Risky Biz News: XakNet "hacktivists" linked to APT28 and Russia's GRU intelligence service

This newsletter is brought to you by Airlock Digital, Proofpoint, runZero, and Thinkst Canary. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

In a report published on Friday, security firm Mandiant said it linked three pro-Russian hacktivist groups to intrusions performed by APT28, the codename of a cyber-espionage group operated by the Russian Main Intelligence Directorate (GRU).

This includes self-proclaimed hacktivist groups such as the XakNet Team, Infoccentr, and CyberArmyofRussia_Reborn—known to the world through their eponymous Telegram channels, where they announce future operations and leak data from their victims.

This assessment is based primarily on Mandiant's direct observations of the deployment of wipers used by APT28 on the networks of multiple Ukrainian organizations and the subsequent leaks of data by threat actors claiming to be hacktivists likely originating from those entities on Telegram within 24 hours. We identified at least 16 data leaks from these groups, four of which coincided with wiping attacks by APT28.

Mandiant researchers also add:

In one XakNet data leak, Mandiant discovered a unique technical artifact from an APT28 intrusion. This indicates APT28 had access to the same parts of the network the leak was sourced from.

In addition, Mandiant also believes that XakNet has coordinated with another faux hacktivist group named KillNet, but has not formally linked the latter to the GRU just yet. The company has also not ruled out that either GRU or other Russian intelligence services might be behind other pro-Russian newly formed hacktivist groups, such as FromRussiaWithLove (FRWL), DeadNet, Beregini, JokerDNR (alternate spelling: JokerDPR), and RedHackersAlliance.

But Mandiant's findings are not surprising in the slightest for anyone familiar with APT28's history and its propensity toward using "hacktivist" personas. GRU's cyber division has also previously posed as Anonymous Poland in a campaign to influence the country's politics through leaks, hacked WADA under the guise of a hacktivist group cheekily named FancyBear (a codename used for Russia's FSB hackers), invented the Guccifer 2.0 persona [PDF] to leak data from the DNC hack, and the CyberBerkut persona to leak data on Ukrainian politicians in the late 2010s.

As for a response from the hacktivist groups after Mandiant's report, only XakNet has addressed the topic, promising a reply in the coming days. Knowing how we know XakNet, it will probably be something lame and stupid.

Breaches and hacks

dYdX npm hack: A threat actor compromised the npm account of a developer at cryptocurrency platform dYdX and published malicious code in two of the company's JavaScript libraries—solo and perpetual. The incident was first spotted by Polish security researcher Maciej Mensfeld, and the company acted within hours to secure its libraries. [Additional coverage in Phylum]

Pôle Léonard de Vinci hack: Two hackers claims to have breached the IT network of Pôle Léonard de Vinci, a university based in Paris, France, and are now threatening to publish more than 600GB of its data.

Optus data up for sale: After Australian telco Optus disclosed a security breach last week, the company's data has now popped up for sale on Breached, a famous cybercrime forum. According to the seller, the Optus data contains the details of 11.2 million telco customers. [Additional coverage in BankInfoSecurity]

General tech and privacy

Vivaldi promises to keep ad blockers working: After Google is slowly starting to roll out its new core rules for Chromium extensions (called Manifest V3), the team behind the Vivaldi browser said they will still support the older V2 system going forward. The new V3 nerfs the capabilities of ad blockers, which many extension developers said Google is doing on purpose to protect its ad-biz unit. Definitely not a monopoly in the browser market. Don't look over here EU and US authorities. All's fine!

Browser competition and walled gardens: Mozilla published a 66-page paper [PDF] last week describing how "walled garden" approaches in today's tech landscape are actively harming the browser market and user privacy.

All five major platforms today (Google, Apple, Meta, Amazon, Microsoft) bundle their respective browsers with their operating systems and set them as the operating system default in the prime home screen or dock position. For many people, this placement is sufficient and they will not see or pursue extra steps to discover alternatives.

Signal asks users to help Iranians: Secure messaging app Signal has asked its users to set up and run proxy servers and help Iranians connect to the Signal service, currently blocked inside the country following massive public protests. A ready-made server setup is also available on GitHub.

Meta sued for bypassing Apple anti-tracking: A group of users has sued Meta, Facebook's parent company, for bypassing Apple's anti-tracking privacy protections on iOS devices. The lawsuit is based on the findings of a Google software engineer published last month.

Fitbit users must link to their Google accounts: Google will force all Fitbit device owners to link a Google account to their device starting next year; otherwise, their devices will stop working. Google acquired Fitbit for $2.1 billion in 2021.

Russian govt TLS certs: Russia's national Certificate Authority is now operational and has already issued TLS certificates for more than 7,000 domains, according to the Russian Ministry of Digital Development, Telecommunications, and Mass Media.

Ubuntu gets AD support: Something we missed this April is the new Ubuntu Desktop 22.04 release that now supports Active Directory integration, allowing you to run group policies on your fleet of Linux systems.

Government, politics, and policy

Kaspersky faces possible ban across the EU: Bloomberg reported on Friday that five countries (Latvia, Lithuania, Estonia, Ireland, and Poland) are pushing for a new set of sanctions against Russia, including a possible ban on Russian cybersecurity firm Kaspersky.

Russia won't mobilize IT specialists: Russia's Ministry of Defense said on Friday that it won't mobilize individuals who hold certain professions, such as IT specialists working in critical infrastructure, telecommunications, media, and the financial market. The exemption comes after representatives of Russia's private sector asked the government for an exemption after already facing serious staff shortages since the start of the war.

US bill to secure FOSS software: Two US senators, Rob Portman (R-OH) and Gary Peters (D-MI), introduced a new bill last week to help strengthen the security of open source software.

The Securing Open Source Software Act would direct CISA to develop a risk framework to evaluate how open source code is used by the federal government. CISA would also evaluate how the same framework could be voluntarily used by critical infrastructure owners and operators. This will identify ways to mitigate risks in systems that use open source software. The legislation also requires CISA to hire professionals with experience developing open source software to ensure that government and the community work hand-in-hand and are prepared to address incidents like the Log4j vulnerability. Additionally, the legislation requires the Office of Management and Budget (OMB) to issue guidance to federal agencies on the secure usage of open source software and establishes a software security subcommittee on the CISA Cybersecurity Advisory Committee.

NNSA cyber review: The US Government Accountability Office (GAO) has published a review of the cybersecurity practices of the National Nuclear Security Administration (NNSA), the US government agency that manages the country's nuclear weapons arsenal. GAO said that despite federal laws mandating a cybersecurity management program, the NNSA and its contractors haven't fully implemented most of six major cybersecurity practices. [Additional coverage in The Record]

China is building cyber ranges: A report from the University of Georgetown's Center for Security and Emerging Technology goes deep into China's "cyber ranges," facilities built by the Chinese government where cybersecurity experts from academia and the private sector can test new tools, practice attack and defense, and evaluate the cybersecurity of a particular product or service. This report found:

1. China's cyber ranges facilitate joint exercises between the People's Liberation Army (PLA) and civilians. One competition hosted each year in Chengdu aims to replicate the North Atlantic Treaty Organization's (NATO) Locked Shields exercise. Teams include representatives from the military, private cybersecurity firms, and critical infrastructure operators. Separately, a defense state-owned enterprise (SOE) makes a "comprehensive space scenario range" available to civilians at an annual cybersecurity competition. Each of these examples demonstrates China's implementation of military-civil fusion in the cyber domain.
2. Some cyber ranges allow hackers to practice attacking and defending critical infrastructure systems. Two ranges covered in this report provide users with training on industrial control systems within the cyber range; one of which purportedly engages in "national offensive and defensive exercises." The Office of the Director of National Intelligence's 2022 unclassified annual threat assessment found that China was "almost certainly […] capable of launching cyber attacks that would disrupt critical infrastructure services." These ranges could allow rehearsals and testing of these types of attacks in the future.
3. Peng Cheng Laboratory in southern China is using a supercomputer to research artificial intelligence's (AI) application to cybersecurity. The lab's partners include the National University of Defense Technology, China's Key Laboratory of Science and Technology for National Defense, and Shanghai Jiao Tong University, a university with ties to military hacking teams. The lab has quickly earned the respect of longtime experts in China's cybersecurity community.

Sponsor section

RunZero (formerly Rumble Network Discovery) is one of this newsletter's four main supporters and this week's featured sponsor. The company's main product is its network discovery and asset inventory platform, which can be used to find any managed and unmanaged assets inside a customer's network. To learn more, please check out this runZero product demo below:

Cybercrime and threat intel

UK teen detained: The City of London police detained last week, on Thursday, a 17-year-old teen from Oxfordshire on hacking-related charges. While UK officials have not released the suspect's name or other details about his arrest, the teen is widely suspected of being Teapot, a member of the Lapsus$ gang, who recently breached Uber and Rockstar Games, the makers of the GTA game series.

Crypto hacker arrested in the Philippines: South Korean police said on Friday that a hacker who stole 14 billion won ($9.85 million) worth of cryptocurrency from a local platform was arrested in the Philippines. The man was identified as Mr. A., and Korean officials said he previously worked as an IT engineer. He was extradited back to South Korea last week, where he is set to face criminal charges related to the hack and subsequent money laundering operations.

Hackers detained in Ukraine: The Security Service of Ukraine (SSU) said it detained a hacker group in Lviv that infected user devices with malware, collected, and then sold their personal data on the dark web. Officials said the group collected the personal details of 30 million users—from Ukraine and the EU—and sold it to Russian propagandists, who then created fake online profiles in the victims' names to spread fake news and panic surrounding Russia's invasion of Ukraine.

Dutch man sentenced in spyware case: A Dutch man was sentenced to 80 hours of community service after he was found guilty of installing spyware on his partner's MacBook laptop back in 2020. The name of the spyware was not mentioned, but authorities said the suspect could access the device's microphone, camera, and keystrokes.

Bjorka: The Diplomat has a profile on Bjorka, a hacker who has breached and leaked data from Indonesian government agencies for the past few months.

Sophos zero-day under attack: Sophos fixed a zero-day vulnerability (CVE-2022-3236) in its enterprise firewall product that was actively exploited across the South Asia region. The security vendor described the issue as a code injection vulnerability that can allow remote code execution via the firewall's web interface. The company released a firmware patch and promised to publish a thorough report as it investigates the ongoing attacks.

Mir DDOS attacks: Members of Ukraine's IT Army hacktivist group have carried out a large-scale DDOS attack against Mir, a popular Russian payment system—currently operating around 130 million payment cards across Russia.

Agent Tesla spam: Kaspersky has a report out on a massive email spam campaign spreading the Agent Tesla infostealer.

Raspberry Robin activity surge: Security firm Red Canary reported a surge in activity from the Raspberry Robin malware, which saw it jump from the #8 spot to #2 in the company's most recent monthly malware ranking.

Credit card scam network uncovered: Researchers from ReasonLabs said they uncovered a huge network of fake adult websites that trick users into subscribing and charging huge recurring services to their cards. The researchers believe the scammers are based in Russia and have scammed tens of thousands of victims out of tens of millions of US dollars.

Gootloader SEO campaign: Deepwatch researchers have analyzed a recent Gootloader campaign that uses SEO to push websites in users' search results. These websites are optimized for users in particular industry sectors, and they also host a malicious JavaScript file that attempts to push the Gootloader malware on users' systems. Users working in government, legal, real estate, medical, and education were targeted, according to Deepwatch.

Malware technical reports

Scylla campaign: Cybersecurity firm Human has published a report on Scylla, a cybercrime operation that abuses advertising SDKs to perform ad fraud. Human says the operation ran 29 Android apps that were pretending to be more than 6,000 different CTV apps in order to receive higher-priced ads. Scylla then used hidden ad displays and fake clicks to generate profits behind its users' backs.

Erbium Stealer: CyFirma published a report on Sunday on the new Erbium Stealer malware, currently advertised on underground hacking forums.

APTs and cyber-espionage

APT41: The US Department of Health & Human Services has published a security alert about APT41 [PDF], a Chinese state-sponsored threat actor with a track history of targeting healthcare organizations.

Fancy Bear: A Cluster25 report published last Friday deals with recent operations carried out by the Fancy Bear (APT28) Russian cyber-espionage group.

BlackTech: Security researcher CyberRamen published a blog post on Saturday describing how the BlackTech Chinese APT has slowly migrated its attack infrastructure from GoDaddy to companies like PDR Ltd. and Vitalwerks Internet Solutions, LLC.

Vulnerabilities and bug bounty

Seagate vulnerability: @x86matthew, a security researcher with MDSec Labs, has published a write-up on how he exploited a vulnerability (CVE-2022-40286) in a Windows Seagate media service to elevate privileges to SYSTEM level.

WhatsApp September security updates: WhatsApp has published two fixes for two vulnerabilities in its Android and iOS apps. Both issues (CVE-2022-27492 and CVE-2022-36934) allow for remote code execution scenarios when receiving a video file and video call, respectively.

ModSecurity vulnerabilities: Terjanq, a security engineer at Google, published Friday a write-up on 13 vulnerabilities he discovered in the ModSecurity web server firewall module.

NodeJS server vulnerability: Security researcher Octavia Johnston published details on CVE-2022-35256, a new HTTP request smuggling vulnerability impacting the NodeJS web server. The vulnerability was patched earlier this month.

Microsoft out-of-band security update: Microsoft released an out-of-band security update last week for its Microsoft Endpoint Configuration Manager app to address a security issue known as CVE-2022-37972, which was set to be described for the first time at the BSidesKC security conference this weekend.

Infosec industry

New tool—Quokka: Quarkslab has open-sourced Quokka, a binary exporter to manipulate a program's disassembly without a disassembler. The source code is on GitHub.

New tool—Wolfi: DevOps security firm Chainguard open-sourced last week Wolfi, a stripped-down Linux distribution designed to improve the security of the software supply chain. [Additional coverage in SecurityWeek and ZDNet]

RomHack Camp stream: A recorded live stream of the RomHack Camp 2022 security conference, which took place over the weekend, is now available on YouTube.

An interesting survey: See below, and vote if still active.