Blog entry by Les Bell

Les Bell
by Les Bell - Monday, 17 April 2023, 11:26 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Cozy Bear Targets NATO, EU in Cyberespionage Campaign

The Polish Military Counterintelligence Service and the CERT Polska team have reported a widespread cyber-espionage campaign targeting foreign ministries and diplomatic entities in NATO member states, the European Union and, to a lesser extent, Africa. Many of the TTP's observed are consistent with the previous activities of APT 29, a.k.a. Cozy Bear or Nobelium, which operates on behalf of the Russian SVR. However, this campaign, which is still ongoing, utilises new software tools.

In all observed cases, the threat actor utilised spear-phishing tactics, with emails carrying invitations to meetings or collaborative documents, apparently from the embassies of European countries. In each case, the email or attached document contained a link to a compromised website containing the ENVYSCOUT script, which uses HTML smuggling to decode a downloaded file to the victim's device. While previous APT 29 campaigns have used .ZIP or .ISO files to package the malware payload and avoid its being stamped with the Mark of the Web, this time .IMG files were also used. A variety of techniques were used to entice the user into running the malware - such as adding lots of spaces to the filename so that its .EXE filetype would not be visible.

https://www.gov.pl/photo/83244748-9f0d-44af-8169-eadc4e72fe92

The actor's tool delivery flow (Image: CERT.PL)

Three new tools were observed:

  • SNOWYAMBER – a tool first used in October 2022, abusing the Notion service to communicate and download further malicious files. Two versions of this tool have been observed.
  • HALFRIG – used for the first time in February 2023. This tool is distinguished from the others by the embedded code that runs the COBALT STRIKE tool.
  • QUARTERRIG – a tool first used in March 2023, sharing part of the code with HALFRIG. Two versions of this tool were observed.

SNOWYAMBER and QUARTERRIG are downloaders which perform some basic enumeration and, if the victim machine seemed to be of interest, download and run either Cobalt Strike or Brute Ratel. HALFRIG, however, is a loader which contains Cobalt Strike and runs it automatically.

The Polish Military Counterintelligence Service and CERT.PL recomend a number of configuration changes to defend against this and similar campaigns:

  • Blocking the ability to mount disk images on the file system. Most users doing office work have no need to download and use ISO or IMG files.
  • Monitoring of the mounting of disk image files by users with administrator roles.
  • Enabling and configuring Attack Surface Reduction Rules.
  • Configuring Software Restriction Policy and blocking the possibility of starting-up executable files from unusual locations (in particular: temporary directories, %localappdata% and subdirectories, external media).

gov.pl, Espionage campaign linked to Russian intelligence services, knowledge base article, 13 April 2023. Available online at https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services.

Australians Lose $A3.1 Billion to Scams

The latest Targeting Scams report from the Australian Competition and Consumer Commission has revealed that Australians lost a record $A3.1 billion to scams in 2022 - an 80% increase on the previous year. The report, which compiles data reported to the ACCC's Scamwatch, ReportCyber, the Australian Financial Crimes Exchange (AFCX), IDCARE and other government agencies, shows that the highest loss category was investment scams ($A1.5 billion) followed by remote access/tech support scams ($A229 million) and payment redirection scams ($A224 million).

The financial loss is only one dimension; since many victims lose significant amounts - their entire life savings, in some cases - they, their families and their businesses may suffer emotional distress and life disruption.

Although Scamwatch received a lower number of reports this year, the total financial losses increased significantly, with the average loss rising to almost $20,000. Scams are also increasingly difficult to detect, with more sophisticated tactics such as impersonating of official phone numbers, email addresses and websites to the insertion of scam texts in legitimate conversation threats.

ACCC, Targeting scams: Report of the ACCC on scams activity 2022, technical report, 17 April 2023. Available online at https://www.accc.gov.au/about-us/publications/serial-publications/targeting-scams-report-on-scams-activity/targeting-scams-report-of-the-accc-on-scams-activity-2022.

REvil Hacker Breaks Cover, Chats to Reporters

In an intriguing report produced by the Australian Broadcasting Corporation, journalists have chatted to a hacker who claims to be part of the REvil ransomware gang which is believed to be responsible for last year's Medibank data breach. Medibank refused to pay the demanded ransom, and in response the hackers released the medical records of around 2,000 people on their site.

The hacker, who uses the handle, "Kerasid", claims that "Australians are the most stupidest humans alive, and they have a lot of money for no reason  - alot of money and no sense at all". When a reporter messaged him, "The medibank hack caused distress to millions of Australians. Does this concern you? ", he replied, "I could not care less" and later stated, "it isn’t wrong in my eyes ".

The chat was part of an investigation undertaken by ABC current affairs program, Four Corners, the report from which will air on ABC TV tonight, 17 April 2023, at 8:32 PM AEST. (Four Corners episodes are often reposted on the ABC News In-depth YouTube channel, and we will post a link in due course.)

The history of the REvil and Conti ransomware gangs is long and murky - both groups appear to have fractured, with new groups inheriting parts of their code base and recruiting new affialiates and initial access brokers. The article, and the TV program, provide an insight into the groups' structures and operations.

Longbottom, Jessica, John Lyons and Jeanavive McGregor, Chatting with a hacker, ABC News, 17 April 2023. Available online at https://www.abc.net.au/news/2023-04-17/cybercrime-hacker-chats-about-medibank-revil-russia-ukraine/102179776.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags: