At a glance.
- Russia routes occupied Ukraine's Internet traffic through Russia.
- Intercepts in the hybrid war: the odd and the ugly.
- Hertzbleed side-channel issue affects Intel and AMD processors.
- Iranian spearphishing campaign prospected Israeli, US officials.
- Patch Tuesday notes.
- CISA releases three ICS security alerts.
- A look at software bills of materials.
Russia routes occupied Ukraine's Internet traffic through Russia.
Control of media and communications continues to advance as a matter of occupation policy in those areas of Ukraine that Russia controls. Wired describes how Internet traffic in particular has received close Russian attention. In the vicinity of Kherson, Luhansk, Donetsk, and Zaporizhzhia, Internet service providers have been forced to reconfigure to connect through Miranda Media, a Russian operation. Mobile networks are receiving comparable attention, with hitherto unknown companies now providing mobile service in those areas. The integration of the occupied regions' Internet and telecommunications into Russia has been used to disseminate Russian disinformation and propaganda. It's also part of an ongoing campaign of Russification that's extended to such matters as financial services and nominal citizenship, imposing the ruble as the local currency and issuing Russian passports to Ukrainian civilians who remain in the occupied regions.
Intercepts in the hybrid war: the odd and the ugly.
CyberScoop reports that the Belarusian Cyber-Partisans, a dissident group opposed to the continued rule of President Lukashenka, has released what it says are telephone conversations between the Russian embassy and Russian consulate that suggest the Moscow-Minsk alliance is less fraternal than it's publicly represented to be. The Cyber-Partisans call their interception campaign "Operation Zhara" ("Heatwave"). The recordings were, the Cyber-Partisans suggest, made by the Belarusian government itself, an unbrotherly gesture, in the Cyber-Partisans' view. In any case, the content of the calls they've released is remarkably anodyne: discussion of setting up a new facility (with several allusions to the installation of toilets), calls from people asking about their COVID vaccination certificates, inquiries about immigration, a request for advice on how to get a tow truck to Kursk, solicitous inquiries about an interlocutor's health (with attendant universal cliches like "If you've got your health, you've got everything") and so on. There's some mild bureaucratic buck-passing, but on the whole the staff in the embassy and consulate seem patient and conscientious enough. The Cyber-Partisans say they've got more coming, but if they're hoping for greater eclat, they should look for scandal, vilification, double-dealing, etc. The material they've released so far doesn't at all show the Russian diplomatic staff in a bad light: we don't know, but so far at least, they seem nice.
Far from anodyne, however, is another recording of an intercepted call. Collected and released by Ukraine's SBU, the Security Service of Ukraine, the call, which the SBU says was between two Russian intelligence officers, discusses using Ukrainian "detainees" to clear mines and unexploded ordnance from Mariupol. The Telegraph reports that the number of prisoners Russian forces have taken in the region is unknown, but is believed to total roughly 2000. How they are to be used for mine clearance isn't specified, although the two speakers talk about having the detainees "dig trenches and sleep in them." But it seems unlikely that prisoners would be issued proper mine-clearing equipment, and in any case explosive ordnance disposal isn't a job for the untrained and unled. Using prisoners of war in this fashion, whether they're being driven across minefields or simply put to work on military projects, is a violation of the Geneva Conventions. If the recording is authentic, the two interlocutors are casually alluding to, and conducting low-level planning for, a war crime.
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.
Hertzbleed side-channel issue affects Intel and AMD processors.
Researchers from the University of Texas at Austin, the University of Illinois Urbana-Champaign, and the University of Washington describe "Hertzbleed," so called from the unit of frequency, the hertz, and also a punning allusion to the earlier Heartbleed vulnerability. The researchers characterize Hertzbleed as "a new family of side-channel attacks: frequency side channels." Under the right circumstances an attacker could extract encryption keys via remote timing. Tracked as CVE-2022-23823 and CVE-2022-24436, Hertzbleed is a difficult issue to address since, as the researchers point out, it's not really a bug but a feature of how the processors function. Intel has issued workarounds to mitigate the risk of exploitation.
Iranian spearphishing campaign prospected former Israeli officials.
Check Point describes a complicated spearphishing campaign that prospected former Israeli officials (and some American targets as well). It used personae and subjects tailored to the targets' interests, and it employed URL shorteners to further obfuscate the social engineering. The threat actor used a legitimate service, NameCheap's Validation.com identity verification service, to lend further credibility to its approach. Check Point attributes the campaign to the Phosphorus APT, long associated with Tehran's intelligence and security services.
Patch Tuesday notes.
Yesterday was Patch Tuesday. Microsoft issued fifty-five patches, including one that addressed the widely exploited Follina vulnerability. Adobe and SAP also patched their products. And today, Wednesday, marked the long-anticipated retirement of Internet Explorer: Microsoft has ended support for its once widely used browser.
CISA releases three ICS security alerts.
The US Cybersecurity and Infrastructure Security Agency (CISA) yesterday released three industrial control system (ICS) security advisories, for Johnson Controls Metasys ADS ADX OAS Servers, Meridian Cooperative Meridian, and Mitsubishi Electric MELSEC-Q/L and MELSEC iQ-R.
Other ICS issues were also addressed yesterday. SecurityWeek reports that Siemens and Schneider Electric between them patched eighty-three vulnerabilities in their products. Siemens addressed fifty-nine vulnerabilities in fourteen advisories, and Schneider Electric fixed twenty-four vulnerabilities, covered in eight advisories.
A look at software bills of materials.
Google reports a considerable increase in efforts to adopt Software Bills of Materials (SBOMs). SBOMs list all the components, libraries, and modules needed to build a piece of software. The National Institute of Standards and Technology (NIST) released its Secure Software Development Framework, requiring that SBOM information be available for software, which gave an additional boost to the use of SBOMs. Google emphasizes, however, that SBOMs need to be used and mapped onto known vulnerabilities to highlight what could pose a threat. They offer an example from a Kubernetes SBOM: they mapped it against the Open Source Vulnerabilities (OSV) database and found that v1.21.3 of Kubernetes contains the CVE-2020-26160 vulnerability. Used this way, the SBOM lets consumers of that version of Kubernetes learn of the vulnerability and remediate it. A future with widespread SBOM adoption will allow for more user awareness of the components and risks found in the software they consume regularly.
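The SBOM-to-vulnerability mapping described above, as an added example that is not Google's tooling or a real Kubernetes SBOM: a constructed CycloneDX-style component list is matched against constructed OSV-style advisory records. The CVE-2020-26160 record simply enumerates 1.21.3 as affected, reflecting the page's statement; the second advisory, EXAMPLE-0001 for a hypothetical package, shows the "introduced"/"fixed" SEMVER range form that OSV records use.

```python
import json

# Constructed CycloneDX-style SBOM fragment (not a real Kubernetes SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "kubernetes", "version": "v1.21.3", "purl": "pkg:golang/k8s.io/kubernetes@v1.21.3"},
    {"name": "examplelib", "version": "2.4.0", "purl": "pkg:golang/example.com/examplelib@2.4.0"}
  ]
}"""

# Constructed OSV-style advisories. The first enumerates the version the page names as
# affected; the second is a hypothetical advisory expressed as a SEMVER event range.
ADVISORIES = [
    {"id": "CVE-2020-26160",
     "affected": [{"package": {"name": "kubernetes"}, "versions": ["1.21.3"]}]},
    {"id": "EXAMPLE-0001",
     "affected": [{"package": {"name": "examplelib"},
                   "ranges": [{"type": "SEMVER",
                               "events": [{"introduced": "2.0.0"}, {"fixed": "2.5.0"}]}]}]},
]

def parse_version(v):
    """Normalise 'v1.21.3' / '1.21.3' into a comparable tuple of integers."""
    return tuple(int(x) for x in v.lstrip("v").split("."))

def in_range(version, events):
    """OSV SEMVER semantics: affected from an 'introduced' event until the next 'fixed' event."""
    v, affected = parse_version(version), False
    for ev in events:  # events are listed in ascending version order
        if "introduced" in ev and v >= parse_version(ev["introduced"]):
            affected = True
        if "fixed" in ev and v >= parse_version(ev["fixed"]):
            affected = False
    return affected

def match_sbom(sbom_json, advisories):
    """Return {'<name>@<version>': [advisory ids]} for every SBOM component an advisory covers."""
    findings = {}
    for comp in json.loads(sbom_json)["components"]:
        ver = parse_version(comp["version"])
        for adv in advisories:
            for aff in adv["affected"]:
                if aff["package"]["name"] != comp["name"]:
                    continue
                listed = any(parse_version(x) == ver for x in aff.get("versions", []))
                ranged = any(in_range(comp["version"], r["events"])
                             for r in aff.get("ranges", []) if r["type"] == "SEMVER")
                if listed or ranged:
                    findings.setdefault(f'{comp["name"]}@{comp["version"]}', []).append(adv["id"])
    return findings

if __name__ == "__main__":
    print(json.dumps(match_sbom(SBOM_JSON, ADVISORIES), indent=2))
```

A production scanner would pull the advisory records from OSV by purl rather than embedding them, but the version comparison and range walk are the same.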