(Politico) Early on Friday, following a week of tense negotiations between Russia and the West over Ukraine, a major cyberattack took down a number of official Ukrainian websites. “Ukrainians! … All information about you has become public,” the attackers posted on the website of the Ukrainian foreign ministry. “Be afraid and expect worse. It’s your past, present and future.”
Though it’s not yet clear who was behind the attack, the timing made many observers think immediately of Russia, which has a long history of targeting Ukraine with cyber aggression. As the EU’s chief diplomat put it, “I can't blame anybody as I have no proof, but we can imagine.”
Regardless of the perpetrator, the incident was a reminder of the many tools Russian President Vladimir Putin has used to weaken Ukraine other than traditional warfare. There is, of course, an actual war being fought in the country’s east. But Russia has supplemented its military efforts with nonmilitary tactics such as cyberattacks, disinformation and propaganda meant to exacerbate political tensions and undermine Ukrainians’ faith in their government and in democracy itself.
Much of Putin’s playbook falls into this murky area between war and peace — what national security analysts have come to call the gray zone. The term has become fashionable, but the concept isn’t new. It describes tactics that fall short of outright military aggression and instead take aim at a country’s social, economic or political cohesion. Gray-zone tactics include disinformation and cyberwarfare, as well as subversive economic practices, like China’s efforts to coerce Western firms into doing its bidding. Another recent example came when Belarusian leader Alexander Lukashenko — a Putin-allied autocrat — manufactured a migrant crisis at the border between Belarus and Poland. This also wasn’t a traditional act of aggression, but it created a feeling of crisis and chaos, forcing Poland and the rest of Europe to prepare for possible conflict.
Though the term can feel overused in national security circles, calling these seemingly disparate practices “gray-zone tactics” helps us see what they have in common: They’re cheaper and easier than using military force, they frequently aren’t overtly illegal, and to date they’ve rarely caused loss of life.
(EurekAlert) LAWRENCE — A prestigious Faculty Early Career Development (CAREER) Program award from the National Science Foundation will enable a researcher from the University of Kansas School of Engineering to investigate how to boost effectiveness of security operations centers (SOCs) — centralized facilities that deal with security issues and protect enterprise computer networks for private industry, academic institutions and government organizations.
“Organizations usually deploy security operations centers to manage their network operations, defend against threats in cyberspace and maintain regulatory compliance,” said Alexandru Bardas, assistant professor in KU’s Department of Electrical Engineering & Computer Science (EECS) and the Information & Telecommunication Technology Center (ITTC). “Automation and metrics play key roles in the effectiveness of security operation centers. Unfortunately, security-driven automation in these environments is often implemented in ad hoc ways and is not accurately reflected in the metrics.”
According to Bardas, current solutions don’t capture all dimensions of automation. He said enterprise networks usually have either partial technical solutions to security challenges that are both social and technical — or social frameworks that don’t fully comprehend the technical components of enterprise network security. The result, he said, is always a one-size-fits-all solution that contributes to inefficiencies in security operations centers.
“We hope to create a framework that tailors security-focused automation for operational environments, assesses the role of humans in this process and reflects the outcomes in the metrics,” Bardas said. “Instead of putting forward another set of generic automation and metrics guidelines for security operations centers, the framework’s main goal is to link technical capabilities of an organization with its social structure. This way, the landscape for security operations centers can evolve from ‘all defenses need to be successful’ to ‘all attacks need to be successful’ to maintain persistent access — turning the tables on adversaries.”
The KU researcher’s work will use an array of research approaches — from designing dynamic abstractions, models and software tools to ethnographic studies and interviews. Bardas said he hoped to account for factors such as stakeholders’ interests and strategic planning as well as provide on-the-ground analysts with ways to input local knowledge about their actual effectiveness into management and policy decisions.
(Wired) For the past two weeks, observers of North Korea's strange and tightly restricted corner of the internet began to notice that the country seemed to be dealing with some serious connectivity problems. On several different days, practically all of its websites—the notoriously isolated nation only has a few dozen—intermittently dropped offline en masse, from the booking site for its Air Koryo airline to Naenara, a page that serves as the official portal for dictator Kim Jong-un's government. At least one of the central routers that allow access to the country's networks appeared at one point to be paralyzed, crippling the Hermit Kingdom's digital connections to the outside world.
Some North Korea watchers pointed out that the country had just carried out a series of missile tests, implying that a foreign government's hackers might have launched a cyberattack against the rogue state to tell it to stop saber-rattling.
But responsibility for North Korea's ongoing internet outages doesn't lie with US Cyber Command or any other state-sponsored hacking agency. In fact, it was the work of one American man in a T-shirt, pajama pants, and slippers, sitting in his living room night after night, watching Alien movies and eating spicy corn snacks—and periodically walking over to his home office to check on the progress of the programs he was running to disrupt the internet of an entire country.
Just over a year ago, an independent hacker who goes by the handle P4x was himself hacked by North Korean spies. P4x was just one victim of a hacking campaign that targeted Western security researchers with the apparent aim of stealing their hacking tools and details about software vulnerabilities. He says he managed to prevent those hackers from swiping anything of value from him. But he nonetheless felt deeply unnerved by state-sponsored hackers targeting him personally—and by the lack of any visible response from the US government.
caltrek's comment: While an interesting read, the article does have a bit of the "it is bad when they do it to us, but ok when we do it to them" flavor about it. Especially in light of one opinion indicating that the original hack attributed to North Korea may not have come from North Korea at all, but from somebody willing and able to frame that country as the likely suspect for their hack.
(The Verge) On Saturday, attackers stole hundreds of NFTs (non-fungible tokens) from OpenSea users, causing a late-night panic among the site’s broad user base. A spreadsheet compiled by the blockchain security service PeckShield counted 254 tokens stolen over the course of the attack, including tokens from Decentraland and Bored Ape Yacht Club.
The bulk of the attacks took place between 5PM and 8PM ET, targeting 32 users in total. Molly White, who runs the blog Web3 is Going Great, estimated the value of the stolen tokens at more than $1.7 million.
The attack appears to have exploited a flexibility in the Wyvern Protocol, the open-source standard underlying most NFT smart contracts, including those made on OpenSea. One explanation (linked by CEO Devin Finzer on Twitter) described the attack in two parts: first, targets signed a partial contract, with a general authorization and large portions left blank. With the signature in place, attackers completed the contract with a call to their own contract, which transferred ownership of the NFTs without payment. In essence, targets of the attack had signed a blank check — and once it was signed, attackers filled in the rest of the check to take their holdings.
“I checked every transaction,” said a user who goes by Neso. “They all have valid signatures from the people who lost NFTs so anyone claiming they didn’t get phished but lost NFTs is sadly wrong.”
Valued at $13 billion in a recent funding round, OpenSea has become one of the most valuable companies of the NFT boom, providing a simple interface for users to list, browse, and bid on tokens without interacting directly with the blockchain. That success has come with significant security issues, as the company has struggled with attacks that leveraged old contracts or poisoned tokens to steal users’ valuable holdings.
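The "blank check" pattern described above, as an added example that is not OpenSea's or the Wyvern Protocol's code: a toy order-signing scheme in Python. An HMAC over a canonical JSON encoding stands in for the real ECDSA signature so the script runs offline, and the order fields, addresses and the attacker's fill-in values are all constructed for illustration. `sign_loose` commits only to the maker's identity and a nonce, so an attacker can complete the remaining fields and still present a valid signature; `sign_strict` refuses to sign an order with blank fields and binds every field that decides what the order does (counterparty, price, target contract, calldata, expiry), so a filled-in, tampered or expired order fails verification.

```python
import hashlib
import hmac
import json
import time

# Stand-in for the victim's private key (hypothetical; a real marketplace uses ECDSA).
MAKER_KEY = b"maker-private-key-stand-in"

# Weak scheme: the signature covers only these fields; everything else is "blank".
LOOSE_FIELDS = ("maker", "nonce")
# Hardened scheme: every field that determines what the order does is signed.
STRICT_FIELDS = ("maker", "nonce", "token", "token_id", "taker",
                 "price", "target", "calldata", "expiry")


def _canonical(fields):
    """Deterministic byte encoding so signer and verifier hash exactly the same data."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _mac(data):
    return hmac.new(MAKER_KEY, data, hashlib.sha256).hexdigest()


def sign_loose(order):
    """Weak: signs a general authorization (maker + nonce) and nothing else."""
    return _mac(_canonical({k: order[k] for k in LOOSE_FIELDS}))


def verify_loose(order, sig):
    """Accepts any completion of the order as long as maker and nonce match."""
    return hmac.compare_digest(sign_loose(order), sig)


def sign_strict(order):
    """Hardened: refuses blank fields and commits to all of STRICT_FIELDS."""
    if any(order.get(k) is None for k in STRICT_FIELDS):
        raise ValueError("refusing to sign an order with blank fields")
    return _mac(_canonical({k: order[k] for k in STRICT_FIELDS}))


def verify_strict(order, sig, now=None):
    """Rejects blank fields, expired orders, and any change to a signed field."""
    now = time.time() if now is None else now
    if any(order.get(k) is None for k in STRICT_FIELDS):
        return False
    if order["expiry"] <= now:
        return False
    return hmac.compare_digest(sign_strict(order), sig)


def attacker_fill(partial):
    """Attacker 'fills in the check': routes the order to their own contract for zero payment."""
    filled = dict(partial)
    filled.update({
        "taker": "0xattacker",                 # hypothetical address
        "price": 0,
        "target": "0xattacker-contract",       # hypothetical address
        "calldata": "transferFrom(maker,0xattacker,token_id)",
        "expiry": 4102444800,                  # far in the future
    })
    return filled


def run_demo():
    # Constructed sample: the victim signs with counterparty, price, target, calldata and expiry blank.
    partial = {"maker": "0xvictim", "nonce": 7, "token": "0xnft-collection",
               "token_id": 1234, "taker": None, "price": None,
               "target": None, "calldata": None, "expiry": None}
    loose_sig = sign_loose(partial)
    forged = attacker_fill(partial)

    # Under the strict scheme the victim cannot even produce a blank-check signature.
    try:
        sign_strict(partial)
        refused = False
    except ValueError:
        refused = True

    # An honest, fully specified listing, then the same listing with two fields altered.
    full = dict(partial, taker="0xanyone", price=10 ** 18, target="0xmarketplace",
                calldata="atomicMatch", expiry=4102444800)
    strict_sig = sign_strict(full)
    tampered = dict(full, price=0, target="0xattacker-contract")

    return {
        "loose_accepts_forged": verify_loose(forged, loose_sig),
        "strict_refuses_blank_signing": refused,
        "strict_rejects_blank": not verify_strict(partial, strict_sig),
        "strict_accepts_honest": verify_strict(full, strict_sig, now=0),
        "strict_rejects_tampered": not verify_strict(tampered, strict_sig, now=0),
        "strict_rejects_expired": not verify_strict(full, strict_sig, now=4102444801),
    }


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {ok}")
```

The property the hardened scheme enforces is the one a marketplace needs: the bytes the user signs must fully determine what the marketplace contract is allowed to do with the user's assets, and any field that is allowed to vary after signing is a field the attacker gets to choose.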
Here is a rather basic informational piece on what to do if your Facebook account is hacked. Two of my Facebook "friends" have already gone through this experience:
Spending bill includes large funding increase to boost cybersecurity
Source: The Hill
The government funding bill sent to President Biden includes a surge in funding to the agency that oversees the nation's cybersecurity infrastructure and includes language that requires companies in critical sectors to alert the government of potential hacks.
The omnibus spending bill has a total $2.6 billion budget for the Cybersecurity and Infrastructure Security Agency (CISA), a $568 million increase above last year's funding level that surpasses the amount requested by the president.
The funding arrives as the U.S. braces for possible Russian cyberattacks following the West's forceful condemnation of its invasion in Ukraine and punishing economic sanctions.
Included in the budget is a $119.5 million increase for threat hunting and a $64.1 million increase for vulnerability management.
(TechCrunch) Email marketing giant Mailchimp has confirmed a data breach after malicious hackers compromised an internal company tool to gain access to customer accounts.
In a statement given to TechCrunch, Mailchimp CISO Siobhan Smyth said the company became aware of the intrusion on March 26 after it identified a malicious actor accessing a tool used by the company’s customer support and account administration teams. Access was gained following a successful social engineering attack, a type of attack that exploits human error and uses manipulation techniques to gain private information, access or valuables.
“We acted swiftly to address the situation by terminating access for the compromised employee accounts and took steps to prevent additional employees from being affected,” Smyth said.
But not quickly enough, as hackers viewed approximately 300 Mailchimp accounts and successfully exported audience data from 102 of those, the company said. Mailchimp declined to say exactly what data was accessed but told TechCrunch that the hackers targeted customers in the cryptocurrency and finance sectors. In addition to viewing accounts and exporting data, the threat actors gained access to API keys for an undisclosed number of customers, which could have allowed them to send spoofed emails; Mailchimp says those keys have since been disabled and can no longer be used. Smyth added, however, that Mailchimp had received some reports of the hackers using the information obtained from user accounts to send phishing campaigns to those customers' contacts.
“When we become aware of any unauthorized account access, we notify the account owner and immediately take steps to suspend any further access,” Smyth told TechCrunch. “We also recommend two-factor authentication and other account security measures for our users as added measures to keep accounts and passwords secure.”
(The Conversation) In 2014, as Russia launched a proxy war in Eastern Ukraine and annexed Crimea, and in the years that followed, Russian hackers hammered Ukraine. The cyberattacks went so far as to knock out the power grid in parts of the country in 2015. Russian hackers stepped up their efforts against Ukraine in the run-up to the 2022 invasion, but with notably different results. Those differences hold lessons for U.S. national cyber defense.
I’m a cybersecurity researcher with a background as a political officer in the U.S. Embassy in Kyiv and working as an analyst in countries of the former Soviet Union. Over the last year, I led a USAID-funded program in which Florida International University and Purdue University instructors trained more than 125 Ukrainian university cybersecurity faculty and more than 700 cybersecurity students. Many of the faculty are leading advisors to the government or consult with critical infrastructure organizations on cybersecurity. The program emphasized practical skills in using leading cybersecurity tools to defend simulated enterprise networks against real malware and other cybersecurity threats.
The invasion took place just weeks before the national cybersecurity competition was to be held for students from the program’s 14 participating universities. I believe that the training that the faculty and students received in protecting critical infrastructure helped reduce the impact of Russian cyberattacks. The most obvious sign of this resilience is the success Ukraine has had in keeping its internet on despite Russian bombs, sabotage and cyberattacks.
SAN JOSE, Costa Rica (AP) — Nearly a week into a ransomware attack that has crippled Costa Rican government computer systems, the country refused to pay a ransom as it struggled to implement workarounds and braced itself as hackers began publishing stolen information.
The Russian-speaking Conti gang claimed responsibility for the attack, but the Costa Rican government had not confirmed its origin.
The Finance Ministry was the first to report problems Monday. A number of its systems have been affected, from tax collection to the import and export processes handled by the customs agency. Attacks on the social security agency’s human resources system and on the Labor Ministry, as well as others, followed.
The initial attack forced the Finance Ministry to shut down for several hours the system responsible for the payment of a good part of the country’s public employees, which also handles government pension payments. It also has had to grant extensions for tax payments.
Conti had not published a specific ransom amount, but Costa Rica President Carlos Alvarado said, “The Costa Rican state will not pay anything to these cybercriminals.” A figure of $10 million circulated on social media platforms, but did not appear on Conti’s site.
Costa Rica Chaos a Warning that Ransomware Threat Remains by Alan Suderman and Ben Fox
June 17, 2022
Introduction:
WASHINGTON (AP via Courthouse News) — Teachers unable to get paychecks. Tax and customs systems paralyzed. Health officials unable to access medical records or track the spread of COVID-19. A country’s president declaring war against foreign hackers saying they want to overthrow the government.
For two months now, Costa Rica has been reeling from unprecedented ransomware attacks disrupting everyday life in the Central American nation. It’s a situation raising questions about the United States’ role in protecting friendly nations from cyberattacks when Russian-based criminal gangs are targeting less developed countries in ways that could have major global repercussions.
“Today it’s Costa Rica. Tomorrow it could be the Panama Canal,” said Belisario Contreras, former manager of the cybersecurity program at the Organization of American States, referring to a major Central American shipping lane that carries a large amount of U.S. import and export traffic.
Last year, cybercriminals launched ransomware attacks in the U.S. that forced the shutdown of an oil pipeline that supplies the East Coast, halted production of the world’s largest meat-processing company and compromised a major software company that has thousands of customers around the world.
The Biden administration responded with a whole-of-government action that included diplomatic, law enforcement and intelligence efforts designed to put pressure on ransomware operators.
caltrek’s comment: Meanwhile, the Republican response seems to be to join forces with these hacker-prone hostile powers in order to hasten our enslavement.
Could the Russian cyber attack on Lithuania draw a military response from NATO?
Tuesday 28 June 2022
A NATO member is under attack.
Normally the meaning of this would be frighteningly clear, but this is an attack with a difference: not a physical attack, but a cyber attack; and working out what a cyber attack means is never simple.
The NATO member in question is the Baltic state of Lithuania, which was targeted on Monday by Russian hackers. According to the hackers, the attack is still going on.
Transport and media websites have been hit, as have the websites of various state institutions such as the Lithuanian tax service, which had to pause its operations yesterday.
A Russian hacker group known as Killnet claimed responsibility for the attacks, claiming on its Telegram channel that the attack was retaliation for Lithuania's decision to stop the transit of some goods to the Russian territory of Kaliningrad on the Baltic coast.
A Small Canadian Town is Being Extorted by a Global Ransomware Gang by Corin Faife
July 22, 2022
Introduction:
(The Verge) The Canadian town of St. Marys, Ontario, has been hit by a ransomware attack that has locked staff out of internal systems and encrypted data.
The small town of around 7,500 residents seems to be the latest target of the notorious LockBit ransomware group. On July 22nd, a post on LockBit’s dark web site listed townofstmarys.com as a victim of the ransomware and previewed files that had been stolen and encrypted.
In a phone call, St. Marys Mayor Al Strathdee told The Verge that the town was responding to the attack with the help of a team of experts.
“To be honest, we’re in somewhat of a state of shock,” Strathdee said. “It’s not a good feeling to be targeted, but the experts we’ve hired have identified what the threat is and are walking us through how to respond. Police are interested and have dedicated resources to the case ... there are people here working on it 24/7.”
Strathdee said that after systems were locked, the town had received a ransom demand from the LockBit ransomware gang but had not paid anything to date. In general, the Canadian government’s cybersecurity guidance discouraged the paying of ransoms, Strathdee said, but the town would follow the incident team’s advice on how to engage further.
Cybersecurity Vendor Entrust Tells Customers Data Was Stolen During a June Cyberattack by Carly Page
July 27, 2022
Introduction:
(TechCrunch) Minneapolis-based cybersecurity giant Entrust has confirmed it was hit by a cyberattack last month.
Entrust, which describes itself as a global leader in identities, payments and data protection, told TechCrunch that an “unauthorized party” was able to access parts of its system that are used for the internal operations on June 18.
“We promptly began an investigation with the assistance of a leading third-party cybersecurity firm and have informed law enforcement,” Ken Kadet, vice president of communications at Entrust, said in a statement. “While our investigation is ongoing, we have found no indication to date that the issue has affected the operation or security of our products and services, which are run in separate, air-gapped environments from our internal systems and are fully operational.”
Cybersecurity researcher Dominic Alvieri obtained and published a July 6 notice sent to Entrust customers, which cited Entrust CEO Todd Wilkinson saying that “some files were taken from our internal systems.”
“As we continue to investigate the issue, we will contact you directly if we learn information that we believe would affect the security of the products and services we provide to your organization,” Wilkinson added in his note to customers.
U.S. Issues Rare Security Alert as Montenegro Battles Ongoing Ransomware Attack by Carly Page
August 31, 2022
Introduction:
(TechCrunch) The U.S. Embassy in Montenegro has warned Americans that an ongoing ransomware attack in the country could cause widespread disruption to key public services and government services.
The ransomware attack, first confirmed by Montenegro’s Agency for National Security (ANB) last week, targeted government systems and other critical infrastructure and utilities, including electricity, water systems and transportation. At the time of writing, the official website of the government of Montenegro is unavailable and reports suggest that several power plants have switched to manual operations as a result of the attack.
Officials in Montenegro claimed no data was stolen and claimed that no permanent damage was done as a result of the attack.
However, Montenegro’s ANB declared that the country was “under a hybrid war,” and blamed “coordinated Russian services” for the attack. Relations between the two countries have remained strained since Montenegro joined the NATO alliance of Western countries in 2017, after which Russia threatened retaliatory action.
The U.S. Embassy in Montenegro has since published its own notice, writing that the government was facing a “persistent and ongoing” cyberattack. “The attack may include disruptions to the public utility, transportation (including border crossings and airport), and telecommunication sectors,” the Embassy warned. It advised citizens residing in the Balkan state to limit travel, review personal security plans, and “be aware of your surroundings.”
Uber Investigating Cybersecurity Incident After Hacker Breaches Its Internal Network by Carly Page
September 16, 2022
Introduction:
(Techcrunch) Uber confirmed on Thursday that it’s responding to a cybersecurity incident after reports claimed a hacker had breached its internal network.
The ride-hailing giant discovered the breach on Thursday and has taken several of its internal communications and engineering systems offline while it investigates the incident, according to a report by The New York Times, which broke news of the breach.
Uber said in a statement given to TechCrunch that it’s investigating a cybersecurity incident and is in contact with law enforcement officials, but declined to answer additional questions.
The sole hacker behind the breach, who claims to be 18 years old, told the Times that he compromised Uber because the company had weak security. The attacker reportedly used social engineering to compromise an employee’s Slack account, persuading the employee to hand over a password that gave the attacker access to Uber’s systems. This has become a popular tactic in recent attacks against well-known companies, including Twilio, Mailchimp and Okta.
Shortly before the Slack system was taken offline on Thursday afternoon, Uber employees received a message that read, “I announce I am a hacker and Uber has suffered a data breach,” the Times reports. The hacker also reportedly said that Uber drivers should receive higher pay.
Washington (CNN Business) Uber has linked the cybersecurity incident it disclosed last week to hackers affiliated with the Lapsus$ gang, a group accused of numerous high-profile corporate data breaches. The company also said the attackers were able to download or access company Slack messages and invoice-related data from an internal tool.
LockerGoga Ransomware Victims Can Now Recover Their Files for Free by Carly Page
September 19, 2022
Introduction:
(TechCrunch) Victims of the LockerGoga ransomware can now recover their stolen files for free, thanks to a new decryptor released by Romanian cybersecurity firm Bitdefender and the NoMoreRansom Initiative.
The LockerGoga ransomware family, known for its attacks against industrial organizations, first emerged in 2019. The file-encrypting malware was infamously used in an attack against Norsk Hydro in March 2019, forcing the Norwegian aluminum manufacturer to stop production for almost a week at a cost of more than $50 million. It was also used in attacks against Altran Technologies, a French engineering consultancy, and U.S.-based chemical companies Hexion and Momentive.
According to the Zurich Public Prosecutor’s Office, which also participated in the development of the decryptor along with Europol, the operators of LockerGoga were involved in ransomware attacks against more than 1,800 individuals and institutions in 71 countries, causing more than $100 million in damage.
The group behind the LockerGoga ransomware has been inactive since October 2021, when U.S. and European law enforcement agencies arrested 12 alleged members. Following the arrests, police spent months examining the data collected during the raid and discovered the group’s encryption keys to unlock data from LockerGoga ransomware attacks, the Zurich Public Prosecutor’s Office said.
“Decryption of data is normally possible when we either identify a vulnerability in the ransomware code or when individual decryption keys become available,” Bogdan Botezatu, director of threat research and reporting at Bitdefender, told TechCrunch. “This decryptor relies on the keys seized in the 2021 arrests, which have been shared with us privately as per our collaboration with the involved law enforcement authorities.”
India’s Central Depository Services Limited (CDSL) Says Malware Compromised Its Network
by Jagmeet Singh
November 18, 2022
Introduction:
(TechCrunch) India’s leading central securities depository, Central Depository Services Limited, or CDSL, says its systems have been compromised by malware.
On Friday, the securities depository said in a filing with India’s National Stock Exchange that it detected malware affecting “a few of its internal machines.”
“As a matter of abundant caution, the company immediately isolated the machines and disconnected itself from other constituents of the capital market,” the filing said.
CDSL said it continues to investigate, and that it has so far “no reason to believe that any confidential information or the investor data has been compromised” due to the incident.
CDSL has not yet revealed the exact details of the malware. At the time of writing, the company’s website was down. The company declined to say if the two are related.
NSA Says Chinese Hackers Are Exploiting a Zero Day Bug in Popular Networking Gear by Carly Page
December 14, 2022
Introduction:
(TechCrunch) The U.S. National Security Agency is warning that Chinese government-backed hackers are exploiting a zero-day vulnerability in two widely used Citrix networking products to gain access to targeted networks.
The flaw, tracked as CVE-2022-27518, affects Citrix ADC, an application delivery controller, and Citrix Gateway, a remote access tool, both of which are popular in enterprise networks. The critical-rated vulnerability allows an unauthenticated attacker to remotely run malicious code on vulnerable devices — no passwords needed. Citrix also says the flaw is being actively exploited by threat actors.
“We are aware of a small number of targeted attacks in the wild using this vulnerability,” Peter Lefkowitz, chief security and trust officer at Citrix, said in a blog post. “Limited exploits of this vulnerability have been reported.” Citrix hasn’t specified which industries the targeted organizations are in or how many have been compromised. A Citrix spokesperson did not immediately respond to TechCrunch’s questions.
Citrix rushed out an emergency patch for the vulnerability on Monday and is urging customers using affected builds of Citrix ADC and Citrix Gateway to install the updates immediately.
Citrix didn’t share any further details about the in-the-wild attacks. However, in a separate advisory, the NSA said that APT5, a notorious Chinese hacking group, has been actively targeting Citrix ADCs in order to break into organizations without having to first steal credentials. The agency also provided threat-hunting guidance [PDF] for security teams and asked for intelligence sharing among the public and private sectors.