At a glance.

  • Cyberattacks hit Albania.
  • Threat actors prospect journalists.
  • GRU said to be trolling researchers who look into Sandworm.
  • Malicious apps ejected from Google Play.
  • SVR cyberespionage exploits penetration-testing tools.
  • FBI warns of apps designed to defraud cryptocurrency speculators.
  • Belgium accuses China of cyberespionage.
  • LockBit ransomware spreading through compromised servers.
  • Report: password stealing and impersonation risks in identity management product.
  • Micodus GPS tracker vulnerabilities.
  • A criminal talent broker.
  • A developing threat to financial institutions.
  • Phishing through PayPal.
  • Lessons to be learned from LAPSUS$, post-flameout.
  • Conti’s fate and effects.

Cyberattacks hit Albania.

Albania sustained a major cyberattack Sunday, Balkan Insight and other sources report. Government sources stress the attacks’ foreign origin and unprecedented scope. “Albania is under a massive cybernetic attack that has never happened before. This criminal cyber-attack was synchronized…from outside Albania,” the Council of Ministers said in a statement. Cybernews quotes the Albanian National Agency for the Information Society (AKSHI) on the government’s decision to shut down some of its online services: “In order to withstand these unprecedented and dangerous strikes, we have been forced to close down government systems until the enemy attacks are neutralized.” Among the services disrupted are, according to Exit, “the websites of Parliament and the Prime Minister’s Office, as well as e-Albania—the government portal that all Albanians, as well as foreign residents and investors, have to use to use a slew of public services.” Services were still undergoing restoration today. Little information is available about the details of the attacks, and so far there’s been no attribution.

Threat actors prospect journalists.

Observers continue to comment on Proofpoint’s study of attempts by intelligence services in Turkey, Iran, China, and North Korea to either impersonate journalists or gain access to news media networks. BleepingComputer describes the attempts as preparatory activity intended to serve broader espionage campaigns: “The adversaries are either masquerading or attacking these targets because they have unique access to non-public information that could help expand a cyberespionage operation.” Their efforts include both spoofing and credential harvesting.

Forbes sought advice from Proofpoint for media outlets and working journalists. “’There are a number of ways journalists can protect themselves from APT attacks,’ Sherrod DeGrippo, Proofpoint vice president of threat research and detection, told me. ‘One is for journalists and their associated outlets to understand their overall level of risk. For example, we have seen targeted attacks against academics and foreign policy experts, particularly those working on Middle Eastern foreign affairs, so individuals in this line of work should be particularly cautious. Another is if journalists are going to use email addresses outside of their corporate domain, such as Gmail or ProtonMail, they should list those publicly on their website so public sources can verify whether or not it’s a legitimate email. Conversely, experts approached by journalists should check the journalist’s website to see if the email address belongs to the journalist.’”

Proofpoint also suggested that all organizations try to arrive at some clarity concerning which of their people are most likely to receive this sort of attention, and that they tailor their training and other protective measures appropriately.

GRU said to be trolling researchers who look into Sandworm.

Dark Reading reports that ESET, which will be offering a report on countermeasures to the Sandworm malware Industroyer 2 at Black Hat next month, says it’s being trolled by the GRU. “The Sandworm attackers disguised the loader for one of its data-wiping variants as the IDAPro reverse-engineering tool — the very same tool the researchers had used to analyze the attackers’ malware.” ESET thinks this is no coincidence, but rather a right-back-at-you from the Aquarium to let ESET know that the GRU knows what ESET’s studying, and that the GRU doesn’t care. ESET’s Robert Lipovsky said, “It’s fairly clear the attackers are fully aware we are onto them and blocking their threats. They are maybe trolling us, I would say.” Lipovsky also said the GRU deployed a Trojanized version of ESET security products in the course of its attacks on Ukrainian networks. “They were sending a message that they were aware we are doing our job protecting the users in Ukraine,” he observed.

Malicious apps ejected from Google Play.

Zscaler describes its identification of three familiar strains of malware that have made a reappearance in Google’s Play Store. The security firm’s researchers found numerous apps hosting Joker (which steals “SMS messages, contact lists, and device information” and then signs the victim up for premium and unwanted wireless application protocol (WAP) services), Facestealer (which is designed to take victims’ Facebook credentials as well as auth tokens), and Coper (a banking Trojan that’s been particularly active in Europe, Australia, and South America). Google has ejected the infested apps from the Play Store, and Zscaler advises that users take the usual precautions when they consider installing an app.

SVR cyberespionage exploits penetration-testing tools.

Palo Alto Networks’ Unit 42 reported Tuesday morning that the Russian threat actor Cozy Bear (associated with the SVR foreign intelligence service and also known as Cloaked Ursa, APT29, and Nobelium) is leveraging trusted, legitimate cloud services in its campaigns, the better to avoid detection. Its two most recent campaigns have used Google Drive cloud storage services, and when this is combined with encryption, malicious activity is more difficult to detect. The most recent campaigns have had diplomatic themes, with lures purporting to be the agenda of an ambassadorial meeting, and are believed to have targeted Western diplomats between May and June of 2022. The documents suggest the target to be either foreign embassies in Portugal or foreign embassies in Brazil. The payload is carried in a link to a malicious HTML file that drops Cobalt Strike.

Cobalt Strike is, of course, a legitimate penetration-testing toolset that’s often abused by threat actors. It’s not the only such tool that’s being misused this way. See Unit 42’s earlier post describing the SVR’s use of the less-well-known Brute Ratel tools in similar campaigns.

FBI warns of apps designed to defraud cryptocurrency speculators.

The US Federal Bureau of Investigation (FBI) Monday warned that cybercriminals again have alt-coin speculators in their sights. The Bureau says it’s “observed cyber criminals contacting US investors, fraudulently claiming to offer legitimate cryptocurrency investment services, and convincing investors to download fraudulent mobile apps, which the cyber criminals have used with increasing success over time to defraud the investors of their cryptocurrency.” Losses have in some cases run into the millions. The approach trades upon the victims’ avidity for gain and their desire for convenience: who wouldn’t want an app to help navigate the go-go world of crypto investing? Some of the apps represent themselves as being connected to legitimate (or at least formerly legitimate) exchanges. The FBI warns users to exercise due skepticism about offers of trading apps, and urges financial institutions not only to caution their customers about the risks of large financial transfers, but also to be alert for criminal impersonation of their brand.

Belgium accuses China of cyberespionage.

Belgium’s Foreign Ministry has accused China of an extensive cyberespionage campaign against numerous Belgian targets, including the country’s Ministries of Interior and Defense. The specific threat groups singled out include APT27, APT30, APT31, and Gallium, this last group also tracked as Softcell and UNSC 2814. “Belgium strongly denounces these malicious cyber activities, which are undertaken in contradiction with the norms of responsible state behaviour as endorsed by all UN member states,” the Foreign Ministry’s statement said in part. “We continue to urge the Chinese authorities to adhere to these norms and not allow its territory to be used for malicious cyber activities, and take all appropriate measures and reasonably available and feasible steps to detect, investigate and address the situation.”

BleepingComputer reports that China says, in effect, prove it, and by the way, you can’t, because China is the real victim here. The full response of the Chinese embassy in Brussels is familiar stuff: “We have taken note of the statement. It is extremely unserious and irresponsible of the Belgian side to issue a statement about the so-called ‘malicious cyberattacks’ by Chinese hackers without any evidence. On the one hand, the Belgian side refuses to provide the factual basis and, on the other hand, it makes groundless accusations and deliberately denigrates and smears China. We express our strong dissatisfaction and our firm opposition. On the issue of cybersecurity, China is square, frank and open. China has always been a strong advocate of cybersecurity and one of the main victims of cyberattacks.”

LockBit ransomware spreading through compromised servers.

Researchers at the Symantec Threat Hunter Team, part of Broadcom Software, Wednesday reported that threat actors are targeting servers with LockBit ransomware. Their goal is to spread the ransomware through compromised networks. One attack utilizing LockBit has been seen identifying domain-related information, creating a group policy, and executing a “gpupdate /force” command to update the group policy. The threat actors behind LockBit, which Symantec tracks as Syrphid, first appeared in September 2019 and quickly expanded their operations through a network of affiliates.
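Detection logic for the GPO-push step described above, written here as an added example (it is not Symantec’s code or any of its published rules). The pipe-delimited sample events, the use of Windows Security events 4688 (process creation) and 5137 (directory object creation), the ten-minute window and the two-host threshold are all constructed assumptions.

```python
"""Flag a newly created Group Policy object followed by forced refreshes on many hosts.

Assumed (constructed) event format, one per line: timestamp|event_id|host|user|detail
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed: how soon after GPO creation the refresh must follow
MIN_HOSTS = 2                    # assumed: one host refreshing policy is routine admin work

# Constructed sample events (not real telemetry). The 5137 line is a GPO creation
# (groupPolicyContainer is the AD object class of a GPO); the 4688 lines are process starts.
SAMPLE_EVENTS = """\
2022-07-18T09:00:12|4688|WS01|CORP\\alice|C:\\Windows\\System32\\notepad.exe
2022-07-18T09:14:03|4688|DC01|CORP\\svc_backup|C:\\Windows\\System32\\nltest.exe /dclist:corp
2022-07-18T09:15:40|5137|DC01|CORP\\svc_backup|CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=corp,DC=local groupPolicyContainer
2022-07-18T09:16:05|4688|WS01|CORP\\svc_backup|C:\\Windows\\System32\\gpupdate.exe /force
2022-07-18T09:16:07|4688|WS02|CORP\\svc_backup|C:\\Windows\\System32\\gpupdate.exe /force
2022-07-18T09:16:09|4688|WS03|CORP\\svc_backup|C:\\Windows\\System32\\gpupdate.exe /force
2022-07-18T11:30:00|4688|WS04|CORP\\bob|C:\\Windows\\System32\\gpupdate.exe /force
"""


@dataclass
class Event:
    ts: datetime
    event_id: int
    host: str
    user: str
    detail: str


def parse_events(text):
    """Parse the pipe-delimited lines into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, host, user, detail = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), int(eid), host, user, detail))
    return events


GPO_CREATE = re.compile(r"groupPolicyContainer", re.I)
GPUPDATE_FORCE = re.compile(r"gpupdate(\.exe)?\s+/force", re.I)


def find_gpo_push(events, window=WINDOW, min_hosts=MIN_HOSTS):
    """Return one alert per GPO creation followed, within `window`, by
    'gpupdate /force' on at least `min_hosts` distinct hosts."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for e in events:
        if e.event_id != 5137 or not GPO_CREATE.search(e.detail):
            continue
        hosts = sorted({
            f.host for f in events
            if f.event_id == 4688
            and e.ts <= f.ts <= e.ts + window
            and GPUPDATE_FORCE.search(f.detail)
        })
        if len(hosts) >= min_hosts:
            alerts.append({"gpo": e.detail.split()[0], "created_by": e.user,
                           "created_at": e.ts.isoformat(), "hosts": hosts})
    return alerts


if __name__ == "__main__":
    for alert in find_gpo_push(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The lone refresh on WS04 two hours later falls outside the window and is not reported; tune the window and host threshold to the size of the domain.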

This version of LockBit delivers a double-extortion attack, both encrypting files and threatening public exposure of stolen data. LockBit is selective in its targeting, sparing Russia and a small selection of countries in the near abroad. It runs a language check, and, should it detect Azeri, Kazakh, Kyrgyz, Russian, Tajik, Turkmen, or Uzbek, the malware terminates.

LockBit is a ransomware-as-a-service operation, and it’s replaced the now-possibly defunct Conti atop the C2C market leaderboard. Its rise is thus partially opportunistic, but Symantec sees other keys to its success. “LockBit’s success is also due to its developers’ and affiliates’ continued evolution of features and tactics, which include the malware’s fast encryption speed, ability to target both Windows and Linux machines, its brash recruitment drives, and high-profile targets. In addition, as previously mentioned, the launch of a rewards program for vulnerabilities in LockBit’s code and for suggestions on improving the RaaS operation will no doubt help the ransomware remain a serious threat to organizations.”

Report: password stealing and impersonation risks in identity management product.

Security firm Authomize reports that Okta identity provider tools present users with four serious security risks:

  1. “Clear text Password extraction via SCIM [System for Cross-domain Identity Management]
  2. “Sharing of Passwords and sensitive data over unencrypted channels (HTTP)
  3. “Hub & spoke configuration allows sub-org admins to compromise accounts in the hub or other spokes downstream
  4. “Mutable identity log spoofing”

Okta responded that it had looked into Authomize’s report, and that it’s concluded that these don’t represent vulnerabilities, but rather are features of the way their product functions, and that any attendant risks can be addressed by following the best practices Okta recommends. “On July 19, 2022, a security consultancy released a blog post with claims related to the security of specific features of the Okta service. Prior to the release of their blog post, the security researcher reached out to Okta, sharing the technical details of their findings. After a thorough review, our internal product and security teams affirmed that the areas of concern highlighted are not vulnerabilities.”

Micodus GPS tracker vulnerabilities.

Researchers at BitSight have issued a report on vulnerabilities in the popular Micodus MV720 automotive GPS tracker. The MV720 is designed for both fleet management and theft protection. In addition to simply tracking vehicles in which it’s installed, the MV720 offers anti-theft, fuel cut off, remote control, and geofencing features. All of these are susceptible to exploitation in a variety of ways. As BitSight puts it, “The exploitation of these vulnerabilities could have disastrous and even life-threatening implications. For example, an attacker could exploit some of the vulnerabilities to cut fuel to an entire fleet of commercial or emergency vehicles. Or, the attacker could leverage GPS information to monitor and abruptly stop vehicles on dangerous highways. Attackers could choose to surreptitiously track individuals or demand ransom payments to return disabled vehicles to working condition. There are many possible scenarios which could result in loss of life, property damage, privacy intrusions, and threaten national security.”

The researchers say they’ve been trying to get through to Micodus since September of last year, and the account of their attempts at responsible disclosure forms a story of virtue under trial worthy of Samuel Richardson’s Clarissa. In brief, BitSight says Micodus never replied, and eventually when BitSight turned to the US Cybersecurity and Infrastructure Security Agency (CISA), CISA had no better luck getting through. Guangdong-based Micodus says on its website that it values customer feedback, but there was no mention on their site of any of the issues BitSight uncovered. Nor are there any fixes or updates available. BitSight thinks all users should disable their MV720s at once, and stop using them until a reliable fix for the vulnerabilities is available. CISA, while noting that no public exploitation of the vulnerabilities has so far been seen, basically agrees, and thinks users should take care to isolate their networks from the vulnerable devices.

A criminal talent broker.

Cyberint reports that they have discovered a new threat group emerging, the Atlas Intelligence Group, also known as the Atlantis Cyber-Army. Atlas is unusual in its recruitment of “cyber-mercenaries” to do specific jobs for campaigns known only to the administrators. The group has been operating and growing since May of this year, advertising in Telegram markets and its own dedicated Telegram accounts. Their customers access their services in an e-commerce store hosted on the Sellix platform.

One “Mr. Eagle,” who presents himself as the group’s leader, has advertised Atlas Intelligence Group’s variety of services, which include exclusive data leaks, distributed denial-of-service (DDoS) campaigns for hire, RDP attacks, and initial access. The group suggests in its advertising that it has connections with corrupt law enforcement personnel in Europe, but such claims, of course, are difficult to verify. “Most of their databases for sale are government related,” Cyberint says, “while access to RDP clients and webshells that are being sold, mostly belong to organizations from the finance, education and manufacturing industries.”

The permanent staff includes Mr. Eagle and perhaps four admins. They’re engaged, fundamentally, in outsourcing, acting as recruiters and brokers for the talent that actually delivers the illicit services: rogue pentesters, social engineering specialists, and malware developers.

The Atlas Intelligence Group has been seen to target countries around the world, including the US, Pakistan, Israel, Colombia, and the United Arab Emirates. Cyberint doesn’t say who buys from Atlas. Calling them “mercenaries” suggests that their clientele may be states, but then criminal gangs bring in hired guns as well. (A note on naming: Atlas Intelligence Group is referred to in some reports as “AIG,” and is not to be confused with the large and legitimate insurance and financial services company American International Group.)

A developing threat to financial institutions.

Proofpoint Thursday released a study of the TA4563 threat group and the EvilNum malware it’s deployed against financial institutions, mostly in Europe. The group is particularly interested in financial institutions that deal with foreign exchange, cryptocurrency, and decentralized finance (DeFi). EvilNum itself is a backdoor that, once in place, can be used either for data theft or for staging further malware.

“EvilNum malware and the TA4563 group pose a risk to financial organizations,” Proofpoint concludes. “Based on Proofpoint analysis, TA4563’s malware is under active development. Although Proofpoint did not observe follow-on payloads deployed in identified campaigns, third-party reporting indicates EvilNum malware may be leveraged to distribute additional malware including tools available via the Golden Chickens malware-as-a-service. TA4563 has adjusted their attempts to compromise the victims using various methods of delivery, whilst Proofpoint observed this activity and provided detection updates to thwart this activity, it should be noted that a persistent adversary will continue to adjust their posture in their compromise attempts.”

Phishing through PayPal.

Avanan reported that criminals have been seen using a PayPal account to distribute phishing emails. “Starting in June 2022, Avanan researchers have seen hackers use PayPal to send malicious invoices and request payments. The hackers send the email from PayPal’s domain, using a free PayPal account that they have signed up for, with the email body spoofing brands like Norton.”

The approach is similar to one seen earlier this summer in which criminals used QuickBooks to send phishing emails. The tactic is attractive because most Allow Lists view QuickBooks domains as legitimate and pass the email right through. Avanan researchers call the practice of attackers using websites that appear on static Allow Lists to get into a victim’s inbox “The Static Expressway.” This same tactic is being used again with PayPal, where criminals have sent out fake invoices that rely on the legitimacy of PayPal to reach inboxes. The threat actors create a free PayPal account impersonating brands like Norton, and send out a fake invoice that appears to the victim to be for the company’s services. Reportedly, the attack works because of what is known on the dark web as a “double spear:” they induce the victim to call a number and pay the invoice, which gives the attackers not only your email, but your phone number (and all too often your money as well).

Lessons to be learned from LAPSUS$, post-flameout.

The LAPSUS$ Group, which blazed like a skyrocket last year with its gaudy, wild, and opportunistic data theft and doxing extortion scams, has now effectively fizzled out. Some of its script-kiddie leaders have received police attention, and the group no longer seems to be a player in the underworld. Tenable has published a look at the LAPSUS$ record with a view to seeing what can be learned from the group’s career. LAPSUS$ was motivated equally, it seems, by cash and cachet. Specifically, three characteristics can be discerned in the group’s history:

  • “Lower maturity tactics and behaviors”
  • “Priority for clout and notoriety”
  • “Primarily focused on monetary goals”

The group’s career followed the sort of arc one might expect. It began with DDoS and website vandalism, then moved up to data theft. Tenable sums the group’s life like this: “Characterized by erratic behavior and outlandish demands that cannot be met — at one point, the group even accused a target of hacking back — the LAPSUS$ group’s tenure at the forefront of the cybersecurity newscycle was chaotic. It’s hard to say how much money the LAPSUS$ group has earned from its enterprise, but it cannot be denied that the group gained notoriety, for better or worse. Three months since the peak of LAPSUS$ attacks and the arrests, the group remains largely inactive.”

Conti’s fate and effects.

In the course of a discussion with Advanced Intelligence over the firm’s study of Conti’s attack against Costa Rican networks, BleepingComputer offers a useful summary of what’s happened to the gang. It’s effectively rebranded through dispersal, its alumni now working for the Quantum, Hive, AvosLocker, BlackCat, and Hello Kitty gangs. Security Boulevard calls these “splinter RaaS [ransomware-as-a-service] groups.”

Patch news.

CISA released two more ICS advisories on July 19th: a new advisory for MiCODUS MV720 GPS Tracker (“mitigations for Use of Hard-coded Credentials, Improper Authentication, Cross-site Scripting, and Authorization Bypass Through User-controlled Key vulnerabilities in the MiCODUS MV720 GPS tracker”) and a follow-up for Dahua ASI7213X-T1 (Update A) (“mitigations for Unrestricted Upload of File with Dangerous Type, Authentication Bypass by Capture-replay, and Generation of Error Message Containing Sensitive Information vulnerabilities in the Dahua ASI7213X-T1 facial recognition access controller”).

Six more ICS security advisories were released Thursday, for ABB Drive Composer, Automation Builder, Mint Workbench (“mitigations for an Improper Privilege Management vulnerability in ABB Drive Composer, Automation Builder, and Mint Workbench products”), Johnson Controls Metasys ADS, ADX, OAS (“mitigations for a Missing Authentication for Critical Function vulnerability in Johnson Controls Metasys ADS, ADX, OAS with MUI products”), Rockwell Automation ISaGRAF Workbench (“mitigations for Deserialization of Untrusted Data and Path Traversal vulnerabilities in ISaGRAF Workbench, an automation development tool”), ICONICS Suite and Mitsubishi Electric MC Works64 Products (“mitigations for Path Traversal, Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere, Out-of-Bounds Read vulnerabilities in SCADA products”), Automation Direct Stride Field IO (“mitigations for a Cleartext Transmission of Sensitive Information vulnerability in AutomationDirect Stride Field I/O products”), and Rockwell Automation ISaGRAF (Update A) (an update to an earlier advisory, this “contains mitigations for an Improper Restriction of XML External Entity Reference vulnerability in Rockwell Automation ISaGRAF software products”).

Crime and punishment.

The US Justice Department has announced the recovery of some $500 thousand from North Korean state-sponsored cybercriminals who targeted healthcare organizations with Maui ransomware. US Deputy Attorney General Lisa Monaco cited the operation as an instance of a renewed focus on claw-back operations, and as a positive example of close private-sector cooperation with law enforcement. While the recovery is welcome, CNN points out that the amount is small relative to the hundreds of millions Pyongyang’s hackers are believed to have stolen in recent years.

Policies, procurements, and agency equities.

On Monday the Cybersecurity and Infrastructure Security Agency (CISA) announced that it will establish its first Attaché Office abroad this month, and that it will be located in London. “The Attaché Office will serve as a focal point for international collaboration between CISA, UK government officials, and other federal agency officials,” the agency’s announcement said. “The CISA Attaché will advance CISA’s missions in cybersecurity, critical infrastructure protection, and emergency communications, and leverage the agency’s global network to promote CISA’s four international strategic goals:

  • “Advancing operational cooperation
  • “Building partner capacity
  • “Strengthening collaboration through stakeholder engagement and outreach
  • “Shaping the global policy ecosystem”

CISA’s first Attaché will be Julie Johnson, most recently Regional Protective Security Advisor for CISA in New York and also CISA’s regional lead for Federal interagency working groups. She came to CISA from the US Department of State, where she worked in the Bureau of Intelligence and Research, Bureau of International Narcotics and Law Enforcement, and Bureau of Educational and Cultural Affairs.

The replacement of both the head of Ukraine’s SBU intelligence service and the country’s chief prosecutor (technically suspensions, since there’s the possibility of their restoration to office pending the outcome of investigation) indicates the extent to which Kyiv is troubled by the problems of disloyalty in the security and intelligence services. The SBU, like its Russian counterparts the FSB and SVR, is a successor organization to the old Soviet KGB, with all the liabilities that come with that heritage: corruption, cronyism, and, perhaps most significantly, susceptibility to compromise by its Russian counterparts. The Telegraph describes some of the specific incidents that prompted the suspensions, and its account points out the difficulties involved in reforming a service with deep institutional roots and a questionable cultural heritage. Contentious Ukrainian domestic politics further complicates efforts at reform.