Destructive Malware Hit Ukraine Government and Related Systems
Six more REvil members arrested, Women human rights defenders were infected by Pegasus spyware, UK plans PR push against E2E encryption, EU tests simulated power company cyberattack, more
Today is a day to remember the great humanitarian and visionary, Martin Luther King, Jr., whose eloquence and compassion sparked movements toward justice and equality around the world.
On the heels of defacement attacks on Ukraine government public-facing internet infrastructure, which Ukraine attributed to Russian ally Belarus, Microsoft said it had observed destructive wiper malware in systems belonging to several Ukrainian government agencies and organizations that work closely with the Ukrainian government. The organizations affected include agencies that provide critical executive branch or emergency response functions and an IT firm that manages websites for public and private sector clients, including government agencies whose websites were recently defaced.
The malware attempted to pass itself off as ransomware but lacked a ransomware payment or recovery mechanism. Microsoft Threat Intelligence Center (MSTIC) found no notable associations between this observed activity, tracked as DEV-0586, and other known activity groups. However, most experts point to Russia as the likely culprit. Furthermore, the Ukrainian government said that all the evidence points to Russia as being behind the cyber attack.
Microsoft identified the malware on dozens of impacted systems but said that number could grow as its investigation continues. It strongly encourages all organizations to immediately conduct a thorough investigation and to implement defenses using the information provided in a detailed technical post.
The malware appears to have been deployed around the time that meetings between Russian diplomats and the United States and NATO over the massing of Russian troops at the Ukrainian border hit a dead end. The destructive techniques and fake ransomware messages are reminiscent of data-wiping cyberattacks Russia carried out against Ukrainian systems from 2015 to 2017. (David Sanger / New York Times, Andy Greenberg / Wired)
Related: Microsoft, Microsoft, Associated Press, The Hacker News, The Moscow Times, Bloomberg, The Record, The Guardian, Politico, Wired, ETTelecom.com, TechCentral, New York Post, MSPoweruser, CNN.com, Bloomberg News, Deutsche Welle, The Hill: Cybersecurity, US-CERT Current Activity, CISA, Bleeping Computer, MSSP Alert, The Kyiv Independent, Washington Examiner, ZDNet, CRN, IT News, Digital.gov.ua, Reuters
A Moscow court remanded six more suspected members of the ransomware crime group REvil in custody for two months over illegal trafficking of funds. These arrests occurred one day after Russia announced it had arrested other REvil members and dismantled the group at the request of the United States.
The six men are Mikhail Golovachuk, Ruslan Khansvyarov, Dmitry Korotayev, Alexei Malozemov, Artyom Zayets and Daniil Puzyrevsky. (Andrey Ostroukh and Polina Nikolskaya / Reuters)
Related: Radio Free Europe / Radio Liberty, Teller Report, TASS, Numerama, Reddit - cybersecurity, Bitcoin News, Reddit - cybersecurity, Bloomberg News, Mercury News, Bitcoin News, The Register, Sputnik News, Security Affairs, Bleeping Computer, Al Arabiya, Al Jazeera English, CIO News, Techradar, TechDator, The Hacker News, Krebs on Security, Security Affairs, CNN.com, Security News | Tech Times, Security News | Tech Times, Washington Post, Graham Cluley, Urgent Comms, The Register
An investigation by the human rights group Front Line Defenders (FLD) and the digital rights non-profit group Access Now found that the mobile phones of Ebtisam al-Saegh, a Bahraini human rights defender, and Hala Ahed Deeb, who works with human rights and feminist groups in Jordan, had been hacked using NSO’s Pegasus spyware.
The University of Toronto’s Citizen Lab confirmed the findings and found that al-Saegh’s mobile device had been hacked at least eight times between August and November 2019 using NSO spyware. The discovery of spyware on the two activists’ phones follows multiple reports of other female activists and journalists who have been targeted in the past. (Stephanie Kirchgaessner / The Guardian)
The UK government plans to launch a multi-pronged publicity attack on end-to-end encryption. One key objective is to turn public opinion against Facebook’s decision to encrypt its Messenger app.
The Home Office has hired the M&C Saatchi advertising agency to plan the campaign using public funds. One of the activities considered part of the publicity offensive is a stunt that would place an adult and child (both actors) in a glass box, with the adult looking “knowingly” at the child as the glass fades to black. (James Ball / Rolling Stone)
The European Union began testing its cyber-defense responsiveness with a simulated attack on a fictitious Finnish power company. In the simulation, a major cyber security incident is detected in software used by a major energy company.
The Finnish attack is part of a six-week exercise to stress-test Europe’s resilience, strengthen preparedness and cooperation among member states, and improve the effectiveness of a joint response. The tests are expected to conclude during a meeting of EU foreign ministers at the end of February. (Jorge Valero / Bloomberg)
Related: Security Affairs
Researchers at FingerprintJS discovered a serious Safari bug that can disclose information about users’ recent browsing histories and even some information about the logged-in Google account.
The bug in Safari’s IndexedDB implementation on Mac and iOS means that a website can see the names of databases for any domain, not just its own. The database names can then be used to extract identifying information from a lookup table. The bug affects all current versions of Safari on iPhone, iPad, and Mac. FingerprintJS says they reported the bug to Apple on November 28, but it has not yet been resolved. (Benjamin Mayo / 9to5Mac)
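As an added example (not code from the article or from FingerprintJS), a site-side hardening in JavaScript: audit a site's own IndexedDB database names for embedded identifiers, and keep names opaque by mapping each identifier to a random token held in same-origin storage, which the cross-origin name leak does not expose. The pattern set and the storage interface are assumptions; the Safari bug itself can only be fixed by Apple.

```javascript
// Added example: the Safari IndexedDB bug leaks database *names* across
// origins, so a name that embeds a user identifier leaks that identifier.
// Two defensive helpers: an audit of existing names and an opaque-name mapper.

// Assumed set of patterns that commonly mark a user-identifying database name.
const IDENTIFYING_PATTERNS = [
  /^\d{15,}$/,                                    // long numeric account IDs
  /[^\s@]+@[^\s@]+\.[^\s@]+/,                     // e-mail addresses
  /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i, // UUIDs
];

// Return the names that look like they embed an identifier. In a browser the
// input would come from indexedDB.databases() on the site's own origin.
function flagIdentifyingDbNames(names) {
  return names.filter((n) => IDENTIFYING_PATTERNS.some((re) => re.test(n)));
}

// Default token source: Web Crypto (browsers, Node 19+).
function defaultToken() {
  const bytes = new Uint8Array(16);
  globalThis.crypto.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Map an identifier to a stable, opaque database name. `storage` is anything
// with getItem/setItem (e.g. window.localStorage); the identifier never
// appears in the name, only in the same-origin key that stores the mapping.
function opaqueDbName(storage, identifier, randomToken = defaultToken) {
  const key = "dbname:" + identifier;
  let name = storage.getItem(key);
  if (!name) {
    name = "app-" + randomToken();
    storage.setItem(key, name);
  }
  return name;
}

// Constructed sample: names a site might have used before hardening.
const SAMPLE_NAMES = ["app-cache", "123456789012345678901", "user@example.com-prefs"];
```

In a browser, `indexedDB.open(opaqueDbName(localStorage, accountId))` replaces any call that used the account identifier directly as the database name.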
Quick thinking and preemptive action by Jamie Hussey, IT director at Jackson Hospital, a 100-bed facility on Florida's panhandle, prevented the hospital from becoming crippled by a ransomware attack.
Shortly after the emergency room reported that it could not connect to patients’ charts, Hussey recognized that a ransomware attack was underway and shut down the hospital’s systems to keep the malware from spreading. (Sean Lyngaas / CNN)
UniCC, the largest carding site operating on the dark web, and its “brother” LuxSocks are shutting down after reportedly generating $358 million in sales.
Carding sites are usually dark web platforms where cyber-criminals sell credit and debit card data stolen by other hackers using credit card skimmers that infect legitimate websites or malware planted in point of sale terminals. UniCC’s shutdown follows by almost exactly one year the shutdown of another carding site, Joker's Stash, which claimed to have sold over $400 million worth of stolen card listings. (Bill Toulas / Bleeping Computer)