July 25, 2023

Happy Tuesday! Welcome back to Codebook.

  • πŸ‘‹πŸ» I've recently returned to Mastodon β€” come say hi if you're there!
  • πŸ“¬ Have thoughts, feedback or scoops to share? [email protected].

Today's newsletter is 1,433 words, a 5.5-minute read.

1 big thing: A hidden network for nation-state cyberattacks

Illustration: Annelise Capossela/Axios

An unknown nation-state appears to be laying the foundation for its next hacking campaign, but little is known yet about its motivations or who is at risk, security researchers tell Axios.

What's happening: Researchers at Infoblox released new details Tuesday about a malware campaign they're calling Decoy Dog that has all the characteristics of a potential espionage campaign.

  • Many of the suspicious domain names linked to the campaign resolve to Russian IP addresses, according to the report, but the researchers can't say with certainty that Russia is behind the activity.
  • Infoblox, which monitors Domain Name System (DNS) traffic for malicious activity, has so far uncovered only the campaign's underlying infrastructure.

Why it matters: Infoblox estimates that more than 100 devices are already infected with the Decoy Dog malware, and its researchers believe as many as four groups could be deploying it.

  • Those groups might not all be tied to the same nation-state either, Infoblox CEO Scott Harrell tells Axios.

What they're saying: "We've just seen more points of data that tell us this is something for the industry to watch and for the industry to do research on because clearly there's something going on, and the threat actor is continuing to evolve," Harrell says.

The big picture: Infoblox detected the malicious activity through old-school DNS monitoring rather than through the more common route of reverse engineering, in which researchers dissect a captured sample, such as a suspicious email attachment, for signs of malware.

  • DNS monitoring gives a bird's-eye view of activity across the entire internet, whereas endpoint malware detection tools only see a specific organization's network.
  • During its scans, Infoblox spotted a handful of domain names operating in "a very specific way" that raised suspicions. The company first detected signs of Decoy Dog back in March 2022.
  • Infoblox declined to disclose which organizations are affected and what kinds of devices have been infected, but a spokesperson says the company has discussed its findings with several security vendors and multiple government agencies.

Details: Decoy Dog is built on a modified version of Pupy, an open-source remote access tool, and those modifications help the malware disguise its activity.

  • Pupy, which is also used as a penetration-testing tool, lets an operator control a device remotely from anywhere, and it can evade detection by most antivirus products.
  • Decoy Dog extends that tool, changing which operating systems it supports and adding new command-and-control communication methods that help the malware keep long-term access to whatever device it's on.

Zoom out: Harrell tells Axios that Infoblox made a few changes to how it monitors DNS after the 2020 SolarWinds cyber-espionage campaign, which went undetected for more than a year.

  • Those changes helped Infoblox find the Decoy Dog campaign, he says.

Yes, but: It's still unclear how exactly the hackers are getting a foothold on these devices and who is behind the campaign.

The intrigue: After Infoblox last reported on Decoy Dog, the hackers quickly took down a few domains and changed their tactics to shake off the researchers.

  • Now, Infoblox hopes more organizations will use today's report to scan their systems for signs of Decoy Dog and help piece together who is behind it and how they are breaking in.
  • "To take the research further, we did want to see more people get involved and we wanted to get more awareness in the community," Harrell says.

Be smart: Infoblox's report includes a list of domain names tied to the campaign that network administrators can block now and check their DNS query logs against.
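What acting on such a list looks like in practice, and how DNS-level monitoring of the kind described above surfaces a suspicious domain in the first place, as an added example that is not code from Infoblox's report: the log lines, the indicator domain (known-bad.example) and the C2-style domain (c2-placeholder.test) are constructed placeholders, not published indicators; the tunnelling heuristic (many unique, high-entropy leftmost labels under one registered domain) is a generic one, not Infoblox's detection logic; and registered_domain is a naive two-label split, an assumption that would need a public-suffix list in production.

```python
"""Match DNS query logs against a domain blocklist, flag domains whose query
pattern looks like DNS-tunnelled command and control, and emit BIND RPZ lines.
Added illustration: log lines and domains are constructed, not real traffic."""
import math
from collections import defaultdict

# Constructed log lines (not real traffic): "<ts> <client> <qtype> <qname>".
SAMPLE_LOG = """\
2023-07-25T09:00:01Z 10.1.2.3 A www.example.org
2023-07-25T09:00:02Z 10.1.2.3 AAAA cdn.example.org
2023-07-25T09:00:03Z 10.1.2.3 A mail.example.org
2023-07-25T09:00:05Z 10.1.2.9 A 4e6d2a1c9f0b.s1.c2-placeholder.test
2023-07-25T09:00:06Z 10.1.2.9 A 0b7f8e3a11d2.s1.c2-placeholder.test
2023-07-25T09:00:07Z 10.1.2.9 A c93a7e55f1aa.s1.c2-placeholder.test
2023-07-25T09:00:08Z 10.1.2.9 TXT 7d10ee42b0c4.s1.c2-placeholder.test
2023-07-25T09:00:09Z 10.1.2.9 A e2f0a9c61b77.s1.c2-placeholder.test
2023-07-25T09:00:10Z 10.1.2.9 A 55bd3c8e0a19.s1.c2-placeholder.test
2023-07-25T09:00:12Z 10.1.2.14 A known-bad.example
2023-07-25T09:00:13Z 10.1.2.14 A a1b2c3.known-bad.example
"""

# Hypothetical indicator list standing in for a vendor's published domains.
BLOCKLIST = {"known-bad.example"}


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client, "qtype": qtype,
                        "qname": qname.lower().rstrip(".")})
    return records


def registered_domain(qname):
    """Naive two-label split (assumption: no public-suffix list, so names
    like host.example.co.uk would be mis-split; use a PSL in production)."""
    return ".".join(qname.split(".")[-2:])


def matches_blocklist(qname, blocklist):
    """True if qname equals a blocked domain or is any subdomain of one.
    Suffix matching matters: tunnelled C2 uses ever-changing subdomains."""
    return any(qname == d or qname.endswith("." + d) for d in blocklist)


def blocklist_hits(records, blocklist):
    return [r for r in records if matches_blocklist(r["qname"], blocklist)]


def shannon_entropy(s):
    """Bits of entropy per character of s; encoded data scores high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def tunnel_candidates(records, min_unique=5, min_entropy=3.0):
    """Group queries by registered domain and flag those with many distinct,
    high-entropy leftmost labels, the shape DNS-tunnelled C2 leaves behind."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[registered_domain(r["qname"])].append(r["qname"])
    flagged = {}
    for domain, names in by_domain.items():
        subs = {n[: -len(domain) - 1] for n in names if n != domain}
        if len(subs) < min_unique:
            continue
        leftmost = [s.split(".")[0] for s in subs]
        mean_entropy = sum(shannon_entropy(l) for l in leftmost) / len(leftmost)
        if mean_entropy >= min_entropy:
            flagged[domain] = {"unique_subdomains": len(subs),
                               "mean_label_entropy": round(mean_entropy, 2)}
    return flagged


def rpz_records(domains):
    """BIND response-policy-zone records that answer NXDOMAIN for each
    domain and for every name beneath it (CNAME . is the RPZ NXDOMAIN action)."""
    lines = []
    for d in sorted(domains):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in blocklist_hits(recs, BLOCKLIST):
        print("blocklist hit:", hit["client"], hit["qname"])
    suspects = tunnel_candidates(recs)
    for dom, stats in suspects.items():
        print("tunnel-like:", dom, stats)
    print("\n".join(rpz_records(BLOCKLIST | set(suspects))))
```

The blocklist match is a suffix match on purpose: blocking only the exact published names would miss the per-beacon subdomains a DNS-based implant generates. The heuristic is deliberately crude and will also fire on legitimate services that encode data in labels (some CDNs and anti-spam lookups do), so treat its output as a lead for the analyst, not as an automatic block.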

2. MOVEit breach fuels ransomware spree

Source: Corvus Insurance; Chart: Axios Visuals

The number of ransomware attacks more than doubled in June compared with the same month last year, fueled partly by a Russia-linked ransomware gang's exploitation of a flaw in the MOVEit file-transfer tool, new data suggests.

By the numbers: In June, 456 companies were listed as victims across various dark web extortion sites run by ransomware gangs, according to recent research from cyber insurer Corvus.

  • That's a roughly 180% increase from last June.

Why it matters: The summer months usually bring a brief reprieve because hackers take vacations too, but this summer is on track to be different.

The big picture: 93% of organizations believe the threat of ransomware has grown in 2023, and 45% say they've been a ransomware victim already this year, according to data released Tuesday by security firm Cohesity.

  • This year's bump in ransomware attacks is likely a rebound from the steep decline in attacks in 2022 that followed Russia's invasion of Ukraine, Jason Rebholz, CISO at Corvus, told Axios in an email.

The intrigue: Russia-linked ransomware gang Cl0p's mass exploitation of a security flaw in MOVEit Transfer (CVE-2023-34362) inflated Corvus' numbers.

  • Nearly 20% of the alleged June victims were associated with the MOVEit breach, according to the Corvus report.
  • However, even without Cl0p's campaign, the month still saw a 128% year-over-year increase in the number of victims.

Yes, but: Listings on dark web sites aren't always accurate, and they don't always tell the full story.

  • Ransomware gangs typically list a victim only after it fails to pay within a set period, so organizations that do pay never appear.
  • Gangs also tend to inflate or exaggerate their claims. Last month, the LockBit gang listed Taiwanese chipmaker TSMC on its leak site when it had actually hit one of the company's IT hardware suppliers.

3. Internet shutdowns' growing impact this year

Illustration: Annelise Capossela/Axios

An estimated 4.2 billion people around the world were affected by government internet restrictions during the first half of 2023, according to a new report by Surfshark, Axios' Jacob Knutson writes.

Why it matters: Governments have repeatedly used internet restrictions this year to stifle dissent, curtail human rights, manipulate elections and impose religious values on their populations.

By the numbers: Governments carried out 42 instances of digital suppression in the first half of the year, mostly by restricting access to social media platforms or by partially or fully shutting down the internet.

  • That's a 31% decrease in newly imposed disruptions from the same period in 2022, but it doesn't necessarily mean restrictions are on the decline.
  • Rather, the restrictions are becoming broader and affecting more people: the number of people hit by new restrictions rose from 2.08 billion in the first half of 2022 to 2.35 billion in the same period of 2023.
  • 30 of the new disruptions were triggered by public demonstrations, and 10 by other forms of political turmoil, such as the war in Sudan.
  • Facebook has been the most-targeted platform this year, with new restrictions in Ethiopia, Guinea, Senegal, Pakistan and Suriname, while Telegram, Instagram and YouTube each face new restrictions in four countries.

The big picture: The 2023 wave of new internet restrictions comes a year after dozens of countries signed a pact committing to keep the internet open and freely accessible.


4. Catch up quick

@ D.C.

🔎 The FBI improperly searched a database of communications collected under Section 702 of the Foreign Intelligence Surveillance Act for information about a U.S. senator and state officials, a federal surveillance court found. (Axios)

πŸ›οΈ The Justice Department is merging its cryptocurrency and computer crimes investigation units to better go after ransomware gangs. (SC Media)

🇳🇴 A dozen Norwegian government ministries were breached after hackers exploited a zero-day vulnerability in Ivanti Endpoint Manager Mobile, the company's mobile device management software. (TechCrunch)

@ Industry

👔 Only five Fortune 100 companies currently list a security professional on their website's executive leadership page. (Krebs on Security)

πŸ‘οΈ Sam Altman's iris-scanning crypto startup Worldcoin has started its global service rollout. (Reuters)

🍹 Alcohol sellers are turning to biometrics for age verification. (Axios)

@ Hackers and hacks

🚨 Chipmaker AMD is working on fixes for a newly disclosed flaw in its Zen 2 chips, including Ryzen and Epyc parts (CVE-2023-20593, dubbed Zenbleed), that could let attackers steal passwords, cryptographic keys and other secrets. (The Register)

🇰🇵 North Korea-backed hackers took advantage of an operational security mistake on JumpCloud's network to hack the company and target its crypto customers, researchers at Mandiant found. (BleepingComputer)

🚪 Researchers have uncovered a deliberate back door in TEA1, a secret encryption algorithm used in TETRA radio communications. (Wired)

5. 1 fun thing

Lola the cat ready for her next adventure. Photo: Sam Sabin/Axios

For those keeping track of my adventure cat tales: Lola's cat backpack has arrived, and she's loving it so far. 🎒

  • We took a short trip around our building the other day as a quick test, and I was shocked when she refused to leave her backpack after! 😎

β˜€οΈ See y'all on Friday!

Thanks to Scott Rosenberg for editing and Khalid Adad for copy editing this newsletter.

If you like Axios Codebook, spread the word.