This is what they tell me cyberwar looks like.

Sure, the wording stinks, but it’s hard to find another description for the kinds of worm-like data-wiping attacks we’ve seen linked to kinetic war currently underway in Ukraine. Let’s try to catch up:

• ESET has done a fantastic job documenting the data-wiper attacks hitting Ukraine. The latest report discusses a second wiper with worm-spreading capabilities and even a ransomware smokescreen.
• Microsoft says it has seen evidence that civilian digital targets are being hit in the Ukraine attacks and says these “raise serious concerns under the Geneva Convention.”
• SentinelLabs follows up with its own report on the wiper and decoy ransomware component.
• Symantec says the disk-wiping attacks preceded the Russian invasion.
• The U.S. government’s cybersecurity agency CISA has released IOCs to help defenders hunt for signs of these destructive payloads.

Meanwhile, Iran and China…

Speaking of apex-level nation-state Malware activity, Symantec has found a super-stealthy backdoor linked to a Chinese APT actor first seen in 2012. The Symantec report on Daxin confirms the Chinese have invested in a command-and-control mechanism similar to Regin.

MIT Technology Review’s Patrick Howell O’Neill looked at the paper and concluded it was China’s work to build a one-of-a-kind cyber espionage behemoth to last.

The skinny: “While Beijing’s hackers were once known for simple smash-and-grab operations, the country is now among the best in the world thanks to a strategy of tightened control, big spending, and an infrastructure for feeding hacking tools to the government that is unlike anything else in the world.”

Separately, the U.S. government spent a part of the week warning that Iranian government sponsored threat actors continue to take aim at global government and commercial networks.

The staggering ransomware wealth transfer.

From vx-underground on Twitter (take with multiple grains of salt):

The Conti ransomware leaks have unveiled Conti’s primary Bitcoin address. From April 21st, 2017 – February 28th, 2022 Conti has received 65,498.197 BTC. That is 2,707,466,220.29 USD.

The Conti ransomware leaks have unveiled Conti's primary Bitcoin address.

From April 21st, 2017 – February 28th, 2022 Conti has received 65,498.197 BTC

That is 2,707,466,220.29 USD. pic.twitter.com/sUdRnkLsoo

— vx-underground (@vxunderground) February 28, 2022

In April last year, Emsisoft estimated that ransomware accounted for $74,632,036,933 moving from western countries to Russian criminal gangs.

Here’s another spicy Twitter thread on the Conti leaks suggesting links between Russian law enforcement and ransomware criminals.

Last year, we got an anonymous tip that "a global cyber crime group acting on an FSB order has hacked one of your contributors. The only thing they were interested on, was anything related to your @navalny investigation". We took enormous measures to upgrade our e-security (1/n)

— Christo Grozev (@christogrozev) February 28, 2022

Remember Log4Shell?

The SANS Internet Storm Center is reporting that attackers have lost interest in exploiting the Apache Log4j vulnerability. Here’s data from the ISC sensors:

Must-see research projects.

• BrokenPrint documents a pre-auth stack-based overflow vulnerability found and exploited in Netgear routers and modems.
• Stairwell’s Steve Miller on building a labeled malware corpus for YARA testing.
• Chinese security vendor Pangu Lab has published a 56-page technical report (PDF) showing its work researching Equation Group malware.

Hacking things.

• Researchers at Tel Aviv University expose the cryptographic design and implementation of Android’s Hardware-Backed Keystore in Samsung’s Galaxy S8, S9, S10, S20, and S21 flagship devices. The paper provides a detailed description of the cryptographic design and code structure, and severe design flaws.
• Wired’s Lily Hay Newman with a softball piece on Intel’s iSTARE, a team that looks for critical flaws before CPU chips to to production. (Non-paywall archive).
• Kolide’s Jason Meller asks: Is Grammarly a keylogger?

CISA and FBI Warning on HermeticWiper and WhisperGate

In a joint cybersecurity advisory, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) provide technical details about the WhisperGate and HermeticWiper malware strains that have been used against organizations in Ukraine. The advisory cautions that “Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries.” The advisory also includes a list of mitigations.

Note

• Spend 5 minutes hunting for the specific IOCs mentioned (file hashes and the like). The rest of the day: Try to understand the infection chain and verify how you would detect similar techniques in your environment. Look for gaps in visibility (host or network-based logging).
• Unlike other malware, focused on quietly stealing IP or PII, this kind of incident is a DR/BCP issue that requires strategic thinking about continuity (how do we keep payroll, AR/AP, logistics, sales going) and recovery (access offline backups and start restoring business processes). Backups and backup applications are themselves targets for destruction/encryption, unlike in other critical incidents, natural or of the cyber variety.
• Attacks targeting Ukraine have featured disk wipers of one form or another as far back as 2013. The issue here is that attacks are spilling over into other areas, not just including Ukrainian supporters, but also in response to attacks on behalf of Ukraine, such as Anonymous promises, so we all need to brush up on our mitigations to make sure nobody just checked the box. Add examining systems for atypical malware delivery paths, resiliency for common points of failure, such as your SAN or network switches, robust physical and logical access controls, active monitoring and response to your list of services to verify are up to the task at hand.
• We learned about similar disruptive attacks and how to mitigate them after the North Korean attack on Sony. Here we have another opportunity to learn and be prepared for future attacks. Kudos for an actionable advisory from CISA and FBI.

Read more in

• Destructive Malware Targeting Organizations in Ukraine
• CISA, FBI to US firms: prepare for Ukraine wipers
• CISA, FBI warn US orgs of WhisperGate and HermeticWiper malware
• CISA and FBI warn of potential data wiping attacks spillover

SpaceX Starlink Satellite Service is Now Active in Ukraine

In response to requests from Ukrainian leaders, SpaceX has activated its Starlink satellite service in Ukraine. The organization has also sent Starlink user terminals to Ukraine.

Note

• Starlink does provide high bandwidth connectivity, but in its current design still requires ground stations in the same region as the user. But Starlink’s ability to provide easy to use ad-hoc connectivity has proven to be invaluable during various disasters in the past. Some pointed out that the terminals may be located by their EM emissions. I am not sure how practical that is, but the terminal can also be placed some distance from the user.
• Starlink has about 2,200 satellites in low-earth-orbit and is designed as a high-bandwidth, low-latency alternative to broadband. The terminals arrived about 48 hours after Elon promised them for free to Ukrainian users who getting about 137mbps download speeds. When available, Starlink’s premium option will offer speeds between 150 and 500mbps download, with 20-40mbps upload speeds.
• Good stuff to help Ukraine is popping up as in this example.
• I have been testing the Starlink service and it is a game changer for areas that do not have reliable Internet service providers. The equipment only requires one power outlet meaning you can have Internet connectivity from a backup battery or generator even if the entire area is out of power.

Read more in

• Ukraine asks Musk for Starlink terminals as Russian invasion disrupts broadband
• Elon Musk activates Starlink to help keep Ukraine’s internet up and running
• Elon Musk says SpaceX’s Starlink satellites now active over Ukraine

Viasat Says European Broadband Outages Caused by Cyberattack

Satellite communications company Viasat says that a cyberattack has been causing broadband outages across eastern Europe. The attack appears to have begun on February 24. The investigation into the situation is ongoing.

Note

• In Germany, about 6,000 wind turbines lost connectivity. These wind turbines used Ka-SAT satellite connections and the event may be related to the Viasat outage. At this point, the root cause is unclear. Some reports also suspect a rogue firmware update to the turbines network equipment. But while satellite connectivity is less susceptible to ground based issues (see SpaceX story), it can be very difficult to recover if geographically dispersed systems like Wind turbines (or the satellite itself) are affected.
• This is a good time to investigate alternate or fail-over ISP options. If possible, have the secondary ready to go, including testing, prior to needing it. Determine what capabilities will operate over the fail-over connection to ensure that even with a change in bandwidth the business remains viable, for example the Starlink terminals in the Ukraine are getting 137mbps download speeds.
• Viasat is also a satellite provider, like Starlink. SpaceX should keep an eye on this attack and learn from the competitors.

Read more in

• Viasat says ‘cyber event’ is causing broadband outages across Europe
• Satellite giant Viasat probes suspected broadband cyberattack amid Russia fears

Toyota Suspends Operations at Multiple Plants Following Supply Chain Cyberattack

Toyota has halted operations at one-third of its factories after a supplier was reportedly hit with a cyberattack. Kojima Industries makes multiple vehicle components for Toyota. In all, Toyota has suspended operations at 14 plants. The company did not speculate about how long the downtime will last.

Note

• All our supply-chains have been very challenged as of late and hacking a key supplier doesn’t help it recover. In some cases you may have no alternative but to “stop and wait” for a supplier to recover. Examine backup sources, particularly for key suppliers, to include startup activities and make recorded decisions about the viability of utilizing them, and the associated processes.
• If corporate executives weren’t re-evaluating their Just-In-Time, zero inventory, single-point-of-failure supply chains for resilience, of the physical and digital (is there a difference anymore?), then perhaps it’s that time of the century.
• When reviewing incident response plans many organisations tend to focus their response based on their own company assets being compromised. However, in today’s interconnected world, it’s good practice to review your Incident Response and Business Continuity Plans to include the impacts incidents within your supply chain.
• This is not the first supply chain attack you have heard of. These are tougher to red team (play devil’s advocate) but with proper planning, you can tabletop and perform technical exercises to test, measure, and improve your resilience to supply chain attacks.

Read more in

• Toyota shuts down all Japanese production after supplier is hacked
• Toyota supplier reports cyberattack that halts production across Japan
• Toyota to Close Japan Plants After Suspected Cyberattack
• Toyota halts production after reported cyberattack on supplier
• Toyota suspends domestic factory operations after suspected cyber attack

HHS Office for Civil Rights Director Tells Healthcare Providers to Strengthen Cyber Posture

In a blog post, US Department of Health and Human Services Director for Office for Civil Rights (OCR) Lisa Pino urges all HIPAA-covered entities to improve their cyber posture in 2022. Pino notes that rather than focusing only on electronic health records (EHRs), “risk management strategies need to be comprehensive in scope. You should fully understand where all electronic protected health information (ePHI) exists across your organization – from software, to connected devices, legacy systems, and elsewhere across your network.” The post includes suggested best practices and additional guidance and resources.

Note

• Really no new information here, but the Director’s blog post does emphasize basic security hygiene and training/education. However, in emphasizing risks assessment, the post includes a link to the old HHS Security Risk Assessment application which expects the user of the tools to enter voluminous IT asset and vendor information and make an assessment of the likelihood of attack success and the impact of successful attacks. This old approach of multiplying two imaginary numbers to create a third imaginary number creates many pages of documentation but nothing useful in actually identifying or reducing critical risks.
• The last two years have put healthcare providers on notice for attacks. The trick is providing actionable guidance which is easy to consume. The HHS includes recommendations we should all be following irrespective of the data sensitivity, from knowing where your data is, making sure it’s securely backed up in an immutable form, judicious application of patches and updates, to relevant, updated, user training. They also include links to resources for more information which can help you deep dive when planning to address any of these recommendations.

Read more in

• Improving the Cybersecurity Posture of Healthcare in 2022
• OCR director urges providers to strengthen cyber posture, risk management

Zabbix Flaws Added to CISA’s Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added two Zabbix vulnerabilities to its Known Exploited Vulnerabilities catalog. Zabbix released fixes for the authentication bypass and improper access control vulnerabilities in December 2021. CISA has given federal civilian agencies until March 8 to install the patches.

Note

• If you’re using Zabbix with SAML SSO authentication enabled, you are potentially vulnerable. With the pressure to “MFA all the things” using SAML with an IDP which supports MFA, SSO, etc. across your organization is the easy button, but this also necessitates being on the lookout for security flaws in SAML implementations. This also means that mitigations such as disabling SAML authentication are not viable. In this case CVE-2022-23131, unsafe client-side session storage, has a CVSS score of 9.1, Zabbix has released patches, update to either 5.4.9rc2, 6.0beta1 or 6.0 (plan) as earlier patches didn’t fully address the issue.
• IT and cybersecurity tools can be exploited, especially when they’re approved and deemed safe. Monitoring with read rights is one thing, write is another… From the Zabbix page www.zabbix.com/features “Execute a script directly from a dashboard and remediate an issue or display additional information.”

Read more in

• Zabbix vulnerabilities added to CISA catalog
• CISA Adds Two Known Exploited Vulnerabilities to Catalog
• Unsafe client-side session storage leading to authentication bypass / instance takeover via Zabbix Frontend with configured SAML (CVE-2022-23131)

FCC Notice of Inquiry Seeks Comments on Border Gateway Protocol Security

In a Notice of Inquiry, the US Federal Communications Commission (FCC) says it is “seek[ing] comment on vulnerabilities threatening the security and integrity of the Border Gateway Protocol (BGP).” The notice says that “BGP’s initial design, which remains widely deployed today, does not include security features to ensure trust in the information that it is used to exchange.”

Note

• This should increase the support for updates to BGP, turning BGP best practices into requirements. If you’re wrestling with BGP security issues, take a moment to contribute. In the meantime, make sure you’re following best common practices with BGP to reduce risks of route hijacking or other disruptions.
• This talk by Wim Remes in 2015 is a good primer on BGP for security professionals.
  www.blackhat.com: Internet Plumbing for Security Professionals: The State of BGP Security (PDF)
  Video: youtu.be/po_9p6XxK2E
• Richard Clarke was complaining about BGP in the Clinton Administration.

Read more in

• FCC Launches Inquiry on Cyber Risks to Internet Routing Protocol

CISA Warns of SCADA Flaws in Schneider Products

The US Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory warning of multiple vulnerabilities affecting Schneider Electric’s Easergy medium voltage protection relays. The flaws could be exploited to cause denial-of-service conditions, reboot devices, disclose device credentials, or allow attackers to gain control of vulnerable devices. Schneider addressed the flaws in updates released on January 11, 2022.

Note

• Right now ICS systems are a prime target as attackers are focusing on disrupting services not only in the Ukraine, but also areas perceived to be supporting or of benefit to Ukraine. The flaws addressed include two classic buffer overflows (CVE-2022022725 and CVE-2022-22723) as well as hard coded credentials (CVE-2022-22722). Fix by applying the updates or at least disabling or restricting the GOOSE service. Additionally make sure that your ICS systems are isolated, not exposed to the Internet only communicating with authorized services and users. Scan all media before introduction to the isolated network, don’t allow remote access to directly terminate to the isolated network. Check the CISA alert for additional mitigations.

Read more in

• ICS Advisory (ICSA-22-055-03) Schneider Electric Easergy P5 and P3
• CISA Warns of High-Severity Flaws in Schneider and GE Digital’s SCADA Software

Microsoft Says FoxBlade Malware Infected Ukrainian Networks

In a blog post, Microsoft President and Vice-Chair Brad Smith writes that researchers with Microsoft Threat Intelligence Center recently detected cyberattacks using a new strain of malware, dubbed FoxBlade, against Ukrainian networks. Microsoft notified the Ukrainian government about the malware and offered technical advice. In the blog, Smith notes “These recent and ongoing cyberattacks have been precisely targeted, and we have not seen the use of the indiscriminate malware technology that spread across Ukraine’s economy and beyond its borders in the 2017 NotPetya attack.”

Note

• Microsoft has also decided to follow the EU’s decision to block Russian state sponsored disinformation outlets from their social networks, app store and search engine. Facebook, Instagram, YouTube and Tik Tok have taken similar steps. This is a complex area but as the disinformation attacks during the recent US presidential election show, those and other similar commercial services need to have the processes and capabilities to do this kind of filtering. Many legislative and regulatory efforts are underway to force them to do so, but as we have seen threats move faster and always will.
• Note RT is a brand of TV-Nososti, founded by the Russian state-owned news agency RIA Novosti. It is listed by Putin as one of the core organizations of strategic importance to Russia. FoxBlade allows systems to be used for a DDoS attack, unbeknownst to their owner. Microsoft Defender has been updated with signatures to detect and block FoxBlade. Make sure your endpoint protection solution includes these protections. Microsoft is also removing RT’s apps from their app store, blocking ads from RT and Sputnik sources and de-ranking their sites in Bing such that unless you’re explicitly looking for them they won’t appear in your search results.

Read more in

• Digital technology and the war in Ukraine
• Microsoft finds FoxBlade malware on Ukrainian systems, removes RT from Windows app store
• Microsoft: Ukraine hit with new FoxBlade malware hours before invasion

The post Cybersecurity and Infosec News Headlines Update on March 02, 2022 appeared first on PUPUWEB - Information Resource for Emerging Technology Trends and Cybersecurity.