The Good, the Bad, and the Ugly in Cybersecurity – Week 31

The Good

The U.S. State Department is offering up to $10 million to people who offer tips that help law enforcement investigate and disrupt state-sponsored threat actor groups.

This week, the State Department’s official Rewards for Justice Twitter account announced an increase in reward money offered to people who come forward with information on members or individuals affiliated with state-sponsored threat groups. The tweet specifically called out Andariel, APT38, Bluenoroff, Guardians of Peace, Kimsuky, and Lazarus Group, as well as any groups that “are involved in targeting critical U.S. infrastructure in violation of the Computer Fraud and Abuse Act.”

These increases reflect the U.S. government’s growing scrutiny of North Korean state-sponsored threat actors, which have previously attacked cryptocurrency exchanges, financial institutions and, most recently, healthcare organizations. The State Department first issued a $5 million bounty for information that would disrupt North Korean cyber criminal activities in April 2020, before issuing another call to action in March 2022, when DPRK-sponsored threat actors launched a series of attacks to fund the North Korean government’s operations.

In light of other successful operations to disrupt international cyber criminals, it’s encouraging to see the U.S. government turn its attention to such notorious threat actors.

The Bad

On Tuesday, NetStandard, a Kansas-based MSP, suffered a cyber attack which forced the company to shut down its cloud-based services.

In an email to its customers, NetStandard disclosed that it had detected signs of a cyber attack in the environment for its MyAppsAnywhere cloud services, which include Hosted GP, Hosted CRM, Hosted Exchange, and Hosted SharePoint.

Although the email also assured MyAppsAnywhere customers that none of NetStandard’s other services were impacted at the time of publication, NetStandard’s website was temporarily shut down following the incident. After initially detecting signs of an attack, the NetStandard team shut down its MyAppsAnywhere services, opened an active incident bridge to stop the attackers from causing more damage, and immediately contacted its insurance provider to engage a third-party cybersecurity firm for remediation support and restoration of NetStandard’s services.

Since the initial disclosure, NetStandard has not provided public-facing updates to non-customers about the outages. However, security researchers believe that NetStandard was likely hit by ransomware, since ransomware operators such as the REvil gang have previously targeted MSPs to reach their client base. By compromising an MSP’s clients, threat actors can extort multiple targets at once, increasing both the money they gain and the damage they can cause.

MSPs play a valuable role in keeping small and medium-sized businesses up and running, and it’s incredibly unfortunate that threat actors are targeting providers like NetStandard to reach a large number of smaller businesses. As the U.S. government continues to warn MSPs that they are at risk, we encourage MSPs to adopt recommended best practices to secure their environments and their customer data.

The Ugly

A private sector offensive actor (PSOA) has uncovered and used multiple Windows zero-day exploits in targeted cyber attacks.

In a recent report, researchers from Microsoft’s MSTIC identified the actor behind a cluster of threat activity it tracks as ‘KNOTWEED’ as DSIRF, an Austria-based surveillance outfit that made the news for developing and selling Subzero, a malware toolkit that targets phones, computers and other internet-connected devices.

DSIRF, the report says, deployed Subzero in attacks targeting Microsoft customers in Europe and Central America, including banks, law firms, and strategic consultancies. In particular, DSIRF exploited CVE-2021-31199 and CVE-2021-31201, two Windows privilege escalation vulnerabilities, before they were patched in 2021. A third Windows privilege escalation vulnerability, later patched as CVE-2021-36948, was also used to drop Subzero malware. The researchers found that the attack chain involved a malicious DLL signed by ‘DSIRF GmbH’.
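A signed DLL is not a benign DLL: a valid Authenticode signature only tells you who signed the file, which is exactly why the signer subject is worth auditing. The following PowerShell script is an added example, not code from the original post or from Microsoft’s report. It walks a directory tree, reads each DLL’s Authenticode signature, and flags files whose signer subject contains a name of interest. The signer string ‘DSIRF GmbH’ is taken from the post; the function name, parameters, scan path and output shape are this example’s own assumptions.

```powershell
# Added example (not from the original post): audit the Authenticode signers of DLLs
# under a path and flag any whose signer Subject contains a name of interest.
# Assumptions: the flagged signer name ('DSIRF GmbH') is the one named in the post;
# the function name, parameters and scan path are this example's own.

function Get-DllSignerReport {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $FlagSubjects = @('DSIRF GmbH')   # substrings to flag in the signer Subject
    )

    Get-ChildItem -Path $Path -Filter '*.dll' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert    = $sig.SignerCertificate
            $subject = if ($cert) { $cert.Subject } else { $null }

            # A signature can be cryptographically Valid and still come from a signer
            # you do not expect; the Subject match catches that case.
            $flagged = $false
            if ($subject) {
                foreach ($s in $FlagSubjects) {
                    if ($subject -like "*$s*") { $flagged = $true }
                }
            }

            [pscustomobject]@{
                File       = $_.FullName
                Status     = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer     = $subject
                Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
                Flagged    = $flagged
            }
        }
}

# Usage: surface anything with an unexpected signer or a non-Valid signature for review.
Get-DllSignerReport -Path 'C:\Users' |
    Where-Object { $_.Flagged -or $_.Status -ne 'Valid' } |
    Format-Table File, Status, Signer, Flagged -AutoSize
```

In practice, the flag list is better expressed as an allowlist of the signers you expect in a given directory (your own vendors and Microsoft), with everything else reported; the substring match above is kept simple so the signer-versus-validity distinction is visible. Hash mismatches and NotTrusted results deserve the same attention as an unexpected but valid signer.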

Unlike other private sector offensive actors, DSIRF appears to run both access-as-a-service and hack-for-hire operations. In access-as-a-service, the actor sells full end-to-end hacking tools that the purchaser uses in its own operations, with the PSOA not involved in any targeting or running of the operation. In hack-for-hire, the purchaser provides detailed targeting information to the PSOA, which then runs the operation. Based on observed attacks and news reports, MSTIC believes that DSIRF may blend these models.

The private sector offensive actor space has been a cause for concern for some time now, with this just the latest of multiple cases coming to light of PSOA involvement in activity that goes far beyond their stated remit of assisting law enforcement agencies in pursuing terrorist or criminal enterprises. Attacks on civil rights campaigners, dissidents, journalists and legitimate political opponents are increasingly being supported or undertaken by PSOA products or personnel.