At a glance.
- Follina zero-day.
- Ransomware notes: gangland update.
- Bricked tractors and other threats to agriculture.
- Western nations remain alert for Russian cyberattacks.
- Russia's prosecution of REvil is at a stand (and it's America's fault).
Microsoft issues mitigations for Follina zero-day.
Malwarebytes researchers describe a zero-day vulnerability that could allow attackers to achieve remote-code execution in Windows systems. Exploitation of "Follina," as the researchers call the bug, "circumvents Microsoft’s Protected View and anti-malware detection. The attack vector uses the Word remote template feature to retrieve an HTML file from a remote webserver. It goes on to use the ms-msdt protocol URI scheme to load some code, and then execute some PowerShell." Microsoft addressed the issue yesterday. "On Monday May 30, 2022," Malwarebytes says, "Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability. The workaround offered by Microsoft consists of an alternative method to unregister the MSDT URL Protocol."
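The workaround Malwarebytes refers to is Microsoft's guidance to back up and then delete the registry key that registers the ms-msdt: URL protocol handler. The script below is an added example, not code from the CyberWire item, Malwarebytes or Microsoft; it wraps that procedure with an elevation check, a backup-before-delete guard, and a verification step. The backup path ($BackupFile) is an assumed location.

```powershell
# Added example: apply Microsoft's CVE-2022-30190 workaround (unregister the
# ms-msdt: URL protocol handler) with backup and verification. Run elevated.

$Key        = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed path

# The registry change requires administrative rights; fail early otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}

if (-not (Test-Path "Registry::$Key")) {
    Write-Output "$Key is not registered; nothing to do."
    return
}

# 1. Back up the handler so it can be restored once the patch is installed.
reg export $Key $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of $Key failed; aborting before deletion." }

# 2. Unregister the protocol handler (Microsoft's documented workaround step).
reg delete $Key /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Deletion of $Key failed." }

# 3. Verify: without the key, Windows no longer resolves ms-msdt: links to msdt.exe,
#    so a document using the Follina chain cannot launch the diagnostic tool this way.
if (Test-Path "Registry::$Key") { throw 'ms-msdt handler still present after deletion.' }
Write-Output "ms-msdt: URL protocol unregistered. Backup saved to $BackupFile"
Write-Output "To restore after patching: reg import `"$BackupFile`""
```

Restoring the key with `reg import` after the patch is applied brings the Troubleshooters back; the workaround only removes the URL handler, not MSDT itself.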
Notes from the underworld.
NCC Group has been tracking the return of CL0P ransomware, which last month emerged from its temporary occultation to hit twenty-one targets. "The most targeted sector for CL0P was industrials," NCC Group noted, "which made up 45% of CL0P’s attacks, followed by technology with 27%." This is roughly along the lines of the target selection NCC Group observed on the part of Conti and LockBit, although CL0P is a bit more interested in the tech sector than are its criminal competitors. BleepingComputer reports that CL0P exploited Accellion's legacy File Transfer Appliance (FTA) to exfiltrate large quantities of data from the companies it victimized.
CSO takes a look at Conti, which may or may not be breaking up or rebranding, but which seems likely to persist in some form or other. Among their observations is that Conti has been, relatively speaking, less concerned than its competitors with delivering on promises made to victims, which suggests the gang either has a different revenue model or is pursuing goals other than simple, immediate profit.
The following notes concern the cyber phases of Russia's hybrid war against Ukraine. The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.
Cyber threats to the agricultural sector.
The agricultural sector is vulnerable to cyber disruption, as the small-scale Ukrainian bricking of tractors stolen by occupying forces and shipped back to Russia suggests. Some twenty-seven agricultural machines were taken by Russian forces from Melitopol and carried off for use in the Chechen region of Russia, CSO reports, but their former owners have rendered them inoperable and useless, much as one might remotely brick a stolen laptop. What's networked can usually be remotely disabled by its owners, and tractors are no different in this respect from a tablet. Should Russia decide to push back harder against sanctions by exacerbating the food shortages its blockade has already induced, some observers have expressed concern that it could mount a general cyber campaign against the agricultural sector. The privateering against JBS Foods, ABC says, foreshadows what might be possible: "JBS Foods, the world's biggest meat processor, was held ransom by Russian-based hackers for $US11 million last year."
Western nations remain on alert for Russian cyberattacks.
BleepingComputer reports that Italian authorities warned yesterday that Italy could see more distributed denial-of-service attacks of the sort recently conducted by the Russian Killnet group, nominally independent patriotic hacktivists working in Russia's interest, but probably also receiving some direction from Moscow's security and intelligence services. Killnet declared "Operation Panopticon" (that is, the creation of a space in which everything is seen) last week, and has since been seeking to rally sympathetic hackers to its cause. The original panopticon was proposed in the eighteenth century by the English utilitarian philosopher Jeremy Bentham, who intended it as a proposal for prison reform. Prisons ought to be designed, Bentham argued, around a central panopticon from which all the prisoners could be observed continuously and without interruption. We leave the unpacking of Killnet's choice of metaphor as an exercise for the reader.
Observers in the US and UK also continue to express concern about the prospects of major Russian offensive cyber campaigns, although so far at least no such successful campaigns have developed. Some warn of a potential for attacks against industrial control systems (using Pipedream malware tools); others see more risk of distributed denial-of-service attacks organized by Gamaredon (APT53, or Primitive Bear).
Ukrainian hacktivists continue to conduct nuisance-level attacks against Russian targets. Sberbank, Russia's largest bank, remains a favorite target, the Telegraph reports.
REvil prosecution has reached a dead end.
Remember when Russian authorities arrested some alleged leaders of the REvil ransomware gang back on January 14th? It would seem that their prosecution is now at a standstill. And, moreover, it's the Americans' fault, or so the word on the courthouse steps in Moscow has it. The Russian media outlet Kommersant reported Friday that "America did nothing," and suggests that this is a disappointment for the Russian authorities. Russia did its best in good faith and with a commitment to procedural equity, but the Americans failed to deliver the evidence they promised (says Kommersant).
The US suspended its cooperation with Russian law enforcement after the special military operation in Ukraine began, and so the Russian prosecution can now proceed no further. Cyberscoop points out that this is basically the defense attorney's perspective, and that perhaps it should be taken with a grain of salt. Anyway, defense counsel has apparently suggested that the alleged leaders of REvil are patriots willing to turn from their young, misguided life of crime, and that they're in a unique position to render assistance to Russia in her hour of cyber need. They've got the chops for it, apparently, having honed their skills as privateers (or if you prefer, criminals).