Pulse Secure VPN exploitation affects defense, aerospace companies. SonicWall mitigates zero-days under active exploitation.


Pulse Secure VPN exploitation affects defense, aerospace companies.

US organizations continue to recover from the cyberespionage campaign, probably Chinese in origin, that exploited vulnerabilities in Pulse Secure’s VPN. CyberScoop reports that at least two dozen US agencies are known to run the VPN, but how many of those were compromised remains unclear. Most US Government agencies had until yesterday to report their self-scrutiny and remediation to CISA.

Pulse Secure is addressing vulnerabilities in the Pulse Connect Secure VPN publicly reported by FireEye’s Mandiant unit. CISA has issued an Alert on the vulnerabilities, providing technical details and urging organizations to apply the mitigations Pulse Secure has provided.

Federal agencies are getting more than encouragement: CISA yesterday issued Emergency Directive 21-03, requiring all organizations under its jurisdiction to “enumerate all instances of Pulse Connect Secure virtual and hardware appliances hosted by the agency or a third party on the agency’s behalf,” and then, by 5:00 PM EDT this Friday, to run the Pulse Connect Secure Integrity Tool on every such instance.

According to Reuters, exploitation of the secure email product, which heavily affects US and European defense firms (Nikkei suggests Japanese firms are also affected), is being attributed to Chinese intelligence services. The Chinese government dismisses FireEye’s attribution as “irresponsible and ill-intentioned,” because Beijing “firmly opposes and cracks down on all forms of cyber attacks.”

SonicWall mitigates zero-days under active exploitation.

SonicWall has issued mitigations for three zero-days affecting its email security products. FireEye discovered that the vulnerabilities were under active exploitation and disclosed the security issues to SonicWall. Attribution is unclear, but FireEye’s Mandiant unit is tracking the activity as UNC2682. The threat actor’s goals are unknown.

Supply chain compromise at Codecov.

US authorities are investigating an incident affecting the software auditing company Codecov, Reuters reports. It amounts to another potential supply chain compromise, specifically of the firm’s Bash Uploader. BleepingComputer says Codecov became aware of the problem on April 1st, when customers notified them that they’d spotted suspicious activity, and that attackers seem to have been active since January, when they began stealing developers’ credentials. Codecov has published a security update with remediation advice.

Reuters added late Monday evening that the Codecov supply chain attack may have affected several hundreds of the software company’s customers’ networks, with other software development vendors attracting particular attention, along with companies that themselves have a large customer base. It’s unclear whether the attackers are ordinary criminals or threat actors working on behalf of a nation-state.

“Big data” gangs.

Intel 471 has published a report on the Chinese criminal market for “big data:” it’s large, well-structured, and marked by clear organizational hierarchies and division of labor. It’s worth noting that this particular underworld does not seem to be thriving with the encouragement or tolerance of the domestic government. Chinese police appear to investigate and arrest gang members and their customers when they can find them. As Intel 471 puts it: “Chinese authorities reportedly adopted measures to crack down on the illegal big data trade and tighten regulations governing personal data and privacy. A series of regulatory measures regarding internet privacy protection and the security of personal information reportedly was introduced by the Cyberspace Administration of China in addition to the large-scale crackdown.”

Counterretaliation: personae non gratae.

As expected, Russia expelled ten US diplomats in retaliation for Washington’s expulsion of ten Russian diplomats, Deutsche Welle reports. The US took the action as part of its response to the SolarWinds supply chain compromise, an operation the US Intelligence Community has attributed to Russia’s SVR foreign intelligence service. The Kremlin also expelled three Polish diplomats after Warsaw ejected the same number of Russian personnel on Thursday. Euronews says that Poland ejected the three Russian diplomats in response to what the Polish government characterized as Russia’s “hostile actions.” Russian authorities continue to maintain, the Moscow Times writes, that the US attribution of the SolarWinds incident to Russia is “nonsense.”

Positive Technologies, the well-known Russian security firm sanctioned last week by the US Treasury Department for what the US Government regards as excessive closeness to Russia’s SVR and other intelligence organs, on Friday issued a statement characterizing Treasury’s accusations as “groundless.”

Standing down the two Unified Coordination Groups formed to respond to the SolarWinds and Exchange incidents.

The US Government has decided to stand down the task forces established to deal with the SolarWinds incident (attributed to Russia) and the Microsoft Exchange Server compromise (attributed to China). Deputy National Security Advisor for Cyber Neuberger says, “Due to the vastly increased patching and reduction in victims, we are standing down the current UCG surge efforts and will be handling further responses through standard incident management procedures.”

This doesn’t mean that the two compromises, eclipsed though they may be by more recent incidents, are over. It’s merely that the response necessary to deal with them has fallen back into normal ranges. For example, the US Cybersecurity and Infrastructure Security Agency (CISA) Thursday released an Alert warning that it had found instances of the Supernova malware during a CISA incident response. The “affected entity” is addressing the attack, and CISA says its own engagement with this incident is continuing. (Supernova is the backdoor associated with the SolarWinds compromise.)

RiskIQ has a rundown of the SolarWinds incident to date, with an interesting account of how the threat actor worked to make attribution more difficult. The US Government has been unambiguous in attributing the campaign to Russia’s SVR, but the kinds of similarities in tactics, techniques, and procedures that private sector analysts look for were in this case more difficult to trace. RiskIQ thinks this ambiguity was deliberate. “Pattern avoidance was a tactic used in all aspects of the SolarWinds campaign,” they say. The threat actors used different command-and-control IP addresses for each victim, and that in itself makes the correlation analysts like to use more difficult. The researchers found that Cozy Bear’s infrastructure “was registered under varying names and at different times over several years to avoid establishing a traceable pattern.” The SVR probably bought the domains from resellers or at auction.

Cozy Bear also hosted its campaign infrastructure, at least its first-stage infrastructure, entirely within the US. That’s not only likely to lend an air of innocence to their traffic, but it also means that they may be more likely to escape the attentions of the US National Security Agency, whose remit is of course foreign intelligence and not domestic surveillance. (We note in passing that General Nakasone, Director NSA, has told the Senate that he didn’t want his organizations given authority to monitor domestic traffic. Defense Systems quotes General Nakasone as saying, “I’m not seeking legal authorities either for NSA or for U.S. Cyber Command.”)

The second stage of the campaign was still hosted largely in the US, but by the third stage Cozy Bear was largely working from overseas. These shifts were probably intended at least in part to avoid falling into the sort of pattern that would alert observers. The threat actor also had its first-stage implant “beacon to its command-and-control servers with random jitter after two weeks.” The second stage used the familiar penetration testing tool Cobalt Strike, and the malware used in the third stage looked nothing like the tools used earlier in the campaign. Analysts who found one stage’s malware would have found it difficult to follow the attack into other stages.

“Taken together,” the RiskIQ researchers write, “the threat actors implemented their TTPs in this campaign to avoid resemblance to prior patterns associated with APT29 or any of the other known Russian APT groups. Researchers or products attuned to detecting known APT29 or other Russian APT activity would fail to recognize the campaign as it was happening. And they would have an equally hard time following the trail of the campaign once it was discovered.” But they’re confident that their own telemetry also points to APT29, the SVR, Cozy Bear herself.

We note that this may be loose usage. The Holiday Bear attacks were probably executed by the SVR, but whether the group responsible occupied precisely the same place in the organization chart as Cozy Bear could be open to question. The distinctive, not hitherto observed attack sequence would have been expensive to create and execute. (Still Cozy enough for government work.)

The Record talked with SolarWinds’ CISO, and it’s a cautionary tale for organizations who may think they have their security bases covered. “A nation-state attack of this level and sophistication [meant it was] very patient, deliberate, targeted,” SolarWinds CISO Tim Brown said, adding, “That type of campaign isn’t your general attack that you prepare for. Now what we have to do is prepare for more of those as a community.” Going forward, he indicated that they intended to “limit employee access and not trust anyone by default.” (This of course is zero trust, a sound principle that shouldn’t be an afterthought.)

And compromises continue to receive attention from criminals as well. Cybereason has found the cryptojacking botnet Prometei exploiting unpatched Microsoft Exchange Server instances. Prometei, which uses victim machines to mine Monero, was discovered last summer, but Cybereason believes the Prometei gang has been in action since 2016. Evidently a criminal operation, the gang has been happy to make use of the Exchange Server exploits first deployed by China’s Hafnium threat actor.

Prometei is random and unselective, its goal apparently being the infection of as many systems as possible. It’s been active in North America, Europe, South America, and East Asia, but it does appear to systematically avoid hitting targets in former Soviet bloc countries, which suggests that its operators would rather stay on the good side of Russian law enforcement. The sectors affected are equally wide-ranging, including financial services, insurance, retail, manufacturing, utilities, travel, and construction.

University of Minnesota banned from contributing to Linux development.

The Linux Foundation’s Greg Kroah-Hartman has banned the University of Minnesota from contributing to the Linux kernel after researchers from the university submitted buggy code as a test, the Verge reports. The researchers submitted the code to see if it would bypass the kernel community’s review process.

The University stated, “We take this situation extremely seriously. We have immediately suspended this line of research. We will investigate the research method and the process by which this research method was approved, determine appropriate remedial action, and safeguard against future issues, if needed. We will report our findings back to the community as soon as practical.”

The US Postal Service is monitoring social media posts.

Yahoo News reports that the US Postal Service is running an “Internet Covert Operations Program,” apparently a broad monitoring of US citizens’ social media activity in an effort to “trawl” for signs of extremist content that might suggest incipient violations of law. The news has been poorly received by privacy advocates and some members of Congress.

Ransomware attacks continue.

Ransomware as a whole continues to be a pervasive criminal threat to both data availability and data security. Bloomberg reports that Apple supplier Quanta Computer, a Taiwan-based manufacturer of Macbooks, has been hit with a $50 million extortion demand by the REvil ransomware gang, a well-known criminal enterprise based in Russia.

Hoods worry about their reputation, too.

Sometimes hoods need good P.R., too. In this case the goons behind Babuk have reached out to journalists (GovInfoSecurity among them) to say that they’ve fixed the buggy decryptor Emsisoft researchers embarrassed the Babuk gang about shortly after an attack on the Houston Rockets professional basketball team. Emsisoft is looking into the claims.

Facebook identifies social engineering by two Palestinian actors.

Facebook announced this week that it has taken down two Palestinian groups who’d been using the social network for a politically motivated surveillance campaign. The two actors have been identified as the Preventive Security Service (the PSS) and the Gaza-based threat actor Arid Viper. They seem to have been particularly interested in prospecting (and impersonating) journalists and other gadflies. Some of their content presented itself as solicitation for complaints of human rights violations.

The PSS-associated group used both Windows and Android malware as well as social engineering campaigns to install spyware in targets’ devices. Arid Viper used bespoke, and hitherto unidentified, “iOS surveillanceware.” And Arid Viper also relied on social engineering to distribute its malware.

Catphishing for agents.

Britain’s MI5 warns of widespread, “industrial scale” catphishing campaigns in progress over LinkedIn, as espionage services approach government workers through fictitious profiles. At least ten thousand British personnel are thought to have been prospected, the BBC reports.

Patch news.

CISA has released a new set of ICS Advisories.

Crime and punishment.

The US Justice Department has announced a 10-year sentence for a Ukrainian citizen accused of holding a “high-level role” within the FIN7 cybercrime group, CyberScoop reports. The Justice Department said Fedir Hladyr served as a manager and systems administrator for the group. Acting US Attorney Tessa M. Gorman of the Western District of Washington stated, “This criminal organization had more than 70 people organized into business units and teams. Some were hackers, others developed the malware installed on computers, and still others crafted the malicious emails that duped victims into infecting their company systems. This defendant worked at the intersection of all these activities and thus bears heavy responsibility for billions in damage caused to companies and individual consumers.”

Justice added, “Hladyr originally joined FIN7 via a front company called Combi Security – a fake cyber security company that had a phony website and no legitimate customers. Hladyr admitted in his plea agreement that he soon realized that, rather than a legitimate company, Combi was part of a criminal enterprise. Hladyr served as FIN7’s systems administrator who, among other things, played a central role in aggregating stolen payment card information, supervising FIN7’s hackers, and maintaining the elaborate network of servers that FIN7 used to attack and control victims’ computers. Hladyr also controlled the organization’s encrypted channels of communication.”

Courts and torts.

The ACLU has asked the US Supreme Court to overturn Foreign Intelligence Surveillance Court decisions blocking access to past judgments impacting privacy rights, citing the First Amendment, the New York Times reports.

Policies, procurements, and agency equities.

CNN reports that the US Department of Justice has launched an anti-ransomware task force, which “will unify efforts across the federal government to pursue and disrupt ransomware attackers.” For more, see the CyberWire Pro Policy Briefing.

Fortunes of commerce.

The US insurance company Geico has disclosed that a bug on its website exposed customer data. The Record says the data include driver’s license information. 

Moxie Marlinspike, developer of the secure messaging app Signal, has released information about a vulnerability in Cellebrite’s digital forensic products. The vulnerability exposes Windows devices that run Cellebrite to the possibility of remote code execution. Cellebrite has been widely used by law enforcement organizations in both nice and nasty regimes. It had recently announced its development of a forensic tool for analyzing Signal communications, so reports are treating Marlinspike’s announcement as a case of the biter bit, the hawk under the eagle’s foot.