State-Sponsored Spies Are Targeting Cisco Adaptive Security Appliances in Global Hacking Campaign


Samourai Wallet founders charged for criminal money-laundering, Election hackers shift focus to major players, Czech and Ukraine cops expose bank fraud gang, Pegasus used against hundreds in Poland, France seeks new sanctions to target Russian disinformation, Sweden faces a dry weekend due to liquor logistics firm attack, much more


Jon 'ShakataGaNai' Davis, CC BY-SA 3.0, via Wikimedia Commons

Cisco warned that its Adaptive Security Appliances, devices that integrate a firewall and VPN with other security features, had been targeted by state-sponsored spies who exploited two zero-day vulnerabilities in the networking giant's gear to compromise government targets globally in a hacking campaign Cisco calls ArcaneDoor.

The hackers behind the intrusions, which Cisco Talos calls UAT4356 and which Microsoft researchers who contributed to the investigation have named STORM-1849, couldn't be tied to any previous intrusion incidents the companies had tracked. However, based on the group's espionage focus and sophistication, Cisco says the hacking appeared state-sponsored.

Cisco declined to say which country it believed responsible for the intrusions, but sources say the campaign appears to be aligned with China's state interests.

The hacking campaign began as early as November 2023, with most intrusions taking place between December 2023 and early January 2024, when Cisco first learned of a victim. “The investigation that followed identified additional victims, all of which involved government networks globally,” the company said.

The hackers exploited two newly discovered vulnerabilities in Cisco's ASA software (tracked as CVE-2024-20353 and CVE-2024-20359) and deployed two custom implants on compromised appliances. The first, which Cisco Talos calls Line Dancer, is an in-memory implant that lets the hackers run their own code in the appliance's memory and issue commands to the device, including capturing network traffic and stealing data; because it lives only in memory, it does not survive a reboot on its own. The second, called Line Runner, is a persistent backdoor that lets the hackers' malware keep access to the target device even after it is rebooted or upgraded. It's unclear whether the vulnerabilities served as the initial access points to the victim networks or how the hackers might otherwise have gained access before exploiting the Cisco appliances.

Cisco has released software updates to patch both vulnerabilities and advises that customers implement them immediately, along with other recommendations for detecting whether they've been targeted.

A separate advisory from the UK's National Cyber Security Centre (NCSC) notes that physically unplugging an ASA device disrupts the hackers' access, although the Line Runner backdoor described above is designed to re-establish access after the device comes back up. (Andy Greenberg / Wired)

Related: Bleeping Computer, Ars Technica, PaymentSecurity.io, NCSC, Cisco Talos Blog, Cisco, Cisco, Security Affairs, CRN, The Record, Silicon Angle, The Register, Security Week, Security Affairs, r/cybersecurity, Help Net Security, Government of Canada, Slashdot, r/netsec, r/privacy, The Stack

Keonne Rodriguez and William Lonergan Hill, two founders of the Samourai Wallet crypto-mixing service, were charged by federal prosecutors with helping to launder $100 million in crime proceeds.

The pair were charged with a money laundering conspiracy and operating an unlicensed money-transmitting business from 2015 through February 2024.

During that time, Samourai was used to process $2 billion in anonymous financial transactions, providing a “haven for criminals to engage in large-scale money laundering and sanctions evasion,” US prosecutors said.

According to the indictment, Samourai laundered money from illegal dark web marketplaces, including Silk Road and Hydra Market, and various computer fraud schemes.

Rodriguez was arrested Wednesday morning and was expected to appear in federal court in western Pennsylvania by Thursday. Hill was arrested in Portugal. The government said that US authorities will seek his extradition.

Samourai helped prevent the tracing of funds through its “Whirlpool” service, a CoinJoin-style mixer that pooled and shuffled coins among many users. According to the government, it also disguised transactions through “Ricochet,” which added “hops,” or extra intermediate transactions, between the payer and recipient.

Samourai allegedly made $3.4 million in fees from Whirlpool and $1.1 million from Ricochet.

In coordination with law enforcement authorities in Iceland, Samourai’s web servers and domain (https://samourai.io/) were seized. Authorities also served a seizure warrant for Samourai’s mobile application on the Google Play Store. As a result, the application will no longer be available to be downloaded from the Google Play Store in the United States. (Bob Van Voris / Bloomberg and US Attorney’s Office)

Related: Coindesk, Axios, Bitcoin Magazine, Wall Street Journal, Decrypt, Cointelegraph, Blockworks, Bloomberg, Crypto Daily, Cryptonews, The Crypto Times, crypto.news, Cybernews, Bleeping Computer, The Record, Cryptoslate, Crypto Briefing, Bitcoinist, The Cyber Express, Forkast, The420

According to research by Mandiant and Google Cloud, foreign nations, criminal hacking groups, and other malicious actors looking to influence elections have dedicated fewer resources to directly targeting or hacking election infrastructure and have instead shifted toward attacking major players in the electoral ecosystem, such as campaigns, political parties, news outlets, and social media.

Attacks on voting machines and election systems, the hacking of political campaigns and election officials, and online information operations continue to pose threats to the integrity, or perceived integrity, of the democratic process.

The researchers’ report details how the threat landscape facing elections has become more complex and multifaceted over the past decade.

The rapid proliferation of machine learning systems has stoked fears that such technology will be used to manipulate elections, but the report cautions that it remains to be seen how newer threats, such as deepfakes and other forms of AI-generated disinformation, may impact elections and voter behavior.

The report concludes that unauthorized access or theft of data, hack-and-leak operations, and distributed denial of service attacks represent the most likely attack vectors for the 2024 elections. The likelihood of cyber-enabled vote tampering remains low but also has the greatest potential impact.

Based on observations from past election cycles, the report suggests that foreign intelligence services, domestic actors, and hacktivist groups are likely to combine multiple types of attacks for a more “layered” approach.

Mandiant believes Russia poses the greatest threat to upcoming US, UK, and Europe elections, with Moscow showing a willingness and intent to target and influence outcomes directly. China, Iran, and North Korea were all deemed more moderate threats primarily interested in cyber espionage and influence operations that spread favorable narratives about their own countries.

However, researchers say that reaching audiences through influence operations is now more difficult as democratic governments and technology companies have become more adept at spotting and exposing them. (Derek B. Johnson / Cyberscoop)

Related: Google Cloud, Tech Radar

Source: Google Cloud.

Law enforcement agencies in Czechia and Ukraine say they exposed a criminal gang whose members posed as bank officials to defraud people over the phone, sometimes through remote access software.

Nine people have been detained in Ukraine in the case. The call center for the operation was located in the port city of Odesa.

Members of the group allegedly posed as employees of the Czech National Bank. They told victims that their banking accounts had been compromised, persuading them to transfer funds to a purported “rescue account,” police said.

In some cases, the criminals tricked victims into installing software on their computers that granted access to their online banking. In other instances, the callers asked people to withdraw cash and hand it over to a bogus courier who was supposed to deliver it to a safe place.

Czech police said that between 2022 and 2023, the fraudsters made more than 150 calls, causing victims nearly 30 million Czech crowns ($1.2 million) in damages.

According to the Ukrainian police, the criminals converted funds obtained from illegal activities into cryptocurrency and used them to purchase luxurious cars and real estate, which were registered to friends and relatives.

Last week, over 100 police officers from Ukraine and Czechia conducted 23 searches in both countries and raided the gang's headquarters in the Ukrainian port city of Odesa. Of the nine detained people, one was the gang’s 40-year-old organizer.

Also among the detainees was a 50-year-old woman who initially worked as a fake operator and later became the main recruiter of new members from Czechia, according to the Czech police. She placed job advertisements, communicated with potential hires, trained them, and arranged their travel to Ukraine.

If found guilty, Ukrainian members of the gang can face up to 12 years in prison and the confiscation of their property. Others await extradition to the Czech Republic, where they can face up to 10 years in prison. (Daryna Antoniuk / The Record)

Related: Czech Republic Police

Poland’s prosecutor general, Adam Bodnar, told the parliament that Pegasus, the powerful spyware made by NSO Group, was used against hundreds of people, including elected officials, under Poland's previous government.

Bodnar told lawmakers that he found the scale of the surveillance “shocking and depressing.”

“It is sad for me that even in this room, I am speaking to people who were victims of this system,” Bodnar told the Sejm, the lower house of parliament.

Bodnar, who is also the justice minister, didn’t specify who exactly was subject to surveillance by the spyware. His office said the information was confidential.

Bodnar presented information that the prosecutor general’s office sent to the Sejm and Senate last week. The data showed that Pegasus was used in the cases of 578 people from 2017 to 2022 and that it was used by three separate government agencies: the Central Anticorruption Bureau, the Military Counterintelligence Service, and the Internal Security Agency.

The data show that it was used against six people in 2017, 100 in 2018, 140 in 2019, 161 in 2020, 162 in 2021, and then nine in 2022, when it stopped. (Vanessa Gera / Associated Press)

Related: Euronews


France is asking the European Union to set up a new sanctions regime to target Russian disinformation and election interference operations worldwide.

The proposal, backed by Estonia, Latvia, Lithuania, the Netherlands, and Poland, would allow the EU to strengthen sanctions against individuals and entities involved in Russian-sponsored destabilizing activities globally.

The draft proposal says that “destabilizing activities executed by Russia-related actors have increased everywhere in Europe as well – as the Russian regime has taken actions to undermine democracy, stability, and the rule of law through a variety of hybrid instruments.” (Alberto Nardelli and Jorge Valero / Bloomberg)

Related: The Record, The Guardian, Kyiv Post, EU Today

A ransomware attack on a Swedish logistics company, Skanlog, has prompted warnings from the country’s sole liquor retailer that its top shelves in stores around the country may be empty by the end of the week.

Skanlog is a critical distributor for Systembolaget, the Swedish government-owned retail chain with a monopoly on selling beverages stronger than 3.5% alcohol by volume.

Skanlog’s chief executive, Mona Zuko, told newspaper Dagens Industri that the incident was a ransomware attack from a group based in North Korea.

The logistics company is so important to Systembolaget that the company’s press officer, Teodor Almqvist, warned that certain beers, wines, spirits, and even paper bags could be sold out within a few days.

All beverage categories at all stores throughout the country are affected. Systembolaget said there was no risk of “total drying out” but that certain brands were likely to disappear until deliveries started arriving again. (Alexander Martin / The Record)

Related: Dagens Industri, Aftonbladet, Cybernews

Researchers at Kaspersky Lab report that a hacking operation labeled ToddyCat continues to steal “large volumes of data,” primarily from governmental targets in the Asia-Pacific region.

Kaspersky details the “tunneling” methods ToddyCat uses once inside a network, which include standing up reverse SSH tunnels, installing VPN software on compromised hosts, and routing traffic through legitimate cloud tunneling services so that the attackers' connections blend in with ordinary internet traffic.

The company does not attribute ToddyCat to any country or existing state-backed hacking group, but previous reports noted that targets included “high-profile entities in Europe and Asia” and digital infrastructure in Taiwan and Vietnam. Researchers at Check Point say that previous research ties ToddyCat to China.

Kaspersky says ToddyCat activity dates back to at least 2020 and says that lately, it has been stealing data “on an industrial scale.” (Daryna Antoniuk / The Record)

Related: Securelist, SC Magazine, Dark Reading

Source: Kaspersky.

Researchers at SlowMist report that the North Korean hacking group Lazarus is using LinkedIn to target vulnerable users and steal their assets via targeted malware attacks.

SlowMist revealed that Lazarus group hackers are pretending to look for jobs as blockchain developers in the cryptocurrency industry through LinkedIn.

According to SlowMist, the attackers, posing as job candidates, invite targets to access a code repository and run its code; the snippets contain malicious code that steals credentials, confidential information, and crypto assets. (Prashant Jha / Cointelegraph)

Related: Daily Coin, Coinpedia, The Crypto Times, Crypto News

In February, the anti-Donald Trump super PAC Lincoln Project lost $35,000 to a business email compromise (BEC) scam.

Spokesman Greg Minchak said, “A vendor’s email was hacked, with the hackers producing authentic-looking invoices sent from our vendor’s legitimate email account. The hack affected multiple clients of the vendor, including Lincoln Project.”

Two transactions were reported to the Federal Election Commission 12 days apart in February, one for $20,000 and one for $15,000, both of which Lincoln Project reported as “fraudulent” and “under dispute.” (James Reddick / The Record)

Related: FEC, The Independent, Raw Story

The action is part of a settlement following a complaint from May 2023 alleging that Ring failed to implement adequate security measures to protect the devices from unauthorized access. (Bill Toulas / Bleeping Computer)

Related: FTC, Consumer Affairs

President Biden’s re-election campaign plans to continue using TikTok for at least the next year, despite the president signing a law that would ban the social media platform nationwide if its China-based parent company doesn’t sell it in that time frame.

“A fragmented media environment requires us to show up and meet voters where they are — and that includes online,” a Biden campaign official said. “TikTok is one of many places we’re making sure our content is being seen by voters.”

The Biden campaign says it plans to use “every tool we have to reach young voters where they are” and has pledged to keep using “enhanced security measures.” (Monica Alba / NBC News)

Related: Gizmodo, Associated Press, The Intercept, The Hill

Meta-owned messaging app WhatsApp is introducing support for passkey verification on iOS, removing the need for users to deal with SMS one-time passcodes.

The iOS launch comes six months after WhatsApp introduced passkey support on Android. The company announced on Wednesday that the feature is rolling out now and will be available to all iOS users in the coming weeks.

Once enabled, iOS users can log back into WhatsApp with a passkey stored in Apple’s password manager, unlocking it with Face ID, Touch ID, or their device passcode. (Aisha Malik / TechCrunch)

Related: MacRumors, Engadget, The Verge, 9to5Mac, Neowin, Forbes, PhoneArena, Times of India, The Mac Observer, Tech Times, Android Authority, iClarified, Business Standard, Mashable India, India Today, Gadgets 360, Newsbytes, Mint

Zero trust endpoint security solution company ThreatLocker announced it had raised $115 million in a Series D venture funding round.

General Atlantic led the round, with participation from StepStone Group and the D. E. Shaw group. (Michael Novinson / Data Breach Today)

Related: CRN, Channel Futures, FinSMEs, The Business Journals

Security awareness training firm KnowBe4 announced plans to acquire Egress, a British late-stage startup that sells cloud email security technologies.

KnowBe4, which was itself acquired earlier this year in a $4.6 billion take-private transaction, said the merger will create “the largest, advanced AI-driven cybersecurity platform for managing human risk.”

The plan is to combine the Egress email security technologies with KnowBe4’s security awareness training and simulated phishing products to expand and find new corporate markets. (Ryan Naraine / Security Week)

Related: Computer Weekly, CRN, The Independent, Dark Reading, MSSP Alert, SC Magazine UK, FinSMEs, Computer Weekly, Techerati, GovInfoSecurity, The Business Journals, Channel Futures, Business Wire

Best Thing of the Day: Your Voice Is Not Your Password

According to digital fraud detection company BioCatch, the rise of voice cloning has convinced 91% of US banks to reconsider using voice verification for major customers.

Worst Thing of the Day: Cybersecurity Still a Man’s Game

According to a study by ISC2, just 4% of cybersecurity teams have a majority of women, and 11% completely lack any female representation at all, with women earning an average of $5,400 less per year than men.
