By the CyberWire staff
At a glance.
- Recovery from global CrowdStrike outage continues.
- ICS malware disrupted heating services in Ukraine.
- French police launch operation to clean up PlugX infections.
- North Korea's APT45 conducts espionage alongside financially motivated attacks.
- APT10 targets Japanese companies.
- Telegram exploit used a zero-day vulnerability.
- Meta disrupts Nigerian sextortion operation.
- Ghost accounts on GitHub distribute malware.
Recovery from global CrowdStrike outage continues.
CrowdStrike has published a technical report on the faulty update the company issued on Friday that caused IT disruptions around the world. The company stated, "On July 19, 2024 at 04:09 UTC, as part of ongoing operations, CrowdStrike released a sensor configuration update to Windows systems. Sensor configuration updates are an ongoing part of the protection mechanisms of the Falcon platform. This configuration update triggered a logic error resulting in a system crash and blue screen (BSOD) on impacted systems. The sensor configuration update that caused the system crash was remediated on Friday, July 19, 2024 05:27 UTC."
Microsoft estimates that the CrowdStrike update brought down approximately 8.5 million Windows devices. While this is less than one percent of all Windows machines, the company said "the broad economic and societal impacts reflect the use of CrowdStrike by enterprises that run many critical services." Microsoft has released a tool to help administrators recover their endpoints.
Insurance services provider Parametrix estimates that the total direct costs faced by Fortune 500 companies due to last week's CrowdStrike outage will reach approximately $5.4 billion, ComputerWeekly reports. The outage affected around 25% of Fortune 500 firms, most heavily impacting airlines, hospitals, and banks. Software and IT companies (excluding Microsoft) were among the least affected, likely due to their greater reliance on Linux systems. Parametrix notes, "This could be viewed as a silver lining, because a high impact on this sector would have resulted in an even larger ripple effect, given this sector includes some of the largest service providers in the world."
The US Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre (NCSC) have both warned of phishing attacks taking advantage of the outage. The NCSC says "an increase in phishing referencing this outage has already been observed, as opportunistic malicious actors seek to take advantage of the situation. This may be aimed at both organisations and individuals." The Australian Signals Directorate has also observed multiple malicious websites offering phony recovery tools.
ICS malware disrupted heating services in Ukraine.
Dragos has published a report on a new strain of ICS malware that disrupted a district energy company in Lviv, Ukraine in January 2024, cutting heat to some 600 apartment buildings for nearly two days during sub-zero temperatures. The malware, which Dragos has dubbed "FrostyGoop," is "the first ICS-specific malware that uses Modbus communications to achieve an impact on operational technology (OT)." Dragos assesses that the attackers most likely gained initial access through an undetermined vulnerability in an externally facing MikroTik router; from there the malware spoke Modbus TCP (port 502 by default) directly to the heating controllers, a protocol with no authentication of its own.
The researchers explain, "The affected heating system controllers were ENCO Controllers. The adversaries downgraded the firmware on the controllers from versions 51 and 52 to 50, which is a version that lacks monitoring capabilities employed at the victim facility, resulting in the Loss of View. The adversaries did not attempt to destroy the controllers. Instead, the adversaries caused the controllers to report inaccurate measurements, resulting in the incorrect operation of the system and the loss of heating to customers."
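Because Modbus carries no authentication, the practical control is knowing which hosts are permitted to write to controllers and alerting on any other source of write requests. The Python below is an added example written for this page, not Dragos' tooling or a FrostyGoop sample: it decodes Modbus/TCP requests and flags state-changing function codes from hosts outside an allow-list. The frames, IP addresses and allow-list are constructed for the demonstration.

```python
"""Parse Modbus/TCP requests and flag writes from unexpected hosts.

Added example for this page, not Dragos' code or a FrostyGoop sample.
Packets, addresses and the allow-list are constructed; the only facts
taken from the page are that FrostyGoop reached its effect over Modbus
and that the controllers ended up reporting wrong values.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Function codes that change state on the device.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

# Hosts allowed to write (assumption: one engineering workstation and one
# HMI; a real allow-list comes from the OT asset inventory).
WRITE_ALLOWLIST = {"10.10.0.5", "10.10.0.6"}


@dataclass
class ModbusRequest:
    src: str
    transaction_id: int
    unit_id: int
    function: int
    start: Optional[int]   # first coil/register address, where applicable
    count: Optional[int]   # item count for reads and multi-writes
    value: Optional[int]   # value for single-item writes


def parse_modbus_tcp(src: str, payload: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the PDU fields we care about."""
    if len(payload) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function = payload[7]
    pdu = payload[8:]
    start = count = value = None
    if function in (1, 2, 3, 4, 15, 16):      # address + quantity
        start, count = struct.unpack(">HH", pdu[:4])
    elif function in (5, 6):                  # address + value
        start, value = struct.unpack(">HH", pdu[:4])
    return ModbusRequest(src, tid, unit, function, start, count, value)


def assess(req: ModbusRequest) -> str:
    """'alert' for writes from unknown hosts or unknown function codes,
    'allow' for writes from listed hosts, 'info' for reads."""
    if req.function in WRITE_FUNCTIONS:
        return "allow" if req.src in WRITE_ALLOWLIST else "alert"
    if req.function in READ_FUNCTIONS:
        return "info"
    return "alert"   # vendor-specific or malformed function code


def triage(frames: List[Tuple[str, bytes]]) -> List[Tuple[str, str, str, Optional[int]]]:
    """Return (verdict, source, function name, start address) per frame."""
    findings = []
    for src, raw in frames:
        req = parse_modbus_tcp(src, raw)
        name = WRITE_FUNCTIONS.get(req.function) or \
            READ_FUNCTIONS.get(req.function, f"FC{req.function}")
        findings.append((assess(req), src, name, req.start))
    return findings


# Constructed traffic: HMI poll, a write from an unknown host, an
# engineering-workstation write of two holding registers.
SAMPLE_FRAMES = [
    ("10.10.0.6", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    ("10.10.0.77", bytes.fromhex("0002 0000 0006 01 06 0010 0000")),
    ("10.10.0.5", bytes.fromhex("0003 0000 000b 01 10 0020 0002 04 00ff 00ff")),
]

if __name__ == "__main__":
    for verdict, src, name, start in triage(SAMPLE_FRAMES):
        print(f"{verdict:5s} {src:12s} {name} @ {start}")
```

The allow-list model is deliberately simple; in a real network segment the same parser would feed a sensor that also tracks which unit IDs and register ranges each host normally touches, since a legitimate workstation can be compromised and used as the write source.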
French police launch operation to clean up PlugX infections.
The French police, with assistance from cybersecurity firm Sekoia, are pushing out a "disinfection solution" to remove the PlugX malware from at least 3,000 infected systems in France, the Record reports. PlugX is frequently used by Chinese threat actors to conduct cyberespionage.
The specifics of the operation weren't disclosed, but BleepingComputer notes that Sekoia published a report on a PlugX self-deletion mechanism earlier this year. Sekoia stated at the time, "Given the potential legal challenges that could arise from conducting a widespread disinfection campaign, which involves sending an arbitrary command to workstations we do not own, we have resolved to defer the decision on whether to disinfect workstations in their respective countries to the discretion of national Computer Emergency Response Teams (CERTs), Law Enforcement Agencies (LEAs), and cybersecurity authorities."
North Korea's APT45 conducts espionage alongside financially motivated attacks.
Mandiant has published a report on APT45, a newly designated North Korean threat actor that's been conducting cyberespionage against the government and defense sectors since at least 2009. The group has gradually expanded into financially motivated operations, including ransomware attacks.
Mandiant notes, "APT45 is one of North Korea’s longest running cyber operators, and the group’s activity mirrors the regime’s geopolitical priorities even as operations have shifted from classic cyber espionage against government and defense entities to include healthcare and crop science. Financially motivated activity occurring alongside intelligence collection has become a defining characteristic of North Korean cyber operations, and we expect APT45 to continue both missions." APT45 also targeted nuclear research facilities and power plants in 2019, including India's Kudankulam Nuclear Power Plant.
APT10 targets Japanese companies.
Cybereason has published a report on "Cuckoo Spear," a suspected Chinese cyberespionage operation targeting Japanese companies. The researchers attribute the operation to APT10, a threat actor tied to China's Ministry of State Security.
Cybereason notes, "A variety of different techniques were used to lure in potential victims, but the Threat Actors mainly rely on Spear-Phishing as the common initial access technique with LODEINFO; however, malicious actors have started to shift their tactics to exploiting vulnerabilities. NOOPDOOR must be loaded first on the victim machines, which is done through persistence mechanisms." The threat actor uses scheduled tasks, WMI permanent event subscriptions (event consumers), and Windows service DLLs to achieve persistence.
Telegram exploit used a zero-day vulnerability.
ESET discovered an exploit for a zero-day vulnerability in Telegram for Android that allows threat actors to deliver malicious payloads disguised as video files. The exploit is being hawked on a cybercriminal forum. Telegram released a patch for the flaw on July 11th; installations not updated since then remain exposed.
The exploit enables users to send a binary attachment that appears as a video preview in the Telegram chat. ESET explains, "By default, media files received via Telegram are set to download automatically. This means that users with the option enabled will automatically download the malicious payload once they open the conversation where it was shared. The option can be disabled manually – in that case, the payload can still be downloaded by tapping the download button in the top left corner of the shared, apparent video." The payload is an Android application rather than a video, so the automatic download by itself does not execute anything; per ESET, the victim still has to be induced to open the "video" and approve installation of the app.
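Whether a download really is a video can be decided from its bytes rather than from the filename or the chat preview. The Python below is an added example written for this page, not ESET's or Telegram's code: it sniffs a file's magic bytes and reports when something presented as a video is in fact a ZIP container carrying an Android app. The APK-like archive and MP4 header it checks are constructed in-line.

```python
"""Verify that a file presented as a video really is one.

Added example for this page (not ESET's or Telegram's code). The page
says only that the exploit delivers a payload disguised as a video; this
applies the general rule of trusting magic bytes over names and previews.
The APK-like ZIP and the MP4 header used as samples are constructed.
"""
import io
import zipfile

# Video containers a chat client would preview, keyed by extension.
VIDEO_EXT = {"mp4": "mp4", "m4v": "mp4", "mov": "mp4",
             "mkv": "matroska", "webm": "matroska"}


def sniff(data: bytes) -> str:
    """Classify a file by its leading bytes (a handful of containers only)."""
    if len(data) >= 12 and data[4:8] == b"ftyp":    # ISO BMFF: mp4/mov/m4v
        return "mp4"
    if data[:4] == b"\x1a\x45\xdf\xa3":             # EBML: mkv/webm
        return "matroska"
    if data[:4] == b"PK\x03\x04":                   # ZIP, the container for APKs
        return "zip"
    if data[:4] == b"\x7fELF":
        return "elf"
    return "unknown"


def looks_like_apk(data: bytes) -> bool:
    """A ZIP holding AndroidManifest.xml and classes.dex is an Android app."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return {"AndroidManifest.xml", "classes.dex"} <= names


def check_media(filename: str, data: bytes) -> str:
    """Return 'video', 'apk', 'apk_disguised_as_video', 'mismatch' or 'unknown'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claims_video = ext in VIDEO_EXT
    kind = sniff(data)
    if kind == "zip" and looks_like_apk(data):
        return "apk_disguised_as_video" if claims_video else "apk"
    if claims_video:
        return "video" if kind == VIDEO_EXT[ext] else "mismatch"
    return "unknown"


def build_fake_apk() -> bytes:
    """Constructed stand-in for an APK: a ZIP with the two tell-tale entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


# Constructed MP4 header: a 24-byte 'ftyp' box followed by padding.
GENUINE_MP4_HEAD = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("clip.mp4", GENUINE_MP4_HEAD),
                       ("clip.mp4", build_fake_apk()),
                       ("update.apk", build_fake_apk())]:
        print(f"{name:12s} -> {check_media(name, blob)}")
```

On a managed Android fleet the same check belongs in whatever inspects downloads (an MDM agent or a mail/file gateway); on the client itself the cheaper mitigation is the one ESET points at, turning off automatic media download.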
Meta disrupts Nigerian sextortion operation.
Meta has removed 63,000 Instagram accounts belonging to the Nigerian cybercrime group the Yahoo Boys, the Record reports. The accounts were used to conduct sextortion scams, mostly targeting adult men in the US. Meta stated, "Applying lessons learned from taking down terrorist groups and coordinated inauthentic behavior, we used our identification of this coordinated network to help us identify more accounts in Nigeria that were attempting to engage in similar sextortion scams."
Additionally, the company "removed around 7,200 assets, including 1,300 Facebook accounts, 200 Facebook Pages and 5,700 Facebook Groups, also based in Nigeria, that were providing tips for conducting scams. Their efforts included offering to sell scripts and guides to use when scamming people, and sharing links to collections of photos to use when populating fake accounts."
Ghost accounts on GitHub distribute malware.
Researchers at Check Point have discovered a network of around 3,000 "ghost accounts" on GitHub that's being used to distribute malware through phishing repositories. The researchers note that "[t]his type of operation, where fake accounts are instrumented to organically perform phishing attacks to distribute malware, has never been seen before." The operation is run by a threat actor dubbed "Stargazer Goblin," and has been active since at least June 2023. Check Point states, "This network operates a Distribution as a Service (DaaS) network providing a platform for other potential threat actors to provide Stargazer Goblin their malicious links or malware to be distributed via malicious phishing templates on GitHub repositories. The network has been distributing all sorts of malware families, with notable mentions of Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine."
GitHub has since disabled these accounts, but Check Point found evidence that similar networks are likely active on X (formerly Twitter), YouTube, Discord, Twitch, Instagram, and others.
Crime and punishment.
The US State Department is offering a $10 million reward for information leading to the arrest of Rim Jong Hyok, a North Korean national accused of conducting ransomware attacks against critical infrastructure and healthcare organizations in the US, BleepingComputer reports. The State Department says Rim is tied to Andariel, a threat actor controlled by the DPRK’s Reconnaissance General Bureau. The State Department alleges, "Rim and others conspired to hack into the computer systems of U.S. hospitals and other healthcare providers, install Maui ransomware, and extort ransoms. The ransomware attacks encrypted victims’ computers and servers used for medical testing or electronic medical records and disrupted healthcare services. These malicious cyber actors then used the ransom payments to fund malicious cyber operations targeting U.S. government entities and U.S. and foreign defense contractors, among others."
The West Midlands Police in the UK have arrested a 17-year-old boy from Walsall for his alleged involvement with the Scattered Spider cybercriminal group, SecurityWeek reports. The arrest was part of a joint operation with the UK's National Crime Agency and the US FBI.
The UK's National Crime Agency (NCA) has shut down the major DDoS-for-hire marketplace DigitalStress, Infosecurity Magazine reports. The NCA took over the domain and set up a mirror site to collect visitors' information. The agency also "covertly and overtly accessed communication platforms being used to discuss launching DDoS attacks." The NCA stated, "User information will now be analysed by the NCA for law enforcement action, and data relating to overseas users will be passed to international law enforcement."