At a glance.
- SeaFlower threat actor raids crypto wallets.
- Ukraine backs up sensitive data abroad.
- Exploiting Follina against Ukrainian media.
- Anonymous makes uncorroborated claims of successful action against Russia and Belarus.
- Effects of war on the criminal underworld.
- Cyber risk and the future of work.
SeaFlower uses stolen seed phrases to rifle cryptocurrency wallets.
Security Week reports that digital advertising security company Confiant has discovered a campaign distributing backdoored versions of iOS and Android Web3 wallets. The attackers have cloned the legitimate sites of the wallets and seeded them with download links to trojanized builds that retain the app's legitimate functionality but also exfiltrate the user's seed phrase. The seed phrase is the wallet's master secret: whoever holds it can restore the wallet on another device and empty it, which is how the operators steal the victims' cryptocurrency. Confiant says the cybercriminals running this campaign have not yet been identified, but are likely Chinese, as much of the data found is in Chinese and includes Chinese and Hong Kong IP addresses.
Ukraine moves sensitive data abroad.
The Wall Street Journal reports that Ukraine has begun to store sensitive data abroad, backing up its information to render it less vulnerable to Russian physical or cyber attack. George Dubinskiy, the country's deputy minister of digital transformation, said, “To be on the safe side, we want to have our backups abroad.” Among the earlier transfers was a program to back data up to a secure private cloud with servers located in Poland. Priority has been given to protecting "VIP" databases, that is, databases deemed essential to the operation of Ukraine's economy.
Dealing with the GRU's exploitation of the Follina vulnerabilities.
CERT-UA maintains its conclusion that Sandworm, a GRU operation, was responsible for exploiting Follina to compromise Ukrainian media organizations, Computing reports. Compromised Word documents are carrying the AsyncRAT Trojan as a malicious payload.
Follina is a remote code execution vulnerability (CVE-2022-30190, assigned a CVSS severity score of 7.8 out of 10 by Microsoft) in the Microsoft Support Diagnostic Tool (MSDT). A malicious Office document references an external HTML page through an OLE object link; that page invokes the ms-msdt: URL protocol handler, and MSDT then runs the attacker's script, with no macros involved. It's being called "low-interaction remote code execution" rather than zero-click, because some user interaction is required, but not much: all it takes is for a victim to open the document or, in the case of an RTF file, merely preview it in the Windows Explorer preview pane. Ars Technica notes that Microsoft has issued mitigation guidance explaining how to disable the MSDT URL protocol (back up and then delete the HKEY_CLASSES_ROOT\ms-msdt registry key), but hasn't yet said whether it will issue a full patch for the issue.
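The document-side tell of a Follina lure is the externally linked OLE object: a normal Word file's relationship part (word/_rels/document.xml.rels) never links an oleObject to a remote URL. The following triage script, added here as an illustration and not code from CERT-UA, Microsoft or any of the outlets cited above, unzips a .docx in memory and lists any oleObject relationship whose TargetMode is External. The two documents it scans are constructed in the script itself (the example.invalid target is a placeholder, not a real indicator), so it runs offline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")


def external_ole_targets(docx_bytes: bytes) -> list[str]:
    """Return Target URLs of externally linked OLE objects in a .docx.

    Follina-style documents carry an oleObject relationship with
    TargetMode="External" pointing at an attacker-controlled HTML page;
    a benign document embeds its OLE objects internally, if at all.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            # Only relationship parts under word/ (e.g. word/_rels/document.xml.rels)
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode", "Internal") == "External"):
                    hits.append(rel.get("Target", ""))
    return hits


def looks_like_follina(docx_bytes: bytes) -> bool:
    """True if any external OLE link fetches an http(s) resource."""
    return any(t.lower().startswith(("http://", "https://"))
               for t in external_ole_targets(docx_bytes))


def build_docx(rels_xml: str) -> bytes:
    """Build a minimal .docx in memory. Constructed test input, not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml",
                   "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed relationship parts: one benign, one in the Follina shape.
BENIGN_RELS = f"""<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="embeddings/oleObject1.bin"/>
</Relationships>"""

SUSPICIOUS_RELS = f"""<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="http://example.invalid/payload.html!" TargetMode="External"/>
</Relationships>"""


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        doc = build_docx(rels)
        print(label, looks_like_follina(doc), external_ole_targets(doc))
```

The check only covers the first stage; the ms-msdt: invocation lives in the remotely fetched HTML, so endpoint detection should additionally alert on msdt.exe being spawned by an Office process. A trailing "!" on the target URL, as in the constructed sample, was seen in early Follina documents but is not required for the exploit.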
Anonymous claims to have hacked Russia's drone suppliers...
Anonymous claims to have successfully hacked into Russia's drone suppliers, if not exactly the drones themselves. "Russian UAV drones plans and tactic's hacked. We hope this information will help the war to end as soon as possible , no war is justified! [sic]" tweeted @Spid3r, who claims adherence to the hacktivist collective. Accounts of exactly what Anonymous obtained are confused and unclear, but it does not appear to have been a "direct attack on the Russian military," as some sources said. Images @Spid3r posted of files allegedly stolen appear to include promotional literature and a list of companies involved in the production or trade of the Kronstadt Group's Orion-E armed drone, an export model. Computing notes, sensibly, that "The nature of Anonymous makes it impossible to ascertain if the hacked data is genuine, although cybersecurity experts do think that most of the collective claims of successful attacks are true."
...and to have hit sensitive targets in Belarus.
@Spid3r also claims to have engineered significant disruption of government activities in Belarus. "Access to 26 ministries, centers and banks of the Belarusian Government has been restricted as a result of attacks by me (@YourAnonSpider)" the hacktivist crowed on Twitter. There are no independent reports of such activity, and the claim has to be received with skepticism: disruption on that scale would surely have been noticed.
The war's effects on the cyber underworld.
Kela Cybercrime Intelligence has researched the effect Russia’s war against Ukraine has been having on the cybercrime landscape, detailing new developments in the cybercriminal underground as a result of the conflict. The effects are being produced by new criminal opportunities, by the effect of Western sanctions, and by new Russian restrictions on certain online services.
Kela researchers have found, for example, that people are arranging transportation out of Ukraine through hacking sites rather than through legitimate services, and that demand for money transfer services has increased, since both Russia and Ukraine now have laws limiting the amounts that can be transferred and the destinations to which money may be sent. These are the services black markets have traditionally offered in wartime, and cybercriminals have not been slow to pivot from online fraud and carding to taking advantage of the desperate.
What's made legitimate remittances harder has also made criminal transactions more difficult. The blind eye the Russian organs have traditionally turned toward money laundering, for example, is now seeing a bit more clearly, and life has grown a bit more challenging for the underworld. And, of course, Western sanctions have made it difficult, in some cases to the point of impossibility, for, say, ransomware victims to pay their extortionists, especially when the ransomware operators are working from Russia, as so many of them do.
VPN services have also seen a “spike” in demand. “The spike can be caused by the arrival of new users hoping to acquire accounts for reliable VPN services,” Kela writes, “especially since Russia has started to block URLs linked to some of them, while to legally pay for remaining VPNs is hard without having non-Russia issued Visa and MasterCard credit cards.” There’s nothing inherently illegal about VPNs, but they’re restricted in Russia, where the government has enacted censorship laws to stifle access to sites that offer what the Kremlin regards as “disinformation,” that is, comment and reporting that don’t reflect the official Russian line on the special military operation. Facebook and Instagram are among the platforms being censored, and the cyber underworld has been quick to offer illicit VPN services to those who want to see the news the government would rather go unreported (or at least unheard).
Kela has also found that the war is affecting both cybercriminal online communities and criminal-to-criminal (C2C) markets for ransomware and other crimeware. The actors behind the Raccoon Stealer malware reported on a forum that their core developers are unable to continue producing the malware because of a "special operation" and that work on Raccoon Stealer has been suspended; the gang hints that the suspension is due to the war. Chatter about the effects of the war has also appeared on Russophone cybercrime forums, where there's some debate about the nature and justification of Russia's war despite forum rules against such political discussion. And, of course, as we've seen, ransomware gangs have taken sides in the war, usually Russia's side (Conti is the most famous of these). Some gangs, wishing for freedom to pursue criminal gain, have sought to keep operations as normal as possible by declaring their neutrality.
Security and the future of work.
Dashlane this morning released a report on cybersecurity at businesses with remote or hybrid workforces. The survey found that remote and hybrid work are becoming more common, with only 10% of respondents reporting no remote workers at their companies. Awareness of cyber safety is up everywhere, but not every company is implementing appropriate, workable solutions. Password managers were the most common change companies made to increase security, yet only one-third of employees at companies that rolled one out are confident that 95-100% of their coworkers actually use it, a reminder that deploying a control is not the same as adopting it.