfiltrating personal and financial information, SecurityWeek reports. F5 says the malware can often be found posing on fraudulent websites as the popular cryptocurrency mining app “TheCryptoApp,” but may also pose as the Chrome browser or other applications. The malware’s capabilities include support for web injections and overlay attacks, the ability to run and delete applications, and the ability to steal cookies, multi-factor authentication codes, text messages, and more. Malibot was found to abuse the Android Accessibility API, which permits it to perform actions without user interaction and maintain itself on the system. The use of the Accessibility API also allows for bypass of Google two-factor authentication, as prompts can be validated through the infected device.

Malibot uses the same servers as the ones used to distribute the Sality malware, and shares a Russian IP address with other malicious campaigns. The primary targets of the malware have been customers of Spanish and Italian banks, but the malware could soon branch out to other locations.

“Hermit” spyware used by nation-state security services.

Lookout researchers have discovered a sophisticated Android spyware family, “Hermit,” that appears to have been created to serve nation-state customers. The spyware, currently in use by Kazakhstan’s government against domestic targets, has also been associated with Italian authorities in 2019, and at other times with an unknown actor in Syria’s Kurdish region.

Hermit was developed by the Italian RCS Lab S.p.A. and Tykelab Srl, the latter probably a front company. RCS Lab was previously a reseller for Italian spyware vendor Hacking Team, and worked with military groups in Bangladesh, Chile, Mongolia, Myanmar, Pakistan, Turkmenistan, and Vietnam.

The researchers believe that the Android spyware is being distributed through text messages that claim to be from legitimate sources, and noted that while an iOS version of the spyware exists, researchers were unable to get a sample. The Android spyware is reported to support 25 modules, 16 of which the researchers were able to analyze. Many of the modules collect different forms of data, such as call logs, browser data, photos, and location, while others can exploit rooted devices and make and redirect calls. Lookout security researcher Paul Shunk explained to SecurityWeek that the initial application is a framework with minimal surveillance capability, but that it can fetch and activate modules as needed, which allows the application to fly under the radar during the security vetting process.

Exercise Cyber Shield 2022 wraps up.

National Guard soldiers and airmen, government agency partners, and private partners converged in Little Rock, Arkansas, for Exercise Cyber Shield, an annual unclassified cyber training exercise running from June 5-17 this year. The aim of Cyber Shield, as described by the National Guard, is to “develop, train and exercise cyber forces in the areas of computer network internal defensive measures and cyber incident response.”

A transcript provided by the Illinois National Guard describes the scenario for this year’s Cyber Shield, which was focused on the role the National Guard plays in protecting the US Department of Defense computer networks. “Cyber Shield is a defensive-focused operation. We specifically focus on our internal defensive measures, stuff that we’re doing within the Department of Defense’s own networks,” Illinois Air Army National Guard Lieutenant Colonel Jeffrey Fleming said to the CyberWire. “We train the basics, the basic tenets of cyber, so that whatever network our operators end up on, whether it’s wearing a uniform to support the Governor, active duty side, or taken back to their civilian careers, they have the knowledge and experience to do that wherever we need to operate.”

We’ll have more coverage of Cyber Shield when we return next week.

Patch news.

Microsoft issued fifty-five patches on Tuesday, including one that addressed the widely exploited Follina vulnerability. Adobe and SAP also patched their products. And Wednesday marked the long-anticipated retirement of Internet Explorer: Microsoft has ended support for its once widely-used browser.

The US Cybersecurity and Infrastructure Security Agency (CISA) released three industrial control system (ICS) security advisories, for Johnson Controls Metasys ADS ADX OAS Servers, Meridian Cooperative Meridian, and Mitsubishi Electric MELSEC-Q/L and MELSEC iQ-R.

Other ICS issues were also addressed Tuesday. SecurityWeek reports that Siemens and Schneider Electric between them patched eighty-three vulnerabilities in their products. Siemens addressed fifty-nine vulnerabilities in fourteen advisories, and Schneider Electric fixed twenty-four vulnerabilities, covered in eight advisories.

Crime and punishment.

Interpol has announced that its Operation First Light 2022, directed against telecommunication fraud, business email compromise, and the money laundering associated with them, has yielded a significant haul. Results are still coming in, but so far, Interpol says, the operation’s tally is:

  • “1,770 locations raided worldwide”
  • “Some 3,000 suspects identified”
  • “Some 2,000 operators, fraudsters and money launderers arrested”
  • “Some 4,000 bank accounts frozen”
  • “Some USD 50 million worth of illicit funds intercepted”

Law enforcement organizations in seventy-six countries were involved, a remarkably large cooperative effort. Four countries conducted the raids: China, Singapore, Papua New Guinea, and Portugal. The crimes involved were varied, ranging from human trafficking to Ponzi schemes built around bogus job ads.

The US Attorney for the Southern District of California has announced the takedown of a Russian cyber gang’s botnet. Working with partners in Germany, the Netherlands, and the United Kingdom, the US FBI seized RSOCKS, a criminal-to-criminal service that offered access to bots as proxies in the C2C underworld market. The US Attorney explained, “Once purchased, the customer could download a list of IP addresses and ports associated with one or more of the botnet’s backend servers. The customer could then route malicious internet traffic through the compromised victim devices to mask or hide the true source of the traffic. It is believed that the users of this type of proxy service were conducting large scale attacks against authentication services, also known as credential stuffing, and anonymizing themselves when accessing compromised social media accounts, or sending malicious email, such as phishing messages.” It cost RSOCKS’ criminal clientele between $30 and $200 a day to route their traffic through the proxies.

The Telegraph reports that British Home Secretary Priti Patel signed an order Friday extraditing Wikileaks impresario Julian Assange to the United States, where he faces espionage charges. Mr. Assange’s legal team intends to appeal the decision.

Citing updated research by SentinelOne, Wired reports that police in Pune, India, planted incriminating evidence in the computers of journalists, activists, and academics, evidence that was subsequently used to justify their arrest. SentinelOne has, according to Wired, connected the evidence-planting to activity it reported in its February 2022 study of the ModifiedElephant APT. That report said, “The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of ‘evidence’—files that incriminate the target in specific crimes—prior to conveniently coordinated arrests.”

Courts and torts.

The Verge reports that a Moscow court has fined the Wikimedia Foundation five million rubles (about $65 thousand) for its reporting on Russia’s “special military operation,” the war against Ukraine. Wikimedia is appealing the fine. Stephen LaPorte, associate general counsel at the Wikimedia Foundation, said, “This decision implies that well-sourced, verified knowledge on Wikipedia that is inconsistent with Russian government accounts constitutes disinformation. The government is targeting information that is vital to people’s lives in a time of crisis. We urge the court to reconsider in favor of everyone’s rights to knowledge access and free expression.” Wikimedia also argues that Russia lacks jurisdiction.