A PRC-aligned actor used a trio of custom malware to take advantage of inherent weaknesses in edge appliances.

Researchers say the recent compromise of Barracuda Networks email security gateways (ESGs) was carried out by a newly discovered Chinese APT, which used three different backdoors to exploit security failings endemic to edge devices.

According to Barracuda's timeline, on May 18, the company was alerted to anomalous traffic coming from some of its ESGs. The following day, in collaboration with security company Mandiant, it discovered a zero-day vulnerability — CVE-2023-2868 — since assigned a score of 9.8 out of 10 on the CVSS vulnerability severity scale, making it critical-rated.

In multiple statements provided to Dark Reading, Barracuda has indicated that around 5% of active ESG devices worldwide have shown evidence of compromise. The company has a global footprint, with market-share watchers pegging it as claiming around a fifth of the ESG market, with clients that include CVS Health, IBM, and McKesson. 

Now, in a report published Thursday, June 15, Mandiant has connected the campaign to a novel APT it's tracking as UNC4841, assessing "with high confidence that UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People's Republic of China."

A full third of UNC4841's targets have been government organizations, and more than half are in the Americas — though "that may partially reflect the product's customer base," the researchers qualified. In many cases, the hackers collected email data not just from specific targets, but individual targets, including government officials and academics in Southeast Asia.

"They're definitely very competent," says Ben Read, Mandiant's senior manager of cyber espionage analysis, Google Cloud. "To find a vulnerability and exploit it in the ways that they have demonstrates an understanding that would have taken a lot of time and expertise to figure out. They definitely have significant funds."

**UNC4841's Many Backdoors**

UNC4841's attacks began with rudimentary phishing emails containing generic messages and broken grammar. Attached to the emails, however, were malicious tape archive (TAR) files which, when opened, exploited CVE-2023-2868, allowing the attackers to remotely execute code on target machines.

A sample UNC4841 phishing email. Source: Mandiant

Now in control of the privileges afforded to Barracuda ESGs, the attackers deployed three separate backdoors — SALTWATER, SEASPY, and SEASIDE — which each attempted to masquerade as legitimate ESG modules and services.

These backdoors "do have different capabilities, but overlap in terms of allowing for command-and-control (C2) communication to the device," explains Austin Larsen, Mandiant senior incident response consultant, Google Cloud. As he sees it, having three backdoors is a form of fault tolerance: "The actor is shown a pretty intense desire to maintain access to these devices, by establishing redundancy through multiple backdoors."

Even after its backdoors were discovered and addressed, "the threat actor reacted very quickly to any actions taken by Barracuda and Mandiant,” Larsen says. “They wanted to maintain persistence and access to these devices for as long as possible."

Together, this may explain why, even after Barracuda released a series of security patches, UNC4841's malicious activity remained ongoing. Beginning May 31, to finally rid the attackers from the appliances, the company offered to outright replace all affected ESGs at no cost to customers.

**What to Do About Edge Appliances**

Larsen points out that it's not just ESGs — edge appliances in general aren't secure enough.

"The threat that it poses is that network defenders typically don't have visibility into the underlying operating system, and so your traditional countermeasures — like EDR solutions for detection — typically don't run on these appliances," he explains. "And so, actors have realized that it's a great place to operate from, because they can typically avoid detection.”

The issues with edge appliances only mount from there. "They live on the edge of networks, so they're typically exposed in some way to the Internet and a lot of appliances are in a legacy phase at this point," he adds. "And so we're seeing that these appliances aren't quite getting the same level of attention as some more modern products and solutions, in terms of security."

But even if edge appliances themselves are vulnerable, with proper segmentation, the networks they're connected to don't have to be.

"We did identify this specific threat actor attempting to move laterally from the edge devices post-exploitation," Larsen notes. "Had these devices been in an unprivileged segment of the network, that may have prevented some of that lateral movement."

Critical Barracuda ESG Zero-Day Linked to Novel Chinese APT

It's easy to find free training in cybersecurity, but is free the best option for entering the field?

How far can you go for free? It's an interesting question if you're traveling, but it can be critical if you're trying to build a career in cybersecurity. In the last few months, a number of vendors and organizations have announced new or expanded rosters of free cybersecurity classes. Would it be possible to launch a career based only on the not-for-charge offerings?

**From the Ground Up**

There's no question that our industry is dramatically short of skilled and trained professionals to deal with the daily onslaught of attacks and attempted exploits. There is a very real question about the best way to close the gap between open positions and available talent.

One potential method of closing the talent gap isn't a realistic option: There is no way to put enough human beings through formal certification training to meet the need. When I talk to executives at training companies, all admit that, as good as they are, there's just not enough time/bandwidth/money for them to take all the necessary candidates through the process. And that conversation doesn't even begin to look at the question of whether the candidates could afford the time and investment to take the courses.

Among the answers offered to this question is the availability of free training classes in cybersecurity. Recent months have seen a wave of new no-cost options for those interested in getting into cybersecurity. Among the options are:

*   **FedVTE:** The Federal Virtual Training Environment offers free courses on many topics for US military veterans along with federal, state, local, tribal, and territorial government employees, and federal contractors.
*   **IBM****:** IBM SkillsBuild uses Coursera to deliver training for cybersecurity analyst as well as a wide variety of other IT professional positions. Some courses leading to "badges" are free; some certification requires payment.
*   **Cybrary****:** In February, Cybrary announced that more than 500 hours of cybersecurity courses were being made available at no charge. These courses cover topics ranging from cybersecurity fundamentals to professional certification prep as well as role-based material for professional development.
*   **SANS****:** SANS offers courses beginning with the Cyber Aces program on awareness, continuing with free workshops and the ability to "test drive" courses that will be paid offerings. Membership in the SANS.org community is also free and provides access to information from many cybersecurity professionals and instructors.
*   **Oxford Home Study****:** Based in the UK, this organization offers a number of different cybersecurity courses at no cost, some leading to the possibility of certification in cybersecurity.

There are others, of course, but all present the same question to would-be cybersecurity professionals: How far can I go with free courses?

The answer lies as much in what they _don't_ provide as in what they do. With rare exceptions, the free courses can provide knowledge but not credentials. And while that is not the issue in cybersecurity that it might have been 10 years ago, it can't be completely ignored.

**Sidestepping Credentials**

So what is the aspiring cybersecurity professional to do? First, definitely take advantage of free knowledge. Though they may take you only so far, free courses can take a budding cybersecurity professional beyond a first step. Next, get some hands-on experience. For those who are not employed in cybersecurity (and even those who are), capture-the-flag (CTF) exercises can be a valuable and accessible way to gain experience in the hands-on details of the field.

Next, the free courses can be a valuable tool when deciding whether or not it would be worthwhile to invest in a paid course in cybersecurity. In too many cases, the only way to find out whether a field is right for an individual is to spend money to become educated in that field. In cybersecurity, though, individuals have the opportunity to find out whether they want to pursue a career without making a huge monetary investment.

**And the Enterprise?**

A business could be sorely tempted to turn employees toward free courses when the individuals ask for professional training. And if the individual says that they're curious about cybersecurity, free courses could be an appropriate answer. But for professional training that will create an individual ready to step onto the beginning track of cybersecurity, there are paid courses of study that offer much more in the way of training, assessment, and accountability than do the free options.

Free courses in cybersecurity are good for the industry and for individuals, but they have a role to play in cybersecurity training and shouldn't be asked to go wildly beyond that role. Keep expectations realistic and opportunities for hands-on experience readily available, and free courses can play a solid supporting role in early cybersecurity career development.

Free Training's Role in Cybersecurity

The academy is meant to ensure a safe and strong telecommunication service and information technologies for Angola's citizens, the president said.

Angola President João Lourenço announced plans to open a cybersecurity academy to better secure the nation's telecommunications and IT networks.

According to the Angolan Press Agency, Lourenço added that efforts are underway to guarantee trust and security of the country's networks, with a focus on the protection and defense of critical infrastructure and vital information services. The academy is meant to ensure a safe and strong telecommunication service and information technologies user defense.

A number of digital modernization programs are underway in Angola in both the public and private sectors. A strong partnership with the private sector has boosted the use of digital services across verticals including banking, insurance, energy, and health, Lourenço said in his remarks. An emerging startup ecosystem is introducing innovative technologies. Angola has seen a 55% growth in mobile telephone service and 20% increase in the Internet access rate from 2021 to the first quarter of 2023.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Angola Marks Technology Advancements With Cybersecurity Academy Plans

A new version of the infamous browser extension is spreading through files on websites offering pirated wares and leverages unique persistence mechanisms.

Fake websites advertising pirated video games, films, and other wares are spreading a new variant of the ChromeLoader malware dubbed "Shampoo," that is anything but clean: It steals sensitive data, redirects searches, and injects ads into a victim's browser session.

Researchers from HP Wolf Security have been tracking the new campaign, which appears to have been active since March and distributes malware similar to the original ChromeLoader — first discovered in May 2022 — but that's noticeably harder to wash out of the proverbial IT hair thanks to multiple persistence mechanisms, they said.

The goal of the first version of ChromeLoader was to install a malicious Chrome extension for advertising, a process that includes "a particularly complex infection chain" that begins with victims downloading malicious ISO files from websites hosting illegal content that hijack browsers, wrote Jack Royer, an HP malware analyst intern, in a post on the HP Threat Research Blog published this week.

"ChromeLoader used in the Shampoo campaign is very similar; it tricks victims into downloading and running malicious VBScript files from websites, eventually leading to the installation of a malicious Chrome browser extension," he explained. "This campaign is very similar to ChromeLoader, in terms of its infection chain, distribution, and objective," with the two sharing code similarities and the ad-monetization feature.

One notable feature of Shampoo that's different than the original ChromeLoader is how it uses the browser's Task Scheduler to achieve persistence, by setting up a scheduled task to re-launch itself every 50 minutes, they said.

The script runs a PowerShell script that sets up the scheduled task, running a looping script every 50 minutes that downloads and runs another PowerShell script, the researchers said. This script downloads and installs the malicious ChromeLoader Shampoo extension that, once attached to a Chrome session, starts sending sensitive information back to a command and control (C2) server.

"This persistence mechanism allows the malware to remain active despite reboots or the script being killed by a security tool or user," Royer wrote.

**Inside the Shampoo ChromeLoader Infection Chain**

Users who encountered Shampoo did so by downloading illegal content from the Internet, such as movies, video games, or other files, from websites that offer pirated files, the researchers said. Victims are tricked into running malicious VBScripts that they think are pirated wares — for example, Cocaine Bear.vbs or Your download is ready.vbs — which triggers the infection chain, the researchers noted.

"The extension is heavily obfuscated and contains many anti-debugging and anti-analysis traps," with its author appearing to have used a free online JavaScript obfuscator to make the malware harder to detect, Royer wrote.

Other malicious activities that ChromeLoader Shampoo carries out on a victim's machine include disabling search suggestions in the address bar; redirecting Google, Yahoo, and Bing searches to the C2; logging the victim's last search query in Chrome's local storage; and logging the last search query in Chrome's local storage and preventing victims from accessing chrome://extensions by redirecting them to chrome://settings, likely to stop them from removing the extension, the researchers said.

The persistence mechanism that sets up the scheduled looping task also unregisters a list of tasks prefixed with "chrome\_" — such as "chrome engine," "chrome policy," and "chrome about," the researchers noted. "This is likely done to remove any previous or competing version of the same malware," Royer wrote.

**Be Wary of Illegal Downloads**

Though the first version of ChromeLoader was similar to Shampoo in that it was mainly aimed at hijacking browser sessions and stealing victim data, it has since evolved into a more dangerous threat, with attackers now using it to drop ransomware, steal data, and crash systems at enterprises.

It's unclear if the Shampoo variant also will be leveraged in this way in the future. However, the researchers advised that people shouldn't take chances, and provided tips for how to avoid infection as well as a list of indicators of compromise in the post.

One obvious way to avoid compromise by the Shampoo variant is not to download pirated material from the Internet, and to avoid downloading any files from untrusted websites in general, they said. This is particularly true for employees using Chrome in a corporate environment, who should be particularly wary of downloading anything from the Internet via a corporate network (or onto a shared work/personal device), lest it spread throughout an organization.

Organizations should also configure email gateway and security tool policies to block files from unknown external sources as added protection, advised Patrick Schläpfer, malware analyst at the HP Wolf Security threat research team, in a press statement.

'Shampoo' ChromeLoader Variant Difficult to Wash Out

Organizations that remain compliant with data-sovereignty regulations while enabling cross-border data sharing gain significant competitive advantage because they can make quick, agile, and informed decisions.

Since the dawn of the digital age, businesses have worked under the assumption that data is like water. It is the source of nourishment for business operations. It's been free-flowing – with little to no limitations on how it's collected, stored, processed, and moved. But today, that tap has been turned off, rivers rerouted, and dams created by privacy regulations blocking an essential business element.

Companies have built global businesses by sharing data, and decades of globalization are being reversed by privacy regulations. In the wake of data privacy's growing momentum through data sovereignty laws, they must now learn how to deliver the same level of customer service, meet delivery deadlines, and communicate across supply chains while remaining compliant. This leaves organizations needing to balance seemingly opposing goals: advancing business with data sharing, artificial intelligence (AI), and machine learning, while maintaining compliance.

May 2023 marked the fifth anniversary of the first (and arguably most comprehensive) data privacy law — the European Union General Data Protection Regulation (GDPR). Over 130 similar laws have passed since, with many more on the horizon. For example, Canada's Digital Charter Implementation Act, India's Digital Personal Data Protection (DPDP) bill, the Colorado Privacy Act (CPA), and the Utah Consumer Privacy Act (UCPA) go into effect this year. While consumers hail the laws' protections, organizations accustomed to collecting, using, and sharing data across borders struggle to balance compliance with meeting business needs.

**Compliance Challenges**

Businesses have long understood that data sharing has limits (or borders). Legal separations keep data from various subsidiaries distinct or limit sharing between partners to specific data types. Multi-tenant software applications often require logical partitions to keep customer data private. What is rapidly changing are new data sovereignty laws, often cloaked as "data privacy" regulations, that enforce geographic boundaries on where data is processed and stored. Businesses must comply with the laws of each country where they operate, and data sovereignty presents a clear compliance challenge as companies hurry to rethink how and where they safely acquire personal data to share and protect.

Countries enacting regulations keeping personal data inside their borders may deem their citizens' data of strategic national importance. More commonly, it's an enforcement mechanism that acknowledges personal data as an asset owned by individuals that businesses must use and share according to that country's laws. Recent data sovereignty requirements cannot be easily bypassed or pushed to the consumer's consent. They must be followed, making adhering to those policies while conducting business a significant challenge. Companies operating on a global scale need to move and process sensitive data across complex legal, corporate, geopolitical, and regulatory boundaries. Data localization puts their cloud strategies at risk.

**The Cost of Doing Business Across Borders**

Organizations face significant costs due to operating under data sovereignty laws. The most expensive is duplication of technology, people, or resources to meet sovereignty requirements. To comply with regulations, businesses often duplicate internal resources across regions or countries, ensuring data remains within its original jurisdiction. However, failing to take active measures to protect personal data can result in hefty fines.

Recently, the European Court of Justice imposed a $1.3 billion fine on US-based Meta for not adequately protecting EU citizens' personal data. Meta used "standard contractual clauses," a common technique that relies on contract language as an obligation rather than technical controls. However, the court found this approach to be insufficient for GDPR compliance. Therefore, robust data protection mechanisms are essential for companies to avoid costly fines and safeguard customer data.

Using expensive third-party data processors for localization requirements is another issue. While this diminishes compliance risks, it increases security risks due to sharing data with another party. Legacy technologies, including dynamic data masking, access control lists, and file-based protection methods, were not built to tackle today's compliance requirements.

Community and national leaders may argue that the extra costs to comply with sovereignty laws are the price of doing business. But for many, those costs could be too high.

**Solutions for Reintegrating Borderless Data**

As the Information Technology and Innovation Foundation states, "Data is the lifeblood of the modern global economy….Businesses use data to create value, and many can only maximize that value when data can flow freely across borders." However, for borderless data and data sovereignty to coexist, businesses must find compliant ways to enable cross-border data sharing. That's where tokenization comes in.

By tokenizing data, businesses can secure it while allowing different users and companies to access it, all while maintaining compliance with local regulations. An important ruling by the General Court of the European Union in April highlights the relevance of this issue. In GCEU Court Case T-557/20, SRB v EDPS, the court held that pseudonymized data transmitted to a data recipient would not be considered personal data if the data recipient does not possess the legal means to reidentify the data subject. This ruling has significant implications for companies with transborder data flows, making finding compliant ways to enable cross-border data sharing even more critical.

In a broader sense, for companies to achieve efficient global compliance, they need centralized data policy, logging, auditing, and monitoring that deliver efficiencies at scale to meet data sovereignty requirements for applications. Automated systems that offer centralized, continuous protection, audit, and compliance for personally identifiable information (PII) will reduce compliance costs and open new opportunities for businesses to compete on data. By federating the implementation of data security and privacy to more abundant resources, organizations can reduce costs.

**Policy and Commerce Can Co-Exist**

Data sovereignty laws constantly change as technology and digital trends evolve. Therefore, organizations can't fall back on a "one-and-done" approach to compliance. It's essential to continually monitor and adjust to changing laws. Organizations that remain compliant while enabling borderless data gain a significant competitive advantage because they can make quick, agile, and informed decisions about customers and products in existing markets. In addition, the ability to share data across new regions opens new markets worldwide.

Ultimately, by complying with privacy and security regulations, organizations can protect customer data, build trust, and enhance their reputation, leading to increased customer loyalty. Loyalty equals revenue, and revenue equals long-term success.

Borderless Data vs. Data Sovereignty: Can They Co-Exist?

NetSecOpen recently released a new draft of its testing and benchmarking guide, which could be adopted later this year.

Despite slow progress, NetSecOpen — a group of network security companies and hardware testing organizations — aims to have its testing and benchmark standards in place by later this year.

The group published the latest version of its network security testing standard for next-generation firewall technology in May to gather feedback as the group moves toward a final version. The end result will be a consensus method for testing and benchmarking network security appliances that allows comparisons of different vendors' devices, even if they are evaluated by different third parties, says Brian Monkman, executive director of NetSecOpen.

"What we're working on accomplishing here is something that's never been done — setting up standard test requirements that can be executed by multiple labs using different test tools and getting comparable results," he says. "It's something analogous to when the miles per gallon ... had different approaches and ... they tested things differently and so they forced the creation of a standard. That's kind of what we're doing here."

Established in 2017, NetSecOpen aims to ease the tension between product makers and test labs, which have occasionally become rancorous. Members include large network security firms — including Cisco Systems, Fortinet, Palo Alto Networks, and WatchGuard — as well as testing equipment makers, such as Spirent and Ixia, and evaluators, such as the European Advanced Networking Test Center (EANTC) and the University of New Hampshire InterOperability Laboratory (UNH-IOL).

While the latest standards document is published as part of the Internet Engineering Task Force (IETF) process, the eventual guidelines will not be an Internet standard to which equipment makers must adhere, but a common approach to testing methodology and configurations that improve the reproducibility and transparency of resulting tests.

The current testing standards for firewalls published by the IETF (RFC3511) are 20 years old, and the technology has changed dramatically, NetSecOpen stated in its draft (RFC9411).

"Security function implementations have evolved and diversified into intrusion detection and prevention, threat management, analysis of encrypted traffic, and more," the draft states. "In an industry of growing importance, well-defined and reproducible key performance indicators (KPIs) are increasingly needed to enable fair and reasonable comparisons of network security functions."

**Real-World Test Cases**

The NetSecOpen tests aim to use real-world data to pit the latest network security appliances against realistic network loads and security threats. The attack traffic test set, for example, brings together common vulnerabilities that have been used by attackers in the past decade.

The NetSecOpen draft recommends specific test architectures, traffic mixes between IPv4 and IPv6, and enabled security features. However, other aspects of testing include required elements, such as the capabilities of emulated browsers, attack traffic that targets a specific subset of known exploitable vulnerabilities, and tests of a variety of throughput performances, such as application traffic, HTTPS requests, and quick UDP Internet connections (QUIC) protocol requests.

Network security firm Palo Alto Network, a founding member of NetSecOpen, actively collaborates with NetSecOpen to "create the tests and actively participate in testing our firewalls using those tests," says Samaresh Nair, director of product line management at Palo Alto Networks.

"The testing process is ... standardized with accredited test houses," he says. "Customers can use it to evaluate various products with standardized results tested similarly."

The vulnerabilities test sets are in the process of being updated because the Cybersecurity and Infrastructure Security Agency (CISA) demonstrated that smaller, noncritical vulnerabilities can be strung together into effective attacks. The organizations had previously dismissed many of those vulnerabilities as a lesser threat, but attack chain data CISA collected show that attackers will adapt.

"There's definitely a class of CVEs out there that we, in the past, would have ignored, and we need to pay attention to those simply because vulnerabilities are being strung together," NetSecOpen's Monkman says. "That's going to be really the biggest challenge that we have because the CISA KEV vulnerability list might grow."

**Cloud Up Next**

In addition to new mixes of vulnerabilities — such as those that are currently targeting the education and healthcare sectors — NetSecOpen is looking to include detection of command-and-control channels used by attackers, as well as ways of preventing infection and lateral movement.

Testing the security of cloud environments — such as distributed cloud firewalls and Web application firewalls — is also on the future blueprint, says Chris Brown, technical manager at UNH-IOL, which joined NetSecOpen in 2019.

"Cloud would not change NetSecOPEN’s mission for well-defined, open, and transparent standards, but rather expand the products currently tested," Brown says. "In the foreseeable future, network perimeter defense will still be necessary despite the many benefits of cloud computing."

Network-Security Testing Standard Nears Prime Time

Attackers continue to attempt to steal Bitcoin and other virtual coins, with a 40% increase in phishing attacks and fourfold increase in incidents.

Cryptocurrency continues to be a favorite target of attackers, with attacks targeting Bitcoin and other currencies growing at a robust pace.

In the recently released "2023 Data Breach Investigations Report" (DBIR), Verizon noted that attacks in its dataset that specifically target cryptocurrency data grew 300%, to 48 incidents reported, up from 12 in 2022. Whether the trend continues this year remains to be seen, says David Hylender, senior manager of threat intelligence for Verizon.

"The crypto boom presented many opportunities for attackers to gain access to many valuable crypto assets," Hylender says. "However, the circumstances have changed somewhat over the past year, and they may result in corresponding changes in the degree that attackers will be targeting this type of data."

Of the attacks submitted to the Verizon DBIR, about half used an exploit, more than 40% used stolen credentials, and about a quarter incorporated a phishing attack, according to the report. While some of the attacks — more than 10% — used email as a vector, most compromised the user's account through the Web application or an application programming interface, the report stated.

Verizon's Hylender cautioned that the company had received only dozens of reports, much smaller than the hundreds or thousands of other types of compromises the company analyzed from other sources.

"We caveat in the report that although it has seen a fourfold increase, it is still a relatively small number compared to all other data types," he says.

**Volatile Markets, Stable Cybercrime**

Over the past decade, cryptocurrency has become an integral part of the cybercriminal ecosystem, allowing would-be attackers to pay for a variety of offensive-security services and receive payments from ransomware victims. Increasingly, the potential for quick and substantial financial gains has attracted speculative investors, who are, in return, targeted by scammers aiming to exploit this enthusiasm for their own benefit, says Kurt Baumgartner, a principal security researcher with Kaspersky.

"Cryptocurrency enables cybercrime in multiple ways," Baumgartner says. "We've seen cryptocurrency exchanges pilfered, cryptocurrency trading apps Trojanized and their related websites compromised for use as command-and-control, cryptocurrency used by cybercrime individuals and groups for employment and services payments, ... and cryptocurrency used as an easily laundered method of sometimes massive payment by victims in the millions for ransomware and other extortion crimes."

Even as the value of cryptocurrency fluctuates wildly in the market, it remains a popular financial instrument for cybercriminals to use _and_ abuse. Last year, the number of cryptocurrency-related phishing attacks targeting Kaspersky customers grew 40% to 5 million, up from 3.6 million in 2021, the company stated.

One campaign used a Trojanized Tor browser to steal cryptocurrency from more than 15,000 users in 52 countries, valuing at least $400,000, according to Kaspersky's research. In another campaign, cyber thieves used a loader dubbed DoubleFinger to install a Trojan — dubbed GreetingGhoul — that replaces the login window of common cryptocurrency wallets with an information-collecting duplicate.

"DoubleFinger, coupled with GreetingGhoul, is an advancement for crime elements both in terms of stealth technology and targeting when it comes to cryptocurrency theft," Kaspersky's Baumgartner says. "As cryptocurrency continues to be a highly valued object of online theft efforts, with individuals protecting themselves with cold wallets and the like, malware like these demonstrate serious advancement both in malicious technologies and techniques."

Cryptocurrency Attacks Quadrupled as Cybercriminals Cash In

Microsoft says Cadet Blizzard wielded a custom wiper malware in the weeks leading up to Russia's invasion of Ukraine, and it remains capable of wanton destruction.

A threat actor that played a key role in the leadup to the Russian invasion of Ukraine was identified on June 14. Activity from the "Cadet Blizzard" advanced persistent threat (APT) peaked from January to June of last year, helping to pave the way for military invasion.

Microsoft detailed the activity in a blog post. Most notable among the APT's actions were a campaign to deface Ukrainian government websites, and a wiper known as "WhisperGate" that was designed to render computer systems completely inoperable.

These attacks "prefaced multiple waves of attacks by Seashell Blizzard" — another Russian group — "that followed when the Russian military began their ground offensive a month later," Microsoft explained.

Microsoft connected Cadet Blizzard with Russia's military intelligence agency, the GRU.

Identifying the APT is a step towards fighting Russian state-sponsored cybercrime, says Timothy Morris, chief security advisor at Tanium, "however, it is always more important to focus on the behaviors and tactics, techniques, and procedures (TTPs) and not solely upon who is doing the attacking."

**Cadet Blizzard's Behaviors & TTPs**

Generally, Cadet Blizzard gains initial access to targets through commonly known vulnerabilities in Internet-facing Web servers like Microsoft Exchange and Atlassian Confluence. After compromising a network, it moves laterally, harvesting credentials and escalating privileges, and using Web shells to establish persistence before stealing sensitive organizational data or deploying extirpative malware.

The group doesn't discriminate in its end goals, aiming for "disruption, destruction, and information collection, using whatever means are available and sometimes acting in a haphazard fashion," Microsoft explained.

But rather than being a jack of all trades, Cadet is more like a master of none. "What's perhaps most interesting about this actor," Microsoft wrote of the APT, "is its relatively low success rate compared with other GRU-affiliated actors like Seashell Blizzard \[Iridium, Sandworm\] and Forrest Blizzard (APT28, Fancy Bear, Sofacy, Strontium\]."

For example, compared to wiper attacks attributed to Seashell Blizzard, Cadet's WhisperGate "affected an order of magnitude fewer systems and delivered comparatively modest impact, despite being trained to destroy the networks of their opponents in Ukraine," Microsoft explained. "The more recent Cadet Blizzard cyber operations, although occasionally successful, similarly failed to achieve the impact of those conducted by its GRU counterparts."

All this considered, it's no surprise that the hackers also "appear to operate with a lower degree of operational security than that of longstanding and advanced Russian groups," Microsoft found.

**What to Expect From the Cadet Blizzard APT**

Though centered on matters related to Ukraine, Cadet Blizzard operations aren't particularly focused.

Besides deploying its signature wiper and defacing government websites, the group also operates a hack-and-leak forum called "Free Civilian." Outside of Ukraine, it has attacked targets elsewhere in Europe, Central Asia, and even Latin America. And besides government agencies, it often targeted IT service providers and software supply chain manufacturers, as well as NGOs, emergency services, and law enforcement.

But while they may have a messier operation in certain ways, Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, warns that Cadet Blizzard is still a fearsome APT.

"Their goal is destruction, so organizations absolutely need to be equally worried about them, as they would other actors, and take proactive measures like turning on cloud protections, reviewing authentication activity and enabling multifactor authentication (MFA) to protect against them," she says.

For his part, Morris recommends that organizations "start with the basics: strong authentication — MFA,

FIDO keys where necessary — implement principle of least privilege; patch, patch, patch; ensure your security controls and tools are present and working; and train users frequently."

Russian APT 'Cadet Blizzard' Behind Ukraine Wiper Attacks

St. Margaret's Health is shutting down due to a 2021 ransomware attack and other factors. It's an object lesson for how small and rural healthcare facilities face grave cyber-risk when extortionists come calling.

An Illinois hospital's decision to cease operations later this week at least partly because of a 2021 ransomware attack that crippled operations for months is a stark reminder of the sometimes-existential threat that online extortion campaigns can pose.

That's especially true for resource-strapped small and rural hospitals.

St. Margaret's Health (SMH) will permanently close its hospitals, clinics, and other facilities at Spring Valley and Peru, Ill. this Friday, June 16, after serving the community for 120 years. Multiple factors led to the decision, including unprecedented expenses tied to the COVID-19 pandemic, low patient volumes tied to social-distancing mandates, and staff shortages that forced the health system to have to rely on temporary staffing agencies.

But the February 2021 ransomware attack on its systems at Spring Valley had a big part to play; they  catastrophically impacted the hospital's ability to collect payments from insurers for services rendered, and the attack forced a shutdown of the hospital's IT network, email systems, its electronic medical records (EMR) portal, and other Web operations.

**A Contributing Factor**

SMH vice president of quality and community services Linda Burt says the attack lasted four months, during which employees had no access to the IT system, including email and the EMR system. 

"We had to resort to paper for medical records. It took many months, and in some service lines, almost a year to get back online and able to enter any charges or send out claims," Burt says. "Many of the insurance plans have timely filing clauses which, if not done, they will not pay. So, no claims were being sent out and no payment was coming in."

SMH is the latest to make the list that security analyst and researcher Adrian Sanabria maintains of organizations that were forced out of business because of a cyberattack over the past two decades. The list currently comprises 24 organizations — many of them small — across multiple sectors. Among the names in the list is payment processing firm CardSystems, which closed in 2005 following a data breach that exposed sensitive data associated with some 40 million credit cards; security firm HBGary which went kaput in 2011 after hackers broke into its systems and leaked information about the company; and Brookside ENT and Hearing Center which shut down in 2019 following a ransomware attack. Significantly, 10 of the cyberattacks on Sanabria's list are ransomware-related and all of those happened after 2014, when ransomware really started ramping up.

**St. Margaret's Won't be the Last Ransomware Casualty**

Joshua Corman, former CISA chief strategist and current vice president of cyber safety strategy at Claroty, expects what happened at SMH will happen to other hospitals, especially smaller ones and those located in rural areas. Corman, who was part of a CISA COVID-19 task force that looked into the potential correlation between excess hospital deaths and ransomware, says the hospitals most expected to close are those that are situated the farthest away from other hospitals and alternative care options.

"Small and rural hospitals already face significant financial strains from the last few years of \[the\] pandemic and very few have much cash-on-hand reserves for unplanned disruptions," Corman says. "Ransomware attacks can disrupt operations for weeks and months and can, therefore, represent the straw that breaks the camel's back."

A couple of factors might be exacerbating the situation. Often many small, midsized, and rural hospitals lack a full-time security staff. They also have a harder time getting cyber insurance, and when they do, it can cost more for less coverage. 

"Congress and the White House are exploring relief, and it's long overdue," Corman says. 

In the meantime, policy-makers and industry stakeholders need to find a way to raise the bar on cyber-hygiene in material ways, and provide financial assistance for smaller, target-rich, but cyber-poor entities. "Ransomware attacks represent a new, man-made, but material hazard deserving of Board-level attention," Corman says. "This hazard could drive smaller and rural hospitals into closure."

Mike Hamilton, former CISO for the City of Seattle and currently in the same role at healthcare cybersecurity firm Critical Insight, says it's unclear if the attack on SMH was opportunistic or targeted in nature. However, even healthcare entities like SMH, which likely don't have the ability to pay a ransom even if they wanted to, can become a target if the threat actor knows it carries cyber insurance, Hamilton says. "Knowing that organizations have cyber insurance allows threat actors to set the extortion demand just under the threshold for the cost of rebuild and recovery," he notes.

**Advocating for State & Federal Assistance**

Like Corman, Hamilton too views a cyberattack that disrupts operations as existential for healthcare providers that are already operating on thin margins.

Corman advises administrators and top management at smaller and rural healthcare systems to advocate for assistance from state and federal authorities. "To aid in minimizing risk, these systems should engage their regional CISA and HHS resources along with the FBI," Corman notes. They can also focus on prioritizing patching of CISA's Known Exploited Vulnerabilities and take advantage of some of the free cybersecurity tools that CISA offers such as Cyber Hygiene Scanning (CyHy) and Cyber Essentials.

Hamilton says healthcare IT teams need to limit employee access to the Internet from a healthcare environment as much as possible. "Use the analogy of a control room that operates a dam that generates power — no Internet access, period," he says. "Most attacks start with user action and limiting that access can have an outsized effect on prevention."

Illinois Hospital Closure Showcases Ransomware's Existential Threat

Microsoft quickly issued patches for the two security issues, which could allow unauthorized access to cloud sessions.

Two cloud security vulnerabilities — in Azure Bastion and Azure Container Registry — were found in Microsoft Azure's services, which "allowed an attacker to achieve cross-site scripting (XSS) by using iframe-postMessages \[and\] allowed unauthorized access to the victim's session within the compromised Azure service iframe," according to Orca Security.

Orca notified the Microsoft Security Response Center (MSRC) immediately upon discovery of the bugs. MSRC was able to reproduce the issues after it was notified of the vulnerabilities' existence in order to patch and verify them.

Cross-site scripting (XSS) is an event in which a threat actor injects malicious scripts into a credible website, ultimately executed by users' browsers unknowingly. At that point, this can lead to severe consequences, noted Orca Security, as threat actors can gain unauthorized access, compromise network systems, or even steal data.

However, "these vulnerabilities require a victim to be lured into visiting a compromised endpoint that the malicious actor controls," commented David Lindner, CISO at Contrast Security, in an emailed statement. "Should Microsoft fix this? Most likely, but I would not call these severe by any means. If anyone gets lured into an attacker-controlled endpoint, all bets are off anyway."

The fixes were automatic, so no further action is required from Azure users, but they may want to look for signs of compromise.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading