Categories: News
Categories: Ransomware
Tags: DAIXIN

Tags:  FBI

Tags:  CISA

Tags:  HHS

Tags:  ransomware team

Tags:  DAIXIN Team

Tags:  ransomware

The FBI, CISA, and HSH have issued a joint advisory about a new threat to healthcare organizations



(Read more...)




The post US agencies issue warning about DAIXIN Team ransomware appeared first on Malwarebytes Labs.

The FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) have issued a joint advisory about DAIXIN Team, a fledgling ransomware and data exfiltration group that has been targeting US healthcare.

First spotted in June 2022, the DAIXIN Team quickly got the government's attention after executing multiple ransomware attacks against organizations in the health and public health sector. As is standard these days, the ransomware attacks involved both encrypting servers and stealing data. In this case the data included both personally identifiable information and patient health information PHI.

The DAIXIN leak site

The advisory reports that DAIXIN Team has been seen gaining initial access to victims' systems through their VPN severs. In one case they accessed a victim through an unpatched vulnerability, and in another the gang used phished credentials.

Upon successful infiltration, the team conducts reconnaissance, escalates privileges through credential dumping or the pass-the-hash technique, steals sensitive data, and deploys ransomware based on the Babuk Locker source code leaked in 2021.

According to Malwarebytes' Malware Intelligence Analyst and ransomware expert Marcelo Rivero, DAIXIN Team has been quieter of late. "At this time, they appear to have taken a hiatus, as they haven't listed any new victims so far this month."

As with most ransomware groups, DAIXIN team publishes details of its victims and leaks their stolen data, if they don't pay the ransom. After publishing details of three victims in August, it only published one in September, and so far none in October, with November just around the corner. A lack of published victims may indicate inactivity, or it could be that DAIXIN Team have been successful at persuading victims to pay up.

Still, healthcare organizations must heed the alarm raised by the FBI, CISA, and the HHS. They report that out of 649 ransomware reports received by the FBI Internet Crime Complaint Center in 2021, 148 were in the Healthcare and Public Health sector. DAIXIN Team may be the latest ransomware threat, but it isn't the only threat.

Basic mitigations can close the loopholes ransomware groups exploit:

*   Create a plan for patching software in a timely manner.
*   Train users to report suspicious emails and phishing attempts.
*   Require two-factor authentication (2FA) on remote desktops and VPNs.
*   Use endpoint security software with EDR to identify intruders and stop ransomware.
*   Assign access rights according to the Principle of Least Privilege.
*   Segment networks to make lateral movement more difficult.
*   Create and test offline, offsite backups that are beyond the reach of attackers.

For more information about how to protect your organization against DAIXIN Team and other ransomware gangs, go to this AA22-294A alert page.

US agencies issue warning about DAIXIN Team ransomware

The manufacturing segment was especially hard hit by cyberattacks in the third quarter of 2022.

Ransomware gangs are hitting the industrial sector hard — and especially manufacturing companies, with significant spikes in cyberattack activity against US organizations spotted in the third quarter. Meanwhile, emerging ransomware groups are bursting onto the scene, threatening to push the rate of attacks up even higher.

According to a Dragos Q3 analysis of ransomware attacks on industrial organizations, 36% of the recorded cases globally hit North America (46 incidents). This is a significant 10% increase over last quarter, when a quarter of cases affected the region.

However, the analysis also found that the rate of attacks globally remained flat quarter over quarter — 128 incidents for Q3 vs. 125 in Q2.

The majority (68%) of observed incidents were aimed at the manufacturing sector. Out of the confirmed attacks (i.e., those publicly reported, seen in the firm's telemetry, or confirmed on the Dark Web), 88 were against that segment, especially those producing metal products (12 attacks).

Stephen Banda, senior manager of security solutions at Lookout, noted that the manufacturing sector, like everyone else, is moving to the cloud; digitizing manufacturing, inventory tracking, operations, and maintenance increases agility and efficiency, with less production downtime and a greater nimbleness. But it also opens up new attack surfaces.

"To remain competitive, manufacturers are investing in intellectual property and new technologies like digital twins," he tells Dark Reading. "In short, manufacturers are transforming the way they produce and deliver goods - moving toward industrial automation and the flexible factory. This transformation, known as Industry 4.0, puts pressure on mobile devices and cloud solutions."

Yet for most manufacturers, security solutions still remain on-premises, he adds.

"This creates efficacy and scalability challenges when tasked with protecting productivity solutions that have moved to the cloud," he notes. "Security therefore must also move to the cloud to adequately safeguard manufacturing operations."

As for other industrial segments, 9% of attacks targeted the food and beverage sector (12 incidents), followed by oil and natural gas (6%, or eight incidents) and the energy and pharmaceuticals sectors (collectively making up 10% of attacks, with seven and six incidents respectively). The chemical, mining, engineering, and water and wastewater systems segments had just one attack each.  

**Different Threat Actors Target Different Industrial Segments**

In terms of the actors on the industrial stage, the LockBit gang was behind more than a third of all global incidents (35%), while some other known names focused on the energy sector (Ragnar Locker and BlackCat/AlphaV, notably). But the quarter also saw the rise of some emerging actors, like Sparta Blog, BianLian, Donuts, Onyx, and the slow-burning Yanluowang.

In all cases, various groups seemed to have specialties, Dragos noted, including:

*   Ragnar Locker has been targeting mainly energy.
*   Cl0p Leaks has been targeting only water and wastewater.
*   Karakurt has targeted only manufacturing in Q3, while in Q2, it only targeted transportation entities.
*   LockBit 3.0 is the only group that targeted chemicals, drilling, industrial supplies, and interior design.
*   Stormous has only targeted Vietnam.
*   Lorenz has only targeted the United States.
*   Sparta Blog has only targeted Spain.
*   Black Basta and Hive mainly targeted the transportation sector.

Bud Broomhead, CEO at Viakoo, noted that specific ransomware strains targeting specific industries should galvanize intelligence sharing.

"This should spur more industry-level coordination to protect against those threats, specifically between companies that otherwise would compete in the marketplace," he says. "Rather than every organization individually mounting defenses, industry-wide responses are needed (put another way, cybercriminals are attacking an industry which requires industry-level responses). Threat actors don’t exist in silos, so why should the response to them be siloed?"

That coordination could be vitally important, given that going forward, Dragos researchers warned that more new ransomware groups will appear in the next quarter, as either new or reformed ones, due to the changes in ransomware groups and the leaking of the LockBit 3.0 builder — all of which could lead to greater attack volumes.

"\[We have\] high confidence that ransomware will continue to disrupt industrial operations, whether through the integration of \[operational technology\] OT kill processes into ransomware strains, flattened networks allowing for ransomware to spread into OT environments, or through precautionary shutdowns of OT environments by operators to prevent ransomware from spreading to OT systems," Dragos researchers said in the Wednesday report.

Broomhead noted that ramped up attacks are likely being driven by twin engines, including the Russia-Ukraine conflict.

"The rise in ransomware attacks against industrial organizations who rely on OT systems is likely coming from threat actors viewing such organizations as easier victims because OT systems and devices are much more vulnerable than traditional IT systems," he says. "While there may be a rise in targeting industrial organizations because of the conflict in Ukraine, those organizations have been targeted for a long time by several foreign adversaries, therefore this increase is a combination of industrial OT systems being easier to exploit and increased activity due to Ukraine."

Ransomware Gangs Ramp Up Industrial Attacks in US

When we think about cybercrime and retail it is natural to focus on websites being targeted with attacks. Indeed, there has been a shocking rise in the number of cyberattacks perpetrated against online retailers in the past year. Dakota Murphey explains why store owners and security managers need to also protect their physical locations from the cyber threat, too, however.

_This article was written by Dakota Murphey._

Figures from SonicWall's Biannual Report revealed that e-commerce and online retail businesses saw a 264% surge in the past 12 months in ransomware attacks alone. These kinds of statistics are extremely worrying for retail businesses, so it is unsurprising that websites and digital security are at the forefront of retailers' minds.

However, for those retailers that have a physical store as well as an online presence, there might be an assumption that the cybersecurity in-store doesn't need to be considered as a top priority. Well, doing so could be a big mistake.

In this article, we take a look at why retail stores are more vulnerable to cybercrime than ever before.  

**Security Is Weaker**

There can be no doubt that one of the major issues around security in-store is the issue of complacency. It is assumed that physical stores themselves are unlikely to be targeted by cybercriminals — surely it is more likely that they will put their resources into using hacking or phishing? 

In reality, cybercriminals are always looking for ways to maximize their time — they want quick wins. Increasingly, as retail stores are less well protected they are being seen as an easy way into the computer system of a company. Perhaps the lesson that needs to be learned here is that you should never assume that you won't or can't be attacked.

Cybercriminals are far more sophisticated than they've ever been. If there are gaps in security, they can identify and tap into them. Retailers, for instance, need to balance consumers' privacy and data protection with their own tight security measures that protect their internal IT systems and physical stores. Failure to install security effectively and comply can result in firms facing fines for breaches in privacy laws under stringent CCTV regulations and GDPR guidelines.

**Stores and Websites Are Intrinsically Linked**

You might think that there is a divide inside your business: your physical store and your online store. However, it is generally the case that your physical premises are linked to your digital system just as much as an office might be. Do you log in to your system at work? Do you track customers' details using an IT system? 

For the majority of businesses, the physical store is actually just as dependent on your IT system as the site online. This presents a potential problem. If your physical retail store can potentially allow access to your whole IT system, cybercriminals can use nefarious methods in your physical premises. 

**The Rise of the Internet of Things**

Physical stores are increasingly reliant on Internet of Things devices — that being any device that is connected to the Internet. This might include stock checkers, smart shelves, predictive maintenance equipment and much more. 

Physical security devices such as CCTV, video surveillance, and alarm systems are often connected to the Internet and can also be a vulnerability for targeted cyberattacks. The wider use of video surveillance technology and other types of physical devices extends to more than pure crime detection. They have intelligent capabilities that can be applied to monitor crowds, secure physical sites, and support building management platforms. 

Although such integrated systems do a good job in providing smart data to support security firms and facilities managers managing retail sites, any data, files and surveillance videos can be vulnerable to cyberattacks. 

Whether stored or managed on cloud-based applications or as on-premise solutions, such physical security devices that protect retail stores also open up another potential entry point to your IT system that criminals can exploit. And, if CCTV, video surveillance and alarm systems are not managed properly, they can be a major problem.

**The Invasion of Shadow IT**

Shadow IT is the use of any kind of software or applications that aren't approved by the IT team. This is becoming a big problem, especially in stores where staff make use of personal devices as a part of their role. 

"The popularity of shadow IT is partly due to its perceived benefits," says George Glass, head of threat intelligence at cybersecurity specialists Redscan, "these include the ability to take initiative in setting up and using technology and the freedom to adopt systems and software more quickly in order to reduce workload. However, these apparent benefits come at a significant cost."

The issue arises when this shadow IT is not checked for vulnerabilities or is not kept up to date because it is not known by the IT team. These vulnerabilities and flaws can present a potential opening for cybercriminals. 

**Prioritizing Speed of Service Over Security**

It is naturally the case that many businesses in retail want to prioritise fast and effective customer service. Unfortunately, this can ultimately result in good security practices being overlooked in favour of getting on with tasks. For example, if a customer comes in requesting a password reset on their account, there may be some pressure to simply go ahead with this rather than following the correct procedure. 

Retail stores need to understand the interconnected nature of cybercriminals and in-person crime. With the rise in cashless retail and a surge in online sales (that has witnessed an unprecedented rise in recent years), retailers' IT security has had to keep in step and reposition itself with the evolution of consumers' buying habits. This increased awareness, however, has been reinforced by the UK Government's measures to support security technology within the retail industry. 

While retail stores are more vulnerable than ever to cybercrime, there is much that businesses can do to mitigate risk. Perhaps the most important factor is providing staff training to ensure that everyone understands their role in preventing cybercrime. 

_Dakota Murphey_ _is a freelance tech writer._

_**This story first appeared on**_ _**IFSEC Global**__**, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more.**_

Why Retail Stores Are More Vulnerable Than Ever to Cybercrime

Super admins can, among other things, modify Jira connections, reset user accounts, and modify security settings

Adam Bannister 26 October 2022 at 16:00 UTC  
Updated: 27 October 2022 at 09:42 UTC

Super admins can, among other things, modify Jira connections, reset user accounts, and modify security settings

UPDATED A pair of vulnerabilities patched in Jira Align could have enabled low-privileged malicious users to elevate their privileges to super admin, a security researcher has found.

Jira Align is a software-as-a-service (SaaS) platform through which enterprises can scale their deployments of Atlassian Jira, the hugely popular bug tracking and project management application.

A Bishop Fox security researcher found a high severity (CVSS 8.8) authorization controls flaw that allows users with the ‘people’ permission to elevate their privilege, or that of any other user, to ‘super admin’ via the MasterUserEdit API (CVE-2022-36803).

Subsequently, abuse of a medium severity (CVSS 4.9) server-side request forgery (SSRF) bug (CVE-2022-36802) could then see attackers retrieve AWS credentials of the Atlassian service account that deployed the Jira Align instance, the researcher said.

**MisAligned permissions**

Super admins can among other things modify Jira connections, reset user accounts, and modify security settings, said Jake Shafer, senior security consultant at Bishop Fox.

Attackers could also access “everything the client of the SaaS had in their Jira deployment (or just take the whole thing offline, but I would hope there’s some backups in that case)”, he told The Daily Swig.

“Going by my pen testing experience, that could be everything from credentials and client information to details on unpatched vulnerabilities in their own applications and software.”

Catch up with the latest cloud security news

Shafer also speculated that, while his testing “stopped at the edge of the Atlassian infrastructure”, leveraging the SSRF “under the right conditions” might theoretically enable attackers to move laterally or upward through Atlassian’s AWS infrastructure.

However, Atlassian disputed this assertion in response to queries from The Daily Swig, emphasizing “that Jira Align's SaaS and Atlassian's wider SaaS are not connected. The Jira Align AWS environment was locked down to a level that there was no accessible information that was not encrypted and other layers could not be reached, so this is a purely hypothetical and misleading statement”.

**No exploitation detected**

The flaws affect version 10.107.4 and were patched in 10.109.3, which was released on July 22, 2022.

The issues were unearthed on May 31, 2022, and reported to Atlassian on June 6, with the vendor initially addressing the SSRF with a hotfix on June 9.

Bala Sathiamurthy, chief information security officer at Atlassian, told The Daily Swig: “These are both known and patched medium-severity vulnerabilities. Our Security Intelligence team has verified that no customers that use Jira Align on an Atlassian hosted cloud offering had either vulnerability exploited.”

He added: “As always, we recommend that our server and data center customers apply the latest security patches and mitigations as soon as they are available in order to receive the latest features and fixes. We also recommend that our customers move to the cloud versions of Atlassian products to ensure they automatically receive the upgrades and security patches.”

**People permissions**

The role of ‘people’ permissions varies depending on an instance’s configuration. “In the sandbox environment that was provisioned for testing purposes, this permission was added to the ‘program manager’ role, but could be exploited by any role with the ‘people’ permission,” explained Shafer in a Bishop Fox security advisory.

This could either be done by “intercepting the role change request directly to the API and modifying the parameter to ”, or by performing an API call with a request containing their session cookies.

The SSRF resides in the Jira Align API, which manages external connections.

A user-supplied URL value called points to the relevant API location. Jira Align automatically appended /rest/api/2/ to the URL server side, but the further addition of ‘#’ “would allow an attacker to specify any URL”, warned Shafer.

This article was updated on October 27 with the addition of comment from Atlassian.

RECOMMENDED Policy-as-code approach counters ‘cloud native’ security risks

Jira Align flaws enabled malicious users to gain super admin privileges

The North Korean espionage-focused actor known as Kimsuky has been observed using three different Android malware strains to target users located in its southern counterpart.
That's according to findings from South Korean cybersecurity company S2W, which named the malware families FastFire, FastViewer, and FastSpy.
"The FastFire malware is disguised as a Google security plugin, and the

The North Korean espionage-focused actor known as Kimsuky has been observed using three different Android malware strains to target users located in its southern counterpart.

That's according to findings from South Korean cybersecurity company S2W, which named the malware families FastFire, FastViewer, and FastSpy.

"The FastFire malware is disguised as a Google security plugin, and the FastViewer malware disguises itself as 'Hancom Office Viewer,' \[while\] FastSpy is a remote access tool based on AndroSpy," researchers Lee Sebin and Shin Yeongjae said.

Kimsuky, also known by the names Black Banshee, Thallium, and Velvet Chollima, is believed to be tasked by the North Korean regime with a global intelligence-gathering mission, disproportionately targeting individuals and organizations in South Korea, Japan, and the U.S.

This past August, Kaspersky unearthed a previously undocumented infection chain dubbed GoldDragon to deploy a Windows backdoor capable of stealing information from the victim such as file lists, user keystrokes, and stored web browser login credentials.

The advanced persistent threat is also known to an Android version of AppleSeed implant to execute arbitrary actions and exfiltrate information from the infected devices.

FastFire, FastViewer, and FastSpy are the latest additions to its evolving Android malware arsenal, which are designed to receive commands from Firebase and download additional payloads.

"FastViewer is a repackaged APK by adding arbitrary malicious code inserted by an attacker to the normal Hancom Office Viewer app," the researchers said, adding the malware also downloads FastSpy as a next-stage.

The rogue apps in question are below -

*   com.viewer.fastsecure (Google 보안 Plugin)
*   com.tf.thinkdroid.secviewer (FastViewer)

Both FastViewer and FastSpy abuse Android's accessibility API permissions to fulfill its spying behaviors, with the latter automating user clicks to grant itself extensive permissions in a manner analogous to MaliBot.

FastSpy, once launched, enables the adversary to seize control of the targeted devices, intercept phone calls and SMSes, track users' locations, harvest documents, capture keystrokes, and record information from the phone's camera, microphone, and speaker.

S2W's attribution of the malware to Kimsuky is based on overlaps with a server domain named "mc.pzs\[.\]kr," which was previously employed in a May 2022 campaign identified as orchestrated by the group to distribute malware disguised as North Korea related press releases.

"Kimsuky group has continuously performed attacks to steal the target's information targeting mobile devices," the researchers said. "In addition, various attempts are being made to bypass detection by customizing Androspy, an open source RAT."

"Since Kimsuky group's mobile targeting strategy is getting more advanced, it is necessary to be careful about sophisticated attacks targeting Android devices."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Kimsuky Hackers Spotted Using 3 New Android Malware to Target South Koreans

Concerns about breaches of sensitive information due to execution of malware scripts and growing adoption of cloud-based services are fueling growth of the content security market.

**CHICAGO, Oct. 26, 2022 /PRNewswire/** — The global Content Security Market size is expected to grow from an estimated value of USD 1,345 million in 2022 to 2,219 million USD by 2027, at a Compound Annual Growth Rate (CAGR) of 10.5% from 2022 to 2027**.** Some factors driving the Content Security Market growth include concerns regarding increased breach of sensitive information due to execution of malware scripts, growing adoption of cloud-based services/solutions, increased need to widespread information/content and engagement through advanced user interface, and user experience platforms.

**Download PDF Brochure:** https://www.marketsandmarkets.com/pdfdownloadNew.asp?id=194651579

**By Organization size, large enterprises are expected to witness higher market share during the forecast period**

The adoption of cloud services or solutions to take advantage of the digitalization era has been the primary area of interest for businesses in the context of both large and medium-sized businesses. At the same time, it gives hackers a chance to steal sensitive data by inserting malware scripts into website content, phishing emails, and other forms of communication. When it comes to considering the adoption of new technology, there is no doubt that large corporations are typically the ones to do so. This suggests that clever con scammers or whip-smart hackers have their sights set on these businesses. However, the small and medium-sized businesses are not far behind in adopting cloud services. In addition to considering cloud adoption for its cost-effectiveness and ability to automate manual processes, small business leaders should also consider data protection and security. The technology industry benefits from the growth of cloud users and its ecosystem. In addition, these business leaders must be aware of the drawbacks associated with utilizing lucrative services or deploying cloud solutions. Because of the growing concerns over data security, this makes it possible to envision content security as a possibility.

**Request Sample Pages:** https://www.marketsandmarkets.com/requestsampleNew.asp?id=194651579

**By vertical, BFSI segment is expected to witness highest market share during the forecast period**

The scope of content security and protection extends beyond a small number of industry verticals like BFSI, IT and ITeS, retail and e-commerce, media, and entertainment, and so on. BFSI is one of the industries that sets the standard for the adoption of digital technologies to streamline operations and operations as digital initiative grows. It includes banks, insurance companies, and financial institutions. From a strategic perspective, the BFSI industry is the most attractive target for scammers or hackers due to the sectors rapid digital progress and the substantial amount of consumer information it holds. As a result, the number of cybercrimes and frauds has increased steadily over time. There have been alarming numbers of cases involving the use of email content, phishing emails, and UI/UX that direct users to scripted altered websites. This shows how important it is to protect the public interest and content security in the global market.

**Get 10% Free Customization on this Report:** https://www.marketsandmarkets.com/requestCustomizationNew.asp?id=194651579

**By region, Asia Pacific is projected to grow with fastest growth rate during the forecast period**

When it comes to the content security market, North America is believed to hold most of the market share. It is not surprising that it has topped the list because it has witnessed a variety of cybercrimes, allowing the region to investigate a variety of malware or suspicious content origins. Digital transformation, on the other hand, has been a major focus of Asia-Pacific efforts to boost regional economic growth and integration. Asia-Pacific now ranks among the worlds fastest-growing regions, making it a huge potential market for content security. China, India, and Japan are a few of the regions most technologically advanced nations, which are facilitating the swift implementation of content security laws and regulations to improve data security. Additionally, despite the increasing number of cyberattacks and threats, businesses in the Asia-Pacific region have been adapting to the new digital trends.

**Key Players**

Major vendors in the **Global Content Security Market** include Cartesian Inc. (US), Microsoft Corporation (US), Trend Micro Inc. (Japan), Check point Software Technologies (Israel), Barracuda Networks (US), Sophos Technologies Pvt. Ltd (UK)., Proofpoint (US), Forcepoint (US), Verimetrix (France), Lookout (US), CommScope (US) and Infosec Information Technologies (Istanbul) are few key players in the content security market.

**Browse Adjacent Markets** : Information Security Market Research Reports & Consulting

**Related Reports**

**IDaaS Market** — Global Forecast to 2027

**Operational Technology (OT) Security Market** — Global Forecast to 2027

**Zero Trust Security Market** — Global Forecast to 2027

**Cybersecurity Insurance Market** — Global Forecast to 2027

**Supply Chain Management (SCM) Market** — Global Forecast to 2027

**About MarketsandMarkets™**

MarketsandMarkets™ provides quantified B2B research on 30,000 high growth niche opportunities/threats which will impact 70% to 80% of worldwide companies' revenues. Currently servicing 7500 customers worldwide including 80% of global Fortune 1000 companies as clients. Almost 75,000 top officers across eight industries worldwide approach MarketsandMarkets™ for their painpoints around revenues decisions.

Our 850 fulltime analyst and SMEs at MarketsandMarkets™ are tracking global high growth markets following the "Growth Engagement Model – GEM". The GEM aims at proactive collaboration with the clients to identify new opportunities, identify most important customers, write "Attack, avoid and defend" strategies, identify sources of incremental revenues for both the company and its competitors. MarketsandMarkets™ now coming up with 1,500 MicroQuadrants (Positioning top players across leaders, emerging companies, innovators, strategic players) annually in high growth emerging segments. MarketsandMarkets™ is determined to benefit more than 10,000 companies this year for their revenue planning and help them take their innovations/disruptions early to the market by providing them research ahead of the curve.

MarketsandMarkets's flagship competitive intelligence and market research platform, "Knowledge Store" connects over 200,000 markets and entire value chains for deeper understanding of the unmet insights along with market sizing and forecasts of niche markets.

Content Security Market Worth $2.2 Million by 2027 - Exclusive Study by MarketsandMarkets(TM)

Google admitted to loss of data responsive to 2016 search warrant and agreed to program enhancements, reporting obligations, and a first-of-its-kind Independent Compliance Professional.

The Department of Justice on Oct. 25 filed a stipulation and agreement resolving a dispute with Google over the loss of data responsive to a search warrant issued in 2016.

Pursuant to the first-of-its-kind resolution, Google has agreed to reform and upgrade its legal process compliance program to ensure timely and complete responses to legal process such as subpoenas and search warrants, as required under the Stored Communications Act (SCA) and other applicable legal authorities. To monitor that Google fulfills its legal obligations, an Independent Compliance Professional will be retained to serve as an outside third-party related to Google’s compliance enhancements.

“The Department is committed to ensuring that electronic communications providers comply with court orders to protect and facilitate criminal investigations,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division. “This agreement demonstrates the Department’s resolve in ensuring that technology companies, such as Google, provide prompt and complete responses to legal process to ensure public safety and bring offenders to justice.”

“The warrant underlying this agreement was sought in connection with a significant criminal investigation,” said U.S. Attorney Stephanie Hinds for the Northern District of California. “This agreement will help to ensure that, moving forward, Google will maintain the technical capability and resources necessary to comply with lawful warrants and orders, such as the one at issue in this case, that are critical to federal criminal investigations.”

As detailed in the Statement of Facts accompanying today’s agreement, in 2016, the United States obtained a search warrant in the Northern District of California for data held at Google related to the investigation of the criminal cryptocurrency exchange BTC-e. The warrant was issued under the SCA, the federal statute that requires providers such as Google to disclose customer communications when served with a warrant signed by a judge and supported by probable cause.

After the warrant was reviewed by a judge in the Northern District of California, sworn, signed, and served on Google, the Second Circuit Court of Appeals issued a decision holding that SCA search warrants did not reach data stored outside of the United States. Google halted execution of the search warrant and made rolling productions containing only information it could confirm was stored in the United States. Because Google’s data preservation tools at the time stored data in the United States – and thus brought the data under undisputed U.S. jurisdiction – Google also endeavored to create new tools that would prevent the data from being repatriated. Google and the government litigated regarding the search warrant through 2017 and into 2018, when Congress clarified that the SCA does indeed reach data that U.S. providers choose to store overseas. In the intervening time, data responsive to the warrant was lost.

In resolving the matter with the department, Google has agreed to numerous improvements to its legal process compliance program, as set forth in the filed agreement. The improvements are tailored to ensure that Google complies with its legal obligations to respond to lawful court orders, including those issued pursuant to the SCA. Google will maintain sufficient compliance staffing levels to support the enhancements to the program and will allocate engineering resources to support legal process compliance.

Google has further committed to implement processes and procedures to ensure timely response to legal process, as required under the SCA and other relevant legal frameworks, and to generate a compliance timeliness record for missed deadlines, which will be made available to the government upon request. Google will also develop and maintain needed tools to retrieve data in response to legal process, and to develop plans for legal process responses corresponding to new product launches.

The agreement (PDF) also provides that an Independent Compliance Professional will verify the accuracy of assertions in all reports contemplated by the agreement and evaluate Google’s assessment of its compliance with the enhancements to Google’s Legal Process Compliance Program set forth in the agreement. Pursuant to the agreement and in consultation with the mandated Independent Compliance Professional, Google will assemble periodic reports and updates regarding its Legal Process Compliance Program and its implementation of the enhancements set forth in the agreement. Google will provide these reports to the government, the Google Compliance Steering Committee, and the Audit and Compliance Committee of the Alphabet Board of Directors.

In the filed stipulation, Google represented to the court that it spent over $90 million on additional resources, systems, and staffing to implement legal process compliance program improvements.

Google will maintain its lawful protections of user data, and the agreement does not provide the United States access to Google user data.

Senior Counsel C. Alden Pelker of the Criminal Division’s Computer Crime and Intellectual Property Section and Corporate and Securities Fraud Section Chief Lloyd Farnham for the Northern District of California negotiated the agreement on behalf of the government.

Google Enters Into Stipulated Agreement to Improve Legal Process Compliance Program

The suspected Chinese influence operation had limited success. But it signals a growing threat from a new disinformation adversary.

Since Russia bombarded the 2016 election with Twitter trolls and astroturfed lies, election watchers have been on guard against social media “influence operations.” Four years later, Iran took a stab at meddling in the 2020 presidential election, with more mixed results. Now, the People's Republic of China—or, at least, a group with a long-running pro-Chinese government agenda—seems to be trying out its own political influence operation just ahead of this year's US midterm elections. And while that operation seems to have largely failed this time, the campaign represents the growing boldness of a new adversary in the fight against organized disinformation.

On Wednesday, cybersecurity and threat intelligence firm Mandiant published new findings about a group it calls Dragonbridge, which it's seen for years promoting pro-Chinese interests in fake grassroots social media campaigns designed to influence politics in Taiwan and Hong Kong. Now, Mandiant's analysts have tied Dragonbridge to a series of more US-focused influence campaigns. The group claimed that a notorious hacking spree carried out by known Chinese state-sponsored hackers was actually carried out by US intelligence, falsely blamed the sabotage of the Nord Stream pipeline on the US government, and—perhaps most brazenly—seeded hundreds of posts on social media designed to demoralize voters and reduce turnout ahead of the November midterms.

“This actor has been rapidly growing and hyper-aggressive. They went from carrying out limited campaigns focused on Hong Kong to a global operation on dozens of platforms,” says John Hultquist, Mandiant's VP of intelligence analysis. “Interfering in our elections is just another line that they're clearly willing to cross.”

Mandiant declined to reveal in its report or to WIRED the full collection of disinformation posts that it's tied to Dragonbridge, but the company says the posts numbered in the thousands. Nor would Mandiant name all the platforms where Dragonbridge had created accounts. But it describes posts published by these accounts arguing that American democracy was being taken over by extreme partisanship, as well as posts pointing to episodes of confrontations and violence between political groups and against the FBI as instances of “civil war.” The group also published a video, Mandiant says, that discourages Americans from voting, making claims about political gridlock and inaction and showing images of the January 6, 2021, insurrection at the US Capitol Building. “The solution to America’s ills is not to vote for someone,” the video argues at one point, according to Mandiant, but “to root out this ineffective and incapacitated system.” All of the content Mandiant identified in its report as part of the Dragonbridge operations has since been deleted, the company says.

Other simultaneous influence campaigns from the group tie it more evidently to Chinese government interests. Pseudonymous Twitter accounts that Mandiant says were controlled by Dragonbridge posted claims in both English and Mandarin stating that espionage campaigns carried out by the prolific China-linked hacker group APT41 were really the work of the NSA and CIA. “For at least ten years, the American hacker group \[APT41\] has repeatedly carried out cyber attacks, espionage activities, cyber piracy and cyber crimes against other countries,” reads one tweet in October from a seemingly fictional person named Karen Diaz.

In fact, the US Department of Justice indicted seven Chinese men in 2020 as members of APT41, tying them to a contractor working on behalf of China's Ministry of State Security known as Chengdu 404. The indictment accuses the men of hacking hundreds of targets around the globe, both to carry out espionage on behalf of the MSS and to profit from their own cybercrime operations.

In an attempt to shift that blame, Dragonbridge's influence campaign went so far as to create spoofed posts from Intrusion Truth, a mysterious pseudonymous Twitter account that has previously released evidence tying multiple hacking campaigns to China, including those of APT41. The fake Intrusion Truth posts instead falsely tie APT41 to US hackers. Dragonbridge also created an altered, spoofed version of an article in the Hong Kong news outlet _Sing Tao Daily_ pinning APT41's activities on the US government.

In a more timely example of Dragonbridge's disinformation operations, it also sought to blame the destructive sabotage of the Nord Stream natural gas pipeline—a key piece of infrastructure connecting European countries to Russian gas sources—on the United States. Mandiant says that claim, which echoes statements from Russian president Vladimir Putin and Russian disinformation sources, appears to be part of a larger campaign designed to sow divisions between the United States and its allies that have opposed and sanctioned Russia for its unprovoked and catastrophic military invasion of Ukraine.

None of those campaigns, Mandiant emphasizes, was particularly successful. Most of the posts had single-digit likes, retweets, or comments at best, the company says. Some of its spoofed tweets impersonating Intrusion Truth have no signs of engagement at all. But Hultquist warns nonetheless that Dragonbridge demonstrates a new interest in aggressive disinformation from pro-China sources, and possibly from China itself. He worries, given China's widespread cyber intrusions around the world, that future Chinese disinformation campaigns might include hack-and-leak operations that blend real revelations into disinformation campaigns, as Russia's GRU military intelligence agency has done. “If they get their hands on some real information from a hacking operation,” Hultquist says, “that's where they become especially dangerous.”

Despite Dragonbridge's occasional pro-Russian messages, Hultquist says that Mandiant has little doubt of the group's pro-China focus. The company first spotted Dragonbridge engaged in a fake grassroots campaign to disparage Hong Kong pro-democracy protestors in 2019. Earlier this year, it saw the group pose as Americans protesting against US rare-earth metal mining companies that competed with Chinese firms.

That doesn't mean Dragonbridge's campaigns are necessarily the work of a Chinese government agency or even a contractor firm like Chengdu 404. But they're very likely at least located in China, Hultquist says. “It's hard to imagine their activity, in its totality, being in any other country's interest,” says Hultquist.

If Dragonbridge is working directly for the Chinese government, it may mark a new phase in China's use of disinformation. In the past, China has largely stayed away from influence operations. A Director of National Intelligence report on foreign threats to the 2020 election declassified last year stated that China “considered but did not deploy influence efforts designed to change the outcome of the US Presidential election.” But just last month Facebook, too, says it spotted and removed campaigns of Chinese political disinformation posted to the platform from mid-2021 to September 2022, though it didn't say if the campaigns were linked to Dragonbridge.

Despite the apparent resources put into Dragonbridge's long-running operations, its new foray into election meddling looks remarkably ham-fisted, says Thomas Rid, a professor of strategic studies at Johns Hopkins and author of a history of disinformation, _Active Measures_. He points to abstract phrases, like its call to “root out this ineffective and incapacitated system.” That kind of dull language fails to effectively exploit real wedge issues to exacerbate existing divisions in US society—often best identified by local agents on the ground. “It seems like they didn’t read the manual,” Rid says. “It seems like a remote, amateurish affair done from Beijing.”

But both Rid and Mandiant's Hultquist agree that Dragonbridge's relative lack of success shouldn't be seen as a sign of Americans' growing immunity to influence operations. In fact, they argue that the deep political divisions in American society may mean that the US is less equipped than ever to distinguish fact from fabrication in social media. “Authoritative sources are no longer trusted,” says Hultquist. “I'm not sure that we're in a great place right now, as a country, to digest that some major information operation is attributable to a foreign power.”

A Pro-China Disinfo Campaign Is Targeting US Elections—Badly

New service from BlackBerry's Threat Research and Intelligence Team reduces unknowns to enhance detection and response.

**NEW YORK, Oct. 26, 2022 /PRNewswire/** — Today, at the BlackBerry Security Summit, BlackBerry Limited (NYSE: BB; TSX: BB) announced the release of its new Cyber Threat Intelligence (CTI) offering, a professional threat intelligence service to help customers prevent, detect, and effectively respond to cyberattacks.

Delivered on a quarterly subscription basis, BlackBerry's new CTI service  
provides actionable intelligence on targeted attacks and cybercrime-motivated  
threat actors and campaigns, as well as intelligence reports specific to  
industries, regions, and countries. BlackBerry's CTI will save organizations  
time and resources by focusing on specific areas of interest relevant to a  
company's security goals.

"Being cyber resilient means making the right decisions at the right time," said  
Ismael Valenzuela, Vice President, Threat Research and Intelligence at  
BlackBerry. "Cyberattacks are becoming more sophisticated and threat actors move  
quickly. BlackBerry's Cyber Threat Intelligence delivers the details needed to  
improve detection and response, so organizations can stay on top of cyber threat  
activity and anticipate any next moves."

"More businesses are recognizing the value of threat intelligence and the  
distinctive benefits it brings to security teams," said Chris Kissel, Vice  
President, Security and Trust Products at IDC Research. "Curated threat  
intelligence from credible experts in the space provides businesses and their  
front line security personnel with timely insights, enabling them to better  
detect, triage, and investigate threats. Integrating this service with existing  
security ecosystems helps businesses stay one step ahead of cyber threats as  
digital attack surfaces evolve and expand."

The Threat Research and Intelligence Team has released numerous first-to-market  
research reports over the past year leveraging BlackBerry's data-driven digital  
ecosystem and analytical capabilities. These research reports have revealed new  
developments in the ransomware and malware space, and targeted, state-sponsored  
APT activity, including Symbiote, DCRat, Chaos Yashma ransomware and LokiLocker,  
all of which have been well-received by BlackBerry's customer base and the  
broader security community.

The service will launch in December.

For more information on how BlackBerry's Cyber Threat Intelligence service can  
support your organization, please visit BlackBerry.com to connect with one of  
our experts.

**About BlackBerry**  
BlackBerry (NYSE: BB; TSX: BB) provides intelligent security software and  
services to enterprises and governments around the world. The company secures  
more than 500M endpoints including 215M vehicles. Based in Waterloo, Ontario,  
the company leverages AI and machine learning to deliver innovative solutions in  
the areas of cybersecurity, safety, and data privacy solutions, and is a leader  
in the areas of endpoint security, endpoint management, encryption, and embedded  
systems. BlackBerry's vision is clear — to secure a connected future you can  
trust.

BlackBerry. Intelligent Security. Everywhere.

For more information, visit BlackBerry.com and follow @BlackBerry.

Trademarks, including but not limited to BLACKBERRY and EMBLEM Design are the  
trademarks or registered trademarks of BlackBerry Limited, and the exclusive  
rights to such trademarks are expressly reserved. All other trademarks are the  
property of their respective owners. BlackBerry is not responsible for any  
third-party products or services.

**SOURCE:** BlackBerry Limited

BlackBerry Launches Cyber Threat Intelligence Service to Strengthen Cyber Defenses

The threat actor behind a remote access trojan called RomCom RAT has been observed targeting Ukrainian military institutions as part of a new spear-phishing campaign that commenced on October 21, 2022. 
The development marks a shift in the attacker's modus operandi, which has been previously attributed to spoofing legitimate apps like Advanced IP Scanner and pdfFiller to drop backdoors on

The threat actor behind a remote access trojan called RomCom RAT has been observed targeting Ukrainian military institutions as part of a new spear-phishing campaign that commenced on October 21, 2022.

The development marks a shift in the attacker's modus operandi, which has been previously attributed to spoofing legitimate apps like Advanced IP Scanner and pdfFiller to drop backdoors on compromised systems.

"The initial 'Advanced IP Scanner' campaign occurred on July 23, 2022," the BlackBerry research and intelligence team said. "Once the victim installs a Trojanized bundle, it drops RomCom RAT to the system."

While previous iterations of the campaign involved the use of trojanized Advanced IP Scanner, the unidentified adversarial collective has since switched to pdfFiller as of October 20, indicating an active attempt on part of the adversary to refine tactics and thwart detection.

These lookalike websites host a rogue installer package that results in the deployment of the RomCom RAT, which is capable of harvesting information and capturing screenshots, all of which is exported to a remote server.

The adversary's latest activity directed against the Ukrainian military is a departure in that it employs a phishing email with an embedded link as an initial infection vector, leading to a fake website dropping the next stage downloader.

This downloader, signed using a valid digital certificate from "Blythe Consulting sp. z o.o." for an extra layer of evasion, is then used to extract and run the RomCom RAT malware. BlackBerry said the same signer is used by the legitimate version of pdfFiller.

Besides the Ukrainian military, other targets of the campaign include IT companies, food brokers, and food manufacturing entities in the U.S., Brazil, and the Philippines.

"This campaign is a good example of the blurred line between cybercrime-motivated threat actors and targeted attack threat actors," Dmitry Bestuzhev, threat researcher at BlackBerry, told The Hacker News.

"In the past, both groups acted independently, relying on different tooling. Today, targeted attack threat actors rely more on traditional tooling, making attribution harder."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel