CyberWire Daily - CyberWire Pro Research Briefing from 12/21/2021.
Episode Date: December 25, 2021. Enjoy a peek into CyberWire Pro's Research Briefing as the team is off taking our long winter's nap. This is the spoken edition of our weekly Research Briefing, focused on threats, vulnerabilities, and consequences, as they're played out in cyberspace. This week's headlines: US Commission on International Religious Freedom reportedly hacked. Sophistication of NSO exploit on par with nation-state tooling. Conti ransomware actors exploit Log4Shell. Like what you hear? Consider subscribing to CyberWire Pro for $99/year.
Transcript
Here's your CyberWire Pro research briefing for Tuesday, December 21, 2021.
Avast has discovered a new targeted attack against a small, lesser-known U.S. federal government commission associated with international rights. Avast doesn't name the affected entity, but The Record reports that it was the United States Commission on International Religious Freedom. Avast isn't sure what the attackers were after, but they note that the threat actor had significant access within the network. Quote, while we have no information on the impact of this attack or the actions taken by the attackers, based on our analysis of the files in question, we believe it's reasonable to conclude that the attackers were able to intercept and possibly exfiltrate all local network traffic in this organization. This could include information exchanged with other U.S. government agencies and other international governmental and non-governmental organizations focused on international rights. We also have indications that the attackers could run code of their choosing in the operating system's context on infected systems, giving them complete control. Taken altogether, this attack could have given total visibility of the network and complete control of a system and thus could be used as the first step in a multistage attack to penetrate this or other networks more deeply. End quote.
Avast is releasing its research after notifying the affected entity and receiving no response. Quote, after initial communication directly to the affected organization, they would not respond, return communications, or provide any information. The attempts to resolve this issue included repeated direct follow-up outreach attempts to the organization. We also used other standard channels for reporting security issues directly to affected organizations, and standard channels the United States government has in place to receive reports like this. End quote.
Researchers at Google's Project Zero have analyzed an iOS exploit developed by spyware vendor NSO Group, concluding that, quote, based on our research and findings, we assess this to be one of the most technically sophisticated exploits we've ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible only to a handful of nation-states. End quote. The exploit, dubbed FORCEDENTRY, takes advantage of an integer overflow vulnerability that was patched by Apple in September 2021. The exploit allows an attacker to infect a victim's phone by simply sending a text message. The researchers credit the University of Toronto's Citizen Lab for discovering the exploit after it was used to target a Saudi activist earlier this year.
Researchers at AdvIntel warn that Conti ransomware actors are exploiting Log4Shell, a critical vulnerability in Apache's Log4j logging library. Quote, on December 12, through deep visibility into adversarial collections, AdvIntel discovered that multiple Conti group members expressed interest in the exploitation of the vulnerability for the initial attack vector, resulting in the scanning activity leveraging the publicly available Log4J2 exploit. This is the first time this vulnerability entered the radar of a major ransomware group. The current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4J exploit. Most importantly, AdvIntel confirmed that the criminals pursued targeting specific vulnerable Log4J2 VMware vCenter for lateral movement directly from the compromised network, resulting in vCenter accessing affected U.S. and European victim networks from the pre-existing Cobalt Strike sessions. End quote.
Proofpoint says the TinyNuke banking trojan is targeting users in France via phishing emails that impersonate logistics and transportation companies. Proofpoint observed dozens of TinyNuke campaigns targeting French entities in 2018. After only observing a handful of TinyNuke campaigns in 2019 and 2020, Proofpoint observed TinyNuke reappearing in January 2021, in one campaign distributing around 2,000 emails. Subsequent campaigns appeared in low volumes in May, June, and September. In November, Proofpoint identified multiple TinyNuke campaigns distributing around 2,500 messages and impacting hundreds of customers. In the most recent campaigns, the threat actor uses invoice-themed lures purporting to be logistics, transportation, or business services entities. End quote.
And that's your CyberWire Pro research briefing.