At a glance.

  • Pegasus spyware observed in Thailand.
  • New North Korean ransomware group.
  • Cozy Bear uses online storage services.
  • A new technique against air-gapped systems.

Pegasus spyware observed in Thailand.

Researchers at the University of Toronto’s Citizen Lab have observed the Pegasus spyware being used in “an extensive espionage campaign targeting Thai pro-democracy protesters, and activists calling for reforms to the monarchy.” The spyware targeted at least thirty people between October 2020 and November 2021, and coincided with pro-democracy protests in Thailand. Citizen Lab doesn’t definitively attribute the campaign to the Thai government, but they believe it’s unlikely that another nation-state would be interested in these targets:

“Conducting such an extensive hacking campaign against high profile individuals in another country is risky and runs the possibility of discovery, especially given the well-known previous cases where Pegasus infections were publicly discovered and publicly disclosed.

“In addition, the victimology, and in some cases the timing of the infections, reflects information that would be easily available to the Thai authorities, such as non-public relationships and financial activity, but substantially more challenging for other governments to obtain.”

New North Korean ransomware group.

Microsoft warns that a North Korean threat actor that calls itself “H0lyGh0st” is targeting small and midsize businesses in several countries with ransomware. The victims include “manufacturing organizations, banks, schools, and event and meeting planning companies.” Microsoft tracks the threat actor as DEV-0530, and notes that it’s not clear if Pyongyang is behind the operation or if North Korean government employees are acting independently for their own financial gain:

“The first possibility is that the North Korean government sponsors this activity. The weakened North Korean economy has become weaker since 2016 due to sanctions, natural disasters, drought, and the North Korean government’s COVID-19 lockdown from the outside world since early 2020. To offset the losses from these economic setbacks, the North Korean government could have sponsored cyber actors stealing from banks and cryptocurrency wallets for more than five years. If the North Korean government is ordering these ransomware attacks, then the attacks would be yet another tactic the government has enabled to offset financial losses.

“However, state-sponsored activity against cryptocurrency organizations has typically targeted a much broader set of victims than observed in DEV-0530 victimology. Because of this, it is equally possible that the North Korean government is not enabling or supporting these ransomware attacks. Individuals with ties to PLUTONIUM infrastructure and tools could be moonlighting for personal gain. This moonlighting theory might explain the often-random selection of victims targeted by DEV-0530.”

Cozy Bear uses online storage services.

Researchers at Palo Alto Networks’ Unit 42 note that Cloaked Ursa (also known as APT29 or Cozy Bear—a threat actor associated with Russia’s SVR) has been using online storage services including Google Drive and Dropbox to host their malware:

“Since early May, Cloaked Ursa has continued to evolve their abilities to deliver malware using popular online storage services. Their two most recent campaigns demonstrate their sophistication and their ability to obfuscate the deployment of their malware through the use of DropBox and Google Drive services. This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide.”

A new technique against air-gapped systems.

Security researcher Mordechai Guri from Ben-Gurion University has published a paper on a new technique for stealing data from air-gapped systems using serial ATA (SATA) cables. Guri explains that SATA “is a bus interface widely used in modern computers and connects the host bus to mass storage devices such as hard disk drives, optical drives, and solid-state drives.” The attacker would still need to infect a system within four feet of the air-gapped system in order to steal data from it, but Guri notes that “the SATA interface is highly available to attackers in many computers, devices, and networking environments.”