At a glance.
- Predatory Sparrow’s assault on Iran’s steel industry.
- Callback phishing campaign impersonates security companies.
- High-end and low-end cyber extortion.
- Hacking Hondas (and others)?
- Russian cyberattacks spread internationally.
- Adversary-in-the-middle sites support business email compromise.
- Silent validation carding bot discovered.
- Attempted social engineering at the European Central Bank.
- Germany puts its shields up.
- Lilith enters the ransomware game.
- ChromeLoader makes a fresh appearance.
- A North Korean ransomware operation.
- Media organizations targeted by state actors.
Predatory Sparrow’s assault on Iran’s steel industry.
The BBC reports that Predatory Sparrow, a nominally hacktivist group opposed to Iran’s regime, which claimed to have disrupted operations at Iran’s Mobarakeh Steel Company on June 27th, has posted video of fires at the facility it claims were caused by its cyberattack. Mobarakeh Steel has minimized the effects of the attack, saying that its operations were not disrupted. CyberScoop reports that Predatory Sparrow has also dumped a set of documents it calls “top secret” and which it claims were taken from the Iranian facilities during the cyberattack. Those claims, as well as the authenticity of the documents themselves, remain unverified.
Given the long-running tension between Iran and Israel, there’s been widespread speculation in the Israeli press that Predatory Sparrow, which presents itself as an Iranian dissident group, is operating in the interest of Israeli intelligence services. The Israeli government has begun an investigation into the source of the stories, which may or may not have derived from leaks.
Callback phishing campaign impersonates security companies.
CrowdStrike last Friday detected a callback phishing campaign that impersonates CrowdStrike and other security companies. The social engineering effort begins with an email that claims to have discovered a potential compromise on the recipient’s network. The email provides a telephone number and invites the victim to call and arrange an audit of their workstations. It’s unclear what might happen next, but the call will almost certainly invite the victim to install malware into their systems under the guise of a security update. “Historically, callback campaign operators attempt to persuade victims to install commercial RAT software to gain an initial foothold on the network,” CrowdStrike says. It’s an old scam, and, while one might think it played out, people continue to fall for it. The impersonation of a security firm is thought to add additional plausibility to the imposture. CrowdStrike points out, with emphasis, that “CrowdStrike will never contact customers in this manner.” Nor, one might add, will any other reputable security company. It’s also worth noting that the campaign is purely fraudulent, and doesn’t involve any compromise of a security firm’s networks.
High-end and low-end cyber extortion.
Resecurity has reported that the BlackCat gang, also known as ALPHV, is upping its ransom demands, and that it’s also following what Resecurity calls a “quadruple extortion” model. It encrypts victims’ files and threatens to release sensitive stolen data (the now familiar double-extortion approach), but then goes on to add two more attacks. One of these is distributed denial-of-service (DDoS); the other is “harassment,” a campaign of contacting the victims’ “customers, business partners, employees, and media to tell them the organization was hacked.” BleepingComputer reports that a feature of this newer, polyvalent approach is the provision of a searchable database of non-paying victims, the better to expose them to reputational damage.
BlackCat represents the high-end of the ransomware-as-a-service C2C market. There are still many other extortion scams in circulation, however, that are much simpler and require far less talent and attention to detail. Researchers at Sygnia, for example, report on the activities of LunaMoth, and these are so low-end that one hesitates to even call their operation “ransomware.” LunaMoth uses commodity RATs against its victims (and it does so opportunistically, with little evidence that they’re phishing for particular targets). It doesn’t bother encrypting data, and relies simply on the threat of doxing to extort payment.
Hacking Hondas (and others)?
Researchers claim to have demonstrated a proof-of-concept they’re calling “Rolling-PWN” that affects the remote keyless entry systems in Honda models between 2012 and 2022. They say the exploit (which has been assigned the designation CVE-2021-46145) takes advantage of the keyless entry systems’ rolling code system, which uses a synchronizing counter to prevent replay attacks. The rolling code system accepts, the researchers say, “a sliding window of codes” to account for the key fob being pressed accidentally, or when it’s out of range of the vehicle. “By sending the commands in a consecutive sequence to the Honda vehicles, it will be resynchronizing the counter. Once [the] counter [is] resynced, commands from the previous cycle of the counter worked again. Therefore, those commands can be used later to unlock the car at will.” The researchers worked on Hondas, but they think it likely that other makes are also vulnerable.
A statement Honda initially gave Vice dismissed the proof-of-concept as “old news.” Honda added, in an email to Vice, “Thus, I’d hope that you would treat it as such and move on to something current rather than creating a new round of people thinking that this is a ‘new’ thing. We’ve looked into past similar allegations and found them to lack substance. While we don’t yet have enough information to determine if this report is credible, the key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report. In addition, the videos offered as evidence of the absence of rolling code do not include sufficient evidence to support the claims.”
Honda, however, has now acknowledged, SecurityWeek reports, that the Rolling-PWN proof-of-concept does indeed work against the carmaker’s remote keyless system. It is in fact possible for someone to unlock the car and even start it. But, Honda says, they couldn’t just drive the car away, since that requires the key fob to be present. The Record quotes Honda’s statement: “However, while it is technically possible, we want to reassure our customers that this particular kind of attack, which requires continuous close-proximity signal capture of multiple sequential RF transmissions, cannot be used to drive the vehicle away.” The 2022 and 2023 models are said to be proof against Rolling-PWN, and Honda is making other security upgrades to mitigate the vulnerability.
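The design point behind Rolling-PWN, as the researchers describe it, is that a receiver’s resynchronisation logic must never move the counter backwards. The simulation below is an added illustration, not code from the researchers or from Honda, and the counter, window and key are constructed toy values: `StrictReceiver` accepts only codes ahead of its counter, while `RollbackReceiver` is a hypothetical model of the described defect, treating any pair of consecutive codes as a resync even when they lie behind the counter, so a previously recorded cycle becomes valid again.

```python
import hashlib
import hmac

# Constructed demo secret; a real fob carries a per-device key set at manufacture.
KEY = b"constructed-demo-key"
WINDOW = 16          # forward codes accepted, to tolerate presses made out of range
MAX_COUNTER = 4096   # toy counter space, enough for the demonstration


def code_for(counter: int) -> bytes:
    """Toy rolling code: keyed hash of the counter (stands in for the real cipher)."""
    return hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


def counter_of(code: bytes, lo: int, hi: int):
    """Return the counter in [lo, hi) whose code matches, or None."""
    for c in range(lo, hi):
        if hmac.compare_digest(code_for(c), code):
            return c
    return None


class Fob:
    def __init__(self):
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        return code_for(self.counter)


class StrictReceiver:
    """Accepts only codes ahead of its counter and inside the window; never rewinds."""

    def __init__(self):
        self.counter = 0

    def accept(self, code: bytes) -> bool:
        c = counter_of(code, self.counter + 1, self.counter + 1 + WINDOW)
        if c is None:
            return False
        self.counter = c
        return True


class RollbackReceiver(StrictReceiver):
    """Hypothetical model of the flaw as the researchers describe it: two
    consecutive codes from anywhere in the counter space count as a
    resynchronisation and the counter is moved to them, even backwards, after
    which the rest of the old cycle sits inside the forward window."""

    def __init__(self):
        super().__init__()
        self.pending = None  # counter of the last code that failed the window check

    def accept(self, code: bytes) -> bool:
        if super().accept(code):
            self.pending = None
            return True
        c = counter_of(code, 1, MAX_COUNTER)
        if c is not None and self.pending == c - 1:
            self.counter = c  # the defect: a resync is allowed to move the counter back
            self.pending = None
            return True
        self.pending = c
        return False


def replay_succeeds(receiver_cls) -> bool:
    """Record four live presses, let the fob advance well past the window,
    then feed the recording back and report whether its last code is accepted."""
    fob, rx = Fob(), receiver_cls()
    recorded = [fob.press() for _ in range(4)]
    for code in recorded:
        rx.accept(code)                 # the receiver saw these presses live
    for _ in range(40):
        rx.accept(fob.press())          # normal use afterwards; counter is now 44
    return [rx.accept(code) for code in recorded][-1]


if __name__ == "__main__":
    print("strict receiver accepts old cycle:", replay_succeeds(StrictReceiver))      # False
    print("rollback receiver accepts old cycle:", replay_succeeds(RollbackReceiver))  # True
```

The strict receiver rejects the recording because every recorded counter is below its own; the rollback model accepts it as soon as it sees two consecutive old codes. Honda’s statement that the 2022 and 2023 models are proof against the technique is consistent with a receiver that only ever resynchronises forward.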
Russian cyberattacks spread internationally.
Killnet, the threat actor that represents itself as a hacktivist tendency operating in the patriotic interest of Russia but not under the control of Moscow’s security services, has extended its distributed denial-of-service (DDoS) attacks to Polish government sites, the Express reports. As was the case with earlier operations against Lithuania, the most recent DDoS attacks didn’t rise above the level of a nuisance. Poland has strongly supported Ukraine both since the invasion and during the tensions that preceded Russia’s war.
Margiris Abukevicius, Lithuania’s vice minister of national defense, according to Delphi, while emphasizing that the DDoS attacks had a negligible effect on the country’s IT infrastructure, cautioned that they’re not to be dismissed, either. Cyberattacks of this kind are aimed at exerting influence quite apart from their effectiveness at disrupting networks. The audience, Mr. Abukevicius says, is at once both foreign (in Lithuania) and domestic (in Russia). The desired effect in Lithuania is erosion of confidence, leading Lithuanians to lose faith in their country’s ability to protect itself in cyberspace. He also sees increased friction as a Russian goal: one aim of the cyberattacks is to “increase tension.” The desired effect in Russia is the projection of an image of power, and of communicating an assurance that Russia’s enemies will be punished.
Even talking about the incidents carries a cost to the victim, Mr. Abukevicius said. “We need to understand that publicity is a very important part of these attacks. If we don’t talk about them, the other side will lose motivation. When we talk, when we talk about alleged victories, about alleged punishment of Lithuania, it’s motivating the other side.” He went on to urge that Russian cyber operations be kept in perspective. “We in Lithuania should not be so hooked on this and we often hear that the sky has been falling here for the last three weeks. It’s definitely not. Yes, we have attacks, some of them disruptive, but we don’t see those incidents or those efforts that don’t achieve any goal and don’t affect the delivery of services at all. There are also many of those, and I think that’s what we should say: that despite the effort, despite the coordination, the impact of these attacks is small.”
Adversary-in-the-middle sites support business email compromise.
Microsoft Security researchers have found a campaign that uses adversary-in-the-middle techniques (AitM) to stage more effective business email compromise (BEC) attacks. Phishing messages directed victims to AitM sites that would steal passwords and hijack sign-in sessions, skipping authentication even where multifactor authentication had been enabled. The attackers used stolen credentials and session cookies to access victims’ mailboxes for more effective and plausible BEC attacks against the victims’ colleagues. Microsoft says that more than 10,000 organizations have been affected since last September. Redmond recommends continuous monitoring, advanced anti-phishing solutions, and conditional access policies to mitigate AitM risk.
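The continuous monitoring Microsoft recommends comes down to spotting a session cookie that was minted through one source and then presented from another. The detector below is an added example, not Microsoft’s code, and runs over a constructed sign-in and activity log in which session `s2` follows the AitM pattern: sign-in and MFA complete from the proxy’s address, then the stolen cookie is used from a different address and client, followed by an inbox-rule change of the kind that precedes BEC. The event names and fields are assumptions chosen for the illustration.

```python
# Constructed sample events from a sign-in/activity log (not from Microsoft's report).
EVENTS = [
    {"ts": "2022-07-11T09:00:00Z", "user": "alice@example.test", "session": "s1",
     "ip": "203.0.113.10", "ua": "Edge/103", "event": "signin"},
    {"ts": "2022-07-11T09:00:20Z", "user": "alice@example.test", "session": "s1",
     "ip": "203.0.113.10", "ua": "Edge/103", "event": "mfa_success"},
    {"ts": "2022-07-11T09:05:00Z", "user": "alice@example.test", "session": "s1",
     "ip": "203.0.113.10", "ua": "Edge/103", "event": "mailbox_read"},
    {"ts": "2022-07-11T10:00:00Z", "user": "bob@example.test", "session": "s2",
     "ip": "198.51.100.7", "ua": "Chrome/103", "event": "signin"},
    {"ts": "2022-07-11T10:00:15Z", "user": "bob@example.test", "session": "s2",
     "ip": "198.51.100.7", "ua": "Chrome/103", "event": "mfa_success"},
    {"ts": "2022-07-11T10:09:00Z", "user": "bob@example.test", "session": "s2",
     "ip": "192.0.2.44", "ua": "python-requests/2.28", "event": "mailbox_read"},
    {"ts": "2022-07-11T10:11:00Z", "user": "bob@example.test", "session": "s2",
     "ip": "192.0.2.44", "ua": "python-requests/2.28", "event": "inbox_rule_created"},
]

# Actions that, on a hijacked session, point to BEC preparation (assumed event names).
FOLLOW_ON = {"inbox_rule_created", "mail_forwarding_enabled", "mail_sent"}


def detect_session_hijack(events):
    """Flag sessions whose cookie is later presented from a source address other
    than the one that completed sign-in. A user-agent change and any follow-on
    mailbox actions are attached as supporting evidence."""
    origin = {}   # session -> (ip, ua) recorded at sign-in
    alerts = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        sid = e["session"]
        if e["event"] == "signin":
            origin[sid] = (e["ip"], e["ua"])
            continue
        if sid not in origin:
            continue  # no sign-in for this session in the window; out of scope here
        ip0, ua0 = origin[sid]
        if e["ip"] == ip0:
            continue
        a = alerts.setdefault(sid, {"user": e["user"], "session": sid,
                                    "signin_ip": ip0, "seen_from": set(),
                                    "ua_changed": False, "follow_on": []})
        a["seen_from"].add(e["ip"])
        a["ua_changed"] = a["ua_changed"] or e["ua"] != ua0
        if e["event"] in FOLLOW_ON:
            a["follow_on"].append(e["event"])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_session_hijack(EVENTS):
        print(alert)
```

A source-address change on its own is noisy (mobile networks and VPN egress move), which is why the alert carries the user-agent change and the follow-on mailbox actions as corroboration; the same signal is what a conditional access policy that binds a session to a compliant device removes at the front end.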
Silent validation carding bot discovered.
PerimeterX reports that its researchers have found a new silent validation carding bot. The bot takes stolen paycard data and attempts to store it in e-retailers’ wallet pages, where, if validated and accepted, it would become a stored payment method that could be used in future fraudulent transactions. This technique enables criminals to validate a card without alerting the card’s owner to the possibility of compromise. PerimeterX says the bot was detected and stopped before any actual fraud was committed.
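The bot’s tell is volume: one source presenting more distinct cards to a wallet page in a few minutes than any customer owns. The detector below is an added example, not PerimeterX’s, and runs over constructed “add payment method” events; the card field is assumed to be a tokenised fingerprint rather than the PAN, and the window and threshold are illustrative choices.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MAX_DISTINCT_CARDS = 3   # more cards than one customer plausibly stores in ten minutes

# Constructed wallet-page events (not PerimeterX data); "card" is a token, never a PAN.
EVENTS = [
    {"ts": "2022-07-12T08:00:00Z", "ip": "203.0.113.5", "account": "u100", "card": "fp-a1", "result": "accepted"},
    {"ts": "2022-07-12T08:00:40Z", "ip": "203.0.113.5", "account": "u100", "card": "fp-a1", "result": "accepted"},
    {"ts": "2022-07-12T12:00:00Z", "ip": "198.51.100.9", "account": "u200", "card": "fp-b1", "result": "declined"},
    {"ts": "2022-07-12T12:00:30Z", "ip": "198.51.100.9", "account": "u200", "card": "fp-b2", "result": "declined"},
    {"ts": "2022-07-12T12:01:00Z", "ip": "198.51.100.9", "account": "u201", "card": "fp-b3", "result": "accepted"},
    {"ts": "2022-07-12T12:01:30Z", "ip": "198.51.100.9", "account": "u201", "card": "fp-b4", "result": "declined"},
    {"ts": "2022-07-12T12:02:00Z", "ip": "198.51.100.9", "account": "u202", "card": "fp-b5", "result": "accepted"},
    {"ts": "2022-07-12T12:02:30Z", "ip": "198.51.100.9", "account": "u202", "card": "fp-b6", "result": "declined"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def flag_card_testing(events, window=WINDOW, max_cards=MAX_DISTINCT_CARDS):
    """Per source IP, keep a sliding window of wallet-add attempts and flag any
    IP that presents more than max_cards distinct cards inside it. Cards that
    were accepted on flagged accounts are the stored payment methods to review
    before they are used at checkout."""
    recent = defaultdict(deque)   # ip -> deque of (ts, card, account, result)
    flagged = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = _parse(e["ts"])
        q = recent[e["ip"]]
        q.append((ts, e["card"], e["account"], e["result"]))
        while ts - q[0][0] > window:
            q.popleft()
        cards = {c for _, c, _, _ in q}
        if len(cards) <= max_cards:
            continue
        f = flagged.setdefault(e["ip"], {"ip": e["ip"], "cards": set(),
                                         "accounts": set(), "accepted_cards": set()})
        f["cards"] |= cards
        f["accounts"] |= {a for _, _, a, _ in q}
        f["accepted_cards"] |= {c for _, c, _, r in q if r == "accepted"}
    return flagged


if __name__ == "__main__":
    for ip, finding in flag_card_testing(EVENTS).items():
        print(ip, sorted(finding["accounts"]), sorted(finding["accepted_cards"]))
```

Keying on the source address is the simplest cut; a bot that rotates addresses is caught by running the same window per account or per device fingerprint, and the accepted cards on the flagged accounts are the ones to remove so the validated data never becomes a stored payment method.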
Attempted social engineering at the European Central Bank.
Reuters reports that unidentified threat actors tried to inveigle European Central Bank (ECB) President Christine Lagarde into giving them an authentication code for WhatsApp that would have enabled them to open an account linked to Ms Lagarde’s phone number. The attackers claimed to be former German Chancellor Angela Merkel. “We can confirm that there was an attempted cyber incident recently involving the president,” an ECB spokesperson said. “It was identified and halted quickly. No information was compromised. We have nothing more to say as an investigation is ongoing.”
The not-Merkel said, according to the AP, that it would be easier and more secure if they could connect with Ms Lagarde over WhatsApp. The German edition of Business Insider reports that the attackers had Ms Lagarde’s mobile number and were able to spoof Ms Merkel’s number in their smishing text. “They wanted to use the Chancellor’s identity to obtain the authentication code of Lagarde’s existing or new messenger service account. This is actually used to verify the link between the personal account and the cell phone number. By sharing the code, the strangers could have taken over Lagarde’s account.”
Germany puts its shields up.
Aware of the potential threat of Russian cyberattacks, German authorities Tuesday announced a program of increased readiness and resilience. Deutsche Welle reports that Interior Minister Nancy Faeser explained the motivation for the increased state of alert: “The sea change we are facing in view of the Russian war of aggression against Ukraine requires a strategic repositioning and significant investment in our cybersecurity.” In addition to new, secure systems for exchanging information, the government intends to promote resilience in small- and medium-sized organizations. “That would apply to ‘critical infrastructure,’ businesses involved in transport, food, health, energy and water supply.”
Lilith enters the ransomware game.
Researchers at Cyble describe a new ransomware operation, “Lilith,” and BleepingComputer reports that the group not only operates a new strain of malware, but that it’s already posted the first victim to its double-extortion dump site. Cyble notes, “Throughout 2021 and 2022, we have observed record levels of ransomware activity. While notable examples of this are rebrands of existing groups, newer groups like LILITH, RedAlert, and 0mega are also proving to be potent threats.”
ChromeLoader makes a fresh appearance.
Palo Alto Networks’ Unit 42 describes new variants of the ChromeLoader malware now making their appearance in the wild. “This malware is used for hijacking victims’ browser searches and presenting advertisements,” the researchers write, “two actions that do not cause serious damage or leak highly sensitive data. However, based on the wide distribution the attackers gained in such a short time, they were able to inflict heavier damage than the damage inflicted by the two primary functions of the Chrome Extension.” The extension serves as adware and as an information stealer, pulling in the victim’s browser searches.
The gang using ChromeLoader seems to have clear ideas about what it’s up to. Unit 42 writes:
“Additionally, the authors were quite organized, labeling their different malware versions and using similar techniques throughout their attack routines. This probably made their lives easier while developing their attack framework and maintaining their attack chains, but unintentionally, this also made the investigation process significantly easier. In fact, it improved the research ability so much that we were able to detect two new versions of this malware – the first one and the latest, which have never been linked to this malware family before. Finally, this attack chain demonstrates two rising trends among malware authors that security products and even common users should be aware of – the use of ISO (and DMG) files and the use of browser extensions.”
A North Korean ransomware operation.
Microsoft describes an emerging North Korean ransomware operation it tracks as DEV-0530 that’s using a relatively new strain of ransomware called “H0lyGh0st.” The blasphemous name, Microsoft points out, is the hood’s own choice, not Redmond’s. DEV-0530, a provisional designation assigned until more is known about the group, is noteworthy in that it appears to be entirely financially motivated, and in that it selects small and midsized businesses as its targets. “MSTIC [the Microsoft Threat Intelligence Center] assesses that DEV-0530 has connections with another North Korean-based group tracked as PLUTONIUM (aka DarkSeoul or Andariel). While the use of H0lyGh0st ransomware in campaigns is unique to DEV-0530, MSTIC has observed communications between the two groups, as well as DEV-0530 using tools created exclusively by PLUTONIUM.”
The gang’s communications with its victims and others cop an altruistic and humanitarian line, claiming to be helping its victims improve their security posture (as if they were white-hat pentesters) and to be contributing to an egalitarian leveling of rich and poor to the advantage of the poor (as if they were Robin Hood).
The group is asking for between 1.2 and 5 Bitcoin in ransom (roughly $25,000 to $104,000 at current conversion rates), but so far, Microsoft says, their wallet seems to have remained empty, even though DEV-0530 has shown a willingness to negotiate their asking price.
Pyongyang has long used cybercrime as a source of income to redress the financial pressures it labors under due to the decades of international sanctions that have crippled the DPRK’s economy. It’s even more difficult to separate North Korean intelligence and security services from criminal activity than it is to tell the Russian privateers apart from the Russian organs, but this latest campaign is sufficiently ambiguous to suggest that it might be the work of a gang that’s obtained access to some state actors’ tools, or even the work of state actors who are moonlighting for personal gain. North Korean state actors have usually cast a broader net; DEV-0530 seems more tightly focused in its target selection. The activity remains under study, but in the meantime Microsoft has offered indicators of compromise and some advice for defenders.
Media organizations targeted by state actors.
Late Thursday Proofpoint released a study of recent activity by state actors directed against media organizations. The researchers find that China, North Korea, Turkey, and Iran have been particularly active in prospecting media organizations. “Proofpoint researchers have observed APT actors since early 2021 regularly targeting and posing as journalists and media organizations to advance their state-aligned collection requirements and initiatives.” Journalists’ social media accounts have been of particular interest to the threat groups.
On Tuesday, July 12th, the US Cybersecurity and Infrastructure Security Agency (CISA) released two Industrial Control System (ICS) Advisories, one for Dahua ASI7213X-T1 (“mitigations for Improper Input Validation”) and the other for Schneider Electric Easergy P5 and P3 (Update A) (“mitigation for Use of Hard-coded Credentials, Classic Buffer Overflow, and Improper Input Validation vulnerabilities in the Schneider Electric Easergy P5 medium voltage protection relay”). On Thursday, CISA released an unusually large number of ICS advisories, thirty in all. They include one mitigation for a vulnerability in an Open Design Alliance system. The other twenty-nine involved Siemens products.
CISA also added an entry to its Known Exploited Vulnerabilities Catalog. The latest addition, which the Federal civilian executive agencies CISA oversees are expected to address by August 2nd, is CVE-2022-22047, a Microsoft Windows Client Server Runtime Subsystem (CSRSS) Privilege Escalation Vulnerability. The remedy is to apply Microsoft’s patch.
This past Tuesday was July’s Patch Tuesday, and Microsoft released fixes for eighty-four issues, including the aforementioned CVE-2022-22047 that CISA wants US Federal agencies to take care of. SAP also patched, issuing twenty new security notes as well as three updates to earlier advisories.
Crime and punishment.
The second trial of Joshua Schulte has ended in a guilty verdict. Mr. Schulte, a former CIA employee, was arrested after WikiLeaks’ 2017 disclosure of the “Vault 7” classified documents that outlined Langley’s methods of penetrating networks operated by its intelligence targets, the New York Times reports. His first trial had resulted in convictions for contempt of court and lying to Federal investigators, but the jury had been unable to reach a verdict on the more serious charges of which he has now been convicted. The US Attorney for the Southern District of New York, who prosecuted Mr. Schulte, offered a brief statement on the outcome of the trial:
“Joshua Adam Schulte was a CIA programmer with access to some of the country’s most valuable intelligence-gathering cyber tools used to battle terrorist organizations and other malign influences around the globe. When Schulte began to harbor resentment toward the CIA, he covertly collected those tools and provided them to WikiLeaks, making some of our most critical intelligence tools known to the public – and therefore, our adversaries. Moreover, Schulte was aware that the collateral damage of his retribution could pose an extraordinary threat to this nation if made public, rendering them essentially useless, having a devastating effect on our intelligence community by providing critical intelligence to those who wish to do us harm. Today, Schulte has been convicted for one of the most brazen and damaging acts of espionage in American history.”
Courts and torts.
Social media giant Twitter is reportedly suing Elon Musk after he moved to terminate his acquisition of the company, the Wall Street Journal reports. Mr Musk claims that Twitter has not provided the information and data he requested to assess the prevalence of fake and spam accounts and was “in material breach of multiple provisions” of the agreement, whereas the company claims it has “bent over backwards” to get him the information he has requested. Twitter also reports that Mr Musk breached the agreement terms by tweeting that the deal was “on hold” in May. The suit was filed in Delaware Chancery Court on Tuesday.
Policies, procurements, and agency equities.
In anticipation of the launch of the 5G technology standard for broadband cellular networks, anticipated to roll out in early 2023, Asia Financial reports that India is making it more difficult for Chinese IT vendors to sell to local operators. The Department of Telecommunications announced this week that telecom licenses will require operators to purchase equipment from “trusted sources” for both network expansion and upgrade projects, closing a loophole that some operators were using to justify acquiring equipment from Chinese manufacturers like Huawei and ZTE. Unfortunately, the new rules could make it harder for smaller firms to find affordable equipment. Mahesh Uppal, the founder of Delhi-based telecom consultancy firm Com First, explains, “Outsiders, barring the government, have no idea which equipment could be termed as coming from ‘reliable sources.’ For the operators to move away from Chinese equipment would certainly involve higher costs and this is bad news for them.”