This week
Cyberattack claimed against Iranian steelworks
Spectacular footage was posted online by the Gonjeshke Darande (Predatory Sparrow) ‘hacktivist’ claiming responsibility for a cyberattack against three Iranian steel companies, later confirmed by state media in Iran.
Operations were suspended as a result of the attack, though the CEO of one of the affected companies said that “the attack failed and no damage was done to the production line.”
View the full video on Twitter: @GonjeshkeDarand
Kinetic impacts stemming from cyber-attacks are, fortunately, few and far between - making this all the more of a stand-out incident. A previous incident, also targeting a steel works, was reported by the German Office for Information Security (BSI) in 2014.
But while the sparks flew in the video of the attack, the attack itself appears to be far more controlled, as The Grugq points out in his newsletter The Info Op. Of particular note is “the level of effort that the operators took to make sure that the attack didn’t harm people. Not only did they take pains to ensure this, but they also made it a pillar of their announcement, along with proof that they took those steps.”
Then there is not only compromising the industrial control systems but also the facility’s CCTV to provide evidence of the attack. While not unfeasible, these, combined with the slightly odd target selection for a ‘hacktivist’ group points to it being a state-sponsored group conducting an offensive cyber-operation, but also trying to manage the fallout and establish ‘norms’ around these types of attacks.
Tom Uren has more background on this, and previous Predatory Sparrow attacks on Iranian targets, which included similar forewarning and careful planning in the Seriously Risky Business newsletter.
cyberscoop.com, bbc.co.uk (German steel mill, 2014), substack.com (Grugq), substack.com (Srsly Risky Biz)
How mercenary hackers sway litigation battles
A special report from Raphael Matter and Christopher Bing at Reuters looks at the relationship between Indian ‘hackers for hire’ and US private investigators and law firms. Regular readers will recall the name BellTroX InfoTech from a Citizen Lab investigation in 2020 (vol. 4, iss. 24) who obtained information from the opposition party’s email accounts to provide intelligence on legal strategies or other evidence. It’s a good read and example of the ‘clock and gavel’ tactics that some resort to behind the scenes to influence legal battles.
Interesting stats
39% of all UK crime in 2020-21 was fraud, according to the Office for National Statistics, with £1.3 billion being misappropriated by criminals in scams against UK banking customers, says industry group UK Finance ft.com
18 0-day vulnerabilities have been found being exploited in the wild so far in 2022… and 50% are variations on previous vulnerabilities that “could have been prevented with more comprehensive patching and regression tests,” according to Maddie Stone of Google’s Project Zero team blogspot.com
In brief
Attacks, incidents & breaches
- Several Lithuanian government services were taken offline for several hours by distributed denial-of-service (DDoS) attack after the country refused to allow Russian exports of metal and coal through the country to the Russian exclave of Kaliningrad therecord.media
- Norway has also blamed a “pro-Russian group” for DDoS against public and private providers of ‘important services’ reuters.com
- AMD is investigating claims that the RansonHouse group compromised its network and stole 450GB of data last year bleepingcomputer.com
- NFT Marketplace OpenSea has disclosed a data breach this week caused by an employee at a supplier downloading email addresses belonging to users and newsletter subscribers. The addresses could be used to target phishing attacks for crypto-assets bleepingcomputer.com
- Book publisher Macmillan has shut down its network and closed offices while responding to a ransomware attack, leaving the company unable to process new orders techcrunch.com
- Names, date of birth, gender, race, driver’s license number, addresses, and criminal history of California concealed/carry weapons permit applications between 2011-2021 leaked by the state’s Firearms Dashboard Portal theregister.com
- Last week’s $100 million theft from crypto-currency Harmony (vol. 5, iss. 26) has been linked to North Korea’s Lazarus group by Elliptic techcrunch.com
- Carnival Cruises has agreed to a $1.25 million fine for the way that it handled a 2019 data breach. The breach was disclosed in March 2020 (vol. 3, iss. 10) and affected 180,000 employees and customers whose names, Social Security, passport, driver’s license, health and payment information was compromised by attackers therecord.media
Threat intel
- The LockBit ransomware group has released version ‘3.0’ of its ransomware-as-a-service operation and, in parallel, launched a bug bounty programme — usually the sort of thing modern tech companies use to engage and reward security researchers for finding vulnerabilities in their platforms — with payouts for identifying vulnerabilities in websites, providing personal information, and bugs in encryption software that might allow the safe recovery of files, amongst others therecord.media
- Evilnum APT group carrying out renewed espionage campaigns that align with the interests of Belarus, says Zscaler bleepingcomputer.com
- The ‘8220’ group have made ‘notable updates’ to their malware targeting Linux systems, says Microsoft. Vulnerabilities in Confluence and WebLogic are being exploited to compromise systems and drop a crypto miner and IRC bot zdnet.com
- Chinese foreign language students were targeted for ‘translation jobs’ working for Hainan Xiandun, allegedly a front company for the Ministry of State Security (MSS) APT40 group, to analyse stolen documents from espionage operations arstechnica.com]
- Android malware disables Wi-Fi, subscribes to premium services and intercepts/suppresses SMS confirmation messages, in a new ‘toll-fraud’ campaign says Microsoft microsoft.com
- Information and indicators of compromise (IOCs) on MedusaLocker ransomware from CISA cisa.gov
Vulnerabilities
- Vulnerabilities found in 25 plugins for the Jenkins open source continuous integration (CI/CD) platform theregister.com
- Public proof of concept published for 9.8/10 remote code execution vulnerability in Zoho ManageEngine ADAudit Plus. The bug, CVE-2022-28219, was patching in Mach bleepingcomputer.com
Cyber defence
- CISA is urging federal agencies and companies to adopt ‘Modern Authentication’ options in Exchange Online before Microsoft removes ‘Basic Authentication’ options at the beginning of October. While modern options allow the use of multi-factor authentication, the basic routes (used by many legacy applications) are still currently enabled in parallel, allowing attackers to circumvent these additional protections thergister.com The change is likely to be disruptive to organisations that aren’t planning for it, despite Microsoft giving over a year’s notice: here’s a recent update from the Exchange team on how to prepare microsoft.com
- Guidance from NCSC on reducing data exfiltration by malicious insiders — you’ll be disappointed if you hoped for a ‘turn this on and be done’; it’s down to you to step through in a structured manner — but also a useful list of relevant case studies at the bottom ncsc.gov.uk
- After rising an estimated 92% in the last 12 months, cyber insurance premiums may be stabilising allowing “cautious optimism” of brokers, says Marsh therecord.media
- Google has consolidated its password managers in Chrome and Android techcrunch.com
Security engineering
- Congrats to Pedram for the launch of SecDim Play, a security game where you get points for finding and fixing security bugs secdim.com
Privacy
- Mozilla is adding a feature to its Firefox web browser that removes tracking parameters from hyperlinks that are used to track users sharing URLs and those who are clicking on them bleepingcomputer.com
Public policy
- The NATO military alliance will improve civil-military cooperation and create a ‘rapid reaction’ cyber force, following a meeting of leaders from all 30 allied countries in Madrid this week cyberscoop.com
- The US Department of Justice is targeting to handle 65% of ransomware cases reported to it within 72 hours by the end of September 2023 therecord.media
Regulatory
- The US Federal Trade Commission (FTC) is suing Walmart for failing to clamp down on fraudulent transactions while pocketing fees from scammers using its money transfer services. Walmart has called the suit “factually misguided and legally flawed” theregister.com
- Cyber regulations for pipelines operators are being relaxed by the US Transportation Security Administration (TSA), with reporting deadlines doubling from 12 hours to 24 hours and a performance-based method that gives greater flexibility and choice over how companies protect their digital systems wsj.com
Law enforcement
- Sebastien Vachon-Desjardin, a Canadian extradited to the US in March, is to plead guilty to four charges around his involvement in the NetWalker ransomware gang. Alongside his arrest earlier in the year, 719 Bitcoin and $790,000 in Canadian currency were seized cyberscoop.com
- Ukrainian police have arrested nine people for operating over 400 phishing websites believed to have been used to steal $3.4 million from around 5,000 victims bleepingcomputer.com
And finally
HackerOne employee terminated for selling bug reports on the side
Bug bounty platform HackerOne has terminated an employee following an investigation that found they were using their position reviewing vulnerability submissions to steal bug reports and sell them on the side… using the company’s own platform. It seems they had pretty terrible opsec, as network traffic provided evidence linking their staff and sock puppet HackerOne accounts and it seems they didn’t waste any time getting to ‘work’ as seven fraudulent claims were submitted to participating companies before they were terminated within 3 months of starting their employment.