Blog entry by Les Bell

by Les Bell - Friday, March 17, 2023, 3:31 PM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Cozy Bear Targets Ukraine Supporters with Infostealer

Yesterday we reported on a Microsoft Outlook vulnerability being exploited by the Russian GRU-affiliated group APT28, a.k.a. Fancy Bear. Today it's the turn of another Russian group: APT29, a.k.a. Cozy Bear or NOBELIUM, a group affiliated with the Foreign Intelligence Service (SVR) of the Russian Federation, which is now targeting European governments and diplomatic entities that are aiding Ukraine. You may recall them from such high-profile breaches as the US Democratic National Congress hack and their trojanning of the SolarWinds Orion network management software.

This time, they specifically targeted entities with an interest in the activities of the Polish Ministry of Foreign Affairs and especially the activities of the Polish Ambassador to the US, such as a talk he gave in early February to the Columbus School of Law at the Catholic University of America in Washington DC. They prepared for this campaign by creating HTML pages containing relevant lures on the web site of a library in El Salvador, and then used spearphishing to direct likely victims to those pages.

The HTML pages in turn dropped .ISO files which contained two files: a binary called BugSplatRc64.dll and a shortcut (.lnk) file which would invoke the DLL with the command line

C:\Windows\system32\rundll32.exe BugSplatRc64.dll,InitiateDs

When this runs, it copies BugSplatRc64.dll into the user's AppData directory and creates a new registry key to invoke it on boot, as a way of persisting. BugSplatRc64.dll is an infostealer; it first gathers basic information such as the user name and IP address which it then sends to the attacker's C2 server. From there, it connects to the C2 server every minute, checking for a payload which it will download and execute as shellcode within its process.

Interestingly, the C2 server uses the public API of the popular Notion note-taking software, making it hard to differentiate from legitimate traffic. This is a common technique of APT29; previously they have used the Trello API, only switching to Notion in late 2022.
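As an added example (not part of the original briefing or the BlackBerry report), the following Python sketches two defender-side checks for the behaviours described above: rundll32 loading a DLL by bare filename from a non-system working directory (the mounted-ISO plus .lnk pattern), and a process contacting a SaaS API host at a near-constant one-minute interval. The sample events, the hostname api.notion.com, the working directory E:\ and the thresholds are constructed or assumed for illustration.

```python
import re
import statistics
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): process-creation events.
PROC_EVENTS = [
    {"cmdline": r"C:\Windows\system32\rundll32.exe BugSplatRc64.dll,InitiateDs",
     "cwd": "E:\\"},                                   # assumed: mounted ISO
    {"cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
     "cwd": r"C:\Windows\system32"},                   # ordinary system use
]

# Constructed network events: (process, destination host, timestamp).
T0 = datetime(2023, 3, 14, 9, 0, 0)
NET_EVENTS = [("rundll32.exe", "api.notion.com", T0 + timedelta(seconds=60 * i))
              for i in range(6)]                       # fixed 60 s check-in
NET_EVENTS += [("chrome.exe", "api.notion.com", T0 + timedelta(seconds=s))
               for s in (5, 47, 230, 231, 900)]        # human, irregular

RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(\S+?),(\w+)", re.I)
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def suspicious_rundll32(event):
    """Return a reason string when rundll32 is given a DLL by bare filename
    (resolved relative to a non-system working directory), else None."""
    m = RUNDLL_RE.search(event["cmdline"])
    if not m:
        return None
    dll, export = m.groups()
    bare = "\\" not in dll and "/" not in dll
    if bare and not event["cwd"].lower().startswith(SYSTEM_DIRS):
        return f"rundll32 loads {dll}!{export} relative to {event['cwd']}"
    return None

def beacon_candidates(events, min_hits=5, max_jitter=5.0):
    """Group connections by (process, host) and report pairs whose
    inter-arrival times are near-constant, i.e. a periodic beacon."""
    by_pair = {}
    for proc, host, ts in events:
        by_pair.setdefault((proc, host), []).append(ts)
    hits = []
    for (proc, host), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if statistics.pstdev(gaps) <= max_jitter:
            hits.append((proc, host, round(statistics.mean(gaps))))
    return hits

if __name__ == "__main__":
    for ev in PROC_EVENTS:
        print(suspicious_rundll32(ev))
    print(beacon_candidates(NET_EVENTS))
```

Traffic to a legitimate API host cannot be blocked outright, so the second check relies on the regularity of the interval rather than the destination; a browser's irregular use of the same host is not flagged.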

Blackberry Research & Intelligence Team, NOBELIUM Uses Poland's Ambassador’s Visit to the U.S. to Target EU Governments Assisting Ukraine, blog post, 14 March 2023. Available online at https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine.

US DoJ, German Bundeskriminalamt Take Down Darknet Cryptocurrency Mixer

Despite popular belief to the contrary, cryptocurrencies such as Bitcoin do not provide complete anonymity; both police intelligence services and commercial forensics companies have developed techniques for tracking Bitcoin transactions to the destination wallets. Clearly, this poses a problem for cybercriminals such as ransomware groups, who want to use cryptocurrency as an untraceable form of international payment.

The solution has been so-called 'mixer' services, which run deposited Bitcoin (and other cryptocurrencies) through multiple rounds of transactions before depositing the total into a destination wallet, making it hard for analysts to trace in the process. Effectively, it's a highly randomized, automated form of money laundering.

Now, a coordinated operation between the US Department of Justice and the German Bundeskriminalamt has seen the seizure of two domains, a GitHub account, and the back-end servers of the ChipMixer service, along with over US$46 million in cryptocurrency. At the same time, Minh Quốc Nguyễn, 49, of Hanoi, Vietnam, was charged in Philadelphia with money laundering, operating an unlicensed money transmitting business and identity theft in connection with ChipMixer. If convicted, he faces a maximum of 40 years in jail.

Although ChipMixer had a domain on the public Internet, its main operation was a Tor hidden service which was used by a large criminal clientele to launder the proceeds of their crimes. Between August 2017 and March 2023, ChipMixer processed:

  • $17 million in bitcoin for criminals connected to approximately 37 ransomware strains, including Sodinokibi, Mamba and Suncrypt;
  • Over $700 million in bitcoin associated with wallets designated as stolen funds, including those related to heists by North Korean cyber actors from Axie Infinity’s Ronin Bridge and Harmony’s Horizon Bridge in 2022 and 2020, respectively;
  • More than $200 million in bitcoin associated either directly or through intermediaries with darknet markets, including more than $60 million in bitcoin processed on behalf of customers of Hydra Market, the largest and longest running darknet market in the world until its April 2022 shutdown by U.S. and German law enforcement;
  • More than $35 million in bitcoin associated either directly or through intermediaries with “fraud shops,” which are used by criminals to buy and sell stolen credit cards, hacked account credentials and data stolen through network intrusions; and
  • Bitcoin used by the Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center, military unit 26165 (aka APT 28) to purchase infrastructure for the Drovorub malware, which was first disclosed in a joint cybersecurity advisory released by the FBI and National Security Agency in August 2020.

"ChipMixer facilitated the laundering of cryptocurrency, specifically Bitcoin, on a vast international scale, abetting nefarious actors and criminals of all kinds in evading detection", said U.S. Attorney Jacqueline C. Romero for the Eastern District of Pennsylvania. "Platforms like ChipMixer, which are designed to conceal the sources and destinations of staggering amounts of criminal proceeds, undermine the public’s confidence in cryptocurrencies and blockchain technology. We thank all our partners at home and abroad for their hard work in this case. Together, we cannot and will not allow criminals’ exploitation of technology to threaten our national and economic security."

DoJ Office of Public Affairs, Justice Department Investigation Leads to Takedown of Darknet Cryptocurrency Mixer that Processed Over $3 Billion of Unlawful Transactions, news release, 15 March 2023. Available online at https://www.justice.gov/opa/pr/justice-department-investigation-leads-takedown-darknet-cryptocurrency-mixer-processed-over-3.

Ransomware Group Gives Up Encryption, Focuses on Exfiltration

A new report from Redacted details the recent operations of the BianLian ransomware gang. Like many such groups, they have used the ransom revenue from their activities to thrive, polishing their tactics and techniques and hitting ever more victims. However, there is a new twist in their operations.

Ransomware gangs used to simply encrypt the victims' files and hold them hostage until a ransom was paid, at which point they would release a decryption key to the victims. Over time, many if not most ransomware operators added a second string to their bow: exfiltrating data and threatening to release it publicly so as to embarrass the victim (or their customers or patients). This in part explains why they have singled out the healthcare sector for special attention. In other cases, they have ransomed identity information which can be sold to other cybercriminals for identity theft attacks.

Now BianLian have taken the obvious next step. Following the release (by Avast) of a decryption tool that would allow victims to recover their files, the group has decided to skip the encryption step and focus instead on extorting a payment in return for not releasing exfiltrated files. They have also invested more effort in research that allows them to tailor their threats to the victim, investigating relevant laws and regulations that might specifically apply.

The Redacted report contains a full analysis of tactics and techniques, as well as IOCs such as digest values, active and historical IP addresses and more.

Fievishohn, Lauren, Brad Pittack and Danny Quist, BianLian Ransomware Gang Continues to Evolve, blog post, 16 March 2023. Available online at https://redacted.com/blog/bianlian-ransomware-gang-continues-to-evolve/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
