Vercara’s Open-Source Intelligence (OSINT) Report – April 5 – April 11, 2024


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. 

NOTE: Except where indicated, this report is released as TLP: CLEAR, and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

China allegedly targeting U.S. voters with AI-powered disinformation.

(TLP: CLEAR) On Monday, April 8th, Taiwanese coalitions unveiled the details of a sophisticated disinformation operation orchestrated by Chinese entities during Taiwan’s recent national elections. The elections, which concluded in January, marked a significant setback for Beijing following the triumph of a candidate favoring closer ties with the U.S. According to reporting, the disinformation strategy employed by the Chinese leveraged advanced generative artificial intelligence (AI) technologies. Reporting indicates that these technologies were used to manipulate videos and foster unrest within Taiwan, including the complete alteration of statements made by at least one U.S. Congress member. Furthermore, the disinformation campaigns orchestrated by Chinese actors during Taiwan’s recent national elections employed a series of sophisticated narratives aimed at undermining the United States. These narratives included false accusations that Washington was establishing biological laboratories in Taiwan and inciting conflict between Israel and Hamas in Gaza.

(TLP: CLEAR) Analyst Comments: The aforementioned disinformation efforts offer insights into China’s strategic attempts to influence public opinion during the U.S. presidential elections. Additional narratives disseminated by these groups portrayed the U.S. as an unreliable ally poised to forsake Taiwan, criticized American democracy as inauthentic, and accused the U.S. of instigating global turmoil. Reporting suggests that China also used generative AI to spread conspiracies about the CIA interfering in U.S. elections.

(TLP: CLEAR) Recommended Best Practices/Regulations: Request For Comment 9424 “Indicators of Compromise (IoCs) and Their Role in Attack Defense” Section 3.4.2: “Deployment: IoCs can be particularly effective at mitigating malicious activity when deployed in security controls with the broadest impact. This could be achieved by developers of security products or firewalls adding support for the distribution and consumption of IoCs directly to their products, without each user having to do it, thus addressing the threat for the whole user base at once in a machine-scalable and automated manner. This could also be achieved within an enterprise by ensuring those control points with the widest aperture (for example, enterprise-wide DNS resolvers) are able to act automatically based on IoC feeds.”

Protective DNS solutions incorporate a wide variety of IoC feeds to detect and block malware and other abuse at the network level for many users.

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 24 distinct detection engines to provide Defense in Depth against malware, phishing, and other abuses:

The Lists Engine allows UltraDDR customers to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.

The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.

The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.

The Ruleset Engine allows administrators to build custom rules that augment and extend the other engines of UltraDDR.

Source: https://www.wsj.com/politics/national-security/china-is-targeting-u-s-voters-and-taiwan-with-ai-powered-disinformation-34f59e21

Source: https://thehill.com/policy/international/4581889-chinas-ai-driven-election-meddling-in-taiwan-points-to-2024-risks-in-us/ 

CISA warns Russian Microsoft hackers targeted federal emails.

(TLP: CLEAR) The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently highlighted Russian government-sponsored hackers’ efforts to gain access to Microsoft’s email systems to conduct reconnaissance and intercept communications between U.S. officials and Microsoft. This revelation was part of an emergency directive issued by the U.S. regulatory body on Thursday, April 11, underscoring the severity of the security breach. In a previously issued advisory report, CISA cautioned that hackers were leveraging compromised authentication details obtained via email to attempt breaches into Microsoft’s customer systems, including those utilized by several government entities. Furthermore, this alert about government agencies being targeted through stolen Microsoft email credentials came in the wake of the company’s announcement in March. At that time, Microsoft disclosed ongoing struggles with a threat actor group it has dubbed “Midnight Blizzard.” This revelation sent shockwaves through the cybersecurity community and was soon followed by a report from the U.S. Cyber Safety Review Board. The board’s report, released last week, identified a separate, preventable hack attributed to China, criticizing Microsoft for significant cybersecurity shortcomings and a deliberate lack of transparency. CISA opted not to disclose the identities of potentially affected agencies. In response, Microsoft communicated via email that they are actively collaborating with their customers to conduct investigations and implement necessary mitigations. This effort includes partnering with CISA to enact an emergency directive aimed at offering strategic guidance to government agencies.

(TLP: CLEAR) Analyst Comments: This breach is indicative of the sophisticated strategies employed by state-sponsored actors, showcasing a shift towards more strategic, long-term infiltration tactics. The identification of state-sponsored actors behind these cyberattacks complicates international relations and highlights the need for a global consensus on norms and behaviors in cyberspace.

(TLP: CLEAR) Recommended Best Practices/Regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”.

One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by them.

Source: https://www.inforisktoday.com/cisa-warns-russian-microsoft-hackers-targeted-federal-emails-a-24831

US Health Dept warns hospitals of hackers targeting IT help desks.

(TLP: CLEAR) The Health Sector Cybersecurity Coordination Center (HC3) has issued a new advisory alerting to an uptick in social engineering attacks aimed at IT help desks within the healthcare industry. Significantly, these threat actors are employing a deceptive tactic by using local area codes when contacting IT help desks, masquerading as employees in financially sensitive positions, such as those in revenue cycle management or administrative roles. This strategy is intended to exploit trust and gain unauthorized access to sensitive information. Furthermore, to make the impersonation credible, the threat actors provide legitimate sensitive details such as the last four digits of the target employee’s Social Security number and corporate ID, alongside other personal information. According to HC3, this information is likely sourced from professional networking platforms and other publicly accessible databases, including records from previous data breaches. Once trust is established, the threat actor fakes a broken phone, claiming it has prevented them from logging in or receiving Multi-Factor Authentication (MFA) tokens. This ruse persuades IT help desk personnel to register a new device for MFA. According to observations by HC3, these tactics have enabled attackers to access corporate systems, specifically targeting login credentials for payer websites. In a noted instance, the attacker exploited this access to submit a form altering Automated Clearing House (ACH) settings for payer accounts, effectively rerouting funds to a foreign account under their control.

(TLP: CLEAR) Analyst Comments: At this time, the recent attacks have not been attributed to any specific threat actor. However, the Health Sector Cybersecurity Coordination Center (HC3) notes that the observed tactics, techniques, and procedures (TTPs) closely match those of Scattered Spider (also known as UNC3944), a group known for similar social engineering attacks in the entertainment sector in September 2023. While it is unclear if Scattered Spider is behind these latest incidents, their targeting of the healthcare sector aligns with a December 2023 directive from a BlackCat administrator.

(TLP: CLEAR) Recommended Best Practices/Regulations: Organizations in the health sector are advised to implement several measures to block attacks targeting their IT help desks. Firstly, they should require callbacks to verify the identities of employees requesting password resets and new MFA devices. Monitoring for suspicious ACH changes is also crucial. Additionally, it is recommended that all users with access to payer websites be revalidated. Supervisors should verify all such requests to further enhance security. Lastly, training help desk staff to identify and report social engineering techniques, as well as to verify callers’ identities thoroughly, is essential in mitigating these types of cybersecurity threats.

(TLP: CLEAR) Vercara: Vercara UltraDDR (DNS Detection and Response) filters internal DNS responses from users as well as machines using both defined categories including botnet C&C as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or ransomware detonation.

Source: https://www.bleepingcomputer.com/news/security/us-health-dept-warns-hospitals-of-hackers-targeting-it-help-desks/

10-year-old ‘RUBYCARP’ Romanian hacker group surfaces with botnet.

(TLP: CLEAR) A recent study has unveiled the extensive and sophisticated operations of the Romanian cyber threat group, ‘RUBYCARP’. Reporting has highlighted details of their decade-long involvement in cryptocurrency mining and advanced phishing tactics. RUBYCARP’s primary operational strategy involves the deployment of a robust botnet, utilizing a mix of public exploits and brute force attacks to perpetrate their activities, highlighting their technical prowess and persistent threat in the cyber landscape. Additionally, a key finding from the recent reporting reveals RUBYCARP’s deployment of an advanced script designed to simultaneously launch multiple cryptocurrency miners. This approach not only accelerates the attack process but also minimizes the risk of detection. The script, which predominantly targets XMRig/Monero miners, was previously hosted on the now-inactive domain “download[.]c3bash[.]org.” This strategy underscores RUBYCARP’s sophisticated methods in enhancing efficiency and stealth in its cyber operations.

(TLP: CLEAR) Analyst Comments: The aforementioned study accentuates RUBYCARP’s distinctive role in the creation and distribution of cyber weapons, a practice not commonly observed among threat actors. The report suggests a potential affiliation between RUBYCARP and groups such as ‘Outlaw APT,’ highlighting their collaboration in Perl Shellbot development and cyber weapon proliferation, which marks a significant evolution in cyber threat capabilities.

(TLP: CLEAR) Recommended Best Practices/Regulations: Cybersecurity & Infrastructure Security Agency, Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:

“Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depends on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attributes and tagging those associated with known DGA attributes, such as high entropy.”
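As an added example (not Vercara’s code, and not how UltraDDR is implemented), the Python sketch below shows the two mechanisms described in this report: the customer-supplied allow/block lists for FQDNs, domains and CIDR blocks and the one-click category feed from the UltraDDR engine list above, plus the entropy heuristic the CISA guidance describes for tagging DGA-looking names. The sample lists, the entropy threshold and the minimum label length are constructed assumptions to be tuned against real traffic.

```python
import ipaddress
import math
from collections import Counter
from typing import Optional, Tuple

# Constructed sample policy (all names and addresses are made up).
ALLOW_FQDNS = {"login.example-corp.com"}               # exact host match, wins first
BLOCK_FQDNS = {"update.example-corp.com"}              # exact host match only
BLOCK_DOMAINS = {"c3bash.org"}                         # the domain and every subdomain
BLOCK_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]  # resolved answers in this range
CATEGORY_FEED = {"botnet-c2": {"evil-c2.example.net"}}  # provider-supplied feed (sample)
ENABLED_CATEGORIES = {"botnet-c2"}                     # the "one click" category toggle

ENTROPY_THRESHOLD = 3.5   # bits per character; assumed value, tune on real traffic
MIN_LABEL_LEN = 10        # short labels carry too little signal to score


def shannon_entropy(text: str) -> float:
    """Bits per character of a label; random-looking DGA labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_dga(fqdn: str) -> bool:
    """Heuristic from the PDNS text: flag a registrable label with high entropy."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]   # e.g. "c3bash" in "download.c3bash.org"; no public-suffix handling
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD


def in_blocked_domain(name: str) -> bool:
    """True when name equals a blocked domain or sits beneath it."""
    return any(name == d or name.endswith("." + d) for d in BLOCK_DOMAINS)


def in_enabled_category(name: str) -> Optional[str]:
    """Return the first enabled category whose feed lists this exact name."""
    for cat in ENABLED_CATEGORIES:
        if name in CATEGORY_FEED.get(cat, set()):
            return cat
    return None


def decide(fqdn: str, answers=()) -> Tuple[str, str]:
    """Return (verdict, reason) for one query; engines are consulted in order.
    answers: resolved IP strings, checked against the customer CIDR block entries."""
    name = fqdn.lower().rstrip(".")
    if name in ALLOW_FQDNS:
        return "allow", "lists:allow"
    if name in BLOCK_FQDNS or in_blocked_domain(name):
        return "block", "lists:block"
    if any(ipaddress.ip_address(a) in net for a in answers for net in BLOCK_CIDRS):
        return "block", "lists:cidr"
    cat = in_enabled_category(name)
    if cat:
        return "block", "categories:" + cat
    if looks_like_dga(name):
        return "block", "dga:high-entropy"
    return "allow", "default"
```

Entropy alone misfires on long legitimate labels, which is why the list and category engines run before it and why any such verdict should feed an alert and review path rather than a silent block.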

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories, including botnet Command and Control (C2) as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation. 

Source: https://thehackernews.com/2024/04/10-year-old-rubycarp-romanian-hacker.html

Chinese threat actors deploy new TTPs to exploit Ivanti vulnerabilities.

(TLP: CLEAR) Recent reporting has unveiled advanced techniques employed by Chinese threat actors to conduct lateral movement after exploiting Ivanti vulnerabilities. In a detailed blog post dated April 4, researchers reported on the activities of five espionage groups with suspected ties to China. The analysis revealed that these groups have been exploiting a series of recent Ivanti vulnerabilities, specifically CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. Notably, one of the APT groups, identified as UNC5291, has been leveraging these vulnerabilities to strategically target the US Energy and Defense sectors. Additionally, the group tracked as UNC5291 is assessed to be linked to Volt Typhoon (UNC3236). This association is based on observed probing activities against the academic, energy, defense, and health sectors, which are consistent with Volt Typhoon’s historical interest in targeting critical infrastructure. It was also noted that financially motivated actors are exploiting these vulnerabilities. As of April 3, 2024, Ivanti has issued a comprehensive patch for all supported versions of Ivanti Connect Secure affected by recent vulnerabilities. This release addresses the diverse range of activities observed on vulnerable versions of Ivanti Connect Secure and other edge appliances. In response to these security challenges, Ivanti has also introduced a new external integrity checker tool designed to help detect ongoing threat actor activity on compromised systems.

(TLP: CLEAR) Analyst Comments: Threat actors with connections to China continue to employ custom malware and sophisticated evasion techniques, tailoring their attacks to exploit system vulnerabilities effectively. The recent surge in activity from state-sponsored Russian and Chinese hacking groups may correlate with this year’s U.S. presidential election, highlighting the strategic timing of their cyber operations. Additionally, organizations’ security policies should include routine reviews of all IT infrastructure, including applications, to ensure they are up to date with the latest security patches. Ivanti has also released patching guidance and instructions to help prevent further exploitation activity here: https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways

(TLP: CLEAR) Recommended Best Practices/Regulations: NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION  

“Control:  

“a. Implement [Selection (one or more): signature-based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;  

“b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;  

“c. Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and  

“d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.” 

NIST requires malware detection and prevention solutions. This can be on the device, as with anti-virus agents, but also can be augmented by Protective DNS provided by the network that the device is on or across the Internet. This provides defense-in-depth and support for devices such as Internet of Things (IoT) or some servers that cannot run an endpoint client. 

(TLP: CLEAR) Vercara: Vercara UltraWAF helps prevent common exploits of vulnerabilities in web applications that could lead to insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility.

UltraWAF includes a number of tools for managing both benign and malicious bots, including bot signatures and device fingerprinting. Vercara UltraDDR (DNS Detection and Response) filters internal DNS responses from users as well as machines using both defined categories including botnet C&C as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.

Source: https://www.infosecurity-magazine.com/news/chinese-threat-ttps-ivanti/

Source: https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement

IMF warns of cyber risks to financial sector.

(TLP: CLEAR) Recently, for the first time, the International Monetary Fund has included cybersecurity in its semiannual report on financial risks, recognizing the significant potential damage cyberattacks can inflict on the financial sector. It was noted that the financial repercussions of cyberattacks on banks and other companies have escalated in recent years and that even small-scale hacks can have severe consequences, underscoring the critical need for heightened security measures. Furthermore, according to the IMF report, while cyberattacks on financial institutions have not yet triggered systemic or widespread issues, the growing digitization, the absence of stringent regulatory frameworks, and occasionally lax corporate governance in cybersecurity are amplifying these risks. Additionally, according to a recent report by the Financial Services Information Sharing and Analysis Center (FS-ISAC), a nonprofit organization that promotes the exchange of cybersecurity information among financial institutions, denial-of-service attacks, which primarily disrupt websites and online applications, surged by 154% in 2023 compared to the previous year. These attacks, often considered low-level in terms of technical sophistication, pose significant operational challenges for banks and other financial institutions.

(TLP: CLEAR) Analyst Comments: Recent reports indicate that politically motivated hackers are chiefly responsible for a substantial rise in denial-of-service attacks aimed at banks and financial services firms worldwide. Initially, the Securities and Exchange Commission (SEC) proposed that companies be required to disclose the presence of cybersecurity expertise on their boards. However, this requirement was retracted in the final regulations. Now, companies are obligated to outline their board’s process for managing cyber risks.

(TLP: CLEAR) Recommended Best Practices/Regulations: NIST SP 800-53 Rev5 SC-5: “DENIAL-OF-SERVICE PROTECTION

“Control:  

“a. [Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and  

“b. Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event].” 

SC-5 requires that organizations perform risk management concerning the availability of IT systems and implement controls appropriate to the level of risk.

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.

Source: https://thehackernews.com/2024/03/apis-drive-majority-of-internet-traffic.html

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please visit our solutions overview page or contact us.
