Threat Briefing: May 10, 2023

Threat Intel Update

Over the last several months, multiple technology companies have been the victims of cyber attacks that disrupted company operations, caused the loss of company and customer data, and created opportunities for future attacks that leverage the data stolen from those companies. Additionally, cyber actors have looked for ways to increase the pressure on victims to pay ransoms, likely to force victims into quicker decisions during the incident response process. These recent attacks continue to highlight the importance of maintaining a strong defensive posture to prevent cyber attacks and the need to adapt to the ever-changing cyber threat landscape.

Cyber Attacks

Avos Ransomware Group Compromises Bluefield University, Utilizes Emergency Broadcast System to Message Students and Staff About Attack, in late April the university suffered a ransomware attack that caused it to postpone all exams. The Avos ransomware actors exfiltrated 1.2 TB of data from the university’s computer systems and posted a sample of the data they exfiltrated. In early May the Avos actors accessed the university’s emergency broadcast system to inform the students of the extent of the attack. Tech Radar

Ransomware Actors Attack Religious Entities, A New Industry for Ransomware Actors, the LockBit ransomware group attacked a South Carolina-based church, stealing employee data. The Karakurt ransomware actors, an offshoot of the former Conti ransomware group, attacked a Catholic publishing company, resulting in the loss of 130 gigabytes of data including employee information and financial information. Ransomware groups have typically not targeted religious organizations, likely due to a lack of financial incentive to launch attacks. The Record

Ransomware Attack against Taiwan-based Computer Hardware Manufacturer Results in Leak of Code Signing Keys After Failing to Pay Ransom, Micro-Star International (MSI) was the victim of a ransomware attack by Money Message in April 2023 and was extorted for $4 million to either return or delete the stolen data. MSI has not paid the ransom and, as a result, Money Message has released firmware code signing keys for 57 MSI products as well as private signing keys for Intel Boot Guard used on over 100 MSI products. The leaked firmware keys could be utilized to sign and deploy malicious firmware that those devices would accept as legitimate. Help Net Security

Canada-based Constellation Software Victim of Ransomware Attack, Resulting in Loss of Company Information, the company, which owns over 500 software companies through its six operating groups and is active in North America, Australia, Europe, and South America, indicated only internal financial reporting was lost due to the attack. The ALPHV ransomware group has posted the company to its data leak site, has claimed to have stolen more than 1TB of data from Constellation Software, and has posted a sample of the data online. Bleeping Computer

Reporting on Ransomware Attacks Likely Represents Only a Percentage of Actual Ransomware Attacks Conducted, information from the U.S. government suggests only 20% of victims report ransomware attacks to law enforcement, which could be limiting the effectiveness of efforts to disrupt ransomware attacks. While attacks are likely under-reported, an opportunity exists to improve how the government collects ransomware data and measures the impact of its disruptions. CyberScoop

Western Digital Confirms Customer Information Stolen Due to March 2023 Ransomware Attack, following the attack Western Digital temporarily disabled its cloud service as it investigated the extent of the attack. The cyber actor responsible for the attack was initially unknown, but the ALPHV group has since claimed responsibility and indicated it had stolen approximately 10TB of data. Western Digital has now temporarily disabled its online store and confirmed that customer billing information, contact information, partial credit card information, and hashed and salted passwords were stolen as part of the data theft. The Hacker News

Cyber Financial Fraud & Crime

Ohio Man Sentenced to Four Years in Prison for Laundering Proceeds from Dark Web Market and Obstructing a Criminal Forfeiture, Gary Harmon recreated Bitcoin wallets to transfer 712 Bitcoin from wallets that had belonged to his brother Larry Harmon, who had been arrested for operating Helix, a cryptocurrency money laundering service. Helix had laundered approximately $300 million in cryptocurrency for dark web market users. Law enforcement had seized devices belonging to Larry Harmon storing Bitcoin associated with the laundering operation as part of a criminal forfeiture action. By recreating Larry Harmon’s Bitcoin wallets, Gary Harmon was able to disrupt the criminal forfeiture law enforcement was pursuing against Larry Harmon. U.S. Department of Justice

Platform for Verifying Stolen Credit Cards Disrupted by U.S. Law Enforcement, the service, known as Try2Check, allowed cyber actors to verify whether stolen credit cards were valid and active before posting them for sale. The service operated by means of unauthorized access to a payment processing company’s servers in the U.S. Try2Check was disrupted as part of a joint operation by the U.S., German and Austrian governments, and in addition the U.S. has indicted the operator of Try2Check, Denis Kulkov. The U.S. is offering a $10 million reward for information leading to the arrest of Kulkov. Security Week

Illicit Cryptocurrency Exchange Service Provider Disrupted by U.S. and Ukrainian Law Enforcement Operation, the two countries worked together to seize nine internet domains offering anonymous virtual currency exchange services. The operation supports the enforcement of U.S. laws regarding anti-money laundering programs and helps to disrupt activity by ransomware actors. U.S. Attorney’s Office, Eastern District of Michigan

Cyber Compliance, Enforcement, & Policy

“Snake” Malware Utilized by Russia’s Federal Security Service (FSB) Disrupted by U.S. Law Enforcement Operation, for over 20 years the FSB used different versions of Snake to steal documents from victims in over 50 countries, including NATO member governments and journalists. The stolen data was then exfiltrated through a covert peer-to-peer network of compromised computers. The Snake malware persists on a victim’s computer despite remediation efforts and has been one of Russia’s most sophisticated malware variants. U.S. Department of Justice

Department of Homeland Security, Congress, and White House Working on Legislation to Codify Cyber Safety Review Board (CSRB), the board was established by executive order in 2022 and acts in a similar manner to the National Transportation Safety Board, which investigates accidents. The CSRB focuses on evaluating major cyber incidents; it has already reviewed the Log4j vulnerability, is currently reviewing the Lapsus$ cyber group, and has previously interviewed foreign government officials. The CSRB has worked with the private sector as part of its incident reviews to receive information, but is also seeking subpoena power to obtain additional information if needed to support cyber incident reviews. The Record

New Jersey Appeals Court Rules in Favor of Victim’s Cyber Insurance Claim for 2017 NotPetya Cyber Attack, pharmaceutical company Merck filed a $1.4 billion cyber insurance claim for damage caused by the NotPetya malware. Merck’s insurers rejected the claim, stating the cyber attack was an “act of war” and therefore that the policy did not apply to the cyber attack Merck suffered. The New Jersey Appeals Court rejected the insurers’ claim that the attack was an “act of war” and indicated the insurers were applying the definition too broadly to the cyber attack faced by Merck. CSO Online

U.S. Government Seizes Internet Domains Supporting Booter Services That Offer DDoS Computer Attack Services, of the 13 domains seized, 10 are reincarnations of services previously seized by the U.S. government in December 2022. Victims of these attacks have included financial institutions, schools and universities, and public sector entities. Additionally, four individuals who were associated with the domains seized in December pleaded guilty to their role in operating a booter service. U.S. Attorney’s Office, Central District of California

Draft of United Nations Cybercrime Treaty to be Released in June, the United Nations General Assembly began discussions on a cybercrime treaty in 2019. Discussions on the treaty have included a focus on law enforcement cooperation, technical assistance, and alignment with a prior cyber treaty released in 2001. The draft will be released on June 28th and will be followed by additional negotiation sessions before a vote scheduled for August 2024. The Record

U.S. and European Law Enforcement Agencies Arrest Nearly 300 Dark Web Vendors as Part of “Monopoly Market” Disruption, as of early May 288 individuals were arrested and over $53 million in cryptocurrency and cash was seized during law enforcement operations around the world. The majority of those arrested were in the U.S., while others were arrested in Europe and Brazil. The arrests are a continuation of Operation SpecTor, which has focused on disrupting the “Monopoly Market”. German law enforcement had previously seized the infrastructure for “Monopoly Market” in December 2021 and used information from the seizure to identify dark web vendors. Europol

Cyber Vulnerabilities

Chinese Cyber Actors Increase Focus on Compromising Firewalls and Virtual Hardware, Improving Cyber Tradecraft, a recent attack against an entity in the defense industry highlighted improvements in China’s cyber tradecraft, as the cyber actors focused on exploiting a vulnerability in FortiOS to gain access to Fortinet firewalls. The cyber actors also developed a malware framework specific to VMware ESXi hypervisors which, combined with the access to firewalls, created an environment where EDR systems would not be able to detect malicious activity, since neither firewall appliances nor hypervisor hosts typically run EDR agents. In addition, Chinese cyber actors began deleting log files, a change from previous operations in which they did not delete log activity. Dark Reading

Google Prevented Over 1.4 Million Policy-Violating Apps and Banned over 170,000 Developer Accounts in 2022, through policy and security improvements along with machine learning, Google was able to disrupt malicious activity in the Google Play ecosystem. Google’s steps also prevented over $2 billion in fraudulent transactions and, over the last three years, prevented over 500,000 apps from accessing sensitive permissions. Google’s App Security Improvement program also helped over 300,000 apps address over 500,000 security weaknesses. Google Blog

Information Stealer LOBSHOT Distributed Through Google Ads, LOBSHOT is a Windows-based financial trojan that has been attributed to TA505, with activity linked to Evil Corp, the group associated with the Dridex banking trojan. LOBSHOT dates back to July 2022 and has been used to obtain data from wallet extensions in Chrome, Edge, and Firefox, including cryptocurrency extensions. Victims are initially infected when they search for legitimate software tools and click on malicious Google Ads that deliver an MSI installer, which launches a PowerShell script to download LOBSHOT. The Hacker News

Phishing-as-a-Service Tool “Greatness” Enables Malicious Actors with Limited Skills to Launch Cyber Attacks, the service was first launched in 2022, and activity spiked in December 2022 and again in March 2023. “Greatness” has been mostly used to target businesses and mimics Microsoft 365 login pages. Victims of the phishing campaigns have been mostly in the U.S. but also in Australia, the U.K., Canada and Brazil, with most victims in the manufacturing sector, though education and financial organizations were also impacted. The Record

Microsoft Releases Security Update for Vulnerability Exploited by BlackLotus UEFI Malware, as of 10 May 2023, Microsoft disclosed a vulnerability, CVE-2023-24932, which is used to bypass the mitigation for CVE-2022-21894, a Secure Boot vulnerability exploited by the BlackLotus malware. If a cyber actor has local admin privileges on a device, they can execute self-signed code at the UEFI level while Secure Boot is enabled, providing a means of persistence on the device that survives operating system reinstallation. Help Net Security

Geopolitical News

U.S. and South Korean Governments Developing “Strategic Cybersecurity Cooperation Framework” to Counter Cyber Adversaries, the framework will focus on countering threats to critical infrastructure, combating cybercrime, and protecting cryptocurrency and blockchain applications. North Korea’s cyber activities, which have supported its military weapons development program, are a concern for both the U.S. and South Korea. Additionally, the two countries signed an agreement to cooperate on quantum technology research, adding to the level of cooperation between the U.S. and South Korea, which already includes the 70-year-old mutual defense treaty to support each other in the event of an attack. The Record

NATO to Open First Liaison Office in Japan, First Office in Asia, the opening of the office will further support NATO’s partnership with other countries in the region, such as South Korea and Australia, as NATO members navigate security challenges from Russia and China. NATO and Japan have worked on security cooperation regarding cyber security, non-proliferation, disruptive uses of science and technology, and misinformation. Reuters

Costa Rica, Jordan, and Colombia to Join Counter Ransomware Initiative, since its establishment in 2021, over 30 countries plus the European Union and INTERPOL have joined to support collaboration on ransomware. Member countries have worked together on improving ransomware disruption efforts, information sharing, diplomacy, and countering the illicit use of cryptocurrency, while also conducting joint exercises to respond to cyber incidents. The Record

Russia and Private Military Company Wagner Come to an Agreement on Supplies Needed to Continue Operations in Ukraine, Wagner’s leader had previously indicated he would suspend Wagner’s operations in Ukraine by May 10th because Wagner lacked the military supplies needed to capture the Ukrainian town of Bakhmut. However, the Russian government has now agreed to provide supplies to support Wagner as part of the ongoing attack on Bakhmut. BBC

Meta Disrupts London-based Chinese Disinformation Campaign Targeting the U.S. and Central Asia, the campaign relied on fictitious employees working for a front company called London New Europe Media to recruit individuals to help create content criticizing the U.S. or critics of the Chinese government. Meta found London New Europe Media was associated with Xi’an Tainwendian Network Technology, a China-based information technology company. The Record

Content from this threat briefing was provided by Nelnet’s CyberSecurity Threat Intel.

About the Author

CampusGuard Threat Intel Team