Knotweed Group Is Linked to Spyware Vendor Targeting Law Firms, Banks and Consultancies
Lawmakers are alarmed by mercenary spyware, EU staff were compromised by Pegasus spyware, WordFly ransomware attack hinders arts organizations worldwide, reward for NK bad actors' info doubles, more
Metacurity is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.
Microsoft has linked a threat group known as Knotweed to an Austrian spyware vendor also operating as a cyber mercenary outfit named DSIRF that targets European and Central American entities using a malware toolset dubbed Subzero.
Some Knotweed attacks observed by Microsoft have targeted law firms, banks, and strategic consultancy organizations worldwide, including Austria, the United Kingdom, and Panama. "To limit these attacks, we issued a software update to mitigate the use of vulnerabilities and published malware signatures that will protect Windows customers from exploits Knotweed was using to help deliver its malware," said Cristin Goodwin, General Manager at Microsoft's Digital Security Unit. (Sergiu Gatlan / Bleeping Computer)
Related: Microsoft, The Register, Security Week, Reuters, Ars Technica, Decipher, Neowin, PCMag.com, The Verge, Reddit - cybersecurity, Teiss, IT Security Guru, Techradar, Silicon Republic, Security Affairs, CyberNews, NDTV Gadgets360.com, Forbes, TechWorm
During a House hearing on foreign commercial spyware, Representative Adam Schiff (D-CA), Chairman of the House Intelligence Committee, said he is alarmed by the proliferation of powerful spyware that “can be used against every member of this committee or in the executive branch, every journalist and political activist, every American citizen, every citizen of the world with an electronic device.”
During the hearing, John Scott-Railton, a researcher at the University of Toronto’s Citizen Lab, which has conducted extensive research on the spyware market, told Schiff and his committee that not enough has been done to date and urged them to act more quickly and decisively moving forward. “It has taken us too long to have this conversation … and now we must make sure it moves at the pace of proliferation.” (Suzanne Smalley / Cyberscoop)
The European Union found evidence that NSO Group’s Pegasus spyware compromised smartphones used by some of its staff.
In a July 25 letter sent to European lawmaker Sophie in ‘t Veld, EU Justice Commissioner Didier Reynders said iPhone maker Apple had told him in 2021 that his iPhone had possibly been hacked using Pegasus. Although an investigation of Reynders’ personal and professional devices did not find conclusive proof that Reynders' or EU staff phones were hacked, investigators discovered indicators of compromise. (Raphael Satter / Reuters)
The House passed the Energy Cybersecurity University Leadership Program Act to address the rise of cyber threats against energy infrastructure in the United States.
Co-sponsored by Representatives Deborah Ross (D-NC) and Mike Carey (R-OH), the bill was part of a block of bills that passed in a 336-90 vote. Also included in the block was the Reporting Attacks from Nations Selected for Oversight and Monitoring Web Attacks and Ransomware from Enemies (RANSOMWARE) Act which would require the FTC to submit biennial reports on ransomware incidents and other foreign cyber attacks on U.S. organizations. (Ines Kagubare / The Hill)
A ransomware gang has taken down WordFly, a mailing list provider for top arts organizations, among others, and siphoned data belonging to the US-based Smithsonian, Canada's Toronto Symphony Orchestra, and the Courtauld Institute of Art in London.
Although WordFly’s site is down, on a separate site, the company said, "Please plan accordingly if you need to send email before Aug. 1.” During the attack, the malicious actors stole customers' email addresses and "other data" used by those organizations to communicate with their fans via WordFly. (Jessica Lyons Hardcastle / The Register)
The U.S. State Department has increased rewards paid to anyone providing information on any North Korean-sponsored threat groups' members to $10 million, double the $5 million it offered last March.
One month after dangling the $5 million reward, the FBI linked the largest crypto hack to two North Korean hacking groups, Lazarus and BlueNorOff (aka APT38), saying they were responsible for the theft of $620 million in Ethereum from Axie Infinity's Ronin network bridge. (Sergiu Gatlan / Bleeping Computer)
Researchers at IronNet say that a new phishing-as-a-service (PhaaS) platform named Robin Banks has been launched, offering ready-made phishing kits targeting the customers of well-known banks and online services.
The targeted entities include Citibank, Bank of America, Capital One, Wells Fargo, PNC, U.S. Bank, Lloyds Bank, the Commonwealth Bank in Australia, and Santander. Robin Banks also offers templates to steal Microsoft, Google, Netflix, and T-Mobile accounts. (Bill Toulas / Bleeping Computer)
Google Privacy Sandbox vice president Anthony Chavez says in a blog post that his company now intends “to begin phasing out third-party cookies in Chrome in the second half of 2024” instead of the planned 2022.
Regulatory pressure spurred a previous delay that pushed the window into 2023, but its current development approach (if not the underlying technology, so far) does have approval from the UK’s Competition and Markets Authority (CMA). Google is testing a new set of APIs (including some you may have heard of, like Fledge or Topics API) that it claims can strike a balance between preserving privacy and continuing to enable the online advertising economy that is the core of its business. (Richard Lawler / The Verge)
The Cyber AB, formerly known as the CMMC Accreditation Body, which oversees accreditations under the Defense Department’s new Cybersecurity Maturity Model Certification program, has given defense contractors the green light to undertake voluntary CMMC assessments as they await a final rule from the DOD.
The Cyber AB issued a draft document Tuesday detailing the assessment process that third-party organizations will need to follow in certifying that DOD contractors can securely handle the department’s sensitive information, as will soon be required by the CMMC program. (Billy Mitchell / Fedscoop)
App makers are increasingly experiencing the consequences of software self-sabotage as a means of protest, turning software into “protestware.”
For example, Markus Unterwaditzer, the developer of the widely used atomicwrites Python library, temporarily deleted his code from the popular code registry PyPI after the site said it would mandate two-factor authentication for maintainers of “critical projects,” projects that fell into the top 1% of all downloads on the registry. And Marak Squires, developer of the npm projects colors and faker, intentionally broke his own packages so that they began printing gibberish text on users’ screens, corrupting his own work to send a message of protest to big corporations.
“The conversation around ‘protestware’ is really a conversation about software supply chain security. You can’t trust what you can’t verify,” Dan Lorenc, co-founder and chief executive of Chainguard, said. (Ax Sharma / TechCrunch)
Naomi Yusupov, a Chinese intelligence analyst at threat intelligence firm Cybersixgill, says that the availability of supposedly hacked Chinese data on the dark web appears to have surged in recent weeks on the heels of the massive Shanghai National Police breach, which was one of the largest ever recorded.
Between March and June, an average of 14 monthly leaks from Chinese entities were posted to BreachForums. But in the first 15 days of July, the total jumped to 25, setting a pace for more than 50. (AJ Vicens / Cyberscoop)
The Spanish police announced the arrest of two hackers believed to be responsible for cyberattacks on the country's radioactivity alert network (RAR), which took place between March and June 2021.
The two hackers arrested are former workers of a company contracted by the General Directorate of Civil Protection and Emergencies (DGPGE) to maintain the RAR system, so they had a deep knowledge of its operation and how to deliver an effective cyberattack. The RAR hackers gained illegitimate access to DGPGE's network and attempted to delete the RAR management web application in the control center.
In parallel, the duo launched individual attacks against sensors, taking down 300 out of 800 spread across Spain, essentially breaking their link to the control center and disrupting the data exchange. (Bill Toulas / Bleeping Computer)
Researchers at Proofpoint say that hackers who normally distributed malware via phishing attachments with malicious macros gradually changed tactics after Microsoft Office began blocking them by default, switching to new file types such as ISO, RAR, and Windows Shortcut (LNK) attachments.
Campaign statistics for October 2021 through June 2022 identified a clear shift to other methods of payload distribution, recording a decrease of 66% in the use of macros. At the same time, the use of container files such as ISOs, ZIPs, and RARs has grown steadily, rising by almost 175%. (Bill Toulas / Bleeping Computer)
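The shift Proofpoint describes, from macro-laden documents to ISO, RAR, ZIP and LNK attachments, is easy to miss if a mail gateway only looks at file extensions, because a container or shortcut can be renamed to look like a PDF. The script below is an added example written for this newsletter item, not code from Proofpoint, Microsoft or any vendor; it identifies attachment types by their public file signatures (the ISO 9660 volume descriptor, the RAR and ZIP headers, the LNK header with its fixed CLSID, the legacy OLE header) and flags container or shortcut attachments and extension/content mismatches. The attachment names and byte strings are constructed for the demo; the `assess` and `scan_attachments` helpers are this example's own.

```python
"""Flag email attachments that are containers (ISO/RAR/ZIP) or Windows
shortcuts (LNK) by inspecting content rather than the declared name.

Added example for this item; not Proofpoint's or Microsoft's detection
logic. The signatures below are the documented magic values of each
file format; the sample attachments are constructed inline.
"""
from dataclasses import dataclass, field

# Public file signatures (format specifications, not page-specific values).
ISO_MAGIC_OFFSET = 0x8001                     # "CD001" inside the primary volume descriptor
ISO_MAGIC = b"CD001"
LNK_MAGIC = bytes.fromhex("4C000000") + bytes.fromhex("0114020000000000C000000000000046")
RAR_MAGIC = b"Rar!\x1a\x07"                   # common prefix of RAR4 and RAR5 signatures
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls container, macro-capable

# Extensions that legitimately carry each detected content type.
ACCEPTABLE_EXT = {
    "lnk": {"lnk"},
    "rar": {"rar"},
    "zip": {"zip", "jar", "docx", "xlsx", "pptx"},  # Office Open XML is ZIP-based
    "ole": {"doc", "xls", "ppt", "msi"},
    "iso": {"iso", "img"},
}
OOXML_EXT = {"docx", "xlsx", "pptx"}           # ZIP content that is a document, not an archive


def sniff(data: bytes) -> str:
    """Return the content type implied by the file signature, or 'unknown'."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC:
        return "iso"
    return "unknown"


@dataclass
class Finding:
    name: str
    detected: str
    reasons: list = field(default_factory=list)


def assess(name: str, data: bytes) -> Finding:
    """Evaluate one attachment: content type, extension mismatch, risky format."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = sniff(data)
    finding = Finding(name, kind)
    if kind == "unknown":
        return finding                         # nothing this example recognises
    if ext not in ACCEPTABLE_EXT[kind]:
        finding.reasons.append(f"extension '.{ext}' does not match content ({kind})")
    if kind == "lnk":
        finding.reasons.append("Windows shortcut (LNK) attachment")
    elif kind in ("iso", "rar") or (kind == "zip" and ext not in OOXML_EXT):
        finding.reasons.append(f"container attachment ({kind})")
    return finding


def scan_attachments(attachments) -> list:
    """Return only the findings that carry at least one reason to flag."""
    return [f for f in (assess(n, d) for n, d in attachments) if f.reasons]


# Constructed sample attachments (not real captures).
_iso_image = b"\x00" * 0x8000 + b"\x01" + ISO_MAGIC + b"\x01\x00" + b"\x00" * 64
_lnk_file = LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC))   # 76-byte ShellLinkHeader
SAMPLE_ATTACHMENTS = [
    ("invoice.iso", _iso_image),               # container, name is honest
    ("report.pdf", _lnk_file),                 # LNK disguised as a PDF
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),  # JPEG, not flagged
    ("quote.docx", ZIP_MAGIC + b"\x00" * 26),  # OOXML document, not flagged here
    ("archive.rar", RAR_MAGIC + b"\x00\x00"),  # container
    ("scan.zip", ZIP_MAGIC + b"\x00" * 26),    # container
]

if __name__ == "__main__":
    for f in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{f.name}: {f.detected} -> {'; '.join(f.reasons)}")
```

Content sniffing is the point: the renamed `report.pdf` is still recognised as a shortcut, while the ZIP-based `quote.docx` is not treated as an archive, which keeps the check from flagging every Office document.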
Israel’s National Cyber Directorate (INCD) and the United States Department of Homeland Security have joined forces with the Israel-US Binational Industrial Research and Development (BIRD) Foundation on a new cybersecurity initiative titled BIRD Cyber.
The project calls on US and Israeli companies, universities, and research institutions to develop technologies critical to preserving cybersecurity and addressing threats to critical infrastructure. BIRD Cyber will provide grants of up to $1.5 million per project and up to 50% of the research and development budgets required. (Jerusalem Post)
Convenience store chain Wawa will pay $8 million to several states over a 2019 data breach that involved around 34 million payment cards.
The Pennsylvania attorney general’s office said Wawa did not take reasonable security measures to prevent hackers from installing malware that is thought to have collected card numbers, customer names, and other data. (Associated Press)
The U.S. agency that oversees credit unions, the National Credit Union Administration (NCUA), proposed a 72-hour deadline for regulated companies to report cyberattacks.
The report would include a basic description of the cyberattack, what functions are affected, the date of the incident, what vulnerabilities may have been exploited or what tools were used, and any contact info from the hacker. NCUA will take comments until September 26. (Jonathan Greig / The Record)
After Firefox Monitor claimed that Indian digital payments leader Paytm suffered a massive data breach two years back that may have exposed the data of over 3.4 million users, the company said that the data of its users is “completely safe.”
A Paytm Mall spokesperson said that the data of “our users is completely safe” and “claims related to data leak in the year 2020 are completely false and unsubstantiated.” (Business Standard)
Blockchain security provider NDSE Cyber, which does business as Naoris Protocol, raised $11.5 million in an equity and token sale.
Backers include Tim Draper of Draper Associates, who led the round. Other investors include Holt Xchange, Holdun Family Office, SDC Management, Expert Dojo, Uniera, Level One Robotics, and multiple angel investors, including some “well-known” NBA stars and tennis players. (Mike Wheatley / Silicon Angle)
Cyber risk management and HIPAA compliance solutions vendor Clearwater completed its acquisition of TECH LOCK, allowing the company to provide 24/7 managed detection and response (MDR) services and enhance its cybersecurity and HIPAA compliance offerings.
Clearwater plans to leverage TECH LOCK’s industry-certified assessors to provide PCI, HITRUST, and CMMC assessments and certifications. (Jill McKeon / Health IT Security)
Human Security, a bot mitigation and fraud detection platform for enterprises, is merging with PerimeterX, a company focused on safeguarding web apps from account takeover and automated fraud.
The terms of the deal were not disclosed. The combined entity will comprise nearly 500 employees and eventually fall under the Human Security name once the two respective platforms are integrated. (Paul Sawers / TechCrunch)