Metacurity

Knotweed Group Is Linked to Spyware Vendor Targeting Law Firms, Banks and Consultancies
metacurity.substack.com

Lawmakers are alarmed by mercenary spyware, EU staff were compromised by Pegasus spyware, a WordFly ransomware attack hinders arts organizations worldwide, the reward for information on North Korean threat actors doubles, more

Cynthia Brumfield
Jul 28

Microsoft has linked a threat group known as Knotweed to an Austrian spyware vendor also operating as a cyber mercenary outfit named DSIRF that targets European and Central American entities using a malware toolset dubbed Subzero.

Some Knotweed attacks observed by Microsoft have targeted law firms, banks, and strategic consultancy organizations worldwide, including Austria, the United Kingdom, and Panama. "To limit these attacks, we issued a software update to mitigate the use of vulnerabilities and published malware signatures that will protect Windows customers from exploits Knotweed was using to help deliver its malware," said Cristin Goodwin, General Manager at Microsoft's Digital Security Unit. (Sergiu Gatlan / Bleeping Computer)

Related: Microsoft, The Register, Security Week, Reuters, Ars Technica, Decipher, Neowin, PCMag.com, The Verge, Reddit - cybersecurity, Teiss, IT Security Guru, Techradar, Silicon Republic, Security Affairs, CyberNews, NDTV Gadgets360.com, Forbes, TechWorm

Sean Lyngaas (@snlyngaas), July 27th 2022:
An #Austria-based firm that hawks “highly sophisticated Red Teams to challenge your company’s most critical assets” is really developing exploits that have been used against law firms, banks & “strategic consultancies” in Europe and Panama, per MSFT
Linked: “Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits” (Microsoft Security Blog): MSTIC and MSRC disclose technical details of a private-sector offensive actor (PSOA) tracked as KNOTWEED using multiple Windows and Adobe 0-day exploits, including one for the recently patched CVE-2022-22047, in limited and targeted attacks against European and Central American customers. microsoft.com
Thomas Brewster (@iblametom), July 27th 2022:
"Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama." Very, very interesting.

Quoting Microsoft Security Intelligence (@MsftSecIntel):
Microsoft discovered and patched a 0-day exploit (CVE-2022-22047) that #KNOTWEED, an Austria-based private sector offensive actor, used to deploy #Subzero malware. Analysis of campaigns, tactics, & payloads in this #MSTIC blog w/ @msftsecresponse @RiskIQ: https://t.co/9QZbKSo9FA
Cristin Flynn Goodwin (@CristinGoodwin), July 27th 2022:
Continuing the fight against cyberweapons and surveillance is important. Today, we announced a disruption against a private sector actor we call KNOTWEED and filed testimony in support of the House Permanent Select Committee on Intelligence hearing. Info:
Linked: “Continuing the fight against private sector cyberweapons” (Microsoft On the Issues): Today, Microsoft is announcing the disruption of the use of certain cyberweapons created and sold by a group we call Knotweed. blogs.microsoft.com

During a House hearing on foreign commercial spyware, Representative Adam Schiff (D-CA), Chairman of the House Intelligence Committee, said he is alarmed by the proliferation of powerful spyware that “can be used against every member of this committee or in the executive branch, every journalist and political activist, every American citizen, every citizen of the world with an electronic device.”

During the hearing, John Scott-Railton, a researcher at the University of Toronto’s Citizen Lab, which has conducted extensive research on the spyware market, told Schiff and his committee that not enough has been done to date and urged them to act more quickly and decisively moving forward. “It has taken us too long to have this conversation … and now we must make sure it moves at the pace of proliferation.” (Suzanne Smalley / Cyberscoop)

Related: Gizmodo, DataBreachToday.com, The Register, Decipher, Motherboard, The Record

The European Union found evidence that NSO Group’s Pegasus spyware compromised smartphones used by some of its staff.

In a July 25 letter sent to European lawmaker Sophie in ‘t Veld, EU Justice Commissioner Didier Reynders said iPhone maker Apple had told him in 2021 that his iPhone had possibly been hacked using Pegasus. Although an investigation of Reynders’ personal and professional devices did not find conclusive proof that Reynders' or EU staff phones were hacked, investigators discovered indicators of compromise. (Raphael Satter / Reuters)

Related: The Times of Israel, The Hill, EUObserver

The House passed the Energy Cybersecurity University Leadership Program Act to address the rise of cyber threats against energy infrastructure in the United States.

Co-sponsored by Representatives Deborah Ross (D-NC) and Mike Carey (R-OH), the bill was part of a block of bills that passed in a 336-90 vote. Also included in the block was the Reporting Attacks from Nations Selected for Oversight and Monitoring Web Attacks and Ransomware from Enemies (RANSOMWARE) Act which would require the FTC to submit biennial reports on ransomware incidents and other foreign cyber attacks on U.S. organizations. (Ines Kagubare / The Hill)

Related: SC Magazine, Urgent Comms, The Record by Recorded Future

A ransomware gang has taken down WordFly, a mailing list provider for top arts organizations, among others, and siphoned data belonging to the US-based Smithsonian, Canada's Toronto Symphony Orchestra, and the Courtauld Institute of Art in London.

Although WordFly’s own site is down, the company said on a separate site, "Please plan accordingly if you need to send email before Aug. 1.” During the attack, the malicious actors stole customers' email addresses and "other data" that those organizations used to communicate with their fans via WordFly. (Jessica Lyons Hardcastle / The Register)

Related: Security Week, Cybernews, Smithsonian, IT World Canada, Insurance Business America, CRN Australia, Wordfly, Sydney Dance Company, The Courtauld

The U.S. State Department has increased rewards paid to anyone providing information on any North Korean-sponsored threat groups' members to $10 million, double the $5 million it offered last March.

One month after dangling the $5 million reward, the FBI linked the largest crypto hack to two North Korean hacking groups, Lazarus and BlueNorOff (aka APT38), saying they were responsible for the theft of $620 million in Ethereum from Axie Infinity's Ronin network bridge. (Sergiu Gatlan / Bleeping Computer)

Related: DataBreachToday.com, Dark Reading, Security Week, The Hacker News

Rewards for Justice (@RFJ_USA), July 26th 2022:
REWARD! Up to $10M 💰for information on DPRK-linked malicious #cyber activity & #cyberthreat actors. Got a tip on the Lazarus Group, Kimsuky, Bluenoroff, Andariel, or others? Send it to RFJ via our TOR-based tip line.
rfj.tips/d320b9

Researchers at IronNet say that a new phishing-as-a-service (PhaaS) platform named Robin Banks has been launched, offering ready-made phishing kits targeting the customers of well-known banks and online services.

The targeted entities include Citibank, Bank of America, Capital One, Wells Fargo, PNC, U.S. Bank, Lloyds Bank, the Commonwealth Bank in Australia, and Santander. Robin Banks also offers templates to steal Microsoft, Google, Netflix, and T-Mobile accounts. (Bill Toulas / Bleeping Computer)

Related: IronNet

Google Privacy Sandbox vice president Anthony Chavez says in a blog post that his company now intends “to begin phasing out third-party cookies in Chrome in the second half of 2024” instead of the planned 2022.

Regulatory pressure spurred a previous delay that pushed the window into 2023, but its current development approach (if not the underlying technology, so far) does have approval from the UK’s Competition and Markets Authority (CMA). Google is testing a new set of APIs (including some you may have heard of, like Fledge or Topics API) that it claims can strike a balance between preserving privacy and continuing to enable the online advertising economy that is the core of its business. (Richard Lawler / The Verge)

Related: Neowin, WebProNews, Slashdot, geekinteger, Silicon Republic, Mobile Syrup, The Register, Google

The Cyber AB, formerly known as the CMMC Accreditation Body that oversees accreditations under the Defense Department’s new Cybersecurity Maturity Model Certification program, has given defense contractors the greenlight to undertake voluntary CMMC assessments as they await a final rule from the DOD.

The Cyber AB issued a draft document Tuesday detailing the assessment process that third-party organizations will need to follow in certifying that DOD contractors can securely handle the department’s sensitive information, as will soon be required by the CMMC program. (Billy Mitchell / Fedscoop)

Related: InsideDefense.com, Reddit - cybersecurity, Cyber AB

App makers are increasingly experiencing the consequences of software self-sabotage as a means of protest, turning software into “protestware.”

For example, Markus Unterwaditzer, the developer of the widely used atomicwrites Python library, temporarily deleted his code from the popular code registry PyPI after the site said it would mandate two-factor authentication for maintainers of “critical projects,” meaning projects in the top 1% of all downloads on the registry. And Marak Squires, developer of the npm projects colors and faker, deliberately corrupted his own packages so that they printed gibberish text on users’ screens, to send a message of protest to big corporations.

“The conversation around ‘protestware’ is really a conversation about software supply chain security. You can’t trust what you can’t verify,” Dan Lorenc, the co-founder, and chief executive at Chainguard, said. (Ax Sharma / TechCrunch)

Ilkka Turunen (@llkkaT), July 28th 2022:
One of the unique phenomena of the software supply chain is that sometimes maintainers want to send a message and protest using their package. A fascinating article by @Ax_Sharma deep diving into this phenomenon
Linked: “Protestware on the rise: Why developers are sabotaging their own code” (TechCrunch): A wave of software developers have self-sabotaged their code to protest big corporations to Russia’s war in Ukraine. techcrunch.com

Naomi Yusupov, a China-focused intelligence analyst at threat intelligence firm Cybersixgill, says that the availability of supposedly hacked Chinese data on the dark web appears to have surged in recent weeks on the heels of the massive Shanghai National Police breach, which was one of the largest ever recorded.

Between March and June, an average of 14 monthly leaks from Chinese entities were posted to BreachForums. But in the first 15 days of July, the total jumped to 25, setting a pace for more than 50. (AJ Vicens / Cyberscoop)

Related: Cybersixgill

The Spanish police announced the arrest of two hackers believed to be responsible for cyberattacks on the country's radioactivity alert network (RAR), which took place between March and June 2021.

The two hackers arrested are former workers of a company contracted by the General Directorate of Civil Protection and Emergencies (DGPGE) to maintain the RAR system, so they had a deep knowledge of its operation and how to deliver an effective cyberattack. The RAR hackers gained illegitimate access to DGPGE's network and attempted to delete the RAR management web application in the control center.

In parallel, the duo launched individual attacks against sensors, taking down 300 out of 800 spread across Spain, essentially breaking their link to the control center and disrupting the data exchange. (Bill Toulas / Bleeping Computer)

Related: The Record, Policia Nacional

Researchers at Proofpoint say that threat actors who normally distributed malware via phishing attachments carrying malicious macros gradually changed tactics after Microsoft Office began blocking those macros by default, switching to other file types such as ISO and RAR container files and Windows Shortcut (LNK) attachments.

Proofpoint's campaign statistics for October 2021 through June 2022 show a clear shift to other methods of payload distribution, with a 66% decrease in the use of macros. Over the same period, the use of container files such as ISOs, ZIPs, and RARs grew steadily, rising by almost 175%. (Bill Toulas / Bleeping Computer)

Related: ComputerWeekly: IT security, The Stack, The Tech Outlook, Bleeping Computer, Proofpoint
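An LNK attachment is dangerous because the shortcut's target and command-line arguments are what actually execute when the user double-clicks it, and those strings are easy to pull out of the file before it ever reaches a user. The inspector below is an added example written for this newsletter, not code from Proofpoint or from the article: it parses the ShellLinkHeader and StringData sections of the MS-SHLLINK format, skips the optional LinkTargetIDList and LinkInfo structures, and flags shortcuts whose target or arguments name a script host. The sample shortcut is constructed inline by `build_lnk` (it is not a captured sample), and the list of script hosts in `SUSPICIOUS_HOSTS` is an assumed detection list for illustration.

```python
"""Minimal Windows Shell Link (.lnk) inspector.

Added example, not Proofpoint's or the article's code. Parses the
ShellLinkHeader and StringData sections described in MS-SHLLINK and
flags shortcuts that launch a script host, the usual payload of LNK
attachments sent in place of macro-enabled documents.
"""
import struct

# LinkFlags bits from MS-SHLLINK section 2.1.1 (ShellLinkHeader).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# CLSID 00021401-0000-0000-C000-000000000046, little-endian on disk.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Assumed detection list (hypothetical, for illustration): living-off-the-land
# binaries commonly launched from malicious shortcuts.
SUSPICIOUS_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta",
                    "wscript", "cscript", "rundll32", "regsvr32")


def _read_string(buf, off, unicode):
    """Read one StringData entry: 2-byte char count, then the characters."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode:
        raw = buf[off:off + count * 2]
        return raw.decode("utf-16-le"), off + count * 2
    raw = buf[off:off + count]
    return raw.decode("latin-1"), off + count


def parse_lnk(buf):
    """Return the StringData fields of a shell link as a dict."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", buf, 0)
    if header_size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a Windows shell link")
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize + IDList
        (id_list_size,) = struct.unpack_from("<H", buf, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        (link_info_size,) = struct.unpack_from("<I", buf, off)
        off += link_info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    # StringData entries appear in this fixed order, each only if flagged.
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            fields[name], off = _read_string(buf, off, unicode)
    return fields


def is_suspicious(fields):
    """True if the target path or arguments name a script host."""
    target = (fields.get("relative_path", "") + " " +
              fields.get("arguments", "")).lower()
    return any(host in target for host in SUSPICIOUS_HOSTS)


def build_lnk(relative_path, arguments):
    """Constructed sample: header plus two StringData entries, no IDList/LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize,
    # IconIndex, ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1..3.
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    malicious = build_lnk(r"..\..\Windows\System32\cmd.exe",
                          "/c powershell -w hidden -nop -c notepad")
    benign = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", "")
    for label, sample in (("malicious", malicious), ("benign", benign)):
        fields = parse_lnk(sample)
        print(label, fields, "suspicious" if is_suspicious(fields) else "clean")
```

Run it against real attachments by reading the file bytes and passing them to `parse_lnk`; shortcuts that carry a LinkTargetIDList instead of a relative path store the target in the IDList, which this inspector skips rather than decodes, so treat an empty `relative_path` together with script-host arguments as still worth a look. The ISO side of the same shift deserves its own check: files unpacked from a mounted ISO did not, at the time of this story, carry the Mark-of-the-Web that triggers the macro block and SmartScreen, so blocking or detonating ISO and IMG attachments at the mail gateway closes the gap the attackers were exploiting.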

Israel’s National Cyber Directorate (INCD) and the United States Department of Homeland Security have joined forces with the Israel-US Binational Industrial Research and Development (BIRD) Foundation on a new cybersecurity initiative titled BIRD Cyber.

The project calls on US and Israeli companies, universities, and research institutions to develop technologies that address cyber threats to critical infrastructure. BIRD Cyber will provide grants of up to $1.5 million per project, covering up to 50% of the research and development budget required. (Jerusalem Post)

Related: PR Newswire, The Times of Israel

Convenience store chain Wawa will pay $8 million to several states over a 2019 data breach that involved around 34 million payment cards.

The Pennsylvania attorney general’s office said Wawa did not take reasonable security measures to prevent hackers from installing malware that is thought to have collected card numbers, customer names, and other data. (Associated Press)

Related: WGAL, The Philadelphia Inquirer, WAVY.com, 6ABC, NJ.com

The U.S. agency that oversees credit unions, the National Credit Union Administration (NCUA), proposed a 72-hour deadline for regulated companies to report cyberattacks.

The report would include a basic description of the cyberattack, what functions are affected, the date of the incident, what vulnerabilities may have been exploited or what tools were used, and any contact info from the hacker. NCUA will take comments until September 26. (Jonathan Greig / The Record)

Related: SC Magazine, Federal Register

After Firefox Monitor claimed that Indian digital payments leader Paytm suffered a massive data breach two years back that may have exposed the data of over 3.4 million users, the company said that the data of its users is “completely safe.”

A Paytm Mall spokesperson said that the data of “our users is completely safe” and “claims related to data leak in the year 2020 are completely false and unsubstantiated.” (Business Standard)

Related: INC42, New Indian Express, Gadgets Now

Blockchain security provider NDSE Cyber, which does business as Naoris Protocol, raised $11.5 million in an equity and token sale.

Backers include Tim Draper of Draper Associates, who led the round. Other investors include Holt Xchange, Holdun Family Office, SDC Management, Expert Dojo, Uniera, Level One Robotics, and multiple angel investors, including some “well-known” NBA stars and tennis players. (Mike Wheatley / Silicon Angle)

Related: Coindesk, Startups News, HackRead

Cyber risk management and HIPAA compliance solutions vendor Clearwater completed its acquisition of TECH LOCK, allowing the company to provide 24/7 managed detection and response (MDR) services and enhance its cybersecurity and HIPAA compliance offerings.

Clearwater plans to leverage TECH LOCK’s industry-certified assessors to provide PCI, HITRUST, and CMMC assessments and certifications. (Jill McKeon / Health IT Security)

Related: Techlock, Clearwater

Human Security, a bot mitigation and fraud detection platform for enterprises, is merging with PerimeterX, a company focused on safeguarding web apps from account takeover and automated fraud.

The terms of the deal were not disclosed. The combined entity will comprise nearly 500 employees and eventually fall under the Human Security name once the two respective platforms are integrated. (Paul Sawers / TechCrunch)

Related: Geektime, Cybersecurity Insiders, TechCrunch

© 2022 DCT Associates