International Partners Release Malware Analysis Report on Infamous Chisel Mobile Malware

The United Kingdom’s National Cyber Security Centre (NCSC-UK), the United States’ Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI), New Zealand’s National Cyber Security Centre (NCSC-NZ), Canadian Centre for Cyber Security (CCCS), and the Australian Signals Directorate (ASD) published a joint Malware Analysis Report (MAR), on Infamous Chisel a new mobile malware targeting Android devices with capabilities to enable unauthorized access to compromised devices, scan files, monitor traffic, and periodically steal sensitive information.

Infamous Chisel mobile malware has been used in a malware campaign targeting Android devices in use by the Ukrainian military.

Infamous Chisel is a collection of components targeting Android devices and is attributed to Sandworm, the Russian Main Intelligence Directorate’s (GRU’s) Main Centre for Special Technologies, GTsST. The malware’s capability includes network monitoring, traffic collection, network backdoor access via The Onion Router (Tor) and Secure Shell (SSH), network scanning and Secure Copy Protocol (SCP) file transfer.

The authoring organizations urge users, network defenders, and stakeholders to review the malware analysis report for indicators of compromise (IOCs) and detection rules and signatures to determine system compromise. For more information about malware, see CISA’s Malware, Phishing, and Ransomware page. The joint MAR can also be read in full on the NCSC-UK website. Associated files relating to this report can also be accessed via the NCSC's Malware Analysis Reports page.

UK cyber chief: "AI should be developed with security at its core"

SECURITY must be the primary consideration for developers of artificial intelligence (AI) in order to prevent designing systems that are vulnerable to attack, the head of the UK’s cyber security agency (NCSC) has today warned.

In a major speech, Lindy Cameron highlighted the importance of security being baked into AI systems as they are developed and not as an afterthought. She also emphasised the actions that need to be taken by developers to protect individuals, businesses, and the wider economy from inadequately secure products.

Her comments were delivered to an audience at the influential Chatham House Cyber 2023 conference, which sees leading experts gather to discuss the role of cyber security in the global economy and the collaboration required to deliver an open and secure internet.

She said:

“We cannot rely on our ability to retro-fit security into the technology in the years to come nor expect individual users to solely carry the burden of risk. We have to build in security as a core requirement as we develop the technology.

“Like our US counterparts and all of the Five Eyes security alliance, we advocate a ‘secure by design’ approach where vendors take more responsibility for embedding cyber security into their technologies, and their supply chains, from the outset. This will help society and organisations realise the benefits of AI advances but also help to build trust that AI is safe and secure to use.

“We know, from experience, that security can often be a secondary consideration when the pace of development is high.

“AI developers must predict possible attacks and identify ways to mitigate them. Failure to do so will risk designing vulnerabilities into future AI systems.”

The UK is a global leader in AI and has an AI sector that contributes £3.7 billion to the economy and employs 50,000 people. It will host the first ever summit on global AI Safety later this year to drive targeted, rapid, international action to develop the international guardrails needed for safe and responsible development of AI.

Reflecting on the National Cyber Security Centre’s role in helping to secure advancements in AI, she highlighted three key themes that her organisation is focused on. The first of these is to support organisations to understand the associated threats and how to mitigate against them. She said:

“It’s vital that people and organisations using these technologies understand the cyber security risks – many of which are novel.

“For example, machine learning creates an entirely new category of attack: adversarial attacks. As machine learning is so heavily reliant on the data used for the training, if that data is manipulated, it creates potential for certain inputs to result in unintended behaviour, which adversaries can then exploit.

“And LLMs pose entirely different challenges. For example - an organisation's intellectual property or sensitive data may be at risk if their staff start submitting confidential information into LLM prompts.”

The second key theme Ms Cameron discussed was the need to maximise the benefits of AI to the cyber defence community. On the third, she emphasised the importance of understanding how our adversaries – whether they are hostile states or cyber criminals – are using AI and how they can be disrupted. She said:

“We can be in no doubt that our adversaries will be seeking to exploit this new technology to enhance and advance their existing tradecraft.

“LLMs also present a significant opportunity for states and cyber criminals too. They lower barriers to entry for some attacks. For example, they make writing convincing spear-phishing emails much easier for foreign nationals without strong linguistic skills.”

Cyber Agencies and Allies Partner to Identify Russian Snake Malware Infrastructure Worldwide

The National Security Agency (NSA) and several partner agencies have identified infrastructure for Snake malware—a sophisticated Russian cyberespionage tool—in over 50 countries worldwide.

To assist network defenders in detecting Snake and any associated activity, the agencies are publicly releasing the joint Cybersecurity Advisory (CSA), “Hunting Russian Intelligence “Snake” Malware” today.

The agencies, which include the NSA, Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Cyber National Mission Force (CNMF), Canadian Cyber Security Centre (CCCS), United Kingdom National Cyber Security Centre (NCSC-UK), Australian Cyber Security Centre (ACSC), and New Zealand National Cyber Security Centre (NCSC-NZ) attribute Snake operations to a known unit within Center 16 of Russia’s Federal Security Service (FSB). The international coalition has identified Snake malware infrastructure across North America, South America, Europe, Africa, Asia, and Australia, including the United States and Russia.

“Russian government actors have used this tool for years for intelligence collection,” said Rob Joyce, NSA Director of Cybersecurity. “Snake infrastructure has spread around the world. The technical details will help many organizations find and shut down the malware globally.”

Malicious cyber actors used Snake to access and exfiltrate sensitive international relations documents, as well as other diplomatic communications, through a victim in a North Atlantic Treaty Organization (NATO) country.

In the U.S., the FSB has victimized industries including education institutions, small businesses, and media organizations. Critical infrastructure sectors, such as local government, finance, manufacturing, and telecommunications, have also been impacted.

Typically, Snake malware is deployed to external-facing infrastructure nodes on a network. From there, it uses other tools, and techniques, tactics, and procedures (TTPs) on the internal network to conduct additional exploitation operations.

NCSC CEO delivers international speech on securing the Internet of Things and smart cities

The head of the UK’s National Cyber Security Centre, Lindy Cameron, has emphasised the importance of connected technologies being made secure by design in a speech at Singapore International Cyber Week.

Lindy Cameron said the growth of the Internet of Things (IoT) has brought benefits for consumers, enterprises and at a city level in connected places, but she highlighted that the associated risks must be managed now to stay ahead of cyber threats.

She outlined how the UK has developed a strong framework for managing the future security of the Internet of Things, including through new legislation, the adoption of international cyber security standards and developing ‘secure by design’ principles to help influence IoT at the design phase.

She called for swift, decisive and ongoing action to ensure connected devices are designed, built, deployed and managed with security as a first-class concern, to prevent malicious actors, improve national resilience and reap benefits of these emerging technologies

NCSC joins industry to offer unprecedented protection for public from scams

CITIZENS across the UK are set to benefit from a landmark partnership between government and industry which will see access to scam websites instantly blocked.

A new data sharing capability developed by the National Cyber Security Centre (NCSC) – a part of GCHQ – in collaboration with industry partners will present Internet Service Providers (ISPs) with real-time threat data that enables them to instantly block access to known fraudulent sites.

The new capability is being made available to all ISPs operating in the UK and will significantly bolster the nation’s ability to protect citizens from cyber criminals. In due course, even more defenders will be invited to join, including browser and manager service providers.

The NCSC has previously highlighted the problem of scam websites, including fake news pages where celebrities such as Ed Sheeran and Sir Richard Branson appear to be endorsing investment schemes that seek to trick people into parting with their money.

NCSC advises organisations to act following Russia’s attack on Ukraine

Following Russia’s unprovoked, premeditated attack on Ukraine, the National Cyber Security Centre continues to call upon on organisations in the UK, and beyond, to bolster their online defences.

The NCSC – which is a part of GCHQ – has urged organisations to follow its guidance on steps to take when the cyber threat is heightened.

While the NCSC is not aware of any current specific threats to UK organisations in relation to events in and around Ukraine, there has been an historical pattern of cyber attacks on Ukraine with international consequences.

The guidance encourages organisations to follow actionable steps that reduce the risk of falling victim to an attack.

For the NCSC Guidance visit https://www.ncsc.gov.uk/guidance/actions-to-take-when-the-cyber-threat-is-heightened

UK and US cyber security leaders meet to discuss shared threats and opportunities

National Cyber Security Centre CEO and Director of the US Cybersecurity and Infrastructure Security Agency met in London.

Top cyber security officials from the UK and US affirmed their commitment to tackling ransomware in their first official face-to-face engagement.

Lindy Cameron, CEO of the National Cyber Security Centre – a part of GCHQ – met with Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency to discuss their organisations’ priorities, including combatting ransomware.

During their bi-lateral meeting in London they reflected on the impact of ransomware attacks this year and the need for industry collaboration to complement government’s operational efforts against ransomware.

NCSC Chief Executive Lindy Cameron said:

“It was a pleasure to host Director Easterly for our first in-person bi-lateral meeting to discuss the critical issues in cyber security today.

“Ransomware is a serious and growing security threat that cuts across borders, and it is important for us to maintain a continuing dialogue with our closest ally to tackle it.”

The issue of gender diversity was also on the agenda, with both agreeing that more needed to be done to remove barriers to entry into the profession for women and girls.

They discussed the NCSC’s CyberFirst Girls Competition, which aims to get more girls interested in cyber through fun but challenging team events for teenagers, and CISA’s ongoing commitment to expanding opportunities for young women and girls to pursue careers in cyber security and technology and closing the gender gap that exists in these fields.

The two leaders also discussed government collaboration with industry, including the NCSC’s Industry 100 scheme and CISA’s Joint Cyber Defense Collaborative.

The Industry 100 scheme has integrated public and private sector talent in the UK to pool their knowledge to tackle key cyber security issues. The Joint Cyber Defense Collaborative has similarly bought American public and private sector entities together to unify crisis action planning and defend against threats to U.S. critical infrastructure.

UK and allies publish advice to fix global cyber vulnerabilities

Advice on countering the most publicly known—and often dated—software vulnerabilities has been published for private and public sector organisations worldwide.
The National Cyber Security Centre (NCSC), Cybersecurity and Infrastructure Security Agency (CISA), Australian Cyber Security Centre (ACSC), and Federal Bureau of Investigation (FBI) have published a joint advisory highlighting 30 vulnerabilities routinely exploited by cyber actors in 2020 and those being exploited in 2021.
In 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices. Today’s advisory lists the vendors, products, and CVEs, and recommends that organisations prioritise patching those listed.
NCSC Director for Operations, Paul Chichester, said:
“We are committed to working with allies to raise awareness of global cyber weaknesses – and present easily actionable solutions to mitigate them.
“The advisory published today puts the power in every organisation’s hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices.
“Working with our international partners, we will continue to raise awareness of the threats posed by those that seek to cause harm."
As well as alerting organisations to the threat, this advisory directs public and private sector partners to the support and resources available to mitigate and remediate these vulnerabilities.
Guidance for organisations on how to protect themselves in cyberspace can be found on the NCSC website. Our 10 Steps to Cyber Security collection provides a summary of advice for security and technical professionals.
On the mitigation of vulnerabilities, network defenders are encouraged to familiarise themselves with guidance on establishing an effective vulnerability management process. Elsewhere, the NCSC’s Early Warning Service also provides vulnerability and open port alerts.
CISA Executive Assistant Director for Cybersecurity, Eric Goldstein, said:
“Organisations that apply the best practices of cyber security, such as patching, can reduce their risk to cyber actors exploiting known vulnerabilities in their networks.
“Collaboration is a crucial part of CISA’s work and today we partnered with ACSC, NCSC and FBI to highlight cyber vulnerabilities that public and private organisations should prioritise for patching to minimise risk of being exploited by malicious actors.”
FBI Cyber Assistant Director, Bryan Vorndran, said:
“The FBI remains committed to sharing information with public and private organisations in an effort to prevent malicious cyber actors from exploiting vulnerabilities.
“We firmly believe that coordination and collaboration with our federal and private sector partners will ensure a safer cyber environment to decrease the opportunity for these actors to succeed.”
Head of the ACSC, Abigail Bradshaw CSC, said:
“This guidance will be valuable for enabling network defenders and organisations to lift collective defences against cyber threats.
“This advisory complements our advice available through cyber.gov.au and underscores the determination of the ACSC and our partner agencies to collaboratively combat malicious cyber activity.”

NCSC CEO warns that ransomware is key cyber threat

The chief of the UK’s National Cyber Security Centre said ransomware was the key threat facing the UK and urged the public and business to take it seriously.
Speaking virtually to an audience at the Royal United Services Institute (RUSI) Annual Security Lecture, Lindy Cameron warned of the “cumulative effect” of failing to properly deal with the rising threat.
She also revealed the threat faced by think tanks, noting that it is “almost certain” that the primary cyber threat they face is from nation state espionage groups, and it is highly likely that they seek to gain strategic insights into government policy and commercially sensitive information.
The CEO of the NCSC – which is a part of GCHQ – also warned that for the vast majority of UK citizens and organisations, the primary key threat is not state actors but cyber criminals.
She highlighted the importance of building organisational cyber resilience which, in combination with government capabilities and law enforcement action, is the most effective way to counter threats in cyberspace.
Lindy Cameron said:
“For most UK citizens and businesses, and indeed for the vast majority of critical national infrastructure providers and government service providers, the primary key threat is not state actors but cyber criminals, and in particular the threat of ransomware.
“While government is uniquely able to disrupt and deter our adversaries, it is network defenders in industry, and the steps that all organisations and citizens are taking that are protecting the UK from attacks, day in, day out.
“The protection they provide is crucial to the digital transformation of the economy, and every organisation, large and small, has a role to play.”
On the recent rise in ransomware attacks, Lindy Cameron noted that the ecosystem is evolving through the Ransomware as a Service (RaaS) model, whereby ransomware variants and commodity listings are available off the shelf for a one-off payment or a share of the profits.
As the RaaS model has become increasingly successful, with criminal groups securing significant ransom payments from large profitable businesses who cannot afford to lose their data to encryption or to suffer the down time while their services are offline, the market for ransomware has become increasingly “professional”.
Elsewhere, Lindy Cameron also set out the context of the Integrated Review and forthcoming cyber strategy, highlighting the need to better integrate our security, economic, technical, and diplomatic capabilities in support of shared national objectives.
She outlined how our allies and adversaries alike are betting on cyber, and that the UK needs to continue setting the pace.

NCSC's Early Warning service

Early Warning helps organisations investigate cyber attacks on their network by notifying them of malicious activity that has been detected in information feeds.
Early Warning is a free NCSC service designed to inform your organisation of potential cyber attacks on your network, as soon as possible. The service uses a variety of information feeds from the NCSC, trusted public, commercial and closed sources, which includes several privileged feeds which are not available elsewhere.
Early Warning filters millions of events that the NCSC receives every day and, using the IP and domain names you provide, correlates those which are relevant to your organisation into daily notifications for your nominated contacts via the Early Warning portal.
Organisations will receive the following high level types of alerts:
- Incident Notifications – This is activity that suggests an active compromise of your system.
For example: A host on your network has most likely been infected with a strain of malware.
- Network Abuse Events – This may be indicators that your assets have been associated with malicious or undesirable activity.
For example: A client on your network has been detected scanning the internet.
- Vulnerability and Open Port Alerts – These are indications of vulnerable services running on your network, or potentially undesired applications are exposed to the internet.
For example: You have a vulnerable application, or you have an exposed Elasticsearch service.
Cyber security researchers will often uncover malicious activity on the internet or discover weaknesses in organisations security controls, and release this information in information feeds. In addition, the NCSC or its partners may uncover information that is indicative of a cyber security compromise on a network. The NCSC will collate this information and use this data to alert your organisation about potential attacks on your network.
Full details at www.ncsc.gov.uk/information/early-warning-service
1 2