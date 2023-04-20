

Welcome to The Cybersecurity 202! A timeless question: Which superpower would you have if you could have one? I tend to cheat by saying “the power cosmic,” because it’s so vague and “whatever we think the story needs.” But I’m curious what our readers say. Reading this online? Sign up for The Cybersecurity 202 to get scoops and sharp analysis in your inbox each morning.

Below: The U.K. has a warning about the spyware market, and Twitter suspends a journalist after he tweets a story about an account being hacked. First:

Mandiant for the first time sees a ‘software supply chain attack lead to another software supply chain attack’

A recent massive hack that hit a popular provider of internet-enabled voice calls has an echo problem, it turns out.

The compromise of that provider, 3CX, was a so-called supply-chain attack, which is when hackers compromise a vendor to gain access to other targets. Cybersecurity firm Mandiant, which investigated that attack for 3CX, said that the supply-chain attack originated with another, prior supply-chain attack.


“This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack,” the Google-owned cyber company said in a blog post today.

Major attacks on vendors have frequently shown how far supply-chain attacks can stretch from their initial intrusion. The SolarWinds breach made headlines in 2021 for spreading to U.S. agencies and major tech companies, and the Kaseya breach that same year might have claimed more than 1,000 victims.

The 3CX attack, however, initially appeared to be short-lived, thanks to quick work from government agencies and the private sector, even as experts warned there could be more fallout to come. Mandiant’s report suggests that might be the case.

To have a supply-chain cyberattack that is the result of a separate supply-chain hack is “a very novel and interesting and quite scary threat,” Charles Carmakal, chief technology officer at Mandiant, told reporters in a Wednesday briefing.

About that threat …

Mandiant Consulting — the wing of the company that responds to cyber incidents — said a 3CX employee had installed malware-infected software from a previous victim of a supply-chain attack, trading software provider Trading Technologies. That malware installed a backdoor into the employee’s computer, then stole their credentials, thus granting the hackers high-level access to 3CX’s system and the ability to deploy more malware tools.


A North Korean hacking group compromised both 3CX and Trading Technologies, Mandiant concluded. “This really illustrates the increased cyberoffensive capabilities of the North Korean and North Korean-nexus threat actors,” Carmakal said. The group in question, which Mandiant calls UNC4736, historically has heavily targeted cryptocurrency companies.

Mandiant said it notified Trading Technologies about what it discovered earlier this month. The product in question was actually retired in 2020 but was still available for download on the company’s website until 2022, according to Carmakal. That does somewhat limit the potential negative impact, he said.

It’s not clear how far the impact of either supply-chain attack has extended, Carmakal said. 3CX claims more than 12 million daily users.

Overall, “we don’t have great visibility into who the downstream victims are,” Carmakal said. “We think over time we’ll get better visibility into downstream victims. I think there’s just a number of victims that don’t yet know they’re compromised. … We’re still in the early days, and sometimes it takes weeks or months for victims to discover they’re compromised.


“The biggest threat is how many organizations were compromised over the past, say 12 months or so, don’t know it yet, and that something potentially more damaging could happen,” he said.

As the report states, “It shows the potential reach of this type of compromise, particularly when a threat actor can chain intrusions as demonstrated in this investigation.”

“The use of software supply chain compromises also demonstrates that the regime-backed operators can leverage network accesses in creative ways to distribute malware, a certain degree of sophistication to develop modular malware, cross over into other verticals, and enable follow-on intrusion campaigns for a wide range of offensive operations aligned with North Korea’s regime interests and priorities,” the report reads.

A bit more on North Korea

Russian cybersecurity firm Kaspersky previously concluded that the hackers behind the 3CX attack had a “surgical” focus on cryptocurrency firms. North Korean hackers have stolen billions from cryptocurrency companies in recent years, according to security researchers and government organizations.

The United States, Japan and South Korea said in a joint statement this month that they were perturbed by North Korea illicitly funding its weapons of mass destruction program despite U.N. Security Council sanctions, including via hacking activities.


“We reiterate with concern that overseas DPRK IT workers continue using forged identities and nationalities to evade UNSC sanctions and earn income abroad that funds the DPRK’s unlawful WMD and ballistic missile programs,” the statement reads. “We are also deeply concerned about how the DPRK supports these programs by stealing and laundering funds as well as gathering information through malicious cyber activities.”

The keys

U.K. signals widespread abuse in cyber mercenary, spyware market

The United Kingdom’s National Cyber Security Center (NCSC) warned Wednesday that thousands of people are being targeted every year by threats stemming from hackers-for-hire and surveillance software, James Pearson and Raphael Satter report for Reuters.

According to a new report by the NCSC, the “mercenary hacking market was offering products that were on par with government hacking groups,” they write.

“There is another new front opening, as we see more and more adversaries able to buy and sell sophisticated cyber tools and spyware like Pegasus,” said British Cabinet Minister Oliver Dowden at an NCSC conference on Wednesday, referencing spyware made by Israel’s NSO Group.

Israeli outlet Haaretz reported Wednesday that the iPhone of an Israeli citizen was infected with Pegasus spyware twice in the past two years for unknown reasons.

Lawmakers and cybersecurity experts broadly approved a spyware executive order put out by the Biden administration last month. The United Kingdom was also among a group of U.S. allies that recently called for strict global controls against the proliferation of spyware.

Russian hackers adapt in attacks against Ukraine

Russia-linked threat actors are continuing to evolve as Moscow’s war against Ukraine continues, AJ Vicens reports for CyberScoop, citing research from Google.


Their tactics, which involve data extraction and attempts to influence public opinion about the war, include “promoting highly produced YouTube videos as well as more traditional phishing campaigns,” according to the story.

Nearly 60 percent of Russia-linked phishing campaigns are targeting Ukraine, according to Billy Leonard, a security engineer with the Google Threat Analysis Group. Leonard also said the ongoing cyber activity — from what are believed to be elite Russian and Belarusian hacking units — shows no signs of slowdown.

Google said that the Russian hacking group Sandworm has launched multiple hacking campaigns targeting the Ukrainian defense industry, the military and Ukr.net mail users in attempts to extract user credentials, the CyberScoop story reported.

Wired reporter suspended from Twitter after posting story on hacking of conservative commentator’s account

Twitter on Wednesday suspended the account of Wired reporter Dell Cameron after he shared his story about the hacking of conservative commentator Matt Walsh’s Twitter account.


The alleged hacker, who calls themselves Doomed, told Cameron that they hacked the account to “make funny tweets” and they decided to compromise the account because they felt like “stirring up some drama.” The hacker told Cameron that they were able to access the account after using a technique known as “SIM swapping” and with the help of an “insider.”

Accounts that use text messages for two-factor authentication are particularly vulnerable to SIM swapping. Twitter only allows users who pay for its Twitter Blue subscription service to use text-based authentication; however, other users can use apps to authenticate, which experts say are more secure than text messages.

On social media platform Mastodon, Cameron shared an email from Twitter stating that his account was suspended for “Violating our rules against distribution of hacked material.”

It’s not clear what specific rule Twitter is accusing Cameron of violating. Twitter didn’t respond to a request for comment on why Cameron’s account was suspended.

Walsh argued on Twitter that Cameron had “directly solicited stolen material from my phone.”

Wired managing editor Hemal Jhaveri said in a statement that Cameron’s story and Twitter feed didn’t have hacked materials, and that Wired, which is owned by Condé Nast, does “not believe his account violated Twitter’s policy.” Jhaveri asked for the account to be reinstated and called for an explanation:

“We have not received any further explanation from Twitter and our attempts to reach Twitter's press office were met with the customary poop emoji. We ask that the account be reinstated, and that Twitter provide an explanation.”

- WIRED Managing Editor, Hemal Jhaveri — WIRED (@WIRED) April 19, 2023


Daybook

George Washington University’s CyberMed DC Summit kicks off at 9 a.m.

The Information Technology Industry Council convenes its 2023 High-Performance Computing Summit at 10 a.m.

The Center for Strategic and International Studies holds an event titled “Does the U.S. Need a Cyber Force?” at 2 p.m.

Secure log off

Girl on the train 🚂 pic.twitter.com/SR25LuSzir — Zoë Crowther (@zoenora6) April 18, 2023

Thanks for reading. See you tomorrow.
