Naikon APT is still active in the APAC region.
Check Point uncovered an ongoing cyberespionage campaign run by the China-associated Naikon APT against at least seven national governments in the Asia Pacific. The operation has focused on “ministries of foreign affairs, science and technology ministries, as well as government-owned companies” located in Australia, Brunei, Indonesia, Myanmar, the Philippines, Thailand, and Vietnam. The group’s activities include “locating and collecting specific documents from infected computers and networks within government departments” and “extracting data from removable drives, taking screenshots and keylogging, and of course harvesting the stolen data for espionage.”
ThreatConnect and Defense Group released a report in 2015 linking Naikon to Unit 78020 of the PLA’s Chengdu Military Region Second Technical Reconnaissance Bureau, which is responsible for “regional computer network operations, signals intelligence, and political analysis of the Southeast Asian border nations, particularly those claiming disputed areas of the energy-rich South China Sea.” Following ThreatConnect’s publication, Naikon apparently retooled and turned to stealthier tactics, allowing it to stay off the radar for five years.
Check Point says Naikon is using a previously unobserved remote access Trojan dubbed “Aria-body,” which contains code overlap with a Naikon backdoor described by Kaspersky in 2015. The hackers use their access to compromised networks to launch spearphishing attacks against additional government entities, and they configure their victims’ servers to act as command-and-control servers.
Snake ransomware launches new campaign.
Germany-based Fresenius Group, Europe’s largest private hospital network, was hit by a ransomware attack, KrebsOnSecurity reports. The attack involved the relatively new Snake ransomware (also called “Ekans,” to distinguish it from the Turla-associated rootkit of the same name). Fresenius spokesperson Matt Kuhn told Krebs that, “while some functions within the company are currently limited, patient care continues. Our IT experts are continuing to work on solving the problem as quickly as possible and ensuring that operations run as smoothly as possible.”
BleepingComputer reported on Wednesday that the Fresenius incident seems to be part of a wider attack campaign that began on Monday, May 4th. The Snake ransomware had been largely dormant following a spate of attacks in January, but submissions of Snake samples on ID Ransomware suddenly spiked on Monday. In addition to Fresenius, BleepingComputer says other victims of the campaign include “an architectural firm in France and a prepaid debit card company.”
According to MalwareHunterTeam, the ransom notes in this new campaign indicate that Snake’s operators have followed in the footsteps of other ransomware families and are now exfiltrating victims’ data and threatening to release it if the ransom isn’t paid within forty-eight hours.
Ransomware hits Taiwanese energy companies.
Taiwan’s state-owned oil and gas company CPC Corporation suffered a ransomware attack on Monday, CyberScoop reports. The attack didn’t impact production, but it temporarily took down the company’s electronic payment system.
Trend Micro revealed on Wednesday that the attack involved a new ransomware strain that bears similarities to the Freezing and EDA2 ransomware families, along with tenuous ties to LockerGoga. The company calls the new malware “ColdLock,” and says it targets databases and email servers. The researchers state that ColdLock infected “several organizations in Taiwan,” adding that “[t]here have been no indications that this attack has hit any other organization outside of those targeted; we do not believe that this family is currently in widespread use.” Trend Micro didn’t name CPC as a victim, but CyberScoop says the ColdLock samples described in the report match those deployed against CPC.
Taiwan News notes that Formosa Petrochemical, a privately-owned Taiwanese refinery, also sustained a ransomware attack on Tuesday, but it’s not clear which malware was involved and authorities are still investigating to determine if the incidents are related. Formosa said the incident caused its gas stations to lose track of their income for Tuesday, but production and customer service were unaffected.
An anonymous official in Taiwan’s national security community told Taiwan Focus that the attacks may have been motivated by President Tsai Ing-wen’s upcoming inauguration on May 20th, although the official didn’t say whether there was evidence suggesting that this was the case. Another official at the country’s Ministry of National Defense said it’s a “reasonable conclusion” to expect more attacks before the inauguration. So far no one has ventured to attribute the attacks to any specific actor or nation-state.
Salt vulnerabilities lead to cryptomining attacks.
Researchers at F-Secure on April 30th disclosed two high-severity vulnerabilities in Salt, an open-source management framework used to oversee and administer servers. One of the flaws (CVE-2020-11651) is an authentication bypass vulnerability, while the other (CVE-2020-11652) is a directory traversal vulnerability. SaltStack, the company that maintains Salt, issued patches for the flaws the day before F-Secure published its advisory, but more than 6,000 Salt servers were still unpatched and exposed to the Internet at the time of F-Secure’s publication. F-Secure stressed that “any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours,” and urged users to patch their systems and put them behind a firewall.
ZDNet reported on May 3rd that an attacker had exploited the flaws to gain access to the infrastructure of LineageOS, although the attack was thwarted before any damage was done. Similar hacks hit the Ghost content management platform, the Xen Orchestra web interface for Xen Server, and website search service Algolia. In all three of these instances, the attacker installed cryptominers which were quickly detected when they overloaded server capacity.
An attacker also exploited the Salt vulnerabilities to compromise a server used by DigiCert and potentially gained access to a key used for signing Signed Certificate Timestamps (SCTs), but the Register says the attacker was focused on cryptomining and doesn’t seem to have realized (or cared) what they had stumbled upon. As a precautionary measure, however, DigiCert is replacing the SCTs that were issued after the server was compromised.
Akamai says these incidents are all part of the same cryptomining campaign, but warns that ransomware actors can be expected to begin making use of the Salt vulnerabilities soon.
See the CyberWire Pro Research Briefing for more.
WeChat monitors international users to build its censorship database.
The University of Toronto’s Citizen Lab says the Tencent-owned Chinese messaging app WeChat monitors and analyzes communications between users outside of China to train Tencent’s Chinese censorship system. The researchers explain that WeChat uses a database of file hashes to efficiently censor content for its domestic users, and it uses content surveillance to analyze files whose hashes aren’t in that database. If a file is deemed politically sensitive, WeChat will block the file and add its hash to the database. As a result, new files that are politically sensitive will be visible to Chinese users the first time they’re sent, since the file analysis takes time.
Citizen Lab sent a large number of unique, politically sensitive images between three accounts not registered in China, and then sent the same images to a China-registered account. The researchers found that the files would already be censored by the time they were sent to the China-registered account. Since these files had unique hashes, WeChat could have only come across them by monitoring the non-China-registered accounts.
The researchers note that WeChat doesn’t appear to censor accounts registered outside of China, but they conclude that the content sent by these accounts is analyzed and “used to invisibly train and build up WeChat’s Chinese political censorship system.”
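The hash-index mechanism and the Citizen Lab test described above, as an added simulation (not Citizen Lab's or Tencent's code): the region codes, the `SENSITIVE` marker standing in for whatever the content analysis flags, and the `analyze_foreign_traffic` switch that contrasts the two hypotheses are all constructed assumptions.

```python
import hashlib

SENSITIVE_MARKER = b"SENSITIVE"   # constructed stand-in for content the classifier flags

class CensorModel:
    """Hash index plus deferred content analysis, as Citizen Lab describes."""

    def __init__(self, analyze_foreign_traffic):
        self.blocked_hashes = set()   # hash index of known-sensitive files
        self.pending = []             # files queued for slow content analysis
        self.analyze_foreign_traffic = analyze_foreign_traffic

    def send(self, sender, recipient, content):
        """Return the verdict for one file transfer; regions are 'CN' or other."""
        digest = hashlib.sha256(content).hexdigest()
        if recipient == "CN" and digest in self.blocked_hashes:
            return "blocked"          # fast path: hash already in the index
        if "CN" in (sender, recipient) or self.analyze_foreign_traffic:
            self.pending.append(content)   # analysed later, so delivered now
        return "delivered"

    def run_analysis(self):
        """Drain the queue; index the hash of every file judged sensitive."""
        for content in self.pending:
            if SENSITIVE_MARKER in content:
                self.blocked_hashes.add(hashlib.sha256(content).hexdigest())
        self.pending = []

def unique_variants(base, n):
    """Distinct suffixes give each copy a hash the index has never seen."""
    return [base + b"#%d" % i for i in range(n)]

def first_send_window():
    """A sensitive file is visible on its first send; blocked once analysed."""
    model = CensorModel(True)
    f = b"new-image " + SENSITIVE_MARKER
    first = model.send("CN", "CN", f)
    model.run_analysis()
    return first, model.send("CN", "CN", f)

def citizen_lab_experiment(analyze_foreign_traffic):
    """Unique files exchanged among non-China accounts, then sent to a China account."""
    model = CensorModel(analyze_foreign_traffic)
    files = unique_variants(b"image-bytes " + SENSITIVE_MARKER, 3)
    for f in files:                   # step 1: foreign-to-foreign, never blocked
        assert model.send("CA", "US", f) == "delivered"
    model.run_analysis()              # time passes; analysis completes
    return [model.send("CA", "CN", f) for f in files]   # step 2: first send to China
```

Only the model in which foreign-to-foreign traffic feeds the analysis queue reproduces the observed result: files with hashes never seen in Chinese traffic are already blocked on their first send to the China-registered account.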
Facebook shuts down coordinated inauthenticity.
Facebook announced that it shut down “eight networks of accounts, Pages and Groups” in April 2020 for engaging in coordinated inauthenticity. Two of the networks—one based out of Russia and the other in Iran—were directed at international audiences. The other six campaigns, based in the US, Georgia, Myanmar, and Mauritania, focused their efforts on domestic users. In total, the social network removed 732 Facebook accounts, 793 Pages, 200 Groups, and 162 Instagram accounts. Facebook notes that “[t]he majority of the networks we took down this month were still trying to grow their audience or had a large portion of engagement on their Pages generated by their own accounts.”
Read more in our CyberWire Pro Disinformation Briefing.
MacOS version of Dacls Trojan spotted.
Malwarebytes found a new version of Dacls, a remote access Trojan tied to North Korea’s Lazarus Group. This variant is tailored to macOS. When Dacls samples were first spotted in December 2019 by Qihoo 360 Netlab, they were designed to run on Windows and Linux. The macOS version appears to be adapted from the Linux variant and contains many of the same features. It’s delivered via a Trojanized multifactor authentication app primarily used by Chinese speakers.
Love Bug author identified.
The BBC tracked down the author of the Love Bug worm that infected approximately 45 million computers around the world in 2000. Onel de Guzman, a 44-year-old man who now works in a phone repair booth in the Philippines, admitted to creating the malware to steal passwords so he could access the Internet for free. He says he didn’t intend for it to spread beyond the Philippines and regrets the damage it caused.
Samsung rolled out patches for a zero-click vulnerability (CVE-2020-8899) affecting all of its smartphones produced since 2014, ZDNet reports. Google’s Project Zero found that an attacker could achieve remote code execution after sending between 50 and 300 MMS (Multimedia Messaging Service) messages to the phone. The victim would obviously notice their phone being blown up with texts, but Project Zero says the exploit could be adjusted to execute without triggering notifications.
Firefox 76.0 contains eleven security fixes, three of which are rated critical, Naked Security reports.
Instacart patched a flaw reported by Tenable that could have allowed an attacker to insert malicious links into SMS messages sent from Instacart.
Crime and punishment.
Europol announced that Polish and Swiss police have arrested five members of the InfinityBlack hacking crew and seized hardware (including cryptocurrency wallets) worth around €100,000. Europol says the group’s “main source of revenue came from stealing loyalty scheme login credentials and selling them on to other, less technical criminal gangs. These gangs would then exchange the loyalty points for expensive electronic devices.” ZDNet explains that InfinityBlack is best known for operating a website that compiled and sold credentials leaked in data breaches.
Courts and torts.
Cybereason is suing its former Director of Product Management Jonathan Joseph Shelmerdine for allegedly taking corporate documents off his company laptop before he left Cybereason for a new “senior product management job” at SentinelOne, CRN reports. Cybereason also sued Shelmerdine last month in an attempt to block him from taking a job at SentinelOne, which the company names as one of its primary industry competitors.
Policies, procurements, and agency equities.
The Guardian obtained a draft document from the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) laying out the risks associated with the three stages of electronic absentee voting—specifically, the delivery of a ballot to the voter, the marking of the ballot by the voter, and the return of the marked ballot to the election administrators. The agency assesses that the last stage faces the highest level of risk, stating, “Electronic ballot return…creates significant security risks to voted ballot integrity, voter privacy, ballot secrecy, and system availability. Securing the return of voted ballots via the internet while ensuring ballot integrity and maintaining voter privacy is difficult, if not impossible, at this time.” The agency discourages the use of electronic ballot return, but adds that “[i]f election officials choose or are mandated by state law to employ this high risk process, its use should be limited to voters who have no other means to return their ballot and have it counted.”
The Czech Republic and the US have signed a joint decision on 5G security, ABC News reports. The document states that “protecting communications networks from disruption or manipulation, and ensuring the privacy and individual liberties of the citizens of the United States and the Czech Republic, are vital to ensuring that our people are able to take advantage of the tremendous economic opportunities 5G will enable.”
See the CyberWire Pro Policy Briefing for more.
Fortunes of commerce.
Facial recognition startup Clearview AI has said it “is cancelling the accounts of every customer who was not either associated with law enforcement or some other federal, state, or local government department, office, or agency,” BuzzFeed News reports. Clearview previously maintained that its facial recognition software was designed for law enforcement, but BuzzFeed revealed earlier this year that the company had provided its tool to a number of private companies, including Macy’s, Kohl’s, and Walmart. Clearview’s decision to cancel its private-sector deals comes as it faces multiple lawsuits, including one that alleges the company violated Illinois’s strict biometric privacy law.
Mergers and acquisitions.
San Jose, California-based video communications provider Zoom has purchased New York-headquartered encryption service company Keybase for an undisclosed sum. Keybase will help Zoom implement end-to-end encryption for its paid accounts. CNBC notes that this is Zoom’s first acquisition since the company’s launch nine years ago. The Verge says Keybase’s co-founder Max Krohn will head Zoom’s security engineering team.
Virginia-based US government IT contractor Perspecta has acquired New Jersey-based electronic warfare (EW) prototyping firm DHPC Technologies for an undisclosed amount.
Virginia-based C4ISR contractor Xator Corporation has acquired intelligence and engineering contractor InCadence Strategic Solutions, also based in Virginia. The terms of the deal weren’t disclosed.
Tel Aviv-based cybersecurity synchronization company Orchestra Group has acquired Haifa-based automated penetration testing startup Cronus for an undisclosed amount, according to Globes.
Microsoft is in discussions to acquire Israeli ICS and IoT security company CyberX. Haaretz and Globes say Microsoft is expected to pay $165 million, while Calcalist reports the purchase is estimated at $170 million. It’s not clear when the acquisition will take place; Haaretz reports that Microsoft will announce in the coming days that it’s already signed the deal, but Calcalist says the deal will be signed in June. Globes states that “[t]he deal is in the latter stages of being finalized.”
Accenture has completed its purchase of Symantec’s Cyber Security Services business from Broadcom.
Investments and exits.
Israeli cloud security company Orca Security has raised $20.5 million in a Series A round led by GGV Capital, with participation from YL Ventures and Silicon Valley CISO Investments (SVCI).
San Jose, California-based enterprise user monitoring company Dtex Systems has raised $17.5 million in a Series D round led by Northgate Capital, with participation from existing investors Norwest Venture Partners and Four Rivers Group.
Tel Aviv-based cryptography company Hub Security has raised $5 million in a Series A round led by AXA Ventures, with participation from OurCrowd.
San Francisco-based identity and access governance company Clear Skye has raised $4.95 million in a Series A round led by Toba Capital, with participation from Inner Loop Capital and ServiceNow Ventures.
Florida-headquartered BlackCloak, a company that provides cybersecurity for high-profile individuals and executives, has raised $1.9 million from Maryland-based DataTribe.
More business news can be found in the CyberWire Pro Business Briefing.