Strategic insights for leaders from tactical cyber observers.

As the world becomes increasingly dependent on the internet and cyberspace remains a contested environment, leaders must monitor geopolitical and cybersecurity risks more than ever. LookingGlass presents the Cyber Monitor – a weekly rollup of analysis and trending topics in cybersecurity for executives to keep abreast of threats, incidents, and risks to their organization and national security.


EDITOR’S HIGHLIGHTS

Security researchers revealed a vulnerability in Honda’s keyless entry system that could allow hackers to remotely unlock and start Honda vehicles. The “Rolling-Pwn” attack, uncovered by Star-V Lab security researchers Kevin2600 and Wesley Li, exploits a vulnerability in the way Honda’s keyless entry system transmits authentication codes between the car and the key fob. It works in a similar way to the recently discovered Bluetooth replay attack affecting some Tesla vehicles. Using easily purchasable radio equipment, the researchers eavesdropped and captured the codes, then broadcasted them back to the car to gain access. This allowed them to remotely unlock and start the engines of cars affected by the vulnerability, which includes models from as far back as 2012 and as recent as 2022. As noted by the researchers, this kind of attack should be prevented by the vehicle’s rolling codes mechanism – a system introduced to prevent replay attacks by providing a new code for each authentication of a remote keyless entry. Vehicles have a counter that checks the chronology of the generated codes, increasing the count when it receives a new code. Kevin2600 and Wesley Li found that the counter in Honda vehicles is resynchronized when the vehicle gets lock and unlock commands in a consecutive sequence, causing the car to accept codes from previous sessions that should have been invalidated. As noted by the researchers, fixing the flaw would be difficult because older vehicles don’t support over-the-air (OTA) updates. They also warned that there’s no way to guard against the hack and no way for victims to discover it happened to them. TechCrunch
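An added example, not code from the researchers or from Honda: a simplified Python model of the rolling-code check described above, contrasting a receiver whose counter only moves forward with one that resynchronizes on a run of consecutive frames. The frame layout, the HMAC tag, the `WINDOW` and `RESYNC_RUN` values, the class names and the resync rule are assumptions made for illustration; real key-fob protocols differ.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not a real fob secret
WINDOW = 16       # assumed look-ahead window for missed button presses
RESYNC_RUN = 3    # assumed: consecutive frames that trigger a resync
LOCK, UNLOCK = 1, 2


def make_frame(key, counter, command):
    """Fob side: 4-byte counter + 1-byte command + truncated HMAC tag."""
    body = struct.pack(">IB", counter, command)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]


def parse_frame(key, frame):
    """Return (counter, command) if the tag verifies, else None."""
    if len(frame) != 13:
        return None
    body, tag = frame[:5], frame[5:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return None
    return struct.unpack(">IB", body)


class StrictReceiver:
    """Accepts a frame only if its counter is ahead of the last accepted one."""

    def __init__(self, key, counter=0):
        self.key = key
        self.counter = counter  # last accepted counter; only ever increases

    def in_window(self, counter):
        return self.counter < counter <= self.counter + WINDOW

    def receive(self, frame):
        parsed = parse_frame(self.key, frame)
        if parsed is None or not self.in_window(parsed[0]):
            return False
        self.counter = parsed[0]
        return True


class ResyncingReceiver(StrictReceiver):
    """Simplified model of the flaw: a run of consecutive frames resets the
    counter, even when every frame in the run is older than the counter."""

    def __init__(self, key, counter=0):
        super().__init__(key, counter)
        self.run_last = None
        self.run_len = 0

    def receive(self, frame):
        parsed = parse_frame(self.key, frame)
        if parsed is None:
            self.run_last, self.run_len = None, 0
            return False
        counter = parsed[0]
        consecutive = self.run_last is not None and counter == self.run_last + 1
        self.run_len = self.run_len + 1 if consecutive else 1
        self.run_last = counter
        if self.in_window(counter):
            self.counter = counter
            return True
        if self.run_len >= RESYNC_RUN:
            self.counter = counter  # FLAW: counter moves backwards
            return True
        return False


def replay_results():
    """Feed both receivers the same earlier-session frames a second time."""
    # Constructed sample traffic: four presses from an earlier session.
    earlier = [make_frame(KEY, c, cmd) for c, cmd in
               [(5, LOCK), (6, UNLOCK), (7, LOCK), (8, UNLOCK)]]
    results = {}
    for name, cls in (("strict", StrictReceiver), ("resyncing", ResyncingReceiver)):
        rx = cls(KEY)
        first_pass = [rx.receive(f) for f in earlier]      # legitimate use
        later = [rx.receive(make_frame(KEY, c, LOCK)) for c in range(9, 12)]
        assert all(first_pass) and all(later)
        results[name] = [rx.receive(f) for f in earlier]   # same frames again
    return results


if __name__ == "__main__":
    for name, outcome in replay_results().items():
        print(f"{name:10s} replay accepted: {outcome}")
```

The property to check in a receiver design is that no code path, including resynchronization, can lower the stored counter.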

Albania was hit by a massive cyberattack over the weekend, the government confirmed on Monday, July 18, prompting the shutdown of government systems. A synchronized criminal attack from abroad hit the servers of the National Agency for Information Society (AKSHI), which handles many government services; government services were down on Monday after the attack. Most of the desk services for the population were interrupted, and only several important services, such as online tax filing, continued to work because they were provided by servers not targeted in the attack. The Microsoft – Jones Group International team is helping AKSHI to mitigate the effect of the attack and restore operations. Security Affairs

Analyst Comment: The Albanian government described the incident as a “synchronized criminal attack from abroad.” This attack is another example of how vulnerable government and public services can be to cyberattacks. As governments migrate to digitizing their services, it is important to consider and implement continuity policies and procedures. The attack in Albania limited access to some of the public services due to their reliance on the e-Albania portal. Previously, a ransomware attack devastated government organizations’ operations in Costa Rica. Ukrainian public services platforms have also been targeted by cyberattacks leading up to the full-scale Russian invasion of the country. All of these events highlight the importance of continuity efforts, along with planning of defense and response actions.


The cybersecurity market in the insurance sector will reach $10.6B by 2025, according to GlobalData’s Cybersecurity in Insurance report. Between 2020 and 2025, revenues are expected to grow at a CAGR of 10.7%. This expansion will be fueled by the sector’s rapid digital transformation. Cybersecurity software will grow the fastest, with a CAGR of 14.6%, followed by hardware (10.7%) and services (5.5%). The rise of sophisticated ransomware attacks, the persistence of hybrid working models, ongoing supply chain risks, and the Russia-Ukraine war have all heightened the need for robust cybersecurity defenses across industries. Although the pandemic has increased the demand for cyber insurance, insurers have yet to improve penetration rates. In addition to increased demand due to increased cyber risks, recent cyberattacks have made cyber insurance a risky investment, resulting in higher insurance prices. The increased demand for assessing cybersecurity risks is reflected in the sharp increase in the number of active cybersecurity-related jobs in the insurance sector. Between Q1 2020 and Q1 2022, the number of cybersecurity-related jobs in insurance companies increased dramatically. The most rapid growth, 48%, occurred between Q4 2020 and Q1 2021. GlobalData

Cybersecurity vendor Trustwave has published the Decade Retrospective: The State of Vulnerabilities blog post featuring a list of what it considers to be the 10 most prominent and notable network security issues and breaches of the last 10 years:

  1. SolarWinds hack and FireEye breach: A supply chain cyberattack on network monitoring tool SolarWinds Orion in December 2020 that victimized myriad corporations and US government agencies. Cybercriminals exfiltrated FireEye red teaming tools and internal threat intelligence data. They also planted a malicious backdoor update (dubbed SUNBURST) that impacted ~18k customers.
  2. EternalBlue exploit and the WannaCry/NotPetya ransomware attacks: In 2017, the hacking group Shadow Brokers leaked significant exploits stolen from the NSA which were used to carry out the highly damaging WannaCry and NotPetya ransomware outbreaks that damaged health services in the UK and Ukraine.
  3. Heartbleed flaw in OpenSSL: The Heartbleed vulnerability of 2014 continues to threaten more than 200k vulnerable systems today.
  4. Shellshock remote code execution in Bash: A bug in the “Bourne Again Shell” (Bash) command-line interface existed for 30 years before its discovery in 2014. The vulnerability allowed threat actors to take control of a system without a username or password.
  5. Apache Struts remote command injection and Equifax breach: A critical zero-day vulnerability affecting the Jakarta Multipart parser in web application development framework Apache Struts 2 allowed remote command injection attacks by incorrectly parsing an attacker’s invalid Content-Type HTTP header. In 2017, hackers used the vulnerability to gain access to Equifax company data, potentially compromising the information of 143M people.
  6. Speculative execution vulnerabilities Meltdown and Spectre: Speculative execution vulnerabilities from 2018 could be used to exploit computer CPUs to gain access to data stored in the memory of other running programs.
  7. BlueKeep and remote desktops as an access vector: BlueKeep, discovered in 2019, was a remote code execution vulnerability in Microsoft Remote Desktop Services. Security researchers considered it to be “wormable” – attackers could use it to spread malware from computer to computer without human intervention.
  8. Drupalgeddon series and CMS vulnerabilities: The Drupalgeddon series, discovered in 2014 and 2018, respectively, consists of two critical vulnerabilities still considered active by the FBI.
  9. Microsoft Windows OLE vulnerability Sandworm: The Microsoft Windows Object Linking and Embedding (OLE) vulnerability CVE-2014-4114, detected in 2014, was used in Russian cyber-espionage campaigns targeting NATO, Ukrainian, and Western government organizations, and firms in the energy sector.
  10. Ripple20 vulnerabilities and the growing IoT landscape: In June 2020, Israeli IoT security company JSOF published 19 vulnerabilities collectively called Ripple20 to illustrate the “ripple effect” they will have on connected devices in the future.

CSO Online

Analyst Comment: Cybersecurity is an industry that moves at a very fast pace, with new vulnerabilities discovered daily. Because the industry moves so quickly, some vulnerabilities that were discovered a few years ago may become overlooked with time. However, some of these vulnerabilities still pose a threat. For example, last year InfoSecurity Magazine reported on a study focused on healthcare security, where 52% of participants admitted that their organization was not protected against the BlueKeep vulnerability, 64% were unprotected against WannaCry and 75% for NotPetya. Such studies highlight the importance of looking back into the most prominent threats of the past few years.

Major software supply chain attacks have had a significant impact on C-suite executives’ software security awareness and decision-making, leading to increased investment in monitoring attack surfaces. Organizations are recognizing the importance of establishing better software supply chain risk management policies and are taking steps to address the escalating threats and vulnerabilities targeting this expanding attack surface. These are some of the findings of a Coalfire-sponsored, CyberRisk Alliance-conducted survey of 300 software-buying and software-producing companies. 52% of the survey respondents said they are “very” or “extremely” concerned about software supply chain risks, and 84% said their organization is likely to allocate at least 5% of their AppSec budgets to managing software supply chain risk. Software buyers intend to invest in procurement program metrics and reporting, application pen-testing, and software bill of materials (SBOM) design and implementation, according to the report. In the meantime, software developers have stated that they intend to invest in secure code review as well as SBOM design and implementation. Additionally, 59% of software-development company customers have experienced purchase delays of up to three months due to code provenance concerns. Concerns about the software supply chain were raised by 51% of senior management (C-suite) buyers, second only to security team members (60%). On the software supplier side, 71% of respondents said that DevOps departments, more than security teams (63%), drive software supply chain decision-making. Given this perspective, the DevSecOps teams can positively impact an organization’s software supply chain security status by implementing good policies and practices regarding what open source code is included in their software and when those open source components are upgraded, according to Dan Cornell, VP at Coalfire. Dark Reading


NATION STATE ACTIVITY

Chinese-aligned hackers targeted White House correspondents and other US political reporters in the run-up to the January 6, 2021 attack on the US Capitol as well as the Russian invasion of Ukraine, according to a new report from cybersecurity firm Proofpoint. The report emphasizes the cybersecurity threats that journalists and other members of the news media face, who have long been popular targets for cyberspies. According to the report, the threat actor Proofpoint tracks as TA412 has carried out a series of phishing attempts targeting US-based journalists since early 2021. Researchers believe the attackers are working for the Chinese government. To gain potential insight into targets and their networks, TA412 sent messages with invisible embedded images, also known as web beacons or tracking pixels. The researchers identified five campaigns from TA412 between January and February of 2021. In the days leading up to the Capitol attack, the company also observed the TA412 pivot, focusing on White House correspondents and other Washington, DC-based reporters. According to the report, malicious emails sent to targets during that time period used subject lines “pulled from recent US news articles.” The group resurfaced in August 2021, this time focusing on journalists covering cybersecurity and surveillance issues. According to the report, another Chinese APT group, TA459, targeted journalists with emails containing a malicious attachment that infected their machines with the Chinoxy malware, giving the attackers backdoor access to victims’ systems. The Record

Analyst Comment: Techniques used by TA412 and TA459 to target White House correspondents and other US political and cyber security reporters are not novel. These campaigns are often aligned with Beijing’s political initiatives. In recent years, there has been growing rhetoric within China criticizing media from the West for bias against China and depicting international media as part of a wider plot to discredit Beijing. With successful phishing and malware campaigns to gain intelligence and infiltrate the reporting community, Beijing will be able to monitor and manipulate their perceptions. Additionally, China is known for its sensitivity toward international criticism, especially on human rights issues in Xinjiang, Tibet, and Hong Kong. Organizations in the US focused on these issues have been targeted by other China-linked APT groups in recent months. Journalists and personnel who report and work on issues sensitive to China are likely to be monitored by China’s intelligence community and face increasing phishing and malware targeting.

Chinese state media claimed that an APT group operating from India under the assumed name “Confucius” launched cyberattacks on the Pakistani government and military institutions. The Chinese cybersecurity company Antiy conducted a one-and-a-half-year investigation and determined that the group’s first attacks can be dated to 2013, the Global Times reported. The state-run Global Times alleged that the group primarily targeted the governments, military, and energy sectors of neighboring countries such as China, Pakistan, and Bangladesh to steal sensitive data. According to the Chinese media outlet, India employs these APTs as tools of cyberwarfare against China and its neighbors in South Asia with the help of state intelligence. Li Bosong, the chief engineer of Antiy, alleges that the group is skilled at using spear-phishing emails, phishing websites, and specific social engineering techniques to attack targets, adding that the hackers have studied Chinese culture during their repeated attacks on China. The group sends specialized spear-phishing emails under the guise of Pakistani government employees. After the recipient downloads or opens the documents, Trojan horse programs that steal data are installed on the computer. Antiy claims to have carefully examined attack samples from the group and found that the hackers shared tools and codes with SideWinder, another APT group. According to the report, international cybersecurity firms had previously disclosed that the APT group, known as Confucius, had also exchanged codes with other Indian groups like Urpage. Eurasian Times

Analyst Comment: Palo Alto Networks identified two clusters of activities related to Confucius malware in 2016. They suggested that these malware families were likely linked to a single developer, possibly of Indian origin. Palo Alto research had limited information on the targets, but they appear to be based in the Middle East and parts of Asia, and concentrated in Pakistan. Enterprises in other parts of the globe have also been targeted. Antiy analyzed the TTP used by the Confucius group from 2021 and indicated that the primary target of the operation is the Pakistani government and military organizations. The attacker embedded different types of malicious links in the body of the phishing email and an attached PDF file. To make the phishing campaign attractive to the victims, the threat actors used website cloning tools to build phishing sites that imitate the official websites of Pakistani government departments. Notably, the attackers would use CloudFlare to filter the IP addresses. Only IPs in certain countries can access the embedded malicious phishing sites. This shows that threat actors have specific targets in recent activities, which could be an evolution different from Palo Alto’s assessment of the group in 2016.

Antiy became one of the technical support units for China’s national network and information security in 2015 and signed a strategic agreement with China Communication Services in March 2022. There is a close tie between Antiy and the central government. It is plausible that the recent release of the research on Confucius’ activities was under Beijing’s direction signaling their possible intention to stir up tensions between India and Pakistan.


The Russian hackers responsible for the SolarWinds breach of US government networks have continued to hack US organizations to gather intelligence while also targeting an unnamed European government that is a NATO member, according to cybersecurity analysts. The new findings demonstrate how tenacious the hacking group — which US officials have linked to Russia’s foreign intelligence service — is in its pursuit of intelligence held by the US and its allies, as well as how skilled the hackers are at targeting widely used cloud-computing technologies. The hacking efforts come as Russia’s invasion of Ukraine continues to strain US-Russia relations and drive both governments’ intelligence gathering efforts. A separate report released on July 19 by US cybersecurity firm Palo Alto Networks revealed that the Russian hacking group attempted to deliver malicious software to the embassies of an unnamed European government in Portugal and Brazil in May and June using popular services such as Dropbox and Google Drive. Another indication of Russia’s search for Western intelligence was highlighted on July 19, when Google’s Threat Analysis Group (TAG) detailed a possible effort, coordinated with Russia’s FSB intelligence service, to track Ukrainian hackers who have targeted Russian organizations. The hacking group set up a web application designed to mimic a tool used by the Ukraine IT Army, a group of hackers encouraged by the Ukrainian government that has targeted Russian corporate and government websites. The hackers may have been able to track who downloaded the app and potentially collect information on Ukrainian hackers who have been a thorn in the Russian government’s side. Turla is the group responsible. It is regarded as one of the Russian government’s top espionage teams, alongside the hacking group responsible for the SolarWinds intrusions and other groups, and has long been linked to skilled break-ins of Western government networks. Turla has targeted government organizations in Latvia, Lithuania, and other European countries since Russia’s full-scale invasion of Ukraine in February, according to Leonard. However, this was the first time the hackers had been spotted in Ukraine in four or five months. CNN

Analyst Comment: Sophisticated nation state actors are normally described as Advanced Persistent Threat (APT) groups, meaning that their activity may stay undetected for a long period of time. While this activity by SolarWinds hackers (carried out by APT29 aka Cozy Bear) and Turla has been discovered very recently, it likely includes campaigns that have been going on for a longer period of time.

Despite Kremlin-linked hackers’ focus on launching cyberattacks against Ukraine, Russia continues to pose a cyber threat to the US midterm elections, according to US national security officials. The heads of the NSA and FBI warned on Tuesday, July 19 that Russia-linked groups, which have hampered Kyiv with a series of mostly low-level cyberattacks over months, may still try to destabilize US elections in November through hacking and disinformation campaigns. Gen. Nakasone and Mr. Wray, who said they talk about once a week, said their teams’ coordination has improved as other agencies’ cyber capabilities have improved. Officials have also increasingly turned to American tech companies and other businesses for assistance in countering propaganda campaigns, disrupting hackers’ digital infrastructure, and analyzing malware from countries such as Russia. WSJ

Analyst Comment: LookingGlass continues to observe cyber threats targeting elections and election-related entities (including local governments, political parties, and candidates) and we assess they will continue in the coming years. This can include a variety of threats, such as hacking and disinformation campaigns coming from threat actors that can be linked to different nation states. It is worth mentioning that successful campaigns targeting US or European elections may have an impact on other current events, including the war in Ukraine.

Researchers who helped thwart Russian APT group Sandworm’s recent attack on Ukraine’s power supply will disclose at Black Hat USA their findings while reverse-engineering the Industroyer2 malware. An ESET team – along with Ukraine’s computer emergency response team (CERT-UA) and Microsoft – in April blocked a cyberattack by Sandworm on an energy company in Ukraine using a new version of its Industroyer malware weapon, Industroyer2. If it had not been countered in time, the attack would have knocked several high-voltage substations from part of the nation’s electric grid. Industroyer2 is a more custom version of the first iteration (Industroyer) that Sandworm unleashed in December 2016, temporarily knocking out power in parts of Kyiv. Industroyer was the first known malware able to shut out the lights. The research team plans to reveal more technical details about Sandworm that haven’t yet been made public, as well as share recommendations for utilities to defend against the nation-state group’s attacks. Dark Reading


HACKTIVISM

The US Supreme Court justices who overturned Roe v. Wade last month may have been doxxed. According to threat intel firm Cybersixgill, the personal information of five Supremes – Justices Samuel Alito, Clarence Thomas, Neil Gorsuch, Brett Kavanaugh, and Amy Coney Barrett – may have been revealed. The findings were published by Cybersixgill’s security research lead Dov Lerner. According to Lerner, the doxes were on “various dark web forums,” and the “most notable” dox – which included physical addresses, IP addresses, and credit card information – happened on June 30. One of the perps claimed to post the justices’ information because they “focus[ed] on something unnecessary rather than focusing on bigger issues in [A]merica.” In a separate forum post, a doxxer published what’s said to be Alito’s and Thomas’ spouses’ names, birthdays, email addresses, phone numbers, social media accounts, and vehicle makes and models, judging from a screenshot. The activity comes after the judges’ personal information was shared on TikTok by furious Gen Zers. The Register

Analyst Comment: Doxxing is a commonly used hacktivist technique. Hacktivists and other attackers often use it to target celebrities, executives, and politicians. Doxxing is used as a way to humiliate, harass, and intimidate a victim. In this case it was also used as another method to raise awareness about a current socio-political issue.

Ukraine’s IT Army – a loose group of thousands of technologists and hackers – has been attacking Russian services and websites since Russia invaded Ukraine. On May 11, the website of RuTube, Russia’s largest streaming service and YouTube competitor, was taken offline for three straight days in what the company called the “largest cyberattack” it had ever suffered. At the end of the cyber onslaught, a volunteer group known as Ukraine’s IT Army claimed responsibility on its official Telegram channel, calling the attack “the biggest victory of the cyber war.” The hackers also claimed to have changed admin passwords, deleted and stole internal data, and blocked employees’ access cards to the company’s server rooms, locking people in. Ever since it was launched, just two days after Russia invaded Ukraine, the IT Army has claimed several victims, including Mvideo, a large Russian consumer electronics chain; QIWI, a popular Russian payment service provider; Asna, a network of more than 10k pharmacies in Russia; and EGAIS, the Russian government’s unified state automated alcohol accounting information system. The group has been a central figure in the fight that Ukraine and Russia are waging in cyberspace, and it’s breaking new ground in terms of what a volunteer, quasi-hacktivist group can do during war. While the IT Army has conducted various types of cyberattacks, it has mostly used DDoS as its weapon of choice and is now releasing its own DDoS tools. Vice.com


CYBERCRIME

Microsoft last week sounded the alarm on a North Korean threat actor using the H0lyGh0st ransomware in attacks targeting small and midsize businesses worldwide. The hackers, who call themselves H0lyGh0st and are tracked by Microsoft as DEV-0530, have been using ransomware since at least June 2021, and have compromised numerous organizations since September 2021. Like other ransomware groups, the group engages in double extortion, threatening to release sensitive information stolen from victims unless a ransom is paid. DEV-0530 appears connected to the North Korea-linked APT actor DarkSeoul (also known as Plutonium and Andariel), based on email communication and on DEV-0530’s use of tools exclusive to DarkSeoul, the Microsoft Threat Intelligence Center (MSTIC) explains. Microsoft says that North Korean threat actors’ use of ransomware might be sanctioned by the country’s government to offset economic setbacks caused by the COVID-19 lockdown. However, it is equally possible that the adversary is using ransomware for personal gain, which could explain an “often-random selection of victims.” According to the tech giant, in November 2021, DEV-0530 successfully compromised several small-to-midsize businesses in the manufacturing, finance, education, and event and meeting planning sectors in multiple countries. Likely opportunistic, the attacks exploited vulnerabilities such as CVE-2022-26352 on public-facing web assets for initial access. Security Week

Analyst Comment: H0lyGh0st ransomware activity is a good example of how ransomware can affect not only large enterprises, but also small and midsize businesses. However, unlike large organizations, small businesses are often not as well-equipped and may lack resources required to protect them from ransomware attacks and other forms of cybercrime.

While Bitcoin has fallen more than 70% from its highs last year, some security firms have observed an impact on ransomware activity. Since the beginning of this year, ransomware attacks have dropped by about a quarter, according to cybersecurity firm Arctic Wolf. Moreover, data released by the Identity Theft Resource Center reveals that ransomware attacks leading to data breaches fell 20% in the second quarter of 2022 compared with the first quarter of this year and have declined quarter over quarter. In an analysis of 34 Dark Web cryptocurrency exchanges, which typically charge high fees of 2% to 15% of transactions for anonymity, Cybersixgill found that none of them have continued to advertise the capability to exchange cryptocoins for cash. The shake-up in Dark Web cryptocurrency exchanges could account for the drop in ransomware since the beginning of the year; however, cybercriminals may also be shifting tactics. For example, business email compromise (BEC) has always outpaced ransomware in terms of profitability for cybercriminals and damages to companies. Other explanations for a drop in ransomware attacks include the disruption of Conti – associated with an 18% drop in ransomware activity – and Russia’s invasion of Ukraine, as both countries are home to some primary ransomware actors. However, other data suggests that ransomware groups are recovering quickly. Threat intelligence firm Digital Shadows found that the 88 data-leakage websites it tracks had listed 705 victims in the second quarter of 2022, up 21% from the previous quarter. Dark Reading

Analyst Comment: The article by Dark Reading brings up valid points, a combination of which may lead to the decrease of ransomware activity. Because many ransomware groups are financially motivated, some of them may transition to other forms of cybercrime, including BEC. For the same reason, due to the volatile nature of cryptocurrency, they may be driven to look for other payment options.

Nation-state actors and cybercriminals benefit from crypto mixers that create a disconnect between the cryptocurrency funds users deposit and what they withdraw. While the value received by mixers fluctuates significantly day-to-day, the 30-day moving average reached an all-time high of $51.8M worth of cryptocurrency on April 19, 2022, roughly doubling incoming volumes at the same point in 2021. According to Chainalysis data, the Russian darknet market Hydra accounts for 50% of all funds moving to mixers from sanctioned entities this year. Given the outsized role that Russia plays in cybercrime, and the connections some of these cybercriminal groups have to Russian intelligence services, an increase in funds moving from services like Hydra to mixers could be significant from a national security standpoint. Nearly all the remaining funds moving from sanctioned entities to mixers come from two groups associated with the North Korean government: Lazarus Group and Blender.io. Lazarus Group is a cybercrime syndicate responsible for several cryptocurrency hacks on behalf of the North Korean government, and along with associated groups remains extremely active. Blender.io, on the other hand, became the first ever mixer sanctioned this year for its role in laundering funds stolen by Lazarus Group and others associated with North Korea. Any funds it sends to other mixers could represent a continuation of that activity. The data shows that mixers currently pose a significant money laundering risk, with 25% of funds coming from illicit addresses. Chainalysis


[Figure: Quarterly Illicit Cryptocurrency Received, 2017-2022]

Analyst Comment: Crypto mixers have been one of the most common approaches cybercriminals use to obfuscate money flows, along with so-called “chain-hopping” – jumping between different cryptocurrencies. After the Hydra shutdown in the spring of 2022, cybercriminals were forced to look for alternative marketplaces that could offer mixing services. Based on recent LookingGlass observations, it appears that at least some of this activity has moved over to the RuTor forum. While cybercriminals face some challenges due to the recent Hydra shutdown, crypto mixers will likely continue posing a money laundering risk.

The education sector got hit with even more ransomware attacks in 2021, impacting almost 67% of higher education organizations, Sophos concluded in a new survey. This is an increase from the 44% of respondents in lower and higher education who reported ransomware attacks in 2020, but it is consistent with an overall increase in ransomware attacks. Ransomware targeting schools is not uncommon, but the financial and operational consequences are unusual. Ransomware attacks affect schools and universities more than other industries, according to Sophos. Across all industries, colleges and universities are the most affected, with 97% of higher education respondents reporting that ransomware attacks have impacted their ability to operate. Higher education IT professionals also report the slowest recovery times from ransomware attacks. Colleges and universities take twice as long as other industries to recover from a ransomware attack — 40% took more than a month, 31% took one to three months, and 9% recovered in three to six months, according to Sophos. The cost of remediation is another anomaly. Higher education institutions reported a $1.42M average remediation cost per ransomware attack, while lower education institutions reported a $1.58M cost. Cybersecurity Dive


CRITICAL INFRASTRUCTURE

ENERGY

A threat actor is infecting industrial control systems (ICS) to create a botnet through password “cracking” software for programmable logic controllers (PLCs). Advertised on various social media platforms, the password recovery tools promise to unlock PLC and HMI (human-machine interface) terminals from Automation Direct, Omron, Siemens, Fuji Electric, Mitsubishi, LG, Vigor, Pro-Face, Allen Bradley, Weintek, ABB, and Panasonic. Security researchers at industrial cybersecurity company Dragos analyzed one incident impacting DirectLogic PLCs from Automation Direct and discovered that the “cracking” software was exploiting a known vulnerability in the device to extract the password. The tool also dropped Sality, a piece of malware that creates a peer-to-peer botnet for tasks that use distributed computing power to finish faster, such as password cracking or cryptocurrency mining. Sality can terminate processes, open connections to remote sites, download additional payloads, or steal data from a host. The malware can also inject itself into running processes and abuse the Windows autorun function to copy itself onto network shares, external drives, and removable storage devices that could carry it to other systems. The specific sample analyzed by Dragos appears to be focused on stealing cryptocurrency. Bleeping Computer

Analyst Comment: There are a few scenarios in which employees may look for password cracking software on the internet. Some of these involve poor management of account credentials by industrial businesses, combined with employees who are pressed for time while attempting to recover a lost password. To prevent Sality or similar infections, organizations should develop and implement strong account credential policies and procedures, including discouraging their employees from using password cracking software.

HEALTHCARE

A ransomware attack on a debt collection agency in February may have exposed the data of nearly 2M patients, according to an update on HHS’ breach reporting portal. Professional Finance Company (PFC), based in Northern Colorado, disclosed the attack earlier this month, informing more than 650 of its healthcare provider clients that their data may have been compromised. According to the HHS portal, this is the second-largest health data breach this year, following the March cyberattack on medical imaging and outpatient surgical services provider Shields Health Care Group. Cyberattacks in the healthcare sector are becoming more common, raising industry concerns because an attack on one company can have far-reaching consequences for patient data in today’s interconnected world of health information systems. Along with directly targeting providers, malicious actors are also targeting third-party contractors as a means of gaining access to the troves of sensitive medical data that providers collect. Hackers were able to access and disable some of the company’s computers before PFC detected and blocked the attack, gaining access to information such as patient names, addresses, SSNs, health insurance data, and medical treatment data. Among those affected are the Arizona-based nonprofit Banner Health and the Nevada physician network Renown Health. Healthcare Dive

Analyst Comment: Healthcare has been a frequent target in recent years, despite the fact that some cybercriminals promised not to target healthcare institutions in the early days of the COVID-19 pandemic. Targeting healthcare is also generally frowned upon in underground communities, according to LookingGlass observations. However, some cybercriminals still see targeting healthcare institutions as profitable. There are many attack vectors within the sector, ranging from common techniques like phishing and the use of remote services to the exploitation of vulnerable IoT devices in healthcare settings.

Federal investigators “disrupted” a North Korean state-sponsored hacking group that targeted US medical facilities and other health organizations, a top Justice Department official stated on Tuesday, July 19. According to Deputy Attorney General Lisa Monaco, the cyberattacks included the targeting of a medical center in Kansas last year, which disabled the hospital’s systems that store important data and run key equipment. Monaco stated that the government’s investigation resulted in a public warning about “Maui” ransomware targeting the health sector, in collaboration with the DHS. During the investigation into the ransomware attacks on medical centers, the FBI identified China-based money launderers who “regularly assist the North Koreans in ‘cashing out’ ransom payments,” according to Monaco, and seized approximately $500k in payments and cryptocurrency, including all funds paid by the Kansas medical center. Bloomberg


GOVERNANCE

USG

The Cyber Safety Review Board (CSRB) of the US Department of Homeland Security has concluded that the Apache Log4j vulnerability will continue to pose a significant risk to organizations for the next decade or longer. The newly formed board, comprised of private industry and government cybersecurity experts, determined that the open source community is under-resourced to ensure the security of its code and that broad assistance from stakeholders in both the private and public sectors is required. The Log4j vulnerability was found by an Alibaba Cloud Security team engineer in the PRC and reported to the Apache Software Foundation team that maintains Log4j. Prior to the public release of a patch, however, the vulnerability and proof of concept code were posted to Chinese social media WeChat by Chinese security firm BoundaryX. Significantly, the Board found that there was no evidence of malicious exploitation of Log4j prior to public disclosure. It couldn’t say for sure how the researcher at BoundaryX uncovered the vulnerability, but Board member Dmitri Alperovitch believes it likely the vulnerability was reverse engineered from information publicly available on the Log4j project’s tracking system. The board has recommended that federal agencies, as some of the largest consumers of open source code, contribute to open source security and urged the government to consider funding investments to improve ecosystem security in a recently published report. The CSRB issued a set of 19 high-level recommendations for organizations to follow in order to reduce their exposure to Log4j-related attacks and other similar software supply chain risks in the future. Organizations should look for and replace vulnerable Log4j versions, establish processes to prevent the reintroduction of vulnerable versions into the environment, and keep an accurate inventory of IT assets and applications. 
The CSRB’s findings and recommendations are the result of a months-long investigation into the circumstances surrounding the Log4j vulnerability disclosure and the responses from the open source community, technology vendors, government and private organizations. Dark Reading, Risky Biz

Six vulnerabilities in a popular GPS tracking device could allow malicious hackers to secretly track, disrupt, or remotely shut off vehicles, federal cybersecurity officials warned Tuesday. “Successful exploitation of these vulnerabilities could allow an attacker control over any MV720 GPS tracker, granting access to location, routes, fuel cutoff commands and the disarming of various features (e.g., alarms),” according to CISA. The Chinese-made tracker is known as the MiCODUS MV720 GPS tracker; there are 1.5M of these devices currently in use across 169 countries, according to BitSight. Organizations using the trackers include a Fortune 50 energy, oil, and gas company; a national military in South America; a Fortune 50 technology company; a nuclear power plant operator; and state officials in the US, according to BitSight. The insecurity of GPS trackers carries national security implications as some cars in the US are outfitted with tracking devices that Chinese military officials could conceivably shut down. CyberScoop

Analyst Comment: Manufacturers continue to sell GPS trackers without updating security settings or patching existing vulnerabilities. Many of these devices are built on insecure code and outdated software as companies tend to prioritize price over quality. This has resulted in the ongoing use of such vulnerable devices.


On Tuesday, July 19, National Cyber Director Chris Inglis convened a National Cyber Workforce and Education Summit at the White House. During the Summit, participants came together to chart a path toward a more secure future through greater cyber awareness, education, and training. The Summit focused on the following topics:

  • The need to create and prioritize new skills-based pathways to cybersecurity jobs, including at community colleges, through Registered Apprenticeships, and via non-traditional training opportunities for Americans. Training models such as Registered Apprenticeships can allow career seekers to earn and learn at the same time while often obtaining college credit, degrees, and nationally recognized credentials.
  • The US’s opportunity in filling these open cybersecurity positions to build pipelines for historically untapped talent, including underserved and diverse communities, to reach jobs that often pay well and do not require a four-year degree.
  • How investing in cyber training and education will: (1) enable Americans to be successful in the digital economy; and (2) empower society to harness cyber capabilities to achieve individual and collective aspirations.

Whitehouse.gov

CISA announced on Monday, July 18 that its first international outpost would open in London later this month. CISA and other federal agencies have routinely collaborated with the UK’s top cyber authority, the National Cyber Security Center (NCSC), to issue joint warnings about vulnerabilities or malicious digital activity — a task that has only grown in importance since Russia’s unprovoked invasion of Ukraine. The announcement comes just days after the White House announced that CISA and the FBI had signed cybersecurity collaboration agreements with the National Cybersecurity Authority of Saudi Arabia. The two agreements are intended to promote information sharing between the two countries, including efforts to strengthen cyber defense and best practices. The Record

GEOPOLITICS

Following a report earlier this year that Russian hackers had been lurking in Budapest’s government network for more than a decade, silently stealing confidential information, NATO and EU officials expressed concern about the Hungarian government’s silence. Western officials are now more concerned about Hungary’s silence on the matter than the hacking itself, with the Orban regime refusing to publicly address the incident, share any details, or notify its allies. Risky Biz

The US House of Representatives amended the National Defense Authorization Act (NDAA) for Fiscal Year 2023, including a provision prohibiting American companies from acquiring sanctioned entities. One of the cases where this clause will apply is the acquisition of Israeli spyware maker NSO Group by US defense contractor L3Harris. Risky Biz

LAW & DATA PRIVACY

Chinese authorities are preparing to fine Didi, a Chinese mobile transportation platform, more than $1B, a move that could put an end to an investigation into the firm’s cybersecurity practices. Didi’s fine would be the largest regulatory penalty imposed on a Chinese tech company since China’s antitrust regulator fined e-commerce titan Alibaba and delivery giant Meituan $2.75B and $527M, respectively, last year. Didi’s penalty could pave the way for Beijing to ease a restriction banning it from adding new users to its platform and allow its apps to be restored on Chinese app stores. Reuters

Apple has been charged with antitrust violations in connection with Apple Pay in a complaint that accuses the company of misusing its market dominance in the mobile device industry to stymie competitor payment apps and of charging card issuers fees to boost its bottom line. The proposed class-action complaint by Affinity Credit Union is the latest antitrust battle for Apple, which has faced increased scrutiny from government regulators in recent years over its App Store policies. After a nearly two-year investigation, European regulators concluded on a preliminary basis that Apple abused its dominant position in the market for tap-to-pay apps or mobile wallets with Apple Pay. Apple can charge “payment card issuers fees that no other mobile wallet ventures can impose” by excluding competition, according to Affinity Credit Union, in a lawsuit filed Monday, July 18 in federal court in San Jose, California. Apple charges credit card issuers 0.15% on credit card transactions and 0.05% on debit card transactions. Google Pay and Samsung Pay, both of which run on the Android operating system, do not charge card issuers any fees. According to the lawsuit, Apple Pay fees “generated a reported $1B for Apple in 2019, and this revenue stream — earned from card issuers — is predicted to quadruple by 2023.” The credit union claims Apple is violating the Sherman Act, which is intended to protect competition, by tying together its mobile devices and mobile wallet and excluding all competitors. Bloomberg

Following the launch of a new “Data safety” section for the Android app in the Play Store, Google looks to be planning to remove the app permissions list from both the mobile app and the web. This week, Mishaal Rahman of Esper highlighted the change. The Data safety section, which Google began rolling out towards the end of April 2022, is the company’s reaction to Apple’s Privacy Nutrition Labels in iOS. It provides customers with a consolidated view of an app’s data gathering and processing policies. Developers of third-party applications are required to provide the appropriate information by July 20, 2022. With the deadline looming this week, the IT giant has eliminated the permissions section entirely. Facebook, Messenger, Instagram, WhatsApp, Amazon (including Amazon Prime Video), DuckDuckGo, Discord, and PhonePe are among the major apps that have yet to populate their Data safety sections. The Hacker News

The Danish data protection agency has prohibited local governments from using Google Workspace (formerly known as Google Apps and later G Suite). The agency’s decision came in a case involving the city of Helsingør, which was using Chromebooks and Google Workspace apps for administrative tasks, including school management. The Datatilsynet prohibited the use of Google Workspace, citing Google’s hidden data collection practices, which transferred personal information of Danish citizens abroad to US servers, in violation of EU and Danish legislation. Risky Biz

In a press release issued the previous week, Russia’s telecoms watchdog declared that the Twitch video streaming site had refused to remove “fakes” concerning Russia’s “special operation” in Ukraine. The statement was made in reference to the situation in Ukraine. Typically, these press releases are distributed before Roskomnadzor takes action to halt a service operating within Russia’s borders. Risky Biz

Analyst Comment: The Russian Internet watchdog Roskomnadzor treats any information about the war in Ukraine that does not align with the official version of the Russian government as “fake.” While in some cases Roskomnadzor restricted access to services that refused to remove content after its request, other instances have led to other forms of punishment, including fines imposed on Google for refusing to remove certain content from YouTube.

