This posting is here to collect cyber security news in February 2022.
I post links to security vulnerability news in the comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
American worldwide logistics and freight forwarding company Expeditors International shuts down global operations after cyber attack https://securityaffairs.co/wordpress/128268/hacking/expeditors-international-cyber-attack.html
American logistics and freight forwarding company Expeditors International was hit by a cyberattack over the weekend that paralyzed most of its operations worldwide.
Tomi Engdahl says:
Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers https://asec.ahnlab.com/en/31811/ The attacker or the malware usually scans port 1433 to check for MS-SQL servers open to the public. It then performs brute forcing or dictionary attacks against the admin account, a.k.a. the “sa” account, to attempt logging in. Even if the MS-SQL server is not open to the public, there are types such as Lemon Duck malware that scan port 1433 and spread for the purpose of lateral movement in the internal network.
Tomi Engdahl says:
Three new ICS threat groups discovered, one primed to disrupt energy targets https://www.scmagazine.com/analysis/apt/dragos-finds-three-new-ics-threat-groups-one-primed-to-disrupt-energy-targets
Dragos detailed three new threat groups targeting industrial control systems in its annual report, including one technologically adept group that seems to be scouting out potential disruptive attacks in the energy sector.
Tomi Engdahl says:
Chinese Experts Uncover Details of Equation Group’s Bvp47 Covert Hacking Tool https://thehackernews.com/2022/02/chinese-experts-uncover-details-of.html
Researchers from China’s Pangu Lab have disclosed details of a “top-tier” backdoor put to use by the Equation Group, an advanced persistent threat (APT) with alleged ties to the cyber-warfare intelligence-gathering unit of the U.S. National Security Agency (NSA).
Tomi Engdahl says:
(Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware https://www.mandiant.com/resources/unc2596-cuba-ransomware
In 2021, Mandiant observed some threat actors deploying ransomware increasingly shift to exploiting vulnerabilities as an initial infection vector. UNC2596, a threat actor that deploys COLDDRAW ransomware, publicly known as Cuba Ransomware, exemplifies this trend.
Tomi Engdahl says:
Security warning: Hackers are using this new malware to target firewall appliances https://www.zdnet.com/article/security-warning-hackers-are-using-this-new-malware-to-target-firewall-appliances/
NCSC, CISA, NSA and FBI issue warning over malware linked to Sandworm hacking group which targets firewalls and provides remote access to networks. [...] The cyber attacks are primarily focused on WatchGuard firewall devices, but the agencies warned that Sandworm is capable of re-purposing the malware to spread it via other architectures and firmware.
NCSC-UK writeup at https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter
Tomi Engdahl says:
Some Cisco firewalls may not receive security feed updates after March 5
https://therecord.media/some-cisco-firewalls-may-not-receive-security-feed-updates-after-march-5/
“The existing SSL certificate authority (CA) used to sign certificates for Talos security intelligence updates will be decommissioned and replaced on March 6, 2022,” the security vendor said in a field note this week. [...] To mitigate this issue, the American security company has published software updates that add support for the new Talos security feed infrastructure.
Tomi Engdahl says:
Entropy ransomware linked to Evil Corp’s Dridex malware https://www.bleepingcomputer.com/news/security/entropy-ransomware-linked-to-evil-corps-dridex-malware/
Analysis of the recently-emerged Entropy ransomware reveals code-level similarities with the general purpose Dridex malware that started as a banking trojan.
Tomi Engdahl says:
LockBit, Conti most active ransomware targeting industrial sector https://www.bleepingcomputer.com/news/security/lockbit-conti-most-active-ransomware-targeting-industrial-sector/
Ransomware attacks extended into the industrial sector last year to such a degree that this type of incident became the number one threat in the industrial sector.
Tomi Engdahl says:
Recent Cyberattacks Target Open-source Web Servers https://www.trendmicro.com/en_us/research/22/b/recent-cyberattacks-open-source-web-servers.html
Malicious actors take advantage of people’s reliance on web servers to perform attacks like remote code execution, access control bypass, denial of service, or even cyberjacking the victim servers to mine cryptocurrencies.
Tomi Engdahl says:
Devious phishing method bypasses MFA using remote access software https://www.bleepingcomputer.com/news/security/devious-phishing-method-bypasses-mfa-using-remote-access-software/
A devious, new phishing technique allows adversaries to bypass multi-factor authentication (MFA) by secretly having victims log into their accounts directly on attacker-controlled servers using the VNC screen sharing system.
Tomi Engdahl says:
PDC Discovered a Phishing Campaign that Spoofs Power BI Emails to Harvest Microsoft Credentials https://www.cysecurity.news/2022/02/pdc-discovered-phishing-campaign-that.html
The Cofense Phishing Defense Center (PDC) has discovered a new phishing effort that impersonates Power BI emails in order to steal Microsoft credentials. Power BI is a business intelligence-focused interactive data visualisation programme developed by Microsoft. It’s a component of the Microsoft Power Platform.
Tomi Engdahl says:
Samsung shipped ’100 million’ phones with flawed encryption https://www.theregister.com/2022/02/23/samsung_encryption_phones/
In all, the researchers estimate 100 million Samsung devices were vulnerable when they identified the encryption flaw last year.
However, they responsibly disclosed their findings to Samsung in May 2021, which led to the August 2021 assignment of CVE-2021-25444 to the vulnerability, and a patch for affected devices. [...] Samsung did not immediately respond to a request to confirm the researchers’ estimate of affected devices and to estimate how many affected devices, if any, remain unpatched.
However, Samsung failed to implement Keymaster TA properly in its Galaxy S8, S9, S10, S20, and S21 phones. The researchers reverse engineered the Keymaster app and showed they could conduct an Initialization Vector (IV) reuse attack to obtain the keys from the hardware-protected key blobs.
Tomi Engdahl says:
EU Activates Cyber Rapid Response Team Amid Ukraine Crisis
https://www.bankinfosecurity.com/eu-activates-cyber-rapid-response-team-amid-ukraine-crisis-a-18584
Amid rapid escalation in the Russia-Ukraine conflict derived from historical grievances and qualms with Ukraine’s plan to join the military alliance NATO, the world’s network defenders remain on high alert. And on Tuesday, the European Union confirmed that it will activate its elite cybersecurity team to assist Ukrainians if Russian cyberattacks occur.
UK alludes to retaliatory cyber-attacks on Russia https://therecord.media/uk-alludes-to-retaliatory-cyber-attacks-on-russia/
The UK government alluded yesterday that it might launch offensive cyber operations against Russia if the Kremlin attacks UK computer systems after an invasion of Ukraine.
Tomi Engdahl says:
HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
On February 23rd, the threat intelligence community began observing a new wiper malware sample circulating in Ukrainian organizations. Our analysis shows a signed driver is being used to deploy a wiper that targets Windows devices, manipulating the MBR resulting in subsequent boot failure. This blog includes the technical details of the wiper, dubbed HermeticWiper, and includes IOCs to allow organizations to stay protected from this attack. This sample is actively being used against Ukrainian organizations, and this blog will be updated as more information becomes available. Also:
https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
https://www.bleepingcomputer.com/news/security/new-data-wiping-malware-used-in-destructive-attacks-on-ukraine/
Tomi Engdahl says:
New Malware Capable of Controlling Social Media Accounts Infects 5,000+ Machines and is actively being Distributed via Gaming Applications on Microsoft's Official Store https://research.checkpoint.com/2022/new-malware-capable-of-controlling-social-media-accounts-infects-5000-machines-and-is-actively-being-distributed-via-gaming-applications-on-microsofts-official-store/
Check Point Research (CPR) has spotted new malware that is actively being distributed through Microsoft's official store. With over 5,000 machines already affected, the malware continually executes attacker commands, such as controlling social media accounts on Facebook, Google and SoundCloud. The malware can register new accounts, log in, comment on and like other posts.
Tomi Engdahl says:
Something strange is going on with Trickbot https://intel471.com/blog/trickbot-2022-emotet-bazar-loader
It's been a turbulent 18 months for Trickbot. The notorious modular malware has been in the spotlight, largely due to actions taken by both private companies and the U.S. government to thwart the attacks.
Even as U.S. Cyber Command and Microsoft seized servers and the U.S. Department of Justice arrested several people alleged to be involved with the group that runs the malware, Trickbot stayed active throughout 2021 with various infection campaigns.
Tomi Engdahl says:
SockDetour: a Silent, Fileless, Socketless Backdoor Targets U.S. Defense Contractors
https://unit42.paloaltonetworks.com/sockdetour/
Unit 42 has been tracking an APT campaign we name TiltedTemple, which we first identified in connection with its use of the Zoho ManageEngine ADSelfService Plus vulnerability CVE-2021-40539 and ServiceDesk Plus vulnerability CVE-2021-44077. The threat actors involved use a variety of techniques to gain access to and persistence in compromised systems and have successfully compromised more than a dozen organizations across the technology, energy, healthcare, education, finance and defense industries. In conducting further analysis of this campaign, we identified another sophisticated tool being used to maintain persistence, which we call SockDetour.
Tomi Engdahl says:
Microsoft Exchange servers hacked to deploy Cuba ransomware https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-cuba-ransomware/
The Cuba ransomware operation is exploiting Microsoft Exchange vulnerabilities to gain initial access to corporate networks and encrypt devices. Cybersecurity firm Mandiant tracks the ransomware gang as UNC2596 and the ransomware itself as COLDDRAW. However, the ransomware is more commonly known as Cuba, which is how BleepingComputer will reference them throughout this article.
Tomi Engdahl says:
Iranian Government-Sponsored MuddyWater Actors Conducting Malicious Cyber Operations https://www.cisa.gov/uscert/ncas/current-activity/2022/02/24/iranian-government-sponsored-muddywater-actors-conducting
CISA, the Federal Bureau of Investigation (FBI), U.S. Cyber Command Cyber National Mission Force (CNMF), the United Kingdom's National Cyber Security Centre (NCSC-UK), and the National Security Agency (NSA) have issued a joint Cybersecurity Advisory (CSA) detailing malicious cyber operations by Iranian government-sponsored advanced persistent threat (APT) actors known as MuddyWater. MuddyWater is conducting cyber espionage and other malicious cyber operations as part of Iran's Ministry of Intelligence and Security (MOIS), targeting a range of government and private-sector organizations across sectors, including telecommunications, defense, local government, and oil and natural gas, in Asia, Africa, Europe, and North America. Alert:
https://www.cisa.gov/uscert/ncas/alerts/aa22-055a
Tomi Engdahl says:
Zero-day XSS vulnerability in Horde webmail client can be triggered by file preview function https://portswigger.net/daily-swig/zero-day-xss-vulnerability-in-horde-webmail-client-can-be-triggered-by-file-preview-function
A zero-day cross-site scripting (XSS) vulnerability in the Horde webmail client could allow an attacker to steal a victim's emails and infiltrate their network, researchers warn. Horde webmail client is an open source email service from the Horde project. Researchers from SonarSource revealed in a blog post on February 23 that the client is vulnerable to a stored XSS vulnerability that is yet to be patched.
Tomi Engdahl says:
CISA Alerts on Actively Exploited Flaws in Zabbix Network Monitoring Platform https://thehackernews.com/2022/02/cisa-alerts-on-actively-exploited-flaws.html
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of active exploitation of two security flaws impacting the Zabbix open-source enterprise monitoring platform, adding them to its Known Exploited Vulnerabilities Catalog. On top of that, CISA is also recommending that Federal Civilian Executive Branch (FCEB) agencies patch all systems against the vulnerabilities by March 8, 2022 to reduce their exposure to potential cyberattacks. Also:
https://therecord.media/cisa-zabbix-servers-under-attack-with-recently-disclosed-vulnerability/
Tomi Engdahl says:
1-15 February 2022 Cyber Attacks Timeline https://www.hackmageddon.com/2022/02/24/1-15-february-2022-cyber-attacks-timeline/
The first timeline of February 2022 is out with 98 events. This number represents a 7% decrease with regards to the second timeline of January (105 events), but if compared with the first timeline of the previous month (91 events), shows a 7% increase. However, the numbers are considerably lower than this same period one year ago when the peak of activity for 2021 was achieved.
Tomi Engdahl says:
Biden says U.S. prepared for Russian cyberattacks as invasion of Ukraine continues https://therecord.media/biden-says-u-s-prepared-for-russian-cyberattacks-as-invasion-of-ukraine-continues/
President Joe Biden on Thursday said that the United States is ready to respond to cyberattacks from Russia, as the administration unveiled a new round of sanctions intended to punish the country for its invasion of Ukraine. “If Russia pursues cyberattacks against our companies, our critical infrastructure, we are prepared to respond,” Biden said during an address from the White House East Room. He added that the White House has been working closely with the private sector to “harden cyber defenses, sharpen our ability to respond to Russian cyberattacks as well.”
Tomi Engdahl says:
Ukraine & Russia Situation From a Domain Names Perspective https://isc.sans.edu/forums/diary/Ukraine+Russia+Situation+From+a+Domain+Names+Perspective/28376/
For a few days, the eyes of the world are on the situation between Russia and Ukraine. Today, operations are also organized in the “cyber” dimension (besides the classic ones – land, air, sea, and space). This new dimension is not only used for attacks like DDoS against the enemy but also for propaganda. Involved parties will be spreading fake news or bad guys may try to steal your data or some money.
Tomi Engdahl says:
Please Sign on the Dotted Line: DocuSign Phishing Attack https://www.armorblox.com/blog/blox-tales-please-sign-on-the-dotted-line-docusign-phishing-attack/
Electronic signatures have become the norm to conduct business transactions. From legal contracts, invoices, purchase orders and other legal documents, e-signature can be done without making an office visit, meeting a sales person or without the need of courier services like FedEx and UPS. The problem with electronic signatures?
They provide one more way for cybercriminals to attempt to steal identities and organizations' financial and sensitive data. Malicious actors have used this process to launch phishing attacks masquerading as valid emails soliciting digital signatures.
Tomi Engdahl says:
White House denies reports that it is considering cyberattacks on Russian infrastructure https://www.zdnet.com/article/white-house-denies-report-about-cyberattacks-against-russian-infrastructure/
The White House has denied reports that it is considering a range of cyberattacks on Russian infrastructure in response to the invasion of Ukraine. The denials came after NBC News reported US President Joe Biden was offered options that included the use of American cyberweapons “on a scale never before contemplated.” Reporters for NBC News claimed they were told by two US intelligence officials, one Western intelligence official, and another person briefed on the matter that Biden was given options such as shutting off electric power in Russia, disrupting the country’s internet connectivity, and damaging railroad switches.
Tomi Engdahl says:
F-Secure's Hyppönen considers it obvious that Russia is behind the cyberattacks on Ukraine: the biggest mystery is by which route and when they got in https://www.kauppalehti.fi/uutiset/f-securen-hypponen-pitaa-paivanselvana-etta-venaja-on-ukrainaan-kohdistuneiden-kyberiskujen-takana-suurin-mysteeri-mita-reittia-ja-milloin-menty-sisalle/49be8416-5cc0-407d-bfb9-bd4073ce840a
Early on Thursday, a series of cyberattacks hit Ukraine's government and financial institutions, destroying data on hundreds of computers.
Mikko Hyppönen, research director at the security company F-Secure, tells Tivi that in his opinion it is obvious that Russia is behind the attacks. The targets that were hit and the manner of the attacks point to this. These are destructive attacks, and there is no financial motivation behind them, Hyppönen tells Tivi.
https://www.wired.com/story/russias-cyber-threat-to-ukraine-is-vast-and-underestimated/
Russia's Cyber Threat to Ukraine Is Vast, and Underestimated. VLADIMIR PUTIN LAUNCHED an illegal, aggressive attack on Ukraine last night that has already killed dozens of soldiers and sent panic rippling through the world. Russian forces are air-striking cities all over Ukraine, with countless civilians in the firing line, as people flee the capital in Kyiv. Cyberattacks have also begun to amplify the chaos and destruction: Wiper attacks hit a Ukrainian bank and the systems of Ukrainian government contractors in Latvia and Lithuania; Ukrainian government websites were knocked offline; and the Kyiv Post website has been under constant assault since Russia attacked.
West's Cyber Aid To Ukraine Comes Too Little, Too Late, Intelligence Expert Warns https://www.forbes.com/sites/thomasbrewster/2022/02/24/western-ukraine-cyber-aid-too-little-too-late-intelligence-expert-warns/
In addition to fending off physical assaults, Kyiv on Thursday was shielding itself against computer-wiping malware and other digital attacks, presumably originating in Russia, that targeted government institutions and banks. Pledges of support for Ukraine, with the aim of preventing any catastrophic cyberattacks, have come from a slew of countries, including Lithuania, Netherlands, Poland, Estonia, Romania and Croatia, as well as the E.U. U.K. intelligence services, including GCHQ's National Cyber Security Centre (NCSC), are providing unspecified assistance, according to a Wednesday briefing.
Tomi Engdahl says:
Cyber professor Jarno Limnéll: This is where we in Finland, too, must now be alert https://www.tivi.fi/uutiset/tv/4a7f89a7-846a-406f-830a-6cd784eb932c
Cyber professor Jarno Limnéll reminds us that the fiercest cyber battles are fought over control of the information space. On the psychological front, Finland too must stay alert. The malware also hit Latvian and Lithuanian companies with connections to the Ukrainian government. Russia has been suspected of the attacks, since the country has previously been accused of several cyberattacks against Ukraine. Russia has denied being behind the attacks. Jarno Limnéll, professor of practice in cybersecurity at Aalto University, tells Tivi that the situation regarding the cyberattacks is unclear. He describes the attacks as limited, since Russia has the capability to carry out broader cyberattacks as well.
Tomi Engdahl says:
Hive ransomware: Researchers figure out a method to decrypt files https://blog.malwarebytes.com/ransomware/2022/02/hive-ransomware-researchers-figure-out-a-method-to-decrypt-files/
Files encrypted by ransomware can't be recovered without obtaining the decryption key, if the encryption has been done properly. But that doesn't seem to be the case for Hive ransomware. Researchers from the Kookmin University in Korea have published a method for decrypting the data scrambled by Hive. Under normal circumstances, victims have to pay a ransom to get the private key that enables them to decrypt their encrypted files. But the researchers managed to exploit a flaw in the encryption routine which allowed them to recover the master key, making it possible to decrypt all the files of a victim that were encrypted in the same session.
Tomi Engdahl says:
Ukraine donations may end up with criminals. Beware! The desire to help is being shamelessly exploited
https://www.iltalehti.fi/tietoturva/a/9c306595-f1bf-4ecb-9d2d-b697271978f7
After Russia attacked Ukraine on Thursday 24 February, organizations around the world have launched various collections to provide humanitarian aid to Ukrainians in distress. Many different donation campaigns are circulating, and unfortunately scam campaigns are among them. Matias Mesiä, an information security specialist at the National Cyber Security Centre (Kyberturvallisuuskeskus), says the centre has not yet received reports of charity scams, although such scams are being reported around the world.
Tomi Engdahl says:
Ukraine links phishing targeting military to Belarusian hackers https://www.bleepingcomputer.com/news/security/ukraine-links-phishing-targeting-military-to-belarusian-hackers/
The Computer Emergency Response Team of Ukraine (CERT-UA) warned today of a spearphishing campaign targeting private email accounts belonging to Ukrainian armed forces personnel. Accounts compromised in these attacks are then used to send additional phishing messages to contacts in the victims’ address books. The phishing emails are being sent from two domains, the former trying to impersonate the i.ua free Internet portal providing email services to Ukrainians since 2008. “Mass phishing emails have recently been observed targeting private ‘i.ua’ and ‘meta.ua’ accounts of Ukrainian military personnel and related individuals,” CERT-UA said earlier today. Also:
https://therecord.media/ukraine-says-belarusian-hackers-are-targeting-its-military-personnel/
Tomi Engdahl says:
Putin Warns Russian Critical Infrastructure to Brace for Potential Cyber Attacks https://thehackernews.com/2022/02/putin-warns-russian-critical.html
The Russian government on Thursday warned of cyber attacks aimed at domestic critical infrastructure operators, as the country’s full-blown invasion of Ukraine enters the second day. In addition to cautioning of the “threat of an increase in the intensity of computer attacks,” Russia’s National Computer Incident Response and Coordination Center said that the “attacks can be aimed at disrupting the functioning of important information resources and services, causing reputational damage, including for political purposes.”
Conti ransomware gang: You attack Russia, we'll hack you back https://grahamcluley.com/conti-ransomware-gang-you-attack-russia-well-hack-you-back/
The Conti ransomware gang says that it supports the Russian government's invasion of Ukraine and if anyone launches a retaliatory cyber attack against Russia, they will hit back hard. The message was posted on Conti's website on the dark web earlier today. Conti has proven its ability to compromise organisations, plant malware, steal sensitive information, and extort millions of dollars worth of cryptocurrency from its victims on numerous occasions.
Russia appears to deploy digital defenses after DDoS attacks https://therecord.media/russia-appears-to-deploy-digital-defenses-after-ddos-attacks/
The conflict online is mirroring the conflict offline with attacks and defense being deployed in cyberspace amid Russia's invasion of Ukraine, including the Russian government appearing to deploy a digital drawbridge to protect websites. On Thursday, Russian government websites went dark to some parts of the world after being targeted with a flood of web traffic via a distributed denial-of-service (DDoS) attack attempting to knock them offline. It's unclear who directed the attack or if it was successful in disrupting the sites.
Tomi Engdahl says:
NHS urges orgs to apply security update for Okta Client RCE bug https://www.bleepingcomputer.com/news/security/nhs-urges-orgs-to-apply-security-update-for-okta-client-rce-bug/
The UK’s NHS Digital agency is warning organizations to apply new security updates for a remote code execution vulnerability in the Windows client for the Okta Advanced Server Access authentication management platform. “NHS Digital is the national digital, data and technology delivery partner for the NHS and social care system,” explains the website for NHS Digital.
Tomi Engdahl says:
CISA Adds Four Known Exploited Vulnerabilities to Catalog https://www.cisa.gov/uscert/ncas/current-activity/2022/02/25/cisa-adds-four-known-exploited-vulnerabilities-catalog
CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below.
These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.
Tomi Engdahl says:
Potential cybersecurity impacts of Russia's invasion of Ukraine https://blog.malwarebytes.com/malwarebytes-news/2022/02/potential-cybersecurity-impacts-of-russias-invasion-of-ukraine/
On Thursday night, Russia launched a military invasion of its neighbor and former Soviet Union member Ukraine, drawing a broad rebuke from international leaders, along with significant protest from the Russian public. The toll of human life from this war is unknown, and, like the many international acts of aggression that have preceded it, future figures and statistics will not, alone, make sense of it. The threats and dangers posed by this conflict will be borne by the combatants and the people of Ukraine, and they are in our thoughts. Our collective priority must be people's physical safety, but Russia's assault could also produce a range of cybersecurity-related risks that organizations and people will need to protect themselves against, starting today.
Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/
On Feb. 1, 2022, Unit 42 observed an attack targeting an energy organization in Ukraine. CERT-UA publicly attributed the attack to a threat group they track as UAC-0056. The targeted attack involved a spear phishing email sent to an employee of the organization, which used a social engineering theme that suggested the individual had committed a crime. The email had a Word document attached that contained a malicious JavaScript file that would download and install a payload known as SaintBot (a downloader) and OutSteel (a document stealer).
Tomi Engdahl says:
GPU giant Nvidia is investigating a potential cyberattack https://www.bleepingcomputer.com/news/security/gpu-giant-nvidia-is-investigating-a-potential-cyberattack/
US chipmaker giant Nvidia confirmed today it’s currently investigating an “incident” that reportedly took down some of its systems for two days. Systems impacted in what looks like a cyberattack include the company’s developer tools and email systems, as first reported by The Telegraph. The reported outage is the result of a network intrusion, and it is still not known if any business or customer data was stolen during the incident. Also:
https://www.zdnet.com/article/nvidia-investigating-cybersecurity-incident/
Tomi Engdahl says:
Twitter restricted in Russia amid conflict with Ukraine
https://netblocks.org/reports/twitter-restricted-in-russia-amid-conflict-with-ukraine-JBZrogB6
NetBlocks metrics confirm the restriction of Twitter in Russia from the morning of Saturday 26 February 2022. The restrictions are in effect across multiple providers and come as Russian authorities and social media platforms clash over platform rules in relation to the conflict with Ukraine. Network data show that access to the Twitter platform and backend servers are restricted on leading networks including Rostelecom, MTS, Beeline and MegaFon as of 9:00 a.m. Saturday morning UTC. Circumvention is currently possible using VPN services, which can help users work around the online censorship.
Tomi Engdahl says:
CISA Releases Advisory on Destructive Malware Targeting Organizations in Ukraine https://www.cisa.gov/uscert/ncas/current-activity/2022/02/26/cisa-releases-advisory-destructive-malware-targeting-organizations
CISA and the Federal Bureau of Investigation have released an advisory on destructive malware targeting organizations in Ukraine. The advisory also provides recommendations and strategies to prepare for and respond to destructive malware. Additionally, CISA has created a new Shields Up Technical Guidance webpage that details other malicious cyber activity affecting Ukraine. The webpage includes technical resources from partners to assist organizations against these threats.
Alert: https://www.cisa.gov/uscert/ncas/alerts/aa22-057a
Tomi Engdahl says:
Russia or Ukraine: Hacking groups take sides https://therecord.media/russia-or-ukraine-hacking-groups-take-sides/
Russia's invasion of Ukraine has taken place both on and offline, blending physical devastation with escalating digital warfare.
Ransomware gangs and other hacking groups have taken to social media to announce where their allegiances lie. Many of the pronouncements from these groups include threats against critical government infrastructure. Some collectives are state-sponsored while others are decentralized but all are able to take down computer systems and breach organizations. Also:
https://www.zdnet.com/article/anonymous-hacktivists-ransomware-groups-get-involved-in-ukraine-russia-conflict/
Tomi Engdahl says:
Kremlin websites dark for the third day already; Anonymous claims to be behind the cyberattack https://www.is.fi/digitoday/art-2000008645424.html
THE KREMLIN's websites were still down on Saturday, reports the news agency Reuters. Other Russian state and media websites have also been targeted by cyberattacks. According to CNN, some Russian state websites have been down continuously for three days already. Also:
https://twitter.com/netblocks/status/1497594515233951744
Tomi Engdahl says:
Ukraine recruits “IT Army” to hack Russian entities, lists 31 targets https://www.bleepingcomputer.com/news/security/ukraine-recruits-it-army-to-hack-russian-entities-lists-31-targets/
Ukraine is recruiting a volunteer “IT army” of security researchers and hackers to conduct cyberattacks on thirty-one Russian entities, including government agencies, critical infrastructure, and banks.
Saturday afternoon, Ukraine’s Minister for Digital Transformation Mykhaylo Fedorov announced that they need volunteer “digital talents” for an “IT Army” to conduct operational tasks against Russia on the cyber frontline.
Tomi Engdahl says:
Trickbot Groups AnchorDNS Backdoor Upgrades to AnchorMail https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/
IBM Security X-Force researchers have discovered a revamped version of the Trickbot Group's AnchorDNS backdoor being used in recent attacks ending with the deployment of Conti ransomware. The Trickbot Group, which X-Force tracks as ITG23, is a cybercriminal gang known primarily for developing the Trickbot banking Trojan, which was first identified in 2016 and initially used to facilitate online banking fraud. The group has adapted in recent years to the ransomware economy by using its Trickbot and Bazarloader payloads to gain a foothold for ransomware attacks and through its close relationship with the Conti ransomware-as-a-service (RaaS).
Tomi Engdahl says:
The war in Ukraine increases the threat of cyber influence operations in Finland as well; the Finnish Security Intelligence Service (Suojelupoliisi) urges companies to prepare to protect critical infrastructure https://www.kauppalehti.fi/uutiset/ukrainan-sota-kasvattaa-kybervaikuttamisen-uhkaa-myos-suomessa-suojelupoliisi-kehottaa-yrityksia-varautumaan-kriittisen-infrastruktuurin-suojaamiseen/a6113df9-8029-4975-bd9a-4a9c4dcf626a
The task of the Finnish Security Intelligence Service is to counter threats directed at critical infrastructure, but in Finland that infrastructure is in the hands of private companies. Companies therefore play a key role in protecting against cyber influence operations. Russia's attack on Ukraine has also increased tension in Finland's security policy situation. This was also the assessment of the Finnish Security Intelligence Service, which on Friday urged companies on Twitter to prepare for the threat of cyber influence operations. "Attention, companies! The extremely tense security policy situation also increases the threat of cyber influence operations directed at Finland's critical infrastructure," Suojelupoliisi wrote on Twitter.
Tomi Engdahl says:
Cyberattack Hits Global Operations of Logistics Giant Expeditors International
https://www.securityweek.com/cyberattack-hits-global-operations-logistics-giant-expeditors-international
Seattle, Washington-based logistics giant Expeditors International on Sunday announced the disruption of its global systems as a result of a cyberattack.
The Fortune 500 company said it had shut down most of its operating systems, and in an update shared on Monday informed customers that its operations had still been impacted.
“While our systems are shut down we will have limited ability to conduct operations, including but not limited to arranging for shipments of freight or managing customs and distribution activities for our customers’ shipments,” the company stated.
The company described it as a “targeted cyberattack,” but shared no other details. Based on its brief description of the incident, it may have been a ransomware attack.
Tomi Engdahl says:
EU to Activate Cyber Response Team to Help Ukraine
https://www.securityweek.com/eu-activate-cyber-response-team-help-ukraine
The European Union is set to activate an EU cyber response team to help Ukraine face Russian attacks, the unit’s leader Lithuania said on Tuesday.
Lithuania and others “are activating (the) Cyber Rapid Response Team to help Ukrainian institutions to cope with growing cyber threats,” the Baltic state’s Deputy Defence Minister Margiris Abukevicius tweeted.
The decision comes after Moscow recognised two breakaway regions in Ukraine, prompting backlash from the West and further fuelling fears of a possible Russian invasion of its post-Soviet neighbour.
Tomi Engdahl says:
Chinese Researchers Detail Linux Backdoor of NSA-Linked Equation Group
https://www.securityweek.com/chinese-researchers-detail-linux-backdoor-nsa-linked-equation-group
A team of researchers from China’s Pangu Lab on Wednesday published a 50-page report detailing a piece of Linux malware allegedly used against many targets by the threat actor known as the Equation Group, which has been linked to the U.S. National Security Agency (NSA).
It’s not uncommon for cybersecurity companies in the United States to publish reports detailing the tools and activities of threat actors linked to the Chinese government, and now a group of Chinese researchers have released a report detailing a piece of malware tied to the U.S. government.
Pangu Lab is a research project of Pangu Team, which is best known for its iPhone jailbreaks. An iOS exploit earned them $300,000 last year at a major Chinese hacking contest.
Tomi Engdahl says:
Destructive ‘HermeticWiper’ Malware Targets Computers in Ukraine
https://www.securityweek.com/destructive-hermeticwiper-malware-targets-computers-ukraine
Just as Russia was preparing to launch an invasion of Ukraine, Ukrainian government websites were disrupted by DDoS attacks and cybersecurity firms reported seeing what appeared to be a new piece of malware on hundreds of devices in the country.
The new malware, dubbed “HermeticWiper” by the cybersecurity community, is designed to erase infected Windows devices. The name references a digital certificate used to sign a malware sample — the certificate was issued to a Cyprus-based company called Hermetica Digital.
“At this time, we haven’t seen any legitimate files signed with this certificate. It’s possible that the attackers used a shell company or appropriated a defunct company to issue this digital certificate,” explained endpoint security firm SentinelOne, whose researchers have been analyzing the new malware.
The malware has also been analyzed by researchers at ESET and Symantec. Each of the companies has shared indicators of compromise (IoCs) associated with HermeticWiper.
Tomi Engdahl says:
US, UK Warn of Iranian Cyberattacks on Government, Commercial Networks
https://www.securityweek.com/us-uk-warn-iranian-cyberattacks-government-commercial-networks
Governmental agencies in the United States and the United Kingdom warn of cyberespionage operations that the Iranian state-sponsored threat actor MuddyWater has been running against both public and private sector organizations worldwide.
Active since at least 2017 and also tracked as Static Kitten, Seedworm, and Mercury, MuddyWater is an advanced persistent threat (APT) actor believed to be a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).
Tomi Engdahl says:
NSO Sues Israeli Paper After Explosive Articles on Police
https://www.securityweek.com/nso-sues-israeli-paper-after-explosive-articles-police
The Israeli tech company NSO Group on Sunday filed a libel lawsuit against an Israeli newspaper after it published a series of explosive articles claiming Israeli police unlawfully used its spyware on dozens of public figures.
The articles by the Israeli business newspaper Calcalist published over recent weeks triggered an uproar over what the newspaper claimed was the police’s unfettered use of sophisticated phone hacking software on a broad swath of figures. An investigation into the reports, which were unsourced, found no indication of abuse.
The NSO suit targets a specific article published earlier this month, which said the company allowed clients to delete traces of their use of the spyware, a claim it denies. But the company, which has faced a growing backlash over its product, questioned the overall credibility of the reports, calling the series of articles “one-sided, biased and false.”
“The thorough investigation that was carried out pulls the rug out from under another attempt to discredit the company and its workers and serves as additional proof that not every journalistic investigation with a sensational headline about NSO is indeed based on facts,” the company said in a statement.
NSO was asking for 1 million shekels (310,000 dollars) in damages that it said would be donated to charity.