China-backed hackers targeted White House journalists before January 6

Researchers at cybersecurity company Proofpoint said they have observed the China-backed advanced persistent threat group, TA412, also known as Zirconium, engaging in several reconnaissance phishing campaigns since early last year.

Proofpoint says it witnessed five separate phishing campaigns in January and February 2021 targeting U.S.-based journalists, notably those covering U.S. politics and national security. However, the researchers noted a “very abrupt shift in targeting of reconnaissance phishing” in the days leading up to the January 6 attack on the U.S. Capitol, with the hackers focusing on Washington D.C. and White House correspondents.

The China-backed hackers utilized subject lines pulled from recent U.S. news articles, such as “Jobless Benefits Run Out as Trump Resists Signing Relief Bill,” “US issues Russia threat to China,” and “Trump Call to Georgia Official Might Violate State and Federal Law,” according to the researchers.

Then, months later in August 2021, Zirconium turned its attention to journalists working on cybersecurity, surveillance, and privacy issues with a focus on China. The group resumed its activity in February 2022 following a months-long pause to target U.S.-based media organizations reporting on Russia’s then-anticipated invasion of Ukraine.

Proofpoint observed another China-backed threat group, known as TA459, targeting journalists and media personnel in late April 2022 with malware that, if opened, gave the attackers a backdoor to a victim’s machine. This campaign used a potentially compromised Pakistani government email address to send the emails and looked to entice victims with a lure on foreign policy in Afghanistan.

The researchers said they have seen a “sustained effort” by advanced threat groups around the world targeting or leveraging journalists, and found similar cyber-operations launched by state-sponsored hackers in North Korea, Turkey and Iran.

The North Korean-aligned TA404 hacking group, better known as Lazarus, was also active in targeting American journalists. The group, which was recently linked to the $100 million Harmony bridge theft, is said to have targeted a media organization with job opportunity-themed phishing after it published an article critical of North Korean leader Kim Jong-un. While Proofpoint did not see follow-up emails, its researchers note that the attack shares indicators of compromise with a North Korean campaign observed by Google threat researchers earlier this year.

In Turkey, a threat actor that Proofpoint tracks as TA482 and associates with the Turkish government was observed engaging in credential harvesting campaigns that targeted the social media accounts of mostly U.S.-based journalists and media organizations. The researchers also report that TA453, another hacking group that is believed to support Iran’s Islamic Revolutionary Guard Corps intelligence collection efforts, is masquerading as journalists before deploying credential harvesting malware.

Proofpoint said that while targeting journalists and media organizations is not novel, those operating in the media space should assess their level of risk. “If you report on China or North Korea or associated threat actors, you may become part of their collection requirements in the future,” the researchers warn.

Microsoft seizes domains used by Russian spies to target Ukraine

Microsoft has successfully seized domains used by APT28, a state-sponsored group operated by Russian military intelligence, to target institutions in Ukraine.

The tech giant said in a blog post on Thursday that Strontium — Microsoft’s moniker for APT28 or “Fancy Bear,” a hacking group linked to Russia’s GRU — used the domains to target multiple Ukrainian institutions, including media organizations, as well as government institutions and think tanks involved in foreign policy in the U.S. and Europe.

“We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information,” said Tom Burt, Microsoft’s vice president for customer security.

Microsoft says it obtained a court order on April 6 that authorized the company to take control of seven domains APT28 was using to carry out its cyberattacks. “We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications,” Burt added. “We have notified Ukraine’s government about the activity we detected and the action we’ve taken.”

This action is part of a wider Microsoft investigation into the Russian state-sponsored hacking group that started back in 2016. Microsoft has obtained several court decisions in recent years to seize infrastructure being used by APT28. To date, Microsoft has filed 15 other cases against the Russian-backed threat group, leading to the seizure of more than 100 malicious domains controlled by the Russian spies.

The Russia-backed hacker group has been active since at least 2009, targeting predominantly media, military, security organizations and governments worldwide, including a 2015 hack of the German federal parliament and an attack against the Democratic National Committee in 2016.

APT28 has also been linked to the recent cyberattack on U.S. satellite communications provider Viasat, an incident that triggered satellite service outages across central and eastern Europe. A recent SentinelOne report said the attack was likely the result of destructive wiper malware that shares similarities with the VPNFilter malware, which infected thousands of home and small business routers and network devices worldwide. In 2018, the FBI attributed the VPNFilter operation to APT28.

Microsoft’s Burt said that APT28’s attacks “are just a small part of the activity we have seen in Ukraine,” adding that the company has “observed nearly all of Russia’s nation-state actors engaged in the ongoing full-scale offensive against Ukraine’s government and critical infrastructure.”

Microsoft’s domain seizures land just days after the FBI said it has taken down a massive botnet also run by the GRU.

A CISO’s playbook for responding to zero-day exploits

SolarWinds, Colonial Pipeline, MSFT Exchange — these names have become synonymous with infamous cybersecurity events. We keep calling every new zero-day exploit a “wake-up call,” but all we have been doing is collectively hitting the snooze button.

But the discovery of the newest widespread critical vulnerability, Log4Shell, ruined the industry’s holiday season. It’s the biggest cybersecurity threat to emerge in years, thanks to the near ubiquity of Java in web applications and the popularity of the Log4j library. Due to its unprecedented scale, compounded by the fact that it is not easy to find, getting rid of this bug from your IT environment isn’t a “one-and-done” activity.

Security teams across the globe are once again racing to remediate a software flaw, even as attackers have begun targeting the low-hanging fruit — public web servers — at a recently reported rate of 100 attempts per minute. A mere seven days after its discovery, more than 1.8 million attacks had been detected against half of all corporate networks.

Are you awake now?

I’ve participated in many urgent Log4Shell briefings with Qualys customers (who include 19,000+ enterprises worldwide, 64% of Forbes Global 100), and it’s clear that dealing with a constant barrage of zero-day vulnerabilities is one of the greatest challenges faced by today’s security teams.

Just as with asset inventorying, gathering and analyzing threat intelligence is crucial to providing the foundation security teams need to take calculated and intentional steps.

It can be overwhelming to prioritize fixes and patches when responding to a zero-day exploit like Log4Shell. Here are a few steps to respond to security threats that we have learned and cataloged over the years:

Establish a standard operating procedure

Create a detailed standard operating procedure that includes step-by-step activities tailored to the vulnerability type.

For a zero-day response, the following information must be included:

  • A process flow for responses. If you need help, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has created an excellent guide.
  • A categorization of vulnerabilities by type, severity and required response time, with a specific category for critical zero-day vulnerabilities.
  • Pre-determined service-level agreements for each response team.
  • A procedure for declaring and communicating an incident (this could be a reference to the incident response standard operating procedure).
  • Steps for tracking, reporting and concluding the incident and returning to normal operations.

SOC Prime lands $11M Series A to become ‘Spotify for cyber threats’

SOC Prime, a Boston-based early-stage startup that claims to have built the world’s largest threat detection marketplace, has secured $11 million in Series A funding.

The company will use the investment, led by DNX Ventures with participation from Streamlined Ventures and Rembrandt Venture Partners, to scale and accelerate the adoption of its marketplace that allows researchers to monetize their threat detection code to help security teams defend against cyberattacks.

SOC Prime describes its Detection as Code platform as a “Spotify for cyber threats.” The platform curates threat detection content from nearly 400 researchers and allows you to pull it into your existing SIEM and XDR platforms. Currently, the platform is home to more than 130,000 detections aligned with the MITRE ATT&CK framework, a curated knowledge base of known adversary threats, tactics and techniques.

The company pays security researchers a bounty every time their content is used, and allows subscribers to rate the content to determine how big a payout they get. In September, researchers earned $700 on average, and the startup tells TechCrunch that top performers in the program earn over $20,000 annually.

With its Series A investment in the bank, the company plans to double the bounty size in the short-term, with plans to grow it by up to fivefold over the next 12 months.

“The power of the global threat hunting community is an untapped resource for security teams around the world,” said Andrii Bezverkhyi, founder and CEO of SOC Prime. “Our threat detection marketplace is fueled by the industry’s most diverse, bounty-driven threat hunting community, and we are committed to empowering them as they contribute timely, impactful detections that help organizations adopt a collaborative defense approach to more efficiently combat digital threats.”

SOC Prime was founded in 2015 by Bezverkhyi, alongside fellow Ukrainians Oleksandr Bredikhin and Ruslan Mikhalov, as a way to help organizations establish basic security practices and improve threat visibility in the face of a global talent shortage and alert fatigue, the startup tells TechCrunch.

In the last 12 months, the company grew its premium subscriber base by 50%, its monthly recurring revenue by 86% and its active customer base by 85%. Its customer base includes over 6,000 organizations using its freemium SaaS offering and over 70 paying customers, including enterprises, public sector organizations in the U.S. and EU, and security vendors.

The startup currently has over 80 employees in addition to the more than 300 vetted top threat researchers that create and monetize their threat detection code. By the end of 2022, the company plans to reach 140 employees and more than 900 vetted researchers.

Hiro Rio Maeda, managing partner at DNX Ventures, said: “Just like Netflix and Spotify changed the way that consumers access music and movies, we believe that SOC Prime will revolutionize the way that security teams access the threat detection content that is vital to defend their organizations.”

Microsoft says China-backed hackers are exploiting Exchange zero-days

Microsoft is warning customers that a new China state-sponsored threat actor is exploiting four previously undisclosed security flaws in Exchange Server, an enterprise email product built by the software giant.

The technology company said Tuesday that it believes the hacking group, which it calls Hafnium, tries to steal information from a broad range of U.S.-based organizations, including law firms and defense contractors, but also infectious disease researchers and policy think tanks.

Microsoft said Hafnium used the four newly discovered security vulnerabilities to break into Exchange email servers running on company networks, granting the attackers the ability to steal data from a victim’s organization — such as email accounts and address books — and to plant malware. When used together, the four vulnerabilities create an attack chain that can compromise vulnerable on-premises servers running Exchange 2013 and later.

Hafnium operates out of China, but uses servers located in the U.S. to launch its attacks, the company said. Microsoft said that Hafnium was the primary threat group it detected using these four new vulnerabilities. (An earlier version of Microsoft’s blog post incorrectly said Hafnium was the “only” group to exploit the vulnerabilities.)

Microsoft declined to say how many successful attacks it had seen, but described the number as “limited.”

Patches to fix those four security vulnerabilities are now out, a week earlier than the company’s typical patching schedule, usually reserved for the second Tuesday in each month.

“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,” said Tom Burt, Microsoft’s vice president for customer security.

The company said it has also briefed U.S. government agencies on its findings, but that the Hafnium attacks are not related to the SolarWinds-related espionage campaign against U.S. federal agencies. In the last days of the Trump administration, the National Security Agency and the FBI said that the SolarWinds campaign was “likely Russian in origin.”

Security decoy startup CounterCraft closes $5M Series A

Spain-based CounterCraft, which builds B2B tools for gathering counterintelligence on evolving security threats, has closed a $5M Series A. The all-cash round is led by Adara Ventures, with eCAPITAL and Red Eléctrica Group joining as new investors, and with participation from existing backers including Evolution Equity, ORZA and Wayra.

CounterCraft was founded back in 2015 with the aim of helping security chiefs take a more proactive defense stance. The founders went through Telefonica’s Wayra Madrid accelerator — and went on to raise a $1.1M seed round, back in 2016.

While its early focus was on the European market, the startup has expanded to serve clients across Western Europe and North America — with particular focus on national defense and intelligence departments, major financial institutions, and large enterprises.

We understand they have 20 customers at this stage. The new funding will be used to build out CounterCraft’s business in the U.S., per Adara Ventures.

Commenting on the Series A in a statement, Alberto Gomez, managing partner at the VC firm said: “We continue to be inspired by the combination of engineering ability and vision that CounterCraft has shown in defining a new category of defensive tool that responds to the current threat landscape. Nothing else we have seen effectively uses a Know-Your-Attacker stance to turn the tables on threat actors. We are now excited about CounterCraft’s prospects for expanding its presence with sophisticated, large clients in the U.S. and European markets.”

CounterCraft’s core product is what it bills as a “Threat Deception platform” — supporting its customers’ security function by contributing to three areas: threat detection, intelligence and response; and by using deceptive techniques as a lure to gather better intelligence on threats and attackers for a smarter response.

The platform offers a set of common use cases that can be automatically deployed without further configuration — including ‘Remote Worker Protection’, ‘Pre-Breach Activity’, ‘Sphere Phishing Response’ and ‘Lateral Movement’ — with the three strands of detection, intelligence and response covered for all use cases.

The platform is also designed to integrate with customers’ incident response workflows, and has the ability to reconfigure defensive systems in real time to mitigate risks from ongoing attacks.

CEO David Barroso notes, for example, that CounterCraft’s platform is fully integrated with the MITRE ATT&CK™ TTP classification project.

In terms of intelligence gathering, Barroso says the platform mines assets such as WiFi, SWIFT, email accounts and social media. “Uniquely, the platform can automatically convert this harvested data into active responses. This puts CISOs back in the driving seat when defending,” he added in a statement.

What you need to know about COVID-19-related cyberattacks

The COVID-19 outbreak has not only caused global disruption, it has also changed the cybersecurity threat landscape. We are observing changing patterns of behaviors from threat actors and noticing waves of coronavirus-related cyberattacks.

To be clear, this trend is not unique to the global pandemic. Hackers have typically preyed on victims shortly after disasters or high-profile events around the world. Over the course of my career, I tracked notable global disasters that have been used as lures, such as the 2004 Indian Ocean earthquake and tsunami, the mass shooting events in Las Vegas and the Zika virus outbreak. Malicious actors notoriously exploit human emotions for financial gain. Today, COVID-19 is not off-limits.

As threat actors continue adapting to exploit the coronavirus pandemic, the global workforce continues to change dramatically. With much of the world ordered to practice physical distancing, an unprecedented number of people are working remotely, many for the first time. Companies are rushing to provision laptops to employees with desktops, deploy collaborative software and implement VPN infrastructure to access internal tools. So, if you were a hacker, what would this opportunity look like for you?

Attack methods logically exploit changes in the global environment. Mass working over remote connections leads to mass remote login activity. Much of this activity comes from private, insecure machines, under user accounts that have never logged in remotely before — which makes remote login credentials an easy target for attackers.

Since Italy declared a state of emergency on January 31, 2020, information security professionals have recorded an escalation of cyberattacks in Italy reflecting this pattern. Breach protection company Cynet tracked a spike in phishing attacks in Italy over the last month, while countries not under quarantine saw no change in their volume of attacks.

Hackers are jumping on the COVID-19 pandemic to spread malware

If there’s one thing certain during a pandemic, it’s that hackers will use it for their own gain.

Don’t be too surprised. Every time there’s a major news story, a world event or even regular national events like tax preparation season, hackers jump at the chance to take advantage of the uptick in chatter to launch attacks against unsuspecting victims.

As it turns out, the COVID-19 pandemic isn’t any different.

Several cybersecurity firms are reporting an uptick in attacks against a range of targets, all using the ongoing COVID-19 pandemic as a hook to hoodwink their victims into running malware. It comes as large portions of the globe are on lockdown amid the outbreak of the coronavirus strain. The World Health Organization said as of Thursday’s situation report that the coronavirus has resulted in 125,000 confirmed cases and 4,613 deaths.

FireEye said it has seen an uptick in targeted spearphishing campaigns from hackers in China, North Korea and Russia, to deliver malware. Ben Read, a senior manager in FireEye’s intelligence analysis unit, said all of the campaigns it has witnessed have leveraged the coronavirus as a lure to compromise their victims’ computers.

Recorded Future has also observed a number of cybercriminals using the coronavirus to spread a number of different types of malware against targets in the U.S., Europe and Iran — three areas most affected by the COVID-19 outbreak outside of China, where the new coronavirus strain first emerged. The researchers found that some of these campaigns imitate “trusted” organizations like the World Health Organization and the U.S. Centers for Disease Control and Prevention to infect their victims.

And Check Point, which last month found a number of coronavirus-themed disinformation campaigns, now says it has found a new malware campaign leveraging the fear of the outbreak to surreptitiously install a powerful remote access trojan designed to take full control of a victim’s computer.

But researchers say that attackers aren’t just using the coronavirus as a cover for spreading malware.

Email security firm Agari told TechCrunch that it has evidence of what appears to be the first case of a coronavirus-themed business email compromise attack, designed to trick businesses into turning over money.

While Agari said it has seen several coronavirus-related emails used to deliver spam, steal credentials and infect victims with malware, the company said it has seen a threat group it calls Ancient Tortoise using spoofed emails in an effort to trick a victim company’s customers to pay an outstanding balance but to a different bank than usual, “due to the coronavirus outbreak.” The different bank is a mule account based in Hong Kong, said Agari researchers.

As governments and companies scramble to contain the pandemic, security researchers are trying to better understand and detect the current spike in malware. And as long as the threat from the coronavirus remains, so will the risk from hackers.

Is your startup protected against insider threats?

We’ve talked about securing your startup, the need to understand phishing risks and how not to handle a data breach. But we haven’t yet discussed one of the more damaging threats that all businesses large and small face: the insider threat.

The insider threat is exactly as it sounds — someone within your organization who has malicious intent. Your employees will be one of your biggest assets, but human beings are the weakest link in the security chain. Your staff are already in a privileged position — in the sense that they are in a place where they have access to far more than they would as an outsider. That means taking data, either maliciously or inadvertently, is easier for staff than it might be for a hacker.

“Organizations need to understand that the threats coming from inside their organizations are as critical as, if not more dangerous than, the threats coming from the outside,” said Stephanie Carruthers, a social engineering expert who serves as chief people hacker at IBM X-Force Red, a division of Big Blue that looks for breaches in IoT devices before — and after — they go to market.

Insider risks can become active threats for many reasons. Some individuals may become disgruntled, some want to blow the whistle on wrongdoing and others can be approached (or even manipulated) by career criminals over debts or other matters in their private life.

There are plenty of examples, many not too far back in recent history.

Microsoft says Iranian hackers targeted 2020 presidential candidate

Microsoft said it has found evidence that hackers associated with Iran have targeted a 2020 presidential candidate.

The tech giant’s security and trust chief confirmed the attack in a blog post, but the company would not say which candidate was the target.

The threat group, which Microsoft calls Phosphorus — also known as APT 35 — made more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers. These accounts, the company said, are “associated” with a presidential campaign, current and former U.S. government officials, journalists and prominent Iranians living outside the country.

“Four accounts were compromised as a result of these attempts; these four accounts were not associated with the U.S. presidential campaign or current and former U.S. government officials,” said Tom Burt, Microsoft’s vice president of customer security and trust.

The threat group tried to obtain access to secondary email accounts linked to a Microsoft account, which they would use as a way to break into the account, said Burt.

Some attacks involved gathering and targeting user phone numbers.

Burt said the attacks were “not technically sophisticated” but attempted to use a “significant amount of personal information” both to identify and attack the accounts.

This isn’t the first time Phosphorus has appeared on Microsoft’s radar. The tech giant sued the threat group, believed to be backed by Tehran, earlier this year to take control of several domains used by the hackers to launch watering hole attacks. The hacker group is also believed to be linked to former U.S. Air Force counterintelligence officer Monica Witt, who defected to Tehran in 2013 and is now wanted by the FBI for alleged espionage.

In previous campaigns, the hackers have targeted academics and journalists with spearphishing campaigns designed to look like Yahoo and Google login pages, which can also defeat two-factor authentication.

Microsoft said it’s made more than 800 notifications of attempted state-backed attacks against users who are protected by the tech giant’s account monitoring service aimed at political campaigns.