Commit 09_19_2023: ShroudedSnooper, ShadowDragon

David Arrowsmith / Unsplash

Hello! Welcome to Commit 09_19_2023. (For more on this "Commit" thing, check out our first installment.) README senior editor Nathaniel Mott here with reports on ShroudedSnooper, ShadowDragon and other breaking cybersecurity news.

Cisco Talos: ShroudedSnooper targets Middle East telecoms

Cisco Talos today revealed a pair of implants, HTTPSnoop and PipeSnoop, that it said were used against “telecommunications providers in the Middle East.” Because neither the implants nor the associated tactics, techniques and procedures match a known threat actor, Cisco Talos attributed the activity to a new group it calls ShroudedSnooper. (The report includes additional technical detail on both implants along with the relevant indicators of compromise, which is the place for telecom defenders to start.)

Why it matters: “Telecommunications companies typically control a vast number of critical infrastructure assets, making them high-priority targets for adversaries looking to cause significant impact,” Cisco Talos said. “These entities often form the backbone of national satellite, internet and telephone networks upon which most private and government services rely. Furthermore, telecommunications companies can serve as a gateway for adversaries to access other businesses, subscribers or third-party providers.”

404 Media: ShadowDragon tracks Fortnite players, fetishists and everyone else

A combination of emails obtained via the Freedom of Information Act, “leaked audio from inside an industry event” and public comments have culminated in a 404 Media report outlining the ways a surveillance company called ShadowDragon monitors social media to provide data to Immigration and Customs Enforcement, the Drug Enforcement Administration and the State Department, among others.

404 Media said that ShadowDragon is “gathering data from video games like Fortnite and images from BabyCenter, a reference and pregnancy tracking site for new and expecting parents, as well as social media sites for Black people, bodybuilders, and the fetish community.” This is supposedly intended to help government agencies “monitor protests,” but mostly it seems to be a stark reminder that the U.S. government and its contractors are watching pretty much everything people share online.

ICC: The Hague was hacked

The International Criminal Court said today it “detected anomalous activity affecting its information systems” at the end of last week and that “immediate measures were adopted to respond to this cybersecurity incident and to mitigate its impact.” But it won’t provide additional details; the ICC ended its statement by saying that it “will not be providing further information in relation to this incident at present.”

Saying nothing further is routine for organizations in the middle of incident response, even ones that don’t have to coordinate with numerous governments as a result of an attack. But it makes the potential fallout difficult to gauge. Hopefully the ICC provides more details when its investigation concludes, and not, for example, only after someone makes a public ransom demand or starts leaking documents compromised in the attack.

SentinelLabs: Pretending to be YouTube to pwn Android devices

On Sept. 18, SentinelLabs provided your regular reminder to install Android apps from trusted sources—including the Play Store and well-maintained open source marketplaces—instead of random websites. This time it’s because a group the company tracks as Transparent Tribe, “a suspected Pakistani actor known for targeting military and diplomatic personnel in both India and Pakistan,” is reportedly distributing malicious Android apps that masquerade as YouTube to compromise its targets.

Recommendations like “individuals and organizations connected to diplomatic, military, or activist matters in the India and Pakistan regions should evaluate defense against this actor and threat” can be hard to take seriously. But there’s a reason groups like Transparent Tribe keep reusing tactics like this: they work. Someone has been, and someone always will be, compromised by installing a shady version of YouTube promoted by a fake social media persona operated by one threat actor or another.

WSJ: Clorox says ransomware cleanup will take longer than expected

I hope you’ve stocked up on bleach. The Wall Street Journal reported that Clorox said a ransomware attack it publicly disclosed in August is still disrupting its ability to ship the cleaning supplies sold under its many brands. The admission was followed by a roughly 3% drop in the company’s stock price (at time of writing).

As I pointed out yesterday, hacks against companies like MGM Resorts and Clorox are easy to dismiss at first, if only because we’ve all been hearing about ransomware attack after ransomware attack for years. But these attacks can have greater consequences than we expect. Dips in a company’s stock price? Meh. A trip to Vegas being ruined because resorts are relying on manual systems, or cleaning supplies going out of stock? Yeah, that’s probably going to get more people’s attention.

Trend Micro: China uses SprySOCKS to backdoor Linux servers

People love to rag on Mac users for thinking they don’t have to worry about malware, but Linux users often hold the same misconception. Threat actors don’t just target Windows. Trend Micro drove that point home with its recent report on a Linux backdoor, dubbed SprySOCKS, developed by a China-linked threat actor.

Trend Micro said the threat actor, tracked as Earth Lusca, “has been highly aggressive in targeting the public-facing servers of its victims by exploiting known vulnerabilities” and, in the first half of 2023, targeted “countries in Southeast Asia, Central Asia, and the Balkans (with a few scattered attacks on Latin American and African countries).” The initial access vector described here is unpatched, internet-facing services rather than anything specific to the operating system, so anyone in those regions who assumed their servers were safe because they run Linux instead of Windows should heed Trend Micro’s warning and prioritize patching public-facing systems.