Top five Cyber Threat Intel stories of the week: 01/09 to 01/13/2023

James Beal
Hunter Strategy
Jan 13, 2023

Top 5 general threat intelligence stories of the week. This is from TLP white/open-source websites, so please feel free to share with anyone inside or outside the company you think would benefit and enjoy reading about these events. Please reach out if you have any questions on any of these events. Thank you!

General Worldwide activity:

1st: Nakasone: Foreign surveillance program helped fend off cyberattacks

Overview: NSA Director Gen. Paul Nakasone said Thursday that the targeted internet surveillance program for non-U.S. persons known as Section 702 has played an “irreplaceable” role in helping the agency fend off ransomware attacks, prevent weapons components from reaching adversaries, and identify threats to U.S. troops. “702 has helped us to understand the strategic intentions of the foreign governments,” Nakasone explained to the U.S. Privacy and Civil Liberties Oversight Board (PCLOB) in a keynote speech, adding that 702 authorities have allowed the agency to disrupt foreign cyberattacks and ransomware operations. Nakasone did not provide much detail about the operations beyond that list, but the statement was part of a broader effort to build support for the renewal of what has become a central tool for the intelligence community. Section 702 of the Foreign Intelligence Surveillance Act, or FISA, is set to sunset at the end of the year.

Breakdown: We have now seen several U.S. programs release information on past results for both defensive and “defend forward” activity. Unfortunately, we are not getting the full details of those results, so we cannot weigh the impacts ourselves on what is a rather hotly debated issue. The major concern with this program, which is tied to warrantless wiretapping/surveillance, is that while collecting the communications of non-Americans it is statistically almost impossible to avoid collecting data on U.S. citizens as well. We are definitely not the only country in the world with such programs, but the U.S. does have a list of rights we all hold as citizens that end up in direct conflict with programs that gather this vast amount of data on a daily basis. Hopefully at some point we will get more concrete details on the effectiveness of this kind of program, presented in a way that does not defeat its entire purpose by making it easier for threat groups to avoid.

2nd: Royal Mail cyberattack linked to LockBit ransomware operation

Overview: A cyberattack on Royal Mail, the UK’s largest mail delivery service, has been linked to the LockBit ransomware operation. Yesterday, Royal Mail disclosed that it suffered a cyber incident that forced it to halt international shipping services. “Royal Mail is experiencing severe service disruption to our international export services following a cyber incident,” Royal Mail said in a service update. While Royal Mail did not provide any details on the cyberattack, it said it was working with external cybersecurity experts and had notified UK regulators and law enforcement.

Breakdown: Ransomware activity seems to be spiking in the new year after a break over the holiday season, which is not surprising after the last few years, but still not great news for those of us defending systems. Here we have a major service hit with an attack that pretty much crippled its ability to serve its customers, which in this case impacted worldwide shipping for anything being sent through the UK! The initial news pointed out that if you needed to send a package, it was really just a matter of waiting until systems were restored and giving the recipient a heads-up that it would be late. With this developing quickly over the past couple of days, it is also a great example of how to handle informing the public of a breach: give enough detail that people can prepare, and avoid confusion by simply not using the affected mail services for a few days.

3rd: Supreme Court dismisses spyware company NSO Group’s claim of immunity

Overview: The Supreme Court dismissed on Monday an attempt by the Israeli spyware vendor NSO Group to claim immunity from legal challenges. NSO Group filed a petition for a writ of certiorari last year, arguing that under common law it could not be hauled before a judge as it was merely an agent of the foreign governments to whom it sold its products. The same claim of immunity had previously been dismissed twice by U.S. courts, first by a California district court and then by the Ninth Circuit. The Supreme Court’s website on Monday was updated to say that NSO Group’s most recent petition had also been denied.

Breakdown: NSO Group has been the focus of many articles over the last few years, as its tools have been used, and in many people’s opinion massively abused, to perform surveillance on citizens of certain countries with repressive governmental regimes. The company continues to deny any wrongdoing as the maker of these tools, stating essentially that it vets its customers fully and that, in the end, it is the customers’ use of the tools that may raise moral issues. Now that the Supreme Court has dismissed the immunity claim, the path is open for multiple groups and private companies to sue NSO in a U.S. court for actions they deem inappropriate.

4th: Twitter Denies Hacking Claims, Assures Leaked User Data Not from its System

Overview: Twitter on Wednesday said that its investigation found “no evidence” that users’ data sold online was obtained by exploiting any security vulnerabilities in its systems. “Based on information and intel analyzed to investigate the issue, there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems,” the company said in a statement. “The data is likely a collection of data already publicly available online through different sources.” The disclosure comes in the wake of multiple reports that Twitter data belonging to millions of users — 5.4 million in November 2022, 400 million in December 2022, and 200 million last week — have been made available for sale on online criminal forums.

Breakdown: The actual threat intel concern with leaks like this is communicating them to the widest audience possible so people are aware of the breach and can be prepared to take action. Depending on your level of concern, you could shut down your Twitter account entirely or change your contact info such as your email address; at the very least you should consider enabling multi-factor authentication on your account. Be ready for potential spam/phishing messages now that your name, Twitter handle and email address have been released together and are easily discoverable by threat groups.

5th: New Analysis Reveals Raspberry Robin Can be Repurposed by Other Threat Actors

Overview: A new analysis of Raspberry Robin’s attack infrastructure has revealed that it’s possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat. Raspberry Robin (aka QNAP worm), attributed to a threat actor dubbed DEV-0856, is a malware that has increasingly come under the radar for being used in attacks aimed at finance, government, insurance, and telecom entities. Given its use by multiple threat actors to drop a wide range of payloads such as SocGholish, Bumblebee, TrueBot, IcedID, and LockBit ransomware, it’s believed to be a pay-per-install (PPI) botnet capable of serving next-stage malware.

Breakdown: Sharing this for awareness of the toolset and of the fact that it has been repurposed, with new features added that make it a much more serious threat. APT groups are always looking for useful new options, and the additions made here make Raspberry Robin much more useful as a general attacker tool. The article has a nice semi-technical breakdown of the available features and gives a great overview of how current malware functions.

Contact Us

contact@hunterstrategy.net


Cyber Threat Intelligence Engineer - Focused on simplifying the evolving threat landscape and creating tangible alerts to help TRIAGE events.