New Data Wiper Discovered That Was Used in Viasat Cyberattack
Administration divided over Kaspersky sanctions, Treasury sanctions Russian lab that reported created Trisis, Biden eyes changing Trump-era policy that gave DoD unprecedented cyber authority, more
My latest CSO column updates the timeline of developments surrounding cyber incidents related to Russia’s invasion of Ukraine.
Researchers at SentinelOne say they discovered that a new data wiper, AcidRain, was deployed in the cyberattack that targeted Viasat's KA-SAT satellite broadband service. That attack wiped SATCOM modems on February 24, affecting thousands of users in Ukraine and tens of thousands more across Europe.
AcidRain is designed to brute-force device file names and wipe every file it can find, making it easy to redeploy in future attacks. First spotted on March 15 after its upload onto the VirusTotal malware analysis platform, the malware goes through the compromised router or modem's entire filesystem. It also wipes flash memory, SD/MMC cards, and any virtual block devices it can find, using all possible device identifiers.
SentinelOne said the malware might have been developed explicitly for an operation against Ukraine and likely used to wipe modems in the KA-SAT cyberattack. It is the seventh data wiper malware deployed in attacks against Ukraine, with six others used to target the country since the start of the year. (Sergiu Gatlan / Bleeping Computer)
According to people familiar with the matter, the Biden administration is divided over whether to impose sanctions on Russian cybersecurity giant Kaspersky Lab, which the U.S. has long warned could be used by the Kremlin as a surveillance tool against its customers.
While the National Security Council pressed Treasury for sanctions against the company, sanctions experts within the department have raised concerns over the size and scope of such a move. Moreover, some officials in the U.S. and Europe fear sanctioning Kaspersky Lab will increase the likelihood of triggering a cyberattack against the West by Moscow, even potentially leveraging the software itself. (Vivian Salama and Dustin Volz / Wall Street Journal)
The U.S. Treasury Department’s Office of Foreign Assets Control added the State Research Center of the Russian Federation Central Scientific Research Institute of Chemistry and Mechanics, or TsNIIKhM, to the list of entities sanctioned since Russia’s invasion of Ukraine began.
The institute allegedly developed the infamous Trisis malware used in attacks on industrial control systems, including against a petrochemical plant in Saudi Arabia in 2017. Sergei Alekseevich Bobkov, the institute’s director, Konstantin Vasilyevich Malevanyy, its deputy director, and Evgeny Viktorovich Gladkikh, the researcher accused of developing Trisis, were also sanctioned. (Joe Warminsky / Cyberscoop)
Sources say that the Biden administration is reviewing whether and how to change a Trump-era policy that gave the Department of Defense and U.S. Cyber Command unprecedented authority to authorize cyber operations without White House approval.
The administration has launched an “interagency review process,” paving the way for revisions to the controversial Trump-era National Security Presidential Memorandum-13 (NSPM-13), which allowed the delegation of “well-defined authorities to the Secretary of Defense to conduct time-sensitive military operations in cyberspace.” One of the sources briefed on the administration’s plans to review NSPM-13 said that White House officials want to “regularize cyber operations.” The source described the Trump administration’s delegation of broad cyber authorities to the Defense Department as highly unusual. (Suzanne Smalley / Cyberscoop)
Jeanette Manfra, director of risk and compliance for Google’s cloud services and a former top U.S. cybersecurity official, said that the government’s reliance on Microsoft, one of Google's chief business rivals, is an ongoing security threat.
Manfra also said in a blog post that a survey commissioned by Google found that most federal employees believe that the government’s reliance on Microsoft products is a cybersecurity vulnerability. Microsoft pushed back firmly against Manfra’s claim, calling it "unhelpful." (Kevin Collier / CNN)
Related: Google Cloud
An inspector general investigation found that the United States Postal Inspection Service (USPIS), the law enforcement arm of the post office, was “not legally authorized” to conduct blanket keyword searches of social media for terms such as “protest,” “attack,” and “destroy.” The IG’s office said that USPIS is only supposed to investigate cases with some connection to the post office or the mail.
The report also found that analysts working on iCOP did not retain investigative materials according to the agency’s record retention policies, making it difficult to investigate how those materials were used. (Aaron Gordon and Joseph Cox / Motherboard)
Related: USPIS OIG
Leaked documents from Okta's outsourced provider of support services, Sitel (Sykes), did not contain domain admin passwords extracted from LastPass in an Excel spreadsheet, as has been reported.
In a statement released this week, Sitel addressed the "reported inaccuracies" that alleged the spreadsheet contained passwords or that the spreadsheet was responsible for the security incident. "This 'spreadsheet' identified in recent news articles simply listed account names from legacy Sykes but did not contain any passwords," explains Sitel, which had acquired business process outsourcing provider Sykes in August 2021. (Ax Sharma / Bleeping Computer)
Researchers at Fortinet say that the Chinese hacking group Deep Panda is targeting VMware Horizon servers with the Log4Shell exploit to deploy a novel rootkit named Fire Chili.
The rootkit is digitally signed using a certificate from Frostburn Studios (a game developer) or one from Comodo (a security software vendor) to evade detection by AV tools; Fortinet believes these certificates were stolen from the named companies. Fortinet found several overlaps between Deep Panda and Winnti, another notorious Chinese hacking group known for using stolen code-signing certificates. (Bill Toulas / Bleeping Computer)
Google announced the next stage of trials of its Privacy Sandbox proposal focused on ads relevance and measurement.
Vinay Goel, product director, Privacy Sandbox, Chrome, said: “Starting today, developers can begin testing globally the Topics, FLEDGE, and Attribution Reporting APIs in the Canary version of Chrome. We’ll progress to a limited number of Chrome Beta users as soon as possible. Once things are working smoothly in Beta, we’ll make API testing available in the stable version of Chrome to expand testing to more Chrome users.” (Natasha Lomas / TechCrunch)
Apple released security updates to address two zero-day vulnerabilities exploited by attackers to hack iPhones, iPads, and Macs.
The two flaws are an out-of-bounds write issue (CVE-2022-22674) in the Intel Graphics Driver that allows apps to read kernel memory and an out-of-bounds read issue (CVE-2022-22675) in the AppleAVD media decoder that will enable apps to execute arbitrary code with kernel privileges. (Sergiu Gatlan / Bleeping Computer)
Researchers at Zscaler have uncovered a new infostealer malware peddled in Russian underground forums they call BlackGuard. BlackGuard can steal information, including saved browser credentials and history, email client data, FTP accounts, autofill content, conversations in messenger software, cryptocurrency credentials, and other account information. Messengers targeted include Telegram, Signal, Tox, Element, and Discord.
Zscaler says that the new malware strain is "sophisticated" and has been made available to criminal buyers for a monthly price of $200. BlackGuard is also sold for $700 in return for a lifetime subscription. (Charlie Osborne / ZDNet)
The FBI has asked for public help finding the extortionist group Lapsus$.
In a newly issued wanted alert, the FBI seeks information on individuals responsible for the breaches of LG and Microsoft. Those followed breaches at NVIDIA and Samsung and were themselves followed by the announcement of a breach at Okta the next day. (Joe Uchill / SC Magazine)