Risky Biz News: FSB-linked DDoS tool could also be used for disinformation campaigns

In other news: APTs heavily rely on public vulnerabilities; Conti shuts down and prepares for a rebrand; CISA warns of major VMWare bugs.

This newsletter is brought to you by Airlock Digital, Rumble Network Discovery, Proofpoint, and Thinkst Canary. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Back in March 2020, a hacktivist group calling itself Digital Revolution leaked data from a Russian IT company that they claimed was building offensive hacking tools for one of the FSB's internal departments, unit No. 64829, also known as the FSB Information Security Center.

The leak contained details about several projects ordered by the FSB, including a tool called Fronton, which at the time, security researchers described as an IoT botnet that could be used to carry out DDoS attacks.

But in a report published on Thursday, Nisos, a Virginia-based threat intelligence company, said that a day after the initial leak, the Digital Revolution group released additional documents about the Fronton tool that went under the radar all this time. Analysis of these files revealed that the Fronton project also contained a component that could function as a platform for social media disinformation campaigns.

"This system includes a web-based dashboard known as SANA that enables a user to formulate and deploy trending social media events en masse," the company said yesterday.

Nisos believes the name SANA possibly stands as an acronym for Соцсетный Аналитичесный Научный Аппарат, translated from Russian as "Social media Analytical Scientific Apparatus."

Per the company, the system includes features to schedule mass postings to online platforms using live or scheduled functionality built on top of a geographically distributed botnet.

Nisos said that after scanning the internet, it was able to find at least one instance of this tool deployed in the wild, but it couldn't determine if it was a test server or an instance used for actual disinformation operations.

[See additional coverage of the Nisos report in Cyberscoop.]

Breaches and hacks

Greenland, too: The Greenland government said this week that a cyberattack that took place on May 9 crippled the activity of its national health service. Government officials said they are in the process of restoring the agency's IT systems, but since the attack, doctors have not been able to access patients' medical records, and citizens haven't been able to contact the agency via email. Officials did not disclose the nature of the attack.

Texas DOI breach: The Texas Department of Insurance disclosed a data breach last week. Officials said that the data of more than 1.8 million Texans was exposed "due to a programming code error" for almost three years between March 2019 and January 2022.

NFT Discord hacks: Hackers compromised several Discord servers of popular NFT projects this week and tried to trick users into giving up cryptocurrency or buying fake NFTs, Motherboard reported.

Nikkei got ransomed: The Singapore division of the Nikkei media conglomerate was hit by ransomware on Thursday, the agency said.

General tech and privacy

Mozilla to continue supporting ad blockers: After Google announced in 2018 plans to create a new browser extensions API that would greatly diminish the power ad blockers have inside Chromium-based browsers, Mozilla announced plans this week to support this new API but also backward compatibility with the old one as a way to ensure its users have access to powerful and efficient ad-blocking technologies.

India doesn't budge on VPNs: Earlier this month, the Indian government passed a new cybersecurity law that included a clause to force all cloud and VPN providers active within its borders to keep records on the identities and IP addresses of Indian users. In statements made this week, the government said it wouldn't back down on the new requirement even after several cloud and VPN providers have threatened to stop providing services and pull out of India.

Government, politics, and policy

Disinformation Governance Board: Less than a month after establishing its Disinformation Governance Board, the DHS has paused its effort after the new agency was at the center of several disinformation efforts led by right-wing groups, the Washington Post reported. The backlash focused on accusations that the US government was trying to control free speech, but DHS officials said this was never the agency's purpose.

DOJ's new CFAA policy: The US Department of Justice also announced on Thursday a revision to how it prosecutes violations of the Computer Fraud and Abuse Act (CFAA), instructing prosecutors not to charge individuals who committed CFAA violations while conducting "good-faith security research." The new DOJ policy comes after rights groups and the cybersecurity industry have lobbied for changes to the CFAA for decades, arguing that its current wording stifles cybersecurity research and threatens national security [See publications from Rapid7, Stanford Law School, Harvard, the EFF, the US National Association of Criminal Defense Lawyers, and Brookings University].

ID.me inquiry: Three US senators have asked the FTC to investigate ID.me, a private company that was contracted to provide a selfie-based facial recognition login system for the IRS web portal. The senators believe the company made "deceptive statements" on how it would handle biometrics data it would have collected from Americans; before its solution was withdrawn following public backlash.

FTC crackdown: The US FTC announced its intention to crack down on companies that collect the personal details of children via online learning platforms. "Students must be able to do their schoolwork without surveillance by companies looking to harvest their data to pad their bottom line," said Samuel Levine, Director of the FTC's Bureau of Consumer Protection.

Funds recovery: The US Department of Justice said it recovered more than $15 million from Swiss bank accounts owned by the operators of the 3ve (Kovter) ad fraud operation.

Uninsurable: Cyberscoop is reporting that a growing number of US-based water companies are finding it harder to get cyber-insurance due to the large number of attacks targeting their industry and their poor cybersecurity practices.

More cyber-insurance analysis: The WSJ is reporting that many cyber-insurance providers have raised their rates throughout 2021 after a series of high-profile cybersecurity incidents and especially after the May 2021 Colonial Pipeline hack. Direct-written premiums in 2021 grew by 92% year-over-year, according to information submitted to the National Association of Insurance Commissioners.

Cybercrime and threat intel

Conti allegedly shuts down: The Conti ransomware group is apparently preparing to shutter its operations, according to a report from threat intelligence company AdvIntel. The company said that early on Thursday, the Conti administrators informed affiliates about plans to move on from the Conti brand and then shut down their internal Rocket instant messaging servers. Experts believe the group will rebrand and is just ditching the Conti name, which has seen several reputational hits on the cybercriminal underground after suffering several high-profile leaks in recent months and had its inner workings thoroughly documented by the cybersecurity community. For example, just earlier this week, security teams at Prodaft and IBM X-Force published reports on the gang's history and operational patterns based on the leaked materials.

How many K8s did you say?: The Shadowserver Foundation said that following a recent study, more than 381,000 of the total 450,000 Kubernetes API instances it identified had responded to its queries, meaning they were exposed on the internet and open to attacks.

ATM explosions: Europol has detained three suspects for allegedly orchestrating a series of attacks against ATMs in Germany. The group stole almost €1 million and was deemed highly dangerous as it used explosives to open or unhinge ATMs from building walls, putting the buildings at risk of collapse.

DarkFeed returns: After being threatened and forced by a ransomware operator to go offline, the DarkFeed ransomware monitoring service said it plans to return in a new format.

New Deadbolt ransomware attacks: Taiwanese IoT maker QNAP published a security alert on Thursday warning of a new wave of attacks using the Deadbolt ransomware against its network-attached storage (NAS) devices. The company said the attack targeted NAS devices using QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly the TS-x51 series and TS-x53 series.

Ransomware academic study: A recent academic study on the landscape of ransomware payments has found that the operators of RaaS (Ransomware-as-a-Service) portals are better at laundering their funds than the smaller commodity ransomware crews. According to researchers, RaaS operators are more strict in their laundering patterns and prefer bitcoin mixers or (now-sanctioned) cryptocurrency exchanges over exchanges that adhere to KYC/AML regulations, typically used by the smaller commodity ransomware crews.

Ransomware initial access trends: A recent report published by cybersecurity firm Group-IB has found that many ransomware gangs prefer to use vulnerabilities in unpatched network devices as the preferred way to gain access to victim networks. In addition, the same report found that the average ransom demand grew by 45% to reach $247,000/attack last year in 2021. [Coverage of the report in Bleeping Computer]

BlackByte: Cisco Talos has published a report on the BlackByte ransomware crew, which AdvIntel recently connected to the larger Conti operation.

KillNet: Threat analyst CyberKnow has a report out on the internal structure of the KillNet pro-Russian hacktivist group.

Phishing campaign uses chatbots: Security firm Trustwave said in a report published on Thursday that it discovered a novel phishing campaign that used automated chatbots to trick users into entering their personal and financial data in chat windows appearing on phishing sites. Previous phishing campaigns that relied on chat windows relied on a threat actor being on the other side to ask victims questions and didn't rely on automated chatbots.

Cytrox attribution: Google TAG has formally linked five zero-day vulnerabilities exploited last year to Cytrox, a surveillance kit provider based in North Macedonian. Four of the zero-days impacted Google Chrome, while a fifth was used to hack Android devices.

1.1 Tbps DDoS attack: DDoS mitigation provider Radware said it dealt with a massive 1.1 Tbps DDoS attack that targeted "one of the world's largest service providers." According to the company, the attack took place last week and lasted approximately 36 hours.

Malware technical reports

XORDDOS: Microsoft has published a technical report on XORDDOS, a strain of Linux malware that is being used to hijack servers and smart devices into DDoS botnets. Microsoft said that this malware, which has been around since late 2014, has had a recent spike in usage, with the company reporting a sudden 254% rise in activity.

GitLab server attacks: SentinelLabs said it detected a campaign that targeted Rust developers using a malicious library disguised as a popular Rust package. Researchers said this package contained malicious code that would look for a local GitLab CI build server installed on the developer's machine and, if found, it would download a Go-based backdoor to be used for future attacks. SentinelOne researchers said they suspect the threat actor was compromising systems in preparation for future supply chain attacks against software makers.

Emotet botnet: The Trend Micro team has published a technical report on the recent malspam campaigns carried out by the Emotet botnet since its return this winter.

Dridex: Palo Alto Networks has published a report on the recent infection chains used by the Dridex group.

Qbot: Red Canary has published its quarterly threat report this week, and the company says that for the first time, the Qbot operation was observed using Windows Installer (MSI) packages instead of malicious Microsoft Office macros.

APTs and cyber-espionage

Recent disinformation efforts: Mandiant has published an overview report of disinformation efforts centering around Russia's invasion of Ukraine. Threat actors involved in these campaigns include the likes of APT28, Secondary Infektion, Ghostwriter, Russia's IRA, Russian intelligence-linked media outlets, and Russian hacktivist groups Killnet, Xaknet, and RahDit. One of the most disturbing disinformation operations was one conducted by Belarusian group Ghostwriter, which tried to push narratives that Polish criminal groups were harvesting organs from Ukrainian refugees in an attempt to sow distrust between the two countries.

Russian intrusions: Mandiant told Bloomberg that it is currently responding to more than a dozen live intrusions by Russian foreign intelligence services aimed at diplomats, military computers, defense contractors, and other targets.

Twisted Panda: Check Point published a report on a threat actor it calls Twisted Panda that has recently targeted Russian state-owned defense institutes.

Space Pirates: Positive Technologies has published a report on an APT group it calls Space Pirates that's been targeting Russian companies from the aerospace field and companies from the energy sector in Russia, Georgia, and Mongolia. Researchers believe the group operates for the benefit of the Chinese government.

Lazarus attacks: AhnLab published a report about recent attacks from the Lazarus APT that are trying to exploit the Log4Shell vulnerability for initial access into targeted networks. AhnLab said that during successful attacks, the group would install the NukeSpeed backdoor on compromised systems.

APT academic paper: A recent paper published by a team of Italian academics has discovered that APT groups heavily rely on publicly-disclosed vulnerabilities to breach their victims rather than the use of zero-days. The study included data from 86 APTs and 350 campaigns carried out from 2008 to 2020. [Additional coverage in ThreatPost]

Vulnerabilities and bug bounty

DHS BOD: CISA has issued a rare emergency directive ordering federal agencies to patch a set of VMWare vulnerabilities disclosed last month that are now actively exploited in the wild. The two vulnerabilities are  CVE 2022-22954 and CVE 2022-22960. In addition, CISA has ordered federal agencies to patch two other VMWare vulnerabilities (CVE-2022-22972 and CVE-2022-22973) that the company disclosed yesterday and which the agency expects that threat actors will also weaponize in the future.

NSW driver's license forgeries: According to a report published this week by cybersecurity firm Dvuln, Australia's New South Wales government has yet to fix vulnerabilities dating back to 2019 that can be used to generate fraudulent digital driver's licenses.

Pwn2Own results: Results from the Pwn2Own 2022 hacking contest are being added to this live blog. The Microsoft Teams desktop app seems to be a favorite target this year.

Infosec industry

Pwnie Awards: Nominations for this year's Pwnie Awards are open!