Risky Biz News: China complains about US malware, five years later

In other news: Several top VPN apps were caught installing root certificates on user devices and a major Java crypto bug will give many defenders nightmares.

This newsletter is brought to you by Airlock Digital, Rumble Network Discovery, Proofpoint, and Thinkst Canary.

A Chinese government official has, once again, accused the US government of "irresponsible malicious cyber activities." Wang Wenbin, a spokesperson for the Chinese Ministry of Foreign Affairs, cited an alert sent by China's CERT team earlier this week that warned Chinese companies about possible uses of HIVE, a malware suite developed by the CIA.

The statement marks the third time in two months that Chinese officials have complained about US cyber-espionage tooling, after making similar statements about Bvp47 in February and NOPEN in March. Details about HIVE and NOPEN have been public since the 2017 Vault7 and Shadow Brokers leaks, respectively. Details about Bvp47 were shared earlier this year for the first time, but that research was also rooted in trawling the 2017 Shadow Brokers leak.

It is unclear why China is pearl-clutching about half-a-decade-old leaks, but its recent statements suggest officials are using the leaked tools to portray the US as an aggressor in Southeast Asia, maybe as a way to justify its own extensive cyber-espionage operations in the region.

Breaches and hacks

Flight delays: A cyberattack on Airline Choice, a provider of flight booking and departure solutions, is causing flight delays for some passengers and airlines. According to a report, some Sunwing passengers have been stranded and had flights delayed for days.

Attempted bank heist: A Sberbank exec said that at the beginning of the war, a Ukrainian application developer added code to their apps that attempted to steal money from Russian users' bank accounts. The bank said they stopped the attack, which at its peak reached tens of thousands of attempts per minute.

Mandiant access sale: On Thursday, a threat actor claimed to have gained access to the Mandiant threat intelligence portal on a recently launched cybercrime forum named Breached. The threat actor claimed to be able to provide access to the portal despite the presence of a 2FA solution.

Extorting book authors: A threat actor appears to have breached Litnet, a Russian portal that lets book authors publish and distribute their works online. The hack was discovered last week after the attacker emailed Litnet authors and demanded $125 (10,000 rubles) from each, threatening to otherwise publish their personal details online.

DDoS attacks in Estonia: Several Estonian government websites were hit by DDoS attacks on Thursday, April 21, 2022. According to local reports, the attacks "had little effect."

You have to be kidding me: A judge approved a settlement for the nearly 22 million customers affected by the December 2019 Wawa data breach. According to CBS, as part of the settlement, impacted customers will receive a meager $5 or $15 gift card, while those who suffered out-of-pocket losses will receive $500 cash. As a reminder, the breach exposed payment card information, which was later sold on underground carding forums.

General tech and privacy

VPN shenanigans: An AppEsteem investigation found that six popular VPN service providers installed root certificates on their customers' devices, exposing users to surveillance and MitM attacks. The six VPN providers are Surfshark, Atlas VPN, VyprVPN, VPN Proxy Master, Sumrando VPN, and Turbo VPN. A summary of the research is available on TechRadar.

Chrome extension security: Google said it plans to add a verified-like badge to established Chrome extension developers as a way to address some of the Chrome Web Store's problems; the store has been flooded in recent years with cheap and often malicious clones of more popular extensions.

Google tests "passkeys": 9to5Google has discovered that Google is testing a new feature called "passkeys" in one of its Android apps. Per the publication, passkeys are cryptographic keys synced to a user's device and Google account that will allow users to log in to online services without needing a password.

Google learns its lesson: Google rolled out a new cookie consent banner for YouTube France visitors after receiving a fine in the country and said it would soon deploy the same revamped popup for all its online services across Europe to ensure compliance with EU privacy directives.

Microsoft boo-boo: An error in Microsoft Defender's detection rules flagged the Google Chrome browser update tool as malicious, triggering widespread security alerts across the enterprise sector.

BIOS deprecation: The Fedora Linux distro team is currently debating deprecating support for BIOS-only systems. This would be done by blocking new Fedora installs on systems with BIOS-only support.

Tor facelift: ProtonMail has rolled out a new version of its Tor-based portal, with additional integrations for its Calendar and Drive products, as well as an easier sign-up flow for dark web users.

More attack surface: v86 of the Opera web browser was released this week, a version that also comes with a built-in cryptocurrency wallet.

Warrant for Metadata Act: Rep. Ted Lieu (D-Calif.) introduced a bill this week—named the Warrant for Metadata Act—that, if approved, would require US government agencies to first obtain a warrant before collecting any kind of metadata from Americans.

OffensiveCon and chill: Video recordings of the OffensiveCon 2022 security conference are now available on YouTube. The conference took place in Berlin, Germany, at the start of February and is exclusively dedicated to offensive security practitioners.

Government, politics, and policy

Five Eyes warning: The US, the UK, Canada, Australia, and New Zealand have issued a joint security advisory warning that "evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks" against western critical infrastructure as retaliation for the sanctions imposed on Russia after its invasion of Ukraine.

FBI warning for US agro sector: In tune with the Five Eyes warning, the FBI also published its own alert [PDF] about new ransomware attacks that may target the US agriculture sector. The alert cited the series of attacks that targeted farming cooperatives in the fall of 2021, such as the ones that hit NEW Cooperative, Crystal Valley, and Farmers Cooperative.

A DDoS shield around Russia: Roskomnadzor, Russia's telecommunications watchdog, announced plans to create a system to protect the Russian internet space against DDoS attacks, Forbes Russia reported. In addition, the agency also wants to increase the throughput of its deep packet inspection (DPI) equipment, which is installed across the country's ISPs to help government officials filter Russian internet traffic.

Update paranoia: After several open-source software developers added code to their projects to attack Russian and Belarusian users, Russia's NKTsKI cyber-security agency last month published guidelines on how to safely update software that relies on foreign open-source components. Last week, the agency published a similar guide for updating closed-source (western) software.

Cybercrime and threat intel

Apple Pay abused in the wild: Motherboard reported that cybercriminals had found a way to link stolen payment card details to their own Apple Pay account (or other contactless payment systems) and then go on spending sprees all over the world with funds stored on the stolen cards.

Spoofing credit unions (trend): Avanan has reported an uptick in the number of email spam and phishing campaigns that spoof credit unions, all with the goal of taking funds and credentials from end-users.

Conti lives on: Secureworks reports that members of the Conti ransomware gang (tracked by the company as GOLD ULRICK) have continued to operate despite the recent leaks of its tooling and internal chats.

Malware technical reports

New ransomware: SentinelLabs has published a report on Nokoyawa, a new ransomware strain that appeared in February 2022 and which the company described as an evolution of Karma, a variant of the Nemty ransomware. The report contradicts a Trend Micro analysis that categorized Nokoyawa as a rebrand of the Hive ransomware operation.

SunCrypt goodness: LIFARS has published a technical report on the SunCrypt ransomware.

Hive on the move: A recent Varonis report details a series of recent attacks where the Hive ransomware has been deployed via hacked Microsoft Exchange email servers.

FBI alert on AlphV/BlackCat: The FBI has also published a technical report on the AlphV/BlackCat ransomware. According to the Bureau, the ransomware strain was used to compromise and encrypt the data of at least 60 entities since it launched last year, in December 2021. The FBI also called on the private sector to share more info about other attacks carried out by the group, calling for more collaboration in tracking the AlphV squad.

New IoT botnet: In a report that fell through the cracks in March, China's CERT team has also published a technical breakdown of BlackMoon, a new IoT botnet used to carry out DDoS attacks. According to the Chinese cybersecurity agency, the botnet peaked at 210,000 infected devices in mid-February.

New Certishell malware: Antivirus vendor Avast has published a technical report on Certishell, a malware strain that is targeting Czech and Slovak users exclusively. Avast said the malware's creator is based in Slovakia and has been active since 2015. The malware contains modules for remote access, cryptomining, and even ransomware. Avast said Certishell is being distributed using cracks, keygens, and pirated software.

New LemonDuck report: CrowdStrike has published a new report on the LemonDuck cryptomining botnet, which is now targeting Docker systems. Past reports on this botnet have also been available from Microsoft [1, 2], Cisco Talos, Sophos, Guardicore, and Trend Micro.

APT vagueness

APT trends: Mandiant has published M-Trends 2022, its yearly report on threat and cybersecurity trends. The report highlighted growth in the number of Linux malware families, the increased targeting of virtualization environments with ransomware, and a reduction in the number of Chinese nation-state groups active throughout 2021, suggesting a narrower and more focused approach to their offensive operations. In addition, the report also highlighted that one-third of all hacker groups exploiting zero-days in 2021 were financially motivated criminals as opposed to government-backed cyberespionage groups, according to coverage by Patrick Howell O'Neill.

Vulnerabilities and bug bounty

Major Java crypto vulnerability: Neil Madden, a security architect at ForgeRock, has found a vulnerability in how the Java SDK implemented ECDSA signatures, a ubiquitous cryptographic algorithm. Madden said the bug could be used to bypass ECDSA signature checks in Java apps. In practice, this can be used to forge SSL certificates, SAML authentication assertions, signed JWT and OIDC tokens, and even WebAuthn authentication messages, allowing attackers to bypass security key checks. After learning of the issue last November, Oracle patched the issue, tracked as CVE-2022-21449, in the April 2022 security updates. Multiple proofs of concept are now available.
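The bug above is a useful reminder of what a correct ECDSA verifier must do before any curve arithmetic: FIPS 186-4 (section 6.4.2) requires the verifier to reject any signature whose r or s component falls outside the range 1 to n-1, where n is the curve order. The following is an added example, written for this newsletter and not code from Madden, ForgeRock or Oracle. It implements textbook ECDSA over NIST P-256 in plain Python integers (no external libraries) so that the range check is visible, signs a message with a constructed private key and a constructed, fixed nonce, and then shows that a valid signature verifies while the degenerate all-zero signature and out-of-range components are rejected. The key and nonce values are constructed for the demo only.

```python
import hashlib

# NIST P-256 domain parameters (FIPS 186-4, Appendix D.1.2.3).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

# Affine point arithmetic; None represents the point at infinity.
def _add(p1, p2):
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # P + (-P) = infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def _mul(k, point):
    """Double-and-add scalar multiplication (demo only, not constant-time)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result

def _hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def public_key(priv):
    return _mul(priv, G)

def sign(priv, msg, k):
    """Textbook ECDSA signing. The caller supplies the nonce k; a real
    signer must draw it unpredictably (or use RFC 6979), never reuse it."""
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (_hash_to_int(msg) + r * priv) % N
    return (r, s)

def verify(pub, msg, sig):
    """ECDSA verification with the mandatory range check in place."""
    r, s = sig
    # FIPS 186-4 section 6.4.2 step 1: reject r or s outside [1, n-1].
    # Skipping this is the root of CVE-2022-21449: without it the
    # degenerate signature (0, 0) could be accepted for any message.
    if not (1 <= r < N and 1 <= s < N):
        return False
    e = _hash_to_int(msg)
    w = pow(s, -1, N)
    point = _add(_mul(e * w % N, G), _mul(r * w % N, pub))
    if point is None:
        return False
    return point[0] % N == r

# Constructed demo values: NOT real keys, chosen only for reproducibility.
DEMO_PRIV = 0x1f2e3d4c5b6a79881726354453627181a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4
DEMO_NONCE = 0x0b1c2d3e4f5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0

def demo():
    """Returns the outcome of each verification case as a dict."""
    pub = public_key(DEMO_PRIV)
    msg = b"constructed message for the demo"
    sig = sign(DEMO_PRIV, msg, DEMO_NONCE)
    return {
        "valid": verify(pub, msg, sig),
        "tampered_message": verify(pub, msg + b"!", sig),
        "all_zero_signature": verify(pub, msg, (0, 0)),
        "r_equals_n": verify(pub, msg, (N, sig[1])),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

When auditing a verifier, the cases worth adding to its test suite are exactly the ones `demo()` exercises: a valid signature, a tampered message, the all-zero signature, and components equal to n or larger. Libraries that delegate to a well-tested ECDSA implementation do not need this code, but a test like the all-zero case is a cheap regression guard against a dependency that regresses the way the Java SDK did.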

Android audio bugs: Cybersecurity firm Check Point said chipset manufacturers Qualcomm and MediaTek used a vulnerable version of the Apple Lossless Audio Codec (ALAC) in their Android audio decoders. The vulnerable audio codecs allow remote code execution attacks against an estimated two-thirds of Android smartphone users, per the company's report. The vulnerabilities—collectively tracked as ALHACK—were fixed in December 2021, and Check Point said it plans to reveal more details in mid-May during the CanSecWest conference.

Still unpatched: SonarSource has published a report about a stored XSS vulnerability in the RainLoop open-source webmail client. At the time of writing, there was no official patch available.

Quick money: A hackathon held by bug bounty platform YesWeHack netted a security researcher €10,000 (US $10,890) overnight.