Malwarebytes targeted by UNC2452.
Malwarebytes disclosed on Tuesday that it had been targeted by the same nation-state actor responsible for the Solorigate cyberespionage campaign, although the breach appears to have been limited to some company emails:
“While Malwarebytes does not use SolarWinds, we, like many other companies were recently targeted by the same threat actor. We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments. After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.
“We received information from the Microsoft Security Response Center on December 15 about suspicious activity from a third-party application in our Microsoft Office 365 tenant consistent with the tactics, techniques and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks.
“We immediately activated our incident response group and engaged Microsoft’s Detection and Response Team (DART). Together, we performed an extensive investigation of both our cloud and on-premises environments for any activity related to the API calls that triggered the initial alert. The investigation indicates the attackers leveraged a dormant email protection product within our Office 365 tenant that allowed access to a limited subset of internal company emails. We do not use Azure cloud services in our production environments.
“Considering the supply chain nature of the SolarWinds attack, and in an abundance of caution, we immediately performed a thorough investigation of all Malwarebytes source code, build and delivery processes, including reverse engineering our own software. Our internal systems showed no evidence of unauthorized access or compromise in any on-premises and production environments. Our software remains safe to use.”
The incident further highlights the fact that SolarWinds wasn’t the only avenue of attack used by these threat actors. ZDNet notes that Malwarebytes is the fourth security vendor known to be targeted in this campaign (the others being FireEye, Microsoft, and CrowdStrike). FireEye, which tracks the Solorigate threat actor as “UNC2452,” has published a detailed white paper with guidelines for defending against the adversary’s tactics.
Second loader used in Solorigate.
Researchers at Symantec describe “Raindrop,” a malware loader used in the Solorigate cyberespionage campaign. Raindrop is very similar to the Teardrop loader analyzed by FireEye and others, but it uses a different packer. Additionally, Symantec states, “While Teardrop was delivered by the initial Sunburst backdoor (Backdoor.Sunburst), Raindrop appears to have been used for spreading across the victim’s network. Symantec has seen no evidence to date of Raindrop being delivered directly by Sunburst. Instead, it appears elsewhere on networks where at least one computer has already been compromised by Sunburst.”
Both Raindrop and Teardrop are used to deliver Cobalt Strike Beacon, but with different configurations: “To date, Symantec has seen four samples of Raindrop. In three cases, Cobalt Strike was configured to use HTTPS as a communication protocol. In the fourth it was configured to use SMB Named Pipe as a communication protocol.”
Microsoft published its own report outlining how the Solorigate actors attempted to prevent their valuable Sunburst backdoor from being discovered even if the final payload (Cobalt Strike) was detected by a victim. The company offers the following observations on the extraordinary operational security displayed by the threat actors:
- “Methodic avoidance of shared indicators for each compromised host. As discussed in the previous section, each Cobalt Strike DLL implant was prepared to be unique per machine and avoided at any cost overlap and reuse of folder name, file name, export function names, C2 domain/IP, HTTP requests, timestamp, file metadata, config, and child process launched. This extreme level of variance was also applied to non-executable entities, such as WMI persistence filter name, WMI filter query, passwords used for 7-zip archives, and names of output log files. Applying this level of permutations for each individual compromised machine is an incredible effort normally not seen with other adversaries and done to prevent full identification of all compromised assets inside a network or effective sharing of threat intel between victims.
- “Camouflage and blending into the environment. Tools and binaries used by the attackers (e.g., ADFIND legit tool) were always renamed and placed in folders that mimicked existing programs and files already present on a machine. This blending was not just used for files, but for other elements. For example, WMI persistence filters were created with names and queries matching other scripts present in affected organizations.
- “Before running intensive and continued hands-on keyboard activity, the attackers took care of disabling event logging using AUDITPOL and re-enabling it afterward.
- “In a similar way, before running noisy network enumeration activities (such as repeated NSLOOKUP or LDAP queries), the attackers carefully prepared special firewall rules to minimize outgoing packets for certain protocols. The firewall rules were also methodically removed after the network reconnaissance was completed.
- “Lateral movement activities were never executed without preparation. To increase the likelihood that their activities remain undetected, the attackers first enumerated remote processes and services running on the target host and decided to move laterally only after disabling certain security services.
- “We believe that the attackers used timestomping to change timestamps of artifacts and also leveraged professional wiping procedures and tools to complicate finding and recovering of DLL implants from affected environments.”
For more, see the CyberWire Pro Research Briefing.
Chimera expands focus of cyberespionage.
NCC Group and Fox-IT have found that a China-aligned threat group (tracked by CyCraft as “Chimera”) known for targeting Taiwan’s semiconductor industry has also targeted the airline sector. The espionage operations against airlines were focused on stealing passenger name records as opposed to trade secrets. The threat actor often remained undetected for extended periods of time, in at least one case lurking on a victim’s network for three years. In one instance, the researchers were able to track the group’s working hours:
“We developed a Python script that decoded and combined most of the logged C2 communication into a human readable format. As the adversary used Cobalt Strike with DNS as command & control protocol, we were able to reconstruct more than two years of adversary activity. With all this activity data, it was possible for us to create some insight into the ‘office’-hours of this adversary. The activity took place six days a week, rarely on Sundays. The activity started on average at 02:36 UTC and ended rarely after 13:00 UTC. We observed some periods where we expected activity of the adversary, but almost none was observed. These periods match with the Chinese Golden Week holiday.”
The researchers don’t attribute the activity to any particular nation-state, although they “assess with moderate confidence” that the actor is operating in the interests of China. Saryu Nayyar, CEO of Gurucul, commented, “The revelation that advanced attackers, apparently based in China, have been targeting airline travel sites to track specific individuals is not a surprise. Tracking the travel patterns of individuals involved in certain industries or areas of research is information of great value to a State level intelligence agency. While it is the kind of specific information that might be useful to a cybercriminal going after a specific target, is guaranteed to be useful to a rival state agency.”
For more, see the CyberWire Pro Privacy Briefing.
Stolen emails altered before being leaked.
The EU’s European Medicines Agency (EMA) says threat actors who stole COVID-19 vaccine documents appear to have altered them before releasing them online. The EMA says the material stolen “included internal/confidential email correspondence dating from November, relating to evaluation processes for COVID-19 vaccines. Some of the correspondence has been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines.” The fact that the files were altered suggests that disinformation may have been the purpose of the operation against EMA, as opposed to intellectual property theft, which had been one conjectured motive.
For more, see the CyberWire Pro Disinformation Briefing.
Swimlane, a SOAR platform provider based in Denver, Colorado, has raised $40 million in a funding round led by Energy Impact Partners (EIP). The company says the “funding will accelerate partnerships and alliances, expand research and development, and enable further global expansion.” Swimlane has also appointed James Brear as its new CEO. Brear most recently served as CEO of Veriflow (acquired by VMware in August 2019). Swimlane’s former CEO and co-founder Cody Cornell stated, “I have officially transitioned to Chief Strategy Officer (CSO), to partner with James on driving product and partnership strategies for Swimlane going forward.”
Rewind, a cloud backup company based in Ontario, has raised $15 million in a Series A round led by Inovia Capital, with participation from Ridge Ventures, Bessemer Venture Partners, ScaleUP Ventures, Fundfire, Mistral Venture Partners, and angel investors. The company stated, “This raise will accelerate its product development pipeline, bringing new data protection solutions to market faster than any current BaaS provider. Actively hiring across all core business functions, Rewind will also use the new capital to strengthen its R&D, sales, marketing and customer service teams to support its global market expansion.’ Rewind added, “Joining the Rewind Board of Directors, Charbonneau of Inovia Capital will work closely with the team to support Rewind’s aggressive expansion efforts. In addition, Alexandra Sukin of Bessemer Venture Partners, Yousuf Khan of Ridge Ventures, and Alexander Rink of Rink Ventures will provide their insight as observers.”
Quebec-headquartered data discovery and integrity assurance provider Qohash has raised CA$8 million (US$6.3 million) in a Series A round led by FINTOP Capital. The company stated, “With plans to expand across North America and accelerate commercialization, Qohash has also announced that John Philpott, General Partner of FINTOP Capital, and Laurent Simoneau, President and CTO of Coveo, will join Qohash’s Board of Directors.”
SC Magazine cites DataTribe’s Mike Janke to the effect that cybersecurity investments remained robust throughout 2020 despite the pandemic. “2020 turned out to be stronger than we thought, even without COVID,” Janke said. John Brennan, a partner at YL Ventures, has also seen increased investment activity, stating, “Security has been a very competitive market for some time, and we’re now seeing an increase in competition, both at the seed stage (where we invest) and in follow-on rounds, where later stage investors are feeling pressure to invest earlier (and with less validation).”
For more business news, including executive moves, see the CyberWire Pro Business Briefing.
Cisco has patched several flaws in Cisco Connected Mobile Experiences (CMX) and the Cisco AnyConnect Secure Mobility Client for Windows, the Daily Swig reports. The most serious of the vulnerabilities, CVE-2021-1144, affects CMX, and “could allow a remote, authenticated attacker without administrative privileges to alter the password of any user on an affected system.” Cisco says “An authenticated attacker without administrative privileges could exploit this vulnerability by sending a modified HTTP request to an affected device.”
Crime and punishment.
The US FBI is investigating whether a Pennsylvania woman stole a laptop or hard drive from US Speaker Nancy Pelosi’s office during the Capitol Hill riots with the intention of selling it to Russian intelligence services. The Washington Post says the suspect is now in custody.
A former employee of residential security company ADT has pleaded guilty to adding his own email address to customers’ accounts so he could spy on them through their security cameras, Threatpost reports. Threatpost says the employee, Telesforo Aviles, “faces up to five years in federal prison for accessing roughly 200 accounts more than 9,600 times without consent, over a four-and-a-half year period.”
Courts and torts.
DLA Piper has an overview of the fines levied under GDPR since its enactment in May 2018. European data protection authorities have issued €114 million worth of fines so far:
“France, Germany, and Austria topped the rankings for the total value of GDPR fines imposed with just over EUR51 million, EUR24.5 million, and EUR18 million respectively. The Netherlands, Germany, and the UK topped the table for the number of data breaches notified to regulators with 40,647, 37,636, and 22,181 notifications each.”
“The daily rate of breach notifications has also increased by 12.6% from 247 notifications per day for the first eight months of GDPR from 25 May 2018 to 27 January 2019, to 278 breach notifications per day for the current year
“Weighting the results against country populations, The Netherlands again come top with 147.2 reported breaches per 100,000 people, up from 89.8 per 100,000 people last year, followed by Ireland and Denmark. From the 27 countries that provided data on breach notifications, the UK, Germany and France ranked thirteenth, eleventh and twenty-third respectively on a reported fine per capita basis. Italy, Romania and Greece reported the fewest number of breaches per capita. Italy, a country with a population of over 62 million people, only recorded 1886 data breach notifications illustrating the cultural differences in approach to breach notification.”
The law firm notes that France currently holds the record for the largest fine, with the €50 million penalty it imposed on Google “for alleged infringements of the transparency principle and lack of valid consent, rather than for data breach.”
Policies, procurements, and agency equities.
Former US President Trump on Tuesday issued an Executive Order outlining measures to control foreign malicious use of infrastructure-as-a-service products. The EO, whose title is “Executive Order on Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities,” is designed, Reuters reports, to restrict transactions between cloud service providers and foreign customers likely to misuse such services for cyberattacks. The Secretary of Commerce was given the leading role, directing the Secretary to propose for notice and comment regulations that require United States IaaS providers to verify the identity of a foreign person that obtains an account. Commerce is expected to coordinate its work under the executive order with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence.
Google has threatened to disable its search engine in Australia if the Australian government passes a proposed law to require digital platforms to pay news companies for their content, the Sydney Morning Herald reports. Google’s regional director Mel Silva is quoted by the BBC as saying, “If this version of the code were to become law, it would give us no real choice but to stop making Google Search available in Australia.” The AP cites Australian Prime Minister Scott Morrison as saying, “We don’t respond to threats,” adding, “Australia makes our rules for things you can do in Australia. That’s done in our Parliament. It’s done by our government. And that’s how things work here in Australia.” The Sydney Morning Herald quotes Montaka Global fund manager Andrew Macken to the effect that Google may follow through with its ultimatum. “Google would perhaps rather lose Australia (a relatively small global market) to avoid setting a precedent for its other larger markets,” Macken said.
For more policy news, see the CyberWire Pro Policy Briefing.