Cyberattacks hit Ukrainian government sites.
Reuters reports that a “massive” cyberattack hit Ukrainian government websites yesterday. Websites operated by the Ukrainian Cabinet and at least seven ministries were affected. Some of the defacements told their Ukrainian audience to “be afraid and expect the worst.” The message was posted in Ukrainian, Russian, and Polish. The attacks seem to be simple defacements, an influence operation, and not the data-destruction and doxing the message claims. Note the implicit attempt to suggest that Poland and Ukraine have a historical dispute over Ukraine’s western territories. The Moscow Times reports that Ukraine’s SBU said that services had been restored to normal within hours of the attacks.
While it was initially impossible to rule out hacktivism or provocation by some third party, these seem unlikely. The Ukrainian Foreign Ministry points to the obvious suspect: Russian intelligence services: “It’s too early to draw conclusions, but there is a long record of Russian (cyber) assaults against Ukraine in the past,” a spokesman told Reuters. Russian officials haven’t commented so far on yesterday’s case, but they’ve denied involvement in other past incidents that have been widely attributed to Moscow’s organs. Those include, in the AP’s tally this morning, 2014 attacks on electoral systems, attacks on regional power grids in 2015 and 2016, and the NotPetya attack of 2017.
The EU holds cyber exercises.
Bloomberg reports that the EU’s member states are holding a series of cyber “stress tests” this week designed to check Europe’s resilience to attacks on supply chains, and to give them the ability to redress any shortfalls they discover.
“The exercise will be structured around a gradual escalation toward a major crisis that culminates in an attack that could qualify as an armed aggression under the United Nations Charter, according to one of the documents. In order to be as realistic as possible and better prepare the bloc for a real-world attack, it will be modeled on incidents that have taken place or could occur in the near future,” Bloomberg writes. The exercises were proposed by France.
US warns of “Russian state-sponsored cyber threats to US critical infrastructure.”
Tuesday afternoon the US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint warning with the FBI and NSA, “Alert (AA22-011A) Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure.” CISA Director Jen Easterly tweeted this brief commendation of the joint advisory her agency issued yesterday in conjunction with the FBI and NSA: “Russian state-sponsored malicious cyber activity is a continuing threat to our critical infrastructure—why we’re working closely w/public & private sector partners to reinforce the importance of vigilance against these threats; read our latest advisory.”
The Alert doesn’t call out the threat of Russian military operations against Ukraine as the proximate cause of the warning, but its timing seems hardly coincidental. “This CSA provides an overview of Russian state-sponsored cyber operations; commonly observed tactics, techniques, and procedures (TTPs); detection actions; incident response guidance; and mitigations,” the Summary says. “This overview is intended to help the cybersecurity community reduce the risk presented by these threats.”
Iranian cyberespionage activity: attribution and TTPs.
US Cyber Command has formally attributed the MuddyWater threat actor to Iran’s Ministry of Intelligence and Security:
“These actors, known as MuddyWater in industry, are part of groups conducting Iranian intelligence activities, and have been seen using a variety of techniques to maintain access to victim networks.
“MuddyWater is an Iranian threat group; previously, industry has reported that MuddyWater has primarily targeted Middle Eastern nations, and has also targeted European and North American nations.
“MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS). According to the Congressional Research Service, the MOIS ‘conducts domestic surveillance to identify regime opponents. It also surveils anti-regime activists abroad through its network of agents placed in Iran’s embassies.’”
US Cyber Command’s attribution of MuddyWater to Iran’s Ministry of Intelligence and Security is the second formal attribution of malicious activity in cyberspace the US has made this week, coming as it does shortly after the joint CISA/FBI/NSA warning of Russian activity against critical infrastructure. In the case of MuddyWater, US Cyber Command shared details of the tools MuddyWater is known to be using, and advises network operators that finding such tools in their systems “may indicate the presence of Iranian malicious cyber actors.”
Other Iranian threat actors also make use of open-source tools. Check Point describes how APT35 (also known as Charming Kitten) has been using Log4j vulnerabilities to distribute a new modular PowerShell toolkit. The tools both encrypt and exfiltrate data APT35 takes from its targets.
Pegasus found in Salvadoran phones.
The University of Toronto’s Citizen Lab reports that it’s found NSO Group’s Pegasus intercept tools in phones belonging to some thirty-five journalists, non-governmental organizations (NGOs), and “members of civil society” in El Salvador. Publications affected include El Faro, GatoEncerrado, La Prensa Gráfica, Revista Digital Disruptiva, Diario El Mundo, and El Diario de Hoy. Two independent journalists were also affected. Three NGOs were affected: Fundación DTJ, Cristosal, and a third, unnamed organization.
Coincidentally, the US National Counterintelligence and Security Center (NCSC) has issued an advisory on commercial surveillance products. Those are unnamed, but they clearly include such tools as NSO Group’s Pegasus. “Journalists, dissidents, and other persons around the world have been targeted and tracked using these tools, which allow malign actors to infect mobile and internet-connected devices with malware over both WiFi and cellular data connections.” The advisory includes recommendations for digital hygiene that might make it less likely that a target’s devices be compromised.
The biter bit?
Malwarebytes reports that an advanced persistent threat (APT) seems to have infected itself with its own remote administration Trojan (RAT), specifically the BADNEWS (Ragnatela) RAT. The APT is PatchWork (also known as Dropping Elephant, Chinastrats, and Quilted Tiger). Patchwork is associated with the Indian Government, and has been observed collecting against targets in Pakistan.
US Senators inquire about possible security risks in Yealink phones.
Defense One writes that there’s US Senatorial concern about the risk Chinese-made Yealink phones might present users. Senator Chris Van Hollen (Democrat of Maryland) wrote the Department of Commerce back in September, asking for an explanation of the Yealink software that could, at least in principle, monitor and report users’ calls and online activity.
FBI warns of “BadUSB” campaign.
The Record reports that the FBI has warned that FIN7, the criminal gang well-known for operating DarkSide and BlackMatter ransomware, has undertaken a BadUSB campaign against US organizations in the transportation, insurance, and defense sectors The physical USBs, which carry malware, are being sent by the US Postal Service and United Parcel Service. Some represent themselves as packages arriving from the US Department of Health and Human Services that carry important COVID-19 information. Others pose as holiday packages from Amazon and include a thank-you note, a bogus gift card, and, of course, the malicious USB drive. The payloads observed include “Metasploit, Cobalt Strike, PowerShell scripts, Carbanak, GRIFFON, DICELOADER, and TIRION” as well as “BlackMatter and REvil” ransomware.
DPRK-sponsored cybercrime enjoys a substantial return on investment.
Kaspersky reports on the activities of a group it calls “BlueNorhoff,” and identifies as a subunit of North Korea’s Lazarus Group. BlueNoroff ‘s current campaign, “SnatchCrypto, is aimed at various companies that, by the nature of their work, deal with cryptocurrencies and smart contracts, DeFi, Blockchain, and the FinTech industry.” An NBC News report puts Pyongyang’s take in cryptocurrency theft last year at almost $400 million, with Ethereum holdings particularly affected.
Sabotaging your code, that’ll show ’em.
The open source software supply chain may have a free-rider problem. BleepingComputer reported an infinite-loop a developer inserted into two widely used open-source libraries. It was a gesture of protest. The developer, whom BleepingComputer identified as Marak Squires, is thought to regard himself as having been exploited by the many organizations who’ve used his software without either adequate compensation or support.
The Apache Foundation addressed this sentiment and its causes in a position paper. SecurityWeek headlines its account of the paper “Apache Foundation Calls Out Open-Source Leechers.” That’s a strong way of putting it (and we couldn’t find any variant of “leech,” still less “freeloader” or “parasite”) in the Apache text, but it’s not too far off the mark.
Apache doesn’t call organizational users “leechers” or “leeches,” but its position paper describes a free-rider problem. “We can’t fix open source supply chain issues by focusing exclusively on the upstream producer,” is how Apache puts it in their first “take-away.” The downstream users of open source software should, Apache argues, “contribute back.” That is, “Help fix bugs. Conduct security audits and feed back the results. Cash, while welcome and useful, isn’t sufficient. We eagerly welcome audits and fixes from any source. We have a process defined for doing so…”
This is not to say that the Apache Software Foundation endorses developers’ sabotaging their own code. Far from it. Their concern is with the security and safety of the open source products themselves.
On Patch Tuesday Microsoft addressed ninety-seven vulnerabilities, nine rated Critical and eighty-eight rated Important. Adobe, Android, Cisco, SAP, and VMware have also recently patched. BleepingComputer has a useful overview.
Crime and punishment.
Russia’s Federal Security Service (FSB) has arrested members of the REvil ransomware gang at the request of the US government, Reuters reports. The FSB said in a statement, “As a result of joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized.” The FSB said it had conducted the raids (which netted not only fourteen arrests, but $600,000 and €500,000 in cash, as well as computers, “crypto wallets used to commit crimes,” and twenty luxury cars, all of which are said to be ill-gotten) at the “appeal of competent US authorities.” Cooperation only goes so far, however. Interfax clarified in a follow-up that none of the Russian citizens arrested will be turned over to the US for prosecution, “The Basic Law of the Russian Federation prohibits the extradition of citizens of the Russian Federation to a foreign state,” a source explained to Interfax.
Lest one think that the FSB’s raid on REvil means that the salad days of state-tolerated Russian cybercrime are over, consider KrebsOnSecurity’s account of the work being done by the access broker known as Wazawaka, a numero in Russophone cybercrime fora. “Come, rob, and get dough!,” Wazawaka advertised in the Exploit forum back in 2020, inviting crooks to buy access to a Chinese company and “show them who is boss.” He’s still going strong, and he says he adheres to the communitarian principle that data taken in double-extortion scams shouldn’t be resold. Rather, it should simply be posted for general use in the criminal-to-criminal marketplace should the victim fail to pay the ransom.
Israel has arrested five people on charges connected with alleged Iranian espionage, Bloomberg reports. Four women and one man were arrested; Yahoo News says they were persuaded to spy on behalf of Tehran through a catphishing operation that used the bogus identity “Rambod Namdar,” which the phishers represented as a Jewish Iranian. The Israelis prospected in the operation were also Jews of Iranian origin, and so the operation appears to be a classic affinity scam of the kind long used by intelligence services seeking to recruit human assets.
Ukrainian authorities have arrested five alleged members of a ransomware gang that operated internationally.
The European Data Protection Supervisor (EDPS) ordered Europol to “delete data concerning individuals with no established link to a criminal activity.”
Courts and torts.
Bloomberg Law says NSO Group intends to go to the US Supreme Court in its bid to defeat a Meta lawsuit.
Policies, procurements, and agency equities.
The White House offered a preliminary “readout” of this week’s Open Source Software Security Summit, during which Government and industry officials met to discuss ways of shoring up the security of widely used open-source software. That discussion was prompted by December’s revelation of vulnerabilities in the Apache Software Foundation’s Log4j library, and it was given salience by this week’s warnings from the US Intelligence Community that there was a risk of nation-state attacks exploiting issues with that and other open-source products. The White House said, in part, “Participants had a substantive and constructive discussion on how to make a difference in the security of open source software, while effectively engaging with and supporting the open source community. The discussion focused on three topics: Preventing security defects and vulnerabilities in code and open source packages, improving the process for finding defects and fixing them, and shortening the response time for distributing and implementing fixes.”
Google, which was among the companies attending the summit, applauded the Government’s initiative and called for further cooperation: “We need a public-private partnership to identify a list of critical open source projects — with criticality determined based on the influence and importance of a project — to help prioritize and allocate resources for the most essential security assessments and improvements. Longer term, we need new ways of identifying software that might pose a systemic risk — based on how it will be integrated into critical projects — so that we can anticipate the level of security required and provide appropriate resourcing.”
Red Hat also approved of the direction the summit set: “The core tenets of the Cyber EO remain fundamental to improving the security posture of all software—both proprietary and open source, including assuring that vendors of all stripes maintain greater visibility into their software, take responsibility for its life cycle, and make security data publicly available. A key theme of the meeting was the recognition that open source software has accelerated the pace of technological innovation, provides tremendous societal and economic benefits, and can contribute greatly to enhancing trust and cybersecurity.” Many observers see work toward effective use of software bills of materials as among the most important initial goals of public-private cooperation.
The US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog now includes Log4shell, and that’s consistent with the agency’s aspiration, expressed clearly during Monday’s media call, of serving as a single authoritative source for information on risk and remediation.
And the US National Institute of Standards and Technology (NIST) has issued a revision to its cybersecurity guidance, Engineering Trustworthy Secure Systems. “With the continuing frequency, intensity, and adverse consequences of cyber-attacks,” NIST says in its introduction, “disruptions, hazards, and other threats to federal, state, and local governments, as well as private sector organizations, the need for trustworthy secure systems has never been more important to the long-term economic and national security interests of the United States.” The two-hundred-seven-page document builds upon earlier standards documents, and NIST has asked for comment. “The objective, NIST explains, “is to address security issues from a stakeholder protection needs, concerns, and requirements perspective and to use established engineering processes to help ensure that such needs, concerns, and requirements are addressed with appropriate fidelity and rigor throughout the system life cycle.”