By the CyberWire staff
The Russian threat in a hybrid war.
As international sanctions tighten against Moscow, and in particular as its banking sector is incrementally blocked from access to the SWIFT system, VentureBeat reports that organizations around the world are bracing for Russian retaliation in cyberspace. President Putin's calculus may have led him to believe that restraint will gain him little. "Putin/Russia getting completely isolated economically & diplomatically. The West is completely united. Even China is getting scared of secondary sanctions," Silverado Policy Accelerator chairman and CrowdStrike co-founder Dmitri Alperovitch tweeted. "The danger: Putin has very little to lose now. He is cornered. May go all out on economic and cyber retaliation."
SecurityWeek has an update on ESET's research into Russian cyberattacks against Ukrainian targets. The company says it's detected a worm, HermeticWizard, that's spreading HermeticWiper, which, as its name suggests, is data-erasing malware. ESET has also found HermeticRansom in the wild, which adds a capability for extortion to the campaign. CrowdStrike has also detected the Go-based ransomware, which it's calling "Party Ticket," but which it confirms is the same malware as HermeticRansom. Kaspersky assesses the ransomware as misdirection for the wiper campaign, which would be consistent with Russian practice at the outset of the war against Ukraine.
RiskIQ confirms that it's seeing Ghostwriter activity against Ukrainian troops. Ghostwriter has been associated with the Belarusian government, and with the group being tracked, by Recorded Future and others, as UNC1151. Recorded Future thinks it likely that Russian elements, particularly the GRU, have used Belarusian infrastructure and cooperated with Belarusian intelligence services to run operations against Ukraine.
And Proofpoint has published a report on a phishing campaign it's calling "AsylumAmbuscade," and which it links to UNC1151, which Proofpoint associates with the Belarusian threat actor it tracks as TA445. That group is most familiar in its Ghostwriter guise, in which throughout 2021 it mounted influence campaigns against European targets, especially in Latvia, Lithuania, and Poland. AsylumAmbuscade represents an intelligence collection effort. It seems particularly interested in the movement of refugees around and out of Ukraine, and it is, the Record reports, paying particular attention to targeting European officials involved in refugee relief. (There may now be around a million Ukrainian refugees, according to the AP.)
Conti, the familiar ransomware gang, says it will strike those who oppose Russia. According to Reuters, Conti blogged, "If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy." Thus any serious suppression of cyber criminal gangs by Russian security authorities has proven to be, as was foreseeable, largely illusory, at best temporary and tactical.
The BBC reports that other hackers have rallied to the Russian colors and volunteered to hit Ukrainian online assets.
The US Federal Communications Commission (FCC) is investigating potential Russian threats to BGP routing, Next TV reports.
Cyber operations against Russia.
Hacker News reports that Russia's National Computer Incident Response and Coordination Center has warned its domestic clientele that cyberattacks against Russian critical infrastructure are to be expected. The hacktivist group Anonymous seems to be siding with Ukraine (although as always it's difficult to know who speaks for an anarcho-syndicalist collective), according to ZDNet. As always, statements by hacktivists should be received with cautious skepticism. Anonymous, however, has claimed responsibility for an attack against Russian media outlet RT, and RT was indeed knocked offline by a cyberattack, the Daily Beast reports.
Ukraine's government hasn't been reluctant to call for hacktivist volunteers as it's called for volunteer fighters. BleepingComputer reports that Kyiv is calling for "an IT army" to take on Russian targets, and that it's also released a target list: "Russian government agencies, government IP addresses, government storage devices and mail servers, three banks, large corporations supporting critical infrastructure, and even the popular Russian search engine and email portal, Yandex."
Of arguably more significance have been signs that Ukraine has been able to obtain, and publish, material from online Russian sources. Ukrainska Pravda reports that "The Centre for Defence Strategies has acquired the names of 120,000 Russian servicemen who are fighting in Ukraine." These have been posted online. That's unlikely to have any tactical effect, but it can't be good for either morale or for Russian confidence in the security of its networks. There are also reports that some FSB files have been taken.
More sanctions against Russia.
Foreign Policy reviews the current state of sanctions against Russia. They're along the lines of those the US has levied against Iran, but less comprehensive. On the other hand, there's a great deal more international unanimity on the measures imposed against Russia. Even traditionally and proverbially neutral Switzerland has sanctioned Moscow over its invasion of Ukraine. The International Institute of Finance (IIF) predicts Russian default on its international debt unless the crisis in Ukraine is resolved soon. Should Russia default, as seems likely, the IIF sees a double-digit contraction in the country's economy as a likely result.
Russian countermeasures include a rule that foreign owners of Russian equities may not sell those equities to Russian citizens. For what it's worth, Russia also says sanctions won't deflect it from its course in Ukraine.
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.
NVIDIA hacked.
California-based chipmaker NVIDIA was hit last week by a cyberattack that, the Telegraph reported, disrupted operations. The paper quoted a company insider as saying that internal systems were "completely compromised," and the Telegraph reported a priori speculation that the attack was related to the ongoing hybrid war in Ukraine. Bloomberg subsequently reported that the attack was unrelated to Russia's war against Ukraine, and that the disruption to the company's systems was less serious than it at first appeared. “Our business and commercial activities continue uninterrupted,” Nvidia told Bloomberg. “We are still working to evaluate the nature and scope of the event and don’t have any additional information to share at this time.” WCCF Tech subsequently said that the incident was a ransomware attack by the South American group Lapsu$.
The cyber incident at NVIDIA, which the chipmaker said this week did not seem to be a ransomware attack, does appear, the Hacker News reports, to involve a different kind of extortion. DarkTracer says the Lapsu$ gang has employee credentials and other data. Lapsu$ also issued what Ars Technica calls "one of the most unusual demands ever:" "We request that NVIDIA commits to completely open-source (and distribute under a FOSS license) their GPU drivers for Windows, macOS, and Linux, from now on and forever." Lapsu$ claims an altruistic motive: "We decided to help mining and gaming community, We want nvidia to push an update for all 30 series firmware that remove every lhr limitations otherwise we will leak hw folder. If they remove the lhr we will forget about hw folder (it's a big folder). We both know lhr impact mining and gaming." What they really appear interested in doing is making it easier to mine alt-coin; LHR blocks many forms of mining.
Toyota domestic production recovers from a supply chain disruption.
According to Reuters, Toyota has also been affected by a cyberattack on a supplier that's caused Toyota to suspend Japanese production. The nature of the attack on the supplier, Kojima Industries, is unknown. Toyota characterized the incident as a "supplier system failure." Authorities are investigating, and haven't ruled out a Russian connection.
Toyota's suspension of production in Japan, which a cyberattack on a third-party supplier induced, is now over. The disruption to the manufacturing lines lasted one day, Edge Markets reports. According to CNN, fourteen factories were affected.
TechCrunch reports that the cyber incident chip manufacturer Nvidia sustained was a ransomware attack, and that the company has confirmed that the attackers have begun to leak stolen information online. Some of the stolen data include employee credentials.
Trickbot's masters haven't retired.
Trickbot may have retired its infrastructure (see Threatpost's story), but the gang apparently remains at work, deploying Conti ransomware through its AnchorDNS backdoor, IBM reports. IBM stated, "The upgraded backdoor, identified by IBM Security X-Force researchers as AnchorMail or Delegatz, now uses an email-based C2 server which it communicates with using SMTP and IMAP protocols over TLS. With the exception of the overhauled C2 communication mechanism, AnchorMail’s behavior aligns very closely to that of its AnchorDNS predecessor. The discovery of this new Anchor variant adds a new stealthy backdoor for use during ransomware attacks and highlights the group’s commitment to upgrading its malware."
BabyShark swims out of Pyongyang.
Huntress updates its research into an APT it associates with North Korea, and which is generally being called "BabyShark." The threat actor's operational practices are consistent with those Palo Alto Networks observed last month in attacks against think tanks, and Huntress says the attack it observed "was significantly customized and tailored to the specific victim environment, indicating a targeted attack." The initial infection vector was phishing. Huntress counsels that preventive measures alone are insufficient for protection, and that organizations should make full use of logging, monitoring, and hunting.
Huntress concludes, "The adversary here is likely a well-funded nation-state-supported threat actor, whose operations are known for their phishing prowess and building trust or a connection before dangling the lure. The remote access trojan and data exfiltration capabilities have been present and active in the target environment for nearly a year."
Vulnerabilities reported in PJSIP.
Researchers at JFrog have reported finding five security vulnerabilities in PJSIP, "a widely used open-source multimedia communication library developed by Teluu." The researchers added, "JFrog Security responsibly disclosed these vulnerabilities and worked with PJSIP’s maintainers on verifying the fix to these reported security vulnerabilities." They recommend upgrading PJSIP to version 2.12.
Aon reports cyber incident.
A Form 8-K insurance giant Aon filed with the US Securities and Exchange Commission (SEC) disclosed that the company was investigating a cyber incident it detected on February 25th, Computing reports. Aon says that its operations were unaffected: "The incident has not had a significant impact on our operations. We remain focused on our clients, and our ability to serve them has not been impacted by this event."
Daxin: a stealthy backdoor used against hardened networks.
Symantec describes a sophisticated hacking tool it's calling "Daxin" and attributes to China. The most recent known attacks involving Daxin occurred in November 2021. Daxin, in summary, is a stealthy backdoor designed for use against hardened networks. Symantec stated, "There is strong evidence to suggest the malware, Backdoor.Daxin, which allows the attacker to perform various communications and data-gathering operations on the infected computer, has been used as recently as November 2021 by attackers linked to China. Most of the targets appear to be organizations and governments of strategic interest to China. In addition, other tools associated with Chinese espionage actors were found on some of the same computers where Daxin was deployed. Daxin is without doubt the most advanced piece of malware Symantec researchers have seen used by a China-linked actor. Considering its capabilities and the nature of its deployed attacks, Daxin appears to be optimized for use against hardened targets, allowing the attackers to burrow deep into a target’s network and exfiltrate data without raising suspicions."
The warning has also been distributed through the Joint Cyber Defense Collaborative (JCDC), an information-sharing organization whose members include CISA, the FBI, NSA, and twenty-one US technology companies in addition to Symantec.
Registration-bombing attacks.
BlackCloak describes registration-bombing attacks that are serving as misdirection for financial fraud. Victims receive a very large number, often measuring in the hundreds, of emails confirming their registrations to sites they may never have even visited, still less signed up for. The intent is to push emails that might alert the victims to financial fraud (usually purchases with stolen credit cards) to the bottom of the in-box, where the criminals hope they'll be overlooked in the clutter.
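The misdirection BlackCloak describes can be countered on the receiving side: a burst of sign-up confirmations is itself a signal, and the financial alerts buried among them are what need surfacing. The following is an added illustration, not BlackCloak's code; the inbox, sender names and thresholds are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed inbox sample, not real mail: (received, sender, subject).
# Thirty sign-up confirmations in one hour, with a card-fraud alert buried in the middle.
BASE = datetime(2022, 3, 1, 9, 0)
INBOX = [(BASE + timedelta(minutes=2 * i), f"noreply@site{i}.example",
          "Please confirm your registration") for i in range(30)]
INBOX.insert(12, (BASE + timedelta(minutes=25), "alerts@bank.example",
                  "Unusual purchase on your card ending 1234"))

# Subject heuristics (assumed patterns; a real deployment would tune these per mailbox).
REGISTRATION = re.compile(
    r"\b(confirm|verify|activate|welcome)\b.*\b(registration|account|sign.?up|email)\b", re.I)
FINANCIAL = re.compile(r"\b(purchase|payment|charge|transaction|card)\b", re.I)


def registration_burst(inbox, window=timedelta(hours=1), threshold=20):
    """True if at least `threshold` registration mails arrive within any `window`."""
    times = sorted(t for t, _, subj in inbox if REGISTRATION.search(subj))
    start = 0
    for end, t in enumerate(times):
        # Slide the window start forward until it spans at most `window`.
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def triage(inbox):
    """When a registration bomb is under way, return the financial alerts hidden in it."""
    if not registration_burst(inbox):
        return []
    return [(t, sender, subj) for t, sender, subj in inbox
            if FINANCIAL.search(subj) and not REGISTRATION.search(subj)]
```

The burst detector can drive a separate inbox view or a notification, so that the fraud alert is read rather than scrolled past.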
Medical infusion pump vulnerabilities.
Palo Alto Networks' Unit 42 has published a report on vulnerabilities affecting medical infusion pumps, analyzing more than 200,000 pumps from seven different vendors. The researchers identified "over 40 different vulnerabilities and over 70 different security alerts among the devices, with one or more affecting 75% of the infusion pump devices we analyzed." More than half (52%) of the vulnerable pumps were affected by CVE-2019-12255, a buffer overflow vulnerability with a severity score of 9.8.
TeaBot banking Trojan found in the Play Store.
Researchers at Cleafy warn that the TeaBot Android banking Trojan has been distributed via the Google Play Store. The researchers stated, "On February 21, 2022, the Cleafy Threat Intelligence and Incident Response (TIR) team was able to discover an application published on the official Google Play Store, which was acting as a dropper application delivering TeaBot with a fake update procedure. The dropper lies behind a common QR Code & Barcode Scanner and, at the time of writing, it has been downloaded +10.000 times. All the reviews display the app as legitimate and well-functioning." Once downloaded, the malware will request Accessibility Services permissions in order to view and control the screen and perform actions on the phone.
TCP middlebox reflection.
Akamai researchers have recently observed DDoS attacks using a new technique called "TCP Middlebox Reflection" to amplify the amount of traffic they can send. The researchers state that "[t]his type of attack dangerously lowers the bar for DDoS attacks, as the attacker needs as little as 1/75th (in some cases) the amount of bandwidth from a volumetric standpoint." This technique was first discovered by researchers at the University of Maryland and the University of Colorado Boulder. Akamai explains:
"Attackers can craft various TCP packet sequences that contain HTTP request headers; in these HTTP headers, a domain name for a blocked site is used as the host header. When these packets are received by the middlebox that is configured to not allow access to the site, the middlebox responds, typically with HTTP headers and in some cases entire HTML pages. These responses provide attackers with a reflection opportunity, and in some cases a significant amplification factor.
"To abuse these boxes for distributed reflective denial of service (DRDoS) attacks, an attacker spoofs source IPs of the intended victim, resulting in response traffic directed at the victim from the middleboxes. Middlebox systems that have been configured in this way can be found on networks all around the internet as they’re commonly used by nation-states to enforce censorship laws or by corporate enterprise content filtering policies."
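From the victim's side, the traffic Akamai describes shows up as HTTP responses arriving from many middleboxes for connections the victim never opened. The following is an added example, not Akamai's or the universities' code: it tracks outbound SYNs from a protected prefix and flags unsolicited response payloads by source count and volume. The segment records and addresses are constructed.

```python
from collections import defaultdict

# Constructed TCP segment summaries as a flow sensor might emit them, not real traffic:
# (src, sport, dst, dport, flags, payload_bytes). 10.0.0.0/24 is the protected network.
SAMPLE_SEGMENTS = [
    # Legitimate browsing from 10.0.0.5: SYN out, then SYN/ACK and data back.
    ("10.0.0.5", 40001, "93.184.216.34", 80, "S", 0),
    ("93.184.216.34", 80, "10.0.0.5", 40001, "SA", 0),
    ("93.184.216.34", 80, "10.0.0.5", 40001, "PA", 1200),
    # Unsolicited HTTP responses reaching 10.0.0.9 from several sources.
    ("198.51.100.10", 80, "10.0.0.9", 443, "PA", 1400),
    ("198.51.100.11", 80, "10.0.0.9", 443, "PA", 1400),
    ("198.51.100.12", 80, "10.0.0.9", 443, "PA", 9000),
    ("203.0.113.7", 80, "10.0.0.9", 443, "PA", 1400),
    ("203.0.113.8", 80, "10.0.0.9", 443, "PA", 1400),
]


def find_unsolicited(segments, protected_prefix="10.0.0."):
    """Return inbound segments to protected hosts that no outbound SYN explains."""
    initiated = set()
    unsolicited = []
    for src, sport, dst, dport, flags, plen in segments:
        if src.startswith(protected_prefix) and "S" in flags and "A" not in flags:
            initiated.add((src, sport, dst, dport))          # our host opened this
        elif dst.startswith(protected_prefix) and (dst, dport, src, sport) not in initiated:
            unsolicited.append((src, sport, dst, dport, flags, plen))
    return unsolicited


def reflection_report(segments, min_sources=3, min_bytes=4000):
    """Per victim: distinct reflector count and bytes of unsolicited web-server payload."""
    per_victim = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for src, sport, dst, dport, flags, plen in find_unsolicited(segments):
        if sport in (80, 443) and plen > 0:   # payload from a web port we never asked
            per_victim[dst]["sources"].add(src)
            per_victim[dst]["bytes"] += plen
    return {v: {"sources": len(s["sources"]), "bytes": s["bytes"]}
            for v, s in per_victim.items()
            if len(s["sources"]) >= min_sources and s["bytes"] >= min_bytes}
```

Thresholds are illustrative; in practice they would be set from the network's baseline of unsolicited traffic, and the flagged sources are middleboxes, not the spoofing party.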
Patch news.
CISA on Thursday issued three industrial control system advisories. Two of them affect medical systems, BD Pyxis and BD Viper LT. The third advisory involves a telecontrol communication device, IPCOMM ipDIO.
Crime and punishment.
CNBC reports that Heather "Razzlekhan" Morgan, sometime rapper, self-proclaimed "crocodile of Wall Street," and accused alt-coin launderer, may be working out a plea deal with prosecutors.
Courts and torts.
Israeli spyware vendor NSO Group is suing Israeli business newspaper Calcalist for slander over statements in its coverage of NSO's products and business practices, Globes reports.