Changelog: Sandworm becomes APT44


The payload

Someone get Sandworm a cap and gown. Mandiant announced on April 17 that it was “graduating” the Russian hacking group responsible for multiple disruptions to Ukraine’s electric grid, the NotPetya ransomware disaster and several other of the most high-profile cyber operations to date, to APT44.

“Due to its history of aggressive use of network attack capabilities across political and military contexts, APT44 presents a persistent, high severity threat to governments and critical infrastructure operators globally where Russian national interests intersect,” Mandiant said in the blog post about Sandworm’s graduation. “The combination of APT44's high capability, risk tolerance, and far-reaching mandate to support Russia’s foreign policy interests places governments, civil society, and critical infrastructure operators around the world at risk of falling into the group's sights on short notice.”

The announcement was accompanied by a report (PDF) titled “APT44: Unearthing Sandworm.” The report includes a detailed retelling of the group’s activity since 2015; a look at the “disruptive operations,” “military enablement” and “information operations” it’s conducted to support Russia’s invasion of Ukraine; and technical information, such as indicators of compromise associated with its operations and the many types of malware it’s used, along with hunting rules that can be used to detect their presence on a system. (The IOCs were shared via VirusTotal and can be found in a dedicated and seemingly up-to-date collection.)

One line from Mandiant’s report stood out to me: “We also assess that at least one additional Russian cybersecurity company has provided direct operational support to APT44’s operations in Ukraine.” The company in question wasn’t identified, but this report arrived hot on the heels of a CNN report indicating that the Biden administration is planning to ban Kaspersky entirely from the U.S. market, and I can’t help but wonder if these revelations are related. Note that I’m not saying they are—there are other Russian cybersecurity firms, after all, and coincidences do happen—merely that I’m curious about the timing.

I’m also curious to learn more about the “Cyber Army of Russia.” Wired reported on April 17 that “one group of hackers linked to Sandworm has attempted a kind of digital mayhem that, in some respects, goes beyond even its predecessor: They've claimed responsibility for directly targeting the digital systems of water utilities in the United States and Poland as well as a water mill in France, flipping switches and changing software settings in an apparent effort to sabotage those countries’ critical infrastructure.” (Though Le Monde reported that the group might not have the best understanding of these targets.)

China seems to be the West’s cyber adversary of the moment, but this report makes it clear Russia can’t be ignored. “APT44 will almost certainly continue to present one of the widest and highest severity cyber threats globally,” Mandiant said. “It has been at the forefront of the threat landscape for over a decade and is responsible for a long list of firsts that have set precedents for future cyber attack activity. Patterns of historical activity, such as efforts to influence elections or retaliate against international sporting bodies, suggest there is no limit to the nationalist impulses that may fuel the group’s operations in the future.”

The week, compiled

VPN providers must have the best PR teams in the world—and I’m not talking about the ones that advertise on seemingly every YouTube channel with more than a dozen viewers. Pretty much every company of a certain size is expected to set up a corporate VPN even though it seems like a critical vulnerability in products from Ivanti, Fortinet and their counterparts is revealed every week or so.

Last week it was Palo Alto Networks’ (PAN) turn. Volexity said on April 12 that it had discovered an actively exploited zero-day vulnerability in GlobalProtect that a threat actor had used to “remotely exploit the firewall device, create a reverse shell, and download further tools onto the device” before using it “as an entry point to move laterally within the victim organizations.” PAN issued an advisory about the vuln, CVE-2024-3400, on April 12 and released patches for affected versions of PAN-OS on April 15.

PAN’s threat intelligence group, Unit 42, said on April 12 that it believed only a single threat actor was exploiting CVE-2024-3400 against specific targets. GreyNoise said that appeared to remain the case as of April 15, but there have since been indications that other groups are looking to exploit the flaw en masse. (Which probably had something to do with multiple proof-of-concept exploits being published in that time.) Anyone still running a vulnerable version of PAN-OS should probably do something about that.

The discovery of this vulnerability has also revealed a flaw in a popular Go library called “gorilla/sessions.” This could have been another “oh shit” moment for companies relying on a widely used open source library, but runZero CEO HD Moore said a number of mitigating factors should limit the bug’s impact. Gorilla’s also being actively developed again—at least some of the git repositories related to the toolkit were archived until new maintainers took over the project in July 2023—so that’s a plus.


That’s good news for the Go ecosystem. As for the security teams at countless organizations that rely on VPNs, in some sense, this was really just another week at the office. The ones relying on GlobalProtect simply happened to lose this round of “critical vulnerability with public proof of concept exploit” roulette. I’m sure next week it’ll land on… one of literally any of the other popular VPN providers.

And now for the week’s leading security news:

TechCrunch: The Change Healthcare hack is the gift that keeps on giving. After the $22 million ransom was stolen by AlphV / BlackCat as part of an exit scam, the group responsible for the attack threatened to leak stolen data if they didn’t get their money from UnitedHealth Group. TechCrunch reported on April 15 that the group has started to make good on its promise by publishing some of the records it made off with.

Reuters: OpenSSF and OpenJS said this week that, as Reuters put it, “at least three different JavaScript projects were targeted by unnamed individuals demanding suspicious updates or asking to be made maintainers of the targeted software” in what appeared to be efforts to insert backdoors into those projects. This tactic rose to prominence with the xz-utils backdoor; expect similar reports in the future.

Europol: Europol today announced that “law enforcement from 19 countries severely disrupted one of the world’s largest phishing-as-a-service platform, known as LabHost,” following a “year-long operation.” The agency said that 70 addresses “were searched across the world” between April 14-17, and that 37 people were arrested as a result. More details can be found in the agency’s announcement.

A message from Synack

Going to RSA? While at RSA, stop by Synack’s “Journey to Secure the Future” experience at Fogo de Chão – across the street from the Moscone Convention Center. Come meet with emerging cybersecurity companies, attend our Woman in Cyber Executive Panel discussion, watch a live demo of the Synack Platform or explore one of the many cosmic parties that’ll feature drinks, food and music that’s out of this world. Click here for a full list of events.

Local files

The Record: Welcome to another U.S. election cycle, complete with Russian interference! Microsoft said this week that, as The Record put it, “Russia’s disinformation operations around the U.S. elections have ramped up over the last month-and-a-half after a relatively slow start compared to previous cycles” with an eye towards reducing American support for helping Ukraine rebuff the country’s invasion.

Wired: A few weeks ago I said the Cyber Safety Review Board was “all bark, no bite” on Microsoft. This week, Eric Geller made the case in Wired that the entire U.S. government “has a Microsoft problem” that it shows no signs of solving any time soon. 

BleepingComputer: BlackBerry said this week that a threat group known as FIN7, Carbon Spider and Sangria Tempest “targeted a large U.S. car maker with spear-phishing emails for employees in the IT department to infect systems with the Anunak backdoor” as part of what appeared to be a ransomware attack that failed. (For more on FIN7, check out this Mandiant report from 2022.)

Off-script

This is fast becoming the “comics corner,” but so many of the other topics I consider are either absolute bummers or threats to my already-high blood pressure, so please bear with me for a while.

I read the “Invincible” comic series by Robert Kirkman, Cory Walker and Ryan Ottley in 2019. There were some questionable story arcs, but for the most part, I thought it was an interesting take on a superhero comic that spends nearly as much time playing with the genre’s tropes as it does following them.


Amazon’s animated adaptation of the comic debuted in 2021. I made it through a few episodes when they debuted, but ultimately decided not to finish it out. Then a friend recommended that I give the show another shot, so I watched the rest of the first season, and have made it through half of the second.

It’s a fine show! Some of the voices continue to annoy me—and others are weird simply because they’re so recognizable from other shows—but overall it’s a good adaptation. Check it out, as long as you’re willing to put up with more blood, gore and swearing than most animated superhero shows.