Research from a collection of cybersecurity firms and authorities in the US, UK, and Australia was recently updated by Secureworks Counter Threat Unit researchers with details of attacks on an unnamed U.S. philanthropic organization in January 2022 and an unnamed U.S. local government in March 2022. Quoting CyberScoop: "The two incidents represent distinct clusters of activity within the Cobalt Mirage group. The researchers concluded that one focused on opportunistic ransomware attacks for financial gain, and the other worked on targeted intrusions seeking access and intelligence collection." The takeaway is that this well-known Iranian hacking group runs a substantial financially motivated line of activity alongside its intelligence collection.
REvil, too, is getting renewed attention: research from the same Secureworks team indicates it is re-emerging yet again.
Microsoft is warning about a new variant of the Sysrv botnet, which it calls Sysrv-K, that scans the internet for WordPress plugins with older vulnerabilities and for a recently disclosed remote code execution (RCE) flaw in Spring Cloud Gateway. The goal is to install cryptocurrency-mining malware on both Linux and Windows systems. The campaign is opportunistic: it relies on targets that have not patched Spring Cloud Gateway or updated (or removed) old WordPress plugins, so those two checks are the practical defense.
Researchers from the Technical University of Darmstadt in Germany have released details about an attack on iPhones that works while they are powered off, because specific wireless chips remain on in that state, including the Bluetooth chip. In their paper, the researchers showed that it is possible to load malware onto the Bluetooth chip. It is important to note that this research is primarily theoretical, and there is no evidence that the attack has been used in the wild. Also, as the researchers point out, an attacker would first need to compromise and jailbreak the iPhone to gain the access needed to tamper with the Bluetooth chip, which makes the technique largely redundant in most cases: an attacker at that level already controls the device. The researchers note that the Low-Power Mode implementation is a net positive overall, because it lets users locate lost or stolen phones even when they are off. Their key finding is the new threat model: a phone that is "off" is still running code that can be tampered with.
Why do we care?
My takeaway continues to be that the themes are consistent: cybercrime is about financial gain. We could go down the rabbit hole of nation-state actors, but we won't, because the practical advice there is simply that governments need to handle it. Feel strongly about nation-state protection? Vote for politicians who will fund it.
For providers and their customers, the motivating factor to consider is the attacker's financial gain. Again, vote for politicians who will impose the proper sanctions, but then take your own mitigation steps to limit the damage. Yes, the usual recommendations about two-factor authentication and backups apply, but more importantly, build security approaches that assume breach and minimize the gains to be had. That includes being prepared not to pay.