Risky Biz News: UK government confirms NCF offensive cyber operations

This newsletter is brought to you by Airlock Digital, Proofpoint, runZero, and Thinkst Canary. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

The UK government has formally confirmed for the first time that its National Cyber Force (NCF) agency is active and has conducted offensive operations in the real world.

Formally established in 2020, the NCF is a joint agency between the UK's Ministry of Defence and its main intelligence agency, the GCHQ. Its main role is "operating in and through cyberspace," but since its inception, the UK government has never shared any details about how the agency works and what it actually does.

In a press release this week, with the caveat that "the NCF's work is covert," UK officials have shared some general details of what the agency has been doing for the past three years.

According to the UK government, past NFC offensive cyber operations disrupted terrorist groups, protected military deployments overseas, and removed child sexual abuse material from the public internet.

Other operations countered foreign state-orchestrated disinformation campaigns and prevented external interference in the UK's democratic elections.

The agency also countered sophisticated, stealthy and continuous cyber threats, but officials didn't say if this was against state-level or cybercrime adversaries.

Officials reiterated that the NCF's operations followed domestic and international law, and the agency acted responsibly in cyberspace.

As part of their commitment to (some sort of) transparency, the UK government published a document detailing the guidelines and doctrine behind National Cyber Force operations.

Titled "Responsible Cyber Power in Practice," the document describes the principles of responsible behavior in cyberspace that the agency follows. Per the document, the NCF says its operations are conducted based on a legal framework, operations are designed to be timed and targeted with precision, and their impact is carefully assessed for both escalation and de-escalation.

"In outlining its current thinking, the NCF aims to promote constructive debate and contribute to demonstrating the UK's commitment to being a responsible cyber power. It may also potentially contribute to deterrence."

Breaches and hacks

WD breach: American data storage company Western Digital says hackers gained access and stole data from some of its internal systems. The incident took place on March 26, the company said in a statement. Western Digital says it shut down the affected system and is working with a security vendor to investigate the breach and restore the affected systems. Some of the company's cloud systems were down over the weekend as a result of the attack.

eFile compromise: The website of eFile.com, an IRS-authorised service for filing tax returns, has been compromised and used to deliver malware to visitors. According to researchers from the ISC SANS, the website was modified with a malicious JavaScript file that prompted users to update their browsers. These updates would download malicious Windows executables—labeled as trojans by the file-scanning service VirusTotal.

KNVB hack: The Dutch football (soccer) federation says that hackers have breached its servers and stolen the personal information of its employees. The incident took place on Saturday. The KNVB says it reported the breach to the Dutch Data Protection Agency.

Crypto-bot hacked: A threat actor has attacked and stolen cryptocurrency assets from multiple automated MEV (maximal extractable value) bots running on the Ethereum network. The exact sum of stolen funds is still being calculated, but the attacker stole $20 million just from one single bot. The attack was carried out via a malicious Ethereum validator, according to several blockchain security firms.

Allbridge crypto-heist: The Allbridge cryptocurrency platform was hacked for $570,000 worth of cryptocurrency assets over the past weekend. The attacker returned $465,000 to the project on Monday after the company promised to look the other way and consider the rest of the funds a "white-hat bounty." That's the cryptocurrency landscape in a nutshell, ladies and gentlemen! [More coverage in CoinTelegraph]

Russian blogger hacked: Pro-Ukraine hacktivist group CyberResistence hacked the AliExpress account of Russian military blogger Mykhayl Luchin, known for a campaign of raising funds to acquire drones for the Russian military in Ukraine. The hackers claim they used a payment card linked to the AliExpress account to buy $25,000 worth of dildos from AliExpress.

Musk scam aftermath: A Florida school principal resigned last month after writing a $100,000 check to an internet scammer posing as Elon Musk's right-hand man. According to WESH, the school's staff warned the principal four months before that the person she was talking to was a scammer. Fortunately for the school—Burns Science and Technology Charter in Oak Hill—the institution's business manager got wind of the transaction and stopped the check before it cleared.

Euler hacker returns more funds: The Euler hacker has returned another $31 million worth of assets. To date, the hacker has returned $177 million of the $197 million assets they stole from the platform, approximately 90% of the stolen funds. Since the hacker returned so much of the funds, Euler has canceled the $1 million bounty they put on the hacker's head. [Additional coverage in CryptoNews]

General tech and privacy

Mullvad Browser: The Mullvad VPN service and the Tor Project have released a new browser named the Mullvad Browser. The browser is built on Firefox and integrates all the privacy features of the Tor Browser—minus the Tor network integration. This includes strong anti-fingerprinting protections, the blocking of third-party trackers, private browsing by default, and no hidden telemetry collection. The browser is available for Windows, macOS, and Linux.

Google Drive limit: Google confirmed last week it put a limit of 5 million maximum files per Google Drive account—even for paid ones—and told no one. Plenty of users are now complaining on Reddit they can't use the service they paid for.

Cross-site cookie blocking standard: All major browser makers have announced plans to block the use of cross-site cookies. Work is now underway on a standard to align browser behavior for the treatment of SameSite=None cookies.

Twitter's state media and the algorithm: VoA journalist Wenhao Ma reports that Twitter is no longer limiting the influence of Chinese state media accounts on the platform, a development that goes against Twitter's own policy. Tweets from accounts with a "Chinese state-affiliated media" label are now appearing to users in their "For you" timelines, something that wasn't the case before.

Twitter algorithm open to manipulation: Researchers have found a way to game the Twitter algorithm and have accounts silenced on the platform. The process involves getting multiple users to block, unfollow, mute, and spam-report an account. Apparently, this is so bad it got a CVE identifier as CVE-2023-29218.

TikTok fined in the UK: The UK's privacy watchdog, the ICO, has fined TikTok £12.7 million for misusing children's personal data. The ICO says TikTok collected the personal data of children under the age of 13 without parental consent.

Enter Uniview: IPVM reporters have discovered another Chinese security camera vendor that is supplying the Chinese government with surveillance tools and ethnic profiling capabilities in the Xinjiang and Tibet regions. Named Uniview, the company has been linked to hundreds of projects across China, has allegedly created Uyghur tracking software, and co-authored government standards on ethnicity detection technology. Uniview joins the ranks of Dahua, Hikvision, and Tiandy—other Chinese companies that have helped Chinese officials with tracking and oppressing ethnic minorities.

Government, politics, and policy

US contracted NSO just before ban: A US government agency used a shell company to acquire access to an NSO Group surveillance tool just days before the Biden administration sanctioned the company in November 2021. The contracted tool, named Landmark, allows operators to covertly track mobile phones around the world without the phone user's knowledge or consent. The shell company through which the tool was contracted is the same company through which the FBI previously tested NSO products in the past. [More in the New York Times]

Australia bans TikTok on govt devices: The Australian government has banned the use of the TikTok app on official government devices. With the recent ban, all members of the Five Eyes intelligence-sharing alliance have now formally banned the app on government devices.

NATO, too: Similarly, NATO has also banned staffers from downloading the app on their work, NATO-provided devices. In both cases, officials cited fear of Chinese spying and surveillance.

NATO looking for contractors: NATO is looking for cybersecurity contractors to assess the security posture of its web assets. Interested parties have until April 25 to submit their applications to the US Department of Commerce, which oversees the approval process. [Additional coverage in SecurityWeek]

BSI uses Huawei devices: Germany's intelligence agency, the BSI, has confirmed it uses Huawei devices for its internal network. Kind of a bad look for an agency tasked with preventing Chinese foreign influence and spying.

Germany starts looking at Twitter: The German government has initiated procedures to fine Twitter for failing to remove illegal content in a timely manner. The Federal Office of Justice (BfJ) says it received numerous complaints from users about Twitter's lackadaisical response.

Risky Business Demo

In this Risky Business demo, Tines CEO and co-founder Eoin Hinchy shows off the Tines no-code automation platform to host Patrick Gray.

Cybercrime and threat intel

Genesis Market takedown: Law enforcement agencies have shut down Genesis Market, an infamous underground portal where threat actors sold and bought login credentials and authentication cookies. The portal has been live since at least 2019, with a presence on both the clear and dark web, prior to being taken down this week. Over the years, Genesis established itself as the go-to destination where threat actors could acquire credentials to breach government networks and large corporations alike. Credentials and cookies listed on the site were linked to various infostealer malware strains, with the vast majority coming from AZORult. [Additional coverage in The Record]

Alcasec detained: Spanish authorities have detained a 19-year-old hacker going by the name of Alcasec. The teen, identified as José Luis Huertas, is accused of hacking into multiple government agencies, including the country's tax administration and judiciary service. Officials say Alcasec used data from the hacked databases to create a service named "The Eye of Horus" that allowed other threat actors to query the personal data of Spanish citizens. In YouTube videos advertising his tool, Alcasec claims the Eye of Horus contained data on 90% of Spain's population.

Phisher sentenced in the Netherlands: A Dutch judge has sentenced a teen from the city of Leeuwarden to three months' suspended juvenile detention and community service of 120 hours for developing and selling phishing panels.

Pig-butchering funds seized: US authorities have seized $112 million worth of cryptocurrency from six virtual currency accounts. Officials say the accounts were used to launder the proceeds of cryptocurrency confidence scams, also known as pig-butchering scams. The seizure comes after investment and romance fraud dethroned BEC scams for the first time last year as the most damaging form of cybercrime, accounting for $3.3 billion in losses in 2022.

KEV update: CISA has updated its KEV database with one new vulnerability that is currently being actively exploited. The vulnerability is CVE-2022-27926, a Zimbra flaw exploited by Russian hackers against NATO-allied governments.

Spam campaign takes down npm: That huge campaign [1, 2, 3] that has flooded the npm portal with spammy libraries has gotten so huge the npm portal has been intermittently going down over the past few days with "Service Unavailable" errors.

Veritas attacks: An affiliate of the AlphV (BlackCat) ransomware gang is targeting publicly exposed Veritas backup servers to gain access to corporate networks. The attacker, tracked by Mandiant as UNC4466, is exploiting three 2021 vulnerabilities (CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878) in the Veritas Backup Exec server. Mandiant says it saw the first attacks in October of last year, a month after the publication of a Metasploit module for the vulnerabilities. Currently, there are more than 8,500 internet-accessible Veritas Backup Exec servers.

BreachForum replacement: A new forum named PwnedForums has surfaced as a replacement for the now-seized BreachFroums. Baphomet, one of the former BreachForums admins, has denied being involved.

Cybercrime groups structure: Trend Micro has a 27-page paper on the various internal structures of cybercrime groups.

Empty SFX files: CrowdStrike researchers say they discovered that seemingly empty SFX archives could be used to run PowerShell commands without being detected.

Proxyjacking attacks: Sysdig has a report on proxyjacking—the act of infecting users with malware that converts their system into a rentable proxy that relays other people's web traffic. Sysdig's take is that attackers could also go after cloud servers and hijack legitimate servers for proxyjacking attacks, and not just home users.

"The Sysdig TRT recommends setting up billing limits and alerts with your CSP to avoid receiving potentially shocking usage bills."

IT Army of Ukraine: ThreatMon has a 34-page report on the IT Army of Ukraine, the unofficial hacktivist army of Ukraine.

TikTok's role in money laundering: AT&T has a report on the methods employed by Chinese threat actors to launder funds stolen from Western victims. Observed monetization techniques include classic cash-out schemes where the threat actors use the stolen funds to purchase gift cards or expensive real-world products that are later resold, allowing the threat actors to lose their money trails. Newer monetization techniques also involve buying and reselling e-books and NFTs, but also TikTok coins. In the case of TikTok, the threat actors will buy TikTok coins and donate them to a malicious TikTok account. This account is either run by the threat actor or a recruited "influencer" who takes a cut of the coins and sends the rest back to the gang.

Malware technical reports

New DFIR Report: The team at DFIR Report has published a new report on an ISO-to-ransomware attack chain.

Rorschach ransomware: Check Point researchers have discovered a new ransomware operation named Rorschach that was already used in the wild to target a US-based company. Check Point says the ransomware attack stood out because of the sheer speed at which it encrypted files and because the ransomware itself was deployed using a signed component of a commercial security product. Check Point called it "one of the fastest ransomware observed," even faster than the notoriously fast LockBit 3.0 strain.

BabLock ransomware: Group-IB researchers have identified a new ransomware strain named BabLock. Active since January this year, the BabLock gang exploits a Zimbra vulnerability (CVE-2022-41352) to gain access to corporate networks where it can deploy its payload. The ransomware is based on the leaked Babuk source code and has versions for Windows, Linux, and ESXi platforms. Unlike most ransomware operations, BabLock doesn't have a payment or dark web leak site. Instead, they use email to communicate with victims.

Typhon Reborn: Cisco Talos has a report on Typhon Reborn V2, the latest version of the Typhon Reborn information stealer, released earlier this year in January. The new version features additional anti-analysis and anti-virtual machine (VM) capabilities to evade detection and make analysis more difficult.

Verblecon: A threat actor is infecting systems worldwide with the Verblecon malware in order to conduct hidden crypto-mining operations. Broadcom's Symantec team describes the malware as very advanced and claims the threat actor "may not realize the potential capabilities of the malware they are deploying."

Rilide: Trustwave researchers have discovered a new strain of malware named Rilide, hidden in a browser extension that targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. Trustwave says the extension is installed on users' computers via other malware campaigns. Its main purpose appears to be to steal money from cryptocurrency exchange accounts. In the incidents it analyzed, Trustwave says Rilide was disguised as a legitimate Google Drive extension.

Sponsor Section

RunZero is one of this newsletter's four main supporters and this week's featured sponsor. The company's main product is its network discovery and asset inventory platform, which can be used to find any managed and unmanaged assets inside a customer's network. To learn more, please check out this runZero product demo below:

APTs and cyber-espionage

3CX incident targeted cryptocurrency companies: Russian security firm Kaspersky says it observed at least ten computers infected during the 3CX supply chain attack where the intruders deployed an additional payload—the Gopuram backdoor. Kaspersky believes this backdoor is actually the final payload of the 3CX attack, being deployed only on systems the operators deemed important. According to current evidence, Kaspersky believes the attackers—identified as North Korean hackers—had a specific interest in cryptocurrency companies.

UAC-0145: Ukraine's CERT team has published an alert on UAC-0145, a threat actor using cracked versions of Microsoft Office to infect targets in the ICS sector.

Mantis APT: Broadcom's Symantec division has published a report on the recent operations of the Mantis APT. The group is also known as Arid Viper, Desert Falcon, and APT-C-23, and is believed to operate out of Palestine. Symantec's report covers the group's Windows operations. A report from earlier this week from Qihoo 360 covered the group's recent Android ops.

Vulnerabilities and bug bounty

Restart status: Microsoft's Defender Vulnerability Management platform now tells you if a device has been restarted or not to apply recent security patches.

Pentah0wnage: Aura Information Security has published a report on Pentah0wnage, a set of vulnerabilities in Pentaho Business Analytics Server, a business intelligence and data analytics platform written in Java. The vulnerabilities are tracked as CVE-2022-43769, CVE-2022-43773, CVE-2022-43938, and CVE-2022-43939. Combined, they can allow for a pre-auth RCE chain.

Nexx vulnerabilities: Security researcher Sam Sabetan has discovered several vulnerabilities in Nexx products, such as garage doors, smart alarms, and smart electric plugs. Sabetan says the vulnerabilities can allow remote attackers to open and close garage doors, take control of alarms, and switch smart plugs on and off for any Nexx customer across the world. Nexx has not responded to the researcher, reporters, and not even CISA. No updates are available for the affected Nexx products.

Microsoft Windows Task Scheduler vulnerability: BishopFox has published a technical deep dive into CVE-2023-21541, a vulnerability in the Windows Task Scheduler that Microsoft patched in January.

Android security updates: ...for April 2023 are out!

Infosec industry

New tool—GTFOArgs: Security researcher Joshua Rogers has open-sourced a new project named GTFOArgs, a curated list of Unix binaries that can be manipulated for argument injection, possibly resulting in security vulnerabilities.

New tool—BBRadar: Security researcher Kleoz has created BBRadar, a website to aggregate links to all known public bug bounty programs.