Welcome to Safety Sunday – 7. Week. our weekly round-up of events in the world of cyber security (12 – 18 February 2024).
We’re collecting notable incidents and vulnerability reports from the past week.
CZECH MILITARY INTELLIGENCE CONDUCTED AN ACTIVE INTERVENTION IN CYBERSPACE
The Military Intelligence contributes to the defence of the Czech Republic in cyberspace as part of its tasks. In order to fulfil this mission, we carry out a number of measures that are fully in line with the legislation in force. One of the options is active intervention in cyberspace.
During January, VZ joined the international operation DYING EMBER led by the USA. The operation consisted of taking action against the global infrastructure of compromised routers exploited by the APT28 actor, associated with the Russian military intelligence service GRU. The VZ carried out an active intervention consisting in modifying the configuration of part of the infrastructure of the compromised devices.
The compromised routers were exploited by APT28 against important targets in the Czech Republic and abroad, including our NATO allies and Ukraine.
Akira Ransomware Gang Exploiting Cisco ASA/FTD Bug CVE-2020-3259: CISA Alert
In a recent advisory, CISA (Cybersecurity and Infrastructure Security Agency) cautioned about the active exploitation of Cisco ASA/FTD vulnerability CVE-2020-3259 by the notorious Akira Ransomware gang. This critical security flaw, with a CVSS score of 7.5, poses significant risks to organizations’ cybersecurity. CISA’s inclusion of CVE-2020-3259 in its Known Exploited Vulnerabilities catalog underscores the urgency for organizations to address this issue promptly. The vulnerability, an information disclosure flaw in the web services interface of ASA and FTD, was patched by Cisco in May 2020. Despite the patch release, malicious actors continue to target unpatched systems.
Akira Ransomware group, as reported by Truesec cybersecurity researchers, has been actively exploiting CVE-2020-3259 in attacks against Cisco ASA and FTD appliances. Through this vulnerability, attackers can access sensitive data stored in the affected devices’ memory, including login credentials. Truesec’s findings highlight the severity of the situation, with the Akira Ransomware group leveraging the vulnerability as an entry point in several attacks. The group’s activities, spanning various sectors such as education, finance, and real estate, underscore the widespread threat posed by ransomware attacks. To mitigate the risk posed by CVE-2020-3259, CISA has mandated federal agencies to address the vulnerability by March 7, 2024, in accordance with Binding Operational Directive (BOD) 22-01. However, the directive’s scope extends beyond federal agencies, urging private organizations to assess their infrastructure for vulnerabilities listed in the catalog. In light of these developments, cybersecurity experts emphasize the importance of proactive measures. Organizations are urged to review the Known Exploited Vulnerabilities catalog regularly and prioritize patching vulnerable systems to safeguard against potential exploitation.
By staying vigilant and taking proactive steps to address known vulnerabilities like CVE-2020-3259, organizations can enhance their cybersecurity posture and mitigate the risk of falling victim to ransomware attacks and other cyber threats.
FBI Disrupts Russian Moobot Botnet Infecting Ubiquiti Routers
In a significant cyber operation dubbed “Operation Dying Ember,” the FBI successfully dismantled a botnet comprising Ubiquiti Edge OS routers infected with the Moobot malware. This network, orchestrated by Russia’s Main Intelligence Directorate of the General Staff (GRU), posed a substantial threat to the United States and its allies. GRU Military Unit 26165, also known as APT28, Fancy Bear, and Sednit, utilized this botnet to proxy malicious traffic and execute spearphishing and credential theft attacks against a myriad of targets, including U.S. and foreign governments, military entities, and corporate organizations.
What sets this botnet apart is its origin. Unlike previous GRU or Russian Federal Security Service (FSB) initiatives, the Moobot botnet was not developed from scratch by the GRU. Instead, cybercriminals unaffiliated with the GRU initially compromised the routers and installed the Moobot malware, exploiting widely known default administrator passwords. Subsequently, the GRU repurposed the botnet, deploying their custom malicious tools through Moobot. This tactic transformed the botnet into a powerful cyber espionage instrument with global reach. Upon investigation, the FBI unearthed a plethora of APT28 tools and artifacts embedded within compromised routers. These included Python scripts for harvesting webmail credentials, programs for stealing NTLMv2 digests, and custom routing rules designed to redirect phishing traffic to dedicated attack infrastructure.
Under “Operation Dying Ember,” FBI agents executed court-authorized actions to neutralize the threat posed by the GRU. They remotely accessed compromised routers, leveraging the Moobot malware to eradicate stolen and malicious data and files. Furthermore, they eradicated the Moobot malware itself and blocked remote access, preventing further infiltration by Russian cyberspies. To temporarily thwart GRU’s access to the routers, the FBI modified firewall rules, restricting remote management access without disrupting standard functionality or compromising user data. These measures, while temporary, effectively severed the routers’ ties to the Moobot botnet. It’s noteworthy that Moobot marks the second botnet disrupted by the FBI in 2024, following the takedown of the KV-botnet utilized by Chinese Volt Typhoon state hackers in January.
In response to escalating cyber threats, CISA and the FBI have issued guidance for SOHO router manufacturers, urging them to bolster device security through secure configuration defaults and the elimination of web management interface flaws during development. The APT28 cyber-espionage group’s nefarious activities have been well-documented, including the 2015 hack of the German Federal Parliament and attacks against the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) in 2016. Consequently, several APT28 members faced sanctions by the Council of the European Union in October 2020 for their role in the 2015 German Federal Parliament hack.
US DOD Notifies Over 26,000 Individuals of Potential Data Breach Dating Back a Year
The Department of Defense (DOD) is actively notifying more than 26,000 current and former employees, job applicants, and partners regarding a potential data breach incident dating back to early 2023. This breach, first identified in February 2023, exposed sensitive personal information online and prompted the DOD to take immediate action. A notice dated February 1, 2024, issued by the Defense Intelligence Agency (DIA), urges affected individuals to enroll in government-provided identity theft protection services as a precautionary measure.
According to the document, the breach occurred between February 3, 2023, and February 20, 2023, when numerous email messages were inadvertently exposed to the internet by a DOD service provider. While there is no evidence of misuse, the exposed emails contained personally identifiable information (PII) associated with individuals connected to the DOD, including employees, support staff, and job seekers. PII encompasses various data elements such as addresses, Social Security numbers, credit card details, and biometric records, which could potentially be used to identify individuals. When approached for comment, the DIA referred inquiries to a Pentagon spokesperson, who declined to disclose the identity of the service provider involved. However, the spokesperson confirmed that over 20,600 individuals were affected by the breach.
Regarding network security measures, the Pentagon spokesperson stated that the affected server was promptly identified and removed from public access on February 20, 2023. The vendor responsible for the exposure has since resolved the underlying issues. The DOD, in collaboration with the service provider, has taken steps to understand the incident and mitigate future risks. This includes implementing procedural modifications and enhancing anomaly detection and alert capabilities to bolster cyber event prevention and detection. The department continues to engage with the service provider to enhance cybersecurity measures. Notification efforts to inform affected individuals are ongoing, emphasizing the DOD’s commitment to transparency and accountability in addressing cybersecurity incidents. As outlined in the letter dispatched to potential victims, the DIA reassures recipients that comprehensive actions have been taken to address the breach and fortify cybersecurity protocols moving forward.
Symantec Report Links Alpha Ransomware to Defunct NetWalker Operation
Security researchers have uncovered compelling evidence linking the Alpha ransomware to the now-defunct NetWalker ransomware operation, shedding light on potential overlaps in their tools, tactics, and procedures. NetWalker, a notorious ransomware-as-a-service (RaaS) platform, gained infamy between October 2019 and January 2021 before law enforcement intervention shuttered its dark web infrastructure. Alpha ransomware, distinct from ALPHV/BlackCat, emerged in February 2023 with a notably subdued profile, avoiding prominent visibility on hacker forums and refraining from extensive attack campaigns.
However, recent developments have brought Alpha into the spotlight, notably through the establishment of a data leak site and the publication of stolen files from breached networks. Presently, Alpha’s extortion portal lists nine victims, with eight already having their compromised data disclosed by threat actors. The latest iteration of Alpha ransomware employs a random 8-character alphanumeric extension for encrypted files and features revised ransom notes, directing victims to contact threat actors via messaging services. Reported ransom demands range from 0.272 BTC to up to $100,000, reflecting variations linked to the victim’s business size.
The striking resemblances between NetWalker and Alpha operations suggest a possible continuation or adaptation of NetWalker’s codebase by Alpha developers. Alternatively, a new threat entity might have acquired NetWalker payloads, repurposing them for their ransomware campaigns. While Alpha currently operates on a smaller scale within the ransomware landscape, its emergence underscores the need for heightened vigilance among organizations. The evolving nature of ransomware threats underscores the importance of robust cybersecurity measures to thwart potential attacks and mitigate associated risks.
Lazarus Group Turns to YoMix Bitcoin Mixer for Laundering Stolen Crypto
Lazarus, the notorious North Korean hacker collective, notorious for orchestrating numerous high-profile cryptocurrency heists, has shifted its laundering tactics, now utilizing the YoMix bitcoin mixer to obscure the origins of stolen funds. A recent report from Chainalysis, a blockchain analysis company, indicates that Lazarus has adapted its laundering methods in response to government sanctions imposed on multiple bitcoin mixing services previously utilized by the threat actor. According to Chainalysis, YoMix has experienced a significant surge in funds throughout 2023, attributed directly to Lazarus activity rather than a general increase in popularity.
Lazarus’ involvement in cryptocurrency theft is a critical aspect of its operations, believed to finance not only the group’s endeavors but also North Korea’s weapons development program. Recent notable cryptocurrency thefts orchestrated by Lazarus include the Ronin Network (Axie Infinity) hack in March 2022, yielding $625 million, the Harmony Horizon hack in June 2022 resulting in $100 million in losses, and the Alphapo heist in July 2023, netting hackers $60 million in crypto assets. From January 2017 to December 2023, North Korean hacking groups, including Lazarus, Kimsuky, and Andariel, have collectively stolen an estimated $3 billion in cryptocurrency, as per a report from Recorded Future. These ill-gotten gains have passed through various coin mixing services that circumvent anti-money laundering regulations, accepting deposits even from wallets flagged for suspicious activity. Despite the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) identifying and sanctioning platforms previously utilized by Lazarus for laundering proceeds, such as Blender, Tornado Cash, and Sinbad, the group consistently adapts by migrating to new services.
Chainalysis identifies YoMix as the latest platform employed by the North Korean threat actor to obfuscate the trail of stolen cryptocurrency funds. The ever-evolving tactics of Lazarus underscore the ongoing challenge in combating cybercrime and emphasize the critical importance of robust cybersecurity measures and international cooperation to mitigate threats posed by state-sponsored hacker collectives.