TrueBot rises, a major port gets ransomwared and EVs’ cyber problem

Towfiqu barbhuiya / Unsplash

Welcome to Changelog for 7/9/23, published by Synack! Nathaniel Mott here, hoping we can all finally catch a break from the big East Coast heat wave last week. In the meantime, here’s what’s been hot in the world of cybersecurity.


The payload

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and its partners said last week that activity involving variants of the TrueBot malware downloader is on the rise throughout the U.S. and Canada.

TrueBot has been used to distribute malware since at least 2017. “When launched, it collects system information, like computer name, local network name and screen captures,” Microsoft Security Intelligence said. “TrueBot deploys additional payloads, like Cobalt Strike.”

The downloader itself was typically distributed via phishing emails until 2022, according to Cisco Talos, which said criminal groups had started deploying TrueBot by exploiting a vulnerability (CVE-2022-31199) in Netwrix Auditor in August and had started using the Raspberry Robin malware to distribute TrueBot in October. (They added a cryptic note that the company’s researchers “believe with moderate confidence that during November, the attackers started using yet another way to distribute the malware,” too.)

CISA and Co.’s advisory focused on the deployment of TrueBot via exploitation of CVE-2022-31199. “As recently as May 2023,” the agencies said, “cyber threat actors used this common vulnerability and exposure to deliver new Truebot malware variants and to collect and exfiltrate information against organizations in the U.S. and Canada.”

But those attackers aren’t only abusing Netwrix Auditor. “Based on confirmation from open-source reporting and analytical findings of Truebot variants,” the agencies said, “[we] assess cyber threat actors are leveraging both phishing campaigns with malicious redirect hyperlinks and CVE-2022-31199 to deliver new Truebot malware variants.”

The advisory includes additional information about the other malware families associated with TrueBot (which has been used to deploy mainstays like Cobalt Strike and Flawed Grace as well as custom tooling) and indicators of compromise organizations can use to hunt for TrueBot.
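Putting an advisory’s indicator list to work means normalizing it and sweeping it across whatever logs you already have. The script below is an added example (not code from the CISA advisory, Cisco Talos, or this newsletter) of that sweep: it loads a hash/domain/IP feed in the CSV shape many advisories ship, pulls observables out of key=value log lines, and reports hits, matching subdomains of a listed domain as well as the exact name. Every IOC value and log line in it is a constructed placeholder, not a real TrueBot indicator; in practice you would load the advisory’s own list.

```python
"""
Added example: a minimal IOC matcher for sweeping advisory indicators
(SHA-256 hashes, domains, IPs) across key=value endpoint/proxy logs.

All IOC values and log lines below are CONSTRUCTED placeholders, not
real TrueBot indicators. Load the advisory's own IOC list in practice.
"""
import csv
import io
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed placeholder hash: 64 hex characters, obviously not real.
PLACEHOLDER_HASH = "0" * 61 + "abc"

# Constructed IOC feed in a common type,value,note CSV layout.
IOC_CSV = (
    "type,value,note\n"
    f"sha256,{PLACEHOLDER_HASH},placeholder loader hash\n"
    "domain,example-c2.invalid,placeholder C2 domain\n"
    "ip,192.0.2.10,placeholder C2 address (TEST-NET-1)\n"
)

# Constructed log lines in a generic key=value export format.
SAMPLE_LOGS = [
    "ts=2023-05-02T10:01:00Z host=ws01 event=process_create "
    f"sha256={PLACEHOLDER_HASH.upper()} image=C:\\Users\\a\\AppData\\Local\\Temp\\update.exe",
    "ts=2023-05-02T10:01:05Z host=ws01 event=dns query=sub.example-c2.invalid",
    "ts=2023-05-02T10:01:07Z host=ws01 event=net dst=192.0.2.10:443",
    "ts=2023-05-02T10:02:00Z host=ws02 event=http url=https://www.example.com/index.html",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
HEX64 = re.compile(r"^[0-9a-f]{64}$")


def load_iocs(csv_text):
    """Parse the feed into lowercase sets per type, rejecting malformed entries."""
    iocs = {"sha256": set(), "domain": set(), "ip": set()}
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = row["type"].strip().lower()
        value = row["value"].strip().lower().rstrip(".")
        if kind == "sha256" and not HEX64.match(value):
            raise ValueError(f"bad sha256 in feed: {value!r}")
        if kind == "ip":
            ipaddress.ip_address(value)  # raises ValueError if not an IP
        if kind not in iocs:
            raise ValueError(f"unknown IOC type: {kind!r}")
        iocs[kind].add(value)
    return iocs


def observables(line):
    """Extract (type, value) candidates from one key=value log line."""
    out = []
    for key, val in KV_RE.findall(line):
        if key == "sha256":
            out.append(("sha256", val.lower()))
        elif key == "query":  # DNS query name
            out.append(("domain", val.lower().rstrip(".")))
        elif key == "url":  # hostname component of a proxied URL
            host = urlsplit(val).hostname
            if host:
                out.append(("domain", host))
        elif key == "dst":  # "addr:port"; IP if it parses, else a hostname
            hostpart = val.rsplit(":", 1)[0] if ":" in val else val
            try:
                out.append(("ip", str(ipaddress.ip_address(hostpart))))
            except ValueError:
                out.append(("domain", hostpart.lower()))
    return out


def _domain_hit(name, domains):
    """Return the listed domain that name equals or is a subdomain of, else None."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def hunt(iocs, lines):
    """Return (line_no, ioc_type, matched_ioc) for every indicator hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, val in observables(line):
            if kind in ("sha256", "ip") and val in iocs[kind]:
                hits.append((n, kind, val))
            elif kind == "domain":
                matched = _domain_hit(val, iocs["domain"])
                if matched:
                    hits.append((n, "domain", matched))
    return hits


if __name__ == "__main__":
    for hit in hunt(load_iocs(IOC_CSV), SAMPLE_LOGS):
        print(hit)
```

Hashes are compared case-insensitively and domains by label suffix, since a C2 domain in an advisory will usually show up in DNS logs under a subdomain; a match on a parent domain is still only a lead, so treat hits as triage input rather than a verdict.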

The week, compiled

The U.S. didn’t have an Independence Day repeat of the Kaseya hack of 2021, but on the other side of the Pacific, the Port of Nagoya in Japan had to suspend operations from July 4–6 because of a ransomware attack.

The Mainichi reported on July 5 that LockBit was responsible for the attack, which left port workers “unable to load and unload containers from trailers.” That could have proven quite disruptive, since Nagoya has reportedly been Japan’s largest port since 2002, but Bloomberg reported that the port started to resume operations the afternoon of July 6.

CHUTTERSNAP / Unsplash

This isn’t the first time Russia-based attackers have targeted Nagoya. Japan Times said that Killnet — the group that launched distributed denial of service (DDoS) attacks on the websites of U.S. airports in October 2022 — targeted the Nagoya Harbor Transportation Association’s website in 2022. (Which was decidedly less impactful than this ransomware attack.)

Bloomberg noted that ransomware gangs have been targeting these shipping hubs for years, with attacks on ports in Portugal, India and South Africa looking to disrupt operations from late 2021 to now. And one of the most high-profile ransomware attacks to date, NotPetya, led “the world’s largest shipping conglomerate […] to lose its mind” in June 2017.

Fortunately there wasn’t a repeat of NotPetya on July 4. This attack was limited to a specific port, and unlike NotPetya, it disrupted operations for a few days rather than a few weeks.

Also from last week:

Wired: Lackluster security for electric vehicle chargers could have serious implications, Wired and Grist reported this week, thanks to “sprawling vulnerabilities in internet-connected home and public charging hardware that could expose customer data, compromise Wi-Fi networks, and, in a worst-case scenario, bring down power grids.”

BleepingComputer: Surprise! Progress Software advised MOVEit Transfer users to upgrade to a new version of the software because a trio of vulnerabilities — one critical, two less severe — have been discovered weeks after the initial SQL injection vulnerability drew attention to the product.

RBN: Interpol announced last week that a collaborative effort between numerous agencies and security firms had led to the arrest of an unidentified man said to be affiliated with OPERA1ER, which Risky Biz News described as “one of the few cybercrime groups to repeatedly target African countries” with a combination of business email compromise, phishing and malware.

A message from Synack

Dive deep into the top software flaws of 2022 in Synack’s inaugural State of Vulnerabilities report. Researchers on the elite Synack Red Team uncovered a record 14,800 exploitable vulnerabilities across Synack targets last year, ranging from authentication failures to SQL injections. The report shares insights into the root causes of these security gaps. Learn how Synack finds the vulnerabilities that matter and check out the full report here.

Flash memory

It’s hard to imagine using a computer without a keyboard. Yet that’s exactly what people did until July 4, 1956, when the first keyboard was hooked up to the MIT Whirlwind vacuum tube computer developed for the U.S. Navy.

“Direct keyboard input on computers debuted on MIT’s Whirlwind, which had been completed five years earlier,” Computer History Museum said in a retrospective post. “The now-common method of input was revolutionary at a time when programmers offered instructions to machines by inserting punched cards and changing dials and switches.”

The keyboard was a prerequisite for personal computing. Early adopters proved willing to navigate their devices without a mouse (demonstrated by Douglas Engelbart in 1968 and shipped with the Xerox Alto in 1973), but doing so without a keyboard is somewhere between infuriating and impossible. (Especially if you don’t cheat by using an onscreen keyboard.) The click-clack is central to our modern tech stack.

So thanks, MIT, for hooking up a keyboard to the Whirlwind.

Local files

The Record: Proofpoint said this week an Iran-linked threat actor it tracks as TA453 is targeting “experts in Middle Eastern affairs and nuclear security” with malware for Windows and macOS devices alike and using “Google Scripts, Dropbox and CleverApps to disrupt the efforts of threat hunters.”

TechCrunch: The UK’s Online Safety Bill attracted further criticism this week as 68 security and privacy researchers penned an open letter saying “this act undermines privacy guarantees and, indeed, safety online.” (The bill is unpopular among Apple, Signal and many others besides.)

Off-script

It’s been almost 13 years since Instagram was released to give people a way to share filtered photos taken with low-quality smartphone cameras. Apparently that’s old enough for Facebook to hold the service hostage as it attempts to join the fediverse with its Twitter-like app, Threads.

Immo Wegmann / Unsplash

The New York Times reported that Threads was downloaded more than 30 million times in just 16 hours — even though it’s only available in the U.S. Facebook hasn’t said why the launch was restricted to America, but it might have something to do with the preposterous amount of information Threads can collect about its users, which ranges from employment data and location to web activity and biometric data.

Oh, and there’s no way to delete a Threads account without deleting the associated Instagram account. Facebook has effectively taken its only service people still like — rather than tolerate so they can keep up with their boomer relatives and acquaintances from high school — and made it a load-bearing wall for an invasive Twitter clone that has some folks worried about the fediverse as a whole. (Even if they probably shouldn’t be.)

At least Facebook’s got Elon Musk all a-tizzy in the process.

That’s all for now — please send any feedback to nmott@synack.com or bsobczak@synack.com. See you next Sunday!