One month after disclosing a data breach that resulted in the theft of personal data of roughly 515,000 people globally, the International Committee of the Red Cross (ICRC) announced that hackers had access to its network for 70 days prior to the discovery of the attack.
Access to the Red Cross’ network occurred on November 9, 2021, by exploiting CVE-2021-40539, a critical-severity authentication bypass flaw in Zoho’s ManageEngine ADSelfService Plus, ICRC said, adding it was a highly sophisticated targeted attack “because the attackers created code designed solely for execution on the concerned ICRC servers.”
While the identity of the adversary remains unclear, investigative journalist Brian Krebs said that a cybercriminal actor claiming to be in possession of stolen Red Cross data might be linked to an Iranian influence operation.
It’s also worth noting that a Palo Alto Networks’ Unit 42 report from November 2021 linked exploitation of the same Zoho vulnerability to a Chinese state-sponsored group known as APT27.
“The attackers used a very specific set of advanced hacking tools designed for offensive security,” ICRC said. “These tools are primarily used by advanced persistent threat groups, are not available publicly, and therefore out of reach to other actors.”
“The attackers used sophisticated obfuscation techniques to hide and protect their malicious programs. This requires a high level of skills only available to a limited number of actors,” the humanitarian organization said, noting “most of the malicious files deployed were specifically crafted to bypass our anti-malware solutions.”
What’s trending in security?
✈️ A threat actor tracked as TA2541 has been actively targeting the aerospace, aviation, defense, manufacturing and transportation sectors for years. Active since at least 2017, the adversary has been observed consistently employing aviation-, transportation- and travel-related themes in high-volume phishing campaigns to infect targets with off-the-shelf remote access Trojans (RATs).
The group typically sends more than 10,000 messages at a time as part of its attacks, targeting organizations in North America, Europe, and the Middle East. That said, the investigations have not uncovered what the ultimate goal of the group is, or where they are operating from. [The Hacker News]
💲 Roughly 74% of ransomware revenue in 2021 — over $400 million worth of cryptocurrency — went to strains highly likely to be affiliated with Russia in some way. Conti was the biggest ransomware strain by revenue in 2021, extorting at least $180 million from victims. The disclosure comes as the U.S. Justice Department ramped up efforts to tackle growing Web3 crimes by launching a new crypto enforcement unit. [Chainalysis]
⚠️ The FBI and U.S. Secret Service released a joint cybersecurity advisory on pervasive ransomware-as-a-service group BlackByte, warning that attackers deploying the ransomware had infected organizations in at least three U.S. critical infrastructure sectors — government facilities, financial, and food and agriculture — as well as others outside the US. [CISA]
🛡️ The U.S. Department of Justice (DoJ) earlier this week appointed Eun Young Choi to serve as the first Director of the newly formed National Cryptocurrency Enforcement Team (NCET) to root out illegal activity on virtual currency exchanges. The development is part of efforts undertaken by the government to police a space that’s increasingly become the new frontier for criminal actors and nation-state groups to steal and launder money through anonymous avenues like digital currencies. [The Hacker News]
🏦 Two of the largest Ukrainian banks, PrivatBank and Oschadbank, as well as the websites of the Ukrainian Ministry of Defense and the Armed Forces suffered a distributed denial-of-service (DDoS) attack from unknown actors. "An excessive number of requests per second were recorded," the Defense Ministry said.
Subsequently, the U.K. and U.S. governments blamed the Russian Main Intelligence Directorate (GRU) for the distributed denial-of-service (DDoS) attacks targeting Ukraine’s defense ministry and major banks this week and warned of the potential for more significant disruptions in the days ahead. [Ars Technica / Gov.uk / The White House]
💣 State-sponsored threat actors from Russia have stolen unclassified but sensitive data on U.S. weapons development and specific technologies used by the U.S. military and government as part of a broader and ongoing cyber espionage campaign going back to at least January 2020. [The Hacker News]
🚨 A new Emotet infection chain has been observed using a phishing email containing an Excel file, which incorporates an obfuscated Excel 4.0 macro. "When the macro is activated, it downloads and executes an HTML application that downloads two stages of PowerShell to retrieve and execute the final Emotet payload," the researchers said. The frequent changes to its infection techniques are intended to avoid detection. [Unit 42]
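The chain quoted above (Excel macro, then an HTML application host, then one or more PowerShell stages) leaves a recognisable parent/child trail in endpoint process-creation telemetry. The following is an added example, not code from the newsletter or from Unit 42, that hunts for that ancestry in a constructed sample of process events. The event schema (`pid`, `ppid`, `image`) and the sample events are assumptions made for the example; real telemetry (Sysmon event 1, EDR process logs) carries the same fields under different names.

```python
"""Hunt for the Excel -> mshta.exe -> powershell.exe ancestry in process events.

Added example, not from the original page. The event schema and the
sample events below are constructed for illustration, not real telemetry.
"""

# Parent-to-child order of the chain described in the Unit 42 write-up.
CHAIN = ("excel.exe", "mshta.exe", "powershell.exe")

# Constructed sample of process-creation events (pid, parent pid, image path).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe"},
    # Suspicious chain: Excel spawns mshta, which spawns two PowerShell stages.
    {"pid": 200, "ppid": 100, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"},
    {"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\mshta.exe"},
    {"pid": 400, "ppid": 300, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"pid": 500, "ppid": 400, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    # Benign: a second Excel instance with no children.
    {"pid": 600, "ppid": 100, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"},
    # Benign: an administrator running PowerShell from a console.
    {"pid": 700, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe"},
    {"pid": 800, "ppid": 700, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
]


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid: dict, pid: int) -> list:
    """Image names of a process's parents, nearest parent first.

    Stops at an unknown parent or on a pid cycle (pid reuse in real logs).
    """
    names, seen = [], {pid}
    pid = by_pid[pid]["ppid"]
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return names


def is_ordered_subsequence(needle, haystack) -> bool:
    """True if every item of needle appears in haystack in the same order."""
    it = iter(haystack)
    return all(any(x == item for x in it) for item in needle)


def find_chain_matches(events, chain=CHAIN) -> list:
    """Return the events whose ancestry matches the chain (leaf first).

    The parents must contain the rest of the chain in order, nearest parent
    first, but intermediate processes are allowed, so the second PowerShell
    stage (whose parent is the first stage) is still flagged.
    """
    by_pid = {e["pid"]: e for e in events}
    wanted_parents = tuple(reversed(chain[:-1]))
    hits = []
    for e in events:
        if image_name(e["image"]) != chain[-1]:
            continue
        if is_ordered_subsequence(wanted_parents, ancestors(by_pid, e["pid"])):
            hits.append(e)
    return hits


if __name__ == "__main__":
    by_pid = {e["pid"]: e for e in SAMPLE_EVENTS}
    for hit in find_chain_matches(SAMPLE_EVENTS):
        trail = " <- ".join([image_name(hit["image"])] + ancestors(by_pid, hit["pid"]))
        print(f"pid {hit['pid']}: {trail}")
```

Matching on an ordered subsequence rather than on direct parents is a deliberate choice: the reported chain has PowerShell downloading a further PowerShell stage, so the final payload's direct parent is PowerShell, not mshta.exe. The same function takes any other chain tuple, so it can be reused for other Office-spawned script hosts.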
🔓 Cybercriminals are exploiting the growth in popularity of NFTs in efforts designed to trick victims into downloading trojan malware capable of hijacking their PCs while stealing usernames and passwords. The attack leverages a “peculiar-looking Excel spreadsheet” that seemingly includes NFT-related information, but instead downloads and installs the BitRAT malware in the background. [FortiGuard Labs]
⚙️ ShadowPad, a modular Windows backdoor, came into the spotlight in 2017 when it was used in software supply-chain attacks staged by a suspected Chinese state-sponsored hacker group known as Barium. Since then, it has become the tool of choice for several cyberespionage groups that are believed to be associated with China’s Ministry of State Security (MSS) and the People’s Liberation Army (PLA). [The Hacker News]
📱 Google is taking a page out of Apple’s book by bringing Privacy Sandbox from Chrome to Android to curtail cross-app tracking on mobile devices. As part of the changes, Google said, it plans to phase out Advertising ID, a tracking feature within Android that enables marketers to keep tabs on users’ interests and activities as well as measure the effectiveness of their ads.
But rather than being a unilateral “ask app not to track” user-facing opt-in, Google hopes to work with developers, privacy advocates, and regulators to figure out a more sustainable approach that offers privacy-preserving solutions while also maintaining a “well functioning ad-funded web.” The new technologies are expected to be enforced in two years’ time. [The Hacker News]
🛑 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has compiled a list of more than 100 free cybersecurity tools and services that can help organizations reduce risk and improve resilience. “The resources on this list will help such organizations improve their security posture, which is particularly critical in the current heightened threat environment,” CISA Director Jen Easterly said in a statement. [The Hacker News]
☁️ The European Data Protection Board (EDPB) has announced plans to probe the use of cloud-based services across E.U. public bodies as part of an effort to investigate GDPR compliance and detect possible data transfers of E.U. data overseas. [EDPB]
🔢 Based on an analysis of vulnerabilities reported by Project Zero between January 2019 and December 2021, Linux developers have patched security holes faster than anyone else, in an average of 25 days vs. Google in 44 days, Mozilla in 46 days, Apple in 69 days, and Microsoft in 83 days. In 2021, vendors took an average of 52 days to fix security vulnerabilities, down from 80 days three years ago. [Google Project Zero]
📦 Shipping-themed phishing lures, such as false invoices, changes in shipping delivery, or notices related to a fictitious purchase, are being used to harbor a variant of the STRRAT malware as an attachment. “Threat actors expend an enormous amount of effort to craft campaigns that take advantage of the basic day-to-day operations of companies,” the researchers said. [FortiGuard Labs]
🐘 A state-sanctioned political espionage group dubbed ModifiedElephant has been linked to covert attacks targeting human rights activists and defenders, academics, journalists, and lawyers across India with the goal of planting “incriminating evidence” to set them up for later arrests. The actor, which snares victims with spear-phishing to deliver “unsophisticated and downright mundane” malware via rigged documents, is thought to have been in operation since at least 2012, and shares hacking infrastructure overlaps with another Indian-origin group known as Hangover (aka Patchwork).
ModifiedElephant’s tactics also have precedent, as this marks the second time a hacking collective has tampered with evidence. In September 2021, a Turkish-nexus group dubbed EGoManiac was connected to a similar fabrication campaign where the “operators interdicted the machines of OdaTV journalists to place malware and incriminating documents, effectively framing them before arrest.” [The Hacker News / The Washington Post]
🗄️ The past week in data breaches, leaks, and ransomware: KlaySwap and Mizuno.
Tips, Comments, Ideas?
Send them my way by replying to this email.
Thanks again for reading. See you in the next edition!