Russian State-Backed Hackers Gained Access to NGO Cloud After Exploiting DUO MFA Protocols

Ukraine detained hacker for helping Russian troops route phone calls, Germany urges replacement of Kaspersky AV, Banks fear Russian SWIFT attacks, Technicians keep Ukraine's internet running, more

Mar 16

The FBI said Russian state-backed hackers gained access to a non-governmental organization (NGO) cloud after enrolling their own device in the organization's Duo MFA following the exploitation of misconfigured default multifactor authentication (MFA) protocols.

In a joint advisory, the Bureau and the Cybersecurity and Infrastructure Security Agency (CISA) FBI and CISA urged all organizations to enforce MFA and review configuration policies to protect against "fail open" and re-enrollment scenarios, ensure inactive accounts are disabled uniformly across the Active Directory and MFA systems and patch all systems and prioritize patching for known exploited vulnerabilities. (Sergiu Gatlan / Bleeping Computer)

CISA Infrastructure Security @CISAInfraSec

🛡 Shields Up! @FBI & @CISAgov warn organizations that Russian state-sponsored cyber actors have gained network access through exploitation of default MFA protocols & a known vulnerability. Read our advisory & learn how to defend your networks: go.usa.gov/xz5dc

Cybersecurity and Infrastructure Security Agency @CISAgov

🛡 Shields Up! Russian state-sponsored actors have exploited default Multi-Factor Authentication (MFA) protocols. Make sure your MFA protocols are configured properly! Read our latest advisory w/@FBI to defend your networks against this attack: https://t.co/zzY2gkxNkp https://t.co/5m0150wj2O

The Security Service of Ukraine (SSU) says it has detained a “hacker” who appeared to be leveraging Ukrainian phone networks to help Russian military communications by routing phone calls on their behalf and sending text messages to Ukrainian security forces suggesting they surrender.

The SSU’s announcement said it “detained a hacker who provided the occupiers mobile connection in Ukraine.” The announcement claims that this hacker helped facilitate thousands of calls in just one day. Based on photos, the hacker appeared to be using a stolen, insecure SIMBox, enabling Ukrainian intelligence to intercept calls. (Joseph Cox / Motherboard)

Related: CNN, The Verge

Raphael Satter @razhael

CNN’s @snlyngaas cites US official as saying that Viasat hack is being investigated as potential Russian-state sponsored sabotage, corroborating some of our reporting from Friday. FWIW I’ve sought repeated comment from @RusEmbUSA but so far to no avail.

Ukraine detains ‘hacker’ accused of aiding Russian troops amid broader struggle to secure communicationsUkrainian authorities have detained a “hacker” who was allegedly helping the Russian military send instructions via mobile phone networks to its troops, Ukraine’s SBU security service said Tuesday.cnn.com

In a long line of warnings by various governments against Russian cybersecurity company Kaspersky Lab, the German Federal Office for Information Security (BSI) urged the replacement of antivirus software from Russian cybersecurity firm Kaspersky with other products.

“The actions of military and/or intelligence forces in Russia and the threats made by Russia against the EU, NATO, and the Federal Republic of Germany in the course of the current armed conflict are associated with a considerable risk of a successful IT attack,” a translated version of the announcement reads. In a statement, Kaspersky said, “We believe this decision is not based on a technical assessment of Kaspersky products—that we continuously advocated for with the BSI and across Europe—but instead is being made on political grounds.” (Joseph Cox / Motherboard)

Alexander Martin @AlexMartin

Five years after the US and UK warned government entities not to use Kaspersky Lab's antivirus software due to system access concerns, Germany's Federal Office for Information Security is making the same warning.

BSI warnt vor dem Einsatz von Kaspersky-VirenschutzproduktenDas BSI warnt vor dem Einsatz von Virenschutzsoftware des russischen Herstellers Kaspersky und empfiehlt, Anwendungen aus dessen Portfolio durch alternative Produkte zu ersetzen.bsi.bund.de

Big banks fear that banking system Swift faces a growing threat of Russian cyberattacks after seven of the country’s lenders were kicked off the global payments messaging system. Senior cybersecurity executives at banks fear that Swift could be a more attractive target than individual banks because it is a touchpoint in the global financial network.

VTB, Russia’s second-biggest bank, and Promsvyazbank, which finances Russia’s war machine, were among the lenders removed from Swift as part of the West’s sanctions campaign against Moscow in response to its invasion of Ukraine. (Owen Walker and Imani Moise / Financial Times)

Despite obliterated terrain and internet wires, fire-blackened data centers, curfews, lack of light, and the danger of death from above, internet technicians in Ukraine toil to turn the internet back on so Ukrainians can stay in touch with one another and get the word out beyond borders.

They are also helping law enforcement sniff out rogue operators who are helping Russians in the country stay connected even as a sustained operation targets Ukraine’s telecom providers. (Thomas Brewster / Forbes)

SSSCIP Ukraine @dsszzi

Telecommunication specialists are invisible heroes of our days Hundreds of specialists of Ukrainian internet service providers repair, restore and organize communication in bomb shelters, basements, underground parking lots every day.

A letter sent to White House National Security Advisor Jake Sullivan, four Republican House lawmakers question the early release of Alexsei Burkov, a cybercriminal who long operated two of Russia’s most exclusive underground hacking forums. Burkov was sentenced in the U.S. after he pleaded guilty to running a site that sold stolen payment card data and administering a highly secretive crime forum that served some of the most elite Russian cybercrooks. Burkov was released after serving only one year of a nine-year prison sentence.

“An ICE spokesperson stated that Burkov is wanted by Russian authorities, and a DOJ spokesperson denied that a prisoner exchange took place,” the letter reads. “The decision to prematurely release Burkov is curious given the lengths to which the U.S. government went to secure Burkov’s arrest.” (Brian Krebs / Krebs on Security)

The National Institute of Standards and Technology issued a special publication, SP 800-172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information, to tighten procurement regulations for critical software.

The publication details appropriate ways to assess an organization’s adherence to the agency’s go-to list of enhanced security requirements for protecting controlled but unclassified information. (Mariam Baksh / NextGov)

Related: InsideCyberSecurity.com, NIST

An attacker siphoned over $11 million from Agave and Hundred Finance in what appears to be a flash loan reentrancy attack on both DeFi protocols on the Gnosis chain.

The attacker exploited a reentrancy vulnerability in both protocols. Reentrancy is a Solidity programming language vulnerability that allows an attacker to trick a protocol’s contract into making an external call to an untrusted contract. (Osato Avan-Nomayo / The Block)

Related: Cointelegraph, CryptoPotato, FXEmpire

Hundred Finance @HundredFinance

Unfortunately Hundred and Agave have both been exploited on Gnosis chain today. Gnosis team is aware, investigation is ongoing. All the Hundred markets on all chains paused for now. These are the two transactions: Hundred dashboard.tenderly.co/tx/xdai/0x534b… Agave

Tenderly DashboardTenderly is an Ethereum monitoring, debugging and analytics platform. It empowers blockchain teams and individuals by providing a powerful Debugger, intuitive Gas Profiler, Transaction Simulations, Monitoring and Alerting capabilities, Advanced Analytics and so much more.dashboard.tenderly.co

Orca Security issued a report detailing the problems cybersecurity teams face due to “alert fatigue, a term that refers to the fact that many security teams have become overloaded with alerts generated by their security tools, to which crews must respond.

Among the findings is that 59% of respondents report receiving more than 500 alerts about public cloud security per day. Thirty-eight percent report receiving more than 1,000 of these alerts each day, many of which do not refer to cybersecurity threats. (Kyle Alspach / Venture Beat)

Related: Beta News, Security Magazine, Orca Security

Ireland’s Data Protection Commission (DPC) imposed a 17 million euro ($18.7 million) fine against Facebook’s parent company Meta following an investigation into 12 data breach notifications the regulator received in 2018.

The DPC found that Meta Platforms failed to have appropriate technical and organizational measures in place that would allow it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data. “This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people’s information. We take our obligations under the GDPR seriously, and will carefully consider this decision as our processes continue to evolve,” a spokeswoman for Meta said. (Charlie Taylor / Irish Times)

Ireland’s evasive response to a significant security complaint filed against Google’s adtech the year the European Union’s General Data Protection Regulation (GDPR) went into effect is the target of a new lawsuit by the Irish Council for Civil Liberties (ICCL), whose senior fellow, Johnny Ryan, is named as the plaintiff. The suit accuses the Data Protection Commission (DPC) of years of inaction over what the complainants assert is “the largest data breach ever.”

At issue is the DPC’s response to a long-running complaint about Google’s role in the high-velocity trading of web users’ personal data to determine which ads get served and, more specifically, the lack of attention the data-trading systems of the tracking-based advertising industry pay to security. (Natasha Lomas / TechCrunch)

Related: Databreaches.net, The Journal.ie

The Federal Trade Commission slapped a $500,000 fine against the former owner of the CafePress custom t-shirt and merchandise site over security lapses leading to a 2019 data breach, entering into proposed settlements with the online merchandise platform's current and former owners.

The FTC filed a complaint against former CafePress owner Residual Pumpkin Entity LLC and current owner PlanetArt LLC, alleging CafePress didn't sufficiently protect consumers' and shopkeepers' personal data collected through its website. The CafePress owner patched a vulnerability that allowed a hacker to access more than 20 million unencrypted email addresses and encrypted passwords, and other unencrypted personal information, but didn't investigate or notify consumers for several months, the FTC said. CafePress separately in December 2020 reached a $2 million settlement with seven state attorneys general over the 2019 breach. (Sara Merken / Reuters)

Related: Bleeping Computer, FTC

Over two dozen film studios sued U.S. VPN provider TorGuard over copyright violations on its network. Similar court cases shut down LiquidVPN in 2021 and forced VPN Unlimited to block torrenting traffic earlier this year.

This same group of filmmakers also suedQuadranet, a web hosting provider that leased servers to TorGuard. (Sven Taylor / Restore Privacy)

Related: TorrentFreak, TorGuard

UK ferry company Wightlink said that hackers are feared to have stolen customers' personal information in a "highly sophisticated" cyber attack.

It identified a "small number" of people who might have been affected in February, and they have been contacted. The company said that the "criminal action" did not affect ferry services, its booking system, or its website. (BBC News)

Related: The Daily Swig

Cowbell Cyber, a full-stack insurance company that provides cyber insurance to SMEs, has closed a Series B venture funding round of $100 million.

Anthemis Group led the round with participation from Permira Funds, PruVen Capital, NYCA Partners, Viola Fintech, and all existing investors. (Ingrid Lunden / TechCrunch)

Parisian attack prevention cybersecurity startup Hackuity has emerged from stealth with a €12 million ($13.2 million ) venture funding round.

The round was led by Sonae IM with the participation of previous investor Caisse des Dépôts. (Megha Paul / Tech.eu)

Related: Globe Newswire

Veracode, a provider of application security solutions, received a growth investment from TA Associates. The amount of the deal was not disclosed.

Veracode’s current majority investor, Thoma Bravo, will retain a minority position in the business. The transaction, which values Veracode at $2.5B, is expected to be completed in Q2 2022, subject to customary closing conditions. (FinSMEs)

Related: Business Wire

Israeli cybersecurity company SentinelOne announced that it is acquiring US company Attivo Networks, an identity security and lateral movement protection company, for $616.5 million in cash and stock.

SentinelOne said that the acquisition would expand its market by $4 billion to include rapidly growing categories in identity security. The deal will close in the second fiscal quarter (by the end of July 2022), subject to regulatory and other approvals. (Shiri Habib-Valdhorn / Globes)

Image by Oleg Shakurov from Pixabay

Metacurity