Strategic insights for leaders from tactical cyber observers.

As the world becomes increasingly dependent on the internet and cyberspace remains a contested environment, leaders must monitor geopolitical and cybersecurity risks more than ever. LookingGlass presents the Cyber Monitor – a weekly rollup of analysis and trending topics in cybersecurity for executives to keep abreast of threats, incidents, and risks to their organization and national security.

EDITOR’S HIGHLIGHTS

The US Treasury on Monday, August 8 sanctioned Tornado Cash, a virtual currency mixer, for its use by cybercriminals, including those under US sanctions. According to a senior Treasury official, Tornado Cash has reportedly laundered more than $7B in virtual currency since its launch in 2019, including $455M from the Lazarus Group, a North Korean state-sponsored hacking group. It was also used as recently as last week to launder money from a “heist” of Nomad, a US cryptocurrency firm, the official said. The sanctions will prohibit US persons, and those subject to US jurisdiction, from using the virtual currency mixer. As part of Monday’s action, 44 cryptocurrency wallets linked to Tornado Cash were sanctioned by the US government. According to the Treasury official, Tornado Cash is one of the largest virtual currency mixers that has been identified by the US government; it is only the second time the Department has sanctioned such an entity. In May, the Treasury Department sanctioned another virtual currency mixer, Blender.io, which it said was used by North Korea “to support its malicious cyber activities and money laundering of stolen virtual currency.” CNN, Forbes

Analyst Comment: This was the second time OFAC has sanctioned a mixer, but the first time it has sanctioned the open source code behind it. This is noteworthy because it not only prevents Americans from using Tornado Cash, but also bars them from using the open source code behind it.

The underground economy is booming, thanks to a thriving and evolving ransomware sector. Dark Web markets sell professional ransomware products and services at varied prices. Venafi and Forensic Pathways researchers reviewed 35M Dark Web URLs, including forums and marketplaces, and found 475 web pages with ransomware strains, source code, build and custom-development services, and full-fledged RaaS solutions. Researchers found 30 ransomware families for sale on the pages, including well-known varieties like DarkSide/BlackCat, Babuk, Egregor, and GoldenEye. Well-known attack tools cost more than lesser-known alternatives. A customized version of DarkSide, the ransomware employed in the Colonial Pipeline attack, cost $1,262. Babuk ransomware source code cost $950, while Paradise cost $593. Many of the tools and services accessible through these markets, including step-by-step tutorials, are designed to help attackers with minimal technical abilities and experience conduct ransomware attacks. Check Point’s midyear threat analysis reveals considerably more ransomware participants than previously assumed. Some ransomware variations, such as Conti, Hive, and Phobos, were more common than others, but they didn’t account for most attacks: 72% of the ransomware attacks that Check Point engineers responded to were unique. Ransomware is still the biggest danger to enterprise data security, according to the researchers. The report referenced the Conti group’s ransomware attacks on Costa Rica (and later Peru) as examples of how threat actors have widened their targeting for financial gain. Several of the largest ransomware firms employ hundreds of hackers, make hundreds of millions of dollars, and can invest in R&D, quality assurance, and negotiations. Larger ransomware groups are acquiring nation-state capabilities, according to the researchers. Researchers predict that the increased attention from governments and law enforcement will push such groups to maintain a legal profile. Dark Reading

Recent cyberattacks targeting the automotive industry in Germany drove KELA to investigate the level of exposure of the 15 largest German automotive manufacturers, suppliers, and dealers to shed light on cyber threats they faced from January 2021 to April 2022. The automotive sector is the largest sector in Germany, generating over $419B in revenue; also, Germany is the largest automobile manufacturing country in Europe, producing 30% of all passenger cars in the EU in 2021. Below are KELA’s key findings in its research on cybercrime threats to Germany’s automotive sector:

  • Threat actors are constantly looking for automotive hacking tools on cybercrime forums, aiming to exploit keyless entry attacks to steal cars. According to the General German Automobile Club e. V. (ADAC), only 5% of 501 tested vehicles are protected from keyless theft.
  • Sensitive data related to the automotive sector is being widely traded on cybercrime forums and markets: from network access to automotive companies for sale and internal data, such as source code and databases.
  • KELA researched the exposure of 15 German automotive companies in cybercrime sources and discovered that their credentials were mainly exposed in breaches not targeting the automotive sector (such as RedCappi and IndiaMART). Also, some sensitive internal services related to automotive companies were compromised (for example, enabling access to Jira and VPN accounts).
  • The data breach against Volkswagen and Audi in June 2021 exposed the data of 3.3M customers and has been in high demand since then on cybercrime platforms.
  • Among the top targeted countries for ransomware attacks in the automotive sector, Germany is the second most targeted victim, following the US.

KELA

NATION STATE ACTIVITY

More than a dozen victims across Ukraine, Russia, Belarus, and Afghanistan have been successfully targeted in a January 2022 campaign by state-sponsored hackers using a five-year-old Microsoft Office vulnerability. The campaign is believed to be focused on cyber espionage but has targeted military-linked defense companies, government agencies, and research institutes in the regions. Researchers at Kaspersky have attributed the attacks with ‘high probability’ to TA428, a China-linked state-sponsored hacking group. There was a “significant overlap” in the tactics, tools, and techniques used in these attacks with those of previous TA428-linked hacks, and the malware infrastructure was also located in China, they said. Highly sophisticated phishing campaigns were used to gain initial access to a variety of systems, with some attacks resulting in hackers taking control of IT infrastructure. An email contained a maliciously crafted Microsoft Office document that exploited the CVE-2017-11882 vulnerability affecting outdated versions of Microsoft Equation Editor – a Microsoft Office component. The exploit allows attackers to execute arbitrary code on a victim’s system without the need to enable VBA macros, unlike exploits of a similar nature. Numerous reports of Chinese state-sponsored hackers specifically targeting entities such as universities and militaries have surfaced in recent years. Most recently, UK and US national security services expressed their growing concern over China’s long-term ambitions with its uptick in intellectual property theft, and the numerous mergers and acquisitions in the region. ITPro

HACKTIVISM

A hacktivist collective posted more than 2 terabytes of hacked emails and files from a host of mining companies in Central and South America last week, in a move to expose environmental damage in the region. The group – which calls itself Guacamaya – posted the files from five public and private mining companies and two public agencies responsible for environmental oversight, one in Colombia and the other in Guatemala. The materials come from ENAMI, an Ecuadorian state mining company; the Agencia Nacional de Hidrocarburos (ANH) in Colombia; New Granada Energy Corporation in Colombia; Quiborax, a mining company in Chile; Oryx, an oil company in Venezuela; Tejucana, a Brazilian mining company; and Guatemala’s Ministerio De Ambiente y Recursos Naturales. The collective posted the materials to a website called Enlace Hacktivista, a site for documenting hacker history, sharing educational resources, and that provides space “for hackers to publish their hacks, leaks, and communiques.” In a Spanish-language statement posted with the materials, the group denounced what it described as environmental devastation by the US and other international governments and firms that plunder the region’s resources. CyberScoop

CYBERCRIME

As the market for initial access brokers matures, services like Genesis — which offers elite access to compromised systems and slick, professional services — are raising the bar in the underground economy. Sophos’ report this week takes a comprehensive look at Genesis, which launched in 2017 and provides malicious actors with access to other people’s data, ranging from credentials and cookies to digital fingerprints, via its invitation-only marketplace. Genesis currently lists over 400k bots (compromised systems) in over 200 countries, with Italy, France, and Spain at the top of the list. The market provides not only the data but also well-maintained tools to facilitate the (mis)use of that data. These tools include bespoke anti-detection offerings that assist its clients in remaining undetected when deploying stolen credentials to access targeted bots, such as a Google Chrome extension and even a “continually maintained and upgraded” Genesium browser. The high-quality level of data on offer, as well as the site’s commitment to keeping stolen information up to date, define the service. This means that hackers who pay for stolen information are kept up to date by Genesis on any changes or updates to that information. Users are charged a rate based on the amount of information they have on the targeted bot. Returning users can also access a dashboard with up-to-date information about the compromised systems they’ve accessed. The evolution of Genesis points to the “growing professionalization and specialization” of the cybercrime economy, the report notes. Ransomware groups and affiliates are assumed to be the service’s most frequent customers, particularly criminals who are looking for an IAB site that gives them expedited access and faster lateral movement to their targets. A high level of organization also distinguishes the Genesis market, giving malicious actors more contextual information surrounding stolen data, and allowing them greater insights into the compromised systems. This could lead to even more inventive attack vectors, according to an analyst.

[Image: Genesis marketplace]

Dark Reading, CBS News

Twitter announced that a hacker had taken advantage of a flaw in its system and was offering to sell the personal information that they had collected. The bug in question allowed a user to enter an email address or phone number and learn which account was associated with the information entered. Twitter stated that the vulnerability was discovered in January but was quickly fixed, and that there was no evidence that personal information had been compromised as a result of the bug at the time. However, Twitter was notified in July that someone may have exploited the vulnerability and was attempting to sell personal information of 5.4M users. “After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed,” Twitter said in a blog post. The Hill

A massive attack hit the website of the German Chambers of Industry and Commerce (DIHK) this week, forcing the organization to shut down its IT systems. According to Michael Bergmann, chief executive of DIHK, the attack was serious and massive – the organization was not able to estimate how long its systems would be down. Bergmann did not provide further details about the attack, but the circumstances suggest the German Chambers of Industry and Commerce was the victim of a ransomware attack. According to DIHK, phone and fax were the only channels available for contact. Security Affairs

CRITICAL INFRASTRUCTURE

ENERGY

Most companies across the US oil and gas industry are at risk of a successful cyber breach according to BreachBits, a cyber risk rating and monitoring company that evaluates and tests organizations from a hacker’s perspective. Following an analysis of 98 representative upstream, midstream, downstream, and supply chain companies across the energy sector, BreachBits has released their findings in BreachRisk: Energy 2022, a cyber state of the industry study. The company found that on average, the oil and gas companies observed were at Medium Risk, but that risk was not distributed evenly across the sector, according to BreachBits CEO and Co-Founder John Lundgren. Moreover, 11% of the companies presented potentially serious, High Risk threats. The study by BreachBits ranked 59% of companies at Medium Risk for a cyber breach, 13% at Low Risk, and 28% at Very Low Risk. Other key observations included:

  • 94% of all ransomware threats were held by only 51% of companies.
  • BreachRisk increases for companies with greater than $50M in annual recurring revenue.
  • BreachRisk significantly increases for companies with more than 250 employees.

Businesswire

WATER

A White House announcement that the EPA will delegate cybersecurity regulation for state water utilities through local sanitation inspections is receiving pushback from industry groups and cybersecurity experts. The decision follows months of a public dispute between the water sector and the EPA over how to adequately monitor the water supply for cyberthreats, an increasing concern following cyberattacks on water facilities in California and Florida. Anne Neuberger, deputy national security adviser for cyber and emerging technology, revealed the administration’s plans during an interview two weeks ago, saying she believes the EPA is well-equipped to ensure the cybersecurity of the sector is “holistically considered.” Yet enforcing cybersecurity regulations across the vast water sector presents challenges. Industry officials say there are 51k drinking water systems nationwide and an estimated 85 percent of water companies are municipal and sometimes very small. By not tailoring the approach to better assess and confront different utilities’ cybersecurity needs, and by relying on workers untrained in cybersecurity to carry out audits, industry groups say the EPA could be setting up a system that misses cyberattacks. Industrial cybersecurity experts also criticized the notion that state sanitation inspectors can effectively monitor and regulate cyber controls. CyberScoop

FINANCE

The North Korean Lazarus hacking group is engaging in a new social engineering campaign, with the hackers impersonating Coinbase to target employees in the fintech industry. A common tactic the hacking group uses is to approach targets over LinkedIn to present a job offer and hold a preliminary discussion as part of a social engineering attack. According to Hossein Jazi, a security researcher at Malwarebytes who has been following Lazarus activity closely since February 2022, the threat actors are now pretending to be from Coinbase, targeting candidates suitable for the role of “Engineering Manager, Product Security.” When victims download what they believe to be a PDF about the job position, they are actually getting a malicious executable using a PDF icon. In this case, the file is named “Coinbase_online_careers_2022_07.exe,” which will display a decoy PDF document when executed while also loading a malicious DLL. Once executed, the malware will use GitHub as a command and control server to receive commands to perform on the infected device. This attack chain is similar to one documented by Malwarebytes in a blog post at the start of the year. State-sponsored North Korean hacking groups are known for launching financially motivated attacks against banks, cryptocurrency exchanges, NFT marketplaces, and individual investors with significant holdings. Bleeping Computer

HEALTHCARE

Researchers have discovered that bots are capturing pharmacy accounts and reselling prescriptions on a secondary market for illegal and in-demand drugs. In the past 60 days, the number of stolen pharmacy accounts for sale has increased fivefold, according to the researchers. Kasada threat intelligence first observed the use of credential stuffing in April 2022, when it was used to attack pharmacies, steal active accounts, and exploit the distribution of prescribed medications. Credential stuffing is an automated attack in which cybercriminals attempt to log in to various accounts using lists of stolen or leaked usernames and passwords. When they are successful, they take over accounts and either sell them or use them to commit fraud. In underground marketplaces, tens of thousands of stolen online pharmacy accounts are currently for sale. These marketplaces sell stolen accounts from both physical and online-only pharmacies, including many from the top ten pharmacies in the US. A stolen account can cost anywhere from a few hundred dollars to several thousand dollars. Furthermore, stolen accounts are frequently accompanied by a guarantee — if the login or card on file fails, the provider will replace it with a new account. Security Magazine
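The credential stuffing pattern described above has a signal that distinguishes it from ordinary failed logins: one source trying many different accounts in a short window, with the occasional success being the account that was taken over. The following detector is an added example, not code from Kasada or the article; it runs over a constructed log in an assumed `ip=... user=... result=...` format and flags sources by account breadth per time window, listing any accounts that logged in from a flagged source for takeover review.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log, not data from the article. One source
# sprays six different usernames in seconds (stuffing pattern, one success);
# the other is a single user mistyping a password twice, which must not alert.
SAMPLE_LOG = """\
2022-08-09T10:00:01Z ip=203.0.113.7 user=alice@example.net result=FAIL
2022-08-09T10:00:02Z ip=203.0.113.7 user=bob@example.net result=FAIL
2022-08-09T10:00:02Z ip=203.0.113.7 user=carol@example.net result=FAIL
2022-08-09T10:00:03Z ip=203.0.113.7 user=dave@example.net result=SUCCESS
2022-08-09T10:00:04Z ip=203.0.113.7 user=erin@example.net result=FAIL
2022-08-09T10:00:05Z ip=203.0.113.7 user=frank@example.net result=FAIL
2022-08-09T10:05:00Z ip=198.51.100.4 user=grace@example.net result=FAIL
2022-08-09T10:05:20Z ip=198.51.100.4 user=grace@example.net result=FAIL
2022-08-09T10:05:40Z ip=198.51.100.4 user=grace@example.net result=SUCCESS
"""

# Assumed log line format for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)


def parse_events(log_text):
    """Return (timestamp, ip, user, success) tuples sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "SUCCESS"))
    return sorted(events)


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag sources that try at least `min_users` distinct accounts within
    `window`. A brute force against one account stays below the threshold:
    the distinguishing signal is account breadth, not failure count."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            if len(users) >= min_users:
                prev = alerts.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        # accounts that logged in from a flagged source:
                        # candidates for takeover, as with the pharmacy accounts
                        "compromised": sorted(e[2] for e in win if e[3]),
                    }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

In production the same logic would key on a device fingerprint or ASN as well as the IP, since stuffing tools rotate through proxies to stay under per-IP thresholds.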

A cyberattack forced the closure of more than 100 Belgian and Dutch dental practices. The practices are owned by Colosseum Dental Benelux, a parent company with over 130 branches. The Dutch Data Protection Authority (AP) was made aware of the situation. Some of the affected dental practices have been closed since Thursday, August 4th. Colosseum Dental Benelux told Dutch media that there’s been a “cyber incident”, but did not detail the malware used. The organization expects its practices to reopen this week. Anonymous sources told Dutch media that employees can’t access the patient information of customers. Colosseum Dental Benelux’s response confirms the severity of the incident: data breaches must be reported only when the privacy of partners, workers, or consumers is at risk, and Colosseum Dental Benelux said such a report was made. The nature of this incident exhibited characteristics that are consistent with ransomware, according to ESET Netherlands, a cybersecurity company. “The shutdown of an operation, not being able to access systems or websites, reporting to the police and AP — it all points in that direction,” according to CEO Dave Maasland. Techzine Europe

The National Health Service (NHS) 111 emergency services in the UK are currently affected by a significant and ongoing outage caused by a cyberattack on the systems of British managed service provider (MSP) Advanced. Advanced’s Adastra client patient management solution, which is used by 85% of NHS 111 services, has been affected by a major outage, along with several other services provided by the MSP. “There is a major outage of a computer system that is used to refer patients from NHS 111 Wales to out-of-hours GP providers,” the Welsh Ambulance Services stated on August 6. While public access to Advanced’s status page is now restricted to customers and employees only, Advanced’s COO Simon Short confirmed that the incident was caused by a cyberattack discovered last week. While no information about the nature of the cyberattack was provided, based on the wording, it is likely that it was a ransomware or data extortion attack, according to analysts. More than 22k global customers use Advanced business software in industries ranging from healthcare and education to non-profits. Customers of the MSP include the NHS, the UK Department for Work and Pensions (DWP), and London City Airport. WMtech

GOVERNANCE

USG

Vulnerabilities in software that TV and radio networks around the country use to transmit emergency alerts could allow a hacker to broadcast fake messages over the alert system, according to a Federal Emergency Management Agency official. A cybersecurity researcher provided FEMA with evidence suggesting that certain unpatched and unsecured EAS (Emergency Alert System) devices are vulnerable, according to Mark Lucero, the chief engineer for Integrated Public Alert & Warning System – the national system that state and local officials use to send urgent alerts about natural disasters or child abductions. The agency last week urged operators of the devices to update their software to address the issue, saying that the false alerts could in theory be issued over TV, radio, and cable networks. There is no evidence that malicious hackers have exploited the vulnerabilities, according to Lucero. Ken Pyle, the cybersecurity researcher who discovered the issue, told CNN that he acquired several of the EAS devices independently and found poor security controls. He shared an example of a fake alert he crafted, but did not send, that declared a “civil emergency” for certain counties and areas in the US. CNN

GEOPOLITICS

Meta announced the takedown of two cyber espionage operations in South Asia, as well as a Russian troll farm that sought to bolster support for Russia’s invasion of Ukraine. Meta, which owns Facebook and Instagram, announced the findings in its Quarterly Adversarial Threat Report, which also detailed the company’s efforts to combat coordinated schemes in Greece, India, and South Africa. The company specifically highlighted its mitigation of “Cyber Front Z,” a troll farm operated from St. Petersburg that it said was linked to individuals associated with past activity by Russia’s Internet Research Agency (IRA), a troll farm that led the effort to spread disinformation around the 2016 US presidential election. Meta stated that it began taking action against Cyber Front Z in March, shortly after Russia invaded Ukraine, and that the network was brought down in early April. According to the tech giant, the troll farm hired people in shifts seven days a week to comment with pro-Russia content on posts supporting Ukraine published by celebrities such as Angelina Jolie and politicians such as Finland’s prime minister. “This appeared to be a poorly executed attempt, publicly coordinated via a Telegram channel, to create a perception of grassroots online support for Russia’s invasion by using fake accounts to post pro-Russia comments on content by influencers and media,” the company said in its report. The troll farm attempted to return several times, but the company continued to detect and disable its work, which included the use of 45 Facebook accounts, 1,037 Instagram accounts, and approximately $1.4k in advertising spending on both platforms paid for in rubles. Separately, the company stated that it took action against the Bitter APT, a group of hackers based in South Asia who distributed malware to targets in New Zealand, India, Pakistan, and the UK. The Hill

LAW & DATA PRIVACY

Details and screenshots of a recently obtained prototype version of the Pegasus spyware designed for Israeli police reveal the tools and broad capabilities of a system slated to be used in daily Israeli police work. The spyware’s suite of tools include various capabilities sought by police, such as listening to any phone call on an infected phone, reading text messages, and remotely opening the microphone and camera without the phone owner’s knowledge. The police intended to demonstrate the scope of the spyware in a hacked device by including location, contact list, messages, emails, instant messaging, outgoing and incoming calls, calendar, remote recordings, remote camera use, microphone use, and other data. It is unclear whether or not these tools, as well as the physical appearance and capabilities of the police-implemented system, were ever presented to cabinet ministers. According to a source familiar with the details, the proposal was also submitted to senior security officials in 2015. The presentation included screenshots from the initial prototype of the system the police intended to use, which show the NSO logo and the product name Pegasus. Furthermore, they exhibit some of the distinguishing characteristics that, according to reports from Israel and other countries, are present in the spyware. According to sources familiar with the Pegasus system, which is now used by other organizations, the version described in the presentation, which was planned about eight years ago, was either an earlier version of the current software or a demo version.

[Image: Interception Messages]

WIRED, Haaretz

DuckDuckGo recently announced that its privacy browser will now block all third-party Microsoft tracking scripts. This change comes after the company received widespread criticism in May for failing to block certain third-party Microsoft trackers in the DuckDuckGo browser due to a syndicated search content agreement between the two companies. The blocking of Microsoft trackers is being rolled out through the 3rd-Party Tracker Loading Protection feature. However, because DuckDuckGo relies on Microsoft Advertising for search engine ads, there will be some limited support for Microsoft trackers when using the privacy browser. When a user clicks on an advertisement in a DuckDuckGo search, the DDG browser allows tracking scripts from bat.bing.com to run once on the advertiser’s site. This allowance enables advertisers to track the effectiveness of their advertising campaigns. DuckDuckGo, on the other hand, will block any future requests from that site that attempt to load trackers from bat.bing.com. DuckDuckGo stated that they hope to replace bat.bing.com trackers in the future with private ad conversion implementations that Firefox and Safari are working on. Bleeping Computer
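The exception described above is narrow and stateful: the bat.bing.com script is allowed exactly once, only on the advertiser page reached from a DuckDuckGo ad click, and is blocked everywhere else and on every later request. The model below is an added example of that rule as a per-tab decision function; it is not DuckDuckGo’s code, and the tab bookkeeping, host names other than bat.bing.com, and the `allow-once` verdict are assumptions for illustration.

```python
from dataclasses import dataclass

# bat.bing.com is the tracker host the article names; the search host and
# the advertiser / news hosts below are assumed values for the simulation.
MS_TRACKER_HOSTS = {"bat.bing.com"}
SEARCH_ENGINE_HOST = "duckduckgo.com"


@dataclass
class TabState:
    page_host: str
    allowance_remaining: int = 0  # one-shot allowance granted on an ad click


class TrackerLoadingPolicy:
    """Per-tab model of the 3rd-Party Tracker Loading Protection exception:
    an ad click from the search results grants one load of the Microsoft
    tracker on the landing page; any further request is blocked."""

    def __init__(self):
        self.tabs = {}

    def navigate(self, tab_id, to_host, referrer_host=None, ad_click=False):
        # The allowance is granted only when the navigation is an ad click
        # originating from the search engine; organic visits get none.
        grant = 1 if (ad_click and referrer_host == SEARCH_ENGINE_HOST) else 0
        self.tabs[tab_id] = TabState(page_host=to_host, allowance_remaining=grant)

    def decide(self, tab_id, script_host):
        """Return 'allow-once', 'block' or 'allow' for a script load."""
        tab = self.tabs[tab_id]
        if script_host not in MS_TRACKER_HOSTS:
            return "allow"  # not a Microsoft tracker; outside this policy
        if tab.allowance_remaining > 0:
            tab.allowance_remaining -= 1  # consume the single allowance
            return "allow-once"
        return "block"


def simulate_ad_click_flow():
    """Walk through the two cases the article describes and return the verdicts:
    [first tracker load after ad click, second load on the same page,
     tracker load on an organic visit, a non-tracker script]."""
    policy = TrackerLoadingPolicy()
    policy.navigate("tab1", "advertiser.example",
                    referrer_host=SEARCH_ENGINE_HOST, ad_click=True)
    first = policy.decide("tab1", "bat.bing.com")
    second = policy.decide("tab1", "bat.bing.com")
    policy.navigate("tab2", "news.example")  # organic visit, no ad click
    organic = policy.decide("tab2", "bat.bing.com")
    other = policy.decide("tab2", "cdn.example")
    return [first, second, organic, other]


if __name__ == "__main__":
    print(simulate_ad_click_flow())
```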
