The CyberWire staff.
- Conti’s brand appears to have gone into occultation (maybe for real, this time).
- LockBit has now taken Conti’s place as the biggest ransomware brand.
- Lithuania sustains a major DDoS attack.
- Iranian steel mill suspends production due to cyberattack.
- Bumblebee rising.
- Dark Crystal RAT described.
- Influence operations in the interest of national market share.
- SOHO routers under attack.
- YTStealer discovered, out and active in the wild.
- Most dangerous software weaknesses.
- Amunet as a case study in C2C market differentiation.
- C2C commodification extends to script kiddies.
- Killnet hits Norwegian websites.
- North Korea seems to have been behind the Harmony cryptocurrency heist.
- MedusaLocker warning.
Conti’s brand appears to have gone into occultation (maybe for real, this time).
Conti’s brand seems to have been retired. According to BleepingComputer, the gang shut down its data leak and negotiation sites a week ago, and they seem to have remained down at least for the rest of the week. Observers think this is the retirement of the brand, not the reform of the criminals behind it. Hive, AvosLocker, BlackCat, Hello Kitty, and the recently revitalized Quantum operation are among the gangs that have absorbed former Conti members. Other members have launched their own data extortion operations, such as Karakurt, BlackByte, and the BazarCall collective.
The gang’s ARMattack campaign last November and December looks like the brand’s last big operation, apart from its public declaration of adherence to Moscow’s cause in the war against Ukraine. Group-IB says the campaign hit some forty organizations in the US with noticeable effect.
LockBit has now taken Conti’s place as the biggest ransomware brand.
With the Conti brand retired, LockBit 2.0 is now the leading ransomware brand. A somewhat down month for the criminal enterprises, with an 18% drop in ransomware from April, leaves LockBit 2.0, Black Basta, and Hive at the top.
According to BleepingComputer, AhnLab has noticed a trend in LockBit 2.0’s attack technique. The phishbait has changed, but the approach is still phishing. The LockBit come-on now includes a bogus notice of copyright violation, with an email telling the recipient to open the attached file to see the offending material. It’s not unique phishbait: the operators of both BazarLoader and Bumblebee have used copyright claims to get their victims to bite.
Lithuania sustains a major DDoS attack.
Lithuania has sustained a distributed denial-of-service (DDoS) attack. According to the National Cyber Security Centre of Lithuania, it is very likely that attacks of similar or greater intensity will continue in the coming days, especially against the transportation, energy, and financial sectors. The Russian hacktivist group Killnet claimed responsibility for the attack. A group associated with Killnet, the “Cyber Spetsnaz,” last week threatened Lithuania with cyberattack if it continued its policy of restricting rail delivery of embargoed goods to Russia’s non-contiguous territory.
Iranian steel mill suspends production due to cyberattack.
SecurityWeek reports that one of Iran’s major steel companies, a state-owned firm, halted production on Monday due to a cyberattack. An anonymous hacking group calling itself “Predatory Sparrow” claimed responsibility, saying the attack was a response to the “aggression of the Islamic Republic.” Closed-circuit footage shared by the group shows a piece of heavy machinery on a steel production line malfunctioning and causing a fire. The company’s CEO said the attack was unsuccessful and that everything should return to normal by the end of the day. Other producers reported no damage or production issues.
According to CyberScoop, Predatory Sparrow has been heard from before, notably in the attack against Iran’s rail system in 2021, and Check Point has obtained samples from the most recent incident that link it to the earlier attack. The group presents itself as hacktivists opposed to the Islamic Republic, but very little is known about it.
Bumblebee rising.
The Threat Hunter Team has released a report on the Bumblebee loader. Bumblebee has quickly become a key component in a wide range of cyber-crime attacks and appears to have replaced a number of older loaders, which suggests that it is the work of established actors. The rapidity with which Bumblebee has achieved a central position in criminal-to-criminal (C2C) markets shows the extent to which the C2C market has come to resemble the functioning of legitimate markets. “Bumblebee’s links to a number of high-profile ransomware operations suggest that it is now at the epicenter of the cyber-crime environment,” the Threat Hunter Team concludes. Since it could be the pathway to several dangerous ransomware threats, any organization that discovers a Bumblebee infection on its network should treat it with high priority. The report includes a substantial list of indicators of compromise.
Dark Crystal RAT described.
The Dark Crystal RAT (DCRat) is being used by Russian operators to attack Windows systems in Ukraine. FortiGuard Labs has issued a description of how DCRat is being used. The exact infection vector is unknown, but it’s believed to be a form of phishing in which the victim is tricked into running a document with malicious macros. Data theft is a typical use of DCRat, but it can also be used to stage a wide range of other attacks, and the report concludes that the RAT can be tailored to the attacker’s needs by adding plug-ins. As the RAT focuses on data exfiltration, stolen data will likely be used as a stepping stone for further activities against affected organizations, which can lead to further damage, such as threat actors stealing personally identifiable information and confidential data. The targets of this attack are likely in Ukraine, and given the nature of the software, a foothold in a Ukrainian organization could cause long-term and unthinkable damage.
Influence operations in the interest of national market share.
Mandiant reports that China has been engaging in an influence operation directed at arousing popular protests against rare-earth mining companies in Australia, Canada, and the US. China has a significant national interest in the sector, which includes firms like Appia Rare Earths and USA Rare Earth. Mandiant discovered and named the campaign “Dragonbridge.” Its method is heavy use of inauthentic social media personae. “The campaign used inauthentic social media and forum accounts, including those posing as residents in Texas to feign concern over environmental and health issues surrounding the plant, including via posts to a public social media group that is likely to be receptive to that content,” Mandiant said in its report. Dragonbridge doesn’t seem to have been particularly effective, but Mandiant thinks the approach on display, particularly the microtargeting of the audience it seeks to reach, bears watching.
SOHO routers under attack.
Operators using the ZuoRAT remote access Trojan are actively attacking small office/home office (SOHO) routers, but they are after bigger fish: SOHO routers are an attractive point of entry into larger networks because of the remote work they now support. The shift to remote work spurred by the pandemic allowed a sophisticated adversary to subvert the traditional defense-in-depth posture of many established organizations. The capabilities demonstrated in this campaign include gaining access to SOHO devices of different makes and models, collecting host and LAN information to inform targeting, sampling and hijacking network communications to gain potentially persistent access to in-land devices, and intentionally stealthy C2 infrastructure that uses multistage, siloed router-to-router communications.
YTStealer discovered, out and active in the wild.
This morning, Intezer announced the discovery of a new piece of malware, YTStealer, whose only function is to steal authentication cookies from YouTube content creators. YTStealer harvests credentials for YouTube alone, not for any other service. If a browser’s database files are found in the user’s profile folder, it launches the browser in headless mode and adds a cookie to the cookie store. The malware uses a library called “Rod” to control the browser, navigates to the creator’s YouTube Studio page, collects information about the channel, and sends it to a command-and-control server. According to the website of a company called YouBot Solutions, the company provides unique solutions for getting and monetizing targeted traffic. YouBot’s red-eye logo can be found on aparat.com, an Iranian video-sharing website.
The researchers say that YTStealer is sold to other threat actors. They note that YTStealer is rarely the only piece of malware on an infected device: much of the software it is dropped alongside consists of pirated versions of video and image editing software and games. The researchers conclude that using only legitimate versions of software is a good way to keep better control over what happens on your computer. A summary of Intezer’s report appears in the Hacker News.
Most dangerous software weaknesses.
The Homeland Security Systems Engineering and Development Institute has released the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses. The Institute explains that the list shows the most common software weaknesses, which can lead to exploitable vulnerabilities that allow adversaries to take over a system, steal data, or prevent applications from working. The report includes mitigation recommendations for the weaknesses, and it’s those recommendations that CISA particularly commends.
Amunet as a case study in C2C market differentiation.
Digital Shadows on Thursday published an update on Amunet, an English-language cybercriminal forum. According to the researchers, Amunet plans to branch out as the year progresses. The planned launch of a “Leaks Circle” in March is described as a “project for visualization of leaked sources,” which the researchers have not been able to identify. Next comes a plan to launch the forum’s own coin in May 2022 (not yet seen on the forum as of June), along with a scheme for earning forum credits by sharing leaked databases. In July 2022, the forum is expected to add a “Leaks Detector” that checks for emails and corporate domains in leaked databases. The final stop on the roadmap is a “Time-Back-Machine,” which would return a couple of defunct hacking forums as snapshots for public observation.
According to the researchers, Amunet is unremarkable compared to other fora, but these intended upgrades could be enough to lure threat actors into using it. It’s an interesting perspective on how criminal groups try to differentiate themselves in the C2C market.
C2C commodification extends to script kiddies.
Teenagers are earning money in the criminal-to-criminal cyber underworld market, according to a study published by Avast. The malware family the researchers found had operators who spent a lot of time on Discord and had an odd set of interests. The criminal vendors offered some of the usual wares, but their hearts appeared to be elsewhere: they offered features like opening a web browser on Pornhub and stealing gaming accounts. It’s the puerile stuff you’d expect from teenagers. It’s a side hustle, done for pocket money and for lulz, but it’s still criminal.
Killnet hits Norwegian websites.
Killnet, operating again as the Cyber Spetsnaz, announced a campaign against Norway on its Telegram channel. The post led with a doctored photo of Norway’s Foreign Minister in which she’s called “Mrs. Error” and made up to look like a Disney character. The introductory text said, “All units to battle.” A list of Norwegian targets followed. According to the Barents Observer, the Russian complaint against Norway is that it isn’t allowing Russian goods to transit through the Russian port of Murmansk. It is similar to the Russian complaint against Lithuania, which prevented shipment of some goods to the non-contiguous province of Kaliningrad and attracted the attention of Killnet. Russian coal mining operations on the island are protected by a treaty. The AP reports that Norway’s ambassador to Moscow was summoned to the Russian Foreign Ministry to explain Norwegian policy after members of Russia’s parliament questioned Norway’s sovereignty.
The cyberattacks claimed by Killnet were distributed denial-of-service attacks. Norwegian authorities said the effects were limited and were mitigated after several sites were disrupted for hours. The attacks were blamed on a “criminal pro-Russian group,” and Norway’s National Security Authority (NSM) is looking into the group’s ties to the Russian government.
North Korea seems to have been behind the Harmony cryptocurrency heist.
According to The Wall Street Journal, North Korean state-sponsored threat actors appear to be responsible for the $100 million taken in last week’s theft from Harmony’s Horizon bridge. There is strong circumstantial evidence pointing to the Lazarus Group. The US Government sees such theft as a main source of funding for North Korea’s nuclear and missile programs, although it isn’t working out as well for Pyongyang as it once did: the Lazarus Group’s money-laundering efforts have been complicated by the current crash in the value of cryptocurrencies. Times are difficult all over.
MedusaLocker warning.
The US Cybersecurity and Infrastructure Security Agency, the FBI, the Department of the Treasury, and the Financial Crimes Enforcement Network have jointly warned that MedusaLocker operators are exploiting vulnerabilities in Remote Desktop Protocol to gain access to victims’ networks. MedusaLocker runs on an affiliate model in which the proprietors split their take with their affiliates: payments appear to be divided between the affiliates, who receive 55 to 60 percent, and the developers, who receive the rest.
Patch news.
The US Cybersecurity and Infrastructure Security Agency added eight vulnerabilities to its Known Exploited Vulnerabilities Catalog. Federal Civilian Executive Branch agencies must address them by July 18th, 2022.
- CVE-2022-29499, a Mitel MiVoice Connect Data Validation Vulnerability that “allows remote code execution due to incorrect data validation.”
- CVE-2021-30533, a Google Chromium Security Bypass Vulnerability. “Insufficient policy enforcement in the PopupBlocker for Chromium allows an attacker to remotely bypass security mechanisms. This vulnerability impacts web browsers using Chromium such as Chrome and Edge.”
- CVE-2021-4034, a Red Hat Polkit Out-of-Bounds Read and Write Vulnerability. “The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability which allows for privilege escalation with administrative rights.”
- CVE-2021-30983, an Apple iOS and iPadOS Buffer Overflow Vulnerability. “Apple iOS and iPadOS contain a buffer overflow vulnerability that could allow an application to execute code with kernel privileges.”
- CVE-2020-3837, Apple Multiple Products Memory Corruption Vulnerability. “Apple iOS, iPadOS, macOS, tvOS, and watchOS contain a memory corruption vulnerability that could allow an application to execute code with kernel privileges.”
- CVE-2020-9907, Apple Multiple Products Memory Corruption Vulnerability. “Apple iOS, iPadOS, and tvOS contain a memory corruption vulnerability that could allow an application to execute code with kernel privileges. Apply updates per vendor instructions.”
- CVE-2019-8605, Apple Multiple Products Use-After-Free Vulnerability. “A use-after-free vulnerability in Apple iOS, macOS, tvOS, and watchOS could allow a malicious application to execute code with system privileges.”
- CVE-2018-4344, Apple Multiple Products Memory Corruption Vulnerability. “Apple iOS, macOS, tvOS, and watchOS contain a memory corruption vulnerability which can allow for code execution.”
“Apply updates per vendor instructions” is the remedy in most cases. While the private sector in the US isn’t bound by BOD 22-01, it’s a good idea for all organizations to take a close look at their vulnerabilities.
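One way to act on the catalog additions above is to cross-check scanner findings against KEV entries and their due dates. The following is an added example, not CyberWire’s or CISA’s own tooling; it assumes the public catalog’s JSON layout (`vulnerabilities` records with `cveID`, `vendorProject`, `product`, `dueDate`, `requiredAction`) and uses a constructed sample built from three of the CVEs and the July 18, 2022 due date quoted above, plus constructed scanner output.

```python
"""Cross-check vulnerability-scanner findings against CISA KEV entries.

Added example. KEV_SAMPLE is constructed in the layout of the public KEV
JSON feed (not the live feed); SCAN_FINDINGS is constructed scanner output.
"""
import json
from datetime import date

# Constructed sample of KEV records using CVEs and the due date from the briefing.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2022-29499", "vendorProject": "Mitel", "product": "MiVoice Connect",
         "dueDate": "2022-07-18", "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2021-30533", "vendorProject": "Google", "product": "Chromium",
         "dueDate": "2022-07-18", "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2021-4034", "vendorProject": "Red Hat", "product": "Polkit",
         "dueDate": "2022-07-18", "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed scanner output: hostname -> CVE ids reported on that host.
# "CVE-0000-0000" is a placeholder for a finding that is not in KEV.
SCAN_FINDINGS = {
    "voip-gw-01": ["CVE-2022-29499", "CVE-0000-0000"],
    "build-box-07": ["CVE-2021-4034"],
    "kiosk-03": ["CVE-2021-30533"],
    "fileserver-02": [],
}


def load_kev(raw_json):
    """Index KEV records by CVE id for O(1) lookup."""
    catalog = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def kev_exposure(findings, kev, today):
    """Return (host, cve, due_date, overdue) for each finding that is in KEV.

    `today` may be a date or an ISO string. Overdue items sort first, then by
    due date and hostname, so the top of the list is the remediation queue.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for host, cves in findings.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # not a known-exploited vulnerability; normal triage applies
            due = entry["dueDate"]
            rows.append((host, cve, due, today > date.fromisoformat(due)))
    rows.sort(key=lambda r: (not r[3], r[2], r[0]))
    return rows


if __name__ == "__main__":
    for host, cve, due, overdue in kev_exposure(SCAN_FINDINGS, load_kev(KEV_SAMPLE), date.today()):
        print(f"{host:14} {cve:15} due {due} {'OVERDUE' if overdue else ''}")
```

Replacing `KEV_SAMPLE` with the downloaded catalog JSON and `SCAN_FINDINGS` with real scanner output gives the same overdue-first queue for BOD 22-01 tracking.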
Six industrial control system (ICS) security advisories were released by the US Cybersecurity and Infrastructure Security Agency on Tuesday.
- ABB e-Design (“mitigations for an Incorrect Default Permissions vulnerability in ABB e-Design engineering software”).
- Omron SYSMAC CS/CJ/CP Series and NJ/NX Series (“mitigations for Cleartext Transmission of Sensitive Information, Insufficient Verification of Data Authenticity, and Plaintext Storage of a Password vulnerabilities in Omron SYSMAC CS/CJ/CP Series and NJ/NX Series programmable logic controllers”).
- Advantech iView (“mitigations for a SQL Injection, Missing Authentication for Critical Function, Relative Path Traversal, and Command Injection vulnerabilities in Advantech iView management software”).
- Motorola Solutions MOSCAD IP and ACE IP Gateways (“mitigations for a missing authentication for critical function vulnerability in the Motorola Solutions MOSCAD IP and ACE IP Gateways products”).
- Motorola Solutions MDLC (“mitigations for Use of a Broken or Risky Cryptographic Algorithm, and Plaintext Storage of a Password vulnerabilities in the Motorola Solutions MDLC protocol parser”).
- Motorola Solutions ACE1000 (“mitigations for Use of Hard-coded Cryptographic Key, Use of Hard-coded Credentials, and Insufficient Verification of Data Authenticity vulnerabilities in the Motorola Solutions ACE1000 remote terminal unit”).
On Thursday, CISA released six more advisories.
- Exemys RME1 (“mitigations for an Improper Authentication vulnerability in the Exemys RME1 analog acquisition module”).
- Yokogawa Wide Area Communication Router (“mitigations for a Use of Insufficiently Random Values vulnerability in the Yokogawa Wide Area Communication Router”).
- Emerson DeltaV Distributed Control System (“mitigations for Missing Authentication for Critical Function, Use of Hard-coded Credentials, Insufficient Verification of Data Authenticity, and Use of a Broken or Risky Cryptographic Algorithm vulnerabilities in the Emerson DeltaV Distributed Control System software management platform”).
- Distributed Data Systems WebHMI (“mitigations for Cross-site Scripting, and OS Command Injection vulnerabilities in the Distributed Data Systems WebHMI SCADA system”).
- Mitsubishi Electric FA Engineering Software (Update A) (“[A] follow-up to the original advisory titled ICSA-21-350-05 Mitsubishi Electric FA Engineering Software that was published December 16, 2021, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for Out-of-bounds Read, and Integer Underflow vulnerabilities in Mitsubishi Electric’s FA Engineering Software products”).
- CODESYS Gateway Server (Update A) (“[A] follow-up to the original advisory titled ICSA-15-258-02 3S CODESYS Gateway Server Buffer overflow Vulnerability that was published September 15, 2015, on the ICS webpage at cisa.gov/ics. This advisory provides mitigation details for a Heap-based Buffer Overflow vulnerability in CODESYS Gateway Server products”).
Policies, procurements, and agency equities.
According to the Wall Street Journal, the US Department of Commerce added five Chinese companies to an export blacklist after they were found to be helping Russia’s military. Their addition to the entity list limits their access to US technology. The companies named include Connec Electronic, King Pai Technology Co., and a company identified as Logistics Inc. The Chinese Embassy in Washington, DC, said that China’s stance on the Ukrainian issue is clear: “We have not provided military assistance to the conflicting parties, as we have been playing a constructive role in promoting peace talks.”