Russia's SVR Switch Tactics to Target Victims' Cloud Services

Russia's SVR Switch Tactics to Target Victims' Cloud Services

ALPHV responsible for attack on UnitedHealth, White House wants greater use of memory-safe programming languages, Commerce adds Sandvine to entity list, One Myanmar company has swindled $100 million in pig butchering scams, SubdoMailing ad fraud campaign sends five million emails daily, 17m LoanDepot customers' data stolen in attack, much more


Check out my latest CSO column, which delves into NIST’s just-released Cybersecurity Framework 2.0. (also cited below)

Image by Colossus Cloud from Pixabay
Image by Colossus Cloud from Pixabay

Members of the Five Eyes (FVEY) intelligence alliance warned that APT29 (also tracked as Cozy Bear, Midnight Blizzard, The Dukes) Russian Foreign Intelligence Service (SVR) hackers are now switching to attacks targeting their victims' cloud services.

In a joint advisory issued by the U.K.'s National Cyber Security Centre (NCSC), the NSA, CISA, the FBI, and cybersecurity agencies from Australia, Canada, and New Zealand, the alliance said APT29 hackers are now gaining access to their targets' cloud environments using access service account credentials compromised in brute forcing or password spraying attacks.

They're also using dormant accounts that have never been removed after users left the targeted organizations, enabling them to regain access after systemwide password resets.

APT29's initial cloud breach vectors also include the use of stolen access tokens that enable them to hijack accounts without using credentials, compromised residential routers to proxy their malicious activity, MFA fatigue to bypass multi-factor authentication (MFA), and registering their own devices as new devices on the victims' cloud tenants.

After gaining initial access, SVR hackers use sophisticated tools like the MagicWeb malware (which allows them to authenticate as any user within a compromised network) to evade detection in the victims's networks, mainly government and critical organizations spanning Europe, the United States, and Asia.

Mitigating APT29's initial access vectors should be at the top of the list for network defenders when working towards blocking their attacks.

Network defenders are also advised to enable MFA wherever and whenever possible, coupled with strong passwords, to use the principle of least privilege for all system and service accounts, to create canary service accounts to detect compromise quicker, and to reduce session lifetimes to block the use of stolen session tokens.

They should also only allow device enrollment for authorized devices and monitor for indicators of compromise that would yield the least false positives when monitoring security breaches. (Sergiu Gatlan / Bleeping Computer)

Related: CISA, NCSC, Meritalk, TechTarget, Decipher, PaymentSecurity.io, Infosecurity Magazine, Cyberscoop, Security Week

Source: NCSC.
Source: NCSC.

Two sources familiar with the matter say that an outage at a unit of the UnitedHealth Group that has led to nationwide disruptions in the filling of prescriptions for days was triggered by the BlackCat or ALPHV ransomware group.

The group, which is also known as Noberus, has previously terrorized major businesses, including MGM Resorts International and Caesars Entertainment,

One source suggested that one of the indicators of compromise is a critical ScreenConnect auth bypass flaw (CVE-2024-1709) actively exploited in attacks to deploy ransomware on unpatched servers.

UnitedHealth Group VP Tyler Mason did not confirm whether BlackCat was responsible for the attack but said that 90% of affected pharmacies had implemented new electronic claim processes to address Change Healthcare issues.

The gang's operations were disrupted in December, with the FBI temporarily taking down its Tor negotiation and leak sites after hacking its servers and creating a decryption tool using keys collected during the months-long intrusion.

BlackCat has since "unseized" their leak site using private keys they still owned and is now operating a new Tor leak site that the FBI has yet to take down. (Chris Bing and Raphael Satter / Reuters and Sergiu Gatlan / Bleeping Computer)

Related: Security Week, Security Magazine, The Register - Security, Fast Company, Decipher, DataBreachToday.com, TechCrunch, CRN, Medriva, New York Times, Fast Company, iTnews

The White House Office of the National Cyber Director (ONCD) called for greater use of memory-safe programming languages to cut down on bugs that have caused problems since the 1980s: coding errors that allow attackers to abuse how software manages computer memory.

“To reduce the attack surface in cyberspace, we must eliminate entire classes of vulnerabilities at-scale, by securing the building blocks of cyberspace,” National Cyber Director Harry Coker said, outlining a new technical report that the White House produced for the industry.

The report has buy-in from leaders in the tech sector and academia, ONCD noted, touting statements of support from officials at companies such as SAP, Hewlett Packard Enterprise, and Honeywell.

The report mentions C and C++ as programming languages lacking “traits associated with memory safety and high proliferation across critical systems.” Languages such as Rust, Python, and Java are among the recommended replacements.

The White House wants executives and not just engineers to pay attention, a senior Biden administration official said in a call with reporters.

“We’re hoping that memory safety becomes an agenda item on the next board meeting for many of these companies,” the official said. (Joe Warminsky / The Record)

Related: The White House, The White House, Bleeping Computer, Cyberscoop, Infosecurity Magazine

The US Commerce Department is adding computer networking company Sandvine to its entity list, effectively banning it from obtaining US technology after determining that its supply of equipment to Egypt enabled “mass web-monitoring and censorship to block news as well as target political actors and human rights activists.”

Sandvine sells what’s known as deep-packet inspection technology, which can be used to monitor massive flows of internet traffic passing between networks. The technology can be customized to block out spam and viruses. But it can also block millions of websites and messaging apps and carry out covert surveillance of internet activity.

Two former Sandvine employees said the Commerce Department decision would likely be a major blow for the company, which they said utilizes components in its technology from US companies such as Dell.

Egypt was one of at least a dozen countries where governments had used Sandvine’s equipment to censor content on the internet. The company’s systems also appeared to have been utilized to enable attempts to hack the iPhone of a presidential candidate, according to security researchers. (Ryan Gallagher / Bloomberg)

Related: Department of Commerce, Federal Register, Reuters, BNN

Blockchain analytics firm Chainalysis and US anti-slavery group International Justice Mission (IJM) report that a single company operating from a compound in Myanmar has swindled over $100 million from victims in less than two years.

Chainalysis said it had tracked digital coins issued by Tether, one of the world’s largest cryptocurrency platforms, used in so-called pig butchering scams in which false romantic relationships are engineered to gain a victim’s trust.

It said Tether tokens had also been used to make payments to a company based in a compound known as KK Park in eastern Myanmar from the families of trafficked workers that it said had been forced to pay ransoms for their release.

The analysis found that the single Chinese company was able to pull over $100mn in cryptocurrency into just two digital wallets, a scale that Jackie Koven, head of cyber threat intelligence at Chainalysis, said showed the extent to which bad actors were using digital assets to fuel a burgeoning black market.

Chainalysis and IJM declined to identify the Chinese company to protect workers there who were victims of human trafficking. Heintz said former workers involved in pig-butchering scams had provided IJM with information regarding the two crypto wallets used by the company to receive illicit funds.

IJM said KK Park, which is located near Myanmar’s border with Thailand, was likely to be home to thousands of trafficked workers, many forced to operate online scams. “It’s a self-contained city,” Heintz said.

Tether has emerged as one of Southeast Asia's leading payment methods for money launderers and fraudsters. The company’s token offers high-speed, irreversible transactions that are attractive to those seeking to scam victims.

Tether said it was working with authorities worldwide to prevent the illicit use of its token and had frozen $276mn used in pig butchering-related scams. The platform added that it was “proud of its ongoing coordination with law enforcement.” (Scott Chipolina / Financial Times)

Related: Chainalysis, The Record, Protos, crypto.news, BeInCrypto, Web3IsGoingJustGreat

Source: Chainalysis.
Source: Chainalysis.

Researchers at Guardio Labs report that a massive ad fraud campaign named SubdoMailing uses over 8,000 legitimate internet domains and 13,000 subdomains to send up to five million emails daily to generate revenue through scams and malvertising.

The threat actors hijack abandoned subdomains and domains belonging to well-known companies to send their malicious emails, gaining the benefit of being able to bypass spam filters and, in some cases, taking advantage of configured SPF and DKIM email policies that tell secure email gateways that the emails are legitimate and not spam.

Some notable brands that fell victim to this domain hijacking campaign include MSN, VMware, McAfee, The Economist, Cornell University, CBS, NYC.gov, PWC, Pearson, Better Business Bureau, Unicef, ACLU, Symantec, Java.net, Marvel, and eBay.

Clicking on the embedded buttons in the emails takes users through a series of redirections, generating revenue for the threat actors via fraudulent ad views. Ultimately, the user arrives at fake giveaways, security scans, surveys, or affiliate scams.

In CNAME attacks, the threat actors scan for subdomains of reputable brands with CNAME records pointing to external domains that are no longer registered. They then register these domains themselves through the NameCheap service.

A second method involves looking at SPF records of target domains that use the "include:" configuration option pointing to external domains no longer registered.

A case study of an email falsely authorized by MSN showcases the variety of tactics used by the attackers to make their emails appear legitimate and evade blocks, including abusing SPF (Sender Policy Framework) checks, DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) protocols.

Guardio Labs attributes the campaign to a threat actor they call “ResurrecAds, “who systematically scans the web for domains that can be hijacked, secures new hosts and IP addresses, and makes targeted domain purchases. (Bill Toulas / Bleeping Computer)

Related: Guardio Labs, SC Media, ReadWrite, BNN

Source: Guardio Labs.
Source: Guardio Labs.

Loan and mortgage giant LoanDepot confirmed that almost 17 million customers had sensitive personal information, including Social Security numbers, stolen in a January ransomware attack.

In a data breach filing with the Maine Attorney General, the company said that the stolen LoanDepot customer data includes names, dates of birth, email and postal addresses, financial account numbers, and phone numbers. The stolen data also includes Social Security numbers, which LoanDepot collected from customers.

The number of affected LoanDepot customers rose from 16.6 million as initially disclosed to federal regulators last month. (Zack Whittaker / TechCrunch)

Related: Maine Attorney General, SC Media, PYMNTS, HackRead, Finextra, Cybernews, Databreaches.net

Steel giant ThyssenKrupp confirmed that hackers breached systems in its Automotive division last week, forcing them to shut down IT systems as part of its response and containment effort.

"Our ThyssenKrupp Automotive Body Solutions business unit recorded unauthorized access to its IT infrastructure last week," stated a ThyssenKrupp spokesperson.

"The IT security team at Automotive Body Solutions recognized the incident at an early stage and has since worked with the ThyssenKrupp Group's IT security team to contain the threat."

"To this end, various security measures were taken, and certain applications and systems were temporarily taken offline."

ThyssenKrupp has clarified that no other business units or segments have been impacted by the cyberattack, which was contained in the automotive division. (Bill Toulas / Bleeping Computer)

Related: Security Affairs, Cyber Daily, BitDefender

Researchers at Morphisec have observed a hacking group tracked as UAC-0184 using steganographic image files to deliver the Remcos remote access trojan (RAT) onto the systems of a Ukrainian entity operating in Finland.

Steganography is a well-documented but rarely-seen tactic that involves encoding malicious code into the pixel data of images to evade detection by solutions using signature-based rules.

Typically, the small payload chunks in the image pixels do not result in an altered image appearance, but in the case seen by Morphisec, the image looks visibly distorted. This distortion, however, would only be damaging for the attackers in the case of manual inspection, and assuming there's none, it still works in evading detection from automated security products.

The attack chain observed by Morphisec starts with a carefully crafted phishing email supposedly from Ukraine's 3rd Separate Assault Brigade or the Israel Defense Forces.

Tricked recipients opening the shortcut file attachment trigger an infection chain that launches an executable (DockerSystem_Gzv3.exe), activating a modular malware loader named IDAT.

IDAT extracts the encoded payload that is embedded in the malicious PNG image file and then decrypts and executes it in memory, a process that involves multiple stages and additional modules that are injected into legitimate processes (Explorer.exe) and DLL files (PLA.dll).

The final stage involves the decryption and execution of the Remcos RAT, a commodity malware that hackers employ as a backdoor on compromised systems, allowing stealthy data theft and victim activity monitoring.

Morphisec says IDAT also delivers malware like Danabot, SystemBC, and RedLine Stealer, but it is unclear if these families were seen in the Finland-based computers or different attacks.

Morphisec opted not to provide technical information or specific details about the victim due to confidentiality but still shared some data on the employed attack methods.

Trend Micro saw the same group carrying out attacks in late 2023 against the Armed Forces of Ukraine, also using the same malware. (Bill Toulas / Bleeping Computer)

Related: Morphisec, CSO Online, Dark Reading

Remcos delivery attack stages. Source: Morphisec.
Remcos delivery attack stages. Source: Morphisec.

Vietnamese hackers are seemingly causing havoc in Meta’s social media platforms by exploiting vulnerabilities in the Oculus system, with thousands of Facebook accounts being falsely suspended.

According to members of the large Reddit community r/facebook, Facebook and Instagram users have been facing a “dire” security threat for quite some time because hackers are exploiting vulnerabilities in the Oculus Meta system.

The hackers are creating Oculus Meta accounts and clandestinely linking them to unsuspecting victims’ social media accounts. This kind of activity is then registered as unauthorized access and leads to the suspension of thousands of accounts.

According to Dan Astin-Gregory, a content creator whose Facebook account was also suspended, IP records show that the hackers operate from Vietnam.

Even two-factor authentication allegedly fails to safeguard users from unauthorized Meta account linking, leaving accounts vulnerable to exploitation. Facebook and Meta’s help centers are not responding to calls for assistance. (Gintaras Radauskas / Cybernews)

Related: Tom’s Guide, BNN, HackRead, Meta Community Forums, Reddit

Emir Soytürk, a developer involved with the Ethereum Foundation’s Devconnect workshops in Istanbul, claimed through a private post on X that blockchain platform Aleo, which promotes itself as more private and secure, mistakenly sent Know Your Customer (KYC) documents to his email.

These documents included selfies and ID card photos of another user, making him concerned about the security of his information.

Selim C, an analyst from crypto dashboard Alphaday, confirmed that the issue was not isolated, saying it also happens to them. On-chain sleuth ZachXBT noticed the thread and reached out to the crypto community on X by amplifying the discussion.

In response to these reports, Aleo said it has begun implementing a new set of long-term technical controls for their KYC confirmation practices. (Vince Dioquino / CryptoBriefing)

Related: Web3IsGoingJustGreat, crypto.news, Cointelegraph

Facebook owner Meta will set up a team to tackle disinformation and the abuse of generative artificial intelligence in the run-up to the European Parliament elections in June amid concerns about election interference and misleading AI-generated content.

European Parliament elections will take place June 6-9. Its 720 lawmakers and EU governments pass new EU policies and laws.

"As the election approaches, we'll activate an Elections Operations Center to identify potential threats and put mitigations in place in real time," said Marco Pancini, Meta's head of EU affairs.

He said experts from the company's intelligence, data science, engineering, research, operations, content policy, and legal teams will focus on combating misinformation, tackling influence operations, and countering the risks related to the abuse of generative AI.

Meta, which currently works with 26 independent fact-checking organisations across the European Union covering 22 languages, will add three new partners in Bulgaria, France, and Slovakia, Pancini said. (Foo Yun Chee / Reuters)

Related: Meta, The Record, Al Jazeera, Business Insider, Cointelegraph, Euractiv, UPI

The National Institute of Standards and Technology released its Cybersecurity Framework 2.0, which expands upon earlier versions with a greater focus on governance and supply chain security.

Other enhancements include updated informative references, quick-start guides to adopting the framework, and improved integration with other NIST resources. (Cynthia Brumfield / CSO Online)

Related: NIST, NIST, Meritalk, Dark Reading, GovTech, HelpNetSecurity, Cybernews, NextGov Federal News Network, InsideCyberSecurity.com, Security Week, The Stack

IntelBroker allegedly breached the databases of Los Angeles International Airport, making off with a trove of 2.6 million records containing confidential user data belonging to private plane owners.

The breach was publicly disclosed by IntelBroker on the notorious hacker and cybercrime platform Breach Forums, adding another high-profile hack to their already extensive. Notable targets of IntelBroker’s previous hacks include the Weee! Grocery platform, General Electric, Staffing Giant Robert Half, and a recent data leak involving a partial Facebook Marketplace database.

According to IntelBroker, they exploited a vulnerability in the airport’s Customer Relationship Management (CRM) system (CRM system) to gain unauthorized access to the database. (Waqas / HackRead)

Related: SC Media, Security Affairs

Source: HackRead.
Source: HackRead.

The City of Hamilton in Canada says it is responding to an “ongoing” cybersecurity incident, the scope of which is unclear at this time.

The city said Hamilton Street Railway (HRS) is affected, but buses are running on schedule. However, operators are currently driving without their computerized schedules, and on-board bus stop announcements are not working. The transit system’s app, email, and phone lines are also down.

The city said it is working with cybersecurity experts to address the incident, though no timeline for its resolution was provided. (Phil Tsekouras / CTV News)

Related: IT World Canada, The Hamilton Spectator, Cekan, Hamilton.ca

The San Francisco Bay Area city of Oakley was hit last week with a ransomware attack, prompting the city manager to declare a state of emergency “out of an abundance of caution” while the city’s technology division worked with law enforcement to investigate the extent of the attack.

The city said that emergency services, including 911, police, fire, and ambulances, were not affected. “The city’s Emergency Operations Center has been partially activated, and IT has taken affected systems offline while we work to safely secure and restore services,” the city said. “While this work is being done, the public should expect delays in non-emergency services from the City.”

Meanwhile, 24 miles away in Pleasant Hill, that city’s police department is investigating a “cyber incident” that impacted the city’s computer infrastructure, which also occurred on Feb. 22. Officials said in a statement that city services remain operational and that “public safety was never compromised.” (Sophia Fox-Sowell / Statescoop)

Related: City of Oakley, KRON4, ABC7, KTVU

Following an evaluation, the Department of Interior’s Office of Inspector General (OIG) cited cybersecurity shortcomings at the Interior Department that put employees’ sensitive personal information at risk of unauthorized access.

The OIG disclosed that its white-hat hackers were able to exfiltrate more than a gigabyte’s worth of data from the department’s cloud storage over the course of a week.

“Our tests succeeded because the department failed to implement security measures capable of either preventing or detecting well-known and widely used techniques employed by malicious actors to steal sensitive data,” the OIG reported.

The evaluators further noted that the department has “never conducted regular required tests of the system’s controls for protecting sensitive data from unauthorized access” during the time cloud storage has been utilized. The potential consequences of data theft or leakage could be dramatic. (Michael Doyle / E&E News)

Related: DOI OIG

The Department of Energy (DOE) announced a $45 million investment into cybersecurity research for the energy sector, including projects on artificial intelligence detection and response and quantum communication for the grid.

DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) will fund 16 projects with organizations headquartered in six states, covering six topics that are largely aimed at reducing cyber risks and improving the resilience of the electricity, oil, and natural gas sectors.

One of the funding projects is an “artificial intelligence and data processing capability” that can detect and respond to hacks for grid edge-devices, an umbrella term for customer-owned controls like smart thermostats and electric vehicle charging stations. Another AI-focused project is a framework for automating vulnerability assessments, discoveries, and mitigations in distributed energy resources.

DOE is also hoping to get ahead of the looming post-quantum cryptography issue by developing zero-trust authentication that is quantum-resistant. Another project seeks to develop an ability to use quantum communication to securely talk to time-sensitive applications, for example, in automation and remote management, as well as processing grid data. (Christian Vasquez / Cyberscoop)

Related: Energy.gov

Hackers reportedly hit the X account of Friends star Matthew Perry with a foundation set up in his honor targeted by a link in a pinned post at the top of his profile urging people to donate.

An Instagram post from the Matthew Perry Foundation said: "We have received reports that Matthew's official X page has been hacked and is directing users to a fraudulent site soliciting donations via cryptocurrency. Please do not donate to this site or share the fraudulent posts on social media.”

The post was also flagged by X's community notes feature, saying that the account had been hacked and the link was fake. (SkyNews)

Related: The Independent, Evening Standard, BNN, The West Australian

Best Thing of the Day: Just Don’t Run Over the Family Cat

This spring, a new software update coming to Husqvarna's robotic line of lawnmowers will allow riders to play the legendary 1993 video game DOOM® while mowing the lawn.

Worst Thing of the Day: Here’s Five Bucks for Seven Hours of Lost Connectivity

AT&T will offer a $5 credit to customers affected by a seven-hour widespread outage last week caused by technical issues the company encountered while trying to expand its network, and it might take two months for them to receive it.

Closing Thought

Read more