At a glance.
- Conti’s brand appears to have gone into occultation (maybe for real, this time).
- Lockbit has now taken Conti’s place as the biggest ransomware brand.
- Lithuania sustains a major DDoS attack.
- Iranian steel mill suspends production due to cyberattack.
- Bumblebee rising.
- Dark Crystal RAT described.
- Influence operations in the interest of national market share.
- SOHO routers under attack.
- YTStealer discovered, out and active in the wild.
- Most dangerous software weaknesses.
- Amunet as a case study in C2C market differentiation.
- C2C commodification extends to script kiddies.
- Killnet hits Norwegian websites.
- North Korea seems to have been behind the Harmony cryptocurrency heist.
- MedusaLocker warning.
Conti’s brand appears to have gone into occultation (maybe for real, this time).
Conti seems to have retired, as a brand. BleepingComputer reports that the gang shut down its data leak and negotiation sites a week ago, and they seem to have remained down, at least for the rest of the week. Observers read this as the retirement of the brand, not the retirement (still less the reform) of the criminals behind it. “Some of the ransomware gangs known to now include old Conti members include Hive, AvosLocker, BlackCat, Hello Kitty, and the recently revitalized, Quantum operation,” BleepingComputer writes. “Other members have launched their own data extortion operations that do not encrypt data, such as Karakurt, BlackByte, and the Bazarcall collective.”
The gang’s ARMattack campaign last November and December, short but intense, retrospectively looks like the brand’s last big hurrah, except, of course, for its public declaration of adherence to Moscow’s cause in Russia’s war against Ukraine. Group-IB describes ARMattack as having hit some forty organizations in the US and elsewhere with noticeable effect.
Lockbit has now taken Conti’s place as the biggest ransomware brand.
Assuming the Conti brand stays retired, the leading ransomware brand is now LockBit 2.0. NCC Group’s ransomware report for May (a bit of a down month for the criminal enterprises, with an 18% drop in ransomware from April) puts the leaderboard like this: LockBit 2.0, Black Basta (a rising criminal star), Hive, and the rump of a retiring Conti.
BleepingComputer reports that AhnLab has noticed a trend in LockBit 2.0’s attack technique. The approach is still through phishing, but the phishbait has changed. The typical LockBit come-on now consists of a bogus copyright infringement notice. To see the infringing material, the email says, the recipient should open an attached file, which carries the hook, the payload. It’s not unique phishbait: the operators of both BazarLoader and Bumblebee have also used copyright infringement claims to induce their victims to bite.
Lithuania sustains a major DDoS attack.
Lithuania on Monday announced that it has sustained a distributed denial-of-service (DDoS) attack. Reuters quotes Lithuania’s National Cyber Security Centre to the effect that further attacks of this kind are expected: “It is very likely that attacks of similar or greater intensity will continue in the coming days, especially in the transportation, energy and financial sectors.” The nominally hacktivist Russian group Killnet, responsible for earlier DDoS attacks against Italian targets, claimed responsibility for the incident. A group associated with Killnet, the “Cyber Spetsnaz,” last week threatened Lithuania with cyberattack should it persist in its policy (a “muscular response,” Foreign Policy calls it, with mixed approval and alarm) of restricting rail delivery of embargoed goods to Russia’s non-contiguous province Kaliningrad.
Iranian steel mill suspends production due to cyberattack.
A cyberattack struck one of Iran’s major steel companies on Monday, forcing it to halt production, SecurityWeek reports. The attack struck the state-owned Khuzestan Steel Co. and two other major steel producers. An anonymous hacking group, “Gonjeshke Darande” (“Predatory Sparrow,” in the Jerusalem Post’s translation), has claimed responsibility for the attack, saying that it was done to target the “aggression of the Islamic Republic.” The group shared alleged closed-circuit footage from the Khuzestan Steel Co. in which a piece of heavy machinery on a steel billet production line malfunctioned and caused a fire. The CEO of Khuzestan Steel, Amin Ebrahimi, claimed that the attack was thwarted, saying, “Fortunately with time and awareness, the attack was unsuccessful,” and noting that everything should return to normal by the end of Monday. Neither of the other steel producers targeted in the attack noted damage or production issues.
Predatory Sparrow has been heard from before, CyberScoop observes, notably in 2021’s wiper attacks against Iran’s rail system, and Check Point has obtained samples from the most recent incident that link it to the earlier attack. Relatively little is known about the group, beyond, that is, their self-presentation as hacktivists opposed to the Islamic Republic.
Bumblebee rising.
The Symantec Threat Hunter Team, part of Broadcom Software, Tuesday morning released a report on the Bumblebee loader. The researchers characterize it as “a recently developed malware loader” and say that it “has quickly become a key component in a wide range of cyber-crime attacks and appears to have replaced a number of older loaders, which suggests that it is the work of established actors and that the transition to Bumblebee was pre-planned.” The rapidity with which Bumblebee has achieved a central position in criminal-to-criminal markets indicates not only the C2C market’s relative efficiency, but the extent to which it’s come to resemble the functioning of legitimate markets. “Bumblebee’s links to a number of high-profile ransomware operations suggest that it is now at the epicenter of the cyber-crime ecosystem,” the Symantec Threat Hunter Team concludes. “Any organization that discovers a Bumblebee infection on its network should treat this incident with high priority since it could be the pathway to several dangerous ransomware threats.” Their study includes a long set of indicators of compromise.
Dark Crystal RAT described.
CERT-UA earlier this month warned that Windows systems in Ukraine were under attack by Russian operators deploying the Dark Crystal RAT (DCRat). Fortinet’s Fortiguard Labs Monday issued a description of how DCRat (which they describe as “a commercial .NET Remote Access Trojan (RAT) commonly found being sold in underground forums”) is being used. While the precise infection vector is unknown, it’s believed to be a form of phishing. The payload is carried in malicious macros the victim is induced to run. The typical use to which DCRat is put has been data theft, but it also establishes persistence in victims’ systems and can be used to stage a broad range of other attacks. The report concludes, “The RAT can be customized to the attacker’s needs by adding plug-ins. As the RAT primarily focuses on data exfiltration, stolen data will likely be used as a stepping stone for further activities against affected organizations. It can also lead to further damage such as a threat actor maintaining persistence in the long term, stealing personally identifiable information (PII), and confidential data. Targets of this attack are likely in Ukraine. Having a foothold in the compromised Ukrainian organization goes a long way towards inflicting long-term and unthinkable damage, due to the nature of this malware.”
Influence operations in the interest of national market share.
China has been engaging, Reuters reports, in an influence operation directed at arousing popular protests against Australian, Canadian, and US rare-earth mining companies. The sector is one in which China has a significant national interest, and the firms singled out for attention include Lynas Rare Earths Ltd, Appia Rare Earths and Uranium Corp, and USA Rare Earth. The campaign, “Dragonbridge,” discovered and named by Mandiant, seems aimed at market dominance. It makes heavy use of inauthentic social media personae. “The campaign used inauthentic social media and forum accounts, including those posing as residents in Texas to feign concern over environmental and health issues surrounding the plant, including via posts to a public social media group predisposed to be receptive to that content,” Mandiant said in its report. Dragonbridge doesn’t seem, so far, to have been particularly effective, but Mandiant thinks the approach on display, particularly the microtargeting of the audience it seeks to reach, bears watching.
SOHO routers under attack.
Lumen’s Black Lotus Labs report that small office/home office (SOHO) routers are under active attack by operators using the ZuoRAT remote access Trojan. The operators are after bigger fish than home offices. Remote work has made SOHO routers an attractive point-of-entry into larger networks, and that appears to be the case here. “The sudden shift to remote work spurred by the pandemic allowed a sophisticated adversary to seize this opportunity to subvert the traditional defense-in-depth posture of many well-established organizations,” Lumen’s report says. “The capabilities demonstrated in this campaign – gaining access to SOHO devices of different makes and models, collecting host and LAN information to inform targeting, sampling and hijacking network communications to gain potentially persistent access to in-land devices and intentionally stealth C2 infrastructure leveraging multistage siloed router to router communications – points to a highly sophisticated actor that we hypothesize has been living undetected on the edge of targeted networks for years.”
YTStealer discovered, out and active in the wild.
Intezer this morning announced its discovery of malware it’s calling “YTStealer.” The malware has been aptly named, as the sole function is to steal authentication cookies from YouTube content creators. YTStealer is different from other malware, in that it only harvests credentials for YouTube and not any other service. If authentication codes are found in a browser’s database files in the user’s profile folder, the malware launches the browser in headless mode on the infected operating system and adds the cookie to the cookie store. The malware then uses a library called “Rod” to control the browser, and it navigates to the creator’s YouTube Studio page and steals information about the channel and encrypts it, sending it to a command and control center whose domain name is youbot[.]solutions. YouBot Solutions appears to be a company registered in New Mexico that describes itself by saying that it “provides unique solutions for getting and monetizing targeted traffic.” YouBot may well be connected outside the American Southwest: its red eye logo that appears on its Google business listing could be found, Intezer points out, on aparat [dot] com, an Iranian video-sharing website.
YTStealer is a C2C play: the researchers say that YTStealer is probably sold to other threat actors. They note that YTStealer often isn’t the only dropped malware on a device: RedLine and Vidar have been seen alongside the YTStealer malware. Much of the dropped malware is disguised as pirated versions of video and image software and game mods and cheats. Using only legitimate versions of software is a good way to have better control over what ends up on your computer, researchers conclude. The Hacker News has a summary of Intezer’s report.
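The behavior Intezer describes (a browser started in headless mode by the malware, and traffic to youbot[.]solutions) gives a defender two signals to hunt for and correlate per host. The following is an added example, not code from Intezer or from the original article; the event field names, the parent-process allowlist, and all sample events are constructed assumptions.

```python
from collections import defaultdict

# C2 domain as printed (defanged) in the article; refanged only for matching.
C2_DOMAIN = "youbot[.]solutions".replace("[.]", ".")

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}
# Assumption: the only parents expected to start a headless browser here are
# the browsers themselves and a hypothetical CI agent used for UI tests.
EXPECTED_PARENTS = BROWSERS | {"ci-agent.exe"}

# Constructed sample telemetry (simplified process-creation and DNS events).
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-01", "image": "chrome.exe",
     "parent": "explorer.exe", "cmdline": "chrome.exe https://example.com"},
    {"type": "process", "host": "ws-02", "image": "chrome.exe",
     "parent": "FreeVideoEditor_crack.exe",
     "cmdline": "chrome.exe --headless --remote-debugging-port=0"},
    {"type": "dns", "host": "ws-02", "query": C2_DOMAIN},
    {"type": "process", "host": "build-01", "image": "chrome.exe",
     "parent": "ci-agent.exe", "cmdline": "chrome.exe --headless=new --disable-gpu"},
    {"type": "dns", "host": "ws-03", "query": "notyoubot.solutions"},
    {"type": "process", "host": "ws-04", "image": "msedge.exe",
     "parent": "GameMod_Loader.exe", "cmdline": "msedge.exe --headless"},
]


def is_headless_browser(event):
    """True when a known browser binary is started with a headless switch."""
    if event["image"].lower() not in BROWSERS:
        return False
    return any(tok == "-headless" or tok.startswith("--headless")
               for tok in event["cmdline"].split())


def matches_c2(query):
    """Match the domain itself or any subdomain, but not lookalike suffixes."""
    q = query.lower().rstrip(".")
    return q == C2_DOMAIN or q.endswith("." + C2_DOMAIN)


def triage(events):
    """Group signals per host; both signals on one host rate as high severity."""
    signals = defaultdict(set)
    for ev in events:
        if ev["type"] == "process":
            if is_headless_browser(ev) and ev["parent"].lower() not in EXPECTED_PARENTS:
                signals[ev["host"]].add("headless_browser_unexpected_parent")
        elif ev["type"] == "dns" and matches_c2(ev["query"]):
            signals[ev["host"]].add("c2_dns_lookup")
    return {
        host: {"severity": "high" if len(found) == 2 else "medium",
               "signals": sorted(found)}
        for host, found in signals.items()
    }


if __name__ == "__main__":
    for host, finding in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, finding["severity"], ", ".join(finding["signals"]))
```

Headless launches are common in test automation, so the allowlist needs tuning per environment before the first signal is useful on its own.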
Most dangerous software weaknesses.
The Homeland Security Systems Engineering and Development Institute, sponsored by CISA and operated by MITRE, has released the 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses. The Institute explains, “This list demonstrates the currently most common and impactful software weaknesses. Often easy to find and exploit, these can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working.” The report includes recommended mitigations for the vulnerabilities listed, and it’s those mitigations CISA particularly commends to organizations’ attention.
Amunet as a case study in C2C market differentiation.
Digital Shadows Thursday morning updated its account of Amunet, an English-language cybercriminal forum launched in January 2022. Researchers have discovered a roadmap for 2022 on Amunet, explaining how the site plans to branch out as the year progresses. The roadmap highlights the January launch, followed by an intended launch of a “Leaks Circle,” in March, described as a “project for visualization of leaked sources,” which has not been identified by researchers. This is followed by the intent to launch their own cryptocurrency in May 2022, which has not been seen in the forum as of June, barring one post in early May explaining that those who shared leaked databases would earn forum credits that can be exchanged for cryptocurrency. In July 2022, the forum is anticipated to see the addition of a “Leaks Detector” that checks for “emails and corporate domains” in leaked databases. The final stop on the roadmap is set for October 2022, coined as a “Time-Back-Machine,” which is described as “A couple of hacking forums […] returned as snapshots for public observation.”
While researchers regard Amunet in its current state as unremarkable when compared to other fora, these intended upgrades could be enough to lure threat actors into using it. The observations also provide an interesting perspective on how criminal groups try to differentiate themselves in the C2C market.
C2C commodification extends to script kiddies.
Avast has published a study of the way in which teenagers are earning money in the criminal-to-criminal cyber underworld market. The researchers found a malware-as-a-service family whose operators spent a lot of time on Discord and seemed to have an unusual set of interests. The criminal vendors offered some of the usual wares (info stealers, cryptojackers, ransomware, password scrapers, etc.) but their hearts appeared to be elsewhere. Their offerings instead emphasized “features like stealing gaming accounts, deleting Fortnite or Minecraft folders, or repeatedly opening a web browser with Pornhub.” That is, Avast points out, the puerile stuff you’d expect from teenagers. It’s a side hustle, done for pocket money and for the lulz, but it remains criminal nonetheless.
Killnet hits Norwegian websites.
Killnet, operating again as the Cyber Spetsnaz, Wednesday announced a campaign against Norway in its Telegram channel. The post led with a doctored photo of Norway’s Foreign Minister Anniken Huitfeldt in which she’s called “Mrs. Error” and made up to look like the Disney villainess Maleficent. “Good morning Norway!” the introductory text read, “All units to battle.” This was followed by a list of Norwegian targets. The Russian complaint against Norway, as the Barents Observer reports, is that Norway isn’t permitting Russian goods to transit Norwegian territory en route to the island of Svalbard via the Russian port of Murmansk. Thus it has some similarity to the Russian complaint against Lithuania, which had prevented shipment of some goods to the non-contiguous province of Kaliningrad, and which also attracted the attention of Killnet. Svalbard is under Norwegian sovereignty, but a treaty guarantees Russian coal mining operations on the island. Members of Russia’s Duma have questioned Norway’s sovereignty given what they call Oslo’s violations of the Svalbard treaty, and the AP reports that Norway’s ambassador to Moscow was summoned to the Russian Foreign Ministry to give an explanation of Norwegian policy.
The cyber attacks claimed by Killnet have been distributed denial-of-service (DDoS) incidents. Several sites were disrupted for a matter of hours, but Norwegian authorities said the effects were limited and have been largely mitigated. Norway’s NSM attributed the attacks to a “criminal pro-Russian group,” and is investigating the group’s possible ties to the Russian government.
North Korea seems to have been behind the Harmony cryptocurrency heist.
The Wall Street Journal reports that efforts to launder some $100 million taken in last week’s looting of Harmony’s Horizon blockchain bridge (a service that enables the transfer of funds from one blockchain to another) appear to be the work of North Korean state-sponsored threat actors. TechCrunch notes that strong circumstantial evidence points to the long-familiar Lazarus Group as the operators behind the theft. The US Government sees such theft as a principal North Korean means of funding its advanced nuclear and ballistic missile programs. It’s not working out as well for Pyongyang as it once did, however. Reuters reported earlier this week that the current crash in cryptocurrency values has given the DPRK’s weapons programs a bit of a haircut, which explains the urgency on display in the Lazarus Group’s money-laundering efforts. Times are tough all over.
MedusaLocker warning.
The US Cybersecurity and Infrastructure Security Agency (CISA) and its partners the FBI, the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) warn that MedusaLocker ransomware operators are now relying for the most part on exploiting vulnerabilities in Remote Desktop Protocol (RDP) to access their victims’ networks. MedusaLocker is a ransomware-as-a-service operation in which the proprietors split the take with their affiliates. “MedusaLocker ransomware payments appear to be consistently split,” CISA says, “between the affiliate, who receives 55 to 60 percent of the ransom; and the developer, who receives the remainder.” An audio version of the CISA Alert, prepared with the CyberWire, may be found here.
The US Cybersecurity and Infrastructure Security Agency (CISA) Monday added eight vulnerabilities to its Known Exploited Vulnerabilities Catalog. The issues, which Federal civilian Executive Branch agencies falling under Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities must address by July 18th, 2022, are:
- CVE-2022-29499, a Mitel MiVoice Connect Data Validation Vulnerability that “allows remote code execution due to incorrect data validation.”
- CVE-2021-30533, a Google Chromium Security Bypass Vulnerability. “Insufficient policy enforcement in the PopupBlocker for Chromium allows an attacker to remotely bypass security mechanisms. This vulnerability impacts web browsers using Chromium such as Chrome and Edge.”
- CVE-2021-4034, a Red Hat Polkit Out-of-Bounds Read and Write Vulnerability. “The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability which allows for privilege escalation with administrative rights.”
- CVE-2021-30983, an Apple iOS and iPadOS Buffer Overflow Vulnerability. “Apple iOS and iPadOS contain a buffer overflow vulnerability that could allow an application to execute code with kernel privileges.”
- CVE-2020-3837, Apple Multiple Products Memory Corruption Vulnerability. “Apple iOS, iPadOS, macOS, tvOS, and watchOS contain a memory corruption vulnerability that could allow an application to execute code with kernel privileges.”
- CVE-2020-9907, Apple Multiple Products Memory Corruption Vulnerability. “Apple iOS, iPadOS, and tvOS contain a memory corruption vulnerability that could allow an application to execute code with kernel privileges. Apply updates per vendor instructions.”
- CVE-2019-8605, Apple Multiple Products Use-After-Free Vulnerability. “A use-after-free vulnerability in Apple iOS, macOS, tvOS, and watchOS could allow a malicious application to execute code with system privileges.”
- CVE-2018-4344, Apple Multiple Products Memory Corruption Vulnerability. “Apple iOS, macOS, tvOS, and watchOS contain a memory corruption vulnerability which can allow for code execution.”
In all cases the remedy is “Apply updates per vendor instructions.” While the private sector in the US (and elsewhere) of course isn’t bound by BOD 22-01, it’s prudent for all organizations to take a close look and consider remediating these vulnerabilities.
The US Cybersecurity and Infrastructure Security Agency (CISA) Tuesday released six industrial control system (ICS) security advisories, for:
- ABB e-Design (“mitigations for an Incorrect Default Permissions vulnerability in ABB e-Design engineering software”).
- Omron SYSMAC CS/CJ/CP Series and NJ/NX Series (“mitigations for Cleartext Transmission of Sensitive Information, Insufficient Verification of Data Authenticity, and Plaintext Storage of a Password vulnerabilities in Omron SYSMAC CS/CJ/CP Series and NJ/NX Series programmable logic controllers”).
- Advantech iView (“mitigations for a SQL Injection, Missing Authentication for Critical Function, Relative Path Traversal, and Command Injection vulnerabilities in Advantech iView management software”).
- Motorola Solutions MOSCAD IP and ACE IP Gateways (“mitigations for a missing authentication for critical function vulnerability in the Motorola Solutions MOSCAD IP and ACE IP Gateways products”).
- Motorola Solutions MDLC (“mitigations for Use of a Broken or Risky Cryptographic Algorithm, and Plaintext Storage of a Password vulnerabilities in the Motorola Solutions MDLC protocol parser”).
- Motorola Solutions ACE1000 (“mitigations for Use of Hard-coded Cryptographic Key, Use of Hard-coded Credentials, and Insufficient Verification of Data Authenticity vulnerabilities in the Motorola Solutions ACE1000 remote terminal unit”).
On Thursday CISA released six more ICS advisories:
- Exemys RME1 (“mitigations for an Improper Authentication vulnerability in the Exemys RME1 analog acquisition module”).
- Yokogawa Wide Area Communication Router (“mitigations for a Use of Insufficiently Random Values vulnerability in the Yokogawa Wide Area Communication Router”).
- Emerson DeltaV Distributed Control System (“mitigations for Missing Authentication for Critical Function, Use of Hard-coded Credentials, Insufficient Verification of Data Authenticity, and Use of a Broken or Risky Cryptographic Algorithm vulnerabilities in the Emerson DeltaV Distributed Control System software management platform”).
- Distributed Data Systems WebHMI (“mitigations for Cross-site Scripting, and OS Command Injection vulnerabilities in the Distributed Data Systems WebHMI SCADA system”).
- Mitsubishi Electric FA Engineering Software (Update A) (“[A] follow-up to the original advisory titled ICSA-21-350-05 Mitsubishi Electric FA Engineering Software that was published December 16, 2021, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for Out-of-bounds Read, and Integer Underflow vulnerabilities in Mitsubishi Electric’s FA Engineering Software products”).
- CODESYS Gateway Server (Update A) (“[A] follow-up to the original advisory titled ICSA-15-258-02 3S CODESYS Gateway Server Buffer overflow Vulnerability that was published September 15, 2015, on the ICS webpage at cisa.gov/ics. This advisory provides mitigation details for a Heap-based Buffer Overflow vulnerability in CODESYS Gateway Server products”).
Policies, procurements, and agency equities.
The US Department of Commerce added five Chinese companies to an export blacklist after discovering that they were allegedly helping Russia’s military, the Wall Street Journal reports. Their addition to the entity list limits their access to US technology. The companies added to the list include Connec Electronic Ltd., King Pai Technology Co., Sinno Electronics Co., Winninc Electronic and World Jetta (H.K.) Logistics Ltd. A representative from the Chinese Embassy in Washington DC said of the additions, “China’s position on the Ukrainian issue is consistent and clear. We have been playing a constructive role in promoting peace talks and have not provided military assistance to the conflicting parties.”