Risky Biz News: Ransom campaign hits cloud servers

In other news: Iranians also targeted the Harris campaign; Germany wants to limit Windows kernel access; 2024 set to be highest-grossing year for ransomware.


This newsletter is brought to you by Corelight. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

A threat actor is hacking and extorting companies that have misconfigured their cloud server infrastructure.

The data extortion campaign has been taking place since earlier this year and involves a large-scale scan of the internet for companies that have exposed their environment variable files.

Also known as .ENV files, they act as a centralized location where multiple software solutions store their configuration data.

Security firm Palo Alto Networks says the attacker has been scanning the internet for ENV files, extracting login credentials, and accessing cloud servers.

The attacker has allegedly scanned more than 230 million unique servers and successfully retrieved 90,000 environment variables—with around 7,000 of these being access keys associated with cloud services.

PAN researchers say that in some cases, the attacker accessed cloud servers, exfiltrated data, deleted the original files, and then asked for a ransom to return the stolen documents.

Because negotiations were handled via a private channel, researchers are unable to determine if any company has paid the attackers.

The campaign follows a similar pattern seen in the mid-2010s when multiple threat actors started scanning the internet for misconfigured databases such as MongoDB, Elasticsearch, Redis, and Apache Cassandra. Attackers stole or deleted data and then asked for ransoms from the beleaguered companies, many of which did not see their data back.

Palo Alto Networks did not reveal the number of victims, but the main lesson here is that while some individual cloud services and software may now use secure defaults to prevent unauthorized remote access, these won't work when the attackers are using legit access credentials.

Oh, and secure your ENV files, you goofballs! That's not the stuff you want to be putting on the internet.


Breaches, hacks, and security incidents

Enzo Biochem settlement: Bio-tech company Enzo Biochem will pay $4.5 million to settle regulatory charges related to an April 2023 ransomware attack that exposed the personal data of 2.4 million patients. The sum will be divvied out to patients in Connecticut, New York, and New Jersey. Attorneys General from the three states sued the company for its lax security protocols. Officials said hackers breached Enzo Biochem after getting hold of login credentials shared by multiple employees that had not been changed for more than a decade.

AutoCanada hack: Car dealership AutoCanada has been hit by hackers over the past weekend. The company says it shut down systems after a breach of its internal IT systems on Sunday. AutoCanada says it expects the attack to cause disruptions to its operations until systems are restored. The company is now the second North American car dealership to deal with a major cyber attack after CDK Global was hit by ransomware in June.

Iran denies Central Bank hack: The Iranian government has denied that hackers broke into the country's Central Bank systems and stole information on all account holders. The hack was initially reported by Iran International in a two-sentence article with no other details.

Vow crypto-heist: A threat actor has stolen $1.2 million worth of assets from the Vow cryptocurrency project. Vow says the attacker exploited a recent change in its conversion rate to receive 100 times the funds they were entitled to. The project is looking at ways to recover the funds.

Holograph hack arrests: Italian police have detained two suspects believed to have stolen $14.4 million from cryptocurrency platform Holograph. The company filed a complaint with French authorities after getting hacked in June. Holograph's token lost 80% of its market value after the incident. The two suspects are set to be extradited to France to face charges for their crimes. [Additional coverage in CoinSpeaker]

Washington Times ransomware attack: The Rhysida ransomware gang claims it hacked right-wing news outlet the Washington Times. The group claims it has stolen sensitive employee data and has given the site a week to pay a ransom. The group is asking for 15 Bitcoin—$300,000. The news outlet has not confirmed the hack. [Additional coverage in the Daily Dot]

General tech and privacy

Kim Dotcom extradition: New Zealand's Justice Minister has signed off on the extradition to the US of Kim Dotcom, the founder of the Megaupload file-sharing site. The FBI has been seeking Dotcom's extradition since 2012. He is wanted in the US for piracy and copyright infringement-related crimes. [Additional coverage in The Guardian]

Texas sues GM over car privacy: The Texas Attorney General has sued General Motors for illegally collecting and selling drivers' data to insurance companies. Texas officials say the carmaker used technology baked into its cars and misleading dark patterns to trick car owners into giving consent to having their data collected and sold to third parties. This data was later used to create "Driving Scores" that helped car insurers charge larger fees. GM is the first car manufacturer to be hit with a lawsuit for selling driver data. The Texas OAG says it is also investigating other carmakers for the same practice.

Astra Linux says "chill": Russian OS maker Astra Linux has told users to relax after an American think tank called on the research community to start analyzing how the OS works and how it's being used inside Russia.

Government, politics, and policy

FBI warns Harris campaign of info-op: The FBI has told the Harris presidential campaign it was the target of a foreign actor's influence operation. Neither the FBI nor the Harris campaign has revealed details about the foreign actor. A Recorded Future report published this week claims that Russia, China, Iran, and American extremist groups are all running active influence operations targeting the US presidential election. [Additional coverage in Reuters]

BSI wants to limit kernel access: Germany's cybersecurity agency wants to block cybersecurity tools from accessing the Windows kernel. The Federal Office for Information Security (BSI) is exploring the idea after a CrowdStrike update temporarily bricked 8.5 million Windows systems across the globe at the end of July. Microsoft can't limit security tools from accessing the Windows kernel due to an agreement with European antitrust regulators. The BSI is planning a conference later this year with major tech firms, where it hopes they will commit to restricting access to the kernel in a way that satisfies the antitrust ruling. [Additional coverage in the WSJ]

Smartphone security label: Germany's cybersecurity agency wants to introduce a cybersecurity labeling scheme for smartphones and mobile devices. The label would be designed to provide easy-to-understand information about a mobile device's security features. The smartphone labeling scheme would follow a similar scheme German authorities have set up for routers and IoT devices.

India orders spam-call crackdown: India's telecom watchdog has ordered service providers to take measures to block unwanted spam and promotional calls from unregistered telemarketing numbers. Providers are required to create blocklists and share blocked numbers with each other no more than 24 hours after a number has been banned. Providers that fail to comply with the new rules risk getting disconnected from the national network for up to two years. [Additional coverage in Yahoo News/ Read full TRAI order/PDF]

In this Risky Business News sponsored interview, Tom Uren talks to Brian Dye, CEO of Corelight, about a string of recent CISA advisories. These advisories address specific technical issues, but when examined together, Brian says there is an underlying message about addressing security holistically.

Cybercrime and threat intel

Slilpp seller sentenced: A judge has sentenced a Russian national to 40 months in prison for selling stolen financial data and login credentials on an underground forum known as Slilpp. Officials say Georgy Kavzharadze was one of the site's most prolific vendors, going by the name of TeRorPP. He allegedly made over $1.2 million for selling stolen data and credentials on the site. The FBI tracked down Kavzharadze after it seized Slilpp in June 2021. He's been in custody since May 2022.

FIN7: Team Cymru looks at FIN7's new server infrastructure since its big-time return to the malspam scene this year.

TWELVE returns: Kaspersky researchers say that a pro-Ukrainian hacking group known as TWELVE has returned with new attacks against Russian organizations. The group launched in April of last year but ceased activity after its Telegram channel was suspended at the start of 2024. Kaspersky says it has now detected the group's attack patterns in recent intrusions that took place in June. New evidence also suggests the group is sharing infrastructure with another threat actor known as DARKSTAR. Also known as Shadow or Comet, this group is also known for attacking Russian companies with ransomware.

Olympic Games attack infrastructure: BforeAI researchers have published a list of IOCs used in attacks designed to exploit the recent Paris Olympic Games.

Twitter DDoS attack: Chinese security firm QiAnXin says that it detected one of the Mirai botnet variants launching a DDoS attack on Twitter during the Musk-Trump live interview. Sources inside Twitter claimed Musk was lying and that there was no DDoS attack.

Peregrine Technologies profile: Forbes has published a profile on Peregrine Technologies, a startup founded by a former Palantir exec that sells surveillance tools to police forces.

"They used that experience to inform the development of what is essentially a super-powered Google for police data. Enter a name or address into its web-based app, and Peregrine quickly scans court records, arrest reports, police interviews, body cam footage transcripts — any police dataset imaginable — for a match. It's taken data siloed across an array of older, slower systems, and made it accessible in a simple, speedy app that can be operated from a web browser."

Malware technical reports

Gafgyt botnet: AquaSec researchers have spotted a Gafgyt botnet variant that targets machines with weak SSH passwords in order to deploy a crypto-miner specialized in GPU mining. AquaSec says the botnet appears to be targeting cloud servers with access to high-end resources rather than the IoT equipment it usually infects.

EDRKillShifter: The RansomHub ransomware gang is using a new tool named EDRKillShifter to disable EDR products on compromised networks before launching their attacks.

Prestashop skimmer: Sucuri researchers look at a web skimmer strain they found planted on e-commerce sites running on the Prestashop CMS.

Tusk campaigns: Kaspersky has published a report on three infostealer campaigns the company is tracking as Tusk. These campaigns use multiple steps to infect both Windows and macOS users with infostealers. There are also clues other sub-campaigns may be dormant and ready to go soon.

ValleyRAT: Fortinet researchers have taken a look at a recent campaign spreading the ValleyRAT malware.

Banshee: Elastic's security team looks at Banshee, a new macOS infostealer that goes after browser data and crypto-wallets. The infostealer popped up on malware markets this month and is being sold for $3,000/month, which is quite a pricey tag for a silly stealer.

Mint Stealer: Security researcher Rakesh Krishnan has published a deep dive into Mint Stealer, an infostealer that's been around for two years now and still going strong despite the crowded space on the stealer market.

James Pope, Corelight's Director of Technical Marketing Engineering, demonstrates the company's Open NDR Platform and how it combines network detections with a whole host of other data sources.

APTs, cyber-espionage, and info-ops

Meta disinfo ops: Meta has published its Adversarial Threat Report for the second quarter of the year. The report covers disinfo operations between April and June. As always, Russia was "the number one source" for disinfo ops on Meta sites. Half the report [PDF] is just Russian ops, and Meta says it is seeing an increased number of for-hire companies running disinformation and influence operations on behalf of the Russian government. These private contractors lack the sophistication of Russian security agencies and usually run low-quality and high-volume campaigns centered around Russia's war. Meta says contractors struggle to engage authentic audiences and are often called out as trolls by its normal users. The social media giant expects more private companies to join the disinformation-for-hire scene as Russia's info-op needs grow in the coming months.

Russian spear-phishing campaigns: Two Russian state-sponsored groups have launched spear-phishing campaigns targeting Western and Russian civil society members. The attacks were discovered by security researchers from AccessNow and CitizenLab. The malicious emails have targeted Russian and Belarusian nonprofit organizations, Russian independent media, international NGOs active in Eastern Europe, and the former US Ambassador to Ukraine. CitizenLab linked one of the campaigns to a group known as ColdRiver and Calisto, linked to Russia's FSB intelligence service. The second campaign was the work of a new group that's been named ColdWastrel, also believed to be linked to the Russian government.

Doppelganger surveillance: German government officials have formally confirmed the Russian origins of the Doppelganger disinformation group after they gained access to and surveilled one of the group's web servers for days. Officials took control of the server in mid-July after reports from Correctiv and the Qurium Foundation exposed the group's server infrastructure and network of EU companies supporting their work. They say the server backend and logs contained connections from Russian IPs, the wide use of the Cyrillic alphabet, and usage patterns associated with Russian timezones and holidays. [Additional coverage in Correctiv/ Full BLfV report/PDF]

APT42: The Iranian hackers who breached the Trump campaign earlier this year have also targeted the Harris camp. The phishing campaigns took place in May and June this year. Google tracks the group as APT42 and says the threat actor has a long history of going after high-ranking government officials in both the US and Israel.

APT35's Cyclops: Harfang Labs has published a report on Cyclops, a new malware platform written in Go and used in the wild by the APT35 (Charming Kitten) Iranian APT. Harfang says Cyclops appears to have replaced the BellaCiao platform in the group's operations. Work on the malware started in December 2023 and focuses on backdoor-like capabilities.

Green Cicada: Security firm CyberCX has identified a network of at least 5,000 Twitter accounts involved in a large-scale disinformation campaign. The Green Cicada network is one of the largest Twitter disinformation efforts ever discovered. It has been active since late last year and predominantly engages with US political and cultural issues. Researchers say the Green Cicada accounts appear to be controlled by an AI large language model system. CyberCX has found clues to link the network to Chinese AI company Zhipu AI and an AI researcher affiliated with Tsinghua University in Beijing.

Vulnerabilities, security research, and bug bounty

Windows zero-click RCE: As people go through the Patch Tuesday updates and researchers take credit for their work, it looks like Microsoft fixed a major vulnerability in Windows this week. It's a 9.8/10 zero-click RCE that can be exploited on all Windows systems where IPv6 is enabled—obviously via IPv6 packets. Credit goes to Xiao Wei from KunlunLab. Tracked as CVE-2024-38063.

Copy2Pwn: ZDI has published a write-up on Copy2Pwn (CVE-2024-38213), one of the six zero-days that Microsoft patched this week. The zero-day was used by the DarkGate malware gang in campaigns this year.

"This exploit, which we've named copy2pwn, results in a file from a WebDAV share being copied locally without Mark-of-the-Web protections."

Substack worm: Security firm Calif says it helped Substack patch a wormable XSS bug that could have been used for a MySpace-like attack against the site's users.

Matrix leaves vulnerabilities unpatched: Security researcher Soatok Dreamseeker has published details about three bugs in the Matrix Libolm library. The researcher says the Matrix project chose to retire the library rather than fix the reported issues.

Android Showcase app: Security firm iVerify has found that an app preinstalled on millions of Google Pixel devices sold since 2017 is vulnerable and exposes users to attacks. iVerify says an app named Showcase.apk has extensive system privileges that can allow traffic interception, code injection, and remote code execution attacks. Google says it plans to remove the app in a future Pixel update.

SolarWinds exploitation: CISA says that threat actors are exploiting a recently patched vulnerability in SolarWinds Web Help Desk servers. The vulnerability was classified as under exploitation a day after a patch was made available. The bug has a severity score of 9.8 out of 10, allows remote attackers to take over servers without needing to authenticate, and impacts all Web Help Desk versions. The core issue has been identified as another Java data deserialization bug. [h/t ScreamingGoat]

Unfixed Azure Pass-through Authentication bypass: Microsoft has declined to patch a bypass in Azure AD's Pass-through Authentication scheme discovered by Cymulate researchers. PoC available.

UDL files for phishing: TrustedSec researchers have described a theoretical technique (for now) for using UDL files to hide malicious OLE code and bypass email security filters. The technique is ideal for phishing operations and will likely get exploited in the wild.

MITRE reaches 400 CNAs: Cloud security firm Wiz has become the 400th registered CNA with MITRE. Unfortunately, with more organizations issuing CVEs, this is bad news for that NIST backlog, which has yet to be addressed. According to Socket Security, the number of CVEs awaiting analysis has increased by 30% since June.

Infosec industry

Acquisition news: Digicert has acquired DNS and cloud provider Vercara.

Cisco layoffs: American tech giant Cisco will cut around 7% of its workforce (~5,500) as it refocuses on security, cloud, and AI. [Additional coverage in the San Francisco Gate]

Threat/trend reports: Abnormal Security, Chainalysis, Palo Alto Networks, Radware, Resilience, and Zayo have recently published reports covering infosec industry threats and trends. A summary of the Resilience report:

Around 40% of all cyber insurance claims filed this year were caused by a failure at a third-party vendor. Cyber risk company Resilience says that vendor-driven claims are the fastest-growing area of claims in its portfolio. The company warns that over-reliance on a small number of ubiquitous software vendors is creating huge opportunities for threat actors, especially ransomware gangs.

From the Chainalysis report:

"2024 is set to be the highest-grossing year yet for ransomware payments, due in no small part to strains carrying out fewer high-profile attacks, but collecting large payments (known in the industry as "big game hunting"). 2024 has seen the largest ransomware payment ever recorded at approximately $75 million to the Dark Angels ransomware group. The median ransom payment to the most severe ransomware strains has spiked from just under $200,000 in early 2023 to $1.5 million in mid-June 2024."

New tool—Surveillance Watch: Privacy advocate Esra'a Al Shafei has launched Surveillance Watch, a directory with all the known spyware and surveillance peddlers.

New tool—Draytek Arsenal: Two security researchers at Faraday have open-sourced Draytek Arsenal, a tool to reverse engineer Draytek firewalls. The tool was presented at DEF CON.

New tool—SnafflerParser: Pen-tester zh54321 has released SnafflerParser, a tool that beautifies the outputs of pen-testing tool Snaffler.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq discuss what it would mean to be in a golden age of OSINT and whether we are in one.

In this discussion, Tom Uren and Patrick Gray talk about a US government policy initiative to cover cyber insurance gaps while also improving security across the economy. Lofty goals, but Tom wonders if it is a difficult way to address security gaps.

The Risky Business team has recently started publishing video versions of our podcasts. Below is the main weekly show, with Pat and Adam at the wheel!