Microsoft says it's blocked GRU cyber operations directed against US, European, and Ukrainian targets. Redmond calls the group "Strontium," in its metallic naming convention for threat groups, but the threat actor is also known as APT28 and, of course, Fancy Bear. The disruption was a familiar (and entirely praiseworthy) takedown. Microsoft explained, "On Wednesday April 6th, we obtained a court order authorizing us to take control of seven internet domains Strontium was using to conduct these attacks. We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications."
This particular GRU campaign isn't the only one Microsoft has observed during Russia's war against Ukraine. Microsoft characterized Strontium's use of its now sinkholed infrastructure as follows: "Strontium was using this infrastructure to target Ukrainian institutions including media organizations. It was also targeting government institutions and think tanks in the United States and the European Union involved in foreign policy. We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information. We have notified Ukraine’s government about the activity we detected and the action we’ve taken."
Given the conflict in Ukraine and the looming threat of nation-state cyber-attacks, it’s imperative for U.S. critical infrastructure organizations to understand the exposures, infections, and vulnerabilities affecting them—and which ones have been used by Russian threat actors in the past. Get a sector-level view that can inform your cyber defenses.[1]
Below is a weekly run down of important highlights in Cyber Security:
Russian cyber operations against Ukraine. Security firm Intezer has followed up CERT-UA's (Ukraine's CERT) discovery of a new malware framework being used in phishing campaigns: "A recently developed malware framework called Elephant is being delivered in targeted spear phishing campaigns using spoofed Ukrainian governmental email addresses. The four malware components delivered are used for stealing credentials, documents, and to provide remote access to the infected machine. "Two of these components were first reported on by the Computer Emergency Response Team for Ukraine (CERT-UA) in March 2022. They named the two components GraphSteel and GrimPlant. When investigating these events, we have identified that Elephant has also been delivered via phishing emails from spoofed Ukrainian email addresses. Elephant is a malware framework written in Go. The activity has been attributed to UAC-0056 (TA471, SaintBear, UNC2589) by CERT-UA."
Trojan comes bundled with ransomware and DDoS capabilities. Cyble describes a new and unusually capable remote access Trojan, "Borat RAT" (an homage to the Sacha Baron Cohen character), which the researchers call a "triple threat," combining as it does the functionality of a RAT, spyware, and ransomware. The malware also has a DDoS functionality. BleepingComputer reports that Borat's place in the C2C underground market is unclear (it's not known whether it's being sold or being freely traded) but it seems to be spreading through the underworld. Cyble states, "The Borat RAT is a potent and unique combination of Remote Access Trojan, Spyware, and Ransomware, making it a triple threat to any machine compromised by it. With the capability to record audio and control the webcam and conduct traditional info stealing behavior, Borat is clearly a threat to keep an eye on. The added functionality to carry out DDOS attacks makes this an even more dangerous threat that organizations and individuals need to look out for."
Mailchimp breach leads to phishing attacks. Mailchimp says it's discovered and contained a data breach (accomplished by criminal social engineering). TechCrunch reports that about 300 users' accounts were compromised, and that customer data were extracted from 102 of those. The stolen data appears to have been put to use in phishing attempts against the cryptocurrency and financial services sectors. BleepingComputer reports that cryptocurrency customers appear to be particularly at risk. Finbold reports that users of Trezor hardware cryptocurrency wallets were targeted with a phishing campaign as a result of the Mailchimp compromise. Scammers sent emails to Trezor's mailing list informing users that their accounts were breached, and directed them to install a malicious version of Trezor's app.
FIN7 improves its operations. According to researchers at Mandiant, the financial cybercrime gang FIN7, hitherto best known for breaking into payment systems and corporate networks, has now added ransomware to its repertoire. FIN7 is now using REVIL, DARKSIDE, BLACKMATTER, and ALPHV ransomware.
Phishing campaign targets Israeli officials. Cybereason describes an elaborate and well-researched catphishing campaign (its unlikely name is "Bearded Barbie") associated with Hamas and aimed at Israeli officials. The researchers stated: "While most of the previously reported APT-C-23 campaigns seemed to target Arabic-speaking individuals in the Middle East, Cybereason recently discovered a new elaborate campaign targeting Israeli individuals, among them, a group of high-profile targets working for sensitive defense, law enforcement, and emergency services organizations. The campaign operators use sophisticated social engineering techniques, ultimately aimed to deliver previously undocumented backdoors for Windows and Android devices. The goal behind the attack was to extract sensitive information from the victims' devices for espionage purposes. "Our investigation reveals that APT-C-23 has effectively upgraded its malware arsenal with new tools, dubbed Barb(ie) Downloader and BarbWire Backdoor, which are equipped with enhanced stealth and a focus on operational security. The new campaign that targets Israeli individuals seems to have a dedicated infrastructure that is almost completely separated from the known APT-C-23 infrastructure which is assessed to be more focused on Arabic-speaking targets."
Google removes malicious apps from Play Store. The Wall Street Journal reports that Google removed dozens of apps from its Play Store when it was found that they contained data-harvesting code carried in a software development kit provided by Measurement Systems, a Panamanian company said to have connections with the US firm Vostrom Holdings.
China-linked threat actors target India's power sector. Recorded Future reports a Chinese-government campaign against India's electrical power sector. It appears to be in its reconnaissance phase. Recorded Future stated: "In recent months, we observed likely network intrusions targeting at least 7 Indian State Load Despatch Centres (SLDCs) responsible for carrying out real-time operations for grid control and electricity dispatch within these respective states. Notably, this targeting has been geographically concentrated, with the identified SLDCs located in North India, in proximity to the disputed India-China border in Ladakh. One of these SLDCs was also targeted in previous RedEcho activity. This latest set of intrusions, however, is composed of an almost entirely different set of victim organizations. In addition to the targeting of power grid assets, we also identified the [targeting] of a national emergency response system and the Indian subsidiary of a multinational logistics company by the same threat activity group. To achieve this, the group likely compromised and co-opted internet-facing DVR/IP camera devices for command and control (C2) of Shadowpad malware infections, as well as use of the open source tool FastReverseProxy (FRP)." The researchers add, "The objective for intrusions may include gaining an increased understanding into these complex systems in order to facilitate capability development for future use or gaining sufficient access across the system in preparation for future contingency operations."
Indian authorities say they successfully stopped a cyber operation by Cicada. The Deccan Herald quotes Power Minister R.K. Singh as saying, "Two attempts by Chinese hackers were made to target electricity distribution centres near Ladakh but were not successful."
Symantec has also observed renewed cyberespionage on the part of this Chinese APT. Symantec states, "Victims in this Cicada (aka APT10) campaign include government, legal, religious, and non-governmental organizations (NGOs) in multiple countries around the world, including in Europe, Asia, and North America. The wide number of sectors and geographies of the organizations targeted in this campaign is interesting. Cicada’s initial activity several years ago was heavily focused on Japanese-linked companies, though in more recent times it has been linked to attacks on managed service providers with a more global footprint. However, this campaign does appear to indicate a further widening of Cicada’s targeting."
Scammers pose as Russian dissidents. Like the rest of us, you've no doubt been emailed by widows of Nigerian princes. Now, Avanan warns, there's a new kid on the advance-fee scam block: Nigerian princes, meet the "Russian dissidents." The scammers are posing as Russian opposition leader Alexei Navalny and asking for your help in withdrawing money from a Turkish bank account. 75% of the money will go to Ukrainian relief, and you get to keep the balance.
Phishing campaign targets Android users in Malaysia. ESET researchers report finding seven bogus e-commerce websites that impersonate legitimate Malaysian businesses (six of them cleaning services, the seventh a pet store). The sites dangle the offer of an app as opposed to an opportunity to make immediate purchases; the criminals' aim is to harvest banking credentials.
Meta releases Adversarial Threat Report. Among the inauthentic social media operations Meta (Facebook's corporate parent) took down this week were two Iranian espionage groups. Meta's Quarterly Adversarial Threat Report said "The first network was linked to a group of hackers known in the security industry as UNC788. The second was a separate, previously unreported group that targeted industries like energy, telecommunications, maritime logistics, information technology, and others." The first, familiar actor, the threat cluster UNC788 (associated with Phosphorus, Charming Kitten), used a malicious version of a legitimate Android birthday calendar app, a remote access tool that represented itself as a Quran, and a data-harvesting and remote access tool in a chat application. Its target list also included familiar interests: journalists, dissidents, human rights activists, universities, and so on.
Meta further says the UNC788 campaign "targeted people in the Middle East, including Saudi military, dissidents and human rights activists from Israel and Iran, politicians in the US, and Iran-focused academics, activists and journalists around the world. Their malicious activity had the hallmarks of a well-resourced and persistent operation while obfuscating who’s behind it. We’ve been tracking and blocking this group’s efforts for a number of years, similar to our peers at other platforms. This latest cyber espionage campaign was active across the broader internet and focused on phishing its targets to steal credentials to their online accounts and sharing links to malicious websites hosting malware."
Patch news. The US Cybersecurity and Infrastructure Security Agency (CISA) yesterday issued four industrial control system (ICS) advisories, for LifePoint Informatics Patient Portal, Rockwell Automation ISaGRAF, Johnson Controls Metasys, and Philips Vue PACS (Update A). On Thursday, CISA issued three more ICS advisories, for Pepperl+Fuchs WirelessHART-Gateway, ABB SPIET800 and PNI800, and Mitsubishi Electric GOT and Tension Controller (Update A). CISA has also added four vulnerabilities to its Known Exploited Vulnerabilities Catalog: CVE-2022-22965 (Spring Framework JDK 9+ Remote Code Execution Vulnerability), CVE-2022-22675 (Apple macOS Out-of-Bounds Write Vulnerability), CVE-2022-22674 (Apple macOS Out-of-Bounds Read Vulnerability), and CVE-2021-45382 (D-Link Multiple Routers Remote Code Execution Vulnerability). The US Federal civilian agencies CISA oversees have until April 25th to address them.
Crime and punishment. Germany's Bundeskriminalamt, (BKA, Germany's Federal police), on Tuesday announced its takedown of Hydra Market, the largest Russophone dark web contraband souk. The blockchain analysis firm Elliptic says that it's been able to determine that Hydra Market has processed some $5 billion in Bitcoin since 2016, with its take peaking in 2021. The BKA said that it had seized about 23 million Euros from the illegal trading platform, and that its investigation and takedown had been accomplished in cooperation with international partners, especially US law enforcement agencies. In addition to trading such contraband as illegal drugs and stolen data, Hydra Market was heavily involved in money laundering.
The US Treasury Department’s Office of Foreign Assets Control (OFAC) has sanctioned Hydra Market, and has identified over a hundred virtual currency addresses associated with the criminal operation. Contraband traded in Hydra Market include "ransomware-as-a-service, hacking services and software, stolen personal information, counterfeit currency, stolen virtual currency, and illicit drugs." Decipher reports that experts think data seized from Hydra Market's servers will inform further investigations into the cyber underworld. And finally, the US Justice Department has indicted the Russian boss the US Attorney for the Northern District of California alleges is responsible for the Hydra Market. Dmitry Olegovich Pavlov faces charges of money laundering conspiracy and narcotics conspiracy. If convicted, he also faces forfeiture of all assets acquired through his crimes, and of any he used in the furtherance of his crimes. The Justice Department stated: "Starting in or about November 2015, Pavlov is alleged to have operated a company, Promservice Ltd., also known as All Wheel Drive and 4x4host[.]ru, that administered Hydra’s servers (Promservice). During that time, Pavlov, through his company Promservice, administered Hydra’s servers, which allowed the market to operate as a platform used by thousands of drug dealers and other unlawful vendors to distribute large quantities of illegal drugs and other illicit goods and services to thousands of buyers, and to launder billions of dollars derived from these unlawful transactions.
"As an active administrator in hosting Hydra’s servers, Pavlov allegedly conspired with the other operators of Hydra to further the site’s success by providing the critical infrastructure that allowed Hydra to operate and thrive in a competitive darknet market environment. In doing so, Pavlov is alleged to have facilitated Hydra’s activities and allowed Hydra to reap commissions worth millions of dollars generated from the illicit sales conducted through the site."
The BBC reports that two teenagers, one 16, the other 17, were arraigned last Friday at London's Highbury Corner youth court on charges connected with the activities of the Lapsus$ gang. are charged with fraud as well as a variety of computer-related offenses; both have been released on bail. Naked Security reports that the gang's activities seem to have resumed, however. Evidently some of its members have been carrying on even after the leaders' arrest.
Ukrainian FIN7 hacker Denys Iarmak has been sentenced to five years in a US prison after pleading guilty to conspiracy to commit wire fraud and to commit computer hacking, BleepingComputer reports. The US Justice Department stated, "Iarmak was involved with FIN7 from approximately November 2016 through November 2018. Iarmak frequently used project management software such as JIRA, hosted on private virtual servers in various countries, to coordinate FIN7 malicious activity and to manage the assorted network intrusions. JIRA is a project management and issue-tracking program used by software development teams.... During the course of the scheme, Iarmak received compensation for his participation in FIN7, which far exceeded comparable legitimate employment in Ukraine. Moreover, FIN7 members, including Iarmak, were aware of reported arrests of other FIN7 members, but nevertheless continued to attack U.S. businesses."
Policies, procurements, and agency equities. The US State Department on Monday stood up its new Bureau of Cyberspace and Digital Policy. The bureau will be led initially by Jennifer Bachus, a career Foreign Service Officer who was recently US Chargé d'Affaires in Prague. She'll serve as Principal Deputy Assistant Secretary for the CDP bureau until the Senate confirms an Ambassador-at-large to lead the organization.
The US Cybersecurity and Infrastructure Security Agency (CISA) continues to set the national table for a meal of best practices. April is National Supply Chain Integrity Month, and CISA's focus is on the information and communications technology supply chain: "Information and communications technology (ICT) products and services ensure the continued operation and functionality of U.S. critical infrastructure. However, recent software compromises and other events have shown the far-reaching consequences of these threats."
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
Comments