Activity Summary - Week Ending on 26 October 2023:

  • Red Sky identified 28,459 connections from ‘new’ unique IP addresses
  • German Privax hit 42x
  • 41 ‘new’ Botnets hits
  • Supply Chain Attacks
  • Starjacking and Typosquatting
  • ClassPad
  • NY Casinos and several Health Facilities Hit
  • Netherlands
  • Ontario, Canada
  • Crambus Hacking Group

Red Sky Alliance Compromised (C2) IP’s 

80.255.13.26 was reported 42 times.  Confidence of Abuse is 56%.  ISP: Privax Ltd;  Usage Type: Data Center/Web Hosting/Transit;  Domain Name: hidemyass.com;  Country: Germany;  City: Lappersdorf, Bayern.  https://www.abuseipdb.com/check/80.255.13.26

IP                Contacts
80.255.13.26      77
54.195.114.186    77
178.22.65.141     76
46.105.119.187    64
67.220.86.160     58

On 25 October 2023, Red Sky Alliance identified 28,459 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

Malware Variant   Times Seen
sality            25252
shiz              1749
corkow            1580
sykipot           493
maudi             294

Top 5 malware variants and number of contacts.  Sality and Shiz have consistently remained the top variants; Corkow follows.

Red Sky Alliance Malware Activity

For a full black list – contact analysts: info@redskyalliance.com

 

Red Sky Alliance Botnet Tracker

On 25 October 2023, analysts identified 41 new IP addresses participating in various botnets (call for the full .csv blacklists; below is only a small sample of botnet tracker entries).

First Seen            Botnet Attribution     Infected Host’s IPv4 Address
2023-10-18T13:30:25   HTTP proxy|port: 80    8.219.73.252
2023-10-18T13:30:22   HTTP proxy|port: 80    8.219.74.111
2023-10-18T13:30:29   HTTP proxy|port: 80    8.219.102.93
2023-10-18T13:30:33   HTTP proxy|port: 80    8.219.104.122
2023-10-21T16:40:17   HTTP proxy|port: 80    8.219.107.180

Keylogger IOCs available upon request. 

MALICIOUS CYBER TRENDS:

Supply Chain Attacks - Cybersecurity firm Checkmarx has discovered a new wave of supply chain attacks exploiting bugs in popular communication and e-commerce platforms.  The targeted platforms include Telegram, Alibaba Cloud, and AWS.  Attackers are injecting malicious code into open-source projects and compromising systems.  They leveraged Starjacking and Typosquatting techniques to lure developers to the malicious packages.  The campaign was active throughout September 2023.

Cybersecurity firm Checkmarx discovered a new supply chain attack, which it believes was launched by a low-profile threat actor it tracks as kohlersbtuh15.  This campaign was active in September 2023.  The recent surge in these malicious attacks prompted the Open Source Security Foundation (OpenSSF) to introduce its latest initiative, the Malicious Packages Repository, just last week.  As per the Checkmarx report authored by Yehuda Gelb, the attacker used the Python Package Index (PyPI) and launched attacks using Starjacking and Typosquatting techniques.

Further probing revealed that the actor is exploiting vulnerabilities in platforms such as Telegram, Amazon Web Services (AWS), and Alibaba Cloud Elastic Compute Service (ECS) to target developers and users.  Aliyun’s services (Alibaba Cloud’s brand) are among those being abused.  The attacker injects malicious code into the open-source projects these platforms are using to compromise users’ devices and steal sensitive data, financial and personal information, and login credentials.  The malicious code is injected into specific software functions, which makes it challenging to detect foul play and address the issue.

The code embedded into these packages doesn’t execute automatically but is strategically hidden inside different functions and triggers when one of these functions is called.  Reportedly, kohlersbtuh15 published a series of malicious packages to the PyPI package index, targeting the open-source community.  Using typosquatting, the attackers craft a package mirroring the legitimate one, but the fake package has a hidden malicious dependency, which triggers the malicious script running in the background.  The victim would not suspect anything as everything happens behind the scenes.

Starjacking refers to linking a package hosted on a package manager to an unrelated package repository on GitHub.  Through this technique, unsuspecting developers are tricked into considering it an authentic package.  To enhance the scope of this attack, threat actors have combined these two techniques in the same software package.  For instance, the Telethon 2 package is a typosquatted version of the popular Telethon package that also performs starjacking via the official Telethon package’s GitHub repository.  This indicates the threat actor copied the source code exactly as it is from the official package and embedded malicious lines in the telethon/client/messages.py file.  The malicious code is executed only when the Send Message command is called.

Checkmarx’s report includes a screenshot listing the malicious packages and the countries with the highest downloads of these packages.  “By targeting popular packages used in platforms such as Telegram, AWS, and Alibaba Cloud, the attacker demonstrated a high level of precision. This was not a random act, but a deliberate effort to compromise specific users who rely on these widely-used platforms, potentially impacting millions of people,” Gelb wrote.  The damage caused by this attack is far greater than compromised devices, as all types of data linked with these platforms, like communication details from Telegram, AWS cloud data, and business-related data from Alibaba Cloud, could be accessed and exploited.  This attack highlights that supply chain attacks continue to be a threat as attackers are eyeing vulnerabilities in third-party services/software to access targeted systems and steal data.[1]

Casio ClassPad - If you are a Casio ClassPad customer, it is strongly recommended that you change your ClassPad password immediately to protect yourself.  The breach was discovered on October 11, 2023, affecting 91,921 users in Japan and 35,049 customers from 148 countries and regions.

Casio has disclosed a data breach that impacted customers of its ClassPad education platform in 148 countries.  The breach was discovered on October 11, 2023, when the person in charge, while working within the development environment, found a database failure that prompted the company to assess the situation.  Upon further analysis, it was also determined that on the evening of Thursday, October 12, unauthorized access had occurred, leading to the exposure of personal information of residents from countries outside Japan.  The exposed data includes customer names, email addresses, countries of residence, service usage details, and purchase information such as payment methods, license codes, and order specifics.

Casio stated that the hackers did not infiltrate systems beyond the compromised database within the development environment and that the ClassPad.net app remains operational.  “Customers in Japan: 91,921 items belonging to customers, including individuals and 1,108 educational institution customers – Customers outside Japan: 35,049 items belonging to customers from 148 countries and regions.”

Human Error !  In a data breach notification,[2] Casio confirmed that the situation arose because certain network security settings within the development environment were unintentionally disabled due to an operational error within the responsible department, coupled with inadequate operational oversight.  These factors are believed to have allowed an external party to gain unauthorized access.  The company is working with law enforcement authorities and has reported the incident to Japan’s Personal Information Protection Commission. Casio has also taken steps to secure the ClassPad platform and prevent future data breaches.

Grimes of KnowBe4 commented on the breach, highlighting that it was indeed caused by human error.  Grimes underscored the importance of employee cybersecurity training as a cornerstone for both small businesses and large corporations.  “This data breach was caused by human error which led to network and database compromise.  It’s important that any changes impacting cybersecurity be reviewed prior to implementation and that all security settings be periodically reviewed for accuracy,” said KnowBe4.  “It shows the importance of change control and configuration control.  These can be considered ‘boring topics’ by some, but are must-haves if an organization is expected to stay secure as it can over the long run.”

What to Do If You Are a Casio ClassPad Customer - If you are a Casio ClassPad customer, Casio recommends that you take the following steps to protect yourself:

  • Change your ClassPad password immediately.
  • Monitor your ClassPad account for any suspicious activity.
  • Be wary of phishing emails or other scams that may attempt to exploit the data breach.

What Casio is Doing to Address the Data Breach - Casio has taken a number of steps to address the data breach, including:

  • Notifying affected customers of the data breach.
  • Working with law enforcement authorities to investigate the breach.
  • Securing the ClassPad platform and preventing future data breaches.
  • Reporting the incident to Japan’s Personal Information Protection Commission.

The Casio ClassPad data breach is a reminder that even large and well-established companies are vulnerable to cyberattacks. Customers of Casio ClassPad should take steps to protect themselves, such as changing their passwords and monitoring their accounts for suspicious activity.[3]

GLOBAL TRENDS:

US & NY - New York state’s casino operation and two hospitals were hit with cyber-attacks last weekend, officials said.  The state Gaming Commission confirmed that its central operating system serving the state’s slot parlors was impacted by a cybersecurity attack, forcing the closure of Jake 58 casino in Islandia, Suffolk County, for several days.  “On Tuesday, 17 October 2023, everi, the licensed operator of New York’s video lottery gaming central system, experienced a cybersecurity event that remains under investigation,” said the Gaming Commission spokesman.  “The Commission has no indication that personal identifiable information was compromised.  The Commission continues to monitor the situation.”[4] 

HealthAlliance Hospital and Margaretville Hospital in the Hudson Valley were forced to divert patients elsewhere over the weekend following cybersecurity incidents.  The cyber hack also impacted the Mountainside nursing home.  The two hospitals remained open during this diversion, and walk-in patients were treated and either released or stabilized, according to a statement put out by the Westchester Medical Center Health Network, which oversees the medical facilities.  Ambulance service was restored by 7 p.m. on 21 October.

“To address the threat and take the necessary steps to fully restore our secure network, on Friday, 20 October, our IT experts shut down all connected IT systems at HealthAlliance Hospital, Margaretville Hospital and Mountainside Residential Care Center.  We then began standing up our IT systems, a process that is ongoing, but we have regained all necessary capabilities to resume full operations.” 

The chief strategy officer of WMCHealth said, “I want to applaud everyone at HealthAlliance Hospital, Margaretville Hospital and Mountainside Residential Care Center for all of their hard work and dedication while facing an incredibly difficult situation, helping us return to full operations sooner than expected while continuing to provide the best possible care for patients in our community.”  “This helped demonstrate the strength of the entire WMCHealth Network, with hospitals, physicians, nurses and administrators from across the network playing a vital role in making sure our patients were cared for as we worked to regain full operations, resume admitting patients and minimize any impacts of this disruption.”  Last year, the One Brooklyn Health system that oversees Brookdale, Interfaith and Kingsbrook Jewish hospitals was hit with a cyber attack.

These “safety net” facilities serve the poorest and neediest patients in the city and receive tens of millions of dollars in subsidies from the state.  A patient in April subsequently filed a class-action negligence suit against One Brooklyn because medical records were exposed during the attack.  Other casino operators were temporarily impacted but did not have to close down for an extended period.  “We shut down for a brief period.  It got cleared up fairly quickly.  It was all the same issue,” said a part-owner of the Saratoga Casino.  “It got everyone’s attention,” he added.

Netherlands - The International Criminal Court provided additional information about the cyberattack five weeks ago, saying that it was a targeted operation for espionage purposes.  The intergovernmental organization disclosed the breach on 19 September, a few days after detecting anomalous activity on its information systems.  As an international tribunal, the International Criminal Court (ICC) is seated in The Hague, Netherlands, and its mandate is to investigate, and to hold accountable, individuals committing crimes of concern to the international community.[5]

Espionage operation - In a statement on 20 October,  the ICC shared new details about the action it took following the cyberattack and some initial results from the forensic analysis of the incident.  “The evidence available thus far indicates a targeted and sophisticated attack with the objective of espionage.  The attack can therefore be interpreted as a serious attempt to undermine the Court’s mandate” - the International Criminal Court.  Current evidence is insufficient to attribute the attack, ICC said in a statement, adding that the Dutch law enforcement is currently running the criminal investigation.

The impact of the attack remains unclear at the moment and no evidence so far points to data entrusted to the Court being compromised.  Should such evidence emerge, affected parties will be contacted immediately with direct messages from the Court.

Speeding up defense improvements - The ICC says that it has already taken “all necessary steps to address any compromise to data belonging to individuals, organizations and States,” and will continue to do so.  ICC is reinforcing its risk management framework and preparing for potential repercussions from the cyberattack, such as security risks to victims and witnesses. Steps for improving digital security have also been accelerated.  The recent cyberattack occurred at a “time of broader and heightened security concerns for the Court,” with daily and persistent attempts to disrupt ICC’s systems and criminal proceedings initiated against several elected officials, including Judges of the Court and the Prosecutor.

Canada - The shared services model adopted by governments and non-profits has many advantages, including efficiency and economies of scale.  However, a cyber attack on a firm that provides shared IT services for five hospitals in Southern Ontario could be an example of what happens if a provider has trouble.

The five hospitals (Bluewater Health of Sarnia, Ont., Chatham Kent Health Alliance, Erie Shores HealthCare of Leamington, Ont., Hôtel-Dieu Grace Healthcare and Windsor Regional Hospital) said in a joint statement earlier this week that a cyber-attack on their IT provider, TransForm Shared Service Organization, is impacting IT services.  “Unfortunately, this incident is impacting our provision of care in various ways,” the hospitals said in the statement.  “We are investigating the cause and scope of the incident, including whether any patient information was affected.  Our investigation is ongoing, and we will provide further updates as appropriate.  We will not be providing further comment in response to this statement.”

People who don’t need emergency care have been asked not to go to the hospitals for the time being.  Instead, they should contact their family doctor or a local clinic.  Patients scheduled to have treatment were being contacted to reschedule appointments or provide alternative arrangements.[6]

Headquartered in Chatham, Ont. and founded in 2013, TransForm Shared Service Organization is a not-for-profit, shared services organization founded by the five hospitals in Erie St. Clair to manage their hospital IT and supply chain needs.  It also oversees the project management of the Ontario eHub, a provincial clinical data integration network implementing PointClickCare’s Post-Acute Care Network Management for participating healthcare institutions.  So far over 36 hospitals and 118 long-term care homes in the province are on eHub, with more to come by the end of the year.

Middle East - The cyber war in the Middle East was recently taken up a notch when Symantec’s Threat Hunter Team reported last week that they believe the Iranian Crambus espionage group (aka OilRig, MuddyWater, APT34) staged an eight-month-long intrusion against an unspecified government in the Middle East.  In a blog post on 19 October 2023, Symantec’s researchers reported that Crambus has a long-running track record of mounting operations against many countries in the Middle East, including Saudi Arabia, Israel, the United Arab Emirates, Iraq, Jordan, Lebanon, Kuwait, Qatar, and Turkey.  They have also targeted Albania and the United States.  The Symantec researchers said Crambus has staged long-running intrusions for intelligence gathering and spying purposes.  It has also added a heavy social engineering component in recent years during the early stages of its attacks.  Crambus most recently came to attention last year when Microsoft linked the group to a destructive attack against the Albanian government.  “Over the past couple of years, Iran has focused their hacking on their perceived competitors in the region,” said Mandiant’s head of cyber espionage analysis at Google Cloud.  “This has included numerous governments in the Middle East.  We believe that Iranian groups, including APT34, have targeted these governments to get insight into sensitive foreign policy decision making.”[7]

During this most recent attack, the Symantec researchers said Crambus stole files and passwords, and in one case, installed a PowerShell backdoor to monitor incoming emails sent from an Exchange Server.  The attackers then executed commands in the form of emails and forwarded the results back to the threat group.  Symantec said malicious activity took place on at least 12 computers and there’s evidence that the attackers deployed backdoors and keyloggers on dozens more.

An environment for cyber warfare - The ongoing tensions and numerous proxy wars over the years between Iran and Israel have created an environment conducive to cyber warfare.  The region has already seen various cyber and social media incidents since Hamas first launched its terrorist attack in southern Israel on 7 October.

Early on, the Jerusalem Post’s website was taken down and the RedAlert app was attacked.  On the social-media front, The New York Times has reported that even though it has been banned from Facebook, Hamas has been using social media to get its message out to people, especially on Telegram.  As far as any links to Iran, Callie Guenther, senior manager, cyber threat research at Critical Start, explained that Iran's alleged support of Hamas and other regional groups hostile to Israel suggests a multi-pronged strategy of influence, including various cyber operations.  “Given the intricate geopolitical web, groups like Crambus might be tasked with operations against Israeli infrastructure, gathering intelligence on Israeli military strategies, or disrupting systems to influence the physical battlefield,” said Guenther.  “They could also engage in operations against states that side with or support Israel. Iran has previously been implicated in cyberattacks against Israel.  In 2020, a series of cyber incidents, including an alleged Iranian attempt to compromise Israeli water infrastructure, highlighted the evolving nature of the conflict in the cyber realm.”

Security pros need to keep in mind that Iran and Israel have maintained an adversarial relationship since the Iranian Revolution in 1979 when the Shah of Iran was overthrown, Guenther added. The revolutionary leadership in Iran has consistently opposed Israel's right to exist, partly rooted in religious differences and partly in regional politics.  Guenther said Iran's alleged support for groups like Hamas and Hezbollah, as evident from multiple sources, serves to exert influence and combat Israel indirectly.

[1] https://www.hackread.com/telegram-aws-alibaba-cloud-supply-chain-attack/

[2] https://world.casio.com/information/1018-incident/

[3] https://www.hackread.com/human-error-casio-classpad-data-breach/

[4] https://www.msn.com/en-us/news/us/cyber-attacks-hit-ny-state-casino-operation-two-hudson-valley-hospitals/ar-AA1iFipo

[5] https://www.bleepingcomputer.com/news/security/international-criminal-court-systems-breached-for-cyber-espionage/

[6] https://www.itworldcanada.com/article/five-southern-ontario-hospitals-impacted-by-cyber-attack-on-shared-services-provider/550594

[7] https://www.scmagazine.com/news/unspecified-middle-eastern-country-allegedly-targeted-by-new-cyber-campaign-linked-to-iranian-backed-threat-group
