First, They Came for the Oil. Now it’s Just Bananas
There has been a rash of attacks affecting European critical infrastructure this week.
Dutch oil storage company Evos also suffered from “disruption of IT services” that caused delays in oil transfer at terminals in Terneuzen in the Netherlands, Ghent in Belgium and Malta, although this hasn’t been confirmed as ransomware (yet).
Port terminal operator SEA-Invest was also hit by a cyber-attack. A person in the fruit trade told Fresh Plaza that the incident was affecting supplies. “It’s complete chaos… banana supplies are already ten days behind schedule. All the fruit has to be removed from the containers manually. That all leads to very short ripening schedules and a lot of unease in the various links.”
This appears to be another ransomware incident — SEA-Invest recently appeared on Conti’s .onion site and security firm Secutec told Fresh Plaza the incident was caused by ransomware.
Aviation services company Swissport was also struck by ransomware, although this appears to be well contained.
⚠️ A part of #Swissport’s IT infrastructure was subject to a ransomware attack. The attack has been largely contained, and we are working actively to fully resolve the issue as quickly as possible. Swissport regrets any impact the incident has had on our service delivery.
— Swissport (@swissportNews) February 4, 2022
⚠️IT security incident at #Swissport contained. Affected infrastructure swiftly taken offline. Manual workarounds or fallback systems secured operation at all times. Full system clean-up and restoration now under way. We apologize for any inconvenience.
— Swissport (@swissportNews) February 5, 2022
Vodafone Portugal announced on Tuesday it suffered a “deliberate and malicious” cyber attack that took down all data services including “the 4G/5G network, fixed voice, television, SMS and voice/digital answering services”. We don’t have any further details on that one; it could be anything from a DDoS attack to a wiper campaign or ransomware.
These latest incidents come on top of earlier attacks we covered in early February. Two German companies – oil storage company Oiltanking and mineral oil trade company Mabanaft (both subsidiaries of the Marquard and Bahls energy and logistics group) – were hit by the BlackCat ransomware. Both companies declared force majeure, an inability to meet contracts because of unforeseen events, although to us it seems a bit rich to describe ransomware as unforeseeable or unlikely.
In a short statement the Dutch National Cyber Security Centre hosed down speculation that the attacks against the oil and chemical sectors were coordinated. “Based on our information, it’s not likely that these attacks are part of a coordinated campaign. It is probable that these attacks have been carried out with a criminal intent aimed at financial gain.”
This string of attacks comes despite Russian law enforcement ramping up its actions against cybercriminals. This week authorities there seized several cybercrime forums. Dmitry Volkov, the CEO of Russian cyber security firm Group-IB, told Cyberscoop “we have never seen that many takedowns of card shops and forums within such a short period of time”. This follows the mid-January arrests of 14 REvil ransomware group members and the administrator of the Unicc carding forum.
Even if we take increased Russian law enforcement activity at face value, more arrests don’t necessarily mean that ransomware crime will go away. The supply of cyber criminals may shrink as fewer are willing to risk arrest, but the crime is so lucrative that it is likely a considerable number will keep going, change their tactics and take steps to improve their OPSEC.
The United States government has been the most vocal about ransomware on the international stage, so another possible response from ransomware crews may be to avoid US-based targets. This may be why we’re seeing increased “big game” ransomware campaigns hitting European interests.
We think that ransomware is a serious enough problem that countries need holistic approaches that use all of the tools they have available: diplomacy, law enforcement, improved defences and even disruptive offensive cyber operations. The many nations within the EU make it harder to coordinate some of these approaches.
We Were Uncorrect
The US Internal Revenue Service has backed down from its plan to use the third party ID.me service to verify people’s identities using facial recognition technology. Two weeks ago we wrote that we expected we’d all have to use face verification systems to access government services, but it looks like citizen pushback has kiboshed these plans, at least for now.
Unfortunately, the terrible state of cyber security means that the semi-private information we have in the past used to verify our identity, such as addresses, birthdays, and phone or driver’s licence numbers, is readily available from data breaches. This makes these no-longer-sorta-secret details less useful for identity verification, and therefore makes faces and matching to photo ID relatively more important. Faces also have some additional benefits: they are harder to steal and harder to lose.
So there are good reasons to use facial verification technologies. But let’s be clear, the reason the IRS is stepping back is that citizens simply don’t trust the government, or the contracts it might enter into with private companies that do this sort of thing.
Webmail of the Damned
European governments and media organisations have been targeted by (probably) a Chinese APT group using a 0day for the Zimbra open source email platform. The group first ran a reconnaissance phase using innocuous and relatively generic emails to test whether accounts existed and whether their owners would open phishing emails. A second phase, aimed at the promising target accounts, involved a malicious email that launched a cross-site scripting attack in the victim’s webmail session, giving the attackers access to the contents of the mailbox.
Volexity, the company that discovered the campaign, believes it is Chinese because of the organisations and individuals targeted and the lack of any apparent financial motivation combined with indications that the attackers worked in China’s time zone.
State Department Weighs in on ICRC Hack
The State Department has warned about a recent hack of the International Committee of the Red Cross (ICRC) that stole personal data from more than half a million highly vulnerable people.
The stolen data related to the ICRC’s Restoring Family Links service, which aims to reconnect people separated by war, migration and violence. One theory is that this is the work of intelligence organisations looking to find potential terrorists from conflict areas. That is fair enough, perhaps, but another theory is that this is the work of people aiming to persecute certain displaced people. The State Department’s warning makes us worry it is the latter.
It is good to see the State Department being more active in cyber-related issues. It has offered significant rewards for ransomware crews, foreign election interference, attacks on US critical infrastructure and also for specific individuals in cybercrimes.
And although it was not a State Department event, the 30-nation White House Counter-Ransomware summit highlights the need for international cooperation to tackle cybercrime. Bring on the new Bureau of Cyberspace and Digital Policy.
$3.6bn of Stolen Cryptocurrency Seized. 3.6bn!!
USD$3.6bn of cryptocurrency was seized from Ilya Lichtenstein and Heather Morgan, a New York couple who have been arrested for allegedly laundering cryptocurrency stolen in a 2016 hack of the Bitfinex Bitcoin exchange.
The 120,000 Bitcoin stolen were worth about USD$71m at the time, but over the last five years the couple only transferred about 25,000 Bitcoin out of the wallet containing the stolen funds. Those Bitcoin appear to have gone through complex money laundering procedures, some of which involved the transfer of funds through dark markets, anonymity-enhanced cryptocurrencies, and even Walmart gift cards; the level of detail in the indictment is amazing. The remaining 94,000 Bitcoin were seized. It is not clear how the couple came to possess the stolen Bitcoin.
The wife, Heather Morgan, is a colourful character and describes herself as a “serial entrepreneur,” “rapper” and Forbes writer. A rap video of hers remains online and is truly awful. It’s just terrible. Click through, but only if you dare.
In other cryptocurrency news, more detail has emerged about an unrelated cryptocurrency theft we very briefly mentioned in last week’s newsletter, in which USD$322m was stolen by abusing a vulnerability in the Wormhole blockchain bridge. The attacker was able to mint wrapped ETH on the Solana blockchain without locking the corresponding ETH on the Ethereum side, which makes you wonder… who was the money stolen from? And who gets it if it is returned?
Alright. I figured out the Solana x Wormhole Bridge hack. ~300 million dollars worth of ETH drained out of the Wormhole Bridge on Ethereum. Here's how it happened.
— smartcontracts (@kelvinfichter) February 3, 2022
Well. That’s one way to Bypass a Paywall
Chinese state-linked hackers have been discovered breaching media organisations in the US, UK and Australia in two separate reports.
In the first, News Corp, owner of mastheads including The Wall Street Journal and The Times, reported that it has been hacked, likely by Chinese groups. News Corp says a “limited number” of email accounts were targeted across News Corp’s US and UK businesses and it appears only news-related properties were of interest to the hackers.
Separately, media reports say an Australian news organisation was also hacked by Chinese state-linked actors in December last year.
Interestingly, this attack used the Log4j vulnerability to gain initial access, via an affected vendor product, on the day the vulnerability was publicly announced.
News organisations are such large information clearing houses that it’s hard to know what the hackers’ specific interests were without knowing details about who or what they targeted.
An Excellent Piece from NBC’s Kevin Collier
A mid-December ransomware attack on Kronos, a major payroll company in the US, is still affecting workers’ pay (this piece is well worth reading). This is one example of how cyber security incentives don’t align correctly. Employers are fine, but workers suffer. It’s disgusting.
The Researchers are Revolting
The victim of a North Korean cyber espionage campaign targeting security researchers is striking back by launching attacks against North Korea’s internet infrastructure, apparently with some success. The anonymous man told Wired “it felt like the right thing to do here”.
MS Office internet macros were blocked, and there was much rejoicing
From April, some Microsoft Office applications, including Word, Excel and PowerPoint, will by default block macros in documents obtained from the internet. This will make it much harder for criminals to trick users into opening malware-laden Office documents: rather than clicking a single button to enable content, users will have to jump through many more hoops.
This is a significant security change by Microsoft.
We will see a dramatic reduction in malware infections through downloaded Office documents with malicious macros. https://t.co/L3gZbsUdST
— Lawrence Abrams (@LawrenceAbrams) February 7, 2022
Top NPM packages will have mandatory 2FA