Risky Biz News: US Ransomware Task Force to go after ransomware top dogs

In other news: RSOCKS admin detained in Bulgaria; Wintermute hacked for $160 million; and Mullvad VPN expands to hardware security keys.

This newsletter is brought to you by Airlock Digital, Proofpoint, runZero, and Thinkst Canary. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Representatives from CISA, the FBI, the DOJ, cybersecurity companies, and the private sector held their first meeting last week as part of the Joint Ransomware Task Force (JRTF), an inter-agency project launched earlier this year by the US Congress through CIRCIA to counter and fight against the rising threat posed by ransomware attacks.

The meeting, headed by CISA and FBI officials, focused on establishing a set of primary goals on which the JRTF members will focus their upcoming efforts.

According to a CISA press release of the meeting's minutes, the Task Force plans to take both an offensive and defensive approach to dealing with this uniquely modern problem.

On the offensive side, the JRTF plans to put together "a list of highest threat ransomware entities" and then prioritize "operations to disrupt specific ransomware actors."

On the defensive side, the JRTF said it plans to collect and analyze ransomware trends and then work with federal and private sector entities "to increase adoption of defensive measures to reduce the prevalence of successful ransomware intrusions."

Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA, and Co-Chair of the JRTF, said these were "necessary steps to synchronize [their] efforts" for "a future where ransomware no longer afflicts American organizations."

The announcement is bound to please many members of the cybersecurity community, many of whom have detailed dossiers on most ransomware gangs and their members, and have long called for a more proactive approach in going after these gangs, be it through formal criminal cases or by forcing server infrastructure offline.

But how quickly JRTF's crackdown on top ransomware gangs will come is another topic of discussion, mainly because this is a mammoth coordination effort, the project is still new, and bureaucracy is still king.

Breaches and hacks

Uber links hack to Lapsus$ gang: In an update to its data breach blog post, ride-hailing company Uber said the security breach uncovered over the weekend targeted one of the company's external contractors and appears to have been carried out by an individual affiliated with the Lapsus$ hacking group. The company also confirmed that most of the second-hand analysis of the hack posted on social media by various researchers was authentic. This included:

  • Purchasing Uber credentials from underground markets.
  • Using push notification spam to bypass MFA on the employee's account.
  • Gaining access to its G-Suite and Slack channels.
  • Reconfiguring Uber’s OpenDNS to display a graphic image to employees on some internal sites.

Uber said no customer data was accessed and that its services remained online during the breach. The company said it's still investigating the incident together with law enforcement.
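The MFA push-spam technique listed above leaves a recognisable trace in authentication logs: a burst of push prompts for one account, often with denials, followed by an approval. The following is an added detection example, not Uber's code or anything published by the company; the log format (`timestamp user event`) and the sample lines are constructed for illustration, and the threshold of four prompts in five minutes is an assumed tuning value.

```python
"""Flag MFA push-fatigue bursts in authentication logs (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines, not real data. Format: ISO timestamp, user, event.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z alice mfa_push_sent
2022-09-15T22:01:09Z alice mfa_push_denied
2022-09-15T22:01:40Z alice mfa_push_sent
2022-09-15T22:02:11Z alice mfa_push_sent
2022-09-15T22:02:45Z alice mfa_push_sent
2022-09-15T22:03:02Z alice mfa_push_sent
2022-09-15T22:03:30Z alice mfa_push_sent
2022-09-15T22:03:55Z alice mfa_push_approved
2022-09-15T22:05:00Z bob mfa_push_sent
2022-09-15T22:05:08Z bob mfa_push_approved
"""


def parse_line(line):
    """Split one log line into (datetime, user, event)."""
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def find_push_fatigue(log_text, max_pushes=4, window=timedelta(minutes=5)):
    """Return one alert per user whose push prompts exceed max_pushes inside
    a sliding time window. Each alert records whether the user eventually
    approved a prompt after the burst began, which is the worst case."""
    recent = defaultdict(deque)  # user -> timestamps of pushes inside the window
    alerts = {}                  # user -> alert dict (one alert per user)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, event = parse_line(raw)
        if event == "mfa_push_sent":
            q = recent[user]
            q.append(ts)
            # Drop prompts that fell out of the sliding window.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= max_pushes and user not in alerts:
                alerts[user] = {
                    "user": user,
                    "pushes": len(q),
                    "first_push": q[0],
                    "approved_after_burst": False,
                }
        elif event == "mfa_push_approved" and user in alerts:
            # An approval after a burst is the signal that fatigue succeeded.
            alerts[user]["approved_after_burst"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_LOG):
        print(alert)
```

With the constructed log, `alice` trips the threshold on her fourth prompt and later approves one, so the alert carries `approved_after_burst=True`; `bob`, with a single prompt and approval, produces no alert. In practice the response to such an alert is to treat the approval as suspect, revoke the session, and move the account to a phishing-resistant or number-matching second factor.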

Wintermute crypto-heist: Cryptocurrency DeFi platform Wintermute said it was hacked and lost $160 million in a security breach that took place on Tuesday, September 20. Most of the cryptocurrency security space appears to believe the attacker exploited a recently-disclosed vulnerability in an Ethereum vanity address generator tool to steal funds from Wintermute's main ETH wallet. Wintermute's CEO said the company remains solvent and said they are still open to the idea of offering a bug bounty payout to the attacker if they return the stolen funds.

American Airlines breach: American Airlines disclosed a security breach last week in a breach notification letter [PDF] filed with the Montana OAG. The airline said the breach occurred in July this year after a threat actor gained access to several employee email accounts. These accounts contained documents with the personal data of some of the airline's past customers, such as names, email addresses, home addresses, phone numbers, and travel document information.

Gag order in Albania: The Albanian government has put a gag order on local press to prevent them from reporting any stories sourced from documents that were stolen and recently leaked by Iranian hackers.

Ransomware attack on Bosnia's government: Officials from Bosnia and Herzegovina are investigating a cyberattack that has crippled the operations of the country's parliament for more than two weeks, in what experts say bears all the hallmarks of a classic ransomware attack.

General tech and privacy

MSFT to turn on Tamper Protection: Microsoft said it will enable its Tamper Protection security feature for all Microsoft Defender enterprise customers by default. The feature works by preventing local apps from disabling or tampering with any of the Defender antivirus settings or processes. Tamper Protection has been generally available since October 2019, and Microsoft has been enabling this feature by default for all its “new” enterprise customers since last year. In a blog post on Tuesday, Microsoft said it is now enabling this feature by default for all its “past” and existing enterprise customers as well, on October 24, 2022.

Chrome gets a root store: After announcing its intention to develop its own root store for the Chrome browser back in late 2020, Google said it would start a slow rollout of this feature for macOS and Windows users running Chrome 105, its current stable version. Once this feature rolls out, Chrome will stop relying on the operating system's root store and switch to its internal system to verify if an SSL certificate is valid or not when establishing a new HTTPS connection.

YouTube ignores user downvotes: New research conducted by the Mozilla Foundation found that user downvoting mechanisms like the Dislike button and the Not Interested menu option are ignored, and YouTube continues to show the same type of content to its users.

Mullvad expands to security keys: VPN company Mullvad announced the creation of a sister company named Tillitis AB that will create and sell a new security key based on open-source firmware the company is currently developing.

Morgan Stanley fined for poor decommission policies: US banking giant Morgan Stanley has agreed to pay a $35 million fine to the US Securities and Exchange Commission after the bank admitted to having failed to monitor and ensure that server and hard drive decommission operations were being carried out correctly. According to the SEC's investigation, the US bank used a third-party contractor to dispose of its old equipment during a hardware refresh program but failed to notice that this company had resold its old gear to another company that then put it up for an online auction. SEC officials said that some of the devices sold through this auction still contained unencrypted customer data and that the bank should have made sure the equipment was either destroyed or wiped to ensure its users' privacy was not put in danger.

Government, politics, and policy

Indonesia privacy bill: The Indonesian Parliament passed a data protection bill this week that comes with fines and prison sentences for companies that fail to protect or abuse user data. According to Reuters, the fines can go up to 2% of a company's annual revenue, and prison sentences can go up to five years in jail for individuals who gather personal data illegally and up to six years in jail for those who falsify personal data for personal gain. The passing of this new law comes as the country has been faced with several major data leaks over the past years, incidents that have highlighted the poor security and broad data collection practices at most Indonesian companies.

ECJ ruling on traffic metadata retention: The European Court of Justice ruled on Tuesday, in a case involving Germany's super-broad telecommunications traffic retention policies, that metadata and location information may not be stored and queried en masse except in situations deemed a threat to national security. The German Telecommunications Act, which the ECJ ruled not compliant with EU laws, requires telcos to store customers' telephone and internet data for four and ten weeks, respectively, and make it available to law enforcement when requested. [See court ruling here, PDF, and coverage in DW]

FCC expands list of equipment/services that pose a national security threat: The US Federal Communications Commission has expanded the list of equipment vendors and service providers that it views as a national security threat with two Chinese telecom companies, namely Pacific Networks Corp and its wholly-owned subsidiary ComNet, and China Unicom. Their inclusion in this list means that US companies and state governments will not be able to use US government funds to purchase any of their equipment or services. Previously, the FCC also banned the likes of Kaspersky, China Telecom, China Mobile, Huawei, ZTE, Hytera, Hikvision, and Dahua.

DOJ's new crypto crime enforcement rules: Security researcher Garry Warner has a tl;dr breakdown of the DOJ's new rules [PDF] for cracking down on crimes involving cryptocurrencies, rules published by the department last week.

Proofpoint is one of this newsletter's main sponsors. Below is a product demo Patrick Gray, the host of the main Risky Business podcast, recorded with them last year, where they show off Nexus People Risk Explorer, the company's product for mitigating insider threats:

Cybercrime and threat intel

RSOCKS admin detained in Bulgaria: US authorities announced in June that they disrupted the operations of RSOCKS, a proxy-for-hire service and botnet. In a report published a week later, infosec reporter Brian Krebs identified the service's admin as Russian national Denis Kloster. At the time, Krebs said that attempts to contact Kloster for a statement remained unanswered. But according to a report in Bulgarian media last week, Kloster couldn't answer because he was in police custody in Bulgaria after being detained at the request of US authorities two weeks before, on May 30, when he arrived for a vacation in Bansko, a high-end ski resort in the country's south-eastern mountains. The same report said that Bulgarian authorities have also approved the suspect's extradition to the US, where he is set to face cybercrime-related charges.

Underground market for Amazon merchant accounts: A BusinessInsider investigation found a thriving underground market of Amazon merchant accounts on places like Telegram and forums like PlayerUp and Swapd. BI reporters claim these accounts are used by shady sellers to skirt bans that Amazon has placed on their original accounts. Account prices range from a few hundred dollars for a new account to thousands of dollars for years-old accounts with established histories and solid customer reputations.

OSINT tooling: The Dutch Review Committee on Intelligence and Security Services (CTIVD) has published a report on how they collect, process, and use OSINT data in their investigations. My colleague Tom Uren recently had a discussion with The Grugq about how OSINT is rising to become a reliable source for intelligence collection.

Redis databases compromised: IoT search engine Censys says that out of 350,000 Redis databases it is detecting, around 39,000 instances appear to feature no authentication, and around half of those show signs they have been compromised.
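Most of those unauthenticated Redis instances come down to a handful of settings: a `bind` directive that is missing or set to a wildcard address, `protected-mode` switched off, and no password (`requirepass` or an ACL `user` rule). The following is an added audit example, not Censys's tooling or anything from the Redis project; the two configuration fragments are constructed, the weak one showing the exposed state and the hardened one the corrected settings, and the checks are heuristics against the plain-text `redis.conf` format.

```python
"""Audit a redis.conf for internet-exposure risk (added example)."""

# Constructed sample configs, not taken from any real deployment.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass not set
"""

HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
"""

WILDCARD_BINDS = {"0.0.0.0", "*", "::", "-::*"}


def parse_redis_conf(text):
    """Parse redis.conf into {directive: [values...]}; directives may repeat."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg.setdefault(key.lower(), []).append(value.strip())
    return cfg


def has_auth(cfg):
    """True if a requirepass is set or an ACL user rule carries a password
    (ACL rules add passwords with a '>' prefix, e.g. 'user default on >secret')."""
    if cfg.get("requirepass"):
        return True
    return any(">" in rule for rule in cfg.get("user", []))


def audit_redis_conf(text):
    """Return a list of human-readable findings; an empty list means the
    three exposure conditions checked here are all absent."""
    cfg = parse_redis_conf(text)
    findings = []

    # Redis listens on every interface when bind is absent or a wildcard.
    bind_addrs = [a for v in cfg.get("bind", []) for a in v.split()]
    if not bind_addrs or any(a in WILDCARD_BINDS for a in bind_addrs):
        findings.append("listens on all interfaces (no loopback-only bind)")

    # protected-mode defaults to yes; an explicit 'no' removes the safety net
    # that refuses remote clients when no bind and no password are set.
    if cfg.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode disabled")

    if not has_auth(cfg):
        findings.append("no authentication configured (requirepass/ACL)")

    return findings


if __name__ == "__main__":
    print("weak:    ", audit_redis_conf(WEAK_CONF))
    print("hardened:", audit_redis_conf(HARDENED_CONF))
```

The weak fragment produces all three findings, which is exactly the state the Censys numbers describe; the hardened fragment produces none. A passing audit is necessary but not sufficient: the instance should still sit behind a host firewall or private network, and the password must be a long random value rather than the placeholder shown.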

Phishing campaign targets US govt contractors: Phishing detection company Cofense published a report this week on a persistent phishing campaign that has been taking place since mid-2019 and has repeatedly targeted the M365 accounts of US government contractors.

Malware technical reports

ChromeLoader: VMware's security team has published a report on the emerging ChromeLoader malware family, also known as Choziosi Loader and ChromeBack, which works by changing Chrome browser search settings to hijack search queries and direct users to malicious sites. Check out similar reports on this malware from Red Canary, Palo Alto Networks, and CyberGeeks.

New TeamTNT malware: Cloud security firm AquaSec said it detected at least three new malware strains that appear to have been developed by the TeamTNT crypto-mining gang. These discoveries are of note because TeamTNT announced it shut down operations in a tweet last November, and all attacks since then have been associated with zombie server infrastructure that the group has operated in previous years.

APTs and cyber-espionage

UAC-0113 (Sandworm): Recorded Future has put out a report on UAC-0113, a group CERT Ukraine has linked to the Sandworm APT, and the infrastructure it has used in recent months to attack Ukrainian government agencies and private-sector organizations. Among its preferred tactics, UAC-0113 masqueraded as telecommunication providers operating within Ukraine and continued to rely on publicly available malware, but transitioned from DarkCrystal RAT to Colibri Loader and Warzone RAT as preferred payloads.

Russia's complicated APT landscape: The Atlantic Council published a report on the always-fascinating topic of Russia's APT landscape and its mixture of military hackers, private companies, patriotic hackers, and elements from the criminal underground.

Vulnerabilities and bug bounty

Oracle vulnerability: Cloud service company Wiz discovered a vulnerability in Oracle's Cloud Solutions Platform (CSP) that could have allowed a malicious threat actor to access the virtual disks of other Oracle customers. According to Wiz Head of Research Shir Tamari, the vulnerability's root cause was the lack of permissions verification in the AttachVolume API. The issue was also apparently resolved on the same day it was reported.

Azure Cloud Shell vulnerability: The Lightspin Research Team published details about a new Azure Cloud Shell vulnerability that can allow an attacker to steal a user's access tokens and execute commands in other users' terminals.

Bitbucket PoC: SuperX, a Chinese security researcher with security firm Winter Snow Lab, published last week a proof-of-concept exploit [cached] for CVE-2022-36804, a 9.9/10-rated command injection vulnerability that can allow attackers to run malicious code on Bitbucket servers using only modified HTTP requests. Atlassian fixed this issue at the end of August. According to Shodan, there are about 1,400 internet-facing servers, but it's not immediately obvious how many have a public repository, and hence how many are vulnerable to attacks. More on this is also available in a Rapid7 write-up.

Apple Maps vulnerability: Ron Masas, a security researcher with Breakpoint, has published the story of how he found CVE-2022-32883, a vulnerability in the Apple Maps service that could leak users' locations. Apple patched this bug last week, on September 12.

Cobalt Strike security update: HelpSystems released this week a security update for the Cobalt Strike red-team framework that fixed a security flaw (CVE-2022-39197) that could have allowed threat actors to hijack CS servers.

Dataprobe iBoot-PDU vulnerabilities: Claroty researchers have uncovered vulnerabilities in Dataprobe's iBoot-PDU, an intelligent power distribution unit product. Claroty says these vulnerabilities can be used to bypass NAT and mount attacks on iBoot-PDUs to shut down power on connected devices.

EZVIZ smart cams vulnerabilities: Security firm Bitdefender has also published a report on vulnerabilities it found in the EZVIZ smart cams.

Firefox 105: Security updates are available for Firefox users after Mozilla released Firefox 105 on Tuesday.

Infosec industry

New tool—varc: Cado Security has open-sourced this week a new tool called varc that can collect a snapshot of volatile data from a system immediately after the detection of malicious behavior. This includes stuff like active network connections, the memory of running processes, the content of opened files, and more. The tool works on Windows, Linux, macOS, AWS EC2, AWS Lambda, and containerized environments.

CrowdStrike acquires Reposify: Cybersecurity firm CrowdStrike announced on Tuesday that it is acquiring attack management platform Reposify. The company justified its decision by the need of its customers to have better visibility of their assets inventory and detect exposures before attackers exploit them.