EclecticIQ Threat Research Team
October 11, 2021

The Analyst Prompt #37 Cryptocurrency Regulations; Dutch Info Sharing; New MS Vulnerability

Intelligence Research

Policy and Governance: China and the U.S. Take Big (But Very Different) Steps to Regulate Cryptocurrency

On 24 September, the People’s Bank of China issued a statement proclaiming all cryptocurrency transactions illegal in China. (4) Less than a week after the announcement crypto-related firms have begun shutting down business in mainland China. (5) China’s reason for the ban was to address “illegal financial activities” which “…seriously endangers the safety of people’s assets” (4), but some experts assess the very idea of a cryptocurrency went contrary to Beijing’s vision for a state-controlled economy. (6)

In a more targeted move, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) on 21 September announced sanctions against the cryptocurrency exchange SUEX “for its part in facilitating financial transactions for ransomware actors.” (7) The announcement explains the sanctions prevent U.S. citizens from doing business with SUEX and “block” any SUEX assets or property under U.S. jurisdiction. The Treasury also issued updated guidance on ‘potential sanctions risks for facilitating ransomware payments’ – which are not illegal but remain highly discouraged. (8)

These vastly different Chinese and U.S. actions illustrate the range of issues arising from increasing use of cryptocurrency, and the challenges governments face as they decide if and how to regulate crypto. The coming months will almost certainly bring more news of nations taking steps to regulate crypto in a way that they view as most beneficial– but these steps may be increasingly at odds with the actions or interest of other nation-states. These actions may also put governments at odds with threat actors who use cryptocurrency, including many successful ransomware gangs. EclecticIQ will watch for indicators that threat actors alter their modus operandi in reaction to sanctions and similar regulation.

Exploit Tools and Targets: Details Emerge About Backdoor FoggyWeb

Microsoft recently divulged more detail about a relatively new piece of malware exploiting MS systems called FoggyWeb. According to Microsoft, FoggyWeb is a persistent backdoor through which attackers can exfiltrate data from a compromised Active Directory Federated Services (AD FS) server, including token-signing and token-decryption certificates. FoggyWeb was first observed in April 2021 and has been used by the sophisticated Russian threat group NOBELIUM, which was behind the Sunburst backdoor used in the attack on SolarWinds. Microsoft’s primary advice to counter this threat is to secure AD FS servers. A list of known IOCs for FoggyWeb is available here. (9, 10)

More research on FoggyWeb is sure to be forthcoming in coming weeks, along with more information about who has been targeted via the FoggyWeb backdoor. For now, looking to the SolarWinds attack may give limited insight on the possible scope of the damage. Given the value of FoggyWeb and that the actor behind it is the highly skilled group NOBELIUM, it is likely that many victims of FoggyWeb have yet to be identified – or even realize they may be compromised. Those who have been compromised by this exploit are likely to be government targets or government partners and service providers, as well as companies who work in critical infrastructure or who work with unique intellectual property. Nonetheless, EclecticIQ recommends all cyber defenders review Microsoft's blog post for identifying and responding to a FoggyWeb breach.

New and Noteworthy: The Netherlands Announces an Industry-Led Cyber Threat Information Sharing Community

The Dutch business community is moving forward with plans to set up a cyber defense warning and information sharing network which can share threat data more quickly than established government-led procedures, according to a 29 September article by The Hauge Security Delta (HSD). (1) The new sharing network will enable anybody who identifies a vulnerability to report it in the system, which will trigger an alert to the targeted individual or that person’s internet provider. Prior to this initiative, threat information could be shared only via the Dutch National Cyber Security Center (NCSC). According to the director of Fox-IT, this new network is intended to complement the NCSC’s efforts, and to pass information quickly when the government cannot.

As cyber threats grow, non-governmental sharing networks will be increasingly helpful in identifying solutions to time-sensitive problems and in addressing issues outside the government’s purview. The degree of success for this group and others like it will be determined largely by the presence of strong leadership with clear vision, proper resourcing, and acceptance by the wider community as the venue for information sharing and problem solving. Also, the success of non-governmental networks can be amplified by effective partnership with government. The NCSC is leaning forward with its own efforts to improve cyber threat sharing, including establishing its own information sharing network, Secure Net (detail available here) and in setting up its own network of partnerships (see the NCSC’s website here). (2, 3) EclecticIQ sees both industry and government-led efforts as necessary and will continue supporting both government and industry partners to counter cyber threats.

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.

Appendix:

  1. https://www.thehaguesecuritydelta.com/news/newsitem/1951-dutch-business-community-start-their-own-alarm-system-against-hackers2
  2. https://emagazine.one-conference.nl/2021/secure-net-ncscs-partnership-for-rapid-and-safe-information-sharing/
  3. https://www.ncsc.nl/onderwerpen/samenwerkingspartner-worden
  4. https://www.bbc.com/news/technology-58678907
  5. https://www.reuters.com/technology/cryptocurrency-exchanges-rush-cut-ties-with-chinese-users-after-fresh-crackdown-2021-09-27/
  6. https://www.wired.com/story/chinas-sweeping-cryptocurrency-ban-inevitable/
  7. https://home.treasury.gov/news/press-releases/jy0364
  8. https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf
  9. https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
  10. https://www.theregister.com/2021/09/28/active_directory_foggyweb_malware/ 

Talk to one of our experts

Protect your organization with cutting-edge threat intelligence. Book your free demo today and explore how our products and services can help you meet your security needs.
Book a call
cta-footer
Book a demo