Winter Vivern Hunting For Emails

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week: espionage group exploits a zero-day in Roundcube Webmail, Cloudflare records a surge in HTTP DDoS attacks, ZScaler detects a spike in IoT hacks, the International Criminal Court says its September cyber incident was espionage, CISA and HHS tout a “Cyber ToolKit,” an ex-NSA employee pleads guilty to attempting to sell secrets, and the Kansas court system still offline.

See Also: Revealing the Secrets of Synthetic Identity Fraud: Safeguarding Your Organization Amidst a Changing Threat Landscape

Eset discovered the Winter Vivern group exploiting a zero-day cross-site scripting vulnerability in the Roundcube Webmail server. The campaign targeted Roundcube servers of governmental entities and a think tank in Europe. Eset reported the vulnerability to the Roundcube team on Oct. 12 and a patch was released on Oct. 16.

Winter Vivern, tracked by Ukrainian cyber defenders as UAC-0114, is a well-known cyber-espionage group with a history of targeting European and central Asian governments since 2020. It has used initial access methods such as malicious documents, phishing websites and a custom PowerShell backdoor. The group, suspected of ties to Russia or Belarus, earlier this year targeted European and U.S. governments, including officials in Ukraine and Poland.

The newly exploited XSS vulnerability, identified as CVE-2023-5631, allows remote exploitation through a specially crafted email message. By injecting JavaScript code into victims’ Roundcube sessions, attackers could access and exfiltrate email messages.

Cloudflare reported a surge in hyper-volumetric HTTP/2 DDoS attacks during the third quarter of this year, including “one of the most sophisticated and persistent DDoS attack campaigns in recorded history.”

HTTP/2 Rapid Reset attacks used a vulnerability that emerged in late August allowing attackers to generate up to 5,000 times more traffic that previously. Rapid Reset attacks contributed to a 65% increase in HTTP DDoS attack traffic when compared to the previous three months, Cloudflare said. Gaming and gambling companies bore the brunt of the largest volume of HTTP DDoS traffic (see: Zero-Day Attacks Exploit ‘Rapid Reset’ Weakness in HTTP/2).

Malware attacks on Internet of Things devices skyrocketed by more 400% during the first half of this year compared to the same period last year, reported Zscaler on Tuesday.

The cybersecurity company attributes the spike to sustained activity from the Mirai and Gafgyt malware families. Mirai has been a thorn in cyber defenders’ side since 2016, especially since someone leaked its source code online, leading to update variants that continue to build bots out of IoT devices (see: Surging Condi Botnet Campaign Hits Unpatched TP-Link Routers).

Routers are still the IoT target of choice, ZScaler says, citing figures in its data showing that two thirds of IoT devices target the devices. “Routers are appealing IoT malware targets due to their central position in networks, continuous internet connectivity, widespread use of default credentials, and susceptible to firmware vulnerabilities.” That susceptibility persists despite years’ worth of warnings for users to update their routers – but then again, for most people routers are meant to be set and forget devices.

The International Criminal Court revealed additional details about a cyberattack it suffered five weeks ago, stating the incident was a targeted espionage operation. The coiurt, based The Hauge, Netherlands, first disclosed the attack in mid-September. The court made an attribution of the attackers. As of now, there’s no indication of data compromise.

The U.S. Cybersecurity Infrastructure and Security Agency says it took proactive measures in 2023 against ransomware, conducting “pre-ransomware notifications” for more than 65 U.S. healthcare organizations. In collaboration with the Department of Health and Human Services, these notifications aim to thwart malicious encryption and provide early warnings of potential attacks. CISA and HHS unveiled a comprehensive cybersecurity “toolkit,” merging resources like the updated Health Industry Cybersecurity Practices and the HPH Sector Cybersecurity Framework Implementation Guide. The toolkit also features CISA’s Cyber Hygiene Services, offering free vulnerability scanning and testing to enhance cyber resilience.

A recent report by NCC Group revealed an 86% increase in ransomware attacks on the healthcare sector in September, underlining the sector’s attractiveness to threat actors. The rise in attacks signals a persistent threat throughout 2023, particularly impacting pharmaceutical firms.

Former National Security Agency employee Jareh Sebastian Dalke pleaded guilty on Monday to attempting to sell classified national security information to Russia. Dalke, a 31-year-old army veteran from Colorado, could face up to a life sentence for providing information to an undercover FBI agent posing as a Russian operative. The sentencing is scheduled for April 26, 2024 and Dalke faces a maximum of life in prison.

The former information systems security designer sought to provide Russia with threat assessment of a third country’s military offensive capabilities and sensitive details on US defense capabilities. Federal prosecutors say that between August and September 2022, Dalke used an encrypted email account to transmit excerpts of three classified documents to an individual he believed to be a Russian agent – who was actually an FBI online covert employee.

He later arranged to meet the purposed Russian agent at Union Station in downtown Denver, where he transferred four files containing classified national defense information. Federal agents arrested him moments after he sent the files.

Kansas officials are still grappling with a computer outage that has crippled most of the state’s courts for two weeks, terming it a “security incident.” The disruption has forced attorneys to resort to traditional paper filings, hindering online record searches and causing a backlog of physical documents. The impacted courts are functioning at a reduced capacity, navigating the challenge of managing growing stacks of paper that will require eventual sorting and scanning.

With reporting from ISMG’s Marianne Kolbasuk McGee in the Boston exurbs.