US, UK and EU Attribute Attacks on Viasat's KA-SAT Network to Russia
Spain fires top spy chief in wake of Pegasus spyware probe, Clearview AI agrees to stop sales to private companies, Lincoln College forced to shutter after ransomware attack, much more
Check out my latest CSO column on the changes some organizations suggest need to be made to the NIST Cybersecurity Framework.
The US, UK, and European Union have formally confirmed that Russia was behind a massive cyberattack, likely a wiper malware attack, against satellite internet network provider Viasat which took thousands of modems offline at the onset of the war in Ukraine.
In late February, the attack against Viasat’s KA-SAT network took place just as the Russian army pushed into Ukraine and helped facilitate President Vladimir Putin's invasion of the country. "This cyberattack had a significant impact causing indiscriminate communication outages and disruptions across several public authorities, businesses and users in Ukraine, as well as affecting several EU Member States," the Council of the EU said in a statement.
"This unacceptable cyberattack is yet another example of Russia's continued pattern of irresponsible behaviour in cyberspace, which also formed an integral part of its illegal and unjustified invasion of Ukraine," it added. British Foreign Secretary Liz Truss said the cyberattack was a "deliberate and malicious attack by Russia against Ukraine.” (James Pearson, William James / Reuters)
The Spanish government has reportedly fired the country's spy chief, Paz Esteban, following revelations that the intelligence service hacked the phones of leading members of the Catalan independence movement using NSO Group's Pegasus spyware. Esteban's dismissal also follows the discovery that Pegasus was used by an outside party against the phones of the prime minister and the defense minister.
Esteban reportedly confirmed last week to a congressional committee that 18 members of the Catalan independence movement were spied on with judicial approval by Spain’s National Intelligence Centre (CNI), leaving the Catalan regional government demanding answers. (Sam Jones / The Guardian)
In a speech, Jeremy Fleming, the director of the British spy agency GCHQ said that Russian hackers are seeking to target western countries supporting Ukraine in its efforts to resist Moscow’s invasion. However, he did not provide substantiation for his statement.
He said that while fears of a fully-fledged online war between Russia and Ukraine had perhaps failed to materialize, there remained “plenty” of cyber activity as part of the conflict, including “some spillover of activity affecting other countries.” (Dan Sabbagh / The Guardian)
Notorious facial recognition company Clearview AI, which has downloaded billions of people’s photos from social networks and other websites to build a face-search database for law enforcement, has agreed to stop its sales to private companies in the United States as part of a landmark settlement.
The settlement follows a lawsuit filed in federal court in Illinois by the American Civil Liberties Union, which accused Clearview of violating an Illinois law banning companies from sharing people’s face photos, fingerprints, and other biometric information without their consent. As part of the settlement, Clearview has agreed to stop selling or offering free access to its facial recognition database to most businesses and other private entities nationwide. It is also banned from selling to law enforcement in Illinois for five years. (Drew Harwell / Washington Post)
Related: BiometricUpdate, Bloomberg Technology, CNET, Cyberscoop, Protocol, Engadget, The Record by Recorded Future, ACLU, The Verge, Chicago Sun-Times, Techdirt, PCMag.com, Pixel Envy, Courthouse News Service, The Register, Security Week, PYMNTS.com, Digital Journal, Slashdot
After more than 150 years, predominantly Black Lincoln College in Illinois is closing its doors due to the financial strain of COVID-19 and, most recently, a ransomware attack.
The attack in December 2021 “thwarted admissions activities and hindered access to all institutional data, creating an unclear picture of Fall 2022 enrollment projections. All systems required for recruitment, retention, and fundraising efforts were inoperable,” the college said. When the systems were restored in March 2022, there were “significant enrollment shortfalls, requiring a transformational donation or partnership to sustain Lincoln College beyond the current semester” which did not materialize. (Omar Jimenez and Sean Lyngaas / CNN)
Sources say that the Biden administration ramped up a national security probe into Russia's Kaspersky Lab antivirus software in March amid heightened fears of Russian cyberattacks after Moscow invaded Ukraine. The probe is taking place under broad new powers created by the Trump administration that allow the Commerce Department to ban or restrict transactions between U.S. firms and internet, telecom, and tech companies from "foreign adversary" nations, including Russia and China.
The case was referred to the Commerce Department by the Department of Justice last year but didn’t gain momentum until earlier this year. Regulators have already banned federal government use of Kaspersky software. They could ultimately force the company to take measures to reduce risks posed by its products or prohibit Americans from using them altogether. (Alexandra Alper / Reuters)
Attackers launched an oracle price manipulation attack against decentralized finance protocol Fortress, resulting in the loss of all of its funds.
The attackers stole ETH 1,048 (USD 2.58m) and DAI 400,000, cumulatively worth around USD 2.98 million, from the project. After exploiting the protocol, the attacker bridged all stolen funds to Ethereum before depositing them into the popular crypto mixer Tornado Cash. (Ruholamin Haqshanas / Crypto News)
Related: The Record
DomainTools discovered a new credit card-skimming service operated by a Russian cybercrime organization called CaramelCorp that supplies subscribers with a skimmer script, deployment instructions, and a campaign management panel, everything a threat actor needs to launch their credit card stealing campaign.
A lifetime subscription to the service, which CaramelCorp will only sell to Russian-speaking threat actors, costs $2,000. The sellers make unverified claims that Caramel can bypass protection services from Cloudflare, Akamai, Incapsula, and others. (Bill Toulas / Bleeping Computer)
The UK's National Cyber Security Centre (NCSC) said the number of scams it took down was four times the number it removed in 2020.
The cybersecurity arm of the GCHQ said the rise was the result of the organization expanding its services to tackle a broader range of scams, including fake celebrity endorsements, rather than an overall increase in malicious content targeting the UK public. (Martyn Landi / Evening Standard)
Related: The Guardian
Microsoft announced a new service category called Microsoft Security Experts that combines human-led service with security technologies to help companies and organizations improve security.
The service consists of Microsoft Defender Experts for Hunting, Microsoft Defender Experts for XDR, and Microsoft Security Services for Enterprise. Experts for Hunting is for customers who already have a security operations center but want Microsoft's help hunting for threats proactively. Experts for XDR (extended detection and response) is aimed at extending a customer's security operations center with Microsoft analysts. (Sean Endicott / Windows Central)
Researchers at BlackBerry discovered a budget-friendly remote access trojan (RAT) dubbed DCRat or DarkCrystal RAT that's under active development and is selling on underground Russian forums for about $7 for a two-month subscription.
The Windows malware was released in 2018, then redesigned and relaunched the following year. Despite the low price of DCRat, threat actors can perform a range of nefarious acts with it due to its modular architecture and plugin framework, including espionage and data theft, distributed denial of service attacks, and dynamic code execution in several different languages. (Jessica Lyons Hardcastle / The Register)
Anonymous reports to the City of London police obtained under Freedom of Information requests reveal that criminals are combining physical muscle with digital know-how in a wave of “crypto muggings” to steal digital currency.
One victim said he had been vomiting under a bridge when a mugger forced him to unlock his phone using a fingerprint, then changed his security settings and stole £28,700, including cryptocurrency. (Rob Davies / The Guardian)
Researchers at Kaspersky Lab discovered a malicious campaign that used Windows event logs to store malware, a technique that has not been previously documented publicly for attacks in the wild.
Keeping the payload in the event log rather than on disk let the threat actor run the malware filelessly, in an attack filled with techniques and modules designed to keep the activity as stealthy as possible. (Ionut Ilascu / Bleeping Computer)
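A practitioner's first question about an event-log stash is how to spot one on a host. The script below is an added hunting example, not code from the Kaspersky or Bleeping Computer write-ups: it sweeps a set of logs for records whose event data carries a large binary blob and then groups the hits by provider and event ID, since a payload split across many records shows up as a run of same-sized entries from one source. The log names and the 4 KB size threshold are assumptions chosen for illustration, not values from the report.

```powershell
# Added hunting example, not code from the Kaspersky or Bleeping Computer write-ups.
# Assumptions: run elevated on the host under review; $LogNames and $MinBytes are
# illustrative starting points, not thresholds taken from the report.
$LogNames = @('Application', 'System', 'Security')
$MinBytes = 4096

$hits = foreach ($log in $LogNames) {
    Get-WinEvent -LogName $log -ErrorAction SilentlyContinue | ForEach-Object {
        $rec = $_
        foreach ($prop in $rec.Properties) {
            $v = $prop.Value
            # Binary event data surfaces as a byte[] property; flag anything large.
            if ($v -is [byte[]] -and $v.Length -ge $MinBytes) {
                [pscustomobject]@{
                    Log      = $log
                    Provider = $rec.ProviderName
                    EventId  = $rec.Id
                    Time     = $rec.TimeCreated
                    Bytes    = $v.Length
                    # First 16 bytes as hex, to eyeball for code-like prefixes.
                    Head     = ($v[0..15] | ForEach-Object { $_.ToString('x2') }) -join ' '
                }
            }
        }
    }
}

# One provider emitting many large, similarly sized blobs is the pattern to chase:
# a payload written in chunks leaves a run of records sharing provider and event ID.
$hits | Group-Object Provider, EventId |
    Select-Object Count, Name,
        @{ n = 'TotalBytes'; e = { ($_.Group | Measure-Object Bytes -Sum).Sum } } |
    Sort-Object TotalBytes -Descending | Format-Table -AutoSize

# Individual hits in time order, so a chunked write shows up as a tight burst.
$hits | Sort-Object Time | Format-Table Log, Provider, EventId, Time, Bytes, Head -AutoSize
```

Legitimate providers do log binary data (crash dumps, driver records), so treat the output as a triage list rather than a verdict: the tell is a provider that has no business writing kilobytes of opaque data, doing so repeatedly in a short window. To run the same sweep against exported logs from an acquired host, replace `-LogName $log` with `-Path <file.evtx>`.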