At a glance.

  • Twitter investigates apparent data breach.
  • Ransomware C2 staging discovered.
  • A C2C offering that’s restricted to potential privateers.
  • CosmicStrand UEFI firmware rootkit is out in a new and improved version.
  • Treating thieves like white hats?
  • IBM on the cost of a data breach: automation pays, and so does incident response planning.
  • Help wanted (C2C edition).
  • Private-sector offensive actors.
  • Pyongyang’s [un]H0lyGh0st.
  • Malicious macros may no longer be the royal road to compromise.

Twitter investigates apparent data breach.

Twitter is looking into the possibility that data from a breach are now being posted on the dark web. Restore Privacy traces the incident to reports in HackerOne back in January of a breach that had the potential of exposing user information even when that information was hidden in privacy settings. Twitter closed the vulnerability and paid the researcher who reported it a bug bounty. But it appears possible that the vulnerability has been exploited to collect a very large tranche of user data. Restore Privacy says that at least some of the data released as a teaser are authentic, and that the criminal who holds them (nom-de-hack “devil”) is offering the database for sale. Bidding starts at $30 thousand.

9 to 5 Mac sees the principal risk in the compromised data as more plausible, more effective phishing campaigns. Twitter told the Record that it’s investigating, but their comments focused principally on the January vulnerability disclosure. “We received a report of this incident several months ago through our bug bounty program, immediately investigated thoroughly and fixed the vulnerability. As always, we’re committed to protecting the privacy and security of the people who use Twitter,” a Twitter spokesperson said, after noting that the company was looking into the most recent claims. “We’re grateful to the security community who engages in our bug bounty program to help us identify potential vulnerabilities such as this. We are reviewing the latest data to verify the authenticity of the claims and ensure the security of the accounts in question.”

Ransomware C2 staging discovered.

Censys reports finding a criminal ransomware operation that’s being staged, and the discovery comes before actual attacks appear to have been carried out. The gang involved is Russian. “Censys assesses that initially discovered Russian Hosts A & B with Metasploit and Deimos C2 are possibly initial attack vectors to take over victim hosts. Russian Hosts F & G possess malware capable of disabling anti-virus and performing a ransomware attack, with beacons to two Bitcoin nodes that likely receive ransomware payment from victims.” Some of the attack infrastructure, the researchers say, has been put in place in the US. “Additionally, Censys located a host in Ohio also possessing the Deimos C2 tool discovered on the initial Russian host and, leveraging historical analysis, discovered that the Ohio host possessed a malware package with software similarities to the Russian ransomware hosts possessing PoshC2 mentioned above, in October 2021.”

The Record points out that Censys duly acknowledges the role CISA played in the discovery. “Part of how Censys was able to tie the hosts to MedusaLocker was from a Cybersecurity and Infrastructure Security Agency (CISA) report released three weeks ago that spotlighted the ransomware group and provided email addresses, IP addresses and TOR addresses that the group uses,” the Record reports.

A C2C offering that’s restricted to potential privateers.

SecurityWeek reports that Luna ransomware, a cross-platform capable attack tool coded in Rust that’s landed with some éclat recently in the criminal-to-criminal markets, is being offered only to russophone affiliates. Criminals speaking other languages can shop elsewhere.

CosmicStrand UEFI firmware rootkit is out in a new and improved version.

Researchers at Kaspersky have identified a new UEFI (Unified Extensible Firmware Interface) firmware rootkit they’re calling “CosmicStrand,” an updated version of a rootkit that Qihoo360 discussed in 2017. CosmicStrand appears in Gigabyte or ASUS motherboard firmware images, and, while Kaspersky hasn’t been able to determine how the infection occurs, they think it likely that a common vulnerability in the H81 chipset is being exploited. The rootkit can be used to deploy a range of malicious payloads.

The victimology is interesting, and the attackers’ motives are difficult to discern. “We were able to identify victims of CosmicStrand in China, Vietnam, Iran and Russia,” Kaspersky wrote. “A point of interest is that all the victims in our user base appear to be private individuals (i.e., using the free version of our product) and we were unable to tie them to any organization or even industry vertical.” Attribution is unclear, although signs point to Chinese, or at least Chinese-speaking, authorship. CosmicStrand offers an attacker the prospect of great persistence and extraordinary stealth. And it prompts some disturbing speculation from Kaspersky about the unknown unknowns that may still be out there: “The most striking aspect of this report is that this UEFI implant seems to have been used in the wild since the end of 2016 – long before UEFI attacks started being publicly described. This discovery begs a final question: if this is what the attackers were using back then, what are they using today?”

Treating thieves like white hats?

Cryptocurrency platforms who’ve seen their holdings looted by cyber thieves are increasingly offering the criminals who’ve rifled the platforms’ wallets a reward if they’ll return a substantial fraction of what they’ve stolen. According to the Wall Street Journal, legitimate vulnerability researchers, white-hat bug hunters, are unhappy about their own trade being conflated with that of the criminals. The payments are a very small fig leaf placed over a ransom payment, which isn’t at all the case with legitimate bug bounties. The sort of crime the cryptocurrency platforms are dealing with isn’t in the first instance extortion; it’s direct theft, and it’s difficult to see this particular business strategy as likely to do anything other than stoke the existing bandit economy.

IBM on the cost of a data breach: automation pays, and so does incident response planning.

IBM Security has released its seventeenth annual Cost of a Data Breach Report. The research, conducted by Ponemon Institute and sponsored, analyzed and published by IBM Security, analyzed 550 organizations that fell victim to a data breach between March of 2021 and March of 2022. Researchers found that 83% of organizations had more than one data breach. It was discovered that 60% of the breaches led to increases in customer prices, with the costs of a data breach averaging $4.35 million. The critical infrastructure sector was disproportionately impacted financially by breaches, with impacted organizations averaging costs of $4.82 million. It pays, however, to have protection in place – $3.05 million was saved, on average, by companies with fully deployed security AI and automation systems, and $2.66 million was saved by companies with an incident response team and plan.

Data breaches, IBM thinks, are having an effect upon economic conditions in general. “The findings suggest these incidents may also be contributing to rising costs of goods and services,” the company said. “In fact, 60% of studied organizations raised their product or services prices due to the breach, when the cost of goods is already soaring worldwide amid inflation and supply chain issues.” The toll breaches exact amounts to “an invisible cyber tax.”

Help wanted (C2C edition).

Huntress contacted us Tuesday with a note about the way they’re seeing threat actors target managed services providers (MSPs) in their supply chain attacks. “Huntress researchers discovered a Beeper thread from July 18, 2022 looking for a partner to help process stolen data from over 50 American MSPs, 100 ESXi, and more than 1,000 servers. The hacker boasted a ‘high profit share,’ with only little left to do before exploiting the data.” Huntress reminds us that this also seems to corroborate the threat to MSPs the Five Eyes (Australia, Canada, New Zealand, the United Kingdom, and the United States) warned of on May 11th of this year. Their observations also confirm something about the C2C market: its criminal players suffer from the same human resources challenges the rest of us do. Here’s the text of what amounts to a criminal’s help-wanted ad: “Looking for a Partner for MSP processing. I have access to the MSP panel of 50+ companies. Over 100 ESXi, 1000+ servers. All companies are American and approximately in the same time zone. I want to work qualitatively, but I do not have enough people. In terms of preparation, only little things are left, so my profit share will be high. Please send me a message for more details and suggestions.”

Huntress also reported on Thursday that they have discovered a Tweet from @Intel_by_KELA sharing metrics for a United Kingdom company they’re offering up as a potential victim. The tweet highlights the fact that the prospective victim has ransomware insurance. Huntress says that this Tweet, along with earlier, related announcements, demonstrates a trend of specialization by initial access brokers (IABs). An IAB is a threat actor looking to gain, and then sell, initial access to organizations. The IABs are pure-play C2C operations. Being an IAB means you have the specific skill sets needed to infiltrate and gain access to organizations, and you have the benefit of payment being handled (you hope) out of law enforcement’s view. KELA is an IAB that specializes in trading managed service provider (MSP) access, which makes them a particularly worrisome threat, as a compromised MSP can lead to compromise of the MSP’s customers.

Private-sector offensive actors.

Microsoft late Wednesday released a report (compiled by the Microsoft Threat Intelligence Center (MSTIC), the Microsoft Security Response Center (MSRC), and RiskIQ) that describes the activity of a threat group it tracks as “Knotweed.” Knotweed is regarded as responsible for Subzero malware, which it provides to, or deploys on behalf of, its customers. The group has also exploited Windows and Adobe zero-days. The report explains why Microsoft views this threat actor as particularly egregious. In brief, it’s a private company hiring out cyberattack services:

“PSOAs, which Microsoft also refers to as cyber mercenaries, sell hacking tools or services through a variety of business models. Two common models for this type of actor are access-as-a-service and hack-for-hire. In access-as-a-service, the actor sells full end-to-end hacking tools that can be used by the purchaser in operations, with the PSOA not involved in any targeting or running of the operation. In hack-for-hire, detailed information is provided by the purchaser to the actor, who then runs the targeted operations. Based on observed attacks and news reports, MSTIC believes that KNOTWEED may blend these models: they sell the Subzero malware to third parties but have also been observed using KNOTWEED-associated infrastructure in some attacks, suggesting more direct involvement.”

The company behind Knotweed and its Subzero tool is a Vienna-based outfit, DSIRF. DSIRF’s landing page displays a simple quotation: “A lie can run round the world before the truth has got its boots on,” but without further elaboration. It’s unclear whether that’s a sideswipe at researchers who characterize the company as a mercenary operation. The company describes itself as an “Austria based company with offices in Vienna and Lichtenstein, providing mission-tailored services in the fields of information research, forensics as well as data-driven intelligence to multinational corporations in the technology, retail, energy and financial sectors.” They stress that they offer, fundamentally, research: “Our tightly integrated team provide sophisticated intelligence products which are individually tailored to each client. [sic]” Exploiting zero-days would seem to be taking an expansive view of business intelligence.

Microsoft explains their attribution:

“Multiple news reports have linked DSIRF to the development and attempted sale of a malware toolset called Subzero. MSTIC found the Subzero malware being deployed through a variety of methods, including 0-day exploits in Windows and Adobe Reader, in 2021 and 2022. As part of our investigation into the utility of this malware, Microsoft’s communications with a Subzero victim revealed that they had not commissioned any red teaming or penetration testing, and confirmed that it was unauthorized, malicious activity. Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama. It’s important to note that the identification of targets in a country doesn’t necessarily mean that a DSIRF customer resides in the same country, as international targeting is common.”

A comprehensive set of indicators of compromise and defensive advice is included in Microsoft’s report.

In conjunction with the technical report on Knotweed, Microsoft also issued a statement, “Continuing the fight against private sector cyberweapons,” that places Knotweed (and DSIRF) into the context of what Redmond sees as a larger problem, the emergence of PSOAs, that is, private-sector offensive actors. It views companies like DSIRF, NSO Group, and Candiru as threats that deserve legislative attention. The Permanent Select Committee on Intelligence of the US House of Representatives held hearings on the matter yesterday. Microsoft’s statement to the Committee urged that the US work to advance global norms that would protect human rights and privacy from the wanton use of commercially produced surveillance tools that have “enabled governments around the world to exceed their technical capabilities or legal authorities.” Representatives of Google and the University of Toronto’s Citizen Lab testified in person, and, according to Decipher, their testimony was at least as condemnatory of the PSOAs as was Microsoft’s written statement.

Pyongyang’s [un]H0lyGh0st.

Digital Shadows has released a report that offers more information on the North Korean ransomware group, H0lyGh0st, earlier described by Microsoft on July 14th. H0lyGh0st targets small and medium-sized businesses for financial gain in ransomware attacks, and is known to use double extortion, which researchers define as “combining an encryption of data and services with deliberate data exfiltration.” The group also operates a data leak site for victims’ data. Operating out of North Korea has its challenges for the group, however: the group will probably have to pay a percentage of its profits to the government. It will doubtless find it difficult to communicate, and so have difficulty learning new techniques and recruiting new talent. H0lyGh0st is also known to charge a lower ransom than most gangs, asking for ransoms of 1.2 to 5 Bitcoin, with a willingness to lower ransoms in negotiations.

Researchers believe that H0lyGh0st is a North Korean state-linked group; privateers and pure criminals are significantly less likely to operate in a place where state intelligence does its stealing directly. We asked Digital Shadows about this, and Ivan Righi, senior threat intelligence analyst at Digital Shadows, offered a candid answer: “The exact relationship between H0lyGh0st and North Korea is also unclear. However, it is highly likely that H0lyGh0st is at least a state-encouraged threat group, meaning that they could be backed or supported by the North Korean government in one way or another. In addition, it is likely that the group has to share its profits with the North Korean government, as it is difficult to believe that the group would be able to operate without any type of supervision or limitations.”

Malicious macros may no longer be the royal road to compromise.

Microsoft’s recent announcements about disabling macros by default seem to have already had an effect on criminal behavior. Proofpoint reports that it’s seeing a gangland shift away from attacks based on macros and toward other vectors. “Threat actors are increasingly using container files such as ISO and RAR, and Windows Shortcut (LNK) files in campaigns to distribute malware. Proofpoint has observed the use of VBA and XL4 Macros decrease approximately 66% from October 2021 through June 2022, based on campaign data.”

Patch news.

The US Cybersecurity and Infrastructure Security Agency (CISA) Tuesday released five industrial control system (ICS) advisories affecting Inductive Automation Ignition (“mitigations for an Improper Restriction of XML External Entity Reference vulnerability in versions of Inductive Automation Ignition software”), Honeywell Safety Manager (“mitigations for Insufficient Verification of Data Authenticity, Missing Authentication for Critical Function, and Use of Hard-coded Credentials vulnerabilities in Honeywell Safety Manager, a safety solution of the Experion Process Knowledge System”), Honeywell Saia Burgess PG5 (“mitigations for Authentication Bypass and Use of a Broken or Risky Cryptographic Algorithm vulnerabilities in Honeywell Saia Burgess PG5 PCD, a PLC”), MOXA NPort 5110 (“mitigations for an Out-of-bounds Write vulnerability in MOXA NPort 5110, a device server”), and Mitsubishi MELSEC and MELIPC Series (Update D) (“mitigations for Uncontrolled Resource Consumption, Improper Handling of Length Parameter Inconsistency, and Improper Input Validation vulnerabilities in Mitsubishi Electric MELSEC and MELIPC Series industrial computers”).

CISA’s ICS-CERT on July 28th released three industrial control system (ICS) advisories, for Rockwell Products Impacted by Chromium Type Confusion Vulnerability (“mitigations for a Type Confusion vulnerability in various Rockwell Automation products”), Mitsubishi FA Engineering Software (Update B) (“mitigations for Out-of-bounds Read and Integer Underflow vulnerabilities in Mitsubishi Electric FA Engineering Software, an engineering software suite”), and Mitsubishi Electric Factory Automation Engineering Software (Update C) (“mitigations for a Permission Issues vulnerability in Mitsubishi Electric Factory Automation Engineering Software”).

In addition to these advisories, CISA has also released a detailed Malware Analysis Report on code it received from a Log4shell exploit against an unpatched, public-facing VMware Horizon server.

Policies, procurements, and agency equities.

Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) this week signed a Memorandum of Cooperation with its US counterpart, the Cybersecurity and Infrastructure Security Agency (CISA). The memorandum doesn’t initiate cooperation. Rather, it extends and expands the collaboration the two agencies have already enjoyed. CISA’s announcement notes three areas in particular where the two agencies will work together “on shared cybersecurity priorities:”

  • “Information exchanges and sharing of best practices on cyber incidents;
  • “Critical infrastructure security technical exchanges; and
  • “Cybersecurity training and joint exercises.”

The SSSCIP’s deputy chairman, Oleksandr Potii, described the memorandum’s significance: “This memorandum of cooperation represents an enduring partnership and alignment in defending our shared values through increased real-time information sharing across agencies and critical sectors and committed collaboration in cultivating a resilient partnership.”

As TheHill observes, the focus of earlier stories on US-Ukrainian cooperation in cyberspace had been on US Cyber Command’s unspecified activities related to Russia’s war against Ukraine, acknowledged last month in some gnomic remarks by Cyber Command’s General Nakasone during an interview with Sky News. “We’ve conducted a series of operations across the full spectrum; offensive, defensive, [and] information operations,” he said, adding, “My job is to provide a series of options to the secretary of defense and the president, and so that’s what I do.” What those options were General Nakasone understandably declined to say.

Crime and punishment.

The State Department’s Rewards for Justice Program is seeking out righteous snitches in return for nice compensation. The US has been looking toward the security of the upcoming midterm elections and is obviously interested in keeping Russian influence operators out of the mix. The program tweeted an offer Thursday: “Do you work for Yevgeniy PRIGOZHIN and/or #InternetResearchAgency? Want to earn up to $10M? LET’S CHAT. Drop us a line on the Dark web.” Mr. Prigozhin, a Russian oligarch close to President Putin (he ran a catering business favored by the Kremlin, hence his nickname “Putin’s chef”) is known not only for his connection to the Internet Research Agency troll-farm and disinformation shop, but also as the proprietor of the Wagner Group, the private military corporation that supplies Moscow with deniable mercenaries under contract. He’s come a long way from laying out the blini in the buffet line. You never know where your career’s going to take you, do you?