At a glance.
- Users advised to patch Zyxel firewall vulnerabilities.
- Conti calls for Costa Ricans to rebel against their government.
- PayOrGrief is a rebranding of DoppelPaymer.
- Anonymous action in Sri Lanka is likely to harm those it's intended to support.
- Nuisance-level hacktivism in Russia's hybrid war.
- Finland and Sweden look to possibility of Russian cyberattacks as they approach NATO membership.
Vulnerability in Zyxel firewalls exploited (a patch is available).
Zyxel has released patches for its firewall versions affected by the OS command injection vulnerability (CVE-2022-30525) Rapid7 discovered and reported. Yesterday ShadowServer reported that its scans had found the affected devices to be widespread: "We see at least 20 800 of the potentially affected Zyxel firewall models (by unique IP) accessible on the Internet. Most popular are USG20-VPN (10K IPs) and USG20W-VPN (5.7K IPs). Most of the CVE-2022-30525 affected models are in the EU - France (4.5K) and Italy (4.4K)." NSA cybersecurity director Joyce retweeted ShadowServer's findings with a terse comment: "Exploitation underway. Check your Zyxel firewall version and patch."
Conti calls for rebellion in Costa Rica.
Unless, of course, Costa Rica's government pays Conti the ransom the gang demanded in its ransomware attack earlier this month, SC Magazine reports. A revolution in the interest of Conti is of course unlikely in the extreme, but what's Conti got to lose in asking for one?
PayOrGrief is rebranded DoppelPaymer.
Investigation of the ransomware attack against the city government of Thessaloniki, Greece, last July indicates that the attackers, PayOrGrief, were not in fact a new gang, but simply a rebranding of DoppelPaymer, Darktrace researchers report.
Anonymous action in Sri Lanka seems indiscriminate and counterproductive.
Anonymous hasn't confined its activities to #OpRussia (see below for notes on that). It's also declared its support of anti-government protesters in Sri Lanka (#OpSriLanka) by "declaring cyberwar against the government." But, Rest of World reports, the effects of the action may not be entirely welcomed by those it's intended to support. The anarchist collective conducted distributed denial-of-service attacks against websites operated by the Ceylon Electricity Board, the Sri Lanka Police, and the Department of Immigration and Emigration. The hacktivists also doxed Sri Lanka Scholar (a private portal connecting students to universities) and the Sri Lanka Bureau of Foreign Employment (SLBFE). In both cases the names and email addresses of ordinary Sri Lankans were exposed, increasing their risk of falling victim to cybercrime.
The following sections pertain directly to the cyber phases of Russia's hybrid war against Ukraine. CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.
Nuisance-level hacktivism in the hybrid war.
The cyber phases of the hybrid war have recently been marked for the most part by nuisance-level hacktivism. Both sides have developed characteristic attack styles. Anonymous, hacking in the Ukrainian interest under its #OpRussia hashtag, continues to dox its targets and dump the stolen data online at DDoSecrets. Hacker News summarizes the most recent targets, which seem to have been targets of opportunity:
- SOCAR Energoresource, which operates a major refinery (Antipinsky Refinery) and a number of oilfields. Anonymous has dumped 130 GB containing about 116,500 emails.
- Achinsk City Government. Some 7,000 stolen emails amounting to about 8.5 GB.
- The Polar Branch of the Russian Federal Research Institute of Fisheries and Oceanography. Essentially a fisheries regulatory agency, the Branch lost 466 GB of emails.
- Port and Railway Projects Service of JSC UMMC, which operates the two principal coal ports. Anonymous has dumped almost 77,500 emails in a 106 GB archive.
These cyberattacks seem roughly the virtual equivalent of harassment and interdiction, and probably about as consequential as H&I fires are in kinetic combat.
On the Russian side the hacktivist style appears to have become distributed denial-of-service, directed most recently at prestige targets in retaliatory attacks. Last week the pro-Russian hacktivist group styling itself "Legion" (a Killnet affiliate) called for cyber attacks against the Eurovision song contest, which had excluded Russian artists from the competition as a gesture of disapproval of Russia's war. Reuters reports that Italian police successfully disrupted the attack, which was itself intended to interfere with voting. (Ukraine's Kalush Orchestra won the contest, in case you missed it, with their performance of "Stefania.")
Sweden and Finland move closer to NATO membership; concern over possible Russian cyberattacks rises.
Russian comment on Finland's and Sweden's approach to NATO membership has been in part grandiose and violent ("annihilation," forward deployment of tactical nuclear weapons to deter NATO aggression, etc.) but all of it has been strongly unfavorable. Neither the alliance nor the two prospective new members seem likely to be dissuaded, but the two Nordic countries (and NATO) are preparing for the possibility of Russian cyberattacks with realistic caution, the Hill reports.