Feds Warn Cybersecurity Community to Be Aware of Russian State-Sponsored Threat Actor Tactics
Microsoft issues 120 security fixes, Iranian group uses Log4Shell to drop backdoor, Serious flaw found in KCodes NetUSB component, SysJoker malware evades detection, Russian crim spills clues, more
In what is widely regarded as strategic messaging rather than an effort to convey new information, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the NSA issued a joint alert disclosing commonly observed tactics, techniques, and procedures (TTPs) used by Russian state-sponsored threat actors.
The advisory warned against “common but effective tactics” used to gain initial access to victim networks, including spear phishing, brute force attacks, and exploiting known vulnerabilities. The alert encourages the cybersecurity community, especially critical infrastructure network defenders, to adopt a heightened state of awareness and to conduct proactive threat hunting. (Adam Janofsky / The Record)
Jen Easterly @CISAJen🛡️ Russian state-sponsored malicious cyber activity is a continuing threat to our critical infrastructure—why we’re working closely w/public & private sector partners to reinforce the importance of vigilance against these threats; read our latest advisory: https://t.co/d0NRcKyDF4 https://t.co/gR86Ti3DcR
Microsoft issued its Patch Tuesday updates to address nearly 120 security holes in Windows and supported software. Six of the vulnerabilities were publicly detailed already, potentially giving attackers a head start in figuring out how to exploit them in unpatched systems.
The most severe flaw addressed is CVE-2022-21907, a “wormable” critical, remote code execution flaw in the HTTP Protocol Stack that Microsoft considers a high-priority fix. Microsoft says the flaw affects Windows 10 and Windows 11, and Server 2019 and Server 2022. (Brian Krebs / Krebs on Security)
Related: The Register - Security, ZDNet Security, WebProNews, Bleeping Computer, Talos Intel, Tenable Blog, Rapid7, eSecurityPlanet, Zero Day Initiative - Blog, gHacks, Threatpost, Help Net Security, Security Week, US-CERT, The Hacker News, Security Affairs, Associated Press, IT Pro
Researchers at Check Point say that hackers believed to be part of the Iranian APT35 state-backed group (also known as Charming Kitten or Phosphorus) have been observed leveraging Log4Shell attacks to drop a new PowerShell backdoor.
The modular payload can handle C2 communications, perform system enumeration, and eventually receive, decrypt, and load additional modules. Check Point believes that APT35 was among the first to leverage the vulnerability before targets had an opportunity to apply security updates, scanning for vulnerable systems mere days after its public disclosure. (Bill Toulas / Bleeping Computer)
Researchers at SentinelOne discovered a high severity flaw in the KCodes NetUSB component integrated into millions of end-user router devices from Netgear, TP-Link, Tenda, EDiMAX, D-Link, and Western Digital, among others.
Exploiting this flaw, tracked as CVE-2021-45388, would allow a remote threat actor to execute code in the kernel; although some restrictions apply, the impact is broad and could be severe. KCodes issued a NetUSB patch for the flaw in December. (Bill Toulas / Bleeping Computer)
The Albanian government said that it would hire a U.S. company, Virginia-based Jones Group International, to bolster its cybersecurity following a large leak last month. Retired General James L. Jones, former national security adviser and supreme allied commander in Europe, is the head of Jones.
In December, the personal information of some 690,000 people, including identity card numbers and employment and salary data, was leaked from a government database of state and private employees. (Associated Press)
Related: Balkan Insight
Researchers at Cloudflare have warned that some of the cybercriminals behind DDoS campaigns are becoming more prolific and more aggressive.
According to a survey by Cloudflare, ransom DDoS attacks increased by almost a third between 2020 and 2021 and jumped by 175% in the final quarter of 2021 compared to the previous three months. In December, one in three organizations surveyed said they received a ransom letter relating to a DDoS attack. (Danny Palmer / ZDNet)
Researchers at Intezer say that a new multi-platform backdoor malware named SysJoker has emerged in the wild, targeting Windows, Linux, and macOS with the ability to evade detection on all three operating systems.
The new malware, written in C++, has multiple variants that go undetected on VirusTotal. Admins whose systems have been compromised by SysJoker should kill all processes related to the malware and manually delete the files and the relevant persistence mechanism. They should also run a memory scanner to ensure that all malicious files have been uprooted from the infected system, and investigate the potential entry points, check firewall configurations, and update all software tools to the latest available version. (Bill Toulas / Bleeping Computer)
A 19-year-old security researcher, David Colombo, claims to have hacked remotely into more than 25 Tesla cars in 13 countries, saying that he discovered a software flaw in the company's systems.
Colombo also claimed he could see if a driver is present in the car, turn on the vehicles' stereo sound systems and flash their headlights. Colombo says he is in discussion with Tesla’s security team. (Katrina Nicholas / Bloomberg)
In its annual Global Risks Report, the World Economic Forum said that cyber threats are emerging risks to the global economy, adding to existing challenges posed by climate change and the coronavirus pandemic.
Cyberattacks are becoming more aggressive and widespread, as criminals use tougher tactics to go after more vulnerable targets. (Kelvin Chan / Associated Press)
Scandinavian hotel chain Nordic Choice Hotels took a novel approach to recover from a ransomware attack that hit it on December 2 by switching all affected systems to Chrome OS.
The company said that instead of contacting the hackers and negotiating a ransom for the decryption key that would have unlocked the infected devices, the hotel chose to migrate its entire PC fleet from Windows to Chrome OS. “[I]n less than 24 hours, the first hotel was operating in the Chrome OS ecosystem from Google. And in the following two days, Nordic Choice converted 2,000 computers all over the company consisting of 212 hotels in five different countries,” the hotel chain explained. (Catalin Cimpanu / The Record)
Related: Nordic Choice Hotels
Several hundred pages of emails sent among Missouri governor Mike Parson’s staff, showing the hour-by-hour decision-making by Parson’s top aides, reveal that Parson’s team struggled to portray St. Louis Post-Dispatch reporter Josh Renaud, who discovered a flaw in one of the state’s databases, as a malicious hacker.
That flaw exposed thousands of the state’s educators’ Social Security numbers. Renaud discovered it with a simple right-click and some elementary decoding. In a decision decried by cybersecurity specialists and First Amendment advocates, Parson contends he will pursue a criminal complaint against Renaud. (Jack Gillum / Bloomberg)
American video game company Electronic Arts confirmed that hackers used social engineering to trick some of its customer support staff into transferring high-profile FIFA accounts from their legitimate owners.
Electronic Arts estimates that fewer than 50 accounts have been taken over using this method. According to screenshots shared on social media by some of the victims, the hacks took place after the attackers contacted EA’s customer staff via the live chat feature and demanded that an account’s email address be changed. (Catalin Cimpanu / The Record)
A Russian cybercriminal access broker who uses the name Wazawaka, a significant player in the Russian-speaking cybercrime scene, left behind many clues using multiple email addresses and nicknames on several Russian crime forums that highlighted his activities and passwords.
Analysts with Flashpoint say Wazawaka’s postings on various Russian crime forums show he is proficient in many specializations, including botnet operations, keylogger malware, spam botnets, credential harvesting, Google Analytics manipulation, selling databases for spam operations, and launching DDoS attacks. Wazawaka’s lackadaisical approach to hiding and protecting his cybercriminal identities could stem from his realization that he shouldn’t target Russian people and that he can never leave Russia. “Don’t shit where you live, travel local, and don’t go abroad,” Wazawaka said of his mantra. (Brian Krebs / Krebs on Security)
Research from Talk Liberation Investigates shows that Trumpworld social media network GETTR emulates Big Tech by including trackers and features from companies like Facebook and Google, muddying its efforts to pitch itself as an alternative to those very companies.
“The gettr.com web app loads tracking cookies and pixels from Google and Facebook that create unique identifiers for individual users,” Talk Liberation Investigates says. (Joseph Cox / Motherboard)
Related: Talk Liberation Investigates
New draft legislation to revamp the Federal Information Security Management Act includes language that would codify the federal chief information security officer as a statutory role.
“There is established in the Office of the Federal Chief Information Officer of the Office of Management and Budget a Federal Chief Information Security Officer, who shall be appointed by the President,” the draft bill says. The legislation would also, among other things, redouble agencies’ focus on the implementation of zero-trust security principles and also assign the responsibility for operational coordination in the aftermath of a cyberattack to the Cybersecurity and Infrastructure Security Agency. (John Hewitt Jones / Fedscoop)
The National Institute of Standards and Technology (NIST) updated its cybersecurity guidance for system engineers, SP 800-160, Engineering Trustworthy Secure Systems.
The publication takes a holistic approach to systems engineering. NIST researchers give an overview of the objectives and concepts of modern security systems, primarily regarding the protection of a system's digital assets. One of the key updates NIST authors made in the latest version of the publication was a new emphasis on security assurances. (Alexandra Kelley / Nextgov)
Automated Security Validation (ASV) company Pentera raised $150 million in a Series C venture funding round.
Evolution Equity Partners and Insight Partners led the round with participation from Awz Ventures and Blackstone. (Krystal Hu / Reuters)