Risky Biz News: Costa Rica declares national emergency after ransomware attack

This newsletter is brought to you by Airlock Digital, Rumble Network Discovery, Proofpoint, and Thinkst Canary. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

During his first cabinet meeting, Rodrigo Chaves, Costa Rica's newly elected president, declared a state of national emergency in light of a ransomware attack that hit government systems three weeks ago.

The attack hit the networks of several ministries, such as the Ministry of Finance, the Ministry of Work and Social Security, and the Ministry of Science, Innovation, Technology, and Telecommunications. For many days, the attack caused prolonged outages of government systems and web-facing platforms. The most severe damage was caused to the Ministry of Finance, which was unable to collect taxes and other payments.

The attack hit the Central American state right in the middle of its presidential transition, with former president Carlos Alvarado Quesada telling journalists on April 21 that the attack had destabilized the government in a period of transition.

However, despite the incident's impact, officials refused to give in to demands made by the Conti gang, which requested a payment of $10 million to provide a decryption key for affected systems. Instead, officials passed a decree mandating that all government bodies patch computer systems, change passwords, disable unnecessary ports, monitor network infrastructure, and report any security incidents to the local CERT team.

As for the Conti gang, the group has spent the past three weeks making multiple threats on their dark web portal, trying to put pressure on and scare Costa Rican officials, hoping for a change of heart and a payment for their "effort." Nonetheless—after his first day in office—it appears that Costa Rica's new president is just as set against paying the Conti crew as his predecessor, and the gang will most likely have to eat the loss.

But the attack on Costa Rica was not the only one that hit a LATAM country, Brett Callow, a threat analyst and ransomware expert at Emsisoft, told Risky Business News over the weekend.

"The US public sector has long been ransomware gangs' target of choice, but that may be changing. While attacks in countries like Costa Rica and Peru may not offer the same ROI, the increasing number of successes by US and European LEAs may make them seem like a safer choice," Callow told us, referring to the fact that many ransomware gangs may now be avoiding the US and Western Europe after a series of recent seizures, arrests, prison time sentences, and even bounties.

Breaches and hacks

AGCO attack: AGCO, one of the largest manufacturers of agricultural equipment in the US, was hit by ransomware on Friday. The company said the attack affected operations at some of its production facilities, and dealers said tractor sales had been stalled during the crucial planting season. The attack came on cue and only three weeks after the FBI published an alert [PDF] about ransomware gangs looking to disrupt the US agriculture sector during the spring planting season.

DNS attack: The Mad Meerkat Finance platform—or MM.Finance—said it lost $2 million worth of cryptocurrency last week. In a post-mortem, the company said it fell victim to a "DNS attack," but did not provide additional details about what exact type of DNS attack it suffered, except to say that it plans to remove two service providers from its infrastructure.

Government, politics, and policy

NATO cyber-hub vandalized: In an interview with The Record, Kersti Kaljulai, the former president of Estonia, said the NATO Cooperative Cyber Defence Centre of Excellence, the alliance's cyber hub, came under cyber-attack and even had an HQ wall vandalized with graffiti during the recent NATO Locked Shields exercise. Kaljulaid also said that she believes Cyber Command should ramp up "hunt forward" missions, engagement where CYBERCOM sends IT experts overseas to help foreign IT staff identify advanced nation-state adversaries in their networks.

UK sanctions Russian chipmakers: The UK government sanctioned on Friday Baikal Electronics and MCST (Moscow Center of SPARC Technologies), Russia's main chipmakers. The sanctions [PDF] mean the two companies can't license and call on foreign factories to produce their chips as both companies rent chip designs from Arm, a UK-based company. In light of the sanctions, Russian newspaper Kommersant reported that the two companies only have two options at their disposal—either to find a factory willing to break sanctions or redesign their chips on RISK-V, MIPS, or VLIW architectures, a process that will take at least two to three years and require up to 1 billion rubles.

China moves away from western tech: China has ordered central government agencies and state-backed corporations to replace foreign-branded personal computers with domestic alternatives within two years. Local authorities will have to replace more than 50 million computers, according to Bloomberg. The government's move comes after the US has sanctioned China's biggest PC maker, Huawei, and after government officials have constantly accused the US of spying on China, with the latest such accusations being slung at Washington on Friday when Foreign Ministry spokesperson Zhao Lijian said that "the US has for many years conducted mass, systematic, indiscriminate data and cyber theft across the world" and that the US spread disinformation China's hacking activity.

Colonial Pipeline to be fined: Officials from the US Department of Transportation's Pipeline and Hazardous Materials Safety Administration (PHMSA) said last week that they intend to fine Colonial Pipeline almost $1 million for IT security lapses that led to last year's major ransomware attack. The attack had a catastrophic outcome leading to gas and fuel outages on the US East Coast for days in May 2021.

US puts bounty on Conti gang: The US State Department has offered on Friday a reward of up to $10 million for information on leaders of the Conti ransomware gang and an additional $5 million for info that can lead to the arrest of Conti affiliate members. The bounty is similar to the one that State Department officials placed last year on the Darkside and REvil groups.

First-ever US sanctions on cryptocurrency mixer: The US Treasury sanctioned on Friday the company that operates Blender.io, the first-ever sanctions imposed on a cryptocurrency mixing service. According to US officials, the service was used by North Korean state hackers to launder some of the funds stolen during the Ronin Network hack at the end of March. The service went down soon after the sanctions were announced.

Cybercrime and threat intel

Arrests in Ukraine: Ukraine's Cyber Police said it detained a 29-year-old who was a member of a hacking group that bought browser cookies from the dark web to hijack foreign bank accounts.

CaramelCorp: The team at DomainTools has published a report on Caramel, a new web-based JavaScript skimmer sold by a cybercrime group calling itself CaramelCorp. According to researchers, the skimmer costs $2,000 and is sold only after a vetting process, as a precaution from its creators to ensure it only goes into the hands of people who know how to use it and reduce the chances of being detected by security companies.

Facebook botnet: Qurium, a foundation that helps host websites for independent media outlets, said last week that it mitigated a DDoS attack against Bulatlat, a local Philippine news portal. The organization said the DDoS attack was carried out by a botnet of hacked Facebook accounts, mostly belonging to Vietnamese users.

Malware technical reports

BLISTER loader: Elastic's security team has published a report about BLISTER, a malware loader that has been used since last year as an initial infection point in malware campaigns that have often ended in clipbankers, information stealers, trojans, and even ransomware. The team also released a Python script to extract the configuration and payload from BLISTER samples.

BlueStealer: Something we missed last week was Minerva's write-up on the BlueStealer malware, a basic but popular malware loader.

BPFDoor: Starting from a PwC report, Kevin Beaumont has put together several IoCs related to BPFDoor, a Linux-based backdoor used by a Chinese APT known as Red Menshen.

JesterStealer: Ukraine's CERT team has published a report on JesterStealer, a malware strain mass-distributed via emails in Ukraine using lures of a "chemical attack."

Vulnerabilities and bug bounty

KO attacks: A team of academics has published a report on a new type of vulnerability in OpenPGP-based email encryption tools. Named Key Overwriting (KO) attacks, academics said that if an encrypted private key or its metadata is exposed in an unsafe medium, they can corrupt it in such a way that secret data might be leaked when the key is used. All types of email encryption keys are vulnerable, but "ECDSA, EdDSA, ECDH, DSA and ElGamal keys are generally easier to target than RSA ones," the researchers said. Vulnerable encryption technology includes the like of GnuPG, OpenPGP.js, gopenpgp, Sequoia, RNP, and even services like ProtonMail and FlowCrypt.

RubyGems bug: The team behind the RubyGems package repository for Ruby code has fixed a vulnerability, tracked as CVE-2022-29176, that could have allowed threat actors to remove legitimate packages and publish malicious replacements in their place.