US Treasury Department sanctions cryptocurrency mixer.
The US Department of the Treasury has sanctioned Blender.io on the grounds that the cryptocurrency mixer was involved in laundering money for the Lazarus Group, North Korea’s well-known government criminal organization. “On March 23, 2022,” Treasury says, “Lazarus Group, a DPRK state-sponsored cyber hacking group, carried out the largest virtual currency heist to date, worth almost $620 million, from a blockchain project linked to the online game Axie Infinity; Blender was used in processing over $20.5 million of the illicit proceeds.” The sanctions are believed to be the first levied against a mixer service.
Rewards for Justice is interested in Conti.
The US Department of State added members of the Conti ransomware operation to its Rewards for Justice program. “The Department of State is offering a reward of up to $10,000,000 for information leading to the identification and/or location of any individual(s) who hold a key leadership position in the Conti ransomware variant transnational organized crime group. In addition, the Department is also offering a reward of up to $5,000,000 for information leading to the arrest and/or conviction of any individual in any country conspiring to participate in or attempting to participate in a Conti variant ransomware incident.”
US tractor manufacturer AGCO hit by ransomware attack.
Reuters reports that ACGO, a major manufacturer of farm equipment, has sustained a ransomware attack that’s affected production and delivery of tractors and other agricultural equipment. The company said that disruptions might last “several days and potentially longer.” Some customers said they began to have difficulties accessing AGCO sites on Thursday. Which strain of ransomware was used, and which gang was behind the operation, are unknown, but the Record offers some informed speculation that it may have been BlackMatter. The Record also notes the coincidence, if coincidence it was, that AGCO had on Thursday announced plans to donate $50,000 to BORSCH, a Ukrainian relief effort devoted to helping that country’s farmers.
The US FBI had warned back in September that the agriculture and food sector could expect ransomware attacks, and the Bureau updated its warning at the end of April, saying that attacks on agriculture could be expected to coincide with planting and harvest seasons. This attack would seem to bear those warnings out.
Costa Rica declares a state of emergency as Conti ransomware cripples government sites.
President Rodrigo Chaves of Costa Rica has declared a state of emergency as the government works to recover from a Conti ransomware attack. According to BleepingComputer, Conti claims to have hit, and taken data from, the Costa Rican Finance Ministry, the Ministry of Labor and Social Security, and the Social Development and Family Allowances Fund. Other agencies whose operations are reported to have been affected include the Administrative Board of the Electrical Service of the province of Cartago (Jasec), the Ministry of Science, Innovation, Technology, and Telecommunications, National Meteorological Institute (IMN), Radiographic Costarricense (Racsa), the Interuniversity Headquarters of Alajuela (SIUA), and Costa Rican Social Security Fund (CCSS). Conti is a privateering gang that says it hacks in the Russian interest as well as its own, but this particular campaign seems primarily financially motivated.
DCRat and the C2C markets.
BlackBerry has released a report on DCRat (“DarkCrystal RAT”), a discount commodity malware tool offered in Russophone criminal-to-criminal markets. It is, BlackBerry’s researchers say, “the work of a lone actor, offering a surprisingly effective homemade tool for opening backdoors on a budget.” It can be had for as little as six bucks, US, and even less when it’s on special. Why it’s so inexpensive is unclear: BlackBerry speculates that the developer may be more interested, now, in market share than immediate profit, or perhaps the work is more hobby than livelihood. In any case, DCRat is under active development and still on offer, dirt cheap.
The gang behind REvil is likely to be back.
That’s Secureworks’ conclusion. Their researchers have found that samples of REvil obtained since the Gold Southfield group resumed operation last month strongly suggest access to the ransomware’s source code. The malware also seems to be under active development.
Secureworks found that various modifications have been made from the sample found in October 2021 as compared to the sample found in March of this year, including updates to hard-coded public keys, changes to affiliate tracking, removal of prohibited region check, leveraging of “accs” configuration element to attempt network authentication, new Tor domains, and updates to safe-mode option values and registry key values.
More Joker-infested apps found in Google Play.
The Hacker News reports that more Trojanized apps have been found in the Google Play Store, whence they’re seeking to spread to compromised Android devices. Joker has been used in apparently legitimate apps “for billing and SMS fraud, while also performing a number of actions of a malicious hacker’s choice, such as stealing text messages, contact lists, and device information.”
Kaspersky researcher Igor Golovin said in a report, “They’re usually spread on Google Play, where scammers download legitimate apps from the store, add malicious code to them and re-upload them to the store under a different name.”
The apps infected with Joker usually appear to be basic lifestyle applications that request permissions to text messages and notifications once downloaded, and abuse those outlets to request the victim to subscribe to premium services and content.
“Subscription trojans can bypass bot detection on websites for paid services, and sometimes they subscribe users to scammers’ own non-existent services. To avoid unwanted subscriptions, avoid installing apps from unofficial sources, which is the most frequent source of malware,” Golovin said.
The Nerbian RAT is out.
Proofpoint describes, in a report issued this morning, describes a new, OS-agnostic RAT written in the increasingly popular Go language. The researchers call it “Nerbian,” and say that it “leverages multiple anti-analysis components spread across several stages, including multiple open-source libraries.”
The campaign was found to be a low-volume email campaign disproportionately targeting entities in Italy, Spain, and the United Kingdom. The malicious actor presented itself as the World Health Organization (WHO) giving important information on COVID-19. When the user enables macros, a .bat file is dropped, giving the malware access to the system. The dropper performs environment checks before dropping the RAT, ensuring that the malware can be dropped effectively. It was found that keystrokes are logged and the screen is captured.
NPM dependency confusion attacks seem to have been pentesting after all.
Reversing Labs earlier this week blogged about an NPM dependency confusion that’s been exploited recently in attacks against large German firms. “New npm packages discovered last week by ReversingLabs appear to target a major German media conglomerate as well as a major rail and logistics operator. The packages are similar to those discovered by researchers at the firm Snyk and disclosed in late April.” It’s unclear who was behind the attacks, what their objectives were, or even how successful they were, but it seems clear that NPM attacks are more widespread than hitherto believed. jFrog, which has also been tracking the incidents, sees a similar ambiguity, and thinks the attacks could be the work of either a sophisticated threat actor or an unusually aggressive penetration tester.
JFrog, reporting on the NPM confusion attacks that they and others observed hitting German firms, speculated that the incident might have amounted to nothing more than an unusually aggressive penetration testing effort. That now seems increasingly likely: “Following the publication of this blog post, a penetration testing company called ‘Code White’ took responsibility for this dependency confusion attack.” Code White says an intern did it: “Tnx for your excellent analysis at [Snyk] and don’t worry, the ‘malicious actor’ is one of our interns who was tasked to research dependency confusion as part of our continuous attack simulations for clients.”
JFrog doesn’t give this particular pentest good reviews. Shachar Menashe, their Senior Director of Security Research wrote in an email, “I think this level of payload on a legitimate pentest is pretty irresponsible. First of all, since the code had absolutely no indications in it (in the source code) or in its metadata (ex. the npm package description) this could have put the company’s threat response team into high alert, wasting the client’s resources on nothing. Adding a simple string ‘for security pentest purposes’ on the npm package description or even in the source code could have prevented this while still proving the point, as was presented in previous very successful attacks.”
HP announced Thursday that the HP Wolf Security threat research team has released its annual global HP Wolf Security Threat Insights Report. The team has identified a 27-fold increase in Emotet malware campaigns in the first quarter of 2022, as compared to the last quarter of 2021, and is now the most common malware family at 9% of all malware identified. HP Wolf Security has identified techniques that cybercriminals are using, including an increase in non-Office based malicious file formats, an increase in HTML smuggling, and a “two-for-one” malware campaign that leads to RAT infections.
What to look for in defending your organization against ransomware.
In a rough-and-ready way, Intel471 suggests that defenders look for three classes of tools: Trojans, information stealers, and, unsurprisingly, in the wake of the NPM dependency confusion incident in German, penetration-testing tools. Those last of course have their legitimate uses, but they’re also readily susceptible to abuse. This isn’t, as Intel271 cautions, anything remotely resembling a panacea, but it can be a useful starting point.
Iranian cyberespionage (and a possible APT side-hustle).
Fortinet describes a spearphishing effort against Jordanian diplomatic targets that was evidently conducted by Iran. The lure is a familiar “please acknowledge receipt of this document” come-on, but the payload is more sophisticated than the usual run of criminal phishing. The Excel macro in the phish hook may have been accompanied by anti-analysis features. The malware itself would sleep for six-to-eight hours, and the attackers used DNS tunneling for command and control. Their three command-and-control servers were also used unusually intelligently: two of them were “tightly controlled” and were brought up only at specific times. The third server has apparently been used for misdirection, to make attribution more difficult. Fortinet thinks the campaign was run by APT34 (also known as Helix Kitten) an Iranian government-directed threat group.
Another Iranian threat group, APT35 (or Charming Kitten) has been, Hacker News reports, actively conducting ransomware attacks. The activity cluster is tracked, by Secureworks, as Cobalt Mirage. Two series of attacks are reported, One uses BitLocker and DiskCryptor “for financial gain;” the other, while it also deployed ransomware opportunistically, is directed principally toward gaining access to, and collecting intelligence from, espionage targets.
Roblox vulnerabilities undergoing active exploitation.
Avanan reports that a Trojan file “hidden within a legitimate scripting engine that’s used for cheat code” is affecting users of the popular gaming platform Roblox. “The tool,” Synapse X,” installs an executable file that installs library files into the Windows system folder, giving the program the potential to break applications, corrupt or remove data, or send information back to the hacker.” Synapse X has legitimate uses, but in this case it’s serving as a dropper, and one of the files it’s dropping is a backdoor. The evident goal is to use Roblox as a way into networks of interest; it’s not simply a hack designed to annoy gamers.
CIA gets a CISO.
Rick Baich, CISO at AIG, has agreed to return to Government service. He’ll be assuming duties as the Central Intelligence Agency’s Chief Information Security Officer and Director of the Office of Cyber Security.
The US Cybersecurity and Infrastructure Security Agency (CISA) released six industrial control system (ICS) security advisories. The advisories include Adminer in Industrial Products, Eaton Intelligent Power Protector, Eaton Intelligent Power Manager Infrastructure, Eaton Intelligent Power Manager, AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere, and Mitsubishi Electric MELSOFT GT OPC UA.
The US Cybersecurity and Infrastructure Security Agency (CISA) issued an unusually large number of industrial control system (ICS) advisories on Thursday:
CISA has also added two vulnerabilities to its Known Exploited Vulnerabilities Catalog: the Microsoft Windows LSA Spoofing Vulnerability (which “contains a spoofing vulnerability where an attacker can coerce the domain controller to authenticate to the attacker using NTLM”) and F5’s BIG-IP Missing Authentication Vulnerability (which “contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, or disabling services”). US Federal civilian agencies have until June 1st to address the former, until May 31st to address the latter. The SANS Institute has published a more detailed study of the BIG-IP issue, which F5 addressed in an update last week.
And, concerned about a growing threat to managed service providers (MSPs), the Five Eyes have issued a joint Alert with advice to MSPs and their customers on preventing and responding to cyberattacks staged against and through MSPs.