By the CyberWire staff
Russia's flagging invasion thought likely to induce widespread cyberattacks.
Russian ground forces are digging in where they've halted along most of their axes of advance, especially in the approaches to Kyiv, which suggests that the invasion continues to stall. On Saturday Ukrainian President Zelensky called upon Russia to engage in "meaningful" peace talks, but such talks have yet to develop. Ukrainian forces have begun to push Russian forces out of the Kyiv suburbs they'd occupied. Russian forces in Ukraine continue their practice of using long-range weapons against civilian targets in an attempt to compensate for close-combat failure. Estimates of Russian casualties continue to rise. NATO estimates Russian combat deaths at between 7,000 and 15,000, up from US estimates offered earlier this week.
President Biden on Monday issued a general warning to US organizations that intelligence suggests a coming Russian cyber campaign: "This is a critical moment to accelerate our work to improve domestic cybersecurity and bolster our national resilience. I have previously warned about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners. It’s part of Russia’s playbook. Today, my Administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks." An accompanying fact sheet stresses the importance of familiar best practices and offers an aspirational set of longer-range policy prescriptions.
A brief statement from the US Cybersecurity and Infrastructure Security Agency indicated that CISA would "rapidly share information and mitigation guidance" to help organizations, large and small, protect their systems. The Department of Homeland Security added, "Organizations can visit CISA.gov/Shields-Up for best practices on how to protect their networks, and they should report anomalous cyber activity and/or cyber incidents to report@cisa.gov or (888) 282-0870, or to an FBI field office."
Russia says it won't stoop to cyberattacks. NBC News quotes Kremlin spokesperson Dmitry Peskov: "The Russian Federation, unlike many Western countries, including the United States, does not engage in state-level banditry." Most others are not so sure, especially since Russia has already used cyberattacks locally against Ukrainian targets.
March 31 Webinar | 2021 ICS/OT Cyber Lessons Learned from the Frontlines
Go beyond headlines and join Dragos incident responders and threat hunters as they share findings from their real-world experiences defending industrial operations. You'll hear insights on how limited or no visibility, poor security perimeters, and external connections are factoring into customer engagements in ICS/OT verticals. Join us for better ICS/OT cyber defense in 2022. Register now →
Russia also undergoes cyberattacks.
Anonymous continues its nuisance-level hacktivism, most recently by hijacking printers to publish anti-war messages to Russian audiences. About 160 printers were compromised to send more than 40,000 messages into Russia, according to HackRead.
The IT Army of Ukraine, which is more militia than hacktivist collective, has been operating with more official direction. CNBC puts the total number of members of the IT Army as somewhat more than 311,000. “We want them to go to the Stone Age and we are pretty good at this,” one IT Army member said of the Russian enemy.
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.
Dissent and censorship in Russia's war against Ukraine.
Russian President Putin has vowed to purge Russia of "scum and traitors" insufficiently committed to the special military operation in Ukraine. The Kremlin has sought to crack down on both public protest and online dissent (both now "fully criminalized," the Atlantic Council reports), but public protests, by Russian standards, have been surprisingly prominent. This suggests that news other than the official Kremlin line that the war is an ultimately defensive one waged against genocidal Nazis is getting through. Some of the channels in which it's circulating are surprising. Groups within the widely used Russian social media platform VKontakte ("VK," "In Touch") are serving as conduits for dissent and unofficial news. The groups involved are, according to Newsweek, "longstanding groups focused on common interests such as art, sports, music and celebrities." VKontakte is by no means a nest of dissenters: the executives who run it are close to the government and have themselves come under US sanction. The sharing of unofficial news on the war in Ukraine seems to be a function of the sheer difficulty of effective content moderation on a platform with more than ninety million users.
The social media platform Telegram has surged in Russia, where it's continued to operate without the interruption and blockage experienced by Instagram, Twitter, and the like. Telegram originated in Russia, which may be why it's been permitted to operate. The Wall Street Journal quotes Ivan Kolpakov, editor in chief and co-founder of the now-blocked Russian independent media outlet Meduza (which is itself surviving in its Telegram feed): “Telegram isn’t perceived as a total enemy resource. It’s not perceived as a tool of information war against Russia. In Russia, a huge culture of uncensored journalism and so-called journalism appears on Telegram.” Telegram itself told the Journal it didn't know why it hadn't been blocked, and it didn't know if it would be blocked in the future, but “We believe in freedom of speech and are proud we can serve people in different countries in difficult times.”
Russia's countervailing disinformation campaigns have not gained much traction internationally. They've been marked by opportunistic implausibility, much of it focused on misrepresentation of post-Cold War biological weapons disarmament programs. The New York Times has an account of Moscow's recent efforts, and Forbes runs a profile of the oligarch, Yuri Kovalchuk, who appears to be the de facto leader of Russia's disinformation campaigns.
Domestically, Russian propaganda has been aggressive in seeking to rally people under the sign of the Cyrillic letter Z, used as a distinguishing mark on Russian armor entering Ukraine during the special military operation. Much of that rallying has a strongly xenophobic tone. CNN quotes some representative rhetoric from President Putin: "The West will try to rely on the so-called fifth column, on national traitors, on those who earn money here with us but live there. And I mean 'live there' not even in the geographical sense of the word, but according to their thoughts, their slavish consciousness."
Arctic Wolf: Customized Content For Your Security Journey
Engage with our interactive content that customizes to the unique needs of your organization on its journey to end cyber risk.
"Protestware" as a risky turn in hacktivism.
Last week a hacktivist (npm maintainer RIAEvangelist) wrote source code for an npm package he called PeaceNotWar, and distributed it within the open-source ecosystem by making it a dependency of a popular and widely used npm module, thus affecting the software supply chain. PeaceNotWar was designed for use against systems in Belarus and Russia, but, even if that form of supply chain attack were to be deemed legitimate, it seems indiscriminate and difficult to contain.
Since then Russian organizations have grown understandably warier of the possibility of software supply chain corruption. MIT Technology Review reports, "In response to the threat, Sberbank, a Russian state-owned bank and the biggest in the country, advised Russians to temporarily not update any software due to the increased risk and to manually check the source code of software that is necessary—a level of vigilance that is unrealistic for most users."
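The protestware case turns on a transitive dependency: a package nobody asked for arrives because a popular module lists it. As an added example (not from the article, npm, or the packages involved), the script below walks an npm package-lock.json in lockfile v2/v3 format and reports the chain of dependencies through which a named package, here "peacenotwar", was pulled in. The lockfile content is constructed for illustration, and "widely-used-lib" is a made-up package name.

```python
"""Find the dependency chain that pulls a named package into an npm project.

Constructed example: a lockfile v2/v3 "packages" map keyed by install path,
e.g. "node_modules/a/node_modules/b", as npm writes it. Real lockfiles have
more fields; only "dependencies" and "version" are used here.
"""
import json

# Constructed sample lockfile: the root depends on a popular library that in
# turn depends on "peacenotwar"; nothing in the root manifest names it.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"widely-used-lib": "^10.1.0", "left-pad": "^1.3.0"}},
        "node_modules/widely-used-lib": {
            "version": "10.1.1",
            "dependencies": {"peacenotwar": "^9.1.0", "js-queue": "^2.0.2"},
        },
        "node_modules/peacenotwar": {"version": "9.1.6"},
        "node_modules/js-queue": {"version": "2.0.2"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})


def resolve(packages, parent_key, dep_name):
    """Mimic Node's lookup: nearest node_modules/<dep> at or above the parent."""
    key = parent_key
    while True:
        candidate = f"{key}/node_modules/{dep_name}" if key else f"node_modules/{dep_name}"
        if candidate in packages:
            return candidate
        if not key:
            return None
        # Climb one level by stripping the trailing "/node_modules/<name>".
        key = key.rsplit("/node_modules/", 1)[0] if "/node_modules/" in key else ""


def find_paths(lock_text, target):
    """Return every chain ["(root)", "a@1.0.0", ..., "target@x.y.z"] leading to target."""
    packages = json.loads(lock_text)["packages"]
    found = []

    def walk(key, chain, seen):
        for dep in packages[key].get("dependencies", {}):
            dep_key = resolve(packages, key, dep)
            if dep_key is None or dep_key in seen:   # unresolved or cyclic
                continue
            label = f"{dep}@{packages[dep_key].get('version', '?')}"
            if dep == target:
                found.append(chain + [label])
                continue
            walk(dep_key, chain + [label], seen | {dep_key})

    walk("", ["(root)"], {""})
    return found


if __name__ == "__main__":
    for chain in find_paths(SAMPLE_LOCKFILE, "peacenotwar"):
        print(" -> ".join(chain))
```

Pointing the same walk at a real lockfile shows which direct dependency is responsible, which is the information needed to pin or replace it rather than following the blanket "don't update anything" advice.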
Anonymous seeks to pressure Nestlé.
Anonymous says it compromised Nestlé's corporate network and extracted 10 GB of sensitive data which it subsequently dumped on the Internet in protest against the company's failure to have completely suspended operations in Russia. But this seems to be mistaken exaggeration at best. Data were indeed exposed, but Nestlé says, according to the Register, that their networks weren't in fact compromised. The data, the company says, originated with "a case from February this year, when some randomized and predominantly publicly available test data of a B2B nature was unintentionally made accessible online for a short period of time on a single business test website." Nestlé investigated and found the exposure to be trivial. In a separate move, lest any hacktivist decide to take a real whack at them, Nestlé expressed its solidarity with Ukraine and said it was limiting sales in Russia to baby food and hospital nutrition products. (Specifically, Mr. Lavrov will henceforth lack access to Kit Kats and Nesquik.) Nestlé's distinction among its products is difficult to fault on humanitarian grounds.
Lapsus$ continues to best the tech sector, but its run may be nearing an end.
Reports circulating in Reddit and elsewhere suggest that the Lapsus$ group has posted, then deleted, material that suggests an attempt against Microsoft. Cyber Kendra reports (and points out that the story is early and so far unconfirmed) that Lapsus$ may have compromised an Azure DevOps account. Microsoft told BleepingComputer that they were investigating the gang's claims of successfully penetrating the company. The Register last week offered a brief history of the relatively young gang, which is thought to be based in Brazil, and which has made a specialty of hitting targets in the tech sector. Lapsus$ is thought to be a new group, not merely a rebranding of an existing criminal gang. Their approach is unusual in that they don't deploy ransomware, but rather steal source code and threaten to release it.
Both Microsoft and Okta have confirmed that they were hit by the Lapsus$ gang. In Microsoft's case, Redmond said, "Our investigation has found a single account had been compromised, granting limited access." Some company code was exfiltrated, but no customer data or code were affected.
Okta's case is more complicated. The company, which will hold a webinar later today to disclose details of the incident, said, "The Okta service is fully operational, and there are no corrective actions our customers need to take. After a thorough analysis of these claims, we have concluded that a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon. We have identified those customers and are contacting them directly." Lapsus$ continues to claim, as the Record and other sources report, that the effect on Okta was much more serious than the company's public statements suggest. According to Forbes, some of Okta's customers feel the company has been slow to inform them of potential problems. One customer, Cloudflare, which uses Okta's identity management solution for internal employee accounts, offers advice to other customers about how to respond to the possibility of compromise.
Bloomberg reports that the leading intellects behind the Lapsus$ Gang may be a couple of teenagers, one in the UK, the other in Brazil. The BBC reported on Thursday that police in the UK arrested seven teenagers in relation to Lapsus$. The City of London Police stated, "Seven people between the ages of 16 and 21 have been arrested in connection with an investigation into a hacking group. They have all been released under investigation. Our inquiries remain ongoing."
PlexTrac — Making security teams more efficient, effective, and proactive.
The cyber war is never ending, and the adversaries are relentless. PlexTrac is the proactive security management platform helping teams win the right cybersecurity battles. PlexTrac clients report an average “20 percent time savings” and a “30 percent increase in efficiency.” Find out how PlexTrac is helping teams “move quicker and be more proactive” by gaining insight into their security posture and assuring they are always prepared for the next threat.
TransUnion discloses cyber incident.
TransUnion disclosed a data exposure late last week when a gang (identifying itself as "N4ughtysecTU") succeeded in accessing one of the credit bureau's South African servers. The gang, which like Lapsus$ is thought to be based in Brazil, demanded $15 million in ransom. SecurityWeek reports that TransUnion has said it won't be paying. Tech Central says the South African Banking Risk Information Centre (Sabric) is working with the country's banks to protect consumers who might be affected by the breach.
Other criminal cyber activity.
eSentire reports finding a new Conti affiliate engaged in two operations. "The speed and efficacy of both the intrusion actions and the infrastructure management indicate automated, at-scale deployment of customized Cobalt Strike configurations and its associated initial access vectors. Customization choices include legitimate certificates, non-standard CS ports, and malleable Command and Control (C2)."
Pradeo warns of an Android malware strain that's infested Google Play. The researchers call it "Facestealer" (its main goal seems to be theft of Facebook credentials) and say it's affected about a hundred thousand users. Google is purging Facestealer from the Play store. The principal vector has been an application, Craftsart Cartoon Photo Tools, that makes connections to a Russian server.
Deep Instinct describes a new member of the Micropsia malware family. They call it "Arid Gopher," note that it's written in Go, and say that it's operated by APT-C-23 (Arid Viper), a threat group interested mainly in Middle Eastern targets, "with specific interest against Palestinian targets."
Browser-in-the-browser (BitB) attacks are being observed in the wild, BleepingComputer reports. BitB attacks use "premade templates to create fake but realistic, Chrome popup windows that include custom address URLs and titles that can be used in phishing attacks," creating "fake browser windows within real browser windows...to create convincing phishing attacks."
Patch news.
The US Cybersecurity and Infrastructure Security Agency (CISA) issued four industrial control system security advisories this week, two on Tuesday for Delta Electronics DIAEnergie and Delta Electronics DIAEnergie (Update B), and two more on Thursday, for mySCADA myPRO and Yokogawa CENTUM and Exaopc.
VMware has fixed vulnerabilities (assessed as "critical") in its Carbon Black App Control. The company said of the first vulnerability (CVE-2022-22951), "An authenticated, high privileged malicious actor with network access to the VMware App Control administration interface may be able to execute commands on the server due to improper input validation leading to remote code execution." The second vulnerability (CVE-2022-22952) may allow a "malicious actor with administrative access to the VMware App Control administration interface...to execute code on the Windows instance where AppC Server is installed by uploading a specially crafted file."
Crime and punishment.
The US Justice Department on Thursday unsealed indictments against four Russian nationals for allegedly carrying out hacking campaigns against the energy industry between 2012 and 2018 on behalf of the Russian government. The Justice Department says the individuals conducted operations that "targeted thousands of computers, at hundreds of companies and organizations, in approximately 135 countries." The indictment accuses one individual, Evgeny Viktorovich Gladkikh, of working on the Triton malware, which was designed to disrupt safety systems at a Saudi oil plant. WIRED notes that the indictment also suggests "that Gladkikh and his collaborators appear to have tried to inflict a similar disruption on a specific but unnamed US oil refining firm, but failed."
The US FBI has added accused Russian carder kingpin Igor Dekhtyarchuk to its Most Wanted List. He's charged with "Wire Fraud; Aiding and Abetting; Access Device Fraud – Trafficking in Unauthorized Access Devices; Access Device Fraud – Possession of Fifteen or More Counterfeit or Unauthorized Access Devices; Access Device Fraud – Unauthorized Solicitation; [and] Aggravated Identity Theft."
Courts and torts.
The Australian Competition & Consumer Commission (ACCC) late last week filed a lawsuit against Facebook's parent company Meta over the company's alleged failure to prevent scammers from running ads on its platform, Reuters reports. ACCC Chair Rod Sims stated, "The essence of our case is that Meta is responsible for these ads that it publishes on its platform. It is alleged that Meta was aware...scam ads were being displayed on Facebook but did not take sufficient steps to address the issue." A Meta spokesperson said in response to the suit, "We will review the recent filing by the ACCC and intend to defend the proceedings."
Policies, procurements, and agency equities.
The Chinese government has required Microsoft's Bing search engine to suspend its auto-suggest function in China for a week, though the reason for the suspension remains unclear, Reuters reports. The company stated, "Bing is a global search platform and remains committed to respecting the rule of law and users' right to access information."